Pra Available Features

The document provides details on the available features for Privileged Remote Access 22.4, including support for multiple platforms like Windows, macOS, Linux, and mobile devices. It allows accessing endpoints, virtual machines, cloud infrastructure, and network devices securely. The tool provides multi-language support and controls for cloud access on AWS.

Uploaded by

ricardo.oliveira

PRIVILEGED REMOTE ACCESS 22.4
AVAILABLE FEATURES

Privileged Remote Access 22.4 Available Features


Features for Access Console Users
Feature Name Description
Multi-Platform Support
Windows
Endpoint: Windows 7 SP1, Windows 10, Windows 11, Windows Server 2016 - 2022
Access Console: Windows 10, Windows 11
macOS
Endpoint: macOS 10.14 - 10.15, macOS 11 (Big Sur) x86 and xApple, macOS 12 (Monterey), macOS 13 (Ventura)
Access Console: macOS 10.14 - 10.15, macOS 11 (Big Sur) x86 and xApple, macOS 12 (Monterey), macOS 13 (Ventura)
Note: PRA clients for macOS can run natively on Apple Silicon without relying on Rosetta 2.
Linux
Endpoint: Fedora 35-36; RedHat Enterprise 8.5, 8.6, 9.0; Ubuntu 20.04 LTS, 22.04 LTS
Access Console: RedHat Enterprise 8.5, 8.6, 9.0; Ubuntu 20.04 LTS, 22.04 LTS
Mobile Devices
Endpoint: N/A
Access Console: Apple iOS 12.0+, Android 8.0+
Virtual Machines
Endpoint: N/A
Access Console: Citrix XenDesktop 7, VMWare Horizon 8, Citrix XenApp 6.5
PRA Virtual Appliances vSphere 6.7 - 7.0
Azure
AWS - AMI Sharing
Unattended Systems Laptops, Desktops, Servers, ATMs, Kiosks, POS Systems, Raspberry Pi, etc.
Cloud Access Controls Securely connect to and manage your cloud infrastructure, including Windows, Red
Hat, CentOS, and Ubuntu Linux VMs powered by AWS, Azure, VMware, and other
IaaS providers. Headless Linux configurations are also supported.

SALES: www.beyondtrust.com/contact SUPPORT: www.beyondtrust.com/support DOCUMENTATION: www.beyondtrust.com/docs

©2003-2022 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority. TC: 12/9/2022
Cloud Access AWS KMS Support AWS Key Management Service (KMS) makes it easy to create and manage
cryptographic keys and control their use in AWS services and applications. AWS
KMS is a secure and resilient service that uses hardware security modules.
Network Devices Routers, Switches and Devices via SSH/Telnet
Multi-Language Support View BeyondTrust applications and interfaces in English, Dutch, French, German,
Italian, Japanese, Russian, Simplified Chinese, Polish, and Traditional Chinese.
BeyondTrust supports international character sets.
Access Console Toolset Use advanced access tools to interact with remote systems.
3D Touch Support for iOS The BeyondTrust mobile access console uses iOS 3D Touch Support capabilities
offered by the iPhone 6S and 6S Plus devices to start sessions faster and more
efficiently. By tapping and holding the BeyondTrust Access Console icon on your iOS
device, you can quickly access the three most viewed Jump Items, and you can
seamlessly transition between active sessions.
Access Console Access remote endpoints by connecting to them through the B Series Appliance.
Advanced Web Access Advanced Web Access enables administrators to appropriately manage privileged
access controls over assets that utilize modern web technology in a secure, scalable,
and controlled manner. The auditing capability gives your organization the visibility it
needs to adhere to both internal security policies and any applicable industry
compliance requirements.
Annotations While screen sharing, use annotation tools to draw on the remote screen. Drawing
tools, including a free-form pen and scalable shapes, can aid in collaborating with
other users.
BeyondTrust Access Extender BeyondTrust Protocol Tunneling extends the remote connectivity and auditing
capabilities of proprietary and/or 3rd party applications, such as integration control
systems or custom database tools. BeyondTrust simplifies this complex task into a
consumable process that removes the need for an intricate VPN solution.
BeyondTrust SUDO Manager Shell Jump credential injection can be used in conjunction with SUDO.
Vault BeyondTrust Vault is an on-appliance credential store that enables your users to
access privileged credentials and inject them directly into an endpoint. Eliminate the
need for users to memorize or manually track passwords, increasing productivity and
security. Add privileged credentials to Vault manually, or try the built-in Discovery
tool to automatically find and protect AD and local credentials.
The Vault Accounts tab in the Access Console enables users to check in and out
Vault accounts that the administrator has defined. This enables users to leverage
Vault accounts for session activity or locally on their own device, improving user
experience and productivity by enabling access to Jump Items and Vault accounts
from one location.

Cancel Access Request Users can cancel pending Jump Access authorization requests from the Web
Console, providing more flexibility and control over the authorization process,
extending the existing functionality of the desktop Access Console.
Canned Scripts Use pre-written scripts from either the Command Shell interface or the Screen
Sharing interface, increasing session efficiency by automating common processes.

Command Filtering Protect against common user mistakes during SSH sessions by applying basic
filtering to the input at the command line. For devices or B Series Appliances where
agents are not practical or possible, command filtering provides an extra layer of
control for administrators who need to provide access to that endpoint.
Command Shell Directly access the command shell for system diagnostics, network troubleshooting,
or low-bandwidth access, without screen sharing.
Command Shell Display Settings Command shell settings allow for changing the font, color, and size of the displayed
text within the access console. Unicode characters are supported within a command
shell.
Copy and Paste with Web Jump Users can now utilize the Copy/Paste functionality during a Web Jump session,
enabling users to continue to utilize their current processes while using the Web
Jump feature.
Credential Injection When accessing a Windows-based Jump Client, perform credential injection into the
login screen as well as the Run As special action. Additionally, gain access to SQL
Server using credentials from your endpoint credential manager.
Credential Injection with Web Jump Users can now inject a vaulted account with MFA enabled during a Web Jump
Access session, enabling users to utilize the same credential injection experience
they are used to using in the other access methods.
Credential Store Search Vault users can now search the credential list when Jumping into a remote system.
To leverage this new functionality, a user must only begin typing an account name
and the Credential Store presents the matching credentials to the user. This search
functionality is limited to credentials that are available in the access console.
Custom Links From within a session, click a button to open your browser to an associated CRM
record.
Custom Special Actions Create access console special action shortcuts for tasks specific to your
environment, streamlining the effort for your team to complete repetitive tasks.
Customizable Notifications Configure which events trigger alerts in the access console and upload custom audio
files.
Dark Mode – Desktop Access Console Users can select Use Dark Mode in the desktop console, letting those who prefer to
avoid bright screens and reduce eye strain enjoy the updated colors and icons
optimized for this theme.
Dark Mode – WEB Access Console Users can select Use Dark Mode in the privileged web access console, letting those
who prefer to avoid bright screens and reduce eye strain enjoy the updated colors
and icons optimized for this theme.
Elevate Endpoint Client Elevate the endpoint client to have administrative rights. Special actions can be run
in the current user context or in system context.

Endpoint Credential Management Use credentials stored in a password vault for nearly all session types. Credentials
from the endpoint credential manager can be used for RDP login, Run As from
special actions, performing Remote Push, and Shell Jump initiation (SSH). Install
multiple endpoint credential managers on different systems to avoid downtime.
You can define which Vault users can inject credentials while in a session, and which
Vault users can view credentials when checked out in /login.
Endpoint Credential Managers can be mapped to Jump Groups. This optional
functionality allows administrators using multiple disconnected credential providers,
such as Managed Service Providers, to support disconnected environments while
leveraging the internal credential providers on those networks for the associated
Jump Group. This functionality is not standard; for more information please reach out
to BeyondTrust Technical Support.
File Transfer Transfer files to and from the remote file system. Appliances can now be enabled for
an integration with an ICAP server for in-transit file scanning, adding additional layers
for allowing and securing how files are transferred.
Most Recently Used Jump Items Most Recently Used Jump Items provides an easy way to find your most frequently
accessed Jump Items which saves time by not having to search for frequently
accessed endpoints.
Multi-Monitor Support View multiple monitors on the remote desktop.
Multi-Session Support Run multiple simultaneous sessions.
Password Injection with Password Safe Password Injection with BeyondTrust Password Safe is available for Privileged
Remote Access, enabling your users to securely use passwords during access
sessions with the click of a button. In addition, it provides an integrated approach to
secure third-party vendor access.
Peer-to-Peer Sessions Network and protocol enhancements allow for direct peer-to-peer connections. A
direct connection between a user and an endpoint bypasses the B Series Appliance,
thus enhancing the performance of screen sharing, file transfer, and remote shell.
Privacy Screen The Privacy Screen feature of Privileged Remote Access has been updated to
support Windows 10 20H1+ and Windows 11, without the need for a secondary
driver.
Privileged Web Access Console A web-based BeyondTrust Access Console that uses HTML5 to provide access to
endpoints. The privileged web access console removes the requirement of having to
download and install the BeyondTrust access console client.
Privileged Web Access Console - System Information System Information is now available for sessions within the privileged web access
console. This functionality was previously limited to the desktop access console.
Privileged Web Access Console - Access Invite Users can invite external users or vendors into their existing session for collaboration
from the privileged web access console. This functionality was previously limited to
the desktop access console.
Privileged Web Access Console Authentication Improvements The privileged web access console's authentication is now separate from the /login
interface. This enhancement also prevents users from being logged out of /login
while using the /console interface.
Privileged Web Access Console RDP File Transfer Users can send and receive files in RDP sessions from the privileged web access
console.

Reboot/Auto-Reconnect [1] Reboot and automatically reconnect to the remote computer.
Remote Registry Editor Access and edit the remote Windows registry without requiring screen sharing.
Remote Screenshot Capture a screenshot of the remote system.
Restrict Endpoint Interaction [2] Disable the endpoint's mouse and keyboard input and conceal the screen to avoid
interference and ensure privacy while you are working.
Smart Card Support In a session, use authentication credentials contained on a smart card that physically
resides on the user's system. This feature has been enhanced to support Extended
APDU.
Special Actions Access common actions such as Registry Editor, Event Viewer, System Restore,
etc. Perform actions in User or System context. With the Run As special action on a
Windows system, you may select credentials from an endpoint credential manager.
Syslog Access in Reports Users can download the available syslog files directly from the /login interface. To
download the syslog files, you must have the new permission Allowed to View
Syslog Reports. This setting is available in both the User and Group Policy pages of
the /login interface.
System Information View in-depth system information in an easily navigable interface. Interact with
services and processes and uninstall software without requiring screen sharing.
Touch ID Authentication for iOS Authenticate to the access console via the iOS device's built-in Touch ID capability.
Virtual Pointer Display a pointer on the remote screen, helpful when collaborating with another user.
Wake-on-LAN Remotely access computers, even when they are turned off. Send Wake-on-LAN
packets to a Jump Client host to turn on that computer, if the capability is enabled on
the computer and its network.
Collaboration Work with other users and experts to resolve support cases.
Access Invite Invite anyone – internal or external – into a shared session with one-time, limited
access.
Extended Availability Users can be in notification mode. If invited to share a session, you will receive an
email notification.
Portal Branding Upload an image of your company logo to display on the public-facing web pages of
your Privileged Remote Access site. This logo is visible when someone accepts an
access invite, goes to the public recording page, responds to an extended availability
message, or responds to a request for Jump approval.
Session Sharing Collaborate with other users by sharing a session with a team member.
Teams Collaborate with other users who share similar skill sets or areas of expertise.
User-to-User Screen Sharing Collaborate with other users by instantly sharing your screen with a team member.
Jump Technology Access unattended remote desktops, servers, and other systems.
Atlas - Jump Client Traffic Node Connectivity Customers using the Atlas configuration can route Jump Clients through an
Atlas traffic node, enabling greater scalability and geospecific connections.

[1] Reboot/Auto-Reconnect is not supported on Mac computers.
[2] Restrict Endpoint Interaction is limited to disabling the mouse and keyboard on Windows 8 and above.

Copy Jump Items You can copy Jump Items and assign them to multiple Jump Groups. This allows
setting separate policies and group permissions without requiring additional client
installations on the endpoint. Users with appropriate permissions can right click
individual or multiple Jump Items to copy them.
External Endpoint Search - Password Safe Integration Privileged Remote Access users can search for and remotely access Password
Safe-Managed RDP and Shell Jump systems that are accessible with a Jumpoint.
Group Policy/Jump Group Search The Group Policy and Jump Group lists in /login provide a search field to make it
easier to find the item you're looking for.
Headless Linux Jump Client & Jumpoint Persistence The headless Linux Jump Client and Linux Jumpoint include an optional systemd
template file to enable easier system service creation on various Linux distributions.
Jump Authorization Requests As soon as it is not needed, an active authorization request can now be revoked by
the user who made the request, as can any approver.
Linux Jumpoint – VNC support The Linux Jumpoint supports VNC Jump Shortcuts.
Privileged Remote Access Users Can Approve Jump Requests Jump requests can be approved by selected Privileged Remote Access users in
addition to emails. This allows for better tracking and auditing of who approved a
given request.
Jump Client Access any Windows, Mac, or Linux system. Centrally manage and report on all
deployed Jump Clients. Where permitted by the endpoint's platform, elevated
functionality including File Transfer, Command Shell, and Registry Access can be
allowed by the administrator.
Jump Client Headless Support for Raspberry Pi OS Enables Raspberry Pi secure access to allow privileged users to connect to more
types of unattended systems, perform administrative actions, and secure who has
access to manage these devices. May work on any Raspberry Pi device that runs
Raspberry Pi OS, but only certified against Pi 3B+ and Pi 4B. Supported Operating
Systems:
- Raspberry Pi OS Desktop (2020-08-20-raspios-buster-armhf)
- Raspberry Pi OS Lite (2020-08-20-raspios-buster-armhf-lite)
Jump Client Upgrade Flexibility Administrators can control when their Jump Clients upgrade after upgrading their site
to a newer version. Administrators can also test the upgrades of a few endpoints
before rolling out the new version to the rest of their environment.
Jumpoint Access unattended Windows systems on a network, with no pre-installed client.
Connect through proxy servers by storing credentials. Unattended Linux systems,
with a Jump Point agent, can also be accessed through RDP and SSH sessions.
Jump Policies Approval – Time Overlap Jump Policy approvals can overlap, granting access to different users to the same
Jump Item simultaneously.
Linux Jumpoint – Protocol Tunneling The Linux Jumpoint supports the creation of Protocol Tunnel Jump Shortcuts.
Bring Your Own Tools – Jump Clients (Command Shell) This functionality enables users to leverage their existing native terminal for Jump
Client sessions without needing to use the solution's built-in functionality. A setting is
available in the access console to configure this extension of the BYOT functionality.
It is available for the access console only.

Bring Your Own Tools – RDP The Bring Your Own Tools functionality enables you to leverage your existing native
RDP tool for Remote RDP Jump Shortcuts, while maintaining the benefits of the
audit trail and session recordings. This setting enables Remote RDP Jump Shortcuts
to include existing native RDP functionality, expanding Jump Item capabilities and
improving user experience.
We have improved security and user experience when accessing non-domain linked
endpoints via RDP. This new functionality allows administrators to directly associate
non-domain linked accounts discovered via Jump Clients to RDP Jump Items for that
endpoint. The associated API functionality for this feature is also available, allowing
administrators to more easily scale and automate the associated administrative
tasks.
Bring Your Own Tools – SSH The Bring Your Own Tools functionality enables you to leverage your existing native
SSH tool for SSH Jump Items, while maintaining the benefits of the audit trail and
session recordings. This new setting enables SSH Jump Items to include existing
native SSH functionality, expanding Jump Item capabilities and improving user
experience. This functionality is available in the access console as a setting that can
be enabled or disabled. Administrators can control access to this feature using a
global setting in the /login interface located under Jump > Jump Items > Jump
Item Settings.
RDP Multi-Monitor Support View multiple monitors on the remote desktop. Traditional Remote RDP Jump
Shortcuts support more native RDP screen sizing and scaling of a session across
multiple monitors.
Jump Zone Proxy Use a Jumpoint as a proxy on a remote network to access systems that do not have
a native Internet connection. This feature has been enhanced to allow Linux systems
to be used as proxy servers. This functionality is no longer limited to Windows
Jumpoints.
Microsoft Remote Desktop Protocol (RDP) Integration Conduct remote desktop protocol (RDP) sessions through BeyondTrust. Users can
collaborate in sessions, and sessions can be automatically audited and recorded.
Settings in the access console allow users to connect with the resolution best suited
for their working environment.
Protocol Tunnel Jump Item API The Configuration API allows the creation, deletion, and modification of Protocol
Tunnel Jump Items within the system.
Scripted Jump Automatically start a session from an external program by initiating a Jump Item via a
script.
Shell Jump Connect to SSH/telnet-enabled network devices through a deployed Jumpoint. SSH
sessions can now support in-line multi-factor prompts following the user
authentication for added security to remotely access those systems requiring
additional multi-factor controls for more native functionality.
Web Jump Web Jump has been enhanced to support Linux Jumpoints.
Web Jump – Multi-tab Improvements The multiple-tab support for Web Jump sessions has been enhanced to allow users
to open additional tabs using a + click on the link. This is Ctrl+Click on Windows and
Linux and ⌘+Click on macOS. Additionally, users can specify whether the new tab
opens in the foreground or background.
VNC Integration Connect to VNC servers through BeyondTrust. Users can collaborate in sessions,
and sessions can be automatically audited and recorded.

Chat Communicate easily with teammates both in and out of shared sessions.
Session Chat Chat with other users in a shared session.
Spell Check Catch misspellings and view suggested corrections.
Team Chat Chat with all users on a team or with an individual.
The Team Chat feature within the access console has been enhanced to now
preserve the chat history. This allows users to pick up the conversations between
other team members so that the history is available when they log back into the
console. The administrator can configure a minimum time that this information is
replayed in the access console.

Features for Managers


Feature Description
User Management Centrally manage users and groups.
Access Console Device Verification Enforce the networks on which your access consoles may be used, or require two factor
authentication to log into the access console.
Access Invite Create profiles so that users can invite anyone – internal or external – into a shared session
with one-time, limited access.
Administrative Dashboard Oversee team activity, monitor users' access consoles, and join or take over sessions owned
by someone else.
Amazon Web Services (AWS) Deployment Option Matching customers' needs with different deployment options, the B Series Appliance is now
available in Amazon Web Services. Whether you are a new Privileged Remote Access
customer or an existing customer that has an initiative to move your on-premises B Series
Appliance to AWS, AWS deployment provides more options for your preferred deployment.
Application Sharing Restrictions Limit access to specified applications on the remote Windows or Linux system by either
allowing or denying a list of executables. You may also choose to allow or deny desktop
access.
BYOT Database Proxy Privileged Remote Access can now proxy the Microsoft SQL Server protocol, enabling
credential injection and improved auditing capabilities for Privileged Remote Access
customers. There is a new setting under Protocol Tunnel Jump items for Database Tunneling.
CLI Tool for APIs Privileged Remote Access customers now have a simpler method to leverage and interact with
the Configuration APIs using a new CLI tool provided by BeyondTrust. When bundled with our
expanded documentation, this new tool makes it easier to integrate your Privileged Remote
Access instance with cloud environments or other infrastructure. It is available in the API
Management section of /login.
Configuration APIs This set of APIs enables Privileged Remote Access administrators to automate and
orchestrate administrative tasks within /login and the Access Console. There are specific
methods exposed via an API that enable a programmatic way to create, list, update, and delete
certain configuration items in Privileged Remote Access. For example, administrators can use
the API to create local user accounts or delete Jump Clients that have been offline for a
specified number of days. Other enabled use cases include tasks for managing Jump Groups,
Jump Items, Vendor Groups and Users, Group Policies, Vault Accounts, Vault Account
Groups, and Personal Vault Accounts.
The Group Policy Configuration APIs (GET, POST, and PATCH) have been enhanced to allow
administrators to read and set the access permission settings.
The Configuration API documentation can be found under /login > Management > API
Configuration.
Privileged Remote Access administrators can now benefit more easily from the automation
and onboarding improvements that come with the usage of existing Configuration APIs. In this
release, these administrators now have prebuilt scripts that enable automation use cases more
simply for specific situations, particularly Jump Item management and automation with AWS,
AD, and Azure.

Configurable Login Banner Configure a banner to display before users can log into either the /login interface or the
/appliance interface. If the banner is enabled, then users attempting to access either /login or
/appliance must agree to the rules and restrictions you specify before being allowed to log in.
The Login Agreement can be presented as part of the access console as a granular setting.
Administrators can choose where this agreement is displayed, and the same message is
presented when launching the access console or accessing the web administration interface.
Delegate Password Administration Delegate the task of resetting local users' passwords to privileged users, without also granting
full administrator permissions.
Delegate User Management Administrators can create a group policy type to onboard and manage vendors and other
users. An assigned vendor admin for a policy can manage onboarding and offboarding of
managed users for that policy.
Administrators can define up to 50 vendor groups.
HTTP Outbound Event Enhancements Administrators can view the latest status of existing HTTP outbound recipients and have
visibility into the number of events queued for each configured recipient.
Vendor Onboarding Improved the user interface for vendor groups, providing more visibility and a streamlined
workflow for vendor management. Administrators can see users requiring immediate action,
and Vendor User expiration information can be displayed for each user.
Vendor Onboarding - User Registration Portal Administrators can enable Vendor Users to request or sign up for access through a
customizable portal page. This functionality is an addition to the Vendor Groups section on
the Users & Security > Vendors page. Administrators can create and customize portal pages
for specific vendors, allowing users to register for the access they need, when they need it. The
Vendor Portal can be restricted to specific email domains as well as existing network
restrictions for the vendor group. Vendor User self-registration through the Vendor Portal
always requires approval for user creation by the defined administrator of the vendor group.
Vendor Group Increase The vendor group limit is 100.
Vendors - PRA Admin Granularity PRA administrators have the option to delegate all notifications and workflow approvals to any
PRA user in an associated vendor group. PRA administrator privileges are still required to
change security and configuration settings for the vendor group. Previously, all vendor groups
required a full PRA administrator to be the recipient of notifications and approvals.
Vendor User Expiration Notification Vendor Users can be notified of an upcoming expiration date as well as of the expiration
itself. The PRA administrator or the PRA user overseeing the vendor group can extend a
Vendor User’s expiration date before it expires. Additionally, vendor administrators can
reactivate expired Vendor Users. In previous versions, user activation was limited to the PRA
administrator overseeing the vendor group.
Vendor User Password Reset Vendor Users can now receive a password reset link. Anyone who can edit the Vendor User
page can click the Email Password Reset Link button.
Notification and Approval Workflows Notification and approval workflows are available for user onboarding. This decreases manual
administration of vendor management and allows faster access for new users.
Message Broadcast Send a pop-up message to all users logged into the access console.
Multi-Factor Authentication Gain the security of multi-factor authentication for your local and LDAP user accounts by
enabling time-based, one-time passwords. When logging into BeyondTrust, users must
provide a one-time password generated by a separate device or authentication app.
Multiple /appliance User Accounts Create multiple user accounts for the /appliance interface. Set rules regarding account
lockouts and password requirements. SAML can also be used to log directly into /appliance.

SALES: www.beyondtrust.com/contact SUPPORT: www.beyondtrust.com/support DOCUMENTATION: www.beyondtrust.com/docs


Search Functionality in /login Users can search for specific sections and settings throughout the administrative interface.
This functionality allows easier discovery and access to various information and configuration
that would have previously been more difficult to find. This functionality is available everywhere
in the /login interface.
Scheduled Discovery The Vault administrator can define a preset day and time to automatically run Vault domain
discovery jobs. This feature can provide continuous visibility for administrators regarding
domain accounts, endpoints, and local accounts associated with discovery jobs. Accounts and
endpoints found in the new discovery job can then be imported into Vault for management.
Service Account Management Vault can discover and import Windows service accounts for management. Administrators can
leverage this new discovery functionality to gain visibility into the service accounts in the
domains managed by Vault, as well as the descriptions and associated services for the
accounts.
Session Permission Policies Customize session permissions to fit specific scenarios, not just specific users. You can
change the permissions allowed in a session based on the specific endpoint being supported.
Session permission policies provide flexibility in building the security model for each specific
scenario.
Session Policies for All Jump Items Administrators can assign session policies to all Jump Items, enabling additional granularity for
Jump Item policies.
Teams Create teams based on skill set or experience level.
Team Collaboration Define how multiple teams may interact.
Templates Copy an existing security provider, session policy, or group policy to create a new object with
similar settings. You also can export a session policy or group policy and import those
permissions into a policy on another site.
User Accounts Create an unlimited number of named user accounts.
User Account Details Reporting Export account information about your user accounts for auditing purposes.
User Collaboration Define session sharing options.
User Login Schedule Exert control over access console availability to specific users by restricting when users are
able to log in.
Vault Account Groups Vault administrators can organize Vault accounts into account groups, providing a better
management experience for Vault admins. Admins can assign account groups to group
policies, rather than only individual Vault accounts, and Vault accounts can be assigned to an
account group during the import process.
Vault Accounts associated with Endpoints Vault accounts are automatically associated with endpoints, providing a better user experience
when injecting credentials into Privileged Remote Access sessions. Admins use the Vault
Discovery and Import functions to bring accounts and endpoints under Vault management.
Once under Vault management, the credential-to-endpoint association automatically occurs
for the relevant Jump Items. Users are presented with the associated Vault accounts when
injecting during session initiation.
Vault – Auto Update Stale Data Discovery jobs can automatically detect and update stale read-only attributes on accounts,
endpoints, or services that have been onboarded into Vault.
Vault Bulk Rotation Users and administrators can select groups of Vault credentials and perform a password
rotation on all credentials in the selected group, with just one click. This functionality provides
administrators with a simple and efficient method to rotate user-selected groups of credentials
or all Vault credentials at once, making it simpler to manage large numbers of credentials with
Vault, while eliminating the need for time-consuming manual rotation of individual credentials.

Vault – Account Policies Vault account policies can be assigned to Vault accounts or Vault account groups, providing
administrators with additional granularity regarding Vault account settings. Vault account
policies can define whether the account is included in scheduled password rotation, the
account’s maximum password age, automatic rotation after check-in, and whether the account
is available for simultaneous checkout.
Vault - Account Rotation Azure AD Domain Services Privileged Remote Access enables organizations to properly manage and inject credentials
managed by Azure AD Domain Services. Administrators can now leverage the Vault to rotate
account credentials managed by Azure Active Directory Domain Services. This new
functionality is an addition to the existing ability to discover credentials managed by Azure AD
Domain Services.
Vault Configuration APIs List Vault accounts with the Vault Configuration API. Vault administrators can also create
generic username/password and username/SSH key accounts using the API. This provides a
programmatic way to onboard Vault accounts that can't be automatically discovered through
Domain Discovery (Active Directory).
Vault - Configurable Columns Vault administrators can customize and configure the columns which are shown on the Vault
Accounts page.
Vault-Configurable Password Length Vault administrators can define the password length requirements for Windows local, domain,
and Azure AD accounts currently managed by Vault. Administrators can define these
requirements by navigating to the /login > Vault > Options page.
Vault Domain Filtering Users can traverse Organizational Units (OUs) within the targeted Active Directory Domain
when using the Vault Discovery functionality. Vault Discovery allows administrators to discover
credentials in the specified network. Administrators can then import credentials into Vault,
enabling users to inject and use the discovered credentials within Privileged Remote Access
sessions. Being able to traverse the OUs provides greater flexibility, while saving time and
resources. Instead of running a general discovery to the domain, admins can specifically target
the OUs of the teams and credentials that they wish to manage with Vault, decreasing the
amount of managed credentials in Vault, and making it easier to use and control the most
important credentials.
Vault – Jump Item Association Administrators can limit the credentials available for injection in a Jump session by associating
Vault accounts and Vault account groups with Jump Items. Associations can be direct or
dynamic with the help of match criteria based on Jump Item properties.
Vault Personal Accounts All Privileged Remote Access users can create private generic accounts in their own private
Vault. This functionality allows users to manage their own Vault accounts privately for use
during Privileged Remote Access sessions. The maximum number of personal accounts per
user is 50.
Vault - Search Discovery Results The Vault Discovery Results page in /login provides a search field to make it easier to find
the endpoint, account, or service you're looking for. The discovery results also include two
additional endpoint columns: Distinguished Name and Operating System name.
Vault Scalability Vault can now import, rotate, and manage up to 60,000 accounts.
Vault - Windows Service Account Rotation Vault can rotate Windows service accounts (local and domain). In addition to account rotation,
Vault can restart any services associated with the service account. This feature provides Vault
administrators with visibility and control over Windows services and service accounts,
improving their security posture and quality of service. Service cluster password rotation is not
supported in this release.

Jump Client Discovery and Rotation Jump Clients can perform discovery and rotation of local credentials (Windows only). This
functionality allows administrators to manage machines individually and set who has access to
those machines without the need to set up a local or shared account on the remote system.
This feature complements the use of Jumpoints in the network for domain-based rotation
while also allowing more individual control over smaller groups of machines.
Access Console Toolset Equip your users with the specific access tools they need.
Canned Scripts and Custom Special Actions Create command shell scripts and custom special actions for users to run during sessions,
increasing efficiency by automating common processes.
Centralized Access Console Settings Define the access console settings for your entire organization. Enforce settings to ensure a
consistent experience.
Jump Technology Create Jump Item Roles to easily assign sets of Jump Item permissions to users.
Collect Jump Items into Jump Groups, granting members varying levels of access to those
items.
Set expiration dates for Jumpoints.
Create Jump Policies to enforce when Jump Items can be accessed, if a notification of access
is sent, or if approval must be granted prior to access.
Jump Clients unable to connect to the B Series Appliance are automatically marked as lost,
allowing an administrator to diagnose the reason for the lost connection. Both the lost date and
the date at which a Jump Item is deleted can be configured.
After a software update, Jump Clients update automatically. Users can see which Jump Clients
have completed upgrade and can access them right away. While a Jump Client is awaiting
upgrade, users can still modify properties without having to wait for the upgrade to complete.
Post Session Lock Set the endpoint client to automatically lock or log out the remote Windows computer when an
elevated session ends.
User Permissions Restrict or enable toolset components (e.g., View or Control, File Transfer, System Information,
etc.).
Reports Report on all session activity; customize, filter and export reports.
Report Sort Order Changed Items listed on the Reporting pages are ordered from newest to oldest.
Endpoint Surface Analyzer Know and control how critical endpoints are accessed throughout your organization. Be aware
of the listening network port exposure for systems that you manage. Report and keep a
running log of critical endpoint network exposure.
Policy-Based Recordings Disable recordings at the Jump Policy level. If this option is checked, sessions started with this
Jump Policy are not recorded, even if recordings are enabled on the Configuration > Options
page. This affects screen sharing, user recordings for Protocol Tunnel Jump, and command
shell recordings.
License Reporting and Auditing Keep track of the number of endpoint licenses used. You can download a zip file containing
detailed information on your BeyondTrust license use. This file contains a list of all Jump Items
(not counting uninstalled Jump Clients), daily counts for Jump Item operations and license
usage, and a summary for the B Series Appliance and its endpoint license usage and churn.
RDP Session Forensics A setting for RDP Jump Items provides administrators with additional logging details for RDP
Jump sessions. Users can leverage this functionality by enabling the Session Forensics
setting in the RDP Jump Item properties. This feature captures additional session events, such
as Focused Window Changed Event and Mouse Click Event. RDP Session Forensics
enhances security by providing administrators with RDP Jump session details that previously
were only supported in Jump Client sessions.

Reporting Permissions Manage each user's reporting privileges.
Jump Item Reporting Administrators can now leverage a new report type specific to the administration and
configuration of Jump Items. For example, reports can be run for historical Jump Item events,
such as creation, deletion, copy, move, etc.
Session Forensics Session Forensics is a powerful feature that allows you to search across all sessions based on
session events. The feature empowers administrators to quickly and effectively identify critical
security events, and aids in the prevention of potential security breaches, as well as evidence
discovery. Searchable events include chat messages, file transfer, registry editor, session
foreground window changed, and shell recordings. Successful matches in stored shell
recordings automatically take the user to that point in time in the recording.
Session Reports View details of each session. Session reports include basic session information along with
links to session details, chat transcripts, and video recordings. Also included are details
regarding the Access Approver Name, Email Address, and Comments for sessions that
require approval. Additionally, the session report contains the Request Reason for sessions
that require users to specify a reason for their access request.
Session Recording Videos Record and view annotated videos of sessions, including command shell sessions.
Summary Reports See an overview of user activity over time.
Team Activity Reports View details of activity within a team, including login and logout times, team chats, and files
shared.
GDPR Pseudonymization Support Allow your organization to meet its GDPR initiatives with pseudonymization and consent
support in BeyondTrust. BeyondTrust administrators can respond to Right to Erasure requests
by searching for specific criteria supplied by the requester. Once reviewed, the results can be
anonymized with an automatically generated term or a custom replacement.
Session Anonymization Improvement Administrators using the anonymization functionality can now run additional anonymization
jobs on the same session reports in case a detail was missed in the initial effort. This helps
administrators honor a user's right to erasure requests more quickly.
Updates
Auto-Update Process for Hardened Linux During the update process, clients now download the update to their own install location and
begin the update from there. By executing from the same location, the proper permissions are
already in place and allow the update process for hardened Linux systems to be more
seamless for Privileged Remote Access administrators.

Features for System Administrators


Feature Description
Mass Deployment Install BeyondTrust applications on multiple systems simultaneously.
Extractable Access Console Download a mass-deployable access console to distribute to users prior to or in parallel with
upgrading the B Series Appliance.
Mass Deployment Installers Create mass deployable installer packages for access consoles and Jump Clients.
Mass Import of Endpoints When creating a large number of Jump shortcuts, you can import them via a spreadsheet in the
/login interface or via the API. Importing Jump Items saves time and effort over manually
adding each one in the access console.
Identity Management Define BeyondTrust accounts using existing data on directory servers.
LDAP/Active Directory Use LDAP/Active Directory to manage BeyondTrust users.
RADIUS [Multifactor] Use RADIUS for authentication.
Kerberos [Single Sign-on] Use Kerberos for single sign-on.
Let's Encrypt Support Let's Encrypt is a service provided by the Internet Security Research Group (ISRG). It is a free,
automated, and open certificate authority (CA). In /appliance, you can request and
automatically renew SSL/TLS certificates used by your B Series Appliance. Let's Encrypt is
configured in the SSL/TLS Configuration section in /appliance for on-premises deployments
and the Appliance tab for Cloud deployments.
SAML [Single Sign-on] Use SAML with an Identity Provider to authenticate BeyondTrust users. Admins can configure
launching the /login or the /console interface after using an IdP. SAML can also be used to log
directly into /appliance.
SAML Security Provider API The Configuration API can enable updates to the available group names within a SAML
provider. This facilitates automating the onboarding of new user groups.
Password Managers Use a password manager such as 1Password or LastPass to log into a mobile access console.
SCIM [Provisioning] Use SCIM for user provisioning.
TLS 1.3 Protocol Transport Layer Security (TLS) protocol 1.3 is used to ensure secure communication between
browsers and webservers. Symmetric cryptography is used to encrypt the data transmitted.
The keys are uniquely generated for each connection and are based on a shared secret
negotiated at the beginning of the session.
Outbound Proxy Support A proxy server can be used to send outbound events to a single destination rather than
multiple applications. This feature allows administrators to control dataflow from B Series
Appliances for outbound events and APIs. This feature allows you to test the connection to
verify your settings are correct.
Backup and Redundancy Monitor and back up the B Series Appliance.
Backup Integration Client Schedule automatic retrieval and storage of software backups.
B Series Appliance Failover Define and automate redundancy and failover options.
BeyondTrust Atlas Cluster Technology Atlas technology is available for Privileged Remote Access. With Atlas technology,
organizations can manage multiple B Series Appliances across the globe from a single
administration interface.
NIC Teaming Combine your system's physical network interface controllers (NICs) into a single logical
interface, adding an additional layer of fault tolerance for your B Series Appliance.

Appliance Migration Migrate from one appliance type to another.
Appliance Migration Tool Administrators can use the application migration tool to move from an on-premises appliance
to a cloud-based appliance, as well as migrate from a physical appliance deployment to a
different deployment type. This functionality can be set up under the new section at /login >
Management > Software > Site Migration. It allows API-based communication between the
appliances and supports migrations from version 19.2.4 to current.
Integration Integrate BeyondTrust with external systems.
BeyondInsight Integration: Reporting and Session Details Administrators can leverage the BeyondInsight platform for session details and reports of
Privileged Remote Access sessions. This integration includes a Dashboard view for Privileged
Remote Access sessions, which users can access in the BeyondInsight interface.
Administrators who utilize the existing reporting functionality of /login can continue to view
session details, reports, and session recordings in the /login interface.
DevOps Secrets Safe Integration This functionality allows for an integration to DevOps Secrets Safe in the /appliance interface,
expanding the options for storing secrets off the appliance for expanded security.
Change Management Workflow Integrations BeyondTrust access requests can now require a Ticket ID to be entered as part of the request
process. Once entered, the request is sent to your change management system where it can
programmatically be denied or allowed using the BeyondTrust API.
Custom Links Configure custom links to include a variable for a session's external key, pointing the URL to an
associated CRM record. A user can access this link from within a session.
API Integrate with external systems and set API permissions.
Custom Fields Create custom API fields to gather information about the endpoint, enabling you to more
deeply integrate BeyondTrust into your organization. You can also make fields and their values
visible in the access console.
Password Safe Integration – External Jump Group – Multiple Jumpoints The External Jump Groups integration with BeyondTrust Password Safe provides users with a
simple workflow to extend access capabilities to systems managed by BeyondTrust Password
Safe via RDP and SSH. Administrators can define multiple Jumpoints for flexible access to
managed systems within Password Safe. It also includes reporting enhancements related to
credential injection events.
SNMP Monitoring Monitor the B Series Appliance using Simple Network Management Protocol (SNMP). You can
set up SNMP v3 and v2 on the /appliance interface.
Syslog Integration Send log messages to an external syslog server.
Integration Client Transfer session logs, session recordings, and software backups from the B Series Appliance
to an external system. Supported systems are Windows-based file systems and Microsoft SQL
server. Schedule data transfers to take place automatically.
Governance Integration Utilize SCIM 2.0 REST Endpoints to provision users and groups to the available security
providers.

For more information on DevOps Secrets Safe Integration, please see Secure Secrets Management for Enterprise DevOps at
https://www.beyondtrust.com/resources/datasheets/devops-secrets-safe.

Additional Integration Options


Additional integration options are available to BeyondTrust customers. Some integrations must be purchased separately from the
BeyondTrust software. Contact BeyondTrust Sales for details.

Integration Option Requirements


Service Desk/Systems Management Integrations Contact BeyondTrust Sales.
Automate your integration of BeyondTrust with various service desk and systems management tools by requesting pre-packaged integration adapters,
drastically reducing integration time.
CRM/Ticketing Integration BeyondTrust API 1.19.0+. For a list of which API versions correspond with which BeyondTrust software versions, see
www.beyondtrust.com/docs/privileged-remote-access/how-to/integrations/api/api-version-reference.htm
Use the BeyondTrust API to create a simple integration between your CRM and BeyondTrust, allowing users to access a CRM record directly from the
BeyondTrust access console.
3rd Party Professional Integration Services Contact BeyondTrust Sales for references.
Because BeyondTrust's API and Integration Client conform to industry protocols,
it is possible for customers to contract with a third-party professional services
provider to outsource integration needs.
BeyondTrust Professional Services Contact BeyondTrust Sales.
Contract with BeyondTrust for custom integration needs.
Security Products Contact BeyondTrust Sales.
Programmatically import BeyondTrust access control logs into your SIEM tool
and leverage your password management solution for privileged endpoints.
