Paradox 3.4.1 (build 9)

Release Notes

Product Name: Paradox 3.4.1 (Build GA)

Valid on: 2024-06-19

– Persisted Global Protect VPN SLE settings files PanPortalCfg_*.dat
– Added the Cisco Secure Client VPN SLE – only customers who have explicitly requested us to package this for them are allowed to receive this

– Fixed an issue where the DisplayLink SLE would not work on certain hardware platforms
– Added the ability to restrict device login to specific users, either via the registration wizard or post-registration via BEM device policy
– Fixed an issue with GlobalProtect that meant it wouldn’t auto-start correctly
– Added support for the GlobalProtect pre-deployment config file
– Added support for using NTP servers specified by DHCP
– Updated the Linux kernel to v6.2
– Fixed an issue where SMB shares sometimes weren’t mounted
– Added the ability to control print screen by device policy
– Added the ability to prevent editing network settings by device policy
– Fixed an issue where the screen reader did not work on the lock & unlock dialogue boxes
– Updated the Horizon Client USB forwarding SLE to version 8.9.0
– Added support for hidden wifi connections via device policy
– Updated the AnyConnect VPN SLE to version 4.10.07061
– Added support for remote wipe via BEM when a device is revoked
– Added a Secure Network Device Monitor and applet, initially supporting the AltoCrypt Stik
– Added support for changing network settings during registration
– Added support for OpenVPN and GlobalProtect on custom network configurations
– Added new functionality to monitor file transfer to USB drives
– Added the device certificate expiry date to the system info applet
– Updated the Yubikey PIN changer app to enforce PIN complexity requirements as set on BEM
– Added the ability to access the Orca settings applet from System Settings
– Added the ability to lock the system timezone controlled by device policy via BEM
– Removed PicoTTS SLE as it wasn’t being used

– Added a restricted SLE for Sales support to allow altering the frequency of policy refresh. Set the interval in seconds as an integer launcher parameter (default 30 seconds if not set). Set auto-launch on user login and hide from menu and panel for invisible operation.

– Fixed an issue that was causing various visual artifacts on the login screen

– Updated the kernel to address vulnerabilities CVE-2023-32629 and CVE-2023-2640
– Fixed an issue where SMB shares sometimes don’t appear in file explorer

– Added a feature to allow Paradox to automatically connect to hidden wifi access points

– Fixed an issue where modifications to ethernet connections were forgotten when 802.1X was enabled
– Updated AnyConnect to 4.10.07061

– Fixed an issue where creating an installer stick could, under certain circumstances, lose its SLEs between reboots

– Added support for machines using the latest AMD Ryzen graphics chipsets
– OpenVPN and GlobalProtect VPN clients are now supported in custom network configurations
– Added support for advanced Intel Audio chipsets

– Fixed an issue where documents could not be opened directly from network shares

– Added support for USB-to-ethernet adapters for PXE installation on laptops without ethernet ports
– Persist UI scaling display setting as a machine setting to make devices connected to very high resolution displays easier to use
– Reinstated missing power management settings
– Fixed an issue where the screen would still lock through inactivity when a video call was in progress
– Fixed an issue where a laptop could get into an inconsistent state after suspending due to a critically low battery

– Network configuration (formerly known as network namespaces) has moved to BEM. There can now be multiple network/vpn connections and the system and apps restricted to use just one of them.
– Added support for letting the user connect to different wifi networks even when networks are defined in policy
– Added an SLE containing the USB Forwarding components of Horizon Client 8.4.1 (Becrypt app version 2.1.0) – not compatible with other versions
– Added an SLE containing the USB Forwarding components of Horizon Client 8.7.0 (Becrypt app version 2.2.0) – not compatible with other versions
– Made wired 802.1X authentication more robust
– Added an SLE containing the DisplayLink video driver software for use with DisplayLink USB-C hubs. See for known issues.
– Please note that uncompressed OS updates are deprecated and will be removed in the next release. Existing devices using Paradox version 2.X must be upgraded to 3.X using an uncompressed OS update before they are able to use compressed ones. They will not be able to upgrade directly from 2.X to versions beyond this one.

– Added support for network namespaces. This enables multiple VPNs to be used simultaneously. Upload the to application policy to enable the use of network namespaces.
– Improved password authentication with length and complexity settings on BEM
– Added a kernel audit log monitor to detect potential malicious device activity
– Added fs-verity to detect application tampering at runtime
– Added support for eMMC-based devices
– Added OS update status to system info applet
– Added a high contrast light-on-dark theme known as Reverse Contrast
– Improved the logging of connecting and disconnecting external displays to include all displays and, where possible, the name of the display as well
– Enabled the AnyConnect Posture Check module
– Added power settings to control the lid closed action for laptops
– Added a battery applet (for laptops) and brightness control (for desktops) to the system tray
– Added PicoTTS SLE as an alternative voice for text-to-speech
– Enabled writing Paradox SE OS updates from the disk installer app (16GB RAM required to do this from hard disk)
– Device certificate renewal period changed to 90 days
– bc-disk-installer no longer needs to be run as root

– GA release for non-AnyConnect customers

– Updated AnyConnect to v4.10.04071

– Disabled IPv6 as it wasn’t fully supported and caused issues with some network adaptors
– Fixed the MTU size for network adaptors that use smaller values than the default 1500
– Added support for reading and writing CDs and DVDs
– Added a cert-expiry.txt file to the release to show when the signing certificate expires
– Enabled the AnyConnect Posture Check module

– Updated the kernel packages to address vulnerability CVE-2022-0847 AKA “Dirty Pipes”

– Added compressed OS updates to the release. As long as a device is currently running Paradox 3.0.0, it may be updated with a compressed OS update, saving bandwidth and download times. If it is currently running a 2.X release then it will fail.
– Added support for VPN enforcement. A VPN-only version of AnyConnect has been added and corresponding versions of Firefox and Citrix Workspace are available.
– Access to the PIN changer app is now controlled by Device Policy.
– Fixed some High Contrast theme issues.
– A Create Folder button has been added to the File Explorer app toolbar.
– The soft token is now updated automatically when the device certificate is renewed.

– Updated the underlying operating system to the latest long term support release.
– Added support for compressed OS updates. The first v3.0 update must be uncompressed to install support, but subsequent updates may save space and bandwidth by using the compressed update.
– Changed the lock screen to more closely mirror the login screen.
– All apps have been updated to work with this release. Some older versions still work with the following exceptions: Citrix Workspace App, Filezilla, Gnome Terminal, LibreOffice, Remmina, VLC. Old versions have a version number beginning with 1 while new versions begin with 2.
– The AnyConnect SLE, where available, must have the ExcludeFirefoxNSSCertStore key set to false in its AnyConnectLocalPolicy.xml config file

Known Issues
– When using BEM server versions before 8.3.0 the Becrypt Product Intermediate CA certificate is not correctly processed. This results in a failure to register new Paradox devices or update the policies of updated machines. The workaround is to add the Product Intermediate CA certificate to the machine’s Intermediate CA certificate store. Paradox devices will then automatically correct themselves and policies will get refreshed. The Becrypt Product Intermediate CA certificate can be found in the OS update zip file as becrypt_intermediateca.crt.
– If locally cached user settings were not synchronised to BEM on shutdown (e.g. if the network cable was disconnected) then after a reboot, when the network is re-established, the BEM user settings will be downloaded and applied, even though they are older than the locally cached user settings.
– The file contains the source for a package called qpdf that has test files that are known to trigger anti-virus software. This is a false positive and can be ignored:
– Some Dell Latitude laptops have been found to not turn off the screen when the lid is closed, which can waste battery and make the keyboard hot.
– Trying to unlock a laptop with a closed lid or an external monitor that is off can sometimes put the unlock dialog on the wrong display. If it is not visible then moving the mouse to the active display should cause the unlock dialog to follow.
– When network namespaces are enabled it is not possible to drag and drop files from samba shares to the Desktop directly. They can be copy & pasted or dragged to another file explorer window instead.
– If the Reverse Contrast theme is applied after an application has been started then it can sometimes fail to pick up all elements of the theme.
– If a single, non-fullscreen window is minimised and then restored it can sometimes become partially transparent. As a work-around launch another window such as the system info applet to force it to draw correctly.
– The GlobalProtect VPN SLE takes approximately 10 seconds to close its connection on shutdown.
– The disk installer app, if used with uncompressed OS updates, needs to run on a machine with at least 16GB of RAM to avoid running out of space.
– On screen keyboard is not internationalized (if used).
– Where there are networking policy restrictions such as WiFi access points or 802.1X configured then the admin must also fully configure the OpenConnect VPN SLE (if used). This means they must build a configuration file on a vanilla Ubuntu system and upload it to BEM Web.
– The firewall does not support whitelisting websites having multiple IP addresses (e.g. load balancing, redundancy).
– OpenAM and Okta have not been tested in this release and are therefore not supported.
– Devices may still lock if the keyboard or mouse isn’t touched within the idle lock time even if a video or call is in progress.
– Laptops with the screen reader enabled use Caps Lock as a shortcut key, so it has to be double-tapped to toggle on or off.
– Upgrades from versions prior to 3.3 lose their audio settings due to changes in the way the data is stored by upstream packages. Once updated, settings will be retained again.
– Versions of BEM prior to 9.2.0 will allow Paradox USB Installer sticks to register to groups that are TPM only. This must be avoided as it will cause issues with later use.
– The Brasero DVD burning app will not write data projects to a blank disk. Burning ISO images always works, so the workaround is to write a data project to an ISO image file and then burn the ISO image file to disk.
– When connecting a DisplayLink-compatible device, Paradox may briefly display a black screen along with a “display link service failed” message.

Interoperability with other Becrypt Products
– BEM Web 9.2.0 or later version is required to fully manage devices with this release of Paradox

System Level Extensions (SLEs)
The following SLEs can be uploaded via BEM Web:
– DisplayLink
– GlobalProtect VPN
– Horizon Client USB Forwarding
– Horizon Client USB Forwarding 8.7.0
– Horizon Client USB Forwarding 8.9.0
– OpenVPN
– PXE Server
– StrongSwan VPN
