Adapter installation
The adapter is responsible for delivering policies and events between the computer and EPM when computers are managed by Endpoint Privilege Management.
The adapter polls for pending commands every 60 minutes, which can include policy updates.
EPM for Mac
Distribute the adapter
The Mac adapter can be distributed to computers using the method of your choice, including Mobile Device Management (MDM) tools, such as Jamf or AirWatch.
We recommend using the Endpoint Privilege Management Rapid Deployment Tool for macOS.
The workflow for using the Rapid Deployment Tool:
- Download the Rapid Deployment Tool. You can download the tool from the Configuration page in EPM. Go to Configuration > Privilege Management Installation.
- Create a package that will include the information to facilitate communication between Endpoint Privilege Management and the macOS computers. Copy values from Configuration > Adapter Installation.
- Create a package that includes settings specific to the macOS computer. These include anonymous logging, sudo management control, allowing biometric authentication, and policy sources, among others.
- Download and install the client package from the Configuration page. Go to Configuration > Privilege Management Installation. Click the macOS download link.
- Download and install the adapter package. Go to Configuration > Adapter Installation.
Installer parameters
The installer parameters include the following:
- TenantID for your chosen method of authentication. This was recorded when EPM was installed.
- InstallationID: Click Configuration > Adapter Installation to copy the Installation ID for the installer script.
- InstallationKey: Click Configuration > Adapter Installation to copy the Installation Key for the installer script.
- ServiceURI: The URL for your EPM portal.
Do not include a port number or slash character on the end of the ServiceURI. For example, neither https://test.pm.beyondtrustcloud.com/ nor https://test.pm.beyondtrustcloud.com:8080/ will work.
- GroupID: A computer must be added to a group as part of the EPM onboard process. The group determines the policy applied to a computer. A groupID is automatically assigned to a computer during the adapter install if one is not provided.
Run the installer
You must install the Mac adapter using Terminal.
To install adapters:
- Go to Configuration > Adapter Installation to download the Endpoint Privilege Management adapter installer.
- On the Adapter Installation page, note the Tenant ID, Server URL, Installation Key, and Installation ID. You need these required parameters for the installer script.
- Navigate to the location of the adapter installer. By default this is the AdapterInstallers folder.
- Mount the DMG.
- From Terminal, run the installer command as shown in the example below with the parameters. The adapter installer launches. Proceed through the installation wizard.
sudo /Volumes/PrivilegeManagementConsoleAdapter/install.sh tenantid="750e85d1-c851-4d56-8c76-b9566250cf1d" installationid="95a10760-2b96-4a0e-ab65-ed7a5e8f1649" installationkey="VGhpcyBzZWNyZXQgaTYzIGJlZW4gQmFzZTY0IGVuY29kZWQ=" serviceuri="https://test.ic3.beyondtrust.com" groupid="fcc4022e-12fa-4246-87w8-0de9a1483a68"
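The following pre-flight check is an added example, not part of the BeyondTrust installer or its documentation. It applies the ServiceURI rule and the required-parameter list above to install.sh-style arguments; the function names, the HTTPS-only check, and the rejection of parameter names other than the five shown on this page are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the key="value" arguments passed to install.sh.
# It never prints parameter values, so the installation key stays out of any output.

# check_serviceuri URI: prints the reason and returns 1 if the value breaks the
# ServiceURI rule above (no port number, no slash on the end).
check_serviceuri() {
    case $1 in
        https://*) ;;
        *) echo "must start with https://"; return 1 ;;   # assumption: HTTPS only
    esac
    host=${1#https://}
    case $host in
        "")               echo "has no host name"; return 1 ;;
        *:*)              echo "must not include a port number"; return 1 ;;
        */*)              echo "must not include a slash after the host name"; return 1 ;;
        *[!A-Za-z0-9.-]*) echo "has an unexpected character in the host name"; return 1 ;;
    esac
}

# preflight key=value ...: returns 0 when the arguments are ready to hand to install.sh.
preflight() {
    tenantid='' installationid='' installationkey='' serviceuri='' groupid=''
    rc=0
    for arg in "$@"; do
        case $arg in
            tenantid=*)        tenantid=${arg#*=} ;;
            installationid=*)  installationid=${arg#*=} ;;
            installationkey=*) installationkey=${arg#*=} ;;
            serviceuri=*)      serviceuri=${arg#*=} ;;
            groupid=*)         groupid=${arg#*=} ;;   # optional: assigned automatically if absent
            *) echo "unrecognized parameter name: ${arg%%=*}" >&2; rc=1 ;;
        esac
    done
    for name in tenantid installationid installationkey serviceuri; do
        eval "value=\$$name"   # name comes from the fixed list above, never from input
        [ -n "$value" ] || { echo "missing required parameter: $name" >&2; rc=1; }
    done
    if [ -n "$serviceuri" ]; then
        reason=$(check_serviceuri "$serviceuri") || { echo "serviceuri $reason" >&2; rc=1; }
    fi
    return $rc
}

# Usage inside a wrapper script:
#   preflight "$@" && sudo /Volumes/PrivilegeManagementConsoleAdapter/install.sh "$@"
```

Because the checks report only parameter names and reasons, the wrapper's output can be captured in deployment logs without recording the installation key.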
EPM for Windows
Prerequisites
.NET 4.6.2
Installer parameters
Before running the installer, copy the values for the following parameters:
- TenantID: Go to Configuration > Adapter Installation to copy the Tenant ID for the installer script.
- InstallationID: Go to Configuration > Adapter Installation to copy the Installation ID for the installer script.
- InstallationKey: Go to Configuration > Adapter Installation to copy the Installation Key for the installer script.
- ServiceURI: This is the URL for EPM. For example, https://<customerhost>-services.pm.beyondtrustcloud.com, where customerhost is the DNS name for EPM.
Do not include a port number or slash character on the end of the ServiceURI. For example, neither https://test.pm.beyondtrustcloud.com/ nor https://test.pm.beyondtrustcloud.com:8080/ will work.
- UserAccount (Optional): The default account name is LocalSystem.
- GroupID: A computer must be added to a group as part of the EPM onboarding process. The group determines the policy applied to a computer. The default groupID is automatically assigned to a computer during the adapter install if one is not provided. Computers are then automatically assigned an Authorized status.
Run the installer
You must install the Windows adapter using the Windows command line.
To install adapters:
- Go to Configuration > Adapter Installation to download the Endpoint Privilege Management adapter installer.
- Also on the Adapter Installation page, note the Tenant ID, Server URL, Installation Key, and Installation ID. You need these required parameters for the installer script.
- Navigate to the location of the adapter installer. By default this is the AdapterInstallers folder.
- From the command line, enter the install command with the required parameters and press Enter. The adapter installer launches.
- Proceed through the installation wizard.
Line breaks must be removed before you run the script
msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi"
TENANTID="<TenantID_GUID>"
INSTALLATIONID="<InstallationID>"
INSTALLATIONKEY="<InstallationKey>"
SERVICEURI="<EPM URL>"
USERACCOUNT=LocalSystem
GROUPID="<EPM GroupID GUID>"
Add the following argument if you don't want the adapter service to start automatically. This option is useful when Endpoint Privilege Management for Windows and the adapter are being installed on an image that will be reused to create many individual computers. If the adapter is not disabled in this scenario, the adapter will immediately join the EPM instance indicated.
If the adapter starts up and registers with EPM prior to creating the VM image, then all VMs created from this image will contain the same adapter identifier and will not work properly.
SERVICE_STARTUP_TYPE=Disabled
You can start the IC3Adapter service manually later in Services.
Example
msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="6b75f647-d3y7-4391-9278-002af221cc3f" INSTALLATIONID="08A1CD8F-FAE4-479F-81B4-00751A55EEB8" INSTALLATIONKEY="ABCDEFGHIJKLMNO" SERVICEURI="https://CUSTOMERHOST-services.pm.beyondtrustcloud.com"
USERACCOUNT=LocalSystem GROUPID="e531374a-55b9-4516-g156-68f5s32f5e57"
SERVICE_STARTUP_TYPE=Disabled
CUSTOMERHOST = the hostname. For example, if the hostname were test, the input would be:
https://test-services.pm.beyondtrustcloud.com
Configure the adapter
The adapter uses HTTPS when communicating with EPM. If there is a proxy in place that this communication goes through, it must be configured for the adapter user account, which is separate from the logged-on user account.
The computer must be configured to use proxy settings for the machine rather than the individual user. The following registry key needs to be edited to make this change:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
The Data value must read 0. This specifies the machine (1 specifies per user).
ProxySettingsPerUser | REG_DWORD | 0 |
Set up a proxy during adapter install
Starting in version 23.1, the Windows adapter installer supports setting up a proxy during installation using the following command line parameters:
PROXYADDRESS, BYPASSONLOCAL, USESYSTEMDEFAULT, and SCRIPTLOCATION
An example command using a proxy configuration parameter looks like the following:
msiexec.exe /l*v adapter_install.log /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="02fe4a89-ae4b-316c-d026-da8acc80b33f" INSTALLATIONID="0066f094-7f73-4c47-bfca-e7d4849d1449" INSTALLATIONKEY="angUArsM39Mk/MRD44o4Mn8dmOBGVBA6l01BBk7ljek=" SERVICEURI="https://tenantid-services.epm.btrusteng.com" GROUPID="bfac11e7-bf82-40c7-b5ee-3a0b34a304cd" usesystemdefault="false" PROXYADDRESS="http://<PROXY URL>:<PORT>"
The proxy settings are written to the Avecto.Ic3.Client.Host.exe.config file on the computer’s file system.
When using a non-authenticated proxy configuration, you can install an adapter by passing the command line parameters USESYSTEMDEFAULT='false' PROXYADDRESS='http://<PROXY URL>:<PORT>'.
<system.net>
<defaultProxy enabled="true" useDefaultCredentials="true">
<proxy usesystemdefault="false" proxyaddress="http://<PROXY URL>:<PORT>" />
</defaultProxy>
</system.net>
To configure a PAC file, use the command line parameters USESYSTEMDEFAULT='true' SCRIPTLOCATION='http://pactest/adaptertest.pac'.
msiexec.exe /l*v adapter_install.log /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="02fe4a89-ae4b-316c-d026-da8acc80b33f" INSTALLATIONID="0066f094-7f73-4c47-bfca-e7d4849d1449" INSTALLATIONKEY="angUArsM39Mk/MRD44o4Mn8dmOBGVBA6l01BBk7ljek=" SERVICEURI="https://tenantid-services.epm.btrusteng.com" GROUPID="bfac11e7-bf82-40c7-b5ee-3a0b34a304cd" usesystemdefault="true" scriptLocation="http://pactest/adaptertest.pac"
Remove proxy configuration
To remove the proxy address configuration, pass PROXYADDRESS='' as a command line parameter during upgrade.
This removes the proxy address configuration from the Avecto.Ic3.Client.Host.exe.config file.
Install and upgrade considerations when using a proxy
Keep the following in mind when installing and upgrading the adapter using proxy settings:
- If you install an adapter with proxy command line parameters and later upgrade to a newer version without proxy command line parameters, the older config file proxy settings are retained and persisted.
- If you install an adapter without proxy command line parameters and later upgrade to a newer version with proxy command line parameters, the newly added proxy configuration is reflected.
- If you install an adapter version with proxy command line parameters and later upgrade to a newer version with a different proxy configuration, the newly added proxy configuration is used.
- If you install or upgrade an adapter with an invalid proxy address, the computer is not registered in EPM.
Leaving the proxy address field empty does not set the proxy address in the Avecto.Ic3.Client.Host.exe.config file.