Skip to content

Overview

Welcome to the PPA installation and configuration guide.

Info

For ESXi or VMware Workstation you will need to download the PPA ISO.

Provision a machine with at least 2 CPU cores, 8GB of RAM, and a 40GB disk.

For production use we recommend 4 CPU cores, 16GB of RAM, and an 80GB disk.

Mount the ISO and boot the machine.

Releases

Version 3.3.0

Features

Browse & install tasks from an external playbooks index
Requests page for auditing, viewing, & responding to approval requests
Editable network configuration via Config page
Admin user password policy with lockout
Reset admin user password via Config page

Enhancements

Present task payloads in YAML format
Restructure Config page to improve UX
Show warning when task has a large number of revisions
Add 'Update Plugins' button to Task Editor
Allow admin user only access if Licence is invalid

Version 3.2.3

Enhancements

Allow users to edit Docker daemon config if required
Improved cloud provider metadata probe to validate hostname

Version 3.2.2

Fixes

Remove orphaned image records before migrating playbooks & images

Version 3.2.1

Fixes

Task Builder should check that appliance services are ready before attempting to load default platforms

Version 3.2.0

Features

Error reporting via email for tasks & schedules

Enhancements

Added General tab to Task page for managing basic task metadata & revisions
Removed 'metadata only' task revisions
Improved download task dialog
Draggable task cards
Remove managed users when deleting the last configured sync group
Re-synchronise users whenever a sync group is deleted
More detailed LDAP error messages when importing users or groups
Users page - show roles & permissions for synced users (who have not yet logged in)
Task Builder - new 'when_any' & 'when_all' keywords
Task Builder - warnings for deprecated language features

Fixes

Display task payloads correctly
Migrate legacy formatted playbooks
Allow users to re-attempt licence upload during setup
Correct data for undeployed tasks on task reporting tab

Breaking

Removed Playbooks page

Version 3.1.2

Enhancements

New task event for revealing/copying secrets
Added 'is not' operator to table filters
Better errors for missing images when starting tasks

Fixes

Show correct values for 'Can Start Tasks' permission on delegations summary & report
Fixed broken delegated users tooltip
Fixed filtering by state on the Tasks page
Agent sync errors should not disrupt agent initialisation on boot

Version 3.1.1

Fixes

Handle special characters in task log file names

Version 3.1.0

Features

Retention policy for task logs - delete permanently or push to an external SFTP server
System event email notification subscriptions
Bulk actions for dismissing or deleting system events

Enhancements

Export delegations for deployed tasks only
Added links to plugins documentation on Plugins page
Improved User Sync logging and error reporting
Failed schedule notifications
Better handling for Object-Sid conflicts when importing users
Ability to select which logs are included when downloading a techout
Rename task logs to have readable file names
Show previous label when deploying a task
Added metadata flag to relevant playbook revisions

Fixes

Remove old files from /trash directory used by Postgres migration
Meaningful errors when handling bad payloads from tasks for message/syslog

Upgraded

OpenSSH 9.1

Breaking

Removed support for restoring deleted users

Version 3.0.0

Features

Individual delegations for tasks & roles
Downloadable task platforms to simplify playbook & plugin upgrades
Self-destructive task events
MFA for tasks
Custom colours for task outputs

Enhancements

Improved audit trail for task & role delegations
Task specific reporting
Exportable delegations reports
Exportable combined Activity report
Enable wait hook approval responders to provide a reason
Added refresh button to page tables
Tabbed tables export to multiple XLSX sheets
Support for exporting all playbooks (YAML)
More detailed filename for techout

Breaking

Removed support for playbook maintainer groups
Removed build plugin functionality
Removed PAM profile integration

Fixes

Fixed user/passsword task event

Version 2.12.1

Features

Reinstated support for SAML authentication with Azure AD.

Version 2.12.0

Features

Multi-factor authentication with TOTP for users.
Ability to modify multiple records at once via the UI (Users, Groups, Tasks, Playbooks etc).
Configurable session inactivity timeout.

Enhancements

Reporting graphs showing average task activity over time (daily and hourly).
Allow users to select which playbooks to install during initial deployment.
Add a system event notification when the licence will expire in 30 days or less.
Increase maximum size of task logs displayed in UI to 5000 lines.
Require password for sudo commands if set by support user.

Breaking

Removed support for SAML authentication.

Version 2.11.1

Fixes

Allow users to re-submit Active Directory credentials if stored credentials are no longer valid.
Change type filter on System Events table to use dropdown input.

Version 2.11.0

Features

Task Insights reporting enables users to search task events for greatly improved auditing.
New input/form task event supports grouped task input fields and enhanced validation.
New input/date task event.

Fixes

Retain correct file modification time when creating a techout.

Enhancements

Added controls for column hiding, row density, and enhanced search (additive filters) to data tables.
Performance optimisations for task events data.
Support Windows line endings when uploading certificates to PPA.
Task Builder v3.x supports dynamic validation by identifying the latest supported platform for a given task.

Upgraded

PostgreSQL 13

Breaking

Dropped support for editing tasks built with Task Builder v1.x.

Version 2.10.1

Fixes

Better handling of database connections on User Sync errors.
Update playbook task parser so that action output is saved correctly when using a for_each loop.

Version 2.10.0

Features

Added support for automatically synchronising users from selected Active Directory groups.
New input/checklist task event.

Enhancements

Added default option to input/choice task event.
Updated the Task Editor to use the Monaco editor.
Improved input/table selected view.
Added system event notifications for licence seats exceeded and licence expired.
Improved session expiry handling so that users will not be logged out whilst editing a playbook.

Fixes

Changed handling of revisions deletion to eradicate socket timeout errors.
Updated used credits calculation to account for expired credit licences.

Version 2.9.2

Enhancements

Updated Task Builder to support plugins with improved startup time.
Add support for including playbooks bundle with the OVA (Active Directory Edition only).

Fixes

Improved validation for missing plugins that are not supported by the specified task platform.
Handle badly formatted JSON error during licence setup.
Show deploy option after a successful task upload.

Version 2.9.1

Enhancements

Improved export playbook functionality.
Add health check for Task Builder service.
Simplify System Events page styling.
Better error handling when loading task images.

Fixes

Handle exceptions when processing sequences for tasks built using the Playbook Editor.
Return error when importing a playbook with the same name as an existing task.

Version 2.9.0

Features

Added a System Events page for viewing system event logs and warnings.

Enhancements

Low disk space, low credits, and user authentication warnings are displayed on the System Events page.
Added Management View to the Tasks page, and removed the Inventory page.
Updated deployment setup wizard to include licence upload and Active Directory configuration.
Enable users to select a trigger type when testing Tasks from the Playbook Editor.
Improvements to Users, Groups, & Roles page tables providing additional context to data.
PGP encryption key rotation.

Fixes

Gracefully handle starting a task when a user does not have the attach permission.
Inaccurate metrics on the Reporting page when task volume is low.

Version 2.8.3 (Azure & AWS only)

Fixes

Use FQDN for wait hooks and API access from Tasks on Azure and AWS deployments.

Version 2.8.2

Enhancements

The maximum combined size for attachments in an email has been increased from 10MB to 25MB.

Version 2.8.1

Enhancements

Regenerate Osirium PAM secrets automatically.
Add visual feedback when deleting revisions or tasks.

Fixes

Interacting with the PPA API from a task when using the FQDN.

Version 2.8.0

Features

Delayed Start tasks allow users to create 'one-off' tasks that start after a period of time.
Added Groups page for administration of Active Directory groups and PAM profiles.
Enable administrators to select whether a user is authenticated via Active Directory or SAML.
Date Picker task input.

Updated

Removed auto enrolment and replaced with an Import Users dialog.

Enhancements

Update user attributes for improved integration with Azure AD.
Add checkbox option for overwriting plugins.

Fixes

Improved handling of email attachments.
License verification accepts host or IP address.

Version 2.7.1

Features

Tasks can access secrets from AWS Secrets Manager.

Enhancements

API users can start tasks by name.
Tasks can save result JSON for retrieval via API.
Add version endpoint to API.

Version 2.7.0

Features

Tasks can use Kerberos authentication to interact with remote Windows devices.
Tasks can access secrets from Azure Key Vault.
Tasks can send email attachments.
Users can add extra files to a playbook.

Enhancements

Improves performance of Inventory, Task Editor, and Task Events pages.

Version 2.6.5

Fixes

Improves performance of Tasks, Activity, and Reporting pages.

Enhancements

Support provision of SAML configuration Identity Provider metadata with file upload.

Version 2.6.4

Enhancements

Add support for multiple security group types in Active Directory config.

Version 2.6.3

Fixes

Tag task images consistently.
Do not grant user permissions to start tasks except via the UI.
Move task logs into files.

Enhancements

Add support for deleting and restoring users.
Add a prompt for installing missing plugin versions when using the Task Editor.
Add the ability to start a task with a payload from the Task Editor.
Enable users to delete multiple task revisions in a single operation.
Add support for sensitive files task event which obfuscates secret values.
Enable user to configure key store for signing SAML requests via UI.
Update Task Builder to include SVG graphs.

Upgraded

Golang 1.15
Linuxkit 0.8
open-vm-tools 11.1.5

Version 2.6.2

Fixes

Improve handling of reverse PTR records when configuring default Vault

Version 2.6.1

Fixes

Fix clearing error codes in playbook metadata

Known Issues

If the vault is failing to initialize, please set a FQDN (/var/disk/config/fqdn) that matches your reverse PTR settings.

Version 2.6.0

Features

Tasks can now have multiple revisions. Test new task versions without disrupting your users.
PPA will now prompt to unlock the built in vault on startup.
PPA will autoconfigure the built in vault on initial deploy if required.
New graph view for tasks that visualizes the steps a task will perform.

Enhancements

Better blank states and help tooltips.

Breaking

API and schedules now require credits to run.

Version 2.5.2

Enhancements

Tasks will no longer block on outputs when unattended.

Version 2.5.1

Bugfixes

The builder will now clean up intermediate build containers.

Enhancements

You can now specify a task timeout in the builder metadata.

Version 2.5.0

Features

New task editor!

Enhancements

Improved syslog events
Improved hook submitted page that can now be white labeled with Markdown frontmatter
Task metadata can now be edited from the inventory page
Updated open-vm-tools to 10.3.10
Updated haproxy to 2.0.13
Updated hashicorp vault to 1.3.4

Breaking

Drop support for upgrades from version 2.2 and earlier.
Drop support for opus.* labels

Version 2.4.1

Fixes

Fix a deadlock that could occur when scheduling tasks for the same time.

Enhancements

You can now hide the splash screen on boot by holding left control.

Version 2.4.0

Features

Tasks can now be scheduled to run automatically
SMTP and Syslog support for tasks
Task inventory page
SAML support
API support

Enhancements

New sidebar that makes navigating to task activity easier
Notification disc when a task you own is running
You can now lock the console to prevent unauthorized access without using VSphere permissions
You can now see the roles users have on the Users page

Upgraded

PostgreSQL 12
Alpine 3.11

Version 2.3.2

Fixes

Speed up nested group membership for very large Active Directory deployments

Version 2.3.1

Fixes

Fix rare race condition between backend and private key server
Improve resilience of the appliance when a critical error occurs

Version 2.3.0

Features

Roles and granular permissions are now supported.

Enhancements

OVA image is now signed.
Nested AD group membership is now supported.
AD security groups can now be imported into the UI,
Improved page load speed when attaching to tasks.
New sidebar layout.
Improved data tables with filtering and ordering.

Fixes

You can now clone the appliance in VMWare.
Better handling of CSRF token.

Upgraded

PostgreSQL 11
Docker 19.03.4
Alpine 3.10
Golang 1.13

Version 2.2.1

Fixes

Relay and gateway will set the nobody account to never expire.
The admin tables will now show the correct number of rows.
Task tables will now correctly sort large numbers of rows.

Version 2.2.0

Features

Agent support. Run tasks on remote Docker servers (including Windows).
Added a reporting page for an overview of the appliance.

Enhancements

Better error messages when adding a Hashicorp Vault that is uninitialised or sealed.
Consistency pass on user interface.
Tasks now time out after 15 minutes by default. This is configurable with the ppa.run.timeout label.

Fixes

Performance improvements for large numbers of historical tasks.

Breaking

The password strength meter now only appears for a password input if you provide meter=true.

Known Issues

You will need to manually refresh in Chrome to see the updated user interface

Version 2.1.2

Fixes

API gateway now no longer uses invalid latin1 characters
API gateway now correctly returns 407 when not authenticated
Space remaining now reports the unit correctly

Version 2.1.1

Enhancements

You can now specify multiple hosts for active directory (comma separated).
The input table has a toggle for what was selected once submitted.
Enable Linux page poison to secure old page data

Fixes

Virtual machine will now correctly shutdown when triggered from VMware tools.
Virtual machine will automatically sync time with host on resume.
Self-signed certificate will not regenerate on reboot unless the IP or DNS settings have changed.
Users can now no longer submit an input after a task has failed.
UI will not time out if a task upload takes longer than 10 seconds.
The JWT used by the API will be regenerated after each reboot.
Fixed the input table reloading unnecessarily causing flickering.
Fixed large task upload in Chrome

Breaking

Loopback alias 172.16.123.1 has been removed.
Servername override in AD configuration removed. Insecure LDAPS certificates are no longer allowed.

Security

Remove axios dependency (fixes CVE-2019-10742)

Version 2.1.0

Updated

Update Linux Kernel to 4.19.37
Update containerd to 1.2.6
Update openssh-server to 7.9
Update vault to 1.1.2
Compile with Go 1.12.4

Enhancements

Add a range of syslog events in the CEF format.
Add a config page to upload licences and generate techouts.

Features

Add a CSV report of all tasks that have been run to the task history page.
Add 'Admin Login Groups' to the Configure Active Directory dialog.

Breaking

Remote support removed now beta has concluded.