10.5 and Previous Releases

10.5.4

Release Date: 12/11/2018

Enhancements

Listed below are the enhancements being provided in this release:

  • When creating a resource target for a policy, the “Groups” option is available to allow targeting of organization units (OUs). See article: https://support.delinea.com/support/s/article/User-Defined-Resource-Targets-and-Collections
  • A new report called “Server Node Status” will show the version installed on each server node in high availability environment. This report will inform customers of the installed version of Verify Privilege Manager across multiple instances for high availability.

Bug Fixes

Listed below are the bugs that have been * Fixed in this release. (The product behavior is described as it was prior to the * Fix. In a few of the items below, the specific * Fix is also described.)

  • Users with the Verify Privilege Manager Helpdesk Users role are unable to approve items; get an error message.
  • Authenticated XAML message does not work if agent cannot connect to domain. * Fix: When validating credentials, if the domain is not available Verify Privilege Manager will now authenticate against the operating systems so that (if the domain isn't available) the agent will use the local database SAM cache.
  • Purge Maintenance task times out on extremely large tables when performing a deletion of millions of records.
  • Exporting the Application Summary Report to CSV fails.
  • During upgrade, some servers don't have proper permissions to allow writing new certificates to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. * Fix: A new error message was added for Verify Privilege Manager servers that do not have proper permissions during the upgrade to write new certificates to: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
  • After successfully adding the first license, message saying “No records to display” is still displayed.
  • Licensing page does not display an error if importing an invalid or duplicate license.
  • On some reports, some valid filterable values are not being displayed as a selectable option after selecting the “Filter Report” button.
  • Labels and information displayed when viewing a task does not properly align when the screen size is small.
  • Option to “Backup the System” under “Client System Settings” policies does not elevate without selecting to apply to child processing. * Fix: Elevation will now occur automatically without having to change the child processing setting.
  • Some Role membership group names are in all lowercase, not Pascal case.
  • On the Help page, the link for the user guide is pointing to the Preferences page instead of the actual user guide.
  • User is unable to press the ‘Cancel' button on the Preferences page.
  • When the browser is made smaller, the page to create scheduled tasks has overlapping text.
  • When editing a copy of the “Approval Request Form Action”, the selected value in the “Approval type” disappears when switching from view mode to edit mode.
  • Changing the “Minimum Security Level” field in the console log settings is not limiting the records displayed in the logs.
  • “Base URL” field for Verify Privilege Manager server under Foreign systems reads as “Base URI”. * Fix: Text of the “Base URI” label in a Foreign System has been changed to “Base URL”.
  • Selecting options besides the “Upper Case” option when configuring a user's password results in “Undefined” being displayed as a selected option.
  • Incorrect error messages are displayed if a new User credential is saved without or with an incorrect password.
  • After clicking “Import” on the Import Items page, the import button does not grey out to display feedback that the import is processing.
  • Exception is thrown on “Client System Settings” page when the Assign Filter field is left blank.
  • Assigning filters to any of the items in “Client System Settings” can cause the page to become unresponsive.
  • On the Time of Day filter, changing the time under “Different Periods on Different Days” also incorrectly changes the times under “Same Period Every Day”.
  • Clicking the Sort column of an empty report causes page to error.
  • When deleting a filter or an action that is used in a policy, Verify Privilege Manager correctly prevents the deletion but displays an incorrect error message.
  • When building resource target queries, starting with “All Computers” causes poor performance. * Fix: This been removed from the default way resource target queries are built.
  • “OU Directory Scope Collection Update” task fails if Collection.LastUpdated is null.
  • Applications hang if a new certificate is created and the agent requests new client items before it updates applicable policies or registers with the server.
  • Installing a new agent on a macOS endpoint results in a corrupted schedules.plist file.
  • Azure AD tokens are expiring within minutes. * Fix: Azure AD will now last as long as normally issued tokens.
  • If the “UNC Elevation Policy Template” Config Feed is imported, the "UNC Content Query" is erroring.
  • When Verify Privilege Vault and Verify Privilege Manager are installed together using the combined installer, and a separate domain account without write permissions is used, subsequent upgrades fail if the domain account running the application pool does not have Write permissions on the TMS web folder.
  • “Advanced Deny Notification Actions” are not included in dashboard counts and the list of denied files.

10.5.000003

Release Date: 9/25/2018

Bug Fixes

  • Fixed issue where the macOS agent configuration did not have a default task check in interval saved.
  • Fixed issue where queries for reports that are scoped to display only certain resources will fail if the Default Security Descriptor ID is null or empty.
  • Fixed issue where large Active Directories caused the Collection and Resource Targeting Update task to run for too long.
  • Fixed issue where Verify Privilege Manager's authentication provider screen would crash if incorrectly configured. When Verify Privilege Manager cannot reach an Active Directory domain, a useful error message is now displayed.
  • Fixed issue where Verify Privilege Manager task schedules are not properly saved and displayed.
  • Fixed issue where the dashboard would display an unexpected error in a modal popup the state of a gauge undefined.
  • Fixed issue where the sign-in page URL query string could be used to redirect a user to another URL by only allowing relative URLs.
  • Fixed issue where Telerik grids were not able to be resized when zoomed in or out in Chrome, Firefox, and Edge.
  • Fixed issue where the GetToken API returned an invalid token for unauthorized requests instead of a 401 response code.
  • Fixed issue that allowed Verify Privilege Manager to be embedded inside of an iframe.
  • Fixed issue where a New Loaded Resource file is not assigned to an endpoint's agent after the Resource Discovery task is executed once.
  • Fixed issue where the Resource Discovery task does not finish and will continue to display a spinner when discovering a New Loaded Resource file that is not assigned to an endpoint's agent.
  • Fixed issue where a New Loaded Resource was not discoverable if the location has been discovered but the file has been removed from the endpoint.
  • Fixed issue that displayed the HTTP status code instead of the actual server error when bad XML was imported to Verify Privilege Manager.
  • Fixed issue where the data grid within a policy that displays all the filters loads slowly.

macOS Agent Updates (version 10.5.12)

  • Fixes issue where the macOS agent was not properly logging failed agent registration attempts when an invalid install code was used.
  • Fixed issue where macOS agent was writing exceptions to the logs if v4 agent registration fails when connecting to a Verify Privilege Manager version prior to 10.5.
  • Fixed issues where initial basic inventory was not being removed after first running.

10.5.000001

Release Date: 9/04/2018

Bug Fixes

  • Fixed issue where Verify Privilege Manager, when configured with Verify Privilege Vault for authentication, did not properly fall back to NTLM authentication if Verify Privilege Vault was not properly configured.
  • Fixed issue where Verify Privilege Manager upgrade failed if duplicate IDs existed in [Ams].FileUploads or [Ams.Data].Win32_OperatingSystem tables.
  • Fixed issue where Verify Privilege Manager did not prevent deletion of an item referenced by another object. For example, it did not block a filter from being deleted if that filter was also being used by an active policy.
  • Fixed an issue where the delete operation of computers did not properly display completion for long-running deletes.

​10.5.000000

Release Date: 8/15/2018

Overview

Notable enhancements to 10.5 include a new dashboard as the home page, integration with Cylance reputation analysis, support for Azure Active Directory, performance enhancements, and improved agent security.

Important for Verify Privilege Vault Combined Upgrades

If Verify Privilege Vault is installed in conjunction with Verify Privilege Manager, Verify Privilege Vault must be upgraded to 10.5.000001 before you upgrade to Verify Privilege Manager 10.5.000000.

10.5 Agent Upgrades

Unless the “Prevent Legacy Agent Registration (10.4 and older)” option is checked (Admin > Configuration > Advanced), older agent versions will still function in Verify Privilege Manager 10.5.000000, but IBM Security recommends that you do upgrade Verify Privilege Manager agents to the 10.5 version due to security enhancements.

That when installing new 10.5.000000 agents you will be prompted to install with a valid Install Code.

Enhancements

  • New dashboard for deep reporting and visibility into the state of Verify Privilege Manager.
  • Integration with Cylance for real-time threat intelligence policy checks.
  • Support for Azure Active Directory for authentication, resource targeting, and user context filters.
  • Excel reports that are exported are sanitized to prevent macro injection attacks against end-users who open the Excel files.
  • Cross site request forgery prevention implemented.
  • Sensitive data encrypted on endpoint with machine, non-global key.
  • Agent installation requires agent install code as a parameter or as a field entered when using the bundled installer for additional security.
  • Redesign of agent/server trust requiring shared secret before agent can register with server and receive policies.
  • Redesign of client item encryption to improve security.
  • “Add new filter” and “Add to policy” buttons are on resource page for MSIs and scripts.
  • Support for inventory filters added as secondary file filters to allow targeting of MSIs and scripts by hash.
  • Support wildcards in fields of the Win32 executable filter. See inline help for details.
  • Added SQL indexes for improved performance.
  • Collection update and resource targeting update tasks are combined into task called “Run Policy Targeting Update.”
  • Allow unattended uninstall of macOS agent by adding command-line option to suppress the user confirmation prompt.
  • Reduced the time it takes a newly installed agent to download policies.
  • Advanced message options for justification window supports end user authentication.
  • Default to validating client item signatures on Windows agents.
  • Support and maintenance license are viewable on the licenses page.
  • Option to "Apply action to child processes" is unchecked by default.
  • Deployment tab of a policy will display a button to update the collection of resource targets on demand.
  • EULA not shown upon product upgrade.

Bug Fixes

  • Fixed issue where Administrator group incorrectly displayed SYSTEM account as a member.
  • Fixed issue where Server URL on agent was not updated if server was changed.
  • Fixed issue where setting password rotation for a one-time update failed to rotate the password.
  • Resolved error when custom approval process was initiated.
  • Processed events are purged up from the [AMS.DATA].FileUploads, [AMS.DATA].FileUploadChunks, and [AMS.DATA].FileUploadSessions tables.
  • Fixed issue where changed numeric values on the Advanced tab of the configuration page were not saved.
  • Resolved schedule creation error in certain time zones.
  • Resolved an issue where provisioning a local user would enable a disabled account and/or disable an enabled account.
  • All internal links to support documentation now utilize https.

Known Issues

  • If Verify Privilege Vault is installed in conjunction with Verify Privilege Manager,Verify Privilege Vault must be upgraded to 10.5.000001 before you upgrade to Verify Privilege Manager 10.5.000000.
  • Agent trust is broken if VM UUID changes. Agent must be reinstalled to resolve.
  • On the user screen in local security, the text “undefined” will appear if any option for password “Characters” is selected except 'Upper Case.'

10.4.001233

Release Date: 3/28/2018

Bug Fixes

  • Resolved issue to ensure the trimming of the table storing data from uploaded files

10.4.001231

Release Date: 3/6/2018

Enhancements

  • Support for SQL 2017
  • Support for agent communication on Windows 7 systems with TLS 1.1 and SSL 3.0 disable
  • Checks for a valid maintenance license to allow product upgrades
  • Client item cache is cleared automatically
  • Clicking the “Run” button for tasks indicates successful execution and prevents kicking off of multiple tasks
  • Built-in administrator is prevented from being removed from group and the associated operation will display “Required Account”
  • Support "log4net log (.log)" format in the Thycotic Monitor

Bug Fixes

  • Reports on "Managed Local Users" and "Managed Local Group" will now allow users to select the account name as a drill through to a report on the computers the account exists on
  • Breadcrumbs will display the correct name after renaming a computer group
  • Upgrades will retain security ratings setting for VirusTotal
  • Custom time of day filter correctly saves
  • Simple policy view allows for new filter to be saved inline
  • The popup allowing users to add a new account to a group allows sorting
  • License correctly determines client and server types during basic inventory
  • Ability to clone credentials has been removed when Verify Privilege Manager stored credentials in Verify Privilege Vault
  • Resolved searching for filters from within the secondary file filter
  • Upon saving group membership, the operation column correctly displays the action that will be taken on the associated account
  • Resolved validation of password field for a managed user when using Edge browser
  • Charts on the statistics page scale correctly for both small and large number of endpoints
  • Resolved issue that prevented enabling of firewall policy
  • Password scheduler saved when UTC is selected
  • Allow domain groups to be members of roles
  • Resolved issue preventing application inventory on network shares
  • Prevent non administrative access to the Thycotic folder on local drive

10.4.000000

Release Date: 1/17/2018

Enhancements

  • Least Privilege Enforcement for Local Users and Groups
  • Provision local users and groups across all endpoints
  • Permanently remove accounts from privileged local groups
  • Prevent group membership from being changed directly on the endpoint, even by an administrator
  • Local Account and Credential Management
  • Uniformly apply user properties to local accounts
  • Set secure and unique passwords for local accounts by defining character requirements and password length
  • Rotate local account passwords automatically on a scheduled basis
  • New and Enhanced User Interface
  • Least Privilege features are built on top of a new easy to use and manage interface within the Local Security section of the application.
  • Policies are easily deployed to groups of users or endpoints, making it easy to deploy least privilege in a phased approach
  • Dashboard, reporting, and statistics are built into the interface to understand the current state of local users and groups on the endpoint and any changes. Easily spot vulnerabilities and trends.
  • Actionable tips will appear inline when the environment is not following best practices
  • Usability enhancements to application control functionality
  • All grids have filtering options to narrow down large datasets
  • Integration with Verify Privilege Vault
  • When using both Verify Privilege Manager and Verify Privilege Vault, passwords can be stored in Verify Privilege Vault's vault
  • Intended for use on endpoint workstations where remote management of local or non-domain accounts is not possible
  • Verify Privilege Vault enterprise PAM features can be used upon secrets that are managed by Privileged Manager
  • Role Based Access
  • Define users of the Verify Privilege Manager application: set administrators, read only users, macOS users, Windows OS users, and helpdesk users
  • Security trimmed access specifically designed for help desk users, who's responsibility it is to disclose passwords and approve/deny applications
  • Reporting and Dashboards
  • New reports provide visibility into local user and group membership, an audit of passwords that have been disclosed, a summary of local administrators, and all computers with passwords being managed by Privileged Manager
  • Contextual reporting for each group of users and computers where least privilege policies are being applied to understand the affect of policies on users
  • Simple charts provide an understanding of all endpoints with each individual user or group
  • Dashboard will display trends of user's group membership changes, users being added and removed from groups, and passwords being disclosed. Trends provide insight into understanding outliers and potential rogue activity.
  • Endpoint Visibility Utility
  • Simple console deployed directly on the endpoint to check the communication status, register with the server, get the latest policies, view and export the logs.
  • Ideal for enhanced visibility and understanding, especially when working directly with internal IBM Security support or professional services.

Bug Fixes

  • Language and text * Fixes on installer screens for non-English systems
  • Issue where Verify Privilege Manager's macOS copy helper would perform the copy without waiting the approval to complete. After * Fixing, we can now target .pkg files with policies.
  • Secondary file filter will detect scripts being executed on Windows 10, after changes were made on how PowerShell scripts are launched on the OS
  • Allow install (and pre-req install) to succeed if PowerShell Execution Policy is set to RemoteSigned in Group Policy
  • Editing the Application Control Configuration policy will not set some values as blank
  • Allow for configuration of "days" parameter for Purge Old Computers Task
  • On macOS, track which certificate Verify Privilege Manager received the most recent time it was registered.
  • Ability to assign ServiceNow Process in Execute App Type through Verify Privilege Manager UI

Known Issues

  • On Windows 10 Enterprise edition with patch version 1709 (released October 26, 2017), UAC is not suppressed, and thus end users are prompted to enter admin credentials
  • Unable to Clone Credential when Verify Privilege Vault is used as vault
  • Agent is not communicating to server on Windows 7 over TLS 1.1
  • Creating a File Hash specific filter fails if there are spaces at the end of the hash

10.3.000014

Release Date: 8/29/2017

Enhancements

  • Implemented automatic and continuous server-side logging
  • Incorporated sandbox actions, allowing policies to limit the environments in which applications can execute
  • On demand retrieval of a newly discovered file after event discovery. When “New Loaded Resource” is displayed, the user can click a new button called “Discover Now” to retrieve resources data.

  • New check box added to the Event Discovery configuration to find all applications that require administrator rights to run

    ServiceNow configuration improvements

  • Option to run the installation just for Verify Privilege Vault, without installing Verify Privilege Manager
  • Upgrade of Verify Privilege Manager will not require local admin rights when installed in conjunction with Verify Privilege Vault
  • Display warning if policy does not target any application
  • Policy creation screen will remember simple or advanced view preference
  • Paginate Resources list view
  • Improved error handling on installation and the addition of an error icon indicating an issue
  • Fixed issues in the VirusTotal reputation calculation and service call handling
  • Upgrading a product within the setup app will also update dependent products
  • Log files are now being stored to disk
  • Installation Summary report now includes the last time agents registered
  • Enhancements within installer for web applications to run as a user account
  • Enhancements to better show report rows and chart sections that can be clicked into for drill-down into another report

Bug Fixes

  • HTTP binding is not required on Verify Privilege Manager website
  • VirusTotal configuration is retained after upgrade or repair
  • Issue installing the file inventory with machines using non-US date/time
  • Trailing slash () will not affect the path field in Win32 and File Specification filters
  • Future changes to agent configuration policies will be preserved and not overwritten
  • All system policies are prevented from being edited so the user can create a copy

10.3.000000

Release Date: 7/12/2017

Enhancements

  • Added an agent to allow deny and allow lists, approvals, and elevation on Macs.
  • Added "easy Policies" to allow for simple ways of creating allow and deny lists.
  • The dashboard is now a series of tiles designed to give a simpler experience.

10.2.000000

Release Date: 4/12/2017

Enhancements

  • Updated Installer
  • New installer to handle more prerequisites for HTTPS Bindings, WCF, and SQL
  • Updated setup home for managing product upgrades going forward
  • Session Monitoring Agents
  • A new agent and policy is available to record RDP and console sessions. Note that this requires a Verify Privilege Vault installation and licenses.
  • For more information on RDP monitoring policies see this KB article

10.1.000000

Release Date: 1/18/2017

Enhancements

  • Added page specific help into Verify Privilege Manager console
  • Added options in the Discovery for kicking off inventory tasks to expedite policy testing
  • Brought EMET policy options into the Verify Privilege Manager console
  • Brought the Application Firewall policy options into the Verify Privilege Manager console
  • Added configuration feeds for uploading policies and other items from support.

Bug Fixes

  • Fixed issue where adding a new Persona and going back to the persona home required a browser refresh to see the new Persona
  • Fixed issues in IE where the Report title text on the report home was not a link.
  • Fixed issues with configuring Active Directory domains.