Session Policies: Set Session Permission and Prompting Rules

Session Policies

With session policies, you can customize session security permissions to fit specific scenarios. Session policies can be applied to users, public sites, and all Jump Items.

For more information, please see How to Use Support Session Policies.

The Session Policies section lists available policies. Click the arrow by a policy name to quickly see where that policy is being used; its availability for users, rep invites, and Jump Clients; the support tools configured; and the prompting configured.

Add, Edit, Delete

Create a new policy, modify an existing policy, or remove an existing policy.

Copy

To expedite the creation of similar policies, click Copy to create a new policy with identical settings. You can then edit this new policy to meet your specific requirements.

Add or Edit Session Policy

After making your edits, click Save to make this policy available.

Display Name

Create a unique name to help identify this policy. This name helps when assigning a session policy to users, public portals, and Jump Clients.

Code Name

Set a code name for integration purposes. If you do not set a code name, one is created automatically.

Description

Add a brief description to summarize the purpose of this policy. The description is seen when applying a policy to user accounts, group policies, and rep invites.

Availability

Users

Choose if this policy should be available to assign to users (user accounts and group policies).

Rep Invite

Choose if this policy should be available for users to select when inviting an external user to join a session.

Jump Items

Choose if this policy should be available to assign to Jump Items.

Dependencies

If this session policy is already in use, you will see the number of users, public portals, and Jump Clients using this policy.

Permissions

For all of the permissions that follow, you can choose to enable or disable the permission, or you can choose to set it to Not Defined. Session policies are applied to a session in a hierarchical manner, with Jump Clients taking the highest priority, then support portals, then users, and then the global default. If multiple policies apply to a session, then the policy with the highest priority will take precedence over the others. If, for example, the policy applied to a Jump Client defines a permission, then no other policies may change that permission for the session. To make a permission available for a lower policy to define, leave that permission set to Not Defined.

For details and examples, see How to Use Support Session Policies.

Set which tools should be enabled or disabled with this policy, as well as which tools should prompt the customer for permission.

Support Tool Prompting

For more information, please see Customer Client: Support Session Interface.

Prompting Rules

Choose whether to ask the customer for permission to use any of the support features below. Select No Prompting to never prompt, Always Prompt to always prompt, or Prompt for Some Tools to choose which permissions to prompt for. If Prompt for Some Tools is chosen, a Prompt Customer option will appear beside each tool with the options to Never prompt or to Always prompt. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to prompt once

If Screen Sharing is set to View and Control and prompting is enabled, this option appears. Check the box to make the screen sharing prompt request access to all tools during the session, with no further prompts.

Prompting Options

Set how long to wait for a response to a prompt before defaulting to the answer of Deny or Allow. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Screen Sharing

Screen Sharing Rules

Enable the user to view or control the remote screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Screen Share with the Remote Customer for View and Control.

Allowed to show their screen to the customer

Enables the user to share their screen with the customer during a support session. This option is available if View Only or View and Control is selected.

For more information, please see Show My Screen: Reverse Screen Share.

Allowed Customer Restrictions

Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed. This option is available if View and Control is selected. If Display, Mouse and Keyboard is the selected Customer Restriction, a check box is available to Automatically request a privacy screen on session start. Privacy screen is applicable only for sessions started from a Jump Client, a Remote Jump item, or a Local Jump item. We recommend using privacy screen for unattended sessions. The remote system must support privacy screen.

For more information, please see Restricted Customer Interaction: Privacy Screen, Disable Remote Input.

Application Sharing Prompt Behavior

Set if a request for screen sharing should always or never prompt the customer to select applications to share, or if the user can choose whether to prompt for application sharing or not. Selecting Always or Rep Decides also allows you to predefine application sharing restrictions.

For more information, please see Application Sharing: Limit What the Representative Can See.

Clipboard Synchronization Direction

This option is available if View and Control is selected. Select how clipboard content flows between representatives and end users. The options are:

  • Not allowed: The representative is not allowed to use the clipboard, no clipboard icons display in the representative console, and cut and paste commands do not work.
  • Allowed from Rep to Customer: The representative can push clipboard content to the customer but cannot paste from the end user's clipboard. Only the Send clipboard icon displays in the representative console.
  • Allowed in Both Directions: Clipboard content can flow both ways. Both Push and Get clipboard icons display in the representative console.

For more information about the Clipboard Synchronization Mode, please see Security: Manage Security Settings.

Annotations

Annotation Rules

Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Use Annotations to Draw on the Remote Screen.

File Transfer

File Transfer Rules

Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on customer's filesystem

Allow the user to transfer files to or from any directories on the remote system or only specified directories.

Accessible paths on representative's filesystem

Allow the user to transfer files to or from any directories on their local system or only specified directories.

For more information, please see File Transfer to and from the Remote System.

Command Shell

Command Shell Rules

Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Command shell access cannot be restricted for Shell Jump sessions.

For more information, please see Access the Remote Command Shell.

System Information

System Information Rules

Enables the user to see system information about the remote computer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to use system information actions

Enables the user to interact with processes and programs on the remote system without requiring screen sharing. The user can kill processes; start, stop, pause, resume, and restart services; and uninstall programs.

For more information, please see View Remote System Information.

Registry Access

Registry Access Rules

Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. The user can view, add, delete, and edit keys, as well as search and import/export keys.

For more information, please see Access the Remote Registry Editor.

Canned Scripts

Canned Script Rules

Enables the user to run canned scripts that have been created for their teams. Note that when the user is in view-only screen sharing, the customer receives a prompt to allow the script to run. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Access the Remote Command Shell.

Elevation

Elevation Rules

Enables the user to attempt to elevate the customer client to run with administrative rights on the remote system. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Elevate the Client.

Support Button Deployment

Support Button Deployment Rules

Enables the user to deploy or remove a Support Button while in a session. Locations available for deployment depend on the Support Button settings above. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Support Session Overview and Tools.

Jump Clients Pinning/Unpinning

Jump Clients Pinning/Unpinning Rules

Enables the user to pin or unpin a Jump Client while in a session. Locations available for deployment depend on the Jump Client settings above. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

For more information, please see Support Session Overview and Tools.

Chat

For more information, please see Chat with the Customer During a Session.

Chat Rules

Enables the user to chat with the remote customer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to push URLs to the customer's web browser

Enables the user to enter a URL into the chat area and then click the Push URL button to automatically open a web browser to that address on the remote computer.

Allowed to send files using the chat interface

Enables the user to send files via the chat interface.

For more information, please see Customer Client: Support Session Interface.

Session Termination Behavior

Choose what action to take if the session cannot reconnect within the time set by Reconnect Timeout. To prevent an end user from accessing unauthorized privileges after an elevated session, set the client to automatically log the end user out of the remote Windows computer at session end, to lock the remote computer, or to do nothing. These rules do not apply to browser sharing sessions.

Allow users to override this setting per session

You can allow a user to override the session termination setting from the Summary tab in the console during a session.

Export Policy

You can export a session policy from one site and import those permissions into a policy on another site. Edit the policy you wish to export and scroll to the bottom of the page. Click Export Policy and save the file.

Import Policy

You may import those policy settings to any other BeyondTrust site that supports session policy import. Create a new session policy and scroll to the bottom of the page. Browse to the policy file and then click Import Policy. Once the policy file is uploaded, the page will refresh, allowing you to make modifications. Click Save Policy to make the policy available.

Session Policy Simulator

The Session Policy Simulator allows you to determine what the outcome of complex policy layering will be. The simulator can also be used to troubleshoot permission errors, such as a permission being unexpectedly unavailable.

Representative

Start by selecting the user performing the session. This dropdown includes user accounts and rep invite policies.

Session Start Method

Select the session start method to use for this simulation.

Public Portal

If you selected Public Portal, choose the public portal to use for this simulation of a customer-initiated session.

Support Button

If you selected Support Button, search for a deployed Support Button by profile, associated public portal, associated queue, computer name, or description. The associated public portal will be automatically selected above.

Jumpoint or Local Jump

Because local Jumps and Jumpoints are always associated with the default public portal, there are no further settings to define.

Jump Client, Local Jump Shortcut, Remote Jump Shortcut, Local VNC Jump Shortcut, Remote VNC Jump Shortcut, Remote RDP Jump Shortcut, Local RDP Jump Shortcut, Shell Jump Shortcut, Intel® vPro Shortcut

Search for a pinned Jump Client or Jump Shortcut by name, comments, Jump Group, tag, or associated public portal. The associated public portal will be automatically selected above.

Customer Present

If you selected Jump Client, you can choose whether the customer should appear as present or not.

Simulate

Click Simulate. In the area below, the permissions configurable by session policy are displayed in read-only mode. You can see which permissions are allowed or denied as a result of the stacked policies, as well as which policy set each permission.
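
The precedence rule from the Permissions section, and the per-permission attribution the Session Policy Simulator reports, sketched as an added example (not BeyondTrust code). The layer keys, permission keys and sample policies are constructed for illustration; None stands for Not Defined.

```python
# Added illustration; not BeyondTrust code. Layer keys, permission keys and
# the sample policies below are constructed for this example.
PRIORITY = ["jump_client", "public_portal", "user", "global_default"]  # highest first
SENSITIVE = {"command_shell", "file_transfer", "elevation", "registry_access"}

# None stands for "Not Defined"; True/False for enabled/disabled.
SAMPLE = {
    "jump_client": ("Unattended Servers", {"command_shell": False, "file_transfer": None}),
    "user": ("Tier 2 Reps", {"command_shell": True, "file_transfer": True,
                             "registry_access": True}),
    "global_default": ("Global", {"command_shell": False, "file_transfer": False,
                                  "elevation": False, "registry_access": False}),
}

def simulate(layers):
    """Map each permission to (value, layer, policy) for the layer that decided it."""
    perms = sorted({p for _, settings in layers.values() for p in settings})
    resolved = {}
    for perm in perms:
        resolved[perm] = (None, None, None)  # every applied layer left it Not Defined
        for layer in PRIORITY:
            if layer not in layers:  # no policy applied at this level
                continue
            policy, settings = layers[layer]
            value = settings.get(perm)
            if value is not None:  # the first layer that defines it wins
                resolved[perm] = (value, layer, policy)
                break
    return resolved

def enabled_sensitive(resolved):
    """Sensitive tools that end up enabled, with the policy that granted them."""
    return [(p, layer, policy) for p, (value, layer, policy) in sorted(resolved.items())
            if value is True and p in SENSITIVE]

def blocked_grants(layers, resolved):
    """Grants in a lower-priority policy that a higher-priority policy disabled."""
    out = []
    for layer, (policy, settings) in layers.items():
        for perm, value in settings.items():
            final, deciding, _ = resolved[perm]
            if value is True and final is False and deciding != layer:
                out.append((perm, policy, deciding))
    return sorted(out)
```

`blocked_grants` answers the troubleshooting question of why a permission is unexpectedly unavailable, while `enabled_sensitive` gives a reviewer the list of high-risk tools a session would actually receive and which policy to change to remove them.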