Endpoint Privilege Management (Cloud and Pathfinder) 25.4

May 15, 2025

📘 Starting in 25.4, release notes for EPM Cloud/Pathfinder, EPM for Windows, and EPM for Mac are combined in one release notes page.

These features, enhancements, and resolved issues apply to both Cloud and Pathfinder users. For our on-premises release notes, see ePO BT PM App release notes.

🆕 New features

Two new filters on the Events page

We've added two new filters on the Events page.

Matched as Child Process

The Matched as Child Process filter refines your results to the most significant events for your use case.

Options include:

  • Yes: Filters events to only those that were matched because of the Treat child processes in the same way if the child process setting.
  • No: Filters out child process events raised because the parent application definition had the Treat child processes in the same way if the child process criterion enabled.
    This allows you to add the most efficient application definitions possible to policy.

📘 For more information, see Event analytics.

Application URI

The Application URI filter is for the macOS Application URI event property, and refines your results to aid in making policy decisions for macOS events.

Options include your organization's application URI properties.

ℹ️ For more information, see Event analytics.

Added a Reputation Score panel to view VirusTotal info for JIT Application Access requests

We've added a handy Reputation Score panel that appears when you click on a reputation score for a Just-in-Time (JIT) Application Access request. This panel provides additional information from VirusTotal, helping you make more informed decisions about the applications you're evaluating.

Click the Reputation Score link on the Application Access Requests page to open the Reputation Score panel.

ℹ️ For more information, see JIT application access requests.

New engineering key to enable/disable Source URL file tagging (EPM for Windows)

We've introduced a new engineering key that lets you turn Source URL file tagging on or off in the service. This is especially helpful for customers transitioning to file systems that don’t support Alternate Data Streams (ADS).

📘 For more information, see EPM for Windows application definitions and types.

View the latest JIT request notes on macOS

You can now easily access the most recent approval and denial notes for Just-in-Time (JIT) requests directly within your Endpoint Privilege Management (EPM) app on macOS. To make this feature available, ensure that your app is configured to display notes in EPM.


✨ Enhancements

You can now assign the Administrator role at user creation

Now when you create a new user, you can assign the Administrator role to any user requiring that job function. For all other users, select specific roles or custom permissions as usual. Administrators are indicated on the User Management page via an icon.

Administrators are also indicated on the Users page via the Account Privilege column.

📘 For more information, see User management.

The System Preferences application type is now the System Settings application type (EPM for Mac)

We've changed the name of the System Preferences application type to System Settings to be more in sync with macOS naming conventions.

This change impacts the Policy Editor, Analytics page, and the EPM for Mac application types (including the Quickstart template).

⚠️ Important information

  • No policy changes are required to control System Settings applications.
  • There is no functionality change with this. It is a naming update only.

Refreshed Prepare Download dialog box on the Events page

On the Events page, when you select the download icon, you'll see the new Prepare Download dialog box where we've updated the design to align with product standards. All settings remain the same.

Easily identify the BeyondTrust Recommended Views on your Events and Applications pages

To differentiate the BeyondTrust Recommended Views from the user's Saved Views, we have added the BeyondTrust logo alongside the view name.

Clarified the System Group label on the Management Rules page

On the Management Rules page, we’ve added (default) to the System Group label so it now reads System Group (default). This makes it easier to find the group when you are creating a rule with the Move action and selecting System Group from the Destination Computer Group list.

πŸ› οΈ Issues resolved

🔧 EPM

| Description | Resolution |
|---|---|
| UTF-16LE encoding upload is not supported for Rule Settings scripts. | Enhanced the rule scripts import functionality. JSON settings files encoded in UTF-16LE are now supported. |
| Policy Editor: Copying app groups creating duplicates. | Duplicates are no longer created when copying application groups or application definitions. |
| Windows Store App application types not being added to policy. | Analytics now collects the correct version for Windows Store App application types, so they are added to policy. |
| The Management API was not returning all computers. | Updated the Management API to accurately reflect the number of computers. |

🔧 EPM for Windows

| Description | Resolution |
|---|---|
| Sessions ending prematurely in 'runas' scenarios. | Resolved parent matching failing in some scenarios for the designated user. |
| Smart card certificates that do not support authentication (signature only) were displaying in messages. | Smart card certificates that do not support authentication (signature only) no longer show up in messages. |
| ARM install on Windows 11 24H2 is not installing the Privilege Management agent. | Resolved an issue where installation would fail following a Push-button reset on ARM64 systems. |
| PG Client (ARM) fails post-Autopilot or Windows Reset due to a residual driver. | Resolved an issue where installation would fail following a Push-button reset on ARM64 systems. |
| Domain name truncation causing login authentication failure on systems with multiple domains configured. | Added an engineering key that defaults to using the pre-Windows 2000 domain name for authentication. Changing this setting results in the user's full UPN being used for message authentication. See the Customer Support Portal for additional guidance. |
| Granular filters not working on COM rules. | Resolved an issue where Granular filters did not work on COM rules. |
| Cannot log on with authenticated user profile when elevating PowerShell. | Resolved user account profiles failing to load in designated user 'runas' scenarios. |
| Content Rules no longer allow paste overwrite of specific system files since Windows 10 21H1. | Resolved content control being unable to transfer some files. |

🔧 EPM for Mac

| Description | Resolution |
|---|---|
| The EPM adapter sends an Auth Token Request to EPM every minute. | Resolved an issue where the Mac PMC Adapter was requesting an OAuth token too frequently, causing increased server traffic. |
| EndpointUtility is blocked while in a JIT Admin session due to tamper detection. | Resolved an issue where the Endpoint Utility CLI tool could not be used while in an active JIT Admin session. |
| JIT Application Access notifications reference User Request Management. | Updated JIT Application request notifications to provide more information to the user. JIT Application request notifications now contain the request ID, application name, and current status of the request. |
| 130 (installable-action) events are not generated the first time a JIT Application Approval is used. | Resolved an issue where auditing events for installing applications using the Finder Extension were not being generated for JIT Application Access requests. |
| macOS Internet Sharing: unable to apply Wi-Fi SSID/password changes after upgrading to 24.8.0.1. | Resolved an issue where the Internet Sharing Wi-Fi option could not be authorized in System Settings. A policy allow rule with no message, assigned to the application group that matches on /System/Library/ExtensionKit/Extensions/Sharing.appex with the Auth Request URI set to *, now allows this to be authorized. |
| EPM-M not handling bash scripts executed with the stdin redirect operator. | Resolved an issue where EPM-M did not correctly handle bash scripts executed with the stdin redirect operator. |
| Rules processing was permitting any process to be killed in Activity Monitor. | Resolved an issue where processes could be killed in Activity Monitor when com.apple.activitymonitor.kill was removed from the IgnoreRights key of Custodian.plist, because rules processing did not occur correctly. |

πŸ” Security updates

| Description | Resolution |
|---|---|
| JIT admin sessions won't complete if the user is removed from the administrator group by an authority outside of Defendpoint. | Resolved an issue where JIT Admin sessions would not terminate correctly under specific conditions. |

🧩 Components

  • PM Cloud: 25.4.598
  • Policy Editor: 25.4.207
  • PMR UI: 25.4.88
  • PM Reporting Database: 23.9.13
  • Event Collector: 25.4.7

πŸ“ Requirements

πŸ—’οΈ EPM

  • Microsoft .NET Framework 4.6.2 (required to use PM Cloud Windows Adapter)

πŸ—’οΈ EPM for Windows

  • Microsoft .NET Framework 4.6.2 (required to use Power Rules, PowerShell audit scripts, PowerShell API, and Agent Protection)
  • Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
  • PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
  • Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)

πŸ—’οΈ EPM for Mac

  • None

πŸ”„ Compatibility

🔃 Supported product versions for EPM

| Product | Recommended | Supported |
|---|---|---|
| EPM Windows adapter | 25.4.598 | 25.3.671, 25.2.485, 24.8.446, 24.7.831, 24.6.697, 24.5.1037, 24.4.361, 24.3.766, 24.2.499, 24.1.581, 23.9.578, 23.8.515, 23.7.356, 23.6.562, 23.5.516, 23.4.424 |
| EPM for Windows | 25.4.184.0 | 25.2.1.0, 24.8.98.0, 24.7.425.0, 24.5.361.0, 24.5.351, 24.3.294.0, 24.1.108.0, 23.9.225.0, 23.7.150.0, 23.6.76.0, 23.5.212 |
| EPM Response Generator for Windows | 25.4.184.0 | 25.2.1.0, 24.8.98.0, 24.7.425.0, 24.5.361.0, 24.5.351.0, 24.3.294.0, 24.1.108.0, 23.9.225.0, 23.7.150.0, 23.5.212 |
| EPM for macOS | 25.4.0.9 | 25.2.0.1, 24.8.0.1, 24.7.0.1, 24.5.2.3, 24.5.1.1, 24.5.0.1, 24.3.0.1, 24.1.0.1, 23.9.0.1, 23.7.0.3, 23.5.0.3 |
| PM macOS adapter | 25.4.0.9 | 25.2.0.1, 24.8.0.1, 24.7.0.1, 24.5.2.3, 24.5.1.1, 24.5.0.1, 24.3.0.1, 24.1.0.1, 23.9.0.1, 23.7.0.3, 23.5.0.3, 22.5.1.1 |
| PM Rapid Deployment Tool for macOS | 25.4.0.1 | 25.2.0.1, 24.8.0.1, 24.7.0.2, 24.5.0.1, 24.3.0.1, 24.1.0.1, 23.1.0.1, 23.9.0.1, 23.7.0.1, 23.5.0.1 |
| PM Response Generator for macOS | 25.4.0.9 | 25.2.0.1, 24.8.0.1, 24.7.0.1, 24.5.2.3, 24.5.1.1, 24.5.0.1, 24.3.0.1, 24.1.0.1, 23.9.0.1, 23.7.0.3, 23.5.0.3 |

🔃 Supported product versions for EPM for Windows

| Product | Supported |
|---|---|
| Endpoint Privilege Management Policy Editor | 25.4 |
| Privilege Management ePO Extension | 25.4 |
| Privilege Management Console Adapter | 25.4 |
| BeyondInsight/Password Safe | 24.3 |
| Trellix Agent 5.7+ | 5.7+ |
| Trellix ePO Server | 5.10 Service Pack 1 Update 4 (recommended), Update 13+ |

🔃 Supported OS versions for EPM for Mac

  • macOS 13 Ventura
  • macOS 14 Sonoma
  • macOS 15 Sequoia

⏰ Upcoming deprecation notice: EPM for Windows tools

As per the deprecation notice provided in 2019 via the 5.5 admin guide (BeyondTrust End User Utilities section), the following tools will be removed with the EPM for Windows 25.6 release:

  • PGProgramsUtil.exe
  • PGNetworkAdapterUtil.exe
  • PGPrinterUtil.exe

If you or your team rely on any of these executables, or have concerns about their deprecation, reach out to us immediately. We value your input and will work to ensure a smooth transition.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.