
Centrify 18.4 Release Notes

11 April,19 at 11:51 AM

End-of-life notification

This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):

  • As of this release, the lowest iOS release supported by the Centrify mobile app for iOS is 10. Users with devices running iOS 9 will still be able to install the 18.3 Centrify mobile app for iOS, which is the last release that supported iOS 9.
  • From the 18.4 release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.

 

New Features - Centrify Application Services   

SAML App UI Enhancements

 

“Attribute Value” allows for the selection of Objects, Variables, and Methods.

  • Clicking “Add” creates a new attribute that will be passed in the SAML Response
  • Free form text can be added to Attribute Value
  • The drop-down in “Attribute Value” can be used to choose an object and the variables/methods available in that object


 

 

The following user name / password apps have been updated:

 

  • Brainpop
  • Bath & Body Works
  • Cub Foods
  • EDU20
  • Finance41
  • ISNIC Registry
  • Trip.com

 

New Features - Centrify Endpoint Services

 

 

 

End-user Checkout for Mac LAPM Account

 

Policy allows end user LAPM checkout:

  • By default, end-user checkout is not allowed
  • When enabled, checkout is for the enrolled user only
  • Checkout is done through the user portal
  • Coming soon: checkout from mobile devices


 

 

End-user Checkout for Mac LAPM Account from Mobile

 

Checkout is now available on mobile:

  • Support for iOS and Android
  • Phone and tablet form factors
  • See details of all enrolled devices
  • Coming soon: Device actions


 

Certificate Authority Template Picker for Mobile Policies

 

  • For all email, WiFi and VPN policies, admins are now able to select the source certificate authority for deploying client certs
  • Use the built-in CA in the Centrify Tenant, or any Microsoft CAs that have been added to the admin portal
  • Select the CA for each policy; for MS CAs, admins can select the corresponding certificate template


 

 

Language Specific Enrollment Welcome Screen

 

  • Enrollment welcome screen is optional
  • There is a new option to “specify unique welcome message for supported languages”


 

 

New Features - Centrify Infrastructure Services 

  

 

New Import Tool

  • Starting in 18.4, Infrastructure Services will introduce a new tool for importing objects into the privilege service vault
  • This feature complements the existing manual and CSV import GUI capabilities
  • The new Import Tool allows admins to import:
    • Systems, Domains, Databases and their Accounts
    • Newly-added attributes (such as administrative accounts)
    • “Add to Set” functionality
  • This new tooling will be distributed via Centrify’s GitHub once 18.4 is released


 

 

Device Factory – F5 BIG-IP SAPM/PSM

 

  • 18.4 adds SAPM and PSM support for one of the most common devices in enterprise networks: F5 BIG-IP (TMOS)
  • Infrastructure Services add:
    • Password Management via REST
    • Privilege Session
    • Local Administrative account (required for SAPM)
    • Vault-based policy and MFA.
  • Versions 11.x-13.x


 

 

Improvements for Centrify Connectors with multiple NICs 

 

  • Organizations often have systems with multiple network interface cards (NICs) that are acting as Centrify Connectors
  • In the past, Infrastructure Services would use the first-returned NIC for network operations (e.g. secure access and password operations)
  • Behavior Change:
    • Starting with 18.4, Infrastructure Services will use the Connector’s returned FQDN IP addresses of the system for network operations
    • All returned IP addresses are attempted until there is a hit


 

 

 

Improvements for SSH/RDP Local Client Window Identification

 

  • 18.4 improves the usability of Local Client sessions by providing better identification

 


 


 

 

 

Centrify Agent for Linux

 

  • Targeting fix for performance related to caching of group membership information

  • 2017.3 installer (install.sh) has also been refreshed
  • Support for Amazon Linux 2 (both adclient and cclient)
  • Enroll CentOS Docker container in CIP

    • Instructions, configuration files published to github.com/centify/docker_files

 

 

Centrify Analytics Services - Private Beta

 

Please contact Centrify Support to inquire about participation in the beta program.

 

 

Ingest Centrify Infrastructure Services – Audit Events

 

Forward Audit Events into the Analytics Portal leveraging Centrify Sensor.

  • Flexible Deployment - Centrify Sensor can be flexibly deployed:
    • Deployed with DA collector
    • Deployed with Centrify Agent
  • Enterprise Control on Events Ingested: Filter / Mask what you don’t want to move to the cloud


 

 

Ingest Centrify Infrastructure Services – Zone Data

 

Forward “Who has access to which Infrastructure Server, i.e., Policy Data” Zone data into Centrify Analytics Portal.

  • Easy Enablement: Leverage Centrify Sensor to forward both Events and Policy Data
  • Flexible Reporting: Admins can now query Events & Policy via one console easily


 

 

 

Ingest Centrify Infrastructure Services – DA Session Data

 

Adaptively record session videos for Infrastructure activity anomalies.

  • Adaptive Session Recording: 15-30 second session recording of anomalies leveraging Real-time Threat Analytics
  • Session Timeline: Events are all correlated to a session on a timeline


 


 

 

Additional Access Insights for Centrify Infrastructure Services

 

New dashboards around Infrastructure Risk Assessment and Infrastructure Access Overview.

  • Easily Customize Dashboards: Comes with pre-configured datasets around Events / Zone data to help on-board
  • Comes with 12+ pre-configured widgets to help create a new dashboard
  • Easily Share / Export Dashboards


 

 

Enhanced Anomaly Detection based on Behavior

 

Multiple new factors added to evaluate infrastructure access risk.
New factors include:

  • Unusual Recent Privilege Change
  • Unusual Command Run
  • Unusual Target Accessed
  • Unusual Account Used
  • Unusual Privilege Elevation


 

Behavior based access control for Infrastructure Access

 


 

Investigate Access Anomalies 

 

Investigate a Privilege Anomaly easily via drilldown to explorer:

  • Session timeline view from the event
  • Targeted session replay for the Infrastructure access anomaly
  • Easily identify what factors contributed to the anomaly


 

 

Adaptive Session Recording and Replay for Anomalies 

 

Replay session for any anomalies based on machine learning models:

  • Click-through from Session timeline
  • Enterprise control on storage of session recordings
  • Control the trigger for session recordings


 

 

Alerting and Notifications

 

Remediate anomalies via integration with any Webhook enabled endpoint:

  • Supports anomaly alerting via Slack, Pager Duty, etc.
  • Integrates with any Webhook enabled endpoint
  • Easily customize what’s included in the Alert 


 

New Features - SIEM and ServiceNow Integrations

 

Centrify ServiceNow – Zone Role Workflow

 

Request temporary access for Accounts from ServiceNow

  • Centrify Zone Role Workflow has been added to the Service Catalog
  • Leverage the ServiceNow Service Catalog to request access to infrastructure
  • Enables temporary Zone Role assignment within Active Directory

 


 

 

Centrify Identity Services – HP ArcSight Integration (Sample)

 

Open source HP ArcSight sample for categorizing and normalizing events

  • Integration guide available on docs.centrify
  • Sample Python code available on GitHub
  • CIP ArcSight integration is not supported
  • Supported: Writing to Syslog in Syslog format 

 


 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • Thai and Serbian language support has been added to the User Portal (CC-56904).
  • Minor security fixes were applied in this release to tighten some deprecated MFA APIs. Customers still using GetAuthPolicy and related APIs may see an increase in login failures as a result. No changes were made to current MFA APIs (CC-53660).
  • The connector now automatically enables higher-security protocols. As of release 18.6, TLS 1.0 will no longer be supported (CC-54386).
  • The Cloud Linux Agent now supports Amazon Linux 2 (CC-54183).
  • A Mobile policy has been added to allow / disallow capturing OTP passcodes for other sites. The default value is to allow passcodes to be captured / shown on a mobile device (CC-54377).
  • Support has been added in this release for Single Sign Out. Previously, the logout URL logged the user out from the Cloud Service; now it also logs the user out of the app (CC-47215).
  • Administrators can now modify the ownership of a device from corporate to personal or vice-versa from the action menu or by right-clicking on the device. This overrides the ownership set during enrollment (CC-54597).
  • Active Directory users can now upload a user photo in the User Portal (CC-55864).
  • The Forgot Password and change password experience has been updated to make it more intuitive with additional information to guide users to the cause of a password failure due to complexity requirements (CC-53664).
  • Wildcard domain names are now allowed in Settings > Authentication > Security Settings > API Security (CC-56463).
  • The correct payload is now generated to support SCIM 2.0 PATCH (CC-55336).
  • After logging out from Google Web apps such as Google Mail, the account is remembered by accounts.google.com. Google Web apps now launch and single sign-on correctly in cases where the user name has been remembered by the app (CC-55353).

 

 

For security advisories and known issues, please see attached file.

 

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
