New Features - Centrify Application Services (formerly known as Identity Services)
Linked Applications
This feature enables customers to create separate app tiles for SSO apps that share the same authentication.
- Linked Applications tab in app configuration
- Amazon Web Services

- Office 365 (Preview)

- Other SSO Applications
- Custom SAML Apps
- Custom OpenID Connect Apps
- SAML / OpenID Connect Catalog Apps
PCI Compliance Update for MFA
User experience for incorrect logins when using MFA has been updated in order to achieve PCI compliance.
- Current Experience:
- If user enters wrong information for first mechanism, authentication fails before asking for the 2nd mecahnism

- New Experience:
- If user enters wrong information first, 2nd mechanism is still asked before authentication fail
- If first challenge response is incorrect, the 2nd factor is not checked (i.e. email / SMS won't be sent)

Improved UX for MFA response through RADIUS
We now support out-of-band responses from our authentication mechanisms for RADIUS clients (e.g. VPNs).
- Users can authenticate through the authentication mechanism itself (e.g. push the code on Mobile Authenticator or click on the link in email / SMS)
- No longer need to type in OTP
- New Configuration options under:
- Settings> Authentication > RADIUS Connections > Clients

Ability to Rename Roles
Role names can now be edited and renamed.

New Features - Centrify Endpoint Services
Configurable LAPM Password Rotation
Admins can now control the password rotation period for managed local admin accounts.
- Default = 90 days
- Valid settings:
- New policy:
- Policies > Mobile Device Policies > OS X Settings > Manage Local Admin Account> Periodic password rotation at specified interval (days)

Password Generation Profile for Mac
Admins can now set rules for the password complexity to use for the Local Admin Accounts on Macs.
- Settings > Infrastructure > Password Generation Profiles> Unix Profile

Password Checkout Error Handling
When using LAPM, an Admin may want to check out an Admin Password before the Cloud has confirmation from the Mac that the password has been changed.
- Now support a confirmation from the agent that the account has been rotated
- Password history can be provided If Admin checks out password before the confirmation is received

The following apps have been added to the catalog:
- Ivanti (SAML)
- SAP ERP ABAP (SAML)
- SAP CRM ABAP (SAML)
The following apps have been updated:
- Webex (User/Password)
- eBay (User/Password)
- CDW (User/Password)
- UPS (User/Password)
- iTunes Connect (User/Password)
- Hightail (User/Password)
- ScreenSteps Live (SAML)
- Eventbrite (User/Password)
- Canvas (SAML)
The following apps have been renamed:
- AVG CloudCare --> Avast Business CloudCare
- AVG Managed Workplace --> Avast Business Managed Workplace
- ProofHQ --> Workfront
- HEAT --> Ivanti
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Infrastructure Factory: Check Point GAiA™
- GAiA™ is Check Point’s Secure Operating System
- In this release, we are supporting shared account password management and secure session access.
- Versions:
- “Expert Mode” enhancement to follow in future release

Scheduled Discovery
- 17.9 adds scheduling to our Network Discovery
- Different discovery profiles can now be set to run on a schedule based on organizational needs
- A report is generated upon each run, outlining items discovered

Account-level Checkout Lifetime Override
- Allows granular definition of password checkout lifetime policies at the account level
- Useful to establish policy for end users at the global or system level, with the flexibility to establish policy at the account level for other use cases (such as system-to-system)

Linux Agent – Password Checkout for Database & Domain
- The CIP Linux agent has been updated to support for database and domain account password checkouts with the cgetaccount CLI utility
- The service account (system) should have the checkout permission in the target accounts
- Leverages --type parameter

Examples:
$ sudo cgetaccount --type domain centrify.vms/diana-a
$ sudo cgetaccount --type database sql2012a/sa
ServiceNow – Privileged Access Request (Domain+Database)
- ServiceNow is in the process of certifying Privilege Access Request 2.0.0
- This version adds support for database and domain account password checkout via ServiceNow’s Service Catalog
- Support to request “login” is available for local system accounts, it will be added to AD accounts in a future enhancement

New Features - Centrify Analytics Services
New Factor
“Account” has been added as a factor for Shared Account Password Management
Faster User Experience
Improved rendering engine.

Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Prompt is now supported with custom URLs with OpenID Connect (CC-45912).
- SCIM provisioning is now available on all catalog apps, previously it was only available on generic (custom) apps (CC-50660).
- A new custom app type has been added: Linked Application, supporting OpenID Connect and SAML (CC-32809).
- Support has been added for multiple simultaneous policy management editors (CC-34579).
- Phone number validation has been updated to support recent Thai style changes (CC-51063, CISSUP-3334).
- Users of Apple devices managed by DEP and VPP v2 (token) can now update the App Store apps on their devices without creating their own Apple IDs (CC-49476).
- Successful RADIUS challenges no longer create a pair (one successful, one failure) of RADIUS log entries (CC-51501).
- Successful ZSO logins now correctly show the login reason on the User Activity dashboard and in the user’s detail page (CC-50700, CISSUP-3307).
- All devices now correctly show location in the User Portal when one of the devices is Windows 10 (CC-50315).
- Launch counts for App Gateway-enabled apps are now included in the source data for Most Commonly User Web Apps and Unused Web Apps reports (CC-39645).
- ZSO log in to the User Portal now records as login activity on the User Portal Activity page (CC-49444).
- When a policy is changed while a device is offline, the policy summary will now show “pending” for the device’s compliance until the device is returned online and the policy is successfully applied (CC-48699).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.