# _general
j
CyberArk EPM - any good? Any bad reports? How does it compare to the likes of Ivanti/MS solutions?
n
I'm not on the team that owns/manages it, but it seems to work well in our environment. I like that I can be added to a group that has admin rights, and can then right-click on any process to run elevated and not have to re-enter my creds. Sealing our persistent images has been a fucking nightmare with them because a) their official documentation isn't entirely accurate, b) the support people we've spoken with about this topic are simply not knowledgeable in virtual technologies (not everything is a non-persistent VM, which they can't grasp), and c) it requires a lot of testing. I finally have a working sealing script with everything that we needed to do in order to generalize the agent so that duplicate records did not appear in their console. I can provide that if it helps.
j
Thanks. They confirm they're not too good at normalization 🙂
Apparently installing EPM as part of the actual sealing script is a way to make it work
n
That definitely isn't the case for us - the EPM service generates the GUID at start, not at connection to the server. That was the big issue for us.
And it was made worse with MCS. Since Citrix basically boots the VM to do the sysprep stuff quickly, that service would start and generate a GUID which would be baked into every single VDA built using that master.
To get around that, my sealing script sets the service to Manual, and we have a domain GPO setting it back to Automatic. It's the only way to 100% ensure that the images are generalized properly.
j
Will pass all this on, thanks. Seems pretty feature-rich to be fair, and doesn't come with all the infra attached to something like UWM
Not sure how it stacks up to the latest MS offerings though
n
In case it helps, here's the CyberArk portion of my sealing script:
```powershell
# Write-ToLog is defined elsewhere in the full sealing script (assumed signature: -Message, -ErrTrap).
# This fallback stub exists only so the excerpt runs stand-alone.
If (-not (Get-Command Write-ToLog -ErrorAction SilentlyContinue)) {
	Function Write-ToLog { Param([string]$Message, [bool]$ErrTrap = $False) Write-Host $Message }
}

$CyberArk_Dir  = "C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent"
$CyberArk_Exec = Join-Path $CyberArk_Dir "vf_agent.exe"
$CyberArk_Arg1 = "-StopPasServ"
$CyberArk_Arg2 = "-StopServ"

# Stop the agent through its own executable, then confirm the service actually stopped.
If ((Get-Service -Name "vf_agent").Status -ne "Stopped") {
	Write-ToLog "Stopping the CyberArk EPM Agent service"
	Start-Process -FilePath $CyberArk_Exec -ArgumentList $CyberArk_Arg1 -WorkingDirectory $CyberArk_Dir -Wait -WindowStyle Hidden
	Start-Process -FilePath $CyberArk_Exec -ArgumentList $CyberArk_Arg2 -WorkingDirectory $CyberArk_Dir -Wait -WindowStyle Hidden
	Start-Sleep -Seconds 5
	If ((Get-Service -Name "vf_agent").Status -ne "Stopped") {
		Write-ToLog "Error: Failed to stop the CyberArk EPM Agent service" -ErrTrap $True
		Exit 333
	}
}

# Leave the service on Manual so it cannot generate a new AgentID while MCS boots the
# master for sysprep; a domain GPO sets it back to Automatic on the provisioned VDAs.
Set-Service -Name "vf_agent" -StartupType Manual | Out-Null

Write-ToLog "Generalizing the CyberArk Agent"
# Remove the per-machine identity and trace data so clones do not appear as duplicate records in the console.
Remove-Item (Join-Path $CyberArk_Dir "Trace") -Recurse -Force -ErrorAction SilentlyContinue | Out-Null
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Viewfinity\Agent\" -Name "AgentID" -Force -ErrorAction SilentlyContinue | Out-Null
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Viewfinity\Agent\" -Name "AgentIDPrev" -Force -ErrorAction SilentlyContinue | Out-Null
Remove-Item "HKLM:\SOFTWARE\ViewfinityUpgrade" -Recurse -Force -ErrorAction SilentlyContinue | Out-Null

# Verify the AgentID value is really gone before the image is sealed.
If ((Get-ItemProperty -Path "HKLM:\SOFTWARE\Viewfinity\Agent\").PSObject.Properties.Name -contains "AgentID") {
	Write-ToLog "Error: Failed to generalize the CyberArk client" -ErrTrap $True
	Exit 444
} Else {
	Write-ToLog "Successfully generalized the CyberArk client"
}
```
k
BeyondTrust is another EPM solution. Another team is responsible for it and just rolled it out, but they need like 5 people just to manage it with all the rules and configurations.
s
Make sure to do performance testing. I have seen it cause performance issues.