ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Best way to maintain some remote control but not absolute?

    Scheduled Pinned Locked Moved IT Discussion
    101 Posts 8 Posters 14.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stacksofplatesS
      stacksofplates @scottalanmiller
      last edited by

      @scottalanmiller said in Best way to maintain some remote control but not absolute?:

      @stacksofplates said in Best way to maintain some remote control but not absolute?:

      What I've done is use NoMachine and ZeroTier. The NoMachine client gives you access to the current display on the remote system. You get a white board and chat capability and also sound. Bundled with ZeroTier I can do this from anywhere. This doesn't solve the problem of a one off situation, but these were people I was regularly helping.

      NX on jump stations and a jump station network thanks to ZT? Or am I picturing this incorrectly?

      No, I have NoMachine actually on the Windows clients. So I can remote in from Windows or Linux via NX to their Windows desktop over ZT.

      1 Reply Last reply Reply Quote 0
      • guyinpvG
        guyinpv @scottalanmiller
        last edited by

        @scottalanmiller said in Best way to maintain some remote control but not absolute?:

        @guyinpv said in Best way to maintain some remote control but not absolute?:

        If I were a business owner and did not have any kind of agreement or arrangement with a contractor, I simply wouldn't want them leaving their crap on my systems. It doesn't even matter if I'm always calling them for the work, we don't have an agreement for them to store their tools in my shed, hang their hat on my hook, or install their personal support tools on my computers.

        Well that's not a very smart way to run a business

        Is it??

        When you've had multiple employees steal from you, do "secret" things, reveal corporate secrets to competitors, or try to entangle the boss in a legal scuffle because they don't like their job.

        After a while, the boss just isn't interested in giving any random people any special privileges, access rights, full time control abilities, secret software only they know how to use, etc.

        Sure it's paranoia, but if your last accountant stole money, how likely are you to tell the next one "ya do what you want, why not!?"

        DashrenderD 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @guyinpv
          last edited by

          @guyinpv said in Best way to maintain some remote control but not absolute?:

          @scottalanmiller said in Best way to maintain some remote control but not absolute?:

          @guyinpv said in Best way to maintain some remote control but not absolute?:

          If I were a business owner and did not have any kind of agreement or arrangement with a contractor, I simply wouldn't want them leaving their crap on my systems. It doesn't even matter if I'm always calling them for the work, we don't have an agreement for them to store their tools in my shed, hang their hat on my hook, or install their personal support tools on my computers.

          Well that's not a very smart way to run a business

          Is it??

          When you've had multiple employees steal from you, do "secret" things, reveal corporate secrets to competitors, or try to entangle the boss in a legal scuffle because they don't like their job.

          After a while, the boss just isn't interested in giving any random people any special privileges, access rights, full time control abilities, secret software only they know how to use, etc.

          Sure it's paranoia, but if your last accountant stole money, how likely are you to tell the next one "ya do what you want, why not!?"

          You have to have trust with people who are working for you, otherwise you spend all your time looking over their shoulder getting nothing done. But this doesn't mean that you can't/don't put audit trails in place to alert you when weird things are going on.

          In the case of the accountant, that could be a second accountant who's job it is to look over the books on some sort of schedule, or the owner sitting down with them, etc.

          But if you switch from having the accountant do their job, to one where they are getting your approval every time they make an entry into the accounting system, then neither of you will get much work done.

          1 Reply Last reply Reply Quote 0
          • guyinpvG
            guyinpv @Dashrender
            last edited by

            @Dashrender said in Best way to maintain some remote control but not absolute?:

            So I wonder, do you not trust yourself to do the right thing?

            Of course I do.

            My primary concerns were:

            1. Does it open liabilities if something happens at the company and they want to try and blame me for the breach? (He has passwords, he has access, he has remote tools, he knows our backup sources, bla bla) Even if nothing is provable, even a small legal scuffle can ruin an independent like me.

            2. I feel as though the business should pay for the convenience. I make far less money with a quick remote-access session and a reboot than I would having to drive down there in person with a minimum onsite fee. Maintaining unattended access seems like it's worth a support contract or some kind of retainer for monthly maintenance or monitoring tools. Pay me $X a month for remote access as needed, basic server monitoring and reporting goes to me, and the retainer also gives you a reduced rate for additional work or onsite visits. Something like that. Also needed to support the cost of remote software itself.

            3. Finding good tools.

            The idea is, let's say I have 5 small business clients. 2 of them allow me unattended access, 3 of them don't. If all 5 of them require the exact same work, the 3 will pay more for onsite visits and the other 2 I can do in my underwear eating pancakes and if I charge by the hour, they come out ahead.
            The 2 companies that allow me unattended access trade some sense of extra security for a cheaper fee. The 3 companies trade being "more secure" for paying a higher fee for onsite visit.

            Then from my perspective, I do the exact same work, but get paid less for MY own convenience. It's easier for me to use remote, but I don't want to lose money by being more efficient. I could charge MORE for having remote access, but then what's the benefit to the business? It's gone. Catch 22?
            It's like saying, I could wash your car by hand in one hour, or you can drive through the automated machine in 10 minutes, but both cost the same. You'd think the automated, more efficient, quicker way would be cheaper.
            If I do charge more for the faster, more efficient remote access, yet charge full price, you get the whole "you're charging THIS for 10 minutes of work!"

            Anyway, Scott suggests there are no possible legal issues with unattended remote, and further that contracts and agreements wouldn't help anyway. Not sure I agree yet, but that's one answer.

            Trying to get a retainer for maintaining unattended access is a hard sell, at least not without some other quality services.

            It's not really an option to buy all the remote tools, only to then charge much less for work. That's a lose-lose for the technician.

            Convincing the client that doing work for them in much less time is still worth the same/similar fee as going onsite. They may as well request the onsite time? At least I can be used more when onsite, can check other things, talk face to face, etc. So you have to keep charging premium prices no matter how easy/automated/efficient your work becomes.

            1 Reply Last reply Reply Quote 0
            • DashrenderD
              Dashrender
              last edited by

              On the surface your points appear to be valid, but a few of them need a different point of view.

              @guyinpv said in Best way to maintain some remote control but not absolute?:

              1. Does it open liabilities if something happens at the company and they want to try and blame me for the breach? (He has passwords, he has access, he has remote tools, he knows our backup sources, bla bla) Even if nothing is provable, even a small legal scuffle can ruin an independent like me.

              Almost no contract on the planet will provide you with any protection. If I'm a business owner, there is no way I'd sign a contract absolving you liability when working on my systems. The chances are that he lacks the skill set to watch what you are doing the entire time you are working to know that you haven't do something against his interest. So with that in mind, he simply HAS to trust you. Don't abuse that trust, and you'll have less likeliness that when something bad does happen, he doesn't try to sue you, but a contract won't keep you from being sued if they choose to do it.

              1. I feel as though the business should pay for the convenience. I make far less money with a quick remote-access session and a reboot than I would having to drive down there in person with a minimum onsite fee. Maintaining unattended access seems like it's worth a support contract or some kind of retainer for monthly maintenance or monitoring tools. Pay me $X a month for remote access as needed, basic server monitoring and reporting goes to me, and the retainer also gives you a reduced rate for additional work or onsite visits. Something like that. Also needed to support the cost of remote software itself.

              So you've jumped a few things together here. You've automatically assumed that since you have remote unattended access that you will have reporting sent to you. These two things are not related. You can often easily get email, text, etc notices while having no external access.

              Most companies I've seen have a minimum charge, Say min 1 hr. So even if you work on something for 10 mins, you bill them for an hour. Few companies will complain about this because they understand that in order for you to become engaged with them, you have to disengage from what you were doing previously (time lost), get into their issue, resolve it, then disengage from them (time lost). So while the job might only take 10 mins, you might really spend more like 20 or 30 mins (or more) not billing someone else because of this work.

              If you are watching logs (through remote monitoring tools) then you deserve to be compensated for that. With something like this, basically you're working 24/7/365 - watching their logs waiting to respond to them. There is value in that, they should get billed. And as you said, you have costs for these tools, so you need to recoup at minimum the cost of those tools, but come on, this is capitalism, who resells access to tools and doesn't make a profit, even if it's small? Not many.

              1. Finding good tools.

              This is a challenge sometimes, and you need to know what your tool needs to provide for you. For example, do you need a remote access only tool like Screen Connect? or do you need a full monitoring suite like MSPs use? Or do you pay for nothing, have the customer carry those costs and just provide you access?
              In my case, I only have two customers (not currently looking for more). One needs me to have remote access, one doesn't. it's not worth the state requirements for me to get a sales tax ID and all of the paperwork that goes with it to resell that remote access to that one customer. Instead I have them buy it themselves.
              In your case of 5 customers, it might be worth the hassle of the Sales Tax ID, paperwork, etc... oh and while I'm thinking about it - that extra you make off the cost off selling the remote access software to your customer, it has to be considered into the time/money spent filing those tax forms, audits, etc.

              The idea is, let's say I have 5 small business clients. 2 of them allow me unattended access, 3 of them don't. If all 5 of them require the exact same work, the 3 will pay more for onsite visits and the other 2 I can do in my underwear eating pancakes and if I charge by the hour, they come out ahead.

              I'm not sure what the norm here is, but there are many options.
              Do you charge your full hourly wage when driving? I've worked at consultant shops that did, and others that charged a flat trip fee (typically based on miles 10 miles = $30, 20 miles = $40, etc). If you charge the full tech charge, then you're right you're going to loose money on a per trip basis, but you gain something else, more time to service more clients.
              There probably is no right way, or best way to set this up.

              You could charge each of them a different hourly rate (means you can't really publish your rates either - SMBs don't like that). But I would institute a minimum billing time, for example, minimum of 1 hour.

              Then from my perspective, I do the exact same work, but get paid less for MY own convenience. It's easier for me to use remote, but I don't want to lose money by being more efficient. I could charge MORE for having remote access, but then what's the benefit to the business? It's gone. Catch 22?

              Actually there is a benefit to the business, it's nearly instant access to you supporting them. No more waiting for you to drive across town. This is pretty valuable to most.

              It's like saying, I could wash your car by hand in one hour, or you can drive through the automated machine in 10 minutes, but both cost the same. You'd think the automated, more efficient, quicker way would be cheaper.

              No way the machine should be cheaper, at least not at first, the machine wasn't free, and you gave the customer 50 mins back. That's huge for them, and they are often willing to pay for that.
              I have a story on this personally. I was in line to get some autographs. I could tell from the line that I was going to be there for at least 2 more hours (at which time the event I was at would have been closed). Someone offered to let me cut in line for $30. I jumped at this chance. I got two hours to enjoy the event's other offerings instead of standing in line. More than worth the $30.

              Trying to get a retainer for maintaining unattended access is a hard sell, at least not without some other quality services.

              I know @hubtechagain does something like this for his customers. He knows that he spends an average of say 5 hours a month working for a customer. He offers to sell them a package if they sign a one year deal to always buy 5 hours minimum a month, and if they don't use those hours, they expire at the end of the month. If they use more, he bills for overage.
              Thinks like this are easier if you are providing other services like AV, remote management, monitoring, etc.

              It's not really an option to buy all the remote tools, only to then charge much less for work. That's a lose-lose for the technician.

              When I owned my own company 10+ years ago.. when I purchased a remote access tool, I simply raised my rates for everyone. I explained that I would have faster access to work on their problems, but that ability came at a cost. Not one client complained.

              Convincing the client that doing work for them in much less time is still worth the same/similar fee as going onsite. They may as well request the onsite time? At least I can be used more when onsite, can check other things, talk face to face, etc. So you have to keep charging premium prices no matter how easy/automated/efficient your work becomes.

              So I'll give you the Face to Face thing, but the rest - what would they have you look at that you can't fix remotely that wouldn't require an onsite visit anyhow?

              One of the things that I'm not sure Scott has posted here on ML is the need to have the 'right' clients. You want client that understand the value you bring. If they don't value you, they might as well be using Geek Squad. But those that do won't have a problem paying more for what is hopefully good service.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Dashrender
                last edited by

                @Dashrender said in Best way to maintain some remote control but not absolute?:

                @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                @Dashrender said in Best way to maintain some remote control but not absolute?:

                @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                Why would they cut you off just because they also use someone else or move to someone else? That doesn't make logical sense.

                What? If they hire someone else to do that job the OP is doing, I would fully expect them to cut the OP off. Of course, the new support person should be doing their investigation to make sure that's the case.

                Why? SUpport is not an all or nothing thing. It is common to have multiple support people or companies and to have them do different things or to work at different times. There is no reason to cut off one support person just because you are using another one.

                If they hire someone else to do the OP's job - why are they keeping the OP around? Unless they have given the OP another job to do. Now if they hire another support vendor to do something the OP does not do.. then of course, they both work equally.

                @Dashrender said in Best way to maintain some remote control but not absolute?:

                @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                @Dashrender said in Best way to maintain some remote control but not absolute?:

                @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                Why would they cut you off just because they also use someone else or move to someone else? That doesn't make logical sense.

                What? If they hire someone else to do that job the OP is doing, I would fully expect them to cut the OP off. Of course, the new support person should be doing their investigation to make sure that's the case.

                Why? SUpport is not an all or nothing thing. It is common to have multiple support people or companies and to have them do different things or to work at different times. There is no reason to cut off one support person just because you are using another one.

                If they hire someone else to do the OP's job - why are they keeping the OP around? Unless they have given the OP another job to do. Now if they hire another support vendor to do something the OP does not do.. then of course, they both work equally.

                IT isn't a one man show kind of job. Lots of companies use more than one person and/or company to do overlapping work. Is it ideal? Of course not. Is having an MSP be a one man show ideal? Of course not. It is what it is, a common business practice whether it is for fault tolerance reasons (you need more than one MSP in case one isn't available) or capabilities reasons (you want better technical coverage) or different roles (you need different support from different people or companies.)

                One of the reasons that you pick NTG over a one man shop is that you get a long history of corporate governance and stability with the reliability of a full staff all "in one box." Even with a company as established and "large" as we are, we often work side by side with other vendors. For companies that are smaller, like one or two man shows or those that don't have the eight years of "survival" experience needed to have faith in corporate stability it's very common to have companies offset that by having more than one vendor involved.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said in Best way to maintain some remote control but not absolute?:

                  @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                  @Dashrender said in Best way to maintain some remote control but not absolute?:

                  @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                  @Dashrender make sure that you pass those costs onto the clients, or otherwise you just invested in their business twice. Once in paying for their tools, and again in getting paid to do half as much work!

                  I didn't buy the remote access software/suite, they did. So there was no cost to me. Of course in making my life better I also decreased my billing, but I wanted my personal time back more than I wanted to be paid for driving there.

                  Oh okay, that's better.

                  now with all that in mind... I could raise my rates because I would be making less money - I wonder how many companies do that?

                  Lots. Companies with low rates normally do so by being very inefficient. Companies that are highly efficient have higher rates because they are using the extra overhead to invest into better skills, tooling, training, etc.

                  1 Reply Last reply Reply Quote 2
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in Best way to maintain some remote control but not absolute?:

                    @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                    @Dashrender said in Best way to maintain some remote control but not absolute?:

                    But as far as the remote access goes - if they don't want you to have access except when they expressly permit it.. then they could change the password on the account you create in the remote control software themselves every time you are done, then give you the new password the next time they need server, then change, and give and change and give, etc.

                    This would require decentralized control, which adds a bit of complication compared to centralized control. But doable.

                    How is this decentralized? and if it is, then NTG has decentralized control in their SC setup since multiple people have access to the admin system (hopefully each with their own account) and can lock others out.

                    The assumption being that there is no account control or instead of locking out the password they would just disable access if the system was centralized but keep the end user's access controls. That's the beauty of centrally managed, you don't have all this overhead of changing passwords as a security mechanism.

                    1 Reply Last reply Reply Quote 0
                    • guyinpvG
                      guyinpv
                      last edited by

                      No need to belabor the points. I think the legal question is pretty much settled. There is no way to avoid it if a company wants to go after you, and they wouldn't sign off on full release of liability either.

                      The convenience of unattended access should be recommended, as long as the business fully understands what that means and how it will be used. They could be given an envelope for the lock box with instructions about the system in case they ever want to change support or remove it, etc.

                      Support pricing should not change even if labor time decreases due to automation, remote tools and so forth. Cost of tools still passes on to customer.

                      I could use a dedicated jump box and open it to the web, or use ZeroTier and leave remote control open only once inside the network. Or I could use standard remote tools directly on the workstations/server that don't require changes to router such as ScreenConnect, TeamViewer, Deskroll, NoMachine, Remote Utilities, etc.

                      Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @guyinpv
                        last edited by

                        @guyinpv said in Best way to maintain some remote control but not absolute?:

                        Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.

                        Move them to XO and solve that issue. No need for workstation access or Windows licenses.

                        guyinpvG 1 Reply Last reply Reply Quote 1
                        • guyinpvG
                          guyinpv @scottalanmiller
                          last edited by

                          @scottalanmiller said in Best way to maintain some remote control but not absolute?:

                          @guyinpv said in Best way to maintain some remote control but not absolute?:

                          Lastly, I'll probably throw XC on the boss's workstation as a means of dealing with VMs, but otherwise I should be able to do most work just getting directly into the guests.

                          Move them to XO and solve that issue. No need for workstation access or Windows licenses.

                          Then I still have to remote in somewhere to access XO unless you're saying I should open it up to the world and use Zerotier?
                          That means I would need 2 more VMs on the server, one for jump and other for XO.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @guyinpv
                            last edited by

                            @guyinpv said in Best way to maintain some remote control but not absolute?:

                            Then I still have to remote in somewhere to access XO unless you're saying I should open it up to the world and use Zerotier?
                            That means I would need 2 more VMs on the server, one for jump and other for XO.

                            One fewer, right? Either you need the Jump OR ZeroTier, but not both. But for access to a remote Windows machine you need ZeroTier + RDP or similar. Doesn't XO almost make it easier? And it lets you use a tiny Linux VM instead of a Windows machine that is either expensive or used for something else.

                            guyinpvG 1 Reply Last reply Reply Quote 1
                            • DashrenderD
                              Dashrender
                              last edited by

                              where would you install ZT? on the XO VM? I suppose that would work.

                              So his management would be something like :

                              SC to control Windows PCs and windows server VMs
                              ZT to manage XO to manage XS

                              Personally I wouldn't install ZT unless you're going to install it EVERYWHERE at that client.

                              scottalanmillerS 2 Replies Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @Dashrender said in Best way to maintain some remote control but not absolute?:

                                where would you install ZT? on the XO VM? I suppose that would work.

                                Definitely there.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said in Best way to maintain some remote control but not absolute?:

                                  SC to control Windows PCs and windows server VMs
                                  ZT to manage XO to manage XS

                                  If you are using a VPN you presumably always have a dedicated machine for that client. So you just.... open a web browser. That's it. Nothing more to it. It's always there, always ready to go. No SC, no PC, no Windows, no hops.

                                  1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender
                                    last edited by

                                    Where did VPN come into the discussion?

                                    stacksofplatesS scottalanmillerS 2 Replies Last reply Reply Quote 0
                                    • guyinpvG
                                      guyinpv @scottalanmiller
                                      last edited by

                                      Remote Utilities allows use up to 10 clients including business for free. Chances are good I'll hook that up to the server. From there I suppose I could RDP to workstations.
                                      Doesn't take care of using XO though. Maybe I would hook up RU to one workstation as well just in case. Otherwise I could access XO from the server VM, assuming it isn't down. If it is down, then I could get to the workstation instead and try to access XO. If that doesn't work, something is up with the hardware or network.

                                      1 Reply Last reply Reply Quote 0
                                      • stacksofplatesS
                                        stacksofplates @Dashrender
                                        last edited by

                                        @Dashrender said in Best way to maintain some remote control but not absolute?:

                                        Where did VPN come into the discussion?

                                        ZeroTier

                                        1 Reply Last reply Reply Quote 1
                                        • stacksofplatesS
                                          stacksofplates
                                          last edited by stacksofplates

                                          So if you don't want to use ZT here's what I would do (and currently do when not using ZT). Set up a jump box and use dynamic tunnels for your access (or local tunnels but you need to know the ports ahead of time).

                                          For the dynamic tunnels you can use:

                                          ssh -D 1080 user@host
                                          

                                          This turn your SSH client into a SOCKS proxy. You can tell your browser to use a SOCKS proxy on port 1080 (default port) and just browse to the normal addresses on the remote network.

                                          If you want to use local tunneling then you need:

                                          ssh -L <localport>:<remoteip>:<remoteport> user@host
                                          

                                          Use as many -L arguments as you need. You can also do both together.

                                          This will give you access to anything you need, fully encrypted. RDP is possible with Remmina or the Remote Desktop Viewer application, along with VNC, SPICE, NX, and others.

                                          1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @Dashrender said in Best way to maintain some remote control but not absolute?:

                                            Where did VPN come into the discussion?

                                            I was answering your questions about the ZT VPN...

                                            0_1472165913288_Screenshot from 2016-08-25 18-58-18.png

                                            DashrenderD 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 4 / 6
                                            • First post
                                              Last post