Configure AirLock for Your Organization
- Updated on 13 Sep 2023
This section details the configuration of the various registry keys and GPO settings. We recommend setting these values via GPO using the provided administrative templates, so that configuration is consistent across all AirLock-enabled workstations.
- All manual configurations are in HKLM:\SOFTWARE\Axiad\AirLock.
- All policy configurations are in HKLM:\SOFTWARE\Policies\Axiad\AirLock, and override manual configurations.
Kiosk Settings
The kiosk is the Unified Portal.
Registry and GPO Keys | Key Type | Description | Value |
---|---|---|---|
reg: KioskAlwaysLogout GPO: Always Logout After AirLock | REG_SZ | If enabled, when a user completes a process in AirLock and would otherwise be sent to their desktop, they will instead be logged out of Windows. (This does not affect cases where the user does not need to enter AirLock.) | Default: “true” - meaning enabled. When “false”, AirLock will determine whether to allow desktop access or log the user out based on whether they have met the enforcement rules. |
reg: KioskAutoLogonDomains GPO: Authorized domains for Kerberos SSO | REG_SZ | A comma-separated list of domain names that should be authorized to use Kerberos SSO to automatically log into AirLock. | No default. Mandatory for leveraging Windows domain logon for the AirLock kiosk. |
reg: KioskImmuneGroupSids GPO: Immune Security IDs | REG_MULTI_SZ | A list of Security IDs (SIDs) corresponding to roles for a user that should be immune to AirLock enforcement. | Default: S-1-5-32-544 This is the built-in Windows administrator SID for local and domain administrators. Any value (including an empty list) will override the default. Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use. |
reg: KioskLogicCard GPO: Logic to use after PKI-based logon | REG_SZ | The "logic module" used to determine whether the user must go to the kiosk, which will be used only when the user logged in with a smart card. | One of: "never" or "validity" (case-sensitive) Default: "never" |
reg: KioskLogicConnectivityTest GPO: Logic to use for testing network connectivity | REG_SZ | The method used to determine whether the user is online (and therefore whether they are eligible for AirLock). "ad": test whether the computer's Active Directory network is available (default). "direct": test whether the Axiad Unified Portal server is accessible. | One of "direct" or "ad". Default: "ad" |
reg: KioskLogicPass GPO: Logic to use after regular logon | REG_SZ | The "logic module" used to determine whether the user must go to the kiosk; used only when the user did NOT log in with a smart card. | One of: "slb-securityFlag" (see "slb-securityFlag" under Enforcement Logic for additional configuration), "always" to always enforce on password logon, "when-online" to enforce only when online, or "never" to never enforce on password logon. Values are case-sensitive. Default: "never" |
reg: KioskOfflinePolicy GPO: Policy for offline users | REG_SZ | The action to take when AirLock detects that a user is offline. "defer": let the other configured policies ("logic modules") decide what happens (default). "bypass": all users are allowed to use their desktop while offline. "admins-only": admins are allowed to use their desktop while offline; all other users are logged out. "require-certificate": users who logged in with a certificate are allowed to use their desktop while offline; all other users are logged out. | One of "defer", "bypass", "admins-only", or "require-certificate". Default: "defer" |
reg: KioskRequireGroupSids GPO: Require Security IDs | REG_MULTI_SZ | A list of Security IDs (SIDs) corresponding to roles of users that should be AirLock enforced. Only users with these roles will be enforced - The opposite effect of KioskImmuneGroupSids. | No default. Note: REG_MULTI_SZ values are problematic to edit manually in a .reg file. It is recommended that you simply edit a REG_MULTI_SZ from inside regedit and export the resulting value for later use. |
reg: KioskSilenceErrors GPO: Silence Standard Error Dialogues | REG_SZ | Whether or not standard error dialogues should be suppressed. These dialogues appear when a malfunction has been detected in AirLock. | Default: "false" |
reg: KioskSplashColor GPO: Splash screen background color | REG_SZ | Kiosk splash screen background color. Must be formatted as 6-character RRGGBB. | Default: "0067A8" |
reg: KioskSplashLevel GPO: Splash screen display level | REG_DWORD | Level for configuring splash screen display. | Default: 3 0: No logo or progress bar 1: Show logo but not progress bar 2: Show logo and progress bar 3: Show logo, progress bar, and status updates |
reg: KioskUrl GPO: Base URL for the kiosk | REG_SZ | The URL which AirLock will start the kiosk with. This value will follow the pattern: https://portal-<customer>.cloud.axiadids.net/user/ | Required |
reg: RenewFullscreen GPO: Force optional renewal to become maximized | REG_SZ | Whether or not the optional renewal browser window should be opened in full-screen mode, or as a regular window. | One of “true” or “false”. Default: “false” |
reg: KioskIdleExitSeconds GPO: Amount of time a user might be idle | REG_DWORD | The number of seconds that users can be idle while viewing the AirLock kiosk before AirLock automatically exits. | Default: 60 |
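The following PowerShell is an added example, not Axiad's code or part of the original page. It writes a kiosk baseline with the registry value types the table specifies (REG_MULTI_SZ for the SID lists, REG_DWORD for the splash level and idle timeout), then resolves each key's effective value using the override rule from the introduction (the Policies key wins over the manual key) and checks it against the value constraints documented above. The tenant in KioskUrl, the domain names and the second SID are placeholders; the KioskUrl check assumes https and the documented ".../user/" pattern; the function, variable and rule names are this example's own.

```powershell
# Added example (not Axiad's code): write a kiosk baseline with correct registry value types,
# then resolve each key's effective value (Policies key overrides manual key) and check it
# against the constraints documented in the Kiosk Settings table.
# Assumptions: run elevated on a test machine; KioskUrl tenant, domains and the second SID
# are placeholders; the KioskUrl rule requires https and the documented ".../user/" pattern.

$Manual = 'HKLM:\SOFTWARE\Axiad\AirLock'
$Policy = 'HKLM:\SOFTWARE\Policies\Axiad\AirLock'

# Types matter: the SID lists are REG_MULTI_SZ, SplashLevel and IdleExitSeconds REG_DWORD,
# the rest REG_SZ. PowerShell writes REG_MULTI_SZ straight from an array, so there is no
# need to hand-edit the hex form a .reg file uses for that type.
$Baseline = @(
    @{ Name = 'KioskUrl';              Type = 'String';      Value = 'https://portal-EXAMPLE.cloud.axiadids.net/user/' }
    @{ Name = 'KioskAutoLogonDomains'; Type = 'String';      Value = 'corp.example.com,example.com' }
    @{ Name = 'KioskImmuneGroupSids';  Type = 'MultiString'; Value = @('S-1-5-32-544', 'S-1-5-21-1-2-3-512') }  # second SID constructed
    @{ Name = 'KioskLogicPass';        Type = 'String';      Value = 'when-online' }
    @{ Name = 'KioskLogicCard';        Type = 'String';      Value = 'validity' }
    @{ Name = 'KioskOfflinePolicy';    Type = 'String';      Value = 'admins-only' }
    @{ Name = 'KioskSplashColor';      Type = 'String';      Value = '0067A8' }
    @{ Name = 'KioskSplashLevel';      Type = 'DWord';       Value = 3 }
    @{ Name = 'KioskIdleExitSeconds';  Type = 'DWord';       Value = 60 }
)

function Set-AirLockBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$KeyPath = $Policy)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($e in $Baseline) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$($e.Name)", "set as $($e.Type)")) {
            # -Force overwrites an existing value and pins its kind to -PropertyType.
            New-ItemProperty -Path $KeyPath -Name $e.Name -PropertyType $e.Type -Value $e.Value -Force | Out-Null
        }
    }
}

# Constraints from the table. -cin is case-sensitive, as the page requires for the logic modules.
$Rules = @{
    KioskUrl                   = { param($v) $v -match '^https://[^/]+/user/$' }
    KioskLogicCard             = { param($v) $v -cin 'never', 'validity' }
    KioskLogicPass             = { param($v) $v -cin 'slb-securityFlag', 'always', 'when-online', 'never' }
    KioskLogicConnectivityTest = { param($v) $v -in 'direct', 'ad' }
    KioskOfflinePolicy         = { param($v) $v -in 'defer', 'bypass', 'admins-only', 'require-certificate' }
    KioskSplashColor           = { param($v) $v -match '^[0-9A-Fa-f]{6}$' }
    KioskSplashLevel           = { param($v) $v -in 0..3 }
    KioskIdleExitSeconds       = { param($v) $v -gt 0 }
    KioskImmuneGroupSids       = { param($v) @($v | Where-Object { $_ -notmatch '^S-1-\d+(-\d+)+$' }).Count -eq 0 }
}
$ExpectedKind = @{ KioskImmuneGroupSids = 'MultiString'; KioskSplashLevel = 'DWord'; KioskIdleExitSeconds = 'DWord' }

function Get-AirLockEffectiveValue([string]$Name) {
    foreach ($k in $Policy, $Manual) {                      # policy first: it overrides manual
        if ((Test-Path $k) -and ((Get-Item $k).GetValueNames() -contains $Name)) {
            $item = Get-Item $k
            return [pscustomobject]@{ Source = $k; Kind = $item.GetValueKind($Name); Value = $item.GetValue($Name) }
        }
    }
}

function Test-AirLockKioskConfig {
    foreach ($name in ($Rules.Keys | Sort-Object)) {
        $eff = Get-AirLockEffectiveValue $name
        if (-not $eff) {
            $status = if ($name -eq 'KioskUrl') { 'MISSING (required)' } else { 'not set (default applies)' }
            [pscustomobject]@{ Name = $name; Source = '-'; Kind = '-'; Value = ''; Status = $status }
            continue
        }
        $ok     = & $Rules[$name] $eff.Value
        $kindOk = -not $ExpectedKind.ContainsKey($name) -or $eff.Kind -eq $ExpectedKind[$name]
        $status = if (-not $ok) { 'INVALID' } elseif (-not $kindOk) { "WRONG TYPE (expected $($ExpectedKind[$name]))" } else { 'ok' }
        [pscustomobject]@{ Name = $name; Source = $eff.Source; Kind = $eff.Kind; Value = ($eff.Value -join ','); Status = $status }
    }
}

Set-AirLockBaseline -WhatIf                        # preview; drop -WhatIf to write to the Policies key
Test-AirLockKioskConfig | Format-Table -AutoSize
```

In production the Policies key is populated by the administrative template through GPO, so writing to it directly, as the script can, is for lab verification only; the check function is the useful part on managed machines, since it shows which hive a value came from and catches a REG_DWORD key that was created as a string or a SID list created as REG_SZ.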
Enforcement Logic
slb-securityFlag
Registry and GPO Keys | Key Type | Description | Value |
---|---|---|---|
reg: SlbAction* (where "*" is a number) GPO: Helpdesk Enforcement | REG_SZ | The action which should be appended to the existing KioskUrl when the user's slb-securityFlag AD attribute equals a given value. If a value is supplied that does not match a configured SlbAction* key, enforcement will be bypassed. | E.g.: Defining SlbAction3 as "xyz" would append ?action=xyz to the value of KioskUrl. Valid options are: Default definitions are as follows when no value is supplied for each of the following: |
Validity
Registry and GPO Keys | Key Type | Description | Value |
---|---|---|---|
reg: RenewOptionalPeriod GPO: Days before expiration to offer device renewal | REG_DWORD | The number of days before certificate expiration at which the user is asked whether they wish to renew their logon certificate. | Required |
reg: RenewRequiredPeriod GPO: Days before expiration to require device renewal | REG_DWORD | The number of days before certificate expiration at which the user is forced to renew their logon certificate. | Required |
reg: RenewAction GPO: Action to take when nearing expiration | REG_SZ | The action which should be appended to the existing KioskUrl when X509 certificate renewal is either required or requested. | E.g.: Defining RenewAction as "issue" would append ?action=issue to the value of KioskUrl. Default: no action |
reg: RenewSilenceAmbiguousCerts GPO: Silence Ambiguous Certificate Renewal Message | REG_SZ | Whether the MsgRenewAmbiguous prompt should be hidden when the user's certificate could not be identified among the other logon certificates on currently available devices. | Default: "false" |
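The PowerShell below is an added example, not Axiad's code, that previews what the "validity" logic would do for the logon certificates in the current user's store: it reads RenewOptionalPeriod, RenewRequiredPeriod and RenewAction (policy key first, then manual key), compares each certificate's days-to-expiry against the two thresholds, and renders the MsgRenewOptional template from the Branding section by substituting its single %s. It assumes a logon certificate is one with a private key and the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2), which this page does not state is how AirLock selects the certificate; the 30-day and 7-day fallbacks and the placeholder tenant URL are constructed, since the page marks both periods as Required with no default.

```powershell
# Added example (not Axiad's code): preview the "validity" renewal decision for the current
# user's logon certificates using RenewOptionalPeriod, RenewRequiredPeriod, RenewAction and
# the MsgRenewOptional template. Assumptions: a logon certificate carries the Smart Card
# Logon EKU and a private key; the 30/7-day fallbacks and the tenant URL are placeholders.

function Get-AirLockSetting($Name, $Default, $SubKey = '') {
    foreach ($base in 'HKLM:\SOFTWARE\Policies\Axiad\AirLock', 'HKLM:\SOFTWARE\Axiad\AirLock') {  # policy wins
        $p = Get-ItemProperty -Path ($base + $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($p) { return $p.$Name }
    }
    $Default
}

function Test-IsLogonCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $logonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $logonEku) { return $true } }
        }
    }
    $false
}

function Get-RenewalDecision([int]$DaysLeft, [int]$OptionalPeriod, [int]$RequiredPeriod) {
    # The required window is tested first, so an already-expired certificate (negative
    # DaysLeft) is also "required". Both periods count days before NotAfter.
    if ($DaysLeft -le $RequiredPeriod) { return 'required' }
    if ($DaysLeft -le $OptionalPeriod) { return 'optional' }
    'none'
}

function Get-AirLockRenewalPreview {
    $optional = [int](Get-AirLockSetting 'RenewOptionalPeriod' 30)   # fallback constructed; key is Required
    $required = [int](Get-AirLockSetting 'RenewRequiredPeriod' 7)    # fallback constructed; key is Required
    $action   = Get-AirLockSetting 'RenewAction' ''
    $baseUrl  = Get-AirLockSetting 'KioskUrl' 'https://portal-EXAMPLE.cloud.axiadids.net/user/'
    $template = Get-AirLockSetting 'MsgRenewOptional' 'Your logon certificate will expire in %s days. Renew it now?' '\Customize'

    foreach ($c in (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey -and (Test-IsLogonCert $_) })) {
        $daysLeft = [math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
        $decision = Get-RenewalDecision $daysLeft $optional $required
        $message  = switch ($decision) {
            'optional' { $template -replace '%s', $daysLeft }   # one %s placeholder, as the Branding table describes
            'required' { 'Immediate renewal (MsgEnforcementReasonCertificateExpiration)' }
            default    { '' }
        }
        # RenewAction is appended as ?action=<value> only when renewal is requested or required.
        $url = if ($decision -ne 'none' -and $action) { "${baseUrl}?action=$action" } else { $baseUrl }
        [pscustomobject]@{
            Subject = $c.Subject; NotAfter = $c.NotAfter; DaysLeft = $daysLeft
            Decision = $decision; Message = $message; KioskUrl = $url
        }
    }
}

Get-AirLockRenewalPreview | Format-List
```

Running this on a workstation before rolling out the "validity" module shows whether the two periods are ordered sensibly (RenewRequiredPeriod should be smaller than RenewOptionalPeriod, otherwise the optional prompt is never shown) and which URL the kiosk would open for each certificate.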
Branding and User Messaging
- The Registry and GPO key values are under the Customize sub-key.
- All manual configurations go in HKLM:\SOFTWARE\Axiad\AirLock\Customize.
- All policy configurations go in HKLM:\SOFTWARE\Policies\Axiad\AirLock\Customize and override manual configurations.
Registry and GPO Keys | Key Type | Description | Value |
---|---|---|---|
reg: MsgDisallowedByPolicy GPO: Offline user logout warning | REG_SZ | The message shown to warn the user that they're being logged out due to the AirLock offline policy. | Default: |
reg: MsgEnforcementReasonCertificateExpiration GPO: Mandatory Enforcement: Certificate Expiration | REG_SZ | The message shown when the user must renew their expiring logon certificate immediately. | Default: |
reg: MsgRenewOffline GPO: Offline Certificate Renewal Message | REG_SZ | A customized message that displays when a user's certificate is about to expire, and the user is offline. Provide one instance of %s in the string to insert the number of days remaining until the certificate expires. | Default: "Your certificate will expire in %s days. Renew it now?" |
reg: MsgRenewOptional GPO: Optional Certificate Renewal Message | REG_SZ | The message that displays when the user's certificate will expire before RenewRequiredPeriod but after RenewOptionalPeriod. Provide one instance of %s in the string to insert the number of days remaining until the certificate must be renewed. | Default: “Your logon certificate will expire in %s days. Renew it now?” |
reg: BmpSplashLogo GPO: Splash Screen BMP File | REG_SZ | The fully qualified filename of the logo image to display during enforcement processing. | Default: Empty string which defaults to Axiad’s logo. This must be an absolute filesystem path to a 256x256px .bmp image accessible by any user. |
reg: MsgErrorShellMinor GPO: Minor Error Message | REG_SZ | The message displayed when an unexpected but recoverable error has occurred during enforcement. These errors should only occur when AirLock is misconfigured or there is a runtime issue with | Default: |
reg: MsgErrorShellMajor GPO: Major Error Message | REG_SZ | The message displayed when an unexpected and unrecoverable error has occurred during enforcement. These errors should only occur when AirLock is misconfigured or there is a runtime issue with | Default: Please notify your administrator or support team for assistance.” |
reg: MsgErrorValidity GPO: Validity Error message | REG_SZ | The message displayed when the kiosk is launched but fails. These errors should only occur when AirLock is misconfigured or there is a runtime issue. | Default: Your logon certificate may be expiring soon, but an error occurred while trying to offer you a solution.\n\nPlease visit the User Portal in order to renew your certificate. |
reg: MsgRenewAmbiguous GPO: Ambiguous Certificate Renewal Message | REG_SZ | Prompt shown when the user's certificate could not be identified among the other logon certificates on currently available devices. | Default: "The Axiad AirLock could not discern which certificate was used to log in. Your certificate might require renewal." |
Troubleshooting
Registry and GPO Keys | Key Type | Description | Value |
---|---|---|---|
reg: DebugLogFileService GPO: Log file for the Lockdown Service | REG_SZ | Where debug logs for the Lockdown Service go. | Default: "C:\\Program Files\\Axiad\\AirLock\\Service.log" Note the doubled “\” path separators. |
reg: DebugLogFileShell GPO: Log file for the Custom Shell | REG_SZ | Where debug logs for the Custom Shell go. | Default: "%LocalAppData%\\Axiad\\AirLock\\Shell.log" Note the doubled “\” path separators. |
reg: DebugLogLevel GPO: Log level | REG_DWORD | The debug log detail level. | Default: 5 The range is from 1-6; 5 is recommended for effective bug reports. |
reg: DebugSafeMode GPO: Safe Mode | REG_SZ | If enabled, AirLock is started in safe mode, without fullscreen mode and without the keyboard lockdown. In addition, the debug flags are enabled in AirLock. | One of "true" (enabled) or "false" (disabled). Default: "false" |
reg: DebugSafeModeDumpFile GPO: Network dump file for Safe Mode | REG_SZ | The path to save a network dump when DebugSafeMode is enabled. This file will be overwritten on each launch of AirLock. | Default: “%LocalAppData%\\Axiad\\AirLock\\Network Dump.json” |
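The PowerShell below is an added example, not Axiad's code. It reports the effective troubleshooting settings (policy key first, then manual key, then the defaults from the table), resolves the three file paths and shows whether each file exists, and flags DebugSafeMode when it is enabled, since safe mode removes the fullscreen and keyboard lockdown and should not survive into production. It assumes the doubled "\" separators shown in the table are .reg-file escaping of a single backslash and normalises them in case a value was stored that way; %LocalAppData% expands for the account running the script, not necessarily the enforced user.

```powershell
# Added example (not Axiad's code): report AirLock's troubleshooting settings, resolve the log
# and dump paths, and flag DebugSafeMode. Assumptions: defaults are those in the table above;
# doubled backslashes are .reg escaping and are collapsed; %LocalAppData% is the caller's.

function Get-AirLockSetting($Name, $Default) {
    foreach ($base in 'HKLM:\SOFTWARE\Policies\Axiad\AirLock', 'HKLM:\SOFTWARE\Axiad\AirLock') {  # policy wins
        $p = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
        if ($p) { return [pscustomobject]@{ Value = $p.$Name; Source = $base } }
    }
    [pscustomobject]@{ Value = $Default; Source = 'default' }
}

function Get-AirLockDebugState {
    $safeMode = Get-AirLockSetting 'DebugSafeMode' 'false'
    $level    = Get-AirLockSetting 'DebugLogLevel' 5
    $files    = @{
        ServiceLog = Get-AirLockSetting 'DebugLogFileService'   'C:\Program Files\Axiad\AirLock\Service.log'
        ShellLog   = Get-AirLockSetting 'DebugLogFileShell'     '%LocalAppData%\Axiad\AirLock\Shell.log'
        DumpFile   = Get-AirLockSetting 'DebugSafeModeDumpFile' '%LocalAppData%\Axiad\AirLock\Network Dump.json'
    }

    # Safe mode disables the lockdown, so it is the first thing to surface.
    $safeNote = if ($safeMode.Value -eq 'true') { 'LOCKDOWN DISABLED: revert before production use' } else { '' }
    [pscustomobject]@{ Setting = 'DebugSafeMode'; Value = $safeMode.Value; Source = $safeMode.Source; Note = $safeNote }

    $levelNote = if ([int]$level.Value -lt 1 -or [int]$level.Value -gt 6) { 'outside documented range 1-6' } else { '' }
    [pscustomobject]@{ Setting = 'DebugLogLevel'; Value = $level.Value; Source = $level.Source; Note = $levelNote }

    foreach ($name in ($files.Keys | Sort-Object)) {
        $raw  = $files[$name].Value -replace '\\\\', '\'                       # collapse .reg-style "\\"
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $note = if (Test-Path $path) { '{0:N0} bytes' -f (Get-Item $path).Length } else { 'not present' }
        [pscustomobject]@{ Setting = $name; Value = $path; Source = $files[$name].Source; Note = $note }
    }
}

Get-AirLockDebugState | Format-Table -AutoSize
```

When raising a bug report, the Service.log and Shell.log paths this prints are the files to attach, with DebugLogLevel at the recommended 5; if DebugSafeMode shows a Source other than "default", check which hive set it and remove it once the investigation is done.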