USB Policy
HyWorks v3.4-SP2 adds a feature to control USB redirection based on multiple device attributes. It is configured from the HyWorks Management Console.
This document outlines the steps and configuration details for setting up USB policies via the controller's management console and managing them through the Workspace Client in accordance with the specified rules.
Prerequisites
- Accops Workspace Client version 7.0.0.1042 or later.
  Note
  - The feature is currently supported with Windows desktop Workspace client only. The document will be updated as the feature support is extended to other platforms.
  - The USB redirection driver support is not available with on-demand or non-admin client.
- HyWorks Controller version 3.4 SP2 or later.
- USB Redirection Driver: Built-in USB redirection driver.
  - Make sure the desktop client is configured to use Built-in USB Redirection Driver. The settings can be configured from Devices > Devices section > Default Settings or Device Set Settings or Device Settings. Details can be found here.
  Note
  - This feature is currently supported with Built-in USB Redirection Driver only.
- Ensure that Eltima's registry is enabled in the SHD/VDI environments where USB redirection is required.
  - Check the registry path: HKLM\Software\Accops\DVMAgent\Advance settings\ELTIMA.
  - Set the is_enabled registry key to True.
Note
- Currently, USB redirection is supported only on the Windows Workspace client, not on Linux or Mac clients.
- Conflicts may arise between USB profile settings and connection profile settings under the Local Resources tab. The USB profile takes precedence over the connection profile settings.
Configuration Steps
To configure a USB policy, perform the following steps:
Create a USB Profile
To configure the USB profile on the HyWorks Controller, follow these steps:
- Log in to the Management Console using administrative credentials.
- Navigate to Policies > Profiles > USB Profiles and click Add.
- Two sub-tabs will be available for controlling all USB devices in the environment.
- Select the Details and Policy tab, provide a name and description for the policy, and add the policy rules.
- Enter the following details in the Policy rules settings:
  - Rule Name: Provide a name for the policy, which will be applied to external devices with the specified class, VID, protocol, and PID.
  - USB Identification Mechanisms:
    - Class: Specify the class of the external device. Please check section How to get USB Class, Subclass and Other Attributes.
  - Device Usage: This section enables or disables the usage of the respective external devices.
  - Redirect: This option is available only if Allow is selected under Device Usage. There are three possible redirect options:
    - Always Redirect: The device is redirected, and the user cannot change this setting.
    - Never Redirect: The device is not redirected, and the user cannot change this setting.
    - User Choice: The user can decide whether to redirect the device via the Workspace client.
- After configuring the Policy rule, click Save and then click the Default Policy tab.
- In the Default Policy tab, specify the settings for devices that do not match any of the previously defined policy rules. This default policy will apply to all unmatched devices.
- Configure the device usage and redirection options as needed and click Save.
Functional Specifications
- Profile and Rule Configuration Requirements:
  - Profile Name: Required, 1 - 100 characters.
  - Profile Description: Optional, up to 4000 characters.
  - Policy Rule Name: Required, 1 - 50 characters.
  - Class: Required, hexadecimal, 1 - 2 characters.
  - Subclass: Optional, hexadecimal, up to 2 characters.
  - Protocol: Optional, hexadecimal, up to 2 characters.
  - VID: Optional, hexadecimal, up to 4 characters.
  - PID: Optional, hexadecimal, up to 4 characters.
- Redirection Enum Values:
  - Never Redirect = 0
  - Always Redirect = 1
  - User Choice = 2
  - Not Applicable = 3
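The sketch below is an added example, not Accops code: it checks rule definitions against the constraints above before they are entered in the console, and previews which rule a device would hit, falling back to the default policy. The dict field names are hypothetical, and three behaviours are assumptions the page does not state: an unset optional attribute matches any value, the first matching rule wins, and a blocked rule carries Not Applicable as its redirect value.

```python
import re
from enum import IntEnum

class Redirect(IntEnum):  # values from "Redirection Enum Values"
    NEVER = 0
    ALWAYS = 1
    USER_CHOICE = 2
    NOT_APPLICABLE = 3

# attribute -> (required, max hex digits), from the requirements list
HEX_FIELDS = {"class": (True, 2), "subclass": (False, 2), "protocol": (False, 2),
              "vid": (False, 4), "pid": (False, 4)}
USER_FACING = (Redirect.NEVER, Redirect.ALWAYS, Redirect.USER_CHOICE)

def validate_rule(rule):
    """Return the problems found in one policy rule dict (empty list = valid)."""
    errors = []
    if not 1 <= len(rule.get("name", "")) <= 50:
        errors.append("name: required, 1-50 characters")
    for field, (required, width) in HEX_FIELDS.items():
        value = rule.get(field, "")
        if not value:
            if required:
                errors.append(f"{field}: required")
        elif not re.fullmatch(rf"[0-9A-Fa-f]{{1,{width}}}", value):
            errors.append(f"{field}: hexadecimal, up to {width} characters")
    if rule.get("allow") and rule.get("redirect") not in USER_FACING:
        errors.append("redirect: choose Always, Never or User Choice when usage is Allow")
    return errors

def decide(device, rules, default):
    """Return (allow, redirect) for a device given as integer attributes.
    Assumptions: an unset optional attribute matches anything; first match wins."""
    for rule in rules:
        if all(not rule.get(f) or int(rule[f], 16) == device[f] for f in HEX_FIELDS):
            return rule["allow"], Redirect(rule["redirect"])
    return default["allow"], Redirect(default["redirect"])  # unmatched device

# Constructed sample rule set and default policy (illustrative only).
RULES = [
    {"name": "Block mass storage", "class": "08", "allow": False,
     "redirect": Redirect.NOT_APPLICABLE},
    {"name": "Built-in camera", "class": "EF", "vid": "4F2", "pid": "B5AB",
     "allow": True, "redirect": Redirect.ALWAYS},
]
DEFAULT = {"allow": True, "redirect": Redirect.USER_CHOICE}
# Attribute values taken from the reference log at the end of this page.
CAMERA = {"class": 0xEF, "subclass": 2, "protocol": 1, "vid": 0x4F2, "pid": 0xB5AB}
```
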
Configure USB Profile in Connection Profile
In environments where the Controller Admin uses multiple connection profiles and USB profiles, it is essential to link the correct USB profile to the respective connection profile.
Follow the steps below to link the correct USB profile to the respective connection profile:
- Log in to the Management Console using administrative credentials.
- Navigate to Policies > Profiles > Connection Profile.
- Select the connection profile intended for the USB-controlled environment and click Edit.
- Under the Local Resources section, select Redirect all USB ports.
- In the Additional Settings section, go to the USB Profile field and assign the previously created USB profile to the connection profile.
- Save the changes to the connection profile.
Logon, Verify and Flow
- Launch the Windows Workspace Client (connect via HySecure Gateway or directly via HyWorks).
- Log in with appropriate credentials.
- On logon, the HyWorks Controller assigns a connection profile to the user session.
  - The USB profile associated with the assigned connection profile is assigned along with it.
- The Workspace client receives all the configurations for USB redirection and applies them.
- On connecting to assigned desktops, USB redirection works as per the profile.
USB Profile Reflection on Client-side
- Device Usage
  - Block: Block device is currently not implemented. The expected behavior will be to block the USB usage at the endpoint as well.
  - Allow: Allow device usage on the client side.
- Redirect
  - Always Redirect: The user cannot control redirection, and configured devices (based on class, subclass, VID, PID, protocol or default policy) are shown as shared.
  - Never Redirect: The device is not shown in the USB devices list on the client side.
  - User Choice: The user can choose whether to share the device or not.
How to get USB Device Attributes like Class, SubClass, Protocol, VID, PID
Before the steps to identify USB device attributes such as Class, SubClass, Protocol, VID or PID, the next section gives a brief summary of their definitions. A later section of the document covers the identification process.
USB Device Properties
- Class: To identify a device's functionality and to nominally load a device. E.g.,
  - 0x03: Human Interface Device (HID) (e.g., keyboards, mice).
  - 0x08: Mass Storage Device (e.g., USB drives, external hard drives).
- Subclass: A finer categorization within a USB Class, defining a subset of device functionality. It helps specify the exact type of device and its operational mode within its class. E.g.,
  - For Class 0x08 (Mass Storage):
    - 0x01: Reduced Block Commands (RBC).
    - 0x06: SCSI Transparent Command Set (common for USB drives).
- Protocol: Specifies the protocol used for communication within a USB SubClass. E.g.,
  - For HID Class (0x03):
    - 0x01: Keyboard.
    - 0x02: Mouse.
- Vendor ID (VID): An identifier assigned by the USB Implementers Forum (USB-IF) to a specific manufacturer. E.g.,
- Product ID (PID): Identifier assigned by the manufacturer to a specific product within their VID.
  - When combined, the VID and PID uniquely identify a USB device: A specific Logitech keyboard.
USB Properties Identification Process
Using Device Manager
The following steps can be used to identify certain attributes of a USB device using Device Manager on Windows systems:
- Make sure USB devices are not blocked on your Windows desktops.
- Make sure to log in as a user with administrator privileges.
- Plug in the USB device.
- Go to Control Panel > Device Manager.
- In the respective section, locate the device.
- Right-click the listed device name and click Properties.
- In Device Properties, go to Details. It lists all the device properties.
- Select the property to get its value.
Desktop Client Logs
Alternatively, if the end-user system has an appropriate version of the Accops Workspace client installed, its logs can be checked to get the USB device properties.
- Log Location: The logs can be found at the location below:
  %localappdata%\Accops\edc\softclient\logs\edcService.log
- Search for the USB device to get the details, and locate the following consecutive log lines for reference:
  - The first line has the device name.
  - The second line has the port number to which the device is physically connected.
  - The properties like Class, Subclass, Protocol, VID and PID can be found in the third line.
- The reference logs:
  [11-12-2024] [19:55:32_900][T006572] [ 2428 ] [DEBUG] [ ELTIMA ] NodeOperation: deviceName=[Integrated Camera] port String [Integrated Camera / shared 17432] connectString []
  [11-12-2024] [19:55:32_900][T006572] [ 2428 ] [DEBUG] [ ELTIMA ] Device port Name = Integrated Camera / shared 17432 key = Port_3 keyCount = 4
  [11-12-2024] [19:55:32_901][T006572] [ 2428 ] [DEBUG] [ ELTIMA ] CheckForUSBActionForUsbProfile USB details form base device: class = Decimal [239] Hexa [EF] subclass = Decimal [2] Hexa [2] protocol = Decimal [1] Hexa [1] PID = Decimal [46507] Hexa [B5AB] VID = Decimal [1266] Hexa [4F2] iDefaultAction = 2 iDefaultUserControl = 1
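To collect these attributes for many devices at once, the added example below (not Accops code) parses the three-line pattern described above out of edcService.log text. Reading `key = Port_3` as the port and zero-padding the hex values are assumptions; the embedded sample is the reference log from this page.

```python
import re

# The three reference lines shown on this page, one log entry per line.
SAMPLE_LOG = """\
[11-12-2024] [19:55:32_900][T006572] [ 2428 ] [DEBUG] [ ELTIMA ] NodeOperation: deviceName=[Integrated Camera] port String [Integrated Camera / shared 17432] connectString []
[11-12-2024] [19:55:32_900][T006572] [ 2428 ] [DEBUG] [ ELTIMA ] Device port Name = Integrated Camera / shared 17432 key = Port_3 keyCount = 4
[11-12-2024] [19:55:32_901][T006572] [ 2428 ] [DEBUG] [ ELTIMA ] CheckForUSBActionForUsbProfile USB details form base device: class = Decimal [239] Hexa [EF] subclass = Decimal [2] Hexa [2] protocol = Decimal [1] Hexa [1] PID = Decimal [46507] Hexa [B5AB] VID = Decimal [1266] Hexa [4F2] iDefaultAction = 2 iDefaultUserControl = 1
"""

NAME_RE = re.compile(r"NodeOperation: deviceName=\[([^\]]*)\]")
PORT_RE = re.compile(r"Device port Name = .*? key = (\S+)")  # assumption: key is the port
ATTR_RE = re.compile(
    r"\b(class|subclass|protocol|PID|VID) = Decimal \[(\d+)\] Hexa \[([0-9A-Fa-f]+)\]")
WIDTH = {"class": 2, "subclass": 2, "protocol": 2, "VID": 4, "PID": 4}  # hex digits

def parse_usb_devices(log_text):
    """Return one dict per device found in edcService.log text."""
    devices, current = [], {}
    for line in log_text.splitlines():
        if "[ ELTIMA ]" not in line:
            continue
        if m := NAME_RE.search(line):
            current = {"name": m.group(1)}  # a name line starts a new record
        elif m := PORT_RE.search(line):
            current["port"] = m.group(1)
        elif "CheckForUSBActionForUsbProfile" in line:
            for field, dec, hexa in ATTR_RE.findall(line):
                # The log prints each value twice; reject a damaged line.
                if int(dec) != int(hexa, 16):
                    raise ValueError(f"{field}: decimal {dec} != hex {hexa}")
                current[field] = f"{int(dec):0{WIDTH[field]}X}"
            # Keep only records that had a name line and at least a class.
            if current.get("name") and "class" in current:
                devices.append(current)
            current = {}
    return devices
```
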