Your comments

I'm not aware of any plans to sign/notarize the pkg at the moment, but a workaround would be to first deploy the support guest client, and then from the Support tab select all sessions and Install Access (though this is assuming that your license allows support sessions)

Signing the pkg without removing support for customization would be a significant undertaking (though of course you're welcome to create a separate feature request for that if it doesn't already exist).

You could also connect with a support session to begin with and then install the access agent from there; the support bundle is signed, so Gatekeeper shouldn't complain about that.

To clarify, the pkg itself is not signed, but the app it installs is. I don't believe we have any imminent plans to sign the pkg itself

Yes, the setting will default to 0 days, which disables expiration.

Users don't have an associated email address stored, though, so there isn't really a way to automatically send out any sort of password reset.