Configuring the agent

By default, when you click Finish, the setup program opens the agent configuration panel. In the agent configuration panel, you can enable the agent to connect to Centrify services that are installed on the main administrative computer as described in Installing the Centrify Agent for Windows. After a service is enabled, you can use the agent configuration panel to configure settings that define how the agent will interact with each service.

The first time the agent configuration panel opens, it does not display any services for you to enable. Services display in the agent configuration panel only after you manually instruct the configuration panel to check for services and display those that are eligible to be enabled.

Only services that are installed and configured as required are eligible to be enabled. For example, if you installed the Privilege Elevation Service earlier (as described in Preparing to evaluate access management) but did not create a zone, the Privilege Elevation Service does not display on the list of services that you can enable.

To enable services using the agent configuration panel:

  1. If the agent configuration panel is not open, open it by clicking Agent Configuration in the list of applications in the Windows Start menu.
  2. In the agent configuration control panel, click Add service.

    All Centrify services that are available to be enabled are displayed.

  3. In the list of Centrify services, highlight a service and click OK.

  4. Provide additional information about the service that you are enabling:

    • Centrify Audit & Monitoring Service:

      In the Select an Audit Installation page, select an audit store from the list of available audit stores. Click Next, and the computer is connected to the audit store.

    • Centrify Identity Services Platform Settings:
      1. In the Connect to Identity Platform page, type the URL of the identity platform instance to connect to, or select an instance from the list of registered platform instances in the forest. Click Next.
      2. In the Multi-factor authentication for Windows Login page, ensure that the check box to enable multi-factor authentication is selected. Next, use the All Active Directory accounts button or Accounts below button to specify which Active Directory accounts are enabled for multi-factor authentication login. If you select Accounts below, use the Add and Remove buttons to select accounts. Click Next when you are finished.
    • Centrify Privilege Elevation Service:
      1. In the Join to a zone page, type a zone or select a zone from the list of available zones. You can also select the option to retrieve the zone data before the computer restarts. This option can be helpful in situations where you might lose connection to the domain after restarting, such as when you're using a VPN connection.

        Click Next, and the computer is joined to the zone.

      2. After the computer is joined to a zone, you must reboot the computer to activate all privilege elevation service features on the computer.

        If the zone that you select is already configured with a Privileged Access Service tenant, the message Centrify Identity Services Platform enabled displays after the computer joins the zone. In this situation, the instance is managed by the zone, and is shown as read-only.

  5. To add additional services, click Add service and repeat the preceding steps.

    When you are done, the services that you enabled are shown in the Enabled services section of the agent configuration panel.

  6. If necessary, continue to configure Centrify services after their initial configuration during enablement as described in these sections:

Configure agent settings for audit and monitoring service

If you want to reconfigure agent settings for auditing on a Windows computer after initially configuring them during enablement (or if you did not use the agent configuration panel when you enabled the service), you can open the agent configuration panel manually and configure the agent as described in this section.

To configure agent settings for audit and monitoring service:

  1. In the Windows Start menu, click Agent Configuration in the list of applications.

    The agent configuration panel opens, and displays the Centrify services that are currently enabled. You can configure any service listed in the Enabled services section.

  2. Click Centrify Audit & Monitoring Service, and then click Settings.

  3. In the General tab, click Configure.

  4. Select the maximum color quality for recorded sessions, then click Next.

    See Selecting the maximum color quality for recorded sessions for more information on the configuration of this setting.

  5. Specify the offline data location and the maximum percentage of disk that the offline data file should be allowed to occupy, then click Next.

    See Configuring agent settings for offline audit and monitoring service storage for more information on the configuration of this setting.

  6. Select the installation that the agent belongs to, then click Next.

  7. Review your settings, then click Next.

  8. Click Finish.

  9. Click Close in the General tab to save your changes.

For information about using the Troubleshooting tab, see Monitoring collector status locally.

Selecting the maximum color quality for recorded sessions

Because auditing Windows computers captures user activity as video, you can configure the color depth of the sessions to control the size of data that must be transferred over the network and stored in the database. A higher color depth increases the CPU overhead on audited computers but improves resolution when the session is played back. A lower color depth decreases network traffic and database storage requirements, but reduces the resolution of recorded sessions.

The default color quality is low (8-bit).

Configuring agent settings for offline audit and monitoring service storage

The “Maximum size of the offline data file” setting defines the minimum percentage of disk space that should be available, if needed, for audit and monitoring service. It is intended to prevent audited computers from running out of disk space if the agent is sending data to its offline data storage location because no collectors are available.

For example, if you set the threshold to 10%, auditing will continue while spooling data to the offline file location as long as there is at least 10% of available disk space on the spool partition. When the available disk space reaches the threshold, auditing will stop until a collector is available.

The agent checks the spool disk space by periodically running a background process. By default, the background process runs every 15 seconds. Because of the delay between background checks, it is possible for the actual disk space available to fall below the threshold setting. If this were to occur, auditing would stop at the next interval. You can configure the interval for the background process to run by editing the HKLM\Software\Centrify\DirectAudit\Agent\DiskCheckInterval registry setting.
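
The same free-space check can be mirrored from a monitoring script so that an approaching gap in session recording is visible before auditing stops. The following PowerShell is an added example, not Centrify code: the function name, the warning margin and the sample path are hypothetical, and it assumes DiskCheckInterval is a value under the Agent key and that the spool location is on a lettered drive.

```powershell
# Added example (not Centrify code). Items marked "assumption" are not from the product documentation.
function Get-AuditSpoolHeadroom {
    param(
        [Parameter(Mandatory = $true)] [string] $SpoolPath,   # offline data location set in the wizard
        [Parameter(Mandatory = $true)] [ValidateRange(1, 99)] [int] $ThresholdPercent,  # percentage set in the wizard
        [ValidateRange(0, 50)] [int] $WarnMarginPercent = 5   # hypothetical early-warning margin
    )

    # Registry setting named in the text, read as a value under the Agent key (assumption).
    $key  = 'HKLM:\Software\Centrify\DirectAudit\Agent'
    $prop = Get-ItemProperty -Path $key -Name DiskCheckInterval -ErrorAction SilentlyContinue
    $interval = if ($prop) { $prop.DiskCheckInterval } else { $null }

    # Volume that holds the spool location (assumes a lettered drive, not a mount point or UNC path).
    $fullPath = (Resolve-Path -LiteralPath $SpoolPath -ErrorAction Stop).ProviderPath
    $volume   = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($fullPath))
    $freePct  = [math]::Round(100 * $volume.AvailableFreeSpace / $volume.TotalSize, 1)

    # At or below the threshold, the text says auditing stops while no collector is available.
    if ($freePct -le $ThresholdPercent) {
        $state = 'AtOrBelowThreshold'
    } elseif ($freePct -le ($ThresholdPercent + $WarnMarginPercent)) {
        $state = 'Warning'
    } else {
        $state = 'OK'
    }

    [pscustomobject]@{
        SpoolVolume       = $volume.Name
        FreePercent       = $freePct
        ThresholdPercent  = $ThresholdPercent
        State             = $state
        DiskCheckInterval = $interval   # $null means the value is not set and the default applies
    }
}

# Constructed usage: the path and threshold are sample values, not product defaults.
Get-AuditSpoolHeadroom -SpoolPath 'C:\ProgramData' -ThresholdPercent 10
```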

Configure agent settings for the Centrify Identity Services Platform

If you want to reconfigure agent settings for Privileged Access Service on a Windows computer after initially configuring them during enablement (or if you did not use the agent configuration panel when you enabled the service), you can open the agent configuration panel manually and configure the agent as described in this section.

To configure agent settings for the Centrify Identity Services Platform:

  1. In the Windows Start menu, click Agent Configuration in the list of applications.

    The agent configuration panel opens, and displays the Centrify services that are currently enabled. You can configure any service listed in the Enabled services section.

  2. Click Centrify Identity Services Platform, and then click Settings.

  3. In the General tab, review the Status field in the Features area:

    • If the status is Enabled, the computer is not joined to a zone, and you can configure all Identity Platform settings that are shown in the General tab.
    • If the status is Enabled per zone settings, the computer is joined to a zone, and most Identity Platform settings are based on the zone configuration. In this situation, the Browse and Details buttons in the General tab are disabled, because those features are controlled by the zone configuration. The only configuration that you can perform in the General tab is to change the proxy server settings.
  4. To change proxy server settings:
    1. Click Change.

    2. Specify a new proxy server address.

    3. Click OK.

  5. To change to a different Identity Platform instance (only configurable if the computer is not joined to a zone):
    1. Click Browse.

    2. Select an instance from the list of registered platform instances in the forest.

    3. Click OK.

  6. To specify which Active Directory accounts require multi-factor authentication (only configurable if the computer is not joined to a zone):
    1. Click Details.

    2. Use the All Active Directory accounts button or Accounts below button to specify which Active Directory accounts are enabled for multi-factor authentication login. If you select Accounts below, use the Add and Remove buttons to select accounts.

    3. Click OK.

  7. Click Close in the General tab to save your changes.

For information about using the Troubleshooting tab, see the Multi-factor Authentication Quick Start Guide.

Configure agent settings for privilege elevation

If you want to reconfigure agent settings for privilege elevation on a Windows computer after initially configuring them during enablement (or if you did not use the agent configuration panel when you enabled the privilege elevation service), you can open the agent configuration panel manually and configure the agent as described in this section.

To configure agent settings for privilege elevation:

  1. In the Windows Start menu, click Agent Configuration in the list of applications.

    The agent configuration control panel opens, and displays the Centrify services that are currently enabled. You can configure any service listed in the Enabled services section.

  2. Click Centrify Privilege Elevation Service, and then click Settings.
  3. In the General tab, click Change.
  4. In Change the Centrify zone for this computer, click Browse.
  5. Click Find Now to search for an appropriate zone for the agent.
  6. Select a zone from the list of search results, then click OK.
  7. Click OK to use the zone you selected.
  8. Click Close in the General tab to save your changes.

For information about using the Troubleshooting tab, see Running diagnostics and viewing logs for the agent.