Installing PAM360 Agent

The PAM360 agent can be deployed on remote devices that are not directly connected to the PAM360 server to facilitate PAM360-related operations or to collect device data for implementing a Zero Trust security model, depending on the installation option selected. Installing the PAM360 agent on your target systems is essential for extending the capabilities of PAM360, enabling secure management of privileged remote resources that are not directly connected to the PAM360 server. This document provides detailed steps to install, manage, and uninstall the PAM360 agents on Windows, Windows Domain, Linux, and Mac devices along with the necessary information to configure the required agent settings. Before proceeding with the installation procedure, ensure that the account you use to install the agent on the remote host has sufficient privileges to carry out these operations.

Note: Administrative/root privilege is required in the target system for agent installation and management.

This help document covers the following topics in detail:

  1. Downloading the PAM360 Agents
  2. Configuring Agent Settings
  3. Installing Windows/Windows Domain Agent in the Resources/User Devices
  4. Installing Linux Agent in the Linux Resources/User Devices
  5. Installing macOS Agent

1. Downloading the PAM360 Agents

Follow these steps to download the PAM360 agent package on your machine from the PAM360 web interface.

  1. Log into your PAM360 account and navigate to the Admin tab.
  2. Under the PAM360 Agents section, you will find the following agent packages available for download:
    1. Windows Agent
    2. Windows Domain Agent
    3. Linux Agent
    4. macOS Agent
  3. In the pop-up that appears, copy the Agent Key using the Copy icon beside it. This agent key is necessary to install the PAM360 agent on the target system and can only be used once. Once utilized for an installation, the key will become invalid.
    pmp-agent1
  4. To extend the validity duration of the Agent Key, enable the Allow the key to be active for X hours checkbox and enter a number in the given field. For example, If you enter 4, the agent installation key will be valid for 4 hours, and the same agent key can be used to install any number of agents in the remote machines within this time frame. This is useful during bulk deployments.

    Notes:
    1. Please do not share this key as it might cause the unauthorized use of the agent.
    2. Navigate to the <PAM360 Installation Folder>/conf/system_properties.conf directory and mention the following command to extend the key validity up to 999 hrs.
    - agent.gpo.time=999

  5. Click the Download Agent button to download the agent package as a zip file.
  6. Once the agent package zip file is downloaded, unzip its contents on the respective device you wish to manage via the agent.

2. Configuring Agent Settings

Note: While installing the PAM360 Windows agent, the agent properties are displayed on the agent installation wizard, allowing you to modify the parameters during installation. For Linux and macOS agents, the agent properties can only be updated by editing the agent.conf file.

Open the agent.conf / agent.json file from the downloaded agent package. Below are the parameters listed in the agent file, many of which can be customized to meet your specific requirements:

  1. AgentType: This denotes the type of agent i.e., agent with PAM360 features.
  2. ServerName: This is the server/IP Address that the PAM360 agent will try to reach to contact the PAM360 server.
  3. ServerPort: This indicates the port in which the PAM360 server is running. If you have changed the default port of PAM360 to any other port such as 443, the same port number must be updated here.
  4. ScheduleInterval: By default, the agent pings the server once every 60 seconds. To configure the time interval at which the agent should ping the PAM360 web server, modify the time interval value in seconds.
  5. UserName: This is the admin user account under which the agent server will be added as a resource.
  6. OSType: Denotes the OS to which the agent belongs - Windows/Windows Domain/Linux.
  7. TrustedCertifcate: If you do not have a valid SSL certificate for the PAM360 server update this value to 'no'.
  8. IncludeDisabledAccounts: This parameter indicates whether disabled accounts on the resource should be included during account discovery. Set this value to False if you do not wish to include disabled accounts during the discovery process. This parameter is only applicable to the Mac agent.

PAM360 allows the restriction of user accounts that are added via agents (C# and Go) during account discovery, using regex patterns. To do the same, use the below UserQuery and accountFilter commands:

  • UserQuery: To filter the accounts in Linux (Go Agent).

    UserQuery = "awk -F: '$1 ~ /^admin.*/ {print$1}' /etc/passwd"

    //to discover accounts that starts with admin.


  • accountFilter: To filter accounts in Windows/Windows Domain (C# Agent).

    accountFilter=^admin.*

    // to discover accounts that starts with admin.

    Note: Windows Domain agent will not automatically add user accounts unless you specify the pattern in the account filter.


  • fetchDisabledAccount: To fetch disabled accounts in Windows/Windows Domain (C# Agent).

    fetchDisabledAccount=True

The commands UserQuery, accountFilter and fetchDisabledAccount are applicable from build 5301 and later only.

Once any of the above parameters are modified, restart the agent service.

3. Installing Windows/Windows Domain Agent in the Resources/User Devices

3.1 Installation using Command Prompt

a. To Install the Agent in the Resources

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Execute the following command as per your agent installation requirements:
    1. To install the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To install the agent as a service for password management, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 1.
    3. To install the agent as a service for self-service privilege elevation, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI>2.
      To learn more about configuring Self-Service Privilege Elevation in Windows, click here.
    4. To install the agent as a service for zero trust implementation, execute the command AgentInstaller.exe install <Agent Key copied from the PAM360 UI>3.
      To learn more about zero trust implementation in PAM360, click here.
  3. Upon the respective action, the Windows/Windows Domain agent will be installed and the respective PAM360 agent service will start automatically.

b. To Install the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - AgentInstaller.exe install <Agent Key copied from the PAM360 UI> userdevice <PAM360 username>.

    Note:
    If you install the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

c. To Start the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command AgentInstaller.exe start.
    3. The previously installed PAM360 agent service will start now.

d. To Update the Agent in the Resources

In case the PAM360 agent was previously installed by a different administrator, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added as a resource under the new admin user without the need to uninstall and reinstall the agent. However, the new administrator will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Execute the following command as per your agent update requirements:
    1. To update the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To update the agent as a service for password management, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI> 1.
    3. To update the agent as a service for self-service privilege elevation, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI>2.
      To learn more about configuring Self-Service Privilege Elevation in Windows, click here.
    4. To update the agent as a service for zero trust implementation, execute the command AgentInstaller.exe update <Agent Key copied from the PAM360 UI>3.
      To learn more about zero trust implementation in PAM360, click here.
  3. Upon the respective action, the Windows agent will be updated and the PAM360 agent service will start automatically.

e. To update the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - AgentInstaller.exe update <Agent Key copied from the PAM360 UI> userdevice <PAM360 username>.

    Note:
    If you update the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

f. To Stop the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command AgentInstaller.exe stop.
    3. Now the PAM360 agent service will stop and it will be uninstalled.

3.2 Installation using PAM360 Agent Installer


Prerequisite: Ensure that the agent-installed folder has complete permission for both the privileged account and the user account.

After downloading the agent, extract the folder and navigate to PAM360Agent >> bin.

a. To Install the Agent in the Resources/User Devices

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Select the Install option.
  4. Enter the Installation Key and mention the  Installation Path. Click Next.
  5. In the Configurations page that opens:
    1. Enter/modify the fields, such as Resource Type, Server Name, Port, Schedule Interval, Resource Owner, etc., based on your agent installation requirements.
    2. Select the respective Usage Type of the agent. If you are installing the PAM360 agent in a user device to fetch user device data for user trust score calculation, select the Usage Type as User Device and enter the PAM360 user name to whom the user device is associated. If you are installing the PAM360 agent in an organization resource to fetch device data for resource trust score calculation, select the Usage Type as Resource.

      Notes:
      If you choose User Device as the Usage Type, the Modules section will automatically select Zero Trust by default. Any device that has the PAM360 agent installed with Usage Type - User Device will not be added as a resource in PAM360. The operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

    3. Select the desired modules for your requirements from the PAM360 agent by enabling the corresponding checkboxes for 'Manage Passwords', 'Self-Service Privilege Elevation', and/or 'Zero Trust' in the Modules section.
      1. If you enable Manage Passwords, a service will be added that will request the server periodically to verify and/or reset the password of accounts.
      2. If you enable Self-Service Privilege Elevation, a Self-Service Privilege Elevation module will be added.
        To learn more about configuring Self-Service Privilege Elevation, click here.
      3. If you enable Zero Trust, a service will be added that will request the user devices or resources' system data periodically, as defined above in the Usage Type for the trust score parameter validation.
        To learn more about implementing the Zero Trust approach in an organization, click here.
    1. By default, the SSL Certificate Installed field will be selected with Yes. If there is no valid SSL certificate installed in the PAM360, change this SSL Certificate Installed field to No.

      2. Notes: The Test Server Connection status will be failed if selected Yes in the SSL Certificate Installed field, with no valid SSL certificate installed in the PAM360 server.

  6. On the Operations page, check if the first two conditions are met and click Install.

You have now successfully installed the Windows/Windows Domain agent.

Notes:

  1. By default, all the files/applications(.exe, .msc, .msi, .cmd, and .bat) will have "Run as PAM360 Privilege Account" in the right-click menu. But the privilege elevation works only for those files/applications that are configured in PAM360.
  2. When Self-Service Privilege Elevation is installed, the agent information will not be available in the services console.

b. To Start the Agent Service in the Resources/User Devices:

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Click the Operations icon.
  4. Right-click the three dots beside Agent Service Status and click Start.
  5. From here, you can also Stop, Restart the agent and Go to the Service Console.

c. To Update the Agent in the Resources/User Devices

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. The PAM360 Agent Installer wizard appears on the screen.
  3. Select the Reinstall option.
  4. Enter the Installation Key and mention the Installation Path. Click Next.
  5. In the Configurations page that opens:
    1. Modify the fields, such as Resource Type, Server Name, Port, Schedule Interval, Resource Owner, etc., based on your agent installation requirements.
    2. Select the respective Usage Type of the agent. If you are updating the PAM360 agent in a user device to fetch user device data for user trust score calculation, select the Usage Type as User Device and enter the PAM360 user name to whom the user device is associated. If you are updating the PAM360 agent in an organization resource to fetch device data for resource trust score calculation, select the Usage Type as Resource.

      Notes:
      If you choose User Device as the Usage Type, the Modules section will automatically select Zero Trust by default. Any device that has the PAM360 agent updated with Usage Type - User Device will not be added as a resource in PAM360. The operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

    3. Select the desired modules for your requirements from the PAM360 agent by enabling the corresponding checkboxes for 'Manage Passwords', 'Self-Service Privilege Elevation', and/or 'Zero Trust' in the Modules section.
      1. If you enable Manage Passwords, a service will be added that will request the server periodically to verify and/or reset the password of accounts.
      2. If you enable Self-Service Privilege Elevation, a Self-Service Privilege Elevation module will be added.
        To learn more about configuring Self-Service Privilege Elevation, click here.
      3. If you enable Zero Trust, a service will be added that will request the user devices or resources' system data periodically, as defined above in the Usage Type for the trust score parameter validation.
        To learn more about implementing the Zero Trust approach in an organization, click here.
    1. By default, the SSL Certificate Installed field will be selected with Yes. If there is no valid SSL certificate installed in the PAM360, change this SSL Certificate Installed field to No.

      2. Notes: The Test Server Connection status will be failed if selected Yes in the SSL Certificate Installed field, with no valid SSL certificate installed in the PAM360 server.

  6. On the Operations page, check if the first two conditions are met and click Next to reinstall the agent.

You have now successfully reinstalled the C# agent.

d. To Uninstall the Agent from the Resources/User Devices

  1. Right-click AgentInstaller.exe and select Run as administrator.
  2. In the wizard that appears, select Uninstall and click Next.
  3. In the Configurations page, select the Modules (Manage Passwords, Self-Service Privilege Elevation, and/or Zero Trust) you want to uninstall and click Next.
  4. In the Operations page, check if the first two conditions are met. Click Uninstall.

You have now successfully uninstalled the Windows/Windows Domain agent.

4. Installing Linux Agent in the Linux Resources/User Devices


Notes:

  1. You need root privileges in the target system to execute the above commands.
  2. PAM360 agents (32bit, 64bit) support the Linux flavors with the default OpenSSL library only.
  3. Go-Agent supports all Linux flavors.

4.1 To Install the Agent in the Resources

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Refer to the below steps to install the agent as per your requirement (bash command applicable for Go Agent only):
    1. To install the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To install the agent as a service for password management, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI> 1.
    3. To install the agent as a service for self-service privilege elevation, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI>2.
      To learn more about configuring Self-Service Privilege Elevation in Linux, click here.
    4. To install the agent as a service for zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash install <Agent Key copied from the PAM360 UI>3.
      To learn more about zero trust implementation in PAM360, click here.
  3. The Linux agent will be installed and the PAM360 agent service will start automatically.

4.2 To Install the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - installAgent-service.sh install <key> userdevice <PAM360 username>.

    Note: If you install the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

4.3 To Start the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh/bash installAgent-service.bash start (bash command applicable for Go Agent only).
    3. The previously installed PAM360 agent service will start now.

4.4 To Update the Agent in the Resources

In case the PAM360 agent was previously installed by a different admin user, use this command to update the user account under which the agent server will be added as a resource. The agent server will be added under the new admin user without the need to uninstall and reinstall the agent. However, the new admin will not have access to the accounts that were previously under the agent server. To gain access to the accounts, the previous admin has to transfer the ownership of the resource to the new admin.

  1. Open a command prompt and navigate to the PAM360 agent installation directory.
  2. Refer to the below steps to update the agent as per your requirement (bash command applicable for Go Agent only):
    1. To update the agent as a service for password management, self-service privilege elevation, and zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI> 1,2,3.
    2. To update the agent as a service for password management, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI> 1.
    3. To update the agent as a service for self-service privilege elevation, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI>2.
      To learn more about configuring Self-Service Privilege Elevation in Linux, click here.
    4. To update the agent as a service for zero trust implementation, execute the command sh installAgent-service.sh/bash installAgent-service.bash update <Agent Key copied from the PAM360 UI>3.
      To learn more about zero trust implementation in PAM360, click here.
  3. The Linux agent will be updated and the PAM360 agent service will start automatically.

4.5 To Update the Agent in the User Devices for Zero Trust Approach

  1. Execute the command - installAgent-service.sh update <key> userdevice <PAM360 username>.

    Note: If you update the agent as a service for a user device, it will be utilized to retrieve data from the user device for user trust score calculation. However, any device that has the agent configured in this manner will not be added as a resource in PAM360. Therefore, operations such as Self-Service Privilege Elevation and Password Management will not apply to those devices.

4.6 To Stop the Agent Service in the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh/bash installAgent-service.bash stop (bash command applicable for Go Agent only).
    3. The Linux agent service will be stopped.

4.7 To Uninstall the Agent from the Resources/User Devices

    1. Open a command prompt and navigate to the PAM360 agent installation directory.
    2. Execute the command sh installAgent-service.sh/bash installAgent-service.bash remove (bash command applicable for Go Agent only).
    3. The Linux agent will be uninstalled and removed.

5. Installing macOS Agent


Prerequisites:

  1. Before proceeding with the agent installation, ensure that the agent.json file contains correct values for the following settings: server port, schedule interval, username, etc., as they are initially set to default values.
  2. If you do not have a valid SSL certificate for the PAM360 server, set the TrustedCertificate field in the agent.json file to no.

Follow these steps to install the PAM360 macOS agent on the remote resource:

  1. Access the remote resource with root privileges and extract the contents of the agent package zip file at any location on the system.
  2. Open a terminal, navigate to the agent package extracted folder, and execute the command sh installMacAgent-service.sh install <Agent Key copied from the PAM360 UI> to install the agent as a service. The PAM360 agent will be installed on your Mac device.
  3. Upon installation, navigate to the Library >> ManageEngine >> macOS Agent folder on your device to access the agent.
  4. To start or stop the PAM360 agent service, execute the following commands as required:
    1. Execute the sh installMacAgent-service.sh start command to start the agent.
    2. Execute the sh installMacAgent-service.sh stop command to stop the agent.
  5. To uninstall the agent, execute the sh installMacAgent-service.sh uninstall command on the terminal window from the agent folder.
  6. Execute the sh installMacAgent-service.sh reinstall <Agent Key copied from the PAM360 UI> command to reinstall the agent.
Top