Policy Editor Utilities

Policy Editor Licensing

Privilege Management for Windows requires a valid license code to be entered in the Privilege Management Policy Editor. If more than one policy is applied to a computer, you need at least one valid license code for one of those policies.

For example, you could add the Privilege Management for Windows license to a Privilege Management policy that is applied to all managed endpoints, even if it does not have any Workstyles. This ensures all endpoints receive a valid license if they have Privilege Management for Windows installed. If you are unsure, then we recommend you add a valid license when you create the Privilege Management policy.

To add a license:

  1. On the sidebar menu, click Policies.
  2. To the right of the policy you want to edit, click the vertical ellipsis menu icon and select Edit & Lock Policy.
  3. Expand the Utilities node.
  4. Click the Licenses node.
  5. Click Add.
  6. Enter the license key, and then click Add License.

Import Policy

Privilege Management policies can be imported to and exported from Group Policy as XML files, in a format common to other editions of Privilege Management, such as the Privilege Management ePO Extension. Policies can be migrated and shared between different deployment mechanisms.

  1. In the Policy Editor, expand Utilities.
  2. Select Import Policy.
  3. Select one of the following:
    • Merge Policy
    • Overwrite Policy: If you choose to overwrite, you can optionally select Export Existing Policy to save a copy before the policy is overwritten.
  4. Drop the file onto the box or click inside the box to navigate to the file.
  5. Click Upload File.

Import Template Policies

You can import a template and merge or overwrite the settings in an existing template.

  1. In the Policy Editor, expand Utilities.
  2. Select Template Policies.
  3. Select one of the following:
    • Merge Policy: Merges the configuration to the existing template.
    • Overwrite Policy: If you choose to overwrite, you can optionally select Export Existing Policy to save a copy before the policy is overwritten.
  4. Select a template from the list: Discovery, QuickStart for Mac, QuickStart for Windows, Server Roles, TAP (High Flexibility), TAP (High Security).
  5. If you are merging, select Merge Template Policy to save the settings. If you are overwriting, select Overwrite Policy.

Manage Audit Scripts

When an application is allowed, elevated, or blocked, an event is logged to record details of the action. Actions are recorded in a third-party tracking system by using Audit Scripts. You can write Audit Scripts in PowerShell, VBScript, or JavaScript and configure these scripts through the web policy editor.

  1. In the Policy Editor, expand the Utilities node.
  2. Select Manage Audit Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Click the following dropdown menus to further configure the script:
    • Timeout Options
    • Context Options
  5. Click inside the upload box to select the script.

Manage Rule Scripts

You can upload, view, and delete Power Rules from within the Web Policy Editor.

  1. In the Policy Editor, expand Utilities.
  2. Select Manage Rule Scripts.
  3. Click Upload Script to expand the Upload Script panel.
  4. Drag and drop the new script into the upload box or click to select a file.

The script uploaded must be a PowerShell script.

  1. Click inside the Timeout options field to select a value.
  2. Click Upload Script to save your changes.

For more information, please see Apply Power Rules Scripts to Your Application Rules.

Upload and Delete Settings

You can upload settings for an existing Rule Script by clicking the vertical ellipsis icon and selecting Upload Settings from the dropdown menu.

The file that is uploaded must be in JSON format.

To delete the settings file, click the vertical ellipsis icon again and select Delete Settings from the dropdown menu.

Advanced Agent Settings

You can configure the Advanced Agent Settings utility through the web policy editor to deploy additional registry-based settings to endpoints that are running Privilege Management for Windows and Mac.

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add to create a new setting.
  4. Type the desired value name.
  5. Select one of the following to designate the type:
    • DWORD
    • String
    • Multi-String
  6. Click Create to confirm your changes and create the new setting, or Discard to delete your work.

Set Up Agent Protection

Add agent protection to your endpoints to prevent users from uninstalling Privilege Management for Windows.

The setup is a two-part process:

  • Generate public-private key pair.
    • The public key is stored in a policy and distributed to all computers. The public key is automatically inserted into the policy.
    • The password-protected private key must be stored securely by the administrator. The private key and private key password are required when you want to disable agent protection.
  • Enable protection.

Generate Key Pairs

To generate the key pair:

  1. In the Policy Editor, expand Utilities.
  2. Select Agent Protection Settings.
  3. Click Generate Key.
  4. Enter a password to encrypt the private key.
  5. Click Generate Key.
  6. The private key is automatically downloaded to the local computer. The file name is private.pem. The public key is automatically inserted into the policy.
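Because the private key and its password are the only way to disable agent protection later, it is worth confirming, before the file is archived, that the downloaded private.pem is actually encrypted, that the password unlocks it, and which public key it corresponds to. The following shell functions are an added example (not BeyondTrust's code) that performs those checks with OpenSSL; the page does not state the key algorithm, so RSA is assumed only for the constructed sample key that make_sample_key creates in place of the editor's download.

```shell
#!/bin/sh
# Added example, not part of the Privilege Management product.
# Checks a password-protected private.pem of the kind the Policy Editor downloads.
set -eu

# Creates a constructed sample key pair standing in for the editor's download.
# Assumption: RSA, since the page does not name the algorithm. The matching
# public key is written next to it as <name>.pub.pem.
make_sample_key() {
  keyfile=$1; password=$2
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass "pass:$password" -out "$keyfile" 2>/dev/null
  openssl pkey -in "$keyfile" -passin "pass:$password" \
    -pubout -out "${keyfile%.pem}.pub.pem" 2>/dev/null
}

# Returns 0 only if the PEM file is an encrypted (password-protected) key.
# A plaintext key would carry "PRIVATE KEY" without the ENCRYPTED marker.
is_encrypted() {
  grep -q "BEGIN ENCRYPTED PRIVATE KEY" "$1"
}

# Returns 0 only if the given password decrypts the private key.
password_unlocks() {
  openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Prints the SHA-256 fingerprint of the public key derived from the private
# key, so it can be compared with the public key held in the policy.
pubkey_fingerprint() {
  openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of a stand-alone public key file, for the comparison above.
pubfile_fingerprint() {
  openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}
```

Run the three checks against the real private.pem with the password chosen in step 4; a fingerprint that differs from the policy's public key means the archived file is not the key that protects the endpoints.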

Enable Agent Protection

To enable protection:

  1. In the Policy Editor, expand Utilities.
  2. Select Advanced Agent Settings.
  3. Click Add.
  4. Enter AgentProtectionState in the Name box.
  5. Select 64 bit.
  6. Ensure type is DWORD.
  7. In the Decimal box, set the value to 1. The Hex value automatically populates with the same value. There are three possible states: 0 = off, 1 = enabled, 2 = disabled.

Agent protection is enabled after the policy is deployed and loaded by the Windows computers.

For more information about using agent protection, please see Set up Agent Protection.

Regenerate UUIDs

When importing and exporting policies from external sources, it can sometimes be necessary to regenerate the internal policy Universally Unique Identifier (UUID), so that Reporting manages the events correctly. For most normal scenarios in which this is required (policy duplication, for example), this is handled seamlessly.

However, duplication by importing an XML file is not handled automatically, because you will not always want to regenerate the UUIDs in that case, such as when restoring a policy from a backup.

To regenerate UUIDs:

  1. In the Policy Editor, expand Utilities.
  2. Select Regenerate UUIDs.
  3. Click the Regenerate UUIDs button.

A success message displays at the bottom center of the page.