New Features - Centrify Privileged Access Service
Force rotation of account passwords
Security incidents may require an immediate update to all, or a selection of, an organization’s managed account passwords.
- Enable PAS administrators to rotate managed account passwords on demand.
- Select from Managed Accounts list
- Starts password rotation job immediately
- Email notification when job is complete
- Activity and job history status of all password rotations
- Independent of scheduled password rotation policy
Escrow encrypted password catalog
Secure, encrypted catalog for operational recovery of infrastructure supporting the solution.
In parallel with HA/DR, keep an optional daily backup of your passwords.
- Encrypted file (CSV)
- All account passwords
- Intended for highly privileged administrators only: the file holds every managed password, so the OpenPGP private key that decrypts it needs the same protection as the vault itself
- Encrypted to an OpenPGP key
- Encrypted file e-mailed on a daily schedule
- Configured through the REST API
New Features - Idaptive Application and Endpoint Services
Adaptive SSO, Adaptive MFA, Lifecycle, Mobile & Endpoint Security
- Custom portal login banner: Customization feature to display custom pre-login message to the user logging into the Idaptive user portal.
- Connector/Browser Extension Branding for Idaptive: Rebranding of existing Centrify Browser extension to Idaptive for all currently supported browsers.
- ADFS 3.0 MFA Plugin available on Idaptive Github: MFA plugin for ADFS 3.0 available through Idaptive Github. https://github.com/idaptive/mfa-adfs-plugin
- Partner Federation: Relay State support for SAML for auto-launch of apps without landing on the SP portal.
- Better visibility into users by type: user counts are now broken down by User, OAuth2, Computer and Service types.
Frictionless Trial and Onboarding
- New Getting Started Wizard
- Frictionless Trial: updated system emails
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- It is now possible for users who either logged into the portal before their password expired, or who use IWA or certificates to login, to change their password once it has expired (CC-64966, CC-65063).
- Devices marked as personal can now be successfully imported as corporate-owned (CC-64777).
- Android for Work mobile app deployment and auto-install once again work as documented (CC-60982, CC-63610, CC-63684).
- Reapply policy no longer removes bookmarks from the home screen on Android devices using Android 7 or earlier (CC-64498).
- Options to unenroll a device are no longer shown if the selected device was enrolled in device-owner mode (CC-63779, CC-63372).
- In device-owner mode the delete command now wipes the selected device rather than unenrolling it (CC-63994).
- Where Partner Management has been configured between an external IdP (i.e. one that is not Centrify) and the cloud service, and a user has IdP single-signed on to the cloud service via Partner Management, it is now possible to launch SAML apps without the User Portal being visible during the launch / sign-on (CC-64706).
- Administrators now have the ability to assign a Windows machine to a user on the Endpoints page. A “Set User” command will be displayed if the Windows machine is not currently assigned to any user (CC-64748).
- Administrators can now create a custom login banner for the User Portal. Banners can be created in plain text in multiple languages, and once configured will be shown to users on login until the button is clicked on the dialog. An event is logged when the user clicks the button (CC-64330, CC-64850).
- Administrators and users can now choose a default view for apps, choosing between grid or grouped, large or small icons, with/without titles (CC-64471).
- Privileged Access Service limited-view users can no longer view database accounts if they do not have view permission on the database (CC-64022).
- Windows sessions audited through the Privileged Access Service portal no longer show as disconnected in the audit analyzer (CC-64439).
The following apps have been updated:
- PollEverywhere (User / Password)
- LinkedIn (User / Password)
For security advisories and known issues, see the attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
New Features - Centrify Application Service
- Box de-provisioning. Option to transfer content to admin account in addition to previously supported de-provisioning options.
- Password Complexity Settings. Password policy can now follow the NIST SP 800-63B guidelines.
- Customized Privacy Policy and Terms of Use. Allow customer to have custom links to their privacy policy and terms of use.
- ADFS MFA Plugin (Beta only). Centrify’s MFA plugin for ADFS 3.0.
- SCIM server APIs. CRUD for user/group resources.
- Custom MFA Phone Messages. Allows the customer to customize the audio messages for phone calls related to MFA.
- Mandatory Setup of MFA (require end users to set up MFA). Allows administrators to force and ensure end users have setup required MFA factors at first portal login.
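The NIST SP 800-63B setting above (and the minimum password age that a later release in these notes adds to the Password History Policy) reduce to a handful of verifier checks: a length floor and ceiling counted in characters, screening against a compromised-password list and against repetitive or sequential strings, no context-specific words such as the username, and no composition rules or scheduled expiry. The Python below is an added illustration of those checks, not Centrify code; the `check_password` helper, the tiny constructed blocklist and the `min_age_days` parameter (whose default of 0 days is the one quoted in the notes) are assumptions.

```python
"""Added example (not Centrify code): password acceptance checks in the spirit of
NIST SP 800-63B section 5.1.1.2, plus a configurable minimum password age."""
import unicodedata

MIN_LENGTH = 8     # SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LENGTH = 64    # SP 800-63B: verifiers SHOULD accept at least 64

# Constructed stand-in for the breached / commonly-used password list a verifier
# is expected to screen against.  A real deployment loads a large list.
BLOCKLIST = {"password", "12345678", "qwerty123", "letmein1"}


def _repetitive_or_sequential(pw):
    """'aaaaaaaa' or 'abcdefgh' style secrets, which SP 800-63B also screens out."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(candidate, username, last_changed_days_ago, min_age_days=0):
    """Return the list of reasons a candidate is rejected; an empty list means accepted.

    Length is counted in characters after NFKC normalisation, so a user typing the
    same secret from a different keyboard is not locked out.  min_age_days=0 is the
    default quoted in the notes, meaning no waiting period unless configured.
    """
    pw = unicodedata.normalize("NFKC", candidate)
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        failures.append("longer than %d characters" % MAX_LENGTH)
    if pw.lower() in BLOCKLIST:
        failures.append("on the compromised/common-password list")
    if _repetitive_or_sequential(pw):
        failures.append("repetitive or sequential characters")
    if username and username.strip().lower() in pw.lower():
        failures.append("contains the username")
    if last_changed_days_ago is not None and last_changed_days_ago < min_age_days:
        failures.append("changed less than %d day(s) ago" % min_age_days)
    # Deliberately absent: composition rules (upper/lower/digit/symbol mixes) and
    # scheduled expiry, both of which SP 800-63B says verifiers SHOULD NOT impose.
    return failures
```

The function returns every reason at once rather than the first one, so a user can fix a rejected candidate in one round trip; the minimum-age check takes `None` for an account that has never changed its password, which is the case at first login.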
New Features - Centrify Endpoint Service
- iOS - Show a custom message on Lock screen: Device lock MDM command (Lock Screen action) supports custom message (both iOS/Mac) and Phone number (iOS).
New Features - Centrify Privileged Access Service
- Better support for just-in-time access with a new control to disallow permanent grant of permissions in the access request workflow
- Update to SSH library for improved security
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- A count of MDM commands sent to each device is now kept, with separate counters for the current day and the current week. To report on a specific device:
Select DeviceId, Name, CommandCountToday, CommandCountThisWeek from Device
The count includes both MDM commands and client app commands such as Lock client app. The count is incremented only when the command is actually delivered, so for a device that is offline or has no connectivity the counters do not increase even though commands may be pending (CC-62146).
- LDAP users in a group are now added to a Role that group is assigned to if the server is using a special identifier (CC-64534).
- Administrators can now add their own Terms of Use and Privacy Policy links to the Administrator and User portal page footers (CC-62986).
- Administrators can now set a customized message for phone call multi-factor authentication. Separate messages can be set for supported languages (CC-51720).
- The O365 app has been updated with the full set of correct license names (CC-63413).
- Users deleted in Active Directory are now synched with O365 and correctly removed (CC-62876).
- App policy now works for WS-Trust applications (CC-63632).
- Verifying SCIM provisioning in a custom SAML app no longer produces an exception error (CC-63602).
- It is now possible to save an Authentication Profile to a newly created custom SAML app (CC-63587).
- It is once again possible to manage apps in Munki – the manage column has been reinstated in the Admin Portal (CC-64227).
- The Inactive Users Report now correctly completes when the user’s language is set to French (CC-63414).
- A control has been provided in Privileged Access Service to turn the “Permanent” workflow option for password checkout on or off (CC-59489).
- In Privileged Access Service, discovery now finds local Linux accounts (CC-64307).
- Privileged Access Service administrators can now configure the command timeout for RoboTyper scripts when managing systems and network devices (CC-52388).
- Modifying Sets of systems no longer causes a syntax error (CC-64051).
- Cenroll can now add resources to a particular Set when the same name is used both for a server and a non-server object type (CC-63763).
- Privileged Access Service limited-view users no longer require domain view permission to use domain accounts (CC-58717).
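The command counters described earlier in this list (CC-62146) move only when a device acknowledges delivery, which is what makes them usable as a signal: a device or an administrator issuing an abnormal number of lock or wipe commands shows up as a high daily count, while an offline device with a backlog does not. The Python below is an added illustration of that behaviour, not Centrify's implementation; the `CommandLedger` class, the Monday week start, the ISO date strings and the `noisy_devices` threshold are assumptions, and the dictionary `report` returns mirrors the four columns of the query shown above.

```python
"""Added example (not Centrify code): a per-device command ledger whose day and
week counters move only when the device acknowledges delivery, as the notes
describe for CommandCountToday / CommandCountThisWeek."""
from collections import defaultdict
from datetime import date, datetime, timedelta


class CommandLedger:
    def __init__(self):
        self.names = {}                      # device_id -> display name
        self.pending = defaultdict(list)     # device_id -> commands queued, not yet delivered
        self.delivered = defaultdict(list)   # device_id -> (delivered_at, command)

    def register(self, device_id, name):
        self.names[device_id] = name

    def enqueue(self, device_id, command):
        """An MDM or client-app command (e.g. Lock) is issued; nothing is counted yet."""
        self.pending[device_id].append(command)

    def deliver(self, device_id, when_iso):
        """The device checks in and takes its queue; this is the only place counts grow."""
        when = datetime.fromisoformat(when_iso)
        for command in self.pending.pop(device_id, []):
            self.delivered[device_id].append((when, command))

    def report(self, device_id, today_iso):
        """Same four columns as
        'Select DeviceId, Name, CommandCountToday, CommandCountThisWeek from Device'."""
        today = date.fromisoformat(today_iso)
        week_start = today - timedelta(days=today.weekday())   # assumption: week starts on Monday
        days = [when.date() for when, _ in self.delivered.get(device_id, [])]
        return {
            "DeviceId": device_id,
            "Name": self.names.get(device_id),
            "CommandCountToday": sum(1 for d in days if d == today),
            "CommandCountThisWeek": sum(1 for d in days if week_start <= d <= today),
        }

    def noisy_devices(self, today_iso, per_day=20):
        """Devices that received more than per_day commands today (threshold assumed)."""
        return sorted(d for d in self.names
                      if self.report(d, today_iso)["CommandCountToday"] > per_day)
```

Because counting happens in `deliver` and not in `enqueue`, a report taken while the device is offline shows zero even with several commands pending; this is also why a sudden jump when a device reconnects is expected and not by itself suspicious.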
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
End of life notification
This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
Termination of v1 REST API support
Why are we doing this?
- Centrify introduced the v2 enrollment APIs with the 17.2 release to support setting of additional resource-related information during enrollment. This new version is a superset of the original v1 enrollment APIs. As the Centrify Agent for Linux and Mac agents have been using the v2 APIs since 17.2, we are now planning to disable the old v1 enrollment APIs in 18.10.
Who will be affected?
- Customers who deploy Centrify Agent for Linux/Mac agents.
- Customers who develop their applications using the following REST APIs: ServerAgent/Register, ServerAgent/Enroll, ServerAgent/EnableFeatures
What steps do I need to take?
- If you deploy Centrify Agent for Linux/Mac agents, upgrade to the latest version of Centrify Agent for Linux/Mac.
If you develop applications using the REST APIs:
- Change your code to call the corresponding V2 REST API (e.g., ServerAgent/RegisterV2, ServerAgent/EnrollV2, ServerAgent/EnableFeaturesV2).
What happens if I do nothing? What errors or issues am I likely to see?
- If you have deployed older versions of Centrify Agent for Linux/Mac agents, existing enrolled agents will continue to work, however new features will not be available.
- After the Centrify Identity Platform is upgraded to 18.10, once the agent is unenrolled it cannot re-enroll again. You MUST upgrade the agent to re-enroll.
- If you have developed applications using the REST APIs, the REST API call will fail with an error.
New Features - Centrify Application Services
MFA Redirect
- Lets an administrator or user who holds multiple accounts, potentially in different domains, receive MFA for all of them through one account, namely the one signed in to the Centrify app on their mobile phone.
- Administrators can redirect MFA notifications for a given account to be sent to another account.
- For the account where the redirect is enabled and set, all subsequent notifications will be sent to the account specified.
- The user can then answer with an OTP code or the Mobile Authenticator on the phone associated with the account that receives the redirected MFA notifications.
- Administrators can use policy to allow end users to be able to set their own MFA redirection.
- If enabled for a given user or set of users, the user will find the option to configure MFA redirect in the user portal under the Account page under the information about their phone.
Centrify Browser Extension Enhancements
- Apps that leverage the Centrify Browser Extension can be launched directly from the browser's CBE menu:
- To access applications from CBE:
- Install Centrify Browser extension for your browser.
- Sign-in with your username and password.
- Click on the CBE to select applications to launch.
All four major browsers are supported (IE, Chrome, Firefox and Safari).
SAML Script Editor
- The editor now includes inline hints, autocomplete, and onscreen help to make it easier for customers to write SAML scripts.
- SAML script methods appear in hints and can be used with autocomplete.
- On-screen documentation of methods and variables is provided.
DevOps Application Category
- This new applications category in the apps catalog enables customers to easily set up SSO for popular DevOps CI/CD apps.
- To add DevOps applications to your app catalog:
- Login to Centrify portal as administrator.
- Navigate to Apps tab and click “Add Web Apps”.
- The DevOps category is shown in the list of categories.
AWS CLI Utilities
- Centrify now offers Python and PowerShell CLI utilities for both admins and users to access Amazon Web Services (AWS) by leveraging Centrify Identity Services.
- Customers have the option to download the AWS utilities from the user portal under application settings.
- A new tab was also added to the download page in the Admin Portal called “CLI Tools” from where the AWS CLI tools can be downloaded.
- Official documentation for setup and operation is also available.
Time-based Workflow for Mobile and Desktop
- Customers can now reduce risk by requesting and granting access to apps only during a given time window.
- Under the Workflow tab in the Apps section, select the “Windowed” assignment type and specify start and end times.
- The approver can either accept the requested window or modify it.
The following catalog apps have been updated:
- Jira Server (SAML)
New Features - Centrify Endpoint Services
Delegated Administration
- Customers can now implement policy sets for endpoints and mobile devices ensuring that endpoints / mobile devices are being added to and removed from sets dynamically, based on changes to the attributes of the device.
- An Administrator can define specific policy sets by device attributes that would automatically update if any of those attributes were to change.
- For example, Macs can have a specific policy and if that endpoint were to turn off FileVault the policy would be updated automatically.
- The Administrator can then go into Endpoints, select the dynamic set and see the endpoints that meet that query.
Office 365 Conditional Access
- An administrator can limit access to Exchange Online (Office 365) to devices that the Centrify MDM solution recognizes as managed.
- Conditional access for apps is an existing feature and works for all apps/browsers that support cert based authentication.
- This release adds cert based authentication for the Outlook app.
- This includes the ability to install a ZSO certificate on a Samsung device to support this feature.
New Features - Centrify API Services
New Documentation Updates (available 10/6/2018)
- AWS CLI installation guide: https://developer.centrify.com/docs/aws-cli
- AWS Powershell Utility v10: https://developer.centrify.com/docs/aws-powershell-utility-v10
- Authorization (Auth) Code Flow: https://developer.centrify.com/v1.2/docs/auth-code-flow
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- To improve security, Forgot Password now completes the entire forgot password process for users that do not exist (CC-59842).
- The App Gateway tab now appears for on-premises SAML apps for users with read-only administrator permission. Previously read/write administrator permission was required (CC-62356).
- TLS 1.1 and 1.2 are now enabled by default on devices running Android 4.1 – 4.4 (CC-62436).
- The manager field can now be set for a normal SCIM user as well as an enterprise user (CC-60545).
- Third party VPN profiles now show correctly on the security tab (CC-62281).
- Mobile applications are now no longer installed automatically when associated with a role created prior to release 18.7 and automatic deploy is unchecked (CC-61763).
- Enrollment via QR code now works for iOS 12 (CC-61793).
- The Centrify mobile app for iOS no longer repeatedly prompts for a PIN (CC-61732).
- Mobile devices are now correctly tagged as corporate when the serial number is imported after the device is enrolled (CC-60193).
- Devices no longer unenroll unexpectedly when the device incorrectly reports the Centrify mobile app is uninstalled while it is in the update process (CC-61044).
- The change password tab no longer shows in client settings after the enrolled user has been locked (CC-60890).
- In Privileged Access Service workflow, the default time bounding is now updated after being changed by the first approver (CC-59858).
- The discovery history page for Privileged Access Service now loads while a system discovery job is running (CC-61359).
Changes for HF1
- Connector LDAP queries for custom attributes are improved (CC-62898)
Changes for HF2
- Fixed an issue with the display of Role membership: the Role members list was empty even though users were assigned to the role (CPSSUP-473).
- Slow user provisioning for both full and incremental jobs has been improved (CISSUP-4452, CISSUP-4431, CC-62998).
- Reporting of user changes in large groups to the cloud now makes better use of caching (CC-62658).
- Fixed an error presented when selecting a previously discovered service in the Admin Portal. (CC-61466)
Changes for HF3
- Fixed an issue with performance during bulk enrollment of mobile devices. (CISSUP-4560)
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
End of life notification
This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
Termination of v1 REST API support
Why are we doing this?
- Centrify introduced the v2 enrollment APIs with the 17.2 release to support setting of additional resource-related information during enrollment. This new version is a superset of the original v1 enrollment APIs. As the Centrify Agent for Linux and Mac agents have been using the v2 APIs since 17.2, we are now planning to disable the old v1 enrollment APIs in 18.10.
Who will be affected?
- Customers who deploy Centrify Agent for Linux/Mac agents.
- Customers who develop their applications using the following REST APIs: ServerAgent/Register, ServerAgent/Enroll, ServerAgent/EnableFeatures
What steps do I need to take?
- If you deploy Centrify Agent for Linux/Mac agents, upgrade to the latest version of Centrify Agent for Linux/Mac.
- If you develop applications using the REST APIs:
- Change your code to call the corresponding V2 REST API (e.g., ServerAgent/RegisterV2, ServerAgent/EnrollV2, ServerAgent/EnableFeaturesV2).
- Contact Centrify Support
What happens if I do nothing? What errors or issues am I likely to see?
- If you have deployed older versions of Centrify Agent for Linux/Mac agents, existing enrolled agents will continue to work, however new features will not be available.
- After the Centrify Identity Platform is upgraded to 18.10, once the agent is unenrolled it cannot re-enroll again. You MUST upgrade the agent to re-enroll.
- If you have developed applications using the REST APIs, the REST API call will fail with an error.
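Before the 18.10 cut-over it is worth auditing any integration code for the three retired paths, since a v1 call that survives will simply start failing with an error. The Python below is an added example, not a Centrify tool: it reports stale calls with file and line, and rewrites them to the V2 names. The notice supplies only the path mapping; the `find_v1_calls` and `migrate` helpers, the case-insensitive matching and the constructed sample source are assumptions. The subtle part is that each v1 path is a prefix of its own replacement, so a naive substring search reports every already-migrated `EnrollV2` call as stale; the pattern below refuses a match when an identifier character follows the path. Because the notice describes v2 as a superset that accepts additional resource information, renaming the path is the mechanical part of the migration and not necessarily all of it.

```python
"""Added example (not a Centrify tool): audit source for the v1 enrollment
endpoints retired in 18.10 and rewrite them to the V2 names."""
import re

# The three retired paths and their replacements, exactly as listed in the notice.
V1_TO_V2 = {
    "ServerAgent/Register": "ServerAgent/RegisterV2",
    "ServerAgent/Enroll": "ServerAgent/EnrollV2",
    "ServerAgent/EnableFeatures": "ServerAgent/EnableFeaturesV2",
}
_CANONICAL = {p.lower(): p for p in V1_TO_V2}   # case-insensitive lookup (assumption)

# A v1 path counts only when no identifier character follows it: "ServerAgent/EnrollV2"
# must not be reported as a stale "ServerAgent/Enroll", but "ServerAgent/Enroll?x=1" must.
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(re.escape(p) for p in V1_TO_V2) + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)


def _v2_for(match):
    return V1_TO_V2[_CANONICAL[match.group(1).lower()]]


def find_v1_calls(source, filename="<input>"):
    """Return (filename, line_no, v1_path_as_written, v2_path) for every stale call."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in _PATTERN.finditer(line):
            hits.append((filename, line_no, m.group(1), _v2_for(m)))
    return hits


def migrate(source):
    """Rewrite stale paths to their V2 names; already-migrated calls are untouched."""
    return _PATTERN.sub(_v2_for, source)


# Constructed sample, not taken from any real integration.
SAMPLE = '''\
url = base + "/ServerAgent/Register"          # stale
url2 = base + "/ServerAgent/EnrollV2"         # already migrated
post("ServerAgent/EnableFeatures", body)      # stale
post("ServerAgent/enroll?x=1", body)          # stale, lower case
'''

if __name__ == "__main__":
    for f, n, v1, v2 in find_v1_calls(SAMPLE, "enroll.py"):
        print("%s:%d: %s -> %s" % (f, n, v1, v2))
```

Run `find_v1_calls` over each file first and review the hits; apply `migrate` only once the request bodies have been checked against the V2 documentation.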
New Features - Centrify Application Services
Dome9 SAML App in the App Catalog
- Dome9 delivers full visibility, control and faster time to protection as organizations scale in AWS, Azure and Google Cloud environments.
- A new SAML App for Dome9 has been added to Centrify's App Catalog, simplifying Dome9 integration for SSO.
Password Complexity and History Enhancements
- New Password History Policy ensures that passwords can only be changed after a minimum configured password age (default is 0 days).
- Self-Service Password Reset Policy limits the number of forgotten password resets within a time window (default is 10 days).
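Two items in these notes concern the self-service reset path: an earlier release above made Forgot Password run the complete flow for usernames that do not exist (CC-59842), and the policy just listed caps how many resets one account can request in a window. Both matter for the same reason: if the unknown-user case or the over-limit case produces a different message, a different status or a faster response, the endpoint becomes a user-enumeration oracle. The Python below is an added example, not Centrify code, of a reset service that returns the same reply and does the same work in all three cases. The `ResetService` class, the cap of three requests per window, the 15-minute token lifetime and the in-memory user directory are assumptions; the only value taken from the notes is the 10-day default window.

```python
"""Added example (not Centrify code): an enumeration-resistant, rate-limited
self-service password reset.  Every constant below is an assumption except the
10-day window, which is the default quoted in the release notes."""
import hashlib
import hmac
import secrets
import time

RESET_WINDOW_SECONDS = 10 * 24 * 3600   # notes: default time window of 10 days
MAX_RESETS_PER_WINDOW = 3               # assumed cap; the notes give no count
TOKEN_TTL_SECONDS = 15 * 60             # assumed lifetime of a reset link
NEUTRAL_REPLY = "If an account exists for that username, a reset link has been sent."


class ResetService:
    """Reset flow whose observable behaviour is the same for every username."""

    def __init__(self, known_users):
        self.known = {u.strip().lower() for u in known_users}  # constructed user directory
        self.requests = {}     # user -> timestamps of reset requests inside the window
        self.tokens = {}       # user -> (sha256 hex of token, issued_at); only the digest is kept
        self.outbox = []       # (user, token) pairs that would actually be e-mailed
        self.suppressed = 0    # requests answered with the neutral reply but no mail

    def _under_limit(self, user, now):
        recent = [t for t in self.requests.get(user, []) if t > now - RESET_WINDOW_SECONDS]
        self.requests[user] = recent
        return len(recent) < MAX_RESETS_PER_WINDOW

    def request_reset(self, username, now=None):
        now = time.time() if now is None else now
        user = username.strip().lower()
        # Mint and hash a token for every request, even one that will be dropped,
        # so the response time does not depend on whether the account exists.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        if user in self.known and self._under_limit(user, now):
            self.requests[user].append(now)
            self.tokens[user] = (digest, now)
            self.outbox.append((user, token))
        else:
            # Unknown user, or over the reset limit: same reply, no mail, no error.
            self.suppressed += 1
        return NEUTRAL_REPLY

    def consume_token(self, username, token, now=None):
        """True only for an unexpired token issued to this user; single use."""
        now = time.time() if now is None else now
        user = username.strip().lower()
        # Compare against a dummy digest when nothing is stored so the comparison
        # always runs; compare_digest keeps the check constant-time either way.
        expected, issued = self.tokens.get(user, ("0" * 64, float("-inf")))
        presented = hashlib.sha256(token.encode()).hexdigest()
        fresh = now - issued <= TOKEN_TTL_SECONDS
        if hmac.compare_digest(expected, presented) and fresh:
            del self.tokens[user]
            return True
        return False
```

The limit is applied silently: an account that has exhausted its window gets the neutral reply rather than a "too many requests" error, which would otherwise confirm that the account exists. Only the digest of the token is stored, so a read of the token table does not yield usable reset links.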
Centrify Browser Extension Enhancements
- The settings tab within the Centrify Browser Extension now has the following abilities:
- Sign In
- Set preference to open apps in new tab
- Configure the portal host name
- Export Diagnostics logs
The following apps have been added to the catalog:
- Dome9 (SAML)
The following apps have been updated:
- Brainstorm QuickHelp (SAML)
- Eat Club (User / Password)
- Cognology (SAML)
The following apps have been renamed:
- Ace of Sales --> Outstand
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- With self-hosted Infrastructure Service, if there is an existing database folder prior to a restore operation, it is renamed and the restored data will be placed in a new folder that has the correct database folder name (CC-60616).
- Apostrophes are now correctly handled in email addresses in workflows (CC-61544).
- The inbound provisioning sync report no longer shows UnexpectedUserSyncException when synching AD users. You must update to the 18.8 connector in order to use the revised code (CC-60349).
- Mobile apps marked for Automatic Install in the Admin Portal are now shown as “Recommended” on mobile devices rather than “Optional” (CC-60865).
- When enrolling an Android device in Android for Work DO mode, checksum errors are no longer seen (CC-56928).
- The “Uninstall this app if the app is unassigned from the user” policy has been revised to prevent unexpected automatic uninstall of apps from mobile devices (CC-60347).
- SCIM provisioning now allows users to be added to Salesforce (CC-60678).
- The sysadmin role no longer has Automation Deploy and Run permissions by default for all apps (CC-60135, CC-59392).
- The timestamp for an iOS device’s location is now correctly updated after using “Find Now” in the User Portal, even if the device has not changed location since the last shown location (CC-59992).
- SAML metadata import now works on IE (CC-54410).
- It is now possible to upload SP metadata XML to a SAML app (CC-58762).
- On older Android devices shortcuts are now still available after switching to kiosk mode (CC-60958).
- With mobile devices, when there are multiple approvers for a workflow, prior approvers in the chain are shown on the approval screen for later approvers (CC-59832).
- The connector now correctly determines the Active Directory forest based on the forest it was registered against, not the forest that the user registering the connector was logged in against (CC-59922).
- Users with read-only admin permission can now view APNS details and VPP settings page for iOS (CC-60743).
Changes for hot fix 1.
- Android 9 devices can now be successfully enrolled (CC-61936, CISSUP-4347).
- Apostrophes are now correctly handled in email addresses in workflows (CC-61544).
- URLs are re-added for catalog and custom SAML apps for Federation (CC-62009, CISSUP-4358).
- The CreateUsers API has been extended to add ExtData (extended data attributes) functionality (CC-61830).
- The domain account can now be entered for the “Port Scan” discovery profile type in Centrify Privileged Access Service (CC-61908).
- An error is now raised when an invalid password is entered for an administrative account on the domain settings page of Centrify Privileged Access Service (CC-61585).
- An error is now raised when the password for an administrative account is set by a user who does not have the “Add Account” permission in Centrify Privileged Access Service (CC-61170).
Changes for hot fix 2.
- Slow API response times issue has been improved (CISSUP-4366).
- Resolved an issue where Outlook stopped prompting for ZSO and became unmanaged after a user password change, preventing login on iOS and Android devices (CISSUP-4356).
- Loading time for admin dashboards has been improved (CISSUP-4289).
- A configuration has been added for limiting the amount of data shown in a dashboard (CC-62491).
- TcpRelay BeginWriteWithStream is updated for using the correct stream in all cases (CC-62446).
- Resolves issue with AsyncTcpConnection, causing TcpRelay read exceptions and reconnects (CC-62406).
- Resolves an issue on iOS devices where user credentials are not updated resulting in MSFT Authenticator error after a user performs password change (CC-62289).
- Resolves the error 'Download failed (HTTP result 500: internal server error)' when installing munkiimport apps and iOS/Android in-house apps (CC-62186).
Changes for hot fix 3.
- Additional improvements have been added to address slow API response times (CISSUP-4407).
- Performance improvements have been added for reloading user role membership with a large number of direct users when viewing user details in the Admin Portal (CC-62484).
- Issue related to backend stale cache error is now resolved (CC-62573).
Changes for hot fix 4.
- Additional improvements have been added to address slow API response (CISSUP-4168).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
New Features - Centrify Application Services
SAP SuccessFactors: Support for In-bound provisioning
- Seamless provisioning of user information from SAP SuccessFactors into Active Directory
- Configurable Provisioning Rules that enable:
- Explicit Mapping of attributes between SAP SuccessFactors and AD
- Specifying AD group in which user can be created
- Selective Provisioning of all users or a subset (business Unit)
- Periodic full sync or incremental syncs
- Customizable Attribute Mapping via Scripts
- Deeper insight into provisioning status via Job Reports
Delegated Administration for Apps via Sets
- Ability to create (or delete) a set of Apps through the Admin Portal, either by selecting Apps manually or via a dynamic script
- Ability to specify permissions for a user, group or role to Grant, View, Edit and Delete the Set of Apps
- Ability to review recent activity on a set
The following apps have been updated:
- Sydney Morning Herald (User name / Password)
- JIRA Server (SAML)
- Webex (User name / Password)
- DocuSign (User name / Password)
New Features - Centrify Endpoint Services
Delegated Administration for Endpoints via Sets
- Endpoint administrators can now create and manage custom sets of Endpoints, beyond the built-in sets
- Assign policies to admin-defined sets of Endpoints
- Ability to specify permissions for a user, group or role to Grant, View, Edit and Delete sets of Endpoints
- Note: For this release, sets of Endpoints will not include dynamic sets defined as the result of a query
Certificate Auto Renewal for iOS, Android & Mac
- Certificates are now automatically renewed
- Effective for all mobile policies leveraging certificates including Email, WiFi, VPN and ZSO certificate
- Renewal request starts when 20% of the certificate lifetime is left
Time Bound Workflow Approval on Mobile
- Workflow approval for Infrastructure Services now supports time bound access
- Previously, approvers could only approve or deny access permanently
- Now approvers can provide a window of time during which access is allowed, matching what can be done via the browser
- Flexibility to choose permanent or windowed access regardless of the request type
New Features - Centrify Infrastructure Services
Privileged Access Service
Centrify Agent for Linux – CoreOS Support
- Centrify Agent for Linux now supports CoreOS. Key capabilities include:
- Brokered Authentication
- AAPM (Application-to-Application Password Management)
- Ability to register the container directly on Privileged Access Service
- This feature will be released with samples via Centrify GitHub to facilitate demos, evaluation and deployment scenarios
Enhanced Password Generation Rules
- New Password Rules:
- Restrict the number of times a given character can appear in a password
- Require a minimum number of alphabetic characters in a password
- Restrict the number of non-alphabetic characters in a password
- Accommodates additional rules implemented in systems such as IBM AIX
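Rules of this shape (a cap on repeats of one character, a floor on alphabetic characters, a bound on non-alphabetic ones, which is how AIX-style attributes such as maxrepeats and minalpha are expressed) are best satisfied by drawing uniformly from a CSPRNG and rejecting draws that violate the policy, rather than patching a failed draw to fit, which skews the distribution of generated passwords. The Python below is an added example, not Centrify's generator; the `satisfies` and `generate` helpers, the choice of digits plus punctuation as the non-alphabetic class, and the reading of the third rule as a maximum are assumptions.

```python
"""Added example (not Centrify's generator): produce and validate passwords under
the three rule types listed above.  Which characters count as non-alphabetic, and
reading the third rule as a maximum, are assumptions."""
import secrets
import string

ALPHA = string.ascii_letters
OTHER = string.digits + string.punctuation      # assumed "non-alphabetic" class
CHARSET = ALPHA + OTHER


def satisfies(pw, max_repeats, min_alpha, max_other):
    """True if pw meets: no character more than max_repeats times,
    at least min_alpha alphabetic characters, at most max_other non-alphabetic ones."""
    counts = {}
    for ch in pw:
        counts[ch] = counts.get(ch, 0) + 1
    if max(counts.values(), default=0) > max_repeats:
        return False
    alpha = sum(1 for ch in pw if ch.isalpha())
    return alpha >= min_alpha and (len(pw) - alpha) <= max_other


def generate(length=16, max_repeats=2, min_alpha=8, max_other=6, attempts=10000):
    """Rejection-sample uniformly from CHARSET until the policy holds.

    Drawing and rejecting keeps every accepted password equally likely among all
    compliant ones; "fixing up" a failed draw (e.g. swapping in a letter) would not.
    """
    if min_alpha > length or max_repeats < 1 or max_other < 0:
        raise ValueError("policy cannot be met at this length")
    for _ in range(attempts):
        pw = "".join(secrets.choice(CHARSET) for _ in range(length))
        if satisfies(pw, max_repeats, min_alpha, max_other):
            return pw
    raise ValueError("no compliant password after %d draws; relax the rules" % attempts)
```

With the defaults roughly one draw in three is accepted, so the loop is cheap; a policy that is technically satisfiable but rejects almost every uniform draw (for instance, a long password with no repeats allowed from a tiny character class) surfaces as the second `ValueError`, which is the signal to loosen the rule rather than to bias the generator.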
Performance Optimizations
- 18.7 Includes the following performance optimizations:
- Password Checkout Performance
- RDP and SSH Session Performance
Remote Access Kit – Host Trust Verification
- Remote Access Kit allows a PAS user to use their local SSH (PuTTY) or RDP (Microsoft Remote Desktop Client) to initiate privileged sessions
- With 18.7, the Remote Access Kit has been enhanced to support host trust verification
Privileged Access Service - Customer Hosted
Windows Server 2016 Support
- Privileged Access Service (Customer Hosted) was launched last year with support for Windows Server 2012 R2.
- Customer Hosted installation now supports the current version of Windows Server (2016)
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Unassigned users in a provisioning group from Workday are no longer synched to an Active Directory “test” group (CC-57998).
- Tagging a SAML app in the User Portal no longer generates an error (CC-54368).
- The Dynamic CRM plug-in now works using WS-Trust (CC-60305).
- New default load sample scripts are supplied in the Source to Target tab for Workday inbound provisioning (CC-57792).
- Report names can now include the pound (“#”) symbol (CC-54880).
- The Export Reports and Email Reports commands have been restored to the option drop down in My Reports (CC-59978).
- The Samanage app configuration documentation has been updated (CC-59414).
- Users with the User Management right now have the right to update the policy needed to invite users (CC-60184).
- Users now need the Application Management or Read Only System Administration right in order to see the job history list (CC-60191).
- Previously, any system with port 135 (DCE/RPC) open was discovered by the Privileged Access Service as a Windows computer. HP-UX systems have this port open by default and are now correctly discovered as HP-UX (CC-60104).
- Users are no longer prompted for a certificate to use when attempting to Zero Sign On when using an external Certificate Authority but with no Certificate Authorities available (CC-59389).
- It is now possible to select more than one department in the Source Selection Rule for inbound provisioning (CC-60062).
- The Trace function now functions correctly in an Office 365 advanced script (CC-58773).
- Iterating in a SAML script through users who are members of a large number of groups no longer produces an exception (CC-59099).
- Calculation of the date for the next discovery run in the Privileged Access Service is now correct (CC-58627).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
End-of-life notification
This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
- Action Required – TLS 1.0 Deprecation
As part of our mission to protect customers and align with PCI DSS standards, Centrify updated the minimum TLS protocol required to connect to the Centrify Cloud Platform from TLS 1.0 to TLS 1.1 as of 18.5. TLS 1.0 support will be deprecated when Centrify Cloud 18.6 is released. Connectors running on machines with Windows Server 2008 R2 or older must upgrade the Connector to version 18.5 prior to the release of Centrify Cloud 18.6 to avoid potential disruptions. Please see this knowledge base article for important details.
New Features - Centrify Application Services
BambooHR: Support for In-bound provisioning
- Seamless provisioning of user information from BambooHR into Active Directory
- Configurable Provisioning Rules that enable:
- Explicit Mapping of attributes between BambooHR and AD
- Specifying AD group in which user can be created
- Selective Provisioning of all users or a subset (business unit)
- Periodic full sync or incremental syncs
- Customizable Attribute Mapping via scripts
- Deeper insight into provisioning status via Job Reports
ADP: Enhanced Support for SSO into WorkforceNow
- Extend SAML SSO support for ADP’s portfolio to WorkforceNow, a suite of apps from ADP covering Payroll & Tax, Time and Labor Management, Employee Benefits and ACA for midsize businesses
- Complete Centrify's SAML SSO support to all apps in ADP’s portfolio including ADP Portal, my.adp.com, Vantage HCM and WorkforceNow Enhanced Time
The following apps have been updated:
- UltiPro (User / Password)
- ADP (SAML)
New Features - Centrify Endpoint Services
iOS Mobile App Management Improvements
- Customized App Install message identifies the customer as the one installing the app rather than the tenant URL
- Configurable App Installation attempts:
- Policies -> Endpoint Policies -> iOS Settings -> Application Management Settings
- Set once globally for all mobile app installations (required apps only)
Centrify Mobile Device Enrollment Improvements
- New option allows user to select Company vs. Personal ownership during enrollment
- Option to set default device ownership
- Support for hyperlinks in the enrollment welcome screen
- Streamlined device enrollment for iOS 11.3 and newer devices leveraging SFSafariViewController in enrollment
- Rooted Android device detection is now possible even when Magisk is used to hide detection
New Features - Centrify Infrastructure Services
Privileged Access Service
New System Discovery Engine
- The new discovery engine provides added capabilities:
- Modular architecture: allows for additional types of discovery in different contexts (AA, system, etc.) in a common framework.
- New system discovery that allows for multiple types of approaches: AD or Port Scan.
- Management Flexibility
- “Actions” have broadened to support PAS strengths including “Add to set”
- Discovery credential management.
- Excluded systems (blacklist) management.
- Extensible Framework
SailPoint IdentityIQ Integration – PAS Access Request
- 18.6 starts the first phase of integration with SailPoint IdentityIQ.
- With the SailPoint integration you can:
- Onboard PAS objects (systems, accounts) as assets.
- Use SailPoint IdentityIQ to manage the workflow lifecycle (request, approve, trace... etc.) for secure access or password checkout to PAS.
Privileged Access Service - Customer Hosted
Evaluation Mode
- This option provides the ability to run Privileged Access Service (customer hosted) in a single node configuration without High-Availability.
- This significantly reduces the complexity of evaluation prerequisites.
New Features - Centrify Core Services
Improved Language Support
Administrators can define Default Language by Policy in User Account Policy.
Users can change their language in User Portal under Account
- User choice will override default policy
Bulk import to a Role that defines language
Platform honors the AD Preferred Language attribute
- Centrify attribute will override what is stored in AD
- Centrify does not update the AD Preferred Language attribute
Centrify Language Support
- User Portal: 18 languages
- Admin Portal: 10 languages
New Features - SIEM and ServiceNow Integrations
Support MSP Use Case – Early Access
- MSPs can now support multiple Centrify customers on one ServiceNow tenant
- MSP support for all 4 Applications:
- App Access Request
- Privileged Access Request
- Password Reset
- Identity Service
Support “Request” from ServiceNow
- Approve workflow requests leveraging the existing CHG Request
- If the ticket is approved within ServiceNow, access is fulfilled
- If the ticket associated with the request isn’t approved, then go through the workflow engine within ServiceNow
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- A new policy has been added for default message language. By default, the language used is the message sender’s language setting (i.e. the language setting for the administrator that caused the message to be sent), but that can be overridden to a specific language by setting the policy (CC-51721).
- Advanced script capabilities have been added to all SAML applications; previously this was only available on some SAML applications (CC-55466).
- When enrolling devices, if PKI certificates are defined by Active Directory group policy to be downloaded, three certificates are now sent: root CA, user CA and issuing CA. This matches the behavior when PKI certificates are defined in a cloud policy (CC-57705).
- An error is no longer shown when a user with read-only management right enters the Partner Management page (CC-58426).
- Emailed reports no longer show an error if a relative date type is set (CC-57562).
- Network unavailable is no longer shown on an iOS device using Safari when launching a bookmark app that has a mobile authenticator profile, with the MFA approval step on the same device (CC-58453).
- Phone numbers for newly enrolled Android devices are now correctly shown in the Admin Portal (CC-58622).
- Resolved an issue whereby some iOS native apps would continuously prompt for update due to two different version numbers inside the app (CC-58652).
- Administrators can now block access from the Centrify mobile app to various domains in the firewall policy for Android devices. Individual domains can be blocked in the domain deny rules – denying all will still allow the mobile app to access the Centrify cloud (CC-58029).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
End-of-life notification
This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
- Action Required – TLS 1.0 Deprecation
As part of our mission to protect customers and align with PCI DSS standards, Centrify will be updating the minimum TLS protocol required to connect to the Centrify Cloud Platform from TLS 1.0 to TLS 1.1 as of 18.5. TLS 1.0 support will be deprecated on June 16, 2018 when Centrify Cloud 18.6 is released. Please see this knowledge base article for important details and steps to take to prevent any service outage.
- From the 18.6 release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.
New Features - Centrify Application Services
Centrify Browser Extension (CBE) Land & Catch
When a user manually logs into a web application, CBE will ask if they want to create/update the app in Centrify.
- Name, Description, and Icon allow the app to be customized before update/creation
- Clicking on "Yes" will create/update the app
- Clicking on "No" will ignore the prompt once
- Clicking on "Never" will always ignore in the future
The following apps have been updated:
- EchoSign (SAML)
- UltiPro (U/P)
The following apps have been removed from the catalog:
· XpandedReports · AlertGrid · FriendFund · Pulse360 · Cranberry · Imo Messenger · Grooveshark · NGINX · 99Designs · AddThis · Hackety Hack · Gumboot.co.nz · Interstate · GROU.PS · Vyew · .extendr · BrixHQ · SightMax · Parse · Readability · SMALLKNOT · ProofHQ · ClearBenefits · ETS Personal Potential Index · Pearson Developers Community · World Book · PageLime · FluidSurvey · Remy Cointreau Academy · Novell Partner Portal · The Daily Beast · Choice Hotels · Expedia Travel · Brandy Melville · Flowroute Travel · Factor 4 Index · Inkdit · Wiggio · Avis · Adobe FormsCentral · Plaxo · myTab · FatWallet · AIM
· Technorati · Zerigo · VirtualTourist · BookFresh · Viralheat · BillPin · Boston.com · iDrive · Bol.com · This Is My Jam · BookJetty · Trulia Pro · Boomerang · FeedMyInbox · The Network Integrated GRC Suite · Flavors.me · FluidSurvey · Bullhorn Reach · Fontdeck · Pose · TradingTree · xTuple · Xoom · WebLaunching · Tripology · Pressitt · PC Tools · Pulse · Plancast · DNSstuff · Expedia France · Expedia Australia · Boxee · dotCloud · Blog.com · Vinaora · TouristEye · US Airways · OneReceipt · App.net · Symantec SORT · Check
· PlannerX · Phanfare · Beach Candy · Amiando · Carbonite · Speek · LAbite.com · Invoice Dude · Joobili · Sonic Sense · SpendOut · Aviary Developers · CakeHealth · Mongo Lab · LuggagePoint.com · Mahalo · Luvocracy · Moxiecode Webshop · B2Bee · Novell Downloads · Examiner · Learnist · Distimo · My Wardrobe · Critsend · HelloFax · Chinaorgcn · Mandrill · myBrainshark · Rundavoo · easySYS · EducationOnDemand · GraphicMail · De-Nic-Vu · Rhapsody · Connexions · ADrive · Diapers · DeskAway · Discovery Store · Howlr · CrashPlan PROe · Crocodoc Personal
New Features - Centrify Endpoint Services
Centrify Keychain Sync for Mac (Released in Infrastructure Services 2018)
- This feature solves a problem all Mac AD users face when changing their password:
- The Mac Keychain (used by apps to store data) can no longer be unlocked when the password changes
- This results in many application pop-up errors and a confusing resolution prompt from the OS
- Centrify's solution will detect when a user's password has been changed and prompt the user to get it back in sync again.
- This feature prevents the confusing OS dialog from popping up
- Feature is enabled by a new group policy
- There is an option to remember the user's old password, thus only requiring the new password to resolve the issue
New Features - Centrify Infrastructure Services
Privileged Access Service
Alternative Account Discovery
- Enterprises use alternative (administrative) accounts to separate regular user vs. "privileged user" accounts in Active Directory.
- “Dash-A” or “Admin” accounts are typically one of the first use cases to be addressed by vault-based security.
- With 18.5, admins will be able to:
- Discover alternative accounts based on a specified criteria with automatic or manual owner matching
- Secure the alternative account by assigning to the corresponding owner
- Ease of access to alternative accounts for password checkout and secure login
SAP ASE (Adaptive Server Enterprise)
- 18.5 adds SAPM support for SAP ASE
- SAP ASE is the database product formerly known as Sybase.
- SAPM Support:
- Stand-alone
- Clustered
- Versions 15.x, 16.x
Cisco AsyncOS (formerly IronPort)
- Cisco AsyncOS supports the family of IronPort appliances.
- All Cisco Email security appliances are powered by the Cisco AsyncOS operating system, optimized for high performance and security.
- Supported versions: 10.x and 11.x
Centrify Agent for Linux – MFA
- 18.5 introduces MFA at login for the Centrify Agent for Linux.
- The agent now supports MFA:
- Upon manual enrollment (cenroll --user)
- When logging-in
- MFA leverages the Policy Engine (Login Policies – UNIX and Windows Servers).
- Conditional Access is supported.
Centrify Connector – RDP Service Customization
- Starting with 18.5, customers will be able to control:
- RDP Server (enable/disable).
- RDP Port (previously configurable through tenant parameter).
- Prior to 18.5, this was an internal parameter change that required a support case or additional setup in the customer-hosted version of Privileged Access Service.
Centrify Analytics Services
Ingest Centrify Infrastructure Data
Enable Centrify customers to get their data ingested to the Centrify Analytics Portal for better access insights.
Forward Audit Events
- Flexible deployment of the Centrify Sensor
- Better control of events ingested into the Centrify Analytics Portal
Forward Session Data
- Control where session data is stored
- Store only sessions with unusual activity
Forward Zone Data
- Expose 70+ views for better reporting
- Synchronize the zone data at a customizable frequency
Access Insights for Centrify Infrastructure Services
Dashboards covering Infrastructure Risk and Infrastructure Usage to help with better visibility.
Customize Dashboards
- 16+ canned dashboards
- 10s of widgets that help create dashboards
Share Dashboards
- Easily share in different file formats
- Access like an application in one portal for teams
Dashboard Auto Update
- Dashboards are refreshed to be current on a pre-set interval
Behavior-based access control for Infrastructure Access
Enable risk-aware access to login and privilege elevation for infrastructure access.
Basic Policy via Portal
- If ‘risk-level is high’ and ‘access is from outside the corporate network' --> trigger step up with 2 strong factors
- If ‘risk-level is low’ and ‘access is from a trusted device' --> allow access
Advanced Policy via API
- If ‘risk-level is high for privilege elevation’ and ‘access is from China' --> terminate the session
Enhanced Anomaly Detection based on Behavior
Detect anomalies based on multiple new factors in addition to factors in the Centrify User Analytics Services.
New Factors Include:
- Unusual recent privilege change
- Unusual command run
- Unusual target accessed
- Unusual privilege elevation
- Unusual role used
- Consecutive login failures
Investigate Access Anomalies
Investigate Privilege Anomalies leveraging a powerful toolkit streamlined for just identity anomaly investigation.
Session Timeline
- View the detailed activity timeline from the Centrify Analytics Portal
Play Video Session
- Easily re-play the Anomaly from the timeline
Understand Anomalies Easily
- Identify the factors contributing to the anomaly
Adaptive Session Recording and Replay for Anomalies
Record sessions when anomalies are detected and help prioritize sessions based on risk.
- Click-through from Session Timeline
- Enterprise Control on Storage of Session Recording
- Control the Trigger for Session Recording
Alerting and Notifications
Remediate anomalies by integrating with any Webhook-enabled endpoint.
Support for Anomaly Alerting
- Leverage Slack or incident response applications like PagerDuty for real-time alerting; integrate with any Webhook-enabled endpoint
Customize Alert Content
- Define what to include in the alert message
New Features - Centrify Core Services
MFA Service
MFA: Multi-Step and Multi-Factor Support
Authentication Profiles define one or two sets of Authenticators, a new Policy controls the behavior.
Multi-Step will fail on the first factor that does not succeed.
- This is now an option within the Login Policy for Centrify Portal to "Continue with additional challenges after failed challenge".
Multi-Factor will always step through both factors and fail at the end if one is not successful.
- This MFA model is NIST compliant for Assurance Level 2 and is also PCI-DSS compliant.
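The two evaluation modes above differ in when the decision is made, which matters for what a caller can learn from a failure. The following is an added example, not Centrify code: a small evaluator with an authentication profile of one or two challenge sets, a `continue_after_failure` switch standing in for the Login Policy option, and constructed verifiers in place of a real password store, OTP server or push service. Names such as `AuthProfile`, `Outcome` and `authenticate` are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A verifier checks one submitted credential. These are constructed stand-ins;
# a real deployment would call the password store, OTP server, push service, etc.
Verifier = Callable[[str], bool]

VERIFIERS: Dict[str, Verifier] = {
    "password": lambda v: v == "correct horse battery staple",   # constructed sample secret
    "otp": lambda v: v == "123456",                              # constructed sample passcode
    "push": lambda v: v == "approved",
}


@dataclass
class AuthProfile:
    """One or two challenge sets; the user must pass one authenticator from each set."""
    challenge_sets: List[List[str]]


@dataclass
class Outcome:
    granted: bool
    failed: List[str] = field(default_factory=list)   # for the audit log, never shown to the user
    evaluated: int = 0                                 # how many challenges were actually checked


def authenticate(profile: AuthProfile,
                 responses: List[Tuple[str, str]],
                 continue_after_failure: bool) -> Outcome:
    """Evaluate one (authenticator, value) response per challenge set.

    continue_after_failure=False -> Multi-Step: stop at the first challenge that fails.
    continue_after_failure=True  -> Multi-Factor: check every challenge set and decide
                                    only at the end, so the caller gets a single pass/fail
                                    answer that does not reveal which factor was wrong.
    """
    outcome = Outcome(granted=False)
    for step, challenge_set in enumerate(profile.challenge_sets):
        if step >= len(responses):
            # No response for this step counts as a failed challenge.
            outcome.failed.append(f"step{step}:missing")
            if not continue_after_failure:
                return outcome
            continue
        name, value = responses[step]
        outcome.evaluated += 1
        # The chosen authenticator must belong to this step's set, and its value must verify.
        ok = name in challenge_set and VERIFIERS.get(name, lambda _: False)(value)
        if not ok:
            outcome.failed.append(name)
            if not continue_after_failure:
                return outcome          # Multi-Step: fail fast, later factors never checked
    outcome.granted = not outcome.failed
    return outcome


if __name__ == "__main__":
    profile = AuthProfile([["password"], ["otp", "push"]])
    wrong = [("password", "wrong"), ("otp", "123456")]
    print("multi-step  :", authenticate(profile, wrong, continue_after_failure=False))
    print("multi-factor:", authenticate(profile, wrong, continue_after_failure=True))
```

Run stand-alone, the multi-step call stops after one evaluated challenge while the multi-factor call evaluates both and still denies; only the `granted` flag should go back to the user, with `failed` kept for the audit trail.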
MFA: OTP Server (RADIUS) Custom Challenge Message
OTP Servers can require different data input from end users, so administrators may want to customize the user challenge prompt.
- For example, some OTP Servers may require the user to enter a PIN+Passcode if configured for higher authentication assurance level 2
SMTP Gateway in Connector
Some customers may require email to be delivered from their domain using their own SMTP Servers.
- If the SMTP Server is located inside a customer's network (not in the DMZ), the Connector will be needed to connect to the internal SMTP Server.
Centrify can use any Connector or specified Connectors to route SMTP messages to internal SMTP Servers.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- From release 18.6, the Centrify Identity Services platform will no longer support TLS 1.0 connections. The Centrify Browser Extension requires .NET 4.6.2 in order to support the latest security protocols used by the Centrify Identity Services platform and, as a result, versions of the Centrify Browser Extension prior to 18.5 will no longer be supported on IE (SSO will fail). If you have pinned an older version of the Centrify Browser Extension, please update the policy to allow updates to 18.5 in order to support this change in the 18.6 release (CC-57765).
- Starting in this release, all user logins to Centrify Agent for Linux (except for local users) will require Multi-Factor Authentication (MFA) and “Unix and Windows Server” login policy is used to determine how the user is authenticated. Note that this is a major behavioral change for users. If the user does not have any valid authentication profile setup, they will be denied login whereas they were allowed to login in prior versions of Centrify Agent for Linux. Customers can disable the MFA requirement for login by setting the mfa.enabled parameter to false in /etc/centrifycc/centrifycc.conf (CC-55933).
- Localized versions of application names and descriptions can now be added by an administrator for apps created in the Admin Portal (CC-52944).
- The Salesforce SCIM endpoint is now supported for outbound SCIM using a custom SAML app (CC-57381).
- Administrators can now choose to allow end users to specify whether their mobile device is personally or corporate owned on enrollment to ensure the right policies and privacy is applied to the device (CC-53399).
- Credentials are no longer required when launching Company Apps on an iOS device (CC-58022).
- Administrators can now set a policy to prevent users from duplicating answers to multiple security questions (CC-55562).
- Array values are now supported in provisioning scripts (CC-43913).
- Zendesk provisioning configuration documentation has been updated (CC-57982).
- The Mobile Authenticator MFA option is now available when using DEP enrollment (CC-57805).
- In SAML app scripts, the Relay State value is now correctly passed; previously it was truncated at the first double quote (“) mark found (CC-57789).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
End-of-life notification
This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
- As of this release, the lowest iOS release supported by the Centrify mobile app for iOS is 10. Users with devices running iOS 9 will still be able to install the 18.3 Centrify mobile app for iOS, which is the last release that supported iOS 9.
- From the 18.4 release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.
New Features - Centrify Application Services
SAML App UI Enhancements
“Attribute Value” allows for the selection of Objects, Variables, and Methods.
- Clicking “Add” creates a new attribute that will be passed in the SAML Response
- Free form text can be added to Attribute Value
- The drop down in “Attribute Value” can be selected to choose an object and the variables/methods available in that object
The following user name / password apps have been updated:
- Brainpop
- Bath & Body Works
- Cub Foods
- EDU20
- Finance41
- ISNIC Registry
- Trip.com
New Features - Centrify Endpoint Services
End-user Checkout for Mac LAPM Account
Policy allows end user LAPM checkout:
- By default, end-user checkout is not allowed
- When enabled, checkout is for the enrolled user only
- Checkout is done through the user portal
- Coming soon: checkout from mobile devices
End-user Checkout for Mac LAPM Account from Mobile
Checkout is now available on mobile:
- Support for iOS and Android
- Phone and tablet form factors
- See details of all enrolled devices
- Coming soon: Device actions
Certificate Authority Template Picker for Mobile Policies
- For all email, WiFi and VPN policies, admins are now able to select the source certificate authority for deploying client certs
- Use the built-in CA in the Centrify Tenant, or any Microsoft CAs that have been added to the admin portal
- Select the CA for each policy, for MS CAs admins can select the corresponding certificate template
Language Specific Enrollment Welcome Screen
- Enrollment welcome screen is optional
- There is a new option to “specify unique welcome message for supported languages”
New Features - Centrify Infrastructure Services
New Import Tool
- Starting in 18.4, Infrastructure Services will introduce a new tool for importing objects into the privilege service vault
- This feature complements the existing manual and CSV import GUI capabilities
- The new Import Tool allows admins to import:
- Systems, Domains, Databases and their Accounts
- Newly-added attributes (such as administrative accounts)
- “Add to Set” functionality
- This new tooling will be distributed via Centrify’s GitHub once 18.4 is released
Device Factory – F5 BIG-IP SAPM/PSM
- 18.4 adds SAPM and PSM support for one of the most common devices in enterprise networks: F5 BIG-IP (TMOS)
- Infrastructure Services add:
- Password Management via REST
- Privilege Session
- Local Administrative account (required for SAPM)
- Vault-based policy and MFA.
- Versions 11.x-13.x
Improvements for Centrify Connectors with multiple NICs
- Organizations often have systems with multiple network interface cards (NICs) that are acting as Centrify Connectors
- In the past, Infrastructure Services would use the first-returned NIC for network operations (e.g. secure access and password operations)
- Behavior Change:
- Starting with 18.4, Infrastructure Services will use the Connector’s returned FQDN IP addresses of the system for network operations
- All returned IP addresses are attempted until there is a hit
Improvements for SSH/RDP Local Client Window Identification
- 18.4 Improves the usability of Local Client session by providing better identification
Centrify Agent for Linux
- Targeting fix for performance related to caching of group membership information
- 2017.3 installer (install.sh) has also been refreshed
- Support for Amazon Linux 2 (both adclient and cclient)
- Enroll CentOS Docker container in CIP
- Instructions, configuration files published to github.com/centify/docker_files
Centrify Analytics Services - Private Beta
Please contact Centrify Support to inquire about participation in the beta program.
Ingest Centrify Infrastructure Services – Audit Events
Forward Audit Events into the Analytics Portal leveraging Centrify Sensor.
- Flexible Deployment - Centrify Sensor can be flexibly deployed:
- Deployed with DA collector
- Deployed with Centrify Agent
- Enterprise Control on Events Ingested: Filter / Mask what you don’t want to move to the cloud
Ingest Centrify Infrastructure Services – Zone Data
Forward “Who has access to which Infrastructure Server, i.e., Policy Data” Zone data into Centrify Analytics Portal.
- Easy Enablement: Leverage Centrify Sensor to forward both Events and Policy Data
- Flexible Reporting: Admins can now query Events & Policy via one console easily
Ingest Centrify Infrastructure Services – DA Session Data
Adaptively record session videos for Infrastructure activity anomalies.
- Adaptive Session Recording: 15-30 second session recording of anomalies leveraging Real-time Threat Analytics
- Session Timeline: Events are all correlated to a session on a timeline
Additional Access Insights for Centrify Infrastructure Services
New dashboards around Infrastructure Risk Assessment and Infrastructure Access Overview.
- Easily Customize Dashboards: Comes with pre-configured datasets around Events / Zone data to help on-board
- Comes with 12+ pre-configured widgets to help create a new dashboard
- Easily Share / Export Dashboards
Enhanced Anomaly Detection based on Behavior
Multiple new factors added to evaluate infrastructure access risk.
New factors include:
- Unusual Recent Privilege Change
- Unusual Command Run
- Unusual Target Accessed
- Unusual Account Used
- Unusual Privilege Elevation
Behavior based access control for Infrastructure Access
Investigate Access Anomalies
Investigate a Privilege Anomaly easily via drilldown to explorer:
- Session timeline view from the event
- Targeted session replay for the Infrastructure access anomaly
- Easily identify what factors contributed to the anomaly
Adaptive Session Recording and Replay for Anomalies
Replay session for any anomalies based on machine learning models:
- Click-through from Session timeline
- Enterprise control on storage of session recordings
- Control the trigger for session recordings
Alerting and Notifications
Remediate anomalies via integration with any Webhook enabled endpoint:
- Supports anomaly alerting via Slack, Pager Duty, etc.
- Integrates with any Webhook enabled endpoint
- Easily customize what’s included in the Alert
New Features - SIEM and ServiceNow Integrations
Centrify ServiceNow – Zone Role Workflow
Request temporary access for Accounts from ServiceNow
- Centrify Zone Role Workflow has been added to the Service Catalog
- Leverage the ServiceNow Service Catalog to request access to infrastructure
- Enables temporary Zone Role assignment within Active Directory
Centrify Identity Services – HP ArcSight Integration (Sample)
Open source HP ArcSight sample for categorizing and normalizing events
- Integration guide available on docs.centrify
- Sample python code available on github
- CIP ArcSight integration is not supported
- Supported: Writing to Syslog in Syslog format
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Thai and Serbian language support has been added to the User Portal (CC-56904).
- Minor security fixes were applied in this release to tighten some deprecated MFA APIs. Customers still using GetAuthPolicy and related APIs may see an increase in login failures as a result. No changes were made to current MFA APIs (CC-53660).
- The connector now automatically enables higher-security protocols. As of release 18.6 TLS 1.0 will no longer be supported (CC-54386).
- The Cloud Linux Agent now supports Amazon Linux 2 (CC-54183).
- A Mobile policy has been added to allow / disallow capturing OTP passcodes for other sites. The default value is to allow passcodes to be captured / shown on a mobile device (CC-54377).
- Support has been added in this release for Single Sign Out. Previously the logout URL logged the users out from the Cloud Service, now it also logs the user out of the app (CC-47215).
- Administrators can now modify the ownership of a device from corporate to personal or vice-versa from the action menu or by right-clicking on the device. This overrides the ownership set during enrollment (CC-54597).
- Active Directory users can now upload a user photo in the User Portal (CC-55864).
- The Forgot Password and change password experience has been updated to make it more intuitive with additional information to guide users to the cause of a password failure due to complexity requirements (CC-53664).
- Wildcard domain names are now allowed in Settings > Authentication > Security Settings > API Security (CC-56463).
- The correct payload is now generated to support SCIM 2.0 PATCH (CC-55336).
- After logging out from Google Web apps such as Google Mail, the account is remembered by accounts.google.com. Google Web apps now launch and single sign-on correctly in cases where the user name has been remembered by the app (CC-55353).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
New Features - Centrify Application Services
Significant Behavior Changes
Centrify Connector
From the next release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.
Open ID Connect App
The OpenID Connect app has been enhanced to allow refresh tokens to be refreshed as specified by the OAuth 2 spec. The app configuration page for OpenID Connect has also been modified to be more consistent with other apps. Some fields have been moved around into more logical groupings.
As part of these changes, all existing OpenID Connect apps will continue to work as-is. However, if you wish to make use of refresh tokens or to make any other changes to the app, you will need to make other changes outside the OpenID Connect app in order for this to work. You will be notified of any changes you need to make when you attempt to edit the OpenID Connect app.
End-of-life Notification
Android versions earlier than 4.3 will not be supported by the Centrify mobile app for Android from the next release (18.4).
Zero Trust: Block or Force Challenge for WS-Trust Authentication
- Enable or Disable WS-Trust
- Enforce challenges with WS-Trust
- If enabled, WS-Trust connections that do not support MFA challenges will be blocked
App Gateway: Improved Reverse Proxy / Firewall Integration
- Allow firewall to filter inbound app gateway traffic using the X-Forwarded-For and/or RFC-7239 headers
- Allow use of the REMOTE_USER header to indicate the incoming users as asserted by Centrify IDP
- Enabled on a per app basis in App Gateway
- Allows use of the X-Forwarded-For header as either the Username or the Client IP Address
Localization of App Names and Description
- Allows customers to customize the name and description of applications for supported languages
- Enabled on a per app basis
- Set the default language
- Provide a custom app name and description for each supported language
The following apps have been updated:
- Frevvo Live Forms In-house (SAML)
- Lucidchart (SAML)
- Box (SAML + Provisioning)
- Centrify Online Training (User name / Password)
New Features - Centrify Infrastructure Services
Test Connection /Verify Password
- Starting in 18.3, Infrastructure Services will introduce manual system ping and account health check options
- This functionality will supersede the global/system/domain/database setting that enabled automatic health checks
- Ping & health check functionality can be initiated by any IS (CPS) user and will be tracked in the object’s attributes
- The AllowHealthCheck and HealthCheckInterval JSON settings are deprecated
Palo Alto Firewall (PANOS) SAPM/PSM
- Adds SAPM and PSM to the existing SAML application included with Application Services
- 18.3 adds the following features:
- Password Management via API (requires PKI setup) for Administrative users without Authentication Profiles
- Privilege Session
- Local Administrative account (required for SAPM)
- Vault-based policy and MFA
- Versions 7.1 and 8.0
Use My Account (LMIv1) for UNIX
- Provides the capability to be “logged in” automatically as a vault user in an IS system that uses adclient or cclient with OpenSSH 7.4 and above, configured with a specific SSH CA master key
- Uses the web session (not the local client)
- Bypasses MFA: ideally an authentication assurance level is achieved at the vault level (e.g. smart card)
- Version 1 does not support multiple Smart Card identities
- Federated identity is not supported by LMI
Centrify Agent for Linux – Secondary UNIX Group Visibility
- Version 18.3 of the Centrify Agent for Linux (cclient) starts the initial phase to support secondary UNIX groups
- CIP groups containing supported identity sources can be used as UNIX secondary groups using the Group Visibility feature
- The UNIX group name is the same as the CIP group name and the GID is generated automatically
- Future improvements: performance and group enumeration for NSS-like applications
AD Domain Administrative Account Issue Detection
- 18.3 features mechanisms to notify the end user if something is wrong with the AD domain’s administrative account:
- Insufficient rights (group membership or rights modification)
- Bad credentials (password change directly in Active Directory)
Centrify Analytics Services - Private Beta
Please contact Centrify Support to inquire about participation in the beta program.
Ingest Centrify Infrastructure Services – Audit Events
Forward Audit Events into the Analytics Portal leveraging Centrify Sensor.
- Flexible Deployment - Centrify Sensor can be flexibly deployed:
- Deployed with DA collector
- Deployed with Centrify Agent
- Enterprise Control on Events Ingested: Filter / Mask what you don’t want to move to the cloud
Ingest Centrify Infrastructure Services – Zone Data
Forward “Who has access to which Infrastructure Server, i.e., Policy Data” Zone data into Centrify Analytics Portal.
- Easy Enablement: Leverage Centrify Sensor to forward both Events and Policy Data
- Flexible Reporting: Admins can now query Events & Policy via one console easily
Ingest Centrify Infrastructure Services – DA Session Data
Adaptively record session videos for Infrastructure activity anomalies.
- Adaptive Session Recording: 15-30 second session recording of anomalies leveraging Real-time Threat Analytics
- Session Timeline: Events are all correlated to a session on a timeline
Additional Access Insights for Centrify Infrastructure Services
New dashboards around Infrastructure Risk Assessment and Infrastructure Access Overview.
- Easily Customize Dashboards: Comes with pre-configured datasets around Events / Zone data to help on-board
- Comes with 12+ pre-configured widgets to help create a new dashboard
- Easily Share / Export Dashboards
Enhanced Anomaly Detection based on Behavior
Multiple new factors added to evaluate infrastructure access risk.
New factors include:
- Unusual Recent Privilege Change
- Unusual Command Run
- Unusual Target Accessed
- Unusual Account Used
- Unusual Privilege Elevation
Behavior based access control for Infrastructure Access
Investigate Access Anomalies
Investigate a Privilege Anomaly easily via drilldown to explorer:
- Session timeline view from the event
- Targeted session replay for the Infrastructure access anomaly
- Easily identify what factors contributed to the anomaly
Adaptive Session Recording and Replay for Anomalies
Replay session for any anomalies based on machine learning models:
- Click-through from Session timeline
- Enterprise control on storage of session recordings
- Control the trigger for session recordings
Alerting and Notifications
Remediate anomalies via integration with any Webhook enabled endpoint:
- Supports anomaly alerting via Slack, Pager Duty, etc.
- Integrates with any Webhook enabled endpoint
- Easily customize what’s included in the Alert
New Features - SIEM and ServiceNow Integrations
Centrify ServiceNow Apps – Certified for latest ServiceNow Release
4 Apps Certified for Jakarta, Istanbul, Helsinki & Geneva.
Centrify Identity Services SIEM Integration – GA
Forward all Centrify Identity Services events into Syslog
- Enhanced Splunk support to include Splunk Add-On for CIP in Splunkbase
- Supports Splunk Cloud and Splunk Enterprise
- Centrify Syslog Writer is GA and is available via Centrify's Download Center – extends Centrify's events into other SIEM tools
- Integration guide available on docs.centrify.com
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- The Walk-Me help feature has been removed from the Admin Portal in this release (CC-55314).
- Maximum password history has been increased from 10 to 20 (CC-55558).
- Modifying LDAP server configuration is now correctly supported on LDAP servers that have required custom unique identifiers, such as the MS-LDAP and Tivoli LDAP servers (CC-52777).
- Zero Sign-On (ZSO) support has been added for Firefox v58+ (CC-54822).
- Support has been added for storing very large SP Metadata (CC-54812).
- The status for suspended Google Directory users is now shown correctly. Previously they were always shown as active (CC-55371).
- The Test Advanced Script function has been modified in this release to enhance security. The SAML response preview now has the response certificate, signature and digest values obfuscated, however the real values will be used for SSO.
- QRadar application now correctly works through the App Gateway (CC-56215).
- The Box provisioning app no longer returns 404 errors if content ownership changes (CC-55527).
- The Dropbox provisioning app has been enhanced to support role mapping for Support Admin and User Management Admin (CC-48357).
- Dropbox SSO configuration documentation has been updated for Chrome and Firefox browsers (CC-40211).
- Administrators can now choose between Enterprise and Standard accounts in the Slack app (CC-52691).
- MFA can now be required for portal access for federated (B2B) users (CC-53237).
- Active Directory group sync is now supported in SCIM (CC-53930).
- The Webapp shortcut can now be opened on Android N devices and later (CC-54736).
- Where certificates have been uploaded for policies, it is now possible to remove the uploaded cert (using “Remove”) without affecting the other policy settings (CC-55054).
- The order of SAML elements can now be dynamic for WS-Fed applications (CC-54456).
- It is now possible to prevent collection of installed applications on enrolled devices – the default is to collect the information (CC-53775).
- An option has been added to show / not show a custom welcome screen for iOS devices during enrollment (CC-53676).
- When managed apps are installed on a device for an enrolled user, only those managed apps are shown on the application tab (CC-54946).
- The Company Apps store for iOS devices now only shows apps that are compatible with the type of device being used. For example, iPad-only apps are not shown for iPhones (CC-39129).
- The Download Apple Configurator link in the Admin Portal has been updated with the revised link from Apple (CC-55194).
- Location is now optionally tracked after enrollment on Windows 10 devices (CC-48372).
- The System Administrator role can now be made available for use in a UNIX group by the Cloud Linux Agent (CC-53943).
- In this release, the "AllowHealthCheck":true,"HealthCheckInterval":2 request JSON fields are deprecated. They will have no functional impact (CC-54832).
For security advisories and known issues, please see attached file.
For Maintenance Release 2 security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
Centrify Application Services (formerly known as Identity Services)
The following apps have been updated:
- GitHub Enterprise on-premise (user / password)
- ExpressionEngine (user / password)
- VersionOne Support (user / password)
- Simply Voting Election Manager (user / password)
End-of-life Notification
This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
- The Walk-Me help feature will be removed from the Admin Portal in the next release (18.3)
Announcement of Upcoming Changes Regarding OpenID Connect App (release 18.3)
We are enhancing our OpenID Connect app to allow customers to request refresh tokens as specified by the OAuth 2 spec. The app configuration page for OpenID Connect has also been modified to be more consistent with our other apps. Some fields have been moved around into more logical groupings.
As part of these changes, all existing OpenID Connect apps will continue to work as is. However, if the customer wishes to make use of refresh tokens or if they wish to make any other changes to the app, some changes will be required on the customer's end. Customers will be notified of any changes they need to make if they attempt to edit their OpenID Connect app.
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Local Administrative Account – Phase I
- Follows up on the administrative account capability of Active Directory domains
- Incremental set of capabilities with these goals
- Account/Password reconciliation
- High-availability
- Advanced device functionality
- Phase I
- Ability to set a ‘local admin’ account will be introduced on system onboard and shortcuts
- Initially with network devices
Check Point GAiA™ - Revisited
- Check Point GAiA™ SAPM and PSM was introduced in the summer of 2017
- This new iteration introduces:
- Local administrative account
- Expert mode password management
- In this release:
- Admins use their accounts for access
- To utilize expert mode, admins return to Infrastructure Services, check out the expert mode password of the corresponding CP GAiA system and paste it in the terminal
- Coming in a future release:
- Enhancement to establish a secure session directly as the expert-mode account
DirectAudit – Support for Multiple Installations
- Prior to 18.2, only one DirectAudit installation could be used per CS instance
- With 18.2, multiple DirectAudit installations are supported
- Connector affinity can be set in a per installation basis
- Supports hybrid cloud (or distributed datacenter) scenarios
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- The /UserMgmt/UpdateSecurityQuestions API now allows administrators to set security questions for users. The following JSON payload should be used:
{"ID": "<id or name of user to set security question for>", "securityquestion": "<text of question>", "questionanswer": "<text of answer>"}
(CC-54704).
- The StartAuthentication API no longer requires a Referrer when calling with a federated ID (CC-54442).
- The Android mobile app will now remember policies that have been received even if the app is killed while applying the policies. Previously any policies that had been received but not applied before the app terminated would be lost (CC-53618).
- No longer receive an error about a missing provisioning handler when SSO-ing to an app from the catalog after provisioning is enabled (CC-54691).
- Location information is now reported correctly for iOS 11 devices (CC-54857).
- A switch has been added to turn WS-Trust off for a given policy, affecting all application instances of Office 365 and Microsoft Dynamics CRM (WS-Fed). In addition, a switch is now provided to allow the administrator to enforce app policy challenges for WS-Trust. By default, application policies which cannot be supported via WS-Trust (such as MFA) are not enforced, which prevents authentication challenges from blocking WS-Trust authentication (CC-52624).
- In some cases a group created by role mapping in the Box or GSuite provisioning apps would contain only one user, even when multiple users were synched. Groups created in this way now contain the correct number of users (CC-54784, CC-54858).
- In policies, BundleIDs are now valid when there is a period (“.”) in the last character, following Apple recommendations (CC-53948).
- A custom enrollment welcome screen is now supported for Android devices as well as for iOS devices (CC-53674).
- Non-ATS compliant NTLM basic custom applications on enrolled iOS devices no longer display SSL errors (CC-52968).
- SSO now correctly functions on Internet Explorer for NTLM and basic app templates (CC-50108).
- Apps that are specific to countries outside the US can now be added to iOS devices after finding them in country-specific app stores (CC-53950).
- The AuthName of the user is no longer included when using cert-based authentication as it is optional and can cause issues with some profiles (CC-53221).
- The sub-tabs in the device details page in the portals have been reordered; they are now: Details, Activity, Device Applications, Location, Location History, Policy Summary (CC-54298).
- Custom text added for device enrollment by SMS now correctly shows in the text message when the invite is sent from “Add Device” in the User Portal (CC-54179).
- Group Name is no longer mandatory on the Cisco IPsec VPN profile (CC-53989).
For security advisories and known issues, please see attached file.
For Maintenance Release 1 security advisories and known issues, please see attached file.
For Maintenance Release 2 security advisories and known issues, please see attached file.
For Maintenance Release 3 security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
New Features - Centrify Application Services (formerly known as Identity Services)
Multiple Security Questions
- Administrator can set policy enabling users to provide a bank of security questions
- Questions can be both Admin-Defined and User-Defined
- Administrator can set policy for minimum character length
- Number of security questions user must answer can now be defined under Authentication Profiles
- User is prompted to setup security questions in User Portal
- MFA using security questions will randomly select a security question from the bank of questions
Simplified SAML Configuration
- SAML app templates have been improved
- Clearly break out setup of the Trust Relationship
- New “Trust” tab has been added
- Simplified ability to configure the SAML Response
- New “SAML Response” tab, featuring:
- An Attribute Mapping Widget
- A Script Editor for custom logic
Create Groups via Role Mapping
- For apps that support provisioning, administrators can now create Groups in the app based on Roles in our platform
- Groups can be automatically created in target app
New Features - Centrify Endpoint Services
End-user Checkout for Mac LAPM Account
- Policy allows end user LAPM checkout
- End-user checkout is not allowed by default
- If enabled, checkout is available for enrolled users only
- Checkout is done through the user portal
- Checkout from mobile device will be coming soon in future release
Install only iPad compliant apps on iPads
iOS Apps will only be deployed to compliant devices
- Based on the devices supported as identified by the app developer
- If an app is not supported on an iPhone or iPad, it will not be deployed and will not show up in the Company Apps catalog
The following apps have been added to the catalog:
- 6sense (SAML)
The following apps have been updated:
- Amazon Web Services (User/Password)
- Highfive (SAML)
- JIRA Cloud (SAML)
- G Suite (SAML+Provisioning)
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Discovery of IIS Application Pool Identity
- This feature enhances the existing AD-based Discovery introduced in 17.10
- Discovery filters now include IIS Application Pool identities in addition to Scheduled Tasks and Windows Services
- The same rules apply: IIS Application Pools will be discovered as long as they are using a domain or local identity
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- A new Active Directory permission has been added for Privilege Service called “Add Account”. This permission is required for administrators that add managed or unmanaged Active Directory account passwords into Privilege Service. Existing users (even if they have the Privilege Service Administrator entitlement) will not be able to add Active Directory accounts until they explicitly add the permission under the target domain’s permissions tab.
- Search for apps in the User or Admin portals now uses “contains” style searching rather than “begins with”. Search will match a string as long as that string is contained within the app name (CC-54222).
- The SSO status of the device now shows correctly in the User Portal device details page (CC-36580).
- In-house iOS apps are now only shown in the Company Apps store on a device if they are compatible with the device. Universal apps are shown for all device types, but iPad apps are not shown for iPhones and vice versa (CC-33856).
- It is now possible to add users to roles, or invite users, by searching by first name or last name (CC-44032).
- Support has been added for OpenID Connect apps that do not support https. http URIs are now supported (CC-53010).
- Fingerprint authentication now works on Android devices after the device resumes from the lock screen (CC-53006).
- The SharePoint Server app now allows external users to access via the App Gateway (CC-53369).
- The SharePoint OnPrem app now supports linked apps (CC-52744).
- The serial number for Centrify-provisioned derived credentials on Android devices is now shown. Previously they were only shown on iOS devices (CC-53665).
- The location of iOS devices is now correctly updated periodically, as well as when a location change occurs, when the policy is enabled (CC-53466).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
In case you hadn't heard, we will be upgrading our platform to version 17.11 this weekend (Saturday, December 16th). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
Conditional Access for Endpoints and Infrastructure
This is without a doubt my favorite new feature in this release. As you probably know, all of our products are integrated with and/or built on the platform. This allows core capabilities, such as MFA, to be extended to all of our products. When we first integrated our Infrastructure Services and Endpoint Services agents with the platform, we created tenant-wide settings to require an Authentication Profile for Login Authentication and another profile for Privilege Elevation. This was a great first step and allowed us to offer always-on MFA for login and/or privilege elevation. This offered better security, but left 3 problems:
- poor user experience in that these protected resources / operations always required a user to provide a 2nd factor to access,
- admins could not require different profiles for servers vs workstations, and
- admins could not block access conditionally (as long as the user has the 2nd factor they can access the resource or elevate their privilege).
In this release, we have addressed this by moving this global setting to new policies. In 17.11 we now have the following policies for conditional access:
- Login Policies
- Centrify Portal
- UNIX and Windows Servers
- Windows Workstations
- Privilege Elevation Policies
- Privilege Elevation
Customization Extended to SMS Messages
As you probably know, our interface and any email messages sent through our service can already be customized. You may also know that we have recently made it much easier to change the email messages in all of the languages we support and we've improved the Admin's ability to see which languages those messages have been customized in. In the past, we had not exposed that interface to SMS messages generated by our system. We never provided SMS customization because the URLs that we send with enrollment links / MFA challenge responses were so long that there really wasn't any room for that customization. We are happy to announce that we have addressed that in this release. We now use fixed-length short URLs and have exposed those messages for Admins to customize!
FIDO U2F Support
Finally, we are very pleased to announce that we have expanded our MFA offering to include FIDO U2F Security Keys as a 2nd factor. Admins can now set policy allowing their users to self-enroll any U2F-compliant device and then use that device as a 2nd factor when authenticating through our platform.
We hope you like these new features and look forward to hearing your feedback!
New Features - Centrify Application Services (formerly known as Identity Services)
Conditional Access for Endpoints and Infrastructure
Improved interaction with Infrastructure Services and Endpoint Services.
- Previous support was always-on MFA
- Now supports conditional access / adaptive MFA
Customization of SMS Messages
Added support for customization of SMS messages.
- MFA Challenge
- MFA Challenge for RADIUS
- Device Enrollment
Includes new “tiny URL” support.
- Reduced URLs from variable length of ~100 characters to 36 characters
Easy to customize in any of the supported languages.
[Screenshots: old SMS with long URL vs. 17.11 new SMS with short URL]
FIDO U2F Support
Added support for FIDO Universal 2nd Factor:
- Users can now self-register their U2F Security Keys
- Once registered, users can use these keys as an authentication mechanism.
Support for Multiple AWS Root Accounts
Updated Browser Extension and App template to support logging into multiple AWS Root Accounts.
- Template update: new field for Account ID
- Browser Extension update: now detects if you are logged in to AWS, and will log you out in order to log into the correct account
Active Users Dashboard Widget
Easy for Admins to find out how many user licenses they are using.
- Overview Dashboard now contains “Active Users” widget
Active Users = users who have authenticated through the service in the last 30 days.
Updates to OAuth (Preview)
Several enhancements to our OAuth implementation:
- Scopes now defined in-line in the OAuth App
- Settings menu for Scopes has been removed
- New OAuth Client App
- Ability to get Bearer Token for Client app
- Ability to generate Password for Confidential Clients
- Bonus feature – this is available for setting the password for ALL users
New Features - Centrify Endpoint Services
Password Checkout for Managed Local Admin Account (Mac)
Admins retrieving the LAPM password are now checking out the password:
- Password is rotated based on time interval in policy
- UI will change from "get" to "checkout" in 18.1
- Tip: use Password Generation Profiles to simplify the LAPM Password
Derived Credentials integration with Intercede MyID
You can now use Intercede MyID for Derived Credentials.
- Enabled via Policy
- Intercede libraries compiled into Centrify's iOS and Android apps
- Scan QR code to add Intercede MyID Derived Credential
- Both Intercede and Centrify's Derived Credential can be on the device together
- Removing the need for an entitlement to enable Derived Credential
The following apps have been added to the catalog:
- SpaceIQ (SAML)
- Constant Contact (User/Password) – re-added
The following apps have been updated:
- Amazon Web Services Console for IAM Users (User/Password)
- JIRA (SAML)
- Box (SAML+Provisioning) – documentation update only
- FedEx (User/Password)
- G Suite (SAML+Provisioning) – documentation update only
- Humanity (SAML) – documentation update only
- Zoom (SAML) – documentation update only
- Zoho (SAML) – documentation update only
The following apps have been removed:
- ProofHQ
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Core Services Changes – Login Policies
- Policies – 17.11 changes:
- Login Policies
- Portal Policies are now separate
- (New) UNIX and Windows Servers section
- (New) Windows Workstations section
- (New) Privilege Elevation Policies
Impact:
- Changes the way MFA is set up
- Provides flexibility and future capabilities
- E.g. challenge for MFA only on weekends and outside business hours
- Existing customers:
- An “Auto generated” policy will be created automatically on first use
Active Directory - Automatic Account Maintenance
- Prior to 17.11, the target AD account password was used for SAPM operations
- Earlier this year, we introduced the Active Directory administrative account to support operations (unlock, zone role)
- Starting with 17.11, a new Policy is introduced: “Automatic Account Maintenance using Administrative Account"
- When enabled, CPS uses the Administrative Account for SAPM operations
Note: This policy has to be explicitly turned on.
- This greatly simplifies the process of adding AD accounts to Privilege Service
- In this release, we introduce a new domain permission “Add Account.”
This permission is required for CPS administrators that have to add managed or unmanaged Active Directory account passwords into CPS.
Existing users (even if they have the Privilege Service Administrator entitlement) will not be able to add Active Directory accounts until they explicitly add the permission under the target domain’s permissions tab.
New Features - Centrify Analytics Services and SIEM
Behavior-based access control for Server Access (Alpha Release)
- Centrify Infrastructure Services Standard / Enterprise Customers can:
- Enable Behavior-based access control for every server access – login / privileged elevation
- Easily understand Server Access within their Enterprise (with Insights)
- Identify anomalous (with Explorer) Server Access based on past behavior on:
- Time, Command, Target Server, Account, etc.
- Forward Centrify Audit Events to Analytics Service via Centrify Sensor
Centrify Identity Platform Splunk Integration (Beta Release)
- Centrify Syslog Writer
- Easy to install Docker container that works on Windows Server 2012, RHEL 6, RHEL 7
- Gets Centrify Identity Platform access events (App Launches, Portal Access etc.) and forwards to a Syslog Server
- Centrify Identity Platform Splunk Add-On
- Normalizes Centrify Identity Platform events in Splunk
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- A maximum of 20 devices may now be enrolled for each user. This is only enforced at enrollment time, so any devices already enrolled are unaffected (CC-53044).
- This release adds support for FIDO U2F authentication; however, this is only supported natively on Chrome and Opera (CC-50450).
- When capturing an app using the browser extension for Firefox, it is now possible to specify additional fields (CISSUP-3460, CC-52619).
- Launching JIRA with IdP-initiated SSO now functions correctly (CC-52788).
- It is now possible to search for an app in the User Portal simply by typing its name. Hitting enter launches the app if there’s only one search result (CC-42822).
- With Safari 11 on a Mac, it is now possible to expand the Provisioning Script panel in the Provisioning tab (CC-52399).
- The email notification results from OATH token bulk import have had duplicates removed and are now accurate (CISSUP-3492, CC-52975).
- When uploading a certificate for a SAML application, the newly uploaded certificate is automatically selected for the app (CC-47919).
- Users are now de-provisioned correctly from custom SAML apps that use SCIM for provisioning (CC-52473).
- When using MFA, bad passwords are now logged as events when a password is the first challenge and the user failed to complete other challenges (CISSUP-3456, CC-52627).
- Revised, more intuitive UI for providing a date range for report generation (CC-52522).
- Users that are created and added to a provisioning role before any invitation has been sent by the admin are no longer shown as having a last invite date/time (CISSUP-3495, CC-52937).
- The policy summary no longer shows an Organizational Unit (OU) once device policy management via Active Directory policy is no longer in use (CC-52252).
- When using App Store apps purchased under a Volume Purchase Plan (VPP), license details are now shown for apps from all app stores, not just the US (CISSUP-3427, CISSUP-3079, CC-52356).
- The option “Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role” is now checked by default for all provisioning apps (CC-51904).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
In case you hadn't heard, we will be upgrading our platform to version 17.10 this weekend (Sunday, November 19th). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
Improved Administrative Features
Normally I only write about 2 or 3 features, but this release includes several enhancements to existing functionality so I cheated and lumped 3 features into 1.
- Parameterized reports: Our reporting engine has been updated to support reports that can be modified by updating specific parameters (e.g. Dates, Roles, Users, Applications, etc.). Now, when creating custom reports, you can use the Parameters tab to allow the report to be easily modified with a few mouse clicks. We've also updated all of the built-in reports that were time-bound, or applied to specific Roles or Resources to make those parameterized reports. This means a single report can easily be modified directly by the user running the report without requiring the user to save and modify the report script itself.
- Workflow now supports actions when a manager is unknown: We've also updated our workflow engine to provide administrative control over the action to take in the event that the requestor's manager must approve a request but the requestor has no manager. In the past, we would take the default action of assuming an approval and the UI would reflect that the step had been skipped. Now, Admins can specify to take one of the following actions if there is no manager:
- Automatically Approve
- Automatically Deny
- Route to a Role or User
- Easier email customization for foreign languages: Here's a feature that our multi-national customers will really appreciate, which is a better ability to customize our email messages in foreign languages and better visibility over what has been customized. In the past, if you wanted to customize an email template, you'd have to change your browser locale in order to do that. If you wanted to know if the message for a particular language had been updated, you'd have to switch your browser locale to that language and look to see if there was a date for when the template had last been updated. We've updated the interface to allow you to choose the language of the template that you want to update and update the template without requiring you to switch the browser locale. More importantly, the table now shows which languages have been updated.
Form-Filling on Safari
As you probably know, we added support for Form-Filling in January. If you are not familiar with this feature, this is the ability to go directly to a username / password site (instead of the User Portal) and login to that site with credentials stored in the Centrify platform. This feature is enabled through the Centrify Browser Extension and had previously been available for Chrome, Firefox and Internet Explorer. With 17.10, we have extended this functionality to the Safari browser!
OAuth 2.0 (Preview) Support
Finally, I am very excited to announce the Preview release of our OAuth 2.0 support! For our customers and partners who are developing applications or integrating with our platform in other ways, this feature provides a simple and secure way to provide authorization and to scope which APIs a particular client may access. This feature enables:
- Customers to securely build their own apps using our APIs,
- Better security when using our APIs, and
- Better support for app to app authorization.
The feature consists of:
- A new App Template for OAuth Server,
- Ability to create a "user" in our directory as an "OAuth Confidential Client", and
- The ability to Scope which APIs can be called by a specific client application.
For more information, please refer to the OAuth Section in our new developer site.
We hope you like these new features and look forward to hearing your feedback!
New Features - Centrify Application Services (formerly known as Identity Services)
Parameterized Reports
Reporting engine now supports modifying reports by changing parameters:
- Date
- Role
- User
- Application, etc.
Reports updated as follows
- Built-in Reports modified to include parameters (date, application, etc.)
- Custom Reports can be built with parameters
Pin for Phone MFA
PIN is now required when using phone call for MFA.
- Admin specifies number of required characters (4-8)
- User can then create PIN (up to 8 characters)
- Phone Call will not show up in list for user if PIN has not been set
NOTE: in 17.10 this feature is only available for new tenants
OpenID Connect Ability to Pass Login URL for Authentication
Use case is as follows:
- OpenID Connect App has a session timeout
- App is made available to users federated by another IDP (i.e. B2B)
- This specifies where to send the user to re-authenticate
Office 365 Linked Apps Support for Multiple SharePoint Sites
Deep link support now available for multiple SharePoint Sites.
- Linked Applications Wizard now provides ability for admin to specify URL of each SharePoint site
Form-Filling Support on Safari
Form-Filling (ability to go to a username / password app and login by clicking on the Centrify logo) is now available on Safari.
Active Users Report
This feature allows Admins to find out how many user licenses they are using.
- Built-in Report for “Active Users”
Active Users = users who have authenticated through the service in the last 30 days.
Workflow Options for No Manager
Admins can now determine what action to take for requests that require manager approval when there is no manager:
- Automatically Approve
- Automatically Deny
- Route to Role / User
Improved Multi-Language Email Customization
Email template customization now provides ability to customize the template without changing the browser language.
- Template selections allows Admin to choose which language to update
- UI now shows which languages have been updated
OAuth 2.0 (Preview)
This feature enables customers to better interact with Centrify's platform for app development and integration.
- OAuth 2.0 is the industry-standard protocol for authorization
- Focuses on simplicity and enables:
- Customers to build their own apps using our APIs
- Better security when using our APIs
- Better support for app to app authorization
New Features - Centrify Endpoint Services
Endpoint Password Generation Profiles
Password generation profiles for Endpoints (Local Account Password Management) are now in a separate location under Settings.
- Settings > Endpoints > Endpoint Password Profiles
- Built-in “Mac Profile”
- New profiles can be created in-line in Policies, or from this page
The following apps have been updated:
- Elastica CloudSOC (SAML)
- ElasticaForCisco (SAML)
- Confluence On-prem (SAML)
- BackBlaze (User/Password)
- SonicWall (User/Password)
- JIRA Cloud (SAML)
- Paylocity Web Pay (User/Password)
- Inacct (SAML) – logo icon only
The following apps have been renamed:
- Elastica --> Elastica CloudSOC
- Stash --> Bitbucket Server
- Windows Intune --> Microsoft Intune
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
IIS Application Pool Identity - Password Management
- 17.10 adds support for IIS Application Pool Identity Password Management
- Versions: IIS 7.5 (2008 R2), IIS 8 (2012) and IIS 10 (2016)
- It uses CPS-managed Active Directory accounts with Multiplex accounts
- In this release, IIS Application Pool services can be onboarded manually
- In the next release, we are tracking the addition of discovery of IIS Application pool identities
Effective Rights Reports
- Infrastructure Services now offers the ability to produce effective rights reports for users and roles related to all objects (systems, accounts, databases, services and secrets)
- Reports leverage the “Parameterized Reports” feature of the platform
- Reports can be generated interactively or sent to the report requester via email in different formats
- Note: for on-premises deployments, this feature requires PostgreSQL engine
Effective Rights Report - Sample CSV Export (all objects)
Support for future date/time (login, checkout)
- Enhances workflow request to support future date/time login and password checkouts (like zone role workflow)
- Now assignment types can be permanent and windowed (instead of just permanent and time-bound)
- The requester can specify the assignment type and the first approver has the final say on what type will be granted
- This use case is consistent with change control requests approved for a maintenance window in the future
SSH Gateway Enhancements
- Banner (Infrastructure > Security)
- To align with very common security guidelines
- Enable/disable (Connector)
- Turned off by default (decreases exposure footprint)
- Allows for segregation of duties (infrastructure components)
E.g. an “App Gateway” connector is quite busy, just like an SSH Gateway. If expecting heavy usage, you can segregate capabilities like AD/LDAP proxying, vs. dedicated gateways.
- Change port configuration
- For customers wanting to run the SSH Gateway service in a non-standard port
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Changes have been made in this release to harden the cloud service against Cross Origin Resource Sharing (CORS) exploits. As a result of these changes, for SP-initiated SSO to succeed with SAML apps, administrators should do one of two things:
- Supply an ACS URL in the app template whose domain matches the URL on which the SP returns to the cloud service.
- Add an exception under Settings > Authentication > Security Settings > Specify trusted DNS domains for API calls.
(CC-47996, CC-52930).
- Account unlock behavior has changed in this release. In previous releases, challenges could be removed if necessary to ensure that the user has the ability to pass through the unlock policy. In this release, the user must answer every challenge specified by the unlock policy. If a user cannot answer a challenge, the unlock attempt will fail. In most cases the system will recognize that the user cannot answer all challenges and will not even try to unlock, however in a few cases the user will still be presented with the first challenge (CC-51644).
- The date range condition used by authentication policies has been overhauled in this release to be more intuitive. The new date rules are as follows:
Rule: Today's date is greater than XX/XX/XXXX
Handling: Today's calendar date must be greater than XX/XX/XXXX
Rule: Today's date is less than XX/XX/XXXX
Handling: Today's calendar date must be less than XX/XX/XXXX
Rule: Today's date is between XX/XX/XXXX and YY/YY/YYYY
Handling: Today's calendar date must be greater than or equal to XX/XX/XXXX and less than YY/YY/YYYY
(CC-50825).
- In the Security Dashboard, logins that don’t contain an “@” symbol are masked to reduce the chance of showing a user’s password in the dashboard if it was accidentally entered in place of the user name (CC-52295).
- msOrg-IsOrganizational for security groups now syncs correctly from Active Directory to Office 365 (CC-52764).
- Password reset is now supported on IBM Security Directory Server version 6.4 (CC-51035).
- It is now possible to set the maximum allowable clock drift for TOTP OATH tokens. Previously the value was set at 30 seconds, now it is possible to set the number of 30 second units (default 1) that the token clock may drift either side of the current time (CC-52769).
- Mobile Authenticator no longer creates notifications for abandoned or expired sessions (CC-50168).
- A new method has been added to SAML app script processing: createWebRequestWithBasicAuth (string applicationUrl, string username, string password) for http/https basic authentication (CC-52147).
- “User skipped” is now always shown in the provisioning report for skipped users that had been removed from the mapped role (CC-46397).
- A user’s Provisioned Applications page now shows the user having been provisioned for the application after the user was only partially updated during the sync (CC-44102).
- User detail > Provisioned Applications > Provisioning history now correctly shows role names instead of role IDs (CC-50691).
- When adding apps, apps in the Recommended tab are now alphanumerically sorted by default (CC-44708).
- With SCIM provisioning, de-provision now disables a user by default rather than deleting them (CC-51858).
- To prevent policies being created that are larger than devices can handle, a limit (default 5MB) is now enforced when saving the policy (CC-50671).
- Managed apps are now correctly cleaned up from the installed app list when unassigned (CC-51859).
- Device last location timestamp is now shown for administrator location tracking (CC-51704).
- The LDAP connection test has been updated to only verify the existence of the base DN, rather than verifying that there are entities under it. This change avoids timeouts with large numbers of second level entities that would be treated as a connection test failure (CC-51651).
- When an administrator sets an in-house SMTP server for email, email templates are now updated (CC-51585).
- Enrollments of Windows machines are now marked as corporate owned (CC-51200).
- With Android for Work, Gmail and Calendar apps are no longer uninstalled when assigned to the user (CC-50583).
- An issue that prevented users with the Privilege Service entitlement from seeing the Settings menu when using the Safari Web browser has been resolved (CC-50351).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
In case you hadn't heard, we will be upgrading our platform to version 17.9 this weekend (Saturday, October 21st). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
Linked Applications
Many SSO applications leverage a single authentication for a user, yet have options for access to discrete "component" applications. A few prime examples of this are AWS and Office 365. Both of these applications can be broken down into separate component applications (e.g. EC2 and S3 for AWS, and Outlook and Calendar for Office 365). With the introduction of linked apps, we allow the admin to create separate application tiles and mappings for user access to the discrete component applications. With this release, all SSO apps (SAML and OpenID Connect) and all custom SSO apps in the catalog now have a Linked Applications tab. From this tab, the Admin can add the linked app to make the component applications available to their users.
For AWS, and Office 365, we know which apps are available as linked apps and show those in the UI. For other applications, we simply provide a template allowing the Admin to add the linked application. NOTE: Linked Apps is currently in "Preview" for Office 365 because some of the Microsoft component applications do not support a true SSO experience (for those apps, the user must click on a profile name to get signed into the app).
Improved UX for MFA response through RADIUS
Customers using our RADIUS implementation to extend our MFA to clients (e.g. VPNs) have been asking us to support out-of-band responses when using MFA from the client. In other words, when a user logging into a VPN client is prompted for MFA, the user should be able to respond through the challenge itself (e.g. push notification through Mobile Authenticator, SMS, etc.) rather than typing a response code into the client. This can now be enabled by going to Settings > Authentication > RADIUS Connections > Clients and configuring the response options.
Improved Local Admin Account Password Management for Macs
I'm also really excited about the improvements we've made to our ability to manage the local admin accounts for Macs. Specifically, in this release we've made 2 improvements:
- We now give Admins the ability to set a policy to define how frequently passwords get rotated, and
- We now give Admins the ability to set rules for the password complexity of the passwords we create.
We hope you like these new features and look forward to hearing your feedback!
New Features - Centrify Application Services (formerly known as Identity Services)
Linked Applications
This feature enables customers to create separate app tiles for SSO apps that share the same authentication.
- Linked Applications tab in app configuration
- Amazon Web Services
- Office 365 (Preview)
- Other SSO Applications
- Custom SAML Apps
- Custom OpenID Connect Apps
- SAML / OpenID Connect Catalog Apps
- Amazon Web Services
PCI Compliance Update for MFA
User experience for incorrect logins when using MFA has been updated in order to achieve PCI compliance.
- Current Experience:
- If user enters wrong information for first mechanism, authentication fails before asking for the 2nd mechanism
- New Experience:
- If user enters wrong information first, 2nd mechanism is still asked before authentication fails
- If first challenge response is incorrect, the 2nd factor is not checked (i.e. email / SMS won't be sent)
Improved UX for MFA response through RADIUS
We now support out-of-band responses from our authentication mechanisms for RADIUS clients (e.g. VPNs).
- Users can authenticate through the authentication mechanism itself (e.g. push the code on Mobile Authenticator or click on the link in email / SMS)
- No longer need to type in OTP
- New Configuration options under:
- Settings> Authentication > RADIUS Connections > Clients
Ability to Rename Roles
Role names can now be edited and renamed.
New Features - Centrify Endpoint Services
Configurable LAPM Password Rotation
Admins can now control the password rotation period for managed local admin accounts.
- Default = 90 days
- Valid settings:
- 1 day
- 365 days
- New policy:
- Policies > Mobile Device Policies > OS X Settings > Manage Local Admin Account > Periodic password rotation at specified interval (days)
Password Generation Profile for Mac
Admins can now set rules for the password complexity to use for the Local Admin Accounts on Macs.
- Settings > Infrastructure > Password Generation Profiles > Unix Profile
Password Checkout Error Handling
When using LAPM, an Admin may want to check out an Admin Password before the Cloud has confirmation from the Mac that the password has been changed.
- Now support a confirmation from the agent that the account has been rotated
- Password history can be provided if Admin checks out password before the confirmation is received
The following apps have been added to the catalog:
- Ivanti (SAML)
- SAP ERP ABAP (SAML)
- SAP CRM ABAP (SAML)
The following apps have been updated:
- Webex (User/Password)
- eBay (User/Password)
- CDW (User/Password)
- UPS (User/Password)
- iTunes Connect (User/Password)
- Hightail (User/Password)
- ScreenSteps Live (SAML)
- Eventbrite (User/Password)
- Canvas (SAML)
The following apps have been renamed:
- AVG CloudCare --> Avast Business CloudCare
- AVG Managed Workplace --> Avast Business Managed Workplace
- ProofHQ --> Workfront
- HEAT --> Ivanti
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Infrastructure Factory: Check Point GAiA™
- GAiA™ is Check Point’s Secure Operating System
- In this release, we are supporting shared account password management and secure session access.
- Versions:
- R77.30
- R80.10
- “Expert Mode” enhancement to follow in future release
Scheduled Discovery
- 17.9 adds scheduling to our Network Discovery
- Different discovery profiles can now be set to run on a schedule based on organizational needs
- A report is generated upon each run, outlining items discovered
Account-level Checkout Lifetime Override
- Allows granular definition of password checkout lifetime policies at the account level
- Useful to establish policy for end users at the global or system level, with the flexibility to establish policy at the account level for other use cases (such as system-to-system)
Linux Agent – Password Checkout for Database & Domain
- The CIP Linux agent has been updated to support database and domain account password checkouts with the cgetaccount CLI utility
- The service account (system) should have the checkout permission in the target accounts
- Uses the --type parameter
Examples:
$ sudo cgetaccount --type domain centrify.vms/diana-a
$ sudo cgetaccount --type database sql2012a/sa
ServiceNow – Privileged Access Request (Domain+Database)
- ServiceNow is in the process of certifying Privilege Access Request 2.0.0
- This version adds support for database and domain account password checkout via ServiceNow’s Service Catalog
- Support to request “login” is available for local system accounts; it will be added to AD accounts in a future enhancement
New Features - Centrify Analytics Services
New Factor
“Account” has been added as a factor for Shared Account Password Management
Faster User Experience
Improved rendering engine.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Prompt is now supported with custom URLs with OpenID Connect (CC-45912).
- SCIM provisioning is now available on all catalog apps, previously it was only available on generic (custom) apps (CC-50660).
- A new custom app type has been added: Linked Application, supporting OpenID Connect and SAML (CC-32809).
- Support has been added for multiple simultaneous policy management editors (CC-34579).
- Phone number validation has been updated to support recent Thai style changes (CC-51063, CISSUP-3334).
- Users of Apple devices managed by DEP and VPP v2 (token) can now update the App Store apps on their devices without creating their own Apple IDs (CC-49476).
- Successful RADIUS challenges no longer create a pair (one successful, one failure) of RADIUS log entries (CC-51501).
- Successful ZSO logins now correctly show the login reason on the User Activity dashboard and in the user’s detail page (CC-50700, CISSUP-3307).
- All devices now correctly show location in the User Portal when one of the devices is Windows 10 (CC-50315).
- Launch counts for App Gateway-enabled apps are now included in the source data for Most Commonly Used Web Apps and Unused Web Apps reports (CC-39645).
- ZSO log in to the User Portal now records as login activity on the User Portal Activity page (CC-49444).
- When a policy is changed while a device is offline, the policy summary will now show “pending” for the device’s compliance until the device is returned online and the policy is successfully applied (CC-48699).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
In case you hadn't heard, we will be upgrading our platform (Centrify Application Services and Centrify Infrastructure Services) to version 17.8 this weekend (Saturday, September 9th). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
Browser Extension Pinning and SCIM GA
Both of these features were made available as previews in 17.7, and are now available generally. As a refresher, browser extension pinning allows you to set policies (under Policies > Application Policies > User Settings) to set the Centrify Browser Extension to a specific version. This allows you to control if and when your users are prompted to install a new browser extension.
With the GA of SCIM, we now include the provisioning tab on all of the SSO apps (SAML and OpenID Connect) in our catalog. In 17.7, SCIM was only available when using the custom templates. In 17.8, we include provisioning for existing SAML and OpenID Connect apps.
In addition to the above, we've made several enhancements to existing features, including:
Support for Next Token Mode for RSA SecurID
As you may know, we have integrated with RSA SecurID through our RADIUS implementation. Customers using this feature asked us to add support for Next Token Mode (when RSA prompts the user to provide a 2nd token for added security; this is typically required after too many incorrect passcodes have been entered).
Enhancements to Inbound Provisioning
Customers using our inbound provisioning feature (provisioning users into AD from Workday) had asked for a few enhancements and with this release we have delivered! Specifically, we've made the following enhancements:
- Admins now have additional options for where to email the password for new employees when we generate that password. In the past, a generated password could only be sent to a specific email address (e.g. an alias for an onboarding team). With this release, you can now choose to send those generated passwords to any combination of the following:
- specific email address
- user's manager, and/or
- user's personal email address
- Admins can now specify an OU to place users in upon termination. This helps to automate a business process whereby users who have left the organization are temporarily held in a specific OU. Of course, this is done in addition to disabling the user's account in AD!
Enroll Mobile Device with QR Code
In 17.8, we've made enrolling a mobile device even simpler! As you may recall, our invite-based enrollment policy allows users to enroll a mobile device without providing their credentials. When this policy is enabled, users can enroll their devices without providing a username / password by using any of the 3 options in the User Portal (send SMS, send email or scan QR code).
We hope you like these new features and look forward to hearing your feedback!
New Features - Centrify Application Services (formerly known as Identity Services)
CBE Pinning
New policy to set Browser Extension Version:
- Set by latest version or specific version number
- When version is set to a specific number, User Portal will prompt for upgrade based on policy version rather than cloud release version
- Centrify will not force upgrade when policy is set
- Only latest version and 2 versions prior are supported
- Downloads shows all pinned versions (not available for Chrome)
OpenID Connect and SCIM GA
OpenID Connect custom template is now GA (no longer appears as “Preview”).
SCIM provisioning support is now GA
- Custom template no longer displayed as “Preview”
- Provisioning tab added to all SSO catalog apps
- SAML
- OpenID Connect
Support for RSA SecurID's Next Token Mode
Periodically, users will be asked by RSA to provide the next token code
- E.g. after entering too many incorrect passcodes
Centrify's RADIUS implementation and UI have been updated to support this use case.
Enhancements to Inbound Provisioning
Admins now have the following options on where to email generated credentials:
- Specific email address
- User’s manager
- User’s personal email
Admins can now choose an option to assign users to an OU upon termination.
Bulk Upload Support for Extensible Directory Attributes
Admins can now add values for extensible directory attributes through a bulk upload
- CSV file is now generated on the fly to include columns for each extensible directory attribute
Additional User Portal Settings for UI
The Settings menu in the User Portal now gives users two additional options
- Change the size of the app icons
- Remove / Display app Titles
Enroll mobile device with QR code
Similar to invite-based enrollment, but with QR code from User Portal
- User scans QR code with Centrify app, and enrollment begins
- No Username / Password required
- Allow invite-based enrollment policy must be set to Yes
Android Managed Accounts
No more detailed setup with Google for Android Management
- Google accounts are created dynamically and without setup for GSuite
- Simplified Android Management
- See Android Management under Settings->Mobile to toggle modes
- Existing Android for Work users will need to re-enroll to switch modes
The following apps have been updated:
- Microsoft Partner Network (user / password)
- GSuite
- CloudLock (SAML)
- CloudAMQP (user / password)
- FastHosts (user / password)
- Kayak (user / password)
- Kroger (user / password)
- My Adobe (user / password)
- Sonicwall (user / password)
- Symantec PartnerNet (user / password)
- W3Schools Forum (user / password)
- Fortigate Firewall (user / password)
- Mimecast (SAML)
- Qmarkets (SAML + provisioning)
- Salesforce (SAML + provisioning)
- AbsorbLMS (SAML + provisioning)
- Wordpress (SAML)
- Liquidfiles (SAML)
- Frevvo Live Forms In-house (SAML)
- Docusign (SAML)
- AirWatch (SAML)
- Tableau (user / password)
The following apps have been renamed:
- Timeoffmanager --> PurelyHR
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Secure Shell Gateway – File Transfer
- Adds to the Secure Shell Gateway capability implemented in 17.7
- Users can establish file transfer sessions with shared accounts directly from their favorite client (e.g. WinSCP), without visiting the portal, using the Centrify connector(s) as the gateway
- Maintains platform features:
- Authentication Profiles (MFA)
- Administrative SCP session termination
- Access Request (Workflow)
Password Complexity Profiles
- Allows the ability to set up password complexity rules at the global or system level
- Centrify provides a set of built-in rules that are QA-validated to work on supported classes of systems
- Granularity to define password length, additional requirements, special characters, leading or trailing characters
- Built-in profiles are tied to corresponding system classes
- This is a foundational capability to support systems such as IBM i and other upcoming capabilities
IBM System i
- The IBM System i (formerly AS/400) platform enjoys large penetration in highly-regulated enterprises (mostly seen in banking)
- The underlying OS (OS/400) relies heavily on shared accounts (profiles), therefore Shared Account Password Management is a must
- Versions supported (6.1 and above) using the SSH Server daemon
- The Password Profile feature can be leveraged to onboard IBM i systems with different password rules
Session Size Preferences
- This highly-requested feature allows end-users to set their preferred privilege session window size for SSH (web client) and RDP (local & web client)
- The preference is set per browser
PowerShell samples support for AD and Database Accounts
- 17.8 updates the sample PowerShell scripts
- Add / Moves / Changes (Get, Set & Remove) of local, AD or database accounts
- Get-CIPAccount can be used to retrieve passwords. Make sure the system service account has the view+checkout permissions in the target account
- Use the domainname or databasename parameters to specify the account type
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- RADIUS challenges are now supported for RADIUS authentication, however RADIUS accounting is not currently supported. Note that if you are using external RADIUS (such as RSA SecurID) you must upgrade Connectors to 17.8 for full functionality (CC-46766).
- After enrollment, the default on Android devices for the Settings -> Show All Applications option is now checked (CC-49463).
- Room objects are no longer mistaken as users during Office 365 provisioning (CC-47843)
- MS-LDAP users can now log in and be invited to the User Portal. Microsoft LDAP uses a slightly different dialect to other LDAP servers and this is now supported (CC-50060).
- The forgot user name self-service feature now accepts user email addresses regardless of entered case (CC-49486).
- Errors are no longer generated when provisioning GSuite users (CC-50156, CISSUP-3254).
- In the Box and GSuite provisioning apps, Active Directory users are no longer removed from AD groups when a user’s attributes are updated (CC-47102).
- With the Wordpress SAML app, Active Directory users’ Active Directory groups are now updated to Wordpress (CC-46252).
- The Wordpress SAML app now honors the “Allow unlisted users” checkbox (CC-46251).
- Active Directory computer users are now tagged as service users automatically. Note that existing AD computer users will not be tagged until they log in again (CC-50059).
- The SSH gateway feature no longer reports authentication failed when the authentication profile that applied to the user had two consecutive password options (CC-48695).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
New Features - Centrify Application Services (formerly known as Identity Services)
Applications Dashboard
New dashboard highlighting apps in the platform
- Pie chart showing:
- Status
- Type
- Provisioning Status
- App Gateway Status
- Lists showing:
- App Details
- Total App Launches in last 7 Days
- Pie-charts are drill-able
- List views are filtered based on charts
[Preview] Centrify Browser Extensions Pinning (Available by Request Only)
New policy to set Browser Extension Version.
- Latest version or specific version number
- When version is set to a specific number, User Portal will prompt for upgrade based on policy version rather than cloud release version
- Centrify will not force upgrade when version is set; however, Centrify will only support current version and 2 versions prior
- Downloads shows all pinned versions (N/A for Chrome)
[Preview] SCIM Provisioning
SCIM is an open standard for automating the exchange of user identity information between identity domains, or IT systems.
- Custom SSO templates now contain a Provisioning tab
- Custom SAML App
- Custom OpenID Connect App
- Previously deployed custom apps using this template can now be updated to include provisioning (if the app supports this feature)
Updates to User Portal
Account Page Redesign:
- Cleaner design on the “Security Settings” page
- Passcodes feature is now separated out onto its own tab
- Settings Menu moved to User Portal Banner (on Apps and Devices pages)
- Grouped / Grid toggle moved to the Settings Menu
- Refreshed Activity page with Map widget, Login / Denied Logins, App Usage and Activity Stream
Easy Navigation to Job Provisioning Report for User
When troubleshooting provisioning events for a particular user, Admins need a way to find the right report for those events.
- Drill-Down in Users page now includes links to each report
Mobile Features – iOS Notification improvements
MFA actions no longer require going to the Centrify app
- Reduce app flipping for all notifications
- Only actions that require in-app functionality are flipped (for example, Require Fingerprint on MFA respond)
Mobile Features – iOS Activation Lock Bypass codes
Administrators now have access to the Activation Lock Bypass code
- When a device is wiped, Activation Lock requires the original user's Apple ID credentials (or the bypass code) before the device can be set up again
- Admins can look up the bypass code for managed devices
- Customers can open a support ticket to retrieve bypass codes for unenrolled/deleted devices
Mobile Features – OATH OTP Push
OATH Codes in Passcodes can now be “pushed” to the respective tenant (similar to mobile authenticator)
- Allows MFA to multiple tenants from a single client enrollment
- After selecting OATH OTP MFA Method - Go to Passcodes in the Centrify app, and tap the tenant you are trying to log into
Mobile Features – Proxy profiles for Android WiFi
Proxy configuration settings can now be set and sent to Android devices (previously only Samsung and iOS).
The following apps have been added to the catalog:
- Expensify (SAML)
- HipChat (SAML)
The following apps have been updated:
- 15Five (SAML)
- Amazon Germany (User/Password)
- Atlassian Customer Portal (User/Password)
- com (User/Password)
- Cloudera (User/Password)
- Cognology (SAML)
- Evernote (User/Password)
- Float (User/Password)
- net (User/Password)
- Google apps (SAML)
- HRS (User/Password)
- LiveDrive (User/Password)
- MilitaryHire (User/Password)
- Mimecast Personal Portal (User/Password)
- SumoLogic (SAML)
- Yahoo Mail (User/Password)
- Zenefits (User/Password)
The following apps have been renamed:
- ShiftPlanning --> Humanity
New Features - Centrify Endpoint Services (formerly known as Identity Service)
Mac Updates
Centrify Agent for Mac:
- Centrify Agent for Mac is now available on the Centrify Identity Services Download page
- Support for Munki unattended uninstall
- Dynamic policies for non-Apple MDM policies
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Secure Shell Gateway
- Improves usability and deployment flexibility by allowing users to establish SSH connections (manual or with shared accounts) via the Centrify Connector(s) as a Jumpbox without visiting the admin portal.
- Maintains platform features:
- Authentication Profiles (MFA)
- Watch and Terminate
- Access Request (Workflow)
- Agentless DirectAudit (if available)
- You can use this feature for native SSH clients on Windows, UNIX/Linux and Mac OS.
Built-in Reports for Secrets
- Available via Core Services > Reports > Built-in Reports > Systems > Secrets
- All Secrets (contains secret size) & secrets by type
- Modified Secrets (last 7 days)
- Retrieval Counts (most popular secrets)
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- In 17.6 and earlier, when syncing groups for Office 365 provisioning they were incorrectly synced to a depth of 2. When the sync traversed to the second level, immutable IDs were not properly mapped for migrated users and this could cause group sync to fail, depending on timing. From 17.7, sub-groups are no longer synced unless explicitly included for sync (CC-48105).
- In the Box provisioning page, the option “Allow personal folder to be synced by Box clients” has been renamed to “Sync all personal folders to admin’s desktop via Box Sync”. The function of this option has not changed, but the label has been changed to better reflect the functionality (CC-47392).
- External CA revocation checks are now performed on a per-CA chain basis (CC-48358).
- IWA now succeeds with the RingCentral desktop app when it is configured for single sign-on (CC-48942).
- SHA-256, SHA-384 and SHA-512 have been added as options for the algorithm and digest method used for encrypted keys in SAML apps (CC-48526).
- Custom CBE internal apps now function correctly on iOS devices after the built-in browser’s cache is cleared (CC-48007).
- An issue was resolved where Connectors could not reach Active Directory domain controllers. The issue was caused by a failure to retrieve the distinguished name of the NTDS settings object from a domain controller running in Windows 2008 Domain Mode. Any registry changes implemented during 17.6 to work around this issue should be removed with this new release (CISSUP-3178, CISSUP-3180).
- Connectors will now connect to any available domain controller if the Connector does not belong to any site (CC-48052).
- Active Directory per-user customizations (for example, OATH tokens) are no longer removed when a Connector is removed (CC-49334).
- The correct license type for Office 365 ProPlus is now shown in the license summary, previously it would show “officesubscription” (CC-48528).
For security advisories and known issues, please see attached file.
In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.6 this weekend (Saturday, July 8th). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
MFA Policies for User Account Settings
We have added security improvements to enable policies to require users to provide additional authentication factors when doing the following:
- changing passwords,
- configuring OATH OTP clients,
- setting security questions, or
- modifying their profile.
All of these policies now appear under a new heading called "User Account Settings" (you will also note that we moved a few policies from other areas to make use of these policies more convenient). For each of these policies, the Admin can choose which Authentication Profile should be called when the user makes these changes.
Admin Control over Signing Certificates
With this release we have also given control to Administrators to better manage the signing certificates used by our service. As you probably already know, Google recently cracked SHA1 certificates and as a result many service providers have announced that they will deprecate support for SHA1 certificates. If you have a Centrify tenant that was created before July 2016, then the default certificate used by your tenant is SHA1. As you probably know, when using a signing certificate for SAML, you can upload your own certificate so you can use one with a stronger algorithm; however, we wanted to address this problem in a more turnkey manner and wanted to give you more control over your options. In 17.6 you will see that we have a new Signing Certificates feature that works exactly as our Authentication Profiles feature works. We now have a "Signing Certificates" page in our "Settings" menu for managing certificates, and we leverage that page directly in the App configuration UI (Admins can choose a certificate from a drop-down menu, or create a new one).
If you want to change a certificate for an application, don't forget, you will need to go into the administrative console for that application and upload the new signing certificate in order to make sure your SSO still works. For Office 365, we have automated that step through a new "Re-Federate" option.
In addition to the above, this release includes two performance improvements that I wanted to call out:
- Addition of "Sets" in Users, Apps and Endpoints. Why is this a performance improvement? The Sets UI enables the Admin to set a default view for each of those pages based on the filter selected. More importantly, Admins can set their default view to have nothing selected so that pages with long lists (e.g. the Users page) load immediately, as the default view is simply the search bar!
- Intelligent selection of Connectors for IWA and RADIUS. With 17.6, we have improved our connector selection logic to first look for a matching IP address, then a matching sub-net and if neither are found then to randomly select a connector.
We hope you like these new features and look forward to hearing your feedback!
New Features - Centrify Identity Service
MFA Policies for User Account Settings
MFA Everywhere – now able to set policies requiring step-up authentication for:
- Password changes
- Configuring OATH OTP client
- Setting Security Question
- Modifying Personal Profile
- All policies under Policies > User Account Settings
- “Show QR code for self-service” and “OATH OTP Display Name” policies moved from “OATH OTP”
- “Enable users to change passwords” moved from “Password Settings”
Sets Added to Identity Service Tabs
Optimized page viewing and performance by grouping large lists into Sets of like items:
- Users
- Apps
- Endpoints
- Click Set name to filter list
- Set Default using ellipsis menu
- All page visits for that user will remember the selection
- Sets UI slides in and out on click
- To improve page load performance, choose “Remove as default” (clearing the check mark) so that the page opens with no results and only the search bar
Intelligent Selection of Connectors
Previously, calls to Connectors for IWA and RADIUS were made randomly. Connectors are now selected based on IP address as follows:
- Choose a Connector with a matching IP address
- Randomly choose between Connectors when there are multiple matches
- Otherwise, choose a Connector with a matching subnet
- Randomly choose between Connectors when there are multiple matches
- Otherwise, randomly choose any Connector
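The selection order above, written out as an added example (my code, not Centrify's). It assumes each Connector is registered with its own IP address and the subnet it serves, and that "matching" is done against the source IP of the IWA or RADIUS request; the Connector record, field names and the sample inventory are constructed for the example. The tier that produced the choice is returned alongside the Connector so the decision can be logged, and the `ipaddress` module makes the same logic work for IPv6 clients.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Connector:
    """A registered Connector (this example's own record, not Centrify's data model)."""
    name: str
    address: str   # IP the Connector registered with, e.g. "10.1.2.20"
    subnet: str    # subnet it serves, in CIDR form, e.g. "10.1.2.0/24"


def select_connector(client_ip, connectors, rng=None):
    """Pick a Connector for a request arriving from client_ip.

    Tiers, in order: exact IP match, then same subnet, then any Connector.
    Within a tier the choice is random. Returns (connector, tier).
    """
    rng = rng or random.Random()
    ip = ipaddress.ip_address(client_ip)

    # Tier 1: a Connector whose registered address equals the client address.
    exact = [c for c in connectors if ipaddress.ip_address(c.address) == ip]
    if exact:
        return rng.choice(exact), "ip"

    # Tier 2: a Connector whose subnet contains the client address.
    # `in` is False across IP versions, so an IPv6 client never matches an IPv4 subnet.
    same_subnet = [c for c in connectors
                   if ip in ipaddress.ip_network(c.subnet, strict=False)]
    if same_subnet:
        return rng.choice(same_subnet), "subnet"

    # Tier 3: fall back to any registered Connector.
    if not connectors:
        raise LookupError("no Connectors registered")
    return rng.choice(list(connectors)), "random"


# Constructed sample inventory; these are not addresses from any real deployment.
CONNECTORS = (
    Connector("conn-sjc-1", "10.1.2.20", "10.1.2.0/24"),
    Connector("conn-sjc-2", "10.1.2.21", "10.1.2.0/24"),
    Connector("conn-lon-1", "10.9.0.5", "10.9.0.0/16"),
)

if __name__ == "__main__":
    for client in ("10.1.2.21", "10.1.2.77", "192.0.2.10"):
        chosen, tier = select_connector(client, CONNECTORS, random.Random(1))
        print(f"{client:>12} -> {chosen.name} ({tier})")
```

Passing an explicit `random.Random` instance keeps the choice reproducible in tests; in production the default unseeded generator gives the load spreading the release notes describe.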
Dropbox Provisioning Support for Union
Admins can now choose to provision users into Dropbox using the following options:
- Union of all Groups, or
- Single Group
Improved 3rd Party RADIUS Support
When setting up 3rd party RADIUS authentication, some systems do more than a simple username/password check and need additional time to complete the request, so the RADIUS timeout is now configurable.
- Default timeout is 5 seconds
- Values from 5 to 55 seconds are valid
Admin Control over Signing Certificates
Admins can see and manage all certificates in use in their tenants under
Settings > Authentication > Signing Certificates
- Older tenants (created prior to July 2016) used SHA-1 signing certificates by default; later tenants use SHA-256
- App UI has been updated to include a pick-list for choosing which certificate to use
- Office 365 certificate is now exposed
- Office 365 re-federate option to push new certificate
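Whether a tenant's SAML traffic still relies on SHA-1 shows up in two places: the hash in the signing certificate itself (the pre-July-2016 default above) and the signature and digest algorithm URIs inside each `ds:Signature`, which the 17.7 fix (CC-48526) lets you move to SHA-256/384/512. The audit below is an added example, my code rather than anything from the Centrify platform: it parses a SAML message or metadata document, reports the declared algorithms of every signature, and treats SHA-1, missing or unrecognised URIs as failures. The algorithm URIs are the standard XML-DSig and RFC 4051 identifiers; the two sample Response documents are constructed skeletons whose signature values are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Standard algorithm URIs (XML-DSig, RFC 4051, XML Encryption). Anything SHA-1 based is weak.
WEAK = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}
ACCEPTED = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}


def classify(uri):
    if uri in ACCEPTED:
        return "ok"
    if uri in WEAK:
        return "weak"
    return "unknown"   # unrecognised or missing URIs fail closed, they are not waved through


def audit_signatures(xml_text):
    """One report entry per ds:Signature element in the document."""
    root = ET.fromstring(xml_text)
    report = []
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        sig_alg = method.get("Algorithm") if method is not None else None
        digest_algs = [d.get("Algorithm") for d in sig.iter(DS + "DigestMethod")]
        verdicts = {a: classify(a) for a in [sig_alg] + digest_algs}
        report.append({
            "signature": sig_alg,
            "digests": digest_algs,
            "weak": any(v != "ok" for v in verdicts.values()),
        })
    return report


def has_weak_signature(xml_text):
    """True if the document is unsigned or any signature uses a non-SHA-2 algorithm."""
    report = audit_signatures(xml_text)
    return not report or any(entry["weak"] for entry in report)


def _sample(sig_uri, digest_uri):
    # Constructed skeleton for the example: correct structure, placeholder values, not a real signature.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_uri}"/>
      <ds:Reference URI="#_r1">
        <ds:DigestMethod Algorithm="{digest_uri}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""


SHA1_RESPONSE = _sample("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                        "http://www.w3.org/2000/09/xmldsig#sha1")
SHA256_RESPONSE = _sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                          "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for name, doc in (("sha1", SHA1_RESPONSE), ("sha256", SHA256_RESPONSE)):
        print(name, "WEAK" if has_weak_signature(doc) else "ok", audit_signatures(doc))
```

This only audits the algorithms a document declares; it does not verify the signature, which a service provider must still do with a proper XML-DSig library. The certificate's own signature hash is a separate property that this check does not see, so after switching a tenant to a SHA-256 certificate, confirm both the certificate and these URIs, and remember the note above: the new certificate also has to be uploaded at the application side (or pushed with Re-Federate for Office 365) or SSO breaks.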
Mobile Features – Policy to Disallow Incoming Calls
New policy to prevent incoming calls on device
- Useful for data-only devices such as kiosk mode
Mobile Features – SIM Removal Tracking
New policy to track SIM removal
- Device can become non-compliant if the SIM is removed
- Only on Samsung devices
Mobile Features – New Samsung Firewall (hostname based)
In addition to the Samsung IP-based firewall, hostnames can now be used in firewall rules
- Only on Samsung devices
Munki Enhancements
Removing Security Login
- Ability to enroll with just username and password has been removed for new tenants
- Admins will need to use the new 17.6 agent to enroll
The following apps have been updated:
- Freshservice (doc only)
- Salesforce (doc only)
- Slack (provisioning)
- Dropbox (provisioning)
- Workplace by Facebook (provisioning)
- LoopUp (user-password)
- Frevvo Live Forms (SAML)
- TeamSnap (user-password)
- Microsoft Dynamics CRM on-prem (WS-Trust)
New Features - Centrify Privilege Service
Secrets
- Allows CPS to secure generic secrets (files and text types)
- Only users that have the “retrieve secret” entitlement can access them
- You can add policy rules from the Identity Platform or use MFA to secure the retrieval of secrets
- File secrets can optionally be stored with a password (e.g. a Word, Excel or PDF file, or an SSH key, that is itself password protected)
- Secret uploads and downloads are secured with double encryption
- File secrets are limited to 5 MB per file and text secrets to 24 KB
New Login/Checkout Sequence
- New terminology
- Improved flow
- Compatibility for “AD Account login” using the Local Client
New Features - Centrify Analytics Service
Traveling-Velocity Factor
- Traveling-Velocity addresses the impossible-travel scenario
- It isolates situations such as a user accessing applications from both Santa Clara and Los Angeles within 15 minutes, even though the user's access pattern treats both locations as normal
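The impossible-travel check, as an added example and not Centrify's own detection logic: it assumes each login event carries a geolocated latitude and longitude, orders a user's logins by time, and flags any consecutive pair whose implied speed exceeds a plausibility threshold. The 900 km/h threshold (roughly airliner cruise speed) and the 50 km floor that absorbs geolocation jitter are this example's own choices, and the events are constructed for the Santa Clara to Los Angeles case in the text, which is about 500 km apart. Two distant logins with identical timestamps are the extreme case and are flagged as infinite speed rather than skipped.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than this is not a human in transit
MIN_DISTANCE_KM = 50.0      # assumption: below this, geolocation jitter dominates


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.

    events: iterable of dicts with keys user, time (aware datetime), lat, lon, place.
    Returns a list of (user, from_place, to_place, km, minutes, kmh) tuples.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue                     # same metro area, ignore jitter
            minutes = (cur["time"] - prev["time"]).total_seconds() / 60
            kmh = float("inf") if minutes == 0 else km / (minutes / 60)
            if kmh > max_kmh:
                alerts.append((user, prev["place"], cur["place"], round(km), round(minutes), kmh))
    return alerts


def _t(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample events; coordinates are approximate city centres.
SAMPLE_EVENTS = [
    {"user": "alice", "time": _t("2017-08-01T09:00:00"), "lat": 37.3541, "lon": -121.9552, "place": "Santa Clara"},
    {"user": "alice", "time": _t("2017-08-01T09:12:00"), "lat": 34.0522, "lon": -118.2437, "place": "Los Angeles"},
    {"user": "bob",   "time": _t("2017-08-01T08:00:00"), "lat": 37.3541, "lon": -121.9552, "place": "Santa Clara"},
    {"user": "bob",   "time": _t("2017-08-01T14:00:00"), "lat": 34.0522, "lon": -118.2437, "place": "Los Angeles"},
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        print("ALERT user=%s %s -> %s: %d km in %d min (%.0f km/h)" % a)
```

The speed threshold is what separates this from a plain "new location" rule: alice's two logins 12 minutes apart imply well over 2000 km/h and fire, while bob's identical pair of locations six hours apart is ordinary travel and stays quiet. Tune the two constants to your own population, and feed the alert into an authentication policy (step-up MFA or deny) rather than only a report.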
UI Improvements
Copy cell to clipboard
- Copy ‘email’ to clipboard to edit in search bar
Insights – Word cloud widget
- Available only in Insights boards as a new widget
Download CSV
- Insights and Explorer Widgets data download
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Centrify Privilege Service session brokering now supports negotiation with systems configured for TLS 1.2 (CC-47306).
- Policies based on a device being corporate or personally owned are now correctly based on both the user and device (CC-47949).
- Administrators can now enable a policy to determine if the Browser Extension is auto-updated or pinned to a specific version.
- Provisioning sync job reports have been enhanced to include timings for each job, allowing slow running jobs to be identified (CC-44806).
- The following parameters are now collected from enrolled Windows 10 devices (CC-47333):
- Anti-spyware status
- Antivirus status
- Encryption compliance
- Firewall status
- Users rejected for provisioning are now logged in the sync report (CC-47480).
- IWA will now succeed even if a cloud connector is joined to a domain with a disjoined namespace (CC-43948).
- Support has been added for more than one concurrent Google Directory service (CC-44704).
- ForceAuthn from http-post now re-authenticates when a custom tenant URL is used (CC-43934).
- Role mapping in Dropbox provisioning has been enhanced to support both assigning destination groups to the first role a user is a member of (based on a prioritized list) and also assigning to each role the user is a member of (CC-46462).
- The fixed five-second timeout value for an external RADIUS server has been replaced by an administrator-defined timeout value up to 55 seconds (CC-44206).
- The last invite date for a user or group invitation is now set even if the invite email or SMS failed (CC-47226).
- Office 365 deprovisioning rules are now maintained after authenticating an Office 365 administrator – previously they were deleted (CC-43588).
- Browser bookmarks can now be pushed to Samsung KNOX devices in both kiosk and non-kiosk modes (CC-45529).
- A policy has been added to allow / disallow changes to the date / time on Samsung KNOX devices (CC-47180).
- ZSO login now works with Chrome on OS X 10.12 (CC-46899).
- The default value for Pre-Provisioning Interval for Workday inbound provisioning has been set to 120 hours (5 days), previously it was zero (CC-47207).
For security advisories and known issues, please see attached file.
For 17.6 Hot Fix 1 security advisories and known issues, please see attached file.
In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.5 this weekend (Saturday, June 3rd). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
New UI
17.5 is a milestone release for us as it consolidates the User Interfaces for the 2 component products in the platform! With this release, the UI for the "Privilege Manager" has been moved to the Admin Portal. To accommodate this change (and the addition for many more tabs), we have moved from a horizontal menu to a vertical one. Let me point out a few additional features of this new UI:
- Cross-product capabilities are now grouped under "Core Services"
- Centrify Privilege Service capabilities are now grouped under "Infrastructure" (please note, the UI is built dynamically based on entitlement -- meaning you will only see the Privilege Service UI in your tenant if you're an existing Privilege Service customer).
- All of the grouped tabs can be collapsed or expanded (by clicking the Label / arrow)
- Perhaps the most exciting news about the new UI, is that we've also taken measures to improve page loading performance by caching the UI in the browser. With 17.5, if you go to a page with a long list (e.g. the Users page with thousands of users), you will only need to wait for the page to load the first time you access it!
On the User Portal side, we have kept the horizontal navigation, but we've refreshed the portal to align with the new UI.
If you'd like to see more of a sneak peek at the new UI, please refer to this video.
New Security Features
We've also added a couple of cool new security features:
- Managed Device Policy: Customers have often asked for a way to limit app access to trusted devices only. In the past we were able to support this through our scripting interface; in this release we've made setting this up much simpler by exposing conditions in our rules builder used throughout the product (login authentication policy, app and resource policies).
Note: devices are considered managed if: (i) the device is under management by Centrify, or (ii) a known trusted certificate is on the device (known by being uploaded to the tenant as a trusted CA – under Settings > Authentication > Certificate Authorities).
- Password Reset Confirmation Email: We've also added a new feature to send an email confirmation to the end-user whenever his/her password is changed through our platform:
- Password reset (login UI),
- Password change by User in the User Portal or mobile app, or
- Password change by the Admin using the "Set Password" action in the Admin Portal.
Admins can enable this feature in the Admin Portal by going to Settings > Authentication > Security Settings.
Local Administrator Account Password Management for Macs
If your organization uses Macs, you will love this last feature! If you're like most organizations you use the same admin account on all of your Macs. Of course your users only have access to their personal user account but the administrative account on the endpoint is there and likely the same across all of your endpoints. You try to keep access to that password limited but over time the threat vector expands as you have more endpoints using the same password, you have turnover in your IT department and you occasionally need to provide end users with access to that Admin account.
In an ideal world, you would use different passwords for each endpoint, your admins / end users wouldn't know those passwords (but would be able to access the account when needed) and the passwords would get automatically updated for you. This feature makes that ideal world a reality by leveraging Centrify's Mac management capabilities in conjunction with our Privilege Service! Centrify can now manage the local accounts for your Macs, change the passwords on a regular basis and control who can access those accounts!
Customers of Centrify Identity Service and Centrify Privilege Service can enable this feature by setting the policies under Policies > Mobile Device Policies > OS X Settings > Manage Local Admin Account.
We hope you like these new features and look forward to hearing your feedback!
New Features - Centrify Identity Service
New UI
Identity Service and Privilege Service admin portals have been merged.
- Vertical navigation to support more tabs
- Cross-product capabilities now grouped under “Core Services”
- Privilege Service specific capabilities grouped under “Infrastructure”
- Grouped tabs can be collapsed
- Tabs / Quick Start Wizard steps appear based on entitlement
- Caching for better performance
User Portal has been refreshed.
Managed Device Policy
Easily limit access to Apps and Infrastructure to trusted devices (managed devices)
- Now available as conditions in our rules builder:
- Login Authentication Policy
- App/Resource Policy
- No longer requires a policy script
Managed Device = device under management by Centrify (MDM), or a 3rd party (based on presence of a certificate).
Password Reset Confirmation Email
Improved security by sending email to user whenever password is changed:
- Password Reset (login UI)
- Password Change by User in the User Portal
- Password Change by Admin via Set Password action in Admin Portal
Admin must enable at tenant level
- Settings > Authentication > Security Settings
Local Admin Account Password Management for Mac
Unique admin password for each Mac
- Vaulted in CPS
- Rotated on schedule
- Policy driven account creation
- Policy to specify account name
- Automatic take-over of existing account
- “Checkout” for authorized admins
- Role must explicitly have the “Device Management All” right
The following apps have been added to the catalog:
- Provisioning support for Workplace by Facebook app
- JIRA Cloud (SAML)
The following apps have been renamed:
- Facebook at Work --> Workplace by Facebook
- Adobe EchoSign --> Adobe Sign
The following apps have been updated:
- Adobe Sign
- Yahoo Mail
- Igloo (app icon only)
- AVG CloudCare
- QuickBooks Online
- EMC
- Redhat Support (Customer Portal)
New Features - Centrify Privilege Service
AD Account Unlock
- Provides administrator-assisted AD account unlock or automated unlock on CPS operations
- Another use for the domain’s “Administrative Account”
- A New Entitlement “Unlock account” at the domain level allows manual unlocks
- Policy at the domain level allows for automatic unlocks on privilege session or password checkout
Manual Multiplex Account Password Rotation and Swap
- Accelerates the ability to demonstrate password management for Services
- Prior to 17.5, it was not possible to rotate the password of either of the two physical AD accounts that make up a multiplexed account
- The new behavior allows rotation of the account that is not currently in use
- Admins push the new password and Privilege Service does the rest
New Features - Centrify Analytics Service
Download Default Dashboards
Select any number of default dashboards to export. Anyone can upload these dashboards into Analytics Service to customize the default dashboard.
Analytics Service Usage Dashboard
This dashboard helps you understand who is using the Analytics Portal and provides its usage insights.
Added Table View for Insights Widgets
Dashboard widgets can now be toggled to display data in table view.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- In addition to the new user experience in 17.5, numerous changes have been made to improve the responsiveness and performance. Two changes should be significantly faster:
- When changing main navigation tabs that display grids, if the tab has been opened before in this session it should display very quickly the second and subsequent time it is accessed.
- Search and sorting results on main navigation tabs that display grids is also cached, so repeating a search or sort a second time in a session will provide the results quickly.
- Inbound provisioning with Workday now supports setting a date when the user should be created, with the default date of the user’s start date. Previously users were always created on the user’s start date (CC-45723).
- A confirmation email can now be sent to a user after a successful password reset. This option is off by default, but can be enabled in Settings>Authentication>Security Settings (CC-46035).
- Managed device status (i.e. is or isn’t a managed device) can now be used in auth rules for application access (CC-45765).
- When disabled users are deleted in Active Directory they are now correctly deleted from Office 365 if the deprovisioning rule User Deleted in Active Directory > Delete Office 365 Object Account is set to cause it (CC-47436).
- The reset password option is now present for Samsung devices that do not support Android for Work profiles (CC-47067).
- IdP metadata now lists all supported NameID formats (CC-46853).
- The link in the SMS invite for device enrollment for iOS devices now correctly directs users to the App Store to download the Centrify app (CC-46743).
- When IWA is triggered a random Connector will now be chosen. Previously all but one of the Connectors could be chosen due to a math error, meaning that in forests with two Connectors, one was always being chosen (CC-46162).
For security advisories and known issues, please see attached file.
For 17.5 Hot Fix 1 security advisories and known issues, please see attached file.
In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.4 this weekend (Sunday, April 23rd). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
Performance Improvements
Over the past few months our dev team has been laser focused on improving performance throughout the product. We've examined every line of code and tuned the software to run better at scale. It's hard to quantify exact improvements in most cases, but in some areas the improvements are very noticeable. For example, when clicking through to the Activity tab for a given user, the page now loads about 20x faster! We've also made a number of changes to the jobs system and the jobs report used by our provisioning engine. We are excited about these improvements as we feel this focus was needed to better serve our customers.
In addition to the performance improvements, I'm excited about a few smaller features that customers have been waiting for:
- Support for using DN (instead of UPN) as Subject Alternative Name for certificates (contact support if interested and we can enable for your tenant)
- OpenID Connect custom template now supports Hybrid Flow
Mac Improvements
I'm also very excited about the improvements we've made to our Mac product in 17.4. Specifically, we're adding two new capabilities to our Mac support:
- Enroll on Behalf of: The new Centrify Agent now supports enrolling the Mac for a different user. Many of our customers want to have their Admins enroll the Mac before giving the Mac to the end user. The 17.4 agent introduces this capability!
- All new Mac App Management: So you might be saying Centrify already does app management for the Mac, so why is this considered a 'new' feature? Well, with 17.4, we have completely replaced the old Mac app management capabilities and retooled our solution to leverage Munki and AutoPkg, open source tools for app management on Macs. These tools are loved by Mac Admins and are now integrated with our platform to enable automatic installation and update of software on end users' Macs. Admins can now automatically install software on the end users' Macs or make the software available to end users as optional software in the Managed Software Center (Munki client).
We hope you enjoy these new features and look forward to hearing your feedback!
New Features - Centrify Identity Service
Support using DN for Cert Subject Alternative Name
Certificates generated from the tenant CA can use the DN as the Subject Alternative Name (SAN)
- Customer request – many VPN and WiFi devices use this parameter for the username
- Old method was to use the UPN
ZSO on Android without MDM (SSO only mode)
ZSO can now function on Android when not using MDM (SSO Mode)
- This applies to Android only – iOS uses external cert
- External Certs for “is Managed” do not work on Android – enroll Centrify client in SSO mode
Support Split Screen Multi-tasking in iPad Pro
Centrify app can now be used in split-screen mode with the iPad Pro.
Policy to Limit Device Enrollment to Corporate Owned
New policy to limit enrollment to corporate devices
- Do not use Sets with a deny policy to limit corporate enrollment
Mobile UI Improvements for Notifications
- Better display and swipe to delete functionality
- Both iOS and Android Apps have been updated
Centrify Agent for Mac 17.4
- Moved from a .app in 16.12 to a .pkg in 17.4
- Manual update only
- Automatic update coming soon after 17.4
- Added "Enroll On Behalf Of Another User"
- Allows an admin user to enroll another user
Mac App Management (powered by Munki & AutoPkg)
- Old Method Deprecated but still supported
- Policy to enable Managed Software Center installation (AKA Munki Client)
- Centrify Munki & AutoPkg admin tools in the Download Center
- Run munkiimport on an enrolled Mac (requires App Management rights)
- Munki Apps Automatically imported leveraging ZSO
- New App type for Munki Apps
- Application details automatically populated
- Assignment can be done through User Access or through Munki command line
- AutoPkg will automate the population of the App catalog via Recipes
- Enrolled Macs securely authenticated via ZSO cert
- Silent installation of automatic apps
- Catalog of optional apps with categories
- Rich App Store like Enterprise App Store
The following apps have been added to the catalog:
- WordPress
The following apps have been removed from the catalog:
- US Airways
The following apps have been updated:
- MangoApps
- AWS (provisioning + SAML)
- Concur (provisioning + SAML)
- ServiceNow (provisioning + SAML)
- BrowserStack
- Formstack
New Features - Centrify Privilege Service
Access Request for Privilege Roles
- Allows the use of CPS as a workflow engine for CSS resource roles
- Ideally used for temporary access control to individual systems
- Requesters are AD users, the approval chain can contain any type of CIP users
- Permanent, Temporary and Windowed assignments can be requested with approver override
- Support for documenting ticket numbers
- Canned reports to demonstrate “documented approvals”
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- AssertionConsumerServiceIndex is now supported in SAML app advanced scripts to allow choice of which ACS URL a SAML response will be sent to (CC-45125).
- Some jurisdictions’ privacy laws do not allow user location to be tracked or displayed, so a configuration option has been added to allow Centrify Support to disable map and location tracking on a per-customer basis, based on customer request (CC-45760).
- Provisioning job reports have been improved with updated section titles and section order. In addition, the status reported for various issues has been changed as follows (CC-45399, CC-44926):
- User rejected by script was in “user already synced or not updated” and is now in “user skipped”
- Sync user without email was in “user already synced or not updated” and is now in “user failed”
- Sync user with invalid email was in “user already synced or not updated” and is now in “user failed”
- Deprovision user scenario “do not de-provision selected” was not shown, now in “user skipped”
- Deprovision deactivated user “do not de-provision selected” was not shown, now in “user skipped”
- Hybrid flow is now supported for OpenID Connect apps for the following flows: “code id_token”, “code token” and “code id_token token” (CC-40656).
- A policy has been added to Container Settings > Restriction Settings to allow Samsung devices capable of KNOX 2.5 and above to permit use of USB by apps inside the KNOX container (CC-43425).
- The display of the Mobile Authenticator on devices is now controlled by the following policy: Mobile Device Policies > Common Mobile Settings > Security Settings > Show Mobile Authenticator by Default (CC-44270).
- Per-app policy (both the policy rules and the default profile) and VPP can now be configured by users that have only the Application Management right (CC-43779, CC-45403).
- Support has been added for multiple versions of an in-house Android app, with role membership determining which version is made available to a particular device (CC-43131).
- Google has rebranded “Android for Work” as “Android Management” and this change is reflected in 17.4 (CC-44164).
- Enrollment notification date/time now shows in local time, previously it was shown in UTC (CC-43938).
- The policy compliance status is now shown correctly for Samsung KNOX devices (CC-45512).
- App gateway launch events are now included in the user activity report (CC-45266).
- Enabled support for TLS 1.1 and 1.2 for both the cloud service and the Connector (CC-44120, CC-46930). Note that TLS 1.0 and 1.1 have since been deprecated by RFC 8996; prefer TLS 1.2 or later.
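The AssertionConsumerServiceIndex item above concerns how an IdP decides where to POST a SAML Response. The following is an added illustration of that protocol mechanism in Python, not Centrify's advanced-script API or any Centrify code: the SP metadata, the AuthnRequest builder and all URLs are constructed samples. The security-relevant check is that the index form resolves the ACS URL from the SP's registered metadata, and that a URL supplied in the request is only honoured if it is registered for that SP; otherwise an attacker could redirect assertions to a host they control.

```python
"""Resolve the Assertion Consumer Service (ACS) a SAML Response is sent to.

Added example (not Centrify code). SP metadata, AuthnRequests and URLs
below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata registering two ACS endpoints with explicit indexes.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp-eu.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(**attrs):
    """Build a minimal constructed AuthnRequest carrying the given attributes."""
    extra = " ".join('%s="%s"' % kv for kv in attrs.items())
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_req1" Version="2.0" '
            'IssueInstant="2017-04-01T00:00:00Z" %s/>' % (NS["samlp"], extra))


def registered_acs(metadata_xml):
    """Return ({index: (binding, location)}, default_index) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    endpoints, default = {}, None
    for acs in root.iterfind(".//md:AssertionConsumerService", NS):
        idx = int(acs.get("index"))
        endpoints[idx] = (acs.get("Binding"), acs.get("Location"))
        if acs.get("isDefault") == "true":
            default = idx
    return endpoints, default


def resolve_acs(metadata_xml, authn_request_xml):
    """Pick the ACS Location for the Response.

    Raises ValueError for anything the IdP must refuse: an index the SP did
    not register, or an AssertionConsumerServiceURL that is not one of the
    SP's registered Locations.
    """
    endpoints, default = registered_acs(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    idx = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    if idx is not None:
        # Index form: the URL always comes from metadata, never from the request.
        if int(idx) not in endpoints:
            raise ValueError("unknown AssertionConsumerServiceIndex %s" % idx)
        return endpoints[int(idx)][1]
    if url is not None:
        # URL form: accept only a Location the SP registered.
        if url not in {loc for _, loc in endpoints.values()}:
            raise ValueError("AssertionConsumerServiceURL not registered: %s" % url)
        return url
    if default is None:
        raise ValueError("no default ACS in SP metadata")
    return endpoints[default][1]


def is_rejected(metadata_xml, authn_request_xml):
    """True if the IdP would refuse to send a Response for this request."""
    try:
        resolve_acs(metadata_xml, authn_request_xml)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_acs(SP_METADATA, authn_request(AssertionConsumerServiceIndex="1")))
    print(is_rejected(SP_METADATA, authn_request(
        AssertionConsumerServiceURL="https://attacker.example.test/acs")))
```

Real deployments also need the request's Issuer matched to the metadata entityID before any of this, and the AuthnRequest signature verified if the SP signs requests; those steps are omitted here to keep the ACS selection logic in focus.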
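The OpenID Connect hybrid-flow item above (“code id_token”, “code token”, “code id_token token”) is only safe for a client if it verifies the hashes that bind the front-channel artefacts to the ID Token: c_hash for the authorization code and at_hash for the access token, as defined in OpenID Connect Core 1.0 (sections 3.3.2.10 and 3.3.2.11). The code below is an added example of both sides of that check, not Centrify code; the issuer, subject, code and access-token values are constructed. It generalises slightly beyond the page by covering all three response types, including the “code token” case where no ID Token is returned from the authorization endpoint and the binding check has to wait for the token endpoint.

```python
"""c_hash / at_hash generation and verification for OIDC hybrid flow.

Added example (not Centrify code). Hash the ASCII value with the hash
algorithm of the ID Token's alg (RS256 -> SHA-256), keep the left-most
half of the digest, base64url-encode without padding.
"""
import base64
import hashlib
import hmac

# Constructed sample values, in the shape the spec examples use.
SAMPLE_CODE = "SplxlOBeZQQYbYS6WxSbIA"
SAMPLE_ACCESS_TOKEN = "2YotnFZFEjr1zCsicMWpAA"

_HASH_FOR_ALG = {
    "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def half_hash(value, alg="RS256"):
    """Left-most half of hash(value), base64url without padding."""
    digest = hashlib.new(_HASH_FOR_ALG[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def build_id_token_claims(code=None, access_token=None, alg="RS256", **claims):
    """OP side: the claims an ID Token issued from the authorization endpoint
    must carry for whichever artefacts accompany it."""
    payload = dict(claims)
    if code is not None:
        payload["c_hash"] = half_hash(code, alg)
    if access_token is not None:
        payload["at_hash"] = half_hash(access_token, alg)
    return payload


def _matches(claim_value, expected):
    # Constant-time compare; a missing or non-string claim never matches.
    if not isinstance(claim_value, str):
        return False
    return hmac.compare_digest(claim_value.encode("utf-8"), expected.encode("ascii"))


def verify_hybrid_response(response_type, id_token_claims, code=None,
                           access_token=None, alg="RS256"):
    """RP side: True only if every artefact returned next to the ID Token is
    bound to it. Raises ValueError for "code token", which returns no ID
    Token from the authorization endpoint, so there is nothing to check here
    (the client must instead verify what the token endpoint returns)."""
    parts = set(response_type.split())
    if "id_token" not in parts:
        raise ValueError("no front-channel ID Token for response_type %r" % response_type)
    if "code" in parts:
        if code is None or not _matches(id_token_claims.get("c_hash"), half_hash(code, alg)):
            return False
    if "token" in parts:
        # at_hash is REQUIRED in hybrid flow when an access token is returned.
        if access_token is None or not _matches(id_token_claims.get("at_hash"),
                                                half_hash(access_token, alg)):
            return False
    return True


def front_channel_check_applies(response_type):
    """True for the hybrid response types whose ID Token can be checked here."""
    return "id_token" in response_type.split()


if __name__ == "__main__":
    claims = build_id_token_claims(code=SAMPLE_CODE, access_token=SAMPLE_ACCESS_TOKEN,
                                   iss="https://op.example.test", sub="alice")
    print(claims)
    print(verify_hybrid_response("code id_token token", claims,
                                 code=SAMPLE_CODE, access_token=SAMPLE_ACCESS_TOKEN))
    print(verify_hybrid_response("code id_token token", claims,
                                 code="attacker-injected-code", access_token=SAMPLE_ACCESS_TOKEN))
```

The ID Token's signature, issuer, audience, nonce and expiry must of course be validated before these claims are trusted; this block only covers the binding step that is specific to the hybrid flow.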
For security advisories and known issues, please see attached file.
For 17.4 Hot Fix 1 security advisories and known issues, please see attached file.
For 17.4 Hot Fix 2 security advisories and known issues, please see attached file.
For 17.4 Hot Fix 3 security advisories and known issues, please see attached file.
For 17.4 Hot Fix 4 security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.3 this weekend (Sunday, March 26th). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
Updated Dashboards
Admins will notice right away that the dashboards now include a loading indicator bar (you will see a green bar at the top of the dashboard indicating the progress of the data being presented). In addition, we've made the following changes to the included dashboards:
- The Security Dashboard now only reflects denied access events (logins, access to apps or infrastructure, and self-service).
- The successful access events from that dashboard now appear in a new dashboard called "User Logins".
- The "User Activity" dashboard has been renamed to "User Login Map" to better reflect what that dashboard provides.
Windows 10 MDM (Preview)
As you know, Centrify Identity Service includes a fully-featured Enterprise Mobility Management solution. For years, we have differentiated our product in the IDaaS market by including rich mobile device management capabilities for Android, iOS and Mac. With 17.3, we have a preview feature, which can be enabled by contacting Support, that extends these capabilities to Windows 10 devices. Remember, the Windows 10 OS is the same across all supported devices (desktops, laptops, tablets, Surface and mobile)! The feature is enabled via policy, which when enabled allows users to enroll their Windows 10 PCs!
Device enrollment is agentless and once done, users will be able to locate, lock, wipe and reset the passwords for those devices through the User Portal. In addition, enrolled devices will get a ZSO certificate from Centrify enabling easy and secure access to applications without passwords!
We hope you enjoy these new features and look forward to hearing your feedback!
New Features - Centrify Identity Service
Updated Dashboards
- Dashboards have been improved with new loading indicator bar
- “User Activity” dashboard has been renamed to “User Login Map”
- Changes to Security Dashboard:
- Dashboard now reflects denied events only
- Successful events are now displayed in a new “User Logins” Dashboard
OATH Management Rights
OATH Management (add/delete) rights now available to Users with the following rights:
- User Management (new)
- Sysadmin (system generated Admin Role)
Policy to Display Password Expiration Notification on Mobile
New policy to control whether enrolled mobile devices warn the user that their password needs to be reset
- Policies > User Security Policies > Password Settings
Apple VPP v2 Support
Now supporting the latest features of Apple VPP (Volume Purchase Program)
- License config is done per-app
- Support both old “redemption code” method and new token method
- For more information, please see the Apple VPP site
Preview: CIP Support for Windows
- CIP Supports Windows 10 MDM
- Desktops, laptops, Surface, tablets and mobile
- Policy to enable Windows Enrollment and Portal Prompt
- Agentless enrollment
- ZSO certificate deployed
- Locate, Lock, Wipe, Reset Password
- Please contact Centrify Support to enable this preview feature
The following apps have been added to the catalog:
- Yardi eLearning (SAML)
- Palo Alto Networks firewalls (SAML)
- Subscribe HR (SAML)
The following apps have been updated:
- BrainStorm QuickHelp (SAML)
- Salesforce (Provisioning + SAML)
- 15Five (SAML)
- Dropbox (Provisioning + SAML)
- Citrix ShareFile
- Publix
- RackSpace Cloud Control Panel
- HootSuite
- SendGrid
- US Airways
- DocuSign (user-password only)
- ServiceNow (user-password only)
- Hy-Vee
The following apps have been renamed:
- Google Apps -> G Suite
New Features - Centrify Privilege Service
HP NonStop OS Support
Shared Account Password Management for:
- SUPER.SUPER account
- Alias accounts
- User accounts
Session:
- SSH Session access (shared account/manual login)
- Requires SSH daemon and SafeGuard enabled
New Entitlement – View Permission
- Limits visibility of objects to users or role assignees
- Allows for the enforcement of the least access/least privilege model
- Enhances the capabilities of Sets (static sets can be used to set visibility)
- Enhanced Permissions tab shows:
- Who has access
- What entitlements
- Inherited from what role(s)
- Enhances the new “Privilege Service User” administrative right.
Administrative Rights Changes
- "Privilege Management (Limited)" is now called “Privilege Service Power User”
- "Privilege Management" is now called “Privilege Service Administrator”
- "Privilege Management (Portal Login)" is now called “Privilege Service User Portal”
- A new administrative right “Privilege Service User” has been introduced to enforce least access administration
Privilege Service User – UI
- Reduced Menus
- PSU role will only see a reduced number of menus
- No Dashboard, Database, etc.
- Least Access
- PSU role assignees can only see resources that have been explicitly granted view permission
- Settings Tab
- PSU role assignees will only see the local client preferences
Local Client for RDP
- Allows end-users to launch Windows Remote Desktop sessions using the local client (mstsc.exe)
- This is the preferred method for high-performance and scalable RDP access
- Uses the Centrify Connector as a proxy to connect to Windows resources
- Optional Local Client Launcher for a streamlined experience
Centrify Agent for Linux
- In CPS on-premises deployments, functionality has been added to check the back-end server version
- This is to make sure the agent is compatible with newer functionality (e.g. sets, view permission, etc.)
- Checks are performed during enrollment, startup and upgrade
- A new CLI option for cinfo (--platform-version) has been added to manually check the version of the back-end CPS server
New GA - Centrify Analytics Service
Analytics Service can be enabled for existing Centrify Identity Service / Centrify Privilege Service Customers.
Contact your sales representative for details. Analytics Portal will be part of the menu dropdown after this service is enabled.
Real-time Access Insights
- Real-time toolkit for analyzing the access behavior of Apps and Infrastructure
- 12 Widget Types
- 7 Real-time Dashboards – Risk, User Experience, Endpoints, MFA, Resources, Apps, User Insights
- Drill down for detailed analysis
- Custom Dashboard Builder
- Export / Import Dashboards
- Uses Time, Location and Device Macro dimensions to analyze access behavior
Risk-based Access
- Profile the behavior of a user and detect anomalies using machine learning. Authentication profiles can be triggered based on:
- High Risk
- Medium Risk
- Low Risk
- Integrates with existing Rules for Portal, App or Resource access
Dynamic Events Explorer
- Real-Time Events Explorer for administrators to investigate access anomalies/behaviors
- Ability to Investigate the nature of an Anomaly
- Real-time toolkit for exploring access behavior
- Events Cross-filtering
- Dynamic Widgets – over 12 included
- Custom query generator
- Export / Import query
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Standard variables that represent user properties can now be used in app restrictions in Android for Work (CC-43423). Currently supported variables are:
  - sAMAccountName
  - UserPrincipalName
  - Name
  - Mail
  - DisplayName
  - Description
- Administrators can now configure the attribute used for the user name sent to RADIUS for third party MFA configuration (CC-44919).
- Can now re-register a Connector from the Connector configuration UI without having to restart the configuration UI (CC-44045).
- The following Centrify Privilege Service administrative rights have been renamed (CC-43925):
  - Privilege Management (Limited) is now called Privilege Service Power User
  - Privilege Management is now called Privilege Service Administrator
  - Privilege Management (Portal Login) is now called Privilege Service User Portal
  - A new administrative right, Privilege Service User, has been introduced to enforce least access administration. Roles granted the Privilege Service User administrative right will only be able to view the system menus that correspond to objects that they can access, and the settings page will be limited to their local client preferences.
- In this release only the following policies contribute to the policy compliance status calculation (CC-45484):
  - iOS passcode
  - iOS restriction settings
  - KNOX device restrictions
  - KNOX device security settings
  - KNOX device password settings
  - KNOX workspace container passcode settings
  - KNOX workspace container restriction settings
  - Location tracking enablement (excluding Admin location setting)
- When a conflict is detected during a provisioning sync operation the correct UPN is now set for the user (CC-40777).
- Zero Sign-On login from an enrolled iOS or Android device can now identify the enrolled device; this allows policies that restrict access only to enrolled devices (for example) to correctly determine a device’s access (CC-38798).
- The Firefox browser extension install instructions have been updated to reflect new install steps (CC-31958).
- System-managed groups have been removed from provisioning options for the Dropbox app as membership of these cannot be modified (CC-43906).
- Corporate-owned devices can now be tagged as corporate instead of personal after self-service enrollment based on a serial number list of corporate-owned devices uploaded to the admin portal (CC-44277).
- Apps launched through the app gateway are now correctly shown in the Frequently Used and Recent lists in the User Portal (CC-39239).
- Exchange ActiveSync profiles now correctly show status, previously the status was always pending (CC-44465).
- Report folders can now be deleted in the Admin Portal (CC-44286).
- Full preview syncs with the Office 365 app in hybrid sync mode now correctly show the number of synced, failed and skipped users and groups (CC-44461).
- SMS enrollment invites are now sent in the language used by the user in the User Portal (CC-44787).
- A policy script to block Microsoft.Exchange.MAPI has been added to the Office 365 app (CC-44204).
- The “Items Up To Date” value is now correct after a sync failure (CC-44654).
- In the device list the “Compliance” column now shows “Compliant” for compliant devices instead of a blank (CC-44476).
For security advisories and known issues, please see attached file.