Administrator Guide
Table Of Contents
- Dell Wyse ThinOS Version 8.6 Administrator’s Guide
- Contents
- Introduction
- About this guide
- What is new in ThinOS 8.6_807
- What is new in ThinOS 8.6_710
- What is new in ThinOS 8.6_606
- What is new in ThinOS 8.6_511
- What is new in ThinOS 8.6_412
- What is new in ThinOS 8.6_303
- What is new in ThinOS 8.6_206
- What is new in ThinOS 8.6_027
- What is new in ThinOS 8.6_024
- What is new in ThinOS 8.6_019
- Before working on ThinOS
- Getting started
- End User License Agreement
- Configuring ThinOS using the First Boot Wizard
- Connecting to a remote server
- Using your desktop
- Configuring thin client settings and connection settings
- Connecting to a printer
- Connecting to a monitor
- Locking the thin client
- Signing off and shutting down
- Battery information
- Sleep mode
- Additional getting started details
- Classic desktop features
- Login dialog box features
- Word wrap feature
- Accessing system information
- ENERGY STAR compliance
- IPv6 certification
- Global Connection settings
- Configuring connectivity
- Configuring the network settings
- Configuring the remote connections
- Configuring the central configurations
- Configuring the VPN Manager
- Configuring the connection brokers
- Configuring Citrix
- Configuring the Citrix broker connection
- Citrix Receiver feature matrix
- Citrix HDX RealTime Multimedia Engine or RealTime Optimization Pack
- Cisco Jabber Softphone for VDI
- Using Citrix ADC
- Citrix Cloud services
- Citrix icon refresh
- Using multiple audio in Citrix session
- Configuring ICA connections
- Support for multi-monitors in Citrix session
- ICA Self Service Password Reset
- QUMU or ICA Multimedia URL Redirection
- HTML5 Video Redirection
- ICA SuperCodec
- Anonymous logon
- Configuring the Citrix UPD printer
- Configuring VMware
- Configuring the VMware broker connection
- VMware Horizon Client feature matrix
- Using VMware Horizon View broker and desktop
- Enable username hint for smart card login
- Supporting VMware Real Time Audio-Video
- VMware Blast
- VMware Horizon Virtualization Pack for Skype for Business
- Using multi-monitors in PCoIP session
- Using Multi-monitors in VMware Blast session
- Blast Virtual Printing
- Enable hardware cursor in Blast session
- Enable relative mouse feature
- USB device splitting in Blast session
- Supporting Teradici SDK
- Configuring PCoIP connections using Teradici Remote Workstation card
- Customize PCoIP login window and icons
- Configuring Microsoft Remote Desktop
- Configuring Dell vWorkspace
- Configuring Amazon Web Services or WorkSpaces
- Configuring Teradici Cloud Access
- Configuring Citrix
- Configuring local settings
- Local Settings Menu
- Configuring the system preferences
- Configuring the display settings
- Configuring the peripherals settings
- Configuring the keyboard settings
- Configuring the mouse settings
- Configuring the audio settings
- Configuring the serial settings
- Configuring the camera settings
- Configuring the touch screen settings
- Configure the touch screen settings for VDI sessions
- Configuring the Bluetooth settings
- USB support
- Support for USB Type-C
- Configuring the printer settings
- Reset features
- Local Settings Menu
- TCX Suite
- Trusted Platform Module version 2.0
- Performing diagnostics
- BIOS management on ThinOS
- Security
- Troubleshooting
- Examples of common printing configurations
- Important notes
- Frequently asked questions
Security
A new global security policy has been defined for ThinOS and this policy is applied to all secure connections (https/SSL
connections) with a few exceptions.
Purpose—To improve the security level by default and add the global configuration. This security policy integrates security
setting for each application.
Table 56. INI parameter
INI parameter Description
SecurityPolicy={full | warning (default) |
low}
SecuredNetworkProtocol={yes | no
(default)}
TLSMinVersion={1 (default), 2, 3}
TLSMaxVesion={1, 2, 3 (default)}
Full—SSL connection must verify the server certificate. If it
is untrusted, cancel the connection.
Warning (default)—SSL connection must verify the server
certificate. If it is untrusted, you can continue or cancel the
connection.
Low—Server certificate is not verified. This value is set for a
few applications.
After firmware is updated, the default value is set to warning
for all applicable applications immediately.
There is an exception for file server and WDM.
The old ini SecurityLevel | SecureProtocol from Privilege
segment is deleted.
All applications running on the default SSL security mode follow the global mode. In the global mode, the default value is
Warning. The affected applications include VMware View, Amazon WorkSpaces (AWS), file server, WDM Service, Caradigm
Server, and OneSign Server.
For more information about the security mode INI parameters, see Dell Wyse ThinOS INI Guide.
The following are the exceptions:
● File server and WDM in factory reset state—Before you load any INI parameter, the SSL security mode is set to Low, and
after loading the INI parameter, the value is changed to follow the global mode value. For example, the default value is set to
warning, if the value is not changed by the INI parameter.
System with previous settings (default value is set to Low) follows the global mode after the unit is upgraded. For example,
the default value is set to Warning, if the value is not changed by the INI parameter.
● VMware View and AWS brokers include own security settings (GUI and INI). From ThinOS 8.3 release, an additional
option is added to follow the global mode as its new default value. The security mode GUI context is updated for better
understanding.
● Wyse Management Suite, Microsoft RDS broker, Citrix broker, and SecureMatrix are always Full.
Firmware signature
Firmware signature feature was introduced in ThinOS 8.3.1 for better firmware security. From ThinOS 8.4 release, firmware
signature verification is added to enhance firmware security.
Salient features
● By default, signature verification is required on firmware downgrade/upgrade process.
● Provision to downgrade from 8.4 firmware to 8.3 firmware without signature. For example, earlier to ThinOS 8.3.1 release,
the firmware downgrade is prohibited by default.
● New INI parameter verifysignature=no is introduced to enable user downgrade firmware. For example:
autoload=101 verifysignature=no. For more information about using INI parameters, refer to the latest Dell Wyse
ThinOS INI Reference guide.
12
214 Security