This article applies to all TeamViewer clients that have a TeamViewer Tensor license with the Conditional Access Add-on.
Context
You are responsible for managing the internal IT helpdesk of your global company. This department consists of an Admin team, a Level 2 helpdesk and two Level 1 helpdesks, one located in Europe and one in North America. You want full control over who connects to whom, and you also want to determine which devices are allowed to connect to each other via TeamViewer. This is what you can achieve with Conditional Access.
What is Conditional Access?
Conditional Access gives you central control over who uses TeamViewer and which devices are allowed or blocked from using TeamViewer within your corporate network.
TeamViewer provides you with a dedicated router that works like a firewall for TeamViewer traffic and decides all connection permissions within your network.
The principle is default deny: initially, all TeamViewer connections and all use of TeamViewer in your network are blocked. Afterwards you explicitly allow which users and which devices may communicate with each other.
How does Conditional Access work?
Your corporate firewall blocks all traffic to router.teamviewer.com and master.teamviewer.com, so TeamViewer communication is only possible via your dedicated router, e.g. yourcompany.teamviewer.com.
On Windows, the address of the dedicated router is stored in the registry; on mobile devices it is pushed via app configuration (App config); on macOS it is stored in a plist file. Rolling this out therefore requires no major change on your side.
[Diagram: Without Conditional Access]
[Diagram: With Conditional Access]
Expected behaviour #1
All devices (Windows, macOS, mobile devices) that are not configured with yourcompany.teamviewer.com and try to connect through the regular TeamViewer infrastructure via the regular route will be blocked. Neither incoming nor outgoing connections are possible for those devices.
Expected behaviour #2
All devices (Windows, macOS, mobile devices) that know the destination (yourcompany.teamviewer.com) pass through your firewall to reach your dedicated router, where all the rules and connection permissions are enforced. This leads us to the next topic: rule verification.
Conditional Access therefore gives you far finer-grained control over outgoing and incoming TeamViewer traffic in your network.
Use case
As described above, you are responsible for managing the helpdesk of a global company and want full control over who connects to whom, and you also want to determine which devices are allowed to connect to each other via TeamViewer.
Setting up the rules
In this scenario, the following rules will be applied:
The Level 1 EMEA helpdesk group is authorized to connect to the Devices EMEA group (a group made up of devices such as iPhones, Android devices and Windows computers).
The Level 1 NORAM helpdesk group is authorized to connect to the Devices NORAM group (a group made up of devices such as iPhones, Android devices and Windows computers).
The Level 2 helpdesk group is allowed to connect to both the Devices EMEA and the Devices NORAM group.
The Admin group is allowed to connect to the Level 2, Level 1 EMEA and Level 1 NORAM helpdesks, and to the devices of the Devices EMEA and Devices NORAM groups.
Expected behaviour of this rule setup
Level 1 EMEA cannot connect to the Devices NORAM group, to Level 2, to the Admins, or even to each other. It can only connect to the Devices EMEA group and nothing else.
Level 1 NORAM cannot connect to the Devices EMEA group, to Level 2, to the Admins, or even to each other. It can only connect to the Devices NORAM group and nothing else.
Level 2 can connect to the Devices EMEA and Devices NORAM groups, but not to the helpdesk devices of Level 1 EMEA and NORAM. Since everything that is not explicitly allowed is denied, Level 2 members can connect neither to the Admins nor to each other.
The Admin group can connect everywhere, but not to each other. They can connect to the Devices EMEA and Devices NORAM groups, to the PCs of the Level 1 EMEA and NORAM helpdesks, and also to the Level 2 helpdesk. Note that rules are one-way: Admins may connect to Level 2, but Level 2 may not connect back to the Admins.
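To make the default-deny, one-way semantics of this rule set concrete, the following is an added example (it is not TeamViewer's code and does not reproduce how the dedicated router evaluates rules). It models the group-to-group allow list from the scenario above and lets you check a proposed connection, list what a group can reach, and review the full matrix before you commit the rules. The device IDs and group membership are constructed for illustration.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Group names as used in the scenario.
ADMIN = "Admin"
L2 = "Level 2 helpdesk"
L1_EMEA = "Level 1 EMEA helpdesk"
L1_NORAM = "Level 1 NORAM helpdesk"
DEV_EMEA = "Devices EMEA"
DEV_NORAM = "Devices NORAM"
ALL_GROUPS = (ADMIN, L2, L1_EMEA, L1_NORAM, DEV_EMEA, DEV_NORAM)

# Allow rules as (source group, target group) pairs. Anything not listed is
# denied (default deny), and a rule only permits the stated direction.
RULES: Set[Tuple[str, str]] = {
    (L1_EMEA, DEV_EMEA),
    (L1_NORAM, DEV_NORAM),
    (L2, DEV_EMEA), (L2, DEV_NORAM),
    (ADMIN, L2), (ADMIN, L1_EMEA), (ADMIN, L1_NORAM),
    (ADMIN, DEV_EMEA), (ADMIN, DEV_NORAM),
}

# Constructed device inventory (hypothetical IDs): device -> group.
DEVICES: Dict[str, str] = {
    "admin-pc-01": ADMIN, "admin-pc-02": ADMIN,
    "l2-pc-01": L2, "l2-pc-02": L2,
    "l1-emea-pc-01": L1_EMEA, "l1-emea-pc-02": L1_EMEA,
    "l1-noram-pc-01": L1_NORAM,
    "emea-iphone-01": DEV_EMEA, "emea-win-01": DEV_EMEA,
    "noram-android-01": DEV_NORAM,
}


def connection_allowed(src_device: str, dst_device: str,
                       rules: Set[Tuple[str, str]] = RULES,
                       devices: Dict[str, str] = DEVICES) -> bool:
    """Return True only if an explicit rule allows src_device's group to
    connect to dst_device's group. Devices that are not in any group are
    denied, matching the behaviour of clients that never reach the router."""
    src_group = devices.get(src_device)
    dst_group = devices.get(dst_device)
    if src_group is None or dst_group is None:
        return False
    return (src_group, dst_group) in rules


def allowed_targets(src_group: str,
                    rules: Set[Tuple[str, str]] = RULES) -> FrozenSet[str]:
    """All groups a member of src_group may connect to."""
    return frozenset(dst for (src, dst) in rules if src == src_group)


def policy_matrix(rules: Set[Tuple[str, str]] = RULES,
                  groups: Tuple[str, ...] = ALL_GROUPS) -> Dict[str, Dict[str, bool]]:
    """Full source x target matrix, useful for reviewing a rule set: every
    False cell is a connection the router will refuse."""
    return {src: {dst: (src, dst) in rules for dst in groups} for src in groups}


def groups_allowing_intra_group(rules: Set[Tuple[str, str]] = RULES) -> FrozenSet[str]:
    """Groups whose members may connect to each other. In the scenario this
    must be empty: no helpdesk or admin may reach a colleague's PC."""
    return frozenset(src for (src, dst) in rules if src == dst)


if __name__ == "__main__":
    for src, row in policy_matrix().items():
        print(f"{src:24s} -> " + ", ".join(d for d, ok in row.items() if ok))
    print("intra-group allowed:", sorted(groups_allowing_intra_group()) or "none")
```

Running the module prints the reachable targets per group; reviewing that matrix is the check to do before switching a rule set live, since everything absent from it is blocked, including connections between colleagues in the same helpdesk.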