Transcript
Specifically to start with, these are the five pillars that essentially we're going to be investing into AI everywhere. Oh, by the way, sorry, I have to introduce myself. I'm Aruna Kuretti. I'm the Director of Product Management, managing all of the SUVM portfolio that involves all of the on-prem and cloud MDM, along with the secure productivity apps that also includes MTD as well. Yeah, so just getting back to the strategic themes that we have that we'll be focusing on the upcoming quarters and the following year is AI everywhere, zero trust by default, unified admin experience, specifically customer-driven roadmaps, and of course, maintaining the partnership ecosystem. So we are embedding AI into every aspect of our platform in terms of detection, remediation, compliance, and of course, the user experience. So this means basically focusing on the automation means smarter automation and proactive security, which will help the IT teams become more efficient and driving better outcomes. Zero trust by default, again, as we know, security is foundational. We are moving to zero trust by default, enabling certificate-based access and robust conditional policies across all of our device platforms. Again, this helps you safeguard your environment without exceptions. Unified admin experience. This is, again, managing devices and users shouldn't mean jumping between separate portals. So we're going to unify workflows across the other product areas, such as Neurons and Neurons for MDM. So the admins get a streamlined, consistent experience, whether handling endpoint management or troubleshooting between the various product portfolios that we have within Ivanti. Also added to that, we're also working on the enhancements on the admin experience by itself on the Neurons for MDM and followed by EPMM to make ease of use for the admin. Part of this also, again, this will have AI embedded into the admin experience as well. 
So you'll be seeing more in the upcoming quarters on what are those details. Customer-driven roadmaps. Again, we want a roadmap to reflect your needs. So we are prioritizing customer-requested features, especially all our customers give us great feedback, which we definitely want to incorporate into a roadmap, which has a direct influence for future releases. Then partnership ecosystem. As you all know, we are tightly aligned with the leading technology partners, such as Apple, Google, Samsung, and Microsoft. So our goal is to deliver day zero readiness for all the OS updates and new devices so you remain secure and productive without any wait times. So that's on the high level where we are investing in our product and strategy going forward. With that, I'll just get started with the Android on the cloud and also cover the on-prem. What are the new capabilities that are coming in Q2? And I'll hand it off to my team members, each of them covering their following areas. And we also have Jason on the call, who is also a PM who manages the Windows, and he will be covering the Windows platform area. All right. So MTD is a mobile threat defense. As you all know, again, we have the partnership both with Zimperium and Lookout with the specified solutions with those specific partners. But again, the goal is to make sure the devices are secure. So on that note, we have a couple of features with the Zimperium integration. One is the ADB threat definitions. This, again, monitors and enforces strict policies around ADB usage to prevent unauthorized access and data risks on the managed devices. Then the smishing protection for specifically on the Android detects and blocks SMS phishing attempts to keep users safe from deceptive messages and data breaches. For the Lookout, smishing protection configuration on the Ivanti Admin Console. What this is, we do already have the smishing protection enabled on the Lookout. 
Essentially, the admin has to go to the Lookout portal and enable and disable the smishing protection when it's required. But what we did is we have provided an option of enabling smishing protection option on the Ivanti Console itself, where the admin doesn't have to keep going back and forth into Lookout Console to enable and disable smishing protection. So default, I think first, the initial enablement has to happen on the Lookout. But post that, you don't have to go into Lookout Console. Rather, just enable, disable the smishing protection within the Ivanti Console. Then we have granular classifications, both for iOS and Android, where for the Android, we have flags denied or suspicious storage permissions requests to help admins detect risky apps and reduce data leakage. And for the iOS, we have the alerts. These classifications alert admins when users deny notification permissions and ensure they can proactively maintain critical security communications. So for the Android, there are a few features that we have planned for our Q2 release, of which is the RCS archival support. This allows automatic archiving of RCS and SMS MMS messages via Ivanti MDM, supporting the custom RCS servers and third-party archival apps for compliance. So this is a feature from Google. At the same time, the customer would need to have the RCS server and also a third-party app that would like to use for the archival support. But again, MDM would be able to help you through pushing the app and managing that app that would be archiving the MMS and SMS messages. eSIM service subscription. This will enhance visibility to show detailed eSIM and SIM info on the Android devices, matching iOS for unified management and reporting. Then we have a clear app cache. This introduces remote app cache clearing for admins to improve device performance and storage across fleets. So this is the most asked feature from a lot of our customers. So this is something that we have put into our Q2. 
Then we have the Android client ticketing URL. So this enables admin to centrally configure and display a direct ticketing portal link in the app, improving the user access to support and reducing delays. So this ticketing URL will show up in a tab. We have a new support tab on the clients, both on the EPMM and the Mobile at Work and GoClient. So the Mobile at Work is also in works, so you'll be seeing that. Where the support tab will have your support phone numbers or if needed, email. Also, admin has a capability to put a link for the support portal, whichever the ticketing portal that you have as your organization, you can place that URL into that support portal tab, and then the end user clicks on that link, they are directly landed on that. Whatever the ticketing system that you have, that makes it much more convenient because you are able to check on the support tab if there is anything that you need help from the support team or you want to directly log a ticket, you can just click on the link and get onto the portal. It's more of an end user convenience that helps reduce the calls for this admin. This is beyond the enterprise. These are the Google VTs, some of the new capabilities that Google has introduced, of which the phase one, we're going to cover a couple of capabilities. One is the provide zero-touch provisioning and reprovisioning workflows for large and distributed Android fleets, which basically, again, supports a granular policy enforcement and efficient device lifecycle management. There is a couple of more extensions to this better together, beyond the enterprise features. You'll be hearing more in the upcoming quarters, which is laid out as a roadmap for us. Now, NFC, this has been introduced in the previous release from Google. 
However, there was some issue that Google had to fix, so we're bringing it back for the NFC, where it allows the granular control over NFC features to minimize security risks and meet regulatory needs in finance, health care, and government. This is basically an IL-5 compliance requirement that we're working on, where it supports including the organizational unit, the OU attribute in certificate signing, requests for Android Go clients. This is required for the DoD security and compliance standards, focusing on the security pieces of the areas. The EPMM, earlier I did mention about the support ticketing URL that will show up on the support tab. This is where you'll see the support tab. We are introducing the support tab with troubleshooting tools and self-service resources in the Android client, which basically empowers users to resolve issues independently and reducing IT ticket volumes. So this is how it's going to look like, and here is where you will also see where the user, the admin, can actually add a ticketing URL into this particular tab that will show up on your clients. It is available both on Go client, and this is going to be on the Mobile at Work in the Q2. This is the same thing, the ticketing system URL. As I mentioned, we're going to show up on the support tab where the end user will be able to click on that link and land on the ticketing system that you have for your organization. Enable the location services on the device. This is basically force enabling. So we are implementing the remote fleet-wide activation of location services on managed Android devices to ensure compliance and data reliability without user intervention. And we also have this smishing protection earlier configuration, the Ivanti Admin Console. As I mentioned, this is the option that we provided on the console, rather than admin going back and forth to enable and disable smishing protection on the Lookout. 
Instead, you will have this option within the Ivanti Console that you can take the control of enablement and disablement of smishing. We have already worked on it. It's just that we have some external dependencies on Samsung that we are waiting on to get a go. If we can actually open it up in Q2. So we are holding on to this. I cannot guarantee that this is going to be available in Q2, but it depends on the integration. So whatever the dependency that we have with Samsung is clear. But otherwise, we have this feature, which essentially is the integrates of Samsung Knox mobile enrollment for automated bulk device enrollment and unified policy management all within the console. So this basically reduces the manual work and security risk for Samsung devices and also cut down the step that you manage everything from the Samsung portal versus you will be managing everything from the Ivanti portal. Service subscriptions, again, same thing earlier. We have these details for SIM and eSIM data of the Android devices. Also matches the iOS devices for the consistency, which have much more visibility, which you could use it for your reports or for your filtering and try to get more details on the SIM and eSIM data. Also, establish policies based on that. Then we have always-on VPN lockdown. This is also one of the popular asks from the customers. What this is essentially is adding a support on EPMM to set always-on VPN package API options. This enables the admins to configure lockdown mode and lockdown allow list and also enforces strict connectivity restrictions when VPN is unavailable. But only-sorry about that again. I have some issue on the team's technical problems today. Apologies. Also permitting essential management functions, ensuring the security and compliance on all of the Android devices. So we'll be looking at what are some of the exciting enhancements that we are doing in these areas now. 
The first enhancements that we are doing is that we are going to do a force check-in of the devices whenever there's a change in the network status. Like if user migrate from Wi-Fi to cellular or vice versa. And why we are going to do that? Because when the network gets changed, so there are different configuration or the compliance status of the device that has to be pushed to the server immediately. If it is not pushed, it may pose a security risk also. So in order to get the latest update configuration and report the latest compliance status to the server, we are going to do the force check-in of the devices as soon as this network status changes. This is coming on iOS. We already support this on Android. I'll move to next. Then another feature that we are releasing is the option to disable app distribution de-scoping. So scenario here is that you have a super admin, you have a tier one, tier two admin within your organization. And you have asked certain administrators to distribute the application to certain set of groups or users. Now, in some cases, what has been observed by some customers is that some apps will be absolutely required to be there on the end users' devices in order to comply for them for certain regulatory and organizational policy that it must be there. But accidentally or maybe because of not knowing, it has happened that they de-scope those applications and those applications get removed from those devices. And there's no control with the super admin right now to restrict that. So this is where we are bringing this control. So we are going to introduce this RBAC control, which will allow super admins to not allow any application distribution de-scoping to the users. Then there's no audit log getting generated right now. Whenever you do add, delete or edit device group, now you will see that audit logs are getting generated for these actions also. This is a small announcement. So currently this OS build version as an attribute is missing. 
Whenever you go for creating a device group. So this will help you to create a device group based on OS build version. And by the way, we are working a lot on these attributes right now. We are planning to expand these attributes as much as we can in the coming releases so that customers will have a better control and more attributes that they can use while creating the, filtering the devices or creating the device groups. Okay. So next announcement that we are doing. So most of you will be aware about the send message action that you send to the users to notify certain things. So now that send message action will also support the variables that you can use the variable like device name while sending the message. And so it will, that actual device name will get appended into that message. This, I will not talk about this. So we are providing a control to enable disable smishing protection on Neurons for MDM. Okay. On the platform side, we are, we are support, we'll be supporting our cloud connector on Azure and it will be also supported with IPv6. So this is the HRN use case. So HRN is a highly restricted network from Apple. So we will be supporting this Samsung NOS and other devices session on that network also. Then there's an announcement of supporting the user provided certificate in Base64 format because this KSPR, which is from Samsung, it only supports this certificates in Base64 format. And we'll now also give the ability to upload this certificate in Base64. With Email+, we now support Apple's Liquid Glass system design, which is delivering a more expressive and immersive UI experience, which is fully aligned with Apple's latest visual evolution. So that is one part of Email+. And second is we have improved the calendar invite experience to reduce the number of steps. 
Users can now open the meeting invite directly from the inbox with a single tap by using the RSVP action, which actually eliminates the need to open the invite first and then the attachment and then looking into the invite. This is streamlined flow, which will provide quick visibility into, it also provides visibility into the nearby events and schedule conflicts so that it is easier to, and very faster to respond to meetings. Yeah, on the Email+ for Android, we'll be supporting their Teams integration, which was a long ask, which you already support on iOS, which is now we're going to support this on Email+ Android as well. And coming to AppConnect, SwiftUI and UIKit, you know, like are the Apple's two main UI frameworks. So while UIKit is the legacy imperative framework, the SwiftUI is Apple's modern declarative framework, which is now recommended for all the new development. So when we say AppConnect now supports SwiftUI, it means that AppConnect can connect, correctly integrate with and enforce the security policies on iOS applications built using the SwiftUI lifecycle. So, and this is in addition to the traditional UIKit-based apps as well. These are some of the key features for the productivity app side. And yeah, pretty much for the productivity apps. So I'll hand over to Yosune. So let's start with Neurons for MDM. I think one of the major features that we have for this release is the ability to set up the latest version in the enrollment profile. As you know, Apple introduced this feature to have a version as the minimum OS version during DEP or ADE enrollments. And one of the customer requests was the ability to be able to update this automatically from the Apple Lookup service. So instead of manually having to change the version, every time there is a new version out there, which happens very frequently, we can, our customers now can select latest version and that will generate it automatically. And that will be the minimum OS version. 
So whatever is out there released by Apple, that will always be the latest OS version. Then for enrollment options, there are new enrollment options is the do not use profile from backup. So now customers can choose not to use that backup profile when they are re-enrolling a device. So if the same device doesn't get the same profile and will get and generate a new profile during enrollment. Then for macOS, we have a new console ability where you, let's say a customer, an end user needs to lock the device. So then the admin generates a PIN and pass it to the end user. That end user leaves the company and we didn't have a way to retrieve the PIN so we can unlock that device again. So now there will be a way for that PIN that was generated by the admin to be stored in the console and say, and the admin will be able to retrieve it and see it in the console for that unlocking. Since the unlock command doesn't exist for macOS, it's not available from the Apple commands. It's only available for iOS today. So we provided this option to help with the use case. Another macOS improvement, following parity that we had with Windows is the ability to push some scripts to some specific devices ad hoc. So you can go into your device list, select the devices, the macOS devices that require a specific script. And then that script will be pushed to those devices via this feature. So you can click in scripts and actions, select the script that you already created, of course, in the script tab, and then you can push it directly to those devices. You don't need to change or manage the configuration itself. It will be our command and pushed directly via the macOS agent. As you know, we are, and Manoj also mentioned, we are in the transitioning of declarative device management. So slowly all our current configurations will be transformed. We already support the framework. There are many configurations that are declarative management already. 
Some of them are net new because as you know, most of the customer of the new configurations, they come in declarative management already by Apple. But then we have all these other configurations that have been there in MDM protocol for a long time. So Apple has given us the option or the ability to transform this legacy configurations into DDM without having to disrupt our customers' workflows. So you don't have to push a new configuration. You don't have to migrate it yourself. So new configurations for passcode in this case will be automatically leveraging declarative device management in the backend. And this is how we've been transitioned some of the configurations. Single app mode has also been transitioned in that way. So your current configurations deployed to the devices will not be impacted. They are still in MDM protocol. A new configuration that you create, that will come in declarative management. And what is the benefit of now having passcode configuration in declarative management, is that you can leverage the predicates. So predicates are conditions, specific conditions. Today, for example, when you are managing your watchOS that are linked to a device, if you push a passcode configuration, it automatically goes to the watchOS as well. So we have many use cases that customers that are managing the phones, but not the watches. But if there is a watch assigned to it, if you set up a six digit passcode for the phone, it will also apply to the watch. And that was not the desired behavior. Now with this passcode config in DDM, you can specifically say that that passcode config should only apply to iOS. And that will limit the configuration to that and it will never pass to watchOS because you have not defined that condition. So predicates can be created. If you go to admin Apple predicates, it's in COCA language and you have to define it. But that's how you add them there in the distribution tab of the configuration. 
You will see for any DDM configuration at the bottom of the distribution, it will say activation with predicates. And this goes on top of the device groups. So these are just conditions that you can apply. In terms of the Ivanti Go app, we have added a new return to service home and at the home screen. So for many customers that need to quickly wipe a device and reprovisioning on site, let's say you're in a manufacturing facility, you are in a hospital that need to pass that iPad from a patient to another patient and you don't have time like the admin to go and repurpose the device. You need the staff that it's on the floor quickly to be wiping that device and not do anything else for the reprovisioning and the re-enrollment into the MDM. So with this return to service button, now you can enable it. It's not there by default, of course. You can enable it with a KVP into your app configurations and that home button will show. And then when an end user clicks on this home button to repurpose the device, it will automatically wipe the device and it will automatically grab the profile from the ABM. So everything will be automatic. It's only one touch for your end user and then the device will be completely wiped. Everything will be erased. So privacy will be maintained from patient to patient, for example, but then everything will be back into the device without any extra effort. Wi-Fi profiles, the applications that are required, et cetera. Everything will be back on the device without extra effort. And before I pass it to Jason, I want to touch upon EPMM on the Apple side. So on EPMM, also we have this do not use profile from backup coming in our Q2 release 12.9. So customers can leverage that as well. Also, we're having the latest version, same as in iOS. So you can have a latest version for the enrollment profile for iOS and also for macOS that will search the Apple lookup service for the latest version available to set up as the minimum version. 
This is a new security request. So in the CERT pinning in the enrollment keys, there are some new requirements that we added for our EPMM customers. Apple has added a few new keys that we didn't have in the enrollment profile for CERT pinning, and those will be now available. So for checking the URL, pinning the revocation, and server URL pinning certificate UID. So all of these new keys will be available in our Q2 release. We've been talking about this, the Raise a Support Ticket button. So to be able to enable it into the Mobile at Work app, we already have it available in our Go application on the cloud, but in EPMM, we are releasing it now in Q2. So this will be available there. So you can have, like Aruna mentioned, because it's also for Android, you will add the URL and that will automatically show the raise to, with the toggle, I'm sorry, will be showing the Raise a Ticket on your Support tab in the Mobile at Work app. We have also added support for the latest Windows versions. So if you have any Windows devices, as you know, we are maintaining our current deployments and the latest versions support it. No new features are added, but at least your devices are covered if you haven't migrated out of the EPMM for Windows devices yet. So in the version, as I mentioned before, so we added the server side of the Raise a Support Ticket button, so where you can configure it, so that configuration is coming. And then, of course, this is how it's going to look like in your Mobile at Work Support tab. You're having this button now once you enable it. So customers will click here and it will automatically take them to the URL that you defined for your support portal. All right. We have a few ways to do scripts within Windows MDM, but now we want to be able to directly from the device screen be able to just select a script so you don't have to change your flow, move into a different format, backspace, whatever, back into it. 
So this release will provide the ability to directly pick a script from the devices view. You can either list it from the list or you can manually upload it based on a radio button selection, and that will just help ensure the workflow and moving forward on that. Google BeyondCorp for Windows, we added a single account prior, but with Windows Google BeyondCorp, you can possibly have multiple accounts within the Windows OS, unlike within Mac or Android where you're limited to an account. So we are working on this. As you notice, this is a stretch. We're hoping to have this completed. We're putting up the finishing touches before release. If not, we will carry this in and it will release next quarter. ADMX backend profiles continued. Two things on this. We'll continue to add the ADMX policies and the CSPs to it. That is a rather lengthy list that is constantly changing every update from Microsoft, and so we're working to keep on it. We are also uploading the new ADMX profile builder out of sandbox into all landscapes upon release of this quarter's build. So we're excited for that one. All right. Well, thank you everyone for joining us.