Configure Imprivata Kiosk PC

 

Prerequisite StoreFront configuration

Change in web.config (c:\inetpub\wwwroot\citrix\STORE)

<pnaProtocolResources changePasswordAllowed="Never" logonMethod="prompt"
to

<pnaProtocolResources changePasswordAllowed="Never" logonMethod="sson"

Install Citrix Receiver for Windows 4.3.100

CitrixReceiver.exe /silent /includeSSON /EnableCEIP=false ALLOWADDSTORE=N ADDLOCAL=ReceiverInside,ICA_Client,WebHelper,SSON,AM,SELFSERVICE,USB,Flash,Vd3d

Note – SELFSERVICE requires .NET 3.5 Service Pack 1. The Self-Service Plug-in is not available for Windows Thin PC / Windows Embedded devices, which do not support .NET 3.5.

Optional – also include the /STORE0 switch (store zero) from the command line:
CitrixReceiver.exe /silent /includeSSON /EnableCEIP=false ALLOWADDSTORE=N ADDLOCAL=ReceiverInside,ICA_Client,WebHelper,SSON,AM,SELFSERVICE,USB,Flash,Vd3d STORE0="STORE_NAME;https://storefront.domain.local/Citrix/Store/discovery;on;STORE_DESCRIPTION"

Suppress the ‘Add Account Window in Citrix Receiver for Windows’

Set the following Windows Registry value on the target machine. This can be done manually from the Windows Registry Editor or from an Active Directory Group Policy Object (GPO).

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix]
"EnableFTU"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix]
"EnableFTU"=dword:00000000

Citrix Receiver 4.4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix]
"EnableX1FTU"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Citrix]
"EnableX1FTU"=dword:00000000

Configure Computer GPO

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon
Interactive logon: Do not display last user name (Enabled)
Interactive logon: Do not require CTRL+ALT+DEL (Enabled)

Computer Configuration\Administrative Templates\System\Group Policy
User Group Policy loopback processing mode (Replace)

Computer Configuration\Administrative Templates\System\Logon
Always wait for the network at computer startup and logon (Enabled)
Hide entry points for Fast User Switching (Enabled)

Add registry keys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultUserName (REG_SZ) username
AutoAdminLogon (REG_SZ) 1
Shell (REG_SZ) dummy.exe
DefaultPassword (REG_SZ) password
DefaultDomainName (REG_SZ) domain (if a local account is used, type: ".\")

Create a ‘local’ user account during deployment:
net user username password /passwordchg:no /expires:never /comment:"Imprivata OneSign Service Account" /add

Configure Citrix Receiver policy

Receiver 4.3: Add icaclient.adm (C:\Program Files\Citrix\ICA Client\Configuration\)
Receiver 4.4: Add receiver.admx (C:\Program Files\Citrix\ICA Client\Configuration\)

User Authentication – Local user name and password:
Check Enable pass-through authentication
Check Allow pass-through authentication for all ICA connections
Uncheck Use Novell Directory Server credentials

Manage Fast Connect API Support:
Check Enable Fast Connect API functionality
Check EnableFastConnectTransisitionAPI
Uncheck Leave Apps Running On Logoff
Check Integrate Self Service Plugin with FastConnect

SelfService – Control when Receiver attempts to reconnect to existing sessions.

Control when Receiver attempts to reconnect to existing sessions: Enabled
In the Options pane, select Choose the appropriate combination of reconnect conditions: Disabled

Remove Citrix Keyboard Mapping Tips window
The following key removes the Citrix Keyboard Mapping Tips window when starting a Citrix session. If a local computer account is used, a user GPO from Active Directory will not apply. Therefore, use one of the following methods:

Service account is a domain account
Add registry keys via user GPO

SOFTWARE\Citrix\ICA Client\Keyboard Mapping\Tips

In full screen mode (REG_DWORD) 0x1 (1)

Service account is a local account
Change the ‘Default’ local user profile BEFORE the service account logs in

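REM Load the Default user profile hive so that new local profiles inherit the value
SET HKEY=HKU\Default
REG LOAD %HKEY% %SystemDrive%\Users\Default\NTUSER.DAT
REG ADD "%HKEY%\Software\Citrix\ICA Client\Keyboard Mapping\Tips" /v "In full screen mode" /t REG_DWORD /d 1 /f
REM Unload the hive again so the change is written back to NTUSER.DAT
REG UNLOAD %HKEY%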

Install Imprivata OneSign Agent
msiexec.exe /i "OneSignAgent.msi" IPTXPRIMSERVER="https://192.168.100.1/sso/servlet/messagerouter" AGENTTYPE=2 /l*v c:\ISXAgent.log /qb /norestart

Replace Imprivata OneSign Agent Logo
Copy a logo (bmp) to a folder on the endpoint (C:\Windows\Web\Wallpaper\Imprivata\logo.bmp) (via Group Policy Preferences – Computer Policy)

Add registry keys
HKLM\SOFTWARE\SSOProvider\CoBranding
LogoImage (REG_SZ) C:\Windows\Web\Wallpaper\Imprivata\logo.bmp
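
A check for the HKLM registry values listed on this page, added here as an example; it is not part of the original post and not Citrix or Imprivata tooling. It assumes an elevated 64-bit PowerShell session on the endpoint; the -FtuValueName parameter and the Get-RegValue helper are hypothetical names, and dummy.exe is the placeholder shell value from the Winlogon step above.

```powershell
# Added example: audit the registry values set in the steps on this page.
param(
    # Assumption: EnableFTU for Receiver 4.3, EnableX1FTU for Receiver 4.4
    [ValidateSet('EnableFTU', 'EnableX1FTU')]
    [string]$FtuValueName = 'EnableFTU'
)

# Hypothetical helper: returns $null when the key or the value is missing
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Citrix';             Name = $FtuValueName;    Want = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Citrix'; Name = $FtuValueName;    Want = 0 }
    @{ Path = $winlogon;                                    Name = 'AutoAdminLogon'; Want = '1' }
    @{ Path = $winlogon;                                    Name = 'Shell';          Want = 'dummy.exe' }
)

# Compare each value with what the page sets; a missing value counts as drift
$results = foreach ($c in $checks) {
    $have = Get-RegValue $c.Path $c.Name
    [pscustomobject]@{
        Key    = $c.Path
        Value  = $c.Name
        Want   = $c.Want
        Have   = if ($null -eq $have) { '<missing>' } else { $have }
        Status = if ($null -ne $have -and "$have" -eq "$($c.Want)") { 'OK' } else { 'DRIFT' }
    }
}
$results | Format-Table -AutoSize | Out-String

# DefaultPassword is a plain REG_SZ value: report only whether it is set, never its data
$pwSet = $null -ne (Get-RegValue $winlogon 'DefaultPassword')
"Autologon account  : $(Get-RegValue $winlogon 'DefaultDomainName')\$(Get-RegValue $winlogon 'DefaultUserName')"
"DefaultPassword set: $pwSet"

# Co-branding logo: the registry value should point at a file that exists
$logo = Get-RegValue 'HKLM:\SOFTWARE\SSOProvider\CoBranding' 'LogoImage'
$logoOk = [bool]($logo -and (Test-Path -LiteralPath $logo))
"LogoImage          : $logo (file exists: $logoOk)"

if ($results.Status -contains 'DRIFT') { exit 1 }
```

The script exits with code 1 when any checked value is missing or differs, so it can run as a scheduled compliance check. The per-user Keyboard Mapping Tips value is not covered because it lives in a user hive.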

 
