Password Safe Integration

You can integrate Endpoint Privilege Management for Mac and Password Safe to rotate passwords on your macOS endpoints.

This section applies only to Password Safe on-premises.

Prerequisites

  • BeyondInsight Adapter 21.2

Configure the BeyondInsight Adapter Settings

BeyondInsight Adapter installation instructions are provided earlier in the guide.

For more information, see Install the BeyondInsight Adapter.

Configure the following settings in the settings_app.xml:

  • PasswordSafeState: The state of the feature: Enabled, Disabled, and Not_Configured (case sensitive). The default is Not_Configured.
  • PasswordSafeHeartBeatInterval: The time span, in minutes, the endpoint polls Password Safe checking for updated passwords. Valid values are 1 to <max unsigned 32 bit integer>. The default is 60 minutes.

You can change settings in two ways:

  • Add the settings
  • Send an Endpoint Privilege Management for Mac policy that contains Password Safe settings. When an asset has multiple policies, the first policy with valid settings is used. The policy's settings are written to settings_app.xml.

Example section of the Password Safe settings in Endpoint Privilege Management for Mac policy:

<Configuration>
    <!-- Omitted usual nodes -->
    <PasswordSafeLocalRotation>
        <State>Enabled</State>
        <PasswordHeartbeatInterval>60</PasswordHeartbeatInterval>
    </PasswordSafeLocalRotation>
</Configuration>

Configure Password Safe

The macOS endpoints must be added to Password Safe as assets.

For more information, see Add Assets to Password Safe in the Password Safe Administration Guide.

Configure Off-Network Account Management

In a typical password rotation using Password Safe, the appliance or Resource Broker reaches out to the target system to trigger the password change using the functional account credentials. However, off-network clients that are not ever or not consistently accessible by a Password Safe appliance or Resource Broker cannot use this mechanism.

Using Password Safe integration settings in the Policy Editor, Endpoint Privilege Management clients can check in with Password Safe at a configured interval for password change commands, including password rotation.

The Endpoint Privilege Management client is the password agent. A functional account is not required, however a limitation in 22.1 requires a dummy functional account to be created and assigned if using a Smart Rule to onboard.

Supported Scenarios

  • Password Safe Cloud/On-prem with EPM
  • Password Safe Cloud/On-Prem with GPO/webserver
  • Password Safe on the same server as BeyondInsight for Endpoint Endpoint Privilege Management.

Requirements

  • Password Safe: Endpoints require a Password Safe asset license.
  • Endpoint Privilege Management client: Endpoint Privilege Management license not required for this use case.
  • Endpoint Privilege Management policy: Required to deliver the integration settings.

 

Install the Endpoint Privilege Management client on computers before you run a Password Safe discovery scan. If you run the scan first, then the computers are onboarded to Password Safe with Password Safe as the change agent with an asset ID. If you install the Endpoint Privilege Management client on the same computer later, the asset has a unique install ID. A duplicate record is created with the same asset name but different asset ID.

The following section provides information on how to set up the off-network scenario. The high-level steps are:

  • Download a client certificate for authentication
  • Install Endpoint Privilege Management client and adapter
  • Create a policy in Endpoint Privilege Management
  • Onboard the managed system in Password Safe
  • Add accounts to Password Safe

For more information and detailed step-by-step instructions, see our Knowledge Base article.

Download a Client Certificate

Communication between EPM and the BeyondInsight server are encrypted over port 443. The Endpoint Privilege Management computers need a client certificate to authenticate to BeyondInsight or Password Safe.

The certificate must be deployed to all EPM client machines and Policy Editor machines.

Download client certifcate from BeyondInsight to Endpoint Privilege Management computer.

Download the client certificate to the Endpoint Privilege Management computer, from PS Cloud or BeyondInsight console: Configuration > System > Client Certificate.

  • PS Cloud: The client certificate Issued to PS Cloud authentication.
  • BeyondInsightU-Series Appliance: Default certificate is issued to eEyeEmsClient.

 

Use Wildcards to Match on Certificate Name

To improve the deployment with Password Safe, use wildcards in the RCSCertName (also known as the certificate name) in the settings_app.xml located here:

/Library/Application Support/BeyondTrust/PasswordSafe/

Use wildcards to provide a partial certificate name. For example, Hostname.PS Cloud Authentication can match *.PS Cloud Authentication.

Wildcard examples that match on a certificate named PS Cloud Authentication:

  • <RCSCertName>*authentication</RCSCertName> (Not case sensitive).
  • <RCSCertName>?S Cloud Authentication</RCSCertName>
  • <RCSCertName>*Authenticatio?</RCSCertName>

Create a Policy

You must configure integration settings in the Policy Editor.

Use the following procedure when EPM SaaS is managing the policy. If you are using the on-premises Policy Editor, see the knowledge base article for instructions.

  1. Click the Policies menu, and then click Create Policy.
  2. Select Blank on the Policy Creator page, and then click Use Blank Template.
  3. Enter a name and description, and then click Create Policy.
  4. Create a workstyle.
  5. Expand the workstyle, and then click Application Rules.
  6. Click Integration Settings.

Password Safe integration settings in the EPM Policy Editor

  1. Select Enabled.
  2. Enter a heartbeat interval. The default value is 60 minutes. This is the time span the computer polls Password Safe unless the time is determined by Password Safe. The Endpoint Privilege Management computer checks in for missed jobs such as scheduled password rotations, forced resets, and password releases. Password rotations run at this time.

 

  1. Click Update Settings.

 

Install Steps for macOS Endpoints

 

When creating the adapter settings package in the Rapid Deployment Tool:

  • Use the PS Cloud certificate when managing the macOS computer in PS Cloud.
  • Use the appliance certificate when managing the macOS computer in the appliance.

To install packages for macOS integration:

  1. Create settings package for EPM or BeyondInsight adapters using the Rapid Deployment Tool. Follow the steps in this guide: Create Packages With the Rapid Deployment Tool
  2. Install Endpoint Privilege Management client and adapters. Install the packages in the following order:
    • EPM
      1. PMC Settings XX.pkg
      2. PMC_Adapter_XX.pkg
      3. BI Settings XX.pkg
      4. BIAdapter_XX.pkg
      5. Pwsclient_xx.pkg
      6. PrivilegeManagementForMac.pkg
    • BeyondInsight Appliance
      1. BI Settings XX.pkg
      2. BIAdapter_XX.pkg
      3. Pwsclient_xx.pkg
      4. PrivilegeManagementForMac.pkg

Onboard the Managed System in Password Safe

During the Endpoint Privilege Management client installation, the computer registers as an asset with the Endpoint Privilege Management solution flag set. Therefore, you can onboard the asset manually, using a Smart Rule, or the API.

The Endpoint Privilege Management client is the password agent. A functional account is not required, however a limitation in 22.1 (and earlier) requires a dummy functional account to be created and assigned if using a Smart Rule to onboard accounts.

Sample Smart Rule

Criteria

Currently the Endpoint Privilege Management identifier is hidden in PS Cloud. Other identifiers are needed to include all Endpoint Privilege Management computers in the criteria.

Action

Actions to set on the Smart Rule:

  • Add to Password Safe
  • Set password agent to Endpoint Privilege Management
  • Select a functional account

Currently a limitation prevents adding "none" for functional account even though it is not needed. Create a dummy functional account first.

Default values for the following account settings in Password Safe are applied in an Endpoint Privilege Management off-network integration and cannot be changed in this scenario:

  • Change Services (Yes)
  • Restart Services (No)
  • Change Tasks (No)

Add the Account as a Managed Account

The Endpoint Privilege Management client only registers basic information and does not provide an account list and usually cannot be scanned due to the distributed nature. Therefore, an API script is likely required to onboard the local privileged accounts.

For more information, see Add Assets to Password Safe in the Password Safe Administration Guide.