Silverback 20.0 Update 2 TP2
Operating System Review
With this technical preview we reviewed all current beta versions of the upcoming releases of the following operating systems. In their current state all platforms are supported out of the box, so no Silverback update is required to support the new versions.
- iOS 14
- iPadOS 14
- macOS 11.0
- Android 11
New Features
UUX for SUEM
We've added valuable information to Secure Unified Endpoint Management. All new information is listed below.
Windows 10 Defender Information
With the last Technical Preview we already added the Defender Health status for Windows 10 devices to the Silverback Management Console. With this technical preview and the updated Service Adapter version 3.1.0, Administrators can view this information in the Secure Unified Endpoint Management Console as well.
Windows 10 Security & Privacy
With the last release we already brought some new security and privacy features for macOS devices into the product. We are currently focused on bringing the same feature landscape to Windows 10 device management; for this Technical Preview this includes configuration of the Windows Defender Firewall.
Windows Defender Firewall
The Firewall configuration allows administrators to control the Windows Defender Firewall global settings, the per-profile settings, and the set of custom rules to be enforced on the device. Administrators can now manage non-domain devices and reduce the risk of network security threats across all systems connecting to the corporate network. The Firewall configuration is supported beginning with Windows 10, version 1709.
Settings | Options | Description |
---|---|---|
Defender Firewall Settings | Enabled or Disabled | Enables the Defender Firewall Profile |
Global Settings | | |
Security Association Idle Time Before Deletion (in secs) | e.g. 400 | Security associations are deleted after network traffic is not seen for this number of seconds. Supported values: 300 to 3600 |
Pre-shared Key Encoding | | Specifies the pre-shared key encoding that is used |
IPsec Exemptions | | Configures specific traffic to be exempt from IPsec. |
Certificate Revocation List Verification | | Defines how certificate revocation list verification is enforced. The following options are available: |
Packet Queuing | | Specifies how receive-side scaling for the software is enabled for both the encrypted receive path and the clear-text forward path in the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. |
File Transfer Protocol | Enabled or Disabled | |
Opportunistically Match Authentication Set Per Keying Module | Enabled or Disabled | If enabled, keying modules will ignore unsupported authentication suites. |
Network Settings (applies to Domain, Private, or Public Network) | | |
Microsoft Defender Firewall | Enabled or Disabled | If this setting is not enabled, no network traffic will be blocked regardless of other policy settings |
Stealth Mode | Enabled or Disabled | When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific |
IPsec Secured Packet Exemption With Stealth Mode | Enabled or Disabled | If stealth mode is enabled, this option will be ignored. Otherwise the stealth mode rules must not prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec |
Shielded | Enabled or Disabled | If this value is true and Defender Firewall is on, the server must block all incoming traffic regardless of other policy settings |
Unicast Responses to Multicast Broadcasts | Enabled or Disabled | If true, unicast responses to multicast and broadcast traffic are blocked. |
Inbound Notifications | Enabled or Disabled | If false, the Firewall may display a notification to the user when an application is blocked from listening on a port. If this setting is enabled, the Firewall must not display such notifications. |
Default Action For Outbound Connections | | The action that the firewall applies by default (evaluated at the very end) to outbound connections. |
Default Action for Inbound Connections | | The action that the firewall applies by default (evaluated at the very end) to inbound connections. |
Auth App Firewall Rules From the Local Store | Enabled or Disabled | If this value is false, authorized application firewall rules in the local store are ignored and not enforced |
Global Port Firewall Rules From the Local Store | Enabled or Disabled | If this value is false, global port firewall rules in the local store are ignored and not enforced |
Firewall Rules From the Local Store | Enabled or Disabled | If this value is false, firewall rules from the local store are ignored and not enforced |
IPsec Rules From the Local Store | Enabled or Disabled | If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and security rule version |
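The per-profile settings in the table interact in a fixed order: a disabled firewall allows everything, Shielded blocks all inbound, local-store rules only count when their setting is enabled, and the default action is evaluated last. The following Python model, added here as an illustration and not Silverback's or Windows' own code, encodes that precedence so an administrator can reason about what a pushed profile will actually do. The rule-matching rule (an explicit Block beats an Allow among matching rules) and all sample rules are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Literal, Optional, Tuple

Action = Literal["Allow", "Block"]
Direction = Literal["Inbound", "Outbound"]


@dataclass
class ProfileSettings:
    """Per-profile (Domain/Private/Public) settings, named after the table rows."""
    firewall_enabled: bool = True             # Microsoft Defender Firewall
    shielded: bool = False                    # Shielded
    block_unicast_to_multicast: bool = False  # Unicast Responses to Multicast Broadcasts
    local_store_rules: bool = True            # Firewall Rules From the Local Store
    default_inbound: Action = "Block"         # Default Action for Inbound Connections
    default_outbound: Action = "Allow"        # Default Action For Outbound Connections


@dataclass
class Rule:
    name: str
    direction: Direction
    port: Optional[int]                 # None matches any port
    action: Action
    source: Literal["policy", "local"]  # "local" = rule living in the device's local store


@dataclass
class Connection:
    direction: Direction
    port: int
    unicast_reply_to_multicast: bool = False  # inbound unicast reply to our multicast/broadcast


def evaluate(profile: ProfileSettings, rules: List[Rule], conn: Connection) -> Tuple[Action, str]:
    """Return (action, reason) for one connection, applying the table's precedence.
    Assumption: among matching rules an explicit Block wins over Allow."""
    # 1. Firewall off for this profile: nothing is blocked, whatever else is set.
    if not profile.firewall_enabled:
        return "Allow", "firewall disabled for profile"
    # 2. Shielded with the firewall on: every inbound connection is blocked.
    if conn.direction == "Inbound" and profile.shielded:
        return "Block", "shielded mode"
    # 3. Unicast replies to our own multicast/broadcast traffic may be blocked outright.
    if (conn.direction == "Inbound" and conn.unicast_reply_to_multicast
            and profile.block_unicast_to_multicast):
        return "Block", "unicast responses to multicast/broadcast blocked"
    # 4. Explicit rules; local-store rules are ignored when that setting is disabled.
    applicable = [
        r for r in rules
        if r.direction == conn.direction
        and (r.port is None or r.port == conn.port)
        and (r.source == "policy" or profile.local_store_rules)
    ]
    for r in applicable:
        if r.action == "Block":
            return "Block", f"rule {r.name}"
    if applicable:
        return "Allow", f"rule {applicable[0].name}"
    # 5. Default action, evaluated at the very end.
    default = profile.default_inbound if conn.direction == "Inbound" else profile.default_outbound
    return default, "default action"


# Constructed sample rule set: one rule pushed by policy, one added locally on the device.
RULES = [
    Rule("Allow-HTTPS-In", "Inbound", 443, "Allow", "policy"),
    Rule("Allow-RDP-In-local", "Inbound", 3389, "Allow", "local"),
]


if __name__ == "__main__":
    hardened = ProfileSettings(local_store_rules=False)
    for conn in (Connection("Inbound", 443), Connection("Inbound", 3389)):
        print(conn.port, evaluate(hardened, RULES, conn))
    print("firewall off:", evaluate(ProfileSettings(firewall_enabled=False), RULES, Connection("Inbound", 3389)))
    print("shielded:", evaluate(ProfileSettings(shielded=True), RULES, Connection("Inbound", 443)))
```

With "Firewall Rules From the Local Store" disabled, the locally added RDP rule no longer counts and port 3389 falls through to the default inbound Block, while the policy-managed HTTPS rule still applies; turning the profile's firewall off allows both regardless of rules, exactly as the table states.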
Security Feedback on Android
With this technical preview we are happy to announce a feature that will improve the security management capabilities for any Administrator.
Android SafetyNet Attestation
SafetyNet Attestation provides a cryptographically signed attestation assessing the device's integrity, which helps you identify whether devices in your fleet have been tampered with or modified. SafetyNet is an API provided by Google that validates software and hardware information on the device and creates a profile of that device, which is then compared with the profiles of certified devices. Based on the SafetyNet Attestation you gain, for example, the ability to detect devices with non-rooted custom ROMs or device emulators. The SafetyNet attestation provides different levels of integrity checks and thus detects different degrees of tampering.
Information | Example | Description |
---|---|---|
Basic Integrity | Yes | Basic Integrity is the more lenient verdict of device integrity. If the value is Yes, the device likely wasn't tampered with but hasn't necessarily passed Android compatibility testing. |
Extended Integrity | No | A stricter verdict of device integrity. If the value is Yes, the profile of the device matches the profile of a device that has passed Android compatibility testing. |
Advisory Response | LOCK_BOOTLOADER | Provides a suggestion for how to get a device back into a good state. The Advisory Response can be empty and is not influenced by the management system. |
Please review the following examples of what the different integrity levels cover.
Device Status | Basic Integrity | Extended Integrity |
---|---|---|
Certified, genuine device that passes CTS | Yes | Yes |
Certified device with unlocked bootloader | Yes | No |
Genuine but uncertified device, such as when the manufacturer doesn't apply for certification | Yes | No |
Device with custom ROM (not rooted) | Yes | No |
Emulator | No | No |
No device (such as a protocol emulating script) | No | No |
Signs of system integrity compromise, one of which may be rooting | No | No |
Signs of other active attacks, such as API hooking | No | No |
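The two tables above map directly onto the fields of a SafetyNet attestation: the signed JWS payload carries `basicIntegrity` (Basic Integrity), `ctsProfileMatch` (Extended Integrity) and an optional `advice` string (Advisory Response). The following Python snippet is an added example, not Silverback's or Google's code, showing how a management backend would bind the attestation to its own request (nonce and freshness) and turn the two verdicts into the device status rows of the second table. It assumes the JWS signature and its `x5c` certificate chain have already been verified (that step is not reimplemented here); the sample token, nonce and package name are constructed for the example.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWS segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jws_payload(jws: str) -> dict:
    """Return the decoded payload of a compact JWS.
    Assumption: the caller has already verified the signature against the x5c
    chain in the JWS header (leaf certificate issued to attest.android.com)."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))


def evaluate_attestation(payload: dict, expected_nonce: str, now_ms: Optional[int] = None,
                         max_age_ms: int = 5 * 60 * 1000) -> dict:
    """Derive the Basic/Extended Integrity verdicts and classify the device
    along the lines of the device-status table."""
    # Bind the attestation to this request: a replayed token for another nonce is useless.
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: attestation was not issued for this request")
    # Reject stale tokens; timestampMs is set by the attestation service.
    now_ms = now_ms if now_ms is not None else int(time.time() * 1000)
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > max_age_ms:
        raise ValueError("attestation timestamp outside the accepted window")

    basic = bool(payload.get("basicIntegrity", False))      # Basic Integrity
    extended = bool(payload.get("ctsProfileMatch", False))  # Extended Integrity
    if basic and extended:
        status = "certified, genuine device that passes CTS"
    elif basic:
        status = ("genuine but not CTS-certified: unlocked bootloader, uncertified model, "
                  "or custom ROM (not rooted)")
    else:
        status = "no integrity: emulator, no real device, rooting, or other active attack"
    return {
        "basic_integrity": "Yes" if basic else "No",
        "extended_integrity": "Yes" if extended else "No",
        "advisory_response": payload.get("advice", ""),  # may legitimately be empty
        "status": status,
    }


# Constructed sample: header and signature are dummies; only the payload
# follows the field names of a real SafetyNet response.
NONCE = b64url_encode(b"constructed-nonce-0001")
SAMPLE_PAYLOAD = {
    "nonce": NONCE,
    "timestampMs": 1_600_000_000_000,
    "apkPackageName": "com.example.mdmagent",  # constructed package name
    "basicIntegrity": True,
    "ctsProfileMatch": False,
    "advice": "LOCK_BOOTLOADER",
}
SAMPLE_JWS = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "x5c": ["<constructed>"]}).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    b64url_encode(b"dummy-signature"),
])


if __name__ == "__main__":
    verdict = evaluate_attestation(jws_payload(SAMPLE_JWS), NONCE, now_ms=1_600_000_030_000)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The sample reproduces the page's own example (Basic Integrity Yes, Extended Integrity No, advice LOCK_BOOTLOADER), which lands in the "certified device with unlocked bootloader / uncertified / custom ROM" band of the table; a verdict is only trusted after the nonce and timestamp checks pass, so a token captured from another session or an old one is rejected rather than classified.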
macOS App Configuration
With this Technical Preview and the upcoming release of Silverback 20.0 Update 2 we enhanced the capabilities for Administrators to configure specific app controls through the Management Console. From now on it is possible to provide Enterprise applications with an XML-formatted configuration file, as is already possible for iOS and iPadOS applications.
Remote Application Configuration
We offer two ways of configuring the application. If you add the configuration in the App Portal section (1), it is used as the default every time you add the application to a Tag. However, you can adjust and override the configuration inside the Tag at any time with the edit button (2). Documentation for the App Configuration XML is provided by the application's developer, so please get in touch with them to receive information about the configuration options for your desired application. In the following example the Incognito Mode for Google Chrome is deactivated.
After configuration you can review it on the device under Settings > Profiles > Silverback Managed Preferences.
By default the target folder for configurations is Library > Managed Preferences.
[Screenshot] Global configuration for Chrome with allowed Incognito Mode
[Screenshot] Tag based configuration with disallowed Incognito Mode
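As an added example (not Silverback's code and not taken from the page's screenshots), the Python below builds the XML-formatted configuration for the Chrome case described above, applies the "Tag overrides App Portal default" precedence, and reads a configuration back to verify that Incognito Mode is disabled. It assumes that Chrome reads managed preferences from the `com.google.Chrome` domain and that its `IncognitoModeAvailability` policy uses 0 for available and 1 for disabled; the output folder defaults to the Managed Preferences path named above.

```python
import plistlib
from pathlib import Path
from typing import Optional

# Assumptions for this example: Chrome's managed-preferences domain and the
# meaning of its IncognitoModeAvailability policy values (0 = available, 1 = disabled).
CHROME_DOMAIN = "com.google.Chrome"
INCOGNITO_KEY = "IncognitoModeAvailability"
MANAGED_PREFS_DIR = Path("/Library/Managed Preferences")  # default target folder


def chrome_config_xml(incognito_allowed: bool) -> bytes:
    """Build the XML-formatted app configuration (a property list) for Chrome."""
    return plistlib.dumps({INCOGNITO_KEY: 0 if incognito_allowed else 1}, fmt=plistlib.FMT_XML)


def effective_config(global_xml: bytes, tag_xml: Optional[bytes]) -> bytes:
    """The App Portal configuration (1) is the default; a Tag-level one (2) overrides it."""
    return tag_xml if tag_xml is not None else global_xml


def incognito_disabled(config_xml: bytes) -> bool:
    """Check a configuration, e.g. one read back from the Managed Preferences folder."""
    return plistlib.loads(config_xml).get(INCOGNITO_KEY) == 1


def write_managed_preference(config_xml: bytes, prefs_dir: Path = MANAGED_PREFS_DIR) -> Path:
    """Write the configuration as <domain>.plist into the managed-preferences folder."""
    plistlib.loads(config_xml)  # fail early on malformed XML rather than shipping it
    prefs_dir.mkdir(parents=True, exist_ok=True)
    dest = prefs_dir / f"{CHROME_DOMAIN}.plist"
    dest.write_bytes(config_xml)
    return dest


if __name__ == "__main__":
    global_cfg = chrome_config_xml(incognito_allowed=True)   # App Portal default (1)
    tag_cfg = chrome_config_xml(incognito_allowed=False)     # Tag override (2)
    chosen = effective_config(global_cfg, tag_cfg)
    print(chosen.decode())
    print("Incognito disabled on this Tag:", incognito_disabled(chosen))
```

Running the script prints the XML that would land in the Managed Preferences folder and confirms that the Tag-level configuration, not the App Portal default, is what the device ends up enforcing.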
Improvements
- Added new device actions to Windows 10 devices
  - Defender Signature Update
  - Defender Offline Scan
- Improved User Experience for Application Feedback
- Added additional values to Software Update Policy
- Merged BitLocker controls from Restrictions and Profiles
- Updated to Service Bus Adapter version 3.1.0