How can I lock down configuration so that users can't mess with it?

Solution

You were probably hoping for a solution resembling Active Directory Group Policy, but we don't have the resources to do anything that sophisticated yet (read as: you aren't paying us enough for that!).  We do intend to gradually add policy functionality to TMS, but initially this will be very crude compared with what AD can do (initially it will just be linking a saved profile to a department, and forcing devices in that department to load the profile on boot).

Although TMS doesn't have policies (set configurations linked to your organisational structure within TMS from which clients are not permitted to deviate), it does have profiles (saved configurations that can be applied as a one-off action to multiple clients, which they can diverge from afterward).  It also has the ability to set a Restricted Feature access password that TLXOS end users must enter in order to access the local configuration tool (Tlxconfig) and interactive terminal windows (xterms), and since TMS 8.1.0, the ability to set custom reset states such that devices will reset to administrator-approved defaults rather than "factory" default settings (i.e. prevent end users from using reset to factory defaults as a way to subvert lockdown).  Combined, these features will allow you to lock devices down fairly effectively to an approved configuration only.

Since it has no way of displaying discrepancies in current settings, TMS will only allow you to perform an operation on multiple clients simultaneously in situations where it does not have to show current values.  As a general rule, this means that with multiple devices selected you can perform actions but you cannot configure settings.  However, there is a way around this - you can use File->Save Configuration to save settings to a local file on the TMS server, then select multiple devices and use File->Load Configuration to apply the saved settings to selected devices (with some safety precautions, e.g. hostname and static IP configuration settings will be excluded).  In this way you can fully configure a single device as a template, and then clone its settings to the rest of your devices.

When you use File->Load Configuration, you will be presented with filter options which you can optionally configure to apply only part of the configuration to your selected devices.

If you opt to apply the entire configuration (all options selected), you will additionally be asked if you want to use the saved configuration as a reset state.  If you do this, users will only be able to reset to this state, not to ThinLinX-provided ("factory") defaults.

If you want to prevent users from using the local configuration tool (Tlxconfig) to change settings on a device after you set its configuration, you should use "Device->Local Configuration->Set Restricted Feature Password" on your template device to password-protect this feature.

Please note that at present the saved configuration does not include any files that you have installed on the device (e.g. SSH public keys or CA certificates).  In future TMS will retain copies of installed files in a hash tree, and tms_client will automatically retrieve files that are named in the configuration but not present locally ("auto self-heal").  Right now, if you want to add installed files as part of your fixed configuration, you will have to do this as a separate follow-up action after using Load Configuration.  You can use File->Install File with multiple devices selected because it's an action, not a setting.

If you apply a full saved configuration (rather than a partial one), you can view which saved configuration was last loaded on a device by adding the "Based On" column to your display via Tools->Options.  You can also see whether a custom reset state has been set by adding the "Resets To" column.  Both features require TMS 8.1.0 or later, and only work properly if the client is using tms_client 8.1.0 or later.  ThinLinX have not released tms_client 8.1.0 yet, but will do so very soon.

Additionally, some TLXOS operational modes include a "Kiosk Mode" option.  This does not refer to any one specific application feature (e.g. Chromium's --kiosk option), but rather represents a set of application options that we have selected as a best effort to lock down the application so that users can't escape its main window or save data locally that the terminal's next user might be able to access.  Depending on your use case you may or may not want to select this option.

 

Article details
Article ID: 22
Category: Knowledgebase
Date added: 2019-05-29 10:10:44