These release notes cover Blue Cedar Enterprise and Enforce release 3.20.2. Refer to the Blue Cedar product documentation for further detail on these items.
What's new in Blue Cedar 3.20
Local app authentication improvements
Blue Cedar 3.20.0+ includes limited support for local app authentication configuration migration. Previously, changing the local app authentication settings required users to delete the old version of the secured app and install the new one. Configuration migration lets users update the app's configuration settings in place, without deleting and reinstalling the app.
Local app authentication now includes a password recovery link: users can tap "Forgot passcode?" to start a recovery flow. This is the same recovery flow used when the user reaches the limit of invalid login attempts.
Updated policy console
The Enterprise Policy Console now runs in a Docker container, and is no longer delivered as an OVA file. This change requires a new policy console installation and upgrade process. See the Policy Console Installation Guide for details.
Only on-premises Enterprise deployments support app signing in the console. Hosted Enterprise users and Enforce users must export secured apps to sign locally before deploying the apps. See Signing Blue Cedar secured apps for details.
The policy console no longer supports the use of custom uploaded security injectable files. The following API methods related to custom injectables have been removed:
The Integrity and Posture policy (formerly the Device Posture policy) now includes the option to verify the integrity of the secured app. If enabled, and the files included in the app (the Blue Cedar injectable and the configured security policies) have been modified since the app was secured, the app cannot open. For more information, see Integrity and Posture in the Policy Console Documentation.
Drag and Drop (iOS)
The Data Sharing policy now includes the option to control whether mobile users may use drag and drop to copy text, images, or other data in a protected app and paste into another app. Drag and drop blocking is only available for iOS 11+ apps, and only when the secured app inherently supports drag and drop functionality. For more information, see Data Sharing in the Policy Console Documentation.
Dynamic policy rules
Enterprise 3.20.x expands the solution's ability to apply dynamic policy rules. These rules respond to events on the mobile device or to incoming connections to the Blue Cedar Gateway, and they can be applied without re-securing the app in the policy console. Use the Policy Console to define and apply static policies; use the Gateway to define and apply dynamic policies.
- To define policy rules to respond dynamically to events on the mobile device, see Defining policy rules for client events. These rules can check if the app or OS is out of date, alert users to maintenance downtime, and so on.
- To define post-authentication policy rules for managing incoming connections to the Gateway, see Defining post-authentication policy match rules. These post-authentication policy rules perform actions based on session attributes and apply them before the incoming connection is considered fully validated and allowed to pass traffic.
The gateway now includes SNMPv2c monitoring, including support for MIB-2 as well as traps, notifications, and events for certain key Gateway resources. For more information, see Configuring SNMP for gateway monitoring in the Blue Cedar Gateway Documentation.
Resolved in 3.20.2
| Issue | Component | Summary | Resolution |
|---|---|---|---|
| SPT-1498 | Policy console | Can't delete duplicate Trusted Server Cert | Fixed an issue where duplicate trusted server certificate entries in the policy could not be deleted. |
| SPT-1496 | Policy console | Export for Code Signing, button text changed | Restored the text of the button to export a secured app for external signing to "Export for Signing". |
| SPT-1497 | iOS | Poor layout for the start (PIN) screen | Fixed an iOS-specific layout bug in which long custom strings specified by the App Customization policy could overflow the intended display area. |
| SPT-1498 | iOS | "Cannot Verify Server Identity" msg with DAR disabled | Fixed an issue where trusted server certificates were not being applied on iOS when the Data at Rest policy was not enabled. |
| SPT-1509 | Android | Unable to secure app for Android | Fixed a failure to secure Android apps that use vector graphics for their main app icon. Blue Cedar does not currently support badging vector graphics with an overlay icon, but this no longer prevents the apps from being secured. |
| SPT-1524 | iOS | Unable to decrypt error when opening attachment | Fixed an issue where iOS apps configured using the Data at Rest and Data Sharing policies were incorrectly sharing encrypted data files with other apps. |
| SPT-1489 | Android | Display issue for secured apps | Fixed an issue where Android Cordova apps configured with the Data at Rest policy would render incorrectly. In certain cases the file:// scheme was incorrectly returning encrypted data. |
Resolved in 3.20.0
| Issue | Component | Summary | Resolution |
|---|---|---|---|
| SPT-479 | iOS, Android | Recover forgotten local authentication password | As described above, local app authentication now includes a password recovery link: users can tap "Forgot passcode?" to enter a recovery flow. See Local App Authentication in the Policy Console documentation. |
| | Android | Incorrect "enter your credentials" pop-up | Fixed an issue where secured Android apps could display a system notification indicating that the app needed user interaction when it did not. |
| SPT-1283 | Policy console | Corrupted Data Sharing profile in policy console | Fixed an issue with the policy console that could corrupt a Data Sharing profile and render it inaccessible. |
| SPT-1350 | iOS | App opens with keyboard on initial screen | Fixed an issue with event handling that could trigger a race condition in which the app window was shown over the injectable window. |
| | | App using Realm database stalls when using DAR | Fixed an issue where apps using the Realm database would lock up due to conflicts between Blue Cedar encryption and the Realm database's own encryption. Encrypted Realm databases are now automatically exempted from the Data-at-Rest policy. |
| | | Android Fiori SP13 and SP15 hang on Samsung 7.1.1 | Fixed an issue where the Fiori SP15 app would hang on startup on certain Android devices. |
| SPT-1419 | Policy console | Custom logo image does not render properly | Fixed an issue in the App Customization preview display where custom logo images did not appear correctly. |
| SPT-1437 | Android | Compass crashes on Pixel 2 XL | Fixed an issue where secured apps running on the Pixel 2 XL device would crash on startup. |
| SPT-1466 | iOS, Android | Certificate with UPN in SAN enrolls but disappears at renewal | Fixed an issue where certificates with UPNs did not include the UPN when the certificate was renewed. This happened if the connection was authenticated with certificate-only authentication rather than with the authentication provider that supplied the UPN. Note that a UPN is not added to a certificate on renewal if the original certificate did not contain one and the connection is established with certificate-only authentication. |
| SPT-817 | Gateway | Need a way to monitor Gateway | As described above, the gateway now includes SNMP v2c monitoring. See Configuring SNMP for gateway monitoring in the Gateway documentation. |
| SPT-824, SPT-900 | Gateway | Automatic notification of outdated app versions | As described above, dynamic policy rules can be used to notify users that an app is obsolete and should be updated. See Defining policy rules for client events in the Gateway documentation. |
| SPT-1328 | Gateway | AD credentials screen, re-enrollment appears in already installed app | In previous releases, the client would discard the certificate after a certain number of failed attempts to connect, such as when the certificate was expired. 3.18.0 and later introduced a better mechanism for communicating expired certificates to the client. When connecting to older gateways, newer clients can get stuck if they present an expired certificate; apps may need to be uninstalled and reinstalled in this case. Blue Cedar recommends upgrading both client and gateway at the same time to avoid this issue. |
Technical note: Android cloud backup
Prior to version 3.20.0, Android apps running on an Android 6.0+ device configured to back up app data to Google Drive would back up app data even if the unprotected app was configured to disallow this behavior. Starting in 3.20.0, apps secured by Blue Cedar override the device backup policy and disable backups to the cloud, even if backup is enabled on the device. This behavior is always enabled and is not configurable in the Policy Console. For more information on this functionality, see the documentation from Google.
Known issues
| Issue | Component | Summary | Description |
|---|---|---|---|
| AC-6061 | Android | Biometric authentication failure | Android devices that use fingerprint authentication as part of the Local App Authentication policy can receive a "Biometric authentication temporarily unavailable" error after idle timeout. |
Documentation and technical support
This release includes online documentation, no longer in PDF format. To access this documentation, see the knowledge base at apollo.bluecedar.com or these direct links:
Blue Cedar Policy Console Documentation (http://apollo.bluecedar.com/policy-console-doc)
Blue Cedar Gateway Documentation (http://apollo.bluecedar.com/gateway-doc)
Technical support is provided online at success.bluecedar.com.