Applying the System Security Manager Settings to other Users

The SiteKiosk System Security Manager helps you to manage the restricted SiteKiosk user. The user is created by the SiteKiosk installer. It is a local standard Windows user account. The System Security Manager further restricts this account to increase the security of the kiosk terminal. The manager enables you to customize the restrictions for the SiteKiosk user to your needs. We strongly recommend running SiteKiosk with this user, which is the default behaviour when using the Auto Start mode of SiteKiosk.

If your kiosk environment requires the usage of another user, you can do so by using the Customized start options of SiteKiosk. For those scenarios we recommend using the default Windows options, e.g. local or domain policies, to secure this user to meet your project requirements.

If you want to apply the same restrictions to your user which the System Security Manager applies to the local SiteKiosk Windows user, you can use command line parameters for this. Please note that these parameters are unsupported and provided as is. Use the following information at your own risk. Also note that if you apply the restrictions to a domain user they might only last until the next periodic domain policy update on the computer, because domain policies always overrule local settings if they overlap.

The SystemSecurity.exe is located in the main installation folder of SiteKiosk Windows, e.g. C:\Program Files (x86)\SiteKiosk.

To open the graphical user interface of the SiteKiosk System Security Manager with a user of your choice, use the following command line parameters:

SystemSecurity.exe /user:<UserNameOrSID> /pass:<Password> /domain:<DomainName>

To apply the default settings used for the restricted SiteKiosk user to a user of your choice without using the graphical user interface, you can use the following command line parameters:

SystemSecurity.exe /applydefault /user:<UserNameOrSID> /pass:<Password> /domain:<DomainName>

User Logoff on Screensaver Activation or SiteKiosk Logout Button Usage

This script example is suited for environments where SiteKiosk is started when users log in to the kiosk terminal with their individual accounts instead of the default SiteKiosk user and the terminal should return to the Windows login screen once the user leaves the terminal. In most cases this means domain environments.

Instead of using the standard Auto Start mode from the SiteKiosk Quick Start menu, the Customized mode is used according to the needs of the specific kiosk environment. For example, choose Run SiteKiosk automatically at Windows startup, uncheck Settings only apply to the restricted SiteKiosk user account, and leave Disable any keyboard input during startup and Log on automatically at system startup unchecked. This leaves the kiosk terminal at the Windows login screen when it is turned on; users type in their credentials there and SiteKiosk starts right after the user logs in.

In order for the kiosk terminal to return to the Windows login screen either when a user presses the default SiteKiosk logout button or when the screensaver activates, a small script can be added in the configuration tool of SiteKiosk.

The script uses the SiteKiosk Object Model and has this content:

SiteKiosk.OnReset = InitUserLogoff; // Requires the default Screensaver setting to execute a logout to be active

function InitUserLogoff(){
	//Wait 5 seconds to give SiteKiosk time to do the usual screensaver and logout processing, adjust if necessary
	SiteKiosk.Scheduler.AddDelayedEvent(5000, LogoffWindows);
}

function LogoffWindows(){
	//Run the Windows user logoff
	SiteKiosk.LogoffWindows();
}

The script uses the OnReset event to detect the usage of the logout button or the activation of the screensaver. Note that it requires the default screensaver behaviour to execute a logout to be active to work. In case the OnReset event fires, the function InitUserLogoff is called, which uses the AddDelayedEvent method to wait 5 seconds to give SiteKiosk time to perform the usual logout and screensaver actions. You can change the time to match your requirements. After the delay the LogoffWindows function is called, which uses the LogoffWindows method to initiate a Windows logoff while retaining the selected SiteKiosk start settings.

Copy and paste the above code to an editor, e.g. Notepad, and save it as a .js file in the Html subfolder of your SiteKiosk installation (usually located here: C:\Program Files (x86)\SiteKiosk\Html). To add the script to SiteKiosk, go to Start Page & Browser -> Customize -> Advanced and add it as an external script file to be executed on startup of SiteKiosk.

Enabling Tabs When Using Fullscreen Mode for Specific URLs

The default SiteKiosk Windows behaviour when using fullscreen mode for specific URLs with the Chrome engine is to disable tabs. If a link opens an additional website and the URL matches a fullscreen pattern a new window is shown in fullscreen mode. This enables users to use both pages at the same time. If you do not need this kind of usability for a project but want the ability to use tabs instead, you can use the method described below. Be aware that as soon as a navigation in one of the tabs matches a fullscreen URL, the browser will switch to fullscreen. Make sure to include navigations that allow the user to leave the fullscreen mode to make the other tabs usable again.

Note that this feature requires SiteKiosk Windows 9.9.6000 or higher.

First configure the fullscreen mode for specific URLs in the configuration of SiteKiosk under Start Page & Browser -> Fullscreen.

Save the configuration and then open the configuration file with an editor like Notepad. Look for the fullscreen section, e.g.:

"fullscreen": {
    "enabled": true,
    "hideTaskbar": false,
    "activateFullscreenOnAddresses": {
      "enabled": true,
      "urls": [
        "https://www.sitekiosk.com/"
      ]
    }
  },

Add the line "allowTabs": true at the end of it, e.g.:

"fullscreen": {
    "enabled": true,
    "hideTaskbar": false,
    "activateFullscreenOnAddresses": {
      "enabled": true,
      "urls": [
        "https://www.sitekiosk.com/"
      ]
    },
    "allowTabs": true
  },

You also need to edit the file C:\Users\Public\SiteKiosk\data\content\local\files\projects\d97aa96b962543fcb39625a3f8e8d8fb\000000000000000000000000\files\browserSettings.js. It is recommended to make a backup of the file before making the change.

Look for the line:

var canOpenTabs = !!appConfig.visibility.showHideTabBarButton && (!modules["appSettings"].fullscreen.enabled || modules["appSettings"].fullscreen.allowTabs);

Change it to this:

var canOpenTabs = !!appConfig.visibility.showHideTabBarButton && (!modules["appSettings"].fullscreen.enabled || modules["appSettings"].fullscreen.showTabbar);

Now tabs are available. 

Monitoring the Windows Event Log with SiteKiosk Windows

Here is a quick script based solution that describes one way to monitor the Windows event log for certain messages with the help of SiteKiosk Windows.

When you combine SiteKiosk Windows with SiteRemote the errors from the Windows application and system event logs are monitored by default. Depending on your environment you might need to monitor certain warning or even information events. There are numerous ways to achieve this in combination with SiteKiosk and the different SiteKiosk APIs. One of the simplest options is using two Javascript (JScript) files.

Two script files are required because the user you usually run SiteKiosk under does not have the rights to access the Windows event log and in order to write to the SiteKiosk logs by script (which is what we will do in this example) you need to be in the same user context as the running SiteKiosk Windows application.

The first script monitors the Windows event log for certain messages.

//This script needs to be added to the Windows Task Scheduler and set to start at system startup
//Initiating required objects
var fso = new ActiveXObject("Scripting.FileSystemObject");
var gk_locator = new ActiveXObject("WbemScripting.SWbemLocator");
var gk_wmi_service =  gk_locator.ConnectServer(".", "Root/Cimv2");

//Creating the query string
var gstr_wql = "select * from __instancecreationevent where targetinstance isa 'Win32_NTLogEvent' and targetinstance.eventcode = '102' and targetinstance.type = 'information' and targetinstance.sourcename = 'ESENT'";

//Running the query
var gk_objeventsource = gk_wmi_service.execnotificationquery(gstr_wql);

function writeToEventlogstore(message){
	var lobj_timestamp = new Date();
	
	//Make sure the path to the file matches
	var lobj_filehandle = fso.OpenTextFile("C:\\Users\\Public\\Documents\\eventlogstore.txt",8,true,-1);
	lobj_filehandle.WriteLine(lobj_timestamp + " " + message);
	lobj_filehandle.Close();
}

//Using a while loop to constantly monitor
while(true){
	//Getting a new event
	var lk_objeventobject = gk_objeventsource.nextevent();
	//Check if the event contains a specific string element 
	if(lk_objeventobject.TargetInstance.Message.indexOf("starting") != -1){
		//Write to the event log store file
		writeToEventlogstore(lk_objeventobject.TargetInstance.Message);
	}
}

The script uses no SiteKiosk specific code, please use your preferred search engine if you want to learn more about the objects and methods that have been used.

This script example listens for information events (targetinstance.type = 'information') with the event ID 102 (targetinstance.eventcode = '102') and the source ESENT (targetinstance.sourcename = 'ESENT'). It then checks for the occurrence of a specific string fragment in the message, in this case starting (lk_objeventobject.TargetInstance.Message.indexOf("starting")). Doing so picks a certain message from events that have the same event ID. If such a message is found, it will be written to a text file. You should place the text file at a location where the user you run SiteKiosk with has the rights to read and delete the file, e.g. C:\Users\Public\Documents\eventlogstore.txt.

Save the script as eventlogmonitor.js in the folder ..\SiteKiosk\html. Then add the script to the Task Scheduler of Windows. The script needs to run at startup with a user that is allowed to access the Windows event log. Execute it with wscript.exe.

The second script should be saved as eventlogreader.js, also in the folder ..\SiteKiosk\html, and is added to SiteKiosk as an external script by going to Start Page & Browser -> Customize -> Advanced in the SiteKiosk configuration.

//This script needs to be added to the SiteKiosk configuration as an external script 
//Initiating required objects
var fso = new ActiveXObject("Scripting.FileSystemObject");

function ReadFromEventlogstore(){
	//Make sure the path to the file matches
	var lobj_filehandle = fso.OpenTextFile("C:\\Users\\Public\\Documents\\eventlogstore.txt",1,true,-1);
	try{
		var str_eventlogstorecontent = lobj_filehandle.ReadAll();
		//Write to the SiteKiosk Logfile
		SiteKiosk.Logfile.Write(9999, 20, "CustomEventLogStore","Event log store content: " + str_eventlogstorecontent);
	}catch(e){}
	lobj_filehandle.Close();
	fso.DeleteFile("C:\\Users\\Public\\Documents\\eventlogstore.txt",true);
}

//Read the event log store every 5 seconds
SiteKiosk.Scheduler.AddPeriodicEvent(5000, ReadFromEventlogstore);

This script uses Javascript (JScript) and also the SiteKiosk Object Model and checks the text file written by the first script every 5 seconds (SiteKiosk.Scheduler.AddPeriodicEvent(5000, ReadFromEventlogstore)) while SiteKiosk is running. If the file has content it will be written to the SiteKiosk logs (SiteKiosk.Logfile.Write(9999, 20, "CustomEventLogStore","Event log store content: " + str_eventlogstorecontent)) and then the file will be deleted. Of course you also could do something different here, this is just meant as an example.
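The reader above reads the file and deletes it afterwards, so a line that the monitor script appends between those two calls is lost. The following variant is an added example, not PROVISIO code: it renames the store file first and reads the renamed copy. The name eventlogstore.txt.reading and the right of the SiteKiosk user to rename files in that folder are assumptions of this example.

```javascript
// Added example, not PROVISIO code. Written in ES3 style so it runs as JScript.
var STORE = "C:\\Users\\Public\\Documents\\eventlogstore.txt"; // path from the article
var CLAIMED = STORE + ".reading"; // hypothetical name for the claimed copy

// Reads and removes the claimed copy. Returns its text, or "" if it was empty.
function readClaimed(fso, claimedPath) {
	var handle = fso.OpenTextFile(claimedPath, 1, false, -1); // 1 = read, -1 = Unicode
	var text = "";
	try {
		// ReadAll throws on an empty file, so test for end of stream first
		if (!handle.AtEndOfStream) {
			text = handle.ReadAll();
		}
	} finally {
		handle.Close();
	}
	fso.DeleteFile(claimedPath, true);
	return text;
}

// Moves the store aside, then reads the moved copy. Lines the monitor script
// appends after the move land in a fresh store file and are kept for the next run.
// Returns the number of characters forwarded to writeLog.
function drainEventStore(fso, storePath, claimedPath, writeLog) {
	var forwarded = 0;
	var text;
	// A copy left over from an interrupted run is forwarded first
	if (fso.FileExists(claimedPath)) {
		text = readClaimed(fso, claimedPath);
		if (text.length > 0) { writeLog(text); forwarded += text.length; }
	}
	if (!fso.FileExists(storePath)) {
		return forwarded;
	}
	try {
		fso.MoveFile(storePath, claimedPath);
	} catch (e) {
		// If the move fails, for instance because the monitor script has the
		// file open, leave the store untouched and try again on the next tick
		return forwarded;
	}
	text = readClaimed(fso, claimedPath);
	if (text.length > 0) { writeLog(text); forwarded += text.length; }
	return forwarded;
}

// Wiring for SiteKiosk; skipped when the SiteKiosk object is not present
if (typeof SiteKiosk !== "undefined" && typeof ActiveXObject !== "undefined") {
	var eventStoreFso = new ActiveXObject("Scripting.FileSystemObject");
	SiteKiosk.Scheduler.AddPeriodicEvent(5000, function () {
		drainEventStore(eventStoreFso, STORE, CLAIMED, function (text) {
			SiteKiosk.Logfile.Write(9999, 20, "CustomEventLogStore", "Event log store content: " + text);
		});
	});
}
```
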

With the information added to the SiteKiosk logs you could then create a custom SiteRemote error to be notified when the event fires.

Adding Custom Components to the Software Tab of a Machine on a SiteRemote or SiteKiosk Online Server

When running your own SiteRemote or SiteKiosk Online Server you can add custom components to the software tab of a Windows machine in a team on the server. This means you can monitor the version number (must be available as a property of the file) and creation date of any executable (exe) or dynamic link library (dll) that is available on a machine. They will be shown as part of the Components table on the software tab of a machine.

By default the software tab lists the most common components and all installed software that is visible in the Programs and Features list of the Windows control panel.

If you need to monitor exe or dll files that have been copied to the machine without using a standard installation routine or that are not the main part of an application you can go to the Settings tab of the SiteRemote or SiteKiosk Online Server administration. Click on Edit configuration next to the Software component settings on the right side of the page. You will now see a table with the existing components.

Click on the Add New button to create a new entry. Choose a display name to identify the component in the table.

You can either query the component by the Component Object Model's programmatic identifier (see https://docs.microsoft.com/en-us/windows/win32/com/-progid--key) or by the file path. You can use system environment variables as part of the file path, e.g. %windir% or %ProgramFiles%.

The Type determines under which component category the added component will be listed in the Components table on the software tab of a machine. You can select from Application, System, Additional, Remote Client or Multimedia (the other options in the dropdown field are for SiteKiosk specific usage).

Click Save on the right side of the new entry to save it temporarily, add an additional component if you wish, and then click the Save button at the bottom of the page to save the changes permanently and activate them by restarting the server service.

If the newly added component is present on a machine it will show up after a few machine contacts with the server.

Using the RunHelper Tool to Start Applications

A few applications cannot be started directly if added to the list of external applications in the configuration of SiteKiosk. In most cases this is due to directory virtualization. One example is osk.exe which is the on-screen keyboard of Windows (Note: it is strongly recommended to use the onscreen keyboards included in SiteKiosk whenever possible, using the default Microsoft onscreen keyboard will decrease the security of SiteKiosk by bypassing the keyboard input filter).

The little RunHelper tool for 64-bit systems that can be downloaded here will help with starting these kinds of applications. It can also be used instead of a batch file to start programs, therefore eliminating the need to lift some security restrictions of SiteKiosk.

The RunHelper tool has two parameters, the first is a string for the path to the executable, the second is an optional string for all parameters that might be needed for the application. 

It is recommended to place the tool in the HTML subfolder of your SiteKiosk installation path.

If you want to start an application without parameters the command line field in the SiteKiosk configuration needs to look like this:

"C:\Program Files (x86)\SiteKiosk\Html\RunHelper.exe" "C:\windows\system32\osk.exe"

For an application with parameters the command line field needs to look like this:

"C:\Program Files (x86)\SiteKiosk\Html\RunHelper.exe" "C:\windows\system32\notepad.exe" "C:\Program Files (x86)\SiteKiosk\Html\test.txt"

Using SiteRemote to Install the Smart Kiosk Control Client

The Smart Kiosk Control client enables the remote control of kiosk terminals and displays with a mobile phone or tablet. The Smart Kiosk Control client can also be used for presentations or as an accessibility option. The client needs to be installed on the SiteKiosk Windows machine that a user should be able to control with a mobile device.

The installation can be done with the SiteRemote job system on existing SiteKiosk Windows machines. The SiteRemote job will consist of 3 steps.

Download the RemoteInput installer from your SiteRemote team account at Administration -> Downloads or directly here: https://www.siteremote.net/download/SmartKioskControlSetup.exe.

Next go to SiteKiosk -> Jobs in your SiteRemote team and click on the New Job button. Give the job a name, e.g. Install Smart Kiosk Control Client. You may also check the option to Save this job as a new template, if you want to reuse it in the future. Add a description if desired. 

Now choose File Upload from the available tasks to create the first job step. Upload the downloaded file and choose the destination path, e.g. %TEMP%\SmartKioskControlSetup.exe.

For the second step choose the task Run Executable. For the command line use

%TEMP%\SmartKioskControlSetup.exe /exenoui /qn

This will start a silent installation of the application. Make sure to choose invisible execution, so the installer runs with administrative rights.

The third and final step uses the Execute Operating System Command task. Use Restart from the available options. This will restart the operating system to finish the installation process.

Assuming the SiteKiosk machine is set to Autostart mode, a user will be able to remotely control SiteKiosk with a mobile device after the restart.

Using Different User Agents for Websites in SiteKiosk Windows Chrome Browser

For compatibility reasons or identification purposes it can be useful or even necessary to modify the user agent of the browser. You can do that for the browser as a whole in the configuration of SiteKiosk under Start Page & Browser -> Customize.

Replacing the whole default user agent string of SiteKiosk instead of just adding something to it is described here (Chrome) and here (IE).

But a modification that helps on one website can lead to problems on another website. So it can be useful to edit the user agent only for certain pages while on others the default user agent is used. You can do this with SiteKiosk Windows by editing the configuration file of SiteKiosk with an editor like Notepad. Look for urlSpecificUserAgents in the file and create entries for your URL(s). There are two options, you can either just add something to the default user agent of SiteKiosk or you can fully replace the user agent. 

This is what adding something to the default user agent for a specific URL looks like (as you can see, wildcards (*) are supported):

"url": "*whatsmyuseragent.org/*",
"userAgent": {
"add": "SiteKiosk Windows"
}

In this example SiteKiosk Windows is added to the default user agent for the specified page, while other pages receive the default user agent.

You can have as many different specific user agents as you need. This is what more than one looks like:

"urlSpecificUserAgents": [
{
  "url": "*.google.*",
  "userAgent": {
	"add": "Edg/$(ChromiumVersion)"
  }
},
{
  "url": "*whatsmyuseragent.org/*",
  "userAgent": {
	"add": "SiteKiosk Windows"
  }
}
],

The option to replace the full user agent string with a custom one looks like this:

"url": "*whatsmyuseragent.org/*",
"userAgent": {
"full": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.76"
}

This example uses the user agent string of Edge (Chromium engine).

Note that using a user agent that mimics another browser can lead to display problems with a webpage. Always test the settings before using them in your production environment.
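A check for hand-edited urlSpecificUserAgents entries, as an added example that is not part of SiteKiosk: JSON.parse accepts an object that repeats a key and silently keeps only the last value, so two url/userAgent pairs typed into one object collapse into a single entry. The sample text is constructed, and treating an entry with both "add" and "full" (or neither) as an error is an assumption based on the two options described above.

```javascript
// Added example, not SiteKiosk code. Run with Node.js before deploying a hand-edited file.
// Constructed sample: two url/userAgent pairs typed into ONE object.
const handEdited = `{
  "urlSpecificUserAgents": [
    {
      "url": "*.google.*",
      "userAgent": { "add": "Edg/$(ChromiumVersion)" },
      "url": "*whatsmyuseragent.org/*",
      "userAgent": { "add": "SiteKiosk Windows" }
    }
  ]
}`;

// Returns [{ key, line }] for every key that repeats inside the same object.
function findDuplicateKeys(text) {
  JSON.parse(text); // throws on syntax errors, so the scan below only sees valid JSON
  const duplicates = [];
  const stack = []; // one frame per open object or array
  let line = 1;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    const top = stack[stack.length - 1];
    if (ch === "\n") line++;
    else if (ch === "{") stack.push({ keys: new Set(), expectKey: true });
    else if (ch === "[") stack.push({ keys: null, expectKey: false });
    else if (ch === "}" || ch === "]") stack.pop();
    else if (ch === "," && top && top.keys) top.expectKey = true;
    else if (ch === '"') {
      let end = i + 1; // find the closing quote, skipping escaped characters
      while (text[end] !== '"') end += text[end] === "\\" ? 2 : 1;
      if (top && top.keys && top.expectKey) {
        const key = JSON.parse(text.slice(i, end + 1));
        if (top.keys.has(key)) duplicates.push({ key, line });
        top.keys.add(key);
        top.expectKey = false;
      }
      i = end;
    }
  }
  return duplicates;
}

// Returns a list of problems for a parsed urlSpecificUserAgents array.
// Assumption: each entry carries one url and exactly one of "add" or "full".
function checkEntries(entries) {
  if (!Array.isArray(entries)) return ["urlSpecificUserAgents is not an array"];
  const problems = [];
  entries.forEach((entry, index) => {
    const userAgent = (entry && entry.userAgent) || {};
    if (!entry || typeof entry.url !== "string" || entry.url === "") {
      problems.push(`entry ${index}: "url" is missing`);
    }
    const modes = ["add", "full"].filter((m) => typeof userAgent[m] === "string");
    if (modes.length !== 1) {
      problems.push(`entry ${index}: "userAgent" needs exactly one of "add" or "full"`);
    }
  });
  return problems;
}

// Combines both checks for a config text; the array is looked up at the top
// level here because the sample is constructed that way.
function reviewUserAgentConfig(text) {
  const duplicates = findDuplicateKeys(text).map(
    (d) => `line ${d.line}: key "${d.key}" repeats in one object`
  );
  return duplicates.concat(checkEntries(JSON.parse(text).urlSpecificUserAgents));
}

console.log(reviewUserAgentConfig(handEdited));
```
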

How to Trigger a Customizable Navigation Command in SiteKiosk Windows Chrome Browser from Another Application

We will create a little C# example to show how to trigger a navigation in the Chrome Browser of SiteKiosk Windows from an external application.

It makes use of the SendCustomCommand method from the ISiteKiosk9 object, that is part of the SiteKioskRuntime type library (..\SiteKiosk\Typelib\SiteKioskRuntime.tlb). Add the library to your C# project and access the ISiteKiosk9 object similar to what you find in this description (https://www.provisio.com/helpconsole/SiteKiosk%20Object%20Model%20Help/en-US/default.htm?codesamples_accessobject.htm).

The main part of the code for a small application with a button to call https://www.provisio.com/ looks like this:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using SiteKioskRuntimeLib;

namespace NavigateInSKWchrome
{
    public partial class Form1 : Form
    {
        [DllImport("ole32.dll", CallingConvention = CallingConvention.StdCall)]
        public static extern int CoGetClassObject(ref Guid rclsid, uint dwClsContext, IntPtr pServerInfo, ref Guid riid, out IntPtr ppv);

        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            // initialize GUID's for classes and interfaces
            Guid lr_FactoryGuid = typeof(ISiteKioskFactory).GUID;
            Guid lr_FactoryClass = Guid.Parse("1CA0D073-4ABB-4D06-B318-BFFDE38E4903");
            Guid lr_SiteKioskGuid = typeof(ISiteKiosk9).GUID;

            ISiteKiosk9 mk_pSiteKiosk;

            // try to get the ISiteKioskFactory interface of the instance
            // of SiteKioskFactoryClass
            IntPtr lk_FactoryPtr = new IntPtr();
            CoGetClassObject(ref lr_FactoryClass, 4, new IntPtr(), ref lr_FactoryGuid, out lk_FactoryPtr);
            
            // convert the received IntPtr to the requested ISiteKioskFactory
            // interface
            ISiteKioskFactory lk_Factory = (ISiteKioskFactory)Marshal.GetObjectForIUnknown(lk_FactoryPtr);

            // call CreateSiteKiosk to get the ISiteKiosk interface of the
            // current instance of SiteKiosk
            IntPtr lk_SiteKioskPtr = new IntPtr();
            lk_Factory.CreateSiteKiosk(ref lr_SiteKioskGuid, out lk_SiteKioskPtr);

            // convert the received IntPtr to the requested
            // ISiteKiosk9 interface
            mk_pSiteKiosk = (ISiteKiosk9)Marshal.GetObjectForIUnknown(lk_SiteKioskPtr);

            mk_pSiteKiosk.SendCustomCommand("openBrowser", "https://www.provisio.com/");
        }
    }
}

When building the project, make sure to build it as an x86 project, so that it can communicate with SiteKiosk. Also make sure that you run the application within the same user context as SiteKiosk, otherwise the application will not be able to access SiteKiosk.

SendCustomCommand can also be used from an external script by simply calling this line in an external Javascript file:

SiteKiosk.SendCustomCommand("openBrowser", "https://www.provisio.com/");

Note that the SendCustomCommand method is handled in the file ..\SiteKioskNG\assets\rootApp\modules\browser.js. By default the onCustomCommand method, that is fired when a custom command is received, only includes the openBrowser command. It uses the navigateinMainBrowser method to open the requested page in a new tab, when the first parameter is false, or in the active tab, when the parameter is true. Feel free to add your own code to the browser.js file to enable your own custom commands to be used with the Chrome Browser of SiteKiosk Windows.

How to Force PDF Downloads in SiteKiosk Windows Chrome Browser

Most web servers do not deliver PDF files as direct downloads, instead they allow the browser to display them instantly if the browser has this capability. When using the Chrome browser of SiteKiosk Windows this means that most PDF files are shown in the integrated PDF viewer. You can allow downloads in the configuration of SiteKiosk (see below), then a user can click the little download icon in the upper right corner of the PDF viewer to actually download the file, just like in any other modern browser.

Depending on the intended use of the kiosk system, you might want to avoid having your users go through all these steps to download the file or you even want the PDF to automatically open in another application. This can be achieved by manually adding the Chrome command line switch disable-pdf-extension to your SiteKiosk configuration file (assuming it is not possible to change the server behaviour for PDF delivery itself). 

Open your SiteKiosk configuration with an editor like Notepad and look for the lines:

"browserEngine": {
      "commandLineArguments": {
        "set": [],
        "remove": []
      }
}

Change it to this:

"browserEngine": {
      "commandLineArguments": {
        "set": [
          "disable-pdf-extension"
        ],
        "remove": []
      }
}

Save the file and open the SiteKiosk configuration editor to use the GUI to make additional changes. Go to Start Page & Browser -> Chrome Browser -> Customize -> Downloads. Enable the download option. Select the PDF file type and click on Edit. Choose Open the following application (or one of the other methods to handle the file) and select the application you want PDF files to be opened with. Finally you might also want to check the Autostart checkbox to automatically start the PDF with the selected application after the download.

Note that SiteKiosk Windows will still show the file in the browser and do the above as additional actions on top of the default behaviour.

Also note that there are additional command line arguments that can be used for other purposes. See https://devblog.provisio.com/post/2016/09/19/Starting-SiteKiosk-Windows-with-Chrome-Command-Line-Switches.aspx for further information.