Release Notes
Release 7.0.6
Maintenance Release
Stability improvements and bug fixes to enhance overall system performance and reliability, specifically in native SSH connectivity, Remote Assistance, and certificate management.
Release 7.0.5
Maintenance Release
Stability improvements and bug fixes to enhance overall system performance and reliability, specifically in supervised access workflows, the macOS Cyolo Connect Agent, and core infrastructure.
Release 7.0.4
Maintenance Release
Stability improvements and bug fixes to enhance overall system performance and reliability.
Release 7.0.3
New Features
Session Intelligence
Accelerate incident response with clear, human-readable session summaries that reduce investigation time, MTTR, and review workload. Session Intelligence analyzes recorded RDP sessions and transforms them into searchable transcripts with concise summaries of user actions. This enables plant managers, OT engineers, cybersecurity analysts, and auditors to quickly understand what occurred during remote access sessions without replaying lengthy recordings, improving operational oversight and forensic efficiency. Available as an add-on subscription.
New Operational Dashboards
Cyolo introduces new dashboards that provide administrators with immediate, actionable visibility into platform activity, enabling faster insights and improved operational control. The Active Sessions tile displays which applications (assets) users are currently connected to, along with active sessions, pending supervision approvals, and open remote assistance requests. It also includes a global map view showing active sessions by country of origin.
The Users tile provides real-time insight into user status across the platform, including currently connected users, enrolled users, and users awaiting enrollment. It also displays enabled groups by type (Cyolo, external, and dynamic), as well as enabled users by identity source, offering clear visibility into user distribution across connected IdPs.
The Applications tile presents configured applications by type or protocol (for example, RDP, HTTPS, and others) and shows how many applications are published per site, giving administrators a consolidated view of application distribution across the environment.
User Interface Updates
This release introduces enhanced table capabilities, including quick search, filtering, and pagination, improving usability and data navigation for administrators and end users.
The UI infrastructure has been migrated from custom legacy components to a standardized framework, aligned with Cyolo’s commercial color theme and refreshed styling. This delivers a more consistent, modern experience and enables faster rollout of future UX improvements.
Asset and Network Traffic Visibility
Cyolo introduces asset and network traffic visibility for OT environments through fully passive, agentless discovery integrated with the network management plane (this release introduces Cisco switches integration). This switch-based approach requires no OT network scanning, active probing, or network traversal, ensuring zero impact on controllers, PLCs, or safety systems. The solution continuously builds and enriches a detailed asset inventory while providing real-time insight into who communicates with whom and over which protocols. By highlighting remote access traffic that does not pass through Cyolo, it simplifies Secure Remote Access (SRA) enforcement and helps security teams quickly identify potential bypass paths or policy gaps.
At the core of this capability is the new Fabric Controller, which collects passive telemetry from onboarded switches and securely forwards enriched asset and traffic data through the Cyolo Private Gateway to the IDAC, enabling automated and accurate asset classification. Fully aligned with the existing IDAC and Connector deployment architecture, this enhancement establishes a segmentation-ready foundation, delivering the traffic insights and asset context required to support future policy-based OT segmentation.
New Cyolo Components Launcher
A redesigned, browser-based installer for deploying Cyolo PRO components, including Private Gateway, IDAC, Connector, and Fabric Controller. Running in its own Docker container and accessible directly from the tenant, the launcher provides a clean and simple UI that streamlines installation and simplifies component setup.
Enhancements
Introduction of Access Groups for Access Control
This release introduces Access Groups as a new concept, separating organizational structure from access control responsibilities to improve clarity and flexibility. Categories are now UI-only and are used solely to organize applications in the Applications Portal through static administrative assignment.
Access control is now managed through Access Groups, which can be either static (explicit application assignment) or dynamic (automatic assignment based on asset and application attributes). Applications inherit their access rules from the assigned Access Group, enabling clearer policy management and more scalable access governance.
Malware Detection Policy
Admins can configure a global malware detection policy that includes file hash checks, ICAP deep scanning, or both, and define how unknown file hashes are treated by the system (benign or malicious). The policy applies across SMB-based file sharing and File Transfer, ensuring consistent protection. Action policies can be used for exceptional cases where specific files are trusted and require different handling.
Authentication-Level Condition Policies
Platform access is hardened with the ability to assign Condition Policies directly to Users, Groups, and IdPs. During authentication, conditions are validated hierarchically (User → Group → IdP) before application-level policies are evaluated, ensuring consistent enforcement at login. Activity logs indicate which Condition Profile triggered a block, improving visibility and troubleshooting.
Timed and Scheduled Access Requests
This release introduces Timed Access, enabling users to request access starting immediately for a defined duration, subject to approval.
Immediate Access begins once approved and remains active until logout or one hour elapses, whichever occurs first.
Scheduled Access can be initiated only within the approved start and end timeframe. Once initiated within that window, access remains active even if the timeframe expires, but users cannot initiate a new session after the timeframe ends.
Timed Access begins upon approval and remains active across logouts for the full approved duration. Similar to Scheduled Access, users must initiate access within the approved timeframe and cannot initiate access after it expires.
Remote Assistance
Cyolo Remote Assistance includes several enhancements to improve visibility, control, and auditability. Administrators can view all Assistant-to-Recipient assignments in a single centralized table with accurate counts of users and groups, making it easier to understand who can assist whom, simplify audits, and reduce the risk of outdated or misconfigured access. Assignments can also be created, edited, and removed directly from the table for faster day-to-day management.
Remote Assistance sessions can now be recorded and played back to provide a reliable audit trail for compliance, investigations, and knowledge-sharing.
In addition, Elevation Mode lets authorized admins choose whether sessions run as the signed-in user (limited permissions) or as System (full privileges for User Account Control prompts and locked screens), with the setting stored per tenant, pushed to agents, and fully audit-logged. Multi-monitor support is also available, enabling assistants to switch between remote displays, optionally view them in a combined layout, and, when supported, place each remote monitor on a separate local screen.
Admin-Defined User Validity Timeframe
Cyolo now enables administrators to define a user’s validity period directly within the user profile by configuring “Valid From” and “Valid Until” dates. This allows organizations to enforce time-bound access for temporary users, contractors, and project-based roles without requiring manual deactivation. By automatically restricting access outside the defined timeframe, the feature strengthens least-privilege enforcement and improves overall access governance.
In addition, a new IdP-level setting allows administrators to suspend user accounts after a defined period of inactivity automatically. This ensures dormant accounts do not remain active indefinitely, reducing the attack surface and supporting compliance requirements. Together, time-bound access and inactivity-based suspension provide stronger lifecycle management and tighter control over user access across the organization.
User Enumeration Protection in Authentication Flow
Enhanced authentication security by requiring full credential submission before error feedback to prevent user enumeration.
Chinese Language Support (UI)
In addition to the languages already supported by the platform, Cyolo also supports Chinese for the user interface, further expanding accessibility for global organizations.
Application-Level Control of CredSSP for Native RDP
In previous versions, CredSSP for native RDP was configured globally across the system. This release introduces application-level control, allowing admins to enable or disable CredSSP per RDP application for greater flexibility across different environments. During migration, all applications inherit the previous global setting, and the global configuration is removed.
Device Posture
Cyolo Connect device posture includes updated capabilities to support OS data fetching with native support for Windows on ARM (ARM64) endpoints. This update expands visibility and posture assessment to modern ARM-based devices, ensuring consistent policy enforcement and uniform access decisions across heterogeneous Windows environments.
Configurable Screen Resolution for RDP
Administrators can now define a fixed screen resolution for RDP applications, preventing blank-screen connection failures when users with high-resolution or ultra-wide monitors access legacy RDP servers.
In Web RDP sessions, the configured resolution is enforced to ensure stable rendering.
Configurable Approval Window for Immediate Requests
Admins can configure the approval time window for immediate access requests, replacing the fixed 15-minute default. Approvers can approve requests via the Supervision page, SMS, or email within the configured timeframe.
Secure Collaboration Link
RDP, VNC, and SSH session initiators can generate a one-time, view-only guest link so others can join the session in read-only mode with no mouse/keyboard input, clipboard access, file actions, or session commands.
Direct Contact Testing from User Profile
Administrators can now send a test SMS or email directly from the user page to validate newly added contact details. This capability helps quickly verify that phone numbers and email addresses are configured correctly when users report not receiving messages.
If a phone number or email address exists for the user, a corresponding action icon is displayed next to the relevant field, allowing administrators to easily trigger a test message.
IDAC Logs Role
Logs role assignment is available for selected IDACs, enabling log storage and indexing to run on a specific subset of nodes instead of the entire cluster. A dedicated API manages these assignments with built-in validation to ensure safe operation, such as preventing the removal of the final log node.
Management Nodes
A Management Node is a cluster node that participates fully in cluster control and consensus. An IDAC is considered a management node when it is assigned all three roles: voter, log, and recording. Management nodes participate in RAFT leadership elections, maintain cluster logs, and store session recordings.
The Admin Portal IDAC page now clearly indicates which IDACs are designated as management nodes, providing improved visibility into cluster configuration.
Multi-Upstream Registration and Shortest-Path Routing
Cyolo introduces multi-upstream registration and enhanced routing logic to optimize connectivity and reduce intra-region traffic. IDACs and Private Gateways (PGs) now register application SNIs with all upstream gateways within their configured region (defined by the ZONE parameter), eliminating the need for routing between gateways in the same region. Cross-region routing occurs only when no valid registration exists within the user’s region.
Gateways select the shortest gateway-to-application path for each user connection, improving performance and resiliency. As part of this enhancement, administrators can configure weights for IDACs to influence routing decisions and traffic distribution.
Proxying Upstream Traffic from the Private Gateway
Private Gateway deployments can route upstream traffic through an external proxy, reducing the need to expose multiple firewall rules directly to the Internet and supporting environments where outbound internet access must go via proxy.