Centrify 18.2 Release Notes

11 April,19 at 11:51 AM

Centrify Application Services (formerly known as Identity Services)

 

The following apps have been updated:

 

    • GitHub Enterprise on-premise (user / password)
    • ExpressionEngine (user / password)
    • VersionOne Support (user / password)
    • Simply Voting Election Manager (user / password)

 

End-of-life Notification

 

This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):

  • The Walk-Me help feature will be removed from the Admin Portal in the next release (18.3)

 

Announcement of Upcoming Changes Regarding OpenID Connect App (release 18.3)

 

We are enhancing our OpenID Connect app to allow customers to request refresh tokens as specified by the OAuth 2 spec. The app configuration page for OpenID Connect has also been modified to be more consistent with our other apps. Some fields have been moved around into more logical groupings. 

 

As part of these changes, all existing OpenID Connect apps will continue to work as is. However, if the customer wishes to make use of refresh tokens or if they wish to make any other changes to the app, some changes will be required on the customer's end. Customers will be notified of any changes they need to make if they attempt to edit their OpenID Connect app.

 

New Features - Centrify Infrastructure Services (formerly known as Privilege Service)

  

 

Local Administrative Account – Phase I

 

  • Follows up on the administrative account capability of Active Directory domains
  • Incremental set of capabilities with these goals
    • Account/Password reconciliation
    • High-availability
    • Advanced device functionality
  • Phase I
    • Ability to set a ‘local admin’ account will be introduced on system onboard and shortcuts
    • Initially with network devices


 

 

Check Point GAiA™ - Revisited

 

  • Check Point GAiA™ SAPM and PSM were introduced in the summer of 2017
  • This new iteration introduces:
    • Local administrative account
    • Expert mode password management
  • In this release:
    • Admins use their accounts for access
    • To utilize expert mode, admins return to Infrastructure Services to check out the expert mode password of the corresponding CP GAiA system and paste it in the terminal
  • Coming in a future release:
    • Enhancement to establish a secure session directly as the expert-mode account


 

 

DirectAudit – Support for Multiple Installations

 

  • Prior to 18.2, only one DirectAudit installation could be used per CS instance
  • With 18.2, multiple DirectAudit installations are supported
  • Connector affinity can be set on a per-installation basis
  • Supports hybrid cloud (or distributed datacenter) scenarios


 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

   

  • The /UserMgmt/UpdateSecurityQuestions API now allows administrators to set security questions for users. The following JSON payload should be used:

    {"ID": "", "securityquestion": "", "questionanswer": ""}

    (CC-54704).
  • The StartAuthentication API no longer requires a Referrer when calling with a federated ID (CC-54442).
  • The Android mobile app now remembers policies that have been received even if the app is killed while applying the policies. Previously, any policies that had been received but not applied before the app terminated would be lost (CC-53618).
  • Users no longer receive an error about a missing provisioning handler when SSO-ing to an app from the catalog after provisioning is enabled (CC-54691).
  • Location information is now reported correctly for iOS 11 devices (CC-54857).
  • A switch has been added to turn WS-Trust off for a given policy, affecting all application instances of Office 365 and Microsoft Dynamics CRM (WS-Fed). In addition, a switch is now provided to allow the administrator to enforce app policy challenges for WS-Trust. By default, application policies that cannot be supported via WS-Trust (such as MFA) are not enforced, which prevents authentication challenges from blocking WS-Trust authentication (CC-52624).
  • In some cases, a group created by role mapping in the Box or GSuite provisioning apps could contain only one user, even when multiple users were synced. Groups created in this way now contain the correct number of users (CC-54784, CC-54858).
  • In policies, BundleIDs are now valid when there is a period (“.”) in the last character, following Apple recommendations (CC-53948).
  • A custom enrollment welcome screen is now supported for Android devices as well as for iOS devices (CC-53674).
  • Non-ATS compliant NTLM basic custom applications on enrolled iOS devices no longer display SSL errors (CC-52968).
  • SSO now functions correctly on Internet Explorer for NTLM and basic app templates (CC-50108).
  • Apps that are specific to countries outside the US can now be added to iOS devices after finding them in country-specific app stores (CC-53950).
  • The AuthName of the user is no longer included when using cert-based authentication as it is optional and can cause issues with some profiles (CC-53221).
  • The sub-tabs in the device details page in the portals have been reordered; they are now: Details, Activity, Device Applications, Location, Location History, Policy Summary (CC-54298).
  • Custom text added for device enrollment by SMS now correctly shows in the text message when the invite is sent from “Add Device” in the User Portal (CC-54179).
  • Group Name is no longer mandatory on the Cisco IPsec VPN profile (CC-53989).

 

For security advisories and known issues, please see attached file.

 

For Maintenance Release 1 security advisories and known issues, please see attached file.

 

For Maintenance Release 2 security advisories and known issues, please see attached file.

 

For Maintenance Release 3 security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
