Contents
- Manage updates and notifications
- Apply the version control ID to devices
Version control policies can be applied to the macOS PA, Windows PA, and Windows Desktop Login, starting from version 2.88.0. Version control policies can be applied to the Windows System PA install, starting from version 2.95.0.
By default, automatic updates install released updates and notify the user that the software has been updated. The user can also check for updates from the UI.
If the organization has deployed version control policies and enabled automatic updates, it can then control the updates, and users will not get a notification of the update.
Manage updates and notifications
Turn off update notifications
Depending on the company's policy regarding software downloads, automatic notifications, and checking for updates, companies can turn these off, restricting users from downloading and installing updates.
The left image shows the Check for Updates item included in the drop-down menu when enabled. The right image shows the menu item removed after notifications have been disabled. The method to disable update notifications and to check for updates depends on the platform.
macOS platform authenticator
Use the BIConfigure command line utility and run it through MDM to disable update notifications, which removes the Check for Updates menu option.
Keep the following points in mind when using the utility:
- After installing the macOS Authenticator, you can find the utility at:
/Applications/Beyond Identity.app/Contents/Resources/BIConfigure
- You must run the utility as the root user; otherwise, the Must be run as root message displays.
- When running the command to enable the update notification, the /Library/Preferences/com.beyondidentity.preferences.plist file gets created, which contains the default updatesEnabled = 0 value.
- Running the utility with any argument not listed in the following table or running the utility without any argument displays the Invalid Arguments message.
Commands
The following arguments are available to use with BIConfigure.
Command/Arguments | Description |
---|---|
./BIConfigure --disable-updates | Disables updates |
./BIConfigure --show-updates | Displays updates |
./BIConfigure --enable-updates | Enables updates (required for version control) |
./BIConfigure --get-version-control-id | Returns the Version Control ID |
Examples
The following examples show the output displayed when each command/argument combination is run as a root user and as a non-root user.
Command/Arguments | Output |
---|---|
./BIConfigure --disable-updates | Must be run as root |
sudo ./BIConfigure --disable-updates | Updates disabled |
./BIConfigure --show-updates | Updates enabled |
defaults read /Library/Preferences/com.beyondidentity.preferences.plist | 2021-05-27 21:03:51.851 defaults[58215:4039346] Domain /Library/Preferences/com.beyondidentity.preferences.plist does not exist |
./BIConfigure --show-updates | Updates disabled |
defaults read /Library/Preferences/com.beyondidentity.preferences.plist | { updatesEnabled = 0; } |
sudo ./BIConfigure --enable-updates | Updates enabled |
defaults read /Library/Preferences/com.beyondidentity.preferences.plist | { updatesEnabled = 1; } |
./BIConfigure | Invalid arguments |
./BIConfigure --invalid | Invalid arguments |
./BIConfigure --get-version-control-id | Version Control ID: 12345-qwerty |
Windows platform authenticator
By default, update notifications are enabled. If you want to disable update notifications, you must change it in the Registry Editor in Windows, which will remove the Check for Updates menu option.
- Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies.
- If it doesn't already exist, add the following sub keys:
BeyondIdentity\Authenticator
- Add the following value to the Authenticator key:
DisableUpdates (DWORD)
- Set the DisableUpdates value to 1 to disable the updates. Then close the Registry and restart the Authenticator application for the change to take effect.
Once restarted, users will not receive notification updates, and the Check for Updates menu item is no longer displayed.
NOTE. If another instance of the Authenticator is running in the application tray located in the screen's bottom-right, restart that application.
TIP. To re-enable notification updates and add the Check for Updates menu item back to the drop-down menu, remove the DisableUpdates key. If you're using version control policies, you'll need to enable updates by removing the DisableUpdates key.
Windows Desktop Login
Windows Desktop Login supports manual updates starting in version 2.94.0. This feature exactly mimics the manual updates feature in the User install of the Beyond Identity Authenticator. Manual updates include the following features:
- Windows Desktop Login will check to see if there are new updates on a regular basis. If there are updates, it will notify the user and they can choose to install the update or wait to be reminded again later.
- The user can also invoke the Check for Updates menu option in the UI and it will inform the user about any updates it discovers.
- The Admin Console allows an Administrator to control which version a user is allowed to update to in the Settings > Authenticator Version Control section. Windows Desktop Login already supports the Automatic option in this section, which updates the application automatically and silently. Version 2.94.0 of Windows Desktop Login leaves this feature unchanged and any Administrators who use that feature will be unaffected by this update.
- However, as part of the 2.94.0 update, the Manual option in the Authenticator Version Control setting is now supported for Windows Desktop Login. Previously this was only supported in the Windows User install. The Manual option does the same thing as the Automatic option, except that the user is notified there is an update available and can choose when to install it, instead of the update being immediate and silent.
- If you want to disable the Manual Updates feature, please see the Turn off Manual Updates section below.
The Manual Updates feature is on by default. To turn off the Manual Updates features in Windows Desktop Login, do ONE of the following:
- Add the parameter "DISABLEUPDATES=1" to the command line for the .msi file when pushed through MDM (SCCM, Intune, PDQ, etc.). For example:
msiexec.exe /i BeyondIdentityDesktopLoginSetup.msi DISABLEUPDATES=1 /qn
OR
- Add an MDM script to:
  - Add the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BeyondIdentity\Authenticator
  - In the above registry key, add the registry value DisableUpdates as a DWORD and set the value to 1.
Control which update notifications are displayed on devices
In addition to enabling and disabling update notifications, you can create policies to:
- Set a specific version or a range of allowable versions.
- Require users to always update to the latest version.
Restrict users to a specific version
You can create a policy restricting users to a specific Authenticator version on devices. Once configured, whenever the Authenticator performs an authentication, a request gets sent to validate the version on the device.
- From the Admin console, select Settings and click the Authenticator Version Control tab. If existing version control policies have already been created, they will be listed here.
- Click Add version control to display the Add version control dialog.
- Provide a name for the policy, and for the Update Preference, select the Manual option.
- Under the appropriate device type section, select Custom from the drop-down list.
- Select the version you want from the Set custom range drop-down lists. In this example, we're specifying the 2.70.0 version only.
- Click Add version control.
Any time a user attempts to authenticate, a request is sent to verify if the specified version is installed on the device.
- If the device has the specified version installed, for example 2.70.0, authentication is successful.
- If the device has any other version installed, a message displays prompting the user to update to the specified version.
Restrict users to a specific range of versions
You can create a policy restricting users to a range of Authenticator versions on devices. The policy specifies the minimum and maximum versions allowed on devices. Once configured, whenever the Authenticator performs an authentication, a request gets sent to validate the version on the device.
IF | THEN |
---|---|
The installed version is within the range set by the policy | No update is needed, and no message displays. |
The installed version is outside the range set by the policy | A message displays, prompting the user to update to the recommended version (the version set in the maximum field). |
- From the Admin console, select Settings and click the Authenticator Version Control tab. If existing version control policies have already been created, they will be listed here.
- Click Add version control to display the Add version control dialog.
- Provide a name for the policy, and for the Update Preference, select the Manual option.
- Under the appropriate device type section, select Custom from the drop-down list.
- Select the versions you want from the Set custom range drop-down lists. In this example, we're specifying the 2.70.0 to 2.73.1 versions.
- Click Add version control.
Any time a user attempts to authenticate, a request is sent to verify if an allowable version is installed on the device.
- If the version installed on the device is within the specified range, for example 2.70.0 to 2.73.1, authentication is successful.
- If the version installed on the device is outside the specified range, a message displays prompting the user to update to the specified version.
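The following is an added example, not Beyond Identity's code: a local shell model of the range decision in the table above, useful for checking a device inventory before a policy is enabled. The function names and the inventory lines are constructed for illustration; versions are compared numerically field by field, so 2.9.4 sorts below 2.70.0.

```shell
#!/bin/sh
# Accept only dotted numeric versions such as 2.70.0 or 2.71.
is_version() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
}

# ver_cmp A B: print -1, 0 or 1. Missing trailing fields count as 0.
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# policy_check INSTALLED MIN MAX: print "ok" when INSTALLED is in [MIN, MAX],
# otherwise "update-to MAX" (the recommended version is the maximum field).
# A single-version policy is the case MIN = MAX.
policy_check() {
    is_version "$1" && is_version "$2" && is_version "$3" || { echo "invalid"; return 2; }
    if [ "$(ver_cmp "$1" "$2")" -ge 0 ] && [ "$(ver_cmp "$1" "$3")" -le 0 ]; then
        echo "ok"
    else
        echo "update-to $3"; return 1
    fi
}

# Constructed sample inventory: "<hostname> <installed version>".
sample_inventory() {
    cat <<'EOF'
mac-01 2.70.0
mac-02 2.73.1
win-03 2.9.4
win-04 2.88.0
win-05 2.71
EOF
}

# audit MIN MAX: read an inventory on stdin, print hosts that would be prompted.
audit() {
    while read -r host ver; do
        policy_check "$ver" "$1" "$2" >/dev/null || echo "$host $ver"
    done
}
```

Running `sample_inventory | audit 2.70.0 2.73.1` lists the devices whose users would see the update prompt under the range used in this section.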
Configure automatic updates
You can push updates to the managed endpoints silently.
- From the Admin console, select Settings and click the Authenticator Version Control tab. If existing version control policies have already been created, they will be listed here.
- Click Add version control to display the Add version control dialog.
- Provide a name for the policy, and for the Update Preference select the Automatic option for your policy.
- Under the appropriate device type section, select Latest version from the drop-down list.
- Click Add version control to save the policy.
Edit a version control policy
You can edit an existing policy at any time.
- From the Authenticator Version Control page, for the version control policy you want to edit, click the Edit icon.
- Make the desired edits and click Save changes.
Delete a version control policy
- From the Authenticator Version Control page, for the version control policy you want to delete, click the Edit icon.
- Click Delete version control. The policy setting is immediately removed, and you are returned to the Authenticator Version Control tab.
Apply the version control ID to devices
After creating the version control policy, configure the device with the Version Control ID created above. The method to apply the Version Control ID depends on the device platform.
Configure a macOS device with the version control ID
Use the command line utility, BIConfigure, to set the version control ID on a Mac device.
Set the version control ID
After creating the version control ID, run the BIConfigure command line utility (run via MDM) using the following syntax:
sudo ./BIConfigure --set-version-control-id <version_control_id>
For example: sudo ./BIConfigure --set-version-control-id "sdafdfd"
The app will use the version control ID to check for updates.
Get the version control ID
sudo ./BIConfigure --get-version-control-id
When run, it returns the following:
Version Control ID: 12345-qwerty
Clear version control restrictions for the device
sudo ./BIConfigure --get-version-control-id
Which returns the following:
No Version Control ID set
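The following is an added example, not Beyond Identity's code: an idempotent check that an MDM could run as root to confirm that updates are enabled and the expected Version Control ID is set, using only the BIConfigure arguments and output strings shown on this page. The function names are hypothetical, and because BIConfigure exit codes are not documented here, the script verifies by re-reading state.

```shell
#!/bin/sh
# Added example (not vendor code). BI defaults to the documented install path.
BI="${BI:-/Applications/Beyond Identity.app/Contents/Resources/BIConfigure}"

# Thin wrapper so every call goes through one place.
bi() { "$BI" "$@"; }

# Print the configured Version Control ID; print nothing if none is set.
# Fails on any other output, e.g. "Must be run as root" or "Invalid arguments".
bi_current_id() {
    out=$(bi --get-version-control-id 2>/dev/null) || true
    case "$out" in
        "Version Control ID: "*) printf '%s\n' "${out#Version Control ID: }" ;;
        "No Version Control ID set") : ;;
        *) return 1 ;;
    esac
}

# Succeed only when --show-updates reports "Updates enabled".
bi_updates_enabled() {
    [ "$(bi --show-updates 2>/dev/null)" = "Updates enabled" ]
}

# Converge the device on the desired state. $1 is the Version Control ID the
# MDM supplies. Exit codes of BIConfigure are not documented on this page, so
# results are confirmed by re-reading state, not by trusting exit status.
bi_enforce() {
    want=$1
    [ -n "$want" ] || return 1
    # Version control requires updates to be enabled.
    bi_updates_enabled || bi --enable-updates >/dev/null 2>&1 || true
    have=$(bi_current_id) || return 1
    [ "$have" = "$want" ] || bi --set-version-control-id "$want" >/dev/null 2>&1 || true
    bi_updates_enabled && [ "$(bi_current_id)" = "$want" ]
}

# Usage in an MDM script running as root:
#   bi_enforce "<version_control_id>" || exit 1
```

A non-zero return from `bi_enforce` means the device did not reach the desired state, for example because the script was not run as root.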
Configure a Windows device with the version control ID
- Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies.
- Add the following subkeys if they do not already exist:
BeyondIdentity\Authenticator
- Add the following value to the Authenticator key: VERSION_CONTROL_ID = string value
The value of this string must be the Version Control ID from the Version Control policy you created in the Admin Console.