EPM for Windows and Mac (Cloud and Pathfinder) 25.8.840
November 4, 2025
🆕 New features
EPM for Mac
Identity authentication
In this initial release, identity authentication is available on macOS and will be available on Windows in a future release.
In this release, we are introducing an identity authentication feature that integrates Endpoint Privilege Management for Mac with Microsoft Entra ID. Users can now confirm their Entra ID identity from the menu bar dropdown or through EPM messages. Once a user is verified, policies can use that user's Entra ID group membership to manage access.
Admins can now set up Entra ID groups for Mac workstyles. In addition, EPM events include user email addresses after identities are confirmed, making tracking and management easier.

Configuration in the Policy Editor

Confirmation message
For more information, see Identity authentication.
✨Enhancements
EPM for Windows
Policy Editor API
In this initial release, the Policy Editor API is available on Windows and will be available on macOS in a future release.
We've added a Policy Editor API that allows customers to READ, CREATE, and DELETE Windows application definitions. This simplifies managing and working with larger policies.
For more information, see Policy Editor API.
EPM for Windows and Mac
Management API
Added the ItsmRequestId field to the GET method for AuthorizationRequest in the Management API.
Policies page: New Last Modified column
Added a new Last Modified column to the Policies page that shows the date and time the policy was last modified.
For more information, see Policies.
Group and OS type filtering in webhooks
Added filters for computer groups and OS type for webhooks. When the filters are applied, the webhook only includes events from the selected groups and OS type.
This lets you send different notifications to different groups of users or systems, based on computer group.
For more information, see Webhook settings.
🛠️ Issues resolved
EPM
| Description | Resolution |
|---|---|
| Entra ID group synchronization fails when encountering deleted or non-existent resources in the customer’s Entra ID tenant. | Now, proper messaging displays when the sync encounters deleted or non-existent groups. |
| Non-interactive system users, such as scheduledjob@pmc, are incorrectly included in the list of users when viewing members of a permission group (e.g., Administrators) in the User Management Roles UI. | Only interactive users display in the membership lists. |
| The OK Button label in JIT App Access Request messages is not editable. | Can now change the label. |
| In the Windows QuickStart, the Spanish message templates contain partial French strings. | The Spanish strings are corrected and no longer display French. |
| JIT Applications list page fails to render if AuthorizationRequests does not contain SystemId. | The JIT App Access page renders correctly. |
| Created a new version of the endpoint (v5) for adapter and Package Manager that requires a signature check and does not rely on request headers. | New version of the endpoint (v5) enhances security framework for EPM. |
| The Computers page displays a different computer count than the Home page. | The correct number of computers is displayed in both places. |
| When regenerating Agent Protection key, the success toast notification that displays is blank. | The toast notification now displays Success or Failure text when generating keys. |
Adapters
| Description | Resolution |
|---|---|
| IC3 adapter excessive logging. | Resolved an issue that was causing the IC3 adapter to excessively log the PolicySyncUrl job and the Audit Event job in the Windows Application Event Log. |
| In 25.7, memory usage issue when deployed to a standard VM. | Resolved the issue. |
EPM for Windows
| Description | Resolution |
|---|---|
| Intune AutoPilot Fails Since July OS Update | Resolved compatibility issue causing Microsoft AutoPilot to fail during computer setup. |
| 'Requires Elevation' does not work when elevation is required via the Compatibility tab | Resolved an issue where the service was not respecting the "Run this program as administrator" setting in the Windows Explorer File Properties Compatibility menu for the current user. |
| Defendpoint Service crashes from indefinite recursions caused by identical parent-child PIDs | Resolved an issue where advanced parent tracking could incorrectly identify a process as its own parent instead of the actual parent process. |
| Failure occurs when elevating COM classes as a domain admin. | Added the engineering key SetMandatoryAccessLevelForCOMElevation that, when set, ensures COM classes activated from a high-integrity process show dialogs. |
| [PG_POLICY_NAME] value not displaying correctly | A new PGVariable - [PG_CONFIGURATION_NAME] - has been added that can display the name of the configuration. |
| Oracle Wallet Manager | Resolved an issue where the Start menu would remain open after launching an elevated process. |
| Balloon messages only appear once for customer in environment. | Resolved an issue where Toast notifications would sometimes not show up on older versions of Windows. |
Windows security updates
| Description | Resolution |
|---|---|
| Anti-tamper group can be deleted with elevated PowerShell | Resolved an issue where local groups could incorrectly be removed. |
EPM for Mac
| Description | Resolution |
|---|---|
| Local Admin is blocked from running sudo commands | Elevated users and SSH admins now cannot execute actions on BeyondTrust install paths when anti-tamper is enabled. |
| Standard users with JIT admin and anti-tamper activated could change permissions of files in /Library/Application/Support/Avecto | Standard users with JIT admin and anti-tamper active can no longer change permissions in this directory. |
| EPM-M inadvertently controlling the authorization right that allows standard users to kill root processes in Activity Monitor app. | Resolved from macOS Sequoia and later. |
| EPM-M component com.beyondtrust.epm.gui logs were excluded from Capture Config logs when "Defendpoint" only logs are selected. | The com.beyondtrust.epm.gui logs are now recorded. |
| Standard users allowed to run permissive sudo commands could change the file permissions of EPM-M uninstall scripts. | We now ensure access to installation paths is not permitted when users are allowed to run sudo commands. |
| defendpointd was applying incorrect permissions when recreating the BIAudit folder at /Library/Application Support/Avecto/BIAudit. | Resolved an issue where defendpointd was applying incorrect permissions when re-creating the BIAudit folder at /Library/Application Support/Avecto/BIAudit. |
| Admin requests older than 90 days become out of sync with EPM causing users to be unable to use the request. | Users can now create a new request. |
| Unexpected results when removing a right from the AlwaysAllowRight section and adding to the IgnoreRights section. | Resolved an issue where authorization rights were being moved from Custodians IgnoreList to AlwaysAllowRootRights, causing the authorization right to have the incorrect delegates controlling the right. |
| Audit event 120 (process-start-cancelled-by-user) not raised when a user cancels a JIT application access request. | The event is now raised so admins can see when a request was generated but then canceled by the user. |
🧩 EPM components
- Policy Editor: 25.8.0
- PM Cloud: 25.8.840
- PM Reporting Database: 24.6.10
🔄 Compatibility
🔃 Supported product versions for EPM
| Product | Recommended | Supported |
|---|---|---|
| EPM Windows adapter | 25.8.840 | 25.7.509, 25.6.554, 25.5.440, 25.4.598, 25.3.671, 25.2.485, 24.8.446, 24.7.831, 24.6.697, 24.5.1037, 24.4.361, 24.3.766, 24.2.499, 24.1.581 |
| EPM for Windows | 25.8.12.0 | 25.4.270.0, 25.4.184.0, 25.2.1.0, 24.8.98.0, 24.7.425.0, 24.5.361.0, 24.5.351, 24.3.294.0, 24.1.108.0 |
| EPM Response Generator for Windows | 25.8.12.0 | 25.4.270.0, 25.4.184.0, 25.2.1.0, 24.8.98.0, 24.7.425.0, 24.5.361.0, 24.5.351.0, 24.3.294.0, 24.1.108.0 |
| EPM for macOS | 25.8.0.53 | 25.4.2.2, 25.4.1.2, 25.2.0.1, 24.8.0.1, 24.7.0.1, 24.5.2.3, 24.5.1.1, 24.5.0.1, 24.3.0.1, 24.1.0.1 |
| PM macOS adapter | 25.8.0.53 | 25.6.0.48, 25.4.1.2, 25.2.0.1, 24.8.0.1, 24.7.0.1, 24.5.2.3, 24.5.1.1, 24.5.0.1, 24.3.0.1, 24.1.0.1 |
| PM Rapid Deployment Tool for macOS | 25.8.0.1 | 25.4.1.2, 25.2.0.1, 24.8.0.1, 24.7.0.2, 24.5.0.1, 24.3.0.1, 24.1.0.1 |
| PM Response Generator for macOS | 25.8.0.53 | 25.4.2.2, 25.4.1.2, 25.2.0.1, 24.8.0.1, 24.7.0.1, 24.5.2.3, 24.5.1.1, 24.5.0.1, 24.3.0.1, 24.1.0.1 |