Best way to maintain some remote control but not absolute?
- 
 @scottalanmiller said in Best way to maintain some remote control but not absolute?:
 > Getting remote access is always a weird subject. Are you their support or not? If so, you need access, always. If not, their support needs the skills to get you access when it is needed. You need to really determine the goal.

 Yes I am their support as far as break/fix and upgrades. The only other support is their copier guy, and their medical software support people. My issue is that, while I typically do all their support, I don't have any kind of retainer fee or contract or policies regarding maintaining any kind of remote control. Is it typical to create a contract for this for liability reasons? Or just a handshake on "hey I can get in the server whenever I want, cool with you?" If there is a contract for this, I'd like to see a sample or what that might look like. And for that reason, why not give myself access to every workstation in there while I'm at it?
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > I'm not doing the job for free or anything, but I try to avoid telling them that along with their upgraded server that will do the exact same thing as the old one, they now have to make monthly payments to some service they never needed before. Or on the flip side, I don't want to personally make payments for a new tool I may use for them once a year.

 One of the things that we struggle with (we being NTG) is balancing between "this is what the customer does" and "this is what we do." We use and provide ScreenConnect. But lots of customers have their own policies, products, etc. We have an RMM tool, but not many customers on it. We have jump servers, but only with certain customers. It's complicated. I think one thing you have to decide is... are you an MSP (you determine the tools) or are you an ITSP/Consultant (they determine the tools much of the time?)
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > My issue is that, while I typically do all their support, I don't have any kind of retainer fee or contract or policies regarding maintaining any kind of remote control.

 That would actually be weird. People rarely pay a retainer for on call support. Nothing wrong with a retainer, they are great, it's just not common. These aren't factors that people normally consider. If they want you to be their "on call", they need to provide (or allow) access. Plain and simple. I don't see how the rest come into play.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > Is it typical to create a contract for this for liability reasons? Or just a handshake on "hey I can get in the server whenever I want, cool with you?"

 Those aren't the flipsides. No, it's not common to have a contract for liability because the liability is if you decide to do something illegal... in which case the contract is void anyway. And it's not common that you can get on anytime that you want. What is common, more or less, is to have tools in place that you are allowed to use when needed to support them. You still need permission to get on, but permission, not physical allowance.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > If there is a contract for this, I'd like to see a sample or what that might look like. And for that reason, why not give myself access to every workstation in there while I'm at it?

 That's the normal way to work. You have to trust your system admin, you have to, it's the law of security. Microsoft said so. Basically if you are their IT, they have to trust you. If you are not that guy, then someone else is (the owner, maybe.) Nothing wrong with that, but if IT fails, it's his responsibility. You have to decide who is the IT guy, on call or otherwise, and trust them. Ultimately, someone is the system admin here. If they want that to be you, you need access to work. If it isn't, you can wait for the person that is to come up with how they want you to get access while you sit around on the clock.
- 
 I'm definitely not an MSP. I have two clients that I support outside my normal day job. One of them is in the same building as my day job, so they don't bother with remote tools, but if the need arose, they would definitely do it. The second client, I had them purchase the remote tool (they have ScreenConnect) I have my own account in their SC system and have anytime access. But like Scott said, no retainer - they call, I remote in, otherwise I don't touch it. I probably do about 1 hour of work for them on average (though we just blitzed that this year with a global rollout of Windows 10 - 15 computers) and they've had some staff adds, so there's been some workstation setup work. 
 But last year was probably around 15 hours of work the whole year. Was it worth the cost of SC, yep, otherwise I would have charged them at least twice that in drive time.
- 
 @Dashrender make sure that you pass those costs onto the clients, or otherwise you just invested in their business twice. Once in paying for their tools, and again in getting paid to do half as much work! 
- 
 I'm reminded of the situation we have at my work. Our accountant uses TeamViewer to remote in (unattended) to the computer running Quickbooks so they can do payroll and some other stuff. 
 I never liked this arrangement, since they can use that system to pretty much go anywhere in the network once in. They are the ones who needed to use "their" tool TV which I now have to run all the time. I just went along with it since I don't have the time to create a walled-off Quickbooks station just for them. The point being, we have a sort of "contract" and we know they are regularly going to log in.
 In my own case, I'm not doing regular work or maintenance, so there lies the difference between unattended access or not. I guess it's not worth discussing really, the business owner has the option to leave me unattended access or not. But in this case, I would be picking the tool and making sure its use is secure. I would prefer a free option for reasons mentioned already, namely that I probably wouldn't use it but once a year. I also prefer not dealing with dynamic IP and router issues which is something TV avoids. Darn licensing.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > I never liked this arrangement, since they can use that system to pretty much go anywhere in the network once in. They are the ones who needed to use "their" tool TV which I now have to run all the time.

 But their ability to log into other machines would either:
   - Be something that they can do regardless and TV isn't enabling that.
   - Be something that could be locked down but no one is bothering to do?

 In either case, what's wrong with TV being used for that? Or does TV lack the necessary remote access controls to have user permissions? I don't use TV, so I don't know.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > In my own case, I'm not doing regular work or maintenance, so there lies the difference between unattended access or not.

 I must be missing something, I see zero difference. In both cases you "can" access and in both cases you are trusted to "not" access things you are not supposed to. That they log in whenever they feel like working and you do not feels like a red herring to me, I don't see any reason that that is important or relevant.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > I would prefer a free option for reasons mentioned already, namely that I probably wouldn't use it but once a year. I also prefer not dealing with dynamic IP and router issues which is something TV avoids. Darn licensing.

 There is no good, broad free option on the market for some reason. It's one of those gaps that no free tool has managed to fill. Why not? I truly have no idea.
- 
 @scottalanmiller said in Best way to maintain some remote control but not absolute?:
 > @guyinpv said in Best way to maintain some remote control but not absolute?:
 > > In my own case, I'm not doing regular work or maintenance, so there lies the difference between unattended access or not.
 >
 > I must be missing something, I see zero difference. In both cases you "can" access and in both cases you are trusted to "not" access things you are not supposed to. That they log in whenever they feel like working and you do not feels like a red herring to me, I don't see any reason that that is important or relevant.

 If I were a business owner and did not have any kind of agreement or arrangement with a contractor, I simply wouldn't want them leaving their crap on my systems. It doesn't even matter if I'm always calling them for the work, we don't have an agreement for them to store their tools in my shed, hang their hat on my hook, or install their personal support tools on my computers. I've been to homes where I found "support" tools installed by local IT shops and the people didn't even recall any agreement to have such a thing installed in the first place. Maybe they will change their support guy one day without telling me? They aren't smart enough to know the tools I have running, or how to remove them safely. They may even buy a new computer or reload one and have no idea that I need to get my stuff back on there. All of this just makes me think I should have an agreement or contract or at least an understanding, written or not, that I can access things unattended if needs be. Especially when the environment has PCI constraints or HIPAA. I suppose I'm being overly cautious. Doesn't hurt to dig in to these meta-issues sometimes.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > If I were a business owner and did not have any kind of agreement or arrangement with a contractor, I simply wouldn't want them leaving their crap on my systems. It doesn't even matter if I'm always calling them for the work, we don't have an agreement for them to store their tools in my shed, hang their hat on my hook, or install their personal support tools on my computers.

 Well that's not a very smart way to run a business. That's downright foolish, right? The agreement is totally a red herring and the need for cost effective work is what matters. That's just not smart business. But it's up to them, but if that's the case, maybe drop those customers, they aren't likely to be around long if they are that emotionally driven and confused about how business works. Seriously, most SMBs fail quickly, if you can spot those that lack clear business thinking early, you can save yourself a lot of "not getting paid."
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > I've been to homes where I found "support" tools installed by local IT shops and the people didn't even recall any agreement to have such a thing installed in the first place.

 Sure, and lots of those bench shops are scams, and lots of people who use them are idiots who would probably have deployed those tools themselves. Both happen a lot, but don't apply here.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > Maybe they will change their support guy one day without telling me? They aren't smart enough to know the tools I have running, or how to remove them safely. They may even buy a new computer or reload one and have no idea that I need to get my stuff back on there.

 And what if they do? I still don't see the connection. Lots of shops use multiple support people. If they use a competitor, that again seems like a red herring. If you don't access when you are not supposed to, it makes no difference. If they want to cut you off explicitly, they can. Why would they cut you off just because they also use someone else or move to someone else? That doesn't make logical sense. If they can't get your support tools back on there, then you are only as bad off as if they had never been there in the first place, right? And clearly that means that you were not their support person, anyway, since you didn't do the work nor did they consult you.
- 
 @guyinpv said in Best way to maintain some remote control but not absolute?:
 > All of this just makes me think I should have an agreement or contract or at least an understanding, written or not, that I can access things unattended if needs be.

 That's fine if you want to. But just understand... this is all for you because you want to. It's not normal nor needed. All you do is let them know that you want to do it and get the agreement, that's it. Everything else is just for your own personal desires. It doesn't do anything for you legally, nothing for your business relationship, doesn't change how things work, doesn't protect you in any way.
- 
 @scottalanmiller said in Best way to maintain some remote control but not absolute?:
 > @Dashrender make sure that you pass those costs onto the clients, or otherwise you just invested in their business twice. Once in paying for their tools, and again in getting paid to do half as much work!

 I didn't buy the remote access software/suite, they did. So there was no cost to me. Of course in making my life better I also decreased my billing, but I wanted my personal time back more than I wanted to be paid for driving there.
- 
 @scottalanmiller said in Best way to maintain some remote control but not absolute?:
 > Why would they cut you off just because they also use someone else or move to someone else? That doesn't make logical sense.

 What? If they hire someone else to do that job the OP is doing, I would fully expect them to cut the OP off. Of course, the new support person should be doing their investigation to make sure that's the case.

 > If they can't get your support tools back on there, then you are only as bad off as if they had never been there in the first place, right? And clearly that means that you were not their support person, anyway, since you didn't do the work nor did they consult you.

 Absolutely right. If they buy something and don't tell you, it's not suddenly your fault that you can't remotely access that new equipment.
- 
 One of the things I remind my boss of yearly is - the moment you don't trust me, you MUST fire me! I'm completely sincere about this. As the IT person, there is almost nothing you can't do. You could install backdoors, remote access, etc, etc, etc and most SMBs would NEVER have a clue.
 So I wonder, do you not trust yourself to do the right thing? As long as you do, and you're up front and honest with the client, I'm sure they will be fine.
 As for remote access - do what I did - Don't make it your choice. Make it their choice and their bill. If they want the tools to have you work remotely, help them get them set up, but make sure the bill is in their name. You should also create an admin level account, give it to them in a sealed envelope and tell them this is their break glass in case of emergency situation. This is what I do for my client who has remote access.
 I could have set up my own account, put all of their computers into it, sent them a monthly bill for the possible access (talk to @JaredBusch and @hubtechagain - they both do this). You could purchase an RMM (remote machine management) suite that includes things like AV, then you could bill them more. etc etc... This all depends on how involved you want to be.
 But as far as the remote access goes - if they don't want you to have access except when they expressly permit it.. then they could change the password on the account you create in the remote control software themselves every time you are done, then give you the new password the next time they need server, then change, and give and change and give, etc.
- 
 What I've done is use NoMachine and ZeroTier. The NoMachine client gives you access to the current display on the remote system. You get a white board and chat capability and also sound. Bundled with ZeroTier I can do this from anywhere. This doesn't solve the problem of a one off situation, but these were people I was regularly helping. 



