This article applies to all TeamViewer customers with a TeamViewer Enterprise/Tensor license and Conditional Access AddOn or Tensor Pro or Unlimited licenses.
This page is a short introduction to the different parts of Conditional Access and its configuration.
While block- and allowlist cover incoming connections, Conditional Access is the total package that empowers the administrators to control all connections - incoming and outgoing.
The following preconditions are required to be able to configure and use Conditional Access:
- Activated license with the Conditional Access add-on
- TeamViewer Client version 15.5 or higher
- Created a TeamViewer company (possible via MCO)
- Knowing the DNS/IP address of the dedicated router
⚠Conditional Access is a security feature and therefore no connection is allowed initially as soon as the rule verification is activated!
Configuration of Client and Firewall
The client has to be configured to contact the dedicated routers because we are going to block access to the usual TeamViewer routers in the firewall with the next step.
The configuration of the registry can be done by running the following command or adding the registry keys through an import.
reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
After restarting the TeamViewer service, the client will not connect to the usual TeamViewer routers but to one of the dedicated routers instead.
💡Hint: The MSI rollout with TeamViewer Settings is not possible with Azure and MS Intune!
To set the dedicated routers you have to execute one of the following commands while TeamViewer is not running, depending on whether TeamViewer starts with the system or not.
# start with system
sudo defaults write /Library/Preferences/com.teamviewer.teamviewer.preferences.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
# not starting with system
defaults write ~/Library/Preferences/com.teamviewer.teamviewer.preferences.Machine.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
To set the dedicated routers you need to change the global.conf file and add the following entry:
[strng] ConditionalAccessServers = "YOUR_ROUTER1.teamviewer.com" "YOUR_ROUTER2.teamviewer.com"
Restart the TeamViewer service after editing the global.conf.
Adjust your Firewall to block the following DNS-Entries:
As soon as this configuration is active, clients that didn't get the information to connect to the dedicated router will not be able to go online anymore. This is relevant for blocking unauthorized TeamViewer clients.
Conditional Access is working with a rule engine as well as Feature Options in the back end. You can manage the rules and Feature Options centrally in the Management Console.
After you purchased and activated your license, you will see an additional section in the navigation called Conditional Access.
Feature Options within Conditional Access allow you to customize your rules, e.g. if certain users/User Groups should only have limited access rights when connecting to specific devices.
📌Note: If you want to add a Feature Option to your rules, you need to create the Feature Options first. If you do not want to use Feature Options, you can continue reading here.
When creating a rule, the Feature Options can be added to the rule.
💡Hint: An Option defines the access level during a connection.
Add a new Feature Option
Feature Options are created in the Conditional Access section of the Management Console. To add a new Feature option, please follow the below steps:
1.) Navigate to Conditional Access --> Options --> click the + Button:
2.) The Add Feature Option dialog opens. Here, define a name for the Feature Option and exactly what should and what shouldn't be available during the connection.
📌Note: Options that are in use by Conditional Access rules cannot be deleted; an error message informs the user that the option is in use.
In the example below, every setting has been set to After Confirmation:
Overview of Options
All created Feature Options for Conditional Access rules can be viewed in the Management Console at any time. Filtering and editing of the Options are possible, too.
📌Note: More Option types will be available in the future.
Different rules valid for the same connection
In case a user is part of multiple User Groups that are using different Conditional Access rules, the rules with the highest permission set is having the highest priority.
For example, if one rule allows file transfer, but another rule does not allow it, the file transfer will be possible.
Feature Options vs. local settings
The Feature Options for Conditional Access are complimentary to access control settings on the device.
For example, if the Conditional Access Options of a rule allow file transfer, but the access control settings on the device do not allow it (either set via policy or locally in the options), file transfer will not be possible.
💡Hint: A rule defines who can connect where, when, and how.
After navigating to the Conditional Access page, you will see an overview of all rules. If no rule has been created yet, the page shows no rule.
As we mentioned before, Conditional Access starts from blocking everything initially, which also makes the management of the rules easier as there is no possibility for contradictory rules.
When you click on the + Button for add rule, a new page will appear.
You have the possibility to add rules Devices, Accounts, Groups, Managed Groups, User Groups, and Directory Groups both for the Source Type and the Target Type.
Depending on what you choose as Source Type and Target Type, you need to choose a corresponding Source and Target, e.g, a specific User Group out of your User Groups if you choose User Group as a Type. Or a user if you selected Account.
Alternatively, if you choose All, all User Groups (or another chosen source) will be added.
💡Hint: There is auto-completion available when typing in Source and Target for all devices and accounts that are in your Computers & Contacts list. Additionally, all accounts from your company are also considered in the auto-completion.
📌Note: You are still able to add devices that are not in your Computers & Contacts list by entering the TeamViewer ID. With respect to groups, you can only add them if you are the owner of the group. This is a security measure.
Expiration Dates for Conditional Access rules
You can add an expiry date to the Conditional Access rules.
The expiration functionality is important for any scenario where certain TeamViewer users should receive access to specific devices for a limited time only:
- Project-based work
- Interns, part-time workers, etc.
- Substitutes, stand-ins, and others helping out for a limited time
Expiration dates can be set for new and existing rules.
💡Hint: The Expiry defines from when until when the rule will be active.
Expiration dates can be edited at any time:
(Green: create a new time frame. Orange: edit existing ones. Time shown is UTC.)
Several timeframes can be added to one rule. Expiry status for all rules can be seen in the overview:
- never (no expiry set),
- scheduled (in the future),
- active (currently within the timeframe),
- expired (in the past)
Enable rule verification
Added rules are not automatically enabled.
Please use Activate Conditional Access to make sure that only the connections allowed by the rules are possible and nothing else.
Block Meetings is also available. However, this is an "All or nothing" setting. If enabled, all meetings are blocked. No exceptions.