Paradox 3.3.5 (build 3) is now available as a GA release.

Valid on: 2023-08-09

3.3.5
-----
- Fixed an issue that was causing various visual artifacts on the login screen

3.3.4
-----
- Updated the kernel to address vulnerabilities CVE-2023-32629 and CVE-2023-2640
- Fixed an issue where smb shares sometimes don't appear in file explorer

3.3.3
-----
- Added a feature to allow Paradox to automatically connect to hidden wifi access points

3.3.2
-----
- Fixed an issue where modifications to ethernet connections were forgotten when 802.1X was enabled
- Updated AnyConnect to 4.10.07061

3.3.1
-----
- Fixed an issue where creating an installer stick could, under certain circumstances, lose its SLEs between reboots

3.3.0
-----
- Added support for machines using the latest AMD Ryzen graphics chipsets
- OpenVPN and GlobalProtect VPN clients are now supported in custom network configurations
- Added support for advanced Intel Audio chipsets

3.2.3
-----
- Fixed an issue where documents could not be opened directly from network shares

3.2.2
-----
- Added support for USB-to-ethernet adapters for PXE installation on laptops without ethernet ports
- Persist UI scaling display setting as a machine setting to make devices connected to very high resolution displays easier to use
- Reinstated missing power management settings
- Fixed an issue where the screen would still lock through inactivity when a video call was in progress
- Fixed an issue where a laptop could get into an inconsistent state after suspending due to a critically low battery

3.2.1
-----
- Network configuration (formerly known as network namespaces) has moved to BEM. There can now be multiple network/vpn connections and the system and apps restricted to use just one of them.
- Added support for letting the user connect to different wifi networks even when networks are defined in policy
- Added an SLE containing the USB Forwarding components of Horizon Client 8.4.1 (Becrypt app version 2.1.0) - not compatible with other versions
- Added an SLE containing the USB Forwarding components of Horizon Client 8.7.0 (Becrypt app version 2.2.0) - not compatible with other versions
- Made wired 802.1X authentication more robust
- Added an SLE containing the DisplayLink video driver software for use with DisplayLink USB-C hubs. See https://support.displaylink.com/knowledgebase/articles/641668 for known issues.
- Please note that uncompressed OS updates are deprecated and will be removed in the next release. Existing devices using Paradox version 2.X must be upgraded to 3.X using an uncompressed OS update before they are able to use compressed ones. They will not be able to upgrade directly from 2.X to versions beyond this one.

3.2.0
-----
- Added support for network namespaces. This enables multiple VPNs to be used simultaneously. Upload the bc-netns-manager.app to application policy to enable the use of network namespaces.
- Improved password authentication with length and complexity settings on BEM
- Added a kernel audit log monitor to detect potential malicious device activity
- Added fs-verity to detect application tampering at runtime
- Added support for eMMC-based devices
- Added OS update status to system info applet
- Added a high contrast light-on-dark theme known as Reverse Contrast
- Improved the logging of connecting and disconnecting external displays to include all displays and, where possible, the name of the display as well
- Enabled the AnyConnect Posture Check module
- Added power settings to control the lid closed action for laptops
- Added a battery applet (for laptops) and brightness control (for desktops) to the system tray
- Added PicoTTS SLE as an alternative voice for text-to-speech
- Enabled writing Paradox SE os updates from the disk installer app (16GB RAM required to do this from hard-disk)
- Device certificate renewal period changed to 90 days
- bc-disk-installer no longer needs to be run as root

3.1.4
-----
- GA release for non-AnyConnect customers

3.1.3
-----
- Updated AnyConnect to v4.10.04071

3.1.2
-----
- Disabled IPv6 as it wasn't fully supported and caused issues with some network adaptors
- Fixed the MTU size for network adaptors that use smaller values than the default 1500
- Added support for reading and writing CDs and DVDs
- Added a cert-expiry.txt file to the release to show when the signing certificate expires
- Enabled the AnyConnect Posture Check module

3.1.1
-----
- Updated the kernel packages to address vulnerability CVE-2022-0847 AKA "Dirty Pipes"

3.1.0
-----
- Added compressed os updates to the release. As long as a device is currently running Paradox 3.0.0 then it maybe be updated with a compressed os update, saving bandwidth and download times. If it is currently running a 2.X release then it will fail.
- Added support for VPN enforcement. A VPN-only version of AnyConnect has been added and corresponding versions of Firefox and Citrix Workspace are available.
- Access to the PIN changer app is now controlled by Device Policy.
- Fixed some High Contrast theme issues.
- A Create Folder button has been added to the File Explorer app toolbar.
- The soft token is now updated automatically when the device certificate is renewed.

3.0.0
-----
- Updated the underlying operating system to the latest long term support release.
- Added support for compressed os updates. The first v3.0 update must be uncompressed to install support but subsequent updates may save space and bandwidth by using the compressed update.
- Changed the lock screen to more closely mirror the login screen.
- All apps have been updated to work with this release. Some older versions still work with the following exceptions: Citrix Workspace App, Filezilla, Gnome Terminal, LibreOffice, Remmina, VLC. Old versions have a version number beginning with 1 while new versions begin with 2.
- The AnyConnect SLE, where available, must have the ExcludeFirefoxNSSCertStore key set to false in its AnyConnectLocalPolicy.xml config file

Known Issues
-------------------
- When using BEM server versions before 8.3.0 the Becrypt Product Intermediate CA certificate is not correctly processed. This results in a failure to register new Paradox devices or update the policies of updated machines. The workaround is to add the Product Intermediate CA certificate to the machine’s Intermediate CA certificate store. Paradox devices will then automatically correct themselves and policies will get refreshed. The Becrypt Product Intermediate CA certificate can be found in the OS update zip file as becrypt_intermediateca.crt.
- If locally cached user settings were not synchronised to BEM on shutdown (eg if the network cable was disconnected) then after a reboot, when the network is re-established, the BEM user settings will be downloaded and applied, even though they are older than the locally cached user settings.
- The sources.zip file contains the source for a package called qpdf that has test files that are known to trigger anti-virus software. This is a false positive and can be ignored: https://github.com/qpdf/qpdf/issues/216.
- Some Dell Latitude laptops have been found to not turn off the screen when the lid is closed, which can waste battery and make the keyboard hot.
- Trying to unlock a laptop with a closed lid or an external monitor that is off can sometimes put the unlock dialog on the wrong display. If it is not visible then moving the mouse to the active display should cause the unlock dialog to follow.
- When network namespaces are enabled it is not possible to drag and drop files from samba shares to the Desktop directly. They can be copy & pasted or dragged to another file explorer window instead.
- If the Reverse Contrast theme is applied after an application has been started then it can sometime fail to pick up all elements of the theme.
- If a single, non-fullscreen window is minimised and then restored it can sometimes become partially transparent. As a work-around launch another window such as the system info applet to force it to draw correctly.
- The GlobalProtect VPN SLE takes approximately 10 seconds to close its connection on shutdown.
- The disk installer app, if used with uncompressed os updates, needs to run on a machine with at least 16GB of RAM to avoid running out of space.
- On screen keyboard is not internationalized (if used).
- Where there are networking policy restrictions such as WiFi access points or 802.1x configured then the admin must also fully configure the OpenConnect VPN SLE (if used). This means they must build a configuration file on a vanilla ubuntu system and upload it to BEM Web.
- The firewall does not support whitelisting websites having multiple IP addresses (e.g. load balancing, redundancy).
- OpenAM has not been tested in this release and is therefore not supported.
- Devices may still lock if the keyboard or mouse isn't touched within the idle lock time even if a video or call is in progress.

Interoperability with other Becrypt Products 
---------------------------------------------------------
- BEM Web 8.4.0 or later version is required to fully manage devices with this release of Paradox

System Level Extensions (SLEs)
------------------------------
The following SLEs can be uploaded via BEM Web:
- DisplayLink
- GlobalProtect VPN
- Horizon Client USB Forwarding
- Horizon Client USB Forwarding 8.7.0
- OpenVPN
- PicoTTS
- PXE Server
- StrongSwan VPN
      
Support
------------
- support@becrypt.com
- 0845 838 2070