Release Notes

October 2019

What's New

In our October release, we’ve added new macOS FileVault full disk encryption functionality. This new functionality improves the security of macOS devices—and when used with KACE Cloud MDM Policies, FileVault can be added automatically to devices during enrollment. KACE Cloud MDM FileVault functionality is available for both DEP and BYOD macOS devices.

New Feature: FileVault/macOS Imaging

What is FileVault?

FileVault is the name for macOS disk encryption. The current version is FileVault 2, which encrypts the disk using AES in XTS mode (AES-XTS) with 128-bit blocks and a 256-bit key. FileVault-enabled users can unlock the disk with their password at the pre-boot stage on a FileVault-enabled macOS device.

Through KACE Cloud MDM, an administrator can choose whether to set up a personal or institutional recovery key, or both. An admin can also choose whether to show the personal recovery key to the user during FileVault setup and whether to include the personal recovery key as part of KACE Cloud MDM's device inventory process.

Learn more about FileVault Recovery Keys.

macOS MDM as an Installation Method

For macOS, imaging is considered a deprecated technology and is no longer supported. The APFS file system, which is now mandatory for macOS, means imaging is no longer possible. And the newer Apple T2 chip prevents net booting, which is another requirement for imaging.

macOS MDM is Apple’s recommended replacement for macOS Imaging, and there are a number of advantages when moving from the SDA to KACE Cloud MDM for macOS deployments. Benefits include:

  • Easier Setup
  • Zero-touch Enrollment
  • Built-in OS support—including support for 10.14+
  • Built-in Security
  • Speed of Deployment
  • Remote Access Benefits
  • Post-Deployment Management
  • No Memory Limit

Learn more about FileVault Management and Configuration.

Resolved Issues

Issue | Description | Status
3308 - Job counts are incorrect. | Application of passcode rules to managed Android devices was failing. | Fixed
3253 - Android: Which passcode policy is applied to a fully managed device? | For jobs which include a command for a device that was originally marked as timed-out, the counts would be incorrect if that device did eventually respond. | Fixed
3202 - Unable to upload custom Android App | Customers can now upload updated APK Android packages. | Fixed
3122 - Combination of 'Kiosk Mode' iOS Profile and app in policy may cause device lock up | If policy includes iOS Profile that sets devices to kiosk mode as well as the app that should run, device enrollment may not complete successfully. | Fixed
3112 - Deleting apps from the library fails when they are linked to policies | If an app is linked to a policy, deleting that app from the library may occasionally fail. | Fixed
3100 - Unable to delete certificate linked to policy | If a certificate is linked to a policy, deleting that app from the library may occasionally fail. | Fixed
3096 - Policy configs not removed from device after deactivating policy | Sometimes when deactivating a policy, items are not removed from all devices. However, during the next inventory of that device, the removal of appropriate items should be triggered. | Fixed
3090 - Deleting label from library does not unlink associated device from policy | When a label is deleted from the library, policies which include that label are not immediately updated. This could result in devices being incorrectly included when evaluating those policies. | Fixed
2789 - Phone number not reported in Work Profile if not baked into the SIM. | If the phone number is not baked into the SIM, the Android telephony APIs won't return the number. | Can't Fix
Performance concerns: Policy Management | Improved performance for policy management. | Fixed
Android - Can't see device info after enrollment | Android device information would sometimes not show up after enrollment. | Fixed
'About' page subscription information | Subscription information was displayed incorrectly on the About page. | Fixed
Need for iPadOS support for enrollment | Added support for enrolling devices running iPadOS. | Fixed
Need support for multi-part configuration variables | Account configurations now support multi-part configuration variables. | Fixed
iOS/macOS - Need OAuth authentication support for both | Account configurations now support OAuth authentication (iOS and macOS). | Fixed
iOS - iOS devices unenroll when certificate expires | Fixed issue with iOS devices unenrolling when certificate expired. | Fixed
LDAP Sync - Attributes being duplicated in multi-domain configs | Fixed LDAP Sync Service issue where attributes were being duplicated in multi-domain configurations. | Fixed
Default app configs are recreated with every VPP sync | Fixed issue with default app configurations getting recreated with each VPP sync. | Fixed
Need to be able to use country-specific Apple app stores. | Added support for using country-specific Apple App Stores. | Fixed
OpenID Connect - Problem with OpenID Connect SSO config | Fixed issue with OpenID Connect SSO configuration. | Fixed

Known Issues

Issue | Description | Status
3286 - Apparent mismatch between device compliance and individual entity compliance. | Occasionally the policy details for a device may show success even if the entity in question did not successfully install. | Open
3108 - Auto-deployed Android restrictions don't appear in the device restrictions list | If auto-deployed restrictions for Android are sent to the device, the database may not be properly updated. | Open
3070 - System attempts to remove policy configs when unassigned device is assigned to a user | During reassignment of a device to a user, removal of previous configurations may fail. If this happens, it may be possible to work around this by first unenrolling the device. | Open
Android - Role Management and SSO Configuration | If user role assignment is set to Automatic during SSO Configuration, a manual attempt to update an individual user's role via the Users > Edit User path may appear possible, but will be overwritten by the original SSO Configuration. To resolve, the configuration setting can be changed to Manual, which will then enable editing of individual user roles. | Open
Android - Restrictions | Restrictions that are configured to deploy upon enrollment may not immediately appear in the inventory for impacted devices; however, the restrictions will be enforced on the device. | Open
Android - Device Owner Setup | When using the Device Owner enrollment flow (afw#kace), the enrollment flow may not complete if the Google Play services on the factory default image of the device are out of date. This is a known issue with the Android operating system, caused by the enrollment process timing out before the update of the Play Services on the device can complete. You will know that this situation occurred if you are never asked for your subdomain name during the enrollment process. If you end up back at the device home screen, locate and launch the KACE Cloud MDM agent app on the device and click the 'Enroll Device' button to complete the setup process. | Open
Android - Gmail App | Android devices require the Gmail app to be installed in order to use the email account configurations. | Open
Android - Set and Clear Passcode Commands | The set and clear passcode functions are different in Android 7.0 and later. On versions prior to 7.0, an administrator could set or clear the passcode as desired. On Android 7.0 and later, the passcode can only be set on devices that do not already have a passcode set, and passcodes cannot be cleared. The user interface does not currently warn users who are attempting to set or clear a passcode on Android 7.0 and later, but an error message will appear. Note that attempting to clear a passcode will also fail if there is a policy in place that requires use of a passcode to do so. | Open
iOS - Factory Reset: Apple iOS iCloud Account Lock | When resetting an Apple iOS device back to factory defaults, the device will remain locked to the associated iCloud account. To prevent this from happening, before resetting the device, manually turn off the 'Find my phone' feature on the iPhone. | Open
macOS - macOS 10.15 Account Configuration | During enrollment, if the ‘Prevent Primary Account Changes’ option is checked and DEP authentication is enabled, the primary account will be created automatically using the DEP authentication token as the account password. While still in the enrollment process, the password cannot be changed. However, once enrollment is complete, the account password can be changed as normal. | Open

Additional Resources

Getting Started Guide

Admin Guide

© 2019 Quest Software Inc.


This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software Inc.

The information in this document is provided in connection with Quest Software products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest Software products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest Software does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software Inc.

Attn: LEGAL Dept.

4 Polaris Way

Aliso Viejo, CA 92656

Refer to our website for regional and international office information.


Quest Software is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website.


Quest and the Quest logo are trademarks and registered trademarks of Quest Software Inc. in the U.S.A. and other countries. For a complete list of Quest Software trademarks, please visit our website. All other trademarks, servicemarks, registered trademarks, and registered servicemarks are the property of their respective owners.