12.0.3 Release Notes
Release Schedule
Privilege Manager Cloud Release Date: February 8, 2025
Privilege Manager On-Premise Release Date: February 21, 2025
12.0.3185 Bundled Privilege Manager Agent Installer
12.0.3185 Core Thycotic Agent (x64)
12.0.3185 Core Thycotic Agent (x86)
12.0.3185 Application Control Agent (x64)
12.0.3185 Application Control Agent (x86)
12.0.3185 Local Security Solution Agent (x64)
12.0.3185 Local Security Solution Agent (x86)
12.0.3185 Bundled Privilege Manager Core and Directory Services Agent
12.0.3021 Directory Services Agent (x64)
macOS Agent
12.0.3.108 Privilege Manager macOS Agent (macOS Big Sur 11 and later)
Installation Notes
-
Starting with builds 11.4.3235 & 12.0.1016, and going forward with all newer builds, there is a dependency on a PowerShell script being executed by the MSI installer package for the application control agent. The script itself is signed with our code signing certificate, so it meets the execution policy requirements for signed scripts; however, if all script execution has been disabled, the installer will fail.
-
When upgrading Privilege Manager to a newer version, Delinea recommends upgrading the Directory Services agent such that both are running on the same release version.
-
Privilege Manager exclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, it is recommended to utilize Privilege Manager on a supported and actively maintained OS.
Privilege Manager version 12.0.2 and later no longer supports Windows Server 2012 R2 and older operating systems. To ensure implementation of the latest security improvements, existing installs will need to migrate to the minimum system requirements of Windows Server 2016 or newer before upgrading to version 12.0.2 and later. Workstations remain unaffected.
Likewise, do not install agent version 12.0.1096 or older on any computer that already has Windows 11, version 24H2 or Windows Server 2025 pre-installed on it.
If an incompatible older agent is installed on Windows 11 version 24H2 or Windows Server 2025, it will render the system unusable. Symptoms of the incompatibility include UAC failing to elevate any/all programs that require administrative rights.
-
Delinea recommends as a best practice to create system restore points prior to doing system changes such as patches.
Delinea supports the use of software versions up to a year prior to the current version. You can find previous versions of the documentation here.
Supported Agent Versions
Privilege Manager 12.0.3 is the final release that supports agent versions 10.5 and older. After 12.0.3, any agents that are 10.5 or older will no longer function.
Certificate Validation for SSPM Agents
For both the Windows Agent and macOS Agent, by default, validate server certificate is turned off. However, if your server domain includes one of these, then validate server certificate will automatically be turned on and the server certificate will be validated:
-
.privilegemanagercloud.com
-
.privilegemanagercloud.eu
-
.privilegemanagercloud.com.au
-
.privilegemanagercloud.com.sg
-
.privilegemanagercloud.ca
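As an added illustration (not Delinea's code), the check below tells an operator whether an agent server URL falls under one of the suffixes listed above, and therefore whether certificate validation will be on by default or must be forced on. The page does not say how the agent matches the suffix; the whole-label matching used here is an assumption.

```python
from urllib.parse import urlsplit

# Domain suffixes listed in the 12.0.3 release notes for which the agent
# turns "validate server certificate" on automatically.
AUTO_VALIDATE_SUFFIXES = (
    ".privilegemanagercloud.com",
    ".privilegemanagercloud.eu",
    ".privilegemanagercloud.com.au",
    ".privilegemanagercloud.com.sg",
    ".privilegemanagercloud.ca",
)


def server_host(server_url: str) -> str:
    """Extract the lower-cased host (no port, no trailing dot) from a server URL."""
    # Accept bare "host:port" values as well as full URLs.
    parts = urlsplit(server_url if "://" in server_url else "https://" + server_url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no host in server URL: {server_url!r}")
    return host


def auto_validates_certificate(server_url: str) -> bool:
    """True when the server host sits under one of the listed cloud suffixes.

    Assumption (not stated on the page): the match is on a whole DNS label,
    so 'acme.privilegemanagercloud.com' matches while a look-alike such as
    'acmeprivilegemanagercloud.com' does not. The leading dot in each suffix
    enforces that boundary.
    """
    host = server_host(server_url)
    return any(host.endswith(suffix) for suffix in AUTO_VALIDATE_SUFFIXES)


def validation_advice(server_url: str) -> str:
    """Operator-facing verdict on the default state of server certificate validation."""
    if auto_validates_certificate(server_url):
        return "validate server certificate: ON by default (cloud suffix)"
    return "validate server certificate: OFF by default; force it on in the agent deployment"
```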
To force this setting to be enabled for use with an on-premise Privilege Manager server via MDM deployment of the agent, refer to the documentation:
Installing Windows Agents
Installing macOS Agents
macOS Big Sur 12.x Support
Privilege Manager version 12.0.3 of the Mac agent will be the last release to support macOS Big Sur (12.x), for which Apple has not released a security update since July 2024. Going forward, Privilege Manager will follow the common practice of supporting those OS versions that Apple itself supports with security updates, namely, the current and two previous versions of macOS. We encourage our users to upgrade to a supported version of macOS to continue receiving the latest features and security updates.
macOS Sequoia 15.x
macOS Sequoia 15.x includes a new privacy feature requiring user permission to allow applications to access devices on a local network.
As a result, endpoints with an installed macOS agent that connects to an on-premise Privilege Manager server on the same network may present an "Allow access to find devices on a local network" message to end users when submitting actions such as an approval request for the first time.
Once allowed, the message will not be displayed again and the agent will function as expected.
This message will not be seen for customers who register their agent against Privilege Manager cloud.
The permission can also be granted by going to System Settings > Privacy & Security > Local Network and enabling Privilege Manager.
Currently, Apple does not provide any method to pre-approve these requests using Mobile Device Management (MDM).
Enhancements
-
Improved security of the Mac agent by restricting access to the client item database.
-
To improve the security of communications between processes and the Agent Utility, the macOS agent has been updated to use XPC, which provides a signature validation mechanism.
-
Improvements have been made to the Mac agent for scheduled client jobs with time-based triggers.
-
Enhancements to the Approvals workflow include:
-
An updated Approval page that combines JIT approval requests
-
A details pane for each approval request, when selected
-
The full URL displayed for Path in an approval request
-
An Offline Approvals tab for approving offline approval requests
-
A History tab for tracking approval disposition
-
Improved design of message dialogs
-
Improvements have been made to the Jamf and ServiceNow integrations when Privilege Manager is configured to use a proxy service.
-
The ServiceNow URLs are no longer required to be defined as either service-now.com or servicenowservices.com, although the URL is still required to be HTTPS.
-
Improved logging and error handling have been added to address any issues during the Privilege Manager Server combined installation.
-
A new report has been created called Computers With Local User. The report is currently available for Windows built-in computer groups only. In the report parameters, the name of a local user can be input and the report will return all of the computers in the specified computer groups, along with information about whether the User account is present and if it is an Administrator account. Delinea recommends that larger customers use the Computer Group parameter on this report, to prevent issues with performance.
-
A new report called Audit Changes to Managed Groups has been created. This report displays details from the Audit tab of multiple managed groups in one report. The report can be found under the Local Security section in the Reports page.
Customers with many agent endpoints need to be mindful when changing the filters in the report, as a larger number of days/weeks/months entered will result in more data and slower loading times.
-
Two new reports have been created: macOS Computer Names and Windows Computer Names.
Windows Computer Names report provides: ComputerObjectName (name from the computer object in Privilege Manager), Caption (value from Win32 Computer System), CSName (value from Win32 Operating System), and Name (value from Win32 Computer System).
macOS Computer Names report provides: ComputerObjectName (name from the computer object in Privilege Manager), ComputerName (value from Mac system configuration), and HostName (value from Mac system configuration).
-
The Approvals page now incorporates Offline Approvals.
-
The drill-down of the Approval Requests report defaults to the last seven days in order to avoid potential performance issues with larger queries. The reports can be filtered for larger periods of time if necessary.
-
A new default action, Modify LaunchDaemons Authorization Right (com.apple.ServiceManagement.daemons.modify) is available. It is used when a process adds helper tools during an install process.
Bug Fixes
-
When tasks are run on a schedule, the selection made for UTC will now be respected by the agent endpoint. If UTC is not selected, the task will run at the selected time in any timezone. If UTC is selected, the task will run at the selected time on UTC. This information is reflected in the Task Scheduler.
-
Resolved an issue with Privilege Manager server installations on web servers configured for a time zone from UTC+3 to UTC+14, where a redirect loop occurred when trying to log in to Privilege Manager and it was not possible to install or upgrade Privilege Manager.
-
It is now possible to Add a Filter Rule to a computer group when Selected Items has Nothing Selected and the List Type is Computer List. Previously, this combination would be removed when saving the computer group.
-
Fixed an issue where the User Account policy tasks were not being triggered after a managed user was deleted or had their configuration updated on an endpoint.
-
A bug has been fixed to display all domain users who are Local Administrators in the following reports:
-
Detailed Summary of Users as Local Administrator
-
Summary of Domain Users as Local Administrators
-
Summary of Users as Local Administrators
-
When using Secret Server vault, View Secret now always displays as expected.
An issue was addressed so that when selecting View Secret (Computer Groups | User Management | Managed User | View Password), the Secret Server password link always opens in a new tab.
-
An update made in build 12.0.2150 to resolve a security vulnerability inadvertently caused a regression in how elevation is performed. This resulted in Visual Studio Code and other applications that create child processes malfunctioning when they were elevated via policy.
-
The Helpdesk user role now has access to both the Domain and OS Name fields when selecting computers in the Offline Approvals screen.
-
Previously, it was not possible to delete orphaned policies that were displayed in the Related Policies in a Computer Group. An error would be displayed saying the deletion was blocked. This has been fixed, and although the link in the Related Policies page will still show an error, it will be possible to delete the orphaned policy by looking it up in the global search and deleting it from there, without seeing the message about any dependencies.
-
The Group Management page now shows domain users and domain groups being removed when the last option for all other users and groups is set to Remove If Found.
-
A security issue in the Thycotic Diagnostics Tool in Privilege Manager On-Premise server software was fixed.
Agent Specific
Windows
-
Fixed an issue where our Remove Programs Utility would not load successfully on Windows 11 24H2 operating systems using Windows agent builds 12.0.2.2153 and older. This was fixed in Windows agent build 12.0.2.2155. Additionally, due to a Microsoft limitation, Microsoft App Store applications will not be displayed in the utility until a fix is released by Microsoft.
-
Windows agents no longer allow dragging of items onto HTML message actions displayed on the agent.
-
An update to resolve a security vulnerability in build 12.0.2150 inadvertently caused a regression in how elevation is performed, resulting in Visual Studio Code and other applications that create child processes malfunctioning when they were elevated via policy. This has also been resolved.
-
The JIT time remaining notification being displayed to the user was verified and updates made to align with the current documentation.
macOS
-
The Mac agent did not always observe the UTC setting for scheduled client jobs with time-based triggers. This has been fixed.
-
The Mac agent now ensures that an active JIT admin session is correctly terminated, even in the event that the com.thycotic.acsd background process quits unexpectedly.
-
The agentconfig.json file that is created and used during the macOS agent installation is no longer removed after installation.
-
If a policy is in place that allows users to move apps in and out of the /Application/ folder, and the user tries to move multiple apps at once, a notification displays "For your security, policies can't be applied when multiple applications are being moved at once. Please select a single application to move, and try again."
-
Resolved an issue where the macOS agent running on Intel-based Macs could fail to send a complete inventory for applications when the Resource Discovery task is run.
-
Updated the macOS agent to ensure that both JIT and standard approval requests are correctly handled when the system is working in multi-user mode.
When the macOS Fast User Switching feature is used to change the user logged into the desktop, any active JIT administrator session is ended (this is by design). The Agent Utility window and icon menu now correctly reflect that the administrator session has ended.