Does the Jamf & TeamViewer integration open up any security risks?
TeamViewer Quick App Support
When a TeamViewer remote session request is sent from Jamf, the integration checks for the presence of the TeamViewer app on the target Mac. If the application is present, the support request can utilise the existing client for remote access. If TeamViewer is not installed, it directs the user to download and open the TeamViewer QuickSupport app, a lightweight version of TeamViewer designed for simple support sessions. The QuickSupport app is not installed onto the Mac; rather, it runs as a portable app from the downloaded DMG. However, like the full client, it still prompts the end user to allow certain requests such as Full Disk Access and Screen Recording.
PPPC Profiles
With Apple's requirement for PPPC profiles to pre-approve requests such as Full Disk Access or Accessibility, it was common to find IT admins choosing to deploy the full version of TeamViewer through Jamf. This allowed them to ensure the client app was available across their fleet of Macs, while also making it easier to use the pre-existing PPPC profiles available on Jamf Nation. QuickSupport is a relatively new addition to the TeamViewer suite of apps and uses different Bundle IDs from the full client, hence fewer articles and pre-configured profiles are available online.
Applications & Workflows
Our recommendation would be to explore TeamViewer QuickSupport, as the application never gets installed and is removed as soon as the end user unmounts the downloaded DMG, logs out, or restarts their Mac. There is no shortage of stories in which end users are tricked into handing over remote support credentials to unauthorised parties. If the full client is already available on their Mac, it is easier for them to hand over these credentials. With a request in the Self Service app, and the need to download the QuickSupport app every time they expect someone from IT to connect to their Mac, the end user is less likely to make this mistake.
With that, we would suggest the following workflows be considered:
1. Speak to your TeamViewer account manager and make sure you have the correct license in place to facilitate any security measures around conditional access. Why let any device in the world running TeamViewer access your corporate devices, when there is a feature to only permit a certain group of IT admin devices?
2. Use the power of Jamf Pro with Extension Attributes and Smart Groups. If an IT admin needs to request remote access to a device, you could quickly have them change a dropdown box within the device record in Jamf Pro to permit remote access. This could do one of two things: install TeamViewer only on the devices that require it, or move TeamViewer.app out of a restricted software policy so the user could then launch it.
3. Provide the TeamViewer application in Jamf Pro Self Service for a user to install if they require remote support, but add a workflow that then removes the application once support has completed. The best way we have found to achieve this is to add a post-install script to the TeamViewer install that removes the application after 1 hour.
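An added example of the post-install removal script from workflow 3 (this is not code from the original post, TeamViewer or Jamf): it writes a one-shot LaunchDaemon that deletes TeamViewer.app after one hour and then removes itself. The daemon label, the script path, the `--install` guard and the assumption that the app lives at /Applications/TeamViewer.app are mine.

```shell
#!/bin/bash
# Added example, not from the original post or from TeamViewer/Jamf: a Jamf
# post-install script that schedules removal of TeamViewer.app one hour after
# install via a LaunchDaemon that then cleans itself up. Label, script path
# and app path are assumptions; PREFIX lets the function run in a scratch dir.
APP_PATH="/Applications/TeamViewer.app"       # assumed install location
LABEL="com.example.teamviewer-cleanup"        # placeholder label, not TeamViewer's
DELAY_SECONDS=3600                            # 1 hour, as in workflow 3

# Writes the cleanup script and a LaunchDaemon plist that runs it at load.
# $1 = filesystem prefix ("" on a real Mac, a temp dir when testing).
# Prints the plist path so the caller can hand it to launchctl.
write_cleanup_daemon() {
  local prefix="$1"
  local script="$prefix/usr/local/bin/$LABEL.sh"
  local plist="$prefix/Library/LaunchDaemons/$LABEL.plist"
  mkdir -p "$prefix/usr/local/bin" "$prefix/Library/LaunchDaemons"
  # Unquoted heredoc: $APP_PATH, $DELAY_SECONDS and $plist expand now, so the
  # generated script carries literal paths; \$0 is left for runtime.
  cat > "$script" <<EOF
#!/bin/bash
# Runs as root under launchd. After the delay it removes the app, then its own
# plist (so it will not run again after reboot; a reboot before the hour is up
# restarts the timer) and itself. Caveat: the full client may install its own
# launch daemons or helper tools; add those paths here if your package has them.
sleep $DELAY_SECONDS
/usr/bin/pkill -x TeamViewer 2>/dev/null || true
rm -rf "$APP_PATH"
rm -f "$plist"
rm -f "\$0"
EOF
  chmod 755 "$script"
  cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>$script</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  chmod 644 "$plist"
  chown root:wheel "$plist" 2>/dev/null || true
  echo "$plist"
}

# Jamf runs post-install scripts as root; load the daemon so the timer starts.
if [ "${1:-}" = "--install" ] && [ "$(uname)" = "Darwin" ]; then
  /bin/launchctl bootstrap system "$(write_cleanup_daemon "")"
fi
```

The `--install` guard means the file can be inspected or run against a scratch prefix without touching a live Mac.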
There are many more techniques in use, I am sure, but the main point is to consider whether automatically deploying a remote access tool to all of your users is best practice for your security needs. Should you require any assistance with Apple security workflows, please click the contact us button below.