8 months ago

Security Update Package Installer 3.2.5 release notes

September 26, 2024

New features

Dependency management

Dependency management provides visibility into the underlying frameworks that support's a product suite. The frameworks are updated by the Security Update Package Installer (SUPI) as part of the monthly Supporting Software update, which automatically:

removes unnecessary .NET frameworks, freeing up resources and reducing potential security risks.
processes new additions and upgrades.
processes removals without dependent products.

ℹ️
Note
For removals with dependencies, guidance is provided directly within the product(s) that must be updated to allow for the safe removal of the dependency. You can run the removal again after you upgrade the dependent product(s).

Enhancements

SUPI service upgrade

We've upgraded the SUPI service from .NET 6 to .NET 8.

Known Issues:

If a 4.0/SUPI 3.2 box has multiple updates that include "cumulative" subscriptions, the packages that would be skipped are incorrectly included in the Estimated Time Required. This can significantly overstate the estimate.

Notes:

Upgrade to .NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription).

8 months ago

U-Series Appliance 4.3.0 Release Notes

September 26, 2024

Requirements

.NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
SUPI 3.2 (available through BT Updater)
BeyondInsight 24.1

New features

Dependency management provides visibility into the underlying frameworks that supports BeyondTrust’s product suite. The frameworks are updated by the Security Update Package Installer (SUPI) as part of the monthly Supporting Software update, which automatically:

removes unnecessary .NET frameworks, freeing up resources and reducing potential security risks.
processes new additions and upgrades.
processes removals without dependent products.

ℹ️
Note
For more information, see Manage product dependencies.

Enhancements

OAuth authentication is available as an authentication method when configuring the Discovery Agent on the Features page.

Set the event service (local or remote) and the authentication method.

New appliance on version 4.3: The only authentication method is OAuth Authentication.
Appliance on an earlier version: The authentication method is Certificate + User Authentication. If you are working on BeyondInsight 24.1 and database version 24.2.0.150 or later, then you can select OAuth Authentication.
Appliance upgraded from an earlier version to 4.3: Displays both authentication types.

ℹ️
Note
For more information, see Configure U-Series Appliance features

Issues resolved

Product Area	Description	Resolution
Appliance Features page	Cannot change the port to a number greater than 9999 for the BeyondInsight for Unix & Linux database.	Updated the maximum port number to 49151.
Client connections	Removing HHRS entries from the appliance UI does not remove the configuration from IIS.	When removing HHRS entries in the appliance removes the entry from IIS.
High availability	On the High Availability page, the database size is reporting 10 places after the decimal.	The database size show the value in a unit that is proportional to the size. (e.g. MB, KB, GB, etc.)
Upgrades	Appliance Management Update from 4.1 to Version 4.2 fails on Hyper-V.	Upgrades are successful from 4.2. to 4.3 on a Hyper-V environment.
Licensing	The Expiry Date field is blank on the License page is blank when the BIPS license expires.	The Expiry Date field displays the date when the license expired.
Email settings	On the Email page, an error displays when a valid port number greater than 2056 is enter.	Valid port numbers are confirmed and added successfully.
SQL free appliance	The SQL Server Database Password page fails to load in SQL free appliances.	Credentials aren't required on a SQL free appliance. The prompt is removed.
SQL free appliance	When configuring database access on the Appliance Feature Configuration page, an unclear error notification displays when the server name is wrong.	A readable error notification displays when there are configuration errors.
Backup configuration	The 15-character password requirement is not enforced when adding a password on the Backup page.	The 15-character limit is enforced on the Backups page.
SQL free appliance	BeyondTrust Instance unique ID does not get regenerated during Configuration wizard.
SQL free appliance	The Configure Performance Counter Thresholds page displays incorrect values on the usage sliders.	The usage counters display correct values.
High availability	Unnecessary text on High Availability configuration page. Text exists to describe a functionality in area on page that doesn’t apply.	The text is removed.
Installed Software page	Error occurs when selecting a product name listed on the Software and Licensing > Installed Software page.	Errors no longer occur when selecting a product in the list.
SQL Server	The SQL Server service (MSSQLSERVER) doesn't restart from Service Status page.	All SQL Server services restart correctly: SQL Server agent, SQL Server Launchpad, and SQL Server service.
Backup and Restore	Adding a backup location with an invalid path returns an error that one or more fields are invalid but does not indicate the invalid field.	A message displays with more accurate information on the error.
Backup and Restore	Editing an existing backup location can delete all backup files in the old location without warning.	The existing folder with existing backup files is deleted and created new folder with the same title.
Backup and Restore	A change to the backup location was not refreshing after editing the location a second time.	The changes to a backup location refresh after every change.
Network, IP Settings	Changing to DHCP network setting returns an error message that provides no information.	A warning message indicates it is not possible to redirect to the new IP address.
HA - Scheduler Service	On a passive node in a high availability pair (version 4.1), the Schedule Service was in a state of running but the status alert stated "Expected to be Stopped as a High Availability service".

Known issues

Product Area	Description	Workaround
SECURITY UPDATES - check mark icons showing under each step of a SUPI package	Blue arrow icons are appearing in step details of SUPI packages.	No workaround
HHRS - 404 page presented after updating HOST HEADERS	When you enter and save a value into Host Headers, you are taken to a 404 page.	No workaround
Appliance: Discovery Agent displays a notification error during switching it ON although the changes are saved successfully	In certain cases, Discovery Agent shows the following incorrect error message when switching it to ON: Failed to save all or some feature configuration. Please see details: Phoenix: Error execution some configuration commands: Command returned Error	Error 403: Forbidden.	No workaround
User is not notified if subscribing to hardware alerts fails	Appliance Service uses an eEyealert.exe to subscribe and listen for events from the hardware. There was an instance where this .exe was missing, and no errors or messages displayed to alert the user.
EPM - HA - when secondary is promoted to Primary, PMR reports will not work because configuration has primary's IP address	This issue only applies to a HA node set up as the PMR Database host, in a multi-node EPM deployment (i.e. has nodes other than the secondary attempting to access the database). A multi-node deployment typically uses the IP/machine name of the database host in the shared EPM config file, and this pointer will continue to point at the failed primary, causing the problem.	If the EPM solution is only made up of the HA pair itself, the config should be pointing to localhost, and will work with HA.
Appliance: Is not possible to create new local location with requires authentication option	When you create a new location with option Credentialed=Yes, the new location is actually created with option Credentialed=No.	After creating the new location, click Edit. Click the Backup Location requires authentication option again. Click Save, and Credentialed=Yes saves as expected.
Appliance: BT EPM Event Collector Service is missing in the log file if there are no files.	If there are no log files, on the Export Logs and Appliance Logs pages, in the Log File Export options section, the BeyondTrust EPM Event Collector Service option may be missing.	No workaround
EPM/PMR - HA - HA requires that the source EPM accounts match on each appliance, so how will we handle this since accounts require manual intervention to rename	Pre-existing accounts cannot be automatically paired because the EPM accounts don’t match.	You must manually create the EPM/PMR SQL Users in the database on the Secondary node.
LastPass can interfere with Config / Deployment Wizard	In v4.0 and 4.1, both Standard and SQL Free can be affected. When you run the Config and Deploy Wizard on an appliance with the LastPass extension installed, the Next button on the Configure Backups Page is broken.	Disable or log out of LastPass, OR configure the appliance in incognito mode in the browser so that the browser extensions are not interfering with the wizard.
Appliance - The beyondtrust_user is locked out after changing the Auth SQL Server password	The beyondtrust_user is locked out after changing the Auth SQL Server password.	No workaround
Appliance Self-signed certificate does not have subject alternate name (which does not support HSTS)	For Chrome 58 and later, only the subjectAlternativeName extension (not commonName), is used to match the domain name and site certificate. This will cause various validation problems.	Disable the check in Chrome.

Notes

Security Management Appliance Installer 4.3 is dependent on BeyondInsight 24.1.
Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.
This update is available through BT Updater or as a manual installer from the download tool.

9 months ago

BeyondInsight and Password Safe 24.2.1

September 9, 2024

New features and enhancements

This is a maintenance release. There are no new features or enhancements with this release.

Product Area	Description	Resolution
Smart Rules	Managed account Smart Rules that contain a Link domain accounts to Managed Systems action that target an Asset-type Smart Group fails processing, and the logs displays a Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements error.	Managed account Smart Rules that contain a Link domain accounts to Managed Systems action that target an Asset-type Smart group are now processed without errors.

Known issues

Product Area	Description	Resolution
Analytics and Reporting interface	Using Firefox, clicking the browser back button while viewing a report causes the Analytics and Reporting interface to become unresponsive.	Clicking the browser back button again takes the user to the parameter entry view, and the UI becomes responsive again. Using the back button within the report viewer will allow for proper navigation.
Analytics and Reporting interface	Using Chrome, clicking the browser back button while viewing a sub-report takes the user back to the list of reports.	Use the back button within the report viewer for proper navigation. You may need to re-run the report if you’ve returned to the report list.
Analytics and Reporting interface	For on-premises only, if Analytics and Reporting is configured prior to SMTP settings being configured in the Report Server, the Send subscription by email option is not available.	Either configure SMTP settings prior to configuring Analytics and Reporting, or restart the SSRS service after configuring SMTP settings.
Analytics and Reporting interface	For on-premises only, when creating a report subscription with email delivery in Analytics and Reporting, if more than 2,000 characters are entered into the To field, the subscription wizard becomes unresponsive.	Ensure that the email addresses used in the To field are a total length less than 2,000 characters.
Purging Options: Database Index Maintenance page of the BeyondInsight Console	The Database Index Maintenance job does not run in an environment configured with a low privilege SQL user.	Configure the database connection to use a privileged account.
BeyondInsight Console	If a user allows their BeyondInsightsession to time out, their theme selection reverts to BeyondTrust brand colors. This becomes apparent if they had their preference set to dark mode colors. Signing out does not have this effect.	Avoid letting the session time out, or update your preferences after logging in.
Web Policy Editor	When upgrading to Web Policy Editor 24.5.372 from an older version using BT Updater, the setup may fail with an error that indicates the wpe.log file is in use.	Stop the Web Policy Editor Service prior to upgrading, complete the upgrade to WPE 24.5.372, and then restart the service. WPE 24.5.372 contains a fix that ensures any subsequent updates (to future WPE versions) will not require the manual service state changes.
Secrets Safe	There is an unintended difference in behavior when attempting to delete a non-empty subfolder of Personal secrets if the user is an administrator or non-admin; an admin can delete the subfolder and its secrets, but a non-admin cannot delete the subfolder without first deleting the secrets.	A non-admin must first delete the secrets within the subfolder, then delete the subfolder.
Password Safe	vSphere Managed Account password changes may occasionally fail with a passwords do not match error.	Initiate another password change.
Password Safe Propagation Actions	When performing propagation actions for a domain account (i.e., domain\svc_acc1), and a local account with the same name (i.e., svc_acc1) is found on the system in the same propagation target, the local account propagation may also be incorrectly updated.	Use accounts with different names for domain vs. local.
Password Safe Application Sessions	Launching remote applications with ps_automate fails with Chrome/Edge v128.	Use Chrome/Edge v127, or use Firefox, or a hotfix is available.
BeyondInsight Console - Activation Keys for Discovery Agent Installer Type	PowerShell cannot be used to configure OAuth for BeyondTrust Discovery Scanner Central Policy or Events.	Command prompt should be used for this.

ℹ️
Note
Issues discovered after release can be found within our Customer Portal.

Notes

Direct upgrades to 24.2.1 are supported from BeyondInsight versions 22.2.3 or greater.
BeyondInsight 24.2.1 supports SQL Server 2016 SP2 or greater.
This release is available by download for BeyondTrust customers at (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
The MD5 signature is: f52eda445beb6055296c47ece4eff7ad
The SHA-256 signature is: bdf2b35773f636d8d742a78627090d095f5960cfc681e11c6c444427d109e553

Deprecation notice

Team Passwords public API endpoints have been deprecated and are no longer present in the 24.2.1 release. You must update scripts to use the corresponding Secrets Safe API endpoints instead.

BeyondInsight 24.2.1 still supports the following features, however these are planned to be removed in the next release:

Analytics & Reporting > Clarity: Clarity and related reports and configuration.
About > BeyondInsightAnalysis

The Password Safe platforms Cloud - Azure and Cloud - Office 365 will be removed in the 24.3 release. Customers should transition to using the Microsoft Entra ID platform, which offers additional functionality.

9 months ago

Password Safe Resource Kit 24.2 Release Notes

Resource Kit 24.2 Release Notes

September 3, 2024

Requirements

Requires BeyondTrust Password Safe version 24.2.0 or later release.

New features and enhancements

Updates:

Updated Python API sample (v5.10.2)
Updated Platform SDK to support Password Safe 24.2

Checksums:

Enhanced Session Utility
- pbpsmon-24.2.40.msi
  - SHA256: 25bc19e5e8b0738d815137f4569485bb40ef47143d0e7f3de54f19215e48d0f8
- pbpsmon-24.2.40.exe
  - SHA256: 78585c7ff28fe1f632c50a334329b7692090892b715760cdd094c8ef7f0fdfa4
Secrets Cache
- beyondtrust-secrets-cache-24.2.40-x64.exe
  - SHA256: 1a0add093fb702b569db06b315ee6039063b29492a7b8e80ff061c37e1ea6da1
- beyondtrust-secrets-cache-24.2.40-1.el9.x86_64.rpm
  - SHA256: d9d99a7c19519a6601170682960f1696835003534f919535c0ec8665e47e69cb
- beyondtrust-secrets-cache-24.2.40-1.el8.x86_64.rpm
  - SHA256: 63db163d9567eaf8e5057c7e76b3a512e1ec653fc0de9a4d77ff0cb5a007432d

Notes

The SHA-256 signature is: a2f9f8b1a2cb1a74650a37f06457b6524d003a9e58df93d27280ea38a867899d
This release is available to download for BeyondTrust customers at https://beyondtrustsecurity.force.com/customer/login.

9 months ago

Password Safe Cloud Resource Broker 24.1.1.1843 Release Notes

Password Safe Cloud Resource Broker 24.2.0.1869 release notes

September 3, 2024

Requirements

We recommend a restart after this update.

New features and enhancements

This release bundles version 24.2.0.1501 of the BeyondTrust Discovery Agent. Corresponding release notes are available on the BeyondInsight and Password Safe Release Notes page.
.NET hosting bundle v8.0.8 is included.

Issues resolved

None

Notes

Direct upgrades to 24.2.0.1869 are supported from all previous versions.
BeyondTrust customers can download this release from their Password Safe Cloud portal by navigating to Configuration > Resource Zones and clicking Download Installer.
The MD5 signature is: C1211ABDB9037A56E5566462D2719743
The SHA-1 signature is: 0CE31E6A98AA913E5EF51038D72CA2DF2B899F8E
The SHA-256 signature is: 702D24B19A9769D610BED08F529528930CFE3E39282D20E29A1C2C72CCF53B48

9 months ago

BeyondTrust Discovery Agent 24.2.0.1501 release notes

September 3, 2024

Requirements:

There is a product dependency on having the .NET 8 Hosting package installed.
OAuth authorization is dependent on having BI version 24.2.0.
A reboot of the system may be required.

New features and enhancements:

Enumerate domain users with access to a Linux target via the sssd.conf. Support for simple configuration only.
Enhanced secondary authentication prompt response to support prompts found during authentication, as opposed to after primary SSH authentication.
Added support for the use of OAuth authorization for connectivity with the Event Collector Service.
Added support for the use of OAuth authorization for connectivity to the Central Policy Service.
Added support to configure the use of certificate based authorization for connectivity to the Central Policy Service.
Improved the validation of command line options for configuration of Central Policy Service and Event Collector Service.

Issues resolved:

Resolved a scenario where a scan fails to complete when connecting to the target's registry. Changed the default value for the remote registry connect timeout to 60 seconds.
Handled additional error codes for group member enumeration. This prevented the command from being endlessly retried even after the scan completed.
Resolved an asynchronous task issue where impersonation might not be active for group member enumeration, resulting in domain users not being found.
Resolved handling of CR/LFs in the target prompt for SSH targets.
Resolved an issue when sending a CTRL-C when a command times out for Fortinet devices. This caused commands which succeeded to be seen as errors when no output was expected.
Resolved an issue that could cause a hung scan during the SSH secondary prompt handling.

Known issues:

PowerShell doesn't properly send the command line options for btdiscovery.cmd to the program. This command must be run in a standard windows command shell.

Notes:

The migration from an existing Retina configuration is deprecated and will be removed in a future release.
SSH Session encryption using the SHA1 cipher is deprecated. Use SHA256 or higher.
Direct upgrades to this version are supported from versions 20.1.0 and later releases.
This release is available by download from the BeyondTrust Client Portal at https://www.beyondtrust.com/support/.
The MD5 signature is: f096fba349c048935bd3580c3b4b59ec
The SHA-1 signature is: bc92a956ad9689b35c0c336e76de87e9fe34092e
The SHA256 (exe) signature is: f5a763095562c3191540df8741007601668abe8fa84f55755814d31ab3eb5685
The SHA256 (msi) signature is: f5ab0c22f088dbe01d98c709f311238e32aa326c7f268e73d27716059a329d13

9 months ago

BeyondInsight and Password Safe 24.2.0

September 3, 2024

ℹ️
Note
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.

New features

Increased security with Passwordless FIDO2 Authentication

Password Safe now supports Passwordless FIDO2 authentication, which allows local BeyondInsight users to authenticate more securely using a security key or a biometric method, such as a fingerprint or face recognition.

Enable the Passwordless FIDO2 Authentication option from the Configuration > Authentication Management > Authentication Options page in BeyondInsight.

Once enabled for your instance, users can then configure FIDO2-certified authenticators for their account. Administrators can also see/remove any authenticators that a user may have configured.

Automatically synchronize Microsoft Entra ID groups on a scheduled basis

Microsoft Entra ID group membership no longer requires manual synchronization for individual groups. Users can now enable global group synchronization and schedule it to occur automatically on a daily, weekly, or monthly basis.

Enable and schedule group synchronization from the Configuration > Role Based Access > Microsoft Entra ID Group Synchronization page.

Automate the onboarding of AWS Credentials

Administrators can now create a Smart Rule to discover and onboard AWS IAM users into Password Safe for credential management, without the need to perform a discovery scan.

Create a Managed Account Smart Rule with the new Amazon IAM Query condition for the selected the Amazon Cloud Managed System, set to re-run every X hours, and assign the Manage Account Settings action.

Synchronize K8s secrets and Password Safe secrets

The Kubernetes External Secrets Operator (ESO) now includes a Password Safe extension to retrieve secrets managed by Password Safe and synchronize them into K8s secrets. This ensures applications can continue to leverage K8s secrets without changing their applications or workflows.

New reports

Custom Attributes: A new report that lists assets and their custom attributes was added to the Assets folder for both on-premises and cloud.

Database User List: The Database User List is now available in the Account folder in Password Safe Cloud. It was previously only available in on-premises installs.

Administrator user group permissions

Users are now prevented from editing access levels and permissions on the administrators user group for the following:

POST UserGroups/{id}/Permissions/
DELETE UserGroups/{id}/Permissions/
POST UserGroups/{gid}/SmartRules/{sid}/AccessLevels/

This returns 400 Bad Request for Administrators user group (UserGroupID=1).

Enhancements

Increased security for SAML authentication

Password Safe now has a Force Re-authentication option when configuring a SAML identity provider in BeyondInsight. Enabling this option requires users to re-authenticate with the identity provider for each BeyondInsight session, even if they already have a valid session.

Enable the Force Re-authentication option for the identity provider from the Configuration > Authentication Management > SAML Configuration page.

Increased security for Discovery Agents

Discovery Agents can now be configured to use OAuth authentication for communications with BeyondInsight by leveraging the existing Installer Activation Keys feature.

Configure a key from the Configuration > Authentication Management > Installer Activation Keys page for use when setting up Discovery Agents with OAuth authentication.

Improved UI accessibility

Accessibility improvements made in many areas of the BeyondInsight and Password Safe UI:

Improved page responsiveness based on screen resolution
Appropriate screen reader cues added to input fields, drop-downs, and grids:
- Input fields can now indicate their invalid state or error messages to screen readers via ARIA tags.
- Searchable input fields and drop-downs now announce the number of results available and announce every time the number of results change.
- Areas in grids that have the focus are now announced.
Improved Session Replay Viewer progress bar to support keyboard interactions and added ARIA properties.

Report updates

Run reports for exact dates and date ranges

On-premises users can now quickly determine what actions were performed during specific time periods by running reports for exact dates and ranges.

More auditing information in the Password Release Activity report

The Password Release Activity report now includes the reason for the password release. The reason, ticket number, ticket system, and approver are now included when SIEM events are forwarded.

GET Users API now supports inactive users

The Password Safe GET Users API now has the ability to return users that are flagged as inactive. Releases prior to 24.2.0 only supported returning active users.

Encrypt secrets with an external hardware security module (HSM)

Password Safe now supports encryption of the Secrets Safe vault using an external HSM configuration. This builds on existing support for HSM encryption of the Password Safe vault and system credentials.

Remove dependency on IUser_REM account

The on-premises BeyondTrust Discovery Agent can now be configured to communicate via certificate or OAuth authentication, as is done in Password Safe Cloud. If set up this way, the BeyondTrust Discovery Agent does not require the account, and it can be removed.

Password complexity, use and lifetime restrictions

New Enforce Minimum Characters To Change option for policies

When creating or editing a local password policy, you can enable the Enforce Minimum Characters To Change option and configure it with a specific number of characters. This ensures your users change at least the configured number of characters in their old password for it to be accepted as their new password.

📘
Character limits for the Enforce Minimum Characters To Change option:

Minimum: 8

Maximum: 255

New default minimum lengths for password policies

We've changed the local user default password policy minimum length from 14 characters to 16 characters. Upon upgrade, this change takes effect only when the policy is edited.

Last login information message to users

Password Safe now displays the user's last login in the Profile and Preferences box.

Customizable SQL Server Port

The SQL Server Port is now customizable on various configuration pages.

Better insights with X-Forwarded-For IP

The X-Forwarded-For header ensures the source client IP address is included in User Audit details for both API and web console interactions.

Removed deprecated TeamPasswords PAPI endpoints

Legacy TeamPasswords public API endpoints have been removed:

POST TeamPasswords/Folders
GET TeamPasswords/Folders
PUT TeamPasswords/Folders/{folderId}
DELETE TeamPasswords/Folders/{folderId}
GET TeamPasswords/Folders/{folderId}
POST TeamPasswords/Folders/{folderId}/Credentials
PUT TeamPasswords/Credentials/{id}
GET TeamPasswords/Credentials/
DELETE TeamPasswords/Credentials/{id}
GET TeamPasswords/Credentials/{id}
GET TeamPasswords/Folders/{folderId}/Credentials

Terminate and cancel session option in Active Sessions

Password Safe Portal users with appropriate permissions can terminate an active or locked session and cancel the related request.

Support storing SSH host keys in PEM files

You can now store the ssh-dss, ssh-rsa, ssh-ed25519 and ecdsa-sha2-nistp256/384/521 host keys in PEM files identified by registry values. This can be useful to ensure that a cluster of nodes behind a load balancer all share the same SSH host keys.

.NET 8 runtime version

BeyondInsight and Password Safe Cloud's resource broker is now deployed with the .NET 8.0.8 hosting bundle.

Dedicated Account Smart Rule improvements

Dedicated Account Smart Rules now allow:

Actions
- Set attributes on each account
Filters
- Managed System Smart Group (new filter)
- Assigned Attributes
- Platforms

Quickly see "Disabled at Rest" status

A new column has been added to show if Managed Accounts are enabled for the Disabled at Rest mode.

Refreshed UI and improved UX

In the Analytics and Reporting > Report Subscription wizard and the Configuration > Analytics and Reporting > Configuration wizard, the user interface and user experience have been reviewed for consistency and correct layout.

Filter approvals by Request ID

The Approvals grid can now be filtered using the Request ID column.

Easier selection of Password Safe node, directory, and resolution filters

Filters are now multi-selectable drop-downs and are pre-populated with all available nodes, a number of standard RDP resolutions, and available directories.

View authentication status at a glance

Administrators can now use the Agents grid to see which Endpoint Privilege Management endpoint agents are using OAuth and which are still using certificate-based authentication.

Issues resolved

Product Area	Description	Resolution
Secrets Safe page of the BeyondInsight Console	Screen readers would show some unexpected behavior.	Resolved some accessibility issues involving screen readers.
Secrets Safe page of the BeyondInsight Console	When creating a new folder, focus was lost from the Secrets Safe page when the user clicked Create folder or Discard.	Focus now returns to the appropriate button when a folder is created or discarded.
Internal Smart Rules processing logic	A database stored procedure that affects bulk attribute updates was causing deadlocks.	The stored procedure was updated to avoid deadlocks.
Custom Platforms page of the BeyondInsight Console	When checking the password of a custom platform, the first step of elevationcommand was sometimes causing the attempt to time out.	The first step has been changed to a LANG=en_US; whoami response for the AIX, HP-UX, Linux, Mac and Solaris custom platforms
Submit request tab	If the max concurrent request for a managed account was set to 1, users could still request and retrieve the account’s password, even if another request was still valid and displayed as unavailable.	A message now states that the max concurrent requests has been reached.
Workforce Passwords Browser Extension	When a website has two or more credentials saved, the username and password had to be populated individually.	When a credential is selected, both the username and password populate together.
User Audits page of the BeyondInsight Console	In the Audits grid, a failed Direct Connect login attempt was not showing the username.	The Audits grid now shows the username that attempted to log in.
Connectors page of the BeyondInsight Console	When running a scan for Google Cloud, Middle East regions were not listed and could not be queried for scan targets.	All regions are now available.
Managed Accounts page of the BeyondInsight Console	Editing a managed account without changing the next scheduled change date was saving an incorrect date to the database.	Dates are now being saved correctly.
BeyondInsight API	Entra ID users who were members of more than 100 groups could not log in via the API.	Users are now able to log in and their groups are enumerated successfully.
User Management page in the BeyondInsight Console	When editing an Active Directory user, credentials were a required field and would display an error if not filled out. Selecting a credential would allow the user to save, but opening the field again showed that the value was not saved.	The credential field is no longer treated as a required field for the editing of a user. User details now save correctly.
Secrets Safe page of the BeyondInsight Console	When assigning ownership to a group or members of a group, the user could navigate away from the page without a Save/Discard prompt and lose changes.	The user is now prompted to continue editing or discard changes when navigating away.
Secrets Safe page of the BeyondInsight Console	A secret could be saved without any owners.	If a user attempts to save a secret without an owner, an error appears and the secret cannot be saved until an owner is assigned.
Workforce Passwords	Workforce Passwords was failing to import passwords from a CSV if the password contained a comma. Additionally, if an exported password contained a quote, Workforce Passwords would import the password with the escape characters that LastPass added to the CSV.	Passwords are now imported correctly.
BeyondInsight API	A SCIM PATCH request could not handle a path with a sub attribute after the filter, returning a 500 error.	The attribute is now correctly changed on the given object.
Users page of the BeyondInsight Console, extension login	Error messages for attempted login without access were always in English, even if the user was using a different language.	The error message is now translated.
Managed Accounts page of the BeyondInsight Console	After editing a synced managed account, the description became NULL.	The description is now retained when a synced managed account is edited.
Secrets Safe page of the BeyondInsight Console	Users who owned all secrets within a folder received an incorrect error message: “The folder cannot be deleted. You do not own all the secrets" when attempting to delete a folder.	Users now receive an accurate error message indicating that all secrets need to be deleted before the folder can be deleted.
Internal group synchronization logic	Syncing an AD Group after removing a user also removed that user from all their groups, not just the group being synced.	The user will now only be removed from the currently syncing AD Group during synchronization.
Smart Rules page of the BeyondInsight Console	There is an option to clear existing mappings when creating a Smart Rule to apply propagation mappings via an action. If users switched mapping from Smart Rule to scan data or vice versa, the previous mappings were not cleared correctly. This resulted in mappings for both scan data and discovery on a Smart Rule.	When the clear option is enabled, all previous mappings are now cleared.
Internal logic	When checking if a hostname had a valid DNS entry, the comparison was case-sensitive. Also, there was no debug logging on a failed DNS lookup.	DNS comparison is now case-insensitive, and debug logging has been added to improve troubleshooting.
Workforce Passwords Browser Extension	When the URL field on a Secrets Safe secret has a trailing space, the Workforce Passwords Browser Extension displayed an error when that Secret was used.	Trailing spaces in URLs on Secrets no longer cause errors with Workforce Passwords Browser Extension.
Secrets Safe Entitlement Report	When exporting a PDF or TIFF Software Entitlement Report, each page of the report would also generate a second blank page. The first entry into Secret Safe would not show in the report, but subsequent entries appeared.	Reports now generate with all data and without extra pages.
Configuration page of the BeyondInsight Console	SHA1 was available as a signature method option, but support was recently removed for this option.	Due to weaknesses in SHA1 and remove of support for it in various third-party libraries, we have removed it as a signature method option.
Smart Rules page of the BeyondInsight Console	If a child Smart Rule was a Managed Account quick group, processing any Smart Rules with the child could fail with an error referencing the DisabledAtRest column.	Smart Rule processing now runs without error.
Smart Rule internal processing	Some timeout errors may occur during onboarding Smart Rules processing.	Performance improvements were made to some queries that are executed during Smart Rule internal processing. This helps avoid timeout processing.
Secrets Safe page of the BeyondInsight Console	Insufficient validation checks in the Import Secrets API.	An authorization check now ensures the calling user has sufficient access to the target folder when using the Import Secrets API.
SCIM API	A long wait time occurred when a large number of results were returned when attempting to access /scim/v2/Users or /scim/v2/Groups via the SCIM API.	All results are returned as expected at a much faster speed.
SCIM API	An attempt to query more than one attribute for a SCIM endpoint was not supported.	The SCIM API now supports multiple attributes in a query.
User Management page of the BeyondInsight Console	The username field in the database was too short to handle Azure User Principal Names (UPNs), causing them to be truncated.	The username field size has been increased to accommodate Azure User Principal Names (UPNs).
Public API	Certain API calls were taking longer than expected. This was because a cache accessed by the API was reloading its entries after about ten minutes.	The cache was adjusted so that it no longer requires a reload after the first hit.
Internal logic	PBSMD SSH fingerprints were not unique across multiple U-Series Appliances in a user’s environment.	Internal logic has been updated to ensure that PBSMD receives unique SSH fingerprints across multiple U-Series Appliances in an environment.
Asset page of the BeyondInsight Console	The Users grid would fail to load when the last logon date contained certain non-English date formatting.	The Asset > Asset Advanced Details > Users grid now loads appropriately even if the last logon date contains non-English date formatting.
Internal logic	When the Graph API would throw ODataError exceptions, not much information was provided about what the specific error was.	More details are now captured in the log.
Start menu shortcuts for BeyondInsight Configuration and BeyondInsight Console	Shortcuts were displayed in the eEye Digital Security folder instead of the BeyondTrust folder.	Removed eEye Digital Security folder from Start menu. Shortcuts now display in the BeyondTrust folder.
Proxy Settings page of the BeyondInsight Console	Errors messages when retrieving Entra ID groups for EPM clients did not include helpful information.	More details are now captured in the log.
Installer Activation Keys page of the BeyondInsight Console	The Cloud installation command, BeyondInsight URL, and endpoint were incorrect when viewing system generated key details.	The installation command, BeyondInsight URL, and endpoint have been corrected for Cloud.
User Management page of the BeyondInsight Console	When large AD groups were added or synced, the stored procedure that updates external attributes caused blocking in the database.	The stored procedure has been modified to prevent blocks.
Password Update Activity page of the BeyondInsight Console	The Password Update Activity report was missing the Asset column for Functional Accounts.	The report now has an Asset column in the Functional Account table.
BeyondInsight Console	Customized logos were not appearing in the web console.	Updated how custom logos are handled so that existing instructions on replacing these will continue to work. Custom logos may still need to be replaced after product upgrades.
SCIM API	Updating a group via the SCIM API would cause unexpected settings changes.	Only the attributes what were changed in the request are now changed.
Password Safe Sessions	Password Safe was unable to validate system fields from a ServiceNow ticket.	If a user does not have access to a particular managed system, the ServiceNow ticket validator fails and the user is denied access.
BeyondInsight internal communication	Identity Service would not update the client ID when creating a client.	The client ID is now updated so that the two client IDs match.
User login (Active Directory)	Active Directory users were unable to log in to BeyondInsight after being renamed in Active Directory.	The logic in the login process has been updated to handle this scenario correctly. Renamed AD users can log in without requiring a group sync to occur first.
Smart Rule Processing	When deploying Endpoint Privilege Management Policy, the Smart Rule failed to process in some environments.	Performance has improved when processing Smart Rules that include the deploy Endpoint Privilege Management Policy action.
Password Safe Sessions	When selecting “User ID Mapping : UPN format” in a ServiceNow connector, an error was returned stating “Logged in user ID is null or empty”.	The UserPrincipalName (UPN) can now validate ServiceNow tickets for Entra ID users.
User Management page of the BeyondInsight Console	Details sometimes did not switch when editing a different Password Safe role for a mapped smart group.	Switching between roles now correctly switches the details.
API Registrations page of the BeyondInsight Console	Changes to API registrations were not being audited.	User Audits now appropriately shows changes.
BeyondInsight Password Services	Password Services could crash after attempting multiple “keyboard-interactive” mode connections via SSH if the initial connection attempt was only partially successful.	The service has been updated to limit the number of “keyboard-interactive” attempts made.
BeyondInsight API	Any failed API authentication would send an email to the administrator email account.	This has been deprecated, and emails for failed API authentications are no longer sent.
Access Policies page of the BeyondInsight Console	If an admin created an access policy not attached to a requestor group, and then a requestor with a different access policy created and actioned a request, admins were unable to delete the new access policy.	The dependency check logic around access policy deletion is improved. Admins can now delete new access policies in this scenario.
BeyondInsight Configuration > Secure Remote Access > Connect to Secure Remote Access area	Missing validation and empty default values could lead to errors in the log files if these values were saved by the user.	The field validation and default port value were updated on this form.
Internal logic	Insufficient validation was used on LDAP query creation.	Enhanced validation for directory queries to mitigate the creation of invalid LDAP queries.
Smart Rules	The ordering of actions displayed in a Smart Rule when editing was not consistent between creation and editing.	The Smart Rule actions are now sorted consistently regardless of whether the Smart Rule is being created or edited.
Sessions grid	On the Sessions grid in the Password Safe portal, the column picker contained a duplicate “Status” column entry.	The duplicate “Status” column has been removed.
BeyondInsight Configuration > IP Allow List	When configuring an IP Allow List rule with an IP range, there was no validation to prevent a user from entering a “From IP Address” value which was higher than the “To IP Address” value. Attempting to save a rule with this misconfiguration would display a generic error message.	The IP address range is now validated in the input form, with informative messaging if the data is not valid.
Password Safe	If a ticket was supplied when creating a request and ticket validation failed, only a generic validation error was shown, which may have been insufficient to troubleshoot the error.	Additional error messaging is now shown in the details of the error message that occurs in this scenario.
Workforce Passwords Browser Extension	If a Workforce Passwords extension was in use while the Password Safe instance was upgraded, new features did not always appear right away.	The Workforce Passwords Browser Extension now shows new features right away when the Password Safe instance is upgraded, even if the extension is in use.

Known issues

Product Area	Description	Workaround
Managed Account Smart Rules	Managed Account Smart Rules that contain a Link domain accounts to Managed Systems action that target an Asset-type Smart group will fail processing, and the logs display a Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements error.	Contact BeyondTrust Support for a hot fix. This issue will be resolved in an upcoming maintenance release.
Analytics and Reporting interface	Using Firefox, clicking the browser back button while viewing a report causes the Analytics and Reporting interface to become unresponsive.	Clicking the browser back button again takes the user to the parameter entry view, and the UI becomes responsive again. Using the back button within the report viewer will allow for proper navigation.
Analytics and Reporting interface	Using Chrome, clicking the browser back button while viewing a sub-report actually takes the user back to the list of reports.	Use the back button within the report viewer for proper navigation. You may need to re-run the report if you’ve ended up back at the report list.
Analytics and Reporting interface	For on-premises only, if Analytics and Reporting is configured prior to SMTP settings being configured in the Report Server, the “Send subscription by email” option is not available.	Either configure SMTP settings prior to configuring Analytics and Reporting, or restart the SSRS service after configuring SMTP settings.
Analytics and Reporting interface	For on-premises only, when creating a report subscription with email delivery in Analytics and Reporting, if more than 2,000 characters are entered into the To field, the subscription wizard becomes unresponsive.	Ensure that the email addresses used in the To field are a total length less than 2,000 characters.
Purging Options: Database Index Maintenance page of the BeyondInsight Console	The Database Index Maintenance job will not run in an environment configured with a low privilege SQL user.	Configure the database connection to use a privileged account.
BeyondInsight Console	If a user allows their BeyondInsight session to time out, their theme selection reverts to BeyondTrust brand colors. This becomes apparent if they had their preference set to dark mode colors. Signing out does not have this effect.	Avoid letting the session time out, or update your preferences after logging in.
Web Policy Editor	When upgrading to Web Policy Editor 24.5.372 from an older version using BT Updater, the setup may fail with an error that indicates the wpe.log file is in use.	Stop the WebPolicyEditor Service prior to upgrading, complete the upgrade to WPE 24.5.372, and the restart the service. WPE 24.5.372 contains a fix that ensures any subsequent updates (to future WPE versions) will not require the manual service state changes.
Secrets Safe	There is an unintended difference in behavior when attempting to delete a non-empty subfolder of Personal secrets depending on if the user is an administrator or not; an admin can delete the subfolder and its secrets, but a non-admin cannot delete the subfolder without first deleting the secrets.	As a non-admin, to delete a subfolder, first delete the secrets within the subfolder, then delete the subfolder.
Password Safe	vSphere Managed Account password changes may occasionally fail with a “passwords do not match” error.	Initiate another password change.
Password Safe Propagation Actions	When performing propagation actions for a domain account (i.e., domain\svc_acc1) and there exists a local account with the same name (i.e., svc_acc1) found on the system in the same propagation target, the local account propagation may also be incorrectly updated.	Use accounts of different names for domain vs. local.
Password Safe Application Sessions	Launching remote applications with ps_automate will fail with Chrome/Edge v128.	Use Chrome/Edge v127, or use Firefox, or a hotfix is available.
BeyondInsight Console - Activation Keys for Discovery Agent Installer Type	PowerShell cannot be used to configure OAuth for BeyondTrust Discovery Scanner Central Policy or Events.	Command prompt should be used for this.

Notes

Direct upgrades to 24.2.0 are supported from BeyondInsight versions 22.2.3 or later releases.
BeyondInsight 24.2.0 supports SQL Server 2016 SP2 or higher.
This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
The MD5 signature is: aa5c3665679bb8b91ba179029a0711f2
The SHA-256 signature is: b32e3703a8cad701fe6487e611c278edfcf27ffb026baa0142777b5d71d8ff73
The ECM Plugin for Password Safe has been updated to version 24.1.3.

Deprecation notices

Team Passwords Public API Endpoints have been deprecated and are no longer present in the 24.2 release. You must update scripts to use the corresponding Secrets Safe API endpoints instead.

BeyondInsight 24.2.0 still supports the following features, but these are planned to be removed in the next release:

Analytics & Reporting > Clarity: Clarity and related reports and configuration.
About > BeyondInsight Analysis

The Password Safe platforms Cloud - Azure and Cloud - Office 365 are being removed in the 24.3 release. Instead, customers should transition to using the Microsoft Entra ID platform, which offers additional functionality.

9 months ago

Password Safe ECM plugin 24.1.3 release notes

August 27, 2024

Requirements

BeyondTrust ECM v1.6.0+
Modified the API call body to include rotateOnChecking=[false]. The Allow API Rotation Override option must be enabled on View Password Policy Type for relevant access policies.

New features and enhancements

This is a maintenance release and does not include any new features or enhancements.

Issues resolved

Addressed an issue which could result in misleading statuses when the option to include availability info was enabled.
Updated the conflict option used to create release requests to "reuse" to reduce the number of requests generated.
Modified the API call body to include rotateOnChecking=[false]. The Allow API Rotation Override option must be enabled on View Password Policy Type for relevant access policies.
Addressed an issue in which duplicate display values were used when a domain account was returned in multiple formats.

Notes

This maintenance release replaces any usage of v24.1.x.
Supports upgrades from any prior release.
This release will be included as part of the U-Series Appliance image for the BeyondInsight and Password Safe 24.2.0 release.

12 months ago

U-Series Appliance 4.2.1 Release Notes

BeyondTrust Appliance U-Series Software 4.2.1 release notes

June 6, 2024

Requirements

.NET 8.0.0 or later (available through BT Updater via Supporting Software SUPI subscription)
SUPI 3.2 (available through BT Updater)

New Features

This is a maintenance release and does not contain any new features.

Issues resolved

Resolved an issue where the Installed Software page was slow to load and sometimes would have an incorrect version listed for a product.
- Cause: The appliance was requesting product version information from BT Updater, causing a delay in loading the results on the page. Also, if an update had failed in BT Updater, it returned the version for the failed update, despite it not being installed.
- Resolution: The appliance no longer contacts BT Updater for product version information.
Resolved an issue where when attempting to create a backup on a SQLFree appliance, no options were displaying under Backup Options.
Resolved an issue where when a backup that was created on a SQLFree appliance and contained the BeyondInsight database, a restore of that backup on the same SQLFree appliance would fail.

Known issues

Endpoint Privilege Management (EPM) Event Collector Service is missing from the log download page or log export page if there are no log files present.
EPM and Privileged Management Reporting (PMR) High Availability requires that the source EPM accounts match on each appliance. Accounts require manual intervention to rename.
- Workaround: Users must manually create the EPM/PMR SQL Users in the database on the secondary node.
Last Pass can interfere with the Deployment and Configuration Wizard.
- Workaround: Disable or log out of Last Pass or configure the appliance in incognito mode in the browser so that the browser extensions are not interfering with the wizard.
When changing the EPM Database credentials on the host machine and remote collector password, if the EPM Database Access feature is turned off and then on, the user has to enter and confirm their password every time.
The beyondtrust_user account is locked out after changing the Auth SQL Server password.
Appliance self-signed certificate does not have subject alternate name (which does not support HSTS). For Chrome 58 and later, only the subjectAlternativeName extension (not commonName) is used to match the domain name and site certificate.
Using High Availability in a multi-node EPM deployment that has the secondary node set up as the PMR database, when the secondary is promoted to primary, the PMR reports do not display in BeyondInsight. A red X displays in place of the charts.
- Cause: A multi-node deployment typically uses the IP/machine name of the database host in the shared EPM config file. This pointer continues to point at the failed primary, causing the problem.
- Workaround:
  - In BeyondInsight, from the left sidebar, click Configuration > Endpoint Privilege Management > Privileged Management Reporting Database Configuration.
    - In the Server field, update the IP address to be that of the current appliance.
  - In the appliance software, from the left sidebar, click Service Status.
    - Restart the EPM Reporting Gateway Service.

Notes:

Security Management Appliance Installer is dependent on BeyondInsight 24.1.
Security Management Appliance package in BT Updater is dependent on BeyondInsight 24.1.
This update is available through BT Updater or as a manual installer from the download tool.

about 1 year ago

Password Safe Resource Kit 24.1.1 Release Notes

Resource Kit 24.1.1 Release Notes

May 23, 2024

Requirements

Requires BeyondTrust Password Safe version 24.1.1 or later release.

New features and enhancements

Updated Platform SDK to support Password Safe 24.1.1
- Platform plugins updated to use .NET 8

Notes

The SHA-256 signature is: a4ff16e52d5e322cfeae3e96f03d45554833f151ea7bf939139fa1da0cd63936
This release is available to download for BeyondTrust customers at https://beyondtrustcorp.service-now.com/csm.

September 26, 2024

New features

Dependency management

ℹ️Note

Enhancements

SUPI service upgrade

Known Issues:

Notes:

September 26, 2024

Requirements

New features

ℹ️Note

Enhancements

ℹ️Note

Issues resolved

Known issues

Notes

New features and enhancements

Known issues

ℹ️Note

Notes

Deprecation notice

Resource Kit 24.2 Release Notes

September 3, 2024

Requirements

New features and enhancements

Updates:

Checksums:

Notes

Password Safe Cloud Resource Broker 24.2.0.1869 release notes

September 3, 2024

Requirements

New features and enhancements

Issues resolved

Notes

September 3, 2024

Requirements:

New features and enhancements:

Issues resolved:

Known issues:

Notes:

September 3, 2024

ℹ️Note

New features

Enhancements

New Enforce Minimum Characters To Change option for policies

📘

New default minimum lengths for password policies

Issues resolved

Known issues

Notes

Deprecation notices

August 27, 2024

Requirements

New features and enhancements

Issues resolved

Notes

BeyondTrust Appliance U-Series Software 4.2.1 release notes

June 6, 2024

Requirements

New Features

Issues resolved

Known issues

Notes:

Resource Kit 24.1.1 Release Notes

May 23, 2024

Requirements

New features and enhancements

Notes

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note

ℹ️
Note