Recently active topics

Hi community,I have an integrated PASM environment deployed in Pathfinder. I have a group of dedicated admin accounts that I want to make available to a specific group of users.I configured requester permissions for this user group over the dedicated admin account smart group. The access policy is configured for auto-approval.I want to prevent users from requesting the password directly from the Password Safe user console, so they cannot access the servers without using PRA. To achieve this, I enabled the “API Only Access” option in the access policy, but the users are still able to request the accounts through Password Safe.I verified that:The users belong to only one user group. The only smart group with configured permissions is the one described above.Am I missing something, or is there another way to restrict managed account access?Thank you.

I am trying to configure my SNMP connector but the guides I am seeing (SNMP Trap and Syslog Event Forwarding | BI) have outdated screenshots and new features are not on the details.Has anybody implemented the SNMP event connector yet on their environment? Was wanting to know what are the recommended Authentication protocols and the privacy protocols are.

Is it possitble to generate a Jump Client Installer, that can only be installed once, or that is restricted to specific endpoint? I think the answer is no, but a client really wants this.

Hi All, We are working on a use case where we are observing password change failures due to multiple reasons, to eliminate funtional account failure and get the systems where it is failing, we need either an API or a way where we can test it.  Any idea on how we can do it for bulk systems?Account Type:Local account on Windows Functional account:Domain account on the domain where the servers are hosted Regards,Neha

 Scenario:1. User connects to the target Linux server through PAM using an AD account.2. After login, the user switches to the Oracle/service account using su - oracle.3. When executing the dbca command, the GUI does not launch.Observed Error: DISPLAY not set. Set DISPLAY environment variable, then re-run.However, when connecting directly through SecureCRT SSH (without PAM) using the same AD account and switching to the Oracle account, the dbca GUI launches successfully. SO, the user wants the same dbca GUI to launch through the PAM also, Could anyone suggest how we can proceed further? 

Has anybody ever created a dashboard or some statistics query to show how many RDP (successful and failed) connections were made including session recording? I was just asked by management if we can show them the metrics, say previous month as compared to this month, for example.I did look at the Completed Sessions in Password Safe but even that shows a failed RDP connection as completed so I cannot tell just by looking at that stats whether the RDP has actually connected  successfully or failed. If you actually view the session, I can see a “Failed to connect RDP session” on the screen. And this view is also not exportable

I’m currently testing an agent provided by support to alleviate performance issues and the IC3Adapter service won’t start on the test laptop. Due to Agent Protection being enable I cannot manually start the service either. I’ve tried manually starting the service via command prompt and that does not work either. I’m about to go through the process of reinstalling using safe mode but I’m wondering if someone might have any input. Thanks. 

Use case - someone knows they are working on the weekend and they will need access to a bundle so want to schedule when the request will start I know you can use pagerduty or similar on call tools but in the absense of these…Seems a pretty standard requirement so wonder if I’m just missing a trick somewhere? :)

Hello!We have a recurring issue. There are end-user endpoint devices with the RS client installed. After reinstalling the OS and reinstalling the client, the client no longer connects. Could this be related to an issue with the installed client? We have already performed network tests and everything appears to be working correctly at that level. There are no visible errors; the client simply does not connect.Thanks in advance

Hi,Is the FedRamp version of Password Safe is same as the Password Safe Cloud with Recourse Brokers or Is it a Password Safe On-Prem hosted and maintained by UberEther in their FedRamp environment?If anyone has deployed Password Safe FedRamp, Could you please share your experience, Is it a true Password Safe Cloud?

Hi All,I want to check how long the a generated report via subscriptions on password safe Cloud is retained in the password safe. Post generation the report is available on the “Download Reports” tab / page.  Thanks in advance.

We are currently using BeyondTrust EPM for Windows and macOS under a cloud subscription.On every device where the BT Agent and Adapter have been deployed, the devices stopped reporting back to Intune and the sync services are no longer functioning.Is anyone else experiencing this issue? We would greatly appreciate input from anyone who has faced a similar situation and can share guidance on resolving it as soon as possible.

Hey BeeKeepers! Welcome to another edition of suggesting AI EPM policy rules. This advice is geared at creating a separate AI Workstyle for the exact reason that the space is highly dynamic. This is an evolution from using the All Users workstyle for a global block, and then trying to navigate how to handle exceptions. Note: This space is still highly dynamic! The initial notes in Hunting for Lobsters in EPM Analytics - Openclaw (Clawdbot, Moltbot) | Community still stand. The goal isn’t artisanal policies, or boiling the ocean to catch a few lobsters - they will mutate before being totally captured anyways.   💡 There’s a whiteboard at the bottom of the post from my my analogue thinking to provide a visual of the logic.  TLDRUse an AI workstyle rule to allow for faster changes than typically seen in policy updates All Users - AI - bypass some unintended consequences of AI block rules, or AI that’s actually for all users Block Rule - the default block without any exception handling Blo

Hi Everyone,I have a query regarding session archiving.If a 90-day retention period is configured for session recordings, the recordings are moved to the archive location after 90 days. Later, if the retention period is changed to 30 days, will this new setting apply only to newly generated recordings, while the existing recordings continue to follow the original 90-day retention? Kind Regards,

Hi everyone,Has anyone tested or enabled TOTP for the Managed Accounts, new feature released in v25.3.0.1996? Could you share your experience, is it a good feature to consider for high risk accounts?When I try to enable, I noticed Secret Key should be in a format of “Valid Base32 Secret” or “otpauth://URI”. Looking for more information on the Secret Key integration. Couldn’t find a dcumetation related to this. Thank you

The following articles were published last week. New Knowledge Base Articles: KB0021349 - Freshservice Remote Support or Privileged Remote Access integration receiving: Error validating parameter 'queue_id': No queue exists with the code name "general" KB0022367 - Show my screen option is missing from Representative Console KB0022393 - Is Local Jump supported for Linux Server OS? KB0022396 - What is the average input or output operations per second (IOPS) of the virtual SRA appliance under load? KB0022409 - Is there a way to remove the pop-ups that appear when a support session ends? KB0023456 - Is MFA step-up supported for RS and PRA for credential injection during an active session? KB0023577 - Jump Client screen blank when jumping to RHEL 9.1 and 9.7 machines with Wayland enabled

The following articles were published last week. New Knowledge Base Articles: KB0021349 - Freshservice Remote Support or Privileged Remote Access integration receiving: Error validating parameter 'queue_id': No queue exists with the code name "general" KB0022393 - Is Local Jump supported for Linux Server OS? KB0022396 - What is the average input or output operations per second (IOPS) of the virtual SRA appliance under load? KB0023456 - Is MFA step-up supported for RS and PRA for credential injection during an active session? KB0023536 - PRA outbound email stops working after Microsoft OAuth secret expires KB0023538 - Can vendor users self-activate without approval in Privileged Remote Access? KB0023556 - Jumpoint or Gateway not working on Linux. BeyondTrust Jumpoint is not running KB0023577 - Jump Client screen blank when jumping to RHEL 9.1 and 9.7 machines with Wayland enabled

The following articles were published last week. New Knowledge Base Articles: KB0022226 - Azure Files incompatibility with EPM-W features using Alternate Data Streams (ADS) KB0022378 - What is the difference between elevation and allowing an application? KB0022392 - How to block specific application installs via Homebrew using EPM-M KB0023521 - Admin Access Request API issues - after approval or denial response values are switched KB0023549 - Users still get Windows UAC prompts for credentials while in a JIT Admin session KB0023551 - Issue with JIT authorization approval via API – 'decision is not a valid value' KB0023565 - EPM-W policy does not work when computer is offline KB0023576 - Logstash does not truncate oversized fields for Azure Sentinel causing rejected batches with error 413

The following articles were published last week. New Knowledge Base Articles: KB0021627 - Authenticator Type roaming and platform missing when configuring FIDO2 KB0022604 - The Worker Node is not pulling scan data from the Discovery Agent KB0023290 - Password Safe Enhanced Session Utility (ESA) install fails with error message 0x80072efd or 0x80072ee7 "Unspecified error" KB0023374 - Does Password Safe support Windows Server 2025? KB0023457 - Can the auto-enrollment prompt be skipped when opening Password Safe mobile with Intune application protection policies? KB0023537 - BeyondInsight OAuth API integrations fail after upgrading due to ASP.NET_SessionID session cookie name change KB0023553 - Entitlement by user report shows extra users KB0023554 - Warning message "Disabling network security rule '', as it does not exist in Azure" after enabling IP allow list in Password Safe Cloud

The following articles were published last week. New Knowledge Base Articles: KB0022728 - Can AD Bridge be used to unlock Active Directory accounts remotely?

I have a question regarding use of BeyondTrust Password Safe Cloud, specifically around application session security controls.We are currently experiencing several security concerns when launching application sessions through the platform:1. File Access via Chrome DownloadWhen an application session is initiated, users can successfully access the target application via Chrome. However, if a user downloads a file and clicks “Show in folder”, it opens File Explorer on the application server.This behavior allows users to:Browse system directories Access sensitive locations (e.g., C:\ drive)2. Unrestricted Browser UsageWithin the same application session, users are able to:Open new browser tabs Navigate to other websites or internal applications Perform actions outside the intended application scopeSecurity ConcernsThis creates a significant risk, as users may gain unintended access to:Unauthorized system resources Sensitive files and directories Has anyone implemented similar restrictions

Hi AllI need to verify below query In our production environment , under global setting , session initialization timeout is set to 60 sec. We need to change it to 90 seconds to meet customer requirement .However we need clarity that , if when user tries to access Windows server and if the downloaded RDP file it is shared with other user, will other user be able to access the server if the time span is less than 90 sec?Does BT has any algorithm that check the RDP file should only be accessible from machine from where it is originated ?Any pointer on this will be very helpful. Any supporting KB article will surely help Thanks in advance .Regards,Imran

The supported platform matrix for the PRA Integration Client only goes up to SQL Server 2022. Is their a roadmap/timeline for supporting for Azure SQL PaaS offering (@2025), or is there a configuration on it which can be made to make it supportable? ThanksChris

Hello! Does the EPM W Package Manager automatically update itself or we can control it . I see we can control the adapter and client version while using the Package Manager but don’t see a setting to control the version of PM .

Qurestion for beekepers , has anyone onboarded XEN hypervisor as password sase does not have a platform for this as default . Require guidance on how we can onboard XEN hyperviors onto PS