What's new 2020

Customers can now enable Alero company users to authenticate via an external Identity provider, allowing users a unified SSO experience between Alero and other applications. For details, see Configure external Identity Provider integration.

We added Prerequisite network requirements to help you with the firewall rules required to install the Snap and Docker prerequisites for the Alero connector.

We added documentation of the breakglass flow for admins of tenants that are configured for Idaptive or External IdP authentication. For details, see Breakglass tenant Admin access.

Users and vendors can now manage their full Alero profile directly from the Alero portal. They can self-delete their Alero user from the portal (as well as in the mobile app) maintaining full control at all times over their personal data.

For details, see Profile.

The first batch of Alero videos is ready! These are quick videos that show some common Alero flows that can be easily reviewed and help get you up to speed before your next Alero task. More are in the works and coming soon!

For details, see Videos.

Idaptive and Alero customers can now integrate tenants to benefit from Idaptive SSO and MFA for a seamless user experience when accessing business applications via Idaptive, and when accessing PVWA and privileged accounts via Alero, remotely and without a VPN. For more information, see the Idaptive docs.

Users can now switch to other Alero data centers as needed via a handy drop-down on the QR authentication page. For details, see Change your Data Center.

• You can view screenshots of every step of mobile user registration.

• A new structure in the Settings pages reflects the hierarchy in the Alero portal, and enables you to find information about the Alero Settings pages more easily.

We have added a new data center in Montreal, Canada, to meet market demand in that region.

The new data center, in addition to our existing data centers based in US East and Frankfurt, Germany, further extends our global network.

When configuring your Alero tenant and connector, you can use the Canadian data center to ensure all data is kept within Canadian borders.

Additionally, this new data center also acts as an additional Traffic Manager, improving performance of any Alero user sessions in the region.

Administrators now can see the source IP of the Alero user session in the tenant sign in and application login activities. Administrators can also enable a source IP allowlist to restrict access to applications.

Tenant administrators can use the Notification Center to receive information about different Alero events which may require admin actions. The current set of notifications are relevant for customers using Alero integration with CyberArk Privilege Cloud, with more event sources coming soon!

For details, see Notifications for Privilege Cloud Integration.

The Alero connector can now be deployed on a wider range of operating systems. The connector can now be deployed on Red Hat Enterprise Linux v7.9, in addition to v7.6, v7.7, and v7.8 which were previously supported.

We have enhanced the REST APIs that can be utilized to automate Alero administrative tasks and integrate with external systems. This update to Alero APIs includes:

• New capabilities for managing vendor self-service invitation requests.

• A full update of the Alero activities to reflect the latest functionality from our recent releases.

We have improved Alero documentation in the following area:

• We clarified License consumption between Alero licenses and CyberArk Vault licenses.

Alero administrators can now see full details of users in the mobile app, making it easier to manage them. For details, see View user details.

We released a new Alero Connector with security fixes and under-the-hood changes to prepare for future functionality. To upgrade, see Upgrade connectors.

We have uploaded a new version of the Alero OpenID dll to the Marketplace, which supports newer versions of the PVWA.

We have improved Alero documentation in the following areas:

• We updated the Remote Access Data Protection FAQ to reflect changes that were included in the latest versions of the Alero Connector and Alero Mobile apps.

• We clarified requirements for using multiple Alero Connectors with Load Balanced PVWAs.

• We published the Remote Access End-of-Life policy for supported components, alongside the rest of the CyberArk End-of-Life policy.

New Alero app users are now asked to specify the Alero data center where the personal identification details they enter in the application are stored.

Alero tenant admins can now select and manage multiple Vendor Self-service requests in a single step, via easy-to-use checkboxes. For details, see Reject requests.

Bulk actions for additional tasks are coming soon.

We have deployed multiple Alero Traffic Managers globally, which facilitates improved connection times and session performance to customers located geographically distant from their Alero data centers. Traffic Managers were deployed at the following locations - Virginia, Frankfurt, Mumbai, Singapore.

We have enhanced the REST APIs that can be utilized to automate Alero administrative tasks and integrate with external systems. Alero API v2 contains updates and enhancements to visibility, creation, and management of invitations, users, vendors, and Alero vendor groups.

The Alero service can be used as an SAML identity provider (IDP) to the PVWA, so that user authentication from Alero is accepted by the PVWA. This version improves the user experience when configuring SAML authentication in Alero, reducing human errors and allowing quicker setup.

This release includes an updated Alero connector with the following enhancements:

• Communication between AleroLDAP and the Vault does not allow encryption lower than TLS 1.2.

• Alero's Just-in-Time provisioning of vendors to the Vault now includes the vendor's email address.

This version introduces a simple and independent way for vendors to join a tenant and get access to company assets, which reduces administration overhead and human errors. Vendors can request to join a tenant by registering themselves in a dedicated URL, entering their registration details, the timeframe required for access, and additional comments. The Alero administrator who receives the request can reject it, approve it, and edit its administration details, saving the need for them to enter the vendors' registration details.

For details, see Self-service requests.

To join Alero, vendors and company employees must be invited to a tenant via email that contains an invitation link to Alero. This version simplifies the process by enabling users to join directly from their smartphone, without needing to connect to the Alero portal from their computer.

This version of the Alero mobile application simplifies administrator workflows by enabling tenant admins to perform additional management tasks directly from the app, including: company user invitations, users management and vendor management.

For details, see Manage tenants via app.

For enhanced security, Alero administrators can configure Alero to periodically validate a company employee's credentials against the Active Directory, and deny access to Alero if the validation fails (for example, if the user was suspended or deleted in the AD). Alero can be set to automatically remove users whose validation failed after a certain timeframe, providing simpler administration of these users.

For details about configuration, see Validate user AD credentials.

The Alero administrator can now update their corporate logo in the Alero SaaS. For more details, see Company details settings.

Vendors who have been authorized to invite additional vendors from their organization, can now see and manage their pending invitations.

• Alero Administrators can now configure a regular interval after which Vendors will re-confirm their membership within the Vendor Company by re-verifing their corporate email address.

  For details, see Vendor email verification interval.

Alero documentation has been improved to provide more clarity in the following areas:

• PAS versions required for different integrated features via Alero. For details, see Privileged Access Management integration.

• System Requirements. For details, see System requirements

This release provides wider support for various target keyboard layouts. In addition to the en-us-qwerty keyboard layout, vendors and remote employees can now use other keyboard layouts on their systems during sessions to remote targets.

Alero Administrators can now create and add custom invitation templates to vendor invitations. For more information, see Set vendor general settings.

You can now configure the interval after which expired vendors will be automatically removed from your Alero tenant. For more information, see Settings.

Non-app vendors can now receive codes via phone calls in addition to text. As part of this enhancement, an extension can be included in the vendor phone number. For more information, see Access using Phone/Text and Email Tokens.

We have implemented a content delivery network or (CDN) for the Alero portal. This provides a geographically distributed group of servers that work together to provide fast delivery of the Alero portal, anywhere in the world.

This release includes mailing service configuration changes that are designed to raise the trust level for emails sent from the Alero service.

Alero administrators can now see a drill-down view of Alero activities, giving them more details and an improved ability to track Alero usage.

3rd party vendors may not always be able to use the Alero mobile app to authenticate to Alero. This person might not own a smartphone with biometric identification capability, or simply doesn't agree to installing a work-related application on their private phone. For more details, see Vendor access.

Alero administrators can now invite 3rd party vendors to authenticate to Alero via SMS & Email tokens, instead of using the built-in strong, biometric authentication of the Alero mobile app. For more details, see Manage vendors.

We have added a new data center in Frankfurt, Germany, to meet the market demand in the EU region.

The new data center, in addition to our existing data center based in US East, further extends our global network. When initially signing up as a tenant in Alero, you can choose whether to use the US data center or the EU data center, and then set up your Alero connector accordingly. For more details, see Install the connector.

You can now limit the number of subvendors that a vendor admin is permitted to manage. For more details, see Invite Vendors.

The Alero connector can now be deployed on a wider range of operating systems. The connector can now be deployed on Red Hat Enterprise Linux v7.8, in addition to v7.6 and v7.7 which were previously supported.

Alero administrators can provision access to remote vendors directly, or can delegate this responsibility to a remote vendor admin by allowing them to invite other vendors. In this version, we added granular administration settings for delegated invitations, including a sub-set of the applications, a sub-set of the groups, and a shorter timeframe than that which the vendor admin was permitted to use.

Alero can integrate with the customer’s Active Directory to allow existing company users to access Core PAS remotely through Alero. In this version, we enhanced the security of this integration by supporting the use of LDAPS protocol.

Customers who cannot use URLs to set firewalls rules can now use a static IP address for the Alero service to set the firewall rule.

Vendors can now see their assigned access timeframe and user status in the Alero mobile app

To ensure constant business continuity and optimal performance for large scale deployments, customers can now deploy multiple Alero connectors inside a site. An active-active topology ensures that if a connector suffers disruption, all communication is automatically redirected through a different connector. Additionally, a built-in load balancer ensures that load is distributed between the connectors.

A new window provides information to Alero administrators about license usage, including warnings when approaching the license limit.

Vendors expired for more than 30 days are now automatically removed from Alero, to free up licenses.

Providing access to your company employees from remote is essential to maintain business operations in an efficient and simple manner. Exposing the company's internal assets to the public network poses a great risk and must be secured. Alero can now be used for remote company employees, in addition to 3rd party vendors, to access internal assets protected with CyberArk PAS through Alero's VPN-less secure tunnel and strong authentication. A simple user invitation process facilitates onboarding company employees through a simple email invitation and self-enrollment.

You can also use Alero to access PAS when inside the network, not only remotely.

A refreshed UI, simplifies day-to-day tasks and helps improve productivity for the Alero administrator.

Alero administrators can create groups in Alero to streamline Just-in-Time user provisioning, and then assign these groups Safe ownership and permission in the Privileged Access Security (PAS) solution. Vendors can be added to one or more groups when their invitation is created.

In addition, Alero administrators can view all users, vendors, groups and pending invitations in dedicated pages and perform actions on them.

A new "Settings" page provides security controls to Alero administrators, such as adding email domains in vendor invitations to an allow list, setting an expiration timeframe for accepting invitations, and more.

The new Alero mobile application simplifies administrator workflows by performing management tasks directly from the app, including Site management and vendor invitations.

Alero acts as an Identity Provider for PAS by utilizing SAML or OpenID-based authentication. A new configuration for the OpenID-based authentication removes the need to open a connection from the PVWA to Alero.io.

Configuration of the AleroLDAP for Just-in-Time vendor user provisioning has been improved to automate many of the steps which previously had to be done manually. It is now a faster and more stable process.

Alero administrators who create applications to connect Alero to their PVWA will find that the first time they perform a ‘connect’ operation to test the setup, their predefined username is ‘AleroTestUser’. Create and assign permissions/Safes to this user in your PAS solution to test the connection. After users set their Active Directory credentials, and following Active Directory integration with Alero, each user's validated username replaces this field.

Alero now exposes REST API which enables automatic vendor provisioning and management, as well as access to audit and entitlement data. This allows for integration with external systems such as identity management system. You can also perform bulk actions, like inviting multiple vendors at once, deactivating and removing vendors.

Vendors can now access the Alero portal using Internet Explorer, Edge and Firefox, in addition to Chrome.

In this version, customers who use SAML authentication for their internal employees no longer need to use a dedicated PVWA for Alero. Authentication to PAS can use OpenID-based authentication, which coexists with SAML authentication in the PVWA.

In this version, we simplified PSM HTML5 gateway deployment, by reducing the number of manual steps.

Stability improvements

Bug fixes

Significant improvements in connection stability and performance in a new Alero connector.