ADSelfService Plus Fixes and Enhancements [2020]
Release Notes for build 6100 (Dec 31, 2020)
Enhancement:
- The Tomcat server bundled with the product has been upgraded to version 8.5.57.
- The ADSelfService Plus database backup archives are now password protected.
Issue Fixes:
- A security issue due to the use of fixed ciphering keys has been fixed (Zoho Bug Bounty ID: ZVE-2018-1790).
- A security issue that caused improper authorization of end user actions has been fixed (Zoho Bug Bounty ID: ZVE-2020-4164).
Release Notes for build 6013 (Nov 25, 2020)
Enhancement:
- Support for SAML Authentication as an MFA method in the ADSelfService Plus mobile app (both iOS and Android) for self-service password reset and account unlock.
Issue Fix:
- Issue in SAML SSO logins when reverse proxy server is configured has been fixed.
Release Notes for build 6012 (Nov 13, 2020)
Features:
- MFA backup codes for authentication: Users can now prove their identity using backup codes when they cannot access the enrolled MFA authenticators or their mobile devices used for authentication. These backup codes can be generated by both users and the admins, and used for identity verification during machine and VPN logins, self-service actions, and ADSelfService Plus portal logins.
- Custom Time-based One-time Passcode (TOTP) Authenticator Support: Admins can now configure any TOTP authenticator [Eg: Symantec VIP Access, FortiToken, Free-OTP, etc] as per organizational usage to verify users' identities during password reset and account unlock actions, and ADSelfService Plus, machines and VPN logins.
Enhancements:
- Smart card multi-factor authentication: Smart
card authentication will now be available as an authenticator in
multi-factor authentication for ADSelfService Plus web portal login.
- ADSelfService
Plus has been upgraded from two-factor authentication to multi-factor
authentication for machine (Windows, macOS, and Linux), VPN and product
logins.
- Admins can now link domain user accounts based on any attribute of choice with the Duo accounts for multi-factor authentication.
- Idle time limit during multi-factor authentication can be configured for machine, VPN, and product logins.
Issue Fixes:
- During
user identity verification through SMS and email verification codes,
the drop-down menu at the end-users portal will prioritize the
mail/mobile values added by the end-user during enrollment over those
stored in Active Directory.
- The time taken to load Change Password tab has been reduced.
- Fixed an issue that prevented including more than 10 mail addresses in the Admin Mail Address field under Mail Settings.
- While
logging into ADSelfService Plus through SAML single sign-on, it is now
possible to use any authentication technique provided by the identity
provider (Okta, OneLogin). Password authentication is not mandatory.
Release Notes for build 6009 (Sep 30, 2020)
Enhancements:
New customization options available to help you rebrand the ADSelfService portal to best suit your requirements.With these new options you can:
Make a custom color theme selection from the color picker.
Customize the buttons present in the users' login page.
Set a background image for the end users' login page.
Issue fixes:
The issue of license consumption by both the primary and secondary user accounts when password synchronization is enabled between two Active Directory domains.
The issue in AltGr key usage in the Windows login agent when ADSelfService Plus' end-user portal is configured to display in languages other than English.
Encoding failure during mail attachment when using languages other than English.
The issue where Organization Chart generation was slowed down and CPU usage was higher than usual when the number of users in the domain increased.
Release Notes for build 6008 (Sep 09, 2020)
Issue Fixes:
- Fixed an issue that prevented proper embedding of image in email content.
- If the Password Expiration Notification's retry option is disabled, managers receive an empty Soon-To-Expire Password Users Report on the specific days configured when no users fall under the report that day. This has been fixed.
Release Notes for build 6007 (Sep 04, 2020)
Enhancement:
- Trusted devices option for Endpoint Machine Login MFA : Users can now mark their machines (Windows, macOS, or Linux) as trusted during login to skip multi-factor authentication for subsequent logins. Admins can define how long a machine should remain trusted.
Release Notes for build 6006 (Aug 27, 2020)
Highlights:
- Load Balancing : ADSelfService Plus now comes with a built-in load-balancing server, to help you set up multiple instances of ADSelfService Plus, and distribute incoming requests among them. This helps improve performance, eliminate downtime, and provide a better experience for end users.
- Reverse Proxy : Enable reverse proxy, by integrating with ManageEngine AD360, to improve security when making ADSelfService Plus accessible for remote access.
Release Notes for build 6005 (Aug 15, 2020)
Highlight:
- Multi-factor authentication (MFA) for VPN : Secure your VPN by enabling MFA via fingerprint/Face ID, Push Notification, Google Authenticator, Yubico OTP, and other wide range of authentication factors.
Release Notes for build 6004 (Aug 12, 2020)
Issue fixes:
- Users were not able to login using the mobile browser during SP-initiated SAML SSO. This has been fixed.
- Password change using the PowerShell API has been secured.
- Custom questions were not properly displayed when configuring the Auto Enrollment Scheduler using CSV file. This has been fixed.
Release Notes for build 6003 (Jul 24, 2020)
Enhancement:
- Face ID authentication is now supported for MFA in the ADSelfService Plus iOS app.
Issue fix:
- Security fix to prevent unauthenticated remote code execution attacks.
Release Notes for build 6002 (Jul 10, 2020)
Issue fixes:
- Fixed
an issue which prevented sending the password expiration notification
and expired password notification to users with the Password Setting
Object applied to them.
- Fixed
an issue that prevented saving multiple mail addresses under Notify
Admin in the Notifications tab of Advanced Policy Configuration
settings.
- Provision for verification of user enrollment status with Duo Security has been added for enhanced security. [ZVE-2019-6362]
Release Notes for build 6001 (Jul 6, 2020)
Highlight:
- Conditional Access Policy: Use
various risk factors such as IP address, device type, time of access,
and geo location to determine which self-service policy will be assigned
to users. With Conditional Access Policies, you can enforce endpoint
MFA or restrict access to self-service features for high-risk users,
thus improving security posture without affecting user experience.
Issues Fixed :
- Fixed an issue which prevented changing the SMS provider from GSM Modem to Custom HTTP.
- The drop-down fields for directory self-update were not displayed properly. This has been fixed.
- Password
expiration notifications were not sent to secondary email addresses
even when the Enable Notification to All Secondary Mails of Users option
was enabled. This has been fixed.
- Autocomplete has been turned off for the answer fields during security questions and answers-based authentication.
- Fixed an MS SQL migration issue which prevented fetching all the MS SQL instances.
Release Notes for build 6000 (Jun 3, 2020)
Highlights:
- This release comes with a service pack that can be used to update your ADSelfService Plus to get the flat GUI as well as the enhancements and bug fixes released in builds 5816 and 5817.
Enhancement :
- An option to renew the SAML certificate has been implemented.
Issues Fixed :
- The SMS notifications sent during MFA contain HTML code.
- Improper functioning of CAPTCHA when reverse proxy is configured.
Release Notes for build 5817 (May 16, 2020)
Issues Fixed :
- Fixed a vulnerability which allowed a user to enable integration with other supported ManageEngine products bypassing authentication.
- Issue in using Push Notification authentication for logging into ADSelfService Plus when TFA is enabled.
Release Notes for build 5816 (April 23, 2020)
Features:
- Improved look and feel with flat UI: The ADSelfService Plus admin portal has been revamped with a sleeker and more streamlined flat user interface.
- Embed dashboard widgets: The dashboard graphs can be embedded in any web page using the HTML snippet provided. A URL is also provided to access the graph separately.
- Language customization: Personalize ADSelfService Plus by customizing any text displayed in the portal for your language of choice.
- SSL deployment through UI: Easily apply a SSL certificate and enable HTTPS to secure ADSSP in just a few clicks with the all new UI-based SSL certification tool.
Enhancements :
- Technician: Administrators now have the option of providing the technician privileges to groups.
- Password Policy Enforcer has been enhanced with several new password policy rules for improved security:
- Disallow the use of specific numbers of consecutive characters from user names and old passwords
- Disallow the use of a character specific number of times consecutively.
- Ensure the password starts with an uppercase letter, lowercase letter, number, or special character.
- Disallow the last character of the password to be a number.
- Fix the number of old passwords to be restricted during password resets.
- The customized message that displays the password policy requirements during password reset or change can be reset to default.
- Directory Self-Update has been improved with the following options:
- Administrators can set the self-update layout as read only.
- Show or hide the Report To and Direct Report fields and the left panel of the self-update layout with these fields and photo upload.
- Enforce the format of information provided in the self-update fields (mobile number, email address, or letters).
- All notification messages can been enhanced with rich text editors.
- Employee Search: Administrators now have the option to enable the Employee Search based on self-service policy.
- Force enrollment logon script: Administrators now have the option to customize the enrollment logon script window's title and button text.
- IP-based restriction for admin login:
- Admin login can now be restricted to some specific or a range of IP addresses using the restrict IP address option.
Release Notes for build 5815 (April 3, 2020)
Issue Fix:
- Security fix to ensure ADSelfService Plus is immune to unauthenticated remote code execution (RCE) vulnerability.
Release Notes for build 5814 (Mar 11, 2020)
Issue Fixes:
- Issue of unnecessary characters in SMS notifications when using the SMTP provider due to improper encoding type.
- Issue in generating the Enrollment Reports graph in the Dashboard tab.
- A vulnerability issue in the ADSelfService Plus login agent has been fixed.
- Issue of password reflection during password reset.
- Issue of a Cross-site Scripting vulnerability.
Release Notes for build 5813 (Feb 25, 2020)
Issue Fix:
- A security issue that arises when the 'User must change password at the next logon' option is enabled in Active Directory has been fixed.
Release Notes for build 5812 (Jan 27, 2020)
Issue Fix:
- Issue in enforcing the default minimum password length (i.e, 7) when product technicians change their account passwords.