Recently active topics

Can BeyondTrust Password Safe support strict logical segregation between two departments (Network Division and IT Security Division) within the same Password Safe deployment, ensuring no visibility of assets, accounts, users, or sessions across divisions? Component Network Division IT Security Division PAM Admin Network PAM Admin Security PAM Admin Assets Network devices Security infrastructure Accounts Network privileged accounts Security privileged accounts Users Network engineers Security engineers Policies Network-specific Security-specific Reports Network only Security only Configuration Network Only Security Only

PRA requires a user to login a first time in order to be available in PRA for example to assign vault accounts.Unfortunately this is causing problems with new employees which are onboarded into PRA.Unless they have never logged in, administrators cannot assign personal vault accounts. If the user logs in, and does not see his/her vault account, they create tickets. This is a very large customer and it is difficult to orchestrate / communicate such a process and they would like to automatically provision new users (from AD). How do other customers provision users up-front and define vault accounts, etc. and not depend on a user’s first login?  

hi guys, is there a way to get a list of AD managed systems without linked accounts? thank you

Jump SQL management studio with credential injection on PRA

I have multiple Database admins I need to give access to our database for. We have no resources for PAW or Internal Admin machines. Is it the purpose of Beyondtrust SQL server tunnels to be ran on BYOD device and have them tunnel SQL Studio traffic to my on prem SQL server? Has anyone done this? I believe I have the tunnel up. How do you use Management studio? My “Open datasource Client” is grayed out. How do the credentials work? Do the credentials I use for the tunnel work for everyone using the tunnel? Or do I need to create one tunnel per person? 

I have strange behavior in my PasswordSafe.I am using an application session, and when I try to start an RDP Session / Start Application Session: When using the option to run on a different system with the functional account, it works perfectly. When using the option to run on the current system with the user account, the RDP session does not start. It shows a black screen for some time and then closes. When I checked the logs in the second case, I found the following: INFO: Accepted RDP session 1234 for 1.2.3.4:1234 INFO: RDP Handler 1234 starting INFO: Found RDP certificate: My:.... INFO: Reading self signed cert INFO: (RDP server) Client Security: NLA:1 TLS:1 RDP:0 INFO: (RDP server) Negotiated Security: NLA:0 TLS:1 RDP:0 INFO: (RDP server) Server Security: NLA:0 TLS:1 RDP:0 ERROR: (RDP server) BIO_read returned a system error 0: No error ERROR: (RDP server) transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] ERROR: (RDP) BIO_should_retr

I can see several old sessions still appearing in the Active Sessions list in Password Safe, even though only today’s sessions should be showing. 

Hi everyone, have any of you implemented High Availability using a proxy server, or worked with customers who have deployed this setup? If so, I’d appreciate hearing about your experience, challenges, and overall results.Please share any relatable articles, would appreciate it. Thanks! 

Does anyone know how to implement this remediation - the instructions are very vague. BT23-08 | BeyondTrust

I would to like to know the any limitation for copying file from  local to remote by using shell jumpafter updating the PRA 25.2.3 users are unable to copy the file from local to remote by using shell jump but vise versa it is possible.if file size is less than 32 kb its copying fine but it its bigger then its corrupted to 32kbI am using  Copy paste only.

Dear colleagues,I have a bunch of feature requests on the ideas portal, which I would like to get some traction on.So, if you agree with me on any of these give them a vote so BT can start making things happen.https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-2180https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-2167https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-1922https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-2161https://beyondtrust-public.ideas.aha.io/ideas/T2EPM-I-1813These are specific for just the PM Cloud.Kind regardsJens 

The following articles were published last week. New Knowledge Base Articles: KB0022556 - Linux Debian 11 Jumpoint down after update - error while loading shared libraries KB0022857 - Representatives cannot see Remote RDP jump assigned to them KB0022963 - What version of RS and PRA supports the Password Safe connection for Vault discoveries? KB0023125 - Vault Password Safe Discovery connection fails - Failed to connect to Password Safe Client KB0023140 - What is Secure Remote Access (SRA)?

The following articles were published last week. New Knowledge Base Articles: KB0022556 - Linux Debian 11 Jumpoint down after update - error while loading shared libraries KB0022857 - Representatives cannot see Remote RDP jump assigned to them KB0022870 - SQL Server Tunnel fails - Access Console SQL Jump error: "Unable to find suitable datasource client" KB0022963 - What version of RS and PRA supports the Password Safe connection for Vault discoveries? KB0023125 - Vault Password Safe Discovery connection fails - Failed to connect to Password Safe Client KB0023130 - Session starts after one approval despite two approvers being set in Jump Policy KB0023140 - What is Secure Remote Access (SRA)?

The following articles were published last week. New Knowledge Base Articles: KB0021755 - How to enable the policy cache for Endpoint Privilege Management for Mac KB0021847 - EPM-W client failing to install "Error 2738. Could not access VBScript run time for custom action" KB0022165 - Application group rule filter is not working for Entra ID groups KB0023122 - Installer package fails even when elevated by EPM-M policy - Permissions error KB0023136 - How to change the driver method to IDT KB0023142 - Quick Start template changes regarding Microsoft Recommended Blocks for WDAC-bypassing applications KB0023144 - EPM Quick Start template and policy changes - Changelog

The following articles were published last week. New Knowledge Base Articles: KB0021856 - After upgrading to 24.3 or higher, Create New Safe button is missing KB0023132 - Resource Broker fails to update with error - [Providers.IdentityServerSettingsProvider.RegenerateToken] Failed to regenerate token. KB0023134 - Where are the files for the Workforce Password Group Policy administrative template (ADMX) found?

Hi,I’m trying to find a good way to secure these generic accounts and still to be able to use them as bt- and buadmin are used on a regular basis for updates and support cases. As I have 4 appliances to manage and have high security requirements I’d need to have individual passwords, with regular changes and changes after access for each of them. It would be a challenge to manage the regular changes and make performing regular tasks challenging.I had posted an idea to use the Enterprise Updater as SPOC (Single Point of Control) which would have it’s own credentials and would have an encrypted key based connection to all appliances. From the Updater one could create individual schedules for the updates and unlock/lock them centrally. This would make tracking, planning and handling of updates a lot easier and only one generic user (buadmin) would need to be secured. I’d prefer a personal account though and leaving the generic account as a breaking glas solution. This would only cover the

Hi All, I wanted to check if there is any API available that I can use to retrieve the password of account ? We are using cloud version of Password safe. With my initial analysis , I found there is any API available that can be used to Set password for account But want to understand if there is any API available to retrieve the password as well?Awaiting response .thanks in advance.

Hi everyone,The end users are experiencing delay and slowness when taking RDP sessions through Password Safe on-prem. Usually they have to read logs and commands and the slow and delayed screen output is becoming a hassle for them, resulting in a very poor user experience.After some researching, I found a commonality in the solution that it an issue with the client’s network, however, they are not ready to accept it.According to them, when they take RDP directly from the U-series appliance, the session is much better but from the Web UI, it’s very delayed and slow.Has anyone here encountered an issue like this, if yes, how did you solve it.Thanks in advance.

Hello All, We have created the custom Mainframe platform to onboard the Mainframe account under Password safe. This functionality is working fine . We have a requirement to onboard the shared Ids on the custom Platform wherein one Id will be accessed  by 8 users.  Here we are facing issue that when one user checks out the Id other user gets the error saying “The account is not available during requested time”. I have seen the below KB article which says concurrent session is not available on Custom/Generic platforms and it asks to change the platform type of system to Windows/Linux which is not possible for us .https://beyondtrustcorp.service-now.com/csm?sys_kb_id=cf6c24fc47a2669015c43e7d826d4394&id=kb_article_view&sysparm_rank=2&sysparm_tsqueryId=6c5caa3f47d436501bf1db37536d43b3 My requirement here is , is there any workaround available which we can use from which users can at least  view the password from Password safe for these shared ids ?.  If users can view the passwo

Hi all,Good day. I have a question regarding the EPM agent for macOS. For this test case, I have two types of endpoints, one Windows and one macOS.I have learned about the agent installation for the Windows endpoint. This one is straightforward for my case since I only have one Windows endpoint for product evaluation. All I need to do is download the package manager and run the command to install it.But, I am still unsure about macOS. Please note that Im not familiar with macOS and this is my first time working with it for a product evaluation. My question is, for macOS, can I use the same method for the agent installation? I mean using a package manager similar to the Windows endpoint since I only have a single macOS machine.Appreciate it if someone could provide the proper guideline and advise on this.Thanks again.

Common challenges with PasswordSafe User Provisioning comes down to the confusion between Smart Rules and Smart Groups, and the concept that PasswordSafe groups are only provisioned if they have permissions assigned to them. You cannot give access to users who are in a group with no permissions.  📌 If you’re wanting an overall yes/no flow if a user can access PasswordSafe or a managed account, please see Whiteboard Workflow Diagrams for PasswordSafe Authentication and Permissions | Community In the effort to share the knowledge, I’m sharing the raw whiteboard notes I have around an approach to thinking about PasswordSafe User Provisioning. Whiteboards are my first step in understanding any system, and, quite frankly, I’ll never get this article posted if I were to transpose this into writing.  🚩 This is a general case. There are different ways of altering what a user is provisioned to access by using the PasswordSafe configurations.  PasswordSafe Users need a provisioned reasonPasswo

Hi Elevate registry and allow changes only to particular section in registry HKEY_LOCAL_MACHINE\SOFTWARE\xxx and nothing else. So we know we can elevate any .reg files but we need to control because anyone can add anything into the reg file and do changes in registry. So is there any way to do this?

Hi Team,How to block dmg file installation in EPM-M we are unable to block installation for dmg file as well as package installer. The blocking rule is ineffective for application installations, whereas the actions related to allowing or requesting installations are functioning as intended.

The following articles were published last week. New Knowledge Base Articles: KB0022933 - Option missing in Representative Console to deploy support buttons after upgrade KB0023084 - Unable to Jump to the unattended machine. Error "failed to lock session singleton... exiting" KB0023094 - Users can see other team reports despite "View their teams' sessions" policy being set

The following articles were published last week. New Knowledge Base Articles: KB0023016 - What is Session Forensics? KB0023084 - Unable to Jump to the unattended machine. Error "failed to lock session singleton... exiting" KB0023094 - Users can see other team reports despite "View their teams' sessions" policy being set KB0023101 - Do SQL tunnel Jumps record the SQL tunnel session?