EPM ADAPTER INSTALLATION GUIDE

What is the EPM adapter?

The EPM adapter is responsible for delivering policies and events between EPM for Windows and Mac and all computers managed by it.

How is it useful?

The EPM adapter polls for policy updates every 5 minutes, and for pending commands every 60 minutes.

Prerequisites

For Macs

None.

For Windows

  • .NET 4.6.2

  • Installer parameter requirements: Before running the installer, copy the values for the following parameters:
    • TenantID: Go to Configuration > Adapter Installation to copy the Tenant ID for the installer script.

    • InstallationID: Go to Configuration > Adapter Installation to copy the Installation ID for the installer script.

    • InstallationKey: Go to Configuration > Adapter Installation to copy the Installation Key for the installer script.

    • ServerURI: This is the URL for EPM. For example, https://<customerhost>-services.pm.beyondtrustcloud.com, where customerhost is the DNS name for EPM.

    ℹ️

    Note

    Do not include a port number or slash character on the end of the ServerURI.

    For example, neither https://test.pm.beyondtrustcloud.com/ nor https://test.pm.beyondtrustcloud.com:8080/ will work.

    • UserAccount (Optional): The default account name is LocalSystem.
    • GroupID: A computer must be added to a group as part of the EPM onboarding process. The group determines the policy applied to a computer. The default groupID is automatically assigned to a computer during the adapter install if one is not provided. Computers are then automatically assigned an Authorized status.

Add your URLs to the EPM Allowlist

Depending on the access restrictions in place for your web communications or if you use proxies, you may need to add URLs used by EPM to the allowlist.

Azure region

We recommend allowlisting the Azure URL for your region to ensure employee computers managed by EPM can contact the Azure instance to download assets including policy.

Azure regions and corresponding URLs

EPM URLs

Add the following URLs to your allowlist to ensure Package Manager can download the files to install or update computers:

The following URLs are used for communication between managed endpoints and Package Manager and adapter components.

  • https://<yourtenant>.pm.beyondtrustcloud.com:443
  • https://<yourtenant>-services.pm.beyondtrustcloud.com:443

Install the Mac adapter

1. Distribute the adapter

The Mac adapter can be distributed to computers using the method of your choice, including Mobile Device Management (MDM) tools, such as Jamf or AirWatch.

We recommend using the Endpoint Privilege Management Rapid Deployment Tool for macOS.

  1. Download the Rapid Deployment Tool. You can download the tool from the Configuration page in EPM. Go to Configuration > Privilege Management Installation.
  2. Create a package that will include the information to facilitate communication between Endpoint Privilege Management and the macOS computers. Copy values from Configuration > Adapter Installation. See Create a Package for Endpoint Privilege Management.
  3. Create a package that includes settings specific to the macOS computer. This includes settings like anonymous logging, sudo management control, biometric authentication, and policy sources, among others. See Create a Package with Endpoint Privilege Management for Mac Base Settings.
  4. Download and install the client package from the Configuration page. Go to Configuration > Privilege Management Installation. Click the macOS download link.
  5. Download and install the adapter package. Go to Configuration > Adapter Installation.

ℹ️

Note

For more information, see the Rapid Deployment Tool Guide.

2. Set your installer parameters.

The installer parameters include the following:

  • TenantID for your chosen method of authentication. This was recorded when EPM was installed.
  • InstallationID: Click Configuration > Adapter Installation to copy the Installation ID for the installer script.
  • InstallationKey: Click Configuration > Adapter Installation to copy the Installation Key for the installer script.
  • ServiceURI: The URL for your EPM portal.

ℹ️

Note

Do not include a port number or slash character on the end of the ServerURI.

For example, neither https://test.pm.beyondtrustcloud.com/ nor https://test.pm.beyondtrustcloud.com:8080/ will work.

  • GroupID: A computer must be added to a group as part of the EPM onboarding process. The group determines the policy applied to a computer. A groupID is automatically assigned to a computer during the adapter install if one is not provided.

3. Run the installer.

You must install the Mac adapter using Terminal.

To install adapters:

  1. Go to Configuration > Adapter Installation to download the Endpoint Privilege Management adapter installer.
  2. Also on the Adapter Installation page, note the Tenant ID, Server URL, Installation Key, and Installation ID. You need these required parameters for the installer script.
  3. Navigate to the location of the adapter installer. By default, this is the AdapterInstallers folder.
  4. Mount the DMG.
  5. From Terminal, run the installer command as shown in the example below with the parameters. The adapter installer launches. Proceed through the installation wizard.

Example

sudo /Volumes/PrivilegeManagementConsoleAdapter/install.sh tenantid="750e85d1-c851-4d56-8c76-b9566250cf1d" installationid="95a10760-2b96-4a0e-ab65-ed7a5e8f1649" installationkey="VGhpcyBzZWNyZXQgaTYzIGJlZW4gQmFzZTY0IGVuY29kZWQ=" serviceuri="https://test.ic3.beyondtrust.com" groupid="fcc4022e-12fa-4246-87w8-0de9a1483a68"
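A pre-flight check for the installer parameters listed above (the same rules apply to the Windows installer), including the ServerURI rule that rejects a port number or trailing slash. This is an added example, not BeyondTrust code; the function names, the GUID pattern applied to TenantID and GroupID, and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: fields the page labels as GUIDs use the canonical 8-4-4-4-12 hex form.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REQUIRED = ("tenantid", "installationid", "installationkey", "serviceuri")


def check_service_uri(uri):
    """Return the problems found in a ServiceURI value (empty list means OK)."""
    problems = []
    try:
        parts = urlsplit(uri)
        has_port = parts.port is not None
    except ValueError:  # malformed authority or non-numeric port
        return ["serviceuri is not a well-formed URL"]
    if parts.scheme.lower() != "https":
        problems.append("serviceuri must use https")
    if not parts.hostname:
        problems.append("serviceuri has no host name")
    if has_port:
        problems.append("serviceuri must not include a port number")
    if parts.path or parts.query or parts.fragment:
        problems.append("serviceuri must not end with a slash or carry a path")
    return problems


def validate_install_params(params):
    """Check installer parameters given as a dict keyed by lower-case name."""
    problems = [f"missing required parameter: {name}"
                for name in REQUIRED if not params.get(name)]
    for name in ("tenantid", "groupid"):  # groupid is optional per the guide
        value = params.get(name)
        if value and not GUID_RE.match(value):
            problems.append(f"{name} is not a well-formed GUID")
    if params.get("serviceuri"):
        problems += check_service_uri(params["serviceuri"])
    return problems


# Constructed sample values, not real tenant data.
SAMPLE = {
    "tenantid": "11111111-2222-3333-4444-555555555555",
    "installationid": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "installationkey": "constructed-installation-key",
    "serviceuri": "https://test.pm.beyondtrustcloud.com:8080/",
}

if __name__ == "__main__":
    for problem in validate_install_params(SAMPLE):
        print("REJECT:", problem)
```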

Uninstall EPM for Mac

ℹ️

Note

The uninstall scripts must be run from their default locations.

1. Uninstall Endpoint Privilege Management locally on the Mac.

Run the sudo /usr/local/libexec/Avecto/Defendpoint/1.0/uninstall.sh command.

2. Uninstall the Mac adapter

Run the sudo /usr/local/libexec/Avecto/iC3Adapter/1.0/uninstall_ic3_adapter.sh command.

📘

After running the uninstall script, some related directories remain if they are not empty (such as /Library/Application Support/Avecto/iC3Adapter).

3. Remove the Endpoint Privilege Management policy

❗️

WARNING

Do not remove the Endpoint Privilege Management policy unless you have already uninstalled Endpoint Privilege Management.

  • Once you've uninstalled EPM, to remove the policy, run the sudo rm -rf /etc/defendpoint command.

Install the Windows adapter

You must install the Windows adapter using the Windows command line.

1. Run the installer.
  1. Go to Configuration > Adapter Installation to download the Endpoint Privilege Management adapter installer.
  2. Also on the Adapter Installation page, note the Tenant ID, Server URL, Installation Key, and Installation ID. You need these required parameters for the installer script.
  3. Navigate to the location of the adapter installer. By default, this is the AdapterInstallers folder.
  4. From the command line, enter the install command with the required parameters and press Enter. The adapter installer launches. Proceed through the installation wizard.

Example

The line breaks must be removed before you run the script.

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi"
TENANTID="<TenantID_GUID>"
INSTALLATIONID="<InstallationID>"
INSTALLATIONKEY="<InstallationKey>"
SERVICEURI="<EPM URL>"
USERACCOUNT=LocalSystem
GROUPID="<EPM GroupID GUID>"

Add the following argument if you don't want the adapter service to start automatically:

SERVICE_STARTUP_TYPE=Disabled

This option is useful when Endpoint Privilege Management for Windows and the adapter are being installed on an image that will be reused to create many individual computers. If the adapter is not disabled in this scenario, the adapter will immediately join the EPM instance indicated.

ℹ️

Note

If the adapter starts up and registers with EPM prior to creating the VM image, then all VMs created from this image will contain the same adapter identifier and will not work properly.

You can start the IC3Adapter service manually later in Services.

Example

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="6b75f647-d3y7-4391-9278-002af221cc3f" INSTALLATIONID="08A1CD8F-FAE4-479F-81B4-00751A55EEB8" INSTALLATIONKEY="ABCDEFGHIJKLMNO" SERVICEURI="https://CUSTOMERHOST-services.pm.beyondtrustcloud.com" USERACCOUNT=LocalSystem GROUPID="e531374a-55b9-4516-g156-68f5s32f5e57" SERVICE_STARTUP_TYPE=Disabled

CUSTOMERHOST is the hostname. For example, if the hostname were test, the desired input would be:

https://test-services.pm.beyondtrustcloud.com

2. Upgrade the Windows adapter.

To upgrade to a full system-level DPAPI adapter:

  1. Upgrade to the 22.1 adapter, where the adapter continues to run as the IC3 user, but at the system level.
  2. Upgrade from 22.1 to a later version of the adapter, which allows the adapter to run as any system-level user, like LocalSystem.

ℹ️

Note

For a new adapter install, starting in version 22.1, this 2-step process is not required.

3. Configure the Windows EPM adapter.

The adapter uses HTTPS when communicating with EPM. If a proxy is in place, this communication must go through it. The proxy must be configured for the adapter user account, which is separate from the logged-on user account.

The computer must be configured to use proxy settings for the machine rather than the individual user. The following registry key needs to be edited to make this change:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

The Data value must read 0. This specifies the machine (1 specifies per user).

Name                  Type       Data
ProxySettingsPerUser  REG_DWORD  0

4. Set up a proxy during adapter install.

Starting in version 23.1, the Windows adapter installer supports setting up a proxy during installation using the following command line parameters:

PROXYADDRESS, BYPASSONLOCAL, USESYSTEMDEFAULT, and SCRIPTLOCATION

An example command using a proxy configuration parameter looks like the following:

msiexec.exe /l*v adapter_install.log /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="02fe4a89-ae4b-316c-d026-da8acc80b33f" INSTALLATIONID="0066f094-7f73-4c47-bfca-e7d4849d1449" INSTALLATIONKEY="angUArsM39Mk/MRD44o4Mn8dmOBGVBA6l01BBk7ljek=" SERVICEURI="https://tenantid-services.epm.btrusteng.com" GROUPID="bfac11e7-bf82-40c7-b5ee-3a0b34a304cd" usesystemdefault="false" PROXYADDRESS="http://<PROXY URL>:<PORT>"

The proxy settings are written to the Avecto.Ic3.Client.Host.exe.config file on the computer’s file system.

When using a non-authenticated proxy configuration, you can install an adapter by passing the command line parameters USESYSTEMDEFAULT='false' PROXYADDRESS='http://<PROXY URL>:<PORT>'.

<system.net>
  <defaultProxy enabled="true" useDefaultCredentials="true">
    <proxy usesystemdefault="false" proxyaddress="http://<PROXY URL>:<PORT>" />
  </defaultProxy>
</system.net>

msiexec.exe /l*v adapter_install.log /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="02fe4a89-ae4b-316c-d026-da8acc80b33f" INSTALLATIONID="0066f094-7f73-4c47-bfca-e7d4849d1449" INSTALLATIONKEY="angUArsM39Mk/MRD44o4Mn8dmOBGVBA6l01BBk7ljek=" SERVICEURI="https://tenantid-services.epm.btrusteng.com" GROUPID="bfac11e7-bf82-40c7-b5ee-3a0b34a304cd" usesystemdefault="true" scriptLocation="http://pactest/adaptertest.pac"

<system.net>
  <defaultProxy enabled="true">
    <proxy usesystemdefault="true" scriptLocation="http://pactest/adaptertest.pac" />
  </defaultProxy>
</system.net>

Remove proxy configuration

To remove the proxy address configuration, pass PROXYADDRESS='' as a command line parameter during upgrade.

This removes the proxy address configuration from the Avecto.Ic3.Client.Host.exe.config file.

Install and upgrade considerations when using a proxy

Keep the following in mind when installing and upgrading the adapter using proxy settings:

  • If you install an adapter with proxy command line parameters and later upgrade to a newer version without proxy command line parameters, the older config file proxy settings are retained and persisted.
  • If you install an adapter without proxy command-line parameters and later upgrade to a newer version with proxy command-line parameters, the newly added proxy configuration is reflected.
  • If you install an adapter version with proxy command line parameters and later upgrade to a newer version with a different proxy configuration, the newly added proxy configuration is used.
  • If you install or upgrade an adapter with an invalid proxy address, the computer is not registered in EPM.
  • Leaving the proxy address field empty does not set the proxy address in the Avecto.Ic3.Client.Host.exe.config file.
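When a computer fails to register after an install or upgrade, reading back what was actually written to Avecto.Ic3.Client.Host.exe.config shows which proxy mode the adapter ended up with. The following is an added example, not BeyondTrust code; the function names, the `<configuration>` wrapper element, the definition of a "usable" URL and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def _usable_url(value):
    """True if value parses as http(s)://host[:port] (assumed validity rule)."""
    try:
        parts = urlsplit(value)
        parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def read_proxy_settings(config_xml):
    """Summarise the <defaultProxy> section of an adapter config document."""
    default_proxy = ET.fromstring(config_xml).find(".//defaultProxy")
    proxy = default_proxy.find("proxy") if default_proxy is not None else None
    attrs = proxy.attrib if proxy is not None else {}
    address = attrs.get("proxyaddress", "")
    script = attrs.get("scriptLocation", "")
    system = attrs.get("usesystemdefault", "").lower() == "true"
    mode = "static" if address else "pac" if script else "system" if system else "none"
    problems = [f"{name} is not a usable URL: {value!r}"
                for name, value in (("proxyaddress", address), ("scriptLocation", script))
                if value and not _usable_url(value)]
    return {"mode": mode, "address": address, "script": script,
            "use_system_default": system, "problems": problems}


# Constructed config documents; the static proxy host name is a placeholder.
STATIC_CONFIG = """<configuration><system.net>
  <defaultProxy enabled="true" useDefaultCredentials="true">
    <proxy usesystemdefault="false" proxyaddress="http://proxy.example.internal:3128" />
  </defaultProxy>
</system.net></configuration>"""
PAC_CONFIG = """<configuration><system.net>
  <defaultProxy enabled="true">
    <proxy usesystemdefault="true" scriptLocation="http://pactest/adaptertest.pac" />
  </defaultProxy>
</system.net></configuration>"""
# Host name missing from the address, as happens when a placeholder is left unfilled.
BROKEN_CONFIG = STATIC_CONFIG.replace("proxy.example.internal", "")

if __name__ == "__main__":
    for name, doc in (("static", STATIC_CONFIG), ("pac", PAC_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, read_proxy_settings(doc))
```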

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.