The View From NCS Technologies

Part 3: VDI and Virtualized Kiosk Workers

Posted by Scott Drucker on Feb 23, 2015 7:00:00 AM

Part 3 Of A Multi-Part Blog Series

As I mentioned in Parts 1 & 2 of this blog series, when a company expresses the intent to move toward virtualization, it is wise to ask them if they have a list of the users and types of users that they intend to virtualize.

Questions quickly come up, including: what type of worker do you recommend we start with on the way to full virtualization? I have discussed the differences between a deployment with Persistent Desktops versus Non-Persistent Desktops and Linked Clones versus Full Clones. Today I'd like to discuss Kiosk Workers.

KIOSK WORKERS:

A kiosk user is someone who walks up to a multi-user shared desktop, such as one found in a hotel business center, and can use all its allowed functionality without providing any credentials. In my opinion, these machines are perfect candidates to deploy as dynamic or "provisioned" virtual desktops. These machines require little to no resources and can be locked down completely. In fact, you can deploy these virtual desktops in Kiosk Mode.

You can deploy these kinds of virtual desktops so that they connect only to a non-secure network, and if anything goes wrong, it takes just a few clicks to spin up another. These types of desktops can be used on military bases for signing into the facility. With a connected webcam, users could actually sign in, provide credentials through an attached card reader and have their photos taken, all unmanaged. You also have solutions like Imprivata's OneSign that allow you to log in with a Smart Card or tap-and-go.

You can set up unattended clients that can obtain access to their desktops from VMware View.

A client in kiosk mode is a thin client or a lock-down PC that runs View Client to connect to a View Connection Server instance and launch a remote session. End users do not typically need to log in to access the client device, although the desktop might require them to provide authentication information for some applications. Sample applications include medical data entry workstations, airline check-in stations, customer self-service points, and information terminals for public access.

You should ensure that the desktop application implements authentication mechanisms for secure transactions, that the physical network is secure against tampering and snooping, and that all devices connected to the network are trusted.

Clients in kiosk mode support the standard features for remote access such as automatic redirection of USB devices to the remote session and location-based printing.

View Manager uses the Flexible Authentication feature in VMware View 4.5 and later to authenticate a client device in kiosk mode rather than the end user. You can configure a View Connection Server instance to authenticate clients that identify themselves by their MAC address or by a user name that starts with the characters "custom-" or with an alternate prefix string that you have defined in ADAM. If you configure a client to have an automatically generated password, you can run View Client on the device without specifying a password. If you configure an explicit password, you must specify this password to View Client. As you would usually run View Client from a script, and the password would appear in clear text, you should take precautions to make the script unreadable by unprivileged users.

Only View Connection Server instances that you enable to authenticate clients in kiosk mode can accept connections from accounts that start with the characters "cm-" followed by a MAC address, or that start with the characters "custom-" or an alternate string that you have defined. View Client in VMware View 4.5 and later does not allow the manual entry of user names that take these forms.
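The two checks described above, as an added example (not VMware's code or the author's): it classifies account names against the "cm-" plus MAC address and "custom-" conventions, and audits whether a launcher script that may hold an explicit password can be read or altered by unprivileged users. It assumes a POSIX thin client; the separator inside the MAC portion, the function names and the file name are assumptions made for illustration.

```python
import os
import re
import stat

# Assumption: the page does not say how the MAC is written after "cm-",
# so ':', '-' and '_' separators are all accepted here.
MAC_RE = re.compile(r"cm-[0-9a-f]{2}(?:[:_-][0-9a-f]{2}){5}")


def classify_kiosk_account(name, custom_prefix="custom-"):
    """Return 'mac', 'custom' or None for a client account name."""
    lowered = name.lower()
    if MAC_RE.fullmatch(lowered):
        return "mac"
    prefix = custom_prefix.lower()
    if lowered.startswith(prefix) and len(lowered) > len(prefix):
        return "custom"
    return None


def audit_launcher(path, expected_uid=None):
    """List reasons an unprivileged user could read or alter the script."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:04o}: readable by group or others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:04o}: writable by group or others")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable; file can be replaced")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in launcher created with a permissive mode.
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "kiosk-launch.sh")  # hypothetical name
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n# explicit kiosk password would live here\n")
        os.chmod(script, 0o644)
        print(audit_launcher(script, os.getuid()))  # one finding
        os.chmod(script, 0o700)
        print(audit_launcher(script, os.getuid()))  # no findings
    print(classify_kiosk_account("custom-Lobby01"))
```

An empty findings list means only the owning account can read the script; run the audit as part of the kiosk image build so a permissive mode is caught before deployment.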

As a best practice, use dedicated View Connection Server instances to handle clients in kiosk mode, and create dedicated organizational units and groups in Active Directory for the accounts of these clients. This practice not only partitions these systems against unwarranted intrusion, but also makes it easier to configure and administer the clients.

In the next post I will discuss Task Workers.

An important part of the virtual user's experience is obviously the user device. One of the most important advances in virtualization recently is the availability of mobile zero client technology. To learn more, please consider downloading our White Paper on the NCS Cirrus LT Zero Client Laptop.
