Remote Assistance
Workspaces includes, thanks to the alliance with AnyDesk, remote assistance tools that allow you to view and take control of the user's session.
Remote assistance is compatible with all types of sessions, such as users on physical devices, VDIs, shared desktops, and even on virtualized application environments. And it supports operating systems such as Windows, Linux (including ChromeOS), and Mac.
Workspaces remote assistance is designed to cover end-user devices, as well as devices without a user in front of them, such as servers or customer service kiosk devices.
Workspaces incorporates an important improvement that allows the support operator to manage all the applications that the user sees, including those that require elevation of permissions, that are launched with 'Run as administrator', or that run under User Account Control (UAC). In addition, all AnyDesk features for session recording, file transfer, and chat are enabled.
Base features
There are two options for remote assistance:
- Interactive remote assistance: intended for end-users. User consent is required.
- Unattended remote assistance: allows unattended access to technical equipment.
Flexxible tools are also included, which allow you to enable administrative tools in remote assistance.
Activation
The activation of remote assistance, as well as the configuration of options that will be available for a device, is done from the reporting group configuration that the device is part of, in Portal.
Although remote assistance uses AnyDesk technology, no traffic is generated from the devices to their servers, which allows it to work even in network environments with traffic filtering to AnyDesk servers.
Remote assistance can be configured to allow interactive or unattended access.
Requirements
For proper operation, remote assistance requires device connectivity to ra.flexxible.com, through port TCP 443.
Interactive remote assistance
To minimize the attack surface, the exploitation of vulnerabilities, and maintain device security, FlexxAgent does not install any additional software, so there is no service or process "listening" for incoming connections. Only the AnyDesk process runs (without installation) in real-time and when requested from Workspaces.
Remote assistance gives support personnel the ability to access the user's session to see what is happening on their screen or take control easily. It is accessible from both the Sessions view and Workspaces and can be executed from the Operations button in the top right of the interface.
Operations -> Remote assistance -> Start remote assistance
At the moment the operator launches the Start remote assistance request, FlexxAgent launches an AnyDesk process (with the user's permissions) on the device and notifies the user with the session ID.
From the support side, an application to access the user session is displayed, which can be downloaded by clicking on Download in the remote assistance window in Workspaces. Once this application is downloaded, it must be executed for the user consent request to be launched.
Note: Once the application to access the remote assistance session is downloaded, it will expire after 15 minutes and will not allow access to the session.
You must wait to obtain user consent:
When remote assistance is accepted, support personnel can take control of the session.
The AnyDesk binary will only be present in the filesystem of the device when remote assistance is requested and will run with the user's permissions, without installation, and will remain active for the duration of the remote assistance session. After the session, the process will be stopped and the binary removed from the filesystem.
Important: The fact that the AnyDesk binary runs without administrative permissions does not prevent access to the administrative tools needed for support delivery. These are offered for remote assistance within the Flexxible tools menu in the top left of the remote assistance window.
Unattended remote assistance
Unattended remote assistance allows access to server-type or self-service kiosk-type devices, where there is no specific user working.
To access the device unattended you must execute the following action:
Operations -> Remote assistance -> Start unattended remote assistance
When the operator performs this action, Workspaces sends the order to FlexxAgent to install a customized AnyDesk service, start it, configure an access password, and inform the operator in the console that the session is now accessible with its respective authentication details:
- Session ID: is the session identifier.
- Password: is a dynamic password that regenerates in each session, it is not recommended to store it.
- Download of the remote assistance access application for the operator: mini-application that allows access to the session for 15 minutes. If access has not been made after that time, it will expire and will not allow control of the device.
Once the access application is started by the support operator, it will be necessary to enter the session password to take control of the device.
As soon as the session is interrupted by closing the remote assistance binary, the service will remain operational for 15 minutes before being automatically uninstalled, preventing access to the device until the action Operations -> Remote assistance -> Start unattended remote assistance is executed again.
Note: After 15 minutes from the end of the unattended remote assistance connection, it will no longer be possible to use the same authentication details or access binary. The customized AnyDesk service will be uninstalled from the device and the session password will have expired.
This mechanism offers on-demand unattended access and preserves device security by not having services "listening" at times when they are not required.
Flexxible tools
Since the AnyDesk binary is run with the user's permission level, it may happen that the user is not a local administrator of the device. To cover these cases, Flexxible tools have been incorporated.
These are a series of functions embedded in the remote assistance application that can be accessed from the top left of the interface.
These tools can be run with administrative permissions of:
- CMD
- PowerShell
- Registry editor
- Task Manager
