RES Automation Manager security Modules

[Screenshot: AM-sec_modules-01]

When configuring a security role in RES Automation Manager (RES AM) it is possible to deny access to the content of the modules.

When editing the permissions of the Module node in a RES AM security role, a select box is shown. With the option “Limit task details when read access permissions are set” selected, a user who is assigned this security role cannot view the content of the tasks in the modules.

[Screenshot: AM-sec_checkrights_notok_01]

Option “Limit task details when read access permissions are set” selected.

[Screenshot: AM-sec_checkrights_ok_01]

Option “Limit task details when read access permissions are set” not selected. The Settings and Script tabs are accessible.


Show Specific control panel items issue RES WM

In a locked down Windows environment, it is a best practice to hide specific control panel items for those functions that can’t or shouldn’t be performed by an end user.

With a RES WM “User registry” object, you can use “control.admx” to load the policy template to configure these settings.

[Screenshot: policy_01]

In the “List of allowed control panel items” the canonical names of the Control Panel items should be entered.

So far so good. But it wasn’t working in my environment…

With this configuration active in RES Workspace Manager 2014, all Control Panel items were still shown.

When looking in the registry of a logged-in user, these registry keys were present:

[Screenshot: registry_01]

The registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl” is set by the policy.

As stated in this MS Technet article, “The Hide specified control panel applets policy takes precedence over the Show only specified control panel applets policy.”

The entries in the “DisallowCpl” key are:

[Screenshot: registry_02]


What about the “…\DisallowCpl”? Where does it come from?

The “villain” here appears to be the setting “Disable Add/Remove programs” at Composition -> Desktop -> Lockdown and behaviour:

[Screenshot: reswm_lockdown_01a]

This setting results in the “DisallowCpl” key being created.

After logging in with this setting unchecked, only the specified items were visible in the Control Panel. Everything works as expected…
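To verify the same thing on a workstation without reading the registry by hand, the following added example (not part of the original post, and not RES code) reads both policy keys for the current user and reports which one is actually in effect, flagging the case described above where DisallowCpl silently overrides the “show only” list. The key path and value layout (a DWORD named after the key plus a subkey with values “1”, “2”, … holding canonical names) are the standard Explorer policy locations; the `-PolicyKey` parameter is an assumption added so the check can be pointed at a loaded user hive instead.

```powershell
# Added example: report the effective Control Panel restriction for a user.
function Get-ControlPanelPolicyState {
    param(
        # Base policy key; parameterised so it can also be run against a loaded
        # user hive such as 'Registry::HKEY_USERS\<SID>\Software\...\Policies\Explorer'
        [string]$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $result = [ordered]@{
        RestrictCplEnabled = $false; AllowedItems = @()
        DisallowCplEnabled = $false; HiddenItems  = @()
        EffectiveBehaviour = 'No Control Panel policy: all items shown'
    }
    if (-not (Test-Path $PolicyKey)) { return [pscustomobject]$result }

    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($name in 'RestrictCpl', 'DisallowCpl') {
        # The DWORD value (1 = enabled) lives on the Explorer key itself ...
        $enabled = ($props.$name -eq 1)
        # ... the list of canonical names lives in a subkey of the same name,
        # as values named "1", "2", "3", ... (PSPath etc. are filtered out).
        $items = @()
        $subKey = Join-Path $PolicyKey $name
        if (Test-Path $subKey) {
            $items = (Get-ItemProperty -Path $subKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
        }
        if ($name -eq 'RestrictCpl') {
            $result.RestrictCplEnabled = $enabled; $result.AllowedItems = @($items)
        } else {
            $result.DisallowCplEnabled = $enabled; $result.HiddenItems = @($items)
        }
    }

    # Hide ("DisallowCpl") takes precedence over Show only ("RestrictCpl"),
    # so an active DisallowCpl is the condition to warn about.
    if ($result.DisallowCplEnabled) {
        $result.EffectiveBehaviour = 'DisallowCpl active: listed items hidden, RestrictCpl (show only) is ignored'
    } elseif ($result.RestrictCplEnabled) {
        $result.EffectiveBehaviour = 'RestrictCpl active: only the listed items are shown'
    }
    [pscustomobject]$result
}

Get-ControlPanelPolicyState | Format-List
```

Run it in the user session where the Control Panel looks wrong; if DisallowCpl shows as enabled while you only configured the allow list, look for the setting that creates it (in the case above, “Disable Add/Remove programs”).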


“Stub” Application – RES Workspace manager

In an RES Workspace Manager environment you have to deal with the following settings:

  1. Application Security Rules
  2. User settings (Zero Profile)
  3. Configuration

An issue can be knowing, and keeping track of, the reason a specific setting has been set. A way to keep track is to make use of the “Administrative note”. When filling in this field, keep it short and descriptive. With “Security Rules” you can end up with more than one rule for a specific application, e.g. Java, and you will end up adding “Java” to each rule.

A more organized way is to make use of a “Stub” (dummy) Application Object and move all security rules belonging to Java to this “Stub” object. To move a security rule to the “stub”, select the rule, right-click, select “Move…” and select the “stub” object. Name this object “stub Java”.

[Screenshot: SecurityMove_01]

To keep these special Application Objects together (when you have more than one stub), you can put the “stubs” in a separate Start Menu folder.

[Screenshot: Start_subs01]

To make sure that this special Application Object doesn’t behave as a normal Application Object, some settings need to be set on the Application Object:

  1. General -> Command Line = empty
  2. General -> ☐ Create Start Menu Shortcut
  3. Settings -> ☑ Hide application
  4. Settings -> ☑ Do not list in PowerHelp
  5. Settings -> ☑ Do not show in “New Applications”
  6. Settings -> ☑ Autolaunch at session start: Mandatory

“Identity”, “Location and devices” and “Workspace Containers” need to be adjusted according to the needs of the security rules.

This technique can also be used with an application suite (a collection of Application objects, eg. Office). By doing so you can configure the “user settings” and “Configuration” actions once and link to the application objects of the suite.

  • User settings: ☑ Use the user settings from the following application: “…” and select the stub.

[Screenshot: Usersettings_02]

  • Configuration: Add a “Linked Action” and select the stub.

[Screenshot: Linkedaction_01]

The “Zero profile mode” configured in the User Settings of the “stub” needs to be set to “capture on session end”.

[Screenshot: Usersettings_03]

To get the Zero profile activated at the start of a session, configure “User Settings” -> “Application user settings”, globally or for a Workspace Container, to “Prefetch in background, check on application start”.

[Screenshot: Usersettings_01]

Having all the settings for a specific application collected in the “stub”, you have a better overview of what is necessary for that application. Moving from a Test to a Production environment is also a lot easier: one Building Block instead of…


Update 14-10-2014: For “User settings” to save settings at session end, it is necessary to start the “stub” at session start. Added setting 6. to the settings for a stub Application Object.


RES Workspace Manager “Installation on demand”

In a RES Workspace Manager environment it is easy to present an application to an end user (Identity).

Most of the time, the challenge is to install the application on the laptop / desktop. There needs to be consistency between the application delivered and the application installed on the machine of the end user.

By integrating RES AM (for installation of the application) in RES WM (for delivering the application), the application can be installed when it is started and is not yet present on the machine.

In this example the application “Skype” is used.

RES AM Integration

To integrate RES AM in RES WM, go in the WM Console to menu Setup -> RES Software -> RES Automation Manager…

[Screenshot: Int_RESAM_00]


Select “RES Automation Manager” integration. In the “Dispatcher detection” settings, select “Autodetect” or choose “User dispatcher address list” and add a Dispatcher.
To choose a RES AM environment, click “…” and select the name of the AM environment.

Choose the “authentication” option such that the account you are logged in with in the RES WM console has enough rights within RES AM (Read on Modules and Projects). To find out whether you can access RES AM, click “Test Now…”. When it is correct you will see the Modules/Projects from RES AM.

RES AM Installation module

In RES AM a Module needs to be created to actually install the application.

[Screenshot: Int_RESAM_05]


In this example, I configured a “Windows Installer Package” task in the “Install – Skype” Module. This task performs a silent installation of “skypesetup.msi”. Additional configuration for the application on the machine can be added to the module.

RES WM Application

To add the RES AM module to a RES WM application, open the application and add an “Automation task” action at “Configuration” of the application object.

[Screenshot: Int_RESAM_02]


In the “Automation task” action, select “Task” and choose the RES AM installation module for the application.

[Screenshot: Int_RESAM_03]

[Screenshot: Int_RESAM_04]


At “Custom status message”, enter the message that will be shown to the end user when the RES AM module is started by RES WM. By default the option “Skip if application executable was found” is checked; this is the trigger for RES WM to initiate the RES AM task. Select “Wait for task to finish before continuing” to postpone the start of the application until the RES AM task has finished. When this option is not selected, RES WM will present the error message “Can’t start application”, because the installation task hasn’t finished. With the option “Run Once” -> User, you can prevent an application from being installed on different devices.

RES WM Application start

When the end user starts the application for the first time, a message appears at the lower right of the screen. When the installation is finished, the application is launched. When the installation takes some time, the end user can click “Dismiss and notify me when done”; RES WM will then notify the end user when the installation is done and the application can be used.

[Screenshots: Install-skype-ws-01, Install-skype-ws-02]


With this integration of RES AM in RES WM, an application can easily be deployed on demand to an end user device. As a result, the initial deployment of an end user device can contain less software.