10.6 Cloud Release Notes

Release Date: 05/30/2019

In this new release, IBM Security expands its Enterprise-Grade Privileged Access Management (PAM) as a Service, offering Verify Privilege Manager in the cloud and building upon its industry-leading cloud-ready solutions.

Enhancements

Enhancements available with the 10.6 Cloud release of Verify Privilege Manager include:

  • A Getting Started dialog provides information on initial configuration steps and links to documentation to guide customers through configuration, integration, and setup steps.

  • An Offline Approval Process has been implemented so end users can request an approval for an application to continue to execute even if an endpoint is offline. Approval workflows usually require an endpoint to be online to send out the approval request and then receive an approval for an application to continue to run or execute. The offline approval dialog can be customized within the policy action configuration area. Summary reports for offline approvals are available via the Reports page in Verify Privilege Manager.

  • Clear communication for regularly scheduled or emergency maintenance tasks:

    • In Verify Privilege Manager Cloud environments regularly scheduled maintenance tasks will be announced via a maintenance banner at least 14 days prior to the maintenance window being in effect.
    • IBM Security will announce any regularly scheduled and emergency maintenance to inform customers when maintenance is performed on the cloud instance.

  • Filters/Actions have been added in support of various new Verify Privilege Manager functionality:

    • Application Approval Request (with Offline Fallback) Message Action (Windows, macOS)
    • Copy Install Application (macOS)
    • User Requested Run As Administrator Filter (macOS)
    • Executable Declared as Privileged Filter (macOS)
    • Codesign Elevated Application Filter (macOS)

  • Direct approval process selection for ServiceNow is now available in the Verify Privilege Manager UI, and no longer requires Silverlight.

  • The Windows agent supports the display of the ServiceNow approval request ID after the approval has been submitted.

  • Thycotic One is the access portal to Verify Privilege Manager Cloud and provides data center access/support via Thycotic One US East, EU, and Australia Azure geo locations.

  • Integration to use Azure AD as an authentication provider has been improved. It is now possible to specify the Client ID and the Client Secret in the configuration for Azure AD. If not specified, the associated user credential will be used. This enables customers to use just one credential for both import and login, or use separate ones based on preference. https://support.delinea.com/support/s/article/PM-How-to-Configure-Privilege-Manager-with-Secret-Server

    Local Active Directory accounts can be imported and synchronized with Azure Active Directory. Tasks have been added to support importing a subset of the directory instead of needing to import the entire directory. https://support.delinea.com/support/s/article/PM-Setting-Up-Azure-Active-Directory-Sync

  • macOS, refer to the Mac User Guide for detailed information on the new macOS features.

    • A policy can be created to allow or deny standard users to install specific applications by copying the application into the Applications folder.
    • Just as on Windows endpoints, users can request application self-elevation via a context menu action on macOS system endpoints. The application control is policy based and the macOS system with the endpoint agent must have been online at least once to request its policies from the Verify Privilege Manager server.

  • A policy was put in place to cap the maximum number of events that can be sent back to the server at 25000 events. Once the 25000 event comes in, the oldest event is purged from the list. For troubleshooting purposes this can be temporarily adjusted by IBM Security support.

  • A browser-based server Log Viewer is now available from the Admin menu.

  • Error notification and performance in high latency environments have been greatly improved in this release.

  • Bulk delete actions have been added to support the removal of large numbers of file resources without timeouts.

  • The Resource Targets on the Conditions tab of an ACS policy has been renamed to “when ANY match” for clarification of scope.

  • General improvements to the Groups view within the Local Security area.

  • The Verify Privilege Manager feature to support RDP session monitoring is being discontinued.

Bug Fixes

Listed below are the bugs that have been addressed in this release. The description below reflects the product behavior prior to the fix and specific details about the fix for some of the items

  • In the Verify Privilege Manager UI domain users cannot be added to TMS Roles, only groups may be added.
  • When the URI information is deleted from an existing SMTP server configuration, the URI entry box disappears from the UI.
  • The Verify Privilege Manager UI does not correctly load policy details with large numbers of filters configured. Paging functionality has been added, defaulting to 10 items per page viewed. This can be customized on any given list page to a view of up to 100 items per page.
  • Unable to edit configuration of "All Other Users and Groups" for groups in local security from “Ignore if found” to “Remove if found”. When this issue occurs, Verify Privilege Manager will show an error, which then allows the user to fix the error by navigating to the “RemoteScheduledClientCommandContract” for the group that is having the issue and removing the input parameters for the provisioned group and then retry the change.
  • Error upgrading to 10.5 U3 Directory Services for some specific conditions.
  • LSS Member filter does not work if the number of members across endpoints and the number of endpoints is large.
  • The Verify Privilege Manager Remove Program Utility displays incorrect buttons for NoModify and NoRepair registry keys.
  • The Add/Remove Programs Utility is preventing repairs to Microsoft Office products.
  • The User Context Filter via SID Filter "create page" validation causes an error, which prevents the SID to be saved.
  • After reboot, the endpoint agent creates a certificate based on the UUidCache information causing an invalid agentID error.
  • A macOS account with a computed RelativeId (RID) that is null results in an exception that causes Local User Inventory to fail.
  • macOS: The Administrator account (500) is required to be added to the managed Administrators (544) group.
  • After editing a managed local group, the list of members will sometimes expand to include what appears to be the entire list of all users in the system. Refreshing the console will return to showing just the members that were configured.
  • During Event Discovery, if the same file is discovered from 2 policies, only one file entry will be removed but receive an Acknowledge All. The second listing of the same file cannot be removed.
  • Built-in Verify Privilege Manager User does not have read access to policies.

Limitations in Verify Privilege Manager Cloud 10.6 vs. On-prem

  • The Local Active Directory features exists, but requires a direct connection to the domain controller, which is often not permissible due to firewall configurations.
  • Verify Privilege Vault integration for authentication and vaulting of local account credentials is not presently available.
  • All license key management is done via IBM Security and license keys are not visible on the licensing page. There are not presently options for customers to add additional licenses directly.
  • Access to the Security Manager console (Silverlight version) is not available.
  • Personas are not available.
  • Server-side PowerShell scripts not signed by IBM Security are not allowed. Custom server-side work can be done via Professional Services engagements.
  • The setup is managed by IBM Security and installations, upgrades, and repairs are unavailable to the customer directly, this includes setup, add/remove feature options, and connection option to existing Verify Privilege Vault. Upgrade notices and banners are removed with upgrades being handled by IBM Security during maintenance periods.

All other features and functionality of Verify Privilege Manager On-premises and Cloud are the same.

Known Issues

  • The macOS self-elevation feature is not supported for systems running macOS 10.11 (El Capitan). The Verify Privilege Manager Finder Extension does not work when installed on macOS 10.11. IBM Security recommends upgrading macOS endpoints to a newer version of the macOS operating system to utilize the latest feature enhancements in the Verify Privilege Manager 10.6 macOS endpoint agent.