Feature Request

Request new features for Devolutions Cloud.

mmedouard

Security issue on Devolutions Workspace

Hello, After the last updates, I don't know which one, the problem of the security already discussed 2 years ago comes back ( https://forum.devolutions.net/topics/41460/security-problem-on-personal-hub#190146 ). If there is an option to enable the disconnection I don't find it. My request is the same: when I close the browser with the Devolutions Workspace extension I must be logged out of Devolutions Workspace. Currently somebody who is using my session (my children, a hacker) has got all my passwords with Devolutions without having to enter a password. That is bad. I hope you can update the version to make it more secure. Many thanks Marc

1

21

0

jm2

Support for linked account credentials in propagation script parameters

Hello, Would it be possible to accommodate using linked PAM accounts for the credential properties of propagation scripts? Similar to how DVLS allows a linked account to be used for connecting to a PAM identity provider. Being limited to explicit static credentials is somewhat incompatible with PAM lifecycle password rotation of all of a system's privileged credentials. For example, if the built-in Windows Administrator is used for a propagation script to update the password for a system service, the script parameters need to be manually updated whenever the Administrator password changes. Another way this feature would be useful is when multiple propagation scripts use the same credential. Without being able to use a linked account, the use of propagation scripts at scale becomes problematic because a password needs to be manually updated in multiple locations every time it changes. Please let me know if any additional info is required. Thanks Joe

1

23

2

jm2

jm2

Email alerts for administrators

Hello, With DVLS, email alerts are configurable to be sent to administrators when certain events occur, such as scheduler being offline or PAM heartbeat failures etc. Would it be possible to have equivalent behavior in Devolutions Cloud? In particular, it would be very useful to be alerted when a hub services instance goes offline, or auto updates. Please let me know if you would like any additional info. Thanks Joe

1

39

2

jm2

hnn

Devolutions Hub Business web interface integrate with Bitwarden for authentication.

The Bitwarden entry is not currently supported directly in the Devolutions Hub Business web interface for launching and pushing credentials to an RDP session. To use this workflow, you will need to open the session through Remote Desktop Manager or, at minimum, Devolutions Launcher.

1

56

2

Sébastien Aubin

patrick_alphonso

Azure Log Analytics Integration – Log Content Enrichment & Structured Fields for SIEM

Summary: The current Azure Log Analytics integration (custom log) sends logs that are too sparse for real-world SIEM usage (Microsoft Sentinel, Splunk, etc.). We are requesting enrichment of the log schema and the Message field content.

Issues Identified:

1. No readable user identity
The UserID field only contains a GUID. A workaround using Get-HubUser was suggested, but this requires a manual PowerShell join and is not viable at scale in a SIEM. The UserDisplayName / Username should be natively included in each log entry. (Note: We understand a dev ticket has been opened for this — thank you. We are adding it here for community visibility and prioritization.)

2. Message field is too vague
The current content of the Message field does not allow an analyst to determine what action was performed (read, create, modify, delete, login, etc.), on which resource (vault, entry, group, policy), from which source IP or client, or with what result (success, failure, denied).

3. Missing structured/queryable columns
For a SIEM like Sentinel or Splunk, a flat text blob is insufficient. Logs should expose distinct, typed columns. At minimum, the following fields are expected:
- ActionType — e.g. EntryRead, VaultModified, UserLogin, PolicyChanged
- ResourceName — name of the vault or entry affected
- ResourceType — e.g. Vault, Entry, Group, Policy
- SourceIPAddress — origin IP of the request
- Result — e.g. Success, Failure, Denied
- UserDisplayName — human-readable username
- VaultName — name of the parent vault

4. No User Behavior Analytics (UBA) logs
UBA is currently not a supported log type. We are formally requesting it as a feature. UBA is essential for detecting anomalous access patterns, privilege abuse, and insider threats in environments with PAM solutions.

5. Native Splunk HEC integration
Azure Log Analytics works as an intermediate, but a direct Splunk HTTP Event Collector (HEC) output would be strongly preferred. Many enterprise security teams use Splunk as their primary SIEM, and routing through LAW adds latency and complexity.

Business Impact: Without these improvements, the Azure Log Analytics integration cannot be used for security alerting and threat detection, privileged access reviews, or audit and compliance reporting. The logs as-is confirm that something happened, but provide no actionable context.

Expected behavior: Each log entry sent to LAW should contain enough structured information to answer: Who did what, on what resource, from where, and with what result — without requiring any post-processing or external joins.

10

266

5

patrick_patenaude

clacombe

Tree structure: Have the choice to change sorting order

I would like to be able to see Entries before Subfolders when I look at Vault content. In a subfolder I prefer to see main entries on top and less important Entries stored in subfolders! I asked ChatGPT:

Current behavior
The tree view is typically sorted as follows:
- Folders (subfolders) first
- Entries second
- Sorted alphabetically within each group
This behavior is fixed in the web interface and in Remote Desktop Manager when connected to Hub Business.

1

42

0

jm2

WebUI support for 'Hub privileged account' type entries

Hello, Somewhat related to existing feature requests, could 'Hub privileged account' type entries be accommodated in Cloud WebUI please? Credential type "DVLS Privileged Account" support in Web version of Devolutions Server WebUI unable to launch sessions using 'find by name (uservault)' that resolves to a PAM credential Thanks Joe

1

35

1

Luc Fauvel

jm2

'Use active Hub/Cloud datasource' checkbox for entries of type 'Hub privileged account'

Hello, With DVLS as a data source, it is possible to check the option to use active data source when creating 'DVLS privileged account' type entries using RDM. When attempting to create an equivalent type entry with a Hub/Cloud datasource, the user has to either enter an email address (or preset their respective 'My Account' setting), and then manually select a Hub account for every entry, which is somewhat cumbersome. Could a 'use active datasource' option be accommodated to simplify the user experience for Hub/Cloud usage scenarios please? Please let me know if you would like any additional info. Thanks Joe

1

38

1

Luc Fauvel

Patrick Ouimet

Quality of Life

Apply security on pending user and invitation required

I'm opening this on behalf of a customer. This is a request to implement an automatic user creation using SCIM in Azure. Using provisioning on demand, it could be interesting to create this user in the Hub Cloud. Best regards,

1

59

1

jm2

Arnaud S.

Fix two-step verification for Yubikey

Could you fix your two-step verification process for Devolutions Hub please? If you set a Yubikey, we should be able to:
- Not being forced to register a recovery email
- Considering two step verification process complete
- Allowing us to connect to Devolutions Hub with Yubikey + PIN and nothing more
- Being able to login in RDM with the Yubikey (WebAuthn and not Yubico OTP)

Let me give you more context / troubleshooting:

We're using Devolutions account instead of Microsoft for our administrators since we can't link a licence between two accounts like with the on premise version of DVLS... Obviously we would like to enforce MFA configuration on these accounts so I tried to implement this today.

I went on portal.devolutions.com and configured multiple Yubikeys on my account and checked the "Use for passwordless login" option. In the "Two-Step Verification" menu I was forced to create a recovery mail to allow Yubikey being used as a 2FA. That's already odd since we already have recovery code... But I still have a message stating two step verification is partially configured. (See the screenshots)

I tried to re-login on portal.devolutions.com, everything worked fine: prompting for Yubikey and asking pin. Great.

I did the same for ourcompany.devolutions.app and it prompted Yubikey, then asking for the pin, then asking me a code sent by mail as a 2FA check. Once I entered the code received by mail it showed an error message "You signed in using a recovery 2nd factor method, we reccomend that you configure a strong 2nd factor in your account to fix this issue". Available options are Push via Devolutions Workspace or TOTP. Neither of them are better than Yubikey regarding security.

I retried but canceled the Yubikey prompt and clicked on another way to sign in and chose password. I had to enter my password, it prompted for the Yubikey then asked for the pin. Without asking me to configure another 2FA method.

This causes multiple issues:
- I can't enforce MFA for Devolutions account in the Hub Console, or we will all be forced to configure TOTP / Devolutions Workspace push.
- Obviously, not enforcing MFA isn't acceptable too
- We're forced to configure weaker factor than Yubikey, so it's decreasing the whole security level

So from my interpretation, you didn't implement security keys how it should work. Just to remember some basic concepts:
- Secure authentication: something you know, something you own. Yubikey is the physical device you own (instead of your phone), the PIN is the something you know.
- The strongest protocol MFA is webauthn and resident credential, TOTP is strong but still vulnerable, mail isn't really good, SMS/Phone is the worst and should be avoided
- Some companies also use Yubikey with the account password and the touch confirmation on the device (without pin).

In both scenarios, you should keep recovery codes in case of device loss. I will be more than happy to show you in live if we schedule a call. Best regards

3

795

9

Luc Fauvel

nilupalamu

Hi I have genuine issue with your inbuilt app browser and Webpreview

These days everyone has their own favorite browser to do everyday stuff, can you please remove your inbuilt browser and web preview from your ANDROID APP ( Devolution Workplace - ://play.google.com/store/apps/details?id=net.devolutions.authenticator ) This is my genuine request as my child is using your app to watch youtube and other content from inbuilt browser of app in a parental control device. Thanks Nilu

1

151

5

Dany Galarneau

Samuel Dery

Permission Report for entries inside a Vault

Making this request on behalf of a client. He would like a Report similar to the "Vault Permissions" report, but for Entries within a vault directly. The goal would be to use this report in order to see which Users have been granted permissions at the entry level directly, without having to check each entry individually.

2

81

0

charleswitherspoon

Reporting for license usage

Good morning, Devolutions team, I’m looking for a way to clean up our Devolutions environment by auditing user activity specifically, identifying users who have not logged in within a defined period (for example, >180 days). We have the Devolutions Hub module installed, and I’m comfortable working with PowerShell. However, I haven’t been able to find any functions, methods, or properties that expose user login or audit data programmatically, even though this information is visible in the web UI.

Ideally, whether via PowerShell or the GUI, I’d like the ability to:
- Identify the most active users
- Identify users who were onboarded but no longer use the platform (inactive for 180+ days)
- Determine which features users are licensed for
- See when users last logged into the system
- Generate reports based on this data (GUI and/or PowerShell)

In our environment, some users are onboarded to Devolutions for specific projects. Once those projects end, their AD / Entra ID accounts may be disabled, but because licensing is based on directory headcount, those users can still consume a Devolutions license even though they’re no longer actively using the platform. Being able to correlate licensing with actual usage would be extremely helpful for right sizing our cost.

1

129

3

Dominic Dansereau

pierrebourgault

List of deprecated entries

It would be helpful to have a list of entries that are and/or will be deprecated, along with the date they will no longer be supported by Devolutions. It is not possible to search for deprecated entries in either the Hub or RDM to correct the situation.

2

106

2

pierrebourgault

tchitchirakresp

Ability to disable file sharing in Devolutions Send (password-only usage)

Hello, We are currently evaluating/deploying Devolutions Send and would like to limit its usage strictly to secure password sharing (internal and external). For security, compliance, and governance reasons, we would like to disable file sharing while keeping password sharing enabled.

A configuration option allowing administrators to:
- Disable file sharing while keeping password sending enabled
- Apply this restriction globally or via roles/policies
would be extremely valuable in environments with strict security controls. This would help organizations adopt Devolutions Send while ensuring it aligns with internal security policies. Thank you for considering this request.

12

134

4

Luc Fauvel

rvosmeijer

Disable export functionality for user's personal vault.

Hello, I would like admins to be able to disable the export functionality for a User's personal vault. Ideally I would like to set this as default for the whole system/tenant. Thanks in advance!

1

243

7

Dominic Dansereau

jesper.a

Implemented

Import entries from .RDM file exported via DVLS

We are currently moving from DVLS to Hub and have noticed there is no way to easily import user vaults. We have many users that do not use RDM or have access to other tools and have tried to export from DVLS, which exports as .RDM-file. Which cannot be imported to the Hub.

1

235

5

Maxim Robert

Alexandre De meuleneire

Improvement Request – SIEM Integration and Log Management Enhancements

Hello, While working on a SIEM integration for Devolutions, I’ve encountered several limitations regarding the Get-HubSiemLogs command. Since the solution currently cannot directly connect to a SIEM for live log forwarding, I started exploring possible automation approaches and noticed several issues related to how logs are generated and structured.

Identified issues:
- The Data field appears to be encrypted, and no information is available about its content or decoding process.
- The UserIpAddress field always returns the class name Devolutions.Hub.Clients.LogIpAddress instead of the actual IP address.
- There is no clear way to identify the user who triggered the event — only their internal account ID is shown.
- There is no log severity level (e.g., INFO, WARN, ERROR), which makes it difficult to filter or prioritize log events.

Would it be possible to consider improving the log structure to address the points listed above?

Additional feature requests:
- Real-time log streaming: It would be very useful to have a feature similar to the Linux tail -f command, allowing continuous and real-time log monitoring. Currently, the only available options are “Weekly” and “Daily” log packages, which are not practical for active monitoring of a critical service like Devolutions Hub.
- Log forwarding capability: For the SaaS version, could you add an option to forward logs to an external application using an authentication key? In our case, we use Sekoia, which doesn’t have a native intake for Devolutions yet — but we could build one, provided we can receive logs directly from your platform.

Thank you in advance for your attention to these points and for considering these improvements. Please let me know if you need additional details or examples from my current integration tests. Kind regards.

11

315

9

Dominic Dansereau

maximetremblay

Allow Entra ID users without mailboxes to validate/activate Devolutions Hub accounts

Hello Devolutions team, We would like to submit a feature request regarding user activation/validation in Devolutions Hub Business when using Microsoft Entra ID.

Summary
In our environment (Ville de Saguenay), we need to onboard a group of Entra ID users (about ~50) who do not have mailboxes and therefore cannot receive validation emails. Currently, after a period of time (we were told ~30 days), the user must validate their Devolutions account and an email is sent to complete the validation. This becomes a blocker for these users since they will never receive email.

Current behavior / problem
- We can add Entra ID users to Hub Business and they can initially authenticate.
- After the grace period, the platform requires a Devolutions account validation that relies on sending an email.
- Users without mailboxes cannot complete this step, so they lose access / cannot access the Hub.

Why this matters
Many organizations have service accounts, kiosk/shared workstation users, or specific security contexts where identities exist in Entra ID but no email mailbox is provisioned. Requiring email-based validation prevents us from using Hub for these users and complicates enterprise onboarding.

Requested enhancement (options)
Any of the following would solve the issue (in order of preference):
- Admin validation/approval flow (no email required): Allow a Hub admin to validate/activate a user account from the admin portal. For example: “Pending validation” → Admin clicks “Validate/Activate”.
- Disable email validation requirement for Entra ID (SSO) tenants: If the user authenticates via Entra ID (OIDC/SAML), allow bypassing the Devolutions email validation requirement.
- Alternative validation method: Validate via an admin-generated one-time code shown in the Hub UI (not sent by email), or Validate via another communication method configurable by the tenant (SMS, etc.).
- Tenant-level policy: A setting such as: “Require Devolutions email validation: On/Off” Or “Require validation after X days: configurable/disable”.

Expected result
Users who authenticate successfully through Entra ID should be able to remain active and access Hub even if they do not have an email mailbox, using an admin-controlled validation method or an SSO-based validation approach. If needed, we can provide additional details about our setup and use case

1

187

2

Luc Fauvel

mariuszkunicki

Send request for Temporary access to more than 1 approver

Hello, Can we please get the ability to send requests for temporary access to more than a single approver at a time? There're situations in life like sick days, vacations, days off, general unavailability and these requests sometimes 'sit' for days... It would be nice to have a fallback or a secondary person receiving them at the same time.

2

267

5

Ian T

Ian T

Manage temporary access via API or powershell

We would like to be able to manage temporary access via the API so that we can integrate it with our existing systems (like ticketing system). Right now we use a webhook to create a ticket when access is requested, but we need to manually grant the access via RDM or other platforms. We would like to make an API call to automate this. As this is the primary reason we are using this product (giving temporary access to our clients to our servers) we would like to see an API addition.

2

180

6

Maxime Morin

edsoncaetano

Allow Create/Edit Entries Without Delete Permission in Devolutions Hub Business

Hello Devolutions Team and Community, I would like to submit a feature request related to permission granularity in Devolutions Hub Business, specifically regarding segregation of duties for credential management.

Use case
In our environment, we need a group of users who are allowed to:
- Create entries
- Edit existing entries
- View passwords and sensitive data
- Manage attachments and documentation
- Edit VPN / Tunnel / Gateway configurations
However, these users must not be able to delete entries. This is a very common requirement for environments with:
- Segregation of duties
- Audit and compliance controls
- Change management policies
- Credential lifecycle governance

Current behavior
We understand and confirm that:
- Entries inherit permissions from the vault (and optionally folder/entry overrides), regardless of who created the entry.
- Vault-level custom permissions allow granular control.
However:
- There is currently no built-in role in Hub Business that allows Add + Edit while fully preventing Delete in a clear and enforceable way.
- The closest role, Privileged Operators, grants delete permissions, which is not acceptable for this scenario.
- Relying on complex inheritance combinations makes the permission model harder to audit and reason about.

Feature request
Introduce a dedicated role or explicit permission model that allows:
- Create and edit entries
- Full read access to credentials and sensitive fields
- Explicit and guaranteed prevention of entry deletion
This could be implemented as:
- A new built-in role, or
- A more explicit separation between Edit and Delete actions with strict enforcement

Business value
This enhancement would:
- Improve security posture
- Simplify permission audits
- Support compliance frameworks (ISO 27001, SOC 2, etc.)
- Reduce the risk of accidental or unauthorized deletions

Thank you for considering this request. I believe this feature would benefit many organizations using Devolutions Hub Business in regulated or enterprise environments.

Best regards,
Edson Eduardo Caetano Junior
NOC, IT & Infrastructure Projects Manager

1

162

3

edsoncaetano

renecharbonneau

Whitelist more than one IP(v4) address for Application identity

When we enforced SSO for our admin users on Devolutions Hub Business, we were advised to create an application identity with admin level access to our business hub so we could connect via Powershell and disable SSO enforcement in case of emergency. We did that and wanted to "lock down" the public IP addresses that are allowed to sign into the Powershell API. Sadly we realized that - as of now - only one IP(v4) address per application identity can be whitelisted (automatically during first powershell connection). Since we have multiple offices and each office has one to two WAN connections with different public IPs, we would like the ability to (manually) whitelist more than one IP(v4) address per application identity.

1

175

2

Dominic Dansereau

Fabian

Automatic RDM Updates via Devolutions HUB

We want to update our users to specific versions via Settings in our Business HUB. On the SQL Database version, it was possible to set it to a minimum, so our users would get prompted on next RDM start. We don't want to use the 'always build new MSI and deploy it' method. It interrupts our users while they work and can be buggy.

2

177

3

Fabian

jesper.a

Support customfields on more entry types

After exporting our vaults from the server version and import into Hub, we have noticed many entries have lost their customfields where we have stored data which can no longer be accessed via the Hub. So we have kept our old devolution password server online. The bare minimum for me would be to be able to migrate 1 to 1 between your own services which we can't 100% do, when there's a few entries that don't even exist in Hub but do in password server, and fields are not shown. An example of this is old certificate entry, in hub the entries are just called document after import. Custom fields are shown when viewing the entries in RDM and connected to the Hub, so the data have been imported they just need to be shown. Connection-String as an entry cannot be added in Hub as a new entry, but old ones have been imported so the entry type exists since it recognizes it as "Connection-String"-type.

1

229

8

jesper.a
