Release Notes

In order to ensure that the Akamai is not marking SG Desktop requests as ones that come from bot, the teams collectively agreed to implement specific HTTP headers. Those are now added in all Client > Server requests which should help Akamai identify that the requests are coming from a trusted Client.

Please note: We added an extra parameter for this feature so the final installation command is:

msiexec /i "SessionGuardianDesktop_v2.18.7.msi" serverurl={endpoint} requesttoken={secretToken}

In the future, if you need to change the token, you will be able to modify "IdentityToken" parameter in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\SGE.IVA.BAServiceBLL

Screenshot Deletion feature allows an Admin user with the permissions to Manage desktop screenshots (evidence) to delete screenshots that are received along with Alerts on violations.

In order to grant that permission to a Console User, make sure you tick the box for the role that Console user is assigned.

In the scope of Screen capture access feature, we check who has access to view screenshots of the content that was on display during a violation. Those screenshots are included, if configured, in the Alerts.

Following the same logic, when a console user wants to delete a screenshot, he/she must have the appropriate permission assigned. If so, on the screenshot preview page that user will see a button [Delete] which will trigger the image removal from the system.

When a user deletes a screenshot, he/she must confirm the action and then provide a reason (for audit purposes). In the scope of the MVP the action cannot be undone so the system warns the user about that.

Once the image is removed, the user sees a success notification and the following message:

All Screenshot deletion events are logged in Change History.

SessionGuardian is improving the auto-update process which ensures that there is no idle time on session security and the PC is protected. This version includes the initial changes that are required for the auto-update changes to work. However, the auto-update process itself will be happening on Shutdown/Log out starting from the next build. Same logic as it was when SG initially implemented and delivered the auto-update feature.

Starting with the next build, when a new version of SG Desktop Service is available to the end users, it will be downloaded and installed when the users shut down the PC.

The auto-update is not triggered by lock/ unlock action on the PC anymore.

The two cases when the download and installation of the newer builds are done are:

If the user performs a force quit on Windows, the Service will not upgrade.

Quick note, the auto-update is tied to Windows log on/log out. However, deletion of the older version in case of enabled auto-update is tied to the PC shutdown/turn on.

SG Desktop Service switches proxy settings based on network environment (Proxy configuration).

What we did is we added proxy for the server API provider and external Internet check request. In case of a network change the proxy is overwritten automatically.

By default the level of logs was always WARN. In this build we ensured that when a user profile configuration, specifically logging level, changes in the SG Console to INFO, we pull all details that INFO level logs.

Camera Device Detection is part of the Phone Detection model but is configurable separately (please see more in the release notes for SG Console 2.4.1).

Camera Device Detection is aimed to find and trigger an alerts for cases when someone is trying to take a picture of the screen content using a camera device (

When SG Desktop Service is running with both Camera and Mobile device detections enabled, the system will log the event with higher confidence score. For example, if the system has 91% confidence in detection of a camera and 94% in detection of a mobile phone, Mobile Device Detected will be logged and, if Lock Screen enabled, corresponding image and text will appear on the end-user’s screen.

Please note: Camera Detection feature is using a newly trained model so the performance can provide false negative results. Please provide feedback on test runs so further improvements can be planned and implemented.

In order to ensure transparency on the registration process SG Service Desktop now shows user notifications for each activation step. See examples below:

SG Desktop Service also shows the error message in case of any issues. See example below:

To avoid confusion on User Profile and Service state, we added “Deactivated by Admin” status.

When the Agent’s Service is Deactivated through the console by the Admin, it will say “Deactivated by Admin”.

According to the requirements that were shared by BA team, SessionGuardian team implemented the following features:

Camera Device Detection is a separate feature with its own parameters that can and should be configured separately from Mobile Device Detection.

There are three parameters that affect and determine Camera detection performance:

The same is applicable to User Profile and Security Group configurations:

In case of Violation events, if configured, an alert is sent to a dedicated distribution list.

Screen Capture feature allows to capture the content of the screen once the violation occurs and include the link to the image stored in BA’s S3 in the email.

The ability to view the captured contents of the screen depends directly on Permissions, specifically “View desktop screenshot (evidence)”.

When the email is received, there is a link to the image that is stored in S3.

When the email recipient clicks the lick, we check whether the user is logged in to SG Console and has the View desktop screenshot (evidence) permission assigned. These two conditions must be met in order to view the image.

Screen Capture Email Template configuration

Please note the following steps to ensure a proper clickable link is included in the emails.

Go to Alerts > find any Violation and a related template > Screen Capture file reference

1. Copy or cut ‘${scref}’

2. Delete ‘${scref}’ in template

3. Select ‘Screen Capture file reference’

4. Click on the Link icon in the toolbar template

5. Paste ‘${scref}’

6. Save Changes

Webcam Covered is an event that is triggered in cases when a user intentionally or unintentionally covers his/her webcamera with a hand, with an object, or with a webcamera shutter.

This event is logged in the system, can trigger an email alert, and can enforce a screen lock.

Partial Face Detection

In order to cover the case described in IVA_:19 - When an unauthorized user shoulder surf covering his half face (eyes open), system is not getting locked and Unauthorized User Detected - message did not displayed - we added a “Partial Face Detection” parameter.

It can be configured Globally: Console > Configurations > Defaults > Recognition

As well as on Security Group level and User Profile Level.

Go to a Security Group or any User Profile > Recognition > Continuous Face Recognition > Partial Face Detection.

Important notes on the Partial Face Detection parameter:

• Shoulder Surfing Protection must be on for proper Unauthorized User Detection to work when the face is only partially visible.

• Shoulder Surfing Protection must be to enable tracking of Unauthorized users (so to track Unauthorized User Detection events).

• When Continuous Face Recognition is off, all configurations related to it are off automatically.

Open the SG Console and go to Configurations > Alerts.

If the Alerts feature is enabled, the system will send an email to the email address defined in the Recipient field every time a violation happens. Exception, when a Delayed Alert feature is enabled.

Under each Violation configuration block you’ll find a new checkbox: Screen Capture.

Once the checkbox is ticked, it tells the SG Service Desktop to capture the screen’s content at every moment of the violation’s occurrence.

In order to receive a link to the image in the Alert email, email template has to be configured so the screen content can be reviewed by the Alert Recipients.

By default the application is configured to store the images of captured screen content in the main S3 bucket (the bucket that the application uses for file storage).

However, if you’d like to overwrite and use another S3 storage, please refer to the following two environment variables which can be updated:

One of the new features added to the SG Console is the ability to disable Security Checks once the end-users are working under certain IP addresses.

In SG Console go to Security Groups > Advanced > Scroll down to General section.

Find option “Disable Service Based on IP Range”.

Once you enable it, you’ll be able to add single IP Addresses or IP Ranges which are considered save so that when the end-users are in those IP Ranges, the SG Desktop Service will pause it work. That means that no security checks will be forced, no violations will be tracked, no alerts will be sent.

The only checks that remain in place are

To cover cases when users have both a USB camera and an integrated camera on their PC, there is an option to switch the default camera for SG Desktop Service. This will allow redundancy should the default camera cease working.

When the SG Desktop Service is running, go to the System tray > open Hidden Apps > find the SessionGuardian icon. Click on it.

Once you click on it, you’ll see a list of all checks.

Next to Web Camera you’ll see a dropdown. It shows which web camera device, if there is more than one available, is selected by default.

If you’d like to switch to a different camera, simply click on the dropdown and select the option you prefer.

One of most important updates we have in SG Console is the ability to configure the Face Detection Key.

This Key is responsible for proper connection to the software that is responsible for face detection, recognition, and monitoring.

Please ensure you copy the key into both fields, Face Detection Key and Face Detection Key (Mobile).

This also means that you can remove the Face Detection Key from the following places: