How can I change USB authorizations for PCoIP Zero Client?


USB devices can be enabled or disabled which allows IT control of the use of peripherals with HP Anyware PCoIP Agent, VMware Horizon View using PCoIP protocol, or PCoIP Remote Workstation Cards.

PCoIP Zero Clients provide unique USB security features that are not possible in other desktop form factors. When a USB peripheral is disabled, the USB plug event is blocked in hardware in the PCoIP Zero Client. The host virtual machine/remote workstation does not see the plug event and does not know that the USB device exists. Since this is implemented in silicon in the PCoIP Zero Client, it provides an additional layer of security compared to PCs and thin clients that use a Microsoft/Linux operating system.

The USB permissions page is available on the host and client but the host USB permissions have a higher priority and update the client USB permissions. It is strongly recommended you only set the USB permissions on the host when connecting to a PCoIP Remote Workstation Card. The following rules apply:

  • If the host has permissions programmed (authorized and/or unauthorized), the permissions are sent to the client. If the client has any unauthorized devices, they are added to the host’s unauthorized devices and the consolidated list is used.
  • If the host does not have permissions programmed, the client’s permissions are used.

USB authorization settings can be changed in the following ways:

  • PCoIP Zero Client Administrative Web Interface
  • PCoIP Management Console profile application
  • PCoIP session variable GPO in HP Anyware or VMware Horizon View

 

To change USB authorizations from PCoIP Zero Client AWI:

 

From the PCoIP Zero Client Administrative Web Interface, under Permissions > USB, you can configure permissions. You can authorize and unauthorize a list of USB devices based on ID or Class. You can use wildcards (or specify any) to reduce the number of entries needed to define all devices.

When you specify the devices you want to allow by adding them to the Authorized Devices list, this automatically blocks everything else. That means there is no need to add devices you don't want to allow to the Unauthorized Devices list.

Caution! Before making changes to the Authorized Devices list, you must first add the human interface devices i.e. USB mouse and keyboard. Otherwise, users will be locked out and unable to use mouse and keyboard when in session.

Follow the instructions below. 

Note: For more details about any of the settings below, refer to the PCoIP Zero Client and Host Administrator Guide (search key phrase: AWI USB permissions) in the Doc Center.

  1. From the AWI of the PCoIP Zero Client, go to Permissions > USB, and make the following selections: Add New > Class, Device Class > 03 Human Interface Device, Sub Class > Any, Protocol > Any, and then click Add and then Apply.
  2. Once you add this rule, remove the default rule for Authorized Devices: "Any Device Class, Any Sub Class, Any Protocol".
  3. After that's done, you can add new rules authorizing the desired devices.

 

To change USB authorizations from GPO configuration:

 

  1. The HP Anyware PCoIP Agent for Windows installs the pcoip admin file automatically in C:\Program Files (x86)\Teradici\PCoIP Agent\configuration folder. If you are using VMware Horizon View you need to download the View GPO Bundle .zip file from VMware.
  2. Locate the pcoip.adm file.
  3. Click Start -> Run, and then enter gpedit.msc.
  4. Navigate to: Local Computer Policy \ Computer Configuration \ Administrative Templates
  5. Right click Administrative Templates and select Add/Remove Templates
  6. Click Add in the dialog box that appears.
  7. In the right pane of the new window, select the pcoip.adm file and click Open.
  8. Ensure the pcoip template is visible in the Add/Remove Templates window (remove any previous pcoip templates) and select Close.
  9. Navigate to Local Computer Policy \ Computer Configuration \ Administrative Templates \ PCoIP Session Variables \ Overrideable Administrator Defaults.
  10. Find "Configure PCoIP USB allowed and unallowed device rules" in the Overrideable Administrator Defaults.

When set to Disabled or Not Configured, all devices are allowed and none are disallowed. 

When set to Enabled, a USB device used in a PCoIP session must be included on the USB authorization list and not present on the USB un-authorization list.

 

USB authorizations:

Note: Newer USB devices such as mobile phones or multi-function printers often contain multiple VID/PIDs due to being mass storage devices and many other USB devices all combined into one. You may need to add multiple VID/PIDs combinations to get a device to work. To list all VID/PIDs that a device presents you may need to use a 3rd party application such as USBlyzer or Wireshark.

An empty USB authorization string means that no USB devices are authorized. Up to ten USB authorization rules may be defined, and each rule can be either a specific Vendor ID (VID)/Product ID (PID) or a class of USB devices. Rules are separated by the '|' character.

A VID/PID rule is formatted as 1xxxxyyyy where xxxx is the device's VID in hexadecimal format and yyyy is the PID in hexadecimal format. The rule to authorize a device with VID=0x1a2b and PID=0x3c4d is '11a2b3c4d'.

A class rule can allow an entire device class, a single sub-class or a protocol within a sub-class. A class rule uses one of the following forms:

  1. Allow all USB devices: '23XXXXXX'.
  2. Allow USB device class ID 0xaa: '22aaXXXX'.

  3. Allow USB device sub-class 0xbb in device class 0xaa: '21aabbXX'.

  4. Allow USB protocol 0xcc in sub-class 0xbb in class 0xaa: '20aabbcc'.

Example:

The USB authorization string to allow USB HID (mouse and keyboard) devices (class ID 0x03) and webcams (class ID 0x0e) is '2203XXXX|220eXXXX'.

 

USB unauthorizations:

Note: Newer USB devices such as mobile phones or multi-function printers often contain multiple VID/PIDs due to being mass storage devices and many other USB devices all combined into one. You may need to add multiple VID/PIDs combinations to fully block a device. To list all VID/PIDs that a device presents you may need to use a 3rd party application such as USBlyzer or Wireshark.

Ten USB unauthorization rules may be defined and each rule can be either a specific Vendor ID (VID) and Product ID (PID), or a class of USB devices. Rules are separated by the '|' character.

A VID/PID rule is formatted as 1xxxxyyyy where xxxx is the device's VID in hexadecimal format and yyyy is the PID in hexadecimal format. The rule to block a device with VID=0x1a2b and PID=0x3c4d is '11a2b3c4d'.

A class rule can disallow an entire device class, a single sub-class or a protocol within a sub-class. A class rule uses one of the following forms:

  1. Disallow USB device class ID 0xaa: '22aaXXXX'.

  2. Disallow USB device sub-class 0xbb in device class 0xaa: '21aabbXX'.

  3. Disallow USB protocol 0xcc in sub-class 0xbb in class 0xaa: '20aabbcc'.

Example: The USB unauthorization string to disallow USB Mass Storage devices (class ID 0x08) is '2208XXXX'.

This setting applies only to the server and only when the server is in a session with a PCoIP Zero Client. Device usage is negotiated between the endpoints.
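
The rule-string format and the Enabled-policy check described above can be validated before a GPO is pushed. The following is an added example, not code from the PCoIP product or its documentation: the function names and sample devices are constructed, hex digits are accepted in either case as an assumption, and each device is modelled by a single class/sub-class/protocol triple.

```python
import re

H2 = r"([0-9a-fA-F]{2})"
# Rule forms as given in the article; accepting either hex case is an assumption.
VIDPID = re.compile(r"1([0-9a-fA-F]{4})([0-9a-fA-F]{4})")
CLASS_FORMS = [re.compile(p) for p in
               ("23XXXXXX", f"22{H2}XXXX", f"21{H2}{H2}XX", f"20{H2}{H2}{H2}")]
MAX_RULES = 10  # ten rules per string

def parse_rules(text, allow_any=True):
    """Parse a '|'-separated string into ('vidpid', (vid, pid)) or ('class', prefix)
    tuples; prefix is (), (cls,), (cls, sub) or (cls, sub, proto)."""
    if text == "":
        return []  # empty authorization string: nothing is authorized
    parts = text.split("|")
    if len(parts) > MAX_RULES:
        raise ValueError(f"{len(parts)} rules, maximum is {MAX_RULES}")
    rules = []
    for part in parts:
        m = VIDPID.fullmatch(part)
        if m:
            rules.append(("vidpid", (int(m[1], 16), int(m[2], 16))))
            continue
        m = next((f.fullmatch(part) for f in CLASS_FORMS if f.fullmatch(part)), None)
        # '23XXXXXX' is listed only among the authorization forms, so it is
        # rejected when parsing an unauthorization string (allow_any=False).
        if m is None or (not m.groups() and not allow_any):
            raise ValueError(f"malformed or unsupported rule: {part!r}")
        rules.append(("class", tuple(int(g, 16) for g in m.groups())))
    return rules

def matches(rule, dev):
    kind, value = rule
    if kind == "vidpid":
        return value == (dev["vid"], dev["pid"])
    return (dev["cls"], dev["sub"], dev["proto"])[:len(value)] == value

def is_allowed(dev, auth, unauth):
    """Policy Enabled: on the authorization list and not on the unauthorization list."""
    allowed = any(matches(r, dev) for r in parse_rules(auth))
    blocked = any(matches(r, dev) for r in parse_rules(unauth, allow_any=False))
    return allowed and not blocked

def hid_lockout_risk(auth):
    """True when no class-level rule covers all of HID class 0x03 (keyboard, mouse)."""
    return not any(r in (("class", ()), ("class", (3,))) for r in parse_rules(auth))

# Constructed sample devices (illustrative values, not real hardware).
KEYBOARD = {"vid": 0x1A2B, "pid": 0x0001, "cls": 0x03, "sub": 0x01, "proto": 0x01}
FLASH = {"vid": 0x1A2B, "pid": 0x3C4D, "cls": 0x08, "sub": 0x06, "proto": 0x50}
```

Running `hid_lockout_risk` on a proposed authorization string before deployment catches the keyboard and mouse lockout that the caution above describes.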

 

To change USB authorizations from Management Console 2 & 3:

 

Add USB authorized and unauthorized devices in the peripheral section of the Management Console profile. A Management Console profile that contains USB authorized and unauthorized devices will replace any existing devices added to a PCoIP Zero Client through the Administrative Web Interface.

Note: You should first add the human interface devices i.e. USB mouse and keyboard. Otherwise, users will be locked out and unable to use mouse and keyboard when in session.