12.0.5 Release Notes

Release Schedule

Verify Privilege Manager Cloud Release Date: January 17, 2026

Windows Agent Software

Do not install agent build 12.0.4237, or any older version of the agent, on any build of Windows newer than Windows 11 24H2 (10.0.26200.x). Likewise, on any Windows 11 system running those versions of the agent, do not upgrade to Windows 11 25H2. Agent versions 12.0.4258 and newer are compatible with Windows 11 25H2.

Supported Agents

Do not enroll any Windows workstations into insider preview update channels. The operating systems builds provided via the channel are not generally available or officially supported by IBM Security. We recommend using the mainstream Windows update channel.

12.0.5289 Bundled Verify Privilege Manager Agent Installer

12.0.5289 IBM Security Agent (x64)

12.0.5289 IBM Security Agent (x86)

12.0.5289 Application Control Agent (x64)

12.0.5289 Application Control Agent (x86)

12.0.5289 Local Security Solution Agent (x64)

12.0.5289 Local Security Solution Agent (x86)

12.0.5289 Bundled Verify Privilege Manager Core and Directory Services Agent

12.0.5041 Directory Services Agent (x64)

macOS Agent

12.0.5.176 Verify Privilege Manager macOS Agent (macOS Ventura 13 and later)

Installation Notes

  • When upgrading Verify Privilege Manager to a newer version, IBM Security recommends upgrading the Directory Services agent such that both are running on the same release version.

  • Verify Privilege Manager exclusively supports operating systems (OS) that have not reached their official End of Support. For optimal performance and compatibility, it is recommended to utilize Verify Privilege Manager on a supported and actively maintained OS.

  • IBM Security recommends as a best practice to create system restore points prior to doing system changes such as patches.

    IBM Security supports the use of software versions up to a year prior to the current version. You can find previous versions of the documentation here.

  • IBM Security does not support installing or upgrading any components of the Verify Privilege Manager agent or server for Windows via winget.exe, and customers should never use winget.exe for that purpose. IBM Security recommends blocking access to https://github.com/microsoft/winget-pkgs/tree/master/manifests/d/Delinea via firewall settings or other mechanisms to ensure privileged end users cannot use winget.exe to obtain unauthorized manifests.

    IBM Security prohibits all third parties from creating & publishing manifests for the isvp-manager installation packages, for both agent and server, on any/all WinGet repositories.

    Supported Operating Systems

    Version 12.0.5 will be the last release of Verify Privilege Manager to officially support the macOS 13 Ventura operating system.

    Unix/Linux Support Lifecycle Update

    Verify Privilege Manager for Unix/Linux is marked as End of Renewal (EOR) as of August 1, 2025. This will transition to End of Life (EOL) on August 1, 2026, meaning the product will be entirely discontinued and unavailable for product support. Contract you IBM Security Account Manager to learn more about our recommended solutions for these operating systems going forward.

    Enhancements

    Identifier Release Notes
    592922 Agent updates allow a customizable One Time JIT Approval Duration field that has been added to the Application Control Agent Configuration Policy.
    617392 The users and groups full organizational unit (OU) and domain name are now included in the User Context Filter (Application Filter) for Active Directory.
    645063 Service Now approvals can now be used in macOS JIT policies.
    652205 The name of the user who executed a task within the Privilege Manager Server will now get recorded on the Task History of the task.
    660677 A new field called JIT Approval Duration has been added to the Application Control Configuration policy. This field allows customers to customize the default amount of time that a JIT policy will be applied when One Time is selected during the approval process. The system default is four hours and this will be displayed after upgrading or creating new computer groups with an active agent configuration. See Just In Time (JIT) Access.
    661642 Updated the macOS Agent to only allow one pkg file to be opened at any time. Previously, an unapproved pkg file could be elevated for installation if opened while another approved pkg was already open.
    662347

    The Agent Utility has been updated for the Mac agent. It includes the following new features:

    • The UI is completely rewritten to have new look and feel. Now it's more convenient and standardized.

    • New features compared to the legacy utility:

      Showing of the current user along with their Admin Privileges status

      Showing the current agent version and the registration status

    • Breakdown of the application policies to the categories: Application Control, Scheduled Job, Agent Configuration

    • Ability to run scheduled jobs right from the utility UI via Run, near each job policy

    • Search functionality throughout all kinds of Client Items: Policies, Actions, Commands, Filters, Provisioned Resources

    • Progress bar and detailed text output when updating polices and performing other commands via various UI controls

    See macOS Agent Utility.

    • Control Panel tab with the new controls: Display Config, Send Events, Diagnostic Logs, Export Logs.

    • Export Logs feature (Diagnostic Logs and Export Logs on the Control Panel): Implemented major simplification of collecting logs for the Mac agent. Using the system facilities, now it is possible to collect all the logs needed via two simple actions: enabling the diagnostics and performing the export of all possible Agent logs to an archive file after the troubleshooting has completed.

    663047 Enhancements have been made to the Audit Changes to Managed Groups report. The report now accurately captures and reflects audit changes for all managed groups. Additionally, a new Show All option has been introduced to the Report filter. When selected, users can view all group membership changes within the environment, extending beyond just those groups and computers governed by a management policy.
    665090 Improved labeling was implemented for the Foreign Systems configuration of the Syslog for Splunk Cloud (HEC) protocol. See Setting up a Syslog Connection.
    668262 macOS now supports the addition of path exclusions to exclude specified folder paths from all application control policy processing. See macOS Agent Configuration
    674099 From version 12.0.5, the Windows Agent is able to dynamically detect if it can correctly function against unsupported versions of Windows such as Windows Insider Developer Channel. Previously, if the Windows version exceed they expect build number, the Agent would stop functioning in order to protect any possible issue. Now the agent will dynamically check the system driver version and continue to function where possible. An updated registry configuration option has also been created. See Supported Windows Operating Systems (both 32- and 64-bit) on Systems Considered Workstations
    674620 Verify Privilege Manager file uploads will now use a RFC compliant method.
    677003 A new field, RequesterUserName, was added to the response for the /api/v1/approval/pending API call. To clarify, this field contains the requesting user's username, not necessarily their account name.
    680690 Import Items allows you to select the computer group the policy will be imported into. This is recommended when importing policies from a different environment. Ensure the policy is not imported into an incorrect computer group (e.g., do not import Windows policies into macOS computer groups and vice versa). The Change Computer Group drop-down provides options for Standard computer groups; Secured computer groups are not available. Imports will fail if the policy was exported containing domain information ( e.g., User context filters referencing domain users). In this case, you should duplicate the policy and remove domain information first.
    681172 A new report, Computer Groups Membership, is available under the Local Security section in Reports. Using the filter options, you can see the computers that make up each computer group.
    683167 A new syslog template, Send Logon Events to Syslog, sends details of Privilege Manager logins via any kind of method (e.g., Standard, Federated, Thycotic One and Secret Server). The data also displays attempted/failed logins for non-federated users and will also display whether these failures occurred because the user was locked out of the system. See Third-Party Foreign Systems Integration.
    683621 The Application User Activity report (Security section) now includes both Status and Is Locked Out columns. Verify Privilege Manager is only able to capture failed login requests from Standard user console logins. Third-party failures are handled by the provider, such as Azure manager access, although a success will be displayed. Is Locked Out is also related to the Standard users, where after nine failed attempts, the account will become locked.
    687616 When the specified registry value is present (refer to product documentation), ArelliaDisplayXamlAction.exe will use the "interactive" logon type instead of the "network" logon type when performing authenticated message actions.
    692459 Updated the macOS agent sudo policy plugin to use the latest version of Apple's open-source sudo project. The Sudoers policy plugin version has been updated to 1.9.17p2 and will continue to work with macOS sudo version's older than 1.9.17p2.

    Fixed Issues

    Identifier Release Notes
    580697 Fixed an issue where an Authorization DB policy for an application with a continue enforcing policies advanced option could have a negative effect when also using an Allow Copy to Applications policy. The DMG could be copied without the user being prompted with the appropriate HTML action if assigned to the policy.
    580697 For the macOS agent, an issue was fixed where it was possible to copy an application to the Applications folder or the Trash Bin without the use of the Allow Copy to /Applications/ Directory action as a standard user. Going forward, to allow users to copy applications to these locations with silent elevation, you must also add the Allow Copy to /Applications/ Directory action to elevate this operation, otherwise standard users will be prompted for administrator credentials.
    582910 Fixed an issue where a link to the Antivirus Exclusions topic in a UI banner was broken.
    626385 Previously, when using an elevation policy targeting SystemSettingsAdminFlows.exe (Reset PC option) that included either a XAML or HTML action, elevation did not function correctly. This issue has now been resolved.
    637121 Resolved an issue with the Endpoint Group Member Authenticated Approvals report. The report now only correctly displays policies using Endpoint Group Member Approval Action (Application Action) Action. Previously, all Approval types were being displayed, although with information missing. The report description has also been updated to provide a more informative message.
    641559 An issue was addressed to correctly display both Windows server 2022 and 2025 data center additions under the appropriate operating system definitions of agents.
    655692 Updated the macOS Agent Utility, so that when the Agent Utility help option is selected, the IBM Security documentation will open the Agents on macOS Systems topic.
    660317 The Purge Maintenance - Application Control Events task now ensures events are correctly removed when using servers based in different time zones.
    661462 Updated the macOS agent to only allow one .pkg file to be opened at any time. Previously, an unapproved .pkg file could be elevated for installation if opened while another approved .pkg was already open.
    663047 Enhancements have been made to the Audit Changes to Managed Groups report. The report now accurately captures and reflects audit changes for all managed groups. Additionally, a new Show All option has been introduced to the Report Filter. When selected, users can view all group membership changes within the environment, extending beyond just those groups and computers governed by a management policy.
    663798 More than 13 Security Groups are now supported when importing Azure AD users and groups.
    664452 Improved the elevation cache clearing for the macOS agent to ensure pkgs can not be elevated when policies have been disabled.
    665291 Improvements have been made to the macOS agent to standardize the naming convention when sending hostname\username approval requests to the Privilege Manager Server. Previously, approval requests would occasionally include only the username, omitting the hostname.
    665787 The prior webhook functionality for approval events has been restored for most approval processes. To prevent duplicate requests, approval processes that inherently target foreign systems (e.g., ServiceNow) will not trigger custom webhooks. Those approvals that target foreign systems will continue to work normally if they're properly configured in the foreign systems area.
    670109 Previously, if a user attempted to re-open an app while awaiting approval, a read-only approval modal was displayed. However, an issue occurred where, after receiving the approval notification and launching the app from it, the read-only modal could not be closed. This has now been resolved. When a user selects any action from the approval notification, the read-only modal will close automatically.
    675478 Fixed an issue where a change made in a previous bug fix to the Group Management screen created a regression in the enhancements to Group Management from 12.0.4 where an entry for a user was not respecting the setting in the All Other Users and Groups catch-all rule.
    676723 An update was made to the macOS agent to resolve an issue with focus being stolen from applications due to the macOS agent security helper.
    677183 Fixed how the macOS agent handles the SecurityAgentHelper process, which loads the Mac agent's AuthPlugin, which has been seen to prevent all the processes that are dependent on the Mac agent authorization logic to proceed further.
    688947 Updates now that the final syslog entry in a TCP stream ends with \n or \r\n before socket termination, in order to conform to RFC expectations and ensure easier parsing.