New Features - Centrify Identity Service
Updated Dashboards
- Dashboards have been improved with new loading indicator bar
- “User Activity” dashboard has been renamed to “User Login Map”
- Changes to Security Dashboard:
- Dashboard now reflects denied events only
- Successful events are now displayed in a new “User Logins” Dashboard

OATH Management Rights
OATH Management (add/delete) rights now available to Users with the following rights:
- User Management (new)
- Sysadmin (system generated Admin Role)

Policy to Display Password Expiration Notification on Mobile
New policy to control whether enrolled mobile devices warn user that password needs to be reset
- Policies > User Security Policies > Password Settings

Apple VPP v2 Support
Now supporting the latest features of Apple VPP (Volume Purchase Program)
- License config is done per-app
- Support both old “redemption code” method and new token method
- For more information, please see the Apple VPP site

Preview: CIP Support for Windows
- CIP Supports Windows 10 MDM
- Desktops, Laptop, Surface, Tablet and Mobile
- Policy to enable Windows Enrollment and Portal Prompt
- Agentless enrollment
- ZSO certificate deployed
- Locate, Lock, Wipe, Reset Password
- Please contact Centrify Support to enable this preview feature
The following apps have been added to the catalog:
- Yardi eLearning (SAML)
- Palo Alto Networks firewalls (SAML)
- Subscribe HR (SAML)
The following apps have been updated:
- BrainStorm QuickHelp (SAML)
- Salesforce (Provisioning + SAML)
- 15Five (SAML)
- Dropbox (Provisioning + SAML)
- Citrix ShareFile
- Publix
- RackSpace Cloud Control Panel
- HootSuite
- SendGrid
- US Airways
- DocuSign (user-password only)
- ServiceNow (user-password only)
- Hy-Vee
The following apps have been renamed:
New Features - Centrify Privilege Service
HP NonStop OS Support
Shared Account Password Management for:
- SUPER.SUPER account
- Alias accounts
- User accounts
Session:
- SSH Session access (shared account/manual login)
- Requires SSH daemon and SafeGuard enabled

New Entitlement – View Permission
- Limits visibility of objects to users or role assignees
- Allows for the enforcement of the least access/least privilege model
- Enhances the capabilities of Sets (static sets can be used to set visibility)
- Enhanced Permissions tab shows:
- Who has access
- What entitlements

- Inherited from what role(s)

- Enhances the new “Privilege Service User” administrative right.
Administrative Rights Changes
- "Privilege Management (Limited)" is now called “Privilege Service Power User”
- "Privilege Management" is now called “Privilege Service Administrator”
- "Privilege Management (Portal Login)" is now called “Privilege Service User Portal”
- A new administrative right “Privilege Service User” has been introduced to enforce least access administration

Privilege Service User – UI
- Reduced Menus
- PSU role will only see a reduced number of menus
- No Dashboard, Database, etc.
- Least Access
- PSU role assignees can only see resources that have been explicitly granted view permission
- Settings Tab
- PSU role assignees will only see the local client preferences

Local Client for RDP
- Allows end-users to launch Windows Remote Desktop sessions using the local client (mstsc.exe)
- This is the preferred method for high-performance and scalable RDP access
- Uses the Centrify Connector as a proxy to connect to Windows resources
- Optional Local Client Launcher for a streamlined experience

Centrify Agent for Linux
- In CPS on-premises deployments, functionality has been added to check for back-end server version
- This is to make sure the agent is compatible with newer functionality (e.g. sets, view permission, etc.)
- Checks are performed during enrollment, startup and upgrade
- A new CLI option for cinfo (--platform-version) has been added to manually check the version of the back-end CPS server
New GA - Centrify Analytics Service
Analytics Service can be enabled for existing Centrify Identity Service / Centrify Privilege Service Customers.
Contact your sales representative for details. Analytics Portal will be part of the menu dropdown after this service is enabled.

Real-time Access Insights
- Real-time toolkit for analyzing the access behavior of Apps and Infrastructure
- 12 Widget Types
- 7 Real-time Dashboards – Risk, User Experience, Endpoints, MFA, Resources, Apps, User Insights
- Drill down for detailed analysis
- Custom Dashboard Builder
- Export / Import Dashboards
- Uses Time, Location and Device Macro dimensions to analyze access behavior

Risk-based Access
- Profile the behavior of a user and detect anomalies using machine learning. Authentication profiles can be triggered based on:
- High Risk
- Medium Risk
- Low Risk
- Integrates with existing Rules for Portal, App or Resource access

Dynamic Events Explorer
- Real-Time Events Explorer for administrators to investigate access anomalies/behaviors
- Ability to Investigate the nature of an Anomaly
- Real-time toolkit for exploring access behavior
- Events Cross-filtering
- Dynamic Widgets – over 12 included
- Custom query generator
- Export / Import query

Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Standard variables that represent user properties can now be used in app restrictions in Android for Work. Currently supported variables are:
sAMAccountName
UserPrincipalName
Name
Mail
DisplayName
Description
(CC-43423). - Administrators can now configure the attribute used for the user name sent to RADIUS for third party MFA configuration (CC-44919).
- Can now re-register a Connector from the Connector configuration UI without having to restart the configuration UI (CC-44045).
- The following Centrify Privilege Service administrative rights have been renamed:
Privilege Management (Limited) is now called Privilege Service Power User
Privilege Management is now called Privilege Service Administrator
Privilege Management (Portal Login) is now called Privilege Service User Portal
And a new administrative right Privilege Service User has been introduced to enforce least access administration.
Roles granted the Privilege Service User administrative right will only be able to view the system menus that correspond to objects that they can access and the settings page will be limited to their local client preferences (CC-43925).
- In this release only the following policies contribute to the policy compliance status calculation:
iOS passcode
iOS restriction settings
KNOX device restrictions
KNOX device security settings
KNOX device password settings
KNOX workspace container passcode settings
KNOX workspace container restriction settings
Location tracking enablement (excluding Admin location setting)
(CC-45484)
- When a conflict is detected during a provisioning sync operation the correct UPN is now set for the user (CC-40777).
- Zero Sign-On login from an enrolled iOS or Android device can now identify the enrolled device, this allows policies that restrict access only to enrolled devices (for example) to correctly determine a device’s access (CC-38798).
- The Firefox browser extension install instructions have been updated to reflect new install steps (CC-31958).
- System-managed groups have been removed from provisioning options for the Dropbox app as membership of these cannot be modified (CC-43906).
- Corporate-owned devices can now be tagged as corporate instead of personal after self-service enrollment based on a serial number list of corporate-owned devices uploaded to the admin portal (CC-44277).
- Apps launched through the app gateway are now correctly shown in the Frequently Used and Recent lists in the User Portal (CC-39239).
- Exchange ActiveSync profiles now correctly show status, previously the status was always pending (CC-44465).
- Report folders can now be deleted in the Admin Portal (CC-44286).
- Full preview syncs with the Office 365 app in hybrid sync mode now correctly shows the number of synched, failed and skipped users and groups (CC-44461).
- SMS enrollment invites are now sent in the language used by the user in the User Portal (CC-44787).
- A policy script to block Microsoft.Exchange.MAPI has been added to the Office 365 app (CC-44204).
- The “Items Up To Date” value is now correct after a sync failure (CC-44654).
In the device list the “Compliance” column now shows “Compliant” for compliant devices instead of a blank (CC-44476).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.