Privilege Management Console QuickStart
This section details the most likely tasks to get started with PMC, including automatically authorizing and assigning computers to groups in PMC.
After you deploy PMC, you can
- Manage policy
- Create groups and assign policy
- Use scripts to authorize and assign computers to these groups
- Navigate to and click the Groups tile.
- Select Actions > Create Group.
- Enter a Group Name. The Description and Annotations fields are optional.
- Click Submit. Your group is created and appears in the grid list below.
Once the group is created, you can set it as the Default group. If set, the Default group will be selected by default when you add one or more computers to a group. To set the group as the Default group, right-click the group, and then select Set Default.
- Navigate to and click the Groups tile.
- Select Actions > Assign Policy. The row briefly flashes green to indicate that PMC has processed your request.
- Select the policy you want to assign from the dropdown and the associated revision. By default, the revision is the most recent.
- The text at the bottom tells you how big the policy is and how many computers it will be assigned to. Click Assign to assign the policy to your group.
For details on how you can control the deployment of your policy, please see Policy Deployment Settings in PMC.
You need to install Privilege Management for the target operating system and the PMC adapter.
The Privilege Management installation packages differ based on your operating system.
For macOS endpoints run:
The PMC client adapter installers can be found in the AdapterInstallers folder of the PMC deployment. Use the Terminal to install the Mac PMC Adapter.
The adapters poll every 60 minutes.
You must install the PMC adapters using this process. You can optionally choose to automatically assign computers to groups and authorize them in one step, using the GroupID parameter for the adapters. This is detailed in the following sections.
When PMC clients are managed by the operating system, the PMC adapter is responsible for delivering policies and events between the computer and PMC servers.
If you are not using the GroupID to automatically assign and authorize computer groups, you can assign and authorize computers in PMC.
You can install and automatically authorize Mac machines to connect to PMC using the command line.
There are six parameters for the PMC Adapter:
- TenantID for your chosen method of authentication. This was recorded when PMC was installed.
- InstallationID: You get this from PMC.
Click Administration > Agent InstallationAccess Settings. Copy the Installation ID for this script.
- InstallationKey: You get this from PMC.
Click Administration > Agent InstallationAccess Settings. Copy the Installation Key for this script.
- ServiceURI: The URL for your PMC portal.
There is no port number or slash on the end of this URL. For example, neither https://test.pmc.avecto.com/ nor https://test.pmc.avecto.com:8080/ will work.
- GroupID: (Optional). If supplied, this will auto authorize the computer and assign it to the specified group. If that group does not exist, the computer will remain in the pending state. You obtain this from PMC.
- Cacertificateid: (Optional). The thumbprint of your SSL certificate. If you are using an SSL certificate that is trusted by a global provider, you do not need to add this parameter. If it is not, the SSL certificate must be added to the System keychain (not Login). The SSL certificate must also be set to Trusted in the System keychain.
To install the private key of the SSL Certificate:
You only need to do these steps if your SSL certificate is not issued by a trusted global provider that is preinstalled on the Mac.
- Obtain the .pfx portion of your SSL certificate.
- Double-click the .pfx file to install it into the Keychain application on the Mac. You need to enter the password for the SSL certificate. By default the certificate will be placed in the login keychain folder.
- Move the root certificate from the login keychain folder to the System folder keychain.
- Set the root certificate to Always Trust.
- Extract the thumbprint of your SSL certificate from the certificate. You need the thumbprint to install the Mac Adapter.
To install adapters:
Include the GroupID to automatically group and authorize the computer.
Include the Cacertificateid if your SSL certificate is not issued by a trusted global provider.
- Navigate to the location of the adapter installer. By default this is the AdapterInstallers folder.
- Mount the DMG.
- Run the command line as in the example shown below from the Terminal with your substituted values.
- Once the adapter installer launches, proceed through the installation wizard as required.
sudo /Volumes/PrivilegeManagementConsoleAdapter/install.sh \ tenantid="750e85d1-c851-4d56-8c76-b9566250cf1d" \ installationid="95a10760-2b96-4a0e-ab65-ed7a5e8f1649" \ installationkey="VGhpcyBzZWNyZXQgaTYzIGJlZW4gQmFzZTY0IGVuY29kZWQ=" \ serviceuri="https://test.ic3.beyondtrust.com" groupid="fcc4022e-12fa-4246-87w8-0de9a1483a68" \ cacertificateid="b36b7345ff30aa7fb15fcd985fe2989c3e11aba7"
For more information, please see Authorizing and Assigning Computers to a Group.