iO release notes & changelog

iO Agent Version 9.8.1618

New features:

• Added support for Series 9 smartcards. Series 9 smartcards can now be used by all clinicians for NHS Spine Authentication
• Added support for the latest NHS Credential Management v1.3.1.0, allowing RAs to perform Virtual Smartcard issuance with it

Enhancements:

• Stability and security enhancements
• Enhancements to smartcard communication performed by the client

iO Agent Version 9.7.1610

Fixes

• Fixed issues with very large number of Spine roles causing crashes

• Fixed issues with not displaying Spine roles to select from for users whose certificate is about to expire in less than 7 days

• Fixed issues with not being able to authenticate the user with generic authentication method (e.g QR code) after 'Not me' button was clicked on login prompt with associated AD account

• Stability, security and performance enhancements

iO Identity Agent 9.6

Enhancements

• Enhancements to Virtual Smartcard issuance
• Minor UI/UX enhancements
• Security enhancements

Defects

• Miscellaneous defect corrections
  
  

iO identity agent

Fix

• Issue with performance when issuing VSCs fixed

Enhancements

• Updated TicketAPI to allow support for a wider range of clinical systems
• Active Directory users are now prompted to reset their passcode if it is locked

iO Identity Agent

Fixes

• Fixed improper handling of some use-cases where no user feedback was given
• Security fixes
• Other enhancements to stability

Enhancements

• Various UX enhancements
• Added support for large dialogues (Accessibility enhancements)
• Added support for latest certificates issued by the new CA on LIVE and INT NHS Spine

iO Identity Agent

New features:

• added new native interface - Isosec's vendor agnostic API that enables EPS signing using Isosec's Virtual Smartcard

Fixes:

• Fixed issues with Virtual Smartcard issuance failing at the very last step (storing certificate) for some Virtual Smartcard users

iO Identity Agent

Changes

Added user friendly handling for expired certificates for Virtual Smartcards.

Added new NHS Spine certificates to iO installer to support NHS CIS Spine changes being made on 15th June 2022.

• End-User machines now only require Gemalto Classic Client Toolbox when using Virtual Smartcards against their clinical systems (Adastra, SystmOne and EMIS) for authentication and EPS (pending accreditation)
  
• Registration Authority machines still require both Gemalto Classic Client Toolbox and Oberthur for Virtual Smartcard issuance
• For ePrescribing, P11 Tools must be installed for use with SystmOne

Fixes/Feature Updates:

• General bug fixes & code refinements.
• Added functionality to Suppress Spine Certificate & replaced with custom Isosec messaging for Virtual Smartcards
• Implemented ability to configure emulation card type and use series 6 card by default
• Added frequently used registry fixes to iO installer, now applied by default - These include Imprivata fixes, Smartcard emulation and device blacklist
• Implemented deleting of legacy issuance DLLs
• Added 2 config items to control iO’s passcode prompt window focus priority (FLAG_AllowPasscodeDialogueEnforceFocusTakover & FLAG_AllowPasscodeDialogueInitializationAsTopMostWindow)
• Added config item to disable physical card checks for use in RPA environments (FLAG_DisablePhysicalSmartcardUsage = 1)
• Added STR_AuthWarningCustomMessage config item where the custom message can be specified and will be appended to the message warning the user about spine session expiry.
• Changed iO to open URLs in a system default browser. This includes vRA Manager and Self-Service automatically opening in browser. CMD_Browser can be specified as a custom browser in which iO will be opening all links (including vRA Manager and Self-Service portal).

iO Identity Agent

• Security and stability improvements
• Blacklist reader functionality used for VSC emulation
• Fixed issues with authentication for 'push notification only' based on a linked AD account authentication use-case

iO Identity Agent

• Bug resolved with large log files failing to send when using the "Send Logs" function
• Logging improvements and optimisation - Additional logging can now be enabled from the iO Identity Agent tray icon 

iO Identity Agent

• Removal of vSC Reader Driver for Virtual Smartcard issuance - Registration Authorities now ONLY require the iO Identity Agent to be installed
• Support added for NHSD Credential Manager for MS Edge & Chrome Virtual Smartcard issuance
• Added support for issuing v8 Virtual Smartcards; functional for authentication and ePS signing - V8 cards are issued with iO 9.1 or higher and will be displayed as "Oberthur" in CIS.  
• Fixed key creation issue during Virtual Smartcard issuance in CIS, no errors are now presented to users
• Fixed issues with not being able to issue Virtual Smartcards to users with very long names (longer than 50 characters)
• Several other minor fixes and improvements related to the VSC issuance process
• Fixed an issue with the iO icon incorrectly displaying an unauthenticated state
• Logging improvements and optimisation
• Added support for AWS WSP environments

• Added support for AdES (Advanced Electronic Signature) Virtual Smartcards (V2)
• Bulk electronic prescription signing (EPS) support added for AdES functionality
• Added Virtual Smartcard passcode reset functionality from iO log in box
• iO Client pop up menu restructured for vRA Manager & Self-Service items.
• Added detection and notification of RA user for non-intended / wrong user user issuance
• Added automatic detection of NHS Level 1C certificate (Trusts who previously added configuration items to resolve this can now remove)
• Fixed cached user profiles from being deleted when capitalisation was detected
• Disabled manual ticket for “Insert VSC button” for RA’s - Now auto-ticked during issuance.
• Removed HR Card and FIDO2 support from iO and vRA Manages
  

Fixes

• Many fixes and improvements made to iO functionality & issuance.
• Improved error logging/messages and made clearer
• Security fixes and patches

• Improvements made to the Isosec WinSCard.dll file to support Virtual Smartcard EPS with Adastra 3.31.12 - This requires AWP Oberthur middleware to be installed.
  
  
• Additional functionality made to the Isosec WinSCard.dll to support virtual environments with a broken physical layer.
  
  
• This version uses V6 Smartcards by default. A registry entry can be added to default specific applications to use V8.

• Fixed an issue where by iO would not use the I.E or System proxy for spine related services. iO will now use the detected proxy servers for spine connectivity (authactivate, authvalidate, roleSelection, authLogout) by default.
  
  
• Additional configuration item FLAG_DisableProxyUseForSpineConnections = 1 to allow organisations to prevent spine connectivity to go through the proxy file. 

• Fix implemented to prevent iO crashing Clinical applications if supplied with an empty PIN for Smartcard login - This is relevant when Isosec's P11 files are installed.
• Additional changes made to the copy/delete functionality used for local folder WinSCard placement:
  
  The copy operation is now triggered every time a user initiations signing in with a Virtual Smartcard (any vSC auth method)
  
  The delete operation is now triggered every a user initiations signing in with a physical Smartcard (after supplying the PIN) 
  
  This functionality is dependent on the configuration items entered into the ISOSEC.properties file. 

• Additional configuration item added to work along side the local file placement of Isosec's WinSCard.dll.
  
  CMDList_ProcessKillBeforeSpineAuthComplete - A semi-colon separated list of process names to kill before a spine authentication is completed (normally before role selection is carried out)

• Additional functionality added to Isosec's WinSCard.dll to handle addition attribute calls for EPR systems.
• Added functionality to enable iO to automatically delete Isosec's WinSCard.dll from the EPR folder upon a physical Smartcard being inserted.This is only relevant for when local WinSCard.dll placement is used to enable Virtual Smartcard functionality.
• Added functionality to kill required processes on card presence.
• Added ability to configure WinSCard to emulate Series 8 Smartcards by adding the application process to a registry entry. The registry item is called WinSCard_S8CardProcesses and can be found under the below key:
  
  \HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Isosec\iO Identity Agent
  
  To note, by default, iO will emulate Service 6 Smartcards.
  
  
• Additional configuration items added as below - These can also be found in our Virtual Smartcard Installation Guide.
  
  NumOnCardSignFailRetryAttempts - Number of attempts iO will try to sign an authentication challenge (with physical Smartcard only) if the challenge signing fails for whatever reason
  
  STR_EPRSystemProcessNames - A semi-colon separated list of process names that iO should search for in sub-folders specified by 'STR_EPRProcessesRootSearchFolders' config item. Isosec's WinSCard can be copied to / deleted from folders in which the processes are found
  
  STR_EPRProcessesRootSearchFolders - A semi-colon separated list of search folders in which iO should search for the EPR processes specified by their name by 'STR_EPRSystemProcessNames' config item. 
  
  FLAG_WinSCardCopyOnVSCAuthToEPRSearchSubFolders - Enables copying Isosec's WinSCard dll into folders (sub-folders of folders specified in 'STR_EPRProcessesRootSearchFolders' ) in which the EPR processes (specified by 'STR_EPRSystemProcessNames') are found. The 'copy' operation happens upon the Virtual Smartcard passcode prompt being displayed 
  
  FLAG_WinSCardDeleteOnPhysicalCardAuthFromEPRSearchSubFolders - Deletes Isosec's WinSCard dll from folders (sub-folders of folders specified in 'STR_EPRProcessesRootSearchFolders' ) in which the EPR processes (specified by 'STR_EPRSystemProcessNames') are found. The 'delete' operation happens upon the Physical Smartcard passcode prompt being displayed 
  
  CMDList_ProcessKillOnCardPresence - A semi-colon separated list of process names that iO should kill when a Smartcard is presented and user has not yet authenticated.

• Fixed introduced for SystmOne EPS - A bug had been introduced by a SystmOne update resulting in an error message appearing when EPS was signed and completed.
• Improved logging to iO and Isosec's WinSCard to assist with troubleshooting.

Additions:

• Changed the behaviour of the Self-Service Portal menu option when right clicking on the iO Identity Agent. This will now use the default browser set by the Operating System and will not forcibly use Google Chrome (if available)

Fixes 

• Resolved an issue where physical cards could not consistently be read, resulting in the users being informed the Smartcard was "Locked"
• The ProcessKill functionality has been rewritten due to an issue with Internet Explorer failing to close when the following configuration items are used:
  
  CMDList_ProcessKillOnCardRemoval 
  CMDList_ProcessKillOnDisconnect
  CMDList_ProcessKillOnExit
  CMDList_ProcessKillOnPostDeauth 

Fixes

• WinSCard and gclib.dll files amended to cater for EPS applications
• Silent Installation method now stops automatic system reboot
• Fixed a bug where local WinSCard placement was not correctly detecting directories and sub-directories as searchable folders.
• Additional error logging added to capture failed attempts at local WinSCard file placement.

Additions:

• Added the ability for iO to place Isosec's WinSCard into local application folders, specified by configurations items in the ISOSEC.properties file.
• Introduced IsosecWinSmartcardUsage.log to capture all processes using the Isosec WinSCard.dll file - Stored in the iO Installation directory. This allow support to understand which processes use the Isosec WinSCard without having to first turn the logging on via the registry. 
• Forced restarted added to the iO Installation process
• Improved EPS signing request
• Added the ability to switch between different vSC services once the user has already authenticated - This is in place ahead of future functionality to allow authentication against other spine environments (DEP, Training..etc)
• Improved Installation process for Isosec's WinSCard.dll & gclib.dll - Stopping and starting services to perform this installation was removed and replaced with renaming and rebooting.

Additions

Major version increase - 8.0+ 

• iO now supports electronic prescriptions (EPS) with Virtual Smartcard in EMIS
• Added new configuration items to support EPS
• Added Extras folder in iO installation folder. Contains files necessary for EPS signing with Virtual Smartcard

Fixes

• Optimised speed of Virtual Smartcard log in
• Fixed rare issue with GetTokenInfo failing when iO authenticated with physical smartcard and card is removed, as well as it not returning the CardUID of the authenticated smartcard

Internal Changes 

• Huge amount of changes to support EPS functionality

Additions

• Added new issuer pattern (NHS TRA Level 1C) to be automatically recognised and used with the correct test NHS spine for authentication

Fixes

• Fixed the issue with iO not closing the TOTP authentication dialogue when user responded 'NO' to a received push notification. The dialogue will be now immediately closed upon responding negatively to the received push notification.

Additions

• Changed VirtualAuthManager to enable randomly picking the server instance to talk to for redundant VSC servers
• Added a new config item 'FLAG_ForceServerSpineTicketCheckForVRAManagerAccess' that can be set to 1 for when the enforcement of spine ticket check is needed with the VSC service anyway.

Fixes

• Changed iO to not display QR code for when QR code is disabled for VSC auth.
• Fixed dialogue being dismissed when users use email + passcode for VSC auth
• Improved optimisation of iO VRA manager access checks

Additions

• Improved the speed of smartcards data being read in gemalto and other clinical applications using gclib

Fixes

N/A

Internal Fixes & Improvements

• Added better encryption
• Improved optimization of Virtual Smartcard service

Additions  

• Added a configuration item and functionality that enables iO to not to disconnect the user on card removal immediately after the card removal event happened, but instead allow a specified amount of time to wait for the card to be reinserted back (become present) and ignore the disconnect event if that (card insertion) happens in that time period

Fixed

• Fixed the issue with not being able to load the Oberthur's P11 library due to invalid path

Internal Fixes & Improvements

• 1

Additions

• Updated iO version number to 7.3 to reflect minor changes

• Added new functionality to allow users to send logs via system tray icon

• Updated iO installer to always set log level to 7

• Added much better logging for CardReader when carrying out operations

• Added functionality that enables local caching of the passcode for VSC using Active Directory association

 Fixed

• Fixed some warnings with CardReader logs

• Changed some logging to better explain what is happening

Known Issue

• There is an issue on first card insert where iO may report incorrectly that the Smartcard failed or the Card was locked. If you encounter this issue, please enable the config item FLAG_CardCheckV5V6CardsFirst = 1 and this should resolve the issue

12 internal fixes and changes

Additions

• Added ability to authenticate a Virtual Smartcard with a FIDO2 device using 32bit iO

• Added functionality to allow “inserting” the Virtual Smartcard when not issuing. This will allow programs that require a Smartcards presence (EMIS) to work on physical machines

• Improved logging when carrying out initial card connection

Fixed

• Fixed some misleading logs

• Resized the verify dialog

Known Issue

• There is an issue on first card insert where iO may report incorrectly that the Smartcard failed or the Card was locked. If you encounter this issue, please enable the config item FLAG_CardCheckV5V6CardsFirst = 1 and this should resolve the issue

6 internal fixes and changes

Additions

• Updated the version number of iO to indicate that a new feature was added. Full Fido2 device support for registration, authentication with vSC, and Fido2 device management

• Added a configuration item into iO - 'TIMEOUT_vSCSignChallengeRequest' that can be set to number of seconds after which vSC challenge signing requests will timeout (for better user experience with redundant vsc servers)

• Added detection of Mifare Standard 1K RFID Tags

• Changed iO to push the WAKE FROM SLEEP EVENT to queue only if the VerifyUserAfterWakeFromSleep is defined in the iO's licence

Fixed

• Fixed issue with iO asking for physical smartcard insertion to unlock session when authenticated with a virtual smartcard

• Fixed issue where users could not complete self-service certificate renewal with iO installed 

Known Issue

• There is an issue on first card insert where iO may report incorrectly that the Smartcard failed or the Card was locked. If you cancel the pin dialog and right click iO and click Login you should face no further issues.  

50 internal fixes and changes

Increased version number for iO to reflect additions to iO

Additions

• Added new session time out warning for when spine ticket is due to expire

• Added configuration item to adjust when warning is given for session expiry

• Added ability to set local %AppData%as the shared folder path for the licence

• Added new config item to suppress warning message for inaccessible shared folder location

• Added ability to redirect iO's logs to App data folder (this is useful for when multiple users are using the same iO at the same time from an image - e.g Microsoft's Azure cloud)

• Changed iO to push the WAKE FROM SLEEP EVENT to queue only if the VerifyUserAfterWakeFromSleep is defined in the iO's licence 

Fixes

• Changed the DummyNHS_IA to log only messages that are of DEBUG level or lower (this will omit the extra logs from the pipe communication between iO)

• Changed an error message and updated iO to display the option to plug in a vSC for issuance only when users are already authenticated

• Updated clickable button name in iO's tray icon

6 internal fixes and changes

Virtual Smartcard

Additions

• Added message boxes and better indicators for RAs to see better what issues there are on misconfigured RA machines for vSC issuance

• Made sure that vRA Manager and VSC service is backwards compatible with older versions of iO identity agents

• Added a pop up message for the vSC issuance to be displayed when the vSC service is not available

If you are a Virtual Smartcard user please view the Virtual Smartcard changelog at – https://www.isosec.co.uk/changelog/Virtual%20Smartcard/

Additions

• Added reader pattern ignore list config item and functionality that enables the user to specify patterns for readers (names of readers) to be ignored

Increased version number for iO to reflect additions to iO

Additions

• Addition of 2 factor authentication support for Virtual Smartcard
• Application white listing enabled for Virtual Smartcard
• Smartcard Certificate auto-renewal support
• Added new config item to always clear certificate data cache from memory and force the application to always read the card data before every authentication

Fixes

• Fixed issue with continuous launching that caused issues in some environments

12 Internal changes and fixes

Additions

• Improved logging capabilities for when a VSC is supposed to be connected / disconnected from the / to a VSC reader driver 
• Extended iO to enable authentication with VSC using a generic win account by providing VSC email address and password.
• Changed the Insert Card dialogue to enable authentication using email + VSC password
• Changed iO to recognise card not by ATR but by sending command to the card instead and added configuration to iO that allows configuring iO to recognise cards by ATR if needed
• Changed iO to disable closing the smarctard session by default but allow users to enable by configuring iO to close smartcard sessions if needed
• Added functionality to iO that enables configuration for GetTicketNoAuthOut calls to map them to GetTicket calls
• Added functionality to enforce 2 Factor authentication (2FA) for VSC
• Added a dialogue that is brought up when 2FA is enforced for VSC, the dialogue enables the user to enter the TOTP code and validate it, successful validation completes the VSC authentication
• Added functionality to iO to complete 2FA for VSC or cancel the VSC authentication if the second factor is not provided
• Added configuration to iO and licensing server to enable configuring whether single factor authentication is enough for VSC or 2FA has to be enforced

Fixes

• Fixed issues with iO not being able to connect or disconnect a smartcard from a VSC driver

Internal Fixes & Changes

• 19 Internal changes and fixes

Additions
n/a

Fixes

• Fixed an issue with Electronic Prescription Services where if the card was left in the reader after authentication it could cause the EPS to fail on EMIS.
  
  

Internal Fixes & Changes

8 internal changes and fixes

Additions

• Increased the version number of iO client to 6.2.xxxx
• Added support for spine session persistence for any white-listed applications 
• Added setting of card type for Mifare cards and Barclaycard bank cards, such that the cards are distinguished straight after insertion and are handled as HR cards
• Added functionality to log user out if no SSP is set and PC wakes from sleep (This is the default behaviour for non SSP iO unless FLAG_VerifyUserAfterWakeFromSleep flag is not set)

Fixes

• Fixed the issues with verify pin dialogue counter
• Implemented new functionality that enables user verification after the PC is brought back from sleep mode
• Added a new configuration item FLAG_VerifyUserAfterWakeFromSleep. If enabled will trigger user verification after PC awakes from sleep and user is authenticated 
• Fixed the issue with whitelisted applications not being able to see a real smartcard if it's inserted

Internal Fixes & Changes

36 internal changes and fixes

Additions

• Increased the version number of iO client to 6.1.xxxx
• Added functionality that enables configuring iO's configuration file to delay/wait before BeginCardSession and GetCardUID operations are executed upon card insertion
• Added functionality to set and clear VSC authentication context upon successful authentication with VSC and logout
• Added some additional logs to iO

Fixes

• The increased wait time can solve issues in some environments where multiple programs connect to card at session start

Internal Fixes & Changes

N/A 

Additions

• Added more logging

• Added ability to determine card version/type as soon as the ATR is read off of the card

Fixes

N/A

Internal Fixes & Changes

N/A

Additions

• Added ability for shared folder to be read only (no central licence updates)

• Added self-service functionality for Virtual Smartcard

• Added ability to change colour of Virtual Smartcard passcode dialog box

• Added implementation for launching vRA manager by clicking on a button in iO's menu

• Added HR Card usage for Virtual Smartcard

• Added another configuration item that enable to configure how many times iO should repeat the authentication as well as which authentication method to use (ticketAPI vs mouse clicking)

• Added configuration item that enables configuring a placeholder for pin entry when asking for Virtual Smartcard

• Added functionality to continually extend vRA Manager session whilst iO's session is alive

• Added support for interaction with vRA Manager to enable HR cards registration (for VSC)

Fixes

• Fixed issue with Shared Folder giving error message about permissions

• Commented out a notification that was being displayed to users who were supposed to use shared folder but no shared folder file was available

• Cleaned some inconsistencies in iO's dialogues

• Fixed the issue with not correctly detecting the physical smartcard pin dialogue because of an incorrectly defined dialogue name

Internal Fixes & Changes

35 internal changes along with some fixes

Additions

• Version number updated to 6.0 with addition of Virtual Smartcard  

• As part of our continuing security improvements, iO has been updated to use the latest version of Open SSL (1.0.2k) which eliminates potential security risks inherent in the earlier versions of Open SSL

• iO version 6.0.6823 includes all the functionality to support the new Virtual Smartcard product from Isosec

Fixes

• Fixed issue with multiple audits being sent due to third party apps continually reloading TicketAPI.dll

• Fixed issue with multiple ‘Failed to send Audit!’ messages popping up

• Fixed issue with blank screen not being removed if Smartcard services weren’t started

• Fix to the issue with occasional losing focus on the passcode entry field, especially upon incorrect pin entry

• Improved logging

Internal Fixes & Changes

28  internal changes and fixes to provide minor improvements to performance and behaviour

Additions

• As part of a major security improvement, iO has been updated to use the latest version of Open SSL (1.0.2j) which eliminates potential security risks inherent in the earlier versions of Open SSL

• iO version 5.0.6000 includes new functionality to work with the Analytics tools from Isosec

• iO now has the ability to have the licence updated via a shared folder meaning that there is no need for a new installer when the licence is extended

• Added new configuration options that are listed here - www.isosec.co.uk/iO/iO_Installation_Instructions_and_ISOSEC_Properties.pdf

• Added better security to Single Sign On password storage

• Added functionality for Single Sign On to automate Windows and iO logon using the NHS smartcard

• Added functionality that enables web applications the ability to obtain the ticket from iO via a javascript interface

Fixes

• Fixes an issue with Version 8 smartcards occasionally not being detected by card readers

• Fixes an issue with Version 8 smartcards occasionally causing Citrix applications to fail to launch

• Fixes an issue where iO would not be closed when attempting to uninstall

• Fixes an issue that caused the Verify Pin screen to flash on reconnect

• Fixes an issue that caused iO to fail to see a Smartcard on reconnect

• Made some improvements to card interaction software

• Fixes the issue with complete card removal from the system when the passcode has been entered incorrectly by SSO

• Improved the logging system

• The verify PIN dialogue should now not be displayed if the same card is present when the authenticated user reconnects into his session

Internal Fixes & Changes

57 internal changes and fixes to provide minor improvements to performance and behaviour