CyberArk Identity Release Notes

Release 22.11 (available November 9, 2022) introduces the following changes.

See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.


We made the following updates to the release notes after the release, based on new information.



  • Removed Known Issue: Zero Sign On (ZSO) certificate login does not work.

    The product works as designed. This was a misconfiguration erroneously reported as a known issue.

December 9, 2022


The following table lists changes made as hotfixes to the 22.11 release.

Hotfix versions



  • Previously, the authentication policy settings (Authentication Policies > CyberArk Identity > Session Parameters) could not control the session lifetime for federated users.

  • New custom attributes for O365 SSO template

    You can add two new custom attributes, setCustomAttribute and setCustomAttributeArray to the O365 template. Go to the Admin Portal, select Apps & Widgets > Web Apps > 0365 then click the Advanced tab and add the two new custom attributes to the script.

    The attributes allow three parameters. You can use the following syntax:

    setCustomAttribute(<key-string>, <name-space-string>, <value-string>)
    setCustomAttributeArray(<key-string>, <name-space-string>, <value-array>)

  • Postman collection for end-user APIs

    Use the CyberArk Identity Postman collection to try the CyberArk Identity APIs before starting the integration, while enabling you to connect to your own tenant, to help with API development and CyberArk Identity API integration. You can leverage the CyberArk Identity Postman collection for end user and API management. See CyberArk Identity Postman Collection for the collection of APIs.

What's new

The following new features are available.

Feature Description


Access Orchestrator

The Access Orchestrator enables you to create rules-based authentication requirements using a logic flowchart. This improves the user experience by making it easier to visualize how the authentication rules impact users trying to access the CyberArk Identity User Portal or launch a web app from the User Portal. In addition, you can use a logic flowchart to create a dynamic authentication profile. This simplifies creating authentication profiles that meet your organizational best practices. For more information, see Create custom authentication with the Access Orchestrator.

MFA Fatigue report

This built-in report provides a view into potential MFA Fatigue/Bombing attacks in which an attacker sends multiple MFA requests and hopes the user approves one of them.

You are provided with the number of denials and approvals of our MobileCyberArk Identity push notification requests for a defined time period.


Support for macOS Ventura

Release 22.11 will support macOS Ventura in Mac Cloud Agent and Mac Device Trust.

Fixed issues

Issue Description

Assignment of groups to users was not working as part of SCIM-based user provisioning from third-party Identity Providers to CyberArk Identity.

The issue is fixed. Modifications to PUT Groups operations have been made.

Unable to use the Multi-factor Authentication (MFA) drop-down menu

The issue is fixed. When the user clicks the drop-down menu to use MFA on the login page, the menu does not appear.

A federated user who signs in to the User Portal from an identity provider to a server provider is unable to edit the Additional Attribute name and value.

The issue is fixed.

Early access features

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

Feature Description

Initial release version

Customer Identity


User Portal navigation

This feature enables a user to navigate back to a customer website from CyberArk Identity User Portal after performing self-service actions such as configuring MFA or personal profile updates.


User Portal customization and branding

You can customize and brand the CyberArk Identity User Portal to meet the needs of your organization. Users who navigate to the portal from external applications for self-service profile management and authentication factor enrollment can then see your company's specific branding.

The following customizations are available:

  • Hide all tabs except for the Account tab.

  • Customize the User Portal landing page (land on the Account page or Application page) where users land when they navigate from an external application.

  • Enable or disable each authentication in the Account > Authentication Factors page.

  • Replace CyberArk with your company branding.


Monthly Active Users report and alerts

The Monthly Active Users (MAU) report is a built-in report that provides an overview of the MAU quota purchased, and the number of active users per month who have logged in or signed up to CyberArk Identity or an external app for the selected period.

This report now indicates whether your purchased MAU plans are active or completed, and the number of remaining and consumed MAU reports for each plan. Administrators receive an email notification when the remaining MAUs drop below a configured percentage. The default is 30%.


Developer experience

Generate scoped access token

You can use an OpenID Connect app to acquire both an ID Token and a scoped access token using a single API call, thereby reducing the complexity of integrating with CyberArk Identity through the OIDC protocol. The scoped access tokens in OIDC app can help developers use both OIDC and OAuth features from a single authorization server endpoint.

In the CyberArk Identity Admin Portal, you can configure specific types of authorization scopes. For example, scopes can access APIs or retrieve custom claims that are part of ID Token.​​ You can also configure scopes to require user consent.


User interface


Updated design in Application tile

The design is updated for the app tiles. A new Shared icon has been introduced in the app tile. You can view this icon on the lower right of the app tile. You can view all other icons on the lower right of the tile except the New and Error icons.


Enhanced interface in Applications

This enhancement enables you to customize tabs in the applications based on your requirements. You can perform the following actions in the User Portal:

  • Add tabs

  • Delete tabs

  • Re-order tabs

  • Drag and drop apps from one tab to another tab

A new drop-down has been introduced, which enables you to sort all applications.

See Manage web apps for more information.


Additional enhancements to the Applications interface in the User Portal

This release adds the following enhancements to the Applications interface in the User Portal.

  • A new Shared Apps tab to show all applications shared with you or by the Workforce Password Management feature

  • The ability to rename tabs

  • The ability to scroll through tabs if you have more tabs than can fit in your available screen width



Attribute mapping in external IDP federation

This feature enables any federated user attribute to be mapped with any attribute of AD user or CyberArk Cloud Directory user. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account.


Sign in APIs now support multiple identifiers

CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number.

If an email address or phone number is used in multiple user accounts, signin will fail.


New Single Sign-On templates

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

See Recent SSO application templates for a list of recently added templates.

Component versions

See the following table for a list of component versions in the latest release:



CyberArk Identity


User Behavior Analytics


Windows Cloud Agent


Windows Device Trust


Mac Cloud Agent


Mac Device Trust


Android CyberArk Identity mobile app


iOS CyberArk Identity mobile app


Windows CyberArk Authenticator


Mac CyberArk Authenticator


Browser Extension - Chrome


Browser Extension - Edge Chromium


Browser Extension - Firefox




Known issues

Issue Workaround

Customer Identity

The app-level MFA doesn't work with the RP-initiated login using embedded widgets.


When setting the mobile number in the Authentication Setup page, the UI keeps loading when you click Done without any input. This happens only when the User Portal Back Navigation is configured for the tenant. See Edit the fields under User Portal Back Navigation for more information.

In the Admin Portal, select the relevant policy, go to User Security Policies > User Account Settings, then select No from the Prompt users to set up mobile number on login drop-down list.

The screen view is truncated when you click the pin in the left navigation pane.

Refresh the browser to view the screen.

Inbound Provisioning

Just in Time (JIT) syncs in the configuration of Workday to Cloud, followed by Cloud to AD, are not triggered.

Set the scheduled incremental syncs interval to 10 minutes for Cloud to AD to capture any changes not synced by JIT.

Single Sign-On

In addition to launching applications from the User Portal or CyberArk Identity Browser Extension, users can go directly to the web application and click the CyberArk icon next to the login form fields to fill in the username and password and automatically login. This feature currently does not work due to a known issue and will be fixed in a subsequent release.

Users can still successfully launch the apps directly from the User Portal, from the Browser Extension, or copy the username and password of the application from the Browser Extension context menu.

Windows Cloud Agent

With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

Mac Cloud Agent

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After you make these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.

The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured.


The Mac Cloud Agent cannot be updated from the UI.

WorkAround: Go to the User Portal or the Admin Portal to download the latest agent.

Reopen the Mac Cloud Agent and note that the agent is updated to the latest version.

Self-service account unlock is not currently supported.


User may not able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).


A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart.

You might receive a certificate eror during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.


Mobile applications

For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated.

Use only the 'Standard' display mode.

System requirements

See System requirements and supported browsers for more information about browser and device support.