Unanswered questions

Hello we are on PRA 24.3.4. I see that now we cannot install multiple jump clients on same machine. We have a use case where users have multiple computers (laptop\workstations) and use PRA to connect to those. For provisioning, we had made the Personal jump client option available per user and they were instructed to download client under their PRA login and install on their machine. Same machine has second instance of client which is pushed via SCCM. This is for IT support use case. Now that the multiple installations are not working , we need to find a way to copy existing jump client when a new user requests this type of access. We already have large number of computers and groups which are handled by API , trying to figure out a way to copy existing client when new users gets access to personal Jump item. Anyone else faced similar challenge any suggestions

Hi, I need to analyze all event logs and see which ones belong to end users who used privileged elevations to categorize them into the high-flex category. The filters in the Analytics tab seem limited and there are a lot of event logs.How can I quickly go about identifying which users belong in the high flex category?  Thanks all!

We have a requirement in our environment wherein we want to restrict users from modifying certain registry keys/ hives. We want to know:whether we can enforce this using EPM policies or do we need to use group policies for this?Will EPM Policy be able to block users from modifying registry values within their respective endpoints? Can Avecto Defendpoint Service identify such events related to registry modifications i.e. will we see event logs (in Event Viewer and BT EPM cloud console) related to every unique registry key/ hive?

In an on-premises Password Safe and PRA environment using the PASM model:I have two jumppoint clusters in PRA.Is it possible to configure certain servers, for example, the production area, to establish connections through the PRD jumppoint cluster, and for development servers, to establish connections through the QA jumppoint cluster?Could you please guide me on whether I should create multiple workgroups in Password Safe and configure them in PRA, and if so, how?Thank you.

Hi All,In PRA, we have a SAML security provider configured for user authentication and provisioning. User will only be provisioned when they first-time logged in.Is there anyway we can pre-provision the users by LDAP/AD Group synchronization similar functionality as Password Safe (without using SCIM). Thanks, 

Hello Is it possible to disable the personal folder in secret safe? can btadmin see the secrets in personal folder? If a user stores in personal folder , and the user leaves organization, we still need to be able to fetch the secrets saved by the user for the enterprise applications. So can we not show personal folders and only show the safes we create for the users?

Hi everyone,We’re currently working on implementing BeyondTrust Password Safe Cloud in a multi-tiered architecture and are looking for detailed documentation or a white paper that outlines recommended setup for Data Center (DC), Disaster Recovery (DR), and UAT environments.If anyone has access to or has previously received the official BeyondTrust Password Safe Cloud architecture white paper ?Appreciate any pointers from the community 🙏

I am getting an invalid credential when launching a web application. I tested the managed account and password is correct but when I inject this using the ps_automate, it comes up with an invalid credential. I have also added the “FixupPassword=1” under the General section since my password contains spaces. Anything I am missing here or should be trying out? 2025/11/04 13:56:52 [TaskSequence1] BEGIN2025/11/04 13:56:52 [Function] execute_task_sequence_webapp (TaskSequence1)2025/11/04 13:56:52 [TaskSequence1] [INI] WaitLoginWindowDelay=02025/11/04 13:56:52 [TaskSequence1] [INI] XPathElement=//*[@id="username"]2025/11/04 13:56:52 [TaskSequence1] [INI] XPathValue=%username%2025/11/04 13:56:52 [TaskSequence1] [INI] XPathAction=2025/11/04 13:56:52 [Function] insert_custom_strings (*MASKED*)2025/11/04 13:56:52 [Custom string] username2025/11/04 13:56:52 [TaskSequence1] END2025/11/04 13:56:54 [TaskSequence2] BEGIN2025/11/04 13:56:54 [Function] execute_task_sequence_webapp (TaskSequence2)2025/1

Hi Everyone, I have the following use case:How can i target the git command in the terminal?The Git binary was installed by the user via Homebrew.I’ve tried matching File / Folder Name criteria with git, and also using the absolute path /usr/local/Cellar/git/2.51.1/bin/git in the Application Groups, but it still didn’t work.I tried matching it with parent process and even using the hash (SHA-256).I tested sample commands like ls -la, as shown in the documentation website, and the ls -la were successfully captured.The git command filtering is only work when i use a sudo command application type. i.e. if i type sudo git pull...But the case i want is not using sudo.Does EPM-M only process binary that are signed by Apple?Because the git from homebrew is not signed. I’m using macOS 13 Ventura and PMC 25.6.580 Thanks

Hi Everyone , For our Password Safe cloud instance,  We have created the Mainframe system and onboarded the accounts on it . On this account under password safe, we have enabled check password and enabled “reset password on mismatch” option.However when the password of account is changed outside of Password Safe i. e directly on Mainframe system, at that time , even though reset password on mismatch is enabled on account under password safe, doesn’t trigger the password change option and hence password remain mismatched unless Admin reset is manually .My requirement , If password of account managed in password safe, gets changed outside of BT, then password should get reset under BT as well. At any given point , BT should have the correct password .Can anyone please let me know how to achieve this? With current setup I have done , what’s the thing I am missing ? Thanks in Advance. Regards,Imran

You can enable in Authentication Option that all new users are enabled with TOTP. but those accounts that are already synced, they are not affected by that setting, is there a smart way to do this then to open up 200 account and enable TOTP on each of them?

We have a requirement to onboard Cisco devices into Password Safe. For privilege escalation, we need to use the 'enable' secret. The non-privileged user account and the enable secret use separate passwords.Is there a way to manage this scenario in Password Safe?

trying to scan SQL server databases getting all the databases but no local accounts any help will be greatly appreciated

Hi All,We are facing one problem for DR activity .We are having one Resource Zone say Zone1 which as 2 RBS. During DR activity both RBs are set to be shutdown for few hours . We have another Resource Zone Say Zone 2 which has 2 RBS. My question is , is it possible that when RBs of ZOne 1 are unhealthy , Server access should be attempted from RB2 in Zone2? We have already verified and managed system’s port are open from RBs in Zone 2. I know one approach would be rescan the asset and select RB from Zone 2 but it will take lot of manual effort hence want to keep this option as fall back. If anyone is aware of any other approach , please let me know .Thanks in Advance.Regards,Imran

Hello, we typically have multiple new SDA switches created on regular basis. They have IP address and a hostname when provisioned but will not be added to a DNS server yet. Admins need access to these devices for configuration before they are available in DNS.  What is the best way to add these devices.For existing switches which are in DNS , we add the hostname to Address Group and run IP Scan. The same address group is referenced in Managed Account smart rule. Q1. Add IP address to Address Group via API and trigger a scan . I think this will only add the system = IP address.Q2. when the Address Group is scanned next , PS will know the hostname of it but will it update the same managed system with system = hostname (and IP = IP) ? or it will create two separate managed systems/assets.Even if the system name gets updated with hostname , the managed account smart rule will not apply as it references the Address Group which does not have hostname of the system but only IP address. Q3. So

I have a user that launches the representative console, successfully authenticates with SSO and is redirected to the desktop application which then prompts with “The Representative Console appears to be running already, but the existing instance failed to activate.”  I have seen this before and a reboot fixes it, but not with this user.This issue persists through reboots as well as a full uninstall/reinstall of the representative console for this user. The web console works for this user. If they sign in as a local Remote Support user (different than the SSO account) it will work through the desktop application.  I see in the debug logs it says, “Failed to obtain singleton lock”, but not much else for details. We are running version 24.2.3. Has anyone else experienced this before or have a solution?  

Hi All, I am trying to explore options for bringing in 1500+ AD objects from AD domain without using AD group option (I agree which is best and most suitable option). Kindly help to share if there are any other options to achieve this apart from using AD group.   

Hi,Has anyone seen issues with Win11 AutoPilot laptops and PatchMyPC where EPM is now prompting users trying to install anything in Company Portal.I found thisPreviously: EPM probably trusted these scripts through a Publisher rule or Parent process allow rule.Now: After a recent Patch My PC update (around Oct 2025), the background script is signed or launched differently, possibly under the System Functions policy group, and no longer matches the older rule conditions.Anyone any ideas?

Hi We have proxy enabled for external applications in jump point, the web jump is not working when proxy set manually in the system or when PAC is used. Any way to get this working? or is it a bug? is it in road map?

So, I’ve attempted this multiple times and took a short break to clear my head. Cannot seem to get this wrapped up, and it’s a necessity. Hi, I’m Robert and I’m a Security Engineer for my company. Part of my portfolio is Enterprise Software Management via Intune. I manage all software deployments for the company on a tenant level, using assignment groups to make certain apps available to pertinent groups. Over the past 3 years, I’ve learned a lot where Intune deployments and the Windows OS intersect. I’m still on the learning path, but I’m figuring out the nuances, the lowest common denominators and getting better at troubleshooting issues. This is where things get complicated: 100% of my experience in this arena is Windows 10 / Windows 11 based. And we now have a very small fleet (<10 devices) of Mac devices for our Marketing team. Now, I’ve tried everything I can find online, but the documentation on how to pull this off via Intune is scarce and incomplete. Reddit has been the mos

What level of customization is available in Password Safe Cloud?The customer is specifically interested in customizing elements such as banners, logos, admin messages, and approval email templates

Hi Experts! We’re slowly growing our user base in the Password Safe pilot we’re running. Since last week, non of our users are able to see their T0 accounts.The administrators were able to search for the accounts in the Password Safe module last week, but since Friday the cap of 1000 accounts were reached. Any suggestion on how to make the accounts visable? We have them as managed accounts in the managed accounts module, and they’re picked up by the smart rules that are identical to T2 and T1 accounts. We run a tierd model where rdp access is granted on T2, local/server admin is granted on T1 and domain admin is granted on T0. So each user can have up to 3 personal accounts per domain. Best regards,Joakim Andersson

Hi All, We have migrated from one Password Safe appliance to another, as part of the migration, we moved the sessionmonitoring folder to the new appliance, with all the recordings. Database is migrated successfully; I can see all the Completed Sessions on the portal. When I try to view any session recording which is migrated from old appliance, getting below error: New appliance name is different from old one. Any advice to fix the issue? Thank you.

This might be a bit too big of a question for this forum. However, I am not sure where to start. We are still somewhat new to PRA. I am wanting to start using Docker containers for our jumpoints instead of putting them on Linux instances. First, where do I go to download the container image? I heard that there is a stock image that we would use and then just input the key to start the connection to our system. Second, can we put the container in a service like AWS container service or Azure container service? Third, and this will show my very beginner level of experience with containers, would we do the firewall rules for the containers the same way that we do them for the Linux servers that are jumpoints?I have a feeling there are other items that I am totally missing, but I figured this is a good start. If you know of documentation you can point me to I am more than happy to start reading and testing things out. 

Dear Team,I need your assistance with onboarding an MSSQL database into Password Safe using the application-based method (credential injection or API-based access). The goal is to allow applications to retrieve SQL Authentication credentials from Password Safe, rather than directly onboarding the database as a managed system.Could you please provide the relevant documentation, configuration guidelines, and example .ini files needed to set this up?Additionally, we would like to configure this setup for the following RDS (Remote Desktop Services) server environment: [Include your RDS server requirements or details here if applicable] Your guidance on the setup process, including best practices for securely retrieving and managing SQL credentials through the application, would be highly appreciated.