Configure Privilege Management Endpoints

You need to install Privilege Management on the target operating system as well as the PMC adapter.

 

Install Privilege Management first, and then the adapter. If they are installed in the other order, specific events that PMC needs are not generated. If you do install the client and the adapter out of order, you can restart the adapter service to force it to detect the client.

The adapters poll every 60 minutes by default. An additional delay is applied, based on the CPU load of the node that the adapter is connected to. The minimum supported adapter poll time is 5 minutes.

For more information on endpoint management, please see the PMC Administration Guide at https://www.beyondtrust.com/docs/privilege-management/mac/index.htm.

Privilege Management for Mac Clients

You need to choose your Privilege Management client as described below.

  • For 32-bit (x86) systems, run PrivilegeManagementForWindows_x86.exe.
  • For 64-bit (x64) systems, run PrivilegeManagementForWindows_x64.exe.

You can also install the Privilege Management for Windows MSI in silent mode with the PMC switch enabled:

Msiexec.exe /i PrivilegeManagementForWindows_x.xxx.x.msi IC3MODE=1 /qn /norestart

		

This will install the Windows client in silent mode with the PMC switch enabled.

  • Run PrivilegeManagementConsoleMacOSAdapter.dmg.

For compatible versions, please see the Release Notes.

Privilege Management Adapters

You can choose to automatically assign endpoints to groups and authorize them in one step using the GroupID parameter for the Mac adapters. PMC computer groups should be created in PMC prior to installing agents on a large scale. You should work with your implementation consultant to determine the best computer grouping approach for your needs.

The Privilege Management adapters are installed using the command prompt in Windows or the terminal for Mac.

For more information, please see Install the Mac Adapter for Privilege Management.

Install the Mac Adapter for Privilege Management

The PMC client adapter installers can be found in the AdapterInstallers folder of the PMC deployment. You need to use the Terminal to install the Mac PMC Adapter.

You can install and automatically authorize Mac machines to connect to PMC using the command line.

You must uninstall any existing PMC Mac Adapter prior to installing a new Mac adapter for PMC.

There are six parameters, two of which are optional:

  • TenantID. For Windows Directory and LDAPS, this GUID is generated for you by the deployment tool and you should already have a note of it.
  • InstallationID. You get this from PMC. Click Administration > Agent Installation. Copy the Installation ID for this script.
  • InstallationKey. You get this from PMC. Click Administration > Agent Installation. Copy the Installation Key for this script.
  • ServiceURI. This is the URL for your PMC portal.

Do not include a port number or a trailing slash in this URL. For example, https://test.pmc.avecto.com/ or https://test.pmc.avecto.com:8080/ will not work.

  • GroupID (Optional). If supplied, this automatically authorizes the endpoint and assigns it to the specified group. If that group doesn't exist, the computer remains in the pending state. You obtain this from PMC. Click the Group you want to use. The Group ID is shown in the Summary page. Copy the Group ID for this script.
  • Cacertificateid (Optional). If you are using a Root CA certificate that is trusted by a global provider, you do not need to add this parameter. If it is not trusted by a global provider, the Root CA certificate must be added to the System keychain (not Login) and must also be set to Trusted in the System keychain. The value for this parameter is the SHA-1 thumbprint of the Root CA certificate.

To install adapters:

Include the GroupID to automatically group and authorize the endpoint.

  1. Navigate to the location of the Adapter installer. By default, this is the AdapterInstallers folder.
  2. Mount the DMG and run the following command line from the Terminal. Once the Adapter installer launches, proceed through the installation wizard as required.

Below is an example command line. The line breaks must be removed before you run the script.

sudo /Volumes/PrivilegeManagementConsoleAdapter/install.sh tenantid="750e85d1-c851-4d56-8c76-b9566250cf1d" installationid="95a10760-2b96-4a0e-ab65-ed7a5e8f1649" installationkey="VGhpcyBzZWNyZXQgaTYzIGJlZW4gQmFzZTY0IGVuY29kZWQ=" serviceuri="https://test.ic3.avecto.com" groupid="fcc4022e-12fa-4246-87w8-0de9a1483a68" cacertificateid="b36b7345ff30aa7fb15fcd985fe2989c3e11aba7"

The computers with Privilege Management for Mac client and the PMC adapter installed with the Installation ID and Installation Key will now appear in the Computers grid in PMC.
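
Added example, not part of the BeyondTrust documentation or the adapter package: a pre-flight check that catches the parameter mistakes described above (a missing required parameter, a port number or trailing slash in serviceuri, a cacertificateid that is not a plain SHA-1 thumbprint) before install.sh is run. The helper names are hypothetical, and the https requirement and the canonical GUID form for tenantid are assumptions.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): pre-flight check of install.sh arguments.
# check_adapter_args, is_match and fail are hypothetical helper names.

# True when the whole of $1 matches the basic regular expression $2.
is_match() { expr "x$1" : "x$2\$" >/dev/null; }

# Returns 0 when every key=value argument passes; problems are listed on stderr.
check_adapter_args() (
    rc=0; seen=; h='[0-9A-Fa-f]'
    fail() { echo "check_adapter_args: $1" >&2; rc=1; }
    for arg in "$@"; do
        key=${arg%%=*}; val=${arg#*=}
        case "$key" in
            tenantid|installationid|installationkey|serviceuri|groupid|cacertificateid)
                seen="$seen $key "
                [ -n "$val" ] || fail "$key has no value"
                eval "p_$key=\$val" ;;   # safe: key is one of the six literals above
            *)  fail "unknown parameter: $key" ;;
        esac
    done
    for req in tenantid installationid installationkey serviceuri; do
        case "$seen" in *" $req "*) ;; *) fail "missing required parameter: $req" ;; esac
    done
    # The page calls TenantID a GUID; canonical 8-4-4-4-12 hex form is assumed.
    [ -z "${p_tenantid:-}" ] ||
        is_match "$p_tenantid" "$h\{8\}-$h\{4\}-$h\{4\}-$h\{4\}-$h\{12\}" ||
        fail "tenantid is not a GUID"
    # ServiceURI: no port number and no trailing slash (https is assumed here).
    case "${p_serviceuri:-}" in
        '')          ;;
        */)          fail "serviceuri must not end with a slash" ;;
        https://*:*) fail "serviceuri must not include a port number" ;;
        https://*)   ;;
        *)           fail "serviceuri is not an https URL" ;;
    esac
    # A SHA-1 thumbprint is 160 bits: exactly 40 hex digits, no colons or spaces.
    [ -z "${p_cacertificateid:-}" ] || is_match "$p_cacertificateid" "$h\{40\}" ||
        fail "cacertificateid is not a 40-digit SHA-1 thumbprint"
    [ "$rc" -eq 0 ]
)

# Constructed sample values, not real credentials.
if check_adapter_args tenantid="11111111-2222-3333-4444-555555555555" \
    installationid="constructed-id" installationkey="constructed-key" \
    serviceuri="https://pmc.example.com"; then
    echo "arguments look valid"
fi
```

Pass the same key=value arguments you intend to give install.sh; groupid is only checked for being non-empty because the page does not define its format.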

For more information on getting the GUID for Microsoft Azure authentication, please see Directory ID.