By Michael Thomson
Does the Jamf & TeamViewer integration open up any security risks?
With the recent release of Jamf Pro 10.31 the highly anticipated TeamViewer integration is now live for all Jamf Pro users. The integration allows a Jamf admin to initiate a remote support session directly from the Jamf Pro admin console. All an end user has to do is approve the request from within the Self Service app. This has been a highly sought-after feature which empowers Jamf admins to offer the most seamless remote support experience possible for their Mac users. On release we saw the uptake of TeamViewer increase dramatically across our clients as they moved away from competing solutions. A large proportion of the IT admins we work with began building TeamViewer packages to deploy the TeamViewer app via Jamf to their Mac estates. This installs TeamViewer silently for the end user, removing the need for users to download or install anything themselves.
TeamViewer Quick App Support
When a TeamViewer remote session request is sent from Jamf, the integration checks for the presence of the TeamViewer app on the target Mac. If the application is present, the support request can utilise the existing client for remote access. If TeamViewer is not installed, the integration directs the user to download and open the TeamViewer QuickSupport app, which is a lightweight version of TeamViewer designed for simple support sessions. The QuickSupport app doesn’t get installed onto the Mac; rather, it runs as a portable app from the downloaded DMG. However, like the full client, it will still prompt the end user to allow certain requests such as Full Disk Access and Screen Recording.
With Apple’s requirement for PPPC profiles to pre-approve requests such as Full Disk Access or Accessibility, it was common to find IT admins choosing to deploy the full version of TeamViewer through Jamf. This allowed them to ensure the client app was available on their fleet of Macs, while also making it easier to deploy the pre-existing PPPC profiles available on Jamf Nation. QuickSupport is a relatively new addition to the TeamViewer suite of apps and uses different Bundle IDs compared to the full client, hence fewer articles and pre-configured profiles are available online.
Applications & Workflows
Our recommendation would be to explore TeamViewer QuickSupport, as the application never gets installed and is removed as soon as the end user unmounts the downloaded DMG, logs out, or restarts their Mac. There is no shortage of stories in which end users are tricked into handing over remote support credentials to unauthorised users. If the full client is already available on their Mac, it is easier for them to hand over these credentials. With a request in the Self Service app, and the need to download the QuickSupport app every time they expect someone from IT to connect to their Mac, the end user is less likely to make this mistake.
With that, we would suggest the following workflows be considered:
- Speak to your TeamViewer account manager and make sure you have the correct license in place to facilitate any security measures around conditional access. Why let any device in the world running TeamViewer access your corporate devices, when there is a feature to only permit a certain group of IT admin devices?
- Use the power of Jamf Pro with Extension Attributes and Smart Groups. If an IT admin needs to request remote access to a device, you could quickly have them change a dropdown box within the device record in Jamf Pro to permit remote access. This could do one of two things: firstly, it could install TeamViewer on only the devices that require it; or secondly, it could move TeamViewer.app out from a restricted software policy so the user could then launch it.
- Provide the TeamViewer application in Jamf Pro Self Service for a user to install if they require remote support, but add a workflow that then removes the application once support has completed. The best way we have found to achieve this is to add a post-install script to the TeamViewer install that removes the application after 1 hour.
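One way to implement the last workflow, the timed removal after a Self Service install, is shown below. This is an added example, not code from the original post or from Jamf or TeamViewer: a policy script that writes a one-shot LaunchDaemon which sleeps for the support window, quits the client, deletes TeamViewer.app and then unloads itself. The daemon label com.example.teamviewer-cleanup, the helper-script location under /Library/Scripts, the TeamViewer process name and the 3600-second delay are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the post's own code): schedule removal of TeamViewer.app one hour
# after a Self Service install, using a one-shot LaunchDaemon that cleans itself up.
# Label, helper-script path, process name and delay are assumptions for illustration.
set -eu

APP_PATH="${APP_PATH:-/Applications/TeamViewer.app}"
LABEL="${LABEL:-com.example.teamviewer-cleanup}"   # hypothetical reverse-DNS label
DELAY_SECONDS="${DELAY_SECONDS:-3600}"

# Body of the helper the daemon runs as root: wait out the support window, quit the
# client, delete the bundle, then remove the plist and unload the daemon so nothing
# persists. At run time "$1" is the plist path, passed via ProgramArguments below.
cleanup_script() {
  cat <<EOF
#!/bin/sh
sleep ${DELAY_SECONDS}
pkill -x TeamViewer 2>/dev/null || true
rm -rf "${APP_PATH}"
rm -f "\$1"
launchctl bootout "system/${LABEL}" 2>/dev/null || true
EOF
}

# LaunchDaemon definition: RunAtLoad fires the helper once when the daemon is loaded
# (and again after a reboot inside the window, which still ends in removal).
# $1 = helper script path, $2 = this plist's own path (handed to the helper).
daemon_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$1</string>
        <string>$2</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Write the helper and the plist under the given roots (defaults are the real system
# locations) and print the plist path. Kept separate from loading so it can be
# exercised against a scratch directory.
install_cleanup() {
  daemon_dir="${1:-/Library/LaunchDaemons}"
  script_dir="${2:-/Library/Scripts}"          # assumed location for the helper
  mkdir -p "$daemon_dir" "$script_dir"
  script_path="$script_dir/${LABEL}.sh"
  plist_path="$daemon_dir/${LABEL}.plist"
  cleanup_script > "$script_path"
  chmod 755 "$script_path"
  daemon_plist "$script_path" "$plist_path" > "$plist_path"
  chown root:wheel "$plist_path" 2>/dev/null || true   # launchd requires root ownership
  chmod 644 "$plist_path"
  echo "$plist_path"
}

# Load the daemon; only meaningful on a Mac running as root (Jamf policies run as root).
load_cleanup() {
  launchctl bootstrap system "$1"
}

# Jamf passes mount point, computer name and username as $1-$3; set script parameter 4
# in the policy to "arm" so the daemon is only written and loaded by that policy.
if [ "${4:-}" = "arm" ]; then
  plist="$(install_cleanup)"
  load_cleanup "$plist"
fi
```

Attach the script to the same Self Service policy as the TeamViewer package with priority "After" and parameter 4 set to arm; the helper removes both the app and its own daemon, so a second install from Self Service starts a fresh one-hour window.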
There will be many more techniques in use, I am sure, but the main thing here is to consider whether the automatic deployment of a remote access tool to all of your users is best practice for your security needs. Should you require any assistance with Apple security workflows, please click the contact us button below.