Manage loosely connected devices

This topic describes how to manage privileged accounts for devices that are not always connected to the network.

Overview

One of the challenges in privileged account security is managing privileged accounts on devices that are not often connected to the network. For example, the local built-in administrators on laptops that can be disconnected from the network for long periods of time, making it difficult for the security and operational teams to enforce security policies.

PAM - Self-Hosted uses CyberArk Endpoint Privilege Manager (EPM) to rotate credentials of accounts on Windows and macOS devices that are not always connected to the enterprise network. These devices are called loosely connected devices.

This solution does not manage local accounts with dependencies (usages) or local accounts that belong to an account group.

Supported actions

Change request

Non-supported actions

Verify
Reconcile

How does it work?

As EPM operates over the internet, and is not restricted to an enterprise network, it can communicate with the corporate PVWA, retrieve the new password, and change it on the device.

EPM uses a security key to authenticate to the PVWA. This key is created as part of the EPM policy configuration, and can be used by multiple EPM agents to authenticate to a single Vault. In multi-Vault deployments, each Vault requires its own security key.

You can benefit from additional security by using a client certificate to communicate between the PVWA and the EPM agents. This certificate is created by the EPM server when you configure the Credentials Rotation Policy.

Before you begin

You must have EPM in order to manage loosely connected devices using PAM - Self-Hosted.
EPM agents must be installed on the relevant endpoints. For details, see Agent Installation.
The platform that manages loosely connected devices on Windows is installed out-of-the-box. For macOS devices, download the MAC Loosely Device platform from the CyberArk marketplace.

Configure a credentials rotation policy in EPM

In the EPM, follow the instructions in configure a credentials rotation policy.

Store the security key using PrivateArk

In the PrivateArk Administrative Client, create a password to store the security key you created for the Credentials Rotation Policy.

Whenever you change the security key in the EPM policy, you must also change it in the PrivateArk Client and synchronize with all EPM agents.

Store the security key

Log on to the PrivateArk Administrative Client with a user that belongs to the Vault Admins group, and open the SharedAuth_Internal Safe.
From the File menu, select New > File > PrivateArk Protected Object.

In the New Password Object window, do the following, and then click OK:

Property	Description
Object Name	Enter EPM_PAS_Gateway
Password	Copy/paste the security key created in EPM and confirm it.

Activate the loosely connected device platform

Depending on the type of devices you want to manage, activate the relevant platforms in the PVWA:

Device	Target Account Platform
Windows	Windows Loosely Device
macOS	MAC Loosely Device

For details, see Activate and deactivate a platform.

Add or edit accounts

You can add new accounts for managing loosely connected devices, or edit existing accounts by changing their associated platforms.

Add a loosely connected device account

Follow the instructions in Add accounts

When you reach the platform association step, select one of the following platforms, depending on the device:

Device	Target Account Platform
Windows	Windows Loosely Device
macOS	MAC Loosely Device

In the account properties, do the following:

Property	Description
Address	specify the FQDN of the target device. To find the FQDN, on the target device, click Computer > Properties . The Full computer name is the FQDN. If this is not displayed, specify the computer name, which is the BIOS name. Note: This value is case-sensitive and must be specified exactly as it appears in the target device properties.
Username	Specify the exact name of the local account on the remote device.

Property

Description

Address

specify the FQDN of the target device. To find the FQDN, on the target device, click Computer > Properties . The Full computer name is the FQDN. If this is not displayed, specify the computer name, which is the BIOS name.

Note: This value is case-sensitive and must be specified exactly as it appears in the target device properties.

Username

Specify the exact name of the local account on the remote device.

Configure the EPM integration in the PVWA

Log on to the PVWA with a user that belongs to the Vault Admins group.
In the Administration > Configuration Options page, click Endpoint Privilege Manager Integration.
Select Credential Rotation, and in the EPMCertificateValidationSubject property, select the subject type of your certificate.

Use a client certificate (optional)

When you define a credentials rotation policy in EPM, as described in Configure a credentials rotation policy in EPM you have the option of using a client certificate as an additional security layer between the PVWA and the EPM agents installed on the endpoints. Implementing a client certificate fortifies the trust established between the PVWA and EPM.

All client certificates must be signed with a valid Certificate Authority (CA) that is installed in the PVWA’s local computer certificate store.

Perform the following procedures on all endpoints.

Add a CA to the Local Computer Certificate Store

In the Microsoft Management Console, from the File menu, select Add/Remove Snap-in.
On the Add/Remove Snap-in, click Add.
On the Add Standalone Snap-in window, select Certificates, and then click Add.
On the Certificates snap-in window, select Computer Account, and then click Next.
On the Select Computer window, select Local Computer, then click Finish.
On the Add Standalone Snap-in window, click Close, and then click OK.
On the main Console window, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities.
In the Certificates folder, select Certificates, then from the Action menu, select All Tasks, and then Import ….
In the Certificates Import Wizard, click Next.
On the File to Import window, select the certificate file to import, and then click Next.
On the Certificate Store window, select Place all certificates in the following store, and then complete the wizard

Configure the IIS config file

Open the IIS config file (by default in %WinDir%\System32\Inetsrv\Config\ applicationHost.config).

Do not open this file with Notepad++.

At the end of the file, add the following:

<location path="Default Web Site/PasswordVault/api/EPM">
 <system.webServer>
 <security>
 <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
 </security>
 </system.webServer>
</location>

Install the client certificates

Install the client certificates in the in the Local Computer Certificate Store (Certificates > Local Computer > Personal > Certificates).

EPM users

The following user is created in the PVWA environment to manage loosely connected devices.

User	Description
EPMAgent	The EPMAgent user is created automatically in the Vault to facilitate credential rotation on loosely connected devices.

Activity logs

Activities are recorded in the Vault audit log and can be viewed in the Activities Log under the following activity groups:

Privileged Accounts Access Activities
Privileged Accounts Management Activities

Manage platforms v10 interface