Release Notes: Property Manager

Performance improvements and bug fixes.

New Features

New frozen rule format available for PAPI users: v2021–07–30.

New version of ETP mobile client is now available

The Enterprise Threat Protector (ETP) mobile client is now in limited availability and supports bring your own device (BYOD). With BYOD, end users can activate ETP Client on their personal devices without using the enterprise-wide entitlement code.

The following applies in this update:

• After the client is installed, the user is prompted to activate the client with a one-time activation code (OTAC). If the user does not have this code, the client lets users request it. The activation code and a link to activate the client on the device is emailed to the authorized user’s corporate email address.
• To email activation codes, administrators must configure authorized corporate domains in Enterprise Center. Administrators should not provide email domains that are associated with public email providers and therefore, accessible to unauthorized users.
• From Enterprise Center, administrators can send users an email invitation that contains the activation code. Administrators can also choose to generate a CSV file with activation codes and manually distribute these codes to users offline. After the activation codes are generated, they are valid for one week (7 days).
• When generating an OTAC in Enterprise Center, administrators should specify the user’s email address or a user ID in the User’s List. This allows administrators to associate events with the users who trigger them. This email address or user ID appears in the Device Owner dimension that’s available in ETP event and activity reports.
• While users provide an activation code or use the deep link in the email to activate the client on their device, the entitlement code is still supported for administrators. Administrators can enter this code when performing client installations.

The new mobile client version is available for download in the Apple App store and Google Play. For more information on BYOD and distributing the mobile client, see the ETP documentation.

We’re excited to announce the release of new Billing and Invoicing APIs giving access to usage and invoicing information. 

What’s changing

The Billing API offers a programmatic alternative to Usage by Product, Usage by Contract, and Usage by Reporting Group reports available in the Billing Control Center interface, while the Invoicing API allows you to access your Akamai invoices and credit memos. For more information, refer to the documentation of Billing and Invoicing APIs.

The legacy Billing Center APIs will continue to work until August 24, 2022. 

Enterprise Threat Protector (ETP) Client 3.5.0 is now available

A new version of ETP desktop client is now available. This update includes bug fixes, as well as a feature that is in limited availability. Make sure you upgrade clients to this new version. If your enterprise is using version 3.4, upgrade the client or force an automatic upgrade to version 3.5.

This feature is now in limited availability:

• Walled Garden. You can use ETP Client to allow Internet access only to a specific set of domains.

To try this feature, contact your Akamai representative.

Enterprise Threat Protector (ETP) Release, August 18, 2021

The following updates are included in this release:

New Risky Threat Categories. Akamai has added risky categories to the threat settings of a policy. These risky categories include Adware, Coin Mining, Newly Seen Domains, Newly Registered Domains, Potentially Harmful Domains, and DNS Tunneling services. Before this update, risky domains were tracked in a policy setting where administrators could select an action that would send all risky domains to the proxy for scanning. With these new risky categories, you can select an action for each category.

Option to remove a risk level from a policy. When configuring application visibility and control (AVC) and an acceptable use policy (AUP), an administrator can now remove a risk level from the policy configuration.

File hash exception lists. File hash lists are now called file hash exception lists.

Bug fixes and UI enhancements. This release includes updates to the user interface and bug fixes.  
 
Important: The ETP legacy user interface will reach its end of life in December 2021. Please use the new Enterprise Center user interface to complete all your ETP operations.  
 
The following features are currently in beta:

Sub-locations. You can now configure sub-locations for ETP locations. A sub-location can represent different virtual local area networks (VLANs) that are routed to the Internet with the same IP address as the parent location. This feature allows you to apply different policies to your sub-locations and in turn, define more granular access.

Local breakout for bypass domains. The Local Breakout for Bypass Domains setting is enabled by default in a policy to ensure that domains configured in ETP for bypass are directed to the origin from the branch or enterprise network. Disable this option if your network does not have a direct route Internet and cannot access these origins.

Changes to ETP policy logic. These updates include:

• Prioritization of custom exception and block lists. If the domain, IP address, or URL found in a custom block or exception list is also found in Akamai Security lists, the Microsoft 365 list, or in an AUP and AVC configuration, the policy action associated with the custom exception or block list takes priority.

• Updated handling of policy conflicts. In addition to prioritizing the policy action of a custom exception or block list, the following also applies:

  • If the same domain with different suffix lengths is specified in multiple custom lists (for example, in multiple block or exception lists) or in multiple ETP lists (for example, in multiple acceptable use policies), ETP enforces the policy action assigned to the longest address.
  • If the same domain, IP address, or URL is configured in multiple custom lists or in multiple ETP lists with conflicting policy actions, ETP selects the action based on this priority:
    1. Bypass
    2. Block
    3. Monitor
    4. Classify
    5. Allow

 
To try any of these beta features, contact your Akamai representative.

Reporting August updates:

The data completeness information is now available in the UI and HTML reports. You can see it as the Complete data ends label.

Event Viewer - Interface enhancements and new features

Enhancements include:

• Redesigned interface to better align with other Control Center applications.
• Reordered event results columns in a more useful sequence.
• Renamed the Action column to Activity for clarity.
• Increased the screen width to improve usability.
• Renamed the Export as CSV option to Download visible events from the table to a CSV file and relocated it to the bottom of the event results for convenience.
• Added error handling with proper messaging.

New features include:

• A collapsible sidebar panel with the option to either scroll and select several event types at once, or use filtering to quickly search for common events.
• Global filtering that lets you search event results for information such as event types, activities, usernames, and details like IP address and hostname, without expanding the event.
• A copy option that lets you copy the details for a single event to a clipboard and paste them into a format of your choice.

Enterprise Application Access (EAA) August 2021 software release

EAA Client Versions

• EAA Client for Windows: version 2.5.3

• EAA Client for macOS: version 2.5.2

• EAA Client mobile app for iOS: version 1.04

• EAA Client mobile app for Android: version 1.02

Akamai EAA New Features

Azure SCIM Integration. You can provision users and user group memberships from Azure Active Directory (AD) to EAA Directory using the System for Cross-domain Identity Management (SCIM) 2.0. 

Certificate-authentication enhancements. Perform additional certificate attribute checks while verifying a certificate as part of the IdP authentication. We support Issuer Distinguished Name, Subject Distinguished Name, and Serial Number certificate attributes.

EAA Client Forward-proxy. You can use a forward proxy between the EAA Client and EAA cloud. The EAA Client can support both HTTP and HTTPS proxy using the underlying system settings to determine how to access the proxy. The EAA Client supports either no proxy authentication or NTLMV2 proxy authentication.

SentinelOne Anti-Malware support for Device Posture. In this release, we have added SentinelOne to the list of anti-malware products on both Windows and macOS. Customers may now detect if the SentinelOne client is active and use that as a device posture signal for any vendor list. Any vendor may be used when anti-malware is required but does not have to be a specific anti-malware product.

Akamai EAA End of Support/Service for EAA Client.

EAA Client versions 2.1.0 and 2.1.2 End of Service / Support - From February 28, 2022, Akamai will no longer support EAA Client versions 2.1.0 and 2.1.2. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.

Product Migration - For customers using EAA Client versions 2.1.0 and 2.1.2, migrating to newer EAA Client versions, will require the older EAA Client to be uninstalled before the newer EAA Client is installed.

When moving to EAA Client version 2.1.0 and later, a new akamai-device-id is generated. EAA activity reports, Clients overview dashboard, Device Posture dashboard may include old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.

EAA and EAA Client limitations.

• Admins may need to clear the cache to see EAA 21.02.00 UI changes when you log in to the Akamai Control Center.
• When you enable forward proxy in EAA Client and are using Safari browser, you cannot access client-access applications.
• To use forward proxy on Windows 7, users need to configure Proxy Auto-Config (PAC) file manually. See EAA Client Admin Guide.
• Upgrading the EAA Client to a version prior to 2.4 may cause database corruption. To avoid this you must uninstall and reinstall the EAA Client.
• For a SCIM directory in EAA, the Last Synced and Last Updated values indicate the last time the directory configuration was modified.

Fixed customer bugs.

• EAA Client rejects invalid DNS SRV response.
• When you use EAA Client with Akamai MFA as an MFA factor, no false error message, “Failed to post code to EAA Client, please log out and log in again” appears.
• Connector metrics display custom domain applications data.
• If you edit a certificate profile’s name, the previous name may still display on the Device Details page for up to 30 minutes.
• Fixed single sign-on issue observed when Device Posture is enabled, and an OpenID Connect Application is accessed before logging into the identity provider.
• EAA Client Authentication flow is fixed for the identity provider disabled with captive portal configuration.

Image and Video Manager July 2021 updates:

New features:

• Artistic transformation of Fit and Fill: Resizes an image to fit within a box of a specified size, then uses a blurred version of that same image to fill the transparent space at the edges.

• Image transformation to support circle crop: Trims the image to fit the geometry of a circle, which is commonly used for profile or avatar images.

IoT Edge Connect has been updated to help support the scale and stability requirements of users moving forward. Changes include:

• QoS 2 downgrade support. Message publication and subscription at QoS level 2 is no longer supported. Now, when a client attempts to subscribe to QoS 2, the service informs about supported QoS levels, and responds to the request with a maximum indicated QoS 1 level in the SUBACK response message. The service delivers messages at QoS 1 and QoS 0 as appropriate.

Other updates:

Several internal improvements to the overall stability and performance of the service.