Matrix42 Self-Service Help Center

Silverback 20.0 Update 2 TP1

Silverback 20.0 Update 2 Technical Preview 1


Download: Matrix42 Marketplace

New Features

Please find below all new features for Silverback 20.0 Update 2 Technical Preview 1.

UUX for SUEM

We've added valuable information to Secure Unified Endpoint Management. All new information is listed below.

Device Information

The following device information is now sent over the Service Bus to the UUX for SUEM. In the UUX, double-click the device and navigate to the corresponding target fields.

Information | UUX
Supervised | Management > Overview
Device Owner | Management > Overview
Lost Mode | Management > Overview
Active Sync ID | Management > Mobile Data
Device ID | Identification > Import Identifiers
Device Capacity used | Inventory > Equipment Data
Device Capacity | Inventory > Equipment Data
Battery Level | Inventory > Equipment Data

Profile Information

Besides the extended device information, the Profile List is now also sent over the Service Bus to the UUX for SUEM. In the UUX, double-click a device and navigate to Management to view the installed profiles.

Restriction Updates

This Technical Preview provides a completely revised experience with restrictions. Restrictions are now grouped by category, so they can be taken in at a glance, and we've added 68 new valuable device configuration options overall.

New Restriction Grouping

With this Technical Preview, all restrictions for all supported platforms are grouped and can be expanded and collapsed with one click. The available categories, sorted by management type, are listed below.

Android Enterprise 
Management Type Android Enterprise
Categories
  • Applications
  • Network and Connection
  • Security and Privacy
  • System Settings
  • Users, Accounts and Profiles
  • Content and Media
Management Type Samsung Safe
Categories
  • Applications
  • Network & Connection
  • Privacy & Security
  • System Settings
  • Content & Media
iOS, iPadOS
Management Type General
Categories
  • App Store & iTunes
  • Applications
  • iCloud
  • Lock Screen
  • Managed Open-In
  • Network & Connection
  • Security & Privacy
  • Shared Devices & Classroom
  • System Settings
Management Type Supervised
Categories
  • App Store & iTunes
  • Applications
  • Game Center
  • Keyboard
  • Network & Connection
  • Printing
  • Safari
  • Security & Privacy
  • Shared Devices & Classroom
  • Siri
  • System Settings
macOS
Management Type All
Categories
  • App Store & iTunes
  • Classroom
  • Game Center
  • iCloud
  • Security & Privacy
  • Sharing
  • System Preferences
  • System Settings

New Restrictions for iOS, iPadOS

We've added 36 new restrictions for iOS and iPadOS. With these previously missing items, we have reached the 100% level of device configuration via restrictions for iPhones and iPads.

Restrictions Availability Options Requirement Description
Applications
Allow Apple Music Radio
  • iPhone
  • iPad
Enabled or Disabled iOS 9.3 (supervised) If false, disables Apple Music Radio. Requires a supervised device. Available in iOS 9.3 and later.
Allow System Apps Removal
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If false, disables the removal of system apps from the device. Requires a supervised device. Available in iOS 11 and later.
The Maximum Level of App Content Allowed on The Device
  • iPhone
  • iPad
  • All
  • 17+
  • 12+
  • 9+
  • 4+
  • None
iOS 4 The maximum level of app content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.
The Maximum Level of Movie Content Allowed on The Device
  • iPhone
  • iPad
  • All
  • NC-17
  • R
  • PG-13
  • PG
  • G
  • None
iOS 4 The maximum level of movie content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.
App Store & iTunes
Allow Enterprise Book Backup
  • iPhone
  • iPad
  • User Enrollment
Enabled or Disabled iOS 8 If false, disables backup of Enterprise books. Available in iOS 8 and later. Also available for user enrollment.
Allow Enterprise Book Sync
  • iPhone
  • iPad
  • User Enrollment
Enabled or Disabled iOS 8 If false, disables sync of Enterprise books, notes, and highlights. Available in iOS 8 and later. Also available for user enrollment.
Network & Connection
Allow Cellular Plan Modification
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If false, users can't change any settings related to their cellular plan. Requires a supervised device. Available in iOS 11 and later.
Allow eSIM Modification
  • iPhone
  • iPad
Enabled or Disabled iOS 12.1 (supervised) If false, disables modifications to the eSIM setting. Requires a supervised device. Available in iOS 12.1 and later.
Allow USB Restricted Mode
  • iPhone
  • iPad
Enabled or Disabled iOS 11.4.1 (supervised) If false, allows the device to always connect to USB accessories while locked. Requires a supervised device. Available in iOS 11.4.1 and later.
Allow VPN Creation
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If false, disables the creation of VPN configurations. Requires a supervised device. Available in iOS 11 and later.
Force AirPlay Outgoing Requests Pairing Password
  • iPhone
  • iPad
  • User Enrollment
Enabled or Disabled iOS 7.1 If true, forces all devices receiving AirPlay requests from this device to use a pairing password. Available in iOS 7.1 and later. Also available for user enrollment.
Managed Open-In
Allow Managed Apps Write Contacts to Unmanaged
  • iPhone
  • iPad
Enabled or Disabled iOS 12 If true, managed apps can write contacts to unmanaged contacts accounts. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. If this restriction is set to true, you must install the payload through MDM. Available in iOS 12 and later.

Allow Unmanaged Apps to Read Managed Contacts

  • iPhone
  • iPad
  • User Enrollment
Enabled or Disabled iOS 12 If true, unmanaged apps can read from managed contacts accounts. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. If this restriction is set to true, you must install the payload through MDM. Available in iOS 12 and later. Also available for user enrollment.
Printing
Allow AirPrint
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If false, disables AirPrint.  Requires a supervised device. Available in iOS 11 and later.
Allow AirPrint Credentials Storage
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If false, disables keychain storage of user name and password for AirPrint. Requires a supervised device. Available in iOS 11 and later.
Allow AirPrint iBeacon Discovery
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If false, disables iBeacon discovery of AirPrint printers, which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Requires a supervised device. Available in iOS 11 and later.
Force AirPrint Trusted TLS Requirement
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If true, requires trusted certificates for TLS printing communication. Requires a supervised device. Available in iOS 11 and later.
Siri
Allow Siri User-Generated Content
  • iPhone
  • iPad
Enabled or Disabled iOS 7 If false, prevents Siri from querying user-generated content from the web. Requires a supervised device. Available in iOS 7 and later.
Force Assistant Profanity Filter
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If true, forces the use of the profanity filter assistant. Requires a supervised device. Available in iOS 11 and later.
Security & Privacy
Allow Diagnostic Data to be Sent to Apple
  • iPhone
  • iPad
Enabled or Disabled iOS 9.3.2 (supervised) If false, disables changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings. Requires a supervised device. Available in iOS 9.3.2 and later.
Allow Fingerprint Modification
  • iPhone
  • iPad
Enabled or Disabled iOS 8.3 (supervised) If false, prevents the user from modifying Touch ID or Face ID. Requires a supervised device. Available in iOS 8.3 and later.
Allow Password AutoFill
  • iPhone
  • iPad
Enabled or Disabled iOS 12 (supervised) If false, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later.
Allow Password Proximity Requests
  • iPhone
  • iPad
Enabled or Disabled iOS 12 (supervised) If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in iOS 12 and later, macOS 10.14 and later, and tvOS 12 and later.
Allow Password Sharing
  • iPhone
  • iPad
Enabled or Disabled iOS 12 (supervised) If false, disables sharing passwords with the Airdrop Passwords feature. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later.
Allow Proximity Setup to New Devices
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If false, disables the prompt to set up new devices that are nearby. Requires a supervised device. Available in iOS 11 and later.
Allow Untrusted TLS Certificates
  • iPhone
  • iPad
Enabled or Disabled iOS 5 If false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5 and later.
Force Authentication Before AutoFill
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If true, the user must authenticate before passwords or credit card information can be autofilled in Safari and Apps. If this restriction isn't enforced, the user can toggle this feature in Settings. Only supported on devices with Face ID or Touch ID. Requires a supervised device. Available in iOS 11 and later.
Shared Device & Classroom
Allow Shared Device Temporary Sessions
  • iPhone
  • iPad
Enabled or Disabled iOS 13.4 If false, temporary sessions are not available on Shared iPad. Available in iOS 13.4 and later.
Force Classroom Automatically Join Classes
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.
Force Classroom Requests Permission to Leave Classes
  • iPhone
  • iPad
Enabled or Disabled iOS 11.3 (supervised) If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 and later.
Force Classroom Unprompted Apps and Device Lock
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.
Force Classroom Unprompted Screen Observation
  • iPhone
  • iPad
Enabled or Disabled iOS 11 (supervised) If true and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.
System Settings
Allow Music Service
  • iPhone
  • iPad
Enabled or Disabled iOS 9.3 (supervised) If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in iOS 9.3 and later, and macOS 10.12 and later.
Allow News
  • iPhone
  • iPad
Enabled or Disabled iOS 9 (supervised) If false, disables News. Requires a supervised device. Available in iOS 9 and later.
Allow Remote Screen Observation
  • iPhone
  • iPad
Enabled or Disabled iOS 12 If false, disables remote screen observation by the Classroom app. Nest this key beneath allowScreenShot as a subrestriction. If allowScreenShot is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until iOS 13 and macOS 10.15. Available in iOS 12 and later, and macOS 10.14.4 and later.
Force Set Date and Time Automatically
  • iPhone
  • iPad
Enabled or Disabled iOS 12 (supervised) If true, enables the Set Automatically feature in Date & Time and can't be disabled by the user. The device's time zone is updated only when the device can determine its location using a cellular connection or Wi-Fi with location services enabled. Requires a supervised device. Available in iOS 12 and later, and tvOS 12.2 and later.

New Restrictions for macOS 

We've added 32 new restrictions for macOS. With these previously missing items, we have reached the 100% level of device configuration via restrictions for macOS devices.

Setting Options Requirement Description
App Store & iTunes      
Allow iTunes File Sharing Services Enabled or Disabled macOS 10.13 If false, disables iTunes file sharing services. Available in macOS 10.13 and later.
Classroom
Force Classroom Automatically Join Classes Enabled or Disabled macOS 10.14.4 If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.
Force Classroom Requests Permission to Leave Classes Enabled or Disabled macOS 10.14.4 If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 and later.
Force Classroom Unprompted Apps and Device Lock Enabled or Disabled macOS 10.14.4 If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.
Force Classroom Unprompted Screen Observation Enabled or Disabled macOS 10.14.4 If true and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.
iCloud      
Allow iCloud Address Book Enabled or Disabled macOS 10.12 If false, disables iCloud Address Book services. Available in macOS 10.12 and later.
Allow iCloud Bookmarks Enabled or Disabled macOS 10.12 If false, disables iCloud Bookmark sync. Available in macOS 10.12 and later.
Allow iCloud Calendar Enabled or Disabled macOS 10.12 If false, disables iCloud Calendar services. Available in macOS 10.12 and later.
Allow iCloud Desktop and Documents Enabled or Disabled macOS 10.12.4 If false, disables cloud desktop and document services. Available in macOS 10.12.4 and later.
Allow iCloud Document Sync Enabled or Disabled macOS 10.11 If false, disables document and key-value syncing to iCloud. As of iOS 13, this restriction requires a supervised device. Available in iOS 5 and later, and macOS 10.11 and later.
Allow iCloud Keychain Sync Enabled or Disabled macOS 10.12 If false, disables iCloud keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 7 and later, and macOS 10.12 and later.
Allow iCloud Mail Services Enabled or Disabled macOS 10.12 If false, disables iCloud Mail services. Available in macOS 10.12 and later.
Allow iCloud Notes Services Enabled or Disabled macOS 10.12 If false, disables iCloud Notes services. Available in macOS 10.12 and later.
Allow iCloud Photo Library Enabled or Disabled macOS 10.12 If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in iOS 9 and later, and macOS 10.12 and later.
Allow iCloud Reminder Services Enabled or Disabled macOS 10.12 If false, disables iCloud Reminder services. Available in macOS 10.12 and later.
Security & Privacy      
Allow Auto Unlock Enabled or Disabled macOS 10.12 If false, disallows auto unlock. Available in macOS 10.12 and later.
Allow Diagnostic Data to be Sent to Apple Enabled or Disabled macOS 10.13 If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in iOS 6 and later, and macOS 10.13 and later. Also available for user enrollment.
Allow Fingerprint For Unlock Enabled or Disabled macOS 10.12.4 If false, prevents Touch ID or Face ID from unlocking a device. Available in iOS 7 and later, and macOS 10.12.4 and later.
Allow  Passcode Modification Enabled or Disabled macOS 10.13 If false, prevents the device passcode from being added, changed, or removed. This restriction is ignored by Shared iPads. Requires a supervised device. Available in iOS 9 and later, and macOS 10.13 and later.
Allow Password AutoFill Enabled or Disabled macOS 10.14 If false, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later.
Allow Password Proximity Requests Enabled or Disabled macOS 10.14 If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in iOS 12 and later, macOS 10.14 and later, and tvOS 12 and later.
Allow Password Sharing Enabled or Disabled macOS 10.14 If false, disables sharing passwords with the Airdrop Passwords feature. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later.
Allow Safari Autofill Enabled or Disabled macOS 10.13 If false, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later.
Allow Spotlight Internet Results Enabled or Disabled macOS 10.11 If false, disables Spotlight Internet search results in Siri Suggestions. Available in iOS 8 and later, and macOS 10.11 and later.
Sharing      
Allow Content Caching Enabled or Disabled macOS 10.13 If false, disables content caching. As of 10.13.4 this is included in the content caching payload. Available in macOS 10.13 and later.
System Settings      
Allow Activity Continuation Enabled or Disabled macOS 10.15 If false, disables activity continuation. Available in iOS 8 and later, and macOS 10.15 and later.
Allow Camera Enabled or Disabled macOS 10.11 If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 4 and later, and macOS 10.11 and later.
Allow Dictation Enabled or Disabled macOS 10.13 If false, disallows dictation input. Requires a supervised device. Available in iOS 10.3 and later, and macOS 10.13 and later.
Allow Music Service Enabled or Disabled macOS 10.12 If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in iOS 9.3 and later, and macOS 10.12 and later.
Allow Screen Capture Enabled or Disabled
Allow Remote Screen Observation Enabled or Disabled macOS 10.14.4 If false, disables remote screen observation by the Classroom app. Nest this key beneath allowScreenShot as a subrestriction. If allowScreenShot is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until iOS 13 and macOS 10.15. Available in iOS 12 and later, and macOS 10.14.4 and later.
Allow Wallpaper Modification Enabled or Disabled macOS 10.14 If false, prevents wallpaper from being changed. Requires a supervised device. Available in iOS 9 and later, and macOS 10.13 and later.

Windows 10 Security and Privacy

With the last release, we already brought some new security and privacy features for macOS devices into the product. Currently we are focused on extending the feature landscape to Windows 10 device management. This includes receiving important Defender information from the device fleet, control mechanisms for operating system updates, and the extension of BitLocker settings for device encryption.

Defender Health State

The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. In this version of Silverback, Administrators can receive Defender health status information, such as when the last quick and full scans ran, which signature versions were used, and whether the signatures are outdated. General information is also available, such as the Defender version and whether the Defender service is running on the client at all.

Information Example Description
Defender version 4.18.2007.8 Version number of Windows Defender on the device.
Defender engine version 1.1.17300.4 Version number of the current Windows Defender engine on the device.
Defender signature version 1.321.98.0 Version number of the current Windows Defender signatures on the device.
Defender service is running Yes Indicates whether the Windows Defender service is running.
Signature is outdated No Indicates whether the Windows Defender signature is outdated.
Current state of the product No status flags set

Shows the current state of the product. It can contain one or multiple values from this list:

  • No status
  • Service not running
  • Service started without any malware protection engine
  • Pending full scan due to threat action
  • Pending reboot due to threat action
  • Pending manual steps due to threat action
  • AV signatures out of date
  • AS signatures out of date
  • No quick scan has happened for a specified period
  • No full scan has happened for a specified period
  • System initiated scan in progress 
  • System initiated clean in progress
  • There are samples pending submission
  • Product running in evaluation mode
  • Product running in non-genuine Windows mode
  • Product expired
  • Off-line scan required
  • Service is shutting down as part of system shutdown
  • Threat remediation failed critically 
  • Threat remediation failed non-critically
  • No status flags set (well initialized state)
  • Platform is out of date
  • Platform update is in progress 
  • Platform is about to be outdated
  • Signature or platform end of life is past or is impending
  • Windows SMode signatures still in use on non-Win10S install

Requires Windows 10 Version 1809

Current state of the device Clean

Displays the current state of the device like: 

  • Clean
  • Pending full scan
  • Pending reboot
  • Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan)
  • Pending offline scan
  • Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
Full scan is required No Indicates whether a Windows Defender full scan is required.
Last full scan 07/24/2020 16:09:37 UTC Time of the last Windows Defender full scan of the device.
Last full scan signature version 1.319.2181.0 Signature version used for the last full scan of the device.
Full scan is overdue for the device No

Indicates whether a Windows Defender full scan is overdue for the device.

A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default).

Review Windows 10 Restrictions for catch-up controls

Last quick scan 07/29/2020 02:08:16 UTC Time of the last Windows Defender quick scan of the device.
Last quick scan signature version 1.321.74.0 Signature version used for the last quick scan of the device.
Quick scan is overdue for the device No

Indicates whether a Windows Defender quick scan is overdue for the device.

A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catch up Quick scans are disabled (default).

Review Windows 10 Restrictions for catch-up controls

Real-time protection is running Yes Indicates whether real-time protection is running
Network protection is running Yes Indicates whether network protection is running
Tamper protection feature is enabled No Indicates whether the Windows Defender tamper protection feature is enabled. Requires Windows 10 Server 1903
Device reboot is needed No  Indicates whether a device reboot is needed.
Is a virtual machine Yes Indicates whether the device is a virtual machine. Requires Windows 10 Version 1903
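
The "Current state of the product" field above can carry several flags at once. The following is an added example, not Silverback or Matrix42 code: it decodes a raw product status value into the labels listed above and turns one device record into triage findings. Assumptions: the raw value is a bitmask numbered as in Microsoft's Defender CSP documentation (list position i is bit i), and the record field names and sample devices are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Flag labels in the order the page lists them (after "No status", which is 0).
# Assumption: label i corresponds to bit i of the raw product status integer,
# following the numbering in Microsoft's Defender CSP documentation.
STATUS_FLAGS = (
    "Service not running",
    "Service started without any malware protection engine",
    "Pending full scan due to threat action",
    "Pending reboot due to threat action",
    "Pending manual steps due to threat action",
    "AV signatures out of date",
    "AS signatures out of date",
    "No quick scan has happened for a specified period",
    "No full scan has happened for a specified period",
    "System initiated scan in progress",
    "System initiated clean in progress",
    "There are samples pending submission",
    "Product running in evaluation mode",
    "Product running in non-genuine Windows mode",
    "Product expired",
    "Off-line scan required",
    "Service is shutting down as part of system shutdown",
    "Threat remediation failed critically",
    "Threat remediation failed non-critically",
    "No status flags set (well initialized state)",
    "Platform is out of date",
    "Platform update is in progress",
    "Platform is about to be outdated",
    "Signature or platform end of life is past or is impending",
    "Windows SMode signatures still in use on non-Win10S install",
)

# Flags that mean protection is effectively absent or remediation has failed.
CRITICAL = {
    "Service not running",
    "Service started without any malware protection engine",
    "Product expired",
    "Threat remediation failed critically",
}
# Healthy or transient states that need no follow-up.
INFORMATIONAL = {
    "No status flags set (well initialized state)",
    "System initiated scan in progress",
    "System initiated clean in progress",
    "There are samples pending submission",
    "Platform update is in progress",
}


def decode_product_status(value):
    """Return the labels of all flags set in a raw product status value."""
    if value < 0 or value >> len(STATUS_FLAGS):
        raise ValueError(f"unknown bits in product status {value!r}")
    if value == 0:
        return ["No status"]
    return [label for bit, label in enumerate(STATUS_FLAGS) if (value >> bit) & 1]


def parse_scan_time(text):
    """Parse the timestamp format shown in the table, e.g. 07/24/2020 16:09:37 UTC."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(device, now, max_scan_age=timedelta(days=14)):
    """Return (severity, message) findings for one device health record."""
    findings = []
    for label in decode_product_status(device["product_status"]):
        if label in CRITICAL:
            findings.append(("critical", label))
        elif label != "No status" and label not in INFORMATIONAL:
            findings.append(("warning", label))
    if not device["realtime_protection"]:
        findings.append(("critical", "Real-time protection is not running"))
    # The page calls a scan overdue after 2 weeks, hence the 14-day default.
    age = now - parse_scan_time(device["last_quick_scan"])
    if age > max_scan_age:
        findings.append(("warning", f"Last quick scan was {age.days} days ago"))
    return findings


# Constructed sample records; field names are hypothetical, not Silverback's schema.
SAMPLE_DEVICES = {
    "LAPTOP-A": {"product_status": 524288, "realtime_protection": True,
                 "last_quick_scan": "07/29/2020 02:08:16 UTC"},
    "LAPTOP-B": {"product_status": 40, "realtime_protection": False,
                 "last_quick_scan": "07/01/2020 09:00:00 UTC"},
}
NOW = datetime(2020, 7, 30, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, record in SAMPLE_DEVICES.items():
        for severity, message in triage(record, NOW) or [("ok", "no findings")]:
            print(f"{name}: [{severity}] {message}")
```
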

Operating System Update Control

With this Technical Preview, Administrators gain control over Windows 10 OS updates through the Mobile Device Management layer, using the Update Policy CSP that Microsoft provides. With this integration you gain control over how and when updates are installed and which servicing channel is used.

Setting Options Description

 

  • Windows Insider build - Fast
  • Windows Insider build - Slow
  • Release Windows Insider Build
  • Semi-annual Channel (default)
  • Semi-annual Channel (only applicable to releases prior to 1903)

 

Sets which branch a device receives its updates from. Requires Windows 10 Version 1607.

 

Enabled or Disabled Excludes Windows Update (WU) drivers during updates. Requires Windows 10 Version 1607.

 

Enabled or Disabled

Option to download updates automatically over metered connections (off by default). 

A significant number of devices primarily use cellular data and do not have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates.

This policy is accessible through the Update setting in the user interface or Group Policy. 

Requires Windows 10 Version 1709.

 

e.g. 15 Defers Quality Updates for the specified number of days. Supported Values are 0-365. Requires Windows 10 Version 1607.

 

e.g. 90 Defers Feature Updates for the specified number of days. Supported Values are 0-365. Requires Windows 10 Version 1703.

 

2-60 days Configures the feature update uninstall period. Values range from 2 to 60 days. Default is 10 days. Requires Windows 10 Version 1803.

 

  • Notify the user before downloading the update
  • Auto install the update and then notify the user to schedule a device restart
  • Auto install and restart (default)
  • Auto install and restart at a specified time
  • Auto install and restart without end-user control
  • Turn off automatic updates

Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.

Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.

Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.

Auto install and restart at a specified time. Specify  the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.

Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.

Turn off automatic updates.

 

  • Every day (default)
  • Sunday
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
Enables the IT admin to schedule the day of the update installation.

 

e.g. 08 AM

Allows the IT admin, when used with Active Hours End to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. Requires Windows 10 Version 1607.

The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. Please refer to Active Hours Max Range 

 

e.g. 05 PM Added in Windows 10, version 1607. Allows the IT admin, when used with Active Hours Start to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. Requires Windows 10 Version 1607.

 

e.g.  12

Specifies the period for auto-restart warning reminder notifications. Supported values are 2, 4, 8, 12, or 24 (hours). The default value is 4 (hours). Requires Windows 10 Version 1703.

 

e.g. 60

Specifies the period for auto-restart imminent warning notifications. The default value is 15 (minutes). Supported values are 15, 30, or 60 (minutes). Requires Windows 10 Version 1703.

 

  • Use the default Windows Update notifications (default)
  • Turn off all notifications, excluding restart warnings
  • Turn off all notifications, including restart warnings
Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed.

 

e.g. 90

Specifies the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.

Supported Values are 2 - 30 (Default = 7), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. 

Requires Windows 10 Version 1903.

 

e.g. 5

Allows you to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.

Supported values are 2 - 30 (Default = 7), which indicates the number of days a device will wait until performing an aggressive installation of a required quality update.

Requires Windows 10 Version 1903.

 

e.g. 1

Allows the IT admin, when used with Deadline For Feature Updates or Deadline For Quality Updates, to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.

Supports a numeric value from 0 - 7 (Default = 2), which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once the deadline has been reached.

Requires Windows 10 Version 1903.

Enabled or Disabled

If enabled and when used with Deadline for feature or quality updates, devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.

When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. 

Requires Windows 10 Version 1903.

Extended BitLocker Controls

The BitLocker configuration service provider is used by the enterprise to manage encryption of PCs and devices. The product has long been able to force BitLocker encryption on Windows 10 devices, and this Technical Preview extends the feature set available to Administrators. For example, Administrators can now configure the encryption methods used for the system drive and/or data or removable data drives. Administrators can also force additional authentication settings when the machine is booting.

Setting Options Description

Enabled or Disabled Allows you to require encryption to be turned on by using BitLocker.
BitLocker base settings  

Enabled or Disabled Allows you to disable the warning prompt for other disk encryption on the user machines. Starting in Windows 10, version 1803, the setting can only be disabled for Azure Active Directory joined devices.

When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.

The endpoint for a fixed data drive's backup is chosen in the following order:

  1. The user's Windows Server Active Directory Domain Services account.
  2. The user's Azure Active Directory account.
  3. The user's personal OneDrive (MDM/MAM only).

Encryption will wait until one of these three locations backs up successfully.

Enabled or Disabled Allows users without administrative rights to enable BitLocker encryption on the device. This setting applies to Azure Active Directory joined devices.

Enabled or Disabled Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

  • AES-CBC 128
  • AES-CBC 256
  • XTS-AES 128 (recommended)
  • XTS-AES 256 (recommended)
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

  • AES-CBC 128 (recommended)
  • AES-CBC 256 (recommended)
  • XTS-AES 128
  • XTS-AES 256
This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
BitLocker OS drive settings  

Enabled or Disabled This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.

Enabled or Disabled Block the use of BitLocker on computers without a compatible Trusted Platform Module. Requires a password or a startup key on a USB flash drive.

  • Allow
  • Do not allow
  • Required
Configure if TPM is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
Configure if a TPM startup key is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
Configure if a TPM startup PIN is allowed, required or not allowed for startup

  • Allow
  • Do not allow
  • Required
Configure if a TPM Startup key and PIN is allowed, required or not allowed for startup.

Enabled or Disabled This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker.

e.g. 20 The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

Enabled or Disabled This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when turning on BitLocker.

Enabled or Disabled Specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Enabled or Disabled Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

Enabled or Disabled Enable BitLocker recovery information to be stored in AD DS

  • Backup recovery password and key package
  • Backup recovery password only
Choose which BitLocker recovery information to store in AD DS for fixed data drives. If Backup recovery password and key package is selected, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only is selected, only the recovery password is stored in AD DS.

Enabled or Disabled Prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. In this case a recovery password is automatically generated.

Enabled or Disabled This setting allows you to configure the entire recovery message or replace the existing URL that is displayed on the pre-boot key recovery screen when the OS drive is locked.

  • Use default recovery key message and URL
  • Use custom recovery message
  • Use custom recovery URL

 

Use default recovery message and URL: The default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value to "Use default recovery message and URL".

Use custom recovery message: The message you set will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

Use custom recovery URL: The URL you type in will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

BitLocker fixed data-drive settings 

Enabled or Disabled

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

If this setting is enabled, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

Enabled or Disabled This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when turning on BitLocker.

Enabled or Disabled Specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

  • Allow 48-digit recovery password
  • Do not allow 48-digit recovery password
  • Require 48-digit recovery password
Set whether users are allowed, required, or not allowed to generate a 48-digit recovery password

  • Allow 256-bit recovery key
  • Do not allow 256-bit recovery key
  • Require 256-bit recovery key
Set whether users are allowed, required, or not allowed to generate a 256-bit recovery key.

Enabled or Disabled Prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that a user will not be able to specify which recovery option to use when turning on BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy.

  • Backup recovery password and key package
  • Backup recovery password only
Choose which BitLocker recovery information to store in AD DS for fixed data drives. If Backup recovery password and key package is selected, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If Backup recovery password only is selected, only the recovery password is stored in AD DS.

Enabled or Disabled Enables saving the recovery key to AD.
BitLocker removable data-drive settings  

Enabled or Disabled  

Enabled or Disabled  
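The settings above only take effect when BitLocker is turned on, so a drive that was already encrypted keeps its old encryption method. The following added example (not part of Silverback or the original release notes) audits the local volumes against an intended policy using the built-in `Get-BitLockerVolume` cmdlet; the values in `$Expected` and the function name `Test-BitLockerVolumeCompliance` are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: compare the actual BitLocker state with the intended policy.
# $Expected is an assumed policy choice (XTS-AES 256, TPM + PIN on the OS drive,
# recovery password on every drive); adjust it to what you configured.
$Expected = @{
    OperatingSystem = @{ Method = 'XtsAes256'; Protectors = @('TpmPin', 'RecoveryPassword') }
    Data            = @{ Method = 'XtsAes256'; Protectors = @('RecoveryPassword') }
}

function Test-BitLockerVolumeCompliance {
    param(
        [Parameter(Mandatory)] $Volume,             # object from Get-BitLockerVolume
        [Parameter(Mandatory)] [hashtable] $Policy  # expectations per volume type
    )
    $want     = $Policy[[string]$Volume.VolumeType]
    $present  = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $findings = @()

    if (-not $want) {
        $findings += "no expectation defined for volume type $($Volume.VolumeType)"
    } else {
        if ([string]$Volume.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($Volume.VolumeStatus)"
        }
        if ([string]$Volume.ProtectionStatus -ne 'On') {
            $findings += 'protection is not on (suspended or no protectors)'
        }
        # A mismatch here usually means the drive was encrypted before the
        # policy arrived; it must be decrypted and re-encrypted to change method.
        if ([string]$Volume.EncryptionMethod -ne $want.Method) {
            $findings += "method is $($Volume.EncryptionMethod), expected $($want.Method)"
        }
        foreach ($p in $want.Protectors) {
            if ($present -notcontains $p) { $findings += "missing key protector: $p" }
        }
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        VolumeType = $Volume.VolumeType
        Method     = $Volume.EncryptionMethod
        Protectors = $present -join ','
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

Get-BitLockerVolume |
    ForEach-Object { Test-BitLockerVolumeCompliance -Volume $_ -Policy $Expected } |
    Format-Table -AutoSize -Wrap
```

`Get-BitLockerVolume` reports removable drives with the volume type `Data`, so fixed and removable data drives share one expectation in this check.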

macOS

Please find all new macOS Features below. 

Defer Updates

If you are managing supervised iOS and iPadOS devices, you might already be familiar with the feature to postpone OS updates. With this Technical Preview, Administrators can defer operating system updates for up to 90 days on macOS devices as well.

When creating the OS Updates policy, ensure that Profile is enabled under the Tag definition.


Application XML Configuration

This Technical Preview provides the first draft of XML configurations for Enterprise applications on macOS devices. This feature is well known from iOS and iPadOS application management, and we are happy to bring the same capabilities to macOS. Navigate to the App Portal, select your managed application and click the Edit button next to App Config. Afterwards, provide a valid XML configuration according to the application developer's guidelines.


Application Feedback 

For customers using Android Enterprise, we are happy to introduce the first beta version of the App Feedback Channel. Some applications are capable of sending feedback in the form of a unique identifier (key), a corresponding message, the severity status and a timestamp. For this feature, the application needs to be integrated with the Enterprise Jetpack library. With this Technical Preview of Silverback, you will find a new device action named "Application Report" for Android Enterprise devices. By using the Force Report and Reload button, Administrators can receive feedback from installed and managed applications. As an example, receiving feedback is an important feature of the Samsung Knox Service Plugin. If errors appear when installing a configuration for the application, or in any other case, the information will be reported to Silverback and highlighted in the Management Console with a readable message.


Improvements

  • Application names, descriptions and family types for Volume Purchase Program applications will now be updated automatically
  • Added Managed Configuration iFrame hierarchies view (e.g. for Samsung Knox Service Plugin)
  • Removed HTTP-Header information
  • Added all public releases of Windows 10 (1803, 1809, 1903, 1909, 2004) to OS Version Compliance
  • Removed "null" version for Microsoft Business Application in assign application window
  • Changed ordering of settings for App Management section for Enterprise applications and aligned checkboxes
  • Added tooltip to Edit managed configuration for Android Enterprise applications
  • Removed Feedback Assistant application from enforced blacklist section