Absolute 7.21 Release Notes

This topic describes the software changes included in Absolute 7.21. It also describes the changes included in all hotfixes since the release of Absolute 7.20.

This release introduces performance, security, data integrity, and usability improvements that enhance the responsiveness, reliability, and ease of use of the system. It also introduces enhancements, improvements, and fixes to existing features and functionality.

To view the software changes introduced in this release that apply to the Secure Endpoint Agent, see the Secure Endpoint Agent release notes: Version 7.21.

Depending on the Absolute product licenses associated with your account, some of the following features, enhancements, and fixes may not be available to you.

Features and enhancements

A new pre-defined report is now available in the Reports area.

The Device Freeze Passcode report allows you to track devices with an outstanding Freeze request or an active Offline Freeze rule. The report includes details about each request or rule, including its unfreeze code, request type, status, and the user that requested it.

The report is available in the Device report category, and Absolute view of the Reports area. You can also navigate to it from a device's Unfreeze code history dialog.

To view this new report, your user role needs to be granted Perform permissions for Remove Freeze. The following default user roles are granted these permissions: System Administrator, Security Administrator, and Security Power User.

Learn more about the report

The agent installers for Windows and Mac have been updated. You no longer need to wait for full agent installer packages to be generated before you download them; your account metadata is now seamlessly added to the installer package as part of the download process.

To download the platform-specific installers for the latest agent version, go to Settings > Agent Management and click Get Absolute Agent. From the dialog that opens you can download the following installers for Windows and Mac:

  • Full agent
  • Core agent

The Chromebook extension ID is also shown on this dialog.

Learn more about downloading an installer

Also note that the filename of the agent installer packages, and the package contents, have been updated:

Platform Installer type Filename Package contents
Windows Full agent AbsoluteWinFullAgent-<version>-<account ID>.zip View
Core agent AbsoluteWinCoreAgent-<version>-<account ID>.zip
Mac Full agent AbsoluteMacFullAgent-<version>-<account ID>.zip View
Core agent AbsoluteMacCoreAgent-<version>-<account ID>.zip

The Download Packages page is now retired.

The Agent Management page in the Settings area has been improved. It now includes two page views:

View Details

Default (New!)

This view is displayed when automatic agent updates are enabled (slider is green), and your devices are on the latest version of the Secure Endpoint Agent. The default view persists until automatic agent updates are disabled.

  • To view the release notes for the latest agent version, click the icon.
  • To download a platform-specific installer for the latest agent version, click Get Absolute Agent.

Agent version control

This view is displayed when automatic agent updates are disabled (slider is gray). It contains improvements over the existing Agent Management page and is now more intuitive and easier to work with.

For example:

  • By default, the page now shows only those agent versions that are currently assigned to one or more policy groups. If any of these agent versions were released more than 18 months ago, an Unsupported label is applied. To show all versions released within the last 18 months, select the Show unused versions check box.
  • The Latest agent version and the Default agent version are labeled for easy reference.
  • The number of policy groups and devices assigned to each agent version are presented as icons with helpful tooltips.
  • Actions, such as downloading an agent version's installer, are also presented as icons.
  • Each agent version's More menu () contains additional actions, such as assigning policy groups to the version.

For more information about managing agent updates using the new interface, see the following topics:

The main Rules page has been enhanced. From this page you can now:

  • Search for a rule by rule name or description.
  • Click a rule's background to view details about the rule in the new rule overview dialog.
  • Click a slider to activate or deactivate a rule.
  • Hide inactive rules.
  • Change the level of detail shown on the page by clicking Collapse and Expand icons.
  • View details about the most recent update to the rule.

Learn more

You can now use bulk upload to report a large number of missing devices found at one time. The results from using Report Found with bulk upload are provided in a CSV file.

Application Persistence policies, which collect information about the functional status of third party applications installed on your Windows devices, now support persistence of the following applications:

You can now persist the following application versions:

  • Dell Encryption version 11.x or higher
  • Sophos Endpoint Protection version 2.20.10.x and 2022.x or higher

In additional to all of the newly added applications and versions, the latest version of the following applications now support file hosting:

  • Cortex XDR™ Agent
  • ESET® Endpoint Antivirus
  • F5® BIG-IP® Edge Client®
  • Ivanti® Security Controls
  • Netskope®
  • Plurilock Defend™
  • Pulse Connect Secure

The Secure Endpoint Agent is now supported on devices running the macOS 13 operating system.

The Device volume nearly full event is now logged to Event History. This event is triggered when a volume's available space drops below 10%.

If desired, you can create a custom rule based on this new event.

System Administrators will now receive email notifications when Absolute Service Provider certificates are about to expire and new files are available for download from the Secure Endpoint Console. These notifications begin 30 days prior to the certificate expiration date, which is 3 years from their creation date. An announcement will also be displayed in the console.

When the time comes to download new files, authorized users can click View Identity Provider to open the SSO properties page and then use the following links:

  • Download Encryption and Signing Certificates
  • Download Metadata

Learn more

Endpoints for the following features have been added to the version 3 API:

Features Details
Wipe

Use the Wipe API to submit Wipe requests, query existing requests by device or request, cancel requests, and download Certificates of Sanitization.

Learn more

File Delete

Use the File Delete API to submit File Delete requests, query existing requests by device or request, cancel requests, and download Certificates of Sanitization.

Learn more

Messaging

Use the Messaging API to submit Send Message requests, query existing requests by device or request, and cancel requests.

Learn more

Custom Data policy

Use the Custom Data API to query, add, enable, and disable Custom Data policy data point configurations, get a list of data points and their scan results for devices, and query errors that occurred during data point collection.

Learn more

Features at or nearing end-of-life

Absolute has retired the following features:

Feature Details
Classic Device Freeze

For the few accounts that were using the Classic Device Freeze feature, this feature is no longer available and the Device Freeze area in the Settings area has been removed.

To submit an On-demand or Scheduled Freeze request, use the ABS 7 Freeze feature. To freeze a device that has been offline for too many days, create an Offline Freeze rule.
Classic End User Messaging

The Classic End User Messaging feature is no longer available. That is, you can no longer submit new requests, edit existing requests, or resend messages. Any existing requests that are currently in progress will still be processed, unless you cancel or suspend them.

To send a new message to your end users, use the Messaging feature.
Classic Download Packages page

The Classic Download Packages page is no longer available. Use the updated Agent Management area to download the Secure Endpoint Agent.

Note that with the retirement of the Download Packages page, the Secure Endpoint Agent for Android is no longer available for download.
Azure Information Protection

The Endpoint Data Discovery feature no longer supports Azure Information Protection. As a result:

  • The Microsoft Azure Information Protection (AIP) section has been removed from the Configure EDD dialog.

  • On a device's EDD Summary page in Device Details, the following items have been removed:

    • AIP supported/AIP not supported indicator
    • Protect Files with AIP option in the File Actions menu
Import Device Data for iPad The Import Device Data for iPad option is no longer available in the Import/Export menu of the quick access toolbar.

In an upcoming hotfix, or the next release of Absolute in early 2023, Absolute plans to retire the following features:

Feature Details
Single Sign-On using SHA1 Support for SHA1 hash algorithms and RSA-SHA1 signing algorithms will end. If you have not already done so, update your existing Absolute SP configuration in your IdP to use SHA256 hash algorithms with RSA-SHA256 signing algorithms.
Investigations Report Contact List The Classic Investigations Report Contact List in the Settings area will be replaced by new contact list functionality. All email addresses included on the Classic contact list will be automatically migrated to the new list.
Service Guarantee setting The Service Guarantee Licenses section will be removed from the Classic Account Settings page in Settings. To assign Service Guarantee licenses to devices, you will only need to update the devices' Has Service Guarantee Custom Device Field.

Improvements and Fixes

Absolute 7.21 introduces the following improvements and fixes:

Feature/Area Improvements and fixes
Application Persistence
  • The scan frequency for some applications has been increased from every six hours to every 15 minutes.
  • In some cases, when the installer failed to download for some applications, the status details would incorrectly show that a restart was required to complete the reinstallation. This issue is now fixed.

  • The following Application Persistence policies have now been updated:

    • CrowdStrike Falcon®

      If a device has multiple versions of CrowdStrike Falcon installed, Application Persistence reports now show information on the most recently installed version of the application

    • FortiClient® VPN

      Policies for FortiClient VPN now check for both Fortinet Technologies (Canada) Inc. and Fortinet Technologies (Canada) ULC as signers for the services being monitored for health checks

    • Kaseya Agent

      Policies for Kaseya Agent now check for both Kaseya Corporation and KASEYA HOLDINGS INC. as signers for the services being monitored for health checks

    • ManageEngine Desktop Central

      Policies for ManageEngine Desktop Central now support versions of endpoint agent that are named Manage Engine Desktop Central - Agent, Manage Engine Central - Agent, or ManageEngine Endpoint Central.

    • McAfee® ePolicy Orchestrator

      Policies for McAfee ePolicy Orchestrator have been renamed to Trellix ePolicy Orchestrator® and support both McAfee ePolicy Orchestrator or Trellix ePolicy Orchestrator as the application name for versions 5.6.x or higher.

    • Microsoft Defender Antivirus

      If Policies for Microsoft Defender Antivirus had Cloud-delivered protection, Automatic sample submission, Tamper protection (report only), or Potentially unwanted applications (PUA) protection selected in the Application Persistence policy configuration, but they were not enabled in Windows Security, the Status details for the device showed status: Non-compliant, reason: The command task is not executed(expect to execute). This has been changed so the Status details now show the script return code that was expected and the code that was returned, as well as a scriptErrorMessage that indicates the configuration that didn't match. For example, if Tamper protection (report only) is selected in the Application Persistence policy, but it is not enabled in Windows security, the Status details now shows status: Non-compliant, reason: returnValue(expected/actual):1/2 and scriptErrorMessage: Tamper protection: disabled.

    • Microsoft SCCM

      • In some cases when you configured an Application Persistence policy for Microsoft SCCM that included a configuration file, the policy wasn't able to repair or reinstall Microsoft SCCM. This issue is now fixed.
      • Policies now allow you to enter the location of the folder that contains ccmrepair.exe for cases where the location has been changed from the default

    • Symantec Endpoint Protection

      Policies for Symantec Endpoint Protection now support multiple signers for version 14.2.x or higher. Some files used in the health checks for Symantec Endpoint Protection are now signed by Broadcom Inc. If Symantec Endpoint Protection is reporting Not Compliant because the signer is incorrect, you can now configure the signers in the policy. See more

    • Zscaler Client Connector

      Policies now only check to see if the ZSATrayManager (ZSATrayManager.exe) service is installed, and no longer check if the service is running
Assets
  • When exporting the All Devices page, the report name now shows as All Devices, not Active Devices.
Chromebook support
  • The Chromebook Settings now displays more detailed error reporting when there is an error syncing with the Google Admin console.
  • When you clear the selection beside an OU on the Chromebook Settings page, a warning now appears to let you know that the devices in the OUs will be unenrolled from the Secure Endpoint Console if you continue.
Dashboard
  • When opening a report from a widget, the Save and Reset to default options are no longer available in the menu. To save the filtered view of the report, use the Save As option.
Device Details
  • To remove ambiguity, the banner text has been updated in all Pending status alert banners. For example, the text "Pending Freeze request on <date and time>" is now "Freeze requested <date and time>".
  • All device action buttons are now grayed out when a device is Disabled or Reported Stolen. Device actions are not supported on unenrolled or stolen devices.
  • If a Report Found button shows in a missing device status alert banner, the Report Found action no longer shows in the device action menu.
  • If a Cancel button shows in the status alert banner for a pending script, the Cancel All Scripts action no longer shows in the device action menu.
Device Usage

  • You can now export up to 30 days of device usage information for multiple devices. The new Export usage… action is available in the menu of the following console pages:

    • Device Usage report
    • Assets > All Devices page
    • Assets > Missing Devices page

    Learn more

Email services
  • In some cases, users received multiple email notifications when a single location change occurred on a device. This issue is now fixed.
Full-Disk Encryption

  • A new encryption status has been added to all pages, reports and widgets that show a device's encryption status. The Used Space Encrypted status is now shown for a Windows device when all disk space that contains data is encrypted by BitLocker Drive Encryption, but free space is not encrypted.

    This status indicates that the Used Disk Space Only encryption option is enabled in BitLocker. For more information about this option, see Microsoft BitLocker Drive Encryption documentation.

  • When Dell Encryption is enabled on a device with a TCG self-encrypting drive, Dell Encryption is now reported as the detected encryption product.
  • When Dell Encryption is installed but not enabled on a device with a TCG self-encrypting drive, scan results are now uploaded as expected.
Geolocation
  • While working in map view (), you can now click in the page footer to refresh the map and show your device's most recently reported location.
Hardware data collection
  • For the M2 chip models of MacBook Air and MacBook Pro, the device's Model is now reported correctly.
History > Actions
  • A Certificate of Sanitization is now generated for completed Delete All Files wipe requests. You can view and download the certificate from Action History. Learn more
Insights
  • Usernames are now displayed in the correct letter case in the Application Usage dashboard.

  • The following changes were made to the Application Health Status - IT Dashboard:

    • Removed the following visualizations:

      • Persistence Event Count
      • Report and Repair Heatmap (also removed from the Executive Summary Dashboard)

    • Added the following visualizations:

      • Device Count & Map: coordinate map showing the device count by geographical location
      • Top Devices with Repair Status (New!): shows the 50 devices with the most repairs, broken down by repair status
    • Changed the Application Repair/Reinstall Status visualization to a time series that shows the change in status, week over week
    • The Non-Compliance Week over Week visualization now shows application and device count breakdowns across both Compliant apps and Non-compliant apps.
Messaging
  • You can now include a link to a webpage in a message.
  • You can now successful schedule a message for a later time on the current date.
  • On a Chromebook, you no longer need to scroll to the bottom of a long message to snooze a message or submit a response.
  • In some cases, a new message was not displayed on a Chromebook until the user logged out and logged back in. This issue is now fixed.
Reports
  • You can now delete a user-defined report directly from the Reports page. To do so, click > Delete to the right of the report name.
  • Previously, if your user role was assigned to a single Classic device group, the Installed Applications report was not limited to the device group's devices when the report was exported. This issue is now fixed.
  • When the Application Persistence report was opened from the Application Health widget, or the Application Persistence Events report was opened from the Repairs and Reinstalls widget, the reports opened with the correct filters, but they only showed the columns for BitLocker and SCCM. This issue is now fixed.
Rules
  • Users no longer receive multiple email notifications when a single location change occurs on a device.
  • Previously, in some cases, Operating system updated events were triggered when no actual change occurred. If a rule was based on this event, this issue caused multiple false email notifications to be sent. This issue is now fixed.
  • When the Secure Endpoint Agent makes a self healing call that triggers a rule, the email notification is now sent in a more timely manner.
SIEM integration
  • Previously, you could not successfully install the SIEM Connector if you entered one or more IP addresses in the Approved IP Address field of the API token. This issue is now fixed.
User Management and permissions
  • The Geofences permission has been removed from all user roles. The ability to view and work with geofences in the Rules area is now controlled by View and Manage permissions for Rules.
  • Previously, roles with only View permissions for both Policies and Insights were able to change the configuration of the Include Application Usage data setting for the Installed Applications policy on a policy group's Settings page. This issue is now fixed. The setting is now grayed out for these roles.

  • Custom roles based on one of the following roles and also granted View permissions for Endpoint Data Discovery reports can now view a device's EDD Summary page:

    • Security Power User
    • Power User
    • Guest User
Utilities
  • The Windows Image Prep Tool has been updated to support the new core agent installer package (AbsoluteWinCoreAgent-<agent version>-<account_id>.zip ). Learn more
Web Usage
  • When filtering the Web Subscriptions report by Average Usage, the usage time is now entered in hours and minutes, not seconds.

  • The following Custom Field columns can no longer be added to the Web Usage (Last 7 Days) report: Classroom, Grade Level, Program Type, School, and User Type.

    These columns were available to select accounts only.
Wipe
  • Devices with an encryption status set to Used Space Encrypted, which is a new status, are eligible for Cryptographic Wipe.