New Features - Centrify Application Services (formerly known as Identity Services)

Applications Dashboard

New dashboard highlighting apps in the platform

• Pie chart showing:
  • Status
  • Type
  • Provisioning Status
  • App Gateway Status
• Lists showing:
  • App Details
  • Total App Launches in last 7 Days
• Pie-charts are drill-able
  • List views are filtered based on charts

[Preview] Centrify Browser Extensions Pinning (Available by Request Only)

New policy to set Browser Extension Version.

• Latest version or specific version number
• When version is set to a specific number, User Portal will prompt for upgrade based on policy version rather than cloud release version
• Centrify will not force upgrade when version is et, however, Centrify will only support current version and 2 versions prior
• Downloads shows all pinned versions (N/A for Chrome)

[Preview] SCIM Provisioning 

SCIM is an open standard for automating the exchange of user identity information between identity domains, or IT systems.

• Custom SSO templates now contain a Provisioning tab
  • Custom SAML App
  • Custom OpenID Connect App
• Previously deployed custom apps using this template can now be updated to include provisioning (if the app supports this feature)

Updates to User Portal

Account Page Redesign:

• Cleaner design on the “Security Settings” page
  • Passcodes feature is now separated out onto its own tab
• Settings Menu moved to User Portal Banner (on Apps and Devices pages)
• Grouped / Grid toggle moved to the Settings Menu
• Refreshed Activity page with Map widget, Login / Denied Logins, App Usage and Activity Stream 

Easy Navigation to Job Provisioning Report for User

When troubleshooting provisioning events for a particular user, Admins need a way to find the right report for those events.

• Drill-Down in Users page now includes links to each report

Mobile Features – iOS Notification improvements

MFA actions no longer require going to the Centrify app

• Reduce app flipping for all notifications
• Only actions that require in-app functionality are flipped (for example, Require Fingerprint on MFA respond)

Mobile Features – iOS Activation Lock Bypass codes

Administrators now have access to the Activation Lock Bypass code

• When wiping device, activation code must be entered from original user
• Admin can look up bypass code for managed devices
• Customers can open a support ticket to retrieve unenrolled/deleted device bypass codes

Mobile Features – OATH OTP Push

OATH Codes in Passcodes can now be “pushed” to the respective tenant (similar to mobile authenticator)

• Allows MFA to multiple tenants from a single client enrollment
• After selecting OATH OTP MFA Method - Go to Passcodes in the Centrify app, and tap the tenant you are trying to log into

Mobile Features – Proxy profiles for Android WiFi

Proxy configuration settings can now be set and sent to Android devices (previously only Samsung and iOS).

The following apps have been added to the catalog:

• Expensify (SAML)
• HipChat (SAML)

The following apps have been updated:

• 15Five (SAML)
• Cloudera (User/Password)
• Cognology (SAML)
• SumoLogic (SAML)
• Yahoo Mail (User/Password)
• 15Five (SAML)
• Amazon Germany (User/Password)
• Atlassian Customer Portal (User/Password)
• com (User/Password)
• Cloudera (User/Password)
• Cognology (SAML)
• Evernote (User/Password)
• Float (User/Password)
• net (User/Password)
• Google apps (SAML)
• HRS (User/Password)
• LiveDrive (User/Password)
• MilitaryHire (User/Password)
• Mimecast Personal Portal (User/Password)
• SumoLogic (SAML)
• Yahoo Mail (User/Password)
• Zenefits (User/Password)

The following apps have been renamed:

• ShiftPlanning     -->          Humanity

New Features - Centrify Endpoint Services (formerly known as  Identity Service)

Mac Updates

Centrify Agent for Mac:

• Centrify Agent for Mac on the Centrify Identity Services Download page
• Support for Munki Unattended Uninstall
• Dynamic policies for non-Apple MDM policies

New Features - Centrify Infrastructure Services (formerly known as  Privilege Service)

Secure Shell Gateway 

• Improves usability and deployment flexibility by allowing users to establish SSH connections (manual or with shared accounts) via the Centrify Connector(s) as a Jumpbox without visiting the admin portal.
• Maintains platform features:
  • Authentication Profiles (MFA)
  • Watch and Terminate
  • Access Request (Workflow)
  • Agentless DirectAudit (if available)
• You can use this feature for native SSH clients on Windows, UNIX/Linux and Mac OS.

Built-in Reports for Secrets

• Available via Core Services > Reports > Built-in Reports > Systems > Secrets
• All Secrets (contains secret size) & secrets by type
• Modified Secrets (last 7 days)
• Retrieval Counts (most popular secrets)

Resolved Issues and Behavior Changes

The following list records issues resolved in this release and behavior changes.

• In 17.6 and earlier, when syncing groups for Office 365 provisioning they were incorrectly synched to a depth of 2. When the sync traverses to the second level, immutable IDs were not properly mapped for migrated users and this could cause group sync to fail, depending on timing. From 17.7 sub-groups are no longer synced unless explicitly included for sync (CC-48105).
• In the Box provisioning page, the option “Allow personal folder to be synced by Box clients” has been renamed to “Sync all personal folders to admin’s desktop via Box Sync”. The function of this option has not changed, but the label has been changed to better reflect the functionality (CC-47392).
• External CA revocation checks are now performed on a per-CA chain basis (CC-48358).
• IWA now works for the Ring Central desktop app (CC-48942).
• Sha256, sha384 and sha512 have been added as options for the algorithm and digest method for encrypted keys in SAML apps (CC-48526).
• Custom CBE internal apps now function correctly on iOS devices after the built-in browser’s cache is cleared (CC-48007).
• An issue was resolved where Connectors could not reach Active Directory domain controllers. The issue was caused by a failure to retrieve the distinguished name of the NTDS settings object from a domain controller running in Windows 2008 Domain Mode. Any registry changes implemented during 17.6 to work around this issue should be removed with this new release (CISSUP-3178, CISSUP-3180).
• Connectors will now connect to any available domain controller if the Connector does not belong to any site (CC-48052).
• Active Directory per-user customization (for example, OATH tokens) are no longer removed when a Connector is removed (CC-49334).
• The correct license type for Office 365 ProPlus is now shown in the license summary, previously it would show “officesubscription” (CC-48528).
• IWA now succeeds with the Ring Central desktop app when configured for single sign-on (CC-48942).

For security advisories and known issues, please see attached file.

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.