Secure Remote Worker: Full Initial Setup Guide

How to start building your environment

Written by Ines

Last published at: April 27th, 2021

After you've set up your Management Server and Management Console, you're ready to start preparing your environment for testing.

NOTE: Read up on the content of the Management Console to be able to navigate easily.

Device Folder

Begin by building your Device Folder hierarchy.

For demonstration purposes we will create a "ClientA" folder:

Right-click the folder and click on Edit Folder. This brings up the folder configuration window.

Enable Custom Device Properties to make the rest of the options available, then enable the following:


Device Idle Timeout - the time interval after which the device shows as offline in the Console.

Device Reconnect Timeout - how often the Devices in this folder reach out to the Server for new rules, profile and software updates.

Encrypt Profile - vital for Secure Remote Worker as it encrypts the local file of the downloaded profile so it cannot be read from outside of the SRW UI.

Refresh Profile on UI Start - whenever the end-user starts the SRW UI, the client will request profile updates from the Server

Allow known device to re-authenticate - Devices re-authenticate every time they connect to the Server. If this is disabled and the SRW client is reinstalled on a machine, the device will not be able to authenticate to the Server.

Collect Windows Updates Info - very handy to have enabled so that the administrator of the Console is able to see the latest installed Windows Updates


Clients Command Settings - Don't perform profile refresh if UI is active - when the profile refreshes, it kicks the user out of the SRW UI. This option prevents that.

Enable Logging - collects all event logs.

Profile Folder

It's always easier to keep track of what profiles belong to which client if you name your Profile Folders the same as the Device Folders.

For example, if the Device Folder is "ClientA", then the Profile Folder containing profiles for this client would also be "ClientA".

Site (pre- version 7.0)

Create a new site for your ClientA using the following options:


Username and Password - need to be unique for each Site. They are what the Client will use for authentication with the Site.

Enabled - whether the Site is in use or not.

Allow unknown devices to authenticate - If this option is disabled, this Site will only accept installations that have already been assigned an ID (existing devices).

Default Device Folder - choose the landing Device Folder into which the new Client will be placed after authentication.

Move device to the default folder during installation - With this option, a device automatically receives a profile, software packages and other configuration rules without manual intervention. The other option keeps moving the device to the specified landing folder, which may not be ideal if the administrator decides to manually drag and drop the device to another Device Folder at some point.

Access Keys (version 7.0 and onward)

Access Keys are the new and improved version of the Sites found in previous versions of the Console.

Create a new Access Key and fill in the following options:



Enabled - whether the Access Key (AK) is in use or not.

New Device Registration Key - a key that new clients will use for authentication with the AK.

Allow unknown devices to authenticate - If this option is disabled, this AK will only accept installations that have already been assigned an ID in the database (existing devices).

Default Device Folder - choose the landing Device Folder into which the new Client will be placed after authentication.

Move device to the default folder during installation - With this option, a device automatically receives a profile, software packages and other configuration rules without manual intervention. The other option keeps moving the device to the specified landing folder, which may not be ideal if the administrator decides to manually drag and drop the device to another Device Folder at some point.


If you have clients with versions older than 7.0, enable legacy authentication as well. It works the same way as with Sites: the client authenticates using an encrypted username and password instead of a Registration Key. Both options, however, will register the client so that it uses the Registration Key for future changes.



Profile

Note: You can find the full Profile Configuration guide here.

If you're just starting off with profile creation, you will first want to take care of the applications and appearance, and then look into the security section once you're happy with the UI that will be available to the end-user.

Otherwise, SRW will not launch, because the default security settings prevent it from launching unless the Windows Firewall is healthy, Windows Updates compliance is healthy, etc.

So for starters you will want to have the following options configured as below:

Access Policies > Access Policies


Computer Settings > Ctrl+Alt+Del Screen

End Point Protection > Windows Security Centre Detection


End Point Protection > Windows Patch Management


End Point Protection > Windows Firewall Control

End Point Security > Wi-Fi Adapters

End Point Security > Virtual Machine Detection

End Point Security > Application Execution Prevention

End Point Security > Service Execution Prevention

Software Package Installation


Now you can start working on your UI appearance and Local Applications. (Article: Getting to Know your Secure Remote Worker Profile)

To test out the end-user experience, assign the profile to the Device Folder so that it can be applied before you install the client on a device.

  1. Select the "ClientA" Device Folder.
  2. In the right pane, click on the Profiles tab.
  3. Right-click the Profile space below and choose Assign Profile (or use the button on the ribbon bar).
  4. Then navigate to the ClientA Profile Folder in the popup and choose your desired profile. End result:





When you're happy with the appearance and available applications/browser settings, you can start working on your security (the options we've disabled previously). More details on the configuration can be found in the Secure Remote Worker Client Admin Guide.