Remote control for sysadmin (user support)

What's the going app/service these days for helping users with remote access? For example if I have a call from someone in another state (or anywhere really) that needs my help to download, configure, etc anything on their laptop how can I remote control their machine to help?

I used to use a service from GoToMyPC called GoToAssist, but it was years ago and it's now called something else.

I don't have too many users (50+), but as I redeploy new laptops over the coming months, etc as part of lifecycle replacement I'd like to install an "agent" or something to help me help them.

What are you all using?
 

SplatMan_DK

Ars Tribunus Angusticlavius
8,293
Subscriptor++
We use mostly TeamViewer, and configure it to not launch automatically at boot. Then place a shortcut on the desktop, so it can be launched by the user.

By default TeamViewer has a service proxy on their end, which facilitates traffic. That means you only need to allow outbound connections for both the admin and the endpoint. And no UPnP either (which nobody should use nowadays).

We sometimes configure it to auto-launch for limited periods of time, during transition or transformation projects. It runs as a service and enables remote access without a user session (meaning you can access devices after reboots or during off-hours).

For security reasons, the remote management agent should not be running when not actively needed.

If you're really worried about security, and don't want to use TeamViewer's service proxy, you can configure it to run on LAN traffic only.
You then wrap it in a VPN tunnel. Endpoints can either dial up to your VPN gateway, or, if you have specific customer sites to support, make a permanent Site-to-Site config.
 
I'll admit I'd like some MDM or EPP to manage all of the field laptops. I'm in the corporate office and I see these people on a daily basis. It's the ones onsite out in the field that I don't have any visibility into. I'd like to be able to revoke access or lock it down if needed. There are times where an employee gets terminated and I get the call to remove their access.

Laptops out in the field are not domain joined, but instead have a user account (local admin). I too have a local admin account that I use to set up the laptop. When I remove access I log into the domain controller and change their password, which automatically syncs to Microsoft (I'm running local AD, but syncing via AD Connect to Office 365).
 

Entegy

Ars Legatus Legionis
18,173
If you have Business Premium licences, you have access to Intune. There's an addon package for Intune that contains remote control software as well.

If you jump into Autopilot, then you can use Entra ID's Temporary Access Pass feature to set up a new PC and account for someone without being bothered to set up their MFA or recovery info. Entra ID-only machines that are using domain-synced user accounts can also automatically translate the EID account to the equivalent AD account for SSO/login to local network resources. The trickiest part of the setup is if you use 802.1X auth or device certificates. There's some extra work to set that all up.

Intune also has a GPO analyzer tool where you upload your exported GP objects and it can tell you the feasibility of converting those into Intune config policies.

Finally, this doesn't require Intune, but if you're not using this yet, look into Windows LAPS. Unlike the older Microsoft LAPS, Windows LAPS is now integrated into Windows (Windows 10 22H2 and 11 23H2 require the May 2023 cumulative update to be installed) and the local admin password can be stored in either AD or Entra ID. If you store it in Entra ID, then the machine can always follow the password rotation schedule without a direct line of sight to a DC, which I imagine is an issue for your field users.

Windows has remote wipe commands it can follow from an MDM, but it's not as nice as the remote lock features of iOS/Android. So I leverage BitLocker for this. I have a script that wipes the key protectors BitLocker uses to unlock the disk and then forcibly wipes the machine. This forces BitLocker to ask for a recovery key on startup, so if the thief wants to use the laptop, they have to wipe the disk. They're not getting any of the data. We have also used this for ah... sudden termination of employees as well. Kicks 'em out of the computer and locks it down.
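An added example of the BitLocker lockdown described above (this is not the poster's script): it escrows the recovery password to Entra ID first, and only then removes the TPM-based protectors, so the next boot demands the recovery key without the data becoming unrecoverable to the admin. It assumes an Entra-joined device, the built-in BitLocker PowerShell module, and local admin rights; for on-prem AD escrow, use Backup-BitLockerKeyProtector instead of BackupToAAD-BitLockerKeyProtector.

```powershell
# Added example, not the poster's script. Lock a BitLocker-protected laptop by
# removing its TPM-based key protectors so the next boot asks for the recovery
# password. The recovery password is escrowed to Entra ID first; if that fails,
# nothing is removed (otherwise the admin would lose access to the data too).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$MountPoint = 'C:'   # assumption: OS volume is C:

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; refusing to continue."
}

# 1. Ensure a recovery password protector exists, then escrow it to Entra ID.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    $recovery = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($rp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
}

# 2. Remove every TPM-based protector; only the recovery password remains.
$tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$vol = Get-BitLockerVolume -MountPoint $MountPoint
foreach ($kp in $vol.KeyProtector | Where-Object { $tpmTypes -contains "$($_.KeyProtectorType)" }) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 3. Verify no TPM protector survived, then force a restart to end the session now.
$remaining = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    ForEach-Object { "$($_.KeyProtectorType)" }
if ($remaining | Where-Object { $tpmTypes -contains $_ }) {
    throw 'A TPM protector is still present; not restarting.'
}
Restart-Computer -Force
```

Run it through the MDM or remote-management agent; the device's recovery key is then readable from the Entra ID device page, and a user without it cannot get past the BitLocker recovery screen.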