Re: [SunRay-Users] utpolicy settings

Fri, 29 Jul 2011 02:11:03 -0700 

Ivar Janmaat schrieb:

I don't think Paul request is that strange.
Maybe a feature request for the next version? ;-)
I am not talking about security. I agree with you on that.



utpolicy is about fundamental session mobility and access policies. For 
fine-grained access control you need different tools.



But what about a  Sun ray environment in combination with Ipads.

The Sun rays can be public terminals but you don't want any resource 
used on them unless the user has a smartcard

With a smartcard the user can logon otherwise there is no access.




Not security, but I can see the point. OTOH an unused login screen 
doesn't use that many resources.



The IPad however is personal so you can allow non smartcard logons. The 
IPad has its own access control.



Anyone who brings an iPad or laptop can connect this way. The only 
access control you can have here is at network level, for example IEEE 
802.1x. As Sun Ray DTUs don't support this yet, you need to prevent 
people from plutheir laptops ino these networks by laptops. (iPads may 
be easier as they typically come in through Wifi, which does have 
network access control.)



So people who have access to the Ipad are allowed to have access to a 
logon screen on OVDC without a smartcard.


The same applies to a pc where a user has to logon to the PC domain first.



A local login is fully sufficient to run OVDC. Your restriction works 
for PCs that you install and configure, but not for laptops the user 
brings along.




Logging on to the device resembles inserting the smartcard. Then the 
next step (logging on to VDI) is the same for Sun Rays and other devices.
I can see that Pauls policy might be handy in some mixed device 
situations were there are a limited number of personal laptops and Ipads 
and large numbers of Sun Rays.





See Craig's reply: to restrict non-card access to a specific set of 
devices, registered-only policy for non-card access is probably the best 
solution.


- Jörg

--
Jörg Barfurth                     http://blogs.oracle.com/joergb

Disclaimer: I am employed by Oracle. The statements and opinions
expressed here are my own and do not necessarily represent those
of Oracle Corporation.
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users























					Reply via email to