Create and Deploy the BeyondInsight Client for Privilege Management for Mac

To establish communication between BeyondInsight and Privilege Management for Mac clients, a client certificate must be generated from BeyondInsight, and then installed on every Privilege Management for Mac client needing to transmit information to BeyondInsight.

Generate Client Certificate ZIP

  1. On the BeyondInsight Server, go to C:\Program Files (x86)\eEye Digital Security\Retina CS.
  2. Run REMEMConfig.exe, which opens the BeyondInsight Configuration Tool.

    Image of the BeyondInsight Configuration Tool highlighting Certificate Management

  3. Click the Certificate Management link.

    Image of Certificate Management dialog box with Export Certificate selected

  4. In the Certificate Management dialog window, select Export Certificate.
  5. Select Client Certificate as the Certificate type.
  6. Enter a Password. We recommend that you use the existing BeyondInsight Central Policy password.
  7. Click the ellipsis (...) button to browse to the desired location.
    • Enter a File name and select Certificate files (*.pfx) as the Save as type. We recommend that you name the certificate eEyeEmsClient.pfx.
    • Click Save.
    • Verify the Path has been filled in correctly.
  8. Click OK. A notification appears, stating The Client certificate has been exported. Click OK again.

Install the BeyondInsight Client Certificate on the Endpoint

For more information, please see the Rapid Deployment Tool Guide.

Install the Privilege Management for Mac Client

The client and the adapter are obtained from BeyondTrust after purchasing Privilege Management with BeyondInsight, and may be distributed to the endpoints using the method of your choice, including Mobile Device Management (MDM), such as Jamf or AirWatch.

You can create a settings package to set the adapter's configuration on all endpoints by using the Privilege Management for Mac Rapid Deployment Tool.

For more information, please see the Rapid Deployment Tool Guide.

The filenames are as follows, where x.x.x.x represents the version:

  • PrivilegeManagementForMac_x.x.x.x.pkg
  • BIAdapter_x.x.x.x.pkg

To install the Privilege Management for Mac client:

  1. Double-click the PrivilegeManagementForMac_x.x.x.x.pkg file.
  2. Click Continue on the Introduction page.
  3. On the Software License Agreement page, click Continue and then click Agree to agree to the terms and conditions.
  4. (Optional) To change the installation destination, click the Change Install Location button. The Destination Select page will allow you to choose from viable installation location options. Click Continue.

Image showing Installation Type page on Privilege Management for Mac install wizard

  5. Click the Install button on the Installation Type page. If prompted, enter your admin credentials to continue. Click OK if the Installer.app needs permission to modify passwords, networking, or system settings.

Image showing successful install of Privilege Management for Mac install wizard.

  6. The Summary page shows that the installation was successful. Click Close to complete the installation.

Verify Security Settings

Go through the following sections to ensure Privilege Management for Mac files have correct access.

Set Allow on com.beyondtrust.endpointsecurity.systemextension

After the agent and adapter are installed, ensure the security on the Privilege Management system extension is set to Allow.

For com.beyondtrust.endpointsecurity.systemextension, go to System Preferences > Security & Privacy > General, and then select Allow.

Verify Privacy Settings

The following Privilege Management for Mac files require the privacy settings Full Disk Access and Files and Folders:

  • com.beyondtrust.interrogator
  • PrivilegeManagement
  • defendpointd
  • com.beyondtrust.endpointsecurity.systemextension

To confirm the settings:

  1. Go to System Preferences > Security & Privacy > Privacy, and then select Full Disk Access. Ensure the Privilege Management files are listed.
  2. Select Files and Folders and confirm the Privilege Management files are listed.

Verify Finder Extensions is Enabled

One way to confirm that Finder Extensions is on is to go to the Applications folder and verify that the Privilege Management shield icon appears next to the applications.

Install the BeyondInsight Adapter

You may use the deployment method of your choice to get the BeyondInsight adapter to your endpoints, whether that be Mobile Device Management methods (such as Jamf or AirWatch), manual configuration, download from a shared resource, etc.

  1. Double-click the BIAdapter_x.x.x.x.pkg file.
  2. Click Continue on the Introduction page.
  3. On the Software License Agreement page, click Continue and then click Agree to agree to the terms and conditions.

Image showing Installation Type page in BeyondInsight adapter install wizard

  4. Click the Install button on the Installation Type page. If prompted, enter your admin credentials to continue. Click OK if Installer.app needs permission to modify passwords, networking, or system settings.

Image showing successful install page for BeyondInsight adapter

  5. The Summary page shows that the installation was successful. Click Close to complete the installation.

Check to See if the Endpoint has Connected

After the settings file has been configured, the Privilege Management endpoint is capable of checking into BeyondInsight and sending events to BeyondInsight. If you have access to the machine running the BeyondInsight Server, you can determine if the endpoint has checked in by using either of the following methods:

  1. The endpoint is visible on the Assets page, at Assets > Endpoint Privilege Management.

Configure the Activity Monitor to show all processes, as BIAdapter runs as user _defendpoint.

  2. Run the following SQL queries:

     select * from Asset_PBDInfo
     select * from Asset_PBDInfoEx

Image showing BeyondInsight settings file with heartbeat and policy validation interval highlighted

If you want to force a policy update for a client getting an update for the first time, you can restart the BeyondInsight adapter. In the Activity Monitor, restart the BIAdapter process.

The default interval for both the policy update and the heartbeat is six hours. These values can be changed on the BeyondInsight Server and the updated policy applied to the endpoint, but the endpoint does not pick up the change until the initial 6 hour period has elapsed. Manually changing the RCSHeartbeatInterval and RCSPolicyValidationInterval values in the settings file also makes the endpoint check in more often. Enter the values in minutes.

If you have access to the endpoints, you can use either of the following methods to determine if they have checked in:

  • Open Console and filter on subsystem: com.beyondtrust.BIAdapter. Ensure that Info and Debug Messages are on. Logs about the connection will be displayed in real time. You can check when the next policy validation is scheduled, as well as the next heartbeat request.
  • Open Activity Monitor. The BIAdapter service is displayed as running.
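The endpoint-side checks from the Verify Security Settings section (the system extension must be Allowed) and from this section (BIAdapter running as _defendpoint, Console filtered on com.beyondtrust.BIAdapter) can be scripted for fleet-wide verification. The script below is an added example, not BeyondTrust's own tooling. It assumes the tab-separated row layout that `systemextensionsctl list` prints (enabled, active, teamID, bundleID with version, name, bracketed state), uses `log show` with a subsystem predicate as the command-line equivalent of the Console filter, and runs its parsers against constructed sample output; TEAMID0000 and the /opt/placeholder install path are placeholders, not real values.

```shell
#!/bin/sh
# Endpoint-side verification for a Privilege Management for Mac install.
# Added example, not BeyondTrust's own tooling. The parsing functions read
# command output on stdin so they can be exercised against the constructed
# samples below on any system; the live commands only run on macOS with --live.

# Extension that must be set to Allow, and the account BIAdapter runs as.
PM_EXT=com.beyondtrust.endpointsecurity.systemextension
ADAPTER_USER=_defendpoint

# sysext_state BUNDLE_ID
#   Reads `systemextensionsctl list` output on stdin. Rows are tab-separated:
#   enabled, active, teamID, "bundleID (version)", name, [state]. Prints the
#   state without brackets ("activated enabled", "activated waiting for user",
#   ...) or "not installed" when no row matches BUNDLE_ID.
sysext_state() {
  awk -F'\t' -v id="$1" '
    index($4, id " (") == 1 { s = $NF; print substr(s, 2, length(s) - 2); found = 1; exit }
    END { if (!found) print "not installed" }'
}

# sysext_ok BUNDLE_ID : succeeds only when the extension is fully approved.
sysext_ok() {
  [ "$(sysext_state "$1")" = "activated enabled" ]
}

# adapter_user
#   Reads `ps -axo user,comm` output on stdin and prints the account that owns
#   the BIAdapter process; prints nothing when the adapter is not running.
#   Only the last field is matched because the command path may contain spaces.
adapter_user() {
  awk '$NF ~ /(^|\/)BIAdapter$/ { print $1; exit }'
}

# adapter_ok : succeeds only when BIAdapter is running as the expected account.
adapter_ok() {
  [ "$(adapter_user)" = "$ADAPTER_USER" ]
}

# live_check : the real macOS commands behind the checks above. The `log show`
# predicate matches what Console shows when filtered on the
# com.beyondtrust.BIAdapter subsystem with Info and Debug messages enabled.
live_check() {
  echo "system extension: $(systemextensionsctl list | sysext_state "$PM_EXT")"
  echo "BIAdapter runs as: $(ps -axo user,comm | adapter_user)"
  log show --predicate 'subsystem == "com.beyondtrust.BIAdapter"' --info --debug --last 1h
}

# Constructed sample outputs (not captured from a real host). TEAMID0000 and
# the /opt/placeholder install path are placeholders.
SYSEXT_APPROVED=$(printf '1 extension(s)\n--- com.apple.system_extension.endpoint_security\nenabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n*\t*\tTEAMID0000\t%s (1.0/1)\tPrivilege Management\t[activated enabled]\n' "$PM_EXT")
SYSEXT_PENDING=$(printf '1 extension(s)\n--- com.apple.system_extension.endpoint_security\nenabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n\t\tTEAMID0000\t%s (1.0/1)\tPrivilege Management\t[activated waiting for user]\n' "$PM_EXT")
PS_SAMPLE=$(printf 'USER             COMM\nroot             /sbin/launchd\n_defendpoint     /opt/placeholder/BIAdapter\n')

# check_samples : runs the parsers over the samples; fails on the first
# expectation that does not hold (approved passes, pending is rejected,
# adapter is owned by _defendpoint).
check_samples() {
  printf '%s\n' "$SYSEXT_APPROVED" | sysext_ok "$PM_EXT" || return 1
  printf '%s\n' "$SYSEXT_PENDING" | sysext_ok "$PM_EXT" && return 1
  [ "$(printf '%s\n' "$SYSEXT_PENDING" | sysext_state "$PM_EXT")" = "activated waiting for user" ] || return 1
  printf '%s\n' "$PS_SAMPLE" | adapter_ok || return 1
}

if [ "$(uname)" = Darwin ] && [ "${1:-}" = --live ]; then
  live_check
else
  check_samples && echo "sample checks passed"
fi
```

Run it with `--live` on the endpoint to print the real extension state, the adapter's owning account, and the last hour of adapter log messages; an extension reported as "activated waiting for user" is the state you see before Allow has been clicked in Security & Privacy, and an empty adapter account means the BIAdapter process is not running.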