Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.13.1 - Appliance Setup Guide

Azure deployment

IMPORTANT: Before deploying, make sure you have read Cloud deployment considerations

Safeguard for Privileged Passwords (SPP) can be run in the cloud using Azure. A version of Safeguard for Privileged Passwords is available in the Azure Marketplace and an Azure Virtual Machine (VM) is required. See Windows virtual machines in Azure for details of setting up your VM.

When using Azure, Safeguard for Privileged Passwords is available on HTTPS X0. The Azure deployment does not use the MGMT service. The Recovery (Serial) Kiosk is used to view appliance information, Administrator password reset, power restart or shut down, and generating a support bundle. For more information, see Recovery Kiosk (Serial Kiosk) in the Safeguard for Privileged Passwords Administration Guide.

Disk size considerations

Safeguard for Privileged Passwords (SPP) deploys with a minimal OS disk size. You should increase the size of the OS disk based on your estimated usage and budget. SPP on hardware comes with 1TB of disk. You can use more or less than this depending on how many assets, accounts, and daily users you expect to have. 500GB is a minimal production disk size and 2TB is the maximum.

  1. Deploy SPP.
  2. Verify you can log in.
  3. Shut down the VM (stopped and deallocated).
  4. Follow Microsoft’s guidance for increasing the disk size: How to expand the OS drive of a virtual machine.

When you start up the VM, SPP automatically resizes the OS disk volume to use the available space.

Azure security considerations

Running Safeguard for Privileged Passwords (SPP) in Azure comes with some security considerations that do not apply to the hardware appliance. We recommend:

  • Do not give Safeguard a public IP address.
  • Use the Azure key vault to encrypt the disk.
  • Limit access within Azure to the Safeguard virtual machine. SPP in Azure cannot protect against rogue Administrators in the same way the hardware appliance can.

Static IP address recommended

Configure the SPP VM with a static IP address in Azure. In Azure, the IP address must not change after the VM is deployed. If you need to change the IP address, take a backup, deploy again, and restore the backup. You can script the VM deploy to pick up an existing virtual NIC with the IP address configuration. For details, see Microsoft’s Virtual Network documentation.

Deployment steps

Safeguard for Privileged Passwords is deployed from the Azure Marketplace. Azure automatically licenses the operating system during the deployment with an Azure KMS.

The Azure base image includes the required configuration necessary to deploy into Azure following Microsoft's guidance, Prepare a Windows VHD or VHDX to upload to Azure.

  1. Log into the Azure portal.
  2. Under Azure services, click Create a resource.
  3. Search for “One Identity Safeguard for Privileged Passwords” and click the tile.

  4. On the One Identity Safeguard for Privileged Passwords screen, click Create.
  5. Advance through the resource creation screens. Considerations follow:
    • For small deployments, it is recommended to choose at least VM size Standard D2s v3. Larger deployments warrant larger sizing choices. Safeguard hardware appliances have 32GB of RAM and 4 processors with at least 1 TB of disk space.
    • You must set an administrator user name and password as part of the image creation, however, SPP will disable this account during initial setup.
    • Set public inbound ports to None.
    • Choose your Windows licensing option.
    • Make sure to enable boot diagnostics and the serial kiosk. The Azure Serial console will be used to provide access to the Safeguard Recovery Kiosk.
  6. Once you are finished configuring the VM, click Create. Azure will deploy the SPP virtual machine.
  7. When the virtual machine deployment is finished, SPP will automatically start initializing and configuring itself for the first use. This usually takes between 5-30 minutes, depending on the VM sizing. During initialization, Safeguard will enable the firewall and disable remote access to the VM. You can monitor the progress of initialization from the Azure Serial console. While the initialization is running, do not log in to the VM or power off or restart the VM.
  8. When initialization is complete, you will see the Safeguard Recovery (Serial) Kiosk on the Azure Serial console screen.
  9. Log in to the appliance via the web using the default username and password admin / Admin123. You should change the admin password immediately. For details, see the Safeguard for Privileged Passwords Administration Guide, Setting a local user's password.
  10. After clustering, change the trusted servers, CORS and redirects setting.
    As a best practice, after you have created your Safeguard for Privileged Passwords cluster (or if just using a single VM), change the Trusted Servers, CORS and Redirects setting to the empty string or a list of values to integration applications you wish to allow. For more details, see the Safeguard for Privileged Passwords Administration Guide, Trusted Servers, CORS and Redirects.
View or change the cloud virtual appliance setup

You can view or change the virtual appliance setup.

The Administrator uses the Recovery Kiosk (Serial Kiosk) to perform the following.

  • Get appliance information

  • Reset the Administrator password

  • Restart or shut down the virtual appliance

  • Generate a support bundle

  • Resolve a quarantine ( For more information, see What do I do when an appliance goes into quarantine in the Safeguard for Privileged Passwords Administration Guide.)

For more information, see Recovery Kiosk (Serial Kiosk) in the Safeguard for Privileged Passwords Administration Guide.

To patch to a new version, use the desktop client or API.

Virtual appliance backup and recovery

Use the following information to back up and recover a Safeguard for Privileged Passwords virtual appliance. Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.

Backing up the virtual appliance

To ensure security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.

Backup is handled via Administrative Tools | Settings | Backup and Retention. For more information, see Backup and Retention settings in the Safeguard for Privileged Passwords Administration Guide.

Recovery of the virtual appliance

A Safeguard for Privileged Passwords virtual appliance is reset by using the following recovery steps.

On-prem virtual appliance (for example, Hyper-V or VMware)

  1. Redeploy the virtual appliance and run Initial Setup. For more information, see Setting up the virtual appliance in the Safeguard for Privileged Passwords Administration Guide.
  2. Restore the backup. For more information, see Backup and Retention settings in the Safeguard for Privileged Passwords Administration Guide.

Cloud virtual appliance (for example, AWS or Azure)

  1. Redeploy using the deployment steps:

System requirements and versions

One Identity Safeguard for Privileged Passwords allows you to manage access requests, approvals, and reviews for your managed accounts and systems:

  • The Windows desktop client consists of an end-user view and administrator view. The fully featured desktop client exposes all of the functionality of Safeguard based on the role of the authenticated user.
  • The web client is especially useful for requesters, reviewers, and approvers. Many administration functions are available as well.
  • The web management console displays whenever you connect to the virtual appliance and is used for first time configuration.
    When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

CAUTION: The Safeguard for Privileged Passwords client version must match the installed Safeguard for Privileged Passwords version.

Ensure that your system meets the minimum hardware and software requirements for these clients.

If a Safeguard Sessions Appliance is linked to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session. The link is initiated from Safeguard for Privileged Sessions. For details about the link steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide.


It is recommended that connection, including overhead, is faster than 10 megabits per second inter-site bandwidth with a one-way latency of less than 500 milliseconds. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP/TCP in the shaping profile. These numbers are offered as a guideline only in that other factors could require additional network tuning. These factors include but are not limited to: jitter, packet loss, response time, usage, and network saturation. If there are any further questions, please check with your Network Administration team.

Desktop client system requirements

The desktop client is a Windows application suitable for use on end-user machines. You install the desktop client by means of an MSI package that you can download from the appliance web client portal. You do not need administrator privileges to install One Identity Safeguard for Privileged Passwords.

NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:

  • Any reference to putty in the PATH environment variable
  • c:/Program Files/Putty
  • c:/Program Files(x86)/Putty
  • c:/Putty

If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:


If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.

Table 1: Desktop client requirements
Component Requirements

Microsoft .NET Framework 4.7.2 (or later)

Windows platforms

64-bit editions of:

  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

If the appliance setting, TLS 1.2 Only is enabled, (Administrative Tools | Settings | Appliance | Appliance Information), ensure the desktop client also has TLS 1.2 enabled. If the client has an earlier version of TLS enabled, you will be locked out of the client and will not be able to connect to Safeguard for Privileged Passwords.

IMPORTANT: The Windows 7 Desktop client has additional requirements in order to enable TLS 1.2. For information, see Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.


  • To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.

Desktop Player

See One Identity Safeguard for Privileged Sessions Safeguard Desktop Player User Guide available at: One Identity Safeguard for Privileged Sessions - Technical Documentation.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating