deviceTRUST 23.1.410 for Windows and macOS, and 23.1.400 for Ubuntu and iOS are now available.
×

Policy category: Shell Access

  1. Policy setting: Method used to block logon whilst properties are read from the remote device
  2. Policy setting: Remoting protocols that deviceTRUST will use when attempting to establish properties from the remote device
  3. Policy setting: Timeout whilst waiting for properties from the remote device
  4. Policy setting: Timeout before automatically disconnecting users from an untrusted device
  5. Policy setting: Disallow connections from trusted devices not supporting application level encryption
  6. Policy setting: Disallow connections from trusted devices not meeting the minimum client version
  7. Policy setting: Users allowed access from an untrusted device
  8. Policy setting: Users denied access from an untrusted device

Policy setting: Method used to block logon whilst properties are read from the remote device

Controls how deviceTRUST blocks logon sessions whilst properties are read from the remote device.

  • When set to Blocking, deviceTRUST prevents the logon process from continuing until properties have been read from the remote device. This is the best option for integrating deviceTRUST properties with Group Policy or third party logon tools.

  • When set to ‘Non Blocking’, deviceTRUST hides the user’s session whilst allowing the logon process to continue in the background, ensuring a speedy logon.

  • When set to Immediate, deviceTRUST allows the logon process to continue, and does not attempt to block the user’s session. The deviceTRUST Logon trigger is executed immediately without waiting for the remote device’s properties to be read.

Blocking is not supported for Amazon WorkSpace sessions and will be treated as Non Blocking within this environment.

The default value is Blocking.

Policy setting: Remoting protocols that deviceTRUST will use when attempting to establish properties from the remote device

Defines the remoting protocols that deviceTRUST will use when attempting to establish properties from the remote device.

  • When RDP, ICA, PCoIP or Blast is checked, deviceTRUST will attempt to establish properties from the remote device when that remoting protocol was used to establish the session.

  • When ‘ICA over RDP’ is checked, deviceTRUST will attempt to establish properties from the remote device using the RDP virtual channel protocol for ICA sessions.

The default value is enabled for all protocols. When disabled, deviceTRUST will not attempt to connect to the remote device.

Policy setting: Timeout whilst waiting for properties from the remote device

Determines how long to wait for properties from the remote device.

The value, specified in seconds, defines an upper limit of how long to wait for the properties from the remote device.

deviceTRUST can typically establish very quickly whether or not the client software is installed on the remote device. However, over volatile networks, or on platforms that rely on a push notification such as iOS, the communication cannot be guaranteed.

The default value is 120 seconds (2 minutes).

Policy setting: Timeout before automatically disconnecting users from an untrusted device

Determines how long to wait before forcing the disconnect or logoff of user on an untrusted device.

When connecting from an untrusted device, this value specified in seconds, defines the amount of time to display a message to the user preventing access to the virtual session before forcing a disconnect or logoff of the user. Users are logged off if they have never been presented with the session, otherwise they are disconnected.

The default value is 60 seconds.

Policy setting: Disallow connections from trusted devices not supporting application level encryption

Defines whether to deny access to clients that do not support application level encryption.

Application level encryption offers an additional layer of security over the top of the existing encryption offered by the underlying Virtual Channel protocol. Application level encryption involves a key exchange using an automatically generated 2048-bit RSA key pair, followed by encrypting all communication using a 256-bit AES-GCM stream cipher.

  • When ENABLED, clients must encrypt all communications with application level encryption to gain access to the shell. Clients not supporting this functionality will be denied access to the shell.

  • When DISABLED, clients supporting application level encryption will encrypt all communications, and clients not supporting will still be granted access to the shell.

The default behavior is disabled.

Policy setting: Disallow connections from trusted devices not meeting the minimum client version

Defines the minimum version number of the client that can be used to connect to the virtual session.

The value is a string that can be one of the following formats:

  • 18.1.100.0
  • 18.1.100
  • 18.1
  • 18
  • %HOST_VERSION%

%HOST_VERSION% ensures that clients with software older than the version of the host cannot connect.

This policy only applies to Windows clients.

The default behavior when not defined, allows all clients to connect.

Policy setting: Users allowed access from an untrusted device

Defines a list of users that will be allowed access from an untrusted device.

This policy works together with the ‘Users denied access from an untrusted device’ policy, with denied users taking precedence over allowed users.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

When defined, only users defined in the allowed list can access the virtual session without successfully providing properties of the remote device.

The default behavior when not defined, is that users do not need to provide properties of the remote device to gain access to the virtual session.

Policy setting: Users denied access from an untrusted device

Defines a list of users who are prohibited from accessing the virtual session from an untrusted device.

This policy works together with the ‘Users allowed access from an untrusted device’ policy, with denied users taking precedence over allowed users.

Defines a list of untrusted users who are prohibited from accessing the virtual session without successfully providing properties of the remote device.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

The default value does not include any users.