A new global security policy has been defined for ThinOS, and this policy is applied to all secure connections (HTTPS/SSL connections) with a few exceptions.
Purpose: To improve the security level by default and add the global configuration. This security policy integrates the security settings of each application.
INI Parameter:
SecurityPolicy={full | warning (default) | low}
SecuredNetworkProtocol={yes | no (default)}
TLSMinVersion={1 (default), 2, 3}
TLSMaxVersion={1, 2, 3 (default)}
Description:
- Full: The SSL connection must verify the server certificate. If the certificate is untrusted, the connection is canceled.
- Warning (default): The SSL connection must verify the server certificate. If the certificate is untrusted, the user can continue or cancel the connection.
- Low: The server certificate is not verified. This is the value set for a few applications.
After the firmware is updated, the default value is set to warning for all applicable applications immediately. There is one exception for file server and WDM. The old INI SecurityLevel | SecureProtocol from the Privilege segment is deleted.
All applications running on the default SSL security mode follow the global mode. In the global mode, the default value is Warning. The affected applications include VMware View, Amazon Workspaces (AWS), File Server, WDMService, Caradigm Server, and OneSign Server.
For more information about the security mode INI parameters, see the Dell Wyse ThinOS INI Guide.
The following are the exceptions:
- File Server and WDM in factory reset state: Before loading any INI parameter, the SSL security mode is set to Low, and after loading the INI parameter, the value is changed to follow the global mode value. For example, the default value is set to Warning if the value is not changed by the INI parameter.
- A system with previous settings (where the default value is set to Low) follows the global mode after the unit is upgraded. For example, the default value is set to Warning if the value is not changed by the INI parameter.
- VMware View and AWS brokers include their own security settings (GUI and INI). From the 8.3 release, an additional option is added to follow the global mode as its new default value. The security mode GUI context is updated for better understanding.
- CCM, Microsoft RDS broker, Citrix broker, and SecureMatrix are always Full.
File Server default protocol is retained as FTP without any setting from WDM/DHCP/INI and always displays the full address with protocol prefix. For example, ftp://.
New firmware/client deploy information
- Dell recommends that you define the SecurityPolicy before upgrading to version 8.3 and later. If not, you may get warning messages that require intervention to proceed.
- Before upgrading to version 8.3 and later, it is recommended to define the desired SSL security level and add the required Security Policy parameters/options to the global INI file.
- For SecurityPolicy=Full or warning, you are required to add certificates from the respective File, View, AWS, WDM, OneSign, and/or Caradigm server(s) to the ThinOS client before updating the firmware.
- The default protocol of File Server is still FTP, and the ftp prefix is added automatically if the protocol is not provided.
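A pre-upgrade check for the recommendation above, as an added example that is not part of the original page or of Dell's tooling: it reads the text of a global INI file and reports the effective SecurityPolicy settings using the values and defaults from the parameter table. It assumes that `#` starts a comment, that a trailing backslash continues a line, and that the other three parameters are whitespace-separated options on the SecurityPolicy line; the function name and the min/max ordering check are this example's own.

```python
import re
# Allowed values and defaults, copied from the parameter table on this page.
ALLOWED = {
    "securitypolicy": ({"full", "warning", "low"}, "warning"),
    "securednetworkprotocol": ({"yes", "no"}, "no"),
    "tlsminversion": ({"1", "2", "3"}, "1"),
    "tlsmaxversion": ({"1", "2", "3"}, "3"),
}

def audit_security_policy(ini_text):
    """Return (effective_settings, findings) for the text of a global INI file."""
    # Assumed syntax: '#' starts a comment, a trailing backslash continues
    # a line, and options are whitespace-separated key=value tokens.
    text = re.sub(r"\\\r?\n", " ", ini_text)
    effective = {key: default for key, (_, default) in ALLOWED.items()}
    findings, seen = [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("securitypolicy="):
            continue
        seen = True
        for token in line.split():
            key, _, value = token.partition("=")
            key, value = key.lower(), value.lower()
            if key not in ALLOWED:
                findings.append(f"option not in the table on this page: {token}")
            elif value not in ALLOWED[key][0]:
                findings.append(f"invalid value: {token}")
            else:
                effective[key] = value
    if not seen:
        findings.append("SecurityPolicy not defined: global mode defaults to warning")
    if effective["securitypolicy"] == "low":
        findings.append("SecurityPolicy=low: server certificates are not verified")
    elif effective["securitypolicy"] == "warning":
        findings.append("SecurityPolicy=warning: users can continue past an untrusted certificate")
    if int(effective["tlsminversion"]) > int(effective["tlsmaxversion"]):
        findings.append("TLSMinVersion is greater than TLSMaxVersion")
    return effective, findings

# Constructed sample input, not taken from a real deployment.
SAMPLE_INI = """\
# constructed global INI fragment
SecurityPolicy=Full SecuredNetworkProtocol=yes \\
  TLSMinVersion=3 TLSMaxVersion=2
"""

if __name__ == "__main__":
    print(audit_security_policy(SAMPLE_INI))
```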
Improved user-friendly messages are displayed for errors and warnings.
The UI is not changed and only the message is modified for security errors/warnings.
In full security mode, the following warning message is displayed:
For warning security mode, the following warning messages are displayed:
The server address does not convert to HTTP if the WDM server is set as HTTPS.
In the previous scenario, if the WDM server is configured without HTTPS, and the local WDM server address is specified in HTTPS, then the system converts it to an HTTP address.
In the current scenario, the system does not convert the WDM server address to HTTP.
Manual discovery is removed from WDM. In the WDA tab, the Manual discovery method option is removed (highlighted in red in the following screenshot).