Goverlan Client Agent Deployment and Management


The Goverlan Reach Client Agent must be installed on every client machine that needs to be managed with Goverlan Reach, our remote access software. The agent is very small (about 15 MB), stable and secure. It will not affect system performance.

Pushing the Goverlan Reach Client to remote systems can be done in several ways, depending on whether the remote system is within your organization or reached over the internet.

This article describes the deployment and maintenance of the Goverlan Reach Client.

System Requirements

The Goverlan Client Agent currently supports both Windows and MacOS operating systems. Both 32-bit and 64-bit architectures are supported.

Goverlan Agent OS requirements

  • Windows 7 and later (Intel/AMD only systems)
  • MacOS Catalina and later

Client agents for other platforms are currently under development; please check with our support department for updates.

Network Port

The Goverlan client agents expose the network port 22000 by default. This port is used for client communication. All communications to the client agent are encrypted, authenticated and audited.

If a firewall exists between your machine and the remote machine, the firewall must be configured to allow the Goverlan Client Agent port communication. Upon starting, the Goverlan client agent automatically configures the local Windows Firewall to authorize communication on that port (this behavior is configurable by Goverlan Reach Server policies).

It is possible to change the agent ports to a value of your choice using a Group Policy Object or a Goverlan Reach Server policy. See Network Ports used by Goverlan Reach for further information.
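
To review how the agent port is exposed on a managed Windows machine, the following added example (not Goverlan code) lists the process listening on the port and the inbound firewall rules that allow it, flagging rules open to any remote address. It assumes the default TCP port 22000 and a port-scoped firewall rule; the variable and property names are illustrative.

```powershell
# Added example (not vendor code): audit how the agent port is exposed on this machine.
# Assumption: the agent uses the default TCP port 22000 and its firewall rule is
# port-scoped; a program-scoped rule with LocalPort 'Any' will not be matched here.
param([int]$AgentPort = 22000)

# 1. Which process is listening on the port, and on which local addresses?
$listeners = Get-NetTCPConnection -LocalPort $AgentPort -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessPath  = $proc.Path
        }
    }

# 2. Which enabled inbound allow rules open that port, and to which remote addresses?
#    ActiveStore includes rules delivered by Group Policy as well as local rules.
$rules = Get-NetFirewallPortFilter -PolicyStore ActiveStore |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$AgentPort" } |
    ForEach-Object {
        $rule = Get-NetFirewallRule -AssociatedNetFirewallPortFilter $_
        if ($rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow' -and $rule.Enabled -eq 'True') {
            $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = $addr.RemoteAddress -join ','
                # 'Any' means every host that can route to this machine may reach the port.
                OpenToAny     = $addr.RemoteAddress -contains 'Any'
            }
        }
    }

$listeners | Format-Table -AutoSize
$rules | Format-Table -AutoSize

if (-not $listeners) { Write-Warning "Nothing is listening on TCP $AgentPort." }
$rules | Where-Object OpenToAny | ForEach-Object {
    Write-Warning "Rule '$($_.DisplayName)' allows TCP $AgentPort from any remote address."
}
```

Run it in an elevated PowerShell session on the endpoint; pass `-AgentPort` if a policy has changed the port.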

Deploying the Agent within my Organization

Automatic Installation and Maintenance

Within your organization, the Goverlan Client Agent is automatically installed and maintained on an as-needed basis by the Goverlan Operator Console. Upon accessing a remote system, Goverlan prompts you to install the agent if the remote machine is not equipped with it, or provides you with update options if applicable.


You can control the prompt behavior via the Client Agents section of the application settings.

Automatic agent installation & maintenance has the following prerequisites, depending on the target operating system (Windows or MacOS).

Windows Prerequisites for Agent Pushing and Maintenance

  1. The operator must hold local administrative privileges on the remote machine. If local administrative privileges are not held, alternate credentials can be specified (see Using Alternate Credentials).
  2. Port 445 and the C$ / ADMIN$ shares must be accessible (Windows Print & File Sharing).
  3. The Remote Registry service or WMI Management must be enabled on the remote machine.

MacOS Prerequisites for Agent Pushing and Maintenance

  1. The operator must hold local administrative privileges on the remote machine. If local administrative privileges are not held, alternate credentials can be specified (see Using Alternate Credentials).
  2. Enable MacOS Support in the Goverlan Reach Console settings. See Goverlan Reach MacOS Client Agent for more details.
  3. Remote Login must be enabled on the MacOS side under System Preferences > Sharing.

MacOS requires explicit permissions be given to the agent after it is installed. If the permissions are not set there will be limited functionality. Please see Goverlan Reach MacOS Client Agent for more information.

Pre-Installing Client Agents

In the event you wish to pre-install the Goverlan Client Agent on your machines, you can use one of the following methods to push agent installation on one or more systems.

Using the Goverlan Operator Console

Within the Goverlan operator console, right-click on any computer object and select the desired Reach Client Agent action to perform.

Using the Goverlan Agent Manager

The Goverlan Agent Manager can be accessed from the Application menu of the Goverlan Reach Operator Console or the Goverlan Reach Server.

The Goverlan Agent Manager can be used to deploy, update or remove the Goverlan Client Agent on one or more remote machines. It can also be used to push some configuration to these systems.

See: The Goverlan Agent Manager

Using an Installation Package

You can pre-install the Goverlan Client Agent via an installation package that is distributed to your machines and run manually.

A Goverlan Client Agent installation package can be generated as an MSI, EXE for Windows or PKG for MacOS, using the Goverlan Agent Manager. These installers can also be pre-configured with specific settings before being generated.


MacOS requires explicit permissions be given to the agent after it is installed. If the permissions are not set there will be limited functionality. Please see Goverlan Reach MacOS Client Agent for more information.

Using a Goverlan Process Automation

Goverlan Client Agents can also be managed using a Goverlan Process Automation.

  1. Create a Goverlan Process Automation and define a computer scope.
  2. When configuring the Process Automation Actions, select the desired task under the Goverlan Agents category of the Execute section.

See: Process Automation 

Deploying the Agent to Off-Site Machines

To manage machines over the internet, the Goverlan Reach Gateway services must be enabled. Once configured, the Goverlan Reach operator console auto-displays a new side panel named On-Demand Assist.

This panel is used to initiate On-Demand assistance sessions, or to install the Goverlan Client agent as a service, enabling unattended remote management of that node.

  1. Open the Goverlan Reach operator console or Goverlan Reach RC.
  2. Open the On-Demand Assist side panel and click Send a request, then select Generate a client email.

    To enable unattended installation, confirm that Enable Permanent Install Mode is activated before generating your client email.
  3. Send the email or the web-link to the remote user.

Once the remote user receives the email, they must click on the provided link to download the small Goverlan Reach Client and run it. The user is then prompted to choose an execution mode from the following options:

On-Demand Access

On-demand access provides you with full remote management services of a computer over the internet while the session is active. Remote management services are not restricted to a remote control session; the full set of Goverlan management services can be used during an on-demand session.

Instruct the user to click on the Start Support Session button to initiate the remote assistance session. This will generate a session ID that you must enter in the Goverlan operator console to connect to the session.

Once the session is connected, you will be able to perform any management tasks on this node, including remote desktop access, software deployment, task management, etc.

Elevating On-Demand sessions to Administrative Sessions

To gain local administrative access to the machine during the assistance session, ask the remote user to enable the provide administrative access option. This option is required if you wish to handle UAC acceptance prompts.

Elevating the session to admin can also be accomplished by injecting local administrative credentials after a session has started. Look for the following controls after the session has been established.

Elevate Session to Admin – Use this control to elevate the remote session to an administrative session. On Windows, this will allow you to access all UAC prompts.

Convert to Unattended Endpoint – Use this control to convert the entire session to a permanently managed node. After the conversion is complete, the device will appear under External Devices.

To close a remote assistance session, the remote user must close it by clicking on the Cancel button of the session window.

Unattended Installation

To perform an unattended installation of the Goverlan Client Agents, instruct the remote user to enable the Authorize Permanent Access option then click on the Provide Unattended Access button.

Once installed, the machine automatically registers itself to the Goverlan Reach Gateway services and is available for unattended management under the External Devices section of the Goverlan Reach operator console.

External unattended nodes are configured with an Organization ID. This Organization ID is used to group external nodes in containers for easy browsing in the Goverlan operator console. The default Organization ID is set to the Organization Name configured in the Gateway services. However, it can be modified in the Goverlan Client Control Panel applet.

Goverlan Reach Client Configuration – Control Panel Applet

Once a machine is equipped with the Goverlan Reach Client Agent, a configuration control panel app is accessible for Windows and MacOS. This application can be used to review and change the configuration of the agent on the local machine or grant the required permissions for MacOS agents. See Goverlan Reach MacOS Client Agent for more information on MacOS Agent Deployment.

The Goverlan Client Configuration application can be found in the following locations:

  • Windows – Control Panel > System and Security area (or simply enter ‘Goverlan’ in the Search Control Panel field to find the applet)
  • MacOS – Finder > Applications

Windows Control Panel App



MacOS App


Agent Network Settings

Defines the communication port used to communicate with this endpoint as well as the gateway services configuration (if enabled).

Roaming Detection Method

Roaming may be configured in multiple ways.

Use Gateway’s Private Facing Address (Default) – If the endpoint cannot contact the Private Facing Address, it will register as an external endpoint.

Use Active Directory for Domain Joined Machines – If the endpoint cannot contact a domain controller for its assigned domain, it will register as an external endpoint. Non-Domain endpoints will use the Gateway to determine their roaming status.

Always Register – The endpoint will always register to the Reach Gateway. Roaming detection will be disabled.

Local Desktop Access

Defines the user acceptance configuration and behavior of the agent during a remote desktop access session. For instance, the agent can be configured to prompt the local user to approve a session before it is started, or accept the session automatically and display a notification message, or disable remote desktop access entirely.

MacOS Only – System Access

Specific permissions must be granted to the Goverlan Reach MacOS application. This screen allows you to verify whether the permissions have been granted and lets the app request them. See Goverlan Reach MacOS Client Agents.

How to Globally Configure Client Settings

Client configuration, behavior, and branding can be centrally configured using the Goverlan Global Policies feature of the Goverlan Reach Server. Once Global Policies are enforced, the control panel applet will not allow the modification of the client configuration.

Uninstalling the Goverlan Reach Agents

Depending on the method used to install the agent, you can remove the client agent using one of the following methods:

  • On-site and external unattended nodes: Use the Goverlan operator console or the Goverlan Agent Manager.
  • Via installation package: Use Windows Programs & Features, or drag the Goverlan Client App to the trash can in MacOS.
  • If you no longer have Goverlan installed: Contact our support department and we will send you an uninstaller package.


Updated on June 6, 2023
