How to use settings policies to make TeamViewer more secure

The Blocklist and Allowlist define who can and can’t connect to a specific device.

Access Control for both incoming and outgoing connections defines what level of access a partner should have when connecting to a device, or what level of access someone should have when using a particular client to connect. The options range from having complete control of the client, to only being able to view what’s going on, to no access at all.

If you have certain clients that require stricter access, such as a sensitive server, or certain devices that shouldn’t be used to establish connections, like public-facing kiosks, this is where you would set those policies.

Perhaps you want a client to keep logs of every connection made to and from the device for accountability or compliance. The Enable Logging, Log Incoming Connections, and Log Outgoing Connections policies govern logging and are enabled by default. When logs are enabled, TeamViewer creates a .txt log file locally on the client.

The Report Connections to This Device policy setting dictates whether this client’s incoming connections should be reported to the Management Console under Device Reports, saving you a trip to retrieve the client’s local log. Both the logs and reports can go a long way in meeting regulatory requirements, especially in industries with strict privacy guidelines like finance or medicine. In the event of an audit, the logs and reports can satisfy a lot of questions about access capabilities and behaviors.

Organizations outside that level of scrutiny that are heavy users of TeamViewer may want to be more selective about which clients are reported on, otherwise these logs and reports can get quite large.

Although Easy Access, our password-less authentication feature, is our recommended best practice for access, some use cases require the traditional password instead. Just make sure your passwords follow best practices in length and complexity. These settings will help you make sure your passwords are as secure as possible.

Random Password After Each Session governs whether the system generates a random password after each session, only after the client restarts, or not at all. For example, if a client’s password stays the same, it is possible that someone who knows the password can access that client at any time – even after they leave the organization. To dictate how complex that password should be, use Password Length.

Temporarily Save Connection Passwords keeps the passwords active locally, so if someone gets disconnected, they don’t have to enter a new password even if you are requiring random passwords after each session. TeamViewer eliminates these passwords upon restart.

Check for New Version causes the client to see if a TeamViewer patch or upgrade is available. Even though the system is considerably secure on its own, up-to-date patching makes sure you don’t encounter any recent vulnerabilities at the software level. You can set this for weekly or monthly checks, or never.

New features and functionality updates tend to occur monthly, while security-relevant updates can happen at any time if we find a vulnerability. Of course, if the client isn’t checking for updates on its own, it’s up to IT to find relevant updates when they are released and push them out manually.

Once the client finds an update, Install New Versions Automatically sets whether the client should update itself without interaction. It can do this for all updates, just those flagged for security reasons, or just updates within your current major version (in other words, waiting to update to the next major version until you’ve tested it).

Black Screen for Incoming Connections means that when a computer is being used remotely, that computer will display a customizable black screen, rather than show what is happening on the actual desktop. This is a great way to maintain privacy on a client device if someone will use it remotely but have other people physically nearby, such as with kiosks or in a busy office.

Timing Out Inactive Sessions lets you set the time that needs to pass before an outgoing connection is timed out because of inactivity. If multiple people will use this client to access other remote devices or if there is a risk of this client being used in a public place where it could get lost, stolen, or compromised, this makes it more difficult for the next person to have access to an open connection that may or may not be authorized for them.

Changes Require Administrative Rights on This Computer makes sure that only users with administrative rights within Windows can change how the client’s TeamViewer settings are configured. Obviously, if this is not engaged, anyone can change any of the settings mentioned above, negating any progress you may make and putting the client at greater risk.