v26.06
Knocknoc 26.06 is one of our largest releases yet! Six new platform integrations, a native iOS app, improved CGNAT handling, SAML validation for Admins along with admin-group provisioning, smarter self-healing orchestration agents for less-reliable control layers, improvements to user experience flows plus more. It builds on the threat-intelligence and validation work from 26.05 and rounds it out with stronger admin tooling, richer auditing, and experience improvements across the board.
Highlights
- Six new native integrations to protect resources behind Check Point, Okta, Microsoft Entra Named Locations, MikroTik, OPNsense and pfSense, all configured straight from the Knoc wizard.
- Knocknoc on iPhone and iPad. The Knocknoc mobile app now runs on iOS, joining Android - for use cases like email (hosted Exchange) or persistent, non-interactive access from roaming cellular devices.
- Self-healing access. Agents now continuously verify that the access they granted is still in place on the orchestrated device (eg: firewall or control layer), and quietly restore anything that drifted, without user disruption.
- Override blocked grants. When threat intelligence blocks a connection, an admin can now manually grant it anyway, with a required reason recorded for the audit trail.
New native integrations
All six new backends are native, active integrations. They replace passive/polling or scripted integrations, simplifying the admin experience whilst improving performance.
- Check Point: High performance active integration. Includes live validation from the Knoc configurator.
- Okta: You can now gate Okta-protected apps to a successful Knoc. Validation confirms the zone before you deploy.
- Microsoft Entra ID: Update Conditional Access Named Locations, letting Entra policies follow your users' network.
- pfSense: Active integration, and if the alias doesn't exist yet, Knocknoc creates it on the first grant.
- OPNsense: Keeps a firewall alias in sync and reloads the ruleset so changes take effect immediately.
- MikroTik: Active integration of firewall address list on RouterOS v7 and later, with full IPv4 and IPv6 support.
Live configuration validation (introduced for Fortinet in 26.05) now covers Check Point, Okta, Entra ID, MikroTik and pfSense. Check connectivity, credentials and the target object before you ever deploy a change.
Agent
- Continuous reconciliation: Agents periodically compare what they've granted against what the device actually holds, and re-apply anything missing. Access survives a firewall reload, a device reboot or a key rotation, with no re-knock from the user. Rules your team added by hand are always left untouched.
- Hardened AWS handling: Repeated knocks for the same IP, key rotations and transient errors are now handled cleanly, so access stays consistent without spurious failures.
- Smoother automated registration: Agents registered through infrastructure-as-code now name themselves after their hostname automatically, with collisions resolved without manual intervention.
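An added illustration of the continuous reconciliation described above, not Knocknoc's own code. It assumes the agent keeps a list of the addresses it granted and can read back the device's current entries; `Reconcile` and `canon` are hypothetical names.

```go
package main

import (
	"fmt"
	"net/netip"
)

// canon normalises an address or CIDR so "192.0.2.10" and "192.0.2.10/32"
// compare equal; devices often echo entries back in a different form.
func canon(s string) (netip.Prefix, error) {
	if p, err := netip.ParsePrefix(s); err == nil {
		return p.Masked(), nil
	}
	a, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, err
	}
	a = a.Unmap()
	return netip.PrefixFrom(a, a.BitLen()), nil
}

// Reconcile returns the agent's own grants that the device no longer holds.
// Device entries the agent never issued are ignored, so hand-added rules
// are never touched; unparseable device entries are skipped, not "drift".
func Reconcile(granted, onDevice []string) ([]string, error) {
	have := make(map[netip.Prefix]bool)
	for _, e := range onDevice {
		if p, err := canon(e); err == nil {
			have[p] = true
		}
	}
	var missing []string
	for _, g := range granted {
		p, err := canon(g)
		if err != nil {
			return nil, fmt.Errorf("bad grant %q: %w", g, err)
		}
		if !have[p] {
			have[p] = true // also de-duplicates repeated grants
			missing = append(missing, p.String())
		}
	}
	return missing, nil
}

func main() {
	// Constructed sample: the device lost 198.51.100.7 after a reload.
	granted := []string{"192.0.2.10", "2001:db8::5", "198.51.100.7/32"}
	onDevice := []string{"192.0.2.10/32", "203.0.113.0/24", "2001:DB8::5/128"}
	fmt.Println(Reconcile(granted, onDevice))
}
```

Comparing normalised prefixes rather than raw strings avoids re-applying a grant on every pass just because the device reports it with a `/32` suffix or different letter case.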
Mobile
- iOS support: The Knocknoc app is now available for iPhone and iPad. It keeps your access alive in the background for status updates, detects network changes (Wi-Fi to cellular and back), matches your chosen theme and accent, and updates itself over the air. A clear prompt guides users through granting the one permission iOS needs, with an easy way to re-enable it if it was dismissed. Knocknoc routes none of your traffic; the connection exists only to keep access current. No additional hops or untrusted cloud, just direct, clean but verified and persistent access. Magic.
- Android background reliability: The Android app now reliably resumes background status updates after the operating system stops it, so access stays current without reopening the app.
Identity and SAML
- Provision admins from a SAML group: Optionally promote any user who carries a configured group from your identity provider to a Knocknoc admin on first sign-in. Removing someone from the group blocks their next admin sign-in. Predefined SAML admins continue to work as before. Admins can manage this trust setting.
- Test SAML before you rely on it: A new Test SAML flow performs a real round-trip to your identity provider and shows you exactly what it returned: the user, every attribute, and the access decision Knocknoc would make, without creating a session. There's a matching test for the admin-group mapping.
Admin and auditing
- Richer, filterable audit log: Filter the audit log by free text, action type, user, target, IP address and date range, with filters grouped for easy scanning. CSV exports respect the active filter, so you export exactly what you're looking at.
- Dynamic SNAT, configurable ports: Client IP Discovery helps in cases where one protocol (eg: HTTPS) is dynamically SNAT'd from one network range, with other stateful protocols (eg: SSH) SNAT'd from another. Knocknoc discovers those extra addresses from the browser and grants access, configured per-Knoc by the Admin beforehand, of course. You can now tailor the set of ports Knocknoc probes, along with a Test discovery button for Admins.
- Override blocked grants: When GreyNoise or threat-intel blocks a connection an admin genuinely trusts, Grant anyway applies the grant alongside a required comment, and records the admin username, the reason provided and the time, along with the IP address. Overridden grants are clearly badged and fully audited.
- Clearer admin and review screens: the Admins list shows auth type at a glance and flags login-disabled accounts; the create-Knoc review screen shows each agent's version; and the post-create dialog is streamlined to just the connection details you need.
Windows
- Custom scripts on Windows agents: The custom-script backend now runs on Windows, executing PowerShell scripts. It's opt-in on Windows for safety (default deny, default disabled) and remains available on Unix as before.
- Silent Windows installer: The Windows agent installer now supports unattended, silent installation, making large-scale and automated rollouts straightforward.
Accessibility
User experience
- The redirecting page (for auto-redirects) now waits just long enough for the change to propagate, before sending the user onward. Local backends redirect instantly; cloud (eg NSGs) and remote backends wait a brief moment so users never land on a still-blocked port or service.
Bug fixes and polish
- Grant history for displaying predefined-IP addresses has been corrected.
- General reliability improvements: client-cancelled requests and read-only-database conditions are now handled gracefully and quietly, rather than surfacing as errors.
Security
- Updated Golang cryptography and networking libraries to pick up the latest published CVE fixes. No behaviour change. Not a material risk but upgrade regardless.
Release date: 4th June 2026
How do I upgrade?
Agents and the server are backwards-compatible during the upgrade; some new capabilities (such as on-demand sync) require agents to be on this release. See the upgrade guide in the documentation for full details.
We intentionally require the use of the operating system's package management subsystem (eg: Apt/dpkg and Yum) for updates, for security and supply-chain risk-control reasons. This ensures you have complete control over the timing of upgrades and the state of your machine, and we intentionally avoid automatically updating the Server and Agent components.
Follow this guide to upgrade when you're ready.