24.10
Release 24.10 starts deployment on October 4, 2024. See CyberArk Identity releases for more information about the release rollout process and how to subscribe to release notifications.
See CyberArk Identity Release Notes - Previous for changes in previous releases.
Related services
Workforce Password Management
See the WPM Release Notes for update notes specific to WPM.
Secure Web Sessions
See What's New for update notes specific to SWS.
Identity Compliance
See CyberArk Identity Compliance release notes for update notes specific to Identity Compliance.
Identity Flows
See What's new for update notes specific to Identity Flows.
Improvements and behavior changes
This release includes the following product improvements.
SSO
Improvement | Description |
---|---|
Enhanced application changelog for SSO web applications | The application changelog for SSO web applications now enables you to customize the list by specifying a date range of 30, 60, or 90 days, or a custom date range. This page is used to track and review recent application updates and enhancements that are related to SSO. See Application changelog for more information. |
Fixed issues
This section lists the issues fixed in this release.
Mobile app
Issue | Description |
---|---|
Intermittent push notification delays on mobile app for Android | When some Android users used the Mobile Authenticator option as the MFA factor to sign in to the User Portal, push notifications to the device were intermittently delayed. Users could receive the notification by manually refreshing the Push Notifications section of the app or by relaunching the mobile app. This issue is fixed on an early access basis. Contact your account representative to enable this fix. |
Early access features
Early access features are made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.
Contact your account representative to enable early access features.
The following tables describe features that are currently in an early access state.
Platform
Feature | Description | Initial release version |
---|---|---|
CyberArk Identity now enables the use of browser fingerprinting to secure AuthCookies | Previously, attackers could copy browser cookies to take over a session that impersonates a legitimate user. This new feature prevents attackers from copying AuthCookies to continue a session. When the attacker attempts to use a copied AuthCookie on a different machine or browser, the mismatch in browser fingerprinting prevents the attacker from logging in, and logs out the compromised session. When the Enable browser fingerprinting checkbox is selected, it provides an additional layer of security by ensuring that session AuthCookies cannot be reused on unauthorized devices or browsers. See Authentication security options for more information. | 24.10 |
The new API Gateway connects on-premises application RESTful APIs with the cloud | The new API Gateway enables secure machine-to-machine communication with on-premises application RESTful APIs. By using API keys for authentication, external services can access on-premises APIs without user intervention. The API Gateway enhances security by limiting access to specific endpoints on a restricted list. This prevents credential leaks and ensures only authorized identities can access the on-premises application APIs, making the API Gateway an essential tool for secure and efficient integration with external services. See API Gateway for more information. | 24.8 |
CyberArk Identity now supports Czech, Slovak and Romanian languages for the User Portal, CyberArk Identity mobile app (iOS and Android), the authentication widget, and email templates. | Users can select the Czech, Slovak and Romanian languages in the User Portal > Account > Personal Profile > Language drop-down menu. See Foreign language support for more information. | 24.8 |
Require registration code for connector activation | You can now require the use of a registration code to activate a connector. You can enable the use of a generated registration code instead of a username and password for registration of a connector. This streamlines the registration process and provides security against potential attacks. See Install the CyberArk Identity Connector for more information. | 24.5 |
CyberArk Identity mobile app
Feature | Description |
---|---|
CyberArk Identity now supports a unified endpoint management (UEM) trust for managed mobile devices, which enhances the security of mobile applications on both Android and iOS devices using a supported third-party mobile device management (MDM) provider. | At this time, Microsoft Intune is supported for both Android and iOS devices. The mobile device trust enables admins to create authentication rules for native apps on managed mobile devices, such as requiring that devices are compliant or enrolled before they can open a protected application. For more information, see Configure access based on a third-party UEM trust. |
Core services
Feature | Description | Initial release version |
---|---|---|
Persistent sessions for SAML federated users | SAML federated users can opt for persistent sessions using the Keep me signed in option in the Identity User Portal and the Browser Extension. This feature aligns with the policy for non-federated users to remain signed in for a specified duration, configurable in the authentication policy settings. To configure Keep me signed in, see To display Keep me signed in on the sign in screen. Existing users will see the Keep me signed in option if the policy is enabled. | 24.4 |
Windows Cloud Agent
Feature | Description | Initial release version |
---|---|---|
Support for federated users and additional authentication options | The Windows Cloud Agent now supports a WebView component for the endpoint login UI, in addition to the native Windows Cloud Agent login UI. The WebView-based experience offers all of the benefits of the native Windows Cloud Agent experience, plus the following advantages: See CyberArk Identity Windows Cloud Agent for more information. | 24.2 |
SSO
Improvement | Description | Initial release |
---|---|---|
Single logout (SLO) now includes external IdPs | With this release, federated users who log out of a SAML or OIDC web application are seamlessly logged out from the external IdP. To configure SLO, see Configure Single Logout. | 23.11 |
Customer Identity
Feature | Description | Initial release version |
---|---|---|
Monthly Active Users report and alerts | The Monthly Active Users (MAU) report is a built-in report that shows the MAU quota purchased and the number of active users per month. It tracks users who have logged in or signed up to CyberArk Identity or an external app for the selected period. This report now indicates whether your purchased MAU plans are active or completed, and the number of remaining and consumed MAU reports for each plan. Administrators receive an email notification when the remaining MAUs drop below a configured percentage. The default is 30%. | 22.9 |
Authentication
Feature | Description | Initial release version |
---|---|---|
New self-service password reset endpoint | You can now reset your password from a designated endpoint. You can embed the password reset URL in your solution and add a Close button. These new options provide greater control and flexibility in environments where security and efficient script management are critical, while the Close button ensures that users can quickly and safely stop scripts that could impact system performance or security. Go to Core Services > Policies, select a policy, then go to User Security Policies > Self Service and select Yes in the Enable account self service controls drop-down menu. See Configure user self-service options for more information. | 24.9 |
The browser now closes after successful Duo Universal Prompt log in | With this release, the browser tab automatically closes when users successfully authenticate using Duo Universal Prompt. Previously, users had to close the browser tab and return to the main login page. | 24.3 |
Sign-in APIs now support multiple identifiers | CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number. If an email address or phone number is used in multiple user accounts, sign-in will fail. | 22.3 |
New single sign-on templates
New single sign-on (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.
See Recent SSO application templates for a list of recently added templates.
Component versions
The following table lists the latest component versions.
Component | Version |
---|---|
CyberArk Identity | 24.10.207 |
User Behavior Analytics | 24.10.200 |
Windows Cloud Agent | 24.5.212 |
Windows Device Trust | 23.5.208 |
Mac Cloud Agent | 24.5.212 |
Mac Device Trust | 23.8.219 |
Android CyberArk Identity mobile app | 24.10.100 |
iOS CyberArk Identity mobile app | 24.10.100 |
Windows CyberArk Authenticator | 23.5.208 |
Mac CyberArk Authenticator | 23.8.219 |
Browser Extension - Chrome | 24.10.1 |
Browser Extension - Edge Chromium | 24.10.1 |
Browser Extension - Firefox | 24.10.2 |
Connector | 24.10.209 |
Known issues
Single sign-on
Issue | Description |
---|---|
Single logout is not working for the Confluence and Aha apps. | Signing out of Confluence or Aha with single logout configured does not sign the user out of CyberArk Identity. There is currently no workaround. |
Mac Cloud Agent
Issue | Workaround |
---|---|
The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device. | |
The user may not be able to see the device location. | Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again. |
Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported. | Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user. |
The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart. You might receive a certificate error during munkiimport after tenant migration. | Workaround: Re-enroll the Mac. |
The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP. | None |
CyberArk Identity mobile app
Issue | Workaround |
---|---|
For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated. | Use only the Standard display mode. |
When enrolling the CyberArk Identity mobile app on an Android device using a Google account, the Play Store doesn't redirect as expected, and installation is not completed. | Use work-profile mode and turn off Enable third-party Android mobile management from the Google Administration console. Then the app installs from Play Store. |
System requirements
See System requirements and supported browsers for more information about browser and device support.