Rick Wong
Cisco Employee

Hello everyone! Here are the release notes for our most recent updates to Duo. 

Public release notes are published on the Customer Community every other Friday, the day after the D-release is completely rolled out to commercial deployments. You can subscribe to notifications for new release notes by following the process described here. Check the Duo cloud service release version for your Duo account from the Duo Admin Panel. 

If you have any questions about these changes, please comment below. 

Review the Guide to Duo End-of-Life and End-of-Support Plans. This guide provides an up-to-date list of current and past end-of-life plans for Duo products.  

 

 

Cisco Duo 

New Features 

Now Generally Available: Sunsetting Remember Me and transitioning to Risk-Based Remembered Devices. 

Advantage and Premier customers can now switch from the Remember Me session policy to the Remember Devices policy with risk-based protection, and existing trusted sessions carry over into a risk-based remember me session, so users no longer experience additional friction from a remember me policy change. This update does not change existing policies, but the risk-based remember devices policy is now selected by default in new policies.

Enhancements

  • Security key registration in the Self-Service Portal (SSP) and during Duo Enrollment now tries to emphasize use of a security key more strongly in browsers that support WebAuthn hints.
  • Newly-created applications now default User Access to "Disable for all users" to adhere to least privilege access practices. 
    • User access settings for existing applications remain unchanged. 
  • Applications List page enhancements: 
    • Application logos are now displayed next to their names in the Applications List view to help users visually identify integrations more easily. 

    • The Export dropdown on the Applications List has changed to an Export CSV button.
    • Added a Table customizer, accessed through the gear icon, that lets you change the visibility of chosen columns.
    • The default number of results displayed per page is now 10, and an option to display 20 results per page has been added.
  • SSO Enhancements - Added a new “Default bridge attribute”. The attribute’s name is “<Entra Federated User ID>”, and it resolves to mS-DS-ConsistencyGuid from Active Directory authentication sources and EntraImmutableID from SAML authentication sources.
  • Added Passwordless Verified Duo Push and Duo Desktop Authentications as secure factors. 
  • Admin API Enhancements:
    • All named SSO integrations can now be retrieved. Previously, only sso-generic, sso-oauth-client-credentials and sso-oidc-generic could be retrieved.
    • Added WebAuthn (user and admin) last used date.
    • Updated the Passport Admin API to include the new custom_supported_browsers field. 
    • Added a new set of /admin/v3/integrations endpoints to support the Deny by Default updates.  

New and Updated Applications  

Five new named applications with Duo Single Sign-On (SSO) 

Duo Authentication for macOS 2.0.3 released 

  • Improved accessibility with initial keyboard focus on first available authentication option and ability to traverse through all options. 
  • Users can now cancel and go back to previous UI screens during offline enrollment. 
  • Additional user interface fixes and improvements. 

Duo Desktop public beta 7.5.2 for Windows released 

  • Minor improvements and enhancements. 

Duo Desktop public beta 7.5.2.0 for macOS released 

  • Minor improvements and enhancements.  

Duo Desktop public beta 7.5.1 for Windows released 

  • Added detection for Trellix HX. 
  • Fixed an issue where Desktop Authenticator enrollments could get stuck after a period of inactivity. 

Duo Desktop public beta 7.5.1.0 for macOS released 

  • Minor improvements and enhancements. 

Duo Desktop 7.5.0 for Windows released 

  • Fixed an issue where new versions of Sophos Home were not being detected. 
  • Improved logging in the event of a failed connection from Cisco Secure Client. 
  • Internal changes to support using CrowdStrike agent identifiers for trusted endpoints. 
  • Minor security improvements. 

Duo Desktop 7.5.0.0 for macOS released 

  • Fixed an issue where new versions of Sophos Home were not being detected. 
  • Removed support for macOS 10.15. 

Duo Mobile for Android version 4.84.0 released   

  • Miscellaneous bug fixes and behind-the-scenes improvements. 

Duo Mobile for Android version 4.85.0 released   

  • Miscellaneous bug fixes and behind-the-scenes improvements. 

Duo Mobile for iOS version 4.84.0 released 

  • Miscellaneous bug fixes and behind-the-scenes improvements. 

Duo Mobile for iOS version 4.85.0 released 

  • Miscellaneous bug fixes and behind-the-scenes improvements.

Duo for Remote Desktop Gateway version 2.3.1 released 

  • Adds the new Duo Secret Key Rotation tool in the RD Gateway installation directory to assist administrators with updating the application's secret key to a new value when required. 
  • Security fixes. 
  • Bug fixes. 
  • Supports Windows Server 2025.  

Duo Access Gateway version 2.1.0 released 

Reminder: Duo Access Gateway reached end of support for commercial customers on October 26, 2023. It remains supported only for Duo Federal customers.

  • Addresses multiple vulnerabilities, including all CVEs reported in 2024 and earlier: CVE-2024-5535, CVE-2024-1874, CVE-2023-3824, CVE-2022-37454. 
  • New Duo and OIDC certificates. 
  • Support for IPv6. 
  • First .msi installer release. Future releases will use MSI format instead of EXE (applies to Windows only).
    • Uninstall the current release on Windows before installing v2.1.0. See Upgrading the Duo Access Gateway for details. 

 

Bug Fixes 

  • Admin Panel - Fixed a bug where the Passwordless page would not load when navigating from the Applications page. 
  • Admin Panel - Fixed bugs in the search functionality in the Phones table. You can now search for iOS models like "iPhone 13" and terms like "Apple" to find all relevant devices, where previously these searches would return unexpected results. Searches for usernames, entries with “Unknown” models, and specific Duo Mobile versions will now return accurate results. 

Identity Security 

New Features 

Failing users per type

Customers have frequently told us that user context is important when reviewing check failure results, because it helps them segment users and therefore better prioritize certain users for clean-up or investigation. To help with this, we have added a new widget to the failing check pages that shows, at a glance, the breakdown of a check’s failures by the users' Identity Intelligence User Types. Selecting a value within this widget takes you to the Users page, pre-filtered on the chosen user type.

New Report: Check Compliance Report 

We have added a new report under the Reports menu item to help track your progress with checks over time, especially if your team is undergoing a clean-up project. For any given day, this report contains the number of users failing each check, along with some other high-level check information, which can be used to make visualizations or provide progress updates to stakeholders. Like all reports, you can choose to export the data from a specific day. If you decide to report on data from the 5th of every month, but forgot to get the report until the 8th, you can still go back and select the 5th of that month to see the data as it was on that day.

New Check: Google Drive File with Excessive Sharing Permissions 

This new check detects when users have a Google Drive file that has been shared with overly permissive settings. Whether or not it was shared this way intentionally, a file exposed so publicly can lead to unintended data exposure or unauthorized access to sensitive organizational data, and its sharing settings should be modified quickly. By default, the check fails users who have shared Google Drive files as "people with link" or "public on the web". If desired, you can make additional sharing permissions fail the check by adding them to the include list via the custom check settings.

Enhancements 

  • We have made improvements to the Mark as normal behavior and Mark as suspicious check triage options. You can now leave a brief comment when using either triage option so that you can submit an explanation with the results of an investigation or paste a link to a ticket, for better visibility and record keeping across the team. Additionally, you can now “Reset Feedback” if a mistake was made and leave a comment as part of this flow as well.  
  • Within Salesforce, a user can be granted a user license that correlates to a user type. This Salesforce user type indicates what baseline features the user can access. If you have connected Salesforce to your Identity Intelligence tenant, it will collect this info for each Salesforce user and display it under the “Provider User Type” in the Salesforce card on the Overview tab of the User 360. We recently updated the Identity Intelligence user type classification of Salesforce users to better align with the definitions of the provider’s user types. For example, a user whose Salesforce provider type is listed as “Power Customer Success” and is therefore a customer who can only access an organization’s Salesforce instance through a customer portal will now get an Identity Intelligence type of External instead of Internal. This update also means that users will be evaluated against the appropriate checks, with External Salesforce users evaluated against the “Inactive Guest Users” check rather than the “Inactive Users” check, which can help you better focus your clean-up efforts.
Comments
Gigawatt
Level 1

Thank you for this enhancement! Previously it wouldn't pick up "sso-procore"

"Admin API Enhancements:

  • All named SSO integrations can now be retrieved. Up until now, it was only sso-generic, sso-oauth-client-credentials and sso-oidc-generic."


DuoKristina
Cisco Employee

Updated post to add Duo Mobile 4.85 release information and Duo Access Gateway end-of-support reminder.
