Infos
Ivanti Endpoint Manager Mobile (Ivanti EPMM) is a mobile management software engine that enables IT to set policies for mobile devices, applications, and content. This product enables mobile device management, mobile application management, and mobile content management capabilities.
Ivanti Endpoint Manager Mobile (Ivanti EPMM) brings together comprehensive security and Unified Endpoint Management (UEM) tools including:
- Mobile Device Management (MDM)
- Mobile Application Management (MAM)
- Mobile Content Management (MCM)
With Ivanti EPMM, you can securely manage the lifecycle of mobile devices and mobile applications, from registering a device with Ivanti EPMM, to retiring the device from Ivanti EPMM management. When using an Ivanti EPMM managed device, device users can securely access corporate data, email, and mobile apps that you control and distribute using Ivanti EPMM.
What can you do with Ivanti EPMM?
Ivanti EPMM allows you to:
- Connect to backend services such as LDAP and leverage LDAP users for use in Ivanti EPMM.
- Register both company- and employee-owned devices to be managed by Ivanti EPMM.
- Configure and push to devices policies and settings such as VPN settings and security policies.
- Securely synchronize data from backend systems such as corporate email.
- Distribute, install, and manage both publicly available and in-house mobile apps.
- Leverage existing platform-specific mobile device management protocols, such as iOS MDM.
- Configure and push certificates to devices.
- Configure and enforce compliance rules to handle compromised or stolen devices.
Users
- How many admins? (Admin Portal > Admin > Admins)
- misystem user: is the default password still in use?
- User management: Admin Portal > Devices & Users > Users
- LDAP servers (Admin Portal > Services > LDAP)
  - Ensure LDAPS is used (port 636)
  - Advanced Options > Quality of Protection: Authentication with integrity and privacy protection
Local users
- Devices & Users > Users
- Check password complexity enforcement (Settings > Security > Password Policy)
  - The password length must be 128 or less.
  - The password cannot be the same as the user ID.
Security Policies
Password fields | Recommended value |
---|---|
Password | Mandatory |
Password Type | Alphanumeric: Requires passwords to include at least one letter and one number. |
Complex PIN (Android only) | On |
Minimum Password Length | 10 - 12 |
Maximum Inactivity Timeout | 5 minutes |
Minimum Number of Complex Characters | 1 = digits only (the default); 2 = digits and lowercase letters required; 3 = digits, lowercase letters, and uppercase letters required; 4 = digits, lowercase letters, uppercase letters, and special characters required. |
Maximum Password Age | 90 days |
Maximum Number of Failed Attempts | 5 |
Password History | 4 - 5 |
Grace Period for Device Lock | 15 |
Data Encryption (these features are not supported on iOS or macOS devices) | |
Device Encryption | On |
Data Type | For Android devices only: Indicates the data type. |
File Types | For Android devices only: Indicates the file type. |
SD Card Encryption | On |
Device Log Encryption | On. See “Device log encryption” in the Device Management Guide for Android Devices. |
Android (For Android only) | |
Require strict TLS for Apps@Work (Android only) | Enabled (select this box) |
Common Criteria Mode (Samsung Knox and LG only) | Enabled (select this option) |
Block SmartLock (from Android 6.0 only) | Enabled (select this option) |
Block Smart Lock Options (from Android 6.0) | Enabled |
Block Bluetooth | Enabled (to discuss) |
Block NFC | Enabled |
Block Places (Location) | Enabled |
Block Face | Enabled |
Block On-body | Enabled |
Block Voice | Enabled |
Block Fingerprint (from Android 6.0 or Samsung MDM 5.3) | Enabled |
Block Iris Scan (Samsung and Android 9.0) | Enabled |
Block Face Unlock (Samsung and Android 9.0) | Enabled |
Require Google SafetyNet Attestation | Enabled |
Block notifications on lock screen | Enabled |
Allow only redacted notifications on lock screen | Enabled (or block lock-screen notifications entirely, as in the row above) |
Windows Phone 8.1 | (For Windows Phone 8.1 devices only.) |
Firewall | On |
Anti-Virus | On |
Auto-Update | On |
Windows 10 | (For Windows 10 devices only.) |
Defender Real-time Protection | On |
DHA On-premises URL | On |
Access Control | |
For the following options, select the compliance action you want to apply to devices that trigger access control. For detailed information on the impact that compliance actions have on devices, see “Compliance actions for security policy violations” in the Ivanti EPMM Device Management Guide for your operating system. | |
For All Platforms | |
Apply compliance action when a device has not connected to Ivanti EPMM in x days | Select the compliance action you want to apply if a device has not connected to Ivanti EPMM in the specified number of days. iOS: all compliance actions are supported if MDM is enabled, except those related to Android devices, “When Data Encryption is disabled”, and Application Restrictions; Ivanti EPMM only checks whether MDM policies are out of date. macOS: you can send an alert and quarantine the device. Android: only sending an alert, blocking email access (if you are using a Standalone Sentry for email access), and blocking app tunnels are supported. Windows: only sending an alert, blocking email access (if you are using a Standalone Sentry for email access), and supported custom compliance actions. |
Apply compliance action when a policy has been out of date for x days | Select the compliance action you want to apply if a device has not met policy requirements for the specified number of days. iOS: all compliance actions are supported. macOS: you can send an alert and quarantine the device. Android: only sending an alert, blocking email access (if you are using a Standalone Sentry for email access), and blocking app tunnels are supported. Windows: only sending an alert, blocking email access (if you are using a Standalone Sentry for email access), and supported custom compliance actions. |
Apply compliance action when a device violates the following App Control rules | Select the compliance action you want to apply when a device violates the specified App Control rules. See the Ivanti EPMM Apps@Work Guide. |
iOS and tvOS devices | |
Apply compliance action when iOS version is less than | Select the compliance action you want to apply when Ivanti EPMM detects an iOS device having a version number less than the specified version. |
Apply compliance action when a compromised iOS device is detected | Select the compliance action you want to apply when Ivanti EPMM detects an iOS device that has been modified to circumvent manufacturer restrictions. In Ivanti Mobile@Work, if the compliance action specifies “Enforce compliance actions locally on devices”, the following compliance actions, if selected, are enforced on the device without connecting to Ivanti EPMM: alert the device user with a banner or notification; block AppConnect apps (the device user becomes unauthorized to use AppConnect apps); retire AppConnect apps (the device user becomes unauthorized to use AppConnect apps and the apps’ secure data is deleted). All other compliance actions require the device to be connected with Ivanti EPMM. |
Apply compliance action for the following disallowed devices | Select the compliance action you want to apply when Ivanti EPMM detects a specified iOS device, such as AppleTV or iPad 2. |
Apply compliance action when device MDM is deactivated (iOS 5 or higher) | Select the compliance action you want to apply when Ivanti EPMM detects that the MDM profile has been removed from the device. |
Enable Activation Lock (Supervised iOS 7 and later devices only) | Enabled |
Only join Wi-Fi networks installed by profiles (iOS 10.3 and later with supervised devices only) | Enabled |
iOS devices | |
Apply compliance action when Data Protection is disabled | Select the compliance action you want to apply when Ivanti EPMM detects an iOS device that has the Data Protection feature disabled. Note: If the data protection feature is required for devices in the security policy, or if the password requirements are imposed, tvOS devices will fail to satisfy the policy because Apple does not support password requirements. To impose this requirement on your devices, create a separate policy for tvOS devices. |
macOS | |
Apply compliance action when macOS version is less than | Select a compliance action to apply when the macOS version on the device is less than the version you select from the drop-down list. |
Apply compliance action when Full Disk Encryption (FileVault) is disabled | Select a compliance action to apply when full disk encryption (FileVault) is disabled on the device. |
Apply compliance action when device MDM is deactivated | Select a compliance action to apply when the MDM (mobile device management) profile is deactivated on the device. |
For Android devices only | |
Apply compliance action when Android version is less than x | Select the compliance action you want to apply when Ivanti EPMM detects an Android device having a version number less than the specified version. |
Apply compliance action when a compromised Android device is detected | Select the compliance action you want to apply when Ivanti EPMM detects an Android device that has been “rooted,” that is, root access has been given to an app. |
Apply compliance action when Data Encryption is disabled | Select the compliance action you want to apply when Ivanti EPMM detects an Android device that has the Data Encryption feature disabled. The quarantine action Remove All Configurations has no impact when data encryption is disabled. |
Apply compliance action when Samsung Knox device attestation fails | Select the compliance action you want to apply when Ivanti EPMM detects that a Samsung Knox device has failed an attestation check. |
Apply compliance action when device administrator is deactivated | Select the compliance action you want to apply when Ivanti EPMM detects that the device administrator privilege has been removed from the Ivanti Mobile@Work app. The quarantine action Remove All Configurations has no impact when the device administrator is deactivated. |
Apply compliance action when USB debug is enabled | Select the compliance action you want to apply when Ivanti EPMM detects that USB debugging was enabled. |
Bypass Factory Reset Protection | Disabled |
For Windows devices only | |
Apply compliance action when Windows version is less than x | Select the compliance action you want to apply when Ivanti EPMM detects a Windows device having a version number less than the specified version. |
Don’t allow simple password | Check this box |
Apply compliance action when Data Encryption is disabled | Select the compliance action you want to apply when Ivanti EPMM detects a Windows Phone 8.1 device that has the Data Encryption feature disabled. |
Application Restrictions | Enabled |
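To turn the recommended values above into a repeatable review check, the following added example (my own code, not Ivanti's; the flat export format and key names such as `minimum_password_length` are assumptions) compares an exported policy against the table and reports deviations, treating settings stricter than the table as compliant and unset fields as findings.

```python
# Added example (not Ivanti code): audit a security-policy export against the
# recommended values in the table above. The flat key names are assumptions.
# (key, rule, threshold/expected, platforms or None); at_least/at_most accept stricter settings.
CHECKS = [
    ("password_type", "equals", "Alphanumeric", None),
    ("complex_pin", "equals", "On", {"Android"}),
    ("minimum_password_length", "at_least", 10, None),
    ("maximum_inactivity_timeout_minutes", "at_most", 5, None),
    ("maximum_password_age_days", "at_most", 90, None),
    ("maximum_failed_attempts", "at_most", 5, None),
    ("password_history", "at_least", 4, None),
    # Data Encryption rows are not supported on iOS/macOS, so skip them there.
    ("device_encryption", "equals", "On", {"Android", "Windows"}),
    ("require_safetynet_attestation", "equals", "Enabled", {"Android"}),
    ("bypass_factory_reset_protection", "equals", "Disabled", {"Android"}),
]

def check_policy(policy: dict, platform: str) -> list:
    """Return (key, actual, recommendation) for every deviation. A missing
    key is a finding too, so an unset field is never treated as compliant."""
    findings = []
    for key, rule, want, platforms in CHECKS:
        if platforms is not None and platform not in platforms:
            continue
        actual = policy.get(key)
        if actual is None:
            ok = False
        elif rule == "equals":
            ok = actual == want
        elif rule == "at_least":
            ok = actual >= want
        else:
            ok = actual <= want
        if not ok:
            findings.append((key, actual, f"{rule} {want}"))
    return findings

# Constructed sample export for an Android policy with several weak settings.
SAMPLE_POLICY = {
    "password_type": "Simple",                # weaker than Alphanumeric
    "complex_pin": "On",
    "minimum_password_length": 6,             # below the recommended 10-12
    "maximum_inactivity_timeout_minutes": 2,  # stricter than 5: compliant
    "maximum_password_age_days": 365,         # above 90 days
    "maximum_failed_attempts": 5,
    "password_history": 5,
    "device_encryption": "On",
    "require_safetynet_attestation": "Enabled",
    # bypass_factory_reset_protection is unset and is therefore reported.
}
```

Running `check_policy(SAMPLE_POLICY, "Android")` yields four findings (password type, minimum length, password age, and the unset Factory Reset Protection setting); the same export checked as an iOS policy skips the Android-only rows.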