Welcome to the PPA installation and configuration guide.
For ESXi or VMware Workstation you will need to download the PPA ISO.
Provision a machine with at least 2 CPU cores, 8GB of RAM, and a 40GB disk.
For production use we recommend 4 CPU cores, 16GB of RAM, and an 80GB disk.
Mount the ISO and boot the machine.
- Browse & install tasks from an external playbooks index
- Requests page for auditing, viewing, & responding to approval requests
- Editable network configuration via Config page
- Admin user password policy with lockout
- Reset admin user password via Config page
- Present task payloads in YAML format
- Restructure Config page to improve UX
- Show warning when task has a large number of revisions
- Add 'Update Plugins' button to Task Editor
- Allow admin user only access if Licence is invalid
- Allow users to edit Docker daemon config if required
- Improved cloud provider metadata probe to validate hostname
- Remove orphaned image records before migrating playbooks & images
- Task Builder should check that appliance services are ready before attempting to load default platforms
- Error reporting via email for tasks & schedules
- Added General tab to Task page for managing basic task metadata & revisions
- Removed 'metadata only' task revisions
- Improved download task dialog
- Draggable task cards
- Remove managed users when deleting the last configured sync group
- Re-synchronise users whenever a sync group is deleted
- More detailed LDAP error messages when importing users or groups
- Users page - show roles & permissions for synced users (who have not yet logged in)
- Task Builder - new 'when_any' & 'when_all' keywords
- Task Builder - warnings for deprecated language features
- Display task payloads correctly
- Migrate legacy formatted playbooks
- Allow users to re-attempt licence upload during setup
- Correct data for undeployed tasks on task reporting tab
- Removed Playbooks page
- New task event for revealing/copying secrets
- Added 'is not' operator to table filters
- Better errors for missing images when starting tasks
- Show correct values for 'Can Start Tasks' permission on delegations summary & report
- Fixed broken delegated users tooltip
- Fixed filtering by state on the Tasks page
- Agent sync errors should not disrupt agent initialisation on boot
- Handle special characters in task log file names
- Retention policy for task logs - delete permanently or push to an external SFTP server
- System event email notification subscriptions
- Bulk actions for dismissing or deleting system events
- Export delegations for deployed tasks only
- Added links to plugins documentation on Plugins page
- Improved User Sync logging and error reporting
- Failed schedule notifications
- Better handling for Object-Sid conflicts when importing users
- Ability to select which logs are included when downloading a techout
- Rename task logs to have readable file names
- Show previous label when deploying a task
- Added metadata flag to relevant playbook revisions
- Remove old files from /trash directory used by Postgres migration
- Meaningful errors when handling bad payloads from tasks for message/syslog
- OpenSSH 9.1
- Removed support for restoring deleted users
- Individual delegations for tasks & roles
- Downloadable task platforms to simplify playbook & plugin upgrades
- Self-destructive task events
- MFA for tasks
- Custom colours for task outputs
- Improved audit trail for task & role delegations
- Task specific reporting
- Exportable delegations reports
- Exportable combined Activity report
- Enable wait hook approval responders to provide a reason
- Added refresh button to page tables
- Tabbed tables export to multiple XLSX sheets
- Support for exporting all playbooks (YAML)
- More detailed filename for techout
- Removed support for playbook maintainer groups
- Removed build plugin functionality
- Removed PAM profile integration
- Fixed user/passsword task event
- Reinstated support for SAML authentication with Azure AD.
- Multi-factor authentication with TOTP for users.
- Ability to modify multiple records at once via the UI (Users, Groups, Tasks, Playbooks etc).
- Configurable session inactivity timeout.
- Reporting graphs showing average task activity over time (daily and hourly).
- Allow users to select which playbooks to install during initial deployment.
- Add a system event notification when the licence will expire in 30 days or less.
- Increase maximum size of task logs displayed in UI to 5000 lines.
- Require password for
sudocommands if set by support user.
- Removed support for SAML authentication.
- Allow users to re-submit Active Directory credentials if stored credentials are no longer valid.
- Change type filter on System Events table to use dropdown input.
- Task Insights reporting enables users to search task events for greatly improved auditing.
- New input/form task event supports grouped task input fields and enhanced validation.
- New input/date task event.
- Retain correct file modification time when creating a techout.
- Added controls for column hiding, row density, and enhanced search (additive filters) to data tables.
- Performance optimisations for task events data.
- Support Windows line endings when uploading certificates to PPA.
- Task Builder v3.x supports dynamic validation by identifying the latest supported platform for a given task.
- PostgreSQL 13
- Dropped support for editing tasks built with Task Builder v1.x.
- Better handling of database connections on User Sync errors.
- Update playbook task parser so that action output is saved correctly when using a for_each loop.
- Added support for automatically synchronising users from selected Active Directory groups.
- New input/checklist task event.
- Added default option to input/choice task event.
- Updated the Task Editor to use the Monaco editor.
- Improved input/table selected view.
- Added system event notifications for licence seats exceeded and licence expired.
- Improved session expiry handling so that users will not be logged out whilst editing a playbook.
- Changed handling of revisions deletion to eradicate socket timeout errors.
- Updated used credits calculation to account for expired credit licences.
- Updated Task Builder to support plugins with improved startup time.
- Add support for including playbooks bundle with the OVA (Active Directory Edition only).
- Improved validation for missing plugins that are not supported by the specified task platform.
- Handle badly formatted JSON error during licence setup.
- Show deploy option after a successful task upload.
- Improved export playbook functionality.
- Add health check for Task Builder service.
- Simplify System Events page styling.
- Better error handling when loading task images.
- Handle exceptions when processing sequences for tasks built using the Playbook Editor.
- Return error when importing a playbook with the same name as an existing task.
- Added a System Events page for viewing system event logs and warnings.
- Low disk space, low credits, and user authentication warnings are displayed on the System Events page.
- Added Management View to the Tasks page, and removed the Inventory page.
- Updated deployment setup wizard to include licence upload and Active Directory configuration.
- Enable users to select a trigger type when testing Tasks from the Playbook Editor.
- Improvements to Users, Groups, & Roles page tables providing additional context to data.
- PGP encryption key rotation.
- Gracefully handle starting a task when a user does not have the attach permission.
- Inaccurate metrics on the Reporting page when task volume is low.
Version 2.8.3 (Azure & AWS only)
- Use FQDN for wait hooks and API access from Tasks on Azure and AWS deployments.
- The maximum combined size for attachments in an email has been increased from 10MB to 25MB.
- Regenerate Osirium PAM secrets automatically.
- Add visual feedback when deleting revisions or tasks.
- Interacting with the PPA API from a task when using the FQDN.
- Delayed Start tasks allow users to create 'one-off' tasks that start after a period of time.
- Added Groups page for administration of Active Directory groups and PAM profiles.
- Enable administrators to select whether a user is authenticated via Active Directory or SAML.
- Date Picker task input.
- Removed auto enrolment and replaced with an Import Users dialog.
- Update user attributes for improved integration with Azure AD.
- Add checkbox option for overwriting plugins.
- Improved handling of email attachments.
- License verification accepts host or IP address.
- Tasks can access secrets from AWS Secrets Manager.
- API users can start tasks by name.
- Tasks can save result JSON for retrieval via API.
- Add version endpoint to API.
- Tasks can use Kerberos authentication to interact with remote Windows devices.
- Tasks can access secrets from Azure Key Vault.
- Tasks can send email attachments.
- Users can add extra files to a playbook.
- Improves performance of Inventory, Task Editor, and Task Events pages.
- Improves performance of Tasks, Activity, and Reporting pages.
- Support provision of SAML configuration Identity Provider metadata with file upload.
- Add support for multiple security group types in Active Directory config.
- Tag task images consistently.
- Do not grant user permissions to start tasks except via the UI.
- Move task logs into files.
- Add support for deleting and restoring users.
- Add a prompt for installing missing plugin versions when using the Task Editor.
- Add the ability to start a task with a payload from the Task Editor.
- Enable users to delete multiple task revisions in a single operation.
- Add support for sensitive files task event which obfuscates secret values.
- Enable user to configure key store for signing SAML requests via UI.
- Update Task Builder to include SVG graphs.
- Golang 1.15
- Linuxkit 0.8
- open-vm-tools 11.1.5
- Improve handling of reverse PTR records when configuring default Vault
- Fix clearing error codes in playbook metadata
- If the vault is failing to initialize, please set a FQDN (/var/disk/config/fqdn) that matches your reverse PTR settings.
- Tasks can now have multiple revisions. Test new task versions without disrupting your users.
- PPA will now prompt to unlock the built in vault on startup.
- PPA will autoconfigure the built in vault on initial deploy if required.
- New graph view for tasks that visualizes the steps a task will perform.
- Better blank states and help tooltips.
- API and schedules now require credits to run.
- Tasks will no longer block on outputs when unattended.
- The builder will now clean up intermediate build containers.
- You can now specify a task timeout in the builder metadata.
- New task editor!
- Improved syslog events
- Improved hook submitted page that can now be white labeled with Markdown frontmatter
- Task metadata can now be edited from the inventory page
- Updated open-vm-tools to 10.3.10
- Updated haproxy to 2.0.13
- Updated hashicorp vault to 1.3.4
- Drop support for upgrades from version 2.2 and earlier.
- Drop support for opus.* labels
- Fix a deadlock that could occur when scheduling tasks for the same time.
- You can now hide the splash screen on boot by holding left control.
- Tasks can now be scheduled to run automatically
- SMTP and Syslog support for tasks
- Task inventory page
- SAML support
- API support
- New sidebar that makes navigating to task activity easier
- Notification disc when a task you own is running
- You can now lock the console to prevent unauthorized access without using VSphere permissions
- You can now see the roles users have on the Users page
- PostgreSQL 12
- Alpine 3.11
- Speed up nested group membership for very large Active Directory deployments
- Fix rare race condition between backend and private key server
- Improve resilience of the appliance when a critical error occurs
- Roles and granular permissions are now supported.
- OVA image is now signed.
- Nested AD group membership is now supported.
- AD security groups can now be imported into the UI,
- Improved page load speed when attaching to tasks.
- New sidebar layout.
- Improved data tables with filtering and ordering.
- You can now clone the appliance in VMWare.
- Better handling of CSRF token.
- PostgreSQL 11
- Docker 19.03.4
- Alpine 3.10
- Golang 1.13
- Relay and gateway will set the nobody account to never expire.
- The admin tables will now show the correct number of rows.
- Task tables will now correctly sort large numbers of rows.
- Agent support. Run tasks on remote Docker servers (including Windows).
- Added a reporting page for an overview of the appliance.
- Better error messages when adding a Hashicorp Vault that is uninitialised or sealed.
- Consistency pass on user interface.
- Tasks now time out after 15 minutes by default. This is configurable with the
- Performance improvements for large numbers of historical tasks.
- The password strength meter now only appears for a password input if you provide
- You will need to manually refresh in Chrome to see the updated user interface
- API gateway now no longer uses invalid latin1 characters
- API gateway now correctly returns 407 when not authenticated
- Space remaining now reports the unit correctly
- You can now specify multiple hosts for active directory (comma separated).
- The input table has a toggle for what was selected once submitted.
- Enable Linux page poison to secure old page data
- Virtual machine will now correctly shutdown when triggered from VMware tools.
- Virtual machine will automatically sync time with host on resume.
- Self-signed certificate will not regenerate on reboot unless the IP or DNS settings have changed.
- Users can now no longer submit an input after a task has failed.
- UI will not time out if a task upload takes longer than 10 seconds.
- The JWT used by the API will be regenerated after each reboot.
- Fixed the input table reloading unnecessarily causing flickering.
- Fixed large task upload in Chrome
- Loopback alias 172.16.123.1 has been removed.
- Servername override in AD configuration removed. Insecure LDAPS certificates are no longer allowed.
- Remove axios dependency (fixes CVE-2019-10742)
- Update Linux Kernel to 4.19.37
- Update containerd to 1.2.6
- Update openssh-server to 7.9
- Update vault to 1.1.2
- Compile with Go 1.12.4
- Add a range of syslog events in the CEF format.
- Add a config page to upload licences and generate techouts.
- Add a CSV report of all tasks that have been run to the task history page.
- Add 'Admin Login Groups' to the Configure Active Directory dialog.
- Remote support removed now beta has concluded.