10.8.2 Release Notes

December 2nd, 2020:

Enhancements

Enhancements available with the 10.8.2 release of Verify Privilege Manager. Enhancements are for both versions, On-premises and Cloud, unless otherwise outlined under a specific On-prem or Cloud subtopic.

• Added CorrelationID support to Server Logs.
• Added Complex Password Policy enforcement for Verify Privilege Manager users.
• Added API Client User logout option via delete method on API Authentication endpoint.
• Added Visual Studio Installer Elevation example policy and filters to configuration feeds.

Security

• Added Process Hollowing prevention for elevated applications. The 10.8.2 Verify Privilege Manager agent adds memory checks for all processes that are elevated via Verify Privilege Manager.
• Return of generic "Invalid username or password" messages.
• Unknown code fallback to generic error message, such as "unable to login".
• Generic HTTP response messages.
• Removed ASP.Net MVC Default HTTP Headers information.
• Updated jQuery to latest version.
• Updated Handlebars to latest version.
• Verify Privilege Manager Cloud server side enforcement of TLS 1.2. On-premises instances can be configured to enforce TLS 1.2 at the OS level.

macOS

• In support of Apple's Catalina and Big Sur macOS System Extension based security enhancements, a Installing macOS Agents is made available.
• New Just-in-Time (JIT) Group Membership action for elevation/approval policies.
• Added elevation support for move to trash bin when standard user is deleting from /Applications directory.
• Modified policy with Allow Package Installation action workflow behavior for .pkg installs on macOS endpoints.
• The AdjustEffectiveProcessRightsContract action has been deprecated for endpoints running macOS Big Sur. The Run as Root action has to be used in policies instead.
• Added SUDO Plugin for elevating from command line. Refer to Sudo Plugin. Policies that previously just elevated a process no longer work and the elevation has to be run via sudo instead.
• Added All macOS Big Sur Computers Filter, with membership defined as any macOS Big Sur endpoint having an agent installed and registered.
• The default policy Retry errored TMS Events - Catalina (macOS) has been renamed to Retry errored TMS Events - Catalina and later (macOS).
• The default policy Retry errored TMS Events - Catalina and later (macOS) Computer Groups Targeted property has been changed to All macOS Catalina and Later Computers with Application Control Agent Installed (Target).

Agent Pertaining to Big Sur and Catalina

There are several features available with the KEXT version of the agent which are deprecated in the SYSEX version. There are others that are supported, but may require a change to policy configuration and/or user workflows.

Deprecated

• Allow Self-Elevate via Finder Extension – This feature provided the limited ability to right-click an application and have it run elevated. Depending on the application and how it was implemented, this may have had limited success for end-users.
• Run as Root applied to application bundles – This feature provided the limited ability to have an application bundle run elevated when it was launched via Finder. Depending on the application and how it was implemented, this may have had limited success for end-users.
• Run as Custom User, Run as Print Admin User – These Adjust Effective Process Rights actions are deprecated.

Supported, but may require workflow changes

• Run as Root applied to command-line binaries – If you have policies that elevate specific command-line binaries (e.g. systemsetup), you will need to inform your end-users that they should now precede these commands with sudo. This takes advantage of the new sudo plugin feature for elevating command-line binaries.* Endpoint Security system extension (SYSEX) replacing most functionality previously provided by the Kernel Extension (KEXT).

Bug Fixes

• The KEXT and SYSEX flavors of the macOS agent can experience high memory utilization during File Inventory.
• The 10.8.1 based Policy Events page does not always load correctly.
• Users removed from a Security Group in AD still show as members of the AD group inside Verify Privilege Manager.
• Logging out does not invalidate the session/cookies that may have been previously stored/cached during a valid logon session.
• Changing the API Client User secret after token issuance, does not force an authorization error and logout.
• Approval reports don't provide drill-down details when accessed.
• X-Powered-By information returned in 301 and 400 http responses.
• Provide detailed DB error messages in log file only.
• Provide detailed error message via log file only.
• The Administrators group is showing up twice when viewing the Group Policies section.
• License counts are not correctly reflected per OS.
• Intermittent failure on approval requests.
• Saving Excel and Word files on SharePoint, MS Query, and Excel print issues due to Application Control Service

Known Issues

• The combined installer released with Verify Privilege Vault 10.9.000005/32 does not contain a NuGet folder as provided with previous combined installers. Customers can use the download resource link provided via the Software Downloads topic to download the Verify Privilege Manager Application Files for use with their manual and/or offline installs/upgrades. Refer to Manual Installation - Installing as a Virtual Directory for details.
• User and group inventory may not reflect proper group membership the first time it runs on the endpoints. Subsequent runs will finish processing that information and will be accurate.
• With the Safari Browser, the behavior for default selection on drop-down menus might vary from other browsers.

macOS Specific

• On endpoints using OneDrive, GoogleDrive, DropBox, or similar extensions, the endpoint will take about 2 min to correctly initialize the Finder Extension functionality after enabling the extension or after the upgrade to 10.8 with an enabled extension.

• If you have a policy allowing management of the /Applications folder via the Copy Install Application filter, deleting multiple applications from the /Applications folder will result in a dialog prompting for administrator credentials. The workaround is to have your end-users delete applications one at a time.

• If you have enabled the Elevate Verify Privilege Manager Agent Preference Pane (Sample) policy to elevate the Agent preference pane and you wish to target Big Sur, you will need to duplicate it and change the File Names to:

  legacyLoader;legacyLoader-x86_64

• If you have already duplicated the Elevate Verify Privilege Manager Agent Preference Pane (Sample) policy to elevate the Agent preference pane and you wish to target Big Sur, you will need to change the File Names to:

  legacyLoader;legacyLoader-x86_64