New Features - Centrify Identity Service

 

3rd Party RADIUS (e.g., RSA SecurID) Support

 

Accept MFA responses from 3rd party solutions through RADIUS.

 

Settings > Authentication > RADIUS Connections > Servers

 

Settings > Authentication > Authentication Profiles

 

Settings > Network > Cloud Connector > Enable RADIUS Client

 

 Policies > User Security Policies > RADIUS

 

Dashboard Updates

 

Dashboard UI has been refreshed with the following enhancements:

• New Black / White Options
• Click on the ellipsis icon (…) for menu to set a dashboard as the default
• New Dashboard:
  • Security Overview

 

 

Black / White Options

 

 Click on the ellipsis icon (…) for menu to set a dashboard as the default

 

 

New Dashboards: Security Overview

 

 

UI Enhancements

 

Additional UI Enhancements include:

• Pod information is now displayed in the "About" menu
• Infinite Apps Refresh
• New design for the Cloud Connector Page

 

About Menu > Pod Information

 

Infinite Apps Refresh

 

Cloud Connector Page Design Refresh

 

 

Smart Card Support for Office 365 Thick Clients

 

Smart Card authentication is now extended to thick clients for Office 365!

• Note: Derived Credentials (for mobile) is not currently available

 

 

Derived Credentials UI Improvements

 

• CA and Templates from MS-CA automatically populate
• Admins can choose pre-configured templates (instead of keying in information manually)

Gmail is now the default email app in Android for Work

 

• Latest versions of Gmail app has EAS v16 support
• Email, Calendar, Contacts are all synced

 

App documentation has been added for the following SAML apps:

• PleaseReview
• IBM Connections Cloud
• Influitive

 

The following apps have been updated:

• Apple App Store
• Hiveage (renamed from CurdBee)

In addition, the following apps have been removed from the app catalog: Veer, Unison

 

New Features - Centrify Privilege Service

 

On-site Deployment Option

 

CPS now has two deployment options:

• Cloud service: Customers can choose to deploy and use CPS as a cloud service.  Centrify will manage the CPS application for the customer.

• On-site installation: Customers can choose to install CPS locally on their own Windows Server 2012R2 instance.  The customer will manage the CPS application.

 

 

Deprecating the Centrify CLI Toolkit

 

The CLI Toolkit will be removed from CPS entirely in release 16.10.  Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10. Centrify will end support for the CLI Toolkit in CPS release 16.12.

 

Changes to CLI commands in the Centrify Cloud Agent:

• A new service account will be used to join a computer to the customer’s Centrify cloud tenant. The "service account" will be a cloud user account with a name such as {hostname}$@{tenant.alias}
• The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped
• There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent

 

Supported Platforms

 

Centrify Privilege Service

The following platforms are supported by the Centrify Privilege Service (CPS) CLI toolkit:

 

     Red Hat   6.7, 7.1, 7.2

     CentOS    6.7, 7.2

     Oracle    6.7, 7.2

     Fedora    24

     SLES      11 SP3, 12

     Ubuntu    12.04LTS, 14.04LTS, 16.04LTS

 

Notes:

1. Unless otherwise stated, always use latest available patch level.
2. Only 64-bit variants supported.
3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
4. Where applicable, desktop/workstation variants are both supported.

 

End of Life Notice

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit is deprecated in release 16.8, and will be removed from CPS entirely in release 16.10. Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10.  This functionality includes the application-to-application password management (AAPM) feature set.

 

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2017. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.

 

Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set beginning with CPS version 16.10.

 

Changes to CLI Commands in the Centrify Cloud Agent

A new service account will be used to join a computer to the customer’s Centrify cloud tenant.  The "service account" will be a cloud user account with a name like

 

{hostname}$@{tenant.alias}.

 

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

 

There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.

 

Platform changes

Support for the Fedora platform will be dropped in 16.10.  The matrix below lists the platforms that will be supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer's Centrify cloud tenant.

 

Platform	AAPM	Login
RHEL	Y	Y
CentOS	Y
Oracle	Y
Fedora
AMI	Y	Y
SLES	Y
Ubuntu	Y

 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

• Role memberships can no longer be defined by Active Directory Distribution Groups or Domain Local groups. Please use security groups to define role memberships. See https://centrify.force.com/support/Article/KB-6906-How-to-convert-a-distribution-group-to-a-security-group for help converting a distribution group to a security group.
• In “Policies > User Security Policies > RADIUS > Allow RADIUS client connections” the default behavior (i.e. when the policy setting shows unset (‘--')) is now NOT to allow RADIUS connections. Previously the default was to allow connections (CC-40074).
• For Mac devices, the device settings page will now show the amount of RAM installed on the machine as long as the user has enrolled using the Mac cloud agent (CC-37021).
• No Android for Work exchange client is installed on a device as part of enrollment unless the Centrify app is release 16.8 or later. In previous releases the Divide Productivity client was installed, in 16.8 and later it is the Gmail client that is now installed (CC-40207, CC-39002).
• The status of installed Android in-house apps is no longer displayed while in kiosk mode as the user is unable to add or remove apps in this mode (CC-39405).
• When the the SyncGroups domains are changed in Google Apps, synched Active Directory groups are now removed where needed (CC-39106).
• Cloud connector status now shows the RADIUS server status if it is enabled (CC-39879).
• Filtering has been added back when in group view on a mobile device (CC-39848, CC-39851).
• The sign-in page now displays correctly on Windows Phone (CC-38137).
• Cloud Service-generated certificates now use SHA-256 as the signing algorithm instead of SHA-1 (CC-39978).
• The login session no longer hangs when accessing the Zendesk iOS native app (CC-40387).

 

For security advisories and known issues, please see attached file.

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.