MagicEndpoint V1.2

 

Release Notes


 

MagicEndpoint Support

WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.


About This Release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.

Previous Versions

| Version | Release Date | Details |
|---|---|---|
| ME 1.0, IdP 9.0 | March 31, 2022 | Initial Release of MagicEndpoint and MagicEndpoint Identity Provider (IdP) |

Download the latest release notes for each version listed within Knowledge Base Article 1756.

System Requirements

  1. MagicEndpoint requires that the SecureDoc client agent software be installed and registered with a SecureDoc Enterprise Server before installing MagicEndpoint. NOTE: Although permitting SecureDoc to encrypt the disk drive offers optimum security, it is not a necessity; the SES Client can be installed with a Profile/Installation Package that specifies Removable Media Only (RMO) protection.

  2. If using MagicEndpoint Identity Provider (IdP) service as the delegated IdP to an Azure AD (AAD) domain (for instance, to use MagicEndpoint IdP for Microsoft 365/Office 365), it is important to note that new devices cannot be joined to that AAD domain.

    a. In such a case, the environment needs to be a hybrid one, meaning devices need to be joined to the local domain, which is then synchronized to the Azure AD domain for O365.

  3. Devices must have TPM 2.0 – TPM 1.2 or earlier is not supported.

Client OS Support

In this initial version, only Windows devices are supported.
Devices utilizing MagicEndpoint authentication must have Windows 10 or Windows 11 – Windows 7 is not supported.

 

Version 1.2 of MagicEndpoint

Which customers should upgrade to ME version 1.2?

Customers who had been testing MagicEndpoint 1.0 or 1.1, or the same product under pre-release/Beta names like FIDO Eazy Diamond/3.0/Enterprise or SecureDoc Passwordless Authentication, should upgrade to the full release final version.

 

New Features

SD-38895 SecureDoc Client now permits authentication to Windows (on a device that may or may not be SecureDoc-protected) via an iPhone

Issue: Customers require more and more secure (yet easy to use) authentication methods to endpoint devices.
Solution: With this new feature, Users can authenticate using the WMAuth application installed on an iPhone.
Concept: The user approaches his/her Windows device, which is in a screen-locked or logged-off state but shows the Windows Logon screen.

  1. The user opens the WMAuth authenticator application on his/her iPhone.
  2. The app offers the user the option to authorize the device to log the user in to Windows.
  3. Upon successful authentication, the user's linked Windows user account is logged in.

SD-41061 MagicEndpoint IdP can now authenticate requests coming from RADIUS sources.

Issue: WinMagic is seeking to expand on MagicEndpoint IdP’s abilities.
Solution: MagicEndpoint IdP can now authenticate against RADIUS sources.


SD-41755 Add Web Services Federation to MagicEndpoint IdP

Issue: WinMagic is constantly seeking to add authentication functionality and integration with authentication services.
Solution: By adding Web Services Federation (WS-Fed) to MagicEndpoint IdP, Administrators can use the MagicEndpoint IdP with WS Fed-compatible SPs and IAMs.


Add AD Federation Services support to MagicEndpoint IdP

Issue: WinMagic is constantly seeking to add authentication functionality and integration with authentication services.
Solution: By adding AD Federation Services (ADFS) to MagicEndpoint IdP, Administrators can use the MagicEndpoint IdP with applications that are integrated with ADFS.


Improvements

SD-41189 MagicEndpoint IdP has been improved to handle the relationship between a single User and several accounts/levels of authority in the site being accessed

Issue: A given user may have multiple accounts (either in the same domain or different domains), and any of them needs to be automatically authenticated by MagicEndpoint with no user action.

Solution: With this improvement, upon recognizing that a given user is linked to several accounts/domains, the MagicEndpoint IdP will return the list of accounts and request that the user identify which he/she wishes to use during this session. This handles the scenario where (for example) a user normally might use "regular" user access, but occasionally needs to use Admin-level access to the site. Once the desired account/level of access has been selected, the IdP will re-authenticate the user at that level/account.


SD-41561 MagicEndpoint IdP now sends AD Group attributes to Service Provider to identify users' group membership.

Issue: By providing Group information, a Service Provider can use Groups to define rights of access. An example will illustrate this:
An application (e.g. Zoom) needs to assign different internal permissions to a group of users, not individual users.

Without this change, MagicEndpoint IdP could only send the user account to Zoom, so a Zoom admin had to use their own internal Zoom groups if they wanted to assign permissions.

Solution: MagicEndpoint IdP can now send group attributes to Service Providers (SPs) within the SAML response so that SPs know which group (local to the application) the user belongs to; these can also be Active Directory groups that have been imported via ADsync. With this improvement, MagicEndpoint IdP also sends the group attributes, meaning that its response to the Service Provider states which SES groups (which are, most of the time, the AD groups) the user belongs to.
Having received that Group information, the Zoom admin can then use that group attribute to assign the right permissions.


SD-41804, SD-41778 Authentication to endpoint devices using Remote Desktop now offers an enhancement for logging into Remote Desktop using SecureDoc Multi-Factor Authentication.

Issue: Given the strength that SecureDoc's enhancements offer to device authentication, it would be a dramatic improvement to permit such authentication improvements to be applied when using Remote Desktop.

Solution: This solution adds SecureDoc Login Enhancement functionality to the remoted-to endpoint, permitting the user to use SecureDoc Multi-Factor Authentication (MFA) to that endpoint. Upon the user's login attempt, the remoted-to endpoint will request use of a second factor (the user's phone) to strengthen the authentication.


 

 

Limitations

SD-41673 Accessing the IdP browser-based application from Internet Explorer browser will display a warning message

Issue: Internet Explorer (all versions, including 11) is not supported for use with the MagicEndpoint IdP.

Solution: Accessing the IdP browser-based application from Internet Explorer browser will display a warning message, indicating that Internet Explorer is not supported.

Work-Around: Customers should only access the MagicEndpoint IdP using a current-technology browser such as Chrome or Microsoft Edge.


SD-42252 Creating Windows Enterprise Device Profiles using SESWeb will result in [MagicEndpoint] section clauses being out of order. This affects only Profiles that will use MagicEndpoint with the MagicEndpoint IdP.

Issue: A bug in version 9.0SR1 causes the clauses in the [MagicEndpoint] profile section to be created out of order, and this incorrect order will cause problems.
Solution 1: This issue does NOT occur when creating a Profile using the SES Console Windows application, so the problem can be avoided completely if profiles are created using the SES Console.
Solution 2: For all Windows profiles created using SESWeb, AFTER the MagicEndpoint Client has been installed on the endpoint device:

  1. Find the SecureDoc Client in the SES Console.
  2. Send down the Profile to the endpoint device.

This will correct the out-of-sequence issue with the GracePeriod clause.
INFO: The following example shows the [MagicEndpoint] section (with all possible options shown; your profile may differ), with the GracePeriod= clause correctly placed as the LAST clause:

[MagicEndpoint]
IdP_Cert_Checks=0
IdP_Address_List=<URL and port of your IdP site> e.g. http://WIN-QAUBHLAFVLU:8081
SDMode=1
FECKBackup=1
SilentFaceIDAuth=1
AutoLogin=1
GracePeriod=0

This will be fixed in a future version of SESWeb.
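
One way to check a profile for the clause-order problem described in SD-42252, as an added example (not WinMagic code). It assumes the profile is available as INI-style text, that clause names are case-insensitive, and that lines starting with ; or # are comments; the function names and sample profiles are constructed for illustration.

```python
import re

# Constructed sample profiles (not from a real SES deployment).
GOOD_PROFILE = """\
[MagicEndpoint]
IdP_Cert_Checks=0
IdP_Address_List=http://WIN-QAUBHLAFVLU:8081
SDMode=1
FECKBackup=1
SilentFaceIDAuth=1
AutoLogin=1
GracePeriod=0
"""
# Constructed out-of-order case: GracePeriod is not the last clause.
BAD_PROFILE = "[MagicEndpoint]\nGracePeriod=0\nIdP_Cert_Checks=0\nAutoLogin=1\n"


def magicendpoint_clauses(profile_text):
    """Clause names of the [MagicEndpoint] section in file order; None if absent."""
    keys, in_section, found = [], False, False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):  # assumed comment markers
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:  # a new section starts; track whether it is ours
            in_section = header.group(1).strip().lower() == "magicendpoint"
            found = found or in_section
            continue
        if in_section and "=" in line:
            keys.append(line.split("=", 1)[0].strip())
    return keys if found else None


def check_grace_period_last(profile_text):
    """Return 'ok', 'out-of-order', 'no-graceperiod' or 'no-section'."""
    keys = magicendpoint_clauses(profile_text)
    if keys is None:
        return "no-section"
    lowered = [k.lower() for k in keys]  # assumption: names are case-insensitive
    if "graceperiod" not in lowered:
        return "no-graceperiod"
    last_only = lowered[-1] == "graceperiod" and lowered.count("graceperiod") == 1
    return "ok" if last_only else "out-of-order"


if __name__ == "__main__":
    for name, text in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, check_grace_period_last(text))
```

A result of out-of-order on a profile created with SESWeb indicates that the profile should be re-sent from the SES Console as described in Solution 2.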


 

 

How to Install/Upgrade

Customers with an active support plan should contact support@winmagic.com to receive the latest download link for their SecureDoc upgrade. 

 

 

 

Contacting WinMagic

WinMagic
5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001
Sales: sales@winmagic.com
Marketing: marketing@winmagic.com
Human Resources: hr@winmagic.com
Technical Support: support@winmagic.com
For information: info@winmagic.com
For billing inquiries: finance@winmagic.com

Acknowledgements

This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young (eay@mincom.oz.au) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.OpenSSL.org/).

WinMagic would like to thank these developers for their software contributions.
© Copyright 1997 – 2022 by WinMagic Corp. All rights reserved.

Printed in Canada.

Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2022 WinMagic Corp. All rights reserved.

© Copyright 2022 WinMagic Corp. All rights reserved. This document is for informational purposes only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specifications stated herein are subject to change without notice.
