Hello everyone! Here are the release notes for our most recent updates to Duo.
Public release notes are published on the Customer Community every other Friday, the day after the D-release is completely rolled out to commercial deployments. You can subscribe to notifications for new release notes by following the process described here. If you have any questions about these changes, please comment below.
Check out the Guide to Duo End-of-Life and End-of-Support Plans. This guide provides an up-to-date list of current and past end-of-life plans for Duo products.
Cisco Duo
New Features
Passwordless OS Logon is now available for customers to try as a public preview feature! Requires installation of Windows Logon 4.3.16 Public Preview release on test clients.
- The Microsoft RDP application in the Admin Panel now includes a setting to enable Passwordless OS Logon.
- New endpoints have been added to the Admin API to block a device from registration. Requires the "Grant write resource" API permission.
- The Registered Devices page in the Duo Admin Panel is now renamed Device Registration. On the Device Registration page, you can view tables with your "Registered devices" and "Blocked devices". From here you can choose to remove or block registered devices.
- Admins can now use the Trusted Endpoint Google Workspace Integration with iOS and Android.
- Admins can now bypass the Trusted Endpoint policy if they configure the Trusted Network Exception and devices are using the IP address.
Now Generally Available: User Directory Sync “high frequency sync” opt-in
Enhancements
- Navigation to external directory sync in the Duo Admin Panel has changed from Users → Directory Sync to Users → External Directories.
New and Updated Applications
New Duo Single Sign-On (SSO) Application
There is now a named SAML application to protect Freedcamp using Duo Single Sign-On.
Updates to Existing SSO Applications
- Implemented Smartsheet domain-level support and made appropriate changes to the existing plan-level support.
- Added two sets of mapped attributes for domain-level and plan-level.
- Added two documentation references for domain-level and plan-level.
- Added two SSO login methods for domain-level and plan-level.
- Fortinet FortiGate now uses the UI instead of the CLI Console. The VPN, Firewall, and User Group sections were also removed.
Customers who use Let's Encrypt certificates should not update to the 3.2.1 release due to a known issue. This will be fixed in a future release.
- Fixes to allow security headers in DNG auth path and to allow wildcard hostnames in scripted configuration files.
- Updated dependencies: Attributes to 24.2.0, Cryptography to 42.0.7, Incremental to 24.7.2, PyJWT to 2.9.0, and pyOpenSSL to 24.1.0.
- Public preview of Passwordless OS Logon. Instead of entering their Windows password, users log in securely via Bluetooth connection to a mobile device with Duo Mobile platform biometric or PIN verification.
- Adds certificate pinning to enhance security of the connection between the Duo for Windows Logon client and Duo's cloud service.
- Now sends the Passport signature for every local authentication regardless of whether local remembered devices is enabled or checked. This removes the "Remember devices for Windows Logon" policy requirement for Duo Passport starting with the D304 cloud release.
- Expanded language support in the app to include Indonesian, Portuguese, Chinese, Italian, Polish, Korean, Thai, Hindi, Turkish, and Vietnamese.
- Fixed an issue where Microsoft Defender for Endpoint would be detected despite missing a valid license key.
- Added detection for Qualys, Sophos Home, and Forcepoint ONE.
- The app can now properly detect whether it is running in a virtual machine on Macs with Apple silicon.
- Expanded language support in the app to include Indonesian, Portuguese, Chinese, Italian, Polish, Korean, Thai, Hindi, Turkish, and Vietnamese.
- Added detection for Qualys, Sophos Home, and Forcepoint ONE.
- Fixed an issue where Windows Defender's version was not being reported.
- Minor improvements and enhancements.
- Miscellaneous bug fixes and behind-the-scenes improvements.
Bug Fixes
- Directory sync now truncates notes text that exceeds the length limit of 512 characters instead of raising an error and failing to sync the user.
- Fixed a bug with the Administrator Logins widget on the dashboard where the list was no longer scrollable.
- The Allow List functionality on the “Access from Denied Countries” check is now working properly.
- Fixed a bug where users were being checked for inactivity much more frequently than intended.
- Fixed a bug in passwordless trusted endpoints where a mobile device was identified in the authentication log as “Not a Trusted Endpoint - determined by Duo Desktop”.
New Features
- You can now see User Trust Level information throughout the Identity Intelligence platform through new dashboard widgets, new filters/columns on the Users page, in the Overview tab of the User 360, and more!
- User Trust Level identifies accounts that pose increased risk to your environment because of the events/activity happening on the account so that you can prioritize the investigation, and remediation if needed, of these users and better protect your organization.
New Microsoft Conditional Access Policy Report
- Navigate to the Reports page to download the CSV report, which contains information about your organization’s Conditional Access Policy usage over the last 30 days (if Entra ID is configured as an integration in Identity Intelligence). Use it to identify policy misconfigurations or unexpected policy implementations that should be addressed.
- The report contains policy names, observed results to determine which policies were actually used, how many Conditional Access results were successful vs. failed, how many times a policy did not apply to an event, how many events were successful, failed, blocked, etc., how many users made up those events, and the created and/or modified dates of a policy and its current status (enabled, disabled, etc.).
Enhancements
Duo Bypass Code Visibility
- Duo bypass code usage counts and expiration dates have been added to the Factors table in the Overview tab of the User 360 to help identify long-standing bypass codes that should be revoked.
- This information can also be added to the table as additional columns by clicking the Columns button above the table headers and selecting “Uses Remaining” and/or “Expiration Date”.
Duo Enrollment Status in User 360
Duo enrollment status has been added to Duo source cards on the Overview tab of User 360 to give more context about a user’s state in Duo.
Check Compatibility Extended to Duo
- Login to Admin Console - Detects when a user has logged into the Duo Admin console over the last 7 days to monitor or investigate suspicious or unexpected behavior.
- Admin role Assigned to User - Detects when a new Duo Admin has been created.
ASN Tags Visibility
ASN Tags are now visible in the Tags column of both the User 360 Activity and Networks tab when the data is available.
Allow/Block Lists Enhancements
New items added to the Allow/Block lists under Check Settings are now marked with an icon, making it easier to distinguish items that were added to the list by an Admin from items that were part of the default list created by Identity Intelligence.
- If the default was a block list and an Admin switches to an allow list, the icon is added next to the list type title.