BlokSec and BeyondTrust: Privilege Management for Windows and Mac
BeyondTrust Privilege Management for Windows and Mac combines least privilege management with application control to provide preventative endpoint security. It lets you implement zero trust controls on the endpoint and protects against lateral movement, ransomware, malware, and insider threats.
BlokSec gives BeyondTrust users a passwordless authentication flow with no password or response code to type, while providing strong identity assurance through zero-knowledge proofs; this complements the zero trust controls provided by BeyondTrust Privilege Management for Windows and Mac. BlokSec also records each authentication in an immutable ledger, giving administrators a tamper-evident audit log of elevation request history.
For more information about BlokSec, please see https://bloksec.com/.
Prerequisites
- BeyondTrust Privilege Management Cloud (PM Cloud) instance
- BlokSec instance
- Users enrolled with the BlokSec mobile app
PM Cloud supports in-policy multifactor (step-up) authentication through an external identity provider; this guide configures that identity provider to point at a BlokSec instance.
Create a PM Cloud App From a Template
- In the BlokSec administration console, create a new app from a template.
- Select the BeyondTrust Privilege Management Cloud template.
- Set the Token Endpoint Auth Method to None, and then click Submit.
- Click the Generate App Secret button.
- Make a note of the Application ID. This is the Client ID you will enter in the Privilege Management Console's identity provider settings.
Configure PM Cloud
- In the Policy Editor, open the Messages tab and click Identity Provider Settings.
- Enter the BlokSec Issuer ID as the issuer and the Application ID from the previous section as the Client ID.
- Save the settings.
- Select the message you want to protect with BlokSec and check the box Verify their identity through an Identity Provider.
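Before saving the Issuer ID and Client ID, it is worth confirming that the issuer actually advertises what the steps above rely on: an exact-match issuer string, HTTPS endpoints, and support for a client that authenticates at the token endpoint with method None (a public client). The following script is an added example written for this page, not BeyondTrust or BlokSec code; the issuer URL, endpoints and discovery document in it are constructed placeholders, and it assumes the BlokSec issuer publishes a standard OpenID Connect discovery document at `<issuer>/.well-known/openid-configuration`.

```python
"""Pre-flight check of an OpenID Connect discovery document before pointing
PM Cloud's Identity Provider Settings at an issuer.

Added example, not BeyondTrust or BlokSec code. SAMPLE_ISSUER and
SAMPLE_DISCOVERY are constructed placeholders, not a real BlokSec tenant.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample discovery document (placeholder issuer).
SAMPLE_ISSUER = "https://idp.example.invalid"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oauth2/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oauth2/token",
    "jwks_uri": SAMPLE_ISSUER + "/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "none"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def validate_discovery(doc, expected_issuer):
    """Return (errors, warnings). An empty errors list means the issuer is safe
    to save as the Issuer ID with Token Endpoint Auth Method set to None."""
    errors, warnings = [], []

    # OIDC Discovery requires an exact string match: a trailing slash or an
    # http:// vs https:// difference makes the client reject every ID token.
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        errors.append(
            f"issuer mismatch: document says {issuer!r}, settings say {expected_issuer!r}")
    if urlparse(expected_issuer).scheme != "https":
        errors.append("issuer must use https; the elevation approval rides on this channel")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            errors.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            errors.append(f"{key} is not https: {url}")

    # The template step sets Token Endpoint Auth Method to None, so PM Cloud
    # behaves as a public client. If the issuer omits this list the spec
    # default is client_secret_basic only, so absence is a failure, not a pass.
    auth_methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "none" not in auth_methods:
        errors.append("issuer does not advertise token_endpoint_auth_method 'none'")

    if "code" not in doc.get("response_types_supported", []):
        errors.append("authorization code flow not supported")

    # A public client has no secret protecting the code exchange, so PKCE
    # S256 is the control that should stand in for it.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        warnings.append("issuer does not advertise PKCE S256")

    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        errors.append("issuer allows unsigned ID tokens (alg=none)")
    return errors, warnings


def fetch_and_validate(issuer, timeout=10):
    """Live variant: download <issuer>/.well-known/openid-configuration and validate it."""
    with urlopen(issuer.rstrip("/") + DISCOVERY_PATH, timeout=timeout) as resp:
        doc = json.load(resp)
    return validate_discovery(doc, issuer)


if __name__ == "__main__":
    errs, warns = validate_discovery(SAMPLE_DISCOVERY, SAMPLE_ISSUER)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

Run `fetch_and_validate("https://<your-bloksec-issuer>")` against the real tenant and paste exactly the `issuer` value the document returns into the Issuer ID field; the exact-match rule is the most common reason an otherwise correct setup fails at the first elevation prompt.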
Test the Integration
Use a test user and a test workstation to confirm the integration is configured correctly.
- When the user requests elevation, their default browser opens and they authenticate through BlokSec (any BlokSec credentials already saved on the workstation are used).
- BlokSec sends a push notification to the user's mobile app to authenticate them.
- After BlokSec authentication succeeds, the user can click OK on the Reason Required message.
- The requested elevation (in this test, a printer driver .msi) is approved and the installer runs with elevated privileges. The user's own account is never elevated; only the approved process is.