deviceTRUST 21.1.110
This release includes new features and bug fixes to the deviceTRUST Console, Agent and Client Extension for Microsoft Windows. Please refer to Compatibility for changes that may impact users upgrading from previous releases.
The deviceTRUST 21.1.110 patch release includes additional enhancements and bugfixes.
- Component Renames
- Properties Renames
- Quick Setup Use Cases
- ADMX policies replaced with new Settings
- Azure Active Directory Conditional Access Preview
- Time-based Access
- Whois Caching
- Context and Action Operator Changes
- Shortcut Task Enhancements
- VMware Horizon Support
- Chrome OS Support with Citrix Virtual Apps and Desktops
- Minor Enhancements in 21.1.100
- Minor Enhancements in 21.1.110
- Bug Fixes in 21.1.100
- Bug Fixes in 21.1.110
- Compatibility
Component Renames
We’ve used the terms deviceTRUST Host and deviceTRUST Client since the early days of deviceTRUST, when we were completely focused on providing context into remote environments. We’ve decided to move away from these names as we have numerous compelling use cases for the local environment. The latest 21.1 release strengthens our local device support further with the introduction of Time-based Access and Azure Active Directory Conditional Access.
The deviceTRUST Host has become deviceTRUST Agent, and the deviceTRUST Client has become deviceTRUST Client Extension. For more information, please refer to the Remote and Local architecture documentation.
Properties Renames
We’ve also renamed our properties to better reflect the environments that they run in. Properties created by the local deviceTRUST Agent are now prefixed with LOCAL (previously HOST) and properties created on the remote deviceTRUST Client Extension are now prefixed with REMOTE.
For maximum compatibility, the deviceTRUST Agent will automatically convert properties from older clients, and the latest deviceTRUST Client Extension will send the old format to previous deviceTRUST Hosts. However, additional steps may be needed if these properties are referenced from within scripts. More information can be found within Compatibility.
Quick Setup Use Cases
The deviceTRUST Console now provides a new home page which includes out of the box use cases for the quick setup of common deviceTRUST scenarios. When clicked, the new use cases display a dialog offering some simple configuration including user assignment and any messages to display to the user. We hope that these become a simple entry point for those with our more common use cases and do not require the additional control provided by context and actions.
ADMX policies replaced with new Settings
We are very pleased to announce that we have removed all of our most common ADMX templates and migrated the previous functionality directly into the deviceTRUST Console. As part of this work, we have introduced new Advanced Settings, Auditing Settings, Properties Settings and Security Settings.
Azure Active Directory Conditional Access Preview
We’ve added support for Azure Active Directory Conditional Access, which can be used to control access to Azure Active Directory secured websites based on the state of the deviceTRUST Context values. After configuring the Azure AD Preview Settings, the Azure AD Preview Task can be used to set either the Compliant attribute of the local device or any one of the 15 extension attributes.
The Azure AD Preview Settings and Azure AD Preview Task remain in preview while we gain feedback on this feature.
Time-based Access
We’ve introduced a new Time Of Day operator and a new Local -> Session -> Time property, which represents the time of the local machine. These can be combined to create time-based contexts.
Our new Time-based Access for Remote and Time-based Access for Local templates demonstrate how these features can be used to effectively control time-based conditional access to the user session, or conditional application access.
Whois Caching
The Whois properties are now calculated and held in-memory by the deviceTRUST Agent or Client Extension. By analysing the network adapter used to perform the IP request, and actively monitoring the state of the network adapters, we can now determine the real Whois properties (such as the country of the device), regardless of whether the device is connected over a VPN.
A new option within the Properties Settings allows the administrator to choose to Prefer WHOIS from a physical adapter when connected to a VPN. When enabled, if a whois lookup has been determined over a physical network adapter, and that network adapter has remained connected, then the cached whois lookup from the physical network adapter will be returned.
In addition, the following new Whois properties have been added:
- Adapter - The name of the network adapter that performed the IP lookup.
- VPN - Set to true when the network adapter that performed the IP lookup is a VPN adapter.
Context and Action Operator Changes
The operators used to evaluate contexts, or to determine context filters within actions, have undergone some improvements to better define their functionality and also improve their ability to perform comparisons against multi-valued properties.
For single value properties (such as for a user name):
- The Equals operator passes if the property value equals the entered value. Accepts wildcards * and ?.
- The Not Equals operator passes if the property value does not equal the entered value. Accepts wildcards * and ?.
- The Any Of operator passes if any of the entered values are equal to the property value. Accepts wildcards * and ?.
- The None Of operator passes if none of the entered values are equal to the property value. Accepts wildcards * and ?.
For multi-valued properties (such as for pending Windows updates):
- The Equals operator passes if all of the property values equal all of the entered values. Accepts wildcards * and ?.
- The Not Equals operator passes if any of the property values do not equal any of the entered values. Accepts wildcards * and ?.
- The All Of operator passes if all of the entered values are equal to a property value. The property may contain other values. Accepts wildcards * and ?.
- The Any Of operator passes if any of the entered values are equal to a property value. The property may contain other values. Accepts wildcards * and ?.
- The None Of operator passes if none of the entered values are equal to a property value. Accepts wildcards * and ?.
- The Any Except operator passes if the property has any value except those that match an entered value. Accepts wildcards * and ?.
The significant difference to previous releases is that Equals on a multi-valued property now expects all items to be equal. The Equals operator in previous releases behaved the same as the new Any Of operator, and is automatically upgraded.
The Contains operator has been deprecated, and automatically upgrades to the Any Of operator with additional wildcards.
The Wildcard operator has been deprecated, and automatically upgrades to the Any Of operator.
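The operator semantics above, written out as an added illustration (not deviceTRUST code) so the single-valued and multi-valued behaviour, the wildcard handling and the automatic upgrade of Contains, Wildcard and the old Equals can be checked against sample values; the case-insensitive comparison and the reading of multi-valued Not Equals as the complement of Equals are assumptions.

```python
"""Context operator semantics from the deviceTRUST 21.1 release notes, as a
constructed illustration. This is not deviceTRUST code."""
import re


def wildcard_match(value: str, pattern: str) -> bool:
    """Only * and ? are wildcards; every other character is literal. Comparing
    case-insensitively is an assumption, not something the notes state."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(operator: str, prop, entered: list[str]) -> bool:
    """True when the filter passes. prop is a str for a single-valued property
    (e.g. a user name) or a list of str for a multi-valued one (e.g. pending
    Windows updates)."""

    def matched(value: str) -> bool:
        return any(wildcard_match(value, e) for e in entered)

    if isinstance(prop, str):
        single = {
            "Equals": lambda: wildcard_match(prop, entered[0]),
            "Not Equals": lambda: not wildcard_match(prop, entered[0]),
            "Any Of": lambda: matched(prop),
            "None Of": lambda: not matched(prop),
        }
        if operator not in single:
            raise ValueError(f"{operator!r} is not defined for single values")
        return single[operator]()

    values = list(prop)
    if operator == "Equals":
        # Set equivalence under wildcards: every property value matches an
        # entered value, and every entered value matches a property value.
        return all(matched(v) for v in values) and all(
            any(wildcard_match(v, e) for v in values) for e in entered)
    if operator == "Not Equals":
        # Assumed to be the complement of Equals; the notes' wording could also
        # be read the same way as Any Except.
        return not evaluate("Equals", values, entered)
    if operator == "All Of":      # the property may hold other values as well
        return all(any(wildcard_match(v, e) for v in values) for e in entered)
    if operator == "Any Of":
        return any(matched(v) for v in values)
    if operator == "None Of":
        return not any(matched(v) for v in values)
    if operator == "Any Except":  # at least one value matches nothing entered
        return any(not matched(v) for v in values)
    raise ValueError(f"unknown operator {operator!r}")


def upgrade_legacy(operator: str, entered: list[str], multi_valued: bool):
    """Map pre-21.1 operators onto the new ones, as the automatic upgrade in
    the notes does. Returns (operator, entered)."""
    if operator == "Contains":                  # Contains -> Any Of, *value*
        return "Any Of", [f"*{e}*" for e in entered]
    if operator == "Wildcard":                  # Wildcard -> Any Of, unchanged
        return "Any Of", entered
    if operator == "Equals" and multi_valued:   # old Equals acted as Any Of
        return "Any Of", entered
    return operator, entered
```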
Shortcut Task Enhancements
We’ve added support for some predefined shortcuts to our Shortcut Task, allowing shortcuts to Default Apps, Documents, Printers and Removable Storage.
VMware Horizon Support
We’ve added support for VMware Horizon protocols regardless of the platform of the remote connecting device. This will enable support for our forthcoming macOS, Ubuntu, IGEL and eLux clients.
Chrome OS Support with Citrix Virtual Apps and Desktops
We’ve added support for Chrome OS devices when connecting over Citrix ICA protocol. This will enable support for our forthcoming Chrome OS client.
Minor Enhancements in 21.1.100
- When including a report detailing why this task is executing within the Send Mail or Auditing tasks, we now include the logon and reconnect time, providing clearer identification of the user session. The loaded policies are also included. We have removed the ‘Device OS Type’ field.
- The Deny Access task option to allow shell interaction now only applies when the context changes. Previously this task would allow shell interaction on other triggers, such as logon or reconnect.
- The default log file size has been increased from 500MB to 1024MB.
- The UAC policy can now detect additional values.
- A new Continuing Logon message has been added to the System Message Settings and is displayed during logon after deviceTRUST has finished delaying the logon process.
- Added support for Windows 11.
- The content of the deviceTRUST policy file can now be encrypted on export.
- Network properties are now real-time on both the Agent and Client Extension.
- Whois lookup is now always an IPv4 lookup.
- Added support for additional quotation characters within the Property Settings queries.
Minor Enhancements in 21.1.110
- A warning message is now displayed within the Console when attempting to open a configuration created by a previous feature release. The warning message prompts the user to ensure that the deviceTRUST Agent is deployed before saving and deploying the upgraded configuration. Additional information about compatibility can be found here.
- An error message is now displayed within the Console when attempting to open a configuration from a newer feature release. Additional information about compatibility can be found here.
- An option to Require connecting devices to forward their remote properties in a multihop scenario has been added to the Property Options within the Property Settings.
Bug Fixes in 21.1.100
- Fixed an issue where a manual sign-out of the user was causing both disconnect and logoff triggers.
- Fixed an issue where the OS Release property was stuck on 2009.
- Fixed an incorrect message within the Event ID 114 - Trusted Device Auto Update Failed audit event.
- Fixed an issue where multiple Event ID 351 - Registry Updated audit events were raised when reverting printer shortcuts.
- Fixed an issue with the Windows Update Last Search and Last Install time detection where they could become Unavailable when using third party software to manage updates.
- Fixed a 5 second delay during Logon into a Citrix session when the Citrix Gateway could not be determined.
- Fixed various issues with a non-blocking logon when configured within the Advanced Settings.
- Fixed a crash uninstalling the deviceTRUST Client Extension.
- Fixed an inconsistency handling environment variable expansion within a Microsoft AppLocker task.
- Fixed an issue where the Windows Update properties become Unavailable, as seen within Event ID 101 - Logon and Event ID 102 - Reconnect.
- Fixed an issue where the OS Location properties do not wait for third party properties when the OS Location properties fail.
Bug Fixes in 21.1.110
- Fixed an issue where the User Password Age property was Unavailable when the user logged in with cached credentials. The password age property is obtained from Active Directory, hence still requires connectivity with a domain controller. However, the password age can now be determined when connectivity with the domain controller is re-established.
- Fixed an issue where the User Password Age property was determined from the domain controller whenever any of the User properties were enabled. This property is now only queried when enabled.
- Fixed an issue where some of the settings within the Location tab of the Property Options within the Property Settings could not always be toggled.
- Fixed an issue where the uninstall of the deviceTRUST Client Extension could leave an empty folder behind.
- Fixed an issue where the Shortcut Task could use the wrong icon when creating a Default Apps shortcut on Windows Server 2022.
- Fixed an issue where the queries within the Property Settings would fail entirely if one of the lines failed to parse.
- Fixed an issue where some triggers and dynamic changes to properties would fail if the Remote Desktop Services role was added after the installation of the deviceTRUST Agent.
Compatibility
This compatibility section builds on our general approach to compatibility which can be found on the compatibility page.
If upgrading from a release earlier than deviceTRUST 20.2.400, be sure to refer to the deviceTRUST 20.2.400 Compatibility notes.
The deviceTRUST Agents can read policies created by previous releases of the deviceTRUST Console. However, they cannot read policies created by a newer console. Therefore, you must ensure that the deviceTRUST Agent 21.1.100 is deployed before applying policy that has been written by the deviceTRUST Console 21.1.100 or later.
The deviceTRUST Agent 21.1.100 cannot read the ADMX Administrative Templates created by previous releases.
ADMX policy definitions have largely been removed. Only the auto-update and mobile integration remain. If you are not using these policy definitions, there is no requirement to deploy them within Active Directory.
Citrix Virtual Channel Security
When using Citrix Virtual Apps and Desktops, a change to the Virtual channel allow list may be required to accommodate the new name of the deviceTRUST Agent. More details can be found here.
Removal of the printer shortcuts
In previous releases, the Printer Settings included an option to Create Printers desktop icon. This option has been removed in 21.1 because the Shortcut task can accomplish this and more. To recreate this functionality:
- Within an action, click Add new trigger, choose Trigger and ensure Logon and Reconnect (or Unlock) are selected before clicking OK.
- Click Add new task under the new sequence and select Shortcut.
- Enter a Shortcut Name of ‘Printers’.
- Choose a Predefined shortcut type and select Printers within the dropdown.
- Change to Automatically undo when the user logs off.
- Click OK and ensure you save your changes.
Whois is now always IPv4
In previous releases, the Whois properties could return an IPv6 network address. Some users have reported that their Whois results can vary between IPv4 and IPv6 addresses, so for consistency we now always return an IPv4 address.
Removal of the Persistence settings
The Persistence Settings have been removed and the functionality has been moved into the Property Settings.
The global control of whether properties are written to the Windows Event Log, Windows Registry, Environment Variable, or made available on the Command Prompt can be configured by clicking on the Options button in the top right corner of the Property Settings and selecting the General tab.
Control of individual properties can be configured by clicking Create new local/remote property setting on the Property Settings page. Select the category of property and then choose whether the property is persisted to the desired location.
Control of individual contexts can be configured by clicking Options in the top right corner when viewing or editing a context.
The previous Persist to a session specific location setting has been moved into the Advanced Settings on the Properties tab and labelled Persist properties to a session specific location.
Upgrading legacy ADMX to new settings
The ADMX Administrative Templates have largely been removed and are no longer recognised by the deviceTRUST Agent 21.1.100. The following list details where the removed ADMX policies can now be found within the deviceTRUST Console.
Administrative Templates\deviceTRUST\Auditing
Control of which audit events to raise can now be found within Auditing Settings on the Settings tab. Click Create new setting and then choose Auditing and click OK. Locate the auditing events that you would like to enable or disable and toggle the state accordingly.
Administrative Templates\deviceTRUST\Properties\Device Filter (and Host Filter)
Property filters and queries can now be found within Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK.
Property settings can be used to control which properties are read by the local agent, or remote client extensions. This overrides the default behavior which collects only the properties referenced within a context. Choose either Local or Remote and then click Create new local/remote property setting. Select the category of properties, and then toggle the Enabled state accordingly for each property.
Property queries can be used to limit the array index properties (such as Networks, Printers, Access Points, etc.) to only those required. Choose either Local Query or Remote Query and then click Create new local/remote query. Select the category of property and then enter the query.
Administrative Templates\deviceTRUST\Properties\Location
The Location settings have moved into the Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK. Click the Options button in the top right corner of the Property Settings and select the Location tab. Configure the location services to the desired configuration.
Administrative Templates\deviceTRUST\Properties\Whois
Whois has moved into the Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK. Click the Options button in the top right corner of the Property Settings and select the WHOIS tab. Configure whois to the desired values.
The ADMX Administrative Template Interval between WHOIS updates has been deprecated. In 21.1, the WHOIS properties are automatically updated whenever there is a change to the connected network.
Administrative Templates\deviceTRUST\Properties\Multihop
Control of multihop properties has moved into the Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK. Choose Multihop and then click Create new multihop property setting, then toggle the Enabled state accordingly for each property.
Administrative Templates\deviceTRUST\Security
The security policies have moved into the Security Settings on the Settings tab. Click Create new setting and then choose Security and click OK. Configure the security to the desired values.
Administrative Templates\deviceTRUST\Shell Access
The policy ‘Method used to block logon whilst properties are read from the remote device’ can now be found within the Advanced Settings on the Connection tab and labelled ‘Block the user session during logon and reconnect’.
The policy ‘Remoting protocols that deviceTRUST will use when attempting to establish properties from the remote device’ can now be found within the Advanced Settings on the Connection tab. This policy has been split into multiple options labelled ‘Establish connection with remote devices over <PROTOCOL>’.
The policy ‘Timeout whilst waiting for properties from the remote device’ can now be found within the Advanced Settings on the Connection tab and labelled ‘Maximum time to wait in seconds for properties from the remote device’.
The policy ‘Timeout before automatically disconnecting users from an untrusted device’ has been deprecated. Use a Deny Access task instead to disconnect users and specify a suitable timeout within the task.
The policy ‘Disallow connections from trusted devices not supporting application level encryption’ can now be found within the Advanced Settings on the Connection tab and labelled ‘Deny access to remote devices not supporting application level encryption’.
The policy ‘Disallow connections from trusted devices not meeting the minimum client version’ has been deprecated. Create a suitable context to detect older deviceTRUST Client Extension versions and deny access using a Deny Access task.
The policies ‘Users allowed access from an untrusted device’ and ‘Users denied access from an untrusted device’ have been deprecated. Create a suitable context to detect a missing deviceTRUST Client Extension, and another to select the users to target. Use these contexts to control when a Deny Access task is executed.
Administrative Templates\deviceTRUST\Triggers
The policy ‘Wait for LOGON triggers before displaying the virtual session’ can now be found within the Advanced Settings on the Actions tab and labelled ‘Wait for Logon triggers before displaying the virtual session’.
The policy ‘Wait for RECONNECT triggers before displaying the virtual session’ can now be found within the Advanced Settings on the Actions tab and labelled ‘Wait for Reconnect triggers before displaying the virtual session’.
The policy ‘Refresh host properties before LOGON SHELL START’ can now be found within the Advanced Settings on the Properties tab and labelled ‘Refresh local properties before Logon Shell Start’.
The policy ‘Refresh host properties before LOGON SHELL READY and RECONNECT SHELL READY’ can now be found within the Advanced Settings on the Properties tab and labelled ‘Refresh local properties before Logon Shell Ready and Reconnect Shell Ready’.