Messages

You can define two types of end user messages:

  • Messages: Messages take focus when they are displayed to the user.
  • Notifications: (Windows only). Message notifications appear on the user's taskbar. A notification is displayed as a toast notification and does not take focus.

Messages (and Notifications) are displayed when a user’s action triggers a rule (application/on-demand or content rule). Rules can be triggered by an application launch or block, or when content is modified.

Messages provide an effective way of alerting the user before an action is performed, for example, before elevating an application or allowing content to be modified, or advising that an application launch or content modification is blocked.

Messages give the user information about the application or content, the action taken, and can be used to request information from the user.

Messages are assigned to Application Rules. A message displays different properties, depending on the targets it is assigned to.

Create a Message

Message templates vary between Windows and macOS.

Dialog box for creating a message in Privilege Management Cloud

  1. In the Policy Editor, go to Messages.
  2. Click Create New Message.
  3. (Windows only). Select a message type: message box or notification.
  4. Select a message template from the list.
  5. Enter a name. The default name is the name of the template.
  6. Enter a description.
  7. (Windows only). Enter the title that displays in the title bar of the window.
  8. Enter text for the message header.
  9. Enter text for the body.
  10. (Windows only). Select Show Message On Secure Desktop to show the message on the secure desktop.
  11. (Windows only). Turn off Show the details of application being executed to hide the details from being displayed. This option is enabled by default.
  12. Click Create New Message.

You can edit or delete messages at any time.

Customize a Message

There are attributes of a message that you can choose to use when configuring messaging:

  • General message features such as Header and Body options.
  • User Reason settings when you want your end users to provide a reason before proceeding.
  • User Authorization where a user must provide password, smart card, or both types of authentication information.
  • Multifactor Authentication where an Identity Provider is configured.
  • Challenge/Response Authorization where a user must enter a response code before proceeding.

Select the Edit menu for a message template to customize the message properties.

Set up the Message Header Options

You can configure the following message header options:

  • Show Message On Secure Desktop: (Windows only). Select to show the message on the secure desktop. We recommend this if the message is being used to confirm the elevation of a process, for enhanced security.
  • Title Text: (Windows only). Add text that appears in the title bar of the dialog box.
  • Header Type: Select the type of header: Default, Error, None, Question, Warning.
  • Header Background Type: Select Solid or Custom Image.
    • If you select Solid, use the color picker to select a header background color.
    • If you select Custom Image, you must select an image from the Select Image dropdown list. To use additional images, see Manage Images.
  • Show Header Text: Select if you want to display header text.
  • Header Text: Add text that displays next to the header type icon.
  • Header Text Color: Select the color for the header text.

(Windows only). For a Notification type of message, you can only configure the Title Text.

Additional header message design properties are available when using the User Request Message template. You can customize the text for the interactive prompts displayed during the request workflow, such as request text, pending text, and approval text.

Manage Images

To use different images in the header than the default BeyondTrust ones (such as your own company's logo, for branding purposes), you can import images into this list.

The image must be a .png file no larger than 240 KB. The recommended size is 450x50 pixels; images smaller than 450x50 pixels or larger than 600x100 pixels are rejected.
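A pre-upload check for those limits, as an added example that is not BeyondTrust code. It reads the width and height from the PNG IHDR chunk instead of trusting the file extension, and verifies the IHDR CRC so a truncated or tampered file is caught before it reaches the console. It assumes the size limit applies to the file's byte length and that "smaller than" and "greater than" are evaluated on either dimension; the `make_png` helper only builds constructed test images.

```python
"""Pre-upload validation of a header image (added example, not BeyondTrust code).

Assumptions not stated on the page: the 240 KB limit applies to the file's byte
length, and an image is rejected if either dimension is below 450x50 or above 600x100.
"""
from __future__ import annotations
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_BYTES = 240 * 1024          # 240 KB maximum file size
MIN_W, MIN_H = 450, 50          # smaller than this is rejected
MAX_W, MAX_H = 600, 100         # larger than this is rejected


def png_dimensions(data: bytes) -> tuple[int, int]:
    """Return (width, height) from the IHDR chunk, or raise ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file (bad signature)")
    # First chunk must be IHDR: 4-byte length, 4-byte type, 13-byte data, 4-byte CRC.
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    ihdr = data[16:29]
    crc = struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch (truncated or tampered file)")
    width, height = struct.unpack(">II", ihdr[:8])
    return width, height


def check_header_image(data: bytes) -> list[str]:
    """Return the reasons the image would be rejected (empty list means it is acceptable)."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        w, h = png_dimensions(data)
    except ValueError as exc:
        return problems + [str(exc)]
    if w < MIN_W or h < MIN_H:
        problems.append(f"{w}x{h} is smaller than the {MIN_W}x{MIN_H} minimum")
    if w > MAX_W or h > MAX_H:
        problems.append(f"{w}x{h} is larger than the {MAX_W}x{MAX_H} maximum")
    return problems


def make_png(width: int, height: int) -> bytes:
    """Build a minimal valid black 8-bit RGB PNG of the given size (constructed test input)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit, colour type 2 (RGB)
    raw = b"".join(b"\x00" + b"\x00" * (3 * width) for _ in range(height))  # filter byte + pixels per row
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    for w, h in [(450, 50), (600, 100), (300, 40), (700, 120)]:
        print(w, h, check_header_image(make_png(w, h)) or "OK")
```

Run it against your real logo file by replacing the constructed images with `open("logo.png", "rb").read()`.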

To add images to the list:

  1. At the right of the Select Image field, click Manage Images.
  2. At the top-left above the grid list, click Import Image.
  3. On the Upload Image panel, drag or click to select an image to upload.
  4. Enter the image name and a description.
  5. Click Upload Image. The image is added to the list and is available for selection as a custom image.

You can also delete images you have imported into the list, but not the default set of BeyondTrust images.

You cannot delete an image that is currently in use. Assign a different image to the message first, and then delete the image you intended to delete.

To delete images from the list:

  1. At the right of the Select Image field, click Manage Images.
  2. Select an image (not in use) from the list.
  3. At the top-left above the grid list, click the Delete button.

Edit an Image

To edit an image that you have uploaded to the list:

  1. At the right of the Select Image field, click Manage Images.
  2. At the right of an image name entry, click the vertical ellipsis menu, and then select Edit.
  3. Update the name and/or description for the image, and then click Save Changes.

Set up the Message Body Options

You can configure the following message body options:

  • Body Text: Add additional information for the end user.
  • Message Mode: (Windows only). Select Automatic or Custom to control which details about the application or content are shown on the message. By default, all three rows are on and are displayed as part of the message. The Automatic default values are:
    • Show Line One: The Program Name or the Content Name.
    • Show Line Two: The Program Publisher or the Content Owner.
    • Show Line Three: The Program Path or the Content Program.
  • Show Reference Hyperlink: Off by default. Turn it on to display a link below the body text, and edit the link text shown on the message. Use it when you want to point end users to a web page with more information, for example:
    • Support resources, terms of use statements, and web-based submission forms
    • Web-based ITSM solutions, including those that support parameterization of URLs to prepopulate fields
    • Teams and other community support products
    • Email via mailto links, for integration with email-based ITSM solutions

Mac blocked message sample image

  • Publisher: Enter a publisher name and information to display if the verification for the publisher fails.
  • Buttons: Customize the labels for the OK and Cancel buttons.

(Windows only). For a Notification type of message, you can only configure the Body Text.

Additional body message design properties are available when using the User Request Message template. You can customize the text for the interactive prompts displayed during the request workflow, such as request text, pending text, approval text, denial text, and referral text.

Add User Reason

You can configure the message to prompt the user to provide a reason for the request.

To set up the User Reason option:

  1. Under section 3 on the left, check the Provide a Reason box.
  2. Select the User Reason Type, a textbox or a dropdown.
  3. (Optional). Select if you want to Remember the User Reason (per application).
  4. (Optional). You can change the default Reason Text and Reason Error Message Text.
  5. (Optional). If you select the drop-down type, you can change the default Drop-down List Prompt Text.
  6. (Optional). With the drop-down option, you can use the default User Reason List to be displayed for the user to choose from. You can also:
    • Change the text of the default list options.
    • Delete one or more of the default options.
    • Click the Add User Reason option to add your own user reason to the list.
  7. Click Save Changes.

Email Settings (Windows Only)

Block Message Settings

Email settings can be configured when using the Block Message template.

To access email settings, you must first create the message then edit the properties for the message.

Configure the following:

  • Mail To: Email address to send the request to (separate multiple email addresses with semicolons).
  • Subject: Subject line for the email request.

Add Challenge/Response Authorization

There are two parts to setting up Challenge/Response Authorization:

  • Set a shared key: The Challenge/Response Key must be set before Challenge/Response Authorization can be used in your messages. The key is stored encrypted and is required by the Challenge/Response generator to produce response codes. The only way to change the shared key is to set a new one. Anyone who holds the key can produce a valid response for any challenge, so restrict it to the helpdesk staff who operate the generator.
  • Add the authorization type to a message: When configuring your message, configure the Challenge/Response settings.

The Challenge/Response feature is a global setting and can be configured for Windows and macOS messages. Challenge/Response Authorization only applies to Allow message types.

To add a shared key:

  1. In the Policy Editor, go to Messages.
  2. Select Challenge/Response Keys.
  3. Enter a key value and enter again to confirm.
  4. Click Set Key.

To configure Challenge/Response Authorization:

  1. In the Policy Editor, go to Messages.
  2. Create a message following the steps provided earlier. If this is an existing message, select Edit from the menu.
  3. Under section 3 on the left, check the Request Access via Challenge/Response box.

Challenge/Response Authorization settings in PM Cloud

  4. Expand Challenge/Response Authorization, and set the following:
    • Header text: The text that introduces the challenge/response authorization.
    • Hint text: The text that is in the response code field for challenge/response messages.
    • Authorization Period (per application): Set this option to determine the length of time a successfully returned challenge code is active for.
      • One Use Only: A new challenge code is presented to the user on every attempt to run the application.
      • Entire Session (Windows only): A new challenge code is presented to the user on the first attempt to run the application. After a valid response code is entered, the user is not presented with a new challenge code for subsequent uses of that application until they next log on.
      • As defined by helpdesk (Windows only): A new challenge code is presented to the user on the first attempt to run the application. The responsibility for selecting the authorization period is delegated to the helpdesk user at the time of generating the response code; the helpdesk user can select one of the authorization periods above. After a valid response code is entered, the user does not receive a new challenge code for the period the helpdesk specified.
    • Suppress messages once authorized (Windows only): Select to suppress messages. This setting is not shown when set to One Use Only.
    • Show Information Tip (Windows only): Select to add helpful information for the end user.
    • Information Tip Text: Add text that appears above the challenge and response code fields. In Windows, this only appears if the Show Information Tip option above is selected.
    • Error Message Text: Add text to display to the end user if they enter an incorrect response code.
    • Maximum Attempts: Select from Unlimited and Three Attempts.
    • Maximum Attempts Exceeded Message Text: The message is only displayed when Three Attempts is selected. Add text to display to the end user if they exceed the allowed number of challenge/response attempts.
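The shape of the exchange the settings above configure, as an added illustrative example. This is a generic HMAC-based scheme written for this page, not BeyondTrust's code-generation algorithm: the challenge format, the 8-digit response, the period names `once`/`session` and the way the helpdesk's chosen period is encoded are all assumptions. What it does show is the model the page describes: the endpoint issues a challenge, the helpdesk turns it into a response using a shared key that the endpoint also holds, and the endpoint enforces the authorization period, the Three Attempts limit, and message suppression once authorized.

```python
"""Illustrative challenge/response authorization (added example, not BeyondTrust's algorithm).

Assumed: 8-digit responses derived with HMAC-SHA256; the helpdesk picks the
authorization period and the endpoint accepts whichever period the response encodes.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets

PERIODS = ("once", "session")        # "One Use Only" / "Entire Session" (names assumed)
MAX_ATTEMPTS = 3                     # the "Three Attempts" setting


def helpdesk_response(shared_key: bytes, challenge: str, period: str) -> str:
    """Helpdesk side: derive an 8-digit response for a challenge and the chosen period."""
    if period not in PERIODS:
        raise ValueError("unknown authorization period")
    mac = hmac.new(shared_key, f"{challenge}|{period}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Endpoint:
    """Endpoint side: issues challenges, verifies responses, tracks session authorizations."""

    def __init__(self, shared_key: bytes, max_attempts: int = MAX_ATTEMPTS):
        self.shared_key = shared_key
        self.max_attempts = max_attempts
        self.pending = {}                 # app -> (challenge, failed attempts so far)
        self.session_authorized = set()   # apps authorized until the user next logs on

    def challenge_for(self, app: str) -> str | None:
        """Challenge the user reads to the helpdesk, or None if the message is suppressed."""
        if app in self.session_authorized:
            return None                   # "Suppress messages once authorized"
        if app not in self.pending:
            # Fresh random challenge per prompt, bound to the application so a
            # response obtained for one program is useless for another.
            nonce = secrets.token_hex(4).upper()
            app_tag = hashlib.sha256(app.encode()).hexdigest()[:6].upper()
            self.pending[app] = (f"{nonce}-{app_tag}", 0)
        return self.pending[app][0]

    def submit_response(self, app: str, response: str) -> str:
        """Verify a response; returns 'allowed', 'retry', or 'locked'."""
        challenge, attempts = self.pending[app]
        for period in PERIODS:
            expected = helpdesk_response(self.shared_key, challenge, period)
            if hmac.compare_digest(expected, response):   # constant-time compare
                del self.pending[app]
                if period == "session":
                    self.session_authorized.add(app)
                return "allowed"
        attempts += 1
        if attempts >= self.max_attempts:
            del self.pending[app]         # limit exceeded: a new challenge is issued next time
            return "locked"
        self.pending[app] = (challenge, attempts)
        return "retry"


if __name__ == "__main__":
    key = b"example-shared-key"          # constructed; set via Challenge/Response Keys in the product
    ep = Endpoint(key)
    app = r"C:\Tools\app.exe"
    challenge = ep.challenge_for(app)
    print("challenge:", challenge)
    print("helpdesk response (session):", helpdesk_response(key, challenge, "session"))
```

Because the response is a short numeric code, the attempt limit is what stops an on-line guessing attack; with Unlimited attempts a user could try codes until one verifies.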

Add User Authorization

When using a message to allow access to an application, you can require the requester to authenticate before the action proceeds. When configured, users must enter credentials to continue; the credential can be a password, a smart card, or both.

User authorization settings can be configured on both Windows and macOS messages.

  1. Select the message where you want to add user authorization as part of the access workflow.
  2. Select Verify the requestor's identity, on behalf of:.
  3. Choose either The User or Designated User. If you select Designated User, see the following procedure for details on adding users and groups.
  4. Select the authorization method: Password or Smartcard, Password only, or Smartcard only.
  5. Click User Authorization to expand and customize labels and descriptions. The available fields change depending on which method of authorization is selected:
    • The User: When selected, enter the password. Optionally, customize the message that displays to users when the credentials are not approved.
    • Designated User: When selected, click the Edit Designated Users/Groups button to add the authorized users/groups. A designated user can be a local account, an Active Directory domain account, or an Azure Active Directory group (for Azure Active Directory, only groups are supported).
      • After the groups are added, enter the user name, password, and domain.
      • (Optional). Select Run application as Authorizing User. When selected, the application runs in the context of the authenticating user. When not selected, the application runs in the context of the logged on user.
      • (Optional). Customize the message that displays to users when the credentials are not approved.
    • Smart Card: When smart card authorization is included, you can:
      • (Optional). Customize the Smart Card Authentication Labels that display to the user.
      • (Mac only). Select the Sudo User Authorization option.

At this time, you must fill out all of the fields under User Authorization to confirm your changes.

Edit Designated Users

You can add, edit, and remove users and groups from the Designated Users/Groups List in the message configuration. You can manage multiple accounts at once from the Designated Users/Groups List page.

Designated User must be selected in step 3 (Verify the requestor's identity, on behalf of:) for the Edit Designated Users/Groups button to appear under User Authorization.

Add designated users in the message configuration for PM Cloud.

To add or edit designated users and groups:

  1. With User Authorization expanded, click Edit Designated User/Groups.
  2. Click Add Account.
  3. Select User or Group, and then add the information.
  4. If you select a built-in group, click Insert to automatically populate the account name and security identifier (SID).
  5. After providing the account information, click Add Account.
  6. After adding your accounts, click Save Changes to return to the message configuration page.
  7. Click Save Changes again to close the message configuration page.
  8. Click Save at the top left of the Policies page to save your message changes; otherwise they are not committed in the Web Policy Editor.

Configure Multifactor Authentication Using an Identity Provider

Multifactor authentication (MFA) using an identity provider can be configured for messages in Privilege Management. Identity providers supported by Privilege Management include those using the OpenID Connect (OIDC) and RADIUS protocols. BeyondTrust should be set up as a Native or Desktop app in your identity provider configuration.

The RADIUS protocol is supported on Windows OS only.

Add an Identity Provider

  1. In the Policy Editor, go to Messages.
  2. Click Identity Provider Settings.
  3. On the Identity Provider Settings panel, select an identity provider from the list: OIDC or RADIUS.
  4. Enter the following details for the identity provider:
    • OIDC Settings
      • Authority URI: The address of your identity provider.
      • Client ID: Must match the same value configured for your identity provider's BeyondTrust application.
      • Redirect URI: Must match the value configured for your identity provider's BeyondTrust application. The format is http://127.0.0.1:port_number. This is a loopback address on the endpoint itself, where the local agent listens for the redirect (the native-app pattern of RFC 8252); it is not a port exposed on your network. The port_number is only needed if your identity provider requires a fixed port; providers that follow RFC 8252 accept any port for loopback redirect URIs.
    • RADIUS Settings
      • Authentication Mechanism: The authentication type that is required by your RADIUS server. Supported authentication mechanisms are MS-CHAPV2 or PAP.
      • Host: The hostname of your RADIUS server.
      • Port: The port number for connecting to your RADIUS server.
      • Shared Secret: The secret key required by your RADIUS server.
  5. Click Save RADIUS Settings or Save OIDC Settings depending on the type you selected.
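What the RADIUS settings above mean on the wire, as an added example that is not BeyondTrust's code. It builds a RADIUS Access-Request with PAP as a client would send it to Host:Port (RFC 2865) and includes a Message-Authenticator (RFC 2869), then shows the server-side checks: the shared secret both hides the PAP password and authenticates the packet. The NAS-Identifier value, user name and secret are constructed placeholders.

```python
"""RADIUS Access-Request with PAP, client and server sides (added example, not BeyondTrust code).

Constructed values: the NAS-Identifier "pm-endpoint", user "alice" and the secret in __main__.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt, as the server does it; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value Pair: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_id: str = "pm-endpoint", authenticator: bytes | None = None) -> bytes:
    """Client side: Access-Request with a PAP User-Password and a Message-Authenticator."""
    auth = authenticator or os.urandom(16)   # Request Authenticator: 16 random bytes per request
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, pap_encrypt(password.encode(), secret, auth))
             + avp(NAS_IDENTIFIER, nas_id.encode())
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, replaced below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs
    # RFC 2869: Message-Authenticator = HMAC-MD5(secret, packet with the attribute zeroed).
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def _attributes(packet: bytes):
    """Yield (type, value) for each AVP after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute HMAC-MD5 over the packet with the MAC field zeroed."""
    for attr_type, pos, value in _attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def extract_password(packet: bytes, secret: bytes) -> bytes:
    """Server side: decrypt User-Password using the Request Authenticator in the header."""
    auth = packet[4:20]
    for attr_type, _pos, value in _attributes(packet):
        if attr_type == USER_PASSWORD:
            return pap_decrypt(value, secret, auth)
    raise ValueError("no User-Password attribute")


if __name__ == "__main__":
    secret = b"example-shared-secret"     # constructed; the product's Shared Secret field
    pkt = build_access_request(7, "alice", "correct horse", secret)
    print(len(pkt), "bytes; MAC valid:", verify_message_authenticator(pkt, secret))
    print("server recovers:", extract_password(pkt, secret))
```

Note what `extract_password` with the right secret demonstrates: PAP protection is only an MD5 keystream derived from the shared secret, so anyone holding the secret, or able to brute-force a short one from a captured packet, recovers the user's password. Use a long random secret, and carry RADIUS over a trusted path (for example IPsec) rather than an untrusted network.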

After an identity provider is added you can configure any allow message type to use multifactor authentication.

Set up a Multifactor Authentication Message

  1. In the Policy Editor, go to Messages.
  2. Click Create New Message.
  3. Select the template Allow Message (with Authentication), and then click Create New Message.
  4. Select the message in the Messages navigation pane.
  5. Select Verify their Identity through an Identity Provider.
  6. Expand Multifactor Authentication.
  7. Select Idp - OIDC or Idp - RADIUS.
  8. In the Suppress Message when Authenticated for (Mins) box, enter a value (maximum 720) to set the number of minutes that the authentication message is suppressed. The message is not shown again for the given number of minutes after a successful authentication.
  9. Enter information that displays on the message dialog box such as authentication failure text and authentication success text. Optionally, you can use the default text provided.
  10. The following fields are specific to configuring Azure AD conditional policies. If you are using conditional policies, contact BeyondTrust Technical Support for configuration details.
    • Additional Scopes (optional): Some IdPs can trigger additional authentication policies server-side based on the scopes requested. This field can be used to provide that context to the IdP.
    • Max age (seconds) (optional): Sent as the OIDC max_age parameter: the maximum time, in seconds, since the user last actively authenticated at the identity provider. If the user's last authentication is older than this, the identity provider must re-authenticate the user rather than reuse its existing session.
  11. Click Save Changes.
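How the OIDC settings from Add an Identity Provider (Authority URI, Client ID, Redirect URI) and the Additional Scopes and Max age fields above map onto a standard authorization request, as an added example that is not BeyondTrust's implementation. It builds the authorization-code request a native/desktop app sends, with PKCE (RFC 7636) and a loopback redirect URI (RFC 8252), and parses the redirect the browser sends back to the loopback listener, rejecting a callback whose state does not match. The `/authorize` path, the `idp.example.com` authority and the client ID are placeholders; real clients discover the endpoint from `/.well-known/openid-configuration`.

```python
"""OIDC native-app authorization request with a loopback redirect (added example, not BeyondTrust code).

Assumed: the authorization endpoint is <authority>/authorize; the authority and
client ID used in __main__ are placeholders.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets
import socket
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE and most OIDC parameters require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


def free_loopback_port() -> int:
    """Ask the OS for an unused loopback port: the local agent, not the network, listens here."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def build_auth_request(authority: str, client_id: str, port: int,
                       extra_scopes: tuple[str, ...] = (), max_age: int | None = None) -> dict:
    """Return the request URL plus the per-request secrets needed to validate the callback."""
    state = b64url(secrets.token_bytes(16))       # ties the callback to this request (CSRF)
    nonce = b64url(secrets.token_bytes(16))       # echoed in the ID token (replay protection)
    verifier = b64url(secrets.token_bytes(32))    # PKCE verifier: never leaves the client
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": f"http://127.0.0.1:{port}",          # the product's Redirect URI format
        "scope": " ".join(("openid",) + tuple(extra_scopes)),  # "openid" plus Additional Scopes
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if max_age is not None:
        params["max_age"] = str(max_age)   # IdP must re-authenticate if the last login is older
    url = authority.rstrip("/") + "/authorize?" + urlencode(params)
    return {"url": url, "state": state, "nonce": nonce, "code_verifier": verifier}


def query_params(url: str) -> dict[str, str]:
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_callback(request_line: str, expected_state: str) -> str:
    """Parse the HTTP request line the browser sends to the loopback listener; return the code."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method on loopback redirect")
    q = query_params(target)
    if "error" in q:
        raise ValueError(f"identity provider returned error: {q['error']}")
    if not hmac.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to our request")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"]


if __name__ == "__main__":
    req = build_auth_request("https://idp.example.com", "pm-desktop-client",
                             free_loopback_port(), extra_scopes=("profile",), max_age=300)
    print(req["url"])
```

The code returned by `parse_callback` is then exchanged at the token endpoint together with `code_verifier`, and the ID token's `nonce` claim must equal the nonce generated here; both checks stop an attacker who observed the loopback redirect from redeeming the code.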