Install the Endpoint Privilege Management ePO Extension

The Endpoint Privilege Management ePO Extension:

  • Allows you to use Trellix ePolicy Orchestrator to manage your endpoints.
  • Is provided as a ZIP file installer that includes the build number in its name.

Requirements

For more information, see Endpoint Privilege Management ePO Extension 22.7 Release Notes.

Install the Extension

To install the Endpoint Privilege Management ePO Extension:

  1. Log in to Trellix ePolicy Orchestrator and navigate to Menu > Software > Extensions.

 

  2. Click Install Extension in the top-left corner. The Install Extension dialog box appears.
  3. Enter or browse to the location of the Endpoint Privilege Management server extension package Defendpoint_x_x_x_xx.zip and click OK.
  4. On the Install Extension summary screen, click OK in the bottom-right corner to proceed with the installation.

The BeyondTrust Endpoint Privilege Management ePO Extension is now installed on your ePO server.

Configure ePO User Permission Sets

There are four permission sets in ePO by default. You can view these at Menu > User Management > Permission Sets, on the left menu. Installing the Endpoint Privilege Management ePO Extension grants some privilege management permissions to the following default ePO permission sets:

  • Executive Reviewer: Privilege Management Policy Permission: View and Change Settings

    This enables the user to access the policy catalog, but not to view or change the policy. The user requires Run permission for BeyondTrust Endpoint Privilege Management under BeyondTrust Endpoint Privilege Management to view policy.

  • Global Reviewer: Privilege Management Policy Permission: View Settings

    This enables the user to access the policy catalog, but not to view or change the policy. The user requires Run permission for BeyondTrust Endpoint Privilege Management under BeyondTrust Endpoint Privilege Management to view policy.

  • Group Admin: No Endpoint Privilege Management permissions.
  • Group Reviewer: No Endpoint Privilege Management permissions.

Users need to be members of the permission sets required for Endpoint Privilege Management. Please refer to Trellix documentation for how to add users to permission sets.

Alternatively, you can create your own permission sets in ePO by selecting New Permission Set. After this is selected, you can name the permission set and assign users. Once you click Save, you can apply permissions.

If a user needs to view or change BeyondTrust policies, they require the Run permission for BeyondTrust Endpoint Privilege Management permission under BeyondTrust Endpoint Privilege Management and the View settings or View and change settings permission under BeyondTrust Endpoint Privilege Management Policy.

Assign Endpoint Privilege Management Permissions

Permissions that can be configured for each Endpoint Privilege Management permission set are:

  • Endpoint Privilege Management
  • Endpoint Privilege Management Policy
  • Policy Assignment Rule
  • Policy Management

Configure Permissions

To configure user permissions for Endpoint Privilege Management in the ePO Server:

  1. In Trellix ePolicy Orchestrator, navigate to Menu > User Management > Permission Sets.

  2. Select the permission set that you want to configure.

 

Endpoint Privilege Management

  1. Locate BeyondTrust Endpoint Privilege Management and click Edit.
  2. Select a permission:
    • Run permission for BeyondTrust Endpoint Privilege Management: Users can manage Endpoint Privilege Management only.
    • Run permission for BeyondTrust Response Generator: Users can manage the Endpoint Privilege Management ePO Response Generator only.
    • Run permissions for BeyondTrust Endpoint Privilege Management and for Response Generator: Users can manage both.
    • No permissions: Users cannot manage either component.
  3. Click Save.

Endpoint Privilege Management Policy

  1. Locate BeyondTrust Endpoint Privilege Management Policy and click Edit.
  2. Select a permission:
    • View and change task settings: Users can edit policy and Workstyles.
    • View settings: Users can read but not edit policy and Workstyles.
    • No permissions: Users cannot read or edit policy and Workstyles.
  3. Click Save.

Policy Assignment Rule

  1. Locate Policy Assignment Rule in the list and click Edit.
  2. Select a permission:
    • View and Edit Rules: Users can manage policy rules.
    • View Rules: Users can view but not manage policy rules.
    • No permissions: Users cannot view or manage policy rules.
  3. Click Save.

Policy Management

Add users who can make policy changes independently, including approving or rejecting policy change requests.

  1. Locate Policy Management in the list and click Edit.
  2. Select one of the following:
    • No Permission: Users with this permission must submit policy changes for approval.
    • Approver Permission: Users with this permission can make policy changes independently. This includes the ability to approve or reject policy change requests.
  3. Click Save.
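
The permission rules above can be checked before assigning users. The following is an added example, not BeyondTrust or Trellix code: it combines a user's permission sets into the effective Endpoint Privilege Management policy access and flags accounts that can change policy without review. The permission names come from this page; the dictionary layout, the set names other than Global Reviewer, the user names, and the assumption that permissions from multiple sets are additive are constructed for illustration.

```python
# Added example. Permission names are from this page; the data layout and
# the sample sets/users are constructed and are not an ePO export format.
RUN_EPM = "Run permission for BeyondTrust Endpoint Privilege Management"
POLICY_RANK = {"No permissions": 0, "View settings": 1, "View and change settings": 2}

# Constructed sample permission sets.
PERMISSION_SETS = {
    "Global Reviewer": {"epm": [], "policy": "View settings", "approver": False},
    "EPM Editors": {"epm": [RUN_EPM], "policy": "View and change settings", "approver": False},
    "EPM Approvers": {"epm": [RUN_EPM], "policy": "View settings", "approver": True},
}
# Constructed sample users and the permission sets they belong to.
USERS = {
    "alice": ["Global Reviewer"],
    "bob": ["EPM Editors"],
    "carol": ["EPM Editors", "EPM Approvers"],
}


def effective_access(set_names, sets=PERMISSION_SETS):
    """Combine a user's permission sets (assumed additive) into EPM policy access."""
    run = any(RUN_EPM in sets[name]["epm"] for name in set_names)
    rank = max((POLICY_RANK[sets[name]["policy"]] for name in set_names), default=0)
    approver = any(sets[name]["approver"] for name in set_names)
    if rank == 0:
        policy = "none"
    elif not run:
        # A policy permission without the Run permission gives access to the
        # policy catalog only, not to the policy itself.
        policy = "catalog only"
    else:
        policy = "edit" if rank == 2 else "view"
    # Approver Permission plus edit access means changes need no second reviewer.
    return {"policy": policy, "unreviewed_changes": policy == "edit" and approver}


def audit(users=USERS):
    """Return the effective access for every user."""
    return {user: effective_access(names) for user, names in users.items()}


if __name__ == "__main__":
    for user, access in audit().items():
        print(user, access)
```
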

Configure Additional Permissions

As an admin, you may want to consider granting other user permissions so that users can:

  • Modify deployment of the Endpoint Privilege Management endpoint client
  • Access the System Tree tab
  • Edit the groups and systems within the System Tree
  • Wake and deploy agents
  • Assign policies or client tasks to a group
  • Create client tasks with the software or with the Software Catalog

To edit the permissions, navigate to Menu > User Management > Permission Sets and select the appropriate permission set. Alternatively, create a permission set by clicking the New Permission Set button. A list of settings you can edit appears in the right panel. Click Edit on the appropriate setting to edit it. Once finished, click Save.

Trellix Agent: Policy and Trellix Agent: Tasks

A user may need Trellix Agent permissions if they need to view or change client deployment tasks of Endpoint Privilege Management for Windows or Endpoint Privilege Management for Mac.

 

Systems

A user may need the Systems permission so they can access the System Tree tab, wake up agents, edit the groups and systems in the System Tree, and deploy agents.

 

System Tree

A user may need the System Tree access permission if they need access to certain groups (assigning policies or client tasks to a group, for example).

 

Software and Software Catalog

A user may need the Software and Software Catalog permissions if they need to create client tasks with software.

 
