I would like to push new passwords to all TeamViewer hosts by policy, so we can change the default password every x months, on suspicion of a breach, or when people leave the company.
We have over 400 machines and currently we have to do it locally on each machine.
We have similar needs.
Check my post here:
Restrict user to connect to remote host with stored password ?
I also have the same need. I have contacted Support and they are not very quick to reply, and I am still waiting. I am starting to wonder if another solution might be better.
There are currently 2 alternative ways to manage access to your devices.
Use whitelists (can be deployed by policy):
- only people on the whitelist are allowed to connect.
- you can update the whitelist if a person joins/leaves
Use shared groups and easy access:
</grReplace_placeholder_ignore>
- create one or more groups, add the devices to them. (each device can only be in one group for this)
- link each host to the account of the group owner (for example the company admin) => this can be done remotely
- activate easy access on the device
- share the group with all people who are supposed to have access
So, once set up and running:
- you do not need to share any passwords (you can still keep the fixed password for the admin as a fallback, if you want)
- each person the group is shared with may connect without password
- if a new person joins, you just share the group(s) with him (just give "read" rights, if he should not be allowed to add/remove devices and/or reshare the group)
- if a person leaves, remove him from the sharees via the management console
- can be used for Host or Full version
- you can additionally disable the random password via policy
- you can also prevent the removal of the account assignment via policy
Option B is "almost" perfectly what I need ;)
What I need is this kind of feature to add:
Thanks for your valuable feedback.
Maybe it helps if I explain what easyAccess actually does (a bit simplified).
The host where easyAccess is active has a list of accounts it trusts (that's the accounts its group is shared with).
On an incoming connection it checks whether the connecting account is trusted and, additionally, that it is authenticated.
If you remove an account from a shared group, every host will remove it from its "list" and no longer let it connect.
So easyAccess is more secure than using a password shared among a bunch of people:
- There are some mechanisms in place to protect the accounts against compromise, such as TFA (two-factor authentication) and our trusted devices (validation email if you log in to the account from a different computer).
- It's easy to control which accounts have access, but hard to know who has knowledge of a password.
We consider your use case important and are thinking about improvements to help you keep your devices secured as easily as possible.
So thanks for helping us understand what you need.
@Steffen Thanks for your answer.
I can agree with you that I have a better possibility to control "who has access, and who does not", but I'm thinking about an additional way of authorization.
The current solution is good if you assume that the TV user who is connecting to the remote host always logs off from his station when he steps away from the computer, but the world is not perfect. I can imagine the case where an actively logged-in TeamViewer app is stolen or the user has some kind of health issue. In that case any user will have easy access to all remote hosts.
The solution which you showed us is really perfect if we are using TViewer from secure offices. But you must consider that people are connecting to servers from many places (in the train, coffee bar, car, etc.), even from a cellular phone. And because bad things happen, I do not want to have a bad day when somebody steals a device with a logged-in user/employer.
But thanks for your Involvement in this thread, I hope that in the future the appropriate solution will settle as a function of TeamViewer.
I have read your post with great interest, because we are looking into incorporating TV in our support environment, but one of the things that we have stumbled on is the security part, and how to change the password on the hosts when support personnel leave the company.
Can you help me towards some kind of guide on how to set up easyAccess?
I'd like to refer you to the user manual (https://www.teamviewer.com/docs/en/v12/TeamViewer12-Manual-Remote-Control-en.pdf).
Chapter 7.4 (Connections to your own computers without a password.) briefly explains how to set up easyAccess.
Feel free to ask the community or contact our customer support if you need further assistance incorporating TV in your support environment.
I also need the ability to set / change passwords by policy. With comms as poor as they are here in Swaziland, we generally do not remote control via the internet but use direct LAN connections. This forces the use of the password, as EasyAccess no longer applies.
This in turn forces us to share out a password to a number of technicians with no quick way to change the password of our 400 PCs should we suspect abuse.
TeamViewer, please pick up this issue / request / cause, even if they cover themselves by suggesting the two methods above as best practice, and even if TV highly recommends that this "feature" is not used. It would really help a great deal and allows the users of your product to make the choice, weighing up usability vs security.
I fail to see why Teamviewer is fighting this implementation. I've asked for this for years and it's the ONE thing I hate about TV. I don't want to use the whitelist or the easy access, I just want to change all my passwords at once. Why don't they understand that?
Hello....support dudes, are you listening? IT'S WHAT YOUR USERS WANT, SO BUILD IT....or someone else will.
I thought I had granted easy access to a machine, and it turns out I have not. I now need to log in to it, and can't as it's probably showing some 4 digit code that I can't see, as I am not there.
I logged in to the management console, and set a password for that machine (not the machine I am currently on). Tried to log on to that remote machine using the password I just set up, and it won't work. What is this password for then? How do I log on to this machine? It's in my list of verified computers, I should be able to set passwords remotely from my master TV account, yes? Why is this not working as expected? I NEED access to this machine NOW and you're not providing me a way to do it even though all machines are in my list of trusted devices. This is a massive hole in functionality.
I understand your need and put your feature request onto our roadmap.
However, I cannot promise you when this feature will be implemented.
Hi, any update in this case ?
I also have a problem with changing the personal password on hosts (500 PCs) in my company. I have been fighting with this for two days and it is horrible...
I am deploying TV hosts using SCCM. I prepared a configuration on one host and exported this configuration with a personal password. I added this configuration file (TeamViewer_Settings.reg) to a folder which contains the TV MSI file with ID ending. I deployed the new version of TV hosts via SCCM. What happened?
The old password doesn't work, the new password doesn't work and I don't have access to the PCs...
I need help with this case; I need access to the computers.
PS: I am using TV 13 at the moment; maybe deploying v12 will solve the problem?
Here's how I did it.. your mileage may vary..
Enable WinRM via GPO (if you haven't already)
Set a password on a box
regedit /a thinger.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer"
edit thinger.reg to only have the password entry, clean out the rest
copy the thinger to a secure file share
we use the unattended host, but instead of getting the MSI, get the EXE and TV Assignment tool, and put those on that secure file share
Copy your API key, then do something like this, of course you'd pump a list into it instead of just a single computer, but..
$computer = "some computer"
copy-item -path "\\your server\your path\your exe.exe" -Destination "\\$computer\the computers administrative share\program files (x86)\TeamViewer\your exe.exe"
then do the same for the TV assignment tool, and your thinger.reg
cd 'whichever drive you used in the administrative share above:\program files (x86)\TeamViewer'
regedit /s thinger.reg
.\uninstall.exe /S /norestart
.\your exe.exe /S /norestart
.\TV assignment tool.exe -apitoken whatever your token is -datafile AssignmentData.json
del your exe.exe
del TV assignment tool.exe
Incidentally, this also seems to cure the issue where a computer might not take whichever policy you set in your management console, although you may have to run it a couple of times depending on whether the computer has had time to check in with TV or not.
Good luck :D
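The sequence Kentain describes, written out as an added example (not Kentain's script and not a TeamViewer-provided tool). The share path, the EXE and assignment-tool file names, the computers.txt list and the AssignmentData.json name are placeholders you would replace with your own:

```powershell
# Added example: pushes the exported password .reg and reinstalls the host on a
# list of computers over WinRM, following the steps in the post above.
$Share     = '\\fileserver\tvdeploy'        # secure share holding the files (assumption)
$HostExe   = 'TeamViewer_Host_Setup.exe'    # unattended host EXE (assumed name)
$AssignExe = 'TeamViewer_Assignment.exe'    # TV assignment tool (assumed name)
$RegFile   = 'thinger.reg'                  # export trimmed to the password entry only
$TvDir     = 'Program Files (x86)\TeamViewer'
$ApiToken  = Read-Host 'TeamViewer API token'    # prompted so it is never stored in the script
$Computers = Get-Content "$Share\computers.txt"  # one host name per line (assumption)

foreach ($computer in $Computers) {
    # Stage the three files through the C$ administrative share
    $remoteDir = "\\$computer\C$\$TvDir"
    if (-not (Test-Path $remoteDir)) {
        Write-Warning "${computer}: TeamViewer folder not found, skipping"
        continue
    }
    foreach ($name in $HostExe, $AssignExe, $RegFile) {
        Copy-Item -Path "$Share\$name" -Destination "$remoteDir\$name" -Force
    }

    # Import the password, reinstall the host, assign it, then clean up
    Invoke-Command -ComputerName $computer `
        -ArgumentList "C:\$TvDir", $HostExe, $AssignExe, $RegFile, $ApiToken `
        -ScriptBlock {
        param($dir, $hostExe, $assignExe, $regFile, $token)
        $run = { param($exe, $args)
            Start-Process -FilePath (Join-Path $dir $exe) -ArgumentList $args `
                -WorkingDirectory $dir -Wait }
        Start-Process regedit.exe -ArgumentList '/s', (Join-Path $dir $regFile) -Wait
        & $run 'uninstall.exe' @('/S', '/norestart')
        & $run $hostExe      @('/S', '/norestart')
        & $run $assignExe    @('-apitoken', $token, '-datafile', 'AssignmentData.json')
        # Remove the installers and the .reg file; the .reg carries the password
        foreach ($f in $hostExe, $assignExe, $regFile) {
            Remove-Item (Join-Path $dir $f) -Force -ErrorAction SilentlyContinue
        }
    }
}
```

Run it from an account that has administrative rights on the targets; the API token and the .reg file are the two secrets here, so keep the share's read access limited to the people doing the rollout.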
Same here! I keep the password for backup purposes with IT Management, but I still want to manage, rotate and enforce it via policy.
I don't know why this wouldn't have been included to begin with. If TeamViewer at least had a policy to merge a reg file via command line, I could use a GPO and script the import of a reg file with security settings. Which is not the right way to do this, but at least an option. However, TeamViewer doesn't even allow that; they have to be imported during the MSI install or via the GUI.
And of course, if it is implemented and applied to the policy, it should have no reveal password button on the site. The only option should be to change it or leave it alone when managing that policy.
If some companies might purposely not want this feature then set it up so only account administrators can add or configure it. Even a user with Manage policies can be prevented. Just an idea if that's TeamViewers concern. Or even declare someone an account "owner" that has to enable the feature and the only one that can manipulate it.
Hi TeamViewer Support
I have a Tensor license and do support for over 2700 retail stores and 8 distribution centres in different regions. You are looking at +-27000 devices we connect to daily, and it is a big concern for me that we cannot change the password via the policy.
I do understand that we need to whitelist etc., which I have done, BUT we have suppliers that are also in our license who have access to certain stores. This is a big security concern: when one of the supplier employees is fired and still has login details, we are very unlikely to know who has been fired or not from the supplier's perspective. They can cause huge damage to our systems. We are doing a cleanup of accounts that have not been logged in to for more than 6 months.
Please, your urgent assistance is required in this. We were using Dameware five years ago and I convinced the business that TeamViewer is the way to go, but now there are talks about going back to Dameware or investigating a new solution. Please understand our frustration.
Siseko Bukani (SPAR Group)
Um.. You have a Tensor licence.. have you looked into using SAML to address this?
Thank you for your message.
This is a very crucial question, indeed.
In order to get the best support by our support engineers, please open a ticket via https://www.teamviewer.com/en/support/
We will be happy to answer all your questions and to find the best settings for your use.
We wish you a good weekend.
Yep. This just makes sense. Using the cafe compromise scenario as a reference, this added layer of security and control is fairly obvious. I want to both whitelist AND have a password that I'm able to control at the policy level.
I get that an argument might be made that if your teamviewer account is compromised it would be very easy to change and push a new bad-guy-owned password via policy (assuming that user can modify policies), but at that point you've already lost your job. Maybe make this policy option require MFA be enabled on all TV user accounts? IMO MFA should be required for these accounts anyway.
In response to Kentain's registry solution above...
Good workaround for Windows machines, but how would you accomplish this for Macs or off-network devices?
TV needs to give us this option via policy. I've now learned the hard way that the new version with the MSI deployment will wipe out your previously set permanent password. You can script a registry import for on-network Windows machines, but that's just not good enough. I can't imagine if I were an MSP or a huge shop with this issue. You're basically locked in to setting easy access during install. I'm just not a fan of that.
This seems like an easy win for TV to accomplish on the security front.
In case anyone cares, here's the right way to roll out a customized host client to Windows machines via GPO. I think this process has been around for a while and I remember using it a long time ago. Kinda fell off my radar, until just stumbling on it again. /derp
1. Get the MSI installer, your API token, and Custom config ID from your Design and Deploy page.
2. Download and install Orca if you don't have it already: https://docs.microsoft.com/en-us/windows/win32/msi/orca-exe
3. Follow the loose instructions here LINK to create your transform file (mst) along with custom properties. You will set your API token, Custom config ID, and other assignment options here. Set the IMPORTREGFILE value to 1. Here's what mine looks like:
4. As an admin (just in case your policy prevents non-admins from making changes), install and set up a client manually using the settings you like. Include the 'Personal Password' or easy access here if you prefer. (The personal password inclusion is the big one for me.)
5. From the Advanced settings on that client, scroll all the way down and export the registry file. **This file name must be "TeamViewer_Settings.reg". Make sure to include the user-specific settings and personal password if set, like below:
6. Put the MSI, MST, and the reg file you exported in the same folder in a share with read access on your network.
7. Again referencing this LINK, create your GPO and add the software package using the Advanced deployment option. On the Modifications tab, add your MST file. Click OK to save.
8. Link that GPO to the test OU your test workstation is in. Run "gpupdate /force" on that workstation and restart.
9. Test, verify, tweak, test, verify, tweak, etc...
10. Roll it out to all your Windows machines.
Hope this helps someone.