# Installing PAM360 Agent on Remote Devices

The PAM360 agent can be deployed on remote devices to facilitate PAM360-related operations or to collect device data for implementing a Zero Trust security model, depending on the installation option selected. This guide offers comprehensive instructions for installing the PAM360 agent on remote devices that are not directly connected to the PAM360 server.

By the end of this guide, you will be able to install, manage, and uninstall the agent on Windows, Windows Domain, Linux, and macOS systems, as well as configure the required agent settings.

Ensure you have an account with sufficient administrative privileges on the target system for installation and further modifications. After downloading the PAM360 agent, extract the files onto the target machine where the agent will be installed.

**Additional Detail**

The PAM360 agent can also be installed in bulk using SCCM, GPO, or Endpoint Central. Refer to [this document](https://download.manageengine.com/privileged-access-management/images/resources/agentbulk-installation.pdf) for more details.

At the end of this document, you will have learned the following topics in detail:

1. [Configuring the PAM360 Agent Settings](#Configuring_Agent_Settings)
2. [Installing the Windows/Windows Domain Agent](#Installing_Windows_or_Windows_Domain_Agent)
3. [Installing the Linux Agent](#Installing_Linux_Agent)
4. [Installing the macOS Agent](#Installing_macOS_Agent)

**Caution**

- Administrative or root privileges on the target system are required to manage the PAM360 agent using the following operations or commands.
- Ensure that both the privileged account and the user account have full permissions for the folder where the agent is installed.

## 1. Configuring the PAM360 Agent Settings

**Applicability**

The agent settings configuration applies to builds prior to 7500. For builds starting from 7500, the agent settings can be customized from the PAM360 web interface after completing the agent installation on the target server (Windows and Windows Domain). Once installed, navigate to Admin >> Agents >> Manage Agents, and click **Edit** under **Agent Actions** next to the corresponding agent to update its settings. For more details, refer to [this document](https://www.manageengine.com/privileged-access-management/help/agent-operations.html#edit).

While installing the PAM360 Windows agent, the agent properties are displayed on the agent installation wizard, allowing you to modify the parameters during installation. For Linux and macOS agents, the agent properties can only be updated by editing the `agent.conf` or `agent.json` file.

Open the **agent.conf** / **agent.json** file from the downloaded agent package. Below are the parameters listed in the agent file, many of which can be customized:

1. **AgentType:** Denotes the type of agent, i.e., agent with PAM360 features.
2. **ServerName:** The server/IP address that the PAM360 agent will contact.
3. **ServerPort:** The port on which the PAM360 server is running. If you have changed the default port (e.g., to 443), update it here.
4. **ScheduleInterval:** By default, the agent pings the server every 60 seconds. Modify the value (in seconds) as needed.
5. **UserName:** The admin user account under which the agent server will be added as a resource.
6. **OSType:** Denotes the OS to which the agent belongs - Windows/Windows Domain/Linux.
7. **TrustedCertifcate:** If you do not have a valid SSL certificate for the PAM360 server, update this value to `no`.
8. **IncludeDisabledAccounts:** Indicates whether disabled accounts on the resource should be included during account discovery. Set this to **False** to exclude disabled accounts. Applicable only to the Mac agent.

### 1.1 Filtering Accounts by Agent

PAM360 allows restriction of user accounts added via agents (C# and Go) during account discovery using regex patterns. Use the following commands:

- **UserQuery:** To filter accounts in Linux (Go Agent).

```bash
UserQuery = "awk -F: '$1 ~ /^admin.*/ {print$1}' /etc/passwd"
```

*To discover accounts that start with `admin`.*

- **accountFilter:** To filter accounts in Windows/Windows Domain (C# Agent).

```bash
accountFilter = ^admin.*
```

*To discover accounts that start with `admin`.*

**Caution**

Windows Domain agent will not automatically add user accounts unless you specify the pattern in the account filter.

- **fetchDisabledAccount:** To fetch disabled accounts in Windows/Windows Domain (C# Agent).

```bash
fetchDisabledAccount = True
```

The commands **UserQuery**, **accountFilter**, and **fetchDisabledAccount** are applicable only for build 5301 and later. After modifying any of these parameters, restart the agent service.

## 2. Installing the Windows/Windows Domain Agent

### 2.1 Installation using Agent Installer

To install the Windows/Windows Domain agent, run the downloaded `PAM360AgentInstaller.exe` with administrator privileges. For builds prior to 7500, navigate to the downloaded agent folder and run `AgentInstaller.exe` with administrator privileges.

On the PAM360 **Agent Installer** wizard:

1. Select **Install**, enter the **Installation Key**, and verify the **Installation Path**. Click **Next**.

**Applicability**

Starting from build 7500, the PAM360 agent is installed by default in:

**C:\Program Files (x86)\ManageEngine**

![pam360-agent](https://cdn.manageengine.com/sites/meweb/images/privileged-access-management/help/pam360-agent-1.webp)

2. Enter or modify agent settings such as **Resource Type**, **Server Name**, **Port**, **Schedule Interval**, and **Resource Owner**. Enabling **Include Disabled Accounts** includes all disabled accounts in the resource.

![pam360-agent-2](https://cdn.manageengine.com/sites/meweb/images/privileged-access-management/help/pam360-agent-2.webp)

3. Choose the appropriate **Usage Type**:
   - **User Device:** For fetching device data for user trust score calculation. Enter the PAM360 username.
   - **Resource:** For fetching device data for resource trust score calculation or performing PAM360 operations.

**Caution**

If **Usage Type** is set to **User Device**, the **Zero Trust** module is selected by default. Devices installed with **User Device** will not be added as resources in PAM360. Operations such as **Self-Service Privilege Elevation** and **Password Management** will not apply.

4. If **Usage Type** is **Resource**, enable required modules:

   i. **Manage Passwords:** Verify or reset account passwords.  
   ii. **Self-Service Privilege Elevation:** Configure privilege elevation. See [self-service privilege elevation](https://www.manageengine.com/privileged-access-management/help/sspe-windows.html).  
   iii. **Zero Trust:** Requests system data for [resource trust score](https://www.manageengine.com/privileged-access-management/help/zerotrust.html#Installing_PAM360_Agent).  
   iv. **SSL Management:** Perform [certificate management](https://www.manageengine.com/privileged-access-management/help/ssl-agent.html).  
   v. **System Event Logging:** Monitor [system events](https://www.manageengine.com/privileged-access-management/help/session-events.html).  
   vi. **Keystroke Logging:** Record user [keystrokes](https://www.manageengine.com/privileged-access-management/help/session-events.html).

5. By default, **SSL Certificate Installed** is set to **Yes**. If no valid SSL certificate is installed, change it to **No** and click **Next**.

**Caution**

If set to **Yes** without a valid SSL certificate, the **Test Server Connection** will fail.

6. On the **Operations** page, verify prerequisites and click **Install**.

![pam360-agent-3](https://cdn.manageengine.com/sites/meweb/images/privileged-access-management/help/pam360-agent-3.webp)

You have now successfully installed the agent.

**Additional Details**

- By default, all files and applications (.exe, .msc, .msi, .cmd, .bat) will show **Run as PAM360 Privilege Account** in the right-click menu. Elevation applies only to configured applications.
- When Self-Service Privilege Elevation is enabled, the agent will not appear in the services console.

To update the agent, repeat the installation procedure and select **Reinstall**.

![pam360-agent-4](https://cdn.manageengine.com/sites/meweb/images/privileged-access-management/help/pam360-agent-4.webp)

### 2.2 Installation using Command Prompt

**Caution**

- Ensure the `agent.conf` file contains correct values.
- If no valid SSL certificate exists, set `TrustedCertificate` to `no`.

To install:

1. Open Command Prompt with administrator privileges.
2. Navigate to the agent directory and execute:

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 1,2,3,4,5,6
```

Install for password management, privilege elevation, zero trust, SSL management, system events logging, and keystroke logging.

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 1
```

Password management only.

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 2
```

Self-service privilege elevation.

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 3
```

Resource trust score calculation.

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 4
```

SSL management.

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 5
```

System event logging.

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> 6
```

Keystroke logging.

```bash
AgentInstaller.exe install <Agent Key copied from the PAM360 UI> userdevice <PAM360 username>
```

User trust score calculation.

To update, replace `install` with `update`.

To start/stop:

```bash
AgentInstaller.exe start
```

```bash
AgentInstaller.exe stop
```

## 3. Installing the Linux Agent

**Caution**

- Ensure `agent.conf` contains correct values.
- Set `TrustedCertificate` to `no` if no valid SSL certificate exists.

**Additional Details**

- Supports Linux flavors with default OpenSSL library.
- Works with most Linux distributions.

### Installation Steps

1. Open Terminal with administrator privileges.
2. Navigate to the agent directory.

**Applicability (Build 7500 and later)**

If the file is `PAM360GOAMD64LinuxAgent.bin`:

```bash
chmod a+x PAM360GOAMD64LinuxAgent.bin
sudo ./PAM360GOAMD64LinuxAgent.bin
```

If the file is `PAM360GOARM64LinuxAgent.bin`:

```bash
chmod a+x PAM360GOARM64LinuxAgent.bin
sudo ./PAM360GOARM64LinuxAgent.bin
```

Then execute:

```bash
sh installAgent-service.sh install <Agent Key copied from the PAM360 UI> 1,2,3
```

Password management, privilege elevation, zero trust.

```bash
sh installAgent-service.sh install <Agent Key copied from the PAM360 UI> 1
```

Password management.

```bash
sh installAgent-service.sh install <Agent Key copied from the PAM360 UI> 2
```

Self-service privilege elevation. See [self-service privilege elevation](https://www.manageengine.com/privileged-access-management/help/sspe-linux.html).

```bash
sh installAgent-service.sh install <Agent Key copied from the PAM360 UI> 3
```

Resource trust score calculation.

```bash
installAgent-service.sh install <key> userdevice <PAM360 username>
```

User trust score calculation.

To update, replace `install` with `update`.

To start/stop:

```bash
sh installAgent-service.sh start
```

```bash
sh installAgent-service.sh stop
```

## 4. Installing the macOS Agent

**Caution**

- Ensure `agent.json` contains correct values.
- Set `TrustedCertificate` to `no` if no valid SSL certificate exists.

### Installation Steps

1. Access the resource with root privileges and extract the agent package.
2. Open Terminal, navigate to the extracted folder, and execute:

```bash
sh installMacAgent-service.sh install <Agent Key copied from the PAM360 UI>
```

3. After installation, navigate to:

**Library >> ManageEngine >> macOS Agent**

To start/stop:

```bash
sh installMacAgent-service.sh start
```

```bash
sh installMacAgent-service.sh stop
```

To uninstall:

```bash
sh installMacAgent-service.sh uninstall
```

To reinstall:

```bash
sh installMacAgent-service.sh reinstall <Agent Key copied from the PAM360 UI>
```