ADSelfService Plus Fixes and Enhancements [2022]
Release Notes for build 6212 (Nov 14, 2022)
Feature:
- Hardware TOTP token support: Hardware tokens such as Protectimus hardware TOTP token and Deepnet Security hardware token can now be configured as a custom TOTP authenticator for identity verification.
Enhancements:
- SMS and email verification support for VPN MFA: SMS and email verification can now be configured as an authenticator for VPN MFA.
- Bulk enrollment support for authenticators: Admins can now enroll end users for Google Authenticator, Microsoft Authenticator, Zoho OneAuth TOTP authenticator, and custom TOTP authenticators through bulk enrollment either using a CSV file or through a database fetcher.
- An option to skip the Select your mobile number/email address drop-down in the MFA verification page for SMS and email verification has now been included.
Issue Fixed:
- An issue in the working of the Linux agent (CentOS 7) has now been resolved.
Release Notes for build 6211 (Oct 28, 2022)
Important Update:
- Third-party requirement for NTLMv2 SSO: To enable NTLMv2 SSO for ManageEngine ADSelfService Plus in builds 6211 and above, you have to manually download the Jespa JAR file and add it to the lib folder of the product's installation directory.
Issue fix:
- The forced enrollment using login scripts feature didn't work for partially enrolled users. This issue has been fixed.
- A critical RCE security vulnerability (CVE-2022-47966), caused by a vulnerable .jar file used when SAML SSO is/was enabled in the product, has been fixed. This was reported by Khoadha of Viettel Cyber Security.
Release Notes for build 6210 (Oct 21, 2022)
Enhancements:
- Notification Center: To ensure product security, a notification center has now been included to display important alerts that require admin attention.
- To ensure security, the Spring JAR files used in the product have been updated to version 5.3.21.
- To ensure security, the Commons Text JAR files used in the product have been updated to version 1.10.
Issues fixed:
- An issue that caused an infinite password sync loop when password sync is configured for Active Directory bidirectionally has now been resolved.
- An issue that caused the login agent to crash when Have I been Pwned integration was enabled and HTTP was configured has now been fixed.
- An authorization issue in Talkback APIs has now been resolved.
- A memory leak issue which caused the domain controller to restart abruptly in rare scenarios when Password Sync Agent version 2.0 was configured has now been fixed.
Release Notes for build 6209 (Sep 30, 2022)
Issues fixed:
- An issue in the Restrict Users scheduler under License Management when there were different domains containing the same usernames has now been fixed.
- An issue that occurred while searching for a username containing '_' in reports when using an external MS SQL database has now been fixed.
- An issue in prompting MFA during VPN login when the username format was domain name/username has now been fixed.
Release Notes for build 6208 (Sep 21, 2022)
Features:
- MFA for Windows User Account Control: All UAC elevation prompts that require credentials such as installing an application, editing the registry, and so on can now be secured using MFA.
- Machine-based MFA: Secure business-critical machines in your organization by enforcing Machine-based MFA. This allows users to access the machine only upon successful identity verification through MFA, irrespective of their enrollment status, self-service policy membership, and ADSelfService Plus server connectivity.
Issue fixed:
- An issue which caused MFA to not function as intended in Windows 11 machines during system unlock has now been fixed.
Release Notes for build 6207 (Aug 29, 2022)
Features:
- MFA for mobile app login: ADSelfService Plus mobile app logins can now be secured with an additional layer of authentication using MFA.
- Passwordless login: Provide easy and secure access to log in to the mobile app using modern authentication factors such as biometric authentication, push notification authentication, TOTP authentication, and so on.
- Support for additional authenticators: The ADSelfService Plus mobile app now supports Zoho OneAuth authentication, custom TOTP authentication and backup recovery code support during self-service actions and mobile app logins.
- Manage device enrollment: An option to restrict the number of devices users can use to enroll for mobile app authenticators like push notification, biometric, and QR-code authentication has now been included.
Enhancement:
- User enumeration prevention: An option to prevent attacks through user enumeration in the mobile app has now been introduced.
Issue fixed:
- An issue with the functioning of Accessibility VoiceOver in iOS devices has now been resolved.
Release Notes for build 6206 (Aug 18, 2022)
Issues Fixed:
- An issue with the functioning of the custom range filter in Audit Reports, when there were a large number of audit records, has now been fixed.
- A performance issue while derestricting users under License Management when there were a large number of restricted users has now been fixed.
Release Notes for build 6205 (Aug 9, 2022)
Enhancements:
- Enrollment report customization: The Enrolled Users Report and Non-enrolled Users Report can now be customized to view additional user information, such as their active status, last logon time, etc.
- Cloning existing policies: Existing self-service policy configuration settings can be copied to create multiple policies across domains now.
- Granular control over trust periods: The MFA trust period for browsers and machines can now be customized in terms of minutes, hours, or days.
Issue fixes:
- An issue with deleting licensed users who have an apostrophe character in their names has been fixed.
- An XSS issue that could potentially occur in the Conditional Access rule assignment section has been fixed.
Release Notes for build 6204 (Jul 29, 2022)
Enhancement:
- The MFA and Password Policy Enforcer features have now been extended to technicians who use product authentication.
Issue fixed:
- An issue in which the functioning of the Password Sync Agent was affected when a domain flatName was specified during domain configuration has now been fixed.
- A security vulnerability which caused authenticated remote code execution in quick enrollment configuration by super admin when connecting to MySQL database has now been fixed.
Release Notes for build 6203 (Jun 30, 2022)
Issue fixed:
- A denial-of-service attack issue (CVE-2022-34829) in the ADSelfService Plus Mobile App Deployment API has now been fixed.
For more information, refer to our security advisory page.
Release Notes for build 6202 (Jun 27, 2022)
Security enhancement:
- An option to prevent user enumeration by initiating a mock MFA process has now been included. This has been implemented to mitigate CVE-2022-28987.
Issue fixed:
- An issue in which the Change Password notification was not triggered when the operation was performed via the mobile application or mobile web browser has now been fixed.
Release Notes for build 6201 (Jun 9, 2022)
Enhancements:
- Mac Agent support has now been extended to macOS Monterey.
- XLSX format is now supported for exporting reports.
- An option to extend the portal session expiration duration to one day has now been provided.
Issues fixed:
- Performance-related issues in User Reports, Restricted Users report, Password Expiration Notification, and Unrestrict Users scheduler have now been fixed.
- An issue that blocked the database query while sending enrollment push notifications has now been resolved.
- An issue in VPN MFA when the configured MFA method was push notification has now been fixed.
Release Notes for build 6200 (May 24, 2022)
Issues fixed:
- The communication between the Password Sync Agent and the ADSelfService Plus server has now been secured with the inclusion of an access key (CVE-2021-37423). For more information, refer to our security advisory page.
- An issue which exposed the username information in the request URL sent to the ADSelfService Plus server upon successful IdP authentication has now been fixed.
- An issue where the embedded employee search option was not displaying the desired results has now been resolved.
- To enhance security, the Spring JAR files used in the product have now been updated to version 5.3.18.
Note: If you are already using the Password Sync Agent and wish to upgrade to build 6200, you must reinstall the Password Sync Agent to ensure proper functioning of the agent.
Release Notes for build 6123 (Apr 13, 2022)
Issue fixes:
- A security vulnerability which exposed admin credentials if the ADSelfService Plus server access was compromised while installing the login agent using Remcom and RemoteExec methods has now been fixed.
- A security vulnerability which caused XSS script execution in the Configured Domains page has now been fixed.
Release Notes for build 6122 (Apr 09, 2022)
- In product instances where post-action custom scripts are enabled, a security vulnerability (CVE-2022-28810) which could lead to remote code execution during password reset and password change, has been fixed. This vulnerability was reported by Hernan Diaz, Andrew Iwamaye, and Jake Baines of Rapid7.
Release Notes for build 6121 (Mar 03, 2022)
Issue Fix:
- A security vulnerability (CVE-2022-24681) which allowed XSS script execution in the reset password, unlock account, and user must change password pages has now been fixed.
- A vulnerability causing the NTLM Hash to be disclosed to operators when configuring the storage path of a remote machine in the Reports tab has now been fixed.
Release Notes for build 6120 (Feb 11, 2022)
Enhancements:
- Site-based DC Update: Lets you assign a particular set of domain controllers (DCs) to an OU so that self-service changes made by users from that OU are quickly updated in the DCs assigned to that OU.
- Password Sync tab is now equipped with the capability to deselect all the linked accounts for password reset, account unlock, and password change operations.
- An option that allows domain display name to be shown or hidden in the end-user portal/pages has now been added in the Reset & Unlock tab.
- IP-based portal restriction will now deny technician logins from blacklisted IP addresses.
- Windows MFA, which was prompted for user login and screen unlock earlier, will now be prompted only during user login.
Issues fixed:
- Glitches pertaining to MFA application to macOS machines whose names contained spaces have been resolved.
- When the login page was customized to display only the login button, the drop-down list had glitches. This issue has now been resolved.
- An issue which caused the failure of SAML SSO for custom applications since only "Exclusive Canonicalization with Comments" XML Canonicalization method was supported has now been fixed.
- An issue in which mail content was added to the syslog files has now been fixed.
- An issue specific to the Germany locale in displaying the number in the password policy enforcer text has now been fixed.
- Text customizations done in Language Customization tab for languages other than English were not reflecting. This has been fixed.
- A memory leak issue in VPN MFA's NPS extension has now been fixed.