Credentials Rotation

This topic describes how EPM manages credentials on endpoints that are not always accessible from the network.


CyberArk credentials policies manage an organization's credentials, changing them at regular intervals. However, it becomes difficult to enforce the credentials policy when endpoints are not always accessible from the network.

To mitigate this issue, the EPM agent manages these devices, integrating with PVWA when the device has access to PVWA, and changing the password as required, according to the PVWA policy. For details about how PVWA interacts with EPM, see Loosely Connected Devices.

The EPM agent for Linux only manages passwords, not SSH keys.

Create Credentials Rotation policies in EPM to designate these devices and determine how often the agent attempts to contact PVWA.

For details about managing, exporting, and importing existing policies, see Apply policies.



The following REST API calls must be accessible in the PVWA:

  • POST /PasswordVault/API/EPM/RetrieveEndpointPassword

  • POST /PasswordVault/API/EPM/NotifyEndpointPasswordChange

Create or customize a credentials rotation policy

You can create credentials rotation policies to manage endpoints that are not always accessible from the network.

  1. In the EPM management console, click Policies.

  2. From the Policies dropdown list, select Credentials rotation policies, and then click Create credentials rotation policy.

  3. Under Details, specify the name of the new policy and a description.

  4. Under Password Vault, define the PVWA integration:



    PVWA server

    The URL of the PVWA server. This URL determines the access mode, which depends on your organization's installation:

    • Privileged Access Management: The URL of the self-hosted PVWA. E.g.,

    • Privilege Cloud Shared Services - https://<subdomain>

    • Privilege Cloud Standard - https://<subdomain>

    The PVWA server must be accessible by the EPM agent and must be version 10.2 or higher.

    Connection retrial interval

    The minimum time between attempts by the agent to access the PVWA Server.

    Security key

    The security key used by the PVWA server to identify the agent attempting to connect. Click Generate to create a security key, or Paste to add an existing key that you copied from another policy.

    Click Copy to copy the key and save it in PVWA. The security key must be the same in EPM and PVWA, and you must copy any change to this key to the key stored in PVWA. For details, refer to Store the security key.

    Client certificate

    Another optional level of security between the PVWA server and the agent. Use the current EPM client certificate, or define a new certificate. If you use the client certificate, you must configure the same certificate in PVWA. For details, refer to Use a client certificate.

    This is only supported by Windows and macOS endpoints.

  5. Under Local user groups, you can see the groups for which account credentials will be rotated. This is not configurable.

  6. Under Targets, define the computers and groups to include and exclude from this policy.



    Computers in this set

    This policy is applied to computers in this Set that are defined by this target.

    Computers in AD security groups

    This policy is applied to computers that are identified by EPM agents as members of the specified AD security computer groups.

    Click Add or Edit then specify or select the target to add.

  7. Under Options, define the following:




    Activates or deactivates the policy when the policy is created.


    Prioritizes policies in order of precedence.

    For more details, see Policy priority.

  8. Click Create.

The new policy is created and appears in the list of policies in the list of credentials rotation policies. It is activated immediately.

Verify the macOS agent identifier

PAM uses the LocalHostName property to uniquely identify each macOS machine and find accounts. Set the LocalHostName property in the macOS machine's system properties, then make sure that it is set in the corresponding account properties in PVWA.

  1. On the macOS machine:

    1. In the System Preferences > Sharing window, in the Computer Name area, click Edit.

    2. In Local Hostname, enter the LocalHostName of the macOS device, then click OK.

  2. In PVWA, set the LocalHostName property in the relevant accounts.

Verify the Linux agent identifier

PAM uses the LocalHostName property to uniquely identify each Linux machine and find accounts.

  1. On the Linux machine, make sure the hostname is unique in your domain.

    Use the hostname command to check.

  2. In PVWA, set the hostname in the corresponding account properties.

Discover local admin accounts

EPM can discover local admin accounts on endpoints, including loosely connected devices, on all supported platforms. After these accounts have been discovered, EPM can manage credential rotation on endpoints or Privilege Cloud can onboard them to the Digital Vault.

For details, see Discover local accounts on Windows, macOS, and Linux endpoints.