New Features - Centrify Privileged Access Service
Enhancements for an easy onboarding experience
The existing Quick Start wizard has been improved and now includes a Getting Started wizard for easy onboarding. System administrators will be guided through Connector installation and an import of up to 20 systems.
· Allows for a quick discovery of Active Directory-joined Windows servers
· Supports the option to discover and manage the local administrator accounts
Improved VMware support
We are improving our support for VMware VMkernel systems and accounts. In this release, we will add the functionality of managing local accounts for VMkernel on ESXi hypervisor versions 5.5 and higher.
· Enables shared account password management on VMware VMkernel systems
· Allows remote login access to VMware VMkernel systems with account credentials and SSH keys
We are also enhancing the VMware vSphere client desktop application. This will allow login to VMware vSphere via vaulted account credentials and SSH keys using the desktop application.
Improved Database performance
Performance at enterprise scale is a feature. Improved PAS architecture and queries for PostgreSQL enable fast page loads and queries for enterprise-scale resource and account loads.
· Orders of magnitude improvements for page loads and database queries
· Scales to large enterprise deployments
· Requires upgrade to version 19.4 database
If you are a customer using Centrify cloud service, no action is needed. These enhancements will be part of the 19.4 deployment.
For customers who are using an on-premises deployment, please follow https://centrify.force.com/support/Article/KB-11818-How-To-Enable-FastDB-on-Customer-Managed-Privilege-Access-Service-PostgreSQL-Database to enable the feature.
The return of minutes in windowed workflow requests
The ability to specify windowed workflow requests in intervals of minutes instead of hours is coming back to the Privileged Access Service. This will allow users to specify their just-in-time login and checkout access requests down to the minute for granular time selection.
19.4 Workflow – Windowed Login Request by Minute
19.3 Workflow – Windowed Login Request by Hour
Extended support of account soft locks for Active Directory and LDAP
In order to prevent Denial of Service (DoS) attacks, we are extending the account lock capabilities of our Centrify Directory Users to Active Directory (AD) and LDAP Users. This feature will set a soft lock in the Privileged Access Service on an account that has made more than a set number of invalid login attempts. The locked account will be prevented from accessing Centrify services. The maximum number of consecutive bad password attempts, the capture window, and the lockout duration before a password re-attempt is allowed can be customized so that the policy sits a level below the AD or LDAP policy threshold.
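The soft-lock behavior described above can be modeled as follows. This is an added illustration, not Centrify code: the class names, the sample thresholds, and the assumption that a soft-locked attempt is rejected before it ever reaches AD or LDAP are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class SoftLockPolicy:              # hypothetical names for the three settings
    max_bad_attempts: int          # consecutive bad passwords that trigger the lock
    capture_window: int            # seconds within which those failures must fall
    lockout_duration: int          # seconds before a re-attempt is allowed

@dataclass
class SoftLock:
    policy: SoftLockPolicy
    directory_threshold: int       # hard-lockout threshold configured in AD/LDAP
    failures: list = field(default_factory=list)
    locked_until: float = -1.0
    forwarded_failures: int = 0    # bad passwords the directory actually saw

    def __post_init__(self):
        # The soft lock only protects the directory account if it fires first.
        if self.policy.max_bad_attempts >= self.directory_threshold:
            raise ValueError("soft-lock threshold must be below the directory threshold")

    def attempt(self, now, password_ok):
        if now < self.locked_until:
            return "soft-locked"   # assumed: rejected locally, never sent to AD/LDAP
        if password_ok:
            self.failures.clear()  # "consecutive" count resets on success
            return "ok"
        self.forwarded_failures += 1
        window = self.policy.capture_window
        self.failures = [t for t in self.failures if now - t < window] + [now]
        # Assumption: the lock is set when the count reaches max_bad_attempts.
        if len(self.failures) >= self.policy.max_bad_attempts:
            self.locked_until = now + self.policy.lockout_duration
            self.failures.clear()
            return "soft-locked"
        return "denied"

if __name__ == "__main__":
    # Constructed scenario: 20 bad passwords, one per second, against an
    # account whose directory would hard-lock after 5 failures.
    lock = SoftLock(SoftLockPolicy(3, 60, 300), directory_threshold=5)
    results = [lock.attempt(t, False) for t in range(20)]
    print(results[:4], "directory saw", lock.forwarded_failures, "failures")
```

In the constructed burst the directory sees only three failures, so its own five-attempt hard lock is never reached and the account recovers on its own once the lockout duration has passed.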
Enhanced support for Federated Login
Light Federation allows federated users to be mapped to existing non-federated directory users in a Centrify tenant. Federation can now be configured to make account mapping disabled, optional, or required for users that are coming from an external source directory (a federated Centrify Directory, a federated Idaptive Directory, or a federated Active Directory). This feature will enable users to be provisioned with access rights into the Centrify Privileged Access Service (PAS) before they log in for the first time. With the enhanced Light Federation support, customers will receive the following:
· Support for granting PAS administrative rights to federated users by giving those rights to an existing mapped directory service account.
· Support for optionally creating a Centrify Directory user when there is no existing account to map.
· Support for synchronizing federated user attributes with a mapped user’s attributes.
· Support for adding existing mapped users to federated groups.
· Support for access policies that control multi-factor authentication (MFA).
· Support for OAuth credentials for non-interactive federated authentication, which is primarily a feature that is used for Centrify PAS Client authentication.
New Centrify Privileged Access Service (PAS) Client for Windows
The new Centrify Client for Windows works with the PAS platform to provide brokered authentication to Windows systems. By using the common code of the Centrify Client for Linux, we are able to achieve synergy between PAS clients. This client is lightweight, easy to deploy, and ideal for customers that have IaaS or DMZ use cases. The following benefits will be provided with the client for Windows:
· Multi-directory support (AD, LDAP, Google, and Centrify Directories)
· Conditional Access
· Multi-step and Multi-factor Authentication
· Password-less login with “Use my Account”
· CLI Tooling to interact with PAS
· Local Group Mapping
End of life notification
This section contains notifications for upcoming termination of apps, features, programmatic access or device support.
· In release 19.4 the minimum supported Android version has been raised from 4.2 to 4.4.2. Devices running an Android release prior to 4.4.2 are still able to access Privileged Access Service using the Centrify mobile app from a previous release; however, newer features introduced after that mobile app release will be unavailable.
The following list records issues resolved in this release and behavior changes.
· On "Centrify only" customer tenants, the Browser Extension will change to Idaptive Browser Extension. These customers will see a banner in the portal advising them to uninstall Idaptive Browser Extension and install Centrify Browser Extension. For details, please see https://centrify.force.com/support/Article/KB-11955-How-to-Replace-the-Idaptive-Browser-Extension-with-the-Centrify-Browser-Extension
· A new version of Centrify Privileged Access Service Mobile app (iOS and Android) is available with every release. While customers have a choice to update, we will be requiring the upgrade to our next release, Centrify PAS 19.5, where there are some architectural changes being made.
· Resolved an issue where Centrify cloud agent login was timing out retrieving group memberships for Active Directory users (CC-67149).
· Port scan discovery now recognizes Windows systems with RDP and RPC ports closed; previously, Windows systems with these ports closed were ignored (CC-67941).
· It is now possible to grant account permissions to a group using the csetaccount command (CC-44696).
· Cjoin now explicitly differentiates between Oracle Linux and Red Hat Enterprise Linux (CC-34973).
· Cenroll now checks and honors the ProxyURL setting if the -p option is not used (CC-67445).
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.