Exploring TeamViewer Remote Assistance in Intune

Remote Assistance with Intune and TeamViewer

Today’s blog post focuses on the Intune-TeamViewer integration to check how the Remote Assistance feature works.

Let’s begin by checking the license requirements and platform supportability to use the Remote Assistance feature made available in Intune via the TeamViewer integration.

License Requirements:

  • Valid TeamViewer account with Corporate or Tensor license.
If you have a TeamViewer Corporate License and want to have the remote assistance feature enabled for mobile devices (Android/iOS) as well, you require to have the Add-on plan Mobile Device Support.
  • Intune license must be assigned to the Intune admin account used for configuring the TeamViewer connector.
  • If using Intune RBAC roles for the admin account, then it must have the following roles assigned:
    • Remote Assistance Read and Update
    • Request Remote Assistance

Platforms that support the Intune-TeamViewer Remote Assistance feature:

  • Android Device Administrator (DA)
  • Android Enterprise Personally owned devices with a work profile (BYOD)
  • iOS/iPadOS
  • macOS
  • Windows

Devices enrolled in any of the three Android Enterprise Corporate Owned enrollment schemes are not supported for remote assistance via TeamViewer. This is because the incoming assistance request is facilitated via the Company Portal app and not the Intune app.

Windows HoloLens devices, Surface Hubs, and/or Windows 10 S devices are not supported by TeamViewer.

For the purpose of this blog post, we will be testing the Intune-TeamViewer Remote Assistance feature on the Windows platform.

Install the TeamViewer full client on Admin workstations

The Intune Admins who would be initiating remote assistance sessions require to have the full TeamViewer client installed on their workstations, signed in with a properly licensed TeamViewer account.

Install the TeamViewer full client on Admin workstations
Install the TeamViewer full client on Admin workstations
  • Run the downloaded application. Choose the Default installation option during the installation. In case there is a UAC dialog, click the Yes button and the installation will proceed and complete.
  • Launch the TeamViewer application and sign-in with the account that have the TeamViewer license.
Install the TeamViewer full client on Admin workstations
Install the TeamViewer full client on Admin workstations
  • You would be prompted to Trust the device.

This is done via TeamViewer sending you a device authorization link to the email address specified for the TeamViewer account. You need to click on the link as received in the email sent by TeamViewer and add the device as a Trusted device.

Once the device has been added to TeamViewer Management Console as a Trusted Device, you will be able to complete the sign-in to the client.

Install the TeamViewer full client on Admin workstations
Install the TeamViewer full client on Admin workstations

The TeamViewer client is now ready on the Admin workstation.

Enable Intune-TeamViewer Connector in MEM Admin Center

The TeamViewer integration in Intune is pre-built. It only requires an Admin with the required roles to enable the integration and link the TeamViewer account.

In the MEM Admin Center

  • Navigate to Tenant administration > Connectors and tokens > TeamViewer Connector
  • Click on Connect
Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center
  • Click on OK to accept the permissions.
Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center
  • On the same screen, there is a link to Log in to TeamViewer to authorize. Click on it.
Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center
  • A new browser windows will open to the TeamViewer site where you need to sign-in with your TeamViewer credentials
Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center
  • It will then show the Request for permission screen where you need to click on Allow
Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center
  • You will be again redirected to Microsoft login, requiring a sign-in. Use the credentials of the same M365 Admin account which initiated the connector configuration.
Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center
  • On successful setup, you get the below confirmation message displayed on the browser screen.
Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center

Return to the initial browser window where you have the MEM Admin Center open. If the connection status is not already reflecting as Active, click on Refresh to refresh the connector status and it should now display as Active.

Enable Intune-TeamViewer Connector in MEM Admin Center
Enable Intune-TeamViewer Connector in MEM Admin Center

The TeamViewer-Intune integration is now complete.

Prepare TeamViewer Host to be deployed to managed endpoints

Since I have already mentioned ealrier that for the purpose of this blog, we will be testing the Teamviwer Remote Assistance feature with Intune for the Windows platform, here I will be taking you through the steps required to deploy hosts to managed Windows 10 endpoints.

  • Login to TeamViewer Management Console
  • From the menu on the left side, click on Design and Deploy
  • Click on Add Custom Module and select Host (doing this for Windows)
Prepare TeamViewer Host to be deployed to managed endpoints
Prepare TeamViewer Host to be deployed to managed endpoints

This then allows you to customize the TeamViewer client to de deployed on the endpoints to include

  • your organization logo
  • custom text and text color
  • background-color for the client
Prepare TeamViewer Host to be deployed to managed endpoints
Prepare TeamViewer Host to be deployed to managed endpoints

An example of customization for reference is shown below.

Prepare TeamViewer Host to be deployed to managed endpoints
Prepare TeamViewer Host to be deployed to managed endpoints
  • Once you are done with customizing the host and click on Save.
  • A dialog will appear with the Download deployment package, and an API token to be used during the MSI Deployment.
Prepare TeamViewer Host to be deployed to managed endpoints
Prepare TeamViewer Host to be deployed to managed endpoints
  • Copy the API token to be used later for deployment
  • Click on the Download deployment package

Note that the package downloaded is an EXE version with which you can repackage it as an Intune Win32 (.INTUNEWIN) app with the proper detection rules and then deploy from Intune.

  • However, we can also have the MSI version to be deployed as a LOB app from Intune. For that, return back to Design and Deploy page and you will see your newly created Custom Host in the list.
Prepare TeamViewer Host to be deployed to managed endpoints
Prepare TeamViewer Host to be deployed to managed endpoints
  • Click on the Edit button.

This opens the same window as the previous one where you created your custom host, but scroll down and you will find new information shown as highlighted. From here, you need to

  • Copy the Configuration ID as this will also be required for the MSI deployment.
Prepare TeamViewer Host to be deployed to managed endpoints
Prepare TeamViewer Host to be deployed to managed endpoints
  • Finally, click on the Download MSI link.

This downloads a ZIP file which when extracted gives the MSIs for both the Full client and the Host version. We will be deploying the Host to the end-user devices.

We now have the MSI package for the Host version, the API token, and the Configuration ID. Hence let’s proceed to create the app in Intune.

Create and Deploy TeamViewer Host MSI from Intune

IN the MEM Admin Center,

  • Navigate to Apps >> Windows (By Platform)
  • Click on Add and then select Line-of-Business app for App type
Create and Deploy TeamViewer Host MSI from Intune
Create and Deploy TeamViewer Host MSI from Intune
  • Upload the MSI file named TeamViewer_Host.msi
Create and Deploy TeamViewer Host MSI from Intune
Create and Deploy TeamViewer Host MSI from Intune
  • Configure the rest of the details for the App and the Install command
You need to build the install command as shown below using the Configuration ID and API Token values as obtained from previous steps.

/qn CUSTOMCONFIGID=%YOURCUSTOMCONFIGID% APITOKEN=%YOURAPITOKEN% ASSIGNMENTOPTIONS="--grant-easy-access"
Create and Deploy TeamViewer Host MSI from Intune
Create and Deploy TeamViewer Host MSI from Intune
  • After making the necessary assignments, click on Create to create the app.
Create and Deploy TeamViewer Host MSI from Intune
Create and Deploy TeamViewer Host MSI from Intune

All you need to do now is monitor the app deployment status to confirm successful deployments.

Monitor TeamViewer Host deployment with Intune

Once the TeamViewer host is deployed on an endpoint, this is how it will look when a user launches it. [Depends on the customizations done to the Host]

Monitor TeamViewer Host deployment with Intune
Monitor TeamViewer Host deployment with Intune

Note the user device hostname included in the above snapshot. You can use the device hostname for cross-reference either from

  • the TeamViewer Management Console by looking at the Trusted Devices section
Monitor TeamViewer Host deployment with Intune
Monitor TeamViewer Host deployment with Intune
  • or from the TeamViewer client (Full) that is installed on the Admin workstation.
Monitor TeamViewer Host deployment with Intune
Monitor TeamViewer Host deployment with Intune

Thus we now have the

  • Full client installed and running on the Admin workstation
  • Intune-TeamViewer integration in active state
  • Host customized and deployed to end-user devices

Let’s now go ahead and check out the remote assistance experience.

Intune-TeamViewer Remote Assistance User Experience

Admin initiates remote assistance

  • The Admin selects a managed Windows 10 device from the MEM console and triggers New Remote Assistance Session remote action.
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience
  • Admin confirms the remote action by clicking on Yes
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience
  • Once Intune is able to connect with TeamViewer services, Admin will see the Start Remote Assistance link generated in the Essentials section for the device
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience
  • Admin clicks on Start Remote Assistance. This opens a new browser tab that will ask to open the Full TeamViewer client that is installed on the Admin workstation.
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience
  • The TeamViewer client on the Admin workstation launches. But at this point, it stays at the below screen waiting for actions that need to be performed on the end-user device.
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience

End-user needs to join the initiated remote session

  • On the end-user device, the remote assistance request will land up as a notification in the Company Portal app as shown below.
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience

This is not notified via a Toast notification so the user needs to open the Company Portal app and check the notification from within the app.

  • End-user needs to click on that notification, which in turn opens a new web browser. It will ask the end-user to allow opening the TeamViewer host that is already present on the device. The user needs to click on Open.
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience
  • End-user will receive another pop-up dialog to Allow the remote session.
Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience

This is a time-limited prompt as such the end-user needs to click on Allow within the stipulated countdown timer which is shown on the Cancel button. Else the session is automatically terminated.

Considering the user clicked on Allow on the above prompt within time, the remote session will get connected and the Admin would get the remote control of the end-user device.

When the remote session gets connected and Admin takes the remote control, on the end-user device, the screen will go black with the TeamViewer host present at the bottom-right corner of the screen. End-user can terminate the session at will by closing the TeamViewer host.

Intune-TeamViewer Remote Assistance User Experience
Intune-TeamViewer Remote Assistance User Experience

And this is how the TeamViewer client on the Admin workstation looks like when a remote session is in place.

For Windows devices provisioned via userless methods, such as Autopilot Self-Deploy (in preview) and Windows Configuration Designer (WCD), the Intune Teamviewer Remote Assistance notification doesn’t show in the Company Portal app.

For such devices, admins can initiate the remote session from the TeamViewer portal/client itself, provided the host has been successfully deployed to those endpoints.

Wrap Up

The target of the TeamViewer-Intune integration is to enable IT Administrators to remotely troubleshoot issues related to the devices.

For the cost associated to procure the TeamViewer license, what you get in return is the cost savings in the form of a cut in travel costs for on-site, in-person service calls, and maintenance.

That’s all for today. Thanks for reading.

1 Trackback / Pingback

  1. Intune Windows Autopilot URLs Whitelist Requirement - MDM Tech Space

Comments are closed.