11.4.3 Release Notes

Release Schedule

Privilege Manager Cloud Release – December 9, 2023

Privilege Manager On-Premise Release - January 5, 2024

Windows Agent Software

  • 11.4.3220 Bundled Privilege Manager Agent Installer

  • 11.4.3220 Core Thycotic Agent (x64)

  • 11.4.3220 Core Thycotic Agent (x86)

  • 11.4.3220 Application Control Agent (x64)

  • 11.4.3220 Application Control Agent (x86)

  • 11.4.3220 Local Security Solution Agent (x64)

  • 11.4.3220 Local Security Solution Agent (x86)

  • 11.4.3220 Bundled Privilege Manager Core and Directory Services Agent

  • 11.4.3031 Directory Services Agent (x64)

macOS Agent

  • 11.4.3.033 Privilege Manager macOS Agent (Catalina and later)

  • 10.8.27 Privilege Manager macOS Agent (Catalina and previous)

When upgrading Privilege Manager to a newer version, Delinea recommends upgrading the Directory Services agent such that both are running on the same release version.

Privilege Manager supports only operating systems (OS) that have not reached their official End of Support. For best performance and compatibility, run Privilege Manager on a supported, actively maintained OS.

Delinea recommends as a best practice to create system restore points prior to doing system changes such as patches.

Stability and Reliability Improvements

As part of our continuous efforts to enhance our software, we are pleased to introduce key improvements in the stability and reliability of the Privilege Manager in our latest release. These updates significantly contribute to a more stable and reliable experience for all our users.

Scheduled Agent Jobs Optimization

Timeframe: January 13th - February 16th

Improvement Detail: Users may notice refined scheduling of Privilege Manager's scheduled agent jobs. These changes aim to boost the system's overall reliability and performance.

New Policy Introduction: The Task Scheduler - Ensure Randomness policy has been added to improve how agents execute scheduled jobs. It ensures that agents honor the random delays defined in those jobs, so job start times are spread across endpoints instead of clustering at the same moment.

Upgrading with Virtual Service Accounts

Starting with version 11.4.2, the Thycotic Application Control service runs under a virtual service account named NT SERVICE\ArelliaACSvc instead of NT AUTHORITY\SYSTEM (LocalSystem). Virtual service accounts really are "virtual": no local user account is provisioned on the computer, the account name is derived from the service name, and Windows manages its password. These accounts have been a supported feature since Windows 7 and Windows Server 2008 R2.

By default, all virtual service accounts are members of the group NT SERVICE\ALL SERVICES, and Windows grants the Log on as a service user right (SeServiceLogonRight) to that group at installation. If that right is revoked from the group, the service will not start.

Before upgrading to version 11.4.2 or newer from version 11.4.1 or older, review this information completely and ensure that your runtime environment complies with the stated requirements. Failing to do so will result in the application control service failing to function properly.

Refer to Virtual Service Accounts in Upgrades.
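The following pre-upgrade check is an added example and not Delinea's code. It exports the local user-rights assignment with secedit, confirms that NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) still holds SeServiceLogonRight, and reports which account the Application Control service actually runs under. It assumes the service is registered as ArelliaACSvc, the service name implied by the NT SERVICE\ArelliaACSvc account above; run it from an elevated PowerShell prompt, since secedit /export requires administrator rights.

```powershell
# Added pre-upgrade check; not Delinea's code. Assumes the Application Control
# service name is "ArelliaACSvc" (the name behind NT SERVICE\ArelliaACSvc).
# Run from an elevated prompt: secedit /export needs administrator rights.

$ServiceName    = 'ArelliaACSvc'   # assumed service name
$AllServicesSid = 'S-1-5-80-0'     # well-known SID of NT SERVICE\ALL SERVICES

function Get-ServiceLogonRightSids {
    # Export the local user-rights assignment and return the SIDs that hold
    # SeServiceLogonRight ("Log on as a service").
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }

    # The exported value looks like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-19,...
    # Entries are normally "*SID"; a bare account name is translated to its SID.
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) { $entry.Substring(1); continue }
        try {
            ([System.Security.Principal.NTAccount]$entry).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Could not resolve '$entry' to a SID"
        }
    }
}

function Test-AcsVirtualAccountPrereqs {
    $sids = @(Get-ServiceLogonRightSids)
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    $logonAccount = if ($svc) { $svc.StartName } else { $null }
    $state        = if ($svc) { $svc.State }     else { $null }

    $result = [pscustomobject]@{
        AllServicesHasLogonRight = ($sids -contains $AllServicesSid)
        ServiceFound             = [bool]$svc
        ServiceLogonAccount      = $logonAccount
        RunsAsVirtualAccount     = ([bool]$svc -and $logonAccount -eq "NT SERVICE\$ServiceName")
        ServiceState             = $state
    }

    if (-not $result.AllServicesHasLogonRight) {
        Write-Warning 'NT SERVICE\ALL SERVICES lacks "Log on as a service"; the Application Control service will not start under its virtual account after upgrade.'
    }
    return $result
}

Test-AcsVirtualAccountPrereqs | Format-List
```

If AllServicesHasLogonRight is False, restore the right through the GPO or security baseline that removed it (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a service) rather than editing the endpoint locally, or the next policy refresh will revoke it again.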

Certificate Validation for SSPM Agents

For both the Windows Agent and the macOS Agent, validate server certificate is turned off by default. It is turned on automatically, and the server certificate is validated, when your server hostname ends with one of these suffixes:

  • .privilegemanagercloud.com

  • .privilegemanagercloud.eu

  • .privilegemanagercloud.com.au

  • .privilegemanagercloud.com.sg

  • .privilegemanagercloud.ca

An on-premise server hostname does not match these suffixes, so validation stays off unless you enable it explicitly; until then the agent does not verify the TLS certificate the server presents. To force this setting on when deploying the agent for an on-premise Privilege Manager server via MDM, refer to:

Installing Windows Agents

Installing macOS Agents

Using regex with Group Memberships

Because 11.4.3 allows regex (preferred) or wildcard values in the local group membership controls, you must use specific and restrictive expressions. A broad pattern can match accounts you never intended to add to the group, and Delinea cannot guarantee that a given expression will never include an unintended user. Validate the expression yourself, for example with a regex tester or against your actual inventoried account names, and check group members regularly.
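The following script is an added example, not part of the release notes or of Privilege Manager, that shows the kind of validation the paragraph above asks for. It runs a candidate pattern against a constructed list of account names and reports unintended matches and missed accounts, contrasting an unanchored pattern with an anchored one. It assumes the product's regex flavor handles these simple anchors and classes the way .NET does; confirm the exact dialect in the Privilege Manager documentation before relying on more exotic syntax.

```powershell
# Added example; not Delinea's code. Tests a group-membership regex against a
# constructed account list so over-broad matches are visible before deployment.
# Assumes .NET-compatible regex semantics for the anchors and classes used here.

function Test-GroupMembershipPattern {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,     # candidate expression
        [Parameter(Mandatory)] [string[]] $Candidates,  # account names to test against
        [string[]] $Intended = @()                      # accounts you actually want in the group
    )
    $regex   = [regex]::new($Pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    $matched = @($Candidates | Where-Object { $regex.IsMatch($_) })

    [pscustomobject]@{
        Pattern    = $Pattern
        Matched    = $matched
        Unintended = @($matched  | Where-Object { $Intended -notcontains $_ })  # would be added by mistake
        Missed     = @($Intended | Where-Object { $matched  -notcontains $_ })  # wanted but not matched
    }
}

# Constructed sample of account names as they might appear in inventory.
# For a real check, feed names from your directory or local inventory instead, e.g.
#   (Get-LocalGroupMember -Group Administrators).Name
$accounts = @(
    'CORP\helpdesk01',
    'CORP\helpdesk02',
    'CORP\helpdesk-contractor',
    'CORP\svc-helpdesk-backup',
    'CORP\jdoe',
    'CORP\Administrator',
    'WORKSTATION\helpdesk'
)
$intended = @('CORP\helpdesk01', 'CORP\helpdesk02')

# Loose pattern: unanchored, so it also pulls in the contractor, the service
# account and a local account, all of which would silently become group members.
Test-GroupMembershipPattern -Pattern 'helpdesk' -Candidates $accounts -Intended $intended |
    Format-List

# Restrictive pattern: anchored at both ends, fixed domain prefix, exactly two digits.
# Only the two intended accounts match; Unintended and Missed are both empty.
Test-GroupMembershipPattern -Pattern '^CORP\\helpdesk\d{2}$' -Candidates $accounts -Intended $intended |
    Format-List
```

Treat a non-empty Unintended list as a blocking finding, and re-run the check after onboarding new accounts, since a pattern that was tight on day one can start matching newly created names later.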

Enhancements

  • When agents are failing to register because they are unknown or have an invalid install code, an alert will be raised in Privilege Manager. The alert has a link to a report that shows key details such as name and source IP.

    Privilege Manager Admins should review the list of invalid registrations and determine whether the computer needs to have the agent re-registered, or removed completely. Refer to Addressing Invalid Agent Registrations.

  • By default only commonly-used items will appear in global search results. A check box has been added to the UI to enable returning all results. Note that this will include items most users shouldn't modify without the assistance of support.

  • A new Agent Summary by Version report has been added to Privilege Manager. This report can be found under the Reports | Agent section. It displays agent versions, taken from the core agent component, separated by operating system.

    When a row is selected in the Agent Summary by Version report, users are presented with Managed Computers by Agent Version, which lists all computers running that core agent component version.

  • Added the ability to select multiple events on the Policy Events screen and acknowledge them in bulk.

  • The character limit for Windows Users and User Groups has been increased from 20 to 64, and on macOS from 20 to 128.

  • The User Group Management page now shows only built-in and managed groups by default. A toggle has been added to the top of the page to show all inventoried groups, but may time out on very large groups.

  • The Windows Agent Utility now behaves consistently when the Register and Update options are invoked from it.

  • Windows Agents now include their Azure Device ID as part of the standard agent registration process.

  • In version 11.4.3, the shell script used to uninstall the Mac agent has been replaced with an Installer package to perform this operation.

  • In version 11.4.3, resource discovery in the macOS agent will report Mach-O header info and digital signatures for executables built solely for Apple silicon. For universal applications, both slices (Apple and Intel) will be reported.

  • A new bundled EXE Installer includes all Privilege Manager Agents for Windows machines (Core, ACS, LSS), replacing the three separate deployments previously required. You can use the bundled installer directly on individual endpoints for testing, or in production, on either 32-bit or 64-bit systems.

  • A title bar now appears on workstation messaging dialogs that provides information for screen reader software.

  • On Mac workstations, user accounts can now be created with a random password instead of a static one.

Bug Fixes

  • Using the File Upload feature of the Privilege Manager UI (Console) to upload a file whose size is a multiple of 1048576 bytes no longer results in a Bad Request error.

  • The SQL query for Group Management has been updated so that it no longer shows duplicates.

Agent Specific

Windows

  • Fixed an issue where some programs were being falsely detected as system components, and didn't appear in the Remove Programs Utility.

  • Previously, the Parent is a High-Risk Application filter (used by the Delinea Policy Framework policy Malware Attack Protection) contained an outdated version of the Microsoft Edge filter. An up-to-date filter is now included, so LOLBAS attacks launched from Microsoft Edge are recognized where this policy is active.

  • When a COM or MSI elevation policy has a justify or approval action and that action is cancelled, the default UAC elevation/consent prompt will no longer be displayed.

  • Authenticated Justification Message Actions now correctly handle groups marked as Use for deny only. Previously the action could report success where it should have reported failure.

  • The Immediate File Inventory action has been fixed in this release. Its purpose is to force an inventory of an executable as soon as a policy carrying this action is applied.

    If required, use it in test environments while the product is initially being set up. It is not designed for long-term use in large environments, because it creates extra load on the servers as every computer reports the same inventory.

  • The issue where HTML messages appear twice for policies that target MMC snap-ins has been resolved. The message will only appear once when the policy is prompted. This fix also addressed issues that caused the Failed to obtain long prefix path for error message in the Agent logs.

  • Applications no longer open behind other windows following user interaction with a XAML/HTML action.

  • Performance improvements have been made on 12th and 13th generation Intel processors.

macOS

  • Updates have been made to the configuration of policies when controlling the usage of sudo. See Controlling the Usage of sudo for detailed information.

  • In the macOS Agent Privilege Manager Preference pane, the Policies Last Updated time is now refreshed whenever either updateclientitems (CLI or Pref Pane button) or the Update Applicable Policies (Mac OS) policy (CLI or schedule) runs and the Privilege Manager Server has a policy update to deliver.

  • Previously, invalid modifications to the Mac agent configuration policy could lead to various issues, including:

    • The configuration policy was displayed as "Unknown" in the client item lists

    • XML events such as Basic Inventory were not accepted by the Privilege Manager server

    This has been resolved: the Mac agent now performs additional validation of the agent configuration policy, and invalid values are ignored or replaced by a default value.

  • Resolved an issue where commands that automatically use a root shell (ps, su, top, etc.) were not blocked by a Deny Execute action unless the command was prefixed with sudo. Now, if a Deny Execute action is placed on /usr/bin/su, for example, both su and sudo su are blocked in the terminal.

  • Resolved an issue that could prevent registration of Macs bound to AD domains that were configured with non-default search paths.

  • Running a bare sudo command (sudo with no arguments) now correctly displays the sudo usage information instead of opening an elevated shell.

  • The following fix is available for macOS Monterey and Ventura to address an issue with the Printer Queue not opening:

    • Update the agent to 11.4.3

    • Remove the printer from the Printers & Scanners preference pane

    • Add the printer back into the Printers & Scanners preference pane

    The Printer Queue then opens normally.