
Deploy Jump Clients

Jump Clients can be preinstalled on remote computers in anticipation of the need for remote access. This method of installation may be applied to one system or multiple systems simultaneously. You can easily automate the mass deployment of your Jump Client network by allowing customization during installation. The Jump Client command line installer has switches that allow a script to modify a variety of Jump Client parameters when executed. This allows you to create custom mass deployment scripts to pull in variables from other sources and use the variables to modify the Jump Client parameters at install time.

This list shows all previously created Jump Client installers. Click the trash can icon to delete the installer. Click the clock icon to change how long the installer will be valid. Click the download icon to either download the installer or to copy the key needed for the generic installer.

A warning appears at the top of the list: Installing more than one Jump Client as the same user or more than one Jump Client as a service on the same system is being phased out in a future release. In the Access Console you may use the copy action on a Jump Client to apply different policies to the same endpoint. Click Dismiss to hide the message.

  1. From the /login administrative interface, go to Jump > Jump Clients.

  2. At the top of the Jump Client Installer List, click Add.

  3. From the Jump Group dropdown, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by other users. Pinning to your personal list of Jump Items means that only you can access this remote computer through this Jump Client. Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.

  4. You may apply a Jump Policy to this Jump Client. Jump Policies are configured on the Jump > Jump Policies page and determine the times during which a user can access this Jump Client. A Jump Policy can also send a notification when it is accessed or can require approval to be accessed. If no Jump Policy is applied, this Jump Client can be accessed without restriction.

  5. You may choose a Session Policy to assign to this Jump Client. Session policies are configured on the Users & Security > Session Policies page. A session policy assigned to this Jump Client has the highest priority when setting session permissions.

  6. When a Jump Client is first deployed, if it cannot connect to the B Series Appliance, it searches the local network for a Jumpoint or Jumpoint cluster serving as a Jump Zone Proxy. This allows a Jump Client installed on a system without a native internet connection to use the Jumpoint to connect back to the B Series Appliance.

    In the special case where the Jump Client and Jumpoint are not on the same local network or where a firewall blocks the Jump Client's attempt to connect to the Jumpoint, the Jumpoint Proxy setting allows you to set which Jumpoint the Jump Client should try to use as a proxy.

    The Jumpoint selected here must be a standalone Jumpoint running as a Jump Zone Proxy. While Jump Clients can connect to clustered Jumpoints running as a Jump Zone Proxy, you cannot select a clustered Jumpoint in this wizard.

  7. Add Comments, which can be helpful in searching for and identifying remote computers. Note that all Jump Clients deployed via this installer have the same comments set initially, unless you check Allow Override During Installation and use the available parameters to modify the installer for individual installations.

  8. The installer remains usable only as long as specified by the This Installer is Valid For dropdown. Be sure to leave adequate time for installation. If someone should attempt to run the Jump Client installer after this time, installation fails, and a new Jump Client installer must be created. Additionally, if the installer is run within the allotted time but the Jump Client is unable to connect to the B Series Appliance within that time, the Jump Client uninstalls, and a new installer must be deployed. The validity time can be set for anywhere from 10 minutes to 1 year. This time does NOT affect how long the Jump Client remains active.

    Once a Jump Client has been installed, it remains online and active until it is uninstalled from the local system either by a user from the Jump interface or by an uninstall script. It can also be uninstalled, or extended, from the Jump Client Installer List. A user cannot remove a Jump Client unless the user is given appropriate permissions by their admin from the /login interface.

  9. If Attempt an Elevated Install if the Client Supports It is selected, the installer attempts to run with administrative rights, installing the Jump Client as a system service. If the elevated installation attempt is unsuccessful or if this option is deselected, the installer runs with user rights, installing the Jump Client as an application. This option applies only to Windows and Mac operating systems.

ℹ️

Note

A Jump Client pinned in user mode is available only when that user is logged in. In contrast, a Jump Client pinned in service mode, with elevated rights, allows that system to always be available, regardless of which user is logged in. User mode Jump Clients have been deprecated for Windows and will be deprecated for Linux and Mac in a future release.

ℹ️

Note

This option does not apply to headless Linux Jump Clients or Raspberry Pi Jump Clients.

  10. You can set the Maximum Offline Minutes Before Deletion of a Jump Client from the system. This setting overrides the global setting, if specified.
  11. If Prompt for Elevation Credentials if Needed is selected, the installer prompts the user to enter administrative credentials if the system requires that these credentials be independently provided; otherwise, it installs the Jump Client with user rights. This applies only if an elevated install is being attempted.

ℹ️

Note

This option does not apply to headless Linux Jump Clients or Raspberry Pi Jump Clients.

  12. Once you click Create, you can download the Jump Client installer immediately if you plan to distribute it using a systems management tool or if you are at the computer that you need to later access. You can also email the installer to one or more remote users. Multiple recipients can install the client from the same link. Click on the Direct Download Link to copy the link. The Platform option defaults to the appropriate installer for your operating system. You can select a different platform if you plan to deploy the Jump Client on a different operating system.

ℹ️

Note

Once the installer has run, the Jump Client attempts to connect to the B Series Appliance. When it succeeds, the Jump Client appears in the Jump interface of the access console. If the Jump Client cannot immediately reach the B Series Appliance, then it continues to reattempt connection until it succeeds. If it cannot connect within the time designated by This Installer Is Valid For, then the Jump Client uninstalls from the remote system and must be redeployed.

Install on Windows, Linux, or Mac systems

For system administrators who need to push out the Jump Client installer to a large number of systems, the Windows MSI, the Mac DMG, or the Linux BIN can be used with your systems management tool of choice.

When using a command line or system management tool to install, you can override certain installation parameters. For any setting with Allow override during installation checked, you can modify the Jump Client installer with the following parameters for each installation.

ℹ️

Note

If a parameter is passed on the command line but the setting is not marked for override in the administrative interface, the installation fails. View the operating system event log for installation errors.

Command line parameter: --install-dir
Value: <directory_path>
Description: Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to.

Command line parameter: --jc-name
Value: <name...>
Description: If override is allowed, this command line parameter sets the Jump Client's name.

Command line parameter: --jc-jump-group
Value: user:
       jumpgroup:
Description: If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard.

Command line parameter: --jc-public-site-address
Description: If override is allowed, this command line parameter associates the Jump Client with the public portal which has the given hostname as a site address. If no public portal has the given hostname as a site address, then the Jump Client reverts to using the default public site.

Command line parameter: --jc-session-policy
Description: If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a session.

Command line parameter: --jc-jump-policy
Description: If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client.

Command line parameter: --jc-tag
Description: If override is allowed, this command line parameter sets the Jump Client's tag.

Command line parameter: --jc-comments
Value: <comments…>
Description: If override is allowed, this command line parameter sets the Jump Client's comments.

Command line parameter: --jc-max-offline-minutes
Description: If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost.

Command line parameter: --jc-ephemeral
Value: None
Description: If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting --jc-max-offline-minutes 5.

Command line parameter: --silent
Value: None
Description: If specified, the Jump Client performs a silent installation. No user interaction is requested and no user interface is displayed during the process.

ℹ️

Note

When deploying an MSI installer on Windows using the msiexec command:

  • The installation directory may be specified by passing a variable: INSTALLDIR=
  • The KEYINFO= is optional as it is built into the filename.
  • If you specify ONLINE_INSTALL=1, the installation fails if it cannot immediately reach the appliance. The default is blank.
  • A silent installation can be done by specifying /quiet to the msiexec command.
  • All of the --jc… parameters listed above may be specified as variables by:
    1. Removing leading dashes (-)
    2. Converting remaining dashes to underscores (_)
    3. Assigning a value using an equals sign (=)

Example:

msiexec /i bomgar-scc-win32.msi jc_jump_group=jumpgroup:general jc_tag=servers

ℹ️

Note

Normally, when msiexec runs, no messages display in the command line interface. To wait for the installation to complete and to check for any errors, you can set up your command like this:

$ start /wait msiexec /qn /i sra-pin-21fce94dee1940e.msi ONLINE_INSTALL=1
$ echo %ERRORLEVEL%

The error output will be either 0 to indicate success or a number indicating an error. For more information about error codes, see https://learn.microsoft.com/en-us/windows/win32/msi/error-codes.

Uninstall a Jump Client

To uninstall a Jump Client, remove it from the access console.

If the client is not connected when it is removed from the console, the files are removed next time the client connects to the appliance.

Jump Clients can be removed from a device using Add/Remove Programs or msiexec /x. This will leave an entry in the access console interface. The entry is automatically marked uninstalled or deleted, depending on your Jump Client settings.

Modify Windows proxy information

In some cases, the proxy settings of an existing Windows Jump Client must be manually modified to accommodate changes in the proxy environment. The Jump Client has built-in logic to automatically detect updated proxy information within a 24-hour period. However, if the proxy enforces authentication, then the end-user is prompted to enter authentication credentials. If the system is unattended, then credentials and/or other proxy information may need to be manually entered.

The following steps guide you through manually modifying proxy-related sections of the settings.ini file used by the Jump Client.

ℹ️

Note

If a large number of systems must be manually modified, the process can be automated. You can develop a script to do this, or contact BeyondTrust Technical Support to engage the BeyondTrust Professional Services group.

To manually modify the proxy information for a pre-existing Jump Client on a Windows system:

  1. Go to C:\ProgramData\bomgar-scc-, where is the Jump Client's unique ID.
  2. Locate and edit the settings.ini file.
  3. Within settings.ini, locate the proxy-related section, titled [Proxy]. An example existing proxy section is shown below.

    [Proxy]
    version=2
    detect_failed=0
    [Proxy\access.example.com:443\LastGood]
    Proxy=DIRECT
    [Proxy\access.example.com:443\Detected\1]
    Proxy=DIRECT

  4. Remove all of the settings within the [Proxy] section and replace them with the settings as follows. Replace all text with the appropriate information.

    [Proxy]
    version=1
    ProxyUser=<domain\user>
    ProxyPass=<password>
    [Proxy\Manual]
    ProxyMethod=<numeric value of 0=DIRECT, 100=HTTP CONNECT, 200=SOCKS4>
    ProxyHost=<proxy hostname/ip>
    ProxyPort=<proxy port>

    An example of a manually modified section is below.

    [Proxy]
    version=1
    ProxyUser=myDomain\proxyUser
    ProxyPass=MyPassword
    [Proxy\Manual]
    ProxyMethod=200
    ProxyHost=myproxyserver.example.com
    ProxyPort=8443

  5. Save and close the settings.ini file.
  6. Either reboot the system or stop/start the BeyondTrust Jump Client service for the new information to apply.
  7. The Jump Client now uses the manually defined proxy information.

ℹ️

Note

After making the above changes to the settings.ini file, the defined username and password which were entered in plain text will be hashed into an unreadable format.

Enable a Jump Client on a Mac system

After a Jump Client is installed on a Mac system, it must be enabled by the end user. The exact steps, wording, and screen displays vary depending on the device and software version.

Three types of access are requested: Screen Recording, Accessibility, and Full Disk Access. For the best remote support experience, grant access for all three. Limited support is available if only one or two types of access are granted.

To grant access, the user takes the following steps for each type of access:

  1. Click Grant Access...
  2. Under Privacy & Security, applications that have requested access for the selected feature are listed. Toggles indicate if access has been granted. The newly installed client is disabled by default. Click the toggle to grant access to the client for this feature.
  3. For the feature Full Disk Access, granting access requires stopping and restarting the client application. Click Quit & Reopen to grant access immediately. The Jump Client icon disappears and reappears within a few minutes.

The end user can grant or deny access at any time by clicking Settings > Privacy & Security, selecting the feature (Accessibility, Screen Recording, or Full Disk Access), and then clicking the toggle.

Install a Linux Jump Client in service mode

ℹ️

Note

To install a Jump Client in service mode on a Linux system, the Jump Client installer must be run by root, but the Jump Client service should not be run under the root user context. A service mode Jump Client allows the user to start a session even if no remote user is logged on, as well as to log off the current remote user and log on with different credentials. A Linux Jump Client installed in user mode cannot be elevated within a session.

Use the following syntax to add executable permissions to the file, wherein [uid] is a unique identifier consisting of letters and numbers:

  1. Add executable permissions to the file:

    sudo chmod +x ./Downloads/bomgar-pec-[uid].bin
    
  2. Run the installer as the root user using the sudo command:

    sudo sh ./Downloads/bomgar-pec-[uid].bin
    

ℹ️

Note

For Privileged Remote Access versions prior to 24.1.1, enter .desktop instead of .bin.

Linux Jump Clients may be installed in service mode. The current status of any Jump Client is shown in the info panel that appears when a Jump Client is highlighted in the representative console’s list of Jump Clients. If a Jump Client shows the Install Mode as Service, it is installed as a service; otherwise, this field reads User, indicating it is installed in single-user context.

A service-mode Jump Client allows the user to start a session even if no remote user is logged on, as well as to log off the current remote user and log on with different credentials. A Linux Jump Client installed in user mode cannot do this, nor can it be elevated to service mode within a session.

To install a Jump Client in service mode on a Linux system, the Jump Client installer must be run by root, but the Jump Client service should not be run under the root user context. This causes the Jump Client to run as a system service. If a previous Jump Client was installed in user mode, uninstall the existing Jump Client and install a new one as root. The process for doing this varies slightly depending on the distribution of Linux being used, but what follows is typical.

  1. Log into the access console, right click the existing user mode Jump Client (if there is one), and then click Remove.
  2. Log into the /login admin web interface of the BeyondTrust site and download a Jump Client installer for Linux from the Jump > Jump Clients tab.
  3. Launch a terminal and add the executable permission to the installation file:
    sudo chmod +x ./Downloads/bomgar-pec-[uid].desktop
    
  4. Execute the installation file with sh as the root user using the sudo command:
    sudo sh ./Downloads/bomgar-pec-[uid].desktop
    

ℹ️

Note

For Privileged Remote Access versions prior to 24.1.1, enter .desktop instead of .bin.

Once the installation is complete, a new entry appears in the list of available Jump Clients displayed in the representative console. To test whether the Jump Client is installed as a service or not, you can Jump to the client and log out the active user. If you can still control the screen after logging out, this proves the client is running as a service.

Uninstall the Jump Client installed using service mode

If you wish to uninstall the Jump Client, you must run its uninstall script.

  1. Navigate to the uninstall script in the following location: /opt/bomgar/bomgar-pec-xxxxxx.
  2. Run the uninstall script:
    sudo sh ./uninstall
    
  3. Remove the Jump Client from the access console.

ℹ️

Note

If the uninstall script is run but the client is not removed from the console, the client is visible but not accessible. Similarly, if the client is removed from the console but the uninstall script is not run, the client is not accessible but the Jump Client files remain on the Linux system.

Install on headless Linux systems

To install a Jump Client on a remote Linux system with no graphical user interface, be sure you have downloaded the headless Linux Jump Client installer, and then follow these additional steps:

  1. Using your preferred method, push the Jump Client installer file to each headless Linux system you wish to access.
  2. Once the installer file is on the remote system, use a command interface to install the file and specify any desired parameters.
    • Install the Jump Client in a location to which you have write permission, using --install-dir . You must have permission to write to this location, and the path must not already exist. Any additional parameters must also be specified at this time, as described below.
      sh ./bomgar-pec-{uid}.bin --install-dir /home/username/jumpclient
      
    • If you wish to install under a specific user context, you can pass the --user argument. The user must exist and have rights to the directory where the Jump Client is being installed. If you do not pass this argument, the Jump Client installs under the user context that is currently running.
      sh ./bomgar-pec-{uid}.bin --install-dir /home/username/jumpclient --user jsmith
      

⚠️

Important

We do not recommend installing the Jump Client under the root context. If you attempt to install when the current user is root, you receive a warning message and are required to pass --user to explicitly specify the user that the process should run as.

  • You can also override certain installation parameters specific to your needs. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the installation fails, view the operating system event log for installation errors.
    sh ./bomgar-pec-{uid}.bin --install-dir /home/username/jumpclient --jc-jump-group jumpgroup:jump_group2
    
Command line parameter: --jc-jump-group
Value: user:
       jumpgroup:
Description: If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard.

Command line parameter: --jc-jump-policy
Description: If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client.

Command line parameter: --jc-tag
Description: If override is allowed, this command line parameter sets the Jump Client's tag.

Command line parameter: --jc-comments
Value: <comments…>
Description: If override is allowed, this command line parameter sets the Jump Client's comments.

  3. After installing the Jump Client, you must start its process. The Jump Client must be started for the first time within the time frame specified by This Installer Is Valid For.

    /home/username/jumpclient/init-script start

    This init script also accepts the stop, restart, and status arguments. You can use ./init-script status to make sure the Jump Client is running.

  4. You must also arrange for init-script start to run at boot in order for the Jump Client to remain available whenever the system restarts. An example systemd service displays once the Jump Client is installed. Copy this information and create the new service for the Jump Client, filename.service (where filename is any name you choose), following these steps:
  • cd /etc/systemd/system
  • vi filename.service
  • Paste copied information
  • run chmod 777 filename.service
  • Reload the systemctl daemon
  • Enable and start the service file
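
The headless Linux install steps above state several preconditions that make the installer fail when they are not met. The following added example (not BeyondTrust code) checks them before the installer is run; the function names, the JC_OVERRIDABLE and JC_EUID variables, and the jc-preflight.sh file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code: pre-flight checks for the headless Linux
# install above. jc-preflight.sh is a hypothetical file name.

# Flags marked "Allow override during installation" in /login. Assumption:
# the operator maintains this list by hand to mirror the installer's settings.
JC_OVERRIDABLE=${JC_OVERRIDABLE:-"--jc-tag --jc-comments"}

# Effective UID of the installing account (overridable to exercise the root branch).
JC_EUID=${JC_EUID:-$(id -u)}

# jc_preflight INSTALLER INSTALL_DIR RUN_AS_USER [--jc-flag value]...
# RUN_AS_USER may be "" to install under the current user context.
# Returns 0 when the install may proceed, otherwise a distinct non-zero code.
jc_preflight() {
    if [ "$#" -lt 3 ]; then
        echo "usage: jc_preflight INSTALLER INSTALL_DIR RUN_AS_USER [--jc-flag value]..." >&2
        return 1
    fi
    installer=$1; dir=$2; run_as=$3
    shift 3

    if [ ! -f "$installer" ]; then
        echo "installer not found: $installer" >&2; return 2
    fi
    # --install-dir must name a path that does not exist yet ...
    if [ -e "$dir" ]; then
        echo "install dir already exists: $dir" >&2; return 3
    fi
    # ... inside a directory the installing account can write to.
    parent=$(dirname -- "$dir")
    if [ ! -d "$parent" ] || [ ! -w "$parent" ]; then
        echo "parent directory missing or not writable: $parent" >&2; return 4
    fi
    # When the installer is run by root, --user is mandatory.
    if [ "$JC_EUID" -eq 0 ] && [ -z "$run_as" ]; then
        echo "running as root: an explicit --user is required" >&2; return 5
    fi
    # The --user account must exist and must not itself be root.
    if [ -n "$run_as" ]; then
        uid=$(id -u "$run_as" 2>/dev/null) || { echo "no such user: $run_as" >&2; return 6; }
        [ "$uid" -ne 0 ] || { echo "refusing to run the client as root" >&2; return 6; }
    fi
    # A flag that is not marked for override makes the installation fail.
    # The headless flags listed on this page each take one value.
    while [ "$#" -gt 0 ]; do
        case " $JC_OVERRIDABLE " in
            *" $1 "*) ;;
            *) echo "not marked for override: $1" >&2; return 7 ;;
        esac
        [ "$#" -ge 2 ] || { echo "missing value for $1" >&2; return 8; }
        shift 2
    done
    return 0
}

# jc_install: same arguments; runs the installer only after the checks pass.
jc_install() {
    jc_preflight "$@" || return $?
    installer=$1; dir=$2; run_as=$3
    shift 3
    if [ -n "$run_as" ]; then
        sh "$installer" --install-dir "$dir" --user "$run_as" "$@"
    else
        sh "$installer" --install-dir "$dir" "$@"
    fi
}

# Usage: sh jc-preflight.sh --install ./bomgar-pec-{uid}.bin /home/username/jumpclient jsmith --jc-tag servers
case "${1:-}" in
    --install) shift; jc_install "$@" ;;
esac
```

The check does not verify that the --user account has rights to the install directory; confirm that separately before a mass push.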

Uninstall the Jump Client installed on a headless Linux system

  1. If you wish to uninstall the Jump Client, you must run its uninstall script.
    /home/username/jumpclient/uninstall
    
  2. Remove the Jump Client from the access console.

ℹ️

Note

If the uninstall script is run but the client is not removed from the console, the client is visible but not accessible. Similarly, if the client is removed from the console but the uninstall script is not run, the client is not accessible but the Jump Client files remain on the Linux system.

Deploy a Jump Client on a Raspberry Pi

To access the File System, Command Shell, and System Info of a remote Raspberry Pi system, you can deploy a Jump Client to that system.

  1. From the /login administrative interface, go to Jump > Jump Clients.
  2. From the Jump Group dropdown, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by other users. Pinning to your personal list of Jump Items means that only you can access this remote computer through this Jump Client. Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.
  3. You may apply a Jump Policy to this Jump Client. Jump Policies are configured on the Jump > Jump Policies page and determine the times during which a user can access this Jump Client. A Jump Policy can also send a notification when it is accessed or can require approval to be accessed. If no Jump Policy is applied, this Jump Client can be accessed without restriction.
  4. You may choose a Session Policy to apply to this Jump Client. A session policy assigned to this Jump Client has the highest priority when setting session permissions.

ℹ️

Note

We recommend that you not set a session policy for a headless Jump Client.

  1. Adding a Tag helps to organize your Jump Clients into categories within the access console.

  2. Set the Connection Type to Active or Passive for the Jump Clients being deployed. An active Jump Client maintains a persistent connection to the B Series Appliance, while a passive Jump Client instead listens for connection requests.

  3. Add Comments, which can be helpful in searching for and identifying remote computers. Note that all Jump Clients deployed via this installer have the same comments set initially, unless you check Allow Override During Installation and use the available parameters to modify the installer for individual installations.

  4. The installer remains usable only as long as specified by the This Installer is Valid For dropdown. Be sure to leave adequate time for installation. If someone should attempt to run the Jump Client installer after this time, installation fails, and a new Jump Client installer must be created. Additionally, if the installer is run within the allotted time but the Jump Client is unable to connect to the B Series Appliance within that time, the Jump Client uninstalls, and a new installer must be deployed. The validity time can be set for anywhere from 10 minutes to 1 year. This time does NOT affect how long the Jump Client remains active.

    In addition to expiring after the period given by the This Installer is Valid For option, Jump Client mass deployment packages invalidate when their B Series Appliance is upgraded. The only exception to this rule is live updates which change the license count or license expiration date. Any other updates, even if they do not change the version number of the B Series Appliance, invalidate the Jump Client installers from before the upgrade.

    Once a Jump Client has been installed, it remains online and active until it is uninstalled from the local system either by a user from the Jump interface or by an uninstall script. It can also be uninstalled, or extended, from the Jump Client Installer List. A user cannot remove a Jump Client unless the user is given appropriate permissions by their admin from the /login interface.

  5. The options Attempt an Elevated Install if the Client Supports It and Prompt for Elevation Credentials If Needed do not apply to headless Jump Clients.

  6. Once you click Create, select the Raspberry Pi OS option, and then click Download.

  7. Using your preferred method, push the Jump Client installer file to each headless system you wish to access.

  8. Once the installer file is on the remote system, install the file in a location to which you have write permission, using --install-dir . You must have permission to write to this location, and the path must not already exist. Any additional parameters must also be specified at this time, as described below.

    sh ./bomgar-pec-{uid}.bin --install-dir /home/pi/<dir>
    
  9. You can also override certain installation parameters specific to your needs. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the installation fails, view the operating system event log for installation errors.

Command line parameter: --jc-jump-group
Value: user:
       jumpgroup:
Description: If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard.

Command line parameter: --jc-session-policy
Description: If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during an access session.

Command line parameter: --jc-jump-policy
Description: If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client.

Command line parameter: --jc-tag
Description: If override is allowed, this command line parameter sets the Jump Client's tag.

Command line parameter: --jc-comments
Value: <comments…>
Description: If override is allowed, this command line parameter sets the Jump Client's comments.

  10. After installing the Jump Client, you must start its process. The Jump Client must be started for the first time within the time frame specified by This Installer Is Valid For.

    /home/username/jumpclient/init-script start

    This init script also accepts the stop, restart, and status arguments. You can use ./init-script status to make sure the Jump Client is running.

  11. You must also arrange for init-script start to run at boot in order for the Jump Client to remain available whenever the system restarts. An example systemd service displays once the Jump Client is installed. Copy this information and create the new service for the Jump Client, filename.service (where filename is any name you choose), following these steps:

    • cd /etc/systemd/system
    • vi filename.service
    • Paste copied information
    • run chmod 777 filename.service
    • Reload the systemctl daemon
    • Enable and start the service file
  12. If you wish to uninstall the Jump Client, you must run its uninstall script.

    /home/pi/<dir>/uninstall
    

ℹ️

Note

Separately and in addition to running the uninstall script, you must remove the Jump Client via the access console. Otherwise, the Jump Client remains in the access console, though it is not accessible. Relatedly, removing the Jump Client via the access console only prevents it from being accessed but leaves the Jump Client files on the system.
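
Mode 777 on a file under /etc/systemd/system lets any local account rewrite what the service manager runs at the next start, and systemd logs a warning for unit files that are world-writable or executable. The following added example (not BeyondTrust code) audits the filename.service created in the headless Linux and Raspberry Pi steps above and resets it to root-owned 0644, which is all systemd needs to load a unit; the function names and the UNIT_OWNER_UID variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor code: audit and correct the mode of systemd unit
# files such as the filename.service created above.
# Assumes Linux with GNU or BusyBox stat (-L follows symlinks, -c sets format).

# UID expected to own unit files: root (0) in production; overridable for tests.
UNIT_OWNER_UID=${UNIT_OWNER_UID:-0}

# unit_findings FILE
# Prints one finding per line. Returns 0 if clean, 1 if any finding, 2 on error.
unit_findings() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "not a regular file: $f" >&2; return 2
    fi
    mode=$(stat -L -c '%a' -- "$f") || return 2
    owner=$(stat -L -c '%u' -- "$f") || return 2
    bits=$((0$mode))    # %a prints octal digits; the leading 0 keeps them octal
    found=0
    if [ $((bits & 0002)) -ne 0 ]; then
        echo "world-writable (mode $mode): $f"; found=1
    fi
    if [ $((bits & 0020)) -ne 0 ]; then
        echo "group-writable (mode $mode): $f"; found=1
    fi
    if [ $((bits & 0111)) -ne 0 ]; then
        echo "executable (mode $mode): $f"; found=1
    fi
    if [ "$owner" -ne "$UNIT_OWNER_UID" ]; then
        echo "owned by uid $owner, expected $UNIT_OWNER_UID: $f"; found=1
    fi
    return "$found"
}

# unit_harden FILE: owner-writable, world-readable, not executable.
unit_harden() {
    chown "$UNIT_OWNER_UID" -- "$1" && chmod 0644 -- "$1"
}

# unit_audit_dir [DIR]: check every *.service in DIR (default /etc/systemd/system).
unit_audit_dir() {
    dir=${1:-/etc/systemd/system}; bad=0
    for u in "$dir"/*.service; do
        [ -f "$u" ] || continue     # skips masked units and an unmatched glob
        unit_findings "$u" || bad=1
    done
    return "$bad"
}

# Usage: sudo sh unit-audit.sh --audit [DIR]   (unit-audit.sh is a hypothetical name)
case "${1:-}" in
    --audit) unit_audit_dir "${2:-}" ;;
esac
```

After correcting a unit file, reload the systemd daemon so the service manager rereads it.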

Mass deploy on Windows

Avoid deploying duplicates

When mass-deploying the SRA Jump Client MSI with tools such as SCCM or Altiris, it is important to avoid installing duplicate clients, because this can cause multiple deployment failures. BeyondTrust does not provide any utilities for deploying clients, but there are some basic methodologies you can use to script a deployment system that will only install Jump Clients on systems that do not have one installed already. These methods depend on whether you already have Jump Clients installed.

If you have already installed Jump Clients, your script can be modified to prevent duplicates. If you have not yet installed Jump Clients, you can use the INSTALLDIR MSI variable or a custom file as described below. When you use INSTALLDIR, the MSI installation package itself automatically aborts if it finds that the directory you specify already exists. If you choose the custom file option, you must script the install to check for this file prior to running the MSI installation package.

Prevent additional duplicates

If your deployment tool has already deployed duplicate clients, edit your script so that the tool aborts installation if the target system matches either of these conditions:

  • The system has any bomgar-pec.exe processes running.
  • The system has any DisplayName registry entries matching BeyondTrust Privileged Remote Access Jump Client [support.example.org], where support.example.org matches the hostname of your SRA appliance.

Prevent duplicates before deployment

If your deployment tool has not yet deployed any clients, you can script the tool to use the INSTALLDIR variable or deploy a custom file during the install process.

Use INSTALLDIR

Follow these steps to use the INSTALLDIR variable:

  1. From the /login administrative interface, go to Jump > Jump Clients.

  2. At the top of the Jump Client Installer List, click Add.

  3. Enter the appropriate mass deployment wizard parameters.

  4. Click Create.

  5. Select Windows (x64) MSI, copy the string after KEY_INFO=, and then click Download/Install.

  6. Load the downloaded MSI into your deployment tool and script the tool to install it using the following command:

    msiexec /i bomgar-scc-win64.msi KEY_INFO=<key_info_string> INSTALLDIR=<install_directory> /quiet

    where <key_info_string> is the KEY_INFO string you copied earlier and <install_directory> is the install directory of your choice.

  7. Configure the deployment tool to abort installation if it finds the install directory you have chosen is already present.

Use a custom file

You have the option of deploying a custom file during installation and automatically aborting subsequent duplicate installation if this file is found. To do this:

  1. Save a small text file with a descriptive title such as PRAJumpClient.txt to a shared network location accessible from all systems on which Jump Clients will be deployed.
  2. Follow the above steps for using INSTALLDIR to create and download an MSI installation file.
  3. Configure the script to abort if the PRAJumpClient.txt file already exists, or copy it to the local system and install the MSI file if the text file does not exist.
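
The duplicate checks from the sections above (running process, DisplayName entry, INSTALLDIR, custom file), combined into one pre-install guard. This is an added example, not BeyondTrust code; the install directory, both marker paths and the Uninstall registry location are assumptions, and the page itself supplies only the process name, the DisplayName pattern and the msiexec command.

```powershell
# Added example, not BeyondTrust code. Every value in this block is an assumption to replace.
$ApplianceHost = 'support.example.com'                    # hostname of your appliance
$InstallDir    = 'C:\Program Files\ExampleJumpClient'     # hypothetical INSTALLDIR
$MarkerShare   = '\\fileserver\deploy\PRAJumpClient.txt'  # hypothetical network copy
$MarkerLocal   = 'C:\ProgramData\PRAJumpClient.txt'       # hypothetical local copy
$Msi           = Join-Path $PSScriptRoot 'bomgar-scc-win64.msi'
$KeyInfo       = '<key_info_string>'                      # string copied after KEY_INFO=

function Get-JumpClientEvidence {
    # Returns the first sign of an existing Jump Client, or $null if none is found.
    if (Get-Process -Name 'bomgar-pec' -ErrorAction SilentlyContinue) { return 'running process' }

    # Assumption: the DisplayName entry sits under the standard Uninstall keys.
    # -eq is used rather than -like because the brackets would be read as a wildcard set.
    $name = "BeyondTrust Privileged Remote Access Jump Client [$ApplianceHost]"
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $name }
    if ($entry) { return 'DisplayName registry entry' }

    if (Test-Path -LiteralPath $InstallDir)  { return 'install directory' }
    if (Test-Path -LiteralPath $MarkerLocal) { return 'marker file' }
    return $null
}

$evidence = Get-JumpClientEvidence
if ($evidence) {
    Write-Output "Jump Client already present ($evidence); skipping install."
    exit 0
}

$msiArgs = '/i', "`"$Msi`"", "KEY_INFO=$KeyInfo", "INSTALLDIR=`"$InstallDir`"", '/quiet'
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with reboot required; anything else is a failed install.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "msiexec exited with code $($proc.ExitCode); marker not written."
    exit $proc.ExitCode
}

# Written only after a successful install, so a failed push is retried on the next run.
Copy-Item -LiteralPath $MarkerShare -Destination $MarkerLocal
exit $proc.ExitCode
```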

Manage deployment rate

It is important to consider rate of deployment if mass deploying on a large scale. A large number of simultaneous client installations can cause network traffic delays.

Depending on the deployment method used, the granular control allowed may vary. We recommend deploying no more than 60 clients per minute to avoid installation failures and degraded performance. For reference, 60 clients per minute equates to:

  • 1 client install per second
  • 60 client installs per minute
  • 3,600 client installs per hour

Performance impact may vary with environmental factors, usage patterns, and appliance resources. BeyondTrust recommends starting mass deployment conservatively with smaller scale pushes at slower rates to confirm acceptable performance before gradually scaling up the number and rate of deployment.

Mass deploy on macOS

The installer files for access consoles and Jump Clients allow you to mass deploy BeyondTrust software to your macOS devices. This guide provides examples of how to mass-deploy BeyondTrust software using generally accepted deployment concepts. Actual deployment steps may vary.

Set privacy policy preference control

Starting with macOS Mojave (10.14), Apple introduced new privacy controls for end users. These controls require that applications be granted permission to access sensitive data or use macOS accessibility features. As an administrator, you can grant these permissions to an MDM-managed Mac using a Privacy Policy Preference Control (PPPC) profile. To ensure proper functionality of the BeyondTrust Privileged Remote Access Customer Client, deploy a PPPC profile targeting the following app bundle:

  • Identifier: com.bomgar.bomgar-pec
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.bomgar.bomgar-pec" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B65TM49E24

| Service | Purpose | Allowed |
|---|---|---|
| Accessibility | Screen Sharing | true |
| SystemPolicyAllFiles (Full Disk Access) | File Transfer | true |
| ScreenCapture (Screen Recording) | Screen Sharing | AllowStandardUserToSetSystemService |

ℹ️

Note

Screen recording can only be configured via MDM to allow a non-admin user to provide consent. IT administrators cannot grant screen recording permissions on behalf of end users. This preference is applicable for systems running macOS Big Sur (11.0) and later.

Configure managed login items

Starting with macOS Ventura 13, Apple introduced a new framework for managing background tasks such as LaunchAgents, LaunchDaemons, and Login Items. BeyondTrust's Jump Client for Privileged Remote Access leverages background tasks to ensure the client is running at all times. Administrators can manage these background tasks using a Managed Login Items payload delivered to managed devices. To ensure proper functionality, deploy a configuration profile targeting the below values:

| Rule Type | Rule Value |
|---|---|
| Label Prefix | Bomgar |
| Team Identifier | B65TM49E24 |
| Label Prefix | com.bomgar |

Configure appliance

When deploying the Jump Client, there are two prerequisites that must be completed in Privileged Remote Access.

  • A user account with administrative permission to access the /login interface is required. This user can create Jump Clients only for Jump Groups where they have appropriate permissions.
  • To ensure that a single Jump Client installer can be used to pin a system to any Jump Group, a service account with Manage permissions on all Jump Groups must be created.

Create a service account user for Jump Client package creation

  1. Log in to the Privileged Remote Access user interface.
  2. Click Users & Security.
  3. Click Add.
  4. Fill in the basic details for the user account.
  5. Expand Account Settings.
  6. Check Account Never Expires, if necessary.
  7. Expand Access Permissions.
  8. Ensure Allowed to access endpoints is checked.
  9. Uncheck all boxes under the Session Management and User-to-User Screen Sharing areas.
  10. Under Allowed Jump Item Methods, ensure:
      • Jump Clients is checked
      • All other methods are unchecked
  11. Under Jump Item Roles, ensure:
      • Default dropdown is set to Administrator
      • System dropdown is set to Administrator
  12. Click Save.

Create a Jump Client installer package

  1. Log in to the Privileged Remote Access appliance using the new account created above.
  2. Click Jump.
  3. Click Add to add a new Jump Client Installer.
  4. Select a default Jump Group within the Jump Client Mass Deployment Wizard.
  5. Check Allow Override During Installation for all available options.
  6. Select your desired validity period from the This Installer is Valid For dropdown.
  7. Check Start Customer Client Minimized When Session is Started, to ensure a completely silent deployment.
  8. Click Create.
  9. From the Platform dropdown, select macOS (for programmatic installation).
  10. Click Download. A DMG file downloads. This is later imported into your management platform.

ℹ️

Note

Do not rename the downloaded DMG file.

Deploy manually

The BeyondTrust Privileged Remote Access Jump Client installer is delivered as a uniquely generated and named DMG file. This file has the format bomgar-pec-<uid>.dmg.

For deployment, the sequence of steps includes:

  1. Stage the DMG file in a temporary location.
  2. Mount the DMG file.
  3. Install the Remote Support Jump Client.
  4. Unmount the disk image.
  5. Remove the DMG from the temporary location.

Deploy using JAMF Pro

ℹ️

Note

This information is provided for general assistance when using JAMF Pro; however, BeyondTrust cannot provide support for third-party products, and their requirements and operations may change.

Upload package to Jamf software server

  1. Log in to your Jamf Software Server (JSS) via a web browser.
  2. Click Computers.
  3. Click Management Settings.
  4. Click the Computer Management tab.
  5. Click Packages.
  6. Click New.
  7. Fill out a display name, and choose a category (if applicable).
  8. Click Upload to choose the DMG file.
  9. Click Save.

Upload deployment script

  1. If necessary, log in to the JSS via a web browser.
  2. Click Computers.
  3. Click Management Settings.
  4. Click the Computer Management tab.
  5. Click Scripts.
  6. Click New.
  7. Copy and paste this sample deployment script on the Script tab (for Privileged Remote Access versions 23.3.1 and later):

    # Mount the cached DMG
    hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-<uid>.dmg

    # Run the Jump Client installer silently
    sudo /Volumes/bomgar-scc/Open\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

    # Pause before the script exits
    sleep 15

    For Privileged Remote Access versions before 23.3.1, paste this script:

    # Mount the cached DMG
    hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-<uid>.dmg

    # Run the Jump Client installer silently
    sudo /Volumes/bomgar-scc/Double-Click\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

    # Pause before the script exits
    sleep 15

  8. Update the file name to match the DMG file downloaded from your appliance. For Privileged Remote Access, this includes updating bomgar-scc to bomgar-pec.
  9. Click Save.

ℹ️

Note

Some networks or environments may have configurations that prevent endpoints from checking for malicious software. This can be addressed by adding

xattr -d com.apple.quarantine bomgar-scc-[uid].dmg

to the script, or by enabling Stapled Mac Notarization. Administrators should evaluate which approach is more appropriate for their environment.

ℹ️

Note

For detailed information on sdcust usage, see Mass Deploy Help, located within the /login interface under Jump > Jump Clients.

Create deployment policy

  1. If necessary, log in to the JSS via a web browser.
  2. Click Computers.
  3. Click Policies.
  4. Click New.
  5. Provide a policy name, configure desired policy triggers, and ensure Execution Frequency is Once Per Computer.
  6. Click Packages, and then click Configure.
  7. Click Add to select the Jump Client package from the list of available packages.
  8. Select Cache as the action. This makes the packages available in the JAMF downloads folder for use by the deployment script created earlier.
  9. Click Scripts from the left navigation menu.
  10. Click Add to select the deployment script created above.
  11. Confirm that the Priority is set to After.
  12. Click Save.

The created policy now runs based on the defined trigger(s) to install the BeyondTrust Jump Client.


©2003-2025 BeyondTrust Corporation. All Rights Reserved.