Session Policies: Set Session Permission and Prompting Rules

Session Policies

With session policies, you can customize session security permissions to fit specific scenarios. Session policies can be applied to users and Jump Clients.

The Session Policies section lists available policies. Click the arrow by a policy name to quickly see where that policy is being used; its availability for users, access invites, and Jump Clients; and the tools configured.

Create New Policy, Edit, Delete

Create a new policy, modify an existing policy, or remove an existing policy.

Copy

To expedite the creation of similar policies, click Copy to create a new policy with identical settings. You can then edit this new policy to meet your specific requirements.

Session Policy :: Add or Edit

Policy Settings

Display Name

Create a unique name to help identify this policy. This name helps when assigning a session policy to users and Jump Clients.

Code Name

Set a code name for integration purposes. If you do not set a code name, one is created automatically.

Description

Add a brief description to summarize the purpose of this policy. The description is seen when applying a policy to user accounts, group policies, and access invites.

Availability: Users

Choose if this policy should be available to assign to users (user accounts and group policies).

Availability: Access Invite

Choose if this policy should be available for users to select when inviting an external user to join a session.

Availability: Jump Items

Choose if this policy should be available to assign to Jump Items.

Availability: Dependencies

If this session policy is already in use, you will see the number of users and Jump Clients using this policy.

Tools

For all of the permissions that follow, you can choose to enable or disable the permission, or you can choose to set it to Not Defined. Session policies are applied to a session in a hierarchical manner, with Jump Clients taking the highest priority, then users, and then the global default. If multiple policies apply to a session, then the policy with the highest priority will take precedence over the others. If, for example, the policy applied to a Jump Client defines a permission, then no other policies may change that permission for the session. To make a permission available for a lower policy to define, leave that permission set to Not Defined.

Set which tools should be enabled or disabled with this policy.

Screen Sharing

Enable the user to view or control the remote screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Application Sharing Restrictions

Limit access to specified applications on the remote system with either Allow only the listed executables or Deny only the listed executables. You may also choose to allow or deny desktop access.

Note: This feature applies only to Windows and Linux operating systems and does not include Remote Desktop Protocol (RDP) or VNC sessions.

Add New Executables

If application sharing restrictions are enforced, an Add New Executables button appears. Clicking this button opens a dialog that allows you to specify executables to deny or allow, as appropriate to your objectives.

After you have added executables, one or two tables display the file names or hashes you have selected for restriction. An editable comment field allows administrative notes.

Enter file names or SHA-256 hashes, one per line

When restricting executables, manually enter the executable file names or hashes you wish to allow or deny. Click on Add Executable(s) when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

Browse for one or more files

When restricting executables, select this option to browse your system and choose executable files so that their names or hashes are derived automatically. If you select files from your local system in this way, take care to ensure that the files are in fact executables: the browser performs no verification of file type.

Choose either Use file name or Use file hash to have the browser derive the executable file names or hashes automatically. Click Add Executable(s) when you are finished to add the chosen files to your configuration.

You may enter up to 25 files per dialog. If you need to add more, click Add Executable(s) and then reopen the dialog.

Note: This option is available only in modern browsers, not in legacy browsers.

Allowed Endpoint Restrictions

Set if the user can suspend the remote system's mouse and keyboard input. The user may also prevent the remote desktop from being displayed.

Allowed to log in using credentials from an Endpoint Credential Manager

Enable the user to connect to your Endpoint Credential Manager and use credentials from your existing password stores or vaults.

Use of the Endpoint Credential Manager requires a separate services agreement with Bomgar. Once a services agreement is in place, you may download the required middleware from the Bomgar self-service center.

Note: Prior to 15.2, this feature is available only in sessions started from an elevated Jump Client on Windows®. Starting with 15.2, you also may use an Endpoint Credential Manager in Remote Jump sessions, Microsoft® Remote Desktop Protocol sessions, VNC sessions, and Shell Jump sessions. You may also use this feature with the Run As special action in a screen sharing session on a Windows® system.

Annotations

Enables the user to use annotation tools to draw on the remote system's screen. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

File Transfer

Enables the user to upload files to the remote system, download files from the remote system, or both. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Accessible paths on the endpoint's filesystem

Allow the user to transfer files to or from any directories on the remote system or only specified directories.

Accessible paths on user's filesystem

Allow the user to transfer files to or from any directories on their local system or only specified directories.

Command Shell

Enables the user to issue commands on the remote computer through a virtual command line interface. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

System Info

Enables the user to see system information about the remote computer. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Allowed to use system information actions

Enables the user to interact with processes and programs on the remote system without requiring screen sharing. Kill processes; start, stop, pause, resume, and restart services; and uninstall programs.

Registry Access

Enables the user to interact with the registry on a remote Windows system without requiring screen sharing. View, add, delete, and edit keys; search; and import/export keys.

Canned Scripts

Enables the user to run canned scripts that have been created for their teams. If Not Defined, this option will be set by the next lower priority policy. This setting may be overridden by a higher priority policy.

Save Policy

Click Save Policy to make this policy available.

Export Policy

You can export a session policy from one site and import those permissions into a policy on another site. Edit the policy you wish to export and scroll to the bottom of the page. Click Export Policy and save the file.

Import Policy

You may import those policy settings to any other Bomgar site that supports session policy import. Create a new session policy and scroll to the bottom of the page. Browse to the policy file and then click Import Policy. Once the policy file is uploaded, the page will refresh, allowing you to make modifications. Click Save Policy to make the policy available.

Session Policy Simulator

Because layering policies can be complex, you can use the Session Policy Simulator to determine what the outcome will be. Additionally, you could use the simulator to troubleshoot why a permission is not available when you expected it to be.

User

Start by selecting the user performing the session. This dropdown includes both user accounts and access invite policies.

Session Start Method

Select the session start method.

Jump Client / Jump Item

Search for a Jump Item by name, comments, Jump Group, or tag.

Simulate

Click Simulate. In the area below, the permissions configurable by session policy are displayed in read-only mode. You can see which permissions are allowed or denied as a result of the stacked policies, as well as which policy set each permission.
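The added example below (not Bomgar code; policy, tool and function names are assumptions) models the layering rule from the Tools section and the simulator's output: layers are walked from Jump Client down to the global default, the first policy that does not leave a permission Not Defined decides it, and each result records which policy set it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOT_DEFINED = None  # "Not Defined": leave the permission to a lower-priority policy

TOOLS = ["screen_sharing", "annotations", "file_transfer", "command_shell",
         "system_info", "registry_access", "canned_scripts"]


@dataclass
class SessionPolicy:
    display_name: str
    # tool -> True (enabled), False (disabled) or None (Not Defined)
    tools: Dict[str, Optional[bool]] = field(default_factory=dict)

    def setting(self, tool: str) -> Optional[bool]:
        return self.tools.get(tool, NOT_DEFINED)


def simulate(layers: List[Tuple[str, Optional[SessionPolicy]]]) -> Dict[str, Tuple[bool, str]]:
    """layers is ordered from highest to lowest priority, e.g. Jump Client, User,
    Global Default. Returns tool -> (allowed, which policy decided it)."""
    result = {}
    for tool in TOOLS:
        for level, policy in layers:
            if policy is None:
                continue  # e.g. a session with no Jump Client policy attached
            value = policy.setting(tool)
            if value is not NOT_DEFINED:
                result[tool] = (value, f"{level}: {policy.display_name}")
                break
        else:
            # Assumption: a permission that no layer defines is treated as denied.
            result[tool] = (False, "no policy defined this permission")
    return result


def build_sample() -> List[Tuple[str, Optional[SessionPolicy]]]:
    """Constructed policies: the global default enables every tool, the user
    policy disables two of them, and the Jump Client policy overrides one back."""
    global_default = SessionPolicy("Default", {t: True for t in TOOLS})
    user = SessionPolicy("Helpdesk", {"command_shell": False, "registry_access": False})
    jump_client = SessionPolicy("Locked-down server",
                                {"file_transfer": False, "command_shell": True})
    return [("Jump Client", jump_client), ("User", user), ("Global Default", global_default)]
```

Running `simulate(build_sample())` shows command_shell enabled by the Jump Client policy despite the user policy disabling it, and registry_access denied by the user policy because the Jump Client policy left it Not Defined.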