2024.01.08

Privilege Cloud On Identity Security Platform


Pre-Implementation Checklist

Check Date

☐ ___/___/___ Customer has registered for a login to the Technical Community Portal
    • Go to https://cyberark.my.site.com/s/login/
    • Sign up as a customer
    • Review the CAMP KB for instructions on managing additional portal users
        o https://cyberark.my.site.com/s/article/Community-Access-Management-Portal-CAMP-FAQs

☐ ___/___/___ Customer has completed the Recommended Basic Administration (includes a Hands-on Lab) and Introduction to CyberArk Identity Training
    • Log in to Technical Community
    • Register for Privilege Cloud basic administration
    • Introduction to CyberArk Identity as a Shared Service (ISPSS)

☐ ___/___/___ Customer has viewed the Privilege Cloud Service Status & Global Support page
    • Subscribe to all Privilege Cloud & Identity Status updates
        o https://privilegecloud-service-status.cyberark.com/
        o https://trust.idaptive.com/
    • Resource Center
        o Privilege Cloud admin resource center

☐ ___/___/___ Customer has activated their Identity tenant by following the instructions in the email with the subject line “Your new CyberArk tenant”
    • CyberArk Initial Email Tenant Action Troubleshooting and FAQ

☐ ___/___/___ Customer has downloaded and staged the software on the Connector Servers
    Downloaded the latest Privilege Cloud software from CyberArk Marketplace
    • CyberArk Privilege Cloud
        o Unified Hardening GPO
        o CyberArk Privilege Cloud Tools
        o PSM for SSH (Optional as needed)

    Connector Management (CM) will be used for the component installation

© Cyber-Ark Software, Inc. | cyberark.com 1



☐ ___/___/___ Customer has run the ConnectorCheckPrerequisites ps1 script prior to your implementation on all Windows Servers provisioned to be CyberArk Connector Servers
    • Privilege Cloud - How to run the ConnectorCheckPrerequisites script

☐ ___/___/___ Customer has added their Public IPv4 address range(s) to CyberArk Privilege Cloud > Advanced Settings > IP AllowList menu.
    • Round robin fault tolerance is supported
    • CIDR ranges are supported (/22 - /32 ranges)
    • Documentation for Configure AllowList
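
A pre-check for the ranges proposed for the IP AllowList, added here as an example and not taken from CyberArk tooling or documentation: it rejects non-IPv4, private or reserved, and malformed entries, and enforces the /22 - /32 prefix range stated above. The function names, the list of non-public ranges, and the suggestion to split a wider block into /22 entries are assumptions of this example; the sample input is constructed, with documentation and benchmarking ranges standing in for a customer's real public ranges.

```python
import ipaddress

# Address space that is never a customer's public egress range (assumed list:
# "this network", RFC 1918, CGNAT, loopback, link-local, multicast, reserved).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]
MIN_PREFIX = 22  # widest block the checklist says is supported (/22 - /32)


def check_entry(entry):
    """Return (entries_to_submit, problem_or_None) for one proposed range."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 198.51.100.7/24
        net = ipaddress.ip_network(entry.strip(), strict=True)
    except ValueError as exc:
        return [], f"not a valid CIDR block: {exc}"
    if net.version != 4:
        return [], "not IPv4; the checklist asks for public IPv4 ranges"
    if any(net.overlaps(bad) for bad in NON_PUBLIC):
        return [], "overlaps private or reserved address space"
    if net.prefixlen < MIN_PREFIX:
        # Wider than /22: propose the equivalent set of /22 blocks instead.
        parts = [str(s) for s in net.subnets(new_prefix=MIN_PREFIX)]
        return parts, f"/{net.prefixlen} is wider than /22; split into {len(parts)} entries"
    return [str(net)], None


def review(entries):
    """Check every proposed range; return (entries to submit, findings per input)."""
    accepted, problems = [], {}
    for entry in entries:
        nets, problem = check_entry(entry)
        accepted.extend(nets)
        if problem:
            problems[entry] = problem
    return accepted, problems


# Constructed sample input (stand-in ranges, not real customer addresses).
SAMPLE = ["203.0.113.0/24", "198.51.100.7", "198.51.100.7/24",
          "10.20.0.0/22", "2001:db8::/32", "198.18.0.0/20"]

if __name__ == "__main__":
    ok, findings = review(SAMPLE)
    print("submit:", ok)
    for entry, why in findings.items():
        print(f"review {entry}: {why}")
```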

☐ ___/___/___ Directory integration for external user management (e.g. Active Directory, AADDS, etc.)
    • For information on integrations:
        o Directory integrations
    • If integrating with Active Directory
        o Identity Connector Network Requirements
        o Customer has created CyberArk Administrator, CyberArk Auditor and CyberArk User groups.
            ▪ Recommended naming convention is CA-Admins, CA-Auditors, and CA-EndUsers
            ▪ Customer defined naming conventions can be used so long as an indication is made that these are CyberArk groups for Identity role assignment for the specific (Admin, Auditor, SafeManager or EndUser) role

☐ ___/___/___ ISP Connector Network Requirements
    • All outbound traffic
    • Palo Alto or Next Gen Firewalls

☐ ___/___/___ Hardware Requirements
    • Privilege Cloud Hardware Requirements
        o The Connector server is configured to, at least, the minimum System Requirements (8GB Memory/8 CPU)


☐ ___/___/___ Customer has deployed dedicated servers with system levels according to Software Requirements:
    • Connector Server – Windows 2019/2022 (en-US)
        o CyberArk recommends deploying on a clean ISO image
            ▪ Common corporate VM template image customizations can cause delays in the software installation and configuration process
        o Deployed into an OU with GPO inheritance disabled
            ▪ For initial software installation only
            ▪ CyberArk Hardening GPOs will be provided to fully harden the component servers from the domain level
    • Joined to the Windows Domain (for PSM RemoteApp feature support)
    • .NET Framework 4.8 is installed
    • Antivirus not installed or disabled
    • RDS should not be installed on the machine preemptively. Our install handles this automatically and needs the machine clean of RDS for it to work.

☐ ___/___/___ Microsoft Patches and Updates:
    • Install latest Microsoft patches and updates for the operating system.

☐ ___/___/___ Customer has an RDS Licensing server with an appropriate number of RDS CAL licenses provided by Microsoft
    • RDS License type and usage - Licensing requirements for Microsoft RDS when deploying CyberArk PSM
    • (optional) If TLS security layer is required by customer for RDP connections, a signed certificate must be issued to the PSM server(s) from an internal or public trusted certificate authority. All end user machines must trust the certificate authority.

☐ ___/___/___ Applicable in environments where the Privilege Cloud Connector server:
    • Will run Windows Server 2019/2022, and
    • Remote Desktop Services on Privilege Cloud Connector servers will be licensed per-user, and
    • Sessions delivered through Privilege Cloud may last longer than 1 hour
    Two additional domain accounts should be created according to the following documentation page: Move PSM users to the domain
    • Recommended naming convention is PSMConnect and PSMAdminConnect
    Note: This is not required if the Connector is out-of-domain, see the RDS licensing KB noted above as per-device CALs are only supported in that deployment type


☐ ___/___/___ SIEM Integration (if applicable):
    • TCP or TLS 1.2 (UDP not supported)

☐ ___/___/___ Windows Reconcile Account:
    • Customer has created a Reconcile Account for Windows account password resets
        o Recommended naming convention is CyberArk_Reconcile
    • This Reconcile Account needs to be able to change and reset passwords on the domain and/or target servers
    • If Domain Administrator accounts are in scope for password management, please ensure the Reconcile account is also a Domain Administrator
        o Reconciliation can be done with a user with less than Domain Admin membership
            ▪ Knowledgebase Article - Additional instructions

☐ ___/___/___ Managed Account Passwords Testing:
    • Customer has prepared test accounts to confirm functionality of password management per target platform needed.
        o For example, a Local Administrator on a Windows server, a Root account on a UNIX server, etc. One of each type will be tested

☐ ___/___/___ Customer has taken snapshots of the Connector VM server before the
engagement starts to prepare a backup in case of failure for any reason.

☐ ___/___/___ Domain user with Local Admin access to the Connector Servers will be available
to CyberArk administrators during installation

☐ ___/___/___ Customer has made CyberArk Administrators, needed for training and
deployment, exclusively available for the whole duration of the engagement

☐ ___/___/___ Customer has made the company's following engineers available to assist as needed for the duration of the engagement:
    • Systems Administrator
    • Network Engineer
    • Domain administrator
    • Any Server/IT engineer as you see fit

Customer Project Manager or CyberArk Administrator _____________________________

Date of Completion ___/___/___
