deviceTRUST 23.1.400 for Windows, Ubuntu, macOS and iOS is now available.
×

deviceTRUST 21.1.110

This release includes new features and bug fixes to the deviceTRUST Console, Agent and Client Extension for Microsoft Windows. Please refer to Compatibility for changes that may impact users upgrading from previous releases.

The deviceTRUST 21.1.110 patch release includes additional enhancements and bugfixes.

  1. Component Renames
  2. Properties Renames
  3. Quick Setup Use Cases
  4. ADMX policies replaced with new Settings
  5. Azure Active Directory Conditional Access Preview
  6. Time-based Access
  7. Whois Caching
  8. Context and Action Operator Changes
  9. Shortcut Task Enhancements
  10. VMware Horizon Support
  11. Chrome OS Support with Citrix Virtual Apps and Desktops
  12. Minor Enhancements in 21.1.100
  13. Minor Enhancements in 21.1.110
  14. Bug Fixes in 21.1.100
  15. Bug Fixes in 21.1.110
  16. Compatibility
    1. Citrix Virtual Channel Security
    2. Removal of the printer shortcuts
    3. Whois is now always IPv4
    4. Removal of the Persistence settings
    5. Upgrading legacy ADMX to new settings

Component Renames

We’ve used the terms deviceTRUST Host and deviceTRUST Client since the early days of deviceTRUST, when we were completely focused on providing context into remote environments. We’ve decided to move away from these names as we have numerous compelling use cases for the local environment. The latest 21.1 release strengthens our local device support further with the introduction of Time-based Access and Azure Active Directory Conditional Access.

The deviceTRUST Host has become deviceTRUST Agent, and the deviceTRUST Client has become deviceTRUST Client Extension. For more information, please refer to the Remote and Local architecture documentation.

Properties Renames

We’ve also renamed our properties to better reflect the environments that they run in. Properties created by the local deviceTRUST Agent are now prefixed with LOCAL (previously HOST) and properties created on the remote deviceTRUST Client Extension are now prefixed with REMOTE.

For maximum compatibility, the deviceTRUST Agent will automatically convert properties from older clients, and the latest deviceTRUST Client Extension will send the old format to previous deviceTRUST Hosts. However additional steps may be needed if these properties are referenced from within scripts. More information can be found within Compatibility.

Quick Setup Use Cases

The deviceTRUST Console now provides a new home page which includes out of the box use cases for the quick setup of common deviceTRUST scenarios. When clicked, the new use cases display a dialog offering some simple configuration including user assignment and any messages to display to the user. We hope that these become a simple entry point for those with our more common use cases and do not require the additional control provided by context and actions.

The new home page showing out of the box use cases.
The new home page showing out of the box use cases.
The Unauthorized USB For Remoting use case.
The Unauthorized USB For Remoting use case.

ADMX policies replaced with new Settings

We are very pleased to announce that we have removed all of our most common ADMX templates and migrated the previous functionality directly into the deviceTRUST Console. As part of this work, we have introduced new Advanced Settings, Auditing Settings, Properties Settings and Security Settings.

The new Properties settings page.
The new Properties settings page.

Azure Active Directory Conditional Access Preview

We’ve added support for Azure Active Directory Conditional Access, which can be used to control access to Azure Active Directory secured websites based on the state of the deviceTRUST Context values. After configuring the Azure AD Preview Settings, the Azure AD Preview Task can be used to set either the Compliant attribute of the local device or any one of the 15 extension attributes.

The new Azure AD Preview Settings.
The new Azure AD Preview Settings.
The new Azure AD Preview Task, allowing compliance or extension attributes to be set for the local device.
The new Azure AD Preview Task, allowing compliance or extension attributes to be set for the local device.

The Azure AD Preview Settings and Azure AD Preview Task remain in preview while we gain feedback on this feature.

Time-based Access

We’ve introduced a new Time Of Day operator, and a new Local -> Session -> Time property which represents the time of the local machine, which can be combined to create time-based contexts.

The new Time Of Day operator and Time property.
The new Time Of Day operator and Time property.

Our new Time-based Access for Remote and Time-based Access for Local templates demonstrate how these features can be used to effectively control time-based conditional access to the user session, or conditional application access.

Whois Caching

The Whois properties are now calculated and held in-memory by the deviceTRUST Agent or Client Extension. By analysing the network adapter used to perform the IP request, and actively monitoring the state of the network adapters, we can now determine the real Whois properties (such as the country of the device), regardless of whether the device is connected over a VPN.

A new option within the Properties Settings allows the administrator to choose to Prefer WHOIS from a physical adapter when connected to a VPN. When enabled, if a whois lookup has been determined over a physical network adapter, and that network adapter has remained connected, then the cached whois lookup from the physical network adapter will be returned.

In addition, the following properties new Whois properties have been added:

  • Adapter - The name of the network adapter that performed the ip lookup.
  • VPN - Set to true when the network adapter that performed the ip lookup is a VPN adapter.

Context and Action Operator Changes

The operators used to evaluate contexts, or to determine context filters within actions, have undergone some improvements to better define their functionality and also improve their ability to perform comparisons against multi-valued properties.

For single value properties (such as for a user name):

  • The Equals operator passes if the property value equals the entered value. Accepts wildcards * and ?.
  • The Not Equals operator passes if the property value does not equal the entered value. Accepts wildcards * and ?.
  • The Any Of operator passes if any of the entered values are equal to the property value. Accepts wildcards * and ?.
  • The None Of operator passes if none of the entered values are equal to the property value. Accepts wildcards * and ?.

For multi valued properties (such as for pending Windows updates):

  • The Equals operator passes if all of the property values equal all of the entered values. Accepts wildcards * and ?.
  • The Not Equals operator passes if any of the property values do not equal any of the entered values. Accepts wildcards * and ?.
  • The All Of operator passes if all of the entered values are equal to a property value. The property may contain other values. Accepts wildcards * and ?.
  • The Any Of operator passes if any of the entered values are equal to a property value. The property may contain other values. Accepts wildcards * and ?.
  • The None Of operator passes if none of the entered values are equal to a property value. Accepts wildcards * and ?.
  • The Any Except operator passes if the property has any value except those that match an entered value. Accepts wildcards * and ?.

The significant difference to previous releases, is that Equals on a multi valued property now expects all items to be equal. The Equals operator in previous releases behaved the same as the new Any Of operator, and is automatically upgraded.

The Contains operator has been deprecated, and automatically upgrades to the Any Of operator with additional wildcards.

The Wildcard operator has been deprecated, and automatically upgrades to the Any Of operator.

Shortcut Task Enhancements

We’ve added support for some predefined shortcuts to our Shortcut Task, allowing shortcuts to Default Apps, Documents, Printers and Removable Storage.

The new predefined shortcuts.
The new predefined shortcuts.

VMware Horizon Support

We’ve added support for VMware Horizon protocols regardless of the platform of the remote connecting device. This will enable support for our forthcoming macOS, Ubuntu, IGEL and eLux clients.

Chrome OS Support with Citrix Virtual Apps and Desktops

We’ve added support for Chrome OS devices when connecting over Citrix ICA protocol. This will enable support for our forthcoming Chrome OS client.

Minor Enhancements in 21.1.100

  • When including a report detailing why this task is executing within the Send Mail or Auditing tasks, we now include the logon and reconnect time providing clearer identification of the user session. The loaded policies are also included. We have removed the ‘Device OS Type’ field.
  • The Deny Access task option to allow shell interaction now only applies when the context changes. Previously this task would allow shell interaction on other triggers, such as logon or reconnect.
  • The default log file size has been increased from 500MB to 1024MB.
  • The UAC policy can now detect additional values.
  • A new Continuing Logon message has been added to the System Message Settings and is displayed during logon after deviceTRUST has finished delaying the logon process.
  • Added support for Windows 11.
  • The content of the deviceTRUST policy file can now be encrypted on export.
  • Network properties are now real-time on both the Agent and Client Extension.
  • Whois lookup is now always an IPv4 lookup.
  • Added support for additional quotation characters within the Property Settings queries.

Minor Enhancements in 21.1.110

  • A warning message is now displayed within the Console when attempting to open a configuration created by a previous feature release. The warning message prompts the user to ensure that the deviceTRUST Agent is deployed before saving and deploying the upgraded configuration. Additional information about compatibility can be found here.
  • An error message is now displayed within the Console when attempting to open a configuration from a newer feature release. Additional information about compatibility can be found here.
  • An option to Require connecting devices to forward their remote properties in a multihop scenario has been added to the Property Options within the Property Settings.

Bug Fixes in 21.1.100

  • Fixed an issue where a manual sign-out of the user was causing both disconnect and logoff triggers.
  • Fixed an issue where the OS Release property was stuck on 2009.
  • Fixed an incorrect message within the Event ID 114 - Trusted Device Auto Update Failed audit event.
  • Fixed an issue where multiple Event ID 351 - Registry Updated audit events were raised when reverting printer shortcuts.
  • Fixed an issue with the Windows Update Last Search and Last Install time detection where they could become Unavailable when using third party software to manage updates.
  • Fixed a 5 second delay during Logon into a Citrix session when the Citrix Gateway could not be determined.
  • Fixed various issues with a non-blocking logon when configured within the Advanced Settings.
  • Fixed a crash uninstalling the deviceTRUST Client Extension.
  • Fixed an inconsistency handling environment variable expansion within a Microsoft AppLocker task.
  • Fixed an issue where the Windows Update properties become Unavailable, as seen within Event ID 101 - Logon and Event ID 102 - Reconnect.
  • Fixed an issue where the OS Location properties do not wait for third party properties when the OS Location properties fail.

Bug Fixes in 21.1.110

  • Fixed an issue where the User Password Age property was Unavailable when the user logged in with cached credentials. The password age property is obtained from Active Directory, hence still requires connectivity with a domain controller. However, the password age can now be determined when connectivity with the domain controller is re-established.
  • Fixed an issue where the User Password Age property was determined from the domain controller whenever any of the User properties were enabled. This property is now only queried when enabled.
  • Fixed an issue where some of the settings within the Location tab of the Property Options within the Property Settings could not always be toggled.
  • Fixed an issue where the uninstall of the deviceTRUST Client Extension could leave an empty folder behind.
  • Fixed an issue where the Shortcut Task could use the wrong icon when creating a Default Apps shortcut on Windows Server 2022.
  • Fixed an issue where the queries within the Property Settings would fail entirely if one of the lines failed to parse.
  • Fixed an issue where some triggers and dynamic changes to properties would fail if the Remote Desktop Services role was added after the installation of the deviceTRUST Agent.

Compatibility

This compatibility section builds on our general approach to compatibility which can be found on the compatibility page.

If upgrading from a release earlier than deviceTRUST 20.2.400, be sure to refer to the deviceTRUST 20.2.400 Compatibility notes.

The deviceTRUST Agents can read policies created by previous releases of the deviceTRUST Console. However, they cannot read policies created by a newer console. Therefore, you must ensure that the deviceTRUST Agent 21.1.100 is deployed before applying policy that has been written by the deviceTRUST Console 21.1.100 or later.

The deviceTRUST Agent 21.1.100 cannot read the ADMX Administrative Templates created by previous releases.

ADMX policy definitions have largely been removed. Only the auto-update and mobile integration remain. If you are not using these policy definitions, there is no requirement to deploy them within Active Directory.

Citrix Virtual Channel Security

When using Citrix Virtual Apps and Desktops, a change to the Virtual channel allow list may be required to accomodate the new name of the deviceTRUST Agent. More details can be found here.

Removal of the printer shortcuts

In previous releases, the Printer Settings included an option to Create Printers desktop icon. This option has been removed in 21.1 because the Shortcut task can accomplish this and more. To recreate this functionality:

  • Within an action, click Add new trigger, choose Trigger and ensure Logon and Reconnect (or Unlock) are selected before clicking OK.
  • Click Add new task under the new sequence and select Shortcut.
  • Enter a Shortcut Name of ‘Printers’.
  • Choose a Predefined shortcut type and select Printers within the dropdown.
  • Change to Automatically undo when the user logs off.
  • Click OK and ensure you save your changes.

Whois is now always IPv4

In previous releases, the Whois properties could return an IPv6 network address. Some users have reported that their Whois results can vary between IPv4 and IPv6 addresses, so for consistency we now always return an IPv4 address.

Removal of the Persistence settings

The Persistence Settings have been removed and the functionality has been moved into the Property Settings.

The global control of whether properties are written to the Windows Event Log, Windows Registry, Environment Variable, or made available on the Command Prompt can be configured by clicking on Options button in the top right corner of the Property Settings and selecting the General tab.

Control of individual properties can be configured by clicking Create new local/remote property setting on the Property Settings page. Select the category of property and then choose whether the property is persisted to the desired location.

Control of individual contexts can be configured by clicking Options in the top right corner when viewing or editing a context.

The previous Persist to a session specific location has been moved into the Advanced Settings on the Properties tab and labelled Persist properties to a session specific location.

Upgrading legacy ADMX to new settings

The ADMX Administrative Templates have largely been removed and is no longer recognised by the deviceTRUST Agent 21.1.100. The following list details where the removed ADMX policies can now be found within the deviceTRUST Console.

Administrative Templates\deviceTRUST\Auditing

Control of which audit events to raise can now be found within Auditing Settings on the Settings tab. Click Create new setting and then choose Auditing and click OK. Locate the auditing events that you would like to enable or disable and toggle the state accordingly.

Administrative Templates\deviceTRUST\Properties\Device Filter (and Host Filter)

Property filters and queries can now be found within Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK.

Property settings can be used to control which properties are read by the local agent, or remote client extensions. This overrides the default behavior which collects only the properties referenced within a context. Choose either Local or Remote and then click Create new local/remote property setting. Select the category of properties, and then toggle the Enabled state accordingly for each property.

Property queries can be used to limit the array index properties (such as Networks, Printers, Access Points, etc) to only those required. Choose either Local Query or Remote Query and then click Create new local/remote query. Select the category of property and then enter the query.

Administrative Templates\deviceTRUST\Properties\Location

Location have moved into the Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK. Click the Options button in the top right corner of the Property Settings and select the Location tab. Configure the location services to the desired configuration.

Administrative Templates\deviceTRUST\Properties\Whois

Whois has moved into the Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK. Click the Options button in the top right corner of the Property Settings and select the WHOIS tab. Configure whois to the desired values.

The ADMX Administrative Template Interval between WHOIS updates has been deprecated. In 21.1, the WHOIS properties are automatically updated whenever there is a change to the connected network.

Administrative Templates\deviceTRUST\Properties\Multihop

Control of multihop properties has moved into the Property Settings on the Settings tab. Click Create new setting and then choose Properties and click OK. Choose Multihop and the click Create new multihop property setting and then toggle the Enabled state accordingly for each property.

Administrative Templates\deviceTRUST\Security

The security policies have moved into the Security Settings on the Settings tab. Click Create new setting and then choose Security and click OK. Configure the security to the desired values.

Administrative Templates\deviceTRUST\Shell Access

The policy Method used to block logon whilst properties are read from the remote device can now be found within the Advanced Settings on the Connection tab and labelled Block the user session during logon and reconnect.

The policy Remoting protocols that deviceTRUST will use when attempting to establish properties from the remote device can now be found within the Advanced Settings on the Connection tab. This policy has been split into multiple options labelled Establish connection with remote devices over <PROTOCOL>.

The policy Timeout whilst waiting for properties from the remote device can now be found within the Advanced Settings on the Connection tab and labelled Maximum time to wait in seconds for properties from the remote device.

The policy Timeout before automatically disconnecting users from an untrusted device has been deprecated. Use a Deny Access task instead to disconnect users and specify a suitable timeout within the task.

The policy Disallow connections from trusted devices not supporting application level encryption can now be found within the Advanced Settings on the Connection tab and labelled Deny access to remote devices not supporting application level encryption.

The policy Disallow connections from trusted devices not meeting the minimum client version has been deprecated. Create a suitable context to detect older deviceTRUST Client Extension versions and deny access using a Deny Access task.

The policies Users allowed access from an untrusted device and Users denied access from an untrusted device have been deprecated. Create a suitable context to detect a missing deviceTRUST Client Extension, and another to select the users to target. Use these contexts to control when a Deny Access task is executed.

Administrative Templates\deviceTRUST\Triggers

The policy Wait for LOGON triggers before displaying the virtual session can now be found within the Advanced Settings on the Actions tab and labelled Wait for Logon triggers before displaying the virtual session.

The policy Wait for RECONNECT triggers before displaying the virtual session can now be found within the Advanced Settings on the Actions tab and labelled Wait for Reconnect triggers before displaying the virtual session.

The policy Refresh host properties before LOGON SHELL START can now be found within the Advanced Settings on the Properties tab and labelled Refresh local properties before Logon Shell Start.

The policy Refresh host properties before LOGON SHELL READY and RECONNECT SHELL READY can now be found within the Advanced Settings on the Properties tab and labelled Refresh local properties before Logon Shell Ready and Reconnect Shell Ready.