Conditional Access is a framework that allows you to control which devices, users, and user groups using TeamViewer Tensor have access to which data sources, services, and applications in your organization.

With Conditional Access, enterprise IT and security managers can maintain company-wide oversight of TeamViewer access and usage from a single location.

  • Re-use options help administrators select rules and create feature options for all access controls.
  • Expiry dates on Conditional Access rules limit access by third-party vendors and temporary workers.
  • Centralized rules management within the client or the web app at https://web.teamviewer.com/.
  • Assign permissions for remote sessions, file transfer, and meeting connections.
  • Configure rules at the account, group, or device level.
  • Cloud-based solution provides greater flexibility than an on-premise approach.

This article applies to all TeamViewer customers with a TeamViewer Tensor license and Conditional Access add-on or Tensor Pro or Unlimited licenses.

Preconditions

The following preconditions are required to be able to configure and use Conditional Access:

  • Activated license with the Conditional Access add-on
  • TeamViewer client version 15.5 or higher
  • Knowing the DNS/IP address of the dedicated router

Conditional Access is a security feature. Therefore, as soon as rule verification is activated, no connection is allowed initially!

Configuration of client and firewall

Client

The client has to be configured to contact the dedicated routers because access to the usual TeamViewer routers will be blocked in the firewall in the next step.

Windows

The configuration of the registry can be done by running the following command or adding the registry keys through an import.

32-bit Version:

reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f

64-bit Version:

reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer" /v "ConditionalAccessServers" /t REG_MULTI_SZ /d YOUR_ROUTER1.teamviewer.com\0YOUR_ROUTER2.teamviewer.com /f

After restarting the TeamViewer service, the client will not connect to the usual TeamViewer routers but to one of the dedicated routers instead.

macOS

To set the dedicated routers, you have to execute one of the following commands while TeamViewer is not running, depending on whether TeamViewer starts with the system or not.

# start with system
sudo defaults write /Library/Preferences/com.teamviewer.teamviewer.preferences.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com
# not starting with system
defaults write ~/Library/Preferences/com.teamviewer.teamviewer.preferences.Machine.plist ConditionalAccessServers -array YOUR_ROUTER1.teamviewer.com YOUR_ROUTER2.teamviewer.com

Linux

To set the dedicated routers you need to change the global.conf file and add the following entry:

[strng] ConditionalAccessServers = "YOUR_ROUTER1.teamviewer.com" "YOUR_ROUTER2.teamviewer.com"

Restart the TeamViewer service after editing the global.conf.

Firewall

Adjust your firewall to block the following DNS entries:

  • master*.teamviewer.com
  • router*.teamviewer.com

As soon as this configuration is active, clients that didn't get the information to connect to the dedicated router will not be able to go online anymore. This is relevant for blocking unauthorized TeamViewer clients.
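After the block is in place, DNS query logs show which hosts still ask for the standard routers, meaning clients that never received the dedicated-router setting. The following is an added example, not TeamViewer code; the log format (`timestamp client-ip queried-name`), the sample lines, and the placeholder router names are assumptions.

```python
import fnmatch
from collections import defaultdict

# Patterns the article says to block at the firewall.
BLOCKED_PATTERNS = ["master*.teamviewer.com", "router*.teamviewer.com"]

# Assumption: placeholders standing in for your dedicated routers (lower-cased).
DEDICATED_ROUTERS = {"your_router1.teamviewer.com", "your_router2.teamviewer.com"}

# Constructed sample log; assumed format: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.0.0.15 YOUR_ROUTER1.teamviewer.com
2024-05-01T08:00:02Z 10.0.0.23 router7.teamviewer.com.
2024-05-01T08:00:05Z 10.0.0.23 master3.teamviewer.com
2024-05-01T08:00:09Z 10.0.0.42 www.example.org
2024-05-01T08:01:00Z 10.0.0.15 ROUTER12.TeamViewer.com
malformed line
"""

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def is_blocked(name):
    """True if the name matches a blocked pattern and is not a dedicated router."""
    name = normalize(name)
    if name in DEDICATED_ROUTERS:
        return False
    return any(fnmatch.fnmatchcase(name, p) for p in BLOCKED_PATTERNS)

def unconfigured_clients(log_text):
    """Return {client_ip: [blocked names queried]} for follow-up by IT."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip lines that do not fit the assumed format
            continue
        _, client, qname = parts
        if is_blocked(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in unconfigured_clients(SAMPLE_LOG).items():
        print(client, names)
```
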

Network configuration

Please also read our article on how to set up your network for an optimal configuration of Conditional Access.

Getting started

Conditional Access works with a rule engine and feature options in the back end. You can manage the rules and feature options centrally in the client or at https://web.teamviewer.com/.

After you purchase and activate your license, you will see an additional section in the Organization Management category within the Admins settings called Conditional Access.

How to add a rule

Hint: A rule defines who can connect where, when, and how.

In the rules section of the Conditional Access menu, you will see an overview of your rules.

As we mentioned before, Conditional Access starts by blocking everything initially, which also makes the management of the rules easier as there is no possibility for contradictory rules.

To add a new rule:

  1. Go to Conditional Access.
  2. In the Rules tab, click Add rule.

You can add rules for devices, accounts, groups, managed groups, user groups, and directory groups, both for the source type and the target type.

Depending on what you choose as source type and target type, you need to choose a corresponding source and target, e.g., a specific user group out of your user groups if you choose User Group as the type, or a user if you selected Account.

Alternatively, if you choose All, all User Groups (or another chosen source) will be added.

Hint: Auto-completion is available when typing in source and target for all devices and accounts that are in your Computers & Contacts list. Additionally, all accounts from your company are also considered in the auto-completion.

Note: You are still able to add devices that are not in your Computers & Contacts list by entering the TeamViewer ID. With respect to groups, you can only add them if you are the owner of the group. This is a security measure.

Rule options

You can add rule options to these rules. There are three types of rule options.

Approval option

The approval option provides an additional layer of security by allowing chosen users to approve connections to specific devices. For more information, please read the article below:

Feature option

The feature option allows you to customize your Conditional Access rules and define the supporter's (user connecting to the remote device) permissions, in case they should only have limited access when connecting to specific devices. For more information, please read the article below:

Time option

The time option allows you to enable specific types of access only during certain times, such as for external 3rd party support, internal IT help desk, and remote workers. For more information, please read the article below:

Expiration dates for Conditional Access rules

You can add an expiry date to the Conditional Access rules.

The expiration functionality is important for any scenario where certain TeamViewer users should receive access to specific devices for a limited time only: 

  • Project-based work
  • Interns, part-time workers, etc.
  • Substitutes, stand-ins, and others helping out for a limited time

Expiration dates can be set for new and existing rules.

Hint: The Expiry defines from when until when the rule will be active.

Expiration dates can be edited at any time:

  1. Select the rule you want to edit.
  2. Click Edit.
  3. Click the rule expiry button.

Several timeframes can be added to one rule. Expiry status for all rules can be seen in the overview: 

Available states:

  • No expiry (no expiry set),
  • Scheduled (in the future),
  • Active (currently within the timeframe),
  • Expired (in the past)

Note: If you are in a session when the rule expires, both sides of the connection will receive a 5-minute warning. The session will close immediately when the rule expires.

Enable rule verification

Added rules are not automatically enabled.

Please click Activate to make sure that only the connections allowed by the rules are possible and nothing else.

After activating Conditional Access, you can also allow meetings and include session codes.

When Allow meetings is enabled, users inside your company can establish meeting connections. If not enabled, all meetings are blocked, and no exceptions can be set up.

If Include session codes is enabled, users inside your organization can connect via session codes inside their groups.

Different rules valid for the same connection

In case a user is part of multiple user groups that are using different Conditional Access rules, the rules with the highest permission set have the highest priority.

For example, if one rule allows file transfer, but another rule does not allow it, the file transfer will be possible.
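The expiry states and the "highest permission set wins" behaviour can be modelled together as a default-deny evaluation. This is an added, simplified model and not TeamViewer's implementation; the permission names, group names, dates, and the handling of multiple timeframes (Active if any timeframe contains the current time, Scheduled if one still lies ahead) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Rule:
    source: str                 # user group the rule applies to
    target: str                 # device or group being connected to
    permissions: frozenset      # hypothetical permission names
    timeframes: tuple = ()      # ((start, end), ...); empty means no expiry set

def expiry_state(rule, now):
    """Map a rule's timeframes to the four states shown in the overview."""
    if not rule.timeframes:
        return "No expiry"
    if any(start <= now < end for start, end in rule.timeframes):
        return "Active"
    if any(start > now for start, _ in rule.timeframes):
        return "Scheduled"
    return "Expired"

def effective_permissions(rules, user_groups, target, now):
    """Union of permissions from every matching rule that is in force.

    An empty result means the connection is blocked (default deny)."""
    granted = set()
    for rule in rules:
        in_force = expiry_state(rule, now) in ("No expiry", "Active")
        if in_force and rule.source in user_groups and rule.target == target:
            granted |= rule.permissions
    return granted

# Constructed sample rules; names and dates are illustrative only.
RULES = [
    Rule("helpdesk", "srv-01", frozenset({"remote_control"})),
    Rule("vendors", "srv-01", frozenset({"remote_control", "file_transfer"}),
         ((datetime(2024, 5, 1), datetime(2024, 6, 1)),)),
    Rule("interns", "srv-01", frozenset({"remote_control"}),
         ((datetime(2024, 1, 1), datetime(2024, 2, 1)),)),
]

if __name__ == "__main__":
    now = datetime(2024, 5, 15)
    for r in RULES:
        print(r.source, expiry_state(r, now))
    print(effective_permissions(RULES, {"helpdesk", "vendors"}, "srv-01", now))
```

Because permissions are merged as a union, a broad rule on one group silently widens access for every user who is also in a more restricted group, so group membership overlap is worth reviewing when rules are added.
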

Rules check for connections from the browser

When Conditional Access is active, your rules are enabled, and you connect from the browser, the Conditional Access rules are applied. You don't need to set anything up in the devices' registry.