Use Quickstart Templates

To get started quickly, create a new policy using either the QuickStart For Windows template or the Quickstart For Mac template.

Both QuickStart templates for Windows and Mac policies contain Workstyles, Application Groups, Messages, and Custom Tokens configured with Endpoint Privilege Management and Application Control. The QuickStart policy is designed from BeyondTrust’s experiences of implementing the solution across thousands of customers, and is intended to balance security with user freedom. As every environment is different, we recommend you thoroughly test this configuration to ensure it complies with the requirements of your organization.

For more information about creating and managing policy, see Policies.

Customize the QuickStart Policy

Before deploying the QuickStart policy to your users, you need to make some company-specific customizations to the standard template.

At a minimum you need to:

Configure the users or groups that can authorize requests that trigger messages.
Assign users and groups to the high, medium, and low flexibility Workstyles.
Populate the Block - Blocklisted Apps Application Group with any applications that you want to block for all users.
Set your shared key so you can generate an Endpoint Privilege Management for Windows for Mac Response code.

QuickStart Template Summary

This section provides information about the properties for the Windows and macOS QuickStart templates, including the Workstyles and Application Groups that comprise the template.

Workstyles

Name	Description
All Users	Contains rules that apply to all standard users regardless of the level of flexibility they need: Block any applications in the Block - Blocklisted Apps group. Allow Endpoint Privilege Management Support tools. Allow standard Windows functions, business applications, and applications installed through trusted deployment tools to run with admin rights (Windows QuickStart template). Allow standard macOS functions, business applications, and applications installed through trusted deployment tools to run with admin rights (Mac QuickStart template). Allow approved standard user applications to run passively.
High Flexibility	Contains rules for users that require a lot of flexibility, such as software developers: Allow known business applications and operating system functions to run. Allow users to run signed applications with admin rights. Allow users to run unknown applications with admin rights once they confirm that the application should be elevated. Allow applications that are in the Add Admin – High Flexibility group to run with admin rights. Allow unknown business application and operating system functions to run on-demand.
Medium Flexibility	Contains rules for users that require some flexibility, such as sales engineers: Allow known business applications and operating system functions to run. Allow users to run signed applications with admin rights once they confirm that the application must be elevated. Prompt users to provide a reason before they can run unknown applications with admin rights. Allow applications that are in the Add Admin – Medium Flexibility group to run with admin rights. Allow unknown business application and operating system functions to run on-demand. Restricted OS functions that require admin rights are prevented and require support interaction.
Low Flexibility	Contains rules for users that don't require much flexibility, such as helpdesk operators: Prompt users to contact support if a trusted or untrusted application requests admin rights. Prompt users to contact support if an unknown application tries to run. Allow known approved business applications and operating system functions to run (Windows only).
Administrators	Provides visibility on the Administrator accounts in use. Contains general rules to: Capture user and host information. Block users from modifying local privileged group memberships.
SYSTEM	Protects the Restricted System Functions application group against potentially malicious behaviour by a user who can perform elevated PowerShell commands.

Application Groups

Application Groups prefixed with (Default) or (Recommended) are hidden by default and do not need to be altered.

Name	Description
Add Admin - General (Business Apps) (Windows) Authorize - All Users (Business Apps) (macOS)	Contains applications that are approved for elevation for all users, regardless of their flexibility level.
Add Admin - General (Windows Functions) Authorize - All Users (macOS Functions)	Contains operating system functions that are approved for elevation for all users.
Add Admin - High Flexibility (Windows) Authorize - High Flexibility (macOS)	Contains the applications that require admin rights that should only be provided to the high flexibility users.
Add Admin - Low Flexibility	Contains the applications that require admin rights that should only be provided to the low flexibility users.
Add Admin - Medium Flexibility Authorize - Medium Flexibility (macOS)	Contains the applications that require admin rights that should only be provided to the medium flexibility users.
Add Admin - Protected Operations
Passive - High Flexibility (Business Apps)	Contains applications that are allowed for High Flexibility users without providing admin authorization.
Passive - Medium Business Apps	Contains applications that are allowed for Medium Flexibility users without providing admin authorization.
Passive - Low Flexibility (Business Apps)	Contains applications that are allowed for Low Flexibility users without providing admin authorization.
Block - Blocklisted Apps	Contains applications that are blocked for all users.
Passive - All Users Functions & Apps	Contains trusted applications, tasks and scripts that should execute as a standard user.
(Default) Any Application	Contains all application types and is used as a catch-all for unknown applications.
(Default) Any Trusted & Signed UAC Prompt (Windows) (Default) Any Trusted & Signed Authorization Prompt (macOS)	Contains signed (trusted ownership) application types that request admin rights or authorization.
(Default) Any UAC Prompt (Windows) (Default) Any Authorization Prompt (macOS)	Contains application types that request admin rights or authorization.
(Default) Any Sudo Command (macOS)	Contains all sudo commands and is used as a catch-all for unknown sudo commands.
(Default) Endpoint Privilege Management Tools	Provides access to a BeyondTrust executable that collects Endpoint Privilege Management troubleshooting information.
(Default) Child Processes of TraceConfig.exe
(Default) Signed UAC Prompt (Windows) (Default) Any Signed Authorization Prompt (macOS)	Contains signed (trusted ownership) application types that request admin rights or authorization.
(Default) Software Deployment Tool Installs	Contains applications that can be installed by deployment tools such as System Center Configuration Manager (SCCM).
(Default) Authorize - System Trusted	Contains operating system functions that are authorized for all users.
(Default) Passive - System Trusted	Contains system applications that are allowed for all users.
(Recommended) Restricted Functions	Contains OS applications and consoles that are used for system administration and trigger UAC/authorization when they are executed.
(Recommended) Restricted Functions (On Demand)	Contains OS applications and consoles that are used for system administration.
(Default) Trusted Parent Processes	Trusted processes for reference in parent-rules.

Messages

The following messages are created as part of the QuickStart policy and are used by Application Rules:

Name	Description
Allow Message (Authentication)	(Windows). Asks the user to provide a reason and enter their password before the application runs with admin rights.
Allow Authorize (Authentication & Reason)	(macOS). Asks the user to enter their password and provide a reason before the application is authorized to run.
Allow Message (Select Reason)	Asks the user to select a reason from a dropdown menu before the application runs with admin rights.
Allow Message (Support Desk)	Presents the user with a challenge code and asks them to obtain authorization from the support desk. Support can either provide a response code or a designated, authorized user can enter their login details to approve the request.
Allow Message (Yes / No)	Asks the user to confirm that they want to proceed to run an application with admin rights.
Block Message	Warns the user that an application has been blocked.
Block Notification	Notifies the user that an application has been blocked and submitted for analysis.
Notification (Trusted)	Notifies the user that an application has been trusted.

Use the Server Role Template

The Server Roles policy contains Workstyles, Application Groups, and Content Groups to manage different server roles such as DHCP, DNS, IIS, and Print Servers.

Server Roles Template Summary

This template policy contains the following elements.

Workstyles

Name	Description
Server Role - Active Directory - Template	Supports server management of the Active Directory role.
Server Role - DHCP - Template	Supports server management of the DHCP role.
Server Role - DNS - Template	Supports server management of the DNS role.
Server Role - File Services - Template	Supports server management of the File Services role.
Server Role - Hyper V - Template	Supports server management of the Hyper-V role.
Server Role - IIS - Template	Supports server management of the IIS role.
Server Role - Print Services - Template	Supports server management of the Print Services role.
Server Role - Windows General - Template	Supports general server management operations.

Application Groups

Server Role - Active Directory - Server 2008R2
Server Role - DHCP - Server 2008R2
Server Role - DNS - Server 2008R2
Server Role - File Services - Server 2008R2
Server Role - General Tasks - Server 2008R2
Server Role - Hyper V - Server 2008R2
Server Role - IIS - Server 2008R2
Server Role - Print Services - Server 2008R2

Content Groups

AD Management
Hosts Management
IIS Management
Printer Management
Public Desktop