Greetings all,
We have a Tensor license going for our company.
With that we've created user accounts with our domain for our employees that need to work from home.
We then make sure that their Office computers are added to device groups with a policy assigned, at which point we add the specific user to be a "Manager" of their computer with only "Easy Access" enabled.
The office computers are outfitted with our host module; random password is disabled, as they do not need to grant access to anyone.
We also make sure that TFA is enforced on their user account.
Now here lie my issues with this entire setup:
Enforcing TFA on the TeamViewer account means we need the user to have an authenticator,
which is fine, but here is what happens when the user goes home.
They install TeamViewer, log into their account, input their TFA code, and away they go.
Now let's say most users, before they sign in, tick "Keep me signed in"; therein lies the problem.
Let's assume their computer at home has no password on their account; then the only line of defence we have is our domain login once connected. I've tested this, and no matter what I do at the home computer, TeamViewer starts with Windows and remembers your login; it won't even prompt for TFA. So there you have an already logged-in TeamViewer account with a computer listed with "Easy Access", which will let anyone who has access to said computer connect to it.
Unless you specifically tell TeamViewer not to keep you signed in, but then that would force the user to be disciplined enough to exit TeamViewer when done.
Now let's look at the TFA for connections. I can't believe that this feature requires a separate app; forcing a user to use two different apps for TFA is a tad ridiculous.
A lot of people these days have an authenticator app, whether it's Google, Microsoft or even Authy. I'd be ready to add a 2nd TeamViewer entry for TV Connection, but here it seems I have to have the TeamViewer Remote Connection App.
It also doesn't help that this feature is not deployable from the Management Console in any shape or form. This solution isn't really practical; the idea is there, but using multiple authenticators for this seems out of place.
Now, back to the Trusted Devices: we get to see their "home" device there.
If I go to revoke said trust, I'm afraid it doesn't do anything. If the "Home" client is still logged in, it still lets you make a connection. Then, even if I sign out and back in (with TFA prompt), it will re-add the device in the Trusted Devices and carry on as normal.
I thought revoking the trust would force some sort of re-confirmation of said device, even if it is the same one, when re-connecting / re-signing into the user account. And yet it didn't.
The other option is to slap a personal password on the office computer, again a manual process that has to be done with the user so they know the password to make the connection. There is no way to push a personal password to a specific device via the Management Console.
With the TeamViewer Management Console, there is a "signed out automatically" option, which then prompts us in IT to re-login and TFA, which is great. Why can't we enforce this on our users' accounts on their client? We already know of session timeouts, but here we're at an account level.
I'd be more inclined to leave "Easy Access" on for a user if I knew they would be prompted by the same TFA authenticator.
I just don't like that the TeamViewer client will pretty much keep me indefinitely logged in, even upon a restart of the computer, with no way around it other than having the user disciplined enough not to tick "Keep me signed in".
Now, maybe I'm missing something in all of this and there is another function I don't know of, or a different way to go about it.
You could argue that if we are so concerned about this, we should be supplying the gear for the WFH setup and have control of said environment, but then how far do you go? Where do you stop? Introducing business hardware into a personal environment, who's going to be responsible for what? Power usage, bandwidth usage, physical space usage?
Anyway, that's not the issue here; we're concentrating on TeamViewer in my previously mentioned scenarios, and I'm looking to have a better controlled environment where I don't lose so many "steps" to get into a computer.
Without using TeamViewer Remote Control as a 2nd TFA or a personal password, I'm down to just connecting and being greeted with the office computer's login screen.
Are there other options?