The year 2019 started quite well. I have finally started with the preparation for OSCP certification (“Penetration Testing Training with Kali Linux” course) that I promised myself since the last year. Situation report – it’s great! I’m very excited about the course and I wish I had more time for it than I do.
In this article, I will focus on TeamViewer, which, like Hyper-V or Ubiquiti UniFi, is our standardized equipment and has been our primary tool for remote support for 4 years now.
What is TeamViewer for
TeamViewer is a software for remote control of devices (PC and Windows servers, tablets and phones with iOS and Android). When you connect to a remote computer, you see the same thing as the user who is sitting on the computer (unlike the RDP) and you can use his “mouse” and manipulate his “keyboard”. It is the most commonly used by companies/people providing remote support to users. Just like us.
TeamViewer uses a cloud to connect to a remote device, so you do not have to configure anything on the router and do a “port forward” (as opposed to RDP or some VNCs).
Apart from remote control of the devices, TeamViewer can also be used for online meetings. When it “gathers” online more people for presentation/webinar/or project collaboration. They then share their screens/applications with each other. However, we don’t use TeamViewer is this mode so I can not review it.
You can use TeamViewer without any registration. However, this is only suitable for sporadic use. You can also create a TeamViewer account (a license is not required) to get an online “directory” with the computers you are connecting to.
TeamViewer and user privacy
An important feature of TeamViewer is that it can not be used for spying on users (as opposed to VNCs). Each time you connect, a pop-up window will appear at the right the bottom of the screen, thanks to which a person know knows that someone is connected to his device and knows who he is. This behavior can not be changed and it is this way on purpose. At the same time, all connection information is logged in (both in the cloud and locally – depending on the setting).
We use the fact that the user sees who is connected. Everyone has his/her own TeamViewer account in their name and with their photos (see picture below). It’s important for security while improving relationships and boosting customer confidence.
To connect to a remote device, you need to know its TeamViewer ID (it’s always the same) and password. The password can be random (change after each connection), static (predefined), or the password does not need to be used at all (easy access when it is verified that your TeamViewer account has the right to connect to the remote device).
You can connect to a remote device at any time (if TeamViewer is running and you know the password and ID), which not all users may like. In this case, it is possible to configure TeamViewer so that the connection to the remote device has to be approved by the user on the device. You will lack some comfort, for example, if you want to connect to the device to fix the problem while the user grabs a lunch (to keep the user productive).
TeamViewer versions
When you decide to download TeamViewer, you will find that there are more “versions”:
- TeamViewer, sometimes also TeamViewer Full: This option allows you to connect to other devices, but also someone to connect to you. You install it on your administrator PC.
- TeamViewer Host: this program is only installed on “client” devices (those you will regularly connect to). Unlike the full option, it does not have features to connect to other devices. By default, TeamViewer Host runs in the background (starts automatically with the operating system) and allows you to connect to this device at any time.
- TeamViewer QuickSupport: it is used when you want to help someone at distance. This version of the program does not install but only runs. Once you run the program, it will automatically appear in the list of computers and you can connect to it. The user only approves your connection (depending on whether you own a QuickSupport module). Once TeamViewer QuickSupport is complete, you can not re-connect (the program does not run itself repeatedly as opposed to the Host variant).
TIP: Occasionally, it was difficult to direct inexperienced users to download the QuickSupport module (… open the address X … click X … then find the button in the menu … click on it …). So we made it easier by registering domain http://patron.help. A short name that is easy to pronounce and people can write it down.😉 When someone enters this address into their browser, they will automatically download our QuickSupport. We’ve got this gadget from ESET. 🙂
How much does TeamViewer cost
TeamViewer is free for personal (non-commercial) use. But we use it commercially, so we have to pay (hard). The free version has the same functionality as paid one (other than management console). Perhaps this is why the manufacturer prevents it from being exploited, and if you “overuse” it (you are performing a large number of devices connections or joining a device with a “commercial” TeamViewer license), your TeamViewer is blocked and a paid version is offered.
Paid TeamViewer versions differ in functionality (see TeamViewer subscription). Basically, the higher the license, the more functionality for the convenience of more users. A sole proprietor/trade licensee is eligible for a “Single User” license. Small internal IT department/small outsourcing company for a “Multi User” license. Teams of 4 or more people will then have to reach out for a Corporate License (or Enterprise – prices are not public).
Price development
We have used LogMeIn Central (an alternative to TeamViewer) in the early days of our company. We have paid a yearly subscription. However, LogMeIn has gotten greatly expensive in the past 2 years (each year, prices doubled and the package structure changed).
Since we did not like the aggressive price increase of LogMeIn and we did not know where it stops, we have looked elsewhere. TeamViewer was also in our target list – plus points for functionality, minus at prices (Corporate version at that time was about 56 thousand crowns). However, at the beginning of 2015 the prices were comparable, so have switched from LogMeIn Central to TeamViewer 10.
Another positive thing. Getting TeamViewer was a one-time purchase. Not a year subscription as LogMeIn. Of course, we were not naive. It was clear that TeamViewer will issue a new version of the program in December (10.x -> 11.x -> 12.x …) and will request for more money for the upgrade.
Subscription comes
Like many other companies, TeamViewer has changed the licensing policy. It has stopped selling “permanent” licenses and began offering only “subscriptions” in 2018. Those with older versions of TeamViewer have a certain advantage. They can use them until their support is over and save some money. However, according to the list of supported OSs for each version, it may be earlier than anyone expects, see Which operating systems are supported, Win10 v1809 is only supported by the latest version of the TV).
Note: Con of the older version is that you can not connect to a device with a newer version of TeamViewer (for example, if you have a license for version 12, you will not be able to connect to a device that has TeamViewer version 13 or later installed).
Personally, I would say that TeamViewer has gotten more expensive with the upgrade. Unfortunately, I do not have any original prices. If someone does, or there is a service that tracks price movements of services, I’ll be very pleased. We’ve been touched by the exclusion of “Mobile Support” from the Corporate License. We can only buy it as an add-on. All in all, the annual subscription of the Corporate Edition with 8 channels and support for mobile devices will cost us 135.432 CZK without VAT. This is not cheap. : – /
Things we like
TeamViewer has a number of features/properties that we like. I judge from our point of view. We have over 10 technicians and manage around 1.5 thousand computers with less than 100 customers. It is possible that you will appreciate other features as well.
Management console
With “Multi User” licenses or higher, you gain access to the user & device management console. You can create user accounts for other colleagues from your company, or join existing TeamViewer accounts. For all of these accounts, you grant permissions to users. Whether they can share computer groups, edit their settings, view logs, manage policies, etc.
Likewise, you can manage a “directory” with known devices and create device groups from this very console. Manage policies (see below) and create branded TeamViewer packages. More information on What is the TeamViewer Management Console and a partial image can be drawn up from the screenshot below.
Policies
TeamViewer can centrally manage individual installation settings. This is a simpler example of group policies (GPO – group policies) from Active Directory.
In essence, you create one or more policies that contain the desired settings and then assign the policy to the device (or a group of devices). You will find most of the options you can set through TeamViewer GUI. What cannot be set up through the policy is a “personal password” to connect to that device.
Once a setting is set through policy, it can not be changed on the device (if it is marked as “force”). It’s a great thing to unify settings through all of your managed devices. Especially when there are several hundred or thousands of them. This is particularly beneficial for safety (see part 2).
Unfortunately, compared to a regular GPO, TeamViewer does not allow multiple policies on one device (for example, if you want to layer policies).
However, to assign a policy to a device, the device must be “assigned” under your TeamViewer account. Otherwise, everyone would assign whatever wherever it wants it. 🙂 This is done either manually after installation (through setup and log in via the account – but this is not very safe) or during installation (see next chapter next week).
TeamViewer installation
TeamViewer can be manually installed on a device, which is impractical for larger deployments. With the Corporate License, you will get access to the MSI package and it can be deployed all over using group policies (AD GPO) or MS System Center.
From Host 13.2 and Full 14.0, there was a change in deployment. We consider it positive. You simply get a device assignment under your TeamViewer account using MSI (so you can apply policies to it), and you also turn on “easy access” (without password). This is the thing that didn’t work for a long time. For more information, see the Mass Deployment Improvements (documentation is finally starting to be of some use).
Other features for good user comfort
-
Safe mode
A great thing, mainly for support. TeamViewer allows the computer to remotely restart the computer into Safe Mode while setting up TeamViewer to automatically run in Safe Mode.
-
Multiple users on a single PC
It sometimes happens that we need to look at one problem in more people at a time. For example, sometimes we invite an IT system vendor to a solution. TeamViewer allows multiple people to be connected at one device at the same time and to work together to resolve the problem.
-
Updates
Because we have a lot of technology experience, we do not consider automatic updates as “unbreakable”. However, with TeamViewer, it has not happened over the years that it broke down during the automatic update or the update did not take place. When I look through our monitoring system on installed versions of TeamViewer on devices, I see we have the latest versions everywhere.
TeamViewer can be set up to auto-update itself within the main version (ie 12.a.b at 12.c.d). Or to always be the most up-to-date (ie updates itself from 12.x to 13.y).
-
File transfer
It is possible to transfer more data between your and your remote device. Either via a data box or a transfer manager. We did not have this functionality with LogMeIn Central (we would have to pay extra for it).
-
VPN
It is possible to let a remote device connect the VPN and direct all traffic through it (ie, get into its network).
-
User chat
It sometimes happens that we need to contact the user on the other side but we do not have an email/phone number. Thanks to TeamViewer, we’ll chat with the user and request to give us a call. Or we’ll ask if we can connect.
-
Screen recording
It is sometimes necessary to gather information and send them further. To avoid describing everything, we would record the whole remote connection session and forward the video. It often explains the problem better than a thousand words. 😊
-
Running scripts
If a task that is often repeated through TeamViewer needs to be done, it can be “scripted” and triggered by pressing a button. For example, at the same time opening a command line with “ipconfig/all”, control panel with installed SW, event viewer and Windows update.
Conclusion
What tool do you use? Did you find a suitable alternative to TeamViewer? Or even better? How do you perceive the license price? Is it expensive or cheap?
I will continue to describe our experiences in the following article. This time, I will mention what we do not like with the TeamViewer and how we set it up to be as safe as possible.