Skip to content
Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access data. Users of the 4me® Service can set up 2FA to securely access 4me, from the...
Category: Security & Privacy
4me can quickly, easily, and securely be set up to suit a wide variety of organizations, ranging from typical IT organizations and other service domains to enterprises and complete business ecosystems. 4me is also often...
It is now possible to add internal custom fields to configuration items. Internal custom fields on configuration items are only visible to people with the Specialist role in the account in which the configuration item...
Recently, the 4me Whistleblowing feature was announced, which means that people can be allowed to log in to 4me anonymously. Logging in without credentials, also known as guest login, can also be a very powerfull...
A small update has been made to the Activity monitor, which can be found in the Settings console. The 4me Password Age, showing the last time the password was reset for that user, is now...
Since the end of last year, the EU Whistleblower Directive came into force. According to the Directive, organizations must implement internal reporting channels. These have to be designed and operated in such a manner that...
It is now possible to read the permissions on a person record with automation rules. Permissions is an array of type permission that exposes the following fields and roles: Continue reading
Recently, UI extension fields that can be set to ‘Internal’ (by means of a checkbox named ‘Visible only to specialists, auditors, and account administrators of this account’) were made ‘Internal’ by default, following the principle...
With a UI extension, custom fields can be added to 4me forms. These fields can be given certain properties; to make them required, searchable, hidden, etc. For some categories, such as UI extensions for request...
The ‘Mention’ feature allows users to mention others when adding a note to, for example, a request or task. By mentioning someone, that person receives a notification with the note. A new setting has been...
An Interview with Thomas Fruhstuck — Chief Information Security Officer at 4me Thomas Fruhstuck is the primary contact for 4me customer’s information security and compliance officers. In this role, Thomas makes sure that 4me is...
Working in text fields is now considered user activity. To be clear: when a user has been inactive for a certain time, he or she must log in again. This time is the ‘Idle session...
The most recent audit of 4me’s System and Organization Controls (SOC) has been completed by Deloitte. The SOC 2 Type 2 report which resulted from this audit is now available. This SOC 2 Type 2...
Three new reports that are related to the Activity Monitor have been added to the ‘Reports’ section of the Analytics console: Logins agingPasswords agingCoverage of 2FA and When drilling down into the data of these...
4me allows attachments to be very large: files of up to 2 GB may be uploaded. It ensures that users do not need to worry about the size of the files they share in 4me. ...
4me has its own terms of use and privacy policy. These are published on our website, and on the bottom of the login screen. Organizations that use 4me may also want to show their terms...
When an account administrator or account owner deletes a note, this action is now visible in the audit trail for that record. It also shows up in the ‘Audit Entries’ section of the Settings console,...
The ‘Legal & Compliance’ section of the Settings console has been updated. Apart from the added ISO 27001:2013 and ISO 27018:2019 certifications in the ‘Security and Privacy Certifications’ section, a new section has been added...
A new log has been added to the ‘System Logs’ section of the Settings console. The Permission log keeps track of changes to user permissions. Organizations can use this log to see which users have...
Earlier this year, 4me announced its SOC 2 Type 2 attestation. To help customers that require their software vendors to be ISO 27001 certified, the 4me Software as a Service (SaaS) solution has now also...
Time entries can sometimes be visible between trusted accounts. For example, when a time entry is registered by a specialist of a service provider for a change or project task that was assigned by a...
Data security issues should be reported and taken care of as swiftly as possible. Organizations that work with both 4me service management and the Open Raven data security platform will therefore be pleased to learn...
When an approval task for a change or project is assigned to its approvers, 4me generates a separate approval summary for the recipients. This summary is attached as a PDF file to the email notification...
When the account owner of a newly created support domain account goes to the Settings console and opens the ‘Account Settings’ section, this person will see that the following checkbox is not checked: Internal notes...
The Sign In screen of the 4me service has undergone several updates. These updates were made to avoid situations where the 4me Sign In screen is regarded as a phishing site. When a 4me customer...
The buttons that allow users to select their preferred identity provider for accessing 4me have gotten a facelift. Their improved styling presents each single sign-on (SSO) option as a button. Each button now has the...
The email template 'Email Unknown' no longer exists. This email template was used to return an email after someone used the ‘Need help signing in?’ link and submitted an email address that does not match...
A few weeks ago, the ‘Apps’ section (edit: nowadays called the 'App Store') that can be found in the Settings console was given a makeover. Since then, every single sign-on (SSO) configuration is treated just...
When a customer has linked its 4me account with the 4me account of an external provider, and the provider has registered an SLA for the customer, then the customer is able to see the service...
The most recent audit of 4me's System and Organization Controls (SOC) has been conducted by Deloitte. The SOC 2 Type 2 report which resulted from this audit is now available. The difference between 4me's SOC...
The ability to create shareable dashboards URLs has been available for nearly two years already. Now an extra privacy feature has been added to ensure that a shareable dashboard URL cannot be used indefinitely. When...
It recently became possible to add import and export permissions to the scope of a personal access token or an application that is defined in the 'Applications' section of the Settings console. What has changed...
A new security feature has been added to 4me’s Webhooks API. This feature ensures that 4me verifies whether a webhook’s endpoint is actually owned by the organization that specified the endpoint in the webhook. Now, when...
Four new action options can be selected for a personal access token or an application to scope what their permissions in 4me. These new options concern the ability to import and export the 4me records...
4me’s support for IPv6 (Internet Protocol version 6) is now fully enabled in the QA and production environments. There are various advantages to IPv6. The most important advantages for 4me customers are: Enhanced security features...
4me's support for OAuth 2.0 has been extended to allow developers to build applications that need to interact with 4me, but which should not ask a 4me user for permission to use his or her...
Support for OAuth 2.0 has only just been introduced and now a new feature has been added that makes it easy to rotate OAuth tokens. An OAuth token is generated whenever someone creates a personal...
The 4me service now offers support for the OAuth 2.0 Authorization Code flow. This flow makes it possible for developers to have their application ask a user for permission to access 4me on behalf of...
As announced last week, the minimum retention periods is now drastically reduced in QA. Using the 'Retention Policy,' section of the Settings console, it is possible for the account owner to specify when a completed...
To make multi-factor authentication (MFA) a little easier for users, 4me now supports the use of hardware security keys, such as the ones provided by Yubico, Thetis and FEITIAN. A hardware security key does not...
Microsoft already offered its Azure Active Directory customers the benefits of enterprise-class single sign-on with 4me without any complex technical setup. This SSO integration allows an organization’s employees to sign in to 4me using their...
As enterprise organizations step up their compliance efforts, they require more, and more frequent, communication with the software vendors they rely on. Above all, enterprise SaaS vendors like 4me are required to demonstrate on a...
By default, 4me does not allow end users to see who is working on their requests. This reduces the risk of specialists being interrupted by end users reaching out directly to them. In most support...
Most organizations have activated single sign-on (SSO) in their 4me accounts. They rely on their identity provider (such as Azure AD, Okta or OneLogin) to ensure that people are authenticated before they can access 4me. ...
4me administrators are now able to add an extra layer of security to the payloads their webhooks send out. They can do this by creating a webhook policy in the 'Webhook Policies' section of the...
To help customers meet their compliance requirements, 4me is pleased to announce that its System and Organization Controls (SOC) report is now available. 4me's SOC 2 Type 1 report was issued by PricewaterhouseCoopers (PwC). This...
Now that the more secure personal access tokens have been introduced, organizations may want to stop people from using API tokens. Account owners can disable the use of API tokens by going to the Settings...
As announced during the 4me Connect 2020 event, 4me now makes it possible for all people who have access to the 4me Specialist Interface (i.e. auditors, specialists, designers and administrators) to generate personal access tokens....
When a 4me account is created for an organization, the security settings for this account now limit the file types that its 4me users are allowed to upload as attachments or inline images. By default,...
4me account owners are able to specify how quickly someone's 4me session should be terminated after that person stopped working in 4me. The idle session timeout can be set in the Security section of the...
Some provider organizations register their external customers and the key contact persons of those customers in the 4me account that their specialists use. When they do this, they run the risk of accidentally mentioning a...
Account administrators have the ability to remove notes. This makes to possible for them to act when someone accidentally included sensitive information in a note, or attached a file that contains information that should not...
An extra feature has become available for organizations that use the SAML protocol to give their people single sign-on access to 4me. This new feature allows them to add an extra layer of security by...
When someone attempted to log in to 4me several consecutive times with an incorrect password, his or her access to 4me is temporarily blocked. This is a basic security measure that stops people from trying...
4me may sometimes encourage users to switch on 2-factor authentication (2FA) or update their 4me password. Users will see these nudges as menu options when they click on their avatar in the upper right of...
As an extra security measure, people no longer automatically get an API token when their person record is created in the 4me. Going forward, an API token is generated for a person when he/she first...
All 4me demo environments have a special support domain account called 'Widget Data Protection'. This account is available at https://wdp.4me-demo.com/. It now includes several change templates to demonstrate how organizations can use 4me to manage...
The ability to delete (or redact) notes used to be reserved for the 4me administrators of the account in which the Person record of the person who added the note is registered. If someone whose Person...
4me Connect 2019 has come to an end. We welcomed delegates from over 20 countries aboard the ss Rotterdam. A record number of people attended the training sessions during the first day of the event....
4me's single sign-on (SSO) functionality has been extended further to provide even more flexibility. Enterprises could already integrate their 4me directory account with multiple identity providers (such as Azure AD, Okta and OneLogin). Now they...
Many organizations already require their employees to use two-factor authentication when they log on to the corporate network. The owner of such an organization’s 4me account may also have activated 4me’s security option that requires...
The owner of a 4me account is able to access the ‘Security ‘section of the Settings console. In this section, the account owner is now able to activate the new option 'Two-factor authentication is required'. This...
People who work for an organization that has activated single-sign-on (SSO) in their 4me account have always been able to bypass SSO and use 4me’s standard login page instead. That can be useful, for example,...
DKIM (DomainKeys Identified Mail) is an email authentication method that is designed to detect forged sender addresses in emails. 4me now allows organizations to use their own DKIM keys. Combined with DMARC (Domain-based Message Authentication,...
The ‘Email Policy’ section in the Settings console has two new options. The first is called ‘Allow inbound email to generate new requests’. When this option is checked, people are able to send email to...
DKIM (DomainKeys Identified Mail) is an internet standard used to detect forged sender addresses in email messages. This email authentication method is often used by organization to protect their email users from phishing and spam....
A new product category has been added, because several organizations indicated a need for it. This new category is called 'Security Certificate'. It was already possible for organizations to add this category by themselves in...
A new role has been added. It is called the ‘Account Designer’ role. This role can be given to people who need to be able to maintain the organization’s account design, Self Service design, PDF...
In the 'Security' section of the Settings console, it now possible for an organization's account owner to define a list of extensions that files are allowed to have when they are attached to a 4me...
When a specialist clicks on him/herself in the far right of the toolbar and selects the option 'My Profile', it used to be possible for this person to go to the 'API' section and see...
An important adjustment has been made to the access rights that the Directory Administrator role provides. In the past, this role made it possible to grant and revoke all roles of the directory account and...
Two more security enhancements have been added that will help users protect their access to 4me. Neither of these improvements should have a big impact on users, but they may notice a minor difference in...
Yet another security feature has been added. From now on, all files that are attached to a 4me record are subjected to a virus scan after they have been uploaded. If the virus scanner detects...
Service providers are now able to specify how long records, which could contain personally identifiable information (PII), should be retained. By specifying a retention period for such records, service providers can ensure that they are...
A new security enhancement had to be added. This enhancement is unfortunate, but necessary. It limits the ability to include URLs for images or videos from external sites. Continue reading
It is no longer be possible to create or update records if they contain insecure links in their HTML, JavaScript or CSS fields. Any pre-existing insecure content will continue to work for now. To help...
UI extension fields can now be marked as internal. The easy way to do this when adding a new field to a UI extension is to check the new Snippets option 'Internal'. Continue reading
Specialists of a trusted account can review a change when it includes a task that is assigned to a team of this trusted account. To avoid the unintentional sharing of the notes and attachments of...
When administrators or auditors access the Settings console of an organization's 4me account, they are able to open the Activity Monitor. The Activity Monitor provides an overview of all people who are registered in the...
Each record in 4me has an audit trail that shows who made which updates and when these updates were made. As an extra security feature, each audit entry includes not only the name of the...
A number of additional reports have become available in the 'Reports' section of the Analytics console. The new reports are: Continue reading
A restriction has been implemented to better secure the information in internal notes. Specialists can still add internal notes to requests, but after an internal note has been added, the people who are notified, will...
Auditors and administrators can review all the email that has been received by 4me's Mail API. They can do this in the 'Inbound Email' section of the Settings console. When they open one of those...
All 4me users are now able to see their personal history of security events. End users can see these events in Self Service when they go 'My Profile'. In 4me's full UI, specialists can find...
The ‘Attachments’ and ‘Notes’ sections of a change are no longer available to specialists, unless they have the Specialist or Auditor role of the account in which the change is registered. Continue reading
The Security section has been added to the Settings console. This section can be used to limit the length of time after which an inactive user's session is terminated. In the past, this timeout was...
4me users are now able to activate 2-factor authentication to better protect their 4me access. To set up 2-factor authentication, users can go to 'My Profile'. In Self Service, users can then follow the link...
The owner of an organization's 4me account is now able to customize the account's password policy. This makes it possible to adjust the rules for 4me passwords so that they align with the requirements of...
As the go-live date for the GDPR is approaching fast, organizations are doing their best to meet the requirements. For the most part, this is a process of finding out what kind of personal information...
The 'Legal & Compliance' section has been added to the Settings console. This section can only be accessed by the owner of a 4me account. The primary purpose of this section is to provide customers...
To make it easier for customers to comply with the GDPR, it is now possible to anonymize person records. This is important because from May 25 onwards, individuals can demand that their personal data is...
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) goes into effect. Because many of 4me's customers are based in the European Economic Area (EEA) or support users there, this is going...
The Support ID field is available in each person record. This field is used by support organizations to enter a number or code that service desk analysts can ask for when someone contacts the service...
To make it easier for organizations to meet all GDPR requirements, more actions are now getting logged in the Authentication Log. Continue reading
Currently, when customers connect to the 4me service, the HTTPS requests made accept the SSL protocols TLS v1.0, v1.1 and v1.2. To further improve the security of the 4me service, TLS v1.2 will soon be...
API tokens needs to be treated with great care because they allow people to access the 4me service through the 4me APIs. If someone believes that his/her API token has accidentally been shared with others, it is possible to...
By default, internal notes are visible when requests get passed between different support organizations within the same enterprise. When each of these support organizations has its own 4me support domain account and one support domain...
The production environment of the 4me service was recently migrated to an entirely new infrastructure. The QA environment has already been running on an identical infrastructure for several months to proof the quality of its...
Many organizations have already discovered that 4me can be used to provide a single Self Service portal for all kinds of support. That makes it easy for the employees. Whether they need a new laptop,...
The Key Contact role can now be limited to specific support domain accounts. This makes it possible, for example, to give someone the Key Contact role for the Facilities Management and IT domains, but not...
From time to time it happens that sensitive information is included in a note or one of the note's attachments. To prevent all support specialists from seeing this information, a new feature has been added...
Organizations that track time spent see the ’Time Entries’ section at the bottom of their requests, problems, releases, changes and tasks. Access to the time entries that are linked to these records has been restricted...
A typical 4me account can be accessed by more than one account administrator. Each account can have only one owner, though. To limit access to the single sign-on configuration of an 4me account as much...
A view has been added that you may find useful. It is the 'All People with Roles' view. It lists every person who has one or more roles (i.e. access profiles) of your organization's account....
