
Centrify 17.11 Release Notes

11 April,19 at 11:50 AM

New Features - Centrify Application Services (formerly known as Identity Services)


Conditional Access for Endpoints and Infrastructure


Improved interaction with Infrastructure Services and Endpoint Services.

    • Previous support was always-on MFA
    • Now supports conditional access / adaptive MFA


Customization of SMS Messages


Added support for customization of SMS messages.

  • MFA Challenge
  • MFA Challenge for RADIUS
  • Device Enrollment

Includes new “tiny URL” support.

  • Reduced URLs from variable length of ~100 characters to 36 characters

Easy to customize in any of the supported languages.





Old SMS with long URL



17.11 New SMS with short URL


FIDO U2F Support


Added support for FIDO Universal 2nd Factor:


  • Users can now self-register their U2F Security Keys
  • Once registered, users can use these keys as an authentication mechanism.



Support for Multiple AWS Root Accounts


Updated Browser Extension and App template to support logging into multiple AWS Root Accounts.

  • Template update:  new field for Account ID
  • Browser Extension update: now detects if you are logged in to AWS, and will log you out in order to log into the correct account




Active Users Dashboard Widget


Easy for Admins to find out how many user licenses they are using.

  • Overview Dashboard now contains “Active Users” widget

Active Users = users who have authenticated through the service in the last 30 days.





Updates to OAuth (Preview)


Several enhancements to our OAuth implementation:

  • Scopes now defined in-line in the OAuth App
    • Settings menu for Scopes has been removed
  • New OAuth Client App
    • Ability to get Bearer Token for Client app
  • Ability to generate Password for Confidential Clients
    • Bonus feature: this is available for setting the password for ALL users



New Features - Centrify Endpoint Services


Password Checkout for Managed Local Admin Account (Mac)


Admins retrieving the LAPM password are now checking out the password:

  • Password is rotated based on time interval in policy
  • UI will change from "get" to "checkout" in 18.1
  • Tip: use Password Generation Profiles to simplify the LAPM Password




Derived Credentials integration with Intercede MyID


You can now use Intercede MyID for Derived Credentials.

  • Enabled via Policy
  • Intercede libraries compiled into Centrify's iOS and Android apps
  • Scan QR code to add Intercede MyID Derived Credential
  • Both Intercede and Centrify's Derived Credential can be on the device together
  • Removes the need for an entitlement to enable Derived Credential




The following apps have been added to the catalog:

  • SpaceIQ (SAML)
  • Constant Contact (User/Password) – re-added

The following apps have been updated:

  • Amazon Web Services Console for IAM Users (User/Password)
  • Box (SAML+Provisioning) – documentation update only
  • FedEx (User/Password)
  • G Suite (SAML+Provisioning) – documentation update only
  • Humanity (SAML) – documentation update only
  • Zoom (SAML) – documentation update only
  • Zoho (SAML) – documentation update only


The following apps have been removed:

  • ProofHQ



New Features - Centrify Infrastructure Services (formerly known as Privilege Service)



Core Services Changes – Login Policies 


  • Policies – 17.11 changes:
    • Login Policies
      • Portal Policies are now separate
      • (New) UNIX and Windows Servers section
      • (New) Windows Workstations section
    • (New) Privilege Elevation Policies



  • Changes the way MFA is set up
  • Provides flexibility and future capabilities
    • E.g. challenge for MFA only on weekends and outside business hours
  • Existing customers:
    • An “Auto generated” policy will be created automatically on first use



Active Directory - Automatic Account Maintenance


  • Prior to 17.11, the target AD account password was used for SAPM operations
  • Earlier this year, we introduced the Active Directory administrative account to support operations (unlock, zone role)
  • Starting with 17.11, a new Policy is introduced: “Automatic Account Maintenance using Administrative Account”
  • When enabled, CPS uses the Administrative Account for SAPM operations
    Note: This policy has to be explicitly turned on.
  • This greatly simplifies the process of adding AD accounts to Privilege Service
  • In this release, we introduce a new domain permission “Add Account.”

    This permission is required for CPS administrators that have to add managed or unmanaged Active Directory account passwords into CPS.

    Existing users (even if they have the Privilege Service Administrator entitlement) will not be able to add Active Directory accounts until they explicitly add the permission under the target domain’s permissions tab.




New Features - Centrify Analytics Services and SIEM


Behavior-based access control for Server Access (Alpha Release)


  • Centrify Infrastructure Services Standard / Enterprise Customers can:
    • Enable Behavior-based access control for every server access – login / privilege elevation
    • Easily understand Server Access within their Enterprise (with Insights)
    • Identify anomalous Server Access (with Explorer) based on past behavior on:
      • Time, Command, Target Server, Account, etc.
    • Forward Centrify Audit Events to Analytics Service via Centrify Sensor




Centrify Identity Platform Splunk Integration (Beta Release)


  • Centrify Syslog Writer
    • Easy-to-install Docker container that works on Windows Server 2012, RHEL 6, RHEL 7
    • Gets Centrify Identity Platform access events (App Launches, Portal Access etc.) and forwards to a Syslog Server
  • Centrify Identity Platform Splunk Add-On
    • Normalizes Centrify Identity Platform events in Splunk



Resolved Issues and Behavior Changes


The following list records issues resolved in this release and behavior changes.


  • A maximum of 20 devices may now be enrolled for each user. This is only enforced at enrollment time, so any devices already enrolled are unaffected (CC-53044).
  • This release adds support for FIDO U2F authentication; however, this is only supported natively on Chrome and Opera (CC-50450).
  • When capturing an app using the browser extension for Firefox, it is now possible to specify additional fields (CISSUP-3460, CC-52619).
  • Launching JIRA with IdP-initiated SSO now functions correctly (CC-52788).
  • It is now possible to search for an app in the User Portal simply by typing its name. Hitting enter launches the app if there’s only one search result (CC-42822).
  • With Safari 11 on a Mac, it is now possible to expand the Provisioning Script panel in the Provisioning tab (CC-52399).
  • The email notification results from OATH token bulk import have had duplicates removed and are now accurate (CISSUP-3492, CC-52975).
  • When uploading a certificate for a SAML application, the newly uploaded certificate is automatically selected for the app (CC-47919).
  • Users are now de-provisioned correctly from custom SAML apps that use SCIM for provisioning (CC-52473).
  • When using MFA, bad passwords are now logged as events when a password is the first challenge and the user failed to complete other challenges (CISSUP-3456, CC-52627).
  • Revised, more intuitive UI for providing a date range for report generation (CC-52522).
  • Users that are created and added to a provisioning role before any invitation has been sent by the admin are no longer shown as having a last invite date/time (CISSUP-3495, CC-52937).
  • The policy summary no longer shows an Organizational Unit (OU) when no longer using device policy management Active Directory policy (CC-52252).
  • When using App Store apps purchased under a Volume Purchase Plan (VPP), license details are now shown for apps from all app stores, not just the US (CISSUP-3427, CISSUP-3079, CC-52356).
  • The option “Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role” is now checked by default for all provisioning apps (CC-51904).



For security advisories and known issues, please see attached file.


Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.