John,
We dropped DeepFreeze over a decade ago, and it clearly sounds like it has improved. Back then, the big problem was something to do with the unfreeze window and the update and reboot windows always seeming to fall out of alignment which ended up with some hosed machines and some unpatched machines (often within the same lab). Workstation management has changed enormously (for us) since then.
Regardless, with all users (generic included) being unprivileged users, the only reason I would be interested in DeepFreeze would be to sanitize the user profile on boot, and I can do that in other ways for free. Also, it still wouldn't resolve the concerns of multiple users within the same login session.
Thanks,
Erich
On Thursday, December 14, 2023 at 12:20, John Lolis eloquently inscribed:
> I find your report of Deep Freeze being "fiddly" surprising. We've been
> using it for years for our in-house public access computers, and it's been
> rare that we've come across an issue. That notwithstanding, there's also
> Reboot Restore Rx which only reverts to a saved configuration on demand,
> not automatically upon reboot. We use it for our circulating laptops which
> of course you don't want to restore with every reboot. There's also a free
> version for home use: https://horizondatasys.com/reboot-restore-rx/.
>
> Other than that, it's possible to script something that overwrites the
> browser profile with the original, first-use one so that things are back
> to square one as far as the browser is concerned. I did just that years
> ago with a home-grown Linux OPAC kiosk using Chromium that would check
> for the browser process and if it wasn't running, would kick off another
> script that overwrote the profile to clear the history and relaunch
> Chromium.
>
> As for dealing with authentication for MS365 and other cloud-based services
> on shared computers, I feel your pain, Erich. I've reached the conclusion
> that we as IT professionals spend far too much time working with or around
> authentication processes and procedures all because it's become an abysmal
> mess--and one that's continually foisted upon us whether we like it or not
> by one nanny or the other: Microsoft, Google, Apple, et al.
>
> John Lolis
> Coordinator of Computer Systems
>
> 100 Martine Avenue
> White Plains, NY 10601
>
> tel: 1.914.422.1497
> fax: 1.914.422.1452
>
> https://whiteplainslibrary.org/
>
> *“I would rather have questions that can’t be answered than answers that
> can’t be questioned.”* — Richard Feynman
> <https://click.fourhourmail.com/5qure95xkf7hvvo93wh2/7qh7h8h05vr4zrtz/
> aHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvUmljaGFyZF9GZXlubWFu>,
> theoretical physicist and recipient of the Nobel Prize in Physics in 1965
>
> On Thu, 14 Dec 2023 at 10:33, Hammer, Erich F <[log in to unmask]> wrote:
>
>> Ray,
>>
>> Because none of the users is an administrator on these workstations, I
>> have no concerns about resetting the machines back to a previous state. If
>> users log in as themselves, they can't affect other users. If they log in
>> with a generic account, they won't/don't log out (so no reboots until the
>> update system forces it). One of my questions about the circulation desks
>> is whether they are logging out of their cloud services (i.e. Alma) or
>> closing the browser any time they step away during "the swirl". If not,
>> then they are violating the University usage policy (using other peoples
>> accounts). If they are, then how much different would it be to just log
>> out of Windows completely.
>>
>> In my previous job, we wrestled with DeepFreeze for years for our labs and
>> found it very "fiddly". It definitely was *not* trouble free, and we
>> ultimately dropped it as Windows (and apps) got much better about
>> restricting unprivileged users to their own profile.
>>
>> Appreciate the feedback anyway.
>>
>> Erich
>>
>>
>> On Thursday, December 14, 2023 at 10:01, Ray Voelker eloquently
>> inscribed:
>>
>>> This doesn't really solve your "shared login" problem, but I was always a
>>> big fan of using the DeepFreeze software on shared computers. It does a
>>> fantastic job of preventing those changes you were talking about from
>>> "sticking" -- especially if you force a reboot after logout, which isn't
>>> too hard to create a logout script to do that.
>>>
>>> https://www.faronics.com/deep-freeze-on-cloud
>>>
>>> --Ray
>>>
>>> On Thu, Dec 14, 2023 at 9:36 AM Hammer, Erich F <[log in to unmask]>
>>> wrote:
>>>
>>>> All,
>>>>
>>>> First, I apologize because this is much more of an IT question than a
>>>> coding question, but I come from an IT/desktop support background
>>>> with a particular interest in security.
>>>>
>>>> How are larger, academic libraries securing your employee-used,
>>>> shared workstations -- specifically, the circulation desk machines
>>>> and the back-end, ILL scanning stations? I have been trying mightily
>>>> for a few years to eliminate the shared-password generic accounts
>>>> because they present a real security/privacy concern. I am running
>>>> into some real road-blocks though, and I'm wondering if anyone here
>>>> has found solutions that work.
>>>>
>>>> Having viewed the chaotic state of the circulation desk with the
>>>> constant churn of employees using the stations, I have conceded that
>>>> it is better to use a generic login than to have folks log in/out
>>>> constantly.
>>>>
>>>> The ILL employees who do a lot of scanning don't have the rapid-fire
>>>> turnover at their workstations, but they (or their manager) is
>>>> insisting on a generic login because the scans need to be saved in a
>>>> specific, network location and Acrobat has no mechanism to set the
>>>> default save location for all users. (I hate Adobe!) When we have
>>>> tried using personal logins, folks forget, don't notice, or don't know
>>>> about watching that the PDFs are saved in the proper location, and
>>>> those scans have to be redone by someone else or are inaccessible
>>>> within the particular employee's private user profile until they return
>>>> to work (which could be days-weeks with student employees).
>>>>
>>>> In both cases, users still need to sign into services as themselves
>>>> (the LSP -- Alma --, scheduling, wiki documentation, ILLiad, etc.),
>>>> so I'm not really sure what the security advantages are with the
>>>> generic account (especially for ILL scanning). I've had to push
>>>> settings to prevent the browsers (Edge, Chrome and FireFox) from
>>>> saving passwords. I also have automated scripts running to regularly
>>>> blow away the MS Teams configuration to prevent users from using it
>>>> as someone else. (Teams "helpfully" remembers credentials for
>>>> one-click login even after logging out of it and rebooting.) I have
>>>> not been able to find a way to do the same with MS Office, so I have
>>>> been forced to uninstall it completely. Otherwise, everyone who uses
>>>> it while logged onto the computer with the generic account is signed
>>>> into/owns all the M365 documents as the user who first used it (and
>>>> had to sign into M365).
>>>>
>>>> The lack of Microsoft Office is the particular issue that I'm being
>>>> pressed on to prompt me to post this. I should add that I can't use
>>>> device licenses for M365 (where login/registration isn't required)
>>>> because they only work with Azure Active Directory which we do not
>>>> have. What are you all doing? I've been considering trying to set
>>>> circ desk systems up as mulit-app, auto-login kiosks so at least we
>>>> don't need to share the generic password, but the other problems
>>>> still remain.
>>>>
>>>> Any feedback is appreciated.
>>>>
>>>> Thanks,
>>>> Erich
>>>>
>>>>
>>>>
>>>> --
>>>> Erich Hammer Head of Library Systems
>>>> [log in to unmask] University Libraries
>>>> 518-442-3891 University @ Albany
>>>>
>>>> "Faith is the unflagging determination to remain ignorant
>>>> in the face of any and all evidence that you're ignorant."
>>>> -- Shaun Mason
>>>
>>>
>>
>>
>>
|