Discover local accounts on Windows, macOS, and Linux endpoints
This topic presents the workflow for discovering unmanaged local Windows, macOS, and Linux accounts using the Account Discovery service. This discovery option is based on EPM scanning of endpoints, including loosely connected devices, that is, devices that are not always connected to the network.
Set up the Account Discovery service
The Privilege Cloud and EPM tenants must be located in the same AWS region.
- Prepare the following details:
  - Subdomain
  - Installeruser user name and password. If necessary, reset the Installeruser password.
  - Tenant ID. To find your tenant ID:
    - In CyberArk Marketplace, download the Privilege Cloud Tenant ID Tool.
    - Extract the downloaded zip file. The output file is GetPrivilegeCloudTenantID.exe.
    - Run the following command:
      GetPrivilegeCloudTenantID.exe <installer user username> <subdomain>
    - Copy the displayed tenant ID and store it for use in subsequent steps.
- In the EPM portal, select Advanced > Server Configuration.
- Expand Configuration > Credentials Rotation and set the following parameters:
  Local Admin Discovery: On
  Privilege Cloud tenant ID: Enter your CyberArk tenant ID.
EPM starts to collect accounts of loosely connected devices.
Step 1: Automatic discovery scanning
The EPM agent scans endpoints according to the settings defined in the EPM configuration. The result of each scan is a list of local accounts, including accounts from loosely connected devices. The scans are run automatically, every 24 hours, and do not require any manual intervention.
Learn about discovery scan settings in Set up the Account Discovery service.
Step 2: Analyze discovered accounts
At any time, you can review the list of discovered accounts for onboarding.
To analyze discovered accounts:
- In the Privilege Cloud Portal, click Accounts > Accounts Feed > Discovered Accounts (new).
  The account list displays the Windows, macOS, and Linux accounts discovered using EPM. A Windows, macOS, or Linux icon indicates the account type.
- Search for required accounts using one of the following options:
  Filter: Click Filter and define parameters to filter the account list:
    - Category: Privileged, Non-privileged, Unknown
    - Platform type: Windows, Mac, Linux
    - Platform subtype: Loosely, which refers to devices that are not always connected to the network
    The list is updated according to your selected filters. The filters are displayed at the top of the account list together with the total number of matching accounts. Click Clear All to remove your selected filters.
  Search: In the text entry field, start typing the name or string that appears for the account of interest. The search is case-sensitive. The account list is filtered to display matching accounts.
- Click the account in the grid to display the account details, including ID, user name, OS groups, and more.
- Decide which account you want to onboard and continue to Step 3: Onboard discovered accounts and next steps.
  This account may already exist in Privilege Cloud. Check for accounts of the same type with a similar user name and password.
Step 3: Onboard discovered accounts and next steps
Review the list of discovered devices and decide on your next step.
For accounts that are discovered as part of EPM-enabled Discovery that runs on local Windows, macOS, and Linux accounts, only manual onboarding is applied. Onboarding rules only apply to CPM Scanner-based Discovery that runs on Windows and Unix machines.
Onboard discovered accounts
To onboard multiple accounts at once, ensure you select accounts of the same type and subtype.
- In the discovered accounts list, select the required account(s) and click Onboard.
  You can select up to 100 accounts of the same type and subtype.
- Fill in the following account details:
  Safe: Select an existing Safe or create a new Safe. A Safe appears in the Safe list only when you:
    - Are a member of the Safe
    - Have the Add accounts permission
    Internal Safes are not displayed.
  Assign Platform: Select one of the existing platforms.
  Password: Define the account password in one of the following ways:
    - Automatically reset password. Privilege Cloud automatically generates new passwords and syncs the target.
    - Set a default password. Set a password and confirm it. This sets the passwords for the accounts in Privilege Cloud; it does not reset the actual passwords on target systems. For more information about synchronizing passwords, see Reconcile passwords.
- Click Onboard. The account is added to the Accounts View.
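The filtering rules from Step 2 and the onboarding limits from Step 3 (case-sensitive search, at most 100 accounts per Onboard action, all of the same type and subtype, and the "may already exist" check) are easy to get wrong when preparing a large scan result by hand. The following Python module is an added example, not CyberArk's code: it models a discovered-accounts list with constructed sample rows and applies those rules offline so a practitioner can plan selections before clicking Onboard. The record fields, function names, sample IDs and user names are all assumptions of this example, not values from the page.

```python
"""Added example (not CyberArk's code): model the Discovered Accounts list
from Step 2 and the onboarding limits from Step 3 and check them offline.
Field names, function names and all sample data below are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

MAX_ONBOARD_BATCH = 100  # page: up to 100 accounts of the same type and subtype per Onboard


@dataclass(frozen=True)
class DiscoveredAccount:
    account_id: str
    user_name: str
    platform_type: str       # page filter values: "Windows", "Mac", "Linux"
    platform_subtype: str    # page filter value: "Loosely"
    category: str            # page filter values: "Privileged", "Non-privileged", "Unknown"
    os_groups: tuple[str, ...] = ()


# Constructed sample rows standing in for one EPM scan result (hypothetical IDs and names).
SAMPLE_ACCOUNTS = [
    DiscoveredAccount("d-001", "Administrator", "Windows", "Loosely", "Privileged", ("Administrators",)),
    DiscoveredAccount("d-002", "backupsvc", "Windows", "Loosely", "Non-privileged", ("Backup Operators",)),
    DiscoveredAccount("d-003", "root", "Linux", "Loosely", "Privileged", ("root", "wheel")),
    DiscoveredAccount("d-004", "admin", "Mac", "Loosely", "Unknown", ("admin",)),
    DiscoveredAccount("d-005", "Admin", "Linux", "Loosely", "Privileged", ("sudo",)),
]

# Constructed stand-in for accounts already stored in Privilege Cloud: (platform type, user name).
VAULTED_ACCOUNTS = [("Linux", "admin"), ("Windows", "svc_backup")]


def filter_accounts(accounts, *, category=None, platform_type=None, platform_subtype=None, search=None):
    """Apply the Step 2 Filter and Search options.

    Search is a case-sensitive substring match on the user name, as the page states.
    """
    result = []
    for acc in accounts:
        if category is not None and acc.category != category:
            continue
        if platform_type is not None and acc.platform_type != platform_type:
            continue
        if platform_subtype is not None and acc.platform_subtype != platform_subtype:
            continue
        if search is not None and search not in acc.user_name:
            continue
        result.append(acc)
    return result


def validate_selection(selection):
    """Return None if one Onboard click can take the selection, else the reason it cannot."""
    if not selection:
        return "nothing selected"
    if len(selection) > MAX_ONBOARD_BATCH:
        return f"{len(selection)} accounts selected; the maximum is {MAX_ONBOARD_BATCH}"
    keys = {(a.platform_type, a.platform_subtype) for a in selection}
    if len(keys) > 1:
        mixed = ", ".join(sorted(f"{t}/{s}" for t, s in keys))
        return f"selection mixes platform types or subtypes: {mixed}"
    return None


def onboarding_batches(accounts):
    """Split any set of discovered accounts into selections that each pass validate_selection."""
    groups = defaultdict(list)
    for acc in accounts:
        groups[(acc.platform_type, acc.platform_subtype)].append(acc)
    batches = []
    for key in sorted(groups):          # deterministic order: Linux, Mac, Windows
        members = groups[key]
        for start in range(0, len(members), MAX_ONBOARD_BATCH):
            batches.append(members[start:start + MAX_ONBOARD_BATCH])
    return batches


def possible_duplicates(candidate, vaulted):
    """Step 2 caveat: list vaulted accounts of the same platform type whose user name
    matches the candidate's ignoring case (passwords are not available to compare here)."""
    return [
        (ptype, name) for ptype, name in vaulted
        if ptype == candidate.platform_type and name.casefold() == candidate.user_name.casefold()
    ]


def many_loosely_linux(count):
    """Constructed bulk data to show batching above the 100-account limit."""
    return [DiscoveredAccount(f"d-lx-{i:03d}", f"svc{i}", "Linux", "Loosely", "Unknown") for i in range(count)]


if __name__ == "__main__":
    print([a.account_id for a in filter_accounts(SAMPLE_ACCOUNTS, search="Admin")])
    print(validate_selection(SAMPLE_ACCOUNTS))
    print([len(b) for b in onboarding_batches(many_loosely_linux(150))])
    print(possible_duplicates(SAMPLE_ACCOUNTS[4], VAULTED_ACCOUNTS))
```

Running the module prints which sample rows a search for "Admin" returns (the lowercase "admin" row is excluded because the search is case-sensitive), why the full sample cannot be onboarded in one click (it mixes platform types), how 150 Linux accounts split into selections of 100 and 50, and which vaulted account the "Admin" Linux row may duplicate.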
Remove discovered accounts
- Review accounts according to Step 2: Analyze discovered accounts.
- In the accounts list, remove accounts in one of the following ways:
  Remove selected discovered accounts: Removes only the selected accounts from the current discovered accounts list. In the discovered accounts list, select the required account(s) and click Remove from list. You can select up to 100 accounts.
  Remove all discovered accounts: Removes all accounts currently displayed in the discovered accounts list. In the top right corner of the Discovered Accounts display, click Remove all accounts.
The removed accounts are removed from the current list only and may appear again in a future list after the next EPM scan.