Deploy ACD using MS group policies
Contents
Introduction
These are the instructions to use the windows group policies to "deploy" the AuthControl Desktop (Credential Provider).
Steps
1 - Install the Credential Provider on a single machine. Configure it as required, then use File, Export Settings from the configuration program to create a settings file named acd.xml. Alternatively, if you have a pre-configured build, there is no need for this step.
2 - Create a network share that can be accessed by all computers. Copy both the credential provider MSI and acd.xml (if required) to that folder.
3 - From the domain controller, in Server Manager, select the Tools menu, then "Group Policy Management".
4 - Select the domain node on the left-hand window. Right-click and choose "Create a GPO in this domain and link it here".
5 - Give the GPO a name, such as "AuthControl Credential Provider", and click OK.
6 - Under Group Policy Objects, find the GPO you just created, right-click on it and click Edit.
7 - Choose Computer Configuration, Policies, Software Settings, Software installation. Right-click and select New -> Package.
8 - From the file browser, enter the location of the MSI. It must be entered as a network share, i.e. \\Computer\Share\AuthControlCredentialProvider.msi. Leave deployment method as "Assigned".
9 - Choose User Configuration, Policies, Software Settings, Software installation and repeat the last 2 steps, except this time, the deployment method should be "Published".
10 - Close the editor and left-click on the GPO. Under Scope you should see the domain name in the Links section. Right-click on it and check "Enforced". Note that this will install the CP on every computer in the domain. It should be possible to restrict the policy to a single Organisational Unit, by applying the GPO link to that OU. You can only apply policies to domains or OUs, not ordinary containers. You can also restrict the policy by creating a group of computers and adding that group to Security Filtering.
9a) Choose User Configuration, Policies, Software Settings, Software installation. Right-click and select New -> Package.
9b) From the file browser, enter the location of the MSI. It must be entered as a network share, i.e. \\Computer\Share\AuthControlCredentialProvider.msi. Set deployment method to "Published".
Notes
Our understanding is that steps 7 and 8 make the software available for network installation. This step installs the software automatically if it is not yet installed, the next time each user connects to the domain.
The notes on the final step suggest how you can restrict which computers have the WCP installed.
Check the link below for more details:
Changing Settings
If you want to change the settings for computers that already have AuthControl Desktop installed, for example, to enable or disable test mode, currently the only way to do this is to change the registry settings directly.
All the settings are in the following registry key:
\\HKEY_LOCAL_MACHINE\SOFTWARE\Swivel Secure\AuthControl Desktop
You will need to know the names of the settings in the registry: please contact Swivel Secure support for specific requests. We will give an example below of enabling or disabling Test Mode, for which the setting name is "TestMode".
- Open "Group Policy Management" from a Domain Controller.
- Right-click on the domain, or an OU if you only want to apply the policy to a subset
- Select "Create a GPO in this domain and link it here". Give the GPO a name.
- Right-click on the GPO and select "Edit"
- Expand the tree for "Computer Configuration" -> "Preferences" -> "Windows Settings" -> "Registry"
- Right-click on "Registry" and select New -> Registry Item
- Make sure that action is "Update" and Hive is "HKEY_LOCAL_MACHINE"
- Enter Key Path as "SOFTWARE\Swivel Secure\AuthControl Desktop". Make sure you type this correctly, including the correct spacing
- Enter the Value name as "TestMode". To change a different value, enter the name as given by Swivel Secure
- Set the value type to REG_DWORD (this is for numeric or on/off settings - for text settings use REG_SZ)
- Set the value data to 1 to enable TestMode, or 0 to disable it.
- Click OK
Note two points:
- The settings are only applied when a computer is restarted
- The settings are not applied immediately, so it is possible that the first login after restart will still use the old settings.