Remote Assistance
Workspaces includes remote assistance tools so that an operator can efficiently access a device and take control of the user's session to solve problems and make system changes.
The operator can manage all the applications the user sees, including those requiring elevated permissions, launched with Run as administrator or executed under User Account Control (UAC).
Features
- It supports all types of sessions, such as users on physical devices, VDIs, shared desktops, and even in virtualized application environments.
- Remote assistance works with or without a proxy.
- It is designed to cover end-user devices and devices that do not have a user in front of them, like servers or kiosk-type customer service devices.
- It supports devices running Windows as an operating system.
- Thanks to its configuration options, it can be used for quick remote assistance sessions with users and as a remote access mechanism to infrastructure devices, like servers.
To minimize the attack surface, exploit vulnerabilities, and maintain device security, FlexxAgent does not install any additional software, so there is no service "listening" for incoming connections. The process runs only (without installation) in real-time when requested from Workspaces.
Types of remote assistance
There are three types of remote assistance:
Interactive remote assistance
Interactive remote assistance is aimed at end users. Allows a support operator to access the user's session to see what is happening on their screen or take control easily. This type of assistance requires user consent.
Unattended remote assistance
Unattended remote assistance allows access to server type or self-service kiosk computers, where no specific user is working.
When the operator performs this action, Workspaces sends the order to FlexxAgent to install a custom Flexxible service, start it up, set up an access password, and inform the operator through the console that the session is already accessible with its respective authentication data:
- Session ID: session identifier.
- Password: dynamic password that regenerates with each session, it is not recommended to store it.
- Download the remote assistance access file for the operator.
Once the access file has been activated by the support operator, it will be necessary to enter the session password to take control of the device.
After 15 minutes since the end of the unattended remote assistance connection, it will no longer be possible to reuse the same authentication data or access file. The service will be deactivated from the device, and the session password will have expired.
Dynamic Remote Assistance
Dynamic remote assistance allows an operator to act on a device regardless of whether the user has a session at that time.
When a dynamic remote assistance is launched, FlexxAgent checks the active sessions on the device; if there is any, it launches the interactive remote assistance process. On the contrary, if there is no user session active, it will trigger the unattended remote assistance process, allowing the operator to access the device to perform maintenance tasks, even using other user accounts to log in, without interfering with the user's session or data.
To receive dynamic remote assistance, the device receiving the assistance must have version 24.9.2 or higher of FlexxAgent installed.
Although the reporting group to which the device belongs has been configured to receive dynamic remote assistance, Workspaces will display the three options to start remote assistance: interactive, unattended, and dynamic. In that specific case, the operator will not be able to activate interactive or unattended remote assistance. If attempted, Workspaces will display an error message.
Requirements to perform remote assistance
- The device receiving remote assistance must have FlexxAgent 23.7 or higher installed (24.9.2 or higher for dynamic remote assistance).
- Device connectivity to ras.flexxible.com, through TCP port 443.
Settings
For a device to receive remote assistance, it must be configured from the FlexxAgent Settings (Remote Assistance) of its reporting group. From there, you can choose which type of remote assistance devices will have access to.
Activation
Once the configuration is done, from the support side, when you want to activate remote assistance on a device, it should be done from the Workspaces module, having previously selected the device to be assisted. Level 1 -> Operations -> Remote Assistance. And then choose the type of remote assistance to be provided: interactive, unattended, or dynamic.
The remote assistance operation can be activated both from the Sessions view and from Workspaces.
When the operator launches the Start remote assistance request, FlexxAgent initiates a process (with the user's permissions) on the device and notifies the user.
Activation file download
The support operator needs to download an activation file to provide the remote assistance service. The type of file will depend on whether the support device has FlexxAgent installed or not.
File for devices with FlexxAgent installed
If the support operator's device has FlexxAgent installed, they should download the Flexxible Remote Assistance file, with the extension ".flxra", and run it by double-clicking on it.
This file will run with the user's permissions, without installation, and will remain active for the duration of the remote assistance session. Once the session is over, the process will be stopped and the file will be automatically deleted from the filesystem.
File for devices without FlexxAgent installed
If the support operator's device does not have FlexxAgent installed, they should download the file with the ".exe" extension and run it by double-clicking on it.
This file will run with the user's permissions, without installation, and will remain active for the duration of the remote assistance session. Once the session is over, the process will be stopped, but the file will not be automatically deleted from the filesystem.
Next, in both cases, the consent request will be sent to the user.
Wait for the user's consent.
Once remote assistance is accepted, the support operator can gain control of the session.
The fact that the file runs without administrative permissions does not prevent access to the necessary administrative tools for providing support. These are offered for remote assistance within the Flexxible Tools menu at the top left of the remote assistance window.
Processes
When the operator downloads the remote assistance file from Workspaces, the following processes are generated, which run automatically.
- FlexxAgent.exe
- FlexxibleRA.exe
Behavior of remote assistance through proxy
From the operator's perspective, the operation is as follows:
- When executing the ".flxra" or ".exe" file, it is checked if the Proxy_Url key exists in the FlexxAgent keys. If yes, it uses it if accessible. Otherwise, the AnyDesk binary is launched with autodetect.
From the end user's perspective, when remote assistance is performed:
-
FlexxAgent will detect if the proxy is configured, if it detects it and is accessible, it uses it. Otherwise, the AnyDesk binary is launched with autodetect.
-
If the proxy configuration registry keys do not exist, it will detect if the operating system has the proxy configured. If it detects it and it is accessible, it uses it. Otherwise, the AnyDesk binary is launched with autodetect.
Flexxible Tools
Since the remote assistance file is executed with the user's permission level, it may happen that the user is not a local administrator of the device. To cover these cases, Flexxible Tools have been incorporated.
Flexxible Tools allows activation of administrative tools in remote assistance. These are a series of functions embedded in the remote assistance application that can be accessed from the top left of the interface.
These tools can be executed with the following administrative permissions:
- CMD
- PowerShell
- Registry editor
- Task Manager
If the user has permissions in Portal, Flexxible Tools can be activated for users by role. This can be done in two ways:
- From
Portal->Configuration->Products: for each product in the list, there is aFlexxAgent Configurationbutton that allows applying the change to all reporting groups. - From
Portal->Configuration->Reporting Groups: for one or several reporting groups, functionality can be activated or deactivated.