Thycotic Privilege Manager 11.0

A new release has been available since the end of February 2021. Read on to learn which improvements were implemented in Thycotic Privilege Manager 11.0.0.

In addition to enhancements and the usual bug fixes, the known issues identified to date are also addressed:

11.0.0 Release Notes (English)

Enhancements

Enhancements available with the 11.0.0 release of Privilege Manager. Enhancements are for both versions, On-premises and Cloud, unless otherwise outlined under a specific On-prem or Cloud subtopic.

  • Renamed Suppress UAC Action to Suppress UAC (Legacy). Refer to Default Actions and Adjust Process Rights Action.
  • The Remove Program Utility does not require process elevation going forward. With this change a new sample policy was added to Privilege Manager. The Elevate Privilege Manager Remove Programs Policy Children Policy (Sample) policy should be activated on endpoints that are configured to use the Remove Program Utility. This policy elevates the uninstallers only after an approval request has been granted.
  • Filter validations for application control policies.
    • Conflicting filters in application policies are reported, preventing a policy from being saved or activated.
    • Non-application filters cannot be used as the only filter on an application policy or added as an application target.
  • Added Observed Parent Processes reports for discovered events.
  • Commandline information support on Server reports for Windows and macOS systems.
  • Added computer SID registration information to be available via resource manager computer global account data.
  • General user interface improvements, focused field indicators, etc.
    • Overhaul of statistics pages for User Policies.
    • Overhaul of config feeds area.
    • Licensing page updates.
    • Scheduler updates.
    • Reports and Gauges.
  • New integration Jamf Connector to allow users to:
    • Import Smart and Static Computer Groups and Computers.
    • Import installed applications on Jamf endpoints as discovered resources and create filters.
    • Roll out Privilege Manager Agents onto Jamf endpoints.
  • The Silverlight console has reached its EOL and all support has been removed from Privilege Manager release version 11.

macOS

  • Added Apple silicon support.
  • Added Authorization DB handler.
  • Rich text editing of end user prompts (message actions) via HTML editor.
  • Added commandline parameters for macOS binaries in Manage Approvals for the approval request.

Linux

  • New Unix/Linux OS support in the form of an Agent connecting to the Privilege Manager Server to exchange policies and events.
  • Role support for Unix/Linux Administrators.
  • Added Filters, Actions, and Computer Group support for Unix/Linux.

Agents

  • Service method for agents to post events via REST (JSON).

Security

  • Added Strict-Transport-Security header to 301/400/403 HTTP responses.
  • Improved path traversal and invalid header handling.
  • Client-side password complexity check improvements.
  • API endpoint authentication improvements.

Bug Fixes

  • Folder View loads slowly for large resources with over 200K endpoints.
  • No option to specify different .NET framework versions for combined installations of Secret Server and Privilege Manager.
    • Privilege Manager on-premises does not work with Azure Service Bus if the web server is set to use only TLS 1.2.
  • Summary of Application Actions by Product Version Reports.
  • BSOD error following a Windows system update.
  • Send SysLog … template based tasks to send logs to server fails.
  • When adding a Persona, not all configuration options are visible in UI.
  • The Application Control Service is creating a conflict when saving or printing Excel or Word files.
  • Local user logout does not work correctly, preventing another local user from logging in.
  • Errors in exported Agent Log file are not displayed.
  • User accounts in a child domain do not appear as members of a local group.
  • The Administrator group is showing up twice when viewing the Group Policies section.
  • User and group inventory may not reflect proper group membership the first time it runs on the endpoints. Subsequent runs will finish processing that information and will be accurate.
  • Users removed from Security Group in AD still show as members of the AD group inside Privilege Manager.

Cloud

  • When creating a new managed user through macOS user policies and adding that new user to a newly created user policy on Privilege Manager Cloud, an .outlets exception error is returned.

macOS

  • The KEXT and SYSEX flavors of the macOS agent can experience high memory utilization during File Inventory.
  • With the SYSEX flavor of the macOS agent, a policy targeting PKG installation triggers multiple authentication prompts.
  • Packages installed via /usr/sbin/installer fail to complete. (Delivered in April 2021 macOS agent hotfix.)
  • The elevation of copying an app bundle to Applications or moving it to the trash would sometimes prompt for admin credentials on Big Sur.
  • When the sudo plugin is unable to connect to the system extension, the user is unable to execute commands via sudo.
  • Newly created users do not show up under the associated group if the user is a managed macOS user.

Known Issues

  • Upgrading to Privilege Manager 10.8 or later from a version prior to Privilege Manager 10.8.0 causes a task to run to merge computer groups and remove unused system computer groups. This primarily affects the Application Control policies that are using resource targets/computer groups named All Windows Computers with Application Control Agent Installed. With 10.8, those policies will use the Windows Computers computer group and macOS will use MacOS Computers.

    If you want to prevent this automatic merge, modify the XML of this item:
    PrivilegeManager/#/item/xml/b2e02684-d154-48ca-9987-12b1759df822
    Add on line 2 <adc:Attributes>NoModify</adc:Attributes>.
  • Offline upgrades on multiple servers will need to be done manually.
  • With the Safari Browser, the behavior for default selection on drop-down menus might vary from other browsers.

macOS Specific

  • On endpoints using OneDrive, GoogleDrive, DropBox, or similar extensions, the endpoint will take about 2 min to correctly initialize the Finder Extension functionality after enabling the extension or after the upgrade to 10.8 with an enabled extension.
  • If you have a policy allowing management of the /Applications folder via the Copy Install Application filter, deleting multiple applications from the /Applications folder will result in a dialog prompting for administrator credentials. The workaround is to have your end-users delete applications one at a time.
  • If you have enabled the Elevate Privilege Manager Agent Preference Pane (Sample) policy to elevate the Agent preference pane and you wish to target Big Sur, you will need to duplicate it and change the File Names to:
    legacyLoader;legacyLoader-x86_64
  • If you have already duplicated the Elevate Privilege Manager Agent Preference Pane (Sample) policy to elevate the Agent preference pane and you wish to target Big Sur, you will need to change the File Names to:
    legacyLoader;legacyLoader-x86_64

Agent Specific

Windows

  • The latest Application Control Agent released with Privilege Manager version 11 is not compatible with the driver verifier tool for Windows 10 version 1507. Any endpoints on Windows 10 version 1507 should remain on the 10.8 version of the Application Control Agent until the endpoint can be upgraded to a newer Windows 10 version.

Unix/Linux

  • Registering Unix/Linux endpoints to the default target can take up to 15 min.

Quickly found

→ These release notes and earlier versions can be found quickly and easily on our site:
www.fyre-consulting.ch/schnell-gefunden/thycotic




Thycotic specializes in password management and endpoint security solutions.
FYRE Consulting is an official authorized partner of Thycotic.