Another thing that came up (and I forgot about previously) is that in order to print shipping labels, ILLiad requires MS Word be installed. That is a *terrible* design choice considering how many "Google-shops" there are and how expensive MS Office is for single purchases. Consider that LibreOffice is free and open source and also has mail merge capability. Heck, Atlas/OCLC could "steal" the code from LibreOffice to make their product stand-alone.
Anyway, I have not had a chance to test it, but this Group Policy setting looks promising:
User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Miscellaneous
Block signing into Office
Thought someone might find that intriguing too.
Erich
On Thursday, December 14, 2023 at 12:20, John Lolis eloquently inscribed:
> I find your report of Deep Freeze being "fiddly" surprising. We've been
> using it for years for our in-house public access computers, and it's been
> rare that we've come across an issue. That notwithstanding, there's also
> Reboot Restore Rx which only reverts to a saved configuration on demand,
> not automatically upon reboot. We use it for our circulating laptops which
> of course you don't want to restore with every reboot. There's also a free
> version for home use: https://horizondatasys.com/reboot-restore-rx/.
>
> Other than that, it's possible to script something that overwrites the
> browser profile with the original, first-use one so that things are back
> to square one as far as the browser is concerned. I did just that years
> ago with a home-grown Linux OPAC kiosk using Chromium that would check
> for the browser process and if it wasn't running, would kick off another
> script that overwrote the profile to clear the history and relaunch
> Chromium.
>
> As for dealing with authentication for MS365 and other cloud-based services
> on shared computers, I feel your pain, Erich. I've reached the conclusion
> that we as IT professionals spend far too much time working with or around
> authentication processes and procedures all because it's become an abysmal
> mess--and one that's continually foisted upon us whether we like it or not
> by one nanny or the other: Microsoft, Google, Apple, et al.
>
> John Lolis
> Coordinator of Computer Systems
>
> 100 Martine Avenue
> White Plains, NY 10601
>
> tel: 1.914.422.1497
> fax: 1.914.422.1452
>
> https://whiteplainslibrary.org/
>
> *“I would rather have questions that can’t be answered than answers that
> can’t be questioned.”* — Richard Feynman,
> theoretical physicist and recipient of the Nobel Prize in Physics in 1965
>
> On Thu, 14 Dec 2023 at 10:33, Hammer, Erich F <[log in to unmask]> wrote:
>
>> Ray,
>>
>> Because none of the users is an administrator on these workstations, I
>> have no concerns about resetting the machines back to a previous state. If
>> users log in as themselves, they can't affect other users. If they log in
>> with a generic account, they won't/don't log out (so no reboots until the
>> update system forces it). One of my questions about the circulation desks
>> is whether they are logging out of their cloud services (i.e. Alma) or
>> closing the browser any time they step away during "the swirl". If not,
>> then they are violating the University usage policy (using other people's
>> accounts). If they are, then how much different would it be to just log
>> out of Windows completely?
>>
>> In my previous job, we wrestled with DeepFreeze for years for our labs and
>> found it very "fiddly". It definitely was *not* trouble free, and we
>> ultimately dropped it as Windows (and apps) got much better about
>> restricting unprivileged users to their own profile.
>>
>> Appreciate the feedback anyway.
>>
>> Erich
>>
>>
>> On Thursday, December 14, 2023 at 10:01, Ray Voelker eloquently
>> inscribed:
>>
>>> This doesn't really solve your "shared login" problem, but I was always a
>>> big fan of using the DeepFreeze software on shared computers. It does a
>>> fantastic job of preventing those changes you were talking about from
>>> "sticking" -- especially if you force a reboot after logout, which isn't
>>> too hard to create a logout script to do that.
>>>
>>> https://www.faronics.com/deep-freeze-on-cloud
>>>
>>> --Ray
>>>
>>> On Thu, Dec 14, 2023 at 9:36 AM Hammer, Erich F <[log in to unmask]>
>>> wrote:
>>>
>>>> All,
>>>>
>>>> First, I apologize because this is much more of an IT question than a
>>>> coding question, but I come from an IT/desktop support background
>>>> with a particular interest in security.
>>>>
>>>> How are larger, academic libraries securing your employee-used,
>>>> shared workstations -- specifically, the circulation desk machines
>>>> and the back-end, ILL scanning stations? I have been trying mightily
>>>> for a few years to eliminate the shared-password generic accounts
>>>> because they present a real security/privacy concern. I am running
>>>> into some real road-blocks though, and I'm wondering if anyone here
>>>> has found solutions that work.
>>>>
>>>> Having viewed the chaotic state of the circulation desk with the
>>>> constant churn of employees using the stations, I have conceded that
>>>> it is better to use a generic login than to have folks log in/out
>>>> constantly.
>>>>
>>>> The ILL employees who do a lot of scanning don't have the rapid-fire
>>>> turnover at their workstations, but they (or their manager) is
>>>> insisting on a generic login because the scans need to be saved in a
>>>> specific, network location and Acrobat has no mechanism to set the
>>>> default save location for all users. (I hate Adobe!) When we have
>>>> tried using personal logins, folks forget, don't notice, or don't know
>>>> about watching that the PDFs are saved in the proper location, and
>>>> those scans have to be redone by someone else or are inaccessible
>>>> within the particular employee's private user profile until they return
>>>> to work (which could be days-weeks with student employees).
>>>>
>>>> In both cases, users still need to sign into services as themselves
>>>> (the LSP -- Alma --, scheduling, wiki documentation, ILLiad, etc.),
>>>> so I'm not really sure what the security advantages are with the
>>>> generic account (especially for ILL scanning). I've had to push
>>>> settings to prevent the browsers (Edge, Chrome and Firefox) from
>>>> saving passwords. I also have automated scripts running to regularly
>>>> blow away the MS Teams configuration to prevent users from using it
>>>> as someone else. (Teams "helpfully" remembers credentials for
>>>> one-click login even after logging out of it and rebooting.) I have
>>>> not been able to find a way to do the same with MS Office, so I have
>>>> been forced to uninstall it completely. Otherwise, everyone who uses
>>>> it while logged onto the computer with the generic account is signed
>>>> into/owns all the M365 documents as the user who first used it (and
>>>> had to sign into M365).
>>>>
>>>> The lack of Microsoft Office is the particular issue that I'm being
>>>> pressed on to prompt me to post this. I should add that I can't use
>>>> device licenses for M365 (where login/registration isn't required)
>>>> because they only work with Azure Active Directory which we do not
>>>> have. What are you all doing? I've been considering trying to set
>>>> circ desk systems up as multi-app, auto-login kiosks so at least we
>>>> don't need to share the generic password, but the other problems
>>>> still remain.
>>>>
>>>> Any feedback is appreciated.
>>>>
>>>> Thanks,
>>>> Erich
>>>>
>>>>
>>>>
>>>> --
>>>> Erich Hammer Head of Library Systems
>>>> [log in to unmask] University Libraries
>>>> 518-442-3891 University @ Albany
>>>>
>>>> "Faith is the unflagging determination to remain ignorant
>>>> in the face of any and all evidence that you're ignorant."
>>>> -- Shaun Mason
>>>
>>>
>>
>>
>>
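
The browser-profile reset that John Lolis describes in the quoted reply above (watch for the browser process and, once it has exited, overwrite the profile with a first-use copy and relaunch) can be sketched as follows. This is an added example, not his script or anything posted to the list; the template path, profile path and process name are assumptions to adjust per kiosk.

```shell
#!/bin/sh
# Added example: kiosk browser-profile reset watchdog (all paths are assumptions).
TEMPLATE="${TEMPLATE:-/opt/kiosk/profile-template}"  # pristine first-use profile (hypothetical)
PROFILE="${PROFILE:-$HOME/.config/chromium}"         # live profile the browser writes to
BROWSER="${BROWSER:-chromium}"                       # process name to watch (varies by distro)

# True if the current user owns a process with exactly this name.
browser_running() {
    pgrep -u "$(id -u)" -x "$1" >/dev/null 2>&1
}

# Replace the live profile with a fresh copy of the template.
# The copy is staged beside the target first, so a failed copy never
# leaves the kiosk with a half-written profile.
reset_profile() {
    template=$1 profile=$2
    [ -n "$profile" ] && [ "$profile" != "/" ] || return 2  # never rm -rf an empty or root path
    [ -d "$template" ] || return 3                         # no template: keep the old profile
    staging="$profile.new.$$"
    rm -rf "$staging"
    cp -a "$template" "$staging" || { rm -rf "$staging"; return 4; }
    rm -rf "$profile"      # drops history, cookies and saved sessions
    mv "$staging" "$profile"
}

# One watchdog pass. Returns 0 if the profile was reset, 1 if the browser
# is still running, and reset_profile's error code otherwise.
watchdog_once() {
    browser_running "$BROWSER" && return 1
    reset_profile "$TEMPLATE" "$PROFILE" || return $?
    return 0
}

# Loop mode: relaunch the browser only after a successful reset.
if [ "${1:-}" = "--loop" ]; then
    while :; do
        if watchdog_once; then "$BROWSER" --user-data-dir="$PROFILE" & fi
        sleep 5
    done
fi
```

Keep the template directory owned by root and read-only to the kiosk account, so a user session cannot change what every later session starts from.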