Idaptive release notes

Release 20.7.156 (available December 12, 2020) introduces the following changes. Refer to Idaptive Release Notes - Previous Versions for changes in previous releases.

New Features

Multi-Factor Authentication

  • QR Code authentication

    Offer users increased security and convenience with the option to log in to the Idaptive Identity Service without having to type even a username; users can simply scan a QR code with version 20.7 or later of the CyberArk Idaptive application on an enrolled mobile device.

    Release of the 20.7 version of the iOS app is pending review by Apple.

    In addition, you can use QR codes as an authentication mechanism for MFA challenges for users with an enrolled mobile device.

    Refer to QR Code login for more information.

Single Sign-On

Integration with CyberArk Alero

CyberArk Alero is a SaaS-based service that integrates with Core PAS for complete visibility and control of remote privileged activities without the need for VPNs, agents or passwords. Refer to the Alero documentation for more detail.

Users with this integration can use the single sign-on and adaptive MFA features of the Idaptive Identity Service to remotely access privileged targets protected inside the CyberArk Vault, PVWA, and other elements of Core PAS.

Refer to CyberArk Alero integration for details.

General platform

Custom support links

Point the support link in the Admin Portal support menu to your own custom link. For example, you might prefer to link to your own support organization rather than CyberArk support.

Refer to Customize the support links for more information.

Improvements and behavior changes

Single Sign-On

  • Changed the Client Secret and Token Secret field types on the Provisioning page of the Netsuite SAML app template from clear text to password.

General platform

  • Roles with members can't be deleted if the role has permissions to an app.

  • Updated the following with CyberArk branding:

    • ADFS MFA plugin

    • Syslog Writer

    • Splunk add-on

Fixed issues

Multi-Factor Authentication

  • Time ranges in rules-based authentication policy for RADIUS MFA now always indicate UTC.

    Prior to the fix, the UI implied local time even though UTC was used.

Lifecycle management

  • The Manager attribute is now synced to Office 365 when you use token-based authentication with Office 365 provisioning.

Component versions

This release includes the following components:

Component               Version
Windows Cloud Agent     20.7.156
Mac Cloud Agent         20.4.163
Android client          20.7.142
iOS client              20.7.128 - pending review by Apple
Browser Extensions      20.7.156
Connector               20.7.156

Browser support

This version of Idaptive Identity Services has been tested with the following browsers:

Browser                 Version
Internet Explorer       Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8
Microsoft Edge          latest version available at release
Mozilla Firefox         latest version available at release
Google Chrome           latest version available at release
Apple Safari            11

For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see How to install the Idaptive Identity Service Browser Extension).

On devices, the Idaptive application and Idaptive for KNOX open the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the Idaptive application and Idaptive for KNOX open the application in its built-in browser.

Browser Extension support

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

  • Microsoft .NET Framework 4.6.2 or later
  • Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.

Feature           Chrome (latest available at release)   Firefox (latest available at release)   Edge
Form filling      Yes                                    Yes                                     Yes
App capture       Not supported                          Yes                                     Not supported
Land and Catch    Yes                                    Yes                                     Yes
App Launch        Yes                                    Yes                                     Yes

Device support

If you are using Idaptive Identity Services for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The purpose of the Idaptive cloud agents is to enforce authentication profiles; they are only active during authentication. Unlike anti-virus and Endpoint Detection and Response agents, the Idaptive cloud agents do not listen to system events or otherwise consume endpoint resources after the user logs in.

Operating System              Versions supported
Windows                       10, Server 2016, Server 2019
macOS                         10.13, 10.14, 10.15
iOS                           11.x and above
iPadOS                        13.x and above
Android                       5.0 or later
Samsung KNOX Enterprise SDK   3.x or later

Devices using iOS 10 can still be enrolled and will be supported, but you cannot update the Idaptive Identity Services client beyond version 19.518.3.

Samsung KNOX Enterprise SDK support includes transparent integration with the Samsung Universal Mobile Device Management Client (UMC) and the Samsung Enterprise Gateway.

Language support

Foreign language support is provided for the following components:

  • Idaptive Identity Services user portal help (Japanese only)
  • User portal text strings
  • Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and Idaptive Identity Services system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account > Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

  1. Log in to the Admin Portal.
  2. Click Access > Policies > Select the relevant policy.
  3. Click User Security Policies > User Account Settings.
  4. Select the default language in the Default Language drop-down list.
  5. Click Save.

In this release, translations are provided for the following languages:

  • Arabic
  • Brazilian Portuguese
  • Chinese—Simplified and Traditional
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Portuguese
  • Russian
  • Serbian
  • Spanish
  • Swedish
  • Thai
  • Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

Known Issues

Directory services

User Portal > Account > Personal Profile is read-only for Google Directory Service, LDAP, and Federated Directory users due to an issue with saving additional attributes.

Adaptive Multi-Factor Authentication

  • FIDO2 or on-device authenticators require logging in from your tenant-specific URL.

Windows Cloud Agent

  • The MFA login screen shows “Phone Call” more than once if a user has multiple phone numbers configured.

  • LDAP is not currently supported as a user directory for the Windows Cloud Agent.

  • With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using an Idaptive directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

    Workaround: https://support.microsoft.com/en-au/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e

  • Windows Defender SmartScreen might show a warning when installing the Windows Cloud Agent. This happens because the Windows Cloud Agent is new and not yet on the list of safe files that Windows Defender SmartScreen checks.

Mac Cloud Agent

  • The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

    Workaround:

    1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

    2. Click Open on the warning screen that appears.

      After making these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.

  • Certificate-based authentication is not functional on Mac Cloud Agent enrolled Macs.

    Workaround: Users can sign in to Idaptive services manually.

  • The Mac Cloud Agent cannot be updated from the UI.

    Workaround 1: Go to the user portal or admin portal to download the latest agent.

    Workaround 2: Click the Update button on the top menu, then click latest agent version. When you see the message "Failed to connect to launch...", click OK, then close the application.

    Reopen the Mac Cloud Agent and note the agent is updated to the latest version.

  • Self-service account unlock is not supported in this release.

  • A user may not be able to see the device location.

    Workaround: Go to the user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

  • Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

    Workaround: Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

  • The local account can get out of sync with the matching account in the directory source after a password change, resulting in a denied login.

    Workaround: Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

  • When creating an authentication profile for Mac MFA, the password must be the first factor (Challenge 1).

  • A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

    Workaround: To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

  • Apple Watch unlock is not compatible with the MFA lock screen policy.

    Workaround: Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

  • The Idaptive Menu Item is not removed from the UI after unenrolling until the next login or restart.

  • You might receive a certificate error during munkiimport after tenant migration.

    Workaround: Re-enroll the Mac.

  • MFA Lockscreen is disabled in macOS 10.15 due to an Apple bug which we expect will be fixed in an upcoming patch release. For the 19.6 Mac Cloud Agent, the normal macOS lock screen with password will be shown.

  • The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.

iOS client

Derived credentials functionality for iOS devices is not available in 20.2. Existing devices already enrolled for derived credentials will continue to work, but no new devices will be able to set up derived credentials. We'll be adding this functionality back in an upcoming release.

Lifecycle management

  • If a duplicate LDAP configuration is added (duplicating the host/port, BaseDN, and unique identifier mapping from an already-existing LDAP configuration) then the configuration will appear to be added successfully. However, the duplication causes errors with the previously existing LDAP configuration, and attempting to delete the duplicate configuration deletes BOTH configurations, resulting in "orphaning" all of the users associated with the previous LDAP service.

    Workaround: Do not create duplicate LDAP configurations.

Single Sign-On

The Client ID changed in OpenID Connect apps that were exported and imported prior to 20.7. Contact support for assistance with updating the Client ID.