CyberArk Identity Release Notes

Release 21.7.146 (available July 16, 2021) introduces the following changes. Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

New features

The following new features are available in this release.

Multi-Factor Authentication

Multi-Factor Authentication mechanism compliance reporting

Authentication Mechanisms on the Authentication Profile are now separated by the following categories:

  • Something you have

  • Something you are

  • Something you know

Select mechanisms from two or more of these categories to maximize security and ensure true multi-factor authentication, as defined by National Institute of Standards and Technology (NIST).

In addition, new built-in reports are available to help you establish authentication compliance with your organization's MFA and self-service policies, or with third-party guidelines such as those provided by NIST.

Refer to Create authentication profiles and Establish authentication compliance for more detail.

General platform

CyberArk Identity Password Generator

The CyberArk Identity Browser Extension now features a Password Generator so users can easily generate secure and unique passwords for use with business applications, which can be stored and replayed upon subsequent access. This reduces password-related security threats by removing the incentive for users to reuse weak (but easily remembered) passwords, while simplifying application access user experience.

Refer to Generate strong passwords with the CyberArk Identity Password Generator for more detail.

Lifecycle Management

Standards-based interfaces to manage privileged accounts in CyberArk Privileged Access Security

CyberArk Identity currently supports SCIM (System for Cross-domain Identity Management) server interfaces to manage users and groups in its CyberArk Cloud Directory and privileged accounts and objects in CyberArk Privilege Cloud. This interface now extends support for the management of privileged accounts and objects in self-hosted CyberArk Privileged Access Security without requiring a VPN connection.

The new SCIM endpoints facilitate integration of 3rd party SCIM Client compliant Identity Governance and Administration (IGA) platforms (such as SailPoint) to simplify and automate the lifecycle management of privileged accounts. A built-in Administrative Right called Vault Management is available to grant the SCIM clients permissions to manage objects in PAS.

This feature is available in conjunction with the Privileged Access Security 12.1 release or later. The PVWA (Password Vault Web Access) component version in PAS should be 12.2 or later.


CyberArk Identity Verification integration

    An Identity Verification (IDV) workflow is now available using third-party identity proofing solutions and provides seamless identity verification as part of a CyberArk Identity sign-up workflow. IDV solutions can be integrated into the user sign-up workflow to recognize high-risk users and take appropriate actions based on your specific configuration to prevent identity fraud. Currently, CyberArk Identity supports Ekata as a third-party Identity Verification solution.

    Refer to Configure an Identity Verification workflow.

Improvements and behavior changes

This release includes the following product improvements.

General platform

  • Trial tenants have self-service password reset (SSPR) enabled by default. Trial users receive an email confirmation challenge before they can change their password.

  • Added one-click copy icons to the User Name and URL fields from user password apps in the User Portal. This improvement simplifies copying values from generic user password apps migrated from PVWA to business application sign in pages so Land & Catch can add the application to the CyberArk Identity User Portal, enabling credential auto fill.

Mobile applications

Updated product branding for the iOS and Android mobile apps

To create a more consistent product experience, the iOS and Android mobile applications branding now reflects CyberArk Identity instead of Idaptive. This change impacts the UI of the apps as well as the presentation in Apple's App Store and the Google Play app store. This change does not impact functionality.

Early access features

The following features are available to customers that want to try out early access features in their testing environment prior to general availability. Early access features may have limited functionality and may change prior to the product release date. Since early access features are still considered to be under development, product documentation may not be complete.

In order to enable an early access feature, you need to contact your CyberArk account representative.

General platform

  • Custom domains URLs

    CyberArk Identity now supports creating custom domains and mapping it to the CyberArk root tenant URL. For example, you can create the custom domain and map it to (root tenant URL). This allows you to completely customize the sign in experience so your users sign in through your domain. Contact your CyberArk account representative to enable this feature.

    Refer to Configure a custom domain.

Component versions

This release includes the following components:



Windows Cloud Agent


Windows Device Trust Agent


Mac Cloud Agent


Android CyberArk Identity mobile app


iOS CyberArk Identity mobile app


Windows CyberArk Authenticator


Mac CyberArk Authenticator


Browser Extensions




Browser support

This version of CyberArk Identity has been tested with the following browsers:



Internet Explorer

Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8

Microsoft Edge

latest version available at release

Mozilla Firefox

latest version available at release

Google Chrome

latest version available at release

Apple Safari


For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see How to install the CyberArk Identity Browser Extension).

On devices, the CyberArk Identity mobile app and Idaptive for KNOX open the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app and Idaptive for KNOX open the application in its built-in browser.

CyberArk Identity Browser Extension support

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features.Refer to Restrict CyberArk Identity Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

  • Microsoft .NET Framework 4.6.2 or later
  • Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.


(latest available at release)

(latest available at release)


Form filling Yes Yes


App capture Not supported Yes

Not supported

Land and Catch Yes Yes


App Launch Yes Yes


Device support

If you are using CyberArk Identity for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The purpose of the cloud agent is to enforce authentication profiles; it’s only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents are not listening to system events or otherwise consuming endpoint resources after the user logs in.

Operating System

Versions supported


10, Server 2016, Server 2019


10.13, 10.14, 10.15, 11


11.x and above

Devices using iOS 10 can still be enrolled and will be supported, but you cannot update the CyberArk Identity client beyond version 19.518.3.


13.x and above


5.0 or later

Samsung KNOX Enterprise SDK

3.x or later

Language support

Foreign language support is provided for the following components:

  • CyberArk Identity user portal help -- Japanese only
  • User portal text strings.
  • Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and CyberArk Identity system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account > Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

  1. Log-in to the Admin Portal.
  2. Click Access > Policies > Select the relevant policy.
  3. Click User Security Policies > User Account Settings.
  4. Select the default language in the Default Language drop-down list.
  5. Click Save.

In this release, translations are provided for the following languages:

  • Arabic
  • Brazilian Portuguese
  • Chinese—Simplified and Traditional
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Portuguese
  • Russian
  • Serbian
  • Spanish
  • Swedish
  • Thai
  • Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

Known issues

Windows Cloud Agent

Mac Cloud Agent

  • The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.


    1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

    2. Click Open on the warning screen that appears.

      After making these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.

  • The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured.

  • The Mac Cloud Agent cannot be updated from the UI.

    WorkAround1 : Go to the user portal or admin portal to download the latest agent.

    Workaround 2: Click the Update button on the top menu, then click latest agent version. When you see the message "Failed to connect to launch...", click OK, then close the application.

    Reopen the Mac Cloud Agent and note the agent is updated to the latest version.

  • Self-service account unlock is not supported in this release.

  • User may not able to see the device location.

    WorkAround: Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location.Then unenroll the user and enroll again.

  • Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

    Workaround: Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

  • The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

    Workaround: Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

  • When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).

  • A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

    Workaround: To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

  • Apple Watch unlock is not compatible with the MFA lock screen policy

    Workaround: Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

  • Idaptive Menu Item is not removed from the UI after unenrolling until the next login or restart.

    You might receive a certificate error during munkiimport after tenant migration.

    Workaround: Re-enroll the Mac

  • MFA Lockscreen is disabled in macOS 10.15 due to an Apple bug which we expect will be fixed in an upcoming patch release. For the 19.6 Mac Cloud Agent, the normal macOS lock screen with password will be shown.

  • The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.

iOS client

Derived credentials functionality for iOS devices is not available in 20.2. The existing devices already enrolled for derived credentials will continue to work, but no new devices will be able to setup derived credentials. We'll be adding this functionality back in an upcoming release.