19.3 Configuring Secure Workstation Events

This section provides information on the following:

19.3.1 Configuring an Inactivity Timeout Event

The following figure illustrates the dialog box for configuring Inactivity Timeout events:

Figure 19-4 Configuring Inactivity Timeout

This dialog box enables you to specify the inactivity timeout and configure a warning that is displayed just before the inactivity timeout is reached.

You can configure a .wav file to be played when the warning is shown. You can also specify an .avi file to be played for the warning. To configure these features:

  1. Click Start > Programs > Novell SecureLogin > Novell SecureWorkstation. The local policy editor opens.

  2. Under the Events list, click Inactivity Timeout.

  3. Click Edit Event.

  4. Select Warn User Before Inactivity Timeout > Customize.

  5. Select an option.

  6. Browse to select .avi or .wav files.

  7. Click OK.

The warning message can accommodate .avi files that display images of any size.

The warning dialog box is displayed for the last few seconds of the inactivity timeout. You can specify the number of seconds that the warning dialog box is displayed. For example, if you set an inactivity timeout of thirty seconds and configure the warning dialog box to display for ten seconds, Secure Workstation displays the warning dialog box after twenty seconds of inactivity.

19.3.2 Configuring a Device Removal Event

The following figure illustrates the dialog box for configuring a Device Removal event:

Figure 19-5 Configuring a Device Removal Event

This dialog box enables you to specify which devices are included in the policy. If a device is included in the policy, it must be present during the user's session. If a device in the list is not present, Secure Workstation executes the lock action.

  1. Click Start > Programs > Novell SecureLogin > Novell SecureWorkstation. The local policy editor opens.

  2. Under the Events list, click Device Removal.

  3. Click Edit Event.

  4. Select Activate Device Removal.

  5. Select the lock actions you want.

  6. Select the devices to monitor:

    • Select All Registered Devices if you want to monitor all the devices that are registered.

    • Select Selected Devices in Device List if you want to monitor specific devices, then select the devices you want to monitor.

      The Devices to Monitor for Removal section contains a list of devices that are registered with the Secure Workstation.

      For Novell SecureLogin, both the Universal Smart Card and pcProx Methods for NMAS can report device removal events to Secure Workstation.

      Other NMAS partners have also implemented devices that can report device removal events to Secure Workstation. If you want to use a device that does not show up in the list, make sure that you have installed the NMAS Login Client Method for the device. If the device still doesn’t show up, check with the vendor of the device to ensure that it will work with Secure Workstation.

  7. Click OK.

19.3.3 Configuring a Network Logout Event

The following figure illustrates a Network Logout event:

Figure 19-6 Configuring a Network Logout Event

A Network Logout event is triggered when a user logs out of the network. This event could be triggered by either Client32 or the LDAP Authentication Client, depending on which client is present.

One of the intended uses of the Network Logout event is to close programs that the user might have used for single sign-on through Novell SecureLogin. This event might also be used to display a login dialog box or run a script when the user logs out. For more information, see The Post-Policy Command.

This event has a different set of lock actions than the other events. The Default Action list contains the following actions:

  • Log Out of the Workstation

  • Close All Programs

  • Only Execute the Post-Policy Command

The Action for Terminal Services Clients list contains the following actions:

  • Log Out of the Workstation

  • Close All Programs

  • Disconnect the Session

  • Only Execute the Post-Policy Command

The Default Action list does not include the following actions:

  • Lock the Workstation

    This action has been omitted because of the behavior of the GINA. If a network connection isn’t present when the workstation is locked, the Client32 GINA won’t allow the workstation to be unlocked with an eDirectory authentication.

  • Log Out of the Network

    This action has been omitted because it doesn’t make sense to log out of the network in response to a network logout event.

The Network Logout event is the only event that includes the Only Execute the Post-Policy Command action. This action is actually a substitute for the Log Out of the Network action that is available with other events. If you want to execute a Post-Policy command on network logout, but not do anything else, use this action.

You can use the Post-Policy command to display a login dialog box or run a script. For more information, see The Post-Policy Command.

19.3.4 Configuring the Manual Lock Event

The Manual Lock event gives users the ability to manually trigger Secure Workstation. A user can manually trigger Secure Workstation either by clicking the Logoff button on the Quick Logon/Logoff Interface or by executing SWLock.exe in the System32 directory.

The following figure illustrates the Manual Lock dialog box:

Figure 19-7 Configuring the Manual Lock Event

To configure Manual Lock:

  1. Select Manual Lock from the main page, then click Edit Event.

  2. Select the Activate Manual Lock check box.

  3. (Optional) Select an option from the Default Action drop-down list.

  4. (Optional) Select an option from the Action for Terminal Services Clients drop-down list.

19.3.5 Advanced Settings

The following figure illustrates the Advanced Settings dialog box:

Figure 19-8 The Advanced Settings

To configure advanced settings, click Advanced on Secure Workstation’s main dialog box.

Terminating Applications

The Force Termination of Non-Responding Applications When Logging Out of Windows check box affects the way programs are shut down when Secure Workstation logs a user out of Windows. If this check box is selected, Windows terminates programs that do not respond to a Close message in a timely manner. This setting logs the user out of Windows more quickly, but some programs might not get an opportunity to save their data before being terminated.

The Wait Before Starting to Terminate Applications When Closing All Programs check box is similar, except that it controls the behavior of the Close All Programs action. When Secure Workstation closes programs, it always sends a Close message to each program to tell it to shut down. If the Wait Before Starting to Terminate Applications When Closing All Programs check box is not selected, Secure Workstation does nothing else to close the programs. The result is that some programs might not shut down.

For example, if Microsoft Word has an unsaved document, Secure Workstation might display a Save As dialog box.

On the other hand, if the Wait Before Starting to Terminate Applications When Closing All Programs check box is selected, Secure Workstation checks to see if the programs are still running after the specified timeout. Any programs that are still running at this point are terminated and might not have a chance to save their data.

You can use the Program List to specify which programs should be closed when Secure Workstation executes a Close All Programs action.

If you select Close Only the Programs Specified in the Program List, Secure Workstation closes only the programs listed.

If you select Close All Programs Except Those Specified in the Program List, Secure Workstation closes all programs except those specifically listed.

NOTE: If you select Close All Programs Except Those Specified in the Program List, SecureLogin closes every program in the user’s sessions except those listed. This closing includes explorer.exe, the process associated with the user’s desktop.

Secure Workstation closes only the programs that the currently logged in Windows user has sufficient rights to close on his or her own. Programs that the user does not have rights to (such as a service running as the LocalSystem account) are not closed.

When Secure Workstation is running on a Terminal Server, only the programs in the current user's session are closed. Programs running in other users' sessions aren’t affected.

You don't need to specify the full path and name of each program in the program list. For example, instead of adding c:\winnt\system32\notepad.exe to the list, you could just add Notepad.exe.

However, if you do not specify the full path, the entry applies to all programs with that name, regardless of the path. For instance, listing Notepad.exe in the list without the path would match both c:\winnt\system32\notepad.exe and c:\documents and settings\user\notepad.exe.

You can also use environment variables in the program list. For example, you could specify %systemroot%\System32\notepad.exe instead of c:\winnt\system32\notepad.exe.
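The following added example (not Novell code) models the Program List matching rules described above so that a list can be reviewed before it is deployed. The function names, the sample environment, the sample process list and the case-insensitive comparison are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample data (not from the product): environment and process list.
ENV = {"systemroot": r"c:\winnt"}
RUNNING = [
    r"c:\winnt\system32\notepad.exe",
    r"c:\documents and settings\user\notepad.exe",
    r"c:\winnt\explorer.exe",
    r"c:\program files\app\app.exe",
]

def expand(entry, env=ENV):
    """Expand %VAR% references; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), entry)

def has_path(entry, env=ENV):
    """True when the entry names a directory as well as a file."""
    return bool(ntpath.dirname(expand(entry, env)))

def entry_matches(entry, process_path, env=ENV):
    """Name-only entries match any path; entries with a path match exactly."""
    # Assumption: comparison is case-insensitive, as Windows file names are.
    wanted = ntpath.normcase(ntpath.normpath(expand(entry, env)))
    proc = ntpath.normcase(ntpath.normpath(process_path))
    if has_path(entry, env):
        return wanted == proc
    return wanted == ntpath.basename(proc)

def programs_to_close(mode, program_list, running=RUNNING, env=ENV):
    """mode is 'only_listed' or 'all_except_listed' (the two options above)."""
    listed = [p for p in running
              if any(entry_matches(e, p, env) for e in program_list)]
    if mode == "only_listed":
        return listed
    return [p for p in running if p not in listed]

def name_only_entries(program_list, env=ENV):
    """Audit helper: entries without a path, which match by name in any folder."""
    return [e for e in program_list if not has_path(e, env)]
```

Running `programs_to_close("all_except_listed", ...)` against the sample list shows explorer.exe among the programs closed, as the NOTE above warns, and `name_only_entries` identifies the entries that should be given a full path when the list is used as an exception list.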

The Post-Policy Command

The Post-Policy command is a command that is executed after Secure Workstation executes the lock action. This feature was designed to display a login dialog box after a Close All Programs or Log Out of the Network action has been executed. However, you can use this feature to run any program or script. You must provide the full path and name of the program to run.

To display the login dialog box, use loginw32.exe for Client32 or nldaplgn.exe for the LDAP Authentication Client. Depending on the mode of installation, one of these programs is located in the system32 directory.

If you have configured the Network Logout event, Secure Workstation restarts the program specified in the Post-Policy command if it terminates before a user is logged in. This allows the login dialog box to be displayed again if a user clicks Cancel.

For more information on configuring events for Secure Workstation, see Novell Technical Information Document 3407572 - Registry Keys and Values Used By Secure Workstations.