MFA Issues with ConnectWise/ScreenConnect 6.3

We currently run our ScreenConnect Server & Client 6.3.13446.6374 environment on-premise, with Google Multi Factor Authentication. When we log into the ScreenConnect web portal, we are presented with the MFA validation, which includes an option "Trust this device", allowing the user's browser not to re-authenticate with MFA for 30 days, as per ConnectWise documentation:

https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Administration_page/Security_page/Enable_two-factor_authentication_for_host_accounts

However, when we set up our ScreenConnect remote sessions with Remote Desktop Manager Enterprise 13.0.12.0 (BETA), we need to select "Use One Time Password" for each ScreenConnect object, and also use MFA each time we open one of the ScreenConnect connections.

Can you please build in an option for RDM to use "Trust this device" for MFA, so the queries can be suppressed for 30 days from trusted devices (Admin's RDM Client)?

i.e. In RDM we set all ScreenConnect settings to MFA / "Use One Time Password", and it asks for code. Then doesn't ask for code for 30 days until the ScreenConnect server re-prompts, which asks user for new code again.

Additionally, the ScreenConnect Synchroniser does not have an MFA / "Use One Time Password", so it can't sync MFA protected web portal / clients.

10 mths

Hello Miles,

I just transferred the post to the feature requests section.

Best regards,



David Grandolfo

10 mths

Hi again Miles,

I just talked with the engineering department and they said that we will try to implement this feature, depending on how the integration between RDM and ScreenConnect works and whether it's possible.

We will reply after this verification.

Best regards,



David Grandolfo

10 mths

Thanks David,

Also, the ScreenConnect Synchroniser does not have an MFA / "Use One Time Password", so it can't sync MFA protected web portal / clients at all.

10 mths

Hi Miles,

Thanks for the information. I transferred this to the engineering department too.

Best regards,



David Grandolfo

10 mths

Hi David,

Were you able to get any feedback from engineering?

Kind regards,

9 mths

Hi Miles,

After a chat with the engineering department, they added a Use One Time Password option in the ConnectWise Control Synchronizer. Unfortunately, for the MFA option we weren't able to find a solution yet. We are still working on this.

Best regards,



David Grandolfo

9 mths

Hi David,

I've just installed 13.0.15.0 and noticed the ConnectWise Control Synchroniser now has the option for Use One Time Password - Awesome. However, when I set up the synchroniser, the OTP option is greyed out, I cannot seem to enable it, and ScreenConnect authentication still fails.

Our admins save their credentials in their private vaults and link them to Devolutions / RDM entries using the "User Specific Settings", and all our shared objects in the main navigation window use inherited credentials for authentication. In this configuration, I would expect the ScreenConnect synchroniser to authenticate with the credentials of the admin user who initiates the sync, and they would need to add their own OTP for the 2FA process.

However, as I can't enable the OTP, the MFA doesn't prompt.

Please let me know if I'm using it incorrectly, or you need additional information about our setup / configuration.

Regards.

9 mths

Our main Devolutions servers are 4.7.1.0 running on RDM 13.0.6.0. Do I need to upgrade these to 13.0.15.0 before the options are available?

9 mths

Hi Miles,

The Use One Time Password option can be activated when Synchronize Automatically is not checked.

And the way you are looking to configure it looks fine; please let me know if you have any issues with this setup.

Best regards,



David Grandolfo

9 mths

Hi David,

Yes, disabling auto sync allowed the Use One Time Password option - that makes logical sense.

I was able to sync a large number of servers manually with OTP into a test folder; however, I noticed it injected my username and password into every ScreenConnect client - the Sync and other sessions use Inherited credentials in the shared datasource.

How can I prevent saving my username / password in new entries? Do I need to create a new ScreenConnect template and link it in the Synchroniser?

Have the Devs had success with "Trust This Device" the 30 day OTP session?

https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Administration_page/Security_page/Enable_two-factor_authentication_for_host_accounts

Kind regards,
Miles

9 mths

Hi Miles,

I had a chat with the engineering department and, regarding the password, that configuration has been built to be "easier" to manage. They told me that they added this feature to their to-do list.

And concerning the 30-day OTP, they are still working on it.

Best regards,



David Grandolfo

9 mths

Hi David,

Is there a way to disable adding my username / password into all objects synchronised? It leaks my credentials to the rest of the team - this is not easier.


Thanks for the update, happy to help test 30-day OTP when available.

Regards.

9 mths

Hi Miles,

The username and password function isn't yet implemented in RDM. The good news is that the engineering department added this feature to their TODO list.

Best regards,



David Grandolfo

9 mths

Hi David,

Any update on 30-Day OTP accept for ScreenConnect sessions?

Regards.

8 mths

Hello,

Unfortunately we haven't had more time to look into supporting this. It's not as easy as it may seem.

Regards,

Hubert Mireault

8 mths

Hi Hubert,

Do you have any update on the OTP, please?

Regards.

8 mths

Hello Miles,

We'll bump up the priority for the issue. I apologize for the delays.

Regards,

Hubert Mireault

7 mths

Hi Miles,

Good news: since RDM 13.5.7 we have a check box, "Use Sync credentials in created entries", which will give you the possibility to save or not save your credentials in the sync entries.

Best regards,



David Grandolfo

7 mths

Hello,

The good news is that we figured out how to implement the "trust this device" functionality. It will be an option in each ConnectWise entry (right next to the "use one time password").
This will be available in the next RDM beta. When it's out, it would be appreciated if you could give us some feedback on the feature.

Regards,

Hubert Mireault

6 mths

Awesome Hubert, what version should I be looking for?

I can get one of our admins to thoroughly test it on our 6.6.18120.6697 environment.

6 mths

Hello Miles,

You can try out the feature in our latest beta, RDM 13.5.13.0. It's currently available for download on our website.

Regards,

Hubert Mireault

6 mths