Bluink Enterprise Server

The Bluink Enterprise server is distributed using Docker, installable on most Linux distributions. To upgrade: cd bluent ; git pull ; ./utils upgrade



  • Added support for Microsoft Intune via a new configuration flag

    • If you need Intune support, add the following below your entMode config in config.tml:
    # Whether this server uses Microsoft's Intune
    useIntune = true
  • Added an option under Settings > Enterprise > Management Console to upload a custom attestation certificate

  • This enforces that only phone apps that are using that attestation certificate may register with the server. Currently this is only supported in the Intune version of our apps, where Intune can push configuration to the apps pre-registration.

  • Enabled attestation certificate validation

  • This is now always on. When Intune mode is disabled, this uses our default attestation certificate. When Intune mode is enabled, it uses the custom certificate configured via Intune.

  • Minor interface fixes and improvements


PLEASE NOTE: Users of the new version of the apps will not be able to register with older versions of the server. Existing registered phones will still work. Please upgrade to the latest version of the server to be able to register new users or additional phones.


  • New usage policy system for credentials

    Usage policies now allow restricting credential usage by geofence and require reauthentication. They are now configured per credential rather than per credential item, to improve usability. There are 5 policy modes, each with increased restrictiveness:

    • Always allow
    • Only reauthenticate when outside geofences (Allowed without reauthentication while inside)
    • Always reauthenticate
    • Inside geofences, always allow (Denied otherwise)
    • Inside geofences, always reauthenticate (Denied otherwise)
  • Rework geofencing

    Geofences are now assigned to credentials, instead of being assigned to specific user-credential pairs. They are no longer automatically applied for all usages but rather determined by the usage policies on the credential items.

    Geofences that are marked as applying to specific users are considered "personal". Personal geofences are now conditionally applied to credentials if the "Include Personal Geofences" policy is enabled. If enabled, the user will be allowed to use their credential if they are within any of their personal geofences.

  • Improve credentials user interface

    Major changes were made to the "Update Credential" page to streamline configuration and bring additional clarity to the features. The layout was broken into tabs to reduce the amount of information on the screen at any given time.

    The "Add Credential" page also received some improvements to make it easier to choose the type of credential.

    The "Shared" credential mode was renamed to "Ownership" to clarify the opposite mode, being "Individual" mode, which allows each user to have their own unique values for their credentials rather than sharing the same login with everyone else.

  • Improve credential items user interface

    The "Update Item" page layout has been redone to group related fields together.

    The "Value is Constant" item mode has been renamed to "Value Handling", to clarify that the opposite mode is "Encrypted". "Encrypted" means the values are stored securely on users' phones and never on the server, except while encrypted in transit during sync. "Constant" means the values are stored in plain text and are not secured, and cannot be changed by users.

  • New credential policy "Allow User Editing"

    This policy was considered on by default in the past. Now, this can be turned off to prevent users from being able to modify credential values. Note that they are still allowed to fill in the initial values for the credential if they did not previously have values for their credentials. Once values are set, then an administrator must be the one to change the values using the "Set Values" button in the credential update page. This is especially useful for shared credentials that you do not want users to self manage. Be aware that users may still be able to change the password on remote systems. If so, they should contact an administrator to let them know the new password so they can update it via the "Set Values" feature.

  • New global smartphone app policies

    • Use App Password

      This policy was considered already on by default in the past. Now, this can be turned off to let the apps instead use the phone's built-in security, such as the phone's PIN and, if available, biometrics (fingerprint scanner, Touch ID, Face ID, etc.), to unlock the app instead of having to use a master password.

    • Allow Personal Credentials

      This policy was considered already on by default in the past. Now, this can be turned off to prevent users from creating personal credentials in their app, if you want to restrict them from managing their own accounts in the app. Users can instead use our non-Enterprise version of the app, "Bluink Key", to manage their personal credentials, if they wish.

    • Maximum Offline Time

      This policy will prevent the user from unlocking their app if their phone has not connected to the Enterprise server within the configured number of days. If the time is reached, then when attempting to unlock the app, an attempt to connect to the Enterprise server will be made. If the attempt to connect fails, then the app will stay locked. This can be used to prevent a potential bad actor from disconnecting their phone from the internet to continue to have access to credentials for extended periods of time. Please note that if the server is brought down, the attempt to connect will fail, potentially causing users to be unintentionally locked out. The time is specified in number of days, so this should be unlikely to happen.

  • Minor fixes and improvements

    • Style the checkboxes throughout the application to improve clarity and usability
    • User and Group update pages now use a tabbed layout
    • Bluink Identity users and application sections have been split onto their own pages
    • Bluink Identity application update pages now use a tabbed layout
    • Bluink Identity applications now use the new usage policy system (see above)
    • Renamed "Geolocation restrictions" to "Geofences"
    • When logging back in after an expired session, you'll now be properly redirected to the page you were last visiting
    • Add chevrons to expandable sections in the user update and geofence create pages to clarify that they can be expanded
    • Fix a long-standing bug where apps would sometimes get tags that read "Null"
    • Improve validation when doing certain actions
    • Improve user feedback after saving changes on some settings pages
    • Now uses short-lived cookies to help smooth out the user experience while navigating pages that use a tabbed layout
    • Fix an issue where two invites could be mistakenly sent at the same time if cancelling the first one
    • Add functionality to allow setting a value for a password on a shared credential via the password credential item page
    • Fix a race condition when phones send back their logs to the server
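
The five usage policy modes and the "Include Personal Geofences" policy described above can be read as a small decision function. The sketch below is an added example, not Bluink's code: the names, the radius-only geofence model, the coordinates, and the choice to treat a missing location fix as "outside" are all assumptions.

```python
import math
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    # The five modes from the release notes, least to most restrictive.
    ALWAYS_ALLOW = 1
    REAUTH_OUTSIDE_GEOFENCES = 2
    ALWAYS_REAUTH = 3
    INSIDE_ALLOW = 4
    INSIDE_REAUTH = 5


class Decision(Enum):
    ALLOW = "allow"
    REAUTH = "reauthenticate"
    DENY = "deny"


@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_m: float


def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def inside_any(position, fences):
    if position is None:
        return False  # assumption: no location fix counts as outside (fail closed)
    lat, lon = position
    return any(distance_m(lat, lon, f.lat, f.lon) <= f.radius_m for f in fences)


def evaluate(mode, position, credential_fences, personal_fences=(), include_personal=False):
    """Return the Decision for one credential usage attempt."""
    if mode is Mode.ALWAYS_ALLOW:
        return Decision.ALLOW
    if mode is Mode.ALWAYS_REAUTH:
        return Decision.REAUTH
    fences = list(credential_fences)
    if include_personal:
        # Personal geofences only count when the credential opts in.
        fences += list(personal_fences)
    inside = inside_any(position, fences)
    if mode is Mode.REAUTH_OUTSIDE_GEOFENCES:
        return Decision.ALLOW if inside else Decision.REAUTH
    if mode is Mode.INSIDE_ALLOW:
        return Decision.ALLOW if inside else Decision.DENY
    if mode is Mode.INSIDE_REAUTH:
        return Decision.REAUTH if inside else Decision.DENY
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed sample data (not real sites).
OFFICE = Geofence(45.4215, -75.6972, 200)   # credential geofence
HOME = Geofence(45.3500, -75.7500, 100)     # one user's personal geofence
AT_OFFICE = (45.4216, -75.6972)
AT_HOME = (45.3501, -75.7500)
ELSEWHERE = (43.6532, -79.3832)

if __name__ == "__main__":
    for mode in Mode:
        print(mode.name, evaluate(mode, AT_HOME, [OFFICE], [HOME], include_personal=True).value)
```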


PLEASE NOTE: If you are upgrading from version 3.7 or earlier, please consult the release notes from previous versions for the additional steps required while upgrading.

Additionally, if you are upgrading from version 3.9 or earlier, please use your package manager to upgrade to the latest version of docker before upgrading the application. For example on Ubuntu, run sudo apt update && sudo apt upgrade, and for CentOS, run sudo yum update. To confirm that this worked, run docker -v to confirm that the version is 17.05.0-ce or greater, which is now the minimum version of docker we require.

Hotfix release v3.10.4

  • Add support for a future release of Bluink Key Desktop

  • Allow setting Bluink Identity registered smartphones to LOST

    Prevents new auth requests from being sent out to those phones and prevents them from responding to auth requests.

Hotfix release v3.10.2

  • Fix a problem with cyclic group references in AD

    When searching for groups, a warning will appear if the application detects that there is a group that references itself (either directly or via another group).

  • Fix a problem with duplicate assignments of users to credentials

    This causes some problems with app behaviour, such as geolocation restrictions sometimes not being applied, and the credentials count when syncing with the server showing larger than it really was.

  • Add ability to delete groups imported from AD

    This doesn't delete the users contained in the group from Enterprise.

  • Minor interface fixes and improvements


  • Credential template improvements

    • When deploying a new application, a credential is automatically created and configured to be your enterprise credential. This is also available to be run manually for existing deploys with ./utils initentcred
    • All the templates' categories are added as tags when creating a new credential
    • When attaching a new template to a credential, it now automatically creates any credential items that are required by the new templates
    • Deleting a credential item that was created by attaching a template now detaches the template if it is no longer valid
    • The name of the first template on a credential is now editable
    • When generic web login credentials are created, the first template now uses the credential title instead of "Web Login" as the template name
  • Implement support for tracking nested groups assignments from AD for users

    • On group import or on AD Sync, users are assigned to a group if they are directly in the group or they belong to any of its subgroups
    • Membership in nested groups is maintained through AD Sync functionality
  • Update Add Geolocation view

    Allow for visually choosing a geolocation and its radius with a map, via client-side geocoding

  • Improve interface to better support mobile browsers

  • Change enterprise registration emails

    Use a button which opens the Bluink Enterprise app with the registration code data. Replaces the email attachment as a method to start the registration.

  • Major application performance improvements (PHP opcache)

  • The application will now automatically restart when the host machine is rebooted

    Uses Docker's restart policies. We also implemented a script to prevent Caddy from getting stuck in restart loops which would trigger Let's Encrypt rate limits, preventing the domain from getting a certificate for some amount of time.

  • Add update button to the Bluink Identity Update User page to get the latest list of registered smartphones

  • Add tracking of the time phones were last seen by the server

    See this information on the Update User page: hover your mouse over the phone's name to see the time in the tooltip

  • Minor interface improvements

    • Remove the # items column from the Manage Credentials page
    • Fix a problem with the credential title in the delete modal dialog on the Manage Credentials page
    • Table headers on some pages are now sticky
      • The headers stay at the top of the screen when scrolling past them
    • Remove the type column from the attached templates section in the credential update pages
      • The type is still accessible by opening the edit modal for attached templates
    • Fix a problem where the timestamps for registered smartphones were converted to the application's timezone twice, causing them to be inaccurate
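
The nested-group assignment above and the cyclic-reference warning from hotfix v3.10.2 are two sides of the same traversal: walk the subgroups, collect users, and report any group that is reached again on the current path. This is an added example, not the server's implementation; the function name and the in-memory dictionaries standing in for AD are assumptions.

```python
def resolve_members(group, direct_users, subgroups):
    """Return (users, cycles) for `group`.

    users  - every user in the group directly or through any nested subgroup
    cycles - each cyclic reference found, as the list of groups on the loop
             (a group that lists itself yields [name, name])
    """
    users, cycles = set(), []
    path = []        # groups on the current descent, outermost first
    done = set()     # groups already fully expanded

    def visit(name):
        if name in path:
            # Back-reference to a group we are still expanding: a cycle.
            cycles.append(path[path.index(name):] + [name])
            return
        if name in done:
            return   # reached again via another branch; nothing new to add
        path.append(name)
        users.update(direct_users.get(name, ()))
        for child in subgroups.get(name, ()):
            visit(child)
        path.pop()
        done.add(name)

    visit(group)
    return users, cycles


# Constructed directory data (hypothetical group and user names).
DIRECT_USERS = {
    "Staff": {"alice"},
    "Engineering": {"bob"},
    "Firmware": {"carol"},
    "Contractors": {"dave"},
}
SUBGROUPS = {
    "Staff": ["Engineering", "Contractors"],
    "Engineering": ["Firmware"],
    "Firmware": ["Engineering"],      # indirect cycle
    "Contractors": ["Contractors"],   # direct self-reference
}

if __name__ == "__main__":
    members, loops = resolve_members("Staff", DIRECT_USERS, SUBGROUPS)
    print(sorted(members))
    for loop in loops:
        print("warning: cyclic group reference:", " -> ".join(loop))
```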


PLEASE NOTE: If you are upgrading from version 3.7 or earlier, use the following steps to run the upgrade:

  • Run

    git pull
    ./configutils init
  • Add the below to your config/config.tml below the timezone setting

    # A secret key used by the application to verify that the cookies have not
    # been tampered with. Should be unique for each installation.
    cookieValidationKey = ''
  • Run ./configutils wiz_cookievalidationkey to set up this new required property

  • Run ./configutils wiz_dbbackupcron if you want to set up automated DB backups

  • Finally, ./utils upgrade to upgrade to the latest version


  • Now uses redis for sessions and caching

  • A keypair is now generated on the server

    This will allow the apps to encrypt data for the server using the server's public key, and allows the server to encrypt data for itself (sensitive data in sessions). The apps are now passed the server's public key on sync.

  • Sync Identity users and AD groups with Bluink Identity on Sync with AD

  • Update adminer with new plugins and a theme

  • Enable the 'secure' flag on cookies set by the application

    This tells the browsers to never send the cookies on an insecure connection


PLEASE NOTE: For this release, use the following steps to run the upgrade:

  • Run

    git pull
    ./configutils init
  • Add the below to your config/config.tml below the timezone setting

    # A secret key used by the application to verify that the cookies have not
    # been tampered with. Should be unique for each installation.
    cookieValidationKey = ''
  • Run ./configutils wiz_cookievalidationkey to set up this new required property

  • Run ./configutils wiz_dbbackupcron if you want to set up automated DB backups

  • Finally, ./utils upgrade to upgrade to the latest version

  • Implement automated database backup support

    See the upgrade notes at the top of this release to configure this

  • Improve deploy tools

    • Add configuration-time testing tool to verify that emails are working correctly with the given configuration options
    • Add configuration-time testing tool to verify connectivity with the remote LDAP server and that authentication works correctly
    • Improve Settings > Management page to display more information about the application and configuration
  • Configure cookie validation key

    This is a secret key that the application uses to verify that the cookies from the browser have not been tampered with. The application will not work without this value being set. Please refer to the upgrade notes at the top of this release.

  • Track objectSIDs for users and groups for Active Directory mode

  • Sync group membership with Bluink Identity

    Useful for SAML SPs that expect groups assignments for authentication, such as ADFS.
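
How a cookie validation key detects tampering, and why it should be unique per installation, shown with a generic HMAC-SHA256 scheme. This is an added example, not Bluink's cookie format or code; the function names, the cookie layout and the sample keys are assumptions.

```python
import hashlib
import hmac
import secrets

MAC_HEX_LEN = 64  # length of a hex-encoded SHA-256 digest


def new_validation_key():
    """Generate a random key, one per installation."""
    return secrets.token_urlsafe(32)


def _mac(name, value, key):
    # Binding the cookie name into the MAC stops a signed value from being
    # replayed under a different cookie name.
    return hmac.new(key.encode(), f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name, value, key):
    if not key:
        raise ValueError("cookieValidationKey must be set")
    return _mac(name, value, key) + value


def verify_cookie(name, signed, key):
    """Return the original value, or None if the cookie was altered."""
    if not key:
        raise ValueError("cookieValidationKey must be set")
    mac, value = signed[:MAC_HEX_LEN], signed[MAC_HEX_LEN:]
    expected = _mac(name, value, key)
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if hmac.compare_digest(mac.encode(), expected.encode()):
        return value
    return None


# Constructed sample keys standing in for two separate installations.
KEY_A = "constructed-sample-key-installation-a"
KEY_B = "constructed-sample-key-installation-b"

if __name__ == "__main__":
    cookie = sign_cookie("prefs", "tab=policies", KEY_A)
    print(verify_cookie("prefs", cookie, KEY_A))                     # original value
    print(verify_cookie("prefs", cookie[:MAC_HEX_LEN] + "tab=x", KEY_A))  # None
    print(verify_cookie("prefs", cookie, KEY_B))                     # None
```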


  • Add support for FIDO U2F as a mode of 2FA for admins

  • Implement template updates as an automated console command


  • Improve the LastPass credential import

  • Replace Google Maps with LeafletJS

    Uses OpenStreetMap as the map source

  • Display improvements for the dashboard graphs

    New colours, improved legend on hover

  • Fix column widths for the admin roles page


  • Import credentials from LastPass for Teams via the command line interface

  • Allow usage of TOTP if the user has both methods of 2FA enabled

  • Disable email address sync for the "Sync with AD" tool

  • Improve performance in loading the maps on the geolocation admin page

  • Enhance log filtering user interface

  • Add ability to delete Bluink Identity applications


  • New 2FA feature for admins to enable stronger authentication to Bluink Enterprise

    See your own user's update page for the Configure 2FA button!

  • Add SAML support for the Bluink Identity plugin

  • Improve the Bluink Identity plugin interface for ease of use and support for multiple protocols

  • Add indicators to hint where tooltips are available


  • Geolocations can be set by region in addition to radius

  • Geolocations can be visible to all users or to a subset of users

  • New policies for Relying Parties on Bluink Identity

    • Global setting for Enforce Location synced with Requires Location global policy on Identity
    • Policies for Relying Parties can be set for Identity Server via the Bluink Identity section of the UI.
      • Reauthentication and Biometric: Can be set per relying party on the relying party update page
      • Geolocations: Can be set per relying party or per user on the relying party via the relying party update page
  • Bluink Identity transaction logs display success or failure of authentication and the reason for any authentication failure


  • Improve performance by sending all emails via job queues

  • Log additional Bluink Identity actions in the App Logs

  • Display registered phones in Bluink Identity

  • Fix for Known Issue in v3.1 on registering users in Bluink Identity

    Users can be selected sequentially or all at once for registration through the UI without refreshing page.

  • User registration in Bluink Identity now uses buttons instead of checkboxes

  • Add global policy to enforce location tracking

    Settings > Smartphone App > Enforce Location

  • Track location on most app actions

  • View locations in the logs with a popup map

  • Add a manual user creation to standalone mode

  • Add an auth demo for Bluink Identity to the plugin (a default RP is included)

    Bluink Identity > Auth Demo

  • Various interface fixes and improvements, better mobile responsiveness


  • Add Bluink Identity interface to Enterprise

  • Register (and remove) users on Identity server imported into Enterprise from AD

  • Register Relying Party on Identity server and collect Bluink Identity configuration information for the Relying Party

  • Enable/disable a user on Identity server as well as sync user status in AD with user status on Identity server

  • Set whether user registered on Identity is also registered in Enterprise and receives credentials on their Bluink Enterprise app

  • Phone registrations from Bluink Identity are shown in the App Logs

    There is also a refresh button to explicitly pull the latest logs from the Identity server


  • Rebrand from Injector to Bluink

  • Changes to config files:

    • To change Injector images to Bluink images:

      In config/config.tml file change:

      • emailImageLarge = '/img/injector-enterprise-large.png' to emailImageLarge = '/img/bluink-enterprise-large.png'

      • emailImageSmall = '/img/injector-enterprise-small.png' to emailImageSmall = '/img/bluink-enterprise-small.png'

    • Caddy server to automatically redirect http:// requests to https://

      In config/Caddyfile, remove https:// from the front of the line, on line 3 and line 16

      Those lines should look like this, respectively:

      3: {$CADDY_WEB_HOST} {

      16: netdata.{$CADDY_WEB_HOST} {


  • A dashboard now greets administrators when logging in

    Note: Click on a graph or markers in the map to drill down for more details

    • Number of users, groups, credentials and geolocations in the system
    • Map of the recent login events
    • Activity graph for the top five users
    • Activity graph for the top five credentials
  • Implement fixes to the AppGate connector

  • Backup viewer now available when logged in as an administrator

  • Update password-based key derivation scheme for backups

  • Display the list of assigned users in a group on its update page

  • Move timezone setting from Settings > Enterprise view to the config file

    See upgrade steps for details on moving your timezone setting into the configuration file

  • Improve error messages for problems with LDAP and Active Directory

  • Stability improvements and bug fixes

    • Consolidate the LDAP operations

    • Update to the latest version of our framework and dependencies

    • Change the wording from Rescind to Revoke for registration invitations

    • Change the landing page's call to action button to link to the dashboard

    • For AppGate OTP, accounts with multiple phones are now supported

      Assigns the value to the first registered phone

    • Improve error reporting

    • Change Assign Credentials option on user and group pages to display only credentials with individual ownership.

      Shared credentials can be assigned to users and groups via update page for the particular shared credential.


  • Fix issue with new registrations

  • Improve AppGate connector

    • Support getting past the AppGate application prompt
    • Improve the AppGate OTP user interface
  • Move the Shared label on credentials to a new column called "Ownership"

    Individual means the credential has different values per user or per group; Shared means all the users with the credential have the same values

  • Allow navigation with small screen sizes

  • Optimizations for publishing high number of credentials

  • Support for Docker deployment

    Configuration changes to allow for deployment of code on Docker platform.

  • Efficiency improvement to credential updates on API

    Only changed credentials are passed to the user via the API on certain credential actions on the Enterprise server rather than triggering an update of all the user's credentials.

  • Support for OTP values synced with AppGate server

    New AppGate OTP connector allows admin to generate an OTP seed, register the value with an AppGate server via an SSH connection and then send the value encrypted to a user.

  • Efficiency improvement to publishing of shared values

    Publishing code modified to support a high volume of publish logs coming from a user. This involved a change to the user-credential model to include a marker of which users need a published value for a credential. This change allowed the server to limit publishes to users who needed the value rather than to all users belonging to that credential.

  • UI changes related to user permissions

    Changes to what data is shown and what functionality is available based on whether the admin has full or only partial permissions.

  • Improvements on credentials import from csv file

    Changes made to handle the complexity of the data from PMP credentials csv file. Adds template to each created credential based on data in each row of the csv.

  • New templates added

    MS SQL Server, Solaris, a generic Account Login and AppGate OTP & Login

  • Removal of package dependency from auto-change functionality

  • Database change: Default values set for all NOT NULL columns

    Due to stricter constraints on newer MySQL version, default values were set for all NOT NULL columns in every table where they were not already set, in order to correct errors on SQL insert calls to the database.


Hotfix v1.9.0-2

  • Fixed a critical bug that caused emails to not be sent out


  • Support for multiple templates per credential

    This allows for one credential to be used to login to multiple different sites

  • Tagging functionality for credentials

    The company name setting from the parameters (companyName) is added as a tag to all new credentials by default

  • Quick Unlock setting in the Smartphone App settings

    Allows the app users to enable the feature, to allow using the first four characters of their app password to unlock

  • Support for finer Autolock Timeout

    Shorter timeouts for security

  • New method of registering via the email

    As a workaround for Outlook for Android, which has issues with opening attachments with other apps, users can now copy a code from the email to the apps as an alternative way to begin the registration process

  • New Notes credential item type

    Supports multi-line constant values

  • Ability to filter for the target name in the logs

  • Push notification support on user suspension and reactivation

    The apps receive a push notification, triggering an enterprise sync to more quickly revoke access to the credentials when the user is suspended

  • Command-line support for importing Password Manager Pro (PMP) credentials

  • Improved performance on the credentials sync

    And on other heavy operations on the enterprise administrative interface

  • Improved credential type selection fields

    Now includes a filter and the template images

  • Improved transactional email styling

    Now uses inline CSS


  • New template for AD Login

  • Shared values published when user is reactivated

  • Reset device page added under Settings > Enterprise (takes a SN and outputs a reset code)

  • Bind to device option removed for credentials (pending reissue device functionality)

  • Enterprise user in AD group added to group on import of group from AD

  • Display template name on credential type columns