CyberArk Identity Release Notes
Release 22.1 (available January 21, 2022) introduces the following changes.
Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.
New features
The following new features are available starting in 22.1.
| Feature | Description |
|---|---|
Workforce Password Management |
|
|
Store shared credentials for admin-deployed user password apps in your self-hosted PAM vault. |
Previously, when you deployed a user password application with the option All users share one name selected on the Account Mapping tab, the shared credentials were stored in the CyberArk Identity cloud. In this release, you can securely store these credentials in your self-hosted PAS vault. As an additional security measure, end users cannot view, change, or share vault-stored credentials. This feature requires you to configure your tenant to communicate with the self-hosted PAM vault. Refer to Manage business application credentials in CyberArk PAM (Workforce Password Management) for more detail on how to configure your tenant with PAM.
|
|
Share User Password application credentials that are stored in self-hosted PAM |
Previously, end users could only share their personally added or captured applications with other users if the credentials were stored in the CyberArk Identity cloud. In this release, end users can securely share their personally added or captured applications with other users if the credentials are stored in self-hosted PAM. For example, a team lead can now share their personally added application credentials with their team members, grant permissions to view or edit the application credentials, and revoke access to the shared application at any time without requiring assistance from the administrator. As an added security measure, an administrator can configure all such shared applications to require that share recipients prove their identity using MFA before they can launch, view, or edit the credentials. Refer to Configure users to share business application credentials and Share business application credentials for more information. |
|
Transfer ownership of shared applications when credentials are stored in self-hosted PAM. |
CyberArk Identity enables application owners (end users who have added a username and password application to their user portal) to securely manage shared access to their business apps. With this release, you can configure CyberArk Identity to transfer ownership of a specific shared application to another user if the original application owner is deprovisioned from CyberArk Identity. This ensures uninterrupted access to username and password apps even when the user that initially added and shared the application leaves the company. Refer to Configure users to share business application credentials for more information. |
Multi-Factor Authentication |
|
|
Authentication profile scoring based on NIST AAL standards. |
You can now see your Authenticator Assurance Level (AAL) minimum and maximum scores in the authentication profile as you select authentication mechanisms. This simplifies configuring MFA to meet industry best practices. Refer to Create authentication profiles for more details. |
Developer enablement |
|
|
QR code authenticator and push notifications in iOS and Android SDKs |
Quickly embed secure, adaptive, and out-of-band factors like QR code and mobile push notification using the iOS or Android SDK. Also leverage native biometric (for example, Fingerprint on Android). The SDK allows you to secure the entry to apps or step-up workflows within apps while maintaining your own branding. Leverage the iOS and Android sample apps to accelerate the development process. This feature was previously an Early Access feature, and is now generally available. Refer to the following links for more information. Developer documentation
GitHub |
|
Java-Angular sample web app |
This Java-Angular sample web app enables developers to explore CyberArk Identity. The sample web app uses the CyberArk Identity Java SDK integrated to the Java Spring Boot for the back-end and Angular for front-end UI. To access the sample web app
This feature was previously an Early Access feature, and is now generally available. |
|
Java SDK for web apps |
Quickly integrate your web app with CyberArk Identity to perform authentication and authorization of users by leveraging the OAuth/OIDC protocols using the Java SDK. Refer to https://identity-developer.cyberark.com/docs/cyberark-identity-java-sdk-reference for more information. |
Improvements and behavior changes
This release includes the following product improvement.
| Improvement | Description |
|---|---|
Authentication |
|
|
Rebranded Corporate IP range to Secure Zones |
In the Admin Portal, Settings > Network > Corporate IP Range is now Settings > Network > Secure Zones. The purpose of this change is to better reflect the full scope of the feature, as you can also specify external IP addresses or ranges when you define a Secure Zone. Refer to Define Secure Zones for more information. |
macOS endpoints |
|
| Added suport for macOS 12 (Monterey) |
Mac Device Trust and the Mac Cloud Agent now support macOS 12. Munki is not support by the Mac Cloud Agent and macOS 12. |
User interface |
|
|
New logos |
The User Portal, Admin Portal, and User Behavior Analytics portal feature updated logos for more consistency with other CyberArk products. In addition, the Getting Started wizard features a new logo.
|
CyberArk Identity mobile apps |
|
|
Added a new policy setting that can limit sharing of mobile device details |
This enhancement adds a policy setting to control whether to report the following device details to the cloud, as these details can be considered personally identifiable information.
This is to enable customers to comply with data privacy requirements from regulations such as GDPR. Refer to Restrictions Settings for more information. |
|
Added a new policy setting to configure the CyberArk Identity mobile app landing screen |
This enhancement adds a policy setting to configure the landing screen (starting screen) for the CyberArk Identity mobile app for both iOS and Android. This allows you to reduce the number of taps needed to navigate to commonly used features. You can configure any of the following screens as the landing screen.
|
|
Updated the CyberArk Identity mobile apps for more UI consistency with other CyberArk products |
Color schemes, navigation, field styles, and more were updated to better align with CyberArk UI standards. Functionality is unchanged by this update. Click here for more information. |
User Portal |
|
|
Changed the Secure Web Sessions icon |
User Portal applications with Secure Web Sessions enabled now show the following icon.
|
Early access features
Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.
Contact your account representative to enable early access features.
The following table describes features that are currently in an early access state.
| Feature | Description |
Initial release version |
|---|---|---|
Authentication |
||
|
New Authentication Widget Builder |
This feature enables you to create a widget and visualize the preview of the widget before using it. |
22.1 |
|
Progressive migration of passwords using code plugin |
This feature enables you to progressively migrate hashed passwords from their legacy stores to CyberArk Identity by providing an inline legacy authentication hook into the CyberArk Identity authentication process. |
21.12 |
User interface |
|
|
|
Updated User Portal design |
The User Portal app tiles feature an updated design. The new tiles are larger in size and include an updated notification area. Icons in the notification area alert users if the application is new, any user action is required, the application uses shared credentials, or if the application is protected by Secure Web Sessions. |
22.1 |
Android mobile application |
||
|
Support for push notifications on the Android mobile app for users in China |
This feature enables users who don't have access to Google services, like users in China, to explicitly fetch the push notifications and policy updates sent by CyberArk Identity. Contact your CyberArk account representative to enable this feature if you have users without access to Google services. Refer to Download the CyberArk Identity mobile app for Android and CyberArk Identity-SDK for-Android for more information. |
21.11 |
Endpoints |
||
|
Windows and Mac Device Trust |
The CyberArk IdentityWindows Device Trust and Mac Device Trust prevent untrusted computers from accessing the CyberArk Identity portals or web applications using authentication certificates as a conditional access mechanism. This provides additional device trust to identity and access policies. The Windows Device Trust is available for AD-joined devices and users must first be validated using IWA authentication. The Windows Device Trust is available in the Admin Portal > Downloads. The CyberArk IdentityMac Device Trust is available for AD-joined devices and non AD-joined devices, and is deployed with Jamf Pro. Additional enhancements include:
Refer to CyberArk Identity Mac Device Trust and CyberArk Identity Windows Device Trust for more information. |
Mac - 21.9 Windows - 21.5 |
New Single Sign-On templates
New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.
Refer to Recent SSO application templates for a list of recently added templates.
Android CyberArk Identity mobile app support changes
The policy setting to Encrypt internal onboard storage (Endpoint policies > Common settings > mobile settings > common > Encrypt internal onboard storage) will be removed in an upcoming CyberArk Identity release. CyberArk is removing this policy setting because encrypting internal storage has been the default behavior starting with Android 5. After the policy setting is removed, it won't be possible to enroll Android 4.4.4 and older devices.
Currently, enrollment of Android 4.4.4 and older devices is still possible, even though CyberArk only supports Android 8 or newer.
Component versions
Refer to the following table for a list of component versions in the latest release:
|
Component |
Version |
|---|---|
|
CyberArk Identity |
22.1.190 |
|
Windows Cloud Agent |
22.1.289 |
|
Windows Device Trust |
22.1.289 |
|
Mac Cloud Agent |
22.1.289 |
|
Mac Device Trust |
22.1.290 |
|
Android CyberArk Identity mobile app |
22.1.115 |
|
iOS CyberArk Identity mobile app |
22.1.106 |
|
Windows CyberArk Authenticator |
22.1.290 |
|
Mac CyberArk Authenticator |
22.1.290 |
|
Browser Extensions |
22.1.3 |
|
Connector |
22.1.190 |
Browser support
This version of CyberArk Identity has been tested with the following browsers:
|
Browser |
Version |
|---|---|
|
Internet Explorer |
Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8 |
|
Microsoft Edge |
latest version available at release |
|
Mozilla Firefox |
latest version available at release |
|
Google Chrome |
latest version available at release |
|
Apple Safari |
11 |
For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Use the CyberArk Identity Browser Extension).
On devices, the CyberArk Identity mobile app and Idaptive for KNOX open the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app and Idaptive for KNOX open the application in its built-in browser.
CyberArk Identity Browser Extension support
The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.
Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict CyberArk Identity Browser Extension updates for more information.
Computers must meet the following requirements to install the Browser Extension.
- Microsoft .NET Framework 4.6.2 or later
- Microsoft Installer 3.1 or later
In addition, browser support for the Browser Extension features is indicated in the following table.
|
|
Chrome |
Firefox |
Edge |
|---|---|---|---|
| Form filling | Yes | Yes |
Yes |
| App capture | Not supported | Yes |
Not supported |
| Land and Catch | Yes | Yes |
Yes |
| App Launch | Yes | Yes |
Yes |
Device support
If you are using CyberArk Identity for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.
|
Operating System |
Versions supported |
|---|---|
|
Windows |
10, Server 2016, Server 2019 Desktop Experience is required for Windows servers.
|
|
macOS |
10.13, 10.14, 10.15, 11, 12 |
|
iOS |
11.x and later |
|
iPadOS |
13.x and later |
|
watchOS |
5.x and later |
|
Android |
8.x and later |
Language support
Foreign language support is provided for the following components:
- CyberArk Identity User Portal help -- Japanese only
- User Portal text strings.
- Admin Portal text strings
Not all of the languages listed below are available for the Admin Portal text strings.
Administrators can select the language in which the user portal texts and CyberArk Identity system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account > Personal Profile > Language drop-down list.
To configure the language option in the Admin Portal
- Log-in to the Admin Portal.
- Click Access > Policies > Select the relevant policy.
- Click User Security Policies > User Account Settings.
- Select the default language in the Default Language drop-down list.
- Click Save.
In this release, translations are provided for the following languages:
- Arabic
- Brazilian Portuguese
- Chinese—Simplified and Traditional
- Dutch
- French
- German
- Italian
- Japanese
- Korean
- Portuguese
- Russian
- Serbian
- Spanish
- Swedish
- Thai
- Vietnamese
Additional languages are being added over time—see the Release Notes for the most recent additions.
Known issues
| Issue | Workaround |
|---|---|
General platform |
|
|
When you create a Role and add members before saving the Role, the members are not saved. |
Create and save the Role, then add members to the Role and save it again. |
Windows Cloud Agent |
|
|
With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using an Idaptive directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection. |
|
Mac Cloud Agent |
|
|
The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device. |
|
|
The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured. |
None |
|
The Mac Cloud Agent cannot be updated from the UI. |
WorkAround: Go to the User Portal or the Admin Portal to download the latest agent. Reopen the Mac Cloud Agent and note the agent is updated to the latest version. |
|
Self-service account unlock is not currently supported. |
None |
|
User may not able to see the device location. |
Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location.Then unenroll the user and enroll again. |
|
Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported. |
Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user. |
|
The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login. |
Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line. |
|
When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1). |
None |
|
A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices. |
To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password. |
|
Apple Watch unlock is not compatible with the MFA lock screen policy |
Disable the MFA lock screen policy for Apple Watch users in the Admin Portal. |
|
Idaptive Menu Item is not removed from the UI after unenrolling until the next login or restart. You might receive a certificate error during munkiimport after tenant migration. |
Workaround: Re-enroll the Mac |
|
The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP. |
None |
Mobile applications |
|
|
If the iPhone app (or the push authenticator) is locked using biometric or pin, then Apple Watch approval shows an error message. |
None |
|
Users can sign in to the Apple watch only after the first notification is delivered to the watch. |
None |
