What's New in DVLS 2025.3

Thank you for updating Devolutions Server to version 2025.3!

For the full list of changes, check out the release notes

Here’s a quick look at the most exciting updates:

Support linking to an external vault

Reduce duplication by linking credentials stored in another vault, even those external to the vault where the entry resides. Link once, reuse many times, and maintain a single source of truth for rotations and audits across multiple vaults.

Deploy virtual Devolutions Gateway instances

Operate multiple virtual Gateway instances to segment traffic as needed. Separate by IP, subnet, IP range, or DNS while combining multiple allow and deny rules. This, along with Gateway farms, improves isolation and flexibility without requiring the deployment of additional Gateway instances.

Generate user-specific API keys

Individual DVLS users can now generate user-scoped API keys to call the DVLS REST API with least privilege and full audit trails. Keys inherit the user’s permissions and can be rotated or revoked at any time. Reduce administrative overhead and empower users to control their own automations.

You will need to enable Allow API Key in the Administration > System Settings > Users section to generate personal API keys. Next, navigate to an individual user in Administration > Users > edit a user and in the Settings section, change Allow API key to Yes.

Streamline Devolutions Server instance onboarding with a guided setup

We’ve streamlined the first-run administrator onboarding process with guided documentation, which confirms server basics, adds your first additional administrative user, creates your initial shared vault, sets default permissions, and configures users and groups. The new experience shortens time-to-value and bakes in recommended practices from our documentation.

You can always open or re-open the onboarding by navigating to Help & Tools and clicking the Onboarding button under How-tos. Any checked item will be displayed as checked for all administrators who view the onboarding.

Enable webhooks for event-driven integrations

You can now push DVLS events to external systems via webhooks. Send JSON messaging on triggers to your SIEM, ticketing platform, or chat tools (e.g., Slack or Microsoft Teams) to automate reviews, create tickets, or notify runbooks. Configure endpoints and event scopes in Administration, then point them at standard incoming webhooks.

Enable users to configure their own MFA

We’ve added a self-service MFA (multi-factor authentication) setup experience, configurable under user preferences, that respects organizational policies (RADIUS/SMS/TOTP, etc.). DVLS administrators set defaults, and users complete enrolment themselves, thereby lowering the helpdesk load and increasing coverage. In addition, a user's ability to remove their MFA can be restricted.

Change the default password policy from System to Inherited

The default password policy now follows your inheritance chain to reduce unintended behaviors. This may be a breaking change depending on your configuration. Defaulting to inheritance enables organization-wide changes to propagate predictably, while allowing exceptions to be set as needed.

Previously, the default setting mapped to the Administration > System settings > Password management section, where you could set the Password policy to a default. Now, this uses inherited settings.

Restrict entry rights assignment to vault users only

Only allowed vault users can be granted entry rights to prevent misconfigurations and simplify rights assignment. Only allowing existing vault users to have rights assigned to an entry makes it easy to see which users do not have access.

Enforce biometric unlock for Workspace client connections

For organizations using Workspace desktop and mobile apps with DVLS, administrators can enforce a master password or biometric unlock (e.g., Face ID/Touch ID/Windows Hello) before a client connects. Requiring the additional step ensures that connecting clients are securely authenticated.

Disconnect the Workspace browser extension on idle or close

Enforcing idle-timeout and on-close disconnect behaviors for the Workspace browser extension reduces long-running browser sessions, minimizing the window for misuse on shared, unattended machines or potentially compromised systems.

Apply password-expiration policies in password templates

Password policies now include expiration policy settings so new credentials inherit required rotation timelines automatically. Define your password templates in Administration > Password policies and pair with reports to monitor upcoming expirations and enforce renewal at scale.

Password expirations do not apply to privileged accounts (PAM accounts).

Create custom dictionaries for passphrase generation

DVLS administrators can now upload organization-specific word lists for the passphrase generator to produce strong, memorable phrases that still meet policy requirements. Use this with password templates to enforce additional complexity requirements your organization needs.

Any passphrase file must have a minimum of 15 entries. The automatically calculated minimum passphrase length is derived based on the number of entries in your dictionary file, decreasing in size as your dictionary file increases.

Automatic entry checkout on editing

Entries automatically check out when a user begins editing and check back in when the entry is saved or closed. Automatic checkouts prevent conflicts and ensure the correct editing of a record.

Merge duplicate images

Administrators can merge duplicate system images to reduce storage use, confusion, and conflicts. You can quickly run the image cleanup, and uploading new duplicate images is prevented through a run-time duplicate check.

Transfer files with Devolutions Send

Beyond sharing secure notes, you can now securely share files via Devolutions Send from DVLS. Create time-limited, access-controlled links and keep sensitive attachments out of email.