Unanswered questions

Hi All,We’re relatively new to BeyondTrust PRA and are deploying multiple on‑prem PRA systems (one large Atlas system plus several HA systems for data‑residency). As we plan appliance upgrades (e.g. 24.2.3 → 24.3.3), we have concerns around remote access disruption and network impact, particularly related to Jumpoints. Environment24x7 OT environments 100+ Jumpoints (growing significantly) Jumpoints used as Jump Zone proxies aligned to Purdue/network segmentation JumpItems - primarily JumpClients and RDP. Remote sites connect via low‑bandwidth, often congested satellite linksKey ConcernsJumpoints are not backward compatible Remote access is unavailable until Jumpoints are upgraded to match the appliance version. Upgrade size & network impact ​​​​​​​Latest guidance suggests Jumpoint upgrades are full installers (~130 MB), creating risk of network congestion at scale. Lack of upgrade controls for Jumpoints ​​​​​​​No way to defer/disable auto‑updates, limit concurrency, throttle ban

Hello team,I am currently testing the Jump Client for macOS in the PRA cloud. When initiating a jump, the session connects immediately without prompting for credentials.Could you please advise whether it is possible to configure credential injection before the jump is established? Thank you.

Hi BeyondTrust Community,I recently deploy the BeyondTrust PasswordSafe (On-Prem) for 2 nodes, 1 for Management (Single Appliance Deployment solution)  and 1 for Worker (SQL less solution no HA) with a single-standalone remote database. After fully deploy those UVM, I try to test the credential on both Management Account, and Functional account but resulted in the mentioned error. Will there be any solution for this issue? I try to looking for the KB within the BeyondTrust customer portal and found nothing.I do appreciate for any solution I will try what suggested. Thank you,

Hello All,We have a requirement for to not onboard Oracle user account while performing oracle DB scan. We only want ‘Oracle system accounts’ and ‘Oracle Service accounts’ to be onboarded. We have attributes (Same as in DB) defined in BeyondInsight configuration. When we attempt to onboard DB accounts using the smart rule, it captures all accounts. Consequently, when we use the 'Set attributes in each account' action within the smart rule, it assigns attributes to all accounts, regardless of the account type. Thanks,Prasad

Hello everyone!We are facing a possible configuration issue, we believe.Is there any setting for using BeyondTrust Workforce Passwords in a fixed browser window? The problem is that every time we authenticate, a new browser window opens, causing us to lose visibility and usability. Has anyone else encountered this situation?Thank you very much.  

We are trying to use API query for creating session request using dedicated API account. using API , we are pushing the request to PAM including asset ID and admin account ID and duration ...etc.when we login on the PS user interface using API account, we can find the requests pushed using API.when we login on PS UI using the user login account, the session request isn't listed/viewed in his list. We tried to use Runas option in the authorization but there is no changes. session request is only viewed under the API account UI.  Please advise what could be the option to create the request for the admins using dedicated API account.

Hi AllI am trying to find a way to use the API to force check in of vault accounts which have had their password checked out for over 7 days,I think it is crazy to allow the PRA and the vault account members to checkout their password and allow it to stay checked out (this could be over a year) therefore they could use the password and put it into some automated tasks where it is in plain text and as it is never checked in this will always stay the same.It seems a lot safer if there was an option within PRA to force check in ( a tick box or something ) and a correct schedule that could be set that would check in all passwords on a set day and time and rotate them. Instead I am having to mess about with APIs which are not very well documented in my opinion.Therefore has anyone needed to do this and if so how did they go about it?Thank you in advance.

I’m starting to onboard users and computers to password safe and I want to allocate certain users to certain servers.So to illustrate.Team A has 5 users each user has a std AD account and a dedicated admin AD account.This team is responsible for several servers which I have put in an AD group. I can do the directory queries and onboard the servers and manage them. I can also onboard and manage the dedicated admin accounts and link them to the std accounts.I’ve hit a road block linking the accounts to the servers.There is an existing onboarding rule which sets an attribute (Tier1Server) on Servers and a rule which sets an attribute (Tier1account) on T1 accounts. The servers I want to sort now and the team users are a subset of Tier 1 so I should be able to use the similar process using attributes.So I create a managed account smart rule with selection criteria of the directory query relating to that user group so I can set an attribute of the team name on those users. But when I save an

Hello all, We are experiencing a behavior with RDP sessions via Password Safe initiated from machines with Windows 11.The session has a slow image loading, appearing to load in rows of images and in blocks.A simple movement of windows within the RDP session causes the image loading of this movement to be very slow.This does not occur if the RDP session is direct with the destination server.But if the connection is through Password Safe being Windows 11 > Resource Broker > Destination server, this slowness is noticed. Has anyone else noticed this problem in your environments? Additionally, this behavior does not occur in Windows 10.Points that I have already checked:- The software installed on the computers are the same between Windows 10 and 11;- The network settings are the same. This behavior occurs on both wireless and wired networks;- The GPOs of the Windows 10/11 stations, Resource Brokers and destination servers have already been checked. No Remote Desktop configurations th

Can BeyondTrust Password Safe support strict logical segregation between two departments (Network Division and IT Security Division) within the same Password Safe deployment, ensuring no visibility of assets, accounts, users, or sessions across divisions? Component Network Division IT Security Division PAM Admin Network PAM Admin Security PAM Admin Assets Network devices Security infrastructure Accounts Network privileged accounts Security privileged accounts Users Network engineers Security engineers Policies Network-specific Security-specific Reports Network only Security only Configuration Network Only Security Only

PRA requires a user to login a first time in order to be available in PRA for example to assign vault accounts.Unfortunately this is causing problems with new employees which are onboarded into PRA.Unless they have never logged in, administrators cannot assign personal vault accounts. If the user logs in, and does not see his/her vault account, they create tickets. This is a very large customer and it is difficult to orchestrate / communicate such a process and they would like to automatically provision new users (from AD). How do other customers provision users up-front and define vault accounts, etc. and not depend on a user’s first login?  

Hello Everyone, Is it possible to use the file transfer option via Remote VNC?

Hi All,I have got the PWS to PRA connection working, I can see my managed test account in PRA but when I try and use the cred store to connect, I get the following error. (Could not find a schedule to use with this release request)I have followed the guide (BeyondInsight / Password Safe - Unable to pull Password Safe Credential via ECM. Error: "Could not find a schedule to use with release request".)Any ideas where I can start to look? log? or have I missed something simple?

How do you manage Microsoft Edge browser updates on RDS servers used for web applications?Do we need to allow continuous internet access for Edge updates and WebDriver checks, or do you manage updates in a controlled/whitelisted manner?  What are the best practices to follow ?

So, I’ve attempted this multiple times and took a short break to clear my head. Cannot seem to get this wrapped up, and it’s a necessity. Hi, I’m Robert and I’m a Security Engineer for my company. Part of my portfolio is Enterprise Software Management via Intune. I manage all software deployments for the company on a tenant level, using assignment groups to make certain apps available to pertinent groups. Over the past 3 years, I’ve learned a lot where Intune deployments and the Windows OS intersect. I’m still on the learning path, but I’m figuring out the nuances, the lowest common denominators and getting better at troubleshooting issues. This is where things get complicated: 100% of my experience in this arena is Windows 10 / Windows 11 based. And we now have a very small fleet (<10 devices) of Mac devices for our Marketing team. Now, I’ve tried everything I can find online, but the documentation on how to pull this off via Intune is scarce and incomplete. Reddit has been the mos

I’d like to understand the recommended approach for onboarding local Linux dedicated accounts. Additionally, from a Linux server perspective, is there a recommended method to configure these accounts so that sudo does not prompt for a password? Thank you.

we have 2 PRA appliance in cluster.  The primary appliance was initially deployed as stand alone in 2020 and only in 2022 ,the second appliance was deployed. So, in secondary appliance, we can see the data encryption is already enabled but in Primary , this is not enabled and says we need to free up space. we needed a confirmation, if we fail over to current secondary, will we face issue in this scenario with one appliance data encrypted and other not?  Also, in the documents and in KB, it says secret store is required to be added but since in secondary its already enabled without external secret store, we can assume the encryption keys are stored locally? since only AWS is supported for external secret store, we are unable to add external secret store.  

What is the recommended approach for securely managing and remotely accessing macOS systems using a password safe? Specifically, does a managed application for a VNC client support this use case, and is there an implementation guide? Thank you.

I would like to connect to a specific computer by hostname to perform queries via API. The problem I’m running into is the API requires the jump client ID, not the host name. And there is no server side filtering for the hosts to find the jump client ID. I then tried to pull a list of all hosts and jump client IDs to filter on my end, but the maximum number of results I get is 13. I have extensively consulted with chatgpt and it came to this conclusion:Ah — that clarifies things. The reason your earlier scripts didn’t work is the Command API only supports listing all connected clients; it does not support a server-side filter by hostname. That’s why trying to query a single host returns nothing — the API only gives batches of connected clients, and without paging through, your host might not be in the first page.Ah — now it’s clear why you’re still only seeing 13 Jump Clients: the BeyondTrust Cloud Command API get_connected_client_list does not return all connected clients at once. On

Hello everyone,I am currently encountering an issue when performing a managed account password change on F5 BIG-IP. I would like to describe the issue as follows:On the F5 BIG-IP device, I created a user named "btfunctional" and configured this user in PAM as a Functional Account (FA). I performed a Test Functional Account, and it completed successfully. However, when I attempt to change the password of another managed account, I encounter the following error:[btfunctional@ltm01:Active:Disconnected] ~ # Thread was interrupted from a waiting state. Password change failed.I would greatly appreciate your support and assistance with this issue.Thank you very much.