Deploy BeyondTrust with Jamf

IndianaChris
New Contributor II

BeyondTrust is telling us that the only way the "support deployment is through ARD." We are not huge fans of ARD. Has anyone been able to deploy with Jamf and the provided DMG? If so do you mind sharing how.

24 REPLIES 24

MTFIDjamf
Contributor II

Which product from BeyondTrust? Thy have bought up a bunch of stuff recently.

IndianaChris
New Contributor II

Great question, we are using the Secure Remote Access Jump Client.

shaquir
Contributor III

Hi @IndianaChris,
If you are referring to installing the remote support client (previously called Bomgar), you can take a look at this thread Deploying Bomgar JumpClient to Macs using Casper

cwaldrip
Valued Contributor

I checked BeyondTrust's web site and they still only list the their old Bomgar documentation about using Automator and ARD to mount a DMG, etc. However the installer is no longer ON a disk image. It's a standalone app (yes, an app... sigh). I'm looking into this too, but it MIGHT be as simple as installing it in /var/tmp/ and using open /var/tmp/Open To Deploy Jump Client.app. You'll probably need a user environment to run it in though.

Edit: Even with running this as root (sudo), there's still a prompt for local credentials to make changes.

dan-snelson
Valued Contributor II

@IndianaChris We're using @mm2270's App Packager for the bomgar-rep-installer.dmg.


--
Dan

cwaldrip
Valued Contributor

Sigh, update. I missed the 'programmatic' download option, which contains sdcust in the applications...

cwaldrip
Valued Contributor

If I run the install manually from the command line...
sudo hdiutil attach /private/var/tmp/bomgar-scc*.dmg
sudo /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust
...it installs fine.

If I do the same thing in a post-install script as part of a package that puts the dmg in the same place, the splash screen comes up for a while, and it eventually goes away without anything being installed.

I don't understand why and I can't find any type of reference in a log anywhere (looked in console for sdcust, Bomgar, beyond trust, etc).

david_maestre
New Contributor

Interesting. We use Bomgar/Beyond Trust in our environment for remote support. We don't install any agents -- just a config profile on all machines that will allow the app to do it's thing. We have the use go to a website and click on the technicians name and it will initiate a remote session where the client will download and run a quick package. Allow screen recording and accept the connection. Done.

Kapil
New Contributor III

david_maestre Your method was working fine with Big Sur Mac machines.. So in this case only PPPC is enough and we can able to take remote of user machines without any issues. FYI, We can allow screen recording and accessibility through PPPC itself. Cheers buddy...

cwaldrip
Valued Contributor

@david.maestre but you're not installing the jump client to remote into the machine when a user isn't there. I've got the PPPC setup for most of it, but in 10.15 it prompts to allow screen recording, which I'd think happens even with user-initiated sessions...

torreiw
New Contributor

@cwaldrip This is correct we've tried remote portal and it does prompt to allow screen recording which then requires the user to restart the remote session before control can be had. We have upgraded our base to 6.1 and jump agents to 20.1.1. We now see the .app and have tried multiple ways to deploy and run a post script to install the .app installer without success. Has anyone figured this out as I have an open case with Bomgar with no pathway to success yet.

jtrant
Contributor III

Is the issue you're experiencing around the screen recording prompt, or getting the jump client installer to work?

If the former, this is a macOS restriction in Catalina and above, and I'm not aware of a workaround. If the latter, I'd be happy to share my postinstall script. It did take a bit of trial and error to get it working, main thing is to make your installers valid for a year (the maximum) or you'll find yourself re-packaging it a lot.

KyleEricson
Valued Contributor

@IndianaChris Look at this script to deploy this.

Steps:
1. Create the jump client dmg from the Bomgar console
2. Create policy in Jamf to Cache the dmg and run this script after.
3. Scope and deploy.

#!/bin/sh

# The Bomgar DMG should have been installed cached prior to this script running, but we should make sure...

if [ -a "/Library/Application Support/JAMF/Waiting Room/bomgar-scc-"*".dmg" ]; then

# Attach the Disk Image
    hdiutil attach /Library/Application Support/JAMF/Waiting Room/bomgar-scc-*.dmg

# Run the installer
    /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust

# Wait a minute for it to finish up
    sleep 90

# Unmount the disk image
    hdiutil detach /Volumes/bomgar-scc

# Wait for the unmount to complete
    sleep 25

# Delete the disk image
    rm -R /Library/Application Support/JAMF/Waiting Room/bomgar-scc-*.dmg


else

echo "Bomgar NOT Present"
exit 1

fi
exit 0

jimmychi
New Contributor

@kericson when I use that script the jump client installs correctly but the the security/privacy preferences aren't set. Was wondering what would be the best way to set those item when installing the actual jump client using that script?

jimmychi
New Contributor

Here is the script I'm running:

#!/bin/bash

BOMGAR_URL='https://it-fileshare-files-179wwtfhkyps2.s3-us-west-2.amazonaws.com/IT/Mac/BomgarProgrammatic.dmg'
DMG_PATH='/tmp/BomgarProgrammatic.dmg'

/usr/bin/curl --silent "${BOMGAR_URL}" --output "${DMG_PATH}"

# The Bomgar DMG should have been installed cached prior to this script running, but we should make sure...

if [ -a "${DMG_PATH}" ]; then

# Attach the Disk Image
    hdiutil attach "${DMG_PATH}"

# # Run the installer
    /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust --silent

# # Wait a minute for it to finish up
#     sleep 60

# # Unmount the disk image
#     hdiutil detach /Volumes/bomgar-scc

# # Wait for the unmount to complete
#     sleep 15

# # Delete the disk image
   # rm -R "${DMG_PATH}"


else

echo "Bomgar NOT Present"

fi

jimmychi
New Contributor

I'm then receiving this error output:

Script result: Checksumming Protective Master Boot Record (MBR : 0)…
Protective Master Boot Record (MBR :: verified   CRC32 $E2F8D74C
Checksumming GPT Header (Primary GPT Header : 1)…
 GPT Header (Primary GPT Header : 1): verified   CRC32 $6E0A0204
Checksumming GPT Partition Data (Primary GPT Table : 2)…
GPT Partition Data (Primary GPT Tabl: verified   CRC32 $E4C3873D
Checksumming  (Apple_Free : 3)…
                    (Apple_Free : 3): verified   CRC32 $00000000
Checksumming disk image (Apple_HFS : 4)…
          disk image (Apple_HFS : 4): verified   CRC32 $F182C998
Checksumming  (Apple_Free : 5)…
                    (Apple_Free : 5): verified   CRC32 $00000000
Checksumming GPT Partition Data (Backup GPT Table : 6)…
GPT Partition Data (Backup GPT Table: verified   CRC32 $E4C3873D
Checksumming GPT Header (Backup GPT Header : 7)…
  GPT Header (Backup GPT Header : 7): verified   CRC32 $1AECF169
verified   CRC32 $FF3EC199
/dev/disk2              GUID_partition_scheme           
/dev/disk2s1            Apple_HFS                       /Volumes/bomgar-scc
20201202 18:43:32 999999 19811:main(19affdc0) UTIL:INFO>license file: '/Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/Resources/server.lic'

Let me know if anyone has any insights

KyleEricson
Valued Contributor

@jimmychi Which script are you using? The security/privacy preferences can't only be set with a PPPC profile and one part the user has to approve no way to automate per Apple.

jimmychi
New Contributor

@kericson I'm using the following script:

#!/bin/bash

BOMGAR_URL='https://it-fileshare-files-179wwtfhkyps2.s3-us-west-2.amazonaws.com/IT/Mac/BomgarProgrammatic.dmg'
DMG_PATH='/tmp/BomgarProgrammatic.dmg'

/usr/bin/curl --silent "${BOMGAR_URL}" --output "${DMG_PATH}"

# The Bomgar DMG should have been installed cached prior to this script running, but we should make sure...

if [ -a "${DMG_PATH}" ]; then

# Attach the Disk Image
    hdiutil attach "${DMG_PATH}"

# # Run the installer
    /Volumes/bomgar-scc/Double-Click To Start Support Session.app/Contents/MacOS/sdcust --silent

# # Wait a minute for it to finish up
#     sleep 60

# # Unmount the disk image
#     hdiutil detach /Volumes/bomgar-scc

# # Wait for the unmount to complete
#     sleep 15

# # Delete the disk image
   # rm -R "${DMG_PATH}"


else

echo "Bomgar NOT Present"

fi

Previously that script worked for us and we didn't have to set any security/privacy preferences so was trying to fix it but to no success. Was wondering how we would set the PPPC profile for screen recording and to allow the bomgar jump client?

guillaumegete
New Contributor III

@jimmychi You can't pre-authorize screen recording for any app. The use MUST authorize screen recording. Hard limit from Apple.

BTW, I managed to deploy Remote support button through Self Service, but it seems to fail with the same kind of error when mass deploying the Remote support button, because the install is done in root context when there is no session opened. Bummer.

abnaau
New Contributor III

Our script, similar to the above, used to work fine for installing the Jump Client - and still does - just not for Big Sur.

During installation on Big Sur the user runs into the dialog:

"Double-Click To Start Support Session" can't be opened because Apple cannot check it for malicious software. This software needs to be updated. Contact the developer for more information.

Really? They posted Big Sur support in the release notes but gave us no way to install via MDM? Is there any way around this via Jamf?

abnaau
New Contributor III

Allow me to answer my own question. The app can be pulled out of quarantine manually.

Added to the script - copy the app to /tmp/ and remove it from quarantine and then run it from there instead of the volume.

cp -R '/Volumes/foobar/Double-Click To Start Support Session.app' '/tmp/Double-Click To Start Support Session.app'
xattr -d com.apple.quarantine '/tmp/Double-Click To Start Support Session.app'

patgmac
Contributor III

If you're on the MacAdmins Slack, join the Bomgar channel. A BeyondTrust employee posted a PDF that will eventually replace the KB article on the BeyondTrust site for mass deployment.

Here's a direct link: https://macadmins.slack.com/archives/CEH9Y26D6/p1606838240060700

sgiesbrecht
Contributor

@patgmac I don't have an acct to that slack workspace. Can you copy the PDF here please

patgmac
Contributor III

@sgiesbrecht there is no way to attach files here. It's free to sign up for that Slack and it's a great place to hang out and get help.