Install a Jump Client, Jumpoint, or Elevation Service for Elevated Session Start
When attempting to operate with the credentials on a smart card, the user is prompted to enter a PIN. This UAC prompt is inaccessible to the support representative if the BeyondTrust customer client is not already running in elevated mode. It is therefore necessary to access the remote computer in one of three ways:
- A Jump Client running as a system service
- A Jumpoint or local network Jump, using administrative credentials
- A customer-initiated or Jump session with the BeyondTrust elevation service pre-installed on the remote system
Accessing the remote computer in elevated mode allows the representative to interact with UAC prompts in order to enter the smart card PIN.
To install a Jumpoint, see Jumpoint: Set Up Unattended Access to a Network. No special setup is required.
Jump Client Installation
To install a Jump Client in preparation for using smart card support, you must set certain options as described below.
- From the /login interface of your BeyondTrust Appliance, go to Jump > Jump Clients.
- Configure the Jump Client settings as needed. For details, see Jump Clients: Manage Settings and Install Jump Clients for Unattended Access.
- The connection type can be either active or passive.
- Be sure to check Attempt an Elevated Install if the Client Supports It as well as Prompt for Elevation Credentials if Needed.
- Click Create.
- From this page, you may email the Jump Client installer to one or more remote users.
- Alternatively, select a platform and download the Jump Client installer to your local system. You may then distribute this installer to multiple systems for manual installation, or you may distribute it via a software deployment tool.
Elevation Service Installation
In special cases, you may need a session to start with the customer client already in elevated mode, or you may need to elevate the customer client without providing credentials. To securely elevate the customer client without the prompt, download the BeyondTrust Automatic Elevation Service from /login > My Account and install it beforehand on the remote Windows systems to which you need credential-less elevation access. You must install the elevation service using an account that has administrative privileges to the local machine.
When the elevation service runs, it adds to the registry a hash unique to your BeyondTrust site. Then, when the remote system begins a session through that site, the elevation service matches the registry hash against the hash in the client. If they match, the client attempts automatic elevation.
Elevation follows the rules set in /login > Public Portals > Customer Client :: Miscellaneous Options. If those rules do not allow the customer client to elevate automatically, a matching hash still causes the elevation service to be used for elevation when the representative clicks the Elevate button in the representative console. When the elevation service is used, neither the representative nor the customer is prompted for credentials.
After a BeyondTrust software update, your site hash changes. Download and run the elevation service registry file to update the registry hash on systems which already have the elevation service installed. You must run the elevation service registry file using an account that has administrative privileges to the local machine.