To ensure the best configuration and continuity of your Login Enterprise setup we have defined a number of best practices for the Login Enterprise Launcher.
The Launcher setup describes how to effectively implement Launchers in the Login Enterprise environment to ensure the best possible setup.
To ensure the best results we recommend setting up two (2) launchers per environment.
- One (1) Launcher inside the datacenter
- One (1) Launcher outside the datacenter
The Launcher inside the datacenter is used to measure the connectivity to the environment and the results serve as the baseline of the measurements.
The Launcher outside the datacenter is used to measure the difference between the baseline and the "real world scenario".
This way you can find out, based on the results, where performance degradation comes from: either the connection to the datacenter or the datacenter itself. It also lets you see whether the environment is available from inside and outside the datacenter.
Launcher configuration (Windows)
For a successful implementation of the Login Enterprise Launcher we recommend a number of configurations to be done on the machine.
Schedule a weekly / daily reboot for the launcher with automatic login and Launcher startup
Scheduled Task for automatic reboot
To eliminate caching issues and other instability that can appear after a machine has not been rebooted for a longer period of time, we recommend setting up a scheduled task within Windows that automatically reboots the machine every day or week.
Automatic Logon for Launcher user
Windows can be configured to log on automatically when the machine starts. To promote continuity and reduce manual labour, we recommend configuring auto-logon after the scheduled restart. To do this you need to configure the following registry keys:
- Value: 1 for enabled 0 for disabled
- Enables the automatic admin logon functionality
- Value: your domain name
- Configures the domain name for the user if applicable
- Value: the required password for the user
- Configures the used password for the auto-login user
- Value: Username
- Configures the username that is used for the auto-login
- Value: 1 for once, 2 for twice, etc.
- Configures the number of times the machine stores the configuration.
In order for the above registry keys to work you need to make sure that the following registry keys are disabled:
Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Value: 0 (Disabled) or 1 (Enabled)
- Saves the username on the logon screen of the machine.
- Value: 0 (Disabled) or 1 (Enabled)
- Enables automatic sign-on for users
Autologon using Sysinternals "Autologon"
The Sysinternals section of Microsoft support has a tool called "Autologon". This tool can automate the auto-logon of a machine.
Creating an executable for auto logon
For a successful and secure implementation we recommend building an executable with a tool like AutoIt that is executed before the automatic reboot of a machine. This executable then contains the implementation of the registry keys described above. Make sure that the "AutoLogonCount" registry value is set to 1.
There are two reasons for using an executable. 1) The executable compiles / encrypts its content, so the values it sets (for example passwords) are not stored as plain text, whereas a PowerShell script stores its values as plain text. 2) By default the "DefaultPassword" value stores the password as plain text in the registry, meaning that a person with malicious intent who has access to the device can read the password directly from the registry. The combination of an executable and the "AutoLogonCount" registry value makes sure that the registry entries are cleared after the reboot, eliminating any security issues.
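A check that can be run on the Launcher after the reboot to confirm that the auto-logon entries were cleared. This is an added example, not part of the original guide or of the Login Enterprise software. It assumes the standard Winlogon value names (AutoAdminLogon, DefaultUserName, DefaultPassword, AutoLogonCount); the function name Get-AutoLogonExposure is hypothetical.

```powershell
# Added example: report auto-logon exposure on a Launcher machine.
# Assumes the standard Winlogon value names. The password is never printed.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonExposure {
    param([string]$Path = $WinlogonPath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $names = @($props.PSObject.Properties.Name)

    # Read a value only if it exists, so absent values come back as $null.
    $get = { param($n) if ($names -contains $n) { $props.$n } else { $null } }

    $enabled     = "$(& $get 'AutoAdminLogon')" -eq '1'
    $hasPassword = -not [string]::IsNullOrEmpty([string](& $get 'DefaultPassword'))
    $count       = & $get 'AutoLogonCount'

    $findings = @()
    if ($hasPassword) {
        $findings += 'DefaultPassword is stored in plain text in the registry'
    }
    if ($enabled -and $null -eq $count) {
        $findings += 'AutoAdminLogon is on without AutoLogonCount: auto-logon stays enabled on every boot'
    }
    if ($null -ne $count -and [int]$count -gt 1) {
        $findings += "AutoLogonCount is $count, expected 1"
    }

    [pscustomobject]@{
        AutoAdminLogon     = $enabled
        DefaultUserName    = (& $get 'DefaultUserName')
        PasswordInRegistry = $hasPassword
        AutoLogonCount     = $count
        Findings           = $findings
    }
}

# An empty Findings list after the scheduled reboot means the entries were cleared.
Get-AutoLogonExposure | Format-List
```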
Automatically start the Login Enterprise Launcher software after login
We recommend placing a copy of the Login Enterprise Launcher shortcut (normally placed on the desktop after installation) in the startup folder of the machine. To do so:
- Copy the Login Enterprise Launcher shortcut
- Press Win+R to open the Run window
- Type in, without quotes, "shell:startup"
- Paste the shortcut in the presented folder.
All files placed in the Startup folder are automatically started after logon of a user.
If the launcher is added to your enterprise configuration and you are using a domain user / domain-attached launcher, you can use a workspace management tool like VMware UEM or Ivanti to attach a logon action to the Launcher device or the Launcher user. Simply let it execute the launcher executable found in the installation directory. By default that is "C:\Program Files\Login VSI\Login PI 3 Launcher\LoginPI.Launcher.exe".
Power, lockscreen and screensaver settings
To enable continuity of the Launcher we need to make sure that the launcher machine does not stop working due to power-saving modes or screensavers. It is important to disable the following settings in the Launcher power-settings.
- Set the screen setting "On battery power, Turn off after" to Never
- Set the screen setting "When Plugged, Turn off after" to Never
- Set the power setting "On battery power, PC goes to sleep after" to Never
- Set the power setting "Sleep when plugged in, PC Goes to sleep after" to Never
- Set the "Lid close action" > "On battery" to Do Nothing
- Set the "Lid close action" > "Plugged In" to Do Nothing
- Set the "Power button action" > "On battery" to Do Nothing
- Set the "Power button action" > "Plugged In" to Do Nothing
- Set the "Sleep button action" > "On battery" to Do Nothing
- Set the "Sleep button action" > "Plugged In" to Do Nothing
There are also a number of other settings that need to be disabled namely:
- Disable screensaver on the machine
- Disable lockscreen on the machine
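The power settings listed above can also be applied from an elevated PowerShell prompt with the built-in powercfg tool. This is an added example, not part of the original guide; it covers the timeout and button/lid settings only, and the helper name Invoke-PowerCfg is hypothetical.

```powershell
# Added example: apply the Launcher power settings with powercfg.
# Run from an elevated PowerShell prompt on the Launcher machine.

function Invoke-PowerCfg {
    # Run powercfg and warn if a setting could not be applied
    # (for example a lid action on a device without a lid).
    powercfg.exe @args
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "powercfg $args returned exit code $LASTEXITCODE"
    }
}

# Screen and sleep timeouts: 0 means "Never".
# -ac is "plugged in", -dc is "on battery power".
$timeouts = 'monitor-timeout-ac', 'monitor-timeout-dc',
            'standby-timeout-ac', 'standby-timeout-dc'
foreach ($t in $timeouts) {
    Invoke-PowerCfg /change $t 0
}

# Lid close, power button and sleep button actions: index 0 means "Do nothing".
$actions = 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION'
foreach ($a in $actions) {
    Invoke-PowerCfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $a 0   # plugged in
    Invoke-PowerCfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $a 0   # on battery
}

# Re-activate the current scheme so the new indexes take effect.
Invoke-PowerCfg /setactive SCHEME_CURRENT

# Show the resulting values so they can be checked against the list above.
foreach ($a in $actions) {
    Invoke-PowerCfg /query SCHEME_CURRENT SUB_BUTTONS $a
}
```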
Remote connectivity to launcher
When using a physical launcher machine, we recommend enabling a form of remote connectivity to the device. This can be RDP, TeamViewer, VNC or another remote connectivity application. This makes troubleshooting easier if it is necessary.
Physical Launcher setup
When configuring the launcher as a physical device there are a few things to keep in mind. The biggest security risk is that unauthorised people gain access to the device. To mitigate this as much as possible please follow the following best practices.
Place the Launcher machine in a secure location
Placing the Launcher machine in a secure location reduces the risk of malicious people gaining direct access to the device. The secure location can be a storage room, a server room or any other room that can be secured by a lock. Access to the room must be as limited as possible to reduce risk.
Lock physical device
To secure the physical machine further, we recommend that the device supports the use of a Kensington lock. This makes sure that the device cannot be easily removed from the secure location.
Physical Launcher device
To mitigate any potential security risks we recommend using a physical device that does not have a screen attached to the device. This means that we do not prefer the usage of a laptop device. We recommend using machines such as:
- Intel NUCs
- Desktop Machines
- Windows Thin clients
- IGEL Thin clients
- Other devices
If a laptop is used please make sure that the lid is closed at all times.
Connect the Launcher with a wired connection
We recommend connecting the launcher with a wired LAN cable to the internet to keep the connection as stable as possible. Only deviate from using the LAN cable when the situation requires it.
IT Environment Launcher implementation
The security of the launcher goes far beyond the physical. We have a number of recommendations when it comes to implementing the launcher in an IT environment.
Do not add launcher device to Domain
We recommend not adding the Launcher machine to the Domain if this is not necessary for management or remote connectivity. This eliminates the chance that a malicious person who gains access to the device also gains access to the domain.
Updates and Upgrades
We recommend that the Launcher device is always updated with the latest security patches that the software supplier recommends.
We recommend configuring a virus scanner on the Launcher machine at all times and updating this accordingly.
Add launcher to automatic software distribution method
To ease the manageability of the launcher(s) and simplify software upgrades of Login Enterprise, we recommend adding the launcher machine to your preferred software distribution setup, such as SCCM or similar. When an update is released, the new launcher software can then be easily distributed.
Launcher user setup
For the user that is configured to log in to the Launcher machine there are a few things to consider.
When using a locally configured user, please use the normal "user" permissions as much as possible.
If a domain user has been configured, please make sure that this user's permissions are as limited as possible, enabling only the running of the Launcher application.