Important or Breaking Changes

Queue Profile “Managed By” Now Supports Only a Single User

Starting with this release, the “Managed By” field in Queue Profiles is limited to a single user. It is no longer possible to assign multiple users to manage a single queue.

Impact:

• Any existing Queue Profiles with multiple users assigned will need to be updated.

• Business processes relying on multiple managers per queue (e.g., activity reassignment, escalations, ownership transitions) must be reviewed and adapted accordingly.

Action Required:

• Review and update Queue Profiles to ensure only one user is set as “Managed By”.

• Adjust any custom logic, automation, or integrations that previously relied on multiple managers per queue.

E-mailing mode configuration

When the "Write E-mails to Specified Folder" option is selected in the E-mails configuration of the Global System Settings, all emails are now only saved to the specified folder and not saved to the database. Previously, this option saved emails to the folder if they were explicitly addressed to email addresses not associated with any user accounts in the system. Emails that were associated with existing user accounts were saved to the folder and additionally saved to the database.

Feedback in Self-Service Portal for Incidents/Service Requests on status Resolved

When the Incident or Service Request is on status Resolved, the end user can provide feedback via replying to an email sent out when the incident was resolved or, starting with ESM v.12.1.3, directly from the Self Service Portal by leaving a comment in the journal. After receiving such a reply, the ticket status will be set to In Progress while previously the status was changed to On Hold. See also, Resolving incidents and service requests.

Demand Detection for Obsolete Bookings in Retired Services

Demand detection is now also available for Obsolete bookings in Retired Services. But in this case, Demand detection logic detects only Obsolete bookings (and not Missing bookings). The demand detection for Operational Services remains the same. See also, Service Demand Detection.

Metric Card uniqueness configuration attribute change

Now in Metric Card another configuration attribute stands for getting unique values - Show Uniques by Column (previously it was Group by Column). System Widgets are corrected but if there are custom ones that needs uniqueness by some field should be set manually by customer.

It is done in order not to have ambiguation while switching widget types.

Use of Extra Origins

Since 12.1.2 Administration->Global System Settings->Security "Extra Origins" is the only place for configuring Extra Origins for Matrix42 Enterprise modules. 
Use of similar setting in PDRDwpConfigurationClass or sps.config is discontinued. Ensure that all required "Extra Origins" are set.

Multi-Selection for Favorite Filters Now Requires Modifier Key

In previous releases, multi-selection of favorite filters worked by default with a single click. Starting from this update, users must hold down the ⌘ (Command) key (Mac) or Ctrl key (Windows) while clicking to apply multiple filters simultaneously.

This update introduces more control over filtering behavior, reducing accidental multi-selections and improving usability across different workflows.

Discontinuation of WCF Service Layer

The WCF Service Layer has been completely removed from the product and replaced by the WebAPI Service Layer. All WCF endpoints previously accessible via URIs such as /m42services/*.svc are no longer available.

New Information Received triggers changes

In Service Desk Settings checkboxes are replaced and placed to the New Information Received section

• Mark tickets as "New information received" when adding Journal entry by responsible person is replaced by Comments by Responsible User
• Mark tickets as "New information received" when adding Journal entry is replaced by Comments by Other Users

Also their behavior changed accordingly: 

• if Comments by Responsible User is checked - the New Information Received flag will be raised when responsible user leaves a comment
• if Comments by Other Users is checked - the New Information Received flag will be raised when any other user (except responsible) leaves a comment

Deprecation of "Access Database Engine" for Import Engine (GDIE)

The "Microsoft Access Database Engine", used by GDIE for filtering data sources with OLEDB SQL expressions, is not a prerequisite for a new installation. The system does not allow the creation of new Import Definitions based on Excel/CSV sources with OLEDB filters. However, these can still be added via Extensions. In such cases, the "Microsoft Access Database Engine" must be manually installed on the Application Server to ensure proper functionality.

See also, Adjusting Import Definitions to Replace Deprecated Source Filtering Method page.

New navigation in the Assets application

In 12.1.2 the navigation in the Assets application has been reworked. It now reflects a stronger emphasis on different business case scenarios and initially groups assets according to their affiliation with either Workplaces or Infrastructure. See Navigation in Asset Management for the detailed update.

Metric Card uniqueness configuration attribute change

Since version 12.1.2.5295 in Metric Card widget another configuration attribute stands for getting unique values - Show Uniques by Column (previously it was Group by Column). System Widgets are corrected but if there are custom ones that needs uniqueness by some field should be set manually by customer.

It is done in order not to have ambiguation while switching widget types.

Introduction of "Recipients" Field , in addition to "Recipient"

With introduction of Multi-Recipient Mode Field for Service (See Provisioning tab), The "Recipient" field in ServiceDetails for ServiceForm can now be used when Service is configured to have Unique Form per each Recipient. In case of Copying Service Form mode - "Recipients" field should be used instead. 

See related article for more details

Impact:

• If a service form relies on the "Recipient" field, Serfice must be configure to Require Unique Form per Recipient or be disable for multi -recipient use
• In case it is enough to have 1 Service Form for all Recipients, it is recommended to update  service forms to use the new "Recipients" field

Recipients filter in the Self Service Catalog introduced

In the latest update, a security enhancement has been introduced to the Recipients filter in the Self Service Catalog.

By default, the filter now restricts actors to viewing only recipients who are their subordinates.

Previous Behavior:

• In earlier releases, all users could see all recipients without any filtering.

New Behavior:

• The Recipients filter is now enforced by default.
• Users will only see recipients who are their subordinates.
• The filtering logic is aligned with the managed role, organizational unit, location, or cost center delegation settings.

Impact:

• Users who were previously able to see all recipients in the Self Service Catalog will now have a restricted view based on their management scope.
• Service ordering workflows relying on unrestricted recipient selection may need adjustment.

Resolution & Configuration Options:

• If needed, the Recipients filter can be adjusted in Service Catalog Global System Settings.
• Custom recipient filtering rules can be configured to match specific organizational requirements.

Cloned dataset view of "Catalog Services Tiles (Self Service Portal)" may stop working after update

In the latest update, systems with a cloned dataset view of "Catalog Services Tiles (Self Service Portal)" will encounter an issue where the service catalog displays an empty list. This behavior occurs because the cloned dataset view is no longer aligned with the product default configuration, which has been updated to accommodate new functionality and improvements.

Impact:

• Any modifications made through a cloned dataset view will not work as intended, leading to a non-functional catalog display.

• Customers relying on the cloned dataset view will need to take action to restore proper functionality.

Resolution: To resolve this issue, customers must switch to using the product default dataset view "Catalog Services Tiles (Self Service Portal)" and apply their customizations directly within this default view, instead of cloning it. This ensures compatibility with the latest system updates and prevents future issues.

Important Update: Explicitly Set [HttpGet] Attribute in Version 12.1.1

As part of the application security improvements, version 12.1.1 now requires all custom web service operations registered in the Product to explicitly declare the HTTP method using the [HttpGet] attribute.

In previous product versions, methods without a defined HTTP method type were implicitly treated as HttpGet, which posed potential security risks.

What’s Changing:
You must now explicitly define the HTTP method for all operations. For example:

[HttpGet]  public IEnumerable<Order> FindOrdersByCustomer(int customerId) { ... }  

For more details on attribute routing and HTTP method definitions, please refer to the official Microsoft documentation:
Attribute Routing in Web API 2

Please review your codebase to ensure all custom web service methods comply with this new requirement. If you have any questions or need assistance, feel free to reach out.

Renaming and Relocation of Dashboards and widgets

To improve clarity and organization, the following changes have been applied to existing dashboards and widgets:

1. "Escalation Overview":

   • Renamed to "SLA and OLA Performance Insights".
   • Moved to the Reports section.
   • Includes the 4 widgets previously present under Operational Efficiency:
     • SLA Adherence Rate (Incidents)
     • SLA Adherence Rate (Service Requests)
     • OLA Adherence Rate (Incidents)
     • OLA Adherence Rate (Service Requests)

2. "Operational Efficiency":

   • Moved to the Dashboards section.
   • The above 4 SLA/OLA widgets have been removed and consolidated into SLA and OLA Performance Insights.

Impact:

• Users familiar with the Escalation Overview dashboard will now find it under Reports with a new name and additional consolidated metrics.
• Widgets related to SLA/OLA adherence are no longer available in Operational Efficiency but have been relocated for a better reporting experience.

Global search "All" category deactivated

The "All" category in Global Search has been deactivated as part of this update to address performance concerns and improve search result accuracy, particularly when using AI Search.

Impact:

• Users will no longer see the "All" option in Global Search by default.
• Search performance and relevance are improved by focusing on specific search categories.

Action Required:

• Administrators can re-enable the "All" category via the Global System Settings, but this is not recommended due to potential performance degradation and less accurate result rankings.

Recommendation:
Leverage the updated category-specific search filters for better search performance and relevance. Configure a default search category to optimize user experience.

Account Description Field No Longer Localizable

The Account Description field (SPSAccountClassBase.Description) is no longer localizable. This change simplifies field behavior and aligns with system performance optimizations.

Impact:

• Users can no longer provide localized versions of the Account Description field.
• Existing localized values will be removed and cannot be maintained.

Stopping WCF Service Layer Endpoints

Starting with this release, the system no longer exposes WCF endpoints that were previously accessible via URIs such as /m42services/*.svc. Although WCF service implementations remain in the product, they are now deactivated by default.

If any of your customizations still depend on these WCF endpoints and cannot be quickly migrated to use the supported WebAPI service layer, you can manually activate the necessary WCF service in the database and restart IIS.

update PLSLServiceClassBase
set IsPublished = 1
where UsedInTypePLSLServiceTypeWCF is not null and IsPublished = 0 and Name = 'Name of the Service'

Important: WCF services will be completely removed in version 12.1.2. Please plan to transition any remaining WCF-based customizations to WebAPI before then to ensure compatibility and support.

Deprecation of "Access Database Engine" for Import Engine (GDIE)

The GDIE currently relies on the "Microsoft Access Database Engine" component for tasks such as reading Excel and CSV files during Import Definition authoring (Preview feature) and runtime. Additionally, it enables filtering source data using OLEDB SQL Expressions. However, due to security concerns and deployment challenges in cloud environments, this component will be discontinued according to the following timeline:

Version	Changes
12.1.1	"Excel 97-2003" Data Source Type Changes: The "Excel 97" data source type will be hidden and unavailable for creating new Import Definitions. Existing Import Definitions using "Excel 97" will remain functional. All default out-of-the-box Import Definitions will be migrated from "Excel 97" to "Excel." Introduction of ASQL Expression Filtering: A new ASQL Expression filtering capability will replace OLEDB SQL Filtering for filtering Text and Excel data sources. Limited Use of "Access Database Engine": The application will continue to support the "Access Database Engine" only for existing Import Definitions of types "Excel," "Excel 97," and "Text" where OLEDB SQL Expressions are specified. The system will restrict the creation of new Import Definitions using deprecated OLEDB SQL Filters. However, existing definitions will remain functional and will be highlighted in the system with a recommendation to migrate to ASQL Expressions.
12.1.2	Prerequisite Removal: The "Microsoft Access Database Engine" will no longer be a prerequisite for new installations. System Diagnostics: The system will list all Import Definitions in diagnostics, highlighting any inconsistent definitions and providing options to migrate them to ASQL Expressions or install the "Microsoft Access Database Engine" for on-premise environments.

See also, Adjusting Import Definitions to Replace Deprecated Source Filtering Method page.

Default Limits on Data Query Operations

To address performance issues stemming from improper product configuration, which could cause system outages, new default limitations have been introduced in the latest release to improve stability and mitigate potential risks.

1. Data Query Response Records Count

The setting PDRDwpConfigurationClass.DataQueryMaxResponseRecords defines the maximum number of records returned by the "Data Query" Web Service.
Default Value: 10,000 records. 
If your business case requires retrieving more data than this limit, it is recommended to use paging for data retrieval. The client should accumulate results from multiple requests into a single result set. For more details, refer to the Integration with Power BI guide.

2. SQL Data Query Timeout

The setting PDRDwpConfigurationClass.SQLDataQueryTimeoutSeconds specifies the maximum time (in seconds) allocated for executing a SQL-based Data Query.
Default Value: 60 seconds.
If the Data Query utilizes the "Allow Cache" option, the timeout is doubled (default: 2 minutes).

Configuration Adjustments

• For on-premise systems, these settings can be modified at any time to suit your specific requirements.
• For cloud systems, review and adapt your customizations to ensure compatibility with the new limitations. 

PowerShell Setup Directives for Packages

As already announced, installing Extensions with PowerShell setup directives is disabled in M42Cloud

Transferring Product Configuration Settings from files to Database

Multiple Product settings which for many years handles in various configuration files are moved to Production database

Original File	Action
Matrix42.Auth.STS.dll.config	For more details check STS Configuration
sps.config	The sps.config moves most settings to PDRDwpConfigurationClass. See more details on Advanced system settings
wm\config.json	The sps.config moves most settings to PDRDwpFrontendConfigurationClass. See more details on Advanced system settings
svc\Config\connectionStrings.config	The configurarion file has been removed. The connection strings are stored in PDRDwpConfigurationClass See more how to add and use connection strings

Unified Search activated in Service Desk / Service Catalog

For users, who use Classic Look, Unified Search will be activated by default in the applications for all navigation items in the mentioned applications.

In New Look, Unified Search is activate for Home pages only.

In case, you are willing to go back to previous mode, just deactivate Unified Search in Administration -> Service Desk/Service Catalog application settings

Global Search Manager is discontinued in New Look 

Global Search Manager control, because of bringing issues with User Experience, will be ignored in the New Look user interface. In case it is available in layout, it will continue working for Classic Look, but will not show up in the same layout for New Look. Functionality is replaced with equal representation of standard Global Search.
For instance,  users who use New Look for accessing Self Service Portal->Management Area, will not see additional search control on the layout, but only one - standard Global Search. This is provided for informational purposes only; no action is required at this time.

Microsoft Entra ID / Microsoft 365 data provider

Now data provider name is changed to Microsoft Entra ID in product and documentation

Parametrized Filter Expressions

The ability to filter using plain ASQL Where Expressions for the generic data access API can be disabled in the Global System Settings. This is controlled by the option Enable less secure filtering methods for data in REST API requests (not recommended) found in the Security  section. For security reasons, it is strongly recommended to ensure that all layouts use only secure filtering methods and to deactivate the deprecated filtering method.

Beginning with version 12.1.0, the "unsafe" filtering method is disabled by default for new installations.

System Prerequisites for Install & Update

 For new installations and system updates to v.12.1.0 the minimum required prerequisites are:

• OS: Windows Server 2016 64-bit Operating System or higher
• SQL Server:  Microsoft SQL Server 2016 SP3, 2017 or higher.

Prerequisite components that must be updated to 64Bit Windows-compatible components:

• Office System Driver Data Connectivity Component: The system update requires a newer version of the Office System Driver Data Connectivity Component for processing Text and Excel file imports. Previously to process such GDIE processes, the 32-bit Windows system-compatible version was suggested during system installation, but as of v.12.1.0 the Setup & Runtime Redistributables folder has a 64Bit Windows compatible component.
• AccessDatabaseEngine: Starting from EAP v.12.1.0,  the system update will not proceed if the 64Bit Windows-compatible component is not installed. In such case, it is necessary to uninstall the component that is compatible with 32-bit Windows systems and install from the redistributable an AccessDatabaseEngine component compatible with 64Bit Windows.  It can be found in  Setup & Runtime Redistributables → Office System Driver Data Connectivity Components folder. 

Keyword search update

Global & Keyword search uses now Display String when searching dataquery with no keyword columns defined. Before the change, all columns were considered during search, what resulted to performance issues.​

Action: review all dataqueries without keyword columns defined, and set needed.

 

Powershell Setup Directives for Packages

The current Configuration Package (Extensions) setup allows for the inclusion of Powershell scripts that are executed during the installation or uninstallation of an Extension. However, due to the significant security risks associated with this feature, it has been decided to gradually phase out support for Powershell scripts. The deprecation will follow these stages:
 

12.1.0	Powershell script controls will be removed from the Configuration Project dialog. Existing Powershell scripts tied to Configuration Project objects will remain intact and will continue to be included when the package is exported.
12.1.1	Installing Extensions with Powershell setup directives will be disabled in M42Cloud
12.1.2	The Configuration Project export will no longer include Powershell scripts in the package. Powershell scripts will also be ignored during the installation of Extensions.

Obsolete Components Removal

In the next release, version 12.1.0, we have scheduled a comprehensive cleanup of obsolete and deprecated components. Please review the table below to ensure that your System(-s) are not impacted by these changes.

Component	Description
AppFabric Workflow Engine	The discontinued Workflow Execution Engine based on Microsoft AppFabric will be removed. Update to 12.1.0 will not be available on a System with active AppFabric Workflow and Workflow Instances. Follow the guide on Workflows Migration to prepare your Matrix42 Systems for the update.
Hostcommon Workflow Engine	The first Workflow Engine hosted in the HostCommon process.
DTS Connector Framework	The first version of the Connector Framework was later fully replaced with Data Provider Connector Framework. The clean up includes also removal of the "M42Staging" database. Make sure your System use not legacy connector (Administration/Intergration/Connector) Migration from Empirum Connector (legacy) - Matrix42 Self-Service Help Center
Matrix42 Engine Common X86  (Windows Service)	The Windows Service “HostCommon x86” is installed on Application Server, and designed to execute tasks which require x86 windows components, like DTS or ODBC connectors.
Matrix42.Packaging	Legacy technology for delivering the customizations. Not supported starting from the version 9.0. Related Powershell Cmdlets  WmInstalledPackages, WmInstalledPackages are removed.
Database	Configuration Items Data Definitions SPSDashboardWidgetTemplateType SPSDashboardType SPSRESTDataSourceType SPSConnectorTypeAltiris SPSTargetingMailType SVCEnteoConnectorType SPSWizardTypeWizard SPSContentTypeStructureStatic SPSQueryType SPSContentTypeTabulator SPSContentTypeObjectDialogTab SPSContentTypeGridLayoutEx SPSContentTypeStaticContentTab PLThemeType SPSHistoryDataSourceType SPSSqlQueryDataSourceType SPSContentTypeQuickStartTab SPSAlertDescriptorType DashboardConfigurationItem SPSJsonDataSourceType SPSContentTypeWorkspace SPSContentTypeSearchTab SPSWizardTypeWizardPage SPSContentClassObjectDialogTab SPSContentClassStructureStatic SPSDashboardClassBase SPSRESTDataSourceClassBase SPSAlertDescriptorClassEvent SPSAlertDescriptorClassBase SPSContentClassStructureNodeStatic SPSContentClassWorkspace SPSActionPickupVisibility SPSContentClassSearchTabLink SPSContentClassSearchTabType SPSGenericDataSourceClassBase SPSAlertDescriptorClassSubscribers PLDashboardContainerClassBase SPSWizardClassWizardPage SPSContentClassTabulator SPSDashboardWidgetTemplateClass SPSContentClassSearchTab SPSContentClassGridLayoutColumn SPSContentClassStaticContentTab ColorDefinitionClassBase SPSHistoryDataSourceClassBase SPSAffectedObjectsClassDescriptor SPSSqlQueryDataSourceClassBase SPSWizardClassWizard SPSQueryClassBase SPSJsonDataSourceClassBase SPSContentClassGridLayoutBase SPSSchedulerTabMapping SPSContentClassQuickStartTabBase SPSCustomStringsClass

 

Display Expression for Person changed

The display expression for Person shown in the UUX changed to "<FirstName> <Lastname>"

Several Controls marked as Obsolete 

"Prominent Search" and "Search" controls are discontinued and not supported anymore. "Global Search Manager" is recommended for use instead of these controls. In layouts where they are used, controls are automatically replaced with "Global Search Manager". No additional changes are required.

Azure AD renamed to  Microsoft Entra ID 

Azure AD is renamed to Microsoft Entra ID in product and documentation

NuGet Packages Updated

When Applicable?

• In case of custom coded extensions
  • if any of the updated dlls is referenced with specific version - version should be updated
• if for some reason a package ships any of the added/updated dlls - remove them from package 
• token operations like encode/decode/protect/unprotect might be affected - such operations should be thoroughly checked
• auth operations should be tested if they are a part of a package/customization
• if for some reason a package/customization contains deleted dlls - consider redesign not to include them or ship it along (not recommended)

Packages updated:

• System.IdentityModel.Tokens.Jwt 4.0.40306.1554 -> 6.35.0.0
• Microsoft.IdentityModel.Tokens -> 6.35.0.0
• Newtonsoft.Json 13.0.2.0 -> 13.0.3.0
• Microsoft.Web.Infrastructure 1.0.0.0 -> 2.0.0.0
• System.Memory 4.0.1.1 -> 4.5.5
• StackExchange.Redis 2.2.50 -> 2.7.33
• Matrix42.STS 1.0.0.27 -> 24.0.1.0
• Microsoft.Owin 3.1.0.0 -> 4.2.2.0
• Microsoft.Owin.Security 3.1.0.0 -> 4.2.2.0
• Microsoft.Owin.Security.OAuth 3.1.0.0 -> 4.2.2.0
• Microsoft.Owin.Host.SystemWeb 3.1.0.0 -> 4.2.2.0
• Microsoft.Owin.Security.Cookies 3.1.0 -> 4.2.2.0
• Microsoft.Owin.Security.Jwt 3.1.0 -> 4.2.2.0
• Microsoft.AspNet.WebApi 5.2.3.0 -> 5.2.9
• Microsoft.AspNet.WebApi.Client 5.2.3.0 -> 5.2.9
• Microsoft.AspNet.WebApi.Core 5.2.3 -> 5.2.9
• Microsoft.AspNet.WebApi.WebHost 5.2.3 -> 5.2.9
• Microsoft.AspNet.Mvc 5.2.3 -> 5.2.9
• Microsoft.AspNet.WebPages 3.2.3 -> 3.2.9
• Microsoft.AspNet.Razor 3.2.3 -> 3.2.9
• log4net 2.0.7 -> 2.0.17

New packages added by dependencies:

• Microsoft.Bcl.AsyncInterfaces 1.1.0
• Microsoft.IdentityModel.Abstraction 6.35.0
• Microsoft.IdentityModel.JsonWebToken 6.35.0
• Microsoft.IdentityModel.Logging 6.35.0
• System.Buffers 4.5.1
• System.Numerics.Vectors 4.5.0
• System.Runtime.CompilerServices.Unsafe 4.7.1
• System.Text.Encoding 4.3.0
• System.Text.Encodings.Web 4.7.2
• System.Text.Json 4.7.2
• System.Threading.Tasks.Extensions 4.5.4
• System.ValueTuple 4.5.0

Removed dlls:

• Infragistics35.WebUI.UltraChart.v10.2.Design.dll
• Infragistics35.WebUI.UltraGauge.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebCalcManager.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebGrid.DocumentExport.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebGrid.ExcelExport.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebGrid.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebListbar.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebMenu.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebTab.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebToolbar.v10.2.Design.dll
• Infragistics35.WebUI.UltraWebTree.v10.2.Design.dll
• Infragistics35.WebUI.WebCombo.v10.2.Design.dll
• Infragistics35.WebUI.WebDataInput.v10.2.Design.dll
• Infragistics35.WebUI.WebDateChooser.v10.2.Design.dll
• Infragistics35.WebUI.WebHtmlEditor.v10.2.Design.dll
• Infragistics35.WebUI.WebNavBar.v10.2.Design.dll
• Infragistics35.WebUI.WebSchedule.v10.2.Design.dll
• Infragistics35.WebUI.WebScheduleDataProvider.v10.2.Design.dll
• Infragistics35.WebUI.WebSpellChecker.v10.2.Design.dll
• Infragistics35.Web.Design.v10.2.dll
• Infragistics35.WebUI.Design.v10.2.dll
• Infragistics35.WebUI.Misc.v10.2.Design.dll

 

Obsolete Components removal

The following table list the components removed in version 12.0.5

Component	Description
Business Rule Engine	Files: update4u.SPS.BizLayer.RuleEngine.* Obsolete component used in early versions of the Legacy Console for defining Business Rules with Microsoft Visio.
Performance Monitoring	Files: Matrix42.PerformanceMonitoring.*# The range of tools used in Legacy Console for automatic detection of performance bottlenecks.
Compliance Rule actions “Execute Script” and “Execute Process”	Namespace: update4u.SPS.ComplianceRules.BizLogic.Component Class: ScriptExecutor, PowerShellExecutor , ExecutableScriptExecution The Compliance Rule actions previously available for configuration in Legacy Console “Execute Script” and “Execute Process” for security reasons have not been migrated to UUX

Theme Colors are required

Starting from version 12.0.4,  all colors in Themes are required. In rare cases,  when someone removes color from the Theme manually, or imports theme generated on 12.0.2 or earlier versions to 12.0.3/12.0.4 without newly added colors (for example Base Layout color is not defined), theme may look as corrupted.  Direct fix in such situation requires setting a value for all colors in the Theme. For extension owners, it is recommended  to update extensions with Themes so they include all colors set and are supported with 12.0.4.  

File/Attachments Security 

Starting from version 12.0.4, operations for uploading and downloading files stored in the configured File Storage now consider the Configuration Item (CI) permissions granted to the interactive user. Access to reading or adding files to the Object is governed by security permissions assigned to the Object for each user. This mechanism is fully aligned with the security framework used for displaying the Object in the UUX (User Experience).

The access conditions is the following:

1. The user must possess "Read" CI permissions for the object.
2. No Data Query is specified for the CI 
   or
   a Data Query with Audience exist for the user, and the Data Query filter must match the Object. 

If errors occur after an update when attempting to download or upload files, it is essential to reassess whether the user truly has permission to access the file. If necessary, extend the CI permissions for the User Role or introduce a Data Query to the affected Data Definition with the appropriate Audience.

Parametrized Filter Expressions

Starting from version 12.0.3 REST API for generically reading data supports the Parametrized Filter Expressions. The controls and Additional Data Sources in the Layout Designer that support the filtering mechanism (Picker Controls, Grids, and Charts)  also have been extended to utilize the Parametrized Filter Expressions.

Due to performance and security reasons, all standard Layouts where the data filtering mechanism had been configured either for control or for Data Source were migrated to the Parametrized Filter Expression. The update could cause the breaking change for cases when the default Filter expression delivered with the core Product was customized on the Customer side.

Legacy Component Removal in Update 12.0.2

As part of our efforts to maintain a modern and efficient platform, certain legacy components that have been previously discontinued and are no longer supported will be permanently removed. We recommend that you review the list of legacy components that will be affected in this update and prepare for the transition.

• Classic UI
  The Web Application "Web" is removed.  All the images from the folder "Web/Images" are replaced under UUX Web Application to folder "WM/Images"
• Data Gateway
   
• Alerting notification Engine

License Management Background Processing

The background processing in license management is set to "Workflow" for new installations as well as for updates. You can find this parameter in the "Licenses" application settings. Up to now, the creation of license requirements via Workflow was a selectable option. The advantage of this new processing is a much faster creation and consolidation of license requirements. 

The classic calculation of the effective license requirements is still available in this version, but it is now an option that is also considered " deprecated" as of now. With the next product version, the classic background calculation will no longer be available. Accordingly, we recommend that you no longer use it.

Changes in Data Queries

With an update, we introduce the Set Audience action for Data Queries. All Data Queries audiences were migrated to inherit related Navigation Item Audience. You may need to review Audience configuration for specific Data Queries when:

1. Data Query is not assigned to any Navigation Item
2. Data Query is directly used in some Dialogs, Previews, or Wizards

For both cases, the solution is to Set Audience manually.  For more details, see also How to Set Audience in SolutionBuilder page. 

All non-system Data Queries that were created before the update get unrestricted audience, adjust them if necessary.

After the update, when you create a new Data Query, it is initially restricted to Administrators only. Use the added Set Audience action to modify the access.

Data Queries based on the Data Definition have new configurable properties that affect data displayed to the end-users:

• Priority
• Primary Filter

For more details, see Data Query page.

After the update, in rare cases, your data results might have changed due to the following reasons: 

1. Other Data Query with a higher priority is currently applied. To fix the issue, change the Data Query Priority. See Data Query page.
2. You are using one of the default Data Queries that received a Primary Filter:
   • Announcements_Portal
   • Changes_Portal
   • Changes_Portal_Approvals
   • Changes_Portal_Overview
   • Changes_Portal_MyChangeRequests
   • Tickets
   • Portal My Hardware
     If the Primary Filter is the reason why you received an unexpected result, please, verify the use case. A possible solution would be to duplicate the Data Query for your purposes and adjust the settings accordingly. 

     Removing Primary Filters from the default Data Queries is not recommended.

Data Query Column to Display

After the update, "Display Expression" is replaced with "Data Query Column to Display” property in Object Links and Object Pickers controls.

All existing static expressions are substituted with Display Expression from Data Definition. 

All static expressions are highlighted by the System Diagnostics and must be replaced with Data Query Column to Display property. To restore the same expression in your Layout as it was before the update, create a column in the Data Query with the same Display Expression and select it in the new Data Query Column to Display property in the Layout as described here. 

License Certificates Monitoring Dashboard

Implemented License Certificates monitoring dashboard allows you to be sure that you always have up-to-date information about the use of your licenses. This includes a monitoring panel and several new system diagnostic rules. All messages regarding License Certificates monitoring in the system diagnostics are displayed for informational purposes only and the system continues running as before.
If your system encounters issues with licenses, please contact Sales Administration.

For more details, see also License Certificates page.

UUX Session Lifetime

For security reason, the maximum possible UUX Session lifetime period is 48 hours. In case the System configuration exceeds the maximum value, on Update it is automatically reset to 48 hours.

Contract Management

The application "Contracts" requires a certificate for "Contract Management" for activation as of version 12.0. The incorrect certificate check in previous versions has been corrected.

UUX Session Lifetime

Session lifetime configuration has been moved from Root/bin/Matrix42.Auth.STS.dll.config to the Global System Settings: Security area.

Authorization with PKCE Flow

To increase the application security, the DWP from version 11.0.2 supports only the secure authorization flow based on OAuth 2.0 Authorization Code Flow with the Proof Key for Code Exchange (PKCE). 

Attachment Storage

The meta info content of the table Files was moved to the new table DWPFileInfo. Especially the column "Folder" was removed and all the meta info of attachments can now be found in the new table DWPFileInfo. This table is a part of the product Schema and can be queried by ASQL.

Replacing the Data Gateway Technology 

The Data Gateway Service is being discontinued and no more supported.

The Data Gateways are being replaced with new technology based on the Matrix42 Worker Technology. 

The migration will happen automatically in the background for all Data Gateways except Remote Data Gateways. Remote Data Gateways have to be replaced until they are discontinued.

New Workflow Engine 

The Workflow Execution Engine based on Microsoft AppFabric is being discontinued and no more supported. 

 For more details please check Workflow Engine.

Reference Database is obsolete

The Reference Database <MAIN DB>_REF (by default M42Production_REF) is obsolete and the update will try to delete the database during the update. If the Reference database is part of a High Availability Group you should remove it from the HA group before the update. For more details on a High Availability Group, see also SQL Cluster Support page.
The reference Schema is now a part of the production database.

Authorization with PKCE Flow

To increase the application security, the DWP from version 10.1.1 supports a new more secure authorization flow based on OAuth 2.0 Authorization Code Flow with the Proof Key for Code Exchange (PKCE). PKCE provides dynamic client secrets, meaning your app’s client secrets can stay secret. PKCE is better and more secure than the implicit flow. 

To guarantee no negative effects on authorization approach transition, version 10.1.1 still use the old authorization mechanism (OAUTH Implicit Flow) by default. The PKCE can be activated in the WM/config.json file:

  "authentication": {
      "auth_with_pkce": "true"
   }

For version 11.0.1 use the SQL query to activate the PKCE:

update PDRDwpFrontendConfigurationClass
set Value = 'true'
where [Key] = 'authentication.oauth2.auth_with_pkce'

In the version (11.0.2) the PKCE flow becomes the default authorization mechanism.

New Dependency control (Infrastructure Forensics)

Please note that with Matrix42 Enterprise Service Management release 10.1 the new dependency control used for Infrastructure Forensics needed to be changed as well.

The control itself will be provided as an extension and was extracted from the core product. In case you update or install the new extension version of Infrastructure Forensics version starting 1.1.x) the dependency control will be automatically installed thus resulting in resetting all custom set up dependencies and icon / display string over writes.

In addition to the system changes the administration settings have been moved to the application 'Assets'.

Workflow activity "Export to SQL Lite" is deprecated

Workflow activity "Export to SQL Lite" does NOT support Worker technology but AppFabric only. This activity is declared as deprecated and will be removed with next release. Accordingly support for Worker is not planned.

Security improvements for accessing Custom SSRS Reports

The System requires to implicitly grant access permissions for the custom Reports which are deployed to the custom SSRS Folder. If after Update you start receiving a message "The report could not be loaded!" on an attempt to open the Report in UUX, then follow the instructions provided in article Reports Security to provide missing security configurations

Azure Active Directory & Active Directory Data Providers 

With 10.0 Update 3, we have changed the matching mechanism for Persons and Accounts to avoid duplicates. When Active Directory and Azure Active Directory are connected with AD Sync, and both Data Providers are activate - the system will create only one Person for both Accounts. Because of that change, custom settings for matching Accounts and Users will be overwritten and needs to be configured again.

It is highly recommended to configure a list of extended attributes in configurations of Active Directory Data Provider and Azure Active Directory Data Provider at the same time when both data providers are in use! 

Background processing after running EMPIRUM Connector 

EMPRIUM Connector does NOT trigger background processing for license management anymore. This was redundant and could have caused unnecessary work load for the system. Background processing for license management is solely made by "License Management - Batch Processing" activation.

Make sure you check your engine activation schedules.

The system stops publishing Worker-ready Workflows

For improving the Product performance the Workflows which are ready to be executed on Matrix42 Worker are not published anymore, and the Workflows previously published to folder "svc/WF" are also removed on Product update. In the case of an emergency, the Workflows can be manually rollbacked to legacy AppFabric Workflow Engine by implicitly setting the engine using Workflow action "Set Execution Engine" and then publishing the Workflow  

Mandatory Category on Enterprise Queue Profiles

In order to set up a category tree for each Enterprise Queue the Queue Profiles have been extended with a mandatory root category.
Child categories can later be assigned to Activities. Please note that the root category itself will not be available for Activity processing.
In case Queue Profiles are already in place the category needs to be defined as well, otherwise workflows for assignment will fail. 

The Secure Token Service is the only available option for authentication

The Secure Token Service is the only available option for authentication. STS will be automatically enabled for existing installations. There will be no possibility to deactivate the option. In addition,  Force SSL option will be set. It means that when someone opens the console or the portal with the HTTP URL, they will be redirected to the HTTPS URL.

Default Workflows starts executing on Matrix42 Worker Engine

All Workflow delivered out-of-the-box by default starts executing on Matrix42 Workflow Engine. All custom workflows have to be evaluated and marked for compatibility with the Worker Engine. See Workflows Migration for more details.

Default Level for Workflow Monitoring changed to Error Only

All Workflows that are executed using Matrix42 Workflow Workers  are configured for log only Errors.  Enabling Troubleshooting mode can be done  Settings

Workflow Infinite Loops Protection enabled

  If the Workflow is badly designed it can lead to infinite loops on Workflow Instance execution and overall blocking of the Workflow Engine, as some instances are always running and there is no capacity to execute new Workflow commands. To disable such negative impacts of the Infinite loops the System uses the protection mechanism which automatically terminates the Workflow Instances in case the infinite loop detected, and the amount of iterations exceeds the configured number in the Production database SPSGlobalConfigurationClassWorkflowEnginetableActivityLoopLimitattribute. 

By default, the System supports 10000 iterations in Workflow Instance before it will be classified as an infinite loop.

Data Gateway tasks run on Matrix42 Worker

Data Gateway tasks (except Inventory of Citrix XenServer, Inventory of Microsoft Hyper-V, Inventory of VMware vCenter, LIS - Online Update,  Unix Inventory, Windows Inventory) assigned to the local Data Gateway (App Server) are executed on the local Matrix42 Worker.

Ticket only mode for new installations

Due to the latest changes with ITIL4 the Incident only function will no longer be available on new installed environments. From now on Tickets need to be classified as either Incident or Service Request.
In case disaster recovery needs to be performed Version 10.0.0 needs to be installed followed by an update to 10.0.1

Service Level Agreement (SLA) only support

To reduce overall complexity ITIL4 did change the handling of Underpinning Contracts (UCs) and Operational Level Agreements (OLAs). Service Level Agreements (SLAs) will substitute OLAs and UCs which have been migrated automatically. In order to identify the origin of the initial Configuration Item a dropdown showing the type was introduced. The corresponding CIs have been removed from the schema.

API Tokens Invalidation 

Due to Security reasons in some particular cases, the Product Update automatically regenerates the Client Secret used for encoding the Security Token, what could lead to invalidation of the used API Token. If your Environment(-s) implement any Integration which based on API Token Authentication, please ensure right after the Update it still operates, otherwise, you need to generate a new API Token and use it in all related Clients.

Changes in OAUTH2 authentication endpoint

Changes need to be applied in case you did connect Matrix42 Service, Software & Asset Management and a 3^rd party application using OAUTH2 authentication.
Until version 10.0.0 this endpoint '.../M42Services/Authorize/OAuth2Reply' was used.
Starting with version 10.0.0 the endpoint has changed and needs to be adjusted to: '.../M42Services/api/sts/oauth2reply'.

UEM-Mode

The system no longer manages mobile devices as a separate type of asset. One type of object is used for managing both computers and mobile devices. It is known as Unified Endpoint Management. If you update from an earlier version, all mobile device records will be merged into the computer entity. This way you can manage all endpoint devices under one navigation item and using the same dialog.

After you install the update, you can see that all existing mobile devices have been transformed into computers.

Changes in User Interface

The following changes in the user interface have been made:

• Dialog and preview for mobile devices as well as the Create Mobile Device and Import Mobile Devices actions will disappear
• Mobile devices imported via data providers and created manually will be copied as computers
• The computer dialog and preview will be extended with attributes specific for mobile devices

Changes in Database

The system creates a computer record for each mobile device and moves all related objects to the computer record.

The following data gets reassigned:

• Ownership (organizational unit, cost center, and location)
• Principal User
• Stock Keeping Unit
• Workplace
• Environment
• Installed Profiles and Applications
• Purchase Data (Contract, Supplier, Internal Contact, Contract Item, Cost Plans)
• Attachments, Comments, Journal, Tasks, and Appointments
• SIM Cards
• Licensing Information (License Requirements, Restricted and Reserved Licenses)
• AD Groups
• Dependencies
• Services, primary and indirectly affected Incidents, Problems, Change Requests, and Outages

Provisioning of Catalog Services

Silverback and AirWatch services are automatically adjusted to a computer target. Therefore, provisioning of services is now made for computers that represent imported mobile devices (you can filter them by management type Mobile Device Management). All previously assigned services get reassigned to new computer records.

Check your Customizing

As for the standard product, all necessary changes will be made automatically preserving all your data. However, if you have any customizing around "Mobile Device" in your environment, you will need to review and possibly adjust them, e.g.:

• Attributes, Relations or Data Definitions
• Non-standard Data Providers
• Import Definitions
• Compliance Rules
• Workflows
• User Interface
• Search Queries
• ...

Discontinue Alerting Email Engine

According to the Alerting Engine Discontinue Plan, which was presented in 9.1.3 release,  in version 10.0.0 all email notifications, including custom, use the new Email Engine. If for some reason the Email Notification was not properly migrated, it could be manually fallback to use the legacy Alerting Engine, using Compliance Rule action "Switch Mailing Engine".

UUX Security Vulnerability Eliminated

The potential security issue, related to XSS attacks, has been discovered and eliminated in version 10.0.0. All weaknesses of the standard Product have been removed. But, there is a possibility the System customizations (configurations) could open other vulnerabilities that cannot be automatically detected and resolved.

To protect the System proceed with the following steps:

1. Find the Custom Schema Attributes which stores the HTML
   Usually, such attributes bound to RichTextbox control.
2. Edit the corresponding Data Definition, and set the flag "Contains HTML" for such attribute
   For more details check Data Definition Attributes

.NET Framework Version Update to 4.7.2 

The Product .NET framework version is elevated to the latest released version 4.7.2.  This change could impact the custom assemblies which have been previously installed on Product and reference the Product assemblies of the strict version. To avoid potential problems it is recommended to at least to check the custom assemblies still working on a version 10 and above, or better, rebuild all such assemblies with .NET 4.7.2 Framework.

Also in a new Product version, some 3d Party libraries (Nuget packages) have been updated to a newer version.  If you using these libraries in your Projects please recompile these assemblies to guarantee they are compatible with the new Product. 

Powershell scripts, that uses CMDLETs referencing mentioned dlls, must be also checked for compatibility

Name	Previous Version	Version in 10.0.0
Microsoft.Owin.Cors.dll Microsoft.Owin.Diagnostics.dll Microsoft.Owin.dll Microsoft.Owin.Host.SystemWeb.dll Microsoft.Owin.Security.Cookies.dll Microsoft.Owin.Security.dll Microsoft.Owin.Security.Jwt.dll Microsoft.Owin.Security.OAuth.dll	3.0.40213.64	3.1.60405.82
Newtonsoft.Json.dll	7.0.1.18622	12.0.l2.23222
nlog.dll	3.1.00	4.6.7.10445

Migrating Workflows from AppFabric to Matrix42 Worker Engine

Matrix42 Worker Engine is in a pre-released state (Technical Preview) and will be fully released in version 10.0.1.  Please check the schedule of the Workflow Engines transition plan.

Starting from version 10.0.0 the compatibility of the Custom Workflows and Workflow Activities with the Matrix42 Worker Engine can be evaluated on Testing Environment. See Workflows Migration for more details.

 

Matrix42 Worker

Matrix42 Worker is a Windows Service introduced in the version 9.1.2 as Technical Preview. More details can be found in Workflow Engine.

By default, the Matrix42 Worker is not installed by the Setup, and in case it was not installed manually the breaking change is not affected, and the actions list can be ignored. Otherwise, the Worker needs to be manually updated.

1. Stop "Matrix42 Workers" Windows Service before Matrix42 Workplace Management update.
2. Update Matrix42 Workplace Management.
3. Clean up Matrix42 Worker directory
4. Follow the Install Worker instructions to  install new version of the Worker

The concept of the Matrix42 Worker presumes the Matrix42 Worker is self updated whenever the relevant resources on the Application Server are updated,  means in future Product updates the Workers will be updated automatically regardless of the way they have been installed. 

License Metering

With this new release, our software supports you in auditing your Matrix42 software licenses. The software now has a function that requests information about the licensing of the Matrix42 software at regular intervals and transmits the number of licenses used (by devices and users) to us. Personal data is not collected. The data transmitted with each process can be viewed on the server in the 'metering' sub-directory.

Further details can be found in the product documentation.

SaaS Compliance Data Provider

Installed data provider from SaaS Compliance subscription (Office 365 and Adobe Creative Cloud) needs to be updated after upgrading your environment to version 9.1.1.

Configuration of Remote Usage Tracking

Configuration of Remote Usage Tracking Agent is now made in settings for "License" application and not directly in config-files anymore. Accordingly make sure that your settings are correct, if you are using Remote Use Tracking Agent in your environment.

Please refer to online help for details about configuration.

Compatibility of Empirum SDK

Due to a breaking change in Empirum SDK v1.20 compatibility with earlier versions is affected.

Since Software Asset & Service Management 9.1 Update 1 installs Empirum SDK version 1.20 coexistence with previous version may lead to execution errors!
Don't be confused if your scripts run nicely inside PowerShell IDE. This is misleading.

Solution: 

1. Adjust your PowerShell scripts to match with SDK 1.20 and remove old SDK-version (recommended!)
2. Manually remove SDK 1.20 after updating to Software Asset & Service Management 9.1 Update 1

.NET Framework changed

Please note that this version was compiled with .NET Framework 4.6.1 for the first time. Please ensure it is available on your server prior to installing the product. Setup of the .NET Framework is contained in the REDIST file provided with this release. Please note that users of Workflow Studio need this .NET version also on their client device.

Service Desk – 2 new configurations added

Two new configuration settings have been added to allow better information handling on new received data. The two options, defined in the Service Desk – Settings area, are

1. Mark ticket as "New information received" when adding Journal entry (enabled by default)
2. Mark ticket as "New information received" when adding Journal entry by responsible person (disabled by default)

Especially the second option might result in changed behavior on filters checking the new information status.

Removed Exception (for Developers only)

“PandoraException” was moved from Matrix42.Pandora.Contracts to Matrix42.Common. If you have already used “PandoraException” in your projects, please change the namespaces in all usages.

User Profile

"Users are not able to change their data in User Profile"

This change comes from a bug fix. Setting, that was always present, saying "Allow Users to Change Personal Data" was not working in UUX. Now it is considered, and can be changed by customer

Workflows will be validated during update

Setup contains new feature validating existing workflows to avoid unexpected failures during their execution. This validation checks if workflows have references to components that are missing on the environment or have a wrong version.

If validation detects a corresponding issue, a message is displayed:

There are two options to deal with this issue:

• Instant Fix
  • Keep small message box with caption “Skip” open
  • Deploy required but missing component
  • Click ‘No’ on small message box to repeat validation
• Subsequent Fix
  • Click ‘Yes’ on small message box with caption “Skip” to skip validation
  • Continue with the setup
  • Deploy required but missing component after the setup has finished

We recommend first option.

More details can be found in online help.

Office 365 Data Provider

In case you have installed the data provider for Office 365, please download new version of this data provider from Matrix42 Marketplace and install it after updating your environment.

Auto-Migration of Volume License Agreements

Please note that with upgrading your environment to this version, existing volume license agreements of following types are automatically migrated to CI “Volume License Agreement”:

• Microsoft Enterprise Agreement
• Microsoft Enterprise Enrolment
• Microsoft Select Agreement
• Microsoft Select Enrolment
• Adobe CLP Agreement
• General Volume License Agreement

Automatic migration will not copy data records, but just change the type (Configuration Item). Object-ID and any other data remains untouched.

SQL Server 2008 R2 not supported anymore

With product version 9.0 we do not support SQL Server 2008 R2 anymore. If you operate your environment on this SQL Server make sure you update your SQL Server to one of the supported versions prior to updating your environment to this product version.

Also please check system requirements in our online help.

Workflow Activity "UpdateObjects"

Implementation of workflow activity "UpdateObjects" was changed. Parameters validation becomes stricter so custom workflows that use this activity may fail in case of passed "Object IDs" is not related to specified "CI Type". Please review your custom workflows before updating to version 8.1.7 or higher.

Filter in UUX Navigation

With previous product version 8.1.7 we changed behavior of filters in UUX navigation.

New Behavior:

If a user, who belongs to Administrators role, creates new navigation filter:

• This user will not be set as Owner of this filter anymore
• This user will now be added to the Audience that is able to see that filter

Previous Behavior:

• Any user sees all filters in navigation that are marked as “to-be-shown in navigation” where user has access through the Audience setting or the user is the owner of respective filters.
• If a user creates a new filter for navigation, this user was previously automatically set as “Owner” of that filter.
• In case that a user creates a filter as an administrator and shares it with all other users – there was previously no way to hide this filter from his personal navigation.
• Migration:

If you update an existing system with product version 8.1.7, all owners are removed from those navigation filters where the current owner is in role Administrators. In addition, the corresponding user will be added to the audience entry. As a result, member of role Administrator will still see same filters in navigation as before update, but he will be able to hide for himself specific one using action Audience.

In addition, Administrator can use Administration => Search Filters to create new or configure existing filters.

CI Approval and ChangeApproval

With previous product version 8.1.4, the structure of “Approval” and “ChangeApproval” CI have been changed for performance improvement reasons. Both CI do not include Data Definition SPSActivityClassBase anymore.

Relevant attributes have been moved to SVCApprovalTaskClassBase instead: 

Data Definition	Attribute
SVCApprovalTaskClassBase	ClosedDate
SVCApprovalTaskClassBase	CreatedDate
SVCApprovalTaskClassBase	Creator
SVCApprovalTaskClassBase	Recipient
SVCApprovalTaskClassBase	RecipientRole
SVCApprovalTaskClassBase	TicketNumber
SVCApprovalTaskClassBase	WorkflowID

Deny Logon

Since product version 8.1.0, only accounts with a status that is equal to Active (2001) and with the unselected Deny Workspace Management Logon checkbox are allowed to log in toMatrix42 Workspace Management. Prior to that version, all accounts with a status value other than Deleted (2004) and with the unselected Deny Workspace Management Logon checkbox were allowed to log in to Matrix42 Workspace Management.