Release Notes

July 2019

What's New

This month we’re announcing the general availability of our Policy Management and macOS Enrollment features. Our fully functional policy management feature extends touchless configuration and management of mobile devices while enforcing device compliance. The full macOS enrollment workflow now includes the ability to manage passcodes, which aligns it with iOS enrollment capabilities.

In addition to the GA of policy management and macOS enrollment, we’re also releasing App Usage Restrictions for Android.

Policy Management - General Availability

Admins can now create, manage, and link policies in KACE Cloud MDM, as well as access compliance information for users and devices. The policy library contains different configuration packages that include settings for Wi-Fi, VPN, apps, passcodes, and OS-specific options. To illustrate the basic workflow of policy management, we've included the diagram below.

IMG: Policy Management Workflow

The Default Policy

When first setting up policy management in KACE Cloud MDM, the default policy will be pre-populated with all library configurations that were previously marked for auto deploy on enrollment The auto deploy checkbox has been functionally replaced by the Default Policy feature. With the release of the Policy Management GA, rules and restrictions are automatically deployed to all devices and users. These settings may be altered by editing the default policy or by creating and applying additional policies.. An admin can edit any of the policy settings; however, the order of the default policy in the policy list cannot be changed. The default policy is the baseline created by the system and will always be applied first to all users and devices. Policies that are added subsequently will take precedence over the default policy in the event of a conflict.

Labels and Policies

Labels are the key component for linking policies with users and devices. To link a group of users and/or devices with a policy, an admin can:

Link a Policy with an Existing Label: From an individual policy page, select ‘Applies To’ in the left-hand navigation, then locate a label and click the 'Link to Policy' button. See complete instructions in Policy Management documentation.

Link a New Label with a Policy: From the labels library, add, configure, and save a new label. Next, go to the policies library—and from an individual policy page, click the 'Link Labels ...' button. Select the new label, then click 'Link to Policy'. See complete instructions in Policy Management documentation.

---

macOS Enrollment - General Availability

macOS device enrollment follows the same process as enrolling an iOS device. After installing a provisioning profile on the mobile device, the admin provides an enrollment URL to the device user to initiate enrollment. We recommend using the Safari browser to ensure a better enrollment experience for the end user.

Passcode Management

Admins can now manage passcodes for macOS devices just as they would for iOS devices. From the passcode rules library, add a new rule set—noting the icons adjacent to each rule and restriction. Some rules can be applied to both iOS and macOS, and some rules will apply to only one or the other.

Apple Device Enrollment Program

The Apple Device Enrollment Program (DEP) is also available to admins enrolling macOS devices. Apple DEP lets admins create an automated device enrollment process for their end users on macOS devices. Set up automated enrollment using Apple DEP.

Learn more about macOS Enrollment.

---

Functional Enhancement

Android App Usage Restrictions

The new Android app usage restrictions are the equivalent of usage restrictions for iOS; however, Android does not support the ability to 'disallow' or 'block' apps. With Android, admins can achieve the same results by choosing to 'Allow ALL approved apps' or 'Allow specific apps'.

Learn more about Android App Usage Restrictions.

---

Known Issues

Role Management and SSO Configuration

If user role assignment is set to Automatic during SSO Configuration, a manual attempt to update an individual user's role via the Users > Edit User path may appear possible, but will be overwritten by the original SSO Configuration. To resolve, the configuration setting can be changed to Manual, which will then enable editing of individual user roles.

Android-Specific Considerations

Restrictions

Restrictions that are configured to deploy upon enrollment may not immediately appear in the inventory for impacted devices; however, the restrictions will be enforced on the device.

Device Owner Setup

When using the Device Owner enrollment flow (afw#kace), the enrollment flow may not complete if the Google Play services on the factory default image of the device are out of date. This a known issue with the Android operating system, caused by the enrollment process timing out before the update of the Play services on the device can complete. You will know that this situation occurred if you are never asked for your subdomain name during the enrollment process. If you end up back at the device home screen, locate and launch the KACE Cloud MDM agent app on the device and click the 'Enroll Device' button to complete the setup process.

Gmail App

Android devices require the Gmail app to be installed in order to use the email account configurations.

Set and Clear Passcode Commands

The set and clear passcode functions are different in Android 7.0 and later. On versions prior to 7.0, an administrator could set or clear the passcode as desired. On Android 7.0 and later, the passcode can only be set on devices that do not already have a passcode set, and passcodes cannot be cleared. The user interface does not currently warn users who are attempting to set or clear a passcode on Android 7.0 and later, but an error message will appear. Note that attempting to clear a passcode will also fail if there is a policy in place that requires use of a passcode to do so.

iOS-Specific Considerations

Factory Reset - Apple iOS iCloud Account Lock

When resetting an Apple iOS device back to factory defaults, the device will remain locked to the associated iCloud account. To prevent this from happening, before resetting the device, manually turn off the 'Find my phone' feature on the iPhone.

 

Additional Resources

Getting Started with KACE Cloud MDM

 

---

© 2019 Quest Software Inc.

ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software Inc.

The information in this document is provided in connection with Quest Software products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest Software products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest Software does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software Inc.

Attn: LEGAL Dept.

4 Polaris Way

Aliso Viejo, CA 92656

Refer to our website (www.quest.com) for regional and international office information.

Patents

Quest Software is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at www.quest.com/legal.

Trademarks

Quest and the Quest logo are trademarks and registered trademarks of Quest Software Inc. in the U.S.A. and other countries. For a complete list of Quest Software trademarks, please visit our website at www.quest.com/legal. All other trademarks, servicemarks, registered trademarks, and registered servicemarks are the property of their respective owners.