Editing the Windows Client Configuration
You can edit the Client configuration for both online and offline Clients. Configuration changes to online Clients will be applied immediately. Configuration changes to offline Clients will be applied as soon as the Client goes online.
Newly installed Clients have a Custom configuration that can be edited for each Client individually. When Clients are added to a Client group, you can choose whether they keep their Custom configuration or inherit the configuration from the Client group. Whenever the Client group configuration is changed, the Client configuration that is inherited from this Client group will also change.
To edit the Windows Client custom configuration, do the following:
1. Log in to the Management Tool as a user with the Client Configuration Management permission for Clients.
2. Click the Client Management navigation link on the left.
3. On the Client Management page, find the Windows Client whose configuration you want to edit, and click its name in the Client Name column.
NOTE: To find specific Clients, the Search box and filters at the top of the Client Management page can be used.
NOTE: If you do not have the Client Configuration Management permission for this Client, the configuration options will be disabled.
4. On the Editing Client page that opens, on the Properties tab, do the following:
• Optionally, in the Description field, enter a description for the Client.
• In the Assigned License drop-down list, select the type of license to be assigned to the Client.
• In the Settings Type drop-down list, select the type of settings to be applied to the Client:
- If the Custom settings type is selected, you will be able to edit all Client settings.
- If the Inherited from <Client group> settings type is selected, the Client settings are inherited from the selected Client group and these settings cannot be changed.
• Select the Enable Protected mode checkbox if you want to enable Protected mode.
NOTE: The Client mode will only be changed after the Client computer is rebooted.
• Select the Update Client automatically checkbox if you want the Client to be updated automatically.
• Select the Display Client tray icon checkbox if you want to display the Client tray icon to the user.
• Select the Display icon when recording is in progress checkbox if you want to inform logged-in users that their actions are being recorded.
• [For Clients with either a Terminal Server or Terminal Server (Limited Sessions) license only:] Select the Enable the Ekran System PAM Connection Manager checkbox if you want the Client computer to function as a jump server for remote access using secrets. NOTE: A Workstation license can alternatively be used without the use of a jump server computer, if no more than one concurrent session is required.
- Also select the Replace Windows Shell with the Ekran System PAM Connection Manager checkbox if you want to only display the Ekran System Connection Manager window (i.e. without the secret user's desktop).
• If you want to monitor whether the Client is offline for more than a specified time period, select the Notify if the Client is offline for more than checkbox and define the time period after which the Client will be considered "disconnected". If you also want to receive email notifications about the Client being disconnected, enter the required email addresses, separated by semicolons, in the Send Email Notification to field.
• If you want to save Ekran System events, such as errors, warnings, and informational messages, to the Windows Event log on the Client computer, select the Send log messages to Windows Event log checkbox and select the severity level (Error, Warning, or Information) of the log entries in the Log Level drop-down list.
• Select the type of Auto-Cleanup Options to be applied to the Client:
- Never: Cleanup operations will not be performed.
- Run once: A one-time cleanup operation will be performed when the Finish button on the Editing Client page is clicked.
- Repeat according to schedule: A scheduled cleanup operation will be performed every few days at the specified time, as defined:
  - Perform every (days): The frequency of the cleanup operation.
  - Start at: The time at which the cleanup operation will be run.
• In the Action type drop-down list, select either the:
- Cleanup option to delete the monitored data from the database.
- [Not available in SaaS:] Archive & Cleanup option to first archive and then delete the monitored data from the database.
NOTE: If the Archive & Cleanup option is selected, the Archive Parameters must be configured on the Configuration page.
• In the Sessions older than (days) field, define the retention period for the monitored data. Sessions stored in the database longer than the defined period of time will be deleted during the Cleanup process.
• In the Client log level drop-down list, select the severity level of the log entries to be saved to the Client log files.
5. On the User Activity Recording tab, do the following:
• Define the Frequency Settings for User Activity Recording.
• Define the Recording Period Settings.
• [Not available in SaaS:] Define the Screen Capture Settings.
6. On the Monitoring [Windows/macOS] tab, do the following:
• Select the Enable clipboard monitoring checkbox to enable monitoring of the Windows clipboard text data.
• Select the Enable SWIFT username monitoring checkbox to record the user name used to log in to the SWIFT network in the log file.
• Select the Detect system IDLE event checkbox to enable the registering of an idle event whenever the user is inactive for more than 15 minutes, the computer is in sleep or hibernation mode, or the screen is turned off automatically.
• Select the Register IDLE event when user is inactive checkbox to enable the registering of an idle event whenever there is no Client activity, i.e. no mouse movement or key pressing for longer than the Timeout (min) value. The default timeout value is 15 minutes.
• Select the Enable creating log files of monitored events checkbox to enable the creation of monitoring logs on the Client computer and define the location of the log files.
• Select the Enable URL monitoring checkbox to receive information about websites visited by the user of the Client computer.
- Also select the Monitor top and second-level domain names only checkbox if you want to monitor only the main part of the URL (e.g. example.com).
• In the Offline Cache Size (MB) field, define the size of the offline cache.
7. On the Application Filtering tab, define the Application Filtering parameters for the Client.
8. On the User Filtering tab, define the User Filtering parameter for the Client.
9. On the Monitoring Time Filtering tab, define the Monitoring Time Filtering parameter for the Client.
10. On the Remote Host IP Filtering tab, define the Remote Host IP Filtering parameter for the Client.
11. On the Authentication Options tab, do the following:
• Select the Enable displaying of additional message checkbox if you want an additional message to be displayed to the user on login, and then enter the message to be displayed.
- Select the Require user’s comment checkbox if you want the user to comment on the additional message displayed on login.
- Select the Require ticket number checkbox if you want the user to enter a valid ticket number to access the system.
• Select the Enable secondary user authentication on login checkbox if you want to enable additional authorization for users that log in to the Client computer.
• Select the Allow the use of one-time passwords checkbox if you want to allow users to use one-time passwords to log in to the Client computer, then specify the users who can approve access in the Users Who Can Approve Access field.
- Select the Automatically send one-time passwords to Active Directory users checkbox if you want a one-time password to be generated on the request of the user without approval by the administrator and sent automatically to the email address defined in the user’s Active Directory account.
- Select the Automatically send one-time passwords to internal users checkbox if you want the one-time password to be generated on the request of the user without requiring approval by the administrator and sent automatically to the email address of the Ekran System internal user.
• Select the Enable two-factor authentication checkbox if you want to require users to enter a 2FA time-based one-time password to log in to the Client computer.
- [For Windows Clients only:] Also select the Do not generate QR code automatically checkbox in the (unlikely) event that you want to disable the Mass 2FA feature, so that all users of Windows Client computers (who will be required to use 2FA to log in) instead need to be first added manually on the Access Management page.
NOTE: The "Enable secondary user authentication on login" and the "Allow the use of one-time passwords" options cannot be used together. Neither of them will function correctly if both of these checkboxes are selected.
12. On the Keystroke Monitoring tab, do the following:
• Select the Enable keystroke logging checkbox to enable keystroke logging.
- Also select the Start monitoring after detecting one of the following keywords checkbox if you want the Client to start recording user activity only after the user enters one of the specified keywords on the Client computer.
• Define the Keystroke Filtering parameter for the Client.
13. On the Additional Options tab, define the various Bandwidth Usage Reduction parameters for the Client.
14. After completing the configuration, click the Next button in the bottom right to proceed to defining the Client Groups which the Client will belong to, permissions for managing the Client, and alerts assigned to the Client, and then click the Finish button to save the changes.
15. The new configuration is applied to the Client immediately.