IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.2

Configuring shared desktops

Implementing shared desktop mode involves configuring Windows settings and configuring system, machine, and user policies in AccessAdmin.

Windows configuration

The user can either have an Active Directory account or a local Windows account. Create a local Windows account if there is no Active Directory account.

These steps are generally performed by corporate Active Directory Administrators. You are responsible for collaborating with them to ensure that the Windows configuration steps are in place before you begin configuring the shared desktop in AccessAdmin.

  1. Create a domain user to be used for automatic logon to Windows.
  2. Restrict the user rights by setting proper group membership and domain-level restrictions on applications, files, and services.
    Use the Group Policy Object Editor to define the shared Windows account privileges. For example:
    • Restrict what users can see on the Start menu.
    • Do not allow logoff through the Start menu or the Ctrl+Alt+Del sequence.

    For more information about applying policy settings for the Start menu in Windows, go to the Microsoft website at http://www.microsoft.com and search for "Policy settings for the Start menu".

  3. Edit the registry on the shared workstation to enable automatic logon to Windows for the shared user.

    For more information about how to enable automatic logon for Windows, go to the Microsoft website at http://www.microsoft.com and search for "How to turn on automatic logon".
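The following PowerShell script is an added example and is not part of the IBM documentation or the product; it audits the Winlogon registry values that step 3 configures on a shared workstation, so that you can confirm automatic logon is set up for the restricted shared account and catch a clear-text DefaultPassword value before shared desktop mode goes live. The account name and domain ('shareddesk', 'CORP') are placeholders.

```powershell
# Added example, not part of the IBM documentation. Run in an elevated
# PowerShell session on the shared workstation after completing step 3.
function Test-SharedDesktopAutoLogon {
    param(
        [Parameter(Mandatory)] [string] $ExpectedUser,    # placeholder, e.g. 'shareddesk'
        [Parameter(Mandatory)] [string] $ExpectedDomain   # placeholder, e.g. 'CORP'
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $key
    $findings = @()

    # 1. Automatic logon must be switched on (REG_SZ value "1").
    if ($w.AutoAdminLogon -ne '1') {
        $findings += 'AutoAdminLogon is not "1": Windows will not log the shared user on automatically.'
    }
    # 2. The account that Windows logs on must be the restricted shared account
    #    created in step 1, not an administrative account.
    if ($w.DefaultUserName -ne $ExpectedUser -or $w.DefaultDomainName -ne $ExpectedDomain) {
        $findings += "Autologon account is '$($w.DefaultDomainName)\$($w.DefaultUserName)', expected '$ExpectedDomain\$ExpectedUser'."
    }
    # 3. A DefaultPassword REG_SZ value can be read by any local user. The
    #    Sysinternals Autologon tool stores the password as an LSA secret instead.
    if ($null -ne $w.DefaultPassword) {
        $findings += 'DefaultPassword is stored in clear text in the registry.'
    }
    # 4. AutoLogonCount makes automatic logon expire after that many logons, which
    #    would leave the shared workstation at the Windows logon screen unexpectedly.
    if ($null -ne $w.AutoLogonCount) {
        $findings += "AutoLogonCount is set ($($w.AutoLogonCount)); automatic logon will stop after that many logons."
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-SharedDesktopAutoLogon -ExpectedUser 'shareddesk' -ExpectedDomain 'CORP' | Format-List
```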

AccessAdmin configuration

After configuring the necessary Windows settings, you must configure IBM® Security Access Manager for Enterprise Single Sign-On shared desktop settings in AccessAdmin. You can use the Setup Assistant.

You can set the following sample policies when you configure a shared desktop.

Note: A policy marked with (*) is a required configuration.

AccessAdmin policy    Description

pid_unlock_option
    Unlock computer policy that controls who can unlock a computer when it is locked by a user who is logged on to AccessAgent.

pid_win_startup_action
    Actions on Windows startup.
    Note: When you set this policy to Lock Computer, make sure that you set pid_en_network_provider_enabled to 0. This setting prevents the automatic logoff of the first user who unlocks the shared desktop.

pid_win_fast_user_switching_enabled
    Whether to enable support for Fast User Switching in Microsoft Windows 7.

pid_fast_unlock_enabled
    Whether to allow AccessAgent to unlock the computer without performing any checks with the IMS Server.

pid_engina_winlogon_option_enabled
    Whether to enable the option to go directly to Windows logon from EnGINA.

pid_en_network_provider_enabled
    Whether to enable the Network Provider.

pid_logoff_manual_enabled
    Whether to allow the user to manually log off from AccessAgent.

pid_logoff_manual_action
    Actions to be performed by AccessAgent when the user manually logs off.

pid_background_auth_enabled_option
    Whether AccessAgent must perform authentication with the IMS Server in the background.

pid_background_auth_retry_mins
    Time interval, in minutes, at which to initiate background authentication if AccessAgent cannot connect to the IMS Server.

See the IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide for more information about these policies.