Example: Use a USB device for authentication purposes

By restricting an application or setting to a Locations and Devices Zone based on the unique serial number of a USB storage device, you can turn this specific USB storage device into a key to the application or setting.

Common scenarios when using USB Storage Device Identification in Zones are:

  • Removable Disks Security
    By using Zones that contain USB Storage Device Identification rules, you can control which USB devices can be used by specific users.
  • Application Control
    By assigning Identity and Zones that contain USB Storage Device Identification rules to an application, you enable multi-factor authentication for this application (based on user credentials and the USB storage device doubling as a unique token).
  • Workspace Control
    By assigning Identity and Zones that contain USB Storage Device Identification rules to a Workspace Container, you enable multi-factor authentication for specific computers (only if these computers are exclusively assigned to this Workspace Container).
  • RES Workspace Extender
    When a user starts a remote session using the RES Workspace Extender, any Zone that contains USB Storage Device Identification rules applies, as in a "normal" session.
    This means that users can also use USB storage devices as an access token in remote sessions using the Workspace Extender. For example, when a user has started a remote session and plugs in a USB device with a specific serial number on their local computer, this information is passed on to the remote session. As a result, applications and settings whose accessibility or applicability depends on the availability of this specific USB device serial number become available in the remote session when this session is refreshed.
    If you run the Management Console in a remote session using the Workspace Extender, and plug in a USB device on your local computer, this device is automatically recognized by the Management Console. This allows you to create new Zones in the remote session using the serial number of the local USB device.

Procedure

  1. At User Context > Locations and Devices, create a Zone based on the rule USB storage device > Serial number.
  2. At Composition > Desktop > Lockdown and Behavior, in the Workspace Composer section, select Refresh Workspace on USB storage device change.
  3. Set the Access Control of the application or setting to require the Zone.

With this setup, the user's session is refreshed when a USB storage device is plugged in. If the serial number of the USB storage device matches the Zone rule, the application or setting becomes available. When the USB storage device is unplugged, the session refreshes again and the application or setting is no longer available.

This setup also works if the session is a Workspace Extension using the Workspace Extender.
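
To find the value to enter in the Serial number rule of step 1, and to check that a device reports a serial number of its own, the following added PowerShell example (not part of the product or its documentation) reads the serial from the Windows USBSTOR instance ID. The function name Get-UsbSerialFromPnpId and the sample IDs are constructed for illustration. It assumes the serial is the instance ID portion of the PNP device ID; confirm the result against the value the Management Console shows for the same device.

```powershell
# Added example: list USB storage serial numbers for use in a Zone rule.
# Assumption: the serial is taken from the USBSTOR instance ID; compare it
# with the value the Management Console shows for the same device.

function Get-UsbSerialFromPnpId {
    param([Parameter(Mandatory)][string]$PnpDeviceId)

    # Expected layout: USBSTOR\DISK&VEN_x&PROD_y&REV_z\<instance id>
    $parts = $PnpDeviceId -split '\\'
    if ($parts.Count -lt 3 -or $parts[0] -ne 'USBSTOR') { return $null }
    $instance = $parts[-1]

    # When the second character is '&', Windows generated the ID because the
    # device reports no serial number. Such an ID is not tied to the device,
    # so the device is a poor candidate for use as a key.
    $generated = ($instance.Length -gt 1 -and $instance[1] -eq '&')

    [pscustomobject]@{
        Serial       = ($instance -replace '&\d+$', '')  # drop trailing "&0"
        UniqueSerial = -not $generated
    }
}

# Constructed sample IDs so the parsing can be checked without hardware.
$samples = @(
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789ABCDEF&0',
    'USBSTOR\DISK&VEN_GENERIC&PROD_STORAGE&REV_0.00\6&1A2B3C4D&0'
)
$samples | ForEach-Object { Get-UsbSerialFromPnpId $_ }

# Live query (Windows only): USB disks currently attached.
if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance Win32_DiskDrive -Filter "InterfaceType='USB'" |
        ForEach-Object {
            $info = Get-UsbSerialFromPnpId $_.PNPDeviceID
            [pscustomobject]@{
                Model        = $_.Model
                Serial       = $info.Serial
                UniqueSerial = $info.UniqueSerial
            }
        }
}
```

Devices for which UniqueSerial is False have no serial number that identifies the individual device.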