The Centrify Platform provides discovery services that help automatically populate the Centrify Privileged Access Service with systems and accounts. The "Manage Discovered Accounts" feature builds on these discovery capabilities by allowing users to further automate the on-boarding and management of discovered accounts.
Today the Centrify Privileged Access Service offers the following password management services:
Password change according to your systems password profile settings.
Password rotation based on a periodic rotation schedule and upon password check-in.
With this feature, users can automatically subscribe their discovered accounts to these management services to reduce the administrative overhead associated with manually managing the accounts.
UNIX Local Account Password Reconciliation - Phase 2 (preview):
UNIX Local Account Password Reconciliation (Unix LAPR), released earlier this year, added support for using a privileged administrative account to reconcile local account passwords on UNIX and Linux machines without any manual intervention. Phase 2 introduces the ability to perform password reconciliation using a domain administrative account that has only the limited privileges necessary to change the passwords of local accounts. This helps users stay true to "Just-Enough-Privilege" principles and further secures credential operations throughout your environment. In addition, this phase provides a built-in report outlining all password reconciliation events for greater visibility and tracking.
Remove Active Directory Dependency for Gateway-Based Auditing:
In its current design, gateway-based auditing, by way of the Centrify Gateway Connectors, depends on Active Directory to discover the Centrify Audit Collectors, then authenticates to them via Kerberos and forwards the audited data. This feature decouples the Centrify Gateway Connector from Active Directory by establishing a Transport Layer Security (TLS) channel to the Centrify Audit Collectors, allowing gateway-based auditing to support environments without direct Active Directory connectivity, such as DMZs or a Shared Services VPC/VNet model.
Centrify Gateway Connector Logging Improvements:
Today the Centrify Gateway Connectors are involved in multiple operations, including remote access and password reset. This capability tags each connector-driven operation with the Centrify Gateway Connector that performed the action. This improves time to resolution by increasing visibility and helping administrators quickly identify the source of a problem.
Centrify Browser Extension Custom App Support:
PowerShell SDK for the Centrify Platform:
This SDK is a PowerShell module for the Centrify Platform. The module provides wrapper functions for the Centrify Platform API as PowerShell Cmdlets that can be used from scripts or from an interactive PowerShell session. The PowerShell module can be installed on a Windows Server or Workstation running PowerShell 5.0 or above. The package and source code are available at https://github.com/centrify/powershell-sdk
Ansible Tower - Auth and Secrets Management Modules:
Centrify is providing customers with a credential plugin that allows Ansible Tower to retrieve credentials from the Centrify Privileged Access Service when running tasks against systems enrolled in your Centrify Platform Tenant. This plugin will be available as part of the AWX community project and Ansible Tower.
New features for Centrify Clients for Linux and Windows:
Ansible - Centrify Client Management on UNIX/Linux Module:
Centrify provides Ansible roles that can be used in any Ansible playbook to manage the Centrify Cloud Suite or Centrify Server Suite Agents. These roles can be run from the Ansible CLI or from Ansible Tower. The roles are built so that variables can be used to granularly control the deployment, enrollment and feature configuration of the Centrify agents. The Ansible roles are available at https://github.com/centrify/ansible
Local Account Clean-Up (CClient for Windows) (preview):
The Centrify CClient for Windows creates a local account upon login. Today these accounts are preserved in order to maintain any end-user profile-specific changes. With this new feature, users have a policy-level option that, when set, ensures local accounts are cleaned up upon session termination. This feature, when used in tandem with Centrify CClient's Local Group Mapping and Login (agentauth workflow), provides Just-in-Time Elevation via an ephemeral account. This lets you minimize your attack surface by eliminating standing privileges and granting short-lived access and elevated privileges on the fly, only when needed.
MFA Grace Period Support:
Improve IT operational efficiency by applying a customizable pass-through duration for multi-factor authentication (MFA) on Linux and Windows Servers. Once this setting is configured, an end user will not be re-prompted for MFA credentials at login if they have successfully fulfilled MFA within the set duration.
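The following is an added illustration of the grace-period decision described above, written for this page and not taken from Centrify's client code. It assumes (as a simplification) that the last successful MFA time is tracked per user and per host, and it fails closed on the edge cases a reviewer would ask about: no prior MFA record, a grace duration of zero, and a last-success timestamp that lies in the future because of clock skew.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Hypothetical model of an MFA grace-period check, not Centrify's own implementation.
# Assumption: the grace record is keyed by (user, host), so fulfilling MFA on one
# server does not suppress the prompt on another server.

@dataclass
class MfaGraceTracker:
    grace_seconds: int
    _last_success: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def record_success(self, user: str, host: str, now: float) -> None:
        """Record that `user` completed MFA on `host` at time `now` (epoch seconds)."""
        self._last_success[(user, host)] = now

    def mfa_required(self, user: str, host: str, now: float) -> bool:
        """Return True if the user must be re-prompted for MFA on this host."""
        # A grace duration of zero (or less) means the feature is off: always prompt.
        if self.grace_seconds <= 0:
            return True
        last = self._last_success.get((user, host))
        # No prior fulfilment on this host: prompt.
        if last is None:
            return True
        elapsed = now - last
        # A negative elapsed time means clock skew or a stale record; fail closed.
        if elapsed < 0:
            return True
        # Still inside the grace window: pass through without re-prompting.
        return elapsed > self.grace_seconds


if __name__ == "__main__":
    # Constructed walk-through with a 10-minute grace period.
    tracker = MfaGraceTracker(grace_seconds=600)
    print(tracker.mfa_required("alice", "srv1", 1000.0))   # True: never fulfilled
    tracker.record_success("alice", "srv1", 1000.0)
    print(tracker.mfa_required("alice", "srv1", 1300.0))   # False: inside window
    print(tracker.mfa_required("alice", "srv1", 1601.0))   # True: window expired
    print(tracker.mfa_required("alice", "srv2", 1300.0))   # True: different host
```

The fail-closed branches matter more than the happy path: a skewed clock or a missing record should cost the user one extra prompt, never grant a silent pass-through.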
Today the configuration of Centrify CClient features is only possible during a re-enrollment operation. With this new feature, an admin can manage Centrify CClient features through the client page in the portal (toggle on/off) as well as via CLI tooling (cedit). This capability allows you to centralize Centrify CClient management and reduce local administration.
The Centrify Client for Linux now supports aarch64 for RHEL 7.4+. Note: this package can only be retrieved from the official Centrify repository. Please visit the Centrify Downloads Center for instructions on how to access the Centrify repository.
Changes & Fixes in 20.7:
The following list records the issues resolved and the behavior changes in this release.
Changing the host name is now supported in Centrify Hyper-Scale PAS using the Centrify-Pas-ModifyInstallation.ps1 script (CC-75977).
A script is now provided for Centrify Hyper-Scale PAS in the Management folder to recover lost administrator access (CC-76294).
A mechanism is now provided for Centrify Hyper-Scale PAS and Self-hosted Privileged Access Service (PAS) to increase timeouts for database commands. Two timeout values are provided, one for normal operation and one when the schema is being upgraded. The two parameters are: