Please add a layer of security protection so when a guest (or host) entering a password when logging in to another software or website when screen is being shared does NOT appear on other user's screen. Currently passwords can be seen and this is a major privacy/security issue.

There needs to be an option to kill the session cookie when the client closes the connection to the host. We do not want the client to have the ability to connect back to the host without logging back into the web interface. Financial Institutions are now requiring 2-factor authentication for access and the current setup allows the client to login back in until the session cookie expires.

Currently that small grey bar showing the host is in the unattended computer seems a bit unprofessional. It would be much better to have a nice box, at the bottom right corner of the screen showing who is logged in remotely AND there should be some controls where the unattended computer owner can 'end session' or 'overpower the host's mouse'. 

This would allow the unattended a feeling of control rather than giving up ALL control of their computer.

Tests ran through Acunetix come up with a result of 'Insecure CORS configuration' due to the issue mentioned in this post:

https://github.com/balderdashy/sails/issues/3862

I have worked with Control support, and they have confirmed that the POST is getting a 403/ forbidden error that is causing this issue. Contained in that link is an example of how the 403 error can be resolved to no longer show this vulnerability in Acunetix. Our auditors are unsatisfied with the results, so it would be great if we could get this resolved.

An easier way to setup a single user to access a single machine, without having to setup up a session group, role & user. Or at least a way to automatically create these and hide them away to save making the site wide setting messy.

A filter for session groups that uses "Company" to allow separation of machines by subsidiary or department in large deployments.

Would like to set the AccessTokenExpireSeconds so it does not expire when I create an exe. Currently does not work according to documentation.

At the moment, I have client workstations I need to access that MUST have the consent popup however the servers should not. We have a few servers that must start up to a user account automatically for some archaic software and I am unable to log into these systems because there is no physical user ready to hit consent. If we could either apply an app.config by a group or allow "SC user John Doe" = allowwithoutconsent for systems LIKE... that would be great! Right now I must log out of my normal user and into the admin account to reach these servers.

Hyper-V 2008R2 and Hyper-V 2012R2, along with Server Core installations apparently don't install MSCOREE.DLL when installing/updating .Net framework. Installation of ScreenConnectClient fails with: SFXCA: Failed to load mscoree.dll in the msiexec log. Requesting to have a workaround for installing on Hyper-V or Server Core hosts.

The Edit Web.Config AppSettings extension allows you to edit existing entries, but would be good to be able to add new entries via this screen. This would allow cloud partners to configure plugins like the "Expand Thumbnail Preview Image" plugin, which requires additional config entries in the web.config file.