Access Connections Deployment Guide Updated: March, 2014
Note: Before using this information and the product it supports, read the general information in Appendix B “Notices” on page 35. Fifth Edition (March 2014) © Copyright Lenovo 2008, 2014. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant to a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925.
Contents
Preface
Chapter 1. Overview
• Features
• Considerations for deploying Access Connections
• Requirements and specifications for deployment
• Access Connections deployment features
Chapter 2. Installing Access Connections
• Installing Access Connections without user interaction
Preface
This guide is intended for IT administrators, or those who are responsible for deploying the Access Connections™ program on computers in their organizations. The purpose of this guide is to provide the information required for installing Access Connections on one or many computers, provided that licenses for the software are available for each target computer.
Chapter 1. Overview
Access Connections is a connectivity assistant program that helps to configure various network connections, including wireless LANs. Users can create and manage location profiles that store the network and Internet configuration settings needed to connect a client computer to a network from a specific location, such as home or at work.
• Create location profiles for remote deployment (administrator only) An Access Connections administrator can define location profiles for deployment to the client computers.
Considerations for deploying Access Connections
Collecting information about the various places where users might attempt to connect and the kinds of connections available in those locations will help you develop pre-configured profiles that users can import and use right away.
Chapter 2. Installing Access Connections
The following instructions provide installation procedures for Access Connections.
Installing Access Connections without user interaction
To install Access Connections without user interaction, complete the following steps:
1. Start Microsoft® Windows® XP, Windows Vista®, or Windows 7 and then log on with administrative privileges.
2. Extract the Access Connections software package to the hard disk drive.
3.
Chapter 3. Working with the Administrator Feature
This chapter provides you with the information you need to enable and use the administrator features of Access Connections.
Enabling the Administrator feature
Access Connections must be installed on your system prior to enabling the Administrator feature. To enable the Administrator feature, complete the following steps:
1.
1. Using Access Connections, create location profiles. Consider the following scenarios as you create the location profiles:
• Office and building connections
• Home connections
• Branch-office connections
• Connections while traveling and hot-spot connections
For instructions on how to create location profiles, or how to use Access Connections, see the Access Connections Help located in the application itself.
2. Create or edit a distribution package with the Administrator Profile Deployment feature.
3.
Figure 3. Creating Distribution Package for Windows XP
Figure 4. Creating Distribution Package for Windows Vista and Windows 7
3. Select the User Access Policy from the drop-down menu. The user access policy defines the restrictions that are in place for a particular profile. User access policies can be defined per profile and can have the following values:
• Deny all changes / Deny Deletion: Users cannot perform operations such as modify, copy, or delete on the profile.
4. Click Add/Delete under Associated MAC / IP Address for selected profile. This allows the MAC or IP addresses of the network router(s) to be associated with an Ethernet-enabled profile for location switching. This prevents the pop-up message when connecting to an unknown Ethernet connection with location switching enabled.
Figure 5. Adding or Deleting MAC or IP Addresses
Figure 6. Entering MAC or IP Address
5.
8. On the Export Location Profiles dialog box, navigate to your applicable directory path and type the name for your .loa file. By default, the .loa and .sig files, which are required for deployment, are saved in the C:\Program Files\Thinkpad\ConnectionUtilities\Loa (Windows XP) or C:\Program Files\lenovo\Access Connections (Windows Vista or 7) directory.
Attention: For image deployment, the *.loa and *.sig files must reside in the Access Connections install directory.
Creating Groups: When creating groups of serial numbers, flat text files can be imported which contain the group of serial numbers. The file must be formatted such that each line contains a single serial number. These text files can be created by exporting a list that has been created with the Administrator Feature or by an asset management system if it has such capabilities.
Figure 8. Creating Group
The following screen capture displays the settings you can configure for the Client tab of the Client Configuration Policy:
Figure 9. Client Configuration Policy
Marking the box beside Do not allow clients to become an administrator: will prevent users from enabling the Administrator Feature on their installation of Access Connections. This setting is useful in large enterprise environments when you want to prevent others from creating and distributing network access profiles.
• Create and apply WLAN location profiles using the Find Wireless Network function for Windows users without administrator privileges. • Automatic location profile switching. • Control roaming for Mobile Broadband devices.
The following screen captures provide examples for the Global Settings tab for Access Connections when installed on the Windows Vista and Windows 7 operating systems: Figure 11.
Figure 12. Notification Global Settings for Windows XP
Figure 13.
Figure 14. Defining Location Profiles
Additional Settings: You can set the following policies on the Additional Settings tab for Access Connections to apply during new profile creation:
General Options
• Do not show warning message when connecting to an unencrypted network
• Disable Ethernet adapter when Ethernet cable is unplugged
• Disconnect / Power off wireless radio when switching profiles
• Automatically create location profiles using Active Directory deployed wireless settings.
Note: If this option is selected, all the new Wired/Wireless profiles will not be added to automatic location switching.
• Do not allow clients to change automatic location switching settings
Note: If this option is selected, the automatic location switching settings for the end users are grayed out.
Figure 15. Additional Settings for Windows XP
Figure 16. Additional Settings for Windows Vista and Windows 7
PAC AID Groups (Windows XP only)
Protected Access Credentials (PAC) protects user credentials that are exchanged with the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) and a PAC key. All EAP-FAST authenticators are identified by an authority identity (AID).
The local authenticator sends its AID to an authenticating client, and the client checks the PAC AID group referenced in the location profile being applied, to see if the authenticating AID belongs to the group. If yes, then the client tries to use an existing PAC if available without any confirmatory message. If not, then a confirmatory message is shown to the user to use the existing PAC. If a matching PAC does not exist for the user, then the client system requests a new PAC. The .
1. On the Define PAC AID Groups window, click Groups.
Figure 18. Defining PAC AID Groups
2. Right-click on Available Pacs.
Note: The PAC with the AID which is intended to be included in the Group must be present on the machine where the AID group is being created.
3. From the drop-down menu, click Create Group. You can add or remove PAC AID Groups to a distribution package. To add a group, select it from the drop-down menu and click Add. To remove a group, select the group from the available PAC AIDS list and then click Remove.
Figure 19. Creating PAC AID Groups
Allow silent import of this package after client installation
By default, profiles in a *.loa file cannot be imported silently by Access Connections once it has been installed.
Chapter 4. Deploying Access Connections
After creating the location profiles required for client users, you can also manage and deploy new, updated, or revised location profiles to client computers. The following examples describe deployment scenarios used in deploying Access Connections:
• Deploy Access Connections and Location Profiles on new client computers.
• Deploy Location Profiles and Client Policy on existing client computers running Access Connections.
Deleting locked profiles
There are two ways to delete a locked Access Connections profile.
1. Uninstall Access Connections and choose No when asked to save existing profiles.
2. To delete locked profiles remotely, complete the following steps:
• Create another deployment package with the same profile(s), name and passphrase as the original deployment package, but with the profile to be unlocked set to Allow all changes/Allow deletion.
• Deploy the .loa file that you created to client systems.
Chapter 5. Working with Active Directory and ADM files
Active Directory provides a mechanism that gives administrators the ability to manage computers, groups, end users, domains, security policies, and any type of user-defined objects. The mechanisms used by Active Directory to accomplish this are known as Group Policy and Administrative Template files (ADM). With Group Policy and ADM files, administrators define settings that can be applied to computers or users in the domain.
4. The Access Connections installation on the client machine should not show the Peer-to-Peer tab on the main interface.
Note: In a real time scenario, the client system automatically refreshes the Group Policy at certain time intervals. By default, this time interval is 90 minutes, with a random offset of 0 to 30 minutes. Whenever the client machine is refreshed with a policy, Access Connections should also be updated with the latest changes made in the Group Policy (if there were any changes).
Policy Setting | Description
Do not allow clients to view or edit browser proxy setting in location profile. | If enabled, users cannot view or edit browser proxy setting in location profile.
Do not allow clients to view or edit security setting in location profile. | If enabled, users cannot view or edit security setting in location profile.
Do not allow clients to view or edit start applications automatically setting in location profile. |
Policy Setting | Description
Override proxy configuration during new profile creation | If enabled, during new profile creation Override proxy configuration button is enabled by default in the Additional settings property page
Disable mobile hotspot function | If this policy setting and the Disable internet connection sharing during new profile creation policy setting are both enabled, the mobile hotspot function will be disabled.
Deploying .LOA and .SIG files through Active Directory with logon scripts
The .loa file and .sig file will be stored in C:\Program Files\ThinkPad\ConnectUtilities [Windows XP] or C:\Program Files\lenovo\Access Connections [Windows Vista or 7]. When deploying the .loa and .sig files through Active Directory with logon scripts, mark the check box Allow silent import of this package even after installation of client on the Create Distribution Package window of Access Connections.
• If the silent.txt file does not exist, it copies the .loa and .sig files from the server to client: c:\program files\thinkpad\connectutilities
• To import the profile into Access Connections silently, execute the following command: qctray /silentimport
• This creates a file called silent.txt at c:\program files\thinkpad\connectutilities and ends the operation.
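One way to write the logon script these steps describe, as an added PowerShell example rather than Lenovo's own script. The share name and package base name are placeholders; that qctray.exe sits in the install directory, that the command returns when the import is done, and that the script writes silent.txt itself are assumptions.

```powershell
# Added example, not Lenovo's script. Share and package names are placeholders.
$ErrorActionPreference = 'Stop'
$Share   = '\\fileserver.example\acprofiles$'   # hypothetical share, read-only for users
$Package = 'corp-profiles'                      # hypothetical .loa/.sig base name

# Install directories as given in the guide; use whichever exists on this client.
$InstallDir = @(
    'C:\Program Files\ThinkPad\ConnectUtilities',   # Windows XP
    'C:\Program Files\lenovo\Access Connections'    # Windows Vista or 7
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $InstallDir) {
    Write-Warning 'Access Connections install directory not found'
    exit 1
}

# silent.txt marks a client that has already imported the package.
$Marker = Join-Path $InstallDir 'silent.txt'
if (Test-Path $Marker) { exit 0 }

# Both files are required for deployment, so copy nothing unless both are present.
$Files = @("$Package.loa", "$Package.sig")
foreach ($f in $Files) {
    if (-not (Test-Path (Join-Path $Share $f))) {
        Write-Warning "$f is missing on $Share; nothing copied"
        exit 1
    }
}
foreach ($f in $Files) {
    Copy-Item -Path (Join-Path $Share $f) -Destination $InstallDir -Force
}

# Assumption: qctray.exe is in the install directory and returns after the import.
$Qctray = Join-Path $InstallDir 'qctray.exe'
Start-Process -FilePath $Qctray -ArgumentList '/silentimport' -Wait

# Assumption: the script writes the marker itself if the import left none,
# so later logons skip the copy and import.
if (-not (Test-Path $Marker)) {
    Set-Content -Path $Marker -Value (Get-Date -Format s)
}
```

Keep the share read-only for ordinary users, since whoever can write to it decides which package every client copies and imports.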
Appendix A. Command line interface
Access Connections can accept command line input to switch between location profiles and to import or export location profiles. You can input these commands interactively within a command prompt window, or you can create batch files for use by other users. Access Connections does not need to be running before these commands are executed.
• Apply Location Profile. \qctray.exe/set
• Disconnect Location Profile. \qctray.
Appendix B. Notices Lenovo may not offer the products, services, or features discussed in this document in all countries. Consult your local Lenovo representative for information on the products and services currently available in your area. Any reference to a Lenovo product, program, or service is not intended to state or imply that only that Lenovo product, program, or service may be used.
Trademarks
The following terms are trademarks of Lenovo in the United States, other countries, or both: Access Connections, Lenovo, ThinkVantage, ThinkPad.
Microsoft, Windows, and Windows Vista are trademarks of the Microsoft group of companies. Intel is a trademark of Intel Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.