Posted by Staj
Photon

Re: Auto account assign doesn't work on TV12 Host MSI

Another Corporate user here, we use SCCM, MSIs and SCP (at least, we try to)

I must admit, I'm tired of this flaky non-standard feature too. Not sure why MSI public and private properties aren't used to pass parameters during install, that's the standard way of doing such things when it comes to MSIs. Transforms (MST) would be swell too. 

Example:
Note:This command is not real, it's just an example of how properties are used.

msiexec.exe /i "TeamViewer_Host.msi" CONFIGID="1234567" DEVICEALIAS="Corp Machine X"

-instead I have yet another Scripted Deployment Type I have to babysit in SCCM with a wrapper script to ensure it gets pushed out correctly.

Posted by Jeff82
Henagon

Re: Auto account assign doesn't work on TV12 Host MSI

When you Assign a computer to a group, for example group A. If you assign the same computer on a next deployment to group B, the computer still visible in group A in the management console and is not showing in group B. Plus, if you have  a strategy enabled for group A, when assigned to group B, the comptuer still had group A strategy and not the group B strategy like it should be.

Why the computer is not moving to the new group with the right strategy? It's look like a bug. If i redeploy hundreds of computers, i dont want to manage them one by one to find in what old group they are and move them to the right new group that it should be.

Posted by TeamViewer Staff
TeamViewer Staff

Re: Auto account assign doesn't work on TV12 Host MSI

Hello Everyone,

Thank you for your posts.

Let's keep in mind that each situation, network and setups are different, but here is some information to help you with your deployment.

Before you deploy TeamViewer 12 via MSI package, there is a few things to look out for.

The first thing would be, when creating the package for a mass deploy to machines that are part of the domain, do you want to have the "Grant Easy Access" option with the deployment? 

If your answer is NO, then you don't need to use the "Assignment_Tool.exe", neither have to worry about the "AssignmentData.Json". So if the box for the Assignment Tool is checked, just edit the Custom Host module in the Management Console and uncheck that box. 

At this point on, your silent installation will need the "Service Connection Point" configuration done in the DC (Domain Controller). That can be achieved manually by configuration the ADSIedit in the DC (please see instructions in the TeamViewer MSI manual), or by running the PS script that is downloaded with the MSI package and manuals. 

Now you just need to export the registry file with the TeamViewer options you would like on the machine, as well the unattended password. To achieve that, please do the following:

- Install a TeamViewer Host module on a test machine.
- Go to the Options>Security and enter your "unattended access password" and click Ok.
- Go to the Options>Advanced>Show advanced options>TeamViewer options
- Click in Export options to a *.reg file
- Choose the folder where you have the Host.msi file and name the file "TeamViewer_Settings" and click Save
- A new window will open, on the 3 unchecked boxes at the bottom, select "Export user specific settings as default for all users", also select and enter the unattended access password again in "Export personal password"(the exact same password you entered under security), and click Export.

The package is done, and can be applied on new installations as well on updates from previews versions (as long it was MSI deployments, in GPO there is an option to update package).

Now, if your answer for the question about having the "Grant Easy Access" is YES, then you will need to use the Assignment Tool, and make sure to check the box on the Management Console when editing the Custom Host module.

The setup for the  MSI package and the registry settings will be the same as above, but now you don't need to configure the "Service Connection Point" in the DC.

So, depending on how you are deploying, you may need a script to run the Assignment Tool, and I will give you an example below. Some deployment software you can just point to the Assignement_Tool.exe and add parameters, like PDQ Deploy for example. 

For the "AssignmentData.Json" to be created, the machine needs to have access to the Internet and connect to our Console servers. So if in your network the machine only access the Internet after an authenticated user sign's in, the script for the Assignment Tool should only be ran after the user sign in. 

If you have proxy or other security in place, please make sure to white list TeamViewer.

Another thing to look out for is registry keys from previews versions installed that has the account assignment. Those keys could cause the AssignmentData.json to not be created, if this is the case, then delete them first before making the MSI installation. 

Here is a code for the Assignment tool, copy and paste on a .txt file, and then convert to .bat. Replace the "xxxxx" with the location where you have the Assignment tool, where it asks for it, and the token too.

echo off
cd\

if exist "C:\Program Files (x86)" goto 64bit

goto 32bit

:32bit
start /wait \\XXXXX\XXXXX\XXXXX\TeamViewer_Assignment.exe -apitoken XXXXXXXXXXXXXXXXXXXXXXXX -datafile "C:\Program Files\TeamViewer\AssignmentData.json"

:64bit
start /wait \\XXXX\XXXX\XXXX\TeamViewer_Assignment.exe -apitoken XXXXXXXXXXXXXXXXXXXXXX -datafile "C:\Program Files (x86)\TeamViewer\AssignmentData.json"
echo exit

I hope this help you with the deployments.

W_deFazio

Support Engineer

 

 

Posted by Phil
Henagon

Re: Auto account assign doesn't work on TV12 Host MSI

 Esther

I've been trying the process with the documentation and I've got an issue with message


=> Assignment failed with:
Reading datafile 'C:\Program Files (x86)\TeamViewer\AssignmentData.json' failed with: ReadFile failed with 'open C:\Program Files (x86)\TeamViewer\AssignmentData.json: Accès refusé.'

Any idea?

Thanks

Philippe

Posted by SuperDOS
Trigon

Re: Auto account assign doesn't work on TV12 Host MSI

Would alos like to know how and when AssignmentData.json file WILL be auto created and when it will NOT be auto created and if there a way we can create AssignmentData.json file AFTER installing TeamViewer host v12.

have issues when deploying TV12 host during SCCM OSD.

Posted by Nfoster
Tetragon

Re: Auto account assign doesn't work on TV12 Host MSI

I have been up and down this forum and in and out with their support only to have a $2000 paperweight. I too have been trying to find a way to deploy TeamViewer silently of course. I have two modules one for Help Desk and one fo the end users. The Help Desk module is the full version. I can wrap the teamviewer.reg and teamviewer.msi into a single deploy WinRAR SFX exe but if I wrap it one more time into an MSI it fails. I cannot deploy exe files with Intune MDM, only MSI for a line of business apps.

Second, the end user module I have to a point now where I have two MSI that work fine, but when I wrap them into a single MSI the product never gets assigned. I have been using Advanced Installer Enterprise to embed command lines which work fine when the files are either two separate files or a single file run in full UI mode, silent commands do not work for some odd reason.

At the end of the day, I see a lot of people posting issues, scripts (that really do not solve the issue) and just plain frustration around TeamViewer. There are a lot of short coming to this product and eventually, they will either have to solve these issues or people or going to look elsewhere.

I have posted this concept in another post here on the forums and I will post it here. A simple solution would be to have TeamViewer work just like Active Directory. A computer can only bee accessed if they are joined to the domain and user can only access such computers that are joined to the domain. For those that are not a part of the domain, in other words, Free version of TeamViewer or another corporate TeamViewer identity, either that be computers and users, then there should a one-time guest access code or if you are an MSP then there should be a simple federation process that is controlled by the customer. From here policy should be mainly user based not computer based. A user based policy would also allow better integration with Active Directory or Azure AD with the likes of SSO. Remember the license model here with Teamviewer is user based. Install as many TemaViewer hosts as you want. So this would make logical sense to have the policies based on the users. Then the assignment process could be more simplified and we all would not be posting stupid workarounds and scripts. Do not get me wrong there should still be a policy for computer and a way to assign them to your TeamViewer account. This would prevent outside access and the rogue employee from spending their time helping someone else outside the company that is not on the payroll. Of curse there all should be options that you have control over. Like I said earlier you migt be an MSP.

Posted by Nfoster
Tetragon

Re: Auto account assign doesn't work on TV12 Host MSI

I come to find through a conversation with TeamViewer support that the main reason for the new process in how TeamViewer is deplyed/assigned is due to how Macs handle this process.

Why on Earth would anyone every mess up their installation rountine for the minority? I do not have anything against Apple and/or their prodcuts, but why a software company would go through the effort to completely mess this up is beyond me.

Posted by SuperDOS
Trigon

Re: Auto account assign doesn't work on TV12 Host MSI

FYI version of Teamviewer Host 12.1.13180 works with autoassignment during OSD deployment.

Posted by Nfoster
Tetragon

Re: Auto account assign doesn't work on TV12 Host MSI

Can you elaborate a little more, "works with autoassignment during OSD deployment." What is different with this build? New command line options? Where can I find the change logs?

I always seem to have some sort of issue with deploying TeamViewer. The one hard requirement that I cannot get around currently is that fact that TeamViewer needs to see the internet to create the JSON file. That is fine as long as the end user undedrstands this and in most cases they do not. I am using the ICD tool to provision Windows 10 during OOBE where I have both TeamViewer Host and Assignment configured to install. The issue becomes if the computer that the image is being deployed on does not have access to the internet the JSON never gets created and the Assignment tool fails.

TeamViewer's deployment process is very archaic. Too many command lines, dependencies, and depends on Active Directory. On the surface this appears to be a modern app, but under neither it is very old school and broken. I cannot even deploy the full version silently. This was confirmed with one of their support engineers. I feel they are so close to a true enterprise solution but they fail to commit. I really wish they would get their act together.

Posted by SuperDOS
Trigon

Re: Auto account assign doesn't work on TV12 Host MSI

Not sure what has changed but can only confirm that it wasn't working with the last version and now i does. No changes on our side. we have no ad integration with TV. Yes you need internet during install/assignment.

We install the host version MSI with /qb

Later we run (this is in a vb script)

WshShell.Run "tv_assignment.exe -apitoken XXXXXXXX-XXXXXXXXXXXX -datafile ""${ProgramFiles(x86)}\TeamViewer\AssignmentData.json"" -devicealias ""${COMPUTERNAME}"" -wait=30 -wait=30 -verbose",1,true

 here's the changelog: https://www.teamviewer.com/en/download/changelog/

Posted by Nfoster
Tetragon

Re: Auto account assign doesn't work on TV12 Host MSI

Ok, so nothing has changed to resolve my issue. The changelog does not reference this build which is another issue. Build numbers do not appear to be in sync between what you advertise in About TeamViewer (Product Version) and the file version. So when you reference either one it will confuse your audience. You need to fix this.

As I mention before your deployment process is broken. There is no AD integration when there is real no integration of any kind. I am ok with that but then there needs to be a better deployment process.

Security is fundamentally broken by the very fact that you require two separate files, host and assignment files. This also applies with the full version where the user is prompted to “Allow and finish”. In either case if the assignment tool fails or is not run, or the user does not click “Allow and finish” then the TeamViewer install is never registered with our account, thus we now have a rogue client which leaves a huge gaping hole.

The issue with TeamViewer really is not about the deployment of the product but how you handle policies in that you are driving policies at the program level when it really should be at the user level. I honestly do not care where TeamViewer is installed if you do not have a login (User management) then you will not get access to any of the TeamViewer hosts.

Computer:

The install should be simple single file (there should be no host or full version) that is compiled and downloaded from our account that will automatically assign when it is installed. Then a notification is sent to the any of the Company Administrators to be approved or declined and to which group it is assigned to.

User:

Polices and groups are assigned to the user. Policies will define what options that user will have with the TeamViewer application.


The way that TeamViewer is designing things is backwards. You are applying polices to the computer when you are trying to control what the user can do at the computer. This make no sense at all. Computers are dumb controllable objects, users are not. Polices need to be at the user level to mitigate possible user disgruntlement. Currently your setup allows a user to do more harm.

Posted by SuperDOS
Trigon

Re: Auto account assign doesn't work on TV12 Host MSI

regarding the buildnumber it reflects the full version, the host version has another build number and not sure if there's an own changelog for that.

Posted by Nfoster
Tetragon

Re: Auto account assign doesn't work on TV12 Host MSI

You are incorrect. I just confirmed that the host and full version properties are both 12.1.13180.0. This is from the direct download under my account.

After the product is installed the properties of the exe is as follows.TV_1.png

Posted by SuperDOS
Trigon

Re: Auto account assign doesn't work on TV12 Host MSI

both about and properties says 12.0.78716 (Product version, not file version)

Posted by Denver
Henagon

Re: Auto account assign doesn't work on TV12 Host MSI

In Windows 10 at least..

Every time TeamViewer Loads, it updates the security of the AssignmentData.json so that only system administrators can read it....  the 'System' account has no access to this file, therefore TeamViewer_Assignment.exe cant read the file to do anything with it.

Which means any GPO / batch file (BAT) cant do anything to Auto Assign it to our TV account. 

You need to set a GPO to give your 'system' account full access to the file before it can do anything automatically.   Unfortunately every re-boot of the system TeamViewer re-sets those permissions........

You just need to get the order and timings correct.......multiple GPO's zzzzz not enterprise ready. 

 

Posted by Denver
Henagon

Re: Auto account assign doesn't work on TV12 Host MSI

Basic Script for Bat file to fix teh security bug on Win10

IF EXIST "C:\Program Files (x86)\TeamViewer\AssignmentData.json" (
ping google.com -n 45
takeown /F "C:\Program Files (x86)\TeamViewer\AssignmentData.json" /D Y
icacls "C:\Program Files (x86)\TeamViewer\AssignmentData.json" /grant SYSTEM:(F,WO)
\\XXdddffff.local\gpo$\GPO_Installs\TeamViewer\TeamViewer_Assignment.exe -apitoken 123456-GDuHy&658zzzzz -datafile "C:\Program Files (x86)\TeamViewer\AssignmentData.json" -devicealias "${COMPUTERNAME}" -allowEasyAccess=true -wait=10 -verbose -proxyurl https://myproxyproxy:8080
) ELSE (
echo filename. missing.
)

Hope this helps someone...

Posted by SuperDOS
Trigon

Re: Auto account assign doesn't work on TV12 Host MSI

heads up, a new version of TV has been released.

https://www.teamviewer.com/en/download/changelog/

also the assignment tools is updated as well but not sure what has changed.