Privileged Remote Access 25.3.1 release notes
December 18, 2025
🆕 New features
Automatic import of Password Safe managed credentials and endpoints
Say goodbye to manual drudgery! Vault admins can now automatically import domain accounts, endpoints, and local accounts right after scheduled discovery runs, thanks to smart, predefined filters. With Import Rules, you can assign filters to apply during a predefined scheduled discovery. This keeps your Vault fresh and secure, while still giving you the freedom to manually import anything that falls outside the filters.
This works across all scheduled discovery job types supported by Vault.
For more information, see:
ECM Plugin - New Credentials Supported
Goodbye limitations, hello flexibility!
ECM now returns credentials for SSH, SSH Keys, Webjump, and databases (MSSQL, PostgreSQL, and MySQL Protocol Tunnel Jump Items).
Why it matters:
- Seamless access for your database Jump Items
- Faster workflows, fewer roadblocks
- More power for your integrations
This update requires a new plugin download. For more information, see Install the Endpoint Credential Manager.
Support for MacOS Tahoe
Get ready for the future of macOS! With the launch of Apple’s latest version, we have you covered. Enjoy instant compatibility, expert guidance, and tips to unlock the newest features without missing a beat.
Slow-roll Releases
Remember that automatic update feature from Base 8.0? It’s back, but smarter and friendlier!
What’s Changing in 25.3:
- No surprise pushes. You get to choose when you update.
- You’ll get a heads-up when a new update is available.
- Download and install when it works for you. Full control, zero stress.
- Staggered releases mean no mass rollout chaos.
Simply check the auto install checkbox and select your update cadence.
This is updates done right: transparent, flexible, and customer-first.
For more information, see:
✨ Enhancements
Increased vendor group size limit
More Room for Vendors!
We’ve cranked up the vendor group limit to 500.
Go big, group bigger!
For more information, see:
Prioritize external representative invite session policy over jump item session policies
Managing Jump Client sessions just got easier, and way more intuitive. You can now prioritize Session Policies assigned to external reps/access invites, ensuring expected policy enforcement in external session/access scenarios.
What’s New?
- The policy selected during the invitation process is the only policy applied to the invited Rep.
- Jump Item and Public Portal policies are skipped for external invitees.
For more information, see:
Additional security controls for Command Shell context
Flexibility meets control! Shells start in the context of the endpoint’s logged in user and use a button in the console to open an elevated shell tab that runs in the system/root context (only if the Jump Client is elevated).
- Match the Logged-In User for a familiar experience
- Go System/Root when Jump Client is elevated for full power
Allow Shell rules
Allow elevated access
Open elevated shell tab running on system/root context
Your shell, your rules. Simple, secure, and ready to roll!
For more information, see:
Kubernetes Proxy - Support AKS (Cloud-only)
We’re making life easier for cloud-native teams:
Create Kubernetes Jump Items that work seamlessly with Azure Kubernetes Service (AKS) endpoints.
Why you’ll love it:
- Simplifies secure access to AKS clusters
- Keeps your workflows cloud-ready and efficient
- Your Kubernetes game just leveled up!
For more information, see Install a Linux Jumpoint | PRA.
Granular /login admin permissions
We’re introducing granular RBAC magic to make remote access management a breeze.
Remote Access Management Role
- Non-admins can add members to group policies
Why it matters:
Delegate /login administrative tasks to others that don’t need global admin rights to enable zero trust.
Non-admins:
- Can see the Group Policy tab
- Cannot create a new group policy or change the order
- Can only see and edit group policies they are in and
- Only membership section
For more information, see:
Grey out Vault accounts already in use
If a Vault account doesn’t allow simultaneous checkout and you try to grab it while someone else already has, no worries! The account still displays, but is grayed out with a little lock icon. Hover over it, and you’ll see a friendly message letting you know it’s currently checked out by another user.
Desktop Console
Web Console
For more information, see:
Force close windows in elevated sessions
We’re adding new functionality to force close windows in an elevated session:
- New Config Option in /login > Management > Security
- Force-close any windows opened during an elevated session
- Applies to Windows elevated sessions only
- Off by default. Enable when you need that extra lockdown!
E.g.: Pathfinder - Management > Security > Representative Console
For more information, see:
🛠️Issues Resolved
| Product area | Description | Resolution |
|---|---|---|
| Reporting | Duplicate Jump Items report sometimes fails.. | Resolved: Duplicate Jump Items report no longer fails.. |
| API | Configuration API version updated to 1.11. | Resolved: The perm_edit_group_policy_memberships property was added to the GroupPolicy schema. |
| Web Jump | Copy and Paste are slow to update in Web Jump. | Resolve: Copy and Paste work as expected in Web Jump. |
| Vault | Issue when creating RDP Jump Items from the Vault -> Endpoints -> Jump Items Link page. | Resolved: Issue no longer occurs. |
| Vault | Issue when moving an account from a Default Group to an Account Group that doesn’t have any users. | Resolved: Issue no longer occurs. |
| Vault | Unable to cancel Password Safe Discoveries once they are started. | Resolved: Password Safe discoveries can be canceled once started. |
| Pathfinder | API Docs page only displays in Dark Mode. | Resolved: API Docs page displays in Dark and Light Modes. |
| Pathfinder | When upgrading a Pathfinder site, some users are not able to login due to their account being marked as Disallowed. | Resolved: Users can now log in as expected. |
| Atlas | Public Label field is empty on Atlas traffic nodes. | Resolved: Public Label field is no longer empty on Atlas traffic nodes. |
| Text Updates | Custom Field Display name is sometimes blank. | Resolved: Custom Field Display name is no longer blank. |
| Text Updates | Jump method types for Protocol Tunnel types in the Vault Account Groups table must match those displayed in the Access Console. | Resolved: Updated the Jump method types for the Protocol Tunnel types in the Vault Account Groups table to match those displayed in the Access Console. |
| Text Updates | File name incorrect in error messages for WebJump through Linux Jumpoints | Resolved: Updated the file name listed in the error messages displayed for WebJump through Linux Jumpoints. |
| Text Updates | Escaped characters in the error message display when a Password Safe credential doesn’t have a schedule to be released. | Resolved: Escaped characters in the error message no longer display when a Password Safe credential doesn’t have a schedule to be released. |
| Text Updates | Grammar error in a VNC error message. | Resolved: corrected grammar error. |
| Text Updates | Message vague when Remote Jumps fail. | Resolved: Now providing a more detailed message when Remote Jumps fail. |
| Text Updates | “Default:” string should be removed from the Portal drop-down menu for External invites. | Resolved: Removed the “Default:” string from the Portal drop-down menu for External invites. |
| Misc | UI scaling issue with smaller display sizes causing some characters to overlap on the Reports page. | Resolved: Smaller display sizes no longer cause characters to overlap on the Reports page. |
| Misc | Custom Field Display name is sometimes blank. | Resolved: Custom Field Display name no longer blank. |
| Misc | Uploading a Canned Script Resource File with character greater than the character limit causes the Upload button to not be displayed until the page is refreshed. | Resolved: Uploading a Canned Script Resource File with character greater than the character limit no longer causes the Upload button to not be displayed. |
| Misc | Pressing Enter in a field while editing or creating a User causing the change to be cancelled. | Resolved: Pressing Enter in a field while editing or creating a User no longer causes the change to be cancelled. |
| Misc | Issue when uploading Network Tunnel Jump Items in templates when Network Tunnels are not allowed. | Resolved: Issue no longer occurs |
| Access Console | Vague wording for ‘Credential’ column in RepConsole. | Resolved: Updated the “Credential” column in the RepConsole to “Initiating Credential”. Updated the tooltip to reflect the change. |
| Access Console | Credential List takes a long time to load from Password Safe. | Resolved: Credential List no longer takes a long time to load from Password Safe. |
| Access Console | Resolved: Credential List no longer takes a long time to load from Password Safe. | Resolved: BT CLI can now check out Domain Vault accounts. |
| WebAccessConsole | WebAccessConsole Shell Jump sessions not showing any characters when dead-keys are hit twice. | Resolved: WebAccessConsole Shell Jump sessions now show characters when dead-keys are hit twice. |
| Protocol Tunnels | Issue with the Network Tunnel shutdown process. | Resolved: Network Tunnel shutdown process works as expected. |
| Protocol Tunnels | Kubernetes Tunnel window not similar to the other Protocol Tunnel windows. | Resolved: Updated the Kubernetes Tunnel window to be more like the other Protocol Tunnel windows. |
| Protocol Tunnels | Issue with the Network Tunnel Service not shutting down correctly. | Resolved: Network Tunnel Service shuts down as expected. |
| Virtual Smart Card | Filtering Smart Card certificates must conform with Microsoft standards. | Updated the method for filtering Smart Card certificates to conform with Microsoft standards. |
| Jump Client | Jump Client logs errors to the Windows Event Viewer if it cannot connect to the appliance for over an hour. | Resolved: Jump Client no longer logs errors to the Windows Event Viewer if it cannot connect to the appliance for over an hour. |
| Jump Client | No “auto” option available for the --startup command line option for Linux Jump Clients. | Resolved: Added an “auto” option to the --startup command line option for Linux Jump Clients. |
| Jumpoint | New Jumpoint Docker image required in Docker Hub. | Resolved: Jumpoint Docker image updated in Docker Hub. |
| Shell Jump | Issue with submitting credentials from an ECM to a Shell Jump session. | Resolved: Submitting credentials from an ECM to a Shell Jump session works as expected. |
| Shell Jump | Issue with timestamp not being preserved when transferring a file through Shell Jump from Windows to Linux. | Resolved: Timestamp is now preserved when transferring a file through Shell Jump from Windows to Linux. |
| Shell Jump | Issue with transferring a file to a Linux system through Shell Jump not overwriting the file as expected. | Resolved: When transferring a file to a Linux system through Shell Jump , the the file is overwritten as expected. |
| Mac | Issue with the Option key + a number key not sent correctly in Command Shell sessions when Finnish language is used. | Resolved: Option key + a number key are sent correctly in Command Shell sessions when Finnish language is used. |
| Mac | Issue with Command + keypad numbers not been sent correctly through screen sharing to a Mac Customer Client. | Resolved: Command + keypad numbers are now sent correctly through screen sharing to a Mac Customer Client. |
| Mac | Issue when sending an extra Shift key stroke through screen sharing when using modifier keys with capital letters from Mac RepConsoles to Mac Customer Clients. | Resolved: Sending an extra Shift key stroke through screen sharing when using modifier keys with capital letters from Mac RepConsoles to Mac Customer Clients works as expected. |
| Mac | Issue with Jump Clients sometimes going offline after an hour or so on Macs running macOS 15. | Resolved: Jump Clients no longer go offline after an hour or so on Macs running macOS 15. |
| Mac | Issue with Screen Sharing sometimes displaying a black screen when the Customer Client was running on macOS 14. | Resolved: Screen Sharing no longer displaying a black screen when the Customer Client was running on macOS 14. |
| Linux | Issue with customer presence detection on Linux. | Resolved: Customer presence detection on Linux works as expected. |
| Linux | Issue spawning unnecessary processes from the Customer Client on newer Linux distributions. | Resolved: Unnecessary processes no longer spawning from the Customer Client on newer Linux distributions. |
| Linux | Issue with SELinux displaying a warning about the JumpClient after RedHat 9 systems were rebooted. | Resolved: SELinux no longer displaying a warning about the JumpClient after RedHat 9 systems were rebooted. |
| Linux | Issue with the coloring when selecting text through a session with a Linux Jump Client. | Resolved: Color looks as expected when selecting text through a session with a Linux Jump Client. |
📝 Requirements
- Requires Base 8.1.0
- Supports ECM Protocol 1.6
- Supports upgrades from 25.1.1 Privileged Remote Access+.
- Validated with ECM 1.6.5
- Validated with Integration Client 25.1.1
- Includes VSC 1.2.10.2
Before upgrading, ensure any SSL certificates used are either from a trusted Certificate Authority, or, for self-signed certificates, the certificate is either trusted on all endpoints or explicitly included in their installation.
