Cloud Session Recording allows you to upload session recordings to custom storage. Storing these recordings for later review can be useful for quality improvements, training, and auditing. This article explains how to set up Cloud Session Recording. To learn more about how to initiate a recording of a remote session, you can read this article.
This article applies to Tensor license holders using Windows and Linux.
How to set up Cloud Session Recording
To set this up, you will have to create or update a TeamViewer policy and add a specific policy setting. This policy setting is called Upload session recording to custom storage. It offers the option to upload session recordings to an SFTP server, which could either be self-hosted or running in a cloud environment such as Azure or Amazon Web Services.
Therefore, to set up Cloud Session Recording, you need to:
- Create a policy and add the policy setting Upload session recording to custom cloud to your policy. Learn how to create a policy here.
- Apply the policy to your devices. Learn how to apply a policy to your devices here.
Once the policy is applied to your devices, all recorded TeamViewer sessions established on these devices will be uploaded to your cloud storage.
💡 Hint: This policy setting can be combined with other policy settings.
For example, you can add to your policy the following policy settings:
- Enforce auto recording of remote control sessions
- Disable stopping and pausing session recordings
How to set up the policy setting
Authentication Methods
We currently support two types of authentication methods:
- Password authentication
- Public key authentication
Please verify which of these is supported by your SFTP server/service and choose the Service Type appropriately.
Enter the username of the account that should be used for the upload and define the destination URL, which will be your SFTP server, including the path to the session recording. It is recommended that the rights of the chosen account to write access be minimized and potentially limited to the respective folder the URL is pointing to.
Encrypted password/Encrypted private key
The credentials that will be used to upload session recordings to your SFTP storage will be encrypted and decrypted by a user-defined certificate. This ensures that only the uploading device has access to the SFTP credentials. This means the password or private key will need to be supplied in an encrypted state. This can be achieved by following these steps:
1) This step can be skipped if there is already a certificate capable of decrypting files. To create this certificate, you can use the New-SelfSignedCertificate PowerShell command (please find the documentation here) by replacing <YourCertificateSubject> with the desired subject name (requires elevated rights to run):
New-SelfSignedCertificate -Subject <YourCertificateSubject> -CertStoreLocation cert:\LocalMachine\My -KeyUsage KeyEncipherment, DataEncipherment, KeyAgreement -Type DocumentEncryptionCert
2) Your chosen credentials must be encrypted into the Cryptographic Message Syntax (CMS) with your certificate. This can be done using the Protect-CmsMessagePowerShell command (Documentation) by replacing <Certificate> with either the path to the certificate or an identifier like the subject or thumbprint.
a. Password authentication: Replace <Password> with the password of the SFTP user account.
Protect-CmsMessage -To <Certificate> -Content <Password>
b. Public key authentication: Replace <PathToPrivateKey> with the relative or absolute path of the private key of the SFTP user account.
Get-Content <PathToPrivateKey> | Protect-CmsMessage -To <Certificate>
3) For the decryption of these credentials to work on the devices the policy will be assigned to, the certificate must be rolled out as well. To ensure the certificate cannot be tampered with, the certificate should be rolled out into a secure location.
a. Windows: Store the certificate in the local machine certificate storage cert:\LocalMachine\My (local machine certificate store). We suggest limiting access to the private key to the SYSTEM account.
b. Linux: Store the private key in /etc/teamviewer/ssl/private and public certificates in /etc/teamviewer/ssl/certs. Make sure that both the public certificate and corresponding private key have the same base filename. e.g. MyCompanySFTP.pem and MyCompanySFTP.key . Please ensure that the root is the owner of the private key file and is the sole account with access to it.
Now, you are all set to save the policy. It is recommended that the entire setup be tested before rolling it out entirely.
How to save the policy setting
Saving the policy setting with encrypted password - Service type is SFTP (Password)
If you opt to save the policy setting with an encrypted password, you add the information in the fields below and save the policy setting.
- Username
- Destination URL
- Encrypted password
- Certificate Thumbprint
Saving the policy setting with an encrypted private key - Service type is SFTP (Public Key)
If you opt to save the policy setting with an encrypted private key, you add the information in the below-mentioned fields and save the policy setting:
- Username
- Destination URL
- Encrypted private key
- Certificate Thumbprint