Sep 14th, 2021:
Enhancements available with the 11.2.0 release of Privilege Manager. Enhancements are for both versions, On-premises and Cloud, unless otherwise outlined under a specific On-prem or Cloud subtopic.
- Added support for Secured Computer Groups. With this new feature the former Roles option in the Admin menu was renamed to Security and a Configuration tab was added to support custom scoping of user roles to Target Computer or AD Domain groups.
- New fields were added to the User Context Filter to allow targeting of an account (user or group) by SID, even if that account has not yet been inventoried in the server.
- Added a Role Membership tab to user details page for easy role membership verification and changes, like role removal and add to new role options.
- Added a Windows Registry Inventory client task to create a Windows Registry Inventory report.
- Multiple SAML provider support via Create option on the SAML Providers Foreign Systems page. Multiple SAML Providers can be set up and Privilege Manager verifies the uniqueness of the Issuer ID.
- Authentication Provider changes are disabled for the provider the current user is logged in with.
- Azure Active Directory groups are not supported for Advanced Message Actions that require authentication by a member of the group. As such, the By member of the group selections only show groups that have an AD SID (not pure Azure AD groups).
- The User Access Control Consent Dialog Detect filter was changed to also catch UAC prompts run for MSI installer file types.
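The SID-based targeting described above (User Context Filter by SID, and the "By member of the group" restriction to groups that carry an AD SID) can be modelled with a small evaluator. The following Python is an added example, not Privilege Manager code: the `UserContextFilter` and `UserContext` classes are a hypothetical model of the filter, the SID and Azure object-ID formats are the standard textual forms, and every SID and object ID in it is a constructed sample value.

```python
"""Hypothetical model of a User Context Filter that targets accounts by SID."""
import re
from dataclasses import dataclass

# Textual SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
# The revision is always 1; up to 15 sub-authorities of 32 bits each may follow.
SID_RE = re.compile(r"^S-1-\d{1,10}(?:-\d{1,10}){1,15}$")
# Azure AD objects are identified by a GUID, which is not a SID.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_sid(value: str) -> bool:
    """True if value is syntactically a Windows security identifier."""
    return SID_RE.fullmatch(value.strip()) is not None


def is_azure_object_id(value: str) -> bool:
    """True if value looks like an Azure AD object ID (GUID) rather than a SID."""
    return GUID_RE.fullmatch(value.strip()) is not None


def split_domain_sid(sid: str):
    """For a domain account SID (S-1-5-21-X-Y-Z-RID) return (domain SID, RID).

    Well-known and built-in SIDs (e.g. S-1-5-32-544) have no domain part and
    are returned unchanged with RID None.
    """
    parts = sid.split("-")
    if len(parts) >= 8 and parts[2] == "5" and parts[3] == "21":
        return "-".join(parts[:-1]), int(parts[-1])
    return sid, None


def rejected_targets(values):
    """Return the entries that cannot be used as SID targets (e.g. pure Azure AD groups)."""
    return [v for v in values if not is_sid(v)]


@dataclass(frozen=True)
class UserContext:
    """Logon token as the agent sees it: the user's own SID plus its group SIDs."""
    user_sid: str
    group_sids: frozenset


@dataclass(frozen=True)
class UserContextFilter:
    """Targets accounts (users or groups) purely by SID; no inventoried account is needed."""
    target_sids: frozenset

    def __post_init__(self):
        bad = rejected_targets(self.target_sids)
        if bad:
            raise ValueError(f"not a SID (Azure AD object IDs are not accepted): {bad}")

    def matches(self, ctx: UserContext) -> bool:
        # A user matches if its own SID is targeted or it is a member of a targeted group.
        if ctx.user_sid in self.target_sids:
            return True
        return not self.target_sids.isdisjoint(ctx.group_sids)


# Constructed sample values; none of these refer to a real directory.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BUILTIN_ADMINS = "S-1-5-32-544"  # well-known SID of the local Administrators group
AZURE_GROUP_ID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed Azure AD object ID


def demo():
    """Evaluate one filter against three constructed logon contexts."""
    flt = UserContextFilter(frozenset({DOMAIN_SID + "-1105", BUILTIN_ADMINS}))
    alice = UserContext(DOMAIN_SID + "-1105", frozenset({DOMAIN_SID + "-513"}))  # targeted user
    bob = UserContext(DOMAIN_SID + "-1106", frozenset({DOMAIN_SID + "-513", BUILTIN_ADMINS}))  # via group
    carol = UserContext(DOMAIN_SID + "-1107", frozenset({DOMAIN_SID + "-513"}))  # no match
    return flt.matches(alice), flt.matches(bob), flt.matches(carol)


if __name__ == "__main__":
    print(demo())
```

The filter rejects GUID-style identifiers at construction time, which mirrors the note that only groups with an AD SID are selectable for group-membership authentication.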
Added rich text or WYSIWYG Advanced Display Message Action editing support. Deny and Warning prompts, Approvals (online only in v11.2.0), and Justification messages are supported by the new Display Advanced Message (HTML) template. Other changes delivered with this feature enhancement:
- Error message improvements in the log viewer to provide better error details around message actions.
- The Global Application Control policy path exclusions can be configured via the Windows Agent Configuration policy.
- Introduction of the native event uploader, making the Retry errored TMS Events - Catalina and later (macOS) policy obsolete for Privilege Manager macOS agents v11.2 or later.
- Added support for App Translocation when evaluating the App Bundle Filter Path property. If an App Bundle is run from an App Translocation path, its original path will be evaluated properly against the Filter's Bundle Path property.
- RegEx support when evaluating the Bundle Path property of an App Bundle Filter. This allows an App Bundle Filter to target a path based on RegEx and makes App Bundle Filters more flexible.
- Running the Uninstall.sh script now fully removes all macOS agent artifacts on an endpoint.
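The two App Bundle Filter changes above (App Translocation handling and RegEx support for the Bundle Path property) can be illustrated together. The Python below is an added example and not the macOS agent's code: `AppBundleFilter` is a hypothetical model, the translocation mount layout is the standard `/private/var/folders/.../T/AppTranslocation/<UUID>/d/` form, and the original-path resolver is a constructed lookup table standing in for the Security framework call the real agent would use. All paths are constructed samples.

```python
"""Hypothetical model of an App Bundle Filter evaluating Bundle Path with translocation and RegEx."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Quarantined apps are executed from a randomized read-only mount of this shape.
TRANSLOCATION_RE = re.compile(
    r"^/private/var/folders/[^/]+/[^/]+/T/AppTranslocation/[0-9A-Fa-f-]+/d/.+\.app$"
)


def is_translocated(path: str) -> bool:
    """True if the bundle is running from an App Translocation mount."""
    return TRANSLOCATION_RE.match(path) is not None


@dataclass(frozen=True)
class AppBundleFilter:
    """Targets an app bundle by its Bundle Path, literally or as a regular expression."""
    bundle_path: str
    use_regex: bool = False

    def matches(self, running_path: str,
                resolve_original: Callable[[str], Optional[str]]) -> bool:
        # A translocated bundle is evaluated against its original path, not the mount path.
        if is_translocated(running_path):
            effective = resolve_original(running_path)
            if effective is None:
                # Design choice for this example: an unresolvable translocated path never matches.
                return False
        else:
            effective = running_path
        if self.use_regex:
            return re.fullmatch(self.bundle_path, effective) is not None
        return effective == self.bundle_path


# Constructed translocated path and its original location (not real files).
TRANSLOCATED = ("/private/var/folders/ab/c3d4e5f6g7h8/T/AppTranslocation/"
                "0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9/d/Tool.app")
ORIGINAL = "/Users/jdoe/Downloads/Tool.app"
# Hypothetical resolver: the real agent asks macOS for the original URL.
KNOWN_ORIGINALS = {TRANSLOCATED: ORIGINAL}


def lookup_original(path: str) -> Optional[str]:
    return KNOWN_ORIGINALS.get(path)


def demo():
    """Evaluate a RegEx filter and a literal filter against constructed launch paths."""
    downloads_regex = AppBundleFilter(r"/Users/[^/]+/Downloads/[^/]+\.app", use_regex=True)
    literal = AppBundleFilter("/Applications/Tool.app")
    unknown_mount = TRANSLOCATED.replace("Tool.app", "Other.app")
    return (
        downloads_regex.matches(TRANSLOCATED, lookup_original),   # resolved, regex matches
        downloads_regex.matches("/Applications/Tool.app", lookup_original),  # wrong folder
        literal.matches("/Applications/Tool.app", lookup_original),  # literal match
        downloads_regex.matches(unknown_mount, lookup_original),   # unresolvable, no match
    )


if __name__ == "__main__":
    print(demo())
```

Note that `re.fullmatch` is used so a pattern such as `/Users/[^/]+/Downloads/[^/]+\.app` cannot match a longer path that merely begins with it.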
Removed the delete option for Authentication providers if currently active.
UTC support on Tasks schedules has been deprecated. Delinea recommends that all customized Tasks currently using UTC are changed to have the UTC switch turned off.
The Allow Copy to /Applications/ Directory action is deprecated and not supported in v11.2 and higher agents. Use the Copy Install Application Filter instead, to install to the /Applications folder.
This deprecation only impacts the v11.2.x macOS agents; older agents will continue to work with Allow Copy and drag and drop.
The Finder Sync Extension used to expose the self-elevate Finder context menu has been removed.
- Unacknowledged Events and Tasks in 'Ready' state are not clearing in the console.
- When an Agent registers without knowledge of the AD Domain SID, duplicate AD Domains are created.
- Following an Agent install the Computer/Agent IDs are not merging as expected.
- When importing items the Overwrite Existing Items checkbox does not function as expected. Refer to Importing Items for details on the specific import conditions based on checkbox selection.
- Updating WMI Data fails on systems where the UUID remains the same after a change to the operating system, WindowsDirectory, or BootDevice.
- Azure Groups are not being pushed to endpoints.
- 504 timeout error reported on loading of "Group Policies - Administrator Built-In Managed Group".
- Dependencies prevent Purge File Undiscovered and Purge Old Computer maintenance tasks from purging correctly and freeing up licenses.
- Authentication provider changes do not trigger an application pool recycle.
- The User Management Policy for built-in accounts displays the incorrect policy.
- The information under Settings on the Authenticated Justification Message Action is incorrect; the information only pertains to the "By a member of the group" option and not to all settings.
- The UTC Time option does not work with scheduled Email tasks.
- Expired licenses are not deleted from the server.
- AD Containers are not recognized by OU Computer Group Filter.
- Cloud instances are showing the "No Valid Support License" banner.
- Setting up and running the Email Scheduled task does not trigger emails to be sent.
- View Password role does not immediately work after system upgrade.
File Specification Filter does not support RegEx as intended.
In versions prior to 11.2 the Uninstall.sh script did not fully remove all artifacts. The following files
Running pkgutil --files com.thycotic.agent should report the following:
No receipt for 'com.thycotic.agent' found at '/'.
A change was made when upgrading to the 11.2.0 Release of Privilege Manager that forces a renewed save of all items to ensure they are in their correct states. To an agent, this re-save looks like an update to all of the existing policies and groups and will force a call back to the Privilege Manager Server to ensure it has all the updated policies and correct data. This causes all agents to call back to the server, generating a large amount of traffic while the agents attempt to get the full updated policy set. This impacts network traffic and slows Server processes while the agents are calling back for their updates. The amount of slowdown that the Server process experiences will depend on the number of agents that are attempting to update.
This can potentially cause a backlog if new policies are added or existing policies are modified while the re-save is still in progress, as those updates will be delayed until the update from the re-save is completed.
For on-premises installations of Privilege Manager version 11.2.0, if you are seeing a large increase in network traffic and Server bandwidth, this is a potential cause. Once all the Agents have been updated with the policies, you should see traffic and resources return to normal.
Deleting a Parent Targeted Group with a child group will throw an exception message, while partially performing a delete on certain items. As a workaround, first delete the child group before deleting the parent.
If a block policy is duplicated and used to create another policy to add Exclusions, the customized policy will be listed under Elevate vs. Block policies on the Application Policies page.
No Domain name is listed under Global Account Details when looking at Azure AD users and groups in the resource explorer.
Due to the Azure Graph API deprecation in the Azure Portal, manual steps are required to set up the Azure AD Foreign Systems integration:
- App Translocation path resolution does not work on Catalina 10.15.7 (19H1323). This affects App Bundle Filters using the Bundle Path property and File Quarantine Actions. Feedback FB9553808 has been filed for reference.
- Added a topic to demonstrate how to block all sudo commands, while allowing specific exceptions. Refer to macOS Privilege Manager Sudo Plugin.