Highlights
- Informative Enrollment Failure Messages
Enhancements
Informative Enrollment Failure Messages
- When a user enrolls a mobile app or a desktop agent by completing an Identity Verification Workflow, enrollment sometimes fails due to policy. In the past, we used a single, generic message for all failure cases to avoid providing information that might help a threat actor impersonate a user. However, there are policy violations for which this generic message is not helpful to the end user, and for which more specific messaging would not make it easier for a threat actor to cause harm. With this release (and the upgrade of the Identity Server to 24.155 or higher), we give more informative error messages when enrollment fails due to one of the following policy violations:
  - Biometrics are required but are not available on the device.
  - A private app is required but the user tries to enroll with a public app.
  - The device must be managed but the user tries to enroll an unmanaged device.
  - Enrolling the device would violate the device limit policy.
Bug Fixes
- We have fixed an issue where IP address and location information was missing in some events in the Events table.
- We have improved error reporting to differentiate between a failed authentication attempt from an enrolled FIDO key and one from an unenrolled FIDO key.
- We have fixed an issue that prevented SMS messages from being sent if the phone number in the directory had invalid characters (e.g., spaces are removed so numbers conform to the E.164 standard).
- We have fixed an issue where failed registrations (where certificates were not being provisioned to computers) appeared as successful registrations.
Known Issues
| Ticket Number | Component | Summary |
|---|---|---|
| PLAT-9447 | Misc. | Unfriendly error message when Device is below Minimum Device Assurance Level for Application SSO |
| PLAT-9359 | Admin Console | The view of devices does not get updated immediately when dormant settings are modified. If the Admin changes the “Stale Device Handling” configuration under “Settings > Security”, the status for devices (Active / Dormant) may not be accurate for up to 15 minutes as the status is cached and updated every 15 minutes. |
| PLAT-9302 | Admin Console | In rare instances, the Admin Console may fail to load. If this happens, refresh the page. |
| PLAT-9891 | PIN Reset | If a PIN profile is updated from not requiring PIN rotation to requiring PIN rotation, already enrolled devices will not honor that policy. Workaround: manually set the enrolled device(s) to require a PIN change. This will force the user to change their PIN on next check-in, and the updated PIN profile will be used moving forward. |
| WA-18595 | Policies | Failed policy evaluation events from iOS devices appear twice in the Events table. |

