Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

Centrify 17.4 and 17.4 Hotfix Release Notes

11 April,19 at 11:50 AM

New Features - Centrify Identity Service


Support using DN for Cert Subject Alternative Name 


Certificates generated from tenant CA will use DN for SA

  • Customer request – many VPN and WiFi devices use this parameter for the username
  • Old method was to use the UPN


ZSO on Android without MDM (SSO only mode)


ZSO can now function on Android when not using MDM (SSO Mode)

  • This applies to Android only – iOS uses external cert
  • External Certs for “is Managed” do not work on Android – enroll Centrify client in SSO mode


Support Split Screen Multi-tasking in iPad Pro


Centrify app can now be used in split-screen mode with the iPad Pro.





Policy to Limit Device Enrollment to Corporate Owned


New policy to limit enrollment to corporate devices

  • Do not use Sets with a deny policy to limit corporate enrollment





Mobile UI Improvements for Notifications


  • Better display and swipe to delete functionality
  • Both iOS and Android Apps have been updated






Centrify Agent for Mac 17.4


  • Moved from a .app in 16.12 to a .pkg in 17.4
  • Manual update only
  • Automatic update coming soon after 17.4
  • Added "Enroll On Behalf Of Another User"
  • Allows an admin user to enroll another user


Mac App Management (powered by Munki & AutoPkg)




  • Old Method Deprecated but still supported
    munki2 - oldmethod.gif
  • Policy to enable Managed Software Center installation (AKA Munki Client)
    munki3 - policy to enable.png
  • Centrify Munki & AutoPkg admin tools in the Download Center
    munki4 - centrify munki and autopkg.png
  • Run munkiimport on an enrolled Mac (requires App Management rights)
  • Munki Apps Automatically imported leveraging ZSO
  • New App type for Munki Apps
    munki5 - zso.gif
  • Application details automatically populated
  • Assignment can be done through User Access or through Munki command line
  • AutoPkg will automate the population of the App catalog via Recipes
    munki6 - application details.gif
  • Enrolled Macs securely authenticated via ZSO cert
  • Silent installation of automatic apps
  • Catalog of optional apps with categories
  • Rich App Store like Enterprise App Store



The following apps have been added to the catalog:

  • WordPress


The following apps have been removed from the catalog:

  • US Airways


The following apps have been updated:

  • MangoApps
  • Twitter
  • AWS (provisioning + SAML)
  • Concur (provisioning + SAML)
  • ServiceNow (provisioning + SAML)
  • BrowserStack
  • Formstack


New Features - Centrify Privilege Service


Access Request for Privilege Roles


  • Allows the use of CPS as a workflow engine for CSS resource roles
  • Ideally used for temporary access control to individual systems
  • Requesters are AD users, the approval chain can contain any type of CIP users
  • Permanent, Temporary and Windowed assignments can be requested with approver override
  • Support for documenting ticket numbers
  • Canned reports to demonstrate “documented approvals”



Resolved Issues and Behavior Changes


The following list records issues resolved in this release and behavior changes.


  • AssertionConsumerServiceIndex is now supported in SAML app advanced scripts to allow choice of which ACS URL a SAML response will be sent to (CC-45125).
  • Some jurisdictions’ privacy laws do not allow user location to be tracked or displayed, so a configuration option has been added to allow Centrify Support to disable map and location tracking on a per-customer basis, based on customer request (CC-45760).
  • Provisioning job reports have been improved with updated section titles and section order. In addition, the status reported for various issues has been changed as follows:
    • User rejected by script was in “user already synced or not updated” and is now in “user skipped”
    • Sync user without email was in “user already synced or not updated” and is now in “user failed”
    • Sync user with invalid email was in “user already synced or not updated” and is now in “user failed”
    • Deprovision user scenario “do not de-provision selected” was not shown, now in “user skipped”
    • Deprovision deactivated user “do not de-provision selected” was not shown, now in “user skipped”
      (CC-45399, CC-44926).
  • Hybrid flow is now supported for OpenID Connect apps for the following flows: “code id_token”, “code token” and “code id_token token” (CC-40656).
  • A policy has been added to Container Settings > Restriction Settings to allow Samsung devices capable of KNOX 2.5 and above to permit use of USB by apps inside the KNOX container (CC-43425).
  • The display of the Mobile Authenticator on devices is now controlled by the following policy: Mobile Device Policies > Common Mobile Settings > Security Settings > Show Mobile Authenticator by Default (CC-44270).
  • Both policy rules and default profile for per-app policy, and VPP can now be set by users that have only the Application Management right (CC-43779, CC-45403).
  • Support has been added for multiple versions of an in-house Android app, with role membership determining which version is made available to a particular device (CC-43131).
  • Google has rebranded “Android for Work” as “Android Management” and this change is reflected in 17.4 (CC-44164).
  • Enrollment notification date/time now shows in local time, previously it was shown in UTC (CC-43938).
  • The policy compliance status is now shown correctly for Samsung KNOX devices (CC-45512).
  • App gateway launch events are now included in the user activity report (CC-45266).
  • Enabled support for TLS 1.1 and 1.2 to both cloud and Connector (CC-44120, CC-46930).


 For security advisories and known issues, please see attached file.


For 17.4 Hot Fix 1 security advisories and known issues, please see attached file.

For 17.4 Hot Fix 2 security advisories and known issues, please see attached file.

For 17.4 Hot Fix 3 security advisories and known issues, please see attached file.

For 17.4 Hot Fix 4 security advisories and known issues, please see attached file.


Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.

Related Articles

No related Articles