Porteus Kiosk

 

REMOTE MANAGEMENT


A huge milestone has been accomplished in Porteus Kiosk version 3.3.0: it is possible to centrally manage all your kiosks from a single configuration file stored on the network!

Up until now the kiosk config (presented on the final configuration page in the kiosk wizard) was always embedded in the ISO and burnt on the hard drive/usb stick during system installation. The main advantage of this approach is that system configuration file is encrypted and stored in a safe, read-only place. Nobody can access it so the kiosk can be exposed on a public network without a fear of adverse manipulation.

Such a feature works really well but there are cases where more flexible solution is needed.

In Porteus Kiosk 3.3.0 we have introduced a new feature which lets you choose how your kiosk config will be handled. You may decide if you want the system settings to be stored in the ISO itself (default action) or downloaded from remote location during each system boot. If you prefer to keep the config on your server then you have to activate a certain option in the wizard and provide an URL pointing to the remote kiosk configuration file.

Contents:

Requirements

Config rules

Advantages

Setup procedure

Remote Management FAQ

Sample scenarios

More complicated scenarios

Nested configurations

Requirements

HTTP or FTP server which is able to host a plain text file.


WARNING: when kiosk config is hosted on a web/ftp server then anybody who knows or finds its URL (internet bots/spiders/crawlers systematically caches and parses the webpages on the internet) is able to view the config and read the sensitive data from it: homepage address, Access Point name, wifi/SSH/VNC passwords, etc.


Kiosk configs (and other files e.g. wallpaper) can be hosted also on Porteus Kiosk Server.

Files are downloaded from PK Server over a secure SSH connection and not trough the http(s)/ftp protocols.


From the security point of view its highly recommended to use our dedicated server solution as 3rd parties are not able to access the files which are hosted on it. PK Server has also many other functions which are useful in remote management tasks: monitoring and interacting with the clients, viewing logs generated by the client, email notifications, etc.


If you are interested in a professional management solution then please utilize our server system for this task.



Config rules

WARNING: Be careful when updating the network, proxy, or kiosk server related settings in the remote config. If you enter incorrect values for the IP settings, proxy address, server URL or remove SSH from additional components (required for communication with Porteus Kiosk Server) then you may loose the control over the clients and manual reinstallation will be necessary.


a) When doing manual edits to the config please make sure it's saved with ANSI or UTF-8 encoding as UTF-16 (sometimes called "Unicode") is not supported in kiosk.

This rule does not apply to remote configs hosted on PK Server as correct formatting is used there by default.


b) All parameters in the config must be placed on new lines and must be aligned to the left to be recognized by the system.


c) Parameter value (even if it's long, e.g. whitelist) must be placed on the same line as the parameter name. Line wrapping is not supported.


d) You can add comments to your config on a new line and proceed them with a hash, e.g.

    # First comment

    parameter_one=value1

    # Second comment

    parameter_two=value2


WARNING: comments should not be added to the same line as the parameter as they will be treated as a part of the parameter value.


e) IMPORTANT: If you double parameters in the config then only first one will be processed by the system:

    homepage=https://kernel.org

    browser_idle=5

    # parameter below is doubled and will be ignored:

    homepage=http://google.com


f) 'kiosk_config=' parameter must be present in your remote config to keep remote management active after system reconfiguration. Sample for web hosted configs:

    kiosk_config=http://domain.com/files/kiosks.txt

and for configs hosted on Porteus Kiosk Server:

    kiosk_config=server://kiosks.txt



Advantages

  • You can manage all your kiosks (5, 30, 100+) from a single configuration file stored on your server.
  • You have the possibility of dividing your kiosks into groups by assigning them different configs (config-A, config-B).
  • There is no need to reinstall the kiosk manually or go through the kiosk wizard anymore. Simply update the remote config and reboot the kiosk so it can download the new parameters during boot.
  • It's possible to rebuild the kiosk config entirely (change networking/proxy, browser and system settings, power saving options, etc.) so you can easily switch the kiosk profile from for example 'web access PC' to 'digital signage' station.
  • You are able to add/remove additional system components like SSH, VNC, printing, etc but please mind that the system must be able to access the porteus-kiosk.org website to in order to download additional components.
  • You can frequently update essential system settings like SSH/VNC/proxy passwords (e.g. once a day or week) to improve kiosk security.


    • Setup procedure

    a) boot Porteus Kiosk installation ISO on the target PC

    b) setup network then select 'Launch wizard to create new configuration' on the initial wizard screen

    b) enable 'Remote kiosk management' in the wizard options and provide URL to the place where your config will be stored

    c) select other kiosk options as you like

    d) on the final configuration page in the wizard take a copy the config and send it to your email address or save on removable media

    e) save the config on some hosting server as a plain text file preserving correct URL provided in the wizard

    f) install kiosk and check that it's able to download the config from the network during first boot


    Configuration of additional kiosks:

    a) boot Porteus Kiosk on the target PC

    b) setup the network then select 'Point kiosk to existing remote configuration' on the initial wizard screen and provide URL to the config which is saved already on your server

    c) install the kiosk

    Remote Management FAQ


    In which situations is remote management is useful?

  • when you are planning to deploy and centrally manage a significant number of kiosks
  • when there is a need to frequently update various kiosk settings like: homepage, wallpaper, SSH password, etc ...
  • when kiosks are located in a remote location and accessing them physically for reinstallation would be troublesome

    • In which situations should this feature NOT be activated?

  • when your kiosk configuration rarely changes
  • when you have no possibility of maintaining a web server which would provide a safe place for the kiosk configs (in some cases 3rd party services like dropbox.com could be used for storing the configs).

    • How do I know which parameters are responsible for certain kiosk functions?

    A full list of currently supported kiosk parameters can be found here. If you need to make broad modifications to the kiosk config it's recommended to run the Kiosk Wizard and use it as a helper to generate your preferred kiosk settings.


    What happens if the remote config isn't available when the kiosk PC boots?

    The system defaults to the last downloaded configuration and displays notification that the remote config was not accessible.


    What does a remote kiosk config look like?

    A remote kiosk config looks exactly the same as a normal config except for the 'kiosk_config=http://domain.com/path/config-A.txt' parameter which must be present in it.


    I have 10 kiosks assigned to config A and 10 other machines assigned to config B. Is it possible to move 5 kiosks from group A to group B?

    Please edit remote config-A and change 'kiosk_config=http://domain.com/path/config-A.txt' parameter to 'kiosk_config=http://domain.com/path/config-B.txt' then reboot your 5 PCs. After reconfiguration they will be assigned to config-B.txt so please revert the changes made to config-A (it should point to itself again).


    Can I have each PC assigned to a different config?

    It's totally up to you if you want manage a group of kiosks from one config or prefer to control every unit separately by using different configs.

    Sample management tasks


    REMINDER: After performing an update to the remote config, the kiosk PC must be rebooted so it can reconfigure itself.


    1) There is a need to change the wallpaper in kiosk which would display a new company logo.

    In this case simply update the existing 'wallpaper=' parameter with the new URL:

      wallpaper=http://domain.com/new-image.png

    2) You are running digital signage business and need to update the kiosk homepage every week.

    You have to update 'homepage=' parameter in the kiosk config:

      homepage=http://domain.com/new_link.html

    3) Wifi networking started misbehaving and you need to enable debug mode to generate a system report and query Porteus Kiosk support for help.

    You have to add 'debug=yes' parameter to the config and reboot the PC. Once a system report is handed over to us you can remove 'debug=yes' and during next boot the kiosk will return to its default state.

    More complicated management tasks


    REMINDER: Please use the Kiosk Wizard to generate new configs when broader changes are required.


    1) Your company bought a printer and you need to add support for it to the kiosk system.

    The following parameters must be added to the config:

      additional_components=existing_components.xzm 10-printing.xzm

      printer_model=some_model

      printer_connection=lpd:/ip_address/queue


    2) The kiosk is installed in an organization where security is a top priority. You need to preserve the ability to login to the kiosk through SSH for system monitoring purposes.

    Best way to handle this would be to setup a scheduled task on your server (e.g. by using cron in Linux) and update the kiosk config file with randomly generated passwords every day. During each boot the kiosk would reconfigure itself with a new password and you can login to it using the last password saved in your remote config file.


    3) You need to move the kiosk to new place where only wireless networking is available.

    In this case you need to replace relevant network settings in the config.


    Old settings:

      connection=wired

      network_interface=eth0

      dhcp=yes


    New settings:

      connection=wifi

      network_interface=wlan0

      dhcp=yes

      wifi_encryption=wpa

      wpa_password=some_password

      ssid_name=AP_name


    Warning: it is necessary to reconfigure the kiosk with new settings when still using the wired connection. Once this is done you can move the PC to a new place so it can start using the wireless connection.


    4) Your website has been updated and contains videos encoded with a codec which Firefox can not handle natively but Google Chrome can.

    Since verion 3.4.0 of Porteus Kiosk it is possible to swap the browser between Mozilla Firefox and Google Chrome. In order to exchange the browser you need to add/edit following parameter to your config:


    Old setting:

      browser=firefox

    New setting:

      browser=chrome

    Note: Google Chrome does not support functions which are marked as *Firefox only* in the wizard. Please run the wizard to find out which functions (kiosk parameters) are not compatible with the Chrome browser.

    Nested configurations


    If you are having problems with nested configurations then please use separate configs for each kiosk which needs to be configured with different parameters.


    Since version 3.5.0 of Porteus Kiosk it's possible to use one remote config for all your kiosks even if their configuration is different. The main advantage is that in case of making configuration changes you need to edit a single file instead of multiple ones and also have a clear view which settings apply to which kiosks.


    Requirements and rules:

    a) You must create a [[ GLOBAL ]] section in your config containing parameters which apply to all kiosks. If the [[ GLOBAL ]] string is not present in the config then nested configrations won't work.

    b) For each kiosk with different parameters you must create a [[ PCID ]] section in the config. Porteus Kiosk FAQ explains how to find the PC identification number at this link.

    c) Parameters in the [[ PCID ]] section are parsed until empty line.

    d) Parameters from the [[ PCID ]] section take priority over parameters included in the [[ GLOBAL ]] section.

    e) If PC IDs are placed one under another then defined parameters apply to each of them.

    f) Letters in the GLOBAL and PCID strings must be capital.

    g) If you want to reset the parameter from the [[ GLOBAL ]] section for specific kiosk then you must add relevant parameter with an empty value to the [[ PCID ]] section of the config. Parameter below will deactivate URL filter for specific kiosk:

      [[ 0-7C-7D7-1E-20 ]]

      whitelist=


    Sample config with nested configurations enabled:


      [[ GLOBAL ]]

      kiosk_config=http://192.168.1.15/config.txt

      connection=wired

      dhcp=yes

      browser=firefox

      homepage=https://kernel.org

      root_password=toor

      additional_components=08-ssh.xzm 09-x11vnc.xzm


      #Louisville 1

      [[ B-51-32D-29-37 ]]

      homepage=https://domain.com

      wallpaper=http://porteus-kiosk.org/public/wallpapers/sample.jpg


      #Kent 1, 2, 3

      [[ 0-7C-7D7-1E-20 ]]

      [[ 0-71-EF9-C8-20 ]]

      [[ 0-74-EF5-C3-23 ]]

      browser=chrome

      homepage=https://www.google.ie

      additional_components=08-ssh.xzm


    Explanation:

    All kiosks have the same configuration defined in the [[ GLOBAL ]] section of the config:

    - wired connection with dhcp enabled

    - homepage set to kernel.org

    - SSH and VNC access enabled


    Kiosk with ID: B-51-32D-29-37 uses different homepage and wallpaper.


    Kiosks with ID: 0-7C-7D7-1E-20, 0-71-EF9-C8-20 and 0-74-EF5-C3-23:

    - use Chrome browser instead of Firefox

    - have the homepage set to google.ie

    - only SSH component is activated


    Example of incorrectly created kiosk config:


    1. __[[ GLOBAL ]]
    2. connection=wired
    3. dhcp=yes
    4. browser=firefox
    5. homepage=https://kernel.org
    6. root_password=toor
    7. additional_components=08-ssh.xzm 09-x11vnc.xzm
    9. [[ B-51-32D-29-37 ]]
    10. homepage=https://domain.com # Some comment here
    12. wallpaper=http://porteus-kiosk.org/public/wallpapers/sample.jpg
    14. [[ 0-7c-7d7-1e-20 ]]
    15. [[ 0-71-EF9-C8-20 ]]
    16. [[ 0-74-EF5-C3-23 ]]
    17. browser=chrome
    18. homepage=https://www.google.ie
    19. additional_components=08-ssh.xzm

    Explanation:

    - '[[ GLOBAL ]]' string is not aligned to the left

    - 'kiosk_config=' parameter is missing

    - line 10 has a comment which is placed on the same line as the 'homepage=' parameter (comment will be treated as part of the parameter)

    - line number 11 is empty and will cause that 'wallpaper=' parameter to be ignored (parameters in the PC ID section are parsed until empty line)

    - line number 14 has PCID with lower case letters - this kiosk wont be recognized


    Please take advantage of this feature and provide feedback necessary for improving it.