Add-on installation command-line options
This section describes syntax requirements, and MSI features and property options for installing add-on software from the command line or using a Windows Installer Transform file.
For more information on running msiexec at the command line, see https://docs.microsoft.com/en-gb/windows/desktop/Msi/command-line-options.
Selecting features
You use the ADDLOCAL parameter to set which features you want installed. The format for the ADDLOCAL parameter on the command line is:
ADDLOCAL=<feature>,<feature>,...
Selecting an add-on selects the parent feature as well.
Setting parameters
If using the command line, you can specify parameters for non-interactive installation, or preset values for interactive installation. The syntax for setting parameters on the command line is:
<addon>.msi <parameter>=<value> <parameter>=<value>
Key-value pairs must be separated by spaces. If a value contains spaces, the value must be enclosed in double quotes.
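As an added example (not from the product documentation), the following PowerShell function builds an msiexec argument list from a feature list and a property table according to the rules above: ADDLOCAL is a comma-separated list, property pairs are space separated, and every value is double-quoted so that values containing spaces survive. It also refuses to combine INSTALLLEVEL with ADDLOCAL, which the installer tables later on this page state are mutually exclusive. The intcpt-x64.msi path, server name, target ID and log path in the usage lines are placeholders.

```powershell
# Added example, not part of the product documentation.
# Builds the msiexec argument list for an add-on MSI from the command-line
# rules on this page: ADDLOCAL=<feature>,<feature>,... selects features,
# <PROPERTY>=<value> pairs are space separated, and a value that contains
# spaces must be enclosed in double quotes (quoting every value is safe).
function New-MsiArgumentList {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string[]]  $Features   = @(),
        [hashtable] $Properties = @{},
        [switch]    $Silent,            # adds /qn (no UI)
        [string]    $LogPath            # adds /log <logfile>
    )

    # INSTALLLEVEL and ADDLOCAL are mutually exclusive for these installers.
    if ($Features.Count -gt 0 -and $Properties.ContainsKey('INSTALLLEVEL')) {
        throw 'INSTALLLEVEL and ADDLOCAL are mutually exclusive; use one or the other.'
    }

    $msiArgs = [System.Collections.Generic.List[string]]::new()
    $msiArgs.Add('/i')
    $msiArgs.Add('"{0}"' -f $MsiPath)

    if ($Features.Count -gt 0) {
        # Comma separated, no spaces around the commas
        $msiArgs.Add('ADDLOCAL=' + ($Features -join ','))
    }

    foreach ($name in ($Properties.Keys | Sort-Object)) {
        # PROPERTY="value": the quotes are required whenever the value has spaces
        $msiArgs.Add('{0}="{1}"' -f $name, [string]$Properties[$name])
    }

    if ($Silent)  { $msiArgs.Add('/qn') }
    if ($LogPath) { $msiArgs.Add('/log'); $msiArgs.Add('"{0}"' -f $LogPath) }

    return $msiArgs.ToArray()
}

# Usage (placeholder values): typical interceptor install, silent, with a log file.
$argList = New-MsiArgumentList -MsiPath 'C:\deploy\intcpt-x64.msi' `
    -Features INTCPTFEATURE, PASSWORDFILTERFEATURE `
    -Properties @{ PMSERVER = 'pass.example.com'; PMPORT = 3344; TARGETID = 'AD-EXAMPLE' } `
    -Silent -LogPath 'C:\deploy\logs\intcpt-install.log'

$argList -join ' '    # review the exact command line before running it
Start-Process -FilePath msiexec.exe -ArgumentList $argList -Wait -PassThru |
    ForEach-Object { "msiexec exit code: $($_.ExitCode)" }
```

Keeping the argument list as an array (rather than one concatenated string) means each `PROPERTY="value"` token is passed to msiexec exactly as built, and the joined line can be logged or reviewed before the install runs.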
For details on individual installers, see:
Local Workstation Service software
You can use command line options to install Bravura Privilege client software silently on Windows workstations. You must specify a Bravura Privilege server if no INF file is available. If other options are not included, default values are used.
If the idmsetup.inf file has been generated for this local workstation installation, and is present in the directory the MSI is installed from, the hipamlws MSI automatically populates all available parameters from it.
You can use the local workstation service package installation page to export the hipamlws*.msi file as well as the idmsetup.inf file.
The idmsetup.inf file can be edited to change any pre-generated parameter value, or to add other values, to simplify the msiexec command line in the deployment package. The Bravura Privilege URL auto-generated in idmsetup.inf is based on Manage the system > Workflow > Email configuration > BASE IDSYNCH URL, which should be the server address where end users and LWS systems can reach the Privilege app. This is usually the server name of the load balancer used to reach the Privilege app.
In order for the msiexec installer to load the idmsetup.inf and populate MSI parameters, the .inf file must be in the same location as the .msi file, and msiexec must be started from that directory.
The values provided to the LWS at install time are saved in registry entries on the system where the LWS is being installed, and they become the default configuration for that LWS from service/laptop/workstation startup until the LWS can contact the Bravura Privilege server to collect the centrally configured values.
Property | Description |
---|---|
AUTHKEY | The unencrypted authentication key. This is the Authentication key that was entered when Bravura Privilege was first installed. While this parameter can be used in manual execution, it is never recommended to use an un-encrypted, plain-text authentication key in a deployment script. For automated deployment, consider using AUTHKEY_ENC. |
AUTHKEY_ENC | The encrypted authentication key. This can only be retrieved from the |
INSTALLDIR | Target directory to install. You should leave this as the default <Program Files path>\Bravura Security\hipamlws\. |
SERVER | Specify the Bravura Privilege server address and cgi path. The format should be: "http://<server>/<instance>/cgi/pamlws.exe" . |
PROXY | Proxy server if client services must contact Bravura Privilege through a proxy. The format is <address:port>. The default is to use values configured in the browser settings. |
VERIFY_CERT | Use SSL connection. Set to 1 if your Bravura Privilege server is running HTTPS. Set to 0 if it is not. The default is 0. |
DISABLE_SERVICE | Set this property to 0 to enable the Privileged Access Manager Local Workstation Service ( |
DEFER_INITIAL_START_SERVICE | Postpone running the Local Workstation Service until system restart. The default is 0. If you set this to 1 (true) the DISABLE SERVICE property must be set to 0 (false). |
INITIAL_POLL_DELAY | Set the initial delay time in seconds. The default is 3600 seconds. Setting this value causes the managed system to wait for the initial delay time to pass before attempting the first poll to the Bravura Privilege server following the installation of the Local Workstation Service. |
CUST_ATTR_FILE | Specify the path of the customized attribute file. This is optional. |
WS_ID | Specify the managed system ID that will be used. The default value for this is blank, and the Bravura Privilege server will use the system’s virtualdnshostname for its ID. |
REREGISTER | Specify if the system is reinstalling the Local Workstation Service or not. The default is 0. If the system was previously discovered on the Bravura Privilege server this value needs to be set to 1 (true), otherwise it will be treated as a system with a conflicting ID and the Local Workstation Service will be shut down. |
PAMLWS_EPO | Set ADDLOCAL=PAMLWS_EPO to enable integration with McAfee ePolicy Orchestrator. |
DEFAULT_RESYNC_INTERVAL | Set default resynchronization interval on client upon install. |
DEFAULT_POLL_TIME | Set the default poll time in seconds upon installation of the Local Workstation Service. The default is 300 seconds. This value will be overridden by received configurations from the Bravura Privilege server. |
DEFAULT_ATTRIBUTE_UPDATE_DELAY | Set the default attribute update delay in seconds upon installation of the Local Workstation Service. The default is 3600 seconds. This value will be overridden by received configurations from the Bravura Privilege server. |
UPDATE_INTERVAL | Set the configuration update interval in seconds upon installation of the Local Workstation Service. The default is 86400 seconds. This value will be overridden by received configurations from the Bravura Privilege server. |
Note
If the installation fails, an event viewer error message is displayed. To produce a log file, you can use the /log <logfile> option at the end of the install command.
The following are examples:
For installing on a "golden image" to deploy on many laptops or workstations, with the LWS deferred, and disabled so it does not install right away and cause issues with duplicate tokens:
hipamlws-win.msi INSTALLDIR="C:\Program Files\Bravura Security\Hipamlws" AUTHKEY_ENC="0123456789abcdef0123456789abcdef" SERVER="http://privilege.example.com/paminstance/cgi/pamlws.exe" PROXY="" VERIFY_CERT="1" DISABLE_SERVICE="1" DEFER_INITIAL_START_SERVICE="1" INITIAL_POLL_DELAY="3600" /qn
For non-SSL installation for testing purposes:
hipamlws-win.msi INSTALLDIR="C:\Program Files\Bravura Security\Hipamlws" AUTHKEY="0123456789abcdef0123456789abcdef" SERVER="http://10.0.xxx.xxx/paminstance/cgi/pamlws.exe" PROXY="" VERIFY_CERT="0" DISABLE_SERVICE="0" DEFER_INITIAL_START_SERVICE="1" INITIAL_POLL_DELAY="3600" /qn
To disable the Local Workstation Service after installation:
hipamlws-win.msi INSTALLDIR="C:\Program Files\Bravura Security\Hipamlws" AUTHKEY_ENC="ad452da2491e543f6f4754193922ffd893019916cabfde71" SERVER="http://10.0.xxx.xxx/idsynch/cgi/pamlws.exe" PROXY="" VERIFY_CERT="1" DISABLE_SERVICE="1" DEFER_INITIAL_START_SERVICE="0" INITIAL_POLL_DELAY="3600" /qn
To disable the Local Workstation Service after installation but defer starting the service until system restart:
hipamlws-win.msi INSTALLDIR="C:\Program Files\Bravura Security\Hipamlws" SERVER="http://10.0.xxx.xxx/idsynch/cgi/pamlws.exe" PROXY="" VERIFY_CERT="1" DISABLE_SERVICE="0" DEFER_INITIAL_START_SERVICE="1" INITIAL_POLL_DELAY="3600" /qn
To re-register the Local Workstation Service:
hipamlws-win.msi INSTALLDIR="C:\Program Files\Bravura Security\Hipamlws" AUTHKEY_ENC="ad452da2491e543f6f4754193922ffd893019916cabfde71" SERVER="http://10.0.xxx.xxx/idsynch/cgi/pamlws.exe" PROXY="" VERIFY_CERT="1" DISABLE_SERVICE="0" DEFER_INITIAL_START_SERVICE="1" INITIAL_POLL_DELAY="3600" REREGISTER="1" /qn
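The following PowerShell function is an added deployment example, not part of the product documentation. It applies the rules from this section: it runs msiexec from the package directory so that an idmsetup.inf beside the MSI is picked up, falls back to SERVER and AUTHKEY_ENC only when no .inf is present, never accepts the plain-text AUTHKEY, keeps DISABLE_SERVICE=0 whenever DEFER_INITIAL_START_SERVICE=1 (as the property table requires), writes a log with /log, and checks the msiexec exit code. The package directory, server URL and encrypted key value are placeholders; the exit codes 0 and 3010 are the standard Windows Installer success and reboot-required codes.

```powershell
# Added example, not part of the product documentation. Package directory,
# server URL and key values are placeholders.
function Install-BravuraLws {
    param(
        [Parameter(Mandatory)] [string] $PackageDir,   # contains hipamlws-win.msi and, optionally, idmsetup.inf
        [string] $Server = 'https://privilege.example.com/paminstance/cgi/pamlws.exe',
        [string] $AuthKeyEnc,          # AUTHKEY_ENC; the plain AUTHKEY never belongs in a deployment script
        [switch] $DeferStart,          # DEFER_INITIAL_START_SERVICE=1 (requires DISABLE_SERVICE=0)
        [switch] $Reregister,          # REREGISTER=1 for a system the server has already discovered
        [int]    $InitialPollDelay = 3600
    )

    $msi = Join-Path $PackageDir 'hipamlws-win.msi'
    $inf = Join-Path $PackageDir 'idmsetup.inf'
    if (-not (Test-Path $msi)) { throw "MSI not found: $msi" }

    # idmsetup.inf is loaded only when it sits beside the MSI and msiexec is
    # started from that directory; with no .inf, SERVER and AUTHKEY_ENC must be given.
    $haveInf = Test-Path $inf
    if (-not $haveInf -and -not $AuthKeyEnc) {
        throw "No idmsetup.inf in $PackageDir; supply -AuthKeyEnc (and -Server)."
    }

    $props = [ordered]@{
        # VERIFY_CERT=1 only for an HTTPS server (pass -Server with the same
        # scheme as the .inf when the .inf supplies SERVER)
        VERIFY_CERT                 = [int]($Server -like 'https://*')
        DISABLE_SERVICE             = 0
        DEFER_INITIAL_START_SERVICE = [int]$DeferStart.IsPresent
        INITIAL_POLL_DELAY          = $InitialPollDelay
        REREGISTER                  = [int]$Reregister.IsPresent
    }
    if (-not $haveInf) {
        $props['SERVER']      = $Server
        $props['AUTHKEY_ENC'] = $AuthKeyEnc
    }

    $logPath = Join-Path $env:TEMP ('hipamlws-install-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    $argList = @('/i', ('"{0}"' -f $msi))
    foreach ($name in $props.Keys) { $argList += ('{0}="{1}"' -f $name, $props[$name]) }
    $argList += '/qn', '/log', ('"{0}"' -f $logPath)

    Push-Location $PackageDir          # required for the .inf to be picked up
    try {
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $argList -Wait -PassThru
    } finally {
        Pop-Location
    }

    switch ($proc.ExitCode) {
        0    { Write-Host "LWS installed. Log: $logPath" }
        3010 { Write-Host "LWS installed; a reboot is required. Log: $logPath" }
        default {
            Write-Warning "msiexec returned $($proc.ExitCode); check $logPath and the Application event log"
            # 'Return value 3' marks the failing action in a Windows Installer log
            Select-String -Path $logPath -Pattern 'Return value 3' -Context 3, 0 | Select-Object -First 3
        }
    }
    return $proc.ExitCode
}

# Golden image: service enabled but its first start deferred to the next reboot.
# Install-BravuraLws -PackageDir 'C:\deploy\lws' -DeferStart
# Rebuilt machine already known to the server, no .inf available:
# Install-BravuraLws -PackageDir 'C:\deploy\lws' -AuthKeyEnc '<encrypted-key-from-server>' -Reregister
```

Because the installer values are persisted in the registry and used until the service first reaches the server, the log file produced here is the quickest way to confirm which SERVER and VERIFY_CERT values a workstation actually received.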
See also
Upgrading Local Workstation Service software
Configuration files
When the Local Workstation Service is installed on the system, it first attempts to register with the Bravura Privilege server. After it has contacted the Bravura Privilege server for the first time, it retrieves configuration settings from the Bravura Privilege server. The service saves the settings in a configuration file, hipamlwsinst.dat, in the <Program Files path>\Bravura Security\hipamlws\ directory.
The hipamlwsinst.dat file contains settings such as poll time (pt), resynchronization interval (ri), resynchronization failure retry interval (rfri), transaction failure retry interval (trfi), and the calculated machine ID (id). The file also records tasks, assigned by the Bravura Privilege server when contacted by the local service, that need to be done on the managed system. The service reports the tasks' results at the next server poll.
The wait time is defined by the initial delay value set up during the installation of the Local Workstation Service (or the registry key initial-poll-delay). After it first registers with the Bravura Privilege server as a discovered system, it continues to contact it at the poll time, defined by the pt value in the hipamlwsinst.dat configuration file. The default is 300 seconds. Once the system is managed, it adopts the poll time defined on the Bravura Privilege server’s RES POLL INTERVAL setting (Manage the system > Privileged access > Options > General > Managed system policies). The default is 60 minutes.
Warning
These files should not be modified as they may send incorrect data back to the Bravura Privilege server or cause the Local Workstation Service to behave improperly.
Data files
The Local Workstation Service keeps track of all attributes and discovered accounts found locally on the system in data files in the <Program Files path>\Bravura Security\hipamlws\ directory. These files determine what data should be sent back to the Bravura Privilege server when changes occur. The following data files can be created:
hipamlwsmachine keeps track of the system attributes, including (in local workstation mode) the system’s name, address, IP settings, and custom attributes
hipamlwsusr keeps track of the user accounts discovered on the system
hipamlwsgrp keeps track of groups and group memberships discovered on the system
The service detects changes to local system settings, and updates the data files and updates settings on the Bravura Privilege server, at poll time. These changes can trigger import rule evaluations, depending on the import rules setup and which attributes are used.
These configuration files can only be accessed after the local system administrator takes ownership of the files and grants users access to them.
Warning
These files should not be modified as they may send incorrect data back to the Bravura Privilege server or cause the Local Workstation Service to behave improperly.
Access disclosure plugins
ActiveX controls removed in version 12.5
Installing ActiveX controls is no longer a supported method. Use an alternative disclosure plugin such as Guacamole, as Internet Explorer is no longer a supported browser.
intcpt.msi / intcpt-x64.msi
Features
Feature | Description |
---|---|
INTCPTFEATURE | Parent feature, installs the Password Change Notification service; intcptsvc |
PASSWORDFILTERFEATURE | Installs the workstation password filter. |
CFGUTILSFEATURE | Installs the utilities used to set up and test service configuration. |
CFGSAMPLESFEATURE | Installs the service configuration samples. |
Properties
Property | Description |
---|---|
INSTALLDIR | The directory in which the interceptor will be installed. The default is <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ . |
INSTALLLEVEL | This parameter is used for silent installation and is mutually exclusive with ADDLOCAL. Set to a value from 1 to 100 for a typical installation: INTCPTFEATURE and PASSWORDFILTERFEATURE. Set to a value from 101 to 32767 for complete installation. The default is 1. |
COMMKEY | The 64 hexadecimal-digit key used for 256-bit encrypted communication between the Bravura Security Fabric sub-systems. |
PMPORT | The TCP port number that the Password Manager service is listening on (default is 3344). |
PMSERVER | The DNS host name or IP address of the Bravura Pass server. |
TARGETID | The ID of the Bravura Pass target system on which the interceptor is being installed. |
LONGID | The longid format of the target system. Should be one of the following values: %sAMAccountName%, DomainName\%sAMAccountName% (where DomainName is the actual domain name of the accounts on the target), or %distinguishedName%. |
ntfclient.msi / ntfclient-x64.msi
Features
Feature | Description |
---|---|
PSNTFCLIENT | Installs the notification client. |
Properties
Property | Description |
---|---|
BROWSERTITLE | This parameter is used to change the browser title of the ntfclient window. |
INSTALLDIR | The directory in which the notification client will be installed. The default is C:\Program Files\Bravura Security\Notification Client\. |
INSTALLLEVEL | This parameter is used in a silent installation and is mutually exclusive with ADDLOCAL. Set to a value of 1 or more (up to 32767) to install the PSNTFCLIENT feature. The default is 1. |
NTFTIMEOUT | The inactivity timeout value used by the notification client for force-level notifications. |
PSNURL | The URL of the User notifications (psn) module on the Bravura Security Fabric server; for example, https://server:443/instance/cgi/psn.exe . |
psns.msi
Feature | Description |
---|---|
PSNSFEATURE | Parent feature – Installs the Lotus Notes Extension. |
PSNSSCRIPTFEATURE | Installs the Lotus Notes Extension EXE. |
PSNSSCRIPTSHORTCUT | Installs a shortcut to the EXE in the Startup folder. |
PSNSCREDSERVICEFEATURE | Installs the Lotus Notes SSO synchronization service. |
Property | Description |
---|---|
INSTALLDIR | The directory in which the Lotus Notes Extension will be installed. The default is |
INSTALLLEVEL | This parameter is used in a silent installation and is mutually exclusive with ADDLOCAL. Set to a value from 1 to 100 for a typical installation: PSNSFEATURE, PSNSSCRIPTFEATURE, PSNSSHORTCUT. Set to a value greater than 100 (up to 32767) for complete installation. The default is 1. |
CODEPAGE | Sets the code page for Lotus Notes API calls. The default is 850 – OEM Multilingual Latin 1; Western European (DOS). |
CGIURL | The URL to |
CGIIGNORECERT | 0|1 Set to 1 to ignore security certificates. |
NOTESTARGET | The Bravura Security Fabric target system ID for the Lotus Notes server. |
NOTESINIPATH | The path to the notes.ini file; for example, This argument is required when the Notes desktop shortcut has been modified to explicitly specify the path to the notes.ini file. If not specified on the command line, then |
ska.msi / ska-x64.msi
The ska.msi and ska-x64.msi installers require Windows Installer 4.5.
Features
Feature | Description |
---|---|
SKA | Parent feature, installs the Login Assistant SKA (secure kiosk account). |
CREDPROV | Installs the Bravura Pass Credential Provider for Windows clients. |
Properties
Property | Description |
---|---|
INSTALLDIR | The directory in which Login Assistant will be installed. The default is C:\Program Files\Bravura Security\Login Assistant\. |
INSTALLLEVEL | This parameter is used in a silent installation and is mutually exclusive with ADDLOCAL. Set to a value of 1 or more (up to 32767) for a complete install: SKA+CREDPROV. |
ADMIN_USERNAME | Specify the username of a privileged administrator. When you need to launch the installer from an account with insufficient privileges, use this and ADMIN_PASSWORD to specify a more privileged account to perform the installation. |
ADMIN_PASSWORD | Specify the password of a privileged administrator. When you need to launch the installer from an account with insufficient privileges, use this and ADMIN_USERNAME to specify a more privileged account to perform the installation. |
Property | Description |
---|---|
SKATIMEOUT | The maximum number of minutes the Login Assistant secure kiosk account will stay open before it automatically closes. Default is 15 minutes. |
URL | The full path to the Front-end (psf) on the Bravura Pass server; for example, https://server:443/instance/ . |
USEVPN | 0|1 If set to 1, use a VPN connect program. |
HELPADMINENABLED | 0|1 No longer used. |
HELPACCOUNT | The name of the Login Assistant "help" account (default is help). |
HELPPASSWORD | The password for the help account specified by HELPACCOUNT. If this option is not set, you must set RANDOM_HELPPASSWORD to generate a random password. If neither option is set, a blank password is created. |
RANDOM_HELPPASSWORD | 0|1 Set to 1 to create a random password for HELPACCOUNT. This setting is off by default. This setting defaults to 0 for Login Assistant SKA-only installations and to 1 for CREDPROV installs – it is not recommended to use a random password in Login Assistant SKA-only installations. Note that when HELPPASSWORD and RANDOM_HELPPASSWORD are both specified, the RANDOM_HELPPASSWORD setting is ignored. |
IMAGEFILE | Fully-qualified file name for the bitmap file used to replace the Credential Provider tile for CREDPROV installations. The MSI can also be modified, using an msi editing tool, to add an "ImgFile" entry into the Binary table, where the binary file is the bitmap to use. |
LANGUAGEFILES | Specifies a pipe-separated list of gina.z files to use as additional languages for the secure kiosk account and Credential Provider. These must be fully-qualified file names. The gina.z files are generated in the 12.3.0 language packs. The list must be enclosed in double quotes. The MSI can also be modified, using an msi editing tool, to add an entry into the Binary table, of the form Lang_<language>-Rest of World, where the binary file is the gina.z file for the corresponding language. For example, Lang_fr-ca can be added with the contents of the gina.z file from the fr-ca skin. |
EN_US, <LANGUAGE>_Rest of World | 0|1 Indicates whether the specified language is enabled for use. EN_US is installed by default. Additional languages are specified with the LANGUAGEFILES setting. |
SHELLOPTIONS | Command-line options for the |
RUNURLCFG | Provide any additional options that may be required for runurl. This replaces the shell options with "-cfg runurl.cfg", and generates a runurl.cfg file that includes the shell options and any additional options specified by this property. The default is no value. |
HIDEERRORS | This setting applies only to Bravura Security Fabric 12.4 or older. |
Option | Description |
---|---|
REMOTESKAACCESSENABLED | 0|1 Enable or disable remote access to the SKA. |
VPN_CONNECT_PROGRAM | Name and full path of the VPN connect program to run in order to establish a VPN connection. |
VPN_CONNECT_CMDLINE | Command-line arguments for VPN connect program; for example -u %USERID% -p %PASSWORD% . This value cannot be blank. |
VPN_DISCONNECT_PROGRAM | Name of the VPN disconnect program to run to disconnect from the VPN. |
VPN_DISCONNECT_CMDLINE | Command-line arguments for VPN disconnect program; for example -u %USERID% -p %PASSWORD%. |
VPN_USER | VPN user ID to be used with the VPN connect and disconnect programs. |
VPN_PASSWORD | Password to be used with the VPN user ID. |
VPN_TIMEOUT | The number of seconds to wait between retries. The default is 30. |
VPN_RETRIES | The number of VPN retries to test for connectivity. If this value is blank, there will only be one retry attempt. The default is 3. |
VPN_CONNECT_STDINPUT | Standard input lines for Cisco AnyConnect connections. See Command-line Cisco AnyConnect APN parameters for details. |
VPN_CONNECT_TERMINATE | For Cisco AnyConnect, terminate any running programs before trying to launch the VPN client. |
VPN_HIDE_WINDOW | For Cisco AnyConnect, hide the pop-up console window that vpncli.exe starts. |
VPN_URL | Set this to a URL to use as a test page for the SKA. If this page cannot be accessed by the SKA, then a VPN connection will be established to access it. |
VPN_URL_SEARCH | Set this to a marker in the HTML code to search for in the page set by VPN_URL. |
Option | Description |
---|---|
RUNURL_EXTERNAL_URL | The URL of a website used to determine whether the computer is connected to the Internet or is still behind a registration screen or captive portal. This defaults to http://www.msftncsi.com/ncsi.txt. Other options for the external URL are http://detectportal.firefox.com/success.txt with RUNURL_EXTERNAL_URL_EXPECTED_DATA set to success, or http://captive.apple.com/hotspot-detect.html with RUNURL_EXTERNAL_URL_EXPECTED_DATA set to Success. |
RUNURL_EXTERNAL_URL_EXPECTED_DATA | A string expected in the response from the website set by RUNURL_EXTERNAL_URL. It should be unique enough that a registration page will not contain it, but always present on the external URL. The default is Microsoft NCSI. |
RUNURL_EXTERNAL_CONNECT_PROGRAM | If users will be using an AirCard or Internet stick, this is the name of the program to run in order to connect. This program will be run from the SKA to allow the user to connect. |
RUNURL_EXTERNAL_CONNECT_PROGRAM_TITLE | If RUNURL_EXTERNAL_CONNECT_PROGRAM is used, this is the main window title of that program when it runs. In AirCard, this is listed under the Task column on the Applications tab. |
RUNURL_PORTAL_TIMEOUT | The number of seconds to wait for a captive portal connection. The default is 300. |
RUNURL_REMOTE_HOST | The address of the VPN server to test if the server is reachable. |
RUNURL_REMOTE_PORT | The port that the VPN server is listening on to test if the server is reachable. |
Option | Description |
---|---|
PROXY_ENABLE | 0|1 Enable or disable the installer to modify proxy configuration. |
PROXY_AUTODETECT | 0|1 Enable or disable proxy to use "Automatically detect settings". |
PROXY_AUTOCONFIGURATION_ENABLE | 0|1 Enable or disable proxy to use "Use automatic configuration script". |
PROXY_AUTOCONFIGURATION_URL | Use this to set the URL of an automatic configuration script. |
PROXY_URL | Use this to set the proxy server’s address. |
PROXY_PORT | Use this to set the proxy server’s port number. |
The following parameters are available with ADDLOCAL=CREDPROV for Windows:
Property | Description |
---|---|
HIDEFASTUSERSWITCHING | 0|1 Hides Fast User Switching on this machine, preventing multiple concurrent logins. The default is 1. This property is no longer used and will be removed in future releases. Fast User Switching must be enabled. |
USECLASSICLOGON | 0|1 Provides a more traditional interface for login (rather than individual tiles) for users. It prompts for a user ID and a password. The default is 1. |
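The ska.msi tables above state several constraints between properties (INSTALLLEVEL versus ADDLOCAL, HELPPASSWORD versus RANDOM_HELPPASSWORD and its differing defaults for SKA-only and CREDPROV installs, a non-blank VPN_CONNECT_CMDLINE when a VPN is used, fully-qualified LANGUAGEFILES entries). The following PowerShell pre-flight check is an added example, not part of the product documentation; it validates a property table against those rules before the values reach msiexec. The assumption that an install without an ADDLOCAL list includes CREDPROV, the example URL, and the Cisco AnyConnect path are placeholders for this illustration.

```powershell
# Added example, not part of the product documentation.
# Pre-flight check of ska.msi properties against the rules in the tables
# above; run it before the values are handed to msiexec. Sample values are placeholders.
function Test-SkaInstallProperties {
    param(
        [Parameter(Mandatory)] [hashtable] $Properties,
        [string[]] $Features = @()           # ADDLOCAL list, e.g. SKA,CREDPROV
    )
    $p = $Properties
    $errors   = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()

    # INSTALLLEVEL and ADDLOCAL are mutually exclusive
    if ($Features.Count -gt 0 -and $p.ContainsKey('INSTALLLEVEL')) {
        $errors.Add('INSTALLLEVEL cannot be combined with ADDLOCAL')
    }
    # Assumption: with no ADDLOCAL list the install level gives SKA+CREDPROV
    $credProv = ($Features.Count -eq 0) -or ($Features -contains 'CREDPROV')

    # URL must point at the front end; it carries logons, so expect HTTPS
    if (-not $p['URL']) { $errors.Add('URL (front-end psf address) is required') }
    if ($p['URL'] -and $p['URL'] -notlike 'https://*') { $warnings.Add('URL is not https://') }

    # Help account password: HELPPASSWORD wins over RANDOM_HELPPASSWORD;
    # RANDOM_HELPPASSWORD defaults to 1 for CREDPROV installs and 0 for SKA-only;
    # with neither in effect the help account gets a blank password.
    $hasHelpPwd = [bool]$p['HELPPASSWORD']
    $randomPwd = if ($p.ContainsKey('RANDOM_HELPPASSWORD')) { [int]$p['RANDOM_HELPPASSWORD'] } elseif ($credProv) { 1 } else { 0 }
    if ($hasHelpPwd -and $p.ContainsKey('RANDOM_HELPPASSWORD')) {
        $warnings.Add('HELPPASSWORD is set, so RANDOM_HELPPASSWORD is ignored')
    }
    if (-not $hasHelpPwd -and $randomPwd -eq 0) {
        $errors.Add('neither HELPPASSWORD nor RANDOM_HELPPASSWORD=1: the help account would get a blank password')
    }
    if (-not $hasHelpPwd -and $randomPwd -eq 1 -and -not $credProv) {
        $warnings.Add('a random help password is not recommended for SKA-only installations')
    }

    # VPN: a connect program and a non-blank connect command line are needed
    if ($p['USEVPN'] -eq 1) {
        if (-not $p['VPN_CONNECT_PROGRAM']) { $errors.Add('USEVPN=1 but VPN_CONNECT_PROGRAM is not set') }
        if (-not $p['VPN_CONNECT_CMDLINE']) { $errors.Add('VPN_CONNECT_CMDLINE cannot be blank when USEVPN=1') }
    }

    # LANGUAGEFILES: pipe-separated, fully-qualified gina.z paths
    if ($p['LANGUAGEFILES']) {
        foreach ($f in ($p['LANGUAGEFILES'] -split '\|')) {
            if (-not [System.IO.Path]::IsPathRooted($f)) { $errors.Add("LANGUAGEFILES entry is not fully qualified: $f") }
        }
    }

    # Credentials on the command line end up in the process list and the MSI log
    foreach ($secret in 'ADMIN_PASSWORD', 'VPN_PASSWORD', 'HELPPASSWORD') {
        if ($p[$secret]) { $warnings.Add("$secret is passed on the command line; restrict access to the script and the log file") }
    }

    [pscustomobject]@{
        IsValid  = ($errors.Count -eq 0)
        Errors   = $errors.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# Usage (placeholder values): CREDPROV install with a VPN but an empty connect command line
$props = @{
    URL                 = 'https://pass.example.com/instance/'
    RANDOM_HELPPASSWORD = 1
    USEVPN              = 1
    VPN_CONNECT_PROGRAM = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'
    VPN_CONNECT_CMDLINE = ''
}
$result = Test-SkaInstallProperties -Properties $props -Features SKA, CREDPROV
$result.Errors   | ForEach-Object { Write-Warning "error: $_" }
$result.Warnings | ForEach-Object { Write-Warning $_ }
if (-not $result.IsValid) { throw 'ska.msi property set is invalid; not running msiexec' }
```

Running the check in the deployment script, before the install command, turns a mis-set property into a failed pre-flight rather than a kiosk account with a blank password or a VPN client that never connects.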