Overview of Remote Assistance for IT Leadership
This article presents a high-level overview of the decision to implement Bomgar (BeyondTrust) as the remote assistance tool recommended for IT at Cornell.
This article applies to: Bomgar
Who is Able to Use Bomgar?
Cornell's Bomgar license limits use to people in designated IT support roles at the university. It is not available for end users or technicians to use to gain remote access into their office computers. It is also not available for IT staff in non-client support roles, although Bomgar allows a client-support technician to "invite" someone without Bomgar installed to view a session (for example, a developer could be invited to view a problem on a client's web page, but the developer would not be able to initiate a session themselves). This situation may change in the future as business needs evolve. We recommend that all IT staff using Bomgar sign the “University Information and Confidentiality Annual Agreement,” which is part of Cornell policy 4.12, mentioned below.
Cornell Policies and Bomgar
Policies are in place to protect both the end user and IT staff against breaches of privacy and to define the appropriate use of technology. These policies apply to all IT services and activities, including remote assistance using Bomgar or any other remote assistance tool. The University Policy Office resource for IT-specific policies includes these specifically applicable policies:
4.12 Data Stewardship and Custodianship
5.1 Responsible User of IT Resources
5.4.1 Security of IT Resources
5.9 Access to IT Data
IT staff using Bomgar will be granted access privileges appropriate for their role. There are three levels of access, presented here from least-privileged to most-privileged:
Basic: The end user must be present for the session, which begins with the end user downloading and installing the Bomgar mini-client. As the session progresses, each time the TSP requires a different type of access (screen sharing, file transfer, system information, elevation of privileges, etc.) the end user will need to click on a prompt saying that they agree to this access. When the session ends, the Bomgar mini-client is removed from the end user's computer. The CornellAD group associated with this level of access is <unit>-bomgar-no-jump. (Support providers in CIT who are supporting end users outside of CIT will only use this type of access.)
Basic with "Jump" ability: This level of access allows a TSP to work in exactly the same way as described under Basic above, with one addition. During a Bomgar support session, the TSP can request permission to leave the Bomgar mini-client present on the end user's computer when the session ends. This is known as "pinning" the client, and is sometimes referred to as a "jump client."
Once the jump client is present, the TSP is allowed to start a Bomgar session at a future time without the need for the end user to go through the installation steps for the mini-client. In all other ways, the support session is the same: the end user needs to be present and must respond to the TSP's requests for various kinds of access.
The jump client will remain on the end user's computer until the TSP "unpins" it. At the end of that session, the client is removed. The CornellAD group associated with this level of access is <unit>-bomgar.
Unattended: This level of access is reserved for the most trusted TSPs and end users who may need to have their computers worked on when they are not available. TSPs with this level of access can also operate as described with the two groups above.
An unattended session requires that the jump client (described above) be present on the end user's computer. This can be done during a normal Bomgar session, through a group policy, or other mass methods determined by local IT leadership.
A TSP with this level of access can begin a Bomgar support session without any involvement by the end user. Note that the TSP's actions are still visible on the end user’s computer, but all prompts for additional privileges will be automatically affirmed. For fully unattended mode, the Bomgar "jump client" is left installed on the end user's computer, so that the TSP can start unattended support sessions as the need arises.
The CornellAD group associated with this level of access is <unit>-bomgar-jump-unattended.
Note that there are significant reporting capabilities within Bomgar that allow an IT manager to review unattended activities, such as whether a file is downloaded. However, there is no way to inform the end users of activities during their absence. The CornellAD group associated with managerial access is <unit>-bomgar-managers. Bomgar sessions are NOT recorded.
IT Directors need to affirm with their unit leadership which levels of access are appropriate for their areas. It is likely that different end user roles will define the level of access used to provide support to them. Decision makers should familiarize themselves with Cornell policies as described above and bear in mind that unattended access may be more appropriate in some areas than others. It is crucial that end users be informed of the use of remote assistance technology; however, the method and frequency of that communication are left to unit IT leadership.
Once it has been determined which of these three levels of access is appropriate for a given TSP, local unit OU admins use the CornellAD tools to assign the TSP to the appropriate group or groups.
See CornellAD Groups Associated with Bomgar for more information on the groups.