New Features - Centrify Identity Service
MFA Policies for User Account Settings
MFA Everywhere – now able to set policies requiring step-up authentication for:
- Password changes
- Configuring OATH OTP client
- Setting Security Question
- Modifying Personal Profile
- All policies under Policies > User Account Settings
- “Show QR code for self-service” and “OATH OTP Display Name” policies moved from “OATH OTP”
- “Enable users to change passwords” moved from “Password Settings”
Sets Added to Identity Service Tabs
Optimized page viewing and performance by grouping large lists into Sets of like items:
- Users
- Apps
- Endpoints
- Click Set name to filter list
- Set Default using ellipsis menu
- All page visits for that user will remember the selection
- Sets UI slides in and out on click
- To improve page load performance, choose “Remove as default” (and remove check mark) for page with no results (search only)

Intelligent Selection of Connectors
Previously, calls to connectors for IWA and RADIUS were made randomly. Connectors are now selected based on IP address, in the following order:
- Choose Connector with matching IP Address
  - Randomly choose between Connectors when there are multiple matches
- Choose Connector with matching sub-net
  - Randomly choose between Connectors when there are multiple matches
- Randomly choose Connector
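
The three-tier order above, sketched as an added example (not Centrify's code). It assumes the address being matched is the source IP of the request and that each connector is described by one interface address with a prefix length; the connector names and addresses are constructed.

```python
import ipaddress
import random

# Constructed sample connectors: name -> interface address with prefix length.
CONNECTORS = {
    "conn-a": "10.1.20.5/24",
    "conn-b": "10.1.20.9/24",
    "conn-c": "10.2.0.7/16",
    "conn-d": "192.168.50.4/24",
}


def select_connector(request_ip, connectors=CONNECTORS, rng=random):
    """Return (connector_name, tier) following the IP > subnet > random order."""
    addr = ipaddress.ip_address(request_ip)
    ifaces = {n: ipaddress.ip_interface(c) for n, c in connectors.items()}

    # Tier 1: a connector whose own address equals the request address.
    exact = sorted(n for n, i in ifaces.items() if i.ip == addr)
    if exact:
        return rng.choice(exact), "ip"

    # Tier 2: a connector whose subnet contains the request address.
    # Mixed IPv4/IPv6 comparisons are simply "no match".
    subnet = sorted(n for n, i in ifaces.items() if addr in i.network)
    if subnet:
        return rng.choice(subnet), "subnet"

    # Tier 3: nothing matched, so fall back to the old random behaviour.
    return rng.choice(sorted(ifaces)), "random"


if __name__ == "__main__":
    for ip in ("10.1.20.5", "10.1.20.77", "10.2.9.9", "172.16.0.1"):
        print(ip, select_connector(ip))
```

Returning the tier alongside the name makes it easy to log which rule picked the connector when troubleshooting IWA or RADIUS failures.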
Dropbox Provisioning Support for Union
Admins can now choose to provision users into Dropbox using the following options:
- Union of all Groups, or
- Single Group

Improved 3rd Party RADIUS Support
When setting up 3rd party RADIUS authentication, some systems do more than a simple username / password authentication and need additional time to complete the request. The timeout for the external RADIUS server is now set by the administrator:
- Default value of 5 (seconds) is set
- Values from 5 to 55 are valid

Admin Control over Signing Certificates
Admins can see and manage all certificates in use in their tenants under Settings > Authentication > Signing Certificates
- Older tenants (created prior to July 2016) used SHA-1 certificates by default, and later tenants used SHA-256
- App UI has been updated to include a pick-list for choosing which certificate to use
- Office 365 certificate is now exposed
- Office 365 re-federate option to push new certificate

Mobile Features – Policy to Disallow Incoming Calls
New policy to prevent incoming calls on device
- Useful for data-only devices such as kiosk mode

Mobile Features – SIM Removal Tracking
New policy to track SIM removal
- Device can become non-compliant if SIM is removed
- Only on Samsung devices

Mobile Features – New Samsung Firewall (hostname based)
In addition to supporting the new Samsung IP based firewall – hostnames can now be used for firewall rules

Munki Enhancements
Munki Improvements
Removing Security Login
- Ability to enroll with just username and password has been removed for new tenants
- Admins will need to use the new 17.6 agent to enroll

The following apps have been updated:
- Freshservice (doc only)
- Salesforce (doc only)
- Slack (provisioning)
- Dropbox (provisioning)
- Workplace by Facebook (provisioning)
- LoopUp (user-password)
- Frevvo Live Forms (SAML)
- TeamSnap (user-password)
- Microsoft Dynamics CRM on-prem (WS-Trust)
New Features - Centrify Privilege Service
Secrets
- Allows CPS to secure generic secrets (files and text types)
- Only users that have the “retrieve secret” entitlement can access them
- You can add policy rules from the Identity Platform or use MFA to secure the retrieval of secrets
- File secrets can optionally be stored with a password (e.g. a Word/Excel/PDF/SSH key with a password)
- Secret uploads and downloads are secured with double-encryption
- File secrets are limited to 5MB per file and text secrets to 24k

New Login/Checkout Sequence
- New terminology
- Improved flow
- Compatibility for “AD Account login” using the Local Client

New Features - Centrify Analytics Service
Traveling-Velocity Factor
- Traveling-Velocity helps address the impossible travel scenario
- This feature can isolate situations such as a user accessing applications from both Santa Clara and LA in under 15 minutes, even though the user's access pattern considers both locations as normal

UI Improvements
Copy cell to clipboard
- Copy ‘email’ to clipboard to edit in search bar
Insights – Word cloud widget
- Available only in Insights boards as a new widget
Download CSV
- Insights and Explorer Widgets data download

Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Centrify Privilege Service session brokering now supports negotiation with systems configured for TLS 1.2 (CC-47306).
- Policies based on a device being corporate or personally owned are now correctly based on both the user and device (CC-47949).
- Administrators can now enable a policy to determine if the Browser Extension is auto-updated or pinned to a specific version.
- Provisioning sync job reports have been enhanced to include timings for each job, allowing slow running jobs to be identified (CC-44806).
- The following parameters are now collected from enrolled Windows 10 devices (CC-47333):
  - Anti-spyware status
  - Antivirus status
  - Encryption compliance
  - Firewall status
- Users rejected by for provisioning are now logged in the sync report (CC-47480).
- IWA will now succeed even if a cloud connector is joined to a domain with a disjoined namespace (CC-43948).
- Support has been added for more than one concurrent Google Directory service (CC-44704).
- ForceAuthn from http-post now re-authenticates when a custom tenant URL is used (CC-43934).
- Role mapping in Dropbox provisioning has been enhanced to support both assigning destination groups to the first role a user is a member of (based on a prioritized list) and also assigning to each role the user is a member of (CC-46462).
- The fixed five-second timeout value for an external RADIUS server has been replaced by an administrator-defined timeout value up to 55 seconds (CC-44206).
- The last invite date for a user or group invitation is now set even if the invite email or SMS failed (CC-47226).
- Office 365 deprovisioning rules are now maintained after authenticating an Office 365 administrator – previously they were deleted (CC-43588).
- Browser bookmarks can now be pushed to Samsung KNOX devices in both kiosk and non-kiosk modes (CC-45529).
- A policy has been added to allow / disallow changes to the date / time on Samsung KNOX devices (CC-47180).
- ZSO login now works with Chrome on OS X 10.12 (CC-46899).
- The default value for Pre-Provisioning Interval for Workday inbound provisioning has been set to 120 (5 days), previously it was zero (CC-47207).
For security advisories and known issues, please see attached file.
For 17.6 Hot Fix 1 security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.