This section contains notifications for the upcoming termination of apps, features, or programmatic access (APIs):
- Action Required – TLS 1.0 Deprecation
As part of our mission to protect customers and align with PCI DSS standards, Centrify will be updating the minimum TLS protocol required to connect to the Centrify Cloud Platform from TLS 1.0 to TLS 1.1 as of 18.5. TLS 1.0 support will be deprecated on June 16, 2018 when Centrify Cloud 18.6 is released. Please see this knowledge base article for important details and steps to take to prevent any service outage.
- From the 18.6 release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.
New Features - Centrify Application Services
Centrify Browser Extension (CBE) Land & Catch
When a user manually logs into a web application, CBE will ask if they want to create/update the app in Centrify.
- Name, Description, and Icon allow the app to be customized before update/creation
- Clicking on "Yes" will create/update the app
- Clicking on "No" will ignore the prompt once
- Clicking on "Never" will always ignore in the future
The following apps have been updated:
- EchoSign (SAML)
- UtilPro (U/P)
The following apps have been removed from the catalog:
- Imo Messenger
- Hackety Hack
- ETS Personal Potential Index
- Pearson Developers Community
- World Book
- Remy Cointreau Academy
- Novell Partner Portal
- The Daily Beast
- Choice Hotels
- Expedia Travel
- Brandy Melville
- Flowroute Travel
- Factor 4 Index
- Adobe FormsCentral
- This Is My Jam
- Trulia Pro
- The Network Integrated GRC Suite
- Bullhorn Reach
- PC Tools
- Expedia France
- Expedia Australia
- US Airways
- Symantec SORT
- Beach Candy
- Invoice Dude
- Sonic Sense
- Aviary Developers
- Mongo Lab
- Moxiecode Webshop
- Novell Downloads
- My Wardrobe
- Discovery Store
- CrashPlan PROe
- Crocodoc Personal
New Features - Centrify Endpoint Services
Centrify Keychain Sync for Mac (Released in Infrastructure Services 2018)
- This feature solves a problem all Mac AD users face when changing their password:
  - The Mac Keychain (used by apps to store credentials and other data) can no longer be unlocked once the password has changed
  - This results in many application pop-up errors and a confusing resolution prompt from the OS
- Centrify's solution detects when a user's password has been changed and prompts the user to bring the Keychain back in sync.
  - This prevents the confusing OS dialog from popping up
  - The feature is enabled by a new group policy
  - An option remembers the user's old password, so only the new password is required to resolve the issue
New Features - Centrify Infrastructure Services
Privileged Access Service
Alternative Account Discovery
- Enterprises use alternative (administrative) accounts to separate regular user accounts from "privileged user" accounts in Active Directory.
- "Dash-A" or "Admin" accounts are typically one of the first use cases to be addressed by vault-based security.
- With 18.5, admins will be able to:
  - Discover alternative accounts based on specified criteria, with automatic or manual owner matching
  - Secure each alternative account by assigning it to the corresponding owner
  - Easily access alternative accounts for password checkout and secure login
SAP ASE (Adaptive Server Enterprise)
- 18.5 adds SAPM support for SAP ASE
- SAP ASE is the database product formerly known as Sybase.
- SAPM support:
  - Versions 15.x, 16.x
Cisco AsyncOS (formerly IronPort)
- Cisco AsyncOS supports the family of IronPort appliances.
- All Cisco Email security appliances are powered by the Cisco AsyncOS operating system, optimized for high performance and security.
- Supported versions: 10.x and 11.x
Centrify Agent for Linux – MFA
- 18.5 introduces MFA at login for the Centrify Agent for Linux.
- The agent now supports MFA:
  - Upon manual enrollment (cenroll --user)
  - When logging in
- MFA leverages the Policy Engine (Login Policies – UNIX and Windows Servers).
- Conditional Access is supported.
Centrify Connector – RDP Service Customization
- Starting with 18.5, customers will be able to control:
  - RDP Server (enable/disable).
  - RDP Port (previously configurable only through a tenant parameter).
- Prior to 18.5, this was an internal parameter change that required a support case, or additional setup in the customer-hosted version of Privileged Access Service.
Centrify Analytics Services
Ingest Centrify Infrastructure Data
Enables Centrify customers to ingest their data into the Centrify Analytics Portal for better access insights.
Forward Audit Events
- Flexible deployment of the Centrify Sensor
- Better control of events ingested into the Centrify Analytics Portal
Forward Session Data
- Control where session data is stored
- Store only sessions with unusual activity
Forward Zone Data
- Expose 70+ views for better reporting
- Synchronize the zone data at a customizable frequency
Access Insights for Centrify Infrastructure Services
Dashboards covering Infrastructure Risk and Infrastructure Usage to help with better visibility.
- 16+ canned dashboards
- Tens of widgets that help create dashboards
- Easily share in different file formats
- Accessible like an application in a single portal for teams
Dashboard Auto Update
- Dashboards are refreshed to be current on a pre-set interval
Behavior-based access control for Infrastructure Access
Enables risk-aware login and privilege elevation for infrastructure access.
Basic Policy via Portal
- If "risk level is high" and "access is from outside the corporate network" --> trigger step-up with 2 strong factors
- If "risk level is low" and "access is from a trusted device" --> allow access
Advanced Policy via API
- If "risk level is high for privilege elevation" and "access is from China" --> terminate the session
Enhanced Anomaly Detection based on Behavior
Detect anomalies based on multiple new factors in addition to factors in the Centrify User Analytics Services.
New Factors Include:
- Unusual recent privilege change
- Unusual command run
- Unusual target accessed
- Unusual privilege elevation
- Unusual role used
- Consecutive login failures
Investigate Access Anomalies
Investigate privilege anomalies using a toolkit streamlined for identity anomaly investigation.
- View the detailed activity timeline from the Centrify Analytics Portal
Play Video Session
- Replay the anomaly directly from the timeline
Understand Anomalies Easily
- Identify the factors contributing to the anomaly
Adaptive Session Recording and Replay for Anomalies
Record sessions when anomalies are detected and help prioritize sessions based on risk.
- Click-through from Session Timeline
- Enterprise Control on Storage of Session Recording
- Control the Trigger for Session Recording
Alerting and Notifications
Remediate anomalies by integrating with any Webhook-enabled endpoint.
Support for Anomaly Alerting
- Leverage Slack or incident response applications like PagerDuty for real-time alerting; integrate with any Webhook-enabled endpoint
Customize Alert Content
- Define what to include in the alert message
New Features - Centrify Core Services
MFA: Multi-Step and Multi-Factor Support
Authentication Profiles define one or two sets of authenticators; a new policy controls how they are evaluated.
Multi-Step fails on the first factor that does not succeed.
- Whether to continue past a failed factor is now an option within the Login Policy for Centrify Portal: "Continue with additional challenges after failed challenge".
Multi-Factor always steps through both factors and fails at the end if one was not successful.
- This MFA model is NIST compliant for Assurance Level 2 and is also PCI DSS compliant.
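As an added illustration (not Centrify's code), the two evaluation orders modelled in Python with constructed password and OTP authenticators standing in for the real ones. `reveals_first_factor` shows why stepping through every factor matters: in Multi-Step the second challenge is only presented when the first succeeded, so an observer learns whether the password was right from the challenge sequence alone.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# One factor = (name, verifier). Verifiers here are constructed stand-ins
# for real authenticators; they compare in constant time.
Authenticator = Tuple[str, Callable[[str], bool]]


@dataclass
class MfaResult:
    success: bool
    challenged: List[str] = field(default_factory=list)  # factors presented to the user


def run_multi_step(factors: List[Authenticator], submitted: Dict[str, str]) -> MfaResult:
    """Multi-Step: stop at the first factor that does not succeed
    (the Login Policy option 'Continue with additional challenges' OFF)."""
    result = MfaResult(success=True)
    for name, verify in factors:
        result.challenged.append(name)
        if not verify(submitted.get(name, "")):
            result.success = False
            break  # remaining factors are never presented
    return result


def run_multi_factor(factors: List[Authenticator], submitted: Dict[str, str]) -> MfaResult:
    """Multi-Factor: present every factor, report failure only at the end
    (the Login Policy option 'Continue with additional challenges' ON)."""
    result = MfaResult(success=True)
    for name, verify in factors:
        result.challenged.append(name)
        if not verify(submitted.get(name, "")):
            result.success = False  # remember the failure but keep challenging
    return result


def _equals(expected: str) -> Callable[[str], bool]:
    return lambda value: hmac.compare_digest(value.encode(), expected.encode())


# Constructed sample profile: a password plus a one-time passcode.
PROFILE: List[Authenticator] = [("password", _equals("correct horse battery staple")),
                                ("otp", _equals("123456"))]


def reveals_first_factor(runner) -> bool:
    """True if the challenge sequence differs depending on whether the first
    factor was correct, even though both attempts end in failure."""
    wrong_first = runner(PROFILE, {"password": "nope", "otp": "123456"})
    wrong_second = runner(PROFILE, {"password": "correct horse battery staple", "otp": "000000"})
    return wrong_first.challenged != wrong_second.challenged
```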
MFA: OTP Server (RADIUS) Custom Challenge Message
OTP servers can require different input from end users, so administrators can now customize the user challenge prompt.
- For example, some OTP servers may require the user to enter PIN+Passcode when configured for the higher authentication assurance level 2
SMTP Gateway in Connector
Some customers may require email to be delivered from their own domain using their own SMTP servers.
- If the SMTP server is located inside the customer's network (not in the DMZ), a Connector is needed to reach the internal SMTP server.
Centrify can use any Connector, or specified Connectors, to route SMTP messages to internal SMTP servers.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- From release 18.6, the Centrify Identity Services platform will no longer support TLS 1.0 connections. The Centrify Browser Extension requires .NET 4.6.2 in order to support the latest security protocols used by the Centrify Identity Services platform and, as a result, versions of the Centrify Browser Extension prior to 18.5 will no longer be supported on IE (SSO will fail). If you have pinned an older version of the Centrify Browser Extension, please update the policy to allow updates to 18.5 in order to support this change in the 18.6 release (CC-57765).
- Starting in this release, all user logins to Centrify Agent for Linux (except for local users) will require Multi-Factor Authentication (MFA) and “Unix and Windows Server” login policy is used to determine how the user is authenticated. Note that this is a major behavioral change for users. If the user does not have any valid authentication profile setup, they will be denied login whereas they were allowed to login in prior versions of Centrify Agent for Linux. Customers can disable the MFA requirement for login by setting the mfa.enabled parameter to false in /etc/centrifycc/centrifycc.conf (CC-55933).
- Localized versions of application names and descriptions can now be added by an administrator for apps created in the Admin Portal (CC-52944).
- The Salesforce SCIM endpoint is now supported for outbound SCIM using a custom SAML app (CC-57381).
- Administrators can now choose to allow end users to specify whether their mobile device is personally or corporate owned on enrollment to ensure the right policies and privacy is applied to the device (CC-53399).
- Credentials are no longer required when launching Company Apps on an iOS device (CC-58022).
- Administrators can now set a policy to prevent users from duplicating answers to multiple security questions (CC-55562).
- Array values are now supported in provisioning scripts (CC-43913).
- Zendesk provisioning configuration documentation has been updated (CC-57982).
- The Mobile Authenticator MFA option is now available when using DEP enrollment (CC-57805).
- In SAML app scripts, the Relay State value is now passed correctly; previously it was truncated at the first double-quote (") character found (CC-57789).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.