Remote Assistance
Workspaces includes, thanks to the alliance with AnyDesk, remote assistance tools that allow viewing and taking control of the user's session.
Remote assistance is compatible with all types of sessions, such as users on physical devices, VDIs, shared desktops, and even in virtualized application environments. It supports operating systems such as Windows, Linux (including ChromeOS), and Mac.
Remote assistance for Workspaces is designed to cover end-user devices as well as devices that do not have a user in front of them, such as servers or customer service kiosk-type devices.
Workspaces incorporates a significant improvement that allows the support operator to manage all the applications the user sees, including those that require elevation of permissions, which are launched with 'Run as administrator' or that run under User Account Control (UAC). Additionally, all AnyDesk functionalities for session recording, file transfer, and chat are activated.
Main functions
There are two options for remote assistance:
- Interactive remote assistance: aimed at end users. Requires user consent.
- Unattended remote assistance: allows unattended access to technical equipment.
The Flexxible Tools are also included, which allow administrative tools to be activated in remote assistance.
Activation
The activation of remote assistance, as well as the configuration of options that will be available for a device, is carried out from the configuration of the reporting group to which that device belongs, in Portal.
Although remote assistance uses AnyDesk technology, no traffic is generated from the devices to their servers, which allows it to work even in network environments with traffic filtering to AnyDesk servers.
Remote assistance can be configured to allow interactive or unattended access.
Requirements
To function properly, remote assistance requires device connectivity to ra.flexxible.com via TCP port 443.
Additional considerations
When the operator downloads the remote assistance file from Workspaces, it will generate the following processes:
- FlxRA_xxxx: the file downloaded from the web
- FlexxibleRemoteAssistance_xxxx: is the process responsible for initiating the remote assistance connection.
On the user's device, an AnyDesk.exe process will be generated that runs automatically when requesting remote assistance.
Interactive remote assistance
To minimize the attack surface, vulnerability exploitation, and maintain device security, FlexxAgent does not install any additional software, so there is no service or process "listening" for incoming connections. The AnyDesk process only runs (without installation) in real-time when requested from Workspaces.
Remote assistance allows support staff to access the user's session to see what is happening on their screen or take control easily. It is accessible from both the Sessions view and Workspaces and can be executed from the Operations button in the top right of the interface.
Operations -> Remote assistance -> Start remote assistance
When the operator initiates the Start remote assistance request, FlexxAgent launches an AnyDesk process (with user permissions) on the device and notifies the user with the session ID.
From the support side, an application is displayed to access the user's session, which can be downloaded by clicking Download from the remote assistance window in Workspaces. Once downloaded, this application must be executed to send the consent request to the user.
Note: the session access application for remote assistance expires after 15 minutes.
The user's consent must be awaited:
From the acceptance of remote assistance, the support staff can take control of the session.
The AnyDesk binary will only be present on the device’s filesystem when remote assistance is requested and will run with the user's permissions, without installation, and will remain active for the duration of the remote assistance session. Once the session ends, the process will be stopped, and the binary deleted from the filesystem.
Important: the fact that the Anydesk binary executes without administrative permissions does not prevent access to the administrative tools necessary for support delivery. These are offered for remote assistance within the Flexxible Tools menu at the top left of the remote assistance window.
Unattended Remote Assistance
Unattended remote assistance allows access to server-type or self-service kiosk devices, where there is no specific user working.
To access the device unattended, the following action must be performed:
Operations -> Remote assistance -> Start unattended remote assistance
When the operator performs this action, Workspaces sends the order to FlexxAgent to install a custom AnyDesk service, start it, configure an access password, and inform the operator via the console that the session is now accessible with the respective authentication data:
- Session ID: is the session identifier.
- Password: is a dynamic password that regenerates in each session; it is not recommended to store it.
- Download the remote assistance access application for the operator: a mini-application that allows access to the session for 15 minutes. If access is not made within that time, it will expire and will not allow control of the device.
Once the access application has been started by the support operator, it will be necessary to enter the session password to take control of the device.
As soon as the session is interrupted by closing the remote assistance binary, the service will remain operational for 15 minutes before being automatically uninstalled, preventing access to the device until the action Operations -> Remote assistance -> Start unattended remote assistance is executed again.
Note: 15 minutes after the unattended remote assistance connection ends, it will no longer be possible to use the same authentication data or access binary again. The custom AnyDesk service will be uninstalled from the device and the session password will have expired.
This mechanism offers unattended access on demand and preserves the security of devices by not having services "listening" at times when they are not required.
Flexxible Tools
Since the AnyDesk binary is executed with the user's permission level, it may happen that the user is not a local administrator of the device. To cover these cases, the Flexxible Tools have been incorporated.
This is a series of functions embedded in the remote assistance application that can be accessed from the top left part of the interface.
These tools can be executed with the following administrative permissions:
- CMD
- PowerShell
- Registry Editor
- Task Manager
If the user has permissions in the Portal, the Flexxible Tools can be activated for users by role. This can be done in two ways:
- From
Portal->Configuration->Products: for each product in the list, there is anAgent Configurationbutton, which allows applying the change for all reporting groups. - From
Portal->Configuration->Reporting Groups: allows the functionality to be activated or deactivated for ONLY one or several reporting groups.