Endpoint Privilege Management (EPM)

Administrator accounts

A local administrator account is a user account with elevated permissions that allow significant changes to a computer. These accounts can install software, modify system settings, and access sensitive areas of the device.

Because of these broad capabilities, local administrator accounts are attractive to attackers. If compromised, they allow quick, wide-reaching access to university systems and data.

Endpoint Privilege Management (EPM)

EPM follows the cybersecurity principle of least privilege — ensuring users only have the permissions necessary to perform their work. The aim is to reduce standing privilege while still giving you the flexibility to work effectively.

Think of EPM like a smart key system: instead of carrying a permanent master key, you can unlock what you need, when you need it, without exposing critical systems to unnecessary risk.

EPM strengthens cybersecurity by limiting privilege where possible and ensures system integrity by restricting access to sensitive functions.

Implementation

EPM is being introduced on all ¶®É«µÛ computing devices. 

The university has selected the BeyondTrust Endpoint Privilege Management (EPM) tool. This allows users to: 

  • install commonly used low-risk business software (e.g. Adobe Acrobat) without needing additional permissions 
  • manage specific system settings they previously could not modify (e.g. adding hardware, like a home printer).

For most users, the change will be minimal. Your daily applications, browsers, and internet use will continue to function normally. There will be no changes to how you access folders, files and drives. Most software installations remain unchanged.

Software installation and additional access

By default, newly provisioned computers will be provisioned with a standard user account designed to support everyday work needs. This will enable most users to complete their daily tasks while maintaining system security and minimizing risk.

These accounts can:

  • Install and update low-risk and commonly used software with university relevance (e.g. Adobe Reader and Google Drive)
  • Modify selected system settings
  • Install some hardware, like a home printer
  • Continue to access required university services and systems

Not all software will be automatically permitted – you may need to request software installation by submitting a General IT Inquiry ticket through the .

Additional access

For users performing dynamic tasks such as academic and research-driven activities, software development, IT administration, or other specialized work — EPM can provide a highly flexible workstyle that allows you to:

  • Install and uninstall most software as needed.
  • Change many system settings that matter for your work.

At the same time, sensitive areas of the system remain protected. For example, EPM will restrict access to advanced configurations, core operating system files, or disabling of critical security features.

When purchasing new computer equipment, IST will work with you to understand your needs and provision this account during initial setup wherever possible.

To request additional access, please submit a General IT Inquiry ticket through the .

Frequently asked questions

What is the current scope of EPM?

The initial rollout targets centrally managed Windows computers on the STS domain and newly procured computers. Faculties and departments will receive implementation support to help with adoption.

What is the STS domain, and how do I know if I am on it?

STS is a term that refers to computers that are centrally managed by IST. To check if you are part of the STS domain:

  • Click Start → type “Settings” and open it.
  • Go to Accounts → Access work or school.
  • If you see "sts.ad.ualberta.ca" or "Connected to STS AD domain," then you are part of the STS domain.
  •  If it says anything other than "STS," you are not.

Will I lose my administrator account?

Existing administrator accounts are being evaluated, but you may retain yours if required for your work. 

EPM is designed to provide the right level of access to match your needs. For example, day-to-day office work may only require standard access, while research-driven or specialized technical roles will be given access that is close to a full administrator account.

How can I do what I need to do without administrator access?

The EPM tool allows the deployment of standard user accounts with enhanced privileges that provide the access levels required to do your work while mitigating the risk of system-wide administrator access.

But I need an administrator account. What’s the process?

IST will work with you to ensure you have the access required to complete your work. Access begins at the standard level and can be stepped up through additional levels until the right balance of flexibility and security is in place for your role. Requests for additional access requests can be made by submitting a General IT Inquiry ticket through the

Who do I contact for questions and information on the EPM tool?

If you have any questions or require additional information, please contact IST. Members of the U of A community can also request an information session. These sessions explain how EPM enhances individual and institutional security, and provide an opportunity to ask questions about its rollout.

Please submit a General IT Inquiry ticket through the