Remote Support at Nebraska
Remote Support at the University of Nebraska has been configured with user privacy and data security as the foundation. All data transmitted during a remote session is encrypted from end to end, and all actions performed by IT staff during a support session are logged and routinely audited. Users are always in full control of their support experience when connecting with an IT support representative. On privately issued University devices, local user consent is required to begin the remote session and allow an IT support representative to access and control the device. At any time a user can terminate the remote session by closing the BeyondTrust chat window.
Session Configuration
The configuration for a Remote Support session is determined in four phases: Initiator, Portal, Connection, and Authorization.
Phase 1 - Session Initiator
A support session can be initiated either by a user or a Remote Support Representative. Sessions can be either of two different types: Attended or Unattended.
Attended
Attended sessions are initiated by a local user that navigates to one of two online portals: help.nebraska.edu or help-confidential.nebraska.edu. At the support portal, a user selects the name of their IT Support Representative or the user types in a pre-shared session key. This method of remote support requires a user to download and install a temporary Jump Client. The user must accept a Remote Support End User License Agreement (EULA) before support can start. The user is in full control of the support session and can terminate it at any time. After the session is complete, the temporary Jump Client automatically uninstalls.
Unattended
A Remote Support Representative initiates an unattended session through the console on endpoints that have a pre-installed Jump Client. This method of remote support does not require a user to install anything or take any action to begin remote support. The user will be presented with a Remote Support EULA in the chat window that appears when a support session starts. A local user is in full control of the support session and can terminate it at any time. Only University issued endpoints may have permanently installed Jump Clients.
Phase 2 - Session Portal
Remote Support Sessions flow through one of two session portals: General or Confidential.
The general support portal is for regular remote support sessions. General sessions are recorded for training and quality control purposes. Session recordings and logs will be retained for 90 days.
The confidential support portal is for remote support sessions that will involve confidential or regulated information. Confidential sessions are not recorded, only basic session metadata will be logged for training and quality control purposes. Session logs will be retained for 90 days.
Unattended Jump Clients are pre-configured to use the General or Confidential portal during installation.
Phase 3 - Session Connection
Standard BeyondTrust Remote Support Sessions operate through Jump Clients. Jump Clients are available for Windows, Mac, or Linux endpoints, as well as Android phones and tablets. Pre-installed Jump Clients are accessed from any of the Remote Support Representative consoles. Jump clients can be mass deployed through SCCM and Jamf Pro or installed manually. To locate specific endpoints in the console Jump Clients are organized into groups and can then be individually marked with tags or comments. After receiving Representative access, Jump Client downloads will be available from Box.
Two types of Jump Clients are deployed to University endpoints: Passive and Active.
Passive
Passive clients listen for session requests. The Passive client will listen over TCP 5832 and wait for a session call which happens over TCP 443. Once the call is initiated from the BeyondTrust appliance, the Passive client establishes a session over TCP 443. When the session ends, the Passive client returns to a listening state on TCP 5832. Passive clients check in to the BeyondTrust appliance every 24 hours to update inventory.
Passive clients are best suited for endpoints that have a static network address and are accessible over TCP 5832. Local and network firewalls will need to allow incoming traffic over TCP 5832 for a Passive client to function.
Active
Active clients maintain a heartbeat with the BeyondTrust appliance. Active clients continuously check in with the BeyondTrust appliance looking for session requests over TCP 443 and log their current status and network location. When a Remote Support Representative initiates a support session the Active client will see the request and establish a session. When the session ends, the Active client returns to a regular heartbeat. Active clients will submit inventory information every hour.
Active clients are best suited for mobile endpoints or those without a static address. Local and network firewalls do not require modification for an Active client to function. Active clients generate more network traffic and place a substantial load on the server, for this reason, they are only deployed to devices when needed.
If any Passive or Active Jump Client is offline for more than 30 days, the Representative Console will mark the Jump Client as "Lost" until a connection is re-established. If the device remains offline for 120 days, the Jump Client will be removed automatically from the Representative Console and the device.
Phase 4 - Session Authorization
Remote Support Sessions use one of two permission configurations for the Representative.
Private
This access role is for accessing Unattended private institutional endpoints or one-time Attended endpoints.
A private institutional endpoint is defined as any desktop, laptop, or tablet that is assigned to a single user for their private use. Examples of private institutional endpoints are those assigned to individual Faculty, Staff, and Students.
A pre-installed Jump Client on private institutional endpoints makes remote assistance quick and easy for users by enabling a Representative to initiate a remote session after being contacted by a user for assistance. Users must be present to accept the remote session and elevate representative access. The user is in full control of the support session and can terminate it at any time.
Open
This access role is for accessing non-private institutional endpoints.
A non-private institutional endpoint is defined as any desktop, laptop, tablet, or server that is not assigned to a single user and does not contain private user data. Examples of non-private institutional endpoints include research or business workstations, lab computers, appliances, kiosks, digital signs, and servers.
A pre-installed Jump Client on non-private institutional endpoints allows Representatives to openly connect to and control these endpoints without local user presence. This role is useful for managing end-user endpoints that do not contain private or confidential information or administering servers. Open Unattended Jump Clients will not be configured to use the Confidential Portal.
Session Configuration Summary
These diagrams summarize the different ways a Remote Support session at the University of Nebraska functions.
All Private Unattended Jump Clients reside within common Jump Groups in the Remote Support Representative Console. Open Unattended Jump Clients are divided into separate private Jump Groups based on Representative privileges for specific IT support teams. Only one Open Unattended Jump Group will be allocated per IT support team.