Akamai Mac OS

The Mac Client (especially all Mac models from 2013 and later) works best when run with the default graphics settings. Launch the Launcher - do not enter your userid and password! In the upper right corner of the main window click on the down arrow and select 'Options.'
Go to the Preferences tab in Safari (or any other Mac browser). Check the Homepage tab. Make sure that your homepage is the one you have selected and not search28374278-a.akamaihd.net or something similar. Now go to the Extensions tab. Look for any Akamaihd.net extension as well as other suspicious entries.
macOS Server brings even more power to your business, home office, or school. Designed to work with macOS and iOS, macOS Server makes it easy to configure Mac and iOS devices. It's also remarkably simple to install, set up, and manage. Add macOS Server to your Mac from the Mac App Store for just $19.99.
Your command center.
macOS Server lets you set up and manage multiple Mac computers and iOS devices, right from your Mac. And it's so simple to use, you don't need an IT department.
macOS Server resources.
Everything you want to know about macOS Server, including training, services, and documentation.
2017-12-01
The Enterprise Application Access (EAA) November 2017 software release includes new features, performance improvements, and EAA component bug fixes.
New features include:
SAML IdP (Beta only): EAA can communicate with the native application directly as the SAML IdP source. This feature is available for preview only.
Connector troubleshooting tools: From the EAA Management Portal, administrators can test connectivity between the connector and its associated applications using common networking tools such as dig, Ping, Traceroute, LFT, and cURL.
Service/debug mode: If you are working with support, professional services, or an Akamai representative to resolve an EAA issue, you can enable service/debug mode to allow Akamai to remotely troubleshoot the issue.
Active Directory (AD) password reset: A workflow for administrators to configure the Active Directory (AD) from the EAA Management Portal to allow EAA to manage password complexity and reset requirements for the end user Login Portal.
AD LDS support: Lightweight Directory Services (AD LDS) support for the user-facing authentication mechanism for applications.
OCSP - On Premise CA: Online Certificate Status Protocol support is now available with on premise configuration to validate certificates.
Time-based access control rules: EAA administrators can configure time based access control restrictions for applications.
Additional language support: The EAA Login Portal is now available in French, Chinese, German, and Spanish languages.
The following bugs were addressed and resolved in this release:
RemoteSpark time zone menu now includes additional common time zones.
When more than 20 identity providers (IdPs) are configured in the EAA Management Portal, the UI now displays all of them.
EAA now validates the IdP hostname before creating the IdP.
The SAN extensions are now included in self-signed certificates.
SSH audit reports now appear in the EAA Management Portal.
EAA NGINX now retains the ETag header.
The EAA Login Portal no longer redirects to a lock screen when the authStatus is 200.
EAA applications configured with a custom domain that is switched to an Akamai domain now delete the certificate-to-application mapping so that the old certificate may be deleted.
EAA administrators can upload their own certificates for the SAML request signature.
EAA OPTIONS requests with redirect-based flow no longer result in cookie build up.
The following are known issues and planned improvements for the EAA Management Portal:
Time-based access control rules only support HTTP applications.
Password reset is not supported for the AD LDS.
Language support is not available for the password change page.
2018-03-23
New features
Duo Security integration. From the EAA Management Portal, enable and configure Duo Security two-factor authentication for users who access your applications from the EAA Login Portal. In addition to EAA's primary authentication methods, end-users are challenged by the authentication methods set within your Duo Security account. Enable this capability in EAA on a per-IdP basis. To use this feature in EAA, Akamai Enterprise Application Access must be added as an application in Duo Security's administration portal.
SAML IdP with Microsoft enhanced client or proxy support. Configure Microsoft enhanced client or proxy (ECP) mode for SaaS applications. This feature allows users to use their local Outlook or Mail clients with Microsoft Office 365.
Open LDAP custom schema support. When you use the EAA identity provider between your LDAP environment and service provider for SAML and SaaS applications, you can map both the EAA default and custom attributes to the LDAP directory for both groups and users.
Native Security Assertion Markup Language (SAML) based IdP. Support for SAML 2.0 based identity management for both on-premise and SaaS applications is available. This capability allows your users to Single Sign On to their Access and SaaS applications from the same login portal.
Custom Schemas in OpenLDAP directories. EAA allows you to map custom user, group, and organization unit (OU) attributes from your EAA OpenLDAP directory configuration to the native OpenLDAP directory. Also, creation of dynamic attributes as required by your SAML based SaaS applications is supported in this feature.
The following bugs were addressed and resolved in this release:
DSA health-check traffic appeared in the customer facing access logs when it should not have.
The EAA Login Portal now supports text changes of the change password text.
In the Korean locale users can now see the log in prompt in their browser.
Custom Group Members attribute is no longer ignored for LDAP.
The base DN for Group Search is now correct for LDAP.
Connectors and origin not support Secure and httpOnly flags for Sticky Cookies.
The Help Desk email now supports the character.
Assigning applications to an application group (rewrite) no longer causes significant performance issues.
Certificate to app mapping is now deleted when the app group changes from custom to Akamai domain.
The following are known issues and planned improvements for the EAA Management Portal:
Duo Security integration:
Akamai Enterprise Application Access must also be added as an application from Duo's administrator portal to enable this feature.
When a change or modification to the Duo UserID attribute option occurs, user access is denied to the application until the one time password (OTP) is reset within EAA.
A limitation based on Duo's current design displays the user multi-factor (MFA) settings in English irrespective of the language chosen in the login portal.
Native Security Assertion Markup Language (SAML) based IDP. Outlook/Apple mail client support for Microsoft Office 365 is only available in Windows and MacOS environments.
An application query for a specific SAML SaaS application name containing a space, : or will return no log line. Workaround: run the query without an application selected, which also gives results for all SAML SaaS application reports.
Before entering the EAA SAML settings, the SAML service provider (SP) entity ID, ACS URL, and log out URL must be XML-unescaped.
IdP settings sometimes do not persist if the Save and go next button is clicked. The workaround is to make changes and use the Save and exit button.
2018-10-26
The release includes new features, performance improvements, and EAA component bug fixes.
New features and performance improvements
User experience improvements: Login Portal (end-user) customization
Italian Language support. The end-user portal can be configured to display content in Italian. Once enabled, the browser's language settings are used to determine the language being displayed, and users can override the language being selected.
Customization for help desk email addresses. The help desk email address found under EAA Management Portal System Settings can be customized to any address the organization chooses and all references to help desk will point to the new address provided.
Organization name customization in MFA notifications. All MFA notifications are sent from Akamai today. This release will provide customers with the capability to customize the Organization name presented in MFA notifications.
URL for new user sign up. An optional field can be exposed in the end-user Login Portal that allows EAA administrators to customize the URL for new users to sign up.
Customization for application headers. EAA supports sending LDAP attributes as a custom header for applications.
Email Notification On/Off. EAA supports the ability to toggle system email notifications on or off from the EAA Management Portal.
Identity capability improvements
Support for Integrated Windows Authentication (IWA). IWA allows end users to single sign on to their apps by virtue of logging into their device (desktop SSO). This feature can be leveraged when users are on a trusted network. EAA supports multiple operational modes for IWA.
Authentication only based on client certificates. Provides an SSO-like experience without the need of username and passwords. Users are logged into the IdP on presenting a valid certificate.
WS-Federation with SAML 1.1 support. WS-Federation and SAML 1.1 support facilitates SAML authentication to Sharepoint.
Multi-auth support per PCI-DSS guidance. PCI-DSS 3.2 defines multi-auth capability to require traversal through all factors of authentication before a success or failure is revealed at login. EAA supports multi-auth as part of the TOTP based multi-factor authentication workflow, which provides additional protection against brute force attacks.
Enhancements with third party IdP integration using EAA's identity access aware capabilities
Support for EAA user workplace with third party IdP (e.g. Shibboleth). EAA admins can present the EAA user workspace in conjunction with third party IdPs.
Authorization for third party IdP. Ability to leverage group information in policies when using third party IdPs, and an updated IdP deployment workflow.
EAA Management Portal Dashboard enhancements
The new dashboard provides a tiled view with actionable widgets. New tiles include OS/Browser distribution, login failure details, and user activity details.
Application off-loading when on trusted (on-prem) networks
Allows customers to define trusted networks on the basis of subnets within the IdP. When traffic comes in from a user inside a trusted network, admins can optionally allow the data path to flow directly through without being proxied via EAA. In such scenarios, EAA will still handle the authentication flow.
SIEM updates
Expanded information is provided to Splunk via the EAA Splunk app. Updates include information on response times, login event details, and resource IDs. There is no change required on the Splunk application available on Splunkbase.
Reporting enhancements
EAA users can query for a report without selecting any query parameters. EAA supports these new preset reports:
Applications Accessed
Applications Failed login
Login Failure Details
Unique Users Count
Known limitations
Italian Language Support. The EAA remote-desktop aide and EAA Management Portal will continue to display content in English regardless of language selection.
Application Templates. SaaS apps cannot have profiles assigned at this time. Only access applications can have profiles assigned.
Certificate Limitations. When an existing CA certificate is updated, applications using this certificate are not marked for deployment.
Application Off-loading when on trusted (on-prem) networks. Only web applications are supported at this time; VNC/RDP/SSH application profiles are not currently supported.
Report enhancements. IdP URL will not be shown for the Applications Accessed and Applications Failed preset reports.
IWA Error. If a user performs a save on the Advanced Settings page and goes to the deployment page they may receive an error on the IWA field if there are changes to another previously enabled IWA. The work-around is to hard-reload the browser to clear the error.
Bug fixes
These bugs were addressed and resolved in this release:
Text and displays in the EAA Management Portal
Increased the size of the external hostname configuration field in the EAA Management Portal Preview Configuration tab.
Status tab is now Diagnostics
Moved the sync option in the Status tab to the Advanced tab
Removed the Diagnostic Tools from the tray
Reduced the size of the window on the EAA Management Portal Settings page
InstallBuilder Package Code
Added support for InstallBuilder Package Code signing for MacOS and Windows 64 bit.
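The multi-auth behaviour listed under the identity capability improvements above (all factors are traversed before success or failure is revealed) can be illustrated with a staged login beside a multi-auth login. This is an added example, not Akamai's or EAA's code; the account data, function names and result strings are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample account: secret, salt and password are made up.
SALT = b"constructed-salt"
TOTP_SECRET = b"constructed-demo-secret"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 10_000),
        "totp_secret": TOTP_SECRET,
    }
}
# Dummy record so an unknown user costs the same work as a known one.
DUMMY = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"dummy", SALT, 10_000),
    "totp_secret": b"dummy-secret",
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _password_ok(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)
    return hmac.compare_digest(candidate, record["pw_hash"])


def _totp_ok(record: dict, code: str, now: int) -> bool:
    # Accept the current time step and one step either side for clock drift.
    ok = False
    for drift in (-30, 0, 30):
        expected = totp(record["totp_secret"], now + drift)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def staged_login(user: str, password: str, code: str, now: int) -> str:
    """Weak flow: each factor reports its own failure, so a guesser
    learns which factor to keep attacking."""
    record = USERS.get(user)
    if record is None:
        return "unknown user"
    if not _password_ok(record, password):
        return "wrong password"
    if not _totp_ok(record, code, now):
        return "wrong code"
    return "ok"


def multi_auth_login(user: str, password: str, code: str, now: int) -> str:
    """Multi-auth flow: every factor is evaluated for every attempt and
    a single verdict is returned at the end."""
    record = USERS.get(user, DUMMY)
    password_valid = _password_ok(record, password)
    code_valid = _totp_ok(record, code, now)
    known = user in USERS
    return "ok" if (known and password_valid and code_valid) else "login failed"
```

With the multi-auth flow a wrong password, a wrong code and an unknown user are indistinguishable to the caller, so each guess has to satisfy all factors at once.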
2019-04-05
Enterprise Application Access (EAA) 04/05/19 software release
The release includes new features, performance improvements, and bug fixes for EAA and EAA Client Connector products.
New features and performance improvements
EAA Connector migration:
Enterprise Application Access (EAA) connector migration. EAA connectors running on Ubuntu version 18.04 LTS are available for deployment. They provide increased security and better performance. Customers should migrate the connectors to run on Ubuntu 18.04 LTS before August 2019. See Enterprise Application Access Connector Migration for best practices and migration process.
Identity capability improvements:
Responsive Mobile UI for identity provider (IdP). Users can log in to the IdP login portal from a tablet or mobile device for better productivity.
Favorite Apps in login Portal. You can customize EAA login portal by moving the frequently accessed applications to the favorites section of the IdP login portal.
OIDC/OAuth 2.0 for Internal Apps. OpenID Connect 1.0 (OIDC) is a federated protocol that provides an identity layer that is built upon OAuth 2.0. It enables clients (applications or user agents, relying party) to verify the identity of the end user based on the authentication performed by the authorization server, or OpenID provider.
Chase Referral Support for Active Directory (AD). Organizations can have multiple Active Directory (AD) domains for different geographical regions. To sync all of the users in all groups, EAA has the global catalog server option.
Dashboard 2.0 Reports. EAA administrators can drill down to obtain detailed reports by clicking the hyperlinks on the dashboard.
Access the EAA Management Portal from Control Center. Enterprise Application Access (EAA) Management Portal is accessible from the Control Center. You can manage groups and properties for your Akamai accounts and monitor, configure, resolve, and plan your products from the menu.
Login Portal languages. An EAA administrator can customize the text that appears in the Login Portal's welcome banner, page title, legal disclaimer, username hint, password change label and new user signup label field. EAA supports text in English, German, French, Spanish, Japanese, Italian and Chinese.
Customize the Login Portal tab name in the browser. Users can change the browser tab name for the Login Portal. The default tab name for the login portal of the IdP is Login in the browser window.
EAA Client Connector Enhancements:
Support for Apple Mojave OS. The EAA Client Connector runs on these operating systems (OS):
Microsoft Windows 7 or Windows 10 Enterprise (32-bit and 64-bit)
Apple macOS 10.11 El Capitan, macOS 10.12 Sierra, 10.13 High Sierra, or 10.14 Mojave
See network diagnostics in client skin. The Run Diagnostics function examines the status of the installation, connectivity, components, and configuration downloads from the EAA solution. Green check marks indicate success and red X marks indicate failure.
Save logs to local hard disk. EAA Client Connector allows the end user to save and also send a zipped version of the logs, device ID and version to the EAA administrator. The administrator can provide this information to Akamai support for troubleshooting.
Changes to configuration on-boarding. The configuration is manual to enhance security posture of the client.
Display client logs in Admin portal. The admin can click on View Logs to view all of the log types: INFO, DEBUG, and ERROR. To check a specific type of log, click Level and select the log types you want to view.
Common Interface File System (CIFS) Support. CIFS is supported in EAA Client Connector.
Self-Upgrade of EAA Client Connector. Users can check for updates in the client, and perform a self-upgrade if necessary.
Bug Fixes
Italian Email Notification enhancements. Added Italian language support email and SMS MFA templates.
Discovered apps performance improvements. Discovered apps page in client dashboard has faster performance.
Active Directory (AD) Group Search Improvement. AD group search performance is improved when admin searches for groups. Admins see faster results with less latency.
Software Design Kit (SDK) Improvements. Added all application related functionality, IdP deployment capability to the SDK.
Support for mixed IP environments. This release adds better support for both IPv4 and IPv6 environments. EAA Client Connector will fall back to IPv4 if IPv6 support is incorrectly configured in the user network.
Known limitations
When upgrading EAA Client Connector from beta to LA release (retaining the configuration), the IdP page shows reconfigure as an option because IdP tokens have changed. It is a benign condition. This status will remain on the IdP page until the user clicks the reconfigure option and gets the new IdP token added for the LA release. This does not affect new seeding or configuration.
When client is in disconnected state, status of the IdP page on first refresh incorrectly says client is not installed, the second refresh displays the right status that client is not running.
When configuring the EAA Client Connector for the first time, clicking the diagnostics button may result in a configuration error while the TCP apps are being configured. This is because EAA Client Connector diagnostics does not distinguish TCP with tunnel apps. As soon as all the TCP apps configured are started, all checks in diagnostics will become green. This only affects first time configuration.
Changing MFA Helpdesk email: When the helpdesk email option is changed in System - Settings (for MFA), only the default IdP prompts to redeploy. Any other IdPs that have MFA enabled do not prompt Ready for Deployment. These can be deployed manually, but this may cause confusion for customers.
IdP Configuring max session duration: When max session duration is configured to be less than Idle expiry IdP deployment will fail.
IdP portal rendering issues: When a logged in user resizes the IdP portal browser window, users may experience these issues: a) EAA client download button will disappear. b) MFA registration buttons won't work. c) User account actions such as account settings, logout and change password will come as mobile browser.
EAA Client Connector upgrade on Windows 7 or Windows 10: When trying to reinstall EAA Client Connector on an existing installation, upgrade may fail in cases with this error: There has been an error. Could not kill process with pid [pid]. This is due to Windows OS locking the old processes. Work around is to try again and re-run the upgrade of EAA Client Connector.
EAA Client Connector and IdP interaction: If the user closes the auth form by mistake during the authentication, the user then has to click the re-authenticate/sync button.
IdP default POP and configuration: When an admin changes the POP of the default IdP instance, the corresponding directory configuration won't be deployed to the newly selected IdP POP. Customer admins can reach out to Akamai support to correct the problem.
EAA Client Connector does not support domains that use non-ASCII characters (EAAC003)
EAA Client Connector intercepts traffic based on fully qualified domain names (FQDN) only (EAAC005)
EAA Client Connector user interface language only supports English (EAAC012)
EAA Client Connector may not work with forward proxies in the network (EAAC013)
EAA Client Connector does not support Kerberos authentication (EAAC014)
EAA Client Connector does not support Service Records (SRV) in a Domain Name System (DNS). Applications like Microsoft Exchange, which rely on this, require a VPN or corporate network. The EAA Client Connector can then access the application (EAAC022)
EAA Client Connector does not support Extensible Messaging and Presence Protocol (XMPP) in DNS. The Pidgin application, which relies on this, requires a VPN or corporate network for this initial setup. The EAA Client Connector can then access the application (EAAC023).
File transfer protocol (FTP) does not work with EAA Client Connector. To work around this issue, modify the FTP server settings to select an external IP address of the firewall (or server external IP address). Provide an unroutable loopback IP like 127.50.100.1. Now the FTP client can use the server hostname instead of IP (EAAC024).
Client-access applications are not supported with docker-based connectors. (EAAC025)
EAA Client Connector is not supported on macOS 10.13 High Sierra with case-sensitive Apple File System (APFS) (EAAC026)
When an ACL rule is set to deny a user access to a client-access application, and if that user tries to access the application, the EAA Client Connector will only update the denied user's eeaclient.log with a generic 403 error message (EAAC027)
For tunnel-type client-access applications, if the application server is running multiple applications on the same IP address, same port, and using the same protocol, the access control list (ACL) rules might not be applied reliably and there is a vulnerability (EAAC028)
VoIP applications like Skype have not been tested on EAA Client Connector and may have performance issues (EAAC029)
EAA Client Connector will not work when the Nmap Project's packet sniffing (and sending) library (NPCAP) loopback adaptor is installed on a Windows machine (EAAC035).
The macOS firewall rule allowing EAA Client Connector traffic may be removed on Mac machines. When the machine reboots, users need to click Allow when prompted to accept incoming connections (EAAC037).
When you first install the EAA Client Connector on Windows, a Windows Security dialog prompts to install the network TAP driver. Click Install. Silent installation may be impacted by this limitation. To resolve the issue, deploy the TAP driver certificate before the silent install command line (EAAC040).
EAA Client Connector zipped log files contain an empty akamai_dpclient.log. It can be ignored by the user. (EAAC041)
2019-07-26
Enterprise Application Access (EAA) 07/26/19 software release
Akamai EAA Client New Features
IPv4-based access for tunnel applications. EAA Client extends zero trust access functionality to access applications defined by IPv4 addresses.
Captive portal detection. EAA Client detects the presence of captive portals and gracefully reconnects when network connectivity is established. See Captive portal support in EAA Client Admin Guide.
On-premises network detection. Based on network policies configured by an EAA administrator, EAA Client can detect if a user is on-premises. In this situation, the client allows direct access to enterprise applications that bypass access through the proxy.
Akamai EAA Client Usability Improvements
Client menu simplification. The EAA Client menu is now more intuitive and includes tooltips to guide end users. The Setting menu provides improved logging capabilities. New settings names and menu organization allow users to complete advanced operations more easily. These operations include checking diagnostics, viewing the network type and status, accessing the synchronize and reset functions, and downloading the latest version of the client software.
Known Limitations
EAA Client
After you upgrade to the latest version of EAA Client (version 1.3.X), you cannot downgrade to the previous version (version 1.2.X). Rolling back to version 1.2.X requires that you uninstall version 1.3.X and reinstall version 1.2.X of the EAA Client.
You will not be able to configure the EAA Client from the IdP login portal on a Microsoft Edge browser. Use an alternative browser like Chrome.
When connecting to a captive portal on a Mac, the captive portal may block all outgoing traffic. In this situation, the client shows that the network type is NONE. EAA Client cannot reliably detect whether the end user is on a public network or a captive portal.
When the user is connected to both trusted and untrusted networks on two different networks, EAA Client inconsistently detects whether the user is on a trusted network or a public network.
The identity provider (IdP) name may not appear in the EAA Client. To resolve this issue, quit and restart the EAA Client.
On macOS, clicking logout in the client may cause all menu options to gray out. To resolve this issue, open the Activity Monitor application in the Utilities folder of the Mac. Select EAA Client and then click the quit icon. In the dialog that appears, select Force Quit.
macOS type
When adding multiple IPv4 addresses to a Tunnel type application, you are limited to adding a maximum of 214 IPv4 addresses to an application. If you have more than 214 addresses, you must add additional tunnel applications as needed.
Enterprise Application Access
When accessing an application, an IdP session is not saved between browser tabs on these versions of Microsoft Edge and Internet Explorer: Microsoft EdgeHTML: 17.17134, Microsoft Edge: 42.17134.10, IE: 11.590.17143. If a user opens a new tab in these browsers, they are prompted to enter their Login Portal credentials again.
When using the Login Portal with a Microsoft Edge or Internet Explorer browser, a user may experience multiple UI issues such as long loading times, the favorite icon (heart symbol) not appearing, and more.
If you open the print dialog in a remote desktop protocol (RDP) server session and you then click the desktop before making your selections, the dialog may disappear. To work around this issue, you must open the print dialog again.
If only DNS server settings are changed in network interfaces, on-premise network monitoring may not detect that the network type has changed from or to a trusted network.
When there are multiple data centers that have the same network configuration, connectors assigned to these data centers should not be associated to a single tunnel application.
2020-03-22
Enterprise Application Access (EAA) 03/23/20 software release
Akamai EAA New Features
Block Users. It allows the EAA Identity administrator to kill all existing sessions and prevent new sessions for the specified user within five to ten minutes. Blocked users can be unblocked if required. Works on Akamai identity provider and third party IdPs like Okta or Azure AD.
MFA Recovery code. When end-users forget to bring their 2nd-factor device this can be used as a fallback mechanism to allow validated users to access the login portal. This will work only with Akamai MFA that is part of an Akamai IdP.
Connector in-place upgrades. When an updated connector package is available, such as a patch to address security vulnerabilities, admins can now update the connector without having to roll out new connectors. Admins can choose the connector to apply the patch. Please note, customers are advised to use 2+ connectors per application or directory. You should upgrade one connector at a time, which will ensure disruption is minimal. Connector update packages will be tested by EAA.
Akamai EAA Client New Features
Device Posture New Features. With Device Posture (DP) you can improve your application security. DP collects signals about a device via the EAA client, the EAA mobile app for iOS, or integrations with Enterprise Threat Protector (ETP) or VMware Carbon Black (ETP and VMware Carbon Black licenses required). Admins then configure rules to classify devices into low, medium, or high risk tiers or, optionally, into risk tags. Risk tiers or tags can be used as criteria along with Enterprise Application access control rules, thus improving application security. DP includes a full set of device inventory and device posture reporting tools.
Mac OS X 10.15 Catalina Support. The EAA client (including Device Posture capabilities) will be supported on Catalina, which is Apple's newest Mac operating system.
Windows 10 Home Edition Support. The EAA client (including Device Posture capabilities) will be supported on Microsoft's Windows 10 Home Edition.
TunnelApp 2.0. Tunnel App 2.0 eliminates the need for admins to configure access for several applications individually, which becomes a tedious task for customers having many applications. With this new feature, admins can configure several destinations under the same client-application in tunnel mode. Multiple destination definitions can be combined, such as FQDN wildcard with * syntax, IPv4 CIDR block, protocol support for UDP, TCP or both, and port selection using range or multiple port/range. This application pooling capability saves time and reduces the chance of any error.
Silent Install Improvements. Admins can install or upgrade the EAA client on many machines using software deployment/patch management solutions, such as KACE, SCCM/Intune, and JAMF. During this process, end-users will no longer need to click on download and configure the EAA client.
Enterprise DNS. The EAA client will intercept PTR (pointer records) and SRV (service records) queries and forward them to the enterprise's DNS server. This supports Kerberos based authentication, which requires DNS SRV to work.
Known Limitations
EAA and EAA Client Limitations
No warning is displayed when you modify an existing IP based tunnel-type client-access application by adding or deleting IP addresses.
Silent installation of EAA Client cannot be done on a Windows 7 Enterprise 32 bit machine. The workaround is to perform a manual installation.
If you are using Outlook on a Windows machine, and you switch EAA Client from Wi-Fi to LAN or hotspot and back to Wi-Fi within 30 seconds, Outlook will be stuck in connecting state. The workaround is to quit Outlook and launch again.
If you have Oracle Virtualbox installed on Windows 7 machine, EAA Client works intermittently.
On-premise detection does not work if the DNS is manually modified on the machine's network adapter's interface. As a work-around, log out and log back into the EAA Client.
In Windows, on-premise detection uses DNS addresses from all interfaces to resolve hostnames. If there are any disabled interfaces, it triggers false on-premise detection. As a work-around, you should clear the DNS configuration for disabled interfaces.
The EAA administrator cannot customize the Enterprise DNS application URL.
You cannot attach an IdP to an Enterprise DNS application. It is not possible to have specific DNS servers for the same search domain for users in a particular region served by an identity provider. This can increase the latency for the users.
Device Posture Limitations
Device Posture sends signals only when you are logged into the EAA Client mobile app or desktop app.
On mobile devices, if you switch out of the EAA Client app before completing registration, the application stops working.
Device Posture does not work if applications have a form-based user-facing or certificate-based user-facing authentication.
When using the EAA Client mobile app with a third-party IdP, if you experience a browser session timeout, you will see the erroneous device posture remediation message "Ensure your EAA Client is installed or configured correctly. Device posture not found" and are redirected to the Akamai IdP. Users should log out of the Akamai IdP and device posture should work properly.
After a silent install of the EAA Client on Windows machines, the User Id field may be incorrect. This issue can be corrected by restarting the EAA Client or rebooting the system.
Device Posture anti-malware detection may display the same anti-malware signal multiple times. This does not impact functionality.
On the macOS platform, the OS last update time field incorrectly displays the last time the OS was checked for updates instead of the last time the OS was updated. This does not impact functionality.
When updating from Windows EAA Client version 1.x.x, the OSQUERY directory and files may not be deleted. They can be safely removed when running Windows EAA Client version 2.0.0.
If you log in to an application that has Device Posture controls, using EAA Client mobile app, you may be denied access for the first time. Subsequent access using the retry button or accessing any other application should work.
If you log into the EAA Client mobile app, using Safari, Device Posture might not work. The user might have to log out and then log back into the EAA Client. Or log in to EAA mobile app with the QR code.
2020-06-21
Enterprise Application Access (EAA) 06/22/20 software release
EAA Client Versions
EAA Client for Windows/macOS: version 2.0.3.1b7852fe
EAA Client mobile app for iOS: version 0.99
Akamai EAA New Features
Certificate validation for origin servers: Administrators can enable or disable certificate validation for specific directories, web Applications, SSH Applications, and RDP Applications. Origin server certificate validation must be enabled for such applications and directories that are used in production environments with HTTPS/LDAPS. For more information, see Certificate-based validation of origin servers
Akamai EAA End of Support
With this release, Akamai Enterprise Application Access is officially announcing the end of support for Ubuntu 14.04 LTS based connectors. Customers are required to migrate to Ubuntu 18.04 LTS based connectors for continued service. For more information, see Enterprise Application Access Connector Migration
Known Limitations
EAA and EAA Client Limitations
Browser-based SSH applications in EAA currently support only RSA and DSA keys for key verification.
Origin server certificate validation for HTTPS applications does not support SAN (Subject Alternative Name) of the type - IP address.
Servers listed in the load balancing groups of URL path policies are validated using the origin server certificate specified in the general settings screen.
If a user's password is reset outside of EAA, the user might get a 556 error while accessing NTLM applications during an active session. Refreshing the page will prompt the user to enter the new password and after successful authentication, the user will be granted access to the application.
Modifying an IP based tunnel-type client-access application may make it inaccessible from a 1.x EAA Client. The workaround will be to upgrade to the 2.x EAA Client.
Silent installation of EAA Client cannot be done on a Windows 7 Enterprise 32 bit machine. The workaround is to perform a manual installation.
If you are using Outlook on a Windows machine, and you switch EAA Client from Wi-Fi to LAN or hotspot and back to Wi-Fi within 30 seconds, Outlook will be stuck in connecting state. The workaround is to quit Outlook and launch again.
If you have Oracle Virtualbox installed on Windows 7 machine, EAA Client works intermittently.
On-premise detection does not work if the DNS is manually modified on the machine's network adapter interface. As a work-around, log out and log back into the EAA Client.
In Windows, on-premise detection uses DNS addresses from all interfaces to resolve hostnames. If there are any disabled interfaces, it triggers false on-premise detection. As a work-around, you should clear the DNS configuration for disabled interfaces.
The EAA administrator cannot customize the Enterprise DNS application URL.
You cannot attach an IdP to an Enterprise DNS application. It is not possible to have specific DNS servers for the same search domain for users in a particular region served by an identity provider. This can increase the latency for the users.
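The IP-address SAN limitation listed above can be checked for before origin server certificate validation is enabled on an HTTPS application. The following is an added example, not Akamai code: the function names are hypothetical, the certificates are constructed samples in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and standard hostname matching against DNS-type SANs is assumed.

```python
import ipaddress

# Constructed samples (made-up names and addresses) in the shape that
# ssl.SSLSocket.getpeercert() returns for a validated peer certificate.
CERT_DNS_AND_IP = {"subjectAltName": (("DNS", "app.corp.example"),
                                      ("DNS", "*.apps.corp.example"),
                                      ("IP Address", "10.20.30.40"))}
CERT_IP_ONLY = {"subjectAltName": (("IP Address", "10.20.30.40"),)}


def is_ip_literal(host):
    """True when the configured origin is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_san_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit_origin(origin, peercert):
    """Return (verdict, dns_sans) for one configured origin.

    ok          - a DNS-type SAN covers the origin hostname
    ip-san-only - the origin is an IP address that only an IP-type SAN covers,
                  which the limitation above says is not supported
    no-match    - no SAN in the certificate covers the origin at all
    dns_sans lists the DNS names in the certificate, i.e. the hostnames the
    origin could be reconfigured to use.
    """
    sans = peercert.get("subjectAltName", ())
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    ip_sans = [value for kind, value in sans if kind == "IP Address"]
    if is_ip_literal(origin):
        target = ipaddress.ip_address(origin)
        covered = any(ipaddress.ip_address(v) == target for v in ip_sans)
        return ("ip-san-only" if covered else "no-match", dns_sans)
    if any(dns_san_matches(p, origin) for p in dns_sans):
        return ("ok", dns_sans)
    return ("no-match", dns_sans)


if __name__ == "__main__":
    for origin in ("app.corp.example", "wiki.apps.corp.example", "10.20.30.40"):
        print(origin, audit_origin(origin, CERT_DNS_AND_IP))
```

An origin reported as ip-san-only needs to be configured by one of the returned DNS names, or its certificate reissued with a DNS-type SAN, before validation is turned on.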
Device Posture Limitations
When you use the EAA Client mobile app on mobile devices to log into an Akamai IdP with a QR code, you may have problems opening the app and may see a loading screen with a spinner. Close the application and re-open. Or, login to the IdP with a mobile browser. Another workaround is to do a second scan of the same QR code, after reopening the app when the first scan fails. Third-party IdPs are not affected.
From the Device Posture Dashboard, when you click on the Internet Explorer, the report doesn't correctly populate. A workaround is to go to the Device Posture Reports and then select Browser Internet Explorer from the advanced filters, to see the list of devices.
If you refresh the browser while editing ACLs with device risks or device posture settings, the configured values may disappear from the UI only. To recover the view, navigate to any other screen and return.
Using the EAA Client mobile app on mobile iOS devices to log into an IdP with a private self-signed certificate is not supported.
When you use the EAA Client mobile app on mobile devices to log into an MFA enabled Akamai IdP, you may need to enter the MFA code twice, once while logging into the mobile browser, and second when re-directed to the EAA Client mobile app login screen.
If you log in to an application that has Device Posture controls, using EAA Client mobile app, you may be denied access for the first time. Subsequent access using the retry button or accessing any other application should work.
If you log into the EAA Client mobile app using Safari, Device Posture might not work. The user might have to log out and then log back into the EAA Client mobile app. Or log in to EAA Client mobile app with the QR code.
Device Posture based ACLs are not supported if an application has a user-facing mechanism set to either certificate only or basic authentication. The access to the application is blocked; the workaround is to remove the device posture ACLs from the application or to change the authentication mechanism to form.
On mobile devices, if you switch out of the EAA Client mobile app before completing registration, the application stops working. Return to the EAA Client mobile app and complete registration.
On the macOS platform, the OS last update time field incorrectly displays the last time the OS was checked for updates instead of the last time the OS was updated. This does not impact functionality.
After a silent install of the EAA Client on Windows machines, the User Id field may be incorrect. This issue can be corrected by restarting the EAA Client or rebooting the system.
2020-10-15
Enterprise Application Access (EAA) 10/23/2020 software release
EAA Client Versions
EAA Client for Windows/macOS: version 2.1.2 (build number is 20110505)
EAA Client mobile app for iOS: version 1.0
EAA Client mobile app for Android: version 1.0
Akamai EAA New Features
User diagnostics and troubleshooting. End-user diagnostics workflow can be used by administrators to quickly diagnose and find the root-cause for commonly faced issues during application access. Designed as a workflow, customers provide the username, identity provider (IdP URL) accessed, a time window, and devices used. The retrieved data includes the top applications accessed by the user, ACL and authorization policies violated by the user and network performance as viewed from within the EAA service.
Connector health monitoring. The connector health monitoring widget has been significantly upgraded in this release. The load indicator on the connector card provides a simple stop-light view on its health. The performance tab provides rich information, such as the state of system resources, the nature of EAA dial-outs, and the number of active connections per connector, for each connector that is active.
Application configuration versioning. Starting with this release, the EAA service supports application configuration versioning. Administrators can automatically roll back to a previous version where possible, and easily compare different configuration versions and identify changes.
Bypass of Multi-factor authentication. Administrators can enable bypass MFA criteria like a managed device check or a corporate network IP check, to determine if MFA is prompted for end-users during the sign-in process. Corporate gateway subnet verification is used to determine if a request is from the corporate network. Client certificate (User Store) validation is used to determine if a device is managed.
EAA APIs. The Open API documentation provides better API segmentation, clearer documentation for the user, group, application, IdP, directory, and includes Device Posture API.
Support for customer configurable ciphers. Allows the administrator to select a default or custom cipher suite to be used for the TLS client-server handshake before starting a TLS secure communication. It can be configured in the advanced settings within an application's configuration.
Crowdstrike Integration for Device Posture. Customers using Crowdstrike Falcon Endpoint Detection and Response (EDR) can enable EAA to check the Crowdstrike cloud to validate the health and validity of the Falcon sensor on the device. This can be used as a device posture signal which can be used for application access control rules (ACL).
Device Posture checks device certificate validity. Administrators can enable a new device posture signal to confirm the presence of a valid device certificate on the device. A valid certificate helps EAA distinguish an organization's owned and managed device from others, and can also be used as a signal for an ACL for applications.
VMware Carbon Black for Device Posture. An updated API from VMware has been integrated with Device posture to provide an additional layer of security and protection between Akamai EAA cloud and VMware Carbon Black cloud communication.
Identity provider username in Device Posture reports. Device Posture reports show the identity provider (IdP) username that is present in authentication login sessions, correlating device posture signal to the user.
Akamai EAA End of Support
EAA Client
With this release, Akamai is announcing the end of support for all EAA 1.x.x Clients. Customers using 1.x.x Clients are requested to migrate to 2.1.2 Clients. When you upgrade to EAA Client 2.1.2, a new akamai-device-id is generated. EAA activity reports, Clients overview dashboard, Device Posture dashboard may include old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. The recommended upgrade procedure for the 2.1.2 release is to directly upgrade over the existing 2.0.x installations. If the user is running a 1.x version of the EAA Client they must uninstall it before installing version 2.1.2. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.
EAA and EAA Client limitations
User diagnostics do not show Device Posture ACL policy violations for access-applications (clientless apps).
User diagnostics do not show browser-based SSH, bookmark, or SaaS applications.
User diagnostics is not supported on Internet Explorer version 11 due to unsupported fonts.
Connector health monitoring is not supported on Internet Explorer version 11 due to unsupported fonts.
Integrated Windows Authentication (IWA) fails intermittently while accessing from a new browser session and the identity provider (IdP) will prompt for form-based authentication. Authentication will succeed if we refresh the browser session or open the IdP URL in a new tab.
If you access an application that has bypass MFA criteria set to certification validation check enabled and appropriate settings are done, you are redirected to the identity provider login portal after authentication. The user should then access the application from the login portal.
Bypass MFA feature is not supported when the 'Certificate Identity is Username' field is unchecked in the General settings of the identity provider and 'Device is Managed' is used as a Bypass MFA criteria. Users will be prompted for MFA.
Device Posture limitations.
When you use the EAA Client mobile app on Android devices when logging into an IdP from either a Chrome browser or via the QR code, if the user switches apps before the configuration is complete, it may cause the EAA Client to crash.
When you use the EAA Client mobile app on mobile devices to log into an MFA enabled Akamai IdP, you may need to enter the MFA code twice, once while logging into the mobile browser, and second when redirected to the EAA Client mobile app login screen.
When you install the EAA Client on Windows, open EAA Client, and navigate to Device Posture Signals, the username is the admin's name and not the current user name. The workaround is to quit and restart the EAA Client.
When you use the EAA Client mobile app on mobile devices to log into an Akamai IdP with a QR code, you may have problems opening the app and may see a loading screen with a spinner. Close the application and re-open. Or, login to the IdP with a mobile browser. Another workaround is to do a second scan of the same QR code, after reopening the app when the first scan fails. Third-party IdPs are not affected.
EAA Client mobile app on an Android device works only if a Chromium-based browser (Chrome, Samsung browser, Microsoft Edge) is set as the default browser. On other browsers, users will see a remediation message, 'Ensure EAA client is installed or configured correctly'.
When you use the EAA Client app on iOS 14, iPadOS 14 devices and Safari is not the default browser, users will see a remediation message, 'Ensure EAA client is installed or configured correctly', when accessing a web app from the browser.
When you use the EAA Client app on iOS devices for authorization to a third-party IdP with or without MFA, the user is stuck in the authorization loop process (user accesses third-party IdP URL on iOS browser, OS opens EAA Client app, the user completes authorization and MFA, the user is redirected back to the browser again, OS opens EAA Client app again, loop repeats).
When you use the EAA Client mobile app on iOS devices to log into an Akamai IdP, you may be directed to the EAA Client and are prompted to log in again using the in-app browser window. After you enter login credentials, the app may hang with a loading screen and a spinner. To recover, you must close and reopen the EAA Client application. Then, you must log out of the IdP using the browser and log in again to the IdP via the mobile browser a second time. Third-party IdPs are not affected and can be used with QR code or the Safari browser.
Fixed customer bugs.
Tunnel-type client-access application sessions are terminated within 5 minutes for a user, who is blocked by block user functionality.
Tunnel-type client-access applications can be saved when login credentials are used with Firefox Lockwise.
Tunnel-type client-access applications have a case-sensitivity check for application hostnames.
User and groups sync improvements for better integration between Okta IdP and Active-Directory.
Client Details reports have been increased up to 10000 records.
Use sticky cookies for connectors for tunnel-type client-access applications with TCP optimization enabled is supported.
False EAA client upgrade notifications have been resolved.
Added pagination support for the Groups page under Active Directory.
Any custom application inside the RDP application window is not maximized any more.
SSH Audit report download support is extended from three months to one year.
2020-11-12
Mac OS 11 (Big Sur) Support for EAA Client
Apple has announced the general availability of macOS Big Sur (version 11.0) across its platforms starting November 12, 2020.
Akamai has been working closely in the Apple Developer Network to validate the EAA Client with various Apple Developer builds. As a result, the EAA Client 2.1.2 will install in macOS Big Sur-based environments. However, full qualification is only possible once the production release of macOS Big Sur is made available.
Following Apple's announcement today, Akamai will undertake a final round of testing on macOS Big Sur to ensure that EAA Client 2.1.2 is fully qualified. Once the testing is complete, Akamai will update appropriate Client release notes to reflect this.
EAA Client versions below 2.1.2 will not support Big Sur. Customers using EAA Client who wish to run macOS Big Sur must upgrade to corresponding supported Client versions when they have been fully qualified.
See macOS Big Sur for more information.
2021-01-22
EAA Client 2.3.0 patch release - 1/27/2021
EAA Client Versions
EAA Client for Windows/macOS: version 2.3.0.21012201
Akamai EAA Client 2.3.0 New Features
Big Sur support. This version of EAA Client fully supports Big Sur (MacOS 11.0) on Intel-based processors.
Known limitations
Customers using this EAA Client patch release on the macOS platform will see empty values for Process Name and Process Path fields in Client Details Preset Report (EAA Management portal Reports Activity Preset Reports, Select Report Client Detail) and Discovered Apps User Report (EAA Management portal Clients Discovered Apps, Provide a date range, select any App, click Users). If you are using device posture, the remediation message may not have the Process Name for client-access apps.
Bug fixes for EAA Client
Device Posture supports Carbon Black Sensor 3.5.1 version.
Device Posture supports the Crowdstrike Falcon sensor v6.14 version.
When you open EAA Client, the complete OS name is shown for macOS Big Sur. Earlier it was just macOS.
When there are many TCP-type or IP-based client-access applications using the same Identity provider, Run Diagnostics results were not meaningful. It has been fixed.
DNS SRV records are supported on macOS.
Resolved issues with SRV records on Windows for Enterprise DNS.
Bogus EAA Client notifications have been suppressed.