• The ability to enable SSH key management, which allows for key rotation. 
• The ability to apply the following policies for the rotation of SSH keys:
  • SSH key rotation interval
  • Minimum SSH key age 
  • SSH key generation algorithm
  • Clean-up intervals for retired SSH keys
• The ability to leverage an account that has an SSH key for System and Account Discovery operations.

Discover Local Accounts with Specific Names

The Centrify Privileged Access Service Discovery tool is getting an upgrade to have a new Actions option that allows rules to be made around what specific local accounts to discover for particular system types.

Multiple account names can be specified by using a comma or semi-colon separated list.



Support for Clipboard Copy and Paste in Web-Based RDP Sessions

The user experience can be enhanced for Centrify Privileged Access Service vault-brokered RDP sessions by allowing for copy and paste of text and images.

• The ability to enable or disable the clipboard for native and web-based RDP sessions.
• The ability to copy and paste text and images for web-based RDP sessions while using the following browsers:
  • Google Chrome
  • Microsoft Edge
  • Microsoft Internet Explorer (*text only)

 

UAC Support for Centrify Client on Windows

End users can now log on to a Windows host machine using a non-privileged account and launch an application as administrator after satisfying UAC using a cloud user's credentials.
Note: The directory user must belong to a role that is mapped to the machine's local administrator group. Role mappings can be configured using the Centrify Client's local group mapping feature, located on the Windows system's Local Group Mapping page.


New Features

• Domain Controller "Penalty Box"

• Windows Server 2019 is now supported as the host OS for Centrify Self-hosted PAS.
• Drag and drop is now supported to upload secrets from the host OS into the secrets UI where supported by the browser

• The Centrify Agent now supports a new status 'disabled' for the case that the enrolled system was deleted from PAS. If this state is detected, the Centrify Agent will try to unenroll itself (similar to 'cunenroll -f'), leaving only the cagent service in the system. A re-enrollment is required to bring the agent working (CC-74284).  
• Backchannel and password reconciliation in closed environments (i.e. environments that use an HTTP proxy) now works reliably (CC-74757).
• When adding SSH keys, either directly or via a file, a duplicate name causes an exception. A new payload property (“ImplicitRename”), has been added to AddSshKey and AddSshKeyFile, defaulting to false, to rename the key on collision.  An additional optional property (“RenameHint”) provides a string to help with the rename. If the property is set to true, the response from the endpoint will include both the new key UUID and the new name in an object of the form (_RowKey:“foo”, Name:”bar”). The response is unchanged in the case ImplicitRename is set to false (CC-74316).  
• Resolved an issue where the URL provided to pull SP metadata in federated cases with Centrify Hyper-scale PAS and Centrify Self-hosted PAS was not correct (CC-75119).
• Centrify Hyper-scale PAS can now be installed successfully with the database in -DBNoPLV8 mode (CC-75121).  
• Deleting a system now also removes the agent profile and service account. Previously these were not removed and caused issues if the system was re-enrolled (CC-73993).
• RDP requests with an empty password are no longer treated as a failed auth, they are now treated as if a password has not been provided (CC-74352).  
• Disabling the management of a service password in Service Settings now updates the assigned multiplexed account (CC-74353).
• The semantics of the UpdateResource API has changed with regard to delegated machine credentials (DMC) scopes. If there is no change to the DMC scope, there will be no DMCScope element in the payload. If there is any change to DMC scope, all DMCScopes are sent in the DMCScope element as an array. The back end will replace the current DMCScope settings. Note that all scopes are required in the payload, not just the delta. If the user wants to delete all DMC scopes, the DMCScope element is included in the payload but it is empty (CC-74798).
• RDP connections are now allowed to target machines with SecurityLater=0. The behavior matches the MS Terminal Services Client setting on the Connector machine (Connect / Warn / Do Not Connect). (CC-74080).
• The status of an approval request in the portal is now updated reliably to reflect an approval or rejection operation (CC-71225).  
• The swagger API reference is now included in the Self-hosted PAS and Hyper-scalable PAS packages at <base url>/vfslow/lib/api/swagger.json (CC-74728).
• Both administrators and the owner of the device can now unregister a device in the Admin Portal. Previously only administrators had the right to unregister a device. (CC-73940).

Centrify Connector

• Windows Server 2012r2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

• Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

• Windows Server 2016, Server 2019

Centrify Clients for Linux

• Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 8.0, 8.1
• CentOS 6.9, 6.10, 7.5, 7.6, 8.0
• Fedora 30, 31
• Oracle Linux 6.9, 6.10, 7.5, 7.6
• Amazon Linux AMI 2017.09, 2018.03
• Amazon Linux 2 2017.09, 2018.03
   

• Latest stable release 2345.3.0

• SuSE 12, 15

• Debian 8, 9
• Ubuntu 16.04LTS, 18.04LTS, 18.10, 19.04

Centrify Client for Microsoft Windows

• Windows Server 2012r2, Server 2016, Server 2019

Windows PAS Remote Access Kit

• Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify app for Android

• Android 4.4 (API level 19) and later

Centrify app for iOS

• iOS 11 and above