Configure BeyondInsight and Privilege Management

To establish communication between BeyondInsight and Privilege Management for Mac clients:

  • Generate a client certificate in BeyondInsight
  • Install the certificate on every Privilege Management for Mac client that needs to send information to BeyondInsight

Generate Client Certificate ZIP

  1. On the BeyondInsight Server, go to C:\Program Files (x86)\eEye Digital Security\Retina CS.
  2. Run REMEMConfig.exe, which opens the BeyondInsight Configuration Tool.

 

Image of the BeyondInsight Configuration Tool highlighting Certificate Management

  1. Click on the Certificate Management link.

 

Image of Certificate Management dialog box with Export certificate selected

  1. In the Certificate Management dialog window, select Export Certificate.
  2. Select Client Certificate as the Certificate type.
  3. Enter a password. We recommend using the existing BeyondInsight Central Policy password.
  4. Enter a file name and select Certificate files (*.pfx) as the file type. We recommend using the name eEyeEmsClient.pfx. Click Save.
  5. Click OK. Click OK again.

Deploy the BeyondInsight Client Certificate

For more information, please see the Rapid Deployment Tool Guide.

Install the Privilege Management for Mac Client

The client and the adapter are obtained from BeyondTrust after purchasing Privilege Management with BeyondInsight, and may be distributed to the endpoints using the method of your choice, including Mobile Device Management (MDM), such as Jamf or AirWatch.

You can create a settings package to set the adapter's configuration on all endpoints by using the Privilege Management for Mac Rapid Deployment Tool.

For more information, please see the Rapid Deployment Tool Guide.

The filenames are as follows, where x.x.x.x represents the version:

  • PrivilegeManagementForMac_x.x.x.x.pkg
  • BIAdapter_x.x.x.x.pkg

To install the Privilege Management for Mac client:

  1. Double-click the PrivilegeManagementForMac_x.x.x.x.pkg file.
  2. Click Continue on the Introduction page.
  3. On the Software License Agreement page, click Continue and then click Agree to agree to the terms and conditions.
  4. (Optional) To change the installation destination, click the Change Install Location button. The Destination Select page will allow you to choose from viable installation location options. Click Continue.

Image showing Installation Type page on Privilege Management for Mac install wizard

  1. Click the Install button on the Installation Type page. If prompted, enter your admin credentials to continue. Click OK if the Installer.app needs permission to modify passwords, networking, or system settings.

 

Image showing successful install of Privilege Management for Mac install wizard.

  1. The Summary page shows that the installation was successful. Click Close to complete the installation.

 

Verify Security Settings

Go through the following sections to ensure Privilege Management for Mac files have correct access.

Set Allow on com.beyondtrust.endpointsecurity.systemextension

After the agent and adapter are installed, ensure the security on the Privilege Management system extension is set to Allow.

For com.beyondtrust.endpointsecurity.systemextension, go to System Preferences > Security & Privacy > General, and then select Allow.

Verify Privacy Settings

The following Privilege Management for Mac files require the privacy settings Full Disc Access and Files and Folders:

  • com.beyondtrust.interrogator
  • PrivilegeManagement
  • defendpointd
  • com.beyondtrust.endpointsecurity.systemextension

To confirm the settings:

  1. Go to System Preferences > Security & Privacy > Privacy, and then select Full Disk Access. Ensure the Privilege Management files are listed.
  2. Select Files and Folders and confirm the Privilege Management files are listed.

Verify Finder Extensions is Enabled

One way to confirm Finder Extensions is on, go to the Applications folder and verify the Privilege Management shield icon is next to the applications.

Install the BeyondInsight Adapter

The best practice to deploy the BeyondInsight adapter is to use the Privilege Management for Mac Rapid Deployment Tool.

However, you can choose the deployment method. Examples include: Mobile Device Management methods (such as Jamf or AirWatch), manual configuration, download from a shared resource, etc.

For more information, please see the Rapid Deployment Tool Guide.

  1. Double-click the BIAdapter_x.x.x.x.pkg file.
  2. Click Continue on the Introduction page.
  3. On the Software License Agreement page, click Continue and then click Agree to agree to the terms and conditions.

Image showing Installation Type page in BeyondInsight adapter install wizard

  1. Click the Install button on the Installation Type page. If prompted, enter your admin credentials to continue. Click OK if Installer.app needs permission to modify passwords, networking, or system settings.

 

Image showing successful install page for BeyondInsight adapter

  1. The Summary page shows that the installation was successful. Click Close.

 

Confirm the Endpoint is Connected

The Privilege Management endpoint can check in and send events to BeyondInsight after the settings file is configured.

If you can access the machine running the BeyondInsight server, use one of the following methods to confirm the endpoint has checked in:

  1. Go to Assets > Endpoint Privilege Management to see if the endpoint is displayed.

Configure the Activity Monitor to show all processes, as BIAdapter runs as user _defendpoint.

  1. Run the following SQL query:
    select * from Asset_PBDInfo
    select * from Asset_PBDInfoEx

Image showing BeyondInsight settings file with heartbeat and policy validation interval highlighted

To force a policy update for a client getting an update for the first time, you can restart the BeyondInsight Adapter. In the Activity Monitor, restart the BIAdapter process.

The default time for the policy update and for the heartbeat is six hours. These values can be changed on the BeyondInsight server, and the policy can be applied to the endpoint, but this policy is not applied until the initial 6 hour period has elapsed. Manually changing the RCSHeartbeatInterval and RCSPolicyValidationInterval values will also cause the endpoint to check in more often. Enter the values in minutes.

If you can access the endpoints, you can use either of the following methods to determine if they have checked in:

  • Open Console and filter on subsystem: com.beyondtrust.BIAdapter. Ensure that Info and Debug Messages are on. Logs about the connection are displayed in real time. You can check when the next policy validation is scheduled and the next heartbeat request.
  • Open Activity Monitor. The BIAdapter service is displayed as running.