Enterprise Threat Protector (ETP) Release June 1, 2021

The following new features are now generally available:

• Application Visibility and Control. This feature is available in all ETP editions and allows your organization to grant or block access to specific applications based on risk, category, or application type. Additionally, if your organization is licensed for ETP Standard or Advanced Threat editions, you can define the application operations that you want to allow or block.

• Data Loss Prevention (DLP). Akamai is restarting the Data Loss Prevention beta in response to findings in the first beta. The DLP engine is now improved to better support Google Drive. DLP also now automatically bypasses applications that encrypt data, which previously resulted in false positives. Please note that you can still block any application using the Application Visibility and Control feature.

• Mobile ETP Client Support. Clients to allow ETP policies to be enforced for Apple IoS, Android, and Chromebook devices are now available. This capability also enables you to easily add protection to unmanaged devices.

• File Type Blocking. Customers may now block specific types of files from being downloaded.

• End of Support For ETP UI. The classic ETP UI is now no longer supported and all functionality has been migrated to the Enterprise Center. Please update your bookmarks accordingly.

The following features are currently in beta:

• Scheduled Reports Enhancements. You can now schedule reports for all Acceptable Use Policy (AUP) violations in addition to threats. Additionally, you can schedule Summary Proxy Activity and DNS activity reports on a daily or weekly basis.

Minor changes and fixes. This release includes a number of minor changes and bug fixes to improve the usability of the product.

Please note that legacy AUP categories are now no longer supported. Please migrate to the new categories if you have not done so already.

Akamai MFA 19/05/2021 release

New Features

New reporting features help you troubleshoot more effectively. You can generate Authentication Events reports by applying multiple filtering criteria. Additionally, you can download the report in the CSV format for sharing and further investigation.

Improved Policies page lets you apply additional conditions that end users’ devices should meet, such as browser and OS versions. You can also enable the hardware token as the authentication method.

Passwordless authentication is now available for your Okta logins. This new feature enables end users to authenticate with a single, highly secure authentication factor, such as biometrics or security key.

With enhancements available on Users, Groups and Integrations pages, you can conveniently assign and visualize assigned policies. The improved Akamai MFA user interface allows you to associate and dissociate policies ​in bulk to the selected user, group or integration.

Supported browsers and versions

Firefox 87.0

Google Chrome 89.0.4389.90

Microsoft Edge 89.0.774.57

Safari 14.0.3

Internet Explorer is not yet supported.

Supported mobile devices

iOS 12 and above (iPad, iPhone, iPod Touch)

Android 7 and above (phones and tablets)

Supported integrations

ADFS integration supports Microsoft ADFS on Windows Server 2016.

Integration with Akamai EAA IdP requires that both EAA and Akamai MFA are on the same contract.

Okta integration supports Custom IdP factor authentication as an integration point. You have to contact Okta to enable this early access feature.

Shibboleth integration supports Shibboleth version 4.0.1.

Akamai MFA Unix PAM supports the following distribution versions: CentOS 5, 6, 7/8, Red Hat 5, 6, 7/8, Ubuntu 14, and 16/18/20.

Akamai MFA Windows Logon plugin supports Windows 10 (64 bit) and Windows Server 2016.

Enterprise Threat Protector (ETP) Client Version 3.3.2

A new version of the ETP Client is now available. This release contains a number of bug fixes, including improved support for Static DNS configurations in machines, a minor IPv6 support fix, and fixes to DNS-Over-TLS handling.

Enterprise Application Access (EAA) May 2021 software release

EAA Client Versions

• EAA Client for Windows/macOS: version 2.4.0

• EAA Client mobile app for iOS: version 1.04

• EAA Client mobile app for Android: version 1.02

Akamai EAA New Features

Akamai MFA Integration. Akamai MFA, a workforce MFA service, helps customers to strengthen their Zero Trust security posture by securely establishing trust in a user before allowing access to protected applications and resources. Akamai MFA features a unique authentication factor, Akamai’s phish-proof push, that combines the security provided by FIDO2 with the ease-of-use of the familiar push notification. Customers can use Akamai MFA as the second-factor authentication with the Akamai identity provider (IdP).

 Certificate-authentication enhancements. With this release, we have enhanced the IdPs’ client certificate enforcement policy. Administrators now have the ability to only enforce client certificate verification when a request is not from the corporate network. We also added an option to skip OCSP validation when OCSP Responder is unreachable or returns unknown.

New capabilities for Device Posture. EAA supports additional capabilities for a better security posture for your devices:

• Customers can now select the OS versions to include a subset of the major versions from the complete list of up-to-date versions that align with their compliance policies.
• macOS version capabilities now recognize every build in addition to the patch versions previously tracked.
• Customers can now configure custom and latest+ options for the EAA client version.
• Customers may now detect if the Akamai ETP client is installed and use that as a device posture signal.
• The anti-malware signal may now be configured for a specific vendor in addition to the ‘any vendor’ choice previously supported.

Improved interoperability and performance with Cisco Umbrella client. Previous versions of the EAA Client had interoperability issues with Cisco’s umbrella client. This was caused by Cisco Umbrella’s takeover of the DNS at a kernel-level for localhost traffic, leading to garbled DNS responses and perception of slow performance. With this release, the EAA Client uses 100.64.0.1 for DNS interception instead of 127.50.100.1 which was used in earlier releases.

Apple M1 Processor Support. With this EAA Client release, we are adding support for macOS-based devices with the Apple M1 processor. The EAA Client leverages Rosetta translation so a single binary can be used for both Intel-based and Apple M1-based devices.

EAA Client Operating System Support.

The EAA Client 2.4.0 supports these operating systems: Microsoft Windows 7, current Microsoft supported versions of Windows 10 x86(32-bit) and x64(64-bit), Apple macOS 10.14 (Mojave), 10.15 (Catalina), and 11 (Big Sur).

Akamai End of Support/Service for EAA Client.

EAA Client versions 2.0.0, 2.0.1, and 2.0.2 End of Service / Support - From June 30, 2021, Akamai will no longer support EAA Client versions 2.0.0, 2.0.1, and 2.0.2. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.

EAA Client versions 2.0.3 and 2.0.4 End of Service / Support - From November 30, 2021, Akamai will no longer support EAA Client versions 2.0.3 and 2.0.4. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.

Product Migration - Customers using EAA Client versions 2.0.0, 2.0.1, 2.0.2, 2.0.3 and 2.0.4 are encouraged to upgrade to EAA Client version 2.1.2. Migrating to newer EAA Client versions, beyond 2.1.2, will require the older EAA Client to be uninstalled before the newer EAA Client is installed. When moving to EAA Client version 2.1.2 and later, a new akamai-device-id is generated. EAA activity reports, Clients overview dashboard, Device Posture dashboard may include old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.

EAA and EAA Client limitations.

• The EAA Client Download page does not render properly on the Microsoft Edge browser version 44.19041.423.0. You must upgrade the browser to a later version.
• If you log in from a domain-joined machine, using Integrated Windows Authentication (IWA) credentials and then be idle for more than the idle expiry duration of the identity provider, refreshing the page will prompt a form-based authentication instead of IWA. The user can either enter the credentials or can log in to the IdP URL using a new browser tab to re-trigger IWA.
• If Akamai MFA and Device Posture are both enabled in the Akamai identity provider, you will see a “Failed to post code to EAAClient, please log out and log in again” error after the second-factor authentication. Refresh the browser to eliminate this message. This does not impact the usability of the product.
• If Akamai MFA and Device Posture are both enabled in the Akamai identity provider, you will see a “Failed to post code to EAAClient, please log out and log in again” error after the second-factor authentication. Refresh the browser to eliminate this message. This does not impact the usability of the product.
• For SSH audit reports, you may see incomplete session data, if the SSH browser session is terminated abruptly without using the exit command.

Device Posture limitations.

• When you try to create the fifth anti-malware profile, you see an error message informing you that you cannot create more than four profiles. Click ‘Cancel’, and then ‘Continue’ to cancel the creation of the anti-malware profile.
• The Anti-malware signal supports only English anti-malware names.
• The Anti-malware signal displayed on the Inventory Reports Device Details page and Device History Device Details page has the following statuses depending on the device operating system: For Windows devices: the green tick means that the anti-malware software is installed and active on the device; the red cross means that the anti-malware software is installed and inactive on the device; the yellow circle refers to older Windows devices and means that the anti-malware software is installed but its status is unknown. This state will not appear if you install the latest version of EAA Client. For macOS devices: the green tick means that the anti-malware software is installed on the device. The inactive and unknown statuses are not displayed for macOS devices as the active status is assumed with any anti-malware program installed on the device.
• On the Inventory Reports Device Details page and Device History Device Details page, the Operating System (OS) versions display in the following format: for macOS: (); for Windows: ().
• macOS devices are now evaluated based on their build numbers instead of version numbers. As a one-time change, any custom version entered as a macOS version number will be converted to build numbers and populated in the custom list.
• Apple’s operating system is referred to as “macOS” instead of “Mac OS X”, in compliance with Apple’s branding guidelines.
• When you use the EAA Client mobile app on iOS devices to log into an Akamai IdP, you may be directed to the EAA Client and are prompted to log in again using the in-app browser window. After you enter login credentials, the app may hang with a loading screen and a spinner. To recover, you must close and reopen the EAA Client application. Then, you must log out of the IdP using the browser and log in again to the IdP via the mobile browser a second time. Third-party IdPs are not affected and can be used with QR code or the Safari browser.
• When you use the EAA Client app on iOS devices for authorization to a third-party IdP with or without MFA, the user is stuck in the authorization loop process (user accesses third-party IdP URL on iOS browser, OS opens EAA Client app, the user completes authorization and MFA, the user is redirected back to the browser again, OS opens EAA Client app again, loop repeats).
• When you use the EAA Client app on iOS 14, iPadOS 14 devices and Safari is not the default browser, users will see a remediation message, “Ensure EAA client is installed or configured correctly” when accessing a web app from the browser.
• EAA Client mobile app on an Android device works only if Chromium-based Browser (Chrome, Samsung browser, Microsoft Edge) is set as the default browser. On other browsers, users will see a remediation message, “Ensure EAA client is installed or configured correctly”.
• When you use the EAA Client mobile app on mobile devices to log into an Akamai IdP with a QR code, you may have problems opening the app and may see a loading screen with a spinner. Close the application and re-open. Or, login to the IdP with a mobile browser. Another workaround is to do a second scan of the same QR code, after reopening the app when the first scan fails. Third-party IdPs are not affected.
• When you install the EAA Client on Windows and open EAA Client, navigate to Device Posture > Signals, the username is the admin’s name and not the current user name. The workaround is to quit and restart the EAA Client.
• When you use the EAA Client mobile app on mobile devices to log into an MFA enabled Akamai IdP, you may need to enter the MFA code twice, once while logging into the mobile browser, and second when redirected to the EAA Client mobile app login screen.
• When you use the EAA Client mobile app on Android devices when logging into an IdP from either a Chrome browser or via the QR code, if the user switches apps before the configuration is complete, it may cause the EAA Client to crash.

Fixed customer bugs.

• You can configure nested organization units (OU) with the same name and different distinguished names (DN) in EAA AD, LDAP directories.
• Fixed issues with traffic data in the connector performance metrics system graph.
• Fixed issue where duplicate records are created for some users when performing Active Directory (AD) Sync.
• Fixed issue where user records were not deleted when Active Directory (AD) sync detected more than 10,000 users deleted in one batch.
• Fixed user sync issues related to Windows 2003 AD server.
• Reports can now be saved in .csv formats on Chrome browser.
• Fixed issues for better interoperability between EAA Client and ETP Client.
• The custom DNS setting for an EAA connector in Hyper-V is persistent after a reboot.
• Resolved false positive messages when the application is not reachable.
• Performance improvements for loading certificates while loading the application general settings page.
• Pagination is supported on the certificates page.
• The connector load indicator works properly when applications are deleted or moved to another connector.
• The last synced time is displayed for organization units (OU) in directories.
• Crashes while upgrading from EAA Client 2.0.4 to 2.3.0 have been fixed.
• The EAA Client Versions tab displays the latest release of a given train (e.g. 2.1.2 instead of 2.1.0). To apply other versions to a tier or tag rule, enter them in the Custom version field.
• If you edit a certificate profile’s name, the previous name may still display on the Device Details page for up to 30 minutes.
• The Device Posture tiers’ and tags’ criterion “Anti-malware Status” with value “Good” now displays as “Anti-Malware Profile” with value “Any Vendor”.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Policy Deprecations. Based on updates to external threat feeds, ETP now alerts you to needed deprecations of policy actions that are defined for applications, categories, and operations. When you display the policy in the UI, a window indicates the needed deprecations. You can then confirm the deprecations and deploy the policy update.

Bypass Microsoft 365 Traffic. The Optimize Microsoft 365 Traffic option on the policy Settings tab has been changed to Bypass Microsoft 365 Traffic. Select this setting to bypass all Microsoft 365 traffic. NOTE: Any policy actions defined for Microsoft 365 applications, categories, or operations are ignored if you enable the Bypass Microsoft 365 Traffic field on the policy’s Setting tab.

Akamai MFA LA 29/03/2021 release

Akamai MFA, a workforce MFA service, helps customers to strengthen their Zero Trust security posture by securely establishing trust in a user before allowing access to protected applications and resources. Akamai MFA features a unique authentication factor, Akamai’s phish proof push, that combines the security provided by FIDO2 with the ease of use of the familiar push notification. Akamai MFA can be integrated with Akamai’s EAA IDP, Okta, Microsoft Azure AD (with ADFS), and Shibboleth identity providers as well as with UNIX platforms (for MFA with SSH) and Windows RDP servers for Windows Logon. Automated user provisioning can be accomplished using the SCIM framework. A full suite of authentication factors is supported to address any use case. Akamai MFA operates on the Akamai Intelligent Edge platform and is centrally managed using Enterprise Center on Akamai Control Center. See the Admin Guide and the User Guide to learn more.

Supported browsers and versions

• Firefox 87.0

• Google Chrome 89.0.4389.90

• Microsoft Edge 89.0.774.57

• Safari 14.0.3

Internet Explorer is not yet supported.

Supported mobile devices

• iOS 12 and above (iPad, iPhone, iPod Touch)

• Android 7 and above (phones and tablets)

Supported integrations

• ADFS integration supports Microsoft ADFS on Windows Server 2016.

• Integration with Akamai EAA IdP requires that both EAA and Akamai MFA are on the same contract.

• Okta integration supports Custom IdP factor authentication as an integration point. You have to contact Okta to enable this early access feature.

• Shibboleth integration supports Shibboleth version 4.0.1.

• Akamai MFA Unix PAM supports the following distribution versions: CentOS 5, 6, 7/8, Red Hat 5, 6, 7/8, Ubuntu 14, and 16/18/20.

• Akamai MFA Windows Logon plugin supports Windows 10 (64 bit) and Windows Server 2016.

Akamai MFA (Beta3) 03/03/2021 release

Akamai MFA New Features

Role-based access controls for administrators. With Akamai MFA role-based access control, you can empower admins by giving them access privileges they need and ensure that your enterprise data is protected.

Akamai MFA mobile app and browser extensions are now available via the App Store and Google Play Store. You can download the Akamai MFA mobile app and pair your device with the selected browser to provide your logins with strong, phish-proof authentication. See Installation Help.  

New Policy UI. With the updated user experience, you gain an immediate insight into the all configured policies and restrictions. You can flexibly assign policies to integrations, groups and users, which lets you apply fine-grained access control over your protected resources. With device policies, you can ensure that the end user’s authentication device is secure and has not been compromised. Akamai MFA also supports iOS DeviceCheck and Android SafetyNet, which lets you confirm the authenticity of the Akamai MFA mobile app and the overall device.

EAA Client 2.3.0 patch release - 1/27/2021

EAA Client Versions

• EAA Client for Windows/macOS: version 2.3.0.21012201

Akamai EAA Client 2.3.0 New Features

Big Sur support. This version of EAA Client fully supports Big Sur (MacOS 11.0) on Intel-based processors.

Known limitations

• Customers using this EAA Client patch release on the macOS platform will see ‘empty’ values for Process Name and Process Path fields in Client Details Preset Report (EAA Management portal > Reports > Activity > Preset Reports, Select Report > Client Detail) and Discovered Apps User Report (EAA Management portal > Clients > Discovered Apps, Provide a date range, select any App, click Users). If you are using device posture, the remediation message may not have the Process Name for client-access apps.

Bug fixes for EAA Client

• Device Posture supports Carbon Black Sensor 3.5.1 version.

• Device Posture supports the Crowdstrike Falcon sensor v6.14 version.

• When you open EAA Client, the complete OS name is shown for macOS Big Sur. Earlier it was just macOS.

• When there are many TCP-type or IP-based client-access applications using the same Identity provider, Run Diagnostics results were not meaningful. It has been fixed.

• DNS SRV records are supported on macOS.

• Resolved issues with SRV records on Windows for Enterprise DNS.

• Bogus EAA Client notifications have been suppressed.

Enterprise Threat Protector (ETP) now includes these features and enhancements:

Bulks Actions in Enterprise Center. The Enterprise Center user interface for ETP now allows you to complete some operations in bulk. These operations include:

• Deploying multiple identity providers
• Deleting multiple identity providers
• Deleting multiple identity connectors
• Enabling or disabling remote debugging for identity connectors

New ETP Status Page. To improve communications during service incidents, Akamai has created a public status page for ETP. Customers may subscribe to service impact notifications through email, text, or Slack. To subscribe, go to https://etp.status.akamai.com/.

Improved Enterprise Center Experience. The Enterprise Center experience now shows resource usage statistics for locations, policies, lists, and more.

Enhanced Monitor policy action. With the Monitor policy action, requests resolve to the origin and a user is able to access the website they requested. This action generates a threat or access control event in ETP. If ETP Proxy is set up as a full web proxy, traffic is forwarded to ETP Proxy where it’s scanned by multiple anti-malware engines. If a threat is detected, then the user is unable to access the URL or website they requested.

Minor changes and fixes. A number of minor changes and bug fixes are included in this release to improve the usability of the product.

Secure DNS Forwarder is now generally available with Security Connector 2.7.0

In addition to functioning as a DNS sinkhole, Security Connector can now act as a DNS forwarder that directs traffic to Enterprise Threat Protector (ETP) for resolution. Secure DNS Forwarder detects the internal client IP address and the internal hostname of the client machine. It also protects connections to ETP with DNS over TLS (DoT).

In the Security Connector console, a new menu is now available for DNS Forwarder. You can:

• View traffic statistics about connections that are directed from DNS Forwarder to ETP.
• View the health status of DNS Forwarder
• Enable or disable DNS Forwarder. By default, DNS Forwarder is enabled.
• Temporarily enable query and response logging in your enterprise for Akamai to investigate and troubleshoot an issue.
• Change the DNS Forwarder port. By default, DNS Forwarder uses outbound TCP port 443. However, you can choose to use outbound TCP port 853.
• Configure a local DNS server. If your organization’s corporate DNS server is not recursive and is used for internal domains only, you can configure it as a local DNS server for DNS Forwarder. This configuration sets the DNS server that you configured in the Security Connector setup as a fallback server in case ETP is not reachable. If you apply a local DNS server configuration, you can then set the Security Connector DNS name server to use the ETP DNS server IP addresses.

ETP also now includes new reporting dimensions to show the internal client IP address and the internal hostname of the user’s machine.

Note the following:

• When you upgrade Security Connector, the virtual machine will temporarily hop to version 2.6.9 before it upgrades to version 2.7.0. This upgrade process also restarts your virtual machine twice. Make sure you do not interrupt this upgrade process. If you find that Security Connector is stuck on version 2.6.9, contact Akamai Support.
• If you intend to use DNS Forwarder, the virtual machine requires 4 GB of RAM and can be increased to 8 GB. If you don’t intend to use Security Connector as a DNS Forwarder, 2 GB of RAM is enough for the Security Connector virtual machine.

For more information about this update, see the online help or the Security Connector Setup and Configuration Guide.