Manage loosely connected devices

This topic describes how to manage privileged accounts for devices that are not always connected to the network.


One of the challenges in privileged account security is managing privileged accounts on devices that are not often connected to the network. For example, the local built-in administrators on laptops that can be disconnected from the network for long periods of time, making it difficult for the security and operational teams to enforce security policies.

PAM - Self-Hosted uses CyberArk Endpoint Privilege Manager (EPM) to rotate credentials of accounts on Windows and macOS devices that are not always connected to the enterprise network. These devices are called loosely connected devices.

This solution does not manage local accounts with dependencies (usages) or local accounts that belong to an account group.

Supported actions

  • Change request

Non-supported actions

  • Verify

  • Reconcile

How does it work?

As EPM operates over the internet, and is not restricted to an enterprise network, it can communicate with the corporate PVWA, retrieve the new password, and change it on the device.

EPM uses a security key to authenticate to the PVWA. This key is created as part of the EPM policy configuration, and can be used by multiple EPM agents to authenticate to a single Vault. In multi-Vault deployments, each Vault requires its own security key.

You can benefit from additional security by using a client certificate to communicate between the PVWA and the EPM agents. This certificate is created by the EPM server when you configure the Credentials Rotation Policy.

Before you begin

  • You must have EPM in order to manage loosely connected devices using PAM - Self-Hosted.

  • EPM agents must be installed on the relevant endpoints. For details, see Agent Installation.

  • Download the the required platform from the CyberArk Marketplace:

    The platform that manages loosely connected devices on Windows is installed out-of-the-box.

Configure a credentials rotation policy in EPM

Store the security key using PrivateArk

In the PrivateArk Administrative Client, create a password to store the security key you created for the Credentials Rotation Policy.


Whenever you change the security key in the EPM policy, you must also change it in the PrivateArk Client and synchronize with all EPM agents.

Store the security key

  1. Log on to the PrivateArk Administrative Client with a user that belongs to the Vault Admins group, and open the SharedAuth_Internal Safe.

  2. From the File menu, select New File > PrivateArk Protected Object.

  3. In the New Password Object window, do the following, and then click OK:



    Object Name

    Enter EPM_PAS_Gateway


    Copy/paste the security key created in EPM and confirm it.

Activate the loosely connected device platform

Depending on the type of devices you want to manage, activate the relevant platforms in the PVWA:


Target Account Platform


Windows Loosely Device


MAC Loosely Device


Linux Loosely Device

For details, see Activate and deactivate a platform.

Add or edit accounts

You can add new accounts for managing loosely connected devices, or edit existing accounts by changing their associated platforms.

Add a loosely connected device account:

  1. Follow the instructions in Add Accounts.

  2. When you reach the platform association step, select one of the following platforms, depending on the device:


    Target Account Platform


    Windows Loosely Device


    MAC Loosely Device


    Linux Loosely Device

  3. In the account properties, do the following:




    specify the FQDN of the target device. To find the FQDN, on the target device, click Computer > Properties . The Full computer name is the FQDN. If this is not displayed, specify the computer name, which is the BIOS name.

    Note: This value is case-sensitive and must be specified exactly as it appears in the target device properties.


    Specify the exact name of the local account on the remote device.

Configure the EPM integration in the PVWA

  1. Log on to the PVWA with a user that belongs to the Vault Admins group.

  2. In the Administration > Configuration Options page, click Endpoint Privilege Manager Integration.

  3. Select Credential Rotation, and in the EPMCertificateValidationSubject property, select the subject type of your certificate.

Use a client certificate for Windows and macOS endpoints (optional)

When you define a credentials rotation policy in EPM, as described in Configure a credentials rotation policy in EPM you have the option of using a client certificate as an additional security layer between the PVWA and the EPM agents installed on the endpoints. Implementing a client certificate fortifies the trust established between the PVWA and EPM.

This option applies only to Windows and macOS enpoints.

All client certificates must be signed with a valid Certificate Authority (CA) that is installed in the PVWA’s local computer certificate store.

Perform the following procedures on Windows and macOS endpoints.

Add a CA to the Local Computer Certificate Store

  1. In the Microsoft Management Console, from the File menu, select Add/Remove Snap-in.

  2. On the Add/Remove Snap-in, click Add.

  3. On the Add Standalone Snap-in window, select Certificates, and then click Add.

  4. On the Certificates snap-in window, select Computer Account, and then click Next.

  5. On the Select Computer window, select Local Computer, then click Finish.

  6. On the Add Standalone Snap-in window, click Close, and then click OK.

  7. On the main Console window, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities.

  8. In the Certificates folder, select Certificates, then from the Action menu, select All Tasks, and then Import ….

  9. In the Certificates Import Wizard, click Next.

  10. On the File to Import window, select the certificate file to import, and then click Next.

  11. On the Certificate Store window, select Place all certificates in the following store, and then complete the wizard

Configure the IIS config file

  1. Open the IIS config file (by default in %WinDir%\System32\Inetsrv\Config\ applicationHost.config).


    Do not open this file with Notepad++.

  2. At the end of the file, add the following:

    <location path="Default Web Site/PasswordVault/api/EPM">
    <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />

Install the client certificates

Install the client certificates in the in the Local Computer Certificate Store (Certificates > Local Computer > Personal > Certificates).

EPM users

The following user is created in the PVWA environment to manage loosely connected devices.




The EPMAgent user is created automatically in the Vault to facilitate credential rotation on loosely connected devices.

Activity logs

Activities are recorded in the Vault audit log and can be viewed in the Activities Log under the following activity groups:

  • Privileged Accounts Access Activities

  • Privileged Accounts Management Activities