
Deploy Jump Clients

There are two ways to install a Jump Client:

  • During a BeyondTrust support session, a Jump Client can be installed as required by the representative.
  • Alternatively, an administrator can mass-deploy Jump Clients for a larger rollout.

These two methods of installation are outlined below.

During a support session

A Jump Client can be installed during a support session. This allows the support representative to access this computer at a later time, even if the computer is unattended. This method of installation is also known as session pinning and is achieved by clicking the Pin as Jump Client button.

ℹ️

Note

User mode Jump Clients have been deprecated. You cannot pin a Jump Client unless the end user is running the full customer client in an elevated session.

  1. From within an elevated support session, click the Pin as Jump Client button in the session toolbar at the top right corner of the representative console.

  2. From the dropdown, you can select to customize the Jump Client before deploying it.

    • Enter a Name for the Jump Item. This name identifies the item in the session tabs. This string has a maximum of 128 characters.

    • If Starts Quietly is checked, the customer client does not take focus and remains minimized in the taskbar or dock when a session is started.

    • You also have the option to set when the Jump Client expires. This can be never, at a specific time and date, or after a certain length of time. An expired Jump Client automatically uninstalls from the remote system and is removed from the list in the Jump Client interface.

    • Move Jump Items from one Jump Group to another using the Jump Group dropdown. The ability to move Jump Items to or from different Jump Groups depends upon your account permissions.

    • Further organize Jump Items by entering the name of a new or existing Tag. Even though the selected Jump Items are grouped together under the tag, they are still listed under the Jump Group in which each is pinned. To move a Jump Item back into its top-level Jump Group, leave this field blank.

    • Select the Public Portal through which this Jump Item should connect. If a session policy is assigned to this public portal, that policy may affect the permissions allowed in sessions started through this Jump Item. The ability to set the public portal depends on your account permissions.

    • Jump Items include a Comments field for a name or description, which makes sorting, searching, and identifying Jump Items faster and easier.

    • To set when users are allowed to access this Jump Item, choose a Jump Policy. These policies are configured by your administrator in the /login interface.

      Choose session policies to assign to this Jump Item. Session policies assigned to this Jump Item have the highest priority when setting session permissions. The Customer Present Session Policy applies when the end user is determined to be present. Otherwise, the Customer Not Present Session Policy applies. The way customer presence is determined is set by the Use screen state to detect Customer Presence Jump Item setting in the /login interface. When enabled, a customer is considered present only if a user is logged in, the system is not locked, and a screen saver is not running. When disabled, a customer is considered present if a user is logged in, regardless of the screen state. Customer presence is detected when the Jump Item session starts. The session policy used for the session does not change throughout the session, regardless of any changes in the customer's presence while the session is in progress. The ability to set a session policy depends on your account permissions.

  3. Alternatively, you can select a Jump Group to which to pin the Jump Client, not setting any properties. From the Jump Group dropdown, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by other users. Pinning to your personal list of Jump Items means that only you (and higher ranking roles on your team, such as Team Lead and Team Manager if you are a Team Member, and Team Manager if you are a Team Lead) can access this remote computer through this Jump Client. Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.

  4. Depending on the session permissions, the customer could receive a message that you are requesting to install a Jump Client. The customer is asked to allow or refuse the request.

  5. Once the Jump Client is installed, the remote computer appears in the Jump interface of the representative console. You might have to refresh the interface to see the new Jump Client.

ℹ️

Note

Support representatives can access unattended Android devices through session pinning.

Prior to support

Jump Clients can be installed on remote computers in anticipation of the need for remote access. This method of installation can be applied to one system or multiple systems simultaneously. You can easily automate the mass deployment of your Jump Client network by allowing customization during installation. The Jump Client command line installer has switches that allow a script to modify a variety of Jump Client parameters when executed. This enables you to create custom mass deployment scripts to pull in variables from other sources and use the variables to modify the Jump Client parameters at install time.

You can easily manage active installers from the Jump Client Installer list.

This list shows all previously created Jump Client installers. Click the trash can icon to delete the installer. Click the clock icon to change how long the installer will be valid. Click the download icon to either download the installer or to copy the key needed for the generic installer.

A warning appears at the top of the list: Installing more than one Jump Client as the same user or more than one Jump Client as a service on the same system is being phased out in a future release. In the Representative Console you may use the copy action on a Jump Client to apply different policies to the same endpoint. Click Dismiss to hide the message.

  1. From the /login administrative interface, go to Jump > Jump Clients.

  2. At the top of the Jump Client Installer List, click Add.

  3. From the Jump Group dropdown, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by other users. Pinning to your personal list of Jump Items means that only you (and higher ranking roles on your team, such as Team Lead and Team Manager if you are a Team Member, and Team Manager if you are a Team Lead) can access this remote computer through this Jump Client. Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.

  4. Select the Public Portal through which you want this Jump Client to connect. If a session policy is assigned to this public portal, that policy may affect the permissions allowed in sessions started through this Jump Client.

  5. Choose session policies to assign to this Jump Client. Session policies assigned to this Jump Client have the highest priority when setting session permissions. The Customer Present Session Policy applies when the end user is determined to be present. Otherwise, the Customer Not Present Session Policy applies. The way customer presence is determined is set by the Use screen state to detect Customer Presence Jump Client setting. Customer presence is detected when the Jump Client session starts. The session policy used for the session does not change throughout the session, regardless of any changes in the customer's presence while the session is in progress.

  6. The installer remains usable only as long as specified by the This Installer is Valid For dropdown. Be sure to leave adequate time for installation. If someone attempts to run the Jump Client installer after this time, installation fails, and a new Jump Client installer must be created. Additionally, if the installer is run within the allotted time but the Jump Client is unable to connect to the B Series Appliance within that time, the Jump Client uninstalls, and a new installer must be deployed. The validity time can be set for anywhere from 10 minutes to 1 year. This time does NOT affect how long the Jump Client remains active.

    Once a Jump Client has been installed, it remains online and active until it is uninstalled from the local system either by a logged-in admin user with appropriate permissions, by a user from the Jump interface, or by an uninstall script. A user cannot remove a Jump Client unless the user is given appropriate permissions by their admin from the /login interface.

  7. You can apply a Jump Policy to this Jump Client. Jump Policies are configured on the Jump > Jump Policies page and determine the times during which a user can access this Jump Client. If no Jump Policy is applied, this Jump Client can be accessed at any time.

  8. Adding a Tag helps to organize your Jump Clients into categories within the representative console.

  9. When a Jump Client is first deployed, if it cannot connect to the B Series Appliance, it searches the local network for a Jumpoint or Jumpoint cluster serving as a Jump Zone Proxy. This allows a Jump Client installed on a system without a native internet connection to use the Jumpoint to connect back to the B Series Appliance.

    In the special case where the Jump Client and Jumpoint are not on the same local network or where a firewall blocks the Jump Client's attempt to connect to the Jumpoint, the Jumpoint Proxy setting allows you to set which Jumpoint the Jump Client should try to use as a proxy.

    The Jumpoint selected here must be a standalone Jumpoint running as a Jump Zone Proxy. While Jump Clients can connect to clustered Jumpoints running as a Jump Zone Proxy, you cannot select a clustered Jumpoint in this wizard.

  10. Add Comments, which can be helpful in searching for and identifying remote computers. Note that all Jump Clients deployed via this installer have the same comments set initially, unless you check Allow Override During Installation and use the available parameters to modify the installer for individual installations.

  11. You can set the Maximum Offline Minutes Before Deletion of a Jump Client from the system. This setting overrides the global setting, if specified.

  12. If Prompt for Elevation Credentials if Needed is selected, the installer prompts the user to enter administrative credentials if the system requires that these credentials be independently provided; otherwise, it installs the Jump Client with user rights. This applies only if an elevated install is being attempted.

ℹ️

Note

A Jump Client pinned in user mode is available only when that user is logged in. In contrast, a Jump Client pinned in service mode, with elevated rights, allows that system to always be available, regardless of which user is logged in. User mode Jump Clients have been deprecated for Windows and will be deprecated for Linux and Mac in a future release.

This option does not apply to headless Linux or Raspberry Pi Jump Clients.

  13. Select Minimized to start the customer client minimized. It does not take the focus, and appears only in the taskbar or dock when a session is started through this Jump Client. Select Hidden to start the customer client hidden. It does not take the focus, and appears only as an icon in the system tray when a session is started through this Jump Client.

ℹ️

Note

This option does not apply to headless Linux or Raspberry Pi Jump Clients.

  14. Once you click Create, you can download the Jump Client installer immediately if you plan to distribute it using a systems management tool or if you are at the computer that you need to later access. You can also email the installer to one or more remote users. Multiple recipients can install the client from the same link. The Platform option defaults to the appropriate installer for your operating system. You can select a different platform if you plan to deploy the Jump Client on a different operating system. Once the installer has run, the Jump Client attempts to connect to the B Series Appliance. When it succeeds, the Jump Client appears in the Jump interface of the representative console. If the Jump Client cannot immediately reach the B Series Appliance, then it continues to reattempt connection until it succeeds. If it cannot connect within the time designated by This Installer Is Valid For, then the Jump Client uninstalls from the remote system and must be redeployed.

Install on Android

A persistent connection can be established with an Android device by pinning a Jump Client to the device. This provides the ability to have unattended support sessions. You can deploy Jump Clients using either of the methods below.

ℹ️

Note

Bandwidth usage and battery life are minimally affected by establishing a persistent connection.

Persistent connections to an unattended Android device can occur only when the devices have both the BeyondTrust Support Client and BeyondTrust Jump Client App installed from the Google Play Store.

For more information, see Download the support client and Jump Client apps.

Pin an Android Jump Client from the representative console

  1. While in a support session with the Android device, click on the Pin as Jump Client icon.
  2. After pinning, the Android device appears as a Jump Item in the Jump Item list. If the Pin as Jump Client icon is gray, the Android Jump Client is not installed on the Android device.
  3. Meanwhile, the BeyondTrust Jump Client app on the device displays the client as pinned, with a date and timestamp.
  4. The BeyondTrust Jump Client app on the device also has a dropdown list of possible device names. The agent can select the Device Name reported by the device, or another option such as the reported value for the IP Address, Hostname, or Device Model. Values for some options may not be available due to permissions.

ℹ️

Note

Options are available for the Jump Client to be disabled if the device relies on battery power or on data to connect.

Email a link from the /login interface to install an Android Jump Client

  1. From the /login interface, navigate to Jump > Jump Clients > Jump Client Mass Deployment Wizard.

  2. Complete the information needed for your Jump Client, such as Jump Group, Public Portal, etc.

  3. Click Create.

  4. From the Download or Install the Client Now section, choose Android as your platform.

  5. Verify that the BeyondTrust Jump Client app is installed on the Android device. If not, navigate to the Google Play App store to download the app.

  6. To download the Jump Client to the device, open a browser on the Android device and go to the URL provided by the Mass Deployment Wizard.

ℹ️

Note

  • You can also email the URL to the Android device by clicking on the Email link located in the Deploy to Email Recipients section.
  • Android prevents the application from being fully functional until the user opens the app at least once. This should be done after the application has been installed, and before attempting to pin a session to it.

Uninstall a Jump Client

To uninstall a Jump Client, remove it from the Representative Console. The client remains on the device, but reverts to unpinned. If the client is not connected when it is removed from the console, the client reverts to unpinned the next time the client authorizes with the server.

Jump Clients can be removed from a device using a script. This will leave an entry in the Representative Console interface. The entry is automatically marked uninstalled or deleted, depending on your Jump Client Settings.

ℹ️

Note

For information about Jump Client settings, see Jump Client settings.

Install on Linux

You can override certain installation parameters specific to your needs. These parameters can be specified using a systems administration tool or the command line interface. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the installation fails, view the operating system event log for installation errors.

| Command line parameter | Value | Description |
| --- | --- | --- |
| --install-dir | <directory_path> | Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to. |
| --jc-name | <name...> | If override is allowed, this command line parameter sets the Jump Client's name. |
| --jc-jump-group | user: <username> or jumpgroup: <jumpgroup-code-name> | If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard. |
| --jc-public-site-address | <public-site-address-host-name> | If override is allowed, this command line parameter associates the Jump Client with the public portal which has the given hostname as a site address. If no public portal has the given hostname as a site address, then the Jump Client reverts to using the default public site. |
| --jc-session-policy-present | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is present at the console. |
| --jc-session-policy-not-present | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is not present at the console. |
| --jc-jump-policy | <jump-policy-code-name> | If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client. |
| --jc-tag | <tag-name> | If override is allowed, this command line parameter sets the Jump Client's tag. |
| --jc-comments | <comments…> | If override is allowed, this command line parameter sets the Jump Client's comments. |
| --jc-max-offline-minutes | <minutes> | If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost. |
| --jc-ephemeral | None | If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting --jc-max-offline-minutes 5. |
| --silent | None | If specified, the Jump Client performs a silent installation. No user interaction is requested and no user interface is displayed during the process. |
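
As an added example (not BeyondTrust code), the script below builds the installer command line for a mass-deployment script that pulls values from an inventory. It accepts only the value-taking switches listed above, refuses values that are empty, begin with a dash, or contain control characters, and applies the --install-dir rule on the endpoint. The file name bomgar-scc-UID.bin, the function names, and the value checks are assumptions of this example; it defaults to a dry run that prints the argument vector.

```shell
#!/bin/sh
# Added example, not BeyondTrust code. Values taken from an inventory are
# checked before they reach the installer, and are passed as separate
# arguments so no shell ever re-parses them.

# _jc_check FLAG VALUE: succeed only for a documented switch with a sane value.
_jc_check() {
    _f=$1 _v=$2
    case $_f in
        --install-dir|--jc-name|--jc-jump-group|--jc-public-site-address|\
        --jc-session-policy-present|--jc-session-policy-not-present|\
        --jc-jump-policy|--jc-tag|--jc-comments|--jc-max-offline-minutes) ;;
        *) echo "refused: $_f is not a documented override switch" >&2
           return 1 ;;
    esac
    # Assumption of this example: an empty value, a value that looks like
    # another switch, or one with control characters is never legitimate.
    case $_v in
        ''|-*|*[[:cntrl:]]*)
            echo "refused: unsafe value for $_f" >&2
            return 1 ;;
    esac
    case $_f in
        --jc-max-offline-minutes)
            case $_v in
                *[!0-9]*) echo "refused: minutes must be a whole number" >&2
                          return 1 ;;
            esac ;;
        --jc-jump-group)
            case $_v in
                user:?*|jumpgroup:?*) ;;
                *) echo "refused: expected user:NAME or jumpgroup:CODE" >&2
                   return 1 ;;
            esac ;;
        --install-dir)
            # The directory must not exist yet and its parent must be writable.
            if [ -e "$_v" ] || [ ! -w "$(dirname "$_v")" ]; then
                echo "refused: $_v exists or its parent is not writable" >&2
                return 1
            fi ;;
    esac
    return 0
}

# jc_install INSTALLER [FLAG VALUE]...
# Validates every pair, then runs the installer with --silent. With
# JC_DRY_RUN=1 (the default) it prints the argument vector, one per line.
jc_install() {
    [ "$#" -ge 1 ] || { echo "usage: jc_install INSTALLER [FLAG VALUE]..." >&2; return 2; }
    _installer=$1
    shift
    _have=0
    for _arg in "$@"; do
        if [ "$_have" = 0 ]; then
            _flag=$_arg
            _have=1
        else
            _jc_check "$_flag" "$_arg" || return 1
            _have=0
        fi
    done
    [ "$_have" = 0 ] || { echo "refused: $_flag has no value" >&2; return 1; }
    if [ "${JC_DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' sh "$_installer" "$@" --silent
    else
        sh "$_installer" "$@" --silent
    fi
}
```

The checks cannot tell whether a switch was marked for override in /login; an unmarked switch still makes the installation fail as described above.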

Install a Linux Jump Client in service mode

ℹ️

Note

To install a Jump Client in service mode on a Linux system, the Jump Client installer must be run by root, but the Jump Client service should not be run under the root user context. A service mode Jump Client allows the user to start a session even if no remote user is logged on, as well as to log off the current remote user and log on with different credentials. A Linux Jump Client installed in user mode cannot be elevated within a session.

Use the following commands to make the installer executable and run it, where [uid] is a unique identifier consisting of letters and numbers:

  1. Add executable permissions to the file:

    sudo chmod +x ./Downloads/bomgar-scc-[uid].bin
    
  2. Run the installer as the root user using the sudo command:

    sudo sh ./Downloads/bomgar-scc-[uid].bin
    

ℹ️

Note

For Remote Support versions prior to 24.1.1, enter .desktop instead of .bin.

Remote Support Linux Jump Clients can be installed in service mode. The status of any Jump Client is shown in the info panel that appears when a Jump Client is highlighted in the representative console’s list of Jump Clients. If a Jump Client shows the Install Mode as Service, it is installed as a service; otherwise, this field reads User, indicating it is installed in single-user context.

A service-mode Jump Client allows the user to start a session even if no remote user is logged on, as well as to log off the current remote user and log on with different credentials. A Linux Jump Client installed in user mode cannot do this, nor can it be elevated to service mode within a session.

To install a Jump Client in service mode on a Linux system, the Jump Client installer must be run by root, but we recommend that you not run the Jump Client service under the root user context. This causes the Jump Client to run as a system service. If a previous Jump Client was installed in user mode, uninstall the existing Jump Client and install a new one as root. The process for doing this varies slightly depending on the distribution of Linux being used, but what follows is typical.

  1. Log in to the representative console, right click the existing user mode Jump Client (if there is one), and click Remove.

  2. Log in to the /login admin web interface of the BeyondTrust site and download a Jump Client installer for Linux from the Jump > Jump Clients tab.

  3. Launch a terminal and add the executable permission to the installation file:

    sudo chmod +x ./Downloads/bomgar-scc-[uid].bin
    
  4. Execute the installation file as the root user using the sudo command:

    sudo sh ./Downloads/bomgar-scc-[uid].bin
    

ℹ️

Note

For Remote Support versions prior to 24.1.1, enter .desktop instead of .bin.

Once the installation is complete, a new entry appears in the list of available Jump Clients displayed in the representative console. To test whether the Jump Client is installed as a service or not, you can Jump to the client and log out the active user. If you can still control the screen after logging out, this proves the client is running as a service.

ℹ️

Note

Jump Clients installed in service mode are found in the /opt/bomgar/bomgar-scc-* folder.

Uninstall a Jump Client installed using service mode

Follow the steps below:

  • Navigate to the uninstall script in the following location: /opt/bomgar/bomgar-scc-xxxxxx.
  • Run the uninstall script:
    sudo sh ./uninstall
    

This leaves an entry in the representative console interface. The entry is automatically marked as uninstalled or deleted, depending on your Jump Client settings. Manual changes made for service mode Jump Client or headless Jump Client to start on boot are not removed by the script.

Install a Jump Client on a headless Linux system

To install a Jump Client on a remote Linux system with no graphical user interface, be sure you have downloaded the headless Linux Jump Client installer, and then follow these additional steps:

  1. Using your preferred method, push the Jump Client installer file to each headless Linux system you wish to access.
  2. Once the installer file is on the remote system, use a command interface to install the file and specify any desired parameters.
    • Install the Jump Client in a location to which you have write permission, using --install-dir. You must have permission to write to this location, and the path must not already exist. Any additional parameters must also be specified at this time, as described below.
      sh ./bomgar-scc-{uid}.bin --install-dir /home/username/jumpclient
      
    • If you wish to install under a specific user context, you can pass the --user argument. The user must exist and have rights to the directory where the Jump Client is being installed. If you do not pass this argument, the Jump Client installs under the user context that is currently running.
      sh ./bomgar-scc-{uid}.bin --install-dir /home/username/jumpclient --user jsmith
      

⚠️

Important

We do not recommend installing the Jump Client under the root context. If you attempt to install when the current user is root, you receive a warning message and are required to pass --user to explicitly specify the user that the process should run as.

  • You can also override certain installation parameters specific to your needs. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the installation fails, view the operating system event log for installation errors.

    sh ./bomgar-scc-{uid}.bin --install-dir /home/username/jumpclient --jc-jump-group jumpgroup:jump_group2
    
| Command line parameter | Value | Description |
| --- | --- | --- |
| --install-dir | <directory_path> | Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to. |
| --jc-name | <name...> | If override is allowed, this command line parameter sets the Jump Client's name. |
| --jc-jump-group | user: <username> or jumpgroup: <jumpgroup-code-name> | If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard. |
| --jc-public-site-address | <public-site-address-host-name> | If override is allowed, this command line parameter associates the Jump Client with the public portal which has the given hostname as a site address. If no public portal has the given hostname as a site address, then the Jump Client reverts to using the default public site. |
| --jc-session-policy-present | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is present at the console. |
| --jc-session-policy-not-present | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is not present at the console. |
| --jc-jump-policy | <jump-policy-code-name> | If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client. |
| --jc-tag | <tag-name> | If override is allowed, this command line parameter sets the Jump Client's tag. |
| --jc-comments | <comments…> | If override is allowed, this command line parameter sets the Jump Client's comments. |
| --jc-max-offline-minutes | <minutes> | If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost. |
| --jc-ephemeral | None | If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting --jc-max-offline-minutes 5. |
| --silent | None | If specified, the Jump Client performs a silent installation. No user interaction is requested and no user interface is displayed during the process. |

  3. After installing the Jump Client, you must start its process. The Jump Client must be started for the first time within the time frame specified by This Installer Is Valid For.

    /home/username/jumpclient/init-script start
    

    This init script also accepts the stop, restart, and status arguments. You can use ./init-script status to make sure the Jump Client is running.

  4. You must also arrange for init-script start to run at boot in order for the Jump Client to remain available whenever the system restarts. An example systemd service displays once the Jump Client is installed. Copy this information and create the new service for the Jump Client, filename.service (where filename is any name you choose), following these steps:

    • cd /etc/systemd/system
    • vi filename.service
    • Paste copied information
    • run chmod 777 filename.service
    • Reload the systemctl daemon
    • Enable and start the service file
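
The boot-time service step above, as an added example (not BeyondTrust code): it copies the unit text printed by the installer into place with mode 0644 rather than the 777 given in the steps, because systemd only needs to read the file, and then audits the result. The checks are that the unit is not group- or world-writable, that it names a non-root User=, and that the ExecStart target and its directory cannot be modified by other accounts. The function names, and the assumption that the unit carries User= and ExecStart= lines, belong to this example.

```shell
#!/bin/sh
# Added example, not BeyondTrust code: install and audit the boot-time unit
# for a headless Jump Client. The unit text is whatever the installer printed.

# _jc_loose PATH: succeed if PATH is writable by group or by other.
_jc_loose() {
    # Characters 6 and 9 of the ls mode string are the group and other
    # write bits; -L follows a symlink to the real file.
    case $(ls -ldL "$1" | cut -c6,9) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# jc_unit_audit UNIT: print one line per finding; return 0 only if none.
jc_unit_audit() {
    _unit=$1
    _bad=0
    [ -f "$_unit" ] || { echo "FAIL no such unit file: $_unit"; return 2; }

    if _jc_loose "$_unit"; then
        echo "FAIL unit file is group- or world-writable: $_unit"
        _bad=1
    fi

    # A system service with no User= line runs as root.
    _user=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$_unit" | tail -n 1)
    case $_user in
        ''|root|0)
            echo "FAIL service would run as root (User=${_user:-unset})"
            _bad=1 ;;
    esac

    # First word of ExecStart=, after systemd's optional prefix characters.
    _exec=$(sed -n 's/^[[:space:]]*ExecStart=[-@:+!]*\([^[:space:]]*\).*/\1/p' \
            "$_unit" | head -n 1)
    if [ -z "$_exec" ] || [ ! -e "$_exec" ]; then
        echo "FAIL ExecStart target not found: ${_exec:-unset}"
        _bad=1
    else
        # Whoever can rewrite the script or its directory controls what
        # the service runs at every boot.
        for _p in "$_exec" "$(dirname "$_exec")"; do
            if _jc_loose "$_p"; then
                echo "FAIL group- or world-writable: $_p"
                _bad=1
            fi
        done
    fi
    return "$_bad"
}

# jc_unit_install SRC NAME [DIR]: copy the unit in as 0644, then audit it.
# DIR defaults to /etc/systemd/system; run as root for the real location.
jc_unit_install() {
    _dest=${3:-/etc/systemd/system}/$2.service
    install -m 0644 "$1" "$_dest" || return 1
    jc_unit_audit "$_dest"
}

# After a clean audit, the last two steps are:
#   systemctl daemon-reload
#   systemctl enable --now NAME.service
```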

Uninstall a Jump Client installed on a headless Linux system

To uninstall a Jump Client, remove it from the representative console.

  • If the client is not connected when it is removed from the console, the files are removed the next time the client authorizes with the server.
  • Manual changes made for service mode Jump Client or headless Jump Client to start on boot are not removed.

Jump Clients can be removed from a device by using a script:

/home/username/jumpclient/uninstall

This leaves an entry in the representative console interface. The entry is automatically marked as uninstalled or deleted, depending on your Jump Client settings. Manual changes made for service mode Jump Client or headless Jump Client to start on boot are not removed by the script.

ℹ️

Note

For information about Jump Client settings, see Jump Client settings.

Install on macOS

You can override certain installation parameters specific to your needs. These parameters can be specified using a systems administration tool or the command line interface. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the installation fails, view the operating system event log for installation errors.

ℹ️

Note

A Jump Client can also be installed in service mode.

Enable a Jump Client on a Mac system

After a Jump Client is installed on a Mac system, it must be enabled by the end user. The exact steps, wording, and screen displays vary depending on the device and software version. Screen images show the Privileged Remote Access endpoint client installed on a macOS desktop; however, the process is similar for the Remote Support customer client and with other devices.

Three types of access are requested: Screen Recording, Accessibility, and Full Disk Access. For the best remote support experience, grant access for all three. Limited support is available if only one or two types of access are granted.

To grant access, the user takes the following steps for each type of access:

  1. Click Grant Access...

  2. Under Privacy & Security, applications that have requested access for the selected feature are listed. Toggles indicate if access has been granted. The newly installed client is disabled by default. Click the toggle to grant access to the client for this feature.

  3. For the feature Full Disk Access, granting access requires stopping and restarting the client application. Click Quit & Reopen to grant access immediately. The Jump Client icon disappears and reappears within a few minutes.

The end user can grant or deny access at any time by clicking Settings > Privacy & Security, selecting the feature (Accessibility, Screen Recording, or Full Disk Access), and then clicking the toggle.

Mass deploy on macOS

The installer files for access consoles and Jump Clients allow you to mass deploy BeyondTrust software to your macOS devices. This guide provides examples of how to mass-deploy BeyondTrust software using generally accepted deployment concepts. Actual deployment steps may vary.

Set privacy policy preference control

Starting with macOS Mojave (10.14), Apple introduced new privacy controls for end users. These controls require that applications be granted permission to access sensitive data or use macOS accessibility features. As an administrator, you can grant these permissions to an MDM-managed Mac using a Privacy Policy Preference Control (PPPC) profile. To ensure proper functionality of the BeyondTrust Remote Support Customer Client, deploy a PPPC profile targeting the following app bundle:

  • Identifier: com.bomgar.bomgar-scc
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.bomgar.bomgar-scc" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B65TM49E24

| Service | Purpose | Allowed |
| --- | --- | --- |
| Accessibility | Screen Sharing | true |
| SystemPolicyAllFiles (Full Disk Access) | File Transfer | true |
| ScreenCapture (Screen Recording) | Screen Sharing | AllowStandardUserToSetSystemService |

ℹ️

Note

Screen recording can only be configured via MDM to allow a non-admin user to provide consent. IT administrators cannot grant screen recording permissions on behalf of end users. This preference is applicable for systems running macOS Big Sur (11.0) and later.

Configure managed login items

Starting with macOS Ventura 13, Apple introduced a new framework for managing background tasks such as LaunchAgents, LaunchDaemons, and Login Items. BeyondTrust's Jump Client for Remote Support leverages background tasks to ensure the client is running at all times. Administrators can manage these background tasks using a Managed Login Items payload delivered to managed devices. To ensure proper functionality, deploy a configuration profile with the following values:

| Rule Type | Rule Value |
| --- | --- |
| Label Prefix | Bomgar |
| Team Identifier | B65TM49E24 |
| Label Prefix | com.bomgar |

Configure appliance

When deploying the Jump Client, there are two prerequisites that must be completed in Remote Support:

  • A user account with administrative permission to access the /login interface is required. This user can create Jump Clients only for Jump Groups where they have appropriate permissions.
  • To ensure that a single Jump Client installer can be used to pin a system to any Jump Group, a service account with Manage permissions on all Jump Groups must be created.

Create a service account user for Jump Client package creation

  1. Log in to the Remote Support user interface.
  2. Click Users & Security.
  3. Click Add.
  4. Fill in the basic details for the user account.
  5. Expand Account Settings.
  6. Check Account Never Expires, if necessary.
  7. Expand Access Permissions.
  8. Ensure Allowed to access endpoints is checked.
  9. Uncheck all boxes under the Session Management and User-to-User Screen Sharing areas.
  10. Under Allowed Jump Item Methods, ensure:
    • Jump Clients is checked.
    • All other methods are unchecked.
  11. Under Jump Item Roles, ensure:
    • The Default dropdown is set to Administrator.
    • The System dropdown is set to Administrator.
  12. Click Save.

Create a Jump Client installer package

  1. Log in to the Remote Support appliance using the new account created above.
  2. Click Jump.
  3. Click Add to add a new Jump Client Installer.
  4. Select a default Jump Group within the Jump Client Mass Deployment Wizard.
  5. Check Allow Override During Installation for all available options.
  6. Select your desired validity period from the This Installer is Valid For dropdown.
  7. Check Start Customer Client Minimized When Session is Started, to ensure a completely silent deployment.
  8. Click Create.
  9. From the Platform dropdown, select macOS (for programmatic installation).
  10. Click Download. A DMG file downloads. This is later imported into your management platform.

ℹ️

Note

Do not rename the downloaded DMG file.

Deploy manually

The BeyondTrust Remote Support Jump Client installer is delivered as a uniquely generated and named DMG file. This file has the format bomgar-scc-<uid>.dmg.

For deployment, the sequence of steps includes:

  1. Stage the DMG file in a temporary location.
  2. Mount the DMG file.
  3. Install the Remote Support Jump Client.
  4. Unmount the disk image.
  5. Remove the DMG from the temporary location.

Deploy using JAMF Pro

ℹ️

Note

This information is provided for general assistance when using JAMF Pro; however, BeyondTrust cannot provide support for third-party products, and their requirements and operations may change.

Upload package to Jamf software server

  1. Log in to your Jamf Software Server (JSS) via a web browser.

  2. Click Computers.

  3. Click Management Settings.

  4. Click the Computer Management tab.

  5. Click Packages.

  6. Click New.

  7. Fill out a display name, and choose a category (if applicable).

  8. Click Upload to choose the DMG file.

  9. Click Save.

Upload deployment script

  1. If necessary, log in to the JSS via a web browser.

  2. Click Computers.

  3. Click Management Settings.

  4. Click the Computer Management tab.

  5. Click Scripts.

  6. Click New.

  7. Copy and paste this sample deployment script on the Script tab (Remote Support versions 23.3.1 and later):

    hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-<uid>.dmg

    sudo /Volumes/bomgar-scc/Open\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

    sleep 15

    For Remote Support versions before 23.3.1, paste this script:

    hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-<uid>.dmg

    sudo /Volumes/bomgar-scc/Double-Click\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent

    sleep 15

  8. Update the file name to match the DMG file downloaded from your appliance.

  9. Click Save.

ℹ️

Note

Some networks or environments may have configurations that prevent endpoints from checking for malicious software. This can be addressed by adding

xattr -d com.apple.quarantine bomgar-scc-[uid].dmg

to the script, or by enabling Stapled Mac Notarization. Administrators should evaluate which approach is more appropriate for their environment.
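The five manual deployment steps and the sample Jamf script can be combined into one script that also checks the installer's code signature before running it, which matters most when the quarantine attribute is removed. This is an added example, not BeyondTrust's script; the function names, the use of Jamf script parameter 4 as a trigger, and the assumption that the installer app is signed with the Team ID shown in the PPPC code requirement are assumptions.

```shell
#!/bin/sh
# Added example (not BeyondTrust's script): stage check, mount, verify,
# install, unmount, remove. POSIX sh; the macOS tools are only invoked by
# deploy_jump_client.

# Assumption: the installer app is signed by the Team ID that the PPPC
# code requirement on this page pins (certificate leaf[subject.OU]).
TEAM_REQ='anchor apple generic and certificate leaf[subject.OU] = B65TM49E24'

# Step 1: accept the staging directory only if it holds exactly one regular,
# non-symlink bomgar-scc-<uid>.dmg. The file is never renamed.
find_staged_dmg() {
    jc_found=""
    jc_count=0
    for jc_f in "$1"/bomgar-scc-*.dmg; do
        if [ -f "$jc_f" ] && [ ! -L "$jc_f" ]; then
            jc_found=$jc_f
            jc_count=$((jc_count + 1))
        fi
    done
    [ "$jc_count" -eq 1 ] || return 1
    printf '%s\n' "$jc_found"
}

# Step 2 helper: read `hdiutil attach` output on stdin (tab-separated device,
# content type, mount point) and print the mount point of the mounted slice.
mount_point_from() {
    awk -F'\t' '$3 ~ /^\// { mp = $3 } END { if (mp == "") exit 1; print mp }'
}

# Step 3 helper: the installer app was renamed in Remote Support 23.3.1;
# print the sdcust binary for whichever name the mounted volume contains.
installer_binary() {
    for jc_name in "Open To Start Support Session" \
                   "Double-Click To Start Support Session"; do
        jc_bin="$1/$jc_name.app/Contents/MacOS/sdcust"
        if [ -x "$jc_bin" ]; then
            printf '%s\n' "$jc_bin"
            return 0
        fi
    done
    return 1
}

deploy_jump_client() {
    jc_dmg=$(find_staged_dmg "$1") || {
        echo "expected exactly one staged bomgar-scc-<uid>.dmg in $1" >&2
        return 1
    }
    jc_mp=$(hdiutil attach -nobrowse -readonly "$jc_dmg" | mount_point_from) || {
        echo "could not mount $jc_dmg" >&2
        return 1
    }
    jc_rc=1
    if jc_sdcust=$(installer_binary "$jc_mp"); then
        jc_app=${jc_sdcust%/Contents/MacOS/sdcust}
        # Refuse to run anything whose signature does not satisfy TEAM_REQ.
        if codesign --verify --deep --strict -R="$TEAM_REQ" "$jc_app"; then
            "$jc_sdcust" --silent && jc_rc=0
            sleep 15   # same settle time as the page's sample script
        else
            echo "signature check failed for $jc_app" >&2
        fi
    else
        echo "no installer app found on $jc_mp" >&2
    fi
    # Steps 4 and 5 run whether or not the install succeeded, so a mounted
    # or staged installer is not left behind on the endpoint.
    hdiutil detach "$jc_mp" -quiet || hdiutil detach "$jc_mp" -force
    rm -f "$jc_dmg"
    return "$jc_rc"
}

# Jamf reserves script parameters 1-3; parameter 4 set to "deploy" runs it.
if [ "${4:-}" = "deploy" ]; then
    deploy_jump_client "/Library/Application Support/JAMF/Waiting Room"
fi
```

A non-zero exit from the script marks the Jamf policy run as failed, so a signature mismatch shows up in the policy log instead of passing silently.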

ℹ️

Note

For detailed information on sdcust usage, see Mass Deploy Help located within the /login interface on Jump > Jump Client.

Create deployment policy

  1. If necessary, log in to the JSS via a web browser.

  2. Click Computers.

  3. Click Policies.

  4. Click New.

  5. Provide a policy name, configure desired policy triggers, and ensure Execution Frequency is Once Per Computer.

  6. Click Packages, and then click Configure.

  7. Click Add to select the Jump Client package from the list of available packages.

  8. Select Cache as the action. This makes the packages available in the JAMF downloads folder for use by the deployment script created earlier.

  9. Click Scripts from the left navigation menu.

  10. Click Add to select the deployment script created above.

  11. Confirm that the Priority is set to After.

  12. Click Save.

The created policy now runs based on the defined trigger(s) to install the BeyondTrust Jump Client.

Uninstall a Jump Client

To uninstall a Jump Client, remove it from the representative console.

If the client is not connected when it is removed from the console, the files are removed next time the client authorizes with the server.

ℹ️

Note

For information about Jump Client settings, see Jump Client settings.

Install on Raspberry Pi

To access the file system, command shell, and system info of a remote Raspberry Pi system, you can deploy a Jump Client to that system.

  1. From the /login administrative interface, go to Jump > Jump Clients.
  2. At the top of the Jump Client Installer List, click Add.
  3. From the Jump Group dropdown, select whether to pin the Jump Client to your personal list of Jump Items or to a Jump Group shared by other users. Pinning to your personal list of Jump Items means that only you (and higher ranking roles on your team, such as Team Lead and Team Manager if you are a Team Member, and Team Manager if you are a Team Lead) can access this remote computer through this Jump Client. Pinning to a shared Jump Group makes this Jump Client available to all members of that Jump Group.
  4. Select the Public Portal through which you want this Jump Client to connect. If a session policy is assigned to this public portal, that policy may affect the permissions allowed in sessions started through this Jump Client.
  5. The Customer Present Session Policy does not apply to headless Jump Clients.
  6. You can choose a Customer Not Present Session Policy to apply to this Jump Client. A session policy assigned to this Jump Client has the highest priority when setting session permissions.

ℹ️

Note

We recommend that you not set a session policy for a headless Jump Client.

  7. You can apply a Jump Policy to this Jump Client. Jump Policies are configured on the Jump > Jump Policies page and determine the times during which a user can access this Jump Client. If no Jump Policy is applied, this Jump Client can be accessed at any time.

  8. Adding a Tag helps to organize your Jump Clients into categories within the representative console.

  9. When a Jump Client is first deployed, if it cannot connect to the B Series Appliance, it searches the local network for a Jumpoint or Jumpoint cluster serving as a Jump Zone Proxy. This allows a Jump Client installed on a system without a native internet connection to use the Jumpoint to connect back to the B Series Appliance.

    In the special case where the Jump Client and Jumpoint are not on the same local network or where a firewall blocks the Jump Client's attempt to connect to the Jumpoint, the Jumpoint Proxy setting allows you to set which Jumpoint the Jump Client should try to use as a proxy.

    The Jumpoint selected here must be a standalone Jumpoint running as a Jump Zone Proxy. While Jump Clients can connect to clustered Jumpoints running as a Jump Zone Proxy, you cannot select a clustered Jumpoint in this wizard.

  10. Add Comments, which can be helpful in searching for and identifying remote computers. Note that all Jump Clients deployed via this installer have the same comments set initially, unless you check Allow Override During Installation and use the available parameters to modify the installer for individual installations.

  11. The installer remains usable only as long as specified by the This Installer is Valid For dropdown. Be sure to leave adequate time for installation. If someone should attempt to run the Jump Client installer after this time, installation fails, and a new Jump Client installer must be created. Additionally, if the installer is run within the allotted time but the Jump Client is unable to connect to the B Series Appliance within that time, the Jump Client uninstalls, and a new installer must be deployed. The validity time can be set for anywhere from 10 minutes to 1 year. This time does NOT affect how long the Jump Client remains active.

    In addition to expiring after the period given by the This Installer is Valid For option, Jump Client mass deployment packages invalidate when their BeyondTrust Appliance B Series is upgraded. The only exception to this rule is live updates which change the license count or license expiration date. Any other updates, even if they do not change the version number of the B Series Appliance, invalidate the Jump Client installers from before the upgrade.

    Once a Jump Client has been installed, it remains online and active until it is uninstalled from the local system either by a logged-in admin user with appropriate permissions, by a user from the Jump interface, or by an uninstall script. It can also be uninstalled, or extended, from the Jump Client Installer List. A user cannot remove a Jump Client unless the user is given appropriate permissions by their admin from the /login interface.

  12. The options Attempt an Elevated Install if the Client Supports It, Prompt for Elevation Credentials If Needed, and Start Customer Client Minimized When Session Is Started do not apply to headless Jump Clients.

  13. Once you click Create, select the Raspberry Pi OS option and click Download.

  14. Using your preferred method, push the Jump Client installer file to each headless system you wish to access.

  15. Once the installer file is on the remote system, install the file in a location to which you have write permission, using --install-dir. You must have permission to write to this location, and the path must not already exist. Any additional parameters must also be specified at this time, as described below.

    sh ./bomgar-scc-{uid}.bin --install-dir /home/pi/<dir>

  16. You can also override certain installation parameters specific to your needs. When you mark specific installation options for override during installation, you can use the following optional parameters to modify the Jump Client installer for individual installations. Note that if a parameter is passed on the command line but not marked for override in the /login administrative interface, the installation fails. If the installation fails, view the operating system event log for installation errors.

| Command line parameter | Value | Description |
| --- | --- | --- |
| --install-dir | <directory_path> | Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to. |
| --jc-name | <name...> | If override is allowed, this command line parameter sets the Jump Client's name. |
| --jc-jump-group | user: <username> or jumpgroup: <jumpgroup-code-name> | If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard. |
| --jc-public-site-address | <public-site-address-host-name> | If override is allowed, this command line parameter associates the Jump Client with the public portal which has the given hostname as a site address. If no public portal has the given hostname as a site address, then the Jump Client reverts to using the default public site. |
| --jc-session-policy-present | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is present at the console. |
| --jc-session-policy-not-present | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is not present at the console. |
| --jc-jump-policy | <jump-policy-code-name> | If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client. |
| --jc-tag | <tag-name> | If override is allowed, this command line parameter sets the Jump Client's tag. |
| --jc-comments | <comments…> | If override is allowed, this command line parameter sets the Jump Client's comments. |
| --jc-max-offline-minutes | <minutes> | If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost. |
| --jc-ephemeral | None | If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting --jc-max-offline-minutes 5. |
| --silent | None | If specified, the Jump Client performs a silent installation. No user interaction is requested and no user interface is displayed during the process. |

  17. After installing the Jump Client, you must start its process. The Jump Client must be started for the first time within the time specified by This Installer Is Valid For.

    /home/pi/<dir>/init-script start

    This init script also accepts the stop, restart, and status arguments. You can use ./init-script status to make sure the Jump Client is running.

  18. You must also arrange for init-script start to run at boot in order for the Jump Client to remain available whenever the system restarts. An example systemd service displays once the Jump Client is installed. Copy this information and create the new service for the Jump Client, filename.service (where filename is any name you choose), following these steps:

    • cd /etc/systemd/system
    • vi filename.service
    • Paste the copied information.
    • Run chmod 777 filename.service
    • Reload the systemctl daemon.
    • Enable and start the service file.
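The unit file created in these steps is read by systemd at every boot, and mode 777 leaves it writable by every local account. The following check is an added example, not BeyondTrust's code: it reports a unit file, the programs its Exec lines start, and their directories when any of them is writable by group or others, so it can be run before the service is enabled. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not BeyondTrust's code): check a Jump Client unit file and
# the programs it starts for write access by anyone other than the owner.

# Succeeds when group or others hold write permission on the path.
# Reads the mode string from ls (for example "-rwxrwxrwx"): character 6 is
# the group write bit, character 9 the write bit for others.
writable_by_non_owner() {
    au_mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case $au_mode in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the program path from every Exec*= line (ExecStart, ExecStop, ...),
# dropping systemd's prefix characters such as "-", "@" and "+".
# Paths containing whitespace are not handled.
exec_targets() {
    sed -n 's/^Exec[A-Za-z]*=[-@:+!]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Print one finding per line for the unit, each program it runs, and each
# program's directory (a writable directory allows the file to be swapped).
list_findings() {
    if writable_by_non_owner "$1"; then
        echo "unit file writable by group/others: $1"
    fi
    exec_targets "$1" | while IFS= read -r au_target; do
        [ -e "$au_target" ] || continue
        if writable_by_non_owner "$au_target"; then
            echo "program writable by group/others: $au_target"
        fi
        au_dir=$(dirname "$au_target")
        if writable_by_non_owner "$au_dir"; then
            echo "directory writable by group/others: $au_dir"
        fi
    done
}

# Return 0 when the unit is clean, 1 (after printing findings) otherwise.
audit_unit() {
    if [ ! -f "$1" ]; then
        echo "not a regular file: $1"
        return 1
    fi
    au_report=$(list_findings "$1")
    if [ -z "$au_report" ]; then
        return 0
    fi
    printf '%s\n' "$au_report"
    return 1
}

# Usage on the endpoint (filename.service is the name chosen above):
#   audit_unit /etc/systemd/system/filename.service
```

systemd itself logs a warning when it loads a world-writable unit file, so the same condition is also visible in the journal after the daemon reload.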

Uninstall a Jump Client

To uninstall a Jump Client, remove it from the representative console.

  • If the client is not connected when it is removed from the console, the files are removed next time the client authorizes with the server.
  • Manual changes made for the Jump Client to start on boot are not removed.

Jump Clients can be removed from a device using a script:

/home/pi/<dir>/uninstall

This will leave an entry in the representative console interface. The entry is automatically marked uninstalled or deleted, depending on your Jump Client Settings. Manual changes made for the Jump Client to start on boot are not removed by the script.

ℹ️

Note

For information about Jump Client settings, see Jump Client settings.

Install on Windows

Installation parameters can be specified for the MSI installer using a systems administration tool or the command line interface.

When using a command line or system management tool to install, you can override certain installation parameters. For any setting with Allow override during installation checked, you can modify the Jump Client installer with the following parameters for each installation.

ℹ️

Note

If a parameter is passed on the command line but the setting is not marked for override in the administrative interface, the installation fails. View the operating system event log for installation errors.

| Command line parameter | Value | Description |
| --- | --- | --- |
| INSTALLDIR= | <directory_path> | Specifies a new writable directory under which to install the Jump Client. This is supported only on Windows and Linux. When defining a custom install directory, ensure that the directory you are creating does not already exist and is in a location that can be written to. |
| KEY_INFO= | | Optionally, provide the Jump Client key. The key is built into the file name of a standard Jump Client installer but must be provided for a generic Jump Client installer. |
| ONLINE_INSTALL= | Blank or 1 | If set to 1, causes the installation to fail if it cannot immediately reach the appliance. The default is blank. |
| jc_name= | <name...> | If override is allowed, this command line parameter sets the Jump Client's name. |
| jc_jump_group= | user: <username> or jumpgroup: <jumpgroup-code-name> | If override is allowed, this command line parameter overrides the Jump Group specified in the Mass Deployment Wizard. |
| jc_public_site_address= | <public-site-address-host-name> | If override is allowed, this command line parameter associates the Jump Client with the public portal which has the given hostname as a site address. If no public portal has the given hostname as a site address, then the Jump Client reverts to using the default public site. |
| jc_session_policy_present= | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is present at the console. |
| jc_session_policy_not_present= | <session-policy-code-name> | If override is allowed, this command line parameter sets the Jump Client's session policy that controls the permission policy during a support session if the customer is not present at the console. |
| jc_jump_policy= | <jump-policy-code-name> | If override is allowed, this command line parameter sets the Jump Policy that controls how users are allowed to Jump to the Jump Client. |
| jc_tag= | <tag-name> | If override is allowed, this command line parameter sets the Jump Client's tag. |
| jc_comments= | <comments…> | If override is allowed, this command line parameter sets the Jump Client's comments. |
| jc_max_offline_minutes= | <minutes> | If override is allowed, this command line parameter sets the number of minutes the Jump Client can be offline before being considered lost. |
| jc_ephemeral= | None | If override is allowed on Maximum Offline Minutes, this command line parameter sets the Jump Client to ephemeral mode, marking it as uninstalled if it goes offline for more than 5 minutes. This is the same as setting jc_max_offline_minutes=5. |
| /quiet | None | If specified, the Jump Client performs a silent installation. No user interaction is requested and no user interface is displayed during the process. |

ℹ️

Note

If /quiet is selected, Run as Administrator must be used; otherwise, the installation will fail since an installation prompt does not display.

msiexec /i bomgar-scc-win32.msi jc_jump_group=jumpgroup:general jc_tag=servers

Normally, when msiexec runs, no messages display in the command line interface. To wait for the installation to complete and to check for any errors, you can set up your command like this:

$ start /wait msiexec /qn /i sra-pin-21fce94dee1940e.msi ONLINE_INSTALL=1
$ echo %ERRORLEVEL%

The error output will be either 0 to indicate success or a number indicating an error. For more information about error codes, see https://learn.microsoft.com/en-us/windows/win32/msi/error-codes

Modify Windows proxy information

In some cases, the proxy settings of an existing Windows Jump Client must be manually modified to accommodate changes in the proxy environment. The Jump Client has built-in logic to automatically detect updated proxy information within a 24-hour period. However, if the proxy enforces authentication, then the end-user is prompted to enter authentication credentials. If the system is unattended, then credentials and/or other proxy information may need to be manually entered.

The following steps guide you through manually modifying proxy-related sections of the settings.ini file used by the Jump Client.

ℹ️

Note

If a large number of systems must be manually modified, the process can be automated. You can develop a script to do this, or contact BeyondTrust Technical Support to engage the BeyondTrust Professional Services group.

To manually modify the proxy information for a pre-existing Jump Client on a Windows system:

  1. Go to C:\ProgramData\bomgar-scc-<uid>, where <uid> is the Jump Client's unique ID.
  2. Locate and edit the settings.ini file.
  3. Within settings.ini, locate the proxy-related section, titled [Proxy]. An example existing proxy section is shown below.

    [Proxy]
    version=2
    detect_failed=0
    [Proxy\support.example.com:443\LastGood]
    Proxy=DIRECT
    [Proxy\support.example.com:443\Detected\1]
    Proxy=DIRECT

  4. Remove all of the settings within the [Proxy] section and replace them with the settings that follow. Replace all placeholder text with the appropriate information.

    [Proxy]
    version=1
    ProxyUser=<domain\user>
    ProxyPass=<password>
    [Proxy\Manual]
    ProxyMethod=<numeric value of 0=DIRECT, 100=HTTP CONNECT, 200=SOCKS4>
    ProxyHost=<proxy hostname/ip>
    ProxyPort=<proxy port>

    An example of a manually modified section is below.

    [Proxy]
    version=1
    ProxyUser=myDomain\proxyUser
    ProxyPass=MyPassword
    [Proxy\Manual]
    ProxyMethod=200
    ProxyHost=myproxyserver.example.com
    ProxyPort=8443

  5. Save and close the settings.ini file.
  6. Either reboot the system or stop/start the BeyondTrust Jump Client service for the new information to apply.
  7. The Jump Client now uses the manually defined proxy information.

ℹ️

Note

After making the above changes to the settings.ini file, the defined username and password which were entered in plain text will be hashed into an unreadable format.

Mass deploy on Windows

Avoid deploying duplicates

When mass-deploying the SRA Jump Client MSI with tools such as SCCM or Altiris, it is important to avoid installing duplicate clients, because this can cause multiple deployment failures. BeyondTrust does not provide any utilities for deploying clients, but there are some basic methodologies you can use to script a deployment system that will only install Jump Clients on systems that do not have one installed already. These methods depend on whether you already have Jump Clients installed.

If you have already installed Jump Clients, your script can be modified to prevent duplicates. If you have not yet installed Jump Clients, you can use the INSTALLDIR MSI variable or a custom file as described below. When you use INSTALLDIR, the MSI installation package itself automatically aborts if it finds that the directory you specify already exists. If you choose the custom file option, you must script the install to check for this file prior to running the MSI installation package.

Prevent additional duplicates

If your deployment tool has already deployed duplicate clients, edit your script so that the tool aborts installation if the target system matches either of these conditions:

  • The system has any bomgar-scc.exe processes running.
  • The system has any DisplayName registry entries matching BeyondTrust Remote Support Jump Client [support.example.com], where support.example.com matches the hostname of your SRA appliance.

Prevent duplicates before deployment

If your deployment tool has not yet deployed any clients, you can script the tool to use the INSTALLDIR variable or deploy a custom file during the install process.

Use INSTALLDIR

Follow these steps to use the INSTALLDIR variable:

  1. From the /login administrative interface, go to Jump > Jump Clients.

  2. At the top of the Jump Client Installer List, click Add.

  3. Enter the appropriate mass deployment wizard parameters.

  4. Click Create.

  5. Select Windows (x64) MSI, copy the string after KEY_INFO=, and then click Download/Install.

  6. Load the downloaded MSI into your deployment tool and script the tool to install it using the following command:

    msiexec /i bomgar-scc-win64.msi KEY_INFO=<key_info_string> INSTALLDIR=<installDir> /quiet

    where <key_info_string> is the KEY_INFO string you copied earlier and <installDir> is the install directory of your choice.

  7. Configure the deployment tool to abort installation if it finds the install directory you have chosen is already present.

Use a custom file

You have the option of deploying a custom file during installation and automatically aborting subsequent duplicate installation if this file is found. To do this:

  1. Save a small text file with a descriptive title such as RSJumpClient.txt to a shared network location accessible from all systems on which Jump Clients will be deployed.
  2. Follow the above steps for using INSTALLDIR to create and download an MSI installation file.
  3. Configure the script to abort if the RSJumpClient.txt file already exists, or copy it to the local system and install the MSI file if the text file does not exist.

Manage deployment rate

It is important to consider rate of deployment if mass deploying on a large scale. A large number of simultaneous client installations can cause network traffic delays.

Depending on the deployment method used, the granular control allowed may vary. We recommend deploying no more than 60 clients per minute to avoid installation failures and degraded performance. For reference, 60 clients per minute equates to:

  • 1 client install per second
  • 60 client installs per minute
  • 3,600 client installs per hour

Performance impact may vary with environmental factors, usage patterns, and appliance resources. BeyondTrust recommends starting mass deployment conservatively with smaller scale pushes at slower rates to confirm acceptable performance before gradually scaling up the number and rate of deployment.

Uninstall a Jump Client

To uninstall a Jump Client, remove it from the representative console.

If the client is not connected when it is removed from the console, the files are removed next time the client connects to the appliance.

Jump Clients can be removed from a device using Add/Remove Programs or msiexec /x. This will leave an entry in the representative console interface. The entry is automatically marked uninstalled or deleted, depending on your Jump Client settings.

ℹ️

Note

For information about Jump Client settings, see Jump Client settings.


©2003-2025 BeyondTrust Corporation. All Rights Reserved.