FAQ and Best Practice Guide for Tensor customers

Scotty
Scotty Posts: 493 Staff member 🤠

Read this article in: Japanese 


Below is our Best Practices-Guide and FAQ for Corporate and Enterprise level customers who will need multiple users set up and managed into the future as well as mass deployment.

How to create a Master Account?

To make sure there is no confusion later, we recommend all devices, groups, and modules must have a single account as their owner.
We have an article on this here

These can be viewed and modified by others with the correct rights, but some things are restricted to the owner such as:

  • Deploying New Policies
  • Remotely assigning devices
  • Fixing some issues

To ensure that your account stays centralised and as some functions can only be done by the admin, we would recommend that all of your deployment modules and groups be created and kept under a single master.

Generally, this would be set up with an email like "admin@yourcompany.com" or "support@yourcompany.com"

You can have a person's account as the administrator. However, this user must make sure that they pass the account to someone else when they leave.
Also, note there are some functions that can only be performed by this user.

What about 2 Factor Authentication?

If using a centralised account, to keep the account secure and accessible to your admins, we would recommend protecting this account with 2FA (2 Factor Authentication)

More information on this can be found here

When this is set up, you will be given a QR code. This can be kept and used to activate more users at a later date but must be kept absolutely secure.

Each admin who should have access to the master should have the 2FA code running on their mobile.

Note: Please also make sure you keep the recovery code is a safe place.

SSO - Best Practice

If using a centralised account and SSO (Tensor license users only), we would recommend the Admin account be exempt. This also serves to allow SSO to be fixed should something go wrong and your users get locked out.

See also: Single Sign-On (SSO) 

What is the custom Host for deployment?

A custom Host module has your settings and requirements pre-configured as well as your own branding for a custom look. See also: All about TeamViewer modules | Customized Host module

 The settings of these can also be centralized which is explained in the next section on policies

How do I create my custom Host?

A Host module is a version of the software that allows only incoming connections.

It can be configured with your own settings and be set to automatically add devices into your contacts list.
We have a walk through on this hereHost.png

Tip: Custom branding is dynamic. If you deploy the software and then change the branding or color scheme later, the changes will take effect on your endpoints on the next restart of the software.

Settings for the Host

User Visible

The example on the left will be what your user sees. You can change colors, logos, and text here.

Name

This is just for your reference. Customers will not see this.

Automatically add computers to a group in your contacts list

We would recommend you create a group called "New Devices" or similar. This will be where unsorted devices go and they can be shifted to other groups later. If mass deploying, a different group can be specified on deployment, there is no need to create different modules to have them go into different groups.

Allow Customer to Initiate a Service Case

This will place a button on the host allowing users to create a support case within TeamViewer. If you want them to contact another way, unchecked this box. 

More information on service cases can be found here

Policy

Policies are covered in the next section. If you have only one policy you would like to set for your company, you can set this here. If you have multiple policies, we would recommend selecting "Inherit from group" and then set the policy on each of your contact groups. Policies will then reflect whatever group you move the device to at any time.

Tip: Policies are only set when the software is deployed. If you deploy your host and then set a policy under "Design and Deploy" later, this policy will only apply to hosts that were installed after the policy specified

Allow Account Assignment

This box will allow assignment via Mass Deployment. This box is only available to Corporate licenses and higher.

Note that if you click this box, if you download the .exe package from the download link, this will no longer automatically assign or appear in your groups. If you need a host like this, you will have to create a separate module.

Permanent Link

The Permanent link is a link you can create that will download your custom module. When installed it will follow the rules and get the logos specified in your host. 

Note that this will not occur fully if you selected the "Allow Account Assignment" as mentioned above.

 Download MSI

This is only visible to Corporate users and above. You can download the MSI package here.

 Note: The package has no customization when download. The instructions must be followed and the package is deployed with a script to get customizations as covered in sections below.

Configuration ID

This is used during mass deployment. This code is used to download these settings and customizations from the server and applies them to the MSI package.

Using Policies to control TeamViewer Settings

Policies are settings that will be deployed with your custom host. You can select a policy when creating or editing your Host.
We have a walk through on creating policies as well as all of their functions here

Note that passwords cannot be deployed through policies – This can only be set through a reg file covered later in this guide.

Enforce
The Enforce button stops and users from changing this setting. We would recommend this is checked for all options.

Settings are based on hierarchy as shown below where 1 will override 2 and so on.

  1. Enforced Policy
  2. User set setting
  3. Policy without enforce
  4. Default Settings

Our most recommended Policies are:

Black and Whitelist   

This secures your devices so that only specified people can connect to your devices.
We have a guide on this here

If you are unsure, we recommend this is set to your company. This ensures that all users under "User Management" can connect

Password Strength

This controls the random password displayed on the front of the software. If no ad-hoc connections are needed and you have set up unattended access, we would recommend you set this to “Disabled”

Disable TeamViewer Shutdown 

This is a good setting as it stops end users from being able to shut down the software unless they are admins.

Access Control – Incoming Connections 

This is a good setting if you want to control how your users connect. For example, if you don’t want your techs able to jump into any device at any time, change this to “Confirm All” and the end-user would need to click “Allow” before you can connect.

Full Access Control When Connecting to the Windows Login Screen 

If you have set access control to “Confirm” above, this

Prevent removing account assignment 

This will stop end users removing your ability to apply policies

Report connections to this device 

This will make sure all connections to any device is recorded for security purposes.

These logs are recorded under device reports

Sharing your contacts list with others

The contacts list and groups are not shared by default.

You need to make sure that groups are shared with users who need to be able to access the devices contained.
We have a guide here on how to share groups

Mass Deploying the Software

You can mass deploy the software using common deployment methods.

Creating your deployment script

This script controls the behavior of your install and also allows it to pop up in your list automatically without confirmation.

Full instructions are here

Example:

msiexec /i "X:\TeamViewer_Host.msi" /qn CUSTOMCONFIGID=<Config ID> IMPORTREGFILE=1 APITOKEN=<APItoken> ASSIGNMENTOPTIONS="--alias %COMPUTERNAME% --grant-easy-access --reassign"

CUSTOMCONFIGID

set the logo and look of the host (the Config ID is created when you create your custom module)
APITOKEN - Assigns to your account (The API token is created when you create your custom module)

IMPORTREGFILE

Starting with TeamViewer 15.10.5 this is obsolete because now we use the "tvopt" file.

A reg file can't be exported anymore from the Client when using the latest version.

Also for the example MSI Parameter

ASSIGNMENTOPTIONS:

Controls the behavior of the install and link to your TeamViewer account

--alias

Sets the name of the device as it appears in your console

--grant-easy

access makes sure that the account this is assigned to can connect without a password

--reassign

makes sure the device is assigned to you even if it has been assigned to another account before

Setting personal passwords and other settings

If you want to provide a predefined password for your installation, you can put the settings file "TeamViewer_Settings.reg" (file name is mandatory) in the same directory as the MSI file.

This can also contain other settings if you would like.

How to get the settings file

?The following only applies to TeamViewer in versions 15.9 or older:

On a device with TeamViewer already installed:
In the Options dialog (Extras | Options) in the category, Advanced use the Button Export…
in order to export the *.reg file and name it TeamViewer_Settings.reg

If you only want a password, you can uncheck all the boxes in the window that appears and just enter the password.

Make sure to add the property IMPORTREGFILE=1 to your command when installing TeamViewer_Host.msi (version 13.2 or higher) or TeamViewer_Full.msi (version 14.0 or higher). 0 is the default value for IMPORTREGFILE and will not import the settings.

 

Senior Moderator
Did my reply answer your question? Why not accept it as a solution to help others?
Tagged: