Jump | PRA Cloud

What are Jump Clients?

Jump Clients are software agents installed on remote systems, enabling secure, unattended access to those systems for support or administrative tasks.

How are Jump Clients useful to my organization?

Jump Clients provide reliable, always-available access to remote systems, improving efficiency by allowing teams to resolve issues without requiring user intervention. They enhance security through encrypted connections and customizable access controls.

How do I access the Jump Clients page?

  1. Use a Chromium-based browser to sign in to your Privileged Remote Access URL.
    This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
  2. From the left menu, click Jump.
    The Jump Clients page opens and displays by default.

Jump Client installer list

The Jump Client installer list shows existing Jump Client installers and the ability to add a new Jump Client. To add a new Jump Client, see Jump Client Mass Deployment Wizard.

A warning appears at the top of the list:

Installing more than one Jump Client as the same user or more than one Jump Client as a service on the same system is being phased out in a future release. In the Access Console you may use the copy action on a Jump Client to apply different policies to the same endpoint.

Click Dismiss to hide the message.

  • Click and then select a platform to either download the installer, email the direct download link to recipients, or copy the direct download link to your clipboard.
  • Click and then select a platform to view the key info to be used with the generic Jump Client installer.
  • Click to change how long the installer will be valid.
  • Click to delete the Jump Client installer. This does not delete any Jump Clients that used this installer.

Jump Client Mass Deployment Wizard

To create a new Jump Client installer, click Add at the top of the Jump Client Installer List.

The Mass Deployment Wizard enables administrators and privileged users to deploy Jump Clients to one or more remote computers for later unattended access.

The only field that is required is Jump Group. After all fields have been completed, click Create.

Jump Client Mass Deployment Wizard fields

ℹ️

Allow override during installation: Some Mass Deployment Wizard settings allow override, enabling you to use the command line to set parameters that are specific to your deployment, prior to installation.

Field name, followed by its description:

Jump Group
    From the Jump Group dropdown box, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by other users. Pinning to your personal list of Jump Items means that only you (and higher ranking roles on your team, such as Team Lead and Team Manager if you are a Team Member, and Team Manager if you are a Team Lead) can access this remote computer through this Jump Client. Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.

This Installer is Valid For
    The installer remains usable only as long as specified by the This Installer is Valid For dropdown. Be sure to leave adequate time for installation. If someone should attempt to run the Jump Client installer after this time, installation fails, and a new Jump Client installer must be created. Additionally, if the installer is run within the allotted time but the Jump Client is unable to connect to the Appliance within that time, the Jump Client uninstalls, and a new installer must be deployed. The validity time can be set for anywhere from 10 minutes to 1 year. This time does not affect how long the Jump Client remains active.

    Once a Jump Client has been installed, it remains online and active until it is uninstalled from the local system either by a logged-in admin user with appropriate permissions, by a user from the Jump interface, or by an uninstall script. It can also be uninstalled, or extended, from the Jump Client Installer List. A user cannot remove a Jump Client unless the user is given appropriate permissions by their Remote Support admin.

Name
    Enter a name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

Comments
    Add comments, which can be helpful in searching for and identifying remote computers.

Jump Policy
    You can apply a Jump Policy to this Jump Client. Jump Policies are configured on the Jump > Jump Policies page and determine the times during which a user can access this Jump Client. If no Jump Policy is applied, this Jump Client can be accessed at any time.

Tag
    Adding a tag helps to organize your Jump Clients into categories within the representative console.

Session Policy
    Choose a session policy to assign to this Jump Client. The session policy assigned to this Jump Client has the highest priority when setting session permissions.

Jumpoint Proxy
    When a Jump Client is first deployed, if it cannot connect to the Appliance, it searches the local network for a Jumpoint or Jumpoint cluster serving as a Jump Zone Proxy. This allows a Jump Client installed on a system without a native internet connection to use the Jumpoint to connect back to the Appliance.

    In the special case where the Jump Client and Jumpoint are not on the same local network or where a firewall blocks the Jump Client's attempt to connect to the Jumpoint, the Jumpoint Proxy setting allows you to set which Jumpoint the Jump Client should try to use as a proxy. This setting is used by Jump Clients that cannot use multicast DNS to retrieve proxy information from a Jumpoint.

Maximum Offline Minutes Before Deletion
    The maximum number of minutes a Jump Client will be offline before it is deleted from the system. This setting will override the global setting if specified.

Attempt an Elevated Install If the Client Supports It
    If this is selected, the installer attempts to run with administrative rights, installing the Jump Client as a system service. If the elevated installation attempt is unsuccessful, or if this option is deselected, the installer runs in user mode, installing the Jump Client in user mode.

    ℹ️
      • User mode Jump Clients are deprecated and will be removed in a future release. This setting applies only to MacOS Desktop and Linux Desktop deployments. It does not apply to Windows deployments.
      • A Jump Client pinned in user mode is available only when that user is logged in. In contrast, a Jump Client pinned in service mode, with elevated rights, allows that system to always be available, regardless of which user is logged in.
      • This option does not apply to headless Linux Jump Clients or Raspberry Pi Jump Clients.

Prompt for Elevation Credentials If Needed
    If this is selected, the installer prompts the user to enter administrative credentials if the system requires that these credentials be independently provided; otherwise, it installs the Jump Client with user rights. This applies only if an elevated install is being attempted.

ℹ️ User mode Jump Clients are deprecated and will be removed in a future release. This setting applies only to MacOS Desktop deployments. It does not apply to Linux, Windows, or Raspberry Pi deployments.

Once you click Create, you can download the Jump Client installer immediately, copy the link for later use, or email the installer to remote users. Multiple recipients can install from the same link.

  1. The Platform dropdown defaults to your operating system. Select a different platform if you plan to deploy on another OS.

  2. Choose an option to download or distribute the Jump Client installer.

    • Download the installer immediately to run locally or distribute with a systems management tool.

    • Copy a direct download link or a cURL/wget/btapi command.

    • Email the installer link to one or more recipients.

  3. Run the installer. The Jump Client attempts to connect to the B Series Appliance.

    If successful, it appears in the Jump interface of the representative console. If it cannot connect right away, it keeps retrying until it succeeds.

    If it fails to connect within the time set by This Installer Is Valid For, it uninstalls automatically and must be redeployed.

Install on Windows systems

Windows instructions

For system administrators who need to push out the Jump Client installer to a large number of systems, the Windows MSI can be used with your systems management tool of choice.

When using a command line or system management tool to install, you can override certain installation parameters. For any setting with Allow override during installation checked, you can modify the Jump Client installer with the following parameters for each installation.

ℹ️

If a parameter is passed on the command line but the setting is not marked for override in the administrative interface, the installation fails. View the operating system event log for installation errors.

Command line parameter and value, followed by its description:

KEY_INFO=<keyinfo>
    Specifies a keyinfo parameter required to install the generic Jump Client installer.

INSTALLDIR=<directory_path>
    Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to.

JC_NAME=<name...>
    If override is allowed, this command line parameter sets the Jump Client's name.

JC_JUMP_GROUP=user:<username> or JC_JUMP_GROUP=jumpgroup:<jumpgroup-code-name>
    If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard.

JC_SESSION_POLICY=<session-policy-code-name>
    If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a session.

JC_JUMP_POLICY=<jump-policy-code-name>
    If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client.

JC_TAG=<tag-name>
    If override is allowed, this command line parameter sets the Jump Client's tag.

JC_COMMENTS=<comments…>
    If override is allowed, this command line parameter sets the Jump Client's comments.

JC_MAX_OFFLINE_MINUTES=<minutes>
    If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost.

JC_EPHEMERAL=1
    If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting --jc-max-offline-minutes 5.

ONLINE_INSTALL=1
    Set the Jump Client to verify online status after installation. This is useful for ensuring that the client is properly connected to the network and can communicate with the server.

START_SERVICES=""
    Prevents the installer from starting services after installation. Useful in IT scenarios where post-install service startup should be skipped.

ℹ️

When deploying an MSI installer on Windows using the msiexec command:

  • The installation directory may be specified by passing a variable: INSTALLDIR=<path>
  • The KEY_INFO= is optional as it is built into the filename.
  • If you specify ONLINE_INSTALL=1, the installation fails if it cannot immediately reach the appliance. The default is blank.
  • A silent installation can be done by specifying /quiet to the msiexec command.
  • All of the --jc… parameters listed above may be specified as variables by:
    1. Removing leading dashes (-)
    2. Converting remaining dashes to underscores (_)
    3. Assigning a value using an equals sign (=)

Example

msiexec /i sra-scc-win32.msi jc_jump_group=jumpgroup:general jc_tag=servers

ℹ️

Normally, when msiexec runs, no messages display in the command line interface. To wait for the installation to complete and to check for any errors, you can set up your command like this:

$ start /wait msiexec /qn /i sra-pin-21fce94dee1940e.msi ONLINE_INSTALL=1
$ echo %ERRORLEVEL%

The error output will be either 0 to indicate success or a number indicating an error. For more information about error codes, see https://learn.microsoft.com/en-us/windows/win32/msi/error-codes.

Modify Windows proxy information

In some cases, the proxy settings of an existing Windows Jump Client must be manually modified to accommodate changes in the proxy environment. The Jump Client has built-in logic to automatically detect updated proxy information within a 24-hour period. However, if the proxy enforces authentication, then the end-user is prompted to enter authentication credentials. If the system is unattended, then credentials and/or other proxy information may need to be manually entered.

The following steps guide you through manually modifying proxy-related sections of the settings.ini file used by the Jump Client.

ℹ️

If a large number of systems must be manually modified, the process can be automated. You can develop a script to do this, or contact BeyondTrust Technical Support to engage the BeyondTrust Professional Services group.

To manually modify the proxy information for a pre-existing Jump Client on a Windows system:

  1. Go to C:\ProgramData\sra-scc-, where is the Jump Client's unique ID.
  2. Locate and edit the settings.ini file.
  3. Within settings.ini, locate the proxy-related section, titled [Proxy]. An example existing proxy section is shown below.

    [Proxy]
    version=2
    detect_failed=0
    [Proxy\access.example.com:443\LastGood]
    Proxy=DIRECT
    [Proxy\access.example.com:443\Detected\1]
    Proxy=DIRECT

  4. Remove all of the settings within the [Proxy] section and replace them with the settings as follows. Replace all <bracketed> text with the appropriate information.

    [Proxy]
    version=1
    ProxyUser=<domain\user>
    ProxyPass=<password>
    [Proxy\Manual]
    ProxyMethod=<numeric value of 0=DIRECT, 100=HTTP CONNECT, 200=SOCKS4>
    ProxyHost=<proxy hostname/ip>
    ProxyPort=<proxy port>

    An example of a manually modified section is below.

    [Proxy]
    version=1
    ProxyUser=myDomain\proxyUser
    ProxyPass=MyPassword
    [Proxy\Manual]
    ProxyMethod=200
    ProxyHost=myproxyserver.example.com
    ProxyPort=8443

  5. Save and close the settings.ini file.
  6. Either reboot the system or stop/start the BeyondTrust Jump Client service for the new information to apply.
  7. The Jump Client now uses the manually defined proxy information.

ℹ️

After making the above changes to the settings.ini file, the defined username and password which were entered in plain text will be hashed into an unreadable format.
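
The page notes that this change can be scripted when many systems are affected. The following is an added PowerShell example, not BeyondTrust code: it applies the steps above to every sra-scc-* directory under ProgramData and then checks that the plain-text password is no longer in the file. The UTF-8 file encoding, the treatment of every [Proxy\...] subsection as part of the [Proxy] section, the operator-supplied service name and the 30-second wait are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not BeyondTrust code: replace the [Proxy] sections in every
# Jump Client settings.ini with the manual settings described on the page.
# Assumptions: the file is UTF-8/ASCII text; [Proxy] and all [Proxy\...]
# sections are replaced; -ServiceName is supplied by the operator because the
# page does not give the Windows service name; the 30-second wait is a guess.
param(
    [Parameter(Mandatory = $true)] [string]$ProxyHost,
    [Parameter(Mandatory = $true)] [ValidateRange(1, 65535)] [int]$ProxyPort,
    [Parameter(Mandatory = $true)] [pscredential]$ProxyCredential,   # domain\user and password
    [ValidateSet(0, 100, 200)] [int]$ProxyMethod = 100,              # 0=DIRECT, 100=HTTP CONNECT, 200=SOCKS4
    [string]$ServiceName                                             # optional, operator-supplied
)

function Remove-ProxySections {
    # Drops [Proxy] and every [Proxy\...] section; all other lines pass through.
    param([string[]]$Lines)
    $kept = New-Object 'System.Collections.Generic.List[string]'
    $inProxy = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $name = $Matches[1]
            $inProxy = ($name -eq 'Proxy') -or
                $name.StartsWith('Proxy\', [System.StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $inProxy) { $kept.Add($line) }
    }
    return $kept.ToArray()
}

# The password is held in memory only and is never written to output.
$password = $ProxyCredential.GetNetworkCredential().Password
$manual = @(
    '[Proxy]',
    'version=1',
    "ProxyUser=$($ProxyCredential.UserName)",
    "ProxyPass=$password",
    '[Proxy\Manual]',
    "ProxyMethod=$ProxyMethod",
    "ProxyHost=$ProxyHost",
    "ProxyPort=$ProxyPort"
)

$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
$updated = @()

foreach ($dir in Get-ChildItem -Path $env:ProgramData -Directory -Filter 'sra-scc-*') {
    $ini = Join-Path $dir.FullName 'settings.ini'
    if (-not (Test-Path -LiteralPath $ini)) { continue }

    # Keep a copy of the previous settings next to the original.
    Copy-Item -LiteralPath $ini -Destination "$ini.bak" -Force

    $kept = @(Remove-ProxySections -Lines ([System.IO.File]::ReadAllLines($ini)))
    [System.IO.File]::WriteAllLines($ini, [string[]]($kept + $manual), $utf8NoBom)
    $updated += $ini
    Write-Output "Updated $ini"          # path only, never the section contents
}

if ($ServiceName) {
    # The new settings apply after a service restart or reboot.
    Restart-Service -Name $ServiceName
    Start-Sleep -Seconds 30

    # The page states the plain-text credentials are then hashed; confirm it.
    foreach ($ini in $updated) {
        $stillPlain = Select-String -LiteralPath $ini -SimpleMatch -CaseSensitive `
            -Quiet -Pattern "ProxyPass=$password"
        if ($stillPlain) {
            Write-Warning "$ini still contains the proxy password in plain text"
        }
    }
} else {
    Write-Output 'Restart the Jump Client service or reboot so the new settings apply.'
}
```

Supply the credential with Get-Credential or from a secrets store rather than as a literal in the deployment script, since the password otherwise ends up in the management tool's script history.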

Mass deploy on Windows

Avoid deploying duplicates

When mass-deploying the SRA Jump Client MSI with tools such as SCCM or Altiris, it is important to avoid installing duplicate clients, because this can cause multiple deployment failures. BeyondTrust does not provide any utilities for deploying clients, but there are some basic methodologies you can use to script a deployment system that will only install Jump Clients on systems that do not have one installed already. These methods depend on whether you already have Jump Clients installed.

If you have already installed Jump Clients, your script can be modified to prevent duplicates. If you have not yet installed Jump Clients, you can use the INSTALLDIR MSI variable or a custom file as described below. When you use INSTALLDIR, the MSI installation package itself automatically aborts if it finds the directory you specify already exists. If you choose the custom file option, you must script the install to check for this file prior to running the MSI installation package.

Prevent additional duplicates

If your deployment tool has already deployed duplicate clients, edit your script so that the tool aborts installation if the target system matches either of these conditions:

  • The system has any sra-scc.exe processes running.
  • The system has any DisplayName registry entries matching BeyondTrust Privileged Remote Access Jump Client [support.example.com], where support.example.com matches the hostname of your SRA appliance.

Prevent duplicates before deployment

If your deployment tool has not yet deployed any clients, you can script the tool to use the INSTALLDIR variable or deploy a custom file during the install process.

Use INSTALLDIR

Follow these steps to use the INSTALLDIR variable:

  1. From the /login administrative interface, go to Jump > Jump Clients.

  2. At the top of the Jump Client Installer List, click Add.

  3. Enter the appropriate mass deployment wizard parameters.

  4. Click Create.

  5. Select Windows (x64) MSI, copy the string after KEY_INFO=, and then click Download/Install.

  6. Load the downloaded MSI into your deployment tool and script the tool to install it using the following command:

    msiexec /i sra-scc-win64.msi KEY_INFO=<key_info_string> INSTALLDIR= /quiet

    where <key_info_string> is the KEY_INFO string you copied earlier and is the install directory of your choice.

  7. Configure the deployment tool to abort installation if it finds the install directory you have chosen is already present.

Use a custom file

You have the option of deploying a custom file during installation and automatically aborting subsequent duplicate installation if this file is found. To do this:

  1. Save a small text file with a descriptive title such as PRAJumpClient.txt to a shared network location accessible from all systems on which Jump Clients will be deployed.
  2. Follow the above steps for using INSTALLDIR to create and download an MSI installation file.
  3. Configure the script to abort if the PRAJumpClient.txt file already exists, or copy it to the local system and install the MSI file if the text file does not exist.

Manage deployment rate

It is important to consider rate of deployment if mass deploying on a large scale. A large number of simultaneous client installations can cause network traffic delays.

Depending on the deployment method used, the granular control allowed may vary. We recommend deploying no more than 60 clients per minute to avoid installation failures and degraded performance. For reference, 60 clients per minute equates to:

  • 1 client install per second
  • 60 client installs per minute
  • 3,600 client installs per hour

Performance impact may vary with environmental factors, usage patterns, and appliance resources. BeyondTrust recommends starting mass deployment conservatively with smaller scale pushes at slower rates to confirm acceptable performance before gradually scaling up the number and rate of deployment.
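
The duplicate checks and the deployment-rate guidance above can be combined in a per-endpoint wrapper that the deployment tool runs instead of calling msiexec directly. This is an added PowerShell example, not BeyondTrust code; the staging path, install directory, fleet size, and the lookup of DisplayName under the standard Windows Uninstall registry keys are assumptions.

```powershell
# Added example, not BeyondTrust code. Run on each endpoint by the deployment tool.
# Assumptions: the staging path, install directory and fleet size are placeholders,
# and the DisplayName value is looked up under the standard Windows Uninstall keys.
param(
    [string]$MsiPath       = 'C:\Deploy\sra-scc-win64.msi',   # assumed staging path
    [string]$KeyInfo       = '<key_info_string>',             # string copied after KEY_INFO=
    [string]$InstallDir    = 'C:\Program Files\JumpClient',   # assumed directory of your choice
    [string]$ApplianceHost = 'support.example.com',           # hostname of your appliance
    [int]$FleetSize        = 0                                # endpoints in this push; 0 = no delay
)

function Get-JumpClientEvidence {
    # Returns one string per sign that a Jump Client is already on this system.
    param([string]$ApplianceHost, [string]$InstallDir)
    $found = @()

    # Condition from the page: any sra-scc.exe process is running.
    if (Get-Process -Name 'sra-scc' -ErrorAction SilentlyContinue) {
        $found += 'process sra-scc.exe is running'
    }

    # Condition from the page: a DisplayName entry naming this appliance.
    $expected = "BeyondTrust Privileged Remote Access Jump Client [$ApplianceHost]"
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { ([string]$_.DisplayName).Contains($expected) }
    if ($entries) { $found += "registry DisplayName '$expected'" }

    # INSTALLDIR method: the MSI aborts if the directory exists, so check first.
    if (Test-Path -LiteralPath $InstallDir) {
        $found += "install directory '$InstallDir' already exists"
    }
    return $found
}

$evidence = @(Get-JumpClientEvidence -ApplianceHost $ApplianceHost -InstallDir $InstallDir)
if ($evidence.Count -gt 0) {
    Write-Output ('Jump Client already present, skipping install: ' + ($evidence -join '; '))
    exit 0
}

# Spread starts across the fleet: N endpoints over N seconds averages one
# install per second, the 60-per-minute rate the page recommends not exceeding.
# This is an average from a uniform random delay, not a hard cap.
if ($FleetSize -gt 1) {
    Start-Sleep -Seconds (Get-Random -Minimum 0 -Maximum $FleetSize)
}

$msiArgs = @('/i', "`"$MsiPath`"", "KEY_INFO=$KeyInfo", "INSTALLDIR=`"$InstallDir`"", '/quiet')
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Report the exit code only; the argument list carries KEY_INFO and is not logged.
if ($proc.ExitCode -ne 0) {
    Write-Error "msiexec failed with exit code $($proc.ExitCode)"
}
exit $proc.ExitCode
```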

Install on Linux

Linux instructions
Changes in 25.2+

There are several changes to how you download and install Jump Clients on Linux.

  1. The biggest change is how you download the Linux installer. The headless and desktop versions are now combined as one. The Platform dialog box for the installer displays as Linux (64) instead of Linux (64) and Linux (64) Headless.
  2. Headless can now be deployed in service and user mode. In previous versions, headless was only available in user mode.
  3. There are several new parameters for the command line. They are the following:
    • Scope
    • Startup
    • Headless
    • Online-install
    • Session-user

ℹ️

The --silent parameter has been removed and is no longer valid.

You can override certain installation parameters specific to your needs. These parameters can be specified using a systems administration tool or the command line interface. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations.

ℹ️

The -jc attribute parameters are also available and work on a Windows-based system.

Command line parameter and value, followed by its description:

--scope <system|user>
    • system (default): The deployment services all users on the system. Requires root.
    • user: The deployment services only the user that performs the installation.

--startup <systemd|xdg|none>
    • systemd (default for system scope): A systemd service is created automatically.
    • xdg (default for user scope): An XDG autostart file is created to start the service when the user logs into the graphical shell.
    • none: The user must arrange for init-script start to be run.

--headless
    Does not involve any functionality requiring a graphical session.

--install-dir <directory_path>
    Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to.

--key-info <keyinfo>
    Specifies a keyinfo parameter required to install the generic Jump Client installer.

--jc-name <name...>
    If override is allowed, this command line parameter sets the Jump Client's name.

--jc-jump-group user:<username> or jumpgroup:<jumpgroup-code-name>
    If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard.

--jc-session-policy <session-policy-code-name>
    If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a session.

--jc-jump-policy <jump-policy-code-name>
    If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client.

--jc-tag <tag-name>
    If override is allowed, this command line parameter sets the Jump Client's tag.

--jc-comments <comments…>
    If override is allowed, this command line parameter sets the Jump Client's comments.

--jc-max-offline-minutes <minutes>
    If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost.

--jc-ephemeral (value: None)
    If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting --jc-max-offline-minutes 5.

--online-install
    The installer only completes if it can successfully connect to the server during installation. If a connection cannot be established, the installation fails immediately.

--session-user <username>
    Causes sessions to run as the specified user. This setting is only applicable if --scope system and --headless are specified.

    ℹ️ If you don't specify this parameter, you get a root based headless session every time you perform a Jump.

--help
    Displays the argument help to the user.

Wayland support

Wayland is a modern display server protocol used in Linux-based operating systems. It serves as a replacement for the older X11 (X Window System), aiming to provide a simpler, more efficient, and more secure way for graphical applications to communicate with the display hardware. The Wayland to X11 Video Bridge is required for the Jump Client to work. It is preinstalled with Wayland on most Linux distributions.

This feature offers foundational capabilities, with more enhancements planned in upcoming releases.

Supported capabilities

  • Mouse and keyboard support
  • Ability to screen share
  • Ubuntu 24.04 and RHEL 10 support
  • Support of English keyboards

Current limitations

  • After installing a Jump Client, it is recommended to log out at least once to fully reinitialize the display manager.
  • Jump Client thumbnails are not currently supported on Wayland.
  • Team Monitoring is not currently supported.

If you try to use a Jump Client, it should connect correctly. However, if you do need to disable Wayland support for troubleshooting purposes, you can disable Wayland in the custom.conf file by following these steps:

  1. Open a command line terminal, and then edit the /etc/gdm3/custom.conf file to set WaylandEnable=false.
  2. Type the following syntax:
    WaylandEnable=false
    
  3. Restart the computer.

Install a Linux Jump Client in service mode

ℹ️

To install a Jump Client in service mode on a Linux system, the Jump Client installer must be run by root, but the Jump Client service should not be run under the root user context. A service mode Jump Client allows the user to start a session even if no remote user is logged on, as well as to log off the current remote user and log on with different credentials. A Linux Jump Client installed in user mode cannot be elevated within a session.

Run the installer as the root user using the sudo command:

sudo sh ./Downloads/sra-pin-[uid].bin

Linux Jump Clients can be installed in service mode. The status of any Jump Client is shown in the info panel that appears when a Jump Client is highlighted in the representative console’s list of Jump Clients. If a Jump Client shows the Install Mode as Service, it is installed as a service; otherwise, this field reads User, indicating it is installed in single-user context.

A service-mode Jump Client allows the user to start a session even if no remote user is logged on, as well as to log off the current remote user and log on with different credentials. A Linux Jump Client installed in user mode cannot do this, nor can it be elevated to service mode within a session.

To install a Jump Client in service mode on a Linux system, the Jump Client installer must be run by root. This causes the Jump Client to run as a system service. The process for doing this varies slightly depending on the distribution of Linux being used, but what follows is typical.

  1. Sign in to the /login admin web interface of the BeyondTrust site and download a Jump Client installer for Linux from the Jump > Jump Clients tab.

  2. Execute the installation file as the root user using the sudo command:

    sudo sh ./Downloads/sra-pin-[uid].bin
    

Once the installation is complete, a new entry appears in the list of available Jump Clients displayed in the representative console. To test whether the Jump Client is installed as a service or not, you can Jump to the client and log out the active user. If you can still control the screen after logging out, this proves the client is running as a service.

ℹ️

By default, Jump Clients installed in service mode are found in the /opt/beyondtrust/sra-pin-* folder.

Uninstall a Jump Client installed on a headless Linux system

To uninstall a Jump Client, remove it from the representative console.

  • If the client is not connected when it is removed from the console, the files are removed the next time the client authorizes with the server.
  • Manual changes made for service mode Jump Client or headless Jump Client to start on boot are not removed.

Jump Clients can be removed from a device by using a script:

/install/folder/uninstall
sudo installfolder/uninstall

This leaves an entry in the representative console interface. The entry is automatically marked as uninstalled or deleted, depending on your Jump Client settings. Manual changes made for service mode Jump Client or headless Jump Client to start on boot are not removed by the script.

ℹ️

For information about Jump Client settings, see Jump Client settings.

Install a Jump Client on a headless Linux system

To install a Jump Client on a remote Linux system with no graphical user interface, be sure you have downloaded the Linux Jump Client installer, and then follow these additional steps:

  1. Using your preferred method, transfer the Jump Client installer file to the headless Linux system you wish to access.
  2. Once the installer file is on the remote system, use a command interface to install the file and specify any desired parameters, but specifically include the --headless option. See the table above for the various additional command line options, including the --scope parameter to select system or user mode.
  3. If the headless Jump Client is installed with system scope, then the service will run as root and started sessions will provide the remote user root access. If root access is not desired, then specify the --session-user argument.

Install on Mac systems

Mac instructions

For system administrators who need to push out the Jump Client installer to a large number of systems, the Mac DMG can be used with your systems management tool of choice.

When using a command line or system management tool to install, you can override certain installation parameters. For any setting with Allow override during installation checked, you can modify the Jump Client installer with the following parameters for each installation.

ℹ️

If a parameter is passed on the command line but the setting is not marked for override in the administrative interface, the installation fails. View the operating system event log for installation errors.

Command line parameter and value, followed by its description:

--key-info <keyinfo>
    Specifies a keyinfo parameter required to install the generic Jump Client installer.

--install-dir <directory_path>
    Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to.

--jc-name <name...>
    If override is allowed, this command line parameter sets the Jump Client's name.

--jc-jump-group user:<username> or jumpgroup:<jumpgroup-code-name>
    If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard.

--jc-session-policy <session-policy-code-name>
    If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a session.

--jc-jump-policy <jump-policy-code-name>
    If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client.

--jc-tag <tag-name>
    If override is allowed, this command line parameter sets the Jump Client's tag.

--jc-comments <comments…>
    If override is allowed, this command line parameter sets the Jump Client's comments.

--jc-max-offline-minutes <minutes>
    If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost.

--jc-ephemeral (value: None)
    If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting --jc-max-offline-minutes 5.

Mass deploy on macOS

The installer files for access consoles and Jump Clients allow you to mass deploy BeyondTrust software to your macOS devices. This guide provides examples of how to mass-deploy BeyondTrust software using generally accepted deployment concepts. Actual deployment steps may vary.

Set privacy policy preference control

Starting with macOS Mojave (10.14), Apple introduced new privacy controls for end users. These controls require that applications be granted permission to access sensitive data or use macOS accessibility features. As an administrator, you can grant these permissions to an MDM-managed Mac using a Privacy Policy Preference Control (PPPC) profile. To ensure proper functionality of the BeyondTrust Privileged Remote Access Customer Client, deploy a PPPC profile targeting the following app bundle:

  • Identifier: com.bomgar.bomgar-scc
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.bomgar.bomgar-scc" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B65TM49E24

Service | Purpose | Allowed
Accessibility | Screen Sharing | true
SystemPolicyAllFiles (Full Disk Access) | File Transfer | true
ScreenCapture (Screen Recording) | Screen Sharing | AllowStandardUserToSetSystemService

ℹ️

Screen recording can only be configured via MDM to allow a non-admin user to provide consent. IT administrators cannot grant screen recording permissions on behalf of end users. This preference is applicable for systems running macOS Big Sur (11.0) and later.

Configure managed login items

Starting with macOS Ventura 13, Apple introduced a new framework for managing background tasks such as LaunchAgents, LaunchDaemons, and Login Items. BeyondTrust's Jump Client for Privileged Remote Access leverages background tasks to ensure the client is running at all times. Administrators can manage these background tasks using a Managed Login Items payload delivered to managed devices. To ensure proper functionality, deploy a configuration profile targeting the below values:

| Rule Type | Rule Value |
| --- | --- |
| Label Prefix | Bomgar |
| Team Identifier | B65TM49E24 |
| Label Prefix | com.bomgar |

Configure appliance

When deploying the Jump Client, there are two prerequisites that must be completed in Privileged Remote Access.

  • A user account with administrative permission to access the /login interface is required. This user can create Jump Clients only for Jump Groups where they have appropriate permissions.
  • To ensure that a single Jump Client installer can be used to pin a system to any Jump Group, a service account with Manage permissions on all Jump Groups must be created.

Create a service account user for Jump Client package creation

  1. Log in to the Privileged Remote Access user interface.
  2. Click Users & Security.
  3. Click Add.
  4. Fill in the basic details for the user account.
  5. Expand Account Settings.
  6. Check Account Never Expires, if necessary.
  7. Expand Access Permissions.
  8. Ensure Allowed to access endpoints is checked.
  9. Uncheck all boxes under the Session Management and User-to-User Screen Sharing areas.
  10. Under Allowed Jump Item Methods, ensure:
    • Jump Clients is checked
    • All other methods are unchecked
  11. Under Jump Item Roles, ensure:
    • Default dropdown is set to Administrator
    • System dropdown is set to Administrator
  12. Click Save.

Create a Jump Client installer package

  1. Log in to the Privileged Remote Access appliance using the new account created above.
  2. Click Jump.
  3. Click Add to add a new Jump Client Installer.
  4. Select a default Jump Group within the Jump Client Mass Deployment Wizard.
  5. Check Allow Override During Installation for all available options.
  6. Select your desired validity period from the This Installer is Valid For dropdown.
  7. Check Start Customer Client Minimized When Session is Started, to ensure a completely silent deployment.
  8. Click Create.
  9. From the Platform dropdown, select macOS (for programmatic installation).
  10. Click Download. A DMG file downloads. This is later imported into your management platform.

ℹ️

Do not rename the downloaded DMG file.

Deploy manually

The BeyondTrust Privileged Remote Access Jump Client installer is delivered as a uniquely generated and named DMG file. This file has the format sra-scc-<uid>.dmg.

For deployment, the sequence of steps includes:

  1. Stage the DMG file in a temporary location.
  2. Mount the DMG file.
  3. Install the Remote Support Jump Client.
  4. Unmount the disk image.
  5. Remove the DMG from the temporary location.
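
The five steps above as one shell function, with a signature check before the installer runs as root. This is an added example, not BeyondTrust's script: the function name, return codes, the SETTLE_SECS variable, and the assumption that the installer app is signed under the Team Identifier B65TM49E24 listed on this page are all assumptions.

```sh
#!/bin/sh
# Added example, not vendor code. Names and checks here are assumptions.
TEAM_REQ='anchor apple generic and certificate leaf[subject.OU] = B65TM49E24'
APP_NAME='Open To Start Support Session.app'   # versions 23.3.1 and later

# deploy_jump_client <staged-dmg> [volume]
# Returns 0 on success, 2 missing DMG, 3 mount failed, 4 bad signature,
# 5 installer failed. The image is detached and deleted on every path
# that got as far as mounting it.
deploy_jump_client() {
    dmg=$1                        # step 1: DMG already staged by the caller
    vol=${2:-/Volumes/sra-scc}    # where the image appears once attached
    app="$vol/$APP_NAME"
    rc=0

    [ -f "$dmg" ] || { echo "missing DMG: $dmg" >&2; return 2; }

    # Step 2: mount the image without showing it in Finder.
    hdiutil attach "$dmg" -nobrowse -quiet || return 3

    # Added check (assumption): only run the installer as root if it is
    # signed by the Team Identifier this page lists for BeyondTrust.
    if codesign --verify -R="$TEAM_REQ" "$app"; then
        # Step 3: silent install, as in the page's sample script.
        sudo "$app/Contents/MacOS/sdcust" --silent || rc=5
        # The sample script waits 15 seconds after the installer returns.
        sleep "${SETTLE_SECS:-15}"
    else
        echo "signature check failed, not installing: $app" >&2
        rc=4
    fi

    # Steps 4 and 5: always unmount and remove the staged DMG.
    hdiutil detach "$vol" -quiet || echo "detach failed: $vol" >&2
    rm -f "$dmg"
    return "$rc"
}
```

For versions before 23.3.1, set APP_NAME to the Double-Click To Start Support Session.app name used in the older sample script.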

Deploy using JAMF Pro

ℹ️

This information is provided for general assistance when using JAMF Pro. However, BeyondTrust cannot provide support for third-party products, and their requirements and operations may change.

Upload package to Jamf software server

  1. Log in to your Jamf Software Server (JSS) via a web browser.
  2. Click Computers.
  3. Click Management Settings.
  4. Click the Computer Management tab.
  5. Click Packages.
  6. Click New.
  7. Fill out a display name, and choose a category (if applicable).
  8. Click Upload to choose the DMG file.
  9. Click Save.

Upload deployment script

  1. If necessary, log in to the JSS via a web browser.
  2. Click Computers.
  3. Click Management Settings.
  4. Click the Computer Management tab.
  5. Click Scripts.
  6. Click New.
  7. Copy and paste this sample deployment script on the Script tab (for Privileged Remote Access versions 23.3.1 and later):

    # Mount the cached installer image from the Jamf Waiting Room
    hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/sra-scc-<uid>.dmg

    # Run the Jump Client installer silently
    sudo /Volumes/sra-scc/Open\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

    # Wait 15 seconds before the script exits
    sleep 15

    For Privileged Remote Access versions before 23.3.1, paste this script:

    # Mount the cached installer image from the Jamf Waiting Room
    hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/sra-scc-<uid>.dmg

    # Run the Jump Client installer silently
    sudo /Volumes/sra-scc/Double-Click\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

    # Wait 15 seconds before the script exits
    sleep 15

  8. Update the file name to match the DMG file downloaded from your appliance. For Privileged Remote Access, this includes updating bomgar-scc to sra-scc.
  9. Click Save.

ℹ️

Some networks or environments may have configurations that prevent endpoints from checking for malicious software. This can be addressed by adding

    xattr -d com.apple.quarantine sra-scc-[uid].dmg

to the script, or by enabling Stapled Mac Notarization. Administrators should evaluate which approach is more appropriate for their environment.

ℹ️

For detailed information on sdcust usage, see Mass Deploy Help located within the /login interface on Jump > Jump Client.

Create deployment policy

  1. If necessary, log in to the JSS via a web browser.
  2. Click Computers.
  3. Click Policies.
  4. Click New.
  5. Provide a policy name, configure desired policy triggers, and ensure Execution Frequency is Once Per Computer.
  6. Click Packages, and then click Configure.
  7. Click Add to select the Jump Client package from the list of available packages.
  8. Select Cache as the action. This makes the packages available in the JAMF downloads folder for use by the deployment script created earlier.
  9. Click Scripts from the left navigation menu.
  10. Click Add to select the deployment script created above.
  11. Confirm that the Priority is set to After.
  12. Click Save.

The created policy now runs based on the defined trigger(s) to install the BeyondTrust Jump Client.

Deploy a Jump Client on a Raspberry Pi

Raspberry Pi instructions

To access the File System, Command Shell, and System Info of a remote Raspberry Pi system, you can deploy a Jump Client to that system.

  1. From the /login administrative interface, go to Jump > Jump Clients.
  2. From the Jump Group dropdown, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by other users. Pinning to your personal list of Jump Items means that only you can access this remote computer through this Jump Client. Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.
  3. You may apply a Jump Policy to this Jump Client. Jump Policies are configured on the Jump > Jump Policies page and determine the times during which a user can access this Jump Client. A Jump Policy can also send a notification when it is accessed or can require approval to be accessed. If no Jump Policy is applied, this Jump Client can be accessed without restriction.
  4. You may choose a Session Policy to apply to this Jump Client. A session policy assigned to this Jump Client has the highest priority when setting session permissions.

ℹ️

We recommend that you not set a session policy for a headless Jump Client.

  1. Adding a Tag helps to organize your Jump Clients into categories within the access console.

  2. Set the Connection Type to Active or Passive for the Jump Clients being deployed. An active Jump Client maintains a persistent connection to the B Series Appliance, while a passive Jump Client instead listens for connection requests.

  3. Add Comments, which can be helpful in searching for and identifying remote computers. Note that all Jump Clients deployed via this installer have the same comments set initially, unless you check Allow Override During Installation and use the available parameters to modify the installer for individual installations.

  4. The installer remains usable only as long as specified by the This Installer is Valid For dropdown. Be sure to leave adequate time for installation. If someone should attempt to run the Jump Client installer after this time, installation fails, and a new Jump Client installer must be created. Additionally, if the installer is run within the allotted time but the Jump Client is unable to connect to the B Series Appliance within that time, the Jump Client uninstalls, and a new installer must be deployed. The validity time can be set for anywhere from 10 minutes to 1 year. This time does NOT affect how long the Jump Client remains active.

    In addition to expiring after the period given by the This Installer is Valid For option, Jump Client mass deployment packages invalidate when their B Series Appliance is upgraded. The only exception to this rule is live updates which change the license count or license expiration date. Any other updates, even if they do not change the version number of the B Series Appliance, invalidate the Jump Client installers from before the upgrade.

    Once a Jump Client has been installed, it remains online and active until it is uninstalled from the local system either by a user from the Jump interface or by an uninstall script. It can also be uninstalled, or extended, from the Jump Client Installer List. A user cannot remove a Jump Client unless the user is given appropriate permissions by their admin from the /login interface.

  5. The options Attempt an Elevated Install if the Client Supports It and Prompt for Elevation Credentials If Needed do not apply to headless Jump Clients.

  6. Once you click Create, select the Raspberry Pi OS option, and then click Download.

  7. Using your preferred method, push the Jump Client installer file to each headless system you wish to access.

  8. Once the installer file is on the remote system, install the file in a location to which you have write permission, using --install-dir. You must have permission to write to this location, and the path must not already exist. Any additional parameters must also be specified at this time, as described below.

    sh ./sra-scc-{uid}.bin --install-dir /home/pi/<dir>
    
  9. You can also override certain installation parameters specific to your needs. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the installation fails, view the operating system event log for installation errors.

| Command Line Parameter | Value | Description |
| --- | --- | --- |
| --jc-jump-group | user: <username> or jumpgroup: <jumpgroup-code-name> | If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard. |
| --jc-session-policy | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during an access session. |
| --jc-jump-policy | <jump-policy-code-name> | If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client. |
| --jc-tag | <tag-name> | If override is allowed, this command line parameter sets the Jump Client's tag. |
| --jc-comments | <comments…> | If override is allowed, this command line parameter sets the Jump Client's comments. |

  1. After installing the Jump Client, you must start its process. The Jump Client must be started for the first time within the time frame specified by This Installer Is Valid For.

    /home/username/jumpclient/init-script start
    

    This init script also accepts the stop, restart, and status arguments. You can use ./init-script status to make sure the Jump Client is running.

  2. You must also arrange for init-script start to run at boot in order for the Jump Client to remain available whenever the system restarts. An example systemd service displays once the Jump Client is installed. Copy this information and create the new service for the Jump Client, filename.service (where filename is any name you choose), following these steps:

    • cd /etc/systemd/system
    • vi filename.service
    • Paste copied information
    • run chmod 777 filename.service
    • Reload the systemctl daemon
    • Enable and start the service file
  3. If you wish to uninstall the Jump Client, you must run its uninstall script.

    /home/pi/<dir>/uninstall
    

ℹ️

Separately and in addition to running the uninstall script, you must remove the Jump Client via the access console. Otherwise, the Jump Client remains in the access console, though it is not accessible. Relatedly, removing the Jump Client via the access console only prevents it from being accessed but leaves the Jump Client files on the system.
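
The boot-persistence step above (creating filename.service) as a script, added here and not taken from the vendor. It installs the unit text with mode 0644 rather than 777, because systemd logs a warning for world-writable unit files and a unit that any local account can edit controls what runs at boot. The function names and the UNIT_DIR variable are assumptions; the unit text itself is whatever the installer printed.

```sh
#!/bin/sh
# Added example, not vendor code. Run as root so the installed unit is
# owned by root. UNIT_DIR is an assumption that exists so the functions
# can be pointed at a scratch directory.
UNIT_DIR=${UNIT_DIR:-/etc/systemd/system}

# unit_perms_ok <file>
# Returns 0 only if the file exists and is not writable by group or others.
unit_perms_ok() {
    [ -f "$1" ] || return 2
    # find prints the path when either write bit is set
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# install_jump_unit <file-with-pasted-unit-text> <filename.service>
install_jump_unit() {
    src=$1      # unit text copied from the installer output
    name=$2     # any name you choose, per the steps above
    dst="$UNIT_DIR/$name"

    # Copy with an explicit mode instead of chmod after the fact.
    install -m 0644 "$src" "$dst" || return 1
    unit_perms_ok "$dst" || { echo "unsafe mode on $dst" >&2; return 1; }

    # Reload the systemctl daemon, then enable and start the service.
    systemctl daemon-reload || return 1
    systemctl enable --now "$name"
}
```

Running unit_perms_ok against a unit file that was already created with chmod 777 reports it as unsafe; chmod 644 on that file clears the finding.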

Generic Jump Client installer download

The generic installer allows you to download a Jump Client installer package that is not tied to a specific Jump Client installer. Generic installers can be used for automated or ephemeral deployments on Virtual Machine (VM) images and do not require authenticating and downloading the Jump Client-specific installer once deployed.

To use the Generic Jump Client installer, do the following steps:

  1. Select your desired platform and click Download.
  2. Copy the provided command into your command line interface (CLI), or click Download to download the .msi installer file.
  3. From the Jump Client installer list, select an installer and click the download icon to copy the key. If using a CLI, replace the text insert key info here with the key; otherwise, if running the Windows MSI through the user interface, enter the key when prompted.

Jump Client statistics

An administrator can choose which statistics to view for all Jump Clients on a site-wide basis. These statistics are displayed in the representative console and include the following items:

  • CPU
  • Console user
  • Disk usage
  • Remote screen
  • Uptime

Upgrade

Automatic Jump Client upgrades

Use the radio buttons below to control automatic Jump Client upgrades. The options are:

  • Disabled: Permanently disable Jump Client upgrades.
  • Enabled for this version only: Temporarily enable Jump Client upgrades for the current upgrade cycle.
  • Enabled always: Permanently enable Jump Client upgrades.

ℹ️

To manually update Jump Clients in the Web Rep Console, you must first disable Automatic Jump Client Upgrades.

Maintenance

| Field Name | Description |
| --- | --- |
| Number of days before Jump Clients that have not connected are automatically deleted | This setting determines when the system should remove Jump Clients that have failed to connect to the site for the configured number of days. This setting is also shared with the client itself during normal operation so that even if it cannot communicate with the site, it will uninstall itself at the configured time. This setting must be configured for 15 days or more. |
| Number of days before Jump Clients that have not connected are considered lost | This setting determines when a Jump Client is considered lost by the system, which means that it has not connected in the configured number of days. No specific action is taken on that client, but it is labeled as lost for identification purposes. If the Jump Client cannot contact the Appliance at the time it is uninstalled, the affected item remains in its offline state. To identify lost Jump Clients before they are automatically deleted, set this field to a smaller number than the Number of days before Jump Clients that have not connected are automatically deleted field. This setting must be configured for 15 days or more. |
| Uninstalled Jump Client Behavior | If a user uninstalls a Jump Client at the endpoint, the Access Console can either keep the Jump Client in the list and mark it as Uninstalled or remove it from the list entirely. When changed, this setting only affects Jump Clients that will be uninstalled in the future. |

Miscellaneous

Allow representatives to attempt to wake up Jump Clients

Allow Representatives to attempt to wake up Jump Clients provides a way to wake up a selected Jump Client by broadcasting Wake-on-LAN (WOL) packets through another Jump Client on the same network. Once a WOL is attempted, the option becomes unavailable for 30 seconds before a subsequent attempt can be made. WOL must be enabled on the target computer and its network for this function to work. The default gateway information of the Jump Client is used to determine if other Jump Clients reside on the same network. When sending a WOL packet, the user has an advanced option to provide a password for WOL environments that require a secure WOL password.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.