New Features
Show Password Complexity Requirements
New policy to show the password complexity requirements throughout the product wherever passwords are set / reset.
- Cloud Directory: Requirements come from policies automatically
- AD / Other: Admin can enter text to describe the requirements

Recovery of Forgotten User Name
New Setting (Authentication > Security Settings) to enable recovery of forgotten user name
- “Forgot User Name?” link appears on Sign In screen when enabled
- Email is used to recover the user name

Require Separate Device for MFA
New policy to require MFA from a separate device.
- When used, SMS, Phone Call and Authenticator are disallowed as MFA mechanisms
- Supports NIST 800-53r4

Expanded SAP Support
2 new SAP SAML apps have been added:
- Business Planning and Consolidation (BPC)
- Business Objects

Box Role Mapping Support for Union
Ability to assign destination Groups in Box as:
- Union of all Roles
- First Role “wins”

Mobile – Invite based enrollment
AKA Passwordless enrollment Enrollment:
- User gets enrollment invite link (either from User Portal – Add Device or Admin Invite email)
- If Centrify App is not installed, then user is directed to the app store
- If Centrify App IS installed , then No type enrollment starts

Mobile – Multi-Select on Devices Tab
Perform bulk-actions on mobile devices:
- Select 1 or more devices, Actions Tab will show appropriate actions for the group of devices selected

Mobile – Tabs Icon for Open Web Apps
Easy tab-based navigation when Web Apps open:
- Display number of web apps open
- Clicking on the Tabs Icon will show a tabs selector

Improved OATH Token Management for Admins
MFA – OATH HOTP
- Bulk upload of tokens now supports HOTP OATH tokens
- Enables YubiKeys (and others) for OTP
Admins can manage (remove) all tokens.
- "Created By" column now shows user who added the OATH token

App documentation has been added for the following SAML apps:
- ADP
- BenefitFocus
- Freshdesk
- Freshservice
- Frevvo
- Replicon
- SAP Business Planning and Consolidation
- SAP Business Objects
- Syncplicity
The following apps have been updated:
- AngiesList
- Box
- CheapAir
- codeExactTarget
- Dropbox
- Google Apps for Work
- My Adobe
- MyOwnBusiness
- Nettica
- RackspaceCloud
- Redbooth
- Reference.com
- RegOnline
- Replicon
- RoughGuides
- Salesforce
- Vimeo
- Wikimedia Incubator
- Xively
- Yahoo Mail
- Zara US
- Samanage
Supported Platforms
End of support
IE 10 is no longer supported. If you are using a browser earlier than IE 11, please upgrade to IE 11.
Centrify Privilege Service
The following platforms are supported by the Centrify Privilege Service CLI toolkit:
Red Hat 6.7, 7.2
CentOS 6.7, 7.2
Oracle 6.7, 7.2
Fedora 23
SLES 11 SP3, 12
Ubuntu 12.04LTS, 14.04LTS, 15.10
Notes:
1. Unless otherwise stated, always use latest available patch level.
2. Only 64-bit variants supported.
3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
4. Where applicable, desktop/workstation variants are both supported.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- UpdateRole API now takes a delta for principals add/removes. This resolves an issue with Box where users were unintentionally removed from a role and deprovisioned (CC-36473).
- For Box provisioning, sync without HomeParentId now no longer fails with "Parameter id may not be null or whitespace (CC-37515).
- With the Box app, administrators can choose between a priority order or union scheme (role order has no effect) to determine role memberships (CC-35452).
- Resolved an issue where a new group was added to the Box account when changing the synced group name. Now the name is changed, rather than being added as a new group (CC-35990).
- No longer fail to create personal folders for some users in Box provisioning (CC-36596).
- Fixed an issue where an unhandled exception was reported when clicking "Sync All Apps" when the displayed language was not English (CC-35095).
- Swedish is now supported in the User Portal, invitation emails and in the mobile apps if the user's default language is set to Swedish. The Cloud Manager and online help are not translated to Swedish and will show in English (CC-36947).
- The package name for Cisco Anyconnect VPN has changed, the Samsung KNOX policy now finds the new package name (CC-36204).
- Dropbox group membership is no longer removed after provisioning if no destination group is defined for a role (CC-37170/CISSUP-1955).
- Fixed an issue where provisioning would encounter an exception when it encountered an AD user with an apostrophe in their email address (CC-37160).
- Infinite apps now populates the user name/password fields when attempting to open apps in IE 11 (CC-19955).
- Can now select SMS option for MFA when the language is set to Brazillian (CC-37398/CISSUP-1999/CISSUP-2003).
- Fixed multiple issues where the Cloud Connector was not failing over to another DC (CC-37201/CC-37202/CISSUP-1964/CISSUP-1971).
- Office 365 provisioning now errors out if the Immutable Ids are different between the source AD and target Office 365 (CC-36828/CISSUP-1896).
- AD title changes now update in Samanage on incremental and daily syncs (CC-37348/CISSUP-1958).
- Emails are no longer always sent to users on Egnyte app syncs (CC-36903/CISSUP-1767).
- The Egnyte app now reports an error if a non-admin user account is used to authorize the app (CC-36749, CISSUP-1767).
- Resolved a screen layout issue for the Clear button for the user's photo when the language was set to Spanish (CC-37569/CISSUP-2020).
- FederationBrandName is now cleaned up when a domain is un-federated (CC-37071/CISSUP-1931).
- Resolved an issue with the Browser Extension where an exception was encountered if the Adobe PDF reader add-on tried to open a document (CC-37656).
- Incorrect name for Android for Work policy corrected. In Android for Work Settings > Restrictions, the policy "Permit data sharing from Work Profile" has been renamed to "Enable data sharing from Work to Personal Profiles".
- The search funciton now functions on the User Portal activity page (CC-37083).
- Secret keys in TOTP profiles now must be two characters or more, previously it was possible to create keys with a single character (CC-36799/CC-37001).
- The policy Samsung KNOX Device Settings > Firewall Settings > Proxy Rules now correctly sets proxy rules on a Samsung Galaxy S6 (CC-36888).
- An error message is now shown when running a manual provisioning sync with an invalid access token or invalid credentials (CC-36498)
For security advisories and known issues, please see attached file.