Paradox SE 3.5.0 (build 85)

Release Notes

Product Name: paradox_se 3.5.0 (Build GA)

Valid on: 2024-05-31

– Converted the package-list.txt file in the OS release to use windows line-endings
– Added an Eclypt Remote Disk Services SLE to support Viasat encrypted USB disks (does not work when running from USB, requires the Eclypt Management App)
– Fixed an issue where the lock screen wouldn’t always say “screen locked” when the screen reader was enabled
– Made silent device registration fetch SLEs before rebooting
– Removed the PicoTTS SLE
– Added a Voxin SLE – a more natural voice for the screen reader
– Fixed an issue with adding NTP servers from DHCP
– Fixed an issue where the Secure Network Device Monitor did not open if the systray applet was already active
– Fixed some UI issues where the Secure Network Device Monitor did not always update correctly
– Added a secure keyring for storing credentials that is persisted if smartcard authentication is being used and the device is using a TPM version 2.0
– Converted SMB share credentials to use the keyring
– Automount SMB shares if their credentials are already in the keyring
– Added SMB share information to the system info applet
– Enabled CD/DVD mounting (requires the Brasero app for writing)
– Increased the limit for process memlocks, fixing an issue that was preventing the Brasero app from writing to DVD in some circumstances
– Prevented the file explorer appearing in the right-click “Open With” -> “Other application” menu for icons on the desktop (please note that old versions of File Explorer will not work with this release)
– Ensured gets removed from the data partition if an error occurs during a system update
– Persisted any static IP address set in the default connection profile during registration
– Prevented settings being lost when a user renews their own Yubikey cert and key (the user must shut down with the Yubikey still inserted and must not be using guest mode)
– Deleted the test version of secure-network-device-monitor.json that accidentally got included in the OS
– Implemented an apparmor profile for the keyring
– Implemented an apparmor profile for the secure network device monitor
– Added a boolean option “waitForPolicyFiles” to the silent registration config file to wait for all app, config and policy files to download before rebooting
– Added a checkbox to the registration wizard to wait for all app, config and policy files to download before completing
– Updated data partitions from very old original installations to support fsverity hashes
– Fall back to the old sha256 app hash check if fsverity can’t be enabled on the data partition, and send an audit log
– Added audit logs for unencrypted data partitions and whether they are subsequently encrypted or not
– For reference, CVE-2022-29901, a new Spectre variant affecting Intel microprocessor generations 6 to 8, was addressed in version 3.2.0
– Reduced policy daemon logging levels
– Prevented rsyslog from trying to reach the fake destination if remote logging is not enabled
– Prevented systemd-timesyncd from restarting if an error occurs or if NTP isn’t enabled in policy. A change of network connectivity will still restart it, if enabled.
– Registration device names are no longer allowed to start or end with a hyphen
– Made checking for HTTP request headers case-insensitive as a step towards supporting HTTP/2. However, use of HTTP/2 has not been fully tested and HTTP/1.1 must still be used for the time being.
– Switched the sound system back to timing-based scheduling to prevent occasional distortion of the screen reader voice
– Automatically enable any USB ethernet adapters if there is not one built in and the machine suffers a yellow screen of death due to a missing policy file

– Added the ability to restrict device login to specific users, either via the registration wizard or post-registration via BEM device policy
– Added support for using NTP servers specified by DHCP
– Updated the linux kernel to v6.2
– Fixed an issue where smb shares sometimes weren’t mounted
– Added the ability to control print screen by device policy
– Added the ability to prevent editing network settings by device policy
– Fixed an issue where the screen reader did not work on the lock & unlock dialogue boxes
– Updated the Horizon Client USB forwarding SLE to version 8.9.0
– Added support for remote wipe via BEM when a device is revoked
– Added a Secure Network Device Monitor and applet, initially supporting the AltoCrypt Stik
– Added support for changing network settings during registration
– Added new functionality to monitor file transfer to USB drives
– Added the device certificate expiry date to the system info applet
– Updated the Yubikey PIN changer app to enforce PIN complexity requirements as set on BEM
– Added the ability to migrate installed devices to use APP-XD. When the address and key are added to the group in BEM then they will be downloaded on the next policy refresh. Then when the device is rebooted it will switch to communicating with BEM via APP-XD.
– Added the ability to access the Orca settings applet from System Settings
– Added the ability to lock the system timezone controlled by device policy via BEM
– Added an SLE to support SafeNet smartcards

– Remove debug tvpolicyd logging (issue still present in 3.4.0)

– Defer settings restoration if apps are already running. Warn the user to restart the app in this case.

– Added the ability to disable the use of the Print Screen button via device policy (requires BEM 9.1.1 or later)
– Added an SLE to support SafeNet smartcards

– Updated packages to address CVE-2023-4911 (glibc) and CVE-2023-4863 (webp)

– Updated the kernel to address vulnerabilities CVE-2023-32629 and CVE-2023-2640
– Only save and restore browser extensions settings for chrome or chromium if the specific browser is installed. This relies on any customer-packaged browsers containing specifically “chrome” or “chromium” in their name, as applicable.
– Changed saving and restoring browser extension settings to ignore network configurations for which there is no applicable browser enabled
– Fixed a problem where the screen reader had stopped working in browsers
– A new accessibility feature called Reverse Contrast has been added to allow the display of “light on dark” text and controls, with customisable foreground colour (first available in 3.2.0)

– Fixed an issue where the login screen would fail to appear on very high resolution displays

– Fixed an issue where browser extensions were not appearing
– Fixed an issue where the browser xdg-open dialog was not identifying the application to be used
– Fixed an issue where chromium wasn’t picking up system proxy settings

– Uncompressed OS updates have been removed. This change is not compatible with Paradox SE 2.X. Upgrade 2.X devices to 3.0/3.1/3.2 first to enable support for compressed OS updates.
– Enabled USB Mass Storage mounting, under the control of Device Policy in BEM (requires BEM 9.1.0 or later)
– Enabled SMB shares, under the control of Device Policy in BEM (requires BEM 9.1.0 or later)
– Added support for advanced Intel Audio chipsets
– Added support for machines using the latest AMD Ryzen graphics chipsets
– Fixed an issue where the ethernet settings could not be changed on the registration screen
– Fixed an issue where laptops with built-in ethernet ports would not fall back to a raw connection when connected to non-802.1X USB ethernet adapters while 802.1X was enabled in policy
– Removed the restriction on editing the wired network connection on the registration screen

– Network configuration (formerly known as network namespaces) has moved to BEM. There can now be multiple network/vpn connections and the system and apps restricted to use just one of them. However, this feature is not compatible with user group application policies.
– Added the ability to login automatically without authentication, as determined by device policy on BEM
– Added the ability to set a Startup page to inform the user of any Terms & Conditions of using the device
– Added an SLE containing the USB Forwarding components of Horizon Client 8.4.1 (Becrypt app version 2.1.0) – not compatible with other versions
– Added an SLE containing the USB Forwarding components of Horizon Client 8.7.0 (Becrypt app version 2.2.0) – not compatible with other versions
– Made wired 802.1X authentication more robust
– Added support for USB-ethernet adapters when performing PXE installations
– Persisted the UI Scaling Factor as a machine-specific setting, so it only needs setting once on machines connected to very high definition displays
– Please note that uncompressed OS updates are deprecated and will be removed in the next release. Existing devices using Paradox version 2.X must be upgraded to 3.X using an uncompressed OS update before they are able to use compressed ones. They will not be able to upgrade directly from 2.X to versions beyond this one.

– Updated packages to address various vulnerabilities including CVE-2022-0847 AKA “Dirty Pipes”
– Added support for cross-domain gateways, specifically HITMAN
– Fixed disabling webcams on screen lock
– Added logging of HDMI monitor attachment and removal
– Updated the soft token when the device certificate is renewed
– Improved shutdown speed
– Added the OS update status to the system info applet
– Added brightness control for desktops
– Fixed NumLock behaviour on lock screen
– Access to the PIN changer app is now controlled by Device Policy

– Updated the installation and provisioning guide to clarify how to deal with expired secure boot product keys

– Fixed an issue where checking the MTU size of a network link had stopped working

– Increased the saving user profile timeout from 20 seconds to 60 seconds to avoid failure when lots of apps and extensions are present

– Fixed an issue with printing where the user’s email address was being substituted in the printer config rather than their ID
– Fixed an issue where the user profile was not being saved on BEM

– Updated the underlying operating system to the latest long term support release.
– Added support for compressed OS updates. The first v3.0 update must be uncompressed to install support, but subsequent updates may save space and bandwidth by using the compressed update.
– Added support for updating the secure boot certificate. Please see accompanying documentation for the exact process. To install the packaging tool, bc-pkg.deb, an updated efitools package must first be installed. This can be found in the same folder as the packaging tool.
– Added support for Elliptic Curve Cryptography for device certificates, user login certificates and remote attestation
– Changed the lock screen to more closely mirror the login screen.
– All apps have been updated to work with this release. Some older versions still work with the following exceptions: Citrix Workspace App, Filezilla, Gnome Terminal, LibreOffice, Remmina, VLC. Old versions have a version number beginning with 1 while new versions begin with 2.
– When updating the os and apps at the same time there is a danger that app settings will be lost. To prevent this it is recommended that the system update is changed in BEM to v3.0 and only after machines have rebooted that the apps are updated.

Remote Attestation
The TPM quote operation may be unsuccessful, showing a PCR-1 mismatch in the BEM service logs, in these circumstances:
a. Bootable devices present at bootup. Please ensure there are no mass storage devices such as USB sticks plugged in at bootup.
b. Bootable devices were plugged in during machine registration. The machine will need to be re-registered.
c. With some UEFI firmware, different PCR-1 calculations are given depending on whether the device was warm-booted or cold-booted. This can be worked around by masking off PCR-1 within BEM policy. Also refer to the machine vendor in case there is a firmware update available.

If Remote Attestation is not configured properly then at BEM Web the following error will be observed in the Service Logs:
Could not enroll device <device name> for Remote Attestation.
Depending on the root cause of the error different error messages will be observed in the Device Activity Logs. If the RA CA is not properly configured then this message will be seen:
Server error 400: Paradox SE Remote Attestation is not yet configured on the server. (1007)
If the root cause is that an enrollment error has meant the correct keys were not persisted to the server this error will be seen:
Unknown TPM found (1024).

Known Issues
– Please note that cross-domain gateways will need to be added to any proxy PAC file manually.
– CRL checks are not done for the RADIUS server so it is possible to connect via a RADIUS server with a revoked certificate.
– The user is prompted to enter a password when trying to connect to a 802.1x network in the case where the device certificate is not trusted.
– Headset microphones already plugged in at boot will be muted by default.
– If using single sign on with two smartcards please wait until both cards have initialised before accessing services.
– The file contains the source for a package called qpdf that has test files that are known to trigger anti-virus software. This is a false positive and can be ignored:
– When using bookmarks, the ‘Where am I’ feature is not working – using the suggested ‘Alt + Shift + number’ does not yield anything.
– Some Dell Latitude laptops have been found to not turn off the screen when the lid is closed, which can waste battery and make the keyboard hot.
– Trying to unlock a laptop with a closed lid or an external monitor that is off can sometimes put the unlock dialog on the wrong display. If it is not visible then moving the mouse to the active display should cause the unlock dialog to follow.
– When network configurations are enabled it is not possible to drag and drop files from samba shares to the Desktop directly. They can be copy & pasted or dragged to another file explorer window instead.
– Certificate revocation using CRL does not apply to browsers which use their own mechanisms. Customers needing to revoke certificates need to stand-up the appropriate services.
– Custom network configurations are not supported with user group application policies.
– Laptops with the screen reader enabled use Caps Lock as a shortcut key so it has to be double-tapped to toggle on or off.
– Upgrades from versions prior to 3.3 lose their audio settings due to changes in the way the data is stored by upstream packages. Once updated, settings will be retained again.
– Upgraded machines will show a PCR-4 mismatch during TPM quote validation due to changes in the bootloader.
– If a connection to an AltoCrypt Stik using 802.1X is turned off or switched to raw then it will not reconnect when switched back. The Stik will need to be unplugged and plugged back in to restore the connection.
– Locking and unlocking the screen with the Orca settings page open renders the settings unresponsive until you close them and open them again.
– Folders created on the desktop will not open the File Manager (if installed) when double-clicked. Please start the File Manager separately.
– The library libmozjs-52-0 is known to contain a High-rated vulnerability CVE-2019-11707. This library is used internally to render the UI and is not exploitable by outside input that might otherwise affect the stability of the system.
– The screen reader on some hardware does not announce “unlock window” when the screen is woken up from being locked.
– The Dell Inspiron 5440 laptop is known to crash during shutdown on occasion.
– If an AltoCrypt Stik is inserted, causing the password prompt to appear, then removed and re-inserted, the password prompt will not appear the second time and the app has to be opened manually.

Interoperability with other Becrypt Products
– To fully manage the policy for this release BEM Web 9.2.1 or later is required.

System Level Extensions (SLEs)
The following SLEs can be uploaded via BEM Web:
– Horizon Client USB Forwarding
– Horizon Client USB Forwarding 8.7.0
– Horizon Client USB Forwarding 8.9.0
– PXE Server
– Remote Disk Services
– SafeNet Client
– StrongSwan VPN
– Voxin

Supported Hardware Platforms
Dell OptiPlex 7440 AiO with TPM 1.2
Dell OptiPlex 7450 AiO with TPM 2.0
Dell OptiPlex 7460 AiO with TPM 2.0
Dell Latitude 5480 with TPM 1.2
Dell Latitude 5580 with TPM 1.2
Dell Latitude 5430 with TPM 2.0
Dell Latitude 7390 with TPM 2.0
Dell Latitude 5510 with TPM 2.0
Dell Latitude 7310 with TPM 2.0
Dell Latitude 3500 with TPM 2.0
Dell Latitude 7300 with TPM 2.0
Dell Latitude 7420 with TPM 2.0
HP EliteBook 830 G8 with TPM 2.0
Lenovo ThinkPad E15 with TPM 2.0
