Support departments are usually the busiest part of the IT team, especially in larger organisations. Challenges can range from something as simple as updates not being installed, or Caps Lock being on when entering a password, to something more demanding. Usually, colleagues need the problem fixed immediately because it is stopping them from doing their tasks. We are not talking about preventative measures here, purely the immediate help from the IT department.
There are solutions that enable the support representative to access a colleague’s desktop remotely and provide the much-needed help. Those solutions have been at the disposal of IT departments for some time. Now, however, Microsoft have produced an app that can be easily deployed via Microsoft Endpoint Manager.
Remote help is now available in public preview from within Endpoint Manager and can be controlled by role-based access controls within Azure AD. This helps you to control who has permission to assist users and what they can do while they are assisting.
What would it solve and how is it different from previous solutions?
To answer both questions: simplicity. It is now possible to deliver the help required through one app. However, as the app is so new, we have found a couple of bugs.
The terms and conditions page in the installer currently does not show much, and during the install process the installer pops up a prompt asking you to confirm whether you want to cancel the install.
But as time goes by, we have no doubt that these small inconsistencies will be addressed by Microsoft, which will create a much smoother experience.
What can this app do?
- Enable remote help for your tenant – If you choose to turn on remote help, its use is enabled tenant-wide.
- Requires organisation login – To use remote help, both the helper and the sharer must sign in with an Azure Active Directory (Azure AD) account from your organisation.
- Use remote help with unenrolled devices – You can choose to allow help to devices that aren't enrolled with Intune.
- Compliance warnings – Before connecting to a device, a helper will see a non-compliance warning about that device if it’s not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session.
- Role-based access control – Admins can set RBAC rules that determine the scope of a helper’s access and what actions they can take while providing assistance. This allows more granular control of the help provided, keeping to the Zero Trust principle of least privilege while still providing the support the user needs.
- Elevation of privilege – When needed, a helper with the correct RBAC permissions can interact with the UAC prompt on the sharer's machine to enter credentials. This option is believed to be safe as all the sessions are recorded and monitored. There is little chance for external intervention here as the UAC prompt remains on the secure desktop.
- Monitor active remote help sessions, and view details about past sessions – In the Microsoft Endpoint Manager admin centre you can view reports that include details about who helped whom, on what device, and for how long. You’ll also find details about active sessions.
Overall, it is a great app. It is not as smooth as it could be, but I am sure the centralised control, combined with the AAD resources it can tap into, will provide great value and save hours of time for busy IT support staff.
We will keep monitoring the app as it develops, and report back on any new or additional features it receives. This is another small step towards the betterment of workflows.