​Transform Any x86-64 PC and Laptop into a

Designed and optimized for:

Amazon WorkSpaces, Citrix, Microsoft (RDS, AVD, Windows 365), Omnissa Horizon, NComputing (vSpace Pro, VERDE VDI), Parallels RAS, UDS Enterprise, and Dizzion Frame.

ABOUT LEAF OS FOR X86-64 PCS, LAPTOPS AND THIN CLIENTS

NComputing LEAF OS is a next-generation software endpoint solution that transforms any x86-64 PC or laptop into a secure and centrally managed endpoint.

Designed and optimized for Amazon WorkSpaces, Citrix, Dizzion Frame, Microsoft (RDS, AVD, Windows 365), NComputing (vSpace Pro Enterprise, VERDE VDI and Remote Access), Omnissa Horizon, Parallels, and Virtual Cable UDS Enterprise, LEAF OS delivers a secure computing environment to access virtual desktops and virtual apps from any x86-64 system. It can be used as a self-contained operating system when booted from a USB drive. This methodology leaves the user's existing operating system, files, and hard drive untouched while providing an ideal environment for work-from-home use cases. When users finish their work, a simple reboot to their native OS restores their device to personal use.

Alternatively, LEAF OS can be used to repurpose PCs and laptops by converting any x86-64 hardware from a stand-alone computer to a dedicated thin client by installing directly onto an internal hard drive, removing the old system and files. This method extends the usefulness of aging computers using end-of-life operating systems like Windows 7 while giving users powerful up-to-date desktops.

LEAF OS also comes with integrated local Chromium browser support, providing additional flexibility such as web kiosk mode or productivity mode with direct access to web content and web apps without desktop virtualization. Other popular applications such as local Microsoft Teams PWA and Zoom are supported.

LEAF OS secure boot runs on x86-64 platforms, protecting the system against malicious code by ensuring only authenticated software runs on the device.

LEAF OS devices can be remotely managed by the IT admin via NComputing PMC Endpoint Manager. LEAF OS devices provide a simple-to-deploy, centrally managed, high-performance virtual desktop, perfect for use in SMB and SME organizations with Daas or VDI deployment.

MINIMUM PC AND LAPTOP HARDWARE REQUIREMENTS FOR LEAF OS

• Standard x86-64 compatible processor, based on either BIOS or UEFI motherboard firmware with USB boot support.
• The system should have at least 8GB flash/HDD storage.
• The system should have at least 2GB RAM. 4GB or more RAM is required for use cases relying heavily on local Linux applications. 
• PCs and laptops with Secure Boot enabled are also supported.

SUPPORTED DAAS AND VIRTUAL DESKTOP ENVIRONMENTS

• Amazon 

• Amazon WorkSpaces

• Citrix

• Citrix DaaS
• Citrix Virtual Apps and Desktops 7 1808 or newer
• Citrix StoreFront 3.0 or newer, StoreFront 1811 or newer (including connections through Citrix Gateways)
• Citrix XenApp/XenDesktop 7.6 or newer
• Citrix Web Interface 5.4 

• Dizzion Frame
• Omnissa

• Omnissa Horizon Cloud
• Omnissa Horizon 8 version 2006 and later
• VMware Horizon 7 version 7.13 and later

• Microsoft 

• Azure Virtual Desktop (AVD)

• Deployments in Azure Commercial Cloud

• AVD (ARM-based) – formerly known as Spring 2020 release
• AVD (Classic) – formerly known as Fall 2019 release

• Deployments in Azure Government Cloud

• Microsoft Windows 365 – Cloud PC
• Microsoft Windows 365 Frontline
• Microsoft Remote Desktop Services (RDS)

• Microsoft Windows Server systems:

• Windows Server 2025
• Windows Server 2022
• Windows Server 2019
• Windows Server 2016
• Windows Server 2016 (Multipoint Services)
• Windows Server 2012 R2
• Windows Server Multipoint Server 2012
• Windows Server 2008 R2

• Microsoft Windows desktop systems:

• Windows 11
• Windows 10
• Windows 8.1
• Windows 7

• NComputing 

• VERDE VDI, VERDE Secure Browser, and VERDE Remote Access (version 8.3.4.1 or higher)
• vSpace Pro Enterprise (version 12.9.1 or higher) 

• Parallels 

• Parallels RAS Core (version 20.1 or higher)

• Virtual Cable 

• UDS Enterprise 4.0

SUPPORTED APPLICATIONS

Following desktop virtualization clients can be added to the list of LEAF OS applications and presented in LEAF OS Start Menu, App Launcher, or on LEAF OS desktop:

• Amazon WorkSpaces
• AVD Client (for AVD, Windows 365, and Frontline)
• Citrix Workspace App
• Dizzion Frame Client
• NComputing VERDE VDI Client
• NComputing vSpace Client
• Omnissa Horizon Client
• Parallels RAS Client
• RDP Client
• Virtual Cable UDS Enterprise Client

LEAF OS also comes with integrated local applications support for extended functionality without solely relying on the desktop virtualization environment. The built-in local applications are:

• Chromium browser
• Microsoft Teams PWA (Progressive Web Application)
• Zoom

Other x86-64 Linux applications can be additionally deployed as custom or packaged LEAF OS applications. Click here to learn more.

AMAZON WORKSPACES LINUX CLIENT INTEGRATION

Amazon WorkSpaces is a cloud-based desktop virtualization service built on AWS, providing both Windows and Linux desktops. With the integration of the Amazon WorkSpaces Client, organizations can seamlessly configure and run Amazon WorkSpaces sessions on LEAF OS.

Amazon Workspaces Client integrated in LEAF OS supports following features:

• WorkSpaces Protocol (WSP) for high-performance remote desktop experience
• Dual display
• Selected peripheral devices

AZURE VIRTUAL DESKTOP AND WINDOWS 365 CLIENT FEATURES

• Multi-Factor Authentication (MFA) and conditional MFA support
• Smart card authentication
• Microsoft Entra Single Sign-On (SSO)
• Support for RemoteApp programs and desktops
• Kiosk mode auto-login
• Microsoft Teams optimization (local processing of audio and video) in AVD, Windows 365, and Frontline
• RDP Shortpath (UDP-based transport protocol)
• Support for peripheral devices:

• USB webcams
• USB and network printers
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio (beta preview)
• USB smart card readers and security keys 
• Multi-touch touchscreens
• Other USB devices through Generic USB redirection

• Clipboard redirection support
• AAC audio codec support for low latency audio applications
• Native dual display support with independent screen rotation
• Please refer to the ‘LEAF OS AVD and Windows365 Setup Guide’ for step-by-step procedures.

CITRIX WORKSPACE APP FEATURES

• Citrix Workspace app for Linux (version 2411 and 2303) integration
• Microsoft Teams optimization and Zoom Meetings optimization for smoother video conferencing
• Browser Content Redirection (BCR) support
• H.264 (video codec) support
• HDX Adaptive Transport (Enlightened Data Transport protocol) support
• Session Reliability (Common Gateway Protocol) support
• Dual display with independent screen rotation
• Desktop Viewer Toolbar support
• Support for StoreFront application subscriptions
• Guest mode and auto-launch support
• FIDO2 authentication support
• Support for peripheral devices:

• USB webcams
• USB and network printers
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio (beta preview)
• USB smart card readers and security keys
• Serial ports
• Other USB devices through Generic USB redirection

• Citrix custom parameters support
• Ability to launch Citrix sessions with native Citrix Workspace app engine from local web browser

Please refer to the ‘LEAF OS Citrix Setup Guide’ for step-by-step procedures.

OMNISSA HORIZON CLIENT FEATURES

• Omnissa Horizon Client for Linux (version 2503) integration 
• Omnissa Blast & PCoIP protocol support
• Omnissa Blast H.264 decoding and AV1 decoding support
• Microsoft Teams Optimization
• HTML5 Multimedia Redirection (HTML5 MMR) & Browser Content Redirection support
• Multimedia Redirection (MMR) support
• Dual display with independent screen rotation
• Drop down menu bar support
• Guest mode and auto-launch support
• Ability to remember last logged user name
• Support for peripheral devices:

• USB webcams
• USB and network printers
• Document scanner
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio
• USB smart card readers and security keys
• Serial ports
• Other USB devices through Generic USB redirection

• Please refer to the LEAF OS Omnissa Horizon Setup Guide for step-by-step procedures.

PARALLELS RAS CLIENT FEATURES

• Parallels RAS Client for Linux (version 20.2) integration 
• Dual display support
• Kiosk mode auto-launch support
• Support for peripheral devices:

• USB webcams
• USB and network printers
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio (beta preview)
• USB smart card readers
• Serial ports

VIRTUAL CABLE UDS ENTERPRISE CLIENT FEATURES

• UDS Enterprise Client for Linux (version 4.0) integration
• Support for UDS Enterprise virtual applications and desktops
• Support for Microsoft Teams optimization (audio/video) when using AVD client type in RDP sessions
• Support for peripheral devices:

• USB webcams
• USB and network printers
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio (beta preview)
• USB smart card readers and security keys 
• Multi-touch touchscreens
• Other USB devices through Generic USB redirection

• Native dual display support with independent screen rotation

DIZZION FRAME CLIENT FEATURES

• Frame Client for Linux (version 7.8.1) integration
• Native dual display support
• Auto-launch support

INTEGRATED VPN CLIENTS

• OpenVPN
• OpenConnect VPN
• PPTP
• IPSec/L2TP
• IPSec/IKEv2
• FortiClient SSL VPN

LEAF OS EXECUTION MODES

Enable BYOD with LEAF OS live boot from USB flash drive:

A bootable USB flash drive can be created containing LEAF OS. Any x86-64 hardware device can boot to LEAF OS and instantly become a locked-down NComputing thin client. LEAF OS does not replace the underlying operating system in this case. When users finish their work, simply reboot from the native OS providing an ideal work-from-home environment.

Revitalize aging PCs/Laptops by repurposing with LEAF OS:

LEAF OS can also be flashed directly to the internal hard drive, turning any x64 PC or laptop (with BIOS or UEFI motherboard firmware) into a permanently repurposed, high-performance thin client.

Supported internal storage type for PC/laptop/thin client repurposing:

• HDD
• SSD
• eMMC
• NVMe

SUPPORTED ENDPOINT MANAGEMENT SYSTEMS

Device configuration version used by this LEAF OS version

PMC Endpoint Management (version 4.1 and higher)

LEAF OS device license comes with a perpetual license to use PMC endpoint management. LEAF OS devices can be easily configured using PMC Endpoint management software. An admin can remotely manage LEAF OS devices over local and wide-area networks, including locations behind firewalls and NAT-routers through an easy-to-use, web-based user interface. PMC comes with automatic discovery, check-in and configuration provisioning of new devices making deployment easy. Administrators can setup device profiles complete with all settings and configurations, then push the profile to individual or grouped devices. Only a few clicks are needed to schedule device firmware updates, access the summary dashboard or view the detailed event logging. Users are always up-to-date with the latest technology.

To ensure smooth transition and uninterrupted management ability, NComputing suggests updating PMC to latest version before upgrading to the latest LEAF OS version. To be able to remotely manage LEAF OS devices, upload of a corresponding PMC configuration update file (PCU file) with the support for the latest LEAF OS configuration version will be necessary. 

Please refer to PMC Release Notes for the information about PMC updating.

vSpace Console (only available in vSpace Pro Enterprise desktop virtualization)

Included in the vSpace Pro Enterprise Edition release (version 12.9.1 or higher), vSpace Console can manage a subset of LEAF OS device configurations for LEAF OS related to vSpace configuration parameters and provide integrated user session management of LEAF OS devices (e.g. Multi-View, remote view, take over, message, stop/pause). 

LICENSING

LEAF OS device activation license

Each LEAF OS device (PC/laptop/thin client) requires its corresponding LEAF OS device activation license (perpetual). The LEAF OS device license also comes with complimentary 1st year device AMP coverage (i.e. software maintenance update), and complimentary perpetual use for PMC Endpoint Management software.

The following is the LEAF OS device activation license SKU: 

• LeafOS—P (perpetual license)

After the first year, additional coverage of device AMP (software maintenance) will be required to receive firmware updates.

Device AMP (software maintenance) – (optional)

The following device AMP (software maintenance) renewal durations are available after the first year of coverage:  

• NC-AMP-RXRDP-1A (one additional year)
• NC-AMP-RXRDP-2A (two additional years)
• NC-AMP-RXRDP-3A (three additional years)
• NC-AMP-RXRDP-4A (four additional years)

Connecting to vSpace Pro Enterprise servers (optional)

vSpace Client connections from LEAF OS are only supported on latest vSpace Pro Enterprise (12.9.1 or newer) servers. vSpace Pro LTS servers will not accept connections from LEAF OS  devices.

Unlike the vSpace Clients contained in the NComputing RX300 thin client devices, the vSpace Clients from LEAF OS devices do not contain any embedded vSpace Client connection licenses. Appropriate vSpace Client connection licenses need to be purchased and added to the vSpace Pro Enterprise deployments to allow uninterrupted vSpace Client connections from LEAF OS devices. Without the necessary licenses, the vSpace sessions will run in trial mode and will be disconnected after 10 minutes.

vSpace Pro Client Connection License for LEAF OS ordering SKUs:

• 1 year (LeafOS-SW-1A)
• 3 years (LeafOS-SW-3A)
• 5 years (LeafOS-SW-5A)

Connecting to VERDE VDI or VERDE Remote Access (optional)

Two license types are supported. Both are concurrent connection models:

• VERDE-WFH-1A-10 (VERDE VDI Suite - Remote Access 10-seat license, annual subscription) 

This license type allows Remote Access connections to PCs through the VERDE Connection Broker and is the most affordable option.

• VERDE8-CCU-1A (VERDE VDI Suite –1-seat license, annual subscription)

This license type allows Remote Access connections to PCs through the VERDE Connection Broker and supports connections to VDI sessions hosted by VERDE Servers.

STEP (1) INSTALL LEAF OS SOFTWARE ENDPOINT

Skip this step if you are using NComputing EX500/EX500W thin client.

Download and prepare LEAF OS installation

1. From NComputing Software Download page, select “LEAF OS” and download the compressed image (i.e. ZIP).
2. Extract the .IMG file (~2GB) from the downloaded .ZIP file.
3. Create a bootable LEAF OS installer USB memory stick (use at least 8GB or higher capability):

1. Use a flashing application like the Win32 Disk Imager or balenaEtcher to write the image into your USB stick. 

4. Pick an x86-64 PC/laptop (BIOS or UEFI).

1. Access the PC/laptop’s Boot Menu or change the PC/laptop BIOS setting to set external USB storage device at the top of the booting priority list.

Use case #1 – live boot LEAF OS using USB memory stick

By default, your device will always live boot LEAF OS from the connected USB flash drive. There will be no changes to the PC/laptop’s internal HDD.

1. Connect the x86-64 PC/laptop to Ethernet or Wi-Fi network.
2. Connect the bootable USB memory stick (prepared according to the instructions above) to the PC or laptop and power it up. The PC or laptop will perform live boot from the connected LEAF OS memory stick. Please refer to ‘LEAF OS Live Boot from USB flash Drive Guide’ document on how to perform USB live boot of LEAF OS on PCs/laptops across different manufacturers.
3. It may take 10-20 seconds to bring up the LEAF OS UI (similar to RX420(RDP) thin client) during the power up. Please be patient.
4. Once the LEAF OS UI is up, you will see the LEAF OS device activation window. Please move to step (2) below to activate the device.

Use case #2 – flash LEAF OS into HDD/SSD/eMMC/NVMe internal storage to boot from

Your device’s internal storage will be wiped and flashed with LEAF OS. When you boot the device, the LEAF OS will be directly booted from the internal HDD/SSD/eMMC/NVMe storage.

1. Follow the same procedures above to live boot LEAF OS on the device using the connected USB memory stick.
2. Once the LEAF OS UI is up, navigate to the Installation tab and click on [Install] (see screenshot below). There are additional warning messages to inform the admin/user that the ‘Install’ process will erase the internal storage of the selected device.
   
   

3. Once you click on [Install] and click [OK] on the warning message, wait few seconds until the NComputing LEAF OS Installer window appears. It will prompt you to confirm to proceed flashing LEAF OS to the internal storage. Click the [Proceed] button to confirm and proceed. Once the HDD/SSD/eMMC/NVMe storage is flashed, you will be prompted to shut the PC/laptop down and reboot. 
   
   

The installation process may take several minutes. Please wait until it is finished. Once the internal storage is flashed, you will be prompted to shut the PC/laptop down and reboot.

4. Remove the USB stick with LEAF OS installer and power up the computer again. LEAF OS will boot directly from the internal storage. Once the LEAF OS UI is up, you will see the LEAF OS device activation window. Please move to step (2) below to activate the device.

STEP (2) ACTIVATE LEAF OS SOFTWARE ENDPOINT

Skip this step if you are using NComputing EX500/EX500W thin client.  EX500 thin client (SKU: 700-0038) and EX500W (SKU: 700-0048) come with an activated LEAF OS perpetual license.

1. Once the LEAF OS device is boot up, you will see the following device activation window. 

If you already have a valid LEAF OS license key, enter it (one time action) and click on ‘Activate Now. 

If you don’t have a LEAF OS license, click on [Try for Free] to start the free trial. The free trial duration is subject to change. At the time of this writing, LEAF OS free trial is 7 days on 3rd party hardware and 60 days on NComputing EX500 thin client (part# 700-0037). 

2. The device should be activated within seconds. Once the device is activated, you can connect to the selected desktop virtualization environment (e.g. Amazon Workspaces, Citrix, Omnissa Horizon, AVD, Windows 365, RDS, vSpace Pro, VERDE VDI) and start working.

LEAF OS BOOT-UP TROUBLESHOOTING

Having trouble booting LEAF OS USB memory drive? Please refer to the ‘Quick Install Guide: LEAF OS USB live boot’ on how to perform live boot from connected USB memory stick on different PC/laptop models. 

HDD/SSD is visible, but not USB

If the HDD/SSD option is visible at Boot Menu, but not the USB drive, follow these tips and reboot your computer to try again:

• If your computer has multiple USB ports: plug and unplug the flash drive in different ports for each boot you do
• If your computer has USB 2.0 and USB 3.0 ports: try to use the flash drive only on the USB 2.0 port

USB not booting

1. If the USB isn’t booting, you need to make sure:

• That the USB flash drive is bootable
• That you can either select the USB from the Boot Device list or configure BIOS/UEFI to always boot from a USB drive and then from the hard disk

2. On new computer models with UEFI/EFI:

• Secure boot feature must be disabled (not supported by LEAF OS) 

3. On some ultrabooks models with a Fast Boot option:

• Disable fast boot

4. LEAF OS supports UEFI-based devices. However, if you have issues booting, you can normally disable UEFI and enable legacy/BIOS mode.

ADDITIONAL NOTES

User interface with workspace concept:

• LEAF OS workspace user interface 

Devices running LEAF OS, EX500W, RX540 and RX580 devices adopt LEAF OS workspace user interface. The desktop icons allow easier access to local applications and to resources published in DaaS and VDI environments, simplify the multi-tasking, and improve the overall user productivity. 

The applications and published resources can be accessed through the icons presented on the Desktop, in Start Menu, or in the App Launcher:

Newly created applications will, by default, be shown on the Desktop and Start Menu. Customers preferring to configure the devices as a locked-down kiosks (without any icon to be shown on the Desktop, Start Menu, or App Launcher, and with Auto-Launch) should deselect the Show on App Launcher, Show on Start Menu, and Show Desktop icon options, select Auto-launch, and choose Restart as Action on exit. This can be done by editing the application under Settings > Applications. Please refer to this KB article on how to setup locked-down kiosk mode in LEAF OS. 

• Ability to rescale the LEAF OS desktop and applications

When using high-resolution displays, especially 4K, it may be beneficial to upscale the LEAF OS GUI components, to make them appear bigger and thus become better readable. Scaling factors from 100% (which is the default, meaning no scaling) to 200% are selectable under Display settings. The RX540/RX580 components which will respect the scaling selection are:

• Desktop (the desktop icons),
• Taskbar,
• Setup UI,
• Logon windows of client applications (AVD, RDP, VERDE VDI), the server chooser of vSpace Client, RDP sessions, AVD sessions.

Note: The scaling ratio of some LEAF OS applications might be silently adjusted to a value accepted by the application or kept set to 100%, if the application does not support scaling.

AVD, Windows 365 and RDP clients related:

• AVD Client connection configuration

The LEAF OS firmware supports connections to Microsoft Azure Virtual Desktop deployment hosted in Microsoft Azure cloud. Supported AVD releases include:

• AVD (ARM-based – formerly known as Spring 2020) or Windows 365; this option is selected by default,
• AVD (Classic – formerly known as Fall 2019),
• Windows 365 Frontline, and
• Azure Government

• Accessing published AVD resources

After logging into the AVD account, user will be presented with a list of AVD published resources. The resource listing can be expanded or collapsed by clicking at the top-level category. Double-clicking on any RemoteApp or desktop icon allows launching the resource. The taskbar at the bottom of the screen can be used to manage multiple opened applications.

• AVD Client connection in Kiosk Mode

The Kiosk Mode settings allow the user to automatically login to his/her AVD account and, if required, automatically launch a particular Windows application or desktop. Please note that multifactor authentication (MFA) is not supported when User auto-logon is enabled in AVD Client mode. 

• Pre-population of AVD username based on Kiosk Mode settings

LEAF OS allows pre-population of AVD user names, so the users can only enter the password (or proceed with multi-factor authentication) to authenticate. The AVD user name will be composed as Username@Domain, where the Username and Domain are the values taken from the corresponding fields of Kiosk Mode settings. The User auto-logon option should not be selected to only pre-populate the AVD user name (but not trigger the authentication process).

• Using the LEAF OS device as Windows 365 Cloud PC client

In the AVD Client application, under Application Settings, the AVD (ARM-based) or Windows 365 release needs to be selected to be able to connect to Microsoft Windows 365 Cloud PC.

• Microsoft Teams optimization (audio/video) in AVD, Windows 365, and RDP sessions

In optimized Microsoft Teams application, audio and video streams are offloaded from the virtual desktop or remote desktop session and processed locally on the client device. This helps reduce network bandwidth usage and improves overall user experience by minimizing latency and providing smoother video conferencing.

To enable Teams AV optimization, both server-side and client-side needs to be configured.

Server-side configuration: 

• Refer to “Use Microsoft Teams on AVD” document for the information.
• For Microsoft Teams audio/video optimization in AVD, Windows 365, and RDP sessions:

• Following registry key needs to be created prior to Teams installation: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams
• Following value must exist in the Teams key: 
  IsWVDEnvironment (DWORD) = 1
• Remote Desktop WebRTC Redirector version 1.50 or higher must be installed. The latest version can be found on the Microsoft website here.  The WebRTC Redirector Service is a necessary component to optimize the Microsoft Teams experience on Windows AVD, Windows 365, and Remote Desktop Services.

Client-side configuration:

• For AVD and Windows 365 connections:

• In AVD Client application, under Application Settings, select the Enable Microsoft Teams optimization checkbox.

• For RDP connections:

• In RDP Client application, under Application Settings, select AVD as Client type and select the Enable Microsoft Teams optimization checkbox.

• Support for AAC audio codec in AVD client
  The AAC (Advanced Audio Coding) audio codec reduces the amount of audio data sent from the session host to AVD client when playing audio. This can be beneficial for audio latency sensitive applications (e.g., VoIP, WebRTC, etc.) By default, the PCM (Pulse Code Modulation) audio codec is used by the AVD client. PCM codec requires more network bandwidth to transmit the audio data.

To enable the AAC audio codec:

• For AVD and Windows 365 connections:

• In AVD Client application, under Application Settings, select the Enable AAC audio codec checkbox.

• For RDP connections:

• In RDP Client application, under Application Settings, choose AVD as Client type and select the Enable AAC audio codec checkbox.

• RDP Shortpath support (direct UDP-based transport) for AVD and Windows 365 sessions
  The RDP Shortpath feature enables direct, UDP-based, transport between the AVD client and the AVD or Windows 365 session host. Thanks to reduced overhead of the UDP protocol, RDP Shortpath greatly enhances overall user experience.

To enable RDP Shortpath, both server-side and client-side needs to be configured.

Server-side configuration: 

• Refer to “Configure RDP Shortpath for AVD” document for the information.

Client-side configuration:

• In AVD Client application, under Application Settings, select the Enable RDP Shortpath checkbox.

• Clipboard redirection support for AVD and Windows 365 clients can be enabled or disabled in AVD settings.
• Alternative AVD authentication components

Up to LEAF OS 4.11.2, the AVD Client was always using its own embedded web browser engine to render the Azure logon page and to perform the AVD user authentication. The 5.5.8 version and higher added to the AVD Client an option to use an external browser engine (Chromium) to perform the user authentication. This provides better support for 3rd party multi-factor authentication methods, such as Cisco DUO MFA. This option can be enabled by selecting the Use external browser for authentication checkbox available under Settings > Applications > AVD Client > Application Settings.

Note: When the Use an external browser for authentication will be selected for any AVD release or when the Windows 365 Frontline release will be selected, the NComputing AVD Client application will use the Azure Application Identifier (ID) of NComputing AVD Client instead of the identifier of Microsoft 1st party Azure Virtual Desktop Client application. You will need to grant consent for the usage of the NComputing AVD Client within your organization. This can be easily accomplished by an Azure Active Directory admin user with the authority to approve consent requests for the organization. If the application has not yet been consented in your Azure tenant, users will be unable to utilize the NComputing AVD Client application to connect to your AVD or Windows 365 resources. 

• Microsoft Entra Single Sign-On (SSO) for Azure Virtual Desktop (AVD) authentication

Starting with LEAF OS version 5.12.4, seamless authentication to AVD is supported using Microsoft Entra SSO. This enhancement simplifies Azure login and enables streamlined access to AVD resources. The default AVD configuration already supports Entra SSO authentication for accessing AVD sessions. Here are relevant default parameters in AVD Client > Application Settings: 

• Use browser authentication (FIDO, smartcard) option – not selected
• Allow Entra ID SSO authentication option – not selected
• Reuse Azure credentials when launching AVD sessions option – selected

• Smart card authentication with Microsoft Entra Single Sign-On (SSO) to Azure Virtual Desktop (AVD)

Starting with LEAF OS version 5.12.4, support for smart card authentication with Microsoft Entra SSO is supported.

Setup introductions:

1. Enable Microsoft Entra SSO on Azure:

Ensure that Microsoft Entra SSO is configured and enabled in your Azure environment.

2. Configure LEAF OS client:

• On the client side, go to AVD Client > Application Settings and select the option: Use browser authentication (FIDO, smartcard).
• Grant consent for the use of the NComputing AVD Client within your organization.

Authentication workflow:

• The built-in Chromium browser in LEAF OS will display the AVD login page.
• The login process will prompt the user to:

1. Select a certificate from the smart card.
2. Enter the smart card pin.

• When launching AVD resources (e.g. RemoteApps or RemoteDesktops), users will be prompted once again to:

1. Select a certificate from the smart card.
2. Enter the smart card pin.

The repeated authentication step is due to a current limitation with the Microsoft AVD software development kit.

• RDP Client connection configuration

The LEAF OS firmware supports RemoteApp and Desktop Connections. The parameters necessary for the RDP Client connection are different depending on the RemoteApp support being enabled or not.

• RemoteApp and Desktop Connections not enabled: The RDP Client connects directly to specified Remote Desktop Session Host. 
• RemoteApp and Desktop Connections enabled: The RDP Client first communicates with the specified Remote Desktop Web Access server (which cooperates with Remote Desktop Connection Broker; both must exist in the RDS deployment). The Remote Desktop Web Access server URL must be specified in RDP Client application configuration. This URL can be entered in simplified or full form, e.g.:

• 192.168.50.7 – will be expanded to: https://192.168.50.7/RDweb
• rdwa – will be expanded to: https://rdwa/RDWeb
• rdwa.company.local – will be expanded to: https://rdwa.company.local/RDWeb
• https://rdwa.company.local/RDWeb - will be used as is.

• Ability to select RDP client type 

The AVD client can be used for on-prem RDP connections. Users can benefit from the features which are available in the AVD client (which is based on official Microsoft Linux client SDK), but absent in the standard RDP client, especially from Microsoft Teams Optimization.

• Using custom parameters for RDP connections

The LEAF OS firmware allows specifying custom parameters for RDP connections. If multiple custom parameters must be specified, then they should be separated by the “;” (semicolon) character.

Note: Custom parameters can be specified separately for the RDP and AVD client type selections. The syntax of the custom parameters for both client types is different. Please refer to FreeRDP documentation for the information about supported parameters for the RDP client type selection: https://github.com/FreeRDP/FreeRDP/wiki/CommandLineInterface

• Using AVD client for RDP connection with custom parameters to support RD Gateway

Following custom parameters allow using the AVD client as the RDP client for connections which need to travers an RD Gateway:

gatewayhostname=s:<hostname>

gatewayusage=i:<gateway_usage_method>

As all other customer parameters, multiple parameters can be specified in the input field, separated with semicolons, e.g.:

gatewayhostname=s:rdgw.company.com;gatewayusage=i:2

Descriptions of possible <gateway_usage_method> values:

• 0 – Do not use the RD Gateway.
• 1 – Try to bypass the RD Gateway. In local-area network where the RD Session Host is accessible directly, the client will bypass the RD Gateway. This is the default value when the custom parameter is not present.
• 2 – Always use the RD Gateway. The client will never try to bypass the RD Gateway, even in local-area network where the RD Session Host could be accessed directly.

• RD Session Host, AVD and Windows 365 virtual machine configuration for best user experience

The RDP and AVD clients integrated in LEAF OS devices support the use of H.264/AVC encoding (Advanced Video Codec) in RDP and AVD sessions. Using AVC ensures the best AVD user experience. To take advantage of this H.264/AVC graphics mode, following Group Policy setting must be enabled: 

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment: ‘Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections’. 

This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

• RD Session Host, AVD and Windows 365 virtual machine configuration for webcam redirection

The RDP and AVD clients integrated in LEAF OS support the native (functional) redirection of USB webcams. This redirection is only supported in RDP, AVD and Windows 365 sessions if the Remote Desktop Session Host is a Windows Server 2019 or a Windows 10 machine. To ensure proper webcam redirection, please make sure that the following Group Policy setting is not enabled:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection: Do not allow video capture redirection

This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

Additionally, each user under Settings > Privacy > Camera, needs to allow the applications to access the camera. 

Note: Webcams described as driverless Windows webcams (webcam not requiring any special vendor drivers to work on Windows) or Video for Linux version 2 compliant webcams should work. 

• RD Session Host, AVD and Windows 365 virtual machine configuration for printers redirection

The RDP and AVD clients integrated in LEAF OS devices support the native (functional) redirection of local printers. USB and network printers are supported. To ensure proper printers redirection, please make sure that the following Group Policy setting is not enabled:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection: Do not allow client printer redirection

Printer drivers appropriate for the redirected printers must be installed on the RD Session Host or AVD VM for successful printers redirection. ‘x64, Type 3 – User Mode’ printer drivers need to be installed. The ‘Remote Desktop Easy Print’ driver cannot be used with printers redirected from LEAF OS devices. To prevent the attempts to use this unsupported driver, the following Group Policy setting can be disabled in Computer Configuration or User Configuration:

Computer/User Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection: Use Remote Desktop Easy Print printer driver first

The above mentioned Group Policy settings can be deployed through Active Directory Group Policy Objects or, in simplest case, they can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

Following are the topics to consider when planning to use the native/functional redirection of printers in RDP sessions:

• Locally connected USB printers and network printers supporting the JetDirect protocol (also known as RAW or AppSocket) can be used with native redirection.
• Low-cost GDI printers should be avoided, as they may not work properly. More advanced printers understanding the PCL, PostScript, and/or other high-level page description languages are advisable and should work.
• Functional redirection of printers requires the installation of appropriate Windows printer driver on the remote machine running the RDP session. The literally spelled name of the Windows printer driver must be entered in the Windows printer driver name when adding a printer for native redirection. 
• The Windows printer driver name often matches the USB printer identification string obtained from the USB printer during the detection process, but this is not a general rule. For some USB printers the Windows printer driver name automatically populated when detecting the printer will have to be edited to match the real name of the Windows printer driver installed on the remote server. 
• The ‘type 3’ drivers for Windows x64 architecture should be selected for installation. ‘Type 4’ drivers are known to cause issues with functional redirection of printers.
• The list of Windows printer drivers installed on a Windows machine (with the information about class and architecture) can be obtained with the following command executed in Command Prompt:

wmic /NameSpace:\\Root\CIMV2 path Win32_PrinterDriver GET Name

• RD Session Host, AVD and Windows 365 virtual machine configuration for smart cards redirection

The RDP and AVD clients integrated in LEAF OS devices support the native (functional) redirection of smart cards (smart card readers). CCID-compliant, ReinerSCT and ACS smart card readers are supported. To ensure proper smart cards redirection, please make sure that the following Group Policy setting is not enabled:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection: Do not allow smart card device redirection

This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

• RD Session Host, AVD and Windows 365 virtual machine configuration for Generic USB redirection of peripheral devices

The RDP and AVD clients integrated in LEAF OS devices support the Generic USB redirection of peripheral devices. In Windows Server 2016/2019 and Windows 10 the ‘Do not allow supported Plug and Play device redirection’ Group Policy setting is enabled by default (when not configured), which prevents the Generic USB redirection of the peripheral devices to those operating systems. This Group Policy setting can be found under ‘Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection’. To be able to use the Generic USB redirection of RX420(RDP) and RX-RDP+ peripheral devices, this policy must be explicitly disabled. This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

In Windows Server 2012 R2, Windows 8.1 and older Windows server and desktop operating systems the Remote Desktop Services by default allows the redirection of supported plug and play devices, thus the ‘Do not allow supported Plug and Play device redirection’ Group Policy setting does not need to be altered.

• Server CPU load in RDP 8 sessions with RemoteFX enabled

Enabling the RemoteFX feature for Remote Desktop connections greatly improves user experience in legacy Windows OS versions by providing very good GUI performance. This is thanks to optimized algorithms used to encode the areas of the session screen which contain dynamically changing contents (like videos or animations). Ideally the screen encoding on the server side should be accelerated by supported graphics cards. Leveraging server CPUs for RemoteFX screen encoding can cause high load and effectively limit the per-server user density.

• Kiosk mode application auto-start

Latest versions of Windows operating systems favor RemoteApp publishing and do not allow launching applications with executable program paths specified on the client side. This functionality can be re-enabled by modifying the Windows registry:

Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList
Registry value: REG_DWORD fDisabledAllowList
Registry value data: 1

Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Registry value: REG_DWORD HonorLegacySettings
Registry value data: 1

Published RemoteApp program or desktop will be automatically started when program or desktop name will be specified as Application in RDP Client application’s Kiosk Mode settings.

• vCAST support in RDP sessions

Support for vCAST Web Streaming and vCAST VLC Media Streaming in RDP sessions started from LEAF OS devices requires installation of the NComputing SuperRDP Server Pack software on the Remote Desktop machine. The NComputing SuperRDP server pack is available through your reseller (SKU: SuperRDP-PREM-VC-P).

• vCAST limitations

The vCAST Web Streaming and vCAST Media Streaming technologies require the client device to use optimized display drawing to work properly. Such optimized drawing methods are only available when the terminal session runs in full-screen desktop mode. For that reason, vCAST is not supported in published RemoteApp programs. RemoteApp desktop sessions run in full-screen mode and support vCAST.

Note: For vCAST support in RDP sessions, the SuperRDP software must be installed on the remote machine.

The vCAST Media Streaming technology can only offload to the client device H.264-encoded media contents. For other formats, the VLC player needs to have the ‘Windows GDI’ video output selected under Video output settings.

Citrix Workspace App related:

• Support for multiple Citrix Workspace app versions in single LEAF OS image

At the time of this KB article, LEAF OS (x86-64) version 6.7.2 contains two selectable Citrix Workspace app for Linux versions: 2411 and 2303. In this LEAF OS version, the Latest version selects Citrix Workspace app 2411.

Following Citrix Workspace app settings can be configured:

• Store URL – the URL of the Citrix Store the Citrix Workspace app will connect to. Store URL must generally be an HTTPS URL. For successful communication, the Citrix Workspace app components must not encounter any issues related to the Store URL certificate. Especially, the SSL certificated of the web server hosting Citrix Store must be signed by a Certificate Authority the device trusts. If the certificate has not been issue by a well-known and commonly-trusted Certification Authority, then the certificate of the Root Certification Authority (and depending on how the certificate chain presented by the web server looks like, possibly also the certificates of Intermediate Certification Authorities) will have to be added to RX540/RX580 device. This can be done under Security settings. Please refer to the dedicated section below.
• Show Citrix SelfService user interface – when enabled, the original SelfService user interface of Citrix Workspace app will be presented to the user. When disabled, NComputing’s own implementation of Citrix published resource list will be used. Certain functionalities are only available when this option will be disabled.
• Guest mode – when enabled, the information cached by Citrix Workspace app (e.g., the list of published resources and their icons) will be wiped out from the device when the user exits the Citrix Workspace app session. By default, the guest mode is not enabled, and the list of Citrix resources remains on the device, even if it is rebooted.
• Show Desktop Viewer Toolbar – when enabled, the Citrix Desktop Viewer Toolbar will appear in published desktop sessions. As the Desktop Viewer Toolbar is solely a client functionality, this setting takes precedence over the Desktop Viewer Toolbar settings possibly configured on the StoreFront or Web Interface server.
• Enable H.264 support – when enabled, the device will be ready to use the H.264 codec (also known as video codec) for the entire desktop session screen or for the actively changing regions of the desktop session screen. The H.264 codec ensures the best user experience when using multimedia applications.
  On the Citrix Virtual Desktop Agent side, the Use video codec for compression Citrix Policy setting can be used for controlling this feature. To allow the use of the H.264 codec, this policy setting should not be set to Do not use video codec. By default (when not configured), this Citrix Policy setting is set to Use when preferred, which means that the VDA machine will try to choose the best variant of the codec based on the VDA type and session behavior. To enforce full-screen H.264 encoding, the Use video codec Citrix Policy setting should be set to For the entire screen. 
  Note: The H.264 codec can effectively be used only with screen resolutions up to 1920x1080.
• Allow HDX Adaptive Transport – when enabled, the device will try to use the HDX Adaptive Transport protocol (also known as Enlightened Data Transport protocol, EDT, or UDP transport) for Citrix connections. If establishing the session with Adaptive Transport is not possible, Citrix Workspace app will fall back to TCP transport. 
  On the Citrix Virtual Desktop Agent side, the HDX Adaptive Transport Citrix Policy setting can be used for controlling this feature. To allow Adaptive Transport, this policy setting should not be set to Off. By default (when not configured), this Citrix Policy setting is set to Preferred, which means that the data transport to the VDA machine takes place over the Citrix EDT protocol, that is build on top of UDP, with automatic fallback to TCP.
• Allow Session Reliability – when enabled, the device will try to use the Session Reliability feature (Common Gateway Protocol) in Citrix connections. In case of session disconnects caused by network problems, Citrix Workspace app will freeze the session screen and will try to re-establish the connection in the background.
  On the Citrix Virtual Desktop Agent side, the Session reliability connections Citrix Policy setting can be used for controlling this feature. To allow Session Reliability, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed.
• Enable Microsoft Teams optimization – when enabled, the optimization mechanisms for Microsoft Teams will be enabled. The processing and transmission of audio and video data will happen on the client device, which will offload the network connection of the Citrix VDA machine as well as the VDA’s CPU. 
  On the Citrix Virtual Desktop Agent side, the Microsoft Teams redirection Citrix Policy setting can be used for controlling the Teams Optimization feature. To allow Teams Optimization, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed. Refer to the ‘Troubleshooting HDX Optimization for Microsoft Teams’ article from Citrix Knowledge Base for more information: https://support.citrix.com/article/CTX253754.
• Enable Browser Content Redirection – when enabled, the rendering of the contents presented by supported web browsers (Google Chrome and Microsoft Edge), when accessing configured web pages, will happen on the LEAF OS device. This will offload the Virtual Desktop Agent machine. 
  On the Citrix VDA side, the Browser Content Redirection Citrix Policy can be used for controlling this feature. To allow Browser Content Redirection, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed. Refer to the ‘How to Troubleshooting Browser Content Redirection’ article from Citrix Knowledge Base for more information: https://support.citrix.com/article/CTX230052.
• Auto-logoff on last session exit – when enabled, the Citrix Workspace app will be closed (and the user logged off) when the last Citrix connection of the user will be terminated.
• Start automatically, if only one application or desktop is published – when enabled, and if only one application or desktop is published for the logged in user, this published application or desktop will be started automatically. To use this option, do not enable Citrix SelfService user interface.
• Use this application to grant access to other applications – when enabled, the user will be unable to access any other RX540/RX580 applications until the Citrix authentication will be successfully completed. To use this option, do not enable Citrix SelfService user interface.
• Workspace app window size – selection of the Citrix Workspace app (Self-Service GUI) window size.
• Custom parameters – additional parameters, which can be injected into Citrix Workspace app configuration files.

Configuring custom parameters for Citrix Workspace app

LEAF OS firmware allows injecting new or modifying existing parameters in given sections of the following Citrix Workspace app configuration files:

• wfclient.ini
• All_Regions.ini
• module.ini

Please refer to the ‘Citrix Workspace app for Linux OEM Reference Guide’ (https://developer-docs.citrix.com/projects/workspace-app-for-linux-oem-guide/en/latest/reference-information/#configuration-files) for the information about the Citrix Workspace app configuration files, their entries, and values. 

The syntax of the custom parameters is:

<filename.ini>:[<section>]<key>=<value>;<filename.ini>:[<section>]<key>=<value>;…

• <filename.ini> must be one of the above mentioned configuration files.
• <section> is the name of the section in the configuration file, where the parameter (key) will be injected or modified.
• <key> is the name of the parameter to be injected or modified.
• <value> is the value the parameter will be set to.

Multiple custom parameters can be specified in one custom parameters line. In such case, the parameters need to be separated with semicolons (without preceding or following whitespaces).

Example:

wfclient.ini:[WFClient]HDXWebCamWidth=1280;wfclient.ini:[WFClient]HDXWebCamHeight=720

The above line defines two custom parameters for the wfclient.ini file and adds the following entries to the [WFClient] section of that file:

HDXWebCamWidth=1280
HDXWebCamHeight=720

The above will set the picture resolution of 1280x720 for the Citrix HDX Webcam redirected with the Citrix HDX RealTime Video Compression feature. 

Time zone mapping

Citrix Workspace app integrated in LEAF OS devices supports mapping of the client’s time zone. Time zone can be selected under Date and Time settings. 

On the Citrix Virtual Desktop Agent side, the Use local time of client Citrix Policy setting can be used for controlling this feature. To enable the mapping of client’s time zone, this policy setting must be set to Use client time zone. By default (when not configured), this Citrix Policy setting is set to Use server time zone.

Keyboard layout mapping

Citrix Workspace app sends to the Virtual Desktop Agent machine the information about the keyboard layout configured locally on the client device. The selected keyboard layout will be used in the Citrix sessions connected from the device. There is no Citrix Policy setting for controlling the keyboard layout mapping feature. This feature is enabled by default.

Deploying Certification Authority certificates

Citrix Workspace app needs to trust the issuer of the SSL server certificate presented by the web server hosting the Citrix Store. If necessary (e.g., when using organization’s own Certification Authority), to establish this necessary trust relationship, the certificates of Root and Intermediate Certification Authorities (X.509 certificates) can be added to LEAF OS devices. This can be done in Security settings. LEAF OS devices accept Base64-encoded Certification Authority certificates. The Base64-encoded X.509 certificate format is commonly known as PEM format. Please refer to the ‘Security Settings’ section of ‘LEAF OS and RX-series User and Configuration Guide’ for more information. Download link can be found in the ‘Additional Resources’ section below.

Server-side control over native/functional redirection of peripheral devices

The Peripherals settings of RX540 and RX580 devices allow selecting the redirection type for different peripheral device classes. However, these client-side settings cannot overwrite the settings, which are configured on the server side. The redirections will only work when the server will not prevent them. The following paragraphs describe the Citrix Policy settings, which can be used for controlling the native/functional redirection of peripherals on the Virtual Desktop Agent side.

Mass storage

On the Citrix Virtual Desktop Agent side, the Client drive redirection Citrix Policy setting can be used for controlling this feature. To allow the native redirection of mass storage devices, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed.

Audio

On the Citrix Virtual Desktop Agent side, the Client audio redirection and Client microphone redirection Citrix Policy settings can be used for controlling this feature. To allow audio output (speakers) redirection, the Client audio redirection policy setting should not be set to Prohibited. To allow audio input (microphone) redirection, both the Client audio redirection and the Client microphone redirection policy settings should not be set to Prohibited. By default (when not configured), these Citrix Policy settings are set to Allowed.

Printers

Citrix Workspace app integrated in LEAF OS devices supports the native (functional) redirection of USB and network (JetDirect) printers. On the Citrix Virtual Desktop Agent side, the Client printer redirection Citrix Policy setting can be used for controlling this feature. To allow the native redirection of printers, the Client printer redirection policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed. 

The native redirection of printers requires the printers to be defined locally on the LEAF OS device. When adding USB printers, a USB printer identification string needs to be specified. It can be also pulled from the USB printer, if it is connected. This serves the purpose of identifying the different USB printers, when multiple USB printer will be connected. In case of single USB printer, this field can be left empty. For each configured printer, the exact name of corresponding Windows printer driver must be specified. This driver must be installed on the Citrix VDA machine for successful printer redirection. 

The first printer from the list will be configured as the default printer and will also become the default printer in the Citrix session.

Printer drivers appropriate for the redirected printers must be installed on the Citrix VDA machines for successful printers redirection. ‘x64, Type 3 – User Mode’ printer drivers need to be installed. The Citrix universal print driver cannot be used with printers redirected from LEAF OS devices. To prevent attempts to use this unsupported driver, the Universal print driver usage Citrix Policy setting can be set to Use only printer model specific drivers. 

Webcams (video devices)

There is no Citrix Policy setting for controlling the webcam redirection (actually known as HDX RealTime Video Compression) feature on the Virtual Desktop Agent side. This feature is enabled by default.

Smart cards readers

Citrix Workspace app integrated in LEAF OS supports the native (functional) redirection of smart cards (smart card readers). CCID-compliant, ReinerSCT, and ACS smart card readers are supported.

There is no Citrix Policy setting for controlling the smart cards redirection feature on the Virtual Desktop Agent side. This feature is enabled by default.

Serial ports

The /dev/ttyUSB0, /dev/ttyUSB1, /dev/ttyACM0 and /dev/ttyACM1 serial devices will be redirected as client’s COM1, COM2, COM3 and COM4 ports, accordingly.

On the Citrix Virtual Desktop Agent side, the Client COM port redirection Citrix Policy setting can be used for controlling this feature. To allow the native redirection of serial ports, this policy setting must be set to Enabled. By default (when not configured), this Citrix Policy settings is set to Disabled. 

Generic USB redirection of peripheral devices

Citrix Workspace app integrated in LEAF OS devices supports the Generic USB redirection of most peripheral device classes (excluding the smart card readers). However, wherever possible the native redirection should be used, as in the majority of cases it is the most reliable and best optimized redirection method. The Generic USB redirection should generally be used only as the last resort method for device classes (like HID devices), for which no native redirection method exists. LEAF OS firmware tries determining the USB classes of connected USB devices and only attempts to use the Generic USB redirection for that device, where the Generic method has been really selected. USB devices which in their USB descriptors contain the Vendor Specific Class (0xFF) cannot be automatically categorized by the device firmware and must be added to the Custom VID:PID list to be redirected in the Generic way. 

This can be configured under Peripherals > Custom Devices, when the General redirection policy is set to Custom.

On the Citrix Virtual Desktop Agent side, the Client USB device redirection Citrix Policy setting can be used for controlling this feature. To enable the generic redirection of USB devices, this policy setting must be set to Allowed. By default (when not configured), this Citrix Policy setting is set to Prohibited.

Other considerations regarding Citrix Workspace app

• Launching Citrix sessions from Chromium browser

LEAF OS devices allow launching Citrix sessions from the Chromium browser. All applicable Citrix Workspace app settings and Peripherals settings will be respected when launching Citrix sessions from the Chromium browser.

• Redirection of FIDO2 security keys into Citrix sessions

Citrix Workspace app included in LEAF OS devices contains all the components necessary to redirect the FIDO2 security keys, but the feature itself is disabled by default. To enable the redirection of FIDO2 security keys, the following custom parameter needs to be added under Citrix connection settings:

module.ini:[ICA 3.0]FIDO2=On

Note: On the Citrix server, the VDA version 2209 or newer is required to use this feature.

• Philips Speech optimization for Citrix Workspace app

Philips Speech optimization is supported in both Citrix Workspace app versions contained in LEAF OS (x86-64). This feature is disabled by default. The following Philips Speech optimization channels can be separately enabled under Peripherals > Other Devices:

• Audio
• Control (Buttons, LEDs)
• DPM and SpeechAir

Omnissa Horizon Client related:

• Following Omnissa Horizon Client-specific Application Settings can be configured:

Broker address – the address of Omnissa Horizon server which will authenticate the users and provide list of available virtual desktops.

Protocol – the selection of the display protocol to be used for connections to virtual desktop machines. Blast and RDP protocol selections are possible. Further protocol-specific settings are available on dedicated tabs of the Omnissa Horizon Client application settings dialog. The PCoIP protocol is not available in the Omnissa Horizon Client integrated in LEAF OS.

Desktop size – screen configuration of the virtual desktop. The session can be started in full-screen mode on all connected monitors, in full-screen mode on a single monitor only, in big window, or in a small window.

Guest mode – when not enabled (which is the default), LEAF OS will preserve the configuration changes the user makes through the original Omnissa Horizon Client UI. When enabled, all the user-made configuration changes will be wiped out on LEAF OS reboot.

Show drop down menu bar – this setting controls the appearance of Omnissa Client’s menu bar and connection bar.

SSL verification policy – selection of the checks performed on the SSL certificate presented by the Omnissa Horizon server:

• Strict verification – the SSL server certificate must be issued by a trusted Certification Authority, the Common Name in the Subject of the certificate must match the specified fully qualified domain name of the Omnissa Horizon server, and the certificate must be valid at the connection time. Connections will be disallowed in case of any SSL/TLS problems.
• Warn and allow self-signed – the connections to Omnissa Horizon servers presenting self-signed certificates will be allowed.
• No checks – no SSL certificate checks will be performed and connections to all servers will be allowed.

Custom parameters – a semicolon-separated list of custom parameters for the Omnissa Horizon Client. Custom parameters can be used to extend the command line of the Omnissa Horizon Client executable (of the ‘Omnissa-view’ program) or to modify some Omnissa Horizon Client’s configuration files. 

The syntax of each Omnissa custom parameter must be one of the following:

Destination:         Omnissa-view command line

Parameter syntax:    arg:cmdline_parameter    

Example:        arg:--launchMinimized

Example:        arg:+CRLRevocationCheck

Note: the Omnissa Horizon Client application (the ‘Omnissa-view’ program) will be by default launched with the --skipCRLRevocationCheck command line parameter. This parameter lets the client to not perform the revocation checks of the SSL certificates. To enforce those checks, the ‘arg:+CRLRevocationCheck’ custom parameter must be used. 

Destination:         /etc/Omnissa/config file

Parameter syntax:    config:parameter_name=parameter_value

Example:        config:RemoteDisplay.AllowAudio = "false"

Destination:        /etc/Omnissa/viewagent-custom.conf file

Parameter syntax:    viewagent-custom.conf:parameter_name=parameter_value

Example:        viewagent-custom.conf:BlastProxy.log.logLevel = 'verbose'

Destination:        $HOME/.Omnissa/view-preferences file 

Parameter syntax:    view-preferences:parameter_name=parameter_value

Example:        view-preferences:view.enableHEVC = 'FALSE'

Following Blast protocol settings can be configured for the Omnissa Horizon Client:

The Blast protocol settings configurable here are same as the ones which are configurable in the Omnissa Horizon Blast Configuration dialog, accessible from the File > Configure Omnissa Blast menu of the original Omnissa Client UI. Additionally, the Microsoft Teams optimization, multimedia, and web contents redirection settings are configurable under Blast Settings.

• Remembering the last logged user name in Omnissa Horizon Client

The Omnissa Horizon Client can be configured to Remember last logged user name. This option can be enabled in Omnissa Horizon Client’s Application Settings. 

Note: The Guest mode option must be not enabled for the user name remembering feature to be able to persistently save the user name.

• Deploying Certification Authority certificates

Omnissa Horizon Client needs to trust the issuer of the SSL server certificate presented by the Omnissa Horizon server (accessible through the Broker address specified in Application Settings). If necessary (e.g. when using organization’s own Certification Authority), to establish this necessary trust relationship, the certificates of Root and Intermediate Certification Authorities (X.509 certificates) can be added to LEAF OS devices under the Security settings. LEAF OS accepts Base64-encoded Certification Authority certificates. The Base64-encoded X.509 certificate format is commonly known as PEM format. Please refer to the ‘Security Settings’ section of ‘LEAF OS and RX-series User and Configuration Guide’ for more information (you will find the download link in the ‘Additional Resources’ section below).

• Printers

Omnissa Horizon Client in LEAF OS supports the Native (functional) redirection of USB and network (JetDirect) printers. The native redirection of printers requires the printers to be defined locally on the LEAF OS device. When adding USB printers, a USB printer identification string needs to be pulled from the USB printer (if it is connected) or specified manually. This serves the purpose of identifying the different USB printers, when multiple USB printers will be connected. In case of single USB printer, this USB identification field can be left empty. For each configured printer, the exact name of Windows printer driver must be specified. 

For each defined printer, LEAF OS will create two printers: first – with the original name, and the second – with the original name and with the ‘_local’ suffix appended. For the first printer, LEAF OS will not configure any Linux printer driver (so this printer will only act as a spooler and will then send the spooled print jobs to the physical printer without reformatting them). This printer will be used in VDI connections using the RDP protocol. The specified Windows printer driver name will be reported to the virtual desktop VM when making connection with the RDP protocol. The virtual desktop VM must have this exact driver installed to be able to load it when creating the redirected printer. ‘x64, Type 3 – User Mode’ printer drivers are appropriate for the Native redirection of printers with the RDP protocol. For the second printer (the one with ‘_local’ suffix), LEAF OS tries to find and to load an appropriate Linux printer driver. This second printer will be used for the printers redirection with the Blast protocol. No dedicated Windows printer driver needs to be installed on the virtual desktop VM in this case. The print job received from the virtual desktop will be rendered on LEAF OS with the help of the Linux printer driver and only then sent to the physical printer.

• Smart cards readers

CCID-compliant, ACS, and Reiner SCT CyberJack smart card readers are supported and will be redirected with the Native method with both protocols (RDP and Blast). 

• Serial ports

Serial ports (USB-to-serial adapters) can be redirected with the Native redirection method when the RDP protocol will be selected. The /dev/ttyUSB0, /dev/ttyUSB1, /dev/ttyACM0 and /dev/ttyACM1 serial devices will be redirected as client’s COM1, COM2, COM3 and COM4 ports, accordingly.

Serial ports can be redirected with the Generic USB redirection method when the Blast protocol will be selected. Omnissa’s own Generic USB redirection implementation will be always used in this case, no matter what redirection method is selected for the Serial Ports in the Peripherals settings. Windows driver for the connected USB-to-serial adapter needs to be installed on the virtual desktop VM for the serial ports redirection to work in this case. 

vSpace Pro Client and VERDE VDI Client related:

• vSpace Pro: Native (functional) redirection of webcams in UXP sessions

Native webcam redirection is supported in vSpace Pro Enterprise 12.4 or later. To enable this functionality, each user must grant camera access to applications under their system’s Privacy settings.

• VERDE VDI: Enhanced RDP Client Selection 

The VERDE VDI Client has been upgraded to support Microsoft Teams optimization when using the AVD client type. Users can now choose the AVD client for RDP connections to access VERDE VDI environments. For detailed setup on both the server and client sides, refer to this related knowledge base article knowledge-based article.

Local Chromium Browser, Microsoft Teams PWA, Custom Local Applications related:

• Microsoft Teams PWA (Progressive Web Application) replacing Microsoft Teams App for Linux in LEAF OS

The Microsoft Teams app for Linux was announced to be end-of-life (EOL) in April 2024. Microsoft recommends transitioning to the Teams PWA as a replacement. In LEAF OS 5.12.4 and later, the Teams PWA can be created within the built-in Chromium browser.

To enable Teams PWA from the built-in Chromium:

• Open the Setup UI and go to Applications.
• Click the [+] button to add an application. 
• Select Chromium Browser as Application Type and navigate to the PWA Settings tab.

• Under Enable PWA and show on, in the MS Teams row, choose where to display the MS Teams PWA icon.
• Click Add to save the PWA settings change.
• Click Apply to finalize and create the Chromium Browser with MS Teams PWA enabled.

With the above configuration, the Chromium Browser and Teams PWA icons will appear in the Start Menu and/or on the Desktop and/or in the App Launcher. To only allow the access to Teams PWA, without enabling the access to Chromium browser:

• Open the Setup UI and go to Applications.
• Select the Chromium application and click the pencil button to edit its properties. 
• On the General tab, deselect the Show on App launcher, Show on Start Menu, and Show Desktop Icon checkboxes. 
• Click OK to save the Chromium settings changes.
• Click Apply to finalize.

Note: When launching Teams PWA for the first time, an instance of the Chromium browser will open to install the MS Teams Progressive Web Application. For subsequent launches, Teams PWA will function like a native application without opening the Chromium browser.

• Local printing support for local Chromium browser in LEAF OS

For each defined local printer, an additional instance of the same printer gets created with the '_local' suffix appended to the name. For this additional printer, based on the specified Windows Printer Driver Name, LEAF OS tries to find a suitable Linux printer driver. With that, the local Chromium web browser should be able to print. In Chromium, using the ‘See more…’ options in Printing dialog may be necessary to find the additional local printer:

In the example above, the 'HPDJ_5520' printer was defined in the device configuration. This caused the creation of two Linux printers: HPDJ_5520 (driverless, to be used in AVD, RDP, and Citrix sessions only) and HPDJ_5520_local (with Linux driver configured, to be used in Chromium browser).

• Custom Chromium policy support

Chromium policy customization file can be added Chromium browser under its Application Settings. Please refer this KB article ‘Customize local Chromium browser policy settings’ for configuration details. 

• Multiple instances of local Chromium browser (e.g., different customized Chromium policies, pre-defined bookmarks, etc.) can be created on LEAFOS, EX500W, RX420(RDP), RX540 and RX580 devices. Please refer to this article ‘Configure multiple instances of local Chromium browser’ for instructions.

• Extending the base LEAF OS functionality with custom modules and custom applications

LEAF OS is an x86-64 Linux-based operating system designed for PC and laptop repurposing. Technically, applications or drivers which can be installed in a 64-bit Ubuntu Desktop environment should also be installable on LEAF OS to expand its functionality. This is possible with LEAF OS firmware version 3.3.5 or higher versions.

3rd party applications need to be appropriately “packaged” to make them deployable to LEAF OS devices. This packaging process must be performed with care to ensure that all required components and dependencies for the application, such as libraries, system services, drivers, etc., are included. Depending on the 3rd party application specifics, different levels of Linux expertise is required to perform the packaging process. For more advanced applications, collecting the necessary dependencies might be a complicated process requiring several days of work. If you don’t feel comfortable doing it on your own, please ask your NComputing representative and we will be glad to assist with a one-time professional service fee.

The following is a list of relevant online articles describing this topic in detail:

• Overview of LEAFOS 3rd party (custom) application support
• Technical details – part 1 – How to create 3rd party custom modules for LEAFOS devices
• Technical details – part 2 – How to deploy 3rd party custom modules to LEAFOS devices
• Reference examples of packaged 3rd party ‘custom modules’ for LEAFOS devices

• Using a system extension to change the default speaker and microphone volume

The system extension needs to contain the following file:

/etc/rx-ui-params

This file can contain two parameters: microphone_default_volume and speaker_default_volume. They can be used to set the default volumes (in percents, where 100 is the maximum), as in following example:

microphone_default_volume=80
speaker_default_volume=90

Refer to the ‘Extending the base LEAF OS functionality with custom modules and custom applications’ section for more information about the system extension modules.

Networking and connectivity related:

• Authentication methods supported by the VPN clients included in LEAF OS:

• OpenVPN client – username with password, client certificate with password, and .ovpn file.
• OpenConnect VPN client – username with password, client certificate with password.
• PPTP – username with password.
• FortiClient SSL VPN client – username with password.
• IPSec:

• L2TP/IPsec VPN – pre-shared key, username with password.
• IKEv2/IPsec VPN client – client certificate with password.

• Support for Bluetooth audio devices, keyboards and mice (beta preview)

LEAF OS supports Bluetooth audio and human interface devices (keyboard and mouse). It’s end-users’ responsibility to properly pair the necessary Bluetooth devices and mark them as trusted. 

• To enable Bluetooth connectivity, select ‘Enable Bluetooth support’ option under Peripherals > Bluetooth. 
• To pair a new Bluetooth peripheral device, click on the Bluetooth icon in the system tray and select the “Devices…” option from the pop-up menu. From the display list in the pop-up menu, right-click on the new Bluetooth peripheral device you would like to pair and select ‘Connect’. Once the new Bluetooth device has been paired, right click on this device again and select ‘Trust’. 
• On next bootups, LEAF OS will try to automatically reconnect the Bluetooth devices which have been paired and marked as trusted. 

The preferred Bluetooth audio profile can be selected under Peripherals > Bluetooth:

• Select automatically – Bluetooth audio profile will be selected automatically according to device preferences. This option will allow the user to manually change the profile by right-clicking the Bluetooth icon in the system tray and going to Devices.
• A2DP – High quality audio playback profile will be set (when supported by the device). Microphone will not be supported.
• Headset – The bidirectional headset profile, which is good for communication applications, will be set (when supported by the device).

Other device settings related:

• Simple Certificate Enrollment Protocol support

LEAF OS allows using the Simple Certificate Enrollment Protocol for obtaining the Certification Authority and client certificates, which can then be used for the 802.1x network authentication with the TLS protocol. The SCEP settings can be configured on the Security > SCEP page of the Setup UI.

The configurable parameters are:

• Use SCEP for certificate enrollments – When selected, the device will use the SCEP protocol to obtain the Certification Authority and client certificates.
• SCEP server URL – The address (IP or hostname) or URL of the SCEP server. When only an address is specified, the SCEP server URL will be composed by prepending the ‘http://’ protocol scheme and appending the ‘/CertSrv/mscep/mscep.dll’ path. For example: if ‘scep.company.local’ would be specified as SCEP server URL, the actual URL would become: ‘http://scep.company.local/CertSrv/mscep/mscep.dll’. This will work when the Microsoft Network Device Enrollment Service (NDES) will be used as the SCEP server. When using an SCEP server other than Microsoft NDES, the complete URL should be specified, not just an address.
• SCEP challenge password source – Two options are selectable here: Specified below and NDES admin page. 

• Specified below – The SCEP challenge password will be taken from the SCEP challenge password field of SCEP settings. This option makes sense when the SCEP server is configured with a static SCEP challenge password. 
• NDES admin page – This option has been designed to allow using dynamic (one-time) SCEP challenge passwords. The SCEP challenge password will be obtained from the NDES admin page before creating each certificate signing request, which will be sent through SCEP then. If the specified SCEP server URL is just an address, then the URL of the NDES admin page will be composed by prepending the ‘https://’ protocol scheme and appending the ‘/CertSrv/mscep_admin/’ path. For example: if ‘scep.company.local’ would be specified as SCEP server URL, the actual NDES admin page URL would become: ‘https://scep.company.local/CertSrv/mscep_admin’. As the name of the option suggests, this will only work with Microsoft NDES. When a complete URL is configured as SCEP Server URL, then the same URL will be used as NDES admin page URL, only the scheme will be changed to ‘https://’. This will not work with NDES. For that reason, when using Microsoft NDES as SCEP server, we advise to only specify the server address (not the full URL) as the SCEP server URL.

• SCEP challenge password – The (usually static) SCEP challenge password to be used when creating certificate signing requests.
• NDES admin user name – The name of the Active Directory user permitted the access to the NDES admin page. It will be used when obtaining the SCEP challenge password from the NDES admin page.
• NDES admin user password – The password of the NDES admin user.
• Certificate subject type – Two options are selectable here: Device name only and Device name with DNS domain.

• Device name only – Only the current device name from the General > Device name settings will be used as the Common Name and Subject Alternate Name in the requested client certificate. E.g., LEAF681DEF38CF69.
• Device name with DNS domain – The current device name from the General > Device name settings with the DNS domain name (obtained from DHCP or configured statically) will be used as the Common Name and Subject Alternate Name in the requested client certificate. 
  E.g., LEAF681DEF38CF69.company.local.

No other components than the Common Name will be included in the subject of the requested client certificate.

• Private key length – Selection of the private key length: 1024, 2048, or 4096 bits.
• Keep the old private key when renewing the certificate – When selected, the already present private key will be re-used when renewing the certificate. Otherwise, a new private key will be generated when renewing the certificate.
• Custom parameters – This field will not be currently used.

Note: The SCEP support has only been tested with the Microsoft Network Device Enrollment Service (NDES) acting as SCEP server. The NDES admin page selection for the SCEP challenge password source will only work when NDES and only when an address (not a URL) has been specified as SCEP server URL.

Information about the Certificate Authority certificate and client certificate currently stored on the LEAF OS device will be displayed above the SCEP settings on the Security > SCEP page of the Setup UI.

• Using the SCEP-obtained client certificates for 802.1x network authentication 

The Certification Authority and client certificates obtained with the SCEP protocol can be used for the 802.1x Ethernet and Wi-Fi network authentication with the TLS method. For this purpose, two new parameters have been added to Enterprise (802.1x) Ethernet and Wi-Fi network settings in LEAF OS 6.7.2 or newer version: CA certificate source and Client certificate source. Two selections are possible for both of them: Device configuration and SCEP.

• Device configuration – The certificate will have to be selected in device configuration, as it was in all older LEAF OS versions.
• SCEP – The certificate obtained with SCEP will be used.

Practical deployment advise: 

As the 802.1x network access control standard disallows the network access from devices which cannot authenticate themselves, the LEAF OS device, to be able to make use of the SCEP protocol for obtaining the certificates necessary for 802.1x authentication, must be first temporarily connected to some open network. This open network should allow the device to connect to PMC Endpoint Manager, which should provide to the device the configuration which will: 1. contain the SCEP settings, and 2. contain the 802.1x network settings (including the options to enable 802.1x support with the TLS authentication method and to use the SCEP-obtained certificates for 802.1x authentication). Alternatively, assuming that the final destination of the deployed devices will allow fallback to an open network (e.g., to a guest VLAN), the fallback network should allow access to PMC Endpoint Manager which will provide the necessary configuration. The devices, once configured in the fallback network, should be able to automatically switch to the secured network, as they will already have all the information (especially the SCEP-obtained certificates) necessary to successfully complete the 802.1x authentication.

• Custom device naming

Before LEAF OS version 6.7.2 it was possible to configure a custom LEAF OS device name by specifying it in device’s General settings. The configured device name will be used by the DHCP client when requesting IP configuration, it gets reported to PMC during check-in, so it can be used to identify the device in PMC, also the VDI clients report the device name to the session hosts which in turn make it available for the applications through the CLIENTNAME environment variable. In older LEAF OS versions, the default device name was set to ‘LEAF’ with the MAC address of the Ethernet or (in absence of Ethernet) Wi-Fi network interface appended. 

LEAF OS allows automating the device naming based on configurable rules. The device name prefix, its body (which can be parts of the MAC address), and the suffix are now configurable on the General > Devie Name page of the Setup UI. Following settings are available:

• Specified – The freely specified device name, as in previous LEAF OS versions.
• Set automatically – The device name will be set automatically based on the configured rules.
• Prefix – The device name prefix. 
• Body – The body (middle part) of the device name. 6, 8, 10, or 12 (the whole) characters of the Ethernet or Wi-Fi interface MAC address.
• Suffix – The device name suffix. 

After resetting the device to factory defaults, the prefix will be set to ‘LEAF’, the body will be set to ‘whole MAC address’, and the suffix will be empty. With such settings, the default device name will be set in the same way as it was in the previous LEAF OS versions.

• Support for the Virtual Cable UDS Enterprise virtualization environment

UDS Enterprise client has been updated to version 4.0 in LEAF OS 6.7.2 and newer versions. This client will be launched when the UDS Enterprise connection will be initiated in the Chromium browser and when the ‘RDP Tunnel for Desktop’ will be used for establishing the connection. The RDP Settings, which are configurable for the Chromium browser application, will be taken into account then. Especially, the type of the RDP client used for the connection initiated through Chromium browser can be selected. Selecting the AVD client as client type allows the UDS Enterprise users to benefit from the Microsoft Teams optimization. 

• AuthX passwordless authentication

LEAF OS 6.7.2 and newer versions contain the AuthX Authenticator application integrated. It allows using the RFID cards to quickly reconnect or disconnect Microsoft RDP or Citrix sessions. 

As this feature is still at technical preview stage, the AuthX Authenticator app needs to be set up as a system application. Following parameters need to be configured when defining the AuthX Authenticator app:

General settings:

• Application type – Select System Application.
• Display name – The application name to be presented to the users, e.g. AuthX Login.

Application settings:

• Icon path – Specify: /opt/AuthX/authx.ico
• Command path – Specify: /opt/AuthX/authx_launcher
• Application ID – Specify: AuthX

Following named parameters must be added to the System Application definition with the values taken from your AuthX-protected application settings in AuthX Portal:

• application_id – The AuthX Application ID.
• application_key – The Application key.
• api_server_url – The Application URL.
• citrix_path – Must be set to: /opt/Citrix/ICAClient.

• Touchscreen support

LEAF OS provides built-in touchscreen identification tool for dual touchscreen setups (primary & secondary display).

• On-screen keyboard

The ‘onboard’ on-screen keyboard is integrated in LEAF OS. The on-screen keyboard can be configured on the Keyboard and Mouse > On-Screen Keyboard Settings page of Setup UI.

• Configurable power button custom actions

The LEAF OS device can be configured to execute the following actions when the user will press the power button:

• entering the sleep mode,
• shutting down,
• rebooting,
• not performing any action.

The actions can be executed immediately or postponed for a specified period of time, when a pop-up message with a countdown counter will be displayed allowing the user to cancel the action or to select a different one.

To configure the ‘Power button actions’, go to Settings > Management > Power Button Actions.

• Using VDI clients to control access to LEAF OS applications

The VDI client applications which perform user authentication and enumerate the VDI resources prior to starting the actual terminal session and for which LEAF OS has access to user credentials can be used to control access to other LEAF OS applications. To enable this feature, the Use this application to grant access to other applications checkbox needs to be selected in Application Settings. With this feature enabled, LEAF OS will not allow the access to all other applications (hide the application icons in Start Menu, on the Desktop, and in App Launcher) until the user will successfully authenticate in the one, which has this option enabled.

Following applications can be used for this purpose:

• RDP Client (only when the RemoteApp and Desktop connections will be enabled)
• AVD Client
• Citrix Workspace app (only when the use of Citrix SelfService user interface will be not enabled)
• VERDE VDI Client

• Support for Asian multilingual input

The IBus (Intelligent Input Bus) component can be optionally enabled under Keyboard and Mouse settings for the Chinese, Korean, Japanese, and Thai keyboard layouts. This allows proper keyboard input in local Chromium, Teams, and Zoom applications.

Note: Enabling IBus is not necessary (and even not advisable) if no local LEAF OS applications are used and the user will only work in remote desktop sessions.

PMC Endpoint Manager related:

• PMC license for managing the LEAF OS devices

Each LEAF OS device comes with a perpetual license for the PMC Endpoint Manager software and first-year complimentary software maintenance update (AMP for RDP) license. After the expiration of the first-year complimentary Device AMP license, the device will not be able to receive and apply firmware updates. An extended Device AMP licenses must be purchased and allocated to each RX540 and RX580 device to allow local or remote (via PMC) firmware updates.

• PMC server auto-discovery

To automate the PMC server discovery the DHCP option 207 can be used. This DHCP option should provide a string value containing the URL in form of ‘https://<PMC_address>’, like: ‘https://pmc.company.local’, or: ‘https://10.25.40.190’. If DHCP response will not contain the 207 option, LEAF OS will attempt to use the ‘https://pmc’ URL as PMC URL. This will work if the DNS system for the current DNS domain will be able to resolve the ‘pmc’ hostname to a valid PMC IP address. Concurrently, after booting up, LEAF OS will also try to get in touch with NComputing Management Portal to obtain the information about the LEAF OS device’s AMP subscription. Management Portal’s response can contain an address or URL of PMC. In Management Portal, separate PMC addresses or URLs can be provided for the license keys redeemed on the user account and used for LEAF OS activation. If one is returned, the LEAF OS device will attempt to connect to PMC through the URL or address returned by Management Portal. Effectively, the priority of the PMC server discovery methods is the following:

• DHCP
• Management Portal
• DNS

Once a PMC URL is determined using one method, no other methods will be tried. LEAF OS will keep trying to use the first auto-discovered URL even if the PMC connection through that URL will fail. 

• Using PMC Endpoint Manager for device screen shadowing

The software components allowing device screen shadowing from PMC act as yet another VNC viewer application. The VNC screen shadowing feature needs to be enabled on the devices for the PMC screen shadowing feature to work.

• Passcode-based device onboarding

When the Require passcode for device onboarding option will be activated under System Settings of PMC Endpoint Manager, then newly connecting devices will prompt the users to provide the onboarding passcode. Only if the user will provide correct onboarding passcode the device will successfully check-in and will be added to PMC’s database. This is a one-time process only. Already onboarded devices will never prompt users for any onboarding passcode.

• Using the network test tools

The results of network tests will be saved into a temporary file, which will be collected when creating a Troubleshooting File. The device will also execute the network tests when creating the Troubleshooting File on PMC administrator’s request. Appropriate test parameters (address and port) should be configured on the device before requesting the Troubleshooting File with PMC.

• Support for the device “Raise Hand” feature for easier identification of devices whose users need help 

When the device user will press the Shift-Ctrl-F2 key combination to ‘raise hand’ to PMC, PMC will display a notification and put a timestamp information into the Raised Hand column of Devices list.

• Secure Shell support

LEAF OS allows establishing Secure Shell (SSH) connections to LEAF OS Linux shell. The Secure Shell access is disabled by default and can be enabled under Management > Secure Shell settings. The user with Secure Shell access is ‘rx’ and a password must be set to allow the access.

ADDITIONAL RESOURCES

• Getting Started: LEAF OS for Citrix Guide

• Getting Started: LEAF OS for Microsoft AVD and Windows 365 Guide

• Getting Started: LEAF OS for Omnissa Horizon

• Getting Started: LEAF OS for UDS Enterprise

• Quick Install Guide: LEAF OS USB live boot

• Video Tutorial: Setup LEAF OS for Single Operation Mode

• Video Tutorial: Optimize multitasking with Multi-Application Setup

• RX420(RDP), RX440(RDP), RX-RDP+ and LEAF OS User Configuration Guide:

RX420(RDP), RX440(RDP), RX-RDP+ and LEAF OS are easy-to-use and provision. For users who want to learn how to use advanced features and/or customizations, please refer to the RX420(RDP), RX-RDP+ and LEAF OS User Configuration Guide:

https://ncomputing.box.com/shared/static/310pp20tfhh4aqc6x4nj14sxch52q360.pdf 

• PMC Endpoint management Quick Start Guide:

NComputing PMC is a endpoint management system designed and developed to remotely manage NComputing access devices. 

Please refer to the PMC Quick Start Guide:

https://support.ncomputing.com/portal/en/kb/articles/pmc-3-0-start-guide