Review Additional Considerations for Jump Client Mass Deployment — macOS

The installer files for access consoles and Jump Clients allow you to mass deploy BeyondTrust software to your macOS devices. This guide provides examples of how to mass-deploy BeyondTrust software using generally accepted deployment concepts. Actual deployment steps may vary.

Set Privacy Policy Preference Control

Starting with macOS Mojave (10.14), Apple introduced new privacy controls for end users. These controls require that applications be granted permission to access sensitive data or use macOS accessibility features. As an administrator, you can grant these permissions to an MDM-managed Mac using a Privacy Policy Preference Control (PPPC) profile. To ensure proper functionality of the BeyondTrust Remote Support Customer Client, deploy a PPPC profile targeting the following app bundle:

  • Identifier: com.bomgar.bomgar-scc
  • Identifier Type: Bundle ID
  • Code Requirement: identifier "com.bomgar.bomgar-scc" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B65TM49E24

| Service | Purpose | Allowed |
| --- | --- | --- |
| Accessibility | Screen Sharing | true |
| SystemPolicyAllFiles (Full Disk Access) | File Transfer | true |
| ScreenCapture (Screen Recording) | Screen Sharing | AllowStandardUserToSetSystemService |

Screen recording can only be configured via MDM to allow a non-admin user to provide consent. IT administrators cannot grant screen recording permissions on behalf of end users. This preference is applicable for systems running macOS Big Sur (11.0) and later.

Configure Managed Login Items

Starting with macOS Ventura 13, Apple introduced a new framework for managing background tasks such as LaunchAgents, LaunchDaemons, and Login Items. BeyondTrust's Jump Client for Remote Support leverages background tasks to ensure the client is running at all times. Administrators can manage these background tasks using a Managed Login Items payload delivered to managed devices. To ensure proper functionality, deploy a configuration profile targeting the below values:

| Rule Type | Rule Value |
| --- | --- |
| Label Prefix | Bomgar |
| Team Identifier | B65TM49E24 |
| Label Prefix | com.bomgar |

Configure Appliance

When deploying the Jump Client, there are two prerequisites that must be completed in Remote Support:

  • A user account with administrative permission to access the /login interface is required. This user can create Jump Clients only for Jump Groups where they have appropriate permissions.
  • To ensure that a single Jump Client installer can be used to pin a system to any Jump Group, a service account with Manage permissions on all Jump Groups must be created.

Create a Service Account User for Jump Client Package Creation

  1. Log in to the Remote Support user interface.
  2. Click Users & Security.
  3. Click Add.
  4. Fill in the basic details for the user account.
  5. Expand Account Settings.
  6. Check Account Never Expires, if necessary.
  7. Expand Access Permissions.
  8. Ensure Allowed to access endpoints is checked.
  9. Uncheck all boxes under the Session Management and User-to-User Screen Sharing areas.
  10. Under Allowed Jump Item Methods, ensure:
    • Jump Clients is checked
    • All other methods are unchecked
  11. Under Jump Item Roles, ensure:
    • Default dropdown is set to Administrator
    • System dropdown is set to Administrator
  12. Click Save.

Create a Jump Client Installer Package

  1. Log in to the Remote Support appliance using the new account created above.
  2. Click Jump.
  3. Click Add to add a new Jump Client Installer.
  4. Select a default Jump Group within the Jump Client Mass Deployment Wizard.
  5. Check Allow Override During Installation for all available options.
  6. Select your desired validity period from the This Installer is Valid For dropdown.
  7. Check Start Customer Client Minimized When Session is Started, to ensure a completely silent deployment.
  8. Click Create.
  9. From the Platform dropdown, select macOS (for programmatic installation).
  10. Click Download. A DMG file downloads. This is later imported into your management platform.

Do not rename the downloaded DMG file.

Deploy Manually

The BeyondTrust Remote Support Jump Client installer is delivered as a uniquely generated and named DMG file. This file has the format bomgar-scc-<uid>.dmg.

For deployment, the sequence of steps includes:

  1. Stage the DMG file in a temporary location.
  2. Mount the DMG file.
  3. Install the Remote Support Jump Client.
  4. Unmount the disk image.
  5. Remove the DMG from the temporary location.
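
The five steps above as a single script, as an added example rather than BeyondTrust's own code: it takes the app path and the `sdcust --silent` call from the sample Jamf script on this page and adds a check, before anything is executed, that the installer is signed under the Team ID listed above (B65TM49E24). The private mount point, the signer check, the exit codes and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not vendor code): stage -> mount -> verify -> install -> unmount -> remove.
# Assumptions: the private mount point, the signer check, and that the installer
# app in the DMG is signed under the Team ID the page lists (B65TM49E24).
APP_REL="Open To Start Support Session.app"   # app and sdcust path as in the page's sample script
TEAM_REQ='anchor apple generic and certificate leaf[subject.OU] = "B65TM49E24"'
SETTLE_SECS=${SETTLE_SECS:-15}                # same pause the page's sample script uses

# Print the one staged installer in directory $1; fail if none or several
# match, so a stale or unexpected image is never picked up.
find_dmg() {
  local f found="" n=0
  for f in "$1"/bomgar-scc-*.dmg; do
    [ -f "$f" ] || continue
    found=$f; n=$((n + 1))
  done
  [ "$n" -eq 1 ] || return 1
  printf '%s\n' "$found"
}

# Run the manual deployment steps for the DMG staged in directory $1.
# Returns 0 ok, 2 no unique DMG, 3 mount failed, 4 signer mismatch, 5 installer failed.
deploy_jump_client() {
  local dmg mnt rc=0
  dmg=$(find_dmg "$1") || return 2
  mnt=$(mktemp -d) || return 3
  # Mount read-only and hidden from Finder at a private mount point.
  if ! hdiutil attach "$dmg" -nobrowse -readonly -mountpoint "$mnt" >/dev/null; then
    rmdir "$mnt"; return 3
  fi
  # Run the installer only if it is signed by the expected Team ID.
  if ! codesign --verify --strict -R "=$TEAM_REQ" "$mnt/$APP_REL"; then
    rc=4
  elif "$mnt/$APP_REL/Contents/MacOS/sdcust" --silent; then
    sleep "$SETTLE_SECS"
  else
    rc=5
  fi
  # Always unmount; delete the DMG only after a successful install.
  hdiutil detach "$mnt" >/dev/null || hdiutil detach "$mnt" -force >/dev/null
  rmdir "$mnt" 2>/dev/null || true
  [ "$rc" -ne 0 ] || rm -f "$dmg"
  return "$rc"
}

# Run only on macOS when a staging directory is passed as the first argument.
if [ "$(uname -s)" = "Darwin" ] && [ "$#" -ge 1 ]; then
  deploy_jump_client "$1"
fi
```

Pass the staging directory as the first argument, for example the Jamf Waiting Room path used in the sample script. A non-zero exit leaves the DMG in place so the run can be retried after the cause is investigated.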

Deploy using JAMF Pro

This information is provided for general assistance when using JAMF Pro. However, BeyondTrust cannot provide support for third-party products, and their requirements and operations may change.

Upload Package to Jamf Software Server

  1. Log in to your Jamf Software Server (JSS) via a web browser.
  2. Click Computers.
  3. Click Management Settings.
  4. Click the Computer Management tab.
  5. Click Packages.
  6. Click New.
  7. Fill out a display name, and choose a category (if applicable).
  8. Click Upload to choose the DMG file.
  9. Click Save.

Upload Deployment Script

  1. If necessary, log in to the JSS via a web browser.
  2. Click Computers.
  3. Click Management Settings.
  4. Click the Computer Management tab.

  5. Click Scripts.
  6. Click New.
  7. Copy and paste this sample deployment script on the Script tab:

        # Mount the cached installer image from the Jamf Waiting Room.
        hdiutil attach /Library/Application\ Support/JAMF/Waiting\ Room/bomgar-scc-<uid>.dmg
        # Run the Jump Client installer silently from the mounted volume.
        sudo /Volumes/bomgar-scc/Open\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent
        # Pause before the script exits.
        sleep 15

  8. Update the file name to match the DMG file downloaded from your appliance.
  9. Click Save.

Some networks or environments may have configurations that prevent endpoints from checking for malicious software. This can be addressed by adding
xattr -d com.apple.quarantine bomgar-scc-[uid].dmg
to the script, or by enabling Stapled Mac Notarization. Administrators should evaluate which approach is more appropriate for their environment.

For detailed information on sdcust usage, see Mass Deploy Help located within the /login interface on Jump > Jump Client.

Create Deployment Policy

  1. If necessary, log in to the JSS via a web browser.
  2. Click Computers.
  3. Under Content Management, click Policies.
  4. Click New.
  5. Provide a policy name, configure desired policy triggers, and ensure Execution Frequency is Once Per Computer.
  6. Click Packages, and then click Configure.
  7. Click Add to select the Jump Client package from the list of available packages.
  8. Select Cache as the action. This makes the packages available in the JAMF downloads folder for use by the deployment script created earlier.
  9. Click Scripts from the left navigation menu.
  10. Click Add to select the deployment script created above.
  11. Confirm that the Priority is set to After.
  12. Click Save.

The created policy now runs based on the defined trigger(s) to install the BeyondTrust Jump Client.

For more information, please see Install a Jump Client on a Mac System.