January 9, 2024

Requirements:

• There is a product dependency on having the .NET 6 Hosting package installed.

New features and enhancements:

• Added checks to ensure that Sudo is installed on the target before elevating target commands.
• The scanner now returns all DNS Aliases and DNS Addresses as part of the Asset Event NVP data, ensuring accuracy when discovering and naming scanned databases and their hosts.
• Added new methods to determine if a target is a DC.

Issues resolved:

• Resolved an issue with data parsing for Palo Alto devices where the echo of the command was being returned in NVP data, causing scanning of the devices to onboard the prompt as a user.
• Resolved an issue where Error 400: BadRequest was occurring when running the testc command to test the central policy setup.

Known issues:

• The installation dialogs have string substitutions errors.

Notes:

• Direct upgrades to this version are supported from versions 20.1.0 and later releases.
• This release is available by download from the BeyondTrust Client Portal at https://www.beyondtrust.com/support/.
• The MD5 signature is: 2b8055bcfca1c7c277e3584568c8cfdc
• The SHA-1 signature is: 6650de9f72ccae0c2dcf65b4a3f9b618f9d85852
• The SHA256 signature is: 20a3b1a852b2a1d21d52aaa8fde5bdf4b7ba3773c1b367241b1e10dc2b759ff8

December 14, 2023

Requirements:

Requires BeyondTrust Password Safe version 23.3.0 or later release.

New features and enhancements:

• Updated Enhanced Session Utility:
  • Updated PSAutomate utility, which addresses webdriver download issues for some browsers.
  • Checksums:
    • pbpsmon-23.3.7.msi SHA256: d48c071851480e439ed0cecaaeb179bdf18b504b0af71af2f566a9b6c725ac07
    • pbpsmon-23.3.7.exe SHA256: c6788cd32c71e407d19cd23b765396f2428c2be64a565f6f87add53e3f9de595
• Updated Python API sample
• Updated Password Safe Cache:
  • No functionality changes.
  • Updated 3rd party library dependencies.
  • Checksums:
    • PSCache-23.3.7-x64.exe SHA256: a56b44c45be4bb86715b3c415a0062085f59ae7bb5c0b579a6b5c9cba452f948
    • beyondtrust-secrets-cache-23.3.7-1.el9.x86_64.rpm SHA256: d87ec4ba3ff57b9598601c26aa6432ee662224f3bb7bea2de300e1eccebdd801
    • beyondtrust-secrets-cache-23.3.7-1.el8.x86_64.rpm SHA256: 975412247dca4e39ed3a8b5742b9095f378ea7f5c0aac10bfe05a152c1bad610
• Updated Platform SDK to support Password Safe23.3.

ℹ️

Note

New versions of the Password Safe Cache are available for RHEL 8 and 9. There are no new versions for RHEL 7. The last supported version for RHEL 7 is 23.1.24.

Notes:

• The SHA-256 signature is: 326d963d59a75fc2ac87830974711fe32f04b070f89440488382a65c14feb969
• This release is available to download for BeyondTrust customers at https://beyondtrustcorp.service-now.com/csm.

December 14, 2023

Requirements

• A restart of the resource broker host may be required after upgrading to the 23.3 release.

New features and enhancements:

• Optimized architecture for resource brokers, as follows:
  • In previous versions of Password Safe, there was a limit of 10 resource brokers per zone. With the release of 23.3, we have optimized the architecture to expand to 200 resource brokers across 50 zones.
  • In previous versions of the resource broker, it was necessary to include a list of Azure endpoints when configuring customer firewall rules. With the release of 23.3, this process has been streamlined, and now only a single outbound rule is needed for "`customer-key`.ps.beyondtrustcloud.com" on port 443. This top level DNS also points to a static IP that can be used in the creation of firewall rules.

Issues resolved:

• None

Notes:

• .NET Core hosting bundle updated from 6.0.21 to 6.0.25.
• .NET hosting bundle updated from 7.0.10 to 7.0.14.
• Direct upgrades to 23.3.0.1789 are supported from all previous versions.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• This release bundles version 23.2.0.1370 of the BeyondTrust Discovery Scanner. Corresponding release notes are available here: https://www.beyondtrust.com/docs/release-notes/beyondinsight-password-safe/index.htm.
• The MD5 signature is: CBE0AFD793BC84AC2E67903748B3CCA0
• The SHA-1 signature is: 98FE111B8935FFF241872B8F94D1B0CD96C86E2C
• The SHA-256 signature is: 81375A9651C19E61C3FCD6836B50001D74B6C2C0BD69DFA684B11BA503A6B465

December 14, 2023

Requirements:

• A restart might be required after installing this update.

New features and enhancements:

General

• Workforce Passwords (Browser Extension) now offers the ability to create, update, and delete saved credentials directly from the browser.
• Workforce Passwords (Browser Extension) now has support for localization to the same languages as supported by BeyondInsight and Password Safe.
• All Azure Active Directory functionality (Users, Groups, Directory Credentials, Policy Editor Azure AD Search, Managed Accounts Test and Change) now support communication through a web proxy (not applicable to Password Safe Cloud).
• Modified scheduled, active, and completed scans features to ensure history of completed scans is maintained. Scheduled scans can now be deactivated instead of deleted. Completed scans can no longer be deleted. Data retention limits still apply to completed scans.
• Removed the Minimum Password Age and Maximum Password Age options from the Configuration > Role Based Access > Local Account Settings page in BeyondInsight. Guidance from experts in the field indicates that these settings no longer offer significant value.

Password Safe

• Added an Advanced Details view for remote applications, providing a simplified read-only view of the application configuration, as well as a global view of all associated managed accounts.
• Added a new global configuration setting for sessions, Hide record check box for Admin Sessions, which allows the user to control whether the admin session is recorded.
• Added a new Account Status column to the Password Safe Accounts grid, which shows whether the specified account is currently available for use (Available / Not Available).
• Added a new default filter to the Password Safe Approvals grid to show pending requests from the last 7 days.
• Updated the integrated BeyondTrust Endpoint Credential Manager (ECM) to version 1.6.1 and the ECM Plugin for Password Safe to version 23.1.2.

Password Safe Cloud

• BeyondTrust Identity Insights App Switcher is now supported in BeyondInsight and Password Safe Cloud (not applicable to BeyondInsight on-premises).
• Completed recorded sessions older than 6 months are now automatically archived to Azure Blob Storage (ABS). Recordings in ABS are unavailable to be replayed without first using the Restore action on the recorded session.
• For BeyondInsight and Password Safe Cloud only, discovery scan data is now purged after 30 days. Previously it was purged after 90 days.
• For BeyondInsight and Password Safe Cloud only, added optional Processing Elapsed Time and File Format columns in the Report Subscriptions grid on the Download Reports window.
• Optimized architecture for resource brokers, as follows:
  • In previous versions of Password Safe, there was a limit of 10 resource brokers per zone. With the release of 23.3, we have optimized the architecture to expand to 200 resource brokers across 50 zones.
  • In previous versions of the resource broker, it was necessary to include a list of Azure endpoints when configuring customer firewall rules. With the release of 23.3, this process has been streamlined, and now only a single outbound rule is needed for "`customer-key`.ps.beyondtrustcloud.com" on port 443. This top level DNS also points to a static IP that can be used in the creation of firewall rules.

Issues resolved:

Analytics and Reporting

• Removed the Subscribe to Report option from the Discovery report when launched from the Completed Scans grid, since a subscription cannot be created from this location. This prevents users from being taken to a dialog that does not load properly.
• Corrected the report title that appears in the header of the Managed Account Password Age report to properly reflect the name of the report. Now the report title and the report name in the report list both reflect the correct name of Managed Account Password Age.
• Corrected the display name of the blank value in the Authentication Alert parameter on the Authentication Alert Summary report. The blank label in the parameter has been replaced with (Blank), and selecting it returns any records that have a blank Authentication Alert.
• Resolved an issue where some previously deprecated reports displayed in the report list in Analytics & Reporting when this upgrade path was taken: 7.2.1 to 22.1 to 23.3. This fix ensures that reports that have been deprecated remain removed from the application report list regardless of upgrade path.
• Resolved an issue with the Workforce Passwords Usage Summary report, which showed an error instead of the header when run from the Console Reports > Licensing folder. Now the report shows the header regardless of which path it is run from.
• Resolved an issue with the Managed filter and data point on the Service Account Usage report. The Managed data point now displays correctly and the Managed parameter selection filters the report data accordingly.
• Updated several Password Safe Cloud reports (Admin Session Activity, Entitlement by User, Password and Session Activity, and Remote Session Activity) to exclude records related to built-in system activity.
• Resolved an issue in the Days Since Last Login column of the Managed vs Unmanaged Account Details report in Password Safe. If the last login date was between the 1st and 9th of any month, this column displayed Never, even though a last login date was known. This fix improves report data integrity.
• Resolved an issue with the Event List and Events by Hour reports from the PBUL folder returning an error in the SSRS log when running, indicating a problem with the PowerBroker UL Accept Reject Time dimension. Now the report runs without error as expected.
• Resolved an issue in Password Safe Cloud, where a report subscription listed under Subscriptions was not automatically moved from the New tab to the All tab upon completion. Now the report subscription shows up in the All tab when it has successfully completed. This makes it easier for users to find.
• Removed deprecated Risk field from the Asset > Software report. This ensures that the report reflects only data that is currently relevant.
• Resolved an issue where the Asset > Software report often included recently removed software, not respecting the selected scan parameter. Now the report displays the software associated with the selected scan.

Active Directory Group Sync

• Improved Active Directory Group Sync logic to reduce database usage in instances where the sync fails repeatedly. Reduced database usage in this scenario has less impact on other database activities, which might result in improved performance.
• Corrected inaccurate labeling of success messages as warnings in the Active Directory Group Sync processing to reduce noise in the Omniworker log file. Fewer warnings in the logs might mean smaller log files and less irrelevant data points there.

Minor Localization, Keyboard Navigation, Verbiage, and UI Changes

• Removed grid refresh and expand buttons, as well as the grid page navigation bar, from the Query Test Results grid in a Directory Query, as they are not helpful to have here. Now the Query Test Results grid is simplified and does not contain extra actions that could confuse users.
• Resolved some minor issues with focus, localization, verbiage, spelling, translation and screen reader announcements in various places in the application. This improves keyboard navigation and screen reader usage for all users, and should aid non-English users in reading labels on our UI.
• Aligned UI with UX guidelines by replacing Save buttons with the more specific Update and Create buttons on pages including Scan Details and Configuration > Mail Templates, Worker Nodes, and Ticket Systems. This improves consistency across the application.
• Resolved an issue where an incorrect validation message appeared on IP address during the manual creation of a new asset.
• Resolved an issue in the Smart Rules grid where the right Details panel stayed open even if the grid filters and contents changed. Now the side panel is closed whenever the user changes the filters, removing a potential cause for confusion.
• Improved the Smart Rule grid so that after requesting a Smart Rule to process, upon grid refresh, the grid scrolls to the selected Smart Rule. This makes it easier to see the current status of that Smart Rule.
• Resolved an issue where the deprecated Use Private IP Address option appeared unexpectedly in the Smart Rule configuration Selection Criteria section, when Cloud Asset Connectors to Filter With criteria was added. This option is no longer valid and no longer appears in the user interface.
• Resolved an issue where the Server Keys panel would not load under Advanced Details for a managed system if no server keys were present. Now the panel loads whether or not there are server keys present.
• Resolved an issue where the format of the Account string on a new Password Safe request contained a forward slash (/) character instead of the correct backslash (\) character. Now if a user copies this string and pastes it elsewhere, they won’t have to edit the text in order to use it.
• Resolved an issue where the configured resource zone did not appear after saving a change to the RADIUS alias. The change was being saved, but did not show up in the user interface. Now it shows up.

Discovery Scanning

• Resolved an issue where editing the start date and time on a one time scheduled scan gave an error message. Now the start date and time on a one-time scheduled scan can be edited, so customers can fine tune the timing of an upcoming one-time scheduled scan.
• Resolved an issue where, occasionally, editing some scan credentials resulted in the edit form missing several fields. All form fields now display properly when editing these credentials.
• Resolved an issue with the Credentials list in the Scan Details and Scan Wizard so that it now refreshes when changing organizations. Customers editing scheduled scans in multi-org environments now see a Credentials list refresh if they switch to another organization while on this screen.
• Resolved an issue in the Scan Wizard where a newly added credential did not show up in search results on the Enter Credentials step without a refresh. Now, when a new credential is added, it shows up in the Credentials list and can be found in searches. This might improve a customer’s experience in finding appropriate credentials to use during a scan.
• Resolved an issue with 1200 x 800 screen resolution where a number of UI elements were not displayed properly on the Enter Credentials step of the Scan Wizard. Now the UI elements align properly at all supported screen resolutions. This might make it easier for a customer to use this screen if they are using a 1200 x 800 screen resolution.
• Resolved an issue where key validation is prompted in the Scan Wizard if a stored credential with a key was selected, then deselected and replaced with a custom credential. We have improved the logic used to determine when to show the key validation panel, so users should only see it when it’s truly needed.
• Resolved an issue where when viewing scan details for a scheduled scan, and selecting the Deselect All action in the Credentials list, and then clicking Update Credentials, did not save the changes appropriately in some cases. A change was made to improve the logic used to determine which credentials in the Credentials list are selected at any given time, so that updating credentials should now reflect the user’s choices.
• Resolved an issue where when editing the details for an existing scheduled scan, changes made to Deploy Local Scan Service under Detailed Discovery Options was not always sent to the scanner. Now, regardless of the selected choice for the Deploy Local Scan Service value, the appropriate value is sent to the scanner.
• Resolved an issue where the count on the History section of the Scan Data details of a scheduled scan was not updating to reflect the items in the history for the scanner selected in the Details and Attributes section. Now, when saving the change to select a different scanner (only possible on scans originally set up with multiple scanners), the count beside the History section is updated to reflect the number of items in the corresponding History grid.
• Improved the credential key validation workflow in the scheduled scan details editing process, so that if the user has already typed the key to validate a credential, they are not prompted to do so again if another credential requires validation, as long as they have not left the page.
• Added validation so that a one-time scan cannot be scheduled to start in the past. This reduces the opportunity for users to encounter errors.
• Resolved an issue where the Abort setting configured for a one-time immediate scheduled scan was not always passed to the scanner, causing the scanner to ignore the scan restrictions in those instances.
• Resolved an issue where occasionally, editing the schedule details of a scheduled scan showed blank fields for some of the schedule data points. This might have been misleading as the schedule details were still present and stored in the database.

Endpoint Privilege Management

• Resolved an issue that prevented the Policy Editor in BeyondInsight from accommodating policies that are between 10 and 20 MB in size in anticipation of an increase in maximum policy size coming in Policy Editor 24.1.
• Resolved an issue where changing the selected organization did not refresh the Policies grid until the user did so manually. Now, changing the organization triggers the grid to refresh automatically. This contributes to a better user experience.
• Added required field validation to most fields in Configuration > Endpoint Privilege Management > Privilege Management Reporting. Now all fields except SQL Connection Options are required to successfully save this configuration. This reduces the likelihood of invalid configuration settings in this area.
• Restored a clickable Events link under Asset Details for Endpoint Privilege Management Events, taking the user to the appropriate grid and filtered to show the events for the currently selected asset. Now the events for a particular asset can be viewed via a single click instead of having to load and filter the Events grid.

Password Safe

• Resolved an issue where if a local functional account is configured to be used as a login account on a managed system and also enabled for automatic rotation, the password rotation fails. Now all functional accounts that have automatic rotation enabled, rotate properly even if used only as a login account.
• Resolved an issue where case mismatches between a system’s local user account name and that same account name stored in BeyondInsight caused the account to be excluded from managed account Smart Rules with a user account attribute selection criteria that would otherwise have included it.
• Resolved an issue causing the MSSQL functional account test in on-premises environments to always return a bad gateway error.
• Resolved an issue causing the Password Safe Omniworker log to incorrectly log an error. Now that error is no longer logged.
• Resolved an issue where linking applications to managed system Smart Rules was not working as expected. Now you see the application listed on all managed systems of the Smart Rule.
• Resolved an issue with the PUT and POST Secrets Safe Secret APIs where trying to add a URL with more than 2048 characters returned the wrong error code. Now the request fails with an error that the URLs max length was exceeded.
• Resolved an issue in the PUT Secrets-Safe/Folders/{id} API where users were able to update the ParentID of Secrets Safe folders. This parameter is now ignored.
• Resolved an issue in the PUT Secrets-Safe/Secrets/{id}/file API where the URL field was not being properly updated. Now the URL is successfully updated when changed to a valid value.
• Resolved an issue were where RDP direct connect sessions always fail when the passwords start with the character used as the delimiter and multi-factor authentication is not enabled. Now the RDP direct connect session can successfully connect in this scenario.
• Resolved an issue where MSSQL password rotation fails in cloud environments. The password now successfully rotates.
• Resolved an issue where searching for a requestor's name in the Approvals tab failed to find results when the search included a space. Now the correct results are returned.
• Resolved an issue where testing the functional account fails with an unauthorized error when testing against SAP and vSphere Web API platforms. Now the test successfully completes.
• Resolved an issue where a managed system for MongoDB can't manually be created or edited if a database already exists using the same port.
• Resolved an issue with a naming inconsistency when displaying the SSH-DSS Key authentication type. All areas previously displaying DSS now correctly display SSH-DSS Key.
• Resolved an issue where users were able to update the name of a Secrets Safe folder to an already existing folder name using the public API.
• Resolved an issue with the HTTP error code being returned in the public API when a user attempts to create a duplicate Secrets Safe folder name. Now error 409, Folder already exists is returned.
• Resolved an issue where functional accounts always fail to update the first time they are edited. Now functional accounts update on the first attempt with valid settings.
• Resolved an issue where the public API incorrectly returned a success code when attempting to create a Secrets Safe folder with invalid parameters. The API now returns an error code.
• Resolved an issue where disabled user groups were visible to users in Secrets Safe.
• Resolved an issue where users who should only be able to access Secrets Safe were also able to navigate to an empty configuration menu. Now these users have no option to access the configuration menu.
• Resolved an issue in Secrets Safe where some symbols were shown as html code in the toast messages. Now the symbols are displayed correctly.
• Resolved an issue in Secrets Safe when navigating the menu with a keyboard, where the focus does not shift to the correct input after clicking to edit a secret. Now the focus shifts to the correct input automatically.
• Resolved an issue in Secrets Safe where a user would receive an incorrect HTTP error code when refreshing the page if that user was already logged into the console and had been deleted from the server. Now a 403 error code is returned.
• Resolved an issue where the Include Disabled Accounts Smart Rule criteria was not being honored for all database platforms. Now this criteria affects the results being returned.
• Resolved an issue in User Audits where the audit details were potentially confusing when changing the owner of a secret in Secrets Safe to or from an entire team. Now OwnersDisplay detail shows the ownership change details for both users and groups.
• Corrected a formatting issue when viewing the schedule for an access policy where there was an unnecessary gap between the All Day and schedule entries.
• Resolved an issue where inaccessible sections of the configuration screens were displayed to read-only users. Now these sections are hidden from view.
• Resolved an issue in User Audits which showed the owner being set to null when assigning ownership of a secret to the entire team.
• Resolved an issue in Secrets Safe with displaying the selected owners when managing ownership on multiple pages of users. Now when navigating between pages all selected owners remain checked.
• Resolved an issue where the audit log was not displaying the change when modifying an attribute in a secret's value from null. Now the audit log displays the original and new values.
• Resolved an issue where the account and system concurrency behavior was not being calculated correctly. Now the correct availability is calculated.
• Resolved an issue where users were unable to start cloud application sessions when a directory account is linked with a Cloud MS. Previously the user would receive an error that the TargetURL was not assigned. Now the session successfully opens.
• Resolved an error where the Direct Connect Connection String and Connection Command values do not include the host name value after a host name override has been removed. Now the host name value is added when the override is removed.
• Resolved an issue in the Password Safe Accounts grid where sorting columns did not work after applying a filter. Now the columns sort with a filter applied.
• Resolved an issue in the Linked Systems section of managed accounts when the Show filter is set to Linked and Filter by is set to Platform. Previously cloud platforms were not listed for selection.
• Resolved an issue in Quick Launch where users were unable to create a request for the maximum configured duration. Previously the calculation of end time was incorrectly calculating the max duration.
• Resolved an issue where a Mac managed account with temp lock applied gave a false positive when testing the account.
• Resolved an issue in Password Safe where starting a session from an existing request sent a preferred node when not expected. Now, when node selection is not enabled, a node is not included when creating a session from an existing request
• Resolved an issue with the Password Safe Enhanced Session Utility standalone installer where the scheduled task was unable to start the service after an installation was performed. Now the scheduled task is able to successfully start the service.
• Resolved an issue in the PSAutomate utility where the correct browse webdriver was not always successfully downloaded, which would prevent successful remote application launches.

Other

• Resolved an issue that prevented session timeout configuration change from working properly in Password Safe Cloud. Now session timeout updates take effect within 30 seconds and do not require any manual intervention from the user or administrator
• For BeyondInsight on-premises only, restored the Machine Name column to the System Event Viewer grid so it is now visible and can be filtered on. There is no change to the System Event Viewer grid when using BeyondInsight Cloud.
• Resolved an issue that was preventing the Hide All Maintenance Banners setting on the About page being retained. Now the toggle retains the user’s preferred setting. This ensures that the maintenance banner remains hidden if the administrator has set the toggle for it to do so.
• Resolved an issue where Azure AD API Authentication was not working if the user in question is also a member of a local group in BeyondInsight. Now, API logins succeed even if the Azure AD user is a member of a local group.
• Ensured that the deprecated, unused Event Server Windows Service has been removed in any new installation scenarios. Removing deprecated elements of the software improves engineering quality of life and reduces complexity.
• Resolved an issue in User Audits where an LDAP directory query edit might result in the audit record indicating that a platform changed, even if the platform did not change. This improves the integrity of the User Audits data.
• Resolved an issue that caused an error when the API GetUserAudits endpoint is called for all audits and all details, if an audit of type PMR Database Settings existed. Now, the presence of this particular type of audit record does not cause errors with this API call.
• Resolved an issue on the SAML Configuration page to ensure that the URLs are validated appropriately. Now URLs with uppercase letters, custom ports, and longer TLDs do not fail validation, so SAML configuration can be completed in more cases without having to obtain assistance from support.
• Resolved an issue where Azure AD API Authentication was not working if the user in question is also a member of a local group in BeyondInsight. Now, API logins succeed even if the Azure AD user is a member of a local group's shared folder found under All Secrets. If the user is enabled for Workforce Passwords, this is their Personal Folder.
• Resolved an issue in the Smart Rules editor for a managed account Smart Rule, where selecting the domain when using the action to Assign preferred Domain Controller on each Active Directory account might have caused an error to appear. Now this action does not cause an error.
• Improved performance of Azure Active Directory logins when the API user is a member of a large number of Azure Active Directory groups in BeyondInsight.
• Resolved an issue where the Configuration > Authentication Management > Authentication Options > Disable Forms Login for new directory accounts setting was not applying to new directory users if their account was created via forms login.

Known issues:

• Endpoint Privilege Management Policy Editor version 23.9 or earlier cannot open any policy that is 20 MB or larger. If a policy of this size is created (for example, by merging 2 large policies) in the Policy Editor, it can be saved in BeyondInsight 23.3, but not checked out for edit. If this occurs, it could cause delays in making edits to very large policies.
  • Workaround: Avoid creating policies that are of a size close to 20 MB, upgrade to Policy Editor 24.1 or newer (when available), or work with support to edit the policy XML outside of the editor if the policy has already been created and upgrading is not an option.
• When creating or editing a Password Safe Password Policy, it is not possible to change the First Character Value setting from the default value of Any Character Permitted.
  • Workaround: None, this will be addressed in a future release.
• When accessing a report subscription in an on-premises installation of BeyondInsight and Password Safe, the Download Reports menu item is non-functional. This option is for Password Safe Cloud only, and should not be visible in the user interface.
  • Workaround: None needed, this menu item is being removed in a future release.
• When viewing the details of a user in the User Management configuration screen, the Groups grid is incorrectly repeating the group name in the group Type column.
  • Workaround: To determine the group type, navigate to the User Management > Groups configuration screen.
• When attempting to use a remote application that is configured to not use RemoteApp Mode and the assigned functional account has administrative privileges on the RDS server, the application fails to launch.
  • Workaround: Enable RemoteApp Mode for the application.
• If a user has marked a domain linked account as a favorite in Password Safe and the domain account link is subsequently removed (but the managed account and target managed system still exist), then the favorite entry still remains in the users Favorites list but will be non-functional.
  • Workaround: Un-favorite the domain linked account. This is being addressed in a future release.
• When making a call to the GET UserGroups API, the GroupType field is incorrectly (since version 23.2) returned as an int value, when it was previously documented as a string. This is being addressed in a hotfix and included in a future release.
• If an Active Directory group has been granted the Secrets Safe feature and is subsequently renamed, the new group name is not reflected in the Secret Safe folder name.
  • Workaround: None - this does not affect access to the folder or its secrets, and the folder name display is being resolved in a future release.
• The Reviewed Sessions report in Analytics & Reporting may not correctly identify the Reviewed By and Reviewed Date for reviewed sessions. As a result, the Reviewed parameter, when set to Yes, may not return the Reviewed rows as expected.
  • Workaround: None, this is being fixed in a future version and may be available earlier in a hotfix.
• In some environments with a large amount of request data, attempting to view request details can take an excessive amount of time to load, or returns in an error causing the details not to be displayed. Improvements have been made in this release; however, further improvements are in progress and will be available as a hotfix.
• If a user attempts to use SAML Login for the Workforce Passwords extension, while already logged into the web interface using SAML, they cannot log into the extension.
  • Workaround: If using SAML, and needing to be logged into the extension and web interface at the same time on the same browser, log into the Workforce Passwords extension first and then log into the web interface.
• Creating a new secret via the API POST Secrets-Safe/Folders/{folderId:guid}/secrets returns an empty string in the FolderPath property of the response body. This is being addressed in a hotfix.

ℹ️

Note

Issues discovered after release can be found within our Customer Portal Knowledge Base.

Notes:

• Direct upgrades to 23.3 are supported from BeyondInsight version 22.1 or later releases.
• .NET hosting bundle updated from v6.0.21 -> 6.0.25
• .NET hosting bundle updated from v7.0.10 -> 7.0.14
• This release is available to download for BeyondTrust customers from https://beyondtrustcorp.service-now.com/csm using BeyondTrust BT Updater.
• The MD5 signature is: e701bcaa470a98c974f3bbb8a7b0b36d
• The SHA-1 signature is: 46efbf297bf9f84b5636f4e2a4150bf3d40eb813
• The SHA-256 signature is: ade9b8b642848fbe19adb10b37de35421f1347744793a91afcc6175bcb18ac21

December 5, 2023

New features and enhancements:

• This is a maintenance release. There are no new features or enhancements.

Issues resolved:

• None

Notes:

• Direct upgrades to 23.2.0.1748 are supported from all previous versions.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
• This release bundles version 23.2.0.1370 of the BeyondTrust Discovery Scanner. Corresponding release notes are available here: https://www.beyondtrust.com/docs/release-notes/beyondinsight-password-safe/index.htm.
• The MD5 signature is: F865DD9B53DCEC2497284FF121ED18A6
• The SHA-1 signature is: FFEE85DB274022ACFB61DBAF3615EE4E810288C7
• The SHA-256 signature is: 871F4B5FBE91142AE83EB7587CC50038BFA57AF35C37EB96F5945E96D2A294E1

November 28, 2023

Requirements:

• There is a product dependency on having the .NET 6 Hosting package installed.

New features and enhancements:

• Added support for SonicOS devices.
• Added support for F5/BigIP devices.
• Added support for Fortigate Virtual Document Object Models (VDOMs).
• Added an additional method for obtaining Fortigate admin users.
• Added logic to retrieve the BTExecService log files from the remote targets before shutting down the connection.
• Added a runtime option to use the BeyondInsight provided name for the asset name.
• Added a runtime option to return the NetBIOS domain name in the asset record.

Issues resolved:

• Resolved an issue with domain group recursion levels which increased the scan times.
• Added more timeouts to scan logic to reduce the possibility of a hanging scan.
• Added more abort checks to help speed up the abort detection and processing.
• Added logic to flush the SSH buffers when a command fails.

Known issues:

• The installation dialogs have string substitutions errors.

Notes:

• Direct upgrades to this version are supported from versions 20.1.0 and later releases.
• This release is available by download from the BeyondTrust Client Portal at https://www.beyondtrust.com/support/.
• The MD5 signature is: 14bb01b82ee5a3e7aeff342f7b71e066
• The SHA-1 signature is: de36e637b9d44b796f7eb566052326cfa625af85
• The SHA256 signature is: bfede01ab759fb52dbcb2a956bd6b83bfd350ffe476ec3e9d259719c20f8b376

November 9, 2023

Requirements:

• BeyondTrust ECM v1.6.0+

New features and enhancements:

• Added support for the retrieval of credentials for Web endpoints for External Jump Items list.
• Added support for the retrieval of directory accounts that are linked to cloud managed systems in Password Safe for Web Jump Items.

Issues resolved:

• Resolved an issue in which the plugin was attempting to process the same CredentialsUsed request multiple times at session end, which caused an unexpected value to return and stopped the ECM service.
• Resolved an issue in which the plugin was making duplicate authentication attempts to Password Safe for the same request and caused an authentication failure for credential injection.

Notes:

• Certified for GA
• Supports upgrades from any prior release

October 26, 2023

New features and enhancements:

• None

Issues resolved:

• Resolved an issue where management (Test and Change) of Microsoft SQL Server credentials - both Functional and Managed Accounts - was failing with an error.

Notes:

• Direct upgrades to 23.2.0.1744 are supported from all previous versions.
• BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Privileged Access Management Agents > Resource Zones and clicking Download Installer.
• This release bundles version 23.1.3.1310 of the BeyondTrust Discovery Scanner. Corresponding release notes are available here: https://www.beyondtrust.com/docs/release-notes/beyondinsight-password-safe/index.htm.
• The MD5 signature is: E316B1CDF69C03D1B542F632CC3DA731
• The SHA-1 signature is: 1C84C60E4DF05FD5C0C9F02650C9D56769BDB4BD
• The SHA-256 signature is: A3244D63179F74EDF6FB1AA46044E715E950145BB15202EFF9B72A16D79DB23B

October 17, 2023

Requirements

Requires BeyondTrust Password Safe version 23.2.0 or later release.

ℹ️

Note

For more information, please see at https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/supported-platforms/index.htm.

New features and enhancements:

This is a maintenance release. There are no new features to note.

Issues resolved:

• Resolved an issue where autofill of username and/or password was not working on various websites. Improvements were made to determine the appropriate fields for autofill for these sites. Now autofill works as expected.
• Resolved an issue where if a user had thousands of secrets, the icons for autofill took some time to appear on the website where they were required. Changes were made to improve the performance of initial extension load to show the icons in a more timely manner, regardless of the number of secrets. Now there is no delay in showing the icons even if the user has a large number of secrets.
• Resolved an issue where there was not a 1:1 relationship of secret retrieval to user audits. Changes were made to improve auditing of credential data retrieval, and now there is a 1:1 relationship of secret retrieval to user audits.
• Resolved an issue where users searching within a large number of secrets could take some time, but the user did not see any indication in the user interface that a search was taking place. Visual representation was added to the search action taking place so that now the user has feedback about it.
• Resolved an issue where search input was causing problems in the user interface while credential synchronization was occurring. Previously, the search input remained populated after a credential sync, even though no search was taking place at that time. The search input is now cleared after synchronizing credentials to more accurately reflect the current status of the user’s searching activity.
• Resolved an issue where session expiration sometimes happened unexpectedly when the user interacted with the extension popup. Improved management of the session lifespan so that now the session is routinely validated and quietly ended when appropriate.
• Minor user interface updates were made as follows:
  • Improved placement of inline menu trigger in form elements, which resolved multiple issues where the B icon could appear in the wrong place.
  • Ensured inline menu always appears over the top of page contents when opened. This resolved issues where form elements appeared inside containers whose overflow properties prevented the inline menu from being seen/used.
  • Updated the user experience and formatting of the browser extension options user interface to more closely resemble the Password Safe options user interface.

Known issues:

There are no known issues in this release.

ℹ️

Note

Issues discovered after release can be found within our product Knowledge Base.

Notes:

• Workforce Passwords is an add-on product which leverages the power of BeyondTrust Password Safe 23.2 or later release.
• This release is available in the Chrome Web Store and the (https://microsoftedge.microsoft.com/addons/Microsoft-Edge-Extensions-Home).

October 12, 2023

New features and enhancements:

• Redesigned the Appliance Software User Interface, including upgraded controls and Shell features, to improve usability.
• Upgraded Angular versions to 15 for the Deployment & Configuration Wizard, Web Console, and SCL.
• Added a dark mode option in the Appliance Software User Interface user preferences.
• Improved functionality for Notifications in the Appliance Software User Interface:
  • Top 10 notifications more visible in the UI with more details provided
  • Added a link to view all notifications in Notifications grid where you can manage notifications and view more details about each notification.
• Replaced the Roles Editor page with the Appliance Feature Configuration page to better reflect the functionality it provides, which is the ability to modify the features and services running on your BeyondTrust U-Series Appliance. Also, updated the design of the functionality to improve usability as follows:
  • Replaced the tile design for each role with a toggle switch for each feature.
  • Each feature contains an expandable panel that allows the same settings customization that was available in the previous Roles Editor, with dependency checking built-in, and the ability to compare your pending changes against the current configuration.
• Replaced the Diagnostics application with a Performance Counters Dashboard that is now the Home page for the Appliance Software User Interface and added the following functionality:
  • Updated performance meters and a new performance over time graph, which allows you to switch from CPU to the other built-in performance counters.
  • Added the ability to view historical data and export it to CSV format.
  • Added a graphical slider to represent the performance counter thresholds, including the optional counters.
• Added a new Service Status page where you can:
  • Enable and disable alerts for status changes in services.
  • View the status of services.
  • Stop, start, and restart services.
• Added the ability to create a remote BeyondInsight database when configuring the BeyondInsight Database Access feature.
• Added new scheduling options, new logs, and granular control over which logs get exported on Log File Export page.
• Added new appliance health events to track both successful and failed logon attempts, as well as appliance reboots.
• Improvements made to the BeyondInsight for Unix & Linux feature configuration to make it more stable.
• Relocated the configuration settings for RDP and Console Access, IP, and BITS from the deprecated Maintenance application to the new Network page.
• Relocated the Ping Command and Network Configuration features from the deprecated Diagnostics application to the new Network page.
• Relocated the Backup and Restore settings from the deprecated Maintenance application to the new Business Continuity page and added granular visibility and control over backup contents.
• Relocated the Cold Spare setup from the deprecated Roles Editor to the new Business Continuity page.
• Relocated the ability to schedule an appliance reboot from the deprecated Maintenance application to the new Business Continuity page, under Power Options.
• Relocated the configuration of High Availability from the deprecated Roles Editor to the new Business Continuity page.
• Implemented a new wizard-like design for configuring High Availability, improving the user experience.
• Relocated the following features from the deprecated Maintenance application to the new Security and Compliance page: Administrator Credentials, Certificate Management, Security Protocols, Client Connections, Local Computer Policy, Pre-Login Banner, Data Encryption Key, and LCD Panel.
• Improved appliance hardening:
  • Added security event logs for exporting and downloading.
  • Added 15 character minimum password length.
• Relocated license validation features to implement banner warnings indicating which licenses are expired.
• Updated the Deployment & Configuration Wizard to reflect new appliance application terminology.
• Enforced custom password complexity rules set within BeyondInsight when changing the BeyondInsight Admin password.
• Proxy settings and database upgrades depend upon BeyondInsight version 23.2.
• Updated the Installer by removing outdated code and checks and support for Windows 2012.

Feature Mapping

Many features were relocated and renamed in the Appliance Software User Interface. The below table provides a mapping between the features in the 4.0 release and the new features in the 4.1 release.

Issues resolved:

• Resolved an issue where after an API key exchange, the appliance could not communicate.
• Resolved an issue where duplicate schedule records were created in conjunction with Cold Spare.
• Resolved an issue where disabling the option to allow incoming remote database connections for the SQL Server database was not taking affect.
• Resolved several Backup and Restore bugs.
• Resolved an issue where the Deployment & Configuration Wizard was forcing a re-run of the wizard when it timed out on the Completion page.
• Resolved an issue where restarting the BT Appliance System Info Service was causing dependent services to stop.
• Resolved an issue where testing email settings in an air-gapped environment was generating 500 Unexpected Internal error has occurred.
• Resolved an issue where applying roles was timing out when disabling multiple roles at once.

Known issues:

• Receive error when trying to change the timezone on a hardware image.
• Grid title bar in right corner on the Security Updates page doesn't hide the titles when scrolling the grid title.
• On the Appliance API Keys page, when the cursor is pointed at the center of the X button, the name of the button is not displayed, and it is not possible to delete the registration code.
• On the Backup and Restore page, the text above the Password box is too small. It is 10 pixels as opposed to the required 12 pixels.
• When resuming an incomplete deployment wizard, the machine name is populated but must be altered before proceeding.
• When an admin account is disabled, and you attempt to create the admin user in the deployment wizard, an error message is not returned to indicate the account is disabled.
• On the Appliance API Keys and Diagnostic Tools pages, the padding between the banner and white card is off for the Microsoft banner.

Notes:

• The installation of version 4.1 is dependent on BeyondInsight 23.2.
• This update is available through BT Updater or as a manual installer from the download tool.
• .NET Core 3.1.22 or later is required (available through BT Updater via Supporting Software SUPI subscription).
• .NET 6.0.13 or later is required (available through BT Updater via Supporting Software SUPI subscription).
• SUPI 3.2 is required (available through BT Updater).
• RADIUS Support within the Appliance Software (not BeyondInsight) has been removed. Users desiring RADIUS authentication to the Appliance application can enable single-signon for BeyondInsight user accounts.
• Medium Availability (a High Availability feature) has been removed. After upgrade to the 4.1 release, users with this configured automatically fail over without waiting for approval.