Software
-
Missing items from profile in VCS
Introduction This document explains the different scenarios in which user customization may be missing from Virtual Computer Services (VCS). Applicability This article applies to anyone using or supporting Virtual Computer Services (VCS) user profiles. Details Generally there are two scenarios where profile items may be missing. Scenario 1: Certain profile items may be missing such as mapped network drives, mapped network printers, Google Chrome bookmarks, custom wallpaper. But files on the Desktop, Documents, Downloads folders are still there. 95% of the time, this is caused by not logging off before the VCS virtual machines are restarted every Sunday morning at 1:00 am, and is often noticed Monday morning. If a proper Windows log off (Start ->Sign Out) is not done, then these profile items are not saved to the profile server for use next time. Be sure to sign out from your VCS desktop prior to Sunday @ 1am. Scenario 2: If a user profile cannot be loaded for whatever reason, the user may get signed into Windows, but be provided with a temporary profile. Usually this happens for a couple reasons: The user logged off of one virtual machine, and immediately logged into a new one. The old profile may not have been synced back to the profile server, before it is requested to be synced to a new machine. Usually waiting about 30 seconds - 1 minute after logging off before launching a new machine is recommended. The user profile may have components that are corrupt, and cannot be synced. Examining the Application Event Log may provide more information as to why the profile could not be loaded. The Event log may provide the solution in the action item, or potentially, the profile may need to be rebuilt. An incident ticket to IST will be required in this case. Keywords: VCS, Virtual Computer Services, profile, missing, drives, printers, bookmarks
-
Connecting to VCS from an Android device
Introduction Follow these steps to connect to a VCS (Virtual Computer Service) virtual machine from an Android based device. Applicability This article applies to anyone using or supporting VCS. Details To connect to VCS from an Android device, you'll need to get the Citrix Workspace App from the Google Play store. Citrix WorkSpace App Once you have it installed on your device, open it, and you'll see a fairly blank screen. We will need to enter the URL for Citrix Workspace App to connect to. Press the + sign in the bottom right to add a URL, which will bring up the following screen. Enter "https://vcs.med.ualberta.ca" (no quotes) and enable the option "Add account type as Web Interface", as you see in the screenshot below. Once you connect, you'll be presented with the username/password login screen as if you were connecting from a desktop/laptop, and if you're connecting your device from off campus, you'll be prompted for the multifactor authentication (MFA) prompts if necessary. Keywords: VCS,Virtual Computer Services,android
-
Changing keyboard layout on VCS
Introduction This article will show you how to force a specific keyboard layout within VCS (Virtual Computer Services). Applicability For anyone using or supporting VCS where keyboards type the wrong characters. Details By default, VCS will try to determine the type of keyboard you have, and make that same keyboard layout available within VCS. While the vast majority of people use a US-English keyboard layout, sometimes some computers may come with a Canadian-French keyboard. In some cases, you may need to specify the keyboard layout you want to use within VCS, as the auto-detection will not work properly. This may lead to unintended problems such especially if you end up using two or more computers that have different keyboard layouts. This may especially present problems if you set a password on a keyboard layout that you don't normally use. For people connecting to VCS from an Apple product, or someone using Linux, the keyboard layout detected within VCS commonly may not be the same keyboard layout as what you have specified on your client machine. For this you will need to edit a configuration file on your endpoint machine, to force a specific keyboard layout into VCS. MacOS Be sure you are not connected to VCS while doing this step. Open Finder Click on the Go menu at the top Click on Go to folder... type in the path /users/username/library/Application Support/Citrix Receiver, replacing username with your user account Edit the config file with the OSX text editor Change the line "KeyboardLayout=(User Profile)" to "KeyboardLayout=US" Save the file In some cases, doing the step above, doesn't always resolve the issue, so additional steps may be required. Again, make sure you are NOT connected to VCS while doing this step. Open Finder Click on the Go menu at the top Click on Go to folder... type in the path /users/username/library/Application Support Delete any folder starting with Citrix, such as the screenshot below. Leave the Finder window open, as we'll need to come back here. -{OPTIONAL}- You may want to take this opportunity to upgrade to the latest version of Citrix Workspace App that is compatible with your version of OSX if you haven't done so for a while. Use these KBs for assistance VCS Downloads Installing Citrix Workspace App Launch VCS, this will create a new set of Citrix files in the /users/username/library/Application Support with the default factory values Disconnect from VCS Go into the Citrix Receiver folder in Finder Edit the config file with the OSX text editor Change the line "KeyboardLayout=(User Profile)" to "KeyboardLayout=US" Save the file Launch VCS Linux Be sure you are not connected to VCS while doing this step. Open terminal Type nano /.ICAClient/wfclient.ini Change the line KeyboardLayout = (User Profile) to KeyboardLayout = US Save the file, press Ctrl X then press Y then press Enter to overwrite the same filename. Keywords: VCS,Virtual Computer Services,OSX,linux,keyboard,keys
-
Connecting to VCS from iOS
Introduction This article contains steps to connect to a VCS (Virtual Computer Services) desktop from an iOS device as well as some troubleshooting advice. Applicability Anyone using or supporting VCS, wanting to connect from an iOS device such as an iPad, or iPhone. Procedure To connect to VCS from an iOS device (iPhone or iPad), you'll need to get the Citrix Workspace App from the App store on your device. After it is downloaded and installed, open up the Citrix Workspace App, and press the Get Started button. Instead of entering a Store URL right away, we'll need to click on the ellipsis button in the top right, then down to Manual Setup You'll need to enter 3 things on this next screen. Enter https://vcs.med.ualberta.ca in the address field. For Description, you can enter VCS and then ensure Web Interface has a checkmark next to it. Then press Save in the top right. A sample is shown below: After hitting Save, it'll take you right to the login screen asking for your username and password. If you are connecting from off-campus, then you may need to provide the multifactor authentication part as well. Troubleshooting Virtual Desktop Connections If you encounter problems launching a virtual desktop at the desktop selection screen, and get an error #183. You may need to change a setting in the Workspace App. These instructions will work for both Android and iOS devices, as the process is almost identical. Click on the Ellipses or Gear button in the top right corner of the Workspace App, and go to Settings. Once in the settings menu, press TLS Versions. Then select TLS 1.2 You should now be able to launch a virtual desktop. Keywords: VCS,Virtual Computer Services, iOS,, iphone, ipad, Apple
-
Enrolling in Multifactor Authentication for VCS
Introduction This article discusses multifactor authentication (MFA) for Virtual Computer Services (VCS) instructions that can be used to access VCS while off-campus. Applicability This document applies to anyone who uses or supports external connections to VCS where multifactor authentication is required. Procedure Table of Contents 1. Getting Started 1.1 What is Multifactor Authentication (MFA)? 1.2 Downloading the SecureAuth Authenticator App 1.3 Connecting to VCS on Campus for the first time 1.3 Logging into VCS off Campus for the first time 2. Enrolling your Mobile device for MFA 2.1 Logging into the MedID Portal 2.2 Enrolling with a QR Code 2.3. Enrolling with a URL 2.4. Enrolling with a Yubikey 3. Connecting to VCS with MFA 3.1. Authenticating with push notifications 3.2. Authenticating with time-based passcodes 3.3. Authenticating with a Yubikey 4. Frequently Asked Questions VIDEO TUTORIAL 1. Getting Started 1.1. What is Multifactor Authentication (MFA)? Multifactor Authentication (MFA) is a security technique where an additional method is used to identify a user when they're logging in. Usually with a secondary device like a phone. Multifactor Authentication is used when connecting to VCS from locations outside the FOMD, UWS, or AHS networks. This is used to enhance security for remote connections. IST has set up the application SecureAuth Authenticator to be used when logging into VCS. The first step to setting up remote access to VCS when working offsite is to get the SecureAuth Authenticate application on your Android or Apple smartphone. If using a mobile phone is not an option, a hardware USB device can be used instead. Please contact the Service Desk at 780-492-8000. 1.2. Downloading the SecureAuth Authenticator App To install the SecureAuth application; go to your device's application store, and search for "SecureAuth". Alternatively, provided links have been provided to the application in the Android and iOS App Stores as well. After installing SecureAuth, you will need to connect to the MedID Portal to link the app to your MedID. Following downloading the SecureAuth Authenticate app on your mobile device, you'll need to enroll your device with the VCS enrollment site, which is only available from with VCS. Follow sections 1.3 or 1.4 for help with connecting to VCS for the first time. Android iPhone SecureAuth for Android SecureAuth for iOS 1.3. Connecting to VCS on Campus for the first time You can connect to VCS from on campus with your MedID and password once your MedID has been enabled. And you will not need MFA, however it is a good idea to set it up while you're on campus help make logging in easier when you're off campus. If you are off-campus, you can still log in, but you will need to contact the service desk to log in; please proceed to section 1.4 Connecting to VCS off campus. Citrix Workspace app is required to connect to VCS, and will be prompted to install when you sign into the VCS website. Additional support for installing Citrix Workspace App can be found at KB0013163. Go to https://vcs.med.ualberta.ca; then enter your MedID and Password. At the desktop selection screen, click on Windows 10. The Desktop viewer screen will show up and begin to log you into VCS. 1.4. Logging into VCS off Campus for the first time You can still connect to VCS from off campus with your MedID and password once your MedID has been enabled. However, prior to setting up MFA, you will need to contact the service desk to log in. Citrix Workspace app is required to connect to VCS, and will be prompted to install when you sign into the VCS website. Additional support for installing Citrix Workspace App can be found at KB0013163. You will need to call the service desk at 780-492-8000 to receive a temporary PIN to grant you access to VCS. Otherwise you will not be able to log in. Please call them immediately prior to logging in to receive the PIN. After receiving the PIN, go to https://vcs.med.ualberta.ca then enter your MedID and Password. When you connect, you'll need to specify whether you are on a Public Computer or a Private Computer, then enter your MedID and click Submit. The difference between "public computer" and "private computer" is that selecting 'this is a public computer' will force the VCS website to forget your computer's "fingerprint" when you close the browser. Whereas selecting 'this is a private computer' will have the site remember your computer's "fingerprint". The fingerprint is a way that the VCS website remembers trusted devices, so you are not prompted for MFA every time you login. Select the Personal Identificaiton Number (PIN) option and click Submit. Enter the PIN you received from the service desk. Then click Submit. Enter your MedID password. Then click Submit. At the desktop selection screen, click on Windows 10. The Desktop viewer screen will show up and begin to log you into VCS. 2. Enrolling your Mobile device for MFA 2.1. Logging into the MedID Portal Within the VCS virtual desktop, open a web browser and browse to the following website; https://medid.med.ualberta.ca Enter your MEDID and then click Submit. At this point you'll only have one option to receive the 6 digit passcode, which is by email. Select Email, then click Submit. If you get an error here, most likely a work email address must be added to your MEDID account. Please contact the Staff Service Centre at 780-492-8000 to have it added. Check your email for the FOMD passcode. Enter the passcode from your email into the text field. Then click Submit. Followed by entering your MEDID password. Then click Submit. 2.2. Enrolling with a QR Code This is the default method to enrol your device for MFA. However if your phone's camera does not work or you encounter any errors then skip to the next section. Log into VCS, and connect to the MedID portal using the instructions in "Section 2.1 Logging into MedID Portal". From the MedID portal, select Mobile App Enrolment. On the Mobile App Enrollment screen, open the SecureAuth Authenticate app on your mobile device. On your phone, tap Yes or Allow on any pop-ups requesting access to your camera or to send notifications. Using your mobile device, scan the QR code you see on your computer monitor. Note: if your phone fails to scan the QR code, you may need to refresh the website to generate a new QR code. Note: If this still fails, or you can not scan the QR code at all, proceed to Section 2.3. Enrolling with a URL. Once your mobile device successfully reads the QR code, you'll be sent to a dashboard showing your webcode as "LOCKED". This is expected, as you will need to create a new PIN in order to unlock your account. To create a PIN, tap on the LOCKED webcode. You will be shown a pop-up asking you to setup your PIN, tap on Go to App Lock to proceed. You will be taken to the App Lock screen to enable methods to unlock the SecureAuth app to help ensure that other people cannot use your phone to access your MedID. Tap on Passcode to create a PIN. You will be taken to a screen to create a new PIN for this application. Enter a 4-digit PIN that you will remember, then you will be asked to confirm your PIN, enter the exact same PIN to confirm. Do not give out this PIN to anybody, and IST will never ask you for this PIN when assisting you. This PIN is only used when exposing the 6 digit code on the SecureAuth Authenticor app on your mobile device if using the One Time Passcode login method as shown in section 3.2 You will be taken back to the App Lock page, feel free to enable other forms of security for this application (such as Touch ID/Fingerprint recognition or Face ID/Face recognition). You can use these in lieu of the PIN. Afterwards, you can close the App Lock page to return to the dashboard. If you can see the 6-digit passcode, then you have enabled security within the application successfully. Finally, you will need to perform a final step to enable your MedID to use MFA. Return to the MedID website within VCS, and enter the 6-digit passcode on your phone in the text box under "3. Confirm". Then click Enable. Your mobile device has now been enrolled. For all future attempts to log in off-campus, your phone will receive a notification to prompt you for authentication. Note: If push notifications are not working. You can use the passcode you entered in Step 12, though you will be asked to enter the PIN or use other forms of security that you set up previously. 2.3. Enrolling with a URL If using the QR code method for enrolling does not work, you can specify a URL for enrollment directly in the Authenticate App. This following section will be done in-lieu of Step 5 from the previous section. Complete Step 1 through Step 4 in the previous section, "2.2. Enrolling with a QR Code". From the Authenticate mobile app start by tapping Other Pairing Options. On the next screen enter the following URL into path: "https://secureauth.med.ualberta.ca/secureauth20" then tap on Pair. You'll be directed to a login page where it will ask for your MedID. Enter your MedID and then tap on Submit. Next, you'll be sent a 6 digit passcode to the email we have associated to your MedID (most often is your Ualberta email address). After receiving the code in your email, enter the 6 digit passcode in your email and then tap Submit. in the next screen on your mobile device, then tap on Submit. Next, it will ask for your MedID password to confirm your identity. Enter your password and tap Submit. You will now be enrolled! Please continue the steps from the previous section from Step 6 through 12. 2.4. Enrolling a Yubikey for MFA This is for those who either have a phone that will not work for this purpose, or cannot use their phone for their MedID. IST offers a device called a "YubiKey", which is a USB device that performs the same functions as the SecureAuth application; however it will need to be plugged in on any and all computers that you will sign in to VCS with. So ensure that you keep it with you on all times. Request a YubiKey from IST via the service portal found at the Staff Service Centre; or call the service desk at 780-492-8000 to have them help you with submitting a request. After you have received a YubiKey. Follow Section 2 "Enrolling your Mobile device for MFA using a QR Code" from Step 1 through Step 6. On the https://medid.med.ualberta.ca website, choose Yubikey Enrollment. Plug the YubiKey into your computer, then press on the little gold Y button on the YubiKey itself with your finger, which will automatically fill in the text field with a code for that Yubikey. Then click Submit. Once you see the Yubikey saved successfully, after being verified, then you can close the browser tab. 3. Connecting to VCS with MFA Now that you have set up MFA on your mobile device, you should test it by logging into VCS. You have two options Push Notifications and Time-based Passcodes. By default you should receive push notifications as it is the easier method; but we offer time-based passcodes as a fallback. 3.1 Authenticating with push notifications Browse to https://vcs.med.ualberta.ca on your computer. If you are on a public computer, then you'll want to set it as being on a public computer, so it doesn't remember your login. Enter your MEDID and then click Submit. To receive a push notification for authentication, choose the option to Send login request to _______ option. If push notifications are not working, then proceed to the following section; 3.2 Authenticating with Time-based Passcodes. On the next screen, you'll see either a randomly generated number or letter, you'll need to tap on the matching character on your mobile device to confirm your identity. Next it will move the login along to the password screen. Enter your MedID password then click Submit. From here you will be at the desktop selection screen. Select Windows 10 or any other virtual computer you need to access. 3.2 Authenticating with time-based passcodes. If push notifications are not available or not working, then we offer the ability to manually enter a 6 digit passcode from the SecureAuth app on your phone. This uses the same techniques as push notifications, however the only difference is that push notifications automatically send the 6-digit passcode to the login servers. Whereas time-based passcodes are entered manually. Time-based passcodes change very 60 seconds. The app on your phone will tell you how much time is left before a password resets, so be aware when a passcode will reset before entering it. Browse to https://vcs.med.ualberta.ca on your computer. If you are on a public computer, then you'll want to set it as being on a public computer, so it doesn't remember your login. Enter your MEDID and then click Submit. Select Time-based Passcode. Then click Submit. On your mobile device, open the SecureAuth Authenticate app, and tap on the account that was created when you enrolled your device. The app will prompt for your PIN that you created when you enrolled. This will then show the 6 digit passcode, from there, enter it into the VCS website, and then click Submit. Then enter your password then click Submit. From here you will be at the desktop selection screen. Choose your VM to launch. 3.3. Authenticating with a Yubikey If you don't have a phone that you can authenticate with, and you have followed the steps in 2.4. Enrolling a Yubikey for MFA then you can use a YubiKey to authenticate. Browse to https://vcs.med.ualberta.ca on your computer. If you are on a public computer, then you'll want to set it as being on a public computer, so it doesn't remember your login. Enter your MEDID and then click Submit. Select YubiKey Device then click Submit. Insert the YubiKey into your computer, then press on the little gold Y button on the Yubikey itself with your finger, which will automatically fill in the text field with a code for that Yubikey. The site will the proceed to the password page automatically. Enter your MEDID password then click Submit. From here you will be at the desktop selection screen. Choose your VM to launch. Frequently Asked Questions I lost my mobile device, what should I do? Contact the Service Desk at 780-492-8000 or log a ticket on the Service Portal and an Analyst will remove the lost device from your user profile. Can I enroll more than one mobile device? Yes, you can enroll up to 5 mobile devices. I'm on a business trip and my mobile device is not working, how can I login? Contact the Service Desk at 780-492-8000 or log a ticket on the Service Portal and an Analyst will generate a One-Time Passcode (OTP) for you. What mobile devices are supported? IOS, Android, Microsoft, and Blackberry devices are supported. Huawei devices are not supported due to U.S. embargo MD-839. My mobile device does not have an internet connection or push alerts are not working, how can I login? You can generate an OTP from the mobile application. Your mobile device does not need an internet connection to generate an OTP. When logging in, do I select public or private computer? If the computer you are using is not your personal computer, you should select public computer. Public computers are not stored as trusted computers in your user profile. Can One-Time Passcodes (OTP’s) be sent to my personal email address? No, for security reasons, OTP's are only sent to your U of A email address. Why I am no longer required to use MFA to login from my personal computer? Personal computers are stored in your user profile as a trusted computer during the first login with a fingerprint. Should the fingerprint change, you’ll be prompted to with multifactor authentication again. I do not have a mobile device to use for MFA, what other options do I have? You can purchase a hardware token from IST. This is known as a YubiKey. Keywords: VCS, Virtual Computer Services, multifactor, authentication, login, off campus, external, 2FA, MFA
-
Information about BeyondTrust Remote Support at the UofA
Introduction BeyondTrust Remote Support is an application that IST uses to help clients remotely. It allows the technician to see and control the remote computer as if they were sitting in front of it, and allows for file transfers to and from the device. This article is written using the latest OS and browser versions available at the time of writing. Applicability This article is for both IST technicians using the software and clients being helped with it. Details General Information Windows Downloading the App Google Chrome Mozilla Firefox Microsoft Edge Running the App Session Elevation Ending the Session macOS Downloading the App Google Chrome Mozilla Firefox Safari Running the App Initial Information (OS Independent) macOS 13-15 macOS 12 and Below Session Elevation Ending the Session General Information The portal site that clients will go to in order to start a session is https://helpme.ualberta.ca. They should see the following on the page regardless of OS type or browser: Similarly, after submitting the Session Key, the client should see the following page: The page should then automatically start the download of the file used to start the session (we will assume that the default setting of downloading automatically to the Downloads folder is still being used). After this the process changes based on the OS type (Windows or macOS) as well as which browser is being used. Windows Downloading the App Google Chrome After the file has finished downloading, click the downloads icon at the top right of the window, then click the downloaded file. Mozilla Firefox After the file has finished downloading, click the downloads icon at the top right of the window, then click the downloaded file. Microsoft Edge After the file has finished downloading, click the downloads icon at the top right of the window, then single-click the downloaded file. If the download icon disappears, click the three dots at the top right of the window, then click Downloads. Running the App After opening the app the client will briefly see a window with a loading bar in the middle, then the agreement will come up. Put the dot next to I have read and agree to the terms above. and click OK. Once that's done the main window will show up where the client and technician can communicate by text if needed. Session Elevation In order for the technician to be able to see User Account Control screens (i.e. run apps as an administrator) or to be able to login to a different user, the session needs to be elevated by the technician. Once they enter the necessary credentials on their side, the client will see the following screen and should click Yes: Ending the Session At any time the client can end the session by clicking STOP SHARING or the X at the top right of the main window, then clicking Yes. Once the session has ended the downloaded file will be removed. macOS Downloading the App Google Chrome Click the download icon at the top right, then click the Show in Finder icon (looks like a file folder). In the Finder window that comes up, double-click the Open to Start Support Session.zip file, then double-click the Open to Start Support Session.app file. Mozilla Firefox Click the download icon at the top right, then click the Show in Finder icon (looks like a magnifying glass). In the Finder window that comes up, double-click the Open to Start Support Session.zip file, then double-click the Open to Start Support Session.app file. Safari Click Allow in the popup asking to allow downloads from the site. If the system is enrolled in the Kandji management system (bee icon in the menu bar): Click the download icon at the top right, then click the Show in Finder icon (looks like a magnifying glass). In the Finder window that comes up, double-click the Open to Start Support Session.zip file, then double-click the Open to Start Support Session.app file. If the system is not enrolled in the Kandji management system: Click the download icon at the top right, then double-click the Open to Start Support Session.app line. Running the App Regardless of macOS version you will get several windows to start: The first one asks to run an app downloaded from the internet. On this window click Open. The second is a brief loading window where a bar will move back and forth. The third is an agreement window. Put the dot next to I have read and agree to the terms above. and click OK. The fourth is a window asking to grant Screen Recording permissions. We'll be doing this a different way, so click Deny on this one. The fifth is the Action Required window where we will give the app permissions to do the various things needed for the session to work. This changes slightly in different OS versions so that process will be described below. Note: If the system is enrolled in Kandji then the Accessibility and Full Disk Access buttons will have a green checkmark next to them and the buttons will say Revoke Access. Also, if the computer has been supported through BeyondTrust before then this screen won't show up. After this things change based on which version of macOS is on the computer: macOS 13 - 15 Click the Grant Access button in the Screen Recording section. In the System Settings window that comes up, click the toggle to the right of Remote Support Customer Client and enter the user password when asked. After entering the password a window will come up indicating that the app needs to be restarted. In this window click Quit & Reopen. Go back to the Action Required window and click the Grant Access button in the Accessibility section, then click the toggle next to Remote Support Customer Client. Go back to the Action Required window and click the Grant Access button in the Full Disk Access section, then click the toggle next to Remote Support Customer Client. The same app restart window will come up again, so click Quit & Reopen. For macOS 15 specifically you may see two windows in the course of running the app that indicate other permissions are required. On both of them click Allow. macOS 12 and below Click the Grant Access button in the Screen Recording section. In the System Preferences window, click the lock at the lower left corner of the window (if it's not already open) and enter the user password to unlock the window. After this put a check mark in the box to the left of Remote Support Customer Client. A window will come up indicating that the app needs to be restarted. In this window click Quit & Reopen. Go back to the Action Required window and click the Grant Access button in the Accessibility section, then put a checkmark to the left of Remote Support Customer Client. Go back to the Action Required window and click the Grant Access button in the Full Disk Access section, then put a checkmark to the left of Remote Support Customer Client. The same app restart window will come up again, so click Quit & Reopen. Regardless of the macOS version, after the permissions have been granted the main window will show up where the client and technician can communicate by text if needed. Session Elevation In order for the technician to be able to see certain security screens or to be able to login to a different user, the session needs to be elevated by the technician. If they need the user to type their password in order for this to happen the following window will come up where they can type their password and click OK: Ending the Session At any time the client can end the session by clicking STOP SHARING or the red dot at the top left of the main window, then clicking Yes. Once the session has ended the downloaded files can be deleted manually.