> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/rdm/knowledge-base/how-to-articles/cyberark-dashboard-configuration-and-use.md). # CyberArk dashboard configuration and use The purpose of the ***CyberArk dashboard*** entry is to provide Remote Desktop Manager users with an interface that eliminates the need to use Password Vault Web Access (PVWA) to see the list of safes and credentials that the currently logged on user has access to. Combined with password-less scenarios and/or our rich role-based access control (RBAC), this means that a user does NOT need to know the CyberArk credentials to be presented with a list of accounts they have access to. Additionally, since the dashboard is meant to authenticate once to your server and, most importantly, maintain an active session for as long as it is active, it has the significant advantage of only requiring MFA once when you launch the dashboard. {% hint style="info" %} CyberArk integrations require either Remote Desktop Manager Team edition or the [Privileged access management solutions package](https://docs.devolutions.net/resources/getting-started-packages/privileged-access-management-package/) license. {% endhint %} Another design principle of the dashboard is that its main usage model is to go through the CyberArk Privileged Session Manager (PSM) to reach assets. This means that Remote Desktop Manager does NOT need to read the password for the account to be used. Less secure models are available to support older scenarios that some of our customers are still using. {% hint style="info" %} Learn more about the [CyberArk MFA delimiter option](https://docs.devolutions.net/rdm/kb/knowledge-base/mfa-delimiter-cyberark/). {% endhint %} ## Configuration 1. Create a new ***CyberArk Dashboard*** entry or go to the ***Properties*** of your existing one. 2. In the ***General*** section, specify a ***Name*** and ***Folder*** for your entry if that is not already done. ### General tab 3. Enter the ***Web services URL*** to connect to your CyberArk instance. It is the address of the server and should look like "https\://\.\.loc/". ![](https://cdnweb.devolutions.net/docs/RDMW6093_2025_3.png)

The following is what your Web services URL will be, depending on your CyberArk subscription:

  • SelfHosted: Short URL
  • PrivilegeCloud: Short URL if the URL does not end in "cyberark.cloud"
  • PrivilegeCloud: /privilegecloud if the URL ends in "cyberark.cloud"
4. Enter a ***Virtual directory***. This field is either /privilegecloud or empty. 5. Select a ***Version*** in the drop-down list. This refers to the CyberArk PVWA version seen on the CyberArk authentication page.

Please note that we only support the CyberArk V12 API for now and that CyberArk version 12.1 is required.

6. Select the ***Authentication mode*** used to connect to the CyberArk instance (***CyberArk***, ***Windows***, ***LDAP***, ***RADIUS***, or ***SAML***). SAML authentication is supported with CyberArk since version 2022.3.25 of Remote Desktop Manager, but important improvements and bug fixes have been implemented in ulterior versions. We recommend to at least update to the 2023.1 version of Remote Desktop Manager if your current version is older. One of the improvements in version 2023.1 is that you no longer have to provide the ***IdP sign-in URL*** when configuring your SAML authentication. If you have trouble with your SAML authentication, consult [SAML Configuration and Troubleshooting](https://docs.devolutions.net/rdm/kb/troubleshooting-articles/saml-configuration-troubleshooting-cyberark-dashboard/). SAML authentication for CyberArk Privilege Cloud requires Remote Desktop Manager 2023.2.17 or newer. Your CyberArk vault administrator should provide you with the authentication model being used, but if, in the PVWA, you click on a link that matches your corporate domain name, this indicates that the LDAP model is being used. 7. In the ***Authentication credentials*** drop-down list, select ***Custom*** to enter your credentials below or select them using a Remote Desktop Manager mechanism. This list is not available with the ***SAML Authentication mode***.

As with all Dashboard entries in Remote Desktop Manager, if you are creating an entry that will be visible to multiple users, we recommend choosing My Account Settings PVWA, then visiting FileMy Account SettingsCyberArk PVWA to enter your personal CyberArk credentials.

8. Follow this step if you selected ***Custom*** in the ***Authentication credentials*** list. If not, skip to the Advanced tab section. 1. Enter your ***Username*** and ***Password*** in the corresponding fields. Use the ***Password generator*** to help you create a secure password. 2. Check the ***Always ask password*** box to be prompted for your password each time you connect. 3. If you have a RSA SecurID code, check the ***Append RSA SecurID code to password*** box, then select below the ***RSA SecurID source***. ### Advanced tab **General** 9. The ***Auto refresh*** option is enabled by default. It maintains the connection to your CyberArk environment and removes the need to enter 2FA credentials on every connection. It is recommended to leave it enabled.
10. Check ***Open sessions externally*** if you do not want your sessions to open in embedded mode in Remote Desktop Manager. This is mostly useful for applications that only support being open externally, such as PSM-Putty (PSM-SSH) and many other PSM connection components. It is required to connect to remote applications using PVWA connections.

For most connection components requiring the opening of an application on PSM, the Open Externally option must be enabled. This is due to a limitation of the RDP ActiveX we use, which does not support RDP RemoteApp mode. However, this limitation can be mitigated by setting a connection component parameter in CyberArk. This parameter is called DisableRemoteApp and must be set to Yes. For more information, see CyberArk's documentation.

11. Check ***Allow connect to host*** if you want to allow a direct connection to the remote machine, meaning that the currently logged on user needs to have the right to view the password; it is therefore less secure and is not recommended by the CyberArk team. 12. Check ***Ask for reason*** if you are required to have a reason to establish a connection. 13. Check ***Ask for ticket number*** if you are required to provide a ticket number to establish a connection depending of your CyberArk configuration. The ***Ticketing system*** field that is paired with this option is a string value that makes sense in your environment. It is informative and we send it along with the number. 14. The ***Default Save*** loads your Safes. You can also check the ***Load favorites by default*** box to load your favorite safes. 15. Set the default ***Username format*** to be able to connect to the remote machine. It can also be changed in the dashboard for ad hoc connections, but this will be the default format for this dashboard instance. 16. Select the ***Domain search method*** in the drop-down list. 17. The ***Domain field*** drop-down list is only relevant when the ***Username format*** is set to the ***Field*** value. Depending on how your vault was set up, there can be various CyberArk fields used to hold the domain information. Choose the value that corresponds to your vault settings. **PVWA** 18. The ***Allow direct connections (PVWA)*** option is enabled by default and is the recommended method. It allows the exact same action as the ***Connect*** button offers in PVWA.
19. In the ***Connection components*** box, enter the components you wish to use for your connections. We initialize the field with the default components of a vanilla CyberArk installation, but this list MUST match the components configured in your vault. 20. Since Remote Desktop Manager version 2023.2.24, there is a new feature called ***Override RDP Settings***. By default, RDP settings are fetched from CyberArk PVWA when generating the PSM session. This new option allows you to ignore settings provided by CyberArk and apply the ones specified in the ***CyberArk Dashboard*** entry instead. This override is for all PSM sessions established from this dashboard to have different display settings. One might consider creating different instances of the dashboard entry to reflect different users' preferences. {% hint style="info" %} Remote Desktop Manager and Devolutions Server versions must be at least 2023.2.28 and 2023.2.8 for ***Override RDP Settings*** to work. {% endhint %}
**PSM** 21. The ***Allow connect using PSM (alternate shell)*** option is disabled by default. Enable it if you want to allow connections via PSM, but using the legacy method of providing an alternate shell.
{% hint style="info" %} Enable the following [policy](https://docs.devolutions.net/rdm/kb/how-to-articles/group-policies/#policies)to only allow ***Cyberark PSM connect***.`%Root%\SOFTWARE\Policies\Devolutions\RemoteDesktopManager\DisableCyberArkPasswordRetrieval` {% endhint %} Here are the restrictions related to PSM: ```powershell PSM Alternate Shell PSM /u /a /c restrictions ``` * A user must connect to the PSM server via RDP and be granted permission to do so. * PSM has to be able to link the LDAP account with a CyberArk PVWA profile (could work with a SAML Entra ID when LDAP is cloned on Entra ID) * The ***account to use*** must be found without any ambiguity in the CyberArk vault. {% hint style="warning" %} This is provided as a convenience and is not recommended by the CyberArk team. It has some limitations when compared to the ***Connect*** action from PVWA which uses a limited lifetime token. You must have a PSM Server entry configured in the same vault. Select it in the ***PSM*** server drop-down list. {% endhint %} ## Using the dashboard {% hint style="info" %} Please note that for the sake of clarity, this section will only provide information about the main usage model of connecting through the PSM. {% endhint %} ### User interface ![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB2072.png) 1. The ***Actions*** menu allows you to: * Log in or out from the dashboard. * Connect to a host using the selected credentials. * Refresh the content of the safe. * Add a safe to your favorites. 2. The top menu allows you to: * Select a safe to connect to. * Select the ***Username format***. * Allow or disallow the session to ***Open externally*** (not embedded in Remote Desktop Manager). * Refresh the content of the safe. * Enable or disable the ***Auto refresh***. If disabled, PSM connections may require MFA upon every connection. 3. The content area allows you to see and interact with the accounts within a safe or group. You can see the ***Account***, its ***Address***, its ***Platform***, and the ***Safe*** in which it is located. ### Selecting a safe With the safe selector, you can browse your safes and select the one you wish to use. ![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB2069.png) 1. The upper section of the drop-down list contains a subset of the safes that one has access to. You can also see and manage the list of excluded safes in ***File – Settings – Types – CyberArk***. 2. ***Favorites*** will display accounts that have been tagged as favorites in CyberArk, but from within Remote Desktop Manager. Adding or removing a favorite will update CyberArk. 3. ***Show all*** will list all accounts that the user has access to. For certain users, this we be a sizeable list and will not be a quick operation. It is provided for users that have access to a finite list of accounts. 4. ***Browse...*** will display the safe selection dialog, where there is paging and filtering to help the user to locate the relevant safe. Again, they are listed by default in the order received from CyberArk. Below is a preview of the ***CyberArk Select Safe*** page that appears after selecting ***Browse...*** in the safe selector.
In this view, if you select a safe and click ***OK***, you will then be able to view the accounts from that safe. ![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB2073.png) ### Connecting to a host After selecting the account you wish to use, you can either use the ***Connect*** button in the ***Actions*** menu or right-click and select the appropriate connection component. ![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB2070.png) In both cases, you will then see a dialog box that allows you to specify the host you want to connect to. ### Selecting a host ![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB2071.png) 1. ***Host*** field * If the CyberArk Remote machine access field is used in the account properties, the endpoints that were entered will be listed in this field. It allows for connections even for assets that are not managed in Remote Desktop Manager. * If the CyberArk Remote machine access field is not used, you can type in any name in the control to connect to it. Please note that name resolution is performed at the PSM level. Therefore, please adhere to the standards of your CyberArk installation to achieve success. 2. Filter field: Type in characters that fit an asset name to have a filter applied in the grid below. 3. The grid will display entries that represent a host system. Therefore, connect to the one that represents the endpoint you need to connect to. ### Using the Remote Desktop Manager ***navigation pane*** to establish connections After selecting the account in the CyberArk Dashboard, you can also use the ***navigation pane*** to select a host by right-clicking an entry and navigating to the ***Connect using*** menu. ![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB2205.png) The menu can be bypassed by allowing a double-click action when there is only one possible combination of account/gateway/component. {% hint style="info" %} You can use a batchedit PowerShell script to allow a double-click action instead of selecting the option described in the steps below. {% endhint %} ``` $connection.ConnectUsingDashboardOnDoubleClick = "True"; $RDM.Save(); ``` 1. Select an entry and go to ***Properties*** – ***Advanced***. 2. Go to ***Connect using dashboard on double click*** and click ***Yes***. {% hint style="info" %} The same option can be found in ***File*** – ***Settings*** – ***Types***. {% endhint %} 3. Click ***OK*** to save and close the window. Double-clicking will now automatically open the ***Dashboard***. ### See also * [Devolutions Blog – Spotlight on: CyberArk Dashboard in RDM](https://blog.devolutions.net/2025/06/spotlight-on-cyberark-dashboard-in-rdm/) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.devolutions.net/rdm/knowledge-base/how-to-articles/cyberark-dashboard-configuration-and-use.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.