support-masthead

What's New in Centrify Support

At Centrify, we believe it is essential for our customers to stay abreast with the latest developments — be it product- or company related. Our ‘What’s New’ section provides you with complete details on recent product releases and announcements.

CENTRIFY ANNOUNCEMENTS


September 12, 2019

About Centrify Zero Trust Privilege Services

Centrify Zero Trust Privilege Services (formerly Centrify Infrastructure Services or Centrify Server Suite) is a comprehensive family of products aimed to provide organizations with powerful tools for Directory Integration, Privileged Account Management, and Access Controls. It consists of:

  • Privileged Access Service enables you to discover, manage, apply policy to account passwords, secrets, as well as access rules for both privileged and unprivileged accounts PAS also offers centralized access to systems and session auditing when combined with the Audit and Monitoring Service.
  • Authentication Service is a "best of breed" Active Directory bridging solution that secures your platforms using the same authentication and Group Policy services deployed for your Windows Active Directory environment.
  • Privilege Elevation Service centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX, Linux and Windows systems.
  • Audit & Monitoring Service delivers auditing, logging and real-time monitoring of user activity on your Windows, UNIX and Linux systems.

The net result for thousands of customers who have deployed Centrify Services is increased security, improved compliance and operational efficiencies. Release 19.6 is a major release that contains significant enhancements to security and functionality.

 

What's new in the Authentication Service and Privilege Service for UNIX and Linux 19.6

Open Source and Shared Component Upgrades
 
DirectControl Agent
  • Agent version is 5.6.0
  • Added a feature on DirectControl Agent installer for Ubuntu to support the adapter library /lib/i386-Linux-gnu/ which hosts all 32-bit libraries on a 64-bit Ubuntu host.

Command Line Utilities

  • adcdiag improvements:
  • Improved timestamps when probing connectors.
  • New 'adclient.cloud.connector' parameter to limit the probes to a specific connectors.
  • Added the option "adcdiag -z" to display the Centrify Identity Platform configurations for the joined zone.
  • Added the option "adcdiag -l connectors -I ❮tenantid❯" to show the connectors for the specific tenant ID only.
  • Added the qualifier "-d, --visible" for the "-l instances" or "-l connectors" option in adcdiag to show the instances or connectors only if they are visible to DirectControl agent.
  • adcheck has been enhanced to verify if the name service cache daemon (ncsd) is installed in the system.
  • adjoin now supports parallel execution when using the --precreate command to pre-create computers in a zone during provisioning.
  • adjoin and adleave support automatic sasauth PAM configuration update.
  • adkeytab now supports an --interactive switch along with the --adopt command as an alternative to --newpasswd to prevent entering a password in clear text on the command line.
  • adleave improvements
  • There are two new options to remove role assignments from computer zone and computer zone itself when leaving a zone:
  • -o, --removecomputerzone, to remove computer zone from Active Directory.
  • -O, --removemachinescope, to remove Direct Authorize scope from Active Directory.
  • added option -k, --removekeytab to adleave command to remove krb5.keytab file on successful leave. Without this option, adleave will only clean up keytab entries but not remove key table file.
  • adsyncignore improvements:
  • New the --case option to do case-sensitive comparisons to AD user/group names. By default, it will do case-insensitive comparison.
  • New --dzcache option as a performance improvement. When this option is specified, the adsyncignore command will use the DZ cache from DirectControl agent instead of walking through the zone tree to check user visibility in the joined zone. This can usually improve the performance, especially when there is a lot of role assignments, and a lot of users who have complete Unix profiles but do not have role assigned.
  • adedit improvements:
  • Added an option '-notdelegateanyright' for adedit 'create_zone' command. By default, the switch is false, which means same behavior as before. If the switch is on, 'create_zone' will not set any security descriptor to the newly created zone object.
  • Added the support of a new zone field 'tenantid' for hierarchical zones in adedit 'get_zone_field' and 'set_zone_field' commands.
  • Behavior change: DirectControl command line utilities run by non-root users will now write kset files to /tmp instead of /var/centrifydc/user. The directory /var/centrifydc/user is now obsolete.
 
DirectControl and Utilities Compatibility Notes

This release of Centrify DirectControl Agent for *NIX will work with the following:

  • The latest released Centrify for DB2 and Centrify for Samba.
  • Centrify DirectAudit Agent of Release 2017 or later, except
  • On AIX, Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later.
  • On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later.
  • Centrify OpenSSH of Release 19.6.

As Centrify Deployment Manager is already discontinued after Release 18.11, Deployment Manager cannot deploy this release of Centrify DirectControl Agent for *NIX.

Notes for the OpenSSL libraries update

(*) OpenSSL and OpenSSH: This is a major upgrade from v1.0.2 to v1.1.1 which means the internal openssl library and APIs are not backward compatible. Centrify OpenSSH is also upgraded based on openssh v7.9p1 because of this reason. Several algorithms, EVP_sha, EVP_dss, EVP_dss1, EVP_ecdsa, are deprecated in OpenSSL v1.1.1 and hence no longer supported by our products, e.g. adcert, in this release.

(**) FIPS Mode: There is no FIPS mode support in this version. That means, all affected Centrify products will not support FIPS mode in this release. For example, DirectControl agent will ignore the FIPS mode related group policy, 'Use FIPS compliant algorithms for encryption, hashing and signing', and the centrifydc.conf parameter, 'fips.mode.enable'.

 
Centrify-enhanced OpenSSH
  • Added a feature to allow remote root execution of commands without allowing remote login by root. Note: Please contact Centrify Support if you want to use it.
  • Added a new option GSSAPIKexAlgorithms in ssh_config and sshd_config to specify the list of key exchange algorithms that are accepted by GSSAPI key exchange. Possible values are gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-. The default is 'gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-'. This option only applies to protocol version 2 connections using GSSAPI.
 
Access Manager Console
  • Implemented the ability to export single zone info (roles and rights) without identifiable environment info and to import such exports in the new environment.
  • Added the console support to manage AIX extended attributes of users, groups, local users, and local groups.
  • Added the console support for the alternate nisNetGroup from RFC2307 schema. Access Manager now shows one more node named 'NIS NetGroups (RFC2307)' under each zone's 'UNIX Data' node. User could use RFC2307 schema nisNetGroup Active Directory object to manage NIS net groups under this new node for larger groups without worrying about 1024 characters limitation. Sample C# programs and PowerShell scripts are also provided in Centrify Access SDK to show how to manage this feature. Note: The usage of this nisNetGroup is controlled by the parameter 'ldapproxy.netgroup.use.rfc2307nisnetgroup' in the slapd.conf of Centrify OpenLDAP Proxy.
  • Added the console support in the Platform tab of the Zone Properties page to manage both the Centrify Identity Platform instance (tenant) ID and URL.
 

Centrify Access Module for PowerShell

  • Added a switch 'SkipPermissionSetting' in the cmdlet 'New-CdmZone' to not set the security descriptor when creating a zone. Note: This switch does not work on SFU zones yet.
  • Added a parameter 'Computer' in the cmdlet 'Get-CdmComputerRole' to get a list of computer roles for a specified computer from the zone hierarchy.
  • Added in the cmdlet 'Set-CdmRoleAssignment' the ability to update the description of a role assignment, and, similarly, in another cmdlet 'Get-CdmRoleAssignment' the ability to get the description of a role assignment.
  • Added a switch 'OverrideZPA' in the cmdlets 'Remove-CdmUserProfile' and 'Remove-CdmGroupProfile' to allow users to remove user and group profiles when auto-provisioning for profiles is enabled.
  • Added a parameter 'TenantId' to the cmdlets 'New-CdmZone', 'Set-CdmZone' for users to set the 'TenantId' property for a zone and added a property 'TenantId' to the 'CdmZone' object.
 
Centrify Group Policy Management
  • Added a selection of the populating location in the group policies 'Specify user names to ignore (lookup)' and 'Specify group names to ignore (lookup)' to select whether to populate the user/group names directly into the Centrify DirectControl configuration file or into the user/group ignore files. The default is Centrify DirectControl configuration file.
  • On Solaris, added a Group Policy to install AD certificates to standard system certificate store.
  • On Solaris, added a Group Policy to install AD certificates to standard system certificate store.
 
Centrify Zone Provisioning Agent
  • Added an event log message to show the summary of a provisioning process. The summary information includes the start time, end time and elapsed time of the provisioning process, the count of objects provisioned and the count of objects de-provisioned.

For additional (and more detailed information) about the agent, command line utilities enhancements, tooling improvements and parameters, refer to the Centrify DirectControl release notes document.

 

What's New in Privilege Service for Windows(tm) 19.6

Agent version is 3.6.0

Command Line Utilities
  • dzleave CLI now allows to specify an option to remove role assignment from computer zone information in Active Directory.
 
Privilege Elevation MFA now supports RADIUS

This capability is being introduced to assist organizations wanting to leverage their existing MFA provider not for authentication but for Privilege Elevation on Windows (Run with Privilege, New Desktop). Note that this capability is not available for the RunAsRole.exe utility. Configuration is performed via Group Policy and RADIUS secrets via Centrify DirectAuthorize PowerShell Module.

 
Centrify DirectAuthorize PowerShell Module

Provides these commandlets:

  • Join-CdmZone for joining a Centrify Zone. This command supports the Windows SecureString (PSCredential) class for improved automation in public and private clouds.
  • Exit-CdmZone for leaving a Centrify Zone. This command supports the Windows SecureString (PSCredential) class for improved automation in public and private clouds.
  • Set-RadiusSecret for provisioning the RADIUS secret in each independent system for MFA on Privilege Elevation via RADIUS.
 
Behavior Change

The DirectAuthorize Windows agent now supports finding the tenant and connectors by Tenant ID. For machines that are joined to a zone, use Access Manager to specify the tenant ID on zone properties. For machines not joined to a zone, use the GP "Specify the Platform Instance ID to use (when the agent is not joined to a zone)" to specify the tenant ID, or use Agent Configuration Panel to set the tenant ID when adding the identity platform service.

For additional (and more detailed information) about the Privilege Elevation Service for Windows(tm) refer to the Agent Release Notes document.

 

What's New in the Auditing and Monitoring Service 19.6

Centrify DirectAudit Collector
  • Updated encryption algorithm used in communications to Audit Collectors from 3DES to AES.
  • Upgrade compression library (quicklz) to the latest stable version.
 
Centrify Audit Analyzer and Session Player
  • Session player now generates audit trail events when user starts playing a session.
  • Session player now allows auditors to update the review status of the audited session.
 
Centrify Agent for Windows
  • Updated encryption algorithm used in communications to Audit Collectors from 3DES to AES.
  • Upgrade compression library (quicklz) to the latest stable version.
 
DirectAudit Compatibility Notes

The minimum Centrify DirectControl Agent for *NIX version required by this version of the service is 5.4.0 (Release 2017) with the following exceptions:

  • On AIX, Linux PowerPC platforms, Centrify DirectControl Agent must be Release 2017.3 or later.
  • On Solaris x86 and SPARC platforms, Centrify DirectControl Agent must be Release 2018 or later because the Solaris x86 packages have been changed to 64-bit in this release - The packages still provide 32-bit libraries to work with 32-bit programs.

For additional (and more detailed information) about the the Auditing and Monitoring Service, please review the DirectAudit release notes.

 

New Platform Support 19.6

In this release, we have added support for these new platforms:

  • Debian 9.7, 9.8, 9.9 (x86_64)
  • IBM VIOS 3.x (PPC)
  • Red Hat Enterprise Linux 8 (x86_64, PPC64, PPC64LE)
  • Ubuntu Linux 19.04 (x86_64, PPC64EL)
  • Windows Server 2019 (LTSC)

To see all platforms in the Centrify Infrastructure Services within the extended support period, select “SEE ALL PLATFORM VERSIONS” in www.centrify.com/platforms.

To check whether your platform is end of life, click www.centrify.com/product-lifecycle and scroll down the page. (You will need your Centrify Support Portal Login to access this page.)

 

Notice of Termination of Support 19.6

In this release, we are removing support for the following platforms:

  • Fedora 28
  • IBM VIOS 2.x
  • Ubuntu 14.04 LTS
  • Ubuntu 18.10

This is the last release in which we'll support these platforms:

  • Amazon Linux (2017-09)
  • Debian 8.x
  • Fedora 29
  • Ubuntu 19.04
  • Windows 2008R2
  • Windows 7 (x64)

For more detailed information about supported platforms and notices of termination, please review the Zero Trust Privilege Services release notes.

 

New Features - Centrify Privileged Access Service 19.5

Privileged Access Request application update for ServiceNow’s New York release

The ServiceNow integration for PAS enables IT users to request temporary or permanent access to the specific systems or network devices they need to manage, checkout the password, or request a new role assignment associated with a specific resource from the ServiceNow asset management database. This release updates the certification of the integration for the most recent ServiceNow release, New York.

 
Centrify Support Diagram 1
 
 
Documentation enhancements for integrating with Okta and Azure Active Directory Identity Providers

Integrations with Identity Providers can allow for federated user authentication from other directory sources into Centrify Privileged Access Service. This release will include documentation on how to configure SAML-based single sign-on for integrating the Privileged Access Service with both Okta and Microsoft Azure Active Directory.

 
Centrify Support Diagram 2
 
 
 

June 28, 2019

What’s New in Centrify Privileged Access Service 19.4

New Features -Centrify Privileged Access Service
Enhancements for an easy onboarding experience

Improvements to the existing Quick Start wizard, which include a Getting Started wizard for easy onboarding. System administrators will be guided through Connector installation and an import of up to 20 systems.

  • Allows for a quick discovery of Active Directory-joined Windows servers
  • Supports the option to discover and manage the local administrator accounts
 
Whats New 19.4 Image 001
 

Improved VMWare Support

We are improving our support for VMWare VMkernel systems and accounts. In this release, we will add the functionality of managing local accounts for VMKernel on ESXi hypervisor versions 5.5 and higher.

  • Enables shared account password management on VMWare VMkernel systems
  • Allows remote login access to VMWare VMkernel systems with account credentials and SSH keys
 
Whats New 19.4 Image 002
 

We are also enhancing the VMWare vSphere client desktop application. This will allow login to VMWare vSphere via vaulted account credentials and SSH keys using the desktop application.

 
Whats New 19.4 Image 003
 

Improved Database Performance

Performance at enterprise scale is a feature. Improved PAS architecture and queries for PostgreSQL enable fast page loads and queries for enterprise scale resource and account loads.

  • Orders of magnitude improvements for page loads and database queries
  • Scales to large enterprise deployment scale
  • Requires upgrade to version 19.4 database

If you are a customer using Centrify cloud service, no action is needed. These enhancements will be part of the 19.4 deployment.

For customers who are using on-premises deployment, please follow:
https://centrify.force.com/support/Article/KB-11818-How-To-Enable-FastDB-on-Customer-Managed-Privilege-Access-Service-PostgreSQL-Database to enable the feature.

 

The return of minutes in windowed workflow requests

The ability to specify windowed workflow requests in intervals of minutes instead of hours is coing back to the Privileged Access Service. This will allow users to specify their just-in-time login and checkout access requests down to the minute for granular time selection.

 
19.4 Workflow – Windowed Login Request by Minute
Whats New 19.4 Image 004
 
19.3 Workflow – Windowed Login Request by Hour
Whats New 19.4 Image 005
 

Extended support of account soft locks for Active Directory and LDAP

In order to prevent Denial of Service (DOS) attacks, we are extending the account lock capabilities of our Centrify Directory Users to Active Directory (AD) and LDAP Users. This feature will set a soft lock in the Privileged Access Service for an account that has attempted to login more than a set number of invalid attempts. This will prevent the account that is locked from accessing Centrify services. The number of maximum consecutive bad password attempts, capture window, and lockout duration before a password re-attempt is allowed can be customized to be a policy level below the AD or LDAP policy threshold.

 
Whats New 19.4 Image 006
 
 
Whats New 19.4 Image 007
 
Whats New 19.4 Image 008
 

Enhanced support for Federated Login

Light Federation allows for federated users to be mapped to existing non-federated directory users in a Centrify tenant. Federation can now be configured to make account mapping disabled, optional, or required for users that are coming from an external source directory (A Federated Centrify Directory, A Federated Idaptive Directory, A Federated Active Directory). This feature will enable users to be provisioned with access rights into the Centrify Privileged Access Service (PAS) before they login for the first time. With the enhanced Light Federation support, customers will receive the following:

  • Support for granting PAS administrative rights to federated users by giving those rights to an existing mapped directory service account.
  • Support for optionally creating a Centrify Directory user when there is no existing account to map.
  • Support for synchronizing federated user attributes with a mapped user’s attributes.
  • Support for adding existing mapped users to federated groups.
  • Support for access policies that control multi-factor authentication (MFA).
  • Support for OAuth credentials for non-interactive federated authentication, which is primarily a feature that is used for Centrify PAS Client authentication.
 
Whats New 19.4 Image 009
 

New Centrify Privileged Access Service (PAS) Client for Windows

The new Centrify Client for Windows works with the PAS platform to provide brokered authentication to Windows systems. By using the common code of the Centrify Client for Linux, we are able to achieve synergy between PAS clients. This client is lightweight, easy to deploy, and ideal for customers that have IaaS or DMZ use cases. The following benefits will be provided with the client for Windows:

  • Multi-directory support (AD, LDAP, Google, and Centrify Directories)
  • Conditional Access
  • Multi-step and Multi-factor Authentication
  • Password-less login with “Use my Account”
  • CLI Tooling to interact with PAS
  • Local Group Mapping
 
Whats New 19.4 Image 010
Whats New 19.4 Image 011
 
Whats New 19.4 Image 012
 
 
Whats New 19.4 Image 013
 
 
 

April 16, 2019

What’s New in Centrify Privileged Access Service 19.3

Privileged Access Request application update for new ServiceNow releases

The ServiceNow integration for PAS comprises support for access request to PAS systems, PAS accounts and Zone roles in an Active Directory domain using a ServiceNow workflow. This release updates the certification of the integration for recent ServiceNow releases.

Centrify Integration for ServiceNow is now certified on:

  • ServiceNow London release
  • ServiceNow Madrid release
 
Privileged Access Request Image
 
 

March 8, 2019

What’s New in Centrify Privileged Access Service 19.2

PAS Integration with SailPoint IdentityIQ PAM Module

Combining role-based access control with attestation and remediation from the industry leaders – Centrify and SailPoint

SailPoint IdentityIQ is the industry-leading IAM application focusing on attestation and remediation, access request, and user provisioning.

Centrify’s integration with SailPoint enables organizations to accelerate the adoption of crucial governance and compliance processes for identity and access management.

  • Provisioning users into Centrify PAS Roles or Sets
  • SailPoint PAM Module containers map to Centrify PAS Roles and Sets
    • Provision users into Centrify PAS Roles
    • Grant user permissions on Centrify PAS Sets
  • Attestation of user rights and permissions from PAS
 
Whats New 3/8/19 Image 1
 

Use and manage secrets in an RBAC hierarchy

Role-based access control is the proven methodology for managing distributed access to critical information. Centrify adds an RBAC hierarchy to file and text secrets.

  • Define who can edit and use Secrets within a Secret and folder hierarchy
  • You control:
    • The hierarchy (‘Secret and folder’)
    • Who can edit/use Secrets in which folder
    • Who can create/delete new folders in the hierarchy
    • Who can move Secrets and folders
  • Virtually unlimited namespace for Secrets
  • Standard for managing Secrets in DevOps
    • Secure API access to hierarchy and Secrets
 
Whats New 3/8/19 Image 2

SailPoint IdentityIQ connector integration enhancements

For customers who enable self-service for their users within SailPoint IdentityIQ, the Centrify Connector Integration offers unique value for self-service access request to systems and accounts managed by PAS.

The connector integration is enhanced to enable access request to Centrify Zone roles, in addition to resources and accounts managed by PAS.

Access request from within SailPoint IIQ to:

  • Centrify Zone roles
    • Writes new Zone information to Active Directory
    • User access updates based on agent settings
 
Whats New 3/8/19 Image 3

New UI for system and account tiles in old User Portal

The new Centrify PAS user interface puts a laser focus on managing your IT infrastructure. IT system and account logins for low privileged users (such as Help Desk) now appear in a user Workspace.

User Portal tiles for PAS systems and accounts are migrated into a new Workspace user interface.

  • New “My System Accounts” table in the user Workspace
  • Automatically migrates existing tiles
  • Portal Login permission is changed to Workspace Login
    • Accounts with this permission will appear in the user Workspace
  • Enables users without PAS administrative rights to access systems and accounts
    • Minimizes user interface for these users
 
Whats New 3/8/19 Image 4
 

New Features - Centrify Infrastructure Services

The 19.2 release of infrastructure services contains enhancements to use the LDAP proxy to access NIS Netgroups from RFC2307 data in Active Directory and some Kerberos enhancements.

 
 

January 28, 2019

What’s New in Centrify Privileged Access Service 19.1

Force rotation of account passwords

Security incidents may require an immediate update to all, or a selection of, an organization’s managed account passwords.

  • Enable PAS administrators to rotate managed account passwords on demand.
  • Select from Managed Accounts list
  • Starts password rotation job immediately
  • Email notification when job is complete
  • Activity and job history status of all password rotations
  • Independent of scheduled password rotation policy
 
Rotate Password Screenshot
 
Force Rotation of Account Passwords Screenshot
 

Escrow encrypted password catalog

Secure, encrypted catalog for operational recovery of infrastructure supporting the solution.

In parallel with HA/DR, keep an optional daily backup of your passwords.

  • Encrypted file (CSV)
  • All account passwords
  • Intended for highly privileged administrators
  • OpenPGP key
  • Encrypted file e-mailed on a periodic daily schedule
  • Configured through the REST API
 

December 18, 2018

What's New in Centrify 18.11

NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:

Linux and UNIX
  • The Centrify SMB stack has been upgraded to support SMBv3. This enables the agent to retrieve group policies or files from SMB shares configured with that level of encryption.
  • New mechanisms to prevent forged host ticket (aka. "silver ticket" attack).
  • New extended support for the NSS mail aliases on zone enabled AD users.
  • Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
  • Solaris improvements
    • Alternate password hash for Solaris disabled users are now supported.
    • MIT Kerberos commands or programs linked with MIT Kerberos library (release 1.13 or above) to inter-operate with Centrify KCM service on Solaris.
  • Improvements to Audit Trail
    • New Centrify-enhanced sudo audit trail events for dzdo command execution starts/ends.
    •  
    • New Kerberos audit trail events for KCM Kerberos credential access.
  • Improvements to CLI tooling (adinfo, adjoin, adleave).
  • Added the support in zone property pages to allow users to specify the domain prefix IDs to improve entropy for UID and GID generation.
 
Centrify Agent for WindowsTM
  • Justification for Privilege Elevation and ITSM Validation.
  • New capability to specify an alternative Centrify Zone user for Privilege Elevation (Run with Privilege/New Desktop).
  • YubiKey is now supported as a second factor for offline login.
  • New integration with McAfee Endpoint Drive Encryption software that enables features such as Auto Pre-boot and Password Synchronization.
  • Enhanced the Multi-Factor Authentication performance to prefer connectors in the same subnet and then in the same Active Directory site.
  • Diagnostics are now accessible diagnostics from the Centrify systray.
  • Improved tooling (dzinfo.exe, dzleave.exe).
 
Direct Audit
  • New system platform affinity allows for the separation of Windows or UNIX session and event data into different audit stores.
  • The default database shipped with the product has changed to Microsoft SQL Server Express 2016.
 
Centrify Cloud Agent for WindowsTM Preview
  • Leverage connected directories (Active Directory, LDAP, Google Directory or Centrify Directory) to provide brokered authentication to stand-alone Windows systems.
  • Multiple access methods: Direct, Gateway-based via RDP Client, Gateway-based using Web Client.
  • Password-less Web RDP access with “Use My Account” feature.
  • Multi-step/Multi-factor authentication policy.
  • Conditional Access Rules.
  • Role to Windows Group Mapping.
 
Utilities and Open Source Components
  • LDAP Proxy utility extended to support the critical extension flag “!” to allow for paged results.
  • Centrify Reports now can deploy pre-canned reports onto any accessible SQL Service Reporting Services.
  • Updates to Centrify OpenSSL (now based on OpenSSL 1.0.2o) and Centrify cURL (now based on cURL 7.61.1).
 

NEW CENTRIFY INFRASTRUCTURE SERVICES FEATURES:

  • Better support for just-in-time access with a new control to disallow permanent grant of permissions in the access request workflow
  • Update to SSH library for improved security
 

NEW CENTRIFY APPLICATION SERVICES FEATURES:

  • Box de-provisioning. Option to transfer content to admin account in addition to previously supported de-provisioning options.
  • Password Complexity Settings. Adhere to NIST standard (NIST 800-63B)
  • Customized Privacy Policy and Terms of Use. Allow customer to have custom links to their privacy policy and terms of use.
  • ADFS MFA Plugin (Beta only). Centrify’s MFA plugin for ADFS 3.0,
  • SCIM server APIs. CRUD for user/group resources.
  • Custom MFA Phone Messages. Allows the customer to customize the audio messages for phone calls related to MFA
  • Mandatory Setup of MFA (require end users to set up MFA). Allows administrators to force and ensure end users have setup required MFA factors at first portal login
 

NEW CENTRIFY ENDPOINT SERVICES FEATURES:

  • iOS - Show a custom message on Lock screen: Device lock MDM command (Lock Screen action) supports custom message (both iOS/Mac) and Phone number (iOS).

For a complete set of new features, please review the Centrify Cloud 18.11 Release Notes and Infrastructure Services 18.11 Release Notes.


November 12, 2018

What's New in Centrify 18.10

What's New in Centrify
Privileged Access Service 18.10

BETTER SUPPORT FOR JUST-IN-TIME ACCESS AND APPROVAL

Many organizations are moving to a model of just-in-time access and approval. Centrify supports this model with new controls to prohibit permanent entitlements in the request and approval process.

 
Security Settings Screenshot
 

Disallow approvers the option to grant permanent entitlements.

  • Applies to all access request and approval processes
    • Password checkout or SSH key retrieval
    • Remote management sessions
  • Approvers can grant only time-bound access to accounts and systems
  • Global switch applies to all approval processes
    • Simple to enact and prove to auditors
 
REMOTE SESSIONS AT SCALE FOR CUSTOMER-MANAGED INSTALLATIONS

Distributed connector architecture and direct-to-target session brokering ensures performance at enterprise scale.

 
Remote Sessions Diagram
 

Enable the use of local SSH/RDP clients and disallow session streaming through the Web tier.

  • Forces remote management session data path direct from user workstation to connector to target system
    • Removes the Web tier from the data path
    • Scale management sessions by adding connectors
  • Global switch disallows use of browser-based SSH/RDP and brokers session out of the Web tier
  • Logging and auditing fully supported
 
SYSTEM, APPLIANCE AND DATABASE SUPPORT FOR SHARED ACCOUNTS

Continuous improvement in coverage of local account management for systems, appliances and databases, and secure remote access for systems and appliances.

 
System, Application, and Database Diagram
 

Multi-tenant Oracle

  • Manage database account password on Oracle Database 12c multi-tenant architecture
  • Standalone database only

October 25, 2018

What's New in Centrify 18.9

New Centrify Privileged Access Services Features:

Manage connections and passwords for desktop apps

For organizations who require external controls on desktop application and database clients, Centrify controls the accounts and target connections the client can access.

Control the users and accounts that can access your systems and databases through thick clients such as TOAD.

Thick clients — Windows desktop applications — run on a secure proxy.

 
Manage Connections and Passwords Diagram
 

You control:

  • Who can log into the proxy
  • What thick client application they can run
  • What the client can connect to
  • What account the client uses to connect

Sessions are audited (recorded)

Users can create custom templates for apps that:

  • Support running in Windows Remote Desktop Services for Windows Server 2012R2 and 2016.
  • Allow command line parameters for account credentials and, optionally, target systems (such as databases).

Pre-defined templates are provided for:

  • Microsoft SQL Server Management Studio
  • TOAD for Oracle
  • VMware vSphere Client Network-based discovery of local privileged accounts

Managing local privileged accounts can be a challenge for even the best IT teams. New discovery features help you find local privileged accounts and manage their passwords.

 
Managing Local Privileged Accounts Diagram
 

Use Centrify to automatically find, import, and manage local privileged accounts.

  • Find and scan systems for local privileged accounts by network subnet
  • Uses the same robust architecture and features as network system discovery
  • Automatically import local accounts
  • Take local account passwords under management
  • New bulk selection, i.e. “multi-select”

Discovered local accounts are automatically placed into sets. Accounts that are members of a Windows built-in/Administrators group (local administrator) can optionally be added to a separate set, making it easy to discover and view Windows local accounts that have very high privilege.

 
System and device login using SSH keys

For organizations who use SSH keys for access to systems, Centrify supports storing and using SSH keys for login.

 
System and Device Login Diagram
 

Control the users and accounts that can access your systems through SSH keys.

  • Any account can use either a password or an SSH key (exclusive)
  • Access request to accounts using SSH keys is fully supported
  • PAS supports PEM for private keys and the following key algorithms:
    • DSA
    • PEM
 
Additional Enhancements

Time stamps were added to the log output of the diagnostic PowerShell scripts in customer-managed installations.

For customer-managed installations, a new process for obtaining the APNS certificate ensures that these customers will receive a unique CSR from Centrify, and a unique APNS certificate from Apple.

A change to the SailPoint IdentityIQ integration with PAS enables the creation of a tile on the PAS User Portal after an access request has been approved within IIQ.

 

New Centrify Application Services Features:

  • MFA Redirect Phase 1: Allows admins/users with multiple accounts potentially in different domains to ensure that he or she can use MFA from one account
  • CBE Improvements: We now provide extension for all 4 browsers to access apps easier
  • SAML script editor: The editor now includes inline hints, autocomplete, and onscreen help to make it easier for customers to write SAML scripts
  • DevOps applications category: This new applications category in the apps catalog enables customers to easily set up SSO for popular DevOps CI/CD apps
  • AWS CLI Utilities: We now offer Python and PowerShell CLI utilities for both admins and users to access Amazon Web Services (AWS) by leveraging Centrify Identity Services
  • Time-based workflow for mobile and desktop: Customers can now reduce risk by requesting and granting access to apps only during a given time window
 

New Centrify EndPoint Services Features:

  • Delegated Administration: Customers can now implement policy sets for endpoints and mobile devices ensuring that endpoints / mobile devices are being added to and removed from sets dynamically, based on changes to the attributes of the device.
  • O365 conditional access: We now provide an exchange (o365) / MDM administrators the ability to ensure that no one can get access to company mail from a mobile device unless that mobile device is enrolled in MDM with our Centrify MDM solution.

For details see Centrify Cloud 18.9 Release Notes.
 


OCTOBER 9, 2018

Centrify to Focus on Zero Trust Privilege, Spins out IDaaS Business as Idaptive

Centrify announces the spinout of its IDaaS business into a new company called Idaptive to better serve its customers and partners.

Centrify and Idaptive will operate as independent, affiliated companies beginning in January 2019. This strategy doubles down on two distinct areas of enterprise security – Privileged Access Management and IDaaS – with dedicated resources to optimize focus, efficiency and growth.

  • Centrify is sharpening its strategic focus on redefining the legacy approach to Privileged Access Management (PAM) with cloud-ready Zero Trust Privilege to stop the leading cause of breaches – privileged access abuse.
  • Idaptive will deliver Next-Gen Access to protect employees, partners and customers with its market-leading IDaaS solution, securing access everywhere with an Intelligent Access Cloud that constantly learns from and adapts to login context and risk in a way that protects companies.

We’re committed to clearly and consistently communicating this news to our customers, partners, and employees, so there are a lot of communications going out starting today:

For details, please contact your Centrify Account representative.


 

Ready to protect against the #1 Attack Vector?

Register for a 30-day trial of Centrify's Privileged Access Management (PAM) software to minimize your attack surface and control privileged access to your hybrid environment.

Free Trial