"Allow account assignment without confirmation" missing on Design/deploy host page.

jhilkey

I'm seeing in some old articles a checkbox with this option. We have an old install that doesn't ask for confirmation, but new ones do. We are trying to deploy to hundreds of machines, without user interaction, and this is putting a hard stop to the project.

Anyone know where this option went or if it needs specific permissions?

Note: We're using Full/Host topology with managed "use managed group assignment"

JeanK

Hi @jhilkey,

Welcome to the Community!

To ensure your devices prompt you for a confirmation when connecting to it, you can deploy a policy with the parameter Access Control within the parameter Access Control (incoming connections) set to Confirm all.

Don't forget to Enforce the setting, so the end users can't change it.

Let me know if this helps.

/JeanK

jhilkey

This isn't what I was referring to. I could have explained a bit better:

This option:

isn't there when this option is set, and defaults to the unchecked behavior:

So if your'e using "use managed group assignment" then after the install, if you try to give it an assignment, it prompts the user even if it's installed silently. The user can click no, which reverts all the changes back, and opens them up to connections from external sources, which is a huge security issue.

As a workaround, I've turned OFF "Use Managed Group Assignment" and checked this option, then ran the assignment --id command line, and it assigns it to the managed group anyway without confirmation. So it appears that what needs to happen is for TeamViewer team to add the same functionality when using managed group assignment.

DarrynH

I agree this is happening to me also..

After deploy via /qn i have found it still prompts the first user on the device to approve and if they choose cancel it reverts back to normal install meaning we are now open to not meeting our cyber requirements.

Please provide an update if you can please.

Here is the sequence i am using

msiexec /i "TeamViewer_Host.msi" /qn CUSTOMCONFIGID=<custconfigid> APITOKEN=<apitoken>

jhilkey

@DarrynH I did find a workaround. The workaround is to turn off that "use managed group assignment" slider, but still use the --assignment switch in the install command. It will still get added to the managed group if you do that even if that slider setting is off. The difference being is that if it's off, you can check that box that allows group assignment, and then it won't ask when you assign it. It'll just do it.

Honestly, I'm not sure what that slider does anyway because the --assignment switch is still used in the documentation in the host install instructions on the site. It doesn't appear to be working as intended.

DarrynH

@jhilkey Thank you so you do it like this?

msiexec /i "TeamViewer_Host_15.33.msi" /qn CUSTOMCONFIGID=<custconfigid> APITOKEN=<apitoken> ASSIGNMENTOPTIONS="--id <assignment_id_copied_from_design_deploy_tab >"

Documentation is not really that good and i have tried numerous ways but no luck

I've been looking at these support docs but no luck.

https://community.teamviewer.com/English/kb/articles/109284-assignment-options-5-6

https://community.teamviewer.com/English/kb/articles/108805-assign-a-device-to-your-company

jhilkey

@DarrynH almost, I use the script provided here: Deploy TeamViewer (Host or full client) - 9/9 - TeamViewer Support

start /wait MSIEXEC.EXE /i "PATH_TO_MSI_FILE\TeamViewer_Host.msi" /qn CUSTOMCONFIGID=YOUR_CUSTOM_CONFIG_ID
timeout /t 30 /nobreak
"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" assignment --id YOUR_ASSIGNMENT_ID

The thing I've noticed is that if teamviewer isn't running, then the third line doesn't work. That's why they put the second line in there that just tells it to wait 30 seconds to let the install finish before it runs the third command. There are a couple ways to approach that, you can either build it into your install script, or set it to run on computer/user login using GPO so that it always gets applied when the computer connects or a user logs in.

The way I THINK Teamviewer intends on this working is that when using the "Use managed group assignment" slider, you don't have to copy that awful and unnecessarily long assignment ID. It will just add it to the assignment based on the much shorter and more manageable configuration ID that is built into the custom config. But since they didn't add that checkbox that allows you to bypass the user being asked to verify the computer should be joined to the corporation, it really kills that method for mass deployments. Until they fix it, you'll need to manually assign the PC using the command they provided on that third line.

DarrynH

https://community.teamviewer.com/English/discussion/comment/142792#Comment_142792

@jhilkey Thank you for the quick reply. Appreciate it.. I'm using SCCM commands at the moment so i will try the above to see if i can have it wait.

I agree that it does work well in auto placing within the relevant managed group, Ideally though it needs to have the function same as a normal group by not asking the end user.

jhilkey

Here's a step-by-step on how I got this working:

1.    In design/deploy, customize your host file.

2.    Be sure to turn "Use Managed Group Assignment" OFF.

3.    Verify there's a checkmark next to "Allow account assignment".

4.    Save, then download your MSI file.

5.    Go to Policies, then configure your policy how you want it. You can create a different policy for different groups if you wish.

6.    Go to Assignment and create an assignment for each of your managed groups. I recommend naming the assignment after the managed group(s) that it is using.

7.    In each assignment, make sure that "Device Groups" is set to your corresponding managed group.

8.    Under "Policy:Inherit from group" is set to your managed group for this assignment.

9.    Once your assignments are set, then copy/paste the assignment ID to a notepad for later. You can copy it by clicking the clipboard icon(s) on the assignment page.

10. Go to device groups, and on each, do the following: click the edit pencil-looking icon to edit the group. Under assign teamviewer policies, choose the policy you want to have for that group.

11. Install your custom MSI on a test machine. Modify the options you want on the teamviewer client manually (like disabling the temporary password, requiring admin to make changes, etc.).

12. Once everything is set the way you want it, go to the advanced tab in the client options, and select “Export to a *.tvopt file” and save it in the same directory as your custom MSI. IMPORTANT: Name the file “TeamViewer_Settings.tvopt” or the install will say that it can’t find it, and fail the install. This is so teamviewer has a set of default settings should the install ever get unmanaged somehow, it’ll revert to these settings.

13. Now you’re ready to deploy. To do this, use this script:

start /wait MSIEXEC.EXE /i "PATH_TO_MSI_FILE\TeamViewer_Host.msi" /qn IMPORTREGFILE=1 CUSTOMCONFIGID=YOUR_CUSTOM_CONFIG_ID

14. This will install the client with your customized settings from the TeamViewer_Settings.tvopt file, but it won’t assign it to the correct managed group. To do that, use the following script AFTER the client is installed, and it is up and running:

  "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" assignment --id YOUR_ASSIGNMENT_ID

After that, it should be installed, and in your managed groups.

Note: Computers get the policy from the Managed Group they're in. The Assignment merely puts the computer into a managed group. In the assignment tab, the manages are users who can use the assignment to assign computers to the assignment's configured groups. In the group edit window, managers are different than on the assignment section, and apply to only that group.

jhilkey

I forgot to mention: You'll need to modify the last command and keep a different command for each assignment.

"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" assignment --id YOUR_ASSIGNMENT_ID

For me, this means I have 3 different installs that add computers to differrent managed groups.

jhilkey

During mass deployment, I had 3 commands that ran to deploy this smoothly to roughly 400 PC's (using PDQ).

First command:

start /wait MSIEXEC.EXE /i "PATH_TO_MSI_FILE\TeamViewer_Host.msi" /qn IMPORTREGFILE=1 CUSTOMCONFIGID=YOUR_CUSTOM_CONFIG_ID

Second Command

Wait 15 seconds

Third command

"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" assignment --id YOUR_ASSIGNMENT_ID

The reason for the wait command is that PDQ (and I suspect others) will mark installing the MSI as "Successful" even if it's still running and hasn't completed yet.

DarrynH

Thank you @jhilkey

I have changed my deployment via sccm to run a bat instead, running it manually appears to work so trying via a full PXE build to see if it works the same way.

jhilkey

https://community.teamviewer.com/English/discussion/comment/142809#Comment_142809

I haven't been able to get a .bat file to work with this method. I get an error saying "you don't have permissions to install this for all users" even though I'm logged in as admin, and run it as admin. Still trying to figure that one out.

ilkera

https://community.teamviewer.com/English/discussion/comment/142314#Comment_142314

There are "device groups" and "groups".

When we turn on "Use Managed Group Assignment" computers are added to groups inside "device groups"

when we turn it off and use assignment id, device is added to groups inside "groups"

are you saying that you are able to add devices to "device groups" even though "use managed group assignment" is off?

BenvicJulienDijon

support answer :

Older deployment methods such as GPO and .mst transformation files are unfortunately not supported by TeamViewer and could have issues.

We advise to install .MSI packages either via directly running/pushing a .bat file which have the install command and all the parameters or through MDM deployment software such as Microsoft Endpoint Manager ( inTune ). 

As per the screenshot seems that the module is not set up for mass deployment. If the “Use Managed Group Assignment” is ticked - a pop-up will appear to confirm the account assignment at the end of the installation;if is unticked - no pop-up will appear to confirm the account assignment at the end of the installation 

I added [Removed as per Community Guidelines] a example script which has the uninstall and install command.

​

You need to modify these variables with your own:

%~dp0TeamViewer_Host.msi - the location of the file( if the script is not in the same location with the msi)

YOUR_CUSTOM_CONFIG_ID - how to create it https://community.teamviewer.com/English/kb/articles/109367-create-your-module-3-9

1. Log into the Management Console: https://login.teamviewer.com/
2. Click on Design and Deploy
3. Click on the plus sign (+), then select Host.
4. Customise your module by adding your corporate identity (logo, custom text, etc.)
5. Untick all the boxes as shown below and click Save.

 

 and the YOUR_ASSIGNMENT_ID - https://community.teamviewer.com/English/kb/articles/109371-create-an-assignment-configuration-7-9

 

As I mentrioned i f you want to use a GPO this is not part of our support you could save the script as a .bat file and add it as a startup script in the GPO.

That is what most customer do when deploying via GPO:

Within the group policy console you can go to computer configuration > Policies > Windows Settings > Scripts > startup > click add to select the bat file you want to setup for running whenever the computer starts next time.

JoeNZ

so what is the answer now to address this issue? This settings seems new as our current host custom module didnt have this extra setting if you turn off the slider. I am a bit hesitant to delete and create a new package not knowing the impact or issue it may create when the config ID changes as I created a new custom module.

Rob_CC

I'm preparing to deploy to 5000+ devices and this has me pulling out my hair. It is worth noting that if you use  “Use Managed Group Assignment”, you can proceed with the execution of

'pathto\teamviewer.exe assignment --id assignmentidhere'

Interestingly, it will apply your assignment settings and still display the account assignment dialog box. Even if the user clicks cancel, it will retain proper configuration and assignment.

This is not a fix by any means as I'm sure it would just create hundreds of people worried about a cyberthreat or which option they should click on. I really don't understand why this isn't cared for with the configuration ID / initial setup.

I guess I will go back to the old deployment method for now; at least it works unassisted. You could just periodically run the automated device migration wizard in the management portal to care for this; but it is messy.

WCSD_DOT1

Whats the solution to this TeamViewer? usingthe new web.teamviewer.com portal

JeanK

Hi @WCSD_DOT1,

I answered on this thread. 🙂

Cheers,

/JeanK