In WSO2 EMM, when in a policy I set a passcode policy and set the policy to enforce,
there is no enforcement for screen lock. Is that nominal or a bug?
How can I enforce the device to have a screen lock protected by a password or PIN code?
regards,
This is the normal behavior. You don't want a policy to lock the screen. Locking the screen is a simple operation, as you quickly press the power button of your device.
You can send the passcode policy and it will be applied to your device on the fly. But you can see the password screen once you unlock the screen.
I'm attempting to create a dashboard for admins to allow them to reset a chrome device managed by GoogleAdmin using google apps script.
I don't see any way to perform a reset using Admin SDK API. Can this be done?
If you want to deprovision and/or disable a ChromeOS device
The supported actions when using the Directory API, according to the documentation here are:
deprovision: Remove a device from management that is no longer active, being resold, or is being submitted for return / repair, use the deprovision action to dissociate it from management.
disable: If you believe a device in your organization has been lost or stolen, you can disable the device so that no one else can use it. When a device is disabled, all the user can see when turning on the Chrome device is a screen telling them that it’s been disabled, and your desired contact information of where to return the device.
Taking this into account, this is what the request would look like:
POST https://admin.googleapis.com/admin/directory/v1/customer/{customerId}/devices/chromeos/{resourceId}/action
If you want to reboot and/or remote powerwash a ChromeOS device
However, if you simply plan on doing a powerwash or a reboot, you can make use of the below information:
REBOOT: Reboot the device. Can only be issued to Kiosk and managed guest session devices.
REMOTE_POWERWASH: Wipes the device by performing a power wash. Executing this command in the device will remove all data including user policies, device policies and enrollment policies.
Warning: This will revert the device back to a factory state with no enrollment unless the device is subject to forced or auto enrollment. Use with caution, as this is an irreversible action!
Taking this into account, this is what the request would look like:
POST https://admin.googleapis.com/admin/directory/v1/customer/{customerId}/devices/chromeos/{deviceId}:issueCommand
Apps Script
As for applying any of these in Apps Script, you will have to add the Admin SDK API advanced service, choose the directory_v1 version, and simulate any of the above requests.
Code
Assuming you want to remote powerwash a device, you will have to write something similar to this:
let resource = {
  // YOUR_RESOURCE_HERE: any additional request fields go alongside commandType
  "commandType": "REMOTE_POWERWASH"
};
let customerId = 'CUSTOMER_ID';
let deviceId = 'DEVICE_ID';
// Issue the command against the device; the Apps Script advanced service takes the body first, then the path parameters.
AdminDirectory.Customer.Devices.Chromeos.issueCommand(resource, customerId, deviceId);
Not what you are looking for?
You can simply create a feature request on Google's Issue Tracker and provide the details with regards to your task by filling in the form here.
Reference
Directory API Manage ChromeOS Devices.
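As an added example that is not part of the answer above, the two request shapes it describes (`issueCommand` with a `commandType`, and the device `action` endpoint) wrapped in helpers that reject undocumented values and require an explicit opt-in before the irreversible REMOTE_POWERWASH. The `directory` parameter stands in for the Apps Script `AdminDirectory` advanced service and is injected so the helpers can be exercised offline against a constructed fake; the confirmation guard and the returned audit record are this example's own additions.

```javascript
// Command types and device actions exactly as documented in the answer above.
const CHROMEOS_COMMANDS = new Set(['REBOOT', 'REMOTE_POWERWASH']);
const CHROMEOS_ACTIONS = new Set(['deprovision', 'disable']);

// Mirrors AdminDirectory.Customer.Devices.Chromeos.issueCommand(resource, customerId, deviceId).
// `opts.confirmWipe` is a guard added by this example: REMOTE_POWERWASH reverts the device
// to factory state, so callers must opt in explicitly rather than by accident.
function issueChromeOsCommand(directory, customerId, deviceId, commandType, opts = {}) {
  if (!CHROMEOS_COMMANDS.has(commandType)) {
    throw new Error('unsupported commandType: ' + commandType);
  }
  if (commandType === 'REMOTE_POWERWASH' && opts.confirmWipe !== true) {
    throw new Error('REMOTE_POWERWASH requires confirmWipe: true');
  }
  const resource = { commandType: commandType };
  const result = directory.Customer.Devices.Chromeos.issueCommand(resource, customerId, deviceId);
  // Return an audit record so the caller can log who did what to which device.
  return { request: 'issueCommand', customerId: customerId, deviceId: deviceId, resource: resource, result: result };
}

// Mirrors AdminDirectory.Customer.Devices.Chromeos.action(resource, customerId, resourceId),
// the Apps Script form of the .../devices/chromeos/{resourceId}/action request.
function applyChromeOsAction(directory, customerId, resourceId, action) {
  if (!CHROMEOS_ACTIONS.has(action)) {
    throw new Error('unsupported action: ' + action);
  }
  const resource = { action: action };
  const result = directory.Customer.Devices.Chromeos.action(resource, customerId, resourceId);
  return { request: 'action', customerId: customerId, resourceId: resourceId, resource: resource, result: result };
}

// Constructed fake standing in for AdminDirectory; it records each call in `log`
// so the helpers can run without Google credentials.
function makeFakeDirectory(log) {
  return { Customer: { Devices: { Chromeos: {
    issueCommand: (res, cust, dev) => { log.push(['issueCommand', cust, dev, res]); return { commandId: 'fake-cmd-1' }; },
    action: (res, cust, dev) => { log.push(['action', cust, dev, res]); return {}; },
  } } } };
}
```

In a real Apps Script project, pass the global `AdminDirectory` object as `directory` instead of the fake.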
The features described in this doc https://docs.wso2.com/display/IS530/User+Account+Locking+and+Account+Disabling are around locking accounts after too many failed login attempts and disabling accounts after idle activity.
Let's say the user in question has the "admin" role (as usually configured in a tenant). Can they get their account locked/disabled? If so, how does one get out of this situation?
Yes, admin users can get locked out after exceeding the maximum number of login attempts, the same as other users. The user will have to wait until the end of the configured account unlock time window to retry.
Account unlock timeout = Configured Account Unlock Time * (Lock Timeout Increment Factor ^ failed login attempt cycles)
An alternative approach to unlock an account is explained in [1]. In this case, a different admin user can log in and unlock the locked user account.
I want to make auto login of a particular user happen when certain events occur in any service running inside the system.
CredentialProvider is used to fetch the user and password, but complete auto login does not work.
So I want to call MouseMove and MouseClick on the x,y position of the credential provider tile.
A custom CredentialProvider runs under winlogon, so any code in the CredentialProvider will execute as winlogon. So can Active Accessibility user interface methods be used inside the CredentialProvider to access the text / coordinates of the user tile?
With your own credential provider you should be able to log on the user automatically. You need to call CredentialsChanged() using the ICredentialProviderEvents object you got in Advise().
But if you want to use the crazy way (clicking the button and so on), you can get the coordinates of that button using Active Accessibility or UI Automation.
My service starts an interactive client process with something really similar to this: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379608(v=vs.85).aspx
It works when the service logs on as Local System, and it works if it's running under an Administrator account with the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges.
My issue is when using a Standard User account OR Local Service, it fails at OpenWindowStation with error code 5 (ACCESS DENIED).
// Get a handle to the interactive window station.
HWINSTA hwinsta = OpenWindowStation(_T("winsta0"),            // the interactive window station
                                    FALSE,                    // handle is not inheritable
                                    READ_CONTROL | WRITE_DAC); // rights to read/write the DACL
if (hwinsta == NULL) {
    // GetLastError() returns 5 (ERROR_ACCESS_DENIED) here when running as a Standard User or Local Service
}
Is it possible to call OpenWindowStation from a Standard User account, or must my service run under an Administrator account? I tried almost all Local Policies without success.
Thanks!
Unfortunately it can't be done, it seems that only an Administrator can open the interactive station.
I tried to lock a user account using the admin console UI as described in http://isurad.blogspot.com/2014/09/how-to-lock-user-account-in-wso2.html. I set http://wso2.org/claims/identity/accountLocked = true. But I can still log in to the console using the locked account.
Also tried to lock user account using the web service. Even this prints in the console,
{org.wso2.carbon.identity.mgt.services.UserIdentityManagementAdminService} - User account unconfirmed1 locked
I can still log in to the console using the locked account. What has gone wrong here?
The operation via the admin console is cached and is currently set to 15 mins. Hence the account lock should have worked but you need to wait 15 mins for this to come into effect. The web service calls should be immediate though.