10.6 On-premise Release Notes

Release Date: 07/11/2019

Enhancements

Enhancements available with the 10.6 On-premises release of Verify Privilege Manager include:

  • The Syslog integration options have been improved and support for HTTP/HTTPS was added. The HTTPS option specifically supports integrations with DEVO. (Also available in Cloud release.)
  • A Getting Started dialog provides information on initial configuration steps and links to documentation to guide customers through configuration, integration, and setup.
  • An Offline Approval Process has been implemented so end users can request an approval for an application to continue to execute even if an endpoint is offline. Approval workflows usually require an endpoint to be online to send out the approval request and then receive an approval for an application to continue to run or execute. The offline approval dialog can be customized within the policy action configuration area. Summary reports for offline approvals are available via the Reports page in Verify Privilege Manager.
  • Filters/Actions have been added in support of various new Verify Privilege Manager functionality:

    • Application Approval Request (with Offline Fallback) Message Action (Windows, macOS)
    • Copy Install Application (macOS)
    • User Requested Run As Administrator Filter (macOS)
    • Executable Declared as Privileged Filter (macOS)
    • Codesign Elevated Application Filter (macOS)
  • Direct approval process selection for ServiceNow is now available in the Verify Privilege Manager UI, and no longer requires SilverLight.
  • The Windows agent supports the display of the ServiceNow approval request ID after the approval has been submitted.
  • Integration to use Azure AD as an authentication provider has been improved. It is now possible to specify the Client ID and the Client Secret in the configuration for Azure AD. If not specified, the associated user credential will be used. This enables customers to use just one credential for both import and login, or use separate ones based on preference. Local Active Directory accounts can be imported and synchronized with Azure Active Directory. Tasks have been added to support importing a subset of the directory instead of needing to import the entire directory.
  • New macOS features. Refer to the macOS information under Platforms and Computer Groups for detailed information.

    • A policy can be created to allow or deny standard users to install specific applications by copying the application into the Applications folder.
    • Just as on Windows endpoints, users can request application self-elevation via a context menu action on macOS system endpoints. The application control is policy based and the macOS system with the endpoint agent must have been online at least once to request its policies from the Verify Privilege Manager server.
  • A setting was put in place to cap the maximum number of events that can be sent back to the server at 1 million events. Once that threshold is reached, the oldest event is purged from the list. This setting can be adjusted in the Advanced section of the Configuration page.
  • A browser-based server Log Viewer is now available from the Admin menu.
  • Error notification and performance in high latency environments have been greatly improved in this release.
  • Bulk delete actions have been added to support the removal of large numbers of file resources without timeouts.
  • The Resource Targets on the Conditions tab of an ACS policy has been renamed to “when ANY match” for clarification of scope.
  • General improvements to the Groups view within the Local Security area.
  • The Verify Privilege Manager feature to support RDP session monitoring is being discontinued.

Bug Fixes

Listed below are the bugs that have been addressed in this release. The description below reflects the product behavior prior to the fix and specific details about the fix for some of the items.

  • In the Verify Privilege Manager UI, domain users cannot be added to TMS Roles; only groups may be added.
  • When the URI information is deleted from an existing SMTP server configuration, the URI entry box disappears from the UI.
  • The Verify Privilege Manager UI does not correctly load policy details with large numbers of filters configured. Paging functionality has been added, defaulting to 10 items per page viewed. This can be customized on any given list page to a view of up to 100 items per page.
  • Unable to edit configuration of "All Other Users and Groups" for groups in local security from “Ignore if found” to “Remove if found”. When this issue occurs, Verify Privilege Manager will show an error, which then allows the user to fix the error by navigating to the “RemoteScheduledClientCommandContract” for the group that is having the issue, removing the input parameters for the provisioned group, and then retrying the change.
  • Error upgrading to 10.5 U3 Directory Services for some specific conditions.
  • LSS Member filter does not work if the number of members across endpoints and the number of endpoints is large.
  • The Verify Privilege Manager Remove Program Utility displays incorrect buttons for NoModify and NoRepair registry keys.
  • The Add/Remove Programs Utility is preventing repairs to Microsoft Office products.
  • The User Context Filter via SID Filter "create page" validation causes an error, which prevents the SID from being saved.
  • After reboot, the endpoint agent creates a certificate based on the UUidCache information causing an invalid agentID error.
  • A macOS account with a computed RelativeId (RID) that is null results in an exception that causes Local User Inventory to fail.
  • macOS: The Administrator account (500) is required to be added to the managed Administrators (544) group.
  • After editing a managed local group, the list of members will sometimes expand to include what appears to be the entire list of all users in the system. Refreshing the console will return to showing just the members that were configured.
  • During Event Discovery, if the same file is discovered from 2 policies, only one file entry will be removed but receive an Acknowledge All. The second listing of the same file cannot be removed.
  • Built-in Verify Privilege Manager User does not have read access to policies.
  • Verify Privilege Manager relies on the Require Folders for Secrets Verify Privilege Vault setting during integration set-up.
  • Login button is displayed after authentication with Verify Privilege Vault.
  • Customers upgrading from version 8.x have issues deleting or saving items with GUID 71f3e19c-625c-4696-80e6-c9616554cb3c.
  • UAC Override policy does not go into effect until UAC Override scheduled task is run.
  • Event discovery resources stuck in Pending Assignment status.
  • On macOS endpoints with agent version 10.6.19 installed, depending on the user interaction with the approval dialog, it is possible that after clicking Continue or Cancel the dialog is redisplayed and cannot be dismissed.

Known Issues

  • The macOS self-elevation feature is not supported for systems running macOS 10.11 (El Capitan). The Verify Privilege Manager Finder Extension does not work when installed on macOS 10.11. IBM Security recommends upgrading macOS endpoints to a newer version of the macOS operating system to utilize the latest feature enhancements in the Verify Privilege Manager 10.6 macOS endpoint agent.
  • If a customer implementation uses the Microsoft Azure Service Bus for their Internet connected clients, the clients will NOT be able to communicate with the Verify Privilege Manager server after an upgrade to 10.6. Contact IBM Security Support if you are using Microsoft Azure Service Bus and are planning to upgrade. This does not impact implementations using a Reverse Proxy.
  • Verify Privilege Manager macOS Administrator and Verify Privilege Manager Windows Administrator roles:

    • If you are using the Verify Privilege Manager macOS Administrator and/or the Verify Privilege Manager Windows Administrator roles, you must also add those members to the Verify Privilege Manager Users role or they may not be able to view some of the application filters or actions. If you are using Verify Privilege Vault authentication, restarting the Verify Privilege Manager app pools may be required to have this take effect.
    • Members of the Verify Privilege Manager macOS Administrator and/or the Verify Privilege Manager Windows Administrator roles may not be able to delete some items such as policies, actions and filters, even though they are editable. Have a member of the Verify Privilege Manager Administrators role delete those items if this occurs.