Added a limitation to the One Credential Profile Request Per Person configuration option.

See the Devices page (Operation Settings) section.

Added the Allow Self-Service at Logon configuration option.

See the Logon page (Security Settings) section.

Added a note that the Domain must contain the NetBIOS domain name and not the DNS format when configuring Integrated Windows Logon.

See the Integrated Windows Logon section.

Added details of the Limit derived credential lifetime to deriving credential configuration option.

See the Certificates page (Operation Settings) section.

Added notes about the behavior of different CAs when requesting certificates using the Expire Cards at End of Day configuration option to specify expiry dates and times.

See the Issuance Processes page (Operation Settings) section.

Added a cross-reference to the information on viewing audit details in the MyID Operator Client.

See the Running the audit report section.

Updated the Show Full Name at Logon and Show Photo at Logon options which now affect the MyID Operator Client.

See the Logon page (Security Settings) section.

Updated the details of the Device Friendly Name credential profile option to indicate that it now also affects the MyID Operator Client.

See the Credential profile options section.

Added information about the notification schemes available in the Credential Profiles workflow for issuing mobile devices.

See the Issuance Settings section.

Updated the details of the Certificate Recovery Password Complexity option to cover its use in providing authentication codes for mobile device issuance.

See the Certificates page (Operation Settings) section.

Updated the details of the App Download URL – ANDROID and App Download URL – iOS options to detail their use on the provisioning page for mobile device issuance.

See the Issuance Processes page (Operation Settings) section.

Added a note to the Integrated Windows Logon section about restrictions relating to the Protected Users group in Active Directory.

See the Protected Users group in Active Directory section.

Information on configuring a maximum file size and a backup location for registry-based logging.

See the Registry logging section.

Added details of configuring logging for the MyID Client WebSocket Service.

See the MyID Client WebSocket Service section.

Details of the ImportPIVDN option in the configuration file.

See the Configuration file format section.

Added error 0009, CardProfileRequisiteDataCheckFailed.

See the Error code reference section.

Added details of the Limit derived credential lifetime to deriving credential configuration option.

See the MyID configuration options section.

Updated details on setting the Certificate Lifetime option in the Certificate Authorities workflow.

See the Enabling certificate policies section.

Added details of Entrust behavior when recovering a revoked archive certificate where the certificate is configured in the credential profile for Historic Only.

See the Key archival and recovery section.

Added extra details on obtaining the value for the CA Path.

See the Set up the MyID Entrust certificate authority section.

Listed the versions of the Entrust CA tested for the current release.

See the Supported Entrust CA Gateway versions section.

Added details of Entrust behavior when recovering a revoked archive certificate where the certificate is configured in the credential profile for Historic Only.

See the Key archival and recovery section.

Added the following MyID Operator Client error codes:

• OA10060 – The credential profile to be collected requires user data approval, but the target user has no such approval.

• OA10061 – The credential profile to be collected requires terms and conditions to be accepted, but assisted collection of updates does not support this.

• OA10062 – MyID client service is not running.

• OA10063 – You cannot retrieve security questions for this client.

• OA10064 – The security questions logonmechanism is disabled for this client.

• OA10065 – You cannot retrieve a challenge for this client.

• OA10066 – The smartcard logon logonmechanism is disabled for this client.

• OA10067 – Key-pair authentication failed, or you may not have permission to access this client.

• OA10068 – Windows logon failed, your windows account is unknown or untrusted.

• OA10069 – Windows logon failed, your user account is not permitted to logon.

• OA10070 – Windows Authentication is disabled on the server.

• OA10071 – Refresh Token failed to retrieve token.

• OA10072 – Authorization failure, missing data for Token Refresh.

• OC10015 – At least one record must be selected in order to perform this operation.

• OC10016 – Your login has expired. Please re-authenticate to the MyID Operator Client.

• OC10017 – You have re-authenticated to the MyID Operator Client with a different user. For security reasons, the operation has been canceled.

• OC10018 – You have re-authenticated to the MyID Operator Client with a different logon mechanism. For security reasons, the operation has been canceled.

• WS10005 – Unable to generate the requested EFT export file.

• WS50058 – The selected user has no suitable biometric samples for EFT export.

See the MyID Operator Client error codes section.

Updated the details of the following errors:

• WS50019 – Requests created using this API must include an appropriate encoding type.

• WS50053 – The capabilities of the selected credential profile are not supported by this operation.

See the MyID Operator Client error codes section.

Added the following web service error code:

• 9007151 – An existing request or device exists with a different exclusive group.

See the Web Service error codes section.

Updated the description of the following errors:

• 800551 – now includes the Protected Users group in Active Directory as a possible cause of the error.

• 881044 – now includes the Protected Users group in Active Directory as a possible cause of the error.

• 890588 – now specified the MyID Operator Client method for approving requests as well as the MyID Desktop method.

• 9007098 – now includes Lost as a disposal status that prevents a device from being reissued.

See the Web Service error codes section.

Updated the following MyID Client Service error:

• 10000228 – This error has been updated to add a reference to the MyID Client WebSocket Service, misconfiguration of which may cause the error.

See the MyID Client Service error codes section.

Added a workaround for the following error:

• REST007 – Unrecoverable error has occurred.

See the MyID Identity Agent error codes section.

Updated instructions for obtaining the FIDO metadata.

See the Setting up the FIDO metadata section.

Updated configuration to include multiple origins.

See the Configuring the server settings section.

Updated troubleshooting information.

See the Troubleshooting section.

Added information about the Windows Logon Certificates utility.

See the Windows Logon Certificates utility section.

Added information about the Key Migration Utility.

See the Key Migration Utility section.

Updated the instructions for upgrading MyID from a pre-MyID 11 system.

See the Upgrading MyID from a 32-bit application to 64-bit section.

Updated the instruction for moving a database to a new server.

See the Upgrading to a new server section.

Added information about running the Installation Assistant from the PowerShell command line.

See the Running the Installation Assistant section.

Added a note about an expected delay between the installer window closing after completing the installation and the log results window appearing in the MyID Installation Assistant.

See the Starting the server installation section.

Updated the list of required features for the MyID database server to remove PowerShell 2.0 Engine.

See the Setting up Windows server roles and features section.

Made clearer that you must log on as the MyID COM+ user to run the SetHSMPIN utility.

See the Setting the HSM PIN section.

Corrected instructions for providing non-default ports for SQL Server. This information is provided on the Port Selection screen, not the database screen.

See the Configuring the databases section.

Added a new section on installing and configuring the MyID Client WebSocket Service.

See the Installing the MyID Client WebSocket Service and Installing the MyID Client Service sections.

Added a new section on the tests that the MyID Installation Assistant carries out to ensure that the web services have been installed and are running.

See the Checking the web services section.

Added information on updating the installation folder before carrying out an upgrade or update.

See the Upgrading or updating the MyID Installation Assistant section.

Added notes about the behavior of different CAs when requesting certificates using the Expire Cards at End of Day configuration option to specify expiry dates and times.

Details of running a PowerShell script to populate the list of available websites before installing the web service for the Remote Microsoft Certificate Authority.

See the Installing the web service section.

Updated the name of the application pool used by the Remote Microsoft Certificate Authority.

See the Installing the web service section.

Added instructions for setting up an external system for VMWare Workspace ONE.

See the Setting up an external system for Workspace ONE section.

Added a step for restarting the Edefice_BOL component after making changes to an MDM connector.

See the Setting up your MDM system section.

Updated throughout to cover configuring, requesting, canceling, enabling, disabling, unlocking, updating and renewing mobile devices through the MyID Operator Client.

See the Configuring SMS and email notifications for the MyID Operator Client, Creating the Identity Agent credential profile, Requesting a mobile ID for another user, Requesting replacement mobile IDs, Canceling mobile IDs, Enabling and disabling mobile IDs, Unlocking mobile IDs, Updating mobile IDs, and Renewing mobile IDs sections.

Updated the list of supported mobile operating systems

See the Supported devices section.

Added EnablePassphraseLogin and EnableCardLogin to the list of logon mechanisms you can disable on a client type basis using the appsettings file.

See the Editing the configuration file section.

Added information on using the acr_values and login_hint parameters when requesting an authorization code.

See the Requesting an authorization code section.

Added the EnableSelfService option for clients that determines whether the Manage My Credentials option appears on the MyID Authentication screen.

See the Editing the configuration file and Requesting an authorization code sections.

Added the EnableWindowsLogin option for clients that determines whether operators can log in using their Windows credentials.

See the Editing the configuration file and Requesting an authorization code sections.

Added the EnableHeadlessCardLogin and EnableHeadlessPassphraseLogin options for key pair authentication for mobile identities.

See the Editing the configuration file section.

Added details of the AlwaysIncludeUserClaimsInIdToken option that allows claims other than sub to be returned in the identity token.

See the Editing the configuration file section.

Information about using refresh tokens to extend authentication to the server.

See the Using refresh tokens section.

Added information on using the Self-Service App to manage your credentials from the MyID Authentication screen.

See the Managing your credentials from the MyID Authentication screen section.

Added details of customizing the number of buttons displayed in the button bar.

See the Using the button bar and Changing the number of buttons displayed in the button bar sections.

Adding information on canceling multiple requests.

See the Canceling multiple requests section.

Added details of configuring the MyID Operator Client to allow logon using Windows authentication.

See the Signing in using Windows authentication section.

Added a new section on working with the audit trail in the MyID Operator Client, including viewing stored binary objects.

See the Working with the audit trail and Viewing audit details sections.

Updated the instructions for the existing audit functionality to include viewing audit details.

See the Viewing a person's history and Unrestricted Audit Report sections.

Added details of timeouts and re-authentication.

See the Timeouts and re-authentication, Configuring re-authentication timeout periods, and Enabling or disabling re-authentication sections.

Added a reference to the MyID Client WebSocket Service.

See the Changing the port section.

Added details of the additional fields available on the Person search form.

See the People report section.

Added details of the Enable Device and Disable Device operations.

See the Enabling and disabling devices section.

Added details of launching the Identify Device (Administrator) workflow in MyID Desktop from the MyID Operator Client.

See the Viewing extended information about a device section.

Added details of configuring the Select Security Device screen in the MyID Operator Client to display the associated user image and full name of the cardholder.

See the Signing in to MyID section.

Added details of using the MyID Operator Client to request mobile devices.

See the Requesting a mobile device for a person and Requesting a replacement mobile device sections.

Updated the details of date entry.

See the Entering dates and times section.

A disposal status of Lose prevents the card from being reissued.

See the Disposing of cards section.

Added a note that the Domain must contain the NetBIOS domain name and not the DNS format when configuring Integrated Windows Logon.

See the Integrated Windows Logon section.

Information about SafeNet eToken 5110+ FIPS Level 2 tokens has been added.

See the Thales authentication devices section.

Deprecated the following devices:

• SafeNet eToken 5110 FIPS

• SafeNet eToken 5110+

See the Thales authentication devices section.

Updated information on enabling and disabling capabilities for YubiKey devices to include both NFC and USB interfaces.

See the Enabling and disabling device capabilities section.

Added information about configuring MyID to save data written to smart card containers to the database.

See the Saving container data section.

Clarified the meaning of the options for the Per Container PIN Policy for Yubico devices.

See the PIN policy settings section.

Clarified the effects of disabling the PIV capability for the USB interface.

See the Enabling and disabling device capabilities section.

Test SIU-123 has been removed, as the MyID database server does not require the PowerShell 2.0 Engine feature.

See the Description of derived tests section.

Added tests SIU-323 to SIU-330 to cover checking that the web services have been installed and are running.

See the Description of derived tests section.

Clarification on the Show Full Name at Logon and Show Photo at Logon configuration options, which now affect the MyID Operator Client.

See the Visibility of user data section.