Privileged Remote Access 25.2 release notes
September 9, 2025
This release introduces a range of security-forward enhancements and experience improvements to Privileged Remote Access.
🔥 Spotlight new features
Vault now supports Amazon Web Services (AWS) and Password Safe discovery
You can use the Discovery feature to easily find AWS Secrets stored in AWS Secrets Manager, making it simpler to bring everything together in one secure place.
For information, see Discovery of AWS Secrets.
In Password Safe:
Vault discovers and imports Managed Accounts and Managed Systems from your Password Safe instance.
For information, see Discovery of Password Safe.
Endpoint automation API support
Endpoint automation makes it easy to run scripts on multiple devices at once—no need to start a support session. It’s a great way to speed up routine tasks and boost efficiency.
With automation, manage all your systems more smoothly, cut down on manual work, and ensure everything stays updated and consistent across the board.
The endpoint automation feature is only available to service mode Jump Clients with an active connection on Mac, Windows, or Desktop Linux.
For more information, see Endpoint automation API support.
Added Endpoint automation roles
Assign users the right level of access to endpoint automation based on what they need to do.
- Not Allowed: The Endpoint Automation tab is hidden.
- User: Create automation jobs but with some limits.
- Administrator: Full access to create jobs, script templates, and resources.
Access automation roles under Access Permissions when you add a new user or edit an existing user on the Users & Security > Users page.
For more information, see Roles for Endpoint Automation.
Duplicate Jump Clients reporting
You’ll find a new report under Reports > Duplicate Jump Clients that shows how many duplicate Jump Clients are in your environment—making it easier to keep things organized.
For information, see Duplicate Jump Clients reports.
🆕 New features
Wayland display server support
You can now take advantage of these Wayland features:
- Mouse and keyboard functionality
- Screen sharing in view-only mode
You still need X Server for Wayland to run properly. A fully standalone Wayland setup isn't supported at this time.
For more information, see Wayland support.
Auto start sessions
You can now mark a set of Jump Items to automatically start sessions immediately after you log in to the Console.
For more information, see Sessions to automatically start.
Turn on edit permissions automatically when creating Jump Item Roles
When you set up a Jump Item Role and check the Create new Jump Items or upgrade Jump Clients box, all "edit" permissions under the Jump Items section are turned on automatically. You'll see this message letting you know:
The "Create Jump Items" permission grants broad creation privileges, including the ability to set all fields on items during creation. This permission should be granted to trusted users only.
For more information, see Add a Jump Item Role.
Jump Clients display on Status page
You can now view the following details on the Status page:
- Number of Jump Clients in use
For more information, see Status.
Manage duplicate Jump Clients
We've made some updates to make it easier to manage duplicate Jump Clients:
- You’ll now see a warning dialog box when duplicates are detected, so you can take action right away.
- The Jump Group field is no longer automatically filled with the default group—giving you more flexibility to choose the right one for each client.
For more information, see Maintenance of duplicate Jump Clients.
Jump Zone Proxy chaining
Jump Zone Proxies can now be set up to connect to other Jump Zone Proxies. This lets you reach endpoints in target networks through multiple layers, using connected Jumpoints to bridge the gaps.
For more information, see Configure multiple outbound Jumpoint proxies.
OIDC as new service provider
OpenID Connect (OIDC) is now supported as an identity authentication protocol. From the Users & Security > Security Provider page, you can select OpenID Connect to configure a new service provider.
For more information, see OpenID Connect.
Session credential column
Added the Credential column to easily see the name of the active credential being used in a session.
The Credential field is included in audits to help track which credentials are used and to create a clear audit trail.
Available on the Web Access Console and Desktop Access Console.
For more information, see Credential column in console.
Preset configuration settings
You can select a preset configuration based on the Access Console platform which automatically fills in the tunnel type, command, and argument fields.
For information, see Preset Configuration settings.
✨ Enhancements
Jump Client installer usage
Added installer parameters for Linux and headless deployments: scope, user, headless, and online-install.
The silent parameter for Linux has been removed.
For more information, see Install a Linux Jump Client.
Jump Group auto refresh
When a Jump Group is created or a user is added to a Jump Group or Jumpoint, the Access Console automatically refreshes to show the updated access state.
For information, see Jump interface.
Jump Client installer table
The following new fields have been added to the Jump Client installer table by default:
- Jump Group
- Tag
- Comments
The Connection Type field is completely removed from the table.
For more information, see Jump Client installer list.
Turn on edit permissions automatically when creating Jump Item Roles
When you set up a Jump Item Role and check the Create new Jump Items or upgrade Jump Clients box, all "edit" permissions under the Jump Items section are turned on automatically. You'll see this message letting you know:
The "Create Jump Items" permission grants broad creation privileges, including the ability to set all fields on items during creation. This permission should be granted to trusted users only.
For more information, see Jump Item Roles.
Session policy permission to keep sessions active after owner leaves
In the Permissions section on the Users & Security > Session Policies page, a new permission called Allow original session owner to leave sessions running for others has been added. When you enable this permission, the session remains running for other participants after the original owner leaves.
For more information, see Allow original session owner to leave sessions running for others.
Access reports updates
- The View Reports permission in Jump Item Roles now applies to both Jump Item reports and session reports.
- Renamed the Jump Item Role permission to View Session and Jump Item Reports. This permission is assigned through the Jump Group the user belongs to.
- Added a new permission, Allowed to View Access Session Reports, available on the Users & Security > Group Policies page under General Permissions. This option appears when the Session and Team Report Access checkbox is selected.
For more information, see Add a Jump Item Role.
Settings and permissions changes
-
Increased permission granularity for session policies.
-
Added new settings for Jump Policies and external tools.
-
If you navigate to Jump > Jump Item > Jump Item Settings page, External Tools is now configurable as a part of Jump Policy settings instead of as a global setting. This change enables fine-grained control at both the endpoint and user levels.
For more information, see External tools.
New settings for outbound events
The following new settings have been added to outbound events:
- Jumpoint is online
- Jumpoint is offline
For more information, see Add or edit HTTP recipient.
Configure email using default email gateway (Cloud and Pathfinder only)
This feature is not available for Privileged Remote Access on-premises.
You can now use settings from a BeyondTrust hosted email gateway, there is no need to manually enter SMTP Relay Server details.
Go to Management > Email Configuration, and select Use BeyondTrust Privileged Remote Access default email gateway.
For more information, see Use hosted email settings.
User interface refresh
Updated styling with a more modern color palette to improve accessibility through better font contrast and color choices.
⏰ Deprecation notices
- Replaced all references to "Bomgar" with "sra" in folder names, MSI files, and EXE files where applicable.
- Removal of Passive Jump Clients.
⛔ Known Issues
| Product Area | Description | Resolution |
|---|---|---|
| Jump Client | License information being displayed incorrectly. | Patch HELP-11765 fixes an issue where incorrect license information was displaying on the status page. The patch is available in the Check for updates interface after 25.2.1 is installed. Cloud sites will have the patch automatically installed shortly after a 25.2.1 upgrade. Successful installation of the patch can be confirmed in the Installed Patches section in the /login interface. |
🛠️ Issues resolved
| Product Area | Description | Resolution |
|---|---|---|
| Session policy | If you have use Jump approval with a Jump policy that has the Require approval before a session starts and Approvers can approve settings set to All requests except their own, you approve your own requests. | The Jump approval works as expected. |
| API | When you create a protocol tunnel Jump, your site may become unresponsive. | The protocol tunnel jump works as expected. |
| Vault | Authentication of an endpoint system does not correctly identify Microsoft Entra ID. | Authentication to a system with Microsoft Entra ID is correctly identified. |
| Vault | When you delete Jump Items associated with a Vault Account that exceeds 50, it does not update the number of Jump Items to be associated with that Vault Account. | The limit value works as expected. |
| Security Providers | When you configure LDAP by using the Enable LDAP object cache permission, it may give inconsistent results. | The Enable LDAP object cache works as expected. |
| Atlas | System Network address prefixes disappeared on new traffic nodes | System network address appear correctly. |
| Access Console | On a Mac computer, the Access Console closes unexpectedly when the Invite External User window is open. | The Access Console works as expected. |
| Access Console | When you copy an incorrectly formatted Kubernetes cert, the error message dialog box is blank. | The error message dialog box correctly displays. |
| Access Console | When you create a Kubernetes Tunnel Shortcut and do not include a certificate, the tooltip does not display. | The tooltip works as expected. |
| Access Console | Console behavior using the minimize and maximize buttons on a dual monitor setup causes incorrect primary monitor setting. | The dual monitor behavior works as expected. |
| Access Console | When you use a Croatian keyboard the @ symbol (AltGr+v) does not work at the Windows login screen. | The AltGr+v combination works as expected. |
| Access Console | If you request authorization to a Jump client and you cancel the request seconds before another user cancels, and then the original user creates another request, the Access Console becomes unresponsive. | The Access Console works as expected. |
| Access Console | When you copy and paste a URL from Linux to Windows, it contains non-printable characters which make the URL not valid. | The copy and paste between Linux and Windows works correctly. |
| Access Console | Pop up Notifications and Team Chat in the Sessions dialog box does not update correctly. | The transferred text updates correctly. |
| Access Console | You are unable to copy and paste between two applications on the endpoint system. | The copy and paste functionality work as expected. |
| Access Console | When you enable the Blink Cursor option in Shell Settings and the user starts a Command Shell, the cursor does not blink. | The Blink Cursor settings work as expected. |
| Web Access Console | When you use large usernames or comments, a blank External Access Invite URLs is created. | Web Access invite URLs work as expected. |
| Web Access Console | The Shift Key does not work in Chrome OS in a Web Access Remote RDP session. | The Shift key works as expected. |
| Web Access Console | When you use an RDP session, a black screen sometime displays. | RDP sessions work as expected. |
| Web Access Console | When you start and then end a session while using the Access Console on a 4K monitor, the text in the options is cut off. | The text displays correctly on a 4K monitor. |
| Network tunnel | Routes for the tunnel configuration are using the wrong gateway address in Windows. | The tunnel uses the correct gateway address. |
| Jump Client | If you log into a Kiosk Windows computer, the session starts slowly. | The sessions work as expected. |
| Jumpoint | Shell jumps using Jumpoints installed on Windows Server 2016 can no longer scroll. | Scrolling in a Shell Jump works correctly. |
| Mac | When the Allowed to enable extended availability mode settings is not enabled in an Access Console, the File tab displays a bubble. | The File tab displays correctly. |
| Mac | On a Mac 15 endpoint, the Jump client stat thumbnail is blacked. No endpoint image is present. | The Jump Client stat thumbnail works as expected. |
| Mac | The Force immediate reboot check box is in the wrong location on the Reboot Confirmation window on Macs. | The Force immediate reboot check box is in the correct location. |
| Mac | The Access Console changes multiple times after the Console window is maximized and then minimized. | The Access Console window behavior works as expected. |
| Mac | The Ctrl + Tab combination in the Access Console to Windows endpoints does not work correctly. | The Ctrl + Tab combination sent from Mac Access Console to Windows endpoints works correctly. |
| Linux | Keyboard mapping does not work correctly when jumping to an Ubuntu 20.04 jump client. | The keyboard mapping works correctly. |
| Linux | When you install a Jump Client on Linux system, it displays errors even though the Jump Client installed correctly. | The installation of a Jump Client works as expected. |
| Web Jump | You are unable to download a file(s) with a list of virtual machines in VMware. | You can download files from VMware. |
| Miscellaneous | When an administrator signs in to the site for the first time, the EULA screen only shows in the Cloud version. | The EULA screen shows for all versions. |
📝 Requirements
- Requires Base 8.0.
- Supports ECM Protocol 1.6.
- Supports upgrades from RS 24.2.4+.
- Validated with ECM 1.6.4.
- Validated with Integration Client 25.1.1
- Includes VSC 1.2.10.2.
- Before upgrading, ensure any SSL certificates used are either from a trusted Certificate Authority, or, for self-signed certificates, the certificate is either trusted on all endpoints or explicitly included in their installation.
