Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.6 this weekend (Saturday, July 8th).  The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

MFA Policies for User Account Settings

We have added security improvements to enable policies to require users to provide additional authentication factors when doing the following:

  • changing passwords,
  • configuring OATH OTP clients,
  • setting security questions, or 
  • modifying their profile.

All of these policies now appear under a new heading called "User Account Settings" (you will also note that we moved a few policies from other areas to make use of these policies more convenient).  For each of these policies, the Admin can choose which Authentication Profile should be called when the user makes these changes. 

User Account Settings.png

 

Admin Control over Signing Certificates

With this release we have also given control to Administrators to better manage the signing certificates used by our service.  As you probably already know, Google recently cracked SHA1 certificates and as a result many service providers have announced that they will deprecate support for SHA1 certificates.  If you have a Centrify tenant that was created before July 2016, then the default certificate used by your tenant is SHA1.  As you probably know, when using a signing certificate for SAML, you can upload your own certificate so you can use one with a stronger algorithm; however, we wanted to address this problem in a more turnkey manner and wanted to give you more control over your options.  In 17.6 you will see that we have a new Signing Certificates feature that works exactly as our Authentication Profiles feature works.  We now have a "Signing Certificates" page in our "Settings" menu for managing certificates, and we leverage that page directly in the App configuration UI (Admins can choose a certificate from a drop-down menu, or create a new one).  

 

Signing Certificates.png

If you want to change a certificate for an application, don't forget, you will need to go into the administrative console for that application and upload the new signing certificate in order to make sure your SSO still works.  For Office 365, we have automated that step through a new "Re-Federate" option.

Refederate.png 

 

In addition to the above, this release includes two performance improvements that I wanted to call out:

  1. Addition of "Sets" in Users, Apps and Endpoints.  Why is this a performance improvement?  The Sets UI enables the Admin to set a default view for each of those pages based on the filter selected.  More importantly, Admins can set their default view to have nothing selected so that pages with long lists (e.g. the Users page) load immediately, as the default view is simply the search bar!
  2. Intelligent selection of Connectors for IWA and RADIUS.  With 17.6, we have improved our connector selection logic to first look for a matching IP address, then a matching subnet, and if neither is found, to randomly select a connector.

We hope you like these new features and look forward to hearing your feedback!

 

Centrify 17.6 Release Notes

By Community Manager, 3 weeks ago - last edited Tuesday

New Features - Centrify Identity Service

 

MFA Policies for User Account Settings

 

MFA Everywhere – now able to set policies requiring step-up authentication for:

  • Password changes
    MFA1.gif
  • Configuring OATH OTP client
    MFA2.gif
  • Setting Security Question
    MFA3.gif
  • Modifying Personal Profile
    MFA4.gif
  • All policies under Policies > User Account Settings
  • “Show QR code for self-service” and “OATH OTP Display Name” policies moved from “OATH OTP”
  • “Enable users to change passwords” moved from “Password Settings”

 

Sets Added to Identity Service Tabs

 

Optimized page viewing and performance by grouping large lists into Sets of like items:

  • Users
  • Apps
  • Endpoints

  • Click Set name to filter list
  • Set Default using ellipsis menu
    • All page visits for that user will remember the selection
    • Sets UI slides in and out on click
    • To improve page load performance, choose “Remove as default” (and remove check mark) for page with no results (search only)

 

Sets.gif

 

 

Intelligent Selection of Connectors

 

Previously, calls to connectors for IWA and RADIUS were made randomly.  Connectors are now selected based on IP address as follows:

  • Choose Connector with matching IP Address
    • Randomly choose between Connectors when there are multiple matches
  • Choose Connector with matching subnet
    • Randomly choose between Connectors when there are multiple matches
  • Randomly choose Connector
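
As an added example (not Centrify's code), the three-tier selection order above in Python. The connector inventory, its field names and all addresses are constructed for the example, and the client address is assumed to be the source of the IWA or RADIUS request; the `selection_tier` helper is an addition that reports which tier a request would land in, which is what you want when diagnosing why traffic reaches an unexpected connector.

```python
import ipaddress
import random

# Constructed sample inventory; the dict shape ('name', 'ip', 'subnet') is an
# assumption made for this example, not a Centrify data structure.
CONNECTORS = [
    {"name": "conn-sjc-1", "ip": "10.1.5.20", "subnet": "10.1.5.0/24"},
    {"name": "conn-sjc-2", "ip": "10.1.5.21", "subnet": "10.1.5.0/24"},
    {"name": "conn-lax-1", "ip": "10.2.7.30", "subnet": "10.2.7.0/24"},
]


def select_connector(client_ip, connectors=CONNECTORS, rng=random):
    """Apply the rule: exact IP match, then matching subnet, then any connector.

    Several candidates at the winning tier are broken randomly, as the release
    notes describe. `rng` is injectable so tests can control the tie-break.
    """
    ip = ipaddress.ip_address(client_ip)

    exact = [c for c in connectors if ipaddress.ip_address(c["ip"]) == ip]
    if exact:
        return rng.choice(exact)["name"]

    same_subnet = [c for c in connectors
                   if ip in ipaddress.ip_network(c["subnet"], strict=False)]
    if same_subnet:
        return rng.choice(same_subnet)["name"]

    if not connectors:
        raise LookupError("no connectors registered")
    return rng.choice(connectors)["name"]


def selection_tier(client_ip, connectors=CONNECTORS):
    """Report which tier a request lands in: 'exact', 'subnet' or 'random'."""
    ip = ipaddress.ip_address(client_ip)
    if any(ipaddress.ip_address(c["ip"]) == ip for c in connectors):
        return "exact"
    if any(ip in ipaddress.ip_network(c["subnet"], strict=False) for c in connectors):
        return "subnet"
    return "random"


if __name__ == "__main__":
    for src in ("10.1.5.20", "10.1.5.99", "192.168.0.5"):
        print(src, selection_tier(src), select_connector(src))
```

Note that the subnet tier is only as good as the CIDR each connector advertises: a connector registered with an overly broad subnet will attract requests from clients it has no fast path to, which is the first thing to check when the "random" tier seems to be hit more often than expected.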

Dropbox Provisioning Support for Union

 

Admins can now choose to provision users into Dropbox using the following options:

  • Union of all Groups, or
  • Single Group

Dropbox.png
Improved 3rd Party RADIUS Support

 

When setting up 3rd party RADIUS authentication, some systems do more than a simple username / password authentication and need additional time to complete the request.  The timeout for the external RADIUS server is now configurable:

  • Default value of 5 (seconds) is set
  • Values from 5 to 55 are valid

Radius.png

Admin Control over Signing Certificates

 

Admins can see and manage all certificates in use in their tenants under
Settings > Authentication > Signing Certificates

  • Older tenants (created prior to July 2016) used SHA1 certificates by default, and later tenants used SHA256
  • App UI has been updated to include a pick-list for choosing which certificate to use
    • Office 365 certificate is now exposed
    • Office 365 re-federate option to push new certificate
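
Whether a tenant's current SAML signing certificate is still SHA1-signed (the concern raised in the 17.6 highlights above and in these notes) is decided by the certificate's outer signatureAlgorithm field. The following is an added example, not Centrify code: a minimal DER walker that reads that field from a DER or PEM certificate (such as one exported from the Signing Certificates page) and flags SHA1. The certificates it builds for its own demonstration are structurally valid placeholders, not real certificates, and `KNOWN_ALGS` is an assumed name covering the common algorithm OIDs.

```python
import base64
import re

# Signature-algorithm OIDs a SAML signing certificate commonly carries.
KNOWN_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _to_der(cert):
    """Accept DER bytes or PEM text and return the DER bytes."""
    if isinstance(cert, str):
        cert = cert.encode()
    if cert.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    return cert


def signature_algorithm(cert):
    """Return (oid, name) of the certificate's outer signatureAlgorithm field."""
    tag, body, _ = _read_tlv(_to_der(cert), 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(body, 0)                # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, after_tbs)           # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = _read_tlv(alg_id, 0)              # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_raw)
    return oid, KNOWN_ALGS.get(oid, "unknown")


def uses_sha1(cert):
    """True when the certificate is SHA1-signed and should be replaced."""
    return signature_algorithm(cert)[1].lower().startswith("sha1")


# --- constructed fixtures (placeholders, not real certificates) ---------------
def _tlv(tag, value):
    """DER-encode one element, using the long length form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n_bytes)]) + n_bytes + value


def _encode_oid(dotted):
    """Dotted OID -> DER content bytes (base-128 arcs, first two arcs packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert(alg_oid):
    """Structurally valid but meaningless certificate carrying the given signature OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x02, b"\x2a"))   # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(alg_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 129)                               # long-form length on purpose
    return _tlv(0x30, tbs + alg + sig)


def constructed_pem(alg_oid):
    """PEM wrapping of constructed_cert, to exercise the PEM path."""
    b64 = base64.b64encode(constructed_cert(alg_oid)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(constructed_cert(oid)), "replace:", uses_sha1(constructed_cert(oid)))
```

For a real certificate, pass the bytes of the exported file to `uses_sha1`; the walker only looks at the outer algorithm identifier, so it works on any well-formed certificate regardless of the extensions inside tbsCertificate. Remember that, as the notes say, swapping the tenant certificate is only half the job: the service provider side must receive the new certificate before the old one is retired.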

Signing.gif

 

Mobile Features – Policy to Disallow Incoming Calls

 

New policy to prevent incoming calls on device

  • Useful for data-only devices such as kiosk mode

 Mobile - incoming calls.png

Mobile Features – SIM Removal Tracking

 

New policy to track SIM removal

  • Device can become non-compliant if SIM is removed
  • Only on Samsung devices

Mobile - SIM.png

 

Mobile Features – New Samsung Firewall (hostname based)

 

In addition to the new Samsung IP-based firewall, hostnames can now be used in firewall rules

  • Only on Samsung devices

Mobile - Samsung.png

 

Munki Enhancements

Removing Security Login

  • Ability to enroll with just username and password has been removed for new tenants
    • Admins will need to use the new 17.6 agent to enroll

Munki.png
The following apps have been updated:

  • Freshservice (doc only)
  • Salesforce (doc only)
  • Slack (provisioning)
  • Dropbox (provisioning)
  • Workplace by Facebook (provisioning)
  • LoopUp (user-password)
  • Frevvo Live Forms (SAML)
  • TeamSnap (user-password)
  • Microsoft Dynamics CRM on-prem (WS-Trust)
New Features - Centrify Privilege Service

 

Secrets

 

  • Allows CPS to secure generic secrets (files and text types)
  • Only users that have the “retrieve secret” entitlement can access them
  • You can add policy rules from the Identity Platform or use MFA to secure the retrieval of secrets
  • File secrets can optionally be stored with a password
    (e.g. a word/excel/pdf/SSH-key with a password)
  • Secret uploads and downloads are secured with double-encryption
  • File secrets are limited to 5MB per file and text secrets to 24k

secrets.png

 

New Login/Checkout Sequence

 

  • New terminology
  • Improved flow
  • Compatibility for “AD Account login” using the Local Client

newlogin.png
New Features - Centrify Analytics Service

 

Traveling-Velocity Factor

 

  • Traveling-Velocity helps address the impossible travel scenario
  • This feature can isolate situations such as a user accessing applications from both Santa Clara and LA within 15 minutes, even though the user’s access pattern treats both locations as normal
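
As an added example (not part of the Analytics Service), the impossible-travel check in Python: it takes a user's access events in any order, sorts them by time, computes the great-circle distance between consecutive events and flags any pair whose implied speed exceeds a plausibility threshold. The 900 km/h threshold, the event field names and the three sample events are constructed for the example; the coordinates are approximate city centres.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold, roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def velocity_kmh(earlier, later):
    """Implied travel speed between two access events (dicts with 'time', 'lat', 'lon')."""
    dist = haversine_km(earlier["lat"], earlier["lon"], later["lat"], later["lon"])
    hours = (later["time"] - earlier["time"]).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp from two different places is the extreme case: treat as infinite.
        return math.inf if dist > 0 else 0.0
    return dist / hours


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier, later, speed_kmh) for each consecutive pair exceeding max_kmh."""
    ordered = sorted(events, key=lambda e: e["time"])
    flagged = []
    for earlier, later in zip(ordered, ordered[1:]):
        v = velocity_kmh(earlier, later)
        if v > max_kmh:
            flagged.append((earlier, later, v))
    return flagged


# Constructed sample: one user seen in Santa Clara, then Los Angeles 12 minutes
# later, then Los Angeles again an hour after that.
SAMPLE_EVENTS = [
    {"user": "alice", "app": "Salesforce", "city": "Santa Clara",
     "lat": 37.3541, "lon": -121.9552, "time": datetime(2017, 7, 8, 9, 0)},
    {"user": "alice", "app": "Office 365", "city": "Los Angeles",
     "lat": 34.0522, "lon": -118.2437, "time": datetime(2017, 7, 8, 9, 12)},
    {"user": "alice", "app": "Dropbox", "city": "Los Angeles",
     "lat": 34.0522, "lon": -118.2437, "time": datetime(2017, 7, 8, 10, 12)},
]


if __name__ == "__main__":
    for earlier, later, v in impossible_travel(SAMPLE_EVENTS):
        print(f"{earlier['user']}: {earlier['city']} -> {later['city']} implies {v:.0f} km/h")
```

The check is deliberately independent of whether either location is "normal" for the user, which is exactly the gap the bullet above describes: a per-location baseline cannot see that two individually normal locations are mutually exclusive within a 15-minute window. In practice the geolocation of the source IP is the noisy input; VPN egress points and mobile carrier NAT produce false positives, so the threshold and an allow-list of known egress ranges are the tuning knobs.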

 

travel velocity.png

 

UI Improvements

 

Copy cell to clipboard

  • Copy ‘email’ to clipboard to edit in search bar

Insights – Word cloud widget

  • Available only in Insights boards as a new widget

Download CSV

  • Insights and Explorer Widgets data download

 

CPS UI.png
Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

  

  • Centrify Privilege Service session brokering now supports negotiation with systems configured for TLS 1.2 (CC-47306).
  • Policies based on a device being corporate or personally owned are now correctly based on both the user and device (CC-47949).
  • Administrators can now enable a policy to determine if the Browser Extension is auto-updated or pinned to a specific version.
  • Provisioning sync job reports have been enhanced to include timings for each job, allowing slow running jobs to be identified (CC-44806).
  • The following parameters are now collected from enrolled Windows 10 devices (CC-47333):
    • Anti-spyware status
    • Antivirus status
    • Encryption compliance
    • Firewall status
  • Users rejected for provisioning are now logged in the sync report (CC-47480).
  • IWA will now succeed even if a cloud connector is joined to a domain with a disjoined namespace (CC-43948).
  • Support has been added for more than one concurrent Google Directory service (CC-44704).
  • ForceAuthn from http-post now re-authenticates when a custom tenant URL is used (CC-43934).
  • Role mapping in Dropbox provisioning has been enhanced to support both assigning destination groups to the first role a user is a member of (based on a prioritized list) and also assigning to each role the user is a member of (CC-46462).
  • The fixed five-second timeout value for an external RADIUS server has been replaced by an administrator-defined timeout value up to 55 seconds (CC-44206).
  • The last invite date for a user or group invitation is now set even if the invite email or SMS failed (CC-47226).
  • Office 365 deprovisioning rules are now maintained after authenticating an Office 365 administrator – previously they were deleted (CC-43588).
  • Browser bookmarks can now be pushed to Samsung KNOX devices in both kiosk and non-kiosk modes (CC-45529).
  • A policy has been added to allow / disallow changes to the date / time on Samsung KNOX devices (CC-47180).
  • ZSO login now works with Chrome on OS X 10.12 (CC-46899).
  • The default value for Pre-Provisioning Interval for Workday inbound provisioning has been set to 120 (5 days), previously it was zero (CC-47207).

 

For security advisories and known issues, please see attached file.

 


In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.5 this weekend (Saturday, June 3rd).  The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

New UI

17.5 is a milestone release for us as it consolidates the User Interfaces for the 2 component products in the platform!  With this release, the UI for the "Privilege Manager" has been moved to the Admin Portal.  To accommodate this change (and the addition of many more tabs), we have moved from a horizontal menu to a vertical one.  Let me point out a few additional features of this new UI:

  • Cross-product capabilities are now grouped under "Core Services"
  • Centrify Privilege Service capabilities are now grouped under "Infrastructure" (please note, the UI is built dynamically based on entitlement -- meaning you will only see the Privilege Service UI in your tenant if you're an existing Privilege Service customer).
  • All of the grouped tabs can be collapsed or expanded (by clicking the Label / arrow)
  • Perhaps the most exciting news about the new UI is that we've also taken measures to improve page loading performance by caching the UI in the browser.  With 17.5, if you go to a page with a long list (e.g. the Users page with thousands of users), you will only need to wait for the page to load the first time you access it!

On the User Portal side, we have kept the horizontal navigation, but we've refreshed the portal to align with the new UI.

New UI.png 

 

If you'd like a sneak peek at more of the new UI, please refer to this video

 

New Security Features

We've also added a couple of cool new security features:

  • Managed Device Policy: Customers have often asked for a way to limit app access to trusted devices only.  In the past we were able to support this through our scripting interface; in this release we've made setting this up much simpler by exposing conditions in our rules builder used throughout the product (login authentication policy, app and resource policies).

 block unmanaged devices.png

 

Note: devices are considered managed if: (i) the device is under management by Centrify, or (ii) a known trusted certificate is on the device (known by being uploaded to the tenant as a trusted CA – under Settings > Authentication > Certificate Authorities).

 

  • Password Reset Confirmation Email: We've also added a new feature to send an email confirmation to the end-user whenever his/her password is changed through our platform:
    • Password reset (login UI),
    • Password change by User in the User Portal or mobile app, or
    • Password change by the Admin using the "Set Password" action in the Admin Portal.

 Password Change Notification.png

 

Admins can enable this feature in the Admin Portal by going to Settings > Authentication > Security Settings.

 

Local Administrator Account Password Management for Macs

If your organization uses Macs, you will love this last feature!  If you're like most organizations you use the same admin account on all of your Macs.  Of course your users only have access to their personal user account but the administrative account on the endpoint is there and likely the same across all of your endpoints.  You try to keep access to that password limited but over time the threat vector expands as you have more endpoints using the same password, you have turnover in your IT department and you occasionally need to provide end users with access to that Admin account.  

In an ideal world, you would use different passwords for each endpoint, your admins / end users wouldn't know those passwords (but would be able to access the account when needed) and the passwords would get automatically updated for you.  This feature makes that ideal world a reality by leveraging Centrify's Mac management capabilities in conjunction with our Privilege Service!  Centrify can now manage the local accounts for your Macs, change the passwords on a regular basis and control who can access those accounts!

 

LAPM for Mac.png 

Customers of Centrify Identity Service and Centrify Privilege Service can enable this feature by setting the policies under Policies > Mobile Device Policies > OS X Settings > Manage Local Admin Account.

 

We hope you like these new features and look forward to hearing your feedback!

New Features - Centrify Identity Service

 

New UI

 

Identity Service and Privilege Service admin portals have been merged.

 

New UI 1.gif

 

  • Vertical navigation to support more tabs
  • Cross-product capabilities now grouped under “Core Services”
    Screen Shot 2017-05-12 at 9.54.46 AM.png
  • Privilege Service specific capabilities grouped under “Infrastructure”
    Screen Shot 2017-05-12 at 9.55.06 AM.png
  • Grouped tabs can be collapsed
    new UI 2.1.gif
  • Tabs / Quick Start Wizard steps appear based on entitlement
  • Caching for better performance

User Portal has been refreshed.

 

new UI 3.gif 

 

Managed Device Policy

 

Easily limit access to Apps and Infrastructure to trusted devices (managed devices)

  • Now available as conditions in our rules builder:
    • Login Authentication Policy
    • App/Resource Policy
  • No longer requires a policy script

managed device policy 1.gif

 

Managed Device = device under management by Centrify (MDM), or a 3rd party (based on presence of a certificate).

Password Reset Confirmation Email

 

Improved security by sending email to user whenever password is changed:

  • Password Reset (login UI)
  • Password Change by User in the User Portal
  • Password Change by Admin via Set Password action in Admin Portal

password1.gif

 

Admin must enable at tenant level

  • Settings > Authentication > Security Settings
Local Admin Account Password Management for Mac

 

Unique admin password for each Mac

  • Vaulted in CPS
  • Rotated on schedule
  • Policy driven account creation
  • Policy to specify account name
    Screen Shot 2017-05-12 at 10.00.42 AM.png
  • Automatic take-over of existing account
  • “Checkout” for authorized admins
    check out.gif
  • Role must explicitly have the “Device Management All” right
    Screen Shot 2017-05-12 at 10.01.19 AM.png
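
The Mac local admin password management described here (and in the 17.5 highlights above) follows the LAPS pattern: one unique password per endpoint, vaulted, rotated on a schedule, released only to holders of a specific right, and every release recorded. The sketch below is an added illustration of that pattern in Python, not Centrify's implementation; the 30-day interval, the device ids, the user names and every right other than "Device Management All" are assumptions made for the example.

```python
import secrets
import string
from datetime import datetime, timedelta

ROTATION_INTERVAL = timedelta(days=30)            # assumed schedule
CHECKOUT_RIGHT = "Device Management All"           # the right named in the release notes
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length=24):
    """CSPRNG password containing at least one lower, upper, digit and symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


class LocalAdminVault:
    """Per-device local admin credentials: unique, rotated on schedule, gated checkout."""

    def __init__(self, interval=ROTATION_INTERVAL):
        self.interval = interval
        self._entries = {}      # device_id -> {account, password, rotated_at}
        self.audit = []         # (when, who, device_id, action)

    def take_over(self, device_id, account_name, now):
        """Enroll a Mac: vault a fresh password for its existing local admin account."""
        self._entries[device_id] = {"account": account_name,
                                    "password": generate_password(),
                                    "rotated_at": now}
        self.audit.append((now, "system", device_id, "take-over"))

    def rotation_due(self, device_id, now):
        return now - self._entries[device_id]["rotated_at"] >= self.interval

    def rotate_due(self, now):
        """Rotate every device whose password is older than the interval; return their ids."""
        rotated = []
        for device_id, entry in self._entries.items():
            if self.rotation_due(device_id, now):
                entry["password"] = generate_password()
                entry["rotated_at"] = now
                self.audit.append((now, "system", device_id, "rotate"))
                rotated.append(device_id)
        return rotated

    def checkout(self, device_id, user, rights, now):
        """Release the password only to a user whose role holds the checkout right; log it."""
        if CHECKOUT_RIGHT not in rights:
            self.audit.append((now, user, device_id, "checkout-denied"))
            raise PermissionError(f"{user} lacks '{CHECKOUT_RIGHT}'")
        self.audit.append((now, user, device_id, "checkout"))
        entry = self._entries[device_id]
        return entry["account"], entry["password"]


def demo():
    """Constructed walk-through: two Macs enrolled, one rotation cycle, one denied checkout."""
    t0 = datetime(2017, 6, 3)
    vault = LocalAdminVault()
    vault.take_over("mac-001", "localadmin", t0)
    vault.take_over("mac-002", "localadmin", t0)
    first = vault.checkout("mac-001", "bob", {CHECKOUT_RIGHT}, t0)[1]
    other = vault.checkout("mac-002", "bob", {CHECKOUT_RIGHT}, t0)[1]
    early_due = vault.rotation_due("mac-001", t0 + timedelta(days=10))
    rotated = vault.rotate_due(t0 + timedelta(days=31))
    second = vault.checkout("mac-001", "bob", {CHECKOUT_RIGHT}, t0 + timedelta(days=31))[1]
    try:
        vault.checkout("mac-002", "eve", {"Application Management"}, t0)
        denied = False
    except PermissionError:
        denied = True
    return {"first": first, "second": second, "unique": first != other,
            "early_due": early_due, "rotated": rotated, "denied": denied,
            "audit": vault.audit}


if __name__ == "__main__":
    for when, who, device, action in demo()["audit"]:
        print(when.date(), who, device, action)
```

The two properties worth checking in any such system are visible in `demo()`: a checkout never returns a password shared with another device, and the password an admin was given stops working after the next scheduled rotation, which is what limits the blast radius when a checked-out password leaks.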

 

 The following apps have been added to the catalog:

 

  • Provisioning support for Workplace by Facebook app
  • JIRA Cloud (SAML)

  

The following apps have been renamed:

  • Facebook at Work --> Workplace by Facebook
  • Adobe EchoSign --> Adobe Sign

  

The following apps have been updated:

  • Adobe Sign
  • Yahoo Mail
  • Igloo (app icon only)
  • AVG CloudCare
  • QuickBooks Online
  • EMC
  • Redhat Support (Customer Portal)

 

 

New Features - Centrify Privilege Service

 

AD Account Unlock

 

  • Provides administrator-assisted AD account unlock or automated unlock on CPS operations
  • Another use for the domain’s “Administrative Account”
  • A New Entitlement “Unlock account” at the domain level allows manual unlocks
  • Policy at the domain level allows for automatic unlocks on privilege session or password checkout

CPS AD.png

 

 

Manual Multiplex Account Password Rotation and Swap

 

  • Accelerates the ability to demonstrate password management for Services
  • Prior to 17.5, it was not possible to rotate the password of either of the two physical AD accounts that make up a multiplex account
  • The new behavior allows for the rotation of the account that is not in use
  • Admins can push the password and Privilege Service does the rest

 CPS Manual.png

 

New Features - Centrify Analytics Service

 

Download Default Dashboards

 

Select any number of default dashboards to export. Anyone can upload these dashboards into Analytics Service to customize the default dashboard.

 

analytics1.png

 

Analytics Service Usage Dashboard

 

This dashboard helps you understand who’s using the Analytics Portal and provides its usage insights.

 

analytics2.png
Added Table View for Insights Widgets

 

Dashboard Widgets can now be toggled to display data in table view.

 

Analytics3.png

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

  

  • In addition to the new user experience in 17.5, numerous changes have been made to improve the responsiveness and performance. Two changes should be significantly faster:
    • When changing main navigation tabs that display grids, if the tab has been opened before in this session it should display very quickly the second and subsequent time it is accessed.
    • Search and sorting results on main navigation tabs that display grids is also cached, so repeating a search or sort a second time in a session will provide the results quickly.
  • Inbound provisioning with Workday now supports setting a date when the user should be created, with the default date of the user’s start date. Previously users were always created on the user’s start date (CC-45723).
  • A confirmation email can now be sent to a user after a successful password reset. This option is off by default, but can be enabled in Settings>Authentication>Security Settings (CC-46035).
  • Managed device status (i.e. is or isn’t a managed device) can now be used in auth rules for application access (CC-45765).
  • When disabled users are deleted in Active Directory they are now correctly deleted from Office 365 if the deprovisioning rule User Deleted in Active Directory > Delete Office 365 Object Account is set to cause it (CC-47436).
  • The reset password option is now present for Samsung devices that do not support Android for Work profiles (CC-47067).
  • IdP metadata now lists all supported NameID formats (CC-46853).
  • The link in the SMS invite for device enrollment for iOS devices now correctly directs users to the App Store to download the Centrify app (CC-46743).
  • When IWA is triggered a random Connector will now be chosen. Previously all but one of the Connectors could be chosen due to a math error, meaning that in forests with two Connectors, one was always being chosen (CC-46162).

     

For security advisories and known issues, please see attached file.

 

For 17.5 Hot Fix 1 security advisories and known issues, please see attached file.

 


In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.4 this weekend (Sunday, April 23rd).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Performance Improvements

Over the past few months our dev team has been laser focused on improving performance throughout the product.  We've examined every line of code and tuned the software to run better at scale.  It's hard to quantify exact improvements in most cases, but in some areas the improvements are very noticeable.  For example, when clicking through to the Activity tab for a given user, the page now loads about 20x faster!  We've also made a number of changes to the jobs system and the jobs report used by our provisioning engine.  We are excited about these improvements as we feel this focus was needed to better serve our customers.

 

In addition to the performance improvements, I'm excited about a few smaller features that customers have been waiting for:

  • Support for using DN (instead of UPN) as Subject Alternative Name for certificates (contact support if interested and we can enable for your tenant)
  • OpenID Connect custom template now supports Hybrid Flow

 

Mac Improvements 

I'm also very excited about the improvements we've made to our Mac product in 17.4.  Specifically, we're adding two new capabilities to our Mac support:

 

  1. Enroll on Behalf of:  The new Centrify Agent now supports enrolling the Mac for a different user.  Many of our customers want to have their Admins enroll the Mac before giving the Mac to the end user.  The 17.4 agent introduces this capability!
     Enroll on Behalf of.png
  2. All new Mac App Management: So you might be saying Centrify already does app management for the Mac, so why is this considered a 'new' feature?  Well, with 17.4, we have completely replaced the old Mac app management capabilities and retooled our solution to leverage Munki and AutoPkg, open source tools for app management on Macs.  These tools are loved by Mac Admins and are now integrated with our platform to enable automatic installation and update of software on end users' Macs.  Admins can now automatically install software on the end users' Macs or make the software available to end users as optional software in the Managed Software Center (Munki client).
     Managed Software Center.png

We hope you enjoy these new features and look forward to hearing your feedback!

New Features - Centrify Identity Service

 

Support using DN for Cert Subject Alternative Name 

 

Certificates generated from the tenant CA now use the DN for the SAN (Subject Alternative Name)

  • Customer request – many VPN and WiFi devices use this parameter for the username
  • Old method was to use the UPN

 

ZSO on Android without MDM (SSO only mode)

 

ZSO can now function on Android when not using MDM (SSO Mode)

  • This applies to Android only – iOS uses external cert
  • External Certs for “is Managed” do not work on Android – enroll Centrify client in SSO mode

  

Support Split Screen Multi-tasking in iPad Pro

 

Centrify app can now be used in split-screen mode with the iPad Pro.

 

splitscreen.png
Policy to Limit Device Enrollment to Corporate Owned

 

New policy to limit enrollment to corporate devices

  • Do not use Sets with a deny policy to limit corporate enrollment

 

limitdevice.png
Mobile UI Improvements for Notifications

 

  • Better display and swipe to delete functionality
  • Both iOS and Android Apps have been updated

mobileUI.png
Centrify Agent for Mac 17.4

 

  • Moved from a .app in 16.12 to a .pkg in 17.4
  • Manual update only
  • Automatic update coming soon after 17.4
    macagent1.png
  • Added "Enroll On Behalf Of Another User"
    macagent2.png
  • Allows an admin user to enroll another user
    macagent3.png

 

Mac App Management (powered by Munki & AutoPkg)

 

munki1.png

 

  • Old Method Deprecated but still supported
    munki2 - oldmethod.gif
  • Policy to enable Managed Software Center installation (AKA Munki Client)
    munki3 - policy to enable.png
  • Centrify Munki & AutoPkg admin tools in the Download Center
    munki4 - centrify munki and autopkg.png
  • Run munkiimport on an enrolled Mac (requires App Management rights)
  • Munki Apps Automatically imported leveraging ZSO
  • New App type for Munki Apps
    munki5 - zso.gif
  • Application details automatically populated
  • Assignment can be done through User Access or through Munki command line
  • AutoPkg will automate the population of the App catalog via Recipes
    munki6 - application details.gif
  • Enrolled Macs securely authenticated via ZSO cert
  • Silent installation of automatic apps
  • Catalog of optional apps with categories
  • Rich, App Store-like Enterprise App Store
The following apps have been added to the catalog:

  • WordPress

 

The following apps have been removed from the catalog:

  • US Airways

  

The following apps have been updated:

  • MangoApps
  • Twitter
  • AWS (provisioning + SAML)
  • Concur (provisioning + SAML)
  • ServiceNow (provisioning + SAML)
  • BrowserStack
  • Formstack

 

New Features - Centrify Privilege Service

 

Access Request for Privilege Roles

 

  • Allows the use of CPS as a workflow engine for CSS resource roles
  • Ideally used for temporary access control to individual systems
  • Requesters are AD users, the approval chain can contain any type of CIP users
  • Permanent, Temporary and Windowed assignments can be requested with approver override
  • Support for documenting ticket numbers
  • Canned reports to demonstrate “documented approvals”

 cps.png

  

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • AssertionConsumerServiceIndex is now supported in SAML app advanced scripts to allow choice of which ACS URL a SAML response will be sent to (CC-45125).
  • Some jurisdictions’ privacy laws do not allow user location to be tracked or displayed, so a configuration option has been added to allow Centrify Support to disable map and location tracking on a per-customer basis, based on customer request (CC-45760).
  • Provisioning job reports have been improved with updated section titles and section order. In addition, the status reported for various issues has been changed as follows (CC-45399, CC-44926):
    • User rejected by script was in “user already synced or not updated” and is now in “user skipped”
    • Sync user without email was in “user already synced or not updated” and is now in “user failed”
    • Sync user with invalid email was in “user already synced or not updated” and is now in “user failed”
    • Deprovision user scenario “do not de-provision selected” was not shown, now in “user skipped”
    • Deprovision deactivated user “do not de-provision selected” was not shown, now in “user skipped”
  • Hybrid flow is now supported for OpenID Connect apps for the following flows: “code id_token”, “code token” and “code id_token token” (CC-40656).
  • A policy has been added to Container Settings > Restriction Settings to allow Samsung devices capable of KNOX 2.5 and above to permit use of USB by apps inside the KNOX container (CC-43425).
  • The display of the Mobile Authenticator on devices is now controlled by the following policy: Mobile Device Policies > Common Mobile Settings > Security Settings > Show Mobile Authenticator by Default (CC-44270).
  • Both policy rules and default profile for per-app policy, and VPP can now be set by users that have only the Application Management right (CC-43779, CC-45403).
  • Support has been added for multiple versions of an in-house Android app, with role membership determining which version is made available to a particular device (CC-43131).
  • Google has rebranded “Android for Work” as “Android Management” and this change is reflected in 17.4 (CC-44164).
  • Enrollment notification date/time now shows in local time, previously it was shown in UTC (CC-43938).
  • The policy compliance status is now shown correctly for Samsung KNOX devices (CC-45512).
  • App gateway launch events are now included in the user activity report (CC-45266).
  • Enabled support for TLS 1.1 and 1.2 to both cloud and Connector (CC-44120, CC-46930).

 

 For security advisories and known issues, please see attached file.

 

For 17.4 Hot Fix 1 security advisories and known issues, please see attached file.

For 17.4 Hot Fix 2 security advisories and known issues, please see attached file.

For 17.4 Hot Fix 3 security advisories and known issues, please see attached file.

For 17.4 Hot Fix 4 security advisories and known issues, please see attached file.

  


In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.3 this weekend (Sunday, March 26th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Updated Dashboards

Admins will notice right away that the dashboards now include a loading indicator bar (you will see a green bar at the top of the dashboard indicating the progress of the data being presented).  In addition, we've made the following changes to the included dashboards:

 

  1. The Security Dashboard now only reflects denied access events (logins, access to apps or infrastructure, and self-service).
  2. The successful access events from that dashboard now appear in a new dashboard called "User Logins".
  3. The "User Activity" dashboard has been renamed to "User Login Map" to better reflect what that dashboard provides.

 

Dashboards.png

 

Windows 10 MDM (Preview)

As you know, Centrify Identity Service includes a fully-featured Enterprise Mobility Management solution.  For years, we have differentiated our product in the IDaaS market by including rich mobile device management capabilities for Android, iOS and Mac.  With 17.3, we have a preview feature, which can be enabled by contacting Support, that extends these capabilities to Windows 10 devices.  Remember, the Windows 10 OS is the same across all supported devices (desktops, laptops, tablets, Surface and mobile)!  The feature is enabled via policy; once enabled, users can enroll their Windows 10 PCs!

 

Windows 10 MDM.png

 

Device enrollment is agentless, and once it is done, users will be able to locate, lock, wipe and reset the passwords for those devices through the User Portal.  In addition, enrolled devices will get a ZSO certificate from Centrify, enabling easy and secure access to applications without passwords!

 

We hope you enjoy these new features and look forward to hearing your feedback!

Centrify 17.3 Release Notes

By Community Manager, 03-21-2017 10:52 AM

New Features - Centrify Identity Service

 

Updated Dashboards 

 

  • Dashboards have been improved with new loading indicator bar
  • “User Activity” dashboard has been renamed to “User Login Map”
  • Changes to Security Dashboard:
    • Dashboard now reflects denied events only
    • Successful events are now displayed in a new “User Logins” Dashboard

dashboard.gif

OATH Management Rights

 

OATH Management (add/delete) rights now available to Users with the following rights:

  • User Management (new)
  • Sysadmin (system generated Admin Role)

OATH.png

 

 

Policy to Display Password Expiration Notification on Mobile

 

New policy to control whether enrolled mobile devices warn the user that their password needs to be reset

  • Policies > User Security Policies > Password Settings

policy to display password.png

Apple VPP v2 Support

 

Now supporting the latest features of Apple VPP (Volume Purchase Program)

  • License config is done per-app
  • Support both old “redemption code” method and new token method
  • For more information, please see the Apple VPP site

AppleVPP.png

 

 

 

Preview: CIP Support for Windows

 

  • CIP Supports Windows 10 MDM
  • Desktops, laptops, Surface, tablets and mobile
  • Policy to enable Windows Enrollment and Portal Prompt
  • Agentless enrollment
  • ZSO certificate deployed
  • Locate, Lock, Wipe, Reset Password
  • Please contact Centrify Support to enable this preview feature

cip.gif

The following apps have been added to the catalog:

  • Yardi eLearning (SAML)
  • Palo Alto Networks firewalls (SAML)
  • Subscribe HR (SAML)

 

The following apps have been updated:

  • BrainStorm QuickHelp (SAML)
  • Salesforce (Provisioning + SAML)
  • 15Five (SAML)
  • Dropbox (Provisioning + SAML)
  • Citrix ShareFile
  • Publix
  • RackSpace Cloud Control Panel
  • HootSuite
  • SendGrid
  • US Airways
  • DocuSign (user-password only)
  • ServiceNow (user-password only)
  • Hy-Vee

 

The following apps have been renamed:

  • Google Apps -> G Suite

 

New Features - Centrify Privilege Service

 

HP NonStop OS Support

 

Shared Account Password Management for:

  • SUPER.SUPER account
  • Alias accounts
  • User accounts

Session:

  • SSH Session access (shared account/manual login)
  • Requires SSH daemon and SafeGuard enabled

CPS HP nonstop.png

 

 

New Entitlement – View Permission

 

  • Limits visibility of objects to users or role assignees
  • Allows for the enforcement of the least access/least privilege model
  • Enhances the capabilities of Sets (static sets can be used to set visibility)
  • Enhanced Permissions tab shows:
    • Who has access
    • What entitlements
    • Inherited from what role(s)
  • Enhances the new “Privilege Service User” administrative right.

CPS New Entitlement.png

CPS new entitlement 2.png

 

 

Administrative Rights Changes

 

  • "Privilege Management (Limited)" is now called “Privilege Service Power User”
  • "Privilege Management" is now called “Privilege Service Administrator”
  • "Privilege Management (Portal Login)" is now called “Privilege Service User Portal”
  • A new administrative right “Privilege Service User” has been introduced to enforce least access administration

CPS administrative rights changes.png

 

Privilege Service User – UI 

  • Reduced Menus
    • PSU role will only see a reduced number of menus
    • No Dashboard, Database, etc.
  • Least Access
    • PSU role assignees can only see resources that have been explicitly granted view permission
  • Settings Tab
    • PSU role assignees will only see the local client preferences

CPS UI.gif

 

 

Local Client for RDP

 

  • Allows end-users to launch Windows Remote Desktop sessions using the local client (mstsc.exe)
  • This is the preferred method for high-performance and scalable RDP access
  • Uses the Centrify Connector as a proxy to connect to Windows resources
  • Optional Local Client Launcher for a streamlined experience

Screen Shot 2017-03-13 at 3.00.26 PM.png

 

 

Centrify Agent for Linux

 

  • In CPS on-premises deployments, functionality has been added to check for back-end server version
  • This is to make sure the agent is compatible with newer functionality (e.g. sets, view permission, etc.)
  • Checks are performed during enrollment, startup and upgrade
  • A new CLI option for cinfo (--platform-version) has been added to manually check the version of the back-end CPS server

 

 

New GA - Centrify Analytics Service

 

Analytics Service can be enabled for existing Centrify Identity Service / Centrify Privilege Service Customers.

 

Contact your sales representative for details. Analytics Portal will be part of the menu dropdown after this service is enabled.

 

analytics service ga.png

 

Real-time Access Insights 

 

  • Real-time toolkit for analyzing the access behavior of Apps and Infrastructure
    • 12 Widget Types
    • 7 Real-time Dashboards – Risk, User Experience, Endpoints, MFA, Resources, Apps, User Insights
    • Drill down for detailed analysis
    • Custom Dashboard Builder
    • Export / Import Dashboards
  • Uses Time, Location and Device Macro dimensions to analyze access behavior

real time access insights.png

 

Risk-based Access

 

  • Profile the behavior of a user and detect anomalies using machine learning. Authentication profiles can be triggered based on:
    • High Risk
    • Medium Risk
    • Low Risk
  • Integrates with existing Rules for Portal, App or Resource access

risk based access.png

 

 

Dynamic Events Explorer

 

  • Real-Time Events Explorer for administrators to investigate access anomalies/behaviors
  • Ability to investigate the nature of an anomaly
  • Real-time toolkit for exploring access behavior
    • Events Cross-filtering
    • Dynamic Widgets – over 12 included 
    • Custom query generator
    • Export / Import query

DYNAMIC EVENTS EXPLORER.png

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • Standard variables that represent user properties can now be used in app restrictions in Android for Work. Currently supported variables are sAMAccountName, UserPrincipalName, Name, Mail, DisplayName and Description (CC-43423).
  • Administrators can now configure the attribute used for the user name sent to RADIUS for third party MFA configuration (CC-44919).
  • Can now re-register a Connector from the Connector configuration UI without having to restart the configuration UI (CC-44045).
  • The following Centrify Privilege Service administrative rights have been renamed:
    • Privilege Management (Limited) is now called Privilege Service Power User
    • Privilege Management is now called Privilege Service Administrator
    • Privilege Management (Portal Login) is now called Privilege Service User Portal
    A new administrative right, Privilege Service User, has been introduced to enforce least access administration. Roles granted the Privilege Service User administrative right will only be able to view the system menus that correspond to objects that they can access, and the settings page will be limited to their local client preferences (CC-43925).
  • In this release only the following policies contribute to the policy compliance status calculation (CC-45484):
    • iOS passcode
    • iOS restriction settings
    • KNOX device restrictions
    • KNOX device security settings
    • KNOX device password settings
    • KNOX workspace container passcode settings
    • KNOX workspace container restriction settings
    • Location tracking enablement (excluding Admin location setting)

  • When a conflict is detected during a provisioning sync operation the correct UPN is now set for the user (CC-40777).
  • Zero Sign-On login from an enrolled iOS or Android device can now identify the enrolled device; this allows policies that restrict access only to enrolled devices (for example) to correctly determine a device’s access (CC-38798).
  • The Firefox browser extension install instructions have been updated to reflect new install steps (CC-31958).
  • System-managed groups have been removed from provisioning options for the Dropbox app as membership of these cannot be modified (CC-43906).
  • Corporate-owned devices can now be tagged as corporate instead of personal after self-service enrollment based on a serial number list of corporate-owned devices uploaded to the admin portal (CC-44277).
  • Apps launched through the app gateway are now correctly shown in the Frequently Used and Recent lists in the User Portal (CC-39239).
  • Exchange ActiveSync profiles now correctly show status, previously the status was always pending (CC-44465).
  • Report folders can now be deleted in the Admin Portal (CC-44286).
  • Full preview syncs with the Office 365 app in hybrid sync mode now correctly show the number of synched, failed and skipped users and groups (CC-44461).
  • SMS enrollment invites are now sent in the language used by the user in the User Portal (CC-44787).
  • A policy script to block Microsoft.Exchange.MAPI has been added to the Office 365 app (CC-44204).
  • The “Items Up To Date” value is now correct after a sync failure (CC-44654).

  • In the device list the “Compliance” column now shows “Compliant” for compliant devices instead of a blank (CC-44476).

For security advisories and known issues, please see attached file.

  

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.2 this weekend (Saturday, February 25th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Extensible Directory

We've often had customers ask us to do one of the following:

  1. Expand the attributes available in the Centrify Directory, and/or
  2. Provide a data-store for custom attributes for their existing user identities.

This feature delivers upon both of these requests!  We now offer the ability for Admins to create custom user attributes to be maintained within the Admin Portal.  These attributes can be stored for any user type regardless of the user identity source (Centrify Directory, AD, LDAP, Google, Federated Partner or Social)!  These custom attributes are stored in our cloud and can be passed on to downstream applications through SAML assertions, can be used for reporting and can be used as additional attributes for MFA. For example, if a company wants to allow their end users to receive an SMS or email for MFA purposes on a personal account without storing those personal details in their AD, this feature can be used for that.

 

Extnsible Directory.png

 

Custom attributes can be added by going to Settings > Customization > Other > Additional Attributes.  Once the attributes have been added, values for those attributes for individual users can be added in the user object under Additional Attributes.

 

Inbound Provisioning

Back in December, we announced the preview of Inbound Provisioning when we released version 16.12 of the product.  As a refresher, this feature enables organizations that rely on an HR Management System to treat that system as the system of record for all users in the organization.  As you know, the Centrify Platform enables secure access to apps and infrastructure for users from any of the sources mentioned above.  Many customers rely heavily on their HR Management System and only create users in their AD after the record is created in the HR System.  Of course, customers want to optimize how this is done by automating the process for creating a user object in AD after it has been created in their HR app.  Inbound Provisioning refers to the process of creating users in a company's user store from the HR application.  We have built this feature to be plug-and-play such that we can enable multiple source and target directories.  In the initial GA version of the product (in this release) we enable Workday as a single source directory and AD as a single target directory.  With Inbound Provisioning, once the user record is created in the target directory (AD), the user can access apps and infrastructure through the Centrify Platform as any other user from that directory can.

 

Inbound Provisioning.png

 

You can set up Inbound Provisioning under Settings > Users > Other > Inbound Provisioning.  If you know our product well, you will have noticed from the picture above that we've also added a place for "Administrative Accounts".  This is a cool and necessary component of Inbound Provisioning.  With Inbound Provisioning, we are creating and editing user objects in AD, and need to have the appropriate permissions to do that.  Specifically, we need to have domain or enterprise administrator rights.  The Administrative Accounts feature allows you to store the necessary credentials in the platform for use with your AD.  Those credentials can be vaulted in our platform or can come from a managed account from Centrify Privilege Service.

 

We hope you enjoy these new features and look forward to hearing your feedback!

New Features - Centrify Identity Service

 

Extensible Directory 

 

Custom user attributes can now be stored in the Centrify Directory.

  • Attributes can be stored for users regardless of the user’s source directory (AD, LDAP, Centrify, Google, Federated User, B2C user)
  • Attributes can be used in SAML attributes
  • Attributes can be used in MFA
  • Attributes can be used in Reports

 

extensible directory.gif

  

 

Inbound Provisioning

 

For companies who use Workday and want Workday to be the system of record for user identities.

  • Workday --> Active Directory
    • Once in AD, users are visible to Centrify through the connector.

 inbound provisioning.gif

 

Administrative Accounts

 

Inbound Provisioning will create and update users in AD. 

 

Writing to AD requires privilege:

  • Domain Admin, or
  • Enterprise Admin

Platform now stores Admin Accounts in order to write to AD.  Centrify Privilege Service and AD are supported. 

 

administrative accounts.gif

 

 

Search Added to OATH Tokens Page

 

Admins can now search for a specific OATH Token for easier management.

  • This is helpful when the admin needs to delete a token because:
    • User loses token
    • User leaves the organization

 

 

OATH.gif

 

 

Force Fingerprint for Mobile Authenticator (iOS)

 

Policy to require a fingerprint read is now supported on iOS:

  • Whenever the Mobile Authenticator MFA method is used, a required fingerprint pop-up will appear
  • Policy to allow or disallow PIN Fallback

 

FingerPrint.png

 

 

Centrify Analytics Service Limited Public Beta

 

Centrify Analytics Service is now available for beta testing in production tenants on cloud.centrify.com. Features include:

  • Real-time Access Insights
  • Risk-based Access
  • Dynamic Events Explorer

 

Please email analyticsbeta@centrify.com to inquire about participation in the beta program.

 

analytics.png

 

 

The following apps have been added to the catalog:

  • Interact (SAML)

 

The following apps have been updated:

  • OfficeSpace (SAML)
  • Red Hat support (customer portal)
  • Zendesk (provisioning)

 

 

New Features - Centrify Privilege Service

 

User-defined Sets of Resources and Accounts

 

Persistent named sets of resources and accounts

  • User defined
  • Operate on a set to act on all its members
    • E.g. set permissions for a user on all the servers in a set
  • Complete UI visibility of how users inherit permissions
  • Static and dynamic sets
    • Dynamic sets use a query to automatically update members

 

 CPS.png

 

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • A new field InternalDeviceType has been added to the device enroll event, returning a device type identifier (I for iOS, A for Android, M for Mac and W for Windows) for device enroll events with 17.2 or later. Using this field in queries with device enroll events prior to the 17.2 release will not return a valid response (CC-44777).
  • DeviceId has now been added as a common property to all events; it is set if available when the event is posted (CC-44310).
  • On devices enrolled using Android for Work, all of the applications associated with a user’s role now show on a single page (CC-44283).
  • Choosing to email a built-in application report now emails the report (CC-44862).
  • The built-in report User Provisioning for Office 365 now shows provisioned users (CC-43619).
  • The Modify action has been removed from the Office365 domains section as it had no function (CC-43887).
  • Administrators now have the right to see device locations for devices with location tracking enabled without requiring a separate permission to be granted (CC-44579).
  • Added four new attributes to the OfficeSpace SAML app template – first_name, last_name, email and name (CC-43840).
  • The help tips for sync options have been corrected in the provisioning UI (CC-41814).
  • A search function has been added for OATH tokens in settings (CC-44193).
  • Email and Exchange policies now show compliance status on Android devices (CC-43253).

 

 

 

For security advisories and known issues, please see attached file.

 

For 17.2 Hot Fix 1 security advisories and known issues, please see attached file.

  

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.1 this weekend (Saturday, January 14th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Form-Filling GA

After a successful beta of our Form-Filling, I am happy to announce that Form-Filling is now generally available.  In case you missed the earlier announcements, Form-Filling is the ability for Centrify to log a user into a username and password application when the user goes directly to the app (instead of clicking on the tile in the User Portal).  This feature is analogous to the SP-Initiated login flow for SAML apps.  I've been using the feature personally for the past several months, and really love how it's made me more productive and has improved my account security.  I've added all of my personal apps to Centrify, and when I did that, I created complex and random passwords that I actually don't remember.  Now, I never type in passwords for my personal apps, I simply go to my personal app, and click the Centrify logo to login!

Form Fill.png

Form-filling is now generally available and supported on the following browsers:

  • Chrome
  • Firefox
  • IE

Our development team is hard at work building these capabilities for Safari, so stay tuned for future updates on that!

 

Mobile Enhancements

This release also has several improvements to our mobile offering.  We've updated our mobile app to support 3D Touch on iOS and App Shortcuts on Android.  On these devices, a long press of the Centrify app icon will bring up a menu with the following options:

  • Send MFA Code (Mobile Authenticator)
  • The last 2 apps used
  • Notifications 

While the above is simply a convenience feature, we've also added a couple of great security features for mobile:

 

  1. Force Fingerprint for Mobile Authenticator.  As it sounds, Admins can now set policy requiring users to provide a  fingerprint when using Mobile Authenticator.  This is an added security measure so that access is only granted to the rightful owner of the device when using Mobile Authenticator.  (NOTE: currently available on Android devices only)
  2. Remediation Actions for Unreachable Devices.  Admins can now set policy to take actions (lock or unenroll) on managed devices that are no longer reachable.  You can think of this as a "poison pill" set on the client to take action if it does not successfully "phone home" within a specified period of time.

Disable Unreachable Clients.png

 

We hope you enjoy these new features and look forward to hearing your feedback!

New Features - Centrify Identity Service

 

CBE Form-Fill 

 

This feature allows users to go directly to a username / password app and log in through Centrify without going to the User Portal.

 

Form-Fill now available for:

  • Firefox
  • IE
  • Chrome

User can enable/disable auto-login.

 

CBE form fill.gif  

 

Force Fingerprint for Mobile Authenticator (Android)

 

This is a new policy to require a fingerprint scan.

  • When using the Mobile Authenticator MFA method, a required fingerprint pop-up will appear
  • Policy to allow or disallow PIN Fallback
  • iOS coming in the next release

Forced Fingerprint.png

 

 

Remediation Actions for Unreachable Devices

 

If a device is unreachable for X days, the following actions are available to admins:

  • Admin Lock
  • Auto-Unenroll

unreachable devices.png 

 

 

3D Touch / App Shortcuts

 

Long press on the Centrify app icon will bring up:

  • Send MFA Code (Mobile Authenticator)
  • The last 2 apps used
  • Notifications area

 

This feature is available for both iOS and Android 7.1+.

 

3d touch.png 

 

 

New policy for Samsung KNOX – Force GPS

 

Admins can now force managed Samsung KNOX devices to have GPS enabled.  New policy is available here:

  • Policies > Mobile Device Policies > Samsung KNOX Device Settings > Restriction Settings

Samsung KNOX.png

 

The following apps have been updated:

 

  • Windows Live
  • Skype
  • Yahoo Mail
  • eFax
  • Box
  • Lynda
  • My Adobe
  • Twitter
  • PollEverywhere
  • Juniper Pulse renamed to Pulse Secure

 

 

New Features - Centrify Privilege Service

 

Privilege Service On-Premises

 

  • Centrify Agent for Windows is bundled with Privilege Service on-premises
  • Accessible via Admin Portal > Downloads > Centrify Agents

CPS om prem.png 

 

Web Proxy Option - Centrify Agent for Linux 

 

In this version we introduce the -p (--http-proxy) option for the cenroll command to specify a web proxy for Centrify Agent for Linux enrollment operations.


Using this option will update the agent.web.proxy.global and agent.web.proxy.order parameters of the /etc/centrifycc/centrifycc.conf file (CC-42880).

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • De-provisioning both a user and user’s manager at the same time in the NetSuite app now correctly de-provisions the user’s manager (CC-43569).
  • The Internet Explorer browser extension now loads pages where there is no document.defaultView object (CC-43553).
  • The Download Signing Certificate help tip now displays on IE in the WebEx SAML app (CC-42130).
  • Samsung KNOX UMC enrollment is now initiated with the Chrome browser on Samsung KNOX devices (CC-43323).
  • The IMEI is now displayed correctly for Android 6.0+ devices (CC-43164).
  • A device no longer shows as enrolled in the Admin Portal if enrollment was cancelled before completion (CC-43731).
  • The derived credential status no longer gets stuck at “pending” for devices running Android versions earlier than 7.0 (CC-43436).
  • Manager and Subsidiary field values are now sent to NetSuite (CC-42932).
  • Existing users are no longer overwritten by the Slack provisioning app if the option to keep existing users is checked (CC-42907).
  • All phone numbers (office, home, mobile) are now synched by the Slack provisioning app (CC-37056).
  • The Qmarkets provisioning app now supports the option to disable a user (CC-42967).
  • If a role is assigned as a workflow approver, the name of the role member that approved is now displayed after the approval has been given (CC-43221).
  • In the Google Apps for Work provisioning app, it is now possible to add a child Active Directory group for a synched Active Directory group (CC-39478).
  • Sync records for rejected user cases are no longer deleted by the Office 365 provisioning app (CC-43514).
  • All approvers on a Workflow request are now shown in the approval/rejection email to the affected user (CC-43171).
  • The Role “Add Members” dialog no longer pre-fills the list of all available users to improve UI performance (CC-43291).

 

For security advisories and known issues, please see attached file.

 

For 17.1 Hot Fix 1 security advisories and known issues, please see attached file.

 

For 17.1 Hot Fix 2 security advisories and known issues, please see attached file.

 

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.12 this weekend (Saturday, December 17th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Multi-Step Workflow

As you may know, we introduced Workflow to our platform (for both Centrify Identity Service App+ Edition, and for Centrify Privilege Service) over a year ago when we released 15.10.  When we introduced workflow, we enabled admins to create a very simple one-step approval flow for access to apps and infrastructure.  We're happy to announce that with this release we have augmented our workflow engine to support multiple steps for approval.  In addition to being able to specify multiple steps, we now offer the ability to create workflows (single-step or multi-step) where the requestor's manager can be specified as an approver in addition to the already supported named user or role.

 

Multi-Step Workflow.png

 

Usability Improvements

We've made two minor usability improvements for working with Centrify Connectors and setting up a Corporate IP Range.  For both of these interfaces, we now provide the ability for the Admin to create a friendly name or label.  For the Connectors, the name is used throughout the product when specifying a Connector to route traffic through (e.g. specifying a Connector to use as an App Gateway for a particular app).  While the Corporate IP Ranges are only shown on one page, we've had customers (with large networks with multiple locations) ask us for this feature to enable them to easily identify each entry.

 

Labels.png

 

Preview of Inbound Provisioning (from Workday)

Finally, I'm very excited to announce that we are introducing a preview feature for inbound provisioning into our platform.  As you know, our products enable secure access to apps and infrastructure to the user communities that are important to our customers.  The platform integrates easily with existing data stores and does not require replication of user data.  For customers who maintain their users in AD, our Connectors simply proxy the existing Active Directory.  Our customers love the ease of use and security that this approach of "Identity from Anywhere" provides.  Many of our customers have either invested, or are planning to invest, in a Human Capital Management (HCM) solution like Workday.  These customers have asked that we better integrate with their identity ecosystem, and we've answered with this new feature.  Centrify can now be used for inbound provisioning from Workday into Active Directory.  Once in AD, those users can then access apps and infrastructure through Identity Service and Privilege Service.  This feature has been built to be extensible so that we can easily add support for other data sources (i.e. other HCM solutions) and target directories (most notably, we will soon add support to provision into the Centrify Directory).

 

Inbound Provisioning.png

 

Please note that this preview feature must be enabled for your environment (it does not appear by default).  If you would like to try it out in your environment please contact support.

 

We hope you enjoy these new features and look forward to hearing your feedback!

New Features - Centrify Identity Service

 

Inbound Provision from Workday (Preview)

 

This feature enables Centrify customers to create users in CIS / CPS directly from Workday.

  • Workday provisioning directly to Centrify - For customers who want to stay entirely in the cloud
  • Workday provisioning to AD via Centrify - For customers who use Active Directory together with Workday
  • Modular architecture to support future Human Capital Management solutions
    • UltiPro
    • BambooHR

Inbound A.png

 

This preview version supports provisioning from Workday to AD.

  • Preview feature must be enabled by Centrify. Contact Centrify Support for more information. 
  • Released version will support options to provision to AD or Centrify Directory
    • Preview version will only support provisioning to AD
  • Modular architecture allowing Workday to be replaced with another Human Capital Management system in the future

 inbound b.gif

 

 

Multi-step Workflow

 

Workflows can now be set up with an unlimited number of approval steps.

  • Unlimited number of named users or roles
  • New option: User’s Manager (this can only be selected once)
    • If User's Manager is unknown, or one does not exist, approval will be assumed by the system (subsequent approvers will see that the approval was implied)
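The approval semantics described in this section and in the 16.12 highlights above (any number of named user or role steps, User's Manager selectable at most once, and a system-implied approval when no manager is on record) modeled as an added Python example. This is not Centrify's own code; the directory lookup, approver names and decisions are constructed sample data.

```python
"""Model of a multi-step approval workflow with a "User's Manager" step.

Added illustration, not Centrify's implementation. The manager lookup,
approver names and decisions used below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    """One approval step: a named user, a role, or the requester's manager."""
    kind: str                    # "user", "role" or "manager"
    name: Optional[str] = None   # approver name for "user"/"role"; unused for "manager"


@dataclass
class StepRecord:
    """What later approvers see about an earlier step."""
    step: int
    approver: str
    decision: str                # "approved", "rejected" or "implied"


class WorkflowDefinitionError(ValueError):
    """Raised for a workflow definition the engine would not accept."""


def validate_steps(steps: List[Step]) -> None:
    """User's Manager may be selected only once; user/role steps are unlimited."""
    if not steps:
        raise WorkflowDefinitionError("a workflow needs at least one approval step")
    if sum(1 for s in steps if s.kind == "manager") > 1:
        raise WorkflowDefinitionError("User's Manager can be selected only once")
    for s in steps:
        if s.kind not in ("user", "role", "manager"):
            raise WorkflowDefinitionError(f"unknown step kind {s.kind!r}")
        if s.kind != "manager" and not s.name:
            raise WorkflowDefinitionError("user/role steps need an approver name")


def run_workflow(
    requester: str,
    steps: List[Step],
    manager_of: Dict[str, str],
    decisions: Dict[str, bool],
) -> Tuple[str, List[StepRecord]]:
    """Walk the steps in order and return (outcome, history).

    outcome is "approved", "rejected" or "pending" (waiting on an approver who
    has not answered yet). manager_of maps a user to its manager (a constructed
    stand-in for the directory); decisions maps an approver (user or role name)
    to True/False.
    """
    validate_steps(steps)
    history: List[StepRecord] = []
    for number, step in enumerate(steps, start=1):
        if step.kind == "manager":
            manager = manager_of.get(requester)
            if not manager:
                # Unknown or missing manager: the system assumes approval and
                # records it as implied so subsequent approvers can see that.
                history.append(StepRecord(number, "User's Manager (not on record)", "implied"))
                continue
            approver = manager
        else:
            approver = step.name
        answer = decisions.get(approver)
        if answer is None:
            return "pending", history           # still waiting on this approver
        verdict = "approved" if answer else "rejected"
        history.append(StepRecord(number, approver, verdict))
        if not answer:
            return "rejected", history          # a single rejection ends the request
    return "approved", history


def implied_steps(history: List[StepRecord]) -> List[int]:
    """Step numbers a later approver would see flagged as system-implied."""
    return [r.step for r in history if r.decision == "implied"]


if __name__ == "__main__":
    # Constructed example: manager first, then a named user, then a role.
    workflow = [Step("manager"), Step("user", "alice"), Step("role", "Security Admins")]
    directory = {"bob": "carol"}            # dave has no manager on record
    answers = {"carol": True, "alice": True, "Security Admins": True}
    for who in ("bob", "dave"):
        outcome, trail = run_workflow(who, workflow, directory, answers)
        print(who, outcome, [(r.step, r.approver, r.decision) for r in trail])
```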

multi.gif

 

 

Policy Compliance Details

 

Admins can now see which policies are not compliant on a specific device.

  • Drill-down to device from Devices table
  • Go to Policy Summary
  • Compliance column now appears with details (non-compliant policies appear in red text)

policy compliance.gif  

 

 

Labels for Connectors and Corporate IP Range

 

Admins can now provide labels for Centrify Connectors and for IP Addresses in their Corporate IP Range.

  • Connector “names” are used throughout the product for selecting connectors for affinity (i.e. designating specific connectors as App Gateways)
  • Corporate IP Range labels are helpful as a “sanity check” for verifying satellite offices have been accounted for

label.gif

 

The following apps have been updated:

  • DocuSign (SAML+Provisioning)
  • Webex (SAML+Provisioning)
  • Dropbox (SAML+Provisioning)
  • Box (SAML+Provisioning)

 

The following apps have been removed from the catalog:

  • Hotels.com UK
  • Fontdeck
  • FaxItNice

 

 

New Features - Centrify Privilege Service

 

Local Client for SSH

 

  • Designed to improve usability of Privilege Service's remote session feature
  • 16.12 will support PuTTY
    • Windows RDP Client (mstsc.exe) support target is 17.2.
  • Local SSH client is supported on Windows
  • Sessions go through the Centrify connector (connector must be able to reach the target system)
  • Maintains capabilities like watch, terminate and MFA
  • Remote Access kit (local access launcher) must be installed on local system 

 

local client.png

 

 

 

Platform Support Changes

iOS

iOS 8 is no longer supported by the Centrify App for iOS. If you are using iOS 8 you will still be able to install and use the Centrify App for iOS release 16.11 and earlier; however, you will not be able to upgrade to 16.12 or later until you have upgraded your OS to iOS 9 or later.

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • Event indexing performance has been improved such that large event populations no longer cause timeouts when displaying Recent Activity, Active Sessions, Password Checkouts (CC-43348, CISSUP-2585, CISSUP-2588).
  • Online help now opens in a browser window with a toolbar and location bar; this makes navigation easier and allows readers to quickly share links (CC-42321).
  • The Centrify App for iOS now supports Application Transport Security, which is an Apple requirement for apps released after January 1, 2017 (CC-43051).
  • A VPN profile has been added for the Pulse Secure Juniper VPN client (CC-42682).
  • The “Company managed groups” feature of Dropbox is now supported by the SAML+Provisioning Dropbox app (CC-41353).
  • The Webex plug-in has been enhanced to support all the privilege attributes and sessionOption attributes (CC-42818, CISSUP-2529).
  • Users with Application Management rights can now correctly delete apps deployed by other users (CC-42627).
  • The correct assigned / available license count is now shown for Office 365 (CC-43268 / CISSUP-2543).
  • Accented characters are now allowed in email addresses (CC-43242).
  • In the Box app, it is now possible to update the location for a user’s home directory’s parent folder (CC-42201).
  • In the User Portal references to a user’s Primary Device have been removed as this concept has been replaced by the more flexible Notifications feature (CC-42694).
  • Reports whose names contain a space can now be deleted (CC-42789).
  • The Unenroll command only shows in the User Portal where permitted by the “Permit user to unenroll devices” policy (CC-42403).

 

For security advisories and known issues, please see attached file.

 

For 16.12 Hot Fix 1 security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.11 this weekend (Saturday, November 19th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Windows MFA

If you've been following Centrify over the past year, you've surely heard us talk about our MFA Everywhere initiative.  This has been the Centrify rallying cry for the past several months, as we've been encouraging our customers to protect their apps and infrastructure by using multi-factor authentication wherever possible.  This is an area where we continue to invest to further extend our ability to protect the enterprise.  To this end, we are happy to announce that with 16.11, we now support MFA for Windows login.  

 

Windows MFA.png

 

This is an add-on feature available through a new endpoint license.  Please contact your account team for more information.

 

Form-Filling Extended Beta

You may recall that we introduced a beta feature for form-filling when 16.9 was released.  Again, this enables users to go directly to a username / password application (instead of the user portal) to get signed in automatically to the application.  In 16.9, we made this feature available for Firefox only.  Now, the beta is available for IE and Chrome, too!  Better still, the beta software is directly available for you to download from the "Downloads" menu in the Admin Portal.

 

 Form-Fill Beta Downloads.png

 

 

You will also notice that we officially changed the name of our administrative portal from Cloud Manager to Admin Portal.  We did this to have a more consistent user experience across deployment models (the Privilege Service is available for on-premises deployments, so we dropped the term Cloud from our admin portal and from our Connectors).

 

Notifications Menu for Mobile

Finally, we've updated our mobile app to include a notifications center.  In the mobile app you will see a new bell icon; if you have notifications that require an action (e.g. approve an authentication request, or confirm you've enrolled another mobile device), the bell will contain an indicator that you have actions to take.

 

Notifications.png 

 

We hope you enjoy these new features and look forward to hearing your feedback!

 

New Features - Centrify Identity Service

 

Component Name Changes

 

Product component names have been rebranded to create a single name that works across on-premises and cloud deployments.

  • Cloud Manager is now Admin Portal
  • Cloud Connector is now Centrify Connector

 

Component.png

 

Centrify Browser Extension Form-Fill Preview

 

Form-Fill allows users to go directly to a username / password app and log in through Centrify (without going to the User Portal).

 

CBESignin.gif

Preview is now available for:

  • Firefox (Beta)
  • IE (Beta)
  • Chrome (Alpha)

Administrators can access preview release files from the Downloads menu:

 

CBEDownload.gif 

 

 

Windows MFA

 

We are extending our MFA Everywhere initiative to include Windows Login

 

Win MFA Login.png

  • MFA for Windows Login now includes Windows endpoints (in addition to Servers)
  • Windows Agent is now available from the Downloads Menu
    Win MFA.gif
  • Windows MFA will require a new Endpoint license (contact your account team to learn more)

 

Policy Compliance

 

Devices will now check for policy compliance

  • A new Compliance column has been added to the Devices tab
    PolicyCompliance.png

 

 

Aggregate Map of Device Locations

 

Administrators can toggle between list view and map view.

  • Views show all devices whose users have opted in to, or been forced into, admin location sharing
  • The toggle is hidden until the device location tracking policy is enabled

map.png 

 

 

Notifications Menu

 

Notifications are now consolidated into their own section in the app.

notification1.png

 

notification2.png

 

  

The following apps have been updated:

  • Druva inSync

 

 

New Features - Centrify Privilege Service

 

The Centrify Agent for Linux

 

The new Centrify Agent for Linux replaces and extends the functionality found formerly in the CLI Toolkit.  In addition to the application-to-application password management (AAPM) features, the agent brokers authentication (logon) with supported Linux systems for identities known to CPS.  Supported identity providers in this release include:

  • Active Directory
  • LDAP
  • Centrify Directory

 cps1.png

 

 

The new agent enables logon for Active Directory users on Linux systems that cannot be joined to the Active Directory domain.  These could include servers hosted by an IaaS provider; servers within a virtual private cloud; or even servers on-premises, such as those in a network DMZ.

 

Manage Account Passwords for SQL Server Clusters

 

Privilege Service now manages account passwords for Microsoft SQL Server™ in both single-server and clustered modes of operation. 

 

 cps2.png

 

For Windows authentication with SQL Server, account passwords can be synchronized for SQL Server clusters using:

  • Failover clustered instances (FCI)
  • Database mirroring
  • AlwaysOn availability groups
  • Log shipping
  • Any combination of these features

For SQL Server “mixed mode” authentication, failover clustered instances are supported.

 

End of Life Notice

 

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit has been removed from CPS in this release. Similar functionality to that in the CLI Toolkit is available in the new command-line tools in the Centrify Agent.  This functionality includes the application-to-application password management (AAPM) and agent authentication features.

 

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2016. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Agent feature set as of Server Suite 2017.

 

Centrify strongly recommends that customers use the new Centrify Agent feature set in this release.

 

Changes to CLI Commands in the Centrify Agent

A new service account will be used to join a computer to the customer’s Centrify tenant.  The "service account" will be a Centrify Directory user account with a name like

 

<hostname>$@<tenant.alias>.

 

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

 

There is no requirement for the computer to be joined to an Active Directory domain in order to use the new Centrify Agent.

 

Platform Support Changes

Centrify Connector
Windows Server 2016 is now supported as a Centrify Connector platform.

Centrify Agent
The Centrify Agent supports the following Linux platforms:

Platform                                   AAPM   Agent Authentication
Red Hat Enterprise Linux 6.8, 7.3
CentOS 6.8, 7.2
Oracle Linux 6.8, 7.2
Amazon Linux
SLES 12 SP1
Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS

 

 

Note: Upgrading from the CPS CLI Toolkit to the Centrify Agent for Linux is not supported. Please ensure the CLI Toolkit is removed before the Centrify Agent for Linux is installed.

  

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • The Downloads page now includes the option to download preview releases of browser extensions for supported browsers (CC-42370).
  • IWA now works through HTTPS where the Centrify connector is joined to a child domain (CC-40905).
  • Sync options can now be modified on the provisioning page for the Qmarkets app where it is supported by the app (CC-39445).
  • The synced user’s email is now correctly updated in the Zendesk provisioning app if it has been modified (CC-38949).
  • When a provisioned user’s phone numbers are removed they are now correctly removed from Samanage (CC-38105).
  • In an app’s policy tab, “Login Authentication Rules” has been renamed “Application Challenge Rules” to better describe its purpose and remove any confusion with the user security policy of the same name (CC-42060).
  • By default, all newly deployed provisioning applications have the “Do not de-provision…” option checked in the Provisioning tab. Settings for applications that were deployed in a previous release will not be modified (CC-39227).
  • All installed apps are now correctly shown for Android devices (CC-41720).
  • The system configuration tab is now shown for system admins when the settings page is refreshed (CC-41042).
  • App gateway diagnostics, accessible from an app’s App Gateway tab, now complete correctly (CC-41504).
  • The “Active Devices Not Seen in the Last Seven Days” report once again provides the expected list (CC-41817).
  • The policy compliance report now shows non-MDM policies on Android devices (CC-41983).
  • The Chrome browser is now disabled on a Samsung KNOX device when Google Apps are disallowed by a policy setting (CC-41989).
  • A “view” action has been added to the reports in the built-in security reports page actions menu (CC-41812).
  • Devices can once again be enrolled from an SMS invitation message (CC-42774).
  • All Webex attributes are now correctly being set when set in the provisioning script (CC-42818).
  • Incremental provisioning syncs no longer get randomly stuck (CC-42265).
  • Fixed a message in job history when syncing an AD group with an invalid email for the Box app (CC-40589).
  • The correct count is now displayed in the device enrollment history in the mobile overview dashboard (CC-42058).
  • Sync reports now no longer report federated users that are not configured for provisioning (CC-37271).

 

 

For security advisories and known issues, please see attached file.

 

For 16.11 Hot Fix 1 security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.10 this weekend (Saturday, October 29th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Improved App Policy

In this release we've made significant improvements to:

 

  1. The way Admins configure per-app policies, and
  2. The interactions between per-app policies and login authentication policies (used to access the portal).

First, let's look at the improvements to the configuration in per-app policies.  In the past, if you wanted to set an application specific policy, you could easily enable 2 policies via checkboxes (restricting access to clients within the Corporate IP range, and/or to always require strong authentication), or you could use the scripting engine to write your own per app policy.  With this new release, we are adding the rules builder UI that is currently available under Policies for setting Login Authentication policies to Apps!

 

App Rules Builder.png

This makes building policies for apps much simpler.  While we've made it simpler to set up rules for app access for most use cases, we did not remove access to the scripting engine, so more complex rules can still be created.

 

Most importantly, we've made a significant change to the interaction between application policy and the more general login authentication.  In the past, we treated the login flow separately, and if the user logged in using MFA, we considered the user to be "highly authenticated" for the entire platform.  This meant, if the user then logged into an application that also required strong authentication, the user would not be asked to provide additional credentials to authenticate into the application.  With 16.10, we've done away with the concept of high auth for the platform and now honor the app policy regardless of how the user authenticated to access the platform.  We've also made a couple of changes to the login authentication policy to better support this.  Specifically, in the past, we had policy settings for IWA and certificates to "consider those logins as strongly authenticated".  Those policies have been changed to indicate that IWA or certificates "satisfy all MFA mechanisms".  Of course, we've also removed the login authentication policy to set the authentication profile to use for strong authentication for applications (since that can now be set independently for each app that requires strong auth).

 

Administrative Features

In this release we've also added two new features to improve the Admin experience. Specifically, we've improved the people picker for SAML app script testing.  With this release, when you need to test a SAML script, the people picker will default to the logged in user.  If you change that user to someone else, and then modify the script, when you come back to test the script it will remember who you tested as previously.  We also took this time to replace the people picker widget with our standard people picker used throughout the product.

 

SAML People Picker.png 

 

In addition, we added a safety feature to prevent admins from setting policies that would lock themselves out of the platform.  In the past, we've had customers call us to help unlock their accounts because they could no longer login as the system administrator for their tenant.  Typically this happens when the admin sets up an authentication profile that requires an MFA mechanism that the admin can't provide.   With 16.10, whenever the admin makes changes that affect the login flow, we will validate that those changes will not prevent sysadmins from being able to login.  If the changes would result in a lockout condition, we now pop a warning message.

 

We hope you enjoy these new features and look forward to hearing your feedback!

Centrify Cloud 16.10 Release Notes

By Community Manager, 10-14-2016 04:51 PM

New Features - Centrify Identity Service

 

Improved App Policy

 

Introduced rules builder for per-App policy

  • Same UI / options as are available in Login Authentication (Policy) / Privilege Service
  • Admin can use scripts if preferred

New Behavior with App Challenges

  • MFA at portal login is no longer considered “Highly Authenticated” for app access

 

app policy.gif 

 

 

Changes to Login Authentication Policy

 

16.10 no longer has a notion of High Auth for portal login.

  • MFA at portal login does not prevent app policy from also asking for MFA
  • No longer ask for application policy profile

login auth policy before.png

Login Authentication options from 16.9: Application Policy Profile

 

login auth policy after.png

Login Authentication options from 16.10: No Longer Ask for Application Policy Profile 

 

 

  • 16.10 no longer has the option to “accept IWA” / “certificates” as strongly authenticated for application policies
    • Admins can specify that IWA / Certificates satisfy all MFA mechanisms

login auth policy before 2.png

Login Authentication options from 16.9

 

login auth policy after 2.png

 Login Authentication options from 16.10

 

 

Improved People Picker for SAML App Script Testing

 

We’ve made it easier for Admins to test their SAML apps:

  • 16.10 now uses the standard People Picker UI
  • Default search is on current user
    • System remembers the last user

 script testing.gif

 

 

Warning Message for Administrative Changes Resulting in Sysadmin Lockout

 

A warning message will appear if the system detects that changes may lock administrators out of their environment.

  • Admin sets up profiles that Sysadmins can’t fulfill
  • Warning appears after changes have been made
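The lockout check described here (and in the 16.10 highlights above) can be modelled as "does every system administrator have the mechanisms the new profile demands?". The following is an added Python example written for this page, not Centrify's code; the profile structure (alternative mechanism combinations), the function names and the sample sysadmins are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginProfile:
    """Modelling assumption: a profile is satisfied by completing every
    mechanism in at least one of its alternative combinations, e.g.
    password + OATH OTP, or password + SMS."""
    name: str
    alternatives: frozenset   # frozenset of frozenset[str]


def user_can_fulfill(profile, registered):
    """True if the user has enrolled every mechanism of some alternative."""
    return any(combo <= registered for combo in profile.alternatives)


def locked_out_sysadmins(profile, sysadmins):
    """Sysadmins (name -> enrolled mechanisms) who could not satisfy `profile`."""
    return sorted(name for name, mechs in sysadmins.items()
                  if not user_can_fulfill(profile, mechs))


def validate_login_change(profile, sysadmins):
    """Return a warning string if the change would lock sysadmins out, else None."""
    locked = locked_out_sysadmins(profile, sysadmins)
    if not locked:
        return None
    if len(locked) == len(sysadmins):
        # Nobody could log in any more: the tenant itself would be locked out.
        return (f"Profile '{profile.name}' cannot be satisfied by any system "
                f"administrator ({', '.join(locked)}); applying it would lock "
                "the tenant out.")
    return (f"Profile '{profile.name}' cannot be satisfied by system "
            f"administrator(s) {', '.join(locked)}.")


# Constructed sample tenant: which mechanisms each sysadmin has enrolled.
SYSADMINS = {
    "alice": frozenset({"password", "otp", "sms"}),
    "bob": frozenset({"password", "sms"}),
}

# Constructed profiles an admin might try to apply to the login flow.
OTP_ONLY = LoginProfile("Password + OATH OTP",
                        frozenset({frozenset({"password", "otp"})}))
OTP_OR_SMS = LoginProfile("Password + OTP or SMS",
                          frozenset({frozenset({"password", "otp"}),
                                     frozenset({"password", "sms"})}))
QUESTION_ONLY = LoginProfile("Password + security question",
                             frozenset({frozenset({"password", "security_question"})}))

if __name__ == "__main__":
    for profile in (OTP_ONLY, OTP_OR_SMS, QUESTION_ONLY):
        print(profile.name, "->", validate_login_change(profile, SYSADMINS) or "OK")
```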

 Picture3.png

 

 

Deprecated Support for IWA over HTTP

 

As communicated when we upgraded to 16.7, we are officially removing support for IWA over HTTP.

  • HTTPS checkbox has been removed, as it’s now the only option

 Picture4.png

 Cloud Connector Configuration from 16.9

 

Picture5.png

Cloud Connector Configuration from 16.10 - HTTPS checkbox removed

 

 

The following apps have been updated:

  • HootSuite
  • ARIBA Exchange
  • Citrix ShareFile
  • Autotask
  • Xing
  • Splunk
  • Symantec PartnerNet
  • TradingView
  • Enterprise Rent-A-Car

 

New Features - Centrify Privilege Service

 

Improvements to Application Management

 

16.9 - App updates happen on the 60 minute sweep interval:

 cps1.png

 

16.10 - Right click to push an update: 

 

 

cps2.png

 

 

Re-enable Domain Account Management

 

Earlier this year, Microsoft removed part of their .NET API within a recommended security update for Windows.  Microsoft had previously recommended that vendors who needed to manage passwords for Windows local and domain accounts use this API.  CPS vaulting continues to work; however, with the removal of this API, CPS cannot automatically change passwords for Windows accounts.

  • Re-enable password management (e.g. automatic rotation)

The fix in CPS for Microsoft’s API change is in two parts. 

 

End of Life Notice

 

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit has been removed from CPS in this release. Similar functionality to that in the CLI Toolkit is available in the new command-line tools in the Centrify Cloud Agent.  This functionality includes the application-to-application password management (AAPM) feature set.

 

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2016. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.

 

Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set in this release.

 

Changes to CLI Commands in the Centrify Cloud Agent

A new service account will be used to join a computer to the customer’s Centrify cloud tenant.  The "service account" will be a cloud user account with a name like

 

<hostname>$@<tenant.alias>.

 

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

 

There is no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.

 

Platform Support Changes

Support for the Fedora platform is dropped in this release.  The matrix below lists the platforms that are supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer's Centrify cloud tenant.

 

Platform   AAPM   Login
RHEL       Y      Y
CentOS     Y
Oracle     Y
Fedora
AMI        Y      Y
SLES       Y
Ubuntu     Y

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • HTTP can no longer be used for IWA in 16.10.
    • The “Use HTTPS for IWA” checkbox is gone from the UI, all behavior will be as if that box was checked.
    • All IWA from Web browsers, if attempted, is done using the HTTPS port configured. If not configured properly, IWA will fail silently and users will have to login interactively.
    • IWA will be attempted if there is no IP range configured, or if the IP range is configured and the Web browser is within that range.
    • The cloud connector will continue to listen on the internal network for HTTP traffic, to support older on-prem AAPM clients, etc, but this will be removed in 16.11.
  • With the changes to authentication policy in 16.10, the concept of high authentication has been eliminated and the new Application Challenges feature works differently. For IWA users, checking the policy option “Accept IWA connections as strongly authenticated for application policies” would cause them never to be challenged for apps tagged with privileged launch requirements. In 16.10, Application Challenges require users to satisfy authentication mechanisms once per configurable time period (default 30 minutes) before being able to launch a privileged app.

    By default, IWA logins satisfy the password mechanism only. For any privileged app set up with a challenge that requires any mechanisms other than password (for example, email or SMS), IWA users will have to provide that mechanism before the app will launch and provide it again once the duration in the associated auth profile is exceeded.

    You can limit the challenge to once per session by extending the duration in the associated auth profile to a long period, for example 10 hours. Note, however, that such a setup has a significant security impact as any IWA user will be able to launch privileged apps without identity re-verification for extended periods (CC-41247).
  • A user’s password is now correctly synched to Google Apps for Work if the sync option is enabled after a user first logs in (CC-40948, CC-38514).
  • In Box, a user’s home directory is no longer only created if the user is the owner of the directory. As long as the user is a collaborator on the directory, the directory can be used as the user’s home directory (CC-41500).
  • The “Download Signing Certificate” help tip has been updated for the Webex SAML/provisioning app (CC-40711).
  • Support has been added to write back msDS-ExternalDirectoryObject for Office 365 (CC-33936).
  • A race condition has been resolved whereby it was possible to create duplicate users with the same name if the same user was created by two administrators within a couple of seconds of each other (CC-41914).
  • Active Directory groups are now correctly enumerated. Previously, if an error was encountered other than a non-existent user then the enumeration would terminate and could result in symptoms such as users being de-provisioned or failed lookup of a user’s AD groups (CC-41821, CISSUP-2447, CISSUP-2427).
  • The Slack provisioning plug-in has been updated to provide more feedback when user name updates fail (CC-40410).
  • The frequently used and recent lists of apps in the User Portal are now correctly populated. Previously some frequently or recently used applications were left out (CC-39239).
  • It is now possible to add an Exchange server in Settings > Mobile > ActiveSync Device Quarantining (CC-41573).
  • Invalid primary domain errors no longer occur when attempting to authorize Google apps for provisioning (CC-41654, CISSUP-2413).
  • The Overwrite, Keep, Retain and Deprovision option prompts on a provisioning-capable app’s de-provisioning page have been updated to better describe their actions (CC-40315).
  • Users’ phone numbers can now be synched to Webex (CC-37894).
  • Mobile apps are now removed from iOS devices when the application setting “Uninstall this app if app is unassigned from the user” is checked (CC-41455).
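The Application Challenge behaviour described in the first resolved issue above (and in the 16.10 "Improved App Policy" highlights) can be made concrete with a small model: portal MFA no longer counts toward app access, a satisfied factor counts once per profile duration (30 minutes by default), IWA or certificates may be configured to satisfy all mechanisms, and a 10-hour duration removes re-verification for hours. The following is an added Python example written for this page, not Centrify's implementation; the class and function names, the "login seeds only the password mechanism" rule and the sample session are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthProfile:
    """Authentication profile attached to an app's challenge rule.

    `mechanisms` are the factors the challenge requires; `duration` is how long
    a completed factor stays valid (the notes give 30 minutes as the default).
    """
    name: str
    mechanisms: frozenset
    duration: timedelta = timedelta(minutes=30)


@dataclass(frozen=True)
class LoginPolicy:
    """The 16.10 login-authentication switches: IWA / certificates can be
    configured to satisfy all MFA mechanisms."""
    iwa_satisfies_all_mfa: bool = False
    certificate_satisfies_all_mfa: bool = False


@dataclass
class Session:
    """A portal session. `satisfied` maps mechanism -> time it was last completed."""
    user: str
    login_method: str          # "password", "iwa" or "certificate"
    login_time: datetime
    satisfied: dict = field(default_factory=dict)

    def __post_init__(self):
        # Modelling assumption: logging in seeds only the password mechanism
        # (the notes say IWA logins satisfy the password mechanism only).
        # MFA completed at portal login is deliberately not recorded, because
        # 16.10 no longer treats it as "highly authenticated" for app access.
        self.satisfied["password"] = self.login_time


def mechanisms_due(session, profile, policy, now):
    """Mechanisms the user must complete right now before the app launches."""
    if session.login_method == "iwa" and policy.iwa_satisfies_all_mfa:
        return set()
    if session.login_method == "certificate" and policy.certificate_satisfies_all_mfa:
        return set()
    due = set()
    for mech in profile.mechanisms:
        last = session.satisfied.get(mech)
        # A factor counts once per `duration`; after that it is asked again.
        if last is None or now - last > profile.duration:
            due.add(mech)
    return due


def record_challenge(session, mechanism, now):
    """The user completed `mechanism`; it stays valid for the profile duration."""
    session.satisfied[mechanism] = now


def can_launch(session, profile, policy, now):
    return not mechanisms_due(session, profile, policy, now)


def demo():
    """Walk through the release-note scenario with constructed data."""
    t0 = datetime(2016, 10, 29, 9, 0)          # constructed login time
    default = LoginPolicy()
    app = AuthProfile("Finance app", frozenset({"password", "sms"}))
    alice = Session("alice", "iwa", t0)
    out = {}
    # IWA user, 5 minutes after login: password is covered, SMS is not.
    out["first_launch"] = mechanisms_due(alice, app, default, t0 + timedelta(minutes=5))
    record_challenge(alice, "sms", t0 + timedelta(minutes=5))
    # Inside the 30-minute window nothing is asked again.
    out["within_window"] = mechanisms_due(alice, app, default, t0 + timedelta(minutes=20))
    # 40 minutes after login both factors have expired and are re-requested.
    out["after_window"] = mechanisms_due(alice, app, default, t0 + timedelta(minutes=40))
    # With "IWA satisfies all MFA mechanisms" the IWA user is never challenged.
    out["iwa_all_mfa"] = mechanisms_due(alice, app, LoginPolicy(iwa_satisfies_all_mfa=True),
                                        t0 + timedelta(minutes=40))
    # The 10-hour duration the note warns about: no re-verification for hours.
    long_app = AuthProfile("Finance app (10h)", frozenset({"password", "sms"}),
                           timedelta(hours=10))
    out["ten_hour_profile"] = mechanisms_due(alice, long_app, default, t0 + timedelta(minutes=40))
    return out


if __name__ == "__main__":
    for name, due in demo().items():
        print(f"{name}: {sorted(due) or 'no challenge'}")
```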

 

For security advisories and known issues, please see attached file.

 

For 16.10 Hot Fix 1 security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.9 this weekend (Saturday, September 24th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:

 

Administrative Tutorials

In order to improve the on-boarding experience and shorten the learning curve for Administrators, we have added step-by-step tutorials in the admin portal.  When using the admin portal from a new browser (no cookie), the admin will see pop-up dialogs when they first navigate to each tab (i.e. Dashboards, Users, etc.).  Now that we have these tutorials built into the product, we have removed the "Getting Started" dashboard (the Quick Start Wizard can now be started as an option in the drop-down menu under your user name).  The tutorials also appear on the app configuration pages, providing a list of steps needed to deploy the application.

 

Admin Tutorial.png

 

Please note, if you don't want to show the tutorials in your tenant, they can be turned off by going to the Account Customization page under Settings.

 

Applying Policies to "Sets" of Devices

I am very excited to announce that this release marks our introduction of "Sets".  In the past, our platform could be used to apply policies to "All Users and Devices" or to "Roles".  With 16.9, we are introducing a concept that we refer to as Sets, which are groups of things that policies can be applied to.  We intend to use sets more extensively in future releases, but for now, we are introducing sets for devices.  This allows the administrator to apply device policies to groups of devices.  Specifically, device sets enable separate policies by OS, or by corporate vs personally owned devices! 

 

Device Policy Set.png

 

Corporate owned devices are automatically identified as such through bulk enrollment (through Apple DEP, Android for Work, etc.).  In addition, if you've already deployed your mobile devices, you can retroactively identify devices as corporate owned by importing a list of those devices by going to Settings > General >  Corporate-owned Devices.   We've even added new policies to enable admins to track the location of devices (this works great in conjunction with the Sets feature so that admins can now track the location of their corporate-owned devices without tracking personal ones). 

 

Form-Filling (Beta)

As you probably know, Centrify Identity Service supports SSO through SAML and also enables SSO for username / password applications.  For username / password applications that were brought in using the Centrify Browser Extension (including all apps added by an admin using Infinite Apps) we now support a land-and-fill capability.  More specifically, this enables users to go directly to a username / password application (instead of the user portal) to get signed in automatically to the application.  With the form-filling beta, users will see a Centrify logo in a username field; clicking that icon will log them into the application!

 

Form-Fill.png

 

This feature is currently available for beta testing for the Firefox browser only.  Private message me, if you are interested in testing this capability.

 

We hope you enjoy these new features and look forward to hearing your feedback!

 

Centrify Cloud 16.9 Release Notes

By Community Manager, 09-16-2016 04:39 PM

New Features - Centrify Identity Service

 

Administrative Tutorials ("Walk Me Through" Quick Start Wizard)

 

Interactive tutorials have been added to Cloud Manager.

  • Pop-up help appears the first time a user visits each tab
    WalkMe1.png

  • Instructions for adding users
    WalkMe2.png

  • Steps to configure Apps
    WalkMe3.jpg

  • Administrative Tutorials enabled as a service 
    • Only in Centrify brand (cloud tenants)
    • “Getting Started” Dashboard has been deprecated
    • “Quick Start Wizard” is now a menu option
      WalkMe4.jpg

    • Wizard can be disabled at the tenant-level
      WalkMe5.jpg

User Security Question Report

 

New report gives administrators visibility to their users' security question state.

  • Reports > Builtin Reports > Security > User security question state for last 30 days

User Security Question Report.jpg

     

 

New Adaptive Authentication Conditions

 

Adaptive authentication has been expanded to include the following conditions:

  • Device OS
  • Browser
  • Country

 

 

 

Centrify Browser Extension (CBE) Private Preview

 

Private beta of form-filling:

  • Enables “Land and Fill”
  • Users can now go directly to username / password app to sign-in without having to go to User Portal
  • Available in Firefox only (additional browser support coming soon)

 

Centrify Browser Extension Private Preview.png

 

Preview: Derived Credentials Support for SCEP CAs

 

  • Admins can now deploy Derived Credentials from either MSFT or SCEP

Derived Credentials Support for SCEP CAs.png

 

Device Location Reporting Option for Admins

 

device location.png

  • Admins now have policy for viewing device location
    device location 1.png
  • Default - (no) Admin does not see device location
  • Opt-in – Admin can see device location after approval by user
    device location 3.png

      device location 2.png

  • Force – Admin will see device location (corp / fleet type devices)

 

New Centrify for Mac Agent – macOS Sierra & HSPD-12

 

Day Zero Support for macOS Sierra Release

HSPD-12 Support - Beyond PIV / CAC Login

  • Multi-user PIV support
  • Keychain protection via smart card
  • Remote access (SSH & VNC) via smart card leveraging Kerberos / GSSAPI
  • Sudo via Smart Card.

 

The following apps have been updated:

  • PagerDuty (SAML)
  • ShiftPlanning (SAML)
  • Stripe (user-password)
  • Orbitz (user-password)
  • Zoom (user-password)
  • Box (user-password)

 

The following apps have been removed from the app catalog:

  • Unison (SAML)
  • PunchTab
  • Symform
  • Export Trader
  • Lore
  • Concept Feedback
  • EmailBrain
  • hotelguide.com
  • OLX
  • itDuzzit
  • ClickBank
  • Kenmore
  • Moodstocks
  • Gumtree

 

New Features - Centrify Privilege Service

 

Computer and Service Account Discovery

 

Computers and service accounts can be automatically discovered by Privilege Service and added to the vault. 

 

In this release, CPS discovers computers in Active Directory – both Windows and domain-joined *nix computers. 

 

Domain accounts used to launch Windows services and scheduled tasks on servers and workstations are also discovered, and associated with the computers on which they’re found.

 

Computer and account discovery based on network segments (for example, a range of IP addresses) will be added in a future release.

 

CPS - Computer and Service Account Discovery.png

 

Windows Service Account Password Management

 

Privilege Service can now manage passwords for domain accounts used to launch Windows services and scheduled tasks.

 

These passwords can be automatically and periodically rotated on a user-defined schedule.  This enables customers to meet industry standards and regulatory requirements around password aging, even for a domain account that is referenced on multiple computers; such accounts are typically difficult to catalog and manage through manual processes.

 

A new multiplex account enables CPS to safely and securely rotate passwords for these accounts without risk of service or task failure because of ‘server off-line’ or other synchronization issues.

 

CPS - Windows service account password management.png

 

Re-enable Domain Account Management

 

Earlier this year, Microsoft removed part of their .NET API within a recommended security update for Windows.  Microsoft had previously recommended that vendors who needed to manage passwords for Windows local and domain accounts use this API.  CPS vaulting continues to work; however, with the removal of this API, CPS cannot automatically change passwords for Windows accounts.

  • Re-enable password management (e.g. automatic rotation)

The fix in CPS for Microsoft’s API change is in two parts.  In this release, full management of passwords for domain accounts (i.e. Active Directory accounts) is re-enabled.

 

Support for local accounts is targeted for 16.10.

 

CPS - Re-enable domain account management.png

 

Supported Platforms

 

Centrify Privilege Service

The following platforms are supported by the Centrify Privilege Service (CPS) CLI toolkit:

 

     Red Hat   6.8, 7.2

     CentOS    6.7, 7.2

     Oracle    6.8, 7.2

     Fedora    24

     Amazon Linux

     SLES      11 SP4, 12 SP1

     Ubuntu    12.04LTS, 14.04LTS, 16.04LTS

 

Notes:

  1. Unless otherwise stated, always use latest available patch level.
  2. Only 64-bit variants supported.
  3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
  4. Where applicable, desktop/workstation variants are both supported.

 

End of Life Notice

 

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit is deprecated in release 16.8, and will be removed from CPS entirely in release 16.10. Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10.  This functionality includes the application-to-application password management (AAPM) feature set.

 

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2017. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.

 

Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set beginning with CPS version 16.10.

 

Changes to CLI Commands in the Centrify Cloud Agent

A new service account will be used to join a computer to the customer’s Centrify cloud tenant.  The "service account" will be a cloud user account with a name like <hostname>$@<tenant.alias>.

 

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

 

There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.

 

Platform changes

Support for the Fedora platform will be dropped in 16.10.  The matrix below lists the platforms that will be supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer's Centrify cloud tenant.

 

     Platform   AAPM   Login

     RHEL       Y      Y
     CentOS     Y      -
     Oracle     Y      -
     Fedora     -      -
     AMI        Y      Y
     SLES       Y      -
     Ubuntu     Y      -

     (Y = supported, - = not supported)

 

 

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • This is the last release in which HTTP can be used for IWA. In 16.10:
    • The “Use HTTPS for IWA” checkbox will be gone from the UI; all behavior will be as if that box was checked.
    • All IWA from Web browsers, if attempted, will be done using the configured HTTPS port. If it is not configured properly, IWA will fail silently and users will have to log in interactively.
    • IWA will be attempted if there is no IP range configured, or if an IP range is configured and the Web browser is within that range.
    • The cloud connector will continue to listen on the internal network for HTTP traffic, to support older on-prem AAPM clients etc., but this will be removed in 16.11.
  • In cases where an IP proxy is used, some proxies include the private IP address in headers and this can cause IWA to fail. IWA now looks for the first public IP address in the header (CC-40452).
  • Support has been added for WS-Trust 1.3 (CC-40721).
  • In the Citrix ShareFile, Dropbox and NetSuite (provisioning) apps, de-provisioning now disables a user rather than deleting them from the app (CC-39811, CC-39875, CC-39876).
  • A policy has been added to control what happens when an app is unassigned. If the policy is enabled, the app will be removed from the device when it is unassigned from the role (CC-33437).
  • In the DocuSign app, a new user is no longer created if the email address of a synched inactive user is updated (CC-38294).
  • Some group synching with provisioning apps no longer fails with “Object reference not set to an instance of an object” (CC-40494).
  • The description of the Everybody role has been updated to better define which users will be included (CC-40182).
  • The job history no longer shows duplicate job entries for some apps (CC-38158).
  • When an attempt to provision an Active Directory group fails, the rejected group name is now shown in the report instead of UNKNOWN (CC-39444).
  • SalesHood can now be launched with SP-initiated SSO (CC-40517).
  • A link to the release notes is now provided in the Cloud Manager About box (CC-40181).

 

For security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.8 this weekend (Saturday, August 27th).   The complete list of new features is available in the release notes, but as always I will tell you about the most important features here:

 

Enhancements to the Administrative User Interface

When logging into Cloud Manager, you will immediately notice some improvements we've made to the dashboards' user interface.  Specifically, we've made the following improvements:

  • We've done a refresh of the dashboards, using new widgets and colors.  I think they look much cleaner.
  • We now have a toggle option to switch between our standard white background and a dark grey background (this is great if you like to use these dashboards in presentations with a dark background).
  • We've changed the icon for selecting the option to "pin" a dashboard as the default dashboard to show in the Dashboards tab.  The gear icon has been replaced with an ellipsis (...).
  • We've also added a new Security Overview dashboard featuring a great time-based view of successful and failed login attempts.  This dashboard is interactive: it features a slider widget to specify a time range, and clicking on elements within the dashboard will filter the data set.  In the lower left-hand quadrant of the dashboard you will see a detailed list of the active data set.  This entire list can be downloaded easily from the dashboard, or clicking on an individual user will bring up a new "User Inspector" dialog showing details about that specific user and his/her recent activity.

New Dashboard.png

 

In addition to the enhancements to the Dashboards, we've also made the following UI changes:

  1. The "About" menu now shows which Pod a tenant is on.  This is helpful information when looking at Centrify's Trust page so you can see if there are any issues affecting your pod.
  2. We've also improved the interface for Infinite Apps (our tool for adding username and password apps to the service).
  3. Finally, we've cleaned up the design for the Cloud Connectors page (in Settings > Network > Cloud Connectors).  With the new design, we've replaced the individual columns for the services running on each Cloud Connector (e.g. AD Proxy, App Gateway, RADIUS, etc.) with a single column listing all of the "Enabled Services" running on each Connector.

Expanded MFA Support

Continuing on our MFA Everywhere initiative, we have added 2 big features to further expand our support for Multi-factor authentication:

  1. For customers who use Smart Cards instead of usernames and passwords, we've added Smart Card support for Office 365 thick clients!
  2. We've extended our RADIUS support to allow both client and server connections!

Let me dive into RADIUS a little further to provide better context here.  In 16.2, we added support for RADIUS where the Cloud Connector would serve as a RADIUS server, allowing us to extend our MFA to RADIUS clients (enabling us to add MFA to VPNs, etc.).  At that time, we also added support to integrate 3rd party MFA solutions that use OATH (e.g. Google Authenticator).  Since that time, we've had a number of customers ask us to support MFA responses from other 3rd party solutions through RADIUS (e.g. RSA SecurID).  With 16.8, our Cloud Connector can now serve as a RADIUS client, a RADIUS server, or both.  To enable 3rd party MFA through RADIUS, you will need to do the following:

  1. Go to Settings > Authentication > RADIUS Connections and add a RADIUS Server
  2. Go to Settings > Authentication > Authentication Profiles and add (or update) a profile to accept "3rd Party RADIUS Authentication"
  3. Go to Settings > Network > Cloud Connectors and enable a Connector as a RADIUS Client
  4. Go to Policies > User Security Policies > RADIUS and enable "Allow 3rd Party RADIUS Authentication"
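Those four steps make the Cloud Connector a RADIUS client of the third-party server, so it is worth seeing what actually crosses the wire and what the shared secret you enter in step 1 protects. The Python below is an added example (not Centrify's or RSA's code) of an RFC 2865 PAP Access-Request and its reply: the User-Password attribute is hidden with an MD5 keystream keyed by the shared secret and the 16-byte Request Authenticator, and the client must verify the Response Authenticator on every reply, because without that check anyone who can send UDP to the connector can hand it a forged Access-Accept. The secret, user name, NAS-Identifier and passcodes are constructed sample values, and the "server" is an in-process stand-in for the RSA Authentication Manager.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the server side); strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], (data[i + 1] if i + 1 < len(data) else 0)  # 0 = truncated header
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt: bytes):
    """Returns (code, identifier, authenticator, attrs); rejects bad lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def build_access_request(username, password, secret, ident, nas_id, request_auth=None, state=b""):
    """Client side. Returns (packet, request_auth); keep request_auth to check the reply.
    State is echoed when answering an Access-Challenge, which is how a SecurID next-tokencode prompt arrives."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable: it seeds the password keystream
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IDENTIFIER, nas_id)]
    if state:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def build_response(code, ident, request_auth, secret, attrs) -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes, expected_ident: int) -> bool:
    """Client side. A reply that fails this check MUST be dropped (RFC 2865 section 3)."""
    try:
        _, ident, resp_auth, _ = parse_packet(response)
    except ValueError:
        return False
    if ident != expected_ident:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def exchange(username, password, server_expects, secret, ident, nas_id, request_auth=None):
    """Full round trip against a constructed in-process server; returns what it decrypted and how the client judged the reply."""
    req, ra = build_access_request(username, password, secret, ident, nas_id, request_auth)
    _, rid, auth, attrs = parse_packet(req)                          # server receives the request
    seen = reveal_password(dict(attrs)[USER_PASSWORD], secret, auth)  # server unhides the passcode
    ok = hmac.compare_digest(seen, server_expects)
    resp = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, rid, auth, secret,
                          [(REPLY_MESSAGE, b"OK" if ok else b"Bad passcode")])
    return {"response": resp, "server_saw": seen, "response_code": parse_packet(resp)[0],
            "verified": verify_response(resp, ra, secret, ident)}
```

Two practical notes follow from the code. The password hiding is an MD5 XOR stream, not modern encryption: it is only as strong as the shared secret and the randomness of the Request Authenticator, so keep the connector-to-server path on a trusted segment (or inside IPsec/RadSec) and use a long random secret rather than a word. And a SecurID server that wants a second tokencode answers with Access-Challenge (code 11) plus a State attribute; the client has to send a fresh Access-Request with the new code and the State copied back, which is why the STATE parameter exists above.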

RSA SecurID Auth.png

 

We hope you enjoy these new features and look forward to hearing your feedback!

Centrify Cloud 16.8 Release Notes

By Community Manager Community Manager ‎08-19-2016 09:29 AM

New Features - Centrify Identity Service

 

3rd Party RADIUS (e.g., RSA SecurID) Support

 

Accept MFA responses from 3rd party solutions through RADIUS.

 

Settings > Authentication > RADIUS Connections > Servers

 

Settings > Authentication > Authentication Profiles

 

Settings > Network > Cloud Connector > Enable RADIUS Client

 

 Policies > User Security Policies > RADIUS

 

Dashboard Updates

 

Dashboard UI has been refreshed with the following enhancements:

  • New Black / White Options
  • Click on the ellipsis icon (…) for menu to set a dashboard as the default
  • New Dashboard:
    • Security Overview

 

 

Dashboard-black-white.gif

Black / White Options

 

 Click on the ellipsis icon (…) for menu to set a dashboard as the default

 

 

2Picture2.jpg

New Dashboards: Security Overview

 

 

UI Enhancements

 

Additional UI Enhancements include:

  • Pod information is now displayed in the "About" menu
  • Infinite Apps Refresh
  • New design for the Cloud Connector Page

 

UI-Pod.gif

About Menu > Pod Information

 

3Picture3.png

Infinite Apps Refresh

 

3Picture1.png

Cloud Connector Page Design Refresh

 

 

Smart Card Support for Office 365 Thick Clients

 

Smart Card authentication is now extended to thick clients for Office 365!

  • Note: Derived Credentials (for mobile) is not currently available

 

o365.png

 

Derived Credentials UI Improvements

 

  • CA and Templates from MS-CA automatically populate
  • Admins can choose pre-configured templates (instead of keying in information manually)

5Picture1.png

Gmail is now the default email app in Android for Work

 

  • The latest version of the Gmail app has EAS v16 support
  • Email, Calendar, Contacts are all synced

 

App documentation has been added for the following SAML apps:

  • PleaseReview
  • IBM Connections Cloud
  • Influitive

 

The following apps have been updated:

  • Apple App Store
  • Hiveage (renamed from CurdBee)

In addition, the following apps have been removed from the app catalog: Veer, Unison

 

New Features - Centrify Privilege Service

 

On-site Deployment Option

 

CPS now has two deployment options:

  • Cloud service: Customers can choose to deploy and use CPS as a cloud service.  Centrify will manage the CPS application for the customer.
  • On-site installation: Customers can choose to install CPS locally on their own Windows Server 2012 R2 instance.  The customer will manage the CPS application.

cps1Picture1.png

 

 

Deprecating the Centrify CLI Toolkit

 

The CLI Toolkit will be removed from CPS entirely in release 16.10.  Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10. Centrify will end support for the CLI Toolkit in CPS release 16.12.

 

Changes to CLI commands in the Centrify Cloud Agent:

  • A new service account will be used to join a computer to the customer’s Centrify cloud tenant. The "service account" will be a cloud user account with a name such as <hostname>$@<tenant.alias>
  • The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped
  • There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent

cps2Picture1.png

 

Supported Platforms

 

Centrify Privilege Service

The following platforms are supported by the Centrify Privilege Service (CPS) CLI toolkit:

 

     Red Hat   6.7, 7.1, 7.2

     CentOS    6.7, 7.2

     Oracle    6.7, 7.2

     Fedora    24

     SLES      11 SP3, 12

     Ubuntu    12.04LTS, 14.04LTS, 16.04LTS

 

Notes:

  1. Unless otherwise stated, always use latest available patch level.
  2. Only 64-bit variants supported.
  3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
  4. Where applicable, desktop/workstation variants are both supported.

 

End of Life Notice

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit is deprecated in release 16.8, and will be removed from CPS entirely in release 16.10. Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10.  This functionality includes the application-to-application password management (AAPM) feature set.

 

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2017. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.

 

Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set beginning with CPS version 16.10.

 

Changes to CLI Commands in the Centrify Cloud Agent

A new service account will be used to join a computer to the customer’s Centrify cloud tenant.  The "service account" will be a cloud user account with a name like <hostname>$@<tenant.alias>.

 

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

 

There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.

 

Platform changes

Support for the Fedora platform will be dropped in 16.10.  The matrix below lists the platforms that will be supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer's Centrify cloud tenant.

 

     Platform   AAPM   Login

     RHEL       Y      Y
     CentOS     Y      -
     Oracle     Y      -
     Fedora     -      -
     AMI        Y      Y
     SLES       Y      -
     Ubuntu     Y      -

     (Y = supported, - = not supported)

 

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • Role memberships can no longer be defined by Active Directory Distribution Groups or Domain Local groups. Please use security groups to define role memberships. See https://centrify.force.com/support/Article/KB-6906-How-to-convert-a-distribution-group-to-a-security... for help converting a distribution group to a security group.
  • In “Policies > User Security Policies > RADIUS > Allow RADIUS client connections” the default behavior (i.e. when the policy setting shows unset (‘--')) is now NOT to allow RADIUS connections. Previously the default was to allow connections (CC-40074).
  • For Mac devices, the device settings page will now show the amount of RAM installed on the machine as long as the user has enrolled using the Mac cloud agent (CC-37021).
  • No Android for Work exchange client is installed on a device as part of enrollment unless the Centrify app is release 16.8 or later. In previous releases the Divide Productivity client was installed, in 16.8 and later it is the Gmail client that is now installed (CC-40207, CC-39002).
  • The status of installed Android in-house apps is no longer displayed while in kiosk mode as the user is unable to add or remove apps in this mode (CC-39405).
  • When the SyncGroups domains are changed in Google Apps, synched Active Directory groups are now removed where needed (CC-39106).
  • Cloud connector status now shows the RADIUS server status if it is enabled (CC-39879).
  • Filtering has been added back when in group view on a mobile device (CC-39848, CC-39851).
  • The sign-in page now displays correctly on Windows Phone (CC-38137).
  • Cloud Service-generated certificates now use SHA-256 as the signing algorithm instead of SHA-1 (CC-39978).
  • The login session no longer hangs when accessing the Zendesk iOS native app (CC-40387).

 

For security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.7 this weekend (Saturday, July 30th).   The complete list of new features is available in the release notes, but as always I will tell you about the most important features here:

 

Additional Attributes for MFA

As you know, Centrify has always focused on security and has been a big proponent of the use of Multi-Factor Authentication throughout the enterprise.  We are very proud of the work that we've done to make the use of MFA more accessible to our customers.  MFA is not a new solution, but it is more viable today as it has become simpler to deploy. In the past, MFA solutions required rolling out infrastructure and providing users with yet another thing to carry (e.g. hard tokens).  These things often led to failed MFA deployments as the costs outweighed the benefits and user adoption was slow to pick up.  With the Centrify Identity Platform, MFA is much simpler as the "what you have" component can be fulfilled from several different response mechanisms, including responding to emails, phone calls or text messages.  When using these factors for MFA, the email address / phone number must be on record in the directory that you are authenticating against (AD, LDAP or our cloud directory).  With this release, we are now enabling the administrator to define other attributes from your local directory source for email and phone.

MFA Attributes.png

 This feature has two primary benefits:

  1. It allows the organization to provide users with more options for how they authenticate.
  2. It enables users to authenticate with personal phone numbers and email addresses that can be stored in Active Directory, but are not populated in the GAL (Global Address List).

 

Mobile Notifications on Multiple Devices

We've also improved upon our mobile authenticator (mobile app for approving / denying MFA requests) to better serve users with multiple devices.  For security reasons, we limit mobile notifications (MFA requests) to a single, primary device only.  While this is a great feature from a security perspective, customers have asked for the ability to send those notifications to all of a user's enrolled devices.  With the new release, we've added a new mobile policy to allow notifications on multiple devices (you will find the policy under Policies > Mobile Device Policies > Common Mobile Settings > Common).  When this policy is enabled, the user will be able to determine which mobile devices should receive notifications.

Mobile Notifications.png

 

In addition to the features above, I wanted to point out a change we are making to how we support IWA (Integrated Windows Authentication) for improved security.  The summary version of the change is as follows:

  1. If you have IWA enabled but have not set a Corporate IP Range we will not attempt to log your users in via IWA; and
  2. Going forward, the default setting for IWA will be to use HTTPS.  (Please note: we plan to deprecate support for IWA over HTTP in version 16.9.)

For more details, please see the KB article.

 

We hope you enjoy these new features and look forward to hearing your feedback!

Centrify Cloud 16.7 Release Notes

By Community Manager Community Manager ‎07-08-2016 05:16 PM

New Features - Centrify Identity Service

 

Improved Settings Pages

 

Settings pages have been updated to include a text description of what can be done on each page.

 

1 Improved Settings Page.png

 

Additional Attributes for MFA

 

Administrators can now setup their tenants to support the use of additional attributes for MFA challenges.

  • Settings > Authentication > Security Settings
  • Select attribute and define the type
    • Choose from commonly used attributes, or
    • Specify custom attributes

 

 

Google Apps Support for Multiple Domains

 

Identity Service now supports provisioning of Google Apps for customers with multiple domains.

  • Roles can be mapped to destination domains

 

 

Changes to IWA

 

Changes to protect against a MitM vulnerability:

 4 iwa.png

 

 

Mobile Notifications on Multiple Devices

 

  • Users can now specify what device(s) get notifications from Centrify
  • Admin can disable this by policy

5 mobile notification.png

 

App documentation has been added for the following SAML apps:

  • Image Relay
  • Veracode
  • Aha!

 

The following apps have been updated:

  • OfficeSpace Software
  • Lyndacom
  • MediaWiki
  • SkyDrive
  • DocuSign
  • Spotify
  • Microsoft Premier Online
  • Microsoft Developer Network
  • Microsoft Volume Licensing
  • ADP Workforce Now
  • ProfilePond has been renamed to Cranberry

 

In addition, the following apps have been removed from the app catalog: BusinessITOnline, Dropcam.

 

New Features - Centrify Privilege Service

 

Rotate Password Now

 

Admin option to rotate a managed password immediately:

  • New “Rotate Password” action for managed accounts
  • Requires user permission for “Rotate”
    • Under Settings > Account Permissions

cps 1.png

 

 

Improved Cloud Connector Selection for Databases

 

Cloud Connector selection for databases now shows unavailable Cloud Connectors with status indicator.

  • Using CPS for a Database requires a Cloud Connector plugin
  • Admin can now see unavailable Cloud Connectors, along with the reasons why they are unavailable

cps 2.png

 

Supported Platforms

 

Centrify Privilege Service

The following platforms are supported by the Centrify Privilege Service CLI toolkit:

 

     Red Hat   6.7, 7.1, 7.2

     CentOS    6.7, 7.2

     Oracle    6.7, 7.2

     Fedora    24

     SLES      11 SP3, 12

     Ubuntu    12.04LTS, 14.04LTS, 16.04LTS

 

Notes:

  1. Unless otherwise stated, always use latest available patch level.
  2. Only 64-bit variants supported.
  3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
  4. Where applicable, desktop/workstation variants are both supported.

 

Resolved Issues and Behavior Changes

The following list records issues resolved in this release and behavior changes.

 

  • Role memberships can no longer be defined by Active Directory Distribution Groups or Domain Local groups. Please use security groups to define role memberships. See KB-6906 on how to convert a distribution group to a security group. Existing role definitions using Distribution or Domain Local groups will continue to work in 16.7 but will cease to function in 16.9.
  • In the Box provisioning app, skipped users are now merged when the overwrite option is chosen (CC-37130).
  • In the Box provisioning app, the role-based access level now displays correctly when syncing users with the union scheme (CC-38834).
  • The Google provisioning app now supports multiple domains (CC-36879 / CISSUP-1910).
  • The Cloud Connector / Manage setting “Use HTTPS Port for IWA Negotiations” is now defaulted to on. New connector registrations and re-registrations of a connector will use this setting, any existing connectors will be unaffected. Note that IWA will not function unless a Corporate IP range has been set and the IWA user is within that range (CC-39303).
  • Changing IWA from https to http now shows a warning / confirmation dialog as this potentially makes IWA vulnerable to man in the middle attacks (CC-39299).
  • IWA is now only attempted if a corporate IP range is configured, scoping the possibility of a man in the middle attack at IWA to on-premise DNS (CC-39302).
  • The deprecated CDirectoryService/DeleteUser API now cleans up the user table after deleting a cloud user (CC-39197).
  • Multiple domain support has been added for Google apps and this requires a higher permission level for the admin. As a result, it will require re-authentication for the admin (CC-39169).
  • The user name can now be pasted into the login dialog (CC-37723).
  • The Slack SAML app now has a Role Mappings section to map user accounts to Slack based on group membership (CC-37707).
  • Fixed an issue where an app that required a browser extension would launch to a blank page if no browser extension was installed (CC-39325).
  • The “Retain user account in target application if role membership changes” option for provisioning-capable apps now functions correctly (CC-38971).
  • Detailed information is now logged when a user denies an MFA request (CC-634).
  • Group View is now supported in MyWebApps on an Android device and for Mobile Web Apps on an iOS or Android device (CC-38991, CC-36702, CC-36543).
  • An option has been added to SAML apps’ enhanced scripts to use a custom Relay State (CC-28025).
  • Android devices can now still be managed even if firewall deny rules are set to block everything (CC-39183 / CISSUP-2215)
  • In the Webex provisioning app, setting the meetingtypes parameter to an array of one element no longer causes sync jobs to fail (CC-38724).
  • Search is now supported on the My Authenticator page on iOS devices (CC-36263).
  • In the Dropbox provisioning app, synched users now show in the correct (new) group after the destination group is updated in role mappings (CC-38927).
  • The login authentication profile is now shown in the policy summary on the users’ details page (CC-38036).
  • In the Salesforce provisioning app,
  • The amount of installed memory is now reported for enrolled Mac computers (CC-37021).
  • On a Mac, true SSO (zero sign-on) is now attempted before IWA as it should always work for Macs (CC-39485).
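The IWA hardening described in the 16.9 notes further up the page (HTTPS-only IWA, the corporate IP range check, and taking the first public address from a proxy's forwarded-for header, CC-40452) and in this list (CC-39299, CC-39302, CC-39303) comes down to one decision the connector has to make per request: given the TCP peer, any proxy headers and the configured ranges, should it attempt IWA at all? The Python below is an added illustration of that decision, not Centrify's code; the header name X-Forwarded-For, the trusted-proxy list and the sample addresses are assumptions. The one thing it adds beyond the release notes is the check a practitioner should insist on: the forwarded header is honoured only when the TCP peer is one of your own proxies, because from any other peer the header is attacker-supplied and would let an external browser claim a corporate address.

```python
import ipaddress


def first_public_ip(forwarded_for: str):
    """Return the first globally routable address in a comma-separated
    X-Forwarded-For value, or None. Private, loopback and link-local entries
    that corporate proxies prepend (the CC-40452 failure mode) are skipped, as
    is any token that does not parse as an IP address."""
    for token in forwarded_for.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if addr.is_global:
            return addr
    return None


def effective_client_ip(peer_ip: str, headers: dict, trusted_proxies):
    """Pick the address that represents the browser. The forwarded header is
    honoured only when the TCP peer is one of our own proxies; from any other
    peer it is attacker-controlled and must be ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in trusted_proxies):
        public = first_public_ip(headers.get("X-Forwarded-For", ""))
        if public is not None:
            return public
    return peer


def should_attempt_iwa(scheme: str, client_ip, corporate_ranges, require_range: bool = True) -> bool:
    """The IWA gate:
    - HTTPS only (the 16.7 default, mandatory from 16.10): over plain HTTP the
      Negotiate exchange can be intercepted by a man in the middle (CC-39299).
    - No corporate IP range configured means no IWA (CC-39302). Pass
      require_range=False for the 16.9 wording, which attempts IWA when no
      range is configured at all.
    - Otherwise IWA is attempted only when the client is inside a configured range."""
    if scheme.lower() != "https":
        return False
    if not corporate_ranges:
        return not require_range
    return any(client_ip in net for net in corporate_ranges)


def iwa_decision(scheme, peer_ip, headers, trusted_proxies, corporate_ranges, require_range=True):
    """String-friendly wrapper: networks are given as CIDR strings.
    Returns (client_ip_used, attempt_iwa)."""
    proxies = [ipaddress.ip_network(n) for n in trusted_proxies]
    ranges = [ipaddress.ip_network(n) for n in corporate_ranges]
    client = effective_client_ip(peer_ip, headers, proxies)
    return str(client), should_attempt_iwa(scheme, client, ranges, require_range)


if __name__ == "__main__":
    # Constructed sample configuration; none of these are real tenant addresses.
    corporate = ["93.184.216.0/24"]   # assumed corporate egress range
    proxies = ["10.0.0.0/8"]          # assumed addresses of our own reverse proxies
    hdr = {"X-Forwarded-For": "192.168.5.20, 93.184.216.34"}
    print(iwa_decision("https", "10.0.0.5", hdr, proxies, corporate))      # ('93.184.216.34', True)
    print(iwa_decision("https", "198.51.100.7", hdr, proxies, corporate))  # header ignored: False
    print(iwa_decision("http", "10.0.0.5", hdr, proxies, corporate))       # plain HTTP: False
```

Note that "first public address" is a heuristic for NATed corporate clients, not a security boundary: the corporate range check is what limits the exposure of the Negotiate exchange to machines already on the corporate network, and HTTPS is what stops a man in the middle on that network from replaying it, which is why both gates come before any header parsing.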

 

For security advisories and known issues, please see attached file.

In our 16.6 Centrify Identity Service release we are introducing a new Centrify Agent for Macs specifically geared to enhancing management for Macs enrolled in the Centrify Identity Service in the cloud. This new agent will serve as a foundational component for Centrify to deliver additional Mac management capabilities beyond what we can currently accomplish without an agent. This first release of the new Centrify Agent for Mac will deliver the following features and improvements

 

  • Simplified Mac cloud enrollment
    • The new agent delivers a cleaner user experience for enrolling a Mac for management with Centrify.
  • Location tracking for Macs
    • Users will now see the location of their Macs in the Centrify User Portal in the same way they can currently see the location of their enrolled mobile devices. As in the case of location for mobile devices, this location is currently only available for end users to view. Location is important not only for when you have misplaced your Mac, but will also be used to help determine where an application or resource is being accessed from.
  • True Single Sign-On for Macs
    • As a part of the installation of the new Mac agent, we are deploying a user specific certificate that will allow for a true single sign-on experience when users are accessing the Centrify User Portal or any resource or application that has federated authentication to Centrify.
    • This means you don’t have to go through the Centrify User Portal to experience seamless authentication, you can open your favorite browser and just type the URL of the service, or click a link in a document or email. Once that service has identified your service domain or user, it will forward to its configured Identity Provider authentication page where we will discover the configured certificate which tells us that the device is managed and secured by Centrify and allow the user to go straight through to the desired resource.

Enabling Mac Enrollment and the new Mac Agent

 

The new Centrify Mac agent replaces our existing web enrollment for Macs. This feature is optional and can be enabled in our cloud policy by enabling Mac enrollment. Users can be prompted to enroll their Macs whenever they visit the user portal from a Mac that is not currently enrolled.

 

Mac Agent 1.png

 

An Important Note for Already Enrolled Users

 

If you have a Mac that was previously enrolled for management with the Centrify Identity Service without the new Centrify Mac Agent, running the new agent will show a message that says you are already enrolled. The user will need to unenroll first before proceeding with the new agent enrollment. Unenrolling can be initiated by the end user from the new agent, or via the User Portal or Admin Portal as a device action. See the screenshot below for what the user will see when the agent is run.

 

Mac Agent 2.png

 

Centrify Mac Agent End User Experience

 

(Note: You can see a video capture of the end user experience of the enrollment process here: https://www.youtube.com/watch?v=W4UJ3tumBQA)

 

If you have enabled the policy to prompt users to enroll their device, the next time they visit the Centrify User Portal from a Mac they will see the following:

 

Mac Agent 3.png

 

If the user chooses to proceed with enrollment, they will be reminded that this is intended for personal systems only and not intended for shared systems.

 

Mac Agent 4.png

 

Upon continuing with the enrollment process, the new Centrify Mac Agent will be downloaded to the user’s system in the form of a .dmg file.

 

Mac Agent 5.png


 

Once they have completed the download and run it, they will begin the new enrollment process. The user will be asked to enter their username and password, plus any additional authentication factors required. This follows the same rules that apply when the user accesses the Centrify User Portal.

 

Mac Agent 7.png

 

Mac Agent 8.png

 

Mac Agent 9.png

 

Upon successful authentication, the user will be asked to accept the EULA and confirm that they would like to proceed with enrollment. The user will then be prompted to enter credentials for an administrative account in order to complete the enrollment.

 

Mac Agent 10.png

 

Mac Agent 11.png

 

Mac Agent 12.png

 

Once enrollment has completed, there is just one more step required to configure Safari appropriately to leverage the newly provisioned ZSO (Zero Sign-On) certificates.

 

Mac Agent 13.png

 

Once enrollment has completed the user will notice the management profiles and certificates under the “Profiles” section of System Preferences.

 

Mac Agent 14.png 

 

Once complete, the user will have two new applications installed: a shortcut to the Centrify User Portal and one for Centrify Apps (enterprise apps). Following these shortcuts, or accessing any other application that federates authentication to the Centrify Identity Service, should result in access without the need for additional authentication, unless the application or portal has been specifically configured to require MFA. This holds for the Safari, Chrome and Firefox browsers.

16.6 Highlights: Improved RADIUS Support, Derived Credentials and the New Mac Agent

By Centrify Advisor III on 06-17-2016 04:06 PM - last edited 06-21-2016 03:55 PM

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.6 this weekend (Saturday, June 18th).   This release focuses primarily on performance improvements, but we've also added some great new capabilities.  The complete list of new features is available in the release notes, but as always I will tell you about the most important features here:

 

Improved RADIUS Support

As you probably know, our platform allows you to extend our MFA solution to any RADIUS client.  When we first released this capability (in the 16.2 release), the Admin would need to specify which authentication mechanism would need to be used for all of the users.  With 16.6, we have augmented this feature to leverage our authentication profiles (allowing the user to choose from a list of supported authentication mechanisms).

 

RADIUS Auth Profile.png

NOTE: When using this feature, Centrify will contact the user to authenticate, but the user must manually type in the code that is sent in order to respond.

 

Smart Card and Derived Credentials Support

You may have heard us talk about Smart Card support and Derived Credentials in the past.  Smart Card support allows users to login to the service with a Smart Card and a PIN in lieu of a username and password.  Derived Credentials allows a user to access Smart Card enabled services through a mobile device without physically attaching the Smart Card.  We do this by issuing a certificate to the device that is derived from the physical card (user must request the certificate through the User Portal while logged in with their Smart Card).

 

These features have been in popular demand from our government and other high-security-minded customers for some time. In the past, if a customer wanted to be able to log in to our service and their apps using Smart Cards, our Ops team would need to manually enable the feature for the customer.  With this release, Smart Cards and Derived Credentials can now be self-configured by our end customers.  Please note that these are premium features and are only available to customers who have purchased Centrify Identity Service App+ Edition or Centrify Privilege Service.   If you have a version of the product that does not have these features but you want to test out these new capabilities, please contact your Account team.

 

Smart Card - Derived Credentials.png

 

New Mac Agent

Last, but certainly not least, with 16.6 we have a new Mac agent for enrolling Macs with the service.  You're probably thinking, big deal, you already had an agent.  This is true...but, this one is much cooler as it offers additional capabilities above and beyond what we could do in the past.  With the new agent, we've added 3 features:

  1. We have a policy that the Admin can set which prompts the user to enroll their Mac when logging into the User Portal (this policy only prompts users logging in on a Mac, and will not prompt the user if he/she has already enrolled, or dismissed the prompt and selected "Do not ask me again").
     Enroll Mac.png
  2. The new agent enables location reporting (so the user can see where the Mac is on a map).
     Mac Location.png
  3. This agent enables our "True SSO" feature (previously only available on mobile devices), which enables SSO (zero sign-on, actually) to the User Portal and to SAML apps without having to log in to the portal first!

We hope you enjoy these new features and look forward to hearing your feedback!

Centrify Cloud 16.6 Release Notes

By Community Manager, 06-07-2016 03:19 PM

New Features - Centrify Identity Service

 

RADIUS Support for Multiple Challenges

 

RADIUS support has been improved to allow for multiple challenges.

  • Admin no longer needs to select one mechanism for all users
  • Admin can now use an existing auth profile, and user will be prompted to pick an auth mechanism

SMTP Server Configuration

 

Admins can now configure the product to use their own SMTP server for outbound mail.

  • Using corporate SMTP server improves message delivery
  • Go to: Settings > Customization > Account > System Configuration

SMTP Server Config.png

 

Cross-Origin Resource Sharing (CORS) Support

 

Admins can now enable API calls from foreign domains by enabling CORS.

  • Go to: Settings > Authentication > Security Settings

CORS.png

UI Changes

 

Minor updates to UI:

  • New image for Quick Start Wizard
  • “Power” button on the upper right hand corner has been replaced with “Sign Out” link

UI for Enabling Smart Card Support

 

Smart Card support is now available via the Cloud Manager UI. Administrators no longer need to contact Centrify Support to configure the back-end.

  • UI is available under Settings > Authentication > Certificate Authorities
  • Available as a premium feature for App+ and Privilege Service

UI SC animated.gif

 

Derived Credentials

 

Smart Card users can now provision a Derived Credential to their enrolled mobile devices.

  • Allows Web-App access to PIV/CAC sites through mobile
  • NOTE: Derived Credentials support is currently limited to Microsoft CA. Support for additional Certificate Authorities is coming soon

Mobile Feature – Device Enrollment Notifications

 

New device enrollments cause a notification to be sent to all other currently enrolled devices:

  • User can force unenroll the new device

device enrollment notifications.png

 

Introducing the new Centrify Identity Service Mac Cloud Agent

 

  • Improved Mac Cloud enrollment
  • Location Reporting and True SSO for Macs

App documentation has been added for the following SAML apps:

 

  • 15Five
  • 8x8
  • CrashPlan PROe
  • com
  • Docurated
  • EZOfficeInventory
  • Facebook at Work
  • Highfive
  • IBM Emptoris
  • Populi
  • ProofHQ
  • SalesHood
  • Teamseer
  • The Network Integrated GRC Suite
  • Vidbeo

 

The following apps have been updated:

 

  • Salesforce
  • Eventbrite
  • JIRA
  • RightScale
  • Kontiki
  • Zendesk
  • Harvest
  • GoToMeeting
  • Citrix ShareFile
  • TalentLMS
  • QMarkets
  • Samanage
  • ServiceNow
  • EchoSign
  • Yammer
  • Twitter
  • EMC
  • Vocality Networks
  • com
  • IBM PartnerWorld
  • Fundraise
  • TripIt
  • JungleDisk
  • com
  • GetYourGuide
  • Publix

 

In addition, the following apps have been removed from the app catalog: Barnes & Noble, iCloud, ThoughtWorks Support, SideTour.

New Features - Centrify Privilege Service

 

Database Application Account Password Management

Centrify Privilege Service can now manage passwords for database accounts held internally by various DBMS applications.  Password checkout is supported, including the option for automatic password rotation after the checkout period expires (or the password is checked in).

 

In this release, the following DBMS applications are supported.

  • Microsoft SQL Server
  • Oracle Database

Additional DBMS applications will be supported in future releases.  Single database instances are supported in this release; support for accounts across database clusters is under development.

 

cps database application account password management.png

 

Security Settings and Account Types

There are three major types of accounts in this update of Centrify Privilege Service.

  • Resource accounts held locally by the host operating system
  • Domain accounts held by Active Directory
  • Database accounts held internally by the DBMS application

Account Security Settings, available as policy, have been rationalized across these account types at the resource, domain, and database levels, as well as globally.  Time periods can be defined where applicable, e.g. maximum number of days before a password must be rotated.

  • Allow multiple password checkouts
  • Enable periodic password history cleanup
  • Enable periodic password rotation
  • Enable periodic health check

 

cps security settings and account types.png

 

Supported Platforms

 

Centrify Privilege Service

 

The following platforms are supported by the Centrify Privilege Service CLI toolkit:

 

     Red Hat   6.7, 7.2
     CentOS    6.7, 7.2
     Oracle    6.7, 7.2
     Fedora    23
     SLES      11 SP3, 12
     Ubuntu    12.04LTS, 14.04LTS, 15.10

 

Notes:

  1. Unless otherwise stated, always use latest available patch level.
  2. Only 64-bit variants supported.
  3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
  4. Where applicable, desktop/workstation variants are both supported.

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • Fixed an issue with the Salesforce provisioning app where an error “Value cannot be null” could be reported (CC-38361).
  • Implemented group membership state tracking for provisioning apps, such as Box, Google and DropBox, to resolve issues with role un-assignment. This does not yet cover AD groups; they will be added in a later release (CC-35742).
  • Updated ServiceNow app help doc to cover the installation and configuration of the Centrify Identity Service app (CC-38427).
  • JIRA JIT provisioning now updates synched users’ email and display names (CC-37948).
  • Read-only administrators can now view the Box provisioning tab (CC-37743).
  • Role mapping or role membership changes now cause Box and Google apps to re-sync affected users (CC-38020).
  • Users with the Application Management right but who are not a system administrator can now start provisioning syncs (CC-37190).
  • The error message shown in the sync report when trying to sync a user with an invalid email address has been improved to make the error more clear (CC-37626).
  • The NetSuite app no longer shows excessive numbers of connection timeout errors in the sync report (CC-37298).
  • Attempts to clone a SAML app no longer fail because of a duplicate Application ID. The Application ID is now set to NULL during the cloning operation (CC-38169).
  • ServiceNow, Samanage, EchoSign, Yammer and Qmarkets provisioning apps have been updated to correctly clear fields in the target app if they are cleared in the source user record (CC-37241).
  • The default region for the Samanage provisioning app is now set to non-European and the drop down has been replaced by two radio buttons (CC-37895).
  • Resolved a race condition with incremental synching that would cause the job to fail as Process Failed (NotFoundCreated) (CC-38470).
  • Resolved issue with synching that caused the job to fail with Failed System.NullReferenceException: Object reference not set to an instance of an object (CC-38385).
  • App gateway URLs can now be entered with a trailing period (“.”) (CC-38206).
  • The width of the About dialog has been increased as user names were frequently being truncated (CC-38460).
  • Service users are now displayed in the users list in the Cloud Manager when the All Users filter is applied. Previously service users were only shown with the All Service Users filter. To show all users except service users, use the new All users except service users filter (CC-38298).
  • Administrators are now prompted to set their password after clicking the one-time link in the account activation email. Previously only non-admin users were prompted to set their password, which could result in administrators being locked out if they did not remember to reset their passwords (CC-38220).
  • The power button on the User Portal and Cloud Manager has been replaced with a more standard “Sign Out” option in the drop down menu under the user’s name (CC-38213).
  • System administrators can now wipe a mobile device from the Cloud Manager even if the policy is set to disable users from wiping their devices (CC-38157).
  • The password complexity shown in the Add Users dialog now matches the effective policy complexity settings, rather than the default complexity settings (CC-38109).
  • The MFA Events – Last 7 days report has been replaced by MFA Events – Last 30 days (CC-38058).
  • The quick start Wizard start screen in the Cloud Manager has been refreshed, the functionality is unchanged (CC-38023).
  • Users can now paste their user name into the login dialog, previously only the keyboard ctrl-v shortcut would successfully paste a user’s name into the dialog (CC-37723).
  • iOS built-in apps (such as Safari and Mail) can now be configured as the kiosk mode app (CC-37635).
  • Administrators can now force a mobile device to update itself to use the latest Centrify mobile app version (CC-37517).
  • Policies are now provided for iOS 9.3 app whitelisting and blacklisting (CC-37434).
  • “Find Now” is now supported for iOS devices (CC-37433).
  • The Accounts tab in the User Portal has been reworked to make the third party One Time Password UI more clear (CC-36114).
  • CPS database account names are now case sensitive; a name conflict warning is shown if an account is already configured with a name that differs only in case if one of the resources is case insensitive (CC-38630).

16.6 Hot Fix 1 - June 28, 2016

  • Added improved support for applications using WS-Trust (CC-38693).
  • Fixed a bug with missing scroll bars in online help when using Firefox browser (CC-39393).
  • Fixed a bug with intermittent ZSO login for Mac computers (CC-39218).
  • Improved logic for the Centrify Cloud Connector during group lookups to prevent return of "null" value (CC-39454).

For security advisories and known issues, please see attached file.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.5 this weekend (Saturday, May 21st).   This release focuses primarily on performance improvements, but we've also added some great new capabilities.  The complete list of new features is available in the release notes, but as always I will tell you about the most important features here:

 

Enhanced Adaptive Authentication

As you probably already know, Centrify has supported adaptive authentication (the ability to approve or deny access, or require different ways to authenticate, based on the context of the access request) in our platform for years.  With this feature, the administrator can choose to deny access, or require different challenges to authenticate (using our authentication profiles), based on pre-defined conditions.  When we first introduced the concept of auth profiles, we supported 2 conditions:

  1. IP address (on or off the corporate network), and
  2. Identity cookie (present or not).

In this release we are adding 4 new conditions:

  1. Day of week
  2. Date
  3. Date range
  4. Time range

Adaptive Auth.png

You will find these new capabilities under "Policies > User Security Policies > Login Authentication".  While these rules are only available for portal login today, we will be adding these same capabilities to our per app policies in the near future (stay tuned)!
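The rule evaluation these conditions imply, as an added example that is not Centrify's code: a small policy engine that combines the two original conditions (IP on or off the corporate network, identity cookie present) with the four new ones (day of week, date, date range, time range), checks rules in order, and returns either a deny or the name of the authentication profile to challenge with. The network ranges, profile names and sample policy are constructed for the example.

```python
"""Added example (not Centrify's code): an evaluator for login-authentication
rules of the kind described in the post.  A rule combines any of the six
conditions (corporate IP, identity cookie, day of week, date, date range,
time range) with an outcome: "deny" or the name of an authentication
profile.  Rules are checked in order and the first full match wins.
Network ranges, profile names and the sample policy are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed "corporate network" ranges (documentation/test prefixes).
CORPORATE_NETWORKS = (ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24"))


@dataclass(frozen=True)
class LoginContext:
    client_ip: str
    has_identity_cookie: bool
    when: datetime


@dataclass(frozen=True)
class Rule:
    outcome: str                                     # "deny" or an auth profile name
    on_corporate_network: Optional[bool] = None      # True = on-network, False = off
    identity_cookie_present: Optional[bool] = None
    days_of_week: Optional[FrozenSet[int]] = None    # 0 = Monday ... 6 = Sunday
    on_date: Optional[date] = None
    date_range: Optional[Tuple[date, date]] = None   # inclusive
    time_range: Optional[Tuple[time, time]] = None   # inclusive; may wrap midnight


def is_corporate_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def time_in_range(t: time, rng: Tuple[time, time]) -> bool:
    start, end = rng
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end        # e.g. 22:00-06:00 wraps midnight


def rule_matches(rule: Rule, ctx: LoginContext) -> bool:
    """A condition left as None is 'don't care'; every set condition must hold."""
    if rule.on_corporate_network is not None \
            and is_corporate_ip(ctx.client_ip) != rule.on_corporate_network:
        return False
    if rule.identity_cookie_present is not None \
            and ctx.has_identity_cookie != rule.identity_cookie_present:
        return False
    if rule.days_of_week is not None and ctx.when.weekday() not in rule.days_of_week:
        return False
    if rule.on_date is not None and ctx.when.date() != rule.on_date:
        return False
    if rule.date_range is not None \
            and not (rule.date_range[0] <= ctx.when.date() <= rule.date_range[1]):
        return False
    if rule.time_range is not None and not time_in_range(ctx.when.time(), rule.time_range):
        return False
    return True


def evaluate(rules, ctx: LoginContext, default_profile: str = "Default Profile") -> str:
    """Return "deny" or the auth profile to challenge the user with."""
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule.outcome
    return default_profile


# Constructed sample policy, most restrictive rule first.
SAMPLE_POLICY = (
    # Weekend logins from outside the corporate network are refused outright.
    Rule("deny", on_corporate_network=False, days_of_week=frozenset({5, 6})),
    # Known device (identity cookie) on the corporate network: password is enough.
    Rule("Password only", on_corporate_network=True, identity_cookie_present=True),
    # Business hours from anywhere else: password plus OTP.
    Rule("Password + OTP", time_range=(time(8, 0), time(18, 0))),
    # Everything else (nights, off-network, no cookie): password plus phone call.
    Rule("Password + Phone call"),
)


def decide(client_ip: str, has_cookie: bool, when_iso: str) -> str:
    """Evaluate the sample policy for one login attempt (time given as ISO 8601)."""
    ctx = LoginContext(client_ip, has_cookie, datetime.fromisoformat(when_iso))
    return evaluate(SAMPLE_POLICY, ctx)


if __name__ == "__main__":
    # 2016-06-18 is the Saturday named in the post.
    print(decide("198.51.100.7", False, "2016-06-18T10:00"))   # deny
    print(decide("10.1.2.3", True, "2016-06-20T10:00"))        # Password only
    print(decide("198.51.100.7", False, "2016-06-20T22:30"))  # Password + Phone call
```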

 

Improved Cloud Connectors

As I'm sure you already know, our Cloud Connectors are simple Windows services that enable secure communication between a customer's network and the Centrify cloud.  Among other things, the Connector serves as a proxy to a customer's AD.  In this release we have done a major overhaul of the Cloud Connector, primarily to improve performance to meet the needs of customers with large / complex AD environments.

 

As we were doing this work to improve Cloud Connector performance, we decided that we also needed to deprecate support for Local Security Groups (LSGs) and Distribution Lists (DLs) in Roles.  Let me point out the following:

  1. Existing Roles will continue to work as is in 16.5
  2. Admins will not be able to add members to Roles using LSGs / DLs in 16.5.
  3. We’ve created a PowerShell script to migrate LSGs / DLs to Security Groups.
  4. Centrify Support will be contacting customers to help migrate LSGs / DLs before 16.7 (when LSGs and DLs will no longer be supported for existing Roles).

If you are using LSGs and DLs for your roles and want to learn how to migrate them to a supported group, please refer to this KB article for more information.

 

We hope you enjoy these new features and look forward to hearing your feedback!

Centrify® Cloud 16.5 Release Notes

By Community Manager, 05-17-2016 04:30 PM

New Features - Centrify Identity Service

 

Additional Controls for Adaptive Authentication

 

Login Authentication policy now supports the following conditions:

  • Day of Week
  • Date
  • Date Range
  • Time Range

16.5 1.png

More Robust Cloud Connector

 

Cloud Connectors have been refactored and optimized for large / complex AD environments (there are no changes to the UI).

 

16.5 2.png

 

Note: we are deprecating support for Local Security Groups (LSGs) and Distribution Lists (DLs) in Roles:

  1. Existing Roles will continue to work as is in 16.5
  2. Admins will not be able to add members to Roles using LSGs / DLs in 16.5
  3. We’ve created a PowerShell script to migrate LSGs / DLs to Security Groups
  4. Support will work with customers to migrate their LSGs / DLs before 16.6 (when LSGs and DLs will no longer be supported for existing Roles)

App documentation has been added for the following SAML apps:

 

  • JitBit
  • LiquidFiles
  • OneDesk
  • PagerDuty
  • ShiftPlanning
  • Streetscape
  • WatchDox
  • xMatters


The following apps have been updated:

 

  • Amazon Web Services Console
  • Appbackr
  • Atlassian Customer Portal
  • Box
  • Concur
  • Dollar Tree
  • Elastica
  • Farm Fresh
  • NetSuite
  • OnStage
  • Pagoda Box
  • Paymo
  • Samanage
  • SharePoint on-prem
  • Vidbeo
  • Webex
  • Windows Live
  • Rally Agile Central renamed to CA Agile Central
  • Invotrak renamed to Due

 

In addition, the Copy, SideTour and LaQuinta apps have been removed from the app catalog.

New Features - Centrify Privilege Service

 

Multi-factor Authentication for Accounts and Resources

Centrify is committed to providing MFA Everywhere – the additional security of multi-factor authentication to protect your critical IT assets, where you need it, when you need it.


In this release, Privilege Service provides new features for MFA when users attempt to access critical accounts and resources. Users can be required to answer an MFA challenge when checking out a password, accessing a remote system, or using a shared account to log into a remote system.

 

16.5 cps 1.png

MFA challenge rule for account password checkout

 

Privilege Service supports the same robust set of MFA options and policies as Centrify Identity Service.

Password History Clean Up 

Privilege Service can now automatically clean up the oldest entries in an account's password history list.  This feature can align the storage of historical account passwords with an organization's data retention policies, and reduce the amount of storage required for the data.

 

16.5 cps 2.png

Password history clean up policy settings for a domain

 

Historical passwords whose dates are older than the maximum period configured in policy will be automatically cleaned up (deleted).  By default, the global setting for the maximum age of all historical passwords in Privilege Service is 365 days. The minimum value for retention of historical passwords is 90 days; this value cannot be overridden.

 

This policy only applies to historical passwords, not the current password for an account.  Policy can be set at the global, domain, and resource levels.
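The retention arithmetic described above, as an added example that is not Centrify's code: it resolves the effective maximum age from the global, domain and resource policy values (most specific level wins, 365-day global default, 90-day floor that no level may undercut) and deletes only historical entries older than that period, never the current password. The account names, dates and vault references are constructed.

```python
"""Added example (not Centrify's code): password-history retention as the
release notes describe it.  The most specific policy level that sets a value
wins (resource over domain over global); the global default is 365 days and
no level may go below the 90-day floor.  Only historical entries older than
the effective period are deleted; the current password is never touched.
Histories, dates and vault references below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GLOBAL_DEFAULT_MAX_AGE_DAYS = 365   # default global setting named in the notes
MIN_RETENTION_DAYS = 90             # floor that policy cannot override


@dataclass(frozen=True)
class PasswordEntry:
    secret_ref: str          # reference to the vaulted secret, not the secret itself
    rotated_at: datetime     # when this password became current
    is_current: bool = False


def effective_max_age(global_days: Optional[int] = None,
                      domain_days: Optional[int] = None,
                      resource_days: Optional[int] = None) -> int:
    """Resolve the retention period for one account from the three policy levels."""
    for value in (resource_days, domain_days, global_days):
        if value is not None:
            # A policy may lengthen retention but never shorten it below the floor.
            return max(value, MIN_RETENTION_DAYS)
    return GLOBAL_DEFAULT_MAX_AGE_DAYS


def clean_password_history(history: List[PasswordEntry], now: datetime,
                           max_age_days: int) -> Tuple[List[PasswordEntry], List[PasswordEntry]]:
    """Split a history into (kept, deleted).  The current password is always kept."""
    cutoff = now - timedelta(days=max_age_days)
    kept: List[PasswordEntry] = []
    deleted: List[PasswordEntry] = []
    for entry in history:
        if entry.is_current or entry.rotated_at >= cutoff:
            kept.append(entry)
        else:
            deleted.append(entry)
    return kept, deleted


# Constructed sample history for one database account, newest first.
SAMPLE_HISTORY = [
    PasswordEntry("vault://db-acct/v4", datetime(2016, 5, 1), is_current=True),
    PasswordEntry("vault://db-acct/v3", datetime(2016, 1, 15)),
    PasswordEntry("vault://db-acct/v2", datetime(2015, 12, 1)),
    PasswordEntry("vault://db-acct/v1", datetime(2014, 1, 1)),
]
# A second constructed history: an account whose current password was never
# rotated and is itself older than any retention period.
STALE_CURRENT_HISTORY = [
    PasswordEntry("vault://legacy-acct/v1", datetime(2013, 1, 1), is_current=True),
]
NOW = datetime(2016, 6, 1)   # constructed "today" for the clean-up run


def history_split(history: List[PasswordEntry], global_days: Optional[int] = None,
                  domain_days: Optional[int] = None,
                  resource_days: Optional[int] = None) -> Tuple[List[str], List[str]]:
    """(kept refs, deleted refs) for a history under the given policy values."""
    period = effective_max_age(global_days, domain_days, resource_days)
    kept, deleted = clean_password_history(history, NOW, period)
    return [e.secret_ref for e in kept], [e.secret_ref for e in deleted]


if __name__ == "__main__":
    print(history_split(SAMPLE_HISTORY))                 # 365-day default: only v1 deleted
    print(history_split(SAMPLE_HISTORY, global_days=30))  # clamped to 90: v3, v2, v1 deleted
    print(history_split(STALE_CURRENT_HISTORY))          # current password is never deleted
```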

 

 

Global Policies and Settings Moved in the User Interface

All global policies and configuration settings for Privilege Service have been moved in this release from the Cloud Manager portal to the Privilege Manager portal in the Privilege Service user interface.  This change places all controls for Privilege Service within the same portal, making the service easier to set up and administer.  The permissions required to edit these policies have not changed.

 

16.5 cps 3.png

Global policy and configuration settings consolidated in the Privilege Service user interface

 

If you are a current Privilege Service customer, you may need to reset one or more of these policy values as the result of this change.  Please contact Centrify Support if you have questions or need help.

Supported Platforms

 

Centrify Privilege Service

 

The following platforms are supported by the Centrify Privilege Service CLI toolkit:

 

     Red Hat   6.7, 7.2
     CentOS    6.7, 7.2
     Oracle    6.7, 7.2
     Fedora    23
     SLES      11 SP3, 12
     Ubuntu    12.04LTS, 14.04LTS, 15.10

 

Notes:

  1. Unless otherwise stated, always use latest available patch level.
  2. Only 64-bit variants supported.
  3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
  4. Where applicable, desktop/workstation variants are both supported.

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • The Box plug-in was updated to use the new URL introduced by Box at the end of March, 2016 – account.box.com (CC-36748).
  • Error messages are no longer shown in the sync report when syncing users with personal home folder options set (CC-37532).
  • The provisioning UI for the Box plug-in has been updated to remove a superfluous prompt when setting role mappings where the user is assigned a single destination group based on the role order (CC-37374). The label for this option has also been updated to better reflect its function (CC-37225).
  • Upload and Download buttons are now shown on the cloud connector configuration page IWA service tab in Firefox (CC-38160).
  • For the Box and Google Apps for Work provisioning feature, when enabling or disabling the ADGroupSync option, manual sync of the app will now unassign / assign users from the destination groups specified in the role mappings (CC-36955/CC-36956).
  • When changing the option from Union scheme to Priority order in the Box app, users are no longer left in Union groups (CC-37525).
  • ServiceNow app configuration documentation has been updated as a step was missing and some steps were in the wrong order (CC-38242).
  • ThousandEyes SAML app configuration documentation has been updated to reflect the current UI (CC-38194).
  • Users are no longer removed from unmanaged groups on sync operations when using provisioning with Google Apps (CC-37518).
  • CustomerID in the login URL is supported but became case-sensitive in 16.4. This has been resolved in this release and it is no longer case-sensitive (CC-38218).
  • The Zero Sign-On (ZSO) feature is now supported on Macs as well as Android and iOS devices (CC-37537).
  • On iOS devices, the list of company apps no longer always indicates that some apps need an update even after they have been updated (CC-34594).
  • A fix was made to the App Gateway to resolve app launches from mobile devices always prompting for user names and passwords (CC-36448).
  • The app configuration documentation for the Zscaler SAML app has been updated to note that SHA-2 is now supported (CC-37755).
  • Fixed a race condition where a successfully completed O365 sync job was incorrectly marked as Process Failed (NotFound) (CC-37275).
  • In the Samanage provisioning UI, “Non-European” is now the default Region option (CC-37933).
  • The CloudBees app configuration documentation was updated to reflect the CloudBees current UI (CC-2385).
  • Users can now create an app using App Capture and add a custom icon to it (CC-37827).
  • Maps are now shown when running reports that deliver their information via a map. Previously an error was shown indicating that no location information was available (CC-37959).
  • In the Samanage app, title changes are now synched (CC-37348).
  • Apps in tags / categories are now sorted alphanumerically (CC-37852).
  • The Jobs History “Running Jobs” query now returns pending jobs (CC-37912).
  • The firewall and external IP address requirements documentation for the cloud service has been updated (CC-37951).
  • When a provisioning job encounters an error and is cancelled, or a user cancels the request, and then another error occurred after that, the original cancellation reason was overwritten and never logged (CC-37822).
  • If the Cloud Connector installer cannot restart the connector service after upgrade, the installer can now optionally reboot the computer the service is running on (CC-37482).
  • The global policy settings for Centrify Privilege Service have been moved from the Cloud Manager to the Privilege Portal in the Settings Tab, Security Settings item (CC-36471).

For security advisories and known issues, please see attached file.

In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 16.4 this weekend (Saturday, April 30th).   The complete list of new features is available in the release notes, but as always I will tell you about my favorite new features here:

 

New Self-Service Features

For user self-service, we've added two new features to improve the user experience:

  • Show Password Complexity Requirements (for password reset), and
  • Recovery of Forgotten User Name

Centrify Identity Service has supported password reset (both for Cloud Directory and for AD users) for a very long time now.  While this is a great feature, it needed some improvement in the user experience department.  Specifically, the password reset experience could be frustrating for users as the interface did not communicate to the user what the password complexity requirements were.  With this release we've added a new policy (under "User Security Policies > Password Settings") to display the password complexity requirements in the user interface.

 

NOTE: for Active Directory users, this feature provides a text box for the Admin to type out the requirements. We do not do this for Cloud Directory users as we know precisely which rules are in place for each user.

Password Complexity.png

In addition we've augmented our support for recovery of lost credentials.  Specifically, the platform now supports recovery of a forgotten user name.  To enable this feature, go to "Settings > Authentication > Security Settings" and click the box to "Enable forgot username self-service at login".  When this is enabled, the Sign In screen will contain a "Forgot User Name?" link.  Clicking this link prompts the user to provide an email address so that we can email the user name to the user.  (NOTE: for security reasons, we will not indicate if the email address does not match any user records.)

 

Improved Token Management

We've expanded upon the token management feature that was added in 16.3, which enables Admins to bulk upload OATH tokens (under Settings > Authentication > Other > OATH Tokens) to register OATH clients with the service on behalf of the user and remove these tokens later as needed.  In 16.4 we've added 2 new capabilities to this feature:

  1. Admins can now bulk upload HOTP OATH tokens in addition to TOTP tokens, and
  2. Admins can now remove tokens added by the user as well (in 16.3, they could only remove the tokens that they had added).

Token Management.png

 

Passwordless Mobile Enrollment

This feature is an example of where the breadth of Centrify's customer base benefits all of our users.  In working with our customers in government and highly regulated industries where security is paramount, we found that many of these customers have moved to Smart Cards and have gotten rid of their passwords altogether.  As you may have seen, we added Smart Card support to the platform several months ago.  This works great when accessing the portal on a computer, but was problematic on mobile.  We've addressed their needs by adding a policy (under "Mobile Device Policies > Device Enrollment Settings") to "Enable invite based enrollment".  When this policy is enabled, invite links that are sent to the user will contain a one time passcode for enrollment that will satisfy the authentication needs from the device.

 

Passwordless Enrollment.png

As a best practice, we recommend having your users first download the Centrify Mobile App, then log in to the portal, go to the Devices tab, and click on the "Add Devices" button to send an SMS link to the phone.

 

We hope you enjoy these new features and look forward to hearing your feedback!