Manage loosely connected devices

This topic describes how to manage privileged accounts for devices that are not always connected to the network.

Overview

One of the challenges in privileged account security is managing privileged accounts on devices that are rarely connected to the network, for example the built-in local administrator accounts on laptops that may be off the corporate network for long periods. While a device is disconnected, the security and operations teams cannot reach it to enforce password policies such as scheduled rotation.

Privilege Cloud uses CyberArk Endpoint Privilege Manager (EPM) to rotate credentials of accounts on Windows and macOS devices that are not always connected to the enterprise network. These devices are called loosely connected devices.

This solution does not manage local accounts that have dependencies (usages) or local accounts that belong to an account group.

Supported actions

  • Change request

Non-supported actions

  • Verify

  • Reconcile

How does it work?

Because EPM operates over the internet and is not restricted to the enterprise network, the EPM agent can communicate with the corporate Privilege Cloud Portal whenever the device is online, retrieve the new password, and set it on the local account.

EPM authenticates to the Privilege Cloud Portal with a security key. The key is created as part of the EPM policy configuration and is shared by all EPM agents that authenticate with it, so treat it as a secret: if it is exposed, regenerate it in the policy and provide the new key to CyberArk Support.

For additional security, you can use a client certificate for communication between the Privilege Cloud Portal and the EPM agents. The EPM server creates this certificate when you configure the Credentials Rotation Policy.

Before you begin

  • You must have EPM in order to manage loosely connected devices using Privilege Cloud.

  • EPM agents must be installed on the relevant endpoints. For details, see Agent Installation.

  • Download the required platform from the CyberArk Marketplace.

    The platform that manages loosely connected devices on Windows is installed out-of-the-box.

Configuration workflow


You need the assistance of CyberArk support for this process.

Perform the procedures in the section below in the order in which they appear.

Configure a credentials rotation policy in EPM

  1. In the EPM, follow the instructions in configure a credentials rotation policy.

    In the Privilege Cloud Portal configuration step, in the PVWA Server URL field, enter the Privilege Cloud Portal API URL:

    https://<subdomain>.privilegecloud.cyberark.cloud

  2. Contact CyberArk Support and provide the security key that you generated.


If you regenerate the security key for any reason, make sure to provide the new key to CyberArk Support.

Activate the loosely connected device platform

Depending on the type of devices you want to manage, activate the relevant platforms in the Privilege Cloud Portal:

Device     Target Account Platform
Windows    Windows Loosely Device
macOS      MAC Loosely Device
Linux      Linux Loosely Device

For details, see Activate and deactivate a platform.

Add or edit accounts

You can add new accounts for managing loosely connected devices, or edit existing accounts by changing their associated platforms.

Add a loosely connected device account:

  1. Follow the instructions in Add individual accounts manually.

  2. When you reach the platform association step, select one of the following platforms, depending on the device:

    Device     Target Account Platform
    Windows    Windows Loosely Device
    macOS      MAC Loosely Device
    Linux      Linux Loosely Device

  3. In the account properties, do the following:

    Address
      Specify the FQDN of the target device. To find the FQDN, on the target device, click Computer > Properties. The Full computer name is the FQDN. If no full computer name is displayed, specify the computer name (the NetBIOS host name).

      Note: This value is case-sensitive and must be specified exactly as it appears in the target device properties.

    Username
      Specify the exact name of the local account on the remote device.
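
As an added example, not code from the CyberArk documentation or product, the following PowerShell script, run on the target Windows endpoint, derives the value that the Address property expects (the Full computer name, rebuilt from Win32_ComputerSystem) and checks a planned Address and Username for the exact, case-sensitive match the platform requires before you create the account in the portal. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser); the function names, the sample address laptop-042.corp.example.com and the sample user name are illustrative.

```powershell
# Added example (not CyberArk's code). Run on the target Windows endpoint.
# Assumes Windows PowerShell 5.1+ with Get-LocalUser available.

function Get-LooselyDeviceAddress {
    # Reproduces the "Full computer name" shown under Computer > Properties:
    # <host>.<domain> when the device is domain-joined, otherwise the host name.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        return '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
    }
    return $cs.DNSHostName
}

function Test-LooselyDeviceAccount {
    param(
        [Parameter(Mandatory)] [string] $Address,   # planned Address property
        [Parameter(Mandatory)] [string] $UserName   # planned Username property
    )
    $problems = @()

    # Address is matched case-sensitively, so compare with -ceq, not -eq.
    $expected = Get-LooselyDeviceAddress
    if ($Address -ceq $expected) {
        # exact match, nothing to report
    } elseif ($Address -eq $expected) {
        $problems += "Address differs only in case from '$expected'; the platform will not match it."
    } else {
        $problems += "Address '$Address' does not match this device's full computer name '$expected'."
    }

    # Username must name an existing local account, spelled exactly as on the device.
    $local = Get-LocalUser -ErrorAction SilentlyContinue
    $exact = $local | Where-Object { $_.Name -ceq $UserName }
    if (-not $exact) {
        $ci = $local | Where-Object { $_.Name -eq $UserName }
        if ($ci) {
            $problems += "Username '$UserName' exists only as '$($ci.Name)' (case differs)."
        } else {
            $problems += "No local account named '$UserName' exists on this device."
        }
    } elseif (-not $exact.Enabled) {
        $problems += "Local account '$UserName' is disabled; confirm this is intended before onboarding it."
    }

    [pscustomobject]@{
        ExpectedAddress = $expected
        Address         = $Address
        UserName        = $UserName
        Ok              = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

# Usage (sample values are illustrative): run before adding the account in the portal.
Test-LooselyDeviceAccount -Address 'laptop-042.corp.example.com' -UserName 'Administrator'
```

Ok is $true only when both values would be accepted as-is; otherwise Problems lists what to correct in the account properties. Because the check runs on the device itself, it is also a convenient way to capture the exact ExpectedAddress string for a laptop that is only briefly online.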

Activity logs

Activities are recorded in the Privilege Cloud audit log and can be viewed in the Activities Log under the following activity groups:

  • Privileged Accounts Access Activities

  • Privileged Accounts Management Activities