This article applies to all TeamViewer customers with a TeamViewer Enterprise/Tensor license and Conditional Access AddOn.

This page is a short introduction into the different parts of Conditional Access and its configuration.

Preconditions

The following preconditions are required to be able to configure and use Conditional Access:

  • An activated license with the Conditional Access add-on
  • A TeamViewer company has been created (possible via MCO)
  • The IP address of the dedicated router is known

Conditional Access is a security feature; therefore, as soon as rule verification is activated, no connection is allowed initially!

Configuration

Client

The client has to be configured to contact the dedicated router because we are going to block the access to the usual TeamViewer routers in the firewall with the next step.

Windows

The registry configuration can be rolled out using Group Policies (GPO) or an MSI package with the following registry file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer]
"KeepAliveServerName"="YOUR_ROUTER"

[HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer]
"KeepAliveServerName"="YOUR_ROUTER"

After restarting the TeamViewer service, the client will not connect to the usual TeamViewer routers but to the dedicated router instead. 

Hint: The MSI rollout with TeamViewer Settings is not possible with Azure and MS Intune!

macOS

To set the custom router you have to execute one of the following commands while TeamViewer is not running, depending on whether TeamViewer starts with the system or not.

When TeamViewer starts with the system:

defaults write /Library/Preferences/com.teamviewer.teamviewer.preferences.plist KeepAliveServerName -string YOUR_ROUTER


When TeamViewer doesn't start with the system:

defaults write ~/Library/Preferences/com.teamviewer.teamviewer.preferences.Machine.plist KeepAliveServerName -string YOUR_ROUTER


Firewall

Adjust your firewall to block the following DNS entries:

  • master*.teamviewer.com
  • router*.teamviewer.com

As soon as this configuration is active, clients that didn't get the information to connect to the dedicated router will not be able to go online anymore. This is relevant for blocking unauthorized TeamViewer clients.
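As an added check that is not part of this article: the Python script below parses a .reg file like the one shown in the Windows section and reports whether both keys carry a KeepAliveServerName that is not the YOUR_ROUTER placeholder, and it tests hostnames against the two wildcard DNS entries the firewall should block. The router name router01.corp.example in the sample is a constructed value, and the parser only handles plain string values, not hex or default (@) values.

```python
import fnmatch
import re

# Both registry keys the article sets (native 64-bit view and Wow6432Node).
REQUIRED_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer",
                 r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer")
VALUE_NAME, PLACEHOLDER = "KeepAliveServerName", "YOUR_ROUTER"
# Wildcard DNS entries the article says to block at the firewall.
BLOCKED_PATTERNS = ("master*.teamviewer.com", "router*.teamviewer.com")

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # key header
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None:                         # "name"="value"
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                result[current][m.group(1)] = m.group(2)
    return result

def check_keepalive(text):
    """Return problems found; an empty list means both keys name a real router."""
    problems, keys = [], parse_reg(text)
    for key in REQUIRED_KEYS:
        value = keys.get(key, {}).get(VALUE_NAME)
        if value is None:
            problems.append(f"{key}: {VALUE_NAME} not set")
        elif value.strip() in ("", PLACEHOLDER):
            problems.append(f"{key}: {VALUE_NAME} still holds the placeholder")
    return problems

def is_blocked_host(hostname):
    """True if hostname matches a DNS pattern the firewall is meant to block."""
    return any(fnmatch.fnmatchcase(hostname.lower(), p) for p in BLOCKED_PATTERNS)

# Constructed sample: the article's .reg file with a made-up router name filled in.
SAMPLE_REG_OK = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer]
"KeepAliveServerName"="router01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer]
"KeepAliveServerName"="router01.corp.example"
"""
# Constructed sample of a half-finished rollout: one key missing, the other untouched.
SAMPLE_REG_BAD = SAMPLE_REG_OK.split("\n\n")[0].replace("router01.corp.example", PLACEHOLDER)
```

Run check_keepalive over the .reg file you actually deploy before enabling rule verification; any client whose registry is still missing either key will lose connectivity once the firewall block is active.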

Adding rules

Conditional Access works with a rule engine in the back end. You can manage the rules centrally in the Management Console. Once you have purchased and activated your license, you will see an additional section in the navigation.


When you go to the Conditional Access page, you will see an overview of all rules. Right now, this is empty and we will show you how to add a rule.

As mentioned before, Conditional Access starts by blocking everything, which also makes managing the rules easier because contradictory rules are not possible.

When you click on Add Rule, a new dialog will pop up. You have the possibility to add rules for devices, accounts and groups for both source and target. There is auto completion available for all devices and accounts that are in your Computers and Contacts list. Additionally, all accounts from your company are also considered in the auto completion. You are still able to add devices that are not in your Computers & Contacts list by entering the TeamViewer ID. With respect to groups, you can only add them if you are the owner of the group, which again is a security measure.


There is also a field for the Connection Type, which is currently fixed to Remote Control. Later, we will introduce additional Connection Types like Meeting and File transfer. For now, the same rules that are done for remote control also apply to file transfer and Meeting is still working for everyone.

Additionally, it is only possible to define rules for connections where the initiator is part of your company. A connection can't be established if it is initiated from a client that is not connected to your dedicated router.

Enable rule verification

To make it easier to set up Conditional Access, we added a general on/off switch for the rule verification. This option can be used to ensure a smooth implementation of Conditional Access in your company. You can leave it deactivated until you have added all the rules that are necessary. 


What does this mean?

When the rule verification is turned off, the rules will not be enforced and therefore all connections that are initiated from a client that is connected to the dedicated router are allowed.
