Thycotic Privilege Manager 11.1

Release 11.1 has been available since mid-June 2021. Learn here which improvements have been implemented in Privilege Manager 11.1.0 from Thycotic.

In addition to improvements and the usual bug fixes, the previously reported known issues are also addressed:

11.1.0 Release Notes

Enhancements

Enhancements available with the 11.1.0 release of Privilege Manager. Enhancements apply to both the On-premises and Cloud versions unless otherwise outlined under a specific On-prem or Cloud subtopic.

  • SAML Support
    • Only one SAML connection/foreign system configuration is supported.
    • Tested with Okta and others, documentation example based on Okta integration.
  • Improved Azure AD support for:
    • User Context Filters: Azure AD users have 2 SID values. These are mapped and handled on the backend.
    • Group Policies:
      • Add/remove Azure AD users from group policies
      • Add Azure AD user SID to local machine group
  • Renamed Group Policies to Group Management.
  • Renamed User Policies to User Management.
  • Reorganization of the Server tasks as they relate to Foreign Systems and Directory Services tasks. Created new component entry Directory Services Maintenance Tasks.
  • In support of Computer Name Pattern Collections, the Computer by Name Pattern Query was added to Privilege Manager. The query allows creating custom collections containing a subset of computers based on a wildcard-supported name query.
  • Added a framework that allows real-time status reporting of running server-side tasks. This is currently available for the AD Import task only.
  • Privilege Manager now automatically sets the home directory path during provisioning.
  • The Security Descriptor Agent Discoverer has been removed for new installations and will be disabled during system upgrades from pre 11.1.0 versions.
  • Standardized Privilege Manager logout process to remove access token on logout.
  • Console Audit Logs can be sent to a syslog connector, for example to Splunk.
  • New View Password role added to Role Management.
  • Commandline arguments added to policy feedback and approvals.
  • Updated About page. Added Privilege Manager product version details and 3rd party web licenses information to the page.
  • Added Config Feeds for Thycotic Policy Framework quick start policies that improve the initial Privilege Manager configuration experience.

macOS Specific

  • Added support for File Inventory of Application Bundles as zip files via File Upload.
  • Added support for the macOS Homebrew installer.
    • As part of the Homebrew installer support, added a new parameter to the Just-in-Time Group Membership Action to better determine the sudo plugin usage.
  • Added Run as User action, which is leveraged by the sudo plugin to run arbitrary commands as a specified user.
  • Added CLI Approval Message action, which allows administrators to prompt command line users on macOS endpoints for an approval request.
  • Added CLI Justification Message action, which prompts the user for a justification when using Terminal to execute commands and scripts under sudo.

Unix/Linux Specific

  • User and group inventory for reports.
  • Setting to delay password for “X” times after first login.
  • Added File Hash filter support.
  • Added Run as User action, which allows a command the user runs on an endpoint to be treated as if a different user ran it.
  • Added CLI Approval Message action, which allows administrators to prompt command line users on Unix/Linux endpoints for an approval request.
  • Added CLI Justification Message action, which can be used to provide a customized multi-line justification question to the user.

Security

  • Implemented friendly error messages when registration fails due to an invalid BaseURL, excluding stack trace details.
  • Added support for additional hash algorithms (Limitation: newer security hash algorithms are only supported on v11.1 Agents and later.)

    Note: Customers are encouraged to change their policies and filters with SHA1 specification to SHA256 or other supported algorithms.

API

  • New API to run an existing report and return the results.
  • New API to run a task based on a specified task Id.

Integrations/Foreign Systems

  • New ServiceNow integration via the available ServiceNow Application in the ServiceNow App Store. The ServiceNow app requires a Privilege Manager Foreign Systems setup that includes webhooks configuration. The Privilege Manager ServiceNow app provides the following functionality:
    • Approval/denial
    • Time based approvals
    • Privilege Manager approval process support
    • Records approvals from outside normal flow

Bug Fixes

  • The Resources page is not showing any computers under Organizational Units.
  • Agent registration not automatically merging with Azure AD Devices data.
  • Loading groups from Not Well-Known Local Group Summary or Well-Known Group Summary pages creates an error.
  • Retrieving large numbers of Users and Groups can be slow.
  • The application control agent creates an error when uploading a file to OneNote 2008 notebook.
  • When a new managed user is created, the original created password is reset, preventing user login.
  • Justification and approval messages are not working when used with networked drive letters in the path properties.
  • Computer Groups are not always picking up all added endpoints.
  • Password changes for standard users are not honored.
  • UAC triggers false positive detection messages.
  • Running Privilege Manager: Task Purge Maintenance does not work for Correlated Change History.
  • ArelliaDisplayXAMLaction.exe inherits elevation from parent policy when the Add Administrative Rights and/or Unrestricted actions are included in a blocking policy.
  • The Event Summary widget does not reflect changes when changing the associated resource target filter.
  • Once the number of events crosses ~21 Million, trimming does not work.
  • An issue with the Ams.SimpleWorkerTask table causes tasks not to run while agent events are processed.
  • The agent summary by OS report is not reflecting the correct numbers.
  • Path exclusion changes are not saved.

Cloud

  • UI stops responding while trying to select “Security Group” as an option to add computers to a computer group.
  • Azure-only accounts are required when Azure AD Authentication is configured.
  • The task scheduler does not correctly reflect history for tasks with single quotation marks.
  • 504 timeout error reported on loading of “Group Policies – Administrator Built-In Managed Group”.

macOS

  • macOS justification policy ends the script targeted by a sudo plugin policy.
  • The sudo plugin fails to elevate binary with path relative to current directory.
  • Users added to multiple groups via macOS Just-in-Time Group Membership Action are only removed from the first but not all groups automatically.
  • On agent installation, a Privilege Manager Server URL with a port number is not saved properly.

Known Issues

  • Privilege Manager Agents v10.8 and up might prevent user login when USB over IP options are enabled for eCatcher or eBuddy setups. If you encounter this issue, disable the USB over IP option.
  • The Alerts page does not display file name details under the Name column.
  • When Authentication providers are changed, an application pool recycle might be required as indicated via error message.
  • When using the latest Privilege Manager agents with an old Privilege Manager Server version, such as v10.6, policies on the endpoint might not be available. The workaround is to run the Resource and Collection Targeting Update Task on the policy until the endpoint is updated.
  • The Setup Add/Upgrades Feature page fails to provide new package information, if the Privilege Manager server is installed on a Windows 2016 system that is also configured as a domain controller.
  • The File Hash Filter for Authenticode does not work. This is no longer supported with the new hash algorithms.

macOS

  • One-time approvals are not properly recognized when using the latest Privilege Manager agent with older versions of Privilege Manager Server (e.g. v10.5, v10.6, v10.7). In this scenario, once approved, the user will be prompted with another approval request. However, time-based approvals work (within the approved time period). The workaround to one-time approvals is to use a time-based approval.
  • On a Safari browser, the option to print licenses via the About page does not render.

Documentation Clarifications

FAST FIND

→ You can find these release notes and previous versions quickly and easily with us:
https://fyre-consulting.ch/en/fast-find/thycotic-links-downloads/
Thycotic specializes in password management and endpoint security solutions.
FYRE Consulting is an official authorized partner of Thycotic.