ThinKiosk was developed in 2015 from within the virtualization community to provide a full thin client experience to any Windows x64/x86 device for access to virtual environments and secure utilization of local resources. While also providing a convenient solution for IT admins that makes management, control, and compliance over their entire estate easier.
Group Policy, by comparison, is a Microsoft offering that was made available in 2000 as a function of Windows Server, allowing you to use settings that control users, applications, device settings, etc. within Active Directory. There is a multitude of group policy settings that can be applied, covering most aspects of the Windows experience. A Group Policy Object (GPO) is a collection of Group Policy settings to apply to a specific device/number of devices.
In this post, we will explore some of the main points where ThinKiosk differs from Group Policy when it comes to things like use case versatility, overall security, and time efficiency. We will see how these differences make ThinKiosk the ideal solution when locking down your endpoints in a virtual environment.
End-User Experience and Windows Familiarity
|ThinKiosk delivers its own secure workspace interface to any Windows Device, providing access to whatever locally installed apps or remote environments you wish to present them, all while giving the option to access local configuration settings such as Language, Keyboard & Mouse, Printers, and Audio settings.||Group policy can be used to secure a desktop environment within an Active Directory, what they are presented with is a locked-down Windows desktop interface. For example, disabling local drives or disabling the start menu.|
GPOs from the outset makes sense as they use the actual Windows interface users are used to, however, end-users are also used to the freedom to do what they want on their Windows devices. Most GPOs at the endpoint level will need to take away things like start menu access or typical hardware settings, which can leave users feeling overly restricted in their workspaces, and users feeling restricted will often try to find ways around their policies. What’s more, these settings take time to set up and deploy.
ThinKiosk, on the other hand, runs its own UI, which not only gives admins the ability to make hardware options available to their end-users but sets user expectations when they sit down to interact with the endpoint. End-users will no longer become frustrated at visible but restricted windows features, as they will simply only be presented with the ThinKiosk UI.
Further, on that point, ThinKiosk can disable access to the Windows Shell interface, meaning end-users cannot access their underlying OS even if they tried.
Complete Lock-down with Keystroke Pass-Through
|ThinKiosk’s magic filter allows the dynamic passthrough of special keystrokes (CTRL + ALT + DEL & Windows + L) on the local machine to a remote session (or the ability to block the keystrokes completely).||Multiple keystrokes can be blocked by GPOs using assigned access.|
ThinKiosk’s ability to passthrough keystrokes to a remote environment ensures the end-users are not only kept inside their environment but also allowing them to utilize standard windows features they are used to within a secured space.
Currently, there is no equivalent way to pass through keystrokes like above through to a remote or virtual environment using GPOs. Outright blocking these keystrokes within an AD can also lead to users feeling restricted, similar to what was mentioned before.
With features like Magic Filter dynamically blocking and passing through keystrokes, users are kept secure and are prevented from hurting themselves under the shell.
Location & Context-Awareness - Shared Desktop Experience
|ThinKiosk is designed to be compatible with the dynamic nature of VDI deployments. Not only is ThinKiosk able to detect a user’s location and device, but can deliver users straight to their secure environment, regardless if the connection is internal or external.||Group policy is designed for static, on-domain environments. Policies applied on the user/device are based on Active Directory and cannot account for devices that are connecting from different locations.|
This is an area where it depends on your environment, GPOs, in this case, may not be a major issue if your office environment is all domain-joined, however the proverbial spanner gets thrown into the works if a user attempts to access with a device from outside the domain or if you have mobile workers in your environment.
With ThinKiosk you not only can lock down devices on or off domain, but you can also allow devices to login without domain credentials. Creating a true kiosk environment, to facilitate that shared desktop experience that is often sought after, particularly where dummy clients are involved.
Secure & Tabbed Browsing
|ThinKiosk includes an integrated secure browser, which supports a completely configurable user experience including the designation of pre-set URLs, read-only/hidden address bars and browser options.||Delivering similar functionality requires a bit of work, and further, specific GPOs would need to be applied across all browsers intended to be used.|
Using Group Policy, it can be time-consuming to lock down browser use, further, there are even fewer options with browsers that are not Internet Explorer or Edge.
ThinKiosk’s secure browser delivers the ability to securely connect to any site permitted by admins, including access to virtual environments. Allowing both a secure browsing experience and an alternative connection for users to access their virtual environment.
Admins can allow normal standard features that users are used to with ThinKiosk’s Secure Browser, such as multiple tabs, quick print and more.
Deployment and Updating
|Through the ThinScale Management Console, you can quickly deploy ThinKiosk across your entire estate regardless of the Windows OS, the ThinKiosk shell will run the same on any version of Windows. Admins can also quickly and easily update whatever policies they want centrally all with just a few clicks.||
GPOs can be updated and changed to fit whatever requirement needed. The policies just need to be updated to reflect the change needed and then sent out to the machines where the new rules will occur. These rules are specific to each version of Windows.
Deployments across and updating within an environment can be tedious. ThinKiosk attempts to alleviate this by allowing admins to centrally deploy both client and profile updates using tools like the Package Creator within the ThinScale Management Platform. ThinKiosk only requires a Windows OS to run its shell, meaning regardless if the OS is Windows 7, 8 or 10 it will run the same way with no extra work needed from the IT team.
For GPOs deployment is largely straightforward as well, one just needs to make sure the domain joined devices are all correctly set in the active directory. The policies themselves, however, need to be tailored to the specifics of each OS, so in an environment with varying Windows operating systems, there would need to be polices made for each. What’s more, should you want to upgrade your environments OS, you would need to adapt the existing policies to reflect the upgrade. Such things can be time-consuming.
|The ThinScale Management platform is quickly and easily accessed by administration, simply by clicking the desktop icon/executable. The platform provides a graphical interface for managing client devices and profiles. This can be managed and viewed at a high or low level using the folder-based view, which you can delineate and separate however you want, department, location or user.||
Policies can be managed natively using AD’s own Group Policy Management Console or with PowerShell, alternatively, they can use 3rd party tools to manage their GPO.
The ThinScale Management platforms user interface is leagues above what most admins will experience using group policy in terms of usability. Its ease of access makes it much less time consuming to apply changes within an environment.
Taking it a step further, ThinKiosk’s profiles themselves are all easily viewed and exported as a JSON file, allowing for easy troubleshooting among admins. All admin has to do to apply changes is restart the ThinKiosk UI, without a double boot or a machine restart, saving you time and effort.
Doing the same with GPO requires the user to log in and out before changes can take effect.
Time-consuming global changes that require a domain controller (DC) with GPOs are applied immediately with ThinKiosk.
When comparing the two solutions, you need to look at what ThinKiosk and Group Policies were designed to accomplish. ThinKiosk was made to provide a customizable, secure and easily managed experience to the endpoints of virtual and remote environments. Group Policy was designed by Microsoft to set restrictions on computer and user accounts within a domain. Both excel at what they were designed to do. However, as we are specifically looking at securing endpoints for a virtual environment, there are simply things ThinKiosk can do that GPOs cannot.
ThinKiosk can provide a fully locked down EUE while allowing admins complete control over every aspect with an easy to use and easily scalable management platform. ThinKiosk also provides unrivalled flexibility and versatility, customers often find they are able to use their thin clients in many more scenarios than they could when using GPOs.
Read here about how Allen Independent School District found ThinKiosk's flexibility compared to GPOs and scripts.
Consider the time spent creating and deploying the different policies required (for an enterprise-quality, locked down experience) and the cost of having employees manage these policies. By installing ThinKiosk and setting up a profile that can be quickly edited and redeployed en-masse, time and cost inputs are significantly reduced. That’s how ThinKiosk is the ideal choice for securing and managing your Windows endpoints, in a VDI/RDS environment.