Skip to main content

Cornell University

Overview of Remote Assistance for IT Leadership

This article presents a high-level overview of the decision to implement BeyondTrust Remote Support as the remote assistance tool recommended for IT at Cornell.

This article applies to: BeyondTrust Remote Support

On This Page

Who is Able to Use BeyondTrust Remote Support?

Cornell's BeyondTrust Remote Support license limits use to people in designated IT support roles at the university. It is not available for end users or technicians to use to gain remote access into their office computers. It is also not available for IT staff in non-client support roles, although BeyondTrust Remote Support has the ability for a client-support technician to “invite” someone without BeyondTrust Remote Support installed to view a session (for example, a developer could be invited to view a problem on a client's web page, but the developer would not be able to initiate a session themselves.) This situation may change in the future as business needs evolve. We recommend that all IT staff using BeyondTrust Remote Support sign the “University Information and Confidentiality Annual Agreement,” which is part of Cornell policy 4.12, mentioned below. 

Cornell Policies and BeyondTrust Remote Support

Policies are in place to protect both the end-user and IT staff against breaches of privacy and to define the appropriate use of technology. These policies apply to all IT services and activities including remote assistance using BeyondTrust Remote Support or any other remote assistance tool. The University Policy Office resource for IT-specific policies include these specifically applicable policies: 

Access Types

IT staff using BeyondTrust Remote Support will be granted access privileges appropriate for their role. There are three levels of access, presented here from least-privileged to most-privileged:

Basic: The end user must be present for the session, which begins with the end user downloading and installing the BeyondTrust Remote Support mini-client. As the session progresses, each time the TSP requires a different type of access (screen sharing, file transfer, system information, elevation of privileges, etc.) the end user will need to click on a prompt saying that they agree to this access. When the session ends, the BeyondTrust Remote Support mini-client is removed from the end user's computer. The CornellAD group associated with this level of access is <unit>-bomgar-no-jump. (Support providers in CIT who are supporting end users outside of CIT will only use this type of access.) 

Basic with “Jump” ability: This level of access allows a TSP to work in exactly the same way as described under Basic above, with one addition. During a BeyondTrust Remote Support session, the TSP can request permission to leave the BeyondTrust Remote Support mini-client present on the end user's computer when the session ends. This is known as “pinning” the client, and is sometimes referred to as a “jump client.”

Once the jump client is present, the TSP is allowed to start a BeyondTrust Remote Support session at a future time without the need for the end user to go through the installation steps for the mini-client. In all other ways, the support session is the same: the end user needs to be present and must respond to the TSP's requests for various kinds of access.

The jump client will remain on the end user's computer until the TSP “unpins” it. At the end of that session, the client is removed. The CornellAD group associated with this level of access is <unit>-bomgar.

Unattended: This level of access is reserved for the most trusted TSPs and end users who may need to have their computers worked on when they are not available. TSPs with this level of access can also operate as described with the two groups above.

An unattended session requires that the jump client (described above) be present on the end user's computer. This can be done during a normal BeyondTrust Remote Support session, through a group policy, or other mass methods determined by local IT leadership.

A TSP with this level of access can begin a BeyondTrust Remote Support session without any involvement by the end user. Note that the TSP's actions are still visible on the end user’s computer, but all prompts for additional privileges will be automatically affirmed. For fully unattended mode, the BeyondTrust Remote Support “jump client” is left installed on the end user's computer, so that the TSP can start unattended support sessions as the need arises.

The CornellAD group associated with this level of access is <unit>-bomgar-jump-unattended.

Note that there are significant reporting capabilities within BeyondTrust Remote Support that allow an IT manager to review unattended activities, such as whether a file is downloaded, however, there is no way to inform the end users of activities during their absence. The CornellAD group associated with managerial access is <unit>-bomgar-managers.

BeyondTrust Remote Support sessions are NOT recorded.

IT Directors need to affirm with their unit leadership what levels of access are appropriate for their areas. It is likely that different end user roles will define the level of access used to provide support to them. Decision makers should familiarize themselves with Cornell policies as described above and bear in mind that unattended access may be more appropriate in some areas than others. It is crucial that end users be informed of the use of remote assistance technology, however, the method and frequency of that communication is left to unit IT leadership.

Once it has been determined which of these three levels of access are appropriate for a given TSP, local unit OU admins use the CornellAD tools to assign the TSPs to the appropriate group or groups.

See CornellAD Groups Associated with BeyondTrust Remote Support for more information on the groups.

Comments?

To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.