Thycotic Privilege Manager 11.2

1. October 2021

Since the middle of September 2021 Release 11.2 is available – Learn here which improvements have been implemented with Privilege Manager 11.2.0 from Thycotic.

In addition to improvements and the usual bug fixes, the previously known known issues are also addressed:

11.2.0 Release Notes

Enhancements

Enhancements available with the 11.2.0 release of Privilege Manager. Enhancements are for both versions, On-premises and Cloud, unless otherwise outlined under a specific On-prem or Cloud subtopic.

Added support for Targeted Computer Groups. With this new feature the former Roles option in the Admin menu was renamed to Security and a Configuration tab was added to support custom scoping of user roles to Target Computer or AD Domain groups.
New fields were added to the User Context Filter to allow targeting of an account (user or group) by SID, even if that account has not yet been inventoried in the server.
Added a Role Membership tab to user details page for easy role membership verification and changes, like role removal and add to new role options.
Added a Windows Registry Inventory client task to create a Windows Registry Inventory report.
Multiple SAML provider support via Create option on the SAML Providers Foreign Systems page. Multiple SAML Providers can be set up and Privilege Manager verifies the uniqueness of the Issuer ID.
Authentication Provider changes are disabled for the provider the current user is logged in with.
Azure Active Directory groups are not supported for Advanced Message Actions that require authentication by a member of the group. As such, the By member of the group selections only show groups that have an AD SID (not pure Azure AD groups).
The User Access Control Consent Dialog Detect filter was changed to also catch UAC prompts run for MSI installer file types.

Windows Specific

Added rich text or WYSIWYG Advanced Display Message Action editing support. Deny and Warning prompts, Approvals (online only in v11.2.0), and Justification messages are supported by the new Display Advanced Message (HTML) template. Other changes delivered with this feature enhancement:
- Error message improvements in the log viewer to provide better error details around message actions.
The Global Application Control policy path exclusions can be configured via the Windows Agent Configuration policy.

macOS Specific

Introduction of the native event uploader, making the Retry errored TMS Events – Catalina and later (macOS) policy obsolete for Privilege Manager macOS agents v11.2 or later.
Added support for App Translocation when evaluating the App Bundle Filter Path property. If an App Bundle is run from an App Translocation path, its original path will be evaluated properly against the Filter’s Bundle Path property.
RegEx support when evaluating the Bundle Path property of an App Bundle Filter. This allows an App Bundle Filter to target a path based on RegEx and makes App Bundle Filters more flexible.
Running the Uninstall.sh script now fully removes all macOS agent artifacts on an endpoint.

Feature Deprecations

Removed the delete option for Authentication providers if currently active.
UTC support on Tasks schedules has been deprecated. ThycoticCentrify recommends that all customized Tasks currently using UTC are changed to have the UTC switch turned off.

macOS Specific

The Allow Copy to /Applications/ Directory action is deprecated and not supported in v11.2 and higher agents. Use the Copy Install Application Filter instead, to install to the /Applications folder.This deprecation only impacts the v11.2.x macOS agents, older agents will continue to work with Allow Copy and drag and drop.
The Finder Sync Extension used to expose the self-elevate Finder context menu has been removed.

Bug Fixes

Unacknowledged Events and Tasks in ‘Ready’ state are not clearing in the console.
When an Agent registers without knowledge of the AD Domain SID, duplicate AD Domains are created.
Following an Agent install the Computer/Agent IDs are not merging as expected.
When importing items the Overwrite Existing Items checkbox does not function as expected. Refer to Importing Items for details on the specific import conditions based on checkbox selection.
Updating WMI Data fails on systems where the UUID remains the same after a change to the operating system, WindowsDirectory, or BootDevice.
Azure Groups are not being pushed to endpoints.
504 timeout error reported on loading of “Group Policies – Administrator Built-In Managed Group”.
Dependencies prevent Purge File Undiscovered and Purge Old Computer maintenance tasks from purging correctly and freeing up licenses.
Authentication provider changes do not trigger an application pool recycle.
The User Management Policy for built-in accounts displays the incorrect policy.
Inaccurate data shown on the Application Actions Report drilldown page.
The computer drilldown report displays incorrect data for the Domain Groups as Local Administrators.
The information under Settings on the Authenticated Justification Message Action is incorrect, the information only pertains to the “By a member of the group” option and not to all settings.
The UTC Time option does not work with scheduled Email tasks.
Expired licenses are not deleted from the server.

Cloud Specific

AD Containers are not recognized by OU Computer Group Filter.
Cloud instances are showing the “No Valid Support License” banner.
Setting up and running the Email Scheduled task does not trigger emails to be sent.
View Password role does not immediately work after system upgrade.

macOS Specific

File Specification Filter does not support RegEx as intended.
In versions prior to 11.2 the Uninstall.sh script did not fully remove all artifacts. The following files
- /var/db/receipts/com.thycotic.agent.bom
- /var/db/receipts/com.thycotic.agent.plist
  remained.
  Running pkgutil –files com.thycotic.agent should report the following:
  No receipt for 'com.thycotic.agent' found at '/'.

Known Issues

Deleting a Parent Targeted Group with a child group will throw an exception message, while partially performing a delete on certain items. As a workaround, first delete the child group before deleting the parent.
If a block policy is duplicated and used to create another policy to add Exclusions, the customized policy will be listed under Elevate vs. Block policies on the Application Policies page.
No Domain name is listed under Global Account Details when looking at Azure AD users and groups in the resource explorer.
Due to the Azure Graph API deprecation in the Azure Portal, manual steps are required to set up the Azure AD Foreign Systems integration:
1. When you get the Azure Graph API deprecation error while on steps 13 through 15 of this procedure, in the left Manage menu, navigate to Manifest.
2. Copy and paste this text into the json file:

{
   "resourceAppId": "00000002-0000-0000-c000-000000000000",
   "resourceAccess": [
            {
                     "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04",
                     "type": "Role"
           }
   ]
 }

Refer to the sample image below:

macOS Specific

App Translocation path resolution does not work on Catalina 10.15.7 (19H1323). This affects App Bundle Filters using the Bundle Path property and File Quarantine Actions. Feedback FB9553808 has been filed for reference.

Clarifications

Added a topic to demonstrate how to block all sudo commands, while allowing specific exceptions. Refer to “Block All Sudo Commands on a macOS Agent and Stopping the Fallback to Standard Behavior”.

FAST FIND

→ You can find these release notes and other versions quickly and easily with us:
fast-find/delinea

Delinea specializes in password management and endpoint security solutions.
FYRE Consulting is an official authorized partner of Delinea.