Enabling External Devices Management
For Goverlan to manage computers over the internet, you must implement a Goverlan Reach Server within your organization, and enable the Gateway services.
Once the Goverlan Reach Gateway Services infrastructure is implemented, Goverlan operators can remotely manage computers over the internet in unattended, or on-demand modes.
The unattended mode allows privileged access and management of an endpoint without end-user interaction. The remote computer can also be managed if no user is logged-in to the machine.
For a computer to be manageable over the internet in unattended mode, it must be equipped with the with the Goverlan Client Agent as a service (see Goverlan Client Agent Deployment and Management.)
Once an external endpoint is equipped with the Goverlan Client Agent, this one registers to the Goverlan Gateway under the organization ID provided. It is then accessible via the External Devices area of the Goverlan Reach operator console.
Pre-requisites for Standalone Computers:
You must have the local admin credentials of the target system. You may enter them in the Goverlan Credential Manager to store them for later use.
Remote UAC must be disabled. You will need to add the following registry change to the remote system.
LocalAccountTokenFilterPolicy DWORD Value = 1
For more information on Remote UAC please see this MS Article:
Mobile users within your company, using laptops equipped with the Goverlan Client Agents automatically monitor whether they are connected to the private network (either directly or via a VPN), or if they are connected to a public network. In the latter case, they register themselves to the Gateway server for unattended management.
On-demand assistance allows an operator to temporarily assist any user over the internet. The operator sends an assistance request to the user, this one accepts it and grants temporary access to the computer. This mode is explained later in this article.
Accessing Unattended External Computers
An operator can gain access to an unattended external computer either by name or by browsing the External Devices section of the My Devices panel:
External computer nodes are organized by folders defined by the organization name assigned to the computer as well as by any Active Directory hierarchy of remote client sites.
The External Devices area can be browsed, searched and used to configure the alternate credentials to access machines.
Browsing the External Devices area
To browse the External Devices area, simply double click on any organization container to disclose the sub-containers or the computers it holds.
The folder hierarchy is defined by each node’s organization name configured in the Goverlan Reach Gateway services (or individually via the Goverlan Client Agent control panel applet), and the AD path of the computer if this one belongs to an active directory.
The active/offline status of a node is indicated via its computer icon. Offline nodes cannot be managed as they are either Powered OFF or may be back on the private network (in case of traveling corporate users).
Searching for External Devices
You can easily access an external computer by searching for it. External device searches can be executed whenever a computer name is prompted in Goverlan, or within the External Devices area.
Searching within the External Devices Area
Right-click the parent container to search and select the Search feature:
Enter a partial node name including wildcard (*) before or after the search string to view all External Devices matching your search criteria within the selected container.
Searching during a Computer Name Prompt
Whenever Goverlan prompts for a computer name, you can execute a search against external devices by specifying the prefix REACH: followed by the node name or search string. The REACH: prefix indicates to Goverlan that the computer is outside of your private network, and the connection must go through the gateway services.
For instance, to open a remote control session to the external computer named SOME-OUTMAC-001, you can type:
The connection string above assumes that SOME-OUTMAC-001 is registered at the root of the External Devices Area. However, most computers will use an organization name or their local Active Directory Domain information to register themselves.
If the exact path or name of a computer is not known, use the * wildcard character in the connect string.
For instance, enter REACH: SOME-OUTMAC-001* and a search for SOME-OUTMAC-001 will be initiated, irrespective of its location within the External Devices Area.
Other search examples:
|REACH:*||Returns the entire repository|
|REACH:CLIENT-ORG/*||Returns all machines registered in the
|REACH:Domain Controllers*||Returns all machines registered in any Active Directory container titled Domain Controllers across all client sites.|
Configuring External Devices Credentials
The access and management of an external computer in unattended mode requires proper authentication and authorization. By default, Goverlan uses the technician’s credentials to authenticate against the remote endpoint. If this fails, alternate credentials are prompted.
The alternate credentials specified must hold local administrative privileges to initiate a remote control session or perform management tasks on a remote endpoint.
You can specify alternate credentials on a per-machine basis; however if a common local administrator’s account is available on machines that belong to the same container, you can also pre-configure credentials at the container level.
To configure per-machine credentials you can either:
- Initiate a management action on the remote machine and wait for the Goverlan credentials prompt.
- Configure the credentials the first time you connect to the machine:
Once the credentials have been configured, they are reused for subsequent connections to the same machine. These credentials can be modified or removed via the Credentials Manager.
Credentials for a scope of machines can be configured on any of the parent containers. Right-click on an External Devices Area container and select Configure Credentials for this Realm:
Specify the credentials to be used for all the nodes that belong to this realm. Make sure to indicate the proper authority in your credentials.
- For a local account, use the machine name or ‘.’ (for example: .\Administrator)
- For a domain account, use the domain name (for example XYZCORP\Administrator)
On-demand access provides instant remote management services of any computer over the internet.
Initiating an On-Demand assistance session is straight-forward:
- Send an On-Demand request to any remote user
- The remote user accepts the request and generates a session ID
- Enter the session ID in the Goverlan Operator Console and connect
Initiating an On-Demand Session
Operator Side > Starting an On-Demand Session
On-demand sessions are started using the On-Demand Assist side panel inside the Goverlan Reach operator console (both main console and the remote control console):
Click on the Send a request to start the process.
A request can be sent in two formats:
- Generate a client email – Automatically launches your default email client with a template that includes the web link that the remote user must click on to start the session.
- Copy Web-link to clipboard – Copy the web link to your clipboard. This is useful if you are in a live chat with the remote user or want to generate a customized email request.
Enable Permanent Install Mode: Enable this option to generate a client support package that exposes the Authorize permanent access option to the remote user. Permanent installations will make the node available for both attended and unattended support session.
End User Side > Accepting an On-Demand Session
Once the end user receives the assistance request and clicks on the provided web link, he/she will be instructed to download and start the Goverlan Client Assistance program.
Once this is opened, the user is prompted to start the support session:
Once the user starts the support session, they are presented with a Session ID:
As a best practice, your Goverlan Reach Gateway public facing address should be configured with a TLS identity certificate. Service identity validation is then confirmed to the end user. The user can click on the “Server identify verified” link to display certificate information. If your Gateway public facing address is not configured with an identity certificate, the Session ID window will turn red as follows:
Operator Side > Connecting the Session
Once the session ID is received, the Operator enters it in the On-Demand Assist panel and clicks on the Connect button. This actively starts the remote assistance session.
The session ID then appears within the On-Demand Assist panel. Click on a connected session button to disclose the available management features:
Ending a Support Session
Upon first connection with the remote client, the user sees the following screen:
To end a support session, the remote user must click on the End Support Session button.
Once the user terminates the session, the option to keep or remove the Reach Session Starter is presented:
Selecting Yes generates a shortcut on the user’s desktop that can be used at any time to re-open a support session.
Reviewing Operator Actions
During an On-Demand Assist session, all Operator actions are audited and logged. By default, these audits are recorded in the local machine’s Application log of the Event Viewer. However, the user can choose to review these actions by selecting the Review support actions upon exit option. This option must be enabled before clicking on End Support Session.