End of life notification
This section contains notifications for upcoming termination of apps, features or programmatic access (APIs):
Termination of v1 REST API support
Why are we doing this?
- Centrify introduced the v2 enrollment APIs with the 17.2 release to support setting additional resource-related information during enrollment. This new version is a superset of the original v1 enrollment APIs. Because the Centrify Agents for Linux and Mac have been using the v2 APIs since 17.2, we are now planning to disable the old v1 enrollment APIs in 18.10.
Who will be affected?
- Customers who deploy the Centrify Agent for Linux/Mac.
- Customers who develop their applications using the following REST APIs: ServerAgent/Register, ServerAgent/Enroll, ServerAgent/EnableFeatures
What steps do I need to take?
- If you deploy the Centrify Agent for Linux/Mac, upgrade to the latest version of the agent.
If you develop applications using the REST APIs:
- Change your code to call the corresponding V2 REST API (e.g., ServerAgent/RegisterV2, ServerAgent/EnrollV2, ServerAgent/EnableFeaturesV2).
What happens if I do nothing? What errors or issues am I likely to see?
- If you have deployed older versions of the Centrify Agent for Linux/Mac, existing enrolled agents will continue to work; however, new features will not be available.
- After the Centrify Identity Platform is upgraded to 18.10, an agent that is unenrolled cannot re-enroll. You MUST upgrade the agent to re-enroll.
- If you have developed applications using the REST APIs, the REST API call will fail with an error.
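To find application code that still calls the v1 endpoints named in this notice before they are disabled, a scan such as the following can be run over a source tree. This is an added example, not Centrify code; the function names, the file-suffix list and the sample input are assumptions made for illustration, and only the endpoint names come from this notice.

```python
import re
from pathlib import Path

# v1 endpoint names and their V2 replacements, as listed in this notice.
V1_TO_V2 = {
    "ServerAgent/Register": "ServerAgent/RegisterV2",
    "ServerAgent/Enroll": "ServerAgent/EnrollV2",
    "ServerAgent/EnableFeatures": "ServerAgent/EnableFeaturesV2",
}
_CANON = {name.lower(): name for name in V1_TO_V2}

# Report a v1 name only when it is not the prefix of a longer identifier, so
# RegisterV2 is skipped. Matching ignores case so differently-cased paths are found.
_V1 = re.compile(r"ServerAgent/(?:Register|Enroll|EnableFeatures)(?![A-Za-z0-9_])", re.I)


def find_v1_calls(text):
    """Return (line_number, v1_endpoint, v2_replacement) for each v1 reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _V1.finditer(line):
            v1 = _CANON[m.group(0).lower()]
            hits.append((lineno, v1, V1_TO_V2[v1]))
    return hits


def scan_tree(root, suffixes=(".py", ".ps1", ".sh", ".js", ".java", ".cs")):
    """Scan source files under root; return {path: hits} for files with v1 references."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_v1_calls(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample client code (not from Centrify documentation);
# "EnrollDevice" is a made-up name used to show that longer identifiers are skipped.
SAMPLE = '''\
resp = post(tenant + "/ServerAgent/Register", body)
resp = post(tenant + "/ServerAgent/EnrollV2", body)
resp = post(tenant + "/serveragent/enablefeatures?x=1", body)
resp = post(tenant + "/ServerAgent/EnrollDevice", body)
'''

if __name__ == "__main__":
    for lineno, v1, v2 in find_v1_calls(SAMPLE):
        print(f"line {lineno}: {v1} -> {v2}")
```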
New Features - Centrify Application Services
- Allows admins or users with multiple accounts, potentially in different domains, to use MFA from one account, namely the one with which they have logged into the Centrify app on their mobile phone.
- Administrators can redirect MFA notifications for a given account to be sent to another account.
- For the account where the redirect is enabled and set, all subsequent notifications will be sent to the account specified.
- The user should be able to use an OTP code or Mobile Authenticator from the phone associated with the account that has been targeted for MFA notifications.
- Administrators can use policy to allow end users to be able to set their own MFA redirection.
- If enabled for a given user or set of users, the user will find the option to configure MFA redirect in the user portal under the Account page under the information about their phone.
Centrify Browser Extension Enhancements
- Apps that leverage the Centrify Browser Extension can be launched directly from the browser's CBE menu:
- To access applications from CBE:
- Install the Centrify Browser Extension for your browser.
- Sign in with your username and password.
- Click on the CBE to select applications to launch.
All 4 major browsers are supported (IE, Chrome, Mozilla & Safari).
SAML Script Editor
- The editor now includes inline hints, autocomplete, and onscreen help to make it easier for customers to write SAML scripts.
- SAML script methods appear in hints and can be used with autocomplete.
- On-screen documentation of methods and variables is provided.
DevOps Application Category
- This new applications category in the apps catalog enables customers to easily set up SSO for popular DevOps CI/CD apps.
- To add DevOps applications to your app catalog:
- Log in to the Centrify portal as an administrator.
- Navigate to the Apps tab and click “Add Web Apps”.
- The DevOps category will be shown in the list of categories.
AWS CLI Utilities
- Centrify now offers Python and PowerShell CLI utilities for both admins and users to access Amazon Web Services (AWS) by leveraging Centrify Identity Services.
- Customers have the option to download the AWS utilities from the user portal under application settings.
- A new tab was also added to the download page in the Admin Portal called “CLI Tools” from where the AWS CLI tools can be downloaded.
- Official documentation for setup and operation is also available.
Time-based Workflow for Mobile and Desktop
- Customers can now reduce risk by requesting and granting access to apps only during a given time window.
- Under the Workflow tab in the Apps section, you can select the “Windowed” assignment type and specify start and end times.
- The approver can either accept the requested window or modify it.
The following catalog apps have been updated:
New Features - Centrify Endpoint Services
- Customers can now implement policy sets for endpoints and mobile devices ensuring that endpoints / mobile devices are being added to and removed from sets dynamically, based on changes to the attributes of the device.
- An Administrator can define specific policy sets by device attributes that would automatically update if any of those attributes were to change.
- For example, Macs can have a specific policy and if that endpoint were to turn off FileVault the policy would be updated automatically.
- The Administrator can then go into Endpoints, select the dynamic set and see the endpoints that meet that query.
Office 365 Conditional Access
- An Administrator can limit access to Exchange o365 based on whether the device is recognized as managed by the Centrify MDM solution.
- Conditional access for apps is an existing feature and works for all apps/browsers that support cert based authentication.
- This release adds cert based authentication for the Outlook app.
- This includes the ability to install a ZSO certificate on a Samsung device to support this feature.
New Features - Centrify API Services
New Documentation Updates (available 10/6/2018)
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- To improve security, Forgot Password now completes the entire forgot password process for users that do not exist (CC-59842).
- The App Gateway tab now appears for on-premises SAML apps for users with read-only administrator permission. Previously read/write administrator permission was required (CC-62356).
- TLS 1.1 and 1.2 are now enabled by default on devices running Android 4.1 – 4.4 (CC-62436).
- The manager field can now be set for a normal SCIM user as well as an enterprise user (CC-60545).
- Third party VPN profiles now show correctly on the security tab (CC-62281).
- Mobile applications are now no longer installed automatically when associated with a role created prior to release 18.7 and automatic deploy is unchecked (CC-61763).
- Enrollment via QR code now works for iOS 12 (CC-61793).
- The Centrify mobile app for iOS no longer repeatedly prompts for a PIN (CC-61732).
- Mobile devices are now correctly tagged as corporate when the serial number is imported after the device is enrolled (CC-60193).
- Devices no longer unenroll unexpectedly when the device incorrectly reports the Centrify mobile app is uninstalled while it is in the update process (CC-61044).
- The change password tab no longer shows in client settings after the enrolled user has been locked (CC-60890).
- On Privilege Access Service workflow, the default time bounding is now updated after being changed by approver 1 (CC-59858).
- The discovery history page for Privilege Access Service now loads while a system discovery job is running (CC-61359).
Changes for HF1
- Connector LDAP queries for custom attributes are improved (CC-62898)
Changes for HF2
- Fixed an issue with the display of Role membership, where the Role members list was empty even if users were assigned to the role. (CPSSUP-473)
- Slow user provisioning for both full and incremental jobs has been improved. (CISSUP-4452, CISSUP-4431, CC-62998)
- User changes for large groups reported to cloud have improved use of caching. (CC-62658)
- Fixed an error presented when selecting a previously discovered service in the Admin Portal. (CC-61466)
Changes for HF3
- Fixed an issue with performance during bulk enrollment of mobile devices. (CISSUP-4560)
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.