BeyondInsight for Unix and Linux 26.1

🆕 Features

Automated certificate management

BIUL 26.1 supports the new enhanced security for EPM-UL 26.1 on-premises installations. EPM-UL on-premises now uses your primary license server as a trusted certificate authority (CA), automatically generating and managing SSL certificates across your enterprise installation.

In BIUL, certificate-related flags are now determined automatically from the current (live) state of your Primary License Server, specifically whether a CA fingerprint is present.

This feature is available only when deploying or upgrading to EPM-UL version 26.1 or later.

For more information, see EPM-UL release notes.

Certificate flags for EPM-UL and Sudo Manager

EPM-UL: Install

During an EPM-UL install, certificate flags (if needed) are added to the end of the installer’s option string (for example: -eigmTXZrulowx).

| EPM-UL version | Primary License Server found? | CA fingerprint present? | Installing on the Primary License Server? | Flags added |
|---|---|---|---|---|
| Earlier than 26.1 | Any | Any | Any | None |
| 26.1 or later | No | Not applicable | Not applicable | None |
| 26.1 or later | Yes | No | Any | -n no |
| 26.1 or later | Yes | Yes | Yes | -n yes |
| 26.1 or later | Yes | Yes | No | -G '<fingerprint>' -n yes |

EPM-UL: Upgrade

During an EPM-UL upgrade, the base flag is always -e. If certificate flags are needed, they are added after -e.

| Upgrading to (EPM-UL) version | Primary License Server found? | CA fingerprint present? | Upgrading the Primary License Server? | Flags added (after -e) |
|---|---|---|---|---|
| Earlier than 26.1 | Any | Any | Any | None |
| 26.1 or later | No | Not applicable | Not applicable | -n no |
| 26.1 or later | Yes | No | Yes | -k -n yes |
| 26.1 or later | Yes | No | No | -n no |
| 26.1 or later | Yes | Yes | Yes | -k -n yes |
| 26.1 or later | Yes | Yes | No | -G '<fingerprint>' -k -n yes |

Sudo Manager: Install

During a Sudo Manager install, certificate flags (if needed) are included directly in the installer command, between -S and the alias flag.

| Sudo Manager version | Primary License Server found? | CA fingerprint present? | Installing on the Primary License Server? | Flags included |
|---|---|---|---|---|
| Earlier than 26.1 | Any | Any | Any | None |
| 26.1 or later | No | Not applicable | Not applicable | None |
| 26.1 or later | Yes | No | Any | -n no |
| 26.1 or later | Yes | Yes | Yes | -n yes |
| 26.1 or later | Yes | Yes | No | -G '<fingerprint>' -n yes |

Sudo Manager: Upgrade

During a Sudo Manager upgrade, the command always includes -c no to keep your existing sudo configuration. If certificate flags are needed, they appear before -c no.

| Upgrading to (Sudo Manager) version | Primary License Server found? | CA fingerprint present? | Upgrading the Primary License Server? | Flags included |
|---|---|---|---|---|
| Earlier than 26.1 | Any | Any | Any | None |
| 26.1 or later | No | Not applicable | Not applicable | None |
| 26.1 or later | Yes | No | Yes | -n yes |
| 26.1 or later | Yes | No | No | -n no |
| 26.1 or later | Yes | Yes | Yes | -n yes |
| 26.1 or later | Yes | Yes | No | -G '<fingerprint>' -n yes |
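
The four flag tables in this section reduce to a single decision function, which makes it possible to check a logged installer command against the state of the Primary License Server at the time. The Python below is an added example, not BeyondTrust code; the product and action labels, the function names, and the treatment of each flag as a separate shell token are assumptions of the example.

```python
import shlex

def cert_flags(product, action, version, pls_found, fingerprint, on_pls):
    """Expected certificate flags as argv tokens, per the four tables above.

    product: "epm-ul" or "sudo-manager"; action: "install" or "upgrade"
    (labels chosen for this example). fingerprint: CA fingerprint read from
    the Primary License Server (PLS), or None when none is present.
    """
    major, minor = (int(p) for p in (version.split(".") + ["0"])[:2])
    if (major, minor) < (26, 1):
        return []
    if not pls_found:
        # Only the EPM-UL upgrade table lists a flag for this row.
        return ["-n", "no"] if (product, action) == ("epm-ul", "upgrade") else []
    if action == "install":
        if fingerprint is None:
            return ["-n", "no"]
        return ([] if on_pls else ["-G", fingerprint]) + ["-n", "yes"]
    keep = ["-k"] if product == "epm-ul" else []  # -k is listed only for EPM-UL upgrades
    if on_pls:
        return keep + ["-n", "yes"]
    if fingerprint is None:
        return ["-n", "no"]
    return ["-G", fingerprint] + keep + ["-n", "yes"]

def observed_cert_flags(command):
    """Extract -G <value>, -k and -n <value> from a logged command line.

    Assumes the flags are separate shell tokens, as the tables print them.
    """
    argv, found, i = shlex.split(command), [], 0
    while i < len(argv):
        if argv[i] in ("-G", "-n") and i + 1 < len(argv):
            found += argv[i:i + 2]
            i += 2
        else:
            if argv[i] == "-k":
                found.append("-k")
            i += 1
    return found

def command_is_consistent(command, **state):
    """True when the logged command carries exactly the flags the tables predict."""
    return observed_cert_flags(command) == cert_flags(**state)
```

A mismatch between the observed and expected flags on a 26.1 host is worth investigating alongside the insecure-certificate alerts described under Enhancements.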

MFA and authentication services

We’ve added multi-factor authentication (MFA) to help keep console access more secure. You can set it up from the Authentication Services tile in Settings.

  • RADIUS integration: Connect to external RADIUS servers using the PAP protocol to verify user passwords or six-digit MFA tokens.

    [Image: Authentication services settings]
  • Local groups: A new Local Group type has been added to Console Access. Administrators can now group local users and link them to specific Authentication Services.

    [Image: Local group menu selection]
  • Adaptive login UI: For users in MFA-enabled groups, the login screen dynamically updates. After entering a standard username and password, a second prompt for a token appears only if the primary credentials are correct.

✨ Enhancements

Lock client registration during new installs

During a new 26.1 installation, the Client Registration setting is now automatically set based on whether the instance is primary or not and is intentionally locked.
This prevents misconfiguration by ensuring client registration is off for a primary install and on for a non-primary install.

Show alerts when profiled hosts use insecure certificates

BeyondInsight for Unix & Linux now displays a notification when a profiled Endpoint Privilege Management for Unix & Linux 26.1.x host is using an insecure certificate.
The notification includes the host version and whether the installed certificate is legacy or invalid, helping you quickly identify hosts that should be remediated.

Updated Password Safe API paths

The Password Safe integration has been updated to use the current public API base path and to better handle environments where Password Safe is hosted under a URL prefix.
This helps maintain connectivity after Password Safe upgrades when endpoint paths differ from older deployments.

🛠️ Issues Resolved

| Description | Resolution |
|---|---|
| Primary license server with dependent services could be removed, potentially disrupting certificate-chain communication. | BeyondInsight for Unix & Linux now blocks deletion or uninstall of a Primary License Server when other EPM-UL services depend on it. This helps prevent certificate-chain loss that could break communication with secondary services. |
| Refreshing web pages repeatedly could cause the server process to continuously increase memory usage. | Memory usage now stabilizes over time, reducing the risk of resource exhaustion and avoiding the need to restart services to reclaim memory. |
| Upgrading Sudo Manager through the Host Action wizard could fail immediately with a server error. | The upgrade workflow now runs normally instead of returning a 500 error at the start of the action. |
| The profiling tool could fail to recognize a primary RNS server as a Primary License Server. | Primary license server detection is now consistent, improving accuracy for licensing and dependency-related workflows. |

🗒️ Notes

  • Upgraded to Angular 20 for bug fixes, security upgrades, and functional and performance improvements.
  • Removed the license key field on AD Bridge installations. In AD Bridge 26.1, a license key will no longer be required.
