Auto-Update Computers using Package Manager
The EPM Package Manager (Package Manager) is an optional feature in EPM which helps organizations install and maintain the Endpoint Privilege Management client and the EPM adapter. Package Manager can also automatically update when a new version is detected, taking even more burden off estate administrators.
In EPM, you can:
- Configure the Package Manager installation string
- Download the Package Manager installation executable
- Configure update settings for a computer group
- Track computer and computer group updates
- Set throttling and preferred update times so that updates can be strategically and safely installed.
When setting up auto update, you can complete the tasks in any order. The main configuration tasks are:
- Install Package Manager
- Set group updates
How Updating Works
Package Manager is designed to check for updates on these components: Endpoint Privilege Management Windows and macOS clients, EPM Adapter, and Package Manager.
- Package Manager checks in with EPM after the initial installation. This occurs within three minutes of the Package Manager installation.
- After the initial check-in, Package Manager checks in with EPM every two hours.
Package Manager self-updates automatically when a new version is detected. There is no configuration required for Package Manager updates.
An update may not take place for a number of reasons, including:
- Endpoint Privilege Management or the EPM Adapter are already updated to the version configured in EPM.
- The throttling threshold is reached and the endpoint must wait for updates.
- The computer group is not yet configured for updates to take place.
- Package Manager might not be enabled for the group.
- Automatic updates or updates to a specific version are not configured for the group.
Automatic updates do not work with adapters using the ic3Adapter user. Those adapters must be upgraded manually to version 21.8 and the ic3Adapter user changed to the LocalSystem user.
For more information, see Track Computer Updates.
Install Package Manager (Windows)
The Package Manager runs as a Windows service on the endpoint. The name of the service is BeyondTrust Endpoint Privilege Management Package Manager.
To install Package Manager:
- Go to the Configuration > Package Manager Installation page.
- Select an installation key and group name. These settings are required. Without both of these fields, Package Manager will not install.
- Select the operating system: macOS or Windows.
- Optionally, click the Start Package Manager automatically toggle to automatically start the Package Manager service running on the endpoint.
- The install command is automatically populated with default settings based on the installation key and computer group.
- Click Download Package Manager.
For more information about Endpoint Privilege Management for Windows installation commands, see Install the Windows Adapter.
Use Proxy Settings
You can pass the proxy settings as arguments to the Package Manager installer. Use the following parameters:
PROXYADDRESS=<proxyUrl|NONE|""> AUTODETECT=<true|false> USESYSTEMDEFAULT=<true|false> BYPASSONLOCAL=<true|false> SCRIPTLOCATION=<script_location_url>
The proxy setting can be used by the adapter if the proxy setting is updated first, and then the adapter is installed by Package Manager. The Package Manager uses only the PROXYADDRESS parameter; all other parameters are saved for the adapter and not used by the Package Manager.
Restart Services
After resetting the Adapter or Package Manager, the respective service must be restarted.
Doing so causes the Adapter and Package Manager to attempt to activate and register with EPM, resulting in two active entries for the same computer.
In this scenario, stop the Package Manager service, uninstall the Adapter, and then reset the Package Manager. Once the Package Manager is active, the Package Manager installs the Adapter with the auto-update configuration.
Set Group Updates
There are two parts to setting up Package Manager on a computer group:
- Set the version to apply
- Latest version: The connected computers try to install the newest version available.
- Specific version: The connected computers try to install versions selected on the Manage Updates panel.
- Configure Endpoint Privilege Management for Windows installation parameters to include in the package
Package Manager self-updates automatically. No configuration is required.
To configure a computer group to receive Package Manager updates:
- Go to Computer Groups, and then select the View Group Details menu for the group you want to set up.
- Select the Updates tab.
- Click the Enable Package Manager toggle.
- After Package Manager is enabled, click Manage Updates.
- (Applies to macOS and Windows). Select the preferred method to update computers:
- Select Latest Version to update Endpoint Privilege Management and the EPM Adapter to the latest version of each component.
- Select Other Version, and select a specific version for the client and adapter. You cannot select a previous version after selecting and deploying a version; there is no downgrade process in place.
- Click Save Changes.
After setting up how the group will receive updates, there are specific installation settings for the endpoint that you can configure. Continue with the next steps.
- Click Client Settings.
- Select the options to apply to your endpoints.
- Click Save Client Settings.
For more information:
For Endpoint Privilege Management for Windows installation settings, see the Administration Guide.
For Password Safe configuration details, see Password Safe Integration Guide.
For macOS client settings, see Create a Package with Base Settings.
Set Rate Limit Preferences
Set the rate limit when there is a large number of endpoints in your environment. Limit the number of endpoints that update at the same time to reduce the load on your network.
- Go to Configuration > Package Manager Settings.
- Click the Enable Rate Limit for Package Manager toggle.
- Configure the number of computers to update on an hourly basis. We recommend using the default value of 5,000 computers.
- Click Save Changes.
Track Computer Updates
A status displays during updates to help you determine the state of the update. The status of an update is displayed on the Computer Groups page and the Computers page in the following areas.
- Computer Groups page on the Update Settings
- Computer Groups page (Client/Adapter Status columns)
- Computer Groups Details page on the Updates tab
- Computers page (Adapter Status and Client Status columns)
- Computer Details page on the Summary tab
Computer status messages are listed in the following tables.
Status Messages at the Computer Groups Level
| Status | Description |
|---|---|
| (Group is) Awaiting Updates | At least one of this group’s computers have started updating and the remaining computers are expected to follow. |
| (The Group’s) Update Failed | At least one of this group’s computers has encountered an error during its update. |
| (Group is) Up to Date | Every one of this group’s computers have been updated to the current settings for the group. |
| (Group is set to) Manual Updates | The Package Manager is not enabled for the group. |
Status Messages at the Computer Level
| Status | Description |
|---|---|
| (Computer is) Awaiting Update |
|
| (The Computer’s) Update Failed | An error occurred when the computer was trying to update. An error message is captured and sent to EPM to help diagnose the issue. |
| (Computer is) Up to Date | The computer is up to date with the Update Settings configured on its group. |
| (Computer is set to) Manual Updates | The Package Manager is not enabled for the computer’s group. |
Windows Adapter Reset Tool
The Adapter Reset tool is installed with Package Manager. Use the tool to reset the adapter to factory default values.
For more information, see Reset the EPM Windows Adapter.
