New Features - Centrify Identity Service

Administrative Tutorials ("Walk Me Through" Quick Start Wizard)

Interactive tutorials have been added to Cloud Manager.

• Pop-up help appears the first-time a user visits each tab
  
  
  
• Instructions for adding users
  
  
  
• Steps to configure Apps
  
  
  
• Administrative Tutorials enabled as a service 
  • Only in Centrify brand (cloud tenants)
  • “Getting Started” Dashboard has been deprecated
  • “Quick Start Wizard” is now a menu option
    
    
    
  •  Wizard can be disabled at the tenant-level
    
    
    

User Security Question Report

New report gives administrators visibility to their users' security question state.

• Reports > Builtin Reports > Security > User security question state for last 30 days
  
  

New Adaptive Authentication Conditions

Adaptive authentication has been expanded to include the following conditions:

• Device OS
• Browser
• Country

Centrify Browser Extension (CBE) Private Preview

Private beta of form-filling:

• Enables “Land and Fill”
• Users can now go directly to username / password app to sign-in without having to go to User Portal
• Available in Firefox only (additional browser support coming soon)

Preview: Derived Credentials Support for SCEP CAs

• Admins can now deploy Derived Credentials from either MSFT or SCEP

Device Location Reporting Option for Admins

• Admins now have policy for viewing device location
  
  
• Default - (no) Admin does not see device location
• Opt-in – Admin can see device location after approval by user
  
  

• Force – Admin will see device location (corp / fleet type devices)

New Centrify for Mac Agent – macOS Sierra & HSPD 12

Day Zero Support for macOS Sierra Release

• Visit macOS Sierra Support Resources Page for more info

HSPD 12 Support - Beyond PIV / CAC Login

• Multi-user PIV support
• Keychain protection via smart card
• Remote access (SSH & VNC) via smart card leveraging kerberos / GSSAPI
• Sudo via Smart Card.

The following apps have been updated:

• PagerDuty (SAML)
• ShiftPlanning (SAML)
• Stripe (user-password)
• Orbitz (user-password)
• Zoom (user-password)
• Box (user-password)

The following apps have been removed from the app catalog:

• Unison (SAML)
• PunchTab
• Symform
• Export Trader
• Lore
• Concept Feedback
• EmailBrain
• hotelguide.com
• OLX
• itDuzzit
• ClickBank
• Kenmore
• Moodstocks
• Gumtree

New Features - Centrify Privilege Service

Computer and Service Account Discovery

Computers and service accounts can be automatically discovered by Privilege Service and added to the vault. 

In this release, CPS discovers computers in Active Directory – both Windows and domain-joined *nix computers. 

Domain accounts used to launch Windows services and scheduled tasks on servers and workstations are also discovered, and associated with the computers on which they’re found.

Computer and account discovery based on network segments (for example, a range of IP addresses) will be added in a future release.

Windows Service Account Password Management

Privilege Service can now manage passwords for domain accounts used to launch Windows services and scheduled tasks.

These passwords can be automatically and periodically rotated on a user-defined schedule.  This enables customers to meet industry standards and regulatory requirements around password aging, even for a domain account that is referenced on multiple computers, accounts that are typically difficult to catalog and manage through manual processes.

A new multiplex account enables CPS to safely and securely rotate passwords for these accounts without risk of service or task failure because of ‘server off-line’ or other synchronization issues.

Re-enable Domain Account Management

Earlier this year, Microsoft removed part of their .NET API within a recommended security update for Windows.  Microsoft had previously recommended that vendors who needed to manage passwords for Windows local and domain accounts use this API.  CPS vaulting continues to work; however, with the removal of this API, CPS cannot automatically change passwords for Windows accounts.

• Re-enable password management (e.g. automatic rotation)

The fix in CPS for Microsoft’s API change is in two parts.  In this release, full management of passwords for domain accounts (i.e. Active Directory accounts) is re-enabled.

Support for local accounts is targeted for 16.10.

Supported Platforms

Centrify Privilege Service

The following platforms are supported by the Centrify Privilege Service (CPS) CLI toolkit:

     Red Hat   6.8, 7.2

     CentOS    6.7, 7.2

     Oracle    6.8, 7.2

     Fedora    24

     Amazon Linux

     SLES      11 SP4, 12 SP1

     Ubuntu    12.04LTS, 14.04LTS, 16.04LTS

Notes:

1. Unless otherwise stated, always use latest available patch level.
2. Only 64-bit variants supported.
3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
4. Where applicable, desktop/workstation variants are both supported.

End of Life Notice

Centrify Privilege Service CLI Toolkit

The Centrify CLI Toolkit is deprecated in release 16.8, and will be removed from CPS entirely in release 16.10. Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10.  This functionality includes the application-to-application password management (AAPM) feature set.

End of life for support of the CLI Toolkit

Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2017. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.

Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set beginning with CPS version 16.10.

Changes to CLI Commands in the Centrify Cloud Agent

A new service account will be used to join a computer to the customer’s Centrify cloud tenant.  The "service account" will be a cloud user account with a name like

{hostname}$@{tenant.alias}.

The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.

There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.

Platform changes

Support for the Fedora platform will be dropped in 16.10.  The matrix below lists the platforms that will be supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer's Centrify cloud tenant.

Resolved Issues and Behavior Changes

The following list records issues resolved in this release and behavior changes.

• This is the last release in which HTTP can be used for IWA. In 16.10:
  • The “Use HTTPS for IWA” checkbox will be gone from the UI, all behavior will be as if that box was checked.
  • All IWA from Web browsers, it attempted, will be done using the HTTPS port configured. If not configured properly, IWA will fail silently and users will have to login interactively.
  • IWA will be attempted if there is no IP range configured, or if the IP range is configured and the Web browser is within that range.
  • The cloud connector will continue to listen on the internal network for HTTP traffic, to support older on-prem AAPM clients, etc, but this will be removed in 16.11.
• In cases where an IP proxy is used, some proxies include the private IP address in headers and this can cause IWA to fail. Now IWA looks for the first public IP address a header (CC-40452).
• Support has been added for WS-Trust 1.3 (CC-40721).
• In the Citrix Sharefile, Dropbox and NetSuite (provisioning) apps, de-provisioning now disables a user rather than deleting them from the app (CC-39811, CC-39875, CC-39876).
• A policy has been added to control what happens when an app is unassigned. If the policy is enabled then the app will be removed from the device then it is unassigned from the role (CC-33437).
• In the DocuSign app, a new user is no longer created is the email address for a synched inactive user is updated (CC-38294).
• Some group synching with provisioning apps no longer fails with “Object reference not set to an instance of an object (CC-40494).
• The description of the Everybody role has been updated to better define which users will be included (CC-40182).
• The job history now no longer shows duplicate job entries for some apps (CC-38158).
• When an attempt to provisioning an Active Directory group fails, the rejected group name is now shown in the report instead of UNKNOWN (CC-39444).
• SalesHood can now be launched with SP-initiated SSO (CC-40517).
• A link to the release notes is now provided in the Cloud Manager About box (CC-40181).

For security advisories and known issues, please see attached file.

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.