Arculix Device Trust release notes

Now supporting macOS 15 Sequoia

Upgraded to the latest libfido2 to get CVE-2022-3786 fixes

The install size has been reduced by 11.6mb and external dependencies have been removed

The countdown timer has been removed from the UI

Fixed an issue when trying to login using Yubikey where it takes time to be recognized after waking up the workstation

Fixed an issue with password factor as a post authentication policy resulting in a pending MFA request

Enhanced memory efficiency for network operations and security key handling

Symbol answer is now reported in the log.

Policy for Post-Authentication w/ action Require Password Factor requires password factor enabled.

Support logging in with multiple users on the same MAC via VNC.

Authentication message isn't initialized at times.

Avoid multiple ADCS re-enrollments in case of expiration.

Added CEPolicyServerUrl RTC setting to specify the enrollment policy server.

Add the following RTC settings:

If CEPolicyServerURL is empty, the url will be discovered.

Symbol answer is now reported in the log.

Policy for Post-Authentication w/ action Require Password Factor requires password factor enabled.

Retrieve and use credentials for RDP sessions.

Other providers Sign-in option appears on first lock for standard user.

Support using system-wide proxy settings.

ATAgent crash when switching users.

Enable Control Flow Guard.

Cert expiration doesn’t renew.

Enrollment metadata no longer outputted in info logs.

KSP is now MS signed after switching to HSM signing.

Builds are now SA signed using sha256.

KSP certificate login causes double MFA on next launch.

Authentication message isn’t initialized at times.

macOS - Extensive logs around the proxy detection logic

macOS - Enabled install for macOS Sonoma 14 minor revisions (14.1 etc)

Windows - Improve Username/Password mode

Windows - Password field shown while passwordless

Windows - Enable Windows 11 KSP support by submitting the KSP module to Microsoft for signing

macOS - Ensures system proxy detection on macOS only kicks in when the RTC file allows it

macOS - Several fixes for handling corner cases when executing PAC files

macOS - Crash when policy to auto login is enabled

macOS - SALock cancel button doesn’t reappear when the MFA window closes with an error

macOS - In SA Lock Screen: You can see 1 fraction of a second the desktop when unlock in a specific circumstance

Windows - Win 10 with TPM - remote locking crashes credential provider

Support using system wide proxy settings

“Sign in >” on the login window has been changed to a button

Added another change for broken Sonoma beta. Now SALock runs after login

Improve Username/Password mode

Emergency help desk code

Device Trust does not accept more than 6 digits (Temporary PIN)

The login window functionality has returned for macOS Sonoma (Apple fixed their issues)

Added padding around button images

Various UI changes

SALock crashes on SMS

Enabled system proxy support

No “Sign-in request denied” message after 3 incorrect SMS/Email codes.

Push doesn’t work with PasswordLessEnabled = false (temporary pin)

SALock - Only part of the screen is covered

Crash if system proxy port is empty

Add Windows Native HTTP Client

Add support for Emergency help desk code

Device Trust does not accept more than 6 digits (Temporary PIN)

Improve Username/Password mode

Various UI changes

AllowTOTPFactor set to false on Windows not blocking TOTP code

Fixed pair QR scaling and spacing

BLE QR scaling and horizontal centering

Fix for Faye connection not working when intermediate cert is missing in the chain

No “Sign-in request denied” message after 3 incorrect SMS/Email codes

Password field shown while passwordless

SALock – The Cancel button is now hidden while the MFA window is running

SALock – The Sign in button is now hidden when the MFA window is automatically shown

SALock – Add user’s profile picture like the Lock Screen

Net check fails when using system proxy

Implement ReplaceLockScreen setting. When enabled, SALock will show after boot. It will also appear when the user is locked, after Apple’s lock screen has been authenticated.

Certificate authentication doesn’t work from the lock screen

Added a new Lock Screen option to require 2 factors (SALock)

General fixes and improvements to overall functionality

Added logging to output authentication result when debug is enabled

Certificate authentication doesn’t work from the lock screen

Configure log level output at runtime. Currently, a rebuild is required to enable debug/trace log output. This causes back and forth communication and time which could be avoided with this new ability.

macOS - HTTP proxy can now be disabled using RTC files

Show the user’s Display Name instead of the username on the MFA window

Make agent settings available on the command prompt.

Add User-Agent string to HTTP headers in Faye

Added optional symbol support to Push Notifications for enhanced security

Added App Link support allowing users to scan QR codes with device cameras invoking a link to the Arculix mobile app

Added support for pinning intermediate issuers

Added performance improvement for faster startup

Factors can now be removed based on risk score

Improve network diagnosis checks in ATAgent command-line tool

Fixed an issue where user parsing fails when computer name is the same as the username

Fixed an issue where users are randomly unpaired on macOS

Support for eGuardian certificates issued by enterprise CA’s

Windows - Capture the device serial number to send with the heartbeat

Handle new error message to show “Time is out of sync for this device” instead of ”No response from server…”

macOS - Support login with users that have no identity

macOS - Capture the device serial number to send with the heartbeat

Fixed an issue related to authentication via SMS causing a “TOTP Failure” message in Recent Transactions

Device Trust has been rebranded to Arculix

Authentication is no longer required after pairing

macOS - Fixed an issue where macOS gets blocked booting with Arculix installed

Fixed an issue with pairing via TOTP

macOS - Added new settings used to disable login under macOS safe mode

macOS - Provide help on the pair dialog

macOS - Add Security key PIN support

macOS - Smart card readers displaying wrong messages and not signing in

User unpairs when connected through WiFi portal

macOS - Upgrade from Big Sur to Monterey disables the authorization plugin

Windows - ATAgent doesn’t shutdown on upgrade

Windows - Security key improvements

Windows - Support PIN for Security Key

macOS - Provide the ability to skip pairing

Windows - Step up authentication with password based on last login time

macOS - Require MFA on reboot if user required MFA before reboot

macOS - Touch ID not detected on M1

macOS - Lock after FileVault boot not working

Windows - Add Offline Authenticator UI issue

Windows - Provide the ability to skip pairing.

Windows - Provide help on the pair dialog.

macOS - Add the ability to disable requiring MFA after loss of internet

macOS - Unpair doesn’t always lock the user.

Added SSL certificates for new environments to improve security.

Hide 'More Options' field when all of the UI elements it hides are disabled.

macOS - Can now be installed on Monterey 12.2

Settings are now applied when AutoPushEnabled is disabled

Added setting AllowAddOfflineAuthenticator - Enable/Disable the use of external TOTP authenticators

Settings are now stored in the secure store which means even admins with the ability to take ownership cannot change settings locally.

Settings can no longer be configured via the command-line

Runtime configuration. In order to change MFAUrl, FayeUrl or HttpProxyAddress an administrator will need to use the new ATAgent command ‘ATAgent rtc install company.rtc’.

macOS - Enabled support for Monterey 12.1 installs

Windows - Add the ability to sign in via a QR code scan.

Windows - Add the ability to use BLE Authentication to sign in.

Fixed an issue with Device Trust still waiting for a push notification when It’sMe is unpaired.

Windows - Added the ability to login using a Certificate instead of a password

Windows - Added HTTP proxy support for eGuardian communications (HTTP and Faye)

Added support for Kensington VeriMark Guard. Device Trust now supports the following security keys: YubiKey 5 series (C/NFC), Feitian BioPass, YubiKey Bio, Kensington VeriMark Guard

macOS Login Configurations added: Basic, Hybrid and Advanced. Depending on the value of settings MFAFileVaultEnabled and MFALockEnabled, these 3 modes require MFA at either the Login screen, on Boot and/or the Lock Screen.

Unpairing a workstation now sends the user to the login screen if they are currently logged in/unlocked.

File Logging can now be enabled/disabled by eGuardian.

Logging now reports setting changes made by eGuardian.

macOS - Always MFA after FileVault boot. When a macOS workstation has FileVault enabled and boots up, MFA will always be required.

Limit rapid security key attempts to prevent potential UI issues.

Holding the enter key for the password or holding number keys for TOTP causes numerous entries in the audit trail.

Security key timeout issue. Verification will now be restarted as soon as the security key times out until either the user logs in or closes the MFA dialog.

Windows - If Security key is plugged in while the MFA dialog is up, then login or unlock is required to use it again. Security key presence will now be detected after MFA dialog is canceled.

ATAgent user list command to display users on the system

Enhanced Event reconnection

macOS - Don’t lock immediately after losing internet connection

macOS - Agent doesn't supply gateway mac address

Fixed: Windows - ATAgent Stop not synchronous

Fixed: Windows - Biometric crash via RDP

macOS - Now detects macOS 12 Monterey and verified working

macOS - Use Apple Lock Screen by default if Touch ID is present

Windows - Changed system login timeout to 3 minutes.

Windows - Now detects Windows 11 and verified working.

macOS - Send the user to login window if loss of internet, only if MFALoginEnabled is true

macOS - Notarized build

Regression: Timer incorrect after channel reuse change

Add Push button instead of “send another push” link

Push icon

Windows - Improved DPI scaling

Windows - Security Key slowing down pairing process

Windows - Kanji error message on an English system

Windows - UI username cutoff

Timer reset is delayed when requesting SMS or Email after auto push

Security key changes cause a random crash while pairing