Unknown ScreenConnect Monitoring
Purpose
This solution detects and manages unauthorized or unknown ScreenConnect Client instances on Windows and macOS devices. It compares installed ScreenConnect instances against an approved list and takes action based on the enforcement level configured per organization, location, or device.
The solution supports three modes: audit only, audit and alert, and autofix with failure alerting. Results are written to device-level custom fields on every run and tickets are created when unknown instances are detected and remain present.
⚠️ Warning - Read before enabling Autofix
Setting cPVAL Unknown ScreenConnect Monitoring to
Autofix and Alert on Failurewithout first populating cPVAL Whitelisted ScreenConnect Instances will cause the automation to attempt removal of every ScreenConnect Client instance on the device - including your own remote access tool. This can result in losing remote access to affected endpoints.Always populate the whitelist with your approved ScreenConnect instance identifiers before enabling Autofix at any scope. If you are unsure, start with
Audit OnlyorAudit and Alertfirst to see what is installed before enabling any remediation.
Associated Content
Custom Fields
| Name | Type | Level | Purpose |
|---|---|---|---|
| cPVAL Unknown ScreenConnect Monitoring | Dropdown | Organization, Location, Device | Controls the enforcement mode: Audit Only, Audit and Alert, or Autofix and Alert on Failure. |
| cPVAL Whitelisted ScreenConnect Instances | Text | Organization, Location, Device | Stores approved ScreenConnect instance identifiers. Instances not on this list are treated as unknown. |
| cPVAL Installed ScreenConnect Instances | WYSIWYG | Device | Automatically populated with a table of detected instances, their whitelist status, actions taken, and timestamps. |
| cPVAL Unknown ScreenConnect Installed | Checkbox | Device | Checked automatically when one or more unknown instances are detected in the latest run. |
Automations
| Name | Platform | Purpose |
|---|---|---|
| Manage Unknown ScreenConnect Client [Windows] | Windows | Audits, optionally remediates, and updates custom fields for ScreenConnect instances on Windows devices. |
| Manage Unknown ScreenConnect Client [Macintosh] | macOS | Audits, optionally remediates, and updates custom fields for ScreenConnect instances on macOS devices. |
Compound Conditions
| Name | Platform | Purpose |
|---|---|---|
| Unknown ScreenConnect Detection - Windows Workstation | Windows Workstation | Runs the Windows automation daily on workstations with ScreenConnect installed. Triggers an alert and ticket when unknown instances are detected. |
| Unknown ScreenConnect Detection - Windows Server | Windows Server | Runs the Windows automation daily on servers with ScreenConnect installed. Triggers an alert and ticket when unknown instances are detected. |
| Unknown ScreenConnect Detection - Macintosh | macOS | Runs the macOS automation daily on Mac devices with ScreenConnect installed. Triggers an alert and ticket when unknown instances are detected. |
Group
| Name | Purpose |
|---|---|
| cPVAL Unknown ScreenConnect Installed | Dynamically groups all devices where cPVAL Unknown ScreenConnect Installed is checked. Useful for reporting and targeted follow-up. |
Implementation
Step 1: Create the Custom Fields
Create all four custom fields under SETTINGS → Custom Fields:
- cPVAL Unknown ScreenConnect Monitoring - Dropdown with options
Audit Only,Audit and Alert,Autofix and Alert on Failure. Default value:Audit Only. - cPVAL Whitelisted ScreenConnect Instances - Text field. Enter approved ScreenConnect instance identifiers, comma-separated or one per line.
- cPVAL Installed ScreenConnect Instances - WYSIWYG field. No manual configuration required; populated automatically by the automation.
- cPVAL Unknown ScreenConnect Installed - Checkbox field. No manual configuration required; managed automatically by the automation.
Step 2: Populate the Whitelist
Before enabling alerting or autofix, populate cPVAL Whitelisted ScreenConnect Instances at the organization level with your approved ScreenConnect instance identifiers.
Note: You can find your ScreenConnect instance identifier in the client name shown in your ScreenConnect console, or by running the automation in
Audit Onlymode first and reviewing the cPVAL Installed ScreenConnect Instances field output on a known-good device.
Step 3: Import the Automations
Import both automation scripts into NinjaOne:
Step 4: Create the Compound Conditions
Create the three compound conditions and attach them to the appropriate default agent policies:
- Unknown ScreenConnect Detection - Windows Workstation - attach to
Windows Workstation [Default]agent policy. - Unknown ScreenConnect Detection - Windows Server - attach to
Windows Server [Default]agent policy. - Unknown ScreenConnect Detection - Macintosh - attach to
Mac [Default]agent policy.
Note: In each compound condition, the
Allowed Instancesparameter on the evaluation script can be set to define approved identifiers at the policy level. When set, it overrides cPVAL Whitelisted ScreenConnect Instances for all devices in that policy. Leave it blank to use the custom field value instead.
Note: For ticketing to work, the Notifications section in each compound condition must be configured with a valid ticket template for your PSA integration (ConnectWise Manage, Autotask, HaloPSA, etc.). Without a template, NinjaOne cannot generate or manage tickets from these conditions.
Step 5: Create the Group
Create the cPVAL Unknown ScreenConnect Installed device group to automatically collect any device where unknown ScreenConnect instances are detected.
Step 6: Set the Enforcement Mode
Set cPVAL Unknown ScreenConnect Monitoring at the organization level to the desired enforcement mode.
Recommended rollout order:
- Start with
Audit Onlyto see what ScreenConnect instances are installed across devices without any alerting or changes. - Review cPVAL Installed ScreenConnect Instances and the cPVAL Unknown ScreenConnect Installed checkbox on devices to confirm the whitelist is complete and accurate.
- Move to
Audit and Alertonce the whitelist is confirmed, so tickets are created for genuinely unknown instances. - Only move to
Autofix and Alert on Failureafter thoroughly validating the whitelist and confirming no approved instances will be targeted for removal.
FAQ
1. What does this solution do?
It finds ScreenConnect installations on devices, checks if they are approved, and then audits, alerts, or removes them based on your settings.
2. Why would I use this solution?
Use it to find unknown ScreenConnect installs quickly and reduce security risk from unapproved remote access tools.
3. What does “unknown” mean here?
“Unknown” means the ScreenConnect instance is not listed in cPVAL Whitelisted ScreenConnect Instances.
4. What is the safest mode to start with?
Start with
Audit Only.
5. What happens in Audit Only mode?
The solution checks devices and updates custom fields. It does not create alerts and does not remove anything.
6. What happens in Audit and Alert mode?
The solution checks devices and creates alerts/tickets when unknown ScreenConnect instances are found.
7. What happens in Autofix and Alert on Failure mode?
The solution tries to remove unknown instances. If any remain, it creates an alert/ticket.
8. What is the biggest risk in Autofix mode?
If your whitelist is empty or incomplete, approved tools may be treated as unknown and removed.
9. Can this remove our own ScreenConnect instance by mistake?
Yes, if your approved instance identifier is not in the whitelist.
10. How do I avoid accidental removal?
Add approved identifiers to cPVAL Whitelisted ScreenConnect Instances, test with
Audit Only, then move up to stricter modes.
11. What if the whitelist is blank?
All detected ScreenConnect instances are treated as unknown.
12. Where do I set the monitoring mode?
In cPVAL Unknown ScreenConnect Monitoring at organization, location, or device level.
13. Which setting wins if values are different at multiple levels?
The most specific level (device over location over organization) is used by NinjaOne.
14. What if I do not set the monitoring field at all?
The automation defaults to
Audit Only.
15. What is Allowed Instances?
It is an automation parameter that can define approved identifiers at runtime.
16. Does Allowed Instances override the whitelist custom field?
Yes. When set, it overrides cPVAL Whitelisted ScreenConnect Instances for that run/policy.
17. What does the checkbox custom field mean?
cPVAL Unknown ScreenConnect Installed is checked when at least one unknown instance is found in the latest run.
18. What is the WYSIWYG custom field used for?
cPVAL Installed ScreenConnect Instances shows details like name, version, status, action, and timestamp.
19. Can I edit the WYSIWYG field manually?
You can, but you should not. The automation overwrites it on the next run.
20. How often does this run?
By default, each compound condition is configured to run every 24 hours.
21. Which devices are targeted by this solution?
Windows Workstations, Windows Servers, and Macintosh devices where ScreenConnect is detected and the policy conditions are met.
22. Do I need all three compound conditions?
Yes, if you want full coverage across all three platform/policy types.
23. Why are tickets not being created?
Usually because the notification/ticket template is not configured in the compound condition.
24. Can this work with ConnectWise, Autotask, or HaloPSA?
Yes. Configure notifications and the correct ticket template for your PSA integration.
25. What is the best rollout approach?
Use
Audit Onlyfirst, review results, fix whitelist gaps, move toAudit and Alert, and only then enableAutofix and Alert on Failure.
Changelog
2026-04-09
- Initial version of the document