New Features - Centrify Identity Service

 

MFA Policies for User Account Settings

 

MFA Everywhere – now able to set policies requiring step-up authentication for:

• Password changes
  
• Configuring OATH OTP client
  
• Setting Security Question
  
• Modifying Personal Profile
  
  •  All policies under Policies > User Account Settings
  • “Show QR code for self-service” and “OATH OTP Display Name” policies moved from “OATH OTP”
  • “Enable users to change passwords” moved from “Password Settings”

 

Sets Added to Identity Service Tabs

 

Optimized page viewing and performance by grouping large lists into Sets of like items:

• Users
• Apps
• Endpoints
  • Click Set name to filter list
  • Set Default using ellipsis menu
    • All page visits for that user will remember the selection
    • Sets UI slides in and out on click
    • To improve page load performance, choose “Remove as default” (and remove check mark) for page with no results (search only)

 

 

 

Intelligent Selection of Connectors

 

Previously, calls to connectors for IWA and RADIUS were made randomly.  Connectors are now selected based on IP address as follows:

• Choose Connector with matching IP Address
  • Randomly choose between Connectors when there are multiple matches
• Choose Connector with matching sub-net
  • Randomly choose between Connectors when there are multiple matches
• Randomly choose Connector
   

Dropbox Provisioning Support for Union

 

Admins can now choose to provision users into Dropbox using the following options:

• Union of all Groups, or
• Single Group

 

 

  

Improved 3rd Party RADIUS Support

 

When setting up 3rd party RADIUS authentication, some systems do more than a simple username / password authentication and need additional time to complete the request.

 

• Default value of 5 (seconds) is set
• Values from 5 to 55 are valid

 

Admin Control over Signing Certificates

 

Admins can see and manage all certificates in use in their tenants under
Settings > Authentication > Signing Certificates

• Older tenants (created prior to July 2016) used SHA 1 certificates by default, and later tenants used SHA256
• App UI has been updated to include a pick-list for choosing which certificate to use
  • Office 365 certificate is now exposed
  • Office 365 re-federate option to push new certificate

 

 

Mobile Features – Policy to Disallow Incoming Calls

 

New policy to prevent incoming calls on device

• Useful for data-only devices such as kiosk mode

 

Mobile Features – SIM Removal Tracking

 

New policy to track SIM removal

• Device can become non-complaint if SIM is removed
• Only on Samsung devices

 

Mobile Features – New Samsung Firewall (hostname based)

 

In addition to supporting the new Samsung IP based firewall – hostnames can now be used for firewall rules

• Only on Samsung devices

 

Munki Enhancements

 

Munki Improvements

• Custom Pkginfo Files
• Pre and post install scripts

Removing Security Login

• Ability to enroll with just username and password has been removed for new tenants
  • Admins will need to use the new 17.6 agent to enroll

 

 

  

The following apps have been updated:

• Freshservice (doc only)
• Salesforce (doc only)
• Slack (provisioning)
• Dropbox (provisioning)
• Workplace by Facebook (provisioning)
• LoopUp (user-password)
• Frevvo Live Forms (SAML)
• TeamSnap (user-password)
• Microsoft Dynamics CRM on-prem (WS-Trust)

 

 

 

New Features - Centrify Privilege Service

 

Secrets

 

• Allows CPS to secure generic secrets (files and text types)
• Only users that have the “retrieve secret” entitlement can access them
• You can add policy rules from the Identity Platform or use MFA to secure the retrieval of secrets
• File secrets can optionally be stored with a password
  (e.g. a word/excel/pdf/SSH-key with a password)
• Secret uploads and downloads are secured with double-encryption
• File secrets are limited to 5MB per file and text secrets to 24k

 

New Login/Checkout Sequence

 

• New terminology
• Improved flow
• Compatibility for “AD Account login” using the Local Client

 

 

 

New Features - Centrify Analytics Service

 

Traveling-Velocity Factor

 

• Traveling-Velocity helps address the impossible travel scenario
• This feature can isolate situations such as User accessing Applications from both Santa Clara & LA in < 15mins, even though the User’s access pattern considers both locations as normal

 

 

UI Improvements

 

Copy cell to clipboard

• Copy ‘email’ to clipboard to edit in search bar

Insights – Word cloud widget

• Available only in Insights boards as a new widget

Download CSV

• Insights and Explorer Widgets data download

 

 

 

 

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

  

• Centrify Privilege Service session brokering now supports negotiation with systems configured for TLS 1.2 (CC-47306).
• Policies based on a device being corporate or personally owned are now correctly based on both the user and device (CC-47949).
• Administrators can now enable a policy to determine if the Browser Extension is auto-updated or pinned to a specific version.
• Provisioning sync job reports have been enhanced to include timings for each job, allowing slow running jobs to be identified (CC-44806).
• The following parameters are now collected from enrolled Windows 10 devices:
  • Anti-spyware status
  • Antivirus status
  • Encryption compliance
  • Firewall status
    (CC-47333)

• Users rejected by for provisioning are now logged in the sync report (CC-47480).
• IWA will now succeed even if a cloud connector is joined to a domain with a disjoined namespace (CC-43948).
• Support has been added for more than one concurrent Google Directory service (CC-44704).
• ForceAuthn from http-post now re-authenticates when a custom tenant URL is used (CC-43934).
• Role mapping in Dropbox provisioning has been enhanced to support both assigning destination groups to the first role a user is a member of (based on a prioritized list) and also assigning to each role the user is a member of (CC-46462).
• The fixed five-second timeout value for an external RADIUS server has been replaced by an administrator-defined timeout value up to 55 seconds (CC-44206).
• The last invite date for a user or group invitation is now set even if the invite email or SMS failed (CC-47226).
• Office 365 deprovisioning rules are now maintained after authenticating an Office 365 administrator – previously they were deleted (CC-43588).
• Browser bookmarks can now be pushed to Samsung KNOX devices in both kiosk and non-kiosk modes (CC-45529).
• A policy has been added to allow / disallow changes to the date / time on Samsung KNOX devices (CC-47180).
• ZSO login now works with Chrome on OS X 10.12 (CC-46899).
• The default value for Pre-Provisioning Interval for Workday inbound provisioning has been set to 120 (5 days), previously it was zero (CC-47207).

 

For security advisories and known issues, please see attached file.

 

For 17.6 Hot Fix 1 security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.