February 24th, 2021:
Enhancements available with the 11.0.0 release of Privilege Manager. Enhancements are for both versions, On-premises and Cloud, unless otherwise outlined under a specific On-prem or Cloud subtopic.
- Renamed Suppress UAC Action to Suppress UAC (Legacy). Refer to Default Actions and Adjust Process Rights Action.
- The Remove Program Utility does not require process elevation going forward. With this change a new sample policy was added to Privilege Manager. The Elevate Privilege Manager Remove Programs Policy Children Policy (Sample) policy should be activated on endpoints that are configured to use the Remove Program Utility. This policy elevates the uninstallers only after an approval request has been granted.
Filter validations for application control policies.
- Conflicting filters in application policies are reported, preventing a policy from being saved or activated.
- Non-application filters cannot be used as the only filter on an application policy or added as an application target.
- Added Observed Parent Processes reports for discovered events.
- Commandline information support on Server reports for Windows and macOS systems.
- Added computer SID registration information to be available via resource manager computer global account data.
General user interface improvements, focused field indicators, etc.
- Overhaul of statistics pages for User Policies.
- Overhaul of Configuration Feeds.
- Licensing page updates.
- Scheduler updates.
- Reports and Gauges.
New integration, Jamf Integration, to allow users to:
- Import Smart and Static Computer Groups and Computers.
- Import installed applications on Jamf endpoints as discovered resources and create filters.
- Rollout Privilege Manager Agents on to Jamf Endpoints.
- The Silverlight console has reached its EOL and all support has been removed from Privilege Manager release version 11.
- Added Apple® silicon support.
- Added Authorization DB handler.
- Rich text editing of end user prompts (message actions) via HTML editor.
- Added commandline parameters for macOS binaries in Manage Approvals for the approval request.
- New Unix/Linux OS support in the form of an Agent connecting to the Privilege Manager Server to exchange policies and events.
- Role support for Unix/Linux Administrators.
- Added Filters, Actions, and Computer Group support for Unix/Linux Computers.
- Service method for agents to post events via REST (JSON).
- Added Strict-Transport-Security header to 301/400/403 http responses.
- Improved path traversal and invalid header handling.
- Client-side password complexity check improvements.
- API endpoint authentication improvements.
- Folder View loads slowly for large resources with over 200K endpoints.
No option to specify different .NET framework versions for combined installations of Secret Server and Privilege Manager.
- Privilege Manager on-premises does not work with Azure Service Bus if the web server is set to use only TLS 1.2.
- Summary of Application Actions by Product Version Reports.
- BSOD error following a Windows system update.
- Send SysLog ... template based tasks to send logs to server fails.
- When adding a Persona, not all configuration options are visible in UI.
- The Application Control Service is creating a conflict when saving or printing Excel or Word files.
- Local user logout does not work correctly, preventing another local user from logging in.
- Errors in exported Agent Log file are not displayed.
- User accounts in a child domain do not appear as members of a local group.
- Folder View loads slowly for large resources with over 200K endpoints.
- The Administrator group is showing up twice when viewing the Group Policies section.
- User and group inventory may not reflect proper group membership the first time it runs on the endpoints. Subsequent runs will finish processing that information and will be accurate.
- Users removed from Security Group in AD still show as members of the AD group inside Privilege Manager.
- Creating a new managed user through macOS user policies and adding that new user to a newly created user policy on Privilege Manager Cloud an .outlets exception error is returned.
- macOS endpoint restart is blocked on macOS 10.15.7 (19H1030) when a policy targets PKG installation.
- When the agent needs to generate a UUID instead of relying on the Hardware UUID for the AgentId, multiple self-signed certificates are created in the System keychain.
- The KEXT and SYSEX flavors of the macOS agent can experience high memory utilization during File Inventory.
- With the SYSEX flavor of the macOS agent, a policy targeting PKG installation results in multiple authentication prompts to be triggered.
- Packages installed via
/usr/sbin/installerfail to complete. (Delivered in April 2021 macOS agent hotfix.)
- The elevation of copying an app bundle to Applications or moving it to the trash would sometimes prompt for admin credentials on Big Sur.
- When the sudo plugin is unable to connect to the system extension, the user is unable to execute commands via sudo.
- Newly created users do not show up under the associated group if the user is a managed macOS user.
Upgrading to Privilege Manager 10.8 or later from version prior to Privilege Manager 10.8.0 causes a task to run to merge computer groups and remove unused system computer groups. This primarily affects the Application Control policies that are using resource targets/computer groups named All Windows Computers with Application Control Agent Installed. With 10.8, those policies will use the Windows Computers computer group and macOS will use macOS Computers.
If you want to prevent this automatic merge, modify the XML of this item:
Add on line 2
Offline upgrades on multiple servers will need to be done manually.
With the Safari Browser, the behavior for default selection on drop-down menus might vary from other browsers.
On endpoints using OneDrive, GoogleDrive, DropBox, or similar extensions, the endpoint will take about 2 min to correctly initialize the Finder Extension functionality after enabling the extension or after the upgrade to 10.8 with an enabled extension.
If you have a policy allowing management of the /Applications folder via the Copy Install Application filter, deleting multiple applications from the /Applications folder will result in a dialog prompting for administrator credentials. The workaround is to have your end-users delete applications one at a time.
If you have enabled the Elevate Privilege Manager Agent Preference Pane (Sample) policy to elevate the Agent preference pane and you wish to target Big Sur, you will need to duplicate it and change the File Names to:
If you have already duplicated the Elevate Privilege Manager Agent Preference Pane (Sample) policy to elevate the Agent preference pane and you wish to target Big Sur, you will need to change the File Names to:
- The latest Application Control Agent released with Privilege Manager version 11 is not compatible with the driver verifier tool for Windows 10 version 1507. Any endpoints on Windows 10 version 1507 should remain on the 10.8 version of the Application Control Agent until the endpoint can be upgraded to a newer Windows 10 version.
- Registering Unix/Linux endpoints to the default target can take up to 15 min.