Prepare the Privilege Management Policy Editor System

Create and Deploy the BeyondInsight Client Certificate for Privilege Management Policy Editor

In BeyondInsight version 6.10 and later releases, you can run the certinstaller.msi to deploy the certificate to your Policy Editor machines. Generating and deploying the certinstaller.msi is described earlier in this guide.

For more information, please see Installation Information for BeyondInsight and Privilege Management for Windows.

In BeyondInsight version 6.9, go through the following procedure. Export the eEyeEmsClient certificate from your BeyondInsight Server and import the eEyeEmsClient.pfx file to the Local Computer Personal certificate store on all Policy Editor machines.

Image of the BeyondInsight Configuration Tool highlighting Generate Certificate.msi

  1. Export the eEyeEmsClient certificates from your BeyondInsight instance using the BeyondInsight Configuration application and click Generate Certificate Zip.


Image of the Zip file info dialog box. Enter an output folder and password for the zip file.

  1. Choose an export directory and a password.


  1. Log on to the Policy Editor machine as the user who is responsible for editing policy.
  2. Open Manage Computer Certificates (certlm.msc).
  3. Import the eEyeEmsClient.pfx file to the Certificates > Local Computer (Personal) certificate store. Provide the password from the previous step.

Select Personal > All Tasks > Import to start the Certificate Import Wizard

  1. Right-click the Personal store and go to All Tasks > Import in the pop-up menu to start the Certificate Import Wizard.


Select a certificate store location. Local machine is selected by default.

  1. Click Next.


  1. Click Browse.

Browse to the location of the certificate zip file.

  1. Change the file type to *.pfx and browse to the eEyeEmsClient.pfx file (previously exported from BeyondInsight).


Enter the password. Leave other values as the default.

  1. Enter the password you chose when exporting from BeyondInsight. Leave other settings as default.


Select Personal for the Certificate store location.

  1. Import to the Personal store (default), click Next, and then Finish.


  1. Copy eEyeEmsCA from Personal\Certificates to Trusted Root Certification Authorities\Certificates.


Configure the Privilege Management Policy Editor

After you deploy the client certificate to your Privilege Management Policy Editor machines, you can set up the Privilege Management Policy Editor and configure the editor to work with BeyondInsight.

Screenshot of the Add/Remove Snap-in option in MMC

  1. Launch the Microsoft Management Console (mmc.exe) as an admin and go to File > Add/Remove Snap-in.


Privilege Management BeyondInsight add snap-in to mmc console

  1. In the Available snap-ins menu, locate and select the Privilege Management Settings (BeyondInsight) snap-in.
  2. Click Add >, and then click OK. The Privilege Management Settings (BeyondInsight) snap-in appears in the Console Root menu.


Test the Connection

Before continuing on with the remainder of the integration setup, you should test the following:

  • Test to ensure that a client certificate of the correct name is available in the certificate store.
  • Test to ensure the policy editor can reach the BeyondInsight Server.

Privilege Management for Windows remote server details

To test, click on Remote Server Details from the Welcome page. From the BeyondInsight Server Details dialog, enter the server details. Then click Test by Certificate Name and BeyondInsight Server to check each component.

The Certificate Name and Workgroup Name fields are populated with default values.


Image of a valid certificate message

If a certificate of the correct name is found, a message appears stating Valid certificate found in certificate store.


Image of the BeyondInsight Server test message

If the BeyondInsight Server can be reached, a message appears stating The server was reached successfully.

When finished testing, click Save.