BeyondTrust Endpoint Privilege Management Reviews

We are using it in our organization for whitelisting a set of applications. In addition, we provide access in terms of access rules from low flexibility to higher flexibility. We also have various other use cases.

It is a cloud product. It is completely on BeyondTrust's cloud. They're using some cloud product, and we're just accessing the console from our end. We haven't deployed it on our cloud provider.

In terms of the version, the client version is 21.7, and the adapter version is 21.8. That's the latest one that we are testing right now.

It is helpful for security. We have thousands of applications and a lot of users who are using these applications. We don't have to provide each and every user admin rights to install those applications. We can just whitelist those applications and provide them to the users. We don't have to provide admin rights to the users, which makes it secure because once the users have admin rights, they can do anything on their devices. We don't have to provide them with admin rights just for installation purposes. We can just whitelist those applications in the environment, and we're good.

It is very important that we can add events straight from event logs and/or the database. Those logs are used for creating rules.

It allows us to elevate approved applications and actions without broad admin rights. It reduces the support tickets because a user is able to use applications without any problems.

It has reduced the tickets for application installation. We don't get any tickets because an application first gets analyzed and only then gets deployed in the production environment. So, if there is any issue regarding the deployment of an application, it gets sorted out initially, and we don't get any support tickets related to that. It has reduced the support tickets from the end-user perspective.

By reducing the number of tickets, it has reduced desktop support costs. From the application perspective, whitelisting and other things are handled remotely once, which reduces the support tickets. When the support tickets are reduced, the workforce required to attend to and resolve those issues is also reduced. The cost savings depend on the number of applications you have in your environment and the number of users you are dealing with. 

It provides a single solution for managing endpoint security preferences. Its impact on our endpoint management operations is good. We don't have to provide admin rights to all the users. It has increased the security of the environment, and it has reduced the exposure score from the vulnerability perspective. It is a very good solution. It has improved our security posture.

The whitelisting feature is valuable. It is a good feature. My organization is using more than 10K applications, and we are using EPM to whitelist applications in our environment and allow those applications to provide some tokens and make them work. If users want to install an application on any device, instead of giving rights to them, we basically whitelist that application, and we provide the token to the application so that they don't prompt for elevation.

The logs are also good. Logs that get collected on the Privilege Management console from the agents are very good. They help us to identify the aspects from which we have to whitelist an application.

It keeps on breaking every now and then. It is not yet mature. Every time something new comes up or we run into some new issues, the culprit is BeyondTrust because the agents and the adapter are not mature. The new development process goes on, and they're not able to handle things. It should be mature. It shouldn't break every now and then. 

Their support members should be very proactive in responding and providing the resolution. Their support team takes a lot of time to resolve the issues.

When it comes to whitelisting and implementing policy changes, if the application doesn't have the complete set of parameters based on which you whitelist an application or application is still under development and the versions keep on changing, that sometimes creates problems because you have to revisit the rules again and again. That could be simpler.

It has been a year since I have been using it.

It is not a stable product. 

It is scalable. We are going to use it for 100K users. Currently, we have 10K users, but we have seen a lot of instability in the product.

Some of them are very good, and some of them are not good. Sometimes, you get a quick resolution, but sometimes, it prolongs for a month or even more than a month. I would rate them a seven out of ten.

It was complex because every organization has its own needs. Initially, we were looking for some solution, but they didn't have that. We had to work around that, and finally, we devised a solution. It was a little bit complex for us to achieve what we were looking for. It took about a month.

It doesn't require much maintenance. The upgrades are done at the backend by BeyondTrust. So, there is not much, but for testing, three to four people are enough. They are from the operations teams.

BeyondTrust Endpoint Privilege Management has the flexibility to enforce privilege across Windows and Mac endpoints as well as Unix and Linux machines, but I've only worked with Windows machines. So far, we have had a good experience.

I would recommend this product. It is a good product, but it needs to be more mature. Overall, I would rate it an eight out of ten.

I was part of the project, I collaborated with a Privileged Access Management consultant and incorporated it with their existing password safe from BeyondTrust. This allowed for a comprehensive approach to security within the designated area of focus.

When it comes to FSO security, a prevalent objective is the removal of admin rights for users and many security teams aim to transition users from admin to standard status, even while ensuring the seamless operation of critical business applications. Challenges arise as some users find it difficult to complete their tasks without admin rights. Avecto Defendpoint addresses this by allowing specific business applications to run with elevated privileges through the Advantage Token. Striking a balance, it empowers users in standard mode to run essential business applications with the necessary admin rights, while maintaining a secure posture.

The notable aspect is its ability to capture the application's behavior comprehensively and this thorough analysis is crucial for effective policy management. During troubleshooting, the event capture feature, known as PG capture, proves invaluable. By leveraging this functionality, administrators can quickly identify processes through Windows Event Viewer. The obtained insights from these events can be utilized for immediate problem resolution. Furthermore, the reporting feature facilitates the seamless addition of policies based on the gathered information, making it a standout and practical feature. In the event of attackers attempting to execute malicious files that require admin privileges, it intervenes at the initial stage, blocking such attempts outright. The incorporation of a chat feature and the adoption of BeyondTrust's Trusted Application Protection further enhance security measures. Organizations often opt for implementing policies from this application suite, safeguarding fundamental applications like Office, Adobe, and browsers.

When working with the on-premises installation, the reporting process posed challenges, requiring the installation of SQL. The differences between EPO reports and the reporting console were observed, prompting a desire for equivalence, especially in specific report types critical to customer evaluation. Aligning these features across platforms would enhance the overall reporting consistency and user experience. A valuable enhancement could be the capability to deploy agents directly through the console. While it might not currently fall within the scope of the product, having the ability to uninstall or install agents seamlessly through the console would be a beneficial feature.

I have been using it for six years.

It is notably stable, especially evident through its tamper protection feature. Even attempts to tamper with the product, such as through registry settings, proved unsuccessful in our testing, attesting to its robustness.

The ability to seamlessly uninstall or install agents through the console would be highly advantageous. Presently, dependency on SSE for scalability and deployment tasks involves setting up groups and pushing tasks to endpoints, including the configuration of policies for certificates.

Their support was excellent, providing valuable responses within a few hours. However, during the transition period, typical of major changes, responsiveness slightly declined, taking a day or two to receive a response. Fortunately, things have improved, and we now receive prompt responses.

CyberArk is a significant rival, offering a multitude of features, some of which may not necessarily align with the fundamental needs of the customers. Avecto Defendpoint, on the other hand, caters to the precise requirements articulated by the customers. This thorough comparison involves not only feature sets but also financial considerations and other pertinent aspects.

The initial setup is straightforward, requiring the fulfillment of certain prerequisites. This includes setting up ports and, if opting for reporting through SQL, configuring the SQL server along with the necessary accounts. When all these prerequisites are in place, the implementation process is smooth and not overly complicated.

The process involves several steps, starting with initial discussions to understand the existing infrastructure and identifying the necessary knowledge about the current state. Subsequently, approvals need to be obtained from relevant workflow departments based on the proposed changes. Once the groundwork is established, the next phase entails getting the servers up and running for it. The decision-making process then extends to choosing the appropriate deployment model, whether on-premises or in the cloud. For customers with the Password Safe, considerations regarding the Password Safe console come into play. This comprehensive approach ensures a thorough understanding of the client's requirements before making informed decisions about the deployment. Our process typically involves progressing from Proof of Concepts to real-time production deployment. The entire timeline for this transition spans approximately three months.

By consistently reviewing and adjusting policies, and implementing stringent measures, this product can provide enhanced security, ensuring a substantial return on investment.

It is relatively more cost-effective compared to the competing product.

When evaluating this product, it's more effective to base the assessment on your specific use cases rather than comparing it to other products. If the product aligns with ninety percent of your use cases and meets your needs, it would strongly indicate that proceeding with this product is a favorable choice. Overall, I would rate it eight out of ten.

It's mainly for privilege management when you log in to any Windows system, so you'll be able to execute only what you have to and can.

Everyone in the company uses BeyondTrust Endpoint Privilege Management—about 3000 to 4000 in South Africa and another 1000 in the UK.

One of the valuable features is the absence of any local user in a unique system. All users are defined in the AD; communication is only between Unix and AD. When you log in, there are no local users on any unique system you access.

Another valuable feature is privilege management, where only the command steps needed to be executed given to the user, and they cannot execute more than that.

There is always room for improvement. One thing that would be helpful is if it was easier to define which commands can be used. Currently, we use a program to automate all of this, but it's not a default feature of BeyondTrust Endpoint Privilege Management. It can be a bit more difficult if we're not using our own script. We have a script that checks the day from the AD group to see if any users have certain privileges, and we execute it to make any necessary changes. We've automated the process by creating our own script. We run it four times a day.

In the future release, I would like to see it easier to configure without adding all the scripts. It would be helpful if it had a user-friendly manual that allows you to change things easily. It would make BeyondTrust Endpoint Privilege Management a lot easier to use.

I've been working with it for a long time. It's the latest version.

We started with AD Bridge about four years ago, only AD Bridge, and then we added the privilege management about two years after finishing the credit bridge.

I would rate stability a seven out of ten. Sometimes we lose the connection to the domain, but just the domain joins and resolves the problem.

It is a scalable product. We have over 1000 systems that we scan every day. We check every day if the system is not there in full. If it has been more than twenty days, we take it out of the assets. If there is a new system, it will join the asset. We have a contract running four times a day that checks for all this. If there is a user that left the company and was deleted from the database, it's all automated.

The customer service team is okay. I've had a few issues with them, but they were reasonable. However, I have one issue that has been ongoing for a year, and they have not been able to solve it yet. It could be a difficult issue, I'm not sure. I managed to resolve it myself with my own programs that check and solve it automatically, but it persists after over a year. They are unable to identify or replicate the problem.

We need two to three people for solution administration. We have a big configuration and complicate it with the script that we are running. These scripts are very complicated, and it took us quite a few times to wind it to this case. But now that it is automated, we need half a person to do it. But in the beginning, we needed a lot of people.

And now that it is running and automated, every user has been added automatically without any intervention.

Before, we had a division where we had to add local users all over the systems. But now we are using BeyondTrust Endpoint Privilege Management. All are controlled by the privilege management, and we don't have so many problems.

I suggest starting with AD Bridge and implementing it properly before installing the privilege management. Doing them together will be very difficult. First, enable the AD Bridge fully and make it available to all users, and then install Privilege Management.

I would rate it around eight out of ten.

There are three components for BeyondTrust. Password Safe is where we privilege the accounts like server accounts, domain accounts, local accounts, or custom third-party applications. We use the application to monitor and fix the recordings of third-party applications. You can also use it for Cisco integrations and multi-factor authentication.

I find the solution’s features like section management, password management, and analytics valuable.

There are three types of endpoints. If we need to use them in the solution, then we need to purchase the licenses separately. The tool needs to improve its licensing.

I have been using the solution for four and a half years.

The solution is stable.

The solution is scalable. There are around 10,000 users for the solution in our organization.

The tool’s setup is straightforward compared to other products. The solution’s deployment depends on remote databases. We should also install a challenge-response code. For Password Safe, we need to install the EPM database, challenge-response code, etc.

The product’s licensing is different for Windows, Linux, and Mac. The tool’s licensing is yearly.

I would rate the solution an eight out of ten. You can deploy the solution to Azure, AWS, or on-premises. This solution will be very helpful for organizations for security purposes. The tool is very user-friendly. The solution’s graphic user interface is also very easy compared to other products.

There are three use cases that you can target. The first use case is the fact that some of your users may need admin rights for launching custom applications, such as Visual Studio, or they may want to install something on their machine on their own, or they may want to start, stop some services, change maybe system font, if the need arises, or install a custom font or change the driver, update the driver. Also, instead of giving full blanket admin rights, we can give selective admin rights using EPM in order to protect the company and the infrastructure from abuse. This is the first major use case.

The second use case is where we implement application blacklisting and whitelisting. If I don't want Adobe applications to run within my company, I can create a policy around that. Or, for example, if I have Adobe licenses, and those are only valid for version two to version three. Anything below two, I don't own and anything above three, I am not allowed to upgrade. Therefore, whitelisting based on version control also can be implemented. 

The third use case, which not popular in my region, is where cyberattacks can be mitigated or zero-day attacks can be mitigated, by making sure we whitelist only the browser and only Outlook. If the browser tries to invoke a script or if Outlook launches say Excel or PDF as an attachment, and from there, if a script tries to launch, we will be able to block it. Therefore, making sure that the entry point of the malware itself is blocked is possible. That said, having said that, it has zero intelligence in checking whether the script is legitimate or bad. It's going to block everything. It blocks all and later you can enable it, if the need arises.

The solution can scale.

It's relatively straightforward to set up, especially if you are deploying to the cloud.

Technical support has gotten more responsive.

At the moment, they don't support Linux. For this EPM, they have a different product for EPM, for Linux.

The same company needs two different products for EPM. One works with Windows and Mac and the other solution is mainly created for Linux. They can try to merge these two and make one product. That would be an improvement. Being a policy administrator, I have to create, or maybe monitor, two different admin consoles for the policy due to the separation between the OS.

They have a troubleshooting utility or a quick start utility, a quick start policy. They need to come up with better integrative options which should be customer-centric. At the moment, it is from their point of view. A quick start policy is something that helps customers to remove admin rights on day one.

I've been dealing with the solution for the last eight years. 

The solution is definitely stable. That's why within the last eight years, we are able to satisfy the most demanding customers in the world. It supports 10 users. It supports 10,000 users or even 100,000 users. It's scalable.

I'm not sure how many people collectively are using it in our company. I happen to have one specific area within my control. There are other technicians who will be implementing this from my own company.

I've used technical support in the past. 

The product was initially developed by Avecto. Then BeyondTrust purchased that company and they both merged together. Initially, the team was quite small. The company itself was small, and its support was not that good, in terms of response time. However, when they used to come online, their technical expertise was at par. It was way beyond our expectations. The only trouble was to bring them on a call, as the company was slightly small.

Fast forward six years, seven years. Now, the strength of BeyondTrust being a larger organization, we have better access to the technical team. Today, we raise a support ticket and someone will definitely assist by tomorrow. That's progress.

However, technical expertise becomes a challenge sometimes. Not always. Just sometimes. Any big organization will not assign an L3 person on day one. That's the architecture problem. Not the company's problem.

I may scream at the top of my lungs that I don't think this is something that an L1 can handle and they will not believe me. They would like to go through L1, and L2 and then eventually reach L3. That's the only issue with any big organization. It's an architectural problem. 

The ease of deployment depends on your requirement and your setup. If you are handling the cloud, then it's fairly easy. You simply download the agent and install the agent. The reporting is inbuilt. Policy management is inbuilt. If you consider other deployments, there is some friction, depending on the architecture.

The licensing is paid on a yearly basis. I can't speak, however, to the actual cost of the solution.

We are a partner and we sell and support this EPM solution to other customers.

We use both cloud and on-premises deployment options. 

I'd suggest new users go slow. Instead of going bold. It's a powerful solution. If I create a beautiful policy, the product will behave beautifully. However, if I create an ugly policy, the product will show its ugly face to you, as it's just a brainless bull running around. You have to give it a direction. Otherwise, it can harm you. 

Overall, I would rate the solution an eight out of ten.

Its use cases are mostly around all the 65,000 endpoints. The use cases are mostly for privileged access and the application control across all endpoints throughout the organization to make sure we have the least privileged model with zero-trust enabled at the endpoints.

We started with on-prem, but now, we've moved to the SaaS cloud.

It has helped in multiple ways. We have more than 30 years of legacy of having local admins on our endpoints. With this solution, we have removed the local admins from the users. Now, we are giving them privileges on their machine only for the applications and not for everything. It has reduced the unwanted risk and increased the security posture. 

It also helps with some robotic process automation. It helps with certain actions that we have been engaged in for certain RPA-type behaviors.

We are able to increase the security by blocking a lot of applications, such as encrypted chat applications and blacklisted applications. Data exfiltration is a big concern in our company, and this solution helps us to tighten up those controls in many different ways. We are able to control the access.

The privileged access and the application control are helpful in making sure we have good, robust challenge responses. Blacklisting with trusted application protection is also beneficial for us.

Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful.

One of the requirements that I've already expressed is that they can unify the clients. We have got two clients: one for the iC3 adapter and one for the Defendpoint client itself within the EPM product. iC3 is used for connection to the SaaS or cloud, and Defendpoint is the actual product that does all the local admin privilege management. They can just unify them. 

We've probably been using this solution for three years.

In the on-premise version, stability is okay. However, it takes time to sync up policies. That's because it depends on the environment that you have. From the Active Directory perspective, it depends on how the group policies are going to be advertised back to the endpoints. So, there was some delay, but it was completely because of our environment. 

In the cloud version, the deployments are pretty quick. Policies get deployed pretty quickly. Overall, the cloud experience has been good. However, because it's a SaaS service in the cloud, we often have to reach out to the BeyondTrust team to make sure that our backend compute, which is not visible to us, is completely solid. The databases, servers, and other things are running in the cloud, and they're properly, adequately beefed up to have the right resources because we don't have visibility on that. With on-prem, we know how much compute, memory, or CPU cores we are putting to the servers at the backend. On the SaaS cloud compute, we don't know that. The initial few registrations took a toll. It was because BeyondTrust was also trying to figure out the volume of traffic that was coming their way. It took a while to baseline the compute configuration at their end, but once it was all figured out and resolved, the performance has been fairly consistent.

The solution is scalable to the level of security posture that we wanted to deploy in our environment. From a scalability perspective, we are pretty good with the way we have used the product so far.

Their support line is good. They're familiar with the product, and they have expertise with the product. So far, any tickets raised by my team have been dealt with fairly with the right solutions. I would give them an eight out of 10 because there is always room for improvement. There are instances where you expect a solution to come faster with more accurate details. There are always back and forth conversations, until and unless you figure out the final solution.

We didn't use any other solution previously. This was the first time we were trying to do an endpoint privilege management solution. 

It was a straightforward process. We were on-premise. We were using group policies to manage this whole EPM solution, and it was easy to move to the cloud. Wherever you have agent-based deployments, there is always a little bit of complication, but we were able to make it work.

On-prem deployment took almost three to four months. We had a very large and wide-scale environment. A lot of legacies were also built-in, so it took a while to build the policies around, get the local admins out from the endpoints, and take over with Defendpoint or the BeyondTrust EPM solution.

The migration to the cloud was pretty good. It wasn't that bad. When we had it on-prem, it was a single client. When we had to go to the cloud, two clients were needed. One was the iC3 web adapter that makes a connection to the SaaS cloud, and the second one was the existing Defendpoint client. Having an extra client adapter needed a little bit more packaging on the endpoint side, which added a little bit more to the transition to the cloud. Policy-wise, everything was straightforward.

We did it by ourselves. In the initial deployment, it was a team of six or seven people. They came from different groups. We had group policy administrators, Windows administrators, and security administrators from my team. There was also the endpoint provisioning team that does the packaging work.

In the cloud migration, the same team was there, but we didn't have the Windows team and the admin team. That's because they weren't required from a group policy perspective. It mostly had security administrators. The packaging team was also very important. We also have a test team that does the validation from a testing perspective across a variety of endpoints in different regions. So, there were around six or seven people during the cloud migration.

We have definitely been getting an ROI, and we want to maximize that ROI. We have a zero-trust adoption process going on continuously for the next two to three years, so we are trying to maximize the ROI. We haven't yet got the full ROI, and we will try to maximize the ROI from the product going forward.

Its pricing and licensing are okay. We were in the perpetual model when it was on-prem, and now, with the SaaS service, we have a subscription model. As a customer, I would always like to see a lower price, but it seems to be priced at the right model currently, and we are trying to get the maximum benefits out of it.

In addition to their standard licensing fees, there is just the internal infrastructure cost for the license, indexing, etc. There is nothing additional from any other components that we use for the job. These are the resources for managing the solution at our end.

We did take a look at several other products, but we finalized on BeyondTrust. We looked at some of the Microsoft solutions, and we also looked at some of the CyberArk solutions to do a comparison. What was more interesting with BeyondTrust was the flexibility in the policies. The clarity in the policy writing was a little better, and the deployment of the solution was easier. The overall product simplicity was fairly okay. When you're going from a hardcore local admin to a zero local admin stage, simplicity in the product is extremely important. So, simplicity and flexibility were the key factors.

I would advise going for the cloud-based solution. The cloud-based solution has come a long way from its initial stage. 

It is a very simplified solution. Their licenses are very straightforward, simple, and accommodating. The support has been really good, and their flexible policy model has really been instrumental in going for a stage-by-stage approach. You don't have to go all the way to impact your environment from day one. You can define your policies using their quick policy wizard and other processes to simplify your environment. You should proceed step-by-step to get rid of the local admin and the environment. Evaluation with their simplistic and flexible model is going to make it much easier and faster for you to pick up the solution.

I would rate it a nine out of 10. There is always a scope for improvement.

We are using the solution to access the servers remotely.

The solution's most valuable feature is its ability to publish the application remotely instead of logging into the server. You can just run the software from the remote server. 

The solution's features for customizing access for the engineers, creating forms, and establishing workflows need improvement. Also, they should provide integration with VDI solutions. It would be great to run it from the Citrix Storefront or VMware Horizon.

I have been using the solution for three years.

The solution is stable.

The solution's technical support is good.

Positive

The solution is easy to deploy. However, it is complex in terms of configuration and customization. The process takes nearly two weeks to complete.

We implemented the solution with the help of two or three executives and an integrator.

The solution's pricing is high.

The solution's enterprise features align precisely with our organizational focus. I advise others to evaluate it and compare, considering the variations in each environment.

Overall, I rate it seven out of ten.

It is straightforward. It is a good technology, and it is made to do one single thing.

They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment.

I have been selling this solution for three years.

It is stable. 

It is scalable.

I never had a problem for which I needed their technical support. The product is simple and easy to use. Our team is also capable of solving all the problems.

It is easy to deploy. The deployment duration depends on how many servers or routers you have, what kind of IT stuff you need to grant access to, and how much stuff you have. I am referring to the entire environment with all the customers and all the users. If you have five routers, five firewalls, it might take up to two to three days to deploy the entire solution. It also depends on the number of administrators you have.

Price-wise, it is very competitive. In our area, government entities and banks don't go for the monthly payment. It is a headache even for us in terms of finance and procurement to go for monthly payments. Quarterly might be more logical and reasonable, but the minimum that we go for is one year, and sometimes, we even try to compile and give one offering for three years.

It is mainly deployed on-prem. About 95% of the sales that I do are on-prem solutions. That's because we're talking about security.

It is a good technology. I would definitely recommend this solution. I would never sell it if I can't recommend it. I would give it an eight out of 10.