Client Policy Settings for Windows

IDPrime Virtual settings are policy settings that are stored in a Windows Administrative Template (ADMX) file, and can be edited using Windows tools with the administrator rights. When edited on the server, the settings can be propagated to client computers.

Client Settings Overview

Administrative Template files are used to display registry-based SafeNet IDPrime Virtual policy settings for editing by the administrator.

SafeNet IDPrime Virtual is deployed and updated using a standard software distribution system, such as Windows Group Policy Objects (GPO) or Microsoft System Management Server (SMS).

Sample Administrative Template files are provided by Thales in the IDPrime Virtual software package are:

Use the Active Directory Group Policy Object Editor (GPO) to configure the Administrative Template ADMX files:

• When configured on a client, SafeNet IDPrime Virtual settings apply to the local computer only.

• When configured on a server, SafeNet IDPrime Virtual settings can be set to be propagated to the entire domain, or to apply to the domain controllers only.

The Administrative Template files provided by Thales are configured to write registry settings on 64-bit at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Thales\SafeNet IDPrime Virtual

If you are installing IDPV Client with admx and adml files from the release package, you need to manually provide the registry settings like Proxy and DisableNotification. For more information, refer to Setting up Registry Keys Manually section.

Application Properties Hierarchy

Each property is defined in maximum four registry key folders. For each property, the settings found at the highest level of the hierarchy determines the application’s behavior.

If a property is set to a folder requiring administrator permissions, that setting overrides any other settings for that property.

Hierarchy List

To determine the application’s behavior, SafeNet IDPrime Virtual Client uses the following hierarchy:

1. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual

2. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual

3. HKEY_CURRENT_USER\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual

4. HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual

Only the DisableNotification key is stored into HKEY_CURRENT_USER. The rest of the registry is set into HKEY_LOCAL_MACHINE. For more details, refer to Setting up Registry Keys Manually section.

Hierarchy Implications

The applications properties hierarchy has the following implications:

• When you use the sample Administrative Template (ADMX) files supplied by Thales to edit SafeNet IDPrime Virtual Client Settings, the edited properties are written to:

  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual

  This value can replace any of the four values from the Hierarchy List.

  These values override values set by any other method.

• Empty properties are written to:

  HKEY_LOCAL_MACHINE\SOFTWARE\Thales\SafeNet IDPrime Virtual by the installer.

  When you set properties manually, write them to their appropriate registry keys in the registry folder mentioned above.

Setting up Registry Keys Manually

Perform the steps to manually set up the registry keys:

1. From the Windows taskbar, select Start > Run.

2. In the Run dialog box, enter regedit, and click OK.

   The Registry Editor displays the registry folders tree in the left pane.

3. Expand the tree, and select the folder of the required registry key.

   Unless the properties must override other settings, it is recommended to write them to:

   HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual

4. Create Property folder in the Registry Editor tree if it is not present. The names and settings of the values in the registry key are displayed in the right pane. When setting the value manually, the registry value name is used, and not the property name.

   For more information, refer to the table below:

   Property Name	Description	ADMX File Setting	Registry Value
   IDPV URL	This policy setting defines the IDPrime Virtual Server URL.	1. Set the value to Enabled. 2. Enter the Server URL.	Name: IDPV Value: Server URL
   IDPV tenant	This policy setting defines the Tenant ID.	1. Set the value to Enabled. 2. Enter the IDPrime Virtual Tenant ID.	Name: IDPV tenant Value: IDPrime Virtual Tenant ID
   Proxy	Defines the static proxy that is required to allow the IDPV client to connect to the IDPV server.	1. Set the value to Enabled. 2. Enter the IP of proxy settings. 3. This parameter is required when connecting to an IDP or IDPV server using proxy configuration that differs from system proxy.	Name: Static Proxy Value: StaticProxy IP
   On Behalf connect	Defines whether or not the SafeNet IDPrime Virtual Administrator can create a new IDPrime Virtual Smart Card on behalf of the user to enroll a certificate.	Values: Disabled – The SafeNet IDPrime Virtual Administrator cannot create a new IDPrime Virtual Smart Card on behalf of the user. Enabled – The SafeNet IDPrime Virtual Administrator can create a new IDPrime Virtual Smart Card on behalf of the user. Default – Disabled	Name: On Behalf connect Values: 0 – Disabled 1 – Enabled Default: 0 - Disabled
   Disable Notification	Defines the setting to enable/disable all the IDPV notifications. Refer to below screenshot. Note: This registry setting is only applicable to the user account in which the installation is performed.	Values: Disabled – No IDPV notifications visible in IDPV tray. Enabled – All notifications visible in IDPV tray. Default – Enabled	Name:DisableNotification Values: 0 – Disabled 1 – Enabled Default: 0 - Enabled
   PCSCMode	Defines the IDPV installation type. Refer to below screenshot. Note: This registry setting is automatically updated when the installation type is selected while installing IDPV. Manual modification of the registry setting is not supported in PCSCMode.	N.A	Name: PCSCMode Values: 0 – Remote Desktop Access (RDP) Installation 1 – Typical Installation

   The DisableNotification registry is added to a new path:Computer\HKEY_ CURRENT_USER\SoftwareWow6432Node\Thales\SafeNet IDPrime Virtual.

   

5. To rename or delete a value, or to modify its data, right-click its Name. Registry settings that are not displayed in the right pane can be added.

6. To add a value to the registry key, or to add a new registry key in the tree, right-click the white space in the right pane.

7. Click Exit from the systray menu and restart the SafeNet IDPrime Virtual application form services.msc file to enable the settings except for Disable Notification, where the wait time is 60 seconds.

Adding ADMX File to Client Computer

When using an ADMX file, you can decide in which language to display the settings. The sample ADMX folder provided by Thales includes English language adml files.

Adding SafeNet IDPrime Virtual Settings

1. Copy SafeNet IDPrime Virtual Template.admx file, which is included in the SafeNet IDPrime Virtual software package provided by Thales at the C:\Windows\PolicyDefinitions location:

2. Copy the appropriate adml language file (SafeNet IDPrime Virtual.adml) to a language folder at the C:\Windows\PolicyDefinitions\ location:

   The English language file provided by Thales should be copied to C:\Windows\PolicyDefinitions\en-US

Viewing SafeNet IDPrime Virtual Settings**

1. From the Windows taskbar, select Start > Run.

2. In the Run dialog box, enter gpedit.msc, and click OK.

   The Local Group Policy Editor is displayed.

   

3. Under the Computer Configuration node, right-click Administrative Templates.

SafeNet IDPrime Virtual Configuration Properties

SafeNet IDPrime Virtual Client properties are stored on the computer as registry key values, which is added and changed to determine SafeNet IDPrime Virtual behavior. Depending on where a registry key value is written, it will apply globally, or be limited to a specific user or application.

All policy settings must be configured in order for SafeNet IDPrime Virtual to work. All properties can be manually set and edited.
It is recommended to set the policies using the Administrator Templates (ADMX) policy settings. This option allows spreading policies in a controlled manner and ensures that end users are not able to override any policies.