What's new 2021

Large scale customers often need to delegate the responsibilities of invitations and requests management to different managers. While they can do so today by allowing vendors to invite other vendors (an external vendor manager), they did not have the ability to delegate these responsibilities to their own company’s Business unit managers (internal employees). With this new version, Remote Access administrators now have an option to delegate permissions rights for inviting vendors to other company users (“vendor managers”). The administrator can determine the level of control that a vendor manager has over the invitations they send, including to which Vault groups they can invite, to what timeframe they can invite, which Applications, and more. This allows distributing the load of vendors’ management to multiple managers and segregation of duties, while maintaining least privilege principals. For more information, see Delegate Vendor Manager role.

Remote Access provides an ability for company employees to authenticate via an external Identity provider, allowing users a unified SSO experience between Remote Access and other applications. Self-hosted PAM - Self-Hosted customers who used this capability were required to also integrate Remote Access with Active Directory. With this release, we removed this requirement. This reduces configuration steps, and removes the need for users to authenticate against Active Directory and save their user credentials in the CyberArk Mobile app. Remote Access will authenticate the user against their IdP, and will require them to authenticate again with the IdP on a periodic basis, set by the Remote Access administrator.

Remote AccessService Status page now provides notifications on scheduled maintenance work. Customers can also subscribe to updates in this page, getting email notifications on expected maintenance work.

The Data Protection FAQ was updated.

Remote Access no longer supports installation of the connector on RHEL versions 7.8 and below. RHEL version 7.9 continues to be supported.

Starting November 30, 2021, the Remote Access Connector minimum supported version will be 1.0.12409.

Connectors version 1.0.12002 (and below) will cease functioning after this date, affecting vendors’ and users’ ability to reach CyberArk via the Remote Access service.

This is happening in accordance with the CyberArk end-of-life policy, and to provide optimal service to our Remote Access customers.

As always, we advise to update to the latest version which contains the latest functionality, performance, and security enhancements, as well as the latest bug-fixes. For more information, see Upgrade connectors.

The Get-Connectors API enables administrators to pull and review the list of connectors in their Remote Access tenant and the status of each one.

CyberArk PAM - Self-Hosted is where customers manage their “keys to the kingdom” credentials, some of which are needed for critical operations and business continuity. While our solutions offer high availability and resiliency, there is a need to access business-critical accounts to ensure business continuity if PAM - Self-Hosted is unavailable due to planned or unplanned outage, or if the user has no connectivity ("offline"). Utilizing the new CyberArk Mobile App, CyberArk now provides access to credentials even when PAM - Self-Hosted is unavailable. Within the app, users can conveniently see the list of accounts to which they have permissions and select those who will be available for offline access. The CyberArk Mobile app will securely store the selected credentials within the app, protected with multi-factor and biometric authentication. When PAM - Self-Hosted is unavailable, users can fetch the stored credentials from the app and use them to connect directly to remote machines.

See Access PAM accounts offline credentials for more details for the end user.

See Activate offline access for PAM accounts for more details for the administrator.

Added Configure VendorLDAP manually in the PVWA and PrivateArk to Configure just-in-time vendor access

• The Data Protection FAQ was updated.

• The Configure just-in-time vendor access section was renamed with new headings to better reflect the topics.

• Fixed a typo in the Configure OpenID authentication configuration.

• Uploaded new videos for Secure Native Access configuration and user flow. To view them, see Configure secure native access and Secure native access through RDP.

We have officially renamed the Alero service to the new name Remote Access. This release includes the changes in the Remote Access connector and VendorLDAP. For more information, see Upgrade the Alero connector to Remote Access CLI and Just-in-Time Provisioning High Availability.

The Remote Access connector hardening for Red Hat hosts has been updated based on CIS Hardening benchmark v3.1.0. For more information see Hardening benchmarks.

The Connectivity tests on Linux page was updated with additional connectivity tests to verify that the Remote Access connector traffic can be secured from the connector host.

• The alero-connector CLI is now known as the remote-access-cli. The alero-connector snap is being deprecated from this point further (but is still available).

• The AleroLDAP component on the connector, used for just-in-time provisioning of vendors, is now known as the VendorLDAP

• The alerouser included in the installation script for the alero-connector docker container is now the 'remoteaccessuser'.

• The name of the running container seen on the host has been changed to remote-access.connector.

• The name of the underlying connector image pulled from the CyberArk repository of alero.connector has not been changed.

• In addition, these changes also affect the command to install and upgrade the connector, connector log locations, hardening commands. The documentation has been updated accordingly.

Prior to this release, a user who had passed a biometric challenge in the 10 seconds before launching the CyberArk Mobile app, would not have been challenged again.

In response to recent changes made by some device manufacturers, the CyberArk Mobile app now requires biometric authentication on each app launch regardless of prior biometric challenge results.

We have officially renamed the former Alero portal to the new name Remote Access. Further, the mobile application is now named CyberArk Mobile. Functionality remains the same and only the names on the portal and the mobile app are changed.

• The Connector CLI utility page is updated to better clarify the reset function.

• The Manage users and Manage vendors pages were updated to better clarify how to delete users.

• The commands for starting the connector manually were updated in the Troubleshooting page.

Administrators can now enable their remote vendors and users to open secure RDP sessions to protected privileged assets from mobile RDP clients via Alero. For more information, see Configure Secure Native Access

Alero now has additional notifications regarding possible error scenarios with Just-in-Time vendor provisioning into Privilege Cloud. For more information, see Privilege Cloud integration

Alero is now committed to a 99.9% SLA. This improvement helps prove to our customers our commitment to making Alero even more reliable and available.

Alero tenant admins can now select and manage multiple users or vendors in a single step via easy to use checkboxes.

This release provides additional keyboard layout support for end users who connect through HTML5 browser-based privileged sessions. In addition to en-us-qwerty (default), fr-fr-azerty, and de-de-qwertz, end users can now use other keyboard layouts on their targets when working with privileged sessions. For details, see Keyboard layouts.

We have upgraded internal software used by the PSM HTML5 Gateway (Guacamole and Free-RDP) for enhanced security.

The Tomcat version was upgraded to enhance security in the HTML5 Docker Image.

The Secure Native Access documentation is updated with new information about setting up a secure native RDP connection to a specific account in PAM.

For details, see Set up a secure native RDP connection to a specific account

Remote vendors and IT administrators are accustomed to using remote connection applications of their choosing, and usually prefer to maintain their regular work processes when working with PAM. CyberArk PAM adheres to those needs by providing the ability to connect with native Remote Desktop clients and connection managers. This release adds the ability for remote users and vendors to initiate privileged sessions directly from their desktop with connection managers and RDP client applications, while benefiting from Remote Access’s remote, VPN-less, password-less access. For details about configuration, see Configure Secure Native Access.

The connection from the client machine is initially established using the RDP client, but it provides connectivity not only to Windows machines, but to a wide range of systems and applications, and without the need to open any RDP inbound to your datacenter. The connection can be made from Windows, Mac or Unix / Linux end user workstation.

After a user initiates a connection from their RDP client, the mobile app allows users to authenticate and choose targets, triggering a secure session. Alternatively, they can pre-configure their connection managers with the relevant target account details. For details, see Connect with Secure Native Access .

Customers can now deploy and configure the Alero connector secure tunnel to communicate outbound SSH traffic to the Alero SaaS via port 22.

For details, see Set up connectors

The SaaS service status page for Alero is now available here: https://status.alero.io/. This page provides real-time visibility into the performance of Alero SaaS service uptime and tracks incident history.

For details, see Remote Access services.

We have deployed an additional traffic manager in Hong Kong, which facilitates improved connection times and session performance to customers located in this region. This joins the existing Alero Traffic Manager network deployed in Virginia, Frankfurt, Mumbai, Singapore, Montreal and Sydney.

We have added a new command to the Alero CLI which allows users to choose the colors for the Error and Warning messages presented via the Alero CLI.

For details, see Settings commands.

The Data Protection FAQ for Alero is updated with new information related to the Direct RDP Access feature.

We have added a new data center in Sydney, Australia, to meet market demand in that region.

The new data center, in addition to our existing data centers based in US (Virginia), EU (Frankfurt), and Canada (Montreal), further extends our global network.

When configuring your Alero tenant, mobile application, and connector, you can use the Australia datacenter to ensure all data is kept within Australia borders. Additionally, this new data center also acts as an additional Traffic Manager, improving performance of any Alero user sessions in the region.

CyberArk has received Alero’s official SOC 2 Type II certification. This means that an independent auditing firm has reviewed and examined our control objectives, activities, and tested those controls to ensure that they are operating effectively. In achieving this certification, customers can be assured that data is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.

The Alero license has been updated per CyberArk 2021. As part of this update, we also provide better visibility into usage of Alero licenses broken down by Vendor or User according to license allotment. For details, see Licensing.

In the latest version of the Alero connector, you can deploy and configure AleroLDAP for Just-in-time vendor provisioning on multiple Alero connectors, allowing for high availability of this component to the PVWA. Multiple connectors in the same site now automatically use the same AleroLDAP CA certificate as well as bind user information to ensure no manual steps are required by the customer, and to maintain Just-in-time vendor provisioning in case of a disruption to any one connector.

The latest connector and SaaS release also includes AleroLDAP maintenance tasks, reporting of connector activities, and notifications on AleroLDAP certificate expiration. For details, see Configure just-in-time vendor access.

Idaptive Administrators can now allow their users to reach PVWA applications configured via Alero without onboarding via the Alero mobile application first. This is in addition to the existing integration, further improving the experience for joint customers looking for a seamless SSO and MFA experience across business applications and privileged accounts. For details, see the Idaptive docs.

Alero now displays a notification in the notification center when a connector has been 'disconnected' for more than 5 minutes. This alert indicates to Alero administrators that remedial action may need to be taken to restore service. For details, see Connector.

Alero administrators can now view tenant audit activities in the Alero mobile app, which enables better monitoring without requiring the use of a browser.

The following 'Show Help' pages in the Alero portal have been reviewed and updated for clarification.

Set up connectors

Invite Vendors

Settings: Manage general settings and Manage identities settings