12.0.0 Release Notes

Release Schedule

Privilege Manager Cloud Release – March 30, 2024

Privilege Manager On-Premise Release – June 25, 2024

Windows Agent Software

12.0.1016 Bundles Privilege Manager Agent Installer

12.0.1016 Core Thycotic Agent (x64)

12.0.1016 Core Thycotic Agent (x86)

12.0.1016 Application Control Agent (x64)

12.0.1016 Application Control Agent (x86)

12.0.1016 Local Security Solution Agent (x64)

12.0.1016 Local Security Solution Agent (x86)

12.0.1016 Bundled Privilege Manager Core and Directory Services Agent

12.0.1002 Directory Services Agent (x64)

macOS Agent

12.0.0.058 Privilege Manager macOS Agent (Catalina and later)

When upgrading Verify Privilege Manager to a newer version, IBM Security recommends upgrading the Directory Services agent so that both are running on the same release version.

Verify Privilege Manager exclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, it is recommended to run Verify Privilege Manager on a supported and actively maintained OS.

IBM Security recommends as a best practice to create system restore points prior to making system changes such as patches.

IBM Security supports the use of software versions up to a year prior to the current version. Links to prior versions, and to the PDF documentation for them, are found on Links to Previous Versions.

Stability and Reliability Improvements

As part of our continuous efforts to enhance our software, we are pleased to introduce key improvements in the stability and reliability of the Verify Privilege Manager in our latest release. These updates significantly contribute to a more stable and reliable experience for all our users.

Scheduled Agent Jobs Optimization

Improvement Detail: Users may notice refined scheduling of Verify Privilege Manager's scheduled agent jobs. These changes aim to boost the system's overall reliability and performance. The change was applied to a subset of customer environments initially, and is now rolled out to all environments with the 12.0.0 release.

New Policy Introduction: The Task Scheduler - Ensure Randomness policy has been integrated to improve how agents execute scheduled jobs. It ensures adherence to the random delays predefined in those jobs, enhancing task execution efficiency.

Certificate Validation for SSPM Agents

For both the Windows Agent and macOS Agent, validate server certificate is turned off by default. However, if your server domain includes one of the following suffixes, validate server certificate is automatically turned on and the server certificate is validated:

  • .privilegemanagercloud.com

  • .privilegemanagercloud.eu

  • .privilegemanagercloud.com.au

  • .privilegemanagercloud.com.sg

  • .privilegemanagercloud.ca

To force this setting to be enabled for use with an on-premise Verify Privilege Manager server via MDM deployment of the agent, refer to the documentation:

Installing Windows Agents

Installing macOS Agents
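An added example (not IBM's agent code) of how an administrator can audit an agent inventory against the rule above: validation is off by default, switched on automatically for the listed cloud suffixes, and forced on for on-premise servers through MDM. The suffix list is from these notes; the label-boundary suffix match, the `forced_on` flag and the sample inventory are assumptions for this illustration.

```python
"""Audit which agents will validate the Privilege Manager server certificate."""
from urllib.parse import urlsplit

# Suffixes from the release notes for which validation is turned on automatically.
CLOUD_SUFFIXES = (
    ".privilegemanagercloud.com",
    ".privilegemanagercloud.eu",
    ".privilegemanagercloud.com.au",
    ".privilegemanagercloud.com.sg",
    ".privilegemanagercloud.ca",
)


def server_host(server_url: str) -> str:
    """Extract the lower-cased host name from an agent's server URL."""
    parts = urlsplit(server_url if "://" in server_url else "https://" + server_url)
    return (parts.hostname or "").lower().rstrip(".")


def is_cloud_host(host: str) -> bool:
    """True only when HOST ends with a cloud suffix on a DNS label boundary.

    Assumption: a suffix match, not a substring test, so a name such as
    'privilegemanagercloud.com.example.net' does not count as cloud.
    """
    return any(host.endswith(suffix) for suffix in CLOUD_SUFFIXES)


def effective_validation(server_url: str, forced_on: bool = False) -> bool:
    """Effective 'validate server certificate' value for one agent.

    forced_on models the setting pushed via MDM for on-premise servers
    (an assumption about how that override is represented).
    """
    return forced_on or is_cloud_host(server_host(server_url))


def audit(agents: dict, forced: dict = None) -> list:
    """Names of agents whose server certificate will NOT be validated."""
    forced = forced or {}
    return [name for name, url in agents.items()
            if not effective_validation(url, forced.get(name, False))]


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = {
        "laptop-01": "https://acme.privilegemanagercloud.com/TMS",
        "server-01": "https://pm.corp.example/TMS",   # on-premise, no override
        "server-02": "https://pm.corp.example/TMS",   # on-premise, forced via MDM
        "lookalike": "https://privilegemanagercloud.com.example.net/TMS",
    }
    for name in audit(sample, {"server-02": True}):
        print(f"{name}: server certificate is NOT validated")
```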

Using regex with Group Memberships

Since 11.4.3, the local group membership controls accept regex (preferred) or wildcard values, and you must use specific and restrictive expressions. We cannot guarantee that your expression will never include an unintended user. Validate the expression yourself with one of the many online regex testers, and check group members regularly.

Jamf Pro Classic API: Basic Authentication Removal

Jamf has announced that the Classic API will no longer be enabled by default for new Jamf Pro instances for enhanced security. Support for Basic authentication is scheduled to be removed on March 31, 2024.

Beginning with Verify Privilege Manager 12.0, IBM Security supports the Jamf Bearer Token Authentication method.

This requires updating the Privilege Manager credential that is used to connect to Jamf Pro. The instructions for this can be found in Creating a Verify Privilege Manager Credential.

Service Process Update for LSA Privileges

The Thycotic Application Control service is no longer configured to use a virtual service account; it is now configured to run as NT AUTHORITY\SYSTEM (local system) again.

A different mechanism is now used to ensure that the service process has all of the Local Security Authority (LSA) privileges required for it to function properly. LSA privileges do not need to be explicitly granted for the service to run properly, and there is no need for GPOs (Group Policy Objects) to be created or modified as part of deploying the agent.

macOS 10.15 Catalina Support

Verify Privilege Manager version 12.0.0 is the last version of the Mac agent to support macOS 10.15 Catalina, for which Apple has not released a security update since July 2022. Going forward, Verify Privilege Manager will follow the common practice of supporting those OS versions that Apple itself supports with security updates, namely, the current and two previous versions of macOS. (We anticipate discontinuing support for macOS 11 Big Sur when we implement support for the next release of macOS in late 2024.) We encourage our users to upgrade to a supported version of macOS to continue receiving the latest features and security updates.

Software like Verify Privilege Manager is more closely coupled to the lower-level macOS frameworks than other applications; in particular, the security frameworks show a faster pace of evolution as Apple continues to update macOS. Adopting this support policy enables us to better follow Apple’s guidance by using the latest and most secure technologies, rather than relying on outdated or even deprecated frameworks. In this way, we can provide our customers with a better user experience and improved application functionality.

Enhancements

  • A new Microsoft Entra ID Authentication action enables single or multi-factor authentication for Windows and macOS, using Microsoft Entra ID. Refer to Microsoft Entra ID Authentication.

  • The default schedules for out-of-the-box policies have been updated to help alleviate sudden spikes of traffic to the server.

  • When creating a new Email Approval Process task, the UI has been changed slightly to allow the URL to be included in the task's XML, without having to save the task first.

  • Creating a new agent configuration for a macOS Computer Group now allows you to define a unique secure token credential for that group. Previously, only a single credential could be defined that would be shared by all configurations.

  • Improvements to the Managed Group UI increase the speed and reliability of the information displayed. IBM Security recommends adding built-in users to the managed group using the Local Users option only.

  • The Policy Name field is editable in the policy view, so users no longer have to use the Rename option.

  • The message informing users that there is too much data in a report to export to a PDF has been enhanced.

  • Active Directory sync performance has been enhanced to limit the frequency of the full AD import to once every 24 hours. Also, a new facility allows customers to enter only the names of the AD Groups that need to be imported. IBM Security recommends that customers import only the resources they actually require, which the new Groups functionality allows.

  • A new task has been created to remove resources, based on the last modified date. The resources available to be deleted are Computers, Files, Domain Users and Domain Groups. The job is accessed via the Resources folder. Refer to Resource Cleanup.

  • Two reports, available in Application Control, provide details of the policies and policy filters configured in a Computer Group. Refer to Policy Modifications Reports.

  • A new Skip To link has been added to the top of the left-hand navigation panel for accessibility purposes. In the absence of keyboard focus, pressing Tab gives users the option to shift the focus to the main area of the screen, or remain in the navigation panel.

  • A new feature for Export is available on the Application Policies page, allowing the selection of multiple policies that can be exported to a ZIP file and imported elsewhere. See Exporting Policies.

Bug Fixes

  • An issue with exporting and importing hash based filters has been fixed.

  • The All Unclassified Applications filter is not easily maintained and largely unused. It will be deleted during upgrade, unless it's being actively used in a policy.

  • The Summary of Application Approvals and Denials report and its drill-down have been fixed to improve performance and should no longer show duplicate rows.

  • Fixed an issue where users and groups with a space in the account name (not display name) were not being imported properly.

  • This release fixes performance issues from high SQL worker utilization caused by stored procedures that run as part of the collection and resource targeting updates.

  • The Command Line Approval Request Action was updated to be included as part of the macOS actions, along with removing redundant text.

  • An issue was resolved where copying a JIT policy and making any edits to the policy would result in the Action of the policy being changed from JIT Elevation to something else (e.g., Block, or Elevate). Now, all policies with a JIT Action will display JIT Elevation when they are edited.

  • The banner "Attention: There are 2 or more critical alerts that require action" can now be closed when clicked.

  • An update increases the time the agent waits before retrying the registration of an invalid agent.

Agent Specific

Windows

  • A problem was fixed where the Restrict File dialogs action was not detecting the display of an Open/Save file dialog in Microsoft Office applications such as Excel. Another problem was fixed where context menus could be erroneously re-enabled in a file Save As dialog, even though the Restrict File dialogs action had been applied to it.

  • A problem where enforcement of a managed group policy for the BUILTIN\Administrators group would fail under a specific set of conditions based on how the policy was configured has been resolved. Now, when those conditions are encountered, the operation is performed successfully after some internal corrective action is taken by the client-side code in the agent.

  • A legacy component, no longer required to be present in the agent, was causing some applications to fail to run properly in rare situations, when a shell execute operation was performed. The legacy component has been removed to prevent the problem from occurring in the future.

  • An update was made to the token elevation code to ensure that all groups related to full or partial administrative rights are now fully enabled when an elevated token is assigned to a process via an elevation policy. Previously, groups such as Domain Admins were being left disabled, even though BUILTIN\Administrators was being added to the token during elevation. The failure to properly re-enable disabled groups could result in an elevated process still failing access checks or failing to perform certain administrative operations.

  • An issue was resolved where the Privilege Manager agent was unnecessarily applying a certificate filter to a secondary file, which in some cases could cause performance issues and cause files to be locked, specifically when opening large database files in MS Access.

macOS

  • Addressed an issue where the Mac agent would sometimes try to register with an invalid agent ID (all zeroes). When installing the upgrade on agents in this state, it will be necessary to re-enter the install code.

  • The macOS Agent now correctly elevates .pkg policies when a white space exists in the .pkg name.

Known Issues

  • Adding a Local Users (Regex) definition that includes built-in users to a managed group results in each built-in user being displayed on its own line in the Members table rather than on the Regex line.

  • Adding a manual users definition that matches a built-in user to a managed group results in two lines being displayed for the same user. This is simply resolved by removing the named-user line and keeping the built-in user line.