New features in version 5.0
Ansible support (224151)
Infrastructure Administrators can use Ansible 2.9 or later for the following functions, including generating reports.
- Install, upgrade, and uninstall Safeguard Authentication Services (SAS) software packages and create reports to summarize software deploy status
- Configure and join Safeguard Authentication Services to my AD domain including:
Perform preflight checks
Modify users/groups.allow and users/groups.deny
Modify user/group overrides
Join/unjoin SAS from domain
Create reports to summarize configure/join status
Authentication Services Ansible Collection
The One Identity Authentication Services Ansible Collection, referred to as ansible-authentication-services, consists of roles, modules, plugins, report templates, and sample playbooks to automate software deployment, configuration, Active Directory joining, profiling, and report generation for Safeguard Authentication Services. Go to: https://github.com/OneIdentity/ansible-authentication-services.
For Ansible information consult:
NOTE: One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. This includes all scripts, plugins, SDKs, modules, code snippets or other solutions. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.
Explicit mapping of users to valid certificates (smart card) (198067)
Mapping certificates to users can be done implicitly or explicitly. Authentication Services supports mapping one cert to one user or mapping multiple certs to one user. Mapping one cert to multiple users is not supported. For details, see the Smart Cards Administration Guide, Map certificate to user (implicit and explicit).
Group policy updates (198055)
Safeguard Authentication Services can apply additional policies to Unix systems:
- mac OS X policies are updated
- Privileged Manager Policies are updated
License validator (198066)
New licenses have to be added prior to upgrading to version 5.0. If you have a mixed environment with some clients running on 5.0 and some running on an older version, you will need to have both licenses available.
CAUTION: If you upgrade Safeguard for Authentication Services before adding the license, the caches will empty and SAS will be unusable. You can add the license then either rejoin or restart vasd and run vastool flush. You can update the Control Center any time without issue.
Windows Administrators can load the Safeguard Authentication Services license into Active Directory.
Unix Administrators must have a current license.
macOS: Added functionality (198050)
The following functionality was added for macOS platforms. For additional information, see KB 322901.
- Installation is from the One Identity Support page.
- In Application Properties, an Options tab has been added to control App Store and Game Center settings. For example, you can choose to allow software update notifications.
- In Media Access Properties, there are two new settings:
- Allow AirDrop
- Allow transfers with Finder or iTunes
- Software Update Properties have been added related to purchasing or installing apps.
- System Preference Properties selection was enhanced.
- Wireless Profile Properties now include the ability to use hidden networks, auto join networks, proxies, protocol configurations, and authentication. This policy also works with vascert to provide a certificate that can be used to join a network.
Support for unattended join using Windows Offline Domain Join (ODJ) credentials (198057)
An Administrator can use a Windows Offline Domain Join (ODJ) credential instead of a keytab for scripting an unattended installation of Safeguard Authentication Services to enhance security.
There must be connectivity from the Unix machine to domain controllers. When using this method of joining AD, the [domain] is not needed on the vastool join command, nor credentials. That information will come from the file. More information is in the vastool man page.
The join can work in the following ways:
- vastool join -j <path to the offline join file>
- vastool join and use the ENV option AUTHENTICATION_SERVICES_DJOIN_FILE set to the location of a valid djoin file.
- vastool join and /tmp/AUTHENTICATION_SERVICES_DJOIN file will be used if that file exists, and is a valid djoin file.
For more information, see vastool man page and search for djoin.