MagicEndpoint Support
WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.
About This Release
This document contains important information about the current release. We strongly recommend that you read the entire document.
Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.
Previous Versions
Version | Date | Notes
ME 1.3.1 | March 2, 2023 | Updates, improvements, new features
ME 1.3 | December 9, 2022 | Updates, improvements, new features
ME 1.2 | July 20, 2022 | Updates, improvements, new features
ME 1.0 | March 31, 2022 | Initial Release of MagicEndpoint and
Download the latest release notes for each version listed within Knowledge Base Article 1756.
System Requirements
- MagicEndpoint requires that the SecureDoc client agent software be installed and registered with a SecureDoc Enterprise Server before installing MagicEndpoint. NOTE: While permitting SecureDoc to encrypt the disk drive offers optimum security, it is not a necessity; the SES Client can be installed with a Profile/Installation Package that specifies Removable Media Only (RMO) protection.
- If using MagicEndpoint Identity Provider (IdP) service as the delegated IdP to an Azure AD (AAD) domain (for instance, to use MagicEndpoint IdP for Microsoft 365/Office 365), it is important to note that new devices cannot be joined to that AAD domain.
a. In such a case, the environment needs to be a hybrid one, meaning devices need to be joined to the local domain, which is then synchronized to the Azure AD domain for O365.
- For TPM-based authentication (preferred), devices must have TPM 2.0. For devices having TPM 1.2 or earlier, or which lack a TPM completely, those devices will not be able to generate or use TPM-based Keys, but can still utilize Software Tokens for authentication. Software tokens still constitute strong security, but do not reach the level of strength that TPM-based tokens can provide.
Client OS Support
In this initial version, only Windows devices are supported.
Devices utilizing MagicEndpoint authentication must have Windows 10 or Windows 11 – Windows 7 is not supported.
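The following PowerShell readiness check is an added example, not WinMagic's own tooling. It tests the two requirements stated above (Windows 10/11, and TPM 2.0 for TPM-based keys) on a candidate device before MagicEndpoint is rolled out, and reports whether the device should be expected to use TPM-based keys or fall back to Software Tokens. It assumes it is run in an elevated session on the device itself, using the standard Win32_OperatingSystem and Win32_Tpm WMI classes; the function name Get-MagicEndpointReadiness is the author's own.

```powershell
# Added example (not WinMagic's code): pre-deployment readiness check for the
# MagicEndpoint requirements described in the release notes.
# Assumptions: runs elevated on the target Windows device (Win32_Tpm needs admin
# rights) and Get-CimInstance is available (Windows 8.1 and later).

function Get-MagicEndpointReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [version]$os.Version        # e.g. 10.0.19045
    # Windows 10 and Windows 11 both report major version 10;
    # Windows 8.1 reports 6.3 and Windows 7 reports 6.1 (both unsupported).
    $osSupported = $build.Major -ge 10

    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        # No TPM (or no TPM driver): only Software Tokens are possible.
        $tpmPresent = $false; $tpm20 = $false; $owned = $false
    } else {
        $tpmPresent = $true
        # SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the TPM family.
        $family = ($tpm.SpecVersion -split ',')[0].Trim()
        $tpm20  = ($family -eq '2.0')
        # Windows 10/11 take TPM ownership automatically; Windows 8.1 does not,
        # which is the cause of the 0x0B0009A2 limitation noted later in this document.
        $owned  = [bool](Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned
    }

    $method = if ($tpmPresent -and $tpm20 -and $owned) { 'TPM-based key' }
              elseif ($tpmPresent -and $tpm20)         { 'TPM 2.0 present but not owned: check OS/ownership, else Software Token' }
              else                                      { 'Software Token (fall-back)' }

    [pscustomobject]@{
        OSCaption         = $os.Caption
        OSSupported       = $osSupported
        TpmPresent        = $tpmPresent
        Tpm20             = $tpm20
        TpmOwned          = $owned
        RecommendedMethod = $method
    }
}

Get-MagicEndpointReadiness | Format-List
```

Devices reporting OSSupported = False should not receive MagicEndpoint at all; devices reporting Tpm20 = False can still be enrolled but will be limited to Software Tokens, so they are worth tracking separately in an inventory.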
Version 1.3.1 of MagicEndpoint
NOTE: This version does not support direct upgrade on top of a previous version. Existing customers having previous versions of MagicEndpoint installed should a) Uninstall the MagicEndpoint client, then b) Install this version, then c) Clear their Internet Browser’s cache before attempting to use MagicEndpoint for authentication.
Which customers should upgrade to ME version 1.3.1?
New customers should deploy this version. Existing customers who had been testing MagicEndpoint 1.0, 1.1, 1.2, or 1.3, or the same product under pre-release/Beta names like FIDO Eazy Diamond/3.0/Enterprise or SecureDoc Passwordless Authentication and who wish to explore new and updated functionality in this version should install this service release per the recommendation above.
New Features
The ability to "recycle" (and display) IdP keys has been added into the MagicEndpoint Client application
Issue: There can come a scenario, potentially due to network issues or an attack, that a user's IdP Key can become out of step with what a given Service Provider requires.
Solution: This new feature of the MagicEndpoint client permits a user to recycle a key, which deletes the user's existing Private Key and then automatically re-runs the FIDO registration process based on a newly generated private key.
This feature also improves on previous versions of the client: IdP Keys are now shown alongside any "locally-created" keys the user may have registered directly with sites/services (i.e. without using the IdP). All these keys appear in the "Registered Sites" view.
This is a significant improvement over the original process which required the user to delete the existing key from the table and manually register a new Key to be its replacement.
Affected tickets: SD-44085
MagicEndpoint IdP now supports central management of Software Tokens, suitable as a fall-back where TPM is not available.
Issue: Customers can encounter devices on which there is no TPM Chip, the chip available is of the wrong version (e.g. no TPM 2.0), lacks suitable firmware or may already be fully used and cannot house a MagicEndpoint token key (among other reasons). For such devices a strong fall-back solution is needed.
Solution: MagicEndpoint IdP will now permit users to utilize software-based tokens, and these will be stored/escrowed in the SES Database.
Affected tickets: SD-43915, SD-43187, SD-43213
Improvements
Resolved Issues
Limitations
Group-defined access to Service Providers works at the direct group level - there is no attribution of rights from parent/grandparent groups
Issue: If creating Group rights to access specific Service Providers defined within the MagicEndpoint IdP, such attributions at a given Group level will not "cascade" down to Child-Level Groups within the Parent Group.
Work-Around: There is no work-around at this point, though WinMagic is researching this.
Please ensure that any Sub-Groups used to provide access to Service Providers are configured to repeat the same direct Service Provider relationship as their Parent Group, or preferably avoid the use of nested groups until a solution is found.
Affected tickets: SD-42923
Where setting up groups to be notified via Email of alarm events in SES, there is no support for sub-groups at present
Issue: SES allows for the configuration of groups (typically of administrators or security monitoring professionals) who will be sent an email when alarm-specific events occur. However, where a group contains a subgroup, and that subgroup references users, those subgroup users will not be sent a notification.
Solution: WinMagic is looking to find a solution for this issue, but for this version, where group members are to be sent emails, please ensure that those users are added directly to the specific group associated with alarm emails - and not to a sub-group of that group.
Affected tickets: SD-42910
Manual steps are required to re-create the user's IdP Account Key if user fails to log in to the IdP with error 500 following the deletion of the user's Device from the SecureDoc Database.
Issue: If user fails to log in to the IdP with error 500 following the deletion of the user's Device from the SecureDoc Database, although the user and device information will be re-created in the SES Database when the device communicates to the SES Server following the next re-boot, the user's IdP Account Key(s) are not re-created.
Solution: Steps necessary to create new IdP Account Key.
1 - The user must delete the key for MagicEndpoint (located on-disk in: C:\Users\YourUserName\AppData\Local\MagicEndpoint) and
2 - The user must then re-start the computer and verify that login works again - the keys should be re-created following the re-start and will be communicated to the SES Server to be stored.
Affected tickets: SD-42095
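As an added example (not WinMagic's own procedure or code), the two manual steps above can be scripted so that a help desk can apply them consistently. It assumes it is run in the affected user's own session, so that $env:LOCALAPPDATA resolves to the C:\Users\<user>\AppData\Local path given above; the function name Reset-MagicEndpointKeyStore is the author's own. The folder is moved to a timestamped backup rather than deleted outright, so it can be restored if the keys are not re-created after the restart.

```powershell
# Added example (not WinMagic's code): scripted form of the manual IdP Account Key
# re-creation steps. Assumption: runs as the affected user, so $env:LOCALAPPDATA is
# the same location as C:\Users\YourUserName\AppData\Local in the text above.

function Reset-MagicEndpointKeyStore {
    param([switch]$Restart)   # pass -Restart to prompt for the reboot (step 2)

    $store = Join-Path $env:LOCALAPPDATA 'MagicEndpoint'
    if (-not (Test-Path -LiteralPath $store)) {
        Write-Warning "No MagicEndpoint key store found at $store; nothing to do."
        return $null
    }

    # Step 1: remove the key store from its location. A rename to a timestamped
    # backup (editor's choice) keeps a copy in case the keys do not regenerate.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = "$store.bak-$stamp"
    Move-Item -LiteralPath $store -Destination $backup
    Write-Host "Moved $store to $backup. New keys will be created after restart and sent to the SES Server."

    # Step 2: restart so the client re-creates the keys and escrows them to SES.
    if ($Restart) { Restart-Computer -Confirm }
    return $backup
}

Reset-MagicEndpointKeyStore -Restart
```

Once the user confirms that IdP login succeeds again after the restart, the .bak-* folder can be deleted.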
Attempting to add MagicEndpoint to a Windows 8.1 device already protected with SecureDoc yields an error message: Failed to Setup OSC Environment,Status=0x0B0009A2
Issue: When attempting to add MagicEndpoint to a Windows 8.1 device already protected with SecureDoc, upon attempting to register a user with TPM Protection, an error message will appear: Failed to Setup OSC Environment,Status=0x0B0009A2. This does not occur if attempting to set up a software token, nor does it occur if attempting to set up a TPM token under Windows 10 or 11.
Reason: It appears to be that ownership of the TPM is not taken automatically under Windows 8.1. Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM.
Work-Around: Customers are recommended to upgrade to Windows 10 or 11.
Affected tickets: SD-41914
User will be unable to login to a Service Provider if the WinMagic Authenticator app is opened after having earlier turned off 'Allow Notifications' in the WinMagic Authenticator app then closing it.
Issue: To understand this issue fully, the following conditions and steps will cause it to occur.
Precondition:
- Service Providers were added to the MagicEndpoint IdP Web portal
- The user has registered his account on the WinMagic Authenticator mobile app successfully
Steps to reconstruct this issue.
1. On the mobile device's WinMagic Authenticator app, turn off 'All Notification'
2. On an endpoint device that does NOT have MagicEndpoint installed, go to the Service Provider and login using the MagicEndpoint IdP.
2a) The 'Selectable authentication method' page will be displayed
3. Select the 'Mobile push' method, then fill in a valid email address
4. Click on the Login button
5. On the user's phone, launch the WinMagic Authenticator app and observe.
6. Normally one would expect a Notification to be displayed, but in this case nothing will be displayed.
NOTE: This issue does NOT occur with MS Authentication when trying to login with a MS account.
Work Around: Avoid disabling the 'All Notifications' option in WinMagic Authenticator if you intend to use Mobile Push-based authentication (or just generally, to ensure that all available means of authentication remain available to the end user).
Affected tickets: SD-41647
How to Install/Upgrade
Customers with an active support plan should contact support@winmagic.com to receive the latest download link for their MagicEndpoint / MagicEndpoint IdP upgrade.
Contacting WinMagic
WinMagic
5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001
Sales: sales@winmagic.com
Marketing: marketing@winmagic.com
Human Resources: hr@winmagic.com
Technical Support: support@winmagic.com
For information: info@winmagic.com
For billing inquiries: finance@winmagic.com
This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young (eay@mincom.oz.au) and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.OpenSSL.org/).
WinMagic would like to thank these developers for their software contributions.
© Copyright 1997 – 2023 by WinMagic Corp. All rights reserved.
Printed in Canada
Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.
WinMagic, SecureDoc, SecureDoc Enterprise Server, MagicEndpoint, MagicEndpoint IDP, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners.
This document is for informational purposes only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specifications stated herein are subject to change without notice.