Cache Cleaner
About Cache Cleaner
Cache Cleaner is a Host Checker policy that removes residual data, such as temporary files or application caches, left on a user's machine after a session. For example, when a user signs in to a device from an Internet kiosk and opens a Microsoft Word document using a browser plug-in, Cache Cleaner can remove the temporary copy of the Word file stored in the browser cache (Windows folder) when the session terminates. By removing the copy, Cache Cleaner prevents other kiosk users from finding and opening the Word document after the user concludes the session.
Cache Cleaner can also prevent Web browsers from permanently storing the usernames, passwords, and Web addresses that users enter in Web forms. By preventing browsers from improperly caching this information, Cache Cleaner keeps confidential user information from being stored on untrusted systems.
Setting Global Cache Cleaner Options
When you enable Cache Cleaner, it clears all content downloaded through the system's Content Intermediation Engine from a user's system. In addition, you can use settings in the Authentication > Endpoint Security > Cache Cleaner page of the admin console to clear content from the following places:
•Specified hosts and domains: If you enable PSAM or JSAM, you may want to configure Cache Cleaner to clear additional hosts and domains. When users browse the Internet outside the system using PSAM or JSAM, Internet files appear in their temporary Internet file folder. To delete these files using Cache Cleaner, you must specify the appropriate hostname (for example, www.yahoo.com).
•Specified files and folders: If you enable your users to access client-server applications on their local systems, you may want to configure Cache Cleaner to clear the temporary files and folders that the applications create on the users' systems.
If you configure Cache Cleaner to remove files from a directory, Cache Cleaner clears all files, including those that the user has explicitly saved to the directory and files that were in the directory prior to the session.
Only one Cache Cleaner policy is allowed. You can neither delete the default Cache Cleaner policy (named "Cache Cleaner Policy") nor create a new one.
To specify global Cache Cleaner options:
1.Select Authentication > Endpoint Security > Cache Cleaner in the admin console.
2.Under Options:
•Specify how often Cache Cleaner runs in the Cleaner Frequency field. Valid values range from 1 to 60 minutes. Each time Cache Cleaner runs, it clears all content downloaded through the Content Intermediation Engine plus the browser cache, files, and folders you specify under the Browser Cache and Files and Folders sections.
•Select the Disable AutoComplete of web addresses check box to prevent the browser from using cached values to automatically fill in Web addresses during the user's session. When you select this option, the system sets the following Windows registry value to 0 during the user's session: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete.
Then, at the end of the session, the system restores the registry value to its original setting.
•Select the Disable AutoComplete of usernames and passwords check box to prevent Internet Explorer from automatically filling in user credentials in Web forms using cached values. Selecting this option also disables the "Save Password?" prompt on Windows systems. When you select this option, the system sets the following Windows registry values to 0:
•HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords
•HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords\FormSuggest PW Ask
•HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisablePasswordCaching
•Select the Flush all existing AutoComplete Passwords check box to clear any passwords that Internet Explorer has cached on the user's system. When you select this option, the system sets the following Windows registry value to 0:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\SPW
Then, select one of the following options:
•Select the For Secure Gateway session only option button to specify that the system should restore the user's cached passwords at the end of the session.
•Select the Permanently option button to permanently delete the user's cached passwords.
•Select the Empty Recycle Bin and Recent Documents list check box to empty the recycle bin and clear the recent documents list. The entire contents are removed, not just the files related to the user's sessions.
3.Under Browser Cache, enter one or more hostnames or domains (wildcards are permitted). When a user session ends, Cache Cleaner removes any content in the browser cache that originates from these servers. Cache Cleaner also removes this content when it runs at the specified cleaner frequency interval. Note that the system does not resolve hostnames, so enter all possible representations of a server, such as its hostname, FQDN, and IP address.
4.Under Files and Folders:
•Specify either:
•The name of a file that you want Cache Cleaner to remove.
•The complete directory path to a folder whose contents you want Cache Cleaner to remove. If you specify a directory, select Clear Subfolders to also clear the contents of any subdirectories within this directory.
•Select the Clear folders only at the end of session check box if you want Cache Cleaner to clear directory contents only at the end of the user session. Otherwise, Cache Cleaner also clears files and folders at the specified cleaner frequency interval.
When specifying files and folders to clear, note the following:
Cache Cleaner uses a cookie called DSPREAUTH to send the client's status to the system. If you delete this cookie from the user's client, Cache Cleaner does not work properly. To avoid problems, do not specify Internet Explorer directories such as <userhome>\Local Settings\Temporary Internet Files\* under File or folder path. Note that Cache Cleaner still clears all of the Internet Explorer cache downloaded from the system and the hosts specified in the Hostnames box, regardless of what directories you specify under Files and Folders.
For the Firefox browser, Cache Cleaner clears only those directories you specify under Files and Folders.
5.Click Save Changes to save these settings globally.
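The following pre-flight check for steps 3 and 4 is an added example, not part of the product or its documentation. It compares planned Browser Cache entries against every name a server is reachable by (without DNS resolution, as the system behaves) and flags Files and Folders entries that point into the Internet Explorer cache. The server inventory, the example.com names, the function names, and the shell-style reading of wildcards are assumptions.

```python
import fnmatch
import ntpath

# Constructed sample inventory: every name a browser might use for each server.
SERVERS = {
    "intranet": ["intranet", "intranet.corp.example.com", "10.20.0.15"],
    "wiki": ["wiki", "wiki.corp.example.com", "10.20.0.16"],
}
# Constructed entries an administrator plans to type under Browser Cache.
HOST_ENTRIES = ["*.corp.example.com", "intranet"]
# Constructed entries planned under Files and Folders.
PATH_ENTRIES = [
    r"C:\Temp\acme-client\cache",
    r"<userhome>\Local Settings\Temporary Internet Files\*",
]
# Folder name taken from the page's warning about the DSPREAUTH cookie.
IE_CACHE_MARKER = "temporary internet files"


def uncovered_hosts(servers, entries):
    """Return {server: [names no entry matches]}, comparing strings only.

    Assumption: '*' in an entry behaves like a shell-style wildcard.
    No DNS lookup is done, mirroring the note that hostnames are not resolved.
    """
    patterns = [e.strip().lower() for e in entries]
    gaps = {}
    for server, names in servers.items():
        missing = [n for n in names
                   if not any(fnmatch.fnmatchcase(n.lower(), p) for p in patterns)]
        if missing:
            gaps[server] = missing
    return gaps


def risky_paths(entries):
    """Return entries that point into the Internet Explorer cache tree."""
    flagged = []
    for entry in entries:
        # Normalize separators and case so any spelling of the folder matches.
        parts = ntpath.normpath(entry.replace("/", "\\")).lower().split("\\")
        if IE_CACHE_MARKER in parts:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for server, names in uncovered_hosts(SERVERS, HOST_ENTRIES).items():
        print(f"{server}: add Browser Cache entries for {', '.join(names)}")
    for entry in risky_paths(PATH_ENTRIES):
        print(f"{entry}: remove, clearing it may delete the DSPREAUTH cookie")
```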
If more than one valid session exists from the same system and Cache Cleaner is used in those sessions, all sessions are terminated when a user signs out from one of the sessions. To prevent this, turn off Cache Cleaner for those sessions that do not need Cache Cleaner.
If multiple administrators or end users are signed in to a single system from the same client and at least one of them deploys Cache Cleaner, unexpected results may occur. For example, Cache Cleaner might shut down, role privileges might be lost, and forced disconnections might occur.
Implementing Cache Cleaner Options
After you specify which hosts, domains, files, and folders to clear using settings in the Authentication > Endpoint Security > Cache Cleaner page of the admin console, you can restrict system and resource access by requiring Cache Cleaner in the following options:
•Realm authentication policy: When users try to sign in to a device, the system evaluates the specified realm's authentication policy to determine if the pre-authentication requirements include Cache Cleaner. You can configure a realm authentication policy to evaluate whether to require and enforce the Cache Cleaner policy in order for the user to log in to the specified realm. If the user's computer does not meet the requirements, then the user is denied access to the device. As a post-authentication requirement, you can evaluate without enforcing the Cache Cleaner policy on the client and allow user access. You configure realm-level restrictions through the Users > User Realms > Realm > Authentication Policy > Host Checker page of the admin console.
•Role: When the system determines the list of eligible roles to which it can map an administrator or user, it evaluates each role's restrictions to determine if the role requires Cache Cleaner to run on the user's workstation. If it does and the user's machine is not already running Cache Cleaner, then it does not map the user to that role. You can control which roles the system maps a user to by using settings in Users > User Realms > Realm > Role Mapping. Select or create a rule and then select Custom Expressions. You can configure role-level restrictions through the Users > User Roles > Role > General > Restrictions > Host Checker page of the admin console.
•Resource policy: When a user requests a resource, the system evaluates the resource policy's detailed rules to determine whether or not Cache Cleaner needs to be installed or running on the user's workstation. The system denies access to the resource if the user's machine does not meet the Cache Cleaner requirement. You can implement Cache Cleaner restrictions at the resource policy level through the Condition Field box of the Rules window. Select Users > Resource Policies > Resource > Policy > Detailed Rules and set hostCheckerPolicy = 'Cache Cleaner policy'.
You may specify that the system evaluate your Cache Cleaner policies only when the user first tries to access the realm, role, or resource that references the Cache Cleaner policy. Or, you can use settings in the Authentication > Endpoint Security > Cache Cleaner tab to specify that the system periodically re-evaluate the policies throughout the user's session. If you choose to periodically evaluate Cache Cleaner policies, the system dynamically maps users to roles and allows users access to new resources based on the most recent evaluation.
When the user tries to access a device, Host Checker evaluates its policies (Cache Cleaner is a Host Checker policy) in the following order:
•Initial evaluation
•Realm-level policies
•Role-level policies
•Resource-level policies
Specifying Cache Cleaner Restrictions
To specify Cache Cleaner restrictions:
1.Select Authentication > Endpoint Security > Cache Cleaner and specify global options for Cache Cleaner to apply to any user for whom Cache Cleaner is required in an authentication policy, a role mapping rule, or a resource policy.
2.Implement Cache Cleaner at the realm level and role level as you would with Host Checker.
3.Create role-mapping rules based on a user's Cache Cleaner status as you would with Host Checker.
4.To implement Cache Cleaner at the resource policy level:
1.Select Users > Resource Policies > Select Resource > Select Policy > Detailed Rules.
2.Click New Rule or select an existing rule from the Detailed Rules list.
3.Create a custom expression in a detailed rule that sets hostCheckerPolicy = 'Cache Cleaner policy'.
About Cache Cleaner Logs
Since Cache Cleaner is a Host Checker policy, it is included in the Host Checker logs. Use the System > Log/Monitoring > Client Logs > Settings tab to enable client-side logging for Host Checker. When you enable this option, the system writes a client-side log to any client that uses Host Checker. The system appends to the log file each time the feature is invoked during subsequent user sessions. This feature is useful when working with the support team to debug problems with the respective feature.