BlokSec and BeyondTrust: Privilege Management for Windows and Mac

BeyondTrust Privilege Management for Windows and Mac pairs powerful least privilege management and application control capabilities to provide preventative endpoint security. Implement zero trust controls and benefit from advanced protection against lateral movement, ransomware, malware, and insider threats.

BlokSec provides BeyondTrust users with a frictionless experience that requires no password or response code, while providing the highest levels of authentication and identity assurance through zero-knowledge proofs, complementing the zero trust controls provided by BeyondTrust Privilege Management for Windows and Mac. BlokSec also provides tamper-proof audit logging through an immutable ledger, allowing system administrators to confidently review elevation request history.

For more information about BlokSec, please see


  • BeyondTrust Privilege Management Cloud (PM Cloud) instance
  • BlokSec instance
  • Users enrolled with BlokSec mobile app

PM Cloud includes in-policy multifactor authentication or step-up authentication, which needs to be configured to point to a BlokSec instance.

Create a PM Cloud App From a Template

  1. Create a new app from template.

[Figure: Privilege Management Cloud in Application Templates]

  2. Select the BeyondTrust Privilege Management Cloud template.
  3. Set the Token Endpoint Auth Method to None, and then click Submit.
  4. Click the Generate App Secret button.
  5. Make note of the Application ID. This is the Client ID used in the Privilege Management Console's identity provider settings.


Configure PM Cloud

[Figure: Configure Identity Provider settings for BlokSec in PM Cloud]

  1. Access the Messages tab in the Policy Editor and click Identity Provider Settings.

[Figure: Identity Provider settings for BlokSec]

  2. Provide the BlokSec Issuer ID, and enter the Application ID as the Client ID.
  3. Click Save the Settings.
  4. Select the message you want to configure for BlokSec and check the box Verify their identity through an Identity Provider.

Test the Integration

Now we can use the test user and a test workstation to make sure the integration is properly configured.

[Figure: Requesting elevation in a PM Cloud and BlokSec integration]

  1. When a user requests elevation, they are redirected to a browser (the default set by the user) to authenticate through BlokSec, using their saved credentials on the workstation.

[Figure: Push notification to mobile app in a PM Cloud BlokSec integration]

  2. A push notification is sent to the mobile app to authenticate the user.

[Figure: Click OK on the IT Security Policy dialog box to authenticate access]

  3. The user can click OK on the Reason Required message after BlokSec authentication.

[Figure: Elevated application in PM Cloud BlokSec integration]

  4. Next, the requested elevation (printer driver .msi) is approved, and the executable starts with elevated permissions. The user is never elevated.