Security policies
Security policies are commonly configured to apply each time a device is logged on to the network. Login Agent is used to automatically log devices that host runtime resources on to the network. If security policies that require human intervention are applied to these devices, they can prevent Login Agent from working. Therefore, either these policies must be disabled on the devices, or a policy must be applied that allows them to be programmatically traversed.
- For devices on which there are no policies that require human intervention, Login Agent can automatically log in without having to enable and configure the SAS service.
- For devices on which there are policies that require human intervention, the SAS service can be used to programmatically send Ctrl + Alt + Del and, whilst not a recommended approach, it also provides unsupported functionality that can attempt to temporarily disable some policies.
- The SAS service must be run by a local system or local admin account.
The following sections provide recommended and alternative solutions for traversing common security policies.
Ctrl + Alt + Del – Secure Attention Sequence
If there is a requirement for users to press Ctrl + Alt + Del (Secure Attention Sequence) as part of the login:
Recommended: Apply a Local Security Policy that enables a software SAS to be submitted on all runtime resources. Configure the Blue Prism automated process to request the SAS service to programmatically send the SAS as part of the Login operation.
Policy setting: Local Group Policy > Administrative Templates > Windows Components > Windows Logon Options > Value: Enabled for either Services or Services and Ease of Access applications.
Login Agent install options
Alternative: Disable the requirement for users to traverse the SAS as part of the Login operation. (Only needs applying on devices that will be used as runtime resources).
Policy setting: Local Security Policy > Interactive Login > Value: Enabled
Alternative (unsupported): Configure the Blue Prism SAS service to attempt to disable the policy setting on-the-fly.
Login Agent install options
On-screen pre-login message
If there is a requirement for users to traverse an on-screen message as part of the login:
Recommended: Disable the requirement for users to traverse a login message as part of the Login operation. (Only needs applying on devices that will be used as runtime resources).
Policy setting: Local Security Policy > Interactive Login > Value: [Blank]
Policy setting: Local Security Policy > Interactive Login > Value: [Blank]
Alternative (Unsupported): Configure the Blue Prism SAS service to attempt to disable the policy setting on-the-fly.
Login Agent install options
Display lock screen
There should be no requirement to traverse a lock screen, so that Login Agent can be used to unlock a locked runtime resource. This helps to ensure secure operation of devices, as it makes it easier to lock and unlock devices.
Local Group Policy Editor: Do not display the lock screen.
Value: Enabled.
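The three sections above can be checked together on a runtime resource with a read-only audit. The script below is an added example, not part of Blue Prism or Login Agent. It assumes the policies are backed by the standard Windows policy registry values named in its comments (the page itself does not list them), and the function name Get-PolicyValue is hypothetical.

```powershell
# Read-only audit of the logon policies discussed above on one runtime resource.
# Assumption: the registry value names below are the standard Windows locations
# backing these policies; they are not taken from the page. Nothing is modified.
$system          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$personalization = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$sas     = Get-PolicyValue $system 'SoftwareSASGeneration'  # 1 = Services, 3 = Services and Ease of Access
$noCad   = Get-PolicyValue $system 'DisableCAD'             # 1 = Ctrl + Alt + Del not required
$caption = Get-PolicyValue $system 'LegalNoticeCaption'     # pre-login message title
$text    = Get-PolicyValue $system 'LegalNoticeText'        # pre-login message body
$noLock  = Get-PolicyValue $personalization 'NoLockScreen'  # 1 = lock screen not displayed

# Recommended route: a service may send a software SAS.
$softwareSasAllowed = $sas -in 1, 3
# Alternative route: the SAS requirement is disabled outright.
# An absent policy value is treated conservatively as "still required".
$cadDisabled = $noCad -eq 1
# Either message field being non-blank means a human must dismiss a dialog.
$messageBlank = [string]::IsNullOrWhiteSpace("$caption$text")

$report = @(
    [pscustomobject]@{ Check = 'Software SAS allowed for services (recommended)'; Value = $sas;   Pass = $softwareSasAllowed }
    [pscustomobject]@{ Check = 'Ctrl + Alt + Del traversable (either route)';     Value = $noCad; Pass = ($softwareSasAllowed -or $cadDisabled) }
    [pscustomobject]@{ Check = 'Pre-login message blank';                         Value = "$caption"; Pass = $messageBlank }
    [pscustomobject]@{ Check = 'Lock screen not displayed';                       Value = $noLock; Pass = ($noLock -eq 1) }
)

$report | Format-Table -AutoSize

# Flag hosts that rely on disabling the SAS instead of the recommended software SAS.
if ($cadDisabled -and -not $softwareSasAllowed) {
    Write-Warning 'SAS requirement is disabled; the recommended setting is software SAS for services.'
}
```

Because these settings relax interactive logon protections, the same report run across the wider estate shows whether they are confined to devices used as runtime resources.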