Enroll Endpoints in a Disconnected Account List

To manage systems with disconnected account management (DAM), those systems must be enrolled in a DAM list. Endpoints can be enrolled as part of an online process, or they can be pre-enrolled. You can enroll disconnected systems either before or after you delegate permissions.

For more information on delegating permissions, please see Delegate Permissions for Disconnected Account Access.


The DAM client handles all management of enrolled systems and currently manages only one account per machine, specified at time of enrollment. If the DAM-managed account is "Administrator", then DAM manages only this account and no others. If Privileged Identity already has a password change job for this same account on the same system, then the Privileged Identity administrator must delete that job to prevent a password conflict.

Default Enrollment Process

From the disconnected account list, download and install the settings file and the client software on the endpoint.

For more information about installing the endpoint client, please see Configure Endpoint Clients.

When running the client software, the first thing an endpoint does is attempt to communicate with the web service to update its registration with the target list. If the system has not been previously enrolled, it receives an identifier that is stored in the local settings and that is used to identify the endpoint for all future actions that will run against the web service. This endpoint ID is a GUID, so multiple machines with the same DNS name or virtual system settings will not be confused.

The next step of enrollment is to gather the endpoint's DNS name, IP address, MAC address, and platform information. This information is stored in the local settings and pushed to the server through the web service. This step is run each time the client software runs to ensure the system information has not changed. If a change is detected (for example, if locally stored settings don't match what the system reports), the information is updated on the server through the web service.

After establishing the machine ID and endpoint machine settings, the next step is to download the password and secret renewal policy. This determines how often the password will change and how often the endpoint must reconnect to the web service to obtain a new secret. The client software now begins the randomization process. It is not required to connect to the back-end web service until a new secret is required.

After initial enrollment, the endpoint is not strictly required to connect to the web service. As scheduled by its policy, the endpoint will attempt to reach the web service to update its status and get a new shared secret. If it can't reach the web service, the endpoint will continue to use the existing secret and settings to generate derived passwords.

While password randomization will continue past the secret's expiration, the passwords on the web service will no longer match the passwords on the endpoint. This is not considered a failure, though the web app will warn you of the endpoint's expired secret. The endpoint will keep trying to reach the web server to update its secret, policy, and status.
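The enrollment loop described in this section, as an added worked example in Python. This is a toy model constructed for this page, not BeyondTrust's client or web-service code: the GUID endpoint identifier, the in-memory stand-ins for settings.json and the web service, the policy field names, and the password derivation (HMAC-SHA256 keyed by the shared secret over a rotation-slot index) are all assumptions made to show the flow, namely first-run registration, machine-info change detection on every run, secret renewal only when due, continued password generation while the service is unreachable, and the web app losing its view of the password once the secret expires.

```python
"""Toy model of the DAM client's enrollment loop (constructed; not the product's code)."""
import hashlib
import hmac
import secrets
import uuid
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)


def make_server(password_update_hours=24, secret_lifetime_hours=72):
    """In-memory stand-in for the web service: renewal policy plus enrolled endpoints (assumed shape)."""
    return {"reachable": True,
            "policy": {"password_update_hours": password_update_hours,
                       "secret_lifetime_hours": secret_lifetime_hours},
            "endpoints": {}}


def register(settings, server):
    """First contact: a never-enrolled endpoint receives a GUID that identifies it from then on."""
    if "endpoint_id" not in settings:
        settings["endpoint_id"] = str(uuid.uuid4())   # GUID, so duplicate DNS names cannot collide
        server["endpoints"][settings["endpoint_id"]] = {}
    return settings["endpoint_id"]


def sync_machine_info(settings, server, observed):
    """Runs every time: compare what the OS reports with the stored copy and push only on change."""
    changed = settings.get("machine") != observed
    if changed:
        settings["machine"] = dict(observed)
        server["endpoints"][settings["endpoint_id"]]["machine"] = dict(observed)
    return changed


def renew_secret(settings, server, now):
    """Fetch policy and a fresh shared secret when none is held or the held one has expired.
    Returns 'renewed', 'current' (nothing due) or 'kept_expired' (due, but service unreachable)."""
    expires = settings.get("secret_expires")
    if expires is not None and now < expires:
        return "current"
    if not server["reachable"]:
        return "kept_expired"          # keep deriving from the old secret and settings
    policy = server["policy"]
    secret = secrets.token_hex(32)     # assumed: the service generates the shared secret
    settings.update(policy=policy, secret=secret,
                    secret_expires=now + policy["secret_lifetime_hours"] * HOUR)
    server["endpoints"][settings["endpoint_id"]].update(
        secret=secret, secret_expires=settings["secret_expires"])
    return "renewed"


def derive_password(secret_hex, slot):
    """Assumed derivation: HMAC-SHA256 over the rotation-slot index, truncated to 14 hex chars."""
    return hmac.new(bytes.fromhex(secret_hex), str(slot).encode(), hashlib.sha256).hexdigest()[:14]


def rotation_slot(policy, enrolled_at, now):
    """Which rotation window 'now' falls in: hours since enrollment / update frequency."""
    return int((now - enrolled_at) / HOUR) // policy["password_update_hours"]


def endpoint_password(settings, enrolled_at, now):
    """The endpoint never needs the service for this; it only needs its secret and policy."""
    return derive_password(settings["secret"], rotation_slot(settings["policy"], enrolled_at, now))


def service_password(server, endpoint_id, enrolled_at, now):
    """What the web app would show; None once the secret it holds has expired (the UI warns instead)."""
    rec = server["endpoints"][endpoint_id]
    if now >= rec["secret_expires"]:
        return None
    return derive_password(rec["secret"], rotation_slot(server["policy"], enrolled_at, now))


def run_client(settings, server, observed, enrolled_at, now):
    """One execution of the client software, in the order the page describes."""
    eid = register(settings, server)
    changed = sync_machine_info(settings, server, observed)
    status = renew_secret(settings, server, now)
    return {"endpoint_id": eid, "machine_changed": changed, "secret_status": status,
            "password": endpoint_password(settings, enrolled_at, now)}


def simulate():
    """Walk one endpoint through enrollment, an IP change, and an expired secret while offline."""
    server = make_server()
    settings = {}                                        # empty local settings before the first run
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    info = {"dns_name": "ws01.example.test", "ip": "10.0.0.5",   # constructed sample machine info
            "mac": "00:11:22:33:44:55", "platform": "Windows"}
    moved = dict(info, ip="10.0.0.9")                    # later run: DHCP handed out a new address

    first = run_client(settings, server, info, t0, t0)
    second = run_client(settings, server, info, t0, t0 + 30 * HOUR)
    third = run_client(settings, server, moved, t0, t0 + 50 * HOUR)
    server["reachable"] = False                          # loses contact before the 72 h secret expires
    late = t0 + 100 * HOUR
    fourth = run_client(settings, server, moved, t0, late)
    eid = first["endpoint_id"]
    return {
        "id_is_guid": uuid.UUID(eid).version == 4,
        "id_stable": eid == fourth["endpoint_id"],
        "first_secret": first["secret_status"],
        "ip_change_detected": (second["machine_changed"], third["machine_changed"]),
        "match_while_valid": third["password"] == service_password(server, eid, t0, t0 + 50 * HOUR),
        "offline_status": fourth["secret_status"],
        "service_view_after_expiry": service_password(server, eid, t0, late),
        "endpoint_still_rotating": fourth["password"] != third["password"],
    }


if __name__ == "__main__":
    print(simulate())
```

The point to take from the run is the last three results: once the secret has expired and the service is unreachable, the endpoint keeps rotating its local password from the old secret, while the web app no longer has a password it can vouch for and shows the expired-secret warning described above.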

Pre-Enrollment Process

To pre-enroll an endpoint, you must add an entry for the endpoint to an existing list. Then download that endpoint's specific settings file, and distribute and install the client software together with that settings.json file on the endpoint.

Passwords > Disconnected Accounts

  1. Log into the web application as a user with appropriate permissions.
  2. Go to Passwords > Disconnected Accounts. You will see any lists you may access.


Disconnected Account Management - Enrolled Systems

  1. Click a list name to view its enrolled systems.
  2. Click the New Offline Machine button (+).


Offline Machine Configuration

  1. Enter the following information:
    • Name: Enter a descriptive name for the endpoint.
    • Machine Type: Select the endpoint's operating system.
    • Machine IP Address: (Optional) Enter the endpoint's IP address.
    • Machine MAC Address: (Optional) Enter the endpoint's MAC address.
    • Never Connect: Select this option if you know that this client will never connect to the web service to update its settings and status. This option poses no technical problems whether it is selected or not. However, selecting this option prevents misreporting of the client status in the web app.
    • Password Update Frequency: Select how many hours to wait between password rotations.
    • Simple Password Value: If you select this option, then a password derived from the client secret will be a 14-character, random string of uppercase letters, lowercase letters, and numbers.

      If you do not select this option, then set the following options for passwords derived from the client secret:

      • Password Length: Set how many characters to include in the password. The maximum is 127 characters.
      • Allow Numbers: Set if the password can contain numbers.
      • Allow Lowercase: Set if the password can contain lowercase letters.
      • Allow Symbols: Set if the password can contain special characters.
      • Symbol Set: You can leave the text field blank to allow all possible symbols, or you can define an allowed list of symbols.
        To avoid causing code issues, you may not specify a slash (/), backslash (\), colon (:), semicolon (;), or quotation mark (").

        Some databases accept only the special characters hash (#), underscore (_), and dollar sign ($).

  2. Click Create to add the endpoint.
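The password options above, as an added Python example that checks an Offline Machine Configuration against the rules listed in this section and then derives a password from a client secret that fits those rules. This is illustrative code written for this page, not the product's own implementation: the policy dictionary keys, the assumption that uppercase letters are always allowed (the page only offers toggles for numbers, lowercase and symbols), and the derivation itself (SHA-256 over the secret, rotation slot and a counter, with rejection sampling into the allowed alphabet) are assumptions. The rules it enforces are the page's: a simple value is 14 characters of uppercase, lowercase and digits; otherwise the length is at most 127, and a symbol set may not contain slash, backslash, colon, semicolon or quotation mark.

```python
"""Policy validation and policy-constrained password derivation (constructed example)."""
import hashlib
import string

FORBIDDEN_SYMBOLS = set('/\\:;"')          # the five characters the page disallows
ALL_SYMBOLS = "".join(c for c in string.punctuation if c not in FORBIDDEN_SYMBOLS)
MAX_LENGTH = 127
SIMPLE_LENGTH = 14


def validate_policy(policy):
    """Return a list of problems with a password policy dict (empty list means the policy is valid)."""
    problems = []
    if policy.get("simple"):
        return problems                      # fixed 14-char alphanumeric value; other options do not apply
    length = policy.get("length", 0)
    if not 1 <= length <= MAX_LENGTH:
        problems.append(f"length {length} outside 1..{MAX_LENGTH}")
    if policy.get("allow_symbols"):
        bad = sorted(FORBIDDEN_SYMBOLS & set(policy.get("symbol_set") or ""))
        if bad:
            problems.append("symbol set contains forbidden characters: " + " ".join(bad))
    return problems


def alphabet_for(policy):
    """Build the allowed character set; uppercase letters are assumed always allowed."""
    if policy.get("simple"):
        return string.ascii_uppercase + string.ascii_lowercase + string.digits
    chars = string.ascii_uppercase
    if policy.get("allow_numbers"):
        chars += string.digits
    if policy.get("allow_lowercase"):
        chars += string.ascii_lowercase
    if policy.get("allow_symbols"):
        chars += policy.get("symbol_set") or ALL_SYMBOLS   # blank symbol set means all permitted symbols
    return chars


def derive_policy_password(secret: bytes, slot: int, policy) -> str:
    """Deterministically map (client secret, rotation slot) to a password that satisfies the policy.

    Assumed derivation: hash the secret with the slot and a running counter, then keep only
    bytes below a rejection bound so every alphabet character is equally likely."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    alphabet = alphabet_for(policy)
    length = SIMPLE_LENGTH if policy.get("simple") else policy["length"]
    limit = 256 - (256 % len(alphabet))
    out, counter = [], 0
    while len(out) < length:
        block = hashlib.sha256(secret + slot.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
        for b in block:
            if b < limit and len(out) < length:
                out.append(alphabet[b % len(alphabet)])
    return "".join(out)


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"            # placeholder, not a real client secret
    simple = {"simple": True}
    database = {"length": 20, "allow_numbers": True, "allow_lowercase": False,
                "allow_symbols": True, "symbol_set": "#_$"}   # the database-friendly set from the page
    broken = {"length": 128, "allow_symbols": True, "symbol_set": "a:b"}
    print("simple   :", derive_policy_password(demo_secret, 0, simple))
    print("database :", derive_policy_password(demo_secret, 0, database))
    print("problems :", validate_policy(broken))
```

The rejection bound matters when you write this kind of derivation yourself: taking `byte % len(alphabet)` without it skews the first few characters of the alphabet, which is the sort of bias a password-policy audit should look for.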

Disconnected Account Management - Enrolled Systems

  1. You should now see the endpoint you just created. You can further edit its properties by clicking the buttons:
    • Show Password: View and copy the endpoint's current password and its next password, as well as how much longer the current password will remain valid.
    • Create Elevation Code: View, copy, or create an elevation code. You may also edit the elevation details, including the local group, the elevation duration, and the elevation start time.
    • Downloads: Download the settings file and the client software - either the Windows service or the Python script. You must download the settings.json file to the directory where you will run the client software installer.
    • Edit Offline Configuration: Modify the machine's name, type, IP address, MAC address, connection check, password update frequency, and password settings.
    • Show Logs: View event logs for this machine.
    • Delete Machine: Remove this machine from the disconnected account list.
  2. After you download and install the settings file and the client software, the client begins the randomization process. It is not required to connect to the back-end web service until a new secret is required.
    After initial enrollment, the endpoint is not strictly required to connect to the web service. As scheduled by its policy, the endpoint will attempt to reach the web service to update its status and get a new shared secret. If it can't reach the web service, the endpoint will continue to use the existing secret and settings to generate derived passwords.

    While password randomization will continue past the secret's expiration, the passwords on the web service will no longer match the passwords on the endpoint. This is not considered a failure, though the web app will warn you of the endpoint's expired secret. The endpoint will keep trying to reach the web server to update its secret, policy, and status.