Remote Assistance
Workspaces includes remote assistance tools that allow an operator to access a device and take control of the user's session to resolve issues or make system changes.
The operator can manage all applications visible to the user, including those that require permission elevation, run as Run as administrator, or under User Account Control (UAC).
Main features
- Compatible with user sessions on physical devices, VDIs, shared desktops, and virtualized application environments.
- Works with or without a proxy.
- Supports end user devices and devices without a user present (servers or customer service kiosk-type devices).
- Compatible with Windows.
- Can be used for quick support sessions or as a remote access mechanism to infrastructure (e.g., servers).
Privacy and security
-
To minimize the attack surface, exploit vulnerabilities, and maintain device security, FlexxAgent does not install any additional software, so there is no service "listening" for incoming connections. Only runs (without installation) in real-time and when requested from Workspaces.
-
Audio redirection is disabled by default; this prevents the operator from listening to any conversation when the user is on a video call.
Types of remote assistance
There are three types of remote assistance:
Interactive remote assistance
Interactive remote assistance is aimed at end users. Allows a support operator to access the user's session to see what is happening on their screen or take control easily. This type of assistance requires user consent.
Unattended remote assistance
Unattended remote assistance allows access to server type or self-service kiosk computers, where no specific user is working.
When the operator performs this action, Workspaces sends the order to FlexxAgent to install a custom Flexxible service, start it up, set up an access password, and inform the operator through the console that the session is already accessible with its respective authentication data:
- Session ID. Session identifier.
- Password. Dynamic password that regenerates every session. It's not recommended to store it.
- Download the remote assistance access file for the operator.
Once the access file is activated by the support operator, you will need to enter the session password to take control of the device.
After 15 minutes since the end of the unattended remote assistance connection, it will no longer be possible to reuse the same authentication data or access file. The service will be deactivated from the device and the session password will have expired.
Dynamic remote assistance
Dynamic remote assistance allows an operator to act on a device regardless of whether the user has an active session at that time.
When a dynamic remote assistance is launched, FlexxAgent checks the active sessions on the device; if there is any, it launches the interactive remote assistance process. On the contrary, if there is no user session active, it will trigger the unattended remote assistance process, allowing the operator to access the device to perform maintenance tasks, even using other user accounts to log in, without interfering with the user's session or data.
When a device is configured to receive dynamic remote assistance, the operator will not have the option to launch an unattended remote assistance process on any session of the device from the Sessions
view.
To receive dynamic remote assistance, the device receiving the assistance must have version 24.9.2 or higher of FlexxAgent installed.
Although the reporting group to which the device belongs has been configured to receive dynamic remote assistance, Workspaces will display the three options to start remote assistance: interactive, unattended, and dynamic. In that specific case, the operator will not be able to activate interactive or unattended remote assistance. If attempted, Workspaces will display an error message.
Requirements to perform remote assistance
- The device receiving remote assistance must have FlexxAgent version 23.7 or higher (24.9.2 or higher for dynamic remote assistance).
- Connectivity of the devices to https://ras.flexxible.com, via TCP port 443.
If FlexxAgent restarts during a remote support session, the session will be interrupted.
Settings
For a device to receive remote assistance, it must be configured from the FlexxAgent Settings (Remote Assistance) of its reporting group. From there, you can choose which type of remote assistance devices will have access to.
Activation
Once the configuration is done, from the support side, when you want to activate remote assistance on a device, it should be done from the Workspaces
module, having previously selected the device to be assisted. Level 1
-> Operations
-> Remote Assistance
. And then choose the type of remote assistance to be provided: interactive, unattended, or dynamic.
The remote assistance operation can be activated both from the Sessions
view and from Workspaces
.
When the operator launches the Start remote assistance
request, FlexxAgent initiates a process (with the user's permissions) on the device and notifies the user.
Activation file download
The support operator needs to download an activation file to provide the remote assistance service. The type of file will depend on whether the device providing support has FlexxAgent installed or not.
File for devices with FlexxAgent installed
If the support operator's device has FlexxAgent installed, they should download the Flexxible Remote Assistance file, with the extension ".flxra", and run it by double-clicking on it.
This file will run with the user's permissions, without installation, and will remain active for the duration of the remote assistance session. Once the session is over, the process will be stopped and the file will be automatically deleted from the filesystem.
File for devices without FlexxAgent installed
If the support operator's device does not have FlexxAgent installed, they should download the file with the ".exe" extension and run it by double-clicking on it.
This file will run with the user's permissions, without installation, and will remain active for the duration of the remote assistance session. Once the session is over, the process will be stopped, but the file will not be automatically deleted from the filesystem.
Next, in both cases, the consent request will be sent to the user.
Wait for the user's consent.
Once remote assistance is accepted, the support operator can gain control of the session.
Even if the file is executed without administrative permissions, access is not denied to the administrative tools needed for support delivery. These are in the Flexxible Tools
menu, in the upper left corner of the remote assistance window.
Processes
When the operator downloads the remote assistance file from Workspaces, the following processes will be generated and run automatically:
- FlexxAgent.exe
- FlexxibleRA.exe
Behavior of remote assistance through proxy
From the operator's perspective, the operation is as follows:
- When executing the ".flxra" or ".exe" file, it is checked if the Proxy_Url key exists in the FlexxAgent keys. If yes, it uses it if accessible. Otherwise, the AnyDesk binary is launched with autodetect.
From the end user's perspective, when remote assistance is performed:
-
FlexxAgent will detect if the proxy is configured, if it detects it and is accessible, it uses it. Otherwise, the AnyDesk binary is launched with autodetect.
-
If the proxy configuration registry keys do not exist, it will detect if the operating system has the proxy configured. If it detects it and it is accessible, it uses it. Otherwise, the AnyDesk binary is launched with autodetect.
Flexxible Tools
The remote assistance file runs with the user's permissions; however, they might not have local administrator privileges on the device. To address this scenario, Flexxible Tools has been incorporated.
Flexxible Tools allows the operator to use administrative tools during the session, even if they do not have local administrator privileges on the remote device.
This functionality is available only in interactive remote support, through the menu located in the top left corner of the interface.
These tools can be executed with the following administrative permissions:
- CMD
- PowerShell
- Registry editor
- Task Manager
Settings
If the user has permissions in Portal, Flexxible Tools can be enabled for users by role. This can be done in two ways:
- From
Portal
->Settings
->Organization
-> In the menu,Products
tab: for each product in the list there is aFlexxAgent Configuration
button that allows applying the change to all report groups. - From
Portal
->Configuration
->Reporting Groups
: for one or several reporting groups, functionality can be activated or deactivated.
Flexxible Tools requires that both the operator's device and the assisted device use FlexxAgent from the same environment.