Recently active topics

Hi Team,I am trying to create the EntraId group in Beyondtrust password using API. I am calling below API to do it https://jlr-uat.ps.beyondtrustcloud.com/BeyondTrust/api/public/v3/usergroupsBelow is the body param I am providing {"isActive":"true","groupType":"EntraID","groupName" :"LINADMINXX-LIN-T-USR","description" :"LINADMINXX-LIN-T-USR","TenantId" : "5....","ClientId" : "3873..","ClientSecret" : "d....."}Client Id and client secret is correct. I have provided below permission to group which has API key configured   When I am trying to create the group for group type as Entra Id I am getting error message which says ""Unsupported group type: EntraID"I am following below documentationhttps://docs.beyondtrust.com/bips/reference/post-api-public-v3-usergroupsIn event logs I see below error Warning DetailsMessageBadRequest (400) - "Unsupported group type: EntraId"Exception--ThreadId102HttpRequestIde7d013ef-d20f-46c9-9e37-066becb213b0SourceServicepublicapiStatusCode0ElapsedMilliseconds0

Hello Everyone, I had a quick question and wanted to check with the group. Is there a way to discover all the databases on an OS without providing any DB credentials? Basically, does the scan agent use OS-level creds to get into the system and pick up the available databases the same way it finds accounts? Thanks,Prasad

Hello Team, We are looking for KBA article, pointer to know how MongoDB instances can be configured in BeyondTrust Password safe. We are looking for similar option as we do while performing asset scan (with database option checked) for Oracle type databases. Thanks,Prasad

Hello, we have BI PasswordSafe on-prem . When we do IP Discovery scan against 50+ network devices for some of the devices , IP address is added as an Asset after the scan, instead of hostname , I think IP Discovery scan would just query the DNS and add the hostname as an asset along with IP address as details for that asset. All devices have similar DNS entries (hostname : IP ). But for some devices the scan add hostname as an asset - which is the desired outcome , but for others IP address is added as asset

Hi All,In PRA, we have a SAML security provider configured for user authentication and provisioning. User will only be provisioned when they first-time logged in.Is there anyway we can pre-provision the users by LDAP/AD Group synchronization similar functionality as Password Safe (without using SCIM). Thanks, 

We would like to confirm the current behavior of the sorting function on the Events page in Privilege Management Console.Environment : Privilege Management Console 25.8.865Location in the UI : Home > Analytics > EventsObservationOn this page, only a few fields such as the following display a triangle sorting indicator next to the column label: VirusTotal Score Time Since Last Lookup Other fields do not display this indicator.In addition, when the triangle icon is clicked, the icon changes direction (upward / downward), but the actual list order does not appear to change.Questions Is it expected that only certain fields show the sorting indicator? Is the sorting function currently implemented only for specific fields? Enhancement requestIf sorting is intended to be available, it would be helpful if: the sorting indicator and functionality were consistently available across sortable fields, and clicking the indicator clearly changed the sort order of the list. For reference,

Hi All,I have got the PWS to PRA connection working, I can see my managed test account in PRA but when I try and use the cred store to connect, I get the following error. (Could not find a schedule to use with this release request)I have followed the guide (BeyondInsight / Password Safe - Unable to pull Password Safe Credential via ECM. Error: "Could not find a schedule to use with release request".)Any ideas where I can start to look? log? or have I missed something simple?

I am opening this post to discuss solutions for upgrading Remote Support in an enterprise environment where all software, including the Representative Console, must be distributed via Microsoft Intune. Users cannot install or upgrade software themselves directly from the Download Console page, which often leads to downtime during upgrades.Our current approach is:Upgrade the backup appliance first to obtain the latest software and prepare the Intune package in advance. On rollout day, ensure the new version is available in Intune, then temporarily switch the backup appliance to primary so users experience minimal interruption. Behind the scenes, we will upgrade the original primary appliance, then revert to the normal setup.However, this method has limitations: during the backup/primary appliance upgrade, there is no failover, and data synchronization may be affected.What strategies have you used to handle similar upgrade challenges in Intune-managed environments?

For those who are looking to start out on building block lists for EPM, below are some tips and resources available. Analytics can shift this exercise from ‘blocking by vibes’ to data-informed changes. Tips for Implementing a Block Rule: Check your analytics for application definitions that match your anticipated block rule This can help determine estimated impact Check your policy for allow rules that may match your block (either on purpose or by accident) If so, then your allow or block may need to be altered to not conflict Block Rules are the only time you’re going to want to be more generic, and typically the widest net possible. It’s the opposite of allow rules where we recommend more than one definition Examples: One rule for the Publisher One rule for the file name of the executable One rule for the Product Name Block rules will only block what can be managed by EPM - seems redundant but a general guide I have is that if the configuratio

I tried to install my EPM for Windows Local AD connector on a server but it failed on the activation part.Error is:[ERR] [BT.LocalAdConnector.Services.ActivationService] [9] Activation failed.System.Net.Http.HttpRequestException: No such host is known. (xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com:443) ---> System.Net.Sockets.SocketException (11001): No such host is known. My server is connected to my proxy server for external access and I have the policy opened from my server to xxxxxx-xxxxxxxxx-services.pm.beyondtrustcloud.com but it is not getting triggered at all. Am I missing something here? do I need any additional URL for the activation of the AD connector?

We have seen an issue where in some scenarios, it may be possible to connect to a user’s screen without requiring their acceptance. When you initially establish a jump session and perform Shell work to fix an issue, users may have their screen locked or logged out.  Unfortunately, the session policies do not appear to re-evaluate, so whatever the status of the device was when you established the jump session is held throughout the session. A workaround would be to disconnect the jump session and establish a fresh session before you use the screenshare function, which would then pick up the user is logged on and present the prompt.For example:User reports an issue on desktop, walks away.The machine is connected to (Shell, System etc but not screen sharing).User returns and unlocks the machine.Screen sharing is started from the Rep Console.Due to the existing session already established (using Shell and System Information), no prompt for the user to accept is required, and it connects to

Can anybody let me know what are the BeyondTrust certifications on Endpoint Privilege Management and how can I get those certifications?I am unsure of all the certifications and the process involved in acquiring them. So, any help would be greatly appreciated. 

Hello Everyone,We are currently developing API scripts to automate some functionalities within BeyondTrust. As part of this effort, we seek guidance on an API script that can provide comprehensive information about a user group.We are aware of the "GET UserGroups" API, but it does not include details about assigned users, Smart groups, and enabled features. Although we know there are separate calls to retrieve this information individually, we are looking for a way to obtain all this data in a single call. Thanks,Prasad

Recently, we upgraded several customers to versions 25.1.1 and 25.3 of Password Safe/BI, and we have encountered an issue when accessing some SSH devices:"Managed system host key check is enabled but the list of accepted host keys is empty."In some cases, enabling the Auto Accept Initial Key property on the Managed System resolves the issue.However, for certain managed systems, this setting causes access problems.Has anyone else experienced this behavior or found an definitive and clear solution?

Dear all,I am seeking your assistance regarding a challenge we are facing in our current project to present events generated by the EPM-W Agent in PowerBI.As you are aware, the GUI allows us to download up to 5 million records, but this process is often time-consuming, especially when the data size reaches several gigabytes. Additionally, I recently learned that the API has a limit of only 10,000 events per request, which is insufficient for our environment. We generate approximately 455,882,549 events over a 30-day period. While I am actively working to reduce the number of events, this is our current situation.Your advice on how to efficiently process and visualize such large datasets in PowerBI would be greatly appreciated. Specifically, if there are ways to increase the API limit or alternative best practices for handling this scale of data, please let me know.

HiI am facing one issue with Application onboarding i have onboarded ssms as application however when i am trying to launch it from password safe, rdp session connects and automatically disconnects within seconds. it simply signs out me of rds server. login account has access to rds server.have you faced this issue any idea how to solve this RegardsImran

Hello everyone, Is there any way to filter the linking of domain accounts in Oracle databases?In my environment, I have some accounts that are linked to Windows servers. However, this link is extending to Oracle databases located on these same servers.So when I go to Password Safe > Directory Linked Accounts and filter by the server in question, the credentials appear duplicated, pointing to the Server system and the Database system.We don't use these domain accounts to access the Oracle databases, and I understand that this link is being replicated by the smart rule created for linking the accounts to the server only. This is also causing me problems with the Secret Cache replication, which is collecting the passwords of these accounts and registering the database as the System, and not the System I registered for these accounts to be linked. Regards,Rudolf.

Hi Team, I have requirement wherein I need to open Browser as RunApp. I cannot use TargetURL option as targetULR option will open Browser in Private Mode.  We have some restriction and due to which we cannot open the URL in private mode. I am insisted trying to open the chrome/Edge as RunApp option which opens the browser in Normal Mode and ULR is also getting opened.  My next target is click some other link which are present on landing page. I am using TAB key to bring the cursor to link but Tab key is not working and it is not bring the cursor to link on which I want to click.   Hence I am unable to move a head.Below is my basic INI file [General]RunApp="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe %targeturl%"[TaskSequence1]SendKeys={TAB}{TAB}{TAB}{TAB}{TAB} Has any one face similar issue ? can anyone please tell me how was it solved. thanks in advance Regards,Imran Aliyani

Hello everyone. In managing accounts in our environment, I've identified some accounts that fail during password testing. "Error[9] - code: 49, error: The supplied credential is invalid.The password for 'ACCOUNT' on domain 'DOMAIN' is invalid..." What I've identified is that this is caused by the account only being able to log in on two devices on the network, defined in the "Log on to..." option of Active Directory.Removing any device from this list makes the test work correctly.This makes sense because the password test is simply a login to a Domain Controller to validate if it's correct. Now comes the question... Is there any way to make this password test work even with devices listed in Log on to...?The only way I thought of would be to add the domain controller to the "Log on to" list. But then I would have to add all the Domain Controllers in our environment or limit it to a single Domain Controller that this account will be managed on, right? Has anyone else experienced this? R

In BeyondTrust Password Safe, Cloud  why are some manually added assets unable to change the assigned workgroup? The option appears unavailable & disabled.  

For one of the end user is not able to access Linux machine and getting below error, tried uninstalled & Installed Desktop access but getting same error however it is working in Web console able to access the server.Could someone please assist to fix the issue?

 Context: The Endpoint Credential Manager (ECM) Software Development Kit for BeyondTrust Privileged Remote Access (PRA)  and Remote Support (RS)  allows developers to leverage a Credential Provider other than the one included (Vault) to allow Users to inject credentials when for accessing a Jump Client, a Web Jump, etc. This guide covers a specific example:  CyberArk Self-Hosted aka on-premises, Cloud. This guide also shows how to create a Custom Source to manage the configuration and credentials needed for the Plugin to authenticate to PRA and RS on one side, and to CyberArk on the other side. ######  IMPORTANT:  A new version is available via Reply below.  ####### Jump Client example leveraging CyberArk  secret. Note: Secure Remote Access (SRA) is used to refer to both PRA and RS. IMPORTANT: The example ECM Plugin covered in this tutorial has not been tested yet against a live instance of CyberArk Self-Hosted or Cloud, and is based on documentation only for the CyberArk Cloud REST AP

Hello, how are you?Has anyone else encountered problems importing a .csv file and received this message?I tried downloading credentials directly from the vault and then tried importing them to another folder within the vault.The profile already has a Workforce license.I also tried with the administrator profile without success.I also used the documentation without success.https://docs.beyondtrust.com/bips/docs/secrets-safe-configure-bi-cloud The import could not be performed. 

I’m posting this to see if anyone has run into this situation to see what their outcome was. We currently have two devices that do not show an active policy on the client, the platform shows a policy and that it is connected, but the device will not pull a policy. We have tried using the agentprotectionutility to generate a token but that token does not work. We have tried this with several computers, verified the token does work on a device that is not having the issue. Now we’ve tried moving that device to a test policy with agentprotectionstate set to 0, requested update from the device through the BT platform, rebooted the device, same issue. This device will not show a BT prompt for anything, UAC for everything, unable to modify any registry settings regarding BT, token does not work, moving to another policy with agentprotection disabled didn’t change anything. Reinstalling the agent doesn’t change anything. At this point it seems like there is nothing else that can be done and s

Out shop is using BeyondTrust 25.2 and soon upgraded to 25.3  I find the current reporting and analysis is quite limited in terms of functionality.  I would like to see if you faced the same or any other circumventions.  I regarded my requirements quite elementary however, it turns out to my very big despair. In fact, my intention is to produce a holistic entitlement report for review purpose.  Our interest is to export an excel like format with  user id                            list of managed accounts                                       role (requestor/auditor/approver)  Now, I try to use smart rule details of password safe.   However, the structure of this is totally unacceptable as if you want to download.   100 Smart rules will need to download 200 times which is very time consuming other next, is to associate by table join to group entitlement report as I don’t want reviewers to know which groups and in particular smart groups which are no meaning to them as well as they are