Simplify Suite v6
Simplify Suite v6 – Administrator Guide
Table of Contents
1 The Simplify Suite
1.1 Simplify Suite Installation Overview
1.2 Infrastructure Components
1.3 System Requirements
1.4 Localized Language Support
1.5 Modifications Made to the System
1.6 Installing and Upgrading Direction and Precautions
1.7 What to do After Installing
1.8 Frequently Asked Questions
1.9 Walkthroughs
2 Simplify Console
2.1 Overview
2.2 Configuration
2.3 Walkthroughs
2.4 Frequently Asked Questions
3 Simplify Profiles
3.1 Overview
3.2 Windows Profiles and Simplify Profiles
3.3 Windows Policy Objects
3.4 Profile and Registry Objects
3.5 Administrative Templates
3.6 Simplify Profiles Offline Mode
3.7 Walkthroughs
3.8 Frequently Asked Questions
3.9 Simplify Profiles Tools
4 Simplify Printing
4.1 Overview
4.2 ScrewDrivers
4.3 The v6 Print Server
4.4 Native Drivers
4.5 v4 PDF-Only Settings
5 Simplify Desktop
5.1 Overview
5.2 Simplify Applications – Basic Operation
5.3 Simplify Applications – Features
5.4 Shell Configuration
5.5 Simplify Desktop Offline Mode
5.6 Using triShell
5.7 Frequently Asked Questions
5.8 Troubleshooting
6 Simplify Lockdown
6.1 Overview
6.2 Simplify Applications - Creating an Application Object
6.3 Simplify Applications – Features
6.4 Walkthrough
6.5 Frequently Asked Questions
6.6 Troubleshooting
7 The Simplify Database
7.1 Overview
7.2 Walkthrough
7.3 Frequently Asked Questions
8 Licensing
8.1 License Keys
8.2 Installing the Simplify License Server
8.3 Frequently Asked Questions
8.4 END USER LICENSE AGREEMENT
9 Appendix A: Reference Architecture
9.1 Executive Summary
9.2 Architecture
9.3 Scalability
9.4 Security and Access Control
1 The Simplify Suite
The Simplify Suite provides the ability to reliably deploy desktops, control application access, help enforce
company policies, reduce logon times, manage personalization for large numbers of virtual desktops, and deliver
the correct profile information to the right user at every logon session from any location.
This is all done through the Simplify Console, which offers an all-in-one interface that allows you to streamline,
automate, and optimize the more challenging aspects of Terminal Services, virtual desktop, and workstation
configuration.
Simplify Suite™ v6 core components:
Simplify Management Console is a centralized interface for configuring, managing, and monitoring of all Simplify
Suite functions. It integrates with Active Directory and LDAP and lets you configure operations at any level of the
directory structure, including objects such as specific IP addresses and individual terminals.
ScrewDrivers™ eliminates the need for installing, managing, and updating print drivers on servers and
workstations. It requires no configuration and speeds print jobs by compressing print files.
Simplify Printing™ Bundle is the ultimate solution for business environments with support for Windows print
servers and workstations. It also includes Tricerat’s flagship solution, ScrewDrivers™.
Simplify Profiles™ provides users with the personalization they need without implementing roaming profiles.
Ensure quicker user logon times while retaining user preferences and settings.
Simplify Lockdown™ enhances application security by making it impossible for users to launch unauthorized
applications or malicious code on their Windows system.
Simplify Desktop™ rapidly deploys thousands of customized desktops from one easy-to-use console.
The Simplify Suite enables the administrator to deliver desktop, lockdown, printing, profile and stability solutions
to users from a centralized management console known as the Simplify Console. Every Windows machine with
Simplify Suite that points to the SQL database that hosts the configurations will pick up the Simplify settings. The
settings are synced to the user’s session at Logon using a SQL DSN ODBC entry.
This solution does not degrade the performance of the Windows environment; rather the Simplify Suite ensures
that settings are delivered from a centralized location using efficient assignment processes. Assignments made
with Simplify Suite are performed at machine level, rather than relying on Windows commands, scripts, and Group
Policies. Many components in the Suite are multithreaded, thus optimizing performance for multi-core processors.
If you would like to schedule a demo or install for a Simplify Suite product then please complete and submit this
form: http://www.tricerat.com/schedule
1.1 Simplify Suite Installation Overview
The Simplify Suite components, along with the management console, are installed on each Terminal or Citrix server
in your environment. Each installation of the Suite uses a shared SQL database to store all of the settings
configured for the Simplify Suite as well as profile information for users.
Because Simplify Suite computers are communicating with a SQL database, it is recommended to have a SQL server
on the same LAN as the clients. For multi-site environments it is recommended to use SQL Clustering to optimize
performance, stability, reliability and management.
The only software that needs to be installed on the client workstations is the ScrewDrivers client, if you wish to
allow your users to print to printers locally attached to their workstation.
1.2 Infrastructure Components
Required Components
• Simplify Suite - the core installation of the Simplify Suite must be installed to Windows workstations or
servers. The core features include Simplify Desktop, Lockdown, Printing, Profiles and Stability.
• SQL Server - the Simplify Suite configurations are stored in a Microsoft SQL database.
• Simplify Console - the entire Simplify Suite is managed through a single application known as the Simplify
Console. All changes applied in the Simplify Console are immediately saved to the Simplify database.
• Network - the Simplify Suite requires a network for the clients to communicate with the Simplify
database.
Optional Components
• Print Server - Windows print servers can be installed with the ScrewDrivers Print Server Agent. This
enables the printers to be managed from any computer installed with Simplify Printing.
• File Server - Simplify Profiles generally requires a file server to store user profile data.
• Tricerat License Server – Supports Concurrent Server, Concurrent User or Named User licenses.
• Management Server - The Simplify Console can be installed without other components, functioning as a
Simplify Suite management server.
1.3 System Requirements
There are no dedicated servers required for the Simplify Suite. The only requirements are a Windows OS and a
Microsoft SQL instance to host the Simplify database. Please consider the following:
Operating Systems
The only requirement for the Simplify Suite is Windows. The following Windows operating systems are supported:
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
Common Technologies
The Simplify Suite is commonly used in conjunction with these technologies:
• Physical and virtual servers
• Terminal Services
• Virtual Desktops
• Provisioned servers
• Physical workstations
• Thin clients
Connection Protocols
The supported connection mechanisms include, but are not limited to, the following:
• Console session (Windows 7, 8, 8.1, 10)
• Terminal Services (RDP and ICA)
• PCoIP
• Active X and Java for Terminal Services (RDP and ICA)
• SSL VPN devices
• Ericom
• 2x
In addition to the Windows machine, the following two components of the Suite may be installed on different
computers:
Simplify Database
The Simplify database is a feature of the Simplify Suite installer. Specifying the SQL Server, database name, and
authentication is a required step of the installation. If the database does not exist, the installer will create it. If
the database already exists, the installer will attempt to upgrade the existing database to match the installer
version. If the existing database is the same version, the installer will not modify the database.
For small-scale evaluation purposes, a local or remote SQL Express database can be used. SQL Express is fully
functional, but performance degradation can occur as the load scales to support more users. The performance of
SQL Express is limited to the maximum CPU and memory that can be allocated for that release of SQL Server. The
following SQL Server releases are supported:
• SQL 2005
• SQL 2005 Express
• SQL 2008
• SQL 2008 Express
• SQL 2008 R2
• SQL 2008 Express R2
• SQL 2012
• SQL 2012 Express
• SQL 2014
• SQL 2014 Express
Simplify Console
The Simplify Console is the management feature of the Simplify Suite and will be installed by default to the designated
Windows machine(s). If you choose not to install the Simplify Console during the first installation, you will not
be able to configure or manage assignments until it is installed. It is recommended to include the Simplify Console
during the initial install. The installation can always be modified at a later time to add or remove the Simplify
Console if desired.
Like the Simplify Suite, the Simplify Console can be installed on any of the aforementioned operating systems.
The Simplify Suite must be installed at the console of the terminal server (i.e. session 0), not through a remote
session. There are a number of ways to access the console.
1.4 Localized Language Support
The Simplify Suite defaults to English regardless of the Multilingual User Interface (MUI) configuration defined in
the Regional and Language options. The Simplify Suite has a separate MUI configuration that supports the
following languages:
• English
• German
• Japanese
• French
• Spanish
1.5 Modifications Made to the System
The primary location for files is Program Files\Tricerat (unless modified during install) and the primary location for
registry settings is HKEY_LOCAL_MACHINE\Software\Tricerat. Some user-specific registry settings are also saved to
HKEY_CURRENT_USER\Software\Tricerat. Besides these locations, the Simplify Suite install also modifies:
• Windows\System32 – DLLs for notifications and event messages
• Windows\System32\spool\drivers\w32x86 or ...\x64 (depending on the OS) – ScrewDrivers print driver
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\System.ini\boot – Modifies the shell value to refer to user’s shell value
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify – Adds the sub key SimplifyNotify
• HKLM\System\CurrentControlSet\Control\Terminal Server\AddIns – Adds the sub key snmonitor
• HKLM\System\Services\Eventlog\Application – Adds the subkey Simplify Resources
• HKLM\System\Services\Eventlog\System – Adds the subkey Simplify Resources
• HKLM\System\Services – Adds the subkey SimpRescSvc
As of Simplify Suite 5.6, on computers running NT6 (Windows Server 2008, Server 2012, Vista, 7, or 8) Simplify
Profiles modifies:
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon – Value name: Userinit, set to the value
“C:\Windows\System32\triCeratUserinit.exe”
Simplify Suite stores the original value in:
Key: HKLM\Software\Tricerat\Simplify Profiles – Value name: Userinit.
The default original value is “C:\Windows\system32\userinit.exe,” including the comma.
If you need to modify the registry value while Simplify Suite version 5.6 or greater is installed on NT6, modify the
Userinit value in HKLM\Software\Tricerat\Simplify Profiles instead of the one in Winlogon.
This process is described in the Microsoft article at http://technet.microsoft.com/en-us/library/cc939862.aspx.
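An added example (not part of the Tricerat guide or product): Userinit is a logon-time autostart value, so the documented hook is worth baselining. This Python script classifies the Winlogon and saved Userinit values described above; the severity labels, the sample hosts and the C:\Tools\extra.exe and C:\Scripts\logon.exe paths are constructed assumptions.

```python
import sys

# Registry locations and values as given in section 1.5 of the guide.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SIMPLIFY_KEY = r"Software\Tricerat\Simplify Profiles"
SIMPLIFY_USERINIT = r"C:\Windows\System32\triCeratUserinit.exe"
STOCK_USERINIT = r"C:\Windows\system32\userinit.exe"

# Constructed sample data: host -> (Winlogon Userinit, saved Userinit).
CONSTRUCTED_SAMPLES = {
    "ts01": (SIMPLIFY_USERINIT, STOCK_USERINIT + ","),
    "ws07": (STOCK_USERINIT + ",", None),
    "ts02": (SIMPLIFY_USERINIT + r",C:\Tools\extra.exe", STOCK_USERINIT + ","),
    "ts03": (SIMPLIFY_USERINIT, r"C:\Scripts\logon.exe,"),
}


def split_userinit(value):
    """Userinit is a comma-separated program list; return normalized entries."""
    if not value:
        return []
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"').lower()
        if part:
            entries.append(part)
    return entries


def audit_userinit(winlogon_value, saved_value):
    """Return (severity, message) findings for one host's pair of values."""
    live = split_userinit(winlogon_value)
    saved = split_userinit(saved_value)
    hook = SIMPLIFY_USERINIT.lower()
    stock = STOCK_USERINIT.lower()

    if not live:
        return [("high", "Winlogon Userinit is empty or missing")]

    findings = []
    # Anything besides the stock binary and the documented hook needs an owner.
    for entry in live:
        if entry not in (hook, stock):
            findings.append(("high", "unexpected program in Winlogon Userinit: " + entry))

    hooked = hook in live
    if hooked:
        if not saved:
            findings.append(("medium", "hook present but no saved original value"))
        # The guide says admins customize the saved value, so review what it chains to.
        for entry in saved:
            if entry != stock:
                findings.append(("review", "saved original chains to non-default program: " + entry))
    elif saved:
        findings.append(("medium", "saved original exists but Winlogon Userinit is not hooked"))

    if not findings:
        findings.append(("ok", "hooked as documented" if hooked else "stock Windows value"))
    return findings


def read_live():
    """Read both values from the local registry (Windows only, native view)."""
    import winreg

    def query(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None

    return query(WINLOGON_KEY, "Userinit"), query(SIMPLIFY_KEY, "Userinit")


if __name__ == "__main__":
    # On Windows audit this machine; elsewhere walk the constructed samples.
    if sys.platform == "win32":
        samples = {"localhost": read_live()}
    else:
        samples = CONSTRUCTED_SAMPLES
    for host, (live_value, saved_value) in samples.items():
        for severity, message in audit_userinit(live_value, saved_value):
            print(f"{host}: [{severity}] {message}")
```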
1.6 Installing and Upgrading Direction and Precautions
Please read these directions and precautions before installing Simplify Suite v5 into a production environment:
• Some older versions of Simplify Suite do not cleanly handle an upgrade installed over the top of the existing
version. To avoid these issues, uninstall your current version of Simplify Suite before installing the new
version.
• Back up the Simplify database before running the Simplify Suite v5 installer. Tricerat ALWAYS
recommends that a database backup be taken before ANY Simplify Suite upgrade. Use these
directions to back up the Simplify database (Section 7.2.3: Migrating and backing up the Simplify
Suite database).
• For customers about to perform a major upgrade, it is recommended to back up the Simplify
database and restore it to a non-production environment. Then perform the database upgrade
in the non-production environment in case of problems. The newly upgraded database can then
be restored into production before migrating the rest of the farm to the new release. Use
these directions to migrate the Simplify database (Section 7.2.3: Migrating and backing up the
Simplify Suite database).
• If you encounter a database upgrade problem (database version messages), please contact
Tricerat Support.
• Simplify Suite v6 uses a different licensing technology than Simplify Suite v5! Contact Tricerat
Support or Sales to discuss your licensing options.

Tricerat provides full technical support during the 30-day trial.
1.7 What to do After Installing
After the Simplify Suite is installed, the components of the Suite (Lockdown, Printing, Profiles, etc.) will need to be
configured and assigned to users in the environment.
To accomplish this, use this guide to help familiarize yourself with the Simplify Console (Section 2) or schedule time
with a member of our support team to help you with configuring the Suite by submitting the following form:
http://www.tricerat.com/schedule-demo
1.8 Frequently Asked Questions
This section details some Frequently Asked Questions related to Getting Started. If you have a question related to
Getting Started that is not answered in the FAQ, then please contact Tricerat.
1.8.1 Can I install the management tools (Simplify Console) on a workstation?
Yes, the Simplify Console is unlicensed and can be deployed as needed. To install the Simplify Console, remove the
Simplify Suite products from the Product Features list during installation. The Simplify Console and Database are
required. Many administrators install the Simplify Console on their workstation, which gives them a way to assign
objects and change settings remotely.
1.8.2 How do I deploy the Simplify Suite through Group Policy?
The Simplify Suite install is available in MSI format, allowing for silent installations and deployment through Active
Directory. To download the MSI version of the Suite installer, please contact Tricerat support. Silent install is
initiated using the /q switch with msiexec.exe, and then passing in values for properties. The command line
syntax to set a property is PROPERTY=VALUE. Valid properties include:
• INSTALLDIR
• SQLSERVERNAME
• SQLTRUSTED
• SQLUSERNAME
• SQLPASSWORD
Below is an example of correct syntax to begin a silent installation of Simplify Suite.
msiexec /i simplify.msi /q SQLSERVERNAME=SQLSVR SQLTRUSTED=no SQLUSERNAME=sa SQLPASSWORD=sapwd
SQLUSERNAME and SQLPASSWORD are only necessary when SQLTRUSTED=no. If SQLTRUSTED=yes, then the install
ignores the SQL username and password.
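An added example, not from the Tricerat guide: a Python lint for deployment scripts that use the silent-install syntax above. It flags a SQL password left in clear text on the msiexec command line (as in the guide's sample) and credentials that are supplied but ignored under SQLTRUSTED=yes; the finding names, the sample script and the `svc` login are constructed.

```python
import re

# PROPERTY=VALUE tokens; a value may be double-quoted so it can carry spaces.
PROPERTY_RE = re.compile(r'(?<!\S)([A-Za-z_][A-Za-z0-9_.]*)=("[^"]*"|\S*)')

# Constructed deployment script; line 3 is the command line shown in the guide.
SAMPLE_SCRIPT = r"""@echo off
rem constructed deployment script for this example
msiexec /i simplify.msi /q SQLSERVERNAME=SQLSVR SQLTRUSTED=no SQLUSERNAME=sa SQLPASSWORD=sapwd
msiexec /i simplify.msi /q SQLSERVERNAME=SQLSVR SQLTRUSTED=yes
msiexec /i simplify.msi /q INSTALLDIR="D:\Apps\Tricerat" SQLTRUSTED=yes SQLUSERNAME=svc SQLPASSWORD=unused
"""


def parse_properties(command_line):
    """Return {PROPERTY: value} for every PROPERTY=VALUE token on the line.

    Names are upper-cased so the lint compares them case-insensitively.
    """
    props = {}
    for name, value in PROPERTY_RE.findall(command_line):
        props[name.upper()] = value.strip('"')
    return props


def lint_install_command(command_line):
    """Return finding codes for one msiexec command line."""
    props = parse_properties(command_line)
    trusted = props.get("SQLTRUSTED", "").lower() == "yes"
    findings = []
    if trusted:
        # Per the guide the installer ignores these when SQLTRUSTED=yes,
        # so they only expose a credential to anyone who can read the script.
        if "SQLUSERNAME" in props or "SQLPASSWORD" in props:
            findings.append("unused-credentials")
    else:
        if "SQLPASSWORD" in props:
            findings.append("cleartext-password")
        # sa is SQL Server's built-in sysadmin login.
        if props.get("SQLUSERNAME", "").lower() == "sa":
            findings.append("sa-login")
    return findings


def redact(command_line):
    """Mask the SQLPASSWORD value so the line can be logged or reported."""
    def mask(match):
        if match.group(1).upper() == "SQLPASSWORD":
            return match.group(1) + "=***"
        return match.group(0)
    return PROPERTY_RE.sub(mask, command_line)


def scan_script(text):
    """Return (line_number, finding) pairs for every msiexec line in a script."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        if "msiexec" not in line.lower():
            continue
        for finding in lint_install_command(line):
            results.append((number, finding))
    return results


if __name__ == "__main__":
    lines = SAMPLE_SCRIPT.splitlines()
    for number, finding in scan_script(SAMPLE_SCRIPT):
        print(f"line {number}: {finding}: {redact(lines[number - 1])}")
```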
1.8.3 Do I need to reboot after installing Simplify Suite?
Servers
A reboot is not required after the initial install of the Simplify Suite on a Terminal or Citrix server.
A reboot is required, however, after a Suite upgrade or reinstall.
Note: The server does need to be rebooted after uninstalling the product.
Workstations
Installing Simplify Suite on a workstation such as Windows 2000, XP, Vista or Win7 requires a reboot.
Assignments are called through winlogon.exe, but until a reboot is performed, winlogon.exe does not have
handling for Simplify Suite.
1.8.4 When I uninstall or upgrade, what happens to the database?
The database is not affected by uninstalling the Simplify Suite. Whether SQL Express or SQL Server is used,
uninstalling the Suite will leave the database intact. Reinstalling the Simplify Suite will show the same objects,
assignments and profile information that existed before the uninstall.
Simplify Suite upgrades are designed to automatically execute SQL scripts to upgrade the Simplify database. These
database upgrades are required to implement new features and add support for existing features. For this reason,
it is recommended to upgrade the entire server farm if a single Suite server is upgraded. This ensures that every
Suite server contains the required components to utilize all aspects of the Simplify database.
1.8.5 Can I keep my settings from Desktop 2001, PMP, or Regset?
Unfortunately, the settings are not transferable to the Simplify Suite. You must recreate the
application objects and assignments using the new tools available.
1.8.6 When I upgrade the Simplify Suite, do I need to uninstall the old software first?
It is not required to uninstall Simplify Suite as the upgrade procedure will automatically remove old versions of the
software. However, it is generally recommended to back up the database and uninstall the software before
upgrading because some files may be in use.
Upgrades should follow these steps:
1. Back up the Simplify database. The Simplify Suite installer does execute a database upgrade script to add in
support for new features, thus it is recommended to back up the database before the upgrade for disaster
recovery purposes.
2. Connect to server at console. If remotely connecting, use mstsc.exe /console.
3. Change to install mode. Open cmd.exe and type change user /install
4. Verify no users are remotely connected. Open Terminal Services Manager and Log Off all remote connections.
5. Verify no ScrewDrivers driver is in use. Open Printers and Faxes and delete all ScrewDrivers printers. If
there are print jobs hung in the spooler, then stop the Print Spool service, delete spools from
Windows\System32\Spool\Printers, and start the Print Spool service.
6. Use Add or Remove Programs to remove Simplify Suite and reboot. It is not required, but this guarantees
that all services, DLLs, and EXEs are removed properly.
7. Connect to server at console.
8. Change to install mode. Open cmd.exe and type change user /install
9. Install Simplify Suite. No reboot is required for servers.
10. Change to execute mode. Open cmd.exe and type change user /execute
1.9 Walkthroughs
1.9.1 Installation Walk-through
For an installation walk-through, please refer to the quick start installation guide for Simplify Suite.
1.9.2 Uninstallation Walk-through
Simplify Suite follows the Microsoft Windows Installer standards.
1. Connect to the server console. In Terminal Services environments, use mstsc.exe /console if you are
connecting from a remote location.
2. Open Terminal Services Manager and verify no users are remotely Connected or Disconnected. In this
example, user m1 has a Disconnected session.
3. Log Off all users. Right-click on the specified users and select Log Off.
4. Delete all ScrewDrivers printers, as you do not want ScrewDrivers in use during the Simplify Suite
uninstall. In this example, the Mac PDF Saver had a document locked in the Spooler. In situations
like this, you must stop the Windows Print Spooler service, delete all SPL files from
Windows\System32\Spool\Printers\, start the Windows Print Spooler service, and delete the
printers.
5. Open Add or Remove Programs, select Simplify Suite, and select Remove.
6. If prompted during the uninstall with this message, then select Yes.
7. Simplify Suite is now removed. It is recommended to restart the computer after removing Simplify
Suite, even before upgrades, to ensure that no files are locked.
1.9.3 Setting up a Proof of Concept
Because the Simplify Suite modifies user environments, it is important to understand how it works and observe the
effect on your environment before rolling it out to your production environment. Our recommendation is to first
set up a proof of concept (POC) in a non-production environment.
The best scenario for a POC environment is a terminal server configured to match the production servers as closely
as possible. This server might be in a different domain than the production server, but it can safely remain in the
same domain without affecting other servers. Only servers that run the Simplify Suite will be affected by
configurations made in the Suite, even if assignments are made to the entire domain.
If a non-production server cannot be used, it is recommended to remove a server from the production
environment by disabling logins to the server temporarily. You can then perform the installation of the Simplify
Suite and initial configuration without interfering with users who are trying to access the server.
Finally, if the terminal server must remain in service, the installation should be performed at a time when as
few users as possible will be trying to access the server.
During the install of the Simplify Suite, the administrator will need to configure a database to use for the
configuration of Simplify Suite. This database should be in the same domain as the POC terminal server. If a
different database is used for evaluation and production, refer to Section 7.2.3: Migrating and backing up the
Simplify Suite database.
1.9.4 Migration from a Proof of Concept to a production environment
Moving a POC setup to production depends on the configuration of the POC environment. The primary
consideration in moving from test to production is the behavior of the configuration database. A decision must be
made to start with a blank database for production and rebuild objects and assignments made in the test
environment or to move the POC database into the production environment.
The best case for maintaining the database is a database set up on a production server that is also in the same
domain as the POC server. In this case, new Simplify Suite terminal servers can attach to this existing database, and
all configurations remain intact.
If the database must be moved, please refer to Section 7.2.3: Migrating and backing up the Simplify Suite
database. If the database changes domains, object assignments will be lost because they were tied to owners who
are in the previous domain. All object configurations will remain through a database migration.
To start using a database on production servers after it has been on test servers:
A. If the test servers and production servers are not in the same domain:
   • Migrate the database to a server in the production domain.
   • Install Simplify Suite on production terminal servers, and connect to the new database.
B. If the test servers and production servers are in the same domain and the database is not on a production server:
   • Migrate the database to the production server.
   • Install Simplify Suite on production terminal servers, and connect to the new database.
C. If the test servers and production servers are in the same domain and the database is on a production server:
   • Install Suite on production terminal servers and connect to the existing database.
The Simplify Suite can be installed on the other production terminal servers once the database has been migrated
to the production environment. These installs should happen during minimal usage of the terminal servers. Once
Simplify Suite is installed on the terminal servers, all new logins will be subject to the assignments defined in the
Simplify Suite.
1.9.5 Database Updates
When performing upgrades to the Simplify Suite, the schema of the database will be updated to support features
added or changed in the Simplify Suite. Because multiple servers may be attached to the same database, it is best
to upgrade all servers to the same version at the same time. Tricerat makes every effort for the database schemas
to be backwards compatible, but servers on older versions will not take advantage of the latest changes.
2 Simplify Console
2.1 Overview
Simplify Console is the management interface for all the components in the Simplify Suite.
Upon startup the application establishes and maintains a connection with a previously configured SQL Server ODBC
data source. This data source is used to store all persistent data related to the operation of the Simplify Suite.
If present, the application will also query Active Directory to produce a hierarchical list of owners. The process of
creating and configuring objects and then assigning those objects to owners is discussed in this section.
The client area of Simplify Console houses three different (window) panes:
• Owners (Section 2.2.2)
• Assignments (Section 2.2.3)
• Objects (Section 2.2.4)
Panes may be manipulated in various ways to alter the visual layout of the application. Panes may be in one of four
possible states:
• Docked – pane is visible and occupies a portion of the application client area.
• Floating – pane is visible, but is not confined to the application client area. Its size and position may be manipulated independently.
• Hidden – pane is not visible, but a pane tab is visible at the edge of the application client area.
• Closed – neither pane nor pane tab is visible.
Pane manipulation occurs by:
• Clicking/double-clicking on the pane title bar.
• Dragging-and-dropping via the pane title bar.
• Clicking the pin and close icons in the upper right portion of the pane title bar.
• Clicking on pane tabs.
• Clicking on pane icons in the application toolbar, and selecting corresponding menu items under the application View popup menu.
• Clicking the View | Reset Layout menu item.
It is possible (via drag-and-drop) to combine two or more panes to create a pane group. The visible pane of a pane
group is selected using pane tabs located at the bottom of the pane group.
Clicking on the title bar of a pane makes it active and gives it input focus.
Double-clicking on the title bar of a pane toggles it between the docked and floating states.
A pane may be closed by clicking the close icon in the upper right corner of a pane’s title bar. Use the toolbar icons
or View popup menu items to reopen a closed pane.
A pane (or pane group) may be hidden by clicking the pin icon in the upper right corner of a docked pane’s title
bar.
Clicking on the tab of a hidden pane will cause the pane to become temporarily visible.
2.2 Configuration
The Simplify Console consists of three main panes: The Owners pane, the Assignments pane, and the Objects pane.
Objects represent various settings and abilities that the Simplify Suite offers, such as registry edits, policies,
Simplify Printing printers, and more. Owners are entities that the settings can be assigned to, such as users,
groups, OUs, and computers. Objects are created in the Objects pane, while an Owner is selected in the Owners
pane.
The Assignments pane’s structure mirrors the Objects pane, and it displays the assignments related to the
currently selected Owner. Users of the Simplify Console can drag-and-drop Objects into their matching slots on the
Assignments pane to “assign” an object to an Owner.
Other sections include the Menu Bar and the Audit pane.
2.2.1
Menu Bar Items
File Menu
Manage Data Sources: Allows the administrator to manage the data source to which the Simplify console will
connect
Refresh Database: Refreshes the Simplify Console display
Exit: Closes the Simplify Console
View Menu
Owners: Highlights the Owners Pane. Displays the Owners Pane if Auto Hide is selected
Assignments: Highlights the Assignments Pane. Displays the Assignments Pane if Auto Hide is selected
Objects: Highlights the Object Pane. Displays the Object Pane if Auto Hide is selected
triReg: Highlights the triReg Pane. Displays the triReg Pane if Auto Hide is selected
Audit: Opens the Audit pane that is minimized by default at the bottom of the Simplify Console
Reset Layout: Resets the Console window panes to their default locations.
Tools Menu
External: Opens the menu for access to the Suite External tools which are: RegDiff, Simplify Migration Utility,
AppChecker and the License Server Console
License Manager: Opens the License Manager, allowing the Administrator to enter and retrieve license
information. For more information, please see Section 8.1: License Keys.
Configure Simplify Lockdown: Opens the Simplify Lockdown Configuration window in which the administrator can
set the service options, restart the Lockdown service and purge the database tables
Customize User Messages: Allows the Administrator to customize the messages users receive from within their
session when an application is being locked down
The following variables can be used to customize each message:
%MESSAGENAME% - Message name (e.g. APPTERM_TRUSTLIST, APPTERM_CHILDTRUST, etc.)
%APPLICATION% - Application name
%FULLAPPPATH% - Application name with full path
%PID% - Process name
%SIGNATURE% - Process signature
%PARENTPROCESS% - Parent process ID
%USERNAME% - User’s login name
%SERVERNAME% - Server’s name that is hosting the User’s session
APPFREEZE_STABILITY_MEMQUOTA - message received when an application has exceeded its memory quota. The
application will not be terminated. It will be halted until memory usage dips below the set limit
APPTERM_BLACKLISTED_CPUQUOTA - message received when an application has exceeded the CPU quota that is
set by the Administrator
APPTERM_BLACKLISTED_IMMEDIATE - message received when User attempts to launch an application that is
defined on the User’s Banned List
APPTERM_CHILDTRUST - message received when a process launched from another application is marked as
banned on the application’s child trust list
APPTERM_INSTANCE_LIMITS - message received when the instance limit has been reached for a specific
application
APPTERM_STABILITY_CPUQUOTA - message received when an application has exceeded its CPU quota.
APPTERM_STABILITY_MEMQUOTA - message received when an application has exceeded its memory quota.
APPTERM_TRUSTLIST - message received when User attempts to launch an application that is defined on the
User’s Trust List
GENERIC_ADDENDUM - appended to the end of all APPTERM messages. The default message is “For more
information contact your administrator”
OPERATOR_INTERVENTION - message received when an application has been terminated on operator request
Services: Opens the menu to allow the Administrator to Start, Stop or Restart the Simplify Printing, Lockdown and
Stability services
Import Learn Mode Apps: Opens the window for importing application objects that were made available for
import based on what applications were accessed by users who were in Learn mode
Show Users In Learn Mode: Opens a list of users who are set up with Learn Mode turned on
Show Denied Apps: Opens a list of applications that have been added to the banned list
Find Apps to Import: Opens the Search window that will allow administrators to search for applications to import
and creates an application object for those applications
Options: Opens the options window from which the administrator can configure general settings for the console,
turn on logging, and turn on or off Offline Mode
Reports Menu
Assigned Owners by Object: Will display a report listing all of the Objects and the Owners to which they are
assigned
Assigned Objects by Owners: Will display a report listing all of the Owners and the Objects that are assigned to
them
Note: Microsoft Report viewer version 9 is required to be able to display the reports
Help Menu
Tricerat Simplify Help: Opens the Simplify Suite Help File
Tricerat Online Help: Opens the Tricerat Online Help File in your default browser
Online Training Demos: Opens the AutoDemo web site in your default browser
Tricerat Home Page: Opens the main page of the Tricerat web site in your default browser
Tricerat Support Web Site: Opens the Tricerat Support web site in your default browser
About Simplify Console: Displays both the Console and Simplify Suite version numbers
2.2.2 Owners Pane
The function of the owners pane is to display a set of eligible owners.
Owners are entities that may receive assignments and other owner-specific settings (e.g. lockdown mode, shell
preference). In the server-based (or thin client) environment, there are three primary parties – the server
computer, the client computer and the user. Owners are organized in the tree in a hierarchical fashion – according
to the ancestor/descendent relationship mentioned above. Active Directory domains occupy the highest level of
the owners tree – with computers, user groups then individual users at the very bottom level.
OUs and containers are found in the middle.
The owners tree is built by an examination and analysis of the host computer’s Active Directory environment. This
examination and analysis occurs every time the Simplify Console application is opened. The creation of
custom owners is also supported. Custom owners can be a Group, a computer, a specific IP or a range of IPs.
The top-level sort order of the owners tree is as follows:
• Primary domain (domain of the host computer)
• Trusted domains (0 or more)
• Host computer – local users and user groups appear under this owner
• Custom owners – user may specify computers by (DSN) name, IP address or IP address ranges.
The hierarchical structure of the owners tree is not simply an organizational mechanism, it serves a practical
purpose. Although domains, OUs and containers are not primary parties in a thin client session, they can be
assigned objects just the same. These assignments are then inherited by descendant owners. In this manner,
boilerplate configuration can be made at the domain or OU level and fine-tuned at a lower level.
The effective configuration for a given Terminal Services session is a mixture of the configurations for all three
owner parties. In general, when configuration conflicts arise between parties, the most restrictive setting takes
precedence.
2.2.3 Assignments Pane
The function of the assignments pane is to permit the display and manipulation of object assignments
and other configuration settings for the owner currently selected in the owners tree.
As an administrator navigates the owners tree, the assignments pane will be reloaded with
assignment/configuration data for the newly selected owner.
All changes made to an owner’s assignments or configuration data occur within the assignments pane.
The only exception is when objects/groups are updated in the objects pane (i.e. deleted,
enabled/disabled, objects moved into/out of groups).
The assignments pane is composed of an assignments toolbar and the assignments tree. The
organization of the assignments tree is very similar to that of the objects tree. Assignments are made
with a drag-and-drop operation from the objects tree to the corresponding section in the assignments
tree.
The name of the selected owner will appear in the title bar of the assignments pane. The owner is also
represented by the highest level branch in the tree.
Controls in the assignments toolbar will dynamically change as a different row is selected. The
assignments tree only permits single selection at this time.
Direct assignments are made by a drag-and-drop operation from the objects tree into the assignments
tree. The currently selected owner is the recipient of a direct assignment.
Only direct assignments may be deleted from an owner.
All descendants of an owner will inherit any assignments made to the parent owner.
Inherited assignments may not be deleted. However, it is possible to designate certain sets of
assignments to be blocked or ignored for a particular owner and its descendants. To block any or all of
inherited, direct, server, or client assignments for an owner, select the top (owner’s) row in the
assignments tree. Four toggle icons will appear in the assignments toolbar. Click an icon to block that
set of assignments – click again to allow them.
Any assignment (direct or inherited) may be denied for a particular owner. The denied state of an
assignment is also inherited, i.e. if an owner is denied an assignment, all descendants of that owner
will be denied the assignment.
An assignment (permitted or denied) may be overridden at the descendant level, i.e. if an assignment
is permitted or denied at the ancestor level, the state may be reversed for any particular descendant.
This is accomplished by selecting the descendant owner in the owners tree, finding the assignment in
the assignments tree, and clicking the appropriate assignments toolbar button (permit/deny).
If the Simplify Lockdown (Section 6) component has been licensed, an owner’s lockdown mode may be
directly set by selecting the Lockdown row in the assignments tree – then selecting the desired mode in
the combo box in the assignments toolbar.
Lockdown mode may be inherited and overridden just as object assignments are.
If the Simplify Desktop (Section 5) component has been licensed, an owner’s shell (Explorer or triShell)
may be directly set by selecting the Shell row in the assignments tree – then selecting the desired shell
in the combo box in the assignments toolbar.
An owner’s Shell may be inherited and overridden.
If the Simplify Printing (Section 4) component has been licensed, a user may have one or more types of
printers assigned (e.g. ScrewDrivers, Print Server, network, local, etc.). One (at most) of the assigned
printers (regardless of type) may be designated as the owner’s default printer. Select the desired
printer and click on the Set/Clear As Default Printer icon in the assignments toolbar.
The default status of a printer may be inherited and overridden.
A denied printer assignment may not be set as the default printer.
2.2.4 Objects Pane
The function of the objects pane is to permit a user to create, configure, and manipulate objects and object
groups.
Objects are things which may be assigned to individual owners. Examples include applications, printers, and
various configuration settings.
The objects pane is composed of two sub panes separated by a vertical splitter. The left sub pane contains the
objects toolbar and the objects tree. All objects defined in the current Simplify database will appear somewhere in
the tree. Objects are organized by their type and are sorted by name.
Which object types appear in the tree depends upon which components of the Simplify Suite have been licensed.
Buttons in the objects toolbar will dynamically change as different row(s) are selected.
The left sub pane will contain a set of zero or more tabbed object forms. The forms displayed will depend upon the
type of object selected in the tree. Each object type has its own set of forms. Each form in the set groups together
related configuration parameters. The form controls will be loaded with settings for the currently selected object.
When any form is changed, such as when you modify the settings for an object, an Apply Changes button in the
toolbar becomes enabled. The user may manually apply changes at any time by clicking this button. If settings have
changed, the user will be automatically prompted to apply changes if the objects tree selection is altered.
In addition to creating objects of various types, a user may create object groups. An object group is simply a logical
collection of objects. The concept is provided as a convenient mechanism which allows users to:
• Group together related objects of a particular type (e.g. Word, Excel, and PowerPoint application objects could be located under an Office object group).
• Manipulate objects in a group simultaneously. Deleting or disabling a group deletes or disables all objects in that group. Objects may also be assigned as a group.
Object groups only apply in the Simplify Console. The Simplify Suite server components ignore groups and only
deal with the underlying object assignments. Nested groups are not supported. Adding/removing objects to/from
an existing group will implicitly assign/unassign those objects from owners which have been assigned the group.
Deleting objects/groups will automatically delete all assignments of those objects/groups. Group objects may be
assigned independently from their group.
A user may select multiple rows in the objects tree. This is to permit the convenience of simultaneous operations
on multiple objects/groups (e.g. assign, delete, disable/enable). Object forms are only displayed when a single
object is selected. They are hidden at all other times. Only objects and groups may be multi-selected. A group and
one or more of its nested objects cannot be multi-selected.
Right-clicking in the tree control will display a floating menu which will contain whatever options are available for
the selected row(s). If no options exist, a floating menu will not be displayed.
ScrewDrivers v4 Print Server (Section 4.3) objects are a special type of object. They cannot be directly assigned to
an owner – only the nested printers may be assigned. There can be no ScrewDrivers v4 Print Server groups, and
there can be no ScrewDrivers v4 Print Server Printer groups.
2.2.5 Inheritance Among Owners
As objects are assigned to owners in the Simplify Suite, the rules of inheritance determine the final result of
objects that each login session will receive.
Definition of conflicting assignments
Some objects and settings in the Simplify Suite require a single final result, while others can be properly merged
together to form a final list.
Single-result settings:
• Shell mode
• Lockdown mode
• ScrewDrivers configuration
• triShell configuration
• System resources configuration
• Policy settings (one of each type – drive mappings, drive restrictions, etc.)
Multiple-result settings (different objects will add together):
• Applications
• Printers
• Registry settings
In either case, a conflict may occur if the same object is assigned to two owners, but one is set as a “deny” object.
Determining the Owner Inheritance
Finding Related Owners and Building the Assignment List
When the Simplify Suite detects a new login session, several pieces of information about that session are used to
find related owners:
• The user that is logging into the system
• The server that the user is logging into
• The client that the user is logging in from
Each of these owners is used as a starting point to find additional related owners through Active Directory
memberships, custom owners, groups, and IP addresses.
Owner Hierarchy
For owners that appear in a tree structure, such as the Active Directory, assignments are evaluated from general to
specific. This means that in the case of conflicting assignments, an owner lower on the tree will override an owner
higher on the tree. For example, if the domain is assigned the explorer shell, but an OU is assigned triShell, an
owner in that OU will receive triShell because that assignment is more specific to their user.
Outside of Hierarchy – Groups
In the case of Windows NT security groups, the Simplify Suite treats assignments at this level as more general than
the user, but more specific than an OU. This applies even if the group is in a different OU than the user. In the case
where the group and user are in different organizational units, the tree is evaluated for parents of both the user
and group.
Solving Conflicts
When there is not a clear hierarchy to fall back on:
• Assignments for users vs. servers vs. clients
• Assignments for owners at the same level (groups)
In the case of shell and lockdown settings, the conflict is solved by choosing the most restrictive setting. These are
hard coded values that have the following order, from least restrictive to most restrictive:
Shell (Section 5)
• Explorer
• triShell
• No Shell (deny login)
Lockdown (Section 6)
• Don’t use lockdown
• Learn mode
• Use banned list
• Use trusted list
For example, if the user hierarchy determines a shell setting of Explorer, but the server hierarchy determines a
shell setting of triShell, then triShell will be applied to the end user session because it is more restrictive.
For objects that do not have this inherent order of resolution, there are a few tests before being left up to
database order:
In the case of the user/server/client branches, the client is the least important, followed by the server, and leaving
the user setting as the most important. If a server has ScrewDrivers configuration A and the user has ScrewDrivers
configuration B, the end result will be ScrewDrivers configuration B.
All groups are weighted higher than the OUs or containers above them in Active Directory. However, in the case of
nested groups, groups containing the user directly will be considered more specific to the user, and override
settings made to groups of groups.
If all conflict resolution tests have failed to produce a unique result, the final order comes from the order in which
objects are retrieved from Active Directory and subsequently read from the database. This can be discovered
by reviewing the Tricerat owner enumeration on a case by case basis, but the best advice is to use deny objects
where needed to filter out a unique result.
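The resolution rules in this section, worked through as an added Python example; it is a model built from the rules as stated here, not Tricerat's code. The setting keys, owner names and the `SESSION` data are constructed for illustration, and deny objects and the block toggles are not modeled.

```python
from typing import NamedTuple, Optional

# Orders copied from this section, least restrictive first.
RESTRICTIVENESS = {
    "shell": ["Explorer", "triShell", "No Shell"],
    "lockdown": ["Don't use lockdown", "Learn mode",
                 "Use banned list", "Use trusted list"],
}
# For settings with no restrictiveness order: user beats server beats client.
BRANCH_PRECEDENCE = ("user", "server", "client")


class Result(NamedTuple):
    value: Optional[str]    # None = not assigned, or left to database order
    decided_by: str
    candidates: tuple = ()  # competing values when the outcome is ambiguous


def most_restrictive(setting, values):
    order = RESTRICTIVENESS[setting]
    return max(values, key=order.index)


def resolve_branch(tiers, setting):
    """Resolve one branch (user, server or client).

    tiers is ordered general -> specific (domain, OU, groups of groups,
    direct groups, the owner itself); each tier is a list of
    (owner_name, {setting: value}) pairs for owners at the same level.
    """
    for tier in reversed(tiers):  # the most specific tier that sets it wins
        hits = [(name, cfg[setting]) for name, cfg in tier if setting in cfg]
        if not hits:
            continue
        values = {value for _, value in hits}
        if len(values) == 1:
            return Result(hits[0][1], "most specific owner: " + hits[0][0])
        if setting in RESTRICTIVENESS:
            return Result(most_restrictive(setting, values),
                          "most restrictive of same-level owners")
        # No rule separates these owners: the product falls back to
        # retrieval order, so report the candidates instead of guessing.
        return Result(None, "database order (ambiguous)", tuple(sorted(values)))
    return Result(None, "not assigned")


def resolve_session(branches, setting):
    """Combine the user, server and client branches for one login session."""
    per_branch = {b: resolve_branch(branches.get(b, []), setting)
                  for b in BRANCH_PRECEDENCE}
    if setting in RESTRICTIVENESS:
        values = [r.value for r in per_branch.values() if r.value is not None]
        if not values:
            return Result(None, "not assigned")
        win = most_restrictive(setting, values)
        sources = [b for b in BRANCH_PRECEDENCE if per_branch[b].value == win]
        return Result(win, "most restrictive across branches: " + "/".join(sources))
    for b in BRANCH_PRECEDENCE:
        r = per_branch[b]
        if r.value is not None or r.candidates:
            return Result(r.value, b + " branch, " + r.decided_by, r.candidates)
    return Result(None, "not assigned")


# Constructed session: hypothetical owners and setting keys.
SESSION = {
    "user": [
        [("example.local", {"shell": "Explorer", "lockdown": "Learn mode"})],
        [("OU=Clinic", {"shell": "triShell"})],
        [("GRP-Nurses", {"lockdown": "Use banned list", "trishell_config": "X"}),
         ("GRP-NightShift", {"lockdown": "Use trusted list", "trishell_config": "Y"})],
        [("jdoe", {"screwdrivers": "B"})],
    ],
    "server": [[("TS01", {"shell": "Explorer", "screwdrivers": "A"})]],
    "client": [[("WS-0142", {})]],
}

if __name__ == "__main__":
    for name in ("shell", "lockdown", "screwdrivers", "trishell_config"):
        print(name, resolve_session(SESSION, name))
```

An ambiguous result (two same-level groups with different triShell configurations) is the case the text recommends settling with a deny object.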
Advanced Features
Besides normal assignment operations, there are several ways to manipulate the final result of user assignments.
First, any assignment can be denied at a lower level in the tree, or simply added as a deny object in the event the
object is inherited through any other means. Secondly, each owner can be selected to ignore entire categories of
assignments. This includes blocking all objects inherited from the tree above them, blocking server assignments,
blocking client assignments, or blocking user assignments. For instance, if an administrator wants to only receive
assignments based on user membership, they can instruct the domain level to ignore all server and client
assignments.
Viewing Inheritance in the Simplify Console
Because not all factors for all user logins can be displayed in the administrator console, only certain inheritance
rules can be shown. By clicking any owner in the owners pane, assignments will appear that are linked directly to
that owner, or any owner that is clearly related. This includes NT groups and parents in the Active Directory tree.
Objects that are direct assignments and those that are inherited determine which operations can be performed.
Inherited assignments are for display purposes only and therefore cannot be removed or deleted. They can be
denied, which creates a new object in the database that is of the denial type. In order to perform operations on
these inherited objects, the administrator must select the owner in the Owners pane to which the assignment is
directly assigned.
In the assignments pane, the second column contains information about where the object is inherited
from. This list reveals the name or names of owners responsible for passing the assignment down to the
current owner, including any owners that are causing a denial of the object.
2.2.6 Audit
Audit is a management tool for the Simplify Console that tracks all changes to the Simplify database. There are
three main ways of auditing changes:
1. Audit Object - this is used to audit an Object’s history since creation.
Right-click an Object and select Audit.
The audit results of the IE Home registry object can be accessed by expanding the Audit plug-in along
the bottom of the Simplify Console.
2. Audit Owner - this is used to audit an Owner’s history of assignments.
Right-click an Owner and select Audit.
The audit results of the test.tricerat.com owner can be accessed by expanding the Audit plug-in along
the bottom of the Simplify Console.
3. Searching Audit Data - this allows you to search Audit Data by a few factors such as Users, Actions,
Record Types, Record Age, and Strings.
Expand the Audit plug-in and click the Search Audit Data button.
Enter the desired search criteria and press Search.
Additional Info About Audit
Searching by User (not Owner) allows you to view assignments made by different SQL accounts. For
larger environments it may be suitable to create a separate SQL account (or grant db_owner to
admin accounts for the Simplify database) for tracking purposes.
2.3 Walkthroughs
2.3.1 Create and Assign Objects to an Owner
To add an object, first find the object folder type in the Object pane (i.e., Application, Print server, etc.) and select
it. Then right-click and select New Object or Click the New Object button on the Object toolbar at the top of the
Object pane.
Once the object is created, you can name the object. Names are stored internally by an ID, so the same name can
be used multiple times, though this is not recommended because using the same name for multiple objects can
become confusing. After you have named the object, then set the configuration properties that you want. Once
the properties are set, be sure to save the changes by clicking on the Apply Change button on the tool bar. Now
you are ready to assign the object to an Owner!
Assigning an object to an owner in three steps:
1. Select the target owner in the Owners pane by highlighting the user, group, OU or any of the other owner
types available.
2. Select the object you wish to assign in the Objects pane.
3. Click and drag the object from the Objects pane over to the Assignments pane. Drop the object in the area you
want to make the assignment. As you drag, if an object cannot be dropped into the current area, a small circle
with a line through it will appear.
You can also delete an object from the Objects pane. To delete an object, select the object then right-click and
choose delete, or click the Delete button on the object toolbar. Be aware that when you delete an object all
assignments for that object are also deleted!
Hint: The structure of the Objects pane is almost identical to the structure of the Assignments pane. For example,
to assign a ScrewDrivers object created in the Objects pane, drag it to the ScrewDrivers container in the
Assignments pane.
2.3.2 Assign Objects to a Client Computer
Custom owners can be created using computer names, IP addresses and IP address ranges. Custom owners may
also be organized using groups. These features can be accessed by right-clicking on the Computers container in the
Owners pane.
To add a computer by name, right-click on Computers and select Add | Computer. Then
type the name of the computer that you would like to add. Assignments can now be made
to that computer in the same manner that they would normally be assigned to a Group,
User, OU, etc. Wildcards are supported with named computer owners. These wildcards
include ? and *. A ? is used to specify one character, and a * can be used to specify
multiple characters.
To add a computer by IP Address, right-click on Computers and select Add | IP Address. Then type the
IP address of the computer that you would like to add.
To add computers by IP Address Range, right-click on Computers and select Add | IP Address Range.
Then type the low and high IP address of the desired range.
Groups can be added by right-clicking on Computers and selecting Add | Group. Once the group is
created, owners can be added to the group by right-clicking on the group and selecting either Add |
Computer, Add | IP Address or Add | IP Address Range. Groups may also be nested within other
groups.
To delete an owner that has been added to the Computers container, right-click and select
delete. Deleting a group will delete all nested groups and owners.
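To review which custom owners a given client would fall under, the matching rules above (name wildcards, single IP address, IP address range, nested groups) can be modeled as follows. This is an added Python example, not the product's code; the owner tree is constructed, and case-insensitive names, `*` matching zero characters and inclusive range ends are assumptions.

```python
import ipaddress
import re


def wildcard_to_regex(pattern):
    """Translate a computer-name pattern: ? is one character, * is a run of
    characters, and everything else is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")  # assumption: * also matches zero characters
        else:
            parts.append(re.escape(ch))
    # Assumption: computer names compare case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)


def owner_label(owner):
    if owner["type"] == "computer":
        return owner["name"]
    if owner["type"] == "ip":
        return owner["address"]
    return owner["low"] + "-" + owner["high"]


def owner_matches(owner, client_name, client_ip):
    kind = owner["type"]
    if kind == "computer":
        return wildcard_to_regex(owner["name"]).fullmatch(client_name) is not None
    ip = ipaddress.ip_address(client_ip)
    if kind == "ip":
        return ip == ipaddress.ip_address(owner["address"])
    if kind == "range":
        low = ipaddress.ip_address(owner["low"])
        high = ipaddress.ip_address(owner["high"])
        if low.version != high.version or low > high:
            raise ValueError("bad range: " + owner_label(owner))
        # Assumption: both ends of the range are included.
        return ip.version == low.version and low <= ip <= high
    raise ValueError("unknown owner type: " + kind)


def matching_owners(nodes, client_name, client_ip, path="Computers"):
    """Return the tree path of every custom owner the client matches,
    descending into groups nested within other groups."""
    found = []
    for node in nodes:
        if node["type"] == "group":
            found += matching_owners(node["members"], client_name, client_ip,
                                     path + "/" + node["name"])
        elif owner_matches(node, client_name, client_ip):
            found.append(path + "/" + owner_label(node))
    return found


# Constructed owner tree (hypothetical names and addresses).
CUSTOM_OWNERS = [
    {"type": "computer", "name": "KIOSK-??"},
    {"type": "group", "name": "Branch Offices", "members": [
        {"type": "range", "low": "10.0.5.10", "high": "10.0.5.50"},
        {"type": "group", "name": "Front Desk", "members": [
            {"type": "ip", "address": "10.0.5.12"},
            {"type": "computer", "name": "FD*"},
        ]},
    ]},
]

if __name__ == "__main__":
    for name, ip in (("kiosk-07", "10.0.5.12"), ("FD-LAPTOP", "192.168.1.5")):
        print(name, ip, matching_owners(CUSTOM_OWNERS, name, ip))
```

A client that matches several custom owners receives assignments through each of them, so broad patterns such as a bare `*` deserve a second look.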
2.3.3 Customize the Console Layout
The Simplify Console layout can be customized for your personal preference. To do this, click and hold the left
mouse button on the title bar of the pane you wish to move. Move the mouse with the left button still depressed.
Blue positioning markers will appear on the console. The markers display all of the possible locations that the pane
can be moved to. Move the mouse over the marker of your preference. A transparent blue box will appear
displaying the area in which the pane will now be located.
Note: the Objects pane cannot be moved by dragging it with the mouse; however it will move to accommodate
other panes when they are relocated. For instance, if you move the Owners pane to the right of the Objects pane,
the Objects pane will move to the center allowing space to the right for the Owners pane.
To return the panes to their default locations, select the View menu, mouse down and click on Reset Layout.
The menu and shortcut toolbars can also be relocated by clicking on the gripper located on the left side of each
toolbar.
Each toolbar/palette can be docked on any of the four sides of the console. Alternatively, the toolbar palettes can also
float above the center of the console in an undocked state.
Another useful way to customize the Console layout is by making use of the Auto Hide buttons.
They are located on the title bar of the Owners, Assignments and Simplify Monitor Panes.
With a single mouse click on the Auto Hide button, the window pane collapses and creates an anchor button
located on the corresponding edge of the Console.
The pane is restored to its previous position by either clicking on the anchor button or holding the pointer over the
anchor button. When the pointer is clicked off of the window pane, the pane will once again return to a collapsed
state. To turn off auto hide, restore the window by either clicking or holding the pointer on the anchor button,
then click on the Auto Hide button one time to turn it off. The window pane will snap back to its previous position
in the console.
2.3.4 Block an Owner from Receiving an Assignment
If you right-click on the owner’s name at the top of the Assignments Pane you will notice that there are four
possible settings to turn on.
• Block Inherited Assignments: Blocks all indirect assignments
• Block Server Assignments: Blocks all assignments that are inherited from the server
• Block Client Assignments: Blocks assignments made to client machines, as well as computers defined in the Computers container
• Block User Assignments: Blocks a user’s direct assignments, as well as assignments that are inherited by the user
2.3.5 Deny Inherited Assignment
If an owner receives an unwanted assignment by inheriting it from a higher level such as a
domain, OU, server, group, etc., highlight the owner in the Owners pane, right-click on the
unwanted object in the Assignments pane, and select Deny Assignment. It is not possible
to delete assignments that are inherited. It is only possible to delete a direct assignment.
It is possible to block all inherited assignments to a specific owner’s container by right-clicking on the user name at
the top of the Assignments pane and selecting Block Inherited Assignments.
2.3.6 Configure the Authorization Manager
The Authorization Manager is a tool designed to give specific users access to certain tasks within the Simplify
Console. It can also be used to lock users out of the Simplify Console altogether. The tool currently uses the
Authorization Manager snap-in for the Microsoft Management Console. In future releases this option will be
available from within the Simplify Console.
Use these steps to set up and configure the Authorization Manager:
1. Accessing the Authorization Manager MMC Snap-In
Access the Authorization Manager by opening the Microsoft Management Console (mmc.msc) and selecting or
adding the Authorization Manager snap-in, or by running azman.msc.
2. Opening the Simplify Suite Authorization Store
Open the Simplify Suite authorization store by selecting Open Authorization Store under the Action menu. The
store file will be located in C:\Program Files\Tricerat\Simplify Suite\Simplify Console\SimplifySuiteAS.xml
3. Creating Role Definitions and Assigning Tasks
Now that we have the Simplify Suite authorization store opened, we can create role definitions that can be
assigned to specific users. Under the Definitions container, right-click on Role Definitions and select New Role
Definitions.
You will want to give the role definition a logical name (e.g. Printer Administrator, Desktop Administrator, Profile
Administrator, etc.).
You will now want to assign tasks to the role definition. Select the Add button and then select the Task tab. There
will be a predefined task.
You can assign tasks to the role definition by putting a check in the desired task definition.
Note: The RunSimplifyConsole task is required to run the Simplify Console. You will want to assign this task to
anyone that should have access to the Simplify Console.
Here is a complete list of the available tasks with their descriptions:
Task Name – Description
RunSimplifyConsole – Required to run Simplify Console.
FileManageDataSources – Required to access the Manage Data Sources dialog.
ToolsOptions – Required to access the Options dialog.
ToolsExternalCustomize – Required to access the Customize External Tools dialog.
ToolsLicenseManager – Required to access the License Manager dialog.
ToolsConfigureLockdown – Required to access the Simplify Lockdown Configuration dialog.
ToolsCustomizeLockdownMessages – Required to access the Customize Lockdown Messages dialog.
ToolsServicesLockdown – Required to manage the Lockdown Service via the Tools menu.
ToolsServicesResources – Required to manage the Resources Service via the Tools menu.
ToolsImportLearnModeApps – Required to access the Import Learn Mode Applications dialog.
ToolsShowUsersInLearnMode – Required to access the Users in Learn Mode dialog.
ToolsShowDeniedApps – Required to access the Denied Applications dialog.
ModifyLockdownMode – Required to modify the Lockdown Mode setting in the Assignments pane.
ModifyShellSetting – Required to modify the Shell setting in the Assignments pane.
AssignApplicationObjects – Required to assign Application objects and groups.
AssignLocalPrinterObjects – Required to assign Local Printer objects and groups.
AssignNetworkPrinterObjects – Required to assign Network Printer objects and groups.
AssignScrewDriversV3Objects – Required to assign ScrewDrivers v3 objects and groups.
AssignScrewDriversV4Objects – Required to assign ScrewDrivers v4 objects and groups.
AssignScrewDriversV4PrintServerPrinterObjects – Required to assign ScrewDrivers v4 Print Server Printer objects.
AssignRegistryObjects – Required to assign Registry objects and groups.
AssignTriShellConfigObjects – Required to assign triShell Configuration objects and groups.
AssignResourcesObjects – Required to assign Resources objects and groups.
AssignDriveMapObjects – Required to assign Drive Map objects and groups.
AssignDriveRestrictionObjects – Required to assign Drive Restriction objects and groups.
AssignExplorerObjects – Required to assign Explorer objects and groups.
AssignFolderRedirectionObjects – Required to assign Folder Redirection objects and groups.
ManageApplicationObjects – Required to create, modify, move, delete, and disable Application objects and groups.
ManageLocalPrinterObjects – Required to create, modify, move, delete, and disable Local Printer objects and groups.
ManageNetworkPrinterObjects – Required to create, modify, move, delete, and disable Network Printer objects and groups.
ManageScrewDriversV3Objects – Required to create, modify, move, delete, and disable ScrewDrivers v3 objects and groups.
ManageScrewDriversV4Objects – Required to create, modify, move, delete, and disable ScrewDrivers v4 objects and groups.
ManageScrewDriversV4PrintServerPrinterObjects – Required to modify, delete, and disable ScrewDrivers v4 Print Server Printer objects.
ManageRegistryObjects – Required to create, modify, move, delete, and disable Registry objects and groups.
ManageTriShellConfigObjects – Required to create, modify, move, delete, and disable triShell Configuration objects and groups.
ManageResourcesObjects – Required to create, modify, move, delete, and disable Resources objects and groups.
ManageDriveMapObjects – Required to create, modify, move, delete, and disable Drive Map objects and groups.
ManageDriveRestrictionObjects – Required to create, modify, move, delete, and disable Drive Restriction objects and groups.
ManageExplorerObjects – Required to create, modify, move, delete, and disable Explorer objects and groups.
ManageFolderRedirectionObjects – Required to create, modify, move, delete, and disable Folder Redirection objects and groups.
ToolsOptionsSimplifyConsoleSecurity – Required to view and change Simplify Console security options.
BlockAssignments – Required to block assignments in the Assignments tree.
ManageOwners – Required to create, delete, and rename custom owners and groups.
SearchOwners – Required to access the Search Owners dialog.
ManageScrewDriversV4PrintServerObjects – Required to modify, delete, and disable ScrewDrivers v4 Print Server objects.
4. Assigning Role Definitions to Specific Users
Now that you have created a role definition, you will want to assign the role to the desired users in order to give
them access to the tasks defined within the role.
Right click on the Role Assignments container and select Assign Roles.
Place a check next to the desired role definitions and select the OK button.
Under Role Assignments, right click on the role and select Assign Windows Users and Groups.
Enter the users that should be assigned to the role in the text box. User names should be delimited by a semicolon.
You will want to repeat these steps until you have created the desired roles for your users.
5. Enabling the Authorization Manager for the Simplify Suite
From within the Simplify Console, select the Tools Menu and click on Options. Select the Security option located
under Simplify Console. Place a check next to Enable use of Authorization Manager. Select the ellipses to browse
for the store file.
Once the store file is selected, you will want to test it to check for possible issues by selecting the Test button.
The following message will be displayed if you have not added access to the Simplify Console for your current
logon:
If the test is successful, you will receive a message stating that the test has passed. Select the OK button to apply
the changes. The Authorization Manager has now successfully been enabled.
6. Securing the Simplify Suite Authorization Store
You may want to modify the security settings for the SimplifySuiteAS.xml file so that only specified users are
allowed to modify it. This can be done by opening the properties for the file and making the appropriate
modifications on the Security tab. Please note that all users that access the Simplify Console will need to have read
access to the file.
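The same file-permission change can be scripted and then checked. The PowerShell below is an added example, not part of the Simplify Suite guide or Tricerat's tooling; the store path is the one given in step 2, and EXAMPLE\SimplifyConsoleUsers is a placeholder for the group that holds your console users.

```powershell
# Added example (not from the vendor guide). Run from an elevated PowerShell session.
# $StorePath is the location given in step 2 of this section.
$StorePath    = 'C:\Program Files\Tricerat\Simplify Suite\Simplify Console\SimplifySuiteAS.xml'
# Principals allowed to modify the store. Names are the English built-ins (assumption).
$StoreWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# Placeholder group: everyone who runs the Simplify Console needs read access.
$StoreReaders = @('EXAMPLE\SimplifyConsoleUsers')

function Set-StoreAcl {
    param(
        [Parameter(Mandatory)][string]   $Path,
        [Parameter(Mandatory)][string[]] $Writers,
        [Parameter(Mandatory)][string[]] $Readers
    )
    $acl = Get-Acl -LiteralPath $Path

    # Stop inheriting from the Program Files folder and discard the inherited entries,
    # then remove any explicit entries so only the rules added below remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    foreach ($id in $Writers) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    foreach ($id in $Readers) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedStoreWriters {
    param(
        [Parameter(Mandatory)][string]   $Path,
        [Parameter(Mandatory)][string[]] $Writers
    )
    # Rights that let a principal change the store's contents or its ACL,
    # plus the GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor
                       $R::WriteExtendedAttributes -bor $R::Delete -bor
                       $R::ChangePermissions -bor $R::TakeOwnership) -bor 0x10000000 -bor 0x40000000

    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $Writers -notcontains $_.IdentityReference.Value
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Apply the ACL, then list any principal outside $StoreWriters that can still modify the store.
Set-StoreAcl -Path $StorePath -Writers $StoreWriters -Readers $StoreReaders
$extra = Get-UnexpectedStoreWriters -Path $StorePath -Writers $StoreWriters
if ($extra) { $extra | Format-Table -AutoSize }
else        { 'Only the expected principals can modify the authorization store.' }
```

Re-run Get-UnexpectedStoreWriters after product upgrades or reinstallations, since an installer can reset the file's permissions.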
2.4 Frequently Asked Questions
2.4.1 Can I connect to another Simplify database from the Simplify Console?
Yes, see Section 7.2.1: View and Modify DSN Settings to connect to another database.
2.4.2 How can I figure out what objects are assigned to a particular owner?
First, select the owner (Section 2.2.2) for which you would like to see assignments. Assignments will then be
displayed in the assignments pane (Section 2.2.3). Both direct and inherited assignments will be shown. Keep in
mind that assignments shown in this context do not necessarily reflect what will be seen in a live environment,
where the individual assignments for user, client, and server are merged into a set of effective assignments.
2.4.3 How do I refresh the Active Directory in the Simplify Console?
Go to the menu bar and choose File -> Refresh Database. This will force both a refresh of the Active Directory and
the Simplify database.
2.4.4 How can I make assignments to local accounts?
The Local Users and Groups branch under the Owners pane represents the local accounts on the terminal server.
It cannot be removed, but can be used to make assignments to local accounts if necessary.
2.4.5 How can I see all of the Simplify Console with a low resolution?
The console panes can be moved or hidden to allow an administrator to see another pane. For more information
on customizing the console view, see Section 2.3.3: Customize the Console Layout.
2.4.6 Where is the Active Directory structure?
The Active Directory structure is only accessible for domain accounts, and a domain controller must be present.
Verify that the account is not a local account and the domain controller is online. Try another domain account,
domain administrator if possible.
2.4.7 How do I save my changes?
There are two types of changes that occur in the Simplify Console: objects and assignments.
Assignment changes (Section 2.3.1) are automatically saved to the database, so nothing more needs to be done
for these changes to take effect.
Object changes must be manually saved to be updated in the SQL database. This can be done with the Apply
Changes (blue) button at the top of the Objects pane. This button is grayed out when there have been no changes
made.
2.4.8 What should I do when I receive Database connection failed errors?
If you receive the error message “Database connection failed: [Microsoft][ODBC SQL Server Driver][SQL Server]
Login failed for user ‘sa’”, this means that the Simplify Console cannot connect to the Simplify database with the
specified credentials.
2.4.9 How do I block users from accessing Simplify Console?
Access to the Simplify Console can be controlled by:
• Default - the Simplify Console is unusable without a SQL account. All users will be prompted for an
account to use to access the Simplify database. Without a valid account the users should not be able to
fully open the Simplify Console.
• Simplify Lockdown - access to the SimplifyConsole.exe can be delegated with the use of Simplify
Lockdown. It is best to add SimplifyConsole.exe to the Banned list for domain users. To ignore the Banned
assignment of the Console for Administrators, use a block at the Domain Admins security group.
• Authorization Manager - Microsoft Management Console’s Authorization Manager (Section 2.3.6) can be
used and integrated with Simplify Suite to deny users access to the Simplify Console. This is the most
secure way of denying access to the Simplify Console.
3 Simplify Profiles
3.1 Overview
Simplify Profiles enables administrators to deliver personalized environments to their users without
roaming profiles. This provides a simple, powerful, and effective mechanism for setting, managing, and
restoring environment settings. The result is reduced administrative and support efforts, and boosted
system reliability, user satisfaction, and productivity. All environment information is stored within the
Simplify SQL database, eliminating corruption.
Simplify Profiles is built on Tricerat’s RegSet™ technology. RegSet provides a mechanism for saving a
user’s registry settings to the Simplify Database and restoring those settings to the registry in
subsequent sessions, regardless of what server the user logs into. User data is exported to the SQL
database at Log Off and imported into the user’s profile at Log On.
Simplify Profiles allows the delivery of mandatory profiles to the users combined with Simplify Profiles
Save & Restore operations to mimic the Windows roaming profiles. This hybrid solution delivers
personalized environments to the users without the management overhead caused by Windows roaming
profiles.
Simplify Profiles can be delivered as a profiles solution to any contemporary Windows Operating System
environment.
Features:
• Full Registry Control
• File Operations
• Drive Mappings
• Drive Restrictions
• Explorer/Internet Explorer Restrictions
• Application Based Personalization
• Folder Redirections
• ADMX Template Support
• Offline Mode
• triReg
• RegDiff
• Simplify Migration Utility
Reducing Logon and Logoff Times
• Do not use roaming profiles
  Simplify Profiles’ hybrid solution optimizes performance
• Do not use locally stored shell folders that require logon and logoff data transfer
  Simplify Redirected Folders look and act the same but are instantly available
Reducing Administrative Complexity
• Do not use remedial forms of drive mappings
  Simplify Drive Mappings are easy to manage
• Do not resort to complex, difficult to manage logon scripts for the remaining tasks
  Simplify File, Profile, and Registry operations are simple to set up and maintain
Migrating from Roaming Profiles?
Already-configured registry settings such as the data in the roaming profiles (ntuser.dat) and Documents and
Settings can be migrated for use with Simplify Profiles. Rather than forcing the user to re-create that data for
Simplify Profiles, the registry settings can be migrated into the Simplify SQL database using the Simplify Migration
Utility and automatically delivered. This allows administrators to quickly deploy and migrate users to Simplify
Profiles. Additionally, the Documents and Settings on the file server(s) hosting the roaming profiles can be
redirected using Simplify Profiles. To the users this migration process is seamless and they will instantly benefit
from a faster logon/logoff process. For administrators, this will reduce stress and simplify the implementation
process required for Simplify Profiles. For more information, see Section 3.9.3: Simplify Migration Utility.
Research and RegDiff
Many application and environment customizations delivered by Simplify Profiles are configured through the
registry. It may be initially unclear as to where specific settings are in the registry or what to set them to. Often,
Internet documentation can reveal information about registry settings. If a desired customization has unknown
corresponding registry entries, Simplify Profiles can still be used through Tricerat’s RegDiff tool. This tool is
designed to track changes to the registry which can then be configured and integrated into the Simplify Console as
Registry Save & Restore, Set, and Delete operations.
3.2 Windows Profiles and Simplify Profiles
3.2.1 Windows User Profile Types
Windows profiles store configuration information for the user, including environment and application settings
either on the local computer or in a central profile share location. Profiles can be local, roaming, or mandatory.
Local profiles are created for each Windows computer the user logs on to and configuration changes to the profile
on one machine do not result in changes to profiles on other computers.
Roaming profiles are stored on the network and accessed by the local computer, allowing changes to the profile to
be propagated to any computer on the network that the user logs into.
Mandatory profiles are a special case of roaming profiles, which are read-only, meaning individual users are not
able to make changes to the configuration.
The Windows profile is stored as a group of files and folders, including the file that represents the user’s local
portion of the registry. When a profile is loaded, the registry for that user is also loaded and mapped to the
HKEY_CURRENT_USER hive, allowing for user-specific configurations.
3.2.2 Replacing Roaming Profiles
Simplify Profiles allows administrators to migrate users from roaming profiles to mandatory profiles without
compromising the users’ personalized environments.
Why replace roaming profiles?
Roaming profiles are a good idea in theory, but in practice they can cause more problems than they resolve. The
Windows roaming profile will copy the user’s entire Documents and Settings directory at Logon and the modified
files are restored to the profile share at Logoff. This process is slow and to complicate things, there is no way to
control or limit the files and folders to be copied out to the profile share. As a result, user profiles expand in size
with every Logon. As profiles increase in size, the likelihood of corruption increases. With large files such as
Outlook’s Personal Folders (PSTs), roaming profiles are unstable, slow, and corruptible.
What are the benefits of using mandatory profiles with Simplify Profiles?
• Personalized User Environments
• Improved Logon and logoff speed
• No More Corruption
• Eliminate Inefficient Scripts
• Secured Explorer File Browser
• Centralized User Profile Management through triReg
• File Operations
• RegSet assignments
Simplify Profiles allows environments to replace all roaming profiles with mandatory profiles, while still allowing a
user to save registry information between sessions. This allows for much faster Logon and Logoff times and easier
administration, while still giving the user the same experience of saving settings between sessions. For information
on how to configure the profiles, see Configure user profiles with Simplify Profiles (on-line documentation).
3.2.3 Interaction with Windows policies and Profiles
Simplify Profiles does not hinder existing Windows policies, assignments, or other scripts (including GPOs) as they
will continue to apply to the user’s session. Simplify Profiles applies personalized settings to the user’s profile
(ntuser.dat) after Windows has loaded the profile, therefore the Simplify Profile settings will take precedence over
these settings.
At Log Off, Simplify Profiles captures values from the registry to save before the profile is unloaded. Once Simplify
Profiles completes, Windows unloads the profile normally. Using the Microsoft User Profile Hive Cleanup (UPHC)
service will help ensure graceful Log Outs in more complex environments.
Assignments for Simplify Profiles are made with the RegSet plug-in pulling data from the SQL database, which is
much more efficient than GPOs, scripts, and other utilities. Typically implementing Simplify Profiles includes
replacing the inefficient configurations with Simplify Profile assignments. The best practice use for Simplify Profiles
would be to start with a baseline mandatory profile appropriate for the terminal server environment, and then
apply customized settings for each user through Simplify Profiles.
3.3 Windows Policy Objects
Windows Policies are common policies in Windows environments typically configured through Group Policies or
scripts. The policies included are Drive Mappings, Drive Restrictions, Explorer settings, and Folder Redirections.
These Windows Policies are easy to configure and delivered instantly.
Note: Simplify Profiles automatically reverts Windows Policies at user logoff, unlike registry changes made by other
pieces of Simplify Profiles such as Profile and Registry objects.
3.3.1 Drive Mappings
Instead of relying on complex or hard to set up logon scripts, Tricerat’s Drive Mappings injects the registry keys,
roughly 512 bytes of data per drive mapping, into users’ profiles (ntuser.dat). On some systems, Windows will
automatically detect the registry changes, while on others, Simplify Drive Mappings will also instruct Windows to
create the drive mappings as well as change the registry. Typically, drive mappings are assigned to a security group
that has been granted access to the network share, thus making the authentication process unnecessary.
Creating a new network drive mapping is easily accomplished by creating a new drive mapping object. After
creating a new object, select the desired drive letter and enter in the network path. After saving the object, it can
be assigned to the appropriate Owner.
To create a new drive mapping:
1. Right-click the Drive Mappings folder or select the New Object button.
2. Select the drive letter, then enter the path or browse to the desired network path. Name the
Object and save the settings.
3. The Object has been created and the last step is to assign it to the appropriate Owner. In this
example, the Human Resources drive mapping has been assigned to the Human Resources Active
Directory Security Group.
Drive Mappings does support variables such as %USERHOME% and %USERNAME%. Machine names such as
\\tsclient and \\client can also be used to reference the client’s local drives such as
\\tsclient\c$\Documents and Settings\%USERNAME%\My Documents\, but this requires the client and
server account to be named the same.
3.3.2 Drive Restrictions
The Drive Restriction Object in Simplify Profiles provides an easy method to hide or restrict drives in a user session.
To configure a Drive Restriction, select the drives that should be restricted and then select the type of restriction.
Users can run applications on restricted drives if executed through triShell shortcuts, and the application will still
automatically load files and folders on restricted drives.
Hide these specified drives in My Computer: Hiding a drive simply removes it from any drive listing,
such as explorer or a save dialog. Using drive hiding does not prevent a user from typing the drive
letter and browsing the drive.
Prevent access to drives from My Computer: Restricting access to a drive prevents the user from
viewing a listing of any files on the drive. This does not prevent them from accessing a file when using
the full path to the file, which makes it safe to use even on the system drive. The drive restriction
policies do not replace traditional file permissions, but can provide additional security and streamline
the user environment.
First select the type of restriction you wish to apply. Then select the drives that you would like to hide
or restrict access to. Both hide and restrict restriction types can be selected at the same time and the
options selected will apply to all drives selected in the drive list.
Note: To remove drive restrictions or hidden drives, create a Drive Restriction Object with Hide these
specified drives in My Computer and Prevent access to drives from My Computer enabled and no
Drives selected, and then assign it to the user.
3.3.3 Explorer Restrictions
The Explorer Restriction object in Simplify Profiles provides an easy method to apply basic restrictions to file
Explorer and Internet Explorer. The policies offered in this object are common to terminal server installations and
recommended by Microsoft for a locked down terminal server environment.
Explorer Restrictions
• Remove the Folder Options menu item from the Tools menu – Removes the Folder Options item from all
Windows Explorer menus and removes the Folder Options item from Control Panel
• Remove File menu from Windows Explorer – Removes the File menu from My Computer and Windows
Explorer
• Remove Map Network Drive and Disconnect Network Drive – Prevents users from connecting and
disconnecting to network drives with Windows Explorer and removes the corresponding menu options
• Remove Search button from Windows Explorer – Prevents users from searching for applications from
Windows Explorer
• Remove Security Tab – (Windows Server 2003) Removes the Security tab from Windows Explorer
• Remove Windows Explorer’s default context menu – Removes the shortcut menu from Windows
Explorer
• Hide the Manage item on the Explorer shortcut menu – Removes the option that opens the Computer
Management MMC snap-in from Windows Explorer
• Remove Hardware tab – Removes the Hardware tab from Mouse, Keyboard, Sounds and Audio Devices in
Control Panel and from the Properties dialog box for all local drives.
• Remove Order Prints from Picture Tasks – (Windows Server 2003) Removes the “Order Prints Online
from Picture Tasks” link in the My Pictures Folder
• Remove Publish to Web from File and folders Tasks – (Windows Server 2003) Removes “Publish this file
to the Web,” “Publish this folder to the Web,” and “Publish the selected items to the Web from File and
Folder” tasks in Windows Explorer
• No “Computers Near Me” in My Network Places – Removes computers in the user’s domain from lists of
network resources in Windows Explorer and My Network Places
• Turn off Windows+X hotkeys – (Windows Server 2003) Turns off Windows+X hotkeys, such as
Windows+R for the Run dialog box or Windows+E for Windows Explorer
• Turn on Classic Shell – Removes the Active Desktop and Web view features. This results in a user interface
that looks and operates like the interface for Windows NT 4.0
• Hide the common dialog places bar – Removes the shortcut bar from the “Common Open File” dialog box
Internet Explorer Restrictions
• Disable Find Files via F3 from within the browser – (Internet Explorer 5) Disables the use of the F3 key to
search in Microsoft Internet Explorer and Windows Explorer
• Disable Context menu – (Internet Explorer 5) Prevents the shortcut menu from appearing when users
click the right mouse button while using the browser
• Hide Favorites menu – (Internet Explorer 5) Prevents users from adding, removing or editing the list of
Favorite links
Additional Explorer Restrictions can be applied to Explorer using HKCU RegSets.
3.3.4 Folder Redirection
The Folder Redirection Object in Simplify Profiles provides an easy method to redirect user shell folders to a
network location, giving users access to the file portion of their profile while maintaining fast logon and logoff
speeds. Folder Redirections can be used with any Windows profile to provide a centralized and incorruptible
Documents and Settings for users. They can be used in conjunction with roaming profiles to improve logon/logoff
speeds, as the redirected folders are no longer copied to each machine the user logs into, but rather, are accessed
over the network. They can also be used in conjunction with mandatory profiles as well, though in this case their
purpose is to provide a method to retain user files even after logoff, which normally cannot be done with
mandatory profiles. We strongly recommend using mandatory profiles to increase speed while Simplify Profiles
delivers personalized environments. For more information about Windows User Profiles Types, see Section 3.2.1.
To configure a redirection path, place the path name in UNC format in each edit box in the dialog. To leave a
setting at the default, simply leave the edit box blank. System variables are allowed, so use a setting such as
\\server\profiles\%USERNAME%\Desktop to keep each user’s desktop folder separate.
Folder Redirection Types:
• Application Data – Stores state information, settings and data from applications such as custom
dictionaries, toolbar settings, and other items not stored in the registry.
• Cookies – Location of Internet Explorer Cookies and index.dat. This file functions as a
repository of redundant information, such as web URLs, search queries and recently
opened files. All auto complete functions are stored in the index.dat file. This
directory should be redirected if users use Internet Explorer.
• Desktop – Location of desktop shortcuts, files and folders. This Desktop folder
refers to the Desktop folder used by Windows Explorer and has no effect when the
user shell is triShell.
• Favorites – Location of Internet Explorer Favorites. Redirecting this directory
ensures users’ favorites are backed up.
• History – Location of Internet Explorer History. Redirecting this enables users to
retain browsing history.
• My Documents – Location of the user’s “My Documents” folder, which stores the
user’s work files such as documents, spreadsheets, etc.
• Recent – Location of “My Recent Documents,” a Windows directory that auto-generates
shortcuts to recently accessed files and folders. This directory can be
published to the user’s triShell Desktop.
• Start Menu – Stores the shortcuts and program groups that make up the user’s
Start Menu. This refers to the Start Menu folder used by Windows Explorer and has
no effect when the user shell is triShell. Redirecting this directory allows users to
take advantage of the “Pin to Start Menu” feature.
To create a new Folder Redirection:
1. Right-click on Folder Redirection and select the new object menu item or select the New
Object button at the top of the Objects pane.
2. Name the Object, enter the paths for redirection and check off the folders that need to
be redirected. In this example Application Data has not been redirected.
3. The last step is to assign the Object to the desired Owners. In this example, the Folder
Redirection is applied to the domain level, thus redirecting every user’s folders on every
Simplify Profiles server.
3.3.5 Environment Variables
Environment Variable Policies are supported as of Simplify Profiles 5.6.
Similar to Profiles objects, multiple environment variable operations can be performed within an Environment
Variable object. These operations are entered onto a grid, with columns Variable Name, Operation Type, and
Variable Value. The variable name is the environment variable name, such as PATH. Three operation types are
supported: New Value, Add to Existing Value, and Delete Existing Value.
New Value - sets the environment variable to be the Variable Value.
Delete Existing Value – deletes the environment variable, and ignores the Variable Value
Add to Existing Value – Environment variables are a list of values separated by semicolons. This operation is similar
to New Value if the environment variable does not exist, otherwise it adds the Variable Value to the list of values.
Clicking the Delete Selected Row button will clear the row from the grid, removing the operation.
Left-clicking Import Existing opens up a GUI window with a table of the administrator’s current environment
variables. Left-clicking a row selects it, and multiple rows can be selected. Left-Clicking Import imports all of the
selected rows to the environment variable grid as New Value operations. Note that importing does not import the
type (User or System) of environment variable; that is set in the Config tab. So if you import a System variable and
select User Logon/Logoff in Config, then it will be set as a User environment variable.
The Config tab determines when environment variable operations are performed (beginning operations) and
undone (ending operations). It also determines whether the environment variable operations are on system or
user environment variables.
User Logon/Logoff is the default setting. When this is selected, beginning operations occur when a user logs on,
and ending operations occur when a user logs off. Selecting this results in user environment variable operations.
If Application Start/End is selected, then beginning operations will occur when one of the applications that are
selected is opened and none of the others are currently open, and ending operations will occur when one of the
applications that are selected is closed and none of the others are currently open. Selecting this results in user
environment variable operations.
If Startup is selected, then beginning operations occur when the server is restarted, and ending operations never
occur. Selecting this results in system environment variable operations.
3.4 Profile and Registry Objects
Profile and Registry objects provide the backbone of Simplify Profiles by allowing administrators to deliver
personalized environments with mandatory profiles through registry operations and file operations. Supported
registry operations are Save/Restore, Set, and Delete. These operations are facilitated through Tricerat’s RegSet
technology. Supported file operations are Copy, Move, Rename, and Delete.
Profile objects define operations on the HKCU registry as well as user files during user logon and logoff, while
Registry objects define operations on the HKLM registry during server startup and shutdown. Note that to apply a
Registry object Set or Delete operation, the server must be restarted. While this is a limitation of HKLM registry sets, there is
often a corresponding HKCU registry key. In these cases, it is recommended to use a Profile object Set operation on
the HKCU registry key instead of a Registry object Set operation on the HKLM registry key.
Save/Restore
This operation exports specified registry settings to the Simplify database at logoff and imports those saved
settings back into the user’s profile at logon. Save/Restore operations enable you to replace roaming profiles with
mandatory or local profiles without losing any features. The hybrid solution optimizes logon/logoff performance,
nearly eliminates corruption and ensures securely backed-up user settings.
Set
This operation imports administrator-defined registry settings to the user profile during the logon process. The Set
operation can be used to lock down applications, replace Group Policies or set system and application settings.
Delete
This operation is used to delete settings from a user profile at logon. Temporary keys or values left behind by
applications can enlarge a profile and reduce efficiency in large profiles. The delete operation enables the
administrator to manage and clean up these temporary keys and values.
To perform any registry operation, locate the registry key or value you are looking for and right-click on that item
to see a menu of available registry operations. The menu items are context sensitive, so if you select a registry key,
only operations applicable to that registry key are shown.
Creating a new registry object:
Operations available on a registry key:
Operations available on a registry value:
Select the operation you wish to perform and the selected item will turn bold indicating it now has an assigned
registry operation. The State column will now also specify the assigned registry operation. If the new operation
affects any child registry items, they will also now be bold.
Multiple registry operations can be assigned within one registry object. Thus, you can create a new registry object
that contains any combination of Save/Restore, Set, and Delete operations.
See each sub-topic for a more detailed explanation of the registry operations.
3.4.1 Registry Operations
3.4.1.1 Save/Restore Operations
The Save/Restore operation is the basis of the Simplify Profiles technology. When you select to save/restore a
registry key, then that key will be saved to the SQL database when a user logs out of their terminal session, and will
be restored when the user logs back in.
To create a registry Save/Restore operation, locate the registry item you want to perform the Save/Restore on,
and right-click to bring up a menu of available registry operations. If you selected a registry key, you will have two
options under Save/Restore: Entire Key and All Subkeys and Entire Key and No Subkeys. If you have selected a
registry value, then the Save/Restore This Value option is available.
Select the operation you wish to perform, and the selected item will turn bold indicating it has an assigned registry
operation. The State column will now also specify the registry operation. If a Save/Restore operation was
performed on a registry key, all children affected by the new operation will also be bold.
During a user session, the save and restore occurs during user logon and logoff. When the user logs into a session,
Simplify Profiles retrieves the saved registry values from the Simplify database and applies them to the session.
Then, when a logoff is initiated, Simplify Profiles will save the selected registry values back to the database. By
using a central database, the saved settings can be retrieved from any other server with Simplify Suite. Each user
maintains his or her unique set of registry settings, even if the registry definition is applied to a group of users.
Note: You can choose to Save/Restore the entire HKEY_CURRENT_USER hive, but it is a good idea to do it on a
more granular level in order to reduce logon times and unnecessary data replication on the network.
For related topics, see:
Section 3.7.1: Find a registry key for an application
Section 3.7.2: Microsoft Outlook Settings
Section 3.8.15: Where are the registry values saved?
3.4.1.2 Set Operations
The Set operation allows integration of mandatory settings with roaming settings in the same profile.
When you choose the set operation, you can set specific values in the registry every time a user logs on. This does
not prevent them from changing the values while they are in the session, but every time they log on it guarantees
that the value will return to what you have specified. Set operations can be used to deliver pre-defined application
or environment settings. This can be used to force security settings for poorly secured applications, such as
Internet Explorer and Explorer.
To create a registry Set operation, locate the registry value you want to perform the Set on, and right-click to bring
up a menu of available registry operations. Select the Set This Value option and the selected item will turn bold
indicating it has an assigned registry operation. The State column will now also specify the registry operation.
3.4.1.3 Delete Operations
The delete operation provides you with a way to clean the registry. Temporary keys or values left behind by
applications can enlarge a profile and reduce efficiency, and by deleting specific keys and/or values, you can regain
this lost efficiency.
To create a registry Delete operation, locate the registry item you want to delete, and right-click to bring up a
menu of available registry operations. If you selected a registry key, then the Delete Key option can be used. If you
have selected a registry value, then the Delete This Value option is available.
In the example below, the Typed URLs under Internet Explorer will be deleted every time the user logs in to a
terminal session.
3.4.2 File Operations
Simplify Profiles’ File Operations offer the ability to copy, move, rename, and delete files and folders when a user
logs on or off of the Terminal Server. It is also possible to copy files and folders back to the original location when
the user logs off the Terminal Server. File Operations and Folder Redirections allow the administrator to fully
customize and deliver the user’s files without the expense of performance and application presentation.
The traditional means of File Operations are through scripts which require knowledge of syntax and group policies.
Furthermore, scripts can become cumbersome to update and difficult to manage and deploy. The Simplify
Console’s File Operations are simple to create and assign to users and computers. Many common locations are
built-in to Simplify Profiles, such as User’s Profile, Local AppData, User’s Documents and Program Files, simplifying
configurations.
These file operations provide means to overcome limitations in legacy applications. For example, certain programs
are coded for local profile environments statically saving files to uncontrolled folders such as Local AppData or
%USERPROFILE%\Folder. These features enable the ability to deliver single-user OS applications to many users in
multi-user environments.
The folder Copy operation is useful when you have a scenario that requires you to “roam”
specific directories. One example would be an application that writes to a temporary
directory. It may not be efficient to redirect users’ temporary directories to a network share
location. With the folder copy operation, the temporary directory can be copied from a
network share location upon logon, as well as copied back to the network share when the
user logs off. Copy operations can be applied to both files and folders.
File Move operations work similarly to the Copy function; however the original file or folder
is deleted once the copy function finalizes.
The Delete operation adds the ability to delete files or folders when a user either logs on or
off of the Terminal Server. Some examples of its usage include removing files from a user’s
AppData folder or deleting the user’s local cached profile completely when the user logs off
of the Terminal Server.
New File Operations Objects can be created by right-clicking on the desired operation and
selecting New Object or by pressing the New Object button.
3.4.2.1 Copy/Move/Rename Operations
After creating a New Operation, click the tab in the right menu that says File Operations.
There are two operation buttons to choose from: the New Copy/Move/Rename
Operation button and the New Delete Operation button. Click on the New
Copy/Move/Rename Operation button. This will create a selection below the button in
the operation grid. Rename the operation to a desired name.
Select the Operation Type in the box below the grid called Type of Operation. Once the
Operation Type has been selected, you will want to select the target folder or file with
which to apply the operation. The target path can be either a local path or a UNC path. The
path can also include Windows environment variables such as the %USERNAME% variable.
Note: The use of mapped drive letters is not supported when selecting target files or
folders, because a mapped drive is a drive, not a folder. Using the UNC path instead will
overcome this.
There are also some predefined options available when selecting the target file or folder.
These options include Local AppData, Program Files, User’s Documents, and User’s Profile.
You can use the predefined target locations followed by a backslash (\) and then the folder or file
name to point to a file or folder that is within the predefined location.
Example: [Program Files]\Tricerat
Once the target file or folder has been selected, you will now want to select the Destination folder.
Like the target location, the destination can include the Windows environment variables and can be
either a local or a network location. There are also some predefined options available when selecting
the destination file or folder. These options include Local AppData, Program Files, User’s Documents,
and User’s Profile.
When creating file or folder Rename operations you will need to input the new file or folder name.
3.4.2.2 Operation Specific Settings
Additional options are located at the bottom of the operation settings pane. These operations vary
depending upon the type of operation selected.
If a Copy File operation is selected, you will be given the additional options to Overwrite file if it
exists and Copy file back at logoff. Copy file back at logoff will only copy the file back to the original
location if a change is detected.
The Move File options are basically the same as the Copy File options, except the option
to Copy file back at logoff is changed to Move file back at logoff. If Move file back at
logoff is selected, the file is copied back to the original location and the destination file is
deleted.
The Rename File Options give you the ability to Overwrite file if it exists.
The additional options for the Copy Folder operation are Include Subfolders and Copy
folder back at logoff. Include Subfolders will copy all subdirectories from the specified
target directory to the destination folder. Copy folder back at logoff copies the specified
folder back to the target location upon logoff. If both options are selected, the specified
folder and all subfolders are copied back to the target location upon logoff.
The Move Folder Options are basically the same as the Copy Folder Options except the
option to Copy folder back at logoff is changed to Move folder back at logoff. If Move
folder back at logoff is selected, the folder is copied back to the original location and the
destination folder is deleted.
The Rename Folder Options give you the ability to replace the folder if the renamed
folder name already exists in the specified directory.
3.4.2.3 Delete Operations
A New Delete Operation can be created by clicking on the File Operations tab and clicking
on New Delete Operation.
After creating the new object, you can rename it to your liking and then select the Operation Type. You are given
the option to either Delete File or Delete Folder.
3.4.3 Configuration
The Config tab determines when beginning operations such as registry sets, restores, and deletes, and ending
operations such as registry restores occur.
User Logon/Logoff is the default setting. When this is selected, beginning operations occur when a user logs on,
and ending operations occur when a user logs off.
If Application Start/End is selected, then beginning operations will occur when one of the applications that are
selected is opened and none of the others are currently open, and ending operations will occur when one of the
applications that are selected is closed and none of the others are currently open.
In Simplify Profiles 5.6 and greater, if User Logon/Logoff is selected, then the Execute on Session
Disconnect/Reconnect option is available. If this option is selected, beginning operations occur when a user logs
on and when a user reconnects, and ending operations occur when a user logs off and when a user disconnects.
The main use of this option is to allow assignments made to the client computers to be refreshed when a user
switches from one device to another device via disconnect and reconnect. For example, if a user has a registry set
with this option on for single-click assigned to a mobile client device and a registry set with this option on for
double-click assigned to a desktop client device, if the user disconnects while on the desktop client device and
reconnects while on the mobile client device, he will have the single-click setting.
3.5 Administrative Templates
The Simplify Suite provides Administrative template support from within the console for servers
running NT6 (Windows Vista, Windows 7, Windows 8, Server 2008, and Server 2012). Similar to Windows
Policy Objects, Administrative Templates allow administrators to edit the registry through a user-friendly interface with helpful explanations of settings. However, each Windows Policy Object type is
individually maintained and tailored through the Simplify Console, allowing for only a few common
types of policies such as Drive Mappings and Folder Redirections. On the other hand, Administrative
Templates are loaded from a folder outside of the Simplify Console containing .admx files provided by
Microsoft or other companies, allowing for hundreds of different types of policies. These files tell the
Simplify Console how to build the interface that administrators use to create Administrative Template
objects. These objects act like any other Suite object, and allow administrators to edit policies,
manage, and assign them to specific users or groups.
3.5.1 General Use
The Administrative templates editor uses the same store locations as the native policies (the .admx
files). The central store is located at %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions. The
editor pulls in the existing templates from the central store on the network and displays them
within the console, allowing them to be edited and assigned. There is also a local store that allows
the administrator to edit ADMX files that are only on the local computer. The local store is located at
%systemroot%\PolicyDefinitions. Using the central store is highly recommended for production scenarios,
as this allows all administrators in the Active Directory to make changes to the template.
Once the Administrative template store has been loaded with the correct files, Administrative
template objects can be created. The files in the store allow the Simplify Console to load in a user
interface that corresponds to the files. This custom data is displayed in the Administrative Templates
panel, which contains two sides. The left side is a tree view of template keys. These keys can be filtered to reveal
what has been configured and aid in searching as explained in Section 3.5.3. Selecting a template key loads the
right side, which is a list view of the template values contained under the template key. Standard use involves
selecting between Enabled, Disabled, and Not Configured for each template value. Advanced use involves custom
Properties, as explained in the following section.
There are two types of Administrative template objects: computer level objects and user level objects.
The Computer configurations will only be applied when assigned to a computer, whereas the User
configuration will be applied when assigned to a User or Group. The administrative template
assignments are applied at computer startup for computer configurations and user logon for user
configurations.
To create an Administrative template:
1. Right-click the Computer Configuration or User Configuration folder under Administrative Templates and select New Object.
2. Select the User or Computer Configuration setting desired and Save the settings. Note: There is a brief description on the policy setting and details of the effect of enabling the setting in the lower right on the console.
3. The object has been created and can now be assigned to the desired owner.
3.5.2 Custom Properties
Simplify Profiles provides support for advanced administrative templates features called custom properties. These
features, located on specific values, allow many more types of input for a single value besides Enabled, Disabled,
and Not Configured. This is done by dynamically loading custom GUI checkboxes, decimal textboxes, dropdown
lists, listboxes, and textboxes. The GUI elements are initially disabled, and are enabled by setting the main
property to Enabled. Multiple GUI elements can correspond to a single administrative template value, as shown
below where both a listbox and a checkbox correspond to the value Allow Delegating Default Credentials….
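What an .admx file contributes to the console, as an added example (not code from Tricerat or from this guide): the Python sketch parses a constructed policy definition and lists, for each policy, whether it is a Computer or User setting, the registry value it writes, and the extra inputs it declares. The sample policies, the function names and the mapping of ADMX element types to the control kinds named above are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"}

# Assumed mapping from ADMX element types to the control kinds the guide lists.
CONTROL_FOR_ELEMENT = {
    "boolean": "checkbox",
    "decimal": "decimal textbox",
    "enum": "dropdown list",
    "list": "listbox",
    "text": "textbox",
}

# ADMX "class" attribute -> registry hive(s) the policy is written to.
HIVES_FOR_CLASS = {"Machine": ["HKLM"], "User": ["HKCU"], "Both": ["HKLM", "HKCU"]}

# Constructed sample; not a real Microsoft template.
SAMPLE_ADMX = """
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="ExampleDelegation" class="Machine"
            displayName="$(string.ExampleDelegation)"
            key="Software\\Policies\\Example\\Delegation" valueName="AllowDelegation">
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
      <elements>
        <list id="Servers" key="Software\\Policies\\Example\\Delegation\\Servers"/>
        <boolean id="Concatenate" valueName="ConcatenateDefaults"/>
      </elements>
    </policy>
    <policy name="ExampleHomePage" class="User"
            displayName="$(string.ExampleHomePage)"
            key="Software\\Policies\\Example\\Browser">
      <elements>
        <text id="Url" valueName="HomePage"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""


def written_value(policy, tag):
    """Value stored for the Enabled/Disabled state, or None if the policy defines none."""
    node = policy.find(f"a:{tag}/*", NS)
    if node is None:
        return None
    kind = node.tag.split("}", 1)[1]
    if kind == "decimal":
        return int(node.get("value"))
    if kind == "string":
        return node.text or ""
    return kind  # e.g. "delete": the value is removed rather than written


def parse_admx(xml_text):
    """Return one dict per <policy>: hive(s), registry key/value and declared inputs."""
    root = ET.fromstring(xml_text)
    policies = []
    for pol in root.findall("a:policies/a:policy", NS):
        elements = []
        for el in pol.findall("a:elements/*", NS):
            kind = el.tag.split("}", 1)[1]
            elements.append({
                "id": el.get("id"),
                "kind": kind,
                "control": CONTROL_FOR_ELEMENT.get(kind, "unknown"),
                # An element without its own key writes under the policy's key.
                "key": el.get("key", pol.get("key")),
                "valueName": el.get("valueName"),
            })
        policies.append({
            "name": pol.get("name"),
            "hives": HIVES_FOR_CLASS.get(pol.get("class"), []),
            "key": pol.get("key"),
            "valueName": pol.get("valueName"),
            "enabled": written_value(pol, "enabledValue"),
            "disabled": written_value(pol, "disabledValue"),
            "elements": elements,
        })
    return policies


def policies_for_level(policies, level):
    """Names of policies usable in a 'Computer' or 'User' configuration object."""
    hive = {"Computer": "HKLM", "User": "HKCU"}[level]
    return [p["name"] for p in policies if hive in p["hives"]]


if __name__ == "__main__":
    for p in parse_admx(SAMPLE_ADMX):
        print(p["name"], p["hives"], p["key"], p["valueName"], p["enabled"], p["disabled"])
        for e in p["elements"]:
            print("   ", e["control"], "->", e["key"], e["valueName"])
```

Reviewing templates this way before loading them into a store shows exactly which registry locations an Enabled or Disabled choice will touch.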
3.5.3 Template Key Filter
Simplify Profiles 5.6 contains a filtering feature for administrative templates to reveal what has been configured
and aid in searching. The Administrative Templates panel contains two sides, with the filtering feature located at
the bottom of the panel. The left side is a tree view of template keys, and the right side is a list view of template
values. The filter feature hides keys that do not meet the specified criteria and do not have a child key that meets
the specified criteria.
• Only show configured keys
This option hides all keys that have all values set to Not Configured. In the example below, Regional and Language Options is shown because it has a value, Force selected system UI… that is set to Enabled.
• Only show keys with names containing
This option hides all keys that do not have the given text in the name, case insensitive. In the example below, Regional and Language Options is shown because regional is part of the key name.
• Only show keys with values containing
This option hides all keys that do not have the given text in at least one of its values. In the example below, Regional and Language Options is shown because selected is part of the value name Force selected system UI…
3.5.4 Troubleshooting
3.5.4.1 Sometimes the Administrative Templates panel vanishes
This is a known problem. Simplify Profiles versions 5.6 and greater fix many scenarios where the Administrative
Templates panel vanishes, but some still remain. To force a refresh, select an object or object type that is not an
Administrative Template object, then select the Administrative Template object again and the panel should show
correctly.
3.6 Simplify Profiles Offline Mode
Simplify Profiles supports an offline mode. This mode will allow users to log in without database or network access
and still retain their profiles settings.
To turn on Offline Mode, follow these steps:
1. In the Console go to Tools -> Options.
2. The Options window will be displayed. Select the Settings option under Offline Mode.
3. Check the Enable Offline Mode for Simplify Profiles check box. You will also want to check the Enable Offline mode for Simplify Desktop check box if you have Desktop installed on this machine. Note: When making changes to Offline Mode the Profiles and Lockdown services need to be restarted for the changes to be picked up.
4. Click OK. Offline mode will now be enabled.
Note: Users must have logged in at least once while the Simplify Profiles server was properly connected to receive
their profiles settings when offline later. If a user’s settings have been changed through the Simplify Console, these
settings will not be received by the user until the next time they log in online.
3.7 Walkthroughs
3.7.1 Find a registry key for an application
Many Windows applications store settings in the HKEY_CURRENT_USER hive of the registry. The HKEY_CURRENT_USER hive
is structured in an organized manner, but it is not designed to be natively browsed and edited like a file browser.
For many applications it is unclear where specific settings in the registry are stored. Generally Windows
applications store settings in HKCU\Software\Vendor\Application\. For example, all Tricerat’s ScrewDrivers Clients
store user settings in HKCU\Software\Tricerat\Simplify Printing\ScrewDrivers Client v4\. Not all application
vendors follow Microsoft’s standards, and some applications change registry settings in other locations (see
Microsoft Outlook S/R).
The process of discovering the specific registry keys required to save application settings may initially seem
difficult, but many resources are available in this help document as well as online to assist administrators with
commonly used applications. Simplify Profiles includes the RegDiff tool (Section 3.9.1) to help facilitate the process
of locating and creating the registry objects with the correct Save/Restore operations.
3.7.2 Microsoft Outlook Settings
Microsoft Outlook is one of the more complex applications in multi-user environments. The majority of the
application settings are stored in the standard location under Software\Vendor\Application\ but Outlook also uses
the Windows Mail Profile which stores settings in a completely separate section of the profile. The directions
below explain the process to deploy personalized Outlook settings to users.
1. Create a new registry object named Outlook Settings under the HKEY_CURRENT_USER folder
2. Locate the Software\Microsoft\Office\<version>\Outlook key (or Software\Microsoft\Office - generally the entire Office registry key is Saved/Restored)
3. Right-click the Outlook (or Office) key, select Save/Restore, then select Entire Key and all Sub keys.
4. Locate the Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles key
5. Right-click the Profiles key, select Save/Restore, then select Entire Key and all Sub keys.
6. Apply the Changes (Section 2.4.7)
7. Assign the Outlook Settings object to the desired owner (Section 2.3.1)
Microsoft Outlook also stores application settings in AppData and Local AppData. It is recommended to redirect
the AppData folders using Folder Redirections.
3.7.3 Internet Explorer Home Page
In this example, a Registry Set operation will be created to set the Internet Explorer home page to
www.tricerat.com. This is a small example of the RegSet plug-in of Simplify Profiles.
1. Create a new Profiles registry object named IE Start Page under the Profiles folder
2. Browse to Software\Microsoft\Internet Explorer\Main registry key on the HKCU Registry
Viewer tab
3. Right-click on the Start Page value and select Set This Value
4. Set the string to the web page of your choosing, such as http://www.tricerat.com, and
press OK
5. Save the object (Section 2.4.7)
6. Assign the IE Start Page object to the desired owner (Section 2.3.1)
Owners that have this setting will have their Internet Explorer home page forced to the
appropriate website at each login.
3.7.4 Internet Explorer Security Settings
This guide will show you how to manage security settings for any zone using Internet Explorer. After deciding what
security settings you wish to configure for each zone, you will need to create a registry object and name it (for this
example, we will name it IE Security). For this example, we will allow ActiveX controls to be run for the Internet
Zone:
1. Select the IE Security object.
2. In the right pane, navigate to Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones.
3. Expand the 3 folder (for the Internet Zone).
4. Right-click on 1200 (Run ActiveX controls and plug-ins), select Set.
5. Type 1 in the text box, and then click OK.
6. Right click on 1001 (Download signed ActiveX controls), select Set, type 1, and Click OK.
7. Now apply the changes (Section 2.4.7) for the registry object and assign it to an OU (Section 2.3.1).
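A check on the values this walkthrough sets, as an added example (not from this guide): the Python sketch parses a constructed .reg export of the Zones key and decodes each URL action value using Internet Explorer's documented encoding (0 = Enable, 1 = Prompt, 3 = Disable), then lists the actions in a zone that are not set to Disable. The sample export and the function names are assumptions.

```python
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Documented URL action policy values for Internet Explorer security zones.
POLICY = {0x0: "Enable", 0x1: "Prompt", 0x3: "Disable", 0x10000: "Administrator approved"}
# The two actions used in the walkthrough above.
ACTIONS = {"1001": "Download signed ActiveX controls",
           "1200": "Run ActiveX controls and plug-ins"}

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Constructed sample export: zone 3 as configured by the walkthrough, zone 4 locked down.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1200"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"DisplayName"="Restricted sites"
"1001"=dword:00000003
"1200"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[0-9A-Fa-f]{4})"=dword:(?P<val>[0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Return {(hive, zone_number): {action: dword}} for each numbered Zones subkey."""
    result = {}
    current = None
    prefix = ZONES_KEY.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = None  # values that follow belong to this key only
            path = key.group("path")
            if path.lower().startswith(prefix):
                tail = path[len(prefix):]
                if tail.isdigit():
                    current = (key.group("hive"), int(tail))
                    result.setdefault(current, {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            result[current][value.group("name").upper()] = int(value.group("val"), 16)
    return result


def describe(value):
    """Human-readable meaning of a URL action value."""
    return POLICY.get(value, f"unknown (0x{value:x})")


def report(text, actions=ACTIONS):
    """Rows of (hive, zone name, action id, action label, decoded setting)."""
    rows = []
    for (hive, zone), values in sorted(parse_zone_export(text).items()):
        for action, label in actions.items():
            if action in values:
                rows.append((hive, ZONES.get(zone, str(zone)), action, label,
                             describe(values[action])))
    return rows


def not_disabled(text, zone=3):
    """Actions in the given zone whose setting is anything other than Disable."""
    return [(r[2], r[4]) for r in report(text) if r[1] == ZONES[zone] and r[4] != "Disable"]


if __name__ == "__main__":
    for row in report(SAMPLE_REG):
        print(" | ".join(row))
    print("Internet zone, not disabled:", not_disabled(SAMPLE_REG))
```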
3.7.5 Configure Redirected Shell Folders
1. Create a folder on a file server that is accessible to all terminal servers. The folder should allow full control to everyone.
2. Share the folder and make sure the share permissions grant Full Control to Everyone.
3. In Simplify Console, create a new Folder Redirection Object. (Section 2.3.1)
4. For folders you want to redirect, change the path to the new share. For instance, set My Documents to \\server\share\%USERNAME%\My Documents.
5. Assign the object to the desired owners. (Section 2.3.1)
Users that have the redirected folder assignment will now have the shell folders specified
redirected to the file share. This can be verified by viewing the file share for the creation of
the user folder and sub-folders. Folders will not be created until a file read or write operation is
performed, so it may be necessary to perform an action such as opening an application or
saving a file. As a follow up to these steps, it is best to restrict permissions to the user shell
folders share. For more information, see Section 3.8.14: What permissions are required for redirected
folders?
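A follow-up check for the permissions left on the share and the per-user folders, as an added example (not from this guide): the Python sketch reads each folder's DACL in SDDL form (as produced by icacls /save or the Sddl property of Get-Acl) and reports allow entries that give a broad group write access. The folder names, SIDs and SDDL strings are constructed, and which groups count as broad is an assumption.

```python
import re

# SDDL two-letter access rights and their file access masks.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Bits that let a principal change content or permissions: FILE_WRITE_DATA,
# FILE_APPEND_DATA, FILE_DELETE_CHILD, DELETE, WRITE_DAC, WRITE_OWNER,
# GENERIC_ALL, GENERIC_WRITE.
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

# Assumption: these principals are treated as "broad" for a per-user folder.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "DU": "Domain Users",
}

# Constructed sample: the share root as created in steps 1-2, one folder that has
# been restricted to its owner, and one that still inherits a broad Modify entry.
SAMPLE_FOLDERS = {
    r"\\server\share": "O:BAG:DUD:(A;OICI;FA;;;WD)",
    r"\\server\share\alice": (
        "O:S-1-5-21-1-2-3-1104G:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
        "(A;OICI;FA;;;S-1-5-21-1-2-3-1104)"
    ),
    r"\\server\share\bob": (
        "O:S-1-5-21-1-2-3-1105G:DUD:AI(A;OICI;FA;;;S-1-5-21-1-2-3-1105)"
        "(A;OICIID;0x1301bf;;;AU)(A;OICIID;0x1200a9;;;BU)"
    ),
}


def rights_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask


def broad_write_aces(sddl):
    """Allow ACEs in the DACL that grant a broad principal any write-type right."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherited object;trustee
        if len(fields) < 6 or fields[0] != "A":
            continue
        flags, rights, trustee = fields[1], fields[2], fields[5]
        if trustee in BROAD and rights_mask(rights) & WRITE_BITS:
            findings.append((BROAD[trustee], rights, flags))
    return findings


def audit(folders):
    """Map each folder path to its broad write ACEs; folders without any are omitted."""
    report = {}
    for path, sddl in folders.items():
        hits = broad_write_aces(sddl)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in audit(SAMPLE_FOLDERS).items():
        for who, rights, flags in hits:
            print(f"{path}: {who} has {rights} (flags {flags})")
```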
3.8 Frequently Asked Questions
3.8.1 Can I set permissions on the registry values that are created by Simplify Profiles?
The current version does not allow custom permissions to be applied to registry settings, but instead uses the
default inherited permissions already defined in the registry.
As stated in various locations in this document, the recommended profile to be used with Simplify Profiles is a
single mandatory profile that everyone uses. The entire HKEY_CURRENT_USER hive should grant Full Control to
Everyone and System.
3.8.2 How can I see what is saved by Simplify Profiles?
Every user’s Save/Restore data is accessible through the Simplify Profiles triReg tool (Section 3.9.2). To access
triReg in the Simplify Console, select View and triReg or mouse over the triReg auto-hiding tab on the left.
triReg can be used to view and change the Save/Restore data for each user that has been saved to the Simplify
database. For more information about triReg, see the triReg section.
3.8.3 How do I save files in the user profile?
Simplify Profiles includes File Operations (Section 3.4.2) which can be used to save files and folders to specific
locations of the user’s profile. For example, if you want to deploy a manual or a commonly-used document to a
user, then use a File copy operation with a destination of the profile server, such as
\\server\profiles\%username%\My Desktop or My Documents. If Folder Redirections are not implemented, then
set the destination to %userhome%\Directory.
This method can be used to patch or clear application settings. For example, Citrix’s modules.ini file could be
associated with a File copy operation to deploy an upgraded file with new shortcuts for Citrix’s ICA client.
3.8.4 How do I use Simplify Profiles to eliminate issues with roaming profiles?
While roaming profiles bring many benefits to the end user experience, they also cause many administration
headaches. By using Simplify Profiles, an administrator can move everyone to a mandatory profile for easier
administration, no profile corruption, and faster logon/logoff times while still allowing the users to save their
settings and customizations between sessions.
3.8.5 How does Simplify Profiles improve performance?
The major benefit of Simplify Profiles is to allow the administrator to move all users to a mandatory profile, which
reduces logon and logoff times drastically. Local profiles technically provide the quickest logon for users because
all the data is local and stays local, but Mandatory profiles provide a centralized, pre-defined and easy-to-manage
profile.
With Save/Restore operations, an administrator can select which parts of the user’s registry are saved between
sessions. Because this setting can be customized for particular keys or values, only the registry information
that needs to be saved to the SQL database will be, making the process as streamlined as possible. The ntuser.dat
is known to expand uncontrollably, and these Save/Restore operations provide a controlled solution to the
uncontrolled Windows profile.
3.8.6 How are different versions of an application installed on different servers handled?
The manner in which Simplify Profiles handles different versions of software depends on the way the
application stores settings in the registry. Scenarios can include:
• The application uses the same keys and values between versions: This is the easiest case, and works the
same as if a single version is installed.
• The application uses different registry keys for different versions: If this is the case, a registry definition
must be set up for each version of the key, but the values will not conflict. While this is beneficial in that
each version of the application will have its settings saved and restored properly, it’s important to realize
that settings will not migrate across versions.
• The application uses different values in the same key: In this case, Simplify Profiles will save the values
after each logout. If the registry values conflict, they will be overwritten during the save process. If the
values do not conflict, then values for each version will be saved by the registry definition.
The vast majority of applications fall under the first two options, which means a save/restore setting applied to the
key for the application will cover all versions of that program. For example, Microsoft Office stores version-specific
values in a key named for each version. This guarantees that there are no conflicts between versions, and Simplify
Profiles can safely save and restore the entire set of registry values regardless of the version being used.
An alternative to saving the entire software key is to save the specific version key. A separate registry definition
will exist for each version, but only version-specific values will be saved with each definition. This is rarely
beneficial, and capturing the entire key is often recommended.
3.8.7 If I uninstall Simplify Profiles, what happens to the user profiles?
Simplify Profiles modifies the registry at each logon. If Simplify Profiles is removed from the system, the registry
settings will cease to be applied to the user profile. However, if the existing profile is still in place, it may contain
saved data from registry settings made previously. Note that with a Mandatory profile, which we encourage use of
with Simplify Profiles, the previous registry settings will be reset by the system once the user is logged off.
However, with a Roaming profile, registry settings applied by Simplify Profiles will remain after uninstallation due
to the nature of Roaming profiles. No new settings will be applied to the profile.
Uninstalling the Simplify Suite does not automatically uninstall the configuration database. If the configuration
database remains intact, both registry definitions and saved registry values will be available should the product be
re-installed.
3.8.8 What happens if a registry key or value that is part of a save/restore is deleted from the registry?
During the restore operation, Simplify Profiles will remove keys and values that are not included in the saved
information. This results in key or value deletions from one server propagating to other servers. This type of
synchronization only occurs when the registry scope selected is Apply to this key and all subkeys or Apply to this
key only.
3.8.9 What happens if the database connection fails?
If offline mode (Section 3.6) is turned on, Simplify Profiles will behave the same as when the database is
available. Note that any changes made through Simplify Console after the user last logged in will not be applied.
If offline mode is not being used and the database connection is unavailable to the Simplify configuration
database, Simplify Suite will fail to get the user registry assignments, and registry changes will not be made to the
session. The result will be the profile that is loaded by Windows, such as their local profile or network profile. If a
local or roaming profile is used, the settings from the previous session may have been saved into the profile, and
therefore may still be active in the session.
3.8.10 What happens when a user logs on to multiple sessions at the same time?
Simplify Profiles will save only the registry data that has changed during that session, limiting the situations where
a conflict can occur. If a conflict does still occur, however, then the information saved from the last Log Off will
remain in the database.
Generally, the terminal server should be configured to limit users to a single session.
For Microsoft’s Terminal Services RDP, users typically connect to a desktop where multiple applications can be
launched, thus multiple RDP connections to a single server are not recommended due to limitations in the
Windows Operating Systems and Windows Profiles.
Citrix ICA protocol supports session sharing which overcomes the limitations mentioned in the paragraph above.
The session sharing technology will open multiple applications from a single session so the user profile is shared for
every published application. It is recommended to research session sharing to ensure that every application,
server, and farm is configured for session sharing. For example, the resolution and color depth must be configured
identically for published applications to use session sharing.
3.8.11 Can I save registry hives other than HKEY_CURRENT_USER?
In the current version of Simplify Profiles, operations can only be performed on the HKEY_CURRENT_USER or
HKEY_LOCAL_MACHINE hives.
It is important to note that all hives other than HKEY_CURRENT_USER, such as HKEY_LOCAL_MACHINE, are not
user-specific, thus changes made to those hives will be applied to the entire system. While Simplify Profiles allows
this, it is important to consider the ramifications of this action before using a hive other than
HKEY_CURRENT_USER. In the case of some applications, registry keys in HKEY_LOCAL_MACHINE must be changed.
Simplify Profiles provides a method to make this change across all servers, but the change will apply to all users on
the machine. Therefore, it is important to keep changes to HKEY_LOCAL_MACHINE appropriate for all users on the
server, and not use user-specific values in HKEY_LOCAL_MACHINE.
3.8.12 How do the hide and prevent drive access options function?
The hide drives option in Simplify Drive Mapping will simply remove the drive from drive listing dialogs, but will still
allow access if the drive is accessed directly. The prevent option blocks any browsing of the drive, although it will
still show up in a drive listing. It is important to note that preventing access to a drive only stops browsing, but will
still allow files to be opened through direct access. Both options are valid ways to determine what a user can see
and browse, but they do not replace the need for proper file permissions.
For example, if Hide and Restrict drives are both applied to drive C:\ (the system drive), a user that opens My
Computer will not see drive C: in the drive listing due to the Hide policy. If a user types “C:\” into the address bar,
the message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your
system administrator.” will be displayed. If the user types “C:\Windows\Notepad.exe” into the address bar,
notepad will launch if the user has correct permissions on the Notepad.exe file.
3.8.13 What is the order of registry operations when they involve the same key or value?
Configurations using Delete will be applied first, followed by Set, and finally Save/Restore. This allows a default
configuration to be set in all profiles, and user-customized Save/Restore values to be applied as the final
configuration when Save/Restore information is present.
3.8.14 What permissions are required for redirected folders?
At minimum, the root folder must have NTFS permissions of Full Control for Creator/Owner, Full Control for local
system, and List and Create Folder for the users with folders in this location. The share must have Full Control for
the users with shell folders in this share. Finally, each user’s redirected folder requires Full Control for that user
and Full Control for the local system.
In large environments it is recommended to work with Security Administrators to find a solution that optimizes
security without compromising the user’s environment.
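One way to apply and audit the root-folder NTFS permissions listed above, as an added PowerShell example rather than vendor tooling. The folder path and group name are placeholders, and the entry scopes (this folder only for the users, subfolders and files for Creator/Owner) are assumptions the guide does not spell out.

```powershell
# Added example, not vendor code. Run elevated. Scopes marked "assumption" are not stated in the guide.
function New-AllowRule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $allow
}

function Set-RedirectRootAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,        # root that holds every user's redirected folder
        [Parameter(Mandatory)][string]$UserGroup    # group whose members redirect into $Path
    )
    $creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'    # CREATOR OWNER
    $localSystem  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'   # NT AUTHORITY\SYSTEM
    $users        = [System.Security.Principal.NTAccount]$UserGroup
    $children     = 'ContainerInherit, ObjectInherit'

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited entries
    foreach ($old in @($acl.Access)) { $acl.RemoveAccessRuleSpecific($old) }

    # Creator/Owner: Full Control on what each user creates (subfolders and files only: assumption)
    $acl.AddAccessRule((New-AllowRule -Identity $creatorOwner -Rights FullControl -Inherit $children -Propagate InheritOnly))
    # Local system: Full Control on the root and everything below it
    $acl.AddAccessRule((New-AllowRule -Identity $localSystem -Rights FullControl -Inherit $children -Propagate None))
    # Users: List and Create Folder on the root itself only (this folder only: assumption)
    $acl.AddAccessRule((New-AllowRule -Identity $users -Rights 'ListDirectory, CreateDirectories' -Inherit None -Propagate None))
    # The guide lists only the minimum; add an administrative group here if your policy needs one.

    if ($PSCmdlet.ShouldProcess($Path, 'Replace NTFS access rules')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Test-RedirectRootAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserGroup
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $groupSid = ([System.Security.Principal.NTAccount]$UserGroup).Translate($sidType).Value
    # Everyone, Authenticated Users, BUILTIN\Users, plus the redirected-folder group
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', $groupSid
    $allowedNames = 'ListDirectory, CreateDirectories, Traverse, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize'
    $allowed    = [int][System.Security.AccessControl.FileSystemRights]$allowedNames
    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000    # GENERIC_ALL: how inherit-only Full Control entries are often stored

    $rules = @((Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
               Where-Object { $_.AccessControlType -eq 'Allow' })

    # Required entries: Full Control for Creator/Owner and for local system
    foreach ($required in 'S-1-3-0', 'S-1-5-18') {
        $hit = $rules | Where-Object {
            $mask = [int]$_.FileSystemRights
            $_.IdentityReference.Value -eq $required -and
                ((($mask -band $full) -eq $full) -or (($mask -band $genericAll) -ne 0))
        }
        if (-not $hit) {
            [pscustomobject]@{ Finding = 'Missing Full Control'; Sid = $required; Rights = $null }
        }
    }
    # Broad groups must not hold more than List/Create Folder on the root, nor reach child objects
    foreach ($rule in $rules) {
        if ($broad -notcontains $rule.IdentityReference.Value) { continue }
        $extra = [int]$rule.FileSystemRights -band (-bnot $allowed)
        if ($extra -ne 0 -or $rule.InheritanceFlags -ne 'None') {
            [pscustomobject]@{ Finding = 'Broad group exceeds List/Create Folder on the root'
                               Sid = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
        }
    }
}

# Placeholder path and group; -WhatIf previews the change without writing it.
# Set-RedirectRootAcl  -Path 'D:\Redirected' -UserGroup 'EXAMPLE\RedirectedUsers' -WhatIf
# Test-RedirectRootAcl -Path 'D:\Redirected' -UserGroup 'EXAMPLE\RedirectedUsers'
```

Test-RedirectRootAcl returns nothing when the root matches the minimum described above; each returned object is an entry to review.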
3.8.15 Where are the registry values saved?
When a user with an assigned Save/Restore object logs out, the selected keys of the registry get saved to the
Simplify Suite database. Because all Simplify Suite servers have access to this database, the saved registry data is
available for users logging on to any server.
In the Simplify database, all users’ saved registry values are contained in the RegSetData table. Use triReg to view
and edit user Save/Restore data.
3.9 Simplify Profiles Tools
3.9.1 RegDiff
RegDiff is a versatile utility that complements Tricerat’s powerful Simplify Profiles technology by
aiding administrators in determining which registry keys and/or values need Save/Restore and Set
Registry Operations to give your users a customized computing environment.
RegDiff works by comparing either the HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE registry hives
and displaying any changes. New registry operations can then easily be made based on these changes
and with a few simple clicks, a new Registry object is created for the Simplify Console.
This tool is designed to help administrators determine the areas within the registry that are modified
when a setting is changed within a user’s session. Many applications and environment settings use the
registry. Some examples include:
• setting up an Outlook profile (Section 3.7.2)
• configuring applications for new users
• modifying environment and shell properties
• changing folder options
Using RegDiff to Create Registry Objects
RegDiff can be executed directly from “Program Files\Tricerat\Simplify Profiles\RegDiff.exe” or within the Simplify
Console, by selecting Tools -> External -> RegDiff.
To start a new comparison, select New Compare... or File -> New Compare...
A new window will appear where you can select to run the comparison on the HKEY_CURRENT_USER or
HKEY_LOCAL_MACHINE hive. Press the Start button to take the initial snapshot of the selected hives.
After the initial snapshot is complete, you can then perform various software operations that may affect the
registry. When ready, return to the RegDiff program and press the Done button. This will take the second snapshot
and compare the differences. After the comparison completes, any changes that have occurred will be displayed in
the main RegDiff window.
Note: In this example Internet Explorer’s Home page was changed from about:blank to www.tricerat.com.
To perform Registry Operations, right-click on a registry key or value and select the appropriate registry operation.
This works identically to how registry operations are performed within a Registry object in the Simplify Console.
Once all operations are in place, the registry object can be created. Select the File menu and click on Create
Registry Object.
Name the registry object and select Create Object.
To view the new object, you will need to either close and re-open the Simplify Console or select the Refresh
Database option located in the File menu within the Simplify Console.
The new object can now be assigned.
Enabling Registry Tracking
Simplify Profiles also allows administrators to track registry changes made during a user’s session. When a user
logs on, Simplify Profiles takes an initial snapshot of the user’s HKEY_CURRENT_USER hive. When the user logs out,
another snapshot is taken and compared to the initial snapshot. The differences are then saved to a file in a
predefined directory.
This file can then be imported into RegDiff.
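The two-snapshot comparison that RegDiff and Registry Tracking are described as performing, shown as an added PowerShell example (not RegDiff's code or its file format). The scratch key HKCU:\Software\RegSnapshotDemo and its values are constructed for the demonstration and removed at the end.

```powershell
# Added example: snapshot a registry subtree twice and report what changed in between.
function Get-RegSnapshot {
    param([Parameter(Mandatory)][string]$Path)     # provider path, e.g. 'HKCU:\Software\Vendor'
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $snapshot = @{}                                 # case-insensitive keys, like the registry
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $snapshot[$key.Name] = '<key>'              # record the key itself so empty keys are tracked
        foreach ($name in $key.GetValueNames()) {
            $label = if ($name) { $name } else { '(Default)' }
            $kind  = $key.GetValueKind($name)
            $data  = $key.GetValue($name, $null, $raw)
            # Type and data together, so a REG_SZ -> REG_DWORD switch also counts as a change
            $snapshot["$($key.Name) :: $label"] = '{0}:{1}' -f $kind, ($data -join ',')
        }
        $key.Close()
    }
    $snapshot
}

function Compare-RegSnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Before,
        [Parameter(Mandatory)][hashtable]$After
    )
    foreach ($id in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        if (-not $Before.ContainsKey($id))      { $change = 'Added' }
        elseif (-not $After.ContainsKey($id))   { $change = 'Removed' }
        elseif ($Before[$id] -cne $After[$id])  { $change = 'Changed' }
        else { continue }
        [pscustomobject]@{ Change = $change; Item = $id; Before = $Before[$id]; After = $After[$id] }
    }
}

# Demonstration on a constructed scratch key (mirrors the home page change in the note above).
$demo = 'HKCU:\Software\RegSnapshotDemo'
New-Item -Path $demo -Force | Out-Null
New-ItemProperty -Path $demo -Name 'Start Page' -Value 'about:blank' | Out-Null
New-ItemProperty -Path $demo -Name 'Obsolete' -Value 1 -PropertyType DWord | Out-Null

$before = Get-RegSnapshot -Path $demo               # first snapshot ("Start")

Set-ItemProperty -Path $demo -Name 'Start Page' -Value 'www.tricerat.com'
Remove-ItemProperty -Path $demo -Name 'Obsolete'
New-Item -Path "$demo\Toolbar" | Out-Null           # an empty subkey is still reported as Added

$after = Get-RegSnapshot -Path $demo                # second snapshot ("Done")
Compare-RegSnapshot -Before $before -After $after | Format-Table -AutoSize

Remove-Item -Path $demo -Recurse                    # clean up the scratch key
```

The three rows reported (one Added, one Changed, one Removed) correspond to the keys and values that would be candidates for Save/Restore, Set or Delete operations.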
Registry Tracking can be enabled on a per-server basis by creating two registry values. Both values need to be
placed in HKEY_LOCAL_MACHINE\Software\Tricerat\Simplify Profiles.
The first value is a REG_DWORD called TrackRegistry. To enable registry tracking, the data value should be set to
1. To disable tracking, the data value should be set to 0.
The second value is a string (REG_SZ) called TrackRegistryPath. The value can be any valid path where you wish to
create the Registry Difference File (.rdf). The value data should not include the file name. The file name will be
generated based upon the user’s name and a timestamp (Example: alincoln_2008-08-13_164522.rdf).
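The two values described above, set and read back with PowerShell as an added example (not a vendor script). The function names and the D:\RegTracking directory are placeholders, and the file-name pattern is inferred from the single example name given above.

```powershell
# Added example. Key and value names are the ones given in this guide; run elevated (HKLM write).
$SimplifyProfilesKey = 'HKLM:\Software\Tricerat\Simplify Profiles'

function Set-RegistryTracking {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$OutputDirectory          # needed when enabling; a directory, never a file name
    )
    if (-not (Test-Path -LiteralPath $SimplifyProfilesKey)) {
        throw "Key not found: $SimplifyProfilesKey (is Simplify Profiles installed on this server?)"
    }
    if ($Enabled) {
        if (-not $OutputDirectory) { throw 'OutputDirectory is required when enabling tracking.' }
        if ([System.IO.Path]::GetExtension($OutputDirectory) -ieq '.rdf') {
            throw 'TrackRegistryPath must name a directory; the .rdf file name is generated per user.'
        }
        if (-not (Test-Path -LiteralPath $OutputDirectory -PathType Container)) {
            Write-Warning "Directory does not exist yet: $OutputDirectory"
        }
        if ($PSCmdlet.ShouldProcess($SimplifyProfilesKey, "Set TrackRegistryPath = $OutputDirectory")) {
            New-ItemProperty -LiteralPath $SimplifyProfilesKey -Name TrackRegistryPath `
                -PropertyType String -Value $OutputDirectory -Force | Out-Null
        }
    }
    $flag = [int]$Enabled                 # 1 enables tracking, 0 disables it
    if ($PSCmdlet.ShouldProcess($SimplifyProfilesKey, "Set TrackRegistry = $flag")) {
        New-ItemProperty -LiteralPath $SimplifyProfilesKey -Name TrackRegistry `
            -PropertyType DWord -Value $flag -Force | Out-Null
    }
}

function Get-RegistryTracking {
    $props = Get-ItemProperty -LiteralPath $SimplifyProfilesKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = ($props.TrackRegistry -eq 1)
        Path    = $props.TrackRegistryPath
    }
}

function Get-RegistryDifferenceFile {
    # Lists .rdf files and splits each name into user and timestamp.
    # Pattern assumed from the guide's example: alincoln_2008-08-13_164522.rdf
    param([Parameter(Mandatory)][string]$Directory)
    $pattern = '^(?<user>.+)_(?<date>\d{4}-\d{2}-\d{2})_(?<time>\d{6})\.rdf$'
    foreach ($file in Get-ChildItem -LiteralPath $Directory -Filter *.rdf -File) {
        if ($file.Name -match $pattern) {
            $stamp = [datetime]::ParseExact("$($Matches.date) $($Matches.time)",
                         'yyyy-MM-dd HHmmss', [cultureinfo]::InvariantCulture)
            [pscustomobject]@{ User = $Matches.user; Timestamp = $stamp; File = $file.FullName }
        }
    }
}

# The .rdf files record each user's HKEY_CURRENT_USER changes, so review who can read the directory.
# Set-RegistryTracking -Enabled $true -OutputDirectory 'D:\RegTracking' -WhatIf
# Get-RegistryTracking
# Get-RegistryDifferenceFile -Directory (Get-RegistryTracking).Path | Sort-Object Timestamp
```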
Importing the Registry Difference File (RDF) into RegDiff
The Registry Difference File (RDF) can be imported into RegDiff by selecting the Import option from the File menu.
Browse to the folder specified in the TrackRegistryPath value and select an RDF file. The registry changes are
displayed within RegDiff. Registry operations can then be created using RegDiff.
3.9.2 triReg
triReg is the Simplify Profiles registry viewer. It functions much like Microsoft’s regedit.exe, but can be used to
view the Save & Restore data accrued with Simplify Profiles. triReg allows access of every user’s registry settings as
well as altering, deleting, or adding registry keys and subkey values.
triReg is not a standalone tool, and must be accessed via the Simplify Console by positioning the mouse pointer
over the triReg sidebar. If triReg is not seen in this location, then select View -> Reset Layout for it to reappear.
triReg is divided into two sections:
• My Computer - displays all data that Microsoft’s regedit displays, with many of the standard features.
• Save/Restore Data for Users - displays all Simplify Profiles registry data.
The File menu is used to access standard regedit functions:
• Load Hive - this function allows you to load a registry profile into HKEY_USERS.
• Unload Hive - this function unloads a registry profile from HKEY_USERS.
• Connect Network Registry - connects to a remote computer’s registry.
The View menu is used to modify triReg view options:
• Filter Hives - changes the visible registry hives in My Computer (HKEY_CLASSES_ROOT,
HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG).
• Refresh Registry - refreshes the My Computer registry data.
• Refresh Save/Restore Data - refreshes the Save/Restore Data for triReg.
Save/Restore Data for Users
This section displays live Simplify Profiles registry data. From here you can delete Save/Restore Data or edit subkey
values.
To edit a sub key value, double-click the sub key to modify the value. In this example, mandatory1’s Internet
Explorer Start Page was changed to about:blank.
To delete Save/Restore data for a user, right-click and select delete. The user must then redefine the personalized
settings. This is usually used to delete application data when applications become corrupt. For example, Microsoft
Outlook becomes corrupt easily, especially with 3rd party plug-ins such as virus protection. In this situation you
would want to delete the HKCU\Software\Microsoft\Outlook key. This is faster and easier to manage than deleting the
entire profile, which is the standard procedure for corrupted roaming profiles.
3.9.3 Simplify Migration Utility
The Simplify Migration Utility (SMU) is a tool designed to migrate users from roaming to hybrid Simplify Profiles. In
this situation, each roaming profile has the user’s personalized settings which should be integrated into Simplify
Suite’s database. Simplify Profiles can be implemented without using the Simplify Migration Utility; however, that
route forces the users to redefine their personalized settings. The Simplify Migration Utility is typically used as the
final step to integrate Simplify Profiles into roaming profile networks. This migration can be seamless for the end
users without any critical downtime.
Tricerat’s Simplify Migration Utility integrates with the Active Directory by finding users’ roaming profiles and
simulating a log off. This means that all Simplify Profiles Save/Restore operations assigned will then save those
keys to the Simplify database. Then, the next time the user logs into the Simplify Profiles computer those same
keys will be restored into the profile. With the Save/Restore data in the database, you can deploy Local or
Mandatory profiles without compromising the user personal settings, as these settings will be configured by
Simplify Profiles and inserted at a user’s logon.
The following example shows migration of several roaming profiles to mandatory profiles. It is suggested to first
create a mandatory profile and use it with a test account to verify that the Simplify Profiles Save & Restore
operations handle the proper registry keys for the users’ personal settings.
The HKCU Save & Restore operation shown in the following image contains:
• Control Panel\Desktop - holds all the settings for the desktop, its appearance, and how the windows
and menus react to user input.
• Software\Microsoft\Internet Explorer - contains all the settings for Internet Explorer.
• Software\Microsoft\Notepad - contains all settings for Notepad. This key is rarely useful for users, but is
ideal for testing Save & Restore functions.
• Software\Microsoft\Office\12.0 - contains all settings for Office Suite applications.
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - contains
Windows Mail Profile, which is used by Microsoft Outlook and other email clients.
The S/R Office 2007 object is assigned to the Roaming Profiles OU, which will automatically inherit to the users.
This policy will Save the specified registry keys at Logoff and Restore the keys at Logon.
Run Program Files\Tricerat\Simplify Profiles\ProfileMigration.exe. In the Select Organization Units check the OUs
that you want to search for roaming profiles. Keep in mind that this does not migrate the profiles, but only
searches and displays roaming profiles.
The Simplify Profile Migration will display all roaming profiles in the OUs you selected in the previous query. Select
the profiles you want to migrate to Simplify Profiles, and click Start Migration.
This window shows the profile migration results. All profiles migrated successfully except Scott Apples in this
example.
The migrated profile settings are accessible with the triReg tool, although you may need to select Refresh
Save/Restore Data first.
As you can see, the migrated profiles are displayed in triReg after the refresh. Refer to triReg documentation to
learn more about triReg.
After completing the profile migration, the next step is to assign the mandatory profile to the users. There are
many ways to accomplish this, but in this scenario the user’s Terminal Services Profile has been changed to use the
mandatory profile. This is an appropriate configuration if Simplify Profiles is installed for a terminal services farm
such as Terminal Server, Citrix, or VDI farm. If Simplify Profiles is being deployed for Desktops, then you want to set
the Profile tab to use the mandatory profile.
4 Simplify Printing
4.1 Overview
Simplify Printing is a print driver solution for Windows environments designed to overcome remote printing
limitations using Tricerat’s ScrewDrivers technology. While Simplify Printing is a Universal Print Driver solution,
other UPDs are designed with generic and basic settings in an attempt to support as many client drivers and
printers as possible, providing remote printing support for 80-90% of Windows drivers. ScrewDrivers is a client-server
solution; the ScrewDrivers client queries the drivers to get a list of features (such as Color, DPI, Paper Sizes, Trays,
the name of Trays, etc.), passes the driver settings up to the server, and the ScrewDrivers server virtualizes the
driver using the ScrewDrivers UPD. This process guarantees that the server driver is 100% compatible with the
client driver, supporting 100% of Windows drivers that use the Windows Print Spooler.
The ScrewDrivers Client can be loaded on any Windows PC and Windows XPe. Simplify Printing also includes a Print
Server plug-in, allowing the ScrewDrivers UPD to communicate directly with print servers. This means that all
clients can print in Citrix and Terminal Servers directly to Print Servers regardless of OS, Fat Client, Thin Client,
Windows, Mac, Linux, UNIX, Smart Phone, etc.
Because ScrewDrivers supports any Windows-based driver, implementing Simplify Printing completely eliminates
driver management on Citrix and Terminal Servers. Furthermore, Simplify Printing can be installed on Windows
FAT clients. This means that there is no driver management required on client PCs either; printers in the entire
infrastructure can be migrated to Print Servers, providing a centralized, incorruptible, reliable print solution for
local and remote printing.
Other features:
• compression - all ScrewDrivers print jobs are automatically compressed between the server and client
which improves the speed of printing. Compression varies based on application and driver, but typical
compression rates are 80% to 90%, meaning that 10MB gets compressed to 2 to 1MB. This causes no
overhead on the server.
• streaming - print jobs are streamed, so for larger print jobs it will start physically printing out before the
job completes the spool process on the server.
• exports - the user can use ScrewDrivers printers to save PDFs or BMPs, much like PDF995 and CutePDF.
• font embedding - various functions that provide accurate font printing.
• x86 and x64 compatibility - your clients can be loaded with standard x86 drivers and print from an x64
application server without a hitch.
• print as image - unique ScrewDrivers feature that overcomes and resolves all graphical output issues.
• proximity printing - printers can be assigned to IPs, IP ranges, and client name for proximity printing.
Simplify Printing is made up of three technologies, ScrewDrivers (Section 4.2), Print Server (Section 4.3), and
Native Drivers (Section 4.4), each covered in the following documentation.
4.2 ScrewDrivers
ScrewDrivers is a remote printing tool for Windows operating systems that is fast, reliable, and does
not require storing print drivers on the terminal server. ScrewDrivers mimics the printer settings on the
server and is seamless to the user and application. Compression is used to send information from the
server to the client thus making the process faster than standard remote printing.
ScrewDrivers is a plug and play solution. Once you install it, users will be able to perform remote
desktop printing from any application on the server to any printer on the client using any printer
setting on the printer without administrative support. Complex remote printing requests are handled
simply and properly. ScrewDrivers can overcome the printing limitations of other solutions
regardless of the application or printer driver, while remaining simple to use.
Supported Environments: Citrix XenApp (aka Citrix Presentation Server), Citrix XenDesktop, VMware
VDI, Microsoft Windows Terminal Services, Microsoft Windows Remote Desktop
Features:
• Prints to any available local client printer without administrator intervention
• triMeta format print job, replaces EMF formats
• 32- and 64-bit compatibility
• Seamless print streaming
• Windows RDP and Citrix ICA Client support and Mac ICA support
Benefits:
• Eliminate printer driver management for Citrix and Terminal Service
• Retains familiar printer names
• Increases print speed
• Decreases print bandwidth w/compression, streaming, and proprietary image rendering to
control color quality and image format (PNG/JPEG/BMP)
• Reduces printer support cost and effort
• Boosts productivity and organization by providing seamless printing
• Increases server performance and reliability by eliminating print spooler crashes
• Speeds printing by compressing printer files
4.3 The v6 Print Server
ScrewDrivers v6 offers a solution for administrators who are unable to install the ScrewDrivers client piece (for
instance, with thin clients) or are looking to consolidate the print drivers and spooling to print servers. There are
two pieces in the ScrewDrivers v6 print service, the terminal server piece and the print server piece.
The terminal server piece acts as the ScrewDrivers server. Through the interface, you can select what users or
groups are able to see and print to specific printers from the print servers. The print server piece acts as the
ScrewDrivers client. The print server piece builds its local and network printers to the ScrewDrivers server and any
print job that a user starts will go directly from the terminal server to the print server. This means that there is no
spooling on the client’s local machine, and all print information is sent between the servers instead of the server
and client. Another benefit of this scenario is when the print server is across a WAN from the terminal server.
4.3.1 Print Server Advanced Print Features
Simplify Printing supports advanced printing features that are defined uniquely by printer manufacturers. These
features may include secure printing, departmental printing, stapling, or other finishing features. This is made
possible through access of the manufacturer print dialog within the user session, while still using the ScrewDrivers
virtual print driver on the terminal server, virtual desktop, or workstation.
4.3.1.1 Enabling Advanced Print Features
To enable Advanced Print Features on a printer, the administrator must enable the feature on the print server or
an individual print server printer. If the print server is set to “Enable All”, then all printers on that print server will
have Advanced Print Features enabled.
By default, “Use Printer Setting” is selected on the print server, and an administrator can select a printer and click
the check box to enable Advanced Print Features.
4.3.1.2 Using Advanced Print Features
When a user selects a printer that has Advanced Print Features enabled, a new tab will appear on the printer
properties dialog. Selecting the “Advanced Print Features” tab reveals a “Show UI” button. Clicking this button will
communicate with the print server and display the native print dialog for the selected printer.
4.3.2 Walkthroughs
4.3.2.1 Setup and assign a Print Server Object
For information on how to create and assign objects in the Simplify Suite, please see Section 2.3.1: Create and
Assign Objects to an Owner.
Under the ScrewDrivers v4 Print Servers folder, create a new object. Name this object the name of your print
server. Under the object settings on the right, type in the hostname or IP address of the print server, and click the
test connection button.
If the test is completed successfully, you will see this message:
Now click the Refresh All Printers button.
Your printers will now show up under the print server object you created:
Now you can assign the Print Server Printers (Section 2.3.1).
After selecting an owner under the owners pane, you can drag a printer from the objects pane to the
assignments pane under the Admin Assigned folder. For an explanation of the different places to assign print
server printers, see Section 4.3.3.3: User Assigned Printers.
Now when your user logs on, they will see the printer available in their printers list.
4.3.3 Configuration
4.3.3.1 Print Server Object Settings
Like a traditional ScrewDrivers server, the Print Server has settings that determine how printers are named,
information about the print server, etc. These settings are described below where they differ from a regular server
setting.
General
• Hostname or IP: This field specifies the location of the Print Server.
• Port: This field specifies the port the Print Server will listen on and should only be changed if there is a
conflict on this port.
• Connection ID: This is an auto-generated ID for the Print Server.
• Test Connection: This button allows you to confirm that the Print Server is available and that the above
configuration items are correct.
• Refresh Printer List: This will open a connection to the Print Server and request the current list of installed
printers.
• Auto-Query on Close: This determines whether a query for the latest printers will be executed each time
the Print Server is saved.
Printer Naming
• Naming Scheme: Select from the options here to change how the printers will display to your users.
NOTE: Custom Names without SESSIONID are not supported; they can cause problems in printer names
when users log in.
• Limit Name Component Length: This setting can limit the length of each part of the printer name. For
example, the printer name can be set to 0 for an unlimited length, while the username is set to 6 for a
maximum of 6 characters.
• For client’s network printer name, replace "on" with: Specify the character that will replace the word
"on" in any printer names. This is mainly used for network printers.
• Replace Backslashes (\) in the printer name with: Replaces each backslash in a printer name with the
character specified. For example, Novell printers include backslashes in the printer name which are not
supported by Windows.
• Replace Space ( ) in the printer name with: Replaces each space in a printer name with the character
specified. This setting can be used to allow compatibility for legacy applications.
Information
This tab displays information about the server that the Print Server is hosted on such as the OS version as well as
the default Language information.
4.3.3.2 Print Server Printer Settings
Print Server hosted printers will behave just as traditional ScrewDrivers created printers and have similar
configuration.
General
This tab includes basic information about the printer that was determined during the query of the Print Server.
Printer Naming
142
Simplify Suite v6
Simplify Suite v6
143

Use Print Server’s Naming Scheme: This is the default option and will use the naming scheme as defined
for the print server that this printer is connected to. Uncheck this option to specify another naming
scheme only for this printer.

Naming Scheme: Select from the options here to change how the printers will display to your users.
NOTE: Custom Names without SESSIONID are not supported; it can cause problems in printer names
when users log in.

Limit Name Component Length: This setting can limit the length of each part of the printer name. For
example, the printer name can be set to 0 for an unlimited length, while the username is set to 6 for a
maximum of 6 characters.

For client’s network printer name, replace "on" with: Specify the character that will replace the word
"on" in any printer names. This is mainly used for network printers.

Replace Backslashes (\) in the printer name with: Replaces each backslash in a printer name with the
character specified. For example, Novell printers include backslashes in the printer name which are not
supported by Windows.

Replace Space ( ) in the printer name with: Replaces each space in a printer name with the character
specified. This setting can be used to allow compatibility for legacy applications.
4.3.3.3 User Assigned Printers
Print Server User Assigned Printers is a feature of Simplify Printing to allow end users to select which print server
printers they would like to use in their session. This is very useful in large environments where the users should be
able to select their printers and administrators configuring each user would be impractical. In the assignments
pane, the administrator will see three places to assign a print server printer:
Admin Assigned: Printers assigned to this folder will appear for the user and cannot be removed by them. This
folder should be used when the administrator does not want the user to be able to affect the building of these
printers.
User Allowed: Printers assigned to the Allowed folder will give the user the option to build these printers. The user
will see all printers under this folder when the user is adding a printer through the UAP application (Section
4.3.3.4).
User Assigned: Printers assigned in the Assigned folder will be built for the user by default. The user can select
to remove this printer from their session through the UAP application (Section 4.3.3.4).
Now, with the UAP Application assigned to a user’s startup folder, they will be able to select their printers from
the list of printers you have allowed for them. For documentation on the UAP Application, see the following
section.
4.3.3.4 User Assigned Printers Application
The UAP application is the tool used by end users to select which printers they would like to build in a session. This
document will use the following configuration for Print Server Printers, described in the previous section (Section
4.3.3.3).
With this configuration, this is how the UAP Application will appear on startup
There is the Ricoh 2800 listed under Admin Assigned, so the user will have this printer in their printer list and they
cannot remove it. There is also a Xerox Global printer listed under User Assigned, so the user will have this printer
assigned to them by default, but they can remove it if they wish. By selecting the User Assigned folder, and clicking
on the Add Printer button, the user will see a list of available printers
Now the user can see all printers that are listed under Allowed printers in the Simplify Suite for them. When they
select a printer and click Add Printer, it will appear in the list of User Assigned printers
The user can also select a printer and click the Delete Printer button to remove a printer from their list
When exiting the application, if the Refresh Printers button has not been clicked, the user will be prompted to
refresh their printer list
4.3.4 Frequently Asked Questions
4.3.4.1 Is the client involved in the printing process?
With the ScrewDrivers v4 Print Server, the client is not involved in the actual print processing. After the user starts
a print job, it is spooled on the terminal server and sent directly to the print server to be spooled there. Once it is
spooled on the print server, it is sent to the printer. The print job is never sent to the client for processing.
4.3.5 Troubleshooting
4.3.5.1 Printers are not building for any user
Normally, when printers build into a user’s session, they will show under Tricerat, as well as the system location
under:
HKLM\System\CurrentControlSet\Control\Print\Printers
The system location is equivalent to what is seen in the regular printers folder in the terminal session, keeping in
mind that a user will only see printers to which permissions have been given.
In a situation where printers are only displaying under the Tricerat location, but not the system location, there was
a problem with the ScrewDrivers server install or upgrade. To correct the problem, a clean install of the driver files
will be needed.
Perform the following steps:
1. Go to C:\Windows or Winnt\system32\spool\drivers\w32x86\3
2. In that folder, rename the extensions of sd3drv.dll and sd3ui.dll to .old
3. Reboot the server
4. Delete the two .old files that were just renamed
5. Go to C:\Tricerat\Simplify Printing\ScrewDrivers Server v3
6. Run (in this order): install_driver.exe, install_port.exe (you may get an error indicating the ports have already
   been installed, that is fine, just click OK), setsec_server.exe
Your users should now be able to login to new sessions and see their printers.
4.3.5.2 Some printers do not delete when the user logs off
Here are some suggestions to solve some printing problems. These should be performed while no one is logged
into the terminal server to avoid any problems:
1. Go to Control Panel -> Administrative Tools -> Services.
2. Stop the Print Spooler service.
3. Remove any files in Windows\system32\spool\printers.
4. Start the Print Spooler service.
5. Delete any printers under Printers and Faxes on the server that are not printers installed directly on the
   server.
If clearing the spool directory does not help, be sure that there are no auto-created printers causing confusion with
the users. Here is the method to turn off auto-created printers (so only ScrewDrivers printers are being created).
Before performing this, verify that no users are using the auto-created printers:
1. Go to Control Panel -> Administrative Tools -> Terminal Services Configuration.
2. Double Click on RDP-Tcp or ICA-Tcp, depending on what protocol you use.
3. Go to the client settings tab and uncheck the following boxes:
4. Use connection settings from user settings.
5. Connect client printers at logon.
6. Default to main client printer.
7. At the bottom of that window, check the box that says Windows printer mapping.
8. Click ok and close the Terminal Services Configuration.
Try to log a session in to see if that fixes your problem. If it does not, contact Tricerat support.
4.4 Native Drivers
4.4.1 What is Native Drivers?
Native Drivers is a management tool that allows an administrator to control any print drivers that are installed on
the terminal or Citrix server. Normally, a printer installed on the server will show up for all users, but through the
Native Drivers tool in the Simplify Suite, the printers installed on the server can be seen only by the users that have
been assigned those printers.
4.4.2 Local Printers
General
Printer Name: Descriptive printer name, for example, HP Laserjet 4.
Set As Default: This option will set this printer as the default <reference: how to set default>.
Location: Location of the printer that will display in the printer properties page.
Comment: Comments for the printer that will display in the printer properties.
Shared As: Checking the box will share the printer and have a share name of what is entered into the Shared as
text field.
Select the driver to use for this printer from the list of drivers that are currently installed onto the server.
The port tab specifies where the terminal server will print to for this native printer object.
You can specify a port on the server, or an RDP/ICA port that is connected to the client.
Local Port: A port local to the terminal server.
ICA Port: A port that is mapped through an ICA (Citrix) session.
RDP Port: A port that is mapped through an RDP (Terminal Server) session.
Select from the options here to change the way the printer name will be displayed to the user.
4.4.3 Network Printers
General
UNC Printer Path: Type the UNC Printer Path in the text field (for example, \\server\Ricoh Aficio MP 2800 PCL 5c)
Printer to a Port Name: Check this box if you would like a "net use" command run at the time of printer creation in
order to map the printer to a port name such as "LPT1:"
4.4.4 Frequently Asked Questions
4.4.4.1 How do I add a printer for a thin client?
In an environment that uses thin clients who print to local and network printers, Native Drivers fits very well. For
any printer attached directly to the thin client, you will need to install the print driver on the server and add a local
printer Native Drivers object. In a similar way, for any network printers (on a print server, for instance) you will
need to create a network printer Native Drivers object and type in the UNC path of that printer. Assign the printers
to a particular owner level and the next time they login, they should be able to print to those printers through their
terminal session.
4.4.4.2 What is the difference between local and network printers?
A local printer object specifies the driver to use when printing to a printer directly connected to a user’s local
computer.
A network printer object defines the driver to use when printing to a printer connected through the network (for
instance, on a print server).
4.4.4.3 Do network print jobs spool on both the server and client?
Print jobs for a network native drivers object are sent directly from the server to the print server and therefore, are
never sent to or spooled on the client computer.
4.4.4.4 Do Native Drivers handle printers connected to the server or client?
Local Printer objects are created for printers that are connected directly to either the client’s computer or the
server. You can add a printer object for a printer local to the client or server and allow access to it for the
necessary owners.
4.4.4.5 What is the Port tab?
The port tab specifies where the terminal server will print to for this native printer object. You can specify a port
on the server, or an RDP/ICA port that is connected to the client.
4.5 v4 PDF-Only Settings
v4 PDF-Only Settings are printer objects for PDF publishing. Assignment of one of these printer objects generates a
printer that uses the ScrewDrivers PDF print driver. The user can create PDFs from any application that supports
printing. A PDF (Portable Document Format) is a light-weight universal document-exchange format. PDF viewing
and printing is supported by most modern operating systems including: Windows, Mac, Linux and UNIX. The v4
PDF-Only Settings configurations support saving PDFs to admin-defined or user-specified (via a save dialog) local
directories, mapped drives, network shares, etc.
PDF printers are created under Printers -> ScrewDrivers -> v4 PDF-Only Settings.
General
Export PDF file to server
Each of the following three options can be set to Deny, Force, or Suggest to automate the print process or
prevent certain functions during the print process. Suggest allows the user to override the default
settings defined for the object; however, the user must modify the printer within the session by
accessing the Printing Preferences.

Save Mode: This can be set to either Display Save Dialog for a user-specified save location, or
Use Input Pathname for a pre-defined PDF save destination.

Destination: This field is used if Save Mode is set to Use Input Pathname.

If File Exists: This field is used if Use Input Pathname is selected and the pre-defined file exists.
This can be set to Overwrite, Prompt, Cancel, or Append. Overwrite replaces the old file,
Prompt forces the user to decide the action, Cancel exits the print process without saving the
PDF, and Append allows the user to modify the file name and path.
Printer Naming
The Printer Naming tab is the same as the options available for v4 Print Servers and v4 Settings in the
Simplify Console.
5 Simplify Desktop
5.1 Overview
Simplify Desktop, Tricerat’s desktop management solution, allows you to deliver secure customized desktops
without compromising the environment your users know. This is done through an operating system shell
replacement called triShell.
triShell is a Windows shell alternative designed to overcome the management and security flaws of Microsoft’s
Explorer shell. The interface is graphically similar to the Windows Explorer GUI, yet is as secure and robust as
Published Applications and RemoteApp. Using triShell, system administrators can deploy secure customized
desktops and prevent unauthorized access to system tools. triShell manages assembling, interaction, and
deployment of the user’s Desktop, Start Menu and Taskbar environments.
The Desktop Administrator can design the user’s environment (shell) from the ground-up, assigning specific
applications to Desktop, Start Menu, Quick Launch, and Start Up. This eliminates security threats associated with
the shell.
Shell Security Enhancements
• Right-click functionality removed from Taskbar and Start Menu (without compromising System Icon Tray)
• Simplified Desktop, Taskbar, and Start Menu customization
• Simplified Application Delivery
• Real-time triShell configuration (allows delivery of applications without user logoff or disconnect)
• Desktop folder redirection
• Deny Save access to Desktop folder
• Improved Shell stability
• Assign Desktop configuration based on user, group, OU, server, and/or client.
• and more...
The only threats that remain are presented via applications. Simplify Desktop interacts with Simplify Lockdown
(Section 6) to fully secure your system by locking down the server without compromising the shell and application
functionality. Use Simplify Lockdown to combat security holes in applications as the Lockdown Service intercepts
and authenticates permission to execute all EXEs. While Simplify Desktop controls interaction with the shell,
Simplify Lockdown controls execution of applications, providing a combination solution for any Windows
environment. Simplify Lockdown includes Simplify Desktop.
There are three types of Simplify Console assignments that relate to Simplify Desktop, located in two sections:
Simplify Applications and Shell Configuration.
1. Which shell the owner is assigned. This is located in both the Applications section under Shell and the Shell
   Configuration section, changing the assignment in one location will change it in both.
2. Which applications are available in triShell as well as where they will be placed. This assignment is located in
   the Applications section under Shell.
3. The specific configuration for triShell. This assignment is located in the Shell Configuration section under
   triShell.
5.2 Simplify Applications – Basic Operation
5.2.1 Selecting a Shell
Selecting a shell for your users is a single setting, but it is a choice that must be balanced against the power and
flexibility that your users require.
The default Windows shell is Explorer. The explorer.exe process can run in two modes, shell mode or file manager
mode. In a typical Windows environment every user will always have explorer.exe running. When Explorer is then
launched in file manager mode, a new thread will attach to the explorer.exe process and provide a view into the
file system. The Explorer shell notoriously uses a lot of memory, which can be detrimental to capacity in a Terminal
Server environment. It is also insecure, providing users with the ability to access system functions that they were
not intended to have. With Simplify Desktop, it is recommended that you allow only Administrators and some
Power Users access to the Windows Explorer shell.
Once you install Simplify Desktop, the default shell for all owners is set to Explorer Shell. The Tricerat shell
replacement, triShell, is much more secure than the Explorer shell and provides Administrators with precise control
over which applications a user can see and which system functions they can access. In many instances,
triShell also consumes less memory than the Explorer shell, and therefore can help you increase the capacity of
your servers. The only time the explorer.exe process will run is when you allow users to access the Windows file
manager.
An owner’s shell can be set to one of four options:
Inherit shell setting: The owner’s shell is inherited from its parents.
No Shell (deny login): The owner is not allowed to log in to Simplify servers. When a user with this setting tries to
log in, a short, administrator-defined message appears and the user is logged off the server.
triShell: The owner is assigned triShell.
Explorer: The owner is assigned Explorer.
Shell selection for owners is done in the Assignments pane. Select the target owner in the Owners pane and then
perform the following steps to set the shell. There are two places to set the shell; setting it in one will set it in both.
Method 1:
Under the owner’s name in the Assignments pane:
Expand the Applications branch.
Right-click on the Shell item and choose the shell.
Method 2:
Under the owner’s name in the Assignments pane:
Right-click on the Shell Configuration item and choose the shell.
5.2.2 Creating an Application Object
To create an application object that can be assigned to an owner, first locate the objects pane on the right side of
the Simplify Console. You can either click the new object button or right-click on the Applications branch and
choose New Object.
This will create a blank template for an application object.
Next, where New Object is highlighted in the tree, provide a name for the application you are about to define. This
name is for administrative reference and does not reflect what the user will see.
5.2.2.1 Properties
Now you are ready to add an application. There are a number of fields on the right, most of which will populate
automatically. They are:

Name: This is the name that a user will see for the application.

Executable: Specifies the location of the executable.

Working Directory: Specifies the working directory for the application.

Icon: Specifies the icon the user will see.

Arguments: Provides the ability to use arguments if required.

Startup: Specifies how the application should open (Normal, Minimized or Maximized). This setting is
specific to triShell.

Instance Count Limit: Specifies how many times the application may be launched per session or per machine,
or that there is no limit at all.
Now, locate the Executable line and click the ellipsis (…) button to the right. This will provide an open dialog box
through which you can browse to locate the executable of the application that you want to bring in. Once found,
highlight the item and then click the Open button. At this point the basic fields will self-populate. In the example
below, Internet Explorer (iexplore.exe) was populated.
There are five optional tabs that you can use to further customize each application object. They are the
Signature, Trust List, Stability, Run As and Run Once tabs.
Importing Application Objects
Creating application objects one-by-one is a long and tedious process. To avoid this hassle, use the Find Apps to
Import (Section 5.3.1) and Import Learn Mode Apps (Section 5.3.2) functions.
5.2.2.2 Run As
The Run As tab allows the applications to execute as a specified user. This feature can allow applications to execute
with administrator rights without granting the user’s account administrative rights. The Run As settings will only
take effect if the User’s shell setting is set to triShell. By default Run As is disabled.
After enabling Run Application As specified User you must specify the user account. If Prompt Interactive User for
Password is enabled, then the user will be prompted for a password when the application is launched. However,
you can enter the password to allow the user to launch the application seamlessly.
5.2.2.3 Run Once
The Run Once tab is a triShell feature designed to emulate the Run Once feature in Microsoft Explorer. By default
Run Once is disabled. Simplify Desktop adds features to make Run Once easier to manage, allowing administrators
to track the users that have executed the application, purge the list of users that have executed the application,
permanently enforce the Run Once policy, or enforce the Run Once policy until a specific date.
Note: The Run Once feature in Simplify Desktop does not automatically launch the application. The administrator
must assign this application to the user’s shell. If you want the application to launch once automatically then assign
this application to the Start Up folder.
Once the Run Once application published to the Desktop or Start Menu has been executed by the user, it will no
longer be published to that user’s Desktop or Start Menu.
The Run Options can either disable Run Once, allow the Run Once configuration until disabled, or automatically
disable the Run Once policy after a specified date.
The Maintenance section allows the administrator to track the users that have executed the application or purge
the user list. Purging All Users will set the Run Once application back to the default state, meaning users will be
able to run the application once again.
5.2.3 Assigning Applications to triShell
There are four possible areas where applications can be assigned to the triShell. They include Desktop, Quick
Launch, Start Menu, and Startup. You can find these assignment containers located under the Applications
container located on the Assignments pane.
Applications are assigned by dragging the application object to the desired container. This is where the application
will appear on the user’s shell. Adding an object to Desktop adds it to the triShell Desktop, Start Menu to the
triShell Start Menu, and Quick Launch to the triShell Task Bar. Adding an object to Startup will cause it to be run as
the user logs on to triShell.
Custom sub-folders can be added to the Start Menu by right-clicking on the Start Menu container and selecting
Insert Folder. Folders can also be added to the Programs container that is within the Start Menu container.
5.3 Simplify Applications – Features
5.3.1 Find Apps to Import
This function is used to search specified directories and sub-directories for applications. A common scenario to use
this function is after installing new applications.
The following example shows how to import Microsoft Office Suite applications.
1. Access Find Apps to Import in the Simplify Console via View -> Find Apps to Import.
2. In Search for and Create Application Objects, browse or type the directory to be searched and press Start
   Search. Verify that the Search options are valid for the directory, for example, System Files/Folders should be
   enabled to import most applications from Windows\System32.
3. Select the applications to be imported and click the Import Applications... button. You may select multiple
   applications to import at one time; you will be informed when the applications are finished being imported.
4. The applications are now available in the Application container in the Objects pane. It is best to verify the
   Object’s settings and tweak them as needed. For example, this Outlook object needed its Display Name,
   Sorting Rank, and Instance Count Limit settings changed.
5.3.2 Import Learn Mode Apps
Import Learn Mode Apps, which relies on the Lockdown service (Section 6), assists in configuration by recording
every application executed and allows the import of any recorded application. To take advantage of this
functionality, Lockdown must be in Learn Mode. It is best to enable Learn Mode for a single account, such as an
admin, junior admin, or user account, to generate a list of Learn Mode Apps.
For example, if there are scripts used to customize settings at logon and/or logoff, then Learn mode can be used to
learn more about them. To do this, enable Learn Mode for a test account, logon, and logoff. Every application will
execute as normal, but the application information is “Learned” by the Lockdown service and saved in the Simplify
database. From there, the Import Learn Mode Apps can be accessed and used to import the applications. Learn
Mode will capture the application name, path, arguments, hash, parent path, server, version, and file date.
To use Learn Mode Apps:
1. Set Lockdown to Learn Mode (Section 6.4.1), then let the user run applications.
2. In the Simplify Console, select Tools -> Import Learn Mode Apps.
3. Look at the list of applications used by users in Learn Mode. Select the applications to import and press
   Import.
You can also view a list of users in Learn Mode from the Tools menu.
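Step 3 asks the administrator to look over the learned list before importing. The Python triage below is an added example, not part of this guide or of the product: only the field names come from the list of captured fields above, while the record layout, every sample value and the three review rules are assumptions of the example.

```python
import ntpath
from collections import defaultdict

# Review rules assumed for this example; adjust them to your own servers.
USER_WRITABLE = ("c:\\users\\", "c:\\documents and settings\\",
                 "c:\\temp\\", "c:\\windows\\temp\\")
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def rec(name, path, arguments, file_hash, parent_path, server,
        version="1.0", file_date="2010-01-01"):
    """Build one record with the fields the guide says Learn Mode captures."""
    return {"name": name, "path": path, "arguments": arguments,
            "hash": file_hash, "parent_path": parent_path, "server": server,
            "version": version, "file_date": file_date}


EXPLORER = r"C:\Windows\explorer.exe"
WORD = r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"
READER = r"C:\Program Files\Adobe\Reader\AcroRd32.exe"

# Constructed sample data: every value below is made up for the example.
LEARNED = [
    rec("WINWORD.EXE", WORD, "", "HASH-01", EXPLORER, "TS01"),
    rec("WINWORD.EXE", WORD, "", "HASH-01", EXPLORER, "TS02"),
    rec("cmd.exe", r"C:\Windows\System32\cmd.exe", r"/c \\fs01\netlogon\logon.cmd",
        "HASH-02", r"C:\Windows\System32\userinit.exe", "TS01"),
    rec("setup.exe", r"C:\Users\testuser\AppData\Local\Temp\setup.exe", "/quiet",
        "HASH-03", EXPLORER, "TS01"),
    rec("AcroRd32.exe", READER, "", "HASH-04", EXPLORER, "TS01"),
    rec("AcroRd32.exe", READER, "", "HASH-05", EXPLORER, "TS02"),
]


def triage(records):
    """Map (server, path) -> reasons for every record that needs a closer look."""
    hashes_by_path = defaultdict(set)
    for r in records:
        hashes_by_path[r["path"].lower()].add(r["hash"])

    review = {}
    for r in records:
        path = r["path"].lower()
        parent = r["parent_path"].lower()
        reasons = []
        if path.startswith(USER_WRITABLE) or parent.startswith(USER_WRITABLE):
            reasons.append("binary or its parent runs from a user-writable location")
        if ntpath.basename(path) in INTERPRETERS:
            # Trusting an interpreter trusts whatever script it is pointed at.
            reasons.append("interpreter; learned arguments: "
                           + (r["arguments"] or "(none)"))
        if len(hashes_by_path[path]) > 1:
            reasons.append("same path, different hashes across servers")
        if reasons:
            review[(r["server"], r["path"])] = reasons
    return review


def importable(records):
    """Records with no review reason."""
    review = triage(records)
    return [r for r in records if (r["server"], r["path"]) not in review]


if __name__ == "__main__":
    for (server, path), reasons in triage(LEARNED).items():
        print(f"REVIEW {server} {path}")
        for reason in reasons:
            print(f"   - {reason}")
    for r in importable(LEARNED):
        print(f"OK     {r['server']} {r['path']}")
```
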
5.3.3 Create Common Explorer Items as Applications
Creating common explorer items as applications can be achieved by using Explorer command-line switches in
conjunction with the class identifier (CLSID) for the Special Folder. The first step is to create an application object
within the Objects Pane of the Simplify Console. You will want to use the explorer.exe as the executable. Place the
command-line switches and desired CLSID in the Arguments text field.
Note: Arguments should never be placed in the Executable text field. This will cause the object to not appear on
the user’s desktop.
Explorer command-line switches are separated by commas.
The Explorer command-line switches are below:
/n - Opens the specified folder in a new single-paned view, like My Computer
/e - Opens the specified folder in a double-paned view, like a typical Explorer view
/root - Makes the specified folder the root of the tree. Users cannot navigate up. (With folder
M:\Documents\Business, the user cannot go to M:\Documents.)
/select - Opens a window with the specified folder selected.
Here is a list of popular Explorer desktop items and the corresponding CLSIDs:
My Documents
::{450D8FBA-AD25-11D0-98A8-0800361B1103}
Recycle Bin
::{645FF040-5081-101B-9F08-00AA002F954E}
Printers and Faxes
::{2227A280-3AEA-1069-A2DE-08002B30309D}
My Computer
::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
My Network Places
::{208D2C60-3AEA-1069-A2D7-08002B30309D}
Network Connections
::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
Scheduled Tasks
::{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
Note: You cannot drag items to the Recycle Bin on the triShell desktop; however, you can take items out of the
Recycle Bin.
In the following example, “/n” is used to open the window in a single-paned view. The switch is delimited with the
use of a comma. The “/root” switch is used to lock the user into the specified window. The user will be unable to
navigate up through the directory tree. Finally, the “My Documents” CLSID is used to point to the user’s My
Documents directory.
Arguments - /n, /root,::{450D8FBA-AD25-11D0-98A8-0800361B1103}
Result:
In the next example, “/e” is used to open the window in a double-paned view. Then the CLSID is used to display
the “My Computer” folder.
Arguments - /e,::{2227A280-3AEA-1069-A2DE-08002B30309D}
Result:
Once you have entered the desired arguments, the object’s Display Name should be modified to reflect the Special
Folder name. In addition, the object icon can be changed to the proper icon for the type of Special Folder selected.
If you do not see the desired icon in the Available Icons list, you can point the Icon File to
“C:\Windows\system32\shell32.dll” for additional icons.
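The switch, CLSID and Display Name rules of this section can be checked before an object is assigned. The Python auditor below is an added example, not part of this guide or of Tricerat's tooling: the CLSID table is copied from the list above, while the function name, the finding texts and the choice to flag a missing /root are assumptions of the example.

```python
import re

# Special-folder CLSIDs, copied from the list in this section.
SPECIAL_FOLDERS = {
    "450D8FBA-AD25-11D0-98A8-0800361B1103": "My Documents",
    "645FF040-5081-101B-9F08-00AA002F954E": "Recycle Bin",
    "2227A280-3AEA-1069-A2DE-08002B30309D": "Printers and Faxes",
    "20D04FE0-3AEA-1069-A2D8-08002B30309D": "My Computer",
    "208D2C60-3AEA-1069-A2D7-08002B30309D": "My Network Places",
    "7007ACC7-3202-11D1-AAD2-00805FC1270E": "Network Connections",
    "D6277990-4C6A-11CF-8D87-00AA0060F5BF": "Scheduled Tasks",
}
SWITCHES = {"/n", "/e", "/root", "/select"}  # the switches this section documents
CLSID_RE = re.compile(
    r"::\{([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}")


def audit_explorer_object(executable, arguments, display_name=None):
    """Check one explorer.exe application object (hypothetical helper).

    Returns a dict: switches, target, folder (special-folder name or None),
    rooted (True when /root is present) and a list of findings.
    """
    findings = []

    # The guide: arguments never belong in the Executable field.
    if not executable.strip().strip('"').lower().endswith(".exe"):
        findings.append("Executable field contains more than the program path")

    switches, targets = [], []
    for token in (t.strip() for t in arguments.split(",")):
        if not token:
            continue
        if token.startswith("/"):
            switch = token.lower()
            if switch not in SWITCHES:
                findings.append(f"unknown switch {token!r}")
            switches.append(switch)
        else:
            targets.append(token)

    if {"/n", "/e"} <= set(switches):
        findings.append("/n and /e both given: single- and double-paned view conflict")
    if len(targets) != 1:
        findings.append(f"expected exactly one target, found {len(targets)}")

    target = targets[0] if targets else None
    folder = None
    if target and target.startswith("::"):
        # CLSIDs pasted from formatted documents often pick up spaces.
        compact = re.sub(r"\s+", "", target).upper()
        if compact != target.upper():
            findings.append("CLSID contains whitespace; the canonical form has none")
        match = CLSID_RE.fullmatch(compact)
        if match is None:
            findings.append(f"malformed CLSID {target!r}")
        else:
            target = compact
            folder = SPECIAL_FOLDERS.get(match.group(1))
            if folder is None:
                findings.append("CLSID is not one of the special folders listed here")

    rooted = "/root" in switches
    if not rooted:
        findings.append("no /root: the user can navigate up from the target")
    if display_name and folder and display_name.strip().lower() != folder.lower():
        findings.append(f"display name {display_name!r} but the CLSID is {folder}")

    return {"switches": switches, "target": target, "folder": folder,
            "rooted": rooted, "findings": findings}


if __name__ == "__main__":
    explorer = r"C:\Windows\explorer.exe"
    samples = [  # constructed objects for illustration
        (explorer, "/n, /root,::{450D8FBA-AD25-11D0-98A8-0800361B1103}", "My Documents"),
        (explorer, "/e,::{2227A280-3AEA-1069-A2DE-08002B30309D}", "My Computer"),
        (explorer + " /e,/root,M:\\Documents", "", "Documents"),
    ]
    for exe, args, name in samples:
        result = audit_explorer_object(exe, args, name)
        print(name, "->", result["folder"], result["findings"] or "ok")
```
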
5.3.4 Place a folder in triShell that links to a network drive
You will need to publish an instance of the Windows Explorer executable on triShell, but add a special argument to
make it reflect the location you need.
Application arguments are not limited in triShell. For example, all explorer.exe arguments are supported.
5.4 Shell Configuration
5.4.1 Desktop Configuration
The Desktop of triShell is the basic window that users see when they login. You can configure it to show a
background, display application icons, and have other system functionality. Here is a screenshot of the desktop
configuration settings, available in the triShell object type under Profiles -> Shell.
Show Desktop Icons: This option will allow a user to have icons on their desktop. If this is
unchecked, there will be no icons on the desktop even if the owner has applications
assigned to their desktop.
Align to Grid: This setting will align all of the icons on a user’s desktop to a grid.
Arrange Icons By Name: This will sort all of the icons on the desktop by alphabetical
order.
Allow User to Rearrange Icons: Check this option to allow the user to move and rearrange icons on their desktop.
Allow User to Store Files on Desktop: Check this option if you want to allow files to be stored on the user’s
desktop. The option below will allow different types of files on the desktop when checked. The redirect desktop
option will allow you to specify a folder to store the user’s triShell desktop along with any files they have placed on
their desktop. In Simplify Desktop 5.6 and greater, Refresh on Desktop Change will monitor the user’s triShell
desktop and if any changes occur, it will refresh the desktop to show them.
Background and Text Color: These options will set the background and text color for a particular triShell
configuration.
Set Wallpaper: This option will allow you to set the wallpaper for a triShell configuration.
5.4.2 Start Menu Configuration
The Start Menu of triShell is designed to look and feel like the Windows Start Menu present in the Windows
Explorer shell, and common functions have been added to this configuration.
Here is a screenshot of the start menu configuration settings, available in the triShell object under Profiles -> Shell.
Show My Documents: adds My Documents to Start Menu.
Show Disconnect: adds Disconnect to Start Menu
Show Logoff: adds Log Off to Start Menu
Show Run: adds Run to Start Menu
Show Help: adds Help to Start Menu. If using Lockdown, you must add HH.exe to the Lockdown Trusted list.
Show Control Panel: adds Control Panel to Start Menu. If using Lockdown, you must add Control.exe to the
Lockdown Trusted list.
Remove Program Folders if Empty: removes Programs Folder from Start Menu if no applications are assigned to
triShell Start Menu.
Remove Other Folders if Empty: in Simplify Desktop 5.6 and greater, removes empty folders from the Start Menu,
excluding the Programs Folder
Sort Applications By:
Name - this will sort Start Menu applications by alphabetical order.
Rank - this will sort Start Menu applications using the Objects’ rank values.
Title Bar:
This is for customizing the Start Menu’s title bar. Either a Bitmap or Text can be added to the Start Menu.
Image - Browse to the image to be displayed in the Start Menu. The user logging in must have Read access to the
Bitmap.
Text - Specify the text and colors to display in the Start Menu. Windows variables can be used. For example:
"Tricerat Demo - %username% on %computername%"
5.4.3 Taskbar Configuration
The Taskbar of triShell is designed to look and feel like Windows 2000 Start Menu within the Windows Explorer
shell. Here is a screenshot of the Taskbar configuration settings available in the triShell object type under Shell
Configuration -> triShell.
Show the Taskbar: This checkbox can show or hide the Taskbar to the user.
Taskbar Appearance: These options allow you to define settings for the Taskbar within the triShell. It is possible to
lock the taskbar to keep it from being moved around, make the taskbar stay above other windows, show or hide
the Start button, show or hide Quick launch icons, as well as choose whether or not the user should have the
capability of using the "Show Desktop Shortcut" option. The "Show Desktop Shortcut" behaves just like the
desktop shortcut in the Explorer shell, where all applications are minimized and the desktop is brought to the
front.
Notification Area: These two options will allow you to show or hide the clock and any notifications (also known as
bubbles) that appear above the system tray.
5.5 Simplify Desktop Offline Mode
Simplify Desktop supports an offline mode. This mode will allow users to login without database or network access
and still retain their desktop settings.
To turn on Offline Mode, follow these steps:
1. In the Console go to Tools -> Options.
2. The Options window will be displayed. Select the Settings option under Offline Mode.
3. Check the Enable Offline Mode for Simplify Desktop check box. You should also check the Enable Offline mode for
Simplify Profiles check box if you have Profiles installed on this machine. Note: When making changes to
Offline Mode the Profiles and Lockdown services need to be restarted for the change to be picked up.
4. Click OK. Offline mode will now be enabled.
Note: Users must have logged in at least once while the Simplify Desktop server was properly connected
in order to receive their desktop settings when offline later.
5.6 Using triShell
Users do not have their normal right-click options within triShell by design. triShell is set up so that users do not
have any extra privileges until the Administrator allows them. Right-clicking inside the Explorer shell allows access
to items which may allow a user to circumvent security. This is why they are disallowed through triShell.
The few right-click options that are available, which are only for use within triShell, are shown below:
Arrange Icons: If allowed by the Administrator, a user has the ability to arrange icons on their triShell desktop
based upon the arrange settings specified in the triShell configuration.
Refresh Desktop View: Repaints the triShell desktop.
Refresh (F5): Used for refreshing triShell to show new items (particularly if a new application object has been
assigned and the user needs access right away).
Paste: If allowed by the Administrator through the triShell configuration, a user will be able to paste certain items to
their triShell (e.g. documents, shortcuts, etc.).
5.7 Frequently Asked Questions
5.7.1 Can I publish Citrix applications to triShell?
Yes, triShell supports pass-through style connections. Simply import the “AppName.ICA” file as an application
object (Section 5.2.2). When the user opens the ICA file, it will launch as normal and create the appropriate
connection.
5.7.2 Can I add non-executable shortcuts to triShell?
Yes, you can add non-executable shortcuts. This can be done by first creating an application object (Section 5.2.2).
Upon clicking the ellipses button on the Executable line, you will be presented with an Open dialog. At the bottom
of that dialog, there is an option for Files of type: with a drop-down menu. It is here that you can select to show All
Files (*.*) so that you will be able to see non-executable files. Once you locate the desired file, highlight it and click
Open as normal.
5.8 Troubleshooting
5.8.1 Users are being denied from logging into the server
If your users are seeing this error when logging in to the terminal server, the most likely cause is a database
connectivity issue. You should check your DSN settings (Section 7.2.1: View and Modify DSN Settings).
Another possibility is that the user may have a shell setting of None which will not allow them to access the
terminal server. See Section 5.2.1: Selecting a Shell for further reference.
As a troubleshooting step, you may set the user to Block Inherited Assignments temporarily to limit variables.
5.8.2 An application assigned in triShell is missing
This can happen for a number of reasons. To troubleshoot, try the following:
1. If the application assignment has been made at a level such as a Group, OU, or the Domain, make sure that
the user is part of that level within your Active Directory.
2. Be sure that the application that is being assigned is available on all servers the user will be logging into. The
Suite performs a check when a user logs in to determine if the assigned application objects are available. If
one or more are not, they will not be shown on triShell after login.
3. Verify the user is assigned and receives triShell at login. Shell assignments including the desktop, start menu,
and quick launch can only be assigned to triShell users.
4. If the application object is not assigned directly to the user, in other words the application is assigned to a
higher level within the Active Directory structure such as a Group or an OU, then verify that the user is
inheriting the assignment by selecting the user in the Owner pane and looking at the Assignments pane for
the application object.
If the application does not appear to be assigned to the user, check the user’s group membership. Also,
verify that Block Inherited Assignments or Block User Assignments is not enabled by right-clicking on
the user’s name at the top of the Assignments pane.
5. Make sure that the application executable exists within the specified location. Verify that the
Executable field in the application object points to the correct path. You may need to find out
what server the client is currently logged into to verify that the EXE exists within the defined path
on a specific server.
6. Verify the user has Read permissions to the specified executable path of the application object. If
you are using a UNC path for the application object, then verify the user has the ability to access
the network share.
7. If you are using the Trusted List mode of Simplify Lockdown, verify that the application object is
assigned to the Trusted List as well as the user’s triShell. If the Trusted List mode of Simplify
Lockdown is in use, but the application object is not assigned to the Trusted List, the application
will not appear within triShell. Similarly, if the Banned List mode of Simplify Lockdown is in use,
the application will not appear within triShell if the application object has been assigned to the
Banned List.
8. The Executable field for the application cannot contain arguments. Arguments need to be placed
within the Arguments field. Putting arguments in the Executable field will cause the application to
not appear within triShell.
5.8.3 triShell users are unable to save items on their triShell Desktop
• Enable allow user to save documents to desktop as shown below
• Ensure the desktop is redirected properly as explained below
• Ensure that the user has rights to the redirected desktop folder
• Users must refresh the desktop after saving documents/folders to the desktop
  - Automatic refreshing of the desktop has been added as a configurable option in Simplify Suite 5.6.
To enable the user to save documents to their desktop, they need to have a triShell configuration (Section
5.4.1) assigned to them with appropriate options selected.
triShell and explorer shell have two separate desktop locations, but they may be redirected to the
same location. It is best to redirect triShell and explorer to the same location if you allow access to
explorer.exe for certain functionality, such as publishing desktop folders and network shares. Explorer
folder redirection can be accomplished with Simplify Profiles (Section 3.3.4) and Group Policies.
6 Simplify Lockdown
6.1 Overview
Simplify Lockdown allows the prevention of specified executables from executing. Lockdown can run as either a
whitelist or a blacklist. Every process run by a user (including processes such as winlogon.exe and userinit.exe) is
monitored and Simplify Lockdown determines if the process should be blocked from running using the whitelist
and blacklist.
Processes are represented through application objects. These application objects can be added to the Trusted List
and the Banned list. If the user is in Trusted mode and a process is not explicitly defined in the user’s Trusted List,
or if the user is in Banned mode and a process is explicitly defined in the user’s Banned list then it is blocked from
running. The Banned (black) List and the Trusted (white) List are separate: in Banned mode the Banned List is used
and Trusted List ignored, in Trusted mode the Trusted List is used and the Banned List ignored.
Process restriction can operate in one of four modes:
• Trusted Mode (White List): This mode is the most restrictive. No processes are allowed to run unless the
administrator has assigned that executable to the owner’s Trusted List (a White List).
• Banned Mode (Black List): This mode is less restrictive than White List mode. All processes are allowed to
run except for those that the administrator has assigned to the owner’s Banned List (a Black List).
• Don’t use lockdown (Off): Simplify Lockdown does not perform any process restriction at all.
• Learn Mode: This mode is intended to assist in configuration of the farm environment by recording data
for every application run on the Terminal Server that can then be used to configure a comprehensive
White List as well as Application Trust Lists. This mode does not perform any restriction while collecting this
data, similar to Don’t use lockdown.
Simplify Lockdown in combination with Simplify Desktop (Section 6) makes it easy to deploy secure desktops and
prevent unauthorized executables from running on your Terminal Server.
6.2 Simplify Applications - Creating an Application Object
To create an application object that can be assigned to an owner, first locate the objects pane on the right side of
the Simplify Console. You can either click the new object button or right-click on the Applications branch and
choose New Object.
This will create a blank template for an application object.
Next, where New Object is highlighted in the tree, provide a name for the application you are about to define. This
name is for administrative reference and does not reflect what the user will see, but you are recommended to use
the application name for clarity.
6.2.1 Properties
Now you are ready to add an application. There are a number of fields on the right, most of which will populate
automatically. They are:
• Name: This is the name that a user will see for the application.
• Executable: Specifies the location of the executable.
• Working Directory: Specifies the working directory for the application.
• Icon: Specifies the icon the user will see.
• Arguments: Provides the ability to use arguments if required.
• Startup: Specifies how the application should open (Normal, Minimized or Maximized). This setting is
specific to triShell.
• Instance Count Limit: Specifies the number of times the application is allowed to be launched per session,
per machine or has no limit at all.
Now, locate the Executable line and click the ellipses … button to the right. This will provide an open dialog box through which you can browse to locate the executable of the application that you want to bring in. Once found,
highlight the item and then click the Open button. At this point the basic fields will self-populate. In the example
below, Internet Explorer (iexplore.exe) was populated.
There are five optional tabs that you can use to further customize each application object. They are the
Signature, Trust List, Stability, Run As and Run Once tabs.
Importing Application Objects
Creating application objects one-by-one is a long and tedious process. To avoid this hassle, use the Import Learn
Mode Apps and Find Apps to Import functions.
6.2.2 Signatures
This tab allows you to define how Lockdown will determine whether a runtime application matches the defined
object in the system. There are three components that can make up a match:
• The name of the executable, which can include the full path or just the base name
• The arguments supplied to the application
• A unique hash of the executable file
If Use Hash is selected as a signature component the administrator can select which hashes from those in the table
will be allowed. These hashes are placed in the table in one of three ways: the initial creation of the application
object, manual creation by the admin using the Generate button or implicitly by the Lockdown product itself when
it detects a new hash at runtime that is not already in the table.
Note that Simplify Lockdown has a security feature in Banned Mode where if an application is renamed, and an
Application Object exists in the Simplify Console that refers to the old name, Simplify Lockdown will deny the
application, even if it is not assigned to the user’s Banned List. Unchecking Use Name in the Application Object’s
signature tab also has no effect on this security feature. If this is a problem, delete all Application Objects that refer
to the old name, and if necessary, recreate those objects referring to the new name.
6.2.3 Trust List
In addition to the general trust list, each application can have a Child Trust List. The Child Trust List allows for
processes to start only as child processes of a parent application. A child process is any process that is spawned
from another process. When you open Windows Explorer (a process) and open up Notepad from there, Notepad is
considered a child process of Windows Explorer. For example, the Child Trust List can be used to allow the Office
Help application to start from Microsoft Word, but not directly from the desktop or any other application. To
configure this, there is a tab for each application object called Trust List.
The Trust List tab allows the administrator to define whether a given application allows children to be created and
if so how restricted that ability is.
• Allow All Trusted Applications: This allows any application that is assigned to the user’s White List to be
created as a child.
• Deny All Child Applications: This application is not allowed to create any children regardless of White List
assignments.
• Use Child Trust List: Only applications that match the application objects set in the table will be allowed
to run. Applications can be set to allowed, denied, or ignored by clicking on the lock icon. Ignoring an
application allows it if it is on the Trusted List and denies it if it is not.
The Child Trust List is necessary because child processes can create security complications. In Notepad, or any other
application where you can go to File -> Open, you can change the view to “All Files” and then open CMD
or any other program in the file system. The main Trusted List deals with most scenarios such as this, but
sometimes programs such as system processes must be placed on the Trusted List to run in the background, while
being undesirable for users to be able to execute manually. Simplify Desktop (Section 5) can aid with this situation
by restricting users’ access to a few programs, but this is not enough to secure the system.
For example, say Simplify Desktop only makes Notepad accessible and only Notepad and a system process are on
the Trusted List. At first glance, this seems like a secure system, but a devious user could open the system process
from Notepad using File -> Open. The system can be made secure while leaving the system process on the Trusted
List by selecting the Notepad object’s Trust List tab and selecting the option Deny All Child Applications. This
prevents the user from running any system process from Notepad, even if it is on the Trusted List. Alternatively,
one could delete the system process from the Trusted List, and find the process that needs to run the system
process. For that parent process, create an application object, add it to the Trusted List, then select Use Child Trust
List and change the system process to allow.
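The allow/deny rules of Sections 6.1 and 6.2.3, modeled in Python as an added example (not Tricerat code and not part of the original guide). All class and function names are hypothetical, sysproc.exe and parentsvc.exe are constructed placeholders, and the model assumes that a parent's Trust List tab is evaluated only in Trusted Mode and that a child absent from the Child Trust List table is denied.

```python
"""Toy model of the Lockdown decision rules in Sections 6.1 and 6.2.3.

Added example: every name here is hypothetical and not part of the Simplify
Suite. "sysproc.exe" and "parentsvc.exe" are constructed placeholders.
Process names in the lists are stored in lower case.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    TRUSTED = "Trusted Mode (White List)"
    BANNED = "Banned Mode (Black List)"
    LEARN = "Learn Mode"
    OFF = "Don't use lockdown"


class ChildPolicy(Enum):
    ALLOW_ALL_TRUSTED = "Allow All Trusted Applications"
    DENY_ALL = "Deny All Child Applications"
    USE_CHILD_TRUST_LIST = "Use Child Trust List"


class ChildRule(Enum):
    ALLOW = "allowed"
    DENY = "denied"
    IGNORE = "ignored"


@dataclass
class AppObject:
    name: str
    child_policy: ChildPolicy = ChildPolicy.ALLOW_ALL_TRUSTED
    child_rules: dict = field(default_factory=dict)  # child name -> ChildRule


@dataclass
class Owner:
    mode: Mode
    trusted: set = field(default_factory=set)
    banned: set = field(default_factory=set)


def decide(owner, objects, process, parent=None, console_session=False):
    """Return (allowed, reason) for one process start."""
    proc = process.lower()
    if console_session:
        return True, "console session: Lockdown does not deny (Section 6.6.1)"
    if owner.mode in (Mode.OFF, Mode.LEARN):
        return True, "no restriction in " + owner.mode.value
    if owner.mode is Mode.BANNED:
        # Banned mode consults only the Banned List; the Trusted List is ignored.
        if proc in owner.banned:
            return False, "on Banned List"
        return True, "not on Banned List"
    # Trusted mode. Assumption of this model: the parent's Trust List tab is
    # checked first, since the page describes it in terms of the Trusted List.
    parent_obj = objects.get(parent.lower()) if parent else None
    if parent_obj is not None:
        if parent_obj.child_policy is ChildPolicy.DENY_ALL:
            return False, "parent denies all child applications"
        if parent_obj.child_policy is ChildPolicy.USE_CHILD_TRUST_LIST:
            # Assumption: a child that is missing from the table is denied.
            rule = parent_obj.child_rules.get(proc, ChildRule.DENY)
            if rule is ChildRule.ALLOW:
                return True, "allowed by parent's Child Trust List"
            if rule is ChildRule.DENY:
                return False, "denied by parent's Child Trust List"
            # ChildRule.IGNORE falls through to the Trusted List check.
    if proc in owner.trusted:
        return True, "on Trusted List"
    return False, "not on Trusted List"


def notepad_scenario():
    """The Notepad example above, before and after each of the two fixes."""
    owner = Owner(Mode.TRUSTED, trusted={"notepad.exe", "sysproc.exe"})
    objects = {"notepad.exe": AppObject("notepad.exe")}
    results = {"before": decide(owner, objects, "sysproc.exe", "notepad.exe")[0]}

    # Fix 1: Deny All Child Applications on Notepad; sysproc.exe stays trusted.
    objects["notepad.exe"].child_policy = ChildPolicy.DENY_ALL
    results["fix1_from_notepad"] = decide(owner, objects, "sysproc.exe", "notepad.exe")[0]
    results["fix1_from_service"] = decide(owner, objects, "sysproc.exe", "parentsvc.exe")[0]

    # Fix 2: drop sysproc.exe from the Trusted List and allow it only as a
    # child of the parent process that needs it.
    owner2 = Owner(Mode.TRUSTED, trusted={"notepad.exe", "parentsvc.exe"})
    objects2 = {
        "notepad.exe": AppObject("notepad.exe"),
        "parentsvc.exe": AppObject("parentsvc.exe", ChildPolicy.USE_CHILD_TRUST_LIST,
                                   {"sysproc.exe": ChildRule.ALLOW}),
    }
    results["fix2_from_notepad"] = decide(owner2, objects2, "sysproc.exe", "notepad.exe")[0]
    results["fix2_from_service"] = decide(owner2, objects2, "sysproc.exe", "parentsvc.exe")[0]
    return results


if __name__ == "__main__":
    for case, allowed in notepad_scenario().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The `console_session` flag reflects the behaviour noted in Sections 6.6.1 and 6.6.2: a policy that tests correctly for remote users is not enforced for a user at the server console.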
6.3 Simplify Applications – Features
6.3.1 Find Apps to Import
This function is used to search specified directories and sub-directories for applications. A common scenario to use
this function is after installing new applications.
The following example shows how to import Microsoft Office Suite applications.
1. Access Find Apps to Import in the Simplify Console via View -> Find Apps to Import.
2. In the Search for and Create Application Objects window, browse or type the directory to be searched and
press Start Search. Verify that the Search options are valid for the directory, for example, System Files/Folders
should be enabled to import most applications from Windows\System32.
3. Select the applications to be imported and click the Import Applications... button. You may select multiple
applications to import at one time; you will be informed when the applications are finished being imported.
4. The applications are now available in the Application container in the Objects pane. It is best to verify the
Object’s settings and tweak them as needed. For example, this Outlook object needed its Display Name,
Sorting Rank, and Instance Count Limit settings changed.
6.3.2 Import Learn Mode Apps
Import Learn Mode Apps, which relies on the Lockdown service, assists in configuration by recording every
application executed and allows the import of any recorded application. To take advantage of this functionality,
Lockdown must be in Learn Mode. It is best to enable Learn Mode for a single account, such as an admin, junior
admin, or user account, to generate a list of Learn Mode Apps.
For example, if there are scripts used to customize settings at logon and/or logoff, then Learn mode can be used to
learn more about them. To do this, enable Learn Mode for a test account, logon, and logoff. Every application will
execute as normal, but the application information is “Learned” by the Lockdown service and saved in the Simplify
database. From there, the Import Learn Mode Apps can be accessed and used to import the applications. Learn
Mode will capture the application name, path, arguments, hash, parent path, server, version, and file date.
To use Learn Mode Apps:
1. Set Lockdown to Learn Mode, then let the user run applications.
2. In the Simplify Console, select Tools -> Import Learn Mode Apps.
3. Look at the list of applications used by users in Learn Mode. Select the applications to import and press
Import.
You can also view a list of users in learn mode per the Tools Menu.
6.4 Walkthrough
6.4.1 General Use
Setting Lockdown configurations requires four steps:
1. Set the Lockdown mode for the desired owner. This can be done in the Assignments pane, under Applications
-> Lockdown – [current Mode]. Right-click Lockdown and select the desired Lockdown mode.
• Inherit Lockdown Mode: This is the default setting for all Active Directory Objects. The owner’s Lockdown
Mode is inherited from its parents.
• Use Trusted Mode – This setting uses a whitelist to only allow the use of applications that are trusted and
will deny all applications by default.
• Use Banned Mode – This setting uses a blacklist to deny any applications that are banned and will allow
all applications by default.
• Learn Mode – This is used to monitor applications users are using and can be used to allow administrators
to import those applications easily.
• Don’t Use Lockdown – This setting will disable Lockdown from performing any actions against
applications.
**It is important to note that while in Trusted mode anything in the Banned list is ignored and in Banned
mode anything in the Trusted list is ignored.
2. Create the desired Application objects as described in the previous section.
3. Assign the Application objects to the Banned or Trusted List. The Banned and Trusted lists are located in the
Assignments pane, under Applications -> Lockdown – [currentMode] -> Banned, and Applications -> Lockdown
– [currentMode] -> Trusted. Simply drag and drop Application objects for Lockdown from the Objects Pane to
the Banned and Trusted lists in the Assignments pane to assign the object.
4. After any assignment changes are made that affect Lockdown, the Lockdown configuration must be refreshed.
This occurs automatically every 5 minutes, or immediately after the Lockdown service is restarted. To restart
the Lockdown Service, in the Console, select Tools -> Services -> Simplify Lockdown -> Restart, or restart
Simplify Lockdown from Services.msc. Lockdown will also be restarted if the server is restarted.
After these steps have been completed, any users that attempt to run a process that they do not have permission
to run will receive an error message similar to the following:
When in Trusted Mode any process not explicitly on the Trusted List will receive this message when trying to run,
including system processes. Required system processes are automatically placed on the Trusted List by the
Simplify Lockdown installer, but administrators must set up the rest of the Trusted List applications, otherwise the
user will receive this error message about dozens of optional system processes. This setup may take an hour or
two, but once this is done you will permanently have a secure environment.
6.4.2 Show Denied Apps
Administrators can also see a list of applications denied to users. This list shows what applications users are trying
to access but are not allowed to run. It will show the user’s name, the server they are on, and the time of the
incident. To access it, go to the Console Menubar, and select Tools -> Show Denied Apps…
6.4.3 Configure Simplify Lockdown
The Configure Simplify LockDown Menu allows you to set delays for denied messages, restart the service for that
specific server, and purge the saved Denied Apps and Learn Mode Apps Tables.
6.4.4 Customizing the Lockdown Error Message
The Lockdown error message can be customized to set a specific message, such as “Contact your
Administrator if you need to access this Application”. To customize the message, open the Simplify
Console and click Tools -> Customize Lockdown Messages. The following dialog will appear with all of
the messages you can customize. Double-click APPTERM_TRUSTLIST.
Now a dialog will appear that allows the administrator to type a message in for the user to see. The
message can contain any of the variables listed below.
6.4.5 Lockdown with Published Applications
In a published application, even though you are not providing your users with a traditional shell, the application IS
the shell. Many administrators incorrectly believe this secures the system; it does not. A published application
often allows access to any other application on the server. For instance, Microsoft Word can launch other
applications through one of its many tools/dialogs, such as the Open or Save-As dialog boxes. Simplify Lockdown
monitors and controls what processes can execute regardless of whether a traditional shell is displayed. It also can
allow you to specify what applications can be launched by another process (such as Microsoft Word) through a
child trust list.
6.4.6 Simplify Lockdown and Simplify Desktop
Simplify Lockdown can be used both with and without Simplify Desktop’s triShell. When Lockdown is used with
triShell, the products work together – any applications assigned to triShell that are blocked through Lockdown are
not displayed to the user. If Lockdown is used with the Explorer shell, users will still be able to see any
unauthorized applications, but will receive the Lockdown error message if they attempt to run the applications.
6.5 Frequently Asked Questions
6.5.1 What happens if a process is on both the banned and trusted lists?
Though we do not recommend this, it does not cause any problems. The lists are separate – banned mode uses the
banned list and trusted mode uses the trusted list. Thus, if you are in banned mode the process will be denied and
if you are in trusted mode, the process will be allowed.
6.6 Troubleshooting
6.6.1 Users are able to launch items not assigned to their trusted list
Verify that the Lockdown mode is set to Lockdown - Trusted, the Simplify Lockdown service is running, and the user is
logging in remotely. Simplify Lockdown does not deny applications from console sessions (where the user is using
the same physical machine as the server).
If the issue is still occurring, then restart the Simplify Lockdown service.
6.6.2 Users are able to launch items assigned to their banned list
Verify that the user is logging in remotely. By design, Simplify Lockdown does not function in console sessions
(where the user is using the same physical machine as where Simplify Lockdown is installed).
6.6.3 Users are unable to launch items even when they are not assigned to their banned list
Note that Simplify Lockdown has a security feature in Banned Mode where if an application is renamed, and an
Application Object exists in the Simplify Console that refers to the old name, Simplify Lockdown will deny the
application, even if it is not assigned to the user’s Banned List. Unchecking Use Name in the Application Object’s
signature tab also has no effect on this security feature. The solution is to delete all Application Objects that refer
to the old name, and if necessary, recreate those objects referring to the new name.
Note that Simplify Lockdown automatically creates Application Objects necessary for the system for use with
Trusted Mode. Thus, if a core system process such as explorer.exe is renamed, those Application Objects must be
deleted for Banned Mode to work correctly.
6.6.4 Users are receiving an APPTERM_TRUSTLIST error message. Why is this happening?
Users receive this type of error when they attempt to launch a process to which they have not been given
permission, so this is an indication Lockdown is working.
When in Trusted Mode any process not explicitly on the Trusted List or parent application’s Child Trust List (Section
6.2.3) will receive this message when trying to run, including system processes. Required system processes are
automatically placed on the Trusted List by the Simplify Lockdown installer, but administrators must set up the rest
of the Trusted List applications. Otherwise, the user will receive this error message about dozens of optional
system processes. This setup can take an hour or two, but once this is done you will permanently have a secure
environment.
7 The Simplify Database
7.1 Overview
The Simplify Suite uses an SQL database to store all of the configuration data for the users, groups and OUs in the
environment. During the Simplify Suite install, a “Simplify” database is created on the SQL or SQL Express server
instance and all Suite configuration data is stored there. Because the database mainly holds configuration data, it
should not grow too large in size (an average would be around 20 - 40 MB). However, Simplify Profiles (Section 3)
does store saved registry information (Section 3.4.1.1: Save/Restore Operations) in the database for each user,
which can make the database size increase depending on the number of users in the environment.
7.2 Walkthrough
7.2.1 View and Modify DSN Settings
If the configuration database needs to be changed after installation, there are three steps that must be followed to
set the new data source. Under the file menu in Simplify Console, select Manage DSNs to open the ODBC Data
Source Administrator.
Please note that this is the same utility that can be opened under the Administrative Tools folder. In the ODBC
Data Source Administrator, select the System DSN tab and choose to configure the DSN named Tricerat Simplify.
The first screen asks for the name of the DSN, a description, and the Server. Make sure the server selected is the
correct database server, including the named instance if any.
After clicking next, a choice must be made between Windows NT authentication (user authentication) and SQL
Server authentication (SQL authentication). If the authentication type is SQL Server authentication
(recommended), type in a valid login ID and password to connect to the database and review the rest of the
options.
On the third page, make sure the default database is Simplify, and click next.
Finally, click the finish button and test data source. If everything is configured correctly, a message TESTS
COMPLETED SUCCESSFULLY! will be displayed.
After the ODBC data source is set, select Set Simplify DSN under the file menu.
This dialog sets the database connections for the products in the Simplify Suite running on the server in question.
Choose the DSN that was previously set up (the default is Tricerat Simplify) and the type of credentials to use for
this connection.
Finally, click the Test button. If everything is configured correctly, a message Passed! will be displayed.
7.2.2 Setup SQL Replication
Depending on the physical layout of the network, it may be advantageous to have SQL Servers located locally to
the terminal server farms they are serving. However, the desire is to maintain a central point of configuration and
management. This document describes how to configure built-in SQL Server replication to achieve these results.
The end result of this configuration allows Simplify Suite terminal servers to access the configuration database
from a local source, while the SQL Server replication makes any changes available throughout the entire system.
The primary SQL Server (also referred to as the central server or the publisher in replication terms) must be a full
copy of Microsoft SQL Server 2000 or 2005. The client servers, or the local database servers, can be either
MSDE/Express, or full SQL Servers. These instructions are based on SQL Server 2000 replicating with MSDE 2000.
The process for SQL Server 2005 is similar, but the steps will not be identical.
To begin, the Simplify database must be installed on both the central server and the local server. This can be
accomplished by first installing the Simplify Suite and connecting to the central server, then uninstalling the
product and reinstalling (with the MSDE version) for the local server. This builds the Simplify database in both
locations, and leaves the terminal server configured to point to the local server.
Replication is configured in SQL Server Enterprise Manager, which is installed on the SQL Server computer or can be
installed with the client tools from the SQL Server CD. In Enterprise Manager, BOTH the central and
local servers must be listed. If they are not listed, add them by right-clicking a SQL Server Group and choosing
New SQL Server Registration. Servers can be added through the list box or the edit box.
The first step is to configure a publisher for the replication.
1. Open the SQL Server in the tree, and then expand Replication and Publications.
2. Right click and select New Publication.
3. Select the distributor. It is usually best to leave the default choice of the current server.
4. If the SQL Server Agent runs as the system account, change to a Windows account. The wizard will prompt you
if it needs to change.
5. Select Yes, configure the SQL Server Agent to start automatically.
6. Input Snapshot folder.
7. Choose the Simplify database.
8. Choose Merge publication as the publication type.
9. Choose Servers running SQL Server 2000 as the only subscriber type.
10. When choosing articles, select all except RegSetData, DllModuleInstance, DllModules, ExeModuleInstance,
ExeModules, and SessionSummaryTable. Leaving these tables out of the replication prevents system logging
information and registry save/restores from being published to all servers in the replication scheme. If this
information is needed (such as users logging in to different locations) then you can check all tables. Note
that these are the largest tables in the configuration database, so network bandwidth may be of concern.
11. The publication name and description can be anything. It is easiest to refer to the publication name as
Simplify, the default.
12. Choose No, create the publication as specified.
13. The publication is created.
Now that the publication is created, the local servers must be set to subscribe to this publication. The easiest way
to do this in the enterprise manager is to push the subscription to the clients.
1. Still on the central SQL Server item, right click on the newly created publication and select to Push New
Subscription.
2. Select the local server (perhaps MSDE) to receive the subscription.
3. Leave the database server name as Simplify.
4. Select the schedule for replication. You may want it to be immediate on changes, or at a specified time. For
testing purposes, immediate is easiest, but in a production environment a specified schedule may be optimal.
5. Choose Yes, to initialize the schema and data.
6. Use the Publisher as a proxy for the Subscriber when resolving conflicts.
7. Choose Next and Finish.
The replication is established. Data entered into any server's database will now be synchronized to all servers
participating in the replication.
As described above, the Simplify Suite terminal servers should be connecting to the local databases. The central
database should only be serving terminal servers local to it, and acting as the replication master for all local
databases.
7.2.3 Migrating and backing up the Simplify Suite database
SQL Management Studio includes Backup and Restore functions. Regular backups of the Simplify database, as well
as backups before all upgrades, are strongly recommended. The Backup and Restore functions are also the usual method for
customers to migrate the Simplify database from evaluation environments to production environments. Follow
these directions to back up the Simplify database without using replication, and the directions in the next section to
restore the Simplify database from the backup file. To migrate, back up the database on the current SQL Server,
and restore the database on the SQL Server you are migrating to.
1. Open Microsoft SQL Server Management Studio and log in. Microsoft SQL Server Management Studio is a free
add-on for Microsoft SQL Server available at www.microsoft.com.
2. Find the Simplify database, right-click it, and select Tasks -> Back Up...
3. Verify the Source, Backup set, and Destination. There are some useful options in the Options page such as
Verify Backup when finished and Perform Checksum before writing.
4. The backup will be named Simplify (the same as the database source name) with a .bak extension and written into the
Backup directory.
The following section covers how to restore the Simplify Database from this backup file.
7.2.4 Restoring the Simplify Database from a .bak file
1. The Simplify.bak file needs to be restored on the desired SQL Server, which can be accomplished by moving it
to the target server.
2. Open Microsoft SQL Server Management Studio on the new SQL Server and log in. Expand the instance, right-click the Database directory, and select Restore Database...
3. Complete the Restore Database form and select OK. The To database field must be named Simplify. Select
From device and navigate to Simplify.bak.
4. Return to the terminal server(s) and modify the Suite to connect to the new SQL Server. Open the Simplify
Console, and under the file menu, go to Manage DSNs\System DSN (tab), find the Tricerat Simplify entry and
choose configure. Follow the screens to input the correct server name and credentials to connect with.
5. Finally, go back to the file menu and choose Set Simplify DSN. Make sure that Tricerat Simplify is selected.
Then choose Use specified credentials and again provide the appropriate credentials with which to connect to
the database. This will need to be performed on every server.
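The backup and restore steps of sections 7.2.3 and 7.2.4 can also be run as T-SQL on SQL Server 2005 or later. This is an added example, not a Tricerat script: the D:\Backup folder and the simplify_svc login are assumptions, and the CHECKSUM and VERIFYONLY statements correspond to the Perform Checksum before writing and Verify Backup when finished options.

```sql
-- Added example, not part of the Tricerat guide. SQL Server 2005 or later.
-- Assumptions: backup folder D:\Backup, SQL login simplify_svc.

-- === On the current (source) SQL Server ===
-- CHECKSUM verifies page checksums where they are present and stores a
-- checksum over the backup itself. INIT overwrites any older backup sets
-- in the file, so the file holds exactly one set.
BACKUP DATABASE Simplify
    TO DISK = N'D:\Backup\Simplify.bak'
    WITH INIT, CHECKSUM, NAME = N'Simplify full backup';

-- Equivalent of "Verify Backup when finished": reads the whole file and
-- re-checks the stored checksums without restoring anything.
RESTORE VERIFYONLY
    FROM DISK = N'D:\Backup\Simplify.bak'
    WITH CHECKSUM;

-- === On the target SQL Server, after copying Simplify.bak to it ===
-- Re-verify after the copy so a damaged transfer is caught before the restore.
RESTORE VERIFYONLY
    FROM DISK = N'D:\Backup\Simplify.bak'
    WITH CHECKSUM;

-- Lists the logical file names and original paths stored in the backup.
-- Use them in MOVE clauses if the target server keeps data files elsewhere.
RESTORE FILELISTONLY
    FROM DISK = N'D:\Backup\Simplify.bak';

-- The database name must be Simplify (the "To database" field in the GUI).
RESTORE DATABASE Simplify
    FROM DISK = N'D:\Backup\Simplify.bak'
    WITH CHECKSUM, RECOVERY;
    -- If paths differ, add for each file reported by FILELISTONLY:
    --   MOVE N'<logical name>' TO N'<new path on the target server>'

-- Consistency check of the restored database.
DBCC CHECKDB (Simplify) WITH NO_INFOMSGS;

-- A SQL-authentication user inside the restored database is tied to the
-- login SID of the OLD server. List users that have no matching login here:
USE Simplify;
EXEC sp_change_users_login @Action = 'Report';

-- Re-link a reported user to the login of the same name on this server
-- (the login must already exist; simplify_svc is an assumed name).
EXEC sp_change_users_login
    @Action = 'Update_One',
    @UserNamePattern = N'simplify_svc',
    @LoginName = N'simplify_svc';
```

The orphaned-user check matters only when the Suite connects with a SQL login other than sa; Windows logins and sa keep the same SID across servers in a domain.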
7.2.5 Simple Database Backup and Restore
It is possible to do a copy/paste of both the database and the database log files, although the Backup & Restore
functions are recommended. This procedure is best completed when users are not logged into the terminal server.
1. Go to the services control panel under Administrative Tools.
2. If you are running the MSDE version of SQL server, stop the MSSQL$TRICERAT service. If you are running a
separate SQL server, stop the MSSQLSERVER service.
3. Copy the Simplify.mdf and Simplify_log.LDF files from C:\Program Files\Microsoft SQL
Server\MSSQL$TRICERAT\Data to your backup location.
4. If you are running the MSDE version of SQL server, restart the MSSQL$TRICERAT service. If you are running a
separate SQL server, restart the MSSQLSERVER service.
To restore the database from the backup files:
1. Open up the Enterprise Manager.
2. Go to Microsoft SQL Servers\SQL Server Group\SQLSVR (Windows NT)\Databases on the tree on the left.
3. Right-click on Databases and choose All Tasks and then Attach Database.
4. Use the ellipses button on the top-right to browse to where you placed the Simplify.mdf file.
5. Click the Verify button to make sure the database is ok.
6. Under Specify database owner, select the appropriate account that will make the connection to the database
for use. Normally, the sa account is used.
7.2.6 Install MSDE 2000 from Tricerat’s bundle
The Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) is a free version of SQL Server 2000. For
environments that do not have SQL Server, the MSDE can be used for the Simplify Suite. Tricerat provides a version
of the Simplify Suite that includes the MSDE, and will install both the MSDE and the Simplify Suite in a single
installation. For administrators who would like to control the installation of the MSDE, or install the MSDE on a
server that is not also a terminal server, you can download the MSDE free of charge from Microsoft. Using a
terminal server to run the MSDE is acceptable, but additional performance will be gained by running the MSDE on
a server that is not also a terminal server.
The MSDE is a scaled down version of SQL Server. The primary point of concern for administrators is the workload
governor present in MSDE. The MSDE will only process five requests simultaneously before the workload governor
is applied. The size of the environment that can be supported by an MSDE implementation depends on a number
of factors, including the number of users per server and the frequency of logons. Once a terminal server farm
grows to be more than a few servers, it is recommended that a full license of SQL Server be deployed.
Besides the workload governor, a full instance of SQL Server provides additional benefits. SQL Server has additional
replication technologies available to enable servers in multiple locations, or redundancy in case of failure. SQL
Server also comes with Enterprise Manager which allows for easier administration of SQL Servers, including
configuration of replication and clustering.
To install the Simplify Suite with the MSDE, use the Tricerat downloads page to download the install bundled with
the MSDE. Make sure the server is in install mode and run the SimplifyMSDE.exe executable. This executable will
first install MSDE on the server, and then proceed to run the Simplify Suite install. The database connection will
automatically be set to use the MSDE on the local server. When installing additional servers, make sure to use the
basic Simplify Suite install (without MSDE), and configure the database settings to use the database on the first
server.
7.2.7 Install MSDE 2000A separately from Tricerat’s bundle
If an administrator decides to install MSDE 2000A separately from the Tricerat install, one must first download the
package from Microsoft. After unpacking the download, the setup routine must be run with parameters to
configure the database system.
The first required parameter, DISABLENETWORKPROTOCOLS=0, is required to have servers other than localhost
attach to the database. The other required parameter is SAPWD, which sets the password for the sa account. A
third parameter, SECURITY=SQL, sets the security mode of the SQL server to have both SQL authentication and
Windows Authentication. This parameter is highly recommended because omitting this parameter forces the
server to Windows Authentication only and Tricerat does not support the use of Windows authentication on
MSDE. The final parameter, setting the instance name of the server, is optional. A server can have up to 16
instances of SQL Server and the MSDE running, and additional instances require a name to identify them. If you do
not supply an instance name, the default instance is used. When connections are made to the database, it is
identified by SERVERNAME\INSTANCENAME. The default instance is identified by SERVERNAME. To specify an
instance name, the parameter INSTANCENAME is used.
The recommended command to install the MSDE is:
setup.exe DISABLENETWORKPROTOCOLS=0 SAPWD=!tricerat.msde SECURITY=SQL INSTANCENAME=TRICERAT
As an alternative to manually installing the MSDE, the Simplify Suite bundled with MSDE can be used to install the
MSDE, and then cancel the install of the Simplify Suite.
The next step will be to install the Simplify Suite using the Simplify.msi. During the install process, you will be
prompted to provide the appropriate database location and credentials.
The SQL server name will be in the following format: SERVERNAME\TRICERAT
For authentication, Use Tricerat defaults is appropriate if you followed the procedure above (Username - sa,
Password - !tricerat.msde). If not, please provide the needed credentials.
Finally, place a check in the check box Create a new Simplify Database.
7.2.8 Install SQL Server Express 2005 separately from Tricerat’s bundle
If you have chosen to make use of the SQL Server 2005 Express package, which can be found online from
Microsoft, an install wizard is provided.
When installing:
1. Uncheck Hide Advanced Configuration Options.
2. Named Instance is TRICERAT.
3. Authentication mode should be set to Mixed Mode.
4. Enter Password “!tricerat.msde”.
Next you may need to change some settings on the SQL Server instance. Go to Start -> All Programs -> Microsoft
SQL Server Express -> Configuration Tools -> SQL Server Surface Area Configuration.
1. Click on Surface Area Configuration for Services and Connections.
2. Click on Remote Connections.
3. Select Local and Remote Connections.
4. Select Using both TCP/IP and named pipes.
5. Click the Apply button.
6. You will see a warning telling you that you need to restart the Database engine. Click OK.
7. Click OK to close the dialog box.
8. Open the Services manager and restart the SQL Server (SQLEXPRESS) or your named Database Engine.
Make sure .NET Framework 2.0 or higher is installed, as it is required for Simplify Suite.
The next step will be to install the Simplify Suite using the Simplify.msi. During the install process, you will be
prompted to provide the appropriate database location and credentials.
The SQL server name will be in the following format: SERVERNAME\TRICERAT
For authentication, Use Tricerat defaults is appropriate if you followed the procedure above (Username - sa,
Password - !tricerat.msde). If not, please provide the needed credentials.
Finally, place a check in the check box Create a new Simplify Database.
7.2.9 Installing on an existing SQL Server
If Microsoft SQL Server 2000 or SQL Server 2005 exists in the domain, it can be used to host the configuration
database for the Simplify Suite. During the install, the database connection is configured with the name of the SQL
Server and the credentials used to connect to the database. There is also a checkbox that will create a new
database. This option should be used for the first installation in a terminal server farm. When creating the
database, it is important to supply credentials that have permissions to create a new database on the database
server (See Section 7.3.5: What are the required permissions for the Simplify Suite database?).
7.2.10 SQL Server and SQL Express Limitations
SQL Server Express and Microsoft SQL Server Desktop Engine (MSDE) are free versions of Microsoft’s SQL Server.
The limitations of MSDE are listed at http://www.aspfaq.com/show.asp?id=2343
MSDE 2000
• Supports up to 2GB RAM.
• 2GB database size limit.
• Five concurrent users or less is recommended.
• Supports up to 2 CPU on Windows NT|2000|2003
• No publishing for transaction replication.
• No Database Server Failover Support.
• No Full-text search.
• No GUI interface (there are no SQL Server Enterprise Manager, SQL Server Profiler, Query Analyzer,
Database Upgrade Wizard, Index Tuning Wizard, Import and Export Wizards, and so on).
• No OLAP.
• No English Query.
• No SQL Books Online.
SQL Server 2005 Express
• 1 GB memory (for buffer, not total).
• 1 CPU.
• 50 named instances per machine.
• 4 GB per database (not including log files).
• Transactional replication is limited to a subscriber role only.
• Data mirroring and clustering are not available.
• Full-text search is not available.
• SQL Agent is not available (you can use Service Broker or Task Scheduler instead).
• The DTS Runtime is not available (though you can use DTS in Express from other machines).
• Reporting Services is not available.
• Business Intelligence is not available (this includes Notification Services and Analysis Services).
7.2.11 Using the Simplify Console from a workstation
It can be beneficial to install the Simplify Console to a workstation instead of the terminal server. The Simplify Suite
should be installed on the workstation, while only selecting to install the Simplify Console.
For the database configuration page in the install, you will fill in the database information so you can receive and
modify the database entries that are read by the terminal servers.
7.3 Frequently Asked Questions
7.3.1 Can I create a Simplify Database on a separate SQL Server?
Yes. A server with SQL Server must already exist when the Simplify Suite install is launched. During installation, set
the database server path and apply SQL authentication credentials, or your Windows Authentication. Once the
credentials pass, the software will install on the new SQL Server instance.
7.3.2 Can I use another Database Management System?
Currently the Simplify Suite is only compatible with Microsoft SQL Server 2000, Microsoft SQL Server 2005, or
Microsoft SQL Server 2005 Express or higher. Databases such as MySQL, Oracle, etc. are not supported at this time.
7.3.3 Can I use a different name for the database?
Yes. On the Database Server screen of the Installer enter the desired database name in the Database field.
7.3.4 How does another application using MSDE/SQL on my terminal server affect the Simplify Suite?
A server can have up to 16 instances of MSDE/SQL running. Additional instances require a unique name to identify
them. The Simplify Suite installer creates a unique MSDE/SQL instance automatically, so there will not be a conflict
with any existing applications.
7.3.5 What are the required permissions for the Simplify Suite database?
There are two types of authentication that can be used during the creation of the Simplify Suite database. They are
SQL authentication and Windows NT authentication. SQL authentication is recommended during the creation of
the database whenever possible.
SQL Authentication
During database creation, you will need to use the sa account or an account with privileges. Once the
database has been created, any account that has public and db_owner roles may be used for database
connectivity.
Windows NT Authentication
During database creation, you will need to use an Administrator account or an account with
Administrator equivalent privileges. Once the database has been created, permissions must be granted
so that users have access to the Simplify database. The database roles required are public and
db_owner.
In addition to user permissions, terminal server accounts must also be granted permission because
some elements of Simplify Suite run in the system account. Usually, all servers in the active directory
are added to a group called Domain Computers. The SQL Server must be configured to grant access to
the Simplify database to this group.
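The role memberships described in this answer can be granted with T-SQL once the Simplify database exists (SQL Server 2005 or later syntax). This is an added example, not Tricerat's script; the login name simplify_svc, the domain name EXAMPLE, the user group name and the password placeholder are all assumptions.

```sql
-- Added example, not part of the Tricerat guide. SQL Server 2005 or later.
-- Assumed names: login simplify_svc, domain EXAMPLE, group "TS Users".
-- Run as sa or another login allowed to create logins, after the Simplify
-- database has been created.

-- --- SQL authentication ---------------------------------------------------
-- A dedicated login for day-to-day connectivity, so the terminal servers do
-- not have to connect as sa once the database exists.
USE master;
CREATE LOGIN simplify_svc
    WITH PASSWORD = N'<set-a-strong-password-here>',  -- placeholder
         DEFAULT_DATABASE = Simplify,
         CHECK_POLICY = ON;        -- apply the Windows password policy

USE Simplify;
CREATE USER simplify_svc FOR LOGIN simplify_svc;
-- Every database user is a member of public automatically; db_owner is the
-- role that has to be granted explicitly.
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'simplify_svc';

-- --- Windows NT authentication ---------------------------------------------
-- Users reach the database through a Windows group (assumed group name).
USE master;
CREATE LOGIN [EXAMPLE\TS Users] FROM WINDOWS
    WITH DEFAULT_DATABASE = Simplify;
-- Components that run in the system account connect as the computer
-- account, so the Domain Computers group needs access as well.
CREATE LOGIN [EXAMPLE\Domain Computers] FROM WINDOWS
    WITH DEFAULT_DATABASE = Simplify;

USE Simplify;
CREATE USER [EXAMPLE\TS Users] FOR LOGIN [EXAMPLE\TS Users];
CREATE USER [EXAMPLE\Domain Computers] FOR LOGIN [EXAMPLE\Domain Computers];
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'EXAMPLE\TS Users';
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'EXAMPLE\Domain Computers';

-- --- Check the result --------------------------------------------------------
-- Who holds db_owner in the Simplify database?
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;

-- The dedicated login should own only this database, not the server:
-- 0 means simplify_svc is not a member of the sysadmin server role.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'simplify_svc') AS is_sysadmin;
```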
7.3.6 What does the \TRICERAT after the SQL Server do?
SQL Server can be installed multiple times on a server; each installation is called an instance. Up to sixteen instances can be defined on a
server. When multiple instances of the SQL Server are used, multiple copies of the service run, and each copy
contains its own configuration, security, and databases. To identify different instances, each instance is assigned a
name during the installation. There is also a special instance, the default instance, which does not have a name.
To interfere as little as possible with the existing system, Tricerat installs the MSDE database to an instance named
TRICERAT, so existing instances of the MSDE or SQL Server will be unmodified. When a connection is being made
to this server, the name of the server is <SERVERNAME>\TRICERAT.
When administrators install the MSDE or SQL Server separately from the Tricerat install, they decide which
instance name, if any, to assign to it. Usually, only one instance is installed on a server and it is the default
instance. If the default instance is used, the server path is just <SERVERNAME>, whereas a named instance’s path
would be <SERVERNAME>\<INSTANCENAME>.
7.3.7 What settings are needed on the SQL Server Service?
The SQL Server service should be set to run as the System account. If users are unable to connect to the database,
verify that the SQL Server service is running as System.
7.3.8 When installing the Simplify Suite, how do I use an existing database?
During the install of the Simplify Suite, you can select the database to connect to on the SQL Connection screen:
The SQL server can be selected from the drop down list, by selecting the browse button, or be typed in manually.
Fill in the login credentials for the SQL server and click next. If there is a problem with the database connection,
you will see the error message before continuing with the Suite install.
7.3.9 What happens if the database connection is lost?
With Simplify Desktop offline mode on (Section 5.5), everything should work the same. With Simplify Desktop
offline mode off, users who have triShell assigned will not be able to log on.
With Simplify Profiles offline mode on (Section 3.6), everything should work the same. With Simplify Profiles offline
mode off, the objects will not be assigned to the user, so it should act as if our product is not installed.
7.3.10 Troubleshooting
7.3.11 I do not have the necessary SA access to create a new database
For this situation, Tricerat has a Simplify.sql script that can be sent to the DBA so that the Simplify Suite v4
database can be created manually. Once the database is ready, the terminal server administrator can then use the
Simplify.msi installer to install the Suite on the terminal server and then connect to the database using their
Database Owner privileges. To obtain a copy of the script please email Tricerat Support.
The syntax to use at the command prompt on the SQL server is as follows:
osql -E -S %COMPUTERNAME%\TRICERAT < Simplify.sql
Once the script is complete, begin the suite install on the terminal server. During the install, connect to the SQL
server that the script was run on. NOTE: It will be necessary to connect with a Database Owner account that has
permission to the Simplify database. The database roles required for the Database Owner account are public and
db_owner. After the install is complete, it will be necessary to run the following executable on the terminal server:
C:\Program Files\Tricerat\Simplify Console\DatabaseInit.exe
The DatabaseInit program will populate the Simplify database tables with the default values.
To Change the SA account password:
1. Download the SQL Server Management Studio Express from Microsoft’s web site.
2. Launch the program and log in with your Windows Authentication. If you cannot log in to the database server
you do not have permission to the database. Check your permissions in Active Directory.
3. Go to Security -> Logins.
4. Right-click on the sa account.
5. Click on Properties.
6. Set the password to a password of your choice and confirm your new password.
7. Click OK to accept the changes.
7.3.12 The database is rapidly growing in size
This may occur if Simplify Resources logging is turned on. Specifically, there are two logging options under the
Logging tab of a Simplify Resources object that, when turned on, save a large amount of data to the database.
The two data logging options are Enable User Session Recording and Enable Detailed Application Recording.
7.3.13 I am unable to connect to my SQL/Express database, and the users are locked out of the server
First, make sure that the SQL server is available and the SQL Server service is running. With an SQL Express
installation, the service is called MSSQL$TRICERAT. With a separate SQL Server installation, the service is called
MSSQLSERVER.
If you have chosen a separate SQL Server to host the database, make sure that the terminal server can connect to the
SQL Server over the network. A quick test could be performed by issuing a ping from the terminal server.
To troubleshoot connectivity, you will need to check your DSN settings (Section 7.2.1: View and Modify DSN
Settings).
8 Licensing
License help can be found in the “Tricerat Licensing Options Guide”.
8.1 License Keys
License keys are in the form of an Activation Code and usually transferred by email upon fulfilment of an order by
Tricerat. Please refer to the Tricerat Licensing Options Guide, which accompanies the Activation Code, for help
with types of licenses and applying new licenses to the system.
8.2 Installing the Simplify License Server
Please refer to “Tricerat Licensing Options Guide” for instructions on installing the Tricerat License Server.
8.3 Frequently Asked Questions
8.3.1 How do I upgrade to a Suite license from older Tricerat products?
Simplify Suite v6 requires a different license when upgrading from v5. To find if you are eligible for an upgrade,
please contact your sales representative for information on upgrading costs, which can be done through the
Tricerat Contact Page.
If you are upgrading from a previous version 6 install, the existing license activation key will remain valid.
8.3.2 When in the install process should the server be imaged?
When using a technology to image servers or virtual desktops, a license server should be used. When the Simplify
Suite is installed into the image using the license server address, a new instance will automatically connect to the
license server to get a license for the new machine instance when it comes online.
8.4 END USER LICENSE AGREEMENT
IMPORTANT - READ CAREFULLY: BY DOWNLOADING, INSTALLING OR RECEIVING THIS SOFTWARE OR OTHER
MATERIALS PROVIDED BY TRICERAT, INC. (“TRICERAT”), YOU ACKNOWLEDGE THAT YOU HAVE READ THIS END
USER LICENSE AGREEMENT (“AGREEMENT”), THAT YOU UNDERSTAND IT, AND THAT YOU AGREE TO BE BOUND BY
ITS TERMS. TRICERAT IS WILLING TO LICENSE THE LICENSED TECHNOLOGY (AS DEFINED HEREIN) TO YOU OR
THE ENTITY FOR WHICH YOU ARE INSTALLING THIS SOFTWARE (“LICENSEE”) ONLY UPON THE CONDITION THAT
LICENSEE ACCEPTS ALL OF THE TERMS AND CONDITIONS CONTAINED IN THIS AGREEMENT. IF LICENSEE DOES
NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, THEN LICENSEE SHOULD PROMPTLY EXIT THIS
PAGE WITHOUT DOWNLOADING, INSTALLING OR RECEIVING THE LICENSED TECHNOLOGY.
1. Definitions.
“Documentation” shall mean any technical instructions or other documentation related to the Software available
at Tricerat’s website and provided to Licensee pursuant to this Agreement.
“Licensed Technology” shall mean the Software, the Documentation and any related intellectual property rights,
including without limitation, patents, trademarks, trade secrets and trademarks.
“Software” shall mean any software available at Tricerat’s website and provided to Licensee pursuant to this
Agreement.
2. Grant of License. During the term hereof, Tricerat grants to Licensee a non-exclusive, non-sublicenseable, nontransferable right and limited use license (i) to download, install, use and execute one (1) copy of the Licensed
Technology on one (1) network server computer at Licensee’s facilities solely for Licensee’s internal business
purposes; (ii) to make one (1) copy of the Software solely for backup and archival purposes; and (iii) to make a
reasonable number of copies of the Documentation solely for Licensee’s internal business purposes.
3. Restrictions. Any rights not expressly granted by Tricerat to Licensee are reserved by Tricerat, and all implied
licenses are disclaimed. Except as otherwise stated herein, Licensee shall not (i) reverse engineer, decompile,
reverse compile, translate, adapt, or disassemble or otherwise access the source code to the Licensed Technology,
or any part thereof; (ii) copy the Licensed Technology, or any part thereof, in any form, except as set forth in
Section 2(ii) and (iii) herein; (iii) publish, display, disclose, sell, rent, lease, modify, store, loan, distribute, or create
compilations or derivative works of the Licensed Technology, or any part thereof; (iv) assign, sublicense, convey,
transfer, pledge as security or otherwise encumber the rights and licenses granted hereunder; (v) use the Licensed
Technology in any fashion that may infringe any patent, copyright, trademark, trade secret or other intellectual
property or proprietary rights of Tricerat, its third party suppliers or any other third party; (vi) use the Licensed
Technology over a network or distribute any portion of the Licensed Technology to other computers over a
network, except as set forth in Section 2(i) herein; (vii) make available any portion of the Licensed Technology
through electronic mail or the Internet; or (viii) save, store or otherwise archive the Licensed Technology or any
part thereof, except as set forth in Section 2(ii) herein. Licensee may not cause, assist or permit any third party to
do any of the foregoing.
4. Ownership. Licensee acknowledges that Tricerat or its suppliers retain all right, title and interest in and to the
Licensed Technology and any and all copyrights, trademarks, patents, trade secrets and other intellectual property
and proprietary rights therein. Licensee agrees that it has no right, title or interest in or to the Licensed Technology
or any copies thereof. Rather, Licensee has a license to use the Licensed Technology as long as this Agreement
remains in full force and effect. Except as set forth herein, any other use of the Licensed Technology by any other
entity is strictly forbidden and is a violation of this Agreement. Licensee may not remove or obscure the copyright
notice or other notices contained in the Licensed Technology.
5. Term and Termination. This Agreement shall continue in effect for an initial evaluation term of thirty (30) days
following the date that Licensee downloads the Licensed Technology, unless otherwise terminated in accordance
with the terms and conditions set forth herein. This Agreement may be renewed and shall continue in effect,
unless terminated in accordance with this terms and conditions set forth herein, upon (i) the purchase by Licensee
from Tricerat of the Licensed Technology at Tricerat’s then current pricing and (ii) the provision by
Tricerat to Licensee of authorized activation codes for continued use of the Licensed Technology. Licensee may
terminate this Agreement at any time by destroying or returning to Tricerat all copies of the Licensed Technology
in Licensee’s possession or under Licensee’s control. Licensee’s right to use the Licensed Technology terminates
automatically if Licensee violates any part of this Agreement. Upon notification of termination,
Licensee agrees to destroy or return to Tricerat the Licensed Technology and any Confidential Information (as
defined herein) and to certify in writing that it has complied with this Section 5. All provisions relating to
confidentiality and intellectual property and proprietary rights shall survive the termination of this Agreement.
6. Warranty.
6.1 Licensee represents and warrants to Tricerat that Licensee is either: (i) an individual of at least eighteen (18)
years of age or (ii) a duly authorized representative of an entity, including without limitation, a corporation, limited
liability company, or partnership. Licensee further represents and warrants to Tricerat that: (i)
Licensee’s use of the Licensed Technology complies in all respects with all applicable laws, statutes, regulations,
ordinances and other rules; (ii) any and all information provided by Licensee to Tricerat is truthful and accurate;
and (iii) Licensee’s use of the Licensed Technology shall not infringe any patent, copyright, trademark, trade
secret or other intellectual property or proprietary rights of Tricerat, its third party suppliers or any other third
party.
6.2 Licensee acknowledges and agrees that the use of the Licensed Technology is at Licensee’s sole risk. The
Licensed Technology is provided to Licensee on an “AS IS” and “AS AVAILABLE” basis and without a warranty of any
kind and, to the maximum extent permitted by law, TRICERAT AND ITS SUPPLIERS DISCLAIM ALL OTHER
WARRANTIES OF ANY KIND, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION,
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, INFRINGEMENT
AND TITLE. TRICERAT AND ITS SUPPLIERS DO NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE
LICENSED TECHNOLOGY WILL MEET ANY REQUIREMENTS OR NEEDS LICENSEE MAY HAVE, OR THAT THE LICENSED
TECHNOLOGY WILL OPERATE ERROR FREE, OR IN AN UNINTERRUPTED FASHION, OR THAT ANY DEFECTS OR
ERRORS IN THE LICENSED TECHNOLOGY WILL BE CORRECTED, OR THAT THE LICENSED
TECHNOLOGY IS COMPATIBLE WITH ANY PARTICULAR PLATFORM. SOME JURISDICTIONS DO NOT ALLOW THE
WAIVER OR EXCLUSION OF SOME WARRANTIES SO THEY MAY NOT APPLY TO LICENSEE. IF THIS EXCLUSION IS
HELD TO BE UNENFORCEABLE BY A COURT OF COMPETENT JURISDICTION, THEN ALL EXPRESS, IMPLIED AND
STATUTORY WARRANTIES SHALL BE LIMITED IN DURATION TO A PERIOD OF THIRTY (30) DAYS FROM THE DATE OF
THE LICENSE OF THE LICENSED TECHNOLOGY, AND NO WARRANTIES SHALL APPLY AFTER THAT PERIOD.
7. Indemnification. Licensee shall indemnify, defend and hold harmless Tricerat and its directors, officers,
employees and agents from and against any and all claims, losses, damages, liabilities, costs and expenses,
including reasonable attorneys’ fees, that arise out of, result from or are related to (i) a breach by Licensee of any
warranty, representation or covenant set forth herein, (ii) Licensee’s negligence or willful misconduct, and (iii) any
other claim resulting from or occasioned by the possession, use or operation of the Licensed Technology by
Licensee.
8. Limitation of Liability. IN NO EVENT SHALL TRICERAT OR ITS SUPPLIERS BE LIABLE TO LICENSEE OR ANY
THIRD PARTY FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, INDIRECT,
SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES FOR LOSS OF BUSINESS, LOSS OF PROFITS, BUSINESS
INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING OUT OF THIS AGREEMENT, THE USE OF OR
INABILITY TO USE THE LICENSED TECHNOLOGY, OR FOR ANY CLAIM BY ANY OTHER PARTY, EVEN IF TRICERAT
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TRICERAT’S AND ITS SUPPLIERS’ AGGREGATE
LIABILITY IN CONNECTION WITH THIS AGREEMENT AND THE LICENSED TECHNOLOGY, WHETHER IN CONTRACT
OR TORT OR OTHERWISE, SHALL NOT EXCEED THE FEES PAID BY LICENSEE UNDER THIS AGREEMENT. BECAUSE
SOME STATES/COUNTRIES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO LICENSEE.
9. Confidentiality. At all times during the term of this Agreement and at all times thereafter, Licensee shall keep
confidential and not disclose, directly or indirectly, and shall not use for the benefit of Licensee or any other third
party any Confidential Information. “Confidential Information” means any trade secrets or confidential or
proprietary information whether in written, digital, oral or other form which is unique, confidential or proprietary
to Tricerat or its suppliers, including, but not limited to, Licensed Technology and any other materials or
information related to the business or activities of Tricerat or its suppliers which are not generally known to others
engaged in similar businesses or activities. Failure to mark any Confidential Information as confidential, proprietary
or otherwise shall not affect its status as Confidential Information hereunder.
10. Export Restrictions. This Agreement is expressly made subject to any applicable laws, regulations, orders, or
other restrictions on the export of the technology or information about the Licensed Technology which may be
imposed from time to time. Licensee shall not export the Licensed Technology, information about the Licensed
Technology or any product containing the Licensed Technology without complying with such laws, regulations,
orders, or other restrictions. The Licensed Technology shall not be exported or re-exported (i) to Cuba, Iran, Iraq,
Libya, North Korea, Rwanda, Sudan and Syria and any and all other persons and entities prohibited under the
United States Export Administration Regulations, as amended from time to time, nor (ii) to any person or entity on
the United States Department of the Treasury’s Office of Foreign Asset Control’s list of Specially Designated
Nationals and Blocked Persons, as amended from time to time. Licensee agrees to indemnify and hold harmless
Tricerat against all claims, losses, damages, liabilities, costs and expenses, including reasonable attorneys’ fees, to
the extent such claims arise out of any breach of this Section 10.
11. Governing Law. THIS AGREEMENT SHALL BE CONSTRUED, INTERPRETED AND GOVERNED BY THE LAWS OF
THE STATE OF MARYLAND OF THE UNITED STATES OF AMERICA, WITHOUT REGARD TO CONFLICTS OF LAWS
PRINCIPLES AND WITHOUT APPLICATION OF THE MARYLAND UNIFORM COMPUTER INFORMATION
TRANSACTIONS ACT AND INTERNATIONAL LAWS. THE PARTIES AGREE TO SUBMIT TO THE EXCLUSIVE
JURISDICTION AND VENUE OF THE STATE AND/OR FEDERAL COURTS WITHIN THE STATE OF MARYLAND
REGARDING ANY DISPUTE AMONGST THE PARTIES UNDER THIS AGREEMENT.
12. General. This Agreement shall constitute the entire Agreement between the parties hereto. Any waiver of this
Agreement shall only be effective if it is in writing and signed by both parties hereto. From time to time and
immediately upon notice to Licensee, Tricerat may amend the then existing terms and conditions of this
Agreement, and Licensee’s continued use of the Licensed Technology shall constitute acceptance of such
amendments. Licensee may not modify the terms and conditions of this Agreement except by a written agreement
signed by both parties hereto. This Agreement, the rights granted hereunder and the Licensed Technology shall
not be assigned by Licensee without the prior written consent of Tricerat, which may be withheld at its sole
discretion. This Agreement shall bind and inure to the benefit of the successors and assigns of the parties. If any
part of this Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this
Agreement shall be interpreted so as to reasonably effect the intention of the parties. Tricerat is not bound by any
provision of any purchase order, receipt, acceptance, confirmation, correspondence, or otherwise, unless Tricerat
specifically agrees to the provision in writing.
9 Appendix A: Reference Architecture
9.1 Executive Summary
The Tricerat Simplify Suite Reference Architecture white paper describes supported designs for Simplify
Suite in Windows infrastructures. The integration of the Simplify Suite can be a challenging and difficult
process, but this article is designed to expose customers to best practices to optimize the software
functionality. Customers have full access to support during the presales process, and it is recommended to
consult Tricerat Software for a personalized architecture plan.
9.1.1 Reference Architecture Introduction and Scope
The deliverability of the Simplify Suite can vary based upon solution requirements and project goals of the
customers. This Reference Architecture suggests some key factors that should be reviewed and
considered. A simple deployment will provide minimal requirements and can be easily deployed, whereas
a complex integration provides maximum functionality at an enterprise class level. Functionality,
performance, scalability, reliability, and disaster recovery are some critical factors for the Simplify Suite.
The scope of this document is limited to Tricerat solutions. There are other designs referenced within this
document, but instructions for the other designs should be researched independently or with the
assistance of Tricerat Software. This paper should not be used as a "how to" or product administrative
guide.
9.1.2 Simplify Suite Introduction
The Simplify Suite provides the ability to reliably deploy user personalization and configurations using a
simple centralized interface for configuring, managing, and monitoring fundamental features in a
Windows infrastructure. The software is designed to layer on a Windows server or workstation to add
enhanced functionality to the operating system. All settings are stored in a database to ensure a high level
of security and performance. The Simplify Suite is commonly used with the following technologies:
Remote Desktop Services - communication technology on Windows platforms used for remote access of
the server or workstation. Terminal Services protocols are not limited to RDP (Remote Desktop Protocol).
These protocols are segmented into virtual channels at a network level. Each virtual channel supplies
remote procedures for hardware, essentially a Terminal Services driver. Keyboard, mouse, audio, display,
and redirected devices are sample virtual channels.
Citrix Presentation Services aka XenApp - a 3rd party addition to Microsoft Terminal Services. Citrix uses
their proprietary ICA protocol for communication. It generally delivers an increased value and
functionality when compared to RDP, but at the core it delivers the same service, remote access, through
Terminal Services.
Virtual Desktop Infrastructure - a technology designed to replace physical PCs. The desktop and
associated features are repacked and delivered virtually to the users. VDI eliminates many limitations that
traditional distributed computing environments contain, reducing the time and energy invested in
desktop management.
Cloud Computing - a classification of computed hosted services that are readily made available through
the Internet. In the scope of this document the Cloud technologies supported are application, server, and
desktop hosting.
Windows Fat Clients - a group of Windows machines in Domains or Workstations, or standalone PCs. Fat
clients include laptops and desktops.
Windows Embedded Thin Clients - a lightweight machine with limited hardware settings. Windows driver
and application installations are supported to a limited degree.
Thin Clients - a lightweight machine that does not contain installation support of Windows drivers or
applications. These devices are strictly used for remote access to hosted services such as web-based
applications, terminal services, or virtual desktops.
9.2 Architecture
The Simplify Suite is comprised of the following components:
Required: Simplify Suite core installation, Simplify Database, Simplify Console
Optional: Active Directory Domain, License Server, ScrewDrivers Print Server, ScrewDrivers Client
Simplify Suite core installation - this is the Windows code that facilitates the user environment
configurations. The core installation must be installed on the Windows devices that need to be managed.
Simplify Suite is commonly installed in Server Based Computing networks on Terminal Servers, Citrix,
and VDI.
Simplify Console - This utility provides the environment administrators a GUI-based management tool
for the Simplify Suite. The Simplify Console includes access delegation, change tracking for audit history,
and reporting.
Simplify Database - this is the central repository of data which supplies the Simplify Suite core installation
and Simplify Console the managed configurations. The policies, known as Objects, are associated with a
plethora of user or machine attributes. These associations will be referred to as Assignments. Those user
or machine attributes, known as Owners, include username, group membership, OU containment, device
hostname, and client device hostname or IP.
Active Directory Domain - The Microsoft Active Directory service improves the ease of management and
presentation of the Simplify Suite. No updates or changes are applied to Active Directory, rather a
relational association is made with Active Directory objects and schema. LDAP queries are executed when
users log into machines installed with Simplify Suite. The information retrieved is cross-referenced with
the Simplify Database records to resolve the user's Assignments.
ScrewDrivers Print Server - This print server client layers on a Windows Print Server adding an additional
layer of communication for Simplify Printing to process print jobs. The ScrewDrivers Print Server receives
compressed TMF print jobs from Windows machines installed with Simplify Printing.
These TMF print jobs are uncompressed and sent to the print queue in the appropriate format and
language. The native features on the print server continue to work as designed.
ScrewDrivers Client - This client is a Terminal Services add-on to Citrix ICA and Microsoft RDP protocols
which virtualizes the client's printers. The client receives the compressed TMF print jobs and sends the
native print job to the specified printer.
Simplify License Server - The license server is a required component for the concurrent license model. It
automates the Simplify Suite's license check-in and check-out process. As user(s) connect to a machine
with the Simplify Suite core installation, a license is checked out. The license is checked in when all users
are logged off the machine.
9.2.1
Network Protocols and Communication
Due to the architectural design of the Simplify Suite, many components may require TCP ports opened on
network devices and software and hardware firewalls. If a network connection traverses subnets, firewalls,
routers, or gateways then consider the following for Network and Transport processing.
SQL - the Simplify Suite core installation defaults to dynamic port negotiation with the SQL server, but
custom SQL ports are supported. The custom SQL port can be specified at the time of the installation with
SQL Server\Instance,Port or the port can be set after installation in the Simplify Database ODBC Driver.
The SQL communication required is with TCP.
ScrewDrivers Print Server - the Simplify Printing core installation sends data to the ScrewDrivers Print
Server with TCP. The software defaults to TCP 3550 but it can be manually set after completing the
installation. The Simplify Console also communicates to the print server using the same port and
protocol.
ScrewDrivers Client - the ScrewDrivers Client communicates with the Simplify Printing core installation
using virtual channels in Terminal Services (ICA/RDP). The virtual channels are named SCREW4 and
SCREW?. No network changes are required to enable the ScrewDrivers virtual channels. If the native
client ICA protocol works, then the ScrewDrivers virtual channels are supported.
Simplify License Server - for environments with concurrent licensing and the Simplify License Server,
TCP port 3750 needs to be open for communication between the license server and the machines installed
with Simplify Suite. If the environment does not include a license server then no ports need to be opened
for license checks.
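One way to open the two fixed ports named above without exposing them to the whole network, as an added example that is not part of the Tricerat guide: each listener gets an inbound Windows Firewall rule limited to known source subnets, followed by a check for broader rules that would undo the scoping. The subnets, rule names, function names and host name are assumptions made for illustration.

```powershell
# Added example (not from the Tricerat guide): scope the Simplify Suite
# listener ports to known source networks with Windows Firewall.
# Needs the NetSecurity module (Windows Server 2012 / Windows 8 or later);
# Test-NetConnection needs Windows Server 2012 R2 / Windows 8.1 or later.

# ASSUMPTION: constructed placeholder subnets. Replace with the networks that
# host Simplify Suite core installations and Simplify Console machines.
$SimplifyHostSubnets = @('10.10.20.0/24', '10.10.21.0/24')
$ConsoleSubnets      = @('10.10.5.0/28')

# Ports as documented in this section. 3550 is only the default; change it
# here if the print server port was set manually after installation.
$PrintServerPort   = 3550   # ScrewDrivers Print Server (print jobs and console)
$LicenseServerPort = 3750   # Simplify License Server (concurrent licensing only)

function Set-ScopedInboundRule {
    param(
        [Parameter(Mandatory = $true)] [string]   $DisplayName,
        [Parameter(Mandatory = $true)] [int]      $Port,
        [Parameter(Mandatory = $true)] [string[]] $AllowedRemote
    )
    # Drop an earlier copy so re-running the script does not stack duplicates.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $DisplayName -Group 'Simplify Suite (example)' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AllowedRemote | Out-Null
}

function Get-OtherAllowRulesForPort {
    # A scoped rule achieves nothing if a broader allow rule already covers the
    # port. Lists enabled inbound allow rules that name this exact port; rules
    # using port ranges or "Any" are not matched and need a manual review.
    param([int] $Port, [string] $ExcludeDisplayName)
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and $_.DisplayName -ne $ExcludeDisplayName
        }
}

function Install-SimplifyFirewallRules {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('PrintServer', 'LicenseServer')] [string] $Role
    )
    switch ($Role) {
        'PrintServer' {
            # Simplify Printing hosts and the Simplify Console both use this port.
            $name = 'ScrewDrivers Print Server (scoped, example)'
            Set-ScopedInboundRule -DisplayName $name -Port $PrintServerPort `
                -AllowedRemote ($SimplifyHostSubnets + $ConsoleSubnets)
            Get-OtherAllowRulesForPort -Port $PrintServerPort -ExcludeDisplayName $name
        }
        'LicenseServer' {
            # Only machines with the Simplify Suite core installation check licenses.
            $name = 'Simplify License Server (scoped, example)'
            Set-ScopedInboundRule -DisplayName $name -Port $LicenseServerPort `
                -AllowedRemote $SimplifyHostSubnets
            Get-OtherAllowRulesForPort -Port $LicenseServerPort -ExcludeDisplayName $name
        }
    }
}

function Test-SimplifyPort {
    # Run from a machine with the Simplify Suite core installation (should be
    # reachable) and from a host outside the allowed subnets (should not be).
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [Parameter(Mandatory = $true)] [int]    $Port
    )
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Server = $Server; Port = $Port; Reachable = $r.TcpTestSucceeded }
}

# Usage (the host name is a constructed placeholder):
#   Install-SimplifyFirewallRules -Role PrintServer      # on the print server
#   Install-SimplifyFirewallRules -Role LicenseServer    # on the license server
#   Test-SimplifyPort -Server 'print01.example.internal' -Port 3550
```

Any rule returned by `Get-OtherAllowRulesForPort` should be narrowed or disabled, otherwise the port stays reachable from outside the listed subnets. On Windows Server 2008 and 2008 R2 the NetSecurity cmdlets are not available and the same scoping has to be done with `netsh advfirewall`.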
9.2.2 Minimum Requirements
Simplify Suite Core Installation
The Simplify Suite agent can reside on a Remote Desktop Server or XenApp Server, as well as a Windows
workstation. The server or workstation can be either physical or virtual. In the case of a virtual server or
VDI, the agent is not dependent on the host machine's operating system, only the operating system on the
actual virtual machine; therefore the agent is hypervisor agnostic.
Simplify Suite for RDS or XenApp
Operating System: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Memory: 512 MB (minimum)
Disk Space: 100 MB
Simplify Suite for Workstation
Operating System: Windows 7, Windows 8, Windows 8.1, Windows 10
Memory: 512 MB (minimum)
Disk Space: 100 MB
Simplify Console
The Simplify Console can be installed on any Windows-based machine that will be used to manage the
settings within the Simplify Suite. It can be installed with the actual Simplify Suite installation, or it can
be installed separately. Additionally, it can be installed in multiple locations, if so desired.
Operating System: Windows 7 or higher, Windows 2008 or higher
Memory: 512 MB (minimum)
Disk Space: 75 MB (minimum)
The Simplify Database
The Simplify database can use either the full version of SQL, or the Express version. The database size will
vary depending on the number of users and settings. Please see the 'Scalability' section of this document
for greater detail.
Simplify Suite requires Microsoft SQL Server 2005 or higher.
ScrewDrivers Client
Tricerat offers ScrewDrivers Clients for both Windows-based operating systems, as well as Mac OS. Please
note that the ScrewDrivers Mac Client is only compatible with the ICA protocol, and will not function with
RDP.
ScrewDrivers Client for Windows
Operating System: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 or higher
RDP Client: Version 5 or higher
ICA Client: Version 6 or higher
ScrewDrivers Client for MacOS
Operating System: Mac OS X 10.7 or higher
RDP Client: N/A
ICA Client: Citrix Receiver 11.0 or higher
ScrewDrivers Server: ScrewDrivers Server 4.5.5.60 or higher, Simplify Printing 5.3.1 or higher
ScrewDrivers Print Server Agent
The ScrewDrivers Print Server Agent does not need to be installed on a Windows server with the Print
Services Role installed. The agent can reside on any Windows-based server, or workstation that has
printers installed on it.
ScrewDrivers Print Server Agent
Operating System: Windows Server 2008 or higher, Windows 7 or higher
Memory: 512 MB (minimum)
Disk Space: 25 MB (minimum)
9.2.3 Language Localization
It is understood that some implementations require localized language for user and/or admin
applications. The Simplify Suite defaults to English regardless of the Multilingual User Interface (MUI)
configuration defined in the Regional and Language options. The software, however, supports the
following languages:
- English
- German
- Japanese
These UIs can be set after the installation. The Simplify Console, ScrewDrivers User Assigned Printers
utility, and ScrewDrivers Client support localized user interfaces.
9.3 Scalability
As the environment complexity increases, measures should be taken to ensure the Simplify Suite scales
appropriately. Multiple datacenters and disaster recovery are two examples of complexity that require
scalability to be considered. It is important to design or redesign the architecture to fit the required evolving
network topology.
9.3.1 SQL Scalability
As expected, as the number of configurations and their complexity increase, so do the database size and
traffic. The native functionality and features of SQL make it a reliable data host for Enterprise class
environments.
Things to consider:
- Database size
The initial install of the software creates a 5 MB database, but the database size grows as more
configurations become defined. Here's a good assessment of database size and network traffic for
communication:
An owner with an assignment is 300 bytes
An assignment is 200 bytes
A printer is 25 kilobytes
Based on these numbers, a login that matches 5 owners with 3 printers per owner is roughly 379.5
KB
- Connection count
The number of connections increases proportionally with the number of Simplify Suite core
installations. At times multiple database connections are initiated from a single client to provide
multi-threaded processing. However, many areas of code use shared connections allowing
multiple threads to use a single database connection. In all instances of communication,
connections are optimized in a transient fashion, meaning connections are terminated after SQL
queries complete. This minimizes open idle connections to the database. SQL Server has a
maximum connection count of 32,767, but do not mistake this as maximum user count because of
transient connections. The bulk of database transactions execute as a user logs into a computer
with the Simplify Suite core installation.
- Network latency
It is always recommended to optimize the communication speed as the latency of the database
queries impact the execution of the code. Therefore, it is recommended to host the database in the
LANs where the Simplify Suite core installations reside.
There are a variety of different SQL configurations that can deliver a high fidelity experience for any
infrastructure design. Here are some common Simplify database designs:
Standalone databases - the simplest database configuration supported by the Simplify Suite. Standalone
databases are commonly used for environments with a single production datacenter, but they can also be
deployed in multiple datacenters. This, however, requires the administrators to manage each database
independently. This can be desirable in certain environments as it allows segregated management for
farms where LAN or regional management is encouraged.
Database Replication - Database replication allows infrastructure engineers to deliver the Simplify Suite
to Enterprise levels in a centralized management fashion. Multiple SQL servers can be deployed
throughout the WAN to optimize deliverability and performance. There are many different forms of
database replication. Due to the design of the Simplify database, hypothetically any SQL database
replication process should be supported. In the event that multiple active datacenters are used in
production it is recommended to use Peer-to-peer replication. In an active-passive disaster recovery
approach it is recommended to implement Transactional Replication with Updatable Subscriptions.
Transactional Replication is also used for publishing settings from a master database to subscribing
databases. In either configuration the DBA defines the frequency of the database update transactions. In
situations where users are directed to a specific datacenter based on locale the updates should be
published less frequently than environments where users are subjected to various datacenters in a load
balanced or round-robin process.
SQL Clustering - A database technology commonly used to facilitate disaster recovery in SQL services. The
focus of clustering is to deliver high availability and productivity. In an Active-Passive Cluster, if the
active SQL server fails, its responsibilities are taken over by another server in the cluster. Technically,
Active-Active Clustering is supported, but it is not a practical implementation of the Simplify Suite due to
the nature of the communication, updates, and transactions.
SQL Mirroring - This technology should strictly be used in an attempt to maximize the availability of the
database. There are no performance and scalability benefits added with SQL Mirroring. It is strictly a
disaster recovery solution. SQL Mirroring is only supported by Simplify Suite with the SQL Native Driver.
When a SQL Mirror Partner becomes inaccessible, the SQL Native Driver redirects traffic to another
Partner.
9.3.2 ScrewDrivers Print Server Scalability
Standalone ScrewDrivers Print Servers - this is the most common ScrewDrivers Print Server
implementation due to the adaptation of server virtualization and simplicity of management. This would
be simply a Windows Print Server installed with the ScrewDrivers Print Server Agent. Generally, either
there is a single Enterprise print server or many print servers throughout the WAN, commonly one print
server at each LAN. The complexity of the print data impacts the performance of the ScrewDrivers Print
Server. The three main hardware factors for performance are CPU, core count, and system memory. It is
normal to see the CPU spike to 100% as print jobs are submitted to the ScrewDrivers Print Server, but
the hardware should be reviewed if CPU or memory is pegged for extended periods of time. Increasing the
number of print servers will spread out the load of network and hardware utilization.
Clustered ScrewDrivers Print Servers - Active-Passive Print Server Clusters are supported on the
ScrewDrivers Print Server. This cluster setup delivers failover access to a print server. When the Active
node fails, a passive node becomes the primary print server in the cluster.
Network Load Balanced ScrewDrivers Print Servers - This technology is the most expensive solution but it
provides the best performance and flexibility. A network load balancing device, like a Citrix NetScaler,
enables the ability to redirect traffic based upon several conditions. For printing the load balancing device
can redirect traffic like a cluster, in an Active and Passive approach for disaster recovery. Another option
is to load balance the print jobs in a round-robin process which improves printing speed and decreases
the load per print server. Those two technologies, round-robin and active/passive, can be used in
conjunction to improve performance and stability.
9.4 Security and Access Control
The Simplify Suite access control methods include authentication, authorization, and auditing. An
assortment of configurable access control systems exists to ensure a high level of security.
Database Security - The Simplify Database does not contain any confidential information, but
fundamentally database security should be maintained for SQL environments. The Simplify Database by
default supports SQL Authentication fully and Windows Authentication in a limited fashion. SQL
Authentication does not require the use of the SA account, but the SQL account must have DBO rights to
the Simplify database. For a first-time installation of the software the SQL account requires DB Creator
or the account must have DBO rights to an empty Simplify database. Use this script to enable Windows
Authentication after installing the Simplify Suite.
Simplify Console Security - The user must have access to the ODBC System DSN Data Source for the
Simplify Suite to use the Simplify Console, which requires membership in the local Administrators
group. In addition, the user must either have the SQL account or sufficient Windows Authentication to
access the database. The Windows Authentication script does not grant the user access to any stored
procedures used by the Simplify Console, so Windows Authentication is not a security threat for
Authenticated Users.
Simplify Console Access Control - The Simplify Suite comes with an Authorization Store file which can be
configured in the Microsoft Authorization Manager to delegate and segment Simplify Console access to
specific users or groups. For example, a Help Desk security group can be granted read-only access to the
Simplify Console. Each Task in the Authorization Store corresponds to a Stored Procedure in the Simplify
Database for optimized security.
Simplify Console Audits - This is a management tool for the Simplify Console that tracks all changes to the
Simplify database with stored procedures. Individual Objects and Owners can be audited, and there's an
audit search engine in the Simplify Console. Some information tracked by the audits includes User(s),
Action(s), Record Type(s), Record Age, and Strings.
ScrewDrivers Client Security - The TMF print data is not encrypted, but the data is compressed in a
proprietary format. TMF is not clear text so it is difficult to extract information from the print jobs. In the
event that confidential information printed requires encryption then it is recommended to use encryption
outside the Tricerat software. Since the ScrewDrivers Client communication exists in an ICA virtual
channel, ICA packet encryption should be used to encrypt ScrewDrivers print data.
ScrewDrivers Print Server Security - Like the ScrewDrivers Client, the ScrewDrivers Print Server uses
TMF without encryption. Therefore, it is recommended to use network devices that support encryption to
transmit the print data, such as the Citrix NetScaler.
Simplify Console Reports - The Simplify Console includes a Report menu which can export a report of
Assigned Owners by Object or Assigned Objects by Owner. Reports can also be executed for each Owner.
The Simplify Console Reports require the installation of Crystal Reports 2008 Runtime and Report
Viewer 2005 Runtime.
SQL Reports - A DBA can generate custom SQL reports. The Simplify Database Diagram should be
referenced to generate reports. Tricerat can provide additional database information on an as-needed
basis for custom SQL reports.