Release Notes
The release notes provide updates, enhancements, and fixes for SessionGuardian Desktop Service and the SessionGuardian Admin Console. Review the latest changes to stay informed about new features, improvements, and resolved issues.
SG Admin Console 2.7.0
April 19, 2025
Added support for SSO admin logins to the SG Admin Console using any OIDC-compliant identity provider, such as Microsoft Entra ID. Setup requires backend configuration by SecureAuth Support.
Improved overall User Import feature with performance enhancements and bug fixes.
Upgraded the log system for better clarity and tracking; renamed Change History to Audit Trail. To learn more, see View and filter Audit Trail logs.
During profile photo registration, end users can select their preferred web camera from the list if more than one camera is available.
Face in the screenshot is blurred for privacy reasons.
SG Desktop now defaults to the same camera selected during photo registration when users start a session.
SG Admin Console 2.5.4
November 27, 2024
Improvements
Updated Server side logic to handle cases when the Database is down.
When the Server experiences a database connection failure and the Client initiates a request to the start endpoint, the system will return a 503 Service Unavailable response with a 'Retry-After: 60' header.
In cases where connection loss occurs during an active Client session, the system will respond with a 500 Internal Server Error status code.
All other HTTP status codes remain unchanged:
401 Unauthorized: Returned when user authentication fails (e.g., user account removed or credentials reset)
403 Forbidden: Returned when Client access is restricted (e.g., IP restrictions, resource deletion during active session)
SG Admin Console 2.5.3
October 25, 2024
Improvements:
Changes in code response from Server to Client on registration check: Added more informative message on unsuccessful device registration
Performance improvement on Users page
Fixed library vulnerability
Bug fixes:
Fixed floating bug on end user connection
SG Admin Console 2.5.2
September 12, 2024
Improvements:
Disable Service Based on IP Range field now accepts CIDR format for IP addresses
Security update: Password reset request after 90-day expiration is triggered only after all (username, password, MFA) values are validated.
SG Admin Console 2.5.1
August 12, 2024
Improvements:
Enabling Manage desktop screenshots (evidence) permissions now automatically enables View desktop screenshots (evidence) permission
Bugs:
Error fixed: Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden
SG Admin Console 2.5.0
August 5, 2024
New features:
Audit logs (Splunk) - please see Audit Trail documentation provided in BA-SessionGuardian collaboration site on Sharepoint
Screenshot deletion (MVP)
Improvements:
Password Requirements: tracking failed OTP rather than username/password combination only
Automated Log Out redirects Console users to login page
BA Penetration Test Result: Critical Issue with snakeyaml
Bugs:
Password related Admin unlock feature fix
Incorrect data format on Logs page
Screenshot deletion (MVP)
Screenshot Deletion feature allows an Admin user with the permissions to Manage desktop screenshots (evidence) to delete screenshots that are received along with Alerts on violations.
In order to grant that permission to a Console User, make sure you tick the box for the role that Console user is assigned.
 |
In the scope of Screen capture access feature, we check who has access to view screenshots of the content that was on display during a violation. Those screenshots are included, if configured, in the Alerts.
Following the same logic, when a console user wants to delete a screenshot, he/she must have the appropriate permission assigned. If so, on the screenshot preview page that user will see a button [Delete] which will trigger the image removal from the system.
 |
When a user deletes a screenshot, he/she must confirm the action and then provide a reason (for audit purposes). In the scope of the MVP the action cannot be undone so the system warns the user about that.
 |
 |
Once the image is removed, the user sees a success notification and the following message:
 |
All Screenshot deletion events are logged in Change History.
 |
SG Admin Console 2.4.1
June 19, 2024
New features:
Password History Requirements
Camera Device Detection (Server side configuration)
Improvements:
Updated and New Environment Variables
Screen Capture access through SG Console Permissions
Safe IP Range field validation
Set up trust relationship between SG and BA staging accounts on AWS
Bugs:
SW Update configuration changes were not logged
Password Security and History Requirements
According to the requirements that were shared by BA team, SessionGuardian team implemented the following features:
User Password Refreshed every 90 days;
A password history, minimum the last four passwords must be maintained to prevent reuse;
After a maximum of six unsuccessful password attempts the User ID shall be locked. The lockout duration shall last at least thirty minutes or less if an administrator enables the User ID again.
 |
 |
Camera Device Detection
Camera Device Detection is a separate feature with its own parameters that can and should be configured separately from Mobile Device Detection.
There are three parameters that affect and determine Camera detection performance:
Frequency - period of time during which the system checks for cameras
Protection Screen Timeout - delay of lock screen appearance once a camera is detected
Match confidence - level of confidence at which we show that a camera device is recognized
 |
The same is applicable to User Profile and Security Group configurations:
 |
 |
Screen Capture access through SG Console Permissions
In case of Violation events, if configured, an alert is sent to a dedicated distribution list.
Screen Capture feature allows to capture the content of the screen once the violation occurs and include the link to the image stored in BA’s S3 in the email.
 |
The ability to view the captured contents of the screen depends directly on Permissions, specifically “View desktop screenshot (evidence)”.
 |
When the email is received, there is a link to the image that is stored in S3.
 |
When the email recipient clicks the lick, we check whether the user is logged in to SG Console and has the View desktop screenshot (evidence) permission assigned. These two conditions must be met in order to view the image.
Screen Capture Email Template configuration
Please note the following steps to ensure a proper clickable link is included in the emails.
Go to Alerts > find any Violation and a related template > Screen Capture file reference
Copy or cut ‘${scref}’
Delete ‘${scref}’ in template
Select ‘Screen Capture file reference’
Click on the Link icon in the toolbar template
Paste ‘${scref}’
Save Changes
 |
 |
 |
 |
SG Admin Console 2.4.0
New features:
[BA.9] Additional Events for Webcam Blocking
Improvements:
SG Console Admin log in time out
Face Recognition Key (Mobile) not mandatory
Webcam Covered Configuration on SG Console
Webcam Covered Alerts
Webcam Covered is an event that is triggered in cases when a user intentionally covers his/her webcamera with a hand, with an object, or with a webcamera shutter.
This event is logged in the system and can also be configured for Alert notifications. In order to set up the email Alerts on Webcam Covered event, Escalated or Delayed ones, please do the following:
Go to Console > Configurations;
Go to Alerts,
Ensure the Notifications toggle is on,
Scroll down the Violations list (Events) to find Webcam Covered
Per need, update the Subject field, tick the Screen Capture, configure Escalated or Delayed alerts.
Please note, the email recipient is configured at the very beginning and can only have 1 email address.
 |
Webcam Covered Lock Screen
If in case of Webcam Covered event you want the user’s screen to lock, you can configure the setting through the Console.
Go to the Console > Configurations
Go to Lock Screen Templates
Locate Webcamera Covered menu item
Ensure the Lock Screen toggle is on. Per need, upload an image and update the message to display when the screen gets locked.
Please note, this is a Global Configuration which will apply to all end users of the SG Desktop Service application.
Improvements:
SG Console Admin log in time out
The Admin Console users will not be automatically logged out only in case of continuous inactivity. If the Admin is active within the configured time period, he/she will not be logged out of the console.
Face Recognition Key (Mobile) not mandatory
It is no longer required to input the Face Recognition Key (Mobile) value
SG Admin Console 2.3.1
April 27, 2024
Bug fixes:
Service-Server connection time out
Minor UI bugs in SG Console
Configuration updates:
Face Detection Threshold (from 3 to 2)
Validity Token (set to 15 min)
Phone Match Confidence (95%, but we recommend 98%)
Face Recognition Key configuration is now done in GUI (SG Console Configurations > Global Client)
SG Desktop Service 2.19.5
November 21, 2024
Improvements:
Removal of
ignoreAdminAccountparameterignoreAdminAccountis no longer available in SG Desktop Service configurations. End users (Agents) can only use non-Admin accounts on their PCs to run the application without having the ability to run it as Admins.If Administrators need to run the application as both Admin and non-Admin users, they are now required to have two accounts on their PCs. No alternative parameter in the configurations can be used as a workaround.
Bug fixes:
British Airways Support Escalation -- Internal Reference BA-IVA-T1-011
Desktop app has reset his profile locally when profile reset not requested.
British Airways Support Escalation -- Internal Reference BA-IVA-T1-008
When 2.18.7 is auto updated to 2.18.9 all connections fail when on Internet only. Akamai identity token value is missing in registry which previously was added manually, not via the installer.
Important to note: BA provided the identity token which SessionGuardian has input into the installer to resolve the issue with missing token value.
SG Desktop Service 2.18.9
November 13, 2024
Bug fixes:
British Airways Support Escalation -- Internal Reference BA-IVA-T1-007
identityTokenwas missing in an HTTP request when the desktop setup has no activated profile. Status of user could not be updated on SGE Server to "not invited" and was stuck at New.
SG Desktop Service 2.18.7
October 24, 2024
New Features:
HTTP Headers
Improvements:
Updated root folder name
Downgrade feature
Auto-update notification message display time
Uninstall process
Logs encryption (please see details in SG Logs Viewer documentation shared earlier)
Bug fixes:
Service reacting to Power Events: Suspend & ResumeSuspend events
HTTP Headers
In order to ensure that the Akamai is not marking SG Desktop requests as ones that come from bot, the teams collectively agreed to implement specific HTTP headers. Those are now added in all Client > Server requests which should help Akamai identify that the requests are coming from a trusted Client.
Please note: We added an extra parameter for this feature so the final installation command is:
msiexec /i "SessionGuardianDesktop_v2.18.7.msi" serverurl={endpoint} requesttoken={secretToken}In the future, if you need to change the token, you will be able to modify "IdentityToken" parameter in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SGE.IVA.BAServiceBLL
Updated root folder name
Previously the root folder name was:
C:\Program Files (x86)\SessionGuardian Enterprise\SGE.IVA.
It is now changed to C:\Program Files (x86)\SessionGuardian Enterprise\SG.DesktopService.
Please note: with this version we also included a script which updates user profiles. With this script there is no need to reset registration manually for the users to ensure proper workflow of the service after the update of the root folder name.
Downgrade feature
SW Update global configuration allows to manage which version has to be up and running across all end-users. However, there could be cases when we need users to go back to an older version and that is also managed through SW Update configuration.
In cases when an older version is set, there is no need for any manual uninstallation or re-installation of the software.
SG Desktop supports the Downgrade process which is also automatic, like the auto-update.
Auto-update notification message display time
When a newer version of SG Desktop is selected in the SG Console as the version that has to be installed across all end-users, the end-users see a notification.
The notification states that there is a new version of the software and that it will be installed on the PC on the next shut down.
The notification remains open until the end-user closes it manually in order to avoid having users that miss the update.
Service reacting to Power Events: Suspend & ResumeSuspend events
There was an issue when a user had the service run all night while the PC was in hibernation. That resulted in 401 error upon the session start and blocked the user. In this SG Desktop version we cover such cases by tracking the power events to prevent error responses from the Server.
SG Desktop Service 2.16.13
August 2, 2024
Improvements:
Seamless auto-update when the PC is shut down
Improved performance on BA VPN connection - added ability to configure Proxy Address and Proxy Port in registry
Updated frequency of Antivirus check to avoid SG Service Desktop work interruptions
Bug fixes:
IVA_I51: Andy is getting server connection error in SG
IVA_I52: Abhishek has received user profile error once after restarting the laptop. Upon Screen lock/unlock, SG started working as expected.
Seamless auto-update on shut down
SessionGuardian is improving the auto-update process which ensures that there is no idle time on session security and the PC is protected. This version includes the initial changes that are required for the auto-update changes to work. However, the auto-update process itself will be happening on Shutdown/Log out starting from the next build. Same logic as it was when SG initially implemented and delivered the auto-update feature.
Starting with the next build, when a new version of SG Desktop Service is available to the end users, it will be downloaded and installed when the users shut down the PC.
The auto-update is not triggered by lock/ unlock action on the PC anymore.
The two cases when the download and installation of the newer builds are done are:
When the user shuts down the PC, turns it back on, logs in to Windows account;
When the user restarts the PC and logs back in to Windows account.
If the user performs a force quit on Windows, the Service will not upgrade.
Quick note, the auto-update is tied to Windows log on/log out. However, deletion of the older version in case of enabled auto-update is tied to the PC shutdown/turn on.
SG Desktop Service 2.16.5
July 4, 2024
New features:
SG Desktop Service switches proxy settings based on network environment (Proxy configuration)
Logging Level configuration
Improvements:
Broader error and event logging to help investigate incidents like IVA_I47 and IVA_I48
Bug fixes:
IVA_I44: If ALT+F4 pressed in desktop, Watermark is disappearing
IVA_I45: When VPN is connected during startup, SG software showing server connection error
IVA_I46: When VPN is connected during mid session, SG software showing server connection error
IVA_I47: UAT - Software fails to initialise once Paul has complete his photo registration without issue.
IVA_I48: UAT - Software is failing to initialise for Vicci.
Proxy configuration
SG Desktop Service switches proxy settings based on network environment (Proxy configuration).
What we did is we added proxy for the server API provider and external Internet check request. In case of a network change the proxy is overwritten automatically.
Logging Level
By default the level of logs was always WARN. In this build we ensured that when a user profile configuration, specifically logging level, changes in the SG Console to INFO, we pull all details that INFO level logs.
SG Desktop Service 2.15.29
June 19, 2024
New features:
Camera Device Detection
User Registration Status notifications
Improvements:
Status update on Deactivate Service action
Added retry on Auto-update to help with cases described in IVA_|35
Webcamera Covered event logic update (improved UX)
Bugs:
IVA_I21: Font size in watermarks is not getting changed after updating in console. Its only getting changed if the Across field is changed from 1 to multiple lines
IVA_I28: Webcam Covered, Unauthorized user detected and authorize user not present – these errors are coming randomly while working in laptop
IVA_I35: SG AutoUpdate service is on but SG software latest version (2.15.20) is not getting installed in system
IVA_I36: SG service is throwing up Authorized User not found for couple of times and not going off. As a result, laptop cannot be used until Lock/unlock is done. Once unlocked, the SG service is resumed, throwing up the same lock screen which is not going off.
IVA_I38: When AWS is offline (mid session), SG software is not locking the screen immediately when an event occurred (i.e. webcam covered, mobile phone detected etc.)
IVA_I43: Intermittently observed SG software is getting crashed while system is locked, upon unlocking the screen, SG software is working as expected.
Camera Device Detection
Camera Device Detection is part of the Phone Detection model but is configurable separately (please see more in the release notes for SG Console 2.4.1).
Camera Device Detection is aimed to find and trigger an alerts for cases when someone is trying to take a picture of the screen content using a camera device (
When SG Desktop Service is running with both Camera and Mobile device detections enabled, the system will log the event with higher confidence score. For example, if the system has 91% confidence in detection of a camera and 94% in detection of a mobile phone, Mobile Device Detected will be logged and, if Lock Screen enabled, corresponding image and text will appear on the end-user’s screen.
Please note: Camera Detection feature is using a newly trained model so the performance can provide false negative results. Please provide feedback on test runs so further improvements can be planned and implemented.
User Registration Status notifications
In order to ensure transparency on the registration process SG Service Desktop now shows user notifications for each activation step. See examples below:
 |
 |
SG Desktop Service also shows the error message in case of any issues. See example below:
 |
 |
Status update on Deactivate Service action
To avoid confusion on User Profile and Service state, we added “Deactivated by Admin” status.
When the Agent’s Service is Deactivated through the console by the Admin, it will say “Deactivated by Admin”.
 |
SG Desktop Service 2.15.20
June 6, 2024
Improvements:
Checking Service state at the initiation process (a change that fixes IVA_26 bug report)
If service has been deactivated through the Console and the Agent opens/unlocks his PC, the Service sends a request to the Server to check the state at the initiation to ensure it does not start (no watermarks are displayed, screen doesn’t lock on violations events, etc)
Version upgrade doesn’t force PC to reboot
When the auto-update happens (SG Desktop Service is upgraded) a sudden reboot was forced upon the end-user’s PC. Starting with this version, there is no forced reboot.
Bug Fixes:
IVA_I26 Even though profile has been deactivated through console, when a user is logging in laptop, SG service is getting started
IVA_I27 SG software is getting crashed if multiple times camera shutter is closed
IVA_I28 Webcam Covered, Unauthorized user detected and authorized user not present – these errors are coming randomly while working in laptop
SG Desktop Service 2.15.8
May 23, 2024
New features:
[BA.9] Additional Events for Webcam Blocking
Improvements:
Partial Face Detection configuration
Profile changes from SG Console are applied automatically
SG Desktop Service to work when Antivirus checks fails
Changes to the code to ensure SG Desktop Service’s proper performance under BA VPN
Bug fixes:
IVA_:17 Session Guardian software is not working when an Agent is connected to the VPN. Security status is showing as Failed.
IVA_:18 When an authorise user leaves and an unauthorize user seats Infront of the camera, system is waiting for 15 seconds and then it is showing authorize user not found message. Expectation - system should prompt the following message immediately - Unauthorized User Detected
IVA_:19 When an unauthorized user shoulder surf covering his half face (eyes open), system is not getting locked and Unauthorized User Detected - message did not displayed
IVA_:20 Profile has been deactivated for few days for a user. When user profile is re-activated through console, SG software is not getting turned on
[BA.9] Additional Events for Webcam Blocking
Webcam Covered is an event that is triggered in cases when a user intentionally or unintentionally covers his/her webcamera with a hand, with an object, or with a webcamera shutter.
This event is logged in the system, can trigger an email alert, and can enforce a screen lock.
Partial Face Detection
In order to cover the case described in IVA_:19 - When an unauthorized user shoulder surf covering his half face (eyes open), system is not getting locked and Unauthorized User Detected - message did not displayed - we added a “Partial Face Detection” parameter.
It can be configured Globally: Console > Configurations > Defaults > Recognition
 |
As well as on Security Group level and User Profile Level.
Go to a Security Group or any User Profile > Recognition > Continuous Face Recognition > Partial Face Detection.
 |
 |
Important notes on the Partial Face Detection parameter:
Shoulder Surfing Protection must be on for proper Unauthorized User Detection to work when the face is only partially visible.
Shoulder Surfing Protection must be to enable tracking of Unauthorized users (so to track Unauthorized User Detection events).
When Continuous Face Recognition is off, all configurations related to it are off automatically.
Additional improvements
Profile changes from SG Console are applied automatically
There is no more need for end user to lock/unlock the PC in order for changes done on the SG Console (server) to apply for the user (client).
SG Desktop Service to work when Antivirus checks fails
If there is a need to update the antivirus, SG Desktop Service would log that as Antivirus Check failure and won’t allow to start the work. In the latest build we made sure that in cases when AV Check fails, we allow the users to start and/or continue the work.
Changes to the code to ensure SG Desktop Service’s proper performance under BA VPN
To check the internet connection the external request is now sent from the service side, not desktop. Also, the check endpoint is now using https protocol instead of http.
SG Desktop Service 2.14.6
May 2, 2024
Improvements:
Removed requirement on presence of "https://" in Server URL
Server connection Time-out increase (from 10sec to 30sec)
Improved Camera Resolution Selection Algorithm
Bug fixes:
Fix Agent’s Status Not Activated (Abhishek’s issue with User Profile)
SG Desktop Service 2.14.5
April 29, 2024
Improvements:
Implemented additional logic with regards to Screen Capture feature.
SG Desktop Service 2.14.4
April 27, 2024
The latest versions of the SG Console and SG Desktop Service include the following
New features:
[BA.4] Screen Capture of desktop violations
[BA.11] Disable enforcement and monitoring based on IP Address
Ability to select Web Camera
Software Auto-update process
Bug fixes:
Service not stopping when Windows PC is in Sleep mode
Web Camera connection retry process improvement
[BA.4] Screen Capture of desktop violations
Open the SG Console and go to Configurations > Alerts.
If the Alerts feature is enabled, the system will send an email to the email address defined in the Recipient field every time a violation happens. Exception, when a Delayed Alert feature is enabled.
 |
Under each Violation configuration block you’ll find a new checkbox: Screen Capture.
 |
Once the checkbox is ticked, it tells the SG Service Desktop to capture the screen’s content at every moment of the violation’s occurrence.
 |
In order to receive a link to the image in the Alert email, email template has to be configured so the screen content can be reviewed by the Alert Recipients.
By default the application is configured to store the images of captured screen content in the main S3 bucket (the bucket that the application uses for file storage).
However, if you’d like to overwrite and use another S3 storage, please refer to the following two environment variables which can be updated:
sge.escalated-alerts.screen-capture.s3-storage.bucket=sge.escalated-alerts.screen-capture.directory-name=- the default value isalert/screen-capture
[BA.11] Disable enforcement and monitoring based on IP Address
One of the new features added to the SG Console is the ability to disable Security Checks once the end-users are working under certain IP addresses.
In SG Console go to Security Groups > Advanced > Scroll down to General section.
Find option “Disable Service Based on IP Range”.
Once you enable it, you’ll be able to add single IP Addresses or IP Ranges which are considered save so that when the end-users are in those IP Ranges, the SG Desktop Service will pause it work. That means that no security checks will be forced, no violations will be tracked, no alerts will be sent.
 |
 |
The only checks that remain in place are
Internet Connection
Server Connection
User profile
 |
Web Camera selection
To cover cases when users have both a USB camera and an integrated camera on their PC, there is an option to switch the default camera for SG Desktop Service. This will allow redundancy should the default camera cease working.
When the SG Desktop Service is running, go to the System tray > open Hidden Apps > find the SessionGuardian icon. Click on it.
Once you click on it, you’ll see a list of all checks.
Next to Web Camera you’ll see a dropdown. It shows which web camera device, if there is more than one available, is selected by default.
If you’d like to switch to a different camera, simply click on the dropdown and select the option you prefer.
 |
Face Recognition Key configuration
One of most important updates we have in SG Console is the ability to configure the Face Detection Key.
This Key is responsible for proper connection to the software that is responsible for face detection, recognition, and monitoring.
Please ensure you copy the key into both fields, Face Detection Key and Face Detection Key (Mobile).
 |
This also means that you can remove the Face Detection Key from the following places:
Secret Manager
Task Definition
CodeBuild (credential initializer)
Auto-update functionality
Auto-update feature is now available in the new version of SG Desktop Service.
Please go to SG Console > Configurations > SW Updates
Enable version management (switch the toggle).
Once enabled, the auto-update is forced across all end-users and it is a global configuration.
In the Download URL link paste the path where production builds of the SG Desktop Service are located.
Example of Download URL from SessionGuardian’s development environment
Once the link is added, click the refresh icon to pull all available production versions.
Example of SessionGuardian’s development build available for Auto-update
In the Current version field select the version which should be downloaded to and installed on each of the end-users’ PCs on their next session launch.
Save the changes made on the page by clicking ‘Save’.
Please note: once a newer version is selected, the end-users won’t have the ability to stop, pause or intervene with the upgrade process. The new version will be downloaded and installed.
From the end-user’s perspective, the process will be seamless.
They will receive a notification that a new version is available and will be downloaded.
 |
When the users lock and unlock their Windows after receiving the notification, that is when the application will start to install.