The Remote Management service must be installed on a device for the remote operator to remotely manage the device. The service automatically starts when the managed device boots up. When a remote operator initiates a remote session on the managed device, the service starts the remote session only if the remote operator is authorized to perform remote operations on the managed device.
To prevent unauthorized access to the managed device, the Remote Management service on the managed device uses the following modes of authentication:
In rights-based authentication, rights are assigned to the remote operator to launch a remote session on the managed device. By default, the ZENworks administrator and the super administrator have rights to perform remote operations on all the managed devices regardless of whether the local user or the ZENworks user is logged in to the device.
The remote operator does not need any exclusive rights to perform a remote session on the managed device if no user has logged in to the managed device or if a user has logged in to the managed device but not in to ZENworks. However, the remote operator needs exclusive Remote Management rights to perform the remote operation on the managed device when a ZENworks user has logged in to the device. We strongly recommend that you use the rights-based authentication because it is safe and secure.
Using rights-based authentication requires the ZENworks Adaptive Agent to be installed on the device. Installing only the Remote Management service on the device is not sufficient.
This mode of authentication is not supported when launching remote management operation in the standalone mode or from the command line.
In password-based authentication, the remote operator is prompted to enter a password to launch the remote session on the managed device.
The two types of password authentication schemes used are:
ZENworks Password: This scheme is based on the Secure Remote Password (SRP) protocol (version 6a). The maximum length of a ZENworks password is 255 characters.
VNC Password: This is the traditional VNC password authentication scheme. The maximum length of a VNC password is 8 characters. This password scheme is inherently weak and is provided only for interoperability with the open source components.
If you use password-based authentication, we strongly recommend that you use the ZENworks Password scheme because it is safer and more secure than the VNC Password scheme.
The password schemes operate in the following modes:
Session Mode: The password set in this mode is valid only for the current session. The user on the managed device must set a password at the start of the remote session and communicate the password to the remote operator through out-of-band means such as telephone. When initializing a remote session with the managed device, the remote operator must enter the correct password in the session password dialog box that displays. If the remote operator fails to enter the correct password within two minutes after the dialog box is displayed, then the session closes for security reasons. If you use password-based authentication, we strongly recommend that you use this mode of authentication because the password is valid only for the current session and is not saved on the managed device.
Persistent Mode: In this mode, the password can be set by the administrator through the Remote Management policy or by the managed device user through the ZENworks icon if the
option is selected in the security settings of the Remote Management policy.If the password is set both by the managed device user and in the policy, the password set by the user takes precedence over the password configured in the policy.
The administrator can prevent the managed device user from setting the password and can even reset the password set by the user to ensure that the password configured in the policy is always enforced during authentication. For more information on resetting the password set by the managed device user, see Section 2.5.3, Clearing the Remote Management Password Using ZENworks Control Center.