Endpoint Privilege Management

BeyondTrust Endpoint Privilege Management (EPM) for Windows and Mac pairs powerful least privilege management and application control capabilities to provide preventative endpoint security. Implement zero trust controls and benefit from advanced protection against lateral movement, ransomware, malware, and insider threats.

BlokSec provides BeyondTrust users with a frictionless experience using no password or response code, while also providing the highest levels of authentication and identity assurance through the use of zero-knowledge proofs — further complementing the zero trust controls provided by EPM. BlokSec also provides tamper-proof audit logging through an immutable ledger, allowing system administrators to confidently review elevation request history.
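To make concrete what a tamper-evident audit log gives an administrator who reviews elevation history, the following added example builds a hash-chained ledger of elevation request records and shows how alteration, removal from the middle, and truncation at the end are detected. It is an illustration of the property, not BlokSec's implementation (the page does not describe one); the records, user names and application names in it are constructed for the demo.

```python
"""Tamper-evident audit log of elevation requests, modelled as a SHA-256
hash chain. Added example, not BlokSec code; all records are constructed."""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed sample records of the kind an elevation-request ledger would hold.
CONSTRUCTED_RECORDS = [
    {"ts": "2024-01-01T09:00:00Z", "user": "alice@example.test",
     "app": "printerdriver.msi", "outcome": "approved", "auth": "push+biometric"},
    {"ts": "2024-01-01T09:05:00Z", "user": "bob@example.test",
     "app": "updater.exe", "outcome": "denied", "auth": "push timed out"},
    {"ts": "2024-01-01T09:07:00Z", "user": "alice@example.test",
     "app": "vpnclient.msi", "outcome": "approved", "auth": "push+biometric"},
]


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{body}".encode()).hexdigest()


def append(ledger: List[dict], record: dict) -> dict:
    """Append a record; its hash commits to the record and to the previous entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"record": record, "prev": prev, "hash": _entry_hash(prev, record)}
    ledger.append(entry)
    return entry


def verify(ledger: List[dict],
           expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute the chain from GENESIS.

    Returns (True, None) when every entry is consistent and, if expected_head
    is given, the last hash matches it. Otherwise returns (False, i) where i is
    the index of the first inconsistent entry, or len(ledger) when the entries
    are self-consistent but the head differs from the published one, which is
    what removal of entries from the end of the log looks like.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(ledger)
    return True, None


def build_demo_ledger() -> List[dict]:
    """Build a fresh ledger from the constructed records."""
    ledger: List[dict] = []
    for rec in CONSTRUCTED_RECORDS:
        append(ledger, dict(rec))  # copy so tampering in a demo never touches the source list
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    head = ledger[-1]["hash"]        # the value an administrator records out of band
    print(verify(ledger, head))      # (True, None)
    ledger[1]["record"]["outcome"] = "approved"   # alter a past decision
    print(verify(ledger, head))      # (False, 1)
```

The chain alone cannot tell that the newest entries were dropped, which is why `verify` also accepts a published head hash: the reviewer keeps the latest hash somewhere the log writer cannot change, and compares against it.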

  • BeyondTrust Endpoint Privilege Management (EPM) instance
  • BlokSec instance
  • Users enrolled with the BlokSec mobile app

EPM includes in-policy multifactor authentication (step-up authentication) that can be configured to redirect elevation requests to a BlokSec instance. When a user requests elevated access, they are sent to BlokSec to authenticate — no password or response code required. BlokSec sends a push notification to the user’s mobile app, the user approves with biometrics, and the elevation is granted.

  1. In the BlokSec admin console, go to Applications and click + Add Application
  2. Select Create from Template
  3. Select the BeyondTrust Endpoint Privilege Management template
  4. Set the Token Endpoint Auth Method to None and click Submit
  5. Click Generate App Secret
  6. Note the Application ID — this is the Client ID used in EPM’s identity provider settings
  1. In the EPM Policy Editor, open the Messages tab and click Identity Provider Settings
  2. Enter the following values:

     Field      Value
     Issuer ID  BlokSec Issuer ID (from the BlokSec admin console)
     Client ID  Application ID noted in the previous step

  3. Click Save the Settings
  1. In the EPM Policy Editor, navigate to the Messages tab
  2. Select the message you want to configure for BlokSec authentication
  3. Check the box Verify their identity through an Identity Provider
  4. Save the policy
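The Issuer ID and Client ID entered above are what make the identity provider's answer trustworthy: the response to a redirected elevation request is only proof of identity if its issuer equals the configured Issuer ID, its audience names the configured Client ID, it has not expired, and it is bound to the request that started the redirect. The following added example models those relying-party checks on an OpenID Connect style ID token. It is not BeyondTrust or BlokSec code; the issuer, client ID and user values are placeholders, and a constructed HS256 shared secret stands in for the provider's signing key (real providers publish asymmetric keys, but the claim checks are the same).

```python
"""Relying-party validation of an ID token returned after a step-up redirect.
Added example, not BeyondTrust or BlokSec code; all values are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders standing in for the Issuer ID and Client ID that
# are entered in the EPM Identity Provider Settings (not real values).
CONFIGURED_ISSUER = "https://idp.example.test"
CONFIGURED_CLIENT_ID = "app-id-placeholder"
# Constructed shared secret standing in for the identity provider's signing key.
SHARED_SECRET = b"demo-signing-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint a compact HS256 JWT the way the constructed provider would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, expected_nonce, *, now=None, issuer=CONFIGURED_ISSUER,
                      client_id=CONFIGURED_CLIENT_ID, secret=SHARED_SECRET):
    """Return (ok, reason); the first failing check is reported and nothing is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and bad UTF-8
        return False, "undecodable token"
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # iss must equal the configured Issuer ID exactly; a well-signed token from
    # any other provider is not this integration's provider.
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    # aud must name this Client ID; a token minted for another application
    # registered at the same provider is not proof of identity for EPM.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    # nonce ties the token to the elevation request that started the redirect.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if not claims.get("sub"):
        return False, "missing subject"
    return True, "ok"


if __name__ == "__main__":
    now = time.time()
    token = issue_id_token({"iss": CONFIGURED_ISSUER, "aud": CONFIGURED_CLIENT_ID,
                            "sub": "user-placeholder", "exp": now + 300, "nonce": "req-1"})
    print(validate_id_token(token, "req-1"))          # (True, 'ok')
    print(validate_id_token(token, "other-request"))  # (False, 'nonce mismatch')
```

Two of these checks map directly onto the fields configured in the EPM Policy Editor: a misconfigured Issuer ID makes every legitimate token fail the issuer check, and a Client ID that does not match the Application ID generated in BlokSec fails the audience check, so those are the first two values to compare when a test elevation is rejected.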

Use a test user and a test workstation to confirm the integration is properly configured.

  1. A user requests elevation (for example, installing a printer driver .msi)
  2. The user is redirected to a browser to authenticate through BlokSec using their saved credentials on the workstation
  3. BlokSec sends a push notification to the user’s mobile app
  4. The user approves the request — the device performs a biometric authentication (fingerprint or facial recognition), and a digital signature is sent to BlokSec to verify the user’s identity
  5. The user clicks OK on the Reason Required message after BlokSec authentication completes
  6. The requested elevation is approved and the executable launches with elevated permissions