Endpoint Privilege Management for Windows and Mac
The Endpoint Privilege Management for Windows and Mac (EPM) and Password Safe integration supports the following features:
- Off-network account management: EPM contacts Password Safe for password tests or password changes.
- Allow as Password Safe user: You can run an application using managed account credentials sourced from Password Safe.
You can integrate EPM and Password Safe on the following platforms:
- BeyondInsight
- Webserver
- EPM
Installation documentation is available for each platform.
Configure allow as Password Safe user
In EPM, you can run an application using Managed Account credentials sourced from Password Safe.
Prerequisites
Ensure the following prerequisites are in place if you are configuring the Allow as Password Safe User integration.
Use the installation commands that apply to your implementation.
The prerequisites apply to on-premises and EPM Cloud platforms.
Endpoint Privilege Management for Windows endpoints
The endpoint must be set up as a managed system in Password Safe.
Communication to Password Safe relies on BeyondInsight communication channels and the appropriate client certificate. Therefore, EPM must be installed using the BIMODE=1 flag.
BeyondInsight and Password Safe install
PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 PSMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"
EPM-WM Cloud install
EPM-W must be installed using the Password Safe mode flags, BIMODE=1 and IC3MODE=1, as shown:
PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 IC3MODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"
Webserver install
Endpoint Privilege Management for Windows must be installed using the Password Safe mode flags, BIMODE=1 and WEBSERVERMODE=1, as shown:
PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 WEBSERVERMODE=1 BEYONDINSIGHTURL=https://useries002.btrusteng.com/EventService/Service.svc"
Password Safe
The Password Safe account name must be a managed account associated with the managed system (Endpoint Privilege Management endpoint).
For more information, see Add Assets to Password Safe.
Create an application rule
To configure the Password Safe user in the EPM client, you need to set up an Application Rule that includes the Password Safe user.
To add a Password Safe user in the Policy Editor:
- In the Edit Application Rule panel, select Allow as Password Safe User from the Action list.
- In the Password Safe Account Name field, enter the name of the account exactly as configured in Password Safe. This is the Managed Account configured in Password Safe for the endpoint.
End user messaging is not available in this release.
Configure off-network account management
In a typical password rotation using Password Safe, the appliance or Resource Broker reaches out to the target system to trigger the password change using the functional account credentials. However, off-network clients that are never, or only intermittently, reachable by a Password Safe appliance or Resource Broker cannot use this mechanism.
Using Password Safe integration settings in the Policy Editor, EPM clients can check in with Password Safe at a configured interval for password change commands, including password rotation.
Supported scenarios
- Password Safe Cloud/On-prem with EPM
- Password Safe Cloud/On-Prem with GPO/webserver
- Password Safe on the same server as BeyondInsight for EPM.
Requirements
- Password Safe: Endpoints require a Password Safe license.
- EPM client: EPM license not required for this use case.
- EPM policy: Required to deliver the integration settings.
Install the EPM client on computers before you run a Password Safe discovery scan. If you run the scan first, the computers are onboarded to Password Safe with Password Safe as the change agent and are assigned an asset ID. If you later install the Endpoint Privilege Management client on the same computer, the asset registers with its own unique install ID, and a duplicate record is created with the same asset name but a different asset ID.
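The duplicate-record problem described above is easiest to catch by checking the Assets grid for the same asset name appearing under more than one asset ID. The following script is an added example, not part of this guide or the product; it reads a constructed CSV export (the column names are assumptions) and reports names that carry more than one asset ID, along with the change agent recorded for each record.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an Assets grid export. Column names and values are
# assumptions for this example, not a real export format.
SAMPLE_ASSET_EXPORT = """AssetName,AssetID,ChangeAgent
WKS-0417,1001,Password Safe
WKS-0417,2093,Endpoint Privilege Management Client
WKS-0522,1002,Password Safe
WKS-0601,2094,Endpoint Privilege Management Client
"""


def find_duplicate_assets(export_text):
    """Return {normalised asset name: [rows]} for names that appear under
    more than one distinct asset ID (the symptom of scanning before the
    client install)."""
    by_name = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        by_name[row["AssetName"].strip().lower()].append(row)
    return {
        name: rows
        for name, rows in by_name.items()
        if len({r["AssetID"] for r in rows}) > 1
    }


def summarize(duplicates):
    """One human-readable line per duplicated asset name."""
    lines = []
    for name, rows in sorted(duplicates.items()):
        records = ", ".join(f'{r["AssetID"]} ({r["ChangeAgent"]})' for r in rows)
        lines.append(f"{name}: {records}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_duplicate_assets(SAMPLE_ASSET_EXPORT)):
        print(line)
```

Run it against a real export by replacing SAMPLE_ASSET_EXPORT with the file contents; any name listed in the output has two records and needs to be reconciled before Smart Rules onboard it twice.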
Workflow
The following section provides information on how to set up the off-network scenario. The high-level steps are:
- Download a client certificate for authentication
- Install Endpoint Privilege Management client and adapter
- Create a policy in Endpoint Privilege Management
- Onboard the managed system in Password Safe
- Add accounts to Password Safe
For more information and detailed step-by-step instructions, see our Knowledge Base article.
Download a client certificate
Communication between EPM and the BeyondInsight server is encrypted over port 443. The Endpoint Privilege Management computers need a client certificate to authenticate to BeyondInsight or Password Safe.
The certificate must be deployed to all EPM client machines and Policy Editor machines.
Download the client certificate to the Endpoint Privilege Management computer, from PS Cloud or BeyondInsight console: Configuration > System > Client Certificate.
- PS Cloud: The client certificate is issued to PS Cloud authentication.
- BeyondInsight U-Series Appliance: Default certificate is issued to eEyeEmsClient.
For more information on deploying the certificates to EPM machines, see Configure BeyondInsight and Endpoint Privilege Management.
Install EPM for Mac
When creating the adapter settings package in the Rapid Deployment Tool:
- Use the PS Cloud certificate when managing the macOS computer in PS Cloud.
- Use the appliance certificate when managing the macOS computer in the appliance.
To install packages for macOS integration:
- Create the settings package for the EPM or BeyondInsight adapters using the Rapid Deployment Tool.
- Install the EPM client and adapters. Install the packages in the following order:
  - EPM:
    - PMC Settings XX.pkg
    - PMC_Adapter_XX.pkg
    - BI Settings XX.pkg
    - BIAdapter_XX.pkg
    - Pwsclient_xx.pkg
    - PrivilegeManagementForMac.pkg
  - BeyondInsight Appliance:
    - BI Settings XX.pkg
    - BIAdapter_XX.pkg
    - Pwsclient_xx.pkg
    - PrivilegeManagementForMac.pkg
Configure the BeyondInsight adapter settings
See EPM-WM Installation Guide for complete step-by-step instructions.
Configure the following settings in the settings_app.xml:
- PasswordSafeState: The state of the feature: Enabled, Disabled, or Not_Configured (case sensitive). The default is Not_Configured.
- PasswordSafeHeartBeatInterval: The time span, in minutes, at which the endpoint polls Password Safe for updated passwords. Valid values are 1 to the maximum unsigned 32-bit integer (4294967295). The default is 60 minutes.
You can change settings in two ways:
- Add the settings
- Send an Endpoint Privilege Management for Mac policy that contains Password Safe settings. When an asset has multiple policies, the first policy with valid settings is used. The policy's settings are written to settings_app.xml.
Example section of the Password Safe settings in an Endpoint Privilege Management for Mac policy:

<Configuration>
  <!-- Omitted usual nodes -->
  <PasswordSafeLocalRotation>
    <State>Enabled</State>
    <PasswordHeartbeatInterval>60</PasswordHeartbeatInterval>
  </PasswordSafeLocalRotation>
</Configuration>
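The state and interval constraints listed for settings_app.xml above, together with the rule that the first policy with valid settings wins when an asset has several policies, can be checked before a policy is pushed. The following script is an added example, not part of this guide or the product: it parses the PasswordSafeLocalRotation node shown in the example policy, enforces the case-sensitive state values and the 1 to 2^32-1 interval range, and picks the effective policy from an ordered list. The mapping of the policy's State and PasswordHeartbeatInterval nodes onto the settings_app.xml keys PasswordSafeState and PasswordSafeHeartBeatInterval is an assumption of the example, and SAMPLE_POLICY is a constructed fragment.

```python
import xml.etree.ElementTree as ET

# Allowed values of the Password Safe state (case sensitive, as the settings description states).
VALID_STATES = ("Enabled", "Disabled", "Not_Configured")
MAX_UINT32 = 2**32 - 1  # upper bound of the heartbeat interval, in minutes

# Constructed policy fragment modelled on the example above; not a real exported policy.
SAMPLE_POLICY = """<Configuration>
  <PasswordSafeLocalRotation>
    <State>Enabled</State>
    <PasswordHeartbeatInterval>60</PasswordHeartbeatInterval>
  </PasswordSafeLocalRotation>
</Configuration>"""


def read_password_safe_settings(policy_xml):
    """Return (state, interval_text) from the PasswordSafeLocalRotation node.

    A missing node or child falls back to the documented defaults (Not_Configured,
    60 minutes); an empty child is returned as-is so validation can reject it.
    Raises xml.etree.ElementTree.ParseError on malformed XML.
    """
    root = ET.fromstring(policy_xml)
    node = root.find("PasswordSafeLocalRotation")
    if node is None:
        return "Not_Configured", "60"
    state = node.findtext("State", default="Not_Configured").strip()
    interval_text = node.findtext("PasswordHeartbeatInterval", default="60").strip()
    return state, interval_text


def validate_password_safe_settings(policy_xml):
    """Return a list of problems; an empty list means the fragment is valid."""
    try:
        state, interval_text = read_password_safe_settings(policy_xml)
    except ET.ParseError as exc:
        return [f"policy is not well-formed XML: {exc}"]
    problems = []
    if state not in VALID_STATES:
        problems.append(f"State {state!r} is not one of {VALID_STATES} (values are case sensitive)")
    try:
        interval = int(interval_text)
    except ValueError:
        interval = None
    if interval is None or not 1 <= interval <= MAX_UINT32:
        problems.append(f"PasswordHeartbeatInterval {interval_text!r} is not an integer in 1..{MAX_UINT32}")
    return problems


def effective_settings(policies):
    """Apply the documented rule for assets with several policies: the first policy
    with valid Password Safe settings is the one written to settings_app.xml.
    Returns (policy_index, settings) using the settings_app.xml key names, or
    (None, None) when no policy qualifies. The node-to-key mapping is an assumption."""
    for index, policy_xml in enumerate(policies):
        if not validate_password_safe_settings(policy_xml):
            state, interval_text = read_password_safe_settings(policy_xml)
            return index, {
                "PasswordSafeState": state,
                "PasswordSafeHeartBeatInterval": int(interval_text),
            }
    return None, None


if __name__ == "__main__":
    broken = SAMPLE_POLICY.replace("Enabled", "enabled").replace("60", "0")
    for problem in validate_password_safe_settings(broken):
        print("problem:", problem)
    print("effective:", effective_settings([broken, SAMPLE_POLICY]))
```

A lower-case state such as enabled, or an interval of 0, is rejected exactly as the case-sensitive and range rules above require, and a rejected policy is skipped in favour of the next valid one in the list.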
Install EPM for Windows
The following sections provide information on installing Endpoint Privilege Management for Windows client and adapter software on either the EPM or BeyondInsight platform.
Install the EPM Windows client
msiexec /I PrivilegeManagementForWindows_x64.msi BIMODE=1 PSMODE=1 IC3MODE=1 BEYONDINSIGHTURL="https://xxxxxxxx.beyondtrustcloud.com/EventService/Service.svc" BEYONDINSIGHTCERTNAME="PS Cloud Authentication" BEYONDINSIGHTWORKGROUP="<if not using default>" /qn /norestart
Install the adapter
To install the adapter on a U-Series Appliance with Password Safe, run the following command:
msiexec.exe /i PrivilegeManagementForWindows_x64.msi BIMODE=1 PSMODE=1 BEYONDINSIGHTURL="https://xxxxxxxxx/EventService/Service.svc" BEYONDINSIGHTCERTNAME="<if not using eEyeEmsClient>" BEYONDINSIGHTWORKGROUP="<if not using default>" /qn /norestart
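Both install forms on this page (the .exe wrapper with its /v"..." argument, and msiexec with bare PROPERTY=value pairs) must carry BIMODE=1 alongside the Password Safe mode flag, an https BeyondInsight URL, and real values in place of the documentation placeholders. The following script is an added example, not part of this guide or the product: it parses either command form and reports what is missing. The host bi.example.com in the sample commands is a constructed placeholder.

```python
import shlex
from urllib.parse import urlparse

# Flags that put the client into a Password Safe integration mode (from this page).
PASSWORD_SAFE_MODE_FLAGS = ("PSMODE", "IC3MODE", "WEBSERVERMODE")

# Constructed sample command lines; bi.example.com is a placeholder host.
MSI_GOOD = ('msiexec /I PrivilegeManagementForWindows_x64.msi BIMODE=1 PSMODE=1 '
            'BEYONDINSIGHTURL="https://bi.example.com/EventService/Service.svc" '
            'BEYONDINSIGHTCERTNAME="PS Cloud Authentication" /qn /norestart')
EXE_GOOD = ('PrivilegeManagementForWindows_x64.exe /v"BIMODE=1 IC3MODE=1 '
            'BEYONDINSIGHTURL=https://bi.example.com/EventService/Service.svc"')
MSI_BAD = ('msiexec /I PrivilegeManagementForWindows_x64.msi PSMODE=1 '
           'BEYONDINSIGHTURL="http://bi.example.com/EventService/Service.svc" '
           'BEYONDINSIGHTWORKGROUP="<if not using default>" /qn')


def parse_install_properties(command_line):
    """Extract PROPERTY=value pairs from either install form.

    shlex (POSIX mode) strips the double quotes, so the .exe wrapper's
    /v"A=1 B=2" becomes one token '/vA=1 B=2' that is split on whitespace,
    while msiexec's NAME="quoted value" becomes NAME=quoted value.
    """
    props = {}
    for token in shlex.split(command_line, posix=True):
        if token.startswith("/v"):
            for part in token[2:].split():
                if "=" in part:
                    key, value = part.split("=", 1)
                    props[key.upper()] = value
        elif "=" in token and not token.startswith("/"):
            key, value = token.split("=", 1)
            props[key.upper()] = value
    return props


def check_password_safe_install(command_line):
    """Return a list of problems; an empty list means the stated requirements are met."""
    props = parse_install_properties(command_line)
    problems = []
    if not any(props.get(flag) == "1" for flag in PASSWORD_SAFE_MODE_FLAGS):
        problems.append("no Password Safe mode flag (PSMODE, IC3MODE or WEBSERVERMODE) is set to 1")
    if props.get("BIMODE") != "1":
        problems.append("BIMODE=1 is required: communication goes through BeyondInsight channels")
    url = urlparse(props.get("BEYONDINSIGHTURL", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("BEYONDINSIGHTURL must be an https:// URL to the EventService endpoint")
    for key in ("BEYONDINSIGHTCERTNAME", "BEYONDINSIGHTWORKGROUP"):
        value = props.get(key, "")
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still holds the documentation placeholder {value!r}")
    return problems


if __name__ == "__main__":
    for name, cmd in (("msi", MSI_GOOD), ("exe", EXE_GOOD), ("bad", MSI_BAD)):
        print(name, check_password_safe_install(cmd) or "ok")
```

Properties such as BEYONDINSIGHTWORKGROUP that are only needed when not using the default should be removed from the command rather than left as the angle-bracket placeholder, which is why the checker flags them.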
Verify endpoints are registered in BeyondInsight
Verify EPM clients are registered in BeyondInsight on the Assets page.
Create a policy
You must configure integration settings in the Policy Editor. An EPM license is not required if using only password rotation.
Use the following procedure when EPM Cloud is managing the policy. If you are using the on-premises Policy Editor, see the knowledge base article for instructions.
- Click the Policies menu, and then click Create Policy.
- Select Blank on the Policy Creator page, and then click Use Blank Template.
- Enter a name and description, and then click Create Policy.
- Create a workstyle.
- Expand the workstyle, and then click Application Rules.
- Click Integration Settings.
- Select Enabled.
- Enter a heartbeat interval. The default value is 60 minutes. This is the time span the computer polls Password Safe unless the time is determined by Password Safe. The Endpoint Privilege Management computer checks in for missed jobs such as scheduled password rotations, forced resets, and password releases. Password rotations run at this time.
- Click Update Settings.
Onboard the EPM assets to Password Safe
During the client installation, the computer registers as an asset with the Endpoint Privilege Management solution flag set. Therefore, you can onboard the asset manually, using a Smart Rule, or the API.
The client is the password agent. A functional account is not required, however a limitation in 22.1 (and earlier) requires a dummy functional account to be created and assigned if using a Smart Rule to onboard accounts.
Sample Smart Rule
Create a Smart Rule that includes the following criteria and actions.
Criteria
Currently the Endpoint Privilege Management identifier is hidden in PS Cloud. Other identifiers are needed to include all Endpoint Privilege Management computers in the criteria.
Action
Actions to set on the Smart Rule:
- Manage Assets using Password Safe
- Platform: Windows
- Change Agent: Endpoint Privilege Management Client
- Account Name Format: Domain\Username
- Functional Account: None (or dummy account)
- Enable Automatic Password Management: Yes
- Enable Account for AD Queries: No
- Password Rule: Select a policy
Default values for the following account settings in Password Safe are applied in an Endpoint Privilege Management for Windows off-network integration and cannot be changed in this scenario:
- Change Services (Yes)
- Restart Services (No)
- Change Tasks (No)
Add EPM for Windows systems and local account to Password Safe
- Password Safe 22.4 (and later) and Endpoint Privilege Management for Windows 22.9 agent: The Endpoint Privilege Management agent can run a discovery scan on a scheduled basis. This eliminates the need to run a discovery scan in BeyondInsight. The agent, running on a Windows system, publishes local user data to the Assets grid in BeyondInsight. You can then add the local accounts to Password Safe using a Smart Rule or manually.
- Password Safe 22.4 (and earlier): You can onboard well-known local admin accounts using a Smart Rule as documented in the next section. This eliminates the need to run a discovery scan.
Add known local admin managed accounts using a Smart Rule
In some cases, it can be useful to onboard well-known local admin accounts, such as the Windows administrator or the Linux root account, from endpoints to Password Safe without the need to run a discovery scan against the endpoints. You can create a managed system Smart Rule that uses the Create Managed Account on each system action to accomplish this.
One scenario in which this is useful is when you have EPM clients in your environment. You can create a managed system Smart Rule to add local accounts as managed accounts from the EPM client endpoints so that a password rotation event exists when the EPM agent requests it. Having these preconfigured managed accounts saves time by not having to configure and run a discovery scan after the EPM agent makes the request.
To create the Smart Rule:
- From the left navigation menu, click Smart Rules.
- From the Smart Rule type filter list, select Managed System.
- Click Create Smart Rule +.
- From the Category dropdown menu, select Managed Systems.
- Provide a name and description.
- For the Selection Criteria, select Asset Smart Group and Endpoint Privilege Management Clients from the dropdown menus.
- For Actions, select Show managed system as a Smart Group and Create Managed Account on each system from the dropdown menus.
- Leave the remaining settings for Actions as default or modify as required.
The default account name is Administrator, as this is standard for Windows systems. You can modify the name if your environment uses a local admin account name other than the default. If setting up in a macOS environment, you can change the name to root.
You can also add multiple Create Managed Account on each system actions if you have additional local admin accounts you want to manage with Password Safe.
- Click Create Smart Rule.
Set up a discovery scan in EPM Policy Editor
Configure a discovery scan to detect unmanaged accounts on an endpoint. The scan results are sent to Password Safe.
This setup applies to Password Safe 22.4 (and later) and Endpoint Privilege Management for Windows 22.9 agent.
- On the Policy Editor page, expand Utilities.
- Select Password Safe Settings.
- Set an account discovery interval.
- Click Update Settings.