Business Suite Policy Manager 16.x Changelog
This thread is a changelog for the WithSecure Policy Manager and Policy Manager Proxy products.
📝 Click here to see the most recent change log and bookmark the discussion to be notified of any updates.
Comments
-
WithSecure Policy Manager 16.00 and WithSecure Policy Manager Proxy 16.00
Policy Manager is an on-premise application providing a central location for managing security applications across different operating systems.
Policy Manager can be used for:
- setting and distributing security policies,
- installing application software to local and remote systems,
- monitoring the activities of all systems in the enterprise for compliance with corporate policies and centralized control
Policy Manager and Policy Manager Proxy support following operating systems
Microsoft Windows:
- Windows 10 (64-bit), not recommended for the Policy Manager Server
- Windows 11 (64-bit), not recommended for the Policy Manager Server
- Windows Server 2012 R2; Essentials, Standard or Datacenter editions
- Windows Server 2016; Essentials, Standard or Datacenter editions
- Windows Server 2019; Essentials, Standard or Datacenter editions (Server Core is not supported)
- Microsoft Windows Server 2022; Essentials, Standard, or Datacenter editions
Linux (only 64-bit versions of all distributions listed are supported):
- AlmaLinux 8.5
- CentOS 7, 8
- CentOS Stream 8
- Debian GNU Linux 9, 10
- openSUSE Leap 43, 15
- Oracle Linux 8
- Red Hat Enterprise Linux 6, 7, 8
- SUSE Linux Enterprise Server 11, 12, 15
- SUSE Linux Enterprise Desktop 11, 12, 15
- Ubuntu 16.04, 18.04, 20.04
Note: see user guides for full list of system requirements.
Changes in this release
New domain names
As of version 16 managed clients are now using new backends to function. In case external network connections are controlled in the company, please allow all connections to *.fsapi.com or white-list this list explicitly:
- guts2.fsapi.com
- guts2-old.fsapi.com
- corp-reg.fsapi.com
- api.doorman.fsapi.com
- baseguard.doorman.fsapi.com
- a.karma.sc2.fsapi.com
- restmc.mind.sc2.fsapi.com
Policy Manager server address in Root domain
It is now required to have Policy Manager server address defined at the Root domain level. It is still possible to override values for subdomains, i.e. Policy Manager host has specific alias for certain location.
New Windows MSI
Windows editions of Policy Manager and Policy Manager Proxy are now using MSI for installation.
New directories
New directories and registry keys are now used for both Policy Manager and Policy Manager Proxy
- Program files location: C:\Program Files\WithSecure\Policy Manager\
- Program data location: C:\ProgramData\WithSecure\NS\Policy Manager\
- Registry: HKLM\SOFTWARE\WithSecure\Policy Manager
If you use KB instructions written for earlier versions of the Policy Manager (i.e. requiring additional_java_args overrides) adjust locations correspondingly.
MSI arguments
By default Policy Manager MSI always installs both Policy Manager Console and Policy Manager Server. In case Server is not required and you are installing Console to connect to remote Server, use 'NOSERVER' MSI argument overridden to ‘true’, for example by running an MSI file from the command line and passing the arguments to it:
msiexec /i policy-manager.msi NOSERVER=true
If you wish to override destination directory for the installation, use 'TARGETDIR' MSI argument to override it, for example by running an MSI file from the command line and passing the arguments to it:
msiexec /i policy-manager.msi TARGETDIR=C:\CustomDirectory
Changes in services names
Main Policy Manager and Policy Manager Proxy services are now called wspms (WithSecure Policy Manager).
F-Secure Automatic Update Server service is no longer used, there is no replacement service.
New features and improvements
- Ultimate mode – managed clients without direct internet connection are now able to proxy Karma lookups through the connected Policy Manager.
- EOLed products notification – if used version of the client software has reached the end-of-life, admin will get the corresponding warning in the Policy Manager Console.
- Added an option to export domain policies to prepare environment for migration to Elements.
- Added an option to configure Web Content Control alerts per category.
- Added an option to disable alerts for certain Application control rules.
- Added an option to change sample submit URL in browser block pages.
- Added an option to include the blocked URLs in all alerts.
- Separate toggle to activate EDR subscription – it is now possible to keep Sensor subscription entered, but not activated at the target device.
- Business Suite + EDR installation experience is now improved.
- WithSecure Firewall has a new feature to allow certain rules and groups of rules when "disable all rules" option is selected. It's useful if you want, for instance, to disable all rules except Network Discovery.
- User specific environment variables (i.e. %LOCALAPPDATA%, %USERPROFILE%) are now supported in Firewall rules.
- Remove unnecessary built-in inbound Firewall rules.
- Premium features are now marked in the Policy Manager Console’s editors.
- Enriched info for scanning alerts.
- Added an option to show Effective exclusions to end users.
- The whole URL for the malicious/suspicious/harmful links is now included to alerts.
- New application control rule is now added on top of the profile (instead of the end).
- The list of possible malware scanning actions for the inserted USB devices has been extended
Bug fixes:
- Fixed inability to renew Policy Manager Proxy certificate in some cases.
- Isolate/release operations behavior is now fixed.
- Not all alerts forwarded to the QRADAR issue is now fixed.
- Memory leak on policy generation is now fixed.
- GUTS2 cache corruption leading to inability to start PMS is now fixed.
- Automatic Database Backup logic is now fixed.
- Username in now shown in DataGuard alerts.
Dropped functionality:
- Policy Manager no longer supports running database on MySQL 5.5, 5.6.
- Support for clients 13.x and older is now removed. FSAUS (F-Secure Automatic Update Server) service is no longer installed.
Limitations
- After the Policy Manager upgrade to version 16.00, automatic Firewall rule for Policy Manager ports created by Server Security 14.10 and newer will stop functioning. You would need to create corresponding Firewall rule manually or upgrade Server Security to version 16.00 and install HF 16.00HF1 to allow external connections to Policy Manager ports.
0 -
WithSecure Policy Manager 16.01 and WithSecure Policy Manager Proxy 16.01
Changes in this release
New MSI arguments support is added.
If the Policy Manager or Policy Manager Proxy host does not have a direct internet connection, specify the HTTP proxy configuration as 'PROXY_SERVER' MSI argument for example by running an MSI file from the command line and passing the arguments to it:
msiexec /i policy-manager.msi PROXY_SERVER=http://proxy.example.com:8080
Use percent encoding for any reserved URI characters in the user name or password. For example, if the password is ab%cd, you need to enter it as follows:http://user:ab%25cd@proxy.example.com:8080
Installation improvements:
- non-default installation directories are now supported for upgrades.
- service stop hangling during upgrade is now improved.
- web reporting shortcut is now created.
Push-installation issue is now fixed.
Scanning reports not being opened from the Console is now fixed.
Tool to import malware definitions in isolated networks is now called import-definition-updates.
Additional troubleshooting information is now collected with wsdiag.
0 -
WithSecure Policy Manager 16.02 and WithSecure Policy Manager Proxy 16.02
Changes in this release
MSI arguments
This release introduces changes in MSI arguments. Now, during a clean installation, the non-default locations for Policy Manager Server and Policy Manager Console data folders can be set using the MSI parameters DATADIR and CONSOLE_DATADIR.
For installing Policy Manager with data folders at D:\WithSecure\, use the following command:
msiexec /i policy-manager.msi DATADIR=D:\WithSecure\PMData CONSOLE_DATADIR=D:\WithSecure\PMCData
Note: By default, the installation process places the Policy Manager Server and Policy Manager Console data folders under the
C:\ProgramData\WithSecure
directory.New features and improvements
- It is no longer required to have Policy Manager server address defined at the Root domain level.
- Support tool improvements.
- Added support for following Linux distributions:
- Rocky Linux 8
- Debian 11 & 12
- Ubuntu 22.04 LTS & 24.04 LTS
Bug fixes:
- WinInet error 12157 on Windows Server 2022 in Status Monitor.
- NullPointerException bugfix and other improvements in fspm-definition-update-tool and import-definition-updates -tools.
- Installation of Policy Manager/Policy Manager Proxy Windows services as unrestricted to configure Windows Firewall for inherited Java process when Client Security/Server Security is on the same server.
- Policy distribute wizard incorrectly showing WMI as disabled.
- Removal of duplicated Software Updater settings in Policy Manager Console.
- Failures in exporting Policy and Inheritance reports in Policy Manager 16.
- Installation wizard of Policy Manager allowing only 4-digit ports.
- Miscalculation of selected hosts number in Policy Manager 16.01.
- Policy Distribution changes are slow after upgrading to Policy Manager 16.
- Non-functional password reset when Policy Manager 16 is installed in a custom location.
- Fsiinst.exe crash during push installation.
- Configure forwarding -link in Alerts view opens a wrong view.
- Policy Manager upgrade from 15.x to 16.x migrates the wrEnabled registry value.
- Policy Manager Proxy clean installation problem on localized Windows Servers.
Dropped functionality:
- Policy Manager Server no longer supports access via host names containing characters that are not permitted in RFC 1738. For instance, underscores are no longer acceptable symbols in the host name for Policy Manager.
Other changes:
- Vulnerability fixes (CVE-2024-22243, CVE-2023-24998)
- Include the 'pinned-certificates-unix' channel in the default channels.json of the fspm-definitions-update-tool.
- The Software Updater maximum cache size limit for Policy Manager and all managed Policy Manager Proxies can be globally configured via the Policy Manager Console’s Server configuration -page (Tools > Server configuration > Updates cache).
- URI wrapping for client alerts to avoid forwarded alerts getting blocked by email filtering.
Limitations
- After the Policy Manager upgrade to version 16.xx, automatic Firewall rule for Policy Manager ports created by Server Security 14.10 and newer will stop functioning. You would need to create corresponding Firewall rule manually or upgrade Server Security to version 16.00 and install HF 16.00HF1 to allow external connections to Policy Manager ports.
0 -
WithSecure Policy Manager 16.03 and WithSecure Policy Manager Proxy 16.03
Changes in this release
Bug fixes:
- Policy Manager alerts: Fixed an issue where the Policy Manager was not receiving alerts from endpoints if the URI scheme in alerts could not be resolved.
- Isolated environment: Resolved DNS issues in ultimate proxy mode when the Policy Manager host had no direct access to DNS.
- Upgrade installation: Addressed a problem where upgrading the Policy Manager Proxy from version 16.01 to 16.02 removed a required registry key.
Other changes:
- LDAPS connections: Extended the list of supported security groups in LDAPS connections.
- New Installation Launcher version: Updated to ilaunchr.exe version 13.6.174.
- Security enhancements: Added the
includeSubDomains
directive in the Strict-Transport-Security header for admin and host interface ports. - File exclusions: Client products’ locally added file exclusions can now be found with Policy Manager Data Mining.
- Improved indexing: Enhanced indexing for long lists of exclusions.
- Vulnerability fixes: CVE-2024-22262, CVE-2024-38809.
0
Categories
- All Categories
- 4.7K WithSecure Community
- 3.6K Products
- 1 Get Support