Security policies

Security policies are commonly configured so that they apply each time a device is logged onto the network. Login Agent is used to automatically log on the devices that host runtime resources. If the policies applied to these devices require human intervention at login (for example, pressing a key sequence or acknowledging a message), Login Agent cannot complete the login. These policies therefore either need to be disabled on the runtime resource devices, or a policy needs to be applied that allows them to be traversed programmatically.

  • On devices where no policies require human intervention at login, Login Agent can log in automatically without the SAS service being enabled and configured.
  • On devices where policies do require human intervention, the SAS service can be used to send Ctrl + Alt + Del programmatically. It also provides unsupported functionality that attempts to temporarily disable some policies; this is not a recommended approach.
  • The SAS service must run under the Local System account or a local administrator account.

The following sections provide recommended and alternative solutions for traversing common security policies.

Ctrl + Alt + Del – Secure Attention Sequence

If there is a requirement for users to press Ctrl + Alt + Del (the Secure Attention Sequence) as part of the login:

Recommended

Apply a local policy that allows a software SAS to be generated on all runtime resources.

Configure the Blue Prism automated process to request the SAS service to programmatically send the SAS as part of the Login operation.

Policy setting

Local Group Policy > Administrative Templates > Windows Components > Windows Logon Options >
Disable or enable software Secure Attention Sequence

Value: Enabled, with the option set to either Services or Services and Ease of Access applications.

Login Agent install options

  • Install the SAS service and enable the SAS proxy
  • Configure login process to instruct a software SAS to be sent

Alternative

Disable the requirement for users to traverse the SAS as part of the Login operation.

(This only needs to be applied on devices that will be used as runtime resources.)

Policy setting

Local Security Policy > Local Policies > Security Options >
Interactive logon: Do not require CTRL+ALT+DEL

Value: Enabled

Alternative (unsupported)

Configure the Blue Prism SAS service to attempt to disable the policy setting on-the-fly.

Login Agent install options

  • Install the SAS service and set the local SAS proxy
  • Login process does not need to send a software SAS

On-screen pre-login message

If there is a requirement for users to acknowledge an on-screen message as part of the login:

Recommended

Disable the requirement for users to acknowledge a login message as part of the Login operation.

(This only needs to be applied on devices that will be used as runtime resources.)

Policy setting

Local Security Policy > Local Policies > Security Options >
Interactive logon: Message text for users attempting to log on

Value: [Blank]

Local Security Policy > Local Policies > Security Options >
Interactive logon: Message title for users attempting to log on

Value: [Blank]

Alternative (Unsupported)

Configure the Blue Prism SAS service to attempt to disable the policy setting on-the-fly.

Login Agent install options

  • Install the SAS service and set the local legal message policy

Display lock screen

There should be no requirement to dismiss a lock screen before the login prompt is reached. Login Agent can then both lock a runtime resource when it is not in use and unlock it when a process needs to run, so suppressing the lock screen display supports secure operation of the devices rather than weakening it.

Policy setting

Local Group Policy > Administrative Templates > Control Panel > Personalization >
Do not display the lock screen

Value: Enabled
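The following PowerShell script is an added example and is not part of the Blue Prism documentation or product. It audits a runtime resource against the four policy areas covered above (Secure Attention Sequence, software SAS generation, pre-login message, lock screen) by reading the registry values that the Local Security Policy and Local Group Policy editors write, and reports which settings would stop Login Agent from completing a login. The registry paths and value names (DisableCAD, SoftwareSASGeneration, LegalNoticeCaption, LegalNoticeText, NoLockScreen) are the documented Windows locations for those policies; the function name and the -Remediate switch are this example's own, and -Remediate applies the "Recommended" values from the sections above. Run it in an elevated PowerShell session on the runtime resource.

```powershell
# Added example, not Blue Prism code: audit (and optionally set) the local policy
# values that affect Login Agent. Requires an elevated session to write.

$PolicySystem        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyPersonalization = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'

# Read a registry value, returning $null when the key or value is absent
# (which corresponds to "Not Configured" in the policy editors).
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-LoginAgentPolicies {
    [CmdletBinding()]
    param(
        # Apply the page's recommended values instead of only reporting.
        [switch]$Remediate
    )

    $disableCad = Get-PolicyValue $PolicySystem 'DisableCAD'             # 1 = Ctrl+Alt+Del not required
    $softSas    = Get-PolicyValue $PolicySystem 'SoftwareSASGeneration'  # 1 or 3 = services may send SAS
    $caption    = Get-PolicyValue $PolicySystem 'LegalNoticeCaption'     # message title
    $text       = Get-PolicyValue $PolicySystem 'LegalNoticeText'        # message text
    $noLock     = Get-PolicyValue $PolicyPersonalization 'NoLockScreen'  # 1 = lock screen not displayed

    $findings = @()

    # Secure Attention Sequence: acceptable if it is not required (alternative) or if
    # services are permitted to generate a software SAS (recommended, needs SAS service).
    if ($disableCad -eq 1) {
        $findings += [pscustomobject]@{ Policy = 'Ctrl+Alt+Del'; State = 'Not required'; Status = 'OK (alternative)' }
    } elseif ($softSas -in @(1, 3)) {
        $findings += [pscustomobject]@{ Policy = 'Ctrl+Alt+Del'; State = "Required; SoftwareSASGeneration=$softSas"; Status = 'OK (recommended; requires SAS service and SAS proxy)' }
    } else {
        # An absent DisableCAD means the Windows default applies, which requires
        # Ctrl+Alt+Del on domain-joined devices, so treat it as blocking.
        $findings += [pscustomobject]@{ Policy = 'Ctrl+Alt+Del'; State = 'Required; software SAS not enabled'; Status = 'BLOCKS Login Agent' }
    }

    # Pre-login message: any non-empty title or text needs a human to acknowledge it.
    if ([string]::IsNullOrEmpty($caption) -and [string]::IsNullOrEmpty($text)) {
        $findings += [pscustomobject]@{ Policy = 'Logon message'; State = 'Blank'; Status = 'OK' }
    } else {
        $findings += [pscustomobject]@{ Policy = 'Logon message'; State = 'Configured'; Status = 'BLOCKS Login Agent' }
    }

    # Lock screen: should be suppressed so the login prompt is reached directly.
    if ($noLock -eq 1) {
        $findings += [pscustomobject]@{ Policy = 'Lock screen'; State = 'Not displayed'; Status = 'OK' }
    } else {
        $findings += [pscustomobject]@{ Policy = 'Lock screen'; State = 'Displayed'; Status = 'Review' }
    }

    if ($Remediate) {
        if (-not (Test-Path $PolicyPersonalization)) {
            New-Item -Path $PolicyPersonalization -Force | Out-Null
        }
        # Recommended: keep Ctrl+Alt+Del but allow services to send a software SAS.
        Set-ItemProperty -Path $PolicySystem -Name 'SoftwareSASGeneration' -Type DWord -Value 1
        # Recommended: clear the pre-login message title and text.
        Set-ItemProperty -Path $PolicySystem -Name 'LegalNoticeCaption' -Type String -Value ''
        Set-ItemProperty -Path $PolicySystem -Name 'LegalNoticeText'    -Type String -Value ''
        # Do not display the lock screen.
        Set-ItemProperty -Path $PolicyPersonalization -Name 'NoLockScreen' -Type DWord -Value 1
    }

    $findings
}

Test-LoginAgentPolicies | Format-Table -AutoSize
```

On domain-joined runtime resources these values are usually written by domain Group Policy, and a local change made with -Remediate is reverted at the next policy refresh. Use the audit output to identify the settings that need changing, then make the change in the Group Policy Object that applies to the runtime resource devices (scoped to those devices only, as the sections above advise) rather than on each machine.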