Manage the Identity Connector
This section describes how to change the Identity Connector configuration settings found in the Identity Connector Configuration Program, and how to disable and uninstall the connector.
View the Identity Connector Configuration Program Status tab
The Status tab displays the following read-only information about the connector.
Field | Description |
---|---|
Server name | Displays the assigned name of this connector. |
Customer ID | Displays the customer ID under which this connector is registered. You can install multiple connectors using the same customer ID for load balancing and failover. All active connectors are used by Identity Administration. |
Connection to Identity Administration | Shows the date, time, and result of the last connection to Identity Administration. |
Limit the scope of Identity Administration connectors to specific domains in a forest
You can enable the Identity Administration connector to restrict the scope of a search to specific domains instead of all the domains in a forest. When enabled, the connector discovers and monitors changes for only these domains. Query results are limited to only these domains when a Global Catalog search is performed. Users from the specified domain(s) can log in to the tenant.
See the Community article for more information. Access to this article requires a community sign-in.
Restart the connector
You can restart the connector to force settings updates and AD updates, and to troubleshoot connection issues.
To restart the connector
- Go to the Connector tab, then click Stop to stop the connector if it is running.
- Click Start to restart the connector.
Use a web proxy server for Identity Administration connection
On the Connector tab, select the Use a web proxy server for Identity Administration connection checkbox if your network is configured with a web proxy server that you want to use to connect to Identity Administration. Note that the web proxy must support HTTP 1.1 for a successful connection to Identity Administration. After you select this option, enter the following information to enable the web proxy connection:
- Address is the URL of the web proxy server.
- Port is the port number to use to connect to the web proxy server.
- Click Credential to enter the user name and password for an account that can log in to the web proxy server.
Configure the connector settings update interval
When any connector in an installation changes its settings, it sends those settings to Identity Administration. When a connector checks settings with Identity Administration, if there are updated settings reported from any of the other connectors in the installation, the checking connector downloads and accepts those settings. This ensures that all connectors in an installation have the same settings.
To configure the frequency of settings updates
- Log in to the server where the Identity Connector is installed.
- Open the Identity Connector Configuration Program.
- On the Connector tab, use the Settings update interval field to configure the frequency in minutes, then click Apply.
Configure the Active Directory user verification interval
Use the Active Directory user verification interval text box to set the number of minutes this connector waits between checks for active AD user accounts. When the connector checks Active Directory user accounts, it contacts Active Directory to see if the user account listed for each enrolled device is active. If a device’s associated user account is not active (is disabled or removed), Identity Administration unenrolls the device.
- Log in to the server where the Identity Connector is installed.
- Open the Identity Connector Configuration Program.
- On the Connector tab, use the Settings update interval field to configure the frequency in minutes, then click Apply.
Update the Identity Connector
You can configure the Identity Connector to automatically poll Identity Administration for software updates and install them. The connector is enabled to poll automatically by default. You can also specify the auto-update time windows.
To enable and configure auto-update
- Log in to the Identity Connector server.
- Open the Identity Connector Configuration window.
- Use the Enable auto-update checkbox to enable the auto-update.
- Use the Schedule button associated with the Enable auto-update option to configure the auto-update time window.
- Click Apply.
To manually install updates
- Click the Windows Start menu and open the Identity Connector Configuration Program.
- Click Yes to allow this program to make changes to the computer.
- In the lower left of the Status tab, right-click the update icon and select Update.
The connector updates and then displays a message indicating that the software is up to date.
Set the service connection point (SCP) object permissions
This topic describes how to set permissions for the SCP object for cases where you do not use the Local System account to start the connector service.
The connector creates a serviceConnectionPoint object when it starts for the first time after installation. When the Local System account starts the connector service, it has full control over the serviceConnectionPoint object.
If you use an Active Directory account other than the Local System account, the following procedure describes how to add the additional permissions required by that user.
To set the permissions for a Service Connection Point (SCP) object for a selected user account
- Open ADSI Edit > Properties for the desired SCP object.
The service connection is created when the connector is started for the first time. If the connector’s name is
CN=MachineA,CN=Computers,DC=domain,DC=com
the SCP object is located in ADSI Edit at the following:
CN=proxy,CN=MachineA,CN=Computers,DC=domain,DC=com
- Select the Security tab, click Add to add the user account you are using to run the connector service, and click OK after you add the user account.
- Click the user account in Group or User Names and click Advanced.
- Click the user account in the Permission entries tab and click Edit.
- In the Object tab, click Allow for the Write all properties permission.
The Apply to field should be set to This object only. This is often the default. If it is not, use the drop-down menu to change it.
- Click OK.
- Click OK on the succeeding windows to exit ADSI Edit.
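One way to check the result of the procedure above from PowerShell, as an added example that is not part of the vendor documentation: it evaluates the ACEs held by the service account on the SCP object and reports whether Write all properties is allowed on this object only, and whether broader rights were granted than the procedure calls for. The account name `DOMAIN\svc-connector` and the function name `Get-ScpAceReport` are hypothetical, and the sample ACEs are constructed so the check runs without a domain.

```powershell
# Added example, not vendor code. Account and function names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices
$Rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function Get-ScpAceReport {
    param(
        [Parameter(Mandatory)] [object[]] $Aces,     # ACEs read from the SCP object
        [Parameter(Mandatory)] [string]   $Account   # account that runs the connector service
    )
    $adRights  = [System.DirectoryServices.ActiveDirectoryRights]
    $writeProp = [int]$adRights::WriteProperty
    # Rights beyond what the procedure grants; GenericAll (Full control) includes all of them.
    $excess    = [int]($adRights'WriteDacl, WriteOwner, Delete, DeleteTree')

    foreach ($ace in $Aces | Where-Object { $_.IdentityReference.Value -eq $Account }) {
        $r       = [int]$ace.ActiveDirectoryRights
        $isAllow = $ace.AccessControlType -eq 'Allow'
        [pscustomobject]@{
            Rights         = $ace.ActiveDirectoryRights
            # An empty ObjectType GUID means the right covers every property.
            WriteAllProps  = $isAllow -and (($r -band $writeProp) -ne 0) -and
                             ($ace.ObjectType -eq [guid]::Empty)
            # "This object only" in the GUI corresponds to InheritanceType None.
            ThisObjectOnly = $ace.InheritanceType -eq 'None'
            Inherited      = $ace.IsInherited
            ExcessRights   = $isAllow -and (($r -band $excess) -ne 0)
        }
    }
}

$ScpDn   = 'CN=proxy,CN=MachineA,CN=Computers,DC=domain,DC=com'  # DN pattern from the procedure
$Account = 'DOMAIN\svc-connector'                                 # hypothetical service account
$id      = [System.Security.Principal.NTAccount]$Account

# Constructed sample ACEs: one that matches the procedure, one that is too broad.
$sample = @(
    $Rule::new($id, $Rights::WriteProperty, $Allow, $Inherit::None)
    $Rule::new($id, $Rights::GenericAll,    $Allow, $Inherit::All)
)
Get-ScpAceReport -Aces $sample -Account $Account | Format-Table -AutoSize

# Against a live domain (needs the RSAT ActiveDirectory module, which provides the AD: drive):
#   Import-Module ActiveDirectory
#   Get-ScpAceReport -Aces (Get-Acl -Path "AD:\$ScpDn").Access -Account $Account
```

A row with WriteAllProps and ThisObjectOnly both true and ExcessRights false matches what the procedure sets; any other row for the service account is worth reviewing.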
Delete a connector
This procedure describes how to delete an inactive connector from the Identity Administration portal.
You can only delete inactive connectors. An inactive connector is one that is offline. You cannot delete an active connector.
To delete a connector
Step 1: Take the connector offline
- Open the Identity Connector Configuration Program on the connector machine.
- Select connector > Stop.
- Click Close.
When the connector is offline, there is no communication between it and Identity Administration.
Step 2: Delete the connector
- Log in to the Identity Administration portal and go to Settings > Network > Identity Connectors.
- Right-click the relevant connector and click Delete.
The connector listing is removed from the page.
Uninstall Identity Administration software
This topic describes how to uninstall the connector and console extensions.
All of the components are installed under the name Identity Administration Management Suite followed by the version number. Uninstalling this program removes all of the Identity Administration components installed on the computer. For example, you cannot delete the connector but leave the console extensions.
If you use just one Identity Connector, uninstalling the CyberArk Management Settings from the Active Directory Control Panel terminates mobile device policy enforcement. However, if you uninstall the CyberArk Management Suite from one computer but have the Identity Connector installed on one or more other computers, service is not interrupted. In this case, Identity Administration automatically switches to another connector.
To uninstall the Identity Administration software
- On a Windows computer on which you installed CyberArk Cloud Directory policy service Management Suite, close any open Microsoft Management Consoles, such as Active Directory Users and Computers and Group Policy Management Editor, that may be using the components.
- Click Start > Control Panel > (Programs) Uninstall Program, then right-click Identity Administration Management Suite version.
- Click Yes when the confirmation message appears.
If no Microsoft Management Console applications are open, the installer finishes and removes the CyberArk Management Suite software. If applications are open, you are prompted for how to close them.
- If prompted to close open applications, do the following:
  - Leave the following option selected and click OK:
    Automatically close applications and attempt to restart them after setup is complete.
  - If prompted that a Microsoft Management Console application has stopped working, click Close the program.
The connector and, if also installed, the console extensions are now removed from your computer. However, a directory and some files will still reside on your computer. To remove these files, complete the next step.
- To remove Identity Administration related files, navigate to and delete the C:\Program Files\CyberArk folder.