BeyondTrust EPM Server
БесплатноНе проверенEnables management of BeyondTrust Endpoint Privilege Management (EPM) through natural language, supporting policy, computer, user, group management, file inspec
Описание
Enables management of BeyondTrust Endpoint Privilege Management (EPM) through natural language, supporting policy, computer, user, group management, file inspection, audit monitoring, and admin access requests.
README
A Model Context Protocol (MCP) server for managing BeyondTrust Endpoint Privilege Management (EPM) through Claude Desktop and other MCP clients.
Features
- 🔐 Policy Management: Create, read, and manage EPM policies and applications
- 📋 Computer Management: List, authorize, and organize managed endpoints
- 👥 User & Group Management: Manage EPM users, roles, and computer groups
- 🔍 File Inspection: Safely extract file metadata for policy creation (Windows PE files)
- 📊 Audit & Monitoring: Access activity audits, events, and authorization requests
- ✅ Admin Access Requests: Create, approve, and deny admin access requests
🚀 Quick Start
Prerequisites
- Python 3.14 or higher
- uv package manager
- Claude Desktop (or another MCP client)
- BeyondTrust EPM instance with API credentials
Installation
1. Clone the Repository
git clone https://github.com/wesharris222/btepmmcp.git
cd btepmmcp
2. Install Dependencies
uv sync
This installs:
httpx- HTTP client for EPM APImcp- Model Context Protocol SDKpefile- PE file parser for file inspection
3. Get Your EPM API Credentials
From your BeyondTrust EPM console:
- Navigate to Configuration → API Registration
- Create a new API client
- Copy the following values:
- Base URL:
https://[your-subdomain]-services.pm.beyondtrustcloud.com - Client ID: Your API client ID (GUID)
- Client Secret: Your API client secret
- Base URL:
4. Configure Claude Desktop
Windows: Edit %APPDATA%\Claude\claude_desktop_config.json
macOS: Edit ~/Library/Application Support/Claude/claude_desktop_config.json
Linux: Edit ~/.config/Claude/claude_desktop_config.json
Add this configuration:
{
"mcpServers": {
"beyondtrust-epm": {
"command": "uv",
"args": [
"--directory",
"C:/path/to/btepmmcp",
"run",
"bt_epm_mcpv1.py"
],
"env": {
"BT_EPM_BASE_URL": "https://YOUR-SUBDOMAIN-services.pm.beyondtrustcloud.com",
"BT_EPM_CLIENT_ID": "your-client-id-here",
"BT_EPM_CLIENT_SECRET": "your-client-secret-here"
}
}
}
}
Important: Replace the following:
C:/path/to/btepmmcp→ Actual path where you cloned the repoYOUR-SUBDOMAIN→ Your EPM subdomainyour-client-id-here→ Your API client IDyour-client-secret-here→ Your API client secret
5. Restart Claude Desktop
Close and reopen Claude Desktop to load the MCP server.
6. Verify Installation
In Claude Desktop, try:
List all EPM policies
If configured correctly, Claude will use the MCP server to retrieve your policies!
📖 Usage Examples
Policy Management
List all policies
Show me the details for policy ID 063caa3a-a1fe-4f41-a1d3-994ad5cb0d7a
List applications in policy 063caa3a-a1fe-4f41-a1d3-994ad5cb0d7a
File Inspection (Safe - No Execution)
Inspect the file at C:\Program Files\7-Zip\7zFM.exe
Returns file properties like:
- File name, size, hashes (SHA256, SHA1)
- Publisher, product name, version
- All metadata without executing the file
Create Policy Application
Create a policy application:
- Policy ID: 063caa3a-a1fe-4f41-a1d3-994ad5cb0d7a
- Application Group ID: 5c28a0a9-c133-4f19-9378-0b12f5fe7b77
- Type: exe
- Description: 7-Zip File Manager
- Publisher: Igor Pavlov
- Product Name: 7-Zip
Computer Management
List all computers
Show unauthorized computers
Authorize computer IDs [id1, id2] and assign to group [group-id]
User Management
List all EPM users
Create a user with email [email protected] and role ID [role-id]
Admin Access Requests
Create an admin access request for computer [computer-id]
Approve admin access request [request-id] by user [email protected]
🛠️ Available Tools
The MCP server provides these tools (used automatically by Claude):
Policy Management
list_policies- List all policiesget_policy_details- Get detailed policy informationlist_policy_application_groups- List applications in a policycreate_policy_application- Add applications to policies
File Inspection
inspect_file_for_policy- Extract file metadata safely
Computer Management
list_computers- List managed computersget_computer_details- Get computer detailsauthorize_computers- Authorize computersassign_computers_to_group- Assign computers to groups
Group Management
list_groups- List computer groupscreate_group- Create new groups
User Management
list_users- List EPM userscreate_user- Create new users
Monitoring & Auditing
get_activity_audits- Get audit logssearch_events- Search EPM eventslist_authorization_requests- List authorization requestsget_authorization_request_details- Get request details
Admin Access Requests
list_admin_access_requests- List admin access requestsget_admin_access_request_details- Get request detailscreate_admin_access_request- Create new requestsapprove_admin_access_request- Approve requestsdeny_admin_access_request- Deny requests
🔒 Security & Safety
File Inspection Safety
The inspect_file_for_policy tool is 100% safe:
✅ Never executes files - Only reads metadata
✅ Read-only operations - No file modifications
✅ Static analysis only - Parses PE structures without running code
✅ Industry-standard library - Uses trusted pefile library
✅ Cross-platform - Works on Windows, Linux, macOS
See FILE_INSPECTION_README.md for details.
API Security
- Uses OAuth 2.0 client credentials flow
- Credentials stored in Claude Desktop config (local only)
- HTTPS communication with BeyondTrust EPM API
- Token auto-refresh with expiration handling
📁 File Structure
btepmmcp/
├── bt_epm_mcpv1.py # Main MCP server
├── pyproject.toml # Python dependencies
├── README.md # This file
├── FILE_INSPECTION_README.md # File inspection guide
├── IMPLEMENTATION_SUMMARY.md # Technical details
├── QUICK_START.md # Quick reference
├── test_file_inspection.py # Safety tests
└── mcp_output/ # Query results (auto-created)
🧪 Testing
Test File Inspection
uv run python test_file_inspection.py
This verifies:
- Files are not executed
- Metadata is extracted correctly
- Hashes are calculated
- PE parsing works
Manual Testing
# Test file inspection
uv run python -c "from bt_epm_mcpv1 import inspect_file_properties; import json; print(json.dumps(inspect_file_properties('C:\\Windows\\System32\\notepad.exe'), indent=2))"
🌐 Cross-Platform Support
Windows
- Full functionality
- PE file metadata extraction
- Native path support
Linux
- Full API functionality
- Can inspect Windows PE files (.exe, .dll)
- Use Linux paths:
/usr/bin/app
macOS
- Full API functionality
- Can inspect Windows PE files
- Use macOS paths:
/Applications/App.app/Contents/MacOS/app
📊 Output Files
All query results are saved to mcp_output/:
latest.json- Last query result (always overwritten)<tool>_<timestamp>.json- Archived results for each query
Example:
mcp_output/
├── latest.json
├── list_policies_2025-11-13T10-30-45-123456.json
├── inspect_file_for_policy_2025-11-13T10-35-22-789012.json
└── create_policy_application_2025-11-13T10-40-15-345678.json
⚙️ Configuration Options
Environment Variables
Required (set in Claude Desktop config):
BT_EPM_BASE_URL- Your EPM instance URLBT_EPM_CLIENT_ID- API client IDBT_EPM_CLIENT_SECRET- API client secret
Customization
Edit bt_epm_mcpv1.py to customize:
OUTPUT_DIR(line 17) - Change output directorytimeout=30.0(line 146) - Adjust HTTP timeout- Tool descriptions and parameters
🐛 Troubleshooting
"Missing required environment variables"
Problem: Server can't find API credentials
Solution: Check your claude_desktop_config.json:
- Verify the path is correct
- Ensure all three env vars are set
- No typos in variable names
- Restart Claude Desktop after changes
"Import pefile could not be resolved"
Problem: Dependencies not installed
Solution:
cd /path/to/btepmmcp
uv sync
"File not found" when inspecting files
Problem: Relative paths or incorrect path format
Solution: Use absolute paths:
- Windows:
C:\\Program Files\\App\\app.exe(double backslashes) - Linux/Mac:
/usr/bin/app
"HTTP Error 401 Unauthorized"
Problem: Invalid API credentials
Solution:
- Verify credentials in EPM console
- Check Base URL format (must include
https://) - Ensure client has proper permissions
"HTTP Error 405 Method Not Allowed"
Problem: Incorrect API endpoint (fixed in v1)
Solution: Update to latest version:
git pull origin main
MCP Server Not Loading
Problem: Claude Desktop can't find the server
Solution:
- Check absolute path in config is correct
- Verify
uvis in your PATH - Check Claude Desktop logs:
- Windows:
%APPDATA%\Claude\logs\ - macOS:
~/Library/Logs/Claude/ - Linux:
~/.config/Claude/logs/
- Windows:
📚 Additional Resources
🤝 Contributing
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch
- Test your changes
- Submit a pull request
📝 License
[Add your license here]
💡 Tips & Best Practices
Policy Creation
- Inspect files first: Use
inspect_file_for_policyto get accurate metadata - Use publisher matching: More flexible than hash matching for updates
- Test with small groups: Verify policies before wide deployment
File Inspection
- Always use absolute paths: Avoid path resolution issues
- Review extracted properties: Not all files have all metadata
- Combine criteria: Use publisher + product name for best results
Security
- Protect API credentials: Never commit config files with real credentials
- Use least privilege: Create API clients with minimum required permissions
- Review audit logs: Monitor MCP server actions in EPM audit logs
🆘 Support
For issues or questions:
- Check the Troubleshooting section
- Review the documentation files in this repo
- Check BeyondTrust EPM API documentation
- Open an issue on GitHub
✨ What's New
v1.0 (Current)
- ✅ Fixed 405 error in
create_policy_application - ✅ Added cross-platform file inspection
- ✅ PE metadata extraction (publisher, version, hashes)
- ✅ Comprehensive documentation
- ✅ Safety testing suite
🎯 Roadmap
Future enhancements:
- Batch file inspection
- Directory scanning
- Certificate validation
- Policy templates
- Version comparison tools
- Web UI for configuration
Ready to automate your EPM management? Get started now! 🚀
Установка BeyondTrust EPM Server
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/wesharris222/btepmmcpFAQ
BeyondTrust EPM Server MCP бесплатный?
Да, BeyondTrust EPM Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для BeyondTrust EPM Server?
Нет, BeyondTrust EPM Server работает без API-ключей и переменных окружения.
BeyondTrust EPM Server — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить BeyondTrust EPM Server в Claude Desktop, Claude Code или Cursor?
Открой BeyondTrust EPM Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare BeyondTrust EPM Server with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
