Recently active topics

Hello dear community,We are planning to update the U-Series software (PWS and AM). In addition to the recommendation regarding the BeyondInsight / Password Safe - Upgrade BeyondInsight Password Safe Active Passive appliance high availability pair, we would appreciate hearing from anyone who has already performed this upgrade in a similar setup.Could you please share your experience? Specifically: Were there any system resource requirements or constraints to consider? How long did the process take? Was the upgrade smooth, or did you encounter any challenges? Thank you in advance for your collaboration. Br,

Hi All I have been looking arround for a document that can help in building the Beyondinsight Using UVM for Privilege Management for Windows & Mac in Active Active mode for DC & DR. What are the prerequisites and how to establish the DC & DR scenarios, what are the things that we should be really looking into for the deployment. My another query is how does the Agent understand the DC & DR scenario as if we need to deploy 1 Management node in DC and 1 Management node in DR with 2 Event worker nodes in DC and 2 Event Worker nodes in DR. Where in DC we have SQL in Cluster with Always ON Availability Group and Same deployed seprately in DR too. Can some one explain as how it works and what are the precautionary measurements we need to take care of.

Hi Guys, Can anyone address this query? Does PRA Remote RDP Jump using SecureApp with Type Remote Desktop Agent requires Cal License. Use case is we have an application that needs to be accessed, so we configured the Remote RDP jump short cut and configured  SecureApp with Type selected Remote Desktop Agent. If Yes Cal is needed then why do we have two options one RemoteApp and the other Remote Desktop Agent. please let me know how to go ahead without the Cal license for this use case

Hello!I want to configure below use case. Basically a standard user , after logging in to PS, should be able to access their dedicated/mapped admin account on two different servers with separate Access Policies. They do not have access to the “standard to admin account” mapping rule but have access to separate smart groups as shown below with different policies. When the stnadard user log on they see both Access Policies as options.1. “Standard_User01”  Mapped to →    “Dedicated_Admin_User01”   Linked To→   “Server01”   →  AccessPolicyAuto-Approval2.  “Standard_User01”  Mapped to →    “Dedicated_Admin_User01”   Linked To→   “Server02”   →  AccessPolicyApprovalRequired

Hello All,We are trying to implement Rest API for different purposes. While executing Get ManagedAccounts API with powershell script, we found that it returns only first 1000 account records.Do we know how can we increase this limit to get result for more records. We have around 11000+ records.Thanks,Prasad 

Hi teamI have some requirement due to which I need to create 2 entries for same managed system .  I have created those entries . Both systems have same Name ,IP and port. Description is different only . I need to understand how can I create the smart rule which can target only one system. I want to write the smart rule for both assets individually.What condition shall I add such that only one system is returned when smart rule is executed.One of the option would be quick rule . But I want to understand is there any way I can use the smart rule and get this done .I was looking at the option for manage system smart rule and I could see there is an condition for alias I wanted to understand how can I set the alias for both systems? If it is possible then I can use it to distinguish both systems. I dont see any option to use the descriptionNeed help here please  Regards,Imran   

Hello , I see there is only TOTP MFA option in PRA . We are using PRA for external Vendor access where the accounts are quarterly reviewed but as the number of vendor grows , manual errors might increase. Also as the review can not be made more frequent , there is a possibility that Terminated vendor user still has access as they know their PRA login password and have TOTP MFA configured using a personal mobile device. These user identities are in Active Director as well as PRA internal DB. Is there any way to implement email-based MFA so that terminated user will immediately lose access as they wont have access to company email ?I see Radius auth and OKTA can be used both have separate trade-offs

The following articles were published last week. New Knowledge Base Articles: KB0022225 - User not appearing in Remote Support after syncing the Active Directory group KB0023436 - Can Jumpoints be installed on macOS ?

The following articles were published last week. New Knowledge Base Articles: KB0022141 - Web jump error: failed with exit code 2 KB0022157 - Error approving access for others. The approver key is invalid KB0022161 - Authenticate the current url icon is greyed out when Web Jump is launched KB0023436 - Can Jumpoints be installed on macOS ?

The following articles were published last week. New Knowledge Base Articles: KB0022139 - pbrun24.1.4-05[2730476]: Could not connect to run host

The following articles were published last week. New Knowledge Base Articles: KB0023082 - Preview of messages are missing the message header and OK and Cancel buttons KB0023133 - EPM-W 26.1 policy behavior change - Uninstallation with Challenge/Response messages KB0023385 - Identity Authentication feature in EPM FAQ and how to configure it KB0023432 - Windows MSI patches prompting UAC KB0023435 - Issues syncing MS Entra ID members and groups with EPM KB0023444 - Splunk Application data ingestion failing - Client event ingestion failed: Max retries exceeded

The following articles were published last week. New Knowledge Base Articles: KB0022158 - How to bulk map integration accounts via API if auto mapping is not happening

The following articles were published last week. New Knowledge Base Articles: KB0022148 - Discovery scan of Oracle database fails with error code 12514 KB0022150 - How to use EPMs Allow as Password Safe user option to grant access to Failover Cluster Manager KB0022166 - 2019 SQL 2502 (February 2025) update failure KB0022185 - WinSCP fails to switch user to Managed Account "Error listing directory '/root' permission denied" KB0022223 - Unable to create Smart Rule - error: "An unknown error occurred" when load balancer is in the environment KB0023408 - BT Updater message "This desktop client will be marked as obsolete and will be removed in version 4.0" KB0023450 - Password Release Activity report shows unknown Assets and Accounts

I saw a post on Reddit this morning and it reminded me of what I noticed when we performed an upgrade yesterday. When attending a Remote Support session with a customer and elevating the session, the only option is for the customer/end user to provide admin credentials - there is no option for the support engineer to provide their own credentials - is this expected behaviour? 

We have a EPM workstyle dedicated to the service desk, which takes effect at the start of Beyond Trust remote session. This makes use of Audit scripting / Rule scripting to sense the initiation of the session and change the effective workstyle until the session completes. During the session, support technician is able to elevate the application through Prompt.We have observed that this script provided by BT for this use case is executing the rule only once, when another application is open during the same session, the end user workstyle (Medium Flexibility prompt) is getting applied and application is not elevated. Please let us know, how to fix this.

Many organizations face the same challenging questions in their initial deployment of the EPM tool.Where do I even start with for the policy design? How can I use EPM to allow and block applications? How do I find local administrators privileges on the endpoints? How can I prevent users from running applications outside of these trusted folders (Windows, Program Files)EPM is designed with the flexibility to control and elevate applications, many of the above questions can be achieve with the out-of-the box QuickStart policy template that combines BeyondTrust best practices into a set of rules that make it easy to get started with proactive endpoint protection. Out-of-the-box, the user’s security level is immediately improved without degrading the user experience or by “locking them down”. This is designed to be successful even with very little knowledge of the applications installed in an environment before deployment. Workstyle purposeThe QuickStart Policy consists of six preconfigure

Greetings all I have a developer who is using AWS Secrets Manager for his code. However, he is passing the username and password from Active Directory over to the secret in AWS Secrets Manager and calling that JSON from Secrets Manager.Ideally, yes, he should be calling it from BT and not AWS Secrets Manager but that would involve a lot of code rewrite for him on a production system.We are looking at adding the secret in Secrets Manager as a synced account with the service account so that when we rotate the password on the service account, it would also rotate the password on the AWS Secrets Manager secret to the same password.What he needs though, complicates it. He is storing this in his AWS secret{"binddn":"cn=ldapauth_account,OU=Service,OU=Accounts,OU=company,DC=domain,DC=com","password":"abcabc"}When BT rotates the password on the service account in AD, it writes the password to the secret in AWS wiping out everything so he ends up with something like newpassword instead of the wh

This doc is a quick guide of finding potential instances of OpenClaw (aka Clawdbot, Moltbot) by using EPM Analytics. Please refer to Using Endpoint Privilege Management with local AI agents in our public docs. Where this worksThis works in the cases where:The application group is set up to log to EPM-SaaS The target system has the name as standard, and not obfuscated the tool with a renameQuick Analytics ChecksIn EPM SaaS, or in your SIEM / log aggregator of choice, search for Events → Filter by: Command Line → Search for any contains `openclaw`, `moltbot`, or `clawdbot` In EPM SaaS, or your SIEM / log aggregator of choice, I would recommend using the Custom Views options to save this for rechecks You can also check for file/folder contains those key wordsWhat returnsDepending on what is being logged, you could end up with a lot of noise. For instance, emails or browser visits to sites with those in the name, etc.  It could return scheduled tasks calling gateway.cmd, etc. which is a de

Hi AllI am trying to find a way to use the API to force check in of vault accounts which have had their password checked out for over 7 days,I think it is crazy to allow the PRA and the vault account members to checkout their password and allow it to stay checked out (this could be over a year) therefore they could use the password and put it into some automated tasks where it is in plain text and as it is never checked in this will always stay the same.It seems a lot safer if there was an option within PRA to force check in ( a tick box or something ) and a correct schedule that could be set that would check in all passwords on a set day and time and rotate them. Instead I am having to mess about with APIs which are not very well documented in my opinion.Therefore has anyone needed to do this and if so how did they go about it?Thank you in advance.

Hi All.I have identified two functions that are still missing in PM Cloud, and the available APIs force you into workarounds to accomplish some of these tasks.Moving a list of computer hostnames into a specific group.Overcoming two API hurdles: partial name matching, and the requirement to fetch computer IDs before using the CSV import option—since it does not support hostnames directly. 😖When you need to move computers between groups, doing it manually becomes a tedious process.In the classic Policy Editor MMC Snap-in, we had the advantage of browsing for a file and automatically pulling in its metadata. This capability has not yet been added to PM Cloud either.How have you resolved these options and are there any functions that you see missing in addition?I addressed these gaps, by creating a WebApp that handles both challenges, plus an application scanner for bulk rule uploads.Move Computers to Group allows me to upload a CSV file containing a hostname column with hostnames listed