Another thing that came up (and I forgot about previously) is that in order to print shipping labels, ILLiad requires MS Word be installed. That is a *terrible* design choice considering how many "Google-shops" there are and how expensive MS Office is for single purchases. Consider that LibreOffice is free and open source and also has mail merge capability. Heck, Atlas/OCLC could "steal" the code from LibreOffice to make their product stand-alone.
Anyway, I have not had a chance to test it, but this Group Policy setting looks promising:

    User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Miscellaneous
    Block signing into Office

Thought someone might find that intriguing too.

Erich


On Thursday, December 14, 2023 at 12:20, John Lolis eloquently inscribed:

> I find your report of Deep Freeze being "fiddly" surprising. We've been
> using it for years for our in-house public access computers, and it's been
> rare that we've come across an issue. That notwithstanding, there's also
> Reboot Restore Rx which only reverts to a saved configuration on demand,
> not automatically upon reboot. We use it for our circulating laptops which
> of course you don't want to restore with every reboot. There's also a free
> version for home use: https://horizondatasys.com/reboot-restore-rx/.
>
> Other than that, it's possible to script something that overwrites the
> browser profile with the original, first-use one so that things are back
> to square one as far as the browser is concerned. I did just that years
> ago with a home-grown Linux OPAC kiosk using Chromium that would check
> for the browser process and if it wasn't running, would kick off another
> script that overwrote the profile to clear the history and relaunch
> Chromium.
>
> As for dealing with authentication for MS365 and other cloud-based services
> on shared computers, I feel your pain, Erich. I've reached the conclusion
> that we as IT professionals spend far too much time working with or around
> authentication processes and procedures all because it's become an abysmal
> mess--and one that's continually foisted upon us whether we like it or not
> by one nanny or the other: Microsoft, Google, Apple, et al.
>
> John Lolis
> Coordinator of Computer Systems
>
> 100 Martine Avenue
> White Plains, NY 10601
>
> tel: 1.914.422.1497
> fax: 1.914.422.1452
>
> https://whiteplainslibrary.org/
>
> *“I would rather have questions that can’t be answered than answers that
> can’t be questioned.”* — Richard Feynman
> <https://click.fourhourmail.com/5qure95xkf7hvvo93wh2/7qh7h8h05vr4zrtz/aHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvUmljaGFyZF9GZXlubWFu>,
> theoretical physicist and recipient of the Nobel Prize in Physics in 1965
>
> On Thu, 14 Dec 2023 at 10:33, Hammer, Erich F <er...@albany.edu> wrote:
>
>> Ray,
>>
>> Because none of the users is an administrator on these workstations, I
>> have no concerns about resetting the machines back to a previous state. If
>> users log in as themselves, they can't affect other users. If they log in
>> with a generic account, they won't/don't log out (so no reboots until the
>> update system forces it). One of my questions about the circulation desks
>> is whether they are logging out of their cloud services (i.e. Alma) or
>> closing the browser any time they step away during "the swirl". If not,
>> then they are violating the University usage policy (using other people's
>> accounts). If they are, then how much different would it be to just log
>> out of Windows completely.
>>
>> In my previous job, we wrestled with DeepFreeze for years for our labs and
>> found it very "fiddly". It definitely was *not* trouble free, and we
>> ultimately dropped it as Windows (and apps) got much better about
>> restricting unprivileged users to their own profile.
>>
>> Appreciate the feedback anyway.
>>
>> Erich
>>
>>
>> On Thursday, December 14, 2023 at 10:01, Ray Voelker eloquently
>> inscribed:
>>
>>> This doesn't really solve your "shared login" problem, but I was always a
>>> big fan of using the DeepFreeze software on shared computers.
>>> It does a fantastic job of preventing those changes you were talking
>>> about from "sticking" -- especially if you force a reboot after logout,
>>> which isn't too hard to create a logout script to do that.
>>>
>>> https://www.faronics.com/deep-freeze-on-cloud
>>>
>>> --Ray
>>>
>>> On Thu, Dec 14, 2023 at 9:36 AM Hammer, Erich F <er...@albany.edu>
>>> wrote:
>>>
>>>> All,
>>>>
>>>> First, I apologize because this is much more of an IT question than a
>>>> coding question, but I come from an IT/desktop support background
>>>> with a particular interest in security.
>>>>
>>>> How are larger, academic libraries securing your employee-used,
>>>> shared workstations -- specifically, the circulation desk machines
>>>> and the back-end, ILL scanning stations? I have been trying mightily
>>>> for a few years to eliminate the shared-password generic accounts
>>>> because they present a real security/privacy concern. I am running
>>>> into some real road-blocks though, and I'm wondering if anyone here
>>>> has found solutions that work.
>>>>
>>>> Having viewed the chaotic state of the circulation desk with the
>>>> constant churn of employees using the stations, I have conceded that
>>>> it is better to use a generic login than to have folks log in/out
>>>> constantly.
>>>>
>>>> The ILL employees who do a lot of scanning don't have the rapid-fire
>>>> turnover at their workstations, but they (or their manager) is
>>>> insisting on a generic login because the scans need to be saved in a
>>>> specific, network location and Acrobat has no mechanism to set the
>>>> default save location for all users. (I hate Adobe!)
>>>> When we have tried using personal logins, folks forget, don't notice,
>>>> or don't know about watching that the PDFs are saved in the proper
>>>> location, and those scans have to be redone by someone else or are
>>>> inaccessible within the particular employee's private user profile
>>>> until they return to work (which could be days-weeks with student
>>>> employees).
>>>>
>>>> In both cases, users still need to sign into services as themselves
>>>> (the LSP -- Alma --, scheduling, wiki documentation, ILLiad, etc.),
>>>> so I'm not really sure what the security advantages are with the
>>>> generic account (especially for ILL scanning). I've had to push
>>>> settings to prevent the browsers (Edge, Chrome and Firefox) from
>>>> saving passwords. I also have automated scripts running to regularly
>>>> blow away the MS Teams configuration to prevent users from using it
>>>> as someone else. (Teams "helpfully" remembers credentials for
>>>> one-click login even after logging out of it and rebooting.) I have
>>>> not been able to find a way to do the same with MS Office, so I have
>>>> been forced to uninstall it completely. Otherwise, everyone who uses
>>>> it while logged onto the computer with the generic account is signed
>>>> into/owns all the M365 documents as the user who first used it (and
>>>> had to sign into M365).
>>>>
>>>> The lack of Microsoft Office is the particular issue that I'm being
>>>> pressed on to prompt me to post this. I should add that I can't use
>>>> device licenses for M365 (where login/registration isn't required)
>>>> because they only work with Azure Active Directory which we do not
>>>> have. What are you all doing? I've been considering trying to set
>>>> circ desk systems up as multi-app, auto-login kiosks so at least we
>>>> don't need to share the generic password, but the other problems
>>>> still remain.
>>>>
>>>> Any feedback is appreciated.
>>>>
>>>> Thanks,
>>>> Erich
>>>>
>>>> --
>>>> Erich Hammer Head of Library Systems
>>>> er...@albany.edu University Libraries
>>>> 518-442-3891 University @ Albany
>>>>
>>>> "Faith is the unflagging determination to remain ignorant
>>>> in the face of any and all evidence that you're ignorant."
>>>> -- Shaun Mason
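
The browser-profile reset that John Lolis describes in his reply (check for the browser process, and if it is gone, overwrite the profile with the first-use copy and relaunch) could look like the following. This is an added sketch, not his script and not part of the original thread; the paths, function names and the `KIOSK_WATCHDOG` switch are assumptions.

```shell
#!/bin/sh
# Kiosk watchdog sketch: when the browser is not running, replace the live
# profile with a pristine first-use copy, then relaunch the browser.
# All paths and names below are assumptions for illustration.
PRISTINE="${PRISTINE:-/opt/kiosk/profile.pristine}"
LIVE="${LIVE:-/home/kiosk/.config/chromium}"
BROWSER="${BROWSER:-chromium}"

# Succeeds when a process with exactly this name exists.
browser_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# Rebuild the live profile from the pristine copy. The copy is staged
# beside the target and swapped in, so a failed copy never leaves a
# half-written profile behind.
reset_profile() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "pristine profile missing: $src" >&2; return 1; }
    case "$dst" in ""|/) echo "refusing to reset '$dst'" >&2; return 1;; esac
    tmp="${dst}.new.$$"
    rm -rf "$tmp"
    cp -a "$src" "$tmp" || { rm -rf "$tmp"; return 1; }
    rm -rf "$dst"
    mv "$tmp" "$dst"
    chmod 700 "$dst"   # saved sessions and history stay private to the kiosk user
}

# One watchdog pass: 0 = profile was reset, 1 = browser still running,
# 2 = reset failed (live profile left as it was).
watchdog_pass() {
    if browser_running "$BROWSER"; then return 1; fi
    reset_profile "$PRISTINE" "$LIVE" || return 2
    return 0
}

# Loop only when explicitly enabled, so the functions can be sourced alone.
if [ "${KIOSK_WATCHDOG:-0}" = 1 ]; then
    while :; do
        if watchdog_pass; then
            "$BROWSER" --user-data-dir="$LIVE" --kiosk &
        fi
        sleep 5
    done
fi
```

The pristine copy should be owned by an account other than the kiosk user and be read-only to it, so a session cannot alter what the next reset restores.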