Centrify 18.5 Release Notes

11 April,19 at 11:50 AM

End-of-life notification

This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):

  • Action Required – TLS 1.0 Deprecation

    As part of our mission to protect customers and align with PCI DSS standards, Centrify will be updating the minimum TLS protocol required to connect to the Centrify Cloud Platform from TLS 1.0 to TLS 1.1 as of 18.5. TLS 1.0 support will be deprecated on June 16, 2018 when Centrify Cloud 18.6 is released. Please see this knowledge base article for important details and steps to take to prevent any service outage.

  • From the 18.6 release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.

 

New Features - Centrify Application Services   

Centrify Browser Extension (CBE) Land & Catch

When a user manually logs into a web application, CBE will ask if they want to create/update the app in Centrify.

  • Name, Description, and Icon allow the app to be customized before update/creation
  • Clicking on "Yes" will create/update the app
  • Clicking on "No" will ignore the prompt once
  • Clicking on "Never" will always ignore in the future


The following apps have been updated:

 

  • EchoSign (SAML)
  • UtilPro (U/P)

 

The following apps have been removed from the catalog:

 

  • XpandedReports
  • AlertGrid
  • FriendFund
  • Pulse360
  • Cranberry
  • Imo Messenger
  • Grooveshark
  • NGINX
  • 99Designs
  • AddThis
  • Hackety Hack
  • Gumboot.co.nz
  • Interstate
  • GROU.PS
  • Vyew
  • .extendr
  • BrixHQ
  • SightMax
  • Parse
  • Readability
  • SMALLKNOT
  • ProofHQ
  • ClearBenefits
  • ETS Personal Potential Index
  • Pearson Developers Community
  • World Book
  • PageLime
  • FluidSurvey
  • Remy Cointreau Academy
  • Novell Partner Portal
  • The Daily Beast
  • Choice Hotels
  • Expedia Travel
  • Brandy Melville
  • Flowroute Travel
  • Factor 4 Index
  • Inkdit
  • Wiggio
  • Avis
  • Adobe FormsCentral
  • Plaxo
  • myTab
  • FatWallet
  • AIM
  • Technorati
  • Zerigo
  • VirtualTourist
  • BookFresh
  • Viralheat
  • BillPin
  • Boston.com
  • iDrive
  • Bol.com
  • This Is My Jam
  • BookJetty
  • Trulia Pro
  • Boomerang
  • FeedMyInbox
  • The Network Integrated GRC Suite
  • Flavors.me
  • FluidSurvey
  • Bullhorn Reach
  • Fontdeck
  • Pose
  • TradingTree
  • xTuple
  • Xoom
  • WebLaunching
  • Tripology
  • Pressitt
  • PC Tools
  • Pulse
  • Plancast
  • DNSstuff
  • Expedia France
  • Expedia Australia
  • Boxee
  • dotCloud
  • Blog.com
  • Vinaora
  • TouristEye
  • US Airways
  • OneReceipt
  • App.net
  • Symantec SORT
  • Check
  • PlannerX
  • Phanfare
  • Beach Candy
  • Amiando
  • Carbonite
  • Speek
  • LAbite.com
  • Invoice Dude
  • Joobili
  • Sonic Sense
  • SpendOut
  • Aviary Developers
  • CakeHealth
  • Mongo Lab
  • LuggagePoint.com
  • Mahalo
  • Luvocracy
  • Moxiecode Webshop
  • B2Bee
  • Novell Downloads
  • Examiner
  • Learnist
  • Distimo
  • My Wardrobe
  • Critsend
  • HelloFax
  • Chinaorgcn
  • Mandrill
  • myBrainshark
  • Rundavoo
  • easySYS
  • EducationOnDemand
  • GraphicMail
  • De-Nic-Vu
  • Rhapsody
  • Connexions
  • ADrive
  • Diapers
  • DeskAway
  • Discovery Store
  • Howlr
  • CrashPlan PROe
  • Crocodoc Personal

 

 

New Features - Centrify Endpoint Services

 

Centrify Keychain Sync for Mac (Released in Infrastructure Services 2018)

 

  • This feature solves a problem all Mac AD users face when changing their password:
    • The Mac Keychain (used by apps to store data) can no longer be unlocked when the password changes
    • This results in many application pop-up errors and a confusing resolution prompt from the OS

  • Centrify's solution will detect when a user's password has been changed and prompt the user to get it back in sync again.
    • This feature prevents the confusing OS dialog from popping up
    • Feature is enabled by a new group policy
    • There is an option to remember the user's old password, thus only requiring the new password to resolve the issue


New Features - Centrify Infrastructure Services 

  

Privileged Access Service

 

Alternative Account Discovery

 

    • Enterprises use alternative (administrative) accounts to separate regular user vs. "privileged user" accounts in Active Directory.
    • “Dash-A” or “Admin” accounts are typically one of the first use cases to be addressed by vault-based security.
    • With 18.5, admins will be able to:
      • Discover alternative accounts based on specified criteria, with automatic or manual owner matching
      • Secure the alternative account by assigning it to the corresponding owner
      • Access alternative accounts easily for password checkout and secure login


SAP ASE (Adaptive Server Enterprise)

 

  • 18.5 adds SAPM support for SAP ASE
  • SAP ASE is the database product formerly known as Sybase.
  • SAPM Support:
    • Stand-alone
    • Clustered
  • Versions 15.x, 16.x 


Cisco AsyncOS (formerly IronPort)  

 

  • Cisco AsyncOS supports the family of IronPort appliances.
  • All Cisco Email security appliances are powered by the Cisco AsyncOS operating system, optimized for high performance and security.
  • Supported versions: 10.x and 11.x


Centrify Agent for Linux – MFA

 

  • 18.5 introduces MFA at login for the Centrify Agent for Linux.
  • The agent now supports MFA:
    • Upon manual enrollment (cenroll --user)
    • When logging in
  • MFA leverages the Policy Engine (Login Policies – UNIX and Windows Servers).
  • Conditional Access is supported.

 


Centrify Connector – RDP Service Customization

 

  • Starting with 18.5, customers will be able to control:
    • RDP Server (enable/disable).
    • RDP Port (previously configurable through tenant parameter).
  • Prior to 18.5, this was an internal parameter change that required a support case or additional setup in the customer-hosted version of Privileged Access Service.


Centrify Analytics Services

 

Ingest Centrify Infrastructure Data

 

Centrify customers can have their infrastructure data ingested into the Centrify Analytics Portal for better access insights.

 

Forward Audit Events

  • Flexible deployment of the Centrify Sensor
  • Better control of events ingested into the Centrify Analytics Portal


Forward Session Data

  • Control where session data is stored
  • Store only sessions with unusual activity


Forward Zone Data

  • Expose 70+ views for better reporting
  • Synchronize the zone data at a customizable frequency


Access Insights for Centrify Infrastructure Services

 

Dashboards covering Infrastructure Risk and Infrastructure Usage to help with better visibility.

 

Customize Dashboards

  • 16+ canned dashboards
  • Tens of widgets that help create dashboards

Share Dashboards

  • Easily share in different file formats
  • Access like an application in one portal for teams

Dashboard Auto Update

  • Dashboards are refreshed to be current on a pre-set interval

 


Behavior-based access control for Infrastructure Access

 

Enable risk-aware access to login and privilege elevation for infrastructure access.

 

Basic Policy via Portal

  • If 'risk-level is high' and 'access is from outside the corporate network' --> trigger step up with 2 strong factors
  • If 'risk-level is low' and 'access is from a trusted device' --> allow access

Advanced Policy via API

  • If 'risk-level is high for privilege elevation' and 'access is from China' --> terminate the session


Enhanced Anomaly Detection based on Behavior 

 

Detect anomalies based on multiple new factors in addition to factors in the Centrify User Analytics Services.

 

New Factors Include:

  • Unusual recent privilege change
  • Unusual command run
  • Unusual target accessed
  • Unusual privilege elevation
  • Unusual role used
  • Consecutive login failures


Investigate Access Anomalies 

 

Investigate privilege anomalies with a powerful toolkit streamlined specifically for identity anomaly investigation.

 

Session Timeline

  • View the detailed activity timeline from the Centrify Analytics Portal

Play Video Session

  • Easily replay the anomaly from the timeline

Understand Anomalies Easily

  • Identify the factors contributing to the anomaly

 


Adaptive Session Recording and Replay for Anomalies 

 

Record sessions when anomalies are detected and help prioritize sessions based on risk.

  • Click-through from Session Timeline
  • Enterprise Control on Storage of Session Recording
  • Control the Trigger for Session Recording


Alerting and Notifications

 

Remediate anomalies by integrating with any Webhook-enabled endpoint.

 

Support for Anomaly Alerting

  • Leverage Slack or incident response applications like PagerDuty for real-time alerting; integrate with any Webhook-enabled endpoint

Customize Alert Content

  • Define what to include in the alert message

 


New Features - Centrify Core Services 

 

MFA Service

 

MFA: Multi-Step and Multi-Factor Support

 

Authentication Profiles define one or two sets of Authenticators; a new Policy controls the behavior.

 

Multi-Step will fail on the first factor that does not succeed.

  • This is now an option within the Login Policy for Centrify Portal to "Continue with additional challenges after failed challenge".

Multi-Factor will always step through both factors and fail at the end if one is not successful.

  • This MFA model is NIST compliant for Assurance Level 2 and is also PCI-DSS compliant.


MFA: OTP Server (RADIUS) Custom Challenge Message

 

OTP Servers can require different data input from end users, and administrators would like to customize the user challenge prompt.

  • For example, some OTP Servers may require the user to enter a PIN+Passcode if configured for the higher authentication assurance level 2.


SMTP Gateway in Connector

 

Some customers may require email to be delivered from their domain using their own SMTP Servers.

  • If the SMTP Server is located inside a customer's network (not in the DMZ), the Connector is needed to connect to the internal SMTP Server.

 

Centrify can use any Connector or specified Connectors to route SMTP messages to internal SMTP Servers.


Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • From release 18.6, the Centrify Identity Services platform will no longer support TLS 1.0 connections. The Centrify Browser Extension requires .NET 4.6.2 in order to support the latest security protocols used by the Centrify Identity Services platform and, as a result, versions of the Centrify Browser Extension prior to 18.5 will no longer be supported on IE (SSO will fail). If you have pinned an older version of the Centrify Browser Extension, please update the policy to allow updates to 18.5 in order to support this change in the 18.6 release (CC-57765).
  • Starting in this release, all user logins to Centrify Agent for Linux (except for local users) require Multi-Factor Authentication (MFA), and the “Unix and Windows Server” login policy determines how the user is authenticated. Note that this is a major behavioral change for users: a user who does not have a valid authentication profile set up will be denied login, whereas they were allowed to log in with prior versions of Centrify Agent for Linux. Customers can disable the MFA requirement for login by setting the mfa.enabled parameter to false in /etc/centrifycc/centrifycc.conf (CC-55933).
  • Localized versions of application names and descriptions can now be added by an administrator for apps created in the Admin Portal (CC-52944).
  • The Salesforce SCIM endpoint is now supported for outbound SCIM using a custom SAML app (CC-57381).
  • Administrators can now choose to allow end users to specify whether their mobile device is personally or corporate owned on enrollment, to ensure the right policies and privacy are applied to the device (CC-53399).
  • Credentials are no longer required when launching Company Apps on an iOS device (CC-58022). 
  • Administrators can now set a policy to prevent users from duplicating answers to multiple security questions (CC-55562). 
  • Array values are now supported in provisioning scripts (CC-43913). 
  • Zendesk provisioning configuration documentation has been updated (CC-57982). 
  • The Mobile Authenticator MFA option is now available when using DEP enrollment (CC-57805). 
  • In SAML app scripts, the Relay State value is now correctly passed; previously it was truncated at the first double quote (") mark found (CC-57789).
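
Because the Centrify Agent for Linux now requires MFA unless mfa.enabled is set to false (CC-55933 above), it is worth knowing which hosts carry that override. The following is an added example, not Centrify code, that reports the effective setting in a config file. It assumes "key: value" or "key = value" lines, "#" comments, and that the last occurrence of a key wins; the function name mfa_state and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective mfa.enabled setting of a Centrify agent config.
# Assumptions (not from the release notes): lines look like "key: value" or
# "key = value", "#" starts a comment, and the last occurrence of a key wins.

# Prints one of: disabled | enabled | default (key not set) | unknown | unreadable
mfa_state() {
    conf=$1
    [ -r "$conf" ] || { echo unreadable; return 2; }
    awk '
        BEGIN { state = "default" }
        /^[ \t]*#/ { next }                      # whole-line comment
        {
            line = $0
            sub(/\r$/, "", line)                 # tolerate CRLF files
            if (match(line, /^[ \t]*mfa\.enabled[ \t]*[:=][ \t]*/)) {
                val = tolower(substr(line, RLENGTH + 1))
                sub(/#.*$/, "", val)             # trailing comment
                sub(/[ \t]+$/, "", val)          # trailing whitespace
                if (val == "false")      state = "disabled"
                else if (val == "true")  state = "enabled"
                else                     state = "unknown"
            }
        }
        END { print state }
    ' "$conf"
}

# Constructed sample config, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# centrifycc.conf (constructed sample)
some.other.parameter: 30
mfa.enabled: true
mfa.enabled: false   # overrides the line above
EOF
echo "sample config: MFA at login is $(mfa_state "$sample")"
rm -f "$sample"

# On an enrolled host:
#   mfa_state /etc/centrifycc/centrifycc.conf
```

A result of "default" means the parameter is not set, so the MFA requirement described in the release note applies; "disabled" marks a host where the requirement has been switched off and should be justified or reverted.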

 

 

For security advisories and known issues, please see attached file.

 

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
