Exploring TeamViewer Remote Assistance in Intune

Today’s blog post focuses on the Intune-TeamViewer integration to check how the Remote Assistance feature works.

Let’s begin by checking the license requirements and platform supportability to use the Remote Assistance feature made available in Intune via the TeamViewer integration.

License Requirements:

• Valid TeamViewer account with Corporate or Tensor license.

If you have a TeamViewer Corporate License and want to have the remote assistance feature enabled for mobile devices (Android/iOS) as well, you require to have the Add-on plan Mobile Device Support.

• Intune license must be assigned to the Intune admin account used for configuring the TeamViewer connector.

• If using Intune RBAC roles for the admin account, then it must have the following roles assigned:
  • Remote Assistance Read and Update
  • Request Remote Assistance

Platforms that support the Intune-TeamViewer Remote Assistance feature:

• Android Device Administrator (DA)
• Android Enterprise Personally owned devices with a work profile (BYOD)
• iOS/iPadOS
• macOS
• Windows

Devices enrolled in any of the three Android Enterprise Corporate Owned enrollment schemes are not supported for remote assistance via TeamViewer. This is because the incoming assistance request is facilitated via the Company Portal app and not the Intune app.

Windows HoloLens devices, Surface Hubs, and/or Windows 10 S devices are not supported by TeamViewer.

For the purpose of this blog post, we will be testing the Intune-TeamViewer Remote Assistance feature on the Windows platform.

Install the TeamViewer full client on Admin workstations

The Intune Admins who would be initiating remote assistance sessions require to have the full TeamViewer client installed on their workstations, signed in with a properly licensed TeamViewer account.

• You can download the TeamViewer client for your OS by invoking the following link https://www.teamviewer.com/en/download/ or you can simply log in to the TeamViewer Management Console and download the client from there.

• Run the downloaded application. Choose the Default installation option during the installation. In case there is a UAC dialog, click the Yes button and the installation will proceed and complete.

• Launch the TeamViewer application and sign-in with the account that have the TeamViewer license.

• You would be prompted to Trust the device.

This is done via TeamViewer sending you a device authorization link to the email address specified for the TeamViewer account. You need to click on the link as received in the email sent by TeamViewer and add the device as a Trusted device.

Once the device has been added to TeamViewer Management Console as a Trusted Device, you will be able to complete the sign-in to the client.

The TeamViewer client is now ready on the Admin workstation.

Enable Intune-TeamViewer Connector in MEM Admin Center

The TeamViewer integration in Intune is pre-built. It only requires an Admin with the required roles to enable the integration and link the TeamViewer account.

In the MEM Admin Center

• Navigate to Tenant administration > Connectors and tokens > TeamViewer Connector
• Click on Connect

• Click on OK to accept the permissions.

• On the same screen, there is a link to Log in to TeamViewer to authorize. Click on it.

• A new browser windows will open to the TeamViewer site where you need to sign-in with your TeamViewer credentials

• It will then show the Request for permission screen where you need to click on Allow

• You will be again redirected to Microsoft login, requiring a sign-in. Use the credentials of the same M365 Admin account which initiated the connector configuration.

• On successful setup, you get the below confirmation message displayed on the browser screen.

Return to the initial browser window where you have the MEM Admin Center open. If the connection status is not already reflecting as Active, click on Refresh to refresh the connector status and it should now display as Active.

The TeamViewer-Intune integration is now complete.

Prepare TeamViewer Host to be deployed to managed endpoints

Since I have already mentioned ealrier that for the purpose of this blog, we will be testing the Teamviwer Remote Assistance feature with Intune for the Windows platform, here I will be taking you through the steps required to deploy hosts to managed Windows 10 endpoints.

• Login to TeamViewer Management Console
• From the menu on the left side, click on Design and Deploy
• Click on Add Custom Module and select Host (doing this for Windows)

This then allows you to customize the TeamViewer client to de deployed on the endpoints to include

• your organization logo
• custom text and text color
• background-color for the client

An example of customization for reference is shown below.

• Once you are done with customizing the host and click on Save.
• A dialog will appear with the Download deployment package, and an API token to be used during the MSI Deployment.

• Copy the API token to be used later for deployment
• Click on the Download deployment package

Note that the package downloaded is an EXE version with which you can repackage it as an Intune Win32 (.INTUNEWIN) app with the proper detection rules and then deploy from Intune.

• However, we can also have the MSI version to be deployed as a LOB app from Intune. For that, return back to Design and Deploy page and you will see your newly created Custom Host in the list.

• Click on the Edit button.

This opens the same window as the previous one where you created your custom host, but scroll down and you will find new information shown as highlighted. From here, you need to

• Copy the Configuration ID as this will also be required for the MSI deployment.

• Finally, click on the Download MSI link.

This downloads a ZIP file which when extracted gives the MSIs for both the Full client and the Host version. We will be deploying the Host to the end-user devices.

We now have the MSI package for the Host version, the API token, and the Configuration ID. Hence let’s proceed to create the app in Intune.

Create and Deploy TeamViewer Host MSI from Intune

IN the MEM Admin Center,

• Navigate to Apps >> Windows (By Platform)
• Click on Add and then select Line-of-Business app for App type

• Upload the MSI file named TeamViewer_Host.msi

• Configure the rest of the details for the App and the Install command

You need to build the install command as shown below using the Configuration ID and API Token values as obtained from previous steps.

/qn CUSTOMCONFIGID=%YOURCUSTOMCONFIGID% APITOKEN=%YOURAPITOKEN% ASSIGNMENTOPTIONS="--grant-easy-access"

• After making the necessary assignments, click on Create to create the app.

All you need to do now is monitor the app deployment status to confirm successful deployments.

Monitor TeamViewer Host deployment with Intune

Once the TeamViewer host is deployed on an endpoint, this is how it will look when a user launches it. [Depends on the customizations done to the Host]

Note the user device hostname included in the above snapshot. You can use the device hostname for cross-reference either from

• the TeamViewer Management Console by looking at the Trusted Devices section

• or from the TeamViewer client (Full) that is installed on the Admin workstation.

Thus we now have the

• Full client installed and running on the Admin workstation
• Intune-TeamViewer integration in active state
• Host customized and deployed to end-user devices

Let’s now go ahead and check out the remote assistance experience.

Intune-TeamViewer Remote Assistance User Experience

Admin initiates remote assistance

• The Admin selects a managed Windows 10 device from the MEM console and triggers New Remote Assistance Session remote action.

• Admin confirms the remote action by clicking on Yes

• Once Intune is able to connect with TeamViewer services, Admin will see the Start Remote Assistance link generated in the Essentials section for the device

• Admin clicks on Start Remote Assistance. This opens a new browser tab that will ask to open the Full TeamViewer client that is installed on the Admin workstation.

• The TeamViewer client on the Admin workstation launches. But at this point, it stays at the below screen waiting for actions that need to be performed on the end-user device.

End-user needs to join the initiated remote session

• On the end-user device, the remote assistance request will land up as a notification in the Company Portal app as shown below.

This is not notified via a Toast notification so the user needs to open the Company Portal app and check the notification from within the app.

• End-user needs to click on that notification, which in turn opens a new web browser. It will ask the end-user to allow opening the TeamViewer host that is already present on the device. The user needs to click on Open.

• End-user will receive another pop-up dialog to Allow the remote session.

This is a time-limited prompt as such the end-user needs to click on Allow within the stipulated countdown timer which is shown on the Cancel button. Else the session is automatically terminated.

Considering the user clicked on Allow on the above prompt within time, the remote session will get connected and the Admin would get the remote control of the end-user device.

When the remote session gets connected and Admin takes the remote control, on the end-user device, the screen will go black with the TeamViewer host present at the bottom-right corner of the screen. End-user can terminate the session at will by closing the TeamViewer host.

And this is how the TeamViewer client on the Admin workstation looks like when a remote session is in place.

For Windows devices provisioned via userless methods, such as Autopilot Self-Deploy (in preview) and Windows Configuration Designer (WCD), the Intune Teamviewer Remote Assistance notification doesn’t show in the Company Portal app.

For such devices, admins can initiate the remote session from the TeamViewer portal/client itself, provided the host has been successfully deployed to those endpoints.

Wrap Up

The target of the TeamViewer-Intune integration is to enable IT Administrators to remotely troubleshoot issues related to the devices.

For the cost associated to procure the TeamViewer license, what you get in return is the cost savings in the form of a cut in travel costs for on-site, in-person service calls, and maintenance.

That’s all for today. Thanks for reading.