11.4.1 Release Notes
Release Schedule
- Privilege Manager Cloud Release – Saturday, June 17th, 2023
- Privilege Manager On-Premise Release – Friday July 7th, 2023
Privilege Managerexclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, it is recommended to utilize Privilege Manager on a supported and actively maintained OS.
Delinearecommends as a best practice to create system restore points prior to doing system changes such as patches.
Certificate Validation for SSPM Agents
For both the Windows Agent and macOS Agent, by default, validate server certificate is turned off. However, if your server domain includes one of these, then validate server certificate will automatically be turned on and the server certificate will be validated:
.privilegemanagercloud.com .privilegemanagercloud.eu .privilegemanagercloud.com.au .privilegemanagercloud.com.sg .privilegemanagercloud.ca
To force this setting to be enabled for use with an on-premise Privilege Manager server via MDM deployment of the agent, refer to the documentation:
Installing Windows AgentsInstalling macOS Agents
Jamf Applications
Enhancements
- The Privilege Manager application has been enhanced to support accessibility features that include keyboard navigation in the left navigation panel and top menu bar, keyboard shortcuts, and screen readers that support tool tips and on-screen controls.
- The Delinea Policy Framework introduces predefined policies as a baseline for policy implementation, along with an intuitive interface that guides the user through policy definition and customization. Predefined policy templates include: Visual Studio Installers, Software Development Tools, Malware Attack Protection, Capture Application Elevation Attempts, and Allow Microsoft Signed Security Catalog.
- The UI now shows additional associations between objects (users, computers, etc.) that were previously hidden.
- Examined reports and removed report parameters that did not actually affect the data presented in the report.
- Added triggers to better detect when a user account is changed, and the managed user settings need to be reapplied.
- Added new trace log messages to help troubleshoot regex command line filters.
- If a scheduled task is still running the next time the schedule comes due, a new instance will not be launched, and an alert will be raised.
- Because using images with duplicate machine SIDs is becoming more common, the option to merge these as duplicates has been removed.
- SysLog tasks that send application action and justification events now have the option to send events from the last x number of days.
- The Computers Without Agent Installations report has been replaced to clearly show computer resources that do not have a Privilege Manager agent installed. This is not an exhaustive list of all computers that may be in an environment. It lists computers synced to Privilege Manager that don't have a corresponding agent registration. This can occur through Active Directory, Azure Active Directory, and other foreign system computer syncs.
- A new report called Computers Without Agent Components has been added that can be used to find computers that have older agents installed or are missing certain Privilege Manager agent components. These machines have at least some parts of the Privilege Manager agent installed.
- SysLog tasks that send application action and justification events now have the option to send events from the last x number of days.
- Block Local User Management and Block Local Group Management actions are now available to prevent specific sets of Win32 API functions from being called.
Bug Fixes
- Fixed an issue where no error was displayed when deleting a resource has failed.
- Fixed an issue where incorrect user accounts were being displayed in the Group Management view.
- Fixed an issue that caused multiple updates to the same policy items unnecessarily.
- Task Schedule pages now show their own Task History tab with runs associated only with the schedule.
- Fixed an issue that could cause failures to save AD sync settings.
- When using the HTML Approval action, when an approval is submitted and the application re-opened, it will display the existing approval request. Also, if an application is approved for a set amount of time, opening the application will no longer display the approved modal before opening the application.
- Resolved an issue where Admin users attempting to elevate executables through the Windows settings menus caused errors to be seen in the XAML action modals and agent logs.
- Fixed an issue where approval/justification messages failed to display with some UWP apps.
- Fixed an issue where some programs were not being shown in the Remove Programs utility.
Agent Specific
Windows
- Added protections against resetting the password for managed users on the Windows agent, whose password is also being rotated.
- An issue involving Privilege Manager failing to handle 32-bit Win32 desktop applications requiring administrative rights launched by the modern/immersive System Settings UWP application on Windows 10/11 caused the application not to launch properly. This issue is resolved. Multiple error codes are now tested for and an appropriate retry is performed that works equally well for both 32-bit & 64-bit applications.
macOS
- Performing a Disable or Enable of a Managed macOS User will now work as expected on the macOS Agent.
-
When macOS Managed Users or Groups are updated from the Privilege Manager Server, the agent will now execute the updated policy upon receiving it.
Previously the agent would only execute on the defined schedule.
- Resolved an issue where Copy to Applications and similar policies would not always activate when the user's preferred language was set to something other than English.
- If the macOS agent is unable to update the local account password when executing a password rotation policy, it will no longer send the new password to the Privilege Manager Server.
- Resolved an issue where users were not being added/removed to the macOS admin group when the policy was deployed to the macOS agents.
- Fixed an issue where after an extended period of time, the macOS agent's event processor might stop responding to commands.
- Apple included a security update in macOS Ventura 13.3 with an undocumented side effect that disabled Privilege Manager’s ability to apply policies to Installer packages (.pkg files). Apple subsequently included the same change in BigSur 11.7.7 and Monterey 12.6.6, with the same side effect. This release restores the functionality that was disabled by the security update.
- Resolved an issue in which choosing the Launch option in the Approval Notification for Installer packages (.pkg files) would not cause the package to be opened and installed.
Known Issues
-
Issue: On older macOS releases, when approval is received for an installer package (.pkg file), but that package is installed by opening it directly rather than from the notification, then the same package is opened a second time and approval is granted, the package may not be elevated as expected when it is (re-)installed.
Affected Systems:- Catalina 10.15.7 and older
- BigSur 11.7.6 and older
- Monterey 12.6.5 and older
- Ventura 13.2.1 and older
Resolution: Repeat the approval process for the package one more time.
-
Issue: Sometimes, after installing the Privilege Manager agent on the latest releases of macOS Big Sur (11.7.7) and Monterey (12.6.6), the OS fails to prompt the user to approve notifications from Privilege Manager, and the Privilege Manager application does not appear in the Notifications pane of System Preferences.
Workaround: Restart the Mac. After restarting and logging in, you will be presented with the prompt to approve notifications from Privilege Manager -
User Access Control Consent Dialog Detected filter is not able to detect when a fully-trusted UWP application is launched with Run as administrator from a right-click menu.