KCM Version 2.20.0

Released on July 23, 2025

Overview

Keeper Connection Manager 2.20.0 includes several important updates. Please read through the full release notes prior to upgrading. The updates include:


Mandatory changes to support Remote Browser Isolation (RBI)

IMPORTANT: Some of the RBI changes in this release require additional services and sandboxing that previous releases did not need. The operations used for this sandboxing required updates to the seccomp profile used for Docker deployments, as well as the creation of an AppArmor profile.

This AppArmor profile must be loaded for RBI to function on any platform using AppArmor, such as Ubuntu.

Required Action: Download the latest version of the kcm-setup.run script:

curl -O https://keepersecurity.com/kcm/kcm-setup.run

Option 1: Add the AppArmor profile automatically using kcm-setup.run

If you have not modified your own docker-compose.yml since installing KCM, you can apply these changes automatically by:

  1. Downloading the latest copy of kcm-setup.run from Keeper Security.

  2. Running sudo ./kcm-setup.run upgrade to upgrade to the latest release.

  3. Running sudo ./kcm-setup.run reconfigure to regenerate docker-compose.yml.

If you manually changed docker-compose.yml, follow Option 2 below.

Option 2: Adding the AppArmor profile to a modified docker-compose.yml

If you have modified your own docker-compose.yml, you will need to edit it manually to point the “guacd” container at the new profile:

  1. Download the latest copy of kcm-setup.run from Keeper Security.

  2. Run sudo ./kcm-setup.run upgrade to upgrade to the latest release.

  3. Edit /etc/kcm-setup/docker-compose.yml, adding an additional "apparmor:..." option to the security_opt section of the “guacd” container so that the section matches the following:

security_opt:
    - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
    - "apparmor:guacd-apparmor-profile"

  4. Run sudo ./kcm-setup.run apply to apply these latest changes from docker-compose.yml.

Manually extracting the AppArmor profile

Only if necessary, the AppArmor profile is bundled in a standard location and can be extracted from the Docker image:

sudo docker run --rm --entrypoint=/bin/cat keeper/guacd /opt/keeper/share/guacd/guacd-apparmor-profile > guacd-apparmor-profile

The profile should then be copied beneath /etc/apparmor.d so that it is automatically loaded on boot:

sudo cp guacd-apparmor-profile /etc/apparmor.d/

The new profile can then be loaded either by rebooting or by manually running apparmor_parser:

sudo apparmor_parser -r /etc/apparmor.d/guacd-apparmor-profile

Do not use the docker.io package provided by Ubuntu. Testing has suggested that this older Docker package may not function correctly with AppArmor profiles. Containers have been observed to not correctly resume using the configured AppArmor profile after a reboot.

Instead, use the official Docker packages provided by Docker themselves: https://docs.docker.com/engine/install/ubuntu/

As long as Docker isn’t already installed, kcm-setup.run will install the official Docker packages automatically. This can be an easy method to both install KCM and the proper version of Docker.
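
The checks this section implies, as an added example that is not part of Keeper's tooling or release notes: the functions confirm that the guacd service is pointed at the profile in docker-compose.yml, that the kernel has the profile loaded, and that a container is still confined by it after a reboot. The compose layout, the guacd service key and the other-service entry in the sample are assumptions; the profile name, image name and paths come from the text above.

```shell
#!/bin/sh
# Added example (not Keeper code): verify the guacd AppArmor wiring.

# Print the security_opt entries of one service in a compose file.
# Assumes block-style YAML with the service key on its own line.
service_security_opts() {  # $1 = compose file, $2 = service name
    awk -v svc="$2" -v q="[\"']" '
        /^[ \t]*(#|$)/ { next }                    # skip blanks and comments
        { ind = match($0, /[^ ]/) - 1 }            # indentation of this line
        $1 == (svc ":") { in_svc = 1; svc_ind = ind; in_opt = 0; next }
        in_svc && ind <= svc_ind { in_svc = 0; in_opt = 0 }   # service ended
        in_svc && $1 == "security_opt:" { in_opt = 1; opt_ind = ind; next }
        in_opt && $1 == "-" { v = $2; gsub(q, "", v); print v; next }
        in_opt && ind <= opt_ind { in_opt = 0 }    # next key ends the list
    ' "$1"
}

# Succeeds if the service is pointed at the profile in the compose file.
compose_uses_profile() {  # $1 = compose file, $2 = service, $3 = profile
    service_security_opts "$1" "$2" |
        grep -qxF -e "apparmor:$3" -e "apparmor=$3"
}

# Succeeds if the kernel lists the profile as loaded. The listing holds one
# "name (mode)" line per profile and is normally readable only by root.
profile_loaded() {  # $1 = profile, $2 = listing file (optional)
    grep -q "^$1 (" "${2:-/sys/kernel/security/apparmor/profiles}"
}

# Succeeds if a container is actually confined by the profile (needs Docker).
container_confined() {  # $1 = container name or ID, $2 = profile
    [ "$(docker inspect --format '{{.AppArmorProfile}}' "$1")" = "$2" ]
}

# Constructed sample: a compose fragment still missing the apparmor option.
sample_compose() {
    cat <<'EOF'
services:
    guacd:
        image: keeper/guacd
        security_opt:
            - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
    other-service:
        security_opt:
            - "no-new-privileges:true"
EOF
}
```

On a live host, run compose_uses_profile against /etc/kcm-setup/docker-compose.yml and profile_loaded as root, then repeat container_confined with the name of the guacd container after a reboot to confirm the profile is still applied.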


End of support for EL7

With CentOS 7 having reached end-of-life in June 2024, and with RHEL 7 having reached end-of-maintenance at the same time, KCM will no longer provide EL7 builds. This means that the previous release (KCM 2.19.3) will be the last release with an EL7 build and KCM 2.20.0 will be the first release without EL7 support.

Users that are maintaining RPM-based installations of KCM but are still using RHEL 7, CentOS 7, or another EL7-derivative should upgrade to EL8 when possible so that they can upgrade to KCM 2.20.0. Support for EL9 and EL10 will be coming in future releases.


Support for ignoring HTTPS certificate errors in RBI

KCM-404: Add support for ignoring self-signed HTTPS certificates

Remote Browser Isolation (RBI) is strict in its enforcement of SSL/TLS certificate validation. If it is known that the domain of the initial URL of a connection has a self-signed or otherwise invalid certificate, and administrators wish to allow access to that server through RBI despite the invalid certificate, certificate validation can now be bypassed for the initial URL.

NOTE: This validation bypass affects only the domain of the initial URL. This means that bypassing SSL/TLS validation will not have any effect if:

  • There is no initial URL (the administrator leaves this connection parameter blank).

  • The domain with an invalid certificate does not identically match the domain of the initial URL (as may be the case if redirects are involved).


Configurable clipboard size limits

KCM-405: Allow connection clipboard limits to be configured

The clipboard within KCM has historically been limited to a maximum of 256 KB. If users will possibly need to copy larger amounts of data through a connection, this limit can now be overridden by the administrator on a per-connection basis.


Certificate authentication support for SSH

KCM-433: Support certificate authentication for SSH

For SSH servers that require certificate authentication, KCM now accepts a public key parameter in addition to the private key parameter that would otherwise be sufficient. The public key that was signed by your CA should be provided with this new parameter.


Bug Fixes

RBI

  • KCM-390: RBI connections may fail when loading YouTube Shorts

  • KCM-396: Allowed URL Patterns list truncated without warning

  • KCM-410: Autofill for KCM fails with a sufficiently large "autofill-rules.yml"

  • KCM-413: RBI freezes when attempting to input Japanese

  • KCM-417: RBI autofill of TOTP may cause memory error

  • KCM-419: RBI autofill cannot be used with Cloudflare login + reCAPTCHA

  • KCM-425: Touch interaction does not work in RBI on iPad

  • KCM-431: RBI autofill interferes with manual interaction

  • KCM-435: RBI cannot be used to log into Google services

  • KCM-399: Binary column data may disrupt terminal output of MySQL connection

  • KCM-437: KCM terminal emulator can become garbled when "vim" is used

Miscellaneous bug fixes

  • KCM-380: KSM integration cannot be used on a RHEL system with FIPS mode enabled

  • KCM-386: guacamole-db-mysql image appears to be broken on aarch64

  • KCM-392: Guacamole webapp warns "expected language resource does not exist" for Polish

  • KCM-400: Mysterious "0:00" timestamps appear in the middle of keystroke logs

  • KCM-403: Session recording playback heatmap broken for short videos

  • KCM-411: File upload progress bar completes before file is fully uploaded

  • KCM-426: KSM static token mapping does not work with a per user config

  • KCM-427: Recording playback sometimes freezes

  • KCM-439: __guac_wol_send_packet() uses incorrect structure for IPv6 address

Dependency updates

KCM-453: Update third-party dependencies of KCM
