Changelog

This page tracks the release history of Twingate. Visit our documentation for detailed instructions on Upgrading Connectors and Managed Windows Deployments.

Connector Real-time Logs & Metadata

Connector Real-time Connection Logs

We’ve added real-time network logging to the Connector to enable feeding this information directly into a SIEM system. Logs are output in JSON format and are identity-indexed, allowing you to link user identity directly to the resource that was accessed, the rule that allowed access, which device was used, and how much data was transferred. For more detailed information, please see our documentation.

Connector Metadata

We’ve augmented the Connector detail page in the Admin console to display additional information about each Connector. We now:

  • Report the Connector’s current version
  • Indicate if an update is available for the Connector
  • Display any custom metadata

See our documentation for information on setting custom metadata. We will be continuing to enhance the Connector information we provide over the coming weeks.

Minor Fixes and Improvements

Clients

  • Added NixOS distribution support in Linux 1.0.12.
  • macOS and iOS Clients are now available in the corresponding French Apple App Stores.

General

  • Improved the Twingate Universal 2FA experience by introducing a sliding window for code entry. This prevents user codes from being rejected just after the 2FA code transitions.

Device Trust & Visibility

Device Details

Twingate now displays information about all of your users’ devices across all platforms. This information is exposed in both the user detail page for an individual user and in the new Devices tab in the Admin console. At a glance, you are now also able to see what devices are connected to Twingate, detailed information about devices, and whether the device is trusted. This information can also be sorted, exported, and summarized in the Devices tab.

Over time we will be expanding the range of device information that we collect, both via the Twingate client application and from 3rd party integrations with MDM and EDR products our customers already have deployed. We will also be enriching our existing identity-based network analytics information with collected device information to continue to provide our customers with the most complete picture of network activity.

Devices running Twingate Clients of the following versions or later support sending device details to Twingate:

  • Windows 1.0.8
  • macOS 1.0.9
  • iOS 1.0.8
  • Android 1.0.11

Clients running prior versions of Twingate will be shown as a generic Device without additional details or metadata. We recommend that your users update to the latest version of the Twingate Client to take advantage of this and future functionality.

Trusted Devices

The Trusted Device functionality that we’re launching today is a very first step towards building a dynamic trust status. Admins are now able to mark devices as trusted, which allows defining Security Policies that take this status into account. This policy requirement can be enforced for any device, on any platform, and in any location with nothing but the Twingate client app required.

While this trusted/untrusted status is suitable for many scenarios where access must be restricted to known devices, we see this functionality as a fundamental building block for more nuanced policies in the future. We will soon be extending this concept to make device trusted status be conditional on a number of factors, including the destination resource that is being accessed, 3rd party reporting from MDM and EDR systems, and additional context collected from the Twingate client application itself.

Minor Fixes and Improvements

Clients

  • Modified the Client authentication flow so that users no longer need to click a deeplink notification to open Twingate and complete the authentication flow.
  • Improved the Admin console sign-in experience by allowing login directly from twingate.com.

Twingate Terraform Provider

Today we’re proud to release Twingate Terraform Provider 0.1.0, which is available now in Terraform’s Provider Registry. Many of our customers have fully standardized on Infrastructure-as-Code processes, and we’re pleased that they can now integrate secure zero trust access into these processes automatically using our Terraform Provider.

One of the major benefits of Twingate is that it allows you to decouple planning decisions around network infrastructure from user access. By deploying Connectors in any network segment where access is needed, it’s no longer necessary to route traffic between networks to accommodate the need for access. You can focus on managing and securing your network to best practices, knowing that access can be provided anywhere it’s needed.

We’ve gotten valuable early feedback on our Provider as we were developing it, and if you have any feedback once you’ve given it a try, we’d love to hear from you, too.

Security Policies

We’re excited to announce Twingate Security Policies, which is a new framework to help you manage access to Resources. This will enable you to apply more granular security rules to sensitive assets. For example, you may want to require 2FA, but only for users accessing billing systems with customer financial data.

Twingate has three types of Security Policies, which together protect access to your Twingate network. Different Policy types may have different rules available to them, depending on what is appropriate for the use case.

  • Resource Policies: These policies are applied to Resources at the time they are accessed by a user. Use these policies to apply extra security to more sensitive Resources on your Network. There is always one Default Policy which is applied to all new Groups by default. You can create additional Resource Policies in the Admin Console.
  • Network Sign In: This policy is applied to all users of Twingate when they attempt to log into the network. Users must fulfill the criteria in this Policy before attempting to access any Resources, even if those Resources have more permissive Security Policies than the Network Sign In policy.
  • Admin Console Sign In: This policy is only applied to Twingate administrators when they sign into the Admin Console. Admins do not need to sign into Twingate to access the Admin Console, so the Network Sign In policy is not applied here.

General Product Updates

  • Twingate now has a SOC 2 Type 2 report available on request from our team.

Minor Fixes and Improvements

Clients

  • Added Windows “Start on Login” support in 1.0.4.
  • Added support for unqualified DNS names on macOS 1.0.7 and Windows 1.0.5.
  • Fixes Sophos incompatibility issues on macOS 1.0.7.
  • Added support for Arch Linux in Linux 1.0.6.

Connectors

  • Improved the speed and resiliency of Connectors when switching between different Relay cluster regions.

Admin console

  • Added warning for admins when attempting to create multiple Resources with the same address.
  • Added ability to disable group sync for Google Workspace.
  • Added Universal 2FA support for non-IdP configurations.

Universal 2FA & Identity-indexed network flow logs

Universal 2FA

Today we’re launching native two-factor authentication to our Business and Enterprise customers, which will allow more fine-grained controls independent of your chosen identity provider and independent of the destination resource. We call this experience Universal 2FA because it can be applied to any type of resource with zero application changes.

One of the “wow” moments for our customers is using Twingate’s Universal 2FA to apply discretionary security levels to resources according to their sensitivity. For example, admins can ensure that users with production network SSH access are subject to an additional 2FA challenge. The lack of application changes, and flexibility to work with any protocol or resource, means that security changes can be made immediately. The user experience is also seamless, operating in-line with the user’s workflow thanks to Twingate’s transport-level network routing.

Identity-indexed network flow logs

Every network connection in your Twingate network is authenticated against a central IdP and authorized by security policies defined in Twingate. This means that, for the first time ever, our customers now have an identity-first view of their private network flows. All private traffic is always directly associated with user identity, including the authorization rule that allowed the connection, network path information, data volume transferred, and port details.

Identity-indexed network analytics make it straightforward to not only determine who accessed internal resources, but to quickly identify usage patterns, trends, and spot anomalous behavior. For forensic investigations, gone are the days of piecing together time-stamped network logs and IP addresses from disparate systems to try to understand a sequence of events. Identity ties all access information together, regardless of location, device, operating system, or network.
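The identity-indexed connection logs described here (and the JSON Connector logs for SIEM ingestion described earlier on this page) are what make per-identity aggregation and anomaly spotting practical. The following is an added example, not Twingate’s own code or log format: the field names (user, resource, rule, device, dst_port, bytes_sent, bytes_received, ts) are an assumed, constructed schema used only for illustration, and the five log lines are constructed sample data. It parses JSON-lines input as a SIEM feed would, summarizes transferred bytes per user and resource, and flags a connection that deviates from that same user’s own history (a device not previously seen for the user, or a transfer far above the user’s median).

```python
"""Aggregate constructed identity-indexed JSON connection logs per user.

Added example, not Twingate's code. The field names below (user, resource,
rule, device, dst_port, bytes_sent, bytes_received, ts) are an ASSUMED schema
for illustration only; consult the Twingate documentation for the real format.
"""
import json
from collections import defaultdict
from statistics import median

# Constructed sample log lines (JSON-lines), using the assumed schema.
SAMPLE_LOGS = """\
{"ts":"2021-09-01T10:00:01Z","user":"alice@example.com","resource":"billing-db","rule":"finance-team","device":"alice-mbp","dst_port":5432,"bytes_sent":1200,"bytes_received":48000}
{"ts":"2021-09-01T10:05:10Z","user":"alice@example.com","resource":"billing-db","rule":"finance-team","device":"alice-mbp","dst_port":5432,"bytes_sent":900,"bytes_received":52000}
{"ts":"2021-09-01T10:09:30Z","user":"alice@example.com","resource":"billing-db","rule":"finance-team","device":"alice-mbp","dst_port":5432,"bytes_sent":1100,"bytes_received":45000}
{"ts":"2021-09-01T23:40:02Z","user":"alice@example.com","resource":"billing-db","rule":"finance-team","device":"unknown-android","dst_port":5432,"bytes_sent":3000,"bytes_received":9800000}
{"ts":"2021-09-01T11:00:00Z","user":"bob@example.com","resource":"wiki","rule":"all-staff","device":"bob-win","dst_port":443,"bytes_sent":500,"bytes_received":20000}
"""


def parse_logs(text):
    """Parse JSON-lines input, skipping blank or malformed lines.

    A SIEM feed is rarely clean, so one bad line must not abort the batch.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize_by_identity(events):
    """Total bytes received per (user, resource): the identity-first view."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["resource"])] += e["bytes_received"]
    return dict(totals)


def find_anomalies(events, volume_factor=10):
    """Flag connections that stand out against the same user's own history.

    Two simple per-identity signals are used:
      - the device has not been seen before for this user, or
      - bytes received exceed `volume_factor` times the user's median so far.
    Each finding keeps the rule and device so an analyst can pivot on them.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort lexically
        seen_devices = set()
        volumes = []
        for e in evs:
            reasons = []
            if seen_devices and e["device"] not in seen_devices:
                reasons.append("new device")
            if volumes and e["bytes_received"] > volume_factor * median(volumes):
                reasons.append("volume spike")
            if reasons:
                findings.append(
                    (user, e["ts"], e["resource"], e["rule"], e["device"], reasons)
                )
            seen_devices.add(e["device"])
            volumes.append(e["bytes_received"])
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for (user, resource), total in sorted(summarize_by_identity(evs).items()):
        print(f"{user:22} {resource:12} {total:>10} bytes received")
    for finding in find_anomalies(evs):
        print("ANOMALY:", finding)
```

Both signals are deliberately computed per user rather than globally: a 10 MB pull from billing-db may be routine for one identity and exceptional for another, and that per-identity baseline is exactly what the logs’ user field makes possible.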

General Product Updates

  • You can now specify ports and ranges that are allowed as part of resource definitions. Any port restrictions are checked and applied before any traffic leaves the user’s device, meaning that traffic for disallowed ports will never enter your private network.
  • We now support group sync updates for Okta, OneLogin, Google Workspace, and Azure AD. SCIM is used for updates where supported by the identity provider.
  • We’ve updated our macOS and Windows clients to make them compatible with DNSFilter. You can read more about our partnership announcement on our blog.
  • The Connector provisioning workflow has been completely overhauled, and we now have pre-configured deployment scripts for Docker, Linux (via systemd), AWS EC2, AWS AMI, K8s (via Helm Chart), and Azure (via ContainerInstance).
  • ChromeOS is now an officially supported platform for Twingate clients, starting with Android/ChromeOS 1.0.5.

Minor Fixes and Improvements

Clients

  • Added correct handling of CNAME chains on bypass (non-protected) traffic.
  • Added “Start on Login” support in macOS 1.0.5.
  • Added native Apple M1 support in macOS 1.0.5.
  • Added performance improvements for any traffic that tends to send small packets (e.g. SSH).
  • Added ability for the macOS client to have its Twingate network name pre-configured via plist, which is useful for MDM/EMM deployments.
  • Added ICMP proxy support so that ping requests are correctly handled via both bypass and protected routes.

Connectors

  • Reduced overall Connector memory usage.