What’s New in UserLock 12
What's new in UserLock 12.2
- New: UserLock Credential Provider
- New: MFA for User Account Control (UAC) prompts
- New: MFA for “Run as administrator” requests
- Additional updates
New: Enhance MFA experience and security with UserLock’s custom credential provider
UserLock multi-factor authentication (MFA) now looks and feels even more like part of the native Windows logon process thanks to the new custom credential provider. Not only can you offer end users a more intuitive and familiar interface for MFA, but you can also now extend MFA capabilities beyond the Windows login.
Here’s how UserLock MFA now visually looks like part of the Windows login process, even when the user is offline:
The new credential provider also puts in place the necessary framework to tackle the most requested feature from our community: the ability to enforce MFA when a user asks to elevate privileges. You asked, we listened!
Thanks to the credential provider, you can enforce MFA on Windows UAC (User Account Control) credential prompts displayed when launching administrative tasks (e.g., when disabling the firewall) and during “Run as administrator” requests. This level of control over privileged access prevents lateral movement and stops privilege abuse.
Advantages of UserLock’s custom credential provider:
- Deliver a seamless user experience by visually embedding UserLock MFA into the Windows login process, even when the user is offline.
- Enhance security by enforcing MFA before your system logs a Windows session.
- Extend UserLock MFA to non-interactive sessions, including MFA on Windows UAC (User Account Control) credential prompts displayed when launching administrative tasks and during “Run as administrator” requests.
- Identify and remotely close an open session directly from the Windows login screen if you exceed your current session limit.
New: Enforce MFA on Windows UAC (User Account Control) credential prompts displayed when launching administrative tasks
Thanks to UserLock’s custom credential provider, you can apply an extra layer of security on elevated privilege requests with MFA on Windows User Account Control (UAC) prompts displayed when launching administrative tasks (e.g., when disabling the firewall).
You can set granular MFA policies for UAC prompts since UserLock recognizes UAC as a separate access type.
This ability to treat UAC as a separate access event also means you can manage, report on, and alert on UAC credential prompts displayed when launching administrative tasks (e.g., when disabling the firewall) and during “Run as administrator” requests.
Here’s an example of UserLock’s UAC event alert options:
UserLock’s ability to apply UAC MFA on a granular level by protected account ensures you can more accurately report on, and better meet compliance requirements for, MFA on requests to elevate privileges. This is difficult to do with other MFA providers, which often only allow UAC MFA to be applied by machine, or show MFA on UAC requests as an RDP MFA event.
Here’s an example of a UserLock UAC event report:
When you require MFA on UAC events, users must complete MFA in addition to their password before they can perform actions requiring administrative privileges, such as permitting apps to make changes to the device. This added layer of security on privilege elevation requests significantly strengthens your security posture and hardens your Active Directory against common threats.
Advantages of MFA for UAC prompts:
- Mitigate the risk of credential compromise
- Block lateral movement
- Reduce the risk of privilege abuse
- Protect critical system files and folders from unauthorized modification or sharing
- Minimize insider threat attacks
- Meet compliance and cyber insurance requirements
New: Enforce MFA on Windows UAC (User Account Control) credential prompts displayed during “Run as administrator” requests
You can now also apply MFA on “Run as administrator” requests, thanks to the UserLock custom credential provider. Not only can you effectively prevent unauthorized privilege elevation and lateral movement within your network, but you can also implement a key element of “never trust, always verify” zero-trust security.
Advantages of MFA for “Run as administrator” requests:
- Reinforce privileged access management (PAM) security by blocking privilege abuse
- Prevent lateral movement
- Meet cyber insurance requirements to protect all admin access with MFA
- Protect against attackers’ ability to leverage stolen credentials
Additional updates
- The welcome message now appears only at logon (no longer on session unlocks or reconnections).
- If upgrading from 12.1 or lower to 12.2, we recommend a gradual installation of the new desktop agent technology. To this end, automatic deployment will be disabled.
See the change log for more details on what's new, improved, and changed in the latest release.
What's new in UserLock 12.1
- New: Enable MFA and access management for all RemoteApp applications
- New: Configure MFA by session type
- New: Configure MFA frequency for every n minutes/hours/days
- New: Configuration wizard
- Improved: Support proxy for UserLock Anywhere
- Improved: View notification history for UserLock Push
New: Enable MFA and access management for all RemoteApp applications
UserLock is now compatible with all RemoteApp applications (before this, only RemoteApp applications with a desktop were supported). You can protect RemoteApp sessions with all of UserLock’s access management capabilities as well as MFA using all available MFA methods: push notifications, OTP codes and USB keys.
MFA for RemoteApp helps you reduce lateral movement by letting you control which apps users can access via RemoteApp.
Note: You need to enroll users in MFA before you can apply MFA to RemoteApp sessions. If you have remote users, follow these instructions to enroll remote users in MFA.
New: Configure MFA by session type
You can now configure MFA by session type, including:
- Workstation
- Server
- IIS
- VPN
- SaaS
When you enable MFA, you’ll see two edit modes available for modifying the MFA settings. In each case, make sure you’ve read the documentation for the use case on each type of session to ensure MFA will be prompted.
- All session types at once: By selecting this option, you can apply the same policy for all session types that are protected by UserLock.
- By session type: Select this option to apply different MFA policies for each session type.
For example, you can create different policies for local Server sessions and IIS sessions connecting from outside the network.
New: Configure MFA frequency for every n minutes/hours/days
You now have more granularity to choose how often you want to prompt for MFA. You can prompt users for MFA after a specific time period defined by minutes, hours, or days.
This means that, for each session type, you have new options to select how often you want to prompt the user with MFA (see current options for UserLock 12.0 here):
- After a given time: prompt users with MFA at their next logon after a specific time period defined by minutes, hours, or days (the option to choose minutes or hours is new in UserLock 12.1).
- After a given time since the last logon from each IP address: Same as the above, except that the time is counted from the last connection from that IP address, not from the last connection overall.
- Not configured: MFA will not be prompted unless another policy is applied through another protected account.
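The difference between the two time-based options is easiest to see on a logon history. The following is an added illustration, not UserLock code: the option names, the `mfa_required` function and the sample history are hypothetical, and it assumes a logon with no earlier connection to measure from is prompted.

```python
from datetime import datetime, timedelta

# Hypothetical names mirroring the three options listed above.
AFTER_TIME = "after_given_time"
AFTER_TIME_PER_IP = "after_given_time_per_ip"
NOT_CONFIGURED = "not_configured"


def mfa_required(mode, interval, history, source_ip, now):
    """Decide whether this logon is prompted for MFA.

    history: (timestamp, ip) pairs for the user's earlier connections on
    this session type. interval: timedelta in minutes, hours or days.
    """
    if mode == NOT_CONFIGURED:
        return False  # only a policy on another protected account could prompt
    if mode == AFTER_TIME_PER_IP:
        # Count only connections that came from the same IP address.
        relevant = [ts for ts, ip in history if ip == source_ip]
    elif mode == AFTER_TIME:
        # Count every earlier connection, whatever its source.
        relevant = [ts for ts, _ in history]
    else:
        raise ValueError(f"unknown mode: {mode}")
    if not relevant:
        return True  # assumption: nothing to measure from, so prompt
    return now - max(relevant) >= interval


# Constructed sample data: one old connection from an external address and
# one recent connection from an internal address.
NOW = datetime(2024, 5, 1, 12, 0)
HISTORY = [
    (NOW - timedelta(days=2), "203.0.113.7"),
    (NOW - timedelta(hours=3), "10.0.0.5"),
]
EIGHT_HOURS = timedelta(hours=8)

if __name__ == "__main__":
    for mode in (AFTER_TIME, AFTER_TIME_PER_IP, NOT_CONFIGURED):
        for ip in ("10.0.0.5", "203.0.113.7", "198.51.100.9"):
            print(mode, ip, mfa_required(mode, EIGHT_HOURS, HISTORY, ip, NOW))
```

With an eight-hour interval, the per-IP option prompts the logon from 203.0.113.7 (last seen two days ago) and from the never-seen 198.51.100.9, while the plain time-based option prompts neither because the user connected three hours ago.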
New: Configuration wizard
With UserLock 12.1, a new configuration wizard guides you step-by-step to configure the following features:
- UserLock server: server type, protected zone, etc.
- UserLock Web App
- MFA for IIS applications
- UserLock Anywhere
Improved: Support proxy for UserLock Anywhere
UserLock Anywhere now supports HTTP proxies. UserLock lets you validate a list of trusted proxies to recover the real client IP address for the agents communicating through UserLock Anywhere.
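Why a trusted-proxy list matters when recovering a client address: a forwarded address is only as reliable as the hop that reported it. The sketch below is an added example, not UserLock code; it assumes the proxy chain arrives in an `X-Forwarded-For` style header (the page does not say how UserLock conveys it), and `resolve_client_ip` and all addresses are constructed for illustration.

```python
import ipaddress


def resolve_client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Return the address a connection should be attributed to.

    peer_ip: address of the directly connected TCP peer.
    forwarded_for: comma-separated proxy chain header value, or None
                   (header format is an assumption of this example).
    trusted_proxies: CIDR strings for proxies allowed to report a client.
    """
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    if not forwarded_for:
        return str(current)

    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    # Walk right to left: each entry was appended by the hop to its right,
    # so an entry is believed only if the hop that reported it is trusted.
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # anything further left was supplied by an untrusted party
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
    return str(current)


# Constructed sample values (documentation and private address ranges).
TRUSTED = ["10.0.0.0/24"]

if __name__ == "__main__":
    # Client behind two trusted proxies, with a spoofed leading entry.
    print(resolve_client_ip(
        "10.0.0.2", "192.0.2.99, 198.51.100.23, 10.0.0.3", TRUSTED))
    # Direct, untrusted peer claiming an internal address.
    print(resolve_client_ip("203.0.113.50", "10.0.0.77", TRUSTED))
```

Without the trusted list, the second call would attribute the session to 10.0.0.77, which would defeat any IP-based restriction or per-IP MFA interval keyed on that address.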
Improved: View notification history for UserLock Push
Now users can view the notification history in the UserLock Push app. This allows users to show admins what IP address notifications are coming from, to more easily spot suspicious behavior. It also builds end-user awareness (and responsibility).
This update concerns only Push notifications. OTP accounts do not have history.
What's new in UserLock 12.0
- New: MFA push notifications & the UserLock Push App
- Improved: UserLock SSO
- Improved: UserLock Web App
- New: UserLock MSP Console
- New: UserLock VPN Connect
New: MFA push notifications & the UserLock Push App
UserLock push notifications are a subscription-only feature.
You can now choose to enable push notifications as the main or as an additional MFA method, giving you more flexibility to select the MFA method that works best for your team.
The all-new UserLock Push app provides safe, secure push authentication synced directly with UserLock.
Improved: UserLock SSO for Microsoft 365 and Google Workspace
- Federate to multiple tenants for Microsoft 365 with UserLock SSO. Learn more.
- Use Google Profiles to configure MFA for Google Workspace with UserLock SSO. Learn more.
Improved: New features added to the UserLock Web App
The new features in the UserLock Web App include:
- Reporting: Access even more reports now added to the Web app from the UserLock Desktop app, get powerful filtering capabilities, and easily export reports in .csv, .pdf and .xsl format. Learn more.
- Server properties: Modify server properties from the UserLock Web app. Learn more.
- An improved user dashboard: Easily see primary and secondary MFA methods configured for each user along with the number of recovery codes available. Learn more.
To use the Web App in parallel to your use of the full-feature desktop software, download UserLock 12.
New: UserLock MSP Console
A web-based licensing management platform, the UserLock MSP console offers customized licensing and pricing options that align with an MSP business model.
New: UserLock VPN Connect
The UserLock VPN Connector allows users to select their VPN, enter their credentials and complete MFA on Windows VPN connections without leaving the easy-to-use interface. You can access this tool when you download UserLock 12, or you can download it separately here.