New Features - Centrify Identity Service

3rd Party RADIUS (e.g., RSA SecurID) Support

Accept MFA responses from 3rd party solutions through RADIUS.

Settings > Authentication > RADIUS Connections > Servers

Settings > Authentication > Authentication Profiles

Settings > Network > Cloud Connector > Enable RADIUS Client

 Policies > User Security Policies > RADIUS

Dashboard Updates

Dashboard UI has been refreshed with the following enhancements:

• New Black / White Options
• Click on the ellipsis icon (…) for menu to set a dashboard as the default
• New Dashboard:
  • Security Overview

Black / White Options

 Click on the ellipsis icon (…) for menu to set a dashboard as the default

New Dashboards: Security Overview

UI Enhancements

Additional UI Enhancements include:

• Pod information is now displayed in the "About" menu
• Infinite Apps Refresh
• New design for the Cloud Connector Page

About Menu > Pod Information

Infinite Apps Refresh

Cloud Connector Page Design Refresh

Smart Card Support for Office 365 Thick Clients

Smart Card authentication is now extended to thick clients for Office 365!

• Note: Derived Credentials (for mobile) is not currently available

Derived Credentials UI Improvements

• CA and Templates from MS-CA automatically populate
• Admins can choose pre-configured templates (instead of keying in information manually)

Gmail is now the default email app in Android for Work

• Latest versions of Gmail app has EAS v16 support
• Email, Calendar, Contacts are all synced

App documentation has been added for the following SAML apps:

• PleaseReview
• IBM Connections Cloud
• Influitive

The following apps have been updated:

• Apple App Store
• Hiveage (renamed from CurdBee)

In addition, the following apps have been removed from the app catalog: Veer, Unison

New Features - Centrify Privilege Service

On-site Deployment Option

CPS now has two deployment options:

• Cloud service: Customers can choose to deploy and use CPS as a cloud service.  Centrify will manage the CPS application for the customer.

• On-site installation: Customers can choose to install CPS locally on their own Windows Server 2012R2 instance.  The customer will manage the CPS application.

Deprecating the Centrify CLI Toolkit

The CLI Toolkit will be removed from CPS entirely in release 16.10.  Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10. Centrify will end support for the CLI Toolkit in CPS release 16.12.

Changes to CLI commands in the Centrify Cloud Agent:

• A new service account will be used to join a computer to the customer’s Centrify cloud tenant. The "service account" will be a cloud user account with a name such as {hostname}$@{tenant.alias}
• The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped
• There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent

Supported Platforms

Centrify Privilege Service

The following platforms are supported by the Centrify Privilege Service (CPS) CLI toolkit:

     Red Hat   6.7, 7.1, 7.2

     CentOS    6.7, 7.2

     Oracle    6.7, 7.2

     Fedora    24

     SLES      11 SP3, 12

     Ubuntu    12.04LTS, 14.04LTS, 16.04LTS

Notes:

1. Unless otherwise stated, always use latest available patch level.
2. Only 64-bit variants supported.
3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
4. Where applicable, desktop/workstation variants are both supported.

End of Life Notice

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit is deprecated in release 16.8, and will be removed from CPS entirely in release 16.10. Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10.  This functionality includes the application-to-application password management (AAPM) feature set.

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2017. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.

Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set beginning with CPS version 16.10.

Changes to CLI Commands in the Centrify Cloud Agent

A new service account will be used to join a computer to the customer’s Centrify cloud tenant.  The "service account" will be a cloud user account with a name like

{hostname}$@{tenant.alias}.

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.

Platform changes

Support for the Fedora platform will be dropped in 16.10.  The matrix below lists the platforms that will be supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer's Centrify cloud tenant.

Resolved Issues and Behavior Changes

The following list records issues resolved in this release and behavior changes.

• Role memberships can no longer be defined by Active Directory Distribution Groups or Domain Local groups. Please use security groups to define role memberships. See https://centrify.force.com/support/Article/KB-6906-How-to-convert-a-distribution-group-to-a-security-group for help converting a distribution group to a security group.
• In “Policies > User Security Policies > RADIUS > Allow RADIUS client connections” the default behavior (i.e. when the policy setting shows unset (‘--')) is now NOT to allow RADIUS connections. Previously the default was to allow connections (CC-40074).
• For Mac devices, the device settings page will now show the amount of RAM installed on the machine as long as the user has enrolled using the Mac cloud agent (CC-37021).
• No Android for Work exchange client is installed on a device as part of enrollment unless the Centrify app is release 16.8 or later. In previous releases the Divide Productivity client was installed, in 16.8 and later it is the Gmail client that is now installed (CC-40207, CC-39002).
• The status of installed Android in-house apps is no longer displayed while in kiosk mode as the user is unable to add or remove apps in this mode (CC-39405).
• When the the SyncGroups domains are changed in Google Apps, synched Active Directory groups are now removed where needed (CC-39106).
• Cloud connector status now shows the RADIUS server status if it is enabled (CC-39879).
• Filtering has been added back when in group view on a mobile device (CC-39848, CC-39851).
• The sign-in page now displays correctly on Windows Phone (CC-38137).
• Cloud Service-generated certificates now use SHA-256 as the signing algorithm instead of SHA-1 (CC-39978).
• The login session no longer hangs when accessing the Zendesk iOS native app (CC-40387).

For security advisories and known issues, please see attached file.

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.