Unanswered questions

Hi all,Good day. I have a question regarding the EPM agent for macOS. For this test case, I have two types of endpoints, one Windows and one macOS.I have learned about the agent installation for the Windows endpoint. This one is straightforward for my case since I only have one Windows endpoint for product evaluation. All I need to do is download the package manager and run the command to install it.But, I am still unsure about macOS. Please note that Im not familiar with macOS and this is my first time working with it for a product evaluation. My question is, for macOS, can I use the same method for the agent installation? I mean using a package manager similar to the Windows endpoint since I only have a single macOS machine.Appreciate it if someone could provide the proper guideline and advise on this.Thanks again.

Hello Community! I guess at least one people had is problem.Some times depending on the environment (cloud or on-prem) when we are just navigating between the menus, when we click to go to configuration, smart rules or any other menu, simply the Webconsole gets logged out.Other scenario is when we are using the webconsole and stops to user for few seconds (and really is few seconds) and appears the message "will be logged out soon/extend session"Have someone get this case? If yes, exists a reason for that and consequently the fix for that?Obs: in System > Site Options > Session: the time for Session Timout is already on a high time.Regards,Felipe 

Hi Team,How to block dmg file installation in EPM-M we are unable to block installation for dmg file as well as package installer. The blocking rule is ineffective for application installations, whereas the actions related to allowing or requesting installations are functioning as intended.

We have several systems that, when viewing analytics/events there is no event activity reported on these systems. Yet if we view them in our RMM tool we see plenty of activity that should be appearing in analytics/events. What would be the best steps to take to address this issue?

Hi team,We have onboarded WINSCP as application in Beyondtrust password safe (cloud).  We are facing one challenge here where after application is launched using functional account , how can user transfer file from his local machine to RDS server. As WINSCP is launched to connect to target linux server , I want to understand since the file will be at user local machine , how can user move it to target linux system.I am sending the winscp application screen shot for reference . Awaiting response. Thanks in advance .Regards,Imran Aliyani

We are using a SmartRule with the Selection Attribute Criteria “Directory Attribute Match” using the employeeID attribute to map privileged account as dedicated account for a user only. This all works fine but we are worried if somehow the source system (e.g. AD) is messing with the data of this attribute employeeID, e.g. deleting the value (e.g. AD Admin not aware of that field, doing cleanup, etc.) or being tampered. This privileged acount then would be exposed to all the users (with access to that Managed Account group). How can this be prevented or found/reported which accounts may have an issue. I understand data quality is key here but with such a highly security related topic of privileged accounts one always has to assume that the source (AD) might be wrong and counter-measures must be possible on both side (source and consumer, i.e. PasswordSafe)

A client, and myself, all have the same error on our Azure connector: Unable to access Platform Environments: Insufficient privileges. Unable to access Platform Admin Applications: Insufficient privilegesIs anyone else seeing this issue? Bit of coincidence that we have this in three seperate sites. 

Hi Team,We’ve a use case as mentioned below:a user initiated a web jump from BT PRA to vSphere portal and was logged in successfully. Within the vSphere portal, user selects a VM wherein vSphere gives 2 types of logins- 1.Remote & 2.Web Console. User selects web console access which then launches a new tab within the Jump Item requiring password to be entered again. The key option is disabled and looking for suggestions to enable it.  

So, I’ve attempted this multiple times and took a short break to clear my head. Cannot seem to get this wrapped up, and it’s a necessity. Hi, I’m Robert and I’m a Security Engineer for my company. Part of my portfolio is Enterprise Software Management via Intune. I manage all software deployments for the company on a tenant level, using assignment groups to make certain apps available to pertinent groups. Over the past 3 years, I’ve learned a lot where Intune deployments and the Windows OS intersect. I’m still on the learning path, but I’m figuring out the nuances, the lowest common denominators and getting better at troubleshooting issues. This is where things get complicated: 100% of my experience in this arena is Windows 10 / Windows 11 based. And we now have a very small fleet (<10 devices) of Mac devices for our Marketing team. Now, I’ve tried everything I can find online, but the documentation on how to pull this off via Intune is scarce and incomplete. Reddit has been the mos

Hello Beekeeper Community,I’m curious to hear how others handle the following:Onboarding:easy: AD query, smart rules, and we have managed account. Offboarding:When a managed account deleted from AD , the password can’t locate the user. Also, there doesn’t seem to be a smart rule capability to identify which accounts are in Password Safe and which are not, to help with automated cleanup and management.How do you manage this process? Any tips or best practices would be appreciated!Regards,Maulik

Hi everyone,The end users are experiencing delay and slowness when taking RDP sessions through Password Safe on-prem. Usually they have to read logs and commands and the slow and delayed screen output is becoming a hassle for them, resulting in a very poor user experience.After some researching, I found a commonality in the solution that it an issue with the client’s network, however, they are not ready to accept it.According to them, when they take RDP directly from the U-series appliance, the session is much better but from the Web UI, it’s very delayed and slow.Has anyone here encountered an issue like this, if yes, how did you solve it.Thanks in advance.

Hi Beekepr ,  Does Password safe support password rotation base on managed asset /application session instead of time-based interval. Regards,Maulik

Hello team, could someone please share the prerequisites what we required to further onboard and the key information we need to request from the customer regarding this Azure? Below, I have outlined the relevant scenarios. Customer Mentioned: This is an Cloud SaaS Password Safe, Users are in Azure EntraID and servers are Domain-Joined. I have collected these below KB's :Configuration SAML Azure EntraID - https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sys_kb_id=dd8ff4a91b019e946fe95287624bcb37 EntraID FA MA - https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sys_kb_id=aad9352747511e50b77b3ddbd36d4384 Attached Asset requirement sheet.Thansk!

Employees with EPM installed are having issues printing with Excel and I cant seem to figure out what is holding that up when printing works fine with everything else. 

Hi  I would like to see if we can block commands in CMD for Windows Platform.If yes, how can we do a sample would help for building it.RegardsNaveen

I have a very unexpected behavior in my environment.I have multiple desktop applications and web applications created using both PS Automate and AutoIT.Sometimes a user tries to launch Application X, but instead Application Y is launched, and the wrong credentials are supplied.I need to know how to troubleshoot this issue.

Hi All, I am onboarding Toad in BeyondTrust Password Safe. If anyone has done this before, could you please share the .ini or .au3 file you used for passing connection details? Thanks in advance. 

I’m trying to see if it’s possible to utilize an SSH client manager like SuperPutty or mRemoteNG for managing SSH sessions that use SAML authentication.  We can not use the Direct Connect feature due to SAML being token based.  Any guidance would be greatly appreciated.

Hello Everyone,I’m working on password rotation for a custom (unsupported) application using the BeyondTrust Password Safe Cloud REST API. Before proceeding, I want to confirm whether such an application can be integrated for automated password rotation.Can someone clarify:What technical criteria or parameters must a custom application support in order to be compatible with Password Safe Cloud’s REST API-based password rotation?For example: Required authentication methods? Connectivity or protocol requirements? Ability to expose credentials or respond to rotation workflows? Any mandatory fields/settings needed in Password Safe for custom platforms? Any limitations or known restrictions for cloud API rotations? Any guidance or examples from your experience would be greatly appreciated.Thanks!

Hello,We have a on-demand rule for Command prompt for a set of users . This rule allows running of child processes with Basic Admin token for Windows Command Prompt - Run-As-Admin action.For same set of users , when they try to install another application using Run-As-Admin option , based on quick-start rules it gets Admin token which gets applied to child processes as well. But at one point in installation Command Prompt is launched by the installer , this results in additional prompt for the user . Logs show that it is hitting the Command Prompt on-demand rule. I think as the application is triggering the Command Prompt and it has application name as parent process, it should ideally get the admin token and not hit the CMD on-demand rule ?

Hi All,I'm provisioning a new on-prem BeyondTrust Password Safe to test the reporting and analytics features on BeyondInsight 25.1.1.The issue is that the Domain section shows 'This list contains no data,' which prevents me from proceeding with report generation.Did I miss a necessary configuration step? Any help with this issue is appreciated.Thanks. 

Hi Everyone, Has everyone encountered any impact regarding the cached credential on Linux servers with AD Bridge installed? Particularly if the cached credential is managed by Password Safe and is being rotated regularly?  Thanks!

So, been getting repeated ongoing asks from our Compliance Team, and this is their ask: for a specific Managed Account, produce a report of every user that can access that credential? Anyone ever been able to pull that off? Using Analytics would be fine, just have not been able to find a report like that.

Hi everyone,Can you please help me understand how to create the custom reports for On-Prem Password Safe. I tried the Pivot Grids feature and it is not much helpful. Thanks,

I am getting an invalid credential when launching a web application. I tested the managed account and password is correct but when I inject this using the ps_automate, it comes up with an invalid credential. I have also added the “FixupPassword=1” under the General section since my password contains spaces. Anything I am missing here or should be trying out? 2025/11/04 13:56:52 [TaskSequence1] BEGIN2025/11/04 13:56:52 [Function] execute_task_sequence_webapp (TaskSequence1)2025/11/04 13:56:52 [TaskSequence1] [INI] WaitLoginWindowDelay=02025/11/04 13:56:52 [TaskSequence1] [INI] XPathElement=//*[@id="username"]2025/11/04 13:56:52 [TaskSequence1] [INI] XPathValue=%username%2025/11/04 13:56:52 [TaskSequence1] [INI] XPathAction=2025/11/04 13:56:52 [Function] insert_custom_strings (*MASKED*)2025/11/04 13:56:52 [Custom string] username2025/11/04 13:56:52 [TaskSequence1] END2025/11/04 13:56:54 [TaskSequence2] BEGIN2025/11/04 13:56:54 [Function] execute_task_sequence_webapp (TaskSequence2)2025/1