Recently active topics

We are looking to build an automated BeyondTrust Password Safe onboarding process via API, driven by user provided details in a ServiceNow form and lookups against our CMDB.To facilitate this, I’m looking for a way to bulk export the available (and mandatory) fields for the below for every Platform:Creation of an Asset Creation of a Managed System Creation of a Managed Account Population of the ‘Manage Assets Using Password Safe’ Smart Rule Action Population of the ‘Managed Account Setting’ Smart Rule ActionWe need the details for each platform so that we can create branching to provide the right details in the relevant API calls for each platform.The intention is then to map each of the available fields in BeyondTrust to a field in another data source (in the ServiceNow form or CMDB) so that we can populate the API calls for onboarding.I understand Smart Rules can’t be created via API, so we’d instead be looking to pre-create the required ‘Manage Assets Using Password Safe’ and ‘Manag

We have Session Recording Archiving enabled and is working as designed. What happens when (if) I delete recordings from the Archive? Is there a dead link in PWS? Would be interested if anyone has a procedure they use to delete the recordings, say after 12 months. Would like to NOT see any references to the sessions once they are deleted from Archive.

Hello teams,I have a case like this:There is an application, let’s call it data_input.exe that installed in my RDS Jumphost server.Two users need to login this application using their own managed accounts (this is done using automation).However, I need both users to launch the application under different functional accounts within the same RDS jump host. For example, person A start the jumphost using FA-1, and person B start the jumphost using FA-2.Is BeyondTrust able to support this type of scenario? Or is there a workaround for this kind of scenario?I tried cloning the data_input.exe application in the BeyondTrust configuration, but it appears that only one functional account can be assigned per managed system. Note: This is not a multi-session issue, i can do multisession already. But more like each functional account must have different privileges for specific reasons. Thank you 

Hi All, Can someone suggest how we can migrate privileged passwords from one source password manager and cloud-based password manager to BeyondTrust Password Safe?

Hello We have EPM Windows agent 24.x version . When a user tries to install Notepad ++ Plugins it throws UAC prompt. I created a rule with all details shown in UAC prompt such as publisher and file name . Later I removed publisher and kept just the executable name , still I get the Windows prompt instead of EPM. Has anyone faced this issue?On 25.x EPM agent with same policy , EPM is able to detect it and elevate it with Notification message 

Apologies in advanced if this is common knowledge, I mainly support our Windows environment but I’m wanting to learn more about EPM on Mac.  Most of our Mac end users utilize an Active Directory group that we grant elevated privileges with.  A discussion came up recently about Homebrew, and I asked our support techs the current process for when they swap out machines for developers on Mac.  What I’m being told, is that possibly in the past EPM used to be able to allow standard users to install Homebrew via EPM for Mac however I’m being told Homebrew is incompatible with EPM for Mac.  End users are being added as local admin as part of the process which I’m not understanding why.If anyone has documentation, KB, or first-hand knowledge of using EPM for Mac and utilizing Homebrew without having to add users to local admin, it would be much appreciated.Example of what I’m being told from my End User Computing support team about the troubleshooting cadence of Homebrew for elevated privilege

We often hear from our techs that Jump Clients stay offline even though the PC is only and reachable.Trying to restart the sra-pin Service or the whole PC does nothing.The only way you get this client back online is with the user clicking onto “Reconnect now”.As soon as you click reconnect now the client comes back online.Does anyone else have this problem or has an idea how we can get around this?Another problem is that after a reboot the Jump Client often takes more than 10 minutes to get back online. 

Is it possible to launch multiple or duplicate tabs in a Web Jump?

For one of the end user is not able to access Linux machine and getting below error, tried uninstalled & Installed Desktop access but getting same error however it is working in Web console able to access the server.Could someone please assist to fix the issue?

Is there anyone worked on some kind of powershell script to generate policies, application groups etc.?Trying to create some policy automic policy making process. 

Hello All,We have a requirement for to not onboard Oracle user account while performing oracle DB scan. We only want ‘Oracle system accounts’ and ‘Oracle Service accounts’ to be onboarded. We have attributes (Same as in DB) defined in BeyondInsight configuration. When we attempt to onboard DB accounts using the smart rule, it captures all accounts. Consequently, when we use the 'Set attributes in each account' action within the smart rule, it assigns attributes to all accounts, regardless of the account type. Thanks,Prasad

Hey All.I’ve been working with the API for PM Cloud.Thanks to BT for making the Policy Editing API available for PM Cloud — it works great in this first iteration, but we do need some tweaks 🤔I’ve created a ticket with BeyondTrust because I ran into a limitation and would like to hear everyone’s thoughts.When creating applications through the API, we are limited to using “Product Description” as the unique identifier. This prevents us from uploading applications when multiple apps share the same Product Description, even though the File Name, SHA‑256, Product Name, Publisher, etc. are different. See the sample highlighted in purple below.Upload sampleMy view is that the only criterion that can guarantee a 100% certain duplicate is the SHA‑256 value. We need some additional logic to determine what should be classified as a duplicate. For example, if the File Name, Product Name, Product Description, and Publisher are the same for executables, but the versions differ, we could still clas

Hello, I am trying to setup an Azure SQL Database for a new AA BT PWS environment. Is there any way to use a serverless SQL with own key material for TDE?Right now the installer just gets stuck and although I can run the connection check I get a small window stating “validation failed” after I click next on the database configuration step.Any recommendations?  Thanks!

What is the recommended best practice for upgrading PAM Terminal Servers from Windows Server 2012 to Windows Server 2019, particularly when CAL licensing is involved and the servers are used for PAM applications?We currently operate two application servers behind a load balancer (TRM1 and TRM2). TRM1 was originally running Windows Server 2012 for our PAM application. After performing an in‑place upgrade to Windows Server 2019 using the ISO, the upgrade appeared to complete successfully. However, we encountered a significant issue: when launching any application session through PAM, users now receive full desktop access instead of the intended restricted application session.Additionally, after a recent restart, TRM1 began displaying an RDS Licensing error, and we were only able to access the server through the console. Although we resolved the licensing issue and applied the appropriate CALs, the problem with users receiving full desktop access persists.

Can there be multiple approvers in PRA to approve jump session?if yes, how it works, any one to approve or all must approve?

Has anyone come accross an issue when you set this gpo settings every 5 min you get a google notification but if you remove it everything is happy. It is only that setting.    Authenticate with a Password Safe URL (cloud or self-hosted) If State is set to Enabled , administrators can supply a Password Safe URL to authenticate with Pathfinder. When the user starts Workforce Passwords, they are brought to the URL entered in the GPO screen. The user is not able to modify the Password Safe URL from the pre-configured value, or switch to Pathfinder to login. The URL should follow the format https://ps-instance.local/webconsole

Hi, does anyone have a Huawei Switch/Router custom platform for Password Safe to share with us?

Hi,I lost several projects due to PRA dedicated accounts missing feature. I know that is existing in PasswordSafe but these projectw were really secure remote access use cases. Moreover, our main competitor in France is Wallix and they have this feature embedded. Is somebody in the community know if it could be possible to create automation with APIs to map a user with his user-adm account for example ? With a csv input file it could be good enough. Fabien

Hello team,I am currently testing the Jump Client for macOS in the PRA cloud. When initiating a jump, the session connects immediately without prompting for credentials.Could you please advise whether it is possible to configure credential injection before the jump is established? Thank you.

The following articles were published last week. New Knowledge Base Articles: KB0021974 - Why is there scheduled maintenance stating - "Your SRA Cloud site is not appropriately sized for its usage level"? KB0023125 - Vault Password Safe Discovery connection fails - Failed to connect to Password Safe Client KB0023205 - macOS screen and audio popup request messages appearing. "Remote Support Customer Client is requesting to bypass the system" KB0023248 - .Gitignore file is being exposed and can be viewed in web browser KB0023255 - Duplicate Jump Item report is failing with 500 internal server error KB0023256 - Keyboard shortcuts executing on the representatives machine instead of in the RDP jump session when in full screen

The following articles were published last week. New Knowledge Base Articles: KB0021974 - Why is there scheduled maintenance stating - "Your SRA Cloud site is not appropriately sized for its usage level"? KB0023125 - Vault Password Safe Discovery connection fails - Failed to connect to Password Safe Client KB0023248 - .Gitignore file is being exposed and can be viewed in web browser KB0023255 - Duplicate Jump Item report is failing with 500 internal server error KB0023256 - Keyboard shortcuts executing on the representatives machine instead of in the RDP jump session when in full screen

The following articles were published last week. New Knowledge Base Articles: KB0021898 - EPM-W and BITS transfer - How to allow installation KB0022280 - BeyondInsight EPM Reporting issue - Transparent details pane when in "Match System Theme" KB0023253 - BeyondInsight EPM policies not applying on some endpoints

The following articles were published last week. New Knowledge Base Articles: KB0021896 - How to add "sync Active Directory and asset descriptions" to Managed Systems in Password Safe KB0021957 - How to hide the Record Session option - How to record all sessions KB0022661 - Logoff on disconnect and Force termination settings are not working and therefore RDP session overlap is occurring. KB0023224 - Appliance page and Password Safe web console license expiry date is one day off KB0023246 - After upgrade to 25.3 - Certificate was not provided or Failed to authenticate due to one or more authentication rules

The following articles were published last week. New Knowledge Base Articles: KB0022480 - Hostname update and domain join fails "ERROR_FILE_NOT_FOUND"

Is there is a way to adjust the name of the client or customize the pop up to say, "COMPANY NAME - TECH SUPPORT" or something other than "Remote Support Customer Client" as it sounds incredibly suspicious.