Configuring Privileged Identity to Launch Applications

Configure Privileged Identity to Launch Specific Applications

  1. Open the management console.
  2. Choose Settings > Manage Web Application > Application Launch.
  3. Click Applications. The Applications tab displays applications that can be launched from the web application and other related settings.
  4. Select an Application Launch Type item.
  5. Click Edit.
  6. Complete the form.

Edit the Remote Application Configuration

  • Remote application label: (Required) Friendly name of the application as it will appear in the web application.
  • Remote application description: (Optional) Enter a description for the application.
  • Remote application icon path: (Optional) To set a custom icon for the application, identify the location of the physical web application installation files, %inetpub%\wwwroot\PWCWeb. All file paths defined for the icons are relative to this path. It is recommended to create a custom folder and add your icons to this folder to persist through website upgrades. Then, for the icon path, add the path using the following convention, FolderName\IconName.gif. All GIF files should be 32x32 pixels.
  • Remote launch type:(Required) Select from the available launch types:
    • Launch application with command line parameters: Select if this application can be launched with command line options, such as SQL Management Studio, PuTTY, VMware vCenter, etc.
    • Open web application with form post: Select if the website requires a basic form post and does not make use of JSON, YAML, or other technologies for passing username and password information. When selected, fill out the Web Page and Name-Value pair fields. The webpage is the name of the login page, including the protocol, such as http://server.example/pwcweb/login.asp, and the name-value pair should consist of the variables for the username and password.
    • Launch terminal services client: Select if launching the Microsoft Terminal Services client.
    • Launch app through .NET assembly: Select if an external .NET assembly will be used to connect and pass credentials. Enter the Assembly Path and Type Name values. The Assembly Path is the full physical file path to the .NET assembly, and the Type Name is the name of the .NET interface.
    • Launch app through script automation: Select if launching MMCs or websites not passing username and password information from a basic form post, thick clients not using command line parameters, etc. Enter the Script Path and Automation URL. Script Path is the script name, including the extension. For example, login_azuremgmt.vbs. This script must be found in the pre-defined script automation directory on the global options or Application Launch Server configuration dialogs for the app launcher. Automation URL is the target URL. For example, http://manage.windowsazure.com or for a device, https://$(RemoteAccessTarget_TargetName)/login.html.
  • Run on the jump server: (Optional) Select if launching the target application from the jump server or from the user's workstation. If this option is not selected, the application attempts to launch from the user's local workstation. If selected, the application launches from the jump server. The application must be installed on the jump server. This is a per-application setting.
    • Use the targeted account to connect to the jump server: Select if a connection needs to be established with a domain account or a local jump server account. If a jump server is used and the account being targeted to launch the application is a domain account or a valid local account, this option will establish a connection with those credentials rather than the pre-configured jump server connection credentials. Do not use this option for non-Windows systems.
    • Application supports multi-tab: Select to enable a special set of configurations and launch scripts for applications with multi-branch or multi-tab capabilities.
    • Load user profile when starting application (Configure RDP connection parameters): Select if you wish to load the connecting user's user profile on the jump server, which enables additional items, such as color depth, mapped drives, clipboard capability, etc.
  • Enable session recording: (Optional) If session recording is configured, this option is available. Select if launching this application on a jump server should initiate session recording, and record only this application being run. This is a per-application setting.
  • Application:(Mandatory) Enter the application name, which is the name of the executable without the path.
  • Command line:(Mandatory) Enter the command line parameters to launch the executable with. Parameters are specific to the program being launched and not Privileged Identity. Specific replacement variables are provided by Privileged Identity, which can be used in place of otherwise static values.
  • Application location: (Optional) Define the application location. It can be a full physical path, or set up to search for and even download a ready-to-run executable from a predefined network path . A physical path MUST be defined when launching the application from a jump server. If a physical path is not defined in the application location field, the option to Search for application on local system should be enabled. Sub-options for application search include searching for the application on the system root or Program Files directories. In addition, subsequent include and exclude directories may be defined. Multiple values should be separated by a semicolon. There are no variable replacements, such as %systemroot% or %inetpub%. Full physical locations must be used.

Remote Application Configuration

  • Search for application on local system: (Optional) Select if the application launcher should search the jump server or the calling workstation's file system for the executable being launched, and launch the first valid application it comes across. If this option is deselected, the Application location field becomes active, and a static path can be defined. Using search adds time needed to launch the application. The locations that can be searched are the Program Files directories or the system root directory. Searching is controlled by the subsequent options.
    • Search for application on local system root directs searches to the %systemroot% location on the jump server or the calling workstation's file system when launching an application.
    • Search for application under the program files directory directs searches to %ProgramFiles% and %ProgramFiles(x86)% on the jump server or the calling workstation's file system when launching an application.
    • Subdirectory restriction indicates the directories to not search when searching the Program Files directory structure.
    • Additional search directories are the additional directories to search if there are any other directories on the system to search. The list is semicolon delimited.
    • Working Directory is the default search starting point.
  • Only run signed executables: (Optional) Select to ensure the program has a digital signature on it. If the option is enabled, an additional verification can be configured to validate specific fields of the digital signature, such as the certificate serial number, certificate issuer, etc.
    • Verify certificate fields of signing certificate: This option becomes available if Only run signed executables is selected. The resulting dialog allows definition around which fields to verify in the signing certificate.
  • Only run executables with expected hashes: (Optional) Select if admins should be allowed to define hashes of a target application. This is useful to ensure a malicious executable is not renamed or a specific patched version has run. From this dialog, multiple hashes can be calculated and defined.
  • At launch, download the file from path: (Optional) Define a network path or URL to download the application from if not already present on the host system.
  • Settings apply to client system configuration(Optional) Select if applications are launched from the user's workstation. This has no effect on applications launched using the jump server.
    • A 32-bit application running on a 32-bit Windows host installs to c:\ProgramFiles\application. Yet, the same 32-bit application running on a 64-bit Windows host installs to c:\ProgramFiles (x86)\application. This setting permits configuration of only one application to launch with multiple possible settings. When these settings are configured, the launcher determines which host it is running and retrieves the appropriate settings.
  • Application uses stored private key: (Optional) Select this option to allow programs using certificates to define which certificate to use when connecting. These certificates must be pre-imported and assigned via the management console by choosing Settings > User Keys > Import Keys.
  • Application uses gateway server: (Optional) If an SSH proxy/gateway is defined in the management console, this option is available. Select this option if a client should first connect to an SSH proxy before connecting to the final SSH target. This process uses plink.exe. The plink.exe download location must also be specified with the path on the jump server where the plink.exe executable is located. Plink.exe is installed in the launch app folder on the jump server if the PuTTy files are also installed. Plink.exe can also be downloaded from https://www.putty.org.
  • Configure Allowable Types:(Mandatory) Select which account types in the application are available. One account type, at minimum, must be selected. This option makes applications available to MySQL or Windows but not Linux, SQL Server, or Oracle.
  • Always use the specified account when starting this application: (Optional) Select this option to pull a predefined credential from the account store and always use this account to launch the application. The application will not be available in the Launch App section of the web application. It will instead be made available in the Applications section of the website. Applications is always available regardless of managed passwords. When this option is NOT selected, the application is available for the selected account types. Potentially any account could be used to launch this application.