 Rank: Member Medals:  Joined: 4/18/2012(UTC) Posts: 11 Location: Spokane, WA
Thanks: 1 times
Currently we have around 100 Sessions groups. Primarily set to group devices by client based on parameters such as "(GuestMachineDomain = 'DOMAINNAME') OR (CustomProperty1='ORGANIZATIONNAME')".
Our techs' security is set to "HostSessionWithoutConsent: AllSessionGroups, OwnedAndUnowned".
What I need to do is reconfigure the security so that if a device is a WORKSTATION OS it will require a prompt for consent and if it is a SERVER OS to then NOT prompt for consent.
I am pretty sure I have to create 2 Session Groups per client. One for Workstations that does not have "HostSessionWithoutConsent" and one for Servers that has "HostSessionWithoutConsent". I would then have to update the Security Role for each of the 2 new Session Groups per client. This is doable but will be a management pain and time sink on configuration. If there is an alternative method I'm not thinking of, please chime in.
The next part to figure out is... Is there a parameter in "manage session groups" that would be able to include a device if it is a workstation or server? I've searched the forums and support sections but haven't found what I am looking for.
NOTE: We use the default Unattended MSI installer and use the Manage Session Group filters to auto assign any new device to the appropriate client group. This has worked flawlessly so far and would like to keep the same process as part of solution.
Has anyone else gone down this rabbit hole?
Any help is appreciated.
 Rank: Advanced Member Medals:  Joined: 1/29/2014(UTC) Posts: 130   Location: Indianapolis, IN Thanks: 2 times Was thanked: 21 time(s) in 21 post(s)
For the session groups, you could use GuestOperatingSystemName LIKE '*Windows Server*' to gather the servers. You could do the same for the workstations, but you would have to split it out into several OR listings for the various OS names. Here is a list you can use: http://msdn.microsoft.co...724832%28v=vs.85%29.aspx

Or just use a NOT LIKE Windows Server string, if you don't have any non-Windows computers to deal with. You might also add a Notes Like line with "Windows Server Box", in case you have anyone using a "server" with a workstation OS.

But I haven't found an easy way to split up the consent rights. I tried creating a master "servers" group, thinking the computers in it would inherit the HostSessionWithoutConsent rights across all groups. But that right goes with the group, not the computers in it. So if you click on the MasterServers group, and then join a computer, it works. If you click on, say, the ClientName-Servers group and try to join the same computer, it prompts for consent (since that group doesn't have the specific right).

And in your case, the rights page is going to be a real pain. You'll have to grant the permission to each of the 100 specific groups one line at a time.
 Rank: Member Medals:  Joined: 4/18/2012(UTC) Posts: 11 Location: Spokane, WA
Thanks: 1 times
Thank you, that worked just as needed. Been playing with the roles and I think I got it ironed out.
For our Techs Global Roles I have the following.

CreateSupportSession
CreateMeetingSession
BuildAccessInstaller
ManageSharedToolbox
ViewSessionGroup: AllSessionGroups
JoinSession: AllSessionGroups, OwnedAndUnowned
EndSession: AllSessionGroups, OwnedAndUnowned
TransferSession: AllSessionGroups, OwnedAndUnowned
EditSession: AllSessionGroups, OwnedAndUnowned
RunCommandOutsideSession: AllSessionGroups, OwnedAndUnowned
AddNoteToSession: AllSessionGroups, OwnedAndUnowned
RemoveNoteFromSession: AllSessionGroups, OwnedAndUnowned
ReinstallSession: AllSessionGroups, OwnedAndUnowned
UninstallSession: AllSessionGroups, OwnedAndUnowned
TransferFilesInSession: AllSessionGroups, OwnedAndUnowned
RunSharedToolInSession: AllSessionGroups, OwnedAndUnowned
And then create one additional role for "HostSessionWithoutConsent" and add JUST the Client Server Groups

HostSessionWithoutConsent: 'CLIENT-A SERVERS', OwnedAndUnowned
HostSessionWithoutConsent: 'CLIENT-B SERVERS', OwnedAndUnowned
HostSessionWithoutConsent: 'CLIENT-C SERVERS', OwnedAndUnowned
etc.
The Techs Global Roles do not have the Manage Session right nor the HostSessionWithoutConsent. Devices are grouped automagically based on the Manage Session rules. Techs cannot move a device from one session group to another.
Manage Session Groups:

SERVER: (GuestOperatingSystemName LIKE '*Server*') AND ((GuestMachineDomain = 'DOMAINNAME') OR (CustomProperty1='OrganizationName'))
WORKSTATION: (GuestOperatingSystemName NOT LIKE '*Server*') AND ((GuestMachineDomain = 'DOMAINNAME') OR (CustomProperty1='OrganizationName'))
Now comes the fun part. Creating a second group for each client for just Servers. Updating the original group for just workstations. And then finally updating the Security Role for the Servers to host without consent.
Time for more in-depth testing. I'll post any other insights I may find on the way. Any comments or other ideas are welcome. Thanks guys
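
A small model of the configuration described in the post above, added here as an illustration; it is not part of the thread and not ScreenConnect code. It assumes LIKE is a case-insensitive `*` wildcard match; the device inventory and all function names are constructed for the example.

```python
import fnmatch

# Constructed inventory (device, client, GuestOperatingSystemName); not real data.
DEVICES = [
    ("dc01", "CLIENT-A", "Windows Server 2012 R2 Standard"),
    ("pc17", "CLIENT-A", "Windows 7 Professional"),
    ("nas1", "CLIENT-B", "Windows Home Server 2011"),  # consumer box, still matches *Server*
    ("pc02", "CLIENT-B", "Windows 10 Pro"),
]
ALL_GROUPS = "HostSessionWithoutConsent: AllSessionGroups, OwnedAndUnowned"

def like(value, pattern):
    """Assumed LIKE semantics: '*' wildcard, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def session_group(client, os_name):
    """SERVER / WORKSTATION split from the post above, per client."""
    kind = "SERVERS" if like(os_name, "*Server*") else "WORKSTATIONS"
    return f"{client} {kind}"

def consent_role(clients):
    """Lines for the extra stacked role: one entry per client server group."""
    return [f"HostSessionWithoutConsent: '{c} SERVERS', OwnedAndUnowned"
            for c in sorted(clients)]

def prompts_for_consent(group, role_lines):
    """The right belongs to the group joined through, not to the machine."""
    grants = [l for l in role_lines if l.startswith("HostSessionWithoutConsent:")]
    return not any("AllSessionGroups" in l or f"'{group}'" in l for l in grants)

def no_prompt_workstations(devices, role_lines):
    """Audit: workstation-group devices a tech could join with no prompt."""
    hits = []
    for name, client, os_name in devices:
        group = session_group(client, os_name)
        if group.endswith("WORKSTATIONS") and not prompts_for_consent(group, role_lines):
            hits.append(name)
    return hits

if __name__ == "__main__":
    role = consent_role({c for _, c, _ in DEVICES})
    print("\n".join(role))
    for name, client, os_name in DEVICES:
        g = session_group(client, os_name)
        print(name, g, "prompt" if prompts_for_consent(g, role) else "no prompt")
    # A leftover AllSessionGroups grant on any stacked role defeats the split.
    print(no_prompt_workstations(DEVICES, role + [ALL_GROUPS]))
```

In this model the constructed "Windows Home Server 2011" device lands in the server group and is joined without a prompt, which is the kind of name match worth reviewing before the per-client role lines are rolled out.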
 Rank: Advanced Member Medals:  Joined: 1/17/2014(UTC) Posts: 38  Location: California Was thanked: 2 time(s) in 2 post(s)
I only have one group that I want to access with consent. Does anyone know how that can be set up? Is there a way I can say "HostSessionWithConsent: 'My Session Name', OwnedAndUnowned"?
 Rank: Advanced Member Medals:  Joined: 1/29/2014(UTC) Posts: 130   Location: Indianapolis, IN Thanks: 2 times Was thanked: 21 time(s) in 21 post(s)
I don't think so. The option is HostSessionWithoutConsent, and I think you would have to add that right to every group BUT the one you want prompted for consent.
 Rank: Advanced Member Medals:   Joined: 11/14/2014(UTC) Posts: 43
Thanks: 2 times Was thanked: 4 time(s) in 3 post(s)
I need to set a specific Session Group to require consent; all others should be with no consent. How would I do this?
 Rank: Administration Medals:  Joined: 5/30/2012(UTC) Posts: 501 Location: Raleigh, NC
Thanks: 56 times Was thanked: 82 time(s) in 68 post(s)
I think HighTech's solution reflects our view of roles best. Role based Security is a permissions based system: http://help.screenconnec...r_roles_and_permissions. We need to specify which permissions each role will carry and then assign them to our users. Roles are stackable, so when minor adjustments are needed, creating additional roles is an efficient way of adjusting permissions. I would recommend:

1. Delete the "HostSessionWithoutConsent: AllSessionGroups, OwnedAndUnowned" permission from the role you wish to edit.
2. Create a new role with the ability to "HostSessionWithoutConsent: AllSessionGroups, OwnedAndUnowned"
3. Create a second role with the ability to "HostSessionWithoutConsent: 'Name of Session Group', OwnedAndUnowned" for each group you wish to allow "HostSessionWithoutConsent".
4. Now you can assign a second role as necessary to techs to allow or deny access to the specific group.

This will allow you to dynamically assign access to the group of machines in question. I hope this information is helpful. Please feel free to call in if you need a walk through. Here's a link to setting up session groups, jic: http://help.screenconnec...Managing_session_groups.

ScreenConnect Team
 Rank: Advanced Member Medals:   Joined: 11/14/2014(UTC) Posts: 43
Thanks: 2 times Was thanked: 4 time(s) in 3 post(s)
This is a very complicated way of doing this.
A simple HostSessionRequiresConsent and then selecting the session group would be much better. All of our techs have the same permission level and I am sure it is similar for most IT support businesses.
We will have a Session Group for every company we support containing all of their servers and workstations (somewhere in the region of 100 groups at the moment), currently we have one customer who requires consent for us to connect.
Doing this the way you suggest will mean that every time a new Session Group is added a new permission will have to be added with HostSessionWithoutConsent and the group name. This is making the system far too complicated to maintain, as mentioned above it would be much easier to have a HostSessionRequiresConsent option.
 Rank: Newbie Joined: 7/8/2015(UTC) Posts: 1  Location: Calgary
Does setting up security restrictions also apply to sessions created/joined from an RMM (such as Labtech)? I edited the base Security Role to only allow HostSessionWithoutConsent on specific groups and have one excluded. This works as expected when going through the web-interface; however, when trying to connect to that same machine through Labtech there is no consent required. I verified that the Security Role is the same for both the individual user as well as the global user that Labtech uses to connect.
 Rank: Administration Medals:  Joined: 5/30/2012(UTC) Posts: 501 Location: Raleigh, NC
Thanks: 56 times Was thanked: 82 time(s) in 68 post(s)
At this time, LabTech does not recognize our role based security options within their solution. This is an enhancement that will likely make it into rev 2 of their integration.

ScreenConnect Team
 Rank: Guest Joined: 12/20/2017(UTC) Posts: 1  Location: NH
Originally Posted by: Mike
At this time, LabTech does not recognize our role based security options within their solution. This is an enhancement that will likely make it into rev 2 of their integration.

This is a bit of an old thread but has Labtech/Automate gotten to the point where it can leverage the role based security options? I was hoping to be able to disable file transfers but only for specific organizations and was hoping to do this with a session group. It works using the ScreenConnect web page but I can still transfer files when accessing the systems through Labtech. Thanks

Edited by user Wednesday, December 20, 2017 6:45:39 PM(UTC) | Reason: Not specified
 Rank: Administration Medals:  Joined: 3/28/2014(UTC) Posts: 2,862  Thanks: 3 times Was thanked: 351 time(s) in 303 post(s)
@jfhall When connecting to a session via LabTech, the permissions granted are hard coded into the extension they use. Basically this means that they cannot be changed at this time. I believe any request to do so would have to go through their Feature Request process.

ScreenConnect Team