Ivanti UEM EU Alternative 2026: MobileIron Legacy, Critical Zero-Days, and CLOUD Act 17/25 Risk
Post #1206 in the sota.io EU Mobile Device Management Series
Ivanti is one of the most complex MDM/UEM vendors for European data protection officers to evaluate. The company is built entirely from acquisitions — MobileIron ($872M, 2020), LANDesk (2017), Heat Software (2017), Pulse Secure ($400M, 2020) — creating a fragmented portfolio with inconsistent security practices and overlapping jurisdictional exposures. In 2024, Ivanti became the subject of CISA emergency directives, FBI joint advisories, and the single largest coordinated zero-day exploitation campaign against enterprise security products in recent memory. For European enterprises considering Ivanti Neurons for UEM, Endpoint Manager, or any product from the Ivanti portfolio, this analysis unpacks what the CLOUD Act risk score of 17/25 means in practice under GDPR Article 28, NIS2 Article 21, and DORA Article 28.
Ivanti Inc.: Corporate and Jurisdictional Overview
| Attribute | Detail |
|---|---|
| Legal entity | Ivanti Inc. |
| Headquarters | South Jordan, Utah, USA |
| Incorporation | Delaware, USA |
| Ownership | Clearlake Capital Group + TA Associates (private equity, since 2017) |
| Revenue (est.) | ~$1.5B ARR (private, no public filing) |
| Employees | ~3,000 (post-acquisition consolidation) |
| CLOUD Act score | 17/25 |
| US person? | Yes — US-incorporated, US PE-backed |
| PRISM program? | No confirmed participation (unlike Microsoft, Google) |
Ivanti Inc. is incorporated in Delaware and headquartered in Utah — both US jurisdictions from which the US government can compel data disclosure under the CLOUD Act (18 U.S.C. § 2713). As a privately held company backed by Clearlake Capital (Los Angeles) and TA Associates (Boston), Ivanti has no public transparency obligations around government data requests and publishes no transparency report.
The Acquisition Stack: What You're Actually Running
Ivanti's product portfolio is the direct result of a decade of private-equity-driven consolidation:
| Year | Acquisition | Price | Legacy Product |
|---|---|---|---|
| 2017 | LANDESK Software | ~$1.1B (with IVANTECH merger) | Endpoint Manager, Service Desk |
| 2017 | Heat Software | Undisclosed | Heat Service Management |
| 2017 | Wavelink | Undisclosed | Terminal/mobile device management |
| 2020 | MobileIron Inc. | $872M | MobileIron Cloud/Core (now Neurons UEM) |
| 2020 | Pulse Secure | $400M | VPN/Zero Trust (Pulse Connect Secure) |
| 2021 | Cherwell Software | ~$1.65B | ITSM platform |
| 2023 | Neurons Platform rebranding | — | Unified Neurons branding |
Each acquisition brought its own codebase, data handling practices, and security debt. The MobileIron acquisition in particular is critical for MDM evaluation: MobileIron was once the dominant enterprise MDM platform, founded in Santa Clara, CA, in 2007 and listed on NASDAQ as MOBL. The $872M acquisition by Ivanti merged a mature but US-architected MDM platform into a PE-driven consolidator.
CLOUD Act Score: 17/25 Analysis
The sota.io CLOUD Act risk framework scores UEM/MDM providers on 25 data sovereignty dimensions. Ivanti's 17/25 derives from:
Jurisdiction (5/5 maximum — Ivanti scores 4/5):
- US incorporation: YES (Delaware, +1)
- US PE ownership (Clearlake + TA): YES (+1)
- No EU legal entity with independent data control: YES (+1)
- No transparency report published: +1
- No confirmed PRISM: -1 (partial mitigation)
Data processing location (5/5 maximum — Ivanti scores 4/5):
- Ivanti Neurons for UEM Cloud: hosted on AWS US East/West by default
- EU hosting option available for some tiers, but control plane in US: +1
- MobileIron Cloud enrollment data (device identity, certificates, APNs tokens): processed US
- MDM policy push/commands: originate from US-hosted management plane
- Neurons Intelligence analytics: US SaaS, no EU data residency option
Security track record (5/5 maximum — Ivanti scores 5/5 risk): This is where Ivanti's score diverges sharply from peers. The 2024 zero-day cascade:
| CVE | Severity | Component | Exploited in Wild |
|---|---|---|---|
| CVE-2024-21888 | CVSS 8.8 | Ivanti Connect Secure / Policy Secure — privilege escalation | Yes (CISA KEV) |
| CVE-2024-21893 | CVSS 8.2 | SAML component SSRF — authentication bypass | Yes (CISA KEV) |
| CVE-2024-21887 | CVSS 9.1 | Connect Secure command injection | Yes (UNC5221) |
| CVE-2024-22024 | CVSS 8.3 | XML External Entity (XXE) — another auth bypass | Yes |
| CVE-2024-21885 | CVSS 9.8 | Connect Secure heap overflow | Patch released |
CISA issued Emergency Directive ED 24-01 on January 19, 2024, ordering all Federal agencies to disconnect and rebuild Ivanti Connect Secure and Policy Secure deployments. The directive was unprecedented in scope: CISA required agencies to reimage devices even after patching, because "threat actors may have deployed webshells that persisted through factory resets."
The exploiting actor — UNC5221, assessed with moderate confidence by Mandiant to be a China-nexus espionage threat — operated within Ivanti's administrative environment for months before detection, indicating the vulnerability existed long before the CVE disclosure window. This represents exactly the NIS2 Article 21(2)(g) supply-chain incident scenario: a Tier-1 IT management system becomes the attack surface.
Government nexus (5/5 maximum — Ivanti scores 2/5):
- FedRAMP authorized products: YES (Neurons for MDM FedRAMP Moderate)
- US DoD/IC customer base: YES (LANDESK heritage in US government)
- No confirmed NSL/gag orders: -2 (unknown, private company)
- No PRISM participation confirmed: -1
Contractual protections (5/5 maximum — Ivanti scores 2/5):
- EU SCCs available: YES (partial mitigation)
- DPA available: YES
- No EU adequacy decision replacement: standard SCCs only
- No independent EU data controller: -1
- Post-Schrems II compliance unverified by EU DPA: -1
What Data Does Ivanti Neurons for UEM Process?
For a European DPO evaluating Ivanti, the data flows are more complex than traditional SaaS because UEM sits at the root of device management — it has administrative authority over every enrolled endpoint.
Device enrollment data (processed by Ivanti cloud management plane):
- Device identifiers: IMEI, serial numbers, MAC addresses, hardware UDIDs
- Apple Push Notification Service (APNs) tokens — tied to US Apple infrastructure
- Android FCM tokens (Firebase Cloud Messaging — Google US)
- X.509 device certificates (signed by Ivanti PKI)
- MDM enrollment profiles (contain organizational policy, app assignments)
Operational data (ongoing):
- Device compliance status (pushed to US management plane for policy evaluation)
- App inventory per device (what's installed, versions — can reveal business tooling)
- Location data (if geofencing policies enabled)
- User identity linkage (device → AD/Entra identity → email)
- Remote wipe/lock commands (originate from Ivanti cloud)
Neurons Intelligence (US SaaS only): Ivanti Neurons Intelligence is the analytics and automation layer — it ingests device telemetry, user experience scores (DEX — Digital Employee Experience), patch compliance data, and vulnerability exposure data. There is no EU-hosted option for Neurons Intelligence. This mirrors the problem with VMware Workspace ONE Intelligence (analyzed in our previous post): the analytics plane that requires the richest data stream is the component with the highest US jurisdictional exposure.
GDPR Art. 28 DPO Checklist for Ivanti:
| Question | Answer |
|---|---|
| Is Ivanti a data processor under Art. 28? | Yes — processes personal data on behalf of controller |
| Is a DPA available? | Yes — available on request |
| EU data residency for management plane? | Partial — available for some tiers, verify per contract |
| EU data residency for Neurons Intelligence? | No — US SaaS only |
| Sub-processors disclosed? | Yes — includes AWS, Azure (US entities) |
| Transfer mechanism (non-EU hosting)? | EU SCCs (Art. 46 GDPR) |
| DPA audit right? | Limited — no on-site audit right, questionnaire only |
| Breach notification 72h? | Contractual — but 2024 incidents suggest delayed discovery |
The 2024 Zero-Day Cascade: NIS2 Implications
The 2024 Ivanti security incidents are not merely a vendor embarrassment — they represent a precedent-setting example of why NIS2 Article 21(2)(g) "supply chain security" requirements are operationally critical for European enterprises.
Timeline:
- January 10, 2024: Ivanti discloses CVE-2024-21887 and CVE-2024-21888 as zero-days actively exploited in the wild
- January 19, 2024: CISA Emergency Directive ED 24-01 — disconnect all Ivanti Connect Secure / Policy Secure
- January 22, 2024: CISA + FBI + MS-ISAC + Australian ASD ACSC joint advisory published
- February 2, 2024: CVE-2024-21893 disclosed — second zero-day, SAML authentication bypass
- February 8, 2024: CVE-2024-22024 disclosed — third wave, XXE vulnerability
- February 29, 2024: CISA confirms threat actor persistent access survived factory reset in some deployments
- March 2024: Mandiant publishes UNC5221 attribution analysis — China-nexus espionage assessment
The NIS2 supply chain problem:
Under NIS2 Directive (EU) 2022/2555, Article 21(2)(g), "essential" and "important" entities must implement "policies and procedures regarding the use of cryptography and, where appropriate, encryption" and must perform supply chain risk assessment. More broadly, Art. 21(2)(d) requires "supply chain security" measures.
An Ivanti UEM deployment gives the vendor administrative authority over every managed endpoint. When the management platform itself is compromised — as occurred in 2024 — every managed endpoint is a potential pivot point. For NIS2-scope entities, this is a Tier-1 supply chain risk: a single vendor compromise can cascade to the entire managed device fleet.
DORA Article 28 (for financial sector):
Financial entities under DORA are required to maintain a register of critical ICT third-party service providers and perform concentration risk analysis. An MDM/UEM vendor like Ivanti that manages endpoint access control qualifies as critical ICT dependency. Post-2024, Ivanti's security track record would generate mandatory escalation in a DORA ICT risk assessment.
EU-Native MDM/UEM Alternatives
European enterprises seeking MDM/UEM solutions that eliminate US CLOUD Act jurisdiction entirely have several mature alternatives:
baramundi management suite
CLOUD Act Score: 0/25
baramundi Software AG, headquartered in Augsburg, Bavaria. Subsidiary of Freudenberg SE — a German industrial group with €12B+ revenue. No US parent, no US investor, no PE ownership.
baramundi management suite provides:
- Windows endpoint management (Unified Endpoint Management focus)
- Patch management and software deployment
- Mobile device management (MDM for iOS/Android)
- OS deployment and inventory
- Security baseline enforcement
Architecture: on-premises first, with optional baramundi Cloud (EU-hosted). All telemetry stays within customer-controlled infrastructure or EU data centers.
GDPR advantage: baramundi processes data under German law (BDSG), with German DPA (BayLDA) as supervisory authority. No CLOUD Act vector. No US sub-processors for core functionality.
Best for: German Mittelstand enterprises, KRITIS-regulated organizations, public sector.
ACMP by Aagon
CLOUD Act Score: 0/25
Aagon GmbH, headquartered in Soest, North Rhine-Westphalia. Privately held, German ownership. ACMP (Aagon Client Management Platform) serves 500+ enterprise customers including multiple KRITIS sector organizations.
ACMP provides:
- Windows lifecycle management
- Patch and vulnerability management
- Software distribution
- OS deployment with ACMP COPE (Corporate-Owned, Personally Enabled) profiles
- Asset management and CMDB
Architecture: on-premises deployment, no cloud dependency. All data remains within customer network perimeter.
Best for: highly regulated sectors (healthcare, energy, public administration), organizations requiring complete data sovereignty.
Matrix42 UEM
CLOUD Act Score: 1/25
Matrix42 AG, headquartered in Frankfurt am Main. Note: Vector Capital (San Francisco) is the current owner (PE acquisition 2017), which creates a minor US-nexus score. However, Matrix42's operational entities, data processing, and engineering are EU-based.
Matrix42 UEM provides:
- Enterprise mobility management (iOS, Android, Windows Mobile)
- Workspace management
- IT Asset Management (ITAM)
- ITSM integration
- Physical and virtual desktop management
Architecture: available both on-premises (full data sovereignty) and Matrix42 Cloud (EU-hosted). The PE ownership is a minor factor; contractual data processing remains EU-controlled.
Best for: enterprises needing combined UEM + workspace + ITSM in a single platform.
Cortado MDM
CLOUD Act Score: 0/25
Cortado Mobile Solutions GmbH, headquartered in Berlin. Subsidiary of ThinPrint GmbH (Cortado AG group). German-owned, no PE or US investor.
Cortado MDM specializes in:
- Apple Business Manager (ABM) + Apple School Manager (ASM) integration
- iOS and macOS device management
- Android Enterprise (fully managed, COPE, COBO)
- Mobile app management (MAM)
- Cortado Corporate Server (on-premises option)
Architecture: Cortado Cloud (Berlin-hosted data center), with optional on-premises via Cortado Corporate Server. German data center, German legal entity, BayLDA supervisory jurisdiction.
Best for: Apple-centric enterprises, organizations prioritizing iOS/macOS fleet management with full EU sovereignty.
Migration Guide: Ivanti Neurons UEM → EU-Native UEM
For enterprises currently running Ivanti Neurons for UEM (formerly MobileIron Cloud) and planning to migrate to an EU-native alternative, the following 12-week roadmap reflects the actual complexity:
Weeks 1-2: Assessment and inventory
- Export full device inventory from Ivanti Neurons (CSV/API)
- Document all MDM profiles (configuration, Wi-Fi, VPN, app assignment)
- Identify MobileIron-specific features in use (Tunnel, AppStation, Access)
- Map Apple Business Manager (ABM) and Android Enterprise (AE) enrollment configurations
- Document SCIM/LDAP/Entra ID integration points
Weeks 3-4: Architecture decision
- Select EU-native platform (baramundi/ACMP/Matrix42/Cortado based on OS mix)
- Decide on cloud vs. on-premises deployment
- Provision pilot environment (isolated VLAN recommended)
- Configure LDAP/Entra ID sync in new platform
- Set up new Apple MDM push certificate (cannot reuse MobileIron's APNs cert)
Weeks 5-6: Profile migration
- Recreate Wi-Fi, VPN, email, certificate profiles in new platform
- Test Apple Business Manager supervised enrollment (DEP)
- Test Android Zero-Touch enrollment
- Validate compliance policy evaluation (locked screen, encryption, OS version)
- App catalog migration (B2B apps, App Store apps, in-house apps)
Weeks 7-8: Pilot rollout
- Enroll 50-100 test devices (representative sample: iOS, Android, Windows)
- Validate all profile pushes, compliance checks, remote wipe test
- Verify app deployment (VPP tokens must be transferred in ABM — requires Apple Business Manager re-linking)
- Test helpdesk self-service portal
Weeks 9-10: Parallel operation
- Run both platforms in parallel
- Begin production enrollment of new devices in EU-native platform
- Wipe-and-re-enroll approach for existing devices (phased by department)
- Document exceptions (devices requiring Ivanti-specific features)
Weeks 11-12: Ivanti decommission
- Unenroll all devices from Ivanti Neurons
- Delete device records and revoke certificates in Ivanti
- Cancel Ivanti SaaS subscription (check contract notice periods — typically 30-90 days)
- Archive Ivanti configuration for audit trail (export before cancellation)
- GDPR Art. 17 data deletion request to Ivanti (MDM data, device telemetry, Neurons Intelligence)
Critical Apple-specific note: You cannot transfer an Apple MDM push certificate between providers. When migrating from Ivanti Neurons UEM to a new MDM provider, you must:
- Renew or create a new MDM push certificate in Apple Business Manager
- Unenroll all iOS/macOS devices from Ivanti and re-enroll them with the new provider
- Obtain physical or remote access to each device (via Ivanti's remote management before decommission)
- Plan for a managed enrollment window, because devices are unmanaged between unenroll and re-enroll
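To make the assessment, pilot and phased re-enrollment steps above concrete, the following is an added example (not code from the original post, and not Ivanti's or any listed vendor's tooling). It triages a device-inventory export into pilot candidates, department-phased re-enrollment waves, exceptions that use Ivanti-specific add-ons, the Apple devices that need unenroll/re-enroll for the new push certificate, and pre-migration compliance findings. The CSV column names, the minimum-OS thresholds and the sample rows are all assumptions constructed for this example; a real Neurons export uses its own schema and must be mapped onto these columns first.

```python
import csv
import io
from collections import defaultdict

# MobileIron/Ivanti add-ons the migration plan names as exceptions to document.
IVANTI_SPECIFIC_FEATURES = {"Tunnel", "AppStation", "Access"}
# Platforms whose devices must be unenrolled and re-enrolled (new APNs push cert).
APPLE_PLATFORMS = {"iOS", "macOS"}
# Minimum OS versions the new platform's compliance policy will enforce.
# These thresholds are assumptions for this example, not values from the post.
MIN_OS = {"iOS": (17, 0), "macOS": (14, 0), "Android": (13,), "Windows": (10, 0, 19045)}

# Constructed sample export. Column names are an assumption, not Ivanti's schema;
# 'features' is a semicolon-separated list of add-ons in use on the device.
SAMPLE_EXPORT = """device_id,platform,os_version,department,supervised,encrypted,features
D001,iOS,17.4,Finance,true,true,
D002,iOS,16.7,Finance,false,true,Tunnel
D003,Android,14,Sales,true,true,
D004,Android,12,Sales,true,false,
D005,Windows,10.0.19045,Engineering,true,true,
D006,macOS,14.4,Engineering,true,true,AppStation
D007,iOS,17.4,Sales,true,true,
D008,Android,14,Engineering,true,true,Access
D009,Windows,10.0.22631,Finance,true,false,
D010,iOS,17.3,Engineering,true,true,
"""


def parse_version(version):
    """Turn '10.0.19045' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def parse_inventory(text):
    """Parse the CSV export into a list of device dicts with typed fields."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        row["features"] = [f.strip() for f in row["features"].split(";") if f.strip()]
        row["supervised"] = row["supervised"].strip().lower() == "true"
        row["encrypted"] = row["encrypted"].strip().lower() == "true"
        row["os_tuple"] = parse_version(row["os_version"])
        devices.append(row)
    return devices


def compliance_findings(device):
    """Checks the new platform's compliance policy will apply on day one."""
    reasons = []
    if device["os_tuple"] < MIN_OS[device["platform"]]:
        reasons.append("os_below_minimum")
    if not device["encrypted"]:
        reasons.append("not_encrypted")
    return reasons


def build_migration_plan(devices, pilot_per_platform=1):
    """Split the fleet into pilot, phased waves, exceptions and Apple re-enrollments."""
    plan = {"pilot": [], "waves": [], "exceptions": {},
            "apple_reenroll": [], "compliance_findings": {}}
    pilot_count = defaultdict(int)
    by_department = defaultdict(list)
    for dev in devices:
        did = dev["device_id"]
        if dev["platform"] in APPLE_PLATFORMS:
            plan["apple_reenroll"].append(did)
        findings = compliance_findings(dev)
        if findings:
            plan["compliance_findings"][did] = findings
        blockers = [f for f in dev["features"] if f in IVANTI_SPECIFIC_FEATURES]
        if blockers:
            # Needs a documented exception before it can leave Ivanti.
            plan["exceptions"][did] = blockers
            continue
        if pilot_count[dev["platform"]] < pilot_per_platform and not findings:
            # Representative, already-compliant device per platform for the pilot.
            pilot_count[dev["platform"]] += 1
            plan["pilot"].append(did)
            continue
        by_department[dev["department"]].append(did)
    # Smallest departments first so early waves stay easy to roll back.
    plan["waves"] = sorted(by_department.items(), key=lambda w: (len(w[1]), w[0]))
    return plan


if __name__ == "__main__":
    plan = build_migration_plan(parse_inventory(SAMPLE_EXPORT))
    print("pilot:", plan["pilot"])
    for department, ids in plan["waves"]:
        print(f"wave {department}: {ids}")
    print("exceptions:", plan["exceptions"])
    print("apple re-enroll:", plan["apple_reenroll"])
    print("compliance findings:", plan["compliance_findings"])
```

Devices carrying Tunnel, AppStation or Access are pulled out of the waves entirely so they land in the exceptions register called for in Weeks 9-10, and the compliance findings show which devices will fail the new platform's policy the moment they enroll, which is cheaper to discover during Weeks 1-2 than during the pilot.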
NIS2 Vendor Selection Criteria for MDM/UEM
Under NIS2 Directive Article 21(2)(d) and related ENISA guidelines on supply chain security, essential and important entities should evaluate MDM/UEM vendors against:
1. Incident response track record: Ivanti's 2024 incidents are instructive: the vulnerability existed for months before disclosure, the threat actor achieved persistence that survived factory reset, and CISA required complete device rebuild. EU-native vendors (baramundi, ACMP) with smaller attack surfaces and on-premises deployment models present a materially different risk profile.
2. Sub-processor jurisdiction: All EU-native alternatives listed above process data under EU jurisdiction with EU supervisory authorities (German BayLDA, Austrian DSB, or relevant national DPA). Ivanti's US-hosted management plane means US law governs data access.
3. Security development lifecycle (SDL): ENISA recommends evaluating whether vendors publish SDL documentation, security bulletins, and CVE response timelines. Ivanti's 2024 response was criticized by CISA for delayed disclosure and insufficient patch quality (patches bypassed in some cases).
4. CLOUD Act waiver unavailability: No contractual provision in any Ivanti DPA or EU SCC can waive the US government's right to compel data disclosure under CLOUD Act §2713. EU-native vendors incorporated exclusively in EU member states are not subject to this statute.
GDPR Data Transfer Risk Assessment
For organizations using Ivanti Neurons for UEM with data flowing to US-hosted infrastructure:
Legal basis under GDPR Chapter V:
- EU SCCs (Standard Contractual Clauses) under Commission Decision 2021/914 are the applicable transfer mechanism
- Post-Schrems II (CJEU C-311/18, 2020), SCCs require a Transfer Impact Assessment (TIA)
- TIA must evaluate US surveillance law (FISA §702, EO 12333, CLOUD Act) and conclude whether SCCs provide "equivalent protection"
- Given CISA's demonstrated ability to compel Ivanti's cooperation (ED 24-01), the TIA for Ivanti is particularly complex
Recommended TIA conclusions: DPOs should document whether the TIA concludes that SCCs provide sufficient protection given:
- Ivanti's US incorporation and PE ownership
- CLOUD Act compelled disclosure risk for MDM telemetry (device identifiers, user identity, behavioral data)
- 2024 incident history demonstrating actual US government engagement with Ivanti (CISA ED 24-01)
- No independent EU data controller status
A documented TIA that concludes "sufficient protection" for a US MDM vendor with Ivanti's profile will face scrutiny from any EU supervisory authority auditing post-Schrems II compliance.
Conclusion: 17/25 in Context
Ivanti's CLOUD Act score of 17/25 reflects a company that is:
- Unambiguously US-incorporated with PE ownership
- Running MDM management planes on US-hosted infrastructure
- Offering Neurons Intelligence analytics exclusively from US data centers
- Operating under a 2024 security incident record that triggered CISA emergency action
- Publishing no transparency report and no government request statistics
For European enterprises, the question is not whether Ivanti processes MDM data in the US (it does) but whether the business case for Ivanti's capabilities justifies the residual jurisdictional risk after SCCs are applied. Given the availability of mature EU-native alternatives (baramundi at 0/25, ACMP at 0/25, Cortado at 0/25, Matrix42 at 1/25), the NIS2 supply chain risk framework increasingly favors EU-native selection for regulated entities.
The 2024 zero-day cascade makes this evaluation particularly acute: when the MDM vendor itself becomes the attack vector, and US government agencies respond with emergency disconnection orders, the supply chain risk calculus for European enterprises managing GDPR-protected employee and device data shifts materially.
Next in the EU MDM Series: EU MDM Comparison Finale — Jamf vs Microsoft Intune vs VMware Workspace ONE vs Ivanti UEM 2026
sota.io is an EU-native managed PaaS platform. Hetzner Germany infrastructure. No US parent company. No CLOUD Act exposure. Deploy your stack with full data sovereignty →