CyberArk Identity Release Notes

Release 22.1 (available January 21, 2022) introduces the following changes.

Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

New features

The following new features are available starting in 22.1.

Feature Description

Workforce Password Management

Store shared credentials for admin-deployed user password apps in your self-hosted PAM vault.

Previously, when you deployed a user password application with the option All users share one name selected on the Account Mapping tab, the shared credentials were stored in the CyberArk Identity cloud. In this release, you can securely store these credentials in your self-hosted PAS vault. As an additional security measure, end users cannot view, change, or share vault-stored credentials.

This feature requires you to configure your tenant to communicate with the self-hosted PAM vault. Refer to Manage business application credentials in CyberArk PAM (Workforce Password Management) for more detail on how to configure your tenant with PAM.

  • Automatic migration for apps that currently store credentials in the CyberArk Identity cloud is not supported.

  • You can't switch between storing credentials in self-hosted PAM and the CyberArk Identity cloud without losing access to stored credentials; you will have to save them again.

Share User Password application credentials that are stored in self-hosted PAM

Previously, end users could only share their personally added or captured applications with other users if the credentials were stored in the CyberArk Identity cloud. In this release, end users can securely share their personally added or captured applications with other users if the credentials are stored in self-hosted PAM.

For example, a team lead can now share their personally added application credentials with their team members, grant permissions to view or edit the application credentials, and revoke access to the shared application at any time without requiring assistance from the administrator.

As an added security measure, an administrator can configure all such shared applications to require that share recipients prove their identity using MFA before they can launch, view, or edit the credentials.

Refer to Configure users to share business application credentials and Share business application credentials for more information.

Transfer ownership of shared applications when credentials are stored in self-hosted PAM.

CyberArk Identity enables application owners (end users who have added a username and password application to their user portal) to securely manage shared access to their business apps.

With this release, you can configure CyberArk Identity to transfer ownership of a specific shared application to another user if the original application owner is deprovisioned from CyberArk Identity. This ensures uninterrupted access to username and password apps even when the user that initially added and shared the application leaves the company.

Refer to Configure users to share business application credentials for more information.

Multi-Factor Authentication

Authentication profile scoring based on NIST AAL standards.

You can now see your Authenticator Assurance Level (AAL) minimum and maximum scores in the authentication profile as you select authentication mechanisms. This simplifies configuring MFA to meet industry best practices.

Refer to Create authentication profiles for more details.

Developer enablement

QR code authenticator and push notifications in iOS and Android SDKs

Quickly embed secure, adaptive, and out-of-band factors like QR code and mobile push notification using the iOS or Android SDK. Also leverage native biometric (for example, Fingerprint on Android). The SDK allows you to secure the entry to apps or step-up workflows within apps while maintaining your own branding​.

Leverage the iOS and Android sample apps to accelerate the development process.

This feature was previously an Early Access feature, and is now generally available.

Refer to the following links for more information.

Developer documentation


Java-Angular sample web app

This Java-Angular sample web app enables developers to explore CyberArk Identity. The sample web app uses the CyberArk Identity Java SDK integrated to the Java Spring Boot for the back-end and Angular for front-end UI.

To access the sample web app

  1. Download the web app from

  2. Setup the prerequisites as described in

  3. Explore the CyberArk Identity API, OAuth, and OIDC integrations.

This feature was previously an Early Access feature, and is now generally available.

Java SDK for web apps

Quickly integrate your web app with CyberArk Identity to perform authentication and authorization of users by leveraging the OAuth/OIDC protocols using the Java SDK.

Refer to for more information.

Improvements and behavior changes

This release includes the following product improvement.

Improvement Description


Rebranded Corporate IP range to Secure Zones

In the Admin Portal, Settings > Network > Corporate IP Range is now Settings > Network > Secure Zones.

The purpose of this change is to better reflect the full scope of the feature, as you can also specify external IP addresses or ranges when you define a Secure Zone.

Refer to Define Secure Zones for more information.

macOS endpoints

Added suport for macOS 12 (Monterey)

Mac Device Trust and the Mac Cloud Agent now support macOS 12.

Munki is not support by the Mac Cloud Agent and macOS 12.

User interface

New logos

The User Portal, Admin Portal, and User Behavior Analytics portal feature updated logos for more consistency with other CyberArk products. In addition, the Getting Started wizard features a new logo.

CyberArk Identity mobile apps

Added a new policy setting that can limit sharing of mobile device details

This enhancement adds a policy setting to control whether to report the following device details to the cloud, as these details can be considered personally identifiable information.

  • Model name and number

  • Battery level

This is to enable customers to comply with data privacy requirements from regulations such as GDPR.

Refer to Restrictions Settings for more information.

Added a new policy setting to configure the CyberArk Identity mobile app landing screen

This enhancement adds a policy setting to configure the landing screen (starting screen) for the CyberArk Identity mobile app for both iOS and Android. This allows you to reduce the number of taps needed to navigate to commonly used features.

You can configure any of the following screens as the landing screen.

  • Web Apps

  • Passcodes

  • QR Code Authenticator

  • Push Notifications

Updated the CyberArk Identity mobile apps for more UI consistency with other CyberArk products

Color schemes, navigation, field styles, and more were updated to better align with CyberArk UI standards. Functionality is unchanged by this update.

Click here for more information.

User Portal

Changed the Secure Web Sessions icon

User Portal applications with Secure Web Sessions enabled now show the following icon.

Early access features

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

Feature Description

Initial release version


New Authentication Widget Builder

This feature enables you to create a widget and visualize the preview of the widget before using it.


Progressive migration of passwords using code plugin

This feature enables you to progressively migrate hashed passwords from their legacy stores to CyberArk Identity by providing an inline legacy authentication hook into the CyberArk Identity authentication process.


User interface


Updated User Portal design

The User Portal app tiles feature an updated design. The new tiles are larger in size and include an updated notification area. Icons in the notification area alert users if the application is new, any user action is required, the application uses shared credentials, or if the application is protected by Secure Web Sessions.


Android mobile application

Support for push notifications on the Android mobile app for users in China

This feature enables users who don't have access to Google services, like users in China, to explicitly fetch the push notifications and policy updates sent by CyberArk Identity.

Contact your CyberArk account representative to enable this feature if you have users without access to Google services.

Refer to Download the CyberArk Identity mobile app for Android and CyberArk Identity-SDK for-Android for more information.



Windows and Mac Device Trust

The CyberArk IdentityWindows Device Trust and Mac Device Trust prevent untrusted computers from accessing the CyberArk Identity portals or web applications using authentication certificates as a conditional access mechanism. This provides additional device trust to identity and access policies.

The Windows Device Trust is available for AD-joined devices and users must first be validated using IWA authentication. The Windows Device Trust is available in the Admin Portal > Downloads.

The CyberArk IdentityMac Device Trust is available for AD-joined devices and non AD-joined devices, and is deployed with Jamf Pro.

Additional enhancements include:

  • New functionality (Revoke, Issue, Renew, and Lifetime ) has been added for certificate management for Windows Cloud Agent and Windows Device Trust. This is available in the Admin Portal > Settings > Endpoints, select an endpoint then go to the Certificates tab.

  • Integrations in the Admin Portal > Settings > Endpoints has been renamed to Device Trust.

Refer to CyberArk Identity Mac Device Trust and CyberArk Identity Windows Device Trust for more information.

Mac - 21.9

Windows - 21.5

New Single Sign-On templates

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

Refer to Recent SSO application templates for a list of recently added templates.

Android CyberArk Identity mobile app support changes

The policy setting to Encrypt internal onboard storage (Endpoint policies > Common settings > mobile settings > common > Encrypt internal onboard storage) will be removed in an upcoming CyberArk Identity release. CyberArk is removing this policy setting because encrypting internal storage has been the default behavior starting with Android 5. After the policy setting is removed, it won't be possible to enroll Android 4.4.4 and older devices.

Currently, enrollment of Android 4.4.4 and older devices is still possible, even though CyberArk only supports Android 8 or newer.

Component versions

Refer to the following table for a list of component versions in the latest release:



CyberArk Identity


Windows Cloud Agent


Windows Device Trust


Mac Cloud Agent


Mac Device Trust


Android CyberArk Identity mobile app


iOS CyberArk Identity mobile app


Windows CyberArk Authenticator


Mac CyberArk Authenticator


Browser Extensions




Browser support

This version of CyberArk Identity has been tested with the following browsers:



Internet Explorer

Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8

Microsoft Edge

latest version available at release

Mozilla Firefox

latest version available at release

Google Chrome

latest version available at release

Apple Safari


For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Use the CyberArk Identity Browser Extension).

On devices, the CyberArk Identity mobile app and Idaptive for KNOX open the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app and Idaptive for KNOX open the application in its built-in browser.

CyberArk Identity Browser Extension support

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict CyberArk Identity Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

  • Microsoft .NET Framework 4.6.2 or later
  • Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.


(latest available at release)

(latest available at release)


Form filling Yes Yes


App capture Not supported Yes

Not supported

Land and Catch Yes Yes


App Launch Yes Yes


Device support

If you are using CyberArk Identity for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The purpose of the cloud agent is to enforce authentication profiles; it’s only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents are not listening to system events or otherwise consuming endpoint resources after the user logs in.

Operating System

Versions supported


10, Server 2016, Server 2019

Desktop Experience is required for Windows servers.


10.13, 10.14, 10.15, 11, 12


11.x and later


13.x and later


5.x and later


8.x and later

Language support

Foreign language support is provided for the following components:

  • CyberArk Identity User Portal help -- Japanese only
  • User Portal text strings.
  • Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and CyberArk Identity system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account > Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

  1. Log-in to the Admin Portal.
  2. Click Access > Policies > Select the relevant policy.
  3. Click User Security Policies > User Account Settings.
  4. Select the default language in the Default Language drop-down list.
  5. Click Save.

In this release, translations are provided for the following languages:

  • Arabic
  • Brazilian Portuguese
  • Chinese—Simplified and Traditional
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Portuguese
  • Russian
  • Serbian
  • Spanish
  • Swedish
  • Thai
  • Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

Known issues

Issue Workaround

General platform

When you create a Role and add members before saving the Role, the members are not saved.

Create and save the Role, then add members to the Role and save it again.

Windows Cloud Agent

With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using an Idaptive directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

Mac Cloud Agent

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After making these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.

The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured.


The Mac Cloud Agent cannot be updated from the UI.

WorkAround: Go to the User Portal or the Admin Portal to download the latest agent.

Reopen the Mac Cloud Agent and note the agent is updated to the latest version.

Self-service account unlock is not currently supported.


User may not able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location.Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).


A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

Apple Watch unlock is not compatible with the MFA lock screen policy

Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

Idaptive Menu Item is not removed from the UI after unenrolling until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.


Mobile applications

If the iPhone app (or the push authenticator) is locked using biometric or pin, then Apple Watch approval shows an error message.


Users can sign in to the Apple watch only after the first notification is delivered to the watch.