Client Policy Settings for Windows
IDPrime Virtual settings are policy settings stored in a Windows Administrative Template (ADMX) file, and can be edited using Windows tools with administrator rights. When edited on the server, the settings can be propagated to client computers.
Client Settings Overview
Administrative Template files are used to display registry-based SafeNet IDPrime Virtual policy settings for editing by the administrator.
SafeNet IDPrime Virtual is deployed and updated using a standard software distribution system, such as Windows Group Policy Objects (GPO) or Microsoft System Management Server (SMS).
The sample Administrative Template files provided by Thales in the IDPrime Virtual software package are:

| Sample File | Configuration |
|---|---|
| SafeNet IDPrime Virtual Template.admx | IDPrime Virtual Settings |
| SafeNet IDPrime Virtual Template.adml | File of English strings |
Use the Active Directory Group Policy Object Editor (GPO) to configure the Administrative Template ADMX files:
- When configured on a client, SafeNet IDPrime Virtual settings apply to the local computer only.
- When configured on a server, SafeNet IDPrime Virtual settings can be set to propagate to the entire domain, or to apply to the domain controllers only.
The Administrative Template files provided by Thales are configured to write registry settings on 64-bit Windows at HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Thales\SafeNet IDPrime Virtual.
If you are installing the IDPV Client with the admx and adml files from the release package, you need to provide registry settings such as Proxy and DisableNotification manually. For more information, refer to the Setting up Registry Keys Manually section.
Application Properties Hierarchy
Each property can be defined in up to four registry key folders. For each property, the setting found at the highest level of the hierarchy determines the application's behavior.
If a property is set in a folder requiring administrator permissions, that setting overrides any other settings for that property.
Hierarchy List
To determine the application's behavior, SafeNet IDPrime Virtual Client uses the following hierarchy:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual
- HKEY_CURRENT_USER\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual
- HKEY_CURRENT_USER\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual
Only the DisableNotification key is stored in HKEY_CURRENT_USER; the rest of the registry settings are set in HKEY_LOCAL_MACHINE. For more details, refer to the Setting up Registry Keys Manually section.
Hierarchy Implications
The application properties hierarchy has the following implications:
- When you use the sample Administrative Template (ADMX) files supplied by Thales to edit SafeNet IDPrime Virtual Client Settings, the edited properties are written to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual. This value can replace any of the four values from the Hierarchy List. These values override values set by any other method.
- Empty properties are written to HKEY_LOCAL_MACHINE\SOFTWARE\Thales\SafeNet IDPrime Virtual by the installer. When you set properties manually, write them to their appropriate registry keys in the registry folder mentioned above.
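As an added example (not Thales code), the following PowerShell walks the four hierarchy levels in the order listed above and reports which key supplies each property's effective value, so an administrator can confirm that a policy-controlled value is really the one in force. It assumes the registry value names printed in the settings table of this page (IDPV, IDPV tenant, Static Proxy, On Behalf connect, DisableNotification, PCSCMode); the function name is our own.

```powershell
# Added example (not Thales code): resolve the effective value of an IDPrime Virtual
# property by walking the four-level hierarchy in the documented order, highest
# precedence first, and report the first key that defines the value.
$IdpvHierarchy = @(
    'HKLM:\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual',
    'HKLM:\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual',
    'HKCU:\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual',
    'HKCU:\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual'
)

function Get-IdpvEffectiveProperty {
    param(
        # Registry value name as printed in the settings table (assumed), e.g. 'IDPV'
        [Parameter(Mandatory)] [string] $ValueName
    )
    foreach ($key in $IdpvHierarchy) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Returns nothing (no terminating error) when the key exists but the value is absent
        $item = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Property        = $ValueName
                Value           = $item.$ValueName
                Source          = $key
                # Values under a Policies key need administrator rights to write,
                # so a standard user cannot override them from a lower level.
                AdminControlled = ($key -like '*\Policies\*')
            }
        }
    }
    # Not defined at any level: the property is unset on this machine/user.
    [pscustomobject]@{ Property = $ValueName; Value = $null; Source = $null; AdminControlled = $false }
}

# Report every registry value name from the settings table.
'IDPV', 'IDPV tenant', 'Static Proxy', 'On Behalf connect', 'DisableNotification', 'PCSCMode' |
    ForEach-Object { Get-IdpvEffectiveProperty -ValueName $_ } |
    Format-Table -AutoSize
```

A row whose Source is a WOW6432Node key while a Policies key also exists indicates a value that is not policy-controlled and should be reviewed.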
Setting up Registry Keys Manually
Perform the following steps to set up the registry keys manually:
- From the Windows taskbar, select Start > Run.
- In the Run dialog box, enter regedit, and click OK. The Registry Editor displays the registry folder tree in the left pane.
- Expand the tree, and select the folder of the required registry key. Unless the properties must override other settings, it is recommended to write them to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Thales\SafeNet IDPrime Virtual
- Create the Property folder in the Registry Editor tree if it is not present. The names and settings of the values in the registry key are displayed in the right pane. When setting a value manually, the registry value name is used, not the property name. For more information, refer to the table below:
| Property Name | Description | ADMX File Setting | Registry Value |
|---|---|---|---|
| IDPV URL | This policy setting defines the IDPrime Virtual Server URL. | 1. Set the value to Enabled.<br>2. Enter the Server URL. | Name: IDPV<br>Value: Server URL |
| IDPV tenant | This policy setting defines the Tenant ID. | 1. Set the value to Enabled.<br>2. Enter the IDPrime Virtual Tenant ID. | Name: IDPV tenant<br>Value: IDPrime Virtual Tenant ID |
| Proxy | Defines the static proxy that is required to allow the IDPV client to connect to the IDPV server. | 1. Set the value to Enabled.<br>2. Enter the IP of the proxy settings.<br>3. This parameter is required when connecting to an IDP or IDPV server using a proxy configuration that differs from the system proxy. | Name: Static Proxy<br>Value: StaticProxy IP |
| On Behalf connect | Defines whether or not the SafeNet IDPrime Virtual Administrator can create a new IDPrime Virtual Smart Card on behalf of the user to enroll a certificate. | Values:<br>Disabled – The SafeNet IDPrime Virtual Administrator cannot create a new IDPrime Virtual Smart Card on behalf of the user.<br>Enabled – The SafeNet IDPrime Virtual Administrator can create a new IDPrime Virtual Smart Card on behalf of the user.<br>Default – Disabled | Name: On Behalf connect<br>Values:<br>0 – Disabled<br>1 – Enabled<br>Default: 0 – Disabled |
| Disable Notification | Defines the setting to enable/disable all the IDPV notifications. Refer to the screenshot below.<br>Note: This registry setting is only applicable to the user account in which the installation is performed. | Values:<br>Disabled – No IDPV notifications visible in the IDPV tray.<br>Enabled – All notifications visible in the IDPV tray.<br>Default – Enabled | Name: DisableNotification<br>Values:<br>0 – Disabled<br>1 – Enabled<br>Default: 0 – Enabled |
| PCSCMode | Defines the IDPV installation type. Refer to the screenshot below.<br>Note: This registry setting is automatically updated when the installation type is selected while installing IDPV. Manual modification of the registry setting is not supported in PCSCMode. | N.A | Name: PCSCMode<br>Values:<br>0 – Remote Desktop Access (RDP) Installation<br>1 – Typical Installation |
| AllowedList | The AllowedList check is implemented in the IDPV service to authorize only a predefined list of applications on the machine to establish connections to the IDPV service. The allowed list is stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual\ClientProcess, in a value named AllowedList of type REG_SZ; it contains a list of full executable paths separated by a semicolon (;).<br>Note: Other applications can also be added to the registry manually to interact with the IDPV service. | N.A | Default Value:<br>Typical and RDP: C:\Program Files (x86)\Thales\SafeNet IDPrime Virtual\IDPrimeVirtualSysTray.exe<br>Complete: C:\Program Files (x86)\Thales\SafeNet IDPrime Virtual\IDPrimeVirtualSysTray.exe;C:\Windows\System32\LogonUI.exe;C:\Windows\System32\CredentialUIBroker.exe;C:\Windows\System32\consent.exe;C:\Windows\explorer.exe; |

The DisableNotification registry value is added to a new path: Computer\HKEY_CURRENT_USER\Software\Wow6432Node\Thales\SafeNet IDPrime Virtual.
- To rename or delete a value, or to modify its data, right-click its Name. Registry settings that are not displayed in the right pane can be added.
- To add a value to the registry key, or to add a new registry key in the tree, right-click the white space in the right pane.
- Click Exit from the systray menu and restart the SafeNet IDPrime Virtual application from services.msc to enable the settings. The exception is Disable Notification, which takes effect after a wait of 60 seconds.
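The AllowedList audit below is an added example, not Thales code: it splits the REG_SZ value on semicolons and flags any entry that is not an absolute path, does not exist on disk, or is not one of the defaults listed in the table, so that an application added by hand stands out for review. The key path and default entries are taken from the table; the function name and the constructed sample value (including the C:\Users\Public\tool.exe entry) are assumptions.

```powershell
# Added example (not Thales code): audit the AllowedList value that restricts which
# executables may connect to the IDPV service. The value is REG_SZ with full paths
# separated by ';'. Entries outside the documented defaults are marked for review.
$AllowedListKey = 'HKLM:\SOFTWARE\WOW6432Node\Thales\SafeNet IDPrime Virtual\ClientProcess'

# Default entries from the documentation (Complete installation type).
$DocumentedDefaults = @(
    'C:\Program Files (x86)\Thales\SafeNet IDPrime Virtual\IDPrimeVirtualSysTray.exe',
    'C:\Windows\System32\LogonUI.exe',
    'C:\Windows\System32\CredentialUIBroker.exe',
    'C:\Windows\System32\consent.exe',
    'C:\Windows\explorer.exe'
)

function Test-IdpvAllowedList {
    # Pass -RawValue to audit a string offline; omit it to read the live registry value.
    param([string] $RawValue)
    if (-not $PSBoundParameters.ContainsKey('RawValue')) {
        $RawValue = (Get-ItemProperty -LiteralPath $AllowedListKey -Name 'AllowedList' -ErrorAction Stop).AllowedList
    }
    # Split on ';' and drop empty entries (the documented Complete default ends with ';').
    $entries = $RawValue -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $isRooted   = [System.IO.Path]::IsPathRooted($entry)
        $exists     = $isRooted -and (Test-Path -LiteralPath $entry -PathType Leaf)
        $documented = $DocumentedDefaults -contains $entry   # case-insensitive compare
        [pscustomobject]@{
            Path         = $entry
            AbsolutePath = $isRooted
            Exists       = $exists
            Documented   = $documented
            # Anything that is not an existing, documented, absolute path needs a second look.
            Review       = -not ($isRooted -and $exists -and $documented)
        }
    }
}

# Constructed sample (assumption): two documented entries plus one undocumented addition.
$sample = 'C:\Program Files (x86)\Thales\SafeNet IDPrime Virtual\IDPrimeVirtualSysTray.exe;' +
          'C:\Windows\System32\LogonUI.exe;C:\Users\Public\tool.exe;'
Test-IdpvAllowedList -RawValue $sample | Format-Table -AutoSize
```

Running Test-IdpvAllowedList without -RawValue on a managed client compares the deployed list against the documented defaults; any row with Review set to True is an entry the installer did not write.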
Adding ADMX File to Client Computer
When using an ADMX file, you can decide in which language to display the settings. The sample ADMX folder provided by Thales includes English language adml files.
Adding SafeNet IDPrime Virtual Settings
- Copy the SafeNet IDPrime Virtual Template.admx file, which is included in the SafeNet IDPrime Virtual software package provided by Thales, to the C:\Windows\PolicyDefinitions location.
- Copy the appropriate adml language file (SafeNet IDPrime Virtual.adml) to a language folder at the C:\Windows\PolicyDefinitions\ location. The English language file provided by Thales should be copied to C:\Windows\PolicyDefinitions\en-US.
Viewing SafeNet IDPrime Virtual Settings
- From the Windows taskbar, select Start > Run.
- In the Run dialog box, enter gpedit.msc, and click OK. The Local Group Policy Editor is displayed.
- Under the Computer Configuration node, right-click Administrative Templates.
SafeNet IDPrime Virtual Configuration Properties
SafeNet IDPrime Virtual Client properties are stored on the computer as registry key values, which are added and changed to determine SafeNet IDPrime Virtual behavior. Depending on where a registry key value is written, it applies globally, or is limited to a specific user or application.
All policy settings must be configured in order for SafeNet IDPrime Virtual to work. All properties can be manually set and edited.
It is recommended to set the policies using the Administrative Template (ADMX) policy settings. This option allows distributing policies in a controlled manner and ensures that end users are not able to override any policies.