
Centrify 18.4 Release Notes

11 April,19 at 11:51 AM

End-of-life notification

This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):

  • As of this release, the lowest iOS release supported by the Centrify mobile app for iOS is 10. Users with devices running iOS 9 will still be able to install the 18.3 Centrify mobile app for iOS, which is the last release that supported iOS 9.
  • From the 18.4 release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.


New Features - Centrify Application Services   

SAML App UI Enhancements


“Attribute Value” allows for the selection of Objects, Variables, and Methods.

  • Clicking “Add” creates a new attribute that will be passed in the SAML Response
  • Free form text can be added to Attribute Value
  • The drop down in “Attribute Value” can be selected to choose an object and the variables/methods available in that object




The following user name / password apps have been updated:


  • Brainpop
  • Bath & Body Works
  • Cub Foods
  • EDU20
  • Finance41
  • ISNIC Registry


New Features - Centrify Endpoint Services




End-user Checkout for Mac LAPM Account


Policy allows end user LAPM checkout:

  • By default, end-user checkout is not allowed
  • When enabled, checkout is for the enrolled user only
  • Checkout is done through the user portal
  • Coming soon: checkout from mobile devices




End-user Checkout for Mac LAPM Account from Mobile


Checkout is now available on mobile:

  • Support for iOS and Android
  • Phone and tablet form factors
  • See details of all enrolled devices
  • Coming soon: Device actions



Certificate Authority Template Picker for Mobile Policies


  • For all email, WiFi and VPN policies, admins are now able to select the source certificate authority for deploying client certs
  • Use the built-in CA in the Centrify Tenant, or any Microsoft CAs that have been added to the admin portal
  • Select the CA for each policy; for MS CAs, admins can select the corresponding certificate template




Language Specific Enrollment Welcome Screen


  • Enrollment welcome screen is optional
  • There is a new option to “specify unique welcome message for supported languages”




New Features - Centrify Infrastructure Services 



New Import Tool

  • Starting in 18.4, Infrastructure Services will introduce a new tool for importing objects into the privilege service vault
  • This feature complements the existing manual and CSV import GUI capabilities
  • The new Import Tool allows admins to import:
    • Systems, Domains, Databases and their Accounts
    • Newly-added attributes (such as administrative accounts)
    • “Add to Set” functionality
  • This new tooling will be distributed via Centrify’s GitHub once 18.4 is released




Device Factory – F5 BIG-IP SAPM/PSM


  • 18.4 adds SAPM and PSM support for one of the most common devices in enterprise networks: F5 BIG-IP (TMOS)
  • Infrastructure Services add:
    • Password Management via REST
    • Privilege Session
    • Local Administrative account (required for SAPM)
    • Vault-based policy and MFA.
  • Versions 11.x-13.x




Improvements for Centrify Connectors with multiple NICs 


  • Organizations often have systems with multiple network interface cards (NICs) that are acting as Centrify Connectors
  • In the past, Infrastructure Services would use the first-returned NIC for network operations (e.g. secure access and password operations)
  • Behavior Change:
    • Starting with 18.4, Infrastructure Services will use the Connector’s returned FQDN IP addresses of the system for network operations
    • All returned IP addresses are attempted until there is a hit





Improvements for SSH/RDP Local Client Window Identification


  • 18.4 improves the usability of Local Client sessions by providing better identification






Centrify Agent for Linux


  • Targeting fix for performance related to caching of group membership information

  • 2017.3 installer ( has also been refreshed
  • Support for Amazon Linux 2 (both adclient and cclient)
  • Enroll CentOS Docker container in CIP

    • Instructions, configuration files published to



Centrify Analytics Services - Private Beta


Please contact Centrify Support to inquire about participation in the beta program.



Ingest Centrify Infrastructure Services – Audit Events


Forward Audit Events into the Analytics Portal leveraging Centrify Sensor.

  • Flexible Deployment - Centrify Sensor can be flexibly deployed:
    • Deployed with DA collector
    • Deployed with Centrify Agent
  • Enterprise Control on Events Ingested: Filter / Mask what you don’t want to move to the cloud




Ingest Centrify Infrastructure Services – Zone Data


Forward “Who has access to which Infrastructure Server, i.e., Policy Data” Zone data into Centrify Analytics Portal.

  • Easy Enablement: Leverage Centrify Sensor to forward both Events and Policy Data
  • Flexible Reporting: Admins can now query Events & Policy via one console easily





Ingest Centrify Infrastructure Services – DA Session Data


Adaptively record session videos for Infrastructure activity anomalies.

  • Adaptive Session Recording: 15-30 second session recording of anomalies leveraging Real-time Threat Analytics
  • Session Timeline: Events are all correlated to a session on a timeline




Additional Access Insights for Centrify Infrastructure Services


New dashboards around Infrastructure Risk Assessment and Infrastructure Access Overview.

  • Easily Customize Dashboards: Comes with pre-configured datasets around Events / Zone data to help on-board
  • Comes with 12+ pre-configured widgets to help create a new dashboard
  • Easily Share / Export Dashboards




Enhanced Anomaly Detection based on Behavior


Multiple new factors added to evaluate infrastructure access risk.
New factors include:

  • Unusual Recent Privilege Change
  • Unusual Command Run
  • Unusual Target Accessed
  • Unusual Account Used
  • Unusual Privilege Elevation



Behavior based access control for Infrastructure Access




Investigate Access Anomalies 


Investigate a Privilege Anomaly easily via drilldown to explorer:

  • Session timeline view from the event
  • Targeted session replay for the Infrastructure access anomaly
  • Easily identify what factors contributed to the anomaly




Adaptive Session Recording and Replay for Anomalies 


Replay session for any anomalies based on machine learning models:

  • Click-through from Session timeline
  • Enterprise control on storage of session recordings
  • Control the trigger for session recordings




Alerting and Notifications


Remediate anomalies via integration with any Webhook enabled endpoint:

  • Supports anomaly alerting via Slack, Pager Duty, etc.
  • Integrates with any Webhook enabled endpoint
  • Easily customize what’s included in the Alert 



New Features - SIEM and ServiceNow Integrations


Centrify ServiceNow – Zone Role Workflow


Request temporary access for Accounts from ServiceNow

  • Centrify Zone Role Workflow has been added to the Service Catalog
  • Leverage the ServiceNow Service Catalog to request access to infrastructure
  • Enables temporary Zone Role assignment within Active Directory





Centrify Identity Services – HP ArcSight Integration (Sample)


Open source HP ArcSight sample for categorizing and normalizing events

  • Integration guide available on docs.centrify
  • Sample python code available on github
  • CIP ArcSight integration is not supported
  • Supported: Writing to Syslog in Syslog format 




Resolved Issues and Behavior Changes


The following list records issues resolved in this release and behavior changes.


  • Thai and Serbian language support has been added to the User Portal (CC-56904).
  • Minor security fixes were applied in this release to tighten some deprecated MFA APIs. Customers still using GetAuthPolicy and related APIs may see an increase in login failures as a result. No changes were made to current MFA APIs (CC-53660).
  • The connector now automatically enables higher-security protocols. As of release 18.6, TLS 1.0 will no longer be supported (CC-54386).
  • The Cloud Linux Agent now supports Amazon Linux 2 (CC-54183).
  • A Mobile policy has been added to allow / disallow capturing OTP passcodes for other sites. The default value is to allow passcodes to be captured / shown on a mobile device (CC-54377).
  • Support has been added in this release for Single Sign Out. Previously the logout URL logged the user out from the Cloud Service; now it also logs the user out of the app (CC-47215).
  • Administrators can now modify the ownership of a device from corporate to personal or vice-versa from the action menu or by right-clicking on the device. This overrides the ownership set during enrollment (CC-54597).
  • Active Directory users can now upload a user photo in the User Portal (CC-55864).
  • The Forgot Password and change password experience has been updated to make it more intuitive with additional information to guide users to the cause of a password failure due to complexity requirements (CC-53664).
  • Wildcard domain names are now allowed in Settings > Authentication > Security Settings > API Security (CC-56463).
  • The correct payload is now generated to support SCIM 2.0 PATCH (CC-55336).
  • After logging out from Google Web apps such as Google Mail, Google Web apps now launch and single sign-on correctly in cases where the user name has been remembered by the app (CC-55353).



For security advisories and known issues, please see attached file.



Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.