You can define any number of end user messages and notifications. Messages and notifications are displayed when a user’s action triggers a rule (application/on-demand or content rule). Rules can be triggered by an application launch or block, or when content is modified.

Messages provide an effective way of alerting the user before an action is performed. For example, before elevating an application or allowing content to be modified, or advising that an application launch or content modification is blocked.

Messages give the user information about the application or content, the action taken, and can be used to request information from the user. Messages also allow authorization and authentication controls to be enforced before access to an application is granted.

Messages are customizable with visual styles, corporate branding, and display text, so users are offered a familiar and contextual experience. Messages are assigned to Application Rules or Content Rules. A message can display different properties, depending on which of these targets it is assigned to. To view the differences, a Preview option allows you to toggle between the Application Preview and the Content Preview. This is available from the Preview dropdown menu, located in the top-right corner of the details pane.

Once defined, a message may be assigned to an individual rule in the Workstyles Rules tab by editing the rule. Depending on the type of Workstyle you’ve created, Endpoint Privilege Management for Windows may auto-generate certain messages for you to use.

Types of messages

  • Messages: Messages take focus when they're displayed to the user.
  • Notifications: (Windows only) Message notifications appear on the user's task bar. Message notification text is fully customizable, so that users are given concise and relevant information about the action performed. You can edit the strings in the Message Text tab.

Message notifications are displayed either as a systray bubble (Windows 7), or as a toast notification (Windows 8 and higher).

ℹ️

Note

Message notifications are not supported for SYSTEM processes.

Create messages

You can create two types of messages:

  • Message or notification
  • ActiveX Message

Message or notification

To create a message or notification:

  1. Navigate to Privilege Management Settings > Windows > Messages.
  2. Right-click and click New Message.
  3. Select a message template from either the Use a Message Box template or Use a Notification (balloon) dropdown menus and click Next.

ℹ️

Note

Messages can be interactive (the user may be asked to input information before an action occurs). Notifications are descriptive (displaying information about an action that has occurred).

  4. Customize the message (more advanced message configuration can be performed after the message is created).
  5. Click Finish.

A new message is created. You can further refine the message by selecting it and editing the Design and the Text options available beneath each message.

ActiveX message

When Endpoint Privilege Management for Windows is configured to elevate the installation of an ActiveX control, a built-in progress dialog box of the installation process appears. You can configure the text of this dialog box in the Messages node.

  1. Navigate to Privilege Management Settings > Windows > Messages.
  2. Right-click the Messages node and click Manage ActiveX Message text.
  3. Set the display text:
    • Title: The title text of the progress dialog box.
    • Download Message: The text displayed during the download phase.
    • Install Message: The text displayed during the installation phase.
    • Cancel Button: The text displayed for the button that cancels the ActiveX installation.

The display text can be configured for multiple languages. Endpoint Privilege Management for Windows detects the regional language of the end user, and if ActiveX strings in that language are configured, the correct translation is displayed.

ℹ️

Note

If language settings for the region of the end user are not configured, then the default language text is displayed. To change the default language, select the desired language and click Set Default.

Multifactor authentication

Multifactor authentication (MFA) using an identity provider can be configured for messages in Endpoint Privilege Management. Identity providers supported by Endpoint Privilege Management include those using the OpenID Connect (OIDC) and RADIUS protocols, and BeyondTrust should be set up as a Native or Desktop app within your Identity Provider configuration.

The RADIUS protocol is supported on Windows OS only.

In Endpoint Privilege Management, messages can be designed with a combination of authentication and authorization settings.

  • Authentication: MFA with an identity provider, user credential, and smart card
  • Authorization: Challenge / response authorization

Authentication and authorization groupings in Endpoint Privilege Management

Groupings support and/or logic:

  • Groupings by authentication: Setting more than one way the end user can authenticate, which can include the typical authentication methods (user credential, designated user, and smart card) and MFA with an identity provider.

    In the Message Designer, pair Step 1a - User Authentication with Step 1b - Multifactor Authentication. This can be an and/or configuration.

  • Groupings by authentication and authorization: Authentication methods paired with authorization always use or logic. Authorization applies an additional challenge / response layer to the end user accessing an application. The challenge / response provides an alternative to MFA authentication if that method is unavailable (for example, the browser is unavailable or the end user phone is not available).

Here are some grouping scenarios:

  • MFA and Designated User or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional.
  • MFA or Designated User or challenge / response: The end user must successfully enter either MFA or Designated User credentials. Challenge / response is optional.
  • MFA and User authentication or challenge / response: The end user must successfully respond to all authentication prompts to access an application. Challenge / response is optional. When this authentication is combined, the Step 1c - Authentication Grouping is automatically set to and logic.
  • MFA or None as the Authentication Type or challenge / response: The end user must access the application through the identity provider or challenge / response method.

Workflow

The workflow depends on the combination of settings configured on the Message Design page. In the following screen capture, the authentication methods are joined with and logic.

The end user clicks the link, which opens the default browser at the identity provider logon page. The end user must successfully authenticate with the identity provider, then return to the Confirm Elevation dialog box to enter the user credential.

Alternatively, the end user enters the response code to gain access.

Add an identity provider

You can configure the identity provider in the following places:

  • Endpoint Privilege Management Settings node
  • Messages node

Identity provider configuration is a global setting and applies to all Windows messages.

To add the identity provider:

  1. Expand the Windows node or OS X node.
  2. Right-click Messages > Set Idp Authentication.
  3. Click the relevant tab for the authentication protocol required by your Identity Provider (OIDC or RADIUS).
  4. Enter the identity provider details:
  • OIDC Settings
    • Authority URI: The address of your identity provider.
    • Client ID: Must match the same value configured for your identity provider's BeyondTrust application.
    • Redirect URI: Must match the value configured for your identity provider's BeyondTrust application. The format is http://127.0.0.1:port_number. This is a loopback address on the endpoint: the browser delivers the authorization response to a listener on the local machine rather than to a host on your network, so port_number is a free local port. Specify port_number only if your identity provider requires an explicit port.
  • RADIUS Settings
    • Authentication Mechanism: The authentication type required by your RADIUS server. Supported mechanisms are MS-CHAPv2 and PAP. Prefer MS-CHAPv2 where the server supports it: with PAP the user's password travels protected only by the RADIUS shared secret (an MD5-based obfuscation), so PAP should be used only over a network path you trust or an encrypted tunnel.
    • Host: The hostname of your RADIUS server.
    • Port: The port number for connecting to your RADIUS server.
    • Shared Secret: The secret key required by your RADIUS server.

You can also configure the identity provider on the Message Design page.

Add the Endpoint Privilege Management application to Microsoft, Okta, or Ping Identity

The procedures in this section are specific to OIDC implementations.

Create an app registration in Microsoft Entra ID

Log in to your Azure portal, https://portal.azure.com.

ℹ️

Note

Microsoft can change functionality at any time. The screen captures in the following procedure were accurate at the time of writing.

  1. Navigate to your Microsoft Entra ID.

  2. Click App registrations.

  3. Select New registration.

  4. Enter a name for your app registration. Use a name related to Endpoint Privilege Management.

  5. Click Register.

  6. Copy and note your Application (Client) ID for use in the Policy Editor later.

  7. Click Add a Redirect URI.

  8. Click Add a platform.

  9. Select Mobile and Desktop Applications.

  10. Under Custom redirect URIs, add the following value:

    http://127.0.0.1

  11. Click Configure.

  12. Go back to your newly created app registration.

  13. Click Endpoints. The endpoints display on the right.

  14. Copy the value from the OpenID Connect metadata document box. Only this part of the URL is required: https://login.microsoftonline.com/87549b3f-a6ba-4ca4-9d99-ff2944ac4234/v2.0

The configuration is now complete. The following values are required to configure the IdP in the Endpoint Privilege Management Policy Editor for both Windows and macOS.

  • Authority URI: The value copied in step 14.
  • Client ID: Application (Client) ID from step 6.
  • Redirect URI: Custom redirect URIs set in step 10.

Enforce MFA for every logon attempt

In Entra ID, you might want users to always go through the multi-factor authentication process every time they try to access an application in a rule (if multi-factor authentication is configured in the message).

ℹ️

Note

For more information, see the BeyondTrust Knowledge Base article, Using Additional Scopes and max_age to enforce always-auth with messages in Azure AD.

Add Endpoint Privilege Management to Okta
  1. Start your Okta instance.

  2. Click Create App Integration.

  3. In the Create a new app integration section, select OIDC - OpenID Connect.

  4. Select Native Application as the application type.

  5. Select Authorization code for the Grant type.

  6. Add the sign-in and sign-out URIs.

    • Sign-in redirect URI: https://{dns}-services.pm.beyondtrustcloud.com/oauth/signin-oidc
    • Sign-out redirect URI: https://{dns}-services.pm.beyondtrustcloud.com/oauth/signout-callback-oidc
  7. Select the controlled access applicable to your organization, and then click Save.

    After you add EPM to Okta, you can get the information you need to set up the OpenID Connect authentication.

  8. Go to the application instance for Endpoint Privilege Management.

  9. Select General Settings, and then click Edit.

  10. For the EPM OpenID Connect Setup Wizard, you need to copy the following information from the Edit page:

    • Domain: Prefix the protocol HTTPS://
    • Client ID
    • Client Secret

ℹ️

Note

Confirm the domain name configured in Okta. This domain name might be different than the domain configured for your email address. For example, while the domain managed in Okta might be domain.com, the email address might be [email protected]. Both pieces of information are required.

  11. You can now visit the set-up URL and enter the domain, client ID, and client secret information.

Add Endpoint Privilege Management for Mac to Ping Identity

ℹ️

Note

We currently support PingOne, the SaaS service from Ping Identity.

  1. Start your Ping Identity instance.
  2. In the menu, click Connections, and then click Applications.
  3. At the right of the Applications title, click the plus sign (+) to add an application.
  4. Enter a name for the application (required), and then add a short description (optional).
  5. Select OIDC Web App and click Save.
  6. Click the Configuration tab.
  7. To edit the configuration, click the pencil/edit icon.
  8. Under Redirect URLs, click + Add, and then add the sign-in and sign-out URLs. If you are modifying an existing instance, you might need to open the General section dropdown first.
    • Sign-in redirect URL: https://{dns}-services.pm.beyondtrustcloud.com/oauth/signin-oidc
    • Sign-out redirect URL: https://{dns}-services.pm.beyondtrustcloud.com/oauth/signout-callback-oidc
  9. Under Token Endpoint Authentication Method, select Client Secret Post, and then click Save.
  10. Click the Resources tab.
  11. To edit the resource, click the pencil/edit icon.
  12. In the Scopes list, click the + next to profile openID to add it to the Allowed Scopes. You can also filter the list of options by OpenID to access this option.
  13. Click Save.
  14. To close the panel, at the top right of the Edit panel, click the X.
  15. At the right of the new application entry, toggle the switch to on to give access to users.
  16. Click the Configuration tab again. For the EPM OpenID Connect set-up wizard, you need to copy the following information from the Configuration page.

The Ping identity provider (IdP) configuration is now complete. The following values are required to configure the IdP in the Endpoint Privilege Management Policy Editor for both Windows and macOS.

  • Issuer: Prefix the protocol HTTPS://
  • Client ID
  • Client secret

Message name and description

You may edit a message name or description by clicking on either element:

  1. Select the Message (in either the left or right pane).
  2. Select either the Message Design tab or the Message Text tab to make further changes to your message.

Message design

Messages have a wide array of configuration options, which are detailed below.

As you change the various message options, the preview message is automatically updated. To test the message box, use the preview facility (program and content information contains appropriate placeholders).

Once you configure the message options, you should configure the Message Text for the message, which includes full multi-lingual support.

Design settings

Message header settings
  • Header Style: Select the type of header, which can be No header, Endpoint Privilege Management, Warning, Question, or Error.
  • Show Title Text: Determines whether to show the title text.
  • Text Color: Select the color for the title text (the automatic color is based on the Header Style).
  • Background Type: Set the background of the header, which can be Solid background, Gradient background, or Custom image (the default Background Type is Custom Image, making the Color 1 and Color 2 options initially unavailable).
  • Color 1: Select the color for a Solid background or the first color for a Gradient background (the automatic color is based on the Header Style).
  • Color 2: Select the second color for a Gradient background (the automatic color is based on the selected Header Style).
  • Custom Image: Select the image for a Custom image background. This option is only enabled if you have selected Custom Image for the Background Type. Click the ellipsis (...) button to import, export, modify, or delete images using the Image Manager.
Image manager

The Image Manager associated with message creation allows you to Add, Modify, Export, and Delete images that are referenced in message headers. All images are stored inside the Workstyles as compressed and encoded images.

We recommend you delete any unused images to minimize the size of the policies, as Endpoint Privilege Management for Windows does not automatically delete unreferenced images.

The Image Manager is accessible from the Message Design tab. Click the Manage Images button next to the Custom Image dropdown menu.

To upload an image:

  1. Click Upload Image. The Import Image status dialog box appears. Click Choose file and browse to the location of the file.
  2. Select the image and enter an Image Description. Click OK.
  3. The image is uploaded into Image Manager.

ℹ️

Note

Images must be PNG format. The recommended size is 450x50.

To edit an image:

  1. In the Custom Image field, select Manage Images.
  2. Select the image in the list and click Edit.
  3. The Image Properties dialog box appears.
  4. Alter the description and click OK.

To delete an image:

  1. Select the image in the list and click Delete.
  2. When prompted, click Yes to delete the image.

ℹ️

Note

If an image is referenced by any messages, you are not allowed to delete it.

Message body settings

The Message Body Settings display specific information about the program or content. These can be configured on the Message Text tab; they can display Automatic default values or Custom values. The Automatic default values are:

  • Show Line One: The Program Name or the Content Name.
  • Show Line Two: The Program Publisher or the Content Owner.
  • Show Line Three: The Program Path or the Content Program.

Custom values are configured on the Message Text tab.

  • Show reference Hyperlink: This option determines whether to show a hyperlink in the message below the body settings (the hyperlink is configured on the Message Text tab).

Authentication and authorization settings

Step 1a - user authentication
  • Authentication Type: Set this option to User must authenticate to force the user to reauthenticate before proceeding. If you want to use this option for over-the-shoulder administration, set it to Designated user must authenticate.
  • Password or Smart Card: Set this option to Any to allow authentication using any method available to the user. To enforce a specific authentication method, set it to either Password only or Smart card only.
  • Windows Hello: Set this option to Yes to allow authentication using the Windows Hello service. For this to work, Windows Hello must already be set up on the user's endpoint, and the following restrictions apply:
    • Windows Hello is not supported with the Designated user must authenticate option.
    • Password or Smart Card must be set to Any or Password only (not Smart card only).
    • Windows Hello is unavailable when the message is shown on the secure desktop.

ℹ️

Note

If you select a method that is not available to the user, then the user cannot authenticate the message.

  • Designated Users: If the Authentication Type is set to Designated user must authenticate, then click the ellipsis (...) button to add one or more user accounts or groups of users that are allowed to authenticate the message. A designated user can be selected from a local account, Active Directory domain, or Microsoft Entra ID (groups only). Entra ID is only supported on the EPM platform.
  • Run application as Authenticating User: If the Authentication Type is set to Designated user must authenticate, then this option determines whether the application runs in the context of the logged on user or in the context of the authenticating user. The default is to run in the context of the logged on user as opposed to the authenticating user.

ℹ️

Note

When Run application as Authenticating User is set to Yes, Endpoint Privilege Management for Windows attempts to match a Workstyle of the same type (Application Rule or on-demand rule) for the authenticating user. If no Workstyle is matched, Endpoint Privilege Management for Windows falls back to the original user Workstyle.

Designated user must authenticate

When this option is enabled, a designated user, such as a system administrator, can authorize the elevation in place of (or in addition to) a Challenge Response code.

Input and outcome when both a designated user and Challenge/Response are configured:

  • Valid Challenge/Response code only is provided: the application runs as the logged on user.
  • Valid Challenge/Response code is provided and valid (but not required) credentials are provided: the application runs as the logged on user.
  • Invalid Challenge/Response code is provided but valid credentials are provided: the application runs as the authorizing user.
  • No Challenge/Response code is provided but valid credentials are provided: the application runs as the authorizing user.

ℹ️

Note

In Endpoint Privilege Management for Windows 22.9 and later, when authenticating as a Designated User using Microsoft Entra ID credentials, use your UPN as the username: "[email protected]"

Step 1b - multifactor authentication
  • Identity Provider: To use an identity provider, select Idp - Yes from the list. If you have not already set up your global identity provider settings, then you are prompted to add these now.
  • Authentication Context Class References values (acr values): Enter the acr value. The value is optional and required only if your identity provider uses it.
  • Suppress Message when Authenticated for (Mins): Enter a value (maximum 720) to set the number of minutes that the authentication message will be suppressed. The message will not be shown again for the given number of minutes after a successful authentication.

⚠️

Important

The Suppress Message when Authenticated for (Mins) setting does not support messages that are configured to use multiple authentication types using the AND operator. For example, if the message requires "user authentication And MFA", then the message is not suppressed. However, if the message uses "user authentication Or MFA", then the message is suppressed.

Step 1c - authentication grouping
  • Requirements: Select a requirement from the list. You can combine authentication methods. The authentication grouping can be and/or logic. For example, you can require that your users provide both a user name and password and authenticate with an identity provider. In this case, the end user is required to successfully authenticate with user credentials and with the identity provider. In the "or" scenario, the user is required to authenticate using at least one of the authentication methods.
Step 2 - authorization
  • Challenge Response (C/R): Set this option to Yes to present the user with a challenge code. For the user to proceed, they must enter a matching response code. You can click Edit Key to change the shared key for this message.

ℹ️

Note

When this option is enabled for the first time, you are requested to enter a shared key.

  • Authorization Period (per-application): Set this option to determine the length of time a successfully returned challenge code is active for. Choose from:
    • One use Only: A new challenge code is presented to the user on every attempt to run the application.
    • Entire Session: A new challenge code is presented to the user on the first attempt to run the application. After a valid response code is entered, the user is not presented with a new challenge code for subsequent uses of that application until they next log on.
    • As defined by helpdesk: A new challenge code is presented to the user on the first attempt to run the application. If this option is selected, the responsibility of selecting the authorization period is delegated to the helpdesk user at the time of generating the response code. The helpdesk user can select one of the three above authorization periods. After a valid response code is entered, the user does not receive a new challenge code for the duration of time specified by the helpdesk.
  • Suppress messages once authorized: If the Authorization Period is not set to One Use Only, the Suppress messages once authorized option is enabled and configurable.
  • Show Information tip: This option determines whether to show an information tip in the challenge box.
  • Maximum Attempts: This option determines how many attempts the user has to enter a successful response code for each new challenge. Set this option to Three Attempts to restrict the user to three attempts, otherwise set this option to Unlimited.

ℹ️

Note

After the third failure to enter a valid response code, the message is canceled and the challenge code is rejected. The next time the user attempts to run the application, they are presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.

📘

For more information, see Challenge/response authorization, and Message text.

Step 3 - user authentication & authorization grouping
  • Requirements: Select a grouping from the list. You can use authentication and authorization settings together, grouped by and/or logic. This always uses or logic when the Identity Provider (Idp) value is set to IdP - Yes.

Miscellaneous settings

Show message on secure desktop: (Windows only)

Select this option to show the message on the secure desktop. We recommend this if the message is being used to confirm the elevation of a process, for enhanced security. Secure desktop cannot be used with Identity Provider configurations; using Identity Provider for authentication requires opening the user's browser.

User reason settings

This option determines whether to prompt the end user to enter a reason before an application launches (Allow Execution message type) or to request a blocked application (Block Execution message type).

  • Show User Reason Prompt: Select between Text box and dropdown menu. The Text Box allows users to write a reason or request. The dropdown allows users to select a predefined reason or request from a dropdown menu. The predefined dropdown entries can be configured on the Message Text tab.
  • Remember User Reasons (per-application): Reasons are stored per-user in the registry.

Email settings

The email settings are only enabled for blocking messages.

  • Allow user to email an application request: Select this option to allow the user to email a request to run an application (only available for the Block Execution message type).
  • Mail To: Email address to send the request to (separate multiple email addresses with semicolons).
  • Subject: Subject line for the email request.

The Mail To and Subject fields can include parameterized values, which can be used with email based automated helpdesk systems.

Challenge/response authorization

Challenge/Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a challenge code in an end user message. For the user to progress, they must enter a corresponding response code into the message.

Any policy that includes a challenge/response message needs a shared key. This key is defined when you set up the first challenge/response message in your policy, although you can change it later if required. If you create a Workstyle containing a challenge/response message, or create a new challenge/response message, and you are not prompted to create a shared key, then the policy already has one. You cannot view this shared key, but you can change it if required from the Design page of a Message.

Challenge/Response authorization is configured as part of an end user message, and can be used in combination with any other authorization and authentication features of Endpoint Privilege Management for Windows messaging.

Authorization is applied per user, per token, per application, meaning that each user is presented with challenge codes that when authorized, only apply to them, the token used to request access, and the specific application.

If there is still a valid Endpoint Privilege Management for Windows response code available to the endpoint when the user runs the application with a Power Rule assigned to it, the application opens using the existing Endpoint Privilege Management for Windows response code and the Rule Script is not run.

Challenge and response codes are presented as 8 digit numbers, to minimize the possibility of incorrect entry. When a user is presented with a challenge code, the message may be canceled without invalidating the code. If the user runs the same application, they are presented with the same challenge code. This allows users to request a response code from IT helpdesks who may not be immediately available to provide a response.

Shared key

The first time you create an Endpoint Privilege Management for Windows end user message with a challenge, you are asked to create a shared key. The shared key is used by Endpoint Privilege Management for Windows to generate challenge codes at the endpoint.

Once you enter a shared key, it is applied to all end user messages that have challenge/response authorization enabled in the same Endpoint Privilege Management for Windows settings.

To change the shared key:

  1. Right-click the Messages node of a Workstyle and select Set Challenge/Response Shared Key.
  2. In the Challenge/Response Shared Key dialog box, edit the Enter Key and Confirm Key with the new shared Key.
  3. Click OK to complete. If the key entered is not exact, you will be presented with a warning message.

ℹ️

Note

We recommend your shared key be at least 15 characters and include a combination of alphanumeric, symbolic, upper, and lowercase characters. As a best practice, the shared key should be changed periodically.
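The following PowerShell functions are an added example, not BeyondTrust code, showing how to produce a shared key that meets the recommendation above. New-EpmSharedKey draws characters from the operating system's cryptographic random number generator (not Get-Random, which is not a cryptographic RNG), guarantees at least one character of each class, and leaves out characters that are easy to mistype (I, l, O, 0, 1) because the key is entered by hand in both the Enter Key and Confirm Key fields. The function names, the character sets and the default length of 24 are this example's choices, not product settings.

```powershell
# Added example; not part of the BeyondTrust documentation or product.
# New-EpmSharedKey: build a Challenge/Response shared key that satisfies the
# recommendation above (>= 15 characters; upper, lower, digit and symbol present)
# using the OS CSPRNG. Get-Random is avoided because it is not a cryptographic RNG.
function New-EpmSharedKey {
    [CmdletBinding()]
    param([ValidateRange(15, 128)][int]$Length = 24)

    # Visually ambiguous characters (I, l, O, 0, 1) are left out because the key is
    # typed by hand into the Enter Key and Confirm Key fields (example's choice).
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!#$%&*+-=?@^_'
    )
    [char[]]$all = $classes | ForEach-Object { $_ }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Unbiased index in [0, n): rejection sampling over a single random byte.
        $randIndex = {
            param([int]$n)
            $limit = 256 - (256 % $n)
            $b = New-Object byte[] 1
            do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
            $b[0] % $n
        }

        $chars = New-Object System.Collections.Generic.List[char]
        # One character from every class, then fill the remainder from the full set.
        foreach ($set in $classes) { $chars.Add($set[(& $randIndex $set.Length)]) }
        while ($chars.Count -lt $Length) { $chars.Add($all[(& $randIndex $all.Length)]) }

        # Fisher-Yates shuffle so the guaranteed characters do not sit at fixed positions.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = & $randIndex ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

# Test-EpmSharedKey: check an existing key against the same recommendation before
# it is entered in the Challenge/Response Shared Key dialog box.
function Test-EpmSharedKey {
    param([Parameter(Mandatory)][string]$Key)
    return ($Key.Length -ge 15) -and
           ($Key -cmatch '[A-Z]') -and ($Key -cmatch '[a-z]') -and
           ($Key -match '\d') -and ($Key -match '[^A-Za-z0-9]')
}

# Usage: generate a key, confirm it passes, and record it in your credential vault
# before entering it in the dialog box. Clear the console afterwards so the key does
# not remain on screen or in the session history.
$key = New-EpmSharedKey -Length 24
if (-not (Test-EpmSharedKey -Key $key)) { throw 'Generated key failed validation' }
$key
```

Because the key cannot be read back from the policy once set, the copy in the vault is the only record the helpdesk will have; rotating the key (as the note above recommends) means updating that record and the policy together.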

Generate a response code

There are two ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Endpoint Privilege Management Policy Editor, or you can generate the codes in the MMC.

ℹ️

Note

To generate a response code, you must have set a Challenge/Response shared key. You are prompted to do this when you create any policy that has a Challenge/Response message assigned to it. Alternatively, you can set the Challenge/Response shared key from the home page of the Privilege Management Settings node by clicking Set Challenge/Response Shared Key.

You can generate a response code from the Endpoint Privilege Management Policy Editor. This launches a tool called PGChallengeResponseUI.exe. This tool is part of your installation and can be used independently of the Endpoint Privilege Management Policy Editor. The tool is installed to the <Installation Dir>\Avecto\Privilege Guard Management Consoles\ directory.

To generate a response code in the Endpoint Privilege Management Policy Editor:

  1. Click the Endpoint Privilege Management Settings node and then Tools on the right side.
  2. Click Response Code Generator.
  3. Enter the shared key you defined, and the challenge code from the end user.
  4. The response code is generated once both the Shared Key and the 8 character challenge code are entered.

The response value can then be sent to the end user to enter into their challenge dialog box.

Generate a response code from the command line

Response codes can also be generated from the command line using the PGChallengeResponse.exe command line utility, which is installed as part of the Endpoint Privilege Management Policy Editor installation, and is located in the <Installation Dir>\Avecto\Privilege Guard Management Consoles\ directory:

To generate a response code from the command line:

  1. Open the Command Prompt by clicking the Start Menu and typing cmd.exe.
  2. In the Command Prompt, type the following command, then press Enter:
    cd "\program files\avecto\privilege guard management consoles"
  3. Once you are in the Privilege Guard Management Consoles directory, type the following command (where `challenge` is the challenge code presented to the user):
    pgchallengeresponse.exe <challenge>
  4. At the Shared Key prompt, enter the correct shared key, then press Enter.

ℹ️

Note

PGChallengeResponseUI.exe is a standalone utility and can be distributed separately from the Endpoint Privilege Management Policy Editor.

Automating response code generation

The PGChallengeResponse.exe utility supports full command line use, allowing it to be easily integrated into any third party workflow that supports the execution of command line executables. The command line is as follows:

PGChallengeResponse.exe <challenge code> <shared key> <duration>

ℹ️

Note

The duration parameter is optional.

In the command line above, `challenge code` is the code presented to the user and `shared key` is the key configured in the Endpoint Privilege Management for Windows settings that presented the end user message.

The utility returns the response code as an exit code, so it can be captured from within a custom script or wrapper application. The options for the optional `duration` parameter are once | session.
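The following wrapper is an added example of the automation described above; it is not BeyondTrust code and not part of the product. It validates the arguments before anything runs, invokes PGChallengeResponse.exe with stdin closed so the tool cannot block on its interactive Shared Key prompt, and returns the exit code, which per the documentation carries the response code. The install path is the documented default location; treating the 8-character challenge code as alphanumeric, the `PG_SHARED_KEY` environment variable, and the `constructed_runner` stand-in used for offline testing are assumptions of this example.

```python
"""Wrap PGChallengeResponse.exe so a helpdesk workflow can obtain a response code.

Added example; not BeyondTrust code. The install path is the documented default;
the alphanumeric challenge format and the PG_SHARED_KEY variable are assumptions.
"""
import os
import re
import subprocess
import sys
from typing import List, Optional

# Documented default install directory for the console tools (adjust if relocated).
TOOL_PATH = r"C:\Program Files\Avecto\Privilege Guard Management Consoles\PGChallengeResponse.exe"

# The documentation says challenge codes are 8 characters; "alphanumeric" is our assumption.
CHALLENGE_RE = re.compile(r"[A-Za-z0-9]{8}")
DURATIONS = ("once", "session")  # documented values for the optional duration argument


def is_valid_challenge(code: str) -> bool:
    """True when the code has the documented 8-character form (alphanumeric assumed)."""
    return CHALLENGE_RE.fullmatch(code) is not None


def build_command(challenge: str, shared_key: str, duration: Optional[str] = None,
                  tool_path: str = TOOL_PATH) -> List[str]:
    """Validate the inputs and return argv for PGChallengeResponse.exe.

    Validation happens before anything executes, so a mistyped challenge code
    fails fast instead of producing a meaningless exit code.
    """
    if not is_valid_challenge(challenge):
        raise ValueError("challenge code must be exactly 8 alphanumeric characters")
    if not shared_key:
        raise ValueError("shared key must not be empty")
    argv = [tool_path, challenge, shared_key]
    if duration is not None:
        if duration not in DURATIONS:
            raise ValueError(f"duration must be one of {DURATIONS}")
        argv.append(duration)
    return argv


def generate_response_code(challenge: str, shared_key: str, duration: Optional[str] = None,
                           tool_path: str = TOOL_PATH, runner=subprocess.run) -> int:
    """Run the utility and return its exit code, which carries the response code.

    stdin is closed so the tool cannot wait on an interactive Shared Key prompt,
    and a timeout bounds the call if the process hangs for any other reason.
    """
    argv = build_command(challenge, shared_key, duration, tool_path)
    completed = runner(argv, stdin=subprocess.DEVNULL, capture_output=True,
                       text=True, timeout=30)
    return completed.returncode


def constructed_runner(exit_code: int):
    """Stand-in for subprocess.run used for offline testing; mimics the exit-code contract."""
    def run(argv, **kwargs):
        return subprocess.CompletedProcess(argv, exit_code)
    return run


if __name__ == "__main__":
    # Usage: PG_SHARED_KEY=<key> python respond.py <challenge> [once|session]
    # Reading the key from the environment keeps it out of shell history.
    key = os.environ.get("PG_SHARED_KEY")
    if not key or len(sys.argv) < 2:
        sys.exit("usage: PG_SHARED_KEY=<key> respond.py <challenge> [once|session]")
    chosen_duration = sys.argv[2] if len(sys.argv) > 2 else None
    print(generate_response_code(sys.argv[1], key, chosen_duration))
```

Because the utility's own interface takes the shared key as a command line argument, the key is visible in the process list for the lifetime of the call; run the wrapper on an administrative host rather than on a shared machine, and keep the key in a secret store or environment variable rather than in the script.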

Message text

All of the text in the message can be configured in the Message Text section. You can add an additional language here and localize the text that you enter for the message text.

We recommend you change the default text strings, as they are all English placeholders. After you change the message text, click Update to see your changes applied to the preview message.

The text in any text string can include parameterized values which provide more personalized messages for users.

Languages

You can configure the text in the messages to display a language of your choice. To add a new language, click Add Languages and select the language you want to use from the dropdown list. You can set this language to be the default language by clicking Set As Default.

Endpoint Privilege Management for Windows checks the locale of the user's language and tries to match it to a language that you've set up in Endpoint Privilege Management for Windows. If it finds a match, the strings for that language are displayed for the message text. If it doesn't find a match, the language you have assigned to be the default language is used.

ℹ️

Note

Endpoint Privilege Management for Windows doesn't localize the text into the language you selected. You must edit the message text in your chosen language.

If you have more than one language, you can set the default language. This is the language that will be used if an end user is using a language that is not defined. The default language is set to English, but you may change the default language:

  1. Select the language you want to set as the default language.
  2. Click Set As Default.

ℹ️

Note

If you delete a language that has been set to the default language, the language at the top of the language list is set to the default language. You must always have at least one language defined.

General

  • Caption controls the text at the top of the dialog box.
  • Header Message controls the text to the right of the icon in the header if it's shown.
  • Body Message controls the text at the top of the main message.
  • Refer URL controls the hyperlink for the Reference URL if you selected to show it in the Message Design.
  • Refer Text controls the text of the hyperlink for Reference URL if you selected to show it in the Message Design.

Information

  • Message Mode determines where the message can be assigned. Messages can be assigned to Application Rules, On-Demand Application Rules, and Content Rules. Select Automatic to allow the rule type to determine the information that is displayed (Application or Content). Select Manual to enter your own information in the custom fields. This information is displayed irrespective of the type of rule.
  • Application Line One Label controls the first line. For Automatic mode, this is the Application Program Name.
  • Application Line Two Label controls the second line. For Automatic mode, this is the Application Program Publisher.
  • Application Line Three Label controls the third line. For Automatic mode, this is the Application Program Path.
  • Content Line One Label controls the first line. For Automatic mode, this is the Control Content Name.
  • Content Line Two Label controls the second line. For Automatic mode, this is the Content Owner.
  • Content Line Three Label controls the third line. For Automatic mode, this is the Control Program.

Publisher

  • Program Publisher (Unknown) controls the text that is displayed for the variable [PG_PROG_PUBLISHER] if it's not known.
  • Verification Failure controls the text that is displayed next to Publisher if the publisher verification fails.

Endpoint Privilege Management for Windows verifies the publisher by checking that a publisher is present and that the certificate associated with that publisher is signed. It does not check whether the certificate has been revoked, because a revocation lookup is slow and relies on network connectivity. Instead, it relies on the local certificate store being kept up to date with revoked certificates, which is standard operation because the full chain should be in the local certificate store.
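The language fallback described under Languages and the placeholder substitution used by message text (such as [PG_PROG_PUBLISHER] falling back to the Program Publisher (Unknown) text) can be illustrated together. The code below is an added example and not BeyondTrust code: `MESSAGE_TEXT` is a constructed configuration, the language-prefix fallback (matching de-AT to a configured de-DE) is an assumption beyond the exact match the documentation describes, and only the documented [PG_PROG_PUBLISHER] placeholder is substituted.

```python
"""Resolve the display strings for a message: language fallback plus placeholder
substitution. Added example; not BeyondTrust code. MESSAGE_TEXT is constructed
sample configuration; the language-prefix fallback is an assumption.
"""
import re
from typing import Dict, Tuple

Strings = Dict[str, str]

# Constructed sample configuration: strings per language; the first key is the
# top of the language list, which becomes the default if the default is deleted.
MESSAGE_TEXT: Dict[str, Strings] = {
    "en-US": {
        "Caption": "Elevate application",
        "Body Message": "Publisher: [PG_PROG_PUBLISHER]",
        "Program Publisher (Unknown)": "Unknown publisher",
    },
    "de-DE": {
        "Caption": "Anwendung erhoehen",
        "Body Message": "Herausgeber: [PG_PROG_PUBLISHER]",
        "Program Publisher (Unknown)": "Unbekannter Herausgeber",
    },
}
DEFAULT_LANGUAGE = "en-US"
UNKNOWN_KEY = "Program Publisher (Unknown)"

PLACEHOLDER_RE = re.compile(r"\[(PG_[A-Z_]+)\]")


def select_language(user_locale: str, languages: Dict[str, Strings], default: str) -> str:
    """Exact locale match first, then (assumption) same language tag, then the default."""
    if user_locale in languages:
        return user_locale
    prefix = user_locale.split("-")[0].lower()
    for lang in languages:
        if lang.split("-")[0].lower() == prefix:
            return lang
    return default


def render(template: str, values: Dict[str, str], unknown_publisher_text: str) -> str:
    """Substitute [PG_...] placeholders; an absent publisher shows the configured
    'unknown' text, and placeholders with no value are left untouched."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = values.get(name)
        if name == "PG_PROG_PUBLISHER" and not value:
            return unknown_publisher_text
        return value if value else match.group(0)
    return PLACEHOLDER_RE.sub(substitute, template)


def message_for(user_locale: str, values: Dict[str, str],
                languages: Dict[str, Strings] = MESSAGE_TEXT,
                default: str = DEFAULT_LANGUAGE) -> Strings:
    """Return the rendered strings the user would see for their locale."""
    strings = languages[select_language(user_locale, languages, default)]
    unknown = strings[UNKNOWN_KEY]
    return {key: render(text, values, unknown)
            for key, text in strings.items() if key != UNKNOWN_KEY}


def delete_language(languages: Dict[str, Strings], default: str,
                    lang: str) -> Tuple[Dict[str, Strings], str]:
    """Remove a language without mutating the input. If it was the default, the
    language at the top of the list becomes the default; the last language
    cannot be removed because at least one must always be defined."""
    if lang not in languages:
        raise KeyError(lang)
    if len(languages) <= 1:
        raise ValueError("at least one language must remain defined")
    remaining = {key: val for key, val in languages.items() if key != lang}
    new_default = default if default in remaining else next(iter(remaining))
    return remaining, new_default


if __name__ == "__main__":
    # A French user with no configured language gets the default (English) strings,
    # and an unverifiable publisher shows the 'unknown' text in that language.
    print(message_for("fr-FR", {"PG_PROG_PUBLISHER": ""}))
    print(message_for("de-DE", {"PG_PROG_PUBLISHER": "Example Corp"}))
```

The publisher fallback is the interesting edge case: the "unknown" text is taken from the selected language, so the fallback string is localized even though the application metadata is not.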

User reason

  • Reason controls the text above the field where the end user can enter their reason.
  • Reason Error Message controls the text that is displayed if the end user clicks Yes and doesn't enter a reason.
  • dropdown list prompt controls the text above the user reason prompt.
  • User Reason List allows you to select from the user reasons. You can modify the User Reason List using the Add, Edit, and Delete buttons.

User authentication

  • User name controls the text adjacent to the field where the user enters their user name.
  • Password controls the text adjacent to the field where the user enters their password.
  • Domain controls the text below the password field that introduces the domain.
  • Unauthorized credentials controls the text that is displayed if the end user enters credentials that aren't valid for the requested operation.

Challenge / response authorization

  • Header text controls the text that introduces the challenge/response authorization.
  • Hint text controls the text that is in the response code field for challenge/response messages.
  • Information Tip Text controls the text above the challenge and response code fields.
  • Error Message Text controls the text that is displayed to the end user if they enter an incorrect response code and click Yes.
  • Maximum Attempts Exceeded Message Text controls the text that is displayed to the end user if they exceed the allowed number of challenge/response attempts.

Smart card authorization

  • Card Prompt controls the text that introduces the card prompt.
  • Card Reading controls the text that is displayed when the card is being read.
  • Card Pin controls the text that is displayed when the card pin is provided.
  • Card Error controls the text that is displayed if there is an error reading the card.
  • No Certificate Error controls the text that is displayed when there is no certificate.
  • Incorrect Certificate Error controls the text that is displayed when there is an incorrect certificate.

Buttons

Depending on the message options the message box has either one or two buttons:

  • For a prompt, the message box has OK and Cancel buttons.
  • For a blocking message with Allow user to email an application request enabled, the message box has OK and Cancel buttons. We recommend you change the OK button text to Email, unless you make it clear in the message text that the OK button sends an email request when clicked.
  • For a blocking message with Allow user to email an application request disabled, the message box has only an OK button.

You can change the OK Button and Cancel Button text. For instance, you can change it to Yes and No if you are asking the end user a question.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.