How to Manage Remote Endpoints Without VPN or On-Prem Infrastructure

You already have a way to remote into endpoints. The question is whether it's costing you more time and overhead than it should.

Most IT teams run a standalone remote desktop tool alongside their endpoint management platform. That means a second agent deployed across every endpoint, a second console to authenticate into, a second set of permissions to manage, and a second vendor relationship to maintain. When a ticket comes in and the fix requires hands-on access, the technician leaves the console where they spotted the problem, switches to the remote tool, finds the endpoint again, and starts a session. It works, but every one of those transitions adds friction to a process that's supposed to be fast.

For teams still routing remote sessions through VPN, the overhead is worse: concentrator bottlenecks, inbound firewall rules, and a dependency on infrastructure that was designed for network extension, not endpoint support.

Automox integrates Splashtop – a remote access platform with 20 years behind it – directly into the endpoint management console. Technicians start a remote session from the same view where they check patch status, review policy logs, and run Automox Worklets™. The Splashtop Streamer deploys to endpoints through the Automox console – no separate vendor portal, no standalone licensing, no VPN tunnel, no infrastructure to maintain.

A technician sees a Windows endpoint with three consecutive patch failures in the Automox console. Something is blocking the update and the logs aren't conclusive. They need to look at the endpoint directly.

• From the endpoint's detail page in the Automox console, the technician clicks Remote Control.

• The end user sees a consent prompt on their screen and approves the session.

• The Splashtop-powered connection establishes over encrypted channels.

• The technician is on the desktop. They check Windows Update logs, clear a corrupted cache, and re-trigger the patch from the same console.

No VPN. No re-authenticating. The technician went from "I see a problem" to "I'm on the endpoint" in seconds, from the same console they were already working in.

For unattended endpoints – servers, kiosks, shared workstations – administrators can enable Exclude Remote Control Consent so technicians connect directly without an end-user prompt.

With Automox Resolve (the advanced add-on), technicians can also transfer files to the endpoint, chat with the end user during the session, view multiple monitors, record the session for documentation, and collaborate with another technician in the same session.

If your current remote desktop tool works, it's reasonable to ask why you'd change. The answer isn't that standalone tools don't work. It's that they carry hidden costs that compound over time.

Security surface you didn't ask for. A standalone remote agent on every endpoint is another piece of software to keep updated, another set of network connections to monitor, and another potential access vector if credentials are compromised. And when a remote tool gets installed on an endpoint for a one-off session and never gets removed – which happens more often than anyone likes to admit – that endpoint has an unmanaged backdoor sitting on it.

Permission sprawl. When remote access lives in a different system than endpoint management, permissions diverge. A technician might have tightly scoped access in the endpoint management console but broad access in the remote tool because nobody set up granular controls there. When licenses are limited, teams share accounts – which means shared credentials, no individual accountability, and an audit trail that's useless during a compliance review.

Vendor and invoice overhead. Every standalone tool is another renewal cycle, another contract negotiation, another line item to justify in the budget. That's not just a finance problem. It's time that your team spends on tool management instead of endpoint management.

Fragmented audit trails. When an auditor asks "who accessed this endpoint and what did they do," the answer shouldn't require cross-referencing logs from three different systems. But with separate VPN, remote desktop, and endpoint management tools, that's exactly what happens.

Consolidating remote control into the endpoint management platform eliminates all four of those costs. One console, one permission model, one audit log, one vendor.

If you've already moved away from VPN for remote sessions, skip this section. But plenty of organizations still route remote access through VPN concentrators, and it's worth understanding why that approach is losing ground.

VPN was designed to extend the network perimeter to a remote user. It was never designed to be a support tool. When IT teams use it as a remote desktop gateway, they inherit trade-offs that get worse as remote session volume grows:

• Concentrator bottleneck. Every session routes through a central appliance. Session quality degrades as concurrent connections increase, and if the concentrator goes down, every remote session goes with it.

• Split-tunnel risk. Organizations that enable split tunneling to improve performance expose the remote session to whatever network the end user is on.

• It doesn't replace the remote desktop tool. VPN gets the technician onto the network. They still need a separate tool – with its own agent and console – to interact with the endpoint. Tools like Intune add another layer on top of that.

• Unreliable for field service. Technicians on mobile hotspots or low-bandwidth connections see VPN sessions time out or drop, forcing them to restart troubleshooting mid-session.

VPN infrastructure is also a growing security liability. The Verizon 2025 Data Breach Investigations Report found that exploitation of edge device vulnerabilities – including VPN appliances – surged from 3% to 22% of all vulnerability-related breaches.

Cloud-native remote control sidesteps all of this. The session goes directly to the endpoint agent over outbound HTTPS, brokered through a cloud relay. No concentrator, no inbound firewall rules, no network dependency. If the endpoint has an internet connection, it's reachable. With Gallup's 2024 hybrid work data showing more than half of remote-capable employees in hybrid models, that flexibility matters.

If remote access permissions don't live in the same system as your endpoint management permissions, they'll drift. That's not a theoretical risk. It's what happens in practice when two systems have separate admin consoles and nobody has time to keep them in sync.

Automox maps remote control permissions directly to its existing role-based access control framework. The Device: Control permission governs who can start sessions:

• Full Administrators can initiate sessions on any endpoint.

• Organization Operators can remote into endpoints within their assigned organization.

• Helpdesk Operators can access endpoints within their assigned organization.

If a technician already has operator-level access to an endpoint group for patching, they can initiate remote sessions on those same endpoints. No additional provisioning, no separate permission setup.

Every session is tied to an authenticated user identity and logged against a specific endpoint – including session start, end, failure events, and the initiating user. When an auditor asks who accessed what, the answer is in one place – not spread across VPN logs, remote desktop logs, and directory services. That matters for SOC 2, HIPAA, PCI DSS, and CIS Controls v8 Control 6, all of which require least-privilege access and auditable session records.

For more on compliance reporting within Automox, see IT and Compliance Reporting.

Use this when comparing remote control solutions. The "ask the vendor" column gives you the question to cut through marketing positioning and get a concrete answer.

Automox remote control is powered by Splashtop and built into the Automox console.

Automate Enterprise includes core remote control: attended and unattended access to Windows and macOS endpoints, clipboard support, and view-only mode.

Automox Resolve is available as an add-on for the Automate Essentials and Automate Enterprise tiers. It adds file transfer, remote printing, live chat, multi-monitor support, concurrent connections, session recording, and multi-technician collaboration. See Automox pricing for details.

If the Automox agent (version 2.4.33 or later) is already deployed, enabling remote control takes minutes. The Splashtop Streamer deploys to endpoints directly from the Automox console – organization-wide or per device – with no separate vendor portal or infrastructure to provision. On macOS, end users need to approve permissions for Screen Recording and Accessibility before sessions work fully; IT can pre-approve Accessibility and Full Disk Access via MDM, but Apple policy requires user approval for Screen Recording.

For guidance on architecture that supports remote endpoint management – including remote patching without VPN – see NIST SP 800-46 Rev. 2 and Remote Patching Best Practices.

• Verizon 2025 Data Breach Investigations Report – Edge device vulnerability exploitation surged from 3% to 22% of vulnerability-related breaches

• Gallup, Indicators: Hybrid Work, 2024 – More than half of remote-capable employees work in hybrid models

• NIST SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and BYOD Security – Framework for securing remote access without perimeter-dependent tools

• CIS Controls v8, Control 6: Access Control Management – Least-privilege and role-based access requirements for remote sessions