Regular 4.16

macOS 4.2.0

This release contains bug fixes and the following updates.

AES 256 support for Kerberos encryption

Following the 2023.1 release, we now support AES 256 encryption for Kerberos, however we no longer support RC4 and 3DES. Going forward, we only support AES 128 and AES 256 encryption when using Kerberos authentication.

Please note that third-party storage filers such as NetApp may need to have AES enabled in order to continue to work with this release if they have not been configured to use AES 128 and 256 encryption.

Fission resource limit improvements

Previously, expired entries within Fission would only be cleaned up when reading entries from the Fission store or during a periodic clean-up thread. If write attempts were made during this time, an exception would be returned. We have improved this behavior, so that we now attempt to perform a clean-up of expired entries when writing to the Fission store if it has reached its capacity before returning the exception. We have also improved the logging and error handling in this area so more meaningful error messages are shown in the server logs and syslog audit stream.

FreeBSD upgrade to 12.4

The operating system has been upgraded to FreeBSD 12.4 as the current version (12.3) is expected to be end of life from 31st March 2023.

Documentation: Microsoft patches remove support for encryption

Microsoft has tightened security encryption, including suggesting that Kerberos RC4 be disabled. The documentation has been updated with links and information to fix this issue.

Kerberos Authentication

Exclusion Rules Enhancements

Exclusion rules for macOS have been expanded to include size as well as AND/OR functions. Syntax has also been slightly enhanced in that spaces around operators are ignored.

For further information, see Mac Exclusions.

Improved Setting of Log Levels

The log level can now be set by running the Defaults tool from the Terminal.

The AdminConfig.sh contains examples.

File Director on Apple Silicon (M1) Macs

The File Director app is now universal, which means it runs natively on both Intel and Apple Silicon (M1) Macs.

In addition to code enhancements and bug fixes the following features are included in this release.

UDP Support for Syslog Auditing

Syslog auditing has been extended to support the UDP protocol as well as the default TCP. If the UDP protocol is required, it is configured from within the Admin console.

Refer to Syslog Server for further information.

NTP Troubleshooting - Notification

File Director 2021.3 introduces an Administrative Console notification for Network Time Protocol (NTP) issues. The notification alerts those managing File Director of possible problems and so assists in prompt resolution.

Refer to Network Time Protocol (NTP) for further information.

Subject Alternative Names support for Certificate Signing Requests (CSRs)

Administrators can now specify a SAN name when generating a Certificate Signing Request (CSR) from the Administration Console. Multiple fully qualified domain names (FQDNs) can be added where a Load Balanced environment is in place.

Refer to the Help section: Create a CSR from the File Director appliance (Public CA or Private CA) for further information.

In addition to code enhancements and bug fixes the following features are included in this release.

New base image

File Director 2021.1 is delivered as both a patch and a new appliance base image. Deploying a new base image is the recommended upgrade method.

The patch can be applied to existing deployments (version 2019.3 or later). Base images can be deployed on VMWare (ESXi 6.7 or later) and HyperV (2012R2 or later) hypervisors. Refer to 2021.1 ugrade for important information.

Removal of shared external database requirement

The 2021.1 release of File Director removes the requirement for an external SQL database. This development simplifies infrastructure requirement and File Director configuration.

Database tab removed

The Database settings options have been removed from the web admin and text-based console.

With user and device data no longer stored in a database, this development results in a number of further, associated changes.

Snapshots are configuration-only

Without user or logged-in device data any appliance configuration snapshot you create will be configuration only. Refer to Backup an appliance configuration for more information.

Verified device functionality removed

Without stored device data, devices are no longer assigned Verified status. This has resulted in simplification of a number of policies and workflows.

Account lockout

The policy for Failed Login Attempts is determined from Web Admin console (Policy > Global). If a user exceeds the attempts permitted, their account is temporarily locked for a configurable period no greater than one hour. Once unlocked, the failed login counter is reset.

Refer to Locked users for more information

Remote wipe

Remote wipe functionality has been removed.

Refer to Failed login attempts

IP restriction

The IP based restriction policy has been removed.

Refer to IP address login restrictions

Change appliance password from web admin

A link has been added to the Status page of the web admin console to enable the appliance password to be reset at any time. Previously the password could be reset only from the text console.

Refer to Change appliance password for more information.

Kerberos authentication

A Test button has been added to the Kerberos Preauthentication dialog. The test allows you to quickly validate the Kerberos authentication credentials entered. Refer to Kerberos authentication.

10GB compatible network adapter for VMware appliances

The base image for File Director 2021.1 includes the VMXNET3 network adapter providing support for a 10GB network capability. Refer to Appliance prerequisites for more information.

Client logging

The log file size for the circular logging mode is now configurable via an engineering key or via the Client Policy Tool. The default log size for the circular logging mode is 512 MB. Configuring this option allows the client to create a larger log file and so increases the likelihood of capturing the issue.

Environment variable support

The use of environment variables in Path based expressions is now supported. Refer to Expressions for further information.

Dashboard updates

This release includes updates to the existing Overview and Performance dashboards. Dashboards visualize the File Director syslog stream and are a valuable monitoring tool. They can be downloaded for free from the Ivanti Marketplace and used as they are, or further tailored for your own requirements.

For a description of dashboard components and how to interpret their data refer to Dashboards.

In addition to code enhancements and bug fixes the following features are included in this release:

Windows Client Policy Tool

The Policy Tool transforms the way you can configure settings fundamental to how File Director operates.

This short video summarizes the use of the Policy Tool:

Windows Client Policy Tool video

The tool has two components:

•Client Config
Lists all the engineering keys available, enabling you to see at-a-glance both the settings, and an overview of what they do.

•Sync Rules page
Provides an expression builder tool; it allows you to quickly and simply build rules that will further control which files and folders File Director will include – or exclude - from synchronization.

Refer to Windows Client Policy Tool.

Scan Outside Profile

File Director 2020.3 introduces a new feature to discover data outside of the user’s profile.

The scan is performed using a configuration which includes parameters that administrators can set. It identifies files that match these parameters.

Reports are generated to show an administrator which files have been found on a user’s endpoint outside the profile, and the administrator can then decide whether or not these files require managing using File Director.

Refer to Scan Outside Profile.

DHCP Support

Support for DHCP and the ability to configure File Director network settings via the admin console has now been added. Refer to Appliance Network Identity.

REST API

File Director now offers a supported public API which allows customers to deploy appliance upgrades either to their standalone appliance or to a cluster of appliances. Refer to REST API.

Deprecation of WebDAV map points

Support for WebDAV is deprecated from 2020.3. Existing WebDAV connection strings will remain valid but new connections cannot be created and saved.

Note: Removal of link-based sharing

The 2020.3 release of File Director no longer supports link based sharing. When the upgrade is applied, any quick links created previously will no longer work and external logon will no longer be possible.

The removal of file sharing functionality impacts the following areas:

Note, links to older versions of user help open in a new window.

•Link based sharing, Set automatic expiration for link based sharing.

•Setting up the SMTP server, SMTP configuration

•Staging map points

•Map point policy

Web Proxy Support

File Director can now be configured to use a web proxy for external services connections such as OneDrive, Google Drive and Box for example. Refer to Advanced Configuration Options.

Cluster Wide Maintenance Mode Activation

A cluster of File Director appliances can now be disabled simultaneously with a single click, reducing the time and effort previously demanded when performing environment wide maintenance or troubleshooting.

Refer to Clustering.

OneDrive Storage – Additional Character Support

Paths containing the characters # and % will now successfully sync with OneDrive storage.

Easier Access to Further Information

In addition to this online help system, Ivanti provides a wealth of supporting information in the form of online documents, help videos and curated community articles.

In the 2020.2 release we have collated these resources into a summary table and made this available via the Release Notes and from the online Help landing page.

Box Cloud Connector

File Director can now be configured to connect to utilize Box cloud storage for user home map points. Once configured, users can update files within their home directory using File Director on any of the supported platforms and will see the changes seamlessly sync with their corporate Box storage.

For configuration and deployment steps please refer to the
Box connector for home map points.

This short video summarizes the use of Box cloud storage with File Director.

Box Cloud Connector video

Persistent ghost files

The Windows client can now present local and non-local files to the user based on a cached listing from the server. This allows non-local (ghost) files to be presented even where a connection to the network has not yet been established or has been temporarily dropped.

The offline user is prevented from interacting with files that are present on the server but not yet downloaded or held locally and they are notified accordingly via a (customizable) tray message .

For user information on the display and availability of Windows files see Windows file transfer status.

For information about management of this feature see
Tray notifications and Client-side Auditing.

File Director and secure LDAP

Administrators can now configure secure LDAP communication between the File Director appliance and Active Directory.

If you are not using a publicly trusted root certificate you will need to add the certificate from your internal (or private) Certificate Authority (CA) to the File Director appliance.

This can be done from the SSL Certificates section within the File Director Admin console. Adding the certificate enables validation of the certificate signature.

For further details see Trusted root CA.

Upgrading to 2019.3

Best advice on how to upgrade your appliances can be found on our Upgrades help page.

Performance and user data dashboard updates

File Director provides a syslog stream which can be configured to point to third party applications. The data can then be indexed and reported upon in order to monitor the health of the File Director cluster and status of user data sync.

We have produced a sample set of dashboards using open source Elastic Stack. The dashboards can be downloaded for free from the Ivanti Marketplace and used as they are, or further tailored for your own requirements.

In this update we have introduced the User Data dashboard, and updates to the existing overview and performance dashboards.

For a description of dashboard components and how to interpret their data refer to Dashboards.

Improved Troubleshooting and Supportability

Several new features have been added to the Admin console:

•Manage cluster

The Clustering tab is now always visible to facilitate the configuration of the cluster via the web Admin console.

See Clustering for further information.

•Kerberos secondary authentication

File Director can now support 2-factor authentication to further protect web interface access.

Refer to Kerberos Authentication.

•Backup configuration-only

It is now possible to specify Configuration-only and exclude user data from your backup files.

Refer to Backup and Restore.

•Secure Shell (SSH) access improvement

Previously SSH could be configured only via your VM console. Now you can configure this via the Advanced configuration dialog.

•Service_user account

Linked to SSH, the appliance service_user account provides shell access and requires key-based authentication for its use. It enables you to perform an authenticated vulnerability scan, for example.

File Director telemetry

Basic telemetry has been in place since 2019 SP1and is used to help us measure the reliability and usage of our products. It can help us prioritize, and focus upon the areas which are most valuable to customers.

The current release of File Director, sees telemetry data expanded to include feature usage from the client, and server.

For further information refer to Telemetry.

Cache Statistics - auditing enhancement

A local event log entry is now created at every logon, providing local cache statistics on a per user basis. For further information see Cache management.

Cache management – pause logoff until sync completed

Our market leading cache management feature now provides the ability for Administrators to delay user logoff until the user’s local cache is fully in sync with the server.

The messaging presented to the user whilst the pause is in progress is configurable as is the pause duration. Both parameters are configurable on a per machine basis.

In addition, if you manage PST files using File Director you can configure the logoff pause to wait for files that require a shadow sync to complete prior to logging off. For details on how to configure this feature please refer to Cache management.

Logoff pause reporting

Two local event log entries are created for each instance of a logoff pause. This data can then be reported centrally via the Ivanti Management Center:

•Event ID: 9820 – Source: Ivanti File Director – Error: Timeout occurred waiting for cache to be in-sync.

•Event ID: 9821 – Source: Ivanti File Director – Information: Sync status of the user’s local cache.

•Event ID: 9822 – Source: Ivanti File Director – Information: Duration of the Logoff pause in seconds.

Finally, over a 24-hour period the logoff pause data on each client is aggregated and included within the Syslog stream outputted by the server(s). This data could then be tracked and presented within a syslog dashboard.

File Director telemetry

Telemetry data can help us measure the quality, scalability, reliability and capabilities of our products. Using such data could enable us to deliver the solutions our customers demand faster, and alert us to areas which customers would find less useful.

In this release of File Director, we have introduced some basic telemetry into the product. For further information refer to Telemetry.htm

Database encryption

It is now possible to enforce SSL encryption on the connection to the external MS SQL Server database. It can be enabled by checking the Require SSL checkbox in the Database Settings section of the Cluster tab. For further information refer to Clustering.htm

Improvements in online help usability

There is a wealth of user information contained within File Director product help and we continue to work towards improving access and usability.

In this product release we have introduced the use of context-sensitive help. Many File Directordialogs and screens now carry a help icon which, when clicked, will open the relevant help topic directly.

Google Drive connector

File Director can now be configured to connect to and utilize Google Drive storage for user home shares. Once configured, users can update files within their home directory using File Director on any of the supported platforms and will see the changes seamlessly sync with Google storage.

The end user does not have to change the way they work, and there is no training required to adapt to a different storage location. File Director will simply take the files from the native profile locations such as the user’s desktop (In-Location-Sync), and sync them with Google storage, with files delivered either on demand or automatically at logon as defined by the Administrator.

For further information see Google Drive connectors for home map points.

Cache management – remove all local cache at user logoff

In a significant extension to the client-side cache management capabilities, the ability to selectively remove the local copy of the user’s cache at logoff has been provided.

With this enabled, Administrators can ensure local disk space is managed efficiently with File Director leaving zero-touch at the end of the session.

For further information see Cache management.

Enhanced map point configuration

•New map points are now disabled by default.
In previous versions of File Director new map points would instantly apply to all users by default. From this release onwards Administrators can add, configure, and delegate map point policy access based upon the desired target user group(s).

For further information see Map Point Policy.

•Home (private) map point configuration.
This can be now configured to point to different storage sources based upon AD conditional policy rules.

Cluster wide log collection

With previous versions of File Director gathering appliance logs from each node within a clustered environment could be a time-consuming task. We now provide Administrators with the ability to download logs from across the cluster from the Cluster Management page of any node.

For further information see Clustering.

Improved troubleshooting

•FDmon: Endpoint Analysis Tool forFile Director.

FDmon provides detailed, graphical analysis of File Director Windows client activity to enable troubleshooting and improved configuration.

FDmon will present you with a set of dashboards and reports that give both an overview of File Director activity and performance. It is available from the Ivanti Marketplace.

•File Director Performance Monitoring Dashboards.

File Director already provides a syslog stream which can be configured to point to third party applications such as Splunk or Graylog. The syslog stream can then be indexed and reported upon in order to monitor the health of the File Directorcluster.

The Performance Dashboards are available for download from the Ivanti Marketplace.

For further information see Sizing and Monitoring your Deployment.

Option to disable PST Smart Unlinking

The background task of PST unlinking and relinking takes place to prevent any user delay at logon. By default, this background activity is enabled. The File Director 2018.3 SP1 release introduces an engineering key to disable this activity. See PST smart linking

Cloud Connectors tab

Within the Admin console, OneDrive registration has been moved from the Directory Services tab to a new Cloud Connectors tab. This will allow us to add future cloud connectivity functions to the same location and enable improved user navigation. See One Drive Registration

Specify backup for Kerberos authentication

It is now possible to specify a backup server for Kerberos authentication. See Configure Kerberos in the File Director Admin console

New File Director base image

Security and compliance are further enhanced with the release of a new base image. Previously, the base image utilized a version of the operating system FreeBSD which is no longer supported. File Director 2018.3 introduces a brand-new base image making use of version 11.2p3 of FreeBSD.

• For new installations, the new base image is available.
• For existing installations, a patch is available which will upgrade the image to make use of the latest supported version of FreeBSD.
  See Apply a File Director Patch.

Windows client cache management

File Director 2018.3 introduces an automatic cache cleanup function configurable to your requirements. This can help simplify maintenance and reduce endpoint hard disk usage.

The cache cleanup removes inactive files from the cache. It will apply only to files that have been synced, where the user is online, and where no uploads are pending. As an administrator, you determine the length of time unused files may remain in the cache before being removed. When this period expires the cached files are removed from the local cache.

Rules can be specified to exclude specific file types from the cleanup, and processes (such as web browser applications) that frequently open and close files without user action. See Cache Cleanup.

New version numbering

File Director version numbering has been changed to reflect the rest of our product portfolio.

One Drive for Business connector scalability

This version introduces several improvements to both the File Director server and Windows client when used with OneDrive for Business connector:

• Handling of SharePoint Online HTTP 429 “Too Many Requests” messages: These messages occur when a process or user exceeds predefined usage limits and as a result are throttled for a brief period. With 2018.1, when the HTTP 429 message indicates that throttling is in effect, the rate of requests is reduced accordingly until the throttling messages cease.
• Multiple application IDs: Previously, the OneDrive for Business Connector used a single application ID when connecting to the SharePoint Online API. With 2018.1, administrators can specify multiple application IDs. The result is more balanced usage and improved efficiency of the connector when trying to retrieve many folder listings from OneDrive. See OneDrive connector for Home map points.
• Resumable uploads: Previously when the upload of a file was interrupted by an event such as a user logging off from their device, the file upload would need to be restarted. With 2018.1, the upload of the file is resumed following the interruption.
• Notifications set to Off by default: File Director can be configured to provide notifications to the client when a file, a map point or policy change occurs. Whilst this mechanism provides value in smaller implementations, it can cause performance problems when used at scale. With 2018.1 the default setting for notifications is now changed to off. Notifications to be set to on when and if required.

Internationalization of the Windows client

With 2018.1 it is now possible to configure the Windows Client to display end-user messages in the following, local languages:

▪ French

▪ German

▪ Dutch

▪ Portuguese Brazilian

▪ Spanish

▪ Japanese

▪ Chinese Simplified

▪ Chinese Traditional

▪ Russian

▪ Italian

Bidirectional OneDrive synchronization

Updates made to files on map points using any File Director client or the OneDrive for Business web or desktop clients are now synchronized.

Cluster health check

File Director now provides information relating to the performance and health of appliances. It is now possible to monitor and report upon a wide range of metrics including:

• Number of threads in use
• CPU Usage
• Memory usage
• Load average
• OneDrive for Business connector performance statistics

This new functionality provides the File Director administrator with the ability - via tools such as Splunk and Graylog - to monitor the health of their appliances and clusters, giving them the insight they need to drive operational performance and ensuring a high level of end user experience.

Improvements to file delta synchronization

With this release File Director now synchronizes the changes (or Deltas) that are made to files asynchronously. This means that files are now synchronized in a more robust, scalable and efficient way improving the end user experience whilst reducing the amount of bandwidth and server resources that are required.

This approach also ensures that uploads are not affected by any issues such as infrastructure timeouts, for example.

Smart PST linking

When opening Outlook on a new endpoint for the first time and the Outlook profile is expecting to find a local PST file, the end user will experience an application hang whilst the file is downloaded. This is a scenario that can be common when a user is migrating to Windows 10 from Windows 7, for example.

File Director now offers the ability to unlink any remote Outlook Data Files (PST) before a user opens Outlook on a new endpoint for the first time. This occurs before the desktop has been loaded, ensuring that the end user experience is not affected whilst potentially large PST files download.

Once PST files are downloaded, File Director then performs a relink in the background, ensuring a smooth onboarding process for the end user throughout.

Removal of the 200 Worker Thread Limit per server

The introduction of HTTP Persistent Connections also called HTTP keep-alive, or HTTP connection reuse in this release, introduces improved resource management for the File Director server. This has allowed the number of processing threads that are available to each server to be increased from 200 to 400.

The introduction of more threads means that each server can now process more requests at the same time resulting in faster response times to the File Director client.

These changes enhance the user experience when interacting with files that are being managed by File Director.

Storage connector for OneDrive for Business

File Director brokers users access to existing storage infrastructures without the need for administrators to ring-fence storage solely for the service. This unique on-premises server-agent architecture means we can solve problems companies face when trying to utilize the free storage every Office 365 user has. Using cloud storage successfully means its implementation should not impact the user experience or remove the existing enterprise control.

File Director 4.3 is our first release with a cloud storage connector. Customers upgrading to 4.3 can utilize each users 1TB of OneDrive storage for break/fix or Windows migration projects, and in virtual desktop environments.

Watch a related video

For more information, see: OneDrive connector for Home map points

Command Line Interface

The File Director Appliance provides a sealed operating environment for the server application, configuration options for customer environments, and gives the ability to cluster the service. As part of the new OneDrive storage connector we have introduced a lightweight CLI for customers to perform more advanced tasks, such as diagnosing network communication issues.

Watch a related video

For more information, see: Command Line Interface

Product rename

Over time the features and functionality of DataNow has moved from a file access and sharing product, to a mature synchronization technology uniquely positioned to solve the common IT headaches around migration, break fix and multi-endpoint access.

As part of the Ivanti rebrand we felt it was the right time to take the opportunity to rename DataNow with a more descriptive product name. DataNow has been renamed File Director.

Rebrand

File Director has been updated to reflect the new company name of Ivanti (see here for more details). In addition, components on the endpoint have been updated to reflect these changes.

You may still see references to the ‘AppSense’ name used in certain areas, such as the Registry or Windows Services. This is to make the transition as least disruptive as possible for existing users of File Director.

Kerberos constrained delegation in cross realm environments

Credential Guard was introduced in Windows 10 Enterprise and uses virtualization-based security to isolate NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials, all so that only privileged system software can access them.

File Director 4.2 now supports constrained delegation with support for crossing realms for customers who have a requirement to use Kerberos authentication in their environment.

For more information, see Kerberos constrained delegation.

Toggle TLS 1.0

PCI compliance required us to disable SSL v3/TLS 1.0 in File Director. As outlined in this Microsoft support article configuring endpoints to default to a secure protocol (TLS 1.1 or TLS 1.2) requires the implementation of registry settings and potentially an update. Customers that are unable to implement this change can now toggle TLS 1.0 on in File Director 4.2.

In the File Director web Admin console, navigate to Configuration > Advanced. TLS 1.0 support can be enabled for endpoints in the TLS 1.0 (for legacy clients) pane. Note that when enabled this is done across the cluster.

Ivanti recommends turning off TLS 1.0 support as soon as all legacy endpoints in the environment are updated or replaced.

For more information, see TLS 1.0.

New Server delta sync mechanism

DataNow 4.1 provides a new delta sync feature, built to reduce the both network traffic and the time to calculate and upload file deltas. Our SMB library supports block copies from the client endpoints.

Every step of the sync request had been optimized from client endpoint to DataNow server and on from DataNow server to the back end storage.

For more information, see File Sync.

Windows PST sync optimizations

In DataNow 4.1 we have heavily optimized the syncing of PST files, leveraging the new delta sync feature in the DataNow server. PST files can now be synchronized from the endpoint based on amount changed or time period.

PST synchronization in 4.1 sends only the local changes to the PST (that is, the delta), significantly reducing the network traffic and the time to complete the sync activity.

For more information, see PST Synchronization.

Windows client sync prioritization

Earlier versions of the Windows client would synchronize content based on discovery. In DataNow 4.1 we have moved to sync content based on age - newest first. The new sync prioritization provides users a better experience when moving from old to new devices but syncing the important content first. This is ideal in migration or break fix IT workloads.

Administrators can actively exclude files from the age priority list. This can be done by file type or size.

For more information, see File Prioritization

Global

Mobile

Policy Global

MobileMap Point Policy

Users and Devices