Only recently did I become aware of a new player offering an interesting product that gives you real-time access to the system properties of the endpoint from which a user is currently connected to a remote Windows session. The company’s name is deviceTRUST (www.devicetrust.de/en) and they refer to their solution as “dynamic device context awareness”. In a nutshell, their product constantly monitors a range of settings and properties on the device that is connected to a remote Windows session. The result of the device assessment is redirected into the associated user session on the host, allowing the session to respond dynamically to changing client device settings or conditions. A change in a monitored device property creates an event in the hosted session that can be displayed or used to trigger a pre-defined action. As of today, the supported remoting protocols are RDP/RemoteFX and ICA/HDX. I personally started using deviceTRUST for collecting client-specific telemetry and configuration data before or while running remote end-user experience benchmarking tests. But then I figured that there are more use cases in security, compliance and user experience, which inspired me to dig a little deeper into how deviceTRUST works under the covers.
The design goal of deviceTRUST is to dynamically control access to company resources like applications, printers or network shares in a way that goes far beyond the capabilities of Microsoft Group Policy scripts or Group Policy Preference actions. It’s all about forcing the users’ interactive sessions to follow company security policies and compliance rules, while taking into account that a growing number of these users are able to work from any device, any network, any location and at any time. This means that access rules can no longer be defined in a static manner, and the context of the connected endpoint device plays an important role when setting up a dynamic ruleset.
To accomplish this, deviceTRUST introduces a simple way to make the context of the user and the connected device available within the remote session. Via a virtual channel established in the underlying remoting protocol, the endpoint context properties are pushed into registry values and environment variables in the user session, ready to be consumed there (see image below). The beauty of this solution is that it doesn’t require additional infrastructure and works across internal networks, external networks and VPNs. Any change in the remote user or connected device properties results in an immediate update of the context within the user session. Triggers for logon, logoff, desktop lock and unlock, disconnect, reconnect and property change allow the user’s remote session or virtual desktop to react dynamically. For maximum flexibility these triggers can execute any script or process within the user session. For analysis and reporting purposes, the context information of users and devices is also collected in the Microsoft Event Log.
The endpoint properties I’m particularly interested in when running remote end user experience benchmarking tests are network bandwidth and latency. But there is so much more. On a connected device, deviceTRUST reads out more than 120 hardware, software, network, security, performance and location properties. Great examples are the authentication protocol of the connected wireless network, the serial number of the hardware, the status of the AV software, elevated user privilege settings and password age. Based on such properties, scripts in the user session can adapt system settings according to a corporate ruleset.
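The two paragraphs above describe the mechanism (context properties pushed into the registry and environment variables of the session, triggers that run a script) and the kind of properties you get (AV status, wireless authentication protocol, local admin rights, password age). Here is a trigger script of the kind you would attach to a logon or property-change trigger. It is an added example for this article, not deviceTRUST’s own code: the registry path, the `DT_` environment variable prefix, the property names and the `\\fileserver\finance` share are all placeholders I made up for illustration; the real names come from your deviceTRUST console configuration.

```powershell
# Added example, not deviceTRUST's own code. The registry path, the
# environment variable prefix, the property names and the share below are
# assumptions for illustration; take the real names from the console.

$ContextRegPath = 'HKCU:\Software\Example\DeviceContext'   # assumed location
$EnvPrefix      = 'DT_'                                      # assumed prefix

function Get-DeviceContext {
    # Collects the pushed properties into one hashtable. Environment variables
    # are read last so they win over registry values, which matters right
    # after a property-change event.
    $ctx = @{}
    if (Test-Path $ContextRegPath) {
        $item = Get-ItemProperty -Path $ContextRegPath
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { $ctx[$p.Name] = $p.Value }
        }
    }
    Get-ChildItem Env: | Where-Object { $_.Name -like "$EnvPrefix*" } | ForEach-Object {
        $ctx[$_.Name.Substring($EnvPrefix.Length)] = $_.Value
    }
    return $ctx
}

function Test-DevicePolicy {
    # Evaluates the corporate ruleset against a context hashtable and fails
    # closed: a missing or unparseable property counts as non-compliant.
    param([Parameter(Mandatory)][hashtable]$Context)
    $reasons = @()

    if ($Context['AV_STATUS'] -ne 'Enabled') {
        $reasons += 'antivirus not reported as enabled'
    }
    if (-not $Context.ContainsKey('WLAN_AUTH') -or $Context['WLAN_AUTH'] -in @('Open', 'WEP')) {
        $reasons += "weak or unknown wireless authentication ($($Context['WLAN_AUTH']))"
    }
    if ($Context['USER_IS_ADMIN'] -eq 'True') {
        $reasons += 'user holds local administrator rights on the endpoint'
    }
    $age = 0
    if (-not [int]::TryParse([string]$Context['PASSWORD_AGE_DAYS'], [ref]$age) -or $age -gt 90) {
        $reasons += "endpoint password age unknown or older than 90 days ($($Context['PASSWORD_AGE_DAYS']))"
    }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
    }
}

function Set-ShareAccess {
    # Maps or unmaps a network share in the user session depending on the
    # policy result, so the action is reversed when the device drifts out
    # of compliance mid-session.
    param(
        [Parameter(Mandatory)][bool]$Allow,
        [string]$DriveLetter = 'S',
        [string]$Share = '\\fileserver\finance'   # assumed share
    )
    $existing = Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue
    if ($Allow -and -not $existing) {
        New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $Share -Persist -Scope Global | Out-Null
    } elseif (-not $Allow -and $existing) {
        Remove-PSDrive -Name $DriveLetter -Force
    }
}

# Trigger entry point: read the live context, decide, act.
$context = Get-DeviceContext
$result  = Test-DevicePolicy -Context $context
Set-ShareAccess -Allow $result.Compliant
if ($result.Compliant) {
    Write-Output 'Device context check passed; finance share mapped.'
} else {
    Write-Output ('Device context check failed; finance share removed: ' + ($result.Reasons -join '; '))
}
```

To try the decision logic offline, call `Test-DevicePolicy` with a constructed hashtable such as `@{AV_STATUS='Enabled'; WLAN_AUTH='WPA2'; USER_IS_ADMIN='False'; PASSWORD_AGE_DAYS='12'}` and then with `WLAN_AUTH='Open'` to see the reasons list fill up. One design caveat worth keeping in mind: every value in `$context` was read by the agent on the endpoint and pushed over the virtual channel, and the host has no independent way to verify it, so a rule like this raises the bar for a misconfigured or careless device rather than for someone who controls the endpoint software.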
deviceTRUST relies on a Microsoft Azure hosted server for its administration console and for delivering the product configuration. As a result, there is no need for on-premises management infrastructure. Within the deviceTRUST console, a registration sequence that requires a Microsoft Azure account must be completed. The deviceTRUST components are then deployed to a domain-joined remoting host (Microsoft RDSH or Citrix XenApp/XenDesktop) and to the remoting clients (Microsoft RD Connection Client or Citrix Receiver). The MSI packages for the host-side installation require administrative privileges. On the client side, either an administrator installs the software for all users or individual users install it themselves without the need for elevated privileges. For iPads there is a client-less solution available. Active Directory group memberships decide whether or not users are affected by deviceTRUST. After logging in to the management console, all important settings can be made, such as assigning scripts and processes to triggers (see image below).
What exactly can you do with deviceTRUST? I personally use it for collecting client information when running end-user experience benchmarks in remoting environments. Other use cases are enforcing compliance and security rules, managing device-based licenses, controlling access from varying networks and governing access for contractors. After using it for a couple of weeks now I think that solutions based on deviceTRUST have a great future. What’s still missing is support for the Teradici PCoIP and VMware Blast Extreme remoting protocols and a full on-premises version of the product.
This article was originally posted at http://drtritsch.com/2016/07/03/devicetrust-dynamic-device-context-awareness/