Planning a TeamViewer deployment

tvuser Posts: 12
edited May 2023 in General questions

Hi

We are seeking some advice on a corporate-wide deployment.

So far we have used TeamViewer in a very marginal manner, about 5-10 endpoints, with basic remote connections and maybe 1-2 policies. Now we are planning to use TeamViewer both internally (corporate personnel) and externally (suppliers, vendors, etc.), with roughly 500 Windows endpoints (workstations/laptops/tablets) and about 50 Windows Servers. The total number of users will be around 50-70 (not simultaneous). The idea is to use TeamViewer as a remote management and support tool. For online meetings we have MS Lync instead.

Different user groups will most likely consist of:
- internal ICT personnel (admin rights, access to all devices, perhaps 2-factor authentication)
- internal superuser/sysadmin personnel (user rights, access to most devices, perhaps 2-factor authentication)
- internal end user personnel (user rights, access to specific devices)
- external personnel (user rights, access to specific devices)

Endpoints consist of:
- AD workstations (including laptops)
- AD servers
- Non-AD workstations
- Non-AD servers
- (Maybe) Android mobile devices in the future

Below are some examples of our remote connection scenarios and who should be able to access these devices, just to give an idea of the different remote connection needs.

Example 1: Basic AD workstation
- remote access & support to ICT personnel
- remote access & support to superuser personnel

Example 2: Basic AD server
- remote access to ICT personnel
- remote access to superuser personnel
- remote access to vendor X
- remote access to vendor Y

Example 3: Non-AD workstation or server (production computer for instance)
- remote access to ICT personnel
- remote access to end user personnel
- remote access to vendor Z

Example 4: Non-AD workstation or server (production computer for instance)
- remote access to ICT personnel
- remote access to vendor Z
- remote access to vendor X
- remote access to vendor Y

How would you recommend creating and organizing groups, policies, users, and devices at the Management Console to accomplish an easy-to-manage and secure environment? Are there any examples or guides on how to build these the "correct" way = best practice thinking? How does everyone else use them, is there a per-site group thinking or similar that we should consider?

Do we need a separate access policy for each unique device connection scenario?

Is it recommended to have unique passwords to each user group that are connecting to same devices, if that's possible?

External users who don't have a TeamViewer account, do they have to create one? Or can they just connect using the ID and password directly? What is the recommended procedure here? They might use TeamViewer connections to multiple different environments and sites, other than ours too.

I believe there is much potential in this product if we manage to design the basic structure correctly. Any help is appreciated, and examples from the real world are more than welcome. MSI package deployment, host settings, and other technical things are pretty clear, but the management side needs some thinking.