CyberArk PSM connection workflow clarification

Hello,

I would like to confirm whether my understanding of the CyberArk PSM workflow in RDM is correct, and to raise a feature request based on a limitation we are hitting with multiple CyberArk environments.

My current understanding of the setup

1. Create a CyberArk Dashboard entry.
2. Create a CyberArk PSM Server entry (defining the PSM host and the authentication used to connect to the PSM server itself).
3. Create a CyberArk PSM Connection entry that references the PSM Server entry and specifies the privileged account and connection component.

My current understanding of how to launch a connection

1. Log in to the CyberArk Dashboard.
2. Open a safe that contains the account/entry I want to reach.
3. Right-click the PSM Connection entry and choose "Connect Using" and the previously defined CyberArk PSM Server.

Questions

1. Is this the correct/intended way to open connections through a PSM proxy using the PSM Server + PSM Connection entry types?

2. If I am not logged in to the CyberArk Dashboard, the "Connect Using" option does not appear on the PSM Connection entry. Is this intended, even though the PSM Server entry itself can hold a username/password (Custom mode)? If so, what is the intended purpose of those credentials stored on the PSM Server entry and when are they actually used versus the Dashboard session?

---

Fortunately, we can work around this with a plain RDP entry connecting directly to the PSM server and specifying the program to run on connection as psm /u <user>@<address> /a <address> /c PSM-RDP. However, this wouldn't scale if we had multiple SAML-authenticated CyberArk environments that need to be defined through the Dashboard entry.

Thanks!

Kind regards,
Daniil

All Comments (1)

Hello Daniil,

Thank you for reaching out.

My name is William, and I’ll be assisting you with this.

The CyberArk PSM Server and CyberArk PSM Connection entries are no longer the recommended approach for launching sessions through CyberArk PSM.

The recommended approach is to use the CyberArk Dashboard with standard RDP entries.

In this workflow, you would:

  1. Open and authenticate to the CyberArk Dashboard.
  2. Navigate to the desired safe/account.
  3. Select the desired account in the Dashboard.
  4. Launch the standard RDP entry.


Please also ensure that the Connect using dashboard on double-click option is enabled in the RDP entry properties under the Advanced tab. When you double-click the RDP entry, RDM should prompt you to select the connection component to use. You can then select the appropriate PSM component, and the session should launch through CyberArk PSM.

Alternatively, you can use a CyberArk PVWA credential entry instead of the Dashboard. With this entry type, you can set the Resolving mode to PSM Connection and link the credential entry to a standard RDP entry. When launching the RDP entry, RDM will use the account configured in the CyberArk PVWA credential entry and route the session through PSM if the resolving mode is configured accordingly.

For more information, you can refer to the following documentation pages:


Regarding the Connect Using option not being available when you are not authenticated to the CyberArk Dashboard, this is expected. RDM only offers this option when a CyberArk Dashboard is opened and authenticated successfully.

Best regards,