Tools > Configuration > Agent Settings > Remote control
Use the Remote control settings dialog box to specify and save a collection of remote control settings.
The Remote control settings dialog box's General settings page contains the following features:
- Allow HTML access: Allows the remote control agent to receive HTML remote control requests. For more information, see Remote control.
- Allow legacy remote control access: Allows the remote control agent to receive legacy remote control requests.
- Remote control: Grants permission to control the device.
- Draw: Grants permission to use the viewer window's drawing tools on the device.
- View only: Remote control sessions are view only. The remote control viewer can only see the remote computer and can't take control of it.
- Run programs on remote device: Grants permission to run programs on the device.
- Run as administrator: Starts programs with administrator permissions.
- Restart: The remote control viewer can reboot the remote computer.
- File transfer: The remote control viewer can exchange files with the remote computer.
- Chat: Grants permission to chat with the device.
The Remote control settings dialog box's Indicator settings page contains the following features:
- Floating desktop icon: Displays the remote control agent icon on the device screen at all times or only when being remotely controlled. When being controlled by the console, the icon changes to show a magnifying glass and the icon's title bar turns red.
- System tray icon: Places the remote control agent icon in the system tray. Again, the icon can be visible all the time or only while being remotely controlled.
The Remote control settings dialog box's Permission settings page contains the following features:
- Permission not needed, full access
- End user must grant permission and must be logged in
- End user must grant permission, but only if they are logged in
- End user must grant permission
- Display a custom message: Prompts the user with a custom message created here for permission to do one of the following:
  - Remote control
  - Remote execute
  - File transfer
  - All permissions
- Ask permission to use all features at one time
- Close permission message box after: Sets how long, in seconds, the permission prompt stays open on the managed device for the user to accept or deny the request before it closes.
When deploying remote control, you need to consider which security model you want to use. You have these choices:
- Local template: This is the most basic security model. It uses whatever remote control settings are specified on the device and doesn't require any other authentication or group membership.
- Windows NT security/local template: Allows only members of the Remote Control Operators group to initiate remote control connections from the console to remote devices. Permitted users are still required to use the permissions set from the Permission settings page of this dialog box.
Since the Remote Control Operators group is a local group, each device has its own copy of the group. To avoid managing each device's Remote Control Operators group individually, include global (domain level) groups with each local group. Permitted users still use the device's remote control settings, such as permission required.
This model doesn't require communication with the core server. Because there is a credential exchange between the remote control operator and the remote device, this option can be less secure.
- Smart card required: This option is only available when Windows NT security is selected. When you deploy an agent setting with this option selected to managed devices, those devices will require SmartCard hardware authentication before you can remote control them. For more information, see About SmartCard security.
- Windows NT security server authenticated: This option was added in version 2019 SU2. It is similar to the Windows NT security/local template option. The main difference is how the remote control account credentials are managed. With the server authenticated option, the remote device sends its list of remote control group members to the core server. The core server then verifies the remote control group membership and authentication, without having to send credentials to the remote device, making this option more secure.
Since the core server is handling authentication, this model requires communication with the core server.
- Integrated security: This is the most secure option and is the default. Integrated security is described in the next section.
Integrated security is the new default security model. Here's an outline of the integrated security remote control communication flow:
- The remote control viewer connects to the managed device's remote control agent, but the agent replies that integrated security authentication is required.
- The viewer requests remote control rights from the core server.
- The core server calculates remote control rights based on the viewer's scope, role-based administration rights, and Active Directory rights. The core server then creates a secure signed document and passes it back to the viewer.
- The viewer sends this document to the remote control agent on the managed device, which verifies the signed document. If everything is correct, the agent allows remote control to begin.
WARNING: Integrated security requires the core server
With integrated security remote control, if the core server isn't available, consoles won't be able to remote control devices. Integrated security remote control requires the core server to work.
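The four-step flow above, as an added illustration that is not Ivanti's code: the core issues a signed rights document scoped to one viewer and one device, and the agent accepts a session only if the signature, the target device and the requested right all check out. The key, the JSON document layout, the rights table and the use of HMAC-SHA256 in place of the product's real signature scheme are all assumptions made for the example.

```python
import hmac
import hashlib
import json

# Constructed stand-in key. The real agent/core key material and document
# format are not on the page; HMAC-SHA256 stands in for the product's signature.
CORE_SIGNING_KEY = b"constructed-demo-key"

# Constructed authorization data of the kind the core derives from the viewer's
# scope, role-based administration rights and Active Directory rights.
VIEWER_RIGHTS = {
    "alice": {"scope": {"ws-101", "ws-102"}, "rights": {"remote_control", "file_transfer"}},
    "bob":   {"scope": {"ws-101"},           "rights": {"view_only"}},
}


def core_issue_document(viewer, device, core_available=True):
    """Steps 2 and 3: the viewer asks the core for rights; the core computes and signs them."""
    if not core_available:
        return None  # no core, no document, no session (see the WARNING above)
    entry = VIEWER_RIGHTS.get(viewer)
    rights = sorted(entry["rights"]) if entry and device in entry["scope"] else []
    body = json.dumps({"viewer": viewer, "device": device, "rights": rights}, sort_keys=True)
    sig = hmac.new(CORE_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def agent_verify_document(doc, my_hostname, wanted_right):
    """Step 4: the agent checks the signature, that the document names this device,
    and that the requested right was actually granted."""
    if doc is None:
        return False
    expected = hmac.new(CORE_SIGNING_KEY, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["sig"]):
        return False  # tampered with, or not issued by the core
    claims = json.loads(doc["body"])
    return claims["device"] == my_hostname and wanted_right in claims["rights"]


def start_session(viewer, device, right, core_available=True):
    """Steps 1 to 4 end to end: True when the agent lets remote control begin."""
    doc = core_issue_document(viewer, device, core_available)
    return agent_verify_document(doc, device, right)
```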
If you select Windows NT security/local template or Windows NT security server authenticated as your security model, the Remote control operators group and View only group boxes list the users for the console or for the selected Windows NT domain. The users you select here will have remote control access to the devices that receive the settings defined in this configuration settings file. View only group users can only view remote devices. They can't take over the mouse or keyboard.
When adding users to one of the remote control groups, the console uses the logged-on user's Windows credentials, not the Ivanti console user's credentials, to list the users in a domain. If the List users from box isn't showing the domain you want, log in to Windows as a user with rights on that domain.
To choose from an existing server or domain
- In the Remote control page, click Windows NT security/local template or Windows NT security server authenticated and click the Add button.
- In the List users from box, select either the core server name or a Windows NT domain name containing user accounts.
- In the user list, select one or more users and click Insert to add them to the Inserted names list.
- Click OK to add the selected names to the Remote Control Operators group on each device that receives these configuration settings.
- If you want any of these users to be in the View only group, select them and move them over. Users can only be in one group.
To manually enter names
You can enter names manually by clicking in the Inserted names list and using any of the following formats to enter names. Use semicolons to separate names.
- DOMAIN\username where DOMAIN is the name of any domain accessible to the target device.
- MACHINE\username where MACHINE is the name of any device in the same domain as the target device.
- DOMAIN\groupname where DOMAIN is the name of any domain accessible to the target device, and groupname is the name of a management group in that domain.
- MACHINE\groupname where MACHINE is the name of any device in the same domain as the managed node, and groupname is the name of a management group on that device.
If you don't specify a domain or device name, it is assumed that the user or group specified belongs to the local device.
Click OK to add the names to the Remote Control Operators user group on the target device.
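As an added example (not part of the page or of the product), the following parses a semicolon-separated Inserted names entry into the four formats listed above, treats an unqualified name as local to the device, rejects malformed entries, and reports names that appear in both the Remote Control Operators and View only lists, since a user can only be in one group. The function names and the case-insensitive comparison are assumptions.

```python
import re

# DOMAIN\name or MACHINE\name: one backslash, no whitespace or semicolons inside.
_QUALIFIED = re.compile(r"^(?P<authority>[^\\;\s]+)\\(?P<name>[^\\;\s]+)$")
# A bare name, which the page says is assumed to belong to the local device.
_BARE = re.compile(r"^[^\\;\s]+$")


def parse_inserted_names(text):
    """Split an Inserted names entry into (authority, name) tuples.

    authority is the domain or machine name, upper-cased, or None for a local
    name. Raises ValueError on a malformed entry so nothing half-valid is added.
    """
    entries = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing or doubled semicolon
        m = _QUALIFIED.match(item)
        if m:
            entries.append((m.group("authority").upper(), m.group("name")))
        elif _BARE.match(item):
            entries.append((None, item))
        else:
            raise ValueError(f"malformed entry: {item!r}")
    return entries


def check_group_overlap(operators_text, view_only_text):
    """Return entries listed in both groups; users can only be in one group."""
    ops = {(a, n.lower()) for a, n in parse_inserted_names(operators_text)}
    view = {(a, n.lower()) for a, n in parse_inserted_names(view_only_text)}
    return sorted(ops & view, key=str)
```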
SmartCard security requires a hardware SmartCard reader on the device initiating remote control sessions. When a remote device's agent setting requires a SmartCard for remote control, the session won't start unless a SmartCard is inserted and the SmartCard PIN is provided. The SmartCard user must also be in the Remote Control Operators or View only group.
SmartCard security only works on Windows 7 or newer devices. SmartCard authentication also requires the Windows remote control viewer application. HTML remote control doesn't support SmartCard authentication.
The Remote control settings dialog box's Security settings page contains the following features:
- Lock the remote control computer when the session ends: Locks the managed device to secure mode whether the user is logged in or not.
- Terminate remote access if the user logs out or locks the machine: Automatically ends the remote control session if the user logs out or locks the machine.
- Allow the end user to terminate the session: If this option is selected, users being remote controlled can use the remote control floating icon or the system tray icon to stop an active remote control session. If this option isn't selected, users won't be able to stop an active session.
- Close inactive session after: If no mouse or keyboard activity is transmitted via the remote control viewer for the duration of this timeout, the session will end.