TeamViewer Integration

Integrating Jamf Pro with TeamViewer, a fast and secure all-in-one solution for gaining access to computers and networks remotely, allows you to establish a remote screen-sharing connection between a Jamf Pro administrator and an end user's computer. For information on establishing a remote administration session using Jamf Pro and TeamViewer, see Screen Sharing Using TeamViewer.

TeamViewer uses the following network ports for connections:

  • 5938—This is the primary port. Your firewall settings should allow this at a minimum.

  • 443—This is used if TeamViewer cannot connect over port 5938. Selected TeamViewer processes (e.g., update checks) and custom modules created in the TeamViewer Management Console also use port 443.

  • 80—This is used if TeamViewer cannot connect over port 5938 or 443.

    Note: The connection speed over port 80 is slower and less reliable than ports 5938 or 443. There is no automatic reconnection if the connection is temporarily lost.

TeamViewer integration is site specific. This means Jamf Pro allows you to add one configuration per site. If there are no sites in your environment, you can add a TeamViewer configuration in the full context of your Jamf Pro instance.

Adding a New TeamViewer Configuration

Requirements

  • TeamViewer account with administrative privileges

  • A Jamf Pro user account with Remote Administration privileges

  • A script token for Jamf Pro configured in TeamViewer

  • To send Self Service notifications, you must configure them in the Interaction section of the Self Service settings in Jamf Pro. For more information, see Jamf Self Service for macOS Notifications.

Procedure

  1. Log in to the TeamViewer Management Console with your management account and do one of the following:

    • To retrieve a script token, navigate to Edit profile > Apps. Your token must include the "Create, view and edit all sessions" session management privilege.

    • To create a token, do the following:

      1. In the top-right corner of the TeamViewer Management Console, open your profile settings.

      2. Click Apps.

      3. Click Create script token.

      4. Add the name and description for the token.

      5. From the Session management pop-up menu, choose Create, view and edit all sessions.

      6. Click Save.

    Note: To avoid potential issues with an inaccessible account, it is recommended to create the script token using a general TeamViewer account (e.g., support@yourcompany.com). Do not link the script token to a specific administrator.

  2. In a separate web browser window, log in to Jamf Pro.

  3. In the top-right corner of the page, click Settings.

  4. Click Global Management.

  5. Click Remote Administration.

  6. Click New.

  7. Follow the onscreen instructions to add a TeamViewer configuration. Consider the following:

    • The configuration is site specific. If your environment includes sites and you are logged in as a Jamf Pro Site full administrator, you must select a site for your configuration or add a configuration in the full context of your Jamf Pro instance. For site administrators, the site is automatically assigned.

    • The Maximum Session Time setting allows you to control the session duration. It defaults to 15 minutes with a minimum value of 1 minute and a maximum value of 1440 minutes. It is recommended to use the minimum value greater than 5 minutes. Meetings started during a session are not terminated when the session times out.

  8. Click Complete.

Saving the configuration triggers automatic connection verification. The verification process must succeed before you can use the configuration.

Granting Necessary Privacy Permissions

To conduct a TeamViewer session, the TeamViewer application requires the following Privacy permissions on a remote computer:

  • Accessibility—This is required to run scripts and system commands.

  • Full Disk Access—This is required for File Transfer and certain administrative settings for all users on a computer.

  • Screen Recording—This allows the session supporter to see the end user's screen.

Users with administrator privileges can grant the permissions manually. Users without administrator privileges may not be able to grant those permissions manually as an end user workflow.

Note: Permissions granted by an administrator are granted to all users on the computer. For more information, see Change Privacy preferences on Mac in Apple's macOS User Guide.

You can grant the necessary Privacy permissions via a configuration profile with the Privacy Preferences Policy Control payload:

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Configuration Profiles.

  4. Click New.

  5. Use the General payload to configure basic settings.

  6. Configure the Privacy Preferences Policy Control payload:

    1. In the Identifier field, enter com.teamviewer.TeamViewerQS.

    2. From the Identifier type pop-up menu, choose Bundle ID.

    3. In the Code Requirement field, enter the following code:
      anchor apple generic and identifier "com.teamviewer.TeamViewerQS" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

    4. In the App or Service table, add the following:

      1. Accessibility with the value Allow—This will grant the Accessibility permission.

      2. SystemPolicyAllFiles with the value Allow—This will grant the Full Disk Access permission.

      3. (Optional, computers with macOS 11 or later only) ScreenCapture with the value Allow Standard Users to Allow Access—This will grant the Screen Recording permission. Users without administrator privileges must decide if TeamViewer can share the screen.

        Important: Attempting to deploy the configuration profile with the ScreenCapture setting to computers with macOS 10.15.7 or earlier will cause the profile installation to fail.

  7. Click the Scope tab and configure the scope of the profile.

  8. (Optional) If you chose to make the profile available in Self Service, click the Self Service tab to configure Self Service settings for the profile.

  9. Click Save.

The profile is distributed to the deployment targets in the scope the next time they contact Jamf Pro.

The procedure includes TeamViewer QuickSupport as the application for remote administration. Use the following identifiers and code requirements for the respective TeamViewer applications:

  • Application: TeamViewer QuickSupport

    Identifier: com.teamviewer.TeamViewerQS

    Code Requirement: anchor apple generic and identifier "com.teamviewer.TeamViewerQS" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

  • Application: TeamViewer Full normal and TeamViewer Full start as service

    Identifier: com.teamviewer.TeamViewer

    Code Requirement: anchor apple generic and identifier "com.teamviewer.TeamViewer" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

  • Application: TeamViewer Host

    Identifier: com.teamviewer.TeamViewerHost

    Code Requirement: anchor apple generic and identifier "com.teamviewer.TeamViewerHost" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)
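The Privacy Preferences Policy Control settings from the procedure and the identifier list above can also be written out as a raw configuration profile. The following is an added example, not code from Jamf or TeamViewer: the payload keys are Apple's TCC profile keys, while the mapping of the Jamf Pro values onto them, the `com.example` prefix, and the function names are assumptions made for illustration.

```python
import plistlib
import uuid

# Code requirement template copied from this page; only the bundle ID varies.
REQ = ('anchor apple generic and identifier "{bid}" and '
       '(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
       'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
       'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
       'certificate leaf[subject.OU] = H7UGFBUGV6)')


def code_requirement(bundle_id):
    return REQ.format(bid=bundle_id)


def tcc_services(bundle_id, macos_major):
    """Services dict for the com.apple.TCC.configuration-profile-policy payload."""
    base = {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "CodeRequirement": code_requirement(bundle_id)}
    services = {
        # Assumption: the "Allow" value maps to the boolean Allowed key.
        "Accessibility": [dict(base, Allowed=True)],
        "SystemPolicyAllFiles": [dict(base, Allowed=True)],
    }
    # ScreenCapture is only valid on macOS 11 or later; including it on
    # macOS 10.15.7 or earlier makes the profile installation fail.
    if macos_major >= 11:
        services["ScreenCapture"] = [
            dict(base, Authorization="AllowStandardUserToSetSystemService")]
    return services


def build_profile(bundle_id, macos_major, org_prefix="com.example"):
    """Return .mobileconfig bytes; org_prefix is a placeholder identifier."""
    tcc = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org_prefix}.pppc.{bundle_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": tcc_services(bundle_id, macos_major),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": f"PPPC for {bundle_id}",
        "PayloadIdentifier": f"{org_prefix}.profile.{bundle_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [tcc],
    }
    return plistlib.dumps(profile)
```

Building one profile per macOS version group keeps the ScreenCapture entry out of the scope that includes computers with macOS 10.15.7 or earlier.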

Deploying the TeamViewer Application Using Jamf Pro

You can deploy the TeamViewer application to a remote computer and install it silently. The following procedure describes how to install TeamViewer Host.

Requirements

  • TeamViewer with the Corporate or higher subscription plan

  • Composer or another package-building tool installed on your computer. For information on building packages using Composer, see the Composer User Guide.

Procedure

  1. Download the TeamViewer PKG:

    1. Log in to the TeamViewer Management Console.

    2. From Design & Deploy, click Download installer and choose PKG (Host & Full Client for macOS).

    3. From the downloaded archive, extract the TeamViewer_Host PKG.

  2. Prepare the choices.xml file using the editor of your choice:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <array>
        <dict>
            <key>attributeSetting</key>
            <integer>1</integer>
            <key>choiceAttribute</key>
            <string>selected</string>
            <key>choiceIdentifier</key>
            <string>com.teamviewer.teamviewerSilentInstaller</string>
        </dict>
    </array>
    </plist>

  3. Using Composer or another package-building tool, combine the TeamViewer_Host PKG you extracted in step 1 and choices.xml into the TeamViewer-files DMG. Configure Composer to install the files to an easily accessible location (e.g., /Users/Shared). You will use this location path in the installer script.

  4. Add the package created in step 3 to Jamf Pro. For more information, see Package Management.

  5. Add the following installer script to Jamf Pro:

    #!/bin/bash

    # Install TeamViewer Host silently, applying the choice changes from choices.xml.
    sudo installer -applyChoiceChangesXML "/Users/Shared/choices.xml" -pkg "/Users/Shared/TeamViewer_Host.pkg" -target /

    For instructions, see the "Adding a Script to Jamf Pro" section in Scripts.

  6. Create a policy to install TeamViewer using the DMG from step 3 and the installer script. Ensure the following:

    • The Fill Existing User Directories (FEU) checkbox is selected in the Packages payload.

    • The Priority is set to After in the Scripts payload.

For detailed instructions, see Policy Management.

The policy will run on computers in the scope the next time they check in with Jamf Pro and meet the criteria in the General payload.

Related Information

For related information, see documentation resources from TeamViewer.

© copyright 2002-2021 Jamf. All rights reserved.