3.16 Release Notes

From idenprotect Knowledge Base


Introduction

These are the release notes for Version 3.16 of the idenprotect platform. These notes provide a high-level view of the new features offered in this version.

IMPORTANT - You should make sure that your licence is NOT expired prior to upgrading to version 3.16. Audit checks will be performed against the licence during an upgrade and if your licence is expired, your users may not be able to continue authenticating. Note that there is also new Entitlement configuration in the LDAP User Sync Configuration that will need to be entered. If you do not specify the groups to assign SSO or Windows entitlements, your users will not be able to authenticate. If you do not have an active licence, please contact your idenprotect partner or email us at support@idenprotect.com.

Licensing and Entitlements

Licensing has been updated with additional entitlements for Single Sign-On, Windows and Maximum Devices Per User.

  • The maximum number of devices per User will override the number in the configuration should that be set higher
  • SSO Entitlement will now be required in order to authenticate via the idenprotect Authentication Provider
  • Windows Entitlement will now be required in order to authenticate to idenprotect for Windows

In order to support these changes, legacy licences where no SSO/Windows entitlements are defined will automatically have eligibility for both entitlements up to the number of Users provisioned by the Licence. However, in order to grant the entitlements to your users, you will need to specify the groups of users who are permitted to have the entitlement. Group definitions are added in the LDAP configuration to specify which groups of users should receive SSO or Windows entitlements (these are additionally checked in the LDAP connection test). On the dashboard, new information is now displayed to show the available and used capacity of your entitlements, and a new licence upload pop-up additionally shows a summary of all licences and entitlements that have been uploaded. The Users screen is now filterable on these entitlements, and the entitlements are displayed on the Users screen and individual User information pop-up (where the entitlements can also be modified). The default user on a new installation will automatically have both entitlements. Finally, regular auditing will take place to ensure that the licences do not go over their allocation (due to a lapsed licence, for example). Where this is the case, Users/entitlements are removed in reverse order of when they were added.

Supporting UEM Cloud

We have UEM configuration on the console which allows us to specify the location of the UEM installation. For on-premise installations, we are able to grab UEM access keys and use them during the enrollment process which allows a smoother enrollment without the Users being required to enter this key manually. For cloud-based installations of the UEM client, the method of authentication is different - we now support this method of authentication with some additional configuration required. This allows us to automatically obtain an access key regardless of the location of your UEM installation.

Application Policies

New policies have been introduced to specify which application types your Users are permitted to use. This allows you to have multiple application types running simultaneously amongst your users. There are global policies that take initial precedence, but if, for example, the global policy is set to any, you can specify which groups of users in Active Directory are eligible for which applications. These groups are additionally checked in the LDAP connection test. In addition to this, where users may have BlackBerry or Intune app types, you can enable these apps to also be used for SAML purposes.

Dashboard Improvements

There are now more data donuts on the dashboard to show a greater range of information, including the licensing information. Some of these donuts now have direct links which will take you to the page you are seeing information about (for instance the Users of Devices page).

Configuration Improvements

Configuration editors have now been cleaned up to improve the ordering and hide unrelated properties. When committing new configuration, instead of returning to the Configuration home screen, if you were in a tab (such as Authentication Portal) you will now be returned to that tab. Additionally, we have added a Search option to allow you to quickly find an individual configuration item. The search results are clickable and take you straight to the location where the item can be modified.

In addition, there are new configuration screens for some new features, such as being able to upload enterprise certificates for the mobile client to use and specifying an external location to obtain User certificates during enrollment.

User Avatar

An image can now be synchronised directly from Active Directory and used as a User's "profile" picture. When an image has been synchronised for a User, you can see it in the User information pop-up on the Users screen (in place of where you would normally see initials). Additionally, it will also replace the initials for a User when they are logged into the idenprotect User Portal.

Web Socket Changes

Where an idenprotect Sync Agent (which uses web sockets to communicate) is installed on a Linux-based machine, the idenprotect Service Manager can now request the restart of all connected web sockets. The web socket server code has been refactored on the idenprotect Core Platform to provide further functionality, including the introduction of Authentication APIs and a policy to allow web sockets to be used for authentication purposes. In addition, the server can be completely disabled if it is not in use. If it is enabled, switching between web socket or direct Active Directory connections will no longer require the idenprotect Core Platform to be restarted.

Other minor changes and bug-fixes

  • Active Directory User Synchronization configuration can now support multiple groups by separating with a semi-colon
  • Hardened the encryption used for passwords (where required) stored in properties files while continuing to be able to decrypt using the previous method
  • Service providers can now be created by uploading the Metadata in XML format
  • Service providers can no longer have both a Country Whitelist and Blacklist
  • HTTP-Redirect options added to IDP Metadata (previously only supported HTTP-POST)
  • When syncing Active Directory from multiple nodes, Users will no longer clash if they are attempting to be created from multiple locations
  • Removed Certificate Authority algorithms no longer in use
  • Mutual TLS now working with Internal Certificate Authority
  • Enrollment options have been simplified; the server must now always initiate an enrollment session
  • Dedicated Error Handling Page on idenprotect Core Platform and idenprotect User Portal to improve the User Experience when errors are encountered. Error handling has also been improved in other places
  • Special characters in an Active Directory attribute no longer break the QR code
  • Improved the user experience when switching between different Core Platform Site Users (especially where the Users hold different roles)
  • Users and Devices page will no longer refuse to open if a corrupt certificate is held on a User Device
  • OATH tokens can no longer be assigned to disabled or soft deleted users. In addition, they can now be removed without needing to assign them to a user first
  • Report export now exports all results found, not just the results on display on the current page
  • Reports can now filter by username instead of the email address
  • Device app versions are now updated when a User updates their app
  • Users can now be manually created without the requirement for a CSR Subject to be input
  • Changes to User info that are not saved are no longer persisted on the User information pop-up prior to it being refreshed
  • When using multiple idenprotect Sync Agents, you can now pick a specific node to begin the sync process on the Users page
  • User roles have been refined and updated
  • Improved logging