
Centrify 17.9 Release Notes

11 April,19 at 11:50 AM

New Features - Centrify Application Services (formerly known as Identity Services)


Linked Applications


This feature enables customers to create separate app tiles for SSO apps that share the same authentication.


  • Linked Applications tab in app configuration
    • Amazon Web Services
    • Office 365 (Preview)
    • Other SSO Applications
      • Custom SAML Apps
      • Custom OpenID Connect Apps
      • SAML / OpenID Connect Catalog Apps



PCI Compliance Update for MFA


User experience for incorrect logins when using MFA has been updated in order to achieve PCI compliance.


  • Current Experience:
    • If the user enters wrong information for the first mechanism, authentication fails before asking for the second mechanism
  • New Experience:
    • If the user enters wrong information for the first mechanism, the second mechanism is still requested before authentication fails
    • If the first challenge response is incorrect, the second factor is not checked (i.e. email / SMS won't be sent)
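
The new experience described above, sketched as an added example (this is not Centrify code; the class, callback, user store and status strings are hypothetical): the caller always receives the same "second factor required" answer after the first step, the out-of-band message is only sent when the first factor was correct, and the failure is reported only after the second step.

```python
import hashlib
import hmac
import secrets

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store (hypothetical user and values).
SALT = b"constructed-salt"
USERS = {"alice": {"salt": SALT, "pw_hash": hash_password("correct horse", SALT),
                   "phone": "+15555550100"}}
# Used for unknown users so the same hashing work is done either way.
DUMMY = {"salt": b"\x00" * 16, "pw_hash": b"\x00" * 32}

class MfaLogin:
    """Two-step login that never reveals which factor failed."""

    def __init__(self, send_code):
        self.send_code = send_code   # callback(phone, code) for SMS/email delivery
        self.first_ok = False
        self.expected = None

    def submit_password(self, username, password):
        user = USERS.get(username)
        rec = user or DUMMY
        match = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
        self.first_ok = match and user is not None
        if self.first_ok:
            # Only a correct first factor triggers the out-of-band message.
            self.expected = f"{secrets.randbelow(10**6):06d}"
            self.send_code(user["phone"], self.expected)
        # Same answer for right and wrong passwords: always ask for factor two.
        return "SECOND_FACTOR_REQUIRED"

    def submit_code(self, code):
        ok = (self.first_ok and self.expected is not None
              and hmac.compare_digest(code.encode(), self.expected.encode()))
        self.expected = None         # a code is single use
        self.first_ok = False
        return "SUCCESS" if ok else "AUTHENTICATION_FAILED"

if __name__ == "__main__":
    sent = []
    login = MfaLogin(lambda phone, code: sent.append((phone, code)))
    print(login.submit_password("alice", "wrong guess"), "messages sent:", len(sent))
    print(login.submit_code("123456"))
```
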




Improved UX for MFA response through RADIUS


We now support out-of-band responses from our authentication mechanisms for RADIUS clients (e.g. VPNs).


  • Users can authenticate through the authentication mechanism itself (e.g. push the code on Mobile Authenticator or click on the link in email / SMS)
    • No longer need to type in OTP
  • New Configuration options under:
    • Settings > Authentication > RADIUS Connections > Clients




Ability to Rename Roles


Role names can now be edited and renamed. 





New Features - Centrify Endpoint Services


Configurable LAPM Password Rotation


Admins can now control the password rotation period for managed local admin accounts.


  • Default = 90 days
  • Valid settings:
    • 1 day
    • 365 days
  • New policy:
    • Policies > Mobile Device Policies > OS X Settings > Manage Local Admin Account > Periodic password rotation at specified interval (days)



Password Generation Profile for Mac


Admins can now set rules for the password complexity to use for the Local Admin Accounts on Macs.

  • Settings > Infrastructure > Password Generation Profiles > Unix Profile




Password Checkout Error Handling


When using LAPM, an Admin may want to check out an Admin Password before the Cloud has confirmation from the Mac that the password has been changed.

  • Now support a confirmation from the agent that the account has been rotated
  • Password history can be provided if an Admin checks out the password before the confirmation is received





The following apps have been added to the catalog:

  • Ivanti (SAML)


The following apps have been updated:

  • Webex (User/Password)
  • eBay (User/Password)
  • CDW (User/Password)
  • UPS (User/Password)
  • iTunes Connect (User/Password)
  • Hightail (User/Password)
  • ScreenSteps Live (SAML)
  • Eventbrite (User/Password)
  • Canvas (SAML)

The following apps have been renamed:

  • AVG CloudCare  -->  Avast Business CloudCare
  • AVG Managed Workplace  -->  Avast Business Managed Workplace
  • ProofHQ  -->  Workfront
  • HEAT  -->  Ivanti



New Features - Centrify Infrastructure Services (formerly known as Privilege Service)


Infrastructure Factory: Check Point GAiA™


  • GAiA™ is Check Point’s Secure Operating System
  • In this release, we are supporting shared account password management and secure session access.
  • Versions:
    • R77.30
    • R80.10
  • “Expert Mode” enhancement to follow in future release




Scheduled Discovery


  • 17.9 adds scheduling to our Network Discovery
  • Different discovery profiles can now be set to run on a schedule based on organizational needs
  • A report is generated upon each run, outlining items discovered





Account-level Checkout Lifetime Override


  • Allows granular definition of password checkout lifetime policies at the account level
  • Useful to establish policy for end users at the global or system level, with the flexibility to establish policy at the account level for other use cases (such as system-to-system)




Linux Agent – Password Checkout for Database & Domain


  • The CIP Linux agent has been updated to support database and domain account password checkouts with the cgetaccount CLI utility
  • The service account (system) should have the checkout permission in the target accounts
  • Leverages --type parameter



$ sudo cgetaccount --type domain centrify.vms/diana-a
$ sudo cgetaccount --type database sql2012a/sa



ServiceNow – Privileged Access Request (Domain+Database)


  • ServiceNow is in the process of certifying Privilege Access Request 2.0.0
  • This version adds support for database and domain account password checkout via ServiceNow’s Service Catalog
  • Support to request “login” is available for local system accounts; it will be added to AD accounts in a future enhancement



New Features - Centrify Analytics Services


New Factor


“Account” has been added as a factor for Shared Account Password Management


Faster User Experience


Improved rendering engine.





Resolved Issues and Behavior Changes


The following list records issues resolved in this release and behavior changes.


  • Prompt is now supported with custom URLs with OpenID Connect (CC-45912). 
  • SCIM provisioning is now available on all catalog apps, previously it was only available on generic (custom) apps (CC-50660).
  • A new custom app type has been added: Linked Application, supporting OpenID Connect and SAML (CC-32809).
  • Support has been added for multiple simultaneous policy management editors (CC-34579).
  • Phone number validation has been updated to support recent Thai style changes (CC-51063, CISSUP-3334).
  • Users of Apple devices managed by DEP and VPP v2 (token) can now update the App Store apps on their devices without creating their own Apple IDs (CC-49476).
  • Successful RADIUS challenges no longer create a pair (one successful, one failure) of RADIUS log entries (CC-51501).
  • Successful ZSO logins now correctly show the login reason on the User Activity dashboard and in the user’s detail page (CC-50700, CISSUP-3307).
  • All devices now correctly show location in the User Portal when one of the devices is Windows 10 (CC-50315).
  • Launch counts for App Gateway-enabled apps are now included in the source data for Most Commonly Used Web Apps and Unused Web Apps reports (CC-39645).
  • ZSO log in to the User Portal now records as login activity on the User Portal Activity page (CC-49444).
  • When a policy is changed while a device is offline, the policy summary will now show “pending” for the device’s compliance until the device is returned online and the policy is successfully applied (CC-48699).



For security advisories and known issues, please see attached file.


Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.