Message Design in Privilege Management
Messages have a wide array of configuration options, which are detailed below.
You can use the preview tool to obtain a preview of how your message will look on the endpoint (program and content information will replace the appropriate placeholders). As you change the various message options, you can update the preview message by clicking the Update button underneath the preview image.
Once you have configured the message options, you should configure the Message Text for the message, which includes full multilingual support.
- Show message on secure desktop: Select this option to show the message on the secure desktop. We recommend this if the message is used to confirm the elevation of a process, for enhanced security.
Message Header Settings
- Header Style: Select the type of header, which can be No header, BeyondTrust Privilege Management, Warning, Question, or Error.
- Show Title Text: Determines whether to show the title text.
- Text Color: Select the color for the title text (the automatic color is based on the Header Style).
- Background Type: Set the background of the header, which can be Solid background, Gradient background, or Custom image. The default Background Type is Custom Image, making the Color 1 and Color 2 options initially unavailable.
- Color 1: Select the color for a Solid background or the first color for a Gradient background (the automatic color is based on the Header Style).
- Color 2: Select the second color for a Gradient background (the automatic color is based on the selected Header Style).
- Custom Image: Select the image for a Custom image background. This option is only enabled if you have selected Custom Image for the Background Type. Click the ellipsis (…) button to import, export, modify, or delete images using the Image Manager.
The Image Manager associated with message creation allows you to Add, Modify, Export, and Delete images that are referenced in message headers. All images are stored inside the Workstyles as compressed and encoded images.
We recommend that you delete any unused images to minimize the size of the policies, as Privilege Management for Windows does not automatically delete unreferenced images.
To upload an image:
- In the Custom Image field select Manage Images.
- Click Upload Image. The Import Image status dialog box appears. Click Choose file and browse to the location of the file.
- Select the image and enter an Image Description. Click OK.
- The image is uploaded into Image Manager.
Images must be *.png format and be sized between 450 x 50 and 600 x 100. The recommended image size is 450 x 50.
To edit an image:
- In the Custom Image field select Manage Images.
- Select the image in the list and click Edit.
- The Image Properties dialog box appears.
- Alter the description and click OK.
To delete an image:
- Select the image in the list and click Delete.
- When prompted, click Yes to delete the image.
If an image is referenced by any messages, you will not be allowed to delete it.
Message Body Settings
The options in the Message Body Settings section display specific information about the program or content. These can be configured on the Message Text page; they can display Automatic default values or Custom values. The Automatic default values are:
- Show Line One: The Program Name or the Content Name.
- Show Line Two: The Program Publisher or the Content Owner.
- Show Line Three: The Program Path or the Content Program.
Custom values are configured on the Message Text tab.
- Show reference Hyperlink: This option determines whether to show a hyperlink in the message below the body settings (the hyperlink is configured on the Message Text tab).
User Reason Settings
This option determines whether to prompt the user to enter a reason before an application launches (Allow Execution message type) or to request a blocked application (Block Execution message type).
- Show User Reason Prompt: Select between Text box and dropdown menu. The Text Box allows users to write a reason or request. The dropdown allows users to select a predefined reason or request from a dropdown menu. The predefined dropdown entries can be configured on the Message Text tab.
- Remember User Reasons (per-application): Reasons are stored per-user in the registry.
- Authorization Type: Set this option to User must authorize to force the user to reauthenticate before proceeding. If you want to use this option for over-the-shoulder administration, then set this option to Designated user must authorize.
- Authentication Method: Set this option to Any to allow authentication using any method available to the user. If you want to enforce a specific authentication method, then set it to either Password only or Smart card only.
If you select a method that is not available to the user, then the user will be unable to authorize the message.
- Designated Users: If the Authorization Type has been set to Designated user must authorize, click the ellipsis (…) button to add the user accounts or groups of users that are allowed to authorize the message.
- Run application as Authorizing User: If the Authorization Type has been set to Designated user must authorize then this option determines whether the application runs in the context of the logged on user or in the context of the authorizing user. The default is to run in the context of the logged on user as opposed to the authorizing user.
When Run application as Authorizing User is set to Yes, then Privilege Management for Windows attempts to match a Workstyle of the same type (Application Rule or On-Demand Application Rule) for the authorizing user. If no Workstyle is matched, then Privilege Management for Windows falls back to the original user Workstyle.
For more information, please see Designated User Must Authorize.
When this option is enabled, a designated user such as a system administrator can authorize the elevation in place of (or in addition to) a Challenge / Response code.

| Authorization provided | Result |
|---|---|
| Valid Challenge / Response code only is provided | Application runs as logged on user |
| Valid Challenge / Response code is provided and valid (but not required) credentials are provided | Application runs as logged on user |
| Invalid Challenge / Response code is provided but valid credentials are provided | Application runs as authorizing user |
| No Challenge / Response code is provided but valid credentials are provided | Application runs as authorizing user |
Challenge / Response Authorization
- Enabled: Set this option to Yes to present the user with a challenge code. In order for the user to proceed, they must enter a matching response code. When this option is enabled for the first time, you are prompted to enter a shared key. You can click Edit Key to change the shared key for this message.
- Authorization Period (per-application): Set this option to determine the length of time a successfully returned challenge code is active for. Choose from:
- One use Only: A new challenge code is presented to the user on every attempt to run the application.
- Entire Session: A new challenge code is presented to the user on the first attempt to run the application. After a valid response code has been entered, the user is not presented with a new challenge code for subsequent uses of that application until they next log on.
- Forever: A new challenge code is presented to the user on the first attempt to run the application. After a valid response code has been entered, the user is not presented with a new challenge code again.
- As defined by helpdesk: A new challenge code is presented to the user on the first attempt to run the application. If this option is selected, the responsibility of selecting the authorization period is delegated to the helpdesk user at the time of generating the response code. The helpdesk user is given the ability to select one of the three authorization periods above. After a valid response code has been entered, the user does not receive a new challenge code for the duration of time specified by the helpdesk.
- Suppress messages once authorized: If the Authorization Period has not been set to One Use Only, the Suppress messages once authorized option is enabled and configurable.
- Show Information tip: This option determines whether to show an information tip in the challenge box.
- Maximum Attempts: This option determines how many attempts the user has to enter a successful response code for each new challenge. Set this option to Three Attempts to restrict the user to three attempts; otherwise, set this option to Unlimited.
After the third failure to enter a valid response code, the message is canceled and the challenge code is rejected. The next time the user attempts to run the application, they are presented with a new challenge code. Failed attempts are accumulated even if the user clicks Cancel between attempts.
If Authorization Type has been set to Designated user must authorize, this field becomes active. It allows you to choose between either:
- Yes – Both required: Both the Challenge / Response and the designated user credentials are required.
- No – Either one sufficient: Either the Challenge / Response or the designated user credentials are required.
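The Challenge / Response and designated-user decision table above, the Yes – Both required / No – Either one sufficient setting and the Maximum Attempts rule, modelled together as an added example. This is illustration code written for this page, not BeyondTrust code; the AuthorizationPolicy, Submission, ChallengeSession and RunAs names are invented, and how a failed response code is counted on the attempt that hits the limit is a modelling assumption noted in the comments.

```python
"""Hypothetical model of how one message decides whether an elevation is
authorized and in whose context the application runs (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RunAs(Enum):
    LOGGED_ON_USER = "logged on user"
    AUTHORIZING_USER = "authorizing user"


@dataclass(frozen=True)
class AuthorizationPolicy:
    """Assumed subset of the message's authorization settings."""
    challenge_response_enabled: bool = True   # Challenge / Response Authorization: Enabled
    designated_user_required: bool = True     # Authorization Type = Designated user must authorize
    both_required: bool = False               # True = "Yes - Both required", False = "No - Either one sufficient"
    max_attempts: Optional[int] = 3           # 3 = "Three Attempts", None = "Unlimited"
    run_as_authorizing_user: bool = True      # Run application as Authorizing User = Yes


@dataclass(frozen=True)
class Submission:
    """What the user entered in one message. None means that part was left empty."""
    response_code_valid: Optional[bool] = None
    credentials_valid: Optional[bool] = None


@dataclass(frozen=True)
class Outcome:
    authorized: bool
    run_as: Optional[RunAs]            # None when the launch is refused
    challenge_rejected: bool = False   # True when Maximum Attempts was exhausted


class ChallengeSession:
    """Tracks failed response-code entries for the current challenge code.

    Failed attempts accumulate even if the user cancels between them. After the
    limit is reached the message is cancelled and the challenge code is rejected;
    the next launch attempt gets a fresh challenge code with a reset counter.
    """

    def __init__(self, policy: AuthorizationPolicy) -> None:
        self.policy = policy
        self.failed_attempts = 0
        self.challenges_issued = 1   # the first launch attempt shows a challenge
        self._rejected = False

    def submit(self, s: Submission) -> Outcome:
        p = self.policy
        if self._rejected:
            # Previous challenge was rejected: issue a new one for this attempt
            self.challenges_issued += 1
            self.failed_attempts = 0
            self._rejected = False

        code_ok = p.challenge_response_enabled and s.response_code_valid is True
        cred_ok = p.designated_user_required and s.credentials_valid is True

        if p.challenge_response_enabled and p.designated_user_required and p.both_required:
            authorized = code_ok and cred_ok      # "Yes - Both required"
        else:
            authorized = code_ok or cred_ok       # "No - Either one sufficient"

        # Every invalid response code counts against Maximum Attempts.
        # Assumption: reaching the limit cancels the message even if valid
        # credentials were supplied on that same attempt.
        rejected = False
        if p.challenge_response_enabled and s.response_code_valid is False:
            self.failed_attempts += 1
            if p.max_attempts is not None and self.failed_attempts >= p.max_attempts:
                rejected = True
                self._rejected = True
                authorized = False

        if not authorized:
            return Outcome(False, None, rejected)

        # Decision table: the application runs as the authorizing user only when
        # valid credentials authorized it and the response code did not.
        if cred_ok and not code_ok and p.run_as_authorizing_user:
            return Outcome(True, RunAs.AUTHORIZING_USER)
        return Outcome(True, RunAs.LOGGED_ON_USER)


if __name__ == "__main__":
    session = ChallengeSession(AuthorizationPolicy())
    for label, sub in [
        ("valid code only", Submission(True, None)),
        ("valid code + valid credentials", Submission(True, True)),
        ("invalid code + valid credentials", Submission(False, True)),
        ("no code + valid credentials", Submission(None, True)),
    ]:
        out = session.submit(sub)
        print(f"{label}: authorized={out.authorized}, run as {out.run_as.value}")
```

The four rows of the decision table are the four submissions in the demo; switching the policy to both_required=True refuses the first and last of them, and the session object is what carries the accumulated failure count across a cancelled dialog.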
The email settings are only enabled for blocking messages.
- Allow user to email an application request: Select this option to allow the user to email a request to run an application (only available for the Block Execution message type).
- Mail To: Email address to send the request to (separate multiple email addresses with semicolons).
- Subject: Subject line for the email request.
The Mail To and Subject fields can include parameterized values, which can be used with email based automated helpdesk systems.
For information on using parameters, please see Privilege Management for Windows Workstyle Parameters.