Enterprise Threat Protector (ETP) Client 3.5.0 is now available

A new version of ETP desktop client is now available. This update includes bug fixes, as well as a feature that is in limited availability. Make sure you upgrade clients to this new version. If your enterprise is using version 3.4, upgrade the client or force an automatic upgrade to version 3.5.

This feature is now in limited availability:

• Walled Garden. You can use ETP Client to allow Internet access only to a specific set of domains.

To try this feature, contact your Akamai representative.

Enterprise Threat Protector (ETP) Release, August 18, 2021

The following updates are included in this release:

New Risky Threat Categories. Akamai has added risky categories to the threat settings of a policy. These risky categories include Adware, Coin Mining, Newly Seen Domains, Newly Registered Domains, Potentially Harmful Domains, and DNS Tunneling services. Before this update, risky domains were tracked in a policy setting where administrators could select an action that would send all risky domains to the proxy for scanning. With these new risky categories, you can select an action for each category.

Option to remove a risk level from a policy. When configuring application visibility and control (AVC) and an acceptable use policy (AUP), an administrator can now remove a risk level from the policy configuration.

File hash exception lists. File hash lists are now called file hash exception lists.

Bug fixes and UI enhancements. This release includes updates to the user interface and bug fixes.  
 
Important: The ETP legacy user interface will reach its end of life in December 2021. Please use the new Enterprise Center user interface to complete all your ETP operations.  
 
The following features are currently in beta:

Sub-locations. You can now configure sub-locations for ETP locations. A sub-location can represent different virtual local area networks (VLANs) that are routed to the Internet with the same IP address as the parent location. This feature allows you to apply different policies to your sub-locations and in turn, define more granular access.

Local breakout for bypass domains. The Local Breakout for Bypass Domains setting is enabled by default in a policy to ensure that domains configured in ETP for bypass are directed to the origin from the branch or enterprise network. Disable this option if your network does not have a direct route Internet and cannot access these origins.

Changes to ETP policy logic. These updates include:

• Prioritization of custom exception and block lists. If the domain, IP address, or URL found in a custom block or exception list is also found in Akamai Security lists, the Microsoft 365 list, or in an AUP and AVC configuration, the policy action associated with the custom exception or block list takes priority.

• Updated handling of policy conflicts. In addition to prioritizing the policy action of a custom exception or block list, the following also applies:

  • If the same domain with different suffix lengths is specified in multiple custom lists (for example, in multiple block or exception lists) or in multiple ETP lists (for example, in multiple acceptable use policies), ETP enforces the policy action assigned to the longest address.
  • If the same domain, IP address, or URL is configured in multiple custom lists or in multiple ETP lists with conflicting policy actions, ETP selects the action based on this priority:
    1. Bypass
    2. Block
    3. Monitor
    4. Classify
    5. Allow

 
To try any of these beta features, contact your Akamai representative.

Enterprise Application Access (EAA) August 2021 software release

EAA Client Versions

• EAA Client for Windows: version 2.5.3

• EAA Client for macOS: version 2.5.2

• EAA Client mobile app for iOS: version 1.04

• EAA Client mobile app for Android: version 1.02

Akamai EAA New Features

Azure SCIM Integration. You can provision users and user group memberships from Azure Active Directory (AD) to EAA Directory using the System for Cross-domain Identity Management (SCIM) 2.0. 

Certificate-authentication enhancements. Perform additional certificate attribute checks while verifying a certificate as part of the IdP authentication. We support Issuer Distinguished Name, Subject Distinguished Name, and Serial Number certificate attributes.

EAA Client Forward-proxy. You can use a forward proxy between the EAA Client and EAA cloud. The EAA Client can support both HTTP and HTTPS proxy using the underlying system settings to determine how to access the proxy. The EAA Client supports either no proxy authentication or NTLMV2 proxy authentication.

SentinelOne Anti-Malware support for Device Posture. In this release, we have added SentinelOne to the list of anti-malware products on both Windows and macOS. Customers may now detect if the SentinelOne client is active and use that as a device posture signal for any vendor list. Any vendor may be used when anti-malware is required but does not have to be a specific anti-malware product.

Akamai EAA End of Support/Service for EAA Client.

EAA Client versions 2.1.0 and 2.1.2 End of Service / Support - From February 28, 2022, Akamai will no longer support EAA Client versions 2.1.0 and 2.1.2. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.

Product Migration - For customers using EAA Client versions 2.1.0 and 2.1.2, migrating to newer EAA Client versions, will require the older EAA Client to be uninstalled before the newer EAA Client is installed.

When moving to EAA Client version 2.1.0 and later, a new akamai-device-id is generated. EAA activity reports, Clients overview dashboard, Device Posture dashboard may include old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.

EAA and EAA Client limitations.

• Admins may need to clear the cache to see EAA 21.02.00 UI changes when you log in to the Akamai Control Center.
• When you enable forward proxy in EAA Client and are using Safari browser, you cannot access client-access applications.
• To use forward proxy on Windows 7, users need to configure Proxy Auto-Config (PAC) file manually. See EAA Client Admin Guide.
• Upgrading the EAA Client to a version prior to 2.4 may cause database corruption. To avoid this you must uninstall and reinstall the EAA Client.
• For a SCIM directory in EAA, the Last Synced and Last Updated values indicate the last time the directory configuration was modified.

Fixed customer bugs.

• EAA Client rejects invalid DNS SRV response.
• When you use EAA Client with Akamai MFA as an MFA factor, no false error message, “Failed to post code to EAA Client, please log out and log in again” appears.
• Connector metrics display custom domain applications data.
• If you edit a certificate profile’s name, the previous name may still display on the Device Details page for up to 30 minutes.
• Fixed single sign-on issue observed when Device Posture is enabled, and an OpenID Connect Application is accessed before logging into the identity provider.
• EAA Client Authentication flow is fixed for the identity provider disabled with captive portal configuration.

Akamai MFA 14/07/2021 release

New Features

Akamai MFA Dashboard provides you with an overview of the key authentication data that supports you in investigating and troubleshooting access issues.

With the new Help Desk administrative role, you can delegate tasks related to the users’ support such as the generation of bypass codes.

The latest enhancements to the Users page let you search and filter more effectively.

Akamai MFA now allows third-party authenticators such as Duo Mobile or Google Authenticator to be enrolled as OTP device allowing users to authenticate with passcodes generated by those authenticators.

Supported browser versions

The following are the minimum browser versions that support the installation of the Akamai MFA extension

• Firefox 87.0

• Google Chrome 89.0.4389.90

• Microsoft Edge 89.0.774.57

• Safari 14.0.3

Internet Explorer is not supported.

Supported mobile devices

The following mobile device OS versions support the installation of the Akamai MFA mobile app

• iOS 13 and above (iPad, iPhone, iPod Touch)

• Android 7 and above (phones and tablets)

Enterprise Threat Protector (ETP) Release, July 7, 2021

The following features and enhancements are now available:

• Deploy individual lists. If a list is ready for deployment, an administrator can now select the specific lists they are allowed to manage and would like to deploy. Before this update, a deploy operation would publish all lists that the administrator was permitted to manage.
• New filters and dimensions added to DNS Summary and Proxy Summary reports. New filter criteria and dimensions for access control are now available in the DNS Summary and Proxy Summary activity reports.
• Scheduled Reports Enhancements. You can now schedule reports for access control events, as well as threat events. Additionally, you can schedule a report for DNS Summary or Proxy Summary activity data. The DNS Summary and Proxy Summary scheduled reports show the top activity based on ETP reporting dimensions such as location, domain, geographical region, and more.  
• Updated firewall hostname for DoT. The Security Connector DNS Forwarder and ETP Client now use the *.akaetp.net hostname for DNS-over-TLS (DoT) connections. Make sure you update your firewall, on-premise proxy, and allowlists to use this hostname with outbound TCP port 443 or 853. Note: For ETP Client, the port you must allow depends on the port that’s configured in the policy. In a policy, you can select port 443 or 853 for DoT. For DNS Forwarder, the port you must allow depends on the port configured in Security Connector for a DNS Forwarder configuration.

The following features are currently in beta:

• Sublocations. An administrator can now configure sublocations for ETP locations. A sublocation can represent different virtual local area networks (VLANs) that are routed to the Internet with the same IP address. This feature allows you to apply different policies to your sublocations and in turn, define more granular access.
• New Threat Categories. Akamai has added risky categories to the threat settings of a policy. These risky categories include Adware, Coin Mining, Newly Seen Domains, Newly Registered Domains, Potentially Harmful Domains, and DNS Tunneling services. Before this update, risky domains were tracked in a policy setting where administrators could select an action that would send all risky domains to the proxy for scanning. With these new risky categories, you can select an action for each category.

To participate in the beta of these features, contact your Akamai representative.

Enterprise Threat Protector (ETP) Client 3.4.0 is now available

A new version of the ETP desktop client is now available. This release contains the following updates:

Bring Your Own Device (BYOD) Support. ETP Client 3.4.0 can now protect a user’s personal computer or laptop. A new installation process allows users to activate ETP Client on their personal machines without using the enterprise-wide entitlement code. The following applies in this update:

• After the client is installed on the user’s machine, the user is prompted to activate the client with a one-time activation code (OTAC). If the user does not have this code, the client lets users request it. The activation code is emailed to the authorized user’s corporate email address.
• To email activation codes, administrators must configure authorized corporate domains in Enterprise Center. Administrators should not provide email domains that are associated with unauthorized users.
• From Enterprise Center, administrators can send users an email invitation that contains the activation code. Administrators can also choose to generate a CSV file with activation codes and manually distribute these codes to users. After the activation codes are generated, they are valid for one week (7 days).
• When generating an OTAC in Enterprise Center, administrators should specify the user’s email address in the User’s List. This allows administrators to easily associate events with the users who trigger them. This email address appears in the new Device Owner dimension that’s available in ETP event and activity reports.
• End users are not prompted for an entitlement code during the installation of the client. The entitlement code is used by administrators only. After installing ETP Client with the user interface, administrators enter the entitlement code in the ETP Client interface. Installations that are performed with the command line can still use the entitlement code.

ETP Client Access Logs. New log files provide detailed information on all ETP Client traffic. These logs are formatted to make them easier for analysis. These CSV files are available in the client Log directory:

• etp_Proxy_Access.csv: Contains logs of web traffic forwarded from ETP Client to ETP Proxy. Log data includes the time that activity occurred, ID associated with the request, requested domain, and more.
• etp_Client_Access.csv: Contains logs of DNS traffic forwarded from ETP Client to ETP DNS resolvers. Log data includes the time that activity occurred, ID associated with the request, whether DNS over TLS (DoT) or DNS over UDP was used, and more.

When a log file reaches 40 MB, an index value is appended to the filename and a new log file is created with the original filename. These logs can be used by your organization to review requests and troubleshoot technical issues. Administrative privileges are required to view these logs.

Note: These logs contain all traffic, including logs for private browsing. Make sure these logs are handled securely to maintain the user’s privacy.

ETP Client is enabled for logging by default. However, administrators can disable logging in Enterprise Center.

Support for Apple M1 chip. ETP Client now supports Mac computers with the Apple M1 chip.

Enterprise Threat Protector (ETP) Release June 1, 2021

The following new features are now available:

• Application Visibility and Control. This feature is available in all ETP editions and allows your organization to grant or block access to specific applications based on risk, category, or application type. Additionally, if your organization is licensed for ETP Standard or Advanced Threat editions, you can define the application operations that you want to allow or block.

• Data Loss Prevention (DLP). Akamai is restarting the Data Loss Prevention beta in response to findings in the first beta. The DLP engine is now improved to better support Google Drive. DLP also now automatically bypasses applications that encrypt data, which previously resulted in false positives. Please note that you can still block any application using the Application Visibility and Control feature.

• Mobile ETP Client Support. Clients to allow ETP policies to be enforced for Apple IoS, Android, and Chromebook devices are now available. This capability also enables you to easily add protection to unmanaged devices.

• File Type Blocking. Customers may now block specific types of files from being downloaded.

• End of Support For ETP UI. The classic ETP UI is now no longer supported and all functionality has been migrated to the Enterprise Center. Please update your bookmarks accordingly.

The following features are currently in beta:

• Scheduled Reports Enhancements. You can now schedule reports for all Acceptable Use Policy (AUP) violations in addition to threats. Additionally, you can schedule Summary Proxy Activity and DNS activity reports on a daily or weekly basis.

Minor changes and fixes. This release includes a number of minor changes and bug fixes to improve the usability of the product.

Please note that legacy AUP categories are now no longer supported. Please migrate to the new categories if you have not done so already.

Akamai MFA 19/05/2021 release

New Features

New reporting features help you troubleshoot more effectively. You can generate Authentication Events reports by applying multiple filtering criteria. Additionally, you can download the report in the CSV format for sharing and further investigation.

Improved Policies page lets you apply additional conditions that end users’ devices should meet, such as browser and OS versions. You can also enable the hardware token as the authentication method.

Passwordless authentication is now available for your Okta logins. This new feature enables end users to authenticate with a single, highly secure authentication factor, such as biometrics or security key.

With enhancements available on Users, Groups and Integrations pages, you can conveniently assign and visualize assigned policies. The improved Akamai MFA user interface allows you to associate and dissociate policies ​in bulk to the selected user, group or integration.

Supported browsers and versions

Firefox 87.0

Google Chrome 89.0.4389.90

Microsoft Edge 89.0.774.57

Safari 14.0.3

Internet Explorer is not yet supported.

Supported mobile devices

iOS 12 and above (iPad, iPhone, iPod Touch)

Android 7 and above (phones and tablets)

Supported integrations

ADFS integration supports Microsoft ADFS on Windows Server 2016.

Integration with Akamai EAA IdP requires that both EAA and Akamai MFA are on the same contract.

Okta integration supports Custom IdP factor authentication as an integration point. You have to contact Okta to enable this early access feature.

Shibboleth integration supports Shibboleth version 4.0.1.

Akamai MFA Unix PAM supports the following distribution versions: CentOS 5, 6, 7/8, Red Hat 5, 6, 7/8, Ubuntu 14, and 16/18/20.

Akamai MFA Windows Logon plugin supports Windows 10 (64 bit) and Windows Server 2016.

Enterprise Threat Protector (ETP) Client Version 3.3.2

A new version of the ETP Client is now available. This release contains a number of bug fixes, including improved support for Static DNS configurations in machines, a minor IPv6 support fix, and fixes to DNS-Over-TLS handling.

Enterprise Application Access (EAA) May 2021 software release

EAA Client Versions

• EAA Client for Windows: version 2.4.1

• EAA Client for macOS: version 2.4.0

• EAA Client mobile app for iOS: version 1.04

• EAA Client mobile app for Android: version 1.02

Akamai EAA New Features

Akamai MFA Integration. Akamai MFA, a workforce MFA service, helps customers to strengthen their Zero Trust security posture by securely establishing trust in a user before allowing access to protected applications and resources. Akamai MFA features a unique authentication factor, Akamai’s phish-proof push, that combines the security provided by FIDO2 with the ease-of-use of the familiar push notification. Customers can use Akamai MFA as the second-factor authentication with the Akamai identity provider (IdP).

 Certificate-authentication enhancements. With this release, we have enhanced the IdPs’ client certificate enforcement policy. Administrators now have the ability to only enforce client certificate verification when a request is not from the corporate network. We also added an option to skip OCSP validation when OCSP Responder is unreachable or returns unknown.

New capabilities for Device Posture. EAA supports additional capabilities for a better security posture for your devices:

• Customers can now select the OS versions to include a subset of the major versions from the complete list of up-to-date versions that align with their compliance policies.
• macOS version capabilities now recognize every build in addition to the patch versions previously tracked.
• Customers can now configure custom and latest+ options for the EAA client version.
• Customers may now detect if the Akamai ETP client is installed and use that as a device posture signal.
• The anti-malware signal may now be configured for a specific vendor in addition to the ‘any vendor’ choice previously supported.

Improved interoperability and performance with Cisco Umbrella client. Previous versions of the EAA Client had interoperability issues with Cisco’s umbrella client. This was caused by Cisco Umbrella’s takeover of the DNS at a kernel-level for localhost traffic, leading to garbled DNS responses and perception of slow performance. With this release, the EAA Client uses 100.64.0.1 for DNS interception instead of 127.50.100.1 which was used in earlier releases.

Apple M1 Processor Support. With this EAA Client release, we are adding support for macOS-based devices with the Apple M1 processor. The EAA Client leverages Rosetta translation so a single binary can be used for both Intel-based and Apple M1-based devices.

EAA Client Operating System Support.

The EAA Client 2.4.0 supports these operating systems: Microsoft Windows 7, current Microsoft supported versions of Windows 10 x86(32-bit) and x64(64-bit), Apple macOS 10.14 (Mojave), 10.15 (Catalina), and 11 (Big Sur).

Akamai End of Support/Service for EAA Client.

EAA Client versions 2.0.0, 2.0.1, and 2.0.2 End of Service / Support - From June 30, 2021, Akamai will no longer support EAA Client versions 2.0.0, 2.0.1, and 2.0.2. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.

EAA Client versions 2.0.3 and 2.0.4 End of Service / Support - From November 30, 2021, Akamai will no longer support EAA Client versions 2.0.3 and 2.0.4. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.

Product Migration - Customers using EAA Client versions 2.0.0, 2.0.1, 2.0.2, 2.0.3 and 2.0.4 are encouraged to upgrade to EAA Client version 2.1.2. Migrating to newer EAA Client versions, beyond 2.1.2, will require the older EAA Client to be uninstalled before the newer EAA Client is installed. When moving to EAA Client version 2.1.2 and later, a new akamai-device-id is generated. EAA activity reports, Clients overview dashboard, Device Posture dashboard may include old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.

EAA and EAA Client limitations.

• The EAA Client Download page does not render properly on the Microsoft Edge browser version 44.19041.423.0. You must upgrade the browser to a later version.
• If you log in from a domain-joined machine, using Integrated Windows Authentication (IWA) credentials and then be idle for more than the idle expiry duration of the identity provider, refreshing the page will prompt a form-based authentication instead of IWA. The user can either enter the credentials or can log in to the IdP URL using a new browser tab to re-trigger IWA.
• If Akamai MFA and Device Posture are both enabled in the Akamai identity provider, you will see a “Failed to post code to EAAClient, please log out and log in again” error after the second-factor authentication. Refresh the browser to eliminate this message. This does not impact the usability of the product.
• If Akamai MFA and Device Posture are both enabled in the Akamai identity provider, you will see a “Failed to post code to EAAClient, please log out and log in again” error after the second-factor authentication. Refresh the browser to eliminate this message. This does not impact the usability of the product.
• For SSH audit reports, you may see incomplete session data, if the SSH browser session is terminated abruptly without using the exit command.

Device Posture limitations.

• When you try to create the fifth anti-malware profile, you see an error message informing you that you cannot create more than four profiles. Click ‘Cancel’, and then ‘Continue’ to cancel the creation of the anti-malware profile.
• The Anti-malware signal supports only English anti-malware names.
• The Anti-malware signal displayed on the Inventory Reports Device Details page and Device History Device Details page has the following statuses depending on the device operating system: For Windows devices: the green tick means that the anti-malware software is installed and active on the device; the red cross means that the anti-malware software is installed and inactive on the device; the yellow circle refers to older Windows devices and means that the anti-malware software is installed but its status is unknown. This state will not appear if you install the latest version of EAA Client. For macOS devices: the green tick means that the anti-malware software is installed on the device. The inactive and unknown statuses are not displayed for macOS devices as the active status is assumed with any anti-malware program installed on the device.
• On the Inventory Reports Device Details page and Device History Device Details page, the Operating System (OS) versions display in the following format: for macOS: (); for Windows: ().
• macOS devices are now evaluated based on their build numbers instead of version numbers. As a one-time change, any custom version entered as a macOS version number will be converted to build numbers and populated in the custom list.
• Apple’s operating system is referred to as “macOS” instead of “Mac OS X”, in compliance with Apple’s branding guidelines.
• When you use the EAA Client mobile app on iOS devices to log into an Akamai IdP, you may be directed to the EAA Client and are prompted to log in again using the in-app browser window. After you enter login credentials, the app may hang with a loading screen and a spinner. To recover, you must close and reopen the EAA Client application. Then, you must log out of the IdP using the browser and log in again to the IdP via the mobile browser a second time. Third-party IdPs are not affected and can be used with QR code or the Safari browser.
• When you use the EAA Client app on iOS devices for authorization to a third-party IdP with or without MFA, the user is stuck in the authorization loop process (user accesses third-party IdP URL on iOS browser, OS opens EAA Client app, the user completes authorization and MFA, the user is redirected back to the browser again, OS opens EAA Client app again, loop repeats).
• When you use the EAA Client app on iOS 14, iPadOS 14 devices and Safari is not the default browser, users will see a remediation message, “Ensure EAA client is installed or configured correctly” when accessing a web app from the browser.
• EAA Client mobile app on an Android device works only if Chromium-based Browser (Chrome, Samsung browser, Microsoft Edge) is set as the default browser. On other browsers, users will see a remediation message, “Ensure EAA client is installed or configured correctly”.
• When you use the EAA Client mobile app on mobile devices to log into an Akamai IdP with a QR code, you may have problems opening the app and may see a loading screen with a spinner. Close the application and re-open. Or, login to the IdP with a mobile browser. Another workaround is to do a second scan of the same QR code, after reopening the app when the first scan fails. Third-party IdPs are not affected.
• When you install the EAA Client on Windows and open EAA Client, navigate to Device Posture > Signals, the username is the admin’s name and not the current user name. The workaround is to quit and restart the EAA Client.
• When you use the EAA Client mobile app on mobile devices to log into an MFA enabled Akamai IdP, you may need to enter the MFA code twice, once while logging into the mobile browser, and second when redirected to the EAA Client mobile app login screen.
• When you use the EAA Client mobile app on Android devices when logging into an IdP from either a Chrome browser or via the QR code, if the user switches apps before the configuration is complete, it may cause the EAA Client to crash.

Fixed customer bugs.

• You can configure nested organization units (OU) with the same name and different distinguished names (DN) in EAA AD, LDAP directories.
• Fixed issues with traffic data in the connector performance metrics system graph.
• Fixed issue where duplicate records are created for some users when performing Active Directory (AD) Sync.
• Fixed issue where user records were not deleted when Active Directory (AD) sync detected more than 10,000 users deleted in one batch.
• Fixed user sync issues related to Windows 2003 AD server.
• Reports can now be saved in .csv formats on Chrome browser.
• Fixed issues for better interoperability between EAA Client and ETP Client.
• The custom DNS setting for an EAA connector in Hyper-V is persistent after a reboot.
• Resolved false positive messages when the application is not reachable.
• Performance improvements for loading certificates while loading the application general settings page.
• Pagination is supported on the certificates page.
• The connector load indicator works properly when applications are deleted or moved to another connector.
• The last synced time is displayed for organization units (OU) in directories.
• Crashes while upgrading from EAA Client 2.0.4 to 2.3.0 have been fixed.
• The EAA Client Versions tab displays the latest release of a given train (e.g. 2.1.2 instead of 2.1.0). To apply other versions to a tier or tag rule, enter them in the Custom version field.
• If you edit a certificate profile’s name, the previous name may still display on the Device Details page for up to 30 minutes.
• The Device Posture tiers’ and tags’ criterion “Anti-malware Status” with value “Good” now displays as “Anti-Malware Profile” with value “Any Vendor”.