Upgrade Privilege Management for Mac

ePO will not recognize Privilege Management for Mac if you upgrade the Privilege Management for Mac clients before the Privilege Management ePO extension. In addition, ePO Threat events will be rejected if this order is not followed, although they can be recovered once the upgrade to the Privilege Management ePO Extension has been completed.

Version 5 of the Privilege Management ePO Extension is compatible with older Privilege Management for Mac clients.

The recommended order to upgrade BeyondTrust Privilege Management for Mac software is:

  • Upgrade the Privilege Management ePO Extension
  • Upgrade Privilege Management Reporting (if in use)
  • Upgrade Privilege Management Clients

If you have a requirement to upgrade BeyondTrust software in a different order from that listed above, please contact your BeyondTrust representative.

Upgrade the Privilege Management ePO Extension

When you are upgrading, the newer version of the Privilege Management ePO Extension recognizes the existing Privilege Management ePO Extension installation and prompts you to upgrade it. We recommend upgrading, as removing the installed Privilege Management ePO Extension deletes your settings.

To upgrade the Privilege Management ePO Extension, you need to use ePO to install the latest extension from Software > Extensions. When you upload the new Privilege Management ePO Extension, ePO prompts you that this newer version of the ePO Extension will replace the previous extension. Click OK to upgrade the Privilege Management ePO Extension. You do not need to restart ePO for the upgrade to take effect. Existing registered servers, client tasks, and server tasks are not affected.

Upgrade Privilege Management Reporting (if in use)

To upgrade the Reporting database, you need to be on the server where the database is installed.

Please use the following process to upgrade the Privilege Management Reporting database and event parser:

  1. Stop the McAfee ePolicy Orchestrator Event Parser Service. Check that all events have finished being processed. Any events that are received after these tables are empty are queued on the ePO server until the service is restarted at the end of this process.

Query the following tables first to check that they are empty:

  • dbo.Staging
  • dbo.Staging_ServiceStart
  • Stop
  • dbo.Staging_UserLogon

Subsequently, query the following tables:

  • dbo.StagingTemp
  • dbo.StagingTemp_ServiceStart
  • dbo.StagingTemp_ServiceStop
  • dbo.StagingTemp_UserLogon

Once the tables are all empty all remaining events have been processed.

  1. Disable the Copy from Staging task. The easiest way to do this is to use SQL Server Management Server and navigate to Reporting database > Service Broker > Queues.
  2. Right-click on the PGScheduledJobQueue and click Disable Queue.
  3. Disable any of the ePO server tasks that rely on the Reporting database while you are upgrading it. For example, the Staging Server Task and Purge Server Task. These tasks will fail, as the database will be offline for a period of time.
  4. Open SQL Server Reporting Configuration Manager and connect to the database. Navigate to the Reporting link and use the dropdown to delete the top level folder.
  5. Run the Privilege Management for Mac database installer to upgrade the database. Ensure you point the installer to the existing database server and Privilege Management for Mac database name when prompted.
  6. Enable any server tasks that you previously disabled, as they rely on the Reporting database.
  7. Enable the Copy From Staging task. The easiest way to do this is to use SQL Server Management Server and navigate to Reporting database > Service Broker > Queues.
  8. Right-click on PGScheduledJobQueue and click Enable Queue.
  9. Start the McAfee ePolicy Orchestrator Event Parser Service service. Any incoming events can now be processed.
  10. You need to log off and on again to the ePO server to ensure the new database version is recognized. However, an ePO server restart is not required.

If you installed Reporting from version 5.4 or later, the default name for the database is BeyondTrustReporting. If you installed a previous version of Reporting, the default name is AvectoReporting (v5.1 - 5.3), or AvectoPrivilegeGuard for older versions. Alternatively, you may have chosen a different database name.

If you see an error message that states "Please stop CopyFromStaging from running before upgrading the database," make sure that no new events are being processed by querying the above tables and try again.

This upgrade path can be applied to both standalone Reporting configurations and to configurations spread over multiple machines.

Upgrade Privilege Management for Mac Clients

You can upload a newer version of the Privilege Management for Mac client to ePO and deploy it as required.

Depending on the type of installation, a restart of the endpoint may be required. When installing in silent mode, a reboot occurs automatically.

The Privilege Management ePO Extension maintains backwards compatibility with the Privilege Management for Mac client. You can use a later version of the Privilege Management ePO Extension with an earlier version of the Privilege Management for Mac client. However, not all features in the Privilege Management ePO Extension are supported with earlier versions of the client.

For more information, please see the Privilege Management for Mac Administration Guide.

Delete Old Application Definitions (Upgrade from 5.4)

Once all machines are running version 5.5, it is safe to delete the OLD application definitions created in Step 1 and to deploy that configuration.

Upgrade the Reporting Database Using SQL Scripts

Use these instructions to upgrade the Privilege Management Reporting database where you cannot use the installer or need to do a manual installation, for example, PMC in Azure. SQL scripts are provided to manage these upgrades.

To upgrade a Privilege Management Reporting database using SQL scripts:

  1. The SQL scripts are provided as part of the Reporting installers. Alternatively, you can contact BeyondTrust Technical Support for them.

There is a README file provided in this directory to assist you.

  1. Run the following SQL query to find the current version of the database. This returns the version of the database.

select * from DatabaseVersion

This SQL query works for Privilege Management Reporting databases 4.5 and later.

  1. Execute the upgrade script where the name is the next version number and carry on applying these until the desired version is reached.

If your current database version is 4.3.16 and you want to upgrade to version 5.0.0, execute the following scripts in order:
  1. Script_4.5.0_Updates.sql
  2. Script_5.0.0_Updates.sql

Please check the SQL log for any errors and contact BeyondTrust Technical Support if necessary.