CyberArk Identity Release Notes

Release 22.6 (available June 17, 2022) introduces the following changes.

Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

New features

The following new features are available.

Feature Description

Workforce Password Management

Import accounts from external password managers

End users can now import their existing application credentials stored in external password managers or from other generic CSV files into CyberArk Identity. The credentials are imported either to Identity Cloud or self-hosted CyberArk PAM Vault as configured by the administrator.

For details, see Import accounts

Mobile SDK

Authentication widgets in Android mobile SDK

The Android mobile SDK enables end users to add authentication and authorization with strong MFA into their mobile apps using the CyberArk Identity Authentication widget.

End users can use the CyberArk Identity MFA and SSO features, and self-service features such as password reset, account unlock, and user registration, in your Android mobile applications through the Authentication widget.

To see how the Android SDK is used to embed the Authentication widget into a mobile app, download the sample app that uses the SDK from GitHub.

See Integrate authentication widget for strong MFA for more details.

Mobile Applications

Support for TOTP in Apple Watch

This feature enables TOTPs (passcodes) in the Apple Watch companion app. If end users have passcodes enrolled in the Identity iOS app, the passcodes are now displayed on the companion watch as well. End users cannot add new TOTPs from the watch; they can only use existing ones.

Improvements and behavior changes

This release includes the following product improvements.

Improvement Description

Workforce Password Management

Removal of Set Browser Extension Version policy option

The latest versions of the CyberArk Identity Browser Extensions are now available on the browser extension stores for Edge, Chrome, and Firefox browsers.

The policy setting Set Browser Extension version (default latest version) is deprecated and is no longer available under the following path: Core Services > Policies > Policy > [Policy name] > Policy Settings > Application Policies > User Settings.

Identity Security Platform

Change in Default policy description content

The description for the Default policy is now changed to the following text:

"The default policy contains all security settings related to enforcement of Adaptive MFA, SSO, RADIUS, and other Identity related configurations."

App Gateway Application to ISP URL Migration for New Tenants

Previously, the App Gateways did not support domains that end with

Now, the App Gateway application is integrated to the Identity Security Platform and can start populating and supporting new <guid>


Sysprep of machine is no longer a pre-requisite

Previously, for the virtual machines created from the same image, Sysprep was a prerequisite to complete the Windows Cloud Agent installation.

From this release, Sysprep of a machine is no longer required.

QR Code support in Windows Cloud Agent and Mac Cloud Agent

In addition to the existing MFA options, end users can now set up authentication profiles to support QR code in MFA for Windows Cloud Agent and Mac Cloud Agent. After successful authentication with the username and password, end users can then select the QR Code option from the MFA drop-down list and scan the QR code to log in.

General Maintenance

Change in signing certificate for downloadable artifacts

Currently, our artifacts are signed with a DigiCert Trusted G4 certificate issued to the Idaptive, LLC entity. From this release, the new certificate is a GlobalSign SHA256 Code Signing certificate issued to the CyberArk Software Ltd. entity.

In most instances, this will not affect CyberArk Identity users. However, if you are utilizing an allowlist/blocklist check on consumable artifacts, you might need to update your configuration to prevent downloads from being blocked.
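The following PowerShell sketch shows the kind of allowlist check this change affects. It is an added example, not CyberArk code: it accepts a downloaded Windows artifact only when its Authenticode signature is valid and the signer matches one of the two publishers named above. The function name Test-ArtifactSigner, the issuer name patterns, and the assumption that the certificate's common name equals the entity name are illustrative; pin the thumbprints of the real certificates where your tooling supports it.

```powershell
# Added example: allowlist check on a downloaded artifact's Authenticode signer.
# Publisher names are taken from the release note. The issuer patterns and the
# assumption that the certificate CN equals the entity name are illustrative.
$AllowedSigners = @(
    @{ Publisher = 'CyberArk Software Ltd.'; IssuerLike = '*GlobalSign*' }  # release 22.6 and later
    @{ Publisher = 'Idaptive, LLC';          IssuerLike = '*DigiCert*'   }  # earlier releases
)

function Test-ArtifactSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable[]] $Allowed = $AllowedSigners
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Reject unsigned, modified, or untrusted files before looking at any names.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{
            Path = $Path; Allowed = $false; Reason = "Signature status: $($sig.Status)"
        }
    }

    $cert      = $sig.SignerCertificate
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $cert.GetNameInfo($nameType, $false)  # subject common name
    $issuer    = $cert.GetNameInfo($nameType, $true)   # issuing CA common name

    foreach ($entry in $Allowed) {
        # Exact, case-sensitive publisher match; loose match on the issuing CA.
        if ($publisher -ceq $entry.Publisher -and $issuer -like $entry.IssuerLike) {
            return [pscustomobject]@{
                Path = $Path; Allowed = $true
                Reason = "Signed by '$publisher' (issuer '$issuer', thumbprint $($cert.Thumbprint))"
            }
        }
    }

    [pscustomobject]@{
        Path = $Path; Allowed = $false
        Reason = "Valid signature, but signer '$publisher' / issuer '$issuer' is not allowlisted"
    }
}

# Usage (hypothetical path):
# Test-ArtifactSigner -Path 'C:\Downloads\cloud-agent-installer.msi'
```

Keeping the older signer entry lets artifacts from previous releases continue to pass the check.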

Early access features

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

Feature Description

Initial release version

Developer experience

Generate scoped access token

Customers can generate scoped access tokens for the OpenID connect endpoint to access protected resources.


User interface


Updated design in Application tile

The design is updated for the app tiles. A new Shared icon has been introduced in the app tile. You can view this icon on the lower right of the app tile. You can view all other icons on the lower right of the tile except the New and Error icons.


Enhanced interface in Applications

This enhancement enables you to customize tabs in the applications based on your requirements. You can perform the following actions in the User Portal:

  • Add tabs

  • Delete tabs

  • Re-order tabs

  • Drag and drop apps from one tab to another tab

A new drop-down has been introduced, which enables you to sort all applications.

Refer to Organize your applications for more information.


Additional enhancements to the Applications interface in the User Portal

This release adds the following enhancements to the Applications interface in the User Portal.

  • A new Shared Apps tab to show all applications shared with you or by you through the Workforce Password Management feature

  • The ability to rename tabs

  • The ability to scroll through tabs if you have more tabs than can fit in your available screen width



Monthly Active Users Report

The Monthly Active Users report is an in-built report that displays the count of unique users who have logged in or signed up to CyberArk Identity or an external app within the past month.

This report gives an overview of the MAU quota purchased and the active users per month for the selected period.



Custom branded CyberArk Identity Admin Portal

This feature enables customers to configure the CyberArk Identity Admin Portal to add their custom branding. It provides their end users and partners the customer's brand experience when accessing the Admin Portal.


Sign in APIs now support multiple identifiers

CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number.

If an email address or phone number is used in multiple user accounts, sign-in fails.


Mobile Applications

Number matching implementation to prevent accidental push approvals (push fatigue) and push attacks

This feature enables users to prevent accidental or habitual push approvals and fraudulent push attacks.

If a push approval is sent, this feature prompts the user to tap the number that matches the one displayed on both the Login screen and the authenticator app screen. This adds an additional confirmation from the end user when a push notification is sent.


Support for push notifications on the Android mobile app for users in China

This feature enables users who don't have access to Google services, like users in China, to explicitly fetch the push notifications and policy updates sent by CyberArk Identity.

Contact your CyberArk account representative to enable this feature if you have users without access to Google services.

Refer to Download the CyberArk Identity mobile app for Android and CyberArk Identity-SDK for-Android for more information.



Windows and Mac Device Trust

The CyberArk Identity Windows Device Trust and Mac Device Trust prevent untrusted computers from accessing the CyberArk Identity portals or web applications using authentication certificates as a conditional access mechanism. This provides additional device trust to identity and access policies.

The Windows Device Trust is available for AD-joined devices and users must first be validated using IWA authentication. The Windows Device Trust is available in the Admin Portal > Downloads.

The CyberArk Identity Mac Device Trust is available for AD-joined devices and non-AD-joined devices, and is deployed with Jamf Pro.

Additional enhancements include:

  • New functionality (Revoke, Issue, Renew, and Lifetime) has been added for certificate management for Windows Cloud Agent and Windows Device Trust. Go to Admin Portal > Settings > Endpoints, select an endpoint then go to the Certificates tab to view the functionality.

  • Integrations in the Admin Portal > Settings > Endpoints has been renamed to Device Trust.

Refer to CyberArk Identity Mac Device Trust and CyberArk Identity Windows Device Trust for more information.

Mac - 21.9

Windows - 21.5

New Single Sign-On templates

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

Refer to Recent SSO application templates for a list of recently added templates.

Component versions

Refer to the following table for a list of component versions in the latest release:



CyberArk Identity


Windows Cloud Agent


Windows Device Trust


Mac Cloud Agent


Mac Device Trust


Android CyberArk Identity mobile app


iOS CyberArk Identity mobile app


Windows CyberArk Authenticator


Mac CyberArk Authenticator


Browser Extensions




Browser support

This version of CyberArk Identity has been tested with the following browsers:



Internet Explorer

Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8

Microsoft Edge

Latest version available at release

Mozilla Firefox

Latest version available at release

Google Chrome

Latest version available at release

Apple Safari


For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Manage credentials with Workforce Password Management).

On devices, the CyberArk Identity mobile app opens the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app opens the application in its built-in browser.

CyberArk Identity Browser Extension support

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict CyberArk Identity Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

  • Microsoft .NET Framework 4.6.2 or later
  • Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.


(latest available at release)

(latest available at release)


Form filling Yes Yes


App capture Not supported Yes

Not supported

Land and Catch Yes Yes


App Launch Yes Yes


Device support

CyberArk Identity supports enrollment of the following devices.

The purpose of the cloud agent is to enforce authentication profiles; it’s only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents are not listening to system events or otherwise consuming endpoint resources after the user logs in.

Operating System

Versions supported


10, 11, Server 2012 R2, Server 2016, Server 2019 and Server 2022

Desktop Experience is required for Windows servers.


10.13, 10.14, 10.15, 11, 12


11.x and later


13.x and later


5.x and later


8.x and later

The CyberArk Identity mobile app is not available in the following countries.

  • Cuba

  • Iran

  • Lebanon

  • North Korea

  • Sudan

  • Syria

  • Iraq

  • Libya

  • Palestinian Authority territories

    • West Bank, including East Jerusalem

    • Gaza Strip

Language support

Foreign language support is provided for the following components:

  • CyberArk Identity User Portal help -- Japanese only
  • User Portal text strings
  • Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and CyberArk Identity system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account > Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

  1. Log in to the Admin Portal.
  2. Click Access > Policies > Select the relevant policy.
  3. Click User Security Policies > User Account Settings.
  4. Select the default language in the Default Language drop-down list.
  5. Click Save.

In this release, translations are provided for the following languages:

  • Arabic
  • Brazilian Portuguese
  • Chinese—Simplified and Traditional
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Portuguese
  • Russian
  • Serbian
  • Spanish
  • Swedish
  • Thai
  • Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

Known issues

Issue Workaround

Windows Cloud Agent

With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

Mac Cloud Agent

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After you make these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.

The MFA login screen shows “Phone Call” more than once if the user has multiple phone numbers configured.


The Mac Cloud Agent cannot be updated from the UI.

Workaround: Go to the User Portal or the Admin Portal to download the latest agent.

Reopen the Mac Cloud Agent and note that the agent is updated to the latest version.

Self-service account unlock is not currently supported.


Users might not be able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).


A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

Apple Watch unlock is not compatible with the MFA lock screen policy.

Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac.

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.


Mobile applications

For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated.

Use only the 'Standard' display mode.

On iPadOS, scanning the QR code from the CyberArk Identity mobile app loads a signin page instead of starting enrollment.

Scan the QR code from the device camera app instead of the CyberArk Identity mobile app. In addition, make sure Safari is not configured to request the desktop site.

If the iPhone app (or the push authenticator) is locked using biometrics or a PIN, then Apple Watch approval shows an error message.


Users can sign in to the Apple Watch only after the first notification is delivered to the watch.


Workforce Password Management

When importing files from external credential managers, files that contain duplicate records cannot be uploaded, and the error message "File contains duplicate records" is displayed. The import only happens if all records are unique.