Conditional Access is a framework allowing you to control which devices, users, and user groups using TeamViewer Tensor have access to which data sources, services, and applications in your organization.
With Conditional Access, enterprise IT and security managers can maintain company-wide oversight of TeamViewer access and usage from a single location.
- Re-use options help administrators to select rules and create feature options for all access controls.
- Expiry dates to conditional access rules limit access by 3rd party vendors and temporary workforce.
- Centralized rules management within the client or the web app at https://web.teamviewer.com/.
- Assign permissions for remote sessions, file transfer, and meeting connections.
- Configure rules at the account, group, or device level.
- Cloud-based solution provides greater flexibility than an on-premise approach.
This article applies to all TeamViewer customers with a TeamViewer Tensor license and Conditional Access add-on or Tensor Pro or Unlimited licenses.
The following preconditions are required to be able to configure and use Conditional Access:
- Activated license with the Conditional Access add-on
- TeamViewer client version 15.5 or higher
- Knowing the DNS/IP address of the dedicated router
⚠Conditional Access is a security feature, and therefore, no connection is allowed initially as soon as the rule verification is activated!
Configuration of client and firewall
The client has to be configured to contact the dedicated routers because we are going to block access to the usual TeamViewer routers in the firewall with the next step.
The configuration of the registry can be done by running the following command or adding the registry keys through an import.
reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
After restarting the TeamViewer service, the client will not connect to the usual TeamViewer routers but to one of the dedicated routers instead.
To set the dedicated routers, you have to execute one of the following commands while TeamViewer is not running, depending on whether TeamViewer starts with the system or not.
# start with system
sudo defaults write /Library/Preferences/com.teamviewer.teamviewer.preferences.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
# not starting with system
defaults write ~/Library/Preferences/com.teamviewer.teamviewer.preferences.Machine.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
To set the dedicated routers you need to change the global.conf file and add the following entry:
[strng] ConditionalAccessServers = "YOUR_ROUTER1.teamviewer.com" "YOUR_ROUTER2.teamviewer.com"
Restart the TeamViewer service after editing the global.conf.
Adjust your Firewall to block the following DNS-entries:
As soon as this configuration is active, clients that didn't get the information to connect to the dedicated router will not be able to go online anymore. This is relevant for blocking unauthorized TeamViewer clients.
Conditional Access is working with a rule engine as well as Feature options in the back end. You can manage the rules and Feature options centrally in the client or at https://web.teamviewer.com/.
After you purchase and activate your license, you will see an additional section in the Organization Management category within the Admins settings called Conditional Access.
Feature options within Conditional Access allow you to customize your rules, e.g., if certain users/user groups should only have limited access rights when connecting to specific devices.
📌Note: If you want to add a feature option to your rules, you need to create the feature options first. If you do not want to use feature options, you can continue reading here.
When creating a rule, the feature options can be added to the rule.
💡Hint: An option defines the access level during a connection.
Add a feature option
Feature Options are created in the Conditional Access section of the Management Console. To add a new feature option, please follow the below steps:
1) Navigate to Conditional Access ➜ Rule options ➜ + Add option and select Feature option:
2) Now, define a name for the feature option and exactly what should and what shouldn't be available during the connection.
📌Note: Options that are in use by Conditional Access rules cannot be deleted; an error message informs the user that the option is in use.
In the example below, every setting has been set to After confirmation:
📌Note: The Switch sides feature is, per default, set up as Deny, as when enabled, the access control permissions of the expert are being transferred to the session participant.
Overview of rule options
All created rule options for Conditional Access rules can be viewed in the rule options section. Filtering and editing of the options are possible, too.
📌Note: More option types will be available in the future.
Different rules valid for the same connection
In case a user is part of multiple user groups that are using different Conditional Access rules, the rules with the highest permission set have the highest priority.
For example, if one rule allows file transfer, but another rule does not allow it, the file transfer will be possible.
Feature options vs. local settings
The Feature Options for Conditional Access are complimentary to access control settings on the device.
For example, if the Conditional Access Options of a rule allow file transfer, but the access control settings on the device do not allow it (either set via policy or locally in the options), file transfer will not be possible.
Add a rule
💡Hint: A rule defines who can connect where, when, and how.
In the rules section of the Conditional Access menu, you will see an overview of your rules.
As we mentioned before, Conditional Access starts by blocking everything initially, which also makes the management of the rules easier as there is no possibility for contradictory rules.
To add a new rule, go to Conditional Access ➜ Rules ➜ + Add rule.
You have the possibility to add rules devices, accounts, groups, managed groups, user groups, and directory groups both for the source type and the target type.
Depending on what you choose as source type and target type, you need to choose a corresponding source and target, e.g, a specific User Group out of your User Groups if you choose User Group as a Type. Or a user if you selected Account.
Alternatively, if you choose All, all User Groups (or another chosen source) will be added.
💡Hint: There is auto-completion available when typing in source and target for all devices and accounts that are in your computers & contacts list. Additionally, all accounts from your company are also considered in the auto-completion.
📌Note: You are still able to add devices that are not in your Computers & Contacts list by entering the TeamViewer ID. With respect to groups, you can only add them if you are the owner of the group. This is a security measure.
Expiration dates for Conditional Access rules
You can add an expiry date to the Conditional Access rules.
The expiration functionality is important for any scenario where certain TeamViewer users should receive access to specific devices for a limited time only:
- Project-based work
- Interns, part-time workers, etc.
- Substitutes, stand-ins, and others helping out for a limited time
Expiration dates can be set for new and existing rules.
💡Hint: The Expiry defines from when until when the rule will be active.
Expiration dates can be edited at any time:
- Select the rule you want to edit.
- Click Edit.
- Click the rule expiry button.
Several timeframes can be added to one rule. Expiry status for all rules can be seen in the overview:
- No expiry (no expiry set),
- Scheduled (in the future),
- Active (currently within the timeframe),
- Expired (in the past)
Enable rule verification
Added rules are not automatically enabled.
Please click Activate to make sure that only the connections allowed by the rules are possible and nothing else.
Block Meetings is also available. However, this is an "All or nothing" setting. If enabled, all meetings are blocked. No exceptions.