Configuring RapidIdentity MFA Windows Client Shared Workstation
RapidIdentity MFA Windows Client Shared Workstation is configured using policies from RapidIdentity Server and can also be configured through the Windows Registry. To enable RapidIdentity MFA Windows Client Shared Workstation and its features, it is necessary to add these settings to the Windows Registry manually or manage available policies through RapidIdentity Server Policies. These settings should only be used by seasoned administrators who are experienced in manipulating Windows Registry values.
Follow these steps to configure RapidIdentity MFA Windows Client Shared Workstation:
From the Windows Start Menu, type regedit and open the Registry Editor.
Navigate to HKEY_LOCAL_MACHINE | SOFTWARE | Foray.
Add the following values, as desired, one at a time.
Value Name | Value Type | Value | Description | Example |
---|---|---|---|---|
SharedWorkstation | String | True | This setting must be enabled before any of the other shared workstation related settings and is the only mandatory string for RapidIdentity MFA Windows Client Shared Workstation. | |
SWBypass | String | True | This string is designed to allow users to bypass the window shade by clicking Guest Logon. Serious consideration should be given before enabling this setting. Its primary use is for systems that are secured behind multiple layers of physical access and for which the inability to access the SWE may result in a catastrophic mishap. | |
SWGenLogin | String | True | This string is designed to allow users to authenticate to Shared Workstation using a username and password and the password may be the RapidIdentity MFA Windows Client or a non-Active Directory password. | |
SWEALogin | String | True | This string is designed to allow users to authenticate to Shared Workstation using Emergency Access | |
SWCitrixInstantConnect | String | True | This string is designed to enable InstantConnect on Shared Workstation on which the Citrix Online Plug-in is installed. | |
SWCitrixQLaunchParams | String | True | This string is designed to pass the parameters that would normally be used to automatically launch a Citrix Published Application or Published Desktop using the PNAgent.exe /QLaunch command. The parameters are in the exact same format, i.e. “MyFarm:Published Desktop”. | |
SWVMwareInstantConnect | String | True | This string is designed to enable InstantConnect on Shared Workstation on which VMware View is installed. | |
SWInactivityTime | DWORD, hexadecimal | Integer (minutes) | This value defines the number of minutes that a Shared Workstation may be left inactive before the workstation locks and the screen returns to the “Present Card” dialog. The value may be set to any value equal to or greater than “1”. | |
SWInstantConnectLockOnExit | String | True | This string is designed to automatically lock a Shared Workstation with InstantConnect configured for either VMware View or Citrix Online Plugin (XenDesktop Only) when the user logs out of the VM desktop or the Citrix Published Desktop. | |
SWBackAlpha | DWORD, hexadecimal | Integer, 0-255 | This value defines the transparency of the window shade. The value should be set between 0 = fully transparent and 255 = no transparency. By default, the value is 255 when not configured. | |
SWBackColor | DWORD, hexadecimal | 0 (default) | This value defines the color of the window shade. The value must be set to an RGB value of your desired color. By default, the value is black when not configured. | |
SWBackImage | String | The file path for the image | This value defines a custom background image that is displayed when a Shared Workstation is locked. The value must be set to the path of the image file that you wish to use. If spaces are present in the path to your file, do not use quotation marks. Supported image file format is .png. | |
SWIdleAnimTimer | DWORD, hexadecimal | Integer | This value defines the number of minutes to wait before the RapidIdentity MFA Windows Client logon dialog begins to animate. The value may be set to any value equal to or greater than “1”, for an idle period of 1 to X minutes. | |
SWDelayOnLaunch | DWORD, hexadecimal | Integer | This value defines the number of seconds by which loading of the Shared Workstation-dependent DLLs is delayed upon initial logon. This gives administrators the ability to perform administrative tasks on a shared workstation before the window shade is triggered. The value must be set to a number greater than or equal to 1. The default value is zero, meaning there is no delay. | |
SWPINPolicyRule | DWORD, hexadecimal | 0, 1, or 2 | This value defines the PIN use policy within Shared or non-Shared Workstations to enforce and/or override users’ PIN policies. This is useful in organizations with varied PIN policies or for organizations that want a different PIN policy for Shared Workstation. Since Logoff is not used in Shared Workstation, users with a PIN Policy of “Do not require PIN on unlock” will not be required to enter their PIN when locking and unlocking the window shade. The value may be set to “0” to use the user’s standard PIN policy, “1” to never require a PIN, or “2” to always require a PIN. | |
SWCardBehaviorOverride | DWORD, hexadecimal | -1, 0, 1, 2, 3, or 4 | This value provides an override for card removal behavior on a Shared Workstation. There are 6 possible values. | |
SWCloseAllWindowsOnLogoff | String | True | This string is designed to close all applications opened and terminate all new processes launched by the prior user during prior logon session by Secured Applications upon a logoff event. | |
SWLoginAllWindowsOnLogon | String | True | This setting will attempt to logon to all open applications simultaneously upon unlock of shared workstation, rather than waiting for each application logon dialog to come into focus. | |
SWLaunchOnLogon | Multi-String value | The executable file | This setting will launch one or more applications or processes upon successful authentication to RapidIdentity MFA Windows Client Shared Workstation. This is a multi-string setting so multiple applications may be configured. Multiple executables are defined on separate lines. If there is a space in the path, the path must be contained within quotation marks. | |
SWLockOnOSLock | String | True | This string is designed to automatically lock Shared Workstation when the operating system itself locks. This is necessary for environments where the Windows desktop may lock and the Shared Workstation screen must lock as well. For example, if the generic user account has a well-known username or an easy password, then unlocking Windows may not be secure. Enabling this setting will cause the Shared Workstation screen to come up automatically. If not enabled (which is the default), locking Windows does nothing to the Shared Workstation state. | |
SWIdleAnimType | DWORD, hexadecimal | 0, 1 | This value provides an override for how the Shared Workstation prompt behaves when the Idle Timer (SWIdleAnimTimer) is reached. By default, the prompt will float around the screen. The default value of "0" is for float and the value of "1" is for hide. | |
SWAlwaysOnTop | String | False | This string specifies whether or not the Shared Workstation prompt is always on top of all other windows, which is the default behavior. However, in some environments, it might be useful to allow other applications to appear in front of the Shared Workstation screen. To disable the Always on Top setting and allow other windows to potentially appear on top of the Shared Workstation prompt, set this value to False. | |
SWWaitOnSync | String | True | This string is designed to force Shared Workstation to complete a sync before launching InstantConnect. By default, Shared Workstation favors speed over accuracy in starting the InstantConnect connection. However, in environments when Windows passwords may be changing regularly, it may be desired to always ensure the latest passwords are synced down before attempting a launch that may require that. To force the sync before attempting to launch any InstantConnect connection, set this value to True. | |
SWEnforceUserMatch | String | True | This string is designed to force Shared Workstation to enforce 2-step authentication by requiring that the only user who can unlock Shared Workstation is the same user who logged onto Windows. This is useful for certain environments where enforcing two-factor authentication cannot be accomplished by more traditional methods. To force the Shared Workstation to only accept the credentials of the user who logged onto Windows set this value to True. | |
SWPinComplexityRule | DWORD, hexadecimal | Integer | This value defines the PIN complexity policy within Shared Workstation and may also be used on non-Shared Workstation systems to enforce and/or override users’ PIN policies. To calculate the value to enter, combine the bit-flags for the rules you want enforced. With bit zero as the least-significant bit, the order of processing is as follows. For example, to enforce Windows Password As PIN on this system, the DWORD value should be set to 20 (hexadecimal) or 32 (decimal). A value of 0 indicates that no complexity policy should be enforced. The default value of -1 indicates to use the user's complexity policy defined by the user's authentication set. | |
SWDefaultMethod | DWORD, hexadecimal | 2, 3, 4, 6, 8, 9, 10, 11 | This value provides an override for the default tile that is selected when the Shared Workstation screen first comes up. By default, the prompt will show all available methods. The following values correspond to each tile. Any other value results in the default behavior of showing all tiles. The user will still have the option of clicking Cancel or pressing ESC to return to the full list of tiles available on the machine. | |
SWDefaultDomain | String | The RapidIdentity MFA Windows Client domain name | This string forces Shared Workstation to use the domain name supplied in the setting whenever a domain is not entered. It will also default to showing this domain in the username field for certain tiles. The value should be set to the desired domain name. | |
SWKillAllWindowsOnLogoff | String | True | This string works similarly to SWCloseAllWindowsOnLogoff: it closes all applications opened and terminates all new processes launched by the prior user during the prior logon session by Secured Applications upon a logoff event. The difference is that closing a window, as opposed to killing it, may leave a prompt that must be answered before the window closes gracefully. With this setting enabled, the window is forcefully killed even if such a prompt appears, ensuring that it closes. | |
SWSkipAppWindowsOnLogoff | Multi-String value | The executable file path | This setting works in conjunction with SWCloseAllWindowsOnLogoff and SWKillAllWindowsOnLogoff to specify certain windows or applications that should not be closed or killed. This is a multi-string setting so multiple applications may be configured. | |
SWRdpInstantConnect | String | True | This string is designed to enable InstantConnect on Shared Workstation on which the user is expected to automatically connect to an RDP session, such as Remote Desktop Services, and must be used in conjunction with SWRdpServer. The authentication occurs with the user's Active Directory or Windows credentials. | |
SWRdpServer | String | The server name | This string sets the server name that InstantConnect will connect to when used in conjunction with SWRdpInstantConnect. The server name should be the same value as would normally be entered into a standard RDP connection. | |
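The following script is an added example, not part of the RapidIdentity documentation or product, showing how the values in the table above are written under HKLM\SOFTWARE\Foray from an elevated PowerShell session and then audited for the dependencies the table describes. The image and executable paths, the idle timeout and the PIN values are placeholders chosen for illustration.

```powershell
# Added example (not from the RapidIdentity documentation): writes a minimal
# Shared Workstation configuration under HKLM\SOFTWARE\Foray and then audits it.
# Assumes an elevated session; all paths below are placeholders.
$Key = 'HKLM:\SOFTWARE\Foray'
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# REG_SZ values: the table uses the literal strings "True"/"False".
Set-ItemProperty -Path $Key -Name 'SharedWorkstation'  -Value 'True' -Type String   # mandatory, enable first
Set-ItemProperty -Path $Key -Name 'SWLockOnOSLock'     -Value 'True' -Type String   # shade follows OS lock
Set-ItemProperty -Path $Key -Name 'SWEnforceUserMatch' -Value 'True' -Type String   # unlock only by Windows user

# REG_DWORD values: PowerShell accepts decimal or 0x literals; regedit shows them as hexadecimal.
Set-ItemProperty -Path $Key -Name 'SWInactivityTime'    -Value 5    -Type DWord   # lock after 5 idle minutes
Set-ItemProperty -Path $Key -Name 'SWPINPolicyRule'     -Value 2    -Type DWord   # always require a PIN
Set-ItemProperty -Path $Key -Name 'SWPinComplexityRule' -Value 0x20 -Type DWord   # 0x20 = 32: Windows Password As PIN

# Path quoting differs: SWBackImage takes the bare path even with spaces,
# while SWLaunchOnLogon (REG_MULTI_SZ) needs quotation marks around paths containing spaces.
Set-ItemProperty -Path $Key -Name 'SWBackImage' -Value 'C:\Branding\lock screen.png' -Type String   # placeholder
Set-ItemProperty -Path $Key -Name 'SWLaunchOnLogon' -Type MultiString -Value @(
    '"C:\Program Files\Example\Clinical App.exe"',   # placeholder executable, quoted because of spaces
    'C:\Tools\kiosk.exe'                              # placeholder executable, no spaces
)

function Test-SharedWorkstationConfig {
    # Returns one finding per misconfiguration or risky setting found under the key.
    param([string]$Path = 'HKLM:\SOFTWARE\Foray')
    $p = Get-ItemProperty -Path $Path
    $findings = @()
    if ($p.SharedWorkstation -ne 'True') { $findings += 'SharedWorkstation is not True; other SW* settings are ignored' }
    if ($p.SWBypass -eq 'True') { $findings += 'SWBypass is enabled: Guest Logon bypasses the window shade' }
    if ($p.SWRdpInstantConnect -eq 'True' -and -not $p.SWRdpServer) { $findings += 'SWRdpInstantConnect set without SWRdpServer' }
    if ($null -ne $p.SWInactivityTime -and $p.SWInactivityTime -lt 1) { $findings += 'SWInactivityTime must be >= 1' }
    if ($p.SWLockOnOSLock -ne 'True') { $findings += 'SWLockOnOSLock not set: locking Windows leaves the shade unchanged' }
    if ($p.SWAlwaysOnTop -eq 'False') { $findings += 'SWAlwaysOnTop disabled: other windows may cover the prompt' }
    return $findings
}

Test-SharedWorkstationConfig | ForEach-Object { Write-Warning $_ }
```

Running the audit function on its own (without the Set-ItemProperty lines) is a quick way to review an existing kiosk before it goes back into service.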