ThinKiosk and Imprivata Integration

This article will outline the required steps in order to use ThinKiosk with Imprivata OneSign. #TK-KB9

Written by Giuseppe

Last published at: February 28th, 2024

ThinKiosk works with Imprivata OneSign, but a few settings are required.

------------------------------------------------------------

During tap/unlock, ThinKiosk needs to be called with the following command line:

  • ThinKiosk.exe -l -u=<username> -p=<password> -d=<domain>


This command line will cause ThinKiosk to automatically log in, enumerate and launch resources based on your ThinKiosk profile. If an instance of ThinKiosk is already running it will connect to that running instance and perform the login.


During tap/lock, the following command line needs to be called:

  • ThinKiosk.exe -imprivataLock


When ThinKiosk receives this command line, it hides all remote Citrix / RDP / VMware windows and the ThinKiosk UI window itself. This is done for security reasons, so that if a different user taps back in they don’t see the previous user’s sessions. If the same user logs back in, ThinKiosk simply un-hides itself and any remote desktop window that was previously hidden. This gives a very fast user experience for the same user tapping in and out.


You will need to add the following registry key to enable our command-line options

HKLM\Software\WOW6432Node\ThinKiosk\ImprivataMode ( REG_DWORD ) : 1
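
A preflight check for the settings above, as an added example that is not ThinKiosk or Imprivata code: it confirms the ImprivataMode value and reports whether Windows includes command lines in process-creation events, in which case the -p=<password> argument is recorded in the Security log. The function name is hypothetical, the install folders are the ones used by this article's scripts, and the audit policy value is the standard Windows one rather than anything from the article.

```powershell
# Added example; the function name is hypothetical.
function Test-ThinKioskImprivataReadiness {
    [CmdletBinding()]
    param(
        # Registry key from the article (32-bit view on 64-bit Windows).
        [string]$KeyPath = 'HKLM:\Software\WOW6432Node\ThinKiosk',
        # Install folders used by the article's VBS scripts.
        [string[]]$InstallDirs = @('C:\Program Files (x86)\ThinKiosk',
                                   'C:\Program Files\ThinKiosk')
    )

    # 1. ImprivataMode must exist as a REG_DWORD with value 1.
    $mode = $null; $kind = $null
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains 'ImprivataMode')) {
        $mode = $key.GetValue('ImprivataMode')
        $kind = $key.GetValueKind('ImprivataMode')
    }

    # 2. Locate the executable that the lock script calls.
    $exe = $InstallDirs | ForEach-Object { Join-Path $_ 'thinkiosk.exe' } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
        Select-Object -First 1

    # 3. Standard Windows policy value (not from the article): when it is 1 and
    #    process-creation auditing is on, event 4688 stores the full command
    #    line, including the -p=<password> argument passed at tap/unlock.
    $auditKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $audit = Get-ItemProperty -LiteralPath $auditKey `
        -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    $logged = [bool]($audit -and $audit.ProcessCreationIncludeCmdLine_Enabled -eq 1)

    [pscustomobject]@{
        ImprivataModeEnabled = ($mode -eq 1 -and
                                $kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)
        ThinKioskExe         = $exe
        CommandLineAudited   = $logged
    }
}

Test-ThinKioskImprivataReadiness | Format-List
```

If CommandLineAudited is True, restrict who can read the Security log on the endpoint and anywhere those events are forwarded.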


Here is the configuration that is required in OneSign.


  • ThinKiosk utilizes the Imprivata Extensions, see the following screen and select “Extensions”


Then select “Procedure Code”.

You need a minimum of 3 procedures/extensions:


ThinKiosk–Start, which is launched when the user logs in or does a desktop unlock. We’ve found it is best to use a VBS script.

This example script makes it possible to use a 32-bit or a 64-bit OS with one policy. If you are only using 64-bit (so no embedded OS), you can use a single command instead.


Dim objShell, objFSO, objFile, strPath, strCMD

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'enter the path for TK (the x86 folder exists only on a 64-bit OS)
If objFSO.FolderExists("C:\Program Files (x86)") Then
    strPath = "C:\Program Files (x86)\ThinKiosk\iexplore.exe"
Else
    strPath = "C:\Program Files\ThinKiosk\iexplore.exe"
End If

'verify the file exists
If objFSO.FileExists(strPath) Then
    'return short path name, so the command needs no quoting
    Set objFile = objFSO.GetFile(strPath)
    '-u and -p take the OneSign variables; replace "domain" with your domain name
    strCMD = objFile.ShortPath & " -l -u={VAR SSOUSR} -p={VAR SSOPWD} -d=domain"
    'window style 0 = run hidden
    objShell.Run strCMD, 0
Else
    WScript.Echo "Failed to find " & strPath
    WScript.Quit
End If


Then you need a script to initiate the -ImprivataLock switch command:


Dim objShell, objFSO, objFile, strPath, strPAR, strCMD

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'enter the path for TK (the x86 folder exists only on a 64-bit OS)
If objFSO.FolderExists("C:\Program Files (x86)") Then
    strPath = "C:\Program Files (x86)\ThinKiosk\thinkiosk.exe"
Else
    strPath = "C:\Program Files\ThinKiosk\thinkiosk.exe"
End If

'Command Argument (the leading space separates it from the path)
strPAR = " -imprivatalock"

'verify the file exists
If objFSO.FileExists(strPath) Then
    'return short path name, so the command needs no quoting
    Set objFile = objFSO.GetFile(strPath)
    strCMD = objFile.ShortPath
    'window style 0 = run hidden
    objShell.Run strCMD & strPAR, 0
Else
    WScript.Echo "Failed to find " & strPath
    WScript.Quit
End If


And finally, you need another procedure for when the user presses “Cancel” on the Imprivata login box, which initiates a lock:


Finally, you need to enable these extensions in the computer policies that are applied to the PC: