4. Release Notes

Security Enhancement Notification

MetaAccess is scheduling a security enhancement on December 8th, 2020. As part of this change, MetaAccess is changing the algorithm used to store/exchange sensitive data that secures your account. While this improves security for all customers, those with the “Require PIN when a user uninstalls agents on a device” setting enabled will be impacted. We encourage you to take the suggested actions.

What is changing?

In adherence with best practices, MetaAccess is shifting to use SHA-2 rather than MD5 for storing/exchanging sensitive data.

What is the impact?

For most customers there is no impact, including no downtime. However, for those with “Require PIN when a user uninstalls agents on a device” (Settings > Global Settings > Device Agent) enabled, users will not be able to uninstall the client manually if the device is running an out-of-date agent; other client functions are not impacted. To mitigate this impact, we encourage you to enable the “Allow agents to automatically update to the latest version” setting (Settings > Global Settings > Device Agent) on your account to allow the OPSWAT Client to auto-upgrade to the latest version before December 8th, 2020.

Domain Update Notification

On September 29 at 7PM PDT, the MetaAccess console will be hosted in different domains. The system will auto-redirect you to the new domain when you access the old domain.

| Tenant | Old Domain: Console | Old Domain: API | New Domain: Console | New Domain: API |
| --- | --- | --- | --- | --- |
| US Tenant A | metaaccess-a.opswat.com | metaaccess-a.opswat.com | console.metaaccess-a.opswat.com | metaaccess-a.opswat.com |
| US Tenant B | gears.opswat.com | gears.opswat.com, dapi.opswat.com | console.metaaccess-b.opswat.com | gears.opswat.com, dapi.opswat.com |
| EU Tenant | gears-eu.opswat.com | gears-eu.opswat.com | console.metaaccess-eu.opswat.com | gears-eu.opswat.com |

Release Date: October 13, 2020

Console Version: 3.1.1

Release Updates

1. Bugs fixed:

  • Admins could not log into the MetaAccess console through Okta

  • The system stopped the Webhook setting even though the callback API had not returned any error

  • A user couldn't add a protected app with the application type set to Other

  • The system did not update the MAC address of network adapters when local IP address was enabled in Privacy Settings

Release Date: September 29, 2020

Console Version: 3.1.0

Agent Release Version:

  • Windows persistent agent: 7.6.349.0

  • Windows On-demand agent: 7.3.519.0

  • macOS persistent agent: 10.4.293.0

  • macOS on-demand agent: 10.5.221.0

  • Debian-based Linux persistent agent: 15.4.19.0

  • Red Hat-based Linux persistent agent: 15.6.15.0

Release Updates

MetaAccess Cloud

1. The MetaAccess console will be hosted in different domains. The system will auto-redirect you to the new domain when you access the old domain.

| Tenant | Old Domain: Console | Old Domain: API | New Domain: Console | New Domain: API |
| --- | --- | --- | --- | --- |
| US Tenant A | metaaccess-a.opswat.com | metaaccess-a.opswat.com | console.metaaccess-a.opswat.com | metaaccess-a.opswat.com |
| US Tenant B | gears.opswat.com | gears.opswat.com, dapi.opswat.com | console.metaaccess-b.opswat.com | gears.opswat.com, dapi.opswat.com |
| EU Tenant | gears-eu.opswat.com | gears-eu.opswat.com | console.metaaccess-eu.opswat.com | gears-eu.opswat.com |

2. The console is refreshed with a new look and user experience.

  • The system will walk you through steps to protect your applications

  • Policy management is re-organized to improve navigation and usability

  • The left navigation is re-organized

    • "Device Groups" is moved into "Inventory"

    • "Access Control" is renamed to "Secure Access" and offers more access control options to protect your applications and networks.

    • "Single sign-on" settings for admin login to the console are moved into "User Management"

    • "Event Log" is broken down to "Admin Events", "Device Events", and "Webhook Events"


3. Software Defined Perimeter (SDP) is now offered on the MetaAccess platform to protect your applications and networks. The SDP approach to zero trust networking flips the traditional approach of securing access to network resources on its head. Instead of connecting then authorizing, the client is required to first authenticate, authorize, be checked for compliance, and only then is it allowed access. Check out our document for more details. SDP requires an additional license.

  • Administrators can now protect applications and networks in their critical infrastructure via SDP no matter where a user connects from. The users' devices will be checked to make sure they comply with your organization's security policies.


  • Administrators can configure access rules to grant/deny access to applications


  • Administrators can grant users/groups access to applications.


  • Administrators can control the device groups that users can use to access protected applications and networks


  • Administrators can integrate with a third-party single sign-on service for end-user authentication and import groups from the IdP to MetaAccess.


  • Administrators can audit user sessions.


  • Administrators can also select either Private Gateway or OPSWAT Hosted Gateway to be their applications' gateway

    • Private Gateway: admins need to install SDP gateways in their datacenter or their own cloud infrastructure

    • OPSWAT Hosted Gateway: no need to install anything, but it requires an additional license.


4. User experience enhancements

  • Users can filter vulnerabilities based on a whitelist status

  • Users can search packages on a Linux device


  • Users can select how many items are shown on one page


5. Bug fixes:

  • Read-only users couldn't export device inventory

  • The system couldn't load devices when a user navigated to the last pages in some cases.

  • The Get Devices API returned an error when the page parameter was set to the last pages in some cases.

OPSWAT Client

Windows Persistent Client (7.6.349.0)

  1. Offers SDP capability to allow an authorized user to access protected applications or networks

    1. The OPSWAT Client only enables SDP capability if a group the device belongs to is enabled for SDP (a new setting on Groups in MetaAccess)

    2. A user needs to authenticate to gain access to assigned resources on an SDP-enabled device

    3. The SDP service handshakes with the SDP Controller and SDP Gateway to grant a user access to protected applications/networks based on access rules

    4. The user can access protected applications/networks as (s)he normally does, i.e.: from the browser, launching from the desktop, or the command line

  2. Added support for the following encrypted USB devices:

    1. Kingston DataTraveler 4000

    2. Kingston DTL GP3

    3. Kanguru Defender Elite 200

  3. Removed the local IP and MAC address information from the About box

  4. Bugs fixed:

    • OPSWAT Client couldn't copy sanitized files from removable media if the filename contained Chinese characters

    • Cross-domain API was not available after the OPSWAT Client was stopped for an unexpected reason

    • OPSWAT Client failed to upgrade if the upgrade was interrupted for some reason, such as the device is started, a user kills the service, ...

  5. Built-in SDP version: 1.1.6.3085

  6. Built-in SDK signature version: 4.3.1498.0

Known issues:

- Windows 7 and Windows Server 2008 devices must install KB2533623 and KB3033929 in order to upgrade to the latest version

- If a user exits the agent tray icon, the agent can’t pop up approved actions when a user inserts a portable media

- A user needs to enable Show Notifications on the agent tray icon to see notifications about portable media

- The agent does not support the portable media feature if user 2 logs into a device while user 1 is still logged in

- OPSWAT Client does not support iTunes drive. If a user inserts an iOS device on an endpoint which has iTunes installed, the user will still have access to the phone via iTunes

- OPSWAT Client can't detect mobile devices; the user needs to unplug and plug in the mobile device again

Windows On-demand Agent (7.3.519.0)

  1. Removed the local IP and MAC address information from About box

  2. Bugs fixed

    • Cross-domain API was not available after the OPSWAT Client was stopped for an unexpected reason

  3. Built-in SDK signature version: 4.3.1498.0

macOS Persistent Agent (10.4.290.0)

  1. Removed the local IP and MAC address information from About box

  2. Bugs fixed

    • The client consumed high resources on macOS Big Sur

  3. Built-in SDK signature version: 4.3.1301.0

macOS on-demand Agent (10.5.218.0)

  1. Removed the local IP and MAC address information from About box

  2. The client now generates logs in /Users/<username>/Library/Logs/Gears/logs instead of the Desktop folder

  3. Added a new CLI argument, groupid, to indicate which device group the client should enroll in.

  4. Bugs fixed

    • The client consumed high resources on macOS Big Sur

    • The client did not send group information when it enrolled to an account even though the group information was embedded in the filename

  5. Built-in SDK signature version: 4.3.1301.0

Red Hat-based Linux persistent Agent (15.6.15.0)

  1. Built-in SDK signature version: 4.3.1210.0

Known issues:

  • To upgrade to this version from version 15.x.y.1/14.x.y.0, a user needs to uninstall the old Linux agent version and reinstall this version

  • The agent doesn't have a UI/tray icon; it only supports the command line

Debian-based Linux persistent Agent (15.4.19.0)

  1. Built-in SDK signature version: 4.3.1210.0

Known issues:

  • To upgrade to this version from version 15.x.y.1/14.x.y.0, a user needs to uninstall the old Linux agent version and reinstall this version

  • The agent doesn't have a UI/tray icon; it only supports the command line