Impex release information

Information about the IMPEX release 5.9.0

Release Type: General

The IMPEX 5.9.0 release

This release adds SSO support as a technical preview to the ICC. This first implementation supports OpenID Connect with Keycloak [1]. We will add support for OpenID Connect with Microsoft ADFS in a future release. Please let us know if your organisation uses another OpenID Connect provider that you want support for.

We also added support for the Kingston Datavault 3.0 crypto drives and added a popup modal window that appears when an inserted USB drive causes I/O errors, which usually is a sign that the drive or the attached cables are faulty.

For Datalock users we have added timestamps for Last Used and for any errors uploading the scanned files to the final destination.

The Xtransfer product is now complete in that it now supports importing AND exporting from a Windows AD environment to USB drives using the USBProtect station with smartcards.

This release also bumps the underlying operating system from Sysctl Linux 42 to Sysctl Linux 43.

ICC changes

  • Add OpenID Connect support to the ICC, initially only tested with Keycloak
  • Minor cosmetic fixes; like a new button for the ICC Signify Key download
  • The ICC user listing now includes pure Django accounts, like the initial admin user
  • This release contains UEFI CA certificate updates for the USBProtect stations. The station card will show a green shield if the UEFI CA 2023 certificate was successfully imported. On some very old Gen1 stations with an older BIOS version, the BIOS will not be able to import the new certificate. The shield will then be red and more information will be available in the detailed station view.

ICC fixes

  • The BitLocker “filesystem” was added to the filesystem filter list so one can allow BitLocker drives if filesystem filtering has been enabled
  • Station registration status race condition fixed
  • Security fix: non-super-admin users can no longer modify or update super-admin accounts

USBProtect changes

  • Network configuration is now done directly over the internal D-Bus instead of the JSON settings files on disk. This improves feedback when something is not right.
  • Re-wrote the USB device handling service to run in Storaged, a service written in Golang handling all device-specific things. This consolidates the code handling physical devices into one service, which will make USB handling more robust and make it easier to add features.
  • We now have Kingston Datavault 3.0 crypto drive support again, which required the re-written USB device handling service in this release
  • Any USB hardware errors are now detected and shown to the user in the station frontend. This is purely an informational service to the user which can help to understand why a certain device does not work in the kiosk
  • The UEFI CA 2023 certificate will be enrolled automatically if needed

USBProtect fixes

  • The network edit cards used when configuring the network now flip back to view mode after a successful save
  • Registration state handling has been improved, which fixes an installation problem for new USBProtect stations
  • Certificate recovery: the service talking to the ICC now automatically restarts when it hits an unrecoverable certificate error instead of staying stuck until the next restart

DataLock changes

  • Each Flow now has a Last Used timestamp, and any error messages are also timestamped

Xtransfer

  • Exporting files from an AD file share to a USB drive is now supported. Previously, only importing files from a USB drive to an AD file share was possible. This required adding a file browsing feature for selecting a directory or files from a file share.

Documentation

  • OpenID configuration documentation has been added to the ICC manual

Information

Operating system packages

This release bumps the underlying operating system from Sysctl Linux 42 to Sysctl Linux 43, which means all system components get updated to their respective versions. Due to OS upgrades, some packages get orphaned and linger on the system. We have decided to extend the /usr partition by 2 GB before doing the OS upgrade. This should work on all standard installations we know of. If your system is not upgrading to 5.9.0 but gets stuck on 5.8.5, please let us know. We have some more options for making room on /usr which we can roll out if needed.

Online Documentation

Further details and configuration guidance are available in the official documentation:

https://sysctl.se/impex/documentation/

SBOM

Each ISO and VHD release has a software bill of materials (SBOM), to make introspection of the release easy to integrate with a number of security tools.

Update Instructions

For networked Impex stations this release will be automatically installed as part of the regular update process. No manual steps are required from administrators or users. The system will apply the update seamlessly in the background, ensuring that the latest fixes are in place without any interruption to normal operations.

For standalone Impex stations, your organisation needs to download the update from portal.sysctl.se in accordance with the update instructions in chapter “USBProtect in offline mode” in the Impex USB Protect user manual.

Sysctl portal

https://portal.sysctl.se/

Sysctl rss/atom

https://sysctl.se/feed.xml

  1. https://www.keycloak.org/