Security is fundamentally broken by the very fact that you require two separate files, host and assignment files. This also applies with the full version where the user is prompted to “Allow and finish”. In either case, if the assignment tool fails or is not run, or the user does not click “Allow and finish”, then the TeamViewer install is never registered with our account; thus we now have a rogue client, which leaves a huge gaping hole.
The issue with TeamViewer really is not about the deployment of the product but how you handle policies, in that you are driving policies at the program level when it really should be at the user level. I honestly do not care where TeamViewer is installed; if you do not have a login (User management), then you will not get access to any of the TeamViewer hosts.
Computer:
The install should be a simple single file (there should be no host or full version) that is compiled and downloaded from our account and that will automatically assign when it is installed. Then a notification is sent to any of the Company Administrators to be approved or declined and to which group it is assigned to.
User:
Policies and groups are assigned to the user. Policies will define what options that user will have with the TeamViewer application.
The way that TeamViewer is designing things is backwards. You are applying policies to the computer when you are trying to control what the user can do at the computer. This makes no sense at all. Computers are dumb controllable objects; users are not. Policies need to be at the user level to mitigate possible user disgruntlement. Currently your setup allows a user to do more harm.