Setting Up a Closed Mode Station

Scenario: You want to configure a Desigo CC installed client station to run in closed mode, which means the Desigo CC software runs at all times and no other Windows applications (Task Manager, Taskbar, or desktop icons) can be accessed by the logged on operator.

 

Prevent access to system folders in closed-mode stations
Due to security reasons, in closed-mode stations it is recommended to hide critical system folders on local drive for the closed-mode user (GMSDefaultUser).

 

Reference: For background information, see the reference section.

 

Workflow diagram:

 

 

Steps:

1 – Check the GmsDefaultUser Accounts for Closed Mode

The closed-mode service requires local Windows GmsDefaultUser accounts on the Desigo CC server station and on the client stations that will operate in closed mode.
If these Windows accounts do not yet exist, you can create them on each computer using SMC. The passwords of these Windows accounts must all be the same.

Closed mode also requires a Desigo CC GmsDefaultUser account in the project. This account is automatically created, but you need to check that its password matches that of the Windows accounts.

  1. On the Desigo CC server station, start SMC, select the System node, and in the Settings expander check the Closed mode user section.
    (In SMC System Settings, see Settings Expander.)
  • If the user does not yet exist, click Create, enter a password twice (note it down), and finally click Save . This creates the Windows GmsDefaultUser on this computer, and sets the same password in SMC.
  • If the user exists and the Password label is black, this means that the Windows GmsDefaultUser account exists on this computer, and its password correctly matches the one set in SMC.
  • If the user already exists but the Password label is red, this means that the password set in SMC does not match that of the Windows GmsDefaultUser on this computer.
    In SMC, enter the correct password of the Windows user. If you do not know it, go to Align the GmsDefaultUser Passwords for Closed Mode, below.
  1. On each client station that you want to set in closed mode, start SMC, select the System node, and in the Settings expander check the Closed mode section:
  • If the user does not yet exist, click Create, enter twice the same password you used on the Desigo CC server station, and click Save . This creates a Windows GmsDefaultUser on this computer.
    If you do not know the password set on the server station, go to Align the GmsDefaultUser Passwords for Closed Mode, below.
  • If the user already exists and the Password label is black, this means that the password of the Windows GmsDefaultUser on this computer correctly matches the one in SMC. They should also match the corresponding password on the server station.
    If you are not sure, go to Align the GmsDefaultUser Passwords for Closed Mode, below.
  • If the user already exists but the Password label is red, it means the password of the Windows GmsDefaultUser on this computer does not match the one set in SMC. You need to enter in SMC the correct password of the Windows user on this computer.
    This password must also match the one used the password used on the server station. If you do not know it, go to Align the GmsDefaultUser Passwords for Closed Mode, below.
  1. From any station, start the Desigo CC client application and switch it to Engineering mode. Then set the password for the GmsDefaultUser in Desigo CC as follows:
    a. In System Browser, select Management View.
    b. Select System Settings > Users.
    c. In the Users tab, select GmsDefaultUser.
    d.     In the Change Password expander, enter the same password that you used for the Windows GmsDefaultUser accounts and in SMC.
    e. Click Apply.
    If you do not know the password, go to Align the GmsDefaultUser Passwords for Closed Mode, below.

 

2 – Align the GmsDefaultUser Passwords for Closed Mode

For closed mode to function, the Windows GMSDefaultUser passwords on all the stations must be identical, and also match the closed mode password set in SMC, and the Desigo CC GMSDefaultUser password set in the project.

If you have a problem with a mismatch, or if you need to change the GMSDefaultUser password because it is expired, perform this procedure to set the same password throughout.

  1. On each Desigo CC station, set the same Windows GMSDefaultUser password as follows:
    a. Click the Windows Start button, right-click Computer, and select Manage.
    b. In the Computer Management Console tree, select Users.
    c. Right-click the GmsDefaultUser user account, and click Set Password.
    d. Read the warning message and click Proceed.
    e. In the New password and Confirm password fields, enter the password you want to set.
    f. Click OK.
    g. Close the Computer Management window.
  1. Set a matching password for the closed mode service in SMC as follows:
    a. Launch SMC.
    b. Select the System node and open the Settings expander.
    c. In the closed mode Password field, enter the same password that you set for the Windows GMSDefaultUser accounts in the preceding step.
  1. Set a matching password for the GMSDefaultUser in Desigo CC as follows:
    a. Launch the Desigo CC client application.
    b. Set System Manager to Engineering mode.
    c.     In System Browser, select Management View.
    d. Select Project > System Settings > Users.
    e. Select GmsDefaultUser.
    f. In the Change Password expander, enter the password into the New password and Confirm new password fields. This must be the same password that you used in the preceding two steps.
    j. Click Apply.
  • The GMSDefaultUser passwords are aligned.

 

3 – Set the GmsDefaultUser Account Password that Never Expires

SMC does not create the GmsDefaultUser account with Password Never Expires option enabled. You may want to set this option as described in this section.

Before setting this option, check with the IT security manager whether setting a password that never expires can comply with the security policy of your network. If this option not permitted, when the password expires you must perform the password-alignment procedure to set a new consistent password throughout.

  1. Click the Windows Start button, search for MMC, and press ENTER.
    NOTE: Only users with administrator privileges can use the MMC. If the UAC (User Account Control) is enabled, it may happen that you are prompted for administrator password or confirmation.
  1. In the Console left pane, select Local Users and Groups.
    NOTE: If Local Users and Groups is not visible, it is probably because this snap-in has not been added to MMC. Proceed as follows to install it:
    a. In the Console window, select File > Add/Remove Snap-in.
    b. Select Local Users and Groups and click Add.
    c. Select the Local computer option, click Finish and then click OK.
  1. Select the Users folder.
  1. In the Console window, right-click GmsDefaultUser and select Properties.
  1. In the Properties dialog box, select the following option: Password never expires.
  1. Click OK.
  1. Select File > Exit.

 

4 – Check GmsDefaultUser Permission on the Project Folder

The GmsDefaultUser Windows user must have access to the shared project folder on the server disk.

 

Restriction in Distributed Systems
The GmsDefaultUser can only see the system where the user exists. It is not possible to configure the GmsDefaultUser to see other nodes of the Distributed System.

 

  1. On the Desigo CC server station, start SMC.
  1. In the SMC tree, expand the Projects node and select the project you want to share.
  1. If the project is running, click to Stop it.
  1. Click Edit .
  1. In the Server Project Information expander, make sure to select the Distribution participant check box.
  1. In the Project Shares expander, select the Share Project check box.
    (In SMC Project Modification Settings, see Project Shares Expander.)
  1. Click Add.
  1. In the Select User or Group dialog box, enter GmsDefaultUser or locate and select it the list of local users.
  1. Click OK.
  • The GmsDefaultUser is added in the Project Shares expander.
  1. Click Save .
  1. Click Start .

.

 

5 – Check GmsDefaultUser Permission on the Host Certificate Private Key

The GmsDefaultUser Windows user must have read access to the private key of the host certificate created for the closed-mode client station.

  • You set up a Secured communication between the Desigo CC server and client stations.
    NOTE: If the communication is set to Unsecured, you can skip this procedure.
  • You imported the client host certificate into the client station that you want to set to closed mode.
  1. On the closed-mode client station, click the Windows Start button, launch MMC, and set it to view and manage the Local Computer certificates (Certificates > Computer account).
    For instructions on how to do this, see: https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx.
  1. In the Console Root pane, select Certificates (Local Computer) > Personal folder.
  • The list of certificates displays. One of them is the client host certificate that takes the computer name.
    NOTE: If the client host certificate is not present, it may mean that it was not yet imported or was imported for an individual user only.
    In this case, stop this procedure and verify the SMC configuration for communication security.
  1. Right-click the imported client host certificate and select All Tasks > Manage Private Keys.
  • The Permission for <certificate> private keys dialog box displays.
  1. Make sure that the GmsDefaultUser has the read permission (Allow/Read check box selected).
  • If the GmsDefaultUser is not present, click Add, select it, and click OK.
  • If the GmsDefaultUser has no read access, select the Allow/Read check box.
  • Click OK.

 

Related Topics

In SMC, see:

 

6 – Apply Closed Mode to the Client Station
  • System Manager is in Engineering mode.
  1. In System Browser, select Management View.
  1. Select one of the following:
  • Project > Management System > Clients > [client station]
  • Project > Management System > FEPs > [FEP station]
  • The System Management tab displays.
  1. Select the Closed mode check box.
  1. Click Save .
  • The station operator is prompted to switch over to closed mode. This happens immediately if Desigo CC is already running, or otherwise the next time Desigo CC is started.
    The operator must click Do Now to accept. The current user is automatically logged off and Desigo CC then starts up in closed mode, with the GMSDefaultUser automatically logged on.

 

- To restore a closed mode station to normal operation, see Removing Closed Mode from a Station.
- To troubleshoot closed mode, see Unlocking a Station in Closed Mode.