Enterprise preparation

Before installing SS&C | Blue Prism® Enterprise , it is important to consider what type of deployment is required:

  • Multi-device deployment (recommended).
  • Blue Prism components deployed across a number of devices whereby all database connections are established via an application server.
    • Provides an extensible deployment of Blue Prism suitable for a broad range of scenarios.
    • Advanced techniques relating to deploying additional application servers, or securing and hardening the environment will commonly require this type of deployment.
  • Standalone deployment (for evaluating Blue Prism Enterprise).
  • A single standalone device containing a Blue Prism interactive client and runtime resource connecting directly to a database server (which can optionally be hosted on an additional device).
    • Simplest deployment of Blue Prism.
    • Configuration options are selected based on the ease of install.
    • Suitable only for evaluation, non-production, short-term use.
    • Both installation types leverage in-product functionality to create and configure the database remotely on the SQL Server. It is therefore necessary to authenticate against the target SQL Server using an account with sysadmin privileges.


Before carrying out the installation, the following conditions must be met:

  • A SQL Server must be available to host the Blue Prism database. Administrator-level access is required – for short-term evaluations a local edition of SQL Server Express may be suitable.
  • Administrator access to the devices where Blue Prism is to be installed must be available. All devices must meet the minimum specifications and the devices must be able to communicate with each other over the network.
  • If using Active Directory Single Sign-on (SSO), the users' Active Directory accounts, the Blue Prism application server(s), and all Blue Prism devices that will be accessed by users (such as, interactive clients and runtime resources) must reside in Active Directory domains that are trusted by the domain in which the account running the Blue Prism application server(s) resides.. For more information, see Active Directory domains.

It is also important to ensure that the following decisions have been taken prior to carrying out the installation. The table below outlines which questions are relevant based on the deployment type.

Considerations and their relevance for the type of deployment

Standalone Deployment

Multi-Device Deployment

On what device will the database be hosted?



What authentication mode is required for the SQL database (SQL Native or Windows Authentication)?



Do all devices where Blue Prism is to be installed meet the minimum requirements (including an appropriate version of the .NET Framework)?



Will the interactive client be used to create/edit processes?



Will all components be deployed within a common Active Directory Forest?



Will users authenticate using Blue Prism native authentication or Active Directory Single Sign-on?



What account will the Blue Prism Server service be configured to logon as?



Will users log into the Blue Prism interactive client directly or via Authentication Server (i.e. will they require access to the Hub Control Room)?



Do any applications at your organization only operate with 32-bit software applications? If yes, see the Upgrade notices for 7.2.



For details about the supported software versions and operating systems, see Software and hardware requirements.

Multi-device deployment considerations

When undertaking a multi-device deployment the following items must be considered prior to undertaking the installation.


Dev/Test/Pre-Prod Environments

Production Environments

General connectivity

Connectivity between the various devices must be configured appropriately.

Commonly this requires DNS to be configured to allow the devices to resolve each other based on their FQDN; and appropriate firewall rules to be in place to allow the devices to communicate on the required ports.

Runtime resources

Fewer runtime resources are deployed in comparison to a production environment as execution can be tested locally

The largest number of runtime resources are deployed into production environments.

Interactive clients

Require target applications to be installed to allow processes to be designed and verified.

Do not typically require target applications to be installed as these devices are commonly only used for controlling the environment.

Application server

A single device can host multiple application servers (on different ports).
This may be appropriate for environments of the same type.

All services on a given device must use a common version of Blue Prism.

Database server instance

Consider if the way that resources are allocated to SQL Server instances make it appropriate to use a single shared instance for deployments of Blue Prism based on their importance and criticality. (E.g. Dev and Production environments are likely to be most business critical).

WCF connection mode

Select which WCF server connection mode will be used to determine whether a server certificate will be required. For more details, see  Selecting a BP Server connection mode.

If a certificate is required, this must be manually generated and installed on the application server(s). The common name on the certificate must align with the address that the client devices will be configured to use to connect to the server.

Additionally, all devices that will connect to the server must trust the Certification Authority that issued the manually generated certificate.

Runtime resource certificates

Decide if there is a requirement to apply certificate-based security to the instructional communications from the interactive clients and application servers to each runtime resource; and to inbound communications received by the runtime resources if they are hosting web services.

If a certificate is required this must be manually generated and installed on each applicable runtime resource. The common name on the certificate must align with the address that Blue Prism will be configured to use when communicating with the devices (E.g. FQDN or machine short name).

Additionally, all devices that will connect to the runtime resources must trust the Certification Authority that issued the manually generated certificate(s).

User role permissions

To strengthen Blue Prism network security, role-based access control (RBAC) should be utilized and only specific users, such as infrastructure administrators, should be granted access to application servers and network communication configuration. All other users should be denied access by default. Explicit allow/deny access should be configured for all users and the principle of ‘Least Privilege’ followed.

These controls should also extend to the users of Blue Prism, so that only those who need access to the platform are allowed and are only given the level of authority required to carry out their role, while all others are denied access by default.

It is advised that you also consult the Robotic Operating Model (ROM) security information on the Blue Prism Portal for recommendations of best practice.

Please be aware that starting and running a runtime resource with elevated permissions might affect the interaction with the application that is being automated. Generally, the permissions of the runtime resource must match those of the user context of the target application.