🚀 New Features
Reset User 2FA and management improvements
Administrators now have more control and visibility when managing user authentication.
Reset 2FA for individual users
Domain admins can reset 2FA directly from the user details page, user list sidebar, or the 2FA Status section. This is useful when users lose access to their device or need to reconfigure authentication.
- The user’s existing 2FA setup is removed
- A notification email is sent automatically
- An audit log entry is created
Web Portal > Administration > Users > Reset 2FA
Improved 2FA visibility in user management
- 2FA status is now displayed in the sidebar for newly created users
- User exports include detailed 2FA information, including status and enrolled methods (Phone, Email, TOTP, Passkey)
These updates make it easier to audit coverage and quickly identify users who are not yet protected.

Web Portal > Administration > Users > Columns (2FA, 2FA Email, 2FA Phone…)
Control 2FA methods
Administrators can now define which authentication methods users are allowed to register:
- Authenticator apps (TOTP)
- Passkeys
- Phone numbers

Web Portal > Administration > Settings > Security > Two-factor Authentication Methods
Disabling a method:
- Prevents new registrations
- Does not remove already registered devices
To fully remove a method already in use, disable it first and then reset 2FA for affected users.
2FA enforcement and fallback protection
We’ve strengthened how 2FA is enforced and added a fallback protection layer for accounts without 2FA.
Please note: A valid email address must be configured for the user, otherwise login cannot be completed.
Enforce 2FA
When Require 2FA is enabled:
- Users must enroll in at least one 2FA method before login completes
- The Turn OFF 2FA button is disabled for affected users
- Users can still manage their existing methods
Email verification for non-2FA users
A new server/domain/user level setting, “Require email verification (non-2FA configured)”, adds protection for users who do not yet have 2FA.
When enabled:
- Users without 2FA receive a one-time code at login
- No setup or additional app is required
- Once users enroll in 2FA, this step is no longer used
This ensures all accounts have at least a second layer of protection.
Audit 2FA
Audit logs
- New audit events track 2FA email lockout scenarios
- 2FA reset actions are fully logged for traceability

Web Portal > Administration > Settings > Security > Two-factor Authentication Methods
Tag Manager
A new Tag Manager page was added where users can view and manage all their computer tags in one place. Tags are listed with columns showing whether each tag is in use or unused, making it easy to identify and clean up stale tags. Tags can be sorted by usage and bulk deleted directly from the list. Removing a tag also removes it from any owned computer connections. Tags from shared computers also appear in the All Tags dropdown.

Web Portal > Computers > All Tags (dropdown) > Manage Tags > Computer Tags
In the All Tags dropdown, search uses full-text matching, so typing any part of a tag name returns results. For example, typing pharmacy will find the windows-pharmacy-london tag.
Tags can be deleted when they are owned by the user, or when they belong to a computer in a group where the user has computer manager or group admin role. Tags on computers shared with connect-only permission are visible in the list but cannot be deleted.
License usage history and reporting
License usage is now tracked over time and available through a new License Usage report on the Reports page. The report shows key metrics such as maximum license usage, connection counts, new session counts, and license limit hits, with support for server-wide or per-domain views, as well as hourly and daily aggregation. Data can also be exported for further analysis.
Access is permission-based: “View/control server sessions” allows full visibility across all domains, while “View/control domain sessions” limits access to the user’s own domain.
Password block list upgrade
The built-in password block list used to reject weak or compromised passwords has been significantly expanded, growing from around 40,000 to roughly 10 million entries sourced from widely known leaked password datasets. Users attempting to set a common or previously exposed password will now have it rejected, while passwords not on the list remain accepted.
Administrators can still override the default list by providing a custom password_blocklist.txt file in private storage.
SSL: External Account Binding and certificate lifecycle improvements
The SSL module now supports External Account Binding (EAB), which is required by some commercial certificate authorities. EAB links the ACME account to a CA account using a Key ID and HMAC key, both provided by the CA.
Additional improvements to the certificate lifecycle: the ACME client private key is now persistent across certificate actions (install, renew, revoke) instead of being regenerated each time. Certificate expiry warning emails are now only sent in the last 14 days before expiry, since certificates managed by the SSL module are automatically renewed at the one-third validity mark. Previously, expiry emails were sent just before auto-renewal triggered, causing unnecessary alerts.
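The binding described above, as an added example (not ISL's code): RFC 8555 section 7.3.4 defines the EAB object as a JWS over the ACME account public key, MACed with the CA-provided HMAC key, so it is valid only for that one account key. The Key ID, HMAC key, JWK values and URL below are constructed samples.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(hmac_key: str, protected: str, payload: str) -> bytes:
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()


def build_eab(key_id, hmac_key, account_jwk, new_account_url):
    """Client side: JWS over the ACME account public key, MACed with the CA-issued key."""
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}  # EAB carries no nonce
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(hmac_key, protected, payload))}


def verify_eab(eab, key_id, hmac_key, account_jwk, new_account_url):
    """CA side: accept only if the header, the bound account key and the MAC all match."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header != {"alg": "HS256", "kid": key_id, "url": new_account_url}:
        return False
    if json.loads(b64url_decode(eab["payload"])) != account_jwk:
        return False
    expected = _mac(hmac_key, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


# Constructed sample values, not real credentials, keys or endpoints.
KEY_ID = "kid-constructed-0001"
HMAC_KEY = b64url(b"constructed-demo-mac-key-32bytes")
NEW_ACCOUNT_URL = "https://acme.example/new-account"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}
ROTATED_JWK = dict(ACCOUNT_JWK, x="b3RoZXIteA")  # stands in for a regenerated account key

EAB = build_eab(KEY_ID, HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
```

Verifying `EAB` against `ROTATED_JWK` fails, which shows that the binding covers one specific account key.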
ISL Meeting: session controls and improvements
ISL Meeting is now the default meeting application on web portal and is no longer marked as beta. The primary “New Meeting” button opens ISL Meeting in a new window, and the Reports dashboard shows a single “Meetings” tile for ISL Meeting sessions.

Web Portal > Meetings > New Meeting / Meeting Table > Meeting
A new “Default meeting application” setting is available under Server Administration (/conf) Settings > ISL Meeting > Basic, allowing administrators to choose between ISL Meeting and the legacy ISL Groop. When set to “ISL Groop (legacy)”, the interface reverts to the previous options, including multiple meeting types and separate report tiles for Groop and ISL Meeting. If the ISL Meeting module is not installed, the system automatically falls back to legacy behavior.
Several improvements were made to the meeting experience for both hosts and participants.
- Chat design: message bubbles were updated with a new visual design.
- Host controls: hosts can now control feature access for all attendees from a new Host Controls sidebar. Permissions for microphone, camera, screen sharing, and chat can be set when creating a meeting and adjusted in real time. If a permission is removed while a user is actively using that feature, it is disabled immediately.
- License usage: ISL Meeting sessions now consume ICP licenses, with usage assigned to the host. The first 2 participants use 1 license, and each additional participant consumes an additional license. License usage is visible on the Clients page and in the License Usage (ICP) view, where all licenses for a meeting are grouped together and can be ended at once. If no licenses are available, hosts cannot start a meeting.
- Participant limit: Each meeting supports a maximum of 10 participants. When the limit is reached, additional participants receive a “Meeting is full” message and cannot join.
- Side stream paging: side streams are now paginated instead of scrollable. Streams not currently visible are limited to audio only, reducing bandwidth usage. Video is loaded only for visible streams, with full quality reserved for the spotlight.
ISL Meeting: Cloudflare Realtime SFU support
Cloudflare Realtime SFU is now supported as an alternative streaming backend to Galene. The backend is selected based on server configuration. Cloudflare credentials are stored server-side and never exposed to the browser, and all API calls are proxied through ICP to ensure a consistent experience regardless of the backend in use.
Additional improvements were made to SFU performance and stability. Meetings with multiple participants toggling cameras on and off could previously become slow to respond, with delays as participants joined or changed streams. SFU behavior has been optimized so that video routing no longer blocks meetings and streams are not prepared for participants who are not actively sending audio or video. This results in improved responsiveness and overall meeting stability.
TCP TURN server support
The ISL Light module now supports ICE servers using TCP protocol. TCP TURN connection usage is also included in stats reporting.
Mail send throttle
Email sending is now rate-limited to prevent abuse. Separate limits apply per IP address, per recipient email, and for system/integrator emails. The throttle period and limits are configurable in server settings, and tracking can optionally be enforced GRID-wide.
reCAPTCHA score and reason code blocking
Web API requests protected by reCAPTCHA can now be automatically rejected based on a minimum score threshold or a list of specific reason codes. Two new settings were added under the reCAPTCHA category: Reject requests with score and Reject requests with reason codes.
Database writes statistics logging
The number of database writes (insert, update, delete) is now periodically logged. The flush interval is configurable via the Database writes statistics logging interval setting. Setting the interval to 0 disables logging.
SSL management moved to /conf
SSL pages are now available under Server Administration (/conf) via the new “SSL Certificate” button, including deployments using the SSL module.
The separate /users/ssl page is no longer available. As part of this change, the “User can create SSL certificates” permission has been removed from Security settings. SSL module operations are now handled exclusively through the administration interface and require administrator access.
Backup pages moved to /conf
Backup management has been moved from user pages to Server Administration (/conf) scope. Backups are now available under Configuration via the “Backups” button. The separate /users/backup page is no longer available.
As part of this change, the “User can create backups” permission has been removed from Security settings. Backup operations are now handled exclusively through the administration interface and require administrator access.
Content Security Policy, Permissions Policy and X-Frame-Options improvements
CSP and Permissions Policy now support per-path configuration. Different policies can be applied to different URL path prefixes, with top-to-bottom matching. Existing single-policy configurations continue to work without changes.
The Content Security Policy setting now has three modes: None, Report only, and Enforce (default). The same applies to the Permissions Policy setting. Policy violations are reported to the internal reporting API and logged.
The Disable framing of web pages setting was renamed to HTTP header X-Frame-Options mode with three options: None, Enforce with SAMEORIGIN (default), and Report use of frames.
The default CSP value was also updated to remove blob: from script-src, tightening the default security posture.
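With top-to-bottom prefix matching, rule order decides which policy a path receives, and a broad prefix placed early silently overrides more specific rules below it. The following added example (not the product's code or configuration syntax) models that behaviour and audits a rule list for it. The `(prefix, mode, policy)` tuple format, plain string-prefix matching and the sample rules are assumptions made for illustration.

```python
HEADER = {
    "enforce": "Content-Security-Policy",
    "report-only": "Content-Security-Policy-Report-Only",
}  # mode "none" sends no header

# Constructed rule list in a hypothetical (prefix, mode, policy) form.
# Assumes plain string-prefix matching, so "/conf" would also match "/config".
RULES = [
    ("/conf", "enforce", "default-src 'self'; script-src 'self'"),
    ("/", "enforce", "default-src 'self'; script-src 'self' blob:"),
    ("/users/legacy", "report-only", "default-src 'self'"),
]


def select_header(rules, path):
    """Return (header name, policy) from the first rule whose prefix matches."""
    for prefix, mode, policy in rules:
        if path.startswith(prefix):
            return (HEADER[mode], policy) if mode in HEADER else None
    return None


def shadowed(rules):
    """Rules that can never match because an earlier prefix already covers them."""
    found = []
    for i, (prefix, _, _) in enumerate(rules):
        for earlier, _, _ in rules[:i]:
            if prefix.startswith(earlier):
                found.append((prefix, earlier))
                break
    return found


def script_src_allows_blob(policy):
    """True if the effective script source list (script-src, else default-src) has blob:."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    sources = directives.get("script-src", directives.get("default-src", []))
    return "blob:" in sources
```

In the sample list, the `/users/legacy` rule is never reached because `/` precedes it, and the `/` policy still carries `blob:` in `script-src`, which the updated default no longer includes.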
ISL AlwaysOn: connection options blocklist
Administrators can now specify a list of ISL AlwaysOn start option keys that should be hidden from the client. When configured, listed keys are filtered out of the options info returned to the client without being removed from storage. Useful for restricting which connection options are visible or accessible to end users.
ISL Light v5 version selector
The ISL Light Client version selector was updated to include v5 and now works as a boost rather than a filter. This means if v5 is incompatible with the client OS version, earlier versions are still available as a fallback. The v3 tag now applies only to 32-bit Windows programs. Version filtering can still be forced using isl_light_v3=1 or isl_light_v5=1.
Integrator: session tagging and new webapis
ISL Light sessions are now tagged with the integrator key of the user or domain that started the session. A new webapi allows integrators to query their own ISL Light session history filtered by time range with pagination support. A separate webapi allows integrators to query ISL AlwaysOn computer info for computers tagged with their integrator key.
A new integrator call was added to create integrators with a domain-scoped key. Empty key ID values in JWT requests are now automatically rejected without querying the database.
TLS 1.2 cipher tracking
TLS 1.2 connections are now split into two categories. Connections using stronger ciphers are counted as “TLS 1.2 (v2)”, while those using older or weaker ciphers remain under “TLS 1.2”, making it easier to identify less secure clients.
Connection log entries for “computer is online”, “supporter logged in”, and “session started” now include the TLS version and cipher used by the connecting client. For sessions, both the desk and client side are reported.
OpenSSL 3.0.21
OpenSSL has been upgraded to version 3.0.21.
PostgreSQL 16.13
PostgreSQL has been upgraded from version 16.8 to 16.13.
Go 1.26.3
Go has been upgraded to version 1.26.3.
Galene 1.0
Galene has been upgraded from version 0.9.1 to 1.0.
🐞 Bug Fixes
Main account could not log in with password when SSO was enabled on its domain
When SSO was configured on a domain, the main account was redirected to the identity provider instead of being allowed to use username and password login. An additional check was added so the main account can always log in with credentials regardless of domain SSO settings.
iPadOS join page offered macOS installer instead of iOS app link
Joining an ISL Light session from Safari on iPadOS routed to the macOS .dmg installer instead of the iOS app. iPadOS Safari defaults to requesting the desktop site and reports a macOS user agent, causing platform detection to misclassify the device as a Mac. The join page now detects touch-capable devices and correctly routes iPadOS users to the iOS app.
Deleted ICP files reappeared after server reconnect
Files deleted on ICP could reappear when a server that was offline or out of sync reconnected. The file synchronization algorithm was redesigned to track deletion confirmations across all servers in the GRID. Deleted file metadata is retained for 14 days to ensure all servers sync the deletion before cleanup.
Granted to and Owned by filters could not be changed on the Computers page
The Access granted to and Owned by filter dropdowns on the Computers page did not update correctly when switching between filter types. The filter state handling was corrected.
Computer action status did not return new events between calls
When polling action status on the web page, the events field was not updating between calls, so only the initial events were returned, which could lead to actions failing or requiring additional authentication attempts. The events field is now correctly updated, and each call returns only new events since the last query.
Uptime calculated incorrectly for machines running more than 48 days
The uptime counter overflowed for machines with an uptime longer than approximately 48 days. Switched from GetTickCount to GetTickCount64 to handle any practical uptime correctly.
Graceful GRID connection handling fix
File transfers between GRID servers previously generated misleading warning-level “grid connection down” log entries, and uploads to remote server storage via the configuration page could result in empty files. This has been redesigned so that file transfer connections now close gracefully, are logged at the correct notice level with proper server identification, and remote uploads preserve file contents correctly. The issue is no longer reproducible.
Domain delete check failed when domain had no users
In previous versions, attempting to delete a domain that contained no users would fail during the required actions check, preventing the domain from being removed. This was redesigned, and empty domains can now be checked and deleted as expected. The issue should no longer be reproducible.
Guest display name not shown in meeting remote control request
The remote control request dialog in a meeting showed an internal guest ID instead of the guest’s display name. The dialog now uses the resolved display name.
“Log in with browser” option missing from Try another way dialog
The Log in with browser option was not shown in the Try another way login dialog view. It is now included alongside other available login methods, with its visibility still controlled by the Allow “Log in with browser” in native applications permission.
Other fixes and improvements
Bug fixes, security updates, missing translations, and other general improvements.




















