New Features - Centrify Identity Service
Support using DN for Cert Subject Alternative Name
Certificates generated from the tenant CA will use the DN for the SAN
- Customer request – many VPN and WiFi devices use this parameter for the username
- Old method was to use the UPN
ZSO on Android without MDM (SSO only mode)
ZSO can now function on Android when not using MDM (SSO Mode)
- This applies to Android only – iOS uses external cert
- External Certs for “is Managed” do not work on Android – enroll Centrify client in SSO mode
Support Split Screen Multi-tasking in iPad Pro
Centrify app can now be used in split-screen mode with the iPad Pro.
Policy to Limit Device Enrollment to Corporate Owned
New policy to limit enrollment to corporate devices
- Do not use Sets with a deny policy to limit corporate enrollment
Mobile UI Improvements for Notifications
- Better display and swipe to delete functionality
- Both iOS and Android Apps have been updated
Centrify Agent for Mac 17.4
- Moved from a .app in 16.12 to a .pkg in 17.4
- Manual update only
- Automatic update coming soon after 17.4
- Added "Enroll On Behalf Of Another User"
- Allows an admin user to enroll another user
Mac App Management (powered by Munki & AutoPkg)
- Old Method Deprecated but still supported
- Policy to enable Managed Software Center installation (AKA Munki Client)
- Centrify Munki & AutoPkg admin tools in the Download Center
- Run munkiimport on an enrolled Mac (requires App Management rights)
- Munki Apps Automatically imported leveraging ZSO
- New App type for Munki Apps
- Application details automatically populated
- Assignment can be done through User Access or through Munki command line
- AutoPkg will automate the population of the App catalog via Recipes
- Enrolled Macs securely authenticated via ZSO cert
- Silent installation of automatic apps
- Catalog of optional apps with categories
- Rich, App Store-like Enterprise App Store
The following apps have been added to the catalog:
The following apps have been removed from the catalog:
The following apps have been updated:
- AWS (provisioning + SAML)
- Concur (provisioning + SAML)
- ServiceNow (provisioning + SAML)
New Features - Centrify Privilege Service
Access Request for Privilege Roles
- Allows the use of CPS as a workflow engine for CSS resource roles
- Ideally used for temporary access control to individual systems
- Requesters are AD users, the approval chain can contain any type of CIP users
- Permanent, Temporary and Windowed assignments can be requested with approver override
- Support for documenting ticket numbers
- Canned reports to demonstrate “documented approvals”
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- AssertionConsumerServiceIndex is now supported in SAML app advanced scripts to allow choice of which ACS URL a SAML response will be sent to (CC-45125).
- Some jurisdictions’ privacy laws do not allow user location to be tracked or displayed, so a configuration option has been added to allow Centrify Support to disable map and location tracking on a per-customer basis, based on customer request (CC-45760).
- Provisioning job reports have been improved with updated section titles and section order. In addition, the status reported for various issues has been changed as follows:
  - User rejected by script was in “user already synced or not updated” and is now in “user skipped”
  - Sync user without email was in “user already synced or not updated” and is now in “user failed”
  - Sync user with invalid email was in “user already synced or not updated” and is now in “user failed”
  - Deprovision user scenario “do not de-provision selected” was not shown, now in “user skipped”
  - Deprovision deactivated user “do not de-provision selected” was not shown, now in “user skipped”
- Hybrid flow is now supported for OpenID Connect apps, with the following response types: “code id_token”, “code token” and “code id_token token” (CC-40656).
- A policy has been added to Container Settings > Restriction Settings to allow Samsung devices capable of KNOX 2.5 and above to permit use of USB by apps inside the KNOX container (CC-43425).
- The display of the Mobile Authenticator on devices is now controlled by the following policy: Mobile Device Policies > Common Mobile Settings > Security Settings > Show Mobile Authenticator by Default (CC-44270).
- Policy rules and the default profile for per-app policy, as well as VPP, can now be set by users who have only the Application Management right (CC-43779, CC-45403).
- Support has been added for multiple versions of an in-house Android app, with role membership determining which version is made available to a particular device (CC-43131).
- Google has rebranded “Android for Work” as “Android Management” and this change is reflected in 17.4 (CC-44164).
- Enrollment notification date/time is now shown in local time; previously it was shown in UTC (CC-43938).
- The policy compliance status is now shown correctly for Samsung KNOX devices (CC-45512).
- App gateway launch events are now included in the user activity report (CC-45266).
- Enabled support for TLS 1.1 and 1.2 to both cloud and Connector (CC-44120, CC-46930).
For security advisories and known issues, please see attached file.
For 17.4 Hot Fix 1 security advisories and known issues, please see attached file.
For 17.4 Hot Fix 2 security advisories and known issues, please see attached file.
For 17.4 Hot Fix 3 security advisories and known issues, please see attached file.
For 17.4 Hot Fix 4 security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.