Policy category: Shell Access

  1. Policy setting: Method used to block logon whilst properties are read from the connected device
  2. Policy setting: Timeout whilst waiting for properties from the remote connected device
  3. Policy setting: Timeout before automatically disconnecting users from an untrusted device
  4. Policy setting: Disallow connections from trusted devices not supporting application level encryption
  5. Policy setting: Disallow connections from trusted devices not meeting the minimum client version
  6. Policy setting: Allow deviceTRUST to automatically update connecting clients
  7. Policy setting: Whitelist of users allowed access from an untrusted device
  8. Policy setting: Blacklist of users denied access from an untrusted device
  9. Policy setting: Allow deviceTRUST triggers to control access to the virtual session
  10. Policy setting: Define who can control access to the virtual session
  11. Policy setting: User message displayed whilst establishing host properties and device identity
  12. Policy setting: User message displayed whilst establishing context with a device
  13. Policy setting: User message displayed when a connection from a trusted device is disallowed
  14. Policy setting: User messages displayed when automatically updating the client
  15. Policy setting: User message displayed when an untrusted device is disallowed
  16. Policy setting: User message displayed on logoff button
  17. Policy setting: User message displayed on disconnect button
  18. Policy setting: User message displayed whilst wait triggers are executed
  19. Policy setting: Translations of user message displayed whilst establishing host properties and device identity
  20. Policy setting: Translations of user message displayed whilst establishing context with a device
  21. Policy setting: Translations of user message displayed when a connection from a trusted device is disallowed
  22. Policy setting: Translations of user messages displayed when automatically updating the client
  23. Policy setting: Translations of user message displayed when an untrusted device is disallowed
  24. Policy setting: Translations of user message displayed on logoff button
  25. Policy setting: Translations of user message displayed on disconnect button
  26. Policy setting: Translations of user message displayed whilst wait triggers are executed

Policy setting: Method used to block logon whilst properties are read from the connected device

Controls how deviceTRUST blocks logon sessions whilst properties are read from the connected device.

  • When set to Blocking, deviceTRUST prevents the logon process from continuing until properties have been obtained from the remote connected device. This is the best option for integrating deviceTRUST properties with Group Policy or third party logon tools.

  • When set to ‘Non Blocking’, deviceTRUST hides the user’s session whilst allowing the logon process to continue in the background, ensuring a speedy logon.

  • When set to Immediate, deviceTRUST allows the logon process to continue, and does not attempt to block the user’s session. The deviceTRUST Logon trigger is executed immediately without waiting for the remote connected device’s properties to be obtained.

Blocking is not supported for Amazon WorkSpace sessions and will be treated as Non Blocking within this environment.

The default value is Blocking.

Policy setting: Timeout whilst waiting for properties from the remote connected device

Determines how long to wait for properties from the remote connected device.

The value, specified in seconds, defines an upper limit of how long to wait for the properties from the remote connected device.

deviceTRUST can typically establish very quickly whether or not the client software is installed on the remote connected device. However, over volatile networks, or on platforms that rely on a push notification such as iOS, the communication cannot be guaranteed.

The default value is 120 seconds (2 minutes).

Policy setting: Timeout before automatically disconnecting users from an untrusted device

Determines how long to wait before forcing the disconnect or logoff of a user on an untrusted device.

When connecting from an untrusted device, this value, specified in seconds, defines how long a message preventing access to the virtual session is displayed to the user before the user is forcibly disconnected or logged off. Users are logged off if they have never been presented with the session; otherwise they are disconnected.

The default value is 60 seconds.

Policy setting: Disallow connections from trusted devices not supporting application level encryption

Defines whether to deny access to clients that do not support application level encryption.

Application level encryption offers an additional layer of security over the top of the existing encryption offered by the underlying Virtual Channel protocol. Application level encryption involves a key exchange using an automatically generated 2048-bit RSA key pair, followed by encrypting all communication using a 256-bit AES-GCM stream cipher.

  • When ENABLED, clients must encrypt all communications with application level encryption to gain access to the shell. Clients not supporting this functionality will be denied access to the shell.

  • When DISABLED, clients supporting application level encryption will encrypt all communications, and clients not supporting it will still be granted access to the shell.

The default behavior is disabled.

Policy setting: Disallow connections from trusted devices not meeting the minimum client version

Defines the minimum version number of the client that can be used to connect to the virtual session.

The value is a string that can be one of the following formats:

  • 18.1.100.0
  • 18.1.100
  • 18.1
  • 18
  • %HOST_VERSION%

%HOST_VERSION% ensures that clients with software older than the version of the host cannot connect.

This policy only applies to Windows clients.

When not defined, the default behavior allows all clients to connect.

Policy setting: Allow deviceTRUST to automatically update connecting clients

Defines the properties required for the deviceTRUST client to automatically update.

Auto update requires Windows client 18.1 or later. Additionally, clients older than 19.1 require the ‘Disallow connections from trusted devices not meeting the minimum client version’ policy.

Clients older than the Update Version will be automatically updated and become active on subsequent connections whilst allowing the current connection to continue. To prevent clients from connecting when updating, this policy can be used together with the “Disallow connections from trusted devices not meeting the minimum client version” policy.

The Version Blacklist value defines a semi-colon separated list of client versions which should not be installed on a client. If a value within this list matches the installed client version and the installed client version is less than the Update Version the client will be upgraded. If a value within this list matches the installed client version and the installed client version is greater than the Update Version the client will be downgraded. Version Blacklist requires Windows client 19.3 or later.

The Primary Resource Url value defines the location of the client.

The Secondary Resource Urls value defines a semi-colon separated list of client locations to try should the primary resource url be unreachable.

The Hash value is the optional SHA-256 hash of the client executable. This is used by the client to ensure the integrity of the downloaded binary before it is executed.

The Args value defines the custom arguments. To enable logging, add ‘/log client_install.txt’. Installation files will be located in ‘[ProgramData]\deviceTRUST\Client\AutoUpdate’.

The default behavior does not automatically update clients.
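The version formats of the minimum client version policy, the upgrade/downgrade rules of the Version Blacklist, and the SHA-256 integrity check on the downloaded installer, worked through as an added example (not deviceTRUST's own code). The host version, the treatment of omitted version components as 0, and all sample versions are assumptions of the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed host version for this example; a real host substitutes its own.
HOST_VERSION = "19.3.200.0"


def parse_version(text: str, host_version: str = HOST_VERSION) -> Tuple[int, ...]:
    """Parse a version in any documented form: '18.1.100.0', '18.1.100',
    '18.1', '18' or the %HOST_VERSION% token. Omitted trailing components
    are treated as 0 (an assumption of this example)."""
    if text.strip() == "%HOST_VERSION%":
        text = host_version
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def client_meets_minimum(client_version: str, minimum: Optional[str]) -> bool:
    """'Disallow connections from trusted devices not meeting the minimum
    client version': an undefined policy (None) lets every client connect."""
    if minimum is None:
        return True
    return parse_version(client_version) >= parse_version(minimum)


def auto_update_action(client_version: str, update_version: str,
                       version_blacklist: str = "") -> str:
    """Decide what the auto-update policy does with a connecting client:
    'upgrade', 'downgrade' or 'none'. The blacklist is the semi-colon
    separated list of versions that must not stay installed."""
    installed = parse_version(client_version)
    target = parse_version(update_version)
    blacklisted = {parse_version(v) for v in version_blacklist.split(";") if v.strip()}
    if installed < target:
        return "upgrade"      # anything older than the Update Version is updated
    if installed > target and installed in blacklisted:
        return "downgrade"    # a blacklisted newer client is rolled back
    return "none"


def verify_download(blob: bytes, expected_sha256: Optional[str]) -> bool:
    """Mirror the optional Hash value: only an installer whose SHA-256 matches
    the policy may be executed. No configured hash means no check."""
    if not expected_sha256:
        return True
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


if __name__ == "__main__":
    print(client_meets_minimum("19.1.0.0", "%HOST_VERSION%"))      # False
    print(auto_update_action("19.4.0.0", "19.3.200", "19.4.0.0"))  # downgrade
```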

Policy setting: Whitelist of users allowed access from an untrusted device

Defines a whitelist of users that will be allowed access from an untrusted device.

This policy works together with the ‘Blacklist of users denied access from an untrusted device’ policy, with blacklisted users taking precedence over whitelisted users.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

When defined, only users defined in the whitelist can access the virtual session without successfully providing properties of the remote connected device.

When not defined, the default behavior is that users do not need to provide properties of the remote connected device to gain access to the virtual session.

Policy setting: Blacklist of users denied access from an untrusted device

Defines a blacklist of users who are prohibited from accessing the virtual session from an untrusted device.

This policy works together with the ‘Whitelist of users allowed access from an untrusted device’ policy, with blacklisted users taking precedence over whitelisted users.

Defines a list of untrusted users who are prohibited from accessing the virtual session without successfully providing properties of the remote connected device.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

The default value does not include any users.
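The whitelist and blacklist policies above, evaluated together as an added example (not deviceTRUST's own code): blacklist entries win, an undefined whitelist requires no device properties, and SAM and DNS domain spellings of the same principal compare equal. The SAM-to-DNS mapping, the sample users and groups, and the combination with the untrusted-device timeout outcome are assumptions of the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# Constructed SAM-to-DNS domain mapping so that CORP\Alice and
# corp.example.com\Alice resolve to the same principal.
DOMAIN_ALIASES = {"CORP": "corp.example.com"}


def canonical(name: str) -> str:
    """Normalise DOMAIN\\UserName or DOMAIN\\SecurityGroupName to a
    lower-case DNS-domain form so SAM and DNS spellings compare equal."""
    domain, sep, account = name.partition("\\")
    if not sep or not account:
        raise ValueError(f"expected DOMAIN\\Name, got {name!r}")
    domain = DOMAIN_ALIASES.get(domain.upper(), domain)
    return f"{domain.lower()}\\{account.lower()}"


@dataclass
class Principal:
    user: str                    # e.g. CORP\alice
    groups: Sequence[str] = ()   # security groups the user belongs to

    def identities(self) -> FrozenSet[str]:
        return frozenset(canonical(n) for n in (self.user, *self.groups))


def untrusted_device_allowed(principal: Principal,
                             whitelist: Optional[Sequence[str]],
                             blacklist: Sequence[str]) -> bool:
    """Apply the whitelist/blacklist pair for a user whose device properties
    could not be obtained. whitelist=None means the policy is not defined."""
    ids = principal.identities()
    if any(canonical(entry) in ids for entry in blacklist):
        return False          # blacklisted users take precedence
    if whitelist is None:
        return True           # no whitelist: properties are not required
    return any(canonical(entry) in ids for entry in whitelist)


def session_decision(properties_obtained: bool, principal: Principal,
                     whitelist: Optional[Sequence[str]], blacklist: Sequence[str],
                     session_shown: bool) -> str:
    """Outcome for a connection (other policies aside): 'allow', or after the
    untrusted-device timeout 'logoff' (session never shown) or 'disconnect'."""
    if properties_obtained or untrusted_device_allowed(principal, whitelist, blacklist):
        return "allow"
    return "disconnect" if session_shown else "logoff"


if __name__ == "__main__":
    alice = Principal("CORP\\alice", ["CORP\\Contractors"])
    print(untrusted_device_allowed(alice, ["corp.example.com\\Alice"], ["CORP\\Contractors"]))
```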

Policy setting: Allow deviceTRUST triggers to control access to the virtual session

Defines whether deviceTRUST triggers can control access to the virtual session.

This policy works together with the ‘Define who can control access to the virtual session’ policy, which can be used to allow SYSTEM or Local Administrator processes to control access to the virtual session.

  • When ENABLED, processes launched by deviceTRUST triggers can call dtcmd.exe to allow or deny access to the virtual session.

  • When DISABLED, processes launched by deviceTRUST triggers are unable to call dtcmd.exe to allow or deny access to the virtual session.

The default behavior is enabled.

Policy setting: Define who can control access to the virtual session

Determines whether SYSTEM or Elevated Processes can control access to the virtual session.

This policy works together with the ‘Allow deviceTRUST triggers to control access to the virtual session’ policy, which can be used to allow deviceTRUST triggered processes to control access to the virtual session.

  • When set to None, processes are unable to call dtcmd.exe to allow or deny access to the virtual session.

  • When set to ‘SYSTEM account’, any process running under the SYSTEM identity can allow or deny access to any other virtual session by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, any elevated administrative process can allow or deny access to any other virtual session by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: User message displayed whilst establishing host properties and device identity

Defines the message displayed to the user whilst both host properties, and the identity of the remote connected device are established.

Variables within the text are substituted for their property values. Host properties are available when this message is displayed. Additionally, %NEWLINE% breaks the text onto an additional line.

The default value is ‘Please wait’.

Policy setting: User message displayed whilst establishing context with a device

Defines the message displayed to the user whilst context is established with the connected device.

Variables within the text are substituted for their property values. Host properties and %DEVICE_NAME% are available when this message is displayed. Additionally, %NEWLINE% breaks the text onto an additional line.

The default value is ‘Establishing context with %DEVICE_NAME%’.

Policy setting: User message displayed when a connection from a trusted device is disallowed

Defines the message displayed to the user when attempting to connect with a client that is disallowed due to application level encryption or minimum version requirements.

This policy works together with the ‘Disallow connections from trusted devices not supporting application level encryption’ and ‘Disallow connections from trusted devices not meeting the minimum client version’ policies, which can be used to prevent access to the virtual session when the deviceTRUST client does not meet the necessary requirements.

Variables within the text are substituted for their property values. Host properties and %DEVICE_NAME% are available when this message is displayed. Additionally, %NEWLINE% breaks the text onto an additional line.

The default title is ‘Access Denied’.

The default message is ‘To allow access to your work environment, please upgrade to the latest deviceTRUST client from https://devicetrust.com/download. %NEWLINE%For more details, contact your system administrator.’.

Policy setting: User messages displayed when automatically updating the client

Defines the messages displayed to the user when the client is automatically updating.

This policy works together with the ‘Allow deviceTRUST to automatically update connecting clients’ policy, which can be used to automatically update clients.

The default title is ‘We’re updating your software’.

The default downloading message is ‘Please wait while we download an update’.

The default upgrading message is ‘Installing your update’.

The default complete message is ‘Your update has been installed. Please close and relaunch your client before reconnecting to your workplace.’.

The default error message is ‘We didn’t manage to install your update successfully. Please download and install the latest deviceTRUST client from https://devicetrust.com/download or contact your system administrator.’.

Policy setting: User message displayed when an untrusted device is disallowed

Defines the message, and optionally a title to be displayed to the user when properties of the remote device could not be obtained, and the user is not permitted to access the desktop from an untrusted device.

Variables within the title or message are substituted for their property values. Host properties are available when this message is displayed. Additionally, %NEWLINE% breaks the text onto an additional line.

The default title is ‘Access Denied’.

The default message is ‘To allow access to your work environment, please install the deviceTRUST client from https://devicetrust.com/download. %NEWLINE%For more details, contact your system administrator.’.

Policy setting: User message displayed on logoff button

Defines the text displayed to the user on the Logoff button.

The logoff button is displayed when deviceTRUST blocks the virtual session, and that session has never been shown to the user.

The default value is ‘Logoff’.

Policy setting: User message displayed on disconnect button

Defines the text displayed to the user on the Disconnect button.

The disconnect button is displayed when deviceTRUST blocks the virtual session, and that session has previously been shown to the user.

The default value is ‘Disconnect’.

Policy setting: User message displayed whilst wait triggers are executed

Defines the text displayed to the user whilst executing a trigger.

This message is displayed to the user during the Logoff trigger, and during the Logon or Reconnect triggers when configured to wait for the trigger to complete.

Variables within the text are substituted for their property values. Host and trigger properties are available when this message is displayed. Additionally, %NEWLINE% breaks the text onto an additional line.

The default value is ‘Applying contextual policies’.

Policy setting: Translations of user message displayed whilst establishing host properties and device identity

Defines the translations of the user message displayed whilst establishing host properties and device identity.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.

Policy setting: Translations of user message displayed whilst establishing context with a device

Defines the translations of the user message displayed whilst establishing context with a device.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.

Policy setting: Translations of user message displayed when a connection from a trusted device is disallowed

Defines the translations of the user message displayed when attempting to connect with a client that is disallowed due to application level encryption or minimum version requirements.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.

Policy setting: Translations of user messages displayed when automatically updating the client

Defines the translations of the user messages displayed when the client is automatically updating.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.

Policy setting: Translations of user message displayed when an untrusted device is disallowed

Defines the translations of the user message displayed when an untrusted device is disallowed.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.

Policy setting: Translations of user message displayed on logoff button

Defines the translations of the user message displayed on the logoff button.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.

Policy setting: Translations of user message displayed on disconnect button

Defines the translations of the user message displayed on the disconnect button.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.

Policy setting: Translations of user message displayed whilst wait triggers are executed

Defines the translations of the user message displayed whilst wait triggers are executed.

Translations are defined as a mapping of user locale to the message displayed to the user.

User messages are selected by prioritizing a region specific locale such as en-US, followed by a region neutral locale such as en, followed by the default user message.

For example:

  • en-US - Provides a user message displayed only when the language is English and the region is United States.
  • en - Provides a user message displayed when the language is English, regardless of the region.

The default value does not provide any translations.
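The locale priority shared by all the Translations policies above (region specific, then region neutral, then the default message), combined with the %VARIABLE% and %NEWLINE% substitution described for the user message policies, as an added example (not deviceTRUST's own code). The sample translations and properties are constructed, and leaving unknown variables untouched is an assumption of the example.

```python
import re
from typing import Mapping

# Constructed translations for the 'establishing context' message; the
# keys are user locales as used by the Translations policies.
TRANSLATIONS = {
    "en-US": "Establishing context with %DEVICE_NAME% (US)",
    "en": "Establishing context with %DEVICE_NAME%",
    "de": "Kontext mit %DEVICE_NAME% wird hergestellt",
}
DEFAULT_MESSAGE = "Establishing context with %DEVICE_NAME%"

_VARIABLE = re.compile(r"%([A-Za-z0-9_]+)%")


def select_message(translations: Mapping[str, str], user_locale: str,
                   default: str) -> str:
    """Locale priority: region-specific (en-US), then region-neutral (en),
    then the policy's default message."""
    lookup = {k.lower(): v for k, v in translations.items()}
    language = user_locale.partition("-")[0]
    for key in (user_locale.lower(), language.lower()):
        if key in lookup:
            return lookup[key]
    return default


def substitute(text: str, properties: Mapping[str, str]) -> str:
    """Replace %NAME% with the matching host/device property and expand
    %NEWLINE% into a line break. Variables without a property are left
    as-is (an assumption of this example; the page does not say)."""
    def replace(match):
        name = match.group(1)
        if name == "NEWLINE":
            return "\n"
        return properties.get(name, match.group(0))
    return _VARIABLE.sub(replace, text)


def render_message(translations: Mapping[str, str], user_locale: str,
                   default: str, properties: Mapping[str, str]) -> str:
    """Full pipeline: pick the translation, then substitute variables."""
    return substitute(select_message(translations, user_locale, default), properties)


if __name__ == "__main__":
    print(render_message(TRANSLATIONS, "en-GB", DEFAULT_MESSAGE,
                         {"DEVICE_NAME": "LAPTOP-01"}))
```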