This article applies to all TeamViewer customers with a TeamViewer Enterprise/Tensor license and Conditional Access AddOn or Tensor Pro or Unlimited licenses.
This page is a short introduction into the different parts of Conditional Access and its configuration.
The following preconditions are required to be able to configure and use Conditional Access:
- Activated license with the Conditional Access add-on
- TeamViewer Client version 15.5 or higher
- Created a TeamViewer company (possible via MCO)
- Knowing the DNS/IP address of the dedicated router
⚠Conditional Access is a security feature and therefore no connection is allowed initially as soon as the rule verification is activated!
The client has to be configured to contact the dedicated routers because we are going to block the access to the usual TeamViewer routers in the firewall with the next step.
The configuration of the registry can be done running the following command or adding the registry keys through an import.
reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f
After restarting the TeamViewer service, the client will not connect to the usual TeamViewer routers but to one of the dedicated routers instead.
💡Hint: The MSI rollout with TeamViewer Settings is not possible with Azure and MS Intune!
To set the dedicated routers you have to execute one of the following commands while TeamViewer is not running, depending on whether TeamViewer starts with the system or not.
# start with system
sudo defaults write /Library/Preferences/com.teamviewer.teamviewer.preferences.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
# not starting with system
defaults write ~/Library/Preferences/com.teamviewer.teamviewer.preferences.Machine.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
To set the dedicated routers you need to change the global.conf file and add the following entry:
[strng] ConditionalAccessServers = "YOUR_ROUTER1.teamviewer.com" "YOUR_ROUTER2.teamviewer.com"
Restart the TeamViewer service after editing the global.conf.
Adjust your Firewall to block the following DNS-Entries:
As soon as this configuration is active, clients that didn't get the information to connect to the dedicated router will not be able to go online anymore. This is relevant for blocking unauthorized TeamViewer clients.
Conditional Access is working with rule engine in the back end. You can manage the rules centrally in the Management Console. When you have purchased and activated your license then you will see an additional section in the navigation.
When you go to the Conditional Access page, you will see an overview of all rules. Right now, this is empty and we will show you how to add a rule.
As we mentioned before, Conditional Access starts from blocking everything initially, which also makes the management of the rules easier as there is no possibility for contradictory rules.
When you click on Add Rule, a new dialog will pop up. You have the possibility to add rules for devices, accounts and groups for both source and target. There is auto completion available for all devices and accounts that are in your Computers and Contacts list. Additionally, all accounts from your company are also considered in the auto completion. You are still able to add devices that are not in your Computers & Contacts list by entering the TeamViewer ID. With respect to groups, you can only add them if you are the owner of the group, which again is a security measure.
There is also a field for the Connection Type, which is currently fixed to Remote Control. Later, we will introduce additional Connection Types like Meeting and File transfer. For now, the same rules that are done for remote control also apply to file transfer and Meeting is still working for everyone.
Enable rule verification
To make it easier to set up Conditional Access, we added a general on/off switch for the rule verification. This option can be used to ensure a smooth implementation of Conditional Access in your company. You can leave it deactivated until you have added all the rules that are necessary.
What does this mean?
When the rule verification is turned off, the rules will not be enforced and therefore all connections that are initiated from or targeted to a client that is connected to the dedicated router are allowed.
📌Note: You can enforce the rules you have defined for TeamViewer Meetings as well.