Backend API Version 16.10.0

Bug Fixes

• KA-4968: In Keeper MSP: The list of Share Admins is not properly including the Managed Company admins, only the MSP share admins.

• KA-5322: Customers on a free trial were unable to access Record History and restore a record.

• KA-5506: Inviting a consumer account to an enterprise, then editing a user's email causes an error.

• KA-5482: "Disable email invites" was ignored by the "Automatically resend email invitations".

• KA-5460: Stay-logged-in works one time after restricting it via an enterprise role enforcement.

• KA-5146: User located on a sub-node with root node "Keeper Administrator" role isn’t able to perform Share Admin activities on root node records within the Shared Folder that is owned by a root user.

• KA-5211: Deletion of Shared Record by non-owner results in removal of associated security Data, affecting the security score.

• KA-5451: ARAM reports null,null,null and 0.0.0 for On-Demand Rotation Success/Failure

• KA-5028: ARAM event is not triggered when adding user to team in the scenario when it is done at the same time as the creation of the team.

• KA-5287: Sub-node admin is not able to run ARAM "all security events" report

• KA-5151: Enforce add-on and storage restrictions for MSP created by a distributor

• KA-5134: Implement PUT for editing groups via SCIM requests.

• KA-5376: Protection against creation of on-prem SSO accounts containing invalid data

• KA-4571: Invalid invites are sent to users in nodes with incomplete SSO provisioning set up

• KA-5420: Linked records are not showing in the user's deleted items when the record is deleted that contains links.

• KA-4652: User counts in the billing history page do not appear in the Billing History page 'Users” column.

Security Improvements

• KA-5497: User Presence now supported on FIDO2 security keys: Users who login with a Security Key that have a PIN configured, will now be requested to enter their PIN. The server now responds with "Preferred" instead of "Discouraged" in regards to User Presence. To learn more about this feature, read about it on the Yubico website.

• KA-5368: Bugcrowd report: User able to sign in to web vault after enabling platform restriction, as long as the session is still active.

• KA-5395: IP AllowList restriction allowed session resumption (stay logged in) to occur even when the IP address is restricted.

• KA-5341: If "stay logged in" enforcement is changed by the admin, the effect is not immediate. This information was being cached for some time in the Keeper infrastructure.

• KA-4682: If you deny 5 Keeper Push device approvals, no more device approval pushes are sent until the account owner acknowledges and re-activates device approvals via an automated email.

• KA-5474: Recovery process timeout was increased to 15 minutes from 10 minutes.

• KA-5455: PAM rotation APIs can be used even if a user is not within a provisioned role.

• KA-5408: Locked users should not be able to use KSM secrets manager API

• KA-5418: Within the Enterprise, ensure that rotation APIs can only be executed by user with edit rights on the record.

• KA-5409: Secrets Manager User with removed permissions can still edit and create applications.

Features

• KA-5208: Support for MSP Accounts in GovCloud

• KA-5479: Backend support for Exabeam SIEM provider. Console UI update coming.

• KA-5473: Support for shared folder array in permission changes (for Keeper Commander "apply-membership" bulk command in ticket KC-590).

• KA-5171, KA-5172: APIs to provide the Admin Console and Commander with a user's 2FA and transfer acceptance setting. Will be implemented in the UI in a later release.

• KA-5189: Endpoint to allow the Admin Console to flush security scores and re-calculate. Will be included in a future Admin Console release.

• KA-5386: Added 2 more ARAM events related to MSP distributor billing:

  • User ${username} activates MSP for enterprise ${enterprise}

  • User ${username} deactivated MSP for enterprise ${enterprise}

• KA-5426: New ARAM events for Keeper Secrets Manager client devices:

  • app_client_record_create

  • app_client_record_update

  • app_client_record_delete

  • app_client_folder_remove_record

  • app_client_folder_update

  • app_client_folder_delete

• KA-5143: Support for MSP "Business Starter" plan. Not yet implemented in the UI.

• KA-5222: Support for APIs to remove files and linked records from Keeper Secrets Manager.

• KA-5461: Support for an optional "path" parameter when setting up Splunk SIEM endpoints. "https://" + host + ":" + port + (path=="" ? "/services/collector" : path)

• KA-5456: SCIM "Get Group" command fails when a team is located in a subnode under SCIM node.

• KA-5500: Improved language in Sharing Notice emails.

• KA-5265: Support for new role enforcement policy MASTER_PASSWORD_MINIMUM_LENGTH_NO_PROMPT This role enforcement will allow a role to not require the user to immediately change their master password if the length of their password is less than the minimum.

• KA-5541: Support for sending "minutes" instead of "milliseconds" for logout timer setting.

• KA-5573: Support for logging into SSO Cloud from the user's default web browser when using Keeper Desktop. This new feature will be incorporated into an upcoming Keeper Desktop release 16.10.4.