PACKAGE MANAGER INSTALLATION GUIDE
What is the EPM Package Manager?
The EPM Package Manager (Package Manager) is an optional feature which helps organizations install and maintain the Endpoint Privilege Management client and the EPM adapter.
The Package Manager runs on the endpoint as a Windows service (named BeyondTrust Endpoint Privilege Management Package Manager) on the endpoint.
The Package Manager runs on the endpoint as a macOS process (named PMCPackageManager).
How is it useful?
The EPM Package Manager installs and maintains the EPM client and adapter across your estate, and it can automatically update your endpoints when it detects a new version of the EPM client and/or adapter.
In EPM, you can:
- configure the Package Manager installation string
- download the Package Manager installation executable
- configure update settings for a computer group
- track computer and computer group updates
- set throttling and preferred update times so that updates can be strategically and safely installed.
Package Manager is designed to check for updates on the EPM-Mac and EPM-Windows clients, the EPM Adapter, and the Package Manager.
- Package Manager checks in with EPM after the initial installation. This occurs within three minutes of the Package Manager installation.
- After the initial check-in, Package Manager checks in with EPM every two hours.
Note
Package Manager self-updates automatically when a new version is detected. There is no configuration required for Package Manager updates.
Why did an update not occur on my installed Package Manager?
An update may not take place because:
- The client or adapter is already updated to the version configured in EPM.
- The throttling threshold is reached and the endpoint must wait for updates.
- The computer group is not yet configured for updates to take place.
- Package Manager is not enabled for the group.
- Automatic updates or updates to a specific version are not configured for the group.
Installation workflow for auto-update
When setting up auto-update, you can complete the tasks in any order. The main configuration tasks are:
- Install Package Manager
- Set group updates
Important information about the Package Manager
The Package Manager is designed to check for updates on these components: EPM-M and EPM-W clients, EPM Adapter, and Package Manager.
- Package Manager checks in with EPM after the initial installation. This occurs within three minutes of the Package Manager installation.
- After the initial check-in, Package Manager checks in with EPM every two hours.
Note
Package Manager self-updates automatically when a new version is detected. There is no configuration required for Package Manager updates.
An update may not take place for several reasons, including:
- The client or adapter is already updated to the version configured in EPM.
- The throttling threshold is reached and the endpoint must wait for updates.
- The computer group is not yet configured for updates to take place.
- Package Manager might not be enabled for the group.
- Automatic updates or updates to a specific version are not configured for the group.
Note
Automatic updates do not work with adapters using the ic3Adapter user. Those adapters must be upgraded manually to any supported version and the ic3Adapter user changed to the LocalSystem user.
Install the Package Manager to a Windows machine
1. Download the Package Manager to your Windows machine.
- From the left menu, click Configuration > Package Manager Installation.
- Select an installation key and group name.
These settings are required. Without both of these fields, Package Manager will not install. - Select Windows.
- Optionally, enable Start Package Manager automatically to automatically start the Package Manager service running on the endpoint.
The install command automatically populates with default settings based on the installation key and computer group. - Click Download Package Manager.
- Follow the on-screen prompts to complete installation on the machine.
2. Use proxy settings.
You can pass the proxy settings as arguments to the Package Manager installer. Use the following parameters:
PROXYADDRESS=<proxyUrl|NONE|""> AUTODETECT=<true|false> USESYSTEMDEFAULT=<true|false> BYPASSONLOCAL=<true|false> SCRIPTLOCATION=<script_location_url>
The proxy setting can be used by the adapter if the proxy setting is updated first, and then the adapter is installed by Package Manager. The Package Manager uses only the PROXYADDRESS parameter; all other parameters are saved for the adapter and not used by the Package Manager.
3. Restart services.
After resetting the Adapter or Package Manager, you must restart the services.
Note
It is not recommended to reset both the Adapter and Package Manager on the same machine.
Doing so causes the Adapter and Package Manager to attempt to activate and register with EPM, resulting in two active entries for the same computer.
In this scenario, stop the Package Manager service, uninstall the Adapter, and then reset the Package Manager. Once the Package Manager is active, the Package Manager installs the Adapter with the auto-update configuration.
Windows Adapter Reset tool
The Adapter Reset tool is installed with Package Manager. Use the tool to reset the adapter to factory default values.
Install the Package Manager to a macOS machine
Note
We recommend using Mobile Device Management (MDM) software to deploy the macOS Package Manager.
1. Download the Package Manager.
- From the left menu, click Configuration > Package Manager Installation.
- Select an installation key and group name.
These settings are required. Without both of these fields, Package Manager will not install. - Select macOS.
The install command is automatically populated with default settings based on the installation key and computer group. - Click Download Package Manager.
- Click Download script or Copy script to clipboard.
2. Optionally, install the Package Manager locally on a single macOS machine.
After downloading the Package Manager:
- Using Terminal.app, run the downloaded script from the portal.
For example:
sudo bash ~/Downloads/PrivilegeManagementConsolePackageManagerInstallerScriptForMac.sh
- Run the downloaded Package Manager package.
3. Optionally, install the Package Manager to multiple macOS machines with mobile device management (MDM) software.
After downloading the Package Manager:
- Access your MDM.
- Upload the Package Manager package.
- To do this in Jamf, go to Settings > Packages > Add
- Upload the downloaded or copied script.
- To do this in Jamf, go to Settings > Scripts > Add
- Create a policy to deploy the uploaded package and script.
- To do this in Jamf, Computers → Policies → New
- Add a policy name and select a trigger option.
- Configure the package section with the downloaded package.
- Configure the script section with the downloaded script.
- Ensure to select Before in the priority section.
- Add a scope.
- Save the new policy.
<details><summary>3a. Deploy a configuration profile from your mobile device management software.</summary>
Most software that deploys via MDM software requires a configuration profile to ensure the correct permissions are set on the macOS endpoints. BeyondTrust provides a configuration profile for Packager Manager and EPM for Mac software to work correctly.
- From the left menu, click Configuration > Privilege Management Installation.
- Download the Privilege Management Configuration Profile for macOS file.
The minimum version required is 2.1.0. - Access your MDM software.
- Create a configuration profile to deploy the configuration profile.
- To do this in Jamf, go to Computers > Configuration Profiles > Upload.
- Select the downloaded configuration profile.
- Click Upload.
- Add a scope.
- Save the configuration profile.
Uninstall the Package Manager from a macOS machine
To uninstall the macOS Package Manager for any reason, run the uninstall script similar to other BeyondTrust macOS products.
- On an endpoint where the Package Manager is installed, run the following command with sudo access:
sudo /Applications/BeyondTrust/PMCPackageManager.app/Contents/Resources/uninstall.sh
The command removes all settings files of the Package Manager and the application but not any installed client or adapters.
Set rate limit preferences
Set the rate limit when there is a large number of endpoints in your environment. Limit the number of endpoints that update at the same time to reduce the load on your network.
- Go to Configuration > Package Manager Settings.
- Click the Enable Rate Limit for Package Manager toggle.
- Configure the number of computers to update on an hourly basis. We recommend using the default value of 5,000 computers.
- Click Save Changes.
Set group updates
There are two parts to setting up Package Manager on a computer group:
Apply a version.
- Latest version: The connected computers try to install the newest version available.
- Specific version: The connected computers try to install versions selected on the Manage Updates panel.
Configure EPM-M and EPM-W installation parameters to include in the package.
Package Manager self-updates automatically. No configuration is required.Set the updates:
- Go to Computer Groups, and then select the View Group Details menu for the group you want to set up.
- Select the Updates tab.
- Select Manage Updates for your OS.
The Enable Package Manager toggle activates after you select and save settings. Disable Package Manager if you want to manage updates on one or more computer groups at a time. - Select the preferred method to update computers:
- Select Latest Version to update Endpoint Privilege Management and the EPM Adapter to the latest version of each component. Select Other Version, and select a specific version for the client and adapter. You cannot select a previous version after selecting and deploying a version; there is no downgrade process in place.
- Click Save Changes.
- Click Client Settings.
- Select the options to apply to your endpoints.
- Click Save Client Settings.
Track computer updates
A status displays during updates to help you determine the state of the update. The status of an update displays on the Computer Groups page and the Computers page in the following areas:
- Computer Groups page in the Update Settings section
- Computer Groups page in the Client/Adapter Status columns
- Computer Groups Details page on the Updates tab
- Computers page in the Adapter Status and Client Status columns
- Computer Details page on the Summary tab
Status messages at the Computer Groups level
- (Group is) Awaiting Updates: At least one of this group’s computers have started updating and the remaining computers are expected to follow.
- (The Group’s) Update Failed: At least one of this group’s computers has encountered an error during its update.
- (Group is) Up to Date: Every one of this group’s computers have been updated to the current settings for the group.
- (Group is set to) Manual Updates: The Package Manager is not enabled for the group.
Status messages at the Computer level
- (Computer is) Awaiting Update: This is one of the following:
- The Package Manager is enabled for the computer’s group.
- The Update Settings for the group are set (auto or specific version).
- The Package Manager is actively checking into EPM to see if it needs to update the computer.
- (The Computer’s) Update Failed: An error occurred when the computer was trying to update. An error message is captured and sent to EPM to help diagnose the issue.
- (Computer is) Up to Date: The computer is up to date with the Update Settings configured on its group.
- Computer is set to) Manual Updates: The Package Manager is not enabled for the computer’s group.
Updated 3 days ago