12.0.1 Release Notes

Release Schedule

Privilege Manager Cloud Release – Saturday, June 22, 2024

Privilege Manager On-Premise Release - July 1, 2024

Windows Agent Software

Do not upgrade any Windows 11, version 23H2 or older machines to Windows 11 24H2 if they are also running Privilege Manager agent version 12.0.1096 or older. Likewise, do not install the agent on any computer what already has Windows 11, version 24H2 pre-installed on it.

This same warning applies to a server running Windows Server 2025. Do not install the agent on a server running Windows Server 2025.

Privilege Manager is working to have an agent compatible with the changes Microsoft made within this version available before the general release of Windows 11, version 24H2 and Windows Server 2025.

12.0.1096 Bundled Privilege Manager Agent Installer

12.0.1096 Core Thycotic Agent (x64)

12.0.1096 Core Thycotic Agent (x86)

12.0.1096 Application Control Agent (x64)

12.0.1096 Application Control Agent (x86)

12.0.1096 Local Security Solution Agent (x64)

12.0.1096 Local Security Solution Agent (x86)

12.0.1016 Bundled Privilege Manager Core and Directory Services Agent

12.0.1008 Directory Services Agent (x64)

macOS Agent

12.0.1.070 Privilege Manager macOS Agent (Catalina and later)

Installation Notes

  • Starting with builds 11.4.3235 & 12.0.1016, and going forward with all newer builds, there is a dependency on a PowerShell script being executed by the MSI installer package for the application control agent. The script itself is signed with our code signing certificate so it will meet the execution policy requirements for signed scripts, but if all script execution has been disabled, then it will cause the installer to fail.

  • When upgrading Privilege Manager to a newer version, Delinea recommends upgrading the Directory Services agent such that both are running on the same release version.

  • Privilege Manager exclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, it is recommended to utilize Privilege Manager on a supported and actively maintained OS.

    Privilege Manager version 12.0.1 and later no longer support Windows Server 2012 R2 and older operating systems. To ensure implementation of the latest security improvements, existing installs will need to migrate to the minimum system requirements of Windows Server 2016 or newer before upgrading to version 12.0.1 and later. Workstations remain unaffected.

  • Delinea recommends as a best practice to create system restore points prior to doing system changes such as patches.

    Delinea supports the use of software versions up to a year prior to the current version. The links to prior versions are found in the PDFs available for prior versions on Links to Previous Versions.

Stability and Reliability Improvements

As part of our continual focus on improving the quality of our service, we identified an infrastructure limitation in our cloud provider which, in some cases, caused stability and reliability problems when accessing the console. In this release, we updated the way our cloud resources communicate internally to avoid this limitation.

Certificate Validation for SSPM Agents

For both the Windows Agent and macOS Agent, by default, validate server certificate is turned off. However, if your server domain includes one of these, then validate server certificate will automatically be turned on and the server certificate will be validated:

  • .privilegemanagercloud.com

  • .privilegemanagercloud.eu

  • .privilegemanagercloud.com.au

  • .privilegemanagercloud.com.sg

  • .privilegemanagercloud.ca

To force this setting to be enabled for use with an on-premise Privilege Manager server via MDM deployment of the agent, refer to the documentation:

Installing Windows Agents

Installing macOS Agents

Using regex with Group Memberships

With the ability to be able to use regex (preferred) or wildcard values in the local group membership controls in 11.4.3, you must use specific and restrictive regex. We cannot guarantee that your expression will never include an unintended user. Please validate the expression yourself with one of the many online regex testers, and check group members regularly.

Jamf Pro Classic API: Basic Authentication Removal

Jamf has announced that the Classic API will no longer be enabled by default for new Jamf Pro instances for enhanced security. Support for Basic authentication is scheduled to be removed on March 31, 2024.

Beginning with Privilege Manager 12.0, Delinea supports the Jamf Bearer Token Authentication method.

This requires updating the Privilege Manager credential that is used to connect to Jamf Pro. The instructions for this can be found in Creating a Privilege Manager Credential.

Service Process Update for LSA Privileges

The Thycotic Application Control service is no longer configured to use a virtual service account; it is now configured to run as NT AUTHORITY\SYSTEM (local system) again. The removal of a dependency on using a virtual service account first appeared in version 12.0.0 (build 12.0.1016).

A different mechanism is now used to ensure that the service process has all of the Local Security Authority (LSA) privileges required for it to function properly. LSA privileges do not need to be explicitly granted for the service to run properly, and there is no need for GPOs (Group Policy Objects) to be created or modified as part of deploying the agent.

macOS 10.15 Catalina Support

Privilege Manager version 12.0.1 of the Mac agent no longer supports macOS 10.15 Catalina, for which Apple has not released a security update since July 2022. Going forward,Privilege Manager will follow the common practice of supporting those OS versions that Apple itself supports with security updates, namely, the current and two previous versions of macOS. (We anticipate discontinuing support for macOS 11 Big Sur when we implement support for the next release of macOS in late 2024.) We encourage our users to upgrade to a supported version of macOS to continue receiving the latest features and security updates.

Software like Privilege Manager is more closely coupled to the lower-level macOS frameworks than other applications; in particular, the security frameworks show a faster pace of evolution as Apple continues to update macOS. Adopting this support policy enables us to better follow Apple’s guidance by using the latest and most secure technologies, rather than relying on outdated or even deprecated frameworks. In this way, we can provide our customers with a better user experience and improved application functionality.

Enhancements

  • An interactive onboarding tutorial is available within the Privilege Manager application. This tutorial guides new users though the basic installation and configuration steps, helping them quickly get their system up and running.

  • A new Agent Icon, for both macOS and Windows platforms, provides access to essential agent functions directly from the system tray or menu bar, improving operational efficiency.

  • A new Jamf Connect User Context Filter is available for use with macOS agents. If Jamf Connect is used to connect local macOS user accounts to Microsoft Entra ID, this filter can be used to target specific Entra groups in Privilege Manager policies.

  • Two new actions, Registry Control and Impersonation Token, permit a policy to be created that allows a non-admin user to have administrative access to specific portions of the registry.

  • The set of LSA privileges granted when the original out-of-the-box Add Administrative Rights action was performed did not exactly match the privileges given to a user with membership in the BUILTIN\Administrators group and then elevated via UAC. This occasionally resulted workarounds for edge case issues by way of creating custom Adjust Process Rights actions. Additionally, there were extra LSA privileges being granted which administrative users do not typically have as of Windows Vista and newer.

    A new out-of-the-box Add Administrative Rights (Modern) action was created which provides LSA privileges that exactly match what an administrative user should have as of Windows Vista and newer. This new action directly replaces the former Add Administrative Rights action and will be used automatically by existing policies as it has the same ItemId value.

    A new out-fo-the-box Add Administrative Rights (Legacy) action was created which is configured exactly the same as the former Add Administrative Rights action. If any existing elevation policy results in a program failing to run properly with the new Add Administrative Rights (Modern) action, the policy can be modified to use Add Administrative Rights (Legacy) while the issue is being investigated.

    Delinea recommends using the Add Administrative Rights (Modern) action when creating new elevation policies. The Modern version will reduce program compatibility issues and tighten security by removing some unnecessary privileges that are granted by the Legacy version.

  • Improvement to the Privilege Manager Vault migration task, where previous Privilege Manager would load all of the accounts to be migrated before starting the process. This has now been updated to be a progressive process.

    Also, if a credential fails to migrate the process will continue rather than failing back. Refer to Integrating Privilege Manager and Secret Server for additional information.

  • For macOS, improvements have been made in reporting to the user when the sudo plug-in encounters an issue when communicating with the Privilege Manager agent.

    The pmagentctl restart command now also restarts the Privilege Manager Security system extension. This may help resolve issues encountered by the sudo plug-in.

  • Privilege Manager now meets WCAG Success Criteria Page Titled (endpoints) and Bypass Blocks (for Admin console). Refer to the Privilege Manager Accessibility documentation here.

    This is due to a major accessibility feature, keyboard "skip to" function, that enables users to more easily navigate areas of the admin console when using the keyboard to navigate. Refer to the Privilege Manager Accessibility Conformance Reports.

  • The Application Control Agent now ignores process and thread create events for protected processes. This eliminates a variety of warning and error messages that were previously being logged to the agent's event log for failures associated with opening a process.

  • Improvements have been made to model name reporting for Apple silicon Macs.

  • The folder in which the client items database is stored, C:\ProgramData\Arellia\ClientItems, now has more strict security applied to it during installation of the agent and any time that the SetupAgent.ps1 PowerShell script is executed. With the more restrictive security, non-administrator users no longer have any access to the directory at all.

    Previously, non-administrator users had read access, which allowed the client items database content to be read. If a customer had a poorly configured elevation policy, it would be theoretically possible for non-admin user to perform an escalation of privilege attack. With this change, the attack surface of the application control agent has been reduced.

Bug Fixes

  • Computer groups can no longer be created with no Filter rules.

  • A small code change has been made to the Execute Application action to fix an issue where unnecessary command line parameters were being incorrectly added to the command line.

  • After a managed user policy first executes and is configured to set an initial random password, repeated execution of the same policy will not result in repeatedly setting a random password. This change prevents changes to the policy from automatically resulting in a new random password being set along with the corresponding flood of encrypted password events being sent back to the Privilege Manager server.

    Password rotation policies are not affected by this change and will still result in a random password being set each time the password rotation policy executes.

  • An issue where information from an executable file was not being read when using a low integrity token has been resolved. This previously caused some filters with Original File Names to be processed incorrectly.

Agent Specific

Windows

  • The core agent service has been modified to no longer make use of the .NET Shadow Copies behavior, where assembly DLL files get copied to a temporary directory before being loaded into an application domain.

    This change was made due to the fact that the file system security settings on the temporary direction that gets used may be inconsistent across different installations of Windows. In some cases, it was possible for a non-administrator user to copy arbitrary DLL files to the temporary directory such that the potential for a EoP (Exchange Online Protection) attack existed if the core agent service were to load a malicious DLL.

  • This bug fixes a problem where error messages were thrown in XAML action messages advising users that No hashes were calculated for file....

    Code has been added so that physical optical drives with a disc inserted and mounted as a volume, as well as virtual optical drives hosting a mounted ISO image of a CD/DVD disc, will always have their native NT device paths properly converted to DOS device paths (including a drive letter). Additionally, this also applies to all other types of removable drives, such as external hard drives or flash drives connected via USB.

macOS

  • A policy with an Authorization DB Right action could sometimes cause authorization dialogs from macOS system processes such as mdmclient. This no longer happens.

  • The Any Package (macOS) filter now correctly recognizes .mpkg as well as .pkg files..

  • Resolved an issue with the Mac agent's Codesign Entitled Elevated Application filter, which caused it to behave unreliably on macOS Monterey and later.

  • It is now possible to have a monitoring policy for Installer packages (.pkg/.mpkg files) without any actions assigned to the policy.

    When using the Policy Wizard to create a monitoring policy for .pkg files, make sure that the Applies To All Processes option is enabled under Policy Enforcement in the Advanced settings. If this isn't enabled, the policy will not generate events.

  • The script will execute under the /bin/bash shebang, although you can define an alternative the agent will override and use bash. Scripts can be defined using ; line separators or standard line returns.

    The following examples export the current date time to a file in /Users/Shared, create and empty file in /Users/Shared, and output information to the pmcored log.

    Single line with ; separators

    Copy
    date >> /Users/Shared/current_date.txt ; touch /Users/Shared/some_new_empty_file.txt ; echo "Hostname: $(hostname)" ; echo "Echo output from: Run Shell Script"

    Standard line return defined

Copy
date >> /Users/Shared/current_date.txt 
touch /Users/Shared/some_new_empty_file.txt 
echo "Hostname: $(hostname)" 
echo "Echo output from: Run Shell Script"
  • The Mac agent now properly executes the Run Shell Script (MacOS) action, allowing you to create a Scheduled job that will execute a script on Mac agents, according to a defined schedule. The script is executed by the bash shell (any #! interpreter directive will be disregarded), so the script must use bash-compatible syntax.

    The following example writes a time stamp to a file in /Users/Shared and writes a message to the pmcored log.

    Copy
    date >> /Users/Shared/current_date.txt 
    echo "Hostname: $(hostname)" 
    echo "Echo output from: Run Shell Script"