11 April,19 at 11:50 AM
New Features - Centrify Identity Service
Administrative Tutorials ("Walk Me Through" Quick Start Wizard)
Interactive tutorials have been added to Cloud Manager.
User Security Question Report
A new report gives administrators visibility into the state of their users' security questions.
New Adaptive Authentication Conditions
Adaptive authentication has been expanded to include the following conditions:
Centrify Browser Extension (CBE) Private Preview
Private beta of form-filling:
Preview: Derived Credentials Support for SCEP CAs
Device Location Reporting Option for Admins
New Centrify for Mac Agent – macOS Sierra & HSPD 12
Day Zero Support for macOS Sierra Release
HSPD 12 Support - Beyond PIV / CAC Login
New Features - Centrify Privilege Service
Computer and Service Account Discovery
Computers and service accounts can be automatically discovered by Privilege Service and added to the vault.
In this release, CPS discovers computers in Active Directory – both Windows and domain-joined *nix computers.
Domain accounts used to launch Windows services and scheduled tasks on servers and workstations are also discovered, and associated with the computers on which they’re found.
Computer and account discovery based on network segments (for example, a range of IP addresses) will be added in a future release.
Windows Service Account Password Management
Privilege Service can now manage passwords for domain accounts used to launch Windows services and scheduled tasks.
These passwords can be automatically and periodically rotated on a user-defined schedule. This enables customers to meet industry standards and regulatory requirements around password aging, even for domain accounts that are referenced on multiple computers, which are typically difficult to catalog and manage through manual processes.
A new multiplex account enables CPS to safely and securely rotate passwords for these accounts without risk of service or task failure because of ‘server off-line’ or other synchronization issues.
Re-enable Domain Account Management
Earlier this year, Microsoft removed part of their .NET API within a recommended security update for Windows. Microsoft had previously recommended that vendors who needed to manage passwords for Windows local and domain accounts use this API. CPS vaulting continues to work; however, with the removal of this API, CPS cannot automatically change passwords for Windows accounts.
The fix in CPS for Microsoft’s API change is in two parts. In this release, full management of passwords for domain accounts (i.e. Active Directory accounts) is re-enabled.
Support for local accounts is targeted for 16.10.
Supported Platforms
The following platforms are supported by the Centrify Privilege Service (CPS) CLI toolkit:
Red Hat 6.8, 7.2
CentOS 6.7, 7.2
Oracle 6.8, 7.2
Fedora 24
Amazon Linux
SLES 11 SP4, 12 SP1
Ubuntu 12.04LTS, 14.04LTS, 16.04LTS
Notes:
End of Life Notice
The Centrify CLI Toolkit is deprecated in release 16.8, and will be removed from CPS entirely in release 16.10. Similar functionality to that in the CLI Toolkit will be available in the new command-line tools in the Centrify Cloud Agent in CPS release 16.10. This functionality includes the application-to-application password management (AAPM) feature set.
End of life for support of the CLI Toolkit
Centrify will end support for the CLI Toolkit in CPS release 16.12, targeted for December, 2017. In addition, because of updates to Kerberos, Centrify Server Suite will support only the new Centrify Cloud Agent feature set as of Server Suite 2017.
Centrify strongly recommends that customers use the new Centrify Cloud Agent feature set beginning with CPS version 16.10.
Changes to CLI Commands in the Centrify Cloud Agent
A new service account will be used to join a computer to the customer’s Centrify cloud tenant. The "service account" will be a cloud user account with a name like {hostname}$@{tenant.alias}.
The Kerberos-based join (aka -k option, with the Centrify Server Suite DirectControl agent) will be dropped.
There will be no requirement for the computer to be joined to an Active Directory domain in order to use the new cloud agent.
Platform changes
Support for the Fedora platform will be dropped in 16.10. The matrix below lists the platforms that will be supported by the Centrify Cloud Agent in release 16.10 for AAPM, and for user authentication from either a cloud user account or a user account from an Active Directory instance connected to the customer's Centrify cloud tenant.
Platform | AAPM | Login
RHEL | Y | Y
CentOS | Y |
Oracle | Y |
Fedora | |
AMI | Y | Y
SLES | Y |
Ubuntu | Y |
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
For security advisories and known issues, please see the attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.