Routing policy naming is now more flexible, and directory sync status messaging now gives partners clearer, more accurate guidance during sync activity. These updates help keep the ControlOne portal easier to manage while reducing uncertainty during identity provider syncs.

What's New

• Rename routing policies in the ControlOne portal to better match naming conventions across your environments. Cytracom-managed policies remain protected and cannot be renamed.
• Identity provider directory sync messaging now reflects more accurate status throughout the sync process. Status updates reflect realistic timing and clearly indicate that it is safe to navigate away while a sync continues.

Why You'll Love It

Routing policy renaming makes it easier to keep environments organized as they grow and evolve rather than working around fixed policy names. Clearer sync messaging reduces guesswork during directory syncs, so partners can move on with confidence rather than wondering whether a sync is still progressing normally.

How to Access It

These updates are live now in the ControlOne portal and are automatically enabled. No action is required.

ControlOne now gives partners direct influence over fail-open behavior, helping MSPs tune resiliency settings to match each site's connectivity and uptime needs. Hardware node visibility in the admin portal makes it easier to identify shared infrastructure issues when multiple agents degrade at the same time. A refreshed interface across key reporting and admin pages rounds out the release with a cleaner, more consistent portal experience.

What's New

• Fail-open settings are now configurable at the bridge and tenant levels. Partners can set probe intervals, failure thresholds, success thresholds, probe timeout, and a hold-down timer that prevents fail-back until full health is confirmed.
• A custom HTTP health check endpoint can also be configured for sites with non-standard connectivity requirements, giving partners additional flexibility in how health is verified.
• The admin portal now shows which hardware node each agent gateway and aggregator is running on. Shared hardware issues are easier to spot when multiple agents show degraded or retrying states at the same time.
• Reporting and admin pages now use the modern ControlOne theme and table component. The Events, Sessions, and Bridge Inventory pages, along with additional admin and reporting pages, have been updated to match the current portal design.

Why You'll Love It

Configurable fail-open settings make it easier to tune ControlOne's resiliency behavior to match the uptime requirements of each site rather than relying on fixed system defaults. The hold-down timer helps prevent connections from oscillating during marginal connectivity, so clients stay on a stable path rather than repeatedly switching states. Hardware node visibility removes a manual correlation step during outages, helping partners and support teams get to the root cause faster. The refreshed portal pages reduce visual friction during routine work, making it easier to move through reports and admin tasks without the context shifts caused by mixed UI generations.

How to Access It

These features are live now and are automatically enabled. No configuration is required to see hardware node identifiers in the admin portal or to access the updated portal pages. Fail-open configuration settings are available at the bridge and tenant levels in the ControlOne admin portal.

Configurable fail-open triggers give partners more control over how bridges respond to service disruptions, with customizable health checks and recovery settings that can be tailored to each client environment.

What's New

• Configure fail-open behavior with customizable probe intervals, failure thresholds, recovery thresholds, probe timeouts, and hold-down timers.
• Define custom HTTP health-check endpoints to check service availability using a specific web address. Probes follow redirects automatically and count the destination as healthy only when it returns a successful 2xx response, such as 200 OK.
• Apply fail-open settings at the bridge level for granular control or at the tenant level for more consistent behavior across environments.

Why You'll Love It

• Adjust fail-open behavior to match each client environment rather than relying on fixed defaults.
• Reduce unnecessary switching between fail-open and normal operation with more controlled recovery behavior.
• Get more precise visibility into service availability with targeted health checks.

How to Access It

• Fail-open settings. Open the ControlOne Portal and select a bridge or tenant to configure fail-open settings, including probe intervals, thresholds, and custom endpoints. This feature is currently available in Early Access. Contact your Cytracom representative to request access.

ControlOne now helps you stay ahead of issues with proactive alerts for offline connectors and sites, self-service executive reports you can generate on demand, and more flexible static routing for complex network environments.

What's New

• Global Alerts for connectors and sites are now available. Receive automatic email notifications when a connector or site stays offline beyond your configured threshold, and another notification when it comes back online.
• Global Alerts batches multiple connector state changes into a single email to reduce noise.
• A centralized Global Alerts Settings page lets you configure recipients, thresholds, and notification behavior in one place.
• Executive Reports are now self-service. You can generate, download, and share professional PDF reports for network security posture and endpoint inventory directly from a dedicated page in the ControlOne portal.
• Static routing now supports /32 host routes and overlapping destination networks. Existing routes remain unchanged.
• Executive Reports includes usability improvements such as clearer descriptive text, knowledge base links, bold table headers, and a date picker limited to the last two years.
• Global Alerts includes clearer labels, contextual descriptions for each alert type, and a "Learn more" link to the knowledge base.
• A new "Learn more" link next to the Early Access opt-in section makes it easier to explore upcoming features and understand how to participate.

Why You'll Love It

Global Alerts helps you respond faster by notifying you when connectivity issues occur, rather than relying on someone to notice a dashboard change. Executive Reports makes it easier to generate polished documentation for customer reviews, compliance conversations, and internal reporting without waiting on another team. More flexible routing support also removes previous limitations for overlapping subnets and complex multi-site environments, so you can manage traffic paths with greater precision.

How to Access It

Most features are available now and are automatically enabled.

• Executive Reports. Open the Executive Reports page in the ControlOne portal to generate and download reports.
• Global Alerts. Open the Global Alerts Settings page to add recipients, enable Site Alerts and Connector Alerts, and set offline thresholds.
• Static routing enhancements. Available now in static route configuration. Existing routes are preserved.
• Early Access features. Use the "Learn more" link in the portal's Early Access section for details on participation.

1:1 outbound NAT for IPSec connectors expands deployment flexibility for more complex network environments. Global Status accuracy improvements make outage conditions easier to trust at a glance, and Global Alert Settings provide a centralized way to manage alerting behavior across environments. Admins also gain per-agent release channel overrides, plus bug fixes that improve responsiveness and reporting clarity.

What’s New

• IPSec connectors now support 1:1 outbound NAT, enabling more predictable source mapping for customer environments that require outbound address translation.
• Global Alert Settings add a centralized way to configure alerting behavior across your environment, improving consistency for operational notifications.
• Per-agent release channel overrides allow admins to assign a specific release channel to an individual agent when targeted testing or staged rollouts are needed.
• Global Status data quality improvements better align Global Status page results with real-time outage conditions, improving confidence in what the page reports.
• Bridge assignment views now respond more reliably, improving usability when reviewing or updating assignments.
• Device posture check failure summaries now display clearer failure reasons in reporting, improving troubleshooting and audit readiness.

Why You’ll Love It

Expanded NAT options reduce networking workarounds when deploying IPSec in environments that need strict outbound mapping. Centralized alert settings and improved Global Status accuracy make it easier to monitor service health and respond quickly when issues occur. Release channel overrides support more controlled rollouts, and the UI and reporting fixes reduce time spent waiting on pages to load or digging for the real reason a device failed posture requirements.

How to Access It

• 1:1 outbound NAT for IPSec connectors, Global Alert Settings, Global Status improvements, and per-agent release channel overrides are available now.
• The bridge assignment responsiveness and reporting failure summary fixes are included in this release.

Advanced IPSec connector options add the flexibility needed for more complex network designs, including broader Phase 2 selector support and configurable NAT mappings. The macOS agent also adds macOS Tahoe device posture check support, along with usability and analytics improvements for a more consistent day-to-day experience.

What’s New

• IPSec connectors now support custom local subnet input for NAT scenarios, improving flexibility for non-standard internal networks.
• IPSec connectors now support a 0.0.0.0 Phase 2 selector, making it easier to deploy in environments that require broader selector definitions.
• IPSec connectors now support bidirectional NAT mappings to better accommodate routed and policy-based IPSec configurations.
• The macOS agent now supports macOS Tahoe device posture checks, improving compatibility with newer macOS environments.
• Analytics reliability and maintainability improvements reduce noise and improve overall telemetry consistency.
• The macOS agent now keeps the app window positioned correctly across multi-monitor setups.

Why You’ll Love It

More flexible IPSec NAT and Phase 2 selector options reduce deployment friction in complex customer environments and help avoid one-off configurations. macOS updates keep device posture checks current with the latest OS releases, while improved multi-monitor behavior makes the agent easier to use for people who regularly switch between displays. Reliability improvements to analytics also help teams trust what they see when reviewing device and connection signals.

How to Access It

• Advanced IPSec NAT configuration is available now for IPSec connectors.
• macOS Tahoe device posture check support and the multi-monitor window behavior improvement are available in the latest macOS agent build.

Advanced NAT options for IPSec connectors make it easier to support complex customer networking requirements without one-off configurations. Device Posture Check (DPC) now supports macOS Tahoe, and the macOS agent window placement update improves usability for multi-monitor setups.

What’s New

• IPSec connectors now support bidirectional NAT mappings, expanding flexibility for routed and policy-based network designs.
• IPSec connectors now support 0.0.0.0 in Phase 2 configuration, simplifying deployments that require broader selector definitions.
• IPSec connectors now allow custom local subnet input, improving support for environments that do not use standard local subnet defaults.
• Device Posture Check (DPC) now supports macOS Tahoe (macOS 15), improving compatibility for customers on newer macOS versions.
• The macOS agent now opens on the monitor nearest the user’s cursor, rather than always defaulting to the primary display.

Why You’ll Love It

Advanced IPSec NAT options reduce deployment friction in complex customer environments and help avoid special-case configurations when NAT mappings, selectors, or non-standard subnets are required. macOS updates keep posture checks up to date with the latest OS releases, and improved window behavior makes day-to-day use smoother for people working across multiple displays.

How to Access It

• Advanced NAT configuration is available now for IPSec connectors.
• macOS Tahoe DPC support and the multi-monitor window placement improvement are available in the latest macOS agent build.

Policy-based routing now supports fully qualified domain names (FQDNs), making it easier to route traffic based on the destinations customers actually use. Device Posture Check (DPC) presets and global policy templates help standardize posture and agent settings across customers, endpoints, and zones without repetitive setup. Additional reliability updates improve licensing defaults, platform resiliency, reporting accuracy, and agent connectivity.

What’s New

• Policy-based routing now supports full FQDN matching for bridges and agents, expanding routing flexibility without relying on static IP lists.
• DPC presets are now available, making it faster to apply standardized posture policies without manual, per-policy setup.
• DPC templates now support global, reusable posture policy templates that can be created once and applied across customers, endpoints, and zones.
• Agent Control Policy templates now support global, reusable agent settings that can be created once and applied across customers and endpoints.
• Onboarding now disables auto-license assignment by default, reducing friction during initial setup.
• The platform now recovers more reliably from bridge tunnel configuration inconsistencies, reducing provisioning risk during drains and migrations.
• DNS static records now support underscores, improving compatibility with common naming patterns.
• Agent status indicators now display consistently across portal pages, reducing confusion during troubleshooting.
• Reporting exports now align blocked versus allowed status correctly for security information and event management (SIEM) workflows.
• Reporting now consistently displays blocked events with the correct red indicator.
• Authentication sessions are now more reliable by preventing cases where users appear signed in but cannot reconnect due to expired refresh tokens.
• Windows agents now block IPv6 traffic while connected, preventing IPv6 bypass scenarios.

Why You’ll Love It

FQDN-based routing reduces maintenance overhead by allowing policies to follow real-world destinations rather than shifting IP ranges. Presets and global templates help teams quickly standardize posture requirements and agent settings across many customers, improving consistency without repetitive configuration work. The stability and reporting fixes reduce troubleshooting time, improve confidence in enforcement and reporting signals, and remove common friction points in onboarding and daily operations.

How to Access It

• Policy-based routing with FQDN support is available now. Learn more: https://help.cytracom.com/hc/en-us/articles/35438291924493-ControlOne-Policy-Based-Routing
• DPC templates and Agent Control Policy templates are available now. Learn more: https://help.cytracom.com/hc/en-us/articles/42436217059469-ControlOne-Global-Policies-Overview-Configuration-Guide
• DPC presets are available now. Learn more: https://help.cytracom.com/hc/en-us/articles/42232146859149-Cytracom-ControlOne-Configure-DPC-process-presets-in-Device-Posture-Policies

This update refines existing onboarding workflows, improves customer list accuracy in the portal, and restores expected behavior when entering larger network ranges in firewall rules. These enhancements help partners complete setup tasks more efficiently and reduce noise in day to day administration.

What’s New

• Initial Bridge setup and configuration now follows a more guided and predictable flow. The Bridge section stays open during setup, Available and Assigned panes are easier to interpret, and a modal helps admins create a Site and automatically assign the selected Bridge. The Site creation dropdown also distinguishes Assigned and Available Bridges and can auto assign an available Bridge when confirmed.
• Deleted tenants no longer appear in portal drop down lists, keeping customer navigation focused on active environments.
• The UI now accepts larger subnets and IP ranges in firewall rules and address groups. Entries save correctly and no longer require workarounds when configuring broader networks.

How to Access It

These enhancements are live now in ControlOne.

Summary

This update adds versioned release tiers for the ControlOne Desktop Agent: Beta, General Availability (GA), and Long-Term Support (LTS). Partners now have more control over when and how new versions roll out. It also improves Teleport for partners using the Unity platform by honoring the Unity MFA code instead of requiring a separate ControlOne code for authentication. Endpoint performance on Windows and macOS has been improved by fixing high background CPU usage in recent ControlOne Agent versions.

What’s New

• Partners can now choose when and how updates are deployed through defined release tiers: Beta, General Availability (GA), and Long-Term Support (LTS). This gives greater visibility into the state of each release and more control over which version is applied to each customer. For example, partners can restrict a customer to LTS to receive only essential security updates and fewer feature changes, or assign power users to Beta for immediate access to new capabilities and the opportunity to share feedback with developers.
• For partners using the Unity platform, Teleport now honors the Unity MFA code instead of requiring a separate ControlOne code for authentication.
• The Agent’s background performance has been improved by fixing an issue that caused the app to use more CPU than expected when idle.
  
  

Why You’ll Love It

Defined release tiers give partners meaningful control over how updates reach their customers. You can align each tenant to the release cadence that best fits their needs, choosing between Beta for early adopters, General Availability for standard rollouts, or Long-Term Support for customers who prioritize stability. This flexibility simplifies update planning, reduces risk, and builds confidence in the update process.

This release also resolves two issues: Teleport now correctly honors Unity MFA for partners using the Unity platform, and the ControlOne Agent’s background CPU usage has been reduced to restore normal performance levels.

How to Access It

These updates are available now for Windows and macOS.

• Release tiers (Beta, GA, and LTS) can be managed in the Unity Admin Portal under Agent Settings.
• Step-up verification is automatically available for Unity users once the feature is enabled in their environment.
• Review the detailed Knowledge Base release notes here: https://help.cytracom.com/hc/en-us/articles/40018181149581-ControlOne-Managing-Agent-Updates-and-Automatic-Upgrade-Settings