Idaptive release notes

Release 20.5.163 (available October 23, 2020) introduces the following changes.

New Features

Windows Cloud Agent

NLA-based trust establishment for RDP connections

The Windows Cloud Agent can now apply an authentication profile based on whether an RDP client has performed Network Level Authentication (“NLA”). This can be used by CyberArk PSM, or any RDP client that supports NLA, while connecting to a server with the Windows Cloud Agent.

Refer to Enforce adaptive MFA on NLA connections for more information.

Single Sign-On

The Office 365 application template now supports token-based authentication.

Basic authentication will continue to work until Microsoft stops supporting it; however, to ensure uninterrupted provisioning functionality, we recommend switching to token-based authentication as soon as possible.

Refer to Configure Office 365 for single sign-on for more information.

General platform

IP address affinity for IWA connections

IP address affinity for IWA connections allows admins of large network environments to prioritize connectors in the same region as the IWA client, creating more predictability in how users’ endpoint connectors are selected. If no connector is available for the specified IP address, a different connector is selected based on connector health.

Refer to Set IP address affinity for IWA connections for more information.
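The selection behaviour described above, modelled as an added example (not Idaptive's implementation or documented algorithm): a client IP is matched against an affinity table of IP ranges to find a preferred region, a healthy connector in that region is chosen when one exists, and otherwise the healthiest connector overall is used. Connector names, regions, IP ranges and the latency-based health ordering are constructed sample data.

```python
"""Region-based connector selection for IWA connections (illustration).

Added example, not Idaptive's code: it models the behaviour the release note
describes (prefer a connector whose region matches the client's IP range,
otherwise fall back on connector health). Connector names, regions, IP
ranges and health values below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connector:
    name: str
    region: str
    healthy: bool
    latency_ms: int  # lower is better; used as the health ordering


# Constructed affinity table: client IP range -> preferred connector region.
AFFINITY = {
    ipaddress.ip_network("10.10.0.0/16"): "eu-west",
    ipaddress.ip_network("10.20.0.0/16"): "us-east",
}

# Constructed connector inventory.
CONNECTORS = [
    Connector("conn-eu-1", "eu-west", healthy=True, latency_ms=12),
    Connector("conn-eu-2", "eu-west", healthy=False, latency_ms=9),
    Connector("conn-us-1", "us-east", healthy=True, latency_ms=80),
    Connector("conn-ap-1", "ap-south", healthy=True, latency_ms=40),
]


def preferred_region(client_ip: str):
    """Return the region mapped to the most specific matching IP range, or None."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, region) for net, region in AFFINITY.items() if ip in net]
    if not matches:
        return None
    # Longest prefix wins when ranges overlap.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def select_connector(client_ip: str, connectors=CONNECTORS):
    """Pick a healthy connector in the client's region, else the healthiest overall."""
    healthy = [c for c in connectors if c.healthy]
    if not healthy:
        return None
    region = preferred_region(client_ip)
    in_region = [c for c in healthy if c.region == region]
    # Fall back to the whole healthy pool when no regional connector is available.
    candidates = in_region or healthy
    return min(candidates, key=lambda c: c.latency_ms)


if __name__ == "__main__":
    for ip in ("10.10.4.7", "10.20.1.1", "192.168.1.5"):
        chosen = select_connector(ip)
        print(ip, "->", chosen.name if chosen else "none")
```

Unhealthy connectors are excluded before the regional preference is applied, so a region whose only connector is down falls through to the global pool rather than pinning clients to a dead connector.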

Improvements and behavior changes

Lifecycle management

This release adds support for the jobTitle attribute for UltiPro inbound provisioning. Note that mapping jobTitle to Active Directory requires creating a matching custom attribute in Active Directory.

Single Sign-On

RSA-OAEP encryption is available for SAML integrations. RSA-OAEP offers enhanced security; however, you should verify that the service provider supports it before selecting it.

Refer to Trust settings for more information.
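One way to verify support before switching a SAML integration to RSA-OAEP is to read the algorithms the service provider advertises in its metadata. The following is an added example, not part of the Idaptive product or its documentation: it parses SAML 2.0 SP metadata and lists the EncryptionMethod algorithm URIs declared on the SP's encryption key descriptor, using the standard XML Encryption identifiers for RSA-OAEP (1.0 and 1.1) and for the legacy RSA PKCS#1 v1.5 transport. The metadata document is a constructed sample.

```python
"""Check whether a SAML service provider advertises RSA-OAEP key transport.

Added example, not part of Idaptive's product or documentation. It parses SP
metadata (SAML 2.0 metadata XML) and lists the EncryptionMethod algorithms
declared on the SP's encryption KeyDescriptor, so an admin can confirm OAEP
support before enabling it. The metadata below is a constructed sample.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Key-transport algorithm URIs from XML Encryption 1.0 and 1.1.
RSA_OAEP_URIS = {
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
}
RSA_PKCS1_V15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"

# Constructed SP metadata: declares both OAEP (MGF1) and legacy PKCS#1 v1.5.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def encryption_algorithms(metadata_xml: str) -> set:
    """Return algorithm URIs declared on KeyDescriptors usable for encryption.

    A KeyDescriptor with no 'use' attribute applies to both signing and
    encryption, so it is included; use="signing" descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    algorithms = set()
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "encryption") != "encryption":
            continue
        for em in kd.iterfind("md:EncryptionMethod", NS):
            alg = em.get("Algorithm")
            if alg:
                algorithms.add(alg)
    return algorithms


def supports_rsa_oaep(metadata_xml: str) -> bool:
    """True when the SP declares at least one RSA-OAEP key-transport method."""
    return bool(encryption_algorithms(metadata_xml) & RSA_OAEP_URIS)


def only_pkcs1_v15(metadata_xml: str) -> bool:
    """True when the SP declares key transport but nothing stronger than rsa-1_5."""
    algs = encryption_algorithms(metadata_xml)
    return RSA_PKCS1_V15 in algs and not (algs & RSA_OAEP_URIS)


if __name__ == "__main__":
    print("declared:", sorted(encryption_algorithms(SAMPLE_METADATA)))
    print("RSA-OAEP supported:", supports_rsa_oaep(SAMPLE_METADATA))
```

Metadata is a statement of intent, not proof: an SP that omits EncryptionMethod entirely may still accept OAEP, and one that lists it may have a misconfigured decryption path, so confirm with a test login after changing the trust settings.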

Android client

Knox UMC enrollment has been discontinued as a feature. Other enrollment options can be used for Samsung phones.

Component versions

This release includes the following components:

Component             Version
Windows Cloud Agent   20.5.163
Mac Cloud Agent       20.4.163
Android client        20.4.225
iOS client            20.4.147
Browser Extensions    20.5.163
Connector             20.5.163

Browser support

This version of Idaptive Identity Services has been tested with the following browsers:

Browser              Version
Internet Explorer    Version 11 on Windows Server 2008, Windows Server 2012, Windows 7, and Windows 8
Microsoft Edge       latest version available at release
Mozilla Firefox      latest version available at release
Google Chrome        latest version available at release
Apple Safari         11

For silent authentication to work correctly, some web browsers need additional configuration (see How to configure browsers for silent authentication) or a browser extension (see How to install the Idaptive Identity Service Browser Extension).

On devices, the Idaptive application and Idaptive for KNOX open the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the Idaptive application and Idaptive for KNOX open the application in its built-in browser.

Browser Extension support

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restricting Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

  • Microsoft .NET Framework 4.6.2 or later
  • Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.

Feature          Chrome (latest at release)   Firefox (latest at release)   Edge
Form filling     Yes                          Yes                           Yes
App capture      Not supported                Yes                           Not supported
Land and Catch   Yes                          Yes                           Yes
App Launch       Yes                          Yes                           Yes

Device support

If you are using Idaptive Identity Services for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The Idaptive cloud agents' purpose is to enforce authentication profiles; they are only active during authentication. Unlike anti-virus and Endpoint Detection and Response agents, the Idaptive cloud agents do not listen to system events or otherwise consume endpoint resources after the user logs in.

Operating System               Versions supported
Windows                        10, Server 2016, Server 2019
macOS                          10.13, 10.14, 10.15
iOS                            11.x, 12.x, 13.x (see note on iOS 10 below)
iPadOS                         13.x
Android                        5.0 or later
Samsung KNOX Enterprise SDK    3.x or later (see note on KNOX below)

iOS 10: Devices using iOS 10 can still be enrolled and will be supported, but you cannot update the Idaptive Identity Services client beyond version 19.518.3.

Samsung KNOX: Support includes transparent integration with the Samsung Universal Mobile Device Management Client (UMC) and the Samsung Enterprise Gateway.

Language support

Foreign language support is provided for the following components:

  • Idaptive Identity Services user portal help -- Japanese only
  • User portal text strings
  • Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and Idaptive Identity Services system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account > Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

  1. Log in to the Admin Portal.
  2. Click Access > Policies > Select the relevant policy.
  3. Click User Security Policies > User Account Settings.
  4. Select the default language in the Default Language drop-down list.
  5. Click Save.

In this release, translations are provided for the following languages:

  • Arabic
  • Brazilian Portuguese
  • Chinese—Simplified and Traditional
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Portuguese
  • Russian
  • Serbian
  • Spanish
  • Swedish
  • Thai
  • Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

Known Issues

Directory services

User Portal > Account > Personal Profile is read-only for Google Directory Service, LDAP, and Federated Directory users due to an issue with saving additional attributes.

Adaptive Multi-Factor Authentication

  • FIDO2 or on-device authenticators require logging in from your tenant-specific URL.

  • The webhook to lock users based on risk level is not working.

Windows Cloud Agent

  • The MFA login screen shows “Phone Call” more than once if the user has multiple phone numbers configured.

  • LDAP is not currently supported as a user directory for the Windows Cloud Agent.

  • With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using an Idaptive directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

    Workaround: https://support.microsoft.com/en-au/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e

  • Windows Defender SmartScreen might show a warning when installing the Windows Cloud Agent. This happens because the Windows Cloud Agent is new and not yet on the list of safe files that Windows Defender SmartScreen checks.

Mac Cloud Agent

  • Certificate-based authentication is not functional on Mac Cloud Agent enrolled Macs.

    Workaround: Users can sign in to Idaptive services manually.

  • The Mac Cloud Agent cannot be updated from the UI.

    Workaround 1: Go to the user portal or admin portal to download the latest agent.

    Workaround 2: Click the Update button on the top menu, then click latest agent version. When you see the message "Failed to connect to launch...", click OK, then close the application.

    Reopen the Mac Cloud Agent and note the agent is updated to the latest version.

  • Self-service account unlock is not supported in this release.

  • Users may not be able to see the device location.

    Workaround: Go to the user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

  • Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

    Workaround: Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

  • The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

    Workaround: Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

  • When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).

  • A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

    Workaround: To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

  • Apple Watch unlock is not compatible with the MFA lock screen policy

    Workaround: Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

  • The Idaptive Menu Item is not removed from the UI after unenrolling until the next login or restart.

  • You might receive a certificate error during munkiimport after tenant migration.

    Workaround: Re-enroll the Mac.

  • MFA Lockscreen is disabled in macOS 10.15 due to an Apple bug which we expect will be fixed in an upcoming patch release. For the 19.6 Mac Cloud Agent, the normal macOS lock screen with password will be shown.

  • The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.

iOS client

Derived credentials functionality for iOS devices is not available in 20.2. The existing devices already enrolled for derived credentials will continue to work, but no new devices will be able to setup derived credentials. We'll be adding this functionality back in an upcoming release.

Lifecycle management

  • If a duplicate LDAP configuration is added (duplicating the host/port, BaseDN, and unique identifier mapping from an already-existing LDAP configuration) then the configuration will appear to be added successfully. However, the duplication causes errors with the previously existing LDAP configuration, and attempting to delete the duplicate configuration deletes BOTH configurations, resulting in "orphaning" all of the users associated with the previous LDAP service.

    Workaround: Do not create duplicate LDAP configurations.

  • The Manager attribute is not synced to Office 365 when you are using token-based authentication with Office 365 provisioning.

  • Unable to update Groups with the proxyAddress attribute when you are using token-based authentication with Office 365 provisioning. This is because the proxyAddress attribute is not supported by the Graph API.

    Workaround: Set proxyAddress to null in the provisioning script. Office 365 will assign an SMTP email address as the default proxy address.
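The duplicate LDAP configuration issue listed above (same host/port, Base DN and unique identifier mapping as an existing configuration) is easiest to avoid with a pre-flight check before a new configuration is saved. The following is an added example, not part of the Idaptive product or its administration API: it normalises the three identifying fields, since host names and DN attribute types compare case-insensitively and DN separators may carry stray whitespace, and refuses to add a configuration that resolves to an already-registered directory. The LdapConfig type and the sample configurations are constructed for this example.

```python
"""Pre-flight check for duplicate LDAP directory configurations.

Added example, not part of the Idaptive product: it normalises the three
fields the release note says define a duplicate (host/port, Base DN and
unique-identifier attribute mapping) and refuses to add a configuration that
matches an existing one. The LdapConfig type and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapConfig:
    name: str
    host: str
    port: int
    base_dn: str
    unique_id_attr: str


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison.

    Strips whitespace around RDN separators and lowercases attribute types and
    values. Simplified: escaped commas (\\,) inside values are not handled, and
    case-sensitive matching rules for unusual attributes are ignored.
    """
    rdns = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def identity_key(cfg: LdapConfig) -> tuple:
    """The tuple of fields that makes two configurations point at the same directory."""
    return (
        cfg.host.strip().lower(),
        cfg.port,
        normalize_dn(cfg.base_dn),
        cfg.unique_id_attr.strip().lower(),
    )


def find_duplicate(new: LdapConfig, existing):
    """Return the existing configuration that `new` duplicates, or None."""
    key = identity_key(new)
    for cfg in existing:
        if identity_key(cfg) == key:
            return cfg
    return None


def add_config(new: LdapConfig, existing: list) -> list:
    """Append `new` to `existing` unless it duplicates a registered directory."""
    dup = find_duplicate(new, existing)
    if dup is not None:
        raise ValueError(f"{new.name!r} duplicates existing LDAP configuration {dup.name!r}")
    existing.append(new)
    return existing


if __name__ == "__main__":
    registry = [LdapConfig("corp", "ldap.corp.example", 636, "DC=corp,DC=example", "objectGUID")]
    candidate = LdapConfig("corp-2", "LDAP.corp.example", 636, "dc=corp, dc=example", "objectguid")
    print("duplicate of:", find_duplicate(candidate, registry).name)
```

Because the page reports that deleting the duplicate removes both configurations, the check belongs before the save step, not as a cleanup afterwards.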