New Mobility Clients for Windows (January 17, 2018)Versions of Mobility prior to v11.32 are fully compatible with recent Windows updates (released January 3 and 9, 2017) that address the Spectre and Meltdown vulnerabilities. However, we anticipate the release of a subsequent Windows update that will be incompatible with pre-v11.32 Mobility clients. NetMotion Software has released new Windows 10, Windows 8, and Windows 7 Mobility clients that address this future incompatibility. You must upgrade to Mobility v11.32 before applying the expected Windows updates, otherwise Mobility will not work as expected. You must be proactive and install the v11.32 Mobility clients now to prevent incompatibility with the expected Microsoft updates. On January 17, we sent an email to Mobility administrators and posted an FAQ addressing this issue in more detail. There is no need to update the Mobility server. Notes: For administrators who require a Mobility XE client, which uses an earlier client architecture, the release you must upgrade to is Mobility XE, v10.74. If you are running security software from Trend Micro, read the description of MOB-12067 before upgrading.
About Upgrading MobilitySettings: When you upgrade Mobility, the settings that you have configured in the earlier release are used in the new installation. But sometimes NetMotion Software will change settings and you need to be aware of the consequences. See Things to Consider Before You Upgrade Mobility in the Mobility server help for details. Mobility warehouse: Versions 10 and later of the Mobility server work only with version 7.0 and later of the Mobility warehouse. If you are upgrading to Mobility v11, your starting point must be Mobility servers running v9.2x or later, and version 7.0 of the Mobility warehouse. If you have version 7.0 of the warehouse from a previous release, upgrade the warehouse to v11.
See Upgrading the Mobility Warehouse in the Mobility server help for details. FIPS 140-2 CNG Modules When Mobility is configured to require FIPS 140-2 validated encryption, a Mobility server accepts connections from Mobility clients that use any of a list of cryptographic modules specified in the Mobility console. The default list of modules is as follows: | Module | Version | Module | Version | | ccrypto | 7 | cng | 6.1.7601.17919 | | ccrypto | 8 | cng | 6.1.7601.21861 | | ccrypto | 9 | cng | 6.1.7601.22076 | | ccrypto | 10.11 | cng | 6.2.9200 | | cng | 6.1.7600.16385 | cng | 6.3.9600 | | cng | 6.1.7600.16915 | cng | 10.0 | | cng | 6.1.7600.21092 | mocana | 5.5.F | | cng | 6.1.7601.17514 | openssl-fips | 2.0.12 | | cng | 6.1.7601.17725 |
Before you install or upgrade the Mobility server, refer to FIPS Considerations During Setup in the help. It includes important tips for upgrading and information about Windows 7 clients. Analytics ModuleAs of Mobility v9.50 the Analytics Module is a single component. For users who are upgrading and want to use the data they have collected, there are procedures and a utility (the Analytics Module Data Exporter) to migrate data from all supported configurations. Before installing version 11, look through the scenarios in Upgrading the Analytics Module in the Mobility server help and follow the instructions for the one that best fits your deployment. Specifying an Internal InterfaceIf you have more than one network adapter on the computer that will host your Mobility server, you must specify (during Setup) the name of the network adapter that is to be used as the internal interface. To make sure that Mobility-related traffic is properly routed, refer to Configuring Network Interfaces and Routing for information about what you need to configure and take into account. Customer Support and EOL AdvisoriesThe Mobility server is supported only on Windows Server 2016 and Windows Server 2012 R2. For a list of advisories, with information about when support ends for operating systems or Mobility versions, see the Mobility server help. Windows Server 2012 R2: Microsoft Support Advisory for NPSOn Tuesday August 8, 2017, Microsoft released a roll-up patch (KB4034681) for NPS running on Windows Server 2012 R2 that broke authentication based on RADIUS EAP-TLS and PEAP-TLS. You may no longer be able to authenticate after applying the roll-up. Microsoft has published a work around that involves changing a registry setting on your NPS server. NPS administrators should evaluate whether to implement the work around, or to hold off installing the patch until Microsoft implements a fix. Known Issues: Mobility Client | ↑Top |
Client issues are grouped by operating system and listed in descending order by issue number. Cross-Platform Client IssuesiOS and Android: Skype session does not persist during roam [MOB-8599]If you are on a Skype video call and you roam between cellular and Wi-Fi, your call is disconnected.
Client logon with UPN fails when authentication is NTLM [MOB-8578]If you use a UPN to log on to a Mobility server (for example, user.name@your.company.com), and if the authentication protocol is NTLM, the logon fails. Call Technical Support for help if using a UPN is required in your deployment.
Windows ClientUpgrade fails unless Trend Micro has patch [MOB-12067]If you are running security software from Trend Micro, and you plan to upgrade Mobility clients running on Windows, there are two options for ensuring a successful Mobility upgrade: Install the latest client software patch from Trend Micro before upgrading Mobility. The client hotfix that addresses this issue is 4440; you may need to request it from Trend Micro. Uninstall Trend Micro, upgrade the Mobility client, and then re-install your security software.
macOS ClientmacOS: A quick disconnect/reconnect may cause Mobility to fail (Apple RADAR ID: 32073323) [MOB-11447]If you disconnect your Mobility session, and then reconnect within 5 seconds, the operating system may spontaneously disconnect Mobility about 20 seconds later. In most cases Mobility will automatically reconnect when it detects this problem. This is an issue with the Apple operating system (Apple RADAR ID: 32073323).
macOS: AirWatch Per-App profile not displayed in Mobility client [MOB-8500]If you create a VPN profile for Mobility in the AirWatch console, and you enable Per App VPN Rules in the connection info area, the profile does not appear in the list of configurations for the Mobility client for macOS.
macOS: Mobility extension stops unexpectedly (Apple RADAR ID: 25290018) [MOB-8172]There is an issue with the Apple operating system (Apple RADAR ID: 25290018) that can cause the Mobility client to stop unexpectedly during roaming or startup, or when a policy is applied or removed. The Mobility app automatically reconnects if the Mobility extension crashes for any reason, so users may not be aware of this issue. When the problem occurs, an Info message is logged to appLog.txt ('Mobility extension stopped unexpectedly. Reconnecting.').
iPhone/iPad ClientiOS: Upgrading the Apple OS [MOB-11563]If the Mobility VPN is installed when you upgrade your Apple operating system to version 11, you may see problems connecting with Mobility after the upgrade. To resolve this issue, restart the device, open Mobility, and establish a connection to the Mobility server.
Android ClientAndroid 8 and name resolution [MOB-11680]When the Mobility client is running on Android 8, there are no issues getting names resolved by a DNS server that Mobility is configured to use. But the client may have issues with names that require a DNS server accessible via the local network (for example, a local printer).
Android 8: Mobility notifications not displayed [MOB-11679]The Mobility client displays a number of connection-related notifications, indicating, for example, that the Mobility server is unreachable, the client is disconnected, or Mobility is connecting. These notifications are not working in Android 8; Mobility works as expected, but the user is not notified of connection issues.
Android: Application connections do not persist when roaming between networks [MOB-11233, MOB-3275]Mobility supports two types of session persistence: application sessions and VPN tunnel sessions. Google made changes in Android 4.4, 7.x, and 8.x that may affect TCP application session persistence while roaming between networks. Session persistence when moving through coverage gaps, all UDP traffic, and VPN tunnel sessions are all unaffected, but when a network interface is reset (for example, roaming from cellular to Wi-Fi), TCP application sessions do not persist. Until Google fixes this issue, TCP session persistence on Android may be limited: In all cases, Mobility automatically maintains the VPN tunnel session so that users do not need to re-authenticate. Even when there are interruptions, Mobility improves application behavior, performance, and stability.
After an upgrade, the user name field is blank [MOB-10900]If you have a working VPN configuration when you upgrade your Mobility client, the configuration will continue to work. If you open the configuration and look at its settings, however, the User name field will be blank. The working credentials are saved in your configuration, just not visible.
Expected certificate is not listed as active [MOB-10703]When you view or edit a VPN configuration for an Android device that includes a certificate in its credentials, the certificate is not always listed as expected. Here are situations in which that may occur: Manually created profile: If a certificate is selected during authentication, it is not listed as the active certificate. Android for Work: The certificate in the profile is not listed as active. nmcfg. file: You can create a configuration file and distribute it using email, as described here. If multiple certs are included with your .nmcfg profile, only the most recent certificate is selected and listed as active.
Changing or clearing certificates [MOB-10476]On older Android devices (before version 6), changing or clearing certificates in Android Settings may also remove them from any Mobility configurations that use them (in the Mobility client, the certificate will be listed as Unknown). To use the certificate, you must import it again.
SOTI MobiControl and Android+ authentication [MOB-10414]SOTI, the creators of the MDM MobiControl, collaborated with device hardware manufacturers to come up with a series of Android devices they call Android+. When you configure NetMotion Mobility VPN for an Android+ device using MobiControl, only password authentication is supported.
MobiControl profile may need to be pushed to clients again [MOB-10030]When a profile is pushed down from the MobiControl console to devices running Mobility, the configuration should take place immediately. This is currently not working as designed; the workaround is to install Mobility first, then use the MobiControl console to push the profile down to devices.
Android: Mobility client is incompatible with IAS [MOB-9352]The Mobility client for Android is incompatible with an authentication server running Internet Authentication Service (IAS), Microsoft's RADIUS implementation for Windows Server 2003. Mobility supports Network Policy Server (NPS), the current Microsoft implementation of a RADIUS server and proxy.
Android 5.x: Connecting Mobility on startup takes about a minute after device restart [MOB-7148]When Connect on startup is selected, the Mobility client attempts to connect to a Mobility server at the same time as the Android device starts. On a device running Android 5.x that has been restarted, it can take up to a minute before Mobility begins connecting to the Mobility server.
Android 5.x: 'Connecting ... waiting for Mobility adapter' state persists [MOB-5739]If a user is connected using Mobility and then uninstalls and re-installs the Mobility app (either the same version of the app, or during an upgrade), the Mobility client will remain in the 'Connecting ... waiting for Mobility adapter' state. Reboot the Android device to clear the message.
Android: Interface proxy settings are ignored when connected with Mobility [MOB-4190]In the Android operating system you can modify the proxy settings for WiFi connectivity, but these settings are ignored when the device is connected over the Mobility VPN tunnel (without a VPN installed the proxy works as expected). This is due to Google issue 33935.
Android: Restricted profiles and multiple users [MOB-2914]When an Android device has a restricted profile or is configured to support multiple users, the Mobility client for Android can only be started by the primary user. It cannot be started by any other user.
Known Issues: Mobility Server | ↑Top |
Mobility v11 browser settings for Internet Explorer 10In Mobility v11 the console cannot be accessed using TLS 1.0; if you have only TLS 1.0 enabled, you will see the error This page can't be displayed. To change your Internet Explorer browser settings, go to Tools > Internet options > Advanced tab > Security and then select Use TLS 1.1. This is a workaround for Internet Explorer 10; it is not an issue with Internet Explorer 11, Firefox, or Chrome.
For automated warehouse backup, warehouse port must be 389 [MOB-12139]By default, Mobility servers communicate with the warehouse over port 389. If you specify a different port, automated backups of the warehouse will not work.
ActiveMQ event log error message [MOB-11443]In the Mobility server event log you may see a Reporting error that looks like this right after you enable a log management server: TaskRunnerFactory - Error in thread 'ActiveMQ VMTransport: vm://Log4MobilityCollector#1-2'. This should be rare and the error can be ignored.
Standards-compliant RADIUS compatibility [MOB-10083]Mobility supports standards-compliant RADIUS servers for authentication: If you are using a Dual Shield RADIUS server, make sure it is version 5.9.3.0215 or later, to ensure that it supports TLS 1.2. If you are using a Free RADIUS server, make sure it fully supports TLS 1.2.
Primary warehouse name cannot include Japanese characters [MOB-7821]If you are running Mobility software that has been localized for the Japanese market, do not assign the primary warehouse a name that includes Japanese characters: a standby warehouse will not be able to create a replication agreement with the primary warehouse.
If a NIC is renamed, the new interface name must be selected in the Mobility Management Tool [MOB-6125]If you change the name of the network adapter on the computer hosting a Mobility server, you must open the Mobility Management Tool and select the correct internal interface on the Mobility Server tab (even though there is only one interface displayed). If you do not perform this step, your Mobility deployment will continue to function, but only until the server is rebooted. If the server is rebooted and the correct interface has not been selected, Mobility clients will be able to connect, but will have invalid virtual addresses.
Known Issues: Analytics Module | ↑Top |
Analytics alerts using syslog do not send Japanese characters correctly [MOB-10135]If your analytics server is hosted on a computer running a Japanese operating system, and you configure analytics to send alerts to a syslog server (Analytics > Settings > Send Alerts - Syslog), the characters are not sent correctly. To work around this issue, specify a syslog server using server settings instead (Configure > Server Settings > Syslog).
Resolved Issues: Mobility Client | ↑Top |
| Fixed In | Summary | Issue Number | Description | | 11.31 | Windows 10: Skype for Business sometimes fails to start | MOB-11657 | When Mobility v11.30 was installed on Windows 10, Skype for Business periodically failed to start. | | 11.05 | Windows clients: Disconnect reason 107 | MOB-10459 | Mobility clients sometimes disconnected at logon (reason 107). | | 11.05 | Windows clients: 32-bit Chrome v56 and Windows 64-bit | MOB-10420 | Running version 56 of the 32-bit Chrome browser on a 64-bit computer caused the Mobility client to fail. | | 11.04 | macOS: Settings not preserved during Mobility upgrade (Apple RADAR ID: 25911312) | MOB-8671 | Configuration profiles created in Mobility disappeared when you upgraded Mobility (this was an issue with the Apple operating system). If you are running macOS version 10.12 or later, this is not an issue. | | 11.04 | iOS: Per-App VPN manual connect fails (Apple RADAR ID: 27704986) | MOB-9348 | This was an issue with the Apple operating system that has now been resolved. | | 11.03 | Reauthentication using certificates failed on iOS devices when the device was locked | MOB-9836 | If reauthentication occurred while a device was locked, Mobility did not have access to the certificate and the process failed. This is fixed in v11.03. | | 11.03 | Windows Defender update incompatible with Mobility client | MOB-9771 | On the Mobility client running Windows 10 or Windows 8.1, the latest Windows Defender virus definition update failed. This is fixed in Mobility client v11.03. | | 11.03 | When policy changes, re-evaluate the traffic flows | MOB-9666 | When a policy change occurs on the Mobility client, immediately re-evaluate the UDP and TCP traffic flows (do not use the cached flow). | | 11.02 | Mobility now supports TLS1.1/1.2 for RADIUS authentication | MOB-8613 | Pre-v11.02 Mobility clients accept only TLS1.0 for RADIUS authentication. | | 11 | Passthru DNS traffic is routed to the virtual adapter | MOB-7084 | Passthru DNS traffic is routed to the virtual adapter. | | 11 | TCP active sessions aborted | MOB-6925 | Outbound RDP failed. |
Resolved Issues: Mobility Server | ↑Top |
| Fixed In | Summary | Issue Number | Description | | 11.31 | Policies that are compatible with v10.70 were disconnecting v10.70 clients | MOB-11770 | When a policy rule was configured to disconnect clients that were incompatible, and the rule action or condition required v10.70 or later, v10.70 clients were incorrectly disconnected. | | 11.31 | Error when moving a user from one group to another | MOB-11750 | When a user was moved from one group to another, the following error appeared in the event log: Web Server Cannot communicate with Mobility server. | | 11.31 | Analytics failed to start after upgrade from v10.71 to v11.30 | MOB-11728 | After upgrading from Mobility v10.71 to v11.30, the analytics module did not start (AmqInfo-Reporting-Server.log reported Detected missing journal files). | | 11.31 | Could not restrict web server access to a particular IP address range | MOB-11676 | In the Mobility Management Tool, on the Web Server tab, the Network access options are designed to let you restrict access to the Mobility console. The Only from the IPv4 network defined below option did not work in v11.30. | | 11.30 | Setup issue—Windows Server 2016 configured for Secure Boot | MOB-11643 | Mobility server installation failed on Windows Server 2016 configured for Secure Boot. Mobility v11.30.7299 addresses this issue. | | 11.30 | Policy rule or rule set names required ASCII characters | MOB-9892 | With Mobility server v11.03 only ASCII characters were valid for the names of policy rules or rules sets. If extended characters were used, such as an 'a' with a diaresis (ä) or a Japanese character, the policy could not be pushed down to any clients. | | 11.30 | A user was temporarily prevented from being re-added to a group | MOB-6755 | If a user belonged to a group and the entry was somehow corrupted, the Mobility warehouse put a 'lock' on the data that lasted about 30 minutes. A server reboot after the 30-minute waiting period was over was required. | | 11.03 | Warehouse errors displayed in Mobility console | MOB-9755 | The Mobility warehouse stores configuration settings and client policies. A change to the warehouse sometimes failed until it was attempted a second time. | | 11.03 | Mobility server upgrades to v11.02 sometimes failed | MOB-9687 | During Mobility Setup there was an incompatibility with Windows Server 2012 R2 certificates. | | 11.02 | Automatic warehouse backup failed with older base DN | MOB-9480 | In earlier Mobility releases, Setup prompted users to enter a base DN for the Mobility warehouse. Users with a non-default base DN who upgraded to Mobility v11 were unable to use the automatic warehouse backup feature. | | 11.02 | Make log messages sent to syslog easier for Splunk to parse | MOB-9406 | Make session numbers consistent across logs (regardless of source). | | 11.02 | New clients cannot connect after incomplete upgrade to v11 | MOB-9388 | If you were prompted to reboot the Mobility server during an upgrade to v11, it is possible that the Configuration Wizard failed to run following the reboot. In this case, the upgrade is incomplete and clients are not able to connect. In Mobility v11.02 the Configuration Wizard starts automatically after a reboot. | | 11.02 | Testing DC mapping only found groups that belonged to the user's logon domain | MOB-9102 | The Domain Controller Mapping Test button only mapped AD groups that belonged to the user's logon domain. As of v11.02 there is an option for also searching trusted domains. | | 11 | Firewall failover failed with Mobility XG clients | MOB-7263 | During a failover to another firewall node Mobility failed to send packets to the new firewall MAC address. | | 11 | A custom Logon Notice was not shown on initial connection | MOB-6647 | If you configured Mobility to add devices to a group based on operating system, and you also configured a logon notice, the notice was not displayed when the device connected for the first time. | | 11 | Could not establish a remote session on the Mobility server over WAN | MOB-5145 | With the Mobility client running on iPhone or iPad, a remote session on the Mobility server over WAN timed out with an error. | | 11 | TcpTransport event log errors when adding an Analytics Module | MOB-782 | If you added an Analytics Module to a pool of Mobility servers, you might see (ignorable) errors in the event log that look like this: Error <time stamp> Reporting TcpTransport - Reason: java.lang.InterruptedException |
Release Dates and Build Numbers | ↑Top |
| Version | Component | Release Date | Build Number | Description | | 10.72 | iOS client | September 14, 2016 | 18050 | Users must upgrade to this release to prevent duplicate device registrations after Mobility 11 is released (see help) | | 10.73 | Windows client | October 10, 2016 | 19765 | Microsoft Defender fix (MOB- 9771) | | 10.74 | Windows client | January 17, 2018 | 12281 | Fix Mobility XE (Windows 7) forward compatibility issue (MOB-11980) | | 11 | Server | July 5, 2016 | 14681 | See What's New in NetMotion Mobility | | 11 | Windows client | July 5, 2016 | 14681 | See What's New in NetMotion Mobility | | 11 | macOS client | July 5, 2016 | 14548 | See What's New in NetMotion Mobility | | 11.01 | Server | July 27, 2016 | 15791 | Japanese language support | | 11.01 | Windows client | July 27, 2016 | 15791 | Japanese language support | | 11.02 | Server | August 31, 2016 | 17625 | Maintenance release (English, Japanese) | | 11.02 | Windows client | August 31, 2016 | 17625 | Multilingual (Japanese, French, Italian, German, and Spanish) support | | 11.02 | Windows client | October 10, 2016 | 19757 slipstream | Maintenance release (MOB-9771) | | 11.02 | Android client | September 15, 2016 | 18145 | Multilingual (Japanese, French, Italian, German, and Spanish) support | | 11.02 | iOS client | October 10, 2016 | 19666 | Multilingual (Japanese, French, Italian, German, and Spanish) support; iOS 10 is required | | 11.03 | Windows client | October 17, 2016 | 19822 | Maintenance release (MOB-9771, MOB-9666) | | 11.03 | Server | October 17, 2016 | 19822 | Maintenance release (MOB-9687, MOB-9755) | | 11.03 | iOS client | October 28, 2016 | 20378 | Diagnostics compatibility. | | 11.04 | Server | November 22, 2016 | 21384 | Support for Windows Server 2016, policy issue fix (MOB-9892) | | 11.04 | Windows client | November 22, 2016 | 21384 | Maintenance release (MOB-9894, MOB-9805) | | 11.04 | macOS client | November 22, 2016 | 21579 | Maintenance release (MOB-9894, MOB-9805) | | 11.04 | iOS client | November 23, 2016 | 21379 | Maintenance release (MOB-9894, MOB-9805) | | 11.04 | Android client | November 22, 2016 | 21376 | Maintenance release (MOB-9894, MOB-9805) | | 11.04 | Windows client | December 8, 2016 | 22344 | Maintenance release (MOB-10020) | | 11.04.01 | iOS client | January 24, 2017 | 23750 | Maintenance release (MOB-9969) | | 11.04 | Windows client | February 13, 2017 | 25554 | Bug fixes (MOB-10290). | | 11.05 | Windows client | April 3, 2017 | 27233 | Bug fixes (MOB-10420, MOB-10459). | | 11.05 | iOS client | June 7, 2017 | 31089 | Improved integration with NetMotion Diagnostics; minor bug fixes. | | 11.06 | iOS client | June 16, 2017 | 31657 | Minor bug fixes (MOB-11003). | | 11.06 | Windows client | August 18, 2017 | 04461 | Bug fixes:
MOB-11376—Failure to load drivers on some Windows 10 systems
MOB-11337—Timeout of video uploads using Coban application (client fix) | | 11.30 | Android client | August 10, 2017 | 04151 | The user interface and functionality of the Android client has improved dramatically in this release; for a list of changes, see What's New in NetMotion Mobility. | | 11.30 | Server
Windows client | September 29, 2017 | 7087
7299 (Windows Server 2016 only) | Includes support for publishing Mobility client and server data to a log management server, such as Splunk or NetMotion Mobile IQ (see What's New in NetMotion Mobility), and the fix for MOB-11337 on the Mobility server. | | 11.31 | Server and Windows client | November 15, 2017 | 9670 | Bug fixes (MOB-11657, MOB-11676, MOB-11728, MOB-11750, MOB-11770). In addition, we now use consistent identification of users and devices when both Mobility and Diagnostics are publishing data to a common system. | | 11.31 | iOS client | November 14, 2017 | 9670 | We now use consistent identification of users and devices when both Mobility and Diagnostics are publishing data to a common system. | | 11.31 | Android client | November 17, 2017 | 9670 | We now use consistent identification of users and devices when both Mobility and Diagnostics are publishing data to a common system. | | 11.32 | Android client | December 12, 2017 | 11185 | Minor bug fixes. | | 11.32 | Windows client | January 17, 2018 | 12223 | Fix Windows 10 forward compatibility issue (MOB-11980) |
|
