BlokSec and BeyondTrust: Endpoint Privilege Management for Windows and Mac

BeyondTrust Endpoint Privilege Management for Windows and Mac pairs powerful least privilege management and application control capabilities to provide preventative endpoint security. Implement zero trust controls and benefit from advanced protection against lateral movement, ransomware, malware, and insider threats.

BlokSec provides BeyondTrust users with a frictionless experience using no password or response code, while also providing the highest levels of authentication and identity assurance through the use of zero-knowledge proofs to further complement the zero trust controls provided by BeyondTrust Endpoint Privilege Management for Windows and Mac. BlokSec also provides the benefit of tamper-proof audit logging through the use of an immutable ledger allowing system administrators to confidently review elevation request history.

For more information about BlokSec, see


  • BeyondTrust Endpoint Privilege Management (EPM) instance
  • BlokSec instance
  • Users enrolled with BlokSec mobile app

EPM includes in-policy multifactor authentication or step-up authentication, which needs to be configured to point to a BlokSec instance.

Create an EPM App From a Template

  1. Create a new app from template.

Endpoint Privilege Management in Application Templates

  1. Select the BeyondTrust Endpoint Privilege Management template.


  1. Set the Token Endpoint Auth Method to None, and then click Submit.
  2. Click the Generate App Secret button.
  3. Make note of the Application ID. This is the Client ID used in the EPM's identity provider settings.


Configure EPM

Configure Identity Provider settings for Bloksec in EPM

  1. Access the Messages tab in the Policy Editor and click Identity Provider Settings.


Identity Provider settings for BlokSec

  1. Provide the BlokSec Issuer ID and Application ID as the Client ID.
  2. Click Save the Settings.


  1. Select the message you want to configure for BlokSec and check the box Verify their identity through an Identity Provider.

Test the Integration

Now we can use the test user and a test workstation to make sure the integration is properly configured.

Requesting elevation in a EPM and BlokSec integration.

  1. When a user is requesting elevation, they are redirected to a browser (the default set by the user) to authenticate through BlokSec, using their saved credentials on the workstation.


Push notification to mobile app in a EPM BlokSec integration.

  1. A push notification is sent to the mobile app to authenticate the user.


Click OK on the IT Security Policy dialog box to authenticate access.

  1. The user can click OK on the Reason Required message after BlokSec authentication.


Elevated application in EPM BlokSec integration.

  1. Next the requested elevation (printer driver .msi) is approved, and the executable starts with elevated permissions. The user is never elevated.