Privilege Management Console QuickStart

This section details the most likely tasks to get started with PMC, including automatically authorizing and assigning computers to groups in PMC.

After you deploy PMC, you can:

  • Create policy
  • Create groups and assign policy
  • Use scripts to authorize and assign computers to these groups

Manage Policy

There are various approaches you can take to PMC. For example, if you are new to PMC you may want to create a group, assign it as the Default group, add all your computers to that group, and then assign the Privilege Management QuickStart policy to that group.

If you are migrating to PMC, you may want to replicate your existing groups and assign the same policy to them, before authorizing and placing your computers in those groups.

Once you have your policy, you can create groups in PMC and assign policies to those groups.

For more information, please see Manage Privilege Management Console Policy.

Create Groups and Assign Policy

Create Groups

  1. Navigate to and click the Groups tile.
  2. Select Actions > Create Group.
  3. Enter a Group Name. The Description and Annotations fields are optional.
  4. Click Submit. Your group is created and appears in the grid list below.

Once the group is created, you can set it as the Default group. If set, the Default group will be selected by default when you add one or more computers to a group. To set the group as the Default group, right-click the group, and then select Set Default.

Assign Policy

  1. Navigate to and click the Groups tile.
  2. Select Actions > Assign Policy. The row briefly flashes green to indicate that PMC has processed your request.
  3. Select the policy you want to assign from the dropdown and the associated revision. By default, the revision is the most recent.
  4. The text at the bottom tells you how big the policy is and how many computers it will be assigned to. Click Assign to assign the policy to your group.

For details on how you can control the deployment of your policy, please see Policy Deployment Settings in PMC.

Install Privilege Management

You need to install Privilege Management for the target operating system, as well as the PMC adapter.

You can view installation package details in the console. Go to Administration > Access Settings.

The Privilege Management installation packages differ based on your operating system.

Windows

For 32-bit (x86) systems run:

PrivilegeManagementForWindows_x86.exe

For 64-bit (x64) systems run:

PrivilegeManagementForWindows_x64.exe

You need to install Privilege Management for Windows with the IC3MODE switch enabled:

Msiexec.exe /i PrivilegeManagementForWindows_x.xxx.x.msi IC3MODE=1 /qn /norestart

Optionally, use the /qn switch to run a silent install. Using this switch requires administrative rights.

macOS

PrivilegeManagementForMacOS_{version}.pkg

Install the Windows Adapter for PMC

The PMC client adapter installers can be found in the AdapterInstallers folder of the PMC deployment. You need to use the Windows Command Prompt to install the Windows PMC Adapter.

The adapters poll every 60 minutes by default. An additional delay is applied based on the CPU load of the node that the adapter is connected to. The minimum supported adapter poll time is 5 minutes.

You must install the Privilege Management adapters using this process. You can optionally choose to automatically assign endpoints to groups and authorize them in one step using the GroupID parameter for the adapters. This is detailed in the following sections.

When Privilege Management agents are managed by the operating system, the PMC adapter is responsible for delivering policies and events between the endpoint and PMC servers.

If you are not using the GroupID to automatically assign and authorize computer groups, you can assign and authorize endpoints in PMC.

You can install and automatically authorize Windows machines to connect to PMC using the command line.

There are five parameters for the PMC Adapter:

  • TenantID: For Windows Directory and LDAPS, this GUID is generated for you by the deployment tool and you should already have a note of it.
  • InstallationID: You get this from PMC. Click Administration > Agent Installation. Copy the Installation ID for this script.
  • InstallationKey: You get this from PMC. Click Administration > Agent Installation. Copy the Installation Key for this script.
  • ServiceURI: The URL for your PMC portal.

Do not include a port number or slash character on the end of the ServiceURI. For example, https://test.pmc.avecto.com/ or https://test.pmc.avecto.com:8080/ will not work.

  • GroupID: (Optional). If supplied, this will auto-authorize the endpoint and assign it to the specified group. If that group does not exist the computer will remain in the pending state. You get this from PMC. Click the Group you want to use. The Group ID is shown in the Details page for the script. Copy the Group ID for this script.

To install adapters:

Include the GroupID to automatically group and authorize the endpoint.

  1. Navigate to the location of the Adapter installer. By default this is the AdapterInstallers folder.
  2. Enter the command line with the required attributes and press enter. The Adapter installer launches. Proceed through the installation wizard as required.

Example command line

The line breaks must be removed before you run the script.

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi"
TENANTID="<TenantID_GUID>"
INSTALLATIONID="<InstallationID>"
INSTALLATIONKEY="<InstallationKey>"
SERVICEURI="<PMC URL>"
GROUPID="<PMC GroupID GUID>"

Add the following argument if you don't want the Adapter service to start automatically. This option is useful when Privilege Management for Windows and the PMC adapter are being installed to an image that will be reused to create many individual computers. If the adapter is not disabled in this scenario, the PMC adapter will immediately join the PMC instance indicated.

SERVICE_STARTUP_TYPE=Disabled 

You can start the IC3Adapter service manually later in Services.

Example

msiexec.exe /i "PrivilegeManagementConsoleAdapter_x64.msi" TENANTID="6b75f647-d3y7-4391-9278-002af221cc3f" INSTALLATIONID="08A1CD8F-FAE4-479F-81B4-00751A55EEB8" INSTALLATIONKEY="ABCDEFGHIJKLMNO" SERVICEURI="https://test.ic3.avecto.com" GROUPID="e531374a-55b9-4516-g156-68f5s32f5e57" SERVICE_STARTUP_TYPE=Disabled

For more information, please see Authorizing and Assigning Computers to a Group.
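
As an added example (not part of the product documentation), the PowerShell function below assembles the adapter command on a single line and rejects a ServiceURI with a port or trailing slash, or a TenantID or GroupID that is not a GUID, before msiexec runs. The function name New-PmcAdapterArgs, the host pmc.example.com and the GUIDs are hypothetical placeholders.

```powershell
# Added example; function name and sample values are hypothetical.
function New-PmcAdapterArgs {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$InstallationId,
        [Parameter(Mandatory)][string]$InstallationKey,
        [Parameter(Mandatory)][string]$ServiceUri,
        [string]$GroupId,          # optional: auto-authorize and assign to this group
        [switch]$DisableService    # for images that will be cloned
    )
    # TenantID and GroupID are GUIDs; reject anything else before msiexec runs.
    $guids = @{ TENANTID = $TenantId }
    if ($GroupId) { $guids['GROUPID'] = $GroupId }
    $parsed = [guid]::Empty
    foreach ($name in $guids.Keys) {
        if (-not [guid]::TryParse($guids[$name], [ref]$parsed)) {
            throw "$name is not a GUID: '$($guids[$name])'"
        }
    }
    # No port number and no trailing slash on the ServiceURI.
    # Assumption: a bare https host name, as in the page's example.
    if ($ServiceUri -notmatch '^https://[A-Za-z0-9.-]+$') {
        throw "SERVICEURI must be https://<host> with no port or trailing slash: '$ServiceUri'"
    }
    $msiArgs = @(
        '/i', ('"{0}"' -f $MsiPath),
        ('TENANTID="{0}"' -f $TenantId),
        ('INSTALLATIONID="{0}"' -f $InstallationId),
        ('INSTALLATIONKEY="{0}"' -f $InstallationKey),
        ('SERVICEURI="{0}"' -f $ServiceUri)
    )
    if ($GroupId) { $msiArgs += 'GROUPID="{0}"' -f $GroupId }
    if ($DisableService) { $msiArgs += 'SERVICE_STARTUP_TYPE=Disabled' }
    return $msiArgs
}

# Constructed sample values; take the real ones from your PMC console.
$installArgs = New-PmcAdapterArgs -MsiPath 'PrivilegeManagementConsoleAdapter_x64.msi' `
    -TenantId '11111111-2222-3333-4444-555555555555' -InstallationId '<InstallationID>' `
    -InstallationKey '<InstallationKey>' -ServiceUri 'https://pmc.example.com' `
    -GroupId '66666666-7777-8888-9999-000000000000' -DisableService
$installArgs -join ' '    # the single-line command, for review
# Uncomment to run the installer from an elevated prompt (3010 = success, reboot required):
# $p = Start-Process msiexec.exe -ArgumentList $installArgs -Wait -PassThru
# if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with $($p.ExitCode)" }
```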

Configure the Windows PMC Adapter

When the PMC Adapter communicates with the PMC portal it uses HTTPS. If there is a proxy in place that this communication goes through, it must be configured for the PMC adapter user, which is separate from the logged on user account.

The endpoint needs to be configured to use proxy settings for the whole machine rather than the individual user. The following registry key needs to be edited to make this change:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

The Data value must read 0. This specifies the whole machine (1 specifies per user).

Name                  Type       Data
ProxySettingsPerUser  REG_DWORD  0

Ensure the iC3Adapter User Has the "User Can Log on as a Service" Right

When you install the PMC adapter, a user account is created called iC3Adapter. The iC3Adapter user is granted the right to Log on as a Service by the installation process. If you have a Group Policy in place that revokes this permission, you need to ensure the iC3Adapter user is excluded as it needs the Log on as a Service right.


For more information, please see Add the Log on as a service Right to an Account.
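
As an added example (not part of the product documentation), the read-only PowerShell checks below cover the two prerequisites described above: the machine-wide proxy value and the Log on as a Service right for the iC3Adapter account. The function names are hypothetical, and the script assumes an elevated prompt on an endpoint where the adapter is already installed.

```powershell
# Added example: read-only checks; function names are hypothetical.
function Test-PmcMachineProxy {
    # True when proxy settings apply to the whole machine (ProxySettingsPerUser = 0).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $item = Get-ItemProperty -Path $key -Name ProxySettingsPerUser -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.ProxySettingsPerUser -eq 0)
}

function Test-PmcServiceLogonRight {
    param([string]$Account = 'iC3Adapter')
    # Resolve the account to its SID (throws if the account does not exist).
    # The exported policy lists holders either as *SID or as an account name.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export the effective local user-rights assignments.
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
            Select-Object -First 1
        if (-not $line) { return $false }
        $holders = ($line.Line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
        return ($holders -contains $sid) -or ($holders -contains $Account)
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

[pscustomobject]@{
    MachineWideProxy   = Test-PmcMachineProxy
    LogOnAsServiceHeld = Test-PmcServiceLogonRight
}
```

A right held only through group membership is not listed under the account's own name or SID, so a False result for LogOnAsServiceHeld still needs a look at the exported list.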