Blue Cedar 3.20.2 Release Notes

What's new

Blue Cedar Platform is now known as Blue Cedar Enterprise.

Blue Cedar Enterprise includes:

  • Blue Cedar Policy Console, which injects security into mobile apps, providing fine-grained controls and configurable usage policies.
  • Blue Cedar Gateway, which uniquely terminates secure in-app microtunnel connections from Blue Cedar-secured apps to backend services, providing seamless authentication, identity integration, and trust services between any Blue Cedar-secured app and trusted corporate networks.

Blue Cedar Enterprise is available as a full cloud-hosted solution as well as an on-premises deployment.

Blue Cedar also offers Blue Cedar Enforce, a cloud-native solution that is designed to deliver local, in-app protection to corporate mobile apps that don't require the microtunnel connectivity capabilities enabled by the Blue Cedar Gateway. Enforce delivers the app-level security policies that do not require connectivity, such as local app-level authentication, device posture, integrity verification, encryption, and data sharing.

These release notes cover Blue Cedar Enterprise and Enforce release 3.20.2. Refer to the Blue Cedar product documentation for further detail on these items.

What's new in Blue Cedar 3.20

Local app authentication improvements 

Blue Cedar 3.20.0+ includes limited support for local app authentication configuration migration. Previously, changing the local app authentication settings required users to delete the old version of the secured app and install the new one. Configuration migration allows users to update the app with new configuration settings in place (without requiring the user to delete and reinstall the app).

Local app authentication now includes a link for password recovery—users can now tap "Forgot passcode?" to trigger a recovery flow. This is the same recovery flow used when the user reaches the limit of invalid login attempts.

For more information, see Local App Authentication in the Policy Console documentation.

Updated policy console

The Enterprise Policy Console now runs in a Docker container and is no longer delivered as an OVA file. This change requires a new policy console installation and upgrade process. See the Policy Console Installation Guide for details.

Only on-premises Enterprise deployments support app signing in the console. Hosted Enterprise users and Enforce users must export secured apps to sign locally before deploying the apps. See Signing Blue Cedar secured apps for details.

The policy console no longer supports the use of custom uploaded security injectable files. The following API methods related to custom injectables have been removed:

  • settings/map-next-dex
  • settings/map-next-ios-policy-file
  • settings/map-version-info

Integrity verification

The Integrity and Posture policy (formerly the Device Posture policy) now includes the option to verify integrity for the secured app. If enabled and if files included in the app (the Blue Cedar injectable and the configured security policies) have been modified since the app was secured, the app cannot open. For more information, see Integrity and Posture in the Policy Console Documentation.

Drag and Drop (iOS)

The Data Sharing policy now includes the option to control whether mobile users may use drag and drop to copy text, images, or other data in a protected app and paste into another app. Drag and drop blocking is only available for iOS 11+ apps, and only when the secured app inherently supports drag and drop functionality. For more information, see Data Sharing in the Policy Console Documentation.

Dynamic policy rules

Enterprise 3.20.x expands the solution's ability to apply dynamic policy rules. You can apply these rules without having to re-secure the app with the policy console, in response to events on the mobile device or to incoming connections to the Blue Cedar Gateway. Use the Policy Console to define and apply static policies; use the Gateway to define and apply dynamic policies.

  • To define policy rules to respond dynamically to events on the mobile device, see Defining policy rules for client events. These rules can check if the app or OS is out of date, alert users to maintenance downtime, and so on.
  • To define post-authentication policy rules for managing incoming connections to the Gateway, see Defining post-authentication policy match rules. These post-authentication policy rules perform actions based on session attributes and apply them before the incoming connection is considered fully validated and allowed to pass traffic. 

SNMP support

The gateway now includes SNMPv2c monitoring, including support for MIB-2 as well as traps, notifications, and events for certain key Gateway resources. For more information, see Configuring SNMP for gateway monitoring in the Blue Cedar Gateway Documentation.

Resolved issues

Resolved in 3.20.2

SPT-1498 | Policy console | Can't delete duplicate Trusted Server Cert | Fixed an issue where duplicate trusted server certificate entries in the policy cannot be deleted.
SPT-1496 | Policy console | Export for Code Signing, button text changed | Restored the text of the button to export a secured app for external signing to "Export for Signing".
SPT-1497 | iOS | Poor layout for the start (PIN) screen | Fixed an iOS-specific layout bug in which long custom strings specified by the App Customization policy could overflow the intended display area.
SPT-1498 | iOS | "Cannot Verify Server Identity" msg with DAR disabled | Fixed an issue where trusted server certificates were not being applied on iOS when the Data at Rest policy was not enabled.
SPT-1509 | Android | Unable to secure app for Android | Fixed a failure to secure Android apps that use vector graphics for their main app icon. Blue Cedar does not currently support badging vector graphics with an overlay icon, but this will no longer prevent the apps from being secured.
SPT-1524 | iOS | Unable to decrypt error when opening attachment | Fixed an issue where iOS apps configured using the Data at Rest and Data Sharing policies were incorrectly sharing encrypted data files to other apps.
SPT-1489 | Android | Display issue for secured apps | Fixed an issue where Android Cordova apps configured with the Data at Rest policy would render incorrectly. In certain cases the file:// scheme was incorrectly returning encrypted data.

Resolved in 3.20.0

SPT-479 | iOS, Android | Recover forgotten local authentication password | As described above, local app authentication now includes a link for password recovery—users can now tap "Forgot passcode?" to enter a recovery flow. See Local App Authentication in the Policy Console documentation.


Android | Incorrect "enter your credentials" pop-up | Fixed an issue where secured Android apps could display a system notification indicating that the app needed user interaction when it did not.

SPT-1283 | Policy console | Corrupted Data Sharing profile in policy console | Fixed an issue with the policy console that could corrupt a Data Sharing profile and render it inaccessible.
SPT-1350 | iOS | App opens with keyboard on initial screen | Fixed an issue with event handling that could trigger a race condition in which the app window was shown over the injectable window.

App using Realm database stalls when using DAR

Fixed an issue where apps using the Realm database would lock up due to conflicts between Blue Cedar encryption and the Realm database's encryption. Realm databases that are encrypted are now automatically exempted from the Data-at-Rest policy.

Android Fiori SP13 and SP15 hang on Samsung 7.1.1

Fixed an issue where the Fiori SP15 app would hang on startup on certain Android devices.
SPT-1419 | Policy console | Custom logo image does not render properly | Fixed an issue in the App Customization preview display where custom logo images did not appear correctly.
SPT-1437 | Android | Compass crashes on Pixel 2 XL | Fixed an issue where secured apps running on the Pixel 2 XL device would crash on startup.
SPT-1466 | iOS, Android | Certificate with UPN in SAN enrolls but disappears at renewal | Fixed an issue where certificates with UPNs did not include the UPN when the certificate was renewed. This happened if the connection was authenticated with certificate-only authentication, rather than the authentication provider that supplied the UPN.

Note that a UPN is not added to a certificate on renewal if the original certificate did not contain one and the connection is established with certificate-only authentication.

SPT-817 | Gateway | Need a way to monitor Gateway | As described above, the gateway now includes SNMPv2c monitoring. See Configuring SNMP for gateway monitoring in the Gateway documentation.
SPT-824, SPT-900 | Gateway | Automatic notification of outdated app versions | As described above, dynamic policy rules can be used to notify users that an app is obsolete and should be updated. See Defining policy rules for client events in the Gateway documentation.
SPT-1328 | Gateway | AD credentials screen, re-enrollment appears in already installed app | In previous releases, the client would discard the certificate after a certain number of failed attempts to connect, such as when the certificate was expired. 3.18.0+ has introduced a better mechanism for communicating expired certificates to the client.

When connecting to older gateways, newer clients can get stuck if they present an expired certificate. Apps may need to be uninstalled and reinstalled in this case. Blue Cedar recommends upgrading both client and gateway at the same time to avoid this issue.

Technical note: Android cloud backup

Prior to version 3.20.0, Android apps running on an Android 6.0+ device configured to back up app data to Google Drive would back up app data even if the unprotected app was configured to disallow this behavior. Starting in 3.20.0, apps secured by Blue Cedar overwrite device backup policy and disable backups to the cloud, even if enabled on the device. This behavior is always enabled and is not configurable on the Policy Console. For more information on this functionality, see documentation from Google.

Known issues

AC-6061 | Android | Biometric authentication failure | Android devices that use fingerprint authentication as part of the Local App Authentication policy can receive a "Biometric authentication temporarily unavailable" error after idle timeout.

Documentation and technical support

This release includes online documentation, no longer in PDF format. To access this documentation, see the knowledge base at or these direct links: 

Blue Cedar Policy Console Documentation (

Blue Cedar Gateway Documentation (

Technical support is provided online at