Support for Privileged Accounts (CyberArk/PAM) in Macros/Scripts/Tools Execution

Support for Privileged Accounts (CyberArk/PAM) in Macros/Scripts/Tools Execution

3 votes

avatar

We would like to request an enhancement to the Tools functionality to allow individual tools to be executed using privileged accounts from CyberArk and ideally any PAM solution.
We have already discussed this topic in the following thread:
https://forum.devolutions.net/topics/41215/rdp-secret-macro--remote-tools--tool-credential#236502

Use case:
In Remote Desktop Manager (RDM), we configure an RDP session. From the Macros / Scripts / Tools tab, we want to launch built-in tools such as Computer Management, Event Viewer, or Services against a remote server.
In the RDP session properties under Management Tools → Tools, we can select either My Privileged Account or a CyberArk PVWA entry.
However, when launching any tool from this section, it does work with CyberArk privileged account. We have also confirmed with Devolutions Support that this functionality is currently not supported.

Expected behavior:
When a privileged account (e.g., CyberArk PVWA) is configured in Management Tools → Tools, all tools launched from the Macros / Tools / Scripts tab should run under that CyberArk privileged account.
This would allow administrators to launch remote tools (Computer Management, Event Viewer, Services, etc.) without opening a full RDP session and while securely using privileged credentials managed by CyberArk (or other PAM solutions)
This improvement would significantly streamline daily administrative tasks and enhance secure privileged access workflows.

All Comments (2)

avatar

Hello,

Thank you for the request. We will open a ticket for this.

Regards,

Hubert Mireault

avatar

Hello,

I've begun investigating your specific case, and I want to bring some clarifications as well as make sure I correctly understand your current workflow.
I understand that you have a CyberArk PVWA credential entry. And that in an RDP's entry properties, under Management Tools - Tools, you've set the credentials to Linked (Vault), and are targeting that particular CyberArk entry.

As far as I can tell, everything should be working correctly. However, It's worth noting that most of the Tools you're referring to simply trigger windows event, and several of those events cannot receive credentials directly. This isn't a limitation from our application so much as a limitation by the windows events/tools themselves.

To be sure that the issue lies in the CyberArk PVWA entry setup, use the mode Username and password instead of Linked (Vault), and input the username, domain and password that the CyberArk PVWA entry would provide.

If it works while using Username and password, then there may indeed be an issue with our support of CyberArk entry linking that I'm not finding, so I might need a bit more help understanding your setup:

  1. Which datasource are you using?
  2. Are there any particular GPOs active in your environment?
  3. Any variables involved inside the CyberArk entry?
  4. Anything else you can think of that would be outside of a "basic" setup.


But if it still doesn't work, it is much more likely that the issue is with the specific event you are attempting to execute. Quite a few of these events are limited to be executed remotely only under specific environment, and that is outside of our control.

I know for instance, that Event Viewer and Computer Management cannot receive a password. In the event that a username/domain is enough to connect, it can still work, but a password isn't something we can pass to the windows event. In which case, if your setup needs one, there is nothing we can do at this time.

Know that support for passing credentials in these events is an already opened feature request, but as I've explained previously, it is not exactly within our control. If this feature is ever supported, it will likely take a different form than the workflow you are currently describing.

Regards,

Jafran Majeau