12.0.2 Release Notes

Privilege Manager Cloud Release – September 28, 2024

Windows Agent Software

Do not upgrade any Windows 11, version 23H2 or older machines to Windows 11 24H2 if they are also running Privilege Manager agent version 12.0.1096 or older. (Agent versions newer than 12.0.1096 are fine to install.) Likewise, do not install agent version 12.0.1096 or older on any computer that already has Windows 11, version 24H2 or Windows Server 2025 pre-installed on it.

If an incompatible older agent is installed on Windows 11 version 24H2 or Windows Server 2025, it will render the system unusable. Symptoms of the incompatibility include UAC failing to elevate any/all programs that require administrative rights.

There is a security issue with Windows agent versions 12.0.2142 and older. A fix for the issue is included in version 12.0.2150 of the Windows agent which is available on the Software Downloads page.

12.0.2150 Bundled Privilege Manager Agent Installer

12.0.2150 Core Thycotic Agent (x64)

12.0.2150 Core Thycotic Agent (x86)

12.0.2150 Application Control Agent (x64)

12.0.2150 Application Control Agent (x86)

12.0.2150 Local Security Solution Agent (x64)

12.0.2150 Local Security Solution Agent (x86)

12.0.2150 Bundled Privilege Manager Core and Directory Services Agent

12.0.2014 Directory Services Agent (x64)

macOS Agent

12.0.2.091 Privilege Manager macOS Agent (macOS Big Sur 11 and later)

Installation Notes

  • Starting with builds 11.4.3235 & 12.0.1016, and for all newer builds, the MSI installer package for the Application Control agent depends on executing a PowerShell script. The script is signed with our code signing certificate, so it meets the execution policy requirements for signed scripts; however, if all script execution has been disabled on the machine, the installer will fail.

  • When upgrading Privilege Manager to a newer version, Delinea recommends upgrading the Directory Services agent such that both are running on the same release version.

  • Privilege Manager exclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, it is recommended to utilize Privilege Manager on a supported and actively maintained OS.

    Privilege Manager version 12.0.2 and later no longer supports Windows Server 2012 R2 and older operating systems. To ensure implementation of the latest security improvements, existing installs will need to migrate to the minimum system requirements of Windows Server 2016 or newer before upgrading to version 12.0.2 and later. Workstations remain unaffected.

  • Delinea recommends as a best practice to create system restore points prior to doing system changes such as patches.

    Delinea supports the use of software versions up to a year prior to the current version. Links to prior versions are found in the PDFs available on the Links to Previous Versions page.

Certificate Validation for SSPM Agents

For both the Windows Agent and macOS Agent, the Validate Server Certificate setting is turned off by default. However, if your server domain includes one of the following suffixes, Validate Server Certificate is turned on automatically and the server certificate is validated:

  • .privilegemanagercloud.com

  • .privilegemanagercloud.eu

  • .privilegemanagercloud.com.au

  • .privilegemanagercloud.com.sg

  • .privilegemanagercloud.ca

To force this setting on for use with an on-premises Privilege Manager server when the agent is deployed via MDM, refer to the documentation:

Installing Windows Agents

Installing macOS Agents

Using regex with Group Memberships

Since 11.4.3, the local group membership controls accept regex (preferred) or wildcard values. You must use specific and restrictive regex: we cannot guarantee that your expression will never include an unintended user. Validate the expression yourself with one of the many online regex testers, and check group members regularly.
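As an added example (not Delinea code), the following compares a loose pattern with an anchored, domain-qualified one against a constructed list of account names, so you can see which accounts a membership control would match before using the expression. It assumes .NET-style regex semantics and uses constructed account names; swap in `(Get-LocalGroupMember -Group 'Administrators').Name` to test against a real machine's current members.

```powershell
# Constructed sample of account names (not real accounts) to test a candidate pattern against.
$candidates = @(
    'CONTOSO\svc-backup',
    'CONTOSO\svc-backup-admin',
    'CONTOSO\svc-backups',
    'CONTOSO\admin-svc-backup',
    'CONTOSO\jsmith'
)

# Loose pattern: unanchored, so it matches anywhere in the name and catches
# every account that merely contains the string.
$loose = 'svc-backup'

# Restrictive pattern: anchored at both ends and domain-qualified, so only the
# exact account name matches. In single quotes, \\ is a literal backslash for the regex.
$strict = '^CONTOSO\\svc-backup$'

function Test-MembershipPattern {
    param([string]$Pattern, [string[]]$Names)
    # Assumes the product evaluates names case-insensitively, as Windows account names are.
    $regex = [regex]::new($Pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
    $Names | Where-Object { $regex.IsMatch($_) }
}

"Loose pattern '$loose' matches:"
Test-MembershipPattern -Pattern $loose -Names $candidates | ForEach-Object { "  $_" }

"Strict pattern '$strict' matches:"
Test-MembershipPattern -Pattern $strict -Names $candidates | ForEach-Object { "  $_" }
```

The loose pattern matches four of the five constructed names; the anchored pattern matches only the intended account.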

Service Process Update for LSA Privileges

The Thycotic Application Control service is no longer configured to use a virtual service account; it is now configured to run as NT AUTHORITY\SYSTEM (local system) again. The removal of a dependency on using a virtual service account first appeared in version 12.0.0 (build 12.0.1016).

A different mechanism is now used to ensure that the service process has all of the Local Security Authority (LSA) privileges required for it to function properly. LSA privileges do not need to be explicitly granted for the service to run properly, and there is no need for GPOs (Group Policy Objects) to be created or modified as part of deploying the agent.

macOS Big Sur 11.x Support

Privilege Manager version 12.0.2 of the Mac agent will be the last release to support macOS Big Sur (11.x), for which Apple has not released a security update since September 2023. Going forward, Privilege Manager will follow the common practice of supporting those OS versions that Apple itself supports with security updates, namely, the current and two previous versions of macOS. We encourage our users to upgrade to a supported version of macOS to continue receiving the latest features and security updates.

Software like Privilege Manager is more closely coupled to the lower-level macOS frameworks than other applications; in particular, the security frameworks show a faster pace of evolution as Apple continues to update macOS. Adopting this support policy enables us to better follow Apple’s guidance by using the latest and most secure technologies, rather than relying on outdated or even deprecated frameworks. In this way, we can provide our customers with a better user experience and improved application functionality.

macOS Sequoia 15.x

macOS Sequoia 15.x includes a new privacy feature requiring user permission to allow applications to access devices on a local network.

As a result, endpoints with an installed macOS agent that connects to an on-premises Privilege Manager server on the same network may present an "Allow access to find devices on a local network" message to end users when submitting actions such as an approval request for the first time.

Once allowed, the message will not be displayed again and the agent will function as expected.

This message will not be seen for customers who register their agent against Privilege Manager cloud.

The permission can also be granted by going to System Settings > Privacy & Security > Local Network and enabling Privilege Manager.

Currently, Apple does not provide any method to pre-approve these requests using Mobile Device Management (MDM).

Enhancements

  • The ServiceNow integration now accepts the following extensions: .service-now.com or .servicenowservices.com.

  • For macOS, a new menu bar icon, as well as a selection in the Agent Utility window, provides an item that allows the user to request JIT administration privileges.

    A new version of the JIT Approval Request pop-up window is provided on the Privilege Manager server when macOS JIT requests are carried out.

  • For Windows requests, the JIT Elevated Access pop-up window now includes days remaining when time remaining is more than 24 hours.

  • Policy Events acknowledge all events selected, not just the ones in views, consistent with the Export policy functionality.

  • The macOS agent's sudo plugin now supports the use of numeric options with the -u and -g sudo flags (e.g., -u#501); this improves compatibility with other third-party software.

  • A new macOS Activity Monitor Sudo Authorization Right (com.apple.activitymonitor.sudo) Action has been added to Privilege Manager. This action will allow the elevation rights to force quit processes in Activity Monitor for macOS Sequoia. For macOS Sonoma and older the Activity Monitor Kill Authorization Right (com.apple.activitymonitor.kill) Action will still be required.

  • Removed the out-of-the-box Windows Service Inventory policy. We do not recommend using this policy as it collects more data than is necessary. Instead, if a Service Inventory is needed, a policy should be created using the Service Inventory command on a very small subset of machines.

  • Improved Windows agent installation checks for all of the .msi and .exe files, to ensure the components cannot be installed on ARM-based architecture.

    This is only supported on Intel-based architecture.

  • When upgrading Privilege Manager with Secret Server vault enabled, duplicate Service accounts are no longer created.

  • To improve the speed and reliability of logging in to Privilege Manager, applicable roles are now evaluated only to two levels of group membership.

  • In order to combat database locking for on-premises installations, the following database properties are set by default for new Privilege Manager server installations and after upgrading to 12.0.2:

    • Allow Snapshot Isolation = True

    • Is Read Committed Snapshot On = True

  • The Voluntary Product Accessibility Template (VPAT) was updated to account for the updated Web Content Accessibility Guidelines (WCAG) 2.2 criteria, and also to account for the Onboarding feature in 12.0.2. Refer to the Privilege Manager Accessibility Documentation.

  • The Onboarding Tutorial now contains Advanced Configuration steps for enabling additional authentication providers such as SAML or Azure AD.
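For the database properties listed under the enhancement above, here is an added example (not Delinea code) that checks whether an existing on-premises Privilege Manager database already has both settings enabled, which is useful for confirming the state after an upgrade to 12.0.2. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed and that the instance and database names below are replaced with your own.

```powershell
# Placeholders: replace with your Privilege Manager SQL Server instance and database name.
$Instance = 'SQL01\PRIVMGR'
$Database = 'PrivilegeManager'

# sys.databases exposes both settings: snapshot_isolation_state_desc is OFF/ON (or a
# transitional state), is_read_committed_snapshot_on is a bit.
$query = @"
SELECT name,
       snapshot_isolation_state_desc,
       is_read_committed_snapshot_on
FROM sys.databases
WHERE name = N'$Database';
"@

$row = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $query
if (-not $row) { throw "Database '$Database' not found on $Instance" }

$snapshotOn = $row.snapshot_isolation_state_desc -eq 'ON'
$rcsiOn     = [bool]$row.is_read_committed_snapshot_on

"Allow Snapshot Isolation   : $snapshotOn"
"Is Read Committed Snapshot : $rcsiOn"

if (-not ($snapshotOn -and $rcsiOn)) {
    Write-Warning "One or both settings are off. To enable them during a maintenance window"
    Write-Warning "(READ_COMMITTED_SNAPSHOT requires no other open connections), run:"
    Write-Warning "  ALTER DATABASE [$Database] SET ALLOW_SNAPSHOT_ISOLATION ON;"
    Write-Warning "  ALTER DATABASE [$Database] SET READ_COMMITTED_SNAPSHOT ON WITH ROLLBACK IMMEDIATE;"
}
```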

Bug Fixes

  • Fixed an issue that caused the number of computers and their associated groups to be incorrectly reported.

Agent Specific

Windows

  • Updated Windows agents to correctly pass the submitted user credentials when an application has been launched using Run as a different user.

  • Elevation of Universal Windows Platform (UWP) applications has been updated to properly handle third-party store applications which are manifested with the runFullTrust capability.

  • The Windows agent was updated to accommodate changes in Windows 11, version 24H2, which caused an incompatibility problem and resulted in UAC elevation not functioning properly when no elevation policies were applied to a program for which elevation was requested or required.

  • Whenever a program was launched using SHIFT+right-click > Run as different user, using the RUNAS.EXE utility, or when a native NT service was started when configured to logon as a local or domain user, a ReadEvent() error would get logged by the ACS (Application Control Service). The underlying problem has been fixed and this will no longer occur.

  • Fixed an issue that caused Directory Services Agent AD Sync to report an incomplete/timeout task when it should be reporting a succeed/complete task.

  • When upgrading with Secret Server vault enabled, duplicate Service accounts are no longer created.

  • Once a Jamf Computer Group collection has been removed from all associations, it can be removed from the Privilege Manager console.

  • Fixed an issue where the deny execute balloon message wasn't appearing at the bottom of the screen when certain applications were being blocked.

  • A fix has been added to the latest agent to ensure the Application Control Service will always correctly identify the primary image name when Kaspersky or any other anti-virus or security product is co-installed with the Privilege Manager application control agent.

macOS

  • Resolved an issue where the sudo plug-in on macOS would sometimes fail to apply a policy to a command line tool, most noticeably when the Mac agent had been running for some time.

  • Improvements were made to the macOS agent startup procedures to ensure that information is correctly sent to the Privilege Manager Server and that agents appear in the Agent Installation Summary Report.

  • Improved the performance and reliability of the macOS agent when processing and uploading policy events.

Known Issues

Resource discovery on Intel-based Macs can sometimes fail to obtain the Mach-O header and raw digital signature from executable files. This issue will be addressed in a future release of the Mac agent.