Install the Connector using Connector Management

Before you begin

  • To enable secure communication between the Privilege Cloud backend and your on-premise components, provide CyberArk Support with the public-facing IP addresses that your organization uses to access the internet.

    Ensure you are providing an accessible public IP, which does not belong to a private reserved range.

  • Prepare user credentials. Ensure you have:

    • Privilege Cloud admin credentials

    • Installeruser password, as described in Set the Installeruser password.

    • Local Admin user, with full Admin rights. For In-domain deployments, this must be a domain user.

  • Ensure your local Admin user is assigned to a role in Identity Administration that includes permission to run the Connector Management service:

    • System Administrator role, which includes these permissions by default

    • Connector Management Admin role, which includes permissions for this service only

  • Ensure your Outbound traffic network and port requirements are defined in your organization firewalls. To download the Connector Management agent, ensure you have defined the appropriate region.

  • When installing multiple Connectors in a single environment, note that you must complete the full installation of each separate Connector before starting the installation of the next Connector. Concurrent installations are not supported.

  • Each environment can include a maximum of 60 registered CPMs.

  • Do not rename the Connector server hostname during or after Privilege Cloud deployment due to Microsoft renaming limitations.


Review the Security Fundamentals to fully secure the Connector server deployment.

Prepare your machine

  1. From the CyberArk marketplace software area, download the latest Privilege Cloud version software package. By default, the following components are selected, with their related files:


    Selected files

    Secure Tunnel Client Installer
    • Privilege Cloud Connector Unified Hardening

    • Privilege Cloud Connector Unified Hardening GPO-v2.2.0.txt

  2. To support UNIX and Linux machines, select and download the PSM for SSH component. Download the relevant file for your environment:

    Privileged Session Manager for SSH (PSM for SSH)


  3. Download and extract the Connector Management prerequisites check script:

    1. From the CyberArkIntegrations and Tools area, download the Privilege Cloud Tools package, including all available files, and store the package in a dedicated folder, commonly called Privilege Cloud Tools.

    2. In Privilege Cloud Tools > Connector Management Prerequisites, extract the file.

      The following files are extracted:

      • CM Readme.txt

      • ConnectorCheckPrerequisites_PrivilegeCloud.ps1

      • VaultOperationsTester folder

  4. Copy the Unified GPO Hardening packages to the domain server and extract the zip packages.

  5. Disable the antivirus agent if it is installed on your server.

Check the Privilege Cloud prerequisites

Before installing Privilege Cloud, ensure the environment has the necessary prerequisites installed. The prerequisites check applies to general environment, PSM, CPM connectivity and Secure Tunnel prerequisites.

The prerequisites script also installs the Remote Desktop Service (RDS) and the Remote Desktop Connection Broker (RD CB).

Learn which checks are run in Connector Management prerequisites checks .

To check machine prerequisites:
  1. From the Privilege Cloud Tools kit downloaded in Prepare your machine, copy the file to the Connector server and extract the zip file.

    The following files are extracted:

    • ConnectorCheckPrerequisites_PrivilegeCloud.ps1 PowerShell script

    • Readme.txt file

    • VaultOperationsTester folder, with files required for the CPM connectivity test

  2. Run the Powershell command with a Local Admin user:

    The prerequisites check displays a list of checked items, together with an indication if the item succeeded or failed.

    When installing CPM, the prerequisites check runs automatically for CPM.

    It is still recommended to run this step before the installation, to check prerequisites for the host machine and PSM.

    • For in-domain deployments

    • For out of domain deployments

      .\ConnectorCheckPrerequisites_PrivilegeCloud.ps1 -OutOfDomain
  3. Troubleshoot any displayed errors.

    Error indication

    Perform the following

    Link to a solution

    Click the link for relevant instructions

    Tip on how to resolve the issue

    Perform the necessary steps according to the tip

    Recommendation to rerun the script with a -troubleshooting flag

    1. Before repeating the check, in the folder where the check script is located, edit or delete the runtime file PSMCheckPrerequisites_PrivilegeCloud.ini.

    2. Rerun the check. For each error, a series of possible solutions is displayed.

    3. Select the relevant solution. A related script is run to automatically resolve the issue.

    Indication of failure

    For checks that are self-explanatory and need no further instructions, perform the necessary steps to resolve the issue.

    After the prerequisites check is run, a prompt appears recommending to run the CPM connectivity test.
    Ensure you have your InstallerUser user name and password, and choose one of the following:

    • Click Yes to run the test

    • At any time, run the CPM connection test Powershell command:

      .\ConnectorCheckPrerequisites_PrivilegeCloud.ps1 -CPMConnectionTest

Run the Connector Management Connector installer

  1. Sign in to the CyberArk Identity Security Platform Shared Services using the link provided in the CyberArk email.

  2. Click the service picker, and select Connector Management.

  3. On the Connectors page, click Add a connector.

  4. In the Add connector wizard > Define installation details tab define the following details for the Management Agent in the host machine:

    Installation location

    Define the installation location in the host machine.

    • Default location. This is the default installation location in the host machine. The Management Agent is installed by default in C:\Program Files. If your \Program Files folder is located in any other drive, it is installed there.

      The agent is installed in a subfolder \CyberArk\Management Agent.

      The folder name must be in English.

      In the Installation path field, enter the full path in English, including drive and folder path, for example, D:\Program.

    • Custom location. The Management Agent is installed by default in C:\Program Files. If your \Program Files folder is located in any other drive, it is installed there.

      • Optionally, enter a full path to an alternative installation folder.

      • The agent is installed in a subfolder \CyberArk\Management Agent.

      • The folder name must be in English.

      The Management Agent is installed in the selected location, in subfolder \CyberArk\Management Agent.

    Pool configuration

    In the Advanced settings section, the Connector is assigned by default to the Connector pool. This will enable high availability for components that support this option, are assigned to the pool, and are assigned to the same network targets.

    • This option will be available shortly. Retain the pool assignment.

  5. Click Next.

  6. In the Copy installation script tab, review the connector settings you defined:

    Defined agent installation details

    Installation location

    The default /Program Files folder


    A custom installation folder.

    Assigned to pool


  7. Click Copy script to later copy it to the connector host machine.

    The script is available for 5 minutes.


    • Click Renew to renew the script availability for an additional 5 minutes

    • Click Preview to view the script format

    Click Close.

  8. On the Windows instance you are using as the connector host, copy the installation script into a PowerShell command window, and run it.

    The installation script is valid for 5 minutes.

  9. In the Connector Management service, click Connectors. The Connector list displays all Connectors in the system and their details. Click a filter to display a shortlist of the required connectors.

    You can filter the Connector list based on the main characteristics

    In the connector list, click the newly added connector. Verify that the Management Agent is installed.

Install the CPM and PSM

When installing multiple Connectors, make sure to first complete the following installation steps, and only then move on to the next Connector.

The order of installing Privilege Cloud components does not affect the installation flow.

When selecting both components, the CPM is automatically installed before the PSM.

However, when install first one component and then the other, there is no requirement regarding the order of installation.

This also applies to cases where the PSM is already installed, and you now want to add the CPM.

  1. In the Connector Management service, select the row of the connector where you want to add the CPM and PSM components, and from the additional options menu click Add component.

  2. Select CPM and PSM, and click Next.

    If you install CPM only, and then at a later time install PSM on the same server, make sure you run the prerequisites script again.

  3. In the Privilege Cloud section, fill in the following details:



    Installation mode

    Select Production mode.

    Installeruser login name

    The built-in Identity Administration user used for installing on-prem components.

    Enter the installeruser name (installeruser@<suffix>) that you set in Identity Administration > Users > Service Users.

    Installeruser login password

    Enter the password you set for the Identity Administration installeruser.

    For details, see Set the installeruser password

    Vault FQDN in Privilege Cloud backend

    The Vault FQDN address is entered automatically.

    Retain the Vault FQDN address or enter the specific Vault IP address.

  4. In the CPM section, fill in the following details:



    Installation mode

    • Select Active if you are deploying CPM for the first time.

    • Select Passive if you are deploying CPM on an additional connector to support CPM in DR mode.

      For details, see Set up CPM in DR mode.

    CPM name (optional)

    Enter an identifier that can be easily recognized when assigning a Safe to CPM. If this is not specified, the instance hostname is used as the CPM name.

    Installation path (optional)

    Be default, CPM is installed on C:\Program Files, or any other drive where Program Files folder is defined, in a path of Connector Management subfolders.

    Optionally, change the default installation folder to any other installation folder in an alternative folder. The CPM is installed in a series of subfolders in this path.

  5. In the PSM section, fill in the following details:



    Local user

    For an in-domain environment, enter the Domain, User name, and Password. Make sure the user has administrative rights on the server.

    Installation partition (optional)

    Choose a logical partition for the PSM installation. If you do not chose a partition, the PSM is installed on C drive.

  6. Click Next.

  7. Click Install.

  8. Restart the machine where PSM is installed.

  9. In the Connector Management page, verify the status of the components.

Check the Connector status and details

  1. In the Connector Management service, click Connectors to view all installed connectors in your environment.

  2. Select the row of the required connector. The connector components are displayed together with a status indicator.

  3. Check the Status column to verify successful and active components, and check for failed components.

  4. For more information about the component, click the component row.

If the Connector installation fails, check logs and troubleshooting steps in Troubleshoot the connector and component installation/upgrade.

The Connector is installed with default local Windows service users. Learn about the CPM Local Windows service users and their permissions.

Apply GPO hardening for in-domain deployment

This section describes the automatic hardening procedure for in-domain deployments and the procedures for applying these files in your environment.

When the Connector is deployed on an in-domain server, the automatic hardening procedure is based on a predefined GPO (Group Policy Object), which sets the hardening policy.


Dedicated OU in the Active Directory

To ensure the GPO hardening applies to all Connector servers in the active directory, and does not affect other servers, make sure they are all located under a dedicated organizational unit (OU) in the active directory.

GPO file

The GPO hardening of the Connector server is based on a unified GPO file that applies to both the PSM and CPM.

To apply the hardening GPO

  1. Download the version's Privilege Cloud Unified Hardening GPO file as described in Prepare your machine.
  2. Import the GPO file to your Active Directory domain.

    1. Open the Group Policy Management Console (GPMC.msc).

    2. Create a GPO:   
      1. Expand Group Policy Management> <yourDomain>, then right-click Group Policy Objects and select New. The New GPO window appears.

      2. In the Name field, specify a name for the Unified GPO indicating the purpose and current version (for example, Unified Hardening vN.N), and click OK.

    3. In the list of Group Policy Objects, right-click the new Hardening GPO and select Import Settings.
    4. In the Welcome to the Import Settings Wizard window, click Next, and define the following:



      Backup GPO window

      Click Next.

      Backup location screen

      Click Browse and select the location where you stored the version's unified Hardening GPO settings, for example Privilege Cloud Connector Unified Hardening GPO and click OK.

      The folder path appears in the Backup Location window.

      Click Next.

      Source GPO window

      Click Next.

      Scanning Backup window

      Click Next.

      Completing the Import Settings Wizard window

      Click Finish.

      The Import window appears indicating the progress of the GPO import.

    5. When the GPO import process has completed. Click OK.
    6. After import, select the GPO and in the Settings tab verify the settings have been imported successfully.

  3. Link the GPO file to the dedicated CyberArk OU containing CyberArk servers.

    1. Make sure all Connector servers are located under the dedicated OU, so the GPO will not affect any other server.

    2. In the Group Policy Management Console, right-click the OU, then select Link an Existing GPO.

    3. Select the Unified Hardening GPO and click OK. The Unified Hardening GPO policy appears in the Linked Group Policy Objects tab.

  4. It is time to restart the Connector machine. Restart the machine so it will pull the updated GPO


    run gpupdate /force on the upgraded machines.

  5. Optionally, to support the following functions in Privilege Cloud, customize the GPO settings according to these guidelines:

    To support

    GPO update guidelines

    Direct RDP connections

    Add the following setting to the Group Policy with the appropriate Domain Security Group(s) or Users.

    Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/User Rights Assignment > Access this computer from the network (NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, Domain\RDPUserGroup).

    See Connect using RDP.

    Domain-level PSMConnect/PSMAdminConnect

    See Move PSM application users to the domain level.

    Take care when adding any domain-specific settings to the GPO and configure domain-specific settings according to CyberArk guidelines and documentation.

Complete the Connector installation

  1. Complete PSM deployment, see Complete PSM deployment.

  2. Perform post-installation steps to complete the Connector deployment, see Perform Privilege Cloud Connector post-installation steps.

  3. Enable the existing antivirus agent, or install an industry standard antivirus software.