Hi
I'm from the Cybersecurity team at my company. We provide users with elevated permissions using CyberArk Endpoint Privilege Management (EPM). This allows users to run programs as an administrator, without adding them to the local administrators group for the sake of increased security, by giving programs an admin token when it requests it.
CONNECTION client is definitely running as administrator, but fails on the download of the CONNECTION Client update and any other updates that it finds - for the CONNECTION Client update, this only seems to be the download part though. If the download is initiated when the user is a full local admin, and once it's completed, the full rights are removed and replaced with CyberArk EPM, then it will install the update without issue using the EPM elevated privileges. Any further updates will not download or install without the full administrator rights though.
So how does the CONNECTION Client work in terms of detecting administrator? Does it manually check if the user is a part of the Administrators group of the device? Is there a workaround in mind or some settings that can be changed so that it will recognise the admin privileges coming from EPM, and if not, how can I raise this as a feature request? Various endpoint privilege management solutions are only going to become more common so I wonder if this is happening across the others and needs to be fixed for future.
Adam
We are having the same issues here at our company while using Safeguard Privilege Manager. We are able to let the Connection Client run with Admin privileges using our EPM solution, but it seems to have trouble with the actual download of the update for some reason. We may have found a workaround though if you are still looking for an answer.
Go into the settings on the Connection Client app, go to the Updates tab, and change the setting in the first drop-down menu to 'Download updates but let me choose whether to install'. Then reboot the computer, launch Connection Client again with elevated permissions through your EPM, and it should automatically download the updates as soon as it launches. After that we were able to install them.
We tried to avoid having to reboot in between, but even killing the Bentley processes in the task manager did not get it to work. I assume there is something else running still that I am not seeing.
Literally figured this out 5 minutes ago, so I have not had a chance to test it much to see how it behaves with future updates.
Also, I have only worked with this one EPM solution, but I did need to give the application permission to 'run with user context' and to also apply the elevated permissions to all child processes as well after whitelisting the Connection Client.
Hope this helps!
Answer Verified By: Adam Beaumont
Hi, thanks for answering!
In the end we had to build out a process for Bentley users to get full admin rights as there were too many issues being caused between EPM and the programs, and I wasn't getting much help from either Bentley or CyberArk. However, what you've described above sounds like it could be promising. I'll certainly keep it in mind in future when I eventually revisit the issue. For now, I'll mark it as the answer!