Configure endpoint user notifications

This topic describes how to customize users' experience when EPM is deployed on their endpoints.

Overview

You can customize the endpoint user's experience with EPM by determining how they are notified about policies that apply to applications. Customization options include the possibility to replace the native Windows User Account Control (UAC) dialog box with customizable EPM dialog boxes.

You can manage notifications according to your End-User UI role permissions. These permissions are relevant for both balloons and dialogs.

View existing notifications

The End-user UI page displays a list of the notifications that are available to your EPM deployment. EPM creates predefined notifications during installation, and you can add and customize more notifications as you need.

You can filter the displayed notifications to view a list of just balloons (Windows only) or dialogs.

  1. In the EPM management console, go to Policies > End-user UI.

  2. In the main page filter, select the type of notifications to view. This displays a list of all the default and customized balloon or dialog notifications.

EPM provides several types of predefined notifications that can be used as templates.

| Dialog category | Description |
| --- | --- |
| Informative | An informative message. No action is required. |
| Success | Permissions were granted successfully. |
| Restrict | The application that the user tried to access is blocked. |
| Working form | A request initiated by the endpoint user which they need to fill in. |

Create new notifications

The EPM management console enables you to configure application policies to display notifications to endpoint users. You can customize the graphics and text in these notifications to reflect your specific enterprise needs, and you can also add controls and support.

  • Threat Protection policies can only use balloons to display notifications to end users, not dialogs.

Best Practice: Before you start creating custom notifications, establish a naming convention for the display name so that custom notifications do not become confused with predefined notifications.

Create dialogs

  1. In the EPM management console, expand Policies and select End-user UI.

  2. From the End-user UI dropdown filter list, select Dialogs and then click Create dialog to open the Create application dialog window.

  3. Specify the name of the dialog and the platform on which it will be used, then select the trigger type that will display the dialog.

  4. Click Continue to display the Dialog form.

  5. In the Dialog sections, expand each section and specify the content that will appear in the dialog, using either plain text or variables. For details, see End user interface variables.

    EPM supports icons in PNG and ICO format only.

  6. Each time you make changes, the preview automatically updates after 5 seconds.

    To see the change immediately, click Refresh.

  7. When you have finished customizing the dialog sections, click Create to create the dialog.

  8. If the dialog will be triggered by a policy, configure the policy to display the dialog, as described in Configure policies to display notifications.

Create balloons

EPM includes a small number of predefined balloon notifications, which are enabled by default. You can disable them in the Endpoint UI section of the agent configuration. For details, refer to Customize interface settings.

Balloons can only be displayed by Windows policies.

  1. In the EPM management console, expand Policies and select End-user UI.

  2. From the End-user UI dropdown filter list, select Balloons and then click Create balloon to open the Create application balloon window.

  3. In the Name field, specify the name of the balloon.

  4. In the Balloon sections, specify the Headline and the Main message to display. Use either plain text or variables. For details, see End user interface variables.

  5. Each time you make changes, the preview automatically updates after 5 seconds.

    To see the change immediately, click Refresh.

  6. When you have finished customizing the balloon sections, click Create to create the balloon.

  7. If the balloon will be triggered by a policy, configure the policy to display the balloon, as described in Configure policies to display notifications.

Edit existing notifications

You can edit notifications to display specific content or graphics to end users.

  • We recommend that you do not directly edit predefined notifications. Instead, duplicate the one you want to copy and rename it, then edit the new notification.

  1. In the line of any notification, click the More actions (...) button, and select Edit.

  2. Update the name of the notification, if necessary.

  3. Edit the notification sections. To edit variables, see End user interface variables.

  4. Click Save.

  5. If the notification will be triggered by a policy, configure the policy, as described in Configure policies to display notifications.

If you edited a predefined notification and want to revert to the default values, click the More actions (...) button, and select Reset to default.

Configure policies to display notifications

When you create policies, you can determine whether or not to display a notification, and select which one.

In the Policy form, under End user UI, select the notification type and the name of the notification to display.

Manage notifications

You can manage any of the notifications in the list with the available options.

In the line of the notification to manage, click the More actions (...) button and select the relevant option, as described in the following table.

| Option | Allows you to ... |
| --- | --- |
| Preview | Display a preview of the notification. |
| Edit | Display the notification details and edit existing settings. |
| Duplicate and edit | Copy the notification and edit its settings. |
| Delete | Delete the selected notification. This is only available in custom notifications. |
| Reset to default | Reset the default notification values in a predefined notification that was customized. |
| Export | Export the selected notification to an external file. |

Manage notification languages

The EPM service comes with multi-language support for the dialog and balloon endpoint user UI messages. Once messages have been created for other languages, the EPM agent detects the endpoint OS language settings and displays the message in the language that matches the endpoint environment.

For example, if messages have been created in English, French, and Spanish with the default language set to English:

  • Endpoint users who use a computer with a Spanish OS will see messages in Spanish.

  • Endpoint users who use a computer with a Dutch OS will see messages in English.

If the default language is changed to Spanish, endpoint users who have a Dutch OS will see messages in Spanish.

You can translate notifications into languages that have been defined at set level. We recommend that you duplicate notifications and then translate them, instead of translating the default notifications.

  1. In the EPM management console, expand Policies and select End-user UI.

  2. Click the More actions (...) button next to the Create dialog/balloon button, and select Manage languages.

  3. In the Manage languages window, you can see the fallback (default) language, which is the default language used in dialogs and balloons on the endpoint computer, depending on user locale and available languages. This is automatically set to English, and you can change this to any other language that you have added.

  4. In Available languages, click Add language, and select the language to add.

  5. Click Done.

  6. When you create or edit a notification, click Edit dialog languages > Add language and select the language to display for this notification, then click Done.

  7. From the Displayed language dropdown, select the language for this notification.

  8. In the notification form, expand each section and specify the content that will appear in the dialog, using either plain text or variables. For details, see End user interface variables.

Import notifications

You can import notifications using either an epmp file or a vfp file.

Import balloon notifications

  1. In the End-User UI page, select the Balloons (Windows only) filter.

  2. Click the More actions (...) button next to the Create balloon button, and select Import balloons.

    To import balloons that use the previous format, select Import balloons - old End User UI format.

  3. In the Import window, click Browse... and select the notifications file, then click OK.

EPM imports the notifications, and displays them in the list of balloons.

Import dialog notifications

  1. In the End-User UI page, select the Dialogs filter.

  2. Click the More actions (...) button next to the Create dialog button, and select Import dialogs.

    To import dialogs that use the previous format, select Import dialogs - old End User UI format.

  3. In the Import window, click Browse... and select the notifications epmp file, then click OK.

EPM imports the notifications, and displays them in the list of dialogs.

Export notifications

You can export notifications to an external file, either individually or all together. When EPM exports notification files, it saves them in an epmp file.

Export a single notification

In the notifications list, in the row of the notification to export, click the More actions (...) button and then select Export.

Export all balloons

In the list of balloon notifications, click the drop-down arrow next to the Create balloon button, and select Export all balloons.

Export all dialogs

In the list of dialog notifications, click the drop-down arrow next to the Create dialog button, and select Export all dialogs.

EPM exports the notifications, and saves them in an epmp file in your downloads folder. This file uses the following naming convention: End User UIs-<timestamp>.epmp.

Reset invalid values

EPM cannot export notifications which use values that are no longer supported. When EPM identifies these notifications, it displays a list of the balloons and dialogs to update. After you have specified valid values in the relevant notifications, export them again.

Valid HTML tags

EPM validates the following elements in valid HTML tags:

| HTML element | Values |
| --- | --- |
| Tag | ul, div, strong, a, li, p, em, ol, u, br, img, b |
| Attribute | class="ql-align-right", class="ql-align-center", class="ql-align-justify", href, rel="noopener noreferrer", target="_blank", class="ql-indent-[NUMERIC]", style="regex(^([a-z]+:+[a-z]+;*)+$)" |
| More values for href | mailto, cc, bcc, subject, body |
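
The allowlist above can be checked against notification markup before it is imported or exported. The following linter is an added example, not CyberArk code: `lint`, `attr_ok` and `NotificationLinter` are hypothetical names, and two readings of the table are assumptions (a `class` or `style` value must match as a whole, and `href` is only restricted when it is a `mailto:` link, whose query fields must be cc, bcc, subject or body).

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Allowlist transcribed from the "Valid HTML tags" table on this page.
ALLOWED_TAGS = {"ul", "div", "strong", "a", "li", "p", "em", "ol", "u", "br", "img", "b"}
ATTR_PATTERNS = {
    "class": re.compile(r"ql-align-(right|center|justify)|ql-indent-[0-9]+"),
    "style": re.compile(r"^([a-z]+:+[a-z]+;*)+$"),  # pattern exactly as documented
    "rel": re.compile(r"noopener noreferrer"),
    "target": re.compile(r"_blank"),
}
MAILTO_FIELDS = {"cc", "bcc", "subject", "body"}

# Constructed sample body, not taken from a real EPM export.
SAMPLE = '<p class="ql-align-center"><strong>Blocked:</strong> $VF_FILE_NAME</p>'


def attr_ok(name, value):
    """Return True if one attribute matches the documented allowlist."""
    if name in ATTR_PATTERNS:  # assumption: the whole value must match
        return ATTR_PATTERNS[name].fullmatch(value or "") is not None
    if name != "href":
        return False
    scheme, _, rest = (value or "").partition(":")
    if scheme.lower() != "mailto":
        return True  # assumption: the page states no limit on other href values
    fields = parse_qsl(rest.partition("?")[2], keep_blank_values=True)
    return all(key.lower() in MAILTO_FIELDS for key, _ in fields)


class NotificationLinter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"<{tag}>: tag not in allowlist")
            return
        self.findings += [f'<{tag}>: attribute {name}="{value}" not in allowlist'
                          for name, value in attrs if not attr_ok(name, value)]


def lint(html):  # returns findings; an empty list means the markup passes
    linter = NotificationLinter()
    linter.feed(html)
    linter.close()
    return linter.findings
```

Because the documented `style` pattern admits only lowercase letters, colons and semicolons, a declaration such as `font-size:12px` is reported as a finding.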

End user interface variables

Variables can be used in dialogs and balloon messages. Some variables may be unavailable depending on the scenario and target type.

Threat Protection policies only use the following variables:

  • $VF_FILE_PATH

  • $VF_FILE_NAME

  • $VF_COMMAND_LINE

  • $VF_USER (includes user and domain)

Dialog variables

The table below specifies the available variables in end user dialogs.

| Dialog Type | Available Variables |
| --- | --- |
| Restart computer; Policy update; Kill blocked application | EPM agent only. No target variables are available. |
| Audit video; Audit video initialization; Audit video error | All target variables are available, except $VF_ERROR_TEXT, which is only available for Audit video error. |
| Request for authorization; Request administrative privileges | EPM agent only. No target variables are available, except $VF_ERROR_TEXT, which is available for Request for authorization. |
| Application block notification; Application launch alert; Elevate, Elevate trusted; Privilege Management Inbox (UAC); Privilege Management Inbox (non-UAC); Privilege Management Inbox for admins; Restricted access | All EPM agent and target variables are available. |
| Run using authorization code | All target variables are available, including $VF_ERROR_TEXT. |

Agent variables

All EPM agent-specific variables are available for all dialog types.

| Name | Description |
| --- | --- |
| $VF_COMPUTERNAME | NetBIOS name of the local computer. |
| $VF_USER | User name in down-level logon name format (domain\account). |
| $VF_USERNAME | User account name. Also known as the logon name. |
| $VF_USERDOMAIN | NetBIOS domain name. |
| $VF_USER_DISPLAYNAME | A "friendly" display name (for example, Jeff Smith). |
| $VF_AGENT_VERSION | EPM Agent product version (for example, 23.8.0.1). |
| $VF_AGENT_PRODUCTNAME | EPM product string. |
| $VF_AGENT_LAST_POLICY_UPDATE | Last policy update time in DD-MMM-YYYY HH:MM format. |
| $VF_AGENT_COMPANYNAME | CyberArk Software Ltd. |
| $VF_AGENT_COPYRIGHT | Copyright © 1999-20XX CyberArk Software Ltd. All Rights Reserved. |

Target variables

Application target-specific variables are available based on the rules specified below.

| Name | Description |
| --- | --- |
| $VF_TARGET_DISPLAY_NAME | A "friendly" target description. Depends on target type. Can be File Description property, ActiveX display name, etc. |
| $VF_ACCESS_TYPE | Type of specific accessed resource: Internet, Intranet, Local Path, Registry, Network Share, Process memory. |
| $VF_ACCESS_TARGET | Name of specific accessed resource. For example: for Internet or Intranet, the specific URL or IP of the site; for Registry, the specific registry key. |
| $VF_FILE_PATH | File path. Valid if target is a file. |
| $VF_FILE_NAME | File name. Valid if target is a file. |
| $VF_FILE_DESCRIPTION | File Description property from version info. Valid if target is a file. |
| $VF_VERSION | File Version property from version/MSI info. Valid if target is a file. |
| $VF_PRODUCT_VERSION | Product Version property from version/MSI info. Valid if target is a file. |
| $VF_PRODUCT_NAME | Product Name property from version/MSI info. Valid if target is a file. |
| $VF_COMPANYNAME_NAME | Company Name property from version/MSI info. Valid if target is a file. |
| $VF_LEGAL_COPYRIGHT | Legal copyright property from version info. Valid if target is a file. |
| $VF_PUBLISHER | Publisher name from Digital Signature. Valid for digitally signed files. |
| $VF_COMMAND_LINE | Command line. Valid if target is process. |
| $VF_CLSID | CLSID property. Valid for ActiveX installations. |
| $VF_CODE_URL | CodeURL property. Valid for ActiveX installations. |
| $VF_MIME_TYPE | MIME Type property. Valid for ActiveX installations. |
| $VF_IMAGE_NAME | ActiveX installation image (usually CAB file) name without path. |
| $VF_BUNDLE_ID | Identifies the application to the system. Valid for macOS applications. |
| $VF_BUNDLE_NAME | Name of the application. Valid for macOS applications. |
| $VF_BUNDLE_PATH | Bundle path of the application. Valid for macOS applications. |
| $VF_BUNDLE_VERSION | The build version number of the bundle. Valid for macOS applications. |