Question

BeyondTrust with Windows Multi App Kiosk on Intune

  • March 30, 2026
  • 2 replies
  • 64 views

Does anyone know how to get BeyondTrust Jump Client or Customer Client working with interactivity on Intune Multi-App Kiosk machines? We have our Jump Client installed but there’s no interactivity in Kiosk mode. And Customer Client simply gets blocked. 

Part of the issue with whitelisting apps with AssignedAccess seems to be the multiple EXEs to whitelist and not allowing dynamic paths. E.g. I think bomgar-scc.exe needs to be whitelisted but it lives in C:\Program Files\BeyondTrust\bomgar-scc\*\bomgar-scc.exe

2 replies

DavidC
BeyondTrust Employee
  • April 30, 2026

Hi “Blam”!

 

I think this was addressed in 25.2 at least for Jump Client. There was a change made to how we start the child processes of the agent. You don’t need to whitelist it. 

 

Here’s how I set up my Kiosk for RS:

  • Build vanilla Windows 11 machine and install the RS Jump client

  • Obtain psexec.exe from Sysinternals

  • Save below PowerShell in c:\temp or similar

  • Save below XML in c:\temp as multiappconfig.xml

  • Open admin elevated cmd or PowerShell prompt

  • Run psexec to get a PowerShell window running as SYSTEM

    • psexec -i -s powershell_ise

  • Set Exec policy if needed

    • Set-ExecutionPolicy Unrestricted

  • Run setup.ps1

  • Reboot

  • Endpoint will boot and auto-login as the Kiosk user

  • Attempt to start RS session

PowerShell below

 

# run this file from psexec.exe -i -s powershell.exe
# Check for administrator privileges
if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
  Write-Host "This script requires administrator privileges. Please run as administrator." -ForegroundColor Red
  # Exit with an explicit non-zero code; $LASTEXITCODE is not set by this check
  exit 1
}

# Path to the XML configuration file
$xmlFilePath = "$PSScriptRoot\multiappconfig.xml"

# Assigned Access Configuration XML
$assignedAccessConfiguration = Get-Content -Path $xmlFilePath -Raw

# Set the Assigned Access Configuration
# Encode the XML configuration
$encodedAssignedAccessConfiguration = [System.Net.WebUtility]::HtmlEncode($assignedAccessConfiguration)

# Define the namespace and class name
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AssignedAccess"

# Get the CIM instance
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className

# Set the configuration
$obj.Configuration = $encodedAssignedAccessConfiguration

# Write-Host "Applying this Configuration: $($obj.Configuration)"

Set-CimInstance $obj 

 

 

PowerShell Ends

 

XML below...

 

<?xml version="1.0" encoding="utf-8"?>
<AssignedAccessConfiguration xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
    xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
    <Profiles>
        <Profile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}">
            <AllAppsList>
                <AllowedApps>
                    <App AppUserModelId="%ProgramFiles%\Google\Chrome\Application\chrome.exe" />
                    <App DesktopAppPath="%ProgramFiles%\Git\git-bash.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="%userprofile%\ACM\docs\run_scripts\pm2\acm_launch.sh --file" />
                    <App DesktopAppPath="%ProgramFiles%\Docker\Docker\Docker Desktop.exe" />
                    <App DesktopAppPath="%ProgramFiles%\nodejs\node.exe" />
                    <App DesktopAppPath="%windir%\explorer.exe" />
                    <App DesktopAppPath="%windir%\System32\WindowsPowerShell\v1.0\Powershell.exe" />
                </AllowedApps>
            </AllAppsList>
            <rs5:FileExplorerNamespaceRestrictions>
                <rs5:AllowedNamespace Name="Downloads" />
                <v3:AllowRemovableDrives />
            </rs5:FileExplorerNamespaceRestrictions>
            <v5:StartPins><![CDATA[{
                    "pinnedList": [
                        {"desktopAppLink": "%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe"},
                        {"desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
                        {"desktopAppLink": "%ProgramFiles%\\Git\\git-bash.exe"},
                        {"desktopAppLink": "%ProgramFiles%\\Docker\\Docker\\Docker Desktop.exe"},
                        {"desktopAppLink": "%ProgramFiles%\\nodejs\\node.exe"},
                        {"desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\acm_start.lnk"},
                        {"desktopAppLink": "%userprofile%\\Desktop\\acm_start.lnk"},
                        {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"}
                    ]
            }]]></v5:StartPins>
            <Taskbar ShowTaskbar="true" />
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <AutoLogonAccount rs5:DisplayName="keith" />
            <DefaultProfile Id="{EDB3036B-780D-487D-A375-69369D8A8F78}" />
        </Config>
    </Configs>
</AssignedAccessConfiguration>

 

XML Ends
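
A pre-flight check for the multiappconfig.xml above, as an added example that is not part of the original post or BeyondTrust's own code: it parses the file before setup.ps1 pushes it to MDM_AssignedAccess, confirms that DefaultProfile points at a defined Profile, and reports allowed desktop paths that are missing, contain wildcards, or are shells and script hosts. The function name Test-KioskConfig and the interpreter list are assumptions made for illustration.

```powershell
# Added example, not from the original post: lint multiappconfig.xml before applying it.
param([string]$XmlPath = "$PSScriptRoot\multiappconfig.xml")

function Test-KioskConfig {
    param([Parameter(Mandatory)][string]$Path)

    # The [xml] cast throws on malformed XML, before anything reaches MDM_AssignedAccess.
    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('aa', 'http://schemas.microsoft.com/AssignedAccess/2017/config')

    $findings = New-Object System.Collections.Generic.List[object]
    $report = { param($item, $issue) $findings.Add([pscustomobject]@{ Item = $item; Issue = $issue }) }

    # Every DefaultProfile must reference a Profile defined in the same file.
    $profileIds = @($doc.SelectNodes('//aa:Profile', $ns) | ForEach-Object { $_.GetAttribute('Id') })
    foreach ($d in $doc.SelectNodes('//aa:DefaultProfile', $ns)) {
        $id = $d.GetAttribute('Id')
        if ($profileIds -notcontains $id) { & $report $id 'DefaultProfile has no matching Profile' }
    }

    # Assumption: illustrative list of shells and script hosts; adjust to local policy.
    $interpreters = 'powershell.exe', 'powershell_ise.exe', 'cmd.exe', 'git-bash.exe',
                    'node.exe', 'wscript.exe', 'cscript.exe'

    foreach ($app in $doc.SelectNodes('//aa:AllowedApps/aa:App', $ns)) {
        $raw = $app.GetAttribute('DesktopAppPath')
        if (-not $raw) { continue }   # AppUserModelId entries are not path-checked here
        # Note: under SYSTEM, per-user variables such as %userprofile% expand to SYSTEM's profile.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        if ($raw -match '[*?]') {
            & $report $raw 'Wildcard in path (the question notes dynamic paths are not accepted)'
        } elseif (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
            & $report $raw 'Executable not found on this machine'
        }
        if ($interpreters -contains [IO.Path]::GetFileName($expanded)) {
            & $report $raw 'Shell or script host allowed in the kiosk profile'
        }
    }
    return $findings
}

Test-KioskConfig -Path $XmlPath | Format-Table -AutoSize -Wrap
```

Run against the XML as posted, the shell check matches the git-bash.exe, node.exe and Powershell.exe entries, so each can be kept deliberately or dropped before the profile is applied.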


  • Author
  • Apprentice
  • May 5, 2026

Hi “Blam”!

 

I think this was addressed in 25.2 at least for Jump Client. There was a change made to how we start the child processes of the agent. You don’t need to whitelist it. 

 

 

Thanks! With this, do you get the BeyondTrust chat window to pop up?