Allow end-user to control remote access

phyndman · ‎06-28-2024

As an MSP I used to rely on the lite licenses to provide the ability to monitor client PCs.

Now that we no longer have this option, I have a come across the situation where new clients are unwilling to have the pro agent installed as they consider it to be too much of a security risk with us being able to access their machines remotely at any time - this is especially true of clients that deal with sensitive data, such as financial advisers etc...

Would it be possible to add an option in the agent that would allow an end-user to disable/enable remote control? Or allow them to specify that they have to give explicit permission each time remote control is requested?

GoTo_DanielL · ‎07-02-2024

Hi @phyndman ,

thank you for your suggestion.

In fact, you can enforce that the end user HAS to accept a remote support session on their device by deactivating the toggle "Access attended managed devices without end user consent" (first screen shot) for any agent who should not be able to override end user consent. You can find this setting in the Admin Center, when you navigate to the specific agent and then hit the "Settings" tab at the top (Users > Settings). Note that agents may need to log out and in again for this change to become effective.

Once the setting is stored, agents will see the screen as depicted in the second screen shot, missing the button to "Connect now". That should accomplish what you are asking for. Does this solve your problem?

Happy to assist you further, if needed.

Best,

Daniel

phyndman · ‎07-02-2024

Hi @GoTo_DanielL ,

I learn something every day! That does mainly fix the problem - it would be helpful if this was driven at the user end so that I can't turn it back on (I'm guessing that if I turn the toggle back to on, I then get access again), but it's definitely much better.

One quick question, with the 'Access unattended managed devices' turned on, but the 'access attended managed devices without end user consent' turned off, does this give me access to devices that aren't currently logged in? Or does the second option override, and prevent any remote access without consent?

Thanks,

Paul

GoTo_DanielL · ‎07-02-2024

Hey Paul,

I'm glad the suggestion solves the problem (mostly 😀).

Regarding your follow-up question - those two settings (end user is logged in vs. not logged in) work independent of each other. That is, you can deny or allow access for both scenarios on a per agent level. The example you provided would result in the agent being able to connect to devices where no end user is present, and if there is an end user present, that end user would have to approve the remote session for the agent to connect to the device.

So, you can realize pretty much any client requirement, I dare say. If you don't allow agents to connect for either attended or unattended situation, the connect button and all related buttons will appear as greyed out, as you can see in the screenshot below.

Let me know if you need further assistance, happy to help.

Best,
Daniel

phyndman · ‎07-02-2024

Hi Daniel,

Thanks for the info. - that does make sense.

If you could add a feature that means the end-user could choose whether to lock out remote access without permission it would be 100%! 😁

Regards,

Paul

KateG · ‎07-02-2024