New Features - Centrify Identity Service

 

Component Name Changes

 

Product component names have been rebranded to create a single name that works across on-premises and cloud deployments.

• Cloud Manager is now Admin Portal
• Cloud Connector is now Centrify Connector

 

 

Centrify Browser Extension Form-Fill Preview

 

Form-Fill allows users to go directly to username / password app and login through Centrify (without going to the User Portal).

 

Preview is now available for:

• Firefox (Beta)
• IE (Beta)
• Chrome (Alpha)

Administrators can access preview release files from the Downloads menu:

 

 

 

 

Windows MFA

 

We are extending our MFA Everywhere initiative to include Windows Login

 

• MFA for Windows Login now includes Windows endpoints (in addition to Servers)
• Windows Agent is now available from the Downloads Menu
  

• Windows MFA will require a new Endpoint license (contact your account team to learn more)

 

Policy Compliance

 

Devices will now check for policy compliance

• A new Compliance column has been added to the Devices tab
  

 

 

Aggregate Map of Device Locations

 

Administrator can Toggle between list view and Map view

• Views will show all devices that have opted-in or Forced for Admin location sharing
• Toggle is hidden until device location tracking policy is enabled

 

 

 

Notifications Menu

 

Notifications are now consolidated into their own section in the app.

 

 

  

The following apps have been updated:

• Druva inSync

 

 

New Features - Centrify Privilege Service

 

The Centrify Agent for Linux

 

The new Centrify Agent for Linux replaces and extends the functionality found formerly in the CLI Toolkit.  In addition to the application-to-application password management (AAPM) features, the agent brokers authentication (logon) with supported Linux systems for identities known to CPS.  Supported identity providers in this release include:

• Active Directory
• LDAP
• Centrify Directory

 

 

 

The new agent enables logon for Active Directory users on Linux systems that cannot be joined to the Active Directory domain.  These could include servers hosted by an IaaS provider; servers within a virtual private cloud; or even servers on-premises, such as those in a network DMZ.

 

Manage Account Passwords for SQL Server Clusters

 

Privilege Service now manages account passwords for Microsoft SQL Server™ in both single-server and clustered modes of operation. 

 

 

 

For Windows authentication with SQL Server, account passwords can be synchronized for SQL Server clusters using:

• Failover clustered instances (FCI)
• Database mirroring
• AlwaysOn availability groups
• Log shipping
• Any combination of these features

For SQL Server “mixed mode” authentication, failover clustered instances are supported.

 

End of Life Notice

 

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit has been removed from CPS in this release. Similar functionality to that in the CLI Toolkit is available in the new command-line tools in the Centrify Agent.  This functionality includes the application-to-application password management (AAPM) and agent authentication features.

 

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2016. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Agent feature set as of Server Suite 2017.

 

Centrify strongly recommends that customers use the new Centrify Agent feature set in this release.

 

Changes to CLI Commands in the Centrify Agent

A new service account will be used to join a computer to the customer’s Centrify tenant.  The "service account" will be a Centrify Directory user account with a name like

 

{hostname}$@{tenant.alias}.

 

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

 

There is no requirement for the computer to be joined to an Active Directory domain in order to use the new Centrify Agent.

 

Platform Support Changes

Centrify Connector
Windows Server 2016 is now supported as a Centrify Connector platform.

Centrify Agent
The Centrify Agent supports the following Linux platforms:

Platform	AAPM	Agent Authentication
Red Hat Enterprise Linux 6.8, 7.3	✓	✓
CentOS 6.8, 7.2	✓	✓
Oracle Linux 6.8, 7.2	✓
Amazon Linux	✓	✓
SLES 12 SP1	✓
Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS	✓

 

Note: Upgrading from the CPS CLI Toolkit to the Centrify Agent for Linux is not supported. Please ensure the CLI Toolkit is removed before the Centrify Agent for Linux is installed.

  

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

• The Downloads page now includes the option to download preview releases of browser extensions for supported browsers (CC-42370).
• IWA now works through HTTPS where the Centrify connector is joined to a child domain (CC-40905).
• Sync options can now be modified on the provisioning page for the Qmarkets app where it is supported by the app (CC-39445).
• The synced user’s email is now correctly updated in the Zendesk provisioning app if it has been modified (CC-38949).
• When a provisioned user’s phone numbers are removed they are now correctly removed from Samanage (CC-38105).
• In an app’s policy tab, “Login Authentication Rules” has been renamed “Application Challenge Rules” to better describe its purpose and remove any confusion with the user security policy of the same name (CC-42060).
• By default, all newly deployed provisioning applications have the “Do not de-provision…” option checked in the Provisioning tab. Settings for applications that were deployed in a previous release will not be modified (CC-39227).
• All installed apps are now correctly shown for Android devices (CC-41720).
• The system configuration tab is now shown for system admins when the settings page is refreshed (CC-41042).
• App gateway diagnostics, accessible from an app’s App Gateway tab, now complete correctly (CC-41504).
• The “Active Devices Not Seen in the Last Seven Days” report once again provides the expected list (CC-41817).
• The policy compliance report now shows non-MDM policies on Android devices (CC-41983).
• The Chrome browser is now disabled on a Samsung KNOX device when Google Apps are disallowed by a policy setting (CC-41989).
• A “view” action has been added to the reports in the built-in security reports page actions menu (CC-41812).
• Devices can once again be enrolled from an SMS invitation message (CC-42774).
• All Webex attributes are now correctly being set when set in the provisioning script (CC-42818).
• Incremental provisioning syncs no longer get randomly stuck (CC-42265).
• Fixed a message in job history when syncing an AD group with an invalid email for the Box app (CC-40589).
• The correct count is now displayed in the device enrollment history in the mobile overview dashboard (CC-42058).
• Sync reports now no longer report federated users that are not configured for provisioning (CC-37271).

 

 

For security advisories and known issues, please see attached file.

 

For 16.11 Hot Fix 1 security advisories and known issues, please see attached file. 

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.