CyberArk Identity Release Notes

Release 22.9 (available September 9, 2022) introduces the following changes.

See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

Planned changes

Changes to the default access URL format

In the CyberArk Identity mobile app, the default access URL format was changed to https://cloud.pod.id.cyberark.cloud/ in the 22.6 release. This URL works, but unfortunately the change was not communicated beforehand. For this reason, we will revert the default URL format back to https://cloud.idaptive.app in the 22.10 release due in October. Both URL formats will continue to function without disrupting services, as long as these URLs are accessible from mobile devices.

Hotfixes

The following table lists changes made as hotfixes to the 22.9 release.

Hotfix version   Change(s)

22.9-216         Fixed a performance issue with SAML scripts that use the LoginUser.GroupNames object.

Impact of Microsoft deprecating Basic Authentication

The Microsoft announcement regarding deprecation of Basic Authentication, documented at https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online, only disables Basic Authentication for the Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. This change does not affect the Office 365 or Azure Portal applications in the CyberArk Identity App Catalog or their functionality. For authentication and provisioning against the Office 365 and Azure Portal applications, CyberArk uses Microsoft's Provisioning Web Client as the backend tool when Basic Authentication is configured, and Microsoft's Graph API when Token-Based Authentication is configured. See the following article for more details: https://cyberark-customers.force.com/s/article/Basic-Auth-Deprecation.

Though basic authentication for CyberArk integration with O365 will continue to be supported, for various security reasons listed in the Microsoft article, CyberArk strongly recommends that customers migrate to the more modern and secure token-based authentication.

New features

The following new features are available.

Feature Description

Workforce Password Management

Transfer ownership of Secured Items

Previous releases allowed you to transfer ownership of shared application credentials from an application owner (the user who added an application credential and shared access of that credential with other users) to another user. Now you can also transfer ownership of shared Secured Items and shared application credentials to another user even after the original owner has been deprovisioned from CyberArk Identity. This feature ensures uninterrupted access to Secured Items and application credentials even after the user who initially added and shared the application or Secured Item leaves the enterprise.

For details, see Transfer Ownership of a Secured Item.

Authentication

Enable Password never expires for bulk user import

You can configure passwords to never expire when you bulk import users to CyberArk Identity. This setting is disabled by default.

Secure Web Sessions

See What's New for more details on upgrade notes and backwards compatibility.

Additional automation capabilities for session recordings

Two new APIs are available to enable Secure Web Sessions (SWS) customers to GET a list of all recordings within a certain time frame (GET SWS Recordings), and to GET the specific steps taken in a particular session (GET SWS recordings by ID). These APIs allow you to pull specific session details and can enable integration with other security tools such as SIEM.

For details, see API commands.

Seamless third-party identity provider (IdP) support

You can apply SWS protections directly to third-party IdP SSO sessions, without requiring CyberArk Identity SSO. This streamlines setup, maintenance, and licensing, and gives users a simpler experience with fewer actions.

For details, see Configure SWS protections for applications.

New download details, clipboard action, and blocked Session Protection event auditing

SWS now provides visibility and auditing for user downloads and clipboard actions taken in any web-session secured with Step Recording. In addition, SWS session details now include events for any user actions that were blocked by Session Protection.

For details on the auditor workflow, see Access session recordings.

Identity Compliance (new)

Identity Compliance service

CyberArk Identity Compliance, another addition to our Software-as-a-Service (SaaS) portfolio, helps you to continuously review users' access to ensure that access privileges are relevant and comply with your organization’s access requirements.

CyberArk Identity Compliance provides a single view of who has access to what and makes it easier for organizations to enforce and demonstrate compliance by continuously discovering workforce and privileged access, streamlining access certifications, and providing comprehensive identity analytics.

See your Identity Compliance documentation for details.

Endpoints

Support for Windows Device Trust

You can leverage Integrated Windows Authentication (IWA) to drop and maintain a trust certificate on Windows devices. The certificate ensures that sensitive applications are accessed only from trusted Windows devices. Trust validation can be performed even when a device is remote and not visible to the domain controller. This feature is now generally available.

Support for Mac Device Trust

You can leverage Jamf mobile device management (MDM) to drop and maintain a trust certificate on managed Mac devices. The certificate ensures that sensitive applications are only accessed from Jamf-managed Mac devices. This feature is now generally available.

Mobile Applications

Fetch notifications and updates from CyberArk Identity

Users who cannot access Google services, for example users in China, can now explicitly fetch the push notifications and policy updates sent by CyberArk Identity. This feature is now generally available.

Control mobile authentication on Apple watches

You can use policy to control whether push authentications and passcodes are available on Apple watches.

Improvements and behavior changes

This release includes the following product improvements.

Improvement Description

Authentication

Copying a password from the CyberArk Identity Browser Extension now adheres to the view/copy passwords policy.

You can disable Copy Password for users from the Browser Extension or the browser context menu using the policy Allow users to view/copy personal passwords available at Core Services > Policies > Application Policies.

Fixed Issues

Issue Description

On iPadOS, scanning the QR code from the CyberArk Identity mobile app loads a sign-in page instead of starting enrollment.

This issue is fixed.

When importing files from external credential managers, a file that contains duplicate records cannot be uploaded: the error message "File contains duplicate records" is displayed, and the import succeeds only if all records are unique.

This issue is fixed.

Early access features

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

Feature Description

Initial release version

Customer Identity

User portal customization and branding

You can customize and brand the CyberArk Identity User Portal to meet the needs of your organization. Users who navigate to the portal from external applications for self-service profile management and factor enrollment can then see your company's specific branding.

The following customizations are available:

  • Hide all tabs except for the Account tab.

  • Customize the User Portal page where users land when they navigate from an external application.

  • Enable or disable each authentication factor on the factor enrollment page.

  • Replace CyberArk with your company branding.

22.9

Licensing

Monthly Active Users report and alerts

The Monthly Active Users (MAU) report is a built-in report that provides an overview of the MAU quota purchased, and the number of active users per month who have logged in or signed up to CyberArk Identity or an external app for the selected period.

This report now indicates whether each purchased MAU plan is active or completed, and the number of remaining and consumed MAUs for each plan. Administrators receive an email notification when the remaining MAUs drop below a configured percentage. The default threshold is 30%.

22.9

Developer experience

Generate scoped access token

You can use an OpenID Connect app to acquire both an ID Token and a scoped access token using a single API call, thereby reducing the complexity of integrating with CyberArk Identity through the OIDC protocol. The scoped access tokens in OIDC app can help developers use both OIDC and OAuth features from a single authorization server endpoint.

In the CyberArk Identity Admin Portal, you can configure specific types of authorization scopes. For example, a scope can grant access to APIs or release custom claims that are included in the ID Token. You can also configure scopes to require user consent.

22.4
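The relying-party side of the flow described above, as an added example (not CyberArk's code or API): given the single token response carrying both an ID Token and a scoped access token, the client must validate the ID Token's issuer, audience, expiry and nonce, and must check which scopes were actually granted, since consent-gated scopes can be withheld. The issuer URL, client ID, scope names and the sample response are constructed for illustration, and signature verification against the provider's JWKS (required before any claim is trusted) is not shown.

```python
"""Relying-party checks on an OIDC token response that carries both an ID Token
and a scoped access token (added example, not CyberArk's code)."""
import base64
import json
import time
from typing import Optional

# Assumed values: issuer, client ID and scope names are placeholders.
ISSUER = "https://example-tenant.id.cyberark.cloud/"
CLIENT_ID = "oidc-app-client-id"
REQUIRED_SCOPES = {"openid", "profile", "inventory:read"}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a JWT. Signature verification against the
    issuer's JWKS must happen before these claims are trusted; it is not shown."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def validate_id_token_claims(claims: dict, expected_nonce: str,
                             now: Optional[float] = None) -> list:
    """Return the list of failed checks; an empty list means the claims pass."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append("aud does not contain client_id")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences without matching azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


def has_required_scopes(token_response: dict) -> bool:
    """The server may grant fewer scopes than requested (e.g. consent withheld),
    so check what was actually granted before calling the API."""
    granted = set(token_response.get("scope", "").split())
    return REQUIRED_SCOPES <= granted


def accept_token_response(token_response: dict, expected_nonce: str,
                          now: Optional[float] = None) -> bool:
    if token_response.get("token_type", "").lower() != "bearer":
        return False
    claims = decode_jwt_payload(token_response["id_token"])
    if validate_id_token_claims(claims, expected_nonce, now):
        return False
    return has_required_scopes(token_response)


# Constructed sample response; the signature segment is a placeholder.
NOW = 1662681600  # fixed clock (2022-09-09T00:00:00Z) so the example is deterministic
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "exp": NOW + 300,
                 "iat": NOW, "nonce": SAMPLE_NONCE, "department": "Finance"}
SAMPLE_RESPONSE = {
    "token_type": "Bearer",
    "id_token": _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(SAMPLE_CLAIMS) + ".sig",
    "access_token": "opaque-access-token",
    "scope": "openid profile inventory:read",
    "expires_in": 300,
}

if __name__ == "__main__":
    print(accept_token_response(SAMPLE_RESPONSE, SAMPLE_NONCE, NOW))          # True
    print(accept_token_response(SAMPLE_RESPONSE, "other-nonce", NOW))         # False
    print(accept_token_response(dict(SAMPLE_RESPONSE, scope="openid"), SAMPLE_NONCE, NOW))  # False
```

The nonce check is what ties the ID Token to the authorization request the client actually sent; without it a captured response can be replayed. Checking the granted `scope` string rather than the requested one matters once consent is enabled, because the API call will otherwise fail (or worse, the client will assume an authorization it never received).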

User interface

Updated design in Application tile

The design of the app tiles is updated. A new Shared icon appears on the lower right of the app tile; all other icons also appear on the lower right of the tile, except the New and Error icons.

22.2

Enhanced interface in Applications

This enhancement enables you to customize tabs in the applications based on your requirements. You can perform the following actions in the User Portal:

  • Add tabs

  • Delete tabs

  • Re-order tabs

  • Drag and drop apps from one tab to another tab

A new drop-down has been introduced, which enables you to sort all applications.

See Organize your applications for more information.

22.2

Additional enhancements to the Applications interface in the User Portal

This release adds the following enhancements to the Applications interface in the User Portal.

  • A new Shared Apps tab to show all applications shared with you or by the Workforce Password Management feature

  • The ability to rename tabs

  • The ability to scroll through tabs if you have more tabs than can fit in your available screen width

22.3

Authentication

Create and apply access requests with the Access Orchestrator

You can now use Access Orchestrator to create authentication request flows with challenge dependencies. With this new feature, the end user’s second challenge is contingent on their first challenge selection, which allows a stricter way to enforce a secure authentication process and comply with industry standards.

See Create access requests with the Access Orchestrator for more information.

22.7

Sign in APIs now support multiple identifiers

CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number.

If an email address or phone number is associated with more than one user account, sign-in with that identifier fails.

22.3
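The ambiguity rule stated above, worked through as an added example (not CyberArk's code or sign-in API): an identifier is classified as a username, email address or phone number, normalized, and resolved against a directory; an email or phone that maps to more than one account is rejected rather than silently resolved to the first match. The sample directory and the normalization rules (case-insensitive email comparison, phone numbers reduced to E.164 digits) are constructed assumptions.

```python
"""Resolve a sign-in identifier (username, email address or phone number) to
exactly one account (added example, not CyberArk's code)."""
import re

# Constructed sample directory: username -> attributes.
DIRECTORY = {
    "alice": {"email": "alice@example.com", "phone": "+15555550100"},
    "bob":   {"email": "bob@example.com",   "phone": "+15555550101"},
    "bob2":  {"email": "BOB@example.com",   "phone": "+15555550199"},  # same email, different case
    "carol": {"email": "carol@example.com", "phone": "+15555550101"},  # same phone as bob
}


def classify(identifier: str) -> tuple:
    """Return (kind, normalized value); kind is 'email', 'phone' or 'username'.
    Normalization rules are assumptions: emails compare case-insensitively and
    phone numbers are reduced to E.164 digits with a leading '+'."""
    ident = identifier.strip()
    if "@" in ident:
        return "email", ident.lower()
    if re.fullmatch(r"\+?[\d\s().-]{7,}", ident):
        return "phone", "+" + re.sub(r"\D", "", ident)
    return "username", ident.lower()


def resolve_user(identifier: str) -> tuple:
    """Return ('ok', username), ('unknown', None) or ('ambiguous', None).
    An identifier shared by several accounts fails closed: the service must not
    guess which account the caller meant."""
    kind, value = classify(identifier)
    if kind == "username":
        return ("ok", value) if value in DIRECTORY else ("unknown", None)
    matches = [name for name, attrs in DIRECTORY.items()
               if classify(attrs[kind])[1] == value]
    if len(matches) > 1:
        return "ambiguous", None
    return ("ok", matches[0]) if matches else ("unknown", None)


if __name__ == "__main__":
    for ident in ("Alice@Example.COM", "+1 (555) 555-0100", "bob@example.com", "+15555550101"):
        print(ident, "->", resolve_user(ident))
```

Note that the duplicate in the sample directory only becomes visible after normalization (`bob@example.com` versus `BOB@example.com`); comparing raw strings would wrongly treat them as distinct and resolve the login to one of the two accounts.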

Mobile Applications

Number matching implementation to prevent accidental push approvals (push fatigue) and push attacks

This feature enables users to prevent accidental or habitual push approvals and fraudulent push attacks.

When a push approval is sent, the user is prompted to tap the number in the authenticator app that matches the one displayed on the login screen. This adds an explicit confirmation step from the end user each time a push notification is sent.

22.6
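The number-matching exchange described above, as an added example (not the CyberArk mobile app's or service's code): the server issues a challenge, the login screen shows one number, the authenticator app shows that number among decoys, and the approval is only accepted when the tapped number matches. Each challenge is single-use and time-limited, so a blind "approve" tap during a push-bombing attempt, or a wrong tap, denies the login instead of allowing a retry. The challenge lifetime and the number of candidates shown are assumptions.

```python
"""Number matching for push approvals (added example, not the CyberArk app's
or service's code). The login screen shows one number; the authenticator app
shows several candidates and the user must tap the matching one. The TTL and
the number of candidates are assumptions."""
import secrets
import time
from typing import Optional

CHALLENGE_TTL_SECONDS = 60   # assumed
CANDIDATE_COUNT = 3          # assumed number of choices shown in the app


class PushChallengeStore:
    """Server-side record of outstanding push challenges (in-memory for the example)."""

    def __init__(self):
        self._challenges = {}   # challenge_id -> {user, number, expires}

    def create(self, user: str, now: Optional[float] = None) -> tuple:
        """Return (challenge_id, number for the login screen, candidates for the app)."""
        now = time.time() if now is None else now
        number = secrets.randbelow(90) + 10          # two-digit number, 10..99
        candidates = {number}
        while len(candidates) < CANDIDATE_COUNT:     # distinct decoys
            candidates.add(secrets.randbelow(90) + 10)
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = {
            "user": user, "number": number, "expires": now + CHALLENGE_TTL_SECONDS,
        }
        shuffled = list(candidates)
        secrets.SystemRandom().shuffle(shuffled)     # don't leak the answer by position
        return challenge_id, number, shuffled

    def approve(self, challenge_id: str, user: str, tapped: int,
                now: Optional[float] = None) -> str:
        """Return 'approved' or the reason for rejection. Every attempt consumes
        the challenge, so a wrong tap denies the login instead of allowing a retry."""
        now = time.time() if now is None else now
        challenge = self._challenges.pop(challenge_id, None)
        if challenge is None or challenge["user"] != user:
            return "unknown challenge"
        if now > challenge["expires"]:
            return "expired"
        if not secrets.compare_digest(str(tapped), str(challenge["number"])):
            return "number mismatch"
        return "approved"


if __name__ == "__main__":
    store = PushChallengeStore()
    cid, shown, choices = store.create("alice")
    print(f"login screen shows {shown}; app offers {choices}")
    print(store.approve(cid, "alice", shown))   # approved
```

The important property is that the number lives only on the login screen the user is looking at and on the server; the push message itself does not carry it, so an attacker who triggers the push has nothing to tell the victim.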

New Single Sign-On templates

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

See Recent SSO application templates for a list of recently added templates.

Component versions

See the following table for a list of component versions in the latest release:

Component

Version

CyberArk Identity

22.9-215

User Behavior Analytics

22.9-203

Windows Cloud Agent

22.9.215

Windows Device Trust

22.9-215

Mac Cloud Agent

22.9-215

Mac Device Trust

22.9-215

Android CyberArk Identity mobile app

22.9-100

iOS CyberArk Identity mobile app

22.9-111

Windows CyberArk Authenticator

22.9.215

Mac CyberArk Authenticator

22.9-215

Browser Extension - Chrome

22.9.2

Browser Extension - Edge Chromium

22.9.2

Browser Extension - Firefox

22.9.3

Connector

22.9-215

Browser support

This version of CyberArk Identity has been tested with the following browsers:

Browser

Version

Internet Explorer

Version 11 on Windows Server 2008, Windows Server 2012, Windows 7, and Windows 8

Microsoft Edge

Latest version available at release

Mozilla Firefox

Latest version available at release

Google Chrome

Latest version available at release

Apple Safari

11

For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Manage credentials with Workforce Password Management).

On devices, the CyberArk Identity mobile app opens the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app opens the application in its built-in browser.

CyberArk Identity Browser Extension support

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. See Send feedback for more information.

Computers must meet the following requirements to install the Browser Extension.

  • Microsoft .NET Framework 4.6.2 or later
  • Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.

Feature          Chrome (latest available at release)   Firefox (latest available at release)   Edge

Form filling     Yes                                    Yes                                     Yes

App capture      Not supported                          Yes                                     Not supported

Land and Catch   Yes                                    Yes                                     Yes

App Launch       Yes                                    Yes                                     Yes

Device support

CyberArk Identity supports enrollment of the following devices.

The purpose of the cloud agent is to enforce authentication profiles; it’s only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents are not listening to system events or otherwise consuming endpoint resources after the user logs in.

Operating System

Versions supported

Windows

10, 11, Server 2012 R2, Server 2016, Server 2019 and Server 2022

Desktop Experience is required for Windows servers.

macOS

10.15, 11, 12

iOS

13.x and later

iPadOS

13.x and later

watchOS

6.x and later

Android

10.x and later

The CyberArk Identity mobile app is not available in the following countries.

  • Cuba

  • Iran

  • Lebanon

  • North Korea

  • Sudan

  • Syria

  • Iraq

  • Libya

  • Palestinian Authority territories

    • West Bank, including East Jerusalem

    • Gaza Strip

Language support

Foreign language support is provided for the following components:

  • CyberArk Identity User Portal help -- Japanese only
  • User Portal text strings
  • Admin Portal text strings

Not all of the languages listed below are available for all of the Admin Portal text strings.

Administrators can select a default language for UI text and system messages. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection is used.

If users select a different language in their User Portal, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can select a language in User Portal > Account > Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal:

  1. Log-in to the Admin Portal.
  2. Click Access > Policies > Select the relevant policy.
  3. Click User Security Policies > User Account Settings.
  4. Select the default language in the Default Language drop-down list.
  5. Click Save.

In this release, we support the following languages:

  • Arabic
  • German
  • English
  • Spanish
  • French
  • Italian
  • Japanese
  • Korean
  • Dutch
  • Portuguese - Brazil
  • Portuguese
  • Russian
  • Serbian
  • Swedish
  • Thai
  • Vietnamese
  • Chinese - Simplified
  • Chinese - Traditional

Known issues

Issue Workaround

Windows Cloud Agent

With RDP client version 6.0 or later, a user cannot RDP to an endpoint or server running the Windows Cloud Agent using a CyberArk Cloud Directory user. This is because the RDP client validates the network credentials on the client side before establishing the remote desktop connection, so the agent is never invoked for that logon.

https://docs.microsoft.com/en-au/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials

Mac Cloud Agent

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After you make these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.

The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured.

None

The Mac Cloud Agent cannot be updated from the UI.

Workaround: Go to the User Portal or the Admin Portal to download the latest agent.

Reopen the Mac Cloud Agent and note that the agent is updated to the latest version.

Self-service account unlock is not currently supported.

None

User may not able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).

None

A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

Apple Watch unlock is not compatible with the MFA lock screen policy

Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.

None

Mobile applications

For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated.

Use only the 'Standard' display mode.

Authentication

A federated user who signs in to the User Portal through an identity provider (IdP-initiated sign-in to the service provider) is unable to edit the Additional Attribute name and value.

None