There’s lots of stuff to be done, you just didn’t like any of the solutions. It comes down to someone deliberately and willfully ignoring directions at work.
Thanks again.
Since there appears to be nothing you can physically do or inform management and HR then you need to go into ‘cover your ass’ mode. That means you need to send an email to the person violating security protocol, his manager and HR informing them of this problem and the consequences if this continues. You do this because when a data breach happens you will have documentation that you were aware of the problem and that you informed the offender and management and that they did nothing to correct it. This way if you get fired over this then you should be able to file a wrongful termination lawsuit.
I’m suprised it takes 8 seconds. I lock my computer whenever I get up from it, and logging back in, including my typing in a password, probably (I guess) takes less than 8 seconds. I would have thought swipe magic would be instant!
Thinking about it, I got into the habit of always locking my computer (windows key + L in popular desktop environments, or xlock or whatever) a decade ago at uni, because if I didn’t terrible things would happen if I didn’t. (just like terrible things would happen to other unlocked sessions I found lying around…).
So I reiterate someone else’s point from above: keep dicking with their stuff until they learn to love the lock. (Could you even do it remotely to save yourself time, using admin powa, and just claim someone did it locally?)
The powers that be were already informed, that’s actually how I came to look into it - they came to me and asked. I’m fine, just doing some research for senior leadership.
It’s a VMWare environment, so the user is re-connecting to a Windows 7 VM using PCoIP and it has the ol’ blue welcome screen that takes a few seconds before it dives back into where they were (the desktop). I’m not sure why it’s not instant but I suspect it’s due to having to talk to the broker to re-negotiate the session. It’s sometimes as low as 4 or 5 seconds, but it’s never more than 8.
And yeah, I now have two of these devices in my office, so at least I have some free tech. :)
VMware? Ban the USB VID/PID from redirection to the View session. Use GPO to apply settings to the Horizon Client or View Agent per user/group/desktop pool. Even if there are a few types, should not take you long to build up a pool of banned VID/PID to filter out.
USB Device Filtering
USB device filtering allows specific devices, device families (such as storage devices), or vendor product models to be restricted from being forwarded to the virtual desktop. These rules can be applied locally at the client, or at the virtual desktop in the data center. Administrative group policies (GPOs) can be applied, too, allowing company-wide configurations to be applied across all or some desktops. USB device filtering is often used by companies to disable the use of mass storage devices on virtual desktops, or perhaps to block a specific device that a user never wants to be forwarded, such as a USB-to-Ethernet adapter which the user is using to connect to the desktop in the first place. Mice and keyboards are by default excluded from redirection.
Of course, another +1 for trying to get the business to actually enforce their advertised policy via other means as well. Sounds like you have some political issues! :)
This method might be a time burden if there ends up being quite a different types, but take comfort in that every time you add one to the banned list, some fucker just wasted their investment and needs spend another $20 to try another brand! Should give you a little chuckle whenever you pass by their desk!
Excellent info, thanks @sharaleo - I’ll see if I can get the GUID off the devices we have and go from there.
Did you have a conversation about it with the person? I find it really weird that someone would go any trouble at all to dodge a relogin unless the security settings where really disrupting their workflow. I guess if it’s just solely one person that’s the offender then it could be a screwball user but I still can’t fathom someone doing that just to avoid a few seconds to relogin.
Just on the facts reported, I’d be suspicious that there’s another underlying reason driving someone to resort to something like a mouse wiggler. Maybe they have a workflow that involves needing to read off the screen while on a conference call or similar, the kind of activity where the PC going to sleep suddenly would be disruptive even though the user isn’t actively using the keyboard or mouse.
So I’m gonna come clean guys it’s me and I’m just trying to fuck with Scott.
Pretty strange reading this thread as my past was in the military where we would have just banned the device or the user. However, I work in, “do what the fuck you want,” land now it seems, so software and devices like this are all over the place. Like several have mentioned here, there is a behavior driving this, especially so if you’ve confiscated a device or two and they keep going back to it.
Attack the underlying behavior if you can’t address banning the device/software outright. I’ve been in many, many sit down talks as part of IT. This would be one where it was needed. You, an HR rep, the user’s boss, and the user. Come prepared with multiple reasons why it violates security policy and safety of data for the company. List policies that apply especially if users signed anything on acceptable use that is relevant.
You attack this not just with a technical fix (ban the device) but with a social scolding. The latter works very, very well at times.
This person was already spoken to, they had a few concerns and those were this.
1 - Sometimes when they are not logged in for many hours, it takes a long time to get back to their session. This is true, the “log off inactive session” was set to 2 hours. I adjusted it to 6. The longer it’s set too of course, the more likely it will be a resource is not available for someone else coming on shift as users aren’t great about manually logging off when they finish for the day. I provisioned an additional VM in that pool to offset that, though.
2 - “It takes a long time to badge back in! It feels like a full minute!” I timed it, it’s like 8 seconds. Many times, even less. It’s the same for everyone in the entire building, no one else has ever found or reported a device like this on the system, in a 200+ user setting.
Those were this persons complaints when they was spoken to about this the first time. I made the above change, and I wasn’t part of any conversations with them after that. Then someone found another one being used by the same person (I think because the clerk was actually looking for them now), and leadership asked me about disabling them entirely, which is where I am now.
I’m going to look into the VMWare USB Filtering settings on the view agent at work today. I still have the two devices so I can get the hardware ID pretty quick, I think.
Oops, sorry Scott. I missed that point. Sounds like a joy of a user to have to work with.
QT3: Fire them!
Scott: Uh, Leadership is already involved and obviously doesn’t want to go down that route.
QT3: Fire them!
QT3: Fire them!
QT3: Fire them!
I love much power people think IT has here. LOL. I am not the gate keeper, I just maintain the gate.
It’s 2016, we don’t fire people anymore. We just put them in a content filter that doesn’t allow them to do anything fun on any of their devices while at work.