Password Safe Integration

You can integrate Privilege Management for Mac and Password Safe to rotate passwords on your macOS endpoints.

This section applies only to Password Safe on-premises.

Prerequisites

  • BeyondInsight Adapter 21.2

Configure the BeyondInsight Adapter Settings

BeyondInsight Adapter installation instructions are provided earlier in the guide.

For more information, please see Install the BeyondInsight Adapter.

Configure the following settings in the settings_app.xml:

  • PasswordSafeState: The state of the feature: Enabled, Disabled, and Not_Configured (case sensitive). The default is Not_Configured.
  • PasswordSafeHeartBeatInterval: The time span, in minutes, the endpoint polls Password Safe checking for updated passwords. Valid values are 1 to <max unsigned 32 bit integer>. The default is 60 minutes.

You can change settings in two ways:

  • Add the settings directly to settings_app.xml
  • Send a Privilege Management for Mac policy that contains Password Safe settings. When an asset has multiple policies, the first policy with valid settings is used. The policy's settings are written to settings_app.xml.

Example section of the Password Safe settings in Privilege Management for Mac policy:

<Configuration>
    <!-- Omitted usual nodes -->
    <PasswordSafeLocalRotation>
        <State>Enabled</State>
        <PasswordHeartbeatInterval>60</PasswordHeartbeatInterval>
    </PasswordSafeLocalRotation>
</Configuration>

Configure Password Safe

The macOS endpoints must be added to Password Safe as assets.

For more information, please see Add Assets to Password Safe in the Password Safe Administration Guide.

Configure Off-Network Account Management

In a typical password rotation using Password Safe, the appliance or Resource Broker reaches out to the target system to trigger the password change using the functional account credentials. However, off-network clients that are not ever or not consistently accessible by a Password Safe appliance or Resource Broker cannot use this mechanism.

Using Password Safe integration settings in the Policy Editor, Privilege Management clients can check in with Password Safe at a configured interval for password change commands, including password rotation.

The Privilege Management client is the password agent. A functional account is not required; however, a limitation in 22.1 requires a dummy functional account to be created and assigned if you use a Smart Rule to onboard.

Supported Scenarios

  • Password Safe Cloud/On-prem with PM Cloud
  • Password Safe Cloud/On-Prem with GPO/webserver
  • Password Safe on the same server as BeyondInsight for Endpoint Privilege Management.

Requirements

  • Password Safe: Endpoints require a Password Safe asset license.
  • Privilege Management client: Privilege Management license not required for this use case.
  • Privilege Management policy: Required to deliver the integration settings.


Install the Privilege Management client on computers before you run a Password Safe discovery scan. If you run the scan first, the computers are onboarded to Password Safe with Password Safe as the change agent and an asset ID. If you later install the Privilege Management client on the same computer, the asset gets a unique install ID, and a duplicate record is created with the same asset name but a different asset ID.

The following section provides information on how to set up the off-network scenario. The high-level steps are:

  • Create a policy in Privilege Management
  • Retrieve a client certificate for authentication
  • Install Privilege Management client and adapters
  • Onboard the managed system in Password Safe
  • Add accounts to Password Safe

Configure Privilege Management Policy

You must configure integration settings in the Policy Editor.

A Privilege Management license is not required if using only password rotation.

  1. Click the Policies menu, and then click Create Policy.
  2. Select Blank on the Policy Creator page, and then click Use Blank Template.
  3. Enter a name and description, and then click Create Policy.
  4. Create a workstyle.
  5. Expand the workstyle, and then click Application Rules.
  6. Click Integration Settings.

Password Safe integration settings in the PM Cloud Policy Editor

  7. Select Enabled.
  8. Enter a heartbeat interval. The default value is 60 minutes. This is the interval at which the computer polls Password Safe, unless the time is determined by Password Safe. The Privilege Management computer checks in for missed jobs such as scheduled password rotations, forced resets, and password releases. Password rotations run at this time.
  9. Click Update Settings.

Retrieve BeyondInsight or Password Safe Client Certificate

The Privilege Management computers need a client certificate to authenticate to BeyondInsight or Password Safe.

Download the client certificate from BeyondInsight to the Privilege Management computer.

Download the client certificate to the Privilege Management computer, from PS Cloud or BeyondInsight console: Configuration > System > Client Certificate.

  • PS Cloud: The client certificate is issued to PS Cloud Authentication.
  • BeyondInsight U-Series Appliance: Default certificate is issued to eEyeEmsClient.


Use Wildcards to Match on Certificate Name

To improve the deployment with Password Safe, use wildcards in the RCSCertName (also known as the certificate name) in the settings_app.xml located here:

/Library/Application Support/BeyondTrust/PasswordSafe/

Use wildcards to provide a partial certificate name. For example, the pattern *.PS Cloud Authentication matches a certificate named Hostname.PS Cloud Authentication.

Wildcard examples that match on a certificate named PS Cloud Authentication:

  • <RCSCertName>*authentication</RCSCertName> (Not case sensitive).
  • <RCSCertName>?S Cloud Authentication</RCSCertName>
  • <RCSCertName>*Authenticatio?</RCSCertName>
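As an added example (not code from BeyondTrust or from this guide), the following Python script applies the wildcard rules above to certificate names and checks the PasswordSafeState and PasswordSafeHeartBeatInterval values described in the settings_app.xml list earlier in this section; the sample XML layout, the list of installed certificate names, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample settings for this example. The element names follow the
# settings described above; the exact layout of the real file is an assumption.
SAMPLE_SETTINGS_XML = """<Settings>
  <PasswordSafeState>Enabled</PasswordSafeState>
  <PasswordSafeHeartBeatInterval>60</PasswordSafeHeartBeatInterval>
  <RCSCertName>*.PS Cloud Authentication</RCSCertName>
</Settings>"""

VALID_STATES = {"Enabled", "Disabled", "Not_Configured"}  # case sensitive
MAX_UINT32 = 2**32 - 1                                     # upper bound of the interval


def cert_name_matches(pattern, cert_name):
    """Match an RCSCertName pattern against a certificate's Issued To name.
    Only '*' (any run of characters) and '?' (exactly one character) are
    wildcards, the comparison is not case sensitive, and the pattern must
    cover the whole name, as in the examples above."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, cert_name, re.IGNORECASE) is not None


def matching_certs(pattern, installed_names):
    """Names from installed_names that the pattern selects. A pattern that
    selects more than one name is too broad to pin the adapter to a single
    certificate, so tighten it before deployment."""
    return [name for name in installed_names if cert_name_matches(pattern, name)]


def validate_settings(xml_text):
    """Return a list of problems found in the Password Safe settings (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    state = root.findtext("PasswordSafeState", default="Not_Configured")
    if state not in VALID_STATES:
        problems.append(f"PasswordSafeState {state!r} is not one of "
                        f"{sorted(VALID_STATES)} (case sensitive)")
    interval = root.findtext("PasswordSafeHeartBeatInterval", default="60")
    if not interval.isdigit() or not 1 <= int(interval) <= MAX_UINT32:
        problems.append(f"PasswordSafeHeartBeatInterval {interval!r} must be "
                        f"an integer from 1 to {MAX_UINT32}")
    return problems
```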

Install Steps for macOS Endpoints


When creating the adapter settings package in the Rapid Deployment Tool:

  • Use the PS Cloud certificate when managing the macOS computer in PS Cloud.
  • Use the appliance certificate when managing the macOS computer in the appliance.

To install packages for macOS integration:

  1. Create settings package for PM Cloud or BeyondInsight adapters using the Rapid Deployment Tool. Follow the steps in this guide: Create Packages With the Rapid Deployment Tool
  2. Install Privilege Management client and adapters. Install the packages in the following order:
    • PM Cloud
      1. PMC Settings XX.pkg
      2. PMC_Adapter_XX.pkg
      3. BI Settings XX.pkg
      4. BIAdapter_XX.pkg
      5. Pwsclient_xx.pkg
      6. PrivilegeManagementForMac.pkg
    • BeyondInsight Appliance
      1. BI Settings XX.pkg
      2. BIAdapter_XX.pkg
      3. Pwsclient_xx.pkg
      4. PrivilegeManagementForMac.pkg

Onboard the Managed System in Password Safe

During the Privilege Management client installation, the computer registers as an asset with the Privilege Management solution flag set. Therefore, you can onboard the asset manually, with a Smart Rule, or through the API.

Sample Smart Rule

Criteria

Currently the Privilege Management identifier is hidden in PS Cloud. Other identifiers are needed to include all Privilege Management computers in the criteria.

Action

Actions to set on the Smart Rule:

  • Add to Password Safe
  • Set password agent to Privilege Management
  • Select a functional account

Currently, a limitation prevents selecting "none" as the functional account, even though one is not needed. Create a dummy functional account first.

Default values for the following account settings in Password Safe are applied in a Privilege Management off-network integration and cannot be changed in this scenario:

  • Change Services (Yes)
  • Restart Services (No)
  • Change Tasks (No)

Add the Account as a Managed Account

The Privilege Management client registers only basic information; it does not provide an account list, and the endpoint usually cannot be scanned because of its distributed nature. Therefore, an API script is likely required to onboard the local privileged accounts.

For more information, please see Add Assets to Password Safe in the Password Safe Administration Guide.