We face challenges with SSL inspection. If anything intercepts the tool from outside, the tool disconnects itself. We faced some challenges with remote desktop sessions. Our vendors have their own service accounts to log in to the applications and Windows. The accounts get locked often. It is the only challenge we face.
Sometimes, it's difficult for other users to understand how accounts and servers are mapped, which is complex. How the accounts are presented in the solution's UI can be improved.
When working with the on-premises installation, the reporting process posed challenges, requiring the installation of SQL. The differences between EPO reports and the reporting console were observed, prompting a desire for equivalence, especially in specific report types critical to customer evaluation. Aligning these features across platforms would enhance the overall reporting consistency and user experience. A valuable enhancement could be the capability to deploy agents directly through the console. While it might not currently fall within the scope of the product, having the ability to uninstall or install agents seamlessly through the console would be a beneficial feature.
Information Technology System Analyst at a tech services company with 1,001-5,000 employees
Real User
Top 5
2023-06-09T15:24:00Z
Jun 9, 2023
BeyondTrust EPM is a very complicated tool. When I started using it, I struggled for six months just to configure it. It's not straightforward and requires more improvements, especially in the console. Currently, there is no console option available in BeyondTrust Endpoint Privilege Management. In comparison, other tools offer a simple certificate management system in Windows Server. I'm not familiar with Linux since we primarily use Windows. In Windows, we just open the console for application management. We open a browser, log in, and access the console interface. However, with BeyondTrust Endpoint Privilege Management, it's different. It's a certificate-based tool where you have to double-click the certificate to bring up the user interface. Unfortunately, the user interface (UI) is very ugly. But when it comes to the tool's features, they are awesome. The tool's features are awesome. The only drawback is they need to improve the UI. They should have the option to access a console and report. Yes, the reporting is also very bad. Let's say I want to export a file from BeyondTrust EPM to see how many devices we have given admin access to with high or medium flexibility; I cannot export that information. I cannot export. I always take screenshots. There should be an option to simply click "export" and have an Excel file. So, those improvements are required in the UI. Since BeyondTrust is not used by many companies, there are very few companies that use this product, and it's also very expensive by the way. It was very expensive. Moreover, they should have a good portal, like Jamf has Jamf Nation. If you have any issues, you can find help there. But with BeyondTrust, since very few people are using it, there is no community to help each other. And on top of that, it's a very complicated tool to implement. These are the things that, in my opinion, they need to improve. But when it comes to the features, whatever you are paying for, you are getting your money's worth.
There are three types of endpoints. If we need to use them in the solution, then we need to purchase the licenses separately. The tool needs to improve its licensing.
Learn what your peers think about BeyondTrust Endpoint Privilege Management. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
There is room for improvement in having the solution align more with standards. We're always shoehorning the product into the standards. It's not that it doesn't work for standards, it does. But Quick Start Policies are pretty close to what we need. The vendor needs to keep looking at GDPR, 27001, and 27701. That's why our clients buy the product. Having templates available to implement this product against the various standards and the mandates that are actually forcing this product's purchase would be really nice. There are some templates, but it would be better to have more.
At the moment, they don't support Linux. For this EPM, they have a different product for EPM, for Linux. The same company needs two different products for EPM. One works with Windows and Mac and the other solution is mainly created for Linux. They can try to merge these two and make one product. That would be an improvement. Being a policy administrator, I have to create, or maybe monitor, two different admin consoles for the policy due to the separation between the OS. They have a troubleshooting utility or a quick start utility, a quick start policy. They need to come up with better integrative options which should be customer-centric. At the moment, it is from their point of view. A quick start policy is something that helps customers to remove admin rights on day one.
Sr. Manager Cyber Security at a manufacturing company with 10,001+ employees
Real User
2022-01-31T17:21:00Z
Jan 31, 2022
Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful. One of the requirements that I've already expressed is that they can unify the clients. We have got two clients: one for the iC3 adapter and one for the Defendpoint client itself within the EPM product. iC3 is used for connection to the SaaS or cloud, and Defendpoint is the actual product that does all the local admin privilege management. They can just unify them.
They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment.
Windows Enterprise Engineer at a comms service provider with 1,001-5,000 employees
Real User
2021-07-01T16:44:19Z
Jul 1, 2021
We have installed BeyondTrust, however, it's not working as-is. There are two domains, and there's a trust between those two domains, however, just one of the domains is working. We've not been able to set it up such that we're able to use the second domain as well. That, unfortunately for us, that second domain is a valuable domain, it's very critical. BeyondTrust is trying to find a way to do it, however, we do not need it for some time. It's working at least, however, there are some times where it just freezes out. We have to fall back on RDP to do BeyondTrust. That was part of the reason I was doing the comparison between BeyondTrust and Broadcom - to see if there was a way to resolve this. The implementation process could be better. It's not as vast as we would like it to be. If you don't get the implementation right at the outset, you will struggle with the product.
What's bothering me, which is true of all of them, is that sometimes, the error codes that come up don't necessarily get reflected in the searches within their support sites or they're out of date. I would rather search by an error code than type in the text and search for it by text because the error code means that it is programmatic, and it is known. It might not be desired, but it at least is not unexpected. If you don't have an error code, you just get an anomalous error, and if it is lengthy, it can be difficult to search and find the specific instance you're looking for. This is something I would like all of them to improve. BeyondTrust, CyberArk, Centrify, and Thycotic could do some improvements in staying up to date and actually allowing you to search based on the product version. They are assuming that everybody is on their way to release. They put out a new release, but it is not reflected on the support site, which makes no sense to me, especially when they revamp all the error codes. They all have been guilty of this in some way.
General Manager, Head of Information Security at a tech services company with 51-200 employees
Reseller
2020-11-05T07:26:32Z
Nov 5, 2020
There are different vendors that are pretty competitive in terms of features. BeyondTrust is great in some areas, however, CyberArk is as well. The solution needs to continue to add features in order to stay competitive in the market. Their technical support could be more responsive and helpful. The solution is quite expensive.
Team Lead, Network Infrastructure Business at a tech services company with 51-200 employees
Reseller
2020-01-29T11:24:00Z
Jan 29, 2020
The help system should be improved to provide a quick help guide with each tab within the solution, which explains what each particular function does. This would help because sometimes, you can get lost and you find yourself going back to see what the functions do. Have at least a very small hint for some of the key functions would go a long way to help with deploying and using the system. Better pricing would help this solution to grow in the Nigerian market.
Team Lead, Network Infrastructure Business at a tech services company with 51-200 employees
Reseller
2020-01-27T06:39:00Z
Jan 27, 2020
The deployment process should be clarified or made simpler. It would be helpful if the solution had in-app tutorials for users to look at as they progress through the system. Sometimes we get lost and need to go back to check what exactly the function was. There should be small hints around major key functions. It would go a long way in speeding up the deployment process.
Consultant- Information Security at a tech services company with 11-50 employees
Consultant
2020-01-12T12:03:00Z
Jan 12, 2020
There are a few points that are lagging in the technology and I think updated versions should be available more frequently. So the program updates are very rare and the frequency is too far apart to take care of bug fixes and adding the latest features.
VP Cyber Risk at a tech services company with 501-1,000 employees
Real User
2019-12-04T05:40:00Z
Dec 4, 2019
This depends on the client. Some clients find the granular approach a lot better than the simplified approach and some clients prefer the simplified approach better than the granular approach. Depending on the type of organization and type of information that must be protected, there are obviously different requirements.
One issue, especially when you deploy HA actively and passively, is the synchronization. Usually, there is a large delay between the sync. The biggest problem is that it takes at least 14 minutes to detect that the primary is down. That is 14 minutes of downtime, which is a huge amount of time, especially for our enterprise customers. That delay should be reduced. The other area to improve is that they rely on MS SQL servers only. You cannot have any other database behind them. They have to be on MS SQL. If they can do something about these issues, this would be a better alternative for some customers. In terms of software, BeyondTrust should work on other operating systems other than Windows and support non-Windows operating systems also.
If you are specifically dedicated to Privileged Access Management, the definitions are a bit unclear throughout the world. I have been in contact with engineers around the world, in Canada, the U.S, and the U.K as well. Everyone has quite a different definition for Privileged Access Management or Identity Access Management or Identity Management. Because of the definition of PAM, I don't think they can provide anything in addition to what has been defined. If you want to include anything else in this product, it will deviate from the boundaries of PAM.
Senior Technical Consultant at a tech services company with 1,001-5,000 employees
Real User
2018-08-09T06:47:00Z
Aug 9, 2018
It should support XWindows Remote Desktop Access Protocol for Linux/Unix. I would like more connectors for other security software/systems. A password is needed to access their security systems.
BeyondTrust Endpoint Privilege Management enables organizations to mitigate attacks by removing excess privileges on Windows, Mac, Unix/Linux and networked devices. Remove excessive end user privileges and control applications on Windows, Mac, Unix, Linux, and networked devices without hindering end-user productivity.
Key Solutions Include:
-ENTERPRISE PASSWORD SECURITY
Discover, manage and monitor all privileged accounts and SSH keys, secure privileged assets, and report on all privileged...
We face challenges with SSL inspection. If anything intercepts the tool from outside, the tool disconnects itself. We faced some challenges with remote desktop sessions. Our vendors have their own service accounts to log in to the applications and Windows. The accounts get locked often. It is the only challenge we face.
Sometimes, it's difficult for other users to understand how accounts and servers are mapped, which is complex. How the accounts are presented in the solution's UI can be improved.
When working with the on-premises installation, the reporting process posed challenges, requiring the installation of SQL. The differences between EPO reports and the reporting console were observed, prompting a desire for equivalence, especially in specific report types critical to customer evaluation. Aligning these features across platforms would enhance the overall reporting consistency and user experience. A valuable enhancement could be the capability to deploy agents directly through the console. While it might not currently fall within the scope of the product, having the ability to uninstall or install agents seamlessly through the console would be a beneficial feature.
The product should improve its price.
BeyondTrust EPM is a very complicated tool. When I started using it, I struggled for six months just to configure it. It's not straightforward and requires more improvements, especially in the console. Currently, there is no console option available in BeyondTrust Endpoint Privilege Management. In comparison, other tools offer a simple certificate management system in Windows Server. I'm not familiar with Linux since we primarily use Windows. In Windows, we just open the console for application management. We open a browser, log in, and access the console interface. However, with BeyondTrust Endpoint Privilege Management, it's different. It's a certificate-based tool where you have to double-click the certificate to bring up the user interface. Unfortunately, the user interface (UI) is very ugly. But when it comes to the tool's features, they are awesome. The tool's features are awesome. The only drawback is they need to improve the UI. They should have the option to access a console and report. Yes, the reporting is also very bad. Let's say I want to export a file from BeyondTrust EPM to see how many devices we have given admin access to with high or medium flexibility; I cannot export that information. I cannot export. I always take screenshots. There should be an option to simply click "export" and have an Excel file. So, those improvements are required in the UI. Since BeyondTrust is not used by many companies, there are very few companies that use this product, and it's also very expensive by the way. It was very expensive. Moreover, they should have a good portal, like Jamf has Jamf Nation. If you have any issues, you can find help there. But with BeyondTrust, since very few people are using it, there is no community to help each other. And on top of that, it's a very complicated tool to implement. These are the things that, in my opinion, they need to improve. But when it comes to the features, whatever you are paying for, you are getting your money's worth.
There are three types of endpoints. If we need to use them in the solution, then we need to purchase the licenses separately. The tool needs to improve its licensing.
There is room for improvement in having the solution align more with standards. We're always shoehorning the product into the standards. It's not that it doesn't work for standards, it does. But Quick Start Policies are pretty close to what we need. The vendor needs to keep looking at GDPR, 27001, and 27701. That's why our clients buy the product. Having templates available to implement this product against the various standards and the mandates that are actually forcing this product's purchase would be really nice. There are some templates, but it would be better to have more.
At the moment, they don't support Linux. For this EPM, they have a different product for EPM, for Linux. The same company needs two different products for EPM. One works with Windows and Mac and the other solution is mainly created for Linux. They can try to merge these two and make one product. That would be an improvement. Being a policy administrator, I have to create, or maybe monitor, two different admin consoles for the policy due to the separation between the OS. They have a troubleshooting utility or a quick start utility, a quick start policy. They need to come up with better integrative options which should be customer-centric. At the moment, it is from their point of view. A quick start policy is something that helps customers to remove admin rights on day one.
Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful. One of the requirements that I've already expressed is that they can unify the clients. We have got two clients: one for the iC3 adapter and one for the Defendpoint client itself within the EPM product. iC3 is used for connection to the SaaS or cloud, and Defendpoint is the actual product that does all the local admin privilege management. They can just unify them.
They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment.
We have installed BeyondTrust, however, it's not working as-is. There are two domains, and there's a trust between those two domains, however, just one of the domains is working. We've not been able to set it up such that we're able to use the second domain as well. That, unfortunately for us, that second domain is a valuable domain, it's very critical. BeyondTrust is trying to find a way to do it, however, we do not need it for some time. It's working at least, however, there are some times where it just freezes out. We have to fall back on RDP to do BeyondTrust. That was part of the reason I was doing the comparison between BeyondTrust and Broadcom - to see if there was a way to resolve this. The implementation process could be better. It's not as vast as we would like it to be. If you don't get the implementation right at the outset, you will struggle with the product.
What's bothering me, which is true of all of them, is that sometimes, the error codes that come up don't necessarily get reflected in the searches within their support sites or they're out of date. I would rather search by an error code than type in the text and search for it by text because the error code means that it is programmatic, and it is known. It might not be desired, but it at least is not unexpected. If you don't have an error code, you just get an anomalous error, and if it is lengthy, it can be difficult to search and find the specific instance you're looking for. This is something I would like all of them to improve. BeyondTrust, CyberArk, Centrify, and Thycotic could do some improvements in staying up to date and actually allowing you to search based on the product version. They are assuming that everybody is on their way to release. They put out a new release, but it is not reflected on the support site, which makes no sense to me, especially when they revamp all the error codes. They all have been guilty of this in some way.
There are different vendors that are pretty competitive in terms of features. BeyondTrust is great in some areas, however, CyberArk is as well. The solution needs to continue to add features in order to stay competitive in the market. Their technical support could be more responsive and helpful. The solution is quite expensive.
The help system should be improved to provide a quick help guide with each tab within the solution, which explains what each particular function does. This would help because sometimes, you can get lost and you find yourself going back to see what the functions do. Have at least a very small hint for some of the key functions would go a long way to help with deploying and using the system. Better pricing would help this solution to grow in the Nigerian market.
The deployment process should be clarified or made simpler. It would be helpful if the solution had in-app tutorials for users to look at as they progress through the system. Sometimes we get lost and need to go back to check what exactly the function was. There should be small hints around major key functions. It would go a long way in speeding up the deployment process.
There are a few points that are lagging in the technology and I think updated versions should be available more frequently. So the program updates are very rare and the frequency is too far apart to take care of bug fixes and adding the latest features.
This depends on the client. Some clients find the granular approach a lot better than the simplified approach and some clients prefer the simplified approach better than the granular approach. Depending on the type of organization and type of information that must be protected, there are obviously different requirements.
One issue, especially when you deploy HA actively and passively, is the synchronization. Usually, there is a large delay between the sync. The biggest problem is that it takes at least 14 minutes to detect that the primary is down. That is 14 minutes of downtime, which is a huge amount of time, especially for our enterprise customers. That delay should be reduced. The other area to improve is that they rely on MS SQL servers only. You cannot have any other database behind them. They have to be on MS SQL. If they can do something about these issues, this would be a better alternative for some customers. In terms of software, BeyondTrust should work on other operating systems other than Windows and support non-Windows operating systems also.
If you are specifically dedicated to Privileged Access Management, the definitions are a bit unclear throughout the world. I have been in contact with engineers around the world, in Canada, the U.S, and the U.K as well. Everyone has quite a different definition for Privileged Access Management or Identity Access Management or Identity Management. Because of the definition of PAM, I don't think they can provide anything in addition to what has been defined. If you want to include anything else in this product, it will deviate from the boundaries of PAM.
It should support XWindows Remote Desktop Access Protocol for Linux/Unix. I would like more connectors for other security software/systems. A password is needed to access their security systems.
All products have room to improve. I would like to see support for many more systems, such as AS400.
It only has limited support for Mac.