End-of-life notification

This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):

• Action Required – TLS 1.0 Deprecation

  As part of our mission to protect customers and align with PCI DSS standards, Centrify updated the minimum TLS protocol required to connect to the Centrify Cloud Platform from TLS 1.0 to TLS 1.1 as of 18.5. TLS 1.0 support will be deprecated when Centrify Cloud 18.6 is released. Connectors running on machines with Windows Server 2008 R2 or older must upgrade the Connector to version 18.5 prior to the release of Centrify Cloud 18.6 to avoid potential disruptions. Please see this knowledge base article for important details.

New Features - Centrify Application Services   

BambooHR: Support for In-bound provisioning

• Seamless Provisioning of user information from BambooHR into ActiveDirectory
• Configurable Provisioning Rules that enable:
  • Explicit Mapping of attributes between BambooHR and AD
  • Specifying AD group in which user can be created
  • Selective Provisioning of all users or a subset (business unit)
  • Periodic full sync or incremental syncs
  • Customizable Attribute Mapping via scripts
• Deeper insight into provisioning status via Job Reports

ADP: Enhanced Support for SSO into WorkforceNow

• Extend SAML SSO support for ADP’s portfolio to WorkforceNow, a suite of apps from ADP covering Payroll & Tax, Time and Labor Management, Employee Benefits and ACA for midsize businesses

   

• Complete Centrify's SAML SSO support to all apps in ADP’s portfolio including ADP Portal, my.adp.com, Vantage HCM and WorkforceNow Enhanced Time

The following apps have been updated:

• UltiPro (User / Password)
• ADP (SAML)

New Features - Centrify Endpoint Services

iOS Mobile App Management Improvements

• Customized App Install message identifies the customer as the one installing the app rather than the tenant URL
  
  
• Configurable App Installation attempts:
  • Policies -> Endpoint Policies -> iOS Settings -> Application Management Settings
    
    
• Set once globally for all mobile app installations (required apps only)

Centrify Mobile Device Enrollment Improvements

• New option allows user to select Company vs. Personal ownership during enrollment
• Option to set default device ownership
  
  
• Support for hyperlinks in the enrollment welcome screen
  
  
• Streamlined device enrollment for iOS 11.3 and newer devices leveraging SFSafariViewController in enrollment
  
  
• Rooted Android device detection is now possible even when Magisk is used to hide detection

New Features - Centrify Infrastructure Services 

Privileged Access Service

New System Discovery Engine

• The new discovery engine provides added capabilities:
  • Modular architecture: allows for additional types of discovery in different contexts (AA, system, etc.) using in a common framework.
  • New system discovery that allows for multiple types of approaches: AD or Port Scan.
• Management Flexibility
  • “Actions” have broadened to support PAS strengths including “Add to set”
  • Discovery credential management.
  • Excluded systems (blacklist) management.
• Extensible Framework

SailPoint IdentityIQ Integration – PAS Access Request

• 18.6 starts the first phase of integration with SailPoint IdentityIQ.
• With the SailPoint integration you can:
  • Onboard PAS objects (systems, accounts) as assets.
  • Use SailPoint IdentityIQ to manage the workflow lifecycle (request, approve, trace... etc.) for secure access or password checkout to PAS.

Privileged Access Service - Customer Hosted

Evaluation Mode

• This option provides the ability to run Privileged Access Service (customer hosted) in a single node configuration without High-Availability.
• This significantly reduces the complexity of evaluation pre-requisites.
  
  

New Features - Centrify Core Services

Improved Language Support

Administrators can define Default Language by Policy in User Account Policy.

Users can change their language in User Portal under Account

• User choice will override default policy

Bulk import to a Role that defines language

Platform honors the AD Preferred Language attribute

• Centrify attribute will override what is stored in AD
• Centrify does not update the AD Preferred Language attribute

Centrify Language Support

• User Portal: 18 languages
• Admin Portal: 10 languages

New Features - SIEM and ServiceNow Integrations

Support MSP Use Case – Early Access

• MSPs can now support multiple Centrify customers on one ServiceNow tenant
• MSP support for all 4 Applications:
  • App Access Request
  • Privileged Access Request
  • Password Reset
  • Identity Service 

Support “Request” from ServiceNow 

• Approve workflow request based leveraging existing CHG Request
  • If the ticket is approved within ServiceNow, access is fulfilled
  • If the ticket associated with the request isn’t approved, then go through the workflow engine within ServiceNow

Resolved Issues and Behavior Changes

The following list records issues resolved in this release and behavior changes.

• A new policy has been added for default message language. By default, the language used is the message sender’s language setting (i.e. the language setting for the administrator that caused the message to be sent), but that can be overridden to a specific language by setting the policy (CC-51721).
• Advanced script capabilities have been added to all SAML applications, previously this was only available on some SAML applications (CC-55466).
• When enrolling devices, if PKI certificates are defined by Active Directory group policy to be downloaded, three certificates are now sent: root CA, user CA and issuing CA. This matches the behavior when PKI certificates are defined in a cloud policy (CC-57705).
• An error is no longer shown when a user with read-only management right enters the Partner Management page (CC-58426).
• Emailed reports no longer show an error if a relative date type is set (CC-57562).
• Network unavailable is no longer shown on an iOS device using Safari when launching a bookmark app that has a mobile authenticator profile, with the MFA approval step on the same device (CC-58453).
• Phone numbers for newly enrolled Android devices are now correctly shown in the Admin Portal (CC-58622).
• Resolved an issue whereby some iOS native apps would continuously prompt for update due to two different version numbers inside the app (CC-58652).
• Administrators can now block access from the Centrify mobile app to various domains in the firewall policy for Android devices. Individual domains can be blocked in the domain deny rules – denying all will still allow the mobile app to access the Centrify cloud (CC-58029).

For security advisories and known issues, please see attached file.

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.