Product Name: BEM Web V9.1.6 (Build: 8) GA
Valid on: 2024-01-26
New Features and Improvements
– BCE-3462 – Fix for an issue where Paradox SE user application policy was failing to be applied to devices.
– Added extra validation checks when adding and editing a domain in BEM.
– Fix for an issue where service user credentials were not hidden in config file.
– BCE-3455 – Fixed an issue where BEM installations and upgrade would fail if the hostnames begin with a number.
– BCE-3419 – Fixed various issues with BEM setup tool that were seen when running upgrade.
– BCE-3440 – Fixed an issue where setup tool did not run due to an issue with signing of files.
– BCE-3431 – Fixed an issue where Paradox SE user application policy UI was defaulting to first domain that was added.
– BCE-3430 – Fixed an issue where Paradox SE user application policy was failing when User LDAP domain was added along with port number.
– BCE-3427 – Fixed an issue where reopening setup tool was resetting appsettings.json file.
– Added support for accessing BEM UI externally.
– Made changes to setup tool to support Paradox SE device management on a split environment where registration/communication and BEM UI services are installed on different servers.
– Added USB Mass Storage support for Paradox similar to Paradox SE.
– Resolved an issue where the Yubikey database install would fail when database encryption was enabled.
– BCE-3408 – Fix for an issue where scheduler service failed to run when the DB is on a remote machine and the SQL authentication is set to Windows user.
– BCE-3398 – Fix for an issue where BEM console has slowed down when Yubikey was enabled and not configured.
– BCE-3400 – BEM now returns body content confirming successful receipt in response to healthcheck updates from remote ES and TPS proxies.
– BEMD-11786 Fix for an issue where a clear cache was needed for the BEM UI changes to stay persistent.
– Fix for an issue where appsettings.json was not configured with correct login URLs.
– Remove dependency on .Net Framework 3.5 for installation of BEM.
– Fix for an issue where a new Yubikey DEK was not being generated during BEM installation.
– Added Paradox policy option to Wifi entries to hide/unhide Wifi access points.
– Added a Paradox and SE device policy option to disable print screen.
– Added a Paradox and SE device policy option to disable the ability to edit network configuration on the device.
– BCE-3396 – Fix for an issue where BEM dashboard was loading slowly after logging in.
– BEMD-11607 – Added ability to set Login Page hostname which will resolve an issue where login page will show a 500 error after upgrading.
– Dropped support for multi tenancy.
– Dropped macOS device management.
– BEM setup tool migrated to .Net Core.
– Global Admin role has been removed.
iOS Features and Fixes:
– BCE-3346 – Fixed an issue where refresh DEP devices would fail due to an expired cursor.
– BCE-3164 – Fixed an issue where report filtering was not working based on last contact time interval.
– BCE-3375 – Fixed an issue where Rapid security responses install status was not shown correctly in BEM UI.
– BEMD-11010 – Resolved an issue where a failed VPP licence request will unintentionally set the app status to failed for all apps on the device.
– BEMD-10201 – Allow access to USB Accessories.
– Introduced certificate pinning for iOS device management.
Paradox and Paradox SE Features and Fixes:
– BEMD-11184 – Added an option to set SAM account name to the device name in device certificates.
– Added the option to choose whether or not Paradox and Paradox SE devices are created as computer objects in Active Directory.
– Added SMB share support in Paradox SE.
– Added USB Mass Storage support for Paradox SE devices.
– Added new column to Paradox SE devices page to display OS Version installed on the device.
– Paradox USB Device Control expanded to include Read-Only / Read-Write and SID options.
Yubikey New Features and Fixes:
– Enrollers can be restricted to enroll Yubikeys to the users in the same OU as enroller.
– Restricted Enrollers can be promoted to global enrollers to enroll devices to any user from the estate/domain.
– Introduced Strict mode, which means OTP enrollments are blocked when BEM is in this mode.
– Added the ability to renew user certificates by enroller.
BCES Features and Fixes:
– Improved BCES registration process.
– Introduced “Strict mode” in BCES.
– Added support for Postgres SQL.
– Added new feature, Becrypt Resident CA that issues and manages device, user and server certificates.
– Added Becrypt Identity Provider that is used to create, authenticate and manage local BEM users.
– Added silent installer that supports easy deployment of BEM.
– User assignment is now optional for DEP device enrolment.
iOS Features and Fixes:
– Added support for ECC device certificates for iOS devices
– Added ECC signature verification in BEM
– Added support for use of HiTMAN as High Assurance Gateway when using BEM with MDM Proxies
– Improved support for configuring outgoing Docker proxies when using BEM with MDM Proxies
– After upgrading to BEM 9.1.6, please update the credentials used for domain to sAMAccountName@domain or user principal name (ensure that user principal name has a domain)
– When BEM is rolled back to 9.1.1, please copy the contents from appsettings.json.bak into appsettings.json. The file is located here: C:\Program Files\Becrypt\BEMM\config. Then restart IIS.
– After upgrading to BEM 9.1.0 the login url for BEM will be changed, therefore existing browser bookmarks will not work. Please create new browser bookmarks.
– All the existing BEM console users with super user role before upgrade will have permissions equivalent to a Global Admin.
– It is recommended to decide on the type of CA (BEM CA or Direct CA or BCSE) before installing BEM.
– Please ensure that a Yubikey licence file is uploaded before installing Yubikey database using BEM setuptool.
– Please ensure that users are synchronised from Domains page before configuring BEM to manage Yubikey devices.
– Please ensure that the PUK code you enter when importing the first user using Yubikeyimport tool is set to 8 characters.
Paradox specific :
– Please use the username in the format .\<username> when registering PDX devices in an off domain environment using IDP / Resident users.
– Please remove from BEM any browser extensions that were uploaded after upgrading to 8.1.0, and re-upload them before assigning to an application policy.
– After upgrading BEM Web, update the authorisation url to introspect url when using OAuth2 as your authentication method in Paradox device policy.
– After upgrading BEM Web, all the Paradox device groups will have “TPM required” checkbox ticked. Please untick it if you would like to modify those device groups.
– Yubikeys and Human Interface Devices will be implicitly allowed as part of the device control policy for Paradox devices.
– In order for the Xerox printer to be discovered, add both Presets under the firewall rules in BEM Web Policy:
i) Generic Printer Discovery
ii) Xerox Printer Discovery
Paradox SE :
– Revoking a device certificate manually from CA may not prevent the device from communicating to BEM Web server. Either use the “Revoke Device” function from BEM Web console or follow the below steps on BEM Web server:
– From command prompt run certutil -setreg chain\ChainCacheResyncFiletime @now
– Restart cryptographic services.
iOS Specific :
– It is recommended to purchase ample licenses for required apps in your VPP to avoid licensing issues.
– It is recommended that all devices are un-supervised before re-profiling.
– Note that if the MDM Profile is set to be removable, any devices which are still within Apple’s grace period after first being added to DEP will display the option “Leave Remote Management”. If a user actions this it will completely wipe the device and remove it from DEP – and BEM will receive no notification of this.
– As per Android (Convex) design, BEM CA generates RSA type device certificates for Android devices when BEM CA is set to ECC type.
iOS Device Management issues:
– If Home Screen wallpaper is not set in policy, any Lock Screen wallpaper configured is also being displayed on the Home Screen.
– Devices may fail to keep up with policy and/or application changes if moved between multiple device groups rapidly.
BEM 9.0.1 BETA Limitations:
– BEM Web setup tool is not fully functional.
– Silent installation only supported for Postgres with Resident CA and Resident Users.
– Apple configurator devices cannot be enrolled when the CA is set to use ECC.
BEM Web specific issues:
– Requesting user certificates fails when CA is set to issue certificates using KSP.
– Internet Explorer 11 is known to fail loading important items in the Paradox Application Policy page. It is recommended that an alternate browser is used while managing Paradox and Paradox SE devices.
– The error “No DEK loaded” may be seen when doing an initial synchronize with Active Directory. An IIS restart is required to fix this issue.
– Paradox SE Applications with (.) character in the file name when added are lost on saving the application policy.
– Template names set in general settings will only be checked against templates published on the Active Directory the server is located in.
– Changing the device certificate template does not affect certificate renewals for certificates already issued.
– Side by side installation of multiple .NET core versions can occasionally cause BEM Web to not load.
iOS and macOS Device Management issues:
– The “Delete VPN certificate” command for iOS devices will not remove the certificate whilst a VPN profile is still deployed on the device. The profile must also be removed (from Policy) to complete deletion of the certificate.
– The iOS policy restriction to disallow “Erase All Contents and Settings” is not obeyed by devices running iOS 15.0.
– Enabling Bluetooth on the device during provisioning only is now deprecated. Bluetooth may now be enabled/disabled within Device Policy at any time.
– If an iOS device with only Wi-Fi connectivity available has been placed into Lost Mode and then subsequently powered off, it may not be possible to disable Lost Mode again. This is because although the device is powered on again it may not be possible to start Wi-Fi without unlocking the screen.
– In iOS Device Policy editing an existing Standard VPN item into a PerApp VPN will fail. Remove the Standard VPN first and then apply a new PerApp VPN.
– Make sure “Send all traffic” is ticked for IPSEC VPN profile.
– IKEv2 VPN profile installation is currently failing for macOS devices.
– Enabling “Allow configuring restrictions” in iOS policy allows screen time settings on devices running iOS12 and later.
– iOS device may not register a correct push notification secret (Push Magic) after preparation. This will cause the device to stop communicating with the server.
– The values displayed for iOS device “Capacity” and “Available Capacity” may be incorrectly reported in the Details tab. This is an issue that requires a fix from Apple.
– Enabling profile encryption is currently not supported for EC certificates.
– If a new VPP account is used, apps from the previous account may remain.
Installation BEM Web
– Framework prerequisites to be installed on the server prior to BEM Web installation/upgrade:
– .NET 4.7.2 framework
– .NET Core 6.0 Hosting Bundle (download from https://dotnet.microsoft.com/download/dotnet/6.0).
– Latest version of 6.0 recommended, product tested with 6.0.11
– Visual C++ Redistributable for Visual Studio 2019 (download from https://aka.ms/vs/17/release/vc_redist.x64.exe).
– An admin document on how to perform an installation can be found in the full package of the product.
Upgrades from BEM 9.1.5
Supported Operating Systems
The BEM Web Server components support installation on the following Windows OS:
– Windows server 2019 64 bit
– Windows server 2022 64 bit
Supported Database Systems
The BEM Web Server components support installation on the following SQL servers:
– SQL Server 2014
– SQL Server 2019
– POSTGRES 13
Interoperability with other products
Provisioning iOS devices require:
– Apple Configurator 2.14
The supported email servers are:
– Microsoft Exchange 2016
The supported VPN are:
– Cisco ASA IPSEC VPN Concentrator.
Supported End User Devices
BEM Web Supports:
– iPad Air and iPhone platforms running iOS 17.2.1