10.7 On-premise Release Notes

Release Date: 2019-12-09

Enhancements

Enhancements available with the 10.7 On-premises release of Verify Privilege Manager:

• Migrate Local Security Policies has been added. The migration path to the latest Local Security implementation provides an analysis report of issues like missing account credentials, or accounts that are not unique across targets, which can then be remediated before the migration.
• Change History auditing is available for resource items providing information on who initiated the change, at what date and time, and what type of change was made.
• The Remove Programs Utility in previous versions available via Configuration Feeds has been fully integrated with Verify Privilege Manager Server and the Agents installation packages. The functionality has been expanded to also include Windows 10 App Store applications.
• Export and import of policies – including all dependent filter, action, and user context type items.
• A new Reset Licensing task was added.
• Support filtering on the subject name of a signed digital certificate allowing for much more generic certificate management.

• Dependency checks have been added to Verify Privilege Manager for:

  • Deleting Items
  • Task Parameter and Schedule Parameters

• Agents Enhancements:

  • Agent Hardening
  • Agent will only receive new and updated policies that are relevant to that endpoint.
  • Enhance Client Item Cache Log View in Agent Utility.
• Support for configurable session and inactivity timeouts was added to the product.
• Allow right-click as a IBM Security Admin for .msu and .msc files.
• ServiceNow ticket request numbers are displayed within Verify Privilege Manager's prompts.
• Restrict access rights of File-Open dialogs that are launched from elevated processes.
• Domain User support in User Context Filters.
• When choosing a resource target, if an OU (Organizational Unit) is synced, the UI will display the computer and site names in their proper hierarchical structure
• When choosing a domain user for a Role, the picker now shows the domain and group membership of that user.
• Ability to bypass policy inspection during endpoint boot-up time in order to not affect boot-up time.
• Performance improvements during agent registration.
• Admin controlled list of extensions that are excluded from agent hashing.
• Application's friendly name displayed in approval workflow prompts.
• The default log size can be set using configuration settings in the administrative policies tab.

• The default permissions on the Application Control Agent Configuration Policies have been updated as follows:

  • TMS Admins and Windows Admins have read/write to the Application Control Agent Configuration Policy (Windows)
  • TMS Admins and Mac Admins have read/write to the Application Control Agent Configuration Policy (macOS)
  • TMS Admins, Windows Admins, and Mac Admins have Read/Create/Revoke access to Install codes

• macOS specific features:

  • Target specific commands on macOS using wildcards (starts with, ends with, contains) and regular expressions.
  • Secure Token support.
  • macOS discovery settings are more readily accessible on the discovery configuration page.
  • PKG files can now directly be uploaded within the Verify Privilege Manager UI, alleviating the need to first perform file inventory of those applications on the endpoints. The application policy manager has added ability to inventory a PKG file to allow building of policies prior to the discovery of the package.
  • macOS Catalina support.

Bug Fixes

Listed below are the bugs that have been addressed in this release. The description below reflects the product behavior prior to the fix and specific details about the fix for some of the items.

• Changing the selected collection for an SCCM collection does not correctly update membership.
• Page goes blank when navigating to Admin | Configuration and "Enable Automatic Refresh of Verify Privilege Manager Alerts in Browser" is disabled.
• Clear remote scheduled policy parameters when the command is changed.
• Message Action text editor in UI should support formatting included in XML.
• Double-clicking on column width adjustment in the Agent Log Viewer gives an Unhandled Exception.
• The Advanced Display Message Action is running in the background.
• New schedule updates do not display clearly in the schedule.
• The Application Justification Report returns no results.
• The Resource Monitor doesn't show counters after elevation.
• The COM Objects Elevation showing Windows UAC after canceling IBM Security prompt.
• The “folder” view in the item selector does not work.
• The Event Counts on the Verify Privilege Manager home are incorrect.
• Events are duplicated in the Event Discovery view.
• Win32Exe filter correctly handles files that have the internal attributes stripped.
• Remote/cloud connected clients that pull tasks are broken with service hardening tasks.
• The Password Age chart is broken and does not return any results.
• The Agent falls back to using legacy services and no longer retries to connect to current services.
• Offline Approval access is not available for the Verify Privilege Manager HelpDesk User role.
• macOS Resource Targets are not updating when trying to add to a policy.
• On mouse-over the Statistics | Changes Period to Past Month report throws an exception.
• Changing an Azure User's Role membership in Azure is not reflected in Verify Privilege Manager.
• An exception is thrown when navigating back to the Verify Privilege Manager home after a session timeout.
• System does not handle logins to a machine without standard SIDs.
• The horizontal scrollbar is showing in the table for Windows Privilege Personas.
• The Policies table is congested when opened in smaller resolution.
• Reports displayed from the homepage may scroll pass the pagination controls.
• The Top Applications widget on the homepage throws an exception
• Several reports on the home page are not loading properly in Firefox.
• Updates to an exclusion filter name are not displayed after editing.
• The no licenses installed banner is missing.
• Redundant warnings appear about the anti-virus exclusion settings.
• An exception is thrown when navigating to the Foreign Systems tab on the Configuration page.
• AD synchronization does not work correctly for users with distinguished names in excess of 256 characters.
• The report generated from Purge Maintenance - Files Undiscovered has duplicate messages.
• The Agent configuration form does not show previous values when a user clicks cancel.

• Verify Privilege Manager instances with Verify Privilege Vault integration:

  • Secrets deleted from Verify Privilege Vault create duplicate user credentials.
  • The expiration of a Verify Privilege Vault session does not prevent access to Verify Privilege Manager.
  • Changing Verify Privilege Vault Role Permissions for Verify Privilege Manager requires recycling TMS application pool.

Known Issues

• If you are upgrading from an older Verify Privilege Manager version (pre 10.5) contact IBM Security Support for assistance.
• Agent Hardening does not allow for an automated rollback. The workaround is to manually Restore Default Agent Permissions.
• If an issue is encountered with local UI preferences, IBM Security recommends clearing the local storage cache to remove old preference values. This can be done by going to Admin | Diagnostics and clicking the Clear Local Storage Cache button.
• Creating copies of a Persona or currently selected task schedule does not work.
• The File Specification Filter definition does not work on macOS 10.15 (Catalina) when the File Names field starts with com.apple.preference and/or Path field starts with /System/Library/PreferencePanes/. Any Policies leveraging these filter definitions is also impacted.
• In Safari and Edge browsers column filtering for the Agent Policy State and Agent Policy State - Drilldown reports does not work.
• The macOS self-elevation feature is not supported for systems running macOS 10.11 (El Capitan). The Verify Privilege Manager Finder Extension does not work when installed on macOS 10.11. IBM Security recommends upgrading macOS endpoints to a newer version of the macOS operating system to utilize the latest feature enhancements in the Verify Privilege Manager 10.7 macOS endpoint agent.

• Verify Privilege Manager macOS Administrator and Verify Privilege Manager Windows Administrator roles:

  • If you are using the Verify Privilege Manager macOS Administrator and/or the Verify Privilege Manager Windows Administrator roles, you must also add those members to the Verify Privilege Manager Users role or they may not be able to view some of the application filters or actions. If you are using Verify Privilege Vault authentication, restarting the Verify Privilege Manager app pools may be required to have this take effect.
  • Members of the Verify Privilege Manager macOS Administrator and/or the Verify Privilege Manager Windows Administrator roles may not be able to delete some items such as policies, actions and filters, even though they are editable. Have a member of the Verify Privilege Manager Administrators role delete those items if this occurs.