Global MFA is enabled by default for new orgs

15 December 2022

bzero v. 7.3.1

For those who use Helm to install the Kubernetes bzero agent, you must update the Helm repository to chart version >= 1.1.3 before doing a fresh install of the bzero agent. You can do this with helm repo update.
This action updates the bctl-agent role to include permissions for retrieving logs from pods within the deployed namespace for the zli send-logs feature. Even if you do not intend to use send-logs, you must be using chart version >= 1.1.3 for any new Helm installations to be compatible with the new backend changes. We strongly recommend everyone who uses Helm takes this action.


  • [Released 8 December] Agent re-registration. Resolved issue if bzero agent is attempting to register on top of an existing registration, bzero will prompt user to use the -f flag to force a new registration

Web app & backend


  • Onboarding tool. To help aid users in onboarding targets to BastionZero, a self-serve, interactive onboarding guide is available within the web app underneath the support (?) icon in the top right corner. This tool provides guides for remote hosts, databases, Kubernetes clusters, web servers, and SSH tunnels. If you give it a try, let us know what you think!


  • Policies without a subject. Target connect, Kubernetes, and proxy policies can be created from the web app without any specified subjects. This enables you to mandate target access through just-in-time access only
  • Global MFA. New BastionZero organizations will have global MFA enabled by default. Users will be prompted upon first log in to set up their MFA using their chosen authenticator app. While it is not possible to disable MFA for the entire org, administrators may choose to disable, re-enable, or reset an individual user's MFA


  • Onboarding tool. Resolved minor issues in the onboarding tool
For questions or to give us feedback on how we can make our updates better, reach out to [email protected].