Please ensure to review all information about important or breaking changes provided with all versions that have been released since the version you are updating.
Authorization with PKCE Flow
To increase the application security, the DWP from version 10.1.1 supports a new more secure authorization flow based on OAuth 2.0 Authorization Code Flow with the Proof Key for Code Exchange (PKCE). PKCE provides dynamic client secrets, meaning your app’s client secrets can stay secret. PKCE is better and more secure than the implicit flow.
To guarantee no negative effects on authorization approach transition, version 10.1.1 still use the old authorization mechanism (OAUTH Implicit Flow) by default. The PKCE can be activated in the WM/config.json file:
In the next version (11.0.0) the PKCE flow becomes the default authorization mechanism.
If you use any applications (own or 3-d Party) which are integrated with DWP and use the OAUTH flow for the authorization, please make sure the new DWP authorization flow keeps working with your application.
New Dependency control (Infrastructure Forensics)
Please note that with Matrix42 Enterprise Service Management release 10.1 the new dependency control used for Infrastructure Forensics needed to be changed as well.
The control itself will be provided as an extension and was extracted from the core product. In case you update or install the new extension version of Infrastructure Forensics version starting 1.1.x) the dependency control will be automatically installed thus resulting in resetting all custom set up dependencies and icon / display string over writes.
In addition to the system changes the administration settings have been moved to the application 'Assets'.
Workflow activity "Export to SQL Lite" is deprecated
Workflow activity "Export to SQL Lite" does NOT support Worker technology but AppFabric only. This activity is declared as deprecated and will be removed with next release. Accordingly support for Worker is not planned.
Security improvements for accessing Custom SSRS Reports
The System requires to implicitly grant access permissions for the custom Reports which are deployed to the custom SSRS Folder. If after Update you start receiving a message "The report could not be loaded!" on an attempt to open the Report in UUX, then follow the instructions provided in article Reports Security to provide missing security configurations
Azure Active Directory & Active Directory Data Providers
With 10.0 Update 3, we have changed the matching mechanism for Persons and Accounts to avoid duplicates. When Active Directory and Azure Active Directory are connected with AD Sync, and both Data Providers are activate - the system will create only one Person for both Accounts. Because of that change, custom settings for matching Accounts and Users will be overwritten and needs to be configured again.
It is highly recommended to configure a list of extended attributes in configurations of Active Directory Data Provider and Azure Active Directory Data Provider at the same time when both data providers are in use!
Background processing after running EMPIRUM Connector
EMPRIUM Connector does NOT trigger background processing for license management anymore. This was redundant and could have caused unnecessary work load for the system. Background processing for license management is solely made by "License Management - Batch Processing" activation.
Make sure you check your engine activation schedules.
The system stops publishing Worker-ready Workflows
For improving the Product performance the Workflows which are ready to be executed on Matrix42 Worker are not published anymore, and the Workflows previously published to folder "svc/WF" are also removed on Product update. In the case of an emergency, the Workflows can be manually rollbacked to legacy AppFabric Workflow Engine by implicitly setting the engine using Workflow action "Set Execution Engine" and then publishing the Workflow
Mandatory Category on Enterprise Queue Profiles
In order to set up a category tree for each Enterprise Queue the Queue Profiles have been extended with a mandatory root category.
Child categories can later be assigned to Activities. Please note that the root category itself will not be available for Activity processing.
In case Queue Profiles are already in place the category needs to be defined as well, otherwise workflows for assignment will fail.
The Secure Token Service is the only available option for authentication
The Secure Token Service is the only available option for authentication. STS will be automatically enabled for existing installations. There will be no possibility to deactivate the option. In addition, Force SSL option will be set. It means that when someone opens the console or the portal with the HTTP URL, they will be redirected to the HTTPS URL.
Since 10.0.1 parameter HostName is mandatory in commandlet Set-WMSTS
If you use a custom powershell scripts to update from previous versions you should add a call of Set-WMSTS commandlet if it is not there yet
Default Workflows starts executing on Matrix42 Worker Engine
All Workflow delivered out-of-the-box by default starts executing on Matrix42 Workflow Engine. All custom workflows have to be evaluated and marked for compatibility with the Worker Engine. See Workflows Migration for more details.
Default Level for Workflow Monitoring changed to Error Only
All Workflows that are executed using Matrix42 Workflow Workers are configured for log only Errors. Enabling Troubleshooting mode can be done Settings
Workflow Infinite Loops Protection enabled
If the Workflow is badly designed it can lead to infinite loops on Workflow Instance execution and overall blocking of the Workflow Engine, as some instances are always running and there is no capacity to execute new Workflow commands. To disable such negative impacts of the Infinite loops the System uses the protection mechanism which automatically terminates the Workflow Instances in case the infinite loop detected, and the amount of iterations exceeds the configured number in the Production database
By default, the System supports 10000 iterations in Workflow Instance before it will be classified as an infinite loop.
Data Gateway tasks run on Matrix42 Worker
Data Gateway tasks (except Inventory of Citrix XenServer, Inventory of Microsoft Hyper-V, Inventory of VMware vCenter, LIS - Online Update, Unix Inventory, Windows Inventory) assigned to the local Data Gateway (App Server) are executed on the local Matrix42 Worker.
Ticket only mode for new installations
Due to the latest changes with ITIL4 the Incident only function will no longer be available on new installed environments. From now on Tickets need to be classified as either Incident or Service Request.
In case disaster recovery needs to be performed Version 10.0.0 needs to be installed followed by an update to 10.0.1
Service Level Agreement (SLA) only support
To reduce overall complexity ITIL4 did change the handling of Underpinning Contracts (UCs) and Operational Level Agreements (OLAs). Service Level Agreements (SLAs) will substitute OLAs and UCs which have been migrated automatically. In order to identify the origin of the initial Configuration Item a dropdown showing the type was introduced. The corresponding CIs have been removed from the schema.
API Tokens Invalidation
Due to Security reasons in some particular cases, the Product Update automatically regenerates the Client Secret used for encoding the Security Token, what could lead to invalidation of the used API Token. If your Environment(-s) implement any Integration which based on API Token Authentication, please ensure right after the Update it still operates, otherwise, you need to generate a new API Token and use it in all related Clients.
Changes in OAUTH2 authentication endpoint
Changes need to be applied in case you did connect Matrix42 Service, Software & Asset Management and a 3rd party application using OAUTH2 authentication.
Until version 10.0.0 this endpoint '.../M42Services/Authorize/OAuth2Reply' was used.
Starting with version 10.0.0 the endpoint has changed and needs to be adjusted to: '.../M42Services/api/sts/oauth2reply'.
The system no longer manages mobile devices as a separate type of asset. One type of object is used for managing both computers and mobile devices. It is known as Unified Endpoint Management. If you update from an earlier version, all mobile device records will be merged into the computer entity. This way you can manage all endpoint devices under one navigation item and using the same dialog.
After you install the update, you can see that all existing mobile devices have been transformed into computers.
Please note that during update all existing mobile devices will be migrated to computer CIs which depending on the amount of devices might take some time. During the migration the progress bar of the update wizard will not change, which might lead to the impression that the update stopped working.
In such a case check the log 'Matrix42.Setup.log' for an entry like '...\Matrix42 Workspace Management\Config\Compliance_UUX\C021000002001.post'. Please do not cancel the update in case above line is the last in the log.
Changes in User Interface
The following changes in the user interface have been made:
- Dialog and preview for mobile devices as well as the Create Mobile Device and Import Mobile Devices actions will disappear
- Mobile devices imported via data providers and created manually will be copied as computers
- The computer dialog and preview will be extended with attributes specific for mobile devices
Changes in Database
The system creates a computer record for each mobile device and moves all related objects to the computer record.
The following data gets reassigned:
- Ownership (organizational unit, cost center, and location)
- Principal User
- Stock Keeping Unit
- Installed Profiles and Applications
- Purchase Data (Contract, Supplier, Internal Contact, Contract Item, Cost Plans)
- Attachments, Comments, Journal, Tasks, and Appointments
- SIM Cards
- Licensing Information (License Requirements, Restricted and Reserved Licenses)
- AD Groups
- Services, primary and indirectly affected Incidents, Problems, Change Requests, and Outages
Provisioning of Catalog Services
Silverback and AirWatch services are automatically adjusted to a computer target. Therefore, provisioning of services is now made for computers that represent imported mobile devices (you can filter them by management type Mobile Device Management). All previously assigned services get reassigned to new computer records.
Check your Customizing
As for the standard product, all necessary changes will be made automatically preserving all your data. However, if you have any customizing around "Mobile Device" in your environment, you will need to review and possibly adjust them, e.g.:
- Attributes, Relations or Data Definitions
- Non-standard Data Providers
- Import Definitions
- Compliance Rules
- User Interface
- Search Queries
Discontinue Alerting Email Engine
According to the Alerting Engine Discontinue Plan, which was presented in 9.1.3 release, in version 10.0.0 all email notifications, including custom, use the new Email Engine. If for some reason the Email Notification was not properly migrated, it could be manually fallback to use the legacy Alerting Engine, using Compliance Rule action "Switch Mailing Engine".
The Alerting Engine will be fully removed from the Product 2020/Q3 Release
UUX Security Vulnerability Eliminated
The potential security issue, related to XSS attacks, has been discovered and eliminated in version 10.0.0. All weaknesses of the standard Product have been removed. But, there is a possibility the System customizations (configurations) could open other vulnerabilities that cannot be automatically detected and resolved.
To protect the System proceed with the following steps:
- Find the Custom Schema Attributes which stores the HTML
Usually, such attributes bound to RichTextbox control.
- Edit the corresponding Data Definition, and set the flag "Contains HTML" for such attribute
For more details check Data Definition Attributes
.NET Framework Version Update to 4.7.2
The Product .NET framework version is elevated to the latest released version 4.7.2. This change could impact the custom assemblies which have been previously installed on Product and reference the Product assemblies of the strict version. To avoid potential problems it is recommended to at least to check the custom assemblies still working on a version 10 and above, or better, rebuild all such assemblies with .NET 4.7.2 Framework.
Also in a new Product version, some 3d Party libraries (Nuget packages) have been updated to a newer version. If you using these libraries in your Projects please recompile these assemblies to guarantee they are compatible with the new Product.
Powershell scripts, that uses CMDLETs referencing mentioned dlls, must be also checked for compatibility
Version in 10.0.0
Migrating Workflows from AppFabric to Matrix42 Worker Engine
Matrix42 Worker Engine is in a pre-released state (Technical Preview) and will be fully released in version 10.0.1. Please check the schedule of the Workflow Engines transition plan.
Starting from version 10.0.0 the compatibility of the Custom Workflows and Workflow Activities with the Matrix42 Worker Engine can be evaluated on Testing Environment. See Workflows Migration for more details.
Version 9.1 Update 3
Matrix42 Worker is a Windows Service introduced in the version 9.1.2 as Technical Preview. More details can be found in Workflow Engine.
By default, the Matrix42 Worker is not installed by the Setup, and in case it was not installed manually the breaking change is not affected, and the actions list can be ignored. Otherwise, the Worker needs to be manually updated.
- Stop "Matrix42 Workers" Windows Service before Matrix42 Workplace Management update.
- Update Matrix42 Workplace Management.
- Clean up Matrix42 Worker directory
- Follow the Install Worker instructions to install new version of the Worker
The concept of the Matrix42 Worker presumes the Matrix42 Worker is self updated whenever the relevant resources on the Application Server are updated, means in future Product updates the Workers will be updated automatically regardless of the way they have been installed.
Version 9.1 Update 2
With this new release, our software supports you in auditing your Matrix42 software licenses. The software now has a function that requests information about the licensing of the Matrix42 software at regular intervals and transmits the number of licenses used (by devices and users) to us. Personal data is not collected. The data transmitted with each process can be viewed on the server in the 'metering' sub-directory.
Further details can be found in the product documentation.
Version 9.1 Update 1
SaaS Compliance Data Provider
Installed data provider from SaaS Compliance subscription (Office 365 and Adobe Creative Cloud) needs to be updated after upgrading your environment to version 9.1.1.
Configuration of Remote Usage Tracking
Configuration of Remote Usage Tracking Agent is now made in settings for "License" application and not directly in config-files anymore. Accordingly make sure that your settings are correct, if you are using Remote Use Tracking Agent in your environment.
Please refer to online help for details about configuration.
Compatibility of Empirum SDK
Due to a breaking change in Empirum SDK v1.20 compatibility with earlier versions is affected.
Be careful when using Empirum SDK of earlier versions with PowerShell activities in workflows!
Since Software Asset & Service Management 9.1 Update 1 installs Empirum SDK version 1.20 coexistence with previous version may lead to execution errors!
Don't be confused if your scripts run nicely inside PowerShell IDE. This is misleading.
- Adjust your PowerShell scripts to match with SDK 1.20 and remove old SDK-version (recommended!)
- Manually remove SDK 1.20 after updating to Software Asset & Service Management 9.1 Update 1
.NET Framework changed
Please note that this version was compiled with .NET Framework 4.6.1 for the first time. Please ensure it is available on your server prior to installing the product. Setup of the .NET Framework is contained in the REDIST file provided with this release. Please note that users of Workflow Studio need this .NET version also on their client device.
Service Desk – 2 new configurations added
Two new configuration settings have been added to allow better information handling on new received data. The two options, defined in the Service Desk – Settings area, are
- Mark ticket as "New information received" when adding Journal entry (enabled by default)
- Mark ticket as "New information received" when adding Journal entry by responsible person (disabled by default)
Especially the second option might result in changed behavior on filters checking the new information status.
Version 9.0 Update 4
Removed Exception (for Developers only)
“PandoraException” was moved from Matrix42.Pandora.Contracts to Matrix42.Common. If you have already used “PandoraException” in your projects, please change the namespaces in all usages.
Version 9.0 Update 2
"Users are not able to change their data in User Profile"
This change comes from a bug fix. Setting, that was always present, saying "Allow Users to Change Personal Data" was not working in UUX. Now it is considered, and can be changed by customer
Workflows will be validated during update
Setup contains new feature validating existing workflows to avoid unexpected failures during their execution. This validation checks if workflows have references to components that are missing on the environment or have a wrong version.
If validation detects a corresponding issue, a message is displayed:
There are two options to deal with this issue:
- Instant Fix
- Keep small message box with caption “Skip” open
- Deploy required but missing component
- Click ‘No’ on small message box to repeat validation
- Subsequent Fix
- Click ‘Yes’ on small message box with caption “Skip” to skip validation
- Continue with the setup
- Deploy required but missing component after the setup has finished
We recommend first option.
More details can be found in online help.
Office 365 Data Provider
In case you have installed the data provider for Office 365, please download new version of this data provider from Matrix42 Marketplace and install it after updating your environment.
Version 9.0 Update 1
Auto-Migration of Volume License Agreements
Please note that with upgrading your environment to this version, existing volume license agreements of following types are automatically migrated to CI “Volume License Agreement”:
- Microsoft Enterprise Agreement
- Microsoft Enterprise Enrolment
- Microsoft Select Agreement
- Microsoft Select Enrolment
- Adobe CLP Agreement
- General Volume License Agreement
Automatic migration will not copy data records, but just change the type (Configuration Item). Object-ID and any other data remains untouched.
In case obsolete Configuration Items from above have been customized, having added Data Definitions to them, make sure that these Data Definitions are also present in CI “Volume License Agreements” prior to updating. Otherwise migration will fail for those records.
SQL Server 2008 R2 not supported anymore
With product version 9.0 we do not support SQL Server 2008 R2 anymore. If you operate your environment on this SQL Server make sure you update your SQL Server to one of the supported versions prior to updating your environment to this product version.
Also please check system requirements in our online help.
Version 8.1 Update 7
Workflow Activity "UpdateObjects"
Implementation of workflow activity "UpdateObjects" was changed. Parameters validation becomes stricter so custom workflows that use this activity may fail in case of passed "Object IDs" is not related to specified "CI Type". Please review your custom workflows before updating to version 8.1.7 or higher.
Filter in UUX Navigation
With previous product version 8.1.7 we changed behavior of filters in UUX navigation.
If a user, who belongs to Administrators role, creates new navigation filter:
- This user will not be set as Owner of this filter anymore
- This user will now be added to the Audience that is able to see that filter
- Any user sees all filters in navigation that are marked as “to-be-shown in navigation” where user has access through the Audience setting or the user is the owner of respective filters.
- If a user creates a new filter for navigation, this user was previously automatically set as “Owner” of that filter.
- In case that a user creates a filter as an administrator and shares it with all other users – there was previously no way to hide this filter from his personal navigation.
If you update an existing system with product version 8.1.7, all owners are removed from those navigation filters where the current owner is in role Administrators. In addition, the corresponding user will be added to the audience entry. As a result, member of role Administrator will still see same filters in navigation as before update, but he will be able to hide for himself specific one using action Audience.
In addition, Administrator can use Administration => Search Filters to create new or configure existing filters.
Version 8.1 Update 4
CI Approval and ChangeApproval
With previous product version 8.1.4, the structure of “Approval” and “ChangeApproval” CI have been changed for performance improvement reasons. Both CI do not include Data Definition SPSActivityClassBase anymore.
Relevant attributes have been moved to SVCApprovalTaskClassBase instead:
Since product version 8.1.0, only accounts with a status that is equal to Active (2001) and with the unselected Deny Workspace Management Logon checkbox are allowed to log in toMatrix42 Workspace Management. Prior to that version, all accounts with a status value other than Deleted (2004) and with the unselected Deny Workspace Management Logon checkbox were allowed to log in to Matrix42 Workspace Management.