miniOrange PAM 2.5.0 is a major release that takes Endpoint Privilege Management cross-platform with native macOS and Windows agents, introduces native database access through a secure proxy, adds a visual approval-workflow engine, and extends privileged access to network and OT/ICS devices. This release also delivers biometric authentication, a multi-tenant MSP dashboard, deeper auditing and SIEM coverage, significant performance gains, and a fully localized dashboard in 25+ languages.
WHAT'S NEW:
Workflows & Approvals
Visual Workflow Engine: Introduced a workflow orchestration engine for designing custom approval and access flows from triggers, conditions, and actions, supporting multi-level approvals, maker-checker, just-in-time auto-approval, and delegation, with if/else logic over attributes such as asset type, user role, and username.
Endpoint Privilege Management
EPM for macOS: Introduced a native macOS agent built on Apple's Endpoint Security Framework, enforcing Managed, Unmanaged, and Elevated launch policies across GUI apps, Terminal commands, and DMG-mounted apps. It completes .pkg installations without the native admin-password prompt and elevates or restricts specific commands while resisting alias, symlink, rename, and PATH-based bypass, with every elevation logged alongside its justification.
EPM for Windows: Delivered a new Windows agent release consolidating the latest policy-enforcement, device-management, and auto-update capabilities into a single coordinated build.
OS-Aware Policy Management: Engineered endpoints, policies, application groups, and definitions to be scoped by operating system (Windows, Linux, macOS), ensuring policies apply only to matching endpoints and eliminating cross-platform misconfiguration. macOS application definitions now capture Developer ID, Bundle ID, file path, and checksum.
Device Groups & Lifecycle Management: Introduced device groups with group-level policy assignment, and a managed device lifecycle where new endpoints are onboarded in a Pending state and require admin approval, with bulk enable, disable, agent uninstall, and full removal of decommissioned devices.
Ring-Based Agent Auto-Update: Introduced progressive agent rollout through configurable rings with per-ring success thresholds, maintenance windows, and automatic abort on failure, enabling controlled, observable updates at scale.
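The decision logic behind a ring-based rollout, as an added example (not miniOrange code): each ring must meet its own success threshold inside its maintenance window before the next ring starts, and a missed threshold aborts the whole rollout. Ring names, thresholds, window times and the endpoint reports are constructed assumptions.

```python
# Added example (not miniOrange code): the decision logic of a ring-based rollout.
# Ring names, thresholds, window times and endpoint results are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Tuple


@dataclass
class Ring:
    name: str
    endpoints: List[str]
    min_success_ratio: float   # share of the ring that must report success before promotion
    window_start: time         # maintenance window: inclusive start, exclusive end
    window_end: time

    def in_window(self, now: datetime) -> bool:
        t = now.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end   # window wraps past midnight


@dataclass
class RolloutState:
    current_ring: int = 0
    aborted: bool = False
    history: List[str] = field(default_factory=list)


def evaluate_ring(ring: Ring, results: Dict[str, bool]) -> Tuple[bool, float]:
    """results maps endpoint -> True (updated) / False (failed).
    An endpoint that never reported counts as a failure: silence is not success."""
    if not ring.endpoints:
        return False, 0.0
    ok = sum(1 for ep in ring.endpoints if results.get(ep) is True)
    ratio = ok / len(ring.endpoints)
    return ratio >= ring.min_success_ratio, ratio


def step(state: RolloutState, rings: List[Ring], results: Dict[str, bool], now: datetime) -> str:
    """One scheduler tick. Returns 'waiting', 'promoted', 'complete' or 'aborted'.
    Outside its window a ring simply holds; a missed threshold aborts the rollout."""
    if state.aborted:
        return "aborted"
    if state.current_ring >= len(rings):
        return "complete"
    ring = rings[state.current_ring]
    if not ring.in_window(now):
        state.history.append(f"{ring.name}: outside maintenance window, holding")
        return "waiting"
    passed, ratio = evaluate_ring(ring, results)
    if not passed:
        state.aborted = True
        state.history.append(f"{ring.name}: {ratio:.0%} < {ring.min_success_ratio:.0%} required, rollout aborted")
        return "aborted"
    state.history.append(f"{ring.name}: {ratio:.0%} succeeded, promoting to next ring")
    state.current_ring += 1
    return "complete" if state.current_ring == len(rings) else "promoted"


RINGS = [
    Ring("canary", ["mac-01", "win-01"], 1.00, time(1, 0), time(5, 0)),
    Ring("pilot", ["mac-02", "win-02", "win-03", "lnx-01"], 0.90, time(1, 0), time(5, 0)),
    Ring("broad", [f"ep-{i:02d}" for i in range(50)], 0.98, time(22, 0), time(4, 0)),
]


def demo_rollout() -> RolloutState:
    """Constructed agent reports: canary is clean, pilot has one failure and one silent endpoint."""
    state = RolloutState()
    results = {"mac-01": True, "win-01": True, "mac-02": True, "win-02": False, "win-03": True}
    step(state, RINGS, results, datetime(2025, 1, 10, 12, 0))   # noon: outside the window, holds
    step(state, RINGS, results, datetime(2025, 1, 10, 2, 0))    # canary 2/2: promoted
    step(state, RINGS, results, datetime(2025, 1, 10, 2, 30))   # pilot 2/4 = 50% < 90%: aborted
    return state


if __name__ == "__main__":
    for line in demo_rollout().history:
        print(line)
```

Counting unreported endpoints as failures is the conservative choice: an agent that went silent during an update is exactly the case a ring threshold exists to catch.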
Kill-Switch Priority Policy: Added a Kill-Switch policy that always takes precedence over all other policies regardless of weightage, providing an instant containment control for endpoints and applications.
Non-Privileged Application Mode: Mark applications to run in non-privileged mode directly from the EPM application definition for finer control over execution under policy.
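Why the macOS agent described above matches applications on checksum rather than on the name typed, and why the Kill-Switch policy has to sit outside the normal weight ordering, as an added example (not the miniOrange agent). It builds a throwaway directory tree with a symlink, a renamed copy and an attacker-controlled directory placed first in PATH, resolves what would really execute, matches it against definitions by SHA-256, and then picks the winning policy. Definition and policy field names are assumptions; real definitions also carry Developer ID and Bundle ID, which a stand-alone sketch cannot verify.

```python
# Added example (not the miniOrange agent): identify the program that will actually run,
# match it by checksum rather than by the name typed, then resolve policies with
# Kill-Switch beating weight. Names, policy fields and the sample files are assumptions.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AppDefinition:
    name: str
    path: str      # canonical installed location (informational here)
    sha256: str    # checksum of the binary: the identity we actually trust


@dataclass(frozen=True)
class Policy:
    name: str
    app: str       # definition name, or "*" for every application
    action: str    # "elevate" | "deny" | "managed"
    weight: int = 0
    kill_switch: bool = False


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_invocation(argv0: str, cwd: str, path_env: str) -> Optional[str]:
    """What the user typed -> the real file that would execute. Bare names go through
    PATH lookup as the shell would; realpath then collapses symlinks, aliases and '..'."""
    if os.sep in argv0:
        candidate = os.path.join(cwd, argv0)
    else:
        for d in path_env.split(os.pathsep):
            p = os.path.join(d, argv0)
            if os.path.isfile(p) and os.access(p, os.X_OK):
                candidate = p
                break
        else:
            return None
    real = os.path.realpath(candidate)
    return real if os.path.isfile(real) else None


def match_definition(real_path: str, defs: List[AppDefinition]) -> Optional[AppDefinition]:
    """Match on content hash: a renamed or copied binary is still the same program,
    and a different binary dropped under a trusted name is not."""
    digest = sha256_of(real_path)
    return next((d for d in defs if d.sha256 == digest), None)


def select_policy(app_name: Optional[str], policies: List[Policy], default: str = "managed") -> str:
    applicable = [p for p in policies if p.app in (app_name, "*")]
    kill = [p for p in applicable if p.kill_switch]
    if kill:
        return kill[0].action          # Kill-Switch wins regardless of weight
    if not applicable:
        return default                 # unknown program: never elevate by default
    return max(applicable, key=lambda p: p.weight).action


def demo() -> Dict[str, str]:
    """Constructed filesystem: a trusted bin dir and a user-writable dir placed FIRST in PATH."""
    base = tempfile.mkdtemp()
    bin_dir, user_dir = os.path.join(base, "bin"), os.path.join(base, "userbin")
    os.mkdir(bin_dir)
    os.mkdir(user_dir)

    def write(d: str, name: str, body: str) -> str:
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, 0o755)
        return p

    installer = write(bin_dir, "installer", "#!/bin/sh\necho legitimate installer\n")
    nc = write(bin_dir, "nc", "#!/bin/sh\necho netcat\n")
    with open(nc) as f:
        nc_body = f.read()
    os.symlink(installer, os.path.join(user_dir, "setup"))              # alias / symlink
    write(user_dir, "installer", "#!/bin/sh\necho attacker payload\n")   # PATH shadowing
    write(user_dir, "notes", nc_body)                                    # renamed copy of nc

    defs = [AppDefinition("installer", installer, sha256_of(installer)),
            AppDefinition("nc", nc, sha256_of(nc))]
    policies = [Policy("elevate-installer", "installer", "elevate", weight=10),
                Policy("deny-nc", "nc", "deny", weight=5),
                Policy("netops-nc", "nc", "elevate", weight=50),         # would win on weight alone
                Policy("contain-nc", "nc", "deny", kill_switch=True)]    # ...but Kill-Switch overrides
    path_env = os.pathsep.join([user_dir, bin_dir])

    def decide(argv0: str) -> str:
        real = resolve_invocation(argv0, base, path_env)
        d = match_definition(real, defs) if real else None
        return select_policy(d.name if d else None, policies)

    return {
        "installer via PATH (shadowed by attacker file)": decide("installer"),
        "installer by absolute path": decide(installer),
        "setup symlink -> installer": decide("userbin/setup"),
        "nc renamed to notes": decide("notes"),
        "nc by absolute path": decide(nc),
    }
```

The shadowed "installer" never reaches the elevate rule because its hash matches no definition, the symlink and the renamed copy resolve to the programs they really are, and the renamed netcat is denied even though a weight-50 elevate rule exists, because the Kill-Switch policy is evaluated before weight is considered.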
Database & Asset Access
Native Client Connectivity via Secure Proxy: Connect to managed databases directly with any native desktop tool or thick client. PAM proxies the connection so credentials stay in the vault rather than on the user's workstation, while every statement executed through the session (SELECT, INSERT, UPDATE, DELETE, and so on) is recorded in the audit logs. Supported databases are MySQL, PostgreSQL, Oracle Database, Microsoft SQL Server, and MongoDB, over both SSL/TLS and non-SSL configurations. Automated protocol registration gives a one-click launch from the PAM dashboard: the chosen local client opens already connected through the proxy and ready to use.
Automated Protocol Registration & Client Detection: Thick client setup is now fully automated within the XecureAccess Desktop installation, eliminating the need for manual script editing. You can easily map preferred tools like MobaXterm, PuTTY, and pgAdmin by simply selecting their executables. The system handles all secure registry configurations automatically, features enhanced path validation to prevent connection failures from invalid formatting, and allows you to securely launch multiple thick client connections simultaneously without session conflicts.
Network Device Management: Introduced first-class privileged access to routers, switches, and firewalls from leading vendors (Cisco, Juniper, Fortinet, Palo Alto, MikroTik, Huawei, Check Point, SonicWall, Sophos, Arista, and more) over SSH or Web UI.
OT / ICS Device Support: Extended privileged access to operational-technology assets (PLCs, HMIs, SCADA servers, RTUs, and DCS) over SSH, RDP, and Telnet, with OT-specific metadata including device type, vendor, Purdue level, and plant area.
Sessions, File Transfer & Discovery
FTP & FTPS Support: Delivered full FTP and SSL/TLS-secured FTPS access at parity with SFTP and SMB, covering browse, chunked/resumable upload, download, rename, move, and delete, all policy-enforced and fully recorded.
Granular File-Transfer Control: Introduced path-level access control defining exactly which file and folder operations (download, upload, rename, move, copy, delete, zip/unzip) are permitted, with a configurable base directory that confines users to a designated subtree.
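The two checks a path-level control like the one above has to make, as an added example (not miniOrange code): first confine the user-supplied path to the base directory (normalize, then compare, so that "..", doubled slashes and a leading "/" cannot escape), then look up the permitted operations for the longest matching path prefix, applying the same test to the destination of rename, move and copy. Rule format, operation names and the sample rules are assumptions; paths are taken as already URL-decoded, and a real server must also realpath the target on disk after this check so a symlink cannot point out of the subtree.

```python
# Added example (not miniOrange code): path-level authorization for file-transfer
# operations. Rule format, operation names and the sample rules are assumptions.
import posixpath
from typing import Dict, Optional, Set

OPS = {"download", "upload", "rename", "move", "copy", "delete", "zip", "unzip"}
Rules = Dict[str, Set[str]]   # path prefix relative to the base directory -> permitted ops


class PathDenied(Exception):
    pass


def confine(base: str, user_path: str) -> str:
    """Map a user-supplied path into the base directory; refuse anything that escapes it.
    Normalize first, compare second: '..', '//' and a leading '/' are all neutralized."""
    if "\x00" in user_path:
        raise PathDenied("NUL byte in path")
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if target != base and not target.startswith(base + "/"):
        raise PathDenied(f"{user_path!r} resolves to {target}, outside {base}")
    return target


def permitted_ops(base: str, rules: Rules, target: str) -> Set[str]:
    """Longest matching prefix wins, so a stricter rule on a subfolder overrides its parent."""
    norm = {k.strip("/"): v for k, v in rules.items()}
    rel = posixpath.relpath(target, posixpath.normpath(base))
    rel = "" if rel == "." else rel
    best: Optional[str] = None
    for p in norm:
        if p == "" or rel == p or rel.startswith(p + "/"):
            if best is None or len(p) > len(best):
                best = p
    return set() if best is None else norm[best]


def authorize(base: str, rules: Rules, op: str, path: str, dest: Optional[str] = None) -> Dict[str, str]:
    """Raise PathDenied unless `op` is permitted on `path` (and on `dest` for two-path operations)."""
    if op not in OPS:
        raise PathDenied(f"unknown operation {op!r}")
    src = confine(base, path)
    if op not in permitted_ops(base, rules, src):
        raise PathDenied(f"{op} not permitted on {path!r}")
    decision = {"op": op, "path": src}
    if op in ("rename", "move", "copy"):
        if dest is None:
            raise PathDenied("destination required")
        dst = confine(base, dest)   # the destination must stay inside the subtree too
        if op not in permitted_ops(base, rules, dst):
            raise PathDenied(f"{op} not permitted into {dest!r}")
        decision["dest"] = dst
    return decision


# Constructed sample: alice's subtree is read-only except for an inbox, whose archive is frozen.
BASE = "/srv/transfer/alice"
RULES: Rules = {
    "/": {"download"},
    "inbox": {"download", "upload", "delete", "zip", "move"},
    "inbox/archive": {"download"},
}


def check(op: str, path: str, dest: Optional[str] = None) -> str:
    try:
        authorize(BASE, RULES, op, path, dest)
        return "allowed"
    except PathDenied as e:
        return f"denied: {e}"


if __name__ == "__main__":
    for args in [("download", "reports/q1.pdf"), ("upload", "inbox/new.zip"),
                 ("upload", "inbox/archive/x.bin"), ("delete", "inbox/../../../etc/passwd"),
                 ("move", "inbox/a.txt", "inbox/archive/a.txt")]:
        print(args, "->", check(*args))
```

Note that "/etc/passwd" is not an escape here: a leading slash is interpreted relative to the base directory, so it maps to a file inside alice's subtree and is then judged purely on the rule for that location.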
RDP Web File Manager: Introduced multi-file and folder upload via drag-and-drop with live progress tracking, plus asynchronous streaming-ZIP folder downloads up to 10 GB, directly within the browser RDP session.
Granular Web-Application Policies (GoDaddy): Introduced element-level policy enforcement for GoDaddy, letting administrators hide, lock-behind-approval, or gate specific in-app actions on a per-role basis in real time, for fine-grained control over what each user can do inside the application.
SSH Local Account Discovery & Onboarding: Introduced automatic discovery of local accounts on SSH hosts, surfacing each account's detected authentication type (Password, Public Key, or None) with an admin override during onboarding. Detection was re-engineered into a single consolidated scan, reducing discovery time by approximately 80% regardless of account volume.
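How the detected authentication type in the discovery above can be derived from what a single scan of a host returns, as an added example (not miniOrange's scanner): a usable hash in /etc/shadow means Password, a locked or unset password plus at least one authorized_keys entry means Public Key, and an account with neither (or a nologin shell and no key) is None. The three labels follow the release notes; the classification rules and the file contents are constructed assumptions.

```python
# Added example (not miniOrange's scanner): classify local accounts by authentication type
# from one pass over /etc/passwd, /etc/shadow and each user's authorized_keys.
# The inputs below are constructed; the classification rules are assumptions.
from typing import Dict

PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/sh
"""

SHADOW = """root:$6$saltsalt$constructedhashvalue:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$saltsalt$constructedhashvalue:19700:0:99999:7:::
bob:!:19700:0:99999:7:::
deploy:!!:19700:0:99999:7:::
"""

# user -> contents of ~/.ssh/authorized_keys (absent users have no file)
AUTHORIZED_KEYS = {
    "bob": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForBobXXXXXXXXXXXX bob@laptop\n",
    "alice": "# no keys yet\n",
}


def has_usable_key(authorized_keys: str) -> bool:
    """At least one non-blank, non-comment line counts as a key."""
    return any(l.strip() and not l.lstrip().startswith("#") for l in authorized_keys.splitlines())


def classify(passwd: str, shadow: str, keys: Dict[str, str], include_system: bool = False) -> Dict[str, str]:
    """Return account -> 'Password' | 'Public Key' | 'None'.
    Shadow fields starting with '!' or '*' (or empty) mean no usable password. An account
    with both a password and a key is reported as 'Password'; the admin override covers the rest."""
    hashes: Dict[str, str] = {}
    for line in shadow.splitlines():
        if line and not line.startswith("#"):
            name, h = line.split(":")[:2]
            hashes[name] = h
    result: Dict[str, str] = {}
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if not include_system and uid != 0 and uid < 1000:
            continue                                   # skip system accounts unless asked
        h = hashes.get(name, "")
        has_password = bool(h) and not h.startswith(("!", "*"))
        has_key = has_usable_key(keys.get(name, ""))
        if shell.endswith(("nologin", "/false")) and not has_key:
            result[name] = "None"                      # cannot log in interactively at all
        elif has_password:
            result[name] = "Password"
        elif has_key:
            result[name] = "Public Key"
        else:
            result[name] = "None"
    return result


if __name__ == "__main__":
    for account, auth in classify(PASSWD, SHADOW, AUTHORIZED_KEYS).items():
        print(f"{account:8s} {auth}")
```

Reading the three sources once and joining them in memory is what keeps the scan time flat as account counts grow; running a per-account command on the host is what the old approach would have cost.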
Hardcoded-Credential & Unmanaged Account Discovery: Introduced discovery of unmanaged accounts and hardcoded credentials across files, databases, and Git repositories (GitHub, GitLab, Bitbucket), with a full findings console to acknowledge, flag false positives, and recheck.
Authentication & Identity
Biometric (WebAuthn) Two-Factor Authentication: Introduced phishing-resistant biometric login (Windows Hello, Touch ID/Face ID, and hardware keys such as YubiKey) as a second factor for the dashboard and for step-up verification on protected resources, with no private key or biometric data ever leaving the device.
Central Identity Handler: Introduced a protocol-agnostic identity engine, beginning with SCIM, that standardizes how identities are provisioned, resolved, and deprovisioned across PAM.
Administration
Super Admin / MSP Dashboard: Introduced centralized multi-tenant control across PAM and EPM: onboard child customers, allocate licenses from a shared pool, and manage any tenant's full dashboard within an isolated, fully audited context.
Localization
25+ Language Support: The dashboard now supports 25+ languages, including English, Spanish, Hindi, Portuguese, and Arabic with full right-to-left layout. Switch languages instantly with no reload, and your preference persists across sessions.
IMPROVEMENTS:
Security & Access
Account Hygiene: Automatically lock users inactive beyond a configurable period, keep separate password policies for dashboard users and system-user rotation, and import password policies (including Fine-Grained Policies) directly from Active Directory.
Admin-Managed 2FA: Apply your organization's configured two-factor method to end users centrally, so they inherit it without configuring their own.
Custom Attributes from SSO & LDAP: Map custom profile attributes from SSO providers and LDAP/AD during login and directory import, with default-value fallback.
Administration & Licensing
Resource Availability Management: Administrators can now mark a resource Active or Inactive. An Inactive resource blocks all user access until it is reactivated; an Active resource remains accessible according to its existing permissions.
Rebuilt Licensing Engine: Re-engineered licensing for faster, more accurate enforcement of user, admin, EPM-user, asset, and device entitlements, with consistent checks across manual creation, bulk upload, and SSO provisioning.
Faster Resource Setup: Clone an existing resource to provision similar ones instantly, save and allocate a resource in a single step, and prevent duplicate IP/port entries through uniqueness validation.
Flexible Scheduling: Added minute-level scheduling intervals for Active Directory user, group, and machine imports and network scans.
User Experience
Favourite Resources: Bookmark the servers, databases, and web applications you use most by starring them, then filter your dashboard to show only your favourites, saved per user and persistent across sessions.
Configurable Two-Factor Cool-Down: Reduce repeated MFA prompts with a configurable cool-down window. When enabled, users are not re-prompted for 2FA in the same browser for the configured duration after a successful verification. When disabled, 2FA is required on every login. Trust is browser-specific, and is automatically cleared when the user changes their MFA method or MFA is toggled off and back on.
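One way to implement the browser-specific trust described above, as an added example (not miniOrange's implementation): after a successful 2FA the server issues an HMAC-signed token bound to the user, a random per-browser identifier, and a counter that is bumped whenever the user's MFA method changes or MFA is toggled off and on. A later login skips 2FA only if the token verifies, is unexpired, was issued to this browser, and carries the current counter value. The field layout, TTL and counter name are assumptions.

```python
# Added example (not miniOrange's implementation): a browser-bound MFA cool-down token.
# Field layout, TTL and the 'mfa generation' counter are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, generated here for the demo


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_trust(user_id: str, browser_id: str, mfa_generation: int, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Called once 2FA has succeeded. browser_id is a random value kept in a long-lived cookie
    (assumed); mfa_generation is a per-user counter the server bumps on any MFA change."""
    now = time.time() if now is None else now
    claims = {"u": user_id, "b": browser_id, "g": mfa_generation, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def mfa_required(token: Optional[str], user_id: str, browser_id: str, current_generation: int,
                 cooldown_enabled: bool, now: Optional[float] = None) -> bool:
    """True when this login must complete 2FA. Every failure path falls back to requiring it."""
    if not cooldown_enabled or not token:
        return True
    try:
        p64, m64 = token.split(".", 1)
        payload, mac = _unb64(p64), _unb64(m64)
    except (ValueError, binascii.Error):
        return True
    if not hmac.compare_digest(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest(), mac):
        return True                                            # forged or tampered
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("u") != user_id or claims.get("b") != browser_id:
        return True                                            # someone else, or another browser
    if claims.get("g") != current_generation:
        return True                                            # MFA method changed or re-enabled
    return claims.get("exp", 0) <= now                         # window elapsed


def demo_cooldown() -> Dict[str, bool]:
    """Constructed scenario: alice verifies on browser A with an 8-hour window, generation 1."""
    t0 = 1_700_000_000.0
    tok = issue_trust("alice", "browser-A", 1, 8 * 3600, now=t0)
    tampered = tok[:-2] + ("BB" if tok.endswith("AA") else "AA")   # flip the MAC tail
    return {
        "same browser within window": mfa_required(tok, "alice", "browser-A", 1, True, now=t0 + 3600),
        "other browser": mfa_required(tok, "alice", "browser-B", 1, True, now=t0 + 3600),
        "other user": mfa_required(tok, "bob", "browser-A", 1, True, now=t0 + 3600),
        "after window": mfa_required(tok, "alice", "browser-A", 1, True, now=t0 + 9 * 3600),
        "mfa method changed": mfa_required(tok, "alice", "browser-A", 2, True, now=t0 + 3600),
        "cooldown disabled": mfa_required(tok, "alice", "browser-A", 1, False, now=t0 + 3600),
        "tampered token": mfa_required(tampered, "alice", "browser-A", 1, True, now=t0 + 3600),
    }
```

Bumping the generation counter is what makes "cleared when the user changes their MFA method" cheap: no token store has to be swept, every outstanding token simply stops verifying. The token is still a bearer credential, so it belongs in an HttpOnly, Secure cookie alongside the browser identifier.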
Session Expiry Warning: A countdown warning ten minutes before session expiry lets users extend their session in place, with no abrupt disconnects mid-task and no reconnect required.
Custom Login Page: Support customer-specific login experiences tailored to individual branding requirements, with the default login page available when needed.
Selectable SSH Terminal Type & Jump-Host Support: Choose the terminal type per asset (xterm-256color, xterm, or ansi), and reach resources behind jump hosts via SSH tunnels, now supported for native thick-client sessions.
Auditing
Expanded SIEM Logging: Standardized and enriched SIEM messages now cover both PAM and the EPM microservice, with added network fields (source, destination, and host IP) and a fix ensuring the real host IP is reported instead of the container's internal address.
Policy & Allocation Auditing: The Policy section now logs all create, update, and delete actions across every policy type, and allocation audits capture the system user and policy used for each grant.
Elevation Visibility in EPM Audits: A new Elevation Status column shows whether each application or process ran with elevated privileges, making privileged activity instantly distinguishable for review and compliance.
Session Summary Notifications: Receive an emailed summary when a session ends (who connected, when, and which resources were accessed), with optional login notifications.
Advanced Recorded-Session Filtering: Filter recorded sessions by multiple criteria and date ranges for faster retrieval.
Performance
Faster RDP Streaming: Tuned the Redis channel layer for high-frame-rate RDP, delivering more reliable streaming with fewer timeouts under load.
Faster Bulk Operations: Optimized bulk user and object deletion with asynchronous index cleanup, reducing a 10-user deletion from roughly 60 seconds to 1 to 2 seconds.
Leaner Deployments: Reworked Docker images with multi-stage builds to substantially reduce container sizes, added configurable logging to eliminate redundant log growth, and made proxy services individually configurable at install time.
BUG FIXES:
Protocols & Sessions
MFA over SSH: Resolved an issue where enabling MFA broke keyboard-interactive SSH login; MFA now works across WebSSH and thick clients, interactive (TOTP) and push methods, and miniOrange, RADIUS, and TACACS+ providers.
File Transfer: Reworked SFTP and SMB copy, zip, and unzip to stream efficiently with progress indicators (zip/unzip up to 400 MB), eliminating slow, memory-heavy transfers of large files.
Authentication
SSO Reliability: Identity-provider errors are now surfaced clearly instead of failing silently, and IdPs that return identity claims inside the id_token (such as ADFS) now map attributes correctly.
Platform & Data
Log Retention: Fixed log cleanup so that files older than the configurable retention period are actually removed, preventing disk exhaustion.
Global Search: Bulk-uploaded users now appear in global search immediately.
Cloud Provisioning: Restored the default system users ("Dashboard Credentials" and "Prompt for Credential") for existing cloud customers via migration.
Application Credentials: Resolved a validation error when toggling application-credential permissions on inherited groups.
Localization Layout: Fixed button layout and text wrapping for non-English languages, and optimized email validation to prevent excessive resource use on long inputs.
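The shape of an email validator whose cost stays bounded on long inputs, as an added example (not miniOrange code). The release notes do not say what made the original validation expensive; a common cause is a regex with overlapping quantifiers run over unbounded input, so this sketch checks the RFC length limits before any pattern runs and uses patterns whose character classes cannot backtrack ambiguously.

```python
# Added example (not miniOrange code): an email validator that bounds its work before
# any pattern matching. The original slowdown's cause is not stated in the release notes.
import re

MAX_TOTAL, MAX_LOCAL, MAX_DOMAIN = 254, 64, 253   # RFC 5321 / RFC 1035 limits

# The classes exclude '.', so "atoms separated by dots" has exactly one way to match: linear time.
_LOCAL = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")
# One DNS label: 1..63 chars, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_email(addr: object) -> bool:
    if not isinstance(addr, str) or len(addr) > MAX_TOTAL:
        return False                                  # oversize input is rejected before any regex
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    if len(local) > MAX_LOCAL or len(domain) > MAX_DOMAIN or not _LOCAL.match(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()                  # top-level label must not be all digits


if __name__ == "__main__":
    for sample in ["alice@example.com", "a" * 65 + "@example.com", "a" * 100000, "alice@-bad.com"]:
        print(f"{sample[:40]!r:45} -> {is_valid_email(sample)}")
```

Whatever pattern a validator ends up using, the length check in front of it is the part that makes "excessive resource use on long inputs" impossible by construction.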
For any questions regarding the upgrade or the new features in PAM 2.5.0, please contact our support team at pamsupport@xecurify.com.