ThinKiosk and Imprivata Integration
This article outlines the steps required to use ThinKiosk with Imprivata OneSign. #TK-KB9
ThinKiosk works fine with Imprivata OneSign, but a few settings are required.
------------------------------------------------------------
During tap / unlock, ThinKiosk needs to be called with the following command line:
- ThinKiosk.exe -l -u=<username> -p=<password> -d=<domain>
This command line will cause ThinKiosk to automatically log in, enumerate and launch resources based on your ThinKiosk profile. If an instance of ThinKiosk is already running it will connect to that running instance and perform the login.
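Because the login call carries -p=<password> as a process argument, any process-creation logging with command-line capture on the endpoint will record it. The following is an added example (not part of the original article or of ThinKiosk/Imprivata tooling) that masks the password in such records before they are stored or forwarded; the `CommandLine` field name and the sample events are assumptions constructed for illustration.

```python
import re

# Switches of the documented login command line:
#   ThinKiosk.exe -l -u=<username> -p=<password> -d=<domain>
# A value is either "quoted" or runs to the next whitespace.
_VALUE = r'("[^"]*"|\S+)'
_USER = re.compile(r'(?i)(?:^|\s)-u=' + _VALUE)
_PASS = re.compile(r'(?i)((?:^|\s)-p=)' + _VALUE)
MARK = "<redacted>"


def redact(cmdline):
    """Mask the -p= value when the line has the -u=/-p= login shape."""
    if not (_USER.search(cmdline) and _PASS.search(cmdline)):
        return cmdline, False
    return _PASS.sub(lambda m: m.group(1) + MARK, cmdline), True


def scrub_events(events, field="CommandLine"):
    """Return (scrubbed copies of events, number that carried a password)."""
    out, hits = [], 0
    for ev in events:
        clean, hit = redact(ev.get(field, ""))
        out.append({**ev, field: clean} if hit else dict(ev))
        hits += hit
    return out, hits


# Constructed sample events (not real logs). The 8.3 short path mirrors what a
# launcher built from FileSystemObject.ShortPath puts on the command line.
SAMPLE = [
    {"CommandLine": r'C:\PROGRA~2\THINKI~1\THINKI~1.EXE -l -u=jdoe -p=Winter2024! -d=CORP'},
    {"CommandLine": r'ThinKiosk.exe -l -u="j doe" -p="two words" -d=CORP'},
    {"CommandLine": r'C:\PROGRA~2\THINKI~1\THINKI~1.EXE -imprivataLock'},
    {"CommandLine": r'ping.exe -p=5 host'},  # no -u=, so left untouched
]

if __name__ == "__main__":
    scrubbed, n = scrub_events(SAMPLE)
    for ev in scrubbed:
        print(ev["CommandLine"])
    print(n, "event(s) carried a password")
```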
During tap / lock, the following command line needs to be called:
- ThinKiosk.exe -imprivataLock
When ThinKiosk receives this command line, it hides all remote Citrix / RDP / VMware windows and the ThinKiosk UI window itself. This is done for security reasons, so that if a different user taps back in, they don’t see the previous user’s sessions. If the same user logs back in, ThinKiosk simply un-hides itself and any remote desktop window that was previously hidden, which gives a very fast experience for the same user tapping in and out.
You will need to add the following registry key to enable our command-line options:
HKLM\Software\WOW6432Node\ThinKiosk\ImprivataMode ( REG_DWORD ) : 1
Here is the configuration that is required in OneSign.
- ThinKiosk uses the Imprivata Extensions; select “Extensions”,
then select “Procedure Code”.
You need a minimum of 3 procedures/extensions:
ThinKiosk–Start, which is launched when the user logs in or performs a desktop unlock. We’ve found it is best to use a VBS script.
This example script makes it possible to cover both 32-bit and 64-bit operating systems with one policy. If you are only using 64-bit (so no embedded OS), you can also use a single command.
    Dim objShell, objFSO, objFile, strPath, strCMD
    Set objShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    'enter the path for TK
    If objFSO.FolderExists("C:\Program Files (x86)") Then
        strPath = "C:\Program Files (x86)\ThinKiosk\iexplore.exe"
    Else
        strPath = "C:\Program Files\ThinKiosk\iexplore.exe"
    End If
    'verify the file exists
    If objFSO.FileExists(strPath) Then
        'return short path name
        Set objFile = objFSO.GetFile(strPath)
        'build the login command line; "domain" stands for the -d=<domain> value
        strCMD = objFile.ShortPath & " -l -u={VAR SSOUSR} -p={VAR SSOPWD} -d=domain"
        'window style 0 = run hidden
        objShell.Run strCMD, 0
    Else
        WScript.Echo "Failed to find " & strPath
        WScript.Quit
    End If
Then you need a script to initiate the -ImprivataLock switch command:
    Dim objShell, objFSO, objFile, strPath, strPAR, strCMD
    Set objShell = CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    'enter the path for TK
    If objFSO.FolderExists("C:\Program Files (x86)") Then
        strPath = "C:\Program Files (x86)\ThinKiosk\thinkiosk.exe"
    Else
        strPath = "C:\Program Files\ThinKiosk\thinkiosk.exe"
    End If
    'Command Argument
    strPAR = " -imprivatalock"
    'verify the file exists
    If objFSO.FileExists(strPath) Then
        'return short path name
        Set objFile = objFSO.GetFile(strPath)
        strCMD = objFile.ShortPath
        'window style 0 = run hidden
        objShell.Run strCMD & strPAR, 0
    Else
        WScript.Echo "Failed to find " & strPath
        WScript.Quit
    End If
And finally, you need another procedure for when the user presses “cancel” on the login box of Imprivata, which initiates a lock:
Finally, you need to enable these extensions in the computer policies that are applied to the PC: