IBM Support

IBM Security Secret Server fix pack 10.7-ISS-SS-10.7.000059-PM-10.7

Fix Readme


Abstract

The fix pack for IBM Security Secret Server 10.7 contains enhancements or fixes for issues.

Content

Upgrade notes

  • Fixed an issue with Legacy SAML. You are encouraged to migrate to Secret Server’s updated SAML if you are still using the Legacy version. See the SAML 2.0 Configuration Guide.
  • This release launches a new web password filler. To update your web password filler extension, go to the extension download site for your browser and platform.
  • If you have multi-node environments that use Advanced Session Recording, you must update all ASR agents after your Secret Server upgrade to take advantage of the RabbitMQ failover updates in this release. Updating is recommended, but current functionality is not affected if you do not. See the RMQ Failover section and the Secret Server Advanced Session-Recording Agent Installation KBA.
  • You will be directed to the dashboard Overview tab for your first login after upgrading.

Download

Download | Release Date | Size (bytes) | Download Options
10.7-ISS-SS-10.7.000059-PM-10.7 | 7 Jan 2020 | 336,681,795 | FC

What's new

Data Retention

Secret Server now allows administrators to permanently delete audit records for tables that either contain Personally Identifiable Information (PII) or can grow large in enterprise environments. To configure these settings, admins need to add the permission “Administer Data Retention” to the user’s role; the user can then navigate to Admin > Data Retention. See the “Data Retention” section in the Secret Server Administration Guide.

Manual Rolling Upgrades

A new “Manual Rolling Upgrade” feature is available when upgrading from Secret Server version 10.7.000059 or later. Using this process, clients that use clustered web nodes with a load balancer can experience little-to-no downtime during the upgrade process. However, this process requires an administrator to perform some manual steps with Web node and database access. See the Minimizing Upgrade Downtime KBA.

RMQ Failover

Updated Secret Server to support durable exchanges for RabbitMQ (RMQ). This allows clustered site connectors to fail over without impacting Secret Server processing. Distributed engines will auto-update after the Secret Server upgrade to also support durable exchanges through RMQ.

Note: Older Advanced Session Recording Agents (ASRA) can be used with this version of Secret Server but ASRAs will not benefit from this change to failover handling. To include failover capability for ASRA an updated agent must be deployed. See the Secret Server Advanced Session-Recording Agent Installation KBA.

Technical Details: The ExchangeDeclare logic in MessageQueue client was altered to attempt to create durable exchanges with logging. A durable exchange is automatically re-created if RabbitMQ restarts for any reason. Non-durable exchanges disappear when RMQ goes down and can only be re-created by some external action. If the new logic detects that creating the durable queue failed, it will log an error and attempt to create a non-durable queue.

Time-Based One-Time Passwords (TOTP)

Added a feature where Secret Server can now generate time-based one-time passwords (TOTP) for web secrets. This allows users to implement TOTP on shared secrets. Configuring secrets for TOTP begins at the secret template level. See the Secret Server Administration Guide.

Truncated Log Data

Added the ability to truncate table logs for several types of data that log to the “Status Message” table. These messages can contribute to excessive log data and slow performance. The option to truncate each message type is called “Days to Keep Operational Logs” and is under the “Advanced” sections on the following list of configuration pages. Minimum message retention time is one day and the default is 30 days. The logs include:

  • AdminDiscovery.aspx (Admin > Discovery)

  • AdminSearchIndexer.aspx (Admin > Search Indexer)

  • ConfigurationActiveDirectory.aspx (Admin > Active Directory)

  • ConfigurationPasswordChanging.aspx (Admin > Remote Password Changing)

  • ConfigurationSshProxy.aspx (Admin > SSH Proxy)

  • ConnectWiseConfiguration.aspx (Admin > Folder Sync) Setting only available when using the “Database” Folder Synchronization Method on this page.

Go to the Secret Server Administration Guide and search for “Days to Keep Operational Logs” to see all the locations where this can be configured.

Technical details: A background task was added that scans the status message table every 12 hours and checks the status messages against configured values for how long they must be retained. These configured values were added to applicable UI pages.

Web Browser Extensions

The Web browser extensions for Secret Server have a new look and feel and now have added browser and site support. These new extensions are available for:

  • Google Chrome

  • Mozilla Firefox

These features from the old browser extensions are improved to allow more flexibility:

  • Create secrets

  • Select secret template

  • Generate complex password

Users can now authenticate to Secret Server directly from the Web extension, including support for 2FA options, such as DUO. Log in via Secret Server is also available for users with single sign-on, SAML, or other multi-factor authentication mechanisms. Web extensions automatically identify manual entry of new credentials in a Web page and offer to save the credentials as a secret. There is also improved support for sites that use multi-page login mechanisms.

See the Web Password Filler section of the Secret Server Administration Guide for more information.

Enhancements

This release includes enhancements for the following components:

Privilege Manager

Enhancements available with the 10.7 On-premises release of Privilege Manager:

  • Security Manager migration support added. The migration path to the latest Local Security implementation provides an analysis report of issues like missing account credentials, or accounts that are not unique across targets, which can then be remediated before the migration.
  • Change History auditing is available for resource items providing information on who initiated the change, at what date and time, and what type of change was made.
  • The Remove Programs Utility in previous versions available via Configuration Feeds has been fully integrated with Privilege Manager Server and the Agents installation packages. The functionality has been expanded to also include Windows 10 App Store applications.
  • Export and import of policies – including all dependent filter, action, and user context type items.
  • New Reset Licensing task added.
  • Support filtering on the subject name of a signed digital certificate allowing for much more generic certificate management.
  • Dependency checks added to Privilege Manager for:
  • Agents Enhancements:
  • Support for configurable session and inactivity timeouts added.
  • Allow right-click as a Thycotic Admin for .msu and .msc files.
  • ServiceNow ticket request numbers are displayed within Privilege Manager’s prompts.
  • Restrict access rights of File-Open dialogs that are launched from elevated processes.
  • Domain User support in User Context Filters.
  • When choosing a resource target, if an OU (Organizational Unit) is synced, the UI will display the computer and site names in their proper hierarchical structure.
  • When choosing a domain user for a Role, the picker now shows the domain and group membership of that user.
  • Ability to bypass policy inspection during endpoint boot-up time in order to not affect boot-up time.
  • Performance improvements during agent registration.
  • Admin controlled list of extensions that are excluded from agent hashing.
  • Application’s friendly name displayed in approval workflow prompts.
  • The default log size can be set using configuration settings in the administrative policies tab.
  • The default permissions on the Application Control Agent Configuration Policies have been updated as follows:
    • TMS Admins and Windows Admins have read/write to the Application Control Agent Configuration Policy (Windows)
    • TMS Admins and Mac Admins have read/write to the Application Control Agent Configuration Policy (MacOS)
    • TMS Admins, Windows Admins, and Mac Admins have Read/Create/Revoke access to Install codes
  • MacOS specific features:
    • Target specific commands on macOS using wildcards (starts with, ends with, contains) and regular expressions.
    • Secure Token support.
    • MacOS discovery settings are more readily accessible on the discovery configuration page.
    • PKG files can now directly be uploaded within the Privilege Manager UI, alleviating the need to first perform file inventory of those applications on the endpoints. The application policy manager has added ability to inventory a PKG file to allow building of policies prior to the discovery of the package.
    • MacOS Catalina support.

Secret Server

Advanced Session Recording

Added a new setting to disable keystroke data from advanced session recording metadata. The new setting is called “Default Keystroke Recording Configuration” and can be configured under Admin > Configuration > Session Recording > Configure Advanced Session Recording. Click Collection name to edit individual collection settings or agent settings. By default, advanced session recording keystrokes are enabled. See the Secret Server Administration Guide.

Database SQL Indexes

Added new SQL indexes for the following areas:

  • Column LauncherSessionGuid on the Launcher Session Video (tbLauncherSessionVideoSegment)
  • Event Queue Monitor (tbEventQueue)
  • Expired Secret Monitor (tbSecretDependency table)
  • Folders (tbFolder, tbFolderGroupPermissions)
  • General Navigation (tbUserSession)
  • Launcher Activities (tbSecretSession)
  • Log In (tbUser)
  • Node Activation Check (tbNodeLicenseActivation)
  • Secret Log table (tbSecretLog)
  • System Reports (tbAuditUser, tbAuditSecret)

Discovery

Added messaging for when computer or dependency scans do not run due to having no scanners configured for a discovery source.

Distributed Engine Offline Status

Updated the definition of distributed engines’ offline status to be the configured heartbeat interval times three. For instance, if your heartbeat interval is configured at 5 minutes, the engine will report offline if Secret Server and the engine do not successfully communicate within a 15-minute time period. Engine online and offline states were also added to subscription actions to allow notification to admins when engine states change. See the Event Subscriptions section in the Secret Server Administration Guide.

Licensing

A second distributed engine is now available, by default, for the local site.

New User Interface

  • Redesigned the Admin landing space. Click Admin > “See All” to explore the new layout.

  • Redesigned DoubleLock. See the DoubleLock section in the Secret Server Administration Guide.

  • Added new “Recent Activity” section to the Home dashboard page to display recent activity at a glance.

  • Updated the Security Hardening tab in the Reports page.

  • Updated the IP Address Management pages under Admin.

  • Added custom logos. Added custom “full-sized” and “collapsed” logos for the new UI in Admin > Configuration in the User Interface section.

  • Added dark mode theme option in the new UI. To change theme mode preferences, go to Account Settings > Color Mode. Options include Light Mode, Dark Mode, or Default (mode will update based on user’s OS color mode settings).

  • Added a new setting to configure the inactivity time before the new UI goes into dark screen “sleep mode.” To configure go to Admin > Configuration > User Experience > UI Inactivity Timeout.

  • Converted the Groups page to the new UI.

  • Updated error messaging in the new UI to display folder synchronization and deletion errors.

  • Updated the date picker to allow for future start dates and time selection without first adjusting the end date when requesting secret access. End dates are automatically adjusted to align with the start date +1 hour.

  • Updated grid downloads in the new UI to download according to new options. User options now include choices to download all data or specific rows of data, and specify date format. You can also choose time zone options of UTC, server time zones, or the local browser time zones.

    Note: for downloaded reports users’ time zone options are limited to UTC or the server time zone.

  • Updated behavior of new UI so that clicking the “Select All” check box at the top of a secret grid selects all rows. Previously the check box selected only the items currently loaded on the page.

  • Added the “View Audit” button to the reports page of new UI.

  • Added the “Upgrade Available” banner to display in the new UI.

  • Added the ability to drag-and-drop child folders into the root folder. Folders will automatically re-order alphabetically in the left navigation pane.

    Note: This action is only allowed if users have the “Create root folder” permission and own folders that they are attempting to move.

  • Added folders to the “Shared With Me” page.

  • Added new inbox notifications including “getting started” notifications for new installs and administrator alerts when an instance is close to hitting licensing limits.

  • Added the ability to mark Inbox notifications as read or unread for most notification types.

  • Added the ability to browse by folder name using the URL format [SecretServerURL]/SecretServer/app/#/lookup?folderPath=[FolderName]. If multiple folders exist with the same name, this URL search schema only directs users to the first folder listed within the left navigation pane.

  • Updated Favorite star icons to remain in column view when the Name column is resized.

  • Expanded file-size allowance on file uploads. File uploads can now be up to 10 MB.

  • Grid results updated to auto-load 30 results instead of 15.

Remote Password Changing upon Regex-Defined Error

Added a new regex setting to automatically retry a remote password change (RPC) with a regenerated password if the original RPC failed due to a specific type of error.

Go to Admin > Remote Password Changing, click Advanced under the Configure Password Changers section. The new setting is Attempt Password Change with new password when error contains (regex). Edit it to provide the regex failure code that will trigger the automatic next password RPC. See the Secret Server Administration Guide.

Reports

  • Updated several reports to no longer show deleted secrets.
  • A new out-of-the-box report called “Secret Templates without an expiration field” was added to display any secret templates that have a password field but do not have an expiration field set.

Secret Template Import and Export

Updated secret template settings for importation and exportation to include:

  • Is Required?

  • Edit Requires

  • Hide on View

  • Secret template icon

  • Keep Secret Name History

  • Validate Password Requirements on Create/Edit

  • Field Slug Name

  • Type Description

  • One Time Password settings

The secret template settings that do not transfer include:

  • Launcher settings

  • Password changing settings

  • Session recording enabled

  • Associated secrets

See the Can I import or export data between Secret Servers? KBA for more information.

SSH Proxy

  • Updated “connect as” to accept key-based SSH authentication without also requiring a manual password.

  • For SSH proxy sessions, added the option set:

    • Only record keystrokes
    • Only record video for sessions.

    By default new installs will only record keystrokes on SSH proxy sessions to preserve disk space. To configure this setting go to Admin > Configuration > Session Recording tab > SS Proxy Session Recording. Edit the SSH Proxy Session Recording Options list. The options include:

    • Record keystrokes and video

    • Record keystrokes only

    • Record video only

    • Do not record

See the Session Recording section in the Secret Server Administration Guide.

Verbose Logging

Added Verbose Logging for:

  • AWS password changers
  • AWS discovery scanner
  • ComPlus dependency scanner
  • PowerShell discovery scanner
  • Flat file discovery scanner
  • ODBC discovery scanner
  • SSH discovery scanner
  • ESX discovery scanner

Terminal

  • Added terminal instructions for how to view SSH proxy credentials in the new UI under Secret Options > Show SSH Terminal Details.
  • Removed restrictions from the allowed number of concurrent logins for SSH terminal. Previously, terminal logins were tied to the “Maximum concurrent logins per user” setting that establishes this number for UI-based users.
  • Added Unicode support for SSH command menu items (names and descriptions).
  • Added “clear” command to terminal.

Unique Field Slug IDs

Added a new “Unique Field Slug” ID column for secret templates to allow users to create secrets with duplicate field names without compromising the ability to target each field name with a unique identifier for API calls. See the Secret Template Field Types section in the Secret Server Administration Guide.

User Variables for Scripting

Added the following user-based script variables to be used in API calls as arguments:

  • $SECRETSERVERUSERID

  • $SECRETSERVERUSERNAME

  • $SECRETSERVERDISPLAYNAME

  • $SECRETSERVEREMAILADDRESS

For example, when a specific user runs a check-out hook, the hook can pass that user’s email, ID, username, or display name as a parameter into the script, so that check-out hooks and related AD functionality in Secret Server can be used through the API. See the “Checkout Hooks” section in the Secret Server Administration Guide.

API and Scripting

API General

  • Added a setting that allows users with view permission on a secret to get the secret’s “autoChangeNextPassword” field in the API. This setting is enabled under Admin > Configuration > Permission Options. Set Allow View User To Retrieve Auto-Change Next Password to Yes.
  • Fixed an issue with /api/v1/secret-templates/{id} so that a user with AddSecret and global template permissions is allowed to call the service. Before this fix, the AddSecret user was required to have specific access to a template.

New API Calls

  • Get one time password code and seconds: GET /one-time-password-code/{id}

  • Search secrets by URL: POST /secret-extensions/search-by-url

  • Get AutoFill values for URL by secret ID: POST /secret-extensions/autofill-values

  • Update secret field: PUT /secrets/{id}/fields/{slug}

  • Update secret: PUT /secrets/{id}/restricted

  • Get SSH Terminal details: POST /secrets/sshterminal

  • Get extended regex values by secret: GET /extended-fields/regex/{secretId}

Removed API Calls

  • Search app clients: GET /app-clients

Integrations

Performance Improvements

  • Added server-side paging to reports in the new UI to address performance issues when attempting to load reports with large numbers of records.

  • The new user interface will no longer load the subfolders if a parent folder has more than 30 subfolders within it on the grid page. Instead, a folder picker will display above the folder’s secrets that will allow users to select a specific subfolder.

  • Applied enhanced SQL querying logic on the groups pages so that environments with large groups no longer experience page timeouts when processing group data.

  • Improved the shutdown performance in distributed engine.

  • Removed the welcome widget from the dashboard on the classic UI due to page load issues in large environments.

  • Enhanced SQL query for the unlimited admin report to improve performance for large environments.

  • Added a new “use database paging” setting for the custom reports page. Database paging allows the database to load large reports more quickly. We recommend database paging if the query is expected to pull large amounts of data for the report. Implementing database paging may not work if the SQL query uses some keywords, including TOP, OPTION, INSERT, UNION, WITH, or aliases containing the word FROM.

    Example queries:

    • Works using database paging: SELECT * FROM tbSecret WHERE NAME LIKE 'Test%'

    • Does not work using database paging: SELECT TOP 10 * FROM tbSecret WHERE SecretName LIKE 'Test%'
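
A pre-flight check for custom report SQL, built from the keyword list above, as an added example (not Secret Server code). `paging_blockers` is a hypothetical helper, every query other than the two quoted above is constructed, and the check is a heuristic: aliases written without AS are not detected.

```python
import re

# Keywords the release notes name as incompatible with database paging.
# The notes say "including", so treat this list as a minimum.
BLOCKING_KEYWORDS = {"TOP", "OPTION", "INSERT", "UNION", "WITH"}

# Tokenise in one pass so that keywords inside comments or string
# literals are never mistaken for SQL keywords.
_TOKEN = re.compile(
    r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)     # line and block comments
  | (?P<string>'(?:[^']|'')*')          # 'literal' with '' escapes
  | (?P<quoted>\[[^\]]*\]|"[^"]*")      # [bracketed] or "quoted" identifier
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or bare identifier
  | (?P<other>.)                        # punctuation, digits, whitespace
    """,
    re.VERBOSE | re.DOTALL,
)


def paging_blockers(sql):
    """Return the reasons a report query may not work with database paging.

    An empty list means none of the listed keywords (and no AS alias
    containing FROM) was found.
    """
    findings = []
    prev_word = None
    for match in _TOKEN.finditer(sql):
        kind, text = match.lastgroup, match.group()
        # Comments and whitespace never separate AS from its alias.
        if kind == "comment" or (kind == "other" and text.isspace()):
            continue
        if prev_word == "AS" and kind in ("word", "quoted", "string"):
            # Token right after AS is the alias (or a CAST type name).
            alias = text.strip("[]\"'")
            if "FROM" in alias.upper():
                findings.append(f"alias {alias}")
        elif kind == "word" and text.upper() in BLOCKING_KEYWORDS:
            findings.append(text.upper())
        prev_word = text.upper() if kind == "word" else None
    # De-duplicate while keeping first-seen order.
    return list(dict.fromkeys(findings))


# The first two queries are the ones quoted in the release notes;
# the rest are constructed for this example.
SAMPLE_QUERIES = [
    "SELECT * FROM tbSecret WHERE NAME LIKE 'Test%'",
    "SELECT TOP 10 * FROM tbSecret WHERE SecretName LIKE 'Test%'",
    "SELECT SecretName FROM tbSecret WHERE SecretName LIKE 'TOP UNION%' -- WITH",
    "SELECT Created AS ValidFrom FROM tbSecret",
    "WITH recent AS (SELECT SecretName FROM tbSecret) "
    "SELECT SecretName FROM recent UNION SELECT SecretName FROM recent",
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        blockers = paging_blockers(query)
        verdict = "ok for paging" if not blockers else "review: " + ", ".join(blockers)
        print(f"{verdict:32} {query}")
```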

Security

  • Updated PuTTY to version 0.73. The updated version addresses several PuTTY vulnerabilities, including one critical and two high severity items: CVE-2019-17067, CVE-2019-17068, CVE-2019-17069.

  • Addressed a vulnerability with the SDK client account handler.

  • Fixed a permissions issue in the new UI where password requirements did not obey the “administer custom password requirements” permission.

  • Added audits and event subscriptions for viewing passphrases and SSH keys.

  • Addressed a Remote Code Execution (RCE) vulnerability that allowed parameter changes for an action without validating user permissions.

  • Resolved an issue for SSH scripts and SSH remote password changers where sensitive information was being written to log files:

    • SSH remote password changers will now only log the comment for each command as it runs.
    • SSH scripts will only log that they ran because they have no comment for each command.

    Note: If you manually test an SSH script or password changer, the full output will still be shown for debugging purposes, because you just entered the credentials yourself.

  • Resolved a URL redirection vulnerability.

  • Added configurable parameter quoting for custom launchers.

  • Resolved three cross-site scripting (XSS) vulnerabilities.

  • Fixed an XML external entity (XXE) injection vulnerability.

  • Removed user information that was returned in an API call.

  • Added auditing for changes made to the session recording configuration page on the Admin > Configuration > Session Recording tab.

  • Added auditing for test script actions in the Custom Command Edits section in the Admin > Scripts pages.

  • Added auditing to the Admin > Configuration > Ticket System tab. Audits are logged under Admin > Configuration > General tab > View Audit.

  • Updated missing secure cookie attributes when “Force HTTPS” is enabled.

  • New installs running 10.7.000059 or later will now automatically apply zero information disclosure.

  • Added SHA1 and SHA256 hashes for protocol handler.

  • All Thycotic DLLs and EXEs are now signed with the Thycotic Software certificate including distributed engine, advanced session recording agent, and MemoryMQ applications.

Bug Fixes

This release includes bug fixes for the following components:

Privilege Manager

Listed below are the bugs that have been addressed in this release. The description below reflects the product behavior prior to the fix and specific details about the fix for some of the items.

  • Changing the selected collection for an SCCM collection does not correctly update membership.
  • Page goes blank when navigating to Admin | Configuration and “Enable Automatic Refresh of Privilege Manager Alerts in Browser” is disabled.
  • Clear remote scheduled policy parameters when the command is changed.
  • Message Action text editor in UI should support formatting included in XML.
  • Double-clicking on column width adjustment in the Agent Log Viewer gives an Unhandled Exception.
  • The Advanced Display Message Action is running in the background.
  • New schedule updates do not display clearly in the schedule.
  • The Application Justification Report returns no results.
  • The Resource Monitor doesn’t show counters after elevation.
  • The COM Objects Elevation showing Windows UAC after canceling Thycotic prompt.
  • The “folder” view in the item selector does not work.
  • The Event Counts on the Privilege Manager home are incorrect.
  • Events are duplicated in the Event Discovery view.
  • Win32Exe filter correctly handles files that have the internal attributes stripped.
  • Remote/cloud connected clients that pull tasks are broken with service hardening tasks.
  • The Password Age chart is broken and does not return any results.
  • The Agent falls back to using legacy services and no longer retries to connect to current services.
  • Offline Approval access is not available for the Privilege Manager HelpDesk User role.
  • MacOS Resource Targets are not updating when trying to add to a policy.
  • On mouse-over the Statistics | Changes Period to Past Month report throws an exception.
  • Changing an Azure User’s Role membership in Azure is not reflected in Privilege Manager.
  • An exception is thrown when navigating back to the Privilege Manager home after a session timeout.
  • System does not handle logins to a machine without standard SIDs.
  • The horizontal scrollbar is showing in the table for Windows Privilege Personas.
  • The Policies table is congested when opened in smaller resolution.
  • Reports displayed from the homepage may scroll past the pagination controls.
  • The Top Applications widget on the homepage throws an exception.
  • Several reports on the home page are not loading properly in Firefox.
  • Updates to an exclusion filter name are not displayed after editing.
  • The no licenses installed banner is missing.
  • Redundant warnings appear about the anti-virus exclusion settings.
  • An exception is thrown when navigating to the Foreign Systems tab on the Configuration page.
  • AD synchronization does not work correctly for users with distinguished names in excess of 256 characters.
  • The report generated from Purge Maintenance - Files Undiscovered has duplicate messages.
  • The Agent configuration form does not show previous values when a user clicks cancel.
  • Privilege Manager instances with Secret Server integration:
    • Secrets deleted from Secret Server create duplicate user credentials.
    • The expiration of a Secret Server session does not prevent access to Privilege Manager.
    • Changing Secret Server Role Permissions for Privilege Manager requires recycling TMS application pool.

Secret Server

  • Fixed an issue where creating folders through the API failed to set a secret policy.
  • Fixed a memory leak issue where leaving Mac launcher sessions open for extended periods of time consumed increasing amounts of memory on the machine hosting the session. This issue was incorrectly believed to be fixed in the Secret Server version 10.7.000002 release.
  • Fixed an issue where an access approval email link did not work if Integrated Windows Authentication (IWA) and two-factor authentication were enabled.
  • Fixed an issue where Unix secrets were not reported in the “Password Last Changed” report because the Unix Account template did not have a password expiration field by default. Unix password fields are now set to expire at 30 days by default.
  • Fixed an issue where pressing Enter with the cursor in the Search bar on the Discovery Network View page would open the create rule dialog.
  • Fixed an issue where new users were not adequately loading in the dropdown option for subscribers in the “discovery rule alerts” setting if users increased from under 40 to over 40 users.
  • Added clear error and validation in entering credentials for a discovery scanner.
  • Fixed an issue where localized language customization did not apply to some product pages due to default cache keys or inconsistent HtmlHelper methods implemented on those pages.
  • Fixed a bug where some pages in the old UI did not follow customized headers from CSS stylesheets.
  • Fixed an issue where extended search terms were not applied for URLs. Updated BookmarkletSecretSearcher so that it will not do extended hashes on URLs that might result in many erroneous matches. For instance, example.com would match exa.org.
  • Fixed issue where non-AD discovery sources (ESX, PowerShell) would not match dependencies with domain to an existing AD Domain. If the dependency scan item has a field called “domain,” it will attempt to map to an existing domain.
  • Fixed a bug where the REST API “daysUntilExpiration” field returned a blank value when calling for a secret summary.
  • Added a query to resolve sort ordering issues for dependency numbering.
  • Fixed an issue in the new UI where deleted secrets remained on display on the favorites widget in the home tabs.
  • Fixed a “bad token” error on login for mobile apps (Windows Desktop, iOS, or Android) for local users.
  • Fixed an issue where SSH keystroke data was not searchable from the session playback page due to proxy session data not being correctly hashed in the database.
  • Fixed a ticketing system bug where the option to require users to either provide a ticket number or a comment for requesting access incorrectly required both a comment and a ticket number to access the secret. This issue existed when requesting access to the secret through the UI, workflows, or terminal.
  • Fixed a bug where hashed terms were intermittently slow to return search results in the new UI.
  • Fixed a rendering issue for the group edit page when using the IE browser.
  • Fixed a localization issue in the SSH command menus where setting non-English as the global or user preference threw an exception when trying to save a secret policy.
  • Fixed an issue where an “object disposed” exception was thrown when navigating away from the new UI soon after application pools were recycled. This occurred because of an incorrect re-use of a service that is for processing the first Web request to the application.
  • Fixed a bug in the new UI where personalized preferences for launcher settings on a secret were not allowing users with view access to save.
  • Fixed a bug where custom columns on grids in the new UI occasionally tried to display the same column twice and threw an error.
  • Fixed an issue where a syslog header was missing the hostname when logging from an engine.
  • Fixed an issue where Duo authentication was not checking for valid fallback device options when the configured “default device” failed to authenticate.
  • Updated the “find new dependencies” feature to be available to users with edit permissions on the secret. Previously the new UI required users to have owner permissions.
  • Resolved a timing issue where secrets with scheduled password changes enabled would get erroneous heartbeat fails due to remote password change (RPC) expiration and heartbeat occurring at the same time. Now heartbeats are skipped for an interval of five minutes before and after a scheduled password change to allow password change completion before heartbeat is attempted.

Known Issues

The following issues are known at the time of this release:

  • If an issue is encountered with local UI preferences, Thycotic recommends clearing the local storage cache to remove old preference values. This can be done by going to Admin | Diagnostics and clicking the Clear Local Storage Cache button.
  • Creating copies of a Persona or currently selected task schedule does not work.
  • The File Specification Filter definition does not work on macOS 10.15 (Catalina) when the File Names field starts with com.apple.preference and/or Path field starts with /System/Library/PreferencePanes/. Any Policies leveraging these filter definitions are also impacted.
  • In Safari and Edge browsers column filtering for the Agent Policy State and Agent Policy State - Drilldown reports does not work.
  • The macOS self-elevation feature is not supported for systems running macOS 10.11 (El Capitan). The Privilege Manager Finder Extension does not work when installed on macOS 10.11. Thycotic recommends upgrading macOS endpoints to a newer version of the macOS operating system to utilize the latest feature enhancements in the Privilege Manager 10.7 macOS endpoint agent.
  • Privilege Manager macOS Administrator and Privilege Manager Windows Administrator roles:
    • If you are using either or both of the Privilege Manager macOS Administrator and Privilege Manager Windows Administrator roles, you must also add those members to the Privilege Manager Users role or they may not be able to view some of the application filters or actions. If you are using Secret Server authentication, restarting the Privilege Manager app pools may be required to have this take effect.
    • Members of either or both of the Privilege Manager macOS Administrator and Privilege Manager Windows Administrator roles may not be able to delete some items such as policies, actions and filters, even though they are editable. Have a member of the Privilege Manager Administrators role delete those items if this occurs.


Document Information

Modified date:
10 January 2020

UID

ibm11166866