Client installation
EPM for Windows client installs
Requirements
- VBScript to run the client installer. Microsoft has made VBScript a Feature on Demand (FOD) to allow the use of VBScript when required. See our Knowledgebase article for more information.
- Microsoft .NET Framework 4.6.2 (required to use Power Rules, PowerShell audit scripts, PowerShell API, and Agent Protection)
- Microsoft .NET Framework 4.8 (required to use Multifactor Authentication with an OIDC provider)
- PowerShell 3.0 (required to use Power Rules, PowerShell audit scripts, and PowerShell API)
- Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with switch EPOMODE=1)
Note
The executable version of the client package includes all necessary prerequisites (excluding .NET Framework) and automatically installs them as necessary. If you use the MSI or ZIP package, you must manually install any necessary prerequisites.
Client packages
To install Endpoint Privilege Management for Windows, run the appropriate installation package:
- For 32-bit (x86) systems, run PrivilegeManagementForWindows_x86.exe.
- For 64-bit (x64) systems, run PrivilegeManagementForWindows_x64.exe.
The installation prompts you to install missing prerequisites.
Endpoint Privilege Management for Windows may be installed manually, but for larger installations we recommend you use a suitable third-party software deployment system.
Unattended client deployment
When deploying Endpoint Privilege Management for Windows with automated deployment technologies, such as System Center Configuration Manager (SCCM), you can deploy the client silently and postpone the computer from restarting.
To install the client executable silently, without a reboot, use the following command line (the double quotes are required and the syntax must be copied exactly):
PrivilegeManagementForWindows_x86.exe /s /v" /qn /norestart"
To install the client MSI package silently, without a reboot, use the following command line:
Msiexec.exe /i PrivilegeManagementForWindows_x86.msi /qn /norestart
Endpoint Privilege Management for Windows will not be fully operational until a reboot. To perform an unattended deployment with a reboot, omit the /norestart switch.
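A deployment wrapper for the silent MSI command line above, added here as an example (it is not BeyondTrust tooling): it runs msiexec with /qn /norestart, writes a verbose install log, and maps the exit code so a deployment job can tell "installed" from "installed, reboot pending". It assumes the MSI is in the current directory and, optionally, passes the APPEVENTLOGTYPE=1 property described in the next section.

```powershell
# Added example, not part of the product. Runs the silent install and
# interprets msiexec's standard exit codes.
function Install-EpmClientSilently {
    param(
        [string]$MsiPath = '.\PrivilegeManagementForWindows_x64.msi',
        [switch]$UseAlternateEventLog   # adds APPEVENTLOGTYPE=1 (see next section)
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "Installer not found: $MsiPath"
    }
    $log = Join-Path $env:TEMP 'PrivilegeManagementForWindows_install.log'
    # /qn = no UI, /norestart = postpone the reboot, /l*v = verbose log for troubleshooting
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    if ($UseAlternateEventLog) { $msiArgs += 'APPEVENTLOGTYPE=1' }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

    # Windows Installer exit codes: 0 = success, 3010 = success but a reboot is
    # required (expected with /norestart), 1641 = success and reboot initiated.
    switch ($proc.ExitCode) {
        0       { [pscustomobject]@{ Success = $true;  RebootRequired = $false; ExitCode = 0;    Log = $log } }
        3010    { [pscustomobject]@{ Success = $true;  RebootRequired = $true;  ExitCode = 3010; Log = $log } }
        1641    { [pscustomobject]@{ Success = $true;  RebootRequired = $true;  ExitCode = 1641; Log = $log } }
        default { [pscustomobject]@{ Success = $false; RebootRequired = $false; ExitCode = $proc.ExitCode; Log = $log } }
    }
}

$result = Install-EpmClientSilently -UseAlternateEventLog
if (-not $result.Success) {
    throw "Install failed with exit code $($result.ExitCode); see $($result.Log)"
}
if ($result.RebootRequired) {
    # Matches the note above: the client is not fully operational until the machine restarts.
    Write-Warning 'Endpoint Privilege Management for Windows is installed but needs a reboot to be fully operational.'
}
```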
Configure an alternate event log location
You can configure an alternate event log location in the following ways:
- From the client installer (initial installation or upgrade)
- In Windows registry after installation
The default location is Windows Logs\Application. The alternate location is Application and Services Logs\BeyondTrust Privilege Management.
Set the event log location using the installer
When running the installer, enter the parameter and value as shown:
msiexec.exe /i PrivilegeManagementForWindows_x64.msi APPEVENTLOGTYPE=1
or
PrivilegeManagementForWindows_x64.exe /v"APPEVENTLOGTYPE=1"
Change the event log location in Windows Registry
If the client is already installed, set the value in the registry.
If agent protection is configured, you must first disable agent protection on the machine before you can change settings in the Registry Editor.
Run regedit.exe with elevated privileges and navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Avecto\Privilege Guard Client
ApplicationEventLogType=1
where:
0: Windows Logs\Application
1: Application and Services Logs\BeyondTrust Privilege Management
You must restart the service after changing the value.
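An audit-and-set script for the registry change described above, added as an example (not BeyondTrust's own code). It reads ApplicationEventLogType from the key shown, reports which event log the client is writing to (useful when confirming your SIEM collects the right log), sets the value, and restarts the service. Assumptions: the value is a REG_DWORD, and the service name is a placeholder because this page does not state it.

```powershell
# Added example, not part of the product. Key and value name are from the page;
# the service name below is a placeholder and must be replaced.
$EpmKey       = 'HKLM:\SOFTWARE\Avecto\Privilege Guard Client'
$EpmValueName = 'ApplicationEventLogType'
$EpmService   = '<EPM-CLIENT-SERVICE-NAME>'   # placeholder: not given on this page

# Meaning of each value, exactly as documented above
$EventLogLocation = @{
    0 = 'Windows Logs\Application'
    1 = 'Application and Services Logs\BeyondTrust Privilege Management'
}

function Get-EpmEventLogLocation {
    if (-not (Test-Path -Path $EpmKey)) {
        throw "Key $EpmKey not found; is the client installed?"
    }
    $item = Get-ItemProperty -Path $EpmKey -Name $EpmValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the client uses the default location
        return [pscustomobject]@{ Value = $null; Location = "$($EventLogLocation[0]) (default, value not set)" }
    }
    $v = [int]$item.$EpmValueName
    $loc = if ($EventLogLocation.ContainsKey($v)) { $EventLogLocation[$v] } else { "Unrecognised value $v" }
    [pscustomobject]@{ Value = $v; Location = $loc }
}

function Set-EpmEventLogLocation {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Type)
    try {
        # Assumption: REG_DWORD. Run from an elevated session.
        Set-ItemProperty -Path $EpmKey -Name $EpmValueName -Value $Type -Type DWord -ErrorAction Stop
    } catch {
        # A write failure from an elevated session usually means agent protection is
        # still enabled; it must be disabled before this key can be changed.
        throw "Could not write $EpmValueName under $EpmKey (disable agent protection first?): $_"
    }
    # The new value takes effect only after the client service restarts
    Restart-Service -Name $EpmService -Force -ErrorAction Stop
    Get-EpmEventLogLocation
}

Get-EpmEventLogLocation            # audit current location
Set-EpmEventLogLocation -Type 1    # switch to the BeyondTrust Privilege Management log
```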
EPM for Mac client installs
Install the Endpoint Privilege Management for Mac client to apply Endpoint Privilege Management policy to macOS computers.
Endpoint Privilege Management for Mac can be installed manually. We recommend using the EPM for Mac Rapid Deployment Tool for larger installations. Other third-party software deployment tools are also supported.
There is no license to add during the client installation, as this is deployed with the Endpoint Privilege Management Workstyles, so the client may be installed silently.
Requirements
- Trellix (formerly McAfee) Agent (required if you are installing the Privilege Management client with Trellix).
Install Endpoint Privilege Management for Mac
To install Endpoint Privilege Management for Mac, download and run the client installer package (*.pkg).
During the installation, the _avectodaemon account is created and added to the local Admin group. Do not remove this account from the group.
Configure macOS system settings
Endpoint Privilege Management for Mac client uses system extensions for application control where available.
Configure the following macOS system settings for Endpoint Privilege Management for Mac:
- Authorization
- Full Disk Access permission
You can use a macOS configuration profile (.mobileconfig file) available with the Endpoint Privilege Management for Mac download to apply these settings. We recommend importing the configuration profile into MDM to enable the new functionality.
To access the .mobileconfig file, log on to the BeyondTrust Customer Portal and go to File Downloads. Select Endpoint Privilege Management for Mac and the version.
The best way to configure the system settings is to use the configuration profile provided by BeyondTrust. Alternative methods are described below.
Add authorization
There are two ways to configure authorization on system extensions:
- Manually: Configure Privacy & Security in System Settings.
- MDM: Use the BeyondTrust configuration profile provided in the installer download. Alternatively, Apple provides MDM settings to auto-authorize system extensions.
Grant full disk access on system extensions
The system extensions require the Full Disk Access permission. In System Settings, go to Privacy & Security and select Full Disk Access.
Instructions to configure disk access vary depending on the version of your OS.
For more information, see our Knowledge Base article How to Enable Full Disk Access for the Endpoint Privilege Management Components.
Activate anti-tamper protection
A safety mechanism in the Endpoint Privilege Management for Mac agent automatically blocks attempts to change or disable any footprint of the agent or policies. The built-in anti-tamper protection does not require adding explicit block rules.
The anti-tamper protection prevents Standard Users from tampering with the Endpoint Privilege Management for Mac client, all platform adapters, policies, and settings files.
By default, anti-tamper protection is turned off.
There are two ways to turn on anti-tamper:
- Use the Rapid Deployment Tool and distribute the settings package to endpoints
- Use the tool installed with Endpoint Privilege Management for Mac
Turn on anti-tamper protection
From the command line, run:
sudo pmfm protection enable
Turn off anti-tamper protection
From the command line, run:
sudo pmfm protection disable
Confirm the status of the tool
sudo pmfm status
The response indicates whether protection is on or off:
{"protection":{"enabled":true}}