Configure agent settings

This topic describes how to configure EPM agent settings and apply them to endpoint computers in the Set.

Overview

Agent configuration determines how EPM manages endpoint computers. By default, EPM applies predefined configuration settings to all endpoints in the Set, and you can create custom configurations for specific endpoints when necessary.

The agent configuration parameters appear in a clear, expandable table, which also displays the platform on which each setting can be applied. You can also see the current value and whether it is the default value. At any point, you can reapply the default settings.

You can also search for specific parameters and filter the table according to platform.

For each parameter from the previous UI, the lists below show its new category name and parameter name. For details, see Configure EPM service settings.

View the predefined agent configuration

EPM applies the predefined agent configuration to all endpoint computers in the Set.

  1. In the EPM management console, go to Advanced > Agent Configuration.

  2. Click General configuration to open a split screen and view the predefined configuration details and target computer.

Edit agent configuration

Set admins who have edit permissions in their user role can edit the agent configuration, as described below. Users who only have view permissions cannot edit this configuration.

  1. In the agent configuration grid, in the line of the configuration to edit, click the More actions (...) button, and select Edit parameters. You can now see a full list of the agent configuration settings and their values, whether those values are default or have been customized, and the platforms where they can be applied.

  2. In the line of any setting, click the More actions (...) button and select a different value.

  3. Click Save to apply the changes or Reset to default to apply the default EPM values to all settings in the configuration.

Create a custom configuration

Set admins who have edit permissions in their user role can create and apply custom agent configuration to specific endpoint computers that require different settings.

Only one custom configuration can be applied to any single endpoint computer.

Custom configurations have a higher priority than general agent configurations, so the customized values override the general agent configuration settings.

  1. In the Agent Configuration page, click Create custom configuration.

  2. In the Create custom configuration window, specify the name and description of this custom configuration.

  3. Select the set of values on which to base the new configuration. You can choose between the system's default set of values and the general configuration set of values.

  4. Specify a single target endpoint computer for this configuration, then click Continue.

    The Agent Configuration page displays the settings for the configuration. At the top of the page, you can see the name of this customized configuration and the name of the target computer.

  5. In the line of any setting, click the More actions (...) button and select a different value.

  6. When you have finished customizing this configuration, click Create, and confirm that you want to create this configuration.

    The customized configuration now appears in the list of agent configurations.

Agent configuration settings

Each parameter in the tables below displays the new setting name and location.

Extended protection

These parameters determine the level of protection for the EPM agent.

Parameter

Description

Agent self-defense

Protects the EPM agent from attempts to perform unauthorized activities. When this is enabled on Windows and macOS, you require a security token to uninstall agents, which you can generate in the My Computers page, as described in Bypass agent protection.

Valid values: On, Off

Default value: On

Supported platforms: Windows, macOS, Linux

Previous parameter name: This parameter name was not changed.

Support info file password

The password used to access the Support Information file. Use a strong password to ensure maximum protection.

To see the default password, go to Administration > Account Management, right-click the set whose password you want to see and select Show default support info file password. For more details, see Collect agent support information.

To open the Support Information file, use the DSI commands described in Agent commands.

Default value: Default password

Supported platforms: Windows, macOS

Previous parameter name: This parameter name was not changed.

Protect Administrative User Groups

Prevents elevated applications from modifying administrative user groups.

When this setting is enabled, the functionality of certain applications might be limited, such as "Local User and Group" administrative tasks.

Valid values:

Off

From elevated applications (applies to non-admin users)

From all users and programs (for all users and programs)

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Anti-tampering protection

Protects EPM agent requests from interception by third-party DLLs.

Values:

  • Strong: A process call stack can only contain Windows DLLs. EPM does not allow third-party DLLs to be injected.

  • Moderate: A process call stack can contain a DLL signed by any publisher.

  • Minimal: Provides minimal anti-tampering protection.

    This option is supported from version 23.10.0. If you are still working on a previous agent version and you apply Minimal, EPM displays Minimal, but applies Strong.

  • Off: Disables anti-tampering protection.

Default value: Strong

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Protect elevated processes from DLL hijacking

Protects processes elevated by EPM by only permitting them to load DLLs that a non-admin user cannot modify.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Data collection

These parameters determine which data is collected by the agent.

Parameter

Description

Collect policy audit data

Determines whether audit collection can be set in a policy. When this is set to On, users can control audit collection when they create or update an advanced policy.

Valid values: On, Off

Default value: On

Supported platforms: Windows, macOS, Linux

Previous parameter name: Collect Policy Usage Data

Exclude new files from the Application Catalog and Events Management

Specific application files whose events are not collected in the Application Catalog. Launch events are not excluded and are still collected in the Events Management page.

Specify the following values:

  • Name of the file to exclude

  • File location

  • User or group to exclude

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: Exclude new or changed files from Application Catalog and Inbox

File types to scan for Application Catalog

Application files to collect during application catalog scans.

Valid values: Multiple extensions for executables, installation packages, DLLs, and script files.

Default values:

Windows: EXE, MSI, MSP, MSU

macOS: DMG, PKG, MPKG, All executable files

Supported platforms: Windows, macOS

Previous parameter name: Application Catalog Scanning File Types

Event queue flush period

How often events of unhandled applications that are managed by default policies are sent to the server.

Valid values: Number of seconds between 30 - 86400 (30 seconds - 24 hours)

Default value: 1800 (30 minutes)

Supported platforms: Windows, macOS, Linux

Previous parameter name: Event Queue Flush Period (Seconds)

Policy audit event flush period

How often policy audit events are sent to the server, where users can see them in the Policy Audit page.

Valid values: Number of seconds between 30 - 86400 (30 seconds - 24 hours)

Default value: 28800 (8 hours)

Supported platforms: Windows, macOS, Linux

Previous parameter name: Policy Usage event queue flush period (Seconds)

Threat protection: Event queue flush interval

How often the PAS event queue is flushed.

Valid values: Number of seconds between 5 - 86400 (5 seconds - 24 hours)

Default value: 5

Supported platform: Windows

Previous parameter name: Event queue flush interval (Seconds)

Collect events in Event Log

Collect events and policy usage data in the Windows application event log.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Collect events in WMI

Create WMI instances for events and policy usage data.

This setting must be enabled (On) for Data Location end-user computers and for event collection by third-party tools, such as SCCM.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Collect events triggered by service accounts

Report events triggered by processes that are run by system, local service, and network service built-in service accounts.

To protect local administrator users against ransomware, set this parameter to On.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Collect child command events

Collect events for child commands whose parent command is elevated or detected by default policies.

Valid values: On, Off

Default value: On

Supported platform: Linux

Previous parameter name: This parameter is new.

Report user groups in events

Collect a list of user groups in event sources. To reduce the size of events significantly, we recommend you turn this off if users who trigger events belong to multiple user groups.

When this parameter is turned off, the trusted user/group policies defined for a user group will not affect events in the Events Management page.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: User Groups in Events

Collect protected accounts

Collect credential accounts that are stored on endpoint computers.

When this value is set to On, specify how frequently EPM collects accounts, in hours.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Policies

These parameters determine EPM policy behavior.

Parameter

Description

Enable policy suspension

Enable users in a specific user group to temporarily suspend policies.

Specify the user group to enable.

You can use the CyberArk EPM Admin Utility to specify a custom user or group. For details about installing and using this utility, see Add file definitions and users to groups and policies.

This doesn't apply to threat protection policies.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: Enable Suspending of Policies

Confirm elevation

Specify a user group whose members can confirm elevation.

On Windows, you can use the CyberArk EPM Admin Utility to specify a custom user or group. For details about installing and using this utility, see Add file definitions and users to groups and policies.

Valid values: Custom, Administrators

Default value: Administrators

Supported platforms: Windows, macOS

Previous parameter name: Elevation Confirmation

Threat protection: Excluded applications

A global list of applications to exclude from Threat Protection policies.

This does not include the applications listed in the Exclude files from policies (Windows) parameter under Agent behavior.

Specify the following values:

  • Application filename

  • Location

  • Publisher's signature

  • Whether to include child processes

For more details, see Protect against credential theft.

Valid values: Threat Protection, Excluded applications

Default value: -

Supported platform: Windows

Previous parameter name: Elevation Confirmation

Heartbeat timeout

How frequently EPM checks script/network policy conditions.

Valid values: Number of seconds between 5 - 3600 (5 seconds - 1 hour)

Default value: 60 (1 minute)

Supported platforms: Windows, macOS

Previous parameter name: Heartbeat Timeout (seconds)

Policy condition timeout

The script/network policy condition timeout after which the agent resumes checking the policy condition.

Valid values: Number of seconds between the value of Heartbeat timeout and 7200 (2 hours)

Default value: 300 (5 minutes)

Supported platforms: Windows, macOS

Previous parameter name: Condition Timeout (Seconds)

Script timeout

The script execution timeout.

Valid values: Number of seconds between the value of Heartbeat timeout and 7200 (2 hours)

Default value: 300 (5 minutes)

Supported platforms: Windows, macOS

Previous parameter name: Script Timeout (Seconds)
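The three timeouts above are linked: Policy condition timeout and Script timeout must be no lower than the configured Heartbeat timeout. The following validator, added here as an example and not CyberArk's own code or API, checks a custom configuration's numeric values against the ranges documented on this page, including that dependency. The parameter labels are chosen for the example and are not EPM identifiers.

```python
# Added example: validate numeric EPM agent settings against the documented ranges.
# The keys below are labels chosen for this example, not EPM's internal identifiers.

# Fixed ranges in seconds, as documented on this page: (minimum, maximum)
FIXED_RANGES = {
    "event_queue_flush_period": (30, 86400),
    "policy_audit_event_flush_period": (30, 86400),
    "threat_protection_event_queue_flush_interval": (5, 86400),
    "heartbeat_timeout": (5, 3600),
}

# Parameters whose lower bound is the configured Heartbeat timeout: name -> maximum
HEARTBEAT_BOUNDED = {
    "policy_condition_timeout": 7200,
    "script_timeout": 7200,
}

# Documented default values, used for any parameter the custom configuration omits
DEFAULTS = {
    "event_queue_flush_period": 1800,
    "policy_audit_event_flush_period": 28800,
    "threat_protection_event_queue_flush_interval": 5,
    "heartbeat_timeout": 60,
    "policy_condition_timeout": 300,
    "script_timeout": 300,
}


def human(seconds):
    """Render seconds the way the documentation does, e.g. 1800 -> '30 minute(s)'."""
    if seconds % 3600 == 0:
        return f"{seconds // 3600} hour(s)"
    if seconds % 60 == 0:
        return f"{seconds // 60} minute(s)"
    return f"{seconds} second(s)"


def _is_seconds(value):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool)


def validate(custom):
    """Return a list of findings (empty when the configuration is valid).

    `custom` maps parameter label -> value. Parameters not present fall back to the
    documented defaults, which mirrors a custom configuration based on the system's
    default set of values.
    """
    findings = [f"{name}: unknown parameter" for name in custom if name not in DEFAULTS]
    effective = {**DEFAULTS, **{k: v for k, v in custom.items() if k in DEFAULTS}}

    bad_type = [name for name, value in effective.items() if not _is_seconds(value)]
    for name in bad_type:
        findings.append(f"{name}: {effective[name]!r} is not a whole number of seconds")

    for name, (lo, hi) in FIXED_RANGES.items():
        value = effective[name]
        if name not in bad_type and not lo <= value <= hi:
            findings.append(f"{name}: {value} is outside {lo} - {hi} ({human(lo)} - {human(hi)})")

    # Dependent ranges: only meaningful when the heartbeat itself is a number
    heartbeat = effective["heartbeat_timeout"]
    if "heartbeat_timeout" not in bad_type:
        for name, hi in HEARTBEAT_BOUNDED.items():
            value = effective[name]
            if name not in bad_type and not heartbeat <= value <= hi:
                findings.append(
                    f"{name}: {value} must be between the Heartbeat timeout ({heartbeat}) and {hi}"
                )
    return findings
```

Raising only the Heartbeat timeout (for example to 600) silently invalidates both dependent timeouts at their defaults of 300, which is the case the validator is meant to catch.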

Policy update interval

How frequently policies are pushed to endpoints.

When this value is set to Daily, specify the following values:

  • Policy update time

  • Maximum random delay

Valid values: Immediately, Daily

Default value: Immediately

Supported platform: Windows

Previous parameter name: Policy Update Rate

Refresh Windows desktop after policy update

Refreshes the endpoint desktop if changes in the settings or policies affect the desktop appearance.

Valid values: On, off

Default value: On

Supported platform: Windows

Previous parameter name: Refresh Windows Desktop on Policy Update

Trace policy usage on agents

Create a list of each policy that is applied to every launched process in trace files.

Valid values: Trace all, Trace no Policy Usage, Trace elevated/blocked processes

Default value: Trace all

Supported platform: Windows

Previous parameter name: Policy Usage in Agent Trace

Well known publishers

A list of well-known publishers that generate a High digital signature reputation, matched as Prefix. Specify the exact publisher's name.

Valid values: Valid publishers

Default value: A list of publishers

Supported platforms: Windows, macOS

Previous parameter name: This parameter name was not changed.

Exclude service accounts from access restrictions

Access restrictions rules are not applied to processes run by built-in service accounts, such as system, local service, network service.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: Policy Usage in Agent Trace

Elevate SCCM "for user" installations

Elevate SCCM software distribution package installations that are configured to run as user. Select install for user for installation behavior.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Restrict CMD special characters

Restrict special characters in BAT/CMD script paths and command lines to prevent elevation of multiple scripts in a single command line.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: This parameter name was not changed.
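To illustrate the condition this setting guards against, here is a small analyzer, added as an example and not EPM's own code, that reports whether a cmd.exe command line joins more than one BAT/CMD script through a command separator. Treating `&`, `&&`, `|` and `||` as the separators is an assumption of this example; the page does not list which characters EPM restricts.

```python
# Added example: flag a cmd.exe command line that chains more than one BAT/CMD script.
# The separators treated as chaining operators (&, &&, |, ||) are an assumption of this
# example; this page does not list the characters EPM restricts.
import re

SCRIPT_EXTENSIONS = (".bat", ".cmd")


def split_unquoted(cmdline):
    """Split a command line at chaining operators that sit outside double quotes.

    '&&' and '||' are consumed as one operator; a quoted '&' (for example inside a
    folder name) does not split the command.
    """
    segments, buf, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch in "&|" and not in_quotes:
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1  # skip the second character of && or ||
            segments.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    segments.append("".join(buf).strip())
    return [s for s in segments if s]


def scripts_in(segment):
    """Return the BAT/CMD paths referenced in one command segment, quotes stripped."""
    tokens = re.findall(r'"[^"]*"|\S+', segment)
    return [t.strip('"') for t in tokens if t.strip('"').lower().endswith(SCRIPT_EXTENSIONS)]


def analyze_command_line(cmdline):
    """Summarize a command line; 'chained' is True when separators join several scripts."""
    segments = split_unquoted(cmdline)
    scripts = [path for seg in segments for path in scripts_in(seg)]
    return {
        "segments": segments,
        "scripts": scripts,
        "chained": len(segments) > 1 and len(scripts) > 1,
    }
```

A single script piped to another program is not chained under this definition; only a second BAT/CMD file behind a separator is.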

Allowed interpreters

A list of approved interpreters for script execution. A sudo command that runs a script whose interpreter is not in this list fails; the interpreter is the one defined in the script's shebang line.

Valid values: Interpreters defined in this parameter

Default values:

/usr/bin/bash

/bin/bash

/usr/bin/sh

/bin/sh

/usr/libexec/platform-python

/usr/bin/python

/usr/bin/python3

/usr/bin/perl

/usr/bin/ruby

Supported platform: Linux

Previous parameter name: This parameter is new.
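Because the match is made on the interpreter named in the shebang line, a script that starts with `#!/usr/bin/env python3` names `/usr/bin/env`, which is not in the default list. The following checker, added as an example and not EPM's own code, applies the rule as this page states it against the documented default list; how the agent itself handles the `env` case is not stated on the page and is flagged here as an inference.

```python
# Added example: check a script's shebang interpreter against the documented default
# Allowed interpreters list. This applies the rule as the page states it (the
# interpreter is the path in the shebang line); it is not EPM's own code.

DEFAULT_ALLOWED_INTERPRETERS = frozenset({
    "/usr/bin/bash", "/bin/bash", "/usr/bin/sh", "/bin/sh",
    "/usr/libexec/platform-python", "/usr/bin/python", "/usr/bin/python3",
    "/usr/bin/perl", "/usr/bin/ruby",
})


def shebang_interpreter(script_bytes):
    """Return the interpreter path from the script's first line, or None if absent.

    The kernel only honours '#!' in the first two bytes, so no BOM or leading
    whitespace is tolerated. Only the first word after '#!' is the interpreter;
    '#!/usr/bin/env python3' therefore yields '/usr/bin/env'.
    """
    first_line = script_bytes.split(b"\n", 1)[0].rstrip(b"\r")
    if not first_line.startswith(b"#!"):
        return None
    words = first_line[2:].strip().split()
    return words[0].decode("utf-8", "replace") if words else None


def check_script(script_bytes, allowed=DEFAULT_ALLOWED_INTERPRETERS):
    """Return (allowed, interpreter, reason) for a script that sudo would run."""
    interp = shebang_interpreter(script_bytes)
    if interp is None:
        return (False, None, "no shebang line, so there is no interpreter to match")
    if interp in allowed:
        return (True, interp, "interpreter is in the allowed list")
    if interp.endswith("/env"):
        # Inference of this example: the list is matched against the shebang path
        # itself, so env indirection is judged on env, not on the program it resolves.
        return (False, interp, "env indirection: the shebang path is not in the allowed list")
    return (False, interp, "interpreter is not in the allowed list")
```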

Environment variables

Default lists of environment variables that are either preserved (keep list) in sudo command processes or removed (delete list) from them.

Valid values: Valid environment variables

Default value: A predefined keep list and a predefined delete list

Supported platform: Linux

Previous parameter name: This parameter is new.

Agent behavior

These parameters determine EPM agent behavior.

Parameter

Description

Exclude files from policies (Windows)

Files that CyberArk EPM policies will never manage. Use this for programs that protect themselves, such as anti-virus software.

This does not include the applications listed in the Threat protection: Excluded applications parameter under Policies.

Specify the following values:

  • Filename

  • Location

  • User or group

  • Description of each file

See Install EPM agents on endpoint machines for details about avoiding conflicts with third-party security programs.

Valid values: Filenames

Default value: A list of files

Supported platform: Windows

Previous parameter name: Files To Be Ignored Always (Windows)

Exclude files from policies (macOS)

Files that CyberArk EPM policies will never manage. Use this for programs that protect themselves, such as anti-virus software.

Specify the following values:

  • Filename

  • Location

  • Publisher's signature

  • Description of each file

  • Whether to monitor offspring process launches

  • Whether to monitor file operations

See Install EPM agents on endpoint machines for details about avoiding conflicts with third-party security programs.

Valid values: Filenames

Default value: A list of files

Supported platform: macOS

Previous parameter name: Files To Be Ignored Always (macOS)

Monitor system processes

Monitor new application files that are created by system (NT Kernel & System) processes, such as remote CIFS clients. When this feature is activated, application events can be triggered.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Store file info in extended attributes

Use extended attributes to securely store information about application files.

This option must be turned on for trusted updater policies and to view application sources.

Valid values: On, Off

Default value: On

Supported platforms: Windows, macOS

Previous parameter name: This parameter name was not changed.

Enable DLL support

Monitor and apply policies to dynamic link libraries (DLLs).

When this parameter is set to On, performance may be impacted.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Verify digital signature on scripts

Verify digital signature on scripts.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Discover source URL

Discover the source URL for application files downloaded from the internet. When this parameter is set to Off, the Trusted URL feature will no longer apply to new downloaded applications.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Discover source email

Discover the sender's address for the application file saved from an email attachment.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Support network shares

Set this mode to Limited only when Full (default) mode results in issues on certain network file systems, such as delays or disconnections.

When this mode is set to Limited, some file operations on network shares are ignored, and blocking scripts on network shares is disabled.

Valid values: Full, Limited

Default value: Full

Supported platform: Windows

Previous parameter name: Network Shares Support

Boot-start driver

The CyberArk EPM kernel mode component is always loaded in Safe Mode (not including self-defense).

This setting is effective from the next restart of the endpoint computer.

Valid values: Yes, No

Default value: No

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Monitor SIP files

Monitor macOS files protected by SIP (System Integrity Protection).

The system always monitors applications under /system/applications/*.

Valid values: Yes, No

Default value: No

Supported platform: macOS

Previous parameter name: This parameter name was not changed.

Allow root permission for root programs

Automatically grant rights for the processes run by the root user. This is used by programs that request to run a tool as root, such as some installers.

Valid values: Yes, No

Default value: Yes

Supported platform: macOS

Previous parameter name: Allow root delegation for root programs

Sudo grace validation period

Number of seconds the verdict on a sudo-launched process is valid for policies configured with dialogs.

Valid values: Number of seconds between 0 - 300 (0 - 5 minutes)

Default value: 30

Supported platform: macOS

Previous parameter name: Sudo grace validation period (seconds)

Prevent sudoers file modification

Determines whether the EPM agent will prevent the modification of the sudoers file, to protect the sudo configuration.

On Linux endpoints, this protection can only be applied when agent self-defense is on.

Valid values: Yes, No

Default value: Yes

Supported platforms: macOS, Linux

Previous parameter name: Prohibit sudoers file modification

Trace new files

Log trace information when new files are created in the system.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: New files in agent trace

Sudo no password

Whether a password is required to run a sudo command.

For details about configuring policies that run sudo commands without a password, see Linux policies.

Valid values: On, Off

Default value: Off

Supported platform: Linux

Previous parameter name: This parameter is new.

Sudo secure path

On macOS, this parameter defines the secure path property in the sudoers file.

On Linux, this parameter defines the PATH environment variable for sudo commands.

Valid values: Secure paths

Default value: A list of 5 predefined secure paths

Supported platforms: macOS, Linux

Previous parameter name: This parameter is new.

Allowed preloader

Allow sudo commands to be executed when another tool that uses a preloader is installed.

To configure the preloader of the tool to allow, change this setting to On and set the full path and, optionally, the checksum of the preloader.

Although the checksum is optional, CyberArk recommends that you use it for security reasons.

Valid values: On, Off

Default value: Off

Supported platform: Linux

Previous parameter name: This parameter is new.
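The recommendation to set the checksum matters because a path alone pins only a location, not the library's contents. The check below, added as an example and not EPM's own code, verifies a configured preloader by full path and, when configured, by checksum; SHA-256 is an assumption of the example, since the page does not name the algorithm EPM uses. The stub file it hashes is constructed in a temporary directory and is not a real preloader.

```python
# Added example: verify a configured preloader by path AND checksum, as the page
# recommends. SHA-256 is an assumption of this example; the page does not name the
# checksum algorithm EPM uses.
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large libraries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_preloader(configured_path, expected_sha256=None):
    """Return (ok, reason).

    The configured path must be a full path that resolves to a regular file. When a
    checksum is configured it must match, compared in constant time. Without one,
    only the path is pinned, so a replaced file at the same path still passes.
    """
    if not os.path.isabs(configured_path):
        return (False, "preloader path must be a full path")
    real = os.path.realpath(configured_path)  # follow symlinks before hashing
    if not os.path.isfile(real):
        return (False, f"{configured_path} does not resolve to a regular file")
    if expected_sha256 is None:
        return (True, "path check only: no checksum configured (not recommended)")
    actual = sha256_of_file(real)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return (False, "checksum mismatch: the file at the configured path has changed")
    return (True, "path and checksum verified")


def demo():
    """Constructed scenario: pin a stub file, replace its contents, re-verify both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "preload_stub.so")  # constructed stub, not a real library
        with open(lib, "wb") as handle:
            handle.write(b"original preloader bytes")
        pinned = sha256_of_file(lib)
        before = verify_preloader(lib, pinned)
        with open(lib, "wb") as handle:
            handle.write(b"replaced preloader bytes")
        after_path_only = verify_preloader(lib)
        after_with_checksum = verify_preloader(lib, pinned)
    return (before[0], after_path_only[0], after_with_checksum[0])
```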

Endpoint UI

These parameters determine how the EPM endpoint interface is displayed.

Parameter

Description

Show icon in task/menu bar

Customize the EPM menu on the endpoint computer.

You can enable the following values:

  • EPM Icon

  • Hide Get Support Info option

  • Show notification balloons

  • Show balloon on policy update

Valid values: On, Off

Default value: On

Supported platforms: Windows, macOS

Previous parameter name: Show notification area icon

Show CyberArk EPM tab in File Properties

Show CyberArk EPM information that is relevant to a file in a custom tab of the File Properties window.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Show CyberArk EPM Control Panel on desktop

Define the CyberArk EPM Control Panel on endpoint computer desktops. End users can remove this icon.

Specify the following values:

  • EPM icon that appears on the desktop

  • Name of the control panel

Valid values: Icon and name of control panel

Default value: CyberArk icon and 'CyberArk EPM Control Panel'

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Hide Windows "Run As..." menu items

Hide standard Run As and Run as Administrator items from the Windows Explorer context menu.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Hide CyberArk EPM agent from installed programs

Whether to display the EPM agent in lists of installed Windows programs, for example Uninstall or Change Programs and Add or Remove Programs.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Shell elevate menu text

The text of the menu item in the Windows Explorer context menu that enables users to launch an application with elevated privileges.

To add this option to the Windows Explorer context menu, in Elevate if necessary policies, under End User UI set the relevant option to On.

Valid values: Up to 256 characters

Default value: Run with Elevated Privileges

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Enable tabbed browsing

Enables/disables tabs in the EPM web browser, which is displayed when running elevated web applications.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Step-up authentication

These parameters determine the information that is displayed in the step-up authentication dialogs.

Parameter

Description

CyberArk Identity

Set the configuration for CyberArk Identity.

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Custom identity provider

Set the configuration for the identity provider that supports the OpenID Connect protocol.

Specify the following values:

  • Name and clientID of the identity provider.

  • User domain for the identity provider connection.

  • URL that returns the OpenID Connect configuration values. Use the following format: https://${domain}/.well-known/openid-configuration.

  • Redirect URI for the Identity Provider.

Valid values: On, Off

Default value: Off

Supported platforms: Windows, macOS

Previous parameter name: Identity Provider

Cloud environments

These parameters determine how EPM connects agents to cloud environments.

Parameter

Description

Enable Azure Active Directory

Support for Microsoft Azure Active Directory.

Specify the following values:

  • Azure type

  • Tenant ID

  • Client ID

  • Client Secret

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Offline policy authorization generator

These parameters determine how the Offline policy authorization generator works.

Parameter

Description

Enable Offline Policy Authorization Generator

Enable the Offline Policy Authorization Generator (OPAG) to manage the privileges of endpoint users who do not have access to the CyberArk EPM service.

Specify the following values:

  • Public certificate (only on Windows)

  • Encryption phrase

  • Number of attempts

  • Shell run authorization menu text (only on Windows)

Valid values: On, Off

Default value: Off

Supported platforms: Windows, macOS

Previous parameter name: This parameter name was not changed.

Enable 'Run with Authorization token'

Enable users to request temporary access to applications that are currently unavailable to them.

Specify the following values:

  • Public certificate

  • Shell run authorization menu text

Valid values: On, Off

Default value: Off

Supported platform: Windows

Previous parameter name: This parameter name was not changed.

Audit video configuration

The Video Recording Configuration section has been removed from the Advanced configuration page. We have moved some of the parameters to the Agent Configuration page and some to the Server Configuration page. The following table lists the parameters that determine how audit videos are managed and saved on the endpoint computer.

For details about the parameters that were moved to the Server Configuration page, see Configure EPM service settings.

Parameter

Description

Allow application to run if recording is unavailable

Allow applications to run if the recording functionality is unavailable.

Valid values: On, Off

Default value: On

Supported platform: Windows

Previous parameter name: Allow Program Run if Recording Unavailable

Maximum movie length

The maximum length of recorded movies in minutes.

Valid values: 1 - 1440

Default value: 10

Supported platform: Windows

Previous parameter name: Max Movie Length (Minutes)

Video file retention period

The number of days for which video files are saved.

Valid values: 1 - 365

Default value: 14

Supported platform: Windows

Previous parameter name: Video Audit Retention (Days)

Video file destination

The folder where video audit movies are stored.

Specify the following values:

  • Minimum free disk space

  • Maximum used disk space

Valid values: End user computer

Default value: End user computer

Supported platform: Windows

Previous parameter name: Movie Location