Secure Endpoint 9.0 release notes

This topic describes the software changes included in Secure Endpoint 9.0.

This release introduces performance, security, data integrity, and usability improvements that enhance the responsiveness, reliability, and ease of use of the system. It also introduces enhancements, improvements, and fixes to existing features and functionality.

To view the software changes introduced in this release that apply to the Secure Endpoint Agent, see the Secure Endpoint Agent release notes: Version 9.0.

Depending on the Absolute product licenses associated with your account, some of the following features, enhancements, and fixes may not be available to you.

Features and enhancements

SCIM integration is a new feature that lets you automatically provision users from your identity provider (IdP) to your Absolute account. If you have enabled Single Sign-on using any of the following SAML 2.0 IdPs, you can enable SCIM integration:

  • Microsoft Entra ID (formerly Azure AD)
  • Okta
  • PingFederate®

Absolute's SCIM integration solution supports the SCIM 2.0 protocol only.
Absolute has tested and validated SCIM integration using the IdPs listed above. If you are using another IdP, you should be able to enable SCIM integration with any IdP that supports the SCIM 2.0 protocol.

When SCIM integration is enabled, new IdP users are automatically synced to Absolute, as are updates to the following user information:

  • First and last name
  • Email
  • User status
  • IdP group

To learn more, see the following topics:

Investigations is now available if you use you use cc.eu2.absolute.com to log in to the Secure Endpoint Console. If you discover that a device has been stolen, and you've filed a police report, you can now enlist the help of the Absolute Investigations team to try to recover it.

The Investigations Team is staffed by former law enforcement professionals and other experts who use forensics tools and techniques to locate missing devices. The details provided on the police report and the information gathered by the device's Secure Endpoint Agent play key roles in the recovery process. After the device is located, the Investigations team connects with local law enforcement to coordinate its safe return.

To report a stolen device, create a theft report. Learn more

The Investigations feature is only supported on devices that are assigned the Absolute Resilience license.

This release introduces the following enhancements to anti-malware detection:

  • On Windows and Mac devices, the Secure Endpoint Agent:

    • Now detects all installed anti-malware applications supported by Absolute. You can view them in the Security Controls area of each device's Device Details page. Click the anti-malware application name to open a dialog showing the following information about each application:

      • Product name
      • Definition date
      • Definition
      • Status (Windows devices only)
    • Now attempts to detect new versions of supported anti-malware applications and report them in the console. The application's Definition and Definition date are also reported, if available.
  • On Windows devices, the agent can now detect the status of installed anti-malware applications. Possible statuses are Active, Disabled, and Expired. You can view the status in the Security Controls area on the device's Device Details page.

These enhancements are only available on devices running Secure Endpoint Agent 9.0 or higher.

By default, API tokens have the same permissions as the user role assigned to the token creator. Now, when you create a new token, you can change the token so it only has the minimum permissions required for its intended use.

Existing tokens that were created without permissions now have the same permissions and assigned device groups as the user that created them.

Permissions can't be edited after a token is created. This means that for both new and existing tokens, any changes made to the creator's user role or assigned device group won't result in a change to the token's permissions or assigned device group.

Learn more

The default expiry date applied when creating a new API token has been lowered to three months. You can still set the expiry to be one year from the creation date.

A new option, Include IP locations, is now available in Location rules. When this option is selected, the rule is triggered when a device's IP location changes, but only if Wi-Fi and GPS location data is unavailable. By default, the Include IP locations option is disabled. Learn more

This release introduces the following enhancements to the License Management (version 2) feature:

  • On the Report on Products page in the License management area, you can now search for a license by product name.
  • When a new purchase order becomes available in the console, a license is now automatically assigned to each unlicensed device, if possible. Learn more
  • An orange banner now shows at the top of the console when base licenses are due to expire within the next 30 days. Click View devices to view the devices with a license that needs to be renewed.

  • The following enhancements are now available in Device Details:

    • A status alert banner now shows at the top of a device's Device Details page if its license is due to expire within the next 30 days.
    • A device's assigned base and add-on licenses are now displayed in the Overview area in Device Details. Click the license name to view more license information in a dialog. The label Unlicensed shows if no license is assigned.

For added security and improved interoperability, all PowerShell scripts that are part of a Reach script are now signed. PowerShell scripts provided by Absolute are signed by Absolute. Custom PowerShell scripts can either be signed by you before your upload them, or by Absolute if there is no signature found when you upload them.

The Enable script signature check setting has been added to Settings > Action preferences. When this setting is turned on, the ANS component A lightweight software component of the Secure Endpoint Agent that is responsible for running a script on a device when a Run Script request is processed. validates the script's signature when the script is downloaded to the device as a part of the run script request. This setting is turned off by default. For improved security, we strongly recommend that you turn on Enable script signature check.

When you run a script signed by you on your Windows devices and you've enabled the script signature check, you need to make sure you have added your certificate to your devices' Trusted Root Certification Authorities and Trusted Publishers certificates stores before you use the script in Run Script requests.

Learn more

The Reach script library has been updated and now has a more modern and user-friendly interface. On the Settings > Script library page, you can see the following changes:

  • Scripts are now displayed in rows. Each row shows the following information:

    • The script name and description
    • The username of the creator of custom scripts
    • Icons to identify an Absolute or custom script

  • Click a script's row to open its overview. The overview has the following improvements:

    • Icons that indicate whether the script is supported on Windows or Mac devices
    • A View Script link to open a preview of the script
    • Details for both Windows and Mac devices without having to change tabs
    • The ability to show or hide advanced configuration options

Learn more

This release introduces the following enhancements to reports:

The following event is now logged to the Events page in the History area:

  • Firmware freeze removed by passcode

If desired, you can create an Alert rule based on this new event.

To support the new features and enhancements introduced in this release, the following permission has been added:

  • SCIM integration

This permission has been granted to the appropriate default roles. For example, System Administrators are granted Manage capabilities for this permission. To grant this permission to any custom roles you've created, update each role's permissions.

Improvements and fixes

Absolute 9.0 introduces the following improvements and fixes:

Feature/Area Details
Absolute APIs

  • The following parameters have been added to the GET /reporting/devices-advanced and GET /reporting/devices endpoints:

    • orgUnits: The distinguished name of the Active Directory organizational unit that the device is associated with
    • rnrSEPIOAGENT: An object containing information about the Application Resilience policy for Sepio Agent
Agent installer
  • When running the full agent installer on a Mac device with an M1 or M2 chip, you are now prompted to install Rosetta if it's not installed. Previously, the installation failed.
  • The Persistence Status Monitor is now included in the download package for the Windows full agent installer.
Application Health
Application Resilience
  • For applications that use PowerShell scripts for health checks, some errors messages were difficult to understand. The error messages have now been improved.
  • You now configure health check signers for the latest version of most supported applications.

  • The following Application Resilience policies have now been updated:

    • BitLocker

      In some cases, the RAR component is unable to get information for the OS. This doesn't indicate the BitLocker is unhealthy. When the RAR component is unable to get this information, BitLocker no longer reports as Not compliant.

      When the operating system doesn't support BitLocker, Status details now shows the operating system of the device.

    • Lightspeed Smart Agent

      Policies for Lightspeed Smart Agent now support versions 2.x or higher.

    • Microsoft Defender Antivirus

      Policies for Microsoft Defender Antivirus now allow you to specify the platform version you expect to be running on your devices.

    • Microsoft Defender for Endpoint

      Policies for Microsoft Defender for Endpoint now allow you to specify the version you expect to be running on your devices.

    • Microsoft SCCM

      Error messages have been improved for Microsoft SCCM when the error relates to the Admin Share health check.

      When a health check service isn't running or the registry key has an unexpected value, Status details now shows the name of the service or registry value.

    • Sepio Agent

      Application Resilience now supports Sepio Agent. Learn more

    • Tenable Nessus

      Policies for Tenable Nessus version 8.x or higher now check for Tenable Inc. and TENABLE, INC. as signers for the services being monitored for health checks. In addition, you can also configure more signers in the policy. Learn more
Chromebook support

  • When deploying the Chromebook extension, you now must download a Chromebook policy file from the Secure Endpoint Console and upload it in the Google Admin console.

    Learn more

  • You can now copy the Chromebook extension ID from Settings > Chromebook settings in addition to being able to copy it from Settings > Agent management.
  • If your Google Account fails to connect to the Absolute Monitoring Center for more than 24 hours, you receive an notification email. Previously, the link included in the email may have contained the wrong log in URL. This issue is now fixed.
DateExplorer builder

  • DataExplorer Builder version 1.0.12 has been released.

    Learn more

Device Details
  • Occasionally, when clicking View Action on the overview section in the History tab, the request would open momentarily in History > Actions, then the first request listed replaced the request. This issue is now fixed.
  • The request description and unfreeze code are now displayed in the overview section in the History tab for on-demand and scheduled Freeze requests. Learn more
  • While viewing a report, using the navigation bar's Search field to perform two consecutive searches caused the Device Details page to fail to load for the second device. This issue is now fixed.
Device groups
  • When moving a device group, the Devices sidebar may have continued to scroll after you stopped dragging the device group to its new location. This issue is now fixed.
Device Usage
  • In some cases, the wrong time was displayed for Lock events. This issue is now fixed.
Endpoint Data Discovery (EDD)
  • To prevent excessive matches, you can no longer use only wildcard characters (* and ?) with the @filename operator. This change prevents accidental matches to every file scanned during an EDD scan.
File Delete
  • When you create a Delete File request, you can now set the name of the request. You can use the request name to help identify the request in History > Actions.
History > Events
  • The Refurbishment Successful event has been changed to the Refurbishment Processing event to indicate that refurbishment is in progress, or it's completed.
  • For the events associated with a Remove Freeze request, the user who created the request is now shown in the Summary area. Previously, the user who created the original Freeze request was shown.
  • Date range filter conditions, such as Last 1 year, are now uniformly applied across both the Event History page and a device's History page in Device Details. Previously, events may have been filtered out on one page but included on the other.
History > Actions

  • Completed device action requests are now deleted five years after they are completed. If you require any of the following information after this time, create a copy outside the Secure Endpoint Console:

    • the Unfreeze code for a Freeze request
    • the Certificate of Sanitization for a Wipe request
    • the File Delete log file for a Delete File request or Delete All Files wipe request

    Learn more

License management (version 2)
  • Previously, when you exported the Report on Products page, the Product name column in the exported report showed the internal product code instead of the product name. This issue is now fixed.
Reach Scripts
  • When you create a Run Script request, you can now set the name of the request. You can use the request name to help identify the request in History > Actions.
Reports
  • Previously, some numbers were exported incorrectly. For example, when exporting a report that contained numbers with decimal values, the export only showed the whole number. This issue is now fixed.
  • Previously, after selecting a report action and then pressing the browser back button, the dialog would close, but you would be taken to the last area you had open. For example, if you opened the Activation report and clicked Export, then clicked back, the All Reports page was displayed. Now, the dialog closes, but the report or page remains open.
  • Previously, after selecting a device action in a report or page and then pressing the browser back button, the dialog didn't close. Now, the dialog closes successfully.
  • The OS > Security patch level column and filter, which apply to Android devices only, has been removed. Android devices are no longer supported.

  • After selecting devices in a report or page, the following actions no longer clear your selections:

    • Changing the sort order
    • Refreshing the page using the icon
    • Selecting a device action, such as Freeze, and then closing the dialog that opens
Rules
  • A notification is now displayed in the console if at least five percent of your active devices are expected to be frozen by an Offline Freeze rule within the next 14 days. The notification contains a link to a Knowledge Base article that provides information about next steps.

  • Users assigned to a single device group can now edit the device groups in the Apply to area of Location and custom rules. As a result, the following warning message shows:

    Changes you make to this rule will also apply to devices that you may not have access to.

    Learn more

  • Custom rules based on the Device user information updated > Domain changed event are no longer triggered when the domain name didn't change.
Unenroll Device
  • When you create an Unenroll Device request, you can now set the name of the request. You can use the request name to help identify the request in History > Actions.
Utilities
  • To view the Help for the Network Diagnostics Tool, you can now simply enter DDSNdt.exe at the command line.
Web Usage
  • When viewing the Web Usage (Last 7 Days) report, clicking a percentage in the Devices column for a particular website may have opened a report that showed duplicate records for each device. This issue is now fixed.
Wipe
  • In some rare cases, a Wipe request may have failed to progress past the Processing status in History > Actions, and the Certificate of Sanitization failed to be uploaded. This issue is now fixed.
  • When you create a Wipe request, you can now set the name of the request. You can use the request name to help identify the request in History > Actions.