<main>
<article class="userContent">
<p><br></p><h2 data-id="general">General</h2><div class="blockquote"><div class="blockquote-content"><p class="blockquote-line"><em>This article applies to all TeamViewer customers with a TeamViewer Enterprise/Tensor license and Conditional Access AddOn or Tensor Pro or Unlimited licenses.</em></p></div></div><p>This page is a short introduction to the different parts of Conditional Access and its configuration.</p><p>While block- and allowlists cover incoming connections, Conditional Access is the complete package that lets administrators control all connections, both incoming and outgoing.</p><p><br></p><h3></h3><h2 data-id="preconditions">Preconditions</h2><p>The following preconditions must be met to configure and use Conditional Access:</p><ul><li>An activated license with the Conditional Access add-on</li><li>TeamViewer Client version 15.5 or higher</li><li>A TeamViewer company has been created (possible via MCO)</li><li>The DNS/IP address of the dedicated router is known</li></ul><p><strong>⚠ Conditional Access is a security feature: as soon as rule verification is activated, no connection is allowed initially!</strong></p><p><br></p><h3 data-id="-1"></h3><h2 data-id="configuration-of-client-and-firewall">Configuration of Client and Firewall</h2><h3 data-id="client">Client</h3><p>The client has to be configured to contact the dedicated routers because access to the usual TeamViewer routers is blocked in the firewall in the next step.</p><h4 data-id="windows">Windows</h4><p>The registry can be configured by running the following command or by adding the registry keys through an import.</p><p>32-bit Version:</p><pre class="code codeBlock" spellcheck="false" tabindex="0">reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
</pre><p>64-bit Version:</p><pre class="code codeBlock" spellcheck="false" tabindex="0">reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
</pre><p>After restarting the TeamViewer service, the client will not connect to the usual TeamViewer routers but to one of the dedicated routers instead.</p><p><br></p><h4 data-id="macos">macOS</h4><p>To set the dedicated routers you have to execute one of the following commands <strong>while TeamViewer is not running</strong>, depending on whether TeamViewer starts with the system or not.</p><pre class="code codeBlock" spellcheck="false" tabindex="0"># start with system
sudo defaults write /Library/Preferences/com.teamviewer.teamviewer.preferences.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
# not starting with system
defaults write ~/Library/Preferences/com.teamviewer.teamviewer.preferences.Machine.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
</pre><h4 data-id="linux">Linux</h4><p>To set the dedicated routers you need to change the global.conf file and add the following entry:</p><pre class="code codeBlock" spellcheck="false" tabindex="0">[strng] ConditionalAccessServers = "YOUR_ROUTER1.teamviewer.com" "YOUR_ROUTER2.teamviewer.com"
</pre><p>Restart the TeamViewer service after editing the global.conf.</p><h3 data-id="firewall">Firewall</h3><p>Adjust your firewall to block the following DNS entries:</p><ul><li>master*.teamviewer.com</li><li>router*.teamviewer.com</li></ul><p>As soon as this configuration is active, clients that have not been configured to connect to the dedicated router will no longer be able to go online. This is relevant for blocking unauthorized TeamViewer clients.</p><p><br></p><h3 data-id="-2"></h3><h2 data-id="getting-started">Getting started</h2><p>Conditional Access works with a rule engine as well as Feature Options in the back end. You can manage the rules and Feature Options centrally in the Management Console.</p><p>After you have purchased and activated your license, you will see an additional section in the navigation called <strong>Conditional Access</strong>.</p><div class="embedExternal embedImage display-medium float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/AEN0G7O02275/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/AEN0G7O02275/grafik.png" alt="grafik.png" height="281" width="264" loading="lazy" data-display-size="medium" data-float="none"></img></a>
</div>
</div>
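<p>For the Linux client entry and the firewall block list from the Configuration of Client and Firewall section above, the following check is an added example, not TeamViewer code. It parses the <code>ConditionalAccessServers</code> line in the format shown on the page and flags a client that would be cut off once the block is active. Assumptions: the firewall wildcards behave like shell-style globs, and the sample hostnames are constructed.</p>

```python
import re
from fnmatch import fnmatchcase

# DNS patterns the page says to block at the firewall.
BLOCKED_PATTERNS = ("master*.teamviewer.com", "router*.teamviewer.com")

# The Linux entry format shown on the page: [strng] ConditionalAccessServers = "a" "b"
ENTRY_RE = re.compile(r'^\[strng\]\s+ConditionalAccessServers\s*=\s*(.*)$')


def parse_servers(conf_text):
    """Return the quoted hosts from the ConditionalAccessServers entry, or []."""
    for line in conf_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            return re.findall(r'"([^"]*)"', match.group(1))
    return []


def audit(conf_text):
    """Return a list of findings; an empty list means the entry looks usable."""
    hosts = parse_servers(conf_text)
    if not hosts:
        return ["no ConditionalAccessServers entry: client goes offline once the block is active"]
    findings = []
    for host in hosts:
        name = host.lower()
        if name.startswith("your_router"):
            findings.append(f"{host}: placeholder was not replaced")
        elif any(fnmatchcase(name, pattern) for pattern in BLOCKED_PATTERNS):
            findings.append(f"{host}: matches a blocked firewall pattern")
    return findings


# Constructed samples; the hostnames are made up for illustration.
GOOD = '[strng] ConditionalAccessServers = "acme-ca1.teamviewer.com" "acme-ca2.teamviewer.com"\n'
TEMPLATE = '[strng] ConditionalAccessServers = "YOUR_ROUTER1.teamviewer.com" "YOUR_ROUTER2.teamviewer.com"\n'
BLOCKED = '[strng] ConditionalAccessServers = "router7.teamviewer.com"\n'

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("template", TEMPLATE), ("blocked", BLOCKED), ("empty", "")):
        print(label, audit(sample) or "ok")
```
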
<p><br></p><h3 data-id="-3"></h3><h2 data-id="feature-options">Feature Options</h2><p><strong>Feature Options </strong>within Conditional Access allow you to customize your rules, e.g. if certain users/User Groups should only have limited access rights when connecting to specific devices.</p><p>📌<strong>Note</strong>: If you want to add a Feature Option to your rules, you need to create the Feature Option first. If you do not want to use Feature Options, you can continue reading <a href="https://community.teamviewer.com/English/kb/articles/57261-conditional-access#adding-rules" rel="nofollow noreferrer ugc">here</a>.</p><p>When creating a rule, the Feature Options can be added to the rule.</p><p>💡<strong>Hint</strong>: An Option defines the access level during a connection.</p><p><br></p><h3 data-id="-4"></h3><h2 data-id="add-a-new-feature-option">Add a new Feature Option</h2><p>Feature Options are created in the <strong>Conditional Access</strong> section of the Management Console. To add a new <strong>Feature Option</strong>, follow the steps below:</p><p>1.) Navigate to <strong>Conditional Access</strong> --> <strong>Options </strong>--> click the <strong>+ Button:</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/KVT40GLKBCNN/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/KVT40GLKBCNN/grafik.png" alt="grafik.png" height="317" width="907" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>2.) The <strong>Add Feature Option</strong> dialog opens. Here, define a name for the Feature Option and exactly <strong>what should</strong> and <strong>what shouldn't be available</strong> during the connection. </p><p><strong>📌Note</strong>: Options that are in use by Conditional Access rules cannot be deleted; an error message informs the user that the option is in use. </p><p>In the example below, every setting has been set to <strong>After Confirmation: </strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/1U8YWFLSAT96/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/1U8YWFLSAT96/grafik.png" alt="grafik.png" height="871" width="646" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><h3 data-id="-5"></h3><h2 data-id="overview-of-options">Overview of Options</h2><p>All created Feature Options for Conditional Access rules can be viewed in the Management Console at any time. Filtering and editing of the Options are possible, too.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/04BZFLLA8S6O/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/04BZFLLA8S6O/grafik.png" alt="grafik.png" height="415" width="633" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p> </p><p>📌<strong>Note</strong>: More Option types will be available in the future.</p><p><br></p><h3 data-id="-6"></h3><h2 data-id="hierarchy">Hierarchy</h2><h3 data-id="different-rules-valid-for-the-same-connection">Different rules valid for the same connection</h3><p>If a user is part of multiple User Groups that use different Conditional Access rules, the rule with the highest permission set has the highest priority.</p><p>For example, if one rule allows file transfer, but another rule does not allow it, the file transfer will be possible.</p><h3 data-id="feature-options-vs.-local-settings">Feature Options vs. local settings</h3><p>The <strong>Feature</strong> <strong>Options </strong>for Conditional Access are complementary to the access control settings on the device.</p><p>For example, if the Conditional Access Options of a rule allow file transfer, but the access control settings on the device do not allow it (either set via policy or locally in the options), file transfer will not be possible.</p><p><br></p><h3 data-id="-7"></h3><h2 data-id="adding-rules">Adding rules</h2><p>💡<strong>Hint</strong>: A rule defines who can connect where, when, and how.</p><p>After navigating to the Conditional Access page, you will see an overview of all rules. If no rule has been created yet, the page shows no rules.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/NXNO8MCY3PPK/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/NXNO8MCY3PPK/grafik.png" alt="grafik.png" height="750" width="1293" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>As mentioned before, Conditional Access starts by blocking everything, which also makes managing the rules easier because contradictory rules are not possible.</p><p>When you click <strong>the + Button </strong>to add a rule, a new page appears.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/IDAWC8DN34IM/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/IDAWC8DN34IM/grafik.png" alt="grafik.png" height="612" width="699" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>You can add rules for <strong>Devices</strong>, <strong>Accounts</strong>, <strong>Groups</strong>, <strong>Managed Groups</strong>, <strong>User Groups</strong>, and <strong>Directory Groups</strong>, both for the <strong>Source Type</strong> and the <strong>Target Type</strong>.</p><p>Depending on what you choose as <strong>Source Type</strong> and <strong>Target Type</strong>, you need to choose a corresponding <strong>Source </strong>and <strong>Target</strong>, e.g., a specific User Group out of your User Groups if you choose User Group as the Type, or a user if you selected Account.</p><p>Alternatively, if you choose <strong>All</strong>, all User Groups (or another chosen source) will be added.</p><p>💡<strong>Hint</strong>: Auto-completion is available when typing in <strong>Source </strong>and <strong>Target </strong>for all devices and accounts that are in your Computers & Contacts list. Additionally, all accounts from your company are also considered in the auto-completion.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/KUNM5ANLHLYL/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/KUNM5ANLHLYL/grafik.png" alt="grafik.png" height="609" width="699" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>📌<strong>Note</strong>: You are still able to add devices that are not in your Computers & Contacts list by entering the TeamViewer ID. <strong>With respect to groups, you can only add them if you are the owner of the group. This is a security measure.</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/KOOUTGJ0F8MP/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/KOOUTGJ0F8MP/grafik.png" alt="grafik.png" height="682" width="969" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><h3 data-id="-8"></h3><h2 data-id="expiration-dates-for-conditional-access-rules">Expiration Dates for Conditional Access rules</h2><p>You can add an expiry date to the Conditional Access rules.</p><p>The expiration functionality is important for any scenario where certain TeamViewer users should receive access to specific devices for a limited time only: </p><ul><li>Project-based work</li><li>Interns, part-time workers, etc.</li><li>Substitutes, stand-ins, and others helping out for a limited time</li></ul><p>Expiration dates can be set for new and existing rules.</p><p>💡<strong>Hint</strong>: The Expiry defines from when until when the rule will be active.</p><p>Expiration dates can be edited at any time:</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/8LCYDNQ81HV8/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/8LCYDNQ81HV8/grafik.png" alt="grafik.png" height="878" width="1451" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>(Green: create a new time frame. Orange: edit existing ones. Time shown is UTC.)</p><p>Several timeframes can be added to one rule. Expiry status for all rules can be seen in the overview: </p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/Z7ZVV71R974I/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/Z7ZVV71R974I/grafik.png" alt="grafik.png" height="457" width="1173" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>Available states:</p><ul><li>never (no expiry set),</li><li>scheduled (in the future),</li><li>active (currently within the timeframe),</li><li>expired (in the past)</li></ul><h3 data-id="-9"></h3><h2 data-id="enable-rule-verification">Enable rule verification</h2><p>Added rules are not automatically enabled.</p><p>Please use <strong>Activate Conditional Access</strong> to make sure that only the connections allowed by the rules are possible and nothing else.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/32HW87NKVMWC/grafik.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/32HW87NKVMWC/grafik.png" alt="grafik.png" height="410" width="1036" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p><strong>Block Meetings</strong> is also available. However, this is an "All or nothing" setting. If enabled, all meetings are blocked. No exceptions. </p>
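<p>The precedence described under Hierarchy and the four expiry states described under Expiration Dates can be read together as one evaluation. The sketch below is an added example, not TeamViewer's implementation. Assumptions: the rule dictionaries are a hypothetical shape, every rule carries a Feature Option, "After Confirmation" ranks between denied and allowed, and a rule with several timeframes counts as active if any one of them covers the current UTC time.</p>

```python
from datetime import datetime, timezone
from enum import IntEnum


class Access(IntEnum):
    # Assumption of this sketch: "After Confirmation" ranks between deny and allow.
    DENIED = 0
    AFTER_CONFIRMATION = 1
    ALLOWED = 2


def expiry_state(timeframes, now):
    """Map a rule's (start, end) UTC timeframes to the page's four states."""
    if not timeframes:
        return "never"
    if any(start <= now <= end for start, end in timeframes):
        return "active"
    if any(start > now for start, _ in timeframes):
        return "scheduled"
    return "expired"


def effective_access(rules, feature, local_setting, now):
    """rules: the rules matching this source and target, each with a Feature Option."""
    live = [r for r in rules if expiry_state(r["timeframes"], now) in ("never", "active")]
    if not live:
        return Access.DENIED  # nothing allows the connection, so it stays blocked
    granted = max(r["options"][feature] for r in live)  # highest permission set wins
    return min(granted, local_setting)  # device access control can still restrict


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: one permanent rule without file transfer, one time-boxed rule with it.
NOW = utc(2024, 6, 1)
RULES = [
    {"timeframes": [], "options": {"file_transfer": Access.DENIED}},
    {"timeframes": [(utc(2024, 5, 1), utc(2024, 7, 1))],
     "options": {"file_transfer": Access.ALLOWED}},
]

if __name__ == "__main__":
    print(effective_access(RULES, "file_transfer", Access.ALLOWED, NOW).name)
    print(effective_access(RULES, "file_transfer", Access.DENIED, NOW).name)
    print(effective_access(RULES, "file_transfer", Access.ALLOWED, utc(2024, 8, 1)).name)
```
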
</article>
</main>