CloudBees Jenkins Operations Center Enhanced Security Policy Available in 1.7.109 / 1.8.19

Just a quick post to say that we have consolidated and enhanced the security policy portion of the client controller security setting enforcement provided by CloudBees Jenkins Operations Center:

You can now force connected controllers to mirror the CJOC configuration for:

• Cross Site Request Forgery protection

• Markup formatter settings

• Remoting channel (used by build agents, the Jenkins CLI and CJOC to controller communication) security settings

• Remember me functionality (e.g. if there is a corporate policy to disable remember me functionality)

• Metadata download settings

If you want to be able to configure the policy you need to ensure the following:

• If your CJOC server is running the 1.7 release of CJOC you need to ensure on your CJOC server that the operations center server plugin has been upgraded to at least 1.7.109 (if you are upgrading from a version less than 1.7.100 then you will also need to ensure all operations center plugins are upgraded to at least 1.7.100 as for CJOC you must be either all below 1.7.100 or all above 1.7.100)

• If your CJOC server is running the 1.8 release of CJOC you need to ensure on your CJOC server that the operations center server plugin has been upgraded to at least 1.8.19

The policy will only be enforced on connected controllers that are running a version of the operations center client plugin that enforces the policy:

• If your connected controller is running the 1.7 line of operations center plugins, you need to ensure on that connected controller that the operations center client plugin has been upgraded to 1.7.109 (if you are upgrading from a version less than 1.7.100 then you will also need to ensure all operations center plugins are upgraded to at least 1.7.100 as for connected controllers you must be either all below 1.7.100 or all above 1.7.100)

• If your connected controller is running the 1.8 line of operations center plugins you need to ensure on that connected controller that the operations center client plugin has been upgraded to at least 1.8.19 .

Some other things to note:

• Only connected controllers that have been upgraded to 1.7.109 / 1.8.19 will enforce the policy

• On any one Jenkins instance do not mix 1.7 and 1.8 operations center plugins

• In any CloudBees Jenkins Operations Center cluster , in order to support rolling upgrades, the connected controllers must be running the same or an adjacent release line of operations center plugins

  • If CJOC is running the 1.7 line then connected controllers can be a mix of 1.6 (already end of support since November 2015), 1.7 and 1.8, but each individual controller must not mix plugin lines

  • If CJOC is running the 1.8 line then connected controllers can be a mix of 1.7 and 1.8 (and the next release line of CJOC) but each controller must be

• For the 1.7 line of operations center plugins, do not mix versions of operations center plugins below 1.7.100 with those above 1.7.100