CyberArk Identity Release Notes
Release 22.11 (available November 9, 2022) introduces the following changes.
See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.
Changelog
We made the following updates to the release notes after the release, based on new information.
Change | Date |
---|---|
| December 9, 2022 |
Hotfixes
The following table lists changes made as hotfixes to the 22.11 release.
Hotfix versions | Change(s) |
---|---|
22.11.208 | |
What's new
The following new features are available.
Feature | Description |
---|---|
Authentication | |
Access Orchestrator | The Access Orchestrator enables you to create rules-based authentication requirements using a logic flowchart. This improves the user experience by making it easier to visualize how the authentication rules impact users trying to access the CyberArk Identity User Portal or launch a web app from the User Portal. In addition, you can use a logic flowchart to create a dynamic authentication profile. This simplifies creating authentication profiles that meet your organizational best practices. For more information, see Create custom authentication with the Access Orchestrator. |
MFA Fatigue report | This built-in report provides a view into potential MFA Fatigue/Bombing attacks, in which an attacker sends multiple MFA requests and hopes the user approves one of them. The report shows the number of denials and approvals of CyberArk Identity mobile push notification requests for a defined time period. |
Endpoints | |
Support for macOS Ventura | Release 22.11 will support macOS Ventura in Mac Cloud Agent and Mac Device Trust. |
Fixed issues
Issue | Description |
---|---|
Assignment of groups to users was not working as part of SCIM-based user provisioning from third-party Identity Providers to CyberArk Identity. | The issue is fixed. Modifications to PUT Groups operations have been made. |
Unable to use the Multi-factor Authentication (MFA) drop-down menu | The issue is fixed. Previously, when the user clicked the drop-down menu to use MFA on the login page, the menu did not appear. |
A federated user who signs in to the User Portal from an identity provider to a service provider is unable to edit the Additional Attribute name and value. | The issue is fixed. |
Early access features
Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.
Contact your account representative to enable early access features.
The following table describes features that are currently in an early access state.
Feature | Description | Initial release version |
---|---|---|
Customer Identity | | |
User Portal navigation | This feature enables a user to navigate back to a customer website from the CyberArk Identity User Portal after performing self-service actions such as configuring MFA or updating their personal profile. | 22.11 |
User Portal customization and branding | You can customize and brand the CyberArk Identity User Portal to meet the needs of your organization. Users who navigate to the portal from external applications for self-service profile management and authentication factor enrollment can then see your company's specific branding. The following customizations are available: | 22.9 |
Monthly Active Users report and alerts | The Monthly Active Users (MAU) report is a built-in report that provides an overview of the MAU quota purchased, and the number of active users per month who have logged in or signed up to CyberArk Identity or an external app for the selected period. This report now indicates whether your purchased MAU plans are active or completed, and the number of remaining and consumed MAU reports for each plan. Administrators receive an email notification when the remaining MAUs drop below a configured percentage. The default is 30%. | 22.9 |
Developer experience | | |
Generate scoped access token | You can use an OpenID Connect app to acquire both an ID Token and a scoped access token using a single API call, thereby reducing the complexity of integrating with CyberArk Identity through the OIDC protocol. The scoped access tokens in an OIDC app can help developers use both OIDC and OAuth features from a single authorization server endpoint. In the CyberArk Identity Admin Portal, you can configure specific types of authorization scopes. For example, scopes can access APIs or retrieve custom claims that are part of the ID Token. You can also configure scopes to require user consent. | 22.4 |
User interface | | |
Updated design in Application tile | The design is updated for the app tiles. A new Shared icon has been introduced in the app tile. You can view this icon on the lower right of the app tile. You can view all other icons on the lower right of the tile except the New and Error icons. | 22.2 |
Enhanced interface in Applications | This enhancement enables you to customize tabs in the applications based on your requirements. You can perform the following actions in the User Portal: A new drop-down has been introduced, which enables you to sort all applications. See Manage web apps for more information. | 22.2 |
Additional enhancements to the Applications interface in the User Portal | This release adds the following enhancements to the Applications interface in the User Portal. | 22.3 |
Authentication | | |
Attribute mapping in external IDP federation | This feature enables any federated user attribute to be mapped with any attribute of an AD user or CyberArk Cloud Directory user. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account. | 22.11 |
Sign in APIs now support multiple identifiers | CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number. If an email address or phone number is used in multiple user accounts, sign-in will fail. | 22.3 |
New Single Sign-On templates
New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.
See Recent SSO application templates for a list of recently added templates.
Component versions
See the following table for a list of component versions in the latest release:
Component | Version |
---|---|
CyberArk Identity | 22.11.207 |
User Behavior Analytics | 22.11.205 |
Windows Cloud Agent | 22.11.207 |
Windows Device Trust | 22.11.207 |
Mac Cloud Agent | 22.11-207 |
Mac Device Trust | 22.11.207 |
Android CyberArk Identity mobile app | 22.10-102 |
iOS CyberArk Identity mobile app | 22.10-110 |
Windows CyberArk Authenticator | 22.11.207 |
Mac CyberArk Authenticator | 22.11.207 |
Browser Extension - Chrome | 22.11.2 |
Browser Extension - Edge Chromium | 22.11.2 |
Browser Extension - Firefox | 22.11.3 |
Connector | 22.11.207 |
Known issues
Issue | Workaround |
---|---|
Customer Identity | |
The app-level MFA doesn't work with the RP-initiated login using embedded widgets. | None |
When setting the mobile number in the Authentication Setup page, the UI keeps loading when you click Done without any input. This happens only when the User Portal Back Navigation is configured for the tenant. See Edit the fields under User Portal Back Navigation for more information. | In the Admin Portal, select the relevant policy, go to User Security Policies > User Account Settings, then select No from the Prompt users to set up mobile number on login drop-down list. |
The screen view is truncated when you click the pin in the left navigation pane. | Refresh the browser to view the screen. |
Inbound Provisioning | |
Just in Time (JIT) syncs in the configuration of Workday to Cloud, followed by Cloud to AD, are not triggered. | Set the scheduled incremental syncs interval to 10 minutes for Cloud to AD to capture any changes not synced by JIT. |
Single Sign-On | |
In addition to launching applications from the User Portal or CyberArk Identity Browser Extension, users can go directly to the web application and click the CyberArk icon next to the login form fields to fill in the username and password and log in automatically. This feature currently does not work due to a known issue and will be fixed in a subsequent release. | Users can still successfully launch the apps directly from the User Portal, from the Browser Extension, or copy the username and password of the application from the Browser Extension context menu. |
Windows Cloud Agent | |
With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection. | |
Mac Cloud Agent | |
The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device. | |
The MFA login screen shows “Phone Call” more than once if the user has multiple phone numbers configured. | None |
The Mac Cloud Agent cannot be updated from the UI. | Workaround: Go to the User Portal or the Admin Portal to download the latest agent. Reopen the Mac Cloud Agent and note that the agent is updated to the latest version. |
Self-service account unlock is not currently supported. | None |
Users may not be able to see the device location. | Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again. |
Mac login MFA options show FIDO2 and RADIUS if they were configured in the authentication profile; however, these MFA challenges are currently not supported. | Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user. |
The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login. | Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line. |
When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1). | None |
A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices. | To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password. |
The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart. You might receive a certificate error during munkiimport after tenant migration. | Workaround: Re-enroll the Mac. |
The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP. | None |
Mobile applications | |
For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated. | Use only the 'Standard' display mode. |
System requirements
See System requirements and supported browsers for more information about browser and device support.