One Identity Safeguard for Privileged Passwords 7.2 - Connect for Safeguard Assets User Guide

Once you have added the Connect for Safeguard Assets service to your Starling organization, you have full access to the Connect for Safeguard Assets service which can be used in conjunction with Safeguard for Privileged Passwords to manage assets that are not connected to a corporate network.

To navigate through the service use the title bar along the top of the site, which contains the following links:

: If multiple organizations are associated with your account, this button (displaying the name of the organization you are currently viewing) appears and opens a drop-down menu that allows you to move between organizations.
: This button (displaying the first name of the account owner) opens a drop-down menu that allows you to select one of the following options:
- My Services: Clicking this link takes you to the Starling home page.
- Sign out: Clicking this link signs you out of Starling.
: Clicking this link opens the settings page where you can manage your entire Starling account. For more information, see the One Identity Starling User Guide.

The main pages available within Connect for Safeguard Assets are listed in the navigation bar, which is located beneath the title bar:

Downloads page: This is the home page of Connect for Safeguard Assets and provides insight into your service.
Collaborators page: This page is used to add additional collaborators to your Connect for Safeguard Assets service.

Downloads page

Upon opening Connect for Safeguard Assets, you will be directed to the Downloads page. This page contains a list of the platforms that Connect for Safeguard Assets supports connecting with in order to manage the associated assets. By connecting to these assets via Connect for Safeguard Assets instead of directly from Safeguard for Privileged Passwords, you are able to manage the assets without requiring they be connected to a corporate network.

Available Agents

This section contains the agent downloads for each of the supported platforms. Each agent tile displays the name of the platform it supports, the agent version, and a Download button.

Windows

For more information, see Downloading a Windows agent.

Mac

For more information, see Downloading a Mac agent.

Linux

For more information, see Downloading a Linux agent.

Tokens

This section contains token downloads.

Agent Enrollment

For more information, see Downloading an Agent Enrollment token.

Downloading a Windows agent

The following explains the process for downloading and installing a Windows agent on a disconnected asset. The same token and agent binaries can be used by multiple machines which (depending on your organization's environment) may allow for this to be pushed out to multiple machines rather than having to manually install an agent on each individual machine.

To download a Windows agent

On the Downloads page, click the Download button associated with the Windows tile.

A zipped ConnectForSafeguardWindowsAgent folder will be downloaded according to your browser settings.
Unzip the ConnectForSafeguardWindowsAgent folder.

To the extracted ConnectForSafeguardWindowsAgent folder, add the agent enrollment token file (Downloading an Agent Enrollment token).

CAUTION: Keep a copy of the enrollment token until the agent has been successfully enrolled. The token file will be automatically removed after each enrollment attempt (including failed attempts).

Open a Command Prompt or PowerShell session.
Run the enroll command on ConnectForSafeguardAssetsAgent.exe. The local service account used for enrollment must be a member of the local administrators group and have the Log on as a service permission either explicitly or via a group.

Once the agent has been successfully enrolled, the Safeguard Disconnected Asset Agent will be installed under the service account along with a ConnectForSafeguardAssets certificate that is valid for 60 days. The agent will automatically attempt to renew the certificate after 30 days have passed since the last certificate was issued. However, if an agent is unable to re-enroll and the certificate expires, the re-enroll command can be used to re-enroll the agent (for more information, see Re-enrolling an installed agent).
In Safeguard for Privileged Passwords, you can now add or discover the asset (using the Windows Desktop (Starling Connect) or Windows Server (Starling Connect) platforms). For more information, see the One Identity Safeguard for Privileged Passwords Administration Guide.

Make sure the Agent ID is the same as shown in Safeguard for Privileged Passwords (Assets > (select asset) > Properties > Connection > (Edit) > StarlingAgentID). If the Agent ID is different, you need to update the StarlingAgentID in Safeguard for Privileged Passwords to match the Agent ID.

NOTE: When running a password task in Safeguard for Privileged Passwords against a Windows agent, the task is created in a submitted state and will be updated once the agent processes the task. The amount of time this will take to update will vary depending upon the state of the machine the agent is running on.

Downloading a Mac agent

The following explains the process for downloading and installing a Mac agent on a disconnected asset. The same token and agent binaries can be used by multiple machines which (depending on your organization's environment) may allow for this to be pushed out to multiple machines rather than having to manually install an agent on each individual machine. There are 2 Mac agents to select from depending on your environment: