BeyondInsight and Password Safe 24.1.1 Release Notes

May 23, 2024

New Features and Enhancements

Configuration

Added a new option to the Configuration page: Identity Security Insights > Connect to Identity Security Insights.
- Enabling this connector key allows Password Safe to forward discovery scan events to Identity Security Insights. This provides visibility into possible attack paths, identity-based threats, and identity hygiene issues.
SAML Configuration has been updated so that incoming SAML communications (Assertions, Response) can no longer be signed using SHA1 by the Identity Provider. This is disabled for security purposes.

Developer Platform

All components and services using .NET 6/7 have been updated to .NET 8.

Analytics & Reporting

Added a Retrieval Reason column to the Password Safe > Activity report to display the comments for any release request listed in the report.

Password Safe

Changed API Authentication Failure email notification logic so that new deployments of BeyondInsight and Password Safe do not send email notifications when API authentication failures occur.
Updated the bundled ECM Password Safe Plugin to version 24.1.2.
Added Change Password after Release and Enable API Access options to the Disable at Rest onboarding Smart Rule action.

Password Safe Cloud

Renamed the Update column on Resource Broker grids to Update Available.
Added links to release notes in the Update Available column on Resource Brokers grids, for resource brokers that can be updated or are being updated.
Added a DNS Name filter to the Resource Zones > Brokers grid when accessing that area from a specific resource broker.

Issues Resolved

Resolved a foreign key constraint issue with the daily sync job (relating to the Change Queue fact table and Managed Account dimension table).
- Now, the sync job handles the data in a way that avoids this constraint issue.
Increased security around Smart Rule editing.
Resolved an issue where updating an existing SAML configuration prompted the user to include the IdP certificate.
- Now, the certificate is only required on the Create page.
Resolved an issue in the Web Policy Editor, where sometimes a Save button appeared on the policy editing page, which caused the editor to hang when used.
- Now, only the appropriate Save & Unlock button appears, and the editor works without hanging.
Resolved an issue in the Activation Key generated command line text that prevented OAuth communications with Endpoint Privilege Management agents in Password Safe Cloud environments.
- New users created using the API now respect the TOTP Two-Factor Authentication restrictions as set in BeyondInsight configuration, the same as manually created users do.
Resolved an issue affecting proper generation of user audits of Secrets Safe activity.
IP and X-Forwarded-For authentication rules are now evaluated on every API call instead of only on authentication/sign-in.
Resolved an issue with the IP Allow List, where attempting to enable network restrictions would fail if at least one resource broker exists that has not yet been upgraded to at least version 24.1.0.
Resolved an issue with the IP Allow List where, upon resource broker validation, if a large number of resource brokers were not in the allow list, the notification message was taking up the entire screen.
- The notification message has been adjusted and scrollbars added for proper visibility.
Improved the performance for Managed Account onboarding Smart Rules for some scenarios.
Resolved an issue where a Secrets Safe secret could not be deleted if the ownership is assigned to Entire Team.
Resolved an issue where upgrades from versions 23.1.1 and earlier would reset the TOTP configuration settings.
Resolved an issue where a Password Mismatch email notification was incorrectly sent when a Password Test failed against a Windows system because it was unreachable or failed to connect.
Resolved an issue where scans were not updating the IP address for managed systems when the IP address is reverted to a previous IP.
Resolved an issue where the Events grid in Managed Account Advanced Details was slow to populate.
Resolved an issue where Smart Rule processing would fail due to propagation actions being applied to accounts that were not inserted into the database.
- Now, managed accounts that are not onboarded do not cause the propagation action to fail.
Increased the timeout for HttpClient used to proxy Endpoint Privilege Management requests.
- Now, exports from Privilege Management Reporting within BeyondInsight succeed even with very large data sets.

Known Issues

When establishing a connection between the Workforce Passwords extension and your Password Safe instance, if there is a space at the end of the URL in the extension, a DNS address could not be found error occurs.
- Workaround: Avoid adding any extra spaces at the end of the URL when using the Workforce Passwords extension. This issue is being resolved for an upcoming release.

Issues discovered after release can be found within our product Knowledge Base.

Notes

Direct upgrades to 24.1.1 are supported from BeyondInsight versions 22.2 or later releases.
BeyondInsight 24.1.1 supports SQL Server 2016 SP2 or higher.
This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
The MD5 signature is: cfee455464f5589b49d2143872441f55
The SHA-1 signature is: 1bdcef294a47e6e201a62b5edaafcd435d3deaab
The SHA-256 signature is: ce70c722ba9c99e4b3e791a94eef88d5ce8b22ef6cebe286c0ac0c7f9abf2756

Deprecation Notice

BeyondInsight 24.1.1 still supports the following features that are planned to be removed in upcoming releases:

Team Passwords Public API Endpoints: Planned for the 24.2 release. You must update scripts to use the corresponding Secrets Safe API endpoints.
Analytics & Reporting > Clarity: Clarity and related reports and configuration. Release to be determined.
About > BeyondInsight Analysis: Release to be determined.