Configure offline access to target machines

This topic describes how to configure offline access to target machines when the Privilege Cloud service is unavailable.

 

If your Privilege Cloud environment is not integrated with CyberArk Remote Access, you will need the assistance of CyberArk support to configure offline access. For details, see Before you begin.

Overview

Privilege Cloud strives to provide you with secure, uninterrupted access to your accounts whenever you want to access them.

On very rare occasions we may experience a service outage. On such occasions we would like to provide you with an alternative method of accessing accounts that you typically access using Privilege Cloud, in a secure way.

 
  • You must configure this capability in order to make it available to end-users. For details on the end-user experience, see Connect when Privilege Cloud is unavailable.

  • Offline access is available to Privilege Cloud users only when the Privilege Cloud service is unavailable.

Accessing accounts when Privilege Cloud is offline is done using the CyberArk Mobile app.

Through CyberArk Mobile, users can retrieve the credentials for the accounts and access their target systems and devices directly. To do that, you need to first integrate with CyberArk Remote Access, for which you require the assistance of CyberArk support, and then turn on the offline access capability.

Offline access is relevant only for accounts for which you can retrieve the credentials yourself (show and copy password).

  • Accounts under certain policies cannot be saved offline:

    • Enforced check-in/check-out exclusive access

    • Requires dual control password access approval

    • Enforced one-time password access

    • Ticketing systems integration

Before you begin

This section describes how to integrate with CyberArk Remote Access. If you already have a Privilege Cloud-Remote Access integration, skip this section.

How do I know if I'm integrated with CyberArk Remote Access?

If you have already configured remote access for vendors in your organization, as described in Configure remote access for vendors, you are already integrated with Remote Access.

  1. Contact CyberArk support and request integration with Remote Access in order to enable the offline access capability.

  2. After CyberArk support begins the integration process, you will receive a verification email. Scan the barcode provided in the email using the CyberArk Mobile app in order to complete the integration.

  3. After the integration is complete, configure the IdP in the Privilege Cloud tenant in Remote Access. For details, see Configure the IdP.

  4. Invite users to register, as described in Invite users to register to CyberArk Remote Access.

Configure offline access for Privilege Cloud users

All configuration tasks for this capability are done in Remote Access.

  • Turn offline access on or off in the Privilege Cloud tenant settings. You can also turn on offline access for testing purposes (while Privilege Cloud is up).

  • Set the synchronization interval for updating the credentials in the accounts downloaded to Remote Access according to the password rotation policies defined in the Privilege Cloud Portal.

    To activate offline access in Remote Access:

    As an administrator, activate offline access for each of your tenants.

    1. Log in to the Remote Access Admin portal: https://portal.alero.io/ (change the URL according to your datacenter).

    2. Select a tenant. In the Remote Access menu, click Settings > General.

    3. In the Offline Access to PAM accounts section, select Allow company users to cache account credentials offline to maintain access when CyberArk PAM is unavailable.

    4. Select Allow offline access for vendors if you want to allow vendors to access offline credentials.

    5. Enter the number of days after which the app reminds users to sync their offline accounts.

      Set the reminder according to your tenant's password rotation policy.

    6. Optionally, you can also select the following settings:

      Allow access to offline credentials when Remote Access service is unavailable
        When enabled, allows company users or vendors to download and view their account password if the Remote Access service is unavailable.
        Note: Users won't be verified against your organization's authentication before accessing their saved offline credentials.

      Allow access to offline credentials when no network connection is available to the CyberArk Mobile app
        When enabled, allows company users or vendors to download and view their account password if their CyberArk Mobile app has no network connection.
        Note: Users won't be verified against your organization's authentication before accessing their saved offline credentials.

      Unrestricted mode
        When enabled, allows company users or vendors to download and view their account password when all services are unavailable.
        This option can be used for testing the availability of your offline account password. Make sure this option is disabled when your tests are completed.
        Note: Users won't be verified before accessing their saved offline password.

Restrict offline access for Privilege Cloud users

As an administrator, you can restrict offline access for specific accounts from the Privilege Cloud Portal.

This feature is supported from CyberArk Mobile app version 7.0 and up. Users using previous versions of the CyberArk Mobile app will continue to be able to cache the password of any account they have permissions to access.

  1. Download the Restrict Offline Access platform from CyberArk Marketplace.

  2. Log in to the Privilege Cloud Portal as a user with administrative rights and go to Administration > Platform Management.

  3. Click Import platform and select the Restrict Offline Access platform you downloaded.

    The platform is added to the Windows platforms section for viewing purposes only, and its parameter DisableForOfflineAccess becomes an optional parameter that can now be added to the system platforms.

    To hide this platform from the active platforms list when adding a new account, you can deactivate the platform. The new parameter remains available but the platform does not appear in the active platforms list.

  4. To apply this parameter to a system platform, select the required platform and add this parameter to the platform's properties:

    1. From the more actions button, click Edit and go to UI & Workflows > Properties > Optional.

    2. Right-click Optional, select Add Property, and enter the following parameter details:

      Name: DisableForOfflineAccess
      DisplayName: Disable for offline access

      Click OK. The property name is updated according to the name you entered.

      The parameter is now added to this platform and is available for subsequent platform-based accounts.

  5. In Accounts View, click Add account > Define properties, and in the Disable For Offline Access field enter True. Click Add to save.
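Before enabling offline access, an administrator typically wants to know which accounts will actually be cacheable on users' phones, given the policy exclusions listed in the Overview, the per-account DisableForOfflineAccess restriction described above, and the fact that the restriction is only honoured by CyberArk Mobile 7.0 and later. The following Python script is an added example, not CyberArk code: it applies those rules to a constructed account inventory (the Account fields and policy keys are assumptions for this example, not the Privilege Cloud export format) and also checks that the sync reminder interval does not exceed the password rotation interval.

```python
"""Added example (not CyberArk's own code): audit which accounts would be
cacheable offline by the CyberArk Mobile app, applying the restrictions this
page lists. Account records and field names are constructed for the example."""

from dataclasses import dataclass, field

# Platform policies that, per the page, prevent an account from being saved offline.
BLOCKING_POLICIES = {
    "exclusive_access": "Enforced check-in/check-out exclusive access",
    "dual_control": "Requires dual control password access approval",
    "one_time_password": "Enforced one-time password access",
    "ticketing": "Ticketing systems integration",
}


@dataclass
class Account:
    name: str
    # hypothetical field: policy key (see BLOCKING_POLICIES) -> enabled?
    platform_policies: dict = field(default_factory=dict)
    # user may show/copy the password (offline access needs this)
    can_show_password: bool = True
    # DisableForOfflineAccess platform property set to True on the account
    disable_for_offline_access: bool = False
    # version of the CyberArk Mobile app that would request the cache
    mobile_app_version: tuple = (7, 0)


def offline_cacheable(acct: Account):
    """Return (cacheable, reason) for a single account."""
    if not acct.can_show_password:
        return False, "credentials cannot be retrieved (no show/copy password)"
    for key, label in BLOCKING_POLICIES.items():
        if acct.platform_policies.get(key):
            return False, label
    if acct.disable_for_offline_access:
        # The per-account restriction is enforced only by app 7.0 and later;
        # older apps keep caching any account the user may access.
        if acct.mobile_app_version >= (7, 0):
            return False, "DisableForOfflineAccess=True"
        return True, "DisableForOfflineAccess set but app older than 7.0 ignores it"
    return True, "no restriction applies"


def audit(accounts):
    """Map each account that can still be cached offline to the reason why."""
    report = {}
    for acct in accounts:
        cacheable, reason = offline_cacheable(acct)
        if cacheable:
            report[acct.name] = reason
    return report


def reminder_within_rotation(reminder_days: int, rotation_days: int) -> bool:
    """The sync reminder should fire no later than the rotation interval,
    otherwise a cached password can go stale before users are nudged to re-sync."""
    return 0 < reminder_days <= rotation_days


# Constructed inventory for the example.
SAMPLE_ACCOUNTS = [
    Account("win-admin-01"),
    Account("db-root", platform_policies={"dual_control": True}),
    Account("fw-break-glass", platform_policies={"exclusive_access": True}),
    Account("jump-svc", disable_for_offline_access=True),
    Account("legacy-app", disable_for_offline_access=True, mobile_app_version=(6, 9)),
    Account("api-token", can_show_password=False),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_ACCOUNTS).items():
        print(f"cacheable offline: {name} ({reason})")
    print("reminder 7d vs rotation 30d ok:", reminder_within_rotation(7, 30))
    print("reminder 45d vs rotation 30d ok:", reminder_within_rotation(45, 30))
```

The "legacy-app" entry illustrates the version caveat from the page: the DisableForOfflineAccess property is set, but a pre-7.0 app still caches it, so the audit lists it as exposed.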