Enterprise Application Access (EAA) 03/23/20 software release

Akamai EAA New Features

Block Users. It allows the EAA Identity administrator to kill all existing sessions and prevent new sessions for the specified user within five to ten minutes. Blocked users can be  unblocked if required. Works on Akamai identity provider and third party IdPs like Okta or Azure AD.

MFA Recovery code. When end-users forget to bring their 2nd-factor device this can be used as a fallback mechanism to allow validated users to access the login portal. This will work only with Akamai MFA that is part of an Akamai IdP.

Connector in-place upgrades. When an updated connector package is available, such as a patch to address security vulnerabilities, admins can now  update the connector without having to roll out new connectors. Admins can choose the connector to apply the patch. Please note, customers are advised to use 2+ connectors per application or directory. You should upgrade one connector at a time, which will ensure disruption is minimal. Connector update packages will be tested by EAA.

  Akamai EAA Client New Features

Device Posture New Features. With Device Posture (DP) you can improve your application security. DP collects signals about a device via the EAA client, the EAA mobile app for iOS, or integrations with Enterprise Threat Protector (ETP) or VMware Carbon Black (ETP and VMware Carbon Black licenses required). Admins then configure rules to classify devices into low, medium, or high risk tiers or, optionally, into risk tags. Risk tiers or tags can be used as criteria along with Enterprise Application access control rules, thus improving application security. DP includes a full set of device inventory and device posture reporting tools.

Mac OS X 10.15 Catalina Support. The EAA client (including Device Posture capabilities) will be supported on Catalina, which is Apple’s newest Mac operating system.

Windows 10 Home Edition Support. The EAA client (including Device Posture capabilities) will be supported on Microsoft’s Windows 10 Home Edition.

TunnelApp 2.0. Tunnel App 2.0 eliminates the need for admins to configure access for several applications individually, which becomes a tedious task for customers having many applications. With this new feature, admins can configure several destinations under the same client-application in tunnel mode. Multiple destination definitions can be combined, such as FQDN wildcard with * syntax, IPv4 CIDR block, protocol support for UDP, TCP or both, and port selection using range or multiple port/range. This application pooling capability saves time and reduces the chance of any error.

Silent Install Improvements. Admins can install or upgrade the EAA client on many machines using software deployment/patch management solutions, such as KACE, SCCM/Intune, and JAMF. During this process, end-users will no longer need to click on download and configure the EAA client.

Enterprise DNS. The EAA client will intercept PTR (pointer records) and SRV (service records) queries and forward it to the enterprise’s DNS server. This supports Kerberos based authentication, which requires DNS SRV to work.  

Known Limitations

EAA and EAA Client Limitations

• No warning is displayed when you modify an existing IP based tunnel-type client-access application by adding or deleting IP addresses.

• Silent installation of EAA Client cannot be done on a Windows 7 Enterprise 32 bit machine. Work around is to perform a manual installation.

• If you are using Outlook on a Windows machine, and you switch EAA Client from Wi-Fi to LAN or hotspot and back to Wi-Fi within 30 seconds, Outlook will be stuck in connecting state. The workaround is to quit Outlook and launch again.

• If you have Oracle Virtualbox installed on Windows 7 machine, EAA Client works intermittently.

• On-premise detection does not work if the DNS is manually modified on the machine’s network adapter’s interface. As a work-around, log out and log back into the EAA Client.

• In Windows, on-premise detection uses DNS addresses from all interfaces to resolve hostnames. If there are any disabled interfaces, it triggers false on-premise detection. As a work-around, you should clear the DNS configuration for disabled interfaces.

• The EAA administrator cannot customize the Enterprise DNS application URL.

• You cannot attach an IdP to an Enterprise DNS application. It is not possible to have specific DNS servers for the same search domain for users in a particular region served by an identity provider. This can increase the latency for the users.

Device Posture Limitations

• Device Posture sends signals only when you are logged into the EAA Client mobile app or desktop app.

• On mobile devices, if you switch out of the EAA Client app before completing registration, the application stops working.

• Device Posture does not work if applications have a form-based user-facing or certificate-based user-facing authentication.

• When using the EAA Client mobile app with a third-party IdP, if you experience a browser session timeout, you will see the erroneous device posture remediation message “Ensure your EAA Client is installed or configured correctly. Device posture not found” and is re-directed to the Akamai IdP. Users should logout of the Akamai IdP and device posture should work properly.

• After a silent install of the EAA Client on Windows machines, the “User Id” field may be incorrect. This issue can be corrected by restarting the EAA Client or rebooting the system.

• Device Posture anti-malware detection may display the same anti-malware signal multiple times. This does not impact functionality.

• On macOS platform, the OS last update time field incorrectly displays the last time the OS was checked for updates instead of the last time the OS was updated. This does not impact to functionality.

• When updating from Windows EAA Client version 1.x.x, the OSQUERY directory and files may not be deleted. They can be safely removed when running Windows EAA Client version 2.0.0.

• If you login to an application that has Device Posture controls, using EAA Client mobile app, you maybe be denied access for the first time. Subsequent access using the retry button or accessing any other application should work.

• If you log into the EAA Client mobile app, using Safari, Device Posture might not work. The user might have to log out and then log back into the EAA Client. Or log in to EAA mobile app with the QR code.

The latest update to mPulse includes an enhancement that improves bot detection and classification capabilities. Learn more about the Integration with Bot Manager.

Property Manager CLI: Minor version release updates

The version 0.6 maintenance release of the Property Manager CLI includes these updates:

• Pipeline environment order. You can now update environments in any order you want without editing templates or using the --force argument. Out-of-order environment promotion is available by default.
• Number of environments. The Property Manager CLI now supports pipelines with 1 to 30 environments. Previously, the CLI supported 2 to 10 pipelines.
• Account switching support. added for teams with access to multiple Akamai accounts.
• Support for npm. Updated npm support to version 6.13.4.
• Bug fixes. Fixes to these issues:
  • New pipeline from existing property. Creating a new pipeline based off of an existing property now properly retains the rule format of the source property.
  • Status conflicts. Updated envInfo.json to prevent status conflicts for multi-developer and Jenkins-managed projects. The EnvInfo etag field was removed and is no longer required.  

Property Manager CLI: Planned major version

The next major version of the Property Manager CLI is planned for this year. It’s expected to include these updates as well as others:

• UI enhancements. The Property Manager UI will include an indicator when a property is managed by a pipeline.
• Pipeline property locking. By default, you won’t be able to use PAPI or the Property Manager UI to edit properties managed by a pipeline. You’ll be able to override this default if needed.
• Workflow support. Support will be added for more Property Manager workflows.

Secure log delivery to NetStorage via HTTPS for log formats related to non-delivery products such as GTM, Fast DNS, IP Accelerator, and NetStorage is temporarily unavailable. This functionality will be available in the middle of April, 2020.

Enhancements in Identity and Access Management Application

• If you change any roles or block any existing group access for a user, these changes also impact any existing API clients owned by that user. Please review all API clients that belong to the user before updating their roles, to ensure the changes do not cause any undesired consequences to the impacted API clients.
• Removed Support for Web Services Identities.

General Updates

Cloudlets Origins are now called Conditional Origins in Property Manager. For example, the Cloudlets Origin Definition behavior is now the Conditional Origin Definition behavior.

Enhancements

• Activations. The Audience Segmentation, Edge Redirector, Forward Rewrite, and Input Validation Cloudlets now have:
  • Faster activation times. Most policy activations for these Cloudlets are live on the network in less than 15 minutes. Activations that impact more than 50 properties won’t see these improvements. The next version of the Cloudlets API will address this issue.
  • Faster response times. An activation request from these Cloudlets may receive a response in under two seconds. The next version of the API will extend the faster response times to all Cloudlets.

• Chrome v80 update. Cloudlets now support Chrome’s secure-by-default cookie model. Going forward, cookies created by Cloudlets will have HttpOnly, SameSite, and Secure attributes set correctly for HTTP and HTTPS clients.

• Custom header support for Application Load Balancer liveness tests. Liveness tests for Application Load Balancer now support custom HTTP headers. If you use a custom header in your load balancing configuration, all liveness requests sent to your data centers will include the custom header value.

Bug Fixes

• Cloudlets Origin IDs. Previously, you couldn’t have a Cloudlets Origin ID that was all numbers. This release fixes this issue.
• Application Load Balancer failover requests. In some cases, Application Load Balancer sent requests to a downed data center before failing over to a second data center.
• Application Load Balancer failover assignment. If Requests before Origin Stickiness Reassignment was set to 1, Application Load Balancer didn’t reassign clients back to original data center.
• Invalid CSV characters. The Edge Redirector CSV download function added invalid characters to regular expressions.

The latest update for the Test Center release includes the following UX changes in the comparative testing:

• No test definition is selected by default.
• Run test is not the primary button in the test definition details section.
• Overflow menu is replaced with action buttons that appear upon selection.
• The label Details of <test definition name> changed into Details of test definition.
• Minor bug fixes.

The latest update for the Support release includes:

• Software and documentation download links in the Aura LMS and Aura LCDN user developer guides.
• Bug fixes.

Android Library

This includes multiple releases of this component.

Version 3.6

The following updates have been included with this release:

Enhancements:

• Downgrading Android minSdkVersion version support to 16.

Version 3.6.3

The following updates have been included with this release:

Bug fix:

• Fixed crashes that were seen with devices using Android API 18 and earlier.

Enhancement:

• Selective application of “SameSite” cookie attributes.  We recently enhanced the AMD Cookie-based Token Authentication functionality to maintain compatibility with Google’s updates to their SameSite Cookie attribute, with Chrome version 80 and later. With this new change, Akamai is more selective when explicitly setting the “SameSite=None” and “Secure” attributes for token cookies. Akamai identifies cross-site requests by looking for the presence of the “Origin” header and sets the “SameSite=None” and “Secure” attributes only if this request header is present.