CyberArk Identity Release Notes
Release 22.9 (available September 9, 2022) introduces the following changes.
See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.
Planned changes
Changes to the default access URL format
In the CyberArk Identity mobile app, the default access URL format was changed to https://cloud.pod.id.cyberark.cloud/ in the 22.6 release. This URL works, but unfortunately the change was not communicated beforehand. For this reason, we will revert the default URL format back to https://cloud.idaptive.app in the 22.10 release due in October. Both URL formats will continue to function without disrupting services, as long as these URLs are accessible from mobile devices.
Hotfixes
The following table lists changes made as hotfixes to the 22.9 release.
|
Hotfix versions |
Change(s) |
|---|---|
|
22.9-216 |
Fixed a performance issue with SAML scripts that use the LoginUser.GroupNames object. |
Impact of Microsoft deprecating Basic Authentication
The Microsoft announcement regarding deprecation of Basic Authentication as documented at https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online only disables Basic Authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. This change for the above services by Microsoft does not affect the Office 365 or Azure Portal applications in the CyberArk Identity App Catalog and their functionality. CyberArk uses Microsoft's Provisioning Web Client as the backend tool when using Basic Authentication and Microsoft's Graph API when using Token-Based Authentication for Office 365 and Azure Portal applications for authentication and provisioning. See the following article for more details on this: https://cyberark-customers.force.com/s/article/Basic-Auth-Deprecation.
Though basic authentication for CyberArk integration with O365 will continue to be supported, for various security reasons listed in the Microsoft article, CyberArk strongly recommends that customers migrate to the more modern and secure token-based authentication.
New features
The following new features are available.
| Feature | Description |
|---|---|
Workforce Password Management |
|
|
Transfer ownership of Secured Items |
Previous releases allowed you to transfer ownership of shared application credentials from an application owner (the user who added an application credential and shared access of that credential with other users) to another user. Now you can also transfer ownership of shared Secured Items and shared application credentials to another user even after the original owner has been deprovisioned from CyberArk Identity. This feature ensures uninterrupted access to Secured Items and application credentials even after the user who initially added and shared the application or Secured Item leaves the enterprise. For details, see Transfer Ownership of a Secured Item. |
Authentication |
|
|
Enable Password never expires for bulk user import |
You can configure passwords to never expire when you bulk import users to CyberArk Identity. This setting is disabled by default. |
Secure Web Sessions |
|
|
See What's New for more details on upgrade notes and backwards compatibility. |
|
|
Two new APIs are available to enable Secure Web Sessions (SWS) customers to GET a list of all recordings within a certain time frame (GET SWS Recordings), and to GET the specific steps taken in a particular session (GET SWS recordings by ID). These APIs allow you to pull specific session details and can enable integration with other security tools such as SIEM. For details, see API commands. |
|
|
You can apply SWS protections directly to third-party IdP SSO sessions, without requiring CyberArk Identity SSO. This feature streamlines setup, maintenance, licensing, and provides an easier user experience with less actions. For details, see Configure SWS protections for applications. |
|
|
New download details, clipboard action, and blocked Session Protection event auditing |
SWS now provides visibility and auditing for user downloads and clipboard actions taken in any web-session secured with Step Recording. In addition, SWS session details now include events for any user actions that were blocked by Session Protection. For details on the auditor workflow, see Access session recordings. |
Identity Compliance (new) |
|
|
Identity Compliance service |
CyberArk Identity Compliance, another addition to our Software-as-a-Service (SaaS) portfolio, helps you to continuously review users' access to ensure that access privileges are relevant and comply with your organization’s access requirements. CyberArk Identity Compliance provides a single view of who has access to what and makes it easier for organizations to enforce and demonstrate compliance by continuously discovering workforce and privileged access, streamlining access certifications, and providing comprehensive identity analytics. See your Identity Compliance documentation for details. |
Endpoints |
|
|
Support for Windows Device Trust |
You can leverage Integrated Windows Authentication (IWA) to drop and maintain a trust certificate on Windows devices. The certificate ensures that sensitive applications are accessed only from trusted Windows devices. Trust validation can be performed even when a device is remote and not visible to the domain controller. This feature is now generally available. |
|
Support for Mac Device Trust |
You can leverage Jamf mobile device management (MDM) to drop and maintain a trust certificate on managed Mac devices. The certificate ensures that sensitive applications are only accessed from Jamf-managed Mac devices. This feature is now generally available. |
Mobile Applications |
|
|
Fetch notifications and updates from CyberArk Identity |
Users who cannot access Google services, for example users in China, can now explicitly fetch the push notifications and policy updates sent by CyberArk Identity. This feature is now generally available. |
|
Control mobile authentication on Apple watches |
You can use policy to control whether push authentications and passcodes are available on Apple watches. |
Improvements and behavior changes
This release includes the following product improvements.
| Improvement | Description |
|---|---|
Authentication |
|
|
Copying a password from the CyberArk Identity Browser Extension now adheres to the view/copy passwords policy. |
You can disable Copy Password for users from the Browser Extension or the browser context menu using the policy Allow users to view/copy personal passwords available at Core Services > Policies > Application Policies. |
Fixed Issues
| Issue | Description |
|---|---|
|
On iPadOS, scanning the QR code from the CyberArk Identity mobile app loads a sign-in page instead of starting enrollment. |
This issue is fixed. |
|
While importing files from external credential mangers, for files with duplicate records, the files cannot be uploaded and an error message is displayed saying "File contains duplicate records". The import only happens if the records are all unique. |
This issue is fixed. |
Early access features
Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.
Contact your account representative to enable early access features.
The following table describes features that are currently in an early access state.
| Feature | Description |
Initial release version |
|---|---|---|
Customer Identity |
||
|
User portal customization and branding |
You can customize and brand the CyberArk Identity User Portal to meet the needs of your organization. Users who navigate to the portal from external applications for self-service profile management and factor enrollment can then see your company's specific branding. The following customizations are available:
|
22.9 |
Licensing |
|
|
|
Monthly Active Users report and alerts |
The Monthly Active Users (MAU) report is a built-in report that provides an overview of the MAU quota purchased, and the number of active users per month who have logged in or signed up to CyberArk Identity or an external app for the selected period. This report now indicates whether your purchased MAU plans are active or completed, and the number of remaining and consumed MAU reports for each plan. Administrators receive an email notification when the remaining MAUs drop below a configured percentage. The default is 30%. |
22.9 |
Developer experience |
||
|
Generate scoped access token |
You can use an OpenID Connect app to acquire both an ID Token and a scoped access token using a single API call, thereby reducing the complexity of integrating with CyberArk Identity through the OIDC protocol. The scoped access tokens in OIDC app can help developers use both OIDC and OAuth features from a single authorization server endpoint. In the CyberArk Identity Admin Portal, you can configure specific types of authorization scopes. For example, scopes can access APIs or retrieve custom claims that are part of ID Token. You can also configure scopes to require user consent. |
22.4 |
User interface |
|
|
|
Updated design in Application tile |
The design is updated for the app tiles. A new Shared icon has been introduced in the app tile. You can view this icon on the lower right of the app tile. You can view all other icons on the lower right of the tile except the New and Error icons.
|
22.2 |
|
Enhanced interface in Applications |
This enhancement enables you to customize tabs in the applications based on your requirements. You can perform the following actions in the User Portal:
A new drop-down has been introduced, which enables you to sort all applications.
See Organize your applications for more information. |
22.2 |
|
Additional enhancements to the Applications interface in the User Portal |
This release adds the following enhancements to the Applications interface in the User Portal.
|
22.3 |
Authentication |
||
|
Create and apply access requests with the Access Orchestrator |
You can now use Access Orchestrator to create authentication request flows with challenge dependencies. With this new feature, the end user’s second challenge is contingent on their first challenge selection, which allows a stricter way to enforce a secure authentication process and comply with industry standards. See Create access requests with the Access Orchestrator for more information. |
22.7 |
|
Sign in APIs now support multiple identifiers |
CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number. If an email address or phone number is used in multiple user accounts, signin will fail.
|
22.3 |
Mobile Applications |
||
|
Number matching implementation to prevent accidental push approvals (push fatigue) and push attacks |
This feature enables users to prevent accidental or habitual push approvals and fraudulent push attacks. If a push approval is sent, this feature prompts the user to tap on a number that matches to the one that is displayed on the Login screen and the authenticator app screen alike. This adds an additional confirmation from the end user when a push notification is sent. |
22.6 |
New Single Sign-On templates
New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.
See Recent SSO application templates for a list of recently added templates.
Component versions
See the following table for a list of component versions in the latest release:
|
Component |
Version |
|---|---|
|
CyberArk Identity |
22.9-215 |
|
User Behavior Analytics |
22.9-203 |
|
Windows Cloud Agent |
22.9.215 |
|
Windows Device Trust |
22.9-215 |
|
Mac Cloud Agent |
22.9-215 |
|
Mac Device Trust |
22.9-215 |
|
Android CyberArk Identity mobile app |
22.9-100 |
|
iOS CyberArk Identity mobile app |
22.9-111 |
|
Windows CyberArk Authenticator |
22.9.215 |
|
Mac CyberArk Authenticator |
22.9-215 |
|
Browser Extension - Chrome |
22.9.2 |
|
Browser Extension - Edge Chromium |
22.9.2 |
|
Browser Extension - Firefox |
22.9.3 |
|
Connector |
22.9-215 |
Browser support
This version of CyberArk Identity has been tested with the following browsers:
|
Browser |
Version |
|---|---|
|
Internet Explorer |
Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8 |
|
Microsoft Edge |
Latest version available at release |
|
Mozilla Firefox |
Latest version available at release |
|
Google Chrome |
Latest version available at release |
|
Apple Safari |
11 |
For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Manage credentials with Workforce Password Management).
On devices, the CyberArk Identity mobile app opens the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app opens the application in its built-in browser.
CyberArk Identity Browser Extension support
The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.
Users restricted to old versions of the Browser Extension will not benefit from updates and new features. SeeSend feedback for more information.
Computers must meet the following requirements to install the Browser Extension.
- Microsoft .NET Framework 4.6.2 or later
- Microsoft Installer 3.1 or later
In addition, browser support for the Browser Extension features is indicated in the following table.
|
|
Chrome |
Firefox |
Edge |
|---|---|---|---|
| Form filling | Yes | Yes |
Yes |
| App capture | Not supported | Yes |
Not supported |
| Land and Catch | Yes | Yes |
Yes |
| App Launch | Yes | Yes |
Yes |
Device support
CyberArk Identity supports enrollment of the following devices.
|
Operating System |
Versions supported |
|---|---|
|
Windows |
10, 11, Server 2012 R2, Server 2016, Server 2019 and Server 2022 Desktop Experience is required for Windows servers.
|
|
macOS |
10.15, 11, 12 |
|
iOS |
13.x and later |
|
iPadOS |
13.x and later |
|
watchOS |
6.x and later |
|
Android |
10.x and later |
The CyberArk Identity mobile app is not available in the following countries.
-
Cuba
-
Iran
-
Lebanon
-
North Korea
-
Sudan
-
Syria
-
Iraq
-
Libya
-
Palestinian Authority territories
-
West Bank, including East Jerusalem
-
Gaza Strip
-
Language support
Foreign language support is provided for the following components:
- CyberArk Identity User Portal help -- Japanese only
- User Portal text strings
- Admin Portal text strings
Not all of the languages listed below are available for all of the Admin Portal text strings.
Administrators can select a default language for UI text and system messages. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection is used.
If users select a different language in their User Portal, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can select a language in User Portal > Account > Personal Profile > Language drop-down list.
To configure the language option in the Admin Portal:
- Log-in to the Admin Portal.
- Click Access > Policies > Select the relevant policy.
- Click User Security Policies > User Account Settings.
- Select the default language in the Default Language drop-down list.
- Click Save.
In this release, we support the following languages:
- Arabic
- German
- English
- Spanish
- French
- Italian
- Japanese
- Korean
- Dutch
- Portuguese - Brazil
- Portuguese
- Russian
- Serbian
- Swedish
- Thai
- Vietnamese
- Chinese - Simplified
- Chinese - Traditional
Known issues
| Issue | Workaround |
|---|---|
Windows Cloud Agent |
|
|
With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directoryuser. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection. |
|
Mac Cloud Agent |
|
|
The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device. |
|
|
The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured. |
None |
|
The Mac Cloud Agent cannot be updated from the UI. |
WorkAround: Go to the User Portal or the Admin Portal to download the latest agent. Reopen the Mac Cloud Agent and note that the agent is updated to the latest version. |
|
Self-service account unlock is not currently supported. |
None |
|
User may not able to see the device location. |
Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again. |
|
Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported. |
Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user. |
|
The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login. |
Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line. |
|
When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1). |
None |
|
A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices. |
To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password. |
|
Apple Watch unlock is not compatible with the MFA lock screen policy |
Disable the MFA lock screen policy for Apple Watch users in the Admin Portal. |
|
The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart. You might receive a certificate error during munkiimport after tenant migration. |
Workaround: Re-enroll the Mac |
|
The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP. |
None |
Mobile applications |
|
|
For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated. |
Use only the 'Standard' display mode. |
Authentication |
|
|
A federated user who signs in to the User Portal from an identity provider to a server provider is unable to edit the Additional Attribute name and value. |
None |
