Create a Privilege Management Workstyle
- Navigate to the Policy Catalog and select BeyondTrust Privilege Management from the Products list on the left side (for 5.9 and older, use the dropdown menu).
- Click the policy from the list that you want to add a Workstyle to.
If you want to create a new policy, see Create a Privilege Management Policy for more information.
- Click the number for Windows Workstyles. If this is a blank policy this is 0.
- Click Actions > Create Workstyle using Wizard to start creating your Privilege Management for Windows Workstyle. This launches the Workstyle Wizard and takes you through the following screens.
- Introduction. This page displays if you have not yet configured a Privilege Management license in the policy, prompting you to enter a valid license code for the policy.
- Choose a Workstyle. You can choose from Controlling or Blank for your Workstyle. A controlling Workstyle allows you to apply rules for access to privileges and applications. A blank Workstyle allows you to create an empty Workstyle without any predefined elements. If you select a blank Workstyle, the next screen is Finish, as there is nothing to configure.
- Filtering (Controlling Workstyle only). This determines who will receive this Workstyle. You can choose from standard users only or everyone. If you apply it to everyone, it will apply to administrators. You can modify the filters and apply more detailed filtering once the Workstyle has been created.
- Capabilities (Controlling Workstyle only). Allows you to choose Privilege Management, Application Control, or both. If you don't select either capability, the next screen is Finish. This Workstyle would only contain filtering information.
- Privilege Management (Controlling Workstyle with the Privilege Management capability). Allows you to choose:
- If you want to display a notification to the user when applications are elevated by Privilege Management for Windows
- How you want to manage Windows User Account Control (UAC) prompts
- If you want to allow the on-demand elevation of applications
If you select Present users with a challenge code from the dropdown, you are prompted to configure the challenge and response functionality at the end of creating your Workstyle, if your policy doesn't already have one.
- Application Control (Controlling Workstyle with the Application Control capability). Allows you to choose:
- How you want to apply application control. You can choose from an allow or block approach. We recommend you use an allow approach.
- If you select As an allow: How you want to handle non-allowed applications
- If you select As a block: How you want to handle blocked applications
If you select Present users with a challenge code from the dropdown, you are prompted to configure the challenge and response functionality at the end of creating your Workstyle, if your policy doesn't already have one.
- Finish. Allows you to enter a Name and Description for your new policy. If the Workstyle has been configured to use a Challenge / Response message and the policy doesn't have an existing key, you will be asked to set a key.
You can check the box on this screen to activate this Workstyle immediately or you can uncheck the box to continue to configure the Workstyle before you apply it to your endpoints.
After you change the policy, click Submit and then Save to save the policy. In ePO 5.10 and later, if you have Trellix Approvals workflow enabled, this workflow can be modified to change the Save button to Submit for Review based on user permissions.
Depending on the type of Workstyle you created and any capabilities that have been included, Privilege Management for Windows auto-generates certain Application Groups (containing rules), Content Groups, messages, and Custom Tokens. Filters are applied and subsequently configured as part of the Workstyle.
Disable or Enable Privilege Management Workstyles
You can enable or disable Workstyles to prevent them from being processed by the Privilege Management for Windows client.
- Navigate to the policy and select the Workstyles node.
- The Enabled column shows you which Workstyles are currently being processed by the Privilege Management for Windows client. Click Disable to stop Privilege Management for Windows from processing that Workstyle, or click Enable to allow the Privilege Management for Windows client to process that Workstyle.
Change Workstyle Precedence in Privilege Management
If you have multiple Workstyles, they are evaluated in the order in which they are listed. Workstyles that are higher in the list have a higher precedence. Once an application matches a Workstyle, no further Workstyles are processed for that application, so it is important that you order your Workstyles correctly, because an application could match more than one Workstyle.
- Select the Workstyles node in the left pane.
- In the right pane, check the box adjacent to the Workstyle you want to move.
- Select Actions and choose from the available options: Up, Down, Top, or Bottom as required.
You can drag the buttons from the Actions menu to the right and drop them onto the toolbar to access them faster next time.
Privilege Management for Windows Workstyle Parameters
Privilege Management for Windows settings include a number of features that allow customization of text and strings that are used for end user messaging and auditing. If you want to include properties that relate to the settings applied, the application being used, the user or the installation of Privilege Management for Windows, then parameters may be used that expand when the text is used.
Parameters are identified as any string surrounded by [square parentheses], and if detected, the agent attempts to expand the parameter. If successful, the parameter is replaced with the expanded property. If unsuccessful, the parameter remains part of the string. The table below shows a summary of all available parameters and where they are supported.
| Parameter | Description |
|---|---|
| [PG_ACTION] | The action which the user performed from an end user message |
| [PG_AGENT_VERSION] | The version of the Privilege Management Client |
| [PG_APP_DEF] | The name of the Application Rule that matched the application |
| [PG_APP_GROUP] | The name of the Application Group that contained a matching Application Rule |
| [PG_AUTH_USER_DOMAIN] | The domain of the designated user who authorized the application |
| [PG_AUTH_USER_NAME] | The account name of the designated user who authorized the application |
| [PG_COM_APPID] | The APPID of the COM component being run |
| [PG_COM_CLSID] | The CLSID of the COM component being run |
| [PG_COM_NAME] | The name of the COM component being run |
| [PG_COMPUTER_DOMAIN] | The name of the domain that the host computer is a member of |
| [PG_COMPUTER_NAME] | The NetBIOS name of the host computer |
| [PG_CONTENT_DEF] | The definition name of the matching content |
| [PG_CONTENT_FILE_DRIVE_TYPE] | The drive type of a matching content |
| [PG_CONTENT_FILE_HASH] | The SHA-1 hash of a matching content |
| [PG_CONTENT_FILE_IE_ZONE] | The Internet Zone of a matching content |
| [PG_CONTENT_FILE_NAME] | The file name of a matching content |
| [PG_CONTENT_FILE_OWNER] | The owner of a matching content |
| [PG_CONTENT_FILE_PATH] | The full path of a matching content |
| [PG_CONTENT_GROUP] | The group name of a matching content definition |
| [PG_DOWNLOAD_URL] | The full URL from which an application was downloaded |
| [PG_DOWNLOAD_URL_DOMAIN] | The domain from which an application was downloaded |
| [PG_EVENT_TIME] | The date / time that the policy matched |
| [PG_EXEC_TYPE] | The type of execution method: Application Rule or shell rule |
| [PG_GPO_DISPLAY_NAME] | The display name of the GPO (Group Policy Object) |
| [PG_GPO_NAME] | The name of the GPO that contained the matching policy |
| [PG_GPO_VERSION] | The version number of the GPO that contained the matching policy |
| [PG_MESSAGE_NAME] | The name of the custom message that was applied |
| [PG_MSG_CHALLENGE] | The 8 digit challenge code presented to the user |
| [PG_MSG_RESPONSE] | The 8 digit response code entered by the user |
| [PG_POLICY_NAME] | The name of the policy |
| [PG_PROG_CLASSID] | The ClassID of the ActiveX control |
| [PG_PROG_CMD_LINE] | The command line of the application being run |
| [PG_PROG_DRIVE_TYPE] | The type of drive where application is being executed |
| [PG_PROG_FILE_VERSION] | The file version of the application being run |
| [PG_PROG_HASH] | The SHA-1 hash of the application being run |
| [PG_PROG_NAME] | The program name of the application |
| [PG_PROG_PARENT_NAME] | The file name of the parent application |
| [PG_PROG_PARENT_PID] | The process identifier of the parent of the application |
| [PG_PROG_PATH] | The full path of the application file |
| [PG_PROG_PID] | The process identifier of the application |
| [PG_PROG_PROD_VERSION] | The product version of the application being run |
| [PG_PROG_PUBLISHER] | The publisher of the application |
| [PG_PROG_TYPE] | The type of application being run |
| [PG_PROG_URL] | The URL of the ActiveX control |
| [PG_SERVICE_ACTION] | The action performed on the matching service |
| [PG_SERVICE_DISPLAY_NAME] | The display name of the Windows service |
| [PG_SERVICE_NAME] | The name of the Windows service |
| [PG_STORE_PACKAGE_NAME] | The package name of the Windows Store App |
| [PG_STORE_PUBLISHER] | The package publisher of the Windows Store app |
| [PG_STORE_VERSION] | The package version of the Windows Store app |
| [PG_TOKEN_NAME] | The name of the built-in token or Custom Token that was applied |
| [PG_URL_ADDRESS] | The full address of the matching URL |
| [PG_URL_DEF] | The definition name of the matching URL |
| [PG_URL_GROUP] | The URL group name of the matching URL |
| [PG_URL_HOST] | The hostname of the matching URL |
| [PG_URL_IE_ZONE] | The Internet Zone of the matching URL |
| [PG_URL_PROTOCOL] | The protocol of the matching URL |
| [PG_USER_DISPLAY_NAME] | The display name of the user |
| [PG_USER_DOMAIN] | The name of the domain that the user is a member of |
| [PG_USER_NAME] | The account name of the user |
| [PG_USER_REASON] | The reason entered by the user |
| [PG_USER_SID] | The SID of the user |
| [PG_WORKSTYLE_NAME] | The name of the Workstyle |
