10.7.1 Release Notes

Release Date: Cloud 2020-03-05, On-premises 2020-03-12

Enhancements

Enhancements available with the 10.7.1 release of Verify Privilege Manager. Enhancements are for both versions, On-premises and Cloud, unless otherwise outlined under a specific On-prem or Cloud subtopic.

  • The Verify Privilege Vault Vault integration does not require Verify Privilege Vault to be set up as the authentication provider. Any supported authentication provider can be used, independent from using Verify Privilege Vault as a Password Vault. Refer to Setting up Integration between Verify Privilege Manager and Verify Privilege Vault.
  • Computers in Domain Groups can be leveraged as resource targets to be used in policies. Computer groups can be set up to utilize Active Directory security groups and organizational units (OUs). These so called domain security groups and OUs can be imported via Active Directory or Azure AD. However, OUs do not exist in Azure AD. Refer to Local Security.
  • General in product user guidance improvement for Mobile Application configuration. Refer to Verify Privilege Manager Mobile Application.
  • The policy Agent Service Start / Stop Control (Windows) is now obsolete. Users should disable that policy and/or delete it. We have added a new policy named Restrict Account Permissions on Agent Services (Windows). Users should clone that policy, to edit and assign to the desired targets, and enable. Refer to Agent Hardening
  • Improved verbose logging during token validation logic.
  • Report export options allow to select all data sets vs. data sets currently displayed on the page. Refer to Reports.
  • On-premises only support for deployments with Amazon RDS database systems.

macOS Specific Features

  • New Configuration Feed to ignore macOS Catalina Software Updates. For details refer to Ignoring macOS Updates.
  • Best Practices for macOS system preference panes have been added, refer to System Preferences.
  • Improved and new macOS event discovery filters, refer to macOS Specific Filters. Beginning with macOS Catalina, Apple changed the location of the application bundles that ship with the operating system. Traditionally, these applications were located in /Applications. Now they are located in /System/Applications. That location however is masked by Finder. The new and improved filters work with both locations.
  • It is no longer necessary to include the .app extension for the Bundle Name property of an App Bundle Filter (e.g., Console.app). The agent will account for its presence while performing policy evaluation and properly match the filter if it is applicable. Refer to App Bundle Filter

Cloud Specific Features

  • Data centers in Canada and Singapore have been added.
  • Verify Privilege Vault can be used as a password vault independent from the authentication provider.
  • ServiceNow connector is automatically installed for all new cloud instances.
  • The integrated SMTP server is automatically configured for all customers during the cloud instance setup, alleviating the need for customers to connect their own SMTP server.

Bug Fixes

Listed below are the bugs that have been addressed in this release. The description below reflects the product behavior prior to the fix. Bug Fixes are addressed for both versions On-premises and Cloud unless otherwise outlined under a specific On-prem or Cloud subtopic.

  • Long lists of resource items are not scrollable when trying to view or select items. For example when adding a user to Local Security Groups or when looking at the password history of a user, the form cannot scroll down the entire list of users.
  • The 10.7 agent fails and prevents execution on certain Java based applications.
  • Reports exported to CSV only include information of the data currently displayed in the UI and not all data records from that report.
  • Grids in reports are not properly sorting date column data.
  • The offline approval picker is not displaying parameters and computer list does not fit into page.
  • When editing an Import Directory or Import Directory Computers task, the Directory ID and the Query parameters cannot be saved.
  • Secondary file filters are ignoring items with spaces in their name and not triggering appropriate policy actions.
  • Exporting a FileParameterCollectionFilterContract does not export the underlying file resources.
  • When creating Filters for Windows systems and the user has the Verify Privilege Manager macOS Administrators role, an exception is shown.
  • Misleading counts when built-in local Admin users are backed-up by provisioned user.
  • When creating a copy of an Approval Request (with ServiceNow Request Item Number) Form action, the contents cannot be edited.
  • Security ratings reports pagination is not working correctly.
  • macOS latency in updating a VNODE structure on disk is resulting in application execution being denied.
  • Cannot add new policies with application targets and enable.
  • Selected credentials on AD foreign system cannot be edited.
  • Changing authentication providers throws an exception.
  • A Verify Privilege Manager client license count is exceeded message is displayed when it exceeds the 90% threshold and valid licenses are still available.
  • Any domain groups added as a local administrator in the LSS Computer Groups disappear after being added.
  • Creating a user context filter with a properly formatted SID that does not exist fails. A malformed SID results in an unfriendly error message.
  • Users cannot add new machines to a managed computer group.
  • For policies using a Group Member Authenticated Message Action, members in nested groups are not validated during the authentication process.
  • Users in nested groups don't get the proper application role.
  • Cross site anti-forgery token validation was using an email as a match, but the value was configured as a name.
  • The Resource Target Computer List removes previously selected items when attempting to add additional computers.
  • Verify Privilege Manager installs prior to 10.5 cannot be upgraded to 10.7.0.
  • Preferences cannot be fetched or saved by non-administrative users.
  • Agent hardening removes permissions to modify/delete Agent Services.
  • ServiceNow connector fails when upgrading Verify Privilege Manager from 10.4 to 10.7.0.
  • The Domain Users as Local Administrators and Summary of Domain Users as Local Administrators reports are timing out when run in large environments.
  • Changes to the default file inventory from the Event Discovery page are not saved.
  • UNC share policies imported from Config Feeds are not displayed under policies.
  • Application control agents installed on Windows 10 machines are not reported on the Application Control Agent Summary report.

Agent Updates

Refer to Software Downloads for the latest available agent software downloads.

Agent Version Bug Fixes
Core IBM Security Agent 10.7.2266 Rebuild with bundle to include Application Control Agent updates.
Application Control Agent 10.7.2257 Secondary file filter pre-filtering performance is causing slowness when there are large numbers of child processes launched (such as git.exe for each file).
10.7.2256 System experiencing poor performance for the Group Member Authenticated Message Action.
10.7.2239 Send SysLog ... template based tasks to send logs to server fails.
10.7.2219 Initial 10.7.1 release version.
Verify Privilege Manager macOS Agent 10.7.30 Users are locked out of their macOS device user account and unable to log in again, if the option to reopen the application on next login is enabled.
10.7.27 The download filter policy is not triggering due to invalid URL partial match logic.
Local groups on macOS without a SID prevents local user inventory from completing.
macOS agent experiences database contention when Office for macOS is installed or updated.
10.7.21 Initial 10.7.1 release version.

Known Issues

  • The macOS self-elevation feature is not supported for systems running macOS 10.11 (El Capitan). The Verify Privilege Manager Finder Extension does not work when installed on macOS 10.11. IBM Security recommends upgrading macOS endpoints to a newer version of the macOS operating system to utilize the latest feature enhancements in the Verify Privilege Manager 10.7 and newer macOS endpoint agent.
  • When installing Verify Privilege Manager on a Windows Server 2012 pointed to a DB that is running on SQL Server 2017 or above, SSDT binaries will need to be leveraged, which are only available in .NET 4.6 or above. If your Server 2012 has .NET 4.5.1, make sure to update it to the recommended .NET 4.6.1 version.