
What's New in Centrify Support

At Centrify, we believe it is essential for our customers to stay abreast of the latest developments, be they product- or company-related. Our ‘What’s New’ section provides you with complete details on recent product releases and announcements.

Centrify Announcements


December 6, 2021

What's New in Centrify Server Suite Release 2021.1

About Centrify Server Suite

Centrify Server Suite (formerly known as Zero Trust Privilege Service and Infrastructure Services) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Centrify Authentication Service - a "best-of-breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Centrify Privilege Elevation Service that centrally manages and enforces role-based entitlements for fine-grained control of privileged user access and privileges on UNIX, Linux, and Windows systems.
  • Centrify Audit & Monitoring Service that delivers auditing, logging, and real-time monitoring of privileged user activity on your Windows, UNIX, and Linux systems.

The net result for thousands of customers who have deployed Centrify Server Suite is increased security, as well as improved compliance and operational efficiencies. Release 2021.1 contains enhancements to security and functionality.

About Centrify Server Suite Release 2021.1

Release 2021.1 is an update to Release 2021. It contains functionality additions for recorded sessions, monitoring of components, support for additional AD account types, expanded platform support, and more!

What's New in Centrify Server Suite 2021.1
Centrify Authentication Service (formerly DirectControl)

Agent version 5.8.1

  • Support for Thycotic ID Bridging AD configuration. Thycotic’s AD Bridging solution uses its own algorithm for generating user IDs for AD users and provisioning access to Linux/Unix systems. With release 2021.1, the Centrify DirectControl agent can leverage that algorithm for customers who have already deployed the Thycotic AD Bridging solution in their environments.
  • Support for the gMSA account type. With Release 2021.1, customers can now provision identities and access to Unix and Linux systems with gMSA accounts.
  • macOS 12 (Monterey) support. Release 2021.1 is supported on macOS 12 (Monterey).
Centrify Audit and Monitoring Service (formerly DirectAudit)

Agent version 5.8.1

  • Ability to tag sessions. This allows customers to tag audited sessions with one or more keywords.
  • SCOM module for auditing. This provides a SCOM Management Pack to monitor DA components like Collector, Agents, etc. Customers often use Microsoft SCOM as a tool to monitor performance and availability of their infrastructure.
Centrify Reporting Services
  • Support for local users and groups. Reporting Services now supports reporting on local users and groups, including their role and rights assignments.
New Platform Support

Support is added for the following operating system platforms in this release:

  • Alpine Linux 3.13, 3.14 (x86_64)
  • CentOS 8.4 (x86_64, aarch64)
  • Debian 10.11, 11 (x86_64)
  • MacOS 11.5, 11.6, 12 (Intel)
  • MacOS 11.5, 11.6, 12 (M1)
  • Oracle Linux 8.4 (x86_64, aarch64)
  • Red Hat Enterprise Linux 8.4 (x86_64, aarch64)
  • Red Hat Fedora Linux 35 (x86_64)
  • Ubuntu Linux 21.10 (x86_64, PPC64EL)
  • Windows 11
  • Windows Server 2022

Note: The same DirectControl for Mac package will work with both Intel and Apple Silicon (M1) chips. Rosetta 2 is still required, because of some third-party components like nss-tools and QT-framework.

To see all platforms supported by Centrify Privileged Access Management within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is at the end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal credentials to access this page.)

Notice of Termination of Support

Support is removed for the following operating system platforms in this release:

  • AIX 7.1 TL1 and below
  • Fedora 33

This is the last release to support the following operating system platforms (Ref: 395898):

  • Red Hat Enterprise Linux Atomic Host

Unless specially announced, we follow the operating system vendors’ published End of Life schedules. To check whether your platform is end of life, please refer to Lifecycle Policy for Centrify Support of Operating Systems for details.

December 6, 2021

What's New in Centrify Privileged Access Management 21.8

New Features for Centrify Vault Suite

Prompt for justification on non-workflow based operations

With release 21.8 of Privileged Access Management, customers can now prompt for justification on non-workflow based operations, such as login or check-out. Before this release, only workflow requests would allow administrators to enter justification.

This can be set at the System-level (for all interactive login sessions on that system) or at the Account-level (for all login and check-out operations on that account). As usual, this setting is also available as a Policy setting that can be enabled for sets of Systems / sets of Accounts:

(Screenshots: System-Level, Account-Level, and Policy settings.)

New Features for Centrify Cloud Suite
Granular Privilege Elevation for Cloud Suite (GA)

Release 21.8 of Cloud Suite enables customers to define granular Privilege Elevation commands for users so that they can elevate privileges to run only the applications and commands that they're allowed to. For convenience, application and command privileges can be grouped into Sets, and the Sets applied globally to all systems, to Sets of systems, or individual systems.

More information on this feature can be found here:

https://docs.centrify.com/Content/Infrastructure/clients/privilege-elev-commands.htm

Linux Identity Management (GA)

This new feature will enable customers to do UID rationalization for Linux systems. Before release 21.8, PAS would assign random UIDs for users when they logged in to systems. With 21.7, customers can control which UIDs users should assume when logging in to Linux systems, as well as the home directory, username, GID, shell, etc. This is similar functionality that Server Suite provides for Active Directory accounts, but with the Cloud Platform, this can be applied to any backend directory that is being used.

October 14, 2021

What's New in Centrify Privileged Access Management 21.7

New Features for Centrify Vault Suite
Secret Server as a Vault to Platform

In Privileged Access Service (PAS) 21.7, a new feature is introduced that allows customers to integrate Secret Server vault instances with the Cloud Platform, through the PAS portal UI. This is the first step in integrating the Centrify and Thycotic product portfolios. With this integration, customers can seamlessly interact with Secret Server managed secrets from the PAS interface and enable additional functionality such as secure remote access leveraging the Platform Gateway Connector infrastructure and step-up multi-factor authentication (MFA) at login to the portal UI, checkout, and login session initiation.

The Accounts view will provide an additional column called "Vault," so that users know which accounts are managed in the linked Secret Server instances. From there, they can interact with the accounts the same way they do for regular PAS managed accounts:

For more information on this integration, please see here:

https://docs.centrify.com/Content/Infrastructure/resources-add/secret-server-configure.htm

https://docs.centrify.com/Content/Infrastructure/resources-add/secret-server-deploy-connectors.htm

https://docs.centrify.com/Content/Infrastructure/resources-add/secret-server-config-template-mappings.htm

New Features for Centrify Cloud Suite
Granular Privilege Elevation for Cloud Suite (Preview)

Release 21.7 of Cloud Suite enables customers to define granular Privilege Elevation commands for users so that they can elevate privileges to run only the applications and commands that they're allowed to. For convenience, application and command privileges can be grouped into Sets, and the Sets applied globally to all systems, to Sets of systems, or individual systems.

More information on this feature can be found here:

https://docs.centrify.com/Content/Infrastructure/clients/privilege-elev-commands.htm

Linux Identity Management (Preview)

This new feature will enable customers to do UID rationalization for Linux systems. Before release 21.7, PAS would assign random UIDs for users when they logged in to systems. With 21.7, customers can control which UIDs users should assume when logging in to Linux systems, as well as the home directory, username, GID, shell, etc. This is similar functionality that Server Suite provides for Active Directory accounts, but with the Cloud Platform, this can be applied to any backend directory that is being used.

September 13, 2021

What's New in Centrify Privileged Access Management 21.6

New Features for Centrify Vault Suite
MFA Redirection

Expanding on our MFA everywhere best practice, this new release supports MFA redirection for additional authentication factors, allowing users to perform MFA on behalf of another user. An example use case is for system administrators with multiple accounts – a main low-privilege account for routine tasks such as email and web surfing, and additional “dash-a” or “alternate admin” accounts used for privileged tasks. Second factors need only be configured on the main account but will be applied when using any alternate admin accounts and an MFA policy is triggered.

This feature is a huge step up in convenience and security, reducing 2nd-factor maintenance for admins. This capability also applies to apps using application accounts that require additional proof of legitimacy from a human, adding an extra layer of MFA assurance.

ServiceNow MID Server Plugin update

In addition, with this release, we continue to enhance our support for the popular enterprise platform, ServiceNow. Our MID Server integration now supports multiple credential types.

July 26, 2021

What's New in Centrify Privileged Access Management 21.5

New Features for Centrify Vault Suite
Force Password Check-In

With Vault Suite 21.5, users are able to force the check-in of a password that is currently checked out by another user.

This is useful when the user who originally checked out the password forgot to check it back in, making it inaccessible. This avoids having to wait until the checkout window expires or the user manually checks the password back in.

This is achieved by rotating the password on the checked-out account, which clears the check-out flag and makes the account available for check-out again.

Improved Report Sharing and Management

With this update, the reports feature no longer uses a folder structure to contain individual reports. This brings consistency with the way all other objects are displayed and handled.

  • Flat list of objects (reports)
  • Built-in or custom
  • Sets of reports
  • Permissions on reports and report sets for sharing
New Features for the Centrify Cloud Suite
CLI Commands Without Admin Rights

This new feature allows users to run CClient CLI commands such as cgetaccount and csetaccount without having to log in as "root".

Before this version, Centrify CLI commands required root privileges to run as they would communicate with the platform using the machine credential. With 21.5, it is now possible to run CLI commands in a regular user context – which will prompt the user for credentials that will be used to authenticate against the Platform.

July 7, 2021

What's New in Centrify Server Suite Release 2021

ABOUT CENTRIFY SERVER SUITE

Centrify Server Suite (formerly known as Zero Trust Privilege Service and Infrastructure Services) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Centrify Authentication Service - a "best-of-breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Centrify Privilege Elevation Service that centrally manages and enforces role-based entitlements for fine-grained control of privileged user access and privileges on UNIX, Linux, and Windows systems.
  • Centrify Audit & Monitoring Service that delivers auditing, logging, and real-time monitoring of privileged user activity on your Windows, UNIX, and Linux systems.

The net result for thousands of customers who have deployed Centrify Server Suite is increased security, as well as improved compliance and operational efficiencies. Release 2021 contains enhancements to security and functionality.

ABOUT CENTRIFY SERVER SUITE RELEASE 2021

Release 2021 is the first update for the calendar year 2021. It contains functionality additions for Just-In-Time / Just-Enough Privilege capabilities as well as smart card authentication, better user login experience, expanded platform support, and more!

WHAT'S NEW IN THE CENTRIFY AUTHENTICATION AND CENTRIFY PRIVILEGE ELEVATION SERVICE FOR UNIX AND LINUX
Centrify Authentication Service (formerly DirectControl) Agent

Agent version is 5.8.0

  • Back channel and DirectAuthorize override. Adclient now allows temporary privilege elevation without waiting for Active Directory policy propagation. Leveraging the Centrify Platform, adclient overcomes Active Directory replication delays that can prevent Just-In-Time scenarios from working properly.
  • Smart card authentication on Ubuntu servers. Smart cards are now supported for Active Directory user authentication on Ubuntu workstations.
Centrify Authentication Service and Utilities Compatibility Notes

Except for Solaris (see below), this release of Centrify DirectControl Agent for *NIX will work with the following:

  • The latest releases of Centrify for DB2 and Centrify for Samba.
  • Centrify DirectAudit Agent release 2017 or later, except:
    • On AIX platforms, DirectAudit Agent must be release 2020.1 or later.
    • On Linux PowerPC platforms, DirectAudit Agent must be release 2017.3 or later.
  • Centrify OpenSSH release 19.6.

On Solaris, you must upgrade all packages to release 2020. This release of Centrify DirectControl Agent for *NIX will not work with old versions of the adbindproxy package, DirectAudit Agent, Centrify OpenSSH, etc., since the location of 64-bit executables has changed (e.g. 'bin/amd64' for x86, and 'bin/sparcv9' for sparc).

Note: Since Centrify Deployment Manager is discontinued after Release 18.11, Deployment Manager cannot deploy this release of Centrify DirectControl Agent for *NIX.

Centrify Access Manager Console
  • Added an option to not set the security descriptor when creating a computer object or zone object.
  • Added a registry value "UseMemberNisNetGroup" (Registry key: HKLM\SOFTWARE\Centrify\CIMS\Rfc2307NisMap; Type: DWORD) to save sub-NIS-net-groups in the attribute "memberNisNetgroup" if the registry value is greater than 0. By default, this registry value is 0 or empty, which means to save the sub-NIS-net-groups in the attribute "nisNetgroupTriple".
  • Added a registry value "AllowedTrusts" (Registry key: HKLM\SOFTWARE\Centrify\CIMS; Type: REG_MULTI_SZ) to manage which foreign trusts are allowed. By default, this registry value is empty.
Centrify Access Module for PowerShell
  • Added the support for managing delegation scope by introducing a new parameter "AdComputerScope" of Set-CdmDelegation to control delegation scope when users are granted permission to join computers to the specified zone.
Centrify OpenSSH
  • Added a new ssh_config option "ScpBlockUnsafeSpec" to specify whether scp commands containing unsafe symbols are denied. The default is "no", meaning such commands are not denied. Setting this option to "yes" mitigates the issue described in CVE-2020-15778.
  • Added SELinux support on SLES with the "minimum" and "targeted" policies.
Centrify Smart Card
  • Added support for smart card login on Debian 9 (x86_64) or later and Ubuntu 18.04 LTS (x86_64) or later.
Centrify Licensing Service
  • Enhanced the section 'DirectControl Workstation – ALL (summary)' in the Deployment Report to include the count of zoneless systems.
  • Changed the word 'Unmanaged' in the Deployment Report to 'Zoneless' to better describe the category.
Centrify Zone Provisioning Agent
  • Added support to specify which Domain Controller to use for connection when accessing the zones, users, and groups in the domain.
  • Added a registry value "AllowedDomains" (Registry key: HKLM\SOFTWARE\Centrify ZPA; Type: REG_MULTI_SZ) to manage which domains/foreign trusts are allowed. By default, this registry value is empty.
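The following PowerShell is an added example, not a Centrify tool: it sets the three registry values named above for the Access Manager Console ("AllowedTrusts", "UseMemberNisNetGroup") and the Zone Provisioning Agent ("AllowedDomains") with the types the release notes specify, and reads each one back so that a wrong value kind is caught. The domain names are constructed placeholders.

```powershell
# Added example (not Centrify's own tooling): configures the registry values named in the
# release notes and verifies them. Run from an elevated PowerShell session on the host where
# the Access Manager Console / Zone Provisioning Agent is installed.
$ErrorActionPreference = 'Stop'

function Set-RegistryValueChecked {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryValueKind] $Kind
    )
    # Create the key if it does not exist yet.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Kind -Force | Out-Null

    # Read back and compare the stored kind so that, e.g., a REG_SZ written where
    # REG_MULTI_SZ is required is reported instead of being silently ignored by the product.
    $key = Get-Item -LiteralPath $Path
    $actualKind = $key.GetValueKind($Name)
    if ($actualKind -ne $Kind) {
        throw "Value '$Name' under '$Path' has kind $actualKind, expected $Kind"
    }
    [pscustomobject]@{ Path = $Path; Name = $Name; Kind = $actualKind; Value = $key.GetValue($Name) }
}

# Constructed placeholder trust/domain names; replace with the trusts your deployment allows.
$allowedTrusts = @('partner.example.com', 'subsidiary.example.net')

# Access Manager Console: restrict which foreign trusts are allowed (REG_MULTI_SZ; empty = default).
Set-RegistryValueChecked -Path 'HKLM:\SOFTWARE\Centrify\CIMS' -Name 'AllowedTrusts' `
    -Value $allowedTrusts -Kind ([Microsoft.Win32.RegistryValueKind]::MultiString)

# Access Manager Console: store sub-NIS-net-groups in "memberNisNetgroup" (DWORD > 0)
# instead of the default "nisNetgroupTriple" (0 or empty).
Set-RegistryValueChecked -Path 'HKLM:\SOFTWARE\Centrify\CIMS\Rfc2307NisMap' -Name 'UseMemberNisNetGroup' `
    -Value 1 -Kind ([Microsoft.Win32.RegistryValueKind]::DWord)

# Zone Provisioning Agent: restrict which domains/foreign trusts are allowed (REG_MULTI_SZ; empty = default).
Set-RegistryValueChecked -Path 'HKLM:\SOFTWARE\Centrify ZPA' -Name 'AllowedDomains' `
    -Value $allowedTrusts -Kind ([Microsoft.Win32.RegistryValueKind]::MultiString)
```

Each call returns the value as stored, so the output doubles as a record of the change for the change ticket.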

For additional and more detailed information about the Centrify Zone Provisioning Agent, command-line utility enhancements, tooling improvements, and parameters, please refer to the Centrify Authentication Service release notes document.

WHAT'S NEW IN CENTRIFY PRIVILEGE ELEVATION SERVICE FOR WINDOWS

Agent version is 5.8.0

  • .NET Framework version requirement. Starting with Centrify Server Suite Release 2021, the minimum version of .NET framework required for the Centrify Agent for Windows is .NET 4.8.
  • Preventing double-prompting when using RADIUS. The Identity Services Platform service feature of the Centrify Agent for Windows now allows administrators to configure the credential provider in such a way that it can silently send the user’s password or a fixed string as the first response to the authentication workflow. This feature prevents double-prompting for the user password when a third-party RADIUS server is being used as an authentication provider.
  • TLS 1.2 used by default. The "Audit Extension for Centrify Client" now uses TLS 1.2 by default to communicate with a DirectAudit Collector that is enrolled with the Centrify Platform. A registry setting has also been provided to fall back to the older protocols such as SSL in case TLS 1.2 has not been enabled on the target audited system.
  • Enhanced caudit capabilities. The caudit utility facilitated by the "Audit Extension for Centrify Client" has been enhanced to show detailed messages and corrective actions when the auditing is not enabled or configured correctly.
  • Windows Service username checks. The Centrify Agent for Windows installer now warns the user if it detects that one or more services on the local system have been configured to use a UPN formatted service account as those services may fail to start after the Centrify Agent for Windows is installed and configured.
  • CLI for "Run as Alternate". The "Run as alternate" account functionality provided by the Centrify Agent for Windows now provides a CLI (Command Line Interface) option. Previously, this functionality was only available in the form of a Windows Shell Extension.
  • GPO MFA grace period for RDP. Customers can now control the grace period for both console and RDP sessions. The MFA grace period applies a pass-through duration for the multi-factor authentication (MFA) policy for Linux, UNIX, and Windows Servers.

For additional and more detailed information about the Privilege Elevation Service for Windows, please refer to the Agent Release Notes document.

WHAT'S NEW IN THE CENTRIFY AUDIT & MONITORING SERVICE (formerly DirectAudit)

Agent version is 5.8.0

  • .NET Framework version requirement. Starting with Centrify Server Suite Release 2021, the minimum version of the .NET framework required for the Centrify Agent for Windows is .NET 4.8.
  • Audit Data Masking Capabilities for Unix. Provides more secure handling of audited data. This avoids the risk of exposing potentially sensitive or highly restricted data when audit sessions are shared with managers and their delegates.
  • Customization for DA Prompts. On DirectAudit, customers can now customize messages they want the users to see - this allows you to customize the prompt for different languages.
  • CPU Utilization on Windows 10. This release improves CPU utilization performance on Windows 10 and Windows Server 2019, with DirectAudit Agent running on the machines.
  • Audit status reported to AD. DirectAudit status is now reported to AD. Customers can tell which machines have auditing enabled by checking an attribute in AD.
Compatibility
  • With the Centrify Agent for Windows version 19.6 and later, the Audit and Monitoring Service uses a different compression library to compress the video data being sent from the agent to the collector. As a result, this agent and all future versions of agents are NOT compatible with audit collector versions 18.11 or earlier. IMPORTANT: You will lose video data if you deploy the newer agents in an environment with 18.11 or older collectors. Audit trail events and indexed events lists are not affected in this situation.
  • The minimum Centrify DirectControl Agent for *NIX version required by this version of the service is 5.4.0 (Release 2017) with the following exceptions:
    • On AIX platforms, Centrify DirectControl Agent must be Release 2020.1 or later.
    • On Linux PowerPC platforms, Centrify DirectControl Agent must be Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, Centrify DirectControl Agent must be Release 2020 or later because the location of the 64-bit executables has changed (e.g. ‘bin/amd64’ for x86 and ‘bin/sparcv9’ for SPARC).
Centrify DirectAudit Agent for *NIX
  • Centrify DirectAudit now supports SELinux on SuSE with the “minimum” and “targeted” policies.
  • Centrify DirectAudit Agent for *NIX now supports obfuscation of STDIN data. This feature allows administrators to define patterns of sensitive information in the form of regular expressions so that any audited information matching those patterns would not be saved and displayed in plain text format during session replays.
  • The DirectAudit Agent for *NIX now uses TLS 1.2 by default to communicate with a DirectAudit Collector that is enrolled with the Centrify Cloud Platform.
  • The DirectAudit Agent for *NIX now allows administrators to customize user-visible messages (such as the message displayed when the disk space is low or when the DA daemon unexpectedly stops) by creating a message file and configuring the DirectAudit to use that message file.
  • The DirectAudit Agent for *NIX now provides a way to automatically add local users with the “files” registry attribute to the user ignore list on AIX platform.
Centrify Agent for Windows
  • The "Audit Extension for Centrify Client" now uses TLS 1.2 by default to communicate with a DirectAudit Collector that is enrolled with the Centrify Platform. A registry setting has also been provided to fall back to the older protocols such as SSL in case TLS 1.2 has not been enabled on the target audited system.
  • The caudit utility facilitated by the "Audit Extension for Centrify Client" has been enhanced to show detailed messages and corrective actions when the auditing is not enabled or configured correctly.

For additional and more detailed information about the Centrify Audit & Monitoring Service, please review the Centrify Audit & Monitoring Service release notes.

NEW PLATFORM SUPPORT

Support is added for the following operating system platforms in this release:

  • Amazon Linux 2 LTS (aarch64)
  • CentOS 8.3 (x86_64, aarch64)
  • Debian 10.7, 10.8, 10.9 (x86_64)
  • MacOS 11.2, 11.3, 11.4 (Intel)
  • MacOS 11.0, 11.1, 11.2, 11.3, 11.4 (M1)
  • Red Hat Enterprise Linux 8.0 (S390)
  • Red Hat Fedora Linux 33, 34 (x86_64)
  • SUSE Enterprise Linux 12 SP3 or above (aarch64)
  • Ubuntu Linux 18.04 or above (aarch64)
  • Ubuntu Linux 21.04 (x86_64, PPC64EL)

Note: The same DirectControl for Mac package will work with both Intel and Apple Silicon (M1) chips. Rosetta 2 is still required, because of some third-party components like nss-tools and QT-framework.

To see all platforms supported by Centrify Privileged Access Management within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is at the end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal credentials to access this page.)

NOTICE OF TERMINATION OF SUPPORT

Support is removed for the following operating system platforms in this release:

  • Amazon Linux AMI (2018.03)
  • CoreOS
  • MacOS 10.14
  • Red Hat Enterprise Linux 5.x
  • Red Hat Fedora Linux 32
  • Ubuntu 16.04 LTS, 20.10
  • SUSE Enterprise Linux 11 and all its Service Packs
  • SUSE Enterprise Linux 12 SP2 or below

Unless specially announced, we follow the operating system vendors’ published End of Life schedules. To check whether your platform is end of life, please refer to Lifecycle Policy for Centrify Support of Operating Systems for details.

June 8, 2021

What's New in Centrify Vault Suite and Centrify Cloud Suite 21.4

NEW FEATURES FOR THE CENTRIFY VAULT SUITE:
Granular Admin Rights

With Vault Suite 21.4, Centrify is introducing more granular Administrative Rights that you can assign to Roles. The new rights are: Add Cloud Providers, Add Domains, and Add Secrets. These new rights allow administrators to grant more specific permissions to groups of users.

Additionally, with the PAS Admin User right also assigned, the "Domains" and "Cloud Providers" tabs will now be visible to that user.

Note: in this release, the "Add Secrets" right is only available upon request via an explicit entitlement. If you would like to test this out, please contact Centrify Support to have it enabled for your tenant. For tenants with the "Add Secrets" right enabled, "Privilege Service Users" and "Privilege Service Power Users" will only be able to add new Secrets if they also have the "Add Service" right granted.

Custom Attributes for Systems and Accounts Objects

This new feature extends a capability that was previously only available for the "Users" object. You can now add custom attributes to the "Systems" and "Accounts" objects.

This new feature gives you more flexible customized reporting. For example, your report query can search for and report on all systems with a custom attribute "pci_systems" set to the value "yes."

Your custom attributes can also be queried and modified via API calls to the Centrify Platform. Thus, for example, external applications or scripts whose logic depends on a specific "System" or "Account" custom attribute value can call a Centrify API to obtain it.

Note: spaces in attribute names are not supported. Replace spaces with underscores.

Mandatory MFA Setup

Before this release, it was at the users' discretion whether or when to configure MFA second factors in Centrify Vault Suite. Thus, should an MFA policy trigger for a user with no second factors configured, the user would be explicitly denied access. Especially in time-critical situations where the user needs to (for example) check out a vaulted account password or initiate a remote login session to a server, this results in a delay until the user can rectify the situation.

New in this release is the ability to force users to configure MFA second factors. Via policy, you can select which authentication methods are mandatory - to be immediately configured when a user signs in before they are allowed to proceed further. Since these policies can target users based on Sets, you can build policies around sets tailored to different types of users, solving complex cases where all users may not have access to the same authentication mechanisms.

The diagram below is an example of enabling this feature for OATH OTP and Security Questions.

Users subject to this policy will see the following screen at their first login to the Centrify Vault Suite, forcing them to configure required authentication mechanisms and allowing them to configure more if they want to.

Once the mandatory second factors are configured, the user can continue to the Vault Suite landing page. Also, you can configure non-mandatory second factors during this process, or the user is free to do this at any time via their Profile settings.

Custom SAML Claim Mapping for IDP Federation

Centrify Identity Provider (IDP) Federation profiles now support custom SAML Claim mapping, allowing for larger dynamic group management by using single or multi-valued strings from SAML Claims coming from the IDP.

In the Custom Mappings screen during Partner Management configuration, you can now identify single or multi-valued SAML Claim attribute names and associate a federated Group Name for each expected value.

In the example below, our goal is to dynamically add federated users into appropriate Centrify Groups based on which department they belong to. Thus, we can query the multi-valued SAML Claim attribute "Department" and, based on its value, dynamically add the user to the appropriate Centrify Group "Sales," "Engineering," or "Marketing." According to the configured mappings, users with more than one Attribute Name match in their SAML token will be automatically added to the appropriate Centrify Groups.

This new feature can be used in addition to the existing "Group Mappings" feature, which is looking for a multi-valued attribute named Group.

AWS EC2 Instance Continuous Discovery and Automated Management (GA)

For cloud migration projects, organizations are moving their in-house applications to the Cloud. For many, the path of least resistance is to lift and shift their VMs and apps into their preferred cloud platform. Whether on-premises or in the cloud, administrators will still need to log in for troubleshooting and maintenance. When on-premises, this is trivial; admins can easily log in with their on-premises enterprise identity (e.g., AD or LDAP credentials). In the cloud, however, there's no immediate direct line-of-sight to the on-premises domain controllers without implementing a site-to-site VPN or replicating your directory infrastructure in the cloud. A typical shortcut is to provide the admins with SSH Keys and local accounts to log in to the Linux VMs and the local administrator account password for Windows VMs. Team members working on the same Linux VM will typically share a single privileged local account.

All this introduces complexity, risk, and operational overhead. There's no accountability when using shared privileged accounts. If compromised, they give the threat actor the keys to the kingdom, so they increase your attack surface and risk. When there is a personnel change in the team, the rotation of SSH keys and the local administrator account password on all the VMs running in the cloud is operationally intensive. The more VMs, the more work involved. Such efforts are often ignored, resulting in back-doors and potential vectors of attack.

Centrify's Cloud Provider capability, introduced in the 20.6 release, helps address these issues. Adding to the management of AWS root/billing accounts and vaulting of AWS IAM users and their associated Access Keys, this release adds:

  • Discovery now supports a new type for "AWS EC2 Instances" alongside the existing "Active Directory" and "Port Scan" discovery types.
  • Continuous Discovery supports the automatic removal of terminated instances and the addition of new instances to the Centrify Platform.
  • Additional "Actions" for discovered EC2 instances that support automatic:
    • Downloading and installing a Centrify Client (Windows and Linux).
    • Enrolling the system into the Centrify Platform.
    • Downloading and configuring the "Use My Account" certificate to enable single-click log in from the vault UI.
    • Configuring local sudoers policies to grant users elevated privileges on the system.
  • The ability to automatically deploy a Centrify Gateway Connector on an AWS EC2 Windows instance for a specific VPC and subnet.
Federated User Support for Native SSH/RDP Through the Centrify Gateway Connector

Before this release, RDP and SSH connections via the Centrify Gateway Connector did not support federated users. In this release, federated users can now launch RDP and SSH connections through the Centrify Gateway Connector.

Oracle Database Support

This release adds two new Oracle database capabilities:

  • Encrypted connections from the Centrify Gateway Connector to Oracle databases
    • The Centrify Gateway Connector can now detect the encryption settings in the target Oracle database and use the settings defined.
    • Note: This has been accomplished by updating the ODP.NET libraries on the Centrify Gateway Connector. You will need to update your ODP.NET libraries on the Centrify Gateway Connector host machine. Please refer to this Centrify Knowledge Base article for more details: KB-51964.
  • Vaulting Oracle 18c and 19c database accounts
    • Before this release, Centrify Vault Suite only supported vaulting Oracle 11g and 12c accounts. With the update to ODP.NET libraries mentioned above, this release now supports 18c and 19c databases.
Mobile Application User Interface Updates, Including Privilege Elevation Workflow Support

The Centrify Mobile Application user interface has been updated to improve usability, navigation, and features.

These improvements include:

  • For emergency break-glass situations, fast access to resources via search (including searching Sets and recently searched items)
  • Access to system details and offline rescue passcode
  • A separate Alternate Administration (AA) accounts section in the domain drill down
  • Modernized user interface:
    • Improved main navigation tabs at the bottom of the screen
    • Dark Mode
    • An updated mobile authenticator that's closely associated with the passcodes feature
    • A simplified Settings list
    • An extensible structure not confined to a single tab list

Also, the Centrify Mobile Application can now receive privilege elevation request notifications from the Centrify Client, making it easier for approvers to quickly review and allow or reject those requests directly from their mobile device without the need to log in to the Centrify Vault Suite portal.

NEW FEATURES FOR THE CENTRIFY CLOUD SUITE:
Alpine Linux Support

The Centrify Client is now supported on Alpine Linux, the Linux distribution based on musl and BusyBox and designed for security, simplicity, and resource efficiency.

Authentication Priority Order for Domain-Joined Windows Servers

You can now configure the Centrify Client on Windows to support federated directory login even if the Windows server is also domain-joined. This allows users to log in with (for example) their Azure AD or Okta Directory federated account as the primary authentication method.

Centrify administrators will be able to configure a list of domain suffixes that the Centrify Client will use to determine whether or not to send an authentication request to the Centrify Vault Suite. If a domain suffix is not on this list, Centrify Vault Suite will not attempt authentication. Instead, the request is passed to Active Directory.

Auto-Update for the Centrify Client

With this new feature, instead of manually downloading and installing Centrify Client updates on enrolled systems, you can now configure the Centrify Client to auto-update to ensure it is always at the latest version.

Auto-update is configured by policy on a per-system basis or for a set of systems.

Centrify Client will auto-update according to the following conditions:

  • If the Centrify Client is on a Long-Term Support (LTS) version, the Centrify Client will update to the latest LTS client (with any bug/vulnerability fixes)
  • If the Centrify Client is on a non-LTS version, then the Centrify Client will update to the most recent version of the software

The Centrify Client auto-update process will leverage the Centrify Platform job system. Upon completing an update, the job system will email an update report summarizing success or failure with other relevant details.

As part of auto-update, the Centrify Client system activities will be updated.

NEW FEATURES
  • In this release new support is added to the Privileged Access Service (PAS) for discovery and inventory of cloud virtual machines (VMs) running on AWS EC2 instances. As VMs are added and deleted, the inventory in PAS is updated accordingly. In addition, AD user credentials can be used to log on to the VMs running on AWS EC2 using native client applications, such as PuTTY, Secure CRT, RoyalTS, etc. (CC-77123).
  • More granular administration rights – support is now provided for additional administrative rights to govern the ability to add resource objects for systems, databases and SSH keys, domains, Web and desktop apps (CC-77227, CC-76992)
  • In cases where only one MFA option is supported by an organization, it is vital that users set their MFA factor on first login or subsequent login attempts will not be possible. With this release you can now make setting up of MFA factors mandatory, ensuring that users will always have a valid MFA factor on login (CC-76607).
  • It is now possible to customize the translation of custom or previously unsupported SAML claims to user attributes that are supported by the cloud platform (CC-76488).
  • You can now define custom attributes for computer systems and accounts. Attributes are created as key / value pairs where the value can be any type – check box, alphanumeric, numeric, etc. (CC-77797).
  • Centrify clients for UNIX and Windows now support auto-upgrade so that clients can be kept up to date with the latest version without having to deploy manually. Long Term Support (LTS) versions are updated to the latest LTS clients; non-LTS versions are updated to the most recent version (CC-78364).
  • The user interfaces for both the Centrify mobile app for Android and the mobile app for iOS have been updated to provide support for dark mode, a simplified settings list, a revised mobile authenticator that’s closely associated with the passcodes feature, access to system details and an offline rescue password, support for privilege elevation workflow, and fast access to resources via search (CC-75978).
  • The graphical evaluation installer for Hyper-scalable Privilege Access Service (HSPAS) can now optionally install a containerized Redis service as part of the single node install (CC-77894).
  • A new Centrify Client is provided for Alpine Linux 3.14.x (CC-76943).
CHANGES

The following list records issues resolved in this release and behavior changes.

  • SCRAM-SHA-256 must now be used for password authentication instead of md5 with PostgreSQL on HSPAS. The method to upgrade an existing PostgreSQL installation is documented here: https://www.postgresql.org/docs/11/auth-password.html (CC-77843).
  • Starting with this release there is no support for Android 4.4 in the Centrify Android app. Users with Android 4.4 devices may continue to use the release 21.3 Android app, however functionality introduced after 21.3 may not work as expected (CC-77738).
  • A new connector registry setting has been added to allow choice of audit data compression mode. Choices are Default, Uncompressed or QuickLZ150 to best match the environment (CC-78219).
  • Resolved an issue whereby in some situations discovery jobs were running twice (CC-78187).
  • Federated users can now log in to a Unix or Windows machine using native SSH/RDP support (CC-73794).
  • It is now possible to customize UNIX / Linux script timeout values on a per system basis. Previously it was only possible to set the timeout value for all systems (CC-78220).
  • System discovery now works when the time zone is set to Singapore (CC-78174).
  • Resolved an issue with port scan discovery whereby it would fail to add servers when using "Import systems detected without known credentials" (CC-78276).
  • -RedisTrustServerSSL is now supported in the Centrify-Pas-ModifyInstallation.ps1 script in HSPAS (CC-78175).
  • Resolved an issue whereby cagent would fail to start after a reboot on Linux machines (CC-78132).
  • It is now possible to store multiple key-value pairs in a single KeyValue-type secret. All the key-value pairs are accessed / managed as a single object so, for example, permissions are set on the individual parent secret, not on individual key-value pairs and individual key-value pairs will not be found through search (CC-78133).
  • WebRDP connections no longer drop after 5 – 7 minutes with Chrome 88 and above (CC-77620).
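Added example, not Centrify's own upgrade procedure: the checks a DBA would run when moving the HSPAS PostgreSQL instance from md5 to SCRAM-SHA-256 as the change above requires. The role name `hspas_app` and the password value are placeholders; the rest is standard PostgreSQL 11 administration.

```sql
-- Added example (not Centrify's procedure): verifying and completing the
-- md5 -> SCRAM-SHA-256 password migration on the HSPAS PostgreSQL instance.
-- Assumptions: executed with psql as a superuser; "hspas_app" is a placeholder
-- for whichever login role(s) the HSPAS installation actually uses.

-- 1. Check how NEW passwords will be hashed. In PostgreSQL 11 the default is
--    still md5, so this must be changed before any password is reset,
--    otherwise the reset only produces another md5 verifier.
SHOW password_encryption;
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- 2. Inventory which login roles still carry an md5 verifier. The prefix of
--    the stored verifier identifies the scheme: 'md5...' versus
--    'SCRAM-SHA-256$...'.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword IS NULL                THEN 'no password'
         ELSE 'other'
       END AS scheme
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- 3. An md5 verifier cannot be converted in place; the password has to be set
--    again so the server stores a SCRAM verifier. Placeholder value below.
ALTER ROLE hspas_app PASSWORD 'replace-with-the-real-password';

-- 4. Re-run the query from step 2. Only when every login role reports
--    'scram-sha-256' should the pg_hba.conf method be tightened from "md5"
--    to "scram-sha-256": the "md5" method still accepts SCRAM-stored
--    passwords, but "scram-sha-256" rejects any role still holding an md5
--    verifier, which would lock that role out.
```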
Supported Platforms

Centrify Connector

  • Windows Server 2012 R2, Server 2016, Server 2019

Self-hosted Centrify Privileged Access Service

  • Windows Server 2012 R2, Server 2016, Server 2019

Hyper-scalable Centrify Privileged Access Service

  • Windows Server 2016, Server 2019

Centrify Clients for Linux

Client for Red Hat 6

  • Red Hat Enterprise Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1
  • CentOS 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 8.0, 8.1, 8.2, 8.3
  • Fedora 30, 31, 32
  • Oracle Linux 6.9, 6.10, 7.5, 7.6, 7.7, 7.8, 7.9
  • Amazon Linux AMI 2017.09, 2018.03
  • Amazon Linux 2 2017.09, 2018.03

Client for Red Hat 7 (ARM architecture)

  • 7.5, 7.6, 7.7, 7.8, 7.9, 8.0, 8.1

Client for SUSE 12

  • SUSE 12, 15

Client for Debian 9

  • Debian 9
  • Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS

Client for Alpine Linux 3

  • Alpine Linux 3.14.x

Centrify Client for Microsoft Windows

  • Windows Server 2012 R2, Server 2016, Server 2019

Windows PAS Remote Access Kit

  • Windows 10, Server 2012 R2, Server 2016, Server 2019

Centrify app for Android

  • Android 5 (API level 21) and later

Centrify app for iOS

  • iOS 12 and above

(Tested systems and devices for Privileged Access Service are listed in the documentation)

May 3, 2021

What's New in Centrify Vault Suite and Centrify Cloud Suite 21.3

NEW FEATURES FOR THE CENTRIFY VAULT SUITE:
Centrify Provider for Terraform

This is a Terraform Provider allowing management of a Centrify tenant and its objects using Terraform. This Provider is available as a binary to be used with Terraform CLI and registry.terraform.io for use from Terraform Cloud.

Source code, docs, examples, scripts, and binaries are available on Centrify's GitHub account: https://github.com/centrify/terraform-provider-centrify

Adding Support for Different BaseDNs for Users and Groups Using LDAP Directory Services

Centrify LDAP directory services integration now supports configuring a separate BaseDN for groups. For customers who store groups in a different location than users, this enables them to specify both a BaseDN and a GroupDN to begin LDAP lookups.

Multiple Domain Administrative Accounts for the Same Domain

In this release, customers can configure a unique domain administrative account for specific account Sets allowing multiple domain administrative accounts for accounts in the same domain.

In a Policy Set, under Resources / Accounts, the Domain Administrative Account can be set.

A Policy Set can be assigned to a Set that contains a subset of domain accounts.

Update and Include AWS CLI for PowerShell and Python in Centrify Vault Suite

Customers can already achieve SAML-based federated single sign-on to the AWS Management Console via a Centrify Web App in the Vault Suite portal. Now, this capability is extended to users of the AWS CLI.

From the Trust properties page of the AWS Console Web App (or the Vault Suite Downloads page in the Tools section), you can download updated Python and PowerShell CLI utilities to access AWS services in this manner.

These updated scripts also support on-premises Centrify tenants and add more verbose output for clarity.

Sample scripts are provided for PowerShell and Python.

NEW FEATURES FOR THE CENTRIFY CLOUD SUITE:
Privilege Elevation for CClient - Phase I (GA)

This is the first phase of privilege elevation support for the Centrify CClient. This phase will provide all-or-nothing elevation to root for Linux systems and local Administrator for Windows systems. From the Centrify Vault Suite Portal, customers can now centrally configure, enable, or disable privilege elevation for Active Directory, Centrify Directory, Google Cloud Directory, or federated users. In this phase, you can also enable multi-factor authentication (MFA) at elevation for extra protection and validation of a user's identity. Note that this was included in release 21.1 as a preview.

Csetaccount Support for Adding to Account Sets (Windows, Linux)

A new command-line parameter for "csetaccount" allows customers to specify a destination Set that the new account will be added to. By specifying a destination Set on the command line, the account will automatically inherit the access and permissions configured for that Set. This is especially beneficial in DevOps automation scenarios to avoid making additional CLI or API calls to configure such entitlements.

March 22, 2021

What's New in Centrify Vault Suite and Centrify Cloud Suite 21.2

New Features for the Centrify Vault Suite:
AWS EC2 Instances Continuous Discovery and Automated Management (Preview)

For cloud migration projects, organizations are moving their in-house applications to the Cloud. For many, the path of least resistance is to simply lift-and-shift their VMs and apps into their preferred cloud platform. Whether on-premises or in the cloud, administrators will still need to log in for troubleshooting and maintenance. When on-premises, this is trivial; admins can easily log in with their on-premises enterprise identity (e.g. AD or LDAP credentials). In the cloud, however, there's no immediate direct line-of-sight to the on-premises domain controllers without implementing a site-to-site VPN or replicating your directory infrastructure in the cloud. A typical shortcut is to provide the admins with SSH Keys and local accounts to log in to the Linux VMs and the local administrator account password for Windows VMs. Team members working on the same Linux VM will typically share a single privileged local account.

All this introduces complexity, risk, and operational overhead. There's no accountability when using shared privileged accounts. If compromised, they give the threat actor the keys to the kingdom, so they increase your attack surface and risk. When there is a personnel change in the team, the rotation of SSH keys and the local administrator account password on all the VMs running in the cloud is operationally intensive. The more VMs, the more work involved. Such efforts are often ignored, resulting in back-doors and potential vectors of attack.

Centrify's Cloud Provider capability, introduced in the 20.6 release, helps address these issues. Adding to the management of AWS root/billing accounts and vaulting of AWS IAM users and their associated Access Keys, this release adds:

  • Discovery now supports a new type for "AWS EC2 Instances" alongside the existing "Active Directory" and "Port Scan" discovery types.
  • Additional "Actions" for discovered EC2 instances that support automatic:
    • Downloading and installing a Centrify Client (Windows and Linux).
    • Enrolling the system into the Centrify Platform.
    • Downloading and configuring the "Use My Account" certificate to enable single-click log in from the vault UI.
    • Configuring local sudoers policies to grant users elevated privileges on the system.
  • The ability to automatically deploy a Centrify Gateway Connector on an AWS EC2 Windows instance for a specific VPC and subnet.
  • Continuous Discovery supports automatic removal of terminated instances and the addition of new instances to the Centrify Platform.

Note that AWS EC2 instances discovery and management is a preview release. If you would like to explore this feature, please contact your Centrify representative to have it enabled for your tenant.

Centrify Privileged Access Request (PAR) App for ServiceNow now supports Orlando, Paris, and Quebec Releases

Centrify Privileged Access Request provides customers with just-in-time access. When an administrator needs additional Centrify roles to check out a vaulted account password, log in to a system, or elevate privilege on a system, she can request such access without leaving the ServiceNow Service Catalog, leveraging its native workflow. Custom integration between Centrify and ServiceNow fulfills an approved request, provisioning the required role(s) for a limited time. The administrator can then use Centrify Vault Suite to check out the password or remotely log in to the resource. This capability improves operational efficiency and reduces risk by promoting a zero standing privileges posture.

Key features include:

  • Requesting access to IT infrastructure from the ServiceNow Service Catalog.
  • Requesting a Centrify Zone role.
  • Securing remote access to infrastructure without requiring a VPN.
  • Time-bound and monitored access to privileged accounts.
  • Detailed monitoring and reporting of privileged accounts.

Benefits include:

  • Reducing risk with time-bound access to critical resources.
  • Delivering a modern service experience for controlling privileged access.
  • Controlling privileged access to critical assets.
  • Leveraging ServiceNow's strong workflow capabilities.
  • Ensuring policy compliance.
  • Reducing IT service requests by leveraging ServiceNow.
  • Simple request processing for gaining privileged access to critical resources.
  • No need to store or remember shared account credentials.
Centrify App and Add-On for Splunk now support Splunk version 8.x

The Centrify Add-On for Splunk categorizes event log data captured from the Centrify Platform related to privileged access activity and normalizes these events for the Splunk Common Information Model (CIM). This allows real-time analysis and risk mitigation to identify a potential breach in progress.

Key features and benefits include:

  • Minimizing the risk associated with privileged access abuse.
  • Centralizing visibility across enterprise deployments.
  • Easily importing categorized data sets from privileged user activity.
  • Leveraging existing investments in SIEM and alert tools without additional costs.

The Centrify App for Splunk provides Centrify Vault Suite customers with dashboards and reports designed to interpret and display Centrify Audit events properly. They can be used as-is or to enrich existing Splunk visualizations with Centrify security-related event data.

Key features and benefits include:

  • Dashboards that show login activity, privileged access activity, privileged access anomalies, and admin activity.
  • Reports around privileged admin activity, login activity, authorization failure, and more.
  • Alerts around multiple login failures in the last day, privileged command authentication failures in the last day, and more.
New Features for Centrify Cloud Suite:
Support for Offline Login

To fully support the Linux and Windows operating systems as authentication clients, the Centrify Client now supports offline login. By definition, offline login is an availability control used when the system cannot communicate with the realm that the system has joined ("enrolled" in Centrify terminology). This may be due to service unavailability, connectivity issues, etc. Without offline login, the end user is unable to access the system in that situation.

Key features include:

  • Offline login policy.
  • Offline login with cached credentials.
  • Offline login with cached credentials and identity validation.
  • New Reports to show offline login activity for the last 30 days and systems that allow offline login.
  • MFA for specific local administrator accounts.
  • Platform independence (the feature supports both Windows and Linux clients).
Centrify Client for Windows will now challenge for MFA when Elevating Privilege using "Use My Alternate Account"

On Windows, when a user right-clicks an application and selects "Use my alternate account" from the contextual menu to run with elevated privileges, the Centrify Client now supports an MFA challenge, if configured.

The Centrify Client can determine that extra MFA is configured, fetch the MFA challenge(s), and present them to the user.

January 19, 2021

What's New in Centrify Privileged Access Service 21.1

NEW FEATURES FOR THE CENTRIFY PRIVILEGED ACCESS SERVICE:
Set Visibility

Today with Centrify Privileged Access Service (PAS), users must be given the "View" permission to gain visibility to a specific set or group of sets. Similarly, members of the System Administrator role must be assigned individual permissions on each set to gain visibility. This manual process increases administrative overhead, especially for large numbers of sets. This new feature solves this problem with a global setting that, when enabled, provides set visibility across all resources of all System Administrators.

Granular Admin Rights

The current Centrify Platform Administrative Rights are broad in scope and do not offer the ability to define and manage which users can add what resource types. In this first phase of the Granular Admin Rights capability, we have created new Administrative Rights for three resource actions that can be assigned to users. These rights can be combined with existing and more restrictive rights, such as the Centrify Privileged Access Service User (View access), to create a custom role that gives the user just enough privilege.

New rights have been added to the Administrative Rights list for the following:

  • Adding Systems
  • Adding Databases
  • Adding SSH Keys
Centrify Remote Access Kit (RAK) for Centrify 'Use My Account' (UMA) Feature

The Centrify Remote Access Kit allows a user to perform remote operations using a preferred local client. With this new feature, any session launched using Centrify's UMA authentication from the Centrify Portal will honor the "User Preference" of launching a native remote client application for UMA-initiated sessions, rather than launching the default Web based client.

NEW FEATURES FOR CENTRIFY CLIENTS FOR LINUX AND WINDOWS:
Privilege Elevation for CClient - Phase I (preview)

This is the first phase of privilege elevation support for Centrify CClient. This phase will provide all-or-nothing elevation to root on Linux systems and local Administrator on Windows systems. From the Centrify Portal, customers can now centrally configure, enable, or disable privilege elevation for Active Directory, Centrify Directory, Google Cloud Directory, or federated users. Also in this phase, you can enable multi-factor authentication (MFA) at elevation for extra protection and validation of a user's identity. This phase is marked as a preview for release 21.1.

Vaulting Support for Windows Workstations

Centrify CClient now provides vaulting support for Windows workstations. Vault local administrator accounts and leverage the Centrify vault's client-based password reconciliation feature to reconcile out-of-sync passwords. Please note that this phase only supports the Windows 8 and Windows 10 platforms and local account reconciliation. Other Centrify CClient features such as Agent Auth, Delegated Machine Credentials (DMC), and Application-to-Application Password Management (AAPM) are planned for a future phase.

Removal of Local Accounts (GA)

Removal of Local Accounts previewed with release 20.7. This is the official GA for this feature. Enabling Removal of Local Accounts ensures that all local accounts created by the Centrify CClient on Windows machines are cleaned up upon user logout. This feature can be used in tandem with local group mapping and Agent Auth for just-in-time elevation via a temporary account.


December 18, 2020

What's New in Centrify Zero Trust Privilege Services Release 2020.1

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Centrify Privileged Access Service, which enables you to discover, manage, and apply policies to account passwords, secrets, as well as access rules for both privileged and unprivileged accounts. Centrify Privileged Access Service also offers centralized access to systems and session auditing when combined with the Centrify Audit and Monitoring Service.
  • Centrify Authentication Service is a "best-of-breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Centrify Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of privileged user access and privileges on UNIX, Linux, and Windows systems.
  • Centrify Audit and Monitoring Service delivers auditing, logging, and real-time monitoring of privileged user activity on your Windows, UNIX, and Linux systems.

The net result for thousands of customers who have deployed Centrify Zero Trust Privilege Services is increased security, as well as improved compliance posture, and operational efficiencies.

About Centrify Zero Trust Privilege Services Release 2020.1

Release 2020.1 is a minor release focused on the Centrify Server Suite (Centrify Authentication, Centrify Privilege Elevation, and Centrify Audit and Monitoring Service) and consists of bug fixes and a few feature improvements.

What's New in the Centrify Authentication and Centrify Privilege Elevation Service for UNIX and Linux

Centrify Authentication Service Agent

Agent version is 5.7.1

  • Python LRPC/LRPC2/CAPI modules: easily manage the Centrify Authentication Service (formerly DirectControl) Agent using two new Python modules, pylrpc and pycapi, that provide object-oriented APIs which can be used within Python programs to configure and interact with the Centrify Authentication Service Agent.
  • Additional ignore flags for adfixid: two new options, "-Y, --ignore-directory <pattern>" and "-E, --ignore-file <pattern>", have been added to the adfixid command to allow a user to skip directories or files, respectively, whose name matches the provided pattern (POSIX extended regular expressions).
  • Enhanced deployment report granularity: provides deeper insight into the deployment and use of Centrify software within the environment. The enhanced report highlights the exact features of the Centrify Authentication Service being used and provides an inventory of the number of users, roles, PAM rights, actual role assignments, computer roles, etc. that are currently active in the environment.

Centrify Authentication Service Platform Update Notes

  • macOS Big Sur Support: Centrify has recently added macOS support for Big Sur v.11.0 with the Authentication Service Agents v.5.7.0. Please note that this version is not compatible with macOS v.11.1 Big Sur though. Any attempt to install the Authentication Service Agent v.5.7.0 on a machine running macOS v.11.1 will fail. Support for macOS v11.1 will be provided in a subsequent one-off release. In addition, please note that the Apple M1 Chip is not supported in this release, nor will it be supported in the upcoming one-off release for macOS v11.1. However, it will be added in a future release.
  • AIX OS Patch Incompatibility: It was recently reported that Microsoft Active Directory users will not be able to log on to AIX systems with the Centrify Authentication Service Agent installed after applying AIX 7.1 OS Patch 7100-05-07-2038 and AIX 7.2 OS Patch 7100-05-01-2038. The Centrify Authentication Agent from R2020.1 (v.5.7.1) contains the fix to address this issue.

Centrify Authentication Service Agent and Utilities Compatibility

This release of the Centrify Authentication Service Agent for *NIX will work with the following except on Solaris:

  • The latest release of Centrify for DB2 and Centrify for Samba.
  • Centrify Audit and Monitoring Agent (formerly DirectAudit) of Release 2017 or later, except on:
    • AIX and Linux PowerPC platforms (Centrify Audit and Monitoring Agent must be of Release 2017.3 or later).
  • Centrify OpenSSH of Release 19.6.
  • On Solaris, you must upgrade all packages to Release 2020 or above. For example, this release of Centrify Authentication Service Agent for *NIX will not work with old versions of the adbindproxy package, Centrify Audit and Monitoring Agent, Centrify OpenSSH, etc., as the location of 64-bit executables has changed.
  • As Centrify Deployment Manager is already discontinued after Release 18.11, the Centrify Deployment Manager cannot deploy this release of Centrify Authentication Service Agent for *NIX.
  • Centrify OpenSSH is upgraded based on OpenSSH v8.4 from v8.2 - this includes several security fixes and potentially incompatible changes. For more information please refer to the OpenSSH release notes.

Centrify Report Services

  • The Centrify Report Service now supports both SQL Server 2017 and 2019.

Centrify Licensing Service

  • Created a new section "Special Local User Profiles Defined Report" within the Licensing Report. This section will list out special local user profiles based on the search pattern configured in the registry value "SpecialUserProfilePattern".

For more detailed information about the Centrify Authentication Service Agent, command-line utility enhancements, tooling improvements, and parameters, please refer to the Centrify Authentication Service release notes document.

What's New in Centrify Privilege Elevation Service for Windows

Agent version is 3.7.1

  • Audit trail for PowerShell remoting: the Centrify Privilege Elevation Service Agent for Windows now supports the auditing of PowerShell commands that are run remotely on a Centrify Zone-joined system. This means that the Centrify Audit Trail will now capture remotely run scripts, commands, their content/arguments, return codes, time stamps, and the users who initiated the operation. Use this feature to keep track of remote activity and closely monitor the specific scripts and commands being run through PowerShell remoting.

For more detailed information about the Privilege Elevation Service for Windows, refer to the Centrify Privilege Elevation Service Agent release notes document.

What's New in the Centrify Audit and Monitoring Service (formerly DirectAudit)

Agent version 3.7.1

  • Session IDs for deleted sessions: currently the Centrify Audit trail produces a summary audit trail event that records how many sessions were deleted. With this feature, you have two new events that will be logged when a user tries to delete a session. These events will capture the specific session IDs, the user who initiated the deletion operation, and the machine name of the audited session. The Centrify Audit Analyzer console, find-sessions functionality, and the PowerShell cmdlets have all been modified to log the new events for every deleted session.
  • Deployment report granularity for Centrify Audit deployment: similar to the Centrify Authentication Service, the Centrify Deployment Report has been enhanced to provide more detail on your Centrify Audit installation. It provides deeper information on how many systems are being audited, which type of audit is enabled, Centrify Agent version, etc.

For more detailed information about the Centrify Audit and Monitoring Service, please review the Centrify Audit and Monitoring Service release notes.

Centrify Audit and Monitoring Service Compatibility

With the Centrify Agent for Windows version 19.6 and later, the Audit and Monitoring Service uses a different compression library to compress the video data being sent from the Centrify Agent to the collector. As a result, this Agent and all future versions of Agents are *not* compatible with the Centrify Audit Collector versions 18.11 or earlier. IMPORTANT: You will lose video data if you deploy the newer Agents in an environment with 18.11 or older collectors. Audit trail events and indexed events lists are not affected in this situation.

Because of this incompatibility and risk of data loss, you must upgrade all of your collectors to the 19.6 or higher version BEFORE you upgrade the Agents to Release 2020.1.

The minimum Centrify Authentication Service Agent for *NIX version required by this version of the service is 5.4.0 (Release 2017) with the following exceptions:

  • On AIX and Linux PowerPC platforms, Centrify Authentication Service Agents must be Release 2017.3 or later.
  • On Solaris x86 and SPARC platforms, the Centrify Authentication Service Agent must be Release 2020 or later because the location of the 64-bit executable has been changed, as mentioned above.

New Platform Support Updates

Support is added to the following operating system platforms in this release:

  • CentOS 7.4 and up (aarch64)
  • CentOS 7.9 (x86_64)
  • Debian 10.6 (x86_64)
  • Oracle Linux 7.9, 8.3 (x86_64)
  • Oracle Linux 7.4 and up (aarch64)
  • Red Hat Enterprise Linux 7.9 (x86_64, PPC64, PPC64LE)
  • Red Hat Enterprise Linux 8.3 (x86_64, PPC64LE)
  • Red Hat Enterprise Linux 7.4 and up (aarch64)
  • Ubuntu Linux 20.10 (x86_64, PPC64EL)

To see all platforms in the Centrify Zero Trust Privilege Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is at the end of life, click www.centrify.com/product-lifecycle and scroll down the page. You will need your Centrify Support Portal Login to access this page.

Notice of Termination of Support

Support is removed from the following operating system platforms in this release:

  • Fedora 31
  • Red Hat Enterprise Linux 7.2 on S390 (see note below)

Note: Our termination of support follows IBM's discontinuation of support for Red Hat Enterprise Linux 7.x.

This release is the last supported release for the following operating system platforms:

  • Amazon Linux AMI (2018.03)
  • CoreOS
  • Red Hat Enterprise Linux 5.x
  • Ubuntu 16.04 LTS
  • SUSE Enterprise Linux 11 and all its Service Packs
  • SUSE Enterprise Linux 12 SP2 or below

Unless otherwise announced, we follow the operating system vendors' End of Life schedules. To check whether your platform is at end of life, please refer to https://www.centrify.com/support/customer-support-portal/policies/product-lifecycle/#lifecycle_policy for details.

December 7, 2020

What's New in Centrify Privileged Access Service 20.7

NEW FEATURES FOR CENTRIFY PRIVILEGED ACCESS SERVICE:
Automatically Manage Discovered Accounts (preview):

The Centrify Platform provides discovery services that help automatically populate the Centrify Privileged Access Service with systems and accounts. The 'Manage Discovered Accounts' feature builds out these Centrify discovery capabilities by allowing users to further automate the account on-boarding and management process.

Today the Centrify Privileged Access Service offers the following password management services:

  • Password rotation.
  • Password change according to your system's password profile settings.
  • Password rotation based on a periodic rotation schedule and upon password check-in.

With this feature, users can automatically subscribe their discovered accounts to all these management services to reduce the administrative overhead associated with manually managing the accounts.

UNIX Local Account Password Reconciliation - Phase 2 (preview):

UNIX Local Account Password Reconciliation (Unix LAPR), released earlier this year, extended the support of a privileged administrative account to reconcile local account passwords on UNIX and Linux machines without any manual intervention. Phase 2 introduces password reconciliation using a domain administrative account that has limited privileges necessary to change the password of local accounts. This helps users stay true to "Just-Enough-Privilege" principles and further secures credential operations throughout your environment. In addition, this phase also provides a built-in report outlining all password reconciliation events for greater visibility and tracking.

Remove Active Directory Dependency for Gateway-Based Auditing:

In its current design, gateway-based auditing, by way of the Centrify Gateway Connectors, depends on Active Directory to discover the Centrify Audit Collectors and then subsequently authenticate via Kerberos and forward the audited data. This feature decouples the Centrify Gateway Connector from Active Directory by establishing a Transport Layer Security (TLS) communications channel to the Centrify Audit Collectors, allowing gateway-based auditing to now support environments without direct connectivity such as DMZs or in a Shared Services VPC/VNet model.

Centrify Gateway Connector Logging Improvements:

Today the Centrify Gateway Connectors are involved in multiple operations, including remote access, password reset, etc. This capability gives users the ability to identify and tag each connector-driven operation with the Centrify Gateway Connector that's performing the action. This feature increases visibility, allows troubleshooters to quickly identify the source of the issue and therefore improves time-to-resolution.

Centrify Browser Extension Custom App Support:

You can now use the Centrify Browser Extension to launch applications without the Centrify Admin Portal and adjust the user experience to your preferences. Two custom Centrify Browser Extension (CBE) applications, “Browser Extension” and “Browser Extension (Advanced)” have been added to the Custom tab of the application catalog. Both these templates can be used to provide single sign-on (SSO) to a Web application that requires a username and password where the login pages are dynamic, use cookies, or when header information needs to be passed. In addition, the Advanced CBE template allows you to enable SSO to a Web application that requires a user-specific URL or differs in functionality based on the browser in use.

NEW INTEGRATION FEATURES FOR THE CENTRIFY AGENTS AND CENTRIFY PLATFORM:
PowerShell SDK for the Centrify Platform:

This SDK is a PowerShell module for the Centrify Platform. The module provides wrapper functions for the Centrify Platform API as PowerShell cmdlets that can be used from scripts or from an interactive PowerShell session. The PowerShell module can be installed on a Windows Server or Workstation running PowerShell 5.0 or above. The package and source code are available at https://github.com/centrify/powershell-sdk

Ansible - Centrify Client Management on UNIX/Linux Module:

Centrify provides Ansible roles that can be used in any Ansible playbook and allow for management of the Centrify Server Suite and Centrify Cloud Suite Agents. These roles can be used with the Ansible CLI or Ansible Tower. Roles are built so that variables can be used to granularly control which Centrify Agent to deploy and to determine which Active Directory or Centrify Platform tenant is used for enrollment, as well as to configure several features of the Agents. The Ansible roles are available at https://github.com/centrify/ansible

Ansible Tower - Auth and Secrets Management Modules:

Centrify is providing customers with a credential plugin, allowing Ansible Tower to retrieve credentials from the Centrify Privileged Access Service when running tasks against systems enrolled to your Centrify Platform Tenant. This plugin will be available as part of the AWX community project and Ansible Tower.

NEW FEATURES FOR CENTRIFY CLIENTS FOR LINUX AND WINDOWS:
Local Account Clean-Up (CClient for Windows) (preview):

The Centrify CClient for Windows creates a local account upon login. Today these accounts are preserved in order to maintain any end-user profile-specific changes. With this new feature, users will now have a policy-level option that, when set, ensures local accounts are cleaned up upon session termination. This feature, when used in tandem with Centrify CClient's Local Group Mapping and Login (agentauth workflow), provides Just-in-Time Elevation via an ephemeral account. This empowers you to minimize your attack surface by eliminating standing privileges and granting short-lived access, as well as elevated privileges on the fly - only when needed.

MFA Grace Period Support:

Improve IT operational efficiency by applying a customizable pass-through duration for multi-factor authentication (MFA) on AD-joined Windows Servers. Once this setting is configured, an end user will not be re-prompted for MFA credentials at login if he/she has successfully fulfilled MFA within the set duration.

Feature Management:

Today the configuration of the Centrify CClient features is only possible during a re-enrollment operation. With this new feature, an admin can easily manage Centrify CClient features through the client page in the portal (toggle on/off) as well as via CLI tooling (Cedit). This capability allows you to centralize Centrify CClient management and reduce local administration.

ARM Support:

The Centrify Client for Linux now supports aarch64 for RHEL 7.6+. Note: this package can only be retrieved from the official Centrify repository. Please visit the Centrify Downloads Center for instructions on how to access the Centrify repository.

October 23, 2020

What's New in Centrify Privileged Access Service 20.6

AWS Cloud Provider

Centrify Privileged Access Service will now support adding Cloud IaaS Providers starting with AWS in order to support the vaulting and management of both root/billing account credentials, as well as IAM user account credentials.

This first phase of Cloud Provider support includes the following features:

  • Vaulting and SSO login for the AWS root account, its password, and multi-factor authentication (MFA) secret token.
    • Admin-assisted password rotation for the AWS root account password.
    • Support for enabling AWS MFA using Centrify as the virtual MFA device. This facilitates Amazon's best practice of protecting the AWS root account from compromised credentials while still maintaining strong governance by the vault.
  • Vaulting of IAM access key secrets for IAM users.

Centrify will be expanding this set of capabilities for AWS and other IaaS Cloud Providers over the next several releases.

Centrify Platform Adds Support for Centrify Gateway Connector Registration Codes

Centrify recently updated its Centrify Platform in release 20.5 to support the automated registration for new Centrify Gateway Connectors to the Centrify Platform using a registration code. To enhance the manageability and accessibility of the registration codes, this release provides the user interface to create, modify, and retrieve the registration codes for Centrify Gateway Connectors from the PAS portal. Admins can now delegate the registration of new Centrify Gateway Connectors that may be required within a new project to the project owner or the automation tooling used to create that project without granting additional rights to the project team. As an example, Centrify has published a sample Terraform script that will auto-create a VPC with dual availability zones and then deploy and register Centrify Gateway Connectors within each availability zone in the private subnet. You can find that example in the Terraform-Connector-Automation project on github.com/centrify.

Centrify Platform Support for Silent Request for External Radius Server

With this release, the Centrify Platform will support a silent request for an external RADIUS server; you can now opt to generate the initial RADIUS AccessRequest with a specified fixed answer and then forward it over to the RADIUS server. Once the response to the initial AccessRequest is received, MFA will continue as normal. Today, the Centrify Privileged Access Service uses your existing RADIUS server for user authentication by enabling communication between your RADIUS server and the Centrify Gateway Connector (acting as a RADIUS client). When the MFA mechanism is set to an external RADIUS server, the Centrify Platform sends the user credentials (username and passcode) to the Centrify Gateway Connector, which validates them against the configured RADIUS server, and subsequently returns the result of that validation. Prior to this feature, the user would have to manually answer the initial RADIUS AccessRequest, but now with the silent request support, the Centrify platform will automatically send adaptive push-notifications based on the provided fixed answer directly to the user's registered device. This allows you to streamline the use of any custom configurations of an external RADIUS Server by minimizing the need for user intervention.

Offline Passcode Support for Centrify Client for Windows via the Centrify Mobile App

Centrify Client for Windows now supports MFA-protected offline access, via the updated Centrify Mobile App, for when a machine loses connectivity with the Centrify Platform. Users who have been granted the offline rescue permission to log in can now use the Centrify Mobile App to retrieve the offline rescue one-time password (OTP) for any vaulted system on which they have the view and rescue permissions. The Centrify Mobile App also allows users to retrieve resource account credentials (domain, database, and system) from the Centrify Privileged Access Service based on their permissions.

September 21, 2020

What's New in Centrify Privileged Access Service 20.5

Centrify Direct RDP Gateway (Phase 1)

The ability to launch RDP connections without visiting the Centrify Privileged Access Service portal enables quick and secure access to systems. Users can specify a target system to connect to and the vaulted or manual account to be used for the brokered session.

This first phase of the Centrify Direct RDP Gateway includes the following features:

  • Support for initiating sessions with accounts that are vaulted in the Centrify Privileged Access Service.
  • Support for initiating sessions with manually entered credentials for known accounts, including vaulted accounts and vaulted Alternate Admin Accounts.
  • Support for initiating sessions with My Account using the keyword "me".
  • Support for Microsoft Remote Desktop clients such as Royal TS.
  • Reports on Centrify Direct RDP Gateway usage.

Cloud Providers (PREVIEW Mode Featuring AWS)

AWS will be configurable as a "Cloud Provider" in the Centrify Privileged Access Service. An AWS Cloud Provider will support:

  • Vaulting and password management of AWS root/billing accounts.
  • Single sign-on (SSO) into managed AWS root/billing accounts with multi-factor authentication (MFA) enabled (either Centrify MFA or native AWS MFA).
  • Vaulting of AWS IAM accounts.

The recommended best practice in AWS is to secure the AWS root account password. With an AWS Cloud Provider configured in Centrify Privileged Access Service, you can store and rotate the AWS root account password on demand.

Secrets Workflow

Workflow for secrets allows a user who has only View permission on a secret to request Retrieve access. Once the request is made, one or more "approvers" may grant the request, and if so, the permissions on the secret are updated to give the user access.

  • Workflow can be enabled globally for all secrets or at an individual system level.
  • Upon approval, temporary or permanent permission will be added for the user on the specific secret. This permission assignment will only be alive for the approved time period. And like any other permission, the administrator is free to remove the permission assignment at any time.
  • Use the built-in report detailing all secret workflow requests and outcomes, as well as the period for which access was granted if the request was accepted.

Use My Account (UMA) Support for Native Clients

The Use My Account (UMA) feature can now be leveraged in native SSH/RDP applications by specifying "me" as the account name. The keyword "me" is configurable via the tenant config UseMyAccountName.

  • Login challenges are applied if the admin would like to require multiple security challenges or provide more options for the end users.
  • Use My Account is available as an action:
    • On Windows systems, if the system is enrolled and the user has AgentAuth permission.
    • On Linux systems, if 'UMA is configured' is checked in Settings. Note that the target system may or may not be enrolled. If it is enrolled, UMA will fail if the user lacks AgentAuth permission.

Unenroll Centrify Clients from Centrify Privileged Access Service GUI

For individual systems in the Systems list, right-click on a system name to unenroll the Centrify Client from the Centrify Privileged Access Service Portal. Alternatively, unenroll groups of systems in a Set from the Set options.

  • This allows for seamless de-provisioning of the cclient from one central management pane without accessing the machine locally.
  • Unenrolling a system will no longer allow Centrify Privileged Access Service to reconcile local accounts if the local account reconciliation feature was enabled for that system. Therefore, the user will be prompted to skip the systems where reconciliation is enabled.
  • Allows users to protect privileged resources stored in the Centrify Privileged Access Service in case the enrolled System gets compromised and client-side unenrollment is not possible.

AgentAuth Workflow for Centrify Clients

Provides on-demand, secure, and strictly enforced temporary or permanent access to privileged machines where the Centrify Client for Windows or Linux is installed.

  • Allows a user who has only the View Permission on a Centrify Client-enrolled system but not the AgentAuth permission to request the login permission via Centrify native workflow.
  • Can be configured at a global level or individual system level.
  • Upon approval, temporary or permanent permission will be added for the user granting AgentAuth on the specific machine. This permission will only be alive for the approved time period. And like any other permission, the administrator is free to remove the permission assignment at any time.
  • Provides just-in-time access upon request and approval.
  • Use the built-in report detailing all AgentAuth workflow requests, the outcome, as well as the period for which access was granted if the request was accepted, etc.

Alternate Account Support for Centrify Clients

When elevating privilege on a target system, users now have the option to elevate using their "Alternate Account" (also known as "dash-a" account), assuming the user's alternate account has been discovered by the Centrify Privileged Access Service. This avoids having to return to the Privileged Access Service portal, manually check out the account, then return to the system to use it.

  • Securely and seamlessly elevates privilege using an associated Alternate Account from Active Directory that's been discovered by Centrify Privileged Access Service.
  • Provides faster time-to-elevation by eliminating manual account checkouts/check-ins and the need to visit the Portal.
  • Avoids exposing the Alternate Account password, which could be used to move laterally. Instead, it uses token manipulation to securely elevate privilege without password exposure.

Multi-Factor Authentication and Registration Code Support for Connector Registration

When registering a connector interactively, the registering user will be prompted for multi-factor authentication according to the cloud policy for that user. The user must also have the appropriate rights to register connectors. Alternatively, new APIs are available to allow connectors to be registered using a registration code rather than interactive authentication. Registration code support in 20.5 is via API only; Portal UI support is forthcoming in a future release.

Domain and Database account password checkout on mobile client

Password checkout and checkout-extension functionality for Domain and Database accounts are now available on the Centrify mobile client (iOS and Android).

September 3, 2020

What's New in Centrify Zero Trust Privilege Services Release 2020

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Centrify Privileged Access Service, which enables you to discover, manage, and apply policies to account passwords, secrets, as well as access rules for both privileged and unprivileged accounts. Centrify Privileged Access Service also offers centralized access to systems and session auditing when combined with the Centrify Audit & Monitoring Service.
  • Centrify Authentication Service is a "best-of-breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Centrify Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of privileged user access and privileges on UNIX, Linux, and Windows systems.
  • Centrify Audit & Monitoring Service delivers auditing, logging, and real-time monitoring of privileged user activity on your Windows, UNIX, and Linux systems.

The net result for thousands of customers who have deployed Centrify Zero Trust Privilege Services is increased security, as well as improved compliance and operational efficiencies. Release 2020 is a major release that contains significant enhancements to security and functionality.

About Centrify Zero Trust Privilege Services Release 2020

Release 2020 is a major release for the calendar year 2020. It contains functionality additions for keytab management, design changes for domain and connector selection, local Windows users and group management, a marquee capability for X11 auditing, and more!

What's New in the Centrify Authentication and Centrify Privilege Elevation Service for UNIX and Linux

Centrify Authentication Service (formerly DirectControl) Agent
Agent version is 5.7.0

  • External keytab management: after a successful password change and krb.keytab update, the Centrify Authentication Service Agent will launch an optional user process/command to perform a user-specified action, controlled by the configuration parameter 'adclient.krb5.password.change.hook'. The adkeytab command has also been enhanced with a new option '-o/--copy' to copy the specified keys from an input keytab file into an output keytab file based on the specified SPN.
  • Smarter domain controller and Centrify Gateway Connector selection: the agent will now use the "next_closest_site" API to choose a connector and a domain controller based on the lowest site link cost before proceeding to search domain-wide. This is controlled by a new configuration parameter, 'adclient.next.closest.site.lookup.enabled', and provides faster failover and better availability.
  • Status updates: the Centrify Authentication Service Agent will now send periodic messages containing Agent and environment-specific data to the syslog and to the computer object's postalAddress attribute in Active Directory.
    • Information for syslog updates includes the adinfo status details: HostName, DomainName, PreWin2kName, CurrentDC, PreferredSite, Zone, LastPasswordSet, CentrifyDC Mode, and LicensedFeature. The interval is configurable through Group Policy, with a default of 0, which disables the message; the message is prepended with the WATCH keyword for easy identification. This message is useful in analytics and SIEM software for monitoring the health of the Agent.
    • Information for Active Directory updates includes: current domain controller, current connector, update timestamp, adclient process elapsed time, computer uptime, connector uptime, and domain join time. Users can use this information for quick cloud deployment. Note: the update interval is controlled by the configuration parameter 'adclient.deploy.report.update.interval'.
  • MFA grace-period applies a pass through duration for multi-factor authentication (MFA) policy for Linux, UNIX, and Windows Servers. You can apply the pass-through duration based on the source and/or target. Once this feature is enabled, an end user will not be re-prompted for MFA credentials once he/she has successfully fulfilled MFA within the set duration.
  • CPU consumption alert: added the capability in Centrify Authentication Service watchdog to emit alert when adclient CPU consumption is above a specified threshold. Use the 'adclient.watch.cpu.utilization.warning.threshold' to configure the threshold value for CPU usage above which cdcwatch will write a WARN message. The default is -1, which means no threshold is set.
  • Centrify smart card support: added the support of smart card login on RHEL 8.
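As an added example (not Centrify's code), the following Python consumes syslog lines carrying the WATCH status messages described above and flags agents whose heartbeat has gone stale, that have reported a disconnected CentrifyDC Mode, or whose computer account password has not been rotated. The page documents only the WATCH prefix and the field names; the "Key: value;" body layout, the ISO-8601 syslog timestamps and the sample log are assumptions constructed for this example.

```python
"""Health checks over adclient WATCH status messages found in syslog.

Example added to illustrate the status-update feature; not Centrify code.
The page documents the WATCH prefix and the field names only. The syslog
layout (ISO-8601 timestamp, host, program[pid]) and the "Key: value; ..."
body format are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log, not captured from a real system. host03 drops to
# disconnected mode at 10:00 and recovers by 10:30; host02 goes silent after 10:00.
SAMPLE_SYSLOG = """\
2020-09-03T10:00:02Z host01 adclient[1201]: WATCH HostName: host01; DomainName: corp.example.com; PreWin2kName: CORP; CurrentDC: dc01.corp.example.com; PreferredSite: HQ; Zone: prod; LastPasswordSet: 2020-08-20; CentrifyDC Mode: connected; LicensedFeature: Enterprise
2020-09-03T10:00:05Z host02 adclient[998]: WATCH HostName: host02; DomainName: corp.example.com; PreWin2kName: CORP; CurrentDC: dc02.corp.example.com; PreferredSite: DR; Zone: prod; LastPasswordSet: 2020-06-01; CentrifyDC Mode: connected; LicensedFeature: Enterprise
2020-09-03T10:00:07Z host03 adclient[742]: WATCH HostName: host03; DomainName: corp.example.com; PreWin2kName: CORP; CurrentDC: ; PreferredSite: HQ; Zone: prod; LastPasswordSet: 2020-08-22; CentrifyDC Mode: disconnected; LicensedFeature: Enterprise
2020-09-03T10:00:09Z host01 sshd[2233]: Accepted publickey for alice from 10.0.0.5 port 51022
2020-09-03T10:30:01Z host01 adclient[1201]: WATCH HostName: host01; DomainName: corp.example.com; PreWin2kName: CORP; CurrentDC: dc01.corp.example.com; PreferredSite: HQ; Zone: prod; LastPasswordSet: 2020-08-20; CentrifyDC Mode: connected; LicensedFeature: Enterprise
2020-09-03T10:30:04Z host03 adclient[742]: WATCH HostName: host03; DomainName: corp.example.com; PreWin2kName: CORP; CurrentDC: dc01.corp.example.com; PreferredSite: HQ; Zone: prod; LastPasswordSet: 2020-08-22; CentrifyDC Mode: connected; LicensedFeature: Enterprise
"""

# Only adclient lines whose message begins with the WATCH keyword are of interest.
WATCH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) adclient\[\d+\]: WATCH (?P<body>.*)$")


@dataclass
class WatchRecord:
    ts: datetime
    fields: dict[str, str]


def parse_watch_line(line: str) -> WatchRecord | None:
    """Return a WatchRecord for an adclient WATCH line, or None for other syslog noise."""
    m = WATCH_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    fields: dict[str, str] = {}
    for item in m.group("body").split(";"):
        key, sep, value = item.partition(":")  # split on the first colon only
        if sep:  # ignore malformed fragments instead of failing the whole line
            fields[key.strip()] = value.strip()
    return WatchRecord(ts, fields)


def parse_syslog(text: str) -> list[WatchRecord]:
    return [r for r in map(parse_watch_line, text.splitlines()) if r is not None]


def check_agent_health(records: list[WatchRecord], now: datetime,
                       interval: timedelta, max_password_age: timedelta) -> dict[str, list[str]]:
    """Evaluate each host's WATCH history.

    interval is the Group Policy heartbeat interval; a host that has missed two
    consecutive heartbeats is reported as stale. max_password_age bounds how old
    the computer account password (LastPasswordSet) may be before it is flagged.
    Any record in the window with a mode other than "connected" is counted too.
    """
    latest: dict[str, WatchRecord] = {}
    disconnects: dict[str, int] = {}
    for r in records:
        host = r.fields.get("HostName")
        if not host:
            continue
        if host not in latest or r.ts > latest[host].ts:
            latest[host] = r
        if r.fields.get("CentrifyDC Mode", "").lower() != "connected":
            disconnects[host] = disconnects.get(host, 0) + 1

    findings: dict[str, list[str]] = {}
    for host, r in latest.items():
        issues: list[str] = []
        if now - r.ts > 2 * interval:
            issues.append("stale heartbeat")
        if r.fields.get("CentrifyDC Mode", "").lower() != "connected":
            issues.append("currently not connected to Active Directory")
        elif disconnects.get(host):
            issues.append(f"reported disconnected mode {disconnects[host]} time(s) in window")
        pw = r.fields.get("LastPasswordSet")
        if pw:
            set_on = datetime.fromisoformat(pw).replace(tzinfo=timezone.utc)
            if now - set_on > max_password_age:
                issues.append("computer account password overdue for rotation")
        if issues:
            findings[host] = issues
    return findings


def run_example() -> dict[str, list[str]]:
    """Run the checks over the constructed sample as of 11:15 UTC with a 30-minute interval."""
    now = datetime(2020, 9, 3, 11, 15, tzinfo=timezone.utc)
    return check_agent_health(parse_syslog(SAMPLE_SYSLOG), now,
                              interval=timedelta(minutes=30),
                              max_password_age=timedelta(days=30))


if __name__ == "__main__":
    for host, issues in run_example().items():
        print(f"{host}: {'; '.join(issues)}")
```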

Centrify Authentication Service and Utilities Compatibility Notes

This release of the Centrify Authentication Service Agent for *NIX will work with the following:

  • The latest released Centrify for DB2 and Centrify for Samba.
  • Centrify Authentication Service Agent of Release 2017 or later, except:
    • On AIX and Linux PowerPC platforms, the Centrify Audit & Monitoring Agent must be Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, the Centrify Audit & Monitoring Agent must be Release 2018 or later.
  • Centrify OpenSSH of Release 2017 or later, except:
    • On Linux PowerPC platforms, all packages must be Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, Centrify OpenSSH must be Release 2018 or later.

Centrify adedit

  • Added a new option '-notdelegateanyright' to the 'precreate_computer' command. When this option is specified, the command will not set the security descriptor when creating a computer object.

Centrify Access Manager Console

  • Added a column 'Agent Version' in the Centrify Access Manager. Users can now see the Agent version without running a report.
  • Centrify Access Manager can now manage local Windows users and groups. PowerShell cmdlets, and audit trail events are also available for local Windows accounts management. For details, please refer to Administrator’s Guide for Windows.
  • Fixed the self-service join status for computers that have been pre-created. The status is now shown as unjoined.

Centrify Group Policy Management

  • The group policy 'Computer Configuration' -> 'Windows Settings' -> 'Security Settings' -> 'Public Key Policies' -> 'Trusted Root Certification Authorities' is enhanced to validate and not install expired CA certificates to prevent the provisioning of expired certificates.

Centrify Licensing Service

  • Added a compression feature to the Licensing Report notification email. When the size of a Licensing Report is larger than the value of the registry key 'ReportNotificationCompressionThreshold', the report will be compressed into a zip file before being sent out as the attachment in the notification email.

Centrify Zone Provisioning Agent

  • Enhanced the logic to tolerate a slow network. When accessing the Active Directory objects, the maximum tolerance before logging a performance warning in the Centrify logs is now configurable with a default value of 8 seconds.

For additional and more detailed information about the Agent, command-line utility enhancements, tooling improvements, and parameters, please refer to the Centrify Authentication Service release notes document.

What's New in Centrify Privilege Elevation Service for Windows

Agent version is 3.7.0

  • Automatic group provisioning: Centrify Agent for Windows can now automatically add Windows accounts with 'Windows console login' right and/or 'Windows remote login' right to the 'Allow log on locally' policy and/or the 'Remote Desktop Users' local group, if this feature is enabled via a registry setting.
  • Privilege elevation Mode: decouples the Centrify Authentication Service from the authorization service and allows a user to deactivate the access control mechanisms and deploy only the Privilege Agent for elevation.
  • Alternate account support: Centrify Agent for Windows now allows running applications using the logged-in user’s alternate account configured in the Centrify Privileged Access Service. For details on how to use this feature, please refer to the User’s Guide for Windows.
  • Status updates: Centrify Agent for Windows now emits heartbeat information to the Windows Application log at a configurable interval, which the Centrify Privilege Threat Analytics Service and other SIEM tools can use to monitor the Agent's status. It also now writes timestamp information to Active Directory when the computer is joined to a zone.
  • Windows local user and group management: you can now manage local users and groups on Windows Systems that are joined to a zone in two modes: Detect and Enforce. For details, refer to the Administrator’s Guide for Windows.
  • Starting Release 2020, the 'Endpoint enrollment' feature (also known as 'Zero Sign-On') has been removed from the Centrify Agent for Windows.

Centrify Access Module for PowerShell

  • Added a new switch 'SkipPermissionSetting' in 'New-CdmManagedComputer' command to not set the security descriptor when creating a computer object.
  • Added the support of DN/SID/@/ADComputer to the command 'Get-CdmComputerRole -Computer'.

Centrify Windows SDK

  • Four methods are added to the Centrify Access API to help pre-create computers or computer zones without delegating permissions.

Centrify PuTTY 5.7.0

  • Centrify PuTTY is upgraded based on PuTTY v0.73 from v0.71.
  • This includes several security fixes, e.g. CVE-2019-17067, CVE-2019-17068, and CVE-2019-17069.

For additional and more detailed information about the Privilege Elevation Service for Windows, refer to the Agent Release Notes document.

Note: The directory user must belong to a role that is mapped to the machine's local administrator group. Role mappings can be configured using the Centrify Client's local group mapping feature, located on the Windows system's Local Group Mapping page.

What's New in the Centrify Audit & Monitoring Service (formerly DirectAudit)

Agent version is 3.7.0

  • Status updates: The Centrify Audit & Monitoring Service Agent for *NIX & Windows now sends the following information in addition to the existing payload when sending its heartbeat: offline store size, despool rate, free disk space, AD site name, the status of session auditing, configuration/deployment mode, and status of advanced monitoring.
  • X11 Audit: The Centrify Audit & Monitoring Service now supports Linux Desktop auditing for GNOME (v3) desktop environments on Red Hat/CentOS 6, 7 and 8 platforms.
  • End of session events: new audit trail events that can capture the start of session auditing and end of session auditing actions for an audited user have been added.
  • New Cmdlets: the Centrify Audit Module for PowerShell introduces a new cmdlet, New-CdaInstallation, that administrators can use to create a new Centrify Audit & Monitoring Service installation from a command prompt.

For additional and more detailed information about the Centrify Audit & Monitoring Service, please review the Centrify Audit & Monitoring Service release notes.

New Platform Support

Support is added to the following operating system platforms in this release:

  • CentOS 7.8, 8.1, 8.2 (x86_64)
  • Debian 9.12, 9.13, 10.2, 10.3, 10.4, 10.5 (x86_64)
  • Fedora 31, 32 (x86_64)
  • Oracle Linux 7.8, 8.1, 8.2 (x86_64)
  • Red Hat Enterprise Linux 7.8 (x86_64, PPC64, PPC64LE)
  • Red Hat Enterprise Linux 8.1, 8.2 (x86_64, PPC64LE)
  • Ubuntu Linux 20.04 (x86_64, PPC64EL)

To see all platforms in the Centrify Zero Trust Privilege Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform is at the end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal Login to access this page.)

August 4, 2020

What's New in Centrify Privileged Access Service 20.4

SSH Key Management

In this upcoming release, we are extending the current SSH key vaulting features beyond key storage and login.

The existing capabilities will be enhanced to support the following operations:

  • The ability to enable SSH key management, which allows for key rotation.
  • The ability to apply the following policies for the rotation of SSH keys:
    • SSH key rotation interval
    • Minimum SSH key age
    • SSH key generation algorithm
    • Clean-up intervals for retired SSH keys
  • The ability to leverage an account that has an SSH key for System and Account Discovery operations.
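The four policy knobs listed above (rotation interval, minimum key age, generation algorithm, and clean-up interval for retired keys) together define a small state machine over each vaulted key. The following Python block is an added example, not Centrify code, that models that policy over constructed key metadata: a key is rotated once it is older than the interval but never before the minimum age, the replacement is generated with the policy's algorithm, and retired keys are deleted once the clean-up interval has passed. It goes one step beyond the text by also rotating keys whose algorithm no longer matches policy; the data-class field names and the sample inventory are assumptions for the example, and key-pair generation itself is out of scope.

```python
"""Added example: SSH key rotation policy evaluation over vaulted-key metadata (not Centrify code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class RotationPolicy:
    """The four policy knobs named in the release note, with assumed field names."""
    rotation_interval: timedelta         # a key older than this is due for rotation
    minimum_key_age: timedelta           # a key younger than this is never rotated (limits churn)
    key_algorithm: str                   # algorithm used when generating replacement keys
    retired_cleanup_interval: timedelta  # retired keys are deleted once this old


@dataclass
class VaultedKey:
    """Metadata for one vaulted key; the key material itself is out of scope here."""
    name: str
    algorithm: str
    created: datetime
    retired: Optional[datetime] = None   # set when the key is superseded by a rotation


def due_for_rotation(key: VaultedKey, policy: RotationPolicy, now: datetime) -> bool:
    """Rotate when the key is past the interval or (generalisation) its algorithm no
    longer matches policy, but never before the minimum age has elapsed."""
    if key.retired is not None:
        return False
    age = now - key.created
    if age < policy.minimum_key_age:
        return False
    return age >= policy.rotation_interval or key.algorithm != policy.key_algorithm


def rotate(key: VaultedKey, policy: RotationPolicy, now: datetime) -> VaultedKey:
    """Retire the old key and return the replacement record (generating the key pair and
    pushing the new public key to the target's authorized_keys are not shown)."""
    key.retired = now
    return VaultedKey(name=key.name, algorithm=policy.key_algorithm, created=now)


def cleanup_retired(keys: List[VaultedKey], policy: RotationPolicy, now: datetime) -> List[VaultedKey]:
    """Drop retired keys once they are older than the clean-up interval."""
    return [k for k in keys
            if k.retired is None or now - k.retired < policy.retired_cleanup_interval]


def apply_policy(keys: List[VaultedKey], policy: RotationPolicy,
                 now: datetime) -> Tuple[List[VaultedKey], List[str]]:
    """One maintenance pass: rotate what is due, then clean up expired retired keys."""
    replacements, rotated = [], []
    for key in keys:
        if due_for_rotation(key, policy, now):
            replacements.append(rotate(key, policy, now))
            rotated.append(key.name)
    return cleanup_retired(keys + replacements, policy, now), rotated


def demo() -> Tuple[List[str], List[str]]:
    """Constructed inventory evaluated at a fixed date; returns (rotated names, live key names)."""
    now = datetime(2020, 8, 4, tzinfo=timezone.utc)

    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    policy = RotationPolicy(rotation_interval=timedelta(days=90),
                            minimum_key_age=timedelta(days=7),
                            key_algorithm="ed25519",
                            retired_cleanup_interval=timedelta(days=30))
    inventory = [
        VaultedKey("db01-admin", "ed25519", days_ago(120)),                # past interval -> rotate
        VaultedKey("web01-root", "rsa-2048", days_ago(3)),                 # too young, despite wrong algorithm
        VaultedKey("app02-deploy", "ed25519", days_ago(30)),               # compliant, leave alone
        VaultedKey("old-retired", "ed25519", days_ago(200), days_ago(45)), # retired 45 days ago -> cleaned up
        VaultedKey("legacy-jump", "rsa-2048", days_ago(20)),               # algorithm drift -> rotate
    ]
    kept, rotated = apply_policy(inventory, policy, now)
    live = sorted(k.name for k in kept if k.retired is None)
    return rotated, live


if __name__ == "__main__":
    print(demo())
```

Note the ordering: rotation runs before clean-up, so a key retired in this pass is still present for the duration of the clean-up interval, which is what lets an operator roll back if the new key fails to reach a target.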
Discover Local Accounts with Specific Names

The Centrify Privileged Access Service Discovery tool is getting an upgrade to have a new Actions option that allows rules to be made around what specific local accounts to discover for particular system types.

Multiple account names can be specified as a comma- or semicolon-separated list.

Support for Clipboard Copy and Paste in Web-Based RDP Sessions

The user experience can be enhanced for Centrify Privileged Access Service vault-brokered RDP sessions by allowing for copy and paste of text and images.

  • The ability to enable or disable the clipboard for native and web-based RDP sessions.
  • The ability to copy and paste text and images for web-based RDP sessions while using the following browsers:
    • Google Chrome
    • Microsoft Edge
    • Microsoft Internet Explorer (*text only)
UAC Support for Centrify Client on Windows

End users can now log on to a Windows host machine using a non-privileged account and launch an application as administrator after satisfying UAC using a cloud user's credentials.

Note: The directory user must belong to a role that is mapped to the machine's local administrator group. Role mappings can be configured using the Centrify Client's local group mapping feature, located on the Windows system's Local Group Mapping page.

June 19, 2020

What's New in Centrify Privileged Access Service 20.3

Centrify Hyper-Scalable Privileged Access Service

Our new architecture for Customer Managed Clustering will provide the world’s first “shared-nothing” high availability and on-premises privileged access management (PAM) with cloud-first services.

Centrify Hyper-Scalable Privileged Access Service uses cloud-first technology for customer-managed installs that were honed from our SaaS offering with a web-tier, job scheduler, caching, and load balancing. In turn, it yields the following benefits for customers:

  • Upgrading has zero-downtime and is fully automatable.
  • Easy provisioning and management of cluster resources.
  • Allows for infinite horizontal scale-out.
  • Active-active web, background, and TCP relay nodes.
  • Consolidated diagnostic logging.
  • Continued support for high availability.
Resource Policies for Centrify Privileged Access Service

Sets were introduced in 2017 to improve the manageability of Centrify Privileged Access Service resource objects. In this new release, policies will be applicable to sets of resources. For example, administrators will be able to require multi-factor authentication (MFA) for login to systems on the built-in set of all systems, and likewise require MFA for checkout of account passwords.

Policies will be able to be applied to sets of the following resource objects:

  • Accounts
  • Domains
  • Databases
  • Systems
  • SSH Keys
  • Secrets

Easily identify the policy summary and the sources (Default, Global, Set, or Resource Object override).

Inventory of Resources and Users

Administrators will be able to obtain better visibility of Centrify Privileged Access Service resources and users via an enhanced dashboard that accounts for the inventory in the portal. The Resource Counts dashboard will display the systems, databases, accounts, services, clients, and users that are in the service as of the last daily snapshot.

SSH Resource Profile Enhancements

An SSH Resource Profile can be created to define a custom system and specify how Centrify Privileged Access Service should interact with a device that supports the SSH protocol. In the 20.3 release, we will be enhancing the SSH Resource Profiles so that they can be grouped into sets for permissions management. We will also support the ability to import and export these profiles so that they can be shared between different environments. This will be a step towards our future plans of the Centrify Integration Hub, which will be a self-service portal that will allow custom device and application plugins for privileged sessions and password management to be shared by customers, partners, and third-party software vendors in the Centrify community.

Client-Driven Password Reconciliation for Local Accounts

Out-of-sync passwords can interrupt IT operations and impact security. Centrify supports automatic password reconciliation using shared accounts (multi-phase). The Centrify Client will enable the following account operations without reliance on the Centrify Gateway Connector:

  • Password Reset
  • Account Unlock (Only for Windows)
  • Password Rotation
  • Account Status Verification
  • System Connection Verification
  • Proxy Account Management

The Centrify Client will be the preferred reconciliation method if both the Centrify Client and the Centrify Gateway Connector are present, and will fall back to the Centrify Gateway Connector automatically if connectivity fails.

Client Delegated Machine Credentials

Centrify Delegated Machine Credentials leverage the OAuth2-based credentials and machine identity of the Centrify Clients for Centrify Privileged Access Service to delegate API access to applications.

  • Uses machine identity to build a strong authenticated relationship with Centrify Privileged Access Service.
  • Brokers out this trust to be utilized by applications and clients for automation and application-to-application password management (AAPM) use cases.
  • Requires a Centrify Client to be enrolled on the target machine with the Centrify Delegated Machine Credentials feature enabled.

May 21, 2020

What's New in Centrify Privileged Access Service 20.2

Centrify External Credential Storage Plugin for ServiceNow MID Server

Solutions, like ServiceNow IT Operations Management (ITOM), make use of the ServiceNow MID Server to perform inventory and orchestration tasks. The Centrify External Credential Storage Plugin is a MID Server integration for ServiceNow's ITOM applications. For example, ServiceNow Discovery can use the account credentials from the Centrify Privileged Access Service vault to scan the network and collect information on Linux, UNIX, and Windows servers in an environment.

This release of the Centrify External Credential Storage Plugin for ServiceNow MID Server will allow:

  • ServiceNow MID Server to retrieve local account credentials from the Centrify Privileged Access Service vault.
  • Secure inventory discovery and orchestration by leveraging vaulted credentials.

More information on our partnership with ServiceNow can be found at https://www.centrify.com/partners/zero-trust-network/servicenow/

March 4, 2020

What's New in PAS 20.1

Automatic Password Reconciliation for Local Accounts on UNIX and Linux Systems

Out-of-sync passwords can interrupt IT operations and impact security. This new feature will extend the support of a privileged local administrative account to reconcile passwords of local accounts on UNIX and Linux, without manual administrative intervention. This will guarantee that Centrify is the single source of truth for passwords used to access infrastructure. Systems with managed local accounts enabled for automatic maintenance will have password updates that happen automatically when the stored credentials don't match the local password on the system.


Centrify Integration Hub (Phase I): SSH Self-Service Resource Profiles

The ability to add thousands of different device types that support the SSH protocol is now supported in the form of SSH Self-Service Resource Profiles. This is the first phase of what will become the Centrify Integration Hub self-service portal for custom device and application plugins. The Centrify Integration Hub with SSH Self Service Resource Profiles will provide the tools necessary to create, test, and validate numerous custom SSH device plugins, called Resource Profiles, in a self-service model. The SSH device profiles will allow for customizations to be made to specific systems and account operations from password management to password reconciliation.

In Phase I of the Centrify Integration Hub, we present the following features for SSH Self-Service Resource Profiles:

  • Resource Profiles for SSH-enabled devices.
  • Provides the ability to define custom system profiles leveraging the Expect framework.
  • Includes support for Credential Verification, Password Rotation, Password Reconciliation, and Proxy Accounts.
  • Delivers an SSH Test Kit for validating functionality.

December 27, 2019

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Privileged Access Service enables you to discover, manage, and apply policy to account passwords and secrets, as well as access rules for both privileged and unprivileged accounts. PAS also offers centralized access to systems and session auditing when combined with the Audit and Monitoring Service.
  • Authentication Service is a "best of breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX, Linux and Windows systems.
  • Audit & Monitoring Service delivers auditing, logging and real-time monitoring of user activity on your Windows, UNIX and Linux systems.

The net result for thousands of customers who have deployed Centrify Services is increased security, improved compliance and operational efficiencies. Release 19.6 is a major release that contains significant enhancements to security and functionality.

About Release 19.9

Release 19.9 is a minor update; however, it includes key capabilities for customers using the MS PAM component of the Microsoft Enhanced Security Administrative Environment (MS ESAE), customers leveraging Smart Cards on RHEL platforms on Citrix VDA, and the first phase of the modernization of the DirectAudit capabilities.

What's new in the Authentication Service and Privilege Service for UNIX and Linux 19.9

DirectControl Agent
  • Agent version is 5.6.1
  • Enhanced Support for the Microsoft Enhanced Security Administrative Environment (MS ESAE)
    Centrify DirectControl Agent's Microsoft Privilege Access Management (PAM) Privilege Escalation feature is enhanced to support the single sign-on (SSO) scenario. Note: After the user has been granted elevation and added to the PAMGroup, the user is required to obtain a new ticket-granting ticket (TGT) for SSO login.
  • Smart Card Support for Citrix VDA
    Centrify DirectControl Agent can now integrate with Citrix Linux Virtual Delivery Agent to support smart card login on Red Hat platforms.
DirectControl and Utilities Compatibility Notes

This release of Centrify DirectControl Agent for *NIX will work with the following:

  • The latest released Centrify for DB2 and Centrify for Samba.
  • Centrify DirectAudit Agent of Release 2017 or later, except:
    • On AIX and Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later.
  • Centrify OpenSSH of Release 19.6.
  • Centrify OpenSSH of Release 2017 or later, except:
    • On Linux PowerPC platforms, all packages must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, Centrify OpenSSH must be of Release 2018 or later.
Access Manager Console
  • Fixed a security vulnerability that allowed an attacker to perform remote code execution, related to the .NET Framework vulnerability detailed in CVE-2012-0161.
Centrify Group Policy Management
  • Added the GP mapper script to distribute CA Bundle for AIX and HPUX.
Centrify Report Services
  • Added support for using PostgreSQL instead of MS SQL Server as the database for Centrify Report Services. The version of PostgreSQL must be 11 or above. Please note that Centrify reports cannot be used if the database engine is PostgreSQL.

For additional and more detailed information about the agent, command line utility enhancements, tooling improvements and parameters, refer to the Centrify DirectControl release notes document.

What's new in Privilege Service for Windows™

Agent version is 3.6.1

Security Fixes
  • Fixed a security vulnerability that allowed an attacker to perform remote code execution, related to the .NET Framework vulnerability detailed in CVE-2012-0161.

For additional and more detailed information about the Privilege Elevation Service for Windows(tm), refer to the Agent Release Notes document.

What's new in the Audit and Monitoring Service

  • DirectAudit now supports auditing of Windows and Linux systems that are enrolled with the Centrify cloud platform and may not be joined to an Active Directory domain.
  • DirectAudit has introduced a new component named “Audit Extension for Centrify Client” which facilitates auditing of Windows systems that are enrolled with the Centrify cloud platform.
Centrify DirectAudit Collector
  • DirectAudit Collector now supports auditing of both Active Directory joined systems and the systems enrolled with the Centrify cloud platform using an SSL/TLS based communication channel.
Centrify Audit Analyzer and Session Player
  • Audit Analyzer console's results pane now displays audited session's identifier (a.k.a. SessionId) for each of the returned results.
Centrify DirectAudit Agent for UNIX/Linux
  • Centrify DirectAudit Agent for Linux now facilitates auditing of Linux systems that are not joined to an Active Directory domain.
  • '/sbin/shutdown' has been added to the list of nologin shells (the nss.nologin.shell parameter).
  • The following programs have been added to the default value of nss.program.ignore: polkitd, abrtd, dbus-daemon, systemd-tmpfiles, systemd-journald and crond.
Centrify Direct Audit Module for PowerShell

The Centrify Audit Module for PowerShell now supports permanent deletion of audit trail events based on the specified search criteria.

Security Fixes
  • Fixed a security vulnerability that allowed an attacker to perform remote code execution, related to the .NET Framework vulnerability detailed in CVE-2012-0161.

For additional and more detailed information about the Auditing and Monitoring Service, please review the DirectAudit release notes.

New Platform Support

In this release, we have added support for these new platforms:

  • CentOS 7.7 (x86_64)
  • CentOS 8.0 (x86_64)
  • Debian 9.10, 9.11, 10.0, 10.1 (x86_64)
  • Oracle Linux 8.0 (x86_64)
  • Oracle Linux 7.7 (x86_64)
  • Red Hat Enterprise Linux 7.7 (x86_64, PPC64, PPC64LE)
  • Ubuntu Linux 19.10 (x86_64, PPC64EL)

To see all platforms in the Centrify Infrastructure Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” at www.centrify.com/platforms.

To check whether your platform has reached end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal Login to access this page.)

Notice of Termination of Support

In this release, we are removing support for the following platforms:

  • Fedora 29

This is the last release in which we'll support these platforms:

  • Amazon Linux (2017-09)
  • Debian 8.x
  • Ubuntu 19.04
  • Windows 7
  • Windows 2008R2

For more detailed information about supported platforms and notices of termination, review the lifecycle policies pages https://www.centrify.com/support/customer-support-portal/policies/product-lifecycle/versions/ or review the Zero Trust Privilege Services release notes.

December 17, 2019

New Features - Centrify Privileged Access Service

Automatic password reconciliation for local accounts on Windows systems

Out-of-sync passwords can interrupt IT operations and impact security. This new feature will extend the support of a privileged domain administrative account to reconcile passwords of Windows local accounts, without manual administrative interaction. This will guarantee that Centrify is the single source of truth for passwords used to access infrastructure. Windows systems with managed local accounts enabled for maintenance will have password updates that happen automatically when the stored credentials are incorrect. In addition, these accounts can also be enabled to be unlocked if they are in a locked state.

Local client support for RDP and SSH on Mac

Macs are first-class citizens in the world of IT administration and require full functionality for remote system management. Centrify adds support for local RDP and SSH clients on Mac. IT admins can launch remote sessions and connect with thick clients installed on their local machine.

Administrative Bulk Actions for Systems and Accounts

Administrators will gain the ability to perform actions on systems and accounts in bulk from the PAS UI.

The following actions will be simple to do on multiple systems and accounts with a few clicks.

  • Delete systems by multi-select
  • Delete systems by manual or dynamic sets
  • Delete, Manage, and Rotate accounts by multi-select
  • Delete, Manage, and Rotate accounts by manual or dynamic sets
Enhanced Support for LDAP

The Centrify Privileged Access Service is extending supportability for generic LDAP servers with the ability to customize LDAP attributes and schemas. LDAP user and group attribute names for non-standard and custom LDAP schemas can be added, mapped, and tested for validity.

Highlights

  • Improved unique identifier support
  • Improved support for LDAP groups
  • Support for password change and resets
  • Improved site awareness using native methods
  • Improved search capability by understanding native methods
  • Validated support for Radiant Logic’s federated identity service, RadiantOne Federated Identity (FID)
  • Support for other LDAP vendors to come in the future
FIDO2 Support for multi-factor authentication

Centrify has supported Fast IDentity Online (FIDO) for years and is a member of the FIDO Alliance. FIDO2 is an authentication standard hosted by the FIDO Alliance. FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. Since FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. This security model eliminates the risks of phishing, forms of password theft, and replay attacks. Also, this provides better alignment with NIST 800-53 high-assurance authentication controls.

Centrify will be leveraging the WebAuthn API to enable password-less authentication to the Privileged Access Service using either on-device or external authenticators. On-device authenticators are biometric authenticators integrated into the device hardware. Popular examples are Apple Touch ID and Face ID, Windows Hello, and fingerprint scanners. External authenticators are security keys that you plug into the device's USB port; for example, a YubiKey.
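The phishing and replay resistance described above is not a property of the authenticator alone; it depends on the relying party checking what the browser and authenticator report. The Python block below is an added example, not Centrify's WebAuthn implementation, showing the structural checks a relying party performs on an assertion: the clientDataJSON type, the server-issued challenge, the origin the browser observed, the rpIdHash that scopes the credential to one RP ID, the user-present and user-verified flags, and the signature counter that exposes replayed or cloned authenticators. The relying party name pas.example.com, the challenge value and the three assertions are constructed for the example, and the public-key signature check over authenticatorData is deliberately left out so the block runs without a crypto library.

```python
"""Added example: relying-party checks on a WebAuthn assertion (structural checks only, not Centrify code)."""
import base64
import hashlib
import json
import struct
from typing import List

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url(data: bytes) -> str:
    """base64url without padding, as used for WebAuthn challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct the 37-byte minimum authenticatorData an authenticator emits for an
    assertion: sha256(rpId) || flags || 32-bit big-endian signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(data: bytes) -> dict:
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    return {"rp_id_hash": data[:32], "flags": data[32],
            "sign_count": struct.unpack(">I", data[33:37])[0]}


def check_assertion(rp_id: str, expected_origin: str, expected_challenge: str,
                    client_data_json: bytes, auth_data: bytes,
                    stored_sign_count: int, require_uv: bool = True) -> List[str]:
    """Return the names of failed checks; an empty list means the assertion passed them all.
    The signature over authenticatorData || sha256(clientDataJSON) is verified separately
    with the credential's stored public key and is not shown here."""
    failures = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != expected_challenge:     # fresh, server-issued, single-use value
        failures.append("challenge")
    if cd.get("origin") != expected_origin:           # filled in by the browser, not by page script
        failures.append("origin")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")                   # credential is scoped to our RP ID only
    if not (ad["flags"] & FLAG_UP):
        failures.append("user-present")
    if require_uv and not (ad["flags"] & FLAG_UV):
        failures.append("user-verified")
    # A counter that did not advance suggests a replayed assertion or a cloned authenticator.
    if ad["sign_count"] != 0 and ad["sign_count"] <= stored_sign_count:
        failures.append("sign-count")
    return failures


def demo() -> dict:
    """Three constructed assertions against a relying party assumed to be pas.example.com."""
    rp_id, origin = "pas.example.com", "https://pas.example.com"
    challenge = b64url(b"constructed-challenge-0001")

    def client_data(origin_seen: str) -> bytes:
        return json.dumps({"type": "webauthn.get", "challenge": challenge,
                           "origin": origin_seen}).encode()

    good = check_assertion(rp_id, origin, challenge, client_data(origin),
                           build_authenticator_data(rp_id, FLAG_UP | FLAG_UV, 12),
                           stored_sign_count=11)
    # Same user on a look-alike domain: the browser reports that origin and the
    # authenticator scopes the credential to that RP ID, so both checks fail.
    phish = check_assertion(rp_id, origin, challenge, client_data("https://pas.example-login.com"),
                            build_authenticator_data("pas.example-login.com", FLAG_UP | FLAG_UV, 12),
                            stored_sign_count=11)
    # A captured assertion presented again: the counter has not moved past the stored value
    # (a single-use challenge would also catch this; the counter check is shown in isolation).
    replay = check_assertion(rp_id, origin, challenge, client_data(origin),
                             build_authenticator_data(rp_id, FLAG_UP | FLAG_UV, 12),
                             stored_sign_count=12)
    return {"good": good, "phish": phish, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The origin and rpIdHash checks are what make the credential useless on a look-alike site, and the counter check is what turns a replayed assertion into a detectable event; a production relying party should log a counter regression as a security incident rather than silently rejecting it.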

Centrify Client Auditing

Auditing for the new generation of Centrify Clients. This new generation of client-based auditing will be independent of Active Directory, allowing for more flexible and scalable deployments. Please look forward to the following benefits with this release.

  • Deploy the Audit and Monitoring agent on the Centrify Client for Windows or Linux without Active Directory (AD)
  • Secure data path over HTTPS
  • Improves the ability to deploy Auditing in DMZs or IaaS where AD is not available
Offline Login on Centrify Client for Windows

The Centrify Privileged Access Service introduces a new permission called “Offline Rescue” to improve the availability controls for Windows systems. This permission allows an end user to use a passcode to log into a system that is offline.

  • OTP settings for Key Algorithm, number of digits, and counter period can be configured
  • Offline passcode can be retrieved from the system properties
  • Support for other Unix/Linux to come in the future
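The three configurable settings listed above (key algorithm, number of digits, counter period) are the parameters of a standard one-time-passcode scheme. As an added illustration, and not Centrify's implementation, the Python block below implements HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238) with the standard library only, parameterised by exactly those three settings, plus a verifier that tolerates a little clock drift and compares in constant time. Whether Offline Rescue uses these RFC algorithms unmodified is not stated on the page, so that is an assumption; the secrets shown are the RFC test-vector keys, not real credentials.

```python
"""Added example: HOTP/TOTP passcodes (RFC 4226 / RFC 6238) parameterised by algorithm, digits and period."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from the time step (period in seconds)."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", drift_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- drift_steps neighbours, comparing in
    constant time so that timing does not leak how many leading digits were correct."""
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits, algorithm), candidate)
               for d in range(-drift_steps, drift_steps + 1))


# RFC 6238 reference secrets: the ASCII digits repeated to 20, 32 and 64 bytes respectively.
RFC_SECRET_SHA1 = b"12345678901234567890"
RFC_SECRET_SHA256 = b"12345678901234567890123456789012"
RFC_SECRET_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


if __name__ == "__main__":
    # A current 6-digit SHA-1 code for the reference secret, as an authenticator app would show it.
    print(totp(RFC_SECRET_SHA1, int(time.time())))
```

For an offline-login use case the server computes the passcode from the same secret and counter or time step that the client holds, which is why the secret must be provisioned over an authenticated channel and why the drift window should be kept small: every extra step accepted is another valid code an attacker could guess.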

September 12, 2019

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Privileged Access Service enables you to discover, manage, and apply policy to account passwords and secrets, as well as access rules for both privileged and unprivileged accounts. PAS also offers centralized access to systems and session auditing when combined with the Audit and Monitoring Service.
  • Authentication Service is a "best of breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX, Linux and Windows systems.
  • Audit & Monitoring Service delivers auditing, logging and real-time monitoring of user activity on your Windows, UNIX and Linux systems.

The net result for thousands of customers who have deployed Centrify Services is increased security, improved compliance and operational efficiencies. Release 19.6 is a major release that contains significant enhancements to security and functionality.

What's new in the Authentication Service and Privilege Service for UNIX and Linux 19.6

Special Note on FIPS Mode

As part of this release, we updated the OpenSSL library, which is not yet FIPS-validated by the supplier. When OpenSSL releases a FIPS-certified version, Centrify will QA it and subsequently issue an update. Until then, Centrify recommends that customers relying on FIPS-certified products should not upgrade to this release version.

Open Source and Shared Component Upgrades
DirectControl Agent
  • Agent version is 5.6.0
  • Added a feature on DirectControl Agent installer for Ubuntu to support the adapter library /lib/i386-Linux-gnu/ which hosts all 32-bit libraries on a 64-bit Ubuntu host.

Command Line Utilities

  • adcdiag improvements:
    • Improved timestamps when probing connectors.
    • New 'adclient.cloud.connector' parameter to limit the probes to specific connectors.
    • Added the option "adcdiag -z" to display the Centrify Identity Platform configurations for the joined zone.
    • Added the option "adcdiag -l connectors -I <tenantid>" to show the connectors for the specified tenant ID only.
    • Added the qualifier "-d, --visible" for the "-l instances" or "-l connectors" option in adcdiag to show only the instances or connectors that are visible to the DirectControl agent.
  • adcheck has been enhanced to verify whether the name service cache daemon (nscd) is installed on the system.
  • adjoin now supports parallel execution when using the --precreate command to pre-create computers in a zone during provisioning.
  • adjoin and adleave support automatic sasauth PAM configuration update.
  • adkeytab now supports an --interactive switch along with the --adopt command as an alternative to --newpasswd, so that the password does not have to be entered in clear text on the command line.
  • adleave improvements:
    • Two new options remove role assignments from the computer zone, and the computer zone itself, when leaving a zone:
      • -o, --removecomputerzone, to remove the computer zone from Active Directory.
      • -O, --removemachinescope, to remove the DirectAuthorize scope from Active Directory.
    • Added the option -k, --removekeytab to the adleave command to remove the krb5.keytab file on a successful leave. Without this option, adleave only cleans up keytab entries and does not remove the key table file.
  • adsyncignore improvements:
    • New --case option to do case-sensitive comparisons of AD user/group names. By default, the comparison is case-insensitive.
    • New --dzcache option as a performance improvement. When this option is specified, the adsyncignore command uses the DZ cache from the DirectControl agent instead of walking the zone tree to check user visibility in the joined zone. This usually improves performance, especially when there are many role assignments and many users who have complete UNIX profiles but no role assigned.
  • adedit improvements:
    • Added an option '-notdelegateanyright' for the adedit 'create_zone' command. By default, the switch is false, which means the same behavior as before. If the switch is on, 'create_zone' will not set any security descriptor on the newly created zone object.
    • Added support for a new zone field 'tenantid' for hierarchical zones in the adedit 'get_zone_field' and 'set_zone_field' commands.
  • Behavior change: DirectControl command line utilities run by non-root users now write kset files to /tmp instead of /var/centrifydc/user. The directory /var/centrifydc/user is now obsolete.
DirectControl and Utilities Compatibility Notes

This release of Centrify DirectControl Agent for *NIX will work with the following:

  • The latest released Centrify for DB2 and Centrify for Samba.
  • Centrify DirectAudit Agent of Release 2017 or later, except:
    • On AIX and Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later.
    • On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later.
  • Centrify OpenSSH of Release 19.6.

As Centrify Deployment Manager is already discontinued after Release 18.11, Deployment Manager cannot deploy this release of Centrify DirectControl Agent for *NIX.

Notes for the OpenSSL libraries update

(*) OpenSSL and OpenSSH: This is a major upgrade from v1.0.2 to v1.1.1, which means the internal OpenSSL library and APIs are not backward compatible. Centrify OpenSSH is also upgraded, based on OpenSSH v7.9p1, for this reason. Several algorithms (EVP_sha, EVP_dss, EVP_dss1, EVP_ecdsa) are deprecated in OpenSSL v1.1.1 and hence no longer supported by our products, e.g. adcert, in this release.

(**) FIPS Mode: There is no FIPS mode support in this version. This means that all affected Centrify products will not support FIPS mode in this release. For example, the DirectControl agent will ignore the FIPS mode related group policy, 'Use FIPS compliant algorithms for encryption, hashing and signing', and the centrifydc.conf parameter, 'fips.mode.enable'.

Centrify-enhanced OpenSSH
  • Added a feature to allow remote root execution of commands without allowing remote login by root. Note: Please contact Centrify Support if you want to use it.
  • Added a new option GSSAPIKexAlgorithms in ssh_config and sshd_config to specify the list of key exchange algorithms that are accepted by GSSAPI key exchange. Possible values are gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-. The default is 'gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-'. This option only applies to protocol version 2 connections using GSSAPI.
Access Manager Console
  • Implemented the ability to export single zone info (roles and rights) without identifiable environment info and to import such exports in the new environment.
  • Added the console support to manage AIX extended attributes of users, groups, local users, and local groups.
  • Added the console support for the alternate nisNetGroup from the RFC2307 schema. Access Manager now shows one more node named 'NIS NetGroups (RFC2307)' under each zone's 'UNIX Data' node. Users can use RFC2307 schema nisNetGroup Active Directory objects to manage NIS net groups under this new node for larger groups without worrying about the 1024-character limitation. Sample C# programs and PowerShell scripts are also provided in the Centrify Access SDK to show how to manage this feature. Note: The usage of this nisNetGroup is controlled by the parameter 'ldapproxy.netgroup.use.rfc2307nisnetgroup' in the slapd.conf of Centrify OpenLDAP Proxy.
  • Added the console support in the Platform tab of the Zone Properties page to manage both the Centrify Identity Platform instance (tenant) ID and URL.

Centrify Access Module for PowerShell

  • Added a switch 'SkipPermissionSetting' in the cmdlet 'New-CdmZone' to not set the security descriptor when creating a zone. Note: This switch does not work on SFU zones yet.
  • Added a parameter 'Computer' in the cmdlet 'Get-CdmComputerRole' to get a list of computer roles for a specified computer from the zone hierarchy.
  • Added in the cmdlet 'Set-CdmRoleAssignment' the ability to update the description of a role assignment, and, similarly, in another cmdlet 'Get-CdmRoleAssignment' the ability to get the description of a role assignment.
  • Added a switch 'OverrideZPA' in the cmdlets 'Remove-CdmUserProfile' and 'Remove-CdmGroupProfile' to allow users to remove user and group profiles when auto-provisioning for profiles is enabled.
  • Added a parameter 'TenantId' to the cmdlets 'New-CdmZone', 'Set-CdmZone' for users to set the 'TenantId' property for a zone and added a property 'TenantId' to the 'CdmZone' object.
Centrify Group Policy Management
  • Added a selection of the populating location in the group policies 'Specify user names to ignore (lookup)' and 'Specify group names to ignore (lookup)' to select whether to populate the user/group names directly into the Centrify DirectControl configuration file or into the user/group ignore files. The default is Centrify DirectControl configuration file.
  • On Solaris, added a Group Policy to install AD certificates to standard system certificate store.
Centrify Zone Provisioning Agent
  • Added an event log message to show the summary of a provisioning process. The summary information includes the start time, end time and elapsed time of the provisioning process, the count of objects provisioned and the count of objects de-provisioned.

For additional and more detailed information about the agent, command line utility enhancements, tooling improvements and parameters, refer to the Centrify DirectControl release notes document.

What's New in Privilege Service for Windows(tm) 19.6

Agent version is 3.6.0

Command Line Utilities
  • The dzleave CLI now allows you to specify an option to remove the role assignment from the computer zone information in Active Directory.
Privilege Elevation MFA now supports RADIUS

This capability is being introduced to assist organizations wanting to leverage their existing MFA provider not for authentication but for Privilege Elevation on Windows (Run with Privilege, New Desktop). Note that this capability is not available for the RunAsRole.exe utility. Configuration is performed via Group Policy and RADIUS secrets via Centrify DirectAuthorize PowerShell Module.

Centrify DirectAuthorize PowerShell Module

Provides these cmdlets:

  • Join-CdmZone for joining a Centrify Zone. This command supports the Windows SecureString (PSCredential) class for improved automation in public and private clouds.
  • Exit-CdmZone for leaving a Centrify Zone. This command supports the Windows SecureString (PSCredential) class for improved automation in public and private clouds.
  • Set-RadiusSecret for provisioning the RADIUS secret in each independent system for MFA on Privilege Elevation via RADIUS.
Behavior Change

The DirectAuthorize Windows agent now supports finding the tenant and connectors by Tenant ID. For machines that are joined to a zone, use Access Manager to specify the tenant ID on zone properties. For machines not joined to a zone, use the GP "Specify the Platform Instance ID to use (when the agent is not joined to a zone)" to specify the tenant ID, or use Agent Configuration Panel to set the tenant ID when adding the identity platform service.

For additional and more detailed information about the Privilege Elevation Service for Windows(tm), refer to the Agent Release Notes document.

What's New in the Auditing and Monitoring Service 19.6

Centrify DirectAudit Collector
  • Updated the encryption algorithm used in communications to Audit Collectors from 3DES to AES.
  • Upgraded the compression library (quicklz) to the latest stable version.
Centrify Audit Analyzer and Session Player
  • The Session Player now generates audit trail events when a user starts playing a session.
  • The Session Player now allows auditors to update the review status of the audited session.
Centrify Agent for Windows
  • Updated the encryption algorithm used in communications to Audit Collectors from 3DES to AES.
  • Upgraded the compression library (quicklz) to the latest stable version.
DirectAudit Compatibility Notes

The minimum Centrify DirectControl Agent for *NIX version required by this version of the service is 5.4.0 (Release 2017) with the following exceptions:

  • On AIX, Linux PowerPC platforms, Centrify DirectControl Agent must be Release 2017.3 or later.
  • On Solaris x86 and SPARC platforms, Centrify DirectControl Agent must be Release 2018 or later, because the Solaris x86 packages have been changed to 64-bit in this release. The packages still provide 32-bit libraries to work with 32-bit programs.

For additional and more detailed information about the Auditing and Monitoring Service, please review the DirectAudit release notes.

New Platform Support 19.6

In this release, we have added support for these new platforms:

  • Debian 9.7, 9.8, 9.9 (x86_64)
  • IBM VIOS 3.x (PPC)
  • Red Hat Enterprise Linux 8 (x86_64, PPC64, PPC64LE)
  • Ubuntu Linux 19.04 (x86_64, PPC64EL)
  • Windows Server 2019 (LTSC)

To see all platforms in the Centrify Infrastructure Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” in www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal Login to access this page.)

Notice of Termination of Support 19.6

In this release, we are removing support for the following platforms:

  • Fedora 28
  • IBM VIOS 2.x
  • Ubuntu 14.04 LTS
  • Ubuntu 18.10

This is the last release in which we'll support these platforms:

  • Amazon Linux (2017-09)
  • Debian 8.x
  • Fedora 29
  • Ubuntu 19.04
  • Windows 2008R2
  • Windows 7 (x64)

For more detailed information about supported platforms and notices of termination, please review the Zero Trust Privilege Services release notes.

Centrify DirectSecure

From release 20.1 and onwards, Centrify DirectSecure will be completely deprecated and the following changes will be implemented:

  • DirectSecure will not be updated beyond the 5.4.2 version (2017.2 release).
  • Core Support for version 5.4.2 will be provided until October 2020.
  • Extended Support for version 5.4.2 will be provided until October 2022.
  • Beyond these support packages, there will be no further releases or support.
Alternatives for Centrify DirectSecure

Unfortunately, there are no other recommended alternatives for DirectSecure provided by Centrify.

New Features - Centrify Privileged Access Service 19.5

Privileged Access Request application update for ServiceNow’s New York release

The ServiceNow integration for PAS enables IT users to request temporary or permanent access to the specific systems or network devices they need to manage, checkout the password, or request a new role assignment associated with a specific resource from the ServiceNow asset management database. This release updates the certification of the integration for the most recent ServiceNow release, New York.

Documentation enhancements for integrating with Okta and Azure Active Directory Identity Providers

Integrations with Identity Providers can allow for federated user authentication from other directory sources into Centrify Privileged Access Service. This release will include documentation on how to configure SAML-based single sign-on for integrating the Privileged Access Service with both Okta and Microsoft Azure Active Directory.


June 28, 2019

What’s New in Centrify Privileged Access Service 19.4

New Features -Centrify Privileged Access Service
Enhancements for an easy onboarding experience

Improvements to the existing Quick Start wizard, which include a Getting Started wizard for easy onboarding. System administrators will be guided through Connector installation and an import of up to 20 systems.

  • Allows for a quick discovery of Active Directory-joined Windows servers
  • Supports the option to discover and manage the local administrator accounts

Improved VMware Support

We are improving our support for VMware VMkernel systems and accounts. In this release, we will add the functionality of managing local accounts for VMkernel on ESXi hypervisor versions 5.5 and higher.

  • Enables shared account password management on VMware VMkernel systems
  • Allows remote login access to VMware VMkernel systems with account credentials and SSH keys

We are also enhancing the VMware vSphere client desktop application. This will allow login to VMware vSphere via vaulted account credentials and SSH keys using the desktop application.


Improved Database Performance

Performance at enterprise scale is a feature. Improved PAS architecture and queries for PostgreSQL enable fast page loads and queries for enterprise scale resource and account loads.

  • Orders of magnitude improvements for page loads and database queries
  • Scales to large enterprise deployment scale
  • Requires upgrade to version 19.4 database

If you are a customer using Centrify cloud service, no action is needed. These enhancements will be part of the 19.4 deployment.

For customers who are using on-premises deployment, please follow:
https://centrify.force.com/support/Article/KB-11818-How-To-Enable-FastDB-on-Customer-Managed-Privilege-Access-Service-PostgreSQL-Database to enable the feature.


The return of minutes in windowed workflow requests

The ability to specify windowed workflow requests in intervals of minutes instead of hours is coming back to the Privileged Access Service. This will allow users to specify their just-in-time login and checkout access requests down to the minute for granular time selection.

19.4 Workflow – Windowed Login Request by Minute
19.3 Workflow – Windowed Login Request by Hour

Extended support of account soft locks for Active Directory and LDAP

To prevent denial of service (DoS) attacks, we are extending the account lock capabilities of Centrify Directory Users to Active Directory (AD) and LDAP users. This feature sets a soft lock in the Privileged Access Service for an account that has made more than a set number of invalid login attempts. The locked account is then prevented from accessing Centrify services. The maximum number of consecutive bad password attempts, the capture window, and the lockout duration before a password re-attempt is allowed can be customized to a level below the AD or LDAP policy threshold.
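The soft-lock policy described above, as an added illustration written for this page rather than Centrify's own code: a gate in front of the directory bind counts consecutive bad passwords inside a capture window, trips a lock for the lockout duration, and refuses to trip later than the directory's own threshold. The policy values, the "svc-backup" account, the timestamps and the simplified directory bad-count model (no observation window) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SoftLockPolicy:
    max_bad_attempts: int        # consecutive invalid attempts before the soft lock trips
    capture_window: timedelta    # failures older than this are no longer counted
    lockout_duration: timedelta  # how long the account stays soft-locked


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent failure timestamps
    locked_until: Optional[datetime] = None


class SoftLockGate:
    """Sits in front of the AD/LDAP bind. A soft-locked account is refused here,
    so its attempts never reach the directory and cannot drive the directory's
    own lockout counter (the DoS the feature is meant to prevent)."""

    def __init__(self, policy: SoftLockPolicy, directory_threshold: int) -> None:
        # The soft lock must trip strictly before the directory's lockout would.
        if policy.max_bad_attempts >= directory_threshold:
            raise ValueError("soft-lock threshold must be below the directory lockout threshold")
        self.policy = policy
        self.directory_threshold = directory_threshold
        self._accounts: Dict[str, AccountState] = {}
        # Simplified model of the directory's bad-password counter (assumption):
        # consecutive forwarded failures, reset by a forwarded success.
        self.directory_bad_count: Dict[str, int] = {}
        self.directory_bad_peak: Dict[str, int] = {}

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Returns 'allowed', 'rejected' (bad password, forwarded) or 'soft_locked'."""
        st = self._accounts.setdefault(account, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "soft_locked"          # dropped here, never forwarded
            st.locked_until = None            # lockout expired: start over
            st.failures.clear()
        # From here on the attempt reaches the directory.
        if password_ok:
            self.directory_bad_count[account] = 0
            st.failures.clear()
            return "allowed"
        bad = self.directory_bad_count.get(account, 0) + 1
        self.directory_bad_count[account] = bad
        self.directory_bad_peak[account] = max(bad, self.directory_bad_peak.get(account, 0))
        cutoff = now - self.policy.capture_window
        st.failures = [t for t in st.failures if t > cutoff]   # forget stale failures
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_bad_attempts:
            st.locked_until = now + self.policy.lockout_duration
            return "soft_locked"
        return "rejected"


# Constructed policy: three bad passwords inside five minutes lock the account in PAS
# for fifteen minutes, while the (assumed) directory lockout threshold is five.
POLICY = SoftLockPolicy(max_bad_attempts=3,
                        capture_window=timedelta(minutes=5),
                        lockout_duration=timedelta(minutes=15))
DIRECTORY_THRESHOLD = 5
T0 = datetime(2019, 6, 28, 9, 0, 0)  # constructed start time


def run_scenario(events: List[Tuple[int, bool]],
                 account: str = "svc-backup") -> Tuple[List[str], int]:
    """Feed (seconds after T0, password_ok) events through a fresh gate and return
    the per-attempt outcomes plus the peak bad count the directory ever saw."""
    gate = SoftLockGate(POLICY, DIRECTORY_THRESHOLD)
    outcomes = [gate.attempt(account, ok, T0 + timedelta(seconds=s)) for s, ok in events]
    return outcomes, gate.directory_bad_peak.get(account, 0)


def burst_then_recover() -> Tuple[List[str], int]:
    """Four bad passwords ten seconds apart, then the right one after the lock expires."""
    return run_scenario([(0, False), (10, False), (20, False), (30, False),
                         (30 + 15 * 60 + 1, True)])


def spaced_failures() -> Tuple[List[str], int]:
    """Three bad passwords six minutes apart never fall inside one capture window."""
    return run_scenario([(0, False), (6 * 60, False), (12 * 60, False)])


if __name__ == "__main__":
    print(burst_then_recover())  # (['rejected', 'rejected', 'soft_locked', 'soft_locked', 'allowed'], 3)
    print(spaced_failures())     # (['rejected', 'rejected', 'rejected'], 3)
```

The directory never sees more than three consecutive failures in either run, so the real AD or LDAP account stays below its own lockout threshold of five while PAS absorbs the burst.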


Enhanced support for Federated Login

Light Federation allows federated users to be mapped to existing non-federated directory users in a Centrify tenant. Federation can now be configured so that account mapping is disabled, optional, or required for users coming from an external source directory (a federated Centrify Directory, a federated Idaptive Directory, or a federated Active Directory). This feature will enable users to be provisioned with access rights in the Centrify Privileged Access Service (PAS) before they log in for the first time. With the enhanced Light Federation support, customers will receive the following:

  • Support for granting PAS administrative rights to federated users by giving those rights to an existing mapped directory service account.
  • Support for optionally creating a Centrify Directory user when there is no existing account to map.
  • Support for synchronizing federated user attributes with a mapped user’s attributes.
  • Support for adding existing mapped users to federated groups.
  • Support for access policies that control multi-factor authentication (MFA).
  • Support for OAuth credentials for non-interactive federated authentication, which is primarily a feature that is used for Centrify PAS Client authentication.

New Centrify Privileged Access Service (PAS) Client for Windows

The new Centrify Client for Windows works with the PAS platform to provide brokered authentication to Windows systems. By using the common code of the Centrify Client for Linux, we are able to achieve synergy between PAS clients. This client is lightweight, easy to deploy, and ideal for customers that have IaaS or DMZ use cases. The following benefits will be provided with the client for Windows:

  • Multi-directory support (AD, LDAP, Google, and Centrify Directories)
  • Conditional Access
  • Multi-step and Multi-factor Authentication
  • Password-less login with “Use my Account”
  • CLI Tooling to interact with PAS
  • Local Group Mapping

April 16, 2019

What’s New in Centrify Privileged Access Service 19.3

Privileged Access Request application update for new ServiceNow releases

The ServiceNow integration for PAS comprises support for access request to PAS systems, PAS accounts and Zone roles in an Active Directory domain using a ServiceNow workflow. This release updates the certification of the integration for recent ServiceNow releases.

Centrify Integration for ServiceNow is now certified on:

  • ServiceNow London release
  • ServiceNow Madrid release

March 8, 2019

What’s New in Centrify Privileged Access Service 19.2

PAS Integration with SailPoint IdentityIQ PAM Module

Combining role-based access control with attestation and remediation from the industry leaders – Centrify and SailPoint

SailPoint IdentityIQ is the industry-leading IAM application focusing on attestation and remediation, access request, and user provisioning.

Centrify’s integration with SailPoint enables organizations to accelerate the adoption of crucial governance and compliance processes for identity and access management.

  • Provisioning users into Centrify PAS Roles or Sets
  • SailPoint PAM Module containers map to Centrify PAS Roles and Sets
    • Provision users into Centrify PAS Roles
    • Grant user permissions on Centrify PAS Sets
  • Attestation of user rights and permissions from PAS

Use and manage secrets in an RBAC hierarchy

Role-based access control is the proven methodology for managing distributed access to critical information. Centrify adds an RBAC hierarchy to file and text secrets.

  • Define who can edit and use Secrets within a Secret and folder hierarchy
  • You control:
    • The hierarchy (‘Secret and folder’)
    • Who can edit/use Secrets in which folder
    • Who can create/delete new folders in the hierarchy
    • Who can move Secrets and folders
  • Virtually unlimited namespace for Secrets
  • Standard for managing Secrets in DevOps
    • Secure API access to hierarchy and Secrets

SailPoint IdentityIQ connector integration enhancements

For customers who enable self-service for their users within SailPoint IdentityIQ, the Centrify Connector Integration offers unique value for self-service access request to systems and accounts managed by PAS.

The connector integration is enhanced to enable access request to Centrify Zone roles, in addition to resources and accounts managed by PAS.

Access request from within SailPoint IIQ to:

  • Centrify Zone roles
    • Writes new Zone information to Active Directory
    • User access updates based on agent settings

New UI for system and account tiles in old User Portal

The new Centrify PAS user interface puts a laser focus on managing your IT infrastructure. IT system and account logins for low privileged users (such as Help Desk) now appear in a user Workspace.

User Portal tiles for PAS systems and accounts are migrated into a new Workspace user interface.

  • New “My System Accounts” table in the user Workspace
  • Automatically migrates existing tiles
  • Portal Login permission is changed to Workspace Login
    • Accounts with this permission will appear in the user Workspace
  • Enables users without PAS administrative rights to access systems and accounts
    • Minimizes user interface for these users

New Features - Centrify Infrastructure Services

The 19.2 release of infrastructure services contains enhancements to use the LDAP proxy to access NIS Netgroups from RFC2307 data in Active Directory and some Kerberos enhancements.


January 28, 2019

What’s New in Centrify Privileged Access Service 19.1

Force rotation of account passwords

Security incidents may require an immediate update to all, or a selection of, an organization’s managed account passwords.

  • Enable PAS administrators to rotate managed account passwords on demand.
  • Select from Managed Accounts list
  • Starts password rotation job immediately
  • Email notification when job is complete
  • Activity and job history status of all password rotations
  • Independent of scheduled password rotation policy

Escrow encrypted password catalog

Secure, encrypted catalog for operational recovery of infrastructure supporting the solution.

In parallel with HA/DR, keep an optional daily backup of your passwords.

  • Encrypted file (CSV)
  • All account passwords
  • Intended for highly privileged administrators
  • OpenPGP key
  • Encrypted file e-mailed on a periodic daily schedule
  • Configured through the REST API

December 18, 2018

What's New in Centrify 18.11

NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:

Linux and UNIX
  • The Centrify SMB stack has been upgraded to support SMBv3. This enables the agent to retrieve group policies or files from SMB shares configured with that level of encryption.
  • New mechanisms to prevent forged host tickets (a.k.a. the "silver ticket" attack).
  • New extended support for the NSS mail aliases on zone enabled AD users.
  • Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
  • Solaris improvements
    • Alternate password hashes for disabled Solaris users are now supported.
    • MIT Kerberos commands, and programs linked with the MIT Kerberos library (release 1.13 or above), can now interoperate with the Centrify KCM service on Solaris.
  • Improvements to Audit Trail
    • New Centrify-enhanced sudo audit trail events for dzdo command execution starts/ends.
    • New Kerberos audit trail events for KCM Kerberos credential access.
  • Improvements to CLI tooling (adinfo, adjoin, adleave).
  • Added the support in zone property pages to allow users to specify the domain prefix IDs to improve entropy for UID and GID generation.
 
Centrify Agent for Windows(tm)
  • Justification for Privilege Elevation and ITSM Validation.
  • New capability to specify an alternative Centrify Zone user for Privilege Elevation (Run with Privilege/New Desktop).
  • YubiKey is now supported as a second factor for offline login.
  • New integration with McAfee Endpoint Drive Encryption software that enables features such as Auto Pre-boot and Password Synchronization.
  • Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
  • Diagnostics are now accessible from the Centrify systray.
  • Improved tooling (dzinfo.exe, dzleave.exe).
 
DirectAudit
  • New system platform affinity allows for the separation of Windows or UNIX session and event data into different audit stores.
  • The default database shipped with the product has changed to Microsoft SQL Server Express 2016.
 
Centrify Cloud Agent for Windows(tm) Preview
  • Leverage connected directories (Active Directory, LDAP, Google Directory or Centrify Directory) to provide brokered authentication to stand-alone Windows systems.
  • Multiple access methods: Direct, Gateway-based via RDP Client, Gateway-based using Web Client.
  • Password-less Web RDP access with “Use My Account” feature.
  • Multi-step/Multi-factor authentication policy.
  • Conditional Access Rules.
  • Role to Windows Group Mapping.
 
Utilities and Open Source Components
  • LDAP Proxy utility extended to support the critical extension flag “!” to allow for paged results.
  • Centrify Reports now can deploy pre-canned reports onto any accessible SQL Service Reporting Services.
  • Updates to Centrify OpenSSL (now based on OpenSSL 1.0.2o) and Centrify cURL (now based on cURL 7.61.1).
 

NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:

  • Better support for just-in-time access with a new control to disallow permanent grant of permissions in the access request workflow
  • Update to SSH library for improved security
 

NEW CENTRIFY APPLICATION SERVICES FEATURES:

  • Box de-provisioning. Option to transfer content to admin account in addition to previously supported de-provisioning options.
  • Password Complexity Settings. Adhere to NIST standard (NIST 800-63B)
  • Customized Privacy Policy and Terms of Use. Allow customer to have custom links to their privacy policy and terms of use.
  • ADFS MFA Plugin (Beta only). Centrify’s MFA plugin for ADFS 3.0.
  • SCIM server APIs. CRUD for user/group resources.
  • Custom MFA Phone Messages. Allows the customer to customize the audio messages for phone calls related to MFA
  • Mandatory Setup of MFA (require end users to set up MFA). Allows administrators to force and ensure that end users have set up the required MFA factors at first portal login.
 

NEW CENTRIFY ENDPOINT SERVICES FEATURES:

  • iOS - Show a custom message on Lock screen: Device lock MDM command (Lock Screen action) supports custom message (both iOS/Mac) and Phone number (iOS).

For a complete set of new features, please review the Centrify Cloud 18.11 Release Notes and Infrastructure Services 18.11 Release Notes.


November 12, 2018

What's New in Centrify 18.10

What's New in Centrify
Privileged Access Service 18.10

BETTER SUPPORT FOR JUST-IN-TIME ACCESS AND APPROVAL

Many organizations are moving to a model of just-in-time access and approval. Centrify supports this model with new controls to prohibit permanent entitlements in the request and approval process.


Disallow approvers the option to grant permanent entitlements.

  • Applies to all access request and approval processes
    • Password checkout or SSH key retrieval
    • Remote management sessions
  • Approvers can grant only time-bound access to accounts and systems
  • Global switch applies to all approval processes
    • Simple to enact and prove to auditors
 
REMOTE SESSIONS AT SCALE FOR CUSTOMER-MANAGED INSTALLATIONS

Distributed connector architecture and direct-to-target session brokering ensures performance at enterprise scale.


Enable the use of local SSH/RDP clients and disallow session streaming through the Web tier.

  • Forces remote management session data path direct from user workstation to connector to target system
    • Removes the Web tier from the data path
    • Scale management sessions by adding connectors
  • Global switch disallows use of browser-based SSH/RDP and brokers session out of the Web tier
  • Logging and auditing fully supported
 
SYSTEM, APPLIANCE AND DATABASE SUPPORT FOR SHARED ACCOUNTS

Continuous improvement in coverage of local account management for systems, appliances and databases, and secure remote access for systems and appliances.


Multi-tenant Oracle

  • Manage database account password on Oracle Database 12c multi-tenant architecture
  • Standalone database only

October 25, 2018

What's New in Centrify 18.9

New Centrify Privileged Access Services Features:

Manage connections and passwords for desktop apps

For organizations who require external controls on desktop application and database clients, Centrify controls the accounts and target connections the client can access.

Control the users and accounts that can access your systems and databases through thick clients such as TOAD.

Thick clients — Windows desktop applications — run on a secure proxy.


You control:

  • Who can log into the proxy
  • What thick client application they can run
  • What the client can connect to
  • What account the client uses to connect

Sessions are audited (recorded)

Users can create custom templates for apps that:

  • Support running in Windows Remote Desktop Services for Windows Server 2012R2 and 2016.
  • Allow command line parameters for account credentials and, optionally, target systems (such as databases).

Pre-defined templates are provided for:

  • Microsoft SQL Server Management Studio
  • TOAD for Oracle
  • VMware vSphere Client

Network-based discovery of local privileged accounts

Managing local privileged accounts can be a challenge for even the best IT teams. New discovery features help you find local privileged accounts and manage their passwords.


Use Centrify to automatically find, import, and manage local privileged accounts.

  • Find and scan systems for local privileged accounts by network subnet
  • Uses the same robust architecture and features as network system discovery
  • Automatically import local accounts
  • Take local account passwords under management
  • New bulk selection, i.e. “multi-select”

Discovered local accounts are automatically placed into sets. Accounts that are members of a Windows built-in/Administrators group (local administrator) can optionally be added to a separate set, making it easy to discover and view Windows local accounts that have very high privilege.

System and device login using SSH keys

For organizations who use SSH keys for access to systems, Centrify supports storing and using SSH keys for login.


Control the users and accounts that can access your systems through SSH keys.

  • Any account can use either a password or an SSH key (exclusive)
  • Access request to accounts using SSH keys is fully supported
  • PAS supports PEM for private keys and the following key algorithms:
    • DSA
    • PEM
 
Additional Enhancements

Time stamps were added to the log output of the diagnostic PowerShell scripts in customer-managed installations.

For customer-managed installations, a new process for obtaining the APNS certificate ensures that these customers will receive a unique CSR from Centrify, and a unique APNS certificate from Apple.

A change to the SailPoint IdentityIQ integration with PAS enables the creation of a tile on the PAS User Portal after an access request has been approved within IIQ.

 

New Centrify Application Services Features:

  • MFA Redirect Phase 1: Allows admins/users with multiple accounts potentially in different domains to ensure that he or she can use MFA from one account
  • CBE Improvements: We now provide a browser extension for all 4 browsers to make accessing apps easier
  • SAML script editor: The editor now includes inline hints, autocomplete, and onscreen help to make it easier for customers to write SAML scripts
  • DevOps applications category: This new applications category in the apps catalog enables customers to easily set up SSO for popular DevOps CI/CD apps
  • AWS CLI Utilities: We now offer Python and PowerShell CLI utilities for both admins and users to access Amazon Web Services (AWS) by leveraging Centrify Identity Services
  • Time-based workflow for mobile and desktop: Customers can now reduce risk by requesting and granting access to apps only during a given time window
 

New Centrify EndPoint Services Features:

  • Delegated Administration: Customers can now implement policy sets for endpoints and mobile devices ensuring that endpoints / mobile devices are being added to and removed from sets dynamically, based on changes to the attributes of the device.
  • O365 conditional access: We now give Exchange (O365) / MDM administrators the ability to ensure that no one can access company mail from a mobile device unless that mobile device is enrolled in MDM with the Centrify MDM solution.

For details see Centrify Cloud 18.9 Release Notes.

October 9, 2018

Centrify to Focus on Zero Trust Privilege, Spins out IDaaS Business as Idaptive

Centrify announces the spinout of its IDaaS business into a new company called Idaptive to better serve its customers and partners.

Centrify and Idaptive will operate as independent, affiliated companies beginning in January 2019. This strategy doubles down on two distinct areas of enterprise security – Privileged Access Management and IDaaS – with dedicated resources to optimize focus, efficiency and growth.

  • Centrify is sharpening its strategic focus on redefining the legacy approach to Privileged Access Management (PAM) with cloud-ready Zero Trust Privilege to stop the leading cause of breaches – privileged access abuse.
  • Idaptive will deliver Next-Gen Access to protect employees, partners and customers with its market-leading IDaaS solution, securing access everywhere with an Intelligent Access Cloud that constantly learns from and adapts to login context and risk in a way that protects companies.

We’re committed to clearly and consistently communicating this news to our customers, partners, and employees, so there are a lot of communications going out starting today:

For details, please contact your Centrify Account representative.