I would just like to say that this isn’t the best way to configure remote access for clients. However, for some clients without domains or VPN configurations, or as a temporary measure due to COVID-19, it is an option that you can use.
There are two ways that I’m aware of that you can grant your customers access to their own devices with ConnectWise Automate/Control as a temporary measure to allow clients to remotely connect to their desktops in the office if they need urgent access with COVID-19 causing issues across the globe.
Method 1: Automate Account
Within Automate, you can create a user account for each member of staff at your client (try to segregate clients into separate folders for easier management).
Create a new User Class in System > User Class Manager for your client account. Be sure to grant as few permissions as necessary, and under the ‘Web Extensions’ tab select ConnectWise Control. Be sure the permissions only allow your client access to their own network, and test all permissions before handing over credentials to the client.
Method 2: Control Plugin (Remote Workforce)
Thanks to Quinntin Comer for informing me about this plugin!
Using the Control that’s built-in to Automate, head to https://automateurl.com:8040 and log in with your administrator credentials. Select Admin > Extensions and search for Remote Workforce. Enable the plugin and Control will reload. Now from within Admin > Security expand Internal Users and create users for each of the users that require access.
Tick the machine to assign to the user, then select ‘More’ and ‘Assign Machine’.
Now select the user for the machine and test the account.
Official Article on the Extension Here
Method 3: Control Account (Manual)
Using the Control that’s built-in to Automate, head to https://automateurl.com:8040 and log in with your administrator credentials.
Select Create Session Group and name it (I’d suggest naming it after your client) and add in your arguments for what devices should appear in this view.
I would suggest selecting ‘Show Reference’ to see a list of variables.
For example, if your client has computers named ‘CLIENTPC-1’ to ‘CLIENTPC-10’, you can collect all of these devices by creating a Session Filter similar to:
GuestMachineName LIKE 'CLIENTPC-*'
Now head over to Admin > Security and select Create Role
Be sure to leave the ‘Global Permissions’ blank and under Scoped Permissions select the Session Group that you have just created. Now tick and untick the permissions within these devices that you wish to enable for the client.
As a good practice, I’d recommend removing the following permissions:
- End Session
- Edit Session
- Reinstall Session
- Uninstall Session
- RunSharedToolsInSession (Toolbox)
- TransferFilesInSession (To prevent any malware being uploaded through Control)
Now that you have your Session Group and Roles configured, you can go back to Admin > Security and expand Internal Users and create a user account with the new Role.
As always, be sure to test these permissions before handing any credentials over to clients.
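A name-based Session Filter like the one in Method 3 can pull in machines that belong to someone else, or miss some of the client's own. The following is an added example, not part of ConnectWise or the original post: it models the filter against a constructed inventory and assumes that `*` is the LIKE wildcard and that matching is case-insensitive.

```python
import re

# Constructed inventory: (machine name, owning client). Not real data.
INVENTORY = [
    ("CLIENTPC-1", "Client A"),
    ("CLIENTPC-10", "Client A"),
    ("clientpc-7", "Client A"),
    ("RECEPTION-LAPTOP", "Client A"),
    ("CLIENTPC-OLD-3", "Client B"),
    ("OTHERCO-PC-1", "Client B"),
]


def like_to_regex(pattern):
    """Translate a LIKE pattern with '*' wildcards into an anchored regex.

    Assumption: '*' matches any run of characters and the comparison is
    case-insensitive. A pattern without '*' must match the whole name.
    """
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def audit_scope(pattern, client, inventory=INVENTORY):
    """Compare what the filter would show with what the client owns."""
    rx = like_to_regex(pattern)
    matched = {name for name, _ in inventory if rx.match(name)}
    owned = {name for name, owner in inventory if owner == client}
    return {
        # Machines the client would see but does not own: fix before go-live.
        "overreach": sorted(matched - owned),
        # Client machines the filter fails to include.
        "missed": sorted(owned - matched),
        "in_scope": sorted(matched & owned),
    }


if __name__ == "__main__":
    report = audit_scope("CLIENTPC-*", "Client A")
    for key, names in report.items():
        print(f"{key}: {names}")
```

Anything listed under "overreach" is a machine the client role would be able to reach; tighten the filter or rename the machine before creating the user.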
Rather than sending your clients’ passwords over email, I’d recommend using a service such as onetimesecret.com. If you sign in, One Time Secret will send your clients the email with the password in it, and you can separately send the secure passphrase to decode it.
Method 4: Host Pass
This is probably the easiest, yet the most insecure (and temporary) method. From within Automate, tick the device that you wish to grant your client access to and select ‘Get Host Pass’. Now you can select from a drop-down box of default permission levels and a time for the host pass to expire. The maximum period is 24 hours. Be careful who you provide this to, as the host pass doesn’t require any authentication from Control itself.
Whilst I wouldn’t normally recommend these methods, as I’m always wary of avoiding standard protocol (SSL/L2TP VPNs with 2FA), they can be a quick fix for some clients who don’t have adequate infrastructure. You can also set clients up with 2FA in Control. Please feel free to get in touch if we can help any further!