Ekran System v.6.17 Getting Started...Getting Started The Ekran System installation consists of the following steps: 1. Install the Server. 2. Make sure the Management Tool installation

Ekran System v.6.18

Getting Started

2

Table of Contents

About ........................................................................................................................................ 5

System Requirements ........................................................................................................... 6

Program Structure ............................................................................................................... 11

Getting Started...................................................................................................................... 13

Server and Database ........................................................................................................... 14

Installing the Server ............................................................................................................ 14

Database Types Comparison ............................................................................................ 19

Management Tool ................................................................................................................. 22

Management Tool Installation Prerequisites .................................................................... 22

Turning on Internet Information Service (IIS) ................................................................ 22

Turning on IIS for Windows 8 and Windows 7 ........................................................... 22

Turning on IIS for Windows Server 2008 R2 ............................................................. 23

Turning on IIS for Windows Server 2012 ................................................................... 24

Installing .NET Framework.............................................................................................. 26

Configuring Internet Information Service (IIS)............................................................... 26

Using Certificates ............................................................................................................. 31

Generating Self-Signed Certificate ............................................................................. 31

Exporting Self-Signed Certificate ................................................................................ 32

Importing Trusted Certificate ....................................................................................... 33

Adding Certificate to Trusted Root Certification Authorities ..................................... 34

Setting HTTPS Binding for a Default Web-Site ............................................................ 39

Installing the Management Tool ........................................................................................ 41

Adjusting Computer for Remote Access ........................................................................... 43

Multi-Tenant Ekran System Mode ..................................................................................... 45

Enabling Multi-Tenant Mode .............................................................................................. 45

Adding Tenants ................................................................................................................... 45

Licensing ............................................................................................................................... 48

Activating Serial Keys Online ............................................................................................. 48

Adding Activated Serial Keys Offline................................................................................. 48

Installing Windows Clients ................................................................................................. 50

Windows Client Installation Prerequisites ......................................................................... 50

3

Installing Windows Clients Remotely via the Management Tool .................................... 51

About ................................................................................................................................. 51

Selecting Computers ....................................................................................................... 51

Remote Windows Client Installation Process ............................................................... 53

Remote Installation from an Existing .INI File ............................................................... 54

Installing Windows Clients Locally .................................................................................... 55

Installing macOS Clients .................................................................................................... 56

About .................................................................................................................................... 56

Downloading macOS Client Installation File .................................................................... 56

Installing macOS Clients .................................................................................................... 56

Installing Linux Clients ....................................................................................................... 57

About .................................................................................................................................... 57

Downloading Linux Client Installation File ........................................................................ 57

Installing Linux Clients ........................................................................................................ 57

Alerts ...................................................................................................................................... 60

Adding Alerts ....................................................................................................................... 60

Users and Permissions ....................................................................................................... 63

About .................................................................................................................................... 63

Adding Users ....................................................................................................................... 63

Permissions ......................................................................................................................... 67

Management Tool Log......................................................................................................... 68

Viewing Monitoring Results ............................................................................................... 69

Playing Sessions ................................................................................................................. 69

Playing Windows Sessions ................................................................................................ 70

Viewing Clipboard Text Data .......................................................................................... 70

Viewing USB Device Info ................................................................................................ 71

Viewing URLs ................................................................................................................... 71

Playing macOS Sessions ................................................................................................... 72

Viewing URLs ................................................................................................................... 72

Playing Linux Sessions....................................................................................................... 72

Playing Remote SSH Sessions ...................................................................................... 72

Playing Local X Window System Sessions ................................................................... 72

Filtering EXEC Commands ............................................................................................. 73

4

Dashboards ......................................................................................................................... 73

More Information .................................................................................................................. 74

5

About

Welcome to Ekran System!

Ekran System is an application that allows you to record the activity of the target computers with installed Clients and to view the screen captures from these computers in the form of video.

This guide will help you in managing Ekran components (installing, uninstalling, updating, etc.) and controlling their interaction.

6

System Requirements

Ekran System claims different system requirements for each of its components. Make sure your hardware and software meet the following system requirements to avoid possible component malfunctions.

Server requirements:

CPU (depending on deployment scale):

o Small Deployment (Up to 200 simultaneous sessions): 4-8 Cores o Medium Deployment (Up to 1000 simultaneous sessions): 8-16 Cores o Large Deployment (Up to 10 000 simultaneous sessions): 16-32 Cores

RAM: 8-16 Gb

1 GB Ethernet (10 GB Ethernet is recommended)

Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64 platform)

Universal C Runtime and Visual C++ Runtime (starting with Ekran System 5.5). Both can be installed via the Microsoft Visual C++ 2015 Redistributable: https://www.microsoft.com/en-gb/download/details.aspx?id=48145

NOTE: The Universal C Runtime needs to be initially installed via update KB2999226: https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows

.Net Framework 4.8 NOTE: If the Server and the Management Tool are to be installed on the same computer, make sure you turn on the Internet Information Service before the installation of .Net Framework 4.8.

If you want to deploy the Ekran System in the High Availability mode, refer to the High Availability Deployment Guide for more information.

Database requirements:

[When using MS SQL Database]: Full edition of MS SQL Server 2019, MS SQL Server 2017, MS SQL Server 2016, MS SQL Server 2014, MS SQL Server 2012, MS SQL Server 2008R2. Standard license or higher is required.

[When using PostgreSQL Database]: PostgreSQL 10 or higher

Microsoft Azure SQL Database

Depending on deployment scale:

Small Deployment (Up to 200 simultaneous sessions):

CPU: 4-8 Cores

https://www.microsoft.com/en-gb/download/details.aspx?id=48145

https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows

https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows

7

RAM: 16 GB

Medium Deployment (Up to 1000 simultaneous sessions):

CPU: 8-16 Cores

RAM: 24-32 GB

Large Deployment (Up to 10 000 simultaneous sessions):

CPU: 16-32 Cores

RAM: 64-128 GB

1 GB Ethernet (10 GB Ethernet is recommended)

Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (x64 platform)

It is recommended to have enough free space depending on the volume and frequency of monitoring and the retention period of the Client monitoring data (on average, 1 Workstation Client generates 200-300 MB per 8-hour working day. For more information, see System Requirements and Performance Numbers guide)

Binary Data Storage requirements (when binary data received from Clients is stored in a shared or local folder)

Operating System hard disk: 100-200 GB (15K or SSD)

It is recommended to have enough free space depending on the volume and frequency of monitoring and the retention period of the Client monitoring data (on average, 1 Workstation Client generates 200-300 MB per 8-hour working day. For more information, see System Requirements and Performance Numbers guide)

Management Tool requirements:

CPU: 4-8 Cores

RAM: 4GB

1 GB Ethernet

Windows 10, Windows 8.1, Windows 8, Windows 7 (any edition except Home);

[recommended] Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2 (starting from SP1 version). Both x86 and x64 platforms are supported.

.Net Framework 4.8

IIS 7.5 or higher with enabled ASP.NET 3.5 and 4.5 support (4.6 for Windows Server 2016)

[For accessing the Management Tool locally or remotely] One of the following browsers:

Google Chrome 37 or higher Mozilla Firefox 32 or higher

https://www.ekransystem.com/sites/default/files/file_resources/Ekran%20System%20%20Requirements%20and%20Performance%20Numbers.pdf

https://www.ekransystem.com/sites/default/files/file_resources/Ekran%20System%20%20Requirements%20and%20Performance%20Numbers.pdf

8

Internet Explorer 10 or higher Safari S6 and Safari S5 Opera 15 or higher

NOTE: The Management Tool might be opened in other browsers, but its compatibility with other browsers is not guaranteed.

Client as Terminal Server:

Processor: Intel i3 or higher or equivalent AMD processor

RAM: 2 GB or more (35 MB per session)

100 Mb/1Gb Ethernet adapter

Windows Client requirements:

2.4 GHz or higher CPU is recommended

4GB


Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP SP3; Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008, and Windows Server 2003 SP1. Both x86 and x64 platforms are supported.

NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929

Citrix XenDesktop; Citrix XenApp; Citrix XenDesktop/XenApp with Citrix Provisioning Services (PVS).

It is recommended to have not less than 1 GB of free space on the disk where the Client is installed to save data during the offline session.

macOS Client requirements:

2.26GHz Intel Core 2 Duo or higher CPU

2GB RAM

100 Mbit/s network adapter

macOS 10.9 and later


https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929

9

Linux Client requirements:

2.4 GHz or higher CPU is recommended

4GB



Linux Kernel 2.6.32 and higher

Distributor Base OS Versions Supported

Debian Debian

Ubuntu

Linux Mint

9.0, 8.0, 7.0

20.04, 18.04, 16.0, 15.0, 14.0, 12.0

17.xx - 13

openSUSE Suse Linux Enterprise Server 12(SP1, SP2, SP3), 11(SP2, SP3, SP4)

RedHat RedHat

CentOS

Oracle Linux

7.0, 6.0

7.x , 6.x

7.x - 5.6

Sun Microsystems

Solaris 11.0, 10.0 (Global and Whole root

zones only)

IBM AIX 7.2, 7.1

The monitoring of graphical interface for X Window System is supported on the following operating systems:

OS Versions Supported

Ubuntu Ubuntu 20.04 LTS, Ubuntu 18.04.1 LTS, Ubuntu 16.04.5 LTS,

Ubuntu 16.04.2, Ubuntu 14.04.5 LTS, Ubuntu 14.04.2, Ubuntu

12.04.1, Ubuntu 14.04 LTS

Red Hat Red Hat 7.0 – 7.6, Red Hat 6.0 – 6.10

CentOS CentOS 7.1 – 7.5, CentOS 6.1 – 6.9

Suse Linux

Enterprise Server

12(SP1, SP2, SP3)

NOTE: When the Client is installed to the terminal server, hardware requirements depend on the number of active user sessions and may increase drastically. For example, hardware

10

requirements for the Client deployed on the terminal server hosting 10 active user sessions will be as follows:

Intel Core i3 or similar AMD CPU

2048 MB RAM

11

Program Structure

Ekran System is an application specially designed to control user activity remotely.

Ekran System includes the following components:

Ekran System Server (further referred to as Server): It is the main part of the Ekran System used for storing the screenshots and associated information received from the Clients. The work of the Server can be started or stopped via Server Tray.

Ekran System Management Tool (further referred to as Management Tool): It is a central administrative unit that allows you to control and manage Clients, Users, USB Monitoring Rules, Alerts, Server database, and Serial Keys. You can have access to the Management Tool from any computer in the network without having to install it on this computer.

Ekran System Session Viewer provides a usable interface for quick review of the monitored data received from the Windows, macOS, and Linux Clients.

Ekran System Windows Clients (further referred to as Windows Clients): Being hosted on the remote computers, Windows Clients create screenshots with the defined frequency and send them to the Server along with metadata information such as user name, host name, activity time, active window titles, application names, URL addresses, clipboard text data, keystrokes, etc. Managing the remote Windows Clients configuration and settings is performed via the Management Tool.

Ekran System macOS Clients (further referred to as macOS Clients): Being hosted on the remote computers, macOS Clients create screenshots with the defined frequency and send them to the Server along with metadata information such as user name, host name, activity time, active window titles, application names, URL addresses, etc. Managing the remote macOS Clients configuration and settings is performed via the Management Tool.

Ekran System Linux/Unix Clients (further referred to as Linux Clients): Being hosted on the remote computers, Linux Clients capture input/output terminal data (including all executed commands) and send this interactive data to the Server.

Ekran System Tray Notifications application (further referred to as Tray Notifications application): This application allows receiving notifications on alert events on Clients.

12

13

Getting Started

The Ekran System installation consists of the following steps:

1. Install the Server.

2. Make sure the Management Tool installation prerequisites are met.

3. Install the Management Tool.

4. Purchase serial keys and activate them online (or add them offline).

5. Set up the network environment on the computers where the Clients will be installed.

6. Install the Windows Clients, macOS, or Linux Clients.

7. Define monitoring settings for Clients.

8. Add Alerts in case needed.

9. Add users to the system and define their permissions.

10. Start monitoring the captured data from the investigated computers.

14

Server and Database

Installing the Server

To install the Server, do the following:

1. Run the EkranSystem_Server.exe installation file.

2. Click Next on the Welcome page.

3. Carefully read the terms of the End-User License Agreement and click I Agree.

4. On the Choose Components page, do one of the following and click Next:

In the drop-down list, select Ekran System Server.

Select Ekran System Server in the box.

5. On the Choose Install Location page, enter the installation path or click Browse to navigate to the Server installation folder. Click Next.

15

6. On the Database Type page, select the type of database you want to use for storing data. Click Next. See the Database Types Comparison chapter, to see the difference and choose the proper type of the database.

NOTE: If you have the already created database, select its type, and then define the connection parameters for this database.

16

7. If you have selected PostgreSQL database, on the PostgreSQL Server Database Configuration page, define the connection parameters and then click Next.

Define the PostgreSQL Server instance name, which is the instance name assigned to the TCP/IP port. Optionally, you can define the custom PostgreSQL database port by entering it after the Server instance name and separating with colon (e.g.,<server_instance_name>:<port>). NOTE: If the default instance of the PostgreSQL is used, enter localhost in the Server instance field.

Define the Database name for the database.

Define the User name and Password of a user account via which the connection to the Server will be established. NOTE: By default, it is a user with the login postgres and the password defined during the PostgreSQL installation.

8. If you have selected MS SQL Server, on the MS SQL Server Database Configuration page, define the connection parameters and then click Next.

Define the MS SQL Server instance name, which is the instance name assigned to the TCP/IP port. Optionally, you can define the custom MS SQL database port by entering it after the Server instance name and separating with comma (e.g.,<server_instance_name>,<port>). NOTE: If the default instance of the MS SQL is used, then only name of the PC with the MS SQL server must be defined.

Define the Database name for the database.

17

Define the User name and Password of a user account via which the connection to the Server will be established. NOTE: You have to define either the SA credentials or the credentials of the user with the dbcreator permission.

9. If you already have a database created manually or during the usage of previous program versions, you will be offered to use it. If you want to use the existing database, click Yes. In other case, click No and the new database will be created. NOTE: If you click No, the existing database will be deleted.

10. On the Administrator password page, define the password for the administrator (the default user of Ekran System with login admin and full permissions). Click Next.

18

11. On the Client Uninstallation Key page, enter the key that will be used during the Client local uninstallation and click Next. By default, the Uninstallation key is allowed. You will be able to change this key via the Management Tool any time later.

12. Click Install.

19

13. The installation process starts. Its progress is displayed on the Installing page.

14. After the end of the installation process, click Finish to exit the wizard.

15. If you are installing the Server for the first time, back up EkranMasterCertificate (For more details, see the Backing up Ekran Master Certificate chapter in the Ekran System Deployment Guide). The backed up certificate might be required for Server recovery or during updates.

16. If you already have a backed up master certificate and re-using the database, delete the master certificate and import the backed up one instead of it.

17. In Windows Firewall, you must allow the Server executable to accept TCP connections via ports 9447 (for the connection between the Server and the Clients), 22712, 22713, and 22714 (for the connection between the Server and the Management Tool). These rules will be added to Windows Firewall automatically if Windows Firewall is enabled during the Server installation.

Database Types Comparison

When installing the Server, you can choose between two types of databases (MS SQL database and PostgreSQL database). These databases have the following differences:

Feature MS SQL Database PostgreSQL Database

General

Commercial/open-source

Commercial database from Microsoft

Open source product

Free ✘ (has a limited free version)

NOTE: Using MS SQL Express does not guarantee the stable work of the Server.

✔

Requires additional software installation

✔ ✔

Scalability

Remote access to database

✔

(a separate database engine that can be deployed on a separate server)

✔

(a separate database engine that can be deployed on a separate server)

20


Clustering support

✔

✔

(Primary-Standby)

Network drives support

✔ ✔ (if mount as drive)

Performance

Processing speed

High High

Efficient caching algorithms

✔ ✔

Index statistics update

Automatic Manual

Memory/process usage

A separate process, more efficient memory usage, quotas can be applied

A separate process, more efficient memory usage, quotas can be applied

Additional features

o Maintenance tasks can be

executed by the engine

independently

o Complex execution plans

optimizations

o Cross-platform. It can be run on

variety of systems and platforms

(Windows, Linux, macOS, BSD,

Solaris)

o A lot of third-party solutions for

replications and clustering

Requires additional software installation

✔ ✔

Safety and security

Security High. Keystroke encryption is supported

High. Keystroke encryption is supported

Safety o Database corruption is unlikely o Database corruption is unlikely

21


o Replications

o Сan be managed via Microsoft

native tools

o Support scheduled

maintenance: reindexing, shrinking

etc.

o Replications

Backup Flexible backup logic

(to learn more about the MS SQL database backup, visit the Microsoft website at https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/full-database-backups-sql-

server?view=sql-server-2017 )

Flexible backup logic

(to learn more about the PostgreSQL database backup, visit the PostgreSQL website at https://www.postgresql.org/docs/9.1/sta

tic/backup.html )

https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/full-database-backups-sql-server?view=sql-server-2017




https://www.postgresql.org/docs/9.1/static/backup.html

https://www.postgresql.org/docs/9.1/static/backup.html

22

Management Tool

Management Tool Installation Prerequisites

The following prerequisites are necessary for successful installation of the Management Tool. For Windows 7, it is important that you follow these steps in correct order.

To be able to install the Management Tool, you need to:

1. Turn on the Internet Information Service.

2. Install .NET Framework 4.8.

3. Configure the Internet Information Service.

4. Generate a self-signed certificate or import a purchased SSL certificate issued for the computer, on which the Management Tool will be installed.

5. Add the certificate to the Trusted Root Certification Authorities on the computer, on which the Management Tool will be installed. Otherwise a certificate error will be displayed in your browser when opening the Management Tool.

6. Set HTTPS binding for a default web site (or any other IIS site).

NOTE: If you already have a certificate generated for the computer on which the Management Tool will be installed, you can skip certificate generation step and use an existing certificate.

Turning on Internet Information Service (IIS)

Turning on IIS for Windows 8 and Windows 7

To turn on the Internet Information Service for Windows 8 and Windows 7, do the following:

1. Select Control Panel > Programs and Features (Program uninstallation).

23

2. Click the Turn Windows features on or off navigation link.

3. The Windows Features window opens.

4. In the features tree-view, select the Internet Information Services check box.

5. Click OK.

Turning on IIS for Windows Server 2008 R2

To turn on the Internet Information Service for Windows Server 2008 R2, do the following:

1. In the Start menu, select All Programs > Administrative Tools > Server Manager.

2. In the navigation pane, select Roles, and then click Add Roles.

24

3. The Add Roles Wizard opens.

4. On the Before You Begin page, click Next.

5. On the Server Roles page, select Web Server (IIS), click Next, and then go to the Role Services page to start configuring Web Server (IIS).

Turning on IIS for Windows Server 2012

The Internet Information Service can be turned on using the Windows PowerShell or Windows Server 2012 Server Manager.

To turn on the Internet Information Service for Windows Server 2012 using Windows PowerShell, do the following:

1. In the Start menu, select Windows PowerShell.

2. Enter the following command and click Enter:

Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools

To turn on the Internet Information Service for Windows Server 2012, do the following:

1. In the Start menu, select Server Manager.

2. In the navigation pane, select Dashboard, then click Manage > Add roles and features.

3. The Add Roles and Features Wizard opens.

4. On the Before You Begin page, click Next.

25

5. On the Installation type page, select Role-based or feature-based installation, and then click Next.

6. On the Server Selection page, select Select a server from the server pool, select your server from Server Pool list, and then click Next.

7. On the Server Roles page, select Web Server (IIS), click Next and then click Add Features to start configuring Web Server (IIS).

26

Installing .NET Framework

The .NET Framework 4.8 is included in the the Windows 10 (version 1903).

If your version of Windows does not have the .NET Framework 4.8, you can download it from the official Microsoft website. The .NET Framework requires administrator privileges for installation.

Configuring Internet Information Service (IIS)

Windows 10 Make sure that all the following options are selected in the Windows Features window and then click OK:

.NET Framework 4.6 Advanced Services;

Internet Information Services > Web Management Tools > IIS Management Console;

Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET 3.5, ASP.NET 4.6, and WebSocket Protocol.

https://dotnet.microsoft.com/download/dotnet-framework

27

Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content.


.NET Framework 4.5 Advanced Services;


Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET 3.5, ASP.NET 4.5, and WebSocket Protocol;


28



Internet Information Services > World Wide Web Services > Application Development Features > ASP.NET;


Windows Server 2016

1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure that the Web Server (IIS) option is selected and then click Next.

2. On the Features page, make sure that the following option is selected:

3. .NET Framework 4.6 Features > .NET Framework 4.6 and ASP.NET 4.6

4. Click Next. 5. On the Web Server Role IIS page, click Next. 6. On the Role Services page, select the ASP.NET 4.6 option

(under Application Development).

29

7. Click Next and then click Add Features. 8. On the Role Services page, make sure that the following

options are selected:

Application Development >

.NET Extensibility 4.6

ASP.NET 4.6

ISAPI Extensions

ISAPI Filters

WebSocket Protocol

9. Click Next and then click Install. 10. After the end of installation, click Close.

Windows Server 2012 1. In the Add Roles and Features Wizard window, on the Server Roles page, make sure that the Web Server (IIS) option is selected and then click Next.

2. On the Features page, make sure that the following option is selected:

.NET Framework 4.5 (Installed) > ASP.NET 4.5.

3. Click Next. 4. On the Web Server Role IIS page, click Next. 5. On the Role Services page, select the ASP.NET 4.5 option (under Application Development).

30

6. Click Next and then click Add Features. 7. On the Role Services page, expand Application Development, and make sure that the following options are selected:

.NET Extensibility 4.5

ISAPI Extensions

ISAPI Filters

WebSocket Protocol 8. Click Next and then click Install. 9. After the end of installation, click Close.

Windows Server 2008

1. In the Add Roles Wizard window, on the Role Services page, make sure that the following options are selected:

Common HTTP Features > Static Content;

Application Development > ASP.NET. 2. Click Next and then click Add Required Role Services. 3. On the Role Services page, make sure that the following options are selected:

Management Tools > IIS Management Console.

4. Click Next and then click Install. 5. After the end of installation, click Close.

31

Using Certificates

Generating Self-Signed Certificate

To generate a self-signed certificate on the machine, on which you will install the Management Tool, do the following:

1. Open the Internet Information Service Manager:

For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.

For Windows Server 2012 or Windows Server 2008: Press Windows+R, enter inetmgr in the Run window and then press Enter.

NOTE: Using the inetmgr command is a common way of opening the Internet Information Service Manager for any version of the Windows operating system.

2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.

3. The Server Certificates pane opens.

4. On the Actions pane (to the right), click Create Self-Signed Certificate.

32

5. The Create Self-Signed Certificate window opens.

6. Enter the name for a certificate in the Specify a friendly name for the certificate box and select Personal in the Select a certificate store for the new certificate drop-down list. Click OK.

7. The certificate is created.

Exporting Self-Signed Certificate

To export self-signed certificate, do the following:

1. In the Internet Information Service Manager, on the Server Certificates pane, select the generated certificate and click Export on the Actions pane or in the certificate right-click menu.

2. In the Export Certificate window, define the location and password for the certificate. Click OK.

33

3. The certificate is exported and can be added to the Trusted Root Certification Authorities.

Importing Trusted Certificate

To import a purchased certificate issued for the computer, do the following:


For Windows 8 or Windows 7 Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.



2. Click the main node in the Connections tree-view and then double-click the Server Certificates item under the IIS category.

3. The Server Certificates pane opens.

4. On the Actions pane (to the right), click Import.

5. In the Import Certificate window, click the dots (…) to browse for the file of the purchased certificate and enter its password in the Password field.

34

6. Click OK.

7. The certificate is imported and displayed on the Server Certificates pane of the Internet Information Services (IIS) Manager.

Adding Certificate to Trusted Root Certification Authorities

Before adding the self-signed certificate to the Trusted Root Certification Authorities, it should be exported. For purchased certificates that were issued for your computer this procedure is not needed.

To add the certificate to the Trusted Root Certification Authorities, do the following:

1. Press Windows+R, type mmc in the Run text box and press Enter.

2. In the opened User Account Control window, click Yes.

3. In the Console window, select File > Add/Remove Snap-in.

4. In the opened Add or Remove Snap-ins window, select Certificates > Add.

35

5. In the opened Certificates snap-in window, select Computer account and click Next.

6. In the opened Select Computer window, select Local computer: (the computer this console is running on) and click Finish.

7. In the Add or Remove Snap-ins window, click OK.

36

8. In the Console window, expand the Certificates (Local computer) node.

9. In the Certificates (Local computer) tree-view, find the Trusted Root Certification Authorities node.

10. In the right-click menu of the Trusted Root Certification Authorities node, select All Tasks > Import.

11. The Certificate Import Wizard opens.

37

12. On the Certificate Import Wizard Welcome page, click Next.

13. On the File to Import page, click Browse to find the certificate to be imported and then click Next.

14. On the Private key protection page, enter the certificate password and then click Next.

38

15. On the Certificate Store page, click Next.

16. On the last page of the Certificate Import Wizard, click Finish. 17. In the confirmation message, click OK.

18. The certificate is imported and is displayed in the Console window in the Certificates node. Please note that the Issued To field contains the name of the computer, on which the Management Tool will be installed in the format that will be used when opening the Management Tool.

39

19. Close the Console window.

Setting HTTPS Binding for a Default Web-Site

To set HTTPS binding for a default web-site, do the following:


For Windows 8 or Windows 7: Open Computer > Manage > Services and Applications > Internet Information Services (IIS) Manager.



2. Expand the node with the name of the target computer in the central pane.

3. Expand the Sites node.

4. Select the Default Web Site.

NOTE: If there is no such site in the Internet Information Services (IIS) Manager of your computer, you can select any other site (the name of the site does not matter).

40

5. Click the Bindings navigation link on the right.

6. The Site Bindings window opens.

7. If there is no binding of HTTPS type in the Site Bindings window, click Add.

8. The Edit Site Binding window opens.

9. In the Type box, select https.

10. Next to the SSL certificate drop-down list, click Select.

11. The Select Certificate window opens, where the list of existing certificates is displayed.

41

12. In the Select Certificate window, select the certificate generated for the Management Tool and then click OK.

13. In the Add Site Binding window, click OK.

14. In the Site Bindings window, click Close.

15. Now the Internet Information Service is fully adjusted and you can start installing the Management Tool.

Installing the Management Tool

To install the Management Tool, do the following:

1. Run the EkranSystem_ManagementTool.exe installation file.

2. On the Welcome page, click Next.

3. Carefully read the terms of the End-User License Agreement and click I Agree.

4. On the Connection Settings page, do the following and then click Next:

In the Server address box, enter the name or IP address of the computer on which the Server is installed.

In the URL address field enter the folder where the Management Tool will be located within IIS. This URL will be used when opening the Management Tool.

42

5. On the Choose Install Location page, enter the destination folder in the corresponding field or click Browse and in the Browse For Folder window, define the destination folder. Click Install.

6. The installation process starts. Its progress is displayed on the Installing page.

7. After the end of the installation process, click Close to exit the wizard

8. The Management Tool is displayed as an application of a default web site or any other site with https connection in the Internet Information Services (IIS) Manager.

9. Now you can open the Management Tool via your browser from the same computer or a remote one.

43

Adjusting Computer for Remote Access

If you want to open the Management Tool from the computer different from the one where the Management Tool is installed, you need to adjust Firewall settings to be able to access this computer.

If the users access Management Tool only from computers where it is installed, there is no need to configure Firewall.

To adjust Firewall on the computer where the Management Tool is installed, do the following:

1. In the Control Panel, select System and Security > Windows Firewall.

2. In the Windows Firewall window, click Advanced settings.

3. In the Windows Firewall with Advanced Security window, right click Inbound Rules and select New rule.

4. The New Inbound Rule Wizard opens.

5. On the Rule Type page, select Predefined and then select Secure World Wide Web Services (HTTPS) in the list. Click Next.

44

6. On the Predefined Rules page, select the World Wide Web Services (HTTPS Traffic-In) check box. Click Next.

7. On the Action page, select Allow the connection. Click Finish.

8. The new inbound rule for Firewall is created.

45

Multi-Tenant Ekran System Mode

Enabling Multi-Tenant Mode

By default, Ekran System is installed in the Single-Tenant mode, so all Clients and settings are shared with all users according to their permissions.

If necessary, you can use the Ekran System in the Multi-Tenant mode. In this mode, all tenant users have access to their tenant Clients, but they have no access to other tenants’ Clients, configurations, alerts, reports, etc.

The Multi-Tenant mode is available for Windows and Linux Clients. For Linux Clients, the tenant they belong to is defined during the Client installation.

NOTE: The Multi-Tenant mode is available only if you have an activated Enterprise serial key.

To enable the Multi-Tenant Mode:

1. Log in to the Management Tool as a user with the administrative Tenant management and system configuration permission.

2. Click the Configuration navigation link to the left. 3. On the System settings tab, in the Ekran System Mode group, select the Enable Multi-

tenant mode option and click Save.

4. The Tenant Management navigation link appears in the navigation pane.

5. Click the Tenant Management navigation link to the left. 6. On the Tenants page, select the Built-in default tenant and then click Edit Tenant. 7. On the Licenses tab, select the amount of licenses of each type to be unassigned from the

Built-in default tenant. This amount of licenses will be available for the tenants created by the technician.

8. Add Tenants.

NOTE: To move already installed Windows Clients to the Tenant, you need to reinstall them.

Adding Tenants

To add a new tenant, do the following:

1. Log in to the Management Tool as a user with the administrative Tenant management and system configuration permission.

2. Click the Tenant Management navigation link to the left.

3. On the Tenants page, click Add Tenant.

4. On the Tenant Settings tab, define the tenant name and description.

46

5. To register the tenant admin, define the following information:

To register the tenant admin via email, select the Register the tenant admin via email option and define an email address in the Email box. The email with credentials will be sent to the tenant admin.

To register domain user or user group as a tenant admin, select the Select the tenant admin from the domain users/user group option and define the domain name and the user or user group name. NOTE: A domain user who belongs to several tenants will be prompted to select a required tenant during logging into the Management Tool.

6. On the Licenses tab, enter the amount of licenses of each type to be granted to the tenant. Please note that when the Multi-tenant mode is enabled, all licenses are assigned to the default tenant. Before creating a new tenant, you need to unassign the necessary amount of the licenses to be granted to a new tenant.

47

7. Click Finish. 8. The tenant is added and displayed on the Tenants page.

48

Licensing

Activating Serial Keys Online

To activate purchased serial keys online, do the following:

1. Make sure you have an active Internet connection on the computer with the installed Server.

2. Log in to the Management as a user of the Administrators user group.

3. Click the Serial Key Management navigation link on the left.

4. On the Serial Keys tab, click Activate keys online.

5. In the Serial Key Activation window, enter serial keys to be activated separating them with semicolons or paragraphs and click Activate.

6. The activated keys will appear on the Serial Key Management page

7. The number of available licenses and the update & support period end date change.

Adding Activated Serial Keys Offline

If you have no Internet connection on a computer on which the serial keys are to be activated, you can activate them on the license site and then add the activated serial keys offline. For more information, send an email to [email protected]

NOTE: Update and Support serial keys cannot be activated offline.

To activate serial keys offline on the license site, do the following:

1. On the computer with the installed Server, start the UniqueIdentifierGenerator.exe file, which you can download at https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.exe

2. The Unique Identifier Generator window opens.

mailto:[email protected]

https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.exe

https://www.ekransystem.com/sites/default/files/ekransystem/UniqueIdentifierGenerator.exe

49

3. Click Generate to generate a unique identifier for your computer.

4. When a unique identifier for your computer is generated, it will appear in a text box under the Unique Identifier group of options.

5. Copy the unique identifier from the text box to a text file on a removable drive.

6. Go to the Ekran System license site.

7. Enter the generated unique identifier in the Unique Identifier box.

8. Copy and paste the purchased serial keys to the Serial Keys box separating them with paragraphs or spaces.

9. Enter the CAPTCHA text in a text box near the CAPTCHA image.

10. Click Activate.

11. The activatedKeys.txt file will be generated. Save the file on a removable drive.

12. Copy the file to the computer on which you will open the Management Tool.

NOTE: Please do not edit the generated file activatedKeys.txt.

To add activated serial keys in offline mode, do the following:

1. Log in to the Management Tool as a user with the administrative Serial keys management permission.

2. Click the Serial Key Management navigation link on the left.

3. On the Serial Key Management page, click Add activated keys.

4. On the Activated Serial Key Adding page, click Choose File and navigate to the activatedKeys.txt file with activated serial keys.

5. Click Add.

6. The newly added serial keys appear on the Serial Key Management page.

7. The number of available licenses and the update & support period end date change.

8. If there are both licensed and unlicensed Clients in your network and you want to license the rest of Clients with a purchased key, you will have to assign the license to the remaining unlicensed Clients manually.

50

Installing Windows Clients

Windows Client Installation Prerequisites

The majority of Windows Client installation/uninstallation issues are caused by incorrect system or network settings.

The following conditions have to be met for successful Client installation:

The remote computer has to be online and accessible via network.

Shared folders have to be accessible on the remote computer. Simple file sharing (Sharing Wizard) has to be disabled if the computer is in a workgroup (for domain computers this requirement can be skipped).

You need to know the domain administrator or local administrator account credentials for the remote computer.

The Server and the Remote Procedure Call (RPC) system services have to be running on the remote computer.

Windows Vista and Windows XP Firewall has to be properly set up on the remote computer during the Clients remote installation.

In Windows 8, Windows 7, Windows Server 2012, and Windows Server 2008 Firewall, inbound connections have to be allowed in the Remote Service Management (RPC) rule for the remote computers and the File and Printer Sharing option has to be enabled (in this case it is not necessary to disable Windows Firewall).

Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.

When running the Ekran Server service under a user account, and not under the LocalSystem account, make sure to assign the necessary rights to this user account.

In Windows Firewall on the Server side, allow the Server executable to accept TCP connections via port 9447 (for the connection between the Server and the Clients).

NOTE: These rules will be added to Windows Firewall automatically, if Windows Firewall is enabled during the Server installation.

Make sure the conditions mentioned above are met to avoid possible problems with Client remote installation.

https://technet.microsoft.com/en-us/library/security/3033929.aspx

51

Installing Windows Clients Remotely via the Management Tool

About

You can install the Windows Clients remotely via the Management Tool. This way of installation is very convenient if all computers in your network have the same domain administrator credentials.

Remote Client Installation is performed by a user who has the Client installation and management permission in two steps:

1. Selecting computers on which Clients will be installed.

2. Installation parameters definition and installation process.

Selecting Computers

To select the computers for Client installation, do the following:

1. Log in to the Management Tool as a user with the Client installation and management permission.

2. Click the Client Management navigation link on the left.

3. On the Clients page, click Install Clients.

4. The Computers without Clients page opens. On this page, you can see the computers, for which the previous installations failed.

5. Select how you would like to search for computers where the Windows Clients will be installed:

To select computers from the list of all computers in your network, Deploy via network scan.

To select computers by IP range (IPv4 or IPv6 addresses), click Deploy via IP range.

52

To select computers by their names, click Deploy on specific computers.

6. In the Choose search results window:

Click Start new search to look for computers with defined parameters.

Click Previous search results to choose the computers found in the previous search. If you haven’t performed any searches yet, this button will be absent.

7. If you have selected the Deploy via IP range option, the Computers Scan page opens. In the From Address and To Address boxes, enter the IP range (either IPv4 or IPv6), for which the network should be scanned. To find only one computer, enter the same IP address in both boxes. Click Scan.

8. If you have selected the Deploy on specific computers option, the Adding Computers page opens. Enter the names of computers on which Windows Clients must be installed in the box Name and click Scan. Use semicolon to separate computer names.

Please note that you should enter the full name of the computer.

9. The scanning process starts. The list of found computers will be updated automatically. If it is not updated, click Refresh. To stop the scanning process, click Stop.

10. When the scanning process finishes, select check boxes next to the computers that you want to install the Clients on. Click Next.

53

11. The selected computers are added to the list on the Computers without Clients page.

12. If you want to delete some computers from this list, click Remove from list next to the selected computer.

Remote Windows Client Installation Process

When all computers for Windows Client installation are selected, you are ready to start installation. Please make sure that all selected computers are correctly adjusted.

To install the Windows Clients remotely, do the following:

1. On the Computers without Clients page, click Install.

2. On the Client Configuration page, define the name/IP of the Server, to which the Windows Clients will be connecting, and define the Client configuration for the Clients you are installing. Click Next.

NOTE: The Server IP address has to be static for Clients to connect to it successfully. Unique external IP addresses should be used for cloud-based Servers. You can add several names and IP addresses separated with comma or semicolon.

3. On the Installation credentials page, enter the credentials of a user with administrator permissions on the target computers for Client installation and then click Next.

If the computers are in a domain, enter the domain name and domain administrator account credentials.

If the computers are in workgroup, enter the credentials of a local administrator for target computers.

If you leave the Domain box empty, the entered credentials will be used as the credentials of a local user of a target computer and the Client will be installed under the <target PC name>\<user name> account.

NOTE: All workgroup computers must have the same administrator account credentials. Otherwise use installation via installation package method to deploy Ekran System Clients.

54

4. The installation process starts. The progress of installation will be updated automatically on the Client installation page. If it is not updated, click Refresh.

5. After the end of the installation, the installed Clients will appear on the Clients page in All Clients group. If the installation of some Clients fails, these computers will remain in the Computers without Clients list and you can click Retry to start the installation again.

Remote Installation from an Existing .INI File

If you already have an .ini file with defined settings generated in the Management Tool and saved to your computer, you can use it for installing the Clients.

To install the Windows Clients remotely, using an existing .ini file do the following:

1. On the Computers without Clients page, click Install using existing .ini file.

2. On the INI file selection page, click Choose file to select the .ini file that will be used for configuration of new Clients.

Please note, if any parameter except RemoteHost is absent or not valid, its value will be set to default. The RemoteHost parameter is ignored, in this type of installation. The Client will connect to the Server to which the Management Tool is connected.

3. Once the .ini file is chosen, click Next and continue the installation the same way as when

installing the Clients remotely in a common way.

55

Installing Windows Clients Locally

You can install the Windows Clients locally using the Client installation file generated in the Management Tool. You have two options for downloading the Client installation file from the Management Tool:

Generate the installation package and set the Windows Client configuration during generation.

Use Client Installation file (.exe) to install the Client with default parameters.

Optionally, you can protect the installation package file from modification.

NOTE: Due to the new SHA-256 code signing, on Windows 7 SP1 and Windows Server 2008 R2 SP1, the Microsoft Security Advisory update 3033929 needs to be installed: https://technet.microsoft.com/en-us/library/security/3033929.aspx.

https://technet.microsoft.com/en-us/library/security/3033929.aspx

56

Installing macOS Clients

About

You can install the macOS Clients locally using the Client installation file generated in the Management Tool.

Downloading macOS Client Installation File

To download the file for macOS Client installation, do the following:


2. Click the Client Management navigation link to the left.


4. On the Computers without Clients page, click Download installation file.

5. On the Installation File Download page, select the MacOS option in the drop-down list, and then click MacOS x64 Client Installation (.tar.gz).

6. File downloading starts. The download settings depend upon the settings of your browser.

Installing macOS Clients

This type of installation allows you to install the macOS Clients locally using the downloaded EkranSystemmacOSClientx64.tar.gz package.

To install the macOS Client on the target computer with a macOS operating system from the command line:

1. Make sure that you log out of all active users except the current one.

2. Copy the installation package to any folder.

3. Run the Terminal.

4. Navigate to the folder with the installation package by entering the following command:

cd path/to/folder

5. Unpack the installation package using the following command:

tar xvfz <installation package name>

6. Navigate to the unpacked EkranClient folder using the following command:

cd EkranClient

The EkranClient folder contains the install.sh script used to install the Client.

57

7. Run the macOS Client installation script specifying the Server name or Server IP address

and the port used for connection to the Server (9447 is recommended):

./install.sh <server_name/IP> <server_port>.

8. After the end of the installation, macOS Client will appear in the list on the Clients page in

the Management Tool.

Installing Linux Clients

About

You can install the Linux Clients locally from the command line using the EkranSystemLinuxClient.tar.gz package, respectively:

EkranSystemLinuxClientx64.tar.gz for the 64-bit system

EkranSystemLinuxClientx86.tar.gz for the 32-bit system

Downloading Linux Client Installation File

To download the file for Linux Client installation, do the following:


2. Click the Client Management navigation link on the left.


4. On the Computers without Clients page, click Download installation file.

5. On the Installation File Download page, select the Linux option in the drop-down list, and then click Linux x86 Client Installation (.tar.gz) or Linux x64 Client Installation (.tar.gz).

6. On the Generate Installation Package page, optionally, protect the installation package file from modification, and then define the name/IP of the Server to which the Clients will connect, and click Download.

7. File downloading starts. The download settings depend upon the settings of your browser.

Installing Linux Clients

On the operating systems with enabled Security-Enhanced Linux (for example, CentOS and RedHat), before installing the Client to the custom directory, you need to pre-configure the SELinux Policy first.

On the Solaris operating system, before installing the Client, you need to update bash first.

58

NOTE: For Linux, AIX, and Solaris distributions, GNU bash 3.2.25(1) or higher must be installed.

To install the Linux Client on the target computer with the Linux operating system from the command line:

1. Copy the installation package to any folder. Make sure you use the correct installation

package (x64 or x86).

2. Run the command-line terminal.

3. Using the terminal, go to the folder with the installation package by entering the

following command:

$ cd path/to/folder

4. Unpack the installation package using the following command:

$ tar xvfz <installation package name>

5. Go to the unpacked EkranClient folder using the following command:

$ cd EkranClient.

6. The EkranClient folder contains the install.sh script used to install the Client.

7. Run the Linux Client installation script specifying the Server name or Server IP address

and the port used for connection to the Server (9447 is recommended).

$ sudo ./install.sh <server name or Server IP address> <server port>

If the Multi-Tenant mode is enabled, specify the Tenant Key parameter and the Tenant

Key value of the required tenant.

$ sudo ./install.sh <server name or Server IP address> <server port> -tenantKey

<tenant key value>

59

Optionally, to enable the monitoring of graphical interface for X Window System,

specify the X11 parameter.

$ sudo ./install.sh <server name or Server IP address> <server port> -withX11

Examples:

$ sudo ./install.sh 10.100.4.182 9447 – The Client connects to the Server with IP

10.100.4.182 through the port 9447. The monitoring of graphical interface for X

Window System is not enabled.

$ sudo ./install.sh Server1 9447 -withX11 -tenantKey 90807A10-DF80-45EA-

A7DE-A550B55F548A - The Client connects to the Server with the name Server1

through the port 9447. The monitoring of graphical interface for X Window

System is enabled. The Client belongs to the tenant with the specified tenant

key.

8. After the Client is installed, it starts monitoring a new session with the next user login.

9. The installed Linux Client appears in the list on the Client Management page in the Management Tool.

60

Alerts

Adding Alerts

To add an alert, do the following:

1. Log in to the Management Tool as a user with the administrative Client installation and management permission.

2. Click the Alert Management navigation link to the left and click Add Alert.

3. On the Add Alert page, in the Properties group, define the following alert properties and then click Next:

Enter a unique name for an alert.

Optionally, enter the alert description.

Select the Enabled option to enable an alert.

Select the alert risk level. It can be Critical, Normal, or High.

4. In the Rules group, define the rules to be applied and then click Next:

Select the Parameter of the rule.

Select the Comparison operator.

Enter the Value to which Parameter will be compared.

Click Add Rule to create one more rule.

To delete a rule, clear its Value box or click Delete.

5. In the Assigned Clients group, select the Clients/Client Groups to which the alert will be assigned and click Next. To find specific Clients/Client Groups, enter their names in the search box.

61

6. In the Actions group, select how you would like to receive the alert notifications:

Select the Send emails to option and then enter the email address to which the notifications will be sent. You can enter several email addresses separating them with semicolon.

NOTE: To receive email notifications correctly, make sure that Email Sending Settings contain correct parameters for email sending.

Select the Show warnings in Tray Notifications application option to activate the tray notifications. The alert notifications will then pop up from the tray.

Select the Show warning message to user option if you want a warning message to be displayed to the user when the alert is triggered. You can use the default message or enter your own text in the box below.

In the Additional actions box, select the Block user on all computers option if you want to automatically block the user performing forbidden actions, or select the Kill application option if you want to forcibly stop the detected application.

NOTE: The Block user on all computers option is available only for Windows Clients.

62

7. Click Finish to save the created alert.

8. The alert is added

63

Users and Permissions

About By default, there is one administrator in the system, whose login is admin and whose password is defined during the Server installation. The administrator has all the rights for work in the system. If the Multi-tenant mode is enabled, the administrator is the technician and is able to create tenants.

In order to grant others access to the system, you can add users and define their permissions. There are two types of users:

Internal users

Active Directory Users (Windows domain users and Windows domain user groups)

Adding Users

To add a new user, do the following:

1. Log in to the Management Tool as a user with the administrative User management permission.

2. Click the User Management navigation link to the left.

3. On the Users page, click Add User.

4. On the User Type tab, select the type of user you want to add:

Click Add an Internal user to create an internal application user.

Click Add an Active Directory user/user group to add an existing Windows user/user group.

NOTE: If Active Directory users have already been added as a part of two or more Active Directory user groups, such users cannot add themselves as independent users of the Management Tool. Only other users with appropriate permissions can add them.

64

5. On the User Details tab, do one of the following and click Next:

For an internal user, define user credentials and additional information about the user. Also, for internal users to receive the automatically generated one-time password, define the user’s email address to which the one-time password will be sent. NOTE: Login and password are required. The login must be unique. In the Multi-tenant mode, users of different tenants cannot have the same login. The password must be at least 8 characters long and include a letter, a special character, and a digit. The maximum length of the first name, last name, and description is 200 characters.

For an Active Directory user/user group, select the domain in the Domain list and then enter at least two characters into the User/User group box to search for the required user/user group.

65

NOTE: The Active Directory user/user group cannot be added if there is no LDAP target added for the required domain on the Configuration page or if the connection with the domain is lost (the domain is unavailable).

6. On the User Groups tab, select the user groups to which the user will belong. To find a specific group, enter its name in the Contains box and click Apply Filters. Click Next.

NOTE: The user is automatically added to the default All Users group and can’t be removed from it.

7. On the Administrative Permissions tab, select administrative permissions that will be given to the user. Click Next. NOTE: If the user has inherited some permissions from user groups, you can only add new permissions. To remove permissions inherited from user groups, you need to remove the user from these groups.

66

8. On the Client Permissions tab, do the following:

Select the necessary Client/Client Group. To find a specific Client/Client Group, enter its name in the Contains box and click Apply Filters.

Click Edit Permissions and then, in the Client Permissions/Client Group Permissions window, define the Client permissions which will be given to a user for the corresponding Client/Client Group.

When the permissions are defined, click Save to close the Client Permissions/Client Group Permissions window.

9. Click Finish.

10. The user is added and displayed on the Users page.

NOTE: For an Active Directory user, the first name and last name properties will be automatically filled after the user’s first login to the system.

67

Permissions

The permissions allow you to define which functions a user will be able to perform with the system and Clients. There are two types of permissions: administrative permissions and Client permissions.

Administrative permissions define actions that a user can perform with the whole system.

Client permissions define actions that a user can perform with selected Clients.

The permissions can be defined during user and user group adding/editing.

If you define permissions for the group, any user belonging to this group inherits these permissions. To remove permissions inherited by the user from a group, you need to remove the user from a group. Apart from permissions inherited from the group, you can assign a user his/her own permissions.

68

Management Tool Log

The Management Tool Log is an Ekran System component that contains information on all the user actions performed in the Management Tool. Such information might be useful for the administrator to manage and monitor the actions of all users in the system.

To view the log, log into the Management Tool as a user with the administrative User management permission and click the Management Tool Log navigation link to the left.

69

Viewing Monitoring Results

Monitored data received from Windows, macOS and Linux Clients is organized in the session.

The Windows Client session includes recorded user activity (screenshots, application names, activity titles, captured keystrokes, clipboard text data, and URLs). The macOS Client session includes recorded user activity (screenshots, application name, Activity title, URL, etc.).

Windows and macOS Clients start recording user activity in a new session every time the computer is restarted. The maximum duration of one session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.

The remote Linux Client session contains the list of executed commands, their parameters, and functions. Linux Clients start recording a new monitoring session each time the remote SSH terminal is opened. There is no time limitation for a remote Linux Client session.

The local Linux Client session for X Window System includes recorded user activity (screenshots, application name, activity title, activity time). The maximum duration of one local session can be 24 hours. At 00:00 all live sessions are terminated. After their termination (their status changes from live to finished), new live sessions automatically start.

To view monitored sessions, click the Monitoring Results navigation link to the left and then open the Client Sessions tab.

Playing Sessions

The Session Viewer is a part of the Management Tool that provides the possibility to view monitored data within one selected session.

To open the Session Viewer, select one of the sessions in the Sessions grid on the Monitoring Results page and click on it.

70

Playing Windows Sessions

A user starts playing Windows Session by clicking the required in the Client Sessions list. The session is opened in the new tab or new window depending on your browser settings. While playing Windows sessions, you can view screenshots in the Player pane and associated metadata (Application name, Activity title, URL and keystrokes) in the Metadata grid.

Viewing Clipboard Text Data

The captured clipboard text data includes the text, which has been copied or cut and then pasted into documents, files, applications, browser address line, etc. on the Client computer.

The Ekran Client monitors the Copy, Cut, and Paste operations performed by using either the context menu commands or such key combinations as Ctrl+C, Ctrl+Ins, Ctrl+X, Shift+Del, etc.

The captured clipboard text data is displayed in the Text data column in the Metadata grid. It has a label specific to the performed action:

[Clipboard (Copy)]

[Clipboard (Paste)]

When you select a row in the Metadata grid, the clipboard text data associated with it is displayed in the Details pane below the Player pane.

Metadata grid

Text copied to the clipboard

71

Text pasted from the clipboard

Viewing USB Device Info

During the monitoring process, a screen capture is created every time the mass storage USB device is plugged in. Along with the screen capture, the information on the plugged in device is displayed in the Metadata grid as follows:

Activity title: USBStorage - <device details>

Application name: [Monitoring event]

If you are using rules for kernel-level USB monitoring according to which the devices are detected or blocked, each time the alert event occurs, a screen capture is created. In the Metadata grid, this is indicated by highlighting the activity in the grid.

NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client will contain no screenshots.

When you select a USB-device-related screen capture or a row in the Metadata grid, the USB device info associated with it is displayed in the Details pane below the Player pane.

If the device was blocked, it is marked as BLOCKED in the parentheses.

Viewing URLs

If the URL monitoring option is enabled for the Windows Client, then each time the user activity is captured while the user is working in the browser, the URL address is saved and displayed in the URL column in the Metadata grid. If there are several records made while the user is viewing one page on a certain website, then all of them contain the same URL information.

NOTE: If the screenshot creation is not enabled on the Windows Client, sessions of this Client will contain no screenshots.

The URL column contains only top and second-level domain names even if the parameter is not selected in the URL monitoring settings for the Windows Client. The full URL address is displayed in the Details pane.

72

NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a possibility that the screen capture and its activity title along with URL address may be not properly synchronized in the Session Viewer (e.g., the user may see a screen capture with a URL address that belongs to the previous one).

Playing macOS Sessions

A user starts playing macOS Session by clicking the required Session in the Client Sessions list. The session is opened in the new tab or new window depending on the browser settings. While playing macOS sessions, you can view screenshots in the Player pane and associated metadata (Application name, Activity title, URL, etc.) in the Metadata grid.

Viewing URLs

If the URL monitoring option is enabled for the macOS Client, then each time the user activity is captured while the user is working in the browser, the URL address is saved and displayed in the URL column in the Metadata grid. If there are several records made while the user is viewing one page on a certain website, then all of them contain the same URL information.

The URL column contains only top and second-level domain names even if the parameter is not selected in the URL monitoring settings for the Windows Client. The full URL address is displayed in the Details pane.

NOTE: As getting a URL address to be monitored may take about 600 milliseconds, there is a possibility that the screenshot and its activity title along with URL address may be not properly synchronized in the Session Viewer (e.g., the user may see a screenshot with a URL address that belongs to the previous one).

Playing Linux Sessions

Playing Remote SSH Sessions

A user starts playing Linux Session by clicking on the required session in the Client Sessions list. The session is opened in the new tab or new window depending on your browser settings.

While playing remote Linux sessions, you can view all visually recreated interactive data in a form of a video in the Player pane and function and system calls, as well as the executed commands with parameters in the metadata grid.

Playing Local X Window System Sessions

A user starts playing Linux Session by clicking on the required session in the Client Sessions list. The session is opened in the new tab or new window depending on your browser settings.

73

While playing local Linux sessions, you can view screenshots in the Player pane and associated metadata (Application name, Activity title, Activity time) in the Metadata grid.

Filtering EXEC Commands

By default, the commands are filtered by ‘exec’ function to display only the command executed after user input.

To display the list of all commands, including system ones, discard the filtering by clearing the Show only execution commands option.

Dashboards

Ekran System allows viewing certain types of information using dashboards displayed on the Home page. Some dashboards are duplicated on the Health Monitoring page. Dashboards provide you with convenient real-time view of the most important data. The following dashboards are available:

Licenses

Clients

Database Storage Usage

Recent Alerts

Latest Live Sessions

Sessions out of Work Hours

Rarely Used Computers

Rarely Used Logins

CPU Usage

Memory Usage

Database State

You can choose which dashboards to display, rearrange the dashboards on the screen, add several dashboards of the same type to see the same data in different variations, and more.

74

More Information

For more detailed information, please see the Ekran System Help.

Documents

Ekran System v.6.17 Getting Started...Getting Started The Ekran System installation consists of the following steps: 1. Install the Server. 2. Make sure the Management Tool installation