BeyondTrust Endpoint Privilege Management Reviews

There are three components for BeyondTrust. Password Safe is where we privilege the accounts like server accounts, domain accounts, local accounts, or custom third-party applications. We use the application to monitor and fix the recordings of third-party applications. You can also use it for Cisco integrations and multi-factor authentication.

I find the solution’s features like section management, password management, and analytics valuable.

There are three types of endpoints. If we need to use them in the solution, then we need to purchase the licenses separately. The tool needs to improve its licensing.

I have been using the solution for four and a half years.

The solution is stable.

The solution is scalable. There are around 10,000 users for the solution in our organization.

The tool’s setup is straightforward compared to other products. The solution’s deployment depends on remote databases. We should also install a challenge-response code. For Password Safe, we need to install the EPM database, challenge-response code, etc.

The product’s licensing is different for Windows, Linux, and Mac. The tool’s licensing is yearly.

I would rate the solution an eight out of ten. You can deploy the solution to Azure, AWS, or on-premises. This solution will be very helpful for organizations for security purposes. The tool is very user-friendly. The solution’s graphic user interface is also very easy compared to other products.

Its use cases are mostly around all the 65,000 endpoints. The use cases are mostly for privileged access and the application control across all endpoints throughout the organization to make sure we have the least privileged model with zero-trust enabled at the endpoints.

We started with on-prem, but now, we've moved to the SaaS cloud.

It has helped in multiple ways. We have more than 30 years of legacy of having local admins on our endpoints. With this solution, we have removed the local admins from the users. Now, we are giving them privileges on their machine only for the applications and not for everything. It has reduced the unwanted risk and increased the security posture. 

It also helps with some robotic process automation. It helps with certain actions that we have been engaged in for certain RPA-type behaviors.

We are able to increase the security by blocking a lot of applications, such as encrypted chat applications and blacklisted applications. Data exfiltration is a big concern in our company, and this solution helps us to tighten up those controls in many different ways. We are able to control the access.

The privileged access and the application control are helpful in making sure we have good, robust challenge responses. Blacklisting with trusted application protection is also beneficial for us.

Reporting analytics is one of the areas that can be improved. It is a new cloud-based solution. So, many more specific reports can come out natively. Currently, we get all the events, and we put them in plug-ins. From there, we generate our own design of reports. If there is a much more solid or robust reporting analytics framework within the product itself, it would be helpful.

One of the requirements that I've already expressed is that they can unify the clients. We have got two clients: one for the iC3 adapter and one for the Defendpoint client itself within the EPM product. iC3 is used for connection to the SaaS or cloud, and Defendpoint is the actual product that does all the local admin privilege management. They can just unify them. 

We've probably been using this solution for three years.

In the on-premise version, stability is okay. However, it takes time to sync up policies. That's because it depends on the environment that you have. From the Active Directory perspective, it depends on how the group policies are going to be advertised back to the endpoints. So, there was some delay, but it was completely because of our environment. 

In the cloud version, the deployments are pretty quick. Policies get deployed pretty quickly. Overall, the cloud experience has been good. However, because it's a SaaS service in the cloud, we often have to reach out to the BeyondTrust team to make sure that our backend compute, which is not visible to us, is completely solid. The databases, servers, and other things are running in the cloud, and they're properly, adequately beefed up to have the right resources because we don't have visibility on that. With on-prem, we know how much compute, memory, or CPU cores we are putting to the servers at the backend. On the SaaS cloud compute, we don't know that. The initial few registrations took a toll. It was because BeyondTrust was also trying to figure out the volume of traffic that was coming their way. It took a while to baseline the compute configuration at their end, but once it was all figured out and resolved, the performance has been fairly consistent.

The solution is scalable to the level of security posture that we wanted to deploy in our environment. From a scalability perspective, we are pretty good with the way we have used the product so far.

Their support line is good. They're familiar with the product, and they have expertise with the product. So far, any tickets raised by my team have been dealt with fairly with the right solutions. I would give them an eight out of 10 because there is always room for improvement. There are instances where you expect a solution to come faster with more accurate details. There are always back and forth conversations, until and unless you figure out the final solution.

We didn't use any other solution previously. This was the first time we were trying to do an endpoint privilege management solution. 

It was a straightforward process. We were on-premise. We were using group policies to manage this whole EPM solution, and it was easy to move to the cloud. Wherever you have agent-based deployments, there is always a little bit of complication, but we were able to make it work.

On-prem deployment took almost three to four months. We had a very large and wide-scale environment. A lot of legacies were also built-in, so it took a while to build the policies around, get the local admins out from the endpoints, and take over with Defendpoint or the BeyondTrust EPM solution.

The migration to the cloud was pretty good. It wasn't that bad. When we had it on-prem, it was a single client. When we had to go to the cloud, two clients were needed. One was the iC3 web adapter that makes a connection to the SaaS cloud, and the second one was the existing Defendpoint client. Having an extra client adapter needed a little bit more packaging on the endpoint side, which added a little bit more to the transition to the cloud. Policy-wise, everything was straightforward.

We did it by ourselves. In the initial deployment, it was a team of six or seven people. They came from different groups. We had group policy administrators, Windows administrators, and security administrators from my team. There was also the endpoint provisioning team that does the packaging work.

In the cloud migration, the same team was there, but we didn't have the Windows team and the admin team. That's because they weren't required from a group policy perspective. It mostly had security administrators. The packaging team was also very important. We also have a test team that does the validation from a testing perspective across a variety of endpoints in different regions. So, there were around six or seven people during the cloud migration.

We have definitely been getting an ROI, and we want to maximize that ROI. We have a zero-trust adoption process going on continuously for the next two to three years, so we are trying to maximize the ROI. We haven't yet got the full ROI, and we will try to maximize the ROI from the product going forward.

Its pricing and licensing are okay. We were in the perpetual model when it was on-prem, and now, with the SaaS service, we have a subscription model. As a customer, I would always like to see a lower price, but it seems to be priced at the right model currently, and we are trying to get the maximum benefits out of it.

In addition to their standard licensing fees, there is just the internal infrastructure cost for the license, indexing, etc. There is nothing additional from any other components that we use for the job. These are the resources for managing the solution at our end.

We did take a look at several other products, but we finalized on BeyondTrust. We looked at some of the Microsoft solutions, and we also looked at some of the CyberArk solutions to do a comparison. What was more interesting with BeyondTrust was the flexibility in the policies. The clarity in the policy writing was a little better, and the deployment of the solution was easier. The overall product simplicity was fairly okay. When you're going from a hardcore local admin to a zero local admin stage, simplicity in the product is extremely important. So, simplicity and flexibility were the key factors.

I would advise going for the cloud-based solution. The cloud-based solution has come a long way from its initial stage. 

It is a very simplified solution. Their licenses are very straightforward, simple, and accommodating. The support has been really good, and their flexible policy model has really been instrumental in going for a stage-by-stage approach. You don't have to go all the way to impact your environment from day one. You can define your policies using their quick policy wizard and other processes to simplify your environment. You should proceed step-by-step to get rid of the local admin and the environment. Evaluation with their simplistic and flexible model is going to make it much easier and faster for you to pick up the solution.

I would rate it a nine out of 10. There is always a scope for improvement.

We use it primarily for Jamf Pro. Most of our users who use Jamf Pro are on Mac. We work on artificial intelligence and machine learning, specifically for the military and healthcare sectors. We have developers and many DevOps professionals who use MacBooks. We manage Jamf Connect and Jamf Pro, and since developers need admin access on their MacBooks to execute code and perform coding tasks, we can't give full admin access to everyone in the company. 

We use EPM (Endpoint Privilege Management) as the agent, which communicates with the server and is deployed on the machines. The agent follows specific rules defined on the server. Users on Mac can only use these 100 specified commands. Anything beyond those commands won't work. 

We provide limited privileges, such as changing Wi-Fi or network settings, but users cannot create admin accounts on the machine. However, as an administrator, I can create admin accounts using EPM. But we have restricted that option in APM (Application Privilege Management). If you have admin access, you can create an admin account, but it will automatically be downgraded to a standard account. These are the situations we have implemented using EPM.

The most valuable features are the development tools. We use them for coding, such as VS Code, iTerm, and Brew. These activities often require sudo access to execute the code. So, we have granted sudo access to standard users through EPM.

BeyondTrust EPM is a very complicated tool. When I started using it, I struggled for six months just to configure it. It's not straightforward and requires more improvements, especially in the console. Currently, there is no console option available in BeyondTrust Endpoint Privilege Management. In comparison, other tools offer a simple certificate management system in Windows Server. I'm not familiar with Linux since we primarily use Windows. In Windows, we just open the console for application management. We open a browser, log in, and access the console interface.

However, with BeyondTrust Endpoint Privilege Management, it's different. It's a certificate-based tool where you have to double-click the certificate to bring up the user interface. Unfortunately, the user interface (UI) is very ugly. But when it comes to the tool's features, they are awesome. The tool's features are awesome.

The only drawback is they need to improve the UI. They should have the option to access a console and report. Yes, the reporting is also very bad. Let's say I want to export a file from BeyondTrust EPM to see how many devices we have given admin access to with high or medium flexibility; I cannot export that information. I cannot export. I always take screenshots. There should be an option to simply click "export" and have an Excel file. So, those improvements are required in the UI. 

Since BeyondTrust is not used by many companies, there are very few companies that use this product, and it's also very expensive by the way. It was very expensive.

Moreover, they should have a good portal, like Jamf has Jamf Nation. If you have any issues, you can find help there. But with BeyondTrust, since very few people are using it, there is no community to help each other.

And on top of that, it's a very complicated tool to implement. These are the things that, in my opinion, they need to improve. But when it comes to the features, whatever you are paying for, you are getting your money's worth.

We have been using BeyondTrust Privilege Management for two years. I first used it at my previous company. We are using version 2.12.

Stability is good. 

Scalability is good. I would rate the scalability a nine out of ten. There are around 600 users in our organization using BeyondTrust. I can say around 50% of total users are using BeyondTrust Endpoint Privilege Management.

The initial setup was very difficult. Even if you are an expert in EPM, it is still very difficult. It's not straightforward like Jamf.

The deployment was done in-house. Moreover, it will take time, actually. Let's say you are an expert. Maybe it will take months or two months to deploy.

I would advise if you're using BeyondTrust Endpoint Privilege Management for the first time, seek professional services directly from BeyondTrust, not from a vendor or supplier role. Take professional services directly from BeyondTrust EPM.

Overall, I would rate the solution an eight out of ten because I'm also missing something on the pricing side. I'm missing something on the configuration side. Those things are missing.

It's mainly for privilege management when you log in to any Windows system, so you'll be able to execute only what you have to and can.

Everyone in the company uses BeyondTrust Endpoint Privilege Management—about 3000 to 4000 in South Africa and another 1000 in the UK.

One of the valuable features is the absence of any local user in a unique system. All users are defined in the AD; communication is only between Unix and AD. When you log in, there are no local users on any unique system you access.

Another valuable feature is privilege management, where only the command steps needed to be executed given to the user, and they cannot execute more than that.

There is always room for improvement. One thing that would be helpful is if it was easier to define which commands can be used. Currently, we use a program to automate all of this, but it's not a default feature of BeyondTrust Endpoint Privilege Management. It can be a bit more difficult if we're not using our own script. We have a script that checks the day from the AD group to see if any users have certain privileges, and we execute it to make any necessary changes. We've automated the process by creating our own script. We run it four times a day.

In the future release, I would like to see it easier to configure without adding all the scripts. It would be helpful if it had a user-friendly manual that allows you to change things easily. It would make BeyondTrust Endpoint Privilege Management a lot easier to use.

I've been working with it for a long time. It's the latest version.

We started with AD Bridge about four years ago, only AD Bridge, and then we added the privilege management about two years after finishing the credit bridge.

I would rate stability a seven out of ten. Sometimes we lose the connection to the domain, but just the domain joins and resolves the problem.

It is a scalable product. We have over 1000 systems that we scan every day. We check every day if the system is not there in full. If it has been more than twenty days, we take it out of the assets. If there is a new system, it will join the asset. We have a contract running four times a day that checks for all this. If there is a user that left the company and was deleted from the database, it's all automated.

The customer service team is okay. I've had a few issues with them, but they were reasonable. However, I have one issue that has been ongoing for a year, and they have not been able to solve it yet. It could be a difficult issue, I'm not sure. I managed to resolve it myself with my own programs that check and solve it automatically, but it persists after over a year. They are unable to identify or replicate the problem.

We need two to three people for solution administration. We have a big configuration and complicate it with the script that we are running. These scripts are very complicated, and it took us quite a few times to wind it to this case. But now that it is automated, we need half a person to do it. But in the beginning, we needed a lot of people.

And now that it is running and automated, every user has been added automatically without any intervention.

Before, we had a division where we had to add local users all over the systems. But now we are using BeyondTrust Endpoint Privilege Management. All are controlled by the privilege management, and we don't have so many problems.

I suggest starting with AD Bridge and implementing it properly before installing the privilege management. Doing them together will be very difficult. First, enable the AD Bridge fully and make it available to all users, and then install Privilege Management.

I would rate it around eight out of ten.

The solution's least privilege enforcement has helped us ensure access is given to only the required people.

Sometimes, it's difficult for other users to understand how accounts and servers are mapped, which is complex. How the accounts are presented in the solution's UI can be improved.

I have been using BeyondTrust Endpoint Privilege Management for five to six years.

I rate the solution an eight out of ten for stability.

I rate the solution an eight out of ten for scalability.

I rate the solution an eight out of ten for its ease of deployment and integration with our infrastructure.

On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven out of ten.

The solution is doing a good job of enhancing the endpoint security posture by managing the overall application life cycle and helping us block unwanted applications. The solution's scanning feature helps identify the unmanaged accounts within the console itself. We do not have to do a DNA scan like CyberArk separately, which is a separate license.

The solution's least privilege enforcement has helped us ensure access is given to only the required people. It is easy to maintain the solution.

The solution helps identify the unmanaged accounts and then develop a plan for managing those transferred accounts, which were used as service accounts in multiple critical applications.

Users should have an in-house person to manage the environment. If they completely depend upon the vendors, they might be unable to do things at the right pace.

Overall, I rate the solution an eight out of ten.

We are using the solution to access the servers remotely.

The solution's most valuable feature is its ability to publish the application remotely instead of logging into the server. You can just run the software from the remote server. 

The solution's features for customizing access for the engineers, creating forms, and establishing workflows need improvement. Also, they should provide integration with VDI solutions. It would be great to run it from the Citrix Storefront or VMware Horizon.

I have been using the solution for three years.

The solution is stable.

The solution's technical support is good.

Positive

The solution is easy to deploy. However, it is complex in terms of configuration and customization. The process takes nearly two weeks to complete.

We implemented the solution with the help of two or three executives and an integrator.

The solution's pricing is high.

The solution's enterprise features align precisely with our organizational focus. I advise others to evaluate it and compare, considering the variations in each environment.

Overall, I rate it seven out of ten.

There are three use cases that you can target. The first use case is the fact that some of your users may need admin rights for launching custom applications, such as Visual Studio, or they may want to install something on their machine on their own, or they may want to start, stop some services, change maybe system font, if the need arises, or install a custom font or change the driver, update the driver. Also, instead of giving full blanket admin rights, we can give selective admin rights using EPM in order to protect the company and the infrastructure from abuse. This is the first major use case.

The second use case is where we implement application blacklisting and whitelisting. If I don't want Adobe applications to run within my company, I can create a policy around that. Or, for example, if I have Adobe licenses, and those are only valid for version two to version three. Anything below two, I don't own and anything above three, I am not allowed to upgrade. Therefore, whitelisting based on version control also can be implemented. 

The third use case, which not popular in my region, is where cyberattacks can be mitigated or zero-day attacks can be mitigated, by making sure we whitelist only the browser and only Outlook. If the browser tries to invoke a script or if Outlook launches say Excel or PDF as an attachment, and from there, if a script tries to launch, we will be able to block it. Therefore, making sure that the entry point of the malware itself is blocked is possible. That said, having said that, it has zero intelligence in checking whether the script is legitimate or bad. It's going to block everything. It blocks all and later you can enable it, if the need arises.

The solution can scale.

It's relatively straightforward to set up, especially if you are deploying to the cloud.

Technical support has gotten more responsive.

At the moment, they don't support Linux. For this EPM, they have a different product for EPM, for Linux.

The same company needs two different products for EPM. One works with Windows and Mac and the other solution is mainly created for Linux. They can try to merge these two and make one product. That would be an improvement. Being a policy administrator, I have to create, or maybe monitor, two different admin consoles for the policy due to the separation between the OS.

They have a troubleshooting utility or a quick start utility, a quick start policy. They need to come up with better integrative options which should be customer-centric. At the moment, it is from their point of view. A quick start policy is something that helps customers to remove admin rights on day one.

I've been dealing with the solution for the last eight years. 

The solution is definitely stable. That's why within the last eight years, we are able to satisfy the most demanding customers in the world. It supports 10 users. It supports 10,000 users or even 100,000 users. It's scalable.

I'm not sure how many people collectively are using it in our company. I happen to have one specific area within my control. There are other technicians who will be implementing this from my own company.

I've used technical support in the past. 

The product was initially developed by Avecto. Then BeyondTrust purchased that company and they both merged together. Initially, the team was quite small. The company itself was small, and its support was not that good, in terms of response time. However, when they used to come online, their technical expertise was at par. It was way beyond our expectations. The only trouble was to bring them on a call, as the company was slightly small.

Fast forward six years, seven years. Now, the strength of BeyondTrust being a larger organization, we have better access to the technical team. Today, we raise a support ticket and someone will definitely assist by tomorrow. That's progress.

However, technical expertise becomes a challenge sometimes. Not always. Just sometimes. Any big organization will not assign an L3 person on day one. That's the architecture problem. Not the company's problem.

I may scream at the top of my lungs that I don't think this is something that an L1 can handle and they will not believe me. They would like to go through L1, and L2 and then eventually reach L3. That's the only issue with any big organization. It's an architectural problem. 

The ease of deployment depends on your requirement and your setup. If you are handling the cloud, then it's fairly easy. You simply download the agent and install the agent. The reporting is inbuilt. Policy management is inbuilt. If you consider other deployments, there is some friction, depending on the architecture.

The licensing is paid on a yearly basis. I can't speak, however, to the actual cost of the solution.

We are a partner and we sell and support this EPM solution to other customers.

We use both cloud and on-premises deployment options. 

I'd suggest new users go slow. Instead of going bold. It's a powerful solution. If I create a beautiful policy, the product will behave beautifully. However, if I create an ugly policy, the product will show its ugly face to you, as it's just a brainless bull running around. You have to give it a direction. Otherwise, it can harm you. 

Overall, I would rate the solution an eight out of ten.

It is straightforward. It is a good technology, and it is made to do one single thing.

They are doing good for now, but they should start to consider tight integration with Mac solutions. There should be more integration with Mac. There should be Active Directory (AD) Bridging. Thycotic and Centrify have it currently because they merged and joined forces, and it was a feature available in Centrify. So, basically, they joined forces to create a kind of perfect product. If you have a hybrid or mixed environment with Windows and Mac, your Active Directory can only manage or enforce policies on Windows, but what about your Mac devices? How do you control them? So, AD Bridging will act as a bridge to bring all your Mac devices into your Active Directory. This way you have full control over your entire environment.

I have been selling this solution for three years.

It is stable. 

It is scalable.

I never had a problem for which I needed their technical support. The product is simple and easy to use. Our team is also capable of solving all the problems.

It is easy to deploy. The deployment duration depends on how many servers or routers you have, what kind of IT stuff you need to grant access to, and how much stuff you have. I am referring to the entire environment with all the customers and all the users. If you have five routers, five firewalls, it might take up to two to three days to deploy the entire solution. It also depends on the number of administrators you have.

Price-wise, it is very competitive. In our area, government entities and banks don't go for the monthly payment. It is a headache even for us in terms of finance and procurement to go for monthly payments. Quarterly might be more logical and reasonable, but the minimum that we go for is one year, and sometimes, we even try to compile and give one offering for three years.

It is mainly deployed on-prem. About 95% of the sales that I do are on-prem solutions. That's because we're talking about security.

It is a good technology. I would definitely recommend this solution. I would never sell it if I can't recommend it. I would give it an eight out of 10.