Apr 19, 2021 — Enterprise Application Access updates
Enterprise Application Access (EAA) new software release.
EAA Client versions
- EAA Client for Windows: version 2.4.1
- EAA Client for macOS: version 2.4.0
- EAA Client mobile app for iOS: version 1.04
- EAA Client mobile app for Android: version 1.02
Akamai EAA new features
- Akamai MFA Integration. Akamai MFA, a workforce MFA service, helps customers strengthen their Zero Trust security posture by securely establishing trust in a user before allowing access to protected applications and resources. Akamai MFA features a unique authentication factor, Akamai phish-proof push, that combines the security provided by FIDO2 with the ease of use of the familiar push notification. Customers can use Akamai MFA as the second authentication factor with the Akamai identity provider (IdP).
- Certificate-authentication enhancements. With this release, we have enhanced the IdPs’ client certificate enforcement policy. Administrators can now enforce client certificate verification only when a request does not come from the corporate network. We also added an option to skip OCSP validation when the OCSP responder is unreachable or returns unknown.
- New capabilities for Device Posture. EAA supports additional capabilities for a better security posture for your devices:
  - Customers can now select which OS versions to include, choosing a subset of the major versions from the complete list of up-to-date versions to align with their compliance policies.
  - macOS version capabilities now recognize every build in addition to the patch versions previously tracked.
  - Customers can now configure custom and latest+ options for the EAA Client version.
  - Customers may now detect if the Akamai ETP client is installed and use that as a device posture signal.
  - The anti-malware signal may now be configured for a specific vendor in addition to the any vendor choice previously supported.
- Improved interoperability and performance with Cisco Umbrella client. Previous versions of the EAA Client had interoperability issues with Cisco’s Umbrella client. This was caused by Cisco Umbrella’s takeover of the DNS at a kernel level for localhost traffic, leading to garbled DNS responses and a perception of slow performance. With this release, the EAA Client uses 100.64.0.1 for DNS interception instead of 127.50.100.1, which was used in earlier releases.
- Apple M1 Processor Support. With this EAA Client release, we are adding support for macOS-based devices with the Apple M1 processor. The EAA Client leverages Rosetta translation so a single binary can be used for both Intel-based and Apple M1-based devices.
EAA Client operating system support
The EAA Client 2.4.0 supports these operating systems: Microsoft Windows 7, current Microsoft supported versions of Windows 10 x86 (32-bit) and x64 (64-bit), Apple macOS 10.14 (Mojave), 10.15 (Catalina), and 11 (Big Sur).
Akamai end of support/service for EAA Client
- EAA Client versions 2.0.0, 2.0.1, and 2.0.2 end of service/support - from June 30, 2021, Akamai will no longer support EAA Client versions 2.0.0, 2.0.1, and 2.0.2. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.
- EAA Client versions 2.0.3 and 2.0.4 end of service/support - from November 30, 2021, Akamai will no longer support EAA Client versions 2.0.3 and 2.0.4. This is the last date to receive any support for these product versions. After this date, these versions are obsolete and no support will be available.
- Product Migration. Customers using EAA Client versions 2.0.0, 2.0.1, 2.0.2, 2.0.3 and 2.0.4 are encouraged to upgrade to EAA Client version 2.1.2. Migrating to newer EAA Client versions, beyond 2.1.2, will require the older EAA Client to be uninstalled before the newer EAA Client is installed. When moving to EAA Client version 2.1.2 and later, a new akamai-device-id is generated. EAA activity reports, the Clients overview dashboard, and the Device Posture dashboard may include the old akamai-device-id, resulting in inaccurate statistics until the old akamai-device-id is purged after 90 days. For more information, see Device ID (akamai-device-id) updates with EAA Client installation and upgrades.
EAA and EAA Client limitations
- The EAA Client Download page does not render properly on the Microsoft Edge browser version 44.19041.423.0. You must upgrade the browser to a later version.
- If you log in from a domain-joined machine using Integrated Windows Authentication (IWA) credentials and then remain idle for longer than the idle expiry duration of the identity provider, refreshing the page prompts form-based authentication instead of IWA. The user can either enter the credentials or log in to the IdP URL using a new browser tab to re-trigger IWA.
- If Akamai MFA and Device Posture are both enabled in the Akamai identity provider, you will see a "Failed to post code to EAAClient, please log out and log in again" error after the second-factor authentication. Refresh the browser to eliminate this message. This does not impact the usability of the product.
- For SSH audit reports, you may see incomplete session data if the SSH browser session is terminated abruptly without using the exit command.
Device Posture limitations
- When you try to create the fifth anti-malware profile, you see an error message informing you that you cannot create more than four profiles. Click Cancel, and then Continue to cancel the creation of the anti-malware profile.
- The Anti-malware signal supports only English anti-malware names.
- The Anti-malware signal displayed on the Inventory Reports Device Details page and Device History Device Details page has the following statuses depending on the device operating system:
  - For Windows: the green ✓ means that the anti-malware software is installed and active on the device; the red X means that the anti-malware software is installed and inactive on the device; the yellow circle icon refers to older Windows devices and means that the anti-malware software is installed but its status is unknown. This state will not appear if you install the latest version of EAA Client.
  - For macOS: the green ✓ means that the anti-malware software is installed on the device. The inactive and unknown statuses are not displayed for macOS devices as the active status is assumed with any anti-malware program installed on the device.
- On the Inventory Reports Device Details page and Device History Device Details page, the Operating System (OS) versions display in the following format: for macOS: (); for Windows: ().
- macOS devices are now evaluated based on their build numbers instead of version numbers. As a one-time change, any custom version entered as a macOS version number will be converted to build numbers and populated in the custom list.
- Apple’s operating system is referred to as macOS instead of Mac OS X, in compliance with Apple’s branding guidelines.
- When you use the EAA Client mobile app on iOS devices to log into an Akamai IdP, you may be directed to the EAA Client and prompted to log in again using the in-app browser window. After you enter login credentials, the app may hang with a loading screen and a spinner. To recover, you must close and reopen the EAA Client application. Then, you must log out of the IdP using the browser and log in again to the IdP via the mobile browser a second time. Third-party IdPs are not affected and can be used with QR code or the Safari browser.
- When you use the EAA Client app on iOS devices for authorization to a third-party IdP with or without MFA, the user is stuck in the authorization loop process (user accesses third-party IdP URL on iOS browser, OS opens EAA Client app, the user completes authorization and MFA, the user is redirected back to the browser again, OS opens EAA Client app again, loop repeats).
- When you use the EAA Client app on iOS 14 and iPadOS 14 devices and Safari is not the default browser, users will see a remediation message, "Ensure EAA Client is installed or configured correctly", when accessing a web app from the browser.
- The EAA Client mobile app on an Android device works only if a Chromium-based browser (Chrome, Samsung browser, Microsoft Edge) is set as the default browser. On other browsers, users will see a remediation message, "Ensure EAA Client is installed or configured correctly".
- When you use the EAA Client mobile app on mobile devices to log into an Akamai IdP with a QR code, you may have problems opening the app and may see a loading screen with a spinner. Close and reopen the application, or log in to the IdP with a mobile browser. Another workaround is to do a second scan of the same QR code, after reopening the app when the first scan fails. Third-party IdPs are not affected.
- When you install the EAA Client on Windows, open it, and navigate to Device Posture > Signals, the username shown is the admin’s name and not the current user name. The workaround is to quit and restart the EAA Client.
- When you use the EAA Client mobile app on mobile devices to log into an MFA-enabled Akamai IdP, you may need to enter the MFA code twice: once while logging into the mobile browser, and again when redirected to the EAA Client mobile app login screen.
- When you use the EAA Client mobile app on Android devices to log into an IdP from either a Chrome browser or via the QR code, switching apps before the configuration is complete may cause the EAA Client to crash.
Fixed customer bugs
- You can configure nested organization units (OU) with the same name and different distinguished names (DN) in EAA AD and LDAP directories.
- Fixed issues with traffic data in the connector performance metrics system graph.
- Fixed issue where duplicate records are created for some users when performing Active Directory (AD) Sync.
- Fixed issue where user records were not deleted when Active Directory (AD) sync detected more than 10,000 users deleted in one batch.
- Fixed user sync issues related to Windows 2003 AD server.
- Reports can now be saved in .csv format on the Chrome browser.
- Fixed issues for better interoperability between EAA Client and ETP Client.
- The custom DNS setting for an EAA connector in Hyper-V is persistent after a reboot.
- Resolved false positive messages when the application is not reachable.
- Performance improvements for loading certificates while loading the application general settings page.
- Pagination is supported on the certificates page.
- The connector load indicator works properly when applications are deleted or moved to another connector.
- The last synced time is displayed for organization units (OU) in directories.
- Crashes while upgrading from EAA Client 2.0.4 to 2.3.0 have been fixed.
- The EAA Client Versions tab displays the latest release of a given train (e.g. 2.1.2 instead of 2.1.0). To apply other versions to a tier or tag rule, enter them in the Custom version field.
- If you edit a certificate profile’s name, the previous name may still display on the Device Details page for up to 30 minutes.
- The Device Posture tiers’ and tags’ criterion Anti-malware Status with value Good now displays as Anti-Malware Profile with value Any Vendor.