Ermetix 3.9 – RELEASE NOTES


Ermetix suite update version 3.9 now is live.
This update includes optimizations, hotfixes, an improved Support page and new important features including iOS 14, iPadOS14, tvOS 14 and Android 11 day-zero compatibility.

Single Sign-On (SSO)

Ermetix UEM 3.9 allows admins to enable the SSO letting the users access using company’s accounts.

SSO can be configured with one or more of the following identity services:

  • Google Workspace (aka GSuite)
  • Azure Active Directory or Microsoft 365 (aka Office 365)
  • Radius
  • SAML 2+, OpenSAML 2+; by ADFS or Shibboleth
single sign-on
Single Sing-On under Ermetix Admin > Global Settings

After SSO is configured, users can access to Ermetix login screens with other access methods, too.

The SSO is supported in:

  • Ermetix Admin
  • Ermetix MDM Agent for Android
  • Ermetix Learn for Android
  • Ermetix Bazaar for Android
  • Ermetix Teach webapp
  • iOS 13+ and iPadOS 13+ OTA Remote Management screen

Note: Ermetix Learn for iOS, Ermetix Teach for iOS and Ermetix Bazaar for iOS will support SSO in the next updates.

single sign-on
Ermetix UEM login screen with SSO services

Directory Sync

One of the new feature is Directory Sync, admin can choose one of the services to take users and roles synched with Ermetix UEM.

  • Google Workspace (aka GSuite)
  • Google Classroom
  • Azure Active Directory or Microsoft 365 (aka Office 365)
  • Microsoft School Data Sync
  • LDAP, OpenLDAP
Directory Sync
Directory Sync under Ermetix Admin > Global Settings

New Payloads

“Permitted Google Accounts” payload for Android
Admin can specify allowed Google Workspace (GSuite) domains and specific Google accounts.

permitted google accounts
Permitted Google Accounts payload under Ermetix Admin > Management > Devices or Groups > profile manager view

“DNS Settings” payload
Admin can specify Secure / Private DNS settings for iOS 14+, iPadOS 14+ and Android 10+.

dns secure
DNS Settings payload under Ermetix Admin > Management > Devices or Groups > profile manager view

“Cellular” payload for KNOX (Android)
Admin can manage APNs configurations with the integration of Samsung Knox framework.

Enhanced Work Profile for Android 11+

Android 11 has introduced Enhanced Work Profile.

Learn more about changes on MANAGEMENT IN ANDROID 11.

Now, it is possibile to choose the provision type for Zero-touch, KME under Device Enrollment and QR-Code under License.

passport
License under Ermetix Admin

New Restrictions for Android

  • Allow adjusting Volume (Android Nougat 7.0)
  • Allow unmuting Microphone (Supervised or Enhanced Work Profile only)
  • App Home launcher (Supervised only)
  • Allowed Accessibility Tools (Supervised only)
  • Location services level Precision (Supervised only)
  • Allow Status Bar (supervised or User Space only)
  • Pause limit on Enhanced Work Profile
  • Allow Ambient Display feature (Supervised only)
  • Allow modifying Brightness (Supervised only)
  • Keep Screen On during charge (Supervised only)
  • Allow Personal Apps (Enhanced Work Profile only)
  • Allow modifying WiFi settings
  • Allow configure Private DNS

Passcode improvements for Android

“Definition for Complex Passcode Policy” setting
Admin can now define criteria for “Complex” passcode policy.

passcode payload
Passcode payload under Ermetix Admin > Management > Devices or Groups > profile manager view

Additional lock screen limitations
Admin can now restrict devices notifications and camera in lockscreen.

lockscreen notifications
Passcode payload under Ermetix Admin > Management > Devices or Groups > profile manager view

“Strong Authentication time-out” setting
Admin can now specify a time-out to force user to authenticate via passcode.

strong auth
Passcode payload under Ermetix Admin > Management > Devices or Groups > profile manager view

Passcode age and history settings
Admin can now specify a maximum passcode age and history.

passcode age history
Passcode payload under Ermetix Admin > Management > Devices or Groups > profile manager view

Security Logs for Android 8+

Security Logs allow admins to track and watch system logs on Enhanced Work profile or Supervised devices.

security logs
Security Logs under Ermetix Admin > Monitoring

Security Logs can be enabled assigning a Monitoring payload to devices or groups. Choose the log level gravity to grab logs and sync with Ermetix UEM server.

monitoring payload
Monitoring payload under Ermetix Admin > Management > Devices or Groups > profile manager view

Android Enterprise Zero-touch integration

Now admins can create zero-touch configuration, set that as default and sync placeholders automatically.

To do this, admin has to sign into the Zero-touch Google account and choose options.

zerotouch sync
Android Enterprise Zero-touch integration under Ermetix Admin > Global Settings > Google

Note: you can specify what kind of provisioning type will be the main one: Supervised (Fully Managed) or Enhanced Work Profile (Android 11+).

Ermetix MDM Agent new extras bundle

Configuration for QR-Code or Zero-touch provisionings can be customized with new parameters:

  • “additionalProvisioningText”, text to show into the Welcome screen
  • “whiteLabelLogo”, url to customize the logo on the top
  • “provisionType”, 0 for Supervised (Fully Managed) and 1 for Enhanced Work Profile (Android 11+)
"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE":{
"Ermetix_activationCode":"YOURTENANTCODE",
"provisionType":0/1,
"additionalProvisioningText":"your additional text to show",
"whiteLabelLogo":"https://yoururl/resource.png",
}

Example of extras bundle json configuration for Ermetix UEM

New Global Settings

In Ermetix Admin > Global settings > General is possibile to change following new settings:

Close Ermetix MDM Agent after enrollment
Auto update policy for Android Enterprise apps
Teachers and Operators can now be enabled to have access and setup managed rules or view theirselves devices into Ermetix Panel

New iOS 14 features

iOS 14 introduces different updates on the Apple’s MDM protocol:

  • Allow user password to be updated in Exchange payload
  • DNS Settings payload
  • Per Account VPN for Calendar, Contact, Exchange, LDAP, Mail payloads
  • Prevent apps from displaying a preview in Notification payload
  • Wi-Fi MAC address randomization can be disabled with a Network payload
  • Skip Setup Assistant panes “Get Started” and “Update Completed” in Global Settings > Apple > Deployment program
  • Allow App Clips under Restrictions payload
  • Non-removable Managed Apps under Managed Rules
  • Set Timezone action in Management > Devices > Action menu
  • eSIM identifiers and info in Device details under Management > Devices > select a device
managed settings ios
Attributes under Ermetix Admin > Management > Apps & Media > Managed rules > select a rule > Apple > Gear button of an app
set timezone
Set time zone action under Ermetix Admin > Management > Devices > actions menu