
Deploying MacOS jump client via Intune

  • September 8, 2025
  • 12 replies
  • 1001 views

So, I’ve attempted this multiple times and took a short break to clear my head. Cannot seem to get this wrapped up, and it’s a necessity.

 

Hi, I’m Robert and I’m a Security Engineer for my company. Part of my portfolio is Enterprise Software Management via Intune. I manage all software deployments for the company on a tenant level, using assignment groups to make certain apps available to pertinent groups. Over the past 3 years, I’ve learned a lot where Intune deployments and the Windows OS intersect. I’m still on the learning path, but I’m figuring out the nuances, the lowest common denominators and getting better at troubleshooting issues. This is where things get complicated: 100% of my experience in this arena is Windows 10 / Windows 11 based. And we now have a very small fleet (<10 devices) of Mac devices for our Marketing team.

 

Now, I’ve tried everything I can find online, but the documentation on how to pull this off via Intune is scarce and incomplete. Reddit has been the most...verbose? But still not able to get things working. I’ve done many, many things, but this is just the most recent and the most well documented:

  1. I installed Packages on a testbench MacBook Pro I was deployed.
  2. Went to the Jump Clients page in our BeyondTrust tenant and downloaded the Mac installer (dmg).
  3. Imported the DMG into a new Packages project. 
  4. Added the following post install script (per sources on Reddit)
    #!/bin/bash

    PROCESS=bomgar
    # Count running processes whose command line mentions $PROCESS
    number=$(ps aux | grep -v grep | grep -ci "$PROCESS")

    # Only install when no matching process is already running
    if [ "$number" -eq 0 ]
    then
    scriptDir=$(dirname "$0")
    hdiutil attach -nobrowse -mountpoint /Volumes/bomgar-scc "$scriptDir/bomgar-scc-guid.dmg"
    sudo /Volumes/bomgar-scc/Open\ To\ Start\ Support\ Session.app/Contents/MacOS/sdcust --silent
    sleep 15
    fi
  5. Save and build package.
  6. Upload to Intune, assign to groups, deploy.
  7. Prior to clicking deploy, setting up the Bomgar.mobileconfig file as outlined here. This is the only place I found that states this must be done, so if this is wrong, please advise how to reverse/remove it.

 

It appears to successfully deploy, according to Intune, but the devices never show up in our Jump Client list, and no icon ever populates on the end devices.

If you require more information, please advise. If you have some guidance or a tutorial or just a good point in the right general direction, I would be greatly appreciative. I’ve looked at the official documentation, but it appears to only support JAMF, which I do not have. Everything else I’ve found pertaining to Intune is either wrong (I’m assuming, they didn’t work) or wildly out of date (click on this button...the button doesn’t exist, etc.). I’m struggling here, I’ve had mostly good experiences with BeyondTrust but this is making me want to pull my non-existent hair out.

  • BeyondTrust Employee
  • September 9, 2025

Hello ​@rpollock_tg - we have this KB which outlines our Best Practises and guide on how to deploy the JC on to the MacOS OS: https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021113

Please let us know if this helps you!


  • Veteran
  • September 9, 2025

Not really a question, just some unsolicited conversation / feedback based on how I’m understanding the best practices for connecting to a Mac device - 

 

Maybe we are an over-paranoid company, but it seems odd that we’d have to expose an API account to accomplish this. I would imagine in some environments those connections would need to come from the internet, and the permissions wouldn’t be locked down to only creating jump clients. Seems a little risky on the surface. 


  • Author
  • Apprentice
  • September 9, 2025

@PhillC My previous comment did not post. I’m getting a loop of endless “zsh: command not found: -H” errors, with only the H changing. I think that script may be outdated, because when I run a search, I did not find a zsh shell/terminal. Can I change the first line of the script to run in terminal instead? I’m not familiar with scripting in MacOS, so not sure how to accomplish this.

 

Thanks.


  • BeyondTrust Employee
  • September 10, 2025

Hello @rpollock_tg - I think it may be best for you to raise a Support Case with our Support Team for this so they can assist you through the process of getting this set up. It could be the script is out of date, or maybe there is something extra which needs to be added.


  • Apprentice
  • September 24, 2025

I am actually having the same issue as OP and I have put in a support case as well as worked with our account rep on this and still no solution. Has it been verified if it is possible to deploy the jump client to Mac via Intune?


  • Veteran
  • September 25, 2025

Our Mac footprint is pretty small (at least at the moment) so we are going to stick with session keys and having the remote user navigating to our site for the one-time agent download. Not as refined as Jump Clients but it will get the job done with our simple MAC environment for the moment. 


  • Apprentice
  • September 30, 2025

Got it. Thank you for the input.


  • Apprentice
  • October 27, 2025

It is possible and we’ve been doing so for about 3-4 months now, but it took a few weeks to get it working with BT support as it was originally not updated for more current revisions of MacOS. Unfortunately it is currently broken for us after the upgrade to cloud appliance version 25. They’ve changed the names they are using for the app from bomgar-scc to sra-pin, but have not provided an updated script or information about what needs to be updated and where. Pretty frustrating to just have this stop working while it’s out in production and not have any awareness about the change. 

 

I’ve got a support ticket open with them where they provided this information and then told me they don’t provide support for this script. The product is good, but if I was looking for support that was this meh, I would have just stayed with TeamViewer. They should have provided this information along with a guide on what to update.

 

From the current ticket I have open:

Researching into this and discussing with our T3, we do not support the script being used as it states in the KB (https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0021113) Disclaimer: "This script is provided "as is" and without warranty of any kind; expressed, implied or otherwise. BeyondTrust specifically disclaims any warranties of merchantability, fitness for a particular purpose and non-infringement. The script has been written for your convenience. Before running any scripts, please review the code and ensure you understand what it does.  Scripting is outside of Beyondtrust Support scope.  Join the Beekeepers community to collaborate with peers and BeyondTrust Staff on scripts. 
 
This 24.3 or lower sample script connects directly to the SRA appliance through API, generates a jump client installer, and then downloads and installs the client. 

Before uploading the script, ensure to customize the sections below: " 

We have seen issues with it since 25.1 and architecture changes, the script uses old names. There have been component name changes (https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0022801). Replaced all references to "Bomgar" with "sra" in folder names, MSI files, and EXE files where applicable. You would need to review the script and make needed changes as necessary and test. Scripting is outside of Beyondtrust Support scope.  Join the Beekeepers community to collaborate with peers and BeyondTrust Staff on scripts (https://beekeepers.beyondtrust.com).


  • Apprentice
  • November 25, 2025

Sorry. Just saw you replied to my post. So we were able to get it downloaded, but I am getting errors when trying to install it. We think it has to do with some security on the macOS that may be preventing installation of apps from unknown files downloaded from the internet, but it is just a guess. But overall this whole process has been massively frustrating.


  • Apprentice
  • January 8, 2026

How can I get access to this KB? When I try the link I just get a permissions error?

 

Also why is this thing so difficult for mac? It would seem some effort should be put into making a native signed pkg that can just be imported into our MDM of choice like pretty much all other software.


  • Apprentice
  • January 8, 2026

I am receiving the same error accessing the article.


  • Apprentice
  • February 6, 2026
#!/bin/zsh

# Beyondtrust JumpClient download and install script

# Logging output to a file for testing
#time=$( date "+%d%m%y-%H%M" )
#set -x
#logfile=/private/tmp/beyondtrust-"$time".log
#exec > $logfile 2>&1

# Require root (needed for /Applications & LaunchDaemons)
if [ "$(id -u)" -ne 0 ]; then
echo "ERROR: This script must be run as root (use: sudo $0)"
exit 1
fi

# Intune/zsh hardening: minimal PATH and UTF-8 locale; disable globbing for JSON handling
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
export LANG="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
setopt NO_GLOB

# Set credential variables here
clientid="<CLIENTID>"
clientse='<CLIENTSECRET>'
# printf '%s' keeps a '%' or backslash in the secret from being read as a format directive
creds=$( printf '%s' "$clientid:$clientse" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )

####
# Alternatively if you dont want to store your clientid and client secret within the script you can create the base64
# encoded credential and simply store that within the script.

# creds="<base64 encoded credential>"
####

# Set Beyondtrust API creds here
url="https://<Your Site URL>"
token="oauth2/token"
base="api/config/v1"
jumpgroup="jump-group"
jumpclient="jump-client"
installer="jump-client/installer"

# Misc information we need to supply for this to work
jumpgroupname="<Enter Jump Group Name here>"
platform="mac-dmg"
dlfolder="/private/tmp"

# Obtain the user details.
# Here we have two options. If there is a local administrator account on all machines, we can specify that user
# for the installation
#currentuser="<Enter your username>"
#userid=$( /usr/bin/id -u $currentuser )

####
# Alternatively we can use the currently logged in user
currentuser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
userid=$( /usr/bin/id -u $currentuser )
####

# Work out major os version
majver=$( /usr/bin/sw_vers -productVersion | /usr/bin/cut -d "." -f1 )

#####
## Download the latest BeyondTrust client via API
#####

# Request bearer access token using the API
request=$( /usr/bin/curl -s -X POST "${url}/${token}" \
-H "accept: application/json" \
-H "Authorization: Basic ${creds}" \
-d "grant_type=client_credentials" )

# Extract the bearer token from the json output above
if [ "$majver" -le 11 ];
then
access_token=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$request\`).access_token" )
else
access_token=$( /usr/bin/plutil -extract access_token raw -o - - <<< "$request" )
fi

# Get a list of the jump groups
groups=$( /usr/bin/curl -s -X GET "${url}/${base}/${jumpgroup}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${access_token}" )

# Find group ID by exact name via JXA (reliable under zsh/Intune)
groupid=$(/usr/bin/osascript -l JavaScript -e '
(function() {
var groups = JSON.parse(String.raw`'"$groups"'`);
var want = "'"$jumpgroupname"'";
for (var i=0; i<groups.length; i++) {
if (groups[i].name === want) { $.NSFileHandle.fileHandleWithStandardOutput.writeData($(groups[i].id + "\n").dataUsingEncoding(4)); return; }
}
})();')

# Safety: one numeric ID only
groupid=$(echo "$groupid" | tr -d '[:space:]')
if ! echo "$groupid" | grep -Eq '^[0-9]+$'; then
echo "ERROR: Could not resolve jump group id for name: $jumpgroupname"
echo "Groups response was: $groups"
exit 2
fi

# We're ready to request the download. First form the data to pass to the API
# Feed it the groupid from before.
# This is configurable based upon requirements, for more information review the
# BeyondTrust API Documentation.

jumpclientconfig='
{
"name":"",
"jump_group_id":'$groupid',
"jump_group_type":"shared",
"tag":"",
"connection_type":"active",
"valid_duration":30,
"elevate_install":true,
"elevate_prompt":true,
"allow_override_jump_group":false,
"allow_override_jump_policy":false,
"allow_override_name":false,
"allow_override_comments":false
}'

# Use the prepared json above to get the installer unique id
uid=$( /usr/bin/curl -s -X POST "${url}/${base}/${installer}" \
-d "${jumpclientconfig}" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${access_token}" )

# Extract the installer ID from the output
if [ "$majver" -le 11 ];
then
installer_id=$( /usr/bin/osascript -l 'JavaScript' -e "JSON.parse(\`$uid\`).installer_id" )
# key_info structure changed in the API. Try the new `key_info.encodedInfo` first,
# then fall back to the previous platform-specific path if present.
key_info=$( /usr/bin/osascript -l 'JavaScript' -e "(function(){var j=JSON.parse(\`$uid\`); if (j.key_info && j.key_info.encodedInfo) return j.key_info.encodedInfo; if (j.key_info && j.key_info['mac-osx-x86'] && j.key_info['mac-osx-x86'].encodedInfo) return j.key_info['mac-osx-x86'].encodedInfo; if (j.key_info) return j.key_info; return ''; })()" )
else
installer_id=$( /usr/bin/plutil -extract installer_id raw -o - - <<< "$uid" )
# key_info structure changed in the API. Try multiple plutil extract paths.
# 1) key_info.encodedInfo
# 2) key_info.mac-osx-x86.encodedInfo
# 3) fallback: extract the whole key_info object as a raw string

key_info=$( /usr/bin/plutil -extract key_info.encodedInfo raw -o - - <<< "$uid" 2>/dev/null )
if [ $? -ne 0 ]; then
key_info=$( /usr/bin/plutil -extract key_info.mac-osx-x86.encodedInfo raw -o - - <<< "$uid" 2>/dev/null )
fi
if [ $? -ne 0 ]; then
key_info=$( /usr/bin/plutil -extract key_info raw -o - - <<< "$uid" 2>/dev/null )
fi
fi

# Download latest installer to private tmp folder. Retry if required.
for loop in {1..10};
do
echo "Download attempt: [$loop / 10]"
test=$( /usr/bin/curl -s \
-X GET "${url}/${base}/${installer}/${installer_id}/${platform}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${access_token}" \
-w "%{http_code}" \
-o ${dlfolder}/bomgar-scc-${key_info}.dmg )
[ "$test" = "200" ] && break
done

# Did the download actually work. Error if not.
[ "$test" != "200" ] && { echo "Download failed. Exiting."; exit 1; }

#####
## Check and uninstall any previous installations.
#####

# Find the existing BeyondTrust install in /Users then run the uninstall command
/usr/bin/find /Users/Shared /Applications -iname "sdcust" -type f -maxdepth 5 -exec {} -uninstall silent \;
sleep 3

# This is the manual cleanup process. Uninstall should remove everything
# however this will also catch any previous failed installations.

# Are there any LaunchAgents from a previous install?
test=$( /usr/bin/find /Library/LaunchAgents -iname "com.bomgar.bomgar*.plist" | /usr/bin/wc -l | /usr/bin/awk '{ print $1 }' )

# More than zero means we have work to do
if [ "$test" -gt 0 ]; then
# Unload user LaunchAgents only if a user is logged in
if [ -n "$currentuser" ]; then
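laarray=$(/usr/bin/su - "$currentuser" -c "/bin/launchctl list" | grep com.bomgar | awk '{ print $3 }')
# zsh does not word-split unquoted variables; ${=var} splits the label list
for la in ${=laarray}; do
# A service target is domain/uid/label; LaunchAgents run in the console user's gui domain
/bin/launchctl bootout "gui/${userid}/${la}"
done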
else
echo "No console user; skipping user LaunchAgent unload."
fi

# Unload system LaunchDaemons
ldarray=$(/bin/launchctl list | grep com.bomgar | awk '{ print $3 }')
# ${=var} forces word splitting, which zsh does not do by default
for ld in ${=ldarray}; do
/bin/launchctl bootout system/"$ld"
done

# Remove all the launchd agents and daemons
/usr/bin/find /Library/LaunchAgents -iname "*com.bomgar*.plist" -exec rm -rf {} \;
/usr/bin/find /Library/LaunchDaemons -iname "*com.bomgar*.plist" -exec rm -rf {} \;
/usr/bin/find /Library/LaunchDaemons -iname "*com.bomgar*.helper" -exec rm -rf {} \;

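# Remove any existing install folders. Globbing is off (setopt NO_GLOB above),
# so let find match the patterns instead of relying on shell wildcards.
/usr/bin/find /Users/Shared -maxdepth 1 -name "bomgar-scc*" -exec /bin/rm -rf {} +
/usr/bin/find /Users/Shared -maxdepth 1 -name ".com.bomgar.scc.*" -exec /bin/rm -rf {} +
/usr/bin/find /Applications -maxdepth 1 -name ".com.bomgar*" -exec /bin/rm -rf {} +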
fi

# Check the API to see if there's an existing record for the current hostname
# Remove if exists

# Generate the query date we require. As long as our hostnames are correct,
# then we can find the mac we're running on.
# Check for existing record for this hostname and delete it (GET with query string, not body)
host=$(hostname)
devices_json=$(/usr/bin/curl -s -G "${url}/${base}/${jumpclient}" \
--data-urlencode "name=${host}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${access_token}")

# Extract first matching device id (if any)
if [ "$majver" -le 11 ]; then
deviceid=$(/usr/bin/osascript -l JavaScript -e '
(function() {
var a = JSON.parse(String.raw`'"$devices_json"'`);
if (Array.isArray(a) && a.length > 0 && a[0].id) { $.NSFileHandle.fileHandleWithStandardOutput.writeData($(a[0].id + "\n").dataUsingEncoding(4)); }
})();')
else
# plutil path for array index 0 id (if present)
deviceid=$(echo "$devices_json" | /usr/bin/plutil -extract 0.id raw -o - - 2>/dev/null)
fi

# If we found a device id, delete it
if [ -n "$deviceid" ]; then
/usr/bin/curl -s -X DELETE "${url}/${base}/${jumpclient}/${deviceid}" \
-H "accept: application/json" \
-H "Authorization: Bearer ${access_token}" >/dev/null
sleep 5
fi

#####
## We're ready to install the application.
#####

# Create a temporary folder to mount the dmg to.
tmpmnt=$(/usr/bin/mktemp -d /private/tmp/tempinstall.XXXXXX)
if [ $? -ne 0 ]; then
echo "$0: Cannot create temporary folder. Exiting."
exit 1
fi

# Mount and capture the device node (e.g., /dev/disk4s3)
attach_out=$(/usr/bin/hdiutil attach "${dlfolder}/bomgar-scc-${key_info}.dmg" \
-mountpoint "$tmpmnt" -nobrowse -noverify -noautoopen)
devnode=$(echo "$attach_out" | awk '/Apple_HFS|HFSX/ {print $1; exit}')

# Find and run the installer
sdc=$(/usr/bin/find "$tmpmnt" -iname "sdcust" -type f)
"$sdc" --silent
sleep 20

# Detach the volume reliably, then clean up
if [ -n "$devnode" ]; then
/usr/bin/hdiutil detach "$devnode" -force || /usr/bin/hdiutil detach "$tmpmnt" -force
else
/usr/bin/hdiutil detach "$tmpmnt" -force
fi

/bin/rm -rf "$tmpmnt"
/bin/rm -rf "${dlfolder}/bomgar-scc-${key_info}.dmg"

# All done
exit 0

So I contacted support and they sent me the script that was in the Knowledge article that, as of today, is not released.

A lot of trial and error later, plus some Copilot, I got it working. Do note that I am not a pro scripter or anything like that, so it can probably be improved upon both in terms of efficiency and security. Nevertheless, this works for us currently.

PS: Do remember to configure the Mass Deployment policies on Intune, according to BeyondTrust's documentation.
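
One hardening step for the script above, as an added example that is not part of the poster's script or of BeyondTrust's KB: the script runs as root, writes the DMG into the shared /private/tmp, and builds the file name from the API's key_info value without checking it. The helper names (is_safe_token, make_private_workdir, dmg_path_for, is_plain_nonempty_file), the allowed character set and the 128-character limit are assumptions; the code is plain POSIX sh so it can be pasted into the zsh script.

```shell
#!/bin/sh
# Added example: validate API-derived values before they reach a file path
# that root will write to and execute from. Names and limits are assumptions.

# True only for a short token of letters, digits, '.', '_' and '-' that does
# not start with a dot (so no "..", no '/', no spaces, no shell metacharacters).
is_safe_token() (
    LC_ALL=C
    case "$1" in
        '' | .* | *[!A-Za-z0-9._-]*) exit 1 ;;
    esac
    [ "${#1}" -le 128 ]
)

# Create a fresh directory only its owner can enter, instead of dropping a
# file straight into the world-writable temp folder.
# $1 = parent directory (defaults to $TMPDIR or /tmp); prints the new path.
make_private_workdir() (
    umask 077
    mktemp -d "${1:-${TMPDIR:-/tmp}}/jc-install.XXXXXX"
)

# Build the DMG path from validated parts only.
# $1 = private workdir, $2 = key_info taken from the API response.
dmg_path_for() {
    is_safe_token "$2" || { echo "refusing unsafe key_info value" >&2; return 1; }
    [ -d "$1" ] && [ ! -L "$1" ] || { echo "workdir missing or a symlink" >&2; return 1; }
    printf '%s/bomgar-scc-%s.dmg\n' "$1" "$2"
}

# After the download: the target must be a regular, non-empty file and not a
# symlink that someone else placed there.
is_plain_nonempty_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ]
}

# Constructed sample values standing in for key_info from an API response.
for sample in 'k3y-INFO_01' '../../Library/x' 'a b' ''; do
    if is_safe_token "$sample"; then verdict=accept; else verdict=reject; fi
    printf '%-20s %s\n' "[$sample]" "$verdict"
done
```

In the poster's script, the same checks would sit between extracting installer_id and key_info and the curl download, with the workdir replacing dlfolder.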