Everyone having a Good Citrix Synergy week? Some great new products announced! Ready for more announcements?
After 5 months of coffee, tears of frustration and hair pulling we’re absolutely delighted, thrilled and relieved to announce ThinKiosk 4.0 is nearly ready. Complete with my new partner in crime Remko Weijnen (I’ve been saying ‘we’ for ages, now you know who… awesome eh?) we’ve worked some long nights to get this version out the door.
With that out of the way, we’re proud to announce some of the new features coming in 4.0. Bear in mind this is just a preview, the final features and details of the product are still being hammered out, but below is a taster of some of the functionality you can expect to see shortly.
Back to the drawing board:
ThinKiosk 4.0 is a complete rewrite and refactor of ThinKiosk. It’s built on the 4.0 .Net framework which has brought a lot of simplicity and new features to our tool-set. ThinKiosk 4.0 was built with three main aims:
- Enterprise Ready.
- Fool Proof.
- Secure by Design.
With ThinKiosk 4.0, your setup time will go from days to minutes. Out of the box, ThinKiosk is ready for the following technologies without any local machine tuning:
- Citrix XenDesktop / XenApp.
- Citrix VDI in a Box.
- VMware View.
- Microsoft Remote Desktop Services.
For the exact details of each of these optimizations, follow the subsequent blog posts / documentation.
New Look and Feel:
Without further ado, let’s start with the new look and feel:
ThinKiosk 4.0 has also been built on the industry leading graphical interface DevExpress, giving us a really shiny, professional and sleek interface. Finally, an interface we can be proud to put on your desktops.
ThinKiosk’s interface has been further improved giving you an Applications tab for Publishing desktops for VMware View, Microsoft Remote Desktop services or Citrix Desktops via ICA file or local applications.
This Applications tab has been modelled after the windows 8 Metro err, I mean Windows 8 UI. This provides a similar look and feel to the new Windows start menu and it really breathes new life into old hardware. With this tab, you can publish shortcuts to VDI Desktops or local applications making it a one stop shop for applications.
You can flick from one tab to another easily, or disable the one you do not wish to use.
It’s all about the customization!
Beauty is in the eye of the beholder right? Agreed!
ThinKiosk 4.0 will ship with over 8 themes and wallpapers, customization of the splash screen, buttons… everything!
The Applications tab can also be completely customized to your tastes:
As with Previous versions of ThinKiosk, every button and object in ThinKiosk can be locked down to exactly what you wish, for example here’s a stripped back browser session:
Or a stripped back application window:
Anyway… Enough about the appearance, let’s talk tech!
Introducing the new ThinKiosk Broker Service and Management console:
The ThinKiosk Broker, Management Console and ThinKiosk clients use an all new ThinKiosk TCP protocol (I never ever, ever want to see a TCP socket again for as long as I live, writing this protocol was a killer!) to allow you to centrally manage, catalog and report on your ThinKiosk devices. The protocol is lightning fast and secure by design.
This new framework will form a long blog post itself, but some quick fire information is below:
- Complete off domain management.
- Auto device registration, just point ThinKiosk at the broker and it will check in and download the default profile.
- Remote Control / Shadowing of end point devices via the console.
- Device Grouping for profiling multiple devices or creating an organisation structure.
- Remote actions (power off, restart, update).
- Device Reporting.
- No Enterprise database software necessary.
- Audit logging.
Unlike other Thin Client protocols and software, ThinKiosk does not accept any inbound connections, in user or system context, removing the ability to hijack thin clients… which is all too possible with certain vendors!
The console is simple, and quick to navigate:
Installation of the broker takes roughly 5 minutes and is ready to serve your Devices as soon as you configure the default profile.
New Profile Handler:
The ThinKiosk client has received an overhaul and with it we’ve streamlined the profile. ThinKiosk no longer requires group policies or the clunky offline config tool, we have a new profile system based on XML files with a fitting profile editor to match:
No more configuring 5 group policies for one url, the new policy manager is clean, self explanatory, full of new functionality and uses the same interface whether you are using the ThinKiosk management console or modifying the local profile.
Still want to use group policy to deploy configuration? No problem! Just drop the file on the client via group policy preferences!
And the Client!
Let’s talk about the 4.0 client.
Windows XP – Windows 8
ThinKiosk is now a fully fledged browser, complete with address bar. If you want to allow your users to browse around, now you can.
The ThinKiosk 4.0 browser will:
- Suppress scripting errors.
- Allow you to add your sites to the trusted sites via policy.
- Auto tune the browser for VDI portals.
- Auto circumvent silly SSL untrusted or mismatched errors (great for POC’s *cough* VDI in a Box *cough*)
- ThinKiosk now runs as an Internet explorer executable. No more flicking between iexplore.exe and thinkiosk.exe.
Now to the nuts and bolts!
Local login pass through:
Now that you have the ability to add direct VDI connections, ThinKiosk will handle the log in experience and pass the credentials to the responsible technology:
This integration allows ThinKiosk to better manage the desktop experience and provide your users with a single login pane rather than the recurrent login screens you can experience with Microsoft / Citrix file connections.
These connection files can also be auto launched, to remove that pesky click first thing each day.
- Log off screen redirection for Web interface, storefront and VDI in a box.
- Log off the web portal when a desktop launches for the above platforms.
- Support for Adding ICA file connections.
- Auto configuration of Single sign on from local pc to remote desktop. (Nightmare previously).
- VDI in a Box auto browser tuning for compatibility.
- Optionally disable the Citrix Desktop viewer (CDviewer.exe).
- Support for publishing multiple pool connections
- Support for publishing multiple direct desktop connections.
- Support for PassThrough.
- Disables Certificate checking by default for quick POC’s.
- Pass through ctrl alt del / Windows + l (more on this later).
Microsoft Remote Desktop Services:
- Support for publishing multiple connections.
- Support for 2012 RDS and VDI.
- SSL Certificate warning suppression.
- Support for login once.
Improved local application handling:
ThinKiosk 4.0 has an improved local application engine. When you add an application to the Applications tab, it will automatically pull in the icon window and you can also specify to launch apps but hide them (think run key entries). If ThinKiosk is restarted via admin task, it’s smart enough to know not to relaunch them.
Environment variables for paths and arguments are fully supported and I’ve also added a variable for 32bit program files paths… I always wondered why Microsoft didn’t do this, but I digress.
Windows secure keystroke blocking and passthrough:
You asked… (and asked and asked and asked and asked). It’s done, with ThinKiosk 4.0 you will be able to block CTRL + Alt + Del, [Windows] + [L] etc.
Pass through of these keystrokes to the remote desktop is available for VMware View already and will be coming shortly after 4.0 for Citrix and Microsoft connections.
Group Policy Lockdown:
By default when you install ThinKiosk 4.0, it will arm the PC with the most restrictive policies via the local group policy engine, disabling access to all admin utilities and even local disks. This lockdown can be tuned or turned off via policy if required.
ThinKiosk performs privileged actions via the ThinKiosk Machine service which installs as part of the installation.
ThinKiosk will ship with its own user account for fast deployment. This account will be created on the local machine and gives you a quick and easy method to manage local accounts on non domain joined PCs.
The account’s password is synchronized with the ThinKiosk unlock password you specify.
This account is completely optional and you can turn it off or substitute it with a domain account of your choice.
ThinKiosk will also manage the Windows Shell replacement policy itself via policy, so no more mucking around with local group policy or registry keys.
ThinKiosk also now encrypts the auto login account using LSA.
With ThinKiosk as shell, you can now run Active Setup with ThinKiosk’s improved Active Setup Async.
Active Setup Async is a utility we have implemented into ThinKiosk that will perform active setup 60% faster than standard Microsoft active setup via a threading and queuing engine. The end result is active setup support (for example: HDX flash redirection) with a much faster (and prettier) interface.
ThinKiosk can now implement the local group policy engines start-up script to allow you to manage off domain PC’s. With the start-up script, you can install software, updates, disable services, uninstall software, delete files, profiles… anything!
The only limitation here is your own imagination or scripting abilities.
If the latter is a concern, worry not: we’ll be creating a scripting library where ThinKiosk enthusiasts can share and collaborate on similar tasks.
ThinKiosk 4.0 offers you the ability to control local volume, printers, screen saver and even background color.
ThinKiosk logs everything, every action, command, hiccup… everything.
If something isn’t quite working as expected, chances are the debugging window will announce in triumphant glory exactly what is broken!
Redundant profile management:
ThinKiosk takes a copy of its profile on each check in to an FTP server or Broker server.
In the event of the server being offline, ThinKiosk attempts five times to connect before failing back to the local profile, allowing your users to continue working without an outage.
If the broker server becomes available again throughout the day, ThinKiosk will check back in to allow management but will not disturb the user.
And so much more!
I’m not going to go on and on, but as you can see… It’s awesome!
Check back in a few weeks for the release as we ready the build.
With great pleasure I’m announcing the general availability of ThinKiosk 3.1. Quite a bit of change under the hood and some nice features added to match.
VMware View enhanced support:
VMware View has gotten some love in this update. A big thanks to Jarian Gibson for the help.
You can now enforce end of session options for VMware View:
You can also now choose to wipe the last users details from the Kiosk between View sessions:
FTP policy management:
With ThinKiosk 3.1, you are no longer tied to managing the ThinKiosk devices by Group Policy or local registry settings. You can now also use an FTP server with a shared XML configuration file:
Just configure a device as you would like it to appear, unlock the admin menu and you can export the configuration to XML:
Then move it to your ftp server!
The unlock password in group policy can now be encrypted to save it appearing in plain text to anyone capable of viewing the policy. ThinKiosk 3.1 ships with a password encryption tool you can use to encrypt your password.
You can also test reversing the password to plain text to make sure you get it right before applying it en masse and locking yourself out!
This encryption functionality has now been added to both the offline configuration tool:
And by default the FTP password will be encrypted too!
ThinKiosk is now aware of batteries in laptop devices and will report their status.
When the battery begins to run out, ThinKiosk will throw a warning in the foreground as below:
You can additionally disable this functionality with the offline configuration tool.
Pre launch Citrix Receiver:
A rare issue seen with the latest versions of the receiver was a bit of a hang, pause or complete lock up as receiver came to life. To combat this, you can now choose to early launch the receiver for Citrix, allowing it to gracefully start up in the background before the user requires it.
Early launch process:
A number of customers needed to have third party software launched as soon as ThinKiosk started each day. I’ve now added the ability to early launch a process.
You can also choose to launch this process as hidden, away from the user.
ThinKiosk can now act as a locked down browser by adding back and forward buttons.
AM / PM clock:
This feature was asked for quite a few times, so now you can set the clock to 12 hour.
A fully fledged debug window has been added to help timing issues. The debug menu can be accessed via command line (-debug) or via the admin menu in ThinKiosk.
In rare situations (and I’ve been unable to reproduce it) ThinKiosk can jump above the citrix session when a log off of the web interface happens or during the login process.
Zorder awareness will tell ThinKiosk to send itself to the back of the Zorder when the browser finishes rendering. It will also display a hide button, which will send ThinKiosk to the back in this rare event.
Please use this setting as a troubleshooting tool, not a production setting. If this setting fixes the issue for you, please drop me an email and I’ll write it in. As I’ve been unable to reproduce this issue, it’s a bit rough around the edges.
Citrix Storefront timeout screen:
ThinKiosk is now aware of the timeout screen and will automagically redirect back to the login screen if it sees it.
Hide ThinKiosk when a desktop is active:
If you wish to outright hide ThinKiosk while a desktop is active, you can now do so!
Even More sites:
Support for up to 20 sites has been added, thanks Martijn!
Sticky Home Page:
A request came through to allow the home page to always be site 1, this has now been included.
- support for environment variables in custom tools and prelaunch commands. (thanks Nathan).
- Offline config tool not setting password correctly.
- VB Powerpack accidentally bundled with ThinKiosk 3.0
- In process launch mode, power options were intermittently being applied.
And it’s still free!
ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings it’s made for you, please consider making a donation or paying for enterprise support to help me keep this project alive… I would really appreciate it as it will allow me to invest in better development tools to make the product look and feel even better!
While at Citrix Synergy in Barcelona this week, I attended the Citrix Personal vDisk deep dive session. The session was interesting and informative but there was a mention of the inventory and scanning piece of the personal vDisk suite that really got me asking myself “what if?”.
From my understanding of the presentation, when you add a revision to the golden image, Personal vDisk scans both images then compares these items to the personal vDisk in an attempt to figure out which bits belong in the vDisk and which bits belong in the base image.
If you’ve read my previous blog post on golden image management with PVS (questionable assumptions and why I don’t trust people), you know I have a great fear with auditing and control of this image. Without having to read the old article, it basically translated to “Provisioning server is great, but I don’t trust people to audit and document the changes they have made to the golden images”.
While sitting in this session, I had another “lightbulb moment” . If the Personal vDisk has baked in technology that audits the changes to the golden image layer and registry, could it be extracted from personal vDisk? If so, wouldn’t this give you a granular view of changes to the golden image from point to point? I.E. a list of changes between snapshots (MCS) or versions (PVS)?
The more I think of it, the better this idea sounds. Imagine having a catalog of changes, searchable for file or registry key names that would help you track back changes, or even view changes made to the golden image to be reviewed before or after you seal the image? This technology would work well with Citrix Provisioning server, XenClient and Machine Creation Services, delivering a matrix of changes to the golden image.
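As an added illustration of the change catalogue described above (not code from Citrix or from this post), the sketch below diffs two image inventories and makes the result searchable. The inventory format, function names and sample entries are assumptions constructed for the example; it does not use Personal vDisk's own scanner.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Change:
    kind: str              # "added", "removed" or "modified"
    path: str              # file path or registry value path as recorded
    old: Optional[str]     # SHA-256 in the earlier version, None if absent
    new: Optional[str]     # SHA-256 in the later version, None if absent


def build_inventory(items: Iterable[Tuple[str, bytes]]) -> Dict[str, Tuple[str, str]]:
    """Map a case-folded path to (path as recorded, SHA-256 of its content).

    Windows file paths and registry paths are case-insensitive, so the key is
    case-folded to stop a change in case only from showing up as add + remove.
    """
    inventory = {}
    for path, content in items:
        inventory[path.casefold()] = (path, hashlib.sha256(content).hexdigest())
    return inventory


def diff_inventories(old, new) -> List[Change]:
    """Return every addition, removal and modification between two versions."""
    changes = []
    for key in sorted(old.keys() | new.keys()):
        before, after = old.get(key), new.get(key)
        if before is None:
            changes.append(Change("added", after[0], None, after[1]))
        elif after is None:
            changes.append(Change("removed", before[0], before[1], None))
        elif before[1] != after[1]:
            changes.append(Change("modified", after[0], before[1], after[1]))
    return changes


def search(changes: List[Change], term: str) -> List[Change]:
    """Case-insensitive substring search over the change catalogue."""
    needle = term.casefold()
    return [c for c in changes if needle in c.path.casefold()]


# Constructed sample data: two versions of a golden image, reduced to a few entries.
VERSION_1 = build_inventory([
    (r"C:\Windows\System32\drivers\etc\hosts", b"127.0.0.1 localhost\n"),
    (r"C:\Program Files\Vendor\agent.exe", b"agent build 1"),
    (r"HKLM\SOFTWARE\Vendor\Agent\UpdateUrl", b"https://updates.example.invalid"),
    (r"C:\Temp\installer.log", b"setup finished"),
])
VERSION_2 = build_inventory([
    (r"C:\Windows\System32\drivers\etc\hosts", b"127.0.0.1 localhost\n10.0.0.5 portal\n"),
    (r"c:\program files\vendor\agent.exe", b"agent build 1"),   # case change only
    (r"HKLM\SOFTWARE\Vendor\Agent\UpdateUrl", b"https://updates.example.invalid"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Helper", b"C:\\Tools\\helper.exe"),
])

if __name__ == "__main__":
    for change in diff_inventories(VERSION_1, VERSION_2):
        print(f"{change.kind:9} {change.path}")
```

A review before sealing the image would start with entries such as the new `Run` value and the modified `hosts` file, since both change what the image does at boot or on the network.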
I can’t see wrapping a GUI around this auditing as being a challenge, this is Citrix we’re talking about! And as Citrix has mostly adopted Microsoft’s vhd file type, it would be a single image type to scan.
For me, this would address my concerns with moving most implementations from automated installs, to snapshot mechanisms while still achieving auditing and a deep view of the changes to the file system.
So Citrix, please consider this approach, it would be an immediate value add and put your image management head and shoulders above your competition.
So what do you the readers think? Would this give you more confidence of changes by others? Do you see this technology and a post change report as an extra safe guard on change management?
Just a quick update to address a few bugs found in ThinKiosk 2.2.
- ThinKiosk will now better handle URLs typed incorrectly (i.e. two full stops). Thanks Geert.
- ThinKiosk will now correctly suppress script errors. Thanks Dane / Igor.
- ThinKiosk will no longer allow you to specify a url on first launch, as it was close to impossible to correct due to policy settings.
Offline Configuration tool
- The Offline Configuration tool will no longer allow non administrators to run the application when UAC is turned off.
- The Offline configuration tool has been updated to include an option to log off the desktop when a remote session ends.
Caffeine integration is still not quite finished, so expect it in 2.3.
ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings it’s made for you, please consider making a donation to help me keep this project alive… I would really appreciate it!
This was a bit of a revelation to me, but after thinking about it, it makes perfect sense and I feel a bit naive for overlooking this use case originally!
Before I launch into my little discovery, here’s something I want to share:
Since ThinKiosk was released in January, it’s been downloaded over 5,000 times and I have counted (only from those who have contacted me) that there are well over 10,000 instances running in customer environments to this day. Version 1 was released with just 700 lines of code and version 2.3 is just shy of 6,000. This is absolutely amazing to me, seeing an idea that I thought was a “Publish and Forget” blog post be embraced so passionately by the community. So for this, I just wanted to thank you guys for all your help, support and ideas.
Anyway, back to it. While reviewing my emails recently, it struck me that there are many, many customers using ThinKiosk, not on old PC’s which I had written the program for, but on Thin Clients from top vendors… Now this doesn’t bother me one bit, as the more people using this tool the better, but why aren’t these people using Linux Thin Clients? I’m a large advocate of linux based thin clients in my day job, hell, they’re much cheaper, easier to manage and in most cases boot faster… Why choose Windows?
So confused and curious, I decided to perform a little poll on Twitter:
"Monday morning poll, why do you choose Windows based thin clients?"
And to my surprise, the feedback was great, below I’ve included the top reasons why community members choose Windows Thin Clients:
- HDX Redirection (Aero, Flash, Printing, Scanning)
- Better feature set on Windows / Future proof for upcoming features.
- Central Management via Active Directory / Group Policy.
- Driver support (proxy cards, smart cards)
- Familiar User Interface.
- Familiar support platform / Unified support platform / No in house linux knowledge.
So all this got me thinking, even with a list that long of why Windows based thin clients are preferred, why are these guys using ThinKiosk on out of box Thin Clients? Surely a paid for solution will be an end to end solution?
Well not really and why is this? Citrix receiver.
Citrix receiver for Windows (Previously the Program Neighbourhood agent) has been designed for published applications running inside of the users local desktop session, not for Thin Clients connecting to virtual desktops and this is very clear when you consider that Receiver will by default place your published desktop on the start menu or desktop of your session.
This approach will normally lead you to have to log the user into the Thin Client as themselves, which you would prefer to be locked down in the first place. This also leaves you with the challenge of how do you log them off after their desktop session has ended!
Sure Citrix have added some additional desktop related functionality along the way (Desktop Viewer) but even desktop viewer itself is designed for running inside a users session allowing the user to jump back to the local device via the home button.. which can’t subsequently be locked down sadly.
Citrix did also release the desktop lock tool, which is good for very small use cases, but lacks the functionality of multiple desktops, workspace control, user customisations etc… Hence why ThinKiosk came to be!
Thin Client vendor work around?
Most Thin Client vendors will allow you to present glorified shortcuts to ICA files on the desktop of the Thin Client device, or auto launch them on boot… But this approach eliminates the benefits of Workspace Control, XenApp preferential load balancing and requires trickery to get pass through authentication to work… Not only this but managing these shortcuts in a multi desktop and multi language environment where users roam from country to country is a complete administrative nightmare!
But What about the web access products from Citrix?
Now the obvious alternative to the Citrix Receiver is Citrix’s web access platforms… The Web Interface or Cloud Gateway, unlike the desktop lock or ICA files, offers multiple desktops, workspace control, load balancing policies etc. You can also leverage Web Interface’s built in password changing feature for the user without them having to be logged in to the local device and even allow them to reset their own password or unlock their account with Citrix Single Sign on!
And the best part is? The users will already be very familiar with this interface if you have an Access Gateway or Secure Gateway for remote access.
Aha! now it makes sense!
I accidentally provided an easy to use, unified access approach across all windows devices…and I feel blind for not seeing it before!
What ThinKiosk also accidentally addressed, was allowing this web access platform to be leveraged with ease, security and minimal configuration… from any windows platform, Thin Client or old pc.
So in short, I think this was the success story for ThinKiosk I hadn’t considered… so much so that I’ve changed my own approach and mindset for Linux based Thin Clients too, locking down a local copy of Firefox and presenting the Web Interface or Cloud Gateway.
So if you’re considering rolling in Windows Thin Clients for your current or next VDI project… Consider using ThinKiosk, it’ll save you a lot of pain, will work seamlessly with all your clients (thin or fat), and will save you time in management in the long run!