This article applies to all TeamViewer customers with a TeamViewer Enterprise/Tensor license and Conditional Access AddOn.
This page is a short introduction to the different parts of Conditional Access and their configuration.
The following preconditions must be met before Conditional Access can be configured and used:
Conditional Access is a security feature: as soon as rule verification is activated, no connection is allowed until a rule explicitly permits it!
The client has to be configured to contact the dedicated router, because the next step blocks access to the usual TeamViewer routers in the firewall.
The registry configuration can be rolled out via Group Policy (GPO) or an MSI package using the following registry file (replace YOUR_ROUTER with the host name of your dedicated router):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer]
"KeepAliveServerName"="YOUR_ROUTER"

[HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer]
"KeepAliveServerName"="YOUR_ROUTER"

After restarting the TeamViewer service, the client no longer connects to the usual TeamViewer routers but to the dedicated router instead.
Hint: The MSI rollout with TeamViewer Settings is not possible with Azure and MS Intune!
To set the custom router on macOS, execute one of the following commands while TeamViewer is not running, depending on whether TeamViewer starts with the system or not.
When TeamViewer starts with the system:
defaults write /Library/Preferences/com.teamviewer.teamviewer.preferences.plist KeepAliveServerName -string YOUR_ROUTER
When TeamViewer doesn't start with the system:
defaults write ~/Library/Preferences/com.teamviewer.teamviewer.preferences.Machine.plist KeepAliveServerName -string YOUR_ROUTER
Adjust your firewall to block the following DNS entries:
As soon as this configuration is active, clients that did not receive the setting to connect to the dedicated router can no longer go online. This is how unauthorized TeamViewer clients are blocked.
Conditional Access is driven by a rule engine in the back end. The rules are managed centrally in the Management Console. Once you have purchased and activated your license, an additional section appears in the navigation.
When you open the Conditional Access page, you see an overview of all rules. Initially this list is empty; the following shows how to add a rule.
As mentioned before, Conditional Access starts by blocking everything, which also makes rule management easier: since rules can only grant access, contradictory rules cannot occur.
When you click Add Rule, a new dialog opens. You can add rules for devices, accounts and groups, for both source and target. Auto-completion is available for all devices and accounts in your Computers & Contacts list; in addition, all accounts of your company are included in the auto-completion. You can still add devices that are not in your Computers & Contacts list by entering their TeamViewer ID. Groups can only be added if you are the owner of the group, which is again a security measure.
There is also a field for the Connection Type, which is currently fixed to Remote Control. Additional connection types such as Meeting and File Transfer will be introduced later. For now, the rules defined for Remote Control also apply to File Transfer, and Meeting continues to work for everyone.
In addition, rules can only be defined for connections whose initiator is part of your company. A connection cannot be established if it is initiated from a client that is not connected to your dedicated router.
To make setting up Conditional Access easier, there is a general on/off switch for rule verification. Use it to ensure a smooth rollout in your company: leave it deactivated until you have added all the necessary rules.
What does this mean?
When rule verification is turned off, the rules are not enforced, so all connections initiated from a client that is connected to the dedicated router are allowed.
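To make the evaluation order described for the rule dialog and the rule-verification switch concrete, here is an added Python model of that logic; it is not TeamViewer's code, and the names Principal, Rule, Client and connection_allowed as well as the sample data are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the Conditional Access evaluation described in the text.
# Assumption: class and function names here are illustrative, not TeamViewer's API.

@dataclass(frozen=True)
class Principal:
    kind: str   # "device" (TeamViewer ID), "account" or "group"
    name: str

@dataclass(frozen=True)
class Rule:
    source: Principal
    target: Principal
    connection_type: str = "remote_control"   # the only type the dialog offers today

@dataclass(frozen=True)
class Client:
    device: str
    account: str
    groups: frozenset = frozenset()
    in_company: bool = False
    on_dedicated_router: bool = False

def matches(p: Principal, c: Client) -> bool:
    """True when a rule's source/target principal applies to this client."""
    return {"device": p.name == c.device,
            "account": p.name == c.account,
            "group": p.name in c.groups}.get(p.kind, False)

def connection_allowed(rules, initiator: Client, target: Client,
                       connection_type: str = "remote_control",
                       rule_verification: bool = True) -> bool:
    # A client that is not connected to the dedicated router can never connect.
    if not initiator.on_dedicated_router:
        return False
    # Meetings are not governed by the rules yet and keep working for everyone.
    if connection_type == "meeting":
        return True
    # With rule verification switched off, every initiator on the dedicated router is allowed.
    if not rule_verification:
        return True
    # Rules can only exist for initiators that belong to the company.
    if not initiator.in_company:
        return False
    # File transfer is currently evaluated with the remote-control rules.
    wanted = "remote_control" if connection_type == "file_transfer" else connection_type
    # Default deny: rules only grant access, so any matching rule allows the connection.
    return any(r.connection_type == wanted and matches(r.source, initiator)
               and matches(r.target, target) for r in rules)
```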