Paradox SE 3.3.7 (build 1)

Product Name: paradox_se 3.3.7 (Build GA

Valid on: 2024-03-08

– Remove debug tvpolicyd logging.

– Defer settings restoration if apps are already running. Warn the user to restart the app in this case.

– Added the ability to disable the use of the Print Screen button via device policy (requires BEM 9.1.1 or later)
– Added an SLE to support SafeNet smartcards

– Updated packages to address CVE-2023-4911 (glibc) and CVE-2023-4863 (webp)

– Updated the kernel to address vulnerabilities CVE-2023-32629 and CVE-2023-2640
– Only save and restore browser extensions settings for chrome or chromium if the specific browser is installed. This relies on any customer-packaged browsers containing specifically “chrome” or “chromium” in their name, as applicable.
– Changed saving and restoring browser extension settings to ignore network configurations for which there is no applicable browser enabled
– Fixed a problem where the screen reader had stopped working in browsers
– A new accessibility feature called Reverse Contrast has been added to allow the display of “light on dark” text and controls, with customisable foreground colour (first available in 3.2.0)

– Fixed an issue where the login screen would fail to appear on very high resolution displays

– Fixed an issue where browser extensions were not appearing
– Fixed an issue where the browser xdg-open dialog was not identifying the application to be used
– Fixed an issue where chromium wasn’t picking up system proxy settings

– Uncompressed os updates have been removed. This change is not compatible with Paradox SE 2.X. Upgrade 2.X devices to 3.0/3.1/3.2 first to enable support for compressed os updates.
– Enabled USB Mass Storage mounting, under the control of Device Policy in BEM (requires BEM 9.1.0 or later)
– Enabled SMB shares, under the control of Device Policy in BEM (requires BEM 9.1.0 or later)
– Added support for advanced Intel Audio chipsets
– Added support for machines using the latest AMD Ryzen graphics chipsets
– Fixed an issue where the ethernet settings could not be changed on the registration screen
– Fixed an issue where laptops with built-in ethernet ports would not fallback to a raw connection when connected to non-802.1X usb ethernet adaptors when 802.1X was enabled in policy
– Removed the restriction on editing the wired network connection on the registration screen

– Network configuration (formerly known as network namespaces) has moved to BEM. There can now be multiple network/vpn connections and the system and apps restricted to use just one of them. However, this feature is not compatible with user group application policies.
– Added the ability to login automatically without authentication, as determined by device policy on BEM
– Added the ability to set a Startup page to inform the user of any Terms & Conditions of using the device
– Added an SLE containing the USB Forwarding components of Horizon Client 8.4.1 (Becrypt app version 2.1.0) – not compatible with other versions
– Added an SLE containing the USB Forwarding components of Horizon Client 8.7.0 (Becrypt app version 2.2.0) – not compatible with other versions
– Made wired 802.1X authentication more robust
– Added support for USB-ethernet adapters when performing PXE installations
– Persisted the UI Scaling Factor as a machine-specific setting, so it only needs setting once on machines connected to very high definition displays
– Please note that uncompressed OS updates are deprecated and will be removed in the next release. Existing devices using Paradox version 2.X must be upgraded to 3.X using an uncompressed OS update before they are able to use compressed ones. They will not be able to upgrade directly from 2.X to versions beyond this one.

– Updated packages to address various vulnerabilities including CVE-2022-0847 AKA “Dirty Pipes”
– Added support for cross-domain gateways, specifically HITMAN
– Fixed disabling webcams on screen lock
– HDMI monitor attachment/removal logging
– Update soft token when device cert renewed
– Shutdown speed improvements
– OS update status in system info applet
– Added brightness control for desktops
– Fixed NumLock behaviour on lock screen
– Access to the PIN changer app is now controlled by Device Policy

– Updated the installation and provisioning guide to clarify how to deal with expired secure boot product keys

– Fixed an issue where checking the MTU size of a network link had stopped working

– Increased the saving user profile timeout from 20 seconds to 60 seconds to avoid failure when lots of apps and extensions are present

– Fixed an issue with printing where the user’s email address was being substituted in the printer config rather than their ID
– Fixed an issue where the user profile was not being saved on BEM

– Updated the underlying operating system to the latest long term support release.
– Added support for compressed os updates. The first v3.0 update must be uncompressed to install support but subsequent updates may save space and bandwidth by using the compressed update.
– Added support for updating the secure boot certificate. Please see accompanying documentation for the exact process. To install the packaging tool, bc-pkg.deb, an updated efitools package must first be installed. This can be found in the same folder as the packaging tool.
– Added support for Elliptic Curve Cryptography for device certificates, user login certificates and remote attestation
– Changed the lock screen to more closely mirror the login screen.
– All apps have been updated to work with this release. Some older versions still work with the following exceptions: Citrix Workspace App, Filezilla, Gnome Terminal, LibreOffice, Remmina, VLC. Old versions have a version number beginning with 1 while new versions begin with 2.
– When updating the os and apps at the same time there is a danger that app settings will be lost. To prevent this it is recommended that the system update is changed in BEM to v3.0 and only after machines have rebooted that the apps are updated.

Remote Attestation
The TPM quote operation may be unsuccessful showing a PCR-1 mismatch in the BEM service logs in these circumstances:
a. Bootable devices present at bootup. Please ensure there are no mass storage devices such as USB sticks plugged in at bootup
b. Bootable devices were plugged in during machine registration. The machine will need to b re-registered.
c. With some UEFI firmware different PCR-1 calculations are given depending on whether the device was warm or cold booted. This can be worked around by masking off PCR-1 within BEM policy. Also refer to the machine vendor in case there is a firmware update available.

If Remote Attestation is not configured properly then at BEM Web the following error will be observed in the Service Logs:
Could not enroll device <device name> for Remote Attestation.
Depending on the root cause of the error different error messages will be observed in the Device Activity Logs. If the RA CA is not properly configured then this message will be seen:
Server error 400: Paradox SE Remote Attestation is not yet configured on the server. (1007)
If the root cause is that an enrollment error has meant the correct keys were not persisted to the server this error will be seen:
Unknown TPM found (1024).

Known Issues
– Please note that cross-domain gateways will need to be added to any proxy PAC file manually .
– CRL checks are not done for the RADIUS server so it is possible to connect via a RADIUS server with a revoked certificate.
– The user is prompted to enter a password when trying to connect to a 802.1x network in the case where the device certificate is not trusted.
– Headset microphones already plugged in at boot will be muted by default.
– If using single sign on with two smartcards please wait until both cards have initialised before accessing services.
– The file contains the source for a package called qpdf that has test files that are known to trigger anti-virus software. This is a false positive and can be ignored:
– When using bookmarks, the ‘Where am I’ feature is not working – using the suggested ‘Alt + Shift + number’ does not yield anything.
– When locking and unlocking the system, using the ‘Tab’ key to hear the unlock dialogue does not work, nor does the audible sound when inserting and removing the token.
– Some Dell Latitude laptops have been found to not turn off the screen when the lid is closed, which can waste battery and make the keyboard hot.
– Trying to unlock a laptop with a closed lid or an external monitor that is off can sometimes put the unlock dialog on the wrong display. If it is not visible then moving the mouse to the active display should cause the unlock dialog to follow.
– When network namespaces are enabled it is not possible to drag and drop files from samba shares to the Desktop directly. They can be copy & pasted or dragged to another file explorer window instead.
– Certificate revocation using CRL does not apply to browsers which use their own mechanisms. Customers needing to revoke certificates need to stand-up the appropriate services.
– Custom network configurations are not supported with user group application policies

Interoperability with other Becrypt Products
– To fully manage the policy for this release BEM Web 9.1.0 or later is required

System Level Extensions (SLEs)
The following SLEs can be uploaded via BEM Web:
– Horizon Client USB Forwarding
– Horizon Client USB Forwarding 8.7.0
– PicoTTS
– PXE Server
– SafeNet Client
– StrongSwan VPN

Tested Hardware Platforms
Dell OptiPlex 7440 AiO with TPM 1.2
Dell OptiPlex 7450 AiO with TPM 2.0
Dell OptiPlex 7460 AiO with TPM 2.0
Dell Latitude 5480 with TPM 1.2
Dell Latitude 5580 with TPM 1.2
Dell Latitude 7390 with TPM 2.0
Dell Latitude 5510 with TPM 2.0
Dell Latitude 7310 with TPM 2.0
Dell Latitude 3500 with TPM 2.0
Dell Latitude 7300 with TPM 2.0
Dell Latitude 7420 with TPM 2.0
HP EliteBook 830 G8 with TPM 2.0
Lenovo ThinkPad E15 with TPM 2.0

– 0845 838 2070

We're here to help

Please Contact us

general enquiries

+44 (0) 845 8382050


+44 (0) 345 8382070

Join Our Newsletter

Receive our latest blog posts directly in your inbox!