IGEL OS 11

Firmware version 11.06.210
Release date 2021-11-30
Last update of this document 2021-11-30

> IGEL Release Notes

Supported Devices

UD2-LX 51, UD2-LX 50, UD2-LX 40
UD3-LX 60, UD3-LX 51
UD6-LX 51
UD7-LX 20, UD7-LX 11, UD7-LX 10
UD9-LX Touch 41, UD9-LX 40

> Supported IGEL OS 11 thirdparty devices


Release Notes 11.06.210 (Based On 11.06.150 / 11.06.200)

New Features

Citrix

  • Updated Citrix Workspace app 2109
    Available Citrix Workspace Apps in this release: 2109 (default), 2104, and 2010
  • New features:
  • The user agent strings are added to the network traffic to make it easier to identify the origin of the request.

Parameter

Add custom user-agent string in network requests

Registry

ica.authman.useragentsuffix

Value

[default empty string] (default) [App/AppVersion] [Edit custom string]

  • Adaptive audio optimizes the audio settings, eliminating the need for manual configuration of audio quality on the VDA.

Parameter

Adaptive Audio for better quality

Registry

ica.module.EnableAdaptiveAudio

Value

on (default)/off

  • In case of a connection problem, a message is displayed in the desktop session.

Parameter

Shows Session Reliability Notification during the desktop session

Registry

ica.module.srnotification

Value

on (default)/off

VMware Horizon

  • Updated Horizon Client to version 2106.1

Firefox

  • Updated Mozilla Firefox to version 91.3.0 ESR
  • Added a check at boot time which triggers a reset of the Firefox profile if the usage reaches a certain threshold level.
    This is to prevent the profile from filling up completely, in which case the browser would no longer be usable.

Chromium

  • Updated Chromium Browser to version 95.0.4638.69.
  • Added support for hardware accelerated video decoding.

Power Term

  • Updated Ericom PowerTerm LTC to version 14.0.1.62267. This fixes special characters of Eastern European languages.
  • Removed legacy Ericom PowerTerm version 12.0.1.0.20170219.2-dev-34574 due to technical limitations.

Parallels Client

  • Updated Parallels client to version 18.2

ThinLinc

  • Updated ThinLinc client to version 4.13.0

Smartcard

  • Updated Athena IDProtect smartcard library to version 7-20210902. This fixes smartcard logon using Horizon client and CRYPTAS TicTok v2 cards.
  • Updated Gemalto/Thales SafeNet libraries to version 10.8.28.
  • Added configuration parameters for options of PC/SC lite smartcard daemon which are needed in some cases:

Parameter

Maximum number of threads

Registry

scard.pcscd.max_thread

Value

200 (default)

Parameter

Maximum number of card handles per thread

Registry

scard.pcscd.max_card_handle_per_thread

Value

200 (default)

Parameter

Maximum number of card handles per reader

Registry

scard.pcscd.max_card_handle_per_reader

Value

200 (default)

Parameter

Keep card always powered on

Registry

scard.pcscd.power_on

Value

false (default)

Cisco JVDI Client

  • Updated Cisco JVDI to version 14.0.2

Cisco Webex

  • Updated Cisco Webex Meetings VDI Clients to version 41.10.1.18.

Available Cisco WebEx Meetings VDI clients in this release: 41.10.1.18 (default), 41.8.4.11, and 41.6.7.16

Base system

  • Added a prompt to accept the IGEL EULA for usage of the IGEL Starter License.
  • Updated IGEL EULA.

Window manager

  • The location of the notification pop-up window is now configurable.

Parameter

Location of notifications

Registry

windowmanager.wm%.variables.notifications.location

Range

[Top left][Bottom left][Top right][Bottom right][Center]

Value

Bottom right

Shadowing/VNC

  • Added a parameter to adjust the position of the shadow indicator popup window.
    IGEL Setup > System > Remote Access > Shadow

Parameter

Position of the indicator

Registry

userinterface.vncserver.indicatorposition

Range

[Bottom left][Bottom right][Top left][Top right]

Zoom Media Plugin

  • Updated Zoom Plugin to version 5.8.0.36438
    Available Zoom Plugins in this release: 5.8.0.36438 (default), 5.7.6.20822, and 5.5.8.20606

Misc

  • Added a representation of all systemd units installed in the firmware. This is now part of the general support information in UMS (via Support Wizard).

TC Setup (Java)

  • Updated TC Setup to version 6.9.7.
  • Added display of the Energy-Star Logo in the Setup Tool for specific 3rd party devices when the requirements are fulfilled.
  • Added a center snapping feature in TCSetup Display page.

Driver

  • Updated Olympus driver for dictation to version 4.0.1.
  • Added driver for WiFi chipset MediaTek MT7921.

Security Fixes

Firefox

  • Updated Mozilla Firefox to 91.3.0esr
  • aka mfsa2021-49: CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, MOZ-2021-0008, CVE-2021-38508, CVE-2021-38509, MOZ-2021-0007. (MOZ-* pending CVE assignment)
  • aka mfsa2021-45: CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-32810, CVE-2021-38500, CVE-2021-38501.
  • aka mfsa2021-40: CVE-2021-38495.
  • aka mfsa2021-37: CVE-2021-29991.
  • aka mfsa2021-33: CVE-2021-29986, CVE-2021-29981, CVE-2021-29988, CVE-2021-29984, CVE-2021-29980, CVE-2021-29987, CVE-2021-29985, CVE-2021-29982, CVE-2021-29989, CVE-2021-29990.

Chromium

  • Fixed Chromium browser security issues CVE-2021-37973, CVE-2021-37972, CVE-2021-37971, CVE-2021-37970, CVE-2021-37969, CVE-2021-37968, CVE-2021-37967, CVE-2021-37966, CVE-2021-37965, CVE-2021-37964, CVE-2021-37963, CVE-2021-37962, CVE-2021-37961, CVE-2021-37960, CVE-2021-37959, CVE-2021-37958, CVE-2021-37957, CVE-2021-37956, CVE-2021-30633, CVE-2021-30632, CVE-2021-30631, CVE-2021-30630, CVE-2021-30629, CVE-2021-30628, CVE-2021-30627, CVE-2021-30626, CVE-2021-30625, CVE-2021-30624, CVE-2021-30623, CVE-2021-30622, CVE-2021-30621, CVE-2021-30620, CVE-2021-30619, CVE-2021-30618, CVE-2021-30617, CVE-2021-30616, CVE-2021-30615, CVE-2021-30614, CVE-2021-30613, CVE-2021-30612, CVE-2021-30611, CVE-2021-30610, CVE-2021-30609, CVE-2021-30608, CVE-2021-30607, CVE-2021-30606, CVE-2021-30604, CVE-2021-30603, CVE-2021-30602, CVE-2021-30601, CVE-2021-30600, CVE-2021-30599, CVE-2021-30598, CVE-2021-30597, CVE-2021-30596, CVE-2021-30594, CVE-2021-30593, CVE-2021-30592, CVE-2021-30591, CVE-2021-30590, CVE-2021-30589, CVE-2021-30588, CVE-2021-30587, CVE-2021-30586, CVE-2021-30585, CVE-2021-30584, CVE-2021-30583, CVE-2021-30582, CVE-2021-30581, CVE-2021-30580, CVE-2021-30579, CVE-2021-30578, CVE-2021-30577, CVE-2021-30576, CVE-2021-30575, CVE-2021-30574, CVE-2021-30573, CVE-2021-30572, CVE-2021-30571, CVE-2021-30569, CVE-2021-30568, CVE-2021-30567, CVE-2021-30566, CVE-2021-30565, CVE-2021-37976, CVE-2021-37975, CVE-2021-37974, CVE-2021-37977, CVE-2021-37979, CVE-2021-37980, CVE-2021-37981, CVE-2021-37982, CVE-2021-37983, CVE-2021-37984, CVE-2021-37985, CVE-2021-37986, CVE-2021-37987, CVE-2021-37988, CVE-2021-37989, CVE-2021-37990, CVE-2021-37991, CVE-2021-37992, CVE-2021-37993, CVE-2021-37996, CVE-2021-37994, CVE-2021-37995, CVE-2021-38003, CVE-2021-38002, CVE-2021-38001, CVE-2021-38000, CVE-2021-37999, CVE-2021-37998 and CVE-2021-37997.

Resolved Issues

VMware Horizon

  • Fixed Zoom VDI Media Plugin.

Base system

  • Fixed a sporadic firmware update issue where not all partitions were updated and features were not usable. In 11.06.200 a reboot was necessary to get the missing partitions; 11.06.210 substitutes the withdrawn 11.06.200.

Citrix

  • Fixed rarely occurring startup issue with Selfservice and Storefront.
  • The parameter HDX Adaptive Transport over EDT on the setup page
    Sessions -> Citrix -> Citrix Global -> Options has been removed.
    From now on, this value should be set by policy at Citrix server.
  • Added a workaround for the Citrix client in order to correctly check the certificate validity period, independently of the local time zone. To enable the workaround, the following registry key is needed:

Parameter

Activate workaround for certificate validity check

Registry

ica.workaround-cert-validity

Value

enabled/disabled (default)

VMware Horizon

  • Fixed omission of already mapped drives, which are created before the Horizon session is started. These drives are now usable in addition to the drives which are plugged during the runtime of the session.

Chromium

  • Fixed an issue where a set of multiple URLs did not work properly for Chromium Browser sessions.

Network

  • Improved behaviour of ethernet with 802.1X authentication under these conditions:
    network.interfaces.ethernet.device%.ieee8021x.secure_only=false
    and
    network.interfaces.ethernet.device%.insistence=true

    An authenticated and then an unauthenticated connection is tried not only on startup but also when a cable is plugged in late.
  • Fixed global no-proxy list getting effective via gconf2. This e.g. can help Citrix Workspace App using the right proxy configuration.
  • Fixed global no-proxy list: in certain cases entries were not getting effective.

Open VPN

  • Added the following new config parameter:

Registry

sessions.openvpn%.vpnopts.extend_opts

Value

extend parameter as string

These parameters extend the arguments of the VPN command. Parameters that are already set in the GUI must not be used. Enter parameter starting with --.
Example: --ping 10 --ping-restart 120
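
A pre-deployment check for values of sessions.openvpn%.vpnopts.extend_opts, as an added example that is not part of the IGEL release notes or firmware. It enforces the two rules stated above and also flags options that make OpenVPN run external code; the shell-style tokenising and the contents of GUI_MANAGED_EXAMPLE are assumptions, since the page does not list which options the GUI sets.

```python
import shlex

# Assumption: options this profile already sets through the IGEL Setup GUI.
# The release notes do not list them; supply the real set for your profile.
GUI_MANAGED_EXAMPLE = {"--remote", "--port", "--proto", "--cipher", "--auth-user-pass"}

# OpenVPN options that execute scripts or load plugins. A reviewer should see
# these before they reach an endpoint, because they run with the VPN client.
EXEC_OPTIONS = {
    "--up", "--down", "--route-up", "--route-pre-down",
    "--ipchange", "--tls-verify", "--plugin", "--script-security",
}


def split_options(extend_opts):
    """Group tokens into (option, [arguments]) pairs.

    Raises ValueError if the value does not begin with a '--' option or if
    quoting is unbalanced (shlex raises ValueError for that case).
    """
    groups = []
    for tok in shlex.split(extend_opts):
        if tok.startswith("--") and len(tok) > 2:
            groups.append((tok, []))
        elif not groups:
            raise ValueError(f"value must start with a '--' option, got {tok!r}")
        else:
            groups[-1][1].append(tok)
    return groups


def review_extend_opts(extend_opts, gui_managed):
    """Return a list of (kind, message) findings; an empty list means clean."""
    try:
        groups = split_options(extend_opts)
    except ValueError as exc:
        return [("error", str(exc))]

    findings = []
    seen = set()
    for opt, _args in groups:
        if opt in gui_managed:
            findings.append(("conflict", f"{opt} is already set in the GUI"))
        if opt in EXEC_OPTIONS:
            findings.append(("review", f"{opt} lets OpenVPN run external code"))
        if opt in seen:
            findings.append(("duplicate", f"{opt} is given more than once"))
        seen.add(opt)
    return findings


if __name__ == "__main__":
    # Constructed sample values; the first is the example from the release notes.
    samples = [
        "--ping 10 --ping-restart 120",
        "ping 10",
        "--cipher AES-256-GCM --up /wfs/hook.sh",
    ]
    for value in samples:
        print(repr(value), "->", review_extend_opts(value, GUI_MANAGED_EXAMPLE) or "ok")
```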

Base system

  • Fixed suspend action when closing the laptop lid, this is now working properly again.
  • Fixed issue with losing all data on encrypted partitions on each reboot (happened only in rare and special cases).
  • Fixed issues with update/downgrade firmware and encryption key handling.
  • Fixed vanishing of custom partition and chromium/firefox partition in a very special up/downgrade cycle.
  • Fixed missing bluetooth tray icon after login.
  • Fixed missing audio tray icon after login.

Conky

  • Fixed compositor parameter windowmanager.wm0.variables.usecompositing: it is no longer forced off if opacity is set to 255 for Conky.

Window manager

  • Fixed an issue where some taskbar settings from the TCSetup did not trigger the supposed changes.

VNC

  • Fixed keyboard mapping in shadowing sessions, especially with backslash, euro and (at) keys in French keyboard layout.

Component Versions

Clients

Amazon WorkSpaces Client

3.1.9

Chromium

95.0.4638.69-igel1635513789

Cisco JVDI Client

14.0.2

Cisco Webex VDI plugin

41.8.0.19732

Cisco Webex Meetings VDI plugin

41.10.1.18

Cisco Webex Meetings VDI plugin

41.6.7.16

Cisco Webex Meetings VDI plugin

41.8.4.11

Known Issues

Citrix

  • To launch multiple desktop sessions with Citrix HDX RTME and Citrix H.264
    acceleration plugin the following registry key must be enabled:

Parameter

Activate workaround for dual RTME sessions and H264 acceleration

Registry

ica.workaround-dual-rtme

Range

enabled / disabled (default)

  • This workaround is not applicable when "Enable Secure ICA" is active for the
    specific delivery group.
  • Adding smartcard readers while the session is ongoing does not work. The reader is visible, but cannot be used due to permanently unknown reader status.
  • Citrix has known issues with GStreamer 1.0 which describe problems with multimedia redirection of H.264, MPEG1 and MPEG2. GStreamer 1.0 is used if browser content redirection is active.
  • Browser content redirection does not work with activated DRI3 and hardware accelerated H.264 deep compression codec.
  • With activated DRI3 and an AMD GPU, the Citrix H.264 acceleration plugin could freeze. Selective H.264 mode (API v2) is not affected by this issue.
  • Citrix H.264 acceleration plugin does not work with enabled server policy "Optimize for 3D graphics workload" in combination with server policy "Use video codec compression" -> "For the entire screen".
  • With Citrix Workspace app versions 21.04.0 and newer, smartcard authentication fails to forward the PIN correctly into the session for login. Instead the user has to input the PIN a second time within the session. The problem does not occur with Citrix Workspace App 20.10.0.
  • From CWA 2109 onwards, Storebrowse creates a superfluous application icon named "to" without any function.
  • An enabled ica.module.vdcamversion4support parameter can cause problems (e.g. no audio rates within session). Citrix advises not to use this parameter and will offer an alternative solution. For now, the parameter can be used at your own risk.

OSC Installer

  • OSC not deployable with IGEL Deployment Appliance: New version 11.3 is required for 11.06 deployment.

VMware Horizon

  • After disconnect of an RDP based session, the Horizon main window which contains the server or sessions overview, cannot be resized anymore.
  • Copying Text from Horizon Blast sessions is not possible.
  • The on-screen keyboard in Horizon appliance mode does not work correctly with local logon.
    It is necessary to switch off local logon and enable the following two keys via IGEL registry:
    userinterface.softkeyboard.autoshow
    userinterface.softkeyboard.autohide
  • Zoom VDI Media Plugin versions below 5.8.0 make Horizon Client crash upon connection to the remote desktop in cases when TCSetup is running at the same time.
  • When using the PCoIP protocol, the virtual channel provided by VMware used for serial port and scanner redirection can make Horizon client hang on logout from the remote session.
    This happens when enabling scanner or serial port redirection.
    The freeze does not occur if both redirection methods are enabled or none of them. The Blast Protocol isn't affected by this bug.
    The respective settings can be found here in the IGEL Registry:
    vmware.view.enable-serial-port-redir
    vmware.view.enable-scanner-redir
  • Keyboard Input Source Language Synchronization works only when using a local layout which has deadkeys enabled.
    If a keyboard layout is used which has deadkeys disabled (which is the default on IGEL OS), Horizon client falls back to en-US layout.
  • PCoIP sessions may crash in some cases. Please switch to Blast Protocol instead. In case H.264/HEVC encoding would be too demanding for your environment, you can switch it off.
  • Client drive mapping and USB redirection for storage devices can be switched on at the same time but there are problems under some circumstances:
    Horizon Client tracks the drives which are dynamically mounted and adds them to the remote session using client drive mapping, i.e. USB redirection is then not used for these devices.
    However, in case of devices like USB SD card readers, Horizon does not map them as client drives but forcefully uses USB redirection, which results in an unclean unmount.
    As a workaround, the IDs of these card readers can be added to IGEL USB access rules and denied.

Parallels Client

  • Native USB redirection does not work with Parallels Client.

Network

  • Wakeup from system suspend fails on DELL Latitude 5510

WiFi

  • TP-Link Archer T2UH WiFi adapters do not work after system suspend/resume. Workaround: Disable system suspend at IGEL Setup > System > Power Options > Shutdown.

Cisco JVDI Client

  • There may be a segfault shown in the logs (during logout of Citrix Desktop session). Occurs only when using Citrix Workspace App 2010 and Cisco JVDI.

Base system

  • Hyper-V (Generation 2) needs a lot of memory (RAM). The machine needs a sufficient amount of memory allocated.
  • Update from memory stick requires network online state (at least when multiple update stages are involved)
  • Unreliable messages in user dialog for applying settings during boot. Could occur when new settings were fetched from the UMS.

Conky

  • The right screen when using multiscreen environment may not be shown correctly.
    Workaround: The horizontal offset should be set to the width of the monitor (e.g. if the monitor has a width of 1920, the offset should be set to 1920)

Firmware update

  • On devices with 2 GB of flash storage it could happen that there is not enough space for updating all features. In this case, a corresponding error message occurs. Please visit [https://kb.igel.com/igelos-11.04/en/error-not-enough-space-on-local-drive-when-updating-to-igel-os-11-04-or-higher-32870765.html] for a possible solution and additional information.

Appliance Mode

  • When ending a Citrix session in browser appliance mode, the browser is restarted twice instead of once.
  • Appliance mode RHEV/Spice: spice-xpi firefox plugin is no longer supported. The "Console Invocation" has to allow 'Native' client (auto is also possible) and should be started in fullscreen to prevent any opening windows.
  • Browser Appliance mode can fail when the Web URL contains special control characters like ampersands (& character).
    Workaround: Add quotes at the beginning and the end of an affected URL. E.g.:
    'https://www.google.com/search?q=aSearchTerm&source=lnms&tbm=isch'

Audio

  • IGEL UD2 (D220) fails to restore the volume level of the speaker when the device used firmware version 11.01.110 before.
  • Audio jack detection on Advantech POC-W243L does not work. Therefore, sound output goes through a possibly connected headset and also the internal speakers.
  • UD3-M340C: Sound preferences are showing Headphone & Microphone, although not connected.
  • After plugging in a USB headset, the sound does not change to this, although this is indicated in the sound preferences and in Pulseaudio.

Multimedia

  • Multimedia redirection with GStreamer could fail when using Nouveau GPU driver.

Hardware

  • Some newer Delock 62599 active DisplayPort to DVI (4k) adapters only work on INTEL-based devices.

Remote Management

  • AIT feature with IGEL Starter License is only supported by UMS version 6.05.100 or newer.

Release Notes 11.06.150 (Based On 11.06.120)

New Features

Audio

  • Updated EPOS Connect to 7.0.0.19714.

Resolved Issues

Remote Management

  • Fixed keepalive mechanism in rmagent. The mechanism must prevent the UMS from closing the connection prematurely if a remote command takes longer than 30 seconds.

Release Notes 11.06.120 (Based On 11.06.100)

New Features

VMware Horizon

  • Added: dynamically mounted shares are available in the Horizon session as shared folders.

WiFi

  • Updated wireless regdb to 2021-08-28 version.

Imprivata

  • Removed registry key "imprivata.gain_permission". Since OneSign 6.3 is End-Of-Life by July 31 2021, permission is gained by default now.

Base system

  • Added possibility to hide the mouse cursor.
  • Added new registry key:

Parameter

Disable drawing of a mouse cursor.

Registry

x.xserver%.nocursor

Type

bool

Value

enabled / disabled (default)

Security Fixes

Base system

  • Fixed vim security issues CVE-2021-3796 and CVE-2021-3778.
  • Fixed libgd2 security issues CVE-2021-40145, CVE-2021-38115 and CVE-2017-6363.
  • Fixed qtbase-opensource-src security issues CVE-2021-38593 and CVE-2020-17507.
  • Fixed curl security issues CVE-2021-22947, CVE-2021-22946, CVE-2021-22945, CVE-2021-22901, CVE-2021-22898 and CVE-2021-22897.
  • Fixed libxml2 security issues CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517 and CVE-2021-3516.
  • Fixed libslirp security issues CVE-2021-3595, CVE-2021-3594, CVE-2021-3593 and CVE-2021-3592.
  • Updated ca-certificates to version 20210119~20.04.2.
  • Fixed gst-plugins-good1.0 security issues CVE-2021-3498 and CVE-2021-3497.
  • Fixed krb5 security issues CVE-2021-37750, CVE-2021-36222 and CVE-2018-20217.
  • Fixed webkit2gtk security issue CVE-2021-30858.

Resolved Issues

Citrix

  • With CWA 2012, Citrix has revised the client drive mapping. Since then, the user can assign these rights in the session itself. This selection also persists across a reboot; the necessary file is stored persistently on our system.

AVD

  • Fixed ezeep support for AVD.

WiFi

  • Fixed issue with TP-Link AC600 not working on 5GHz (8821au driver).
  • Fixed support for WiFi devices using Realtek 8822bu driver.
  • Fixed Realtek 8852AE Wi-Fi/BT module support for HP t540/t640 (rtw89 driver).

Base system

  • Updated libssh2 to 1.10 version to fix possible problems with windows SSH servers.
  • Fixed unwanted automount of initial settings partition on devices with MMC storage.
  • Fixed sporadic failures during custom partition initialisation.
  • Fixed issues with Renesas based USB devices.
  • Fixed sporadic settings loss while upgrading from IGEL OS 11.05 to 11.06.
  • Fixed issues with Device Encryption while resetting to Factory Defaults.

IgelDesktop

  • Fixed single touch on desktop icon, configurable at IGEL Setup > User Interface > Desktop > "Single click mode".

Window manager

  • Fixed: the taskbar was displayed incorrectly in some special configuration cases.

Audio

  • Added Parameter for pulseaudio for switching headset microphone suspend mode on/off:

Parameter

Disable pci/isa suspend on idle

Registry

multimedia.pulseaudio.daemon.disable-pci-suspend

Range

[auto] [on] [off]

Value

auto

Remote Management

  • Fixed opening communication ports in rmagent - now all network ports use IPv4 only.
  • Changed applying of remote settings received during boot - the settings are synced with the current local settings at the end of the boot process. If these changes require a system interaction to be applied (like restart of some services) then the user is asked about applying. The dialog is optional and quits after a timeout. This bugfix solves the problem, that the "Apply changes" dialog is shown on every boot.

IGEL Cloud Gateway

  • Fixed exchange of the ICG certificate chain.

Release Notes 11.06.100

New Features

Citrix

  • Added Citrix Workspace App 2106
    Available Citrix Workspace Apps in this release: 2106 (default), 2104, and 2010
  • New registry keys:
  • The battery status of the device (notebooks/mobile devices) is now shown within notification area of Citrix Windows Desktop session.

Parameter

Battery status indicator

Registry

ica.module.virtualdriver.mobilereceiver.enable

Type

bool

Value

enabled (default)/ disabled

  • Added registry key for enabling screen pinning or multi-monitor support with native Workspace app.

Parameter

Enhanced experience for Multi-monitor scenario

Registry

ica.authman.screenpinenabled

Value

on (default)/off

  • Added registry key to enable DNS cache.

Parameter

Enable DNS Cache

Registry

ica.authman.dnscacheenabled

Value

off (default)/on

  • Implemented "Synchronize Citrix password with screensaver" for SelfService.
    Parameter for StoreFront was (re-) used for that purpose
  • Updated Citrix HDX RTME 2.9.400
  • Updated Grundig Dictation driver to version 20-09-16.
  • Added passthrough authentication for Citrix SelfService. Activate via parameter:

Setup

Sessions>Citrix>Citrix Global>StoreFront Login

Parameter

Use passthrough authentication

Registry

sessions.pnlogin0.settings.passthrough

Value

false (default) / true

  • Added: All parameters of the Citrix setlog program are now available in IGEL setup via ica.logging.setlog. Logging can be set permanent now.
    Optimized structure of parameters for showing the inheritance more clearly.
  • Added automatic configuration of the Citrix webcam redirection in ICA sessions.

IGEL Setup

Sessions > Citrix > Citrix Global > HDX Multimedia

Parameter

Automatic HDX webcam configuration

Registry

ica.igel_hdxwebcam.enabled

Value

disabled / enabled (default)

Parameter

Resolution grade

Registry

ica.igel_hdxwebcam.quality

Range

[Very low][Low][Normal (default)][High][Very high][Best]

Parameter

Minimal frame rate

Registry

ica.igel_hdxwebcam.framerate

Value

15

  • Added configuration for h.264 encoding in the Citrix webcam redirection

Parameter

HDX Webcam H264 encoding

Registry

ica.wfclient.hdxh264inputenabled

Value

disabled (default) / enabled

  • Added configuration for native h.264 encoding provided by webcam, for usage via the Citrix webcam redirection. This parameter requires the ica.wfclient.hdxh264inputenabled set to true.

Parameter

HDX Webcam H264 native

Registry

ica.wfclient.hdxh264enablenative

Value

disabled (default) / enabled

OSC Installer

  • Enhanced OSC Installer for creation of 'Factory preload images (master images)'
  • Added possibility to add initial settings to OSC Installer ISO.
  • Added support for 'Reset after first boot' for OSC Factory Image function. Further information / details via https://kb.igel.com/igelos-11.05/en/installation-42011487.html

RDP/IGEL RDP Client 2

  • Added multitouch support for RDP Sessions.

Registry

sessions.winconnect%.option.enable-multitouch

Value

enabled / disabled (default)

  • Added parameter to enable serverside audio for RDP sessions

Registry

sessions.winconnect%.option.enable-serverside-audio

Value

enabled / disabled (default)

  • Added option to enable/disable automatic reconnect for RDP session.

Registry

sessions.winconnect%.option.enable-reconnect

Type

bool

Value

enabled (default) / disabled

RD Web Access

  • Added option to enable/disable automatic reconnect for RD Web Access Apps.

Registry

rdp.rd_web_access.enable-reconnect

Type

bool

Value

enabled (default) / disabled

AVD / WVD

  • Renamed WVD (Windows Virtual Desktop) to AVD (Azure Virtual Desktop)
  • Added timezone redirection support.
  • Added AVD printer redirection support.

IGEL Setup

Sessions > AVD > AVD Sessions > AVD Session > Printing > CUPS Printer Redirection

Parameter

CUPS printer redirection

Registry

sessions.wvd%.printing.cups

Value

enabled (default) / disabled

IGEL Setup

Devices > Printer > CUPS > Printers > Add Printer > Mapping in sessions

Parameter

Map printer in AVD sessions

Registry

print.cups.printer%.map_wvd

Value

enabled (default) / disabled

IGEL Setup

Devices > Printer > CUPS > Printers > Add Printer > Mapping in sessions

Parameter

Printer driver

Registry

print.cups.printer%.wvd_printer_driver

  • The default windows driver name is "Microsoft PS Class Driver" which is installed by default and should work in general.
    For usage of a custom printer driver, the exact printer name must be set and corresponding driver must be installed on AVD (server-)side.

RD Web Access

  • Added option to save username and domain for RD WebAccess login. In legacy mode, RD Web Access login uses the settings from Sessions -> RDP -> RDP Global -> Local Logon.

IGEL Setup

Sessions -> RDP -> Remote Desktop Web Access -> Authentication

Parameter

Save username and domain from last login

Registry

rdp.rd_web_access.options.save_user_and_domain

Type

string

Value

[Legacy] (default) [Yes][No]

UD Pocket

  • Added official support for "Secured Kobra Stick" from Digittrade.

VMware Horizon

  • Allow wildcard symbol in Horizon client USB redirection rules:
    Product ID can contain asterisks (*) - * represents one hexadecimal digit.
    Product ID can be left empty which is equivalent to ** - for any Product ID.
  • Added param to enable MS Teams support.
    Changed default of html5 multimedia redirection to enabled.

IGEL Setup

Sessions > Horizon Client > Horizon Client Global > Unified Communications > VDI Solutions

Parameter

HTML5 multimedia redirection

Registry

vmware.view.html5mmr

Type

bool

Value

enabled (default) / disabled

IGEL Setup

Sessions > Horizon Client > Horizon Client Global > Unified Communications > VDI Solutions

Parameter

Microsoft Teams optimization

Registry

vmware.view.vdwebrtc.enable

Type

bool

Value

enabled (default) / disabled

  • Added entry in IGEL Setup regarding Unified Communication:
    In Sessions > Horizon Client > Horizon Client Global > Unified Communications > Cisco
    for enabling VDI support for Cisco Webex Meetings
    and in Sessions > Horizon Client > Horizon Client Global > Unified Communications > VDI Solutions
    for enabling Zoom VDI Media Plugin.

Parallels Client

  • Updated Parallels client to version 18.1.0

IBM_5250

  • Updated IBM iAccess Client Solutions to version 1.1.8.6.

NX client

  • Updated NoMachine client to version 7.1.3

Amazon WorkSpaces Client

  • Updated AWSC to 3.1.9

Chromium

  • Updated Chromium browser to version 91.0.4472.164
  • Added "Block third party cookies" as parameter in the registry.
  • Added h.264 and AAC A/V playback support. A/V playback support is only possible either in Chromium or in Firefox Browser depending on these conditions:
  1. If Chromium feature is disabled, codecs are used in Firefox.
  2. If Firefox feature is disabled, codecs are used in Chromium.
  3. Number of sessions of each browser type are compared, codecs are used for browser with more sessions.
  4. Usage of codecs as configured via set of "default" browser, by
    registry key 'system.default_apps.browser'.
  • Added "Default web browser" configuration

IGEL Setup

Sessions > Chromium Browser > Chromium Browser Global

IGEL Setup

Sessions > Firefox Browser > Firefox Browser Global

Parameter

Default web browser

Registry

system.default_apps.browser

Type

string

Value

Firefox Browser (default)

  • Added new configuration:

IGEL Setup

Sessions > Chromium Browser > Chromium Browser Global > Security

Parameter

Download allowlist

Registry

chromiumglobal.app.mimetype_forced_download

Type

string

Value

application/x-ica; application/x-rdp; application/smil; application/nxs; application/x-java-jnlp-file; application/x-2xa; application/x-sapshortcut; application/x-virt-viewer; image/tiff (default)

IGEL Setup

Sessions > Chromium Browser > Chromium Browser Global > Security

Parameter

Open file types automatically after downloading

Registry

chromiumglobal.app.mimetype_forced_open

Type

string

Value

ica; rpd; smi; smil; nxs; jnlp; vv; tif; tiff (default)

Parameter

File Access

Registry

chromiumglobal.app.file_access_enabled

Type

bool

Value

False (default)

  • Removed redundant "Incognito mode" as it has been replaced by "Allow incognito mode"
  • Renamed "Enable phishing and malware protection" to "Safe Browsing"

IGEL Setup

Sessions > Chromium Browser > Chromium Browser Global > Security

Parameter

Safe Browsing

Registry

chromiumglobal.app.safebrowsing_enabled

Type

bool

Value

False (default)

  • Added the possibility to clean the profile partition when Chromium Browser is not used

Firefox

  • Added "Default web browser" to "Firefox Browser Global"

IGEL Setup

Sessions > Firefox Browser > Firefox Browser Global

IGEL Setup

Sessions > Chromium Browser > Chromium Browser Global

Parameter

Default web browser

Registry

system.default_apps.browser

Type

string

Value

Firefox Browser (default)

  • Moved "Hide local file system" from "Window" to "Security"

IGEL Setup

Sessions > Firefox Browser > Firefox Browser Global > Security

Parameter

Hide local file system

Registry

browserglobal.app.filepicker_dialog_hidden

Type

bool

Value

True (default)

Network

  • Changed names of Ethernet and WiFi interfaces. Apart from some symbolic occurrences "eth0", "eth1", and "wlan0" have been replaced by so-called predictable network interface names.
    Improved reliability of associating configurations with interfaces.
    More than two Ethernet interfaces can be configured by creating further instances of network.interfaces.ethernet.device%.
    The following registry key may be used to explicitly assign a configuration instance to an interface:

Parameter

Fixed interface

Registry

network.interfaces.ethernet.device%.ifname

Type

string

Value

empty Default

  • Added r8152 thirdparty network driver
  • Added new registry key to enable use of r8152 thirdparty driver:

Parameter

Use thirdparty r8152 kernel module.

Registry

network.drivers.r8152.prefer_thirdparty

Range

[Auto][Yes][No]

Value

Auto

  • In the tcpdump configuration eth0, eth1, and wlan0 are treated as symbolic names. These remain functional even if the true interface names are different.
  • "urfkill" tool has been removed from firmware.
  • Following scripts provided by "urfkill" tool are not available anymore:
  • /usr/share/urfkill/scripts/block
    /usr/share/urfkill/scripts/flight-mode
  • If custom scripts use the above-mentioned commands, they may need to be changed to use the 'rfkill' tool to turn radio devices on/off:
    rfkill <block|unblock> <wlan|bluetooth|uwb|wimax|wwan|gps>
    rfkill <block|unblock> all
  • Added registry key for specifying the anonymous identity in authentication methods.
Parameter

Anonymous Identity

Registry

network.interfaces.ethernet.device%.ieee8021x.anonymous_identity

Type

string

Value

empty Default

Parameter

Anonymous Identity

Registry

network.interfaces.wirelesslan.device0.wpa.anonymous_identity

Type

string

Value

empty Default

Parameter

Anonymous Identity

Registry

network.interfaces.wirelesslan.device0.alt_ssid%.wpa.anonymous_identity

Type

string

Value

empty Default

  • Added support for EAP FAST with inner method MSCHAPV2. PAC files are stored persistently in /wfs/eap_fast_pacs/. File names can be determined with the script /bin/gen_pac_filename.sh.
    In internal tests with hostapd, it was necessary to disable TLS1.2 (registry key phase1_direct: tls_disable_tlsv1_2=1). The following registry keys have been added and "FAST" has been added to the range of the corresponding eap_type registry keys:
Parameter

Automatic PAC Provisioning

Registry

network.interfaces.ethernet.device%.ieee8021x.pac_provisioning

Range

[disabled][unauthenticated][authenticated][unrestricted]

Value

unrestricted

Parameter

Automatic PAC Provisioning

Registry

network.interfaces.wirelesslan.device0.wpa.pac_provisioning

Range

[disabled][unauthenticated][authenticated][unrestricted]

Value

unrestricted

Parameter

Automatic PAC Provisioning

Registry

network.interfaces.wirelesslan.device0.alt_ssid%.wpa.pac_provisioning

Range

[disabled][unauthenticated][authenticated][unrestricted]

Value

unrestricted

  • Added Realtek RTL8125 2.5Gigabit Ethernet driver.

WiFi

  • Added new feature WiFi automatic switch on/off. The following registry key has been added:

Parameter

Enable Wi-Fi automatic switch

Registry

network.applet.wireless.enable_wifi_auto_switch

Type

bool

Value

enabled / disabled (default)

  • Enabling this feature in combination with the following registry key will add a menu to WiFi manager applet which enables the user to switch WiFi on, off or select the automatic mode.
Parameter

Enable Wi-Fi switch

Registry

network.applet.wireless.enable_wifi_switch

Type

bool

Value

enabled (default) / disabled

  • When automatic mode is selected, WiFi will automatically switch off if a LAN connection is available, or switch on if the LAN connection gets disconnected.
  • If "Enable Wi-Fi switch" is disabled and "Enable Wi-Fi automatic switch" is enabled, WiFi automatic switch functionality will work in background and user cannot see the menu entry in WiFi manager applet for changing the WiFi mode.
  • NOTE: Any workaround for switching WiFi on/off automatically using custom scripts should be eliminated.
  • Added support for Realtek RTW8852AE WiFi device.

AppliDis

  • Integrated Systancia AppliDis 6.0.0-4

Imprivata

  • Added registry key to overcome the window overlap that complicates the use of the local Setup or hotkeyed applications like the display switch.
IGEL Setup Registry

Registry

imprivata.avoid_focus_ownership

Type

bool

Value

enabled / disabled (default)

  • Added parameter to ignore the VMware protocol selection done by the appliance, local selection.

Parameter

Ignore the demanded VMWare protocol

Registry

imprivata.ignore_horizon_protocol

Default Value

false

Remark

Registry Only

Smartcard

  • Added support for certgate AirID Bluetooth smartcard reader. Enable with Registry parameter scard.pcscd.certgate.airid_enable. In addition, Bluetooth must be enabled in Setup via Devices>Bluetooth.

Parameter

certgate AirID driver for Bluetooth smart card readers

Registry

scard.pcscd.certgate.airid_enable

Value

disabled (default) / enabled

  • Added smartcard reader driver for 'Kobra stick' from Digittrade.

Cisco Webex

  • Added version selection for Cisco Webex Meetings VDI plugins
    Available Cisco Webex Meetings VDI plugins in this release: 41.8.4.11 (default), 41.7.8.5 and 41.6.7.16

  • Added a registry key for enabling the "active version" of Cisco Webex Meetings client.

IGEL Setup

Sessions > Unified Communications > Cisco WebEx Meetings VDI Selection

Parameter

Cisco webex Meetings client version

Registry

multimedia.ciscomeetings.activeversion

Value

41.8.4.11 (default), 41.7.8.5 and 41.6.7.16

  • Note: Webex meetings plugin and application version must match. Otherwise, it may fail to launch Webex VDI optimized meeting.
    With the integration of this selection, the necessary partition size was increased.

  • Updated Cisco Webex VDI to version 41.8.0.19732

Cisco JVDI Client

  • Updated Cisco JVDI to version 14.0.1

Base system

  • Updated IGEL EULA to version April 2021.
  • Removed permission to start mousepad editor for non-root users.
  • Added new registry key to toggle the executable rights via parameter:

Parameter

Permission to start text editor

Registry

system.security.texteditorpermission

Type

bool

Value

enabled / disabled (default)

  • Updated kernel to version 5.12.x
  • Added compressed filesystem for Firefox and Chromium profile partitions.
  • Added IGEL Device Encryption feature. The following registry keys were added:

Parameter

Minimum password length

Registry

system.deviceencryption.pwpolicy.minlen

Type

int

Value

8 Default

Parameter

Minimum amount of upper case letters

Registry

system.deviceencryption.pwpolicy.minupper

Type

int

Value

0 Default

Parameter

Minimum amount of lower case letters

Registry

system.deviceencryption.pwpolicy.minlower

Type

int

Value

1 Default

Parameter

Minimum amount of special characters

Registry

system.deviceencryption.pwpolicy.minspecial

Type

int

Value

0 Default

Parameter

Minimum amount of numbers

Registry

system.deviceencryption.pwpolicy.minnumbers

Type

int

Value

0 Default

Parameter

Special characters allowed

Registry

system.deviceencryption.pwpolicy.specialset

Type

string

Value

!"$%&/()?+~-" Default

Parameter

Unwanted strings in password (comma separated)

Registry

system.deviceencryption.pwpolicy.exclude

Type

string

Value

empty Default

Parameter

The password must contain

Registry

system.deviceencryption.pwpolicy.fulfill

Range

[all][2 of][3 of]

Value

all

Parameter

Deviceencryption state

Registry

system.deviceencryption.state

Range

[0][1][2]

Value

0

Parameter

Password aggregation function

Registry

system.deviceencryption.security_level

Range

[I: Argon2id, 8M/7 ops][II: Argon2id, 128M/3 ops] [III: Argon2id, 256M/3 ops][IV: Argon2id, 512M/3 ops] [V: Argon2id, 1024M/4 ops][VI: Argon2id, 128M/4 ops]

Value

II: Argon2id, 128M/3 ops

Parameter

Security level

Registry

system.deviceencryption.security_mode

Range

[Auto, constant-time][Auto, at least level][Manual]

Value

Auto, constant-time

Parameter

Target time delay (ms)

Registry

system.deviceencryption.security_delay_ms

Type

int

Value

700 Default

Parameter

Device Encryption mode

Registry

system.deviceencryption.mode

Range

[keep][activate][deactivate]

Value

keep

Parameter

Authentication type

Registry

system.deviceencryption.auth_type

Range

[PW]

Value

PW

Parameter

Wipe config and user data upon activation

Registry

system.deviceencryption.wipe_data

Type

bool

Value

enabled / disabled (default)

Parameter

Display password as plain text on logon screen is possible

Registry

system.deviceencryption.option_display_ptpasswd

Type

bool

Value

enabled / disabled (default)

Parameter

Downgrade without warning of data loss

Registry

system.deviceencryption.force_downgrade

Type

bool

Value

enabled / disabled (default)

  • Added new registry to show verbose boot messages and disable the splash (for debugging purposes).

Parameter

Disable splash and show verbose messages on bootup.

Registry

system.kernel.bootparams.noquiet

Type

bool

Value

enabled / disabled (default)

  • Added automatic proxy detection and pac file support for proxy authentication pass through with cntlm
  • Updated French translation
  • Added support for multiple batteries in taskbar. If enabled, taskbar shows a battery indicator for each device battery.

Parameter

Display multi battery

Registry

windowmanager.wm0.variables.battery_indicator.display_multi_battery

Type

bool

Value

enabled / disabled (default)

  • Hide "Other user" label on login screen when not needed.
  • Add TLS options for rsyslog

Parameter

TLS enabled

Registry

system.syslog.output%.tls

Type

bool

Value

enabled / disabled (default)

Parameter

CA Certificate

Registry

system.syslog.output%.cacertificate

Type

string

Value

empty Default

  • Added support to monitor multiple sessions and have a post-session command triggered if all sessions exited successfully. Configurable at setup page: System > Firmware Customization > Custom Commands > Post Session
  • Added configuration for EMP license notification:

Parameter

Enable Enterprise Management Pack license notification

Registry

userinterface.license_notification.enable_enterprise_management_notification

Type

bool

Value

enabled (default)/ disabled

  • Added further configuration of logon with local user password, in Setup on page Security>Logon>Local User and also within IGEL Setup Assistant. The used password parameter is the former screenlock password.

Setup

Security>Logon>Local User

Parameter

Login with local user password

Registry

auth.login.xlock

Value

false (default) / true

Setup

Security>Logon>Local User

Parameter

Password

Registry

sessions.xlock0.options.password

Value

empty (default)

  • Added passthrough NTLM authentication for Firefox. If enabled, user name and password from local logon mask will be used for automatic NTLM authentication to web sites and proxies.

Parameter

Passthrough for NTLM authentication

Registry

auth.login.ntlm.passthrough

Value

false (default) / true

  • Added Single Sign-On NTLM authentication to Firefox after Kerberos smartcard authentication. If enabled, NTLM credentials are retrieved at smartcard logon. These credentials are then used for automatic NTLM authentication to websites and proxies. For this functionality, an appropriate Kerberos keytab has to be specified in parameter auth.krb5.keytab.crypt_password.

Parameter

Store supplemental credentials

Registry

auth.krb5.appdefaults.pam.store_nt_owf_pass

Value

false (default) / true

  • Added client side NTLM authenticating proxy. If it is enabled, applications which use the system proxy settings will connect via this local proxy. It will transparently do NTLM authentication.

Parameter

Enable client side NTLM authenticating proxy

Registry

network.proxy.cntlm.enable

Value

false (default) / true

Parameter

Listening Port

Registry

network.proxy.cntlm.port

Value

3128 (default)

  • Added Kerberos login verification. If this is enabled, login will fail unless a service ticket sent from the KDC/domain controller can be verified. For this, the configuration of an appropriate Kerberos keytab is necessary. The keytab must be encoded in base64.

Parameter

Verify credentials against a local key

Registry

auth.krb5.libdefaults.verify_ap_req_nofail

Value

false (default) / true

Parameter

Keytab (base64)

Registry

auth.krb5.keytab.crypt_password

Value

empty (default)

  • Set device hostname based on a remote asset service.

Parameter

Enable remote asset service

Registry

network.remote_asset.enable

Type

bool

Value

enabled / disabled (default)

Parameter

Url

Registry

network.remote_asset.url

Type

string

Value

empty Default

Parameter

Response type

Registry

network.remote_asset.response_type

Range

[Xml][Json]

Value

Xml

Parameter

Validation path

Registry

network.remote_asset.validation_path

Type

string

Value

empty Default

Parameter

Pre fallback identifier

Registry

network.remote_asset.pre_fallback_identifier

Type

string

Value

ITC Default

Lakeside SysTrack

  • Updated Lakeside SysTrack client plugin for Citrix, RDP and VMWare Horizon Client to version 9.0. New support for Microsoft AVD Client:

Parameter

Lakeside SysTrack

Registry

sessions.wvd<inst>.plugins.lakeside

Value

false (default) / true

Conky

  • Added support for Conky system monitor:
IGEL Setup Accessories > Conky System Monitor > Options

Parameter

Use IGEL Setup for configuration

Registry

userinterface.system_monitor.conky.igelsetupconfig

Type

bool

Value

enabled (default) / disabled

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Monitor

Registry

userinterface.system_monitor.conky.display

Range

[Automatic][1st monitor][2nd monitor][3rd monitor][4th monitor][5th monitor][6th monitor][7th monitor][8th monitor]

Value

1st monitor (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Window type

Registry

userinterface.system_monitor.conky.window_type

Range

[Normal][Desktop][Dock][Panel][Override]

Value

Normal (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Alignment

Registry

userinterface.system_monitor.conky.alignment

Range

[Top Left][Top Right][Top Middle][Bottom Left][Bottom Right][Bottom Middle][Middle Left][Middle Middle][Middle Right]

Value

Top Right (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Layer

Registry

userinterface.system_monitor.conky.hint_layer

Range

[Below][Above][None]

Value

Below (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Decorations

Registry

userinterface.system_monitor.conky.hint_decorations

Type

bool

Value

enabled / disabled (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Show in taskbar

Registry

userinterface.system_monitor.conky.hint_taskbar

Type

bool

Value

enabled / disabled (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Default color

Registry

userinterface.system_monitor.conky.default_color

Type

string

Value

#ff8000 (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Font type

Registry

userinterface.system_monitor.conky.font_type

Type

editable

Value

Monospace (default) / Sans /

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Font size

Registry

userinterface.system_monitor.conky.font_size

Type

integer

Value

8 (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Opacity

Registry

userinterface.system_monitor.conky.opacity

Type

integer

Value

255 (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Borders

Registry

userinterface.system_monitor.conky.draw_borders

Type

bool

Value

enabled / disabled (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Offset horizontal

Registry

userinterface.system_monitor.conky.gap_x

Type

integer

Value

5 (default)

IGEL Setup

Accessories > Conky System Monitor > Options

Parameter

Offset vertical

Registry

userinterface.system_monitor.conky.gap_y

Type

integer

Value

60 (default)

IGEL Setup

Accessories > Conky System Monitor > Custom Setup

Parameter

Config name

Registry

userinterface.system_monitor.conky.custom_config%.config_name

Type

string

Value

empty (default)

IGEL Setup

Accessories > Conky System Monitor > Custom Setup

Parameter

Config value

Registry

userinterface.system_monitor.conky.custom_config%.config_value

Type

string

Value

empty (default)

IGEL Setup

Accessories > Conky System Monitor > Custom Setup

Parameter

Text

Registry

userinterface.system_monitor.conky.custom_text%.text_line

Type

string

Value

empty (default)

Driver

  • Updated Grundig Dictation driver to version 20-09-16. This fixes termination of Citrix sessions when USB devices are plugged or unplugged with Citrix Workspace App newer than 2009.
  • Added basic HyperV DRM driver to support resolution changes during runtime in HyperV VM.

Firmware update

  • Added support for IGEL's automatic update service; supposed to be used for devices during evaluation.

Parameter

Enable automatic update service

Registry

update.auto-service.enable

Range

[During evaluation only][Off]

Value

During evaluation only

Parameter

Check interval

Registry

update.auto-service.interval

Type

integer

Value

0 Default

Parameter

Randomized delay

Registry

update.auto-service.randomized_delay

Type

integer

Value

0 Default

Parameter

Count of maximal delays

Registry

update.auto-service.max_delays

Type

integer

Value

0 Default

Parameter

Timeout for user dialog

Registry

update.auto-service.user_dialog_timeout

Type

integer

Value

0 Default

Parameter

Target version

Registry

update.auto-service.version

Type

string

Value

empty Default

Parameter

Server address

Registry

update.auto-service.server

Type

string

Value

empty Default

  • Added: the sftp protocol now supports the following key exchange methods:
    ecdh-sha2-nistp256 (BSI)
    ecdh-sha2-nistp384 (BSI)
    ecdh-sha2-nistp521 (BSI)
    curve25519-sha256 (BSI)
    curve25519-sha256@libssh.org (BSI)
    diffie-hellman-group-exchange-sha256
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group1-sha1
  • Added: Prevent firmware update if battery level has reached critical status (on battery powered devices). The following registry key has been introduced to configure this option:

Parameter

Allow firmware update even when battery state is critical

Registry

update.update_on_critical_battery_status

Type

bool

Value

enabled / disabled (default)
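The sftp key exchange list above still contains three SHA-1 based methods, so what an update download actually negotiates depends on the server. The following added example (not IGEL code) audits that from `ssh -vv` style debug output; it assumes the order in the release note is the client's preference order, uses the simplified RFC 4253 rule (first client method the server also offers), and runs on constructed log lines with hypothetical host names.

```python
import re

# Key exchange methods as listed in the release note.
# Assumption: the listed order is also the client's preference order.
CLIENT_KEX = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
# The first five entries are the ones the release note marks "(BSI)".
BSI_MARKED = set(CLIENT_KEX[:5])

SECTION = re.compile(r"debug2: (local client|peer server) KEXINIT proposal")
KEX_LINE = re.compile(r"debug2: KEX algorithms: (\S+)")


def peer_kex_from_debug(log_text):
    """Return the server's KEX name-list from OpenSSH `ssh -vv` style output."""
    section = None
    for line in log_text.splitlines():
        match = SECTION.search(line)
        if match:
            section = match.group(1)
            continue
        match = KEX_LINE.search(line)
        if match and section == "peer server":
            return match.group(1).split(",")
    return []


def negotiate(client_prefs, server_offer):
    """Simplified RFC 4253 rule: first client method the server also offers."""
    offered = set(server_offer)
    for name in client_prefs:
        if name in offered:
            return name
    return None


def classify(kex):
    """Bucket a negotiated method by how the release note treats it."""
    if kex is None:
        return "no-common-kex"
    if kex in BSI_MARKED:
        return "bsi-marked"
    if kex.endswith("-sha1"):
        return "sha1"
    return "unmarked"


def audit(host, log_text):
    """Report the negotiated method and any SHA-1 fallback the server keeps open."""
    offer = peer_kex_from_debug(log_text)
    chosen = negotiate(CLIENT_KEX, offer)
    sha1_fallbacks = [k for k in offer if k in CLIENT_KEX and k.endswith("-sha1")]
    return {
        "host": host,
        "negotiated": chosen,
        "class": classify(chosen),
        "sha1_still_offered": sha1_fallbacks,
    }


# Constructed sample input: two servers with different KEX offers.
_LOCAL = "debug2: local client KEXINIT proposal\ndebug2: KEX algorithms: " + ",".join(CLIENT_KEX)
MODERN_SERVER_LOG = _LOCAL + (
    "\ndebug2: peer server KEXINIT proposal"
    "\ndebug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,diffie-hellman-group14-sha1,kex-strict-s-v00@openssh.com"
)
LEGACY_SERVER_LOG = _LOCAL + (
    "\ndebug2: peer server KEXINIT proposal"
    "\ndebug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
)

if __name__ == "__main__":
    for host, log in [("update-modern.example", MODERN_SERVER_LOG),
                      ("update-legacy.example", LEGACY_SERVER_LOG)]:
        print(audit(host, log))
```

On an OpenSSH update server, restricting `KexAlgorithms` in sshd_config to the BSI-marked names removes the SHA-1 fallbacks that the audit reports.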

Driver

  • Updated deviceTRUST client plugin for Citrix, RDP and Amazon WorkSpaces Client to version 20.2.310. New support for Amazon WorkSpaces Client and Microsoft AVD Client, enabling via:

Parameter

deviceTRUST

Registry

awsc.plugins.devicetrust

Value

false (default) / true

Parameter

deviceTRUST

Registry

sessions.wvd<inst>.plugins.devicetrust

Value

false (default) / true

Security Fixes

Firefox

  • Updated Mozilla Firefox to 78.12.0esr
  • aka mfsa2021-29:
    CVE-2021-29970: Use-after-free in accessibility features of a document
    CVE-2021-30547: Out of bounds write in ANGLE
    CVE-2021-29976: Memory safety bugs fixed in Firefox 90 and Firefox ESR 78.12
    Details see: https://www.mozilla.org/en-US/security/advisories/mfsa2021-29/
  • aka mfsa2021-24:
    CVE-2021-29964: Out of bounds-read when parsing a WM_COPYDATA message
    CVE-2021-29967: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
    Details see: https://www.mozilla.org/en-US/security/advisories/mfsa2021-24/
  • aka mfsa2021-15:
    CVE-2021-29951: Mozilla Maintenance Service could have been started or stopped by domain users
    CVE-2021-23994: Out of bound write due to lazy initialization
    CVE-2021-23995: Use-after-free in Responsive Design Mode
    CVE-2021-23998: Secure Lock icon could have been spoofed
    CVE-2021-23961: More internal network hosts could have been probed by a malicious webpage
    CVE-2021-23999: Blob URLs may have been granted additional privileges
    CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL
    CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads
    CVE-2021-29946: Port blocking could be bypassed
    Details see: https://www.mozilla.org/en-US/security/advisories/mfsa2021-15/

Network

  • Sensitive SCEP settings cannot be accessed by the non-root user anymore.

Base system

  • Fixed chromium-browser security issues CVE-2021-21157, CVE-2021-21156, CVE-2021-21155, CVE-2021-21154, CVE-2021-21153, CVE-2021-21152, CVE-2021-21151, CVE-2021-21150, CVE-2021-21149, CVE-2021-21190, CVE-2021-21189, CVE-2021-21188, CVE-2021-21187, CVE-2021-21186, CVE-2021-21185, CVE-2021-21184, CVE-2021-21183, CVE-2021-21182, CVE-2021-21181, CVE-2021-21180, CVE-2021-21179, CVE-2021-21178, CVE-2021-21177, CVE-2021-21176, CVE-2021-21175, CVE-2021-21174, CVE-2021-21173, CVE-2021-21172, CVE-2021-21171, CVE-2021-21170, CVE-2021-21169, CVE-2021-21168, CVE-2021-21167, CVE-2021-21166, CVE-2021-21165, CVE-2021-21164, CVE-2021-21163, CVE-2021-21162, CVE-2021-21161, CVE-2021-21160, CVE-2021-21159, CVE-2020-27844, CVE-2021-21193, CVE-2021-21192, CVE-2021-21191, CVE-2021-21199, CVE-2021-21198, CVE-2021-21197, CVE-2021-21196, CVE-2021-21195, CVE-2021-21194, CVE-2021-21220, CVE-2021-21206, CVE-2021-21221, CVE-2021-21219, CVE-2021-21218, CVE-2021-21217, CVE-2021-21216, CVE-2021-21215, CVE-2021-21214, CVE-2021-21213, CVE-2021-21212, CVE-2021-21211, CVE-2021-21210, CVE-2021-21209, CVE-2021-21208, CVE-2021-21207, CVE-2021-21205, CVE-2021-21204, CVE-2021-21203, CVE-2021-21202, CVE-2021-21201, CVE-2021-21226, CVE-2021-21225, CVE-2021-21224, CVE-2021-21223, CVE-2021-21222, CVE-2021-21233, CVE-2021-21232, CVE-2021-21231, CVE-2021-21230, CVE-2021-21229, CVE-2021-21228, CVE-2021-21227, CVE-2021-30520, CVE-2021-30519, CVE-2021-30518, CVE-2021-30517, CVE-2021-30516, CVE-2021-30515, CVE-2021-30514, CVE-2021-30513, CVE-2021-30512, CVE-2021-30511, CVE-2021-30510, CVE-2021-30509, CVE-2021-30508, CVE-2021-30507, CVE-2021-30506, CVE-2021-30521, CVE-2021-30522, CVE-2021-30523, CVE-2021-30524, CVE-2021-30525, CVE-2021-30526, CVE-2021-30527, CVE-2021-30528, CVE-2021-30529, CVE-2021-30530, CVE-2021-30531, CVE-2021-30532, CVE-2021-30533, CVE-2021-30534, CVE-2021-30535, CVE-2021-21212, CVE-2021-30536, CVE-2021-30537, CVE-2021-30538, CVE-2021-30539, CVE-2021-30540, CVE-2021-30544, CVE-2021-30545, 
CVE-2021-30546, CVE-2021-30547, CVE-2021-30548, CVE-2021-30549, CVE-2021-30550, CVE-2021-30551, CVE-2021-30552, CVE-2021-30553, CVE-2021-30554, CVE-2021-30555, CVE-2021-30556 and CVE-2021-30557.
  • Fixed mysql-5.7 security issues CVE-2021-2060, CVE-2021-2032, CVE-2021-2022, CVE-2021-2014, CVE-2021-2011, CVE-2021-2010, CVE-2021-2307, CVE-2021-2226, CVE-2021-2194, CVE-2021-2180, CVE-2021-2179, CVE-2021-2171, CVE-2021-2169, CVE-2021-2166, CVE-2021-2162, CVE-2021-2154, CVE-2021-2146, CVE-2021-2390, CVE-2021-2389, CVE-2021-2385, CVE-2021-2372 and CVE-2021-2342.
  • Fixed wpa security issue CVE-2021-0326.
  • Fixed openldap security issues CVE-2020-36230, CVE-2020-36229, CVE-2020-36228, CVE-2020-36227, CVE-2020-36226, CVE-2020-36225, CVE-2020-36224, CVE-2020-36223, CVE-2020-36222 and CVE-2020-36221.
  • Fixed qemu security issues CVE-2021-20221, CVE-2021-20181, CVE-2020-35517, CVE-2021-3416, CVE-2021-20263, CVE-2021-20257, CVE-2021-3409, CVE-2021-3392, CVE-2020-25085 and CVE-2020-17380.
  • Fixed zulu8 security issues CVE-2020-14779, CVE-2020-14781, CVE-2020-14782, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798, CVE-2020-14803, CVE-2021-2161, CVE-2021-2163, CVE-2021-2388, CVE-2021-2369 and CVE-2021-2341.
  • Fixed bind9 security issues CVE-2020-8625, CVE-2021-25216, CVE-2021-25215 and CVE-2021-25214.
  • Fixed openssl1.0 security issues CVE-2021-23841 and CVE-2021-23840.
  • Fixed openssl security issues CVE-2021-23841, CVE-2021-23840 and CVE-2021-3449.
  • Fixed openldap security issue CVE-2021-27212.
  • Fixed xterm security issue CVE-2021-27135.
  • Fixed aspell security issue CVE-2019-25051.

  • Fixed nvidia-graphics-drivers-460 security issues CVE-2021-1052, CVE-2021-1053, CVE-2021-1076 and CVE-2021-1077.
  • Fixed python3.6 security issues CVE-2021-3177 and CVE-2020-27619.
  • Fixed tiff security issues CVE-2020-35524 and CVE-2020-35523.
  • Fixed grub2 security issues CVE-2020-14372, CVE-2020-27779, CVE-2020-25632, CVE-2020-25647, CVE-2021-20225, CVE-2021-20233 and CVE-2020-27749.
  • Fixed python2.7 security issue CVE-2021-3177.
  • Fixed glib2.0 security issues CVE-2021-27219, CVE-2021-27218, CVE-2021-2721 and CVE-2021-28153.
  • Fixed pillow security issues CVE-2021-27923, CVE-2021-27922, CVE-2021-27921, CVE-2021-2792, CVE-2021-25293, CVE-2021-25292, CVE-2021-25290, CVE-2021-28678, CVE-2021-28677, CVE-2021-28676, CVE-2021-28675, CVE-2021-25288 and CVE-2021-25287.
  • Fixed libjpeg-turbo security issue CVE-2021-0384.
  • Fixed spice security issue CVE-2021-20201.
  • Fixed openssh security issue CVE-2021-28041.
  • Fixed ldb security issues CVE-2021-20277 and CVE-2020-27840.
  • Fixed lxml security issue CVE-2021-28957.
  • Fixed openjpeg2 security issues CVE-2018-5727, CVE-2018-21010 and CVE-2018-20847.
  • Fixed unzip security issue CVE-2019-13232.
  • Fixed curl security issues CVE-2021-22890 and CVE-2021-22876.
  • Fixed xorg-server security issue CVE-2021-3472.
  • Fixed nettle security issues CVE-2021-20305, CVE-2021-3580 and CVE-2018-16869.
  • Fixed underscore security issue CVE-2021-23358.
  • Fixed network-manager security issue CVE-2021-20297.
  • Fixed libcaca security issue CVE-2021-3410.
  • Fixed gst-plugins-good1.0 security issues CVE-2021-3498 and CVE-2021-3497.
  • Fixed webkit2gtk security issues CVE-2021-1871, CVE-2021-1844, CVE-2021-1788, CVE-2021-30799, CVE-2021-30797, CVE-2021-30795, CVE-2021-30762, CVE-2021-30761, CVE-2021-30758, CVE-2021-30749, CVE-2021-30744, CVE-2021-30734, CVE-2021-30720, CVE-2021-30689, CVE-2021-30682, CVE-2021-30666, CVE-2021-30665, CVE-2021-30663, CVE-2021-30661, CVE-2021-21806, CVE-2021-21779, CVE-2021-21775, CVE-2021-1826, CVE-2021-1825, CVE-2021-1820 and CVE-2021-1817.
  • Fixed samba security issue CVE-2021-20254.
  • Fixed openvpn security issue CVE-2020-15078.
  • Fixed libxml2 security issues CVE-2021-3537, CVE-2021-3518, CVE-2021-3517 and CVE-2021-3516.
  • Fixed djvulibre security issues CVE-2021-3500, CVE-2021-32493, CVE-2021-32492, CVE-2021-32491, CVE-2021-32490 and CVE-2021-3630.
  • Fixed libx11 security issue CVE-2021-31535.
  • Fixed avahi security issue CVE-2021-3468.
  • Fixed qpdf security issues CVE-2021-36978 and CVE-2018-18020.
  • Fixed ffmpeg security issues CVE-2020-22033, CVE-2020-22021, CVE-2020-22019, CVE-2020-22015 and CVE-2020-21041.
  • Fixed systemd security issues CVE-2021-33910 and CVE-2020-13529.
  • Fixed openssl security issues CVE-2021-3712 and CVE-2021-3711.
  • Update of ntfs-3g to solve some security issues.

Audio

  • Fixed libsndfile security issue CVE-2021-3246.

Remote Management

  • Added timeout for Secure VNC and Secure Terminal connections. By default, the timeout is 180 seconds. It can be changed with the environment variable IGEL_TLS_TUNNEL_TIMEOUT (in seconds, 0 for infinite).
  • Fixed a possible privilege escalation while sending user logoff event to the UMS.

VNC

  • Fixed a Secure Terminal and Secure VNC Shadowing remote code execution vulnerability.

Java

  • Updated Zulu-8 JRE to version 8u292.

Resolved Issues

Citrix

  • Improved startup of Citrix USB daemon.
  • Updated Grundig Dictation driver to version 20-09-16. This fixes termination of Citrix sessions when USB devices are plugged / unplugged with Citrix Workspace App newer than 20.09.
  • Fixed: The NSAP virtual channel is loaded correctly and works as expected.
  • Improved dialog for Citrix farm selection.
  • Changed the default value of the parameter 'HDX Adaptive Transport over EDT' to 'TCP only'. With the previous default value 'UDP with fallback to TCP' performance problems occurred.

IGEL Setup

Sessions > Citrix XenDesktop/XenApp > HDX/ICA Global > Options

Parameter

HDX Adaptive Transport over EDT

Registry

ica.wfclient.hdxoverudp

Range

[UDP without fallback to TCP][TCP Only - UDP disabled (default)][UDP with fallback to TCP]

  • Fixed problems with Citrix multimedia redirection
  • Fixed Browser Appliance mode: a white screen was shown when the browser was not closed correctly but the process got terminated.
  • Fixed Citrix login with certain passwords and PINs.
  • Improved start of Citrix logging daemon ctxlogd with CWA 2104
  • Fixed Citrix SelfService passthrough login in case the user interface is set to German.
  • Fixed post-session commands for Citrix sessions: an exception for return code 2 and process wfica was added to the registry under pcom.
  • Updated HDX Realtime Optimization Pack to version 2.9.300

OSC Installer

  • OSC not deployable with IGEL Deployment Appliance: New version 11.3 is required for 11.06.100 deployment.
  • Enhanced the boot cmdline options for OSC

AVD / WVD

  • Fixed access bearer token re-authentication (see also "sign-in frequency" setting in Azure).
  • Fixed issue with AVD workspace names that contain slashes.
  • Fixed timezone redirection for MS-Teams chat/calendar and for Edge browser.
    Note: Page reload or MS-Teams application restart might be needed when the timezone actually changes.
  • Fixed sporadic appearance of claims token dialog while in a running session.
  • Fixed claims token dialog being shown when session reconnects happen too fast (within 60s).
  • Added: Set the HttpAcceptLanguage property in browser instance to the currently selected language for showing the Azure login page in the correct language.

VMware Horizon

  • Fixed the broken session handling when using Webex Teams where the Horizon session could only be started once.
  • Fixed 'Remember last user' functionality in Appliance Mode.
  • Fixed Horizon session bouncing back to login
  • Fixed setting regarding Blast HEVC decoding:
    vmware.view.blast-hevc
  • Fixed setting regarding synchronization of lock modifiers (num lock, shift lock and scroll lock):
    vmware.view.enable-sync-numlock

Parallels Client

  • Fixed an issue where the post-session command got triggered too early

IBM_5250

  • Fixed error in iAccess configuration.

Chromium

  • Fixed browser certificates were lost after reboot if UMS was not reachable
  • Fixed too small chromium profile partition.
  • Removed parameter "On startup->Continue where you left off" for Chromium sessions
  • Added "Autostart requires network" to Chromium Browser Session settings
  • Modified: 'Automatic browser restart on exit' no longer needs a reboot to be deactivated
  • Removed option On Startup->"Continue where you left off" for Chromium sessions, this feature only works globally
  • Fixed reboot was required to toggle the splash screen
  • Modified: 'Automatic browser restart on exit' does now restart every time the browser is closed
  • Fixed 'Language' and 'Chromium translation' was not working as expected
  • Changed: Replaced download location prompt by download confirmation popup
  • Added warning popup if downloads are blocked
  • Fixed: Auto-opened files will not be blocked (e.g. ica connection files)
  • Added: RDP now works with Chromium Browser

Network

  • The currently used parameter tls-remote is deprecated and was removed in openVPN 2.4.
    It was changed to verify-x509-name.
  • Certificate keys without passwords can be used.
  • Improved network device order for LG Electronics CL60.
  • Improved WWAN device connection activation.
  • Fixed handling 802.1X registry keys phase1_direct, phase2_direct
  • Improved network interface order for LG Electronics 27CN650W (dmi product_name CN65)

WiFi

  • Added registry key for tweaking the WPA supplicant. In general, the value is a comma-separated list of names. If it contains LATESUCCESS, a late EAP-Success message will be ignored. When such a message arrives, it had been dropped. This might cause WPA Enterprise authentication to restart.

Parameter

IGEL Tweaks

Registry

network.interfaces.wirelesslan.device0.wpa.igel_tweaks

Type

string

Value

empty (default)

  • Added registry key to activate usage of the Broadcom STA driver (needed for older Broadcom WiFi devices)

Parameter

Use broadcom sta driver instead of b43 for WLAN.

Registry

network.drivers.broadcom.use_broadcom_sta

Type

bool

Value

enabled / disabled (default)

  • Updated wireless regulatory database to version from July 2021.

Open VPN

  • Added: Certificate keys without passwords can be used.
  • Added new config parameter in dropdown menu to use tls-crypt

Imprivata

  • Fixed Horizon session bouncing back to login
  • Fixed missing vendor logo
  • Fixed: Horizon failed to launch
  • Removed outdated parameter: imprivata.xen_new_session

Smartcard

  • Fixed problem with Nexus Personal smartcard in Gemalto IDBridge CT30 reader via Citrix and RDP
  • Fixed smartcard resource manager: if an eject of a card fails, a reset of the card is performed.

Base system

  • Fixed: Options dialog keeps the settings which were previously set
  • Fixed boot problems caused by 2 partitions being marked active (legacy boot with GPT partition table).
  • Fixed support for Datalogic barcode scanner.
  • Fixed keyboard layout switcher: show popup menu for selecting layouts also in screen lock and logon screen; show correct keyboard layout after switching from or to lock screen.
  • Fixed an issue where the post-session command was not triggering Media Player and Chromium Browser sessions.
  • Added: Windows key can be used as modifier for all hotkeys. AltGr does not work as modifier.
  • Fixed a graphics distortion in IGEL Setup Assistant
  • Fixed an issue with VMware Horizon not triggering the post-session command.
  • Fixed an issue with RDP not triggering the post-session command on session disconnect.
  • Fixed ntlm_auth helper to terminate gracefully if no password is given.
  • Minimized periodic write access to flash drive.
  • Fixed: Bootcode update is done on each reboot on some EFI devices.
  • Added: Setup parameters are also checked after suspend.
  • Fixed an issue with powerplan switching via the systray icon on systems with specific Intel CPUs.
  • Fixed an issue where the post-session command was not triggered at sessions with long binary names, for example VMware Horizon.
  • Fixed system proxy handling for Chromium and Firefox
  • Added: An improved implementation of the post-session command mechanism has been integrated.
  • Fixed system messages where lines were cut off
  • Fixed usable space issues with self extracting factory preload images.

X11 system

  • Fixed screen sorting order to be independent from screen startup time (GTK-3)
  • Fixed panel on wrong screen, when original one takes longer to start
  • Fixed start menu (whiskermenu) restart due to crash
  • Fixed taskbar hide/show delay has no effect
  • Fixed Turkish (Q) and Turkish (F) keyboard layout configuration.
  • Fixed panel keyboard layout indicator for French(Switzerland), Turkish (Q) and Turkish (F) keyboard layouts.
  • Fixed screen configuration done with monitor defaults on the 2nd graphic card.
  • Fixed touchscreen screen configuration when screen is connected on the 2nd graphic card.

X server

  • Fixed issue with screen staying black if master monitor in a DisplayPort Daisy Chaining environment is turned off and on again.

Window manager

  • Fixed an issue where disabling the local window manager caused a significant boot delay.
  • Desktop Icon Font Color will now be previewed correctly in the setup.

VirtualBox

  • Fixed screen remains black after start in VirtualBox multi-monitor configurations.
  • Fixed second screen in VirtualBox environment is only configured with 1024x768.
  • Fixed issue with getting screen resolution from special VirtualBox version.

Audio

  • Fixed non-working audio on Intel Tiger Lake-based devices.
  • Added handling for microphone mute multimedia key.
  • Added possibility to disable PCI audio; this includes internal speaker and HDMI/DP audio.

Registry

multimedia.disable_audio.pci

Value

true / false (default)

  • For consistency, moved parameter multimedia.webcam.disable_audio to multimedia.disable_audio.webcam

Registry

multimedia.disable_audio.webcam

Value

true / false (default)

  • Improved playback function in the ALSA Pulse PCM invoked by applications using the ALSA API (Citrix ICA Receiver).
  • Fixed automatic start of output audio stream in ALSA Pulse PCM. The bug caused a complete freeze of a Parallels session during audio playback.
  • Fixed autostart of ALSA Pulse PCM.

Multimedia

  • Fixed playback of Zoom recordings if hardware accelerated decoder is used.
  • Fixed hardware accelerated decoding of Zoom recordings on VA-API platforms.

Hardware

  • Fixed issue with limited colors on the DisplayPort 1 of UD2 LX50.
  • Fixed touchpad issues for some Dynabook laptops (for devices with and without fingerprint reader within touchpad).
  • Added possibility to use Touchpad toggle FN key.
  • Added new registry keys to possibly solve some touchpad issues

Parameter

Blacklist i2c-i801 driver.

Registry

system.module_params.i2c_i801.blacklist

Range

[Default][Yes][No]

Value

Default (blacklist as there are some known problems)

Parameter

Set this if touchpad is a synaptics intertouch device.

Registry

system.module_params.psmouse.synaptics_intertouch

Type

bool

Value

enabled / disabled (default)

Parameter

Set this if touchpad needs the a4tech workaround.

Registry

system.module_params.psmouse.a4tech_workaround

Type

bool

Value

enabled / disabled (default)

Parameter

Compat protocol to use can help with non working touchpads.

Registry

system.module_params.psmouse.protocol

Range

[Default][PS/2][ImPS/2][ImExPS/2]

Value

Default

Parameter

Resolution in dpi (0 means use default).

Registry

system.module_params.psmouse.resolution

Type

integer

Value

0 (default)

Parameter

Report rate in reports per second (0 means use default).

Registry

system.module_params.psmouse.rate

Type

integer

Value

0 (default)

Parameter

Reset device after so many packages (0 means never).

Registry

system.module_params.psmouse.resetafter

Type

integer

Value

0 (default)

Parameter

Mouse idle time before forcing resync in seconds (0 means never).

Registry

system.module_params.psmouse.resync_time

Type

integer

Value

0 (default)

Remote Management

  • Modified AssetInfo:
    Recurring ADD/REMOVE commands for the same device are suppressed within 30 seconds.
  • Fixed the indefinite time point of applying remote settings during boot. The received remote settings are now merged and applied at the same time (at the end of the boot process).
  • Fixed handling of UMS scheduled jobs during boot process.
  • Fixed WOL proxy command.
  • Fixed execution of generic commands (Deploy Jabra Xpress package) when invoked as UMS scheduled job.
  • Fixed online check mechanism if client has more than one active network interface.
  • Fixed broken UMS Registering dialog.

IGEL Cloud Gateway

  • Fixed unreliable ICG status shown by ICG tray icon.
  • Fixed security issue in remote management: the UMS server certificate is now validated for incoming UMS requests if the endpoint has an established connection to ICG.