Install EPM agents on endpoint machines

This topic gives a high level description of how Set administrators install agents on endpoint machines.

Overview

You can install EPM agents in any of the following ways:

  • Manual (Platform: Windows, macOS): Installs the EPM agent with an interactive wizard.
  • Manual with immediate enforcement (Platform: Windows): Installs the EPM agent with an interactive wizard, and enforces policies immediately after installation.
  • Software distribution system (Platform: Windows): Installs the EPM agent with a third-party software distribution system.
  • CLI with a configuration file (Platform: Windows, macOS, Linux): Installs the EPM agent with a CLI command, using the configuration file you downloaded.
  • CLI with configuration details (Platform: Windows, macOS): Installs the EPM agent with a CLI command that includes configuration details.

For details, see the relevant installation topic for the platform.

EPM agents use approximately 100 MB of disk space, and between 20 and 50 MB of RAM, depending on the number of policies that are implemented. The agents run at both the kernel and user levels of the OS and use less than 1% of CPU on average. Installation and upgrades of EPM agents do not require a reboot. Agent deployment can be transparent to endpoint users: no icon appears in the system tray, and the product does not appear in Add/Remove Programs.

The agent sends a one-byte heartbeat to the EPM server every 30 seconds. The average size of a new policy file update is 1 KB per policy. The average total size of a policy file is between 0.5 and 1.5 MB.

Types of agents

EPM offers the following types of agents.

Windows regular agents

Windows regular agents are connected to the EPM service.

For details, see Install/upgrade EPM agents on Windows.

Windows immediate enforcement agents

On Windows machines, you can install immediate enforcement agents on endpoint computers that are not connected to the EPM service; the policies included in the installation are enforced on that machine immediately.

These agents can also be installed on endpoint computers that are connected to the EPM service, so that the policies included in the installation are enforced immediately. This differs from regular agents, which do not begin enforcing policies until they first connect to the EPM service and begin receiving policies, which can take a few minutes. For connected endpoints, you must install the immediate enforcement agents with a Set ID and Dispatcher URL, so that the agents can connect to the EPM service and become regular agents.

The agent installation kit for immediate enforcement agents contains the Set's policies. Store this installation in a secure place to prevent tampering.

  • To install immediate enforcement agents on Windows endpoints, the Enable downloading Immediate Enforcement Agent parameter must be set to On.
  • We recommend creating a dedicated Set for immediate enforcement agent policies.
  • The following functionality is not available for immediate enforcement agents:
    • Agent self-defense
    • Threat protection
    • Local admin credentials rotation on the endpoint

For details, see Install/upgrade EPM agents on Windows.

macOS agents

EPM macOS agent installation creates a new CyberArk EPM.app on endpoint computers, which includes all the files that are required to run and maintain the EPM agent.

The EPM agent application is called CyberArk EPM, and you can start it in the same way as you start any other application.

For details, see Install/upgrade EPM agents on macOS.

Linux agents

EPM Linux agent installation creates a new CyberArk EPM.app on Linux endpoint devices, which includes all the files that are required to run and maintain the EPM agent.

The EPM agent application is called CyberArk EPM, and you can start it in the same way as you start any other application.

For details, see Install/upgrade EPM agents on Linux endpoints.

Install agents in an enterprise environment

CyberArk recommends the following procedure for installing agents in an enterprise environment:

  1. Deploy a pilot group of 25 to 50 agents.

  2. Collect privilege management events.

  3. Establish Trusted Sources, such as SCCM, Updaters, Publishers, and Network shares.

  4. Create specific policies based on Active Directory security groups.

  5. Remove Local Admin rights, using EPM's “Remove local administrators” policy.

  6. Create new policies as needed until the environment is stable.

  7. Install more agents on endpoint computers.

As you add more endpoints, the process becomes faster because the trusted sources and policies are already configured and tuned.

Third-party security programs

Agents can conflict with third-party security programs, such as antivirus programs, installed on endpoint computers.

Windows machines

To avoid such conflicts on Windows machines, exclude the EPM agent binary files (.exe, .dll and .sys files) from the checks performed by the third-party security programs.

The agent files for Windows are in the following location:

  • %ProgramFiles%\CyberArk\Endpoint Privilege Manager\Agent\ directory and its sub-directories.

The drivers for Windows are in the following location:

  • %SystemRoot%\System32\drivers directory, where the drivers are placed during installation.

The EPM agent drivers are:

  • vfdrv.sys

  • vfnet.sys

  • vfpd.sys

  • CybKernelTracker.sys
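As an added example (not CyberArk's code), the following PowerShell applies the Windows exclusions listed above to Microsoft Defender Antivirus, assuming Defender is the security program on the endpoint; other products have their own exclusion settings.

```powershell
# Added example: exclude the EPM agent directory and drivers from Microsoft Defender
# Antivirus scanning. Assumes Defender is the security product on this endpoint;
# that assumption, not the product choice, comes from this example.
# Run from an elevated PowerShell session.

$agentDir  = Join-Path $env:ProgramFiles 'CyberArk\Endpoint Privilege Manager\Agent'
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$drivers   = 'vfdrv.sys', 'vfnet.sys', 'vfpd.sys', 'CybKernelTracker.sys'

function Get-EpmExclusionPaths {
    # A folder exclusion covers the Agent directory and all of its sub-directories.
    # The drivers are excluded one by one so the rest of System32\drivers stays scanned.
    $paths = @($agentDir)
    foreach ($name in $drivers) { $paths += (Join-Path $driverDir $name) }
    return $paths
}

function Add-EpmDefenderExclusions {
    # Add-MpPreference -ExclusionPath accepts a string array of files and folders.
    Add-MpPreference -ExclusionPath (Get-EpmExclusionPaths)
}

function Get-MissingEpmDefenderExclusions {
    # Returns the EPM paths that Defender's configuration still does not list,
    # so the result of the change can be verified rather than assumed.
    $configured = @((Get-MpPreference).ExclusionPath)
    Get-EpmExclusionPaths | Where-Object { $configured -notcontains $_ }
}

Add-EpmDefenderExclusions
$missing = @(Get-MissingEpmDefenderExclusions)
if ($missing.Count -eq 0) {
    Write-Output 'All EPM agent paths are excluded from Defender scanning.'
} else {
    Write-Warning ('Still not excluded: ' + ($missing -join '; '))
}
```

The driver files exist only after the agent is installed, so the path exclusions can be configured beforehand and verified once installation completes.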

macOS machines

To avoid such conflicts on macOS machines, exclude the EPM agent files from the checks performed by the third-party security programs. The EPM agent files are in the following locations:

  • /Applications/CyberArk EPM.app

  • /Library/Application Support/CyberArk

  • /Library/Keychains/CyberArkEPM.keychain

  • /Library/SystemExtensions/*/com.cyberark.CyberArkEPMEndpointSecurityExtension.systemextension

  • /Library/LaunchDaemons/com.cyberark.CyberArkEPMWebServiceSession.plist

  • /Library/LaunchAgents/com.cyberark.CyberArkEPMUIAgent.plist

  • /Library/LaunchAgents/com.cyberark.CyberArkEPM.plist

  • /Library/LaunchDaemons/com.cyberark.CyberArkEPMPrivilegedHelper.plist

  • /Library/PrivilegedHelperTools/com.cyberark.CyberArkEPMPrivilegedHelper

The endpoint computer requires a reboot after the new exclusions have been configured for third-party security programs.

Exclude third-party security programs from EPM checks

CyberArk recommends excluding third-party security programs from the checks performed by the EPM agents.

  1. In the EPM management console, go to Advanced > Agent Configuration.

  2. In the General configuration line, click the More actions (...) button, and select Edit parameters. You can now see a full list of the agent configuration settings and their values, the platforms where they can be applied, and whether or not the current values have been customized.

  3. Under Agent behavior, in the line of either Exclude files from policies (Windows) or Exclude files from policies (macOS), click the More actions (...) button, and select Edit.

  4. Click Add definition and then specify the file and its location, and, optionally, the user or group of the processes to exclude.

    In the File field, you can use wildcards. For example, *.dll excludes all .dll files in the defined location while other file types there are still monitored. Regular expressions cannot be used to exclude files.

    By default, the list of paths in the Exclude files from policies parameters includes the paths of several popular third-party anti-virus programs. It is important to remove from this list any paths that do not exist on your endpoints, so that malware and intruders cannot take advantage of the unused exclusions.

  5. Add definitions for all relevant third-party security programs, then click Done and save the changes to the configuration.

An updated policy that contains the new exclusion rules is sent to endpoint computers according to the Policies > Policy update interval parameter.

For driver-level exclusions, you may be required to reboot the endpoint computer.
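Added here as an example (not part of the CyberArk documentation): a PowerShell check, run on an endpoint, that reports which Exclude files from policies (Windows) definitions match no file there, so that unused entries can be removed from the console as step 4 advises. The definition list is constructed for illustration and the vendor paths in it are hypothetical.

```powershell
# Added example: audit "Exclude files from policies (Windows)" definitions against
# an endpoint. A definition that matches nothing on the endpoint is an unused
# exclusion that should be removed from the console.
# The definitions below are constructed for illustration; the vendor paths are hypothetical.

$definitions = @(
    @{ Location = '%ProgramFiles%\Windows Defender';   File = '*.exe' },
    @{ Location = '%ProgramFiles%\ExampleAV\Scanner';  File = 'scan.exe' },
    @{ Location = '%ProgramData%\ExampleAV\Engine';    File = '*.dll' }
)

function Test-EpmExclusionDefinition {
    param([hashtable]$Definition)
    # Expand the %VAR% form used in the console paths, then match the File field
    # as a wildcard (* and ?), which is what the console accepts (no regular expressions).
    $location = [Environment]::ExpandEnvironmentVariables($Definition.Location)
    if (-not (Test-Path -LiteralPath $location -PathType Container)) { return $false }
    $found = @(Get-ChildItem -LiteralPath $location -Filter $Definition.File -File -ErrorAction SilentlyContinue)
    return ($found.Count -gt 0)
}

function Find-StaleEpmExclusions {
    param([array]$Definitions)
    # Returns the definitions that match no file on this endpoint.
    foreach ($def in $Definitions) {
        if (-not (Test-EpmExclusionDefinition -Definition $def)) { $def }
    }
}

$stale = @(Find-StaleEpmExclusions -Definitions $definitions)
if ($stale.Count -eq 0) {
    Write-Output 'Every exclusion definition matches at least one file on this endpoint.'
}
foreach ($def in $stale) {
    Write-Output ('Unused exclusion, remove from console: {0}\{1}' -f $def.Location, $def.File)
}
```

Because the exclusion list applies to every endpoint in the Set, run the check on a representative sample of machines and remove only the definitions that match nothing anywhere.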