Recently active topics

I have a question regarding use of BeyondTrust Password Safe Cloud, specifically around application session security controls.We are currently experiencing several security concerns when launching application sessions through the platform:1. File Access via Chrome DownloadWhen an application session is initiated, users can successfully access the target application via Chrome. However, if a user downloads a file and clicks “Show in folder”, it opens File Explorer on the application server.This behavior allows users to:Browse system directories Access sensitive locations (e.g., C:\ drive)2. Unrestricted Browser UsageWithin the same application session, users are able to:Open new browser tabs Navigate to other websites or internal applications Perform actions outside the intended application scopeSecurity ConcernsThis creates a significant risk, as users may gain unintended access to:Unauthorized system resources Sensitive files and directories Has anyone implemented similar restrictions

Hi Everyone,I have a query regarding session archiving.If a 90-day retention period is configured for session recordings, the recordings are moved to the archive location after 90 days. Later, if the retention period is changed to 30 days, will this new setting apply only to newly generated recordings, while the existing recordings continue to follow the original 90-day retention? Kind Regards,

I’m currently testing an agent provided by support to alleviate performance issues and the IC3Adapter service won’t start on the test laptop. Due to Agent Protection being enable I cannot manually start the service either. I’ve tried manually starting the service via command prompt and that does not work either. I’m about to go through the process of reinstalling using safe mode but I’m wondering if someone might have any input. Thanks. 

The supported platform matrix for the PRA Integration Client only goes up to SQL Server 2022. Is their a roadmap/timeline for supporting for Azure SQL PaaS offering (@2025), or is there a configuration on it which can be made to make it supportable? ThanksChris

Hello! Does the EPM W Package Manager automatically update itself or we can control it . I see we can control the adapter and client version while using the Package Manager but don’t see a setting to control the version of PM .

I am trying to configure my SNMP connector but the guides I am seeing (SNMP Trap and Syslog Event Forwarding | BI) have outdated screenshots and new features are not on the details.Has anybody implemented the SNMP event connector yet on their environment? Was wanting to know what are the recommended Authentication protocols and the privacy protocols are.

Qurestion for beekepers , has anyone onboarded XEN hypervisor as password sase does not have a platform for this as default . Require guidance on how we can onboard XEN hyperviors onto PS

We are currently facing a challenge in securely providing users with sudo/root access. Our requirement is to allow users to log in to servers and perform tasks with elevated permissions without retrieving or exposing the root password.Currently, when users launch a PuTTY session, it does not prompt for additional permissions initially. However, once they attempt to execute commands using sudo (the user is LDAP-authenticated with sudo privileges), the system requests a password.We have enabled password retrieval from  Password Safe. Our concern is that enabling password retrieval for such access would violate our internal security policies. We are looking for a secure solution that allows users to perform sudo tasks during the PuTTY session without compromising password security. 

Hello!I am curious to know what type of filtering and packet inspection controls are typically recommended/used for on-prem PRA/RS appliances. As typical use cases (e.g. remote users, vendor access etc.) require the appliance to be external network facing , it is not feasible to restrict access to IP ranges. Based on KB articles SSL Offloading is not supported for client to appliance communication.Question: What typical network security controls are recommended apart from restricting the outbound from appliance, blocking known-bad source IPs, and segmentation.Anyone using Web App Firewalls , NGFWs or IDPS effectively ? Are there any resources available that can help identifying know benign traffic vs malicious traffic ?

Hi community,I have an integrated PASM environment deployed in Pathfinder. I have a group of dedicated admin accounts that I want to make available to a specific group of users.I configured requester permissions for this user group over the dedicated admin account smart group. The access policy is configured for auto-approval.I want to prevent users from requesting the password directly from the Password Safe user console, so they cannot access the servers without using PRA. To achieve this, I enabled the “API Only Access” option in the access policy, but the users are still able to request the accounts through Password Safe.I verified that:The users belong to only one user group. The only smart group with configured permissions is the one described above.Am I missing something, or is there another way to restrict managed account access?Thank you.

Initial Pairing ConfigurationSetting up the pairing takes a few steps.Test sequence was resetTest heartbeat communication passedTest file transfer from Active to Passive failed. TEST FAILED - Error occurred during test steps: Doing ensure file doesn''t exist on target... "" ERROR on test: sending file to remote system The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ERROR on test setup: trying to get file from remote system The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.  This error is coming when configuring active and passive HA configuration on vmware workstation. Ple

Hi everyone. I have a question about the concurrent connection capacity of BI Password Safe.Let’s say our appliance has 16 cores and 32 GB of RAM. 1. What is the limit on concurrent connections based on the specs above?2. When and under what circumstances should we upgrade the RAM or CPU if necessary? Thank you. I’d appreciate your guidance.

I need to execute MSEDGE in kioskmode but the INI configuration only works when I test in the Remote Server, when I try to open the published application the browner opens in regular mode.I'm testing using the same command lines configured in the application.What am I doing wrong?

Hi community,I’m Andrew Rivera, a Product Manager at BeyondTrust, and I’d like to invite interested customers to participate in an upcoming beta for a new product we’re actively developing on the BeyondTrust Pathfinder platform: Workload Credentials.Workload Credentials is designed for modern cloud-native and DevOps environments, enabling workloads such as CI/CD pipelines, Kubernetes workloads, Terraform, and AI agents to authenticate using workload identity (OIDC) and receive short-lived, automatically expiring credentials — eliminating the need for static secrets and manual credential rotation.We’re looking for customers interested in evaluating the current functionality and helping shape the future direction of the product through real-world feedback and collaboration with our product and engineering teams.Current areas of focus include:OIDC federation Dynamic AWS credentials Kubernetes and CI/CD integrations Policy-based access controls This beta is best suited for DevOps, SRE, Clo

Hi community,I’m Andrew Rivera, a Product Manager at BeyondTrust, and I’d like to invite interested customers to participate in an upcoming beta for a new product we’re actively developing on the BeyondTrust Pathfinder platform: Workload Credentials.Workload Credentials is designed for modern cloud-native and DevOps environments, enabling workloads such as CI/CD pipelines, Kubernetes workloads, Terraform, and AI agents to authenticate using workload identity (OIDC) and receive short-lived, automatically expiring credentials — eliminating the need for static secrets and manual credential rotation.We’re looking for customers interested in evaluating the current functionality and helping shape the future direction of the product through real-world feedback and collaboration with our product and engineering teams.Current areas of focus include:OIDC federation Dynamic AWS credentials Kubernetes and CI/CD integrations Policy-based access controls This beta is best suited for DevOps, SRE, Clo

Hi community,I’m Andrew Rivera, a Product Manager at BeyondTrust, and I’d like to invite interested customers to participate in an upcoming beta for a new product we’re actively developing on the BeyondTrust Pathfinder platform: Workload Credentials.Workload Credentials is designed for modern cloud-native and DevOps environments, enabling workloads such as CI/CD pipelines, Kubernetes workloads, Terraform, and AI agents to authenticate using workload identity (OIDC) and receive short-lived, automatically expiring credentials — eliminating the need for static secrets and manual credential rotation.We’re looking for customers interested in evaluating the current functionality and helping shape the future direction of the product through real-world feedback and collaboration with our product and engineering teams.Current areas of focus include:OIDC federation Dynamic AWS credentials Kubernetes and CI/CD integrations Policy-based access controls This beta is best suited for DevOps, SRE, Clo

Hi everyone,I was trying to automate credential injection for Kaspersky Security Center and apparently PS_Automate does not support applications in .msc format.Is there a workaround to get this application successfully automated with credential injection through password safe. Thank you.

We have enabled Log "Run As" Special Action Commands in the Session Reports, but is there a way to extract just this specific details to see on which devices this has been run? I've checked back and forth the reportings, exported many reports, but none seem to have this data..

The following articles were published last week. New Knowledge Base Articles: KB0021273 - Remote Support Shell Jump greyed out: unable to create Shell Jump shortcut KB0021911 - Remote Support error - Your BeyondTrust Remote Support license has expired KB0022284 - Linux Jumpoint installation error - Failed at step EXEC spawning /home/beyondtrust/jumpoint/init-script: Permission denied KB0022322 - Can RS or PRA failover be configured so a specific appliance automatically reclaims the primary role once it comes back online? KB0022323 - Unable to remove users from a Jump Group KB0022345 - Where is the download license usage report? KB0022348 - Unable to override Jump Policy. Error - The Jump Policy's schedule does not permit a session to start at this time KB0022355 - Why do remote sessions default to the EN-US keyboard layout? KB0022366 - How many concurrent sessions does a Jump

The following articles were published last week. New Knowledge Base Articles: KB0022243 - Privileged Remote Access report types and how to create them KB0022284 - Linux Jumpoint installation error - Failed at step EXEC spawning /home/beyondtrust/jumpoint/init-script: Permission denied KB0022321 - What application parameters are available for the PRA BeyondTrust Desktop agent? KB0022322 - Can RS or PRA failover be configured so a specific appliance automatically reclaims the primary role once it comes back online? KB0022323 - Unable to remove users from a Jump Group KB0022345 - Where is the download license usage report? KB0022348 - Unable to override Jump Policy. Error - The Jump Policy's schedule does not permit a session to start at this time KB0022366 - How many concurrent sessions does a Jump Client Support? KB0022375 - Can session recordings be deleted? KB002

The following articles were published last week. New Knowledge Base Articles: KB0022403 - Issue with computer or adapter IDs (GUIDs) being overwritten KB0023505 - Trying to start the EPM cloud adapter results in Error 1053: The service did not respond to the start or control request in a timely fashion KB0023531 - Performance issue in EPM-M - Failed to look up group account KB0023543 - Add to Policy from Analytics v2 creates definition that does not work KB0023545 - Endpoint Utility connection test error - Unexpected communication error. Access to the path 'C:\...\EventService' is denied.

The following articles were published last week. New Knowledge Base Articles: KB0022368 - Pathfinder account permissions do not carry over to Entitle account - Only Requests and My Settings are available KB0023213 - Mongo DB connection string does not show when performing an Access Request

The following articles were published last week. New Knowledge Base Articles: KB0021586 - Start Application with option "Launch Application in RemoteApp mode" fails with error: "Because of a protocol error this session will be disconnected..." KB0022431 - When the user goes to share the secret, they do not see or get the option to select which safe to add it to. KB0022731 - Archived session monitoring files consuming large amount of disk space on the Resource Broker KB0023284 - Is TOTP secret associated with Authenticator App and the user stored and encrypted in Password Safe? KB0023529 - Can the btadmin account for Password Safe Web Console logins be deleted? KB0023559 - Why does the appliance backup process use so much RAM? KB0023560 - How does the download feature work on the Backup and Restore page in the appliance? KB0023561 - Is it possible to move a U-Series Appliance configuratio

Hi there,We have set up MFA-Messages to authenticate admins when installing software on a client. This also needs to be done on “user-clients”. The problem is that you actually can use the admin mfa session to access various ressources such as microsoft admin portal if youre not actively sign out or do the authentication in private-tab.I already tried to use the following in my entra application, but this does not seem to work: Has anyone setup an MFA-Authentication in Messages for EPM-W and may assist?Many Thanks!