#18 - CyberArk EPM – Loosely Connected Devices

This video covers the process of configuring CyberArk EPM to support rotating local privileged accounts on loosely connected devices. We’ll explore both the manual and automated methods for installing the EPM agent and onboarding local privileged accounts into CyberArk Privilege Cloud.

Objectives

  • Configure EPM Credentials Rotation Policy
  • Onboard EPM LCD Key
  • Prepare Windows Loosely Connected Device Platform
  • Manually Install EPM Agent
  • Manually Onboard and Rotate Local Privileged Accounts
  • Automate EPM installation and Privileged Account Onboarding
  • Confirm LCD Privileged Accounts Onboarding

EPM LCD Documentation

CyberArk Docs - Manage loosely connected devices

CyberArk Marketplace - EPM LCD Key Platform

CyberArk Docs - Discover local accounts using EPM

PVWA Server URL Format

This is the PVWA URL format that is required when creating the Credentials Rotation Policy in EPM (replace <subdomain> with your Privilege Cloud tenant subdomain).

https://<subdomain>.privilegecloud.cyberark.cloud/

EPM LCD KEY Platform

This is the username and account name for the EPM LCD Key to be used in Privilege Cloud.

EPM_PAS_Gateway

EPM Agent Commands

Use this PowerShell command to follow the EPM agent trace log: it prints the last 100 lines and then keeps printing new entries as the agent writes them.

Get-Content -Path "C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\PASAgent\Trace\PASAgentLog.txt" -Wait -Tail 100

Use the following commands to stop the EPM agent and force LCD account rotation. The -UseToken step supplies the secure token generated in the EPM management console; agent protection requires it before the service can be stopped, even by a local administrator.

cd 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\'
.\vf_agent.exe -UseToken <Generated_Secure_Token>
.\vf_agent.exe -StopServ
.\vf_agent.exe -ImmediateLCDRotation

Once the rotation has been triggered, start the EPM agent service again via services.msc.

PowerShell EPM Agent Install Script

This is a sample script that installs the EPM agent if it is not already present on the endpoint. There are many other ways to automate the EPM agent install; see CyberArk Docs - Install EPM agents on Windows endpoints for more information. Note that the NETLOGON share is readable by every authenticated domain user, so an installation key embedded in a script stored there is effectively disclosed to all of them; treat it as a secret that any domain user could read and keep it out of world-readable locations where you can.

$filepath = "C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\vf_agent.exe"
$epminstallerdir = "\\<domain_name>\NETLOGON\EPM"

if (Test-Path $filepath) {
    # The EPM agent binary is already on disk, so there is nothing to do
    Write-Output "The EPM Agent is present. Closing Script"
} else {
    Write-Output "The EPM agent does not exist. Installing EPM"
    # INSTALLATIONKEY ties the agent to your EPM set; CONFIGURATION points at the
    # agent configuration file exported from the EPM console
    $msiArgs = @(
        '/i', "`"$epminstallerdir\vfagentsetupx64.msi`"",
        'INSTALLATIONKEY="<INSTALLKEY_HERE>"',
        "CONFIGURATION=`"$epminstallerdir\CyberArkEPMAgentSetupWindows.config`"",
        '/qn'
    )
    # Run msiexec synchronously so the script can report the install result
    $proc = Start-Process -FilePath 'MsiExec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    # 0 = success, 3010 = success but reboot required; anything else is a failure
    Write-Output "msiexec exited with code $($proc.ExitCode)"
}
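The sample above runs whatever MSI happens to be on the share, with SYSTEM privileges. The following added example (not code from the original post or from CyberArk) shows the pre-flight checks a practitioner would put in front of that: verify the installer's Authenticode signature and a pinned SHA-256 before msiexec touches it, then interpret the msiexec exit code instead of firing and forgetting. The share path, the agent path used as the "already installed" marker, the signer subject and the pinned hash are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post or from CyberArk.
# Pre-flight verification of the EPM agent MSI before a silent install from a file share.
# Assumptions: share path, agent path marker, expected signer subject and pinned hash.

[CmdletBinding()]
param(
    [string]$InstallerDir   = '\\<domain_name>\NETLOGON\EPM',
    [string]$AgentExe       = 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\vf_agent.exe',
    [string]$InstallKey     = '<INSTALLKEY_HERE>',
    # Hypothetical values: take them from a copy of the MSI you validated by hand.
    [string]$ExpectedSigner = 'CN=CyberArk Software Ltd.',
    [string]$ExpectedSha256 = '<sha256 of the validated vfagentsetupx64.msi>',
    [string]$MsiLog         = "$env:ProgramData\CyberArk\epm-agent-install.log"
)

$msiPath    = Join-Path $InstallerDir 'vfagentsetupx64.msi'
$configPath = Join-Path $InstallerDir 'CyberArkEPMAgentSetupWindows.config'

function Test-EpmInstaller {
    # Returns $true only when every check passes; each failure is reported with Write-Error.
    param([string]$Path, [string]$Signer, [string]$Sha256)
    $ok = $true
    if (-not (Test-Path $Path)) { Write-Error "Installer not found: $Path"; return $false }

    # Authenticode: the signature must chain to a trusted root and name the expected publisher
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Error "Signature status is '$($sig.Status)', expected 'Valid'"; $ok = $false
    } elseif ($sig.SignerCertificate.Subject -notlike "*$Signer*") {
        Write-Error "Unexpected signer: $($sig.SignerCertificate.Subject)"; $ok = $false
    }

    # Hash pinning: catches a swapped MSI even if it carries some other valid signature
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $Sha256.ToUpperInvariant()) {
        Write-Error "SHA-256 mismatch: got $hash, expected $Sha256"; $ok = $false
    }
    return $ok
}

function Install-EpmAgent {
    # Runs msiexec synchronously and maps its exit code to a result string.
    param([string]$Msi, [string]$Key, [string]$Config, [string]$Log)
    $msiArgs = @(
        '/i', "`"$Msi`"",
        "INSTALLATIONKEY=`"$Key`"",
        "CONFIGURATION=`"$Config`"",
        '/qn',
        '/l*v', "`"$Log`""      # verbose MSI log for troubleshooting a silent install
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow
    switch ($proc.ExitCode) {
        0       { return 'installed' }
        3010    { return 'installed-reboot-required' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        1641    { return 'installed-reboot-initiated' }  # ERROR_SUCCESS_REBOOT_INITIATED
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $Log" }
    }
}

if (Test-Path $AgentExe) {
    Write-Output 'EPM agent already present; nothing to do.'
    exit 0
}
if (-not (Test-EpmInstaller -Path $msiPath -Signer $ExpectedSigner -Sha256 $ExpectedSha256)) {
    # Refuse to execute an installer from the share that fails verification
    exit 1
}
if (-not (Test-Path $configPath)) { Write-Error "Config not found: $configPath"; exit 1 }
New-Item -ItemType Directory -Path (Split-Path $MsiLog) -Force | Out-Null
Write-Output (Install-EpmAgent -Msi $msiPath -Key $InstallKey -Config $configPath -Log $MsiLog)
```

To fill in the two pinned values, run `Get-AuthenticodeSignature` and `Get-FileHash -Algorithm SHA256` against a copy of the MSI you obtained directly from the EPM console, not against the copy on the share; the whole point of the check is that the share is writable by more people than the console is. Run the script as a computer startup script (SYSTEM) rather than a user logon script, since the MSI needs administrative rights and the installation key should not be exposed in a user context.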

Timeline

  • Intro 0:00
  • Setup EPM Credentials Rotation Policy 2:10
  • Setup EPM LCD Key Platform 4:33
  • Setup Windows LCD Safe and Platform 6:11
  • Manually Install EPM Agent 7:21
  • Manually Onboard Localadmin Account 8:52
  • Setup EPM Accounts Discovery 13:20
  • Setup Discovery Rule 14:53
  • Automate EPM Agent Install 16:16
  • Test EPM Agent Install and Account Onboarding 17:05

This post is licensed under CC BY 4.0 by the author.