This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
- As of this release, the lowest iOS release supported by the Centrify mobile app for iOS is 10. Users with devices running iOS 9 will still be able to install the 18.3 Centrify mobile app for iOS, which is the last release that supported iOS 9.
- From the 18.4 release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.
New Features - Centrify Application Services
SAML App UI Enhancements
“Attribute Value” allows for the selection of Objects, Variables, and Methods.
- Clicking “Add” creates a new attribute that will be passed in the SAML Response
- Free form text can be added to Attribute Value
- The drop-down in “Attribute Value” can be used to choose an object and the variables/methods available in that object
The following user name / password apps have been updated:
- Bath & Body Works
- Cub Foods
- ISNIC Registry
New Features - Centrify Endpoint Services
End-user Checkout for Mac LAPM Account
Policy allows end user LAPM checkout:
- By default, end-user checkout is not allowed
- When enabled, checkout is for the enrolled user only
- Checkout is done through the user portal
- Coming soon: checkout from mobile devices
End-user Checkout for Mac LAPM Account from Mobile
Checkout is now available on mobile:
- Support for iOS and Android
- Phone and tablet form factors
- See details of all enrolled devices
- Coming soon: Device actions
Certificate Authority Template Picker for Mobile Policies
- For all email, WiFi and VPN policies, admins are now able to select the source certificate authority for deploying client certs
- Use the built-in CA in the Centrify Tenant, or any Microsoft CAs that have been added to the admin portal
- Select the CA for each policy; for MS CAs, admins can select the corresponding certificate template
Language Specific Enrollment Welcome Screen
- Enrollment welcome screen is optional
- There is a new option to “specify unique welcome message for supported languages”
New Features - Centrify Infrastructure Services
New Import Tool
- Starting in 18.4, Infrastructure Services will introduce a new tool for importing objects into the privilege service vault
- This feature complements the existing manual and CSV import GUI capabilities
- The new Import Tool allows admins to import:
  - Systems, Domains, Databases and their Accounts
  - Newly-added attributes (such as administrative accounts)
  - “Add to Set” functionality
- This new tooling will be distributed via Centrify’s GitHub once 18.4 is released
Device Factory – F5 BIG-IP SAPM/PSM
- 18.4 adds SAPM and PSM support for one of the most common devices in enterprise networks: F5 BIG-IP (TMOS)
- Infrastructure Services adds:
- Password Management via REST
- Privilege Session
- Local Administrative account (required for SAPM)
- Vault-based policy and MFA.
- Versions 11.x-13.x
Improvements for Centrify Connectors with multiple NICs
- Organizations often have systems with multiple network interface cards (NICs) that are acting as Centrify Connectors
- In the past, Infrastructure Services would use the first-returned NIC for network operations (e.g. secure access and password operations)
- Behavior Change:
  - Starting with 18.4, Infrastructure Services will use the IP addresses that the Connector returns for the system's FQDN for network operations
  - All returned IP addresses are attempted until there is a hit
Improvements for SSH/RDP Local Client Window Identification
- 18.4 improves the usability of Local Client sessions by providing better identification
Centrify Agent for Linux
Centrify Analytics Services - Private Beta
Please contact Centrify Support to inquire about participation in the beta program.
Ingest Centrify Infrastructure Services – Audit Events
Forward Audit Events into the Analytics Portal leveraging Centrify Sensor.
- Flexible Deployment - Centrify Sensor can be flexibly deployed:
  - Deployed with DA collector
  - Deployed with Centrify Agent
- Enterprise Control on Events Ingested: Filter / Mask what you don’t want to move to the cloud
Ingest Centrify Infrastructure Services – Zone Data
Forward “Who has access to which Infrastructure Server, i.e., Policy Data” Zone data into Centrify Analytics Portal.
- Easy Enablement: Leverage Centrify Sensor to forward both Events and Policy Data
- Flexible Reporting: Admins can now query Events & Policy via one console easily
Ingest Centrify Infrastructure Services – DA Session Data
Adaptively record session videos for Infrastructure activity anomalies.
- Adaptive Session Recording: 15-30 second session recording of anomalies leveraging Real-time Threat Analytics
- Session Timeline: Events are all correlated to a session on a timeline
Additional Access Insights for Centrify Infrastructure Services
New dashboards around Infrastructure Risk Assessment and Infrastructure Access Overview.
- Easily Customize Dashboards: Comes with pre-configured datasets around Events / Zone data to help on-board
- Comes with 12+ pre-configured widgets to help create a new dashboard
- Easily Share / Export Dashboards
Enhanced Anomaly Detection based on Behavior
Multiple new factors added to evaluate infrastructure access risk.
New factors include:
- Unusual Recent Privilege Change
- Unusual Command Run
- Unusual Target Accessed
- Unusual Account Used
- Unusual Privilege Elevation
Behavior based access control for Infrastructure Access
Investigate Access Anomalies
Investigate a Privilege Anomaly easily via drilldown to explorer:
- Session timeline view from the event
- Targeted session replay for the Infrastructure access anomaly
- Easily identify what factors contributed to the anomaly
Adaptive Session Recording and Replay for Anomalies
Replay session for any anomalies based on machine learning models:
- Click-through from Session timeline
- Enterprise control on storage of session recordings
- Control the trigger for session recordings
Alerting and Notifications
Remediate anomalies via integration with any Webhook enabled endpoint:
- Supports anomaly alerting via Slack, PagerDuty, etc.
- Integrates with any Webhook enabled endpoint
- Easily customize what’s included in the Alert
New Features - SIEM and ServiceNow Integrations
Centrify ServiceNow – Zone Role Workflow
Request temporary access for Accounts from ServiceNow
- Centrify Zone Role Workflow has been added to the Service Catalog
- Leverage the ServiceNow Service Catalog to request access to infrastructure
- Enables temporary Zone Role assignment within Active Directory
Centrify Identity Services – HP ArcSight Integration (Sample)
Open source HP ArcSight sample for categorizing and normalizing events
- Integration guide available on docs.centrify
- Sample Python code available on GitHub
- CIP ArcSight integration is not supported
- Supported: Writing to Syslog in Syslog format
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Thai and Serbian language support has been added to the User Portal (CC-56904).
- Minor security fixes were applied in this release to tighten some deprecated MFA APIs. Customers still using GetAuthPolicy and related APIs may see an increase in login failures as a result. No changes were made to current MFA APIs (CC-53660).
- The connector now automatically enables higher-security protocols. As of release 18.6, TLS 1.0 will no longer be supported (CC-54386).
- The Cloud Linux Agent now supports Amazon Linux 2 (CC-54183).
- A Mobile policy has been added to allow / disallow capturing OTP passcodes for other sites. The default value is to allow passcodes to be captured / shown on a mobile device (CC-54377).
- Support has been added in this release for Single Sign Out. Previously, the logout URL logged the user out of the Cloud Service; now it also logs the user out of the app (CC-47215).
- Administrators can now modify the ownership of a device from corporate to personal or vice-versa from the action menu or by right-clicking on the device. This overrides the ownership set during enrollment (CC-54597).
- Active Directory users can now upload a user photo in the User Portal (CC-55864).
- The Forgot Password and change password experience has been updated to make it more intuitive with additional information to guide users to the cause of a password failure due to complexity requirements (CC-53664).
- Wildcard domain names are now allowed in Settings > Authentication > Security Settings > API Security (CC-56463).
- The correct payload is now generated to support SCIM 2.0 PATCH (CC-55336).
- After logging out from Google Web apps such as Google Mail, the account is remembered by accounts.google.com. Google Web apps now launch and single sign-on correctly in cases where the user name has been remembered by the app (CC-55353).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.