Install Endpoint Privilege Management Reporting in BeyondInsight

Endpoint Privilege Management Reporting (PMR) can be installed and configured to integrate with BeyondInsight (BI), allowing you to view PMR dashboards and reports using the BeyondInsight console. The sections below describe how to install the PMR database, UI, and event collector components in your BeyondInsight instance.

Once the PMR in BI integration is installed and configured, see "View Endpoint Privilege Management Reports" in the BeyondInsight User Guide for more information on working with Endpoint Privilege Management Reporting in the BeyondInsight console.

Prerequisites

The following prerequisites must be in place before installing and configuring PMR with BI:

  • BeyondInsight must be version 23.1 or later.
  • SQL Server versions up to SQL Server 2022 are supported. If installing the Endpoint Privilege Management Reporting database on the SQL Server 2022 platform, it is recommended to use the EXE installer rather than the MSI. If you prefer to use the MSI, you must ensure that Microsoft SQL Server 2012 Native Client (x64) TLS 1.2 Support is installed on your database server.
  • To use the Add To Policy functionality from the Endpoint Privilege Management Reporting > Events grid in BI, the Endpoint Privilege Management Web Policy Editor version 23.4 or later must be installed and configured with BI.
    • If installed prior to installing PMR, ensure the BeyondInsight.EPM.WebPolicyEditor.Services, BeyondInsight.EPM.ReportingGateway.Services, and BeyondInsight.EPM.EventCollector.Services are restarted after installing Endpoint Privilege Management Reporting and Endpoint Privilege Management Web Policy Editor.

  • Only SQL authentication is supported between BI and the PMR database. Windows authentication is not supported. The SQL server must be in mixed mode. To configure this in SQL Management Studio:
    • Go to SQL server name > Properties > Security.
    • Select SQL Server and Windows Authentication mode.
  • Enable Remote Desktop on the U-Series Appliance

  • Remote Desktop Protocol (RDP) must be enabled on the U-Series Appliance. This is required only during the PMR installation and can be disabled once the install is complete. To enable RDP on the appliance:
    • Go to Maintenance > Network and RDP Settings.
    • Click the toggle to turn on the Enable Remote Desktop option.

To integrate PMR in versions of BeyondInsight prior to 23.1, please contact your BeyondTrust representative for assistance with installing and configuring.

Install BeyondTrust Endpoint Privilege Management Reporting Database

The PrivilegeManagementReportingDatabase MSI must be at least version 23.2 to support the new user interface for Endpoint Privilege Management Reporting (PMR).

  1. On the server where you want to host the PMR database, run the PrivilegeManagementReportingDatabase EXE file as administrator, either from the folder where it is stored or from a command prompt. The PMR database can be hosted on the BI server or on an external database server.

 

Currently, the PrivilegeManagementReportingDatabase executable or MSI must be installed on the BeyondInsight Management Server for the Endpoint Privilege Management Reports link and the Endpoint Privilege Management Reporting Database Configuration tile to appear in BI.

If you are hosting the PMR database on an external database server, you must install the PrivilegeManagementReportingDatabase twice: once on the external database server, and again on the BeyondInsight Management Server. When you set the configuration for the database, you can specify the external database server to ensure that the remote database is used for event ingestion and reporting. See Configure Advanced SQL and Event Collector Settings for PMR in BI Integration.

Endpoint Privilege Management Reporting Configure Database Wizard

  1. Check Endpoint Privilege Management Reporting for BeyondInsight Installation and click Next.
  2. Check this box to use SQL Server authentication for the event collector, report reader, and data admin users configured in subsequent stages of the wizard.

Windows authentication to the PMR database is not supported.

 

Set Event Collector User details in the Endpoint Privilege Management Reporting Database wizard.

  1. Continue through the wizard to create the event collector, report reader, and data admin user accounts by checking the option to create or configure the user in the database and entering the SQL credentials. An example of creating the event collector user account is shown.

 

PMR database users listed in SQL Server Management Studio

  1. Following the database installation, ensure the PMR database is created and accessible from Microsoft SQL Server Management Studio with the users created, as shown.

We recommend using the SQL Server Agent job to run the CopyFromStaging process rather than using the default Service Broker queue. To switch to using the SQL Server Agent job, execute the Create_ER_Database_Agent.sql script against the PMR database. This removes the Service Broker queue and creates and enables the SQL Server Agent job.
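The following T-SQL is an added example, not part of the BeyondTrust documentation or installer. It checks the database-side requirements described above: mixed-mode authentication, the SQL logins mapped into the PMR database, and whether CopyFromStaging runs from a SQL Server Agent job rather than a Service Broker queue. It assumes you run it with the PMR database selected as the current database, and that the PMR database defines no user Service Broker queues other than the one the script removes.

```sql
-- Added example: post-install checks for the PMR database host.
-- Assumption: run in the context of the PMR database (select it in SSMS first).
DECLARE @PmrDb sysname = DB_NAME();

-- 1. Authentication mode. BI can only reach the PMR database with SQL
--    authentication, so the instance must be in mixed mode (value 0).
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
         WHEN 0 THEN 'OK: SQL Server and Windows Authentication mode'
         ELSE 'FAIL: Windows Authentication only'
       END AS auth_mode_check;

-- 2. SQL logins mapped to users in this database (the event collector,
--    report reader and data admin accounts should appear here).
--    Because these are password-based logins, review whether password
--    policy is enforced and that none of them holds sysadmin.
SELECT dp.name                               AS database_user,
       l.name                                AS sql_login,
       l.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       IS_SRVROLEMEMBER('sysadmin', l.name)  AS is_sysadmin
FROM sys.database_principals AS dp
JOIN sys.sql_logins          AS l ON l.sid = dp.sid
WHERE dp.type = 'S'          -- SQL users only
ORDER BY dp.name;

-- 3. SQL Server Agent jobs with a step that executes in this database.
--    After running Create_ER_Database_Agent.sql, an enabled job
--    should be listed here.
SELECT j.name AS job_name,
       j.enabled,
       s.step_id,
       s.step_name
FROM msdb.dbo.sysjobs     AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.database_name = @PmrDb
ORDER BY j.name, s.step_id;

-- 4. User-defined Service Broker queues in this database.
--    Rows here mean a Service Broker queue is still present;
--    no rows is expected once the Agent job script has removed it.
SELECT name AS service_broker_queue,
       is_activation_enabled,
       is_receive_enabled
FROM sys.service_queues
WHERE is_ms_shipped = 0;
```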

 

Install BeyondTrust Endpoint Privilege Management Reporting UI

As of version 23.4, PMR in BI includes a new user interface known as PMR UI, which is based on Angular, to replace the discontinued Unified Reporting (UR) user interface, which was based on the out-of-support AngularJS.

  1. On the BI server, run the BeyondInsight.EPM.ReportingGateway.Services MSI file as administrator, either from the folder where it is stored or from a command prompt.

BeyondTrust Endpoint Privilege Management Reporting Gateway Service Setup: Destination Folder

  1. Keep the default destination folder. This service must be installed in its default location for the PMR in BI integration to work.

 

BeyondTrust PMR UI Setup: Software License and Subscription Agreement

  1. Run the BeyondTrust PMR UI MSI on the BI server. The reporting gateway service starts automatically as part of the installation.

 

Install the BeyondTrust EPM Event Collector

  1. On the BI server, run the BeyondInsight.EPM.EventCollector.Services MSI file as administrator, either from the folder where it is stored or from a command prompt.

BeyondTrust EPM Event Collector Service Setup: Destination Folder

  1. Keep the default destination folder. This service must be installed in its default location for the PMR in BI integration to work.

 

BeyondTrust Event Collector Setup: Software License and Subscription Agreement

  1. Run the BeyondTrust EventCollector MSI on the BI server. The event collector service starts automatically as part of the installation.

 

 

If using a U-Series Appliance, before continuing with configuration, disable RDP access again by going to Maintenance > Network and RDP Settings on the appliance and clicking the toggle to turn off the Enable Remote Desktop option.

It is common to configure BI with external event collector worker nodes, which are separate from the main BI management server.

For more information on configuring PMR in the BeyondInsight console and configuring optional advanced options, see: