Okta Privileged Access Device Tools release notes

Learn about new features, enhancements, and fixes in the latest version.

See the Okta Support website for the list of supported operating systems with End of Life (EOL) dates.

Current release

Version: 1.99.7

Deployment date: January 21, 2026

Release summary

Client

  • When a user initiated a Remote Desktop Protocol (RDP) session from the web interface, the session sometimes failed to use the correct team context if the client was already authenticated to a different team.

  • RSA keys created for proxy commands now use a larger key size to improve security.

  • After upgrading the Okta Privileged Access client to version 1.95.0 or higher on Windows, the scp command failed to work as expected.

Previous releases

Version: 1.99.5

Deployment date: December 16, 2025

Release summary

Server Agent

  • Okta Privileged Access now supports Linux systems with shared home directories. Admins can now configure the Okta Privileged Access server agent to bypass provisioning the authorized principals file to a user's home directory, which eliminates log pollution issues on systems using the Network File System (NFS).

  • The new JITGroupMembership and JITAccount configuration options in the server agent allow admins to override the default JIT provisioning settings for group membership and account creation.

Version: 1.99.3

Deployment date: December 03, 2025

Release summary

Client

  • When enrolling a Microsoft Windows 11 client, the enrollment approval page incorrectly displayed the operating system as Microsoft Windows 10.

  • You can use the following sft command to reveal the password associated with an Active Directory account: sft ad reveal.

  • You can now use the --account flag to connect to your server account for SSH or RDP access.

Server Agent

  • Domain controller options were case-sensitive, which caused authentication errors when the DomainRole options didn't match the required case exactly.

Version: 1.98.1

Deployment date: October 08, 2025

Release summary

Client

You can use the following sft commands to list Active Directory domains and accounts:

  • sft ad list-domains

  • sft ad list-accounts

Server Agent

You can now run Okta Privileged Access server agent on Windows Domain Controller. Okta Active Directory integration (AD Agent) and the Okta Privileged Access Active Directory Accounts feature are required to manage the user credentials and to sign in to Domain Controllers with RDP. See Windows domain controller.

Version: 1.97.1

Deployment date: September 18, 2025

Release summary

The binaries for device tools are compatible with both Okta Privileged Access and Advanced Server Access.

Client

  • The sft list-accounts command, which was previously deprecated, has now been officially removed. Use the sft list-teams command instead.

  • The SFT client now adds the server name to the username when connecting through RDP using the Windows and FreeRDP clients.
Gateway

  • A bug in Windows 10 and Windows 11 was sending the wrong channel ID to Windows Server 2025. This prevented RDP through the gateway from working.

  • When you connect from a Windows 11 version 24H2 client to a Windows Server 2016, the connection may fail if a gateway is used. If a gateway isn't used, the RDP session may disconnect and reconnect several times before stabilizing.

Client

Server Agent

  • Digital signature verification has been added for all DLLs loaded from outside the trusted system paths.

Version: 1.95.0

Deployment date: August 27, 2025

Release summary

Client

  • A new client command flag has been added to filter access methods by the display name of the sudo bundle.

  • The sft winscp <servername> command got disconnected approximately every forty five seconds. To fix the issue you must update the Okta Privileged Access server agent.

  • When connecting from a Windows 11, version 24H2 to a Windows Server 2016, the RDP session may be immediately terminated or return an error. This is a known issue affecting RDP sessions.

  • Connection from a Windows 11, version 24H2 to a Windows Server 2025 server through Okta Privileged Access gateway is terminated immediately after being established. This is a known issue affecting RDP sessions.
Gateway

  • Local account discovery, synchronization, and group membership management are now disabled for hosts that are Windows Domain Controllers.

Version: 1.94.1

Deployment date: August 21, 2025

Release summary

This release has updates only for Advanced Server Access. See Advanced Server Access release notes.

Version: 1.94.0

Deployment date: August 13, 2025

Release summary

The following releases are now in Production:

Client

  • The --account flag has been deprecated and is now replaced by the --team flag.

  • The Okta Privileged Access client now supports RDP connections to Active Directory (AD) accounts on Windows AD servers managed by the Okta Privileged Access server agent.

  • All versions of the Okta Privileged Access client older than version 1.66.4 are no longer available for download.

  • The sft winscp command now supports selecting user access methods (UAMs) for Okta Privileged Access servers. This command disconnects and automatically reconnects every 30 seconds.

Version: 1.93.0

Deployment date: August 07, 2025

Release summary

The following releases are now in Production:

Client

  • macOS 15 is now supported in Okta Privileged Access client and MacFreeRDP client.

  • Windows 10 (22H2) and Windows 11 (22H2, 23H2, and 24H2) are now supported in Okta Privileged Access client.

  • The ssh config command didn't work correctly on Windows when paths contained spaces.

  • A vulnerability was resolved where it was possible for an external actor to inject false successful login events into the System Log without actually authenticating to a server.

  • The sft putty command now supports selecting user access methods (UAMs) for Okta Privileged Access servers.

  • Enhanced security for transferring RDP credentials from the Okta Privileged Access client to MacFreeRDP

  • The sft command no longer adds the server name to the username when connecting through RDP with Windows and FreeRDP clients.
Gateway

  • The SSH logs are now included in the Linux gateway server support bundle.

Version: 1.92.0

Deployment date: July 09, 2025

Release summary

The following releases are now in Production:

Client

  • The ScaleFT CLI now only accepts HTTPS URLs.

Server Agent

  • The timeout setting for SSH connections has been updated to address stale logins.

  • Server tools running on Windows will no longer enable or disable vaulted accounts. Customers with disabled accounts must enable them manually.

Clients

Server Agent

  • Windows Server 2025 is now supported in Okta Privileged Access.
Okta Privileged Access

  • Okta Privileged Access package versions on dist.scaleft.com/repos are now sorted by name and file version, with directories grouped.

Version: 1.91.0

Deployment date: June 25, 2025

Release summary

The following releases are now in Production:

Client

  • Okta Privileged Access users with admin privileges were incorrectly removed from the admin group during login.

  • When enrolling a client, the hostnames in the URLs now match the hostnames in the enrollment request.

Gateway

Server Agent

  • The support command didn't capture the sshd_config.d and ssh_config.d file logs.

Version: 1.90.0

Deployment date: May 29, 2025

Release summary

The following releases are now in Production:

Client

  • An invalid MFA URL was generated when attempting to SSH from a Linux server with the Okta Privileged Access (OPA) client installed. This specifically occurred when the connection required multi-factor authentication.

  • Support for using ssh.save_privatekey_passwords with the compat keyring on the Mac client is no longer supported.

  • Default keyring used to protect SFT state.json has been changed from compat to the system keyring.

Version: 1.89.1

Deployment date: April 23, 2025

Release summary

The following releases are now in Production:

Client

  • Updated MacFreeRDP to upstream FreeRDP version 3.14.1.

  • When the command sft fleet enroll --token-file <tokenfile> was run multiple times on the same client for the same team, the first attempt succeeded, but subsequent attempts resulted in an error.

Version: 1.88.0

Deployment date: February 19, 2025

Release summary

The following releases are now in Production:

Client

  • Users can now set a timeout for how long the system waits for confirmation of a failed connection before terminating the process. This timeout activates when an SSH connection is initiated.

  • Some sft secrets command didn't work correctly on Okta Privileged Access client version 1.87.0
Gateway

  • Removed the unsupported Okta Privileged Access gateway for Windows OS.

Client

Server agent

  • The sft support bundles now include /etc/sudoers and /etc/sudoers.d/* files.

Client

Server agent

  • Wscapi.dll files now load from the system directory with a valid signature.

Release notes retention policy

Okta maintains release notes online for a period of 12 months following a release.

Contact Okta Support to request archived documentation for releases outside this window.