New Features - Centrify Identity Service
Additional Controls for Adaptive Authentication
Login Authentication policy now supports the following conditions:
- Day of Week
- Date Range
- Time Range
More Robust Cloud Connector
Cloud Connectors refactored and optimized for large / complex AD environments (there are no changes to the UI).
Note: we are deprecating support for Local Security Groups (LSGs) and Distribution Lists (DLs) in Roles:
- Existing Roles will continue to work as is in 16.5
- Admins will not be able to add members to Roles using LSGs / DLs in 16.5
- We’ve created a PowerShell script to migrate LSGs / DLs to Security Groups
- Support will work with customers to migrate their LSGs / DLs before 16.6 (when LSGs and DLs will no longer be supported for existing Roles)
App documentation has been added for the following SAML apps:
The following apps have been updated:
- Amazon Web Services Console
- Atlassian Customer Portal
- Dollar Tree
- Farm Fresh
- Pagoda Box
- SharePoint on-prem
- Windows Live
- Rally Agile Central renamed to CA Agile Central
- Invotrak renamed to Due
In addition, the Copy, SideTour and LaQuinta apps have been removed from the app catalog.
New Features - Centrify Privilege Service
Multi-factor Authentication for Accounts and Resources
Centrify is committed to providing MFA Everywhere – the additional security of multi-factor authentication to protect your critical IT assets, where you need it, when you need it.
In this release, Privilege Service provides new features for MFA when users attempt to access critical accounts and resources. Users can be required to answer an MFA challenge when checking out a password, accessing a remote system, or using a shared account to log into a remote system.
[Screenshot: MFA challenge rule for account password checkout]
Privilege Service supports the same robust set of MFA options and policies as Centrify Identity Service.
Password History Clean Up
Privilege Service can now automatically clean up the oldest entries in an account's password history list. This feature can align the storage of historical account passwords with an organization's data retention policies, and reduce the amount of storage required for the data.
[Screenshot: Password history clean up policy settings for a domain]
Historical passwords that are older than the maximum period configured in policy are automatically cleaned up (deleted). By default, the global setting for the maximum age of all historical passwords in Privilege Service is 365 days. The minimum retention value for historical passwords is 90 days; this value cannot be overridden.
This policy applies only to historical passwords, not to the current password for an account. Policy can be set at the global, domain, and resource levels.
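The retention rules above (resource, domain and global levels, a 365-day global default and a 90-day floor that no level may go below, and the current password being exempt) are worked through in this added Python example; it is not Centrify's code, and the policy-resolution order, field names and sample account data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Figures stated in the release notes.
GLOBAL_DEFAULT_DAYS = 365   # default global maximum age of historical passwords
MIN_RETENTION_DAYS = 90     # floor that no policy level may go below
SAMPLE_NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)  # constructed "now" for the sample data

@dataclass(frozen=True)
class HistoryEntry:
    rotated_out: datetime   # when this password stopped being current (assumed field name)
    vault_ref: str          # opaque handle to the stored secret, never the secret itself

@dataclass
class Account:
    name: str
    current_ref: str                  # the live password is never subject to cleanup
    history: List[HistoryEntry]

def effective_retention_days(global_days: Optional[int] = None,
                             domain_days: Optional[int] = None,
                             resource_days: Optional[int] = None) -> int:
    """Assumed resolution order: resource > domain > global; then apply the 90-day floor."""
    for days in (resource_days, domain_days, global_days):
        if days is not None:
            return max(days, MIN_RETENTION_DAYS)   # an override below the floor is clamped up
    return GLOBAL_DEFAULT_DAYS

def cleanup_history(account: Account, retention_days: int, now: datetime) -> List[HistoryEntry]:
    """Drop history entries older than the retention window; the current password is untouched."""
    cutoff = now - timedelta(days=retention_days)
    removed = [e for e in account.history if e.rotated_out < cutoff]
    account.history = [e for e in account.history if e.rotated_out >= cutoff]
    return removed

def build_sample_account(now: datetime) -> Account:
    """Constructed sample: one current password plus three historical entries of different ages."""
    return Account(
        name="svc-backup",
        current_ref="vault://svc-backup/v4",
        history=[
            HistoryEntry(now - timedelta(days=30), "vault://svc-backup/v3"),
            HistoryEntry(now - timedelta(days=120), "vault://svc-backup/v2"),
            HistoryEntry(now - timedelta(days=400), "vault://svc-backup/v1"),
        ],
    )
```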
Global Policies and Settings Moved in the User Interface
All global policies and configuration settings for Privilege Service have been moved in this release from the Cloud Manager portal to the Privilege Manager portal in the Privilege Service user interface. This change places all controls for Privilege Service within the same portal, making the service easier to set up and administer. The permissions required to edit these policies have not changed.
[Screenshot: Global policy and configuration settings consolidated in the Privilege Service user interface]
If you are a current Privilege Service customer, you may need to reset one or more of these policy values as the result of this change. Please contact Centrify Support if you have questions or need help.
Centrify Privilege Service
The following platforms are supported by the Centrify Privilege Service CLI toolkit:
- Red Hat 6.7, 7.2
- CentOS 6.7, 7.2
- Oracle 6.7, 7.2
- SLES 11 SP3, 12
- Ubuntu 12.04 LTS, 14.04 LTS, 15.10
- Unless otherwise stated, always use latest available patch level.
- Only 64-bit variants supported.
- For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
- Where applicable, desktop/workstation variants are both supported.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- The Box plug-in was updated to use the new URL introduced by Box at the end of March, 2016 – account.box.com (CC-36748).
- Error messages are no longer shown in the sync report when syncing users with personal home folder options set (CC-37532).
- The provisioning UI for the Box plug-in has been updated to remove a superfluous prompt when setting role mappings where the user is assigned a single destination group based on the role order (CC-37374). The label for this option has also been updated to better reflect its function (CC-37225).
- Upload and Download buttons are now shown on the cloud connector configuration page IWA service tab in Firefox (CC-38160).
- For the Box and Google Apps for Work provisioning feature, when enabling or disabling the ADGroupSync option, manual sync of the app will now unassign / assign users from the destination groups specified in the role mappings (CC-36955/CC-36956).
- When changing the option from Union scheme to Priority order in the Box app, users are no longer left in Union groups (CC-37525).
- ServiceNow app configuration documentation has been updated as a step was missing and some steps were in the wrong order (CC-38242).
- ThousandEyes SAML app configuration documentation has been updated to reflect the current UI (CC-38194).
- Users are no longer removed from unmanaged groups on sync operations when using provisioning with Google Apps (CC-37518).
- CustomerID in the login URL is supported but became case-sensitive in 16.4. This has been resolved in this release and CustomerID is no longer case-sensitive (CC-38218).
- The Zero Sign-On (ZSO) feature is now supported on Macs as well as Android and iOS devices (CC-37537).
- On iOS devices, the list of company apps no longer indicates that some apps need an update after they have already been updated (CC-34594).
- A fix was made to the App Gateway to resolve app launches from mobile devices always prompting for user names and passwords (CC-36448).
- The app configuration documentation for the Zscaler SAML app has been updated to note that SHA-2 is now supported (CC-37755).
- Fixed a race condition where a successfully completed O365 sync job was incorrectly marked as Process Failed (NotFound) (CC-37275).
- In the Samanage provisioning UI, “Non-European” is now the default Region option (CC-37933).
- The CloudBees app configuration documentation was updated to reflect the current CloudBees UI (CC-2385).
- Users can now create an app using App Capture and add a custom icon to it (CC-37827).
- Maps are now shown when running reports that deliver their information via a map. Previously an error was shown indicating that no location information was available (CC-37959).
- In the Samanage app, title changes are now synched (CC-37348).
- Apps in tags / categories are now sorted alphanumerically (CC-37852).
- The Jobs History “Running Jobs” query now returns pending jobs (CC-37912).
- The firewall and external IP address requirements documentation for the cloud service has been updated (CC-37951).
- Previously, when a provisioning job encountered an error and was cancelled, or a user cancelled the request, and another error occurred after that, the original cancellation reason was overwritten and never logged. The original cancellation reason is now preserved and logged (CC-37822).
- If the Cloud Connector installer cannot restart the connector service after upgrade, the installer can now optionally reboot the computer the service is running on (CC-37482).
- The global policy settings for Centrify Privilege Service have been moved from the Cloud Manager to the Privilege Portal in the Settings Tab, Security Settings item (CC-36471).
For security advisories and known issues, please see attached file.