24.2.0 release notes (Sept 3, 2024)
Note
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.
Supported Platforms for previous versions of BeyondInsight and Password Safe can be found in the BeyondInsight, Password Safe, and U-Series Appliance Documentation Archive.
New features
Increased security with Passwordless FIDO2 Authentication
Password Safe now supports Passwordless FIDO2 authentication, which allows local BeyondInsight users to authenticate more securely using a security key or a biometric method, such as a fingerprint or face recognition.
Enable the Passwordless FIDO2 Authentication option from the Configuration > Authentication Management > Authentication Options page in BeyondInsight.
Once enabled for your instance, users can then configure FIDO2-certified authenticators for their account. Administrators can also view or remove any authenticators that a user has configured.
Automatically synchronize Microsoft Entra ID groups on a scheduled basis
Microsoft Entra ID group membership no longer requires manual synchronization for individual groups. Users can now enable global group synchronization and schedule it to occur automatically on a daily, weekly, or monthly basis.
Enable and schedule group synchronization from the Configuration > Role Based Access > Microsoft Entra ID Group Synchronization page.
Automate the onboarding of AWS Credentials
Administrators can now create a Smart Rule to discover and onboard AWS IAM users into Password Safe for credential management, without the need to perform a discovery scan.
Create a Managed Account Smart Rule with the new Amazon IAM Query condition for the selected Amazon Cloud Managed System, set it to re-run every X hours, and assign the Manage Account Settings action.
Synchronize K8s secrets and Password Safe secrets
The Kubernetes External Secrets Operator (ESO) now includes a Password Safe extension that retrieves secrets managed by Password Safe and synchronizes them into K8s secrets. This ensures applications can continue to consume K8s secrets without changes to their code or workflows.
New reports
Custom Attributes
A new report that lists assets and their custom attributes was added to the Assets folder for both on-premises and cloud.
Database User List
The Database User List is now available in the Account folder in Password Safe Cloud. It was previously only available in on-premises installs.
Enhancements
Increased security for SAML authentication
Password Safe now has a Force Re-authentication option when configuring a SAML identity provider in BeyondInsight. Enabling this option requires users to re-authenticate with the identity provider for each BeyondInsight session, even if they already have a valid session.
Enable the Force Re-authentication option for the identity provider from the Configuration > Authentication Management > SAML Configuration page.
Increased security for Discovery Agents
Discovery Agents can now be configured to use OAuth authentication for communications with BeyondInsight by leveraging the existing Installer Activation Keys feature.
Configure a key from the Configuration > Authentication Management > Installer Activation Keys page for use when setting up Discovery Agents with OAuth authentication.
Improved UI accessibility
Accessibility improvements were made in many areas of the BeyondInsight and Password Safe UI:
- Improved page responsiveness based on screen resolution
- Appropriate screen reader cues added to input fields, drop-downs, and grids:
  - Input fields can now indicate their invalid state or error messages to screen readers via ARIA tags.
  - Searchable input fields and drop-downs now announce the number of results available and announce every time the number of results changes.
  - Areas in grids that have the focus are now announced.
- Improved Session Replay Viewer progress bar to support keyboard interactions and added ARIA properties.
Report updates
Run reports for exact dates and date ranges
On-premises users can now quickly determine what actions were performed during specific time periods by running reports for exact dates and ranges.
More auditing information in the Password Release Activity report
The Password Release Activity report now includes the reason for the password release. The reason, ticket number, ticket system, and approver are now included when SIEM events are forwarded.
GET Users API now supports inactive users
The Password Safe GET Users API now has the ability to return users that are flagged as inactive. Releases prior to 24.2.0 only supported returning active users.
Encrypt secrets with an external hardware security module (HSM)
Password Safe now supports encryption of the Secrets Safe vault using an external HSM configuration. This builds on existing support for HSM encryption of the Password Safe vault and system credentials.
Remove dependency on IUser_REM account
The on-premises BeyondTrust Discovery Agent can now be configured to communicate via certificate or OAuth authentication, as is done in Password Safe Cloud. If set up this way, the BeyondTrust Discovery Agent does not require the account, and it can be removed.
Password complexity, use and lifetime restrictions
Changed local user default password policy minimum length from 14 characters to 16 characters. Upon upgrade, this change takes effect only when the policy is edited.
Last login information message to users
Password Safe now displays the user's last login in the Profile and Preferences box.
Customizable SQL Server Port
The SQL Server Port is now customizable on various configuration pages.
Better insights with X-Forwarded-For IP
The source client IP address carried in the X-Forwarded-For header is now included in User Audit details for both API and web console interactions.
Removed deprecated TeamPasswords PAPI endpoints
Legacy TeamPasswords public API endpoints have been removed:
- POST TeamPasswords/Folders
- GET TeamPasswords/Folders
- PUT TeamPasswords/Folders/{folderId}
- DELETE TeamPasswords/Folders/{folderId}
- GET TeamPasswords/Folders/{folderId}
- POST TeamPasswords/Folders/{folderId}/Credentials
- PUT TeamPasswords/Credentials/{id}
- GET TeamPasswords/Credentials/
- DELETE TeamPasswords/Credentials/{id}
- GET TeamPasswords/Credentials/{id}
- GET TeamPasswords/Folders/{folderId}/Credentials
Terminate and cancel session option in Active Sessions
Password Safe Portal users with appropriate permissions can terminate an active or locked session and cancel the related request.
Support storing SSH host keys in PEM files
You can now store the ssh-dss, ssh-rsa, ssh-ed25519 and ecdsa-sha2-nistp256/384/521 host keys in PEM files identified by registry values. This can be useful to ensure that a cluster of nodes behind a load balancer all share the same SSH host keys.
.NET 8 runtime version
BeyondInsight and Password Safe Cloud's resource broker is now deployed with the .NET 8.0.8 hosting bundle.
Dedicated Account Smart Rule improvements
Dedicated Account Smart Rules now allow:
- Actions
  - Set attributes on each account
- Filters
  - Managed System Smart Group (new filter)
  - Assigned Attributes
  - Platforms
Quickly see "Disabled at Rest" status
A new column has been added to show if Managed Accounts are enabled for the "Disabled at Rest" mode.
Refreshed UI and improved UX
In the Analytics and Reporting > Report Subscription wizard and the Configuration > Analytics and Reporting > Configuration wizard, the user interface and user experience have been reviewed for consistency and correct layout.
Filter approvals by request ID
The Approvals grid can now be filtered using the Request ID column.
Easier selection of Password Safe node, directory, and resolution filters
Filters are now multi-selectable drop-downs and are pre-populated with all available nodes, a number of standard RDP resolutions, and available directories.
View authentication status at a glance
Administrators can now use the Agents grid to see which Endpoint Privilege Management endpoint agents are using OAuth and which are still using certificate-based authentication.
Issues resolved
Product Area | Description | Resolution |
---|---|---|
Secrets Safe page of the BeyondInsight Console | Screen readers would show some unexpected behavior. | Resolved some accessibility issues involving screen readers. |
Secrets Safe page of the BeyondInsight Console | When creating a new folder, focus was lost from the Secrets Safe page when the user clicked Create folder or Discard. | Focus now returns to the appropriate button when a folder is created or discarded. |
Internal Smart Rules processing logic | A database stored procedure that affects bulk attribute updates was causing deadlocks. | The stored procedure was updated to avoid deadlocks. |
Custom Platforms page of the BeyondInsight Console | When checking the password of a custom platform, the first step of ELEVATIONCOMMAND was sometimes causing the attempt to time out. | The first step has been changed to a LANG=en_US; whoami response for the AIX, HP-UX, Linux, Mac and Solaris custom platforms. |
Submit request tab | If the max concurrent requests for a managed account was set to 1, users could still request and retrieve the account’s password, even if another request was still valid and displayed as unavailable. | A message now states that the max concurrent requests has been reached. |
Workforce Passwords Browser Extension | When a website has two or more credentials saved, the username and password had to be populated individually. | When a credential is selected, both the username and password populate together. |
User Audits page of the BeyondInsight Console | In the Audits grid, a failed Direct Connect login attempt was not showing the username. | The Audits grid now shows the username that attempted to log in. |
Connectors page of the BeyondInsight Console | When running a scan for Google Cloud, Middle East regions were not listed and could not be queried for scan targets. | All regions are now available. |
Managed Accounts page of the BeyondInsight Console | Editing a managed account without changing the next scheduled change date was saving an incorrect date to the database. | Dates are now being saved correctly. |
BeyondInsight API | Entra ID users who were members of more than 100 groups could not log in via the API. | Users are now able to log in and their groups are enumerated successfully. |
User Management page in the BeyondInsight Console | When editing an Active Directory user, credentials were a required field and would display an error if not filled out. Selecting a credential would allow the user to save, but opening the field again showed that the value was not saved. | The credential field is no longer treated as a required field for the editing of a user. User details now save correctly. |
Secrets Safe page of the BeyondInsight Console | When assigning ownership to a group or members of a group, the user could navigate away from the page without a Save/Discard prompt and lose changes. | The user is now prompted to continue editing or discard changes when navigating away. |
Secrets Safe page of the BeyondInsight Console | A secret could be saved without any owners. | If a user attempts to save a secret without an owner, an error appears and the secret cannot be saved until an owner is assigned. |
Workforce Passwords | Workforce Passwords was failing to import passwords from a CSV if the password contained a comma. Additionally, if an exported password contained a quote, Workforce Passwords would import the password with the escape characters that LastPass added to the CSV. | Passwords are now imported correctly. |
BeyondInsight API | A SCIM PATCH request could not handle a path with a sub attribute after the filter, returning a 500 error. | The attribute is now correctly changed on the given object. |
Users page of the BeyondInsight Console, extension login | Error messages for attempted login without access were always in English, even if the user was using a different language. | The error message is now translated. |
Managed Accounts page of the BeyondInsight Console | After editing a synced managed account, the description became NULL. | The description is now retained when a synced managed account is edited. |
Secrets Safe page of the BeyondInsight Console | Users who owned all secrets within a folder received an incorrect error message: “The folder cannot be deleted. You do not own all the secrets” when attempting to delete a folder. | Users now receive an accurate error message indicating that all secrets need to be deleted before the folder can be deleted. |
Internal group synchronization logic | Syncing an AD Group after removing a user also removed that user from all their groups, not just the group being synced. | The user will now only be removed from the currently syncing AD Group during synchronization. |
Smart Rules page of the BeyondInsight Console | There is an option to clear existing mappings when creating a Smart Rule to apply propagation mappings via an action. If users switched mapping from Smart Rule to scan data or vice versa, the previous mappings were not cleared correctly. This resulted in mappings for both scan data and discovery on a Smart Rule. | When the clear option is enabled, all previous mappings are now cleared. |
Internal logic | When checking if a hostname had a valid DNS entry, the comparison was case-sensitive. Also, there was no debug logging on a failed DNS lookup. | DNS comparison is now case-insensitive, and debug logging has been added to improve troubleshooting. |
Workforce Passwords Browser Extension | When the URL field on a Secrets Safe secret has a trailing space, the Workforce Passwords Browser Extension displayed an error when that Secret was used. | Trailing spaces in URLs on Secrets no longer cause errors with Workforce Passwords Browser Extension. |
Secrets Safe Entitlement Report | When exporting a PDF or TIFF Software Entitlement Report, each page of the report would also generate a second blank page. The first entry into Secrets Safe would not show in the report, but subsequent entries appeared. | Reports now generate with all data and without extra pages. |
Configuration page of the BeyondInsight Console | SHA1 was available as a signature method option, but support was recently removed for this option. | Due to weaknesses in SHA1 and the removal of support for it in various third-party libraries, we have removed it as a signature method option. |
Smart Rules page of the BeyondInsight Console | If a child Smart Rule was a Managed Account quick group, processing any Smart Rules with the child could fail with an error referencing the DisabledAtRest column. | Smart Rule processing now runs without error. |
Smart Rule internal processing | Some timeout errors could occur during onboarding Smart Rules processing. | Performance improvements were made to some queries that are executed during Smart Rule internal processing. This helps avoid timeouts. |
Secrets Safe page of the BeyondInsight Console | Insufficient validation checks in the Import Secrets API. | An authorization check now ensures the calling user has sufficient access to the target folder when using the Import Secrets API. |
SCIM API | A long wait time occurred when a large number of results were returned when attempting to access /scim/v2/Users or /scim/v2/Groups via the SCIM API. | All results are returned as expected at a much faster speed. |
SCIM API | An attempt to query more than one attribute for a SCIM endpoint was not supported. | The SCIM API now supports multiple attributes in a query. |
User Management page of the BeyondInsight Console | The username field in the database was too short to handle Azure User Principal Names (UPNs), causing them to be truncated. | The username field size has been increased to accommodate Azure User Principal Names (UPNs). |
Public API | Certain API calls were taking longer than expected. This was because a cache accessed by the API was reloading its entries after about ten minutes. | The cache was adjusted so that it no longer requires a reload after the first hit. |
Internal logic | PBSMD SSH fingerprints were not unique across multiple U-Series Appliances in a user’s environment. | Internal logic has been updated to ensure that PBSMD receives unique SSH fingerprints across multiple U-Series Appliances in an environment. |
Asset page of the BeyondInsight Console | The Users grid would fail to load when the last logon date contained certain non-English date formatting. | The Asset > Asset Advanced Details > Users grid now loads appropriately even if the last logon date contains non-English date formatting. |
Internal logic | When the Graph API would throw ODataError exceptions, not much information was provided about what the specific error was. | More details are now captured in the log. |
Start menu shortcuts for BeyondInsight Configuration and BeyondInsight Console | Shortcuts were displayed in the eEye Digital Security folder instead of the BeyondTrust folder. | Removed eEye Digital Security folder from Start menu. Shortcuts now display in the BeyondTrust folder. |
Proxy Settings page of the BeyondInsight Console | Error messages when retrieving Entra ID groups for EPM clients did not include helpful information. | More details are now captured in the log. |
Installer Activation Keys page of the BeyondInsight Console | The Cloud installation command, BeyondInsight URL, and endpoint were incorrect when viewing system generated key details. | The installation command, BeyondInsight URL, and endpoint have been corrected for Cloud. |
User Management page of the BeyondInsight Console | When large AD groups were added or synced, the stored procedure that updates external attributes caused blocking in the database. | The stored procedure has been modified to prevent blocks. |
Password Update Activity page of the BeyondInsight Console | The Password Update Activity report was missing the Asset column for Functional Accounts. | The report now has an Asset column in the Functional Account table. |
BeyondInsight Console | Customized logos were not appearing in the web console. | Updated how custom logos are handled so that existing instructions on replacing these will continue to work. Custom logos may still need to be replaced after product upgrades. |
SCIM API | Updating a group via the SCIM API would cause unexpected settings changes. | Only the attributes that were changed in the request are now changed. |
Password Safe Sessions | Password Safe was unable to validate system fields from a ServiceNow ticket. | If a user does not have access to a particular managed system, the ServiceNow ticket validator fails and the user is denied access. |
BeyondInsight internal communication | Identity Service would not update the client ID when creating a client. | The client ID is now updated so that the two client IDs match. |
User login (Active Directory) | Active Directory users were unable to log in to BeyondInsight after being renamed in Active Directory. | The logic in the login process has been updated to handle this scenario correctly. Renamed AD users can log in without requiring a group sync to occur first. |
Smart Rule Processing | When deploying Endpoint Privilege Management Policy, the Smart Rule failed to process in some environments. | Performance has improved when processing Smart Rules that include the deploy Endpoint Privilege Management Policy action. |
Password Safe Sessions | When selecting “User ID Mapping : UPN format” in a ServiceNow connector, an error was returned stating “Logged in user ID is null or empty”. | The UserPrincipalName (UPN) can now validate ServiceNow tickets for Entra ID users. |
User Management page of the BeyondInsight Console | Details sometimes did not switch when editing a different Password Safe role for a mapped smart group. | Switching between roles now correctly switches the details. |
API Registrations page of the BeyondInsight Console | Changes to API registrations were not being audited. | User Audits now appropriately shows changes. |
BeyondInsight Password Services | Password Services could crash after attempting multiple “keyboard-interactive” mode connections via SSH if the initial connection attempt was only partially successful. | The service has been updated to limit the number of “keyboard-interactive” attempts made. |
BeyondInsight API | Any failed API authentication would send an email to the administrator email account. | This has been deprecated, and emails for failed API authentications are no longer sent. |
Access Policies page of the BeyondInsight Console | If an admin created an access policy not attached to a requestor group, and then a requestor with a different access policy created and actioned a request, admins were unable to delete the new access policy. | The dependency check logic around access policy deletion is improved. Admins can now delete new access policies in this scenario. |
BeyondInsight Configuration > Secure Remote Access > Connect to Secure Remote Access area | Missing validation and empty default values could lead to errors in the log files if these values were saved by the user. | The field validation and default port value were updated on this form. |
Internal logic | Insufficient validation was used on LDAP query creation. | Enhanced validation for directory queries to mitigate the creation of invalid LDAP queries. |
Smart Rules | The ordering of actions displayed in a Smart Rule when editing was not consistent between creation and editing. | The Smart Rule actions are now sorted consistently regardless of whether the Smart Rule is being created or edited. |
Sessions grid | On the Sessions grid in the Password Safe portal, the column picker contained a duplicate “Status” column entry. | The duplicate “Status” column has been removed. |
BeyondInsight Configuration > IP Allow List | When configuring an IP Allow List rule with an IP range, there was no validation to prevent a user from entering a “From IP Address” value which was higher than the “To IP Address” value. Attempting to save a rule with this misconfiguration would display a generic error message. | The IP address range is now validated in the input form, with informative messaging if the data is not valid. |
Password Safe | If a ticket was supplied when creating a request and ticket validation failed, only a generic validation error was shown, which may have been insufficient to troubleshoot the error. | Additional error messaging is now shown in the details of the error message that occurs in this scenario. |
Workforce Passwords Browser Extension | If a Workforce Passwords extension was in use while the Password Safe instance was upgraded, new features did not always appear right away. | The Workforce Passwords Browser Extension now shows new features right away when the Password Safe instance is upgraded, even if the extension is in use. |
Known issues
Product Area | Description | Workaround |
---|---|---|
Managed Account Smart Rules | Managed Account Smart Rules that contain a Link domain accounts to Managed Systems action that targets an Asset-type Smart Group will fail processing, and the logs display a “Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements” error. | Contact BeyondTrust Support for a hot fix. This issue will be resolved in an upcoming maintenance release. |
Analytics and Reporting interface | Using Firefox, clicking the browser back button while viewing a report causes the Analytics and Reporting interface to become unresponsive. | Clicking the browser back button again takes the user to the parameter entry view, and the UI becomes responsive again. Using the back button within the report viewer will allow for proper navigation. |
Analytics and Reporting interface | Using Chrome, clicking the browser back button while viewing a sub-report actually takes the user back to the list of reports. | Use the back button within the report viewer for proper navigation. You may need to re-run the report if you’ve ended up back at the report list. |
Analytics and Reporting interface | For on-premises only, if Analytics and Reporting is configured prior to SMTP settings being configured in the Report Server, the “Send subscription by email” option is not available. | Either configure SMTP settings prior to configuring Analytics and Reporting, or restart the SSRS service after configuring SMTP settings. |
Analytics and Reporting interface | For on-premises only, when creating a report subscription with email delivery in Analytics and Reporting, if more than 2,000 characters are entered into the To field, the subscription wizard becomes unresponsive. | Ensure that the email addresses used in the To field are a total length less than 2,000 characters. |
Purging Options: Database Index Maintenance page of the BeyondInsight Console | The Database Index Maintenance job will not run in an environment configured with a low privilege SQL user. | Configure the database connection to use a privileged account. |
BeyondInsight Console | If a user allows their BeyondInsight session to time out, their theme selection reverts to BeyondTrust brand colors. This becomes apparent if they had their preference set to dark mode colors. Signing out does not have this effect. | Avoid letting the session time out, or update your preferences after logging in. |
Web Policy Editor | When upgrading to Web Policy Editor 24.5.372 from an older version using BT Updater, the setup may fail with an error that indicates the wpe.log file is in use. | Stop the WebPolicyEditor Service prior to upgrading, complete the upgrade to WPE 24.5.372, and then restart the service. WPE 24.5.372 contains a fix that ensures any subsequent updates (to future WPE versions) will not require the manual service state changes. |
Secrets Safe | There is an unintended difference in behavior when attempting to delete a non-empty subfolder of Personal secrets depending on whether the user is an administrator: an admin can delete the subfolder and its secrets, but a non-admin cannot delete the subfolder without first deleting the secrets. | As a non-admin, to delete a subfolder, first delete the secrets within the subfolder, then delete the subfolder. |
Password Safe | vSphere Managed Account password changes may occasionally fail with a “passwords do not match” error. | Initiate another password change. |
Password Safe Propagation Actions | When performing propagation actions for a domain account (i.e., domain\svc_acc1) and there exists a local account with the same name (i.e., svc_acc1) found on the system in the same propagation target, the local account propagation may also be incorrectly updated. | Use accounts of different names for domain vs. local. |
Password Safe Application Sessions | Launching remote applications with ps_automate will fail with Chrome/Edge v128. | Use Chrome/Edge v127 or Firefox; alternatively, a hotfix is available. |
BeyondInsight Console - Activation Keys for Discovery Agent Installer Type | PowerShell cannot be used to configure OAuth for BeyondTrust Discovery Scanner Central Policy or Events. | Use the Command Prompt instead. |
Notes
- Direct upgrades to 24.2.0 are supported from BeyondInsight versions 22.2.3 or later releases.
- BeyondInsight 24.2.0 supports SQL Server 2016 SP2 or higher.
- This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
- The MD5 signature is: aa5c3665679bb8b91ba179029a0711f2
- The SHA-256 signature is: b32e3703a8cad701fe6487e611c278edfcf27ffb026baa0142777b5d71d8ff73
- The ECM Plugin for Password Safe has been updated to version 24.1.3.
Deprecation notices
Team Passwords Public API Endpoints have been deprecated and are no longer present in the 24.2 release. You must update scripts to use the corresponding Secrets Safe API endpoints instead.
BeyondInsight 24.2.0 still supports the following features, but these are planned to be removed in the next release:
- Analytics & Reporting > Clarity: Clarity and related reports and configuration.
- About > BeyondInsight Analysis
The Password Safe platforms Cloud - Azure and Cloud - Office 365 are being removed in the 24.3 release. Instead, customers should transition to using the Microsoft Entra ID platform, which offers additional functionality.