ABOUT THE PRODUCT:

The RX540 and RX580 cloud-ready thin clients are powered by the Raspberry Pi Compute Module 5 platform, featuring 4GB and 8GB of system RAM, respectively. Designed for optimized connectivity across multiple VDI and DaaS platforms, these devices deliver exceptional performance and value.

Key features include 4K Ultra HD video support, two monitor outputs, Gigabit Ethernet, Wi-Fi connectivity, and extensive peripheral compatibility.

Engineered for Citrix, Omnissa Horizon, Microsoft (RDS, AVD, Windows 365), NComputing (vSpace Pro Enterprise, VERDE VDI, and Remote Access), and Virtual Cable UDS Enterprise, the RX540 and RX580 ensure a secure, seamless computing experience for accessing virtual desktops and applications.

Both models come equipped with an integrated Chromium browser and Microsoft Teams PWA support, enabling web kiosk mode or productivity mode for direct access to web content and applications without requiring desktop virtualization.

IT administrators can efficiently manage these thin clients with NComputing PMC Endpoint Manager, ensuring streamlined deployment and centralized control. The RX540 and RX580 clients provide a high-performance, easy-to-deploy virtual desktop solution, ideal for SMBs, SMEs and Enterprises utilizing DaaS or VDI environments.

Features highlights:

• Powered by LEAF OS – A secure, Linux-based operating system optimized for high-performance access to virtual desktops and cloud workspaces. LEAF OS offers flexible deployment and supports multiple virtual desktop platforms.
• Comprehensive Virtualization Support – Compatible with Citrix, Omnissa Horizon, Microsoft Windows 365 Cloud PC, Microsoft AVD, Microsoft RDS, VERDE VDI & Remote Access, vSpace Pro Enterprise, and Virtual Cable UDS Enterprise for DaaS and VDI environments.
• Optimized Microsoft Teams Experience – Enhanced support for Citrix, Microsoft AVD, Windows 365, RDP, VERDE VDI, and UDS Enterprise sessions, ensuring smooth video conferencing.
• Integrated Web Access – Features a local Chromium browser and Microsoft Teams PWA, allowing direct access without requiring a full VDI desktop.
• Dual Display Support – Native dual-screen output with up to 3840 x 2160 resolution on RX540 and RX580.
• Built-in VPN Support – Compatible with OpenVPN, OpenConnect, Fortinet, IPsec, and PPTP for secure remote access.
• Reliable Connectivity – Options for Gigabit Ethernet or built-in 5GHz/2.4GHz 802.11 b/g/n/ac Wi-Fi with Personal and Enterprise 802.1x security.
• Enhanced Streaming Performance – Supports NComputing vCAST Streaming technology and SuperRDP software (separate license required).
• Extensive Peripheral Compatibility – Broad USB device support and multi-touch screen functionality (on the primary display).
• Customizable Power Management – Configurable power button actions with sleep mode support.
• Simplified IT Management – Seamless remote management via PMC Endpoint Manager software.
• Cost-Effective & Energy-Efficient – Designed for low total cost of ownership and minimal power consumption.

SUPPORTED VIRTUAL DESKTOP ENVIRONMENTS

• Citrix Desktop Virtualization

• Citrix DaaS
• Citrix Virtual Apps and Desktops 7 1808 or newer
• Citrix StoreFront 3.0 or newer, StoreFront 1811 or newer (including connections through Citrix Gateways)
• Citrix XenApp/XenDesktop 7.6 or newer
• Citrix Web Interface 5.4 

• Omnissa

• Omnissa Horizon Cloud
• Omnissa Horizon 8 version 2006 and later
• VMware Horizon 7 version 7.13 and later

• Microsoft Azure Virtual Desktop (AVD)

• Deployments in Azure Commercial Cloud

• AVD (ARM-based) – formerly known as Spring 2020 release
• AVD (Classic) – formerly known as Fall 2019 release

• Deployments in Azure Government Cloud

• Microsoft Windows 365 – Cloud PC
• Microsoft Remote Desktop Services (RDS)

• Microsoft Windows Server systems:

• Windows Server 2025
• Windows Server 2022
• Windows Server 2019
• Windows Server 2016
• Windows Server 2016 (Multipoint Services)
• Windows Server 2012 R2
• Windows Server Multipoint Server 2012
• Windows Server 2008 R2

• Microsoft Windows desktop systems:

• Windows 11
• Windows 10
• Windows 8.1
• Windows 7

• NComputing VERDE VDI, VERDE Secure Browser, and VERDE Remote Access (version 8.2.8 or higher)
• NComputing vSpace Pro Enterprise (version 12.9.2 or higher)

• Added support for the new ‘UXP Turbo (H.264)’ protocol.

• Virtual Cable 

• UDS Enterprise 4.0

SUPPORTED APPLICATIONS

Following desktop virtualization clients are present in RX540 and RX580 devices:

• AVD Client (for AVD and Windows 365) 
• Citrix Workspace App Client
• Omnissa Horizon Client
• RDP Client
• VERDE VDI Client
• vSpace Client
• Virtual Cable UDS Enterprise Client

RX540 and RX580 device firmware also comes with an integrated local application support for extended functionality without solely relying on the desktop virtualization environment.

The built-in local applications are:

• Chromium browser
• Microsoft Teams PWA (Progressive Web Application)

CITRIX WORKSPACE APP FEATURES

• Citrix Workspace app for Linux (version 2411) integration
• Microsoft Teams optimization for smoother video conferencing
• Browser Content Redirection (BCR) support
• H.264 (video codec) support
• HDX Adaptive Transport (Enlightened Data Transport protocol) support
• Session Reliability (Common Gateway Protocol) support
• Dual display with independent screen rotation
• Desktop Viewer Toolbar support
• Support for StoreFront application subscriptions
• Guest mode and auto-launch support
• Support for peripheral devices:

• USB webcams
• USB and network printers
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio (beta preview)
• USB smart card readers and security keys
• Serial ports
• Other USB devices through Generic USB redirection

• Citrix custom parameters support
• Ability to launch Citrix sessions with native Citrix Workspace app engine from local web browser
• Please refer to the ‘Getting Started: LEAF OS for Citrix Guide’ for step-by-step procedures.

OMNISSA HORIZON CLIENT FEATURES

• Omnissa Horizon Client for Linux (version 2503) integration 
• Omnissa Blast & PCoIP protocol support
• Omnissa Blast H.264 Decoding
• Multimedia Redirection (MMR) support
• Dual display with independent screen rotation
• Drop down menu bar support
• Guest mode and auto-launch support
• Ability to remember last logged user name
• Support for peripheral devices:

• USB webcams
• USB and network printers
• Document scanner
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio
• USB smart card readers and security keys
• Serial ports
• Other USB devices through Generic USB redirection

• Please refer to the ‘Getting Started: LEAF OS for Omnissa Horizon’ for step-by-step procedures.

AZURE VIRTUAL DESKTOP AND WINDOWS 365 CLIENT FEATURES

• Multi-Factor Authentication (MFA) and conditional MFA support
• Support for RemoteApp programs and desktops
• Kiosk mode auto-login
• Audio/video (AV) Optimization support for Microsoft Teams in Azure Virtual Desktop (AVD), Windows 365, and RDP sessions
• RDP Shortpath (UDP-based transport protocol)
• Support for peripheral devices:

• USB webcams
• USB and network printers
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio (beta preview)
• USB smart card readers and security keys (support for in-session authentication)
• Multi-touch touchscreens support
• Other USB devices through Generic USB redirection

• Clipboard redirection support
• Native dual display support with independent screen rotation
• Please refer to the ‘RX-Series Thin Client AVD and Windows 365 Setup Guide’ for step-by-step procedures.

VIRTUAL CABLE UDS ENTERPRISE CLIENT FEATURES

• UDS Enterprise Client for Linux (version 4.0) integration
• Support for UDS Enterprise virtual applications and desktops
• Support for Microsoft Teams optimization (audio/video) when using AVD client type in RDP sessions
• Support for peripheral devices:

• USB webcams
• USB and network printers
• USB mass storage devices
• Digital (HDMI, DisplayPort, S/PDIF), analog, USB, and Bluetooth audio (beta preview)
• USB smart card readers and security keys 
• Multi-touch touchscreens
• Other USB devices through Generic USB redirection

• Native dual display support with independent screen rotation
• Please refer to the ‘Getting Started with LEAF OS for UDS Enterprise’ for step-by-step procedures.

INTEGRATED VPN CLIENTS

• OpenVPN, OpenConnect VPN, PPTP, IPSec/L2TP, IPSec/IKEv2, and FortiClient SSL VPN

SUPPORTED ENDPOINT MANAGEMENT SYSTEMS

• Device configuration version used by this RX540 and RX580 version:

This firmware utilizes a corresponding device configuration version when operating on the RX540 and RX580. The PMC configuration update (PCU) file equips PMC with the necessary information to effectively manage this firmware version.

• PMC Endpoint Manager (version 4.1.1 or higher):

RX540 and RX580 devices come with a perpetual license to use PMC Endpoint Manager. These devices can be easily configured using PMC Endpoint Manager software. An admin can remotely manage RX540 and RX580 devices over local and wide-area networks, including locations behind firewalls and NAT-routers through an easy-to-use, web-based user interface. 

PMC allows automatic discovery, check-in, and configuration provisioning of new devices, making the deployment easy. Administrators can setup device profiles with all settings and configurations, then assign the profiles to groups of devices. Only a few clicks are needed to schedule device firmware updates, access the summary dashboard or view the detailed event logging. Users are always up-to-date with the latest technology.

• vSpace Console (only available in vSpace Pro Enterprise desktop virtualization):

Included in the vSpace Pro Enterprise Edition release (version 12.9.2 or higher), vSpace Console can manage a subset of RX540 and RX580 device configuration related to vSpace configuration parameters and provide integrated user session management of RX540 and RX580 devices (e.g. Multi-View, remote view, take over, message, stop/pause). 

FIRMWARE UPDATE INSTRUCTIONS

The firmware update (including the download of firmware package) can take a few minutes. Please do not turn off your device during this time. Once the firmware update is complete, the device will reboot automatically.  

• Updating the firmware locally

The device firmware can be updated manually from the Setup GUI with a firmware update package uploaded to an FTP or a web server or from a locally connected USB memory stick:

• For FTP or web server (URL):

• Upload the ‘firmware update package file (.upd) into your FTP or RX540 and RX580 devices open the Setup GUI and go to the ‘Support’ section.
• Enter the FTP or HTTP URL of the firmware update package and click the ‘Update’ button.

• For a locally connected USB memory stick:

• Download the latest .upd firmware package and save it to a USB memory stick.
• Insert the USB stick to RX540 and RX580 device.
• On the RX540 and RX580 device, open the Setup GUI and go to the ‘Support’ section.
• Select ‘Update from the USB memory stick’ radio-button, select the firmware update file displayed in the pop-up, and click the ‘Update button’.

Once the device finishes downloading the firmware update package, the firmware update process will start and will take a while (around half a minute). The process should not be interrupted. Firmware update will end with a device reboot.

• Updating firmware from PMC 

The device firmware can be updated from any version of PMC. Follow the steps below to perform the firmware update on remote RX540 and RX580 devices:

• Logon to PMC as a user with administrative privileges, open the Menu, go to Administration > Files.
• Select Firmware Image as file type.
• Click the Choose file button and select the latest .upd file.
• Click the Upload file button to upload the firmware package.
• In PMC 4.1 or newer:

• Open the Menu, go to Devices.
• Select the devices which should receive the firmware update.
• Execute the Update Firmware task of the Devices list.
• Select the latest .upd firmware package.

• Schedule the update date and time or opt to update now.
• Click the [Apply] button.

If Update now was chosen, then within 30 seconds the device will receive a request to initiate the firmware update. For remote devices the process can be followed by observing the Audit Events log on Dashboard. The firmware update process will take a while and should not be interrupted. Firmware update will end with a device reboot.

ADDITIONAL NOTES

User interface with workspace concept:

• LEAF OS workspace user interface 

RX540 and RX580 devices adopt LEAF OS workspace user interface. The desktop icons allow easier access to local RX540/RX580 applications and to resources published in VDI environments, simplify the multi-tasking, and improve the overall user productivity. 

The applications and published resources can be accessed through the icons presented on the Desktop, in Start Menu, or in the App Launcher:

Newly created applications will, by default, be shown on the Desktop and Start Menu. Customers preferring to configure the devices as a locked-down kiosks (without any icon to be shown on the Desktop, Start Menu, or App Launcher, and with Auto-Launch) should deselect the Show on App Launcher, Show on Start Menu, and Show Desktop icon options, select Auto-launch, and choose Restart as Action on exit. This can be done by editing the application under Settings > Applications. Please refer to this KB article on how to setup locked-down kiosk mode in LEAF OS. The information from this article applies to RX540 and RX580 device models.

• Ability to rescale the LEAF OS desktop and applications

When using high-resolution displays, especially 4K, it may be beneficial to upscale the RX540/RX580 GUI components, to make them appear bigger and thus become better readable. Scaling factors from 100% (which is the default, meaning no scaling) to 200% are selectable under Display settings. The RX540/RX580 components which will respect the scaling selection are:

• Desktop (the desktop icons),
• Taskbar,
• Setup UI,
• Logon windows of client applications (AVD, RDP, VERDE VDI), the server chooser of vSpace Client, RDP sessions, AVD sessions.

Note: The scaling ratio of some LEAF OS applications might be silently adjusted to a value accepted by the application or kept set to 100%, if the application does not support scaling.

AVD, Windows 365 and RDP clients related:

• AVD Client connection configuration

The RX540 and RX580 firmware supports connections to Microsoft Azure Virtual Desktop deployments hosted in Microsoft Azure cloud. When the AVD Client will be added to Applications list, then, under Application Settings, the AVD release version matching customer’s deployment(s) should be selected. The ARM-based or Windows 365 (formerly known as Spring 2020) AVD release will be selected by default. The AVD Classic (Fall 2019) or Azure Government releases can be selected alternatively.

• Accessing published AVD resources

After logging into the AVD account, user will be presented with a list of AVD published resources. The resource listing can be expanded or collapsed by clicking at the top-level category. Double-clicking on any RemoteApp or desktop icon allows launching the resource. The taskbar at the bottom of the screen can be used to manage multiple opened applications.

• AVD Client connection in Kiosk Mode

The Kiosk Mode settings allow the user to automatically login to his/her AVD account and, if required, automatically launch a particular Windows application or desktop. 

The Domain field allows pre-configuration of the Azure Active Directory domain name. Preconfiguring a domain name will simplify user logon, as the user will only need to provide their names, without the ‘@domain name…’ suffix. Please note that multifactor authentication (MFA) is not supported when Kiosk Mode is enabled.

• Using the RX540 and RX580 device as Windows 365 Cloud PC client

In the AVD Client application, under Application Settings, the AVD (ARM-based) or Windows 365 release needs to be selected to be able to connect to Microsoft Windows 365 Cloud PC.

• Microsoft Teams optimization (audio/video) in AVD, Windows 365, and RDP sessions

In optimized Microsoft Teams application, audio and video streams are offloaded from the virtual desktop or remote desktop session and processed locally on the client device. This helps reduce network bandwidth usage and improves overall user experience by minimizing latency and providing smoother video conferencing.

To enable Teams AV optimization, both server-side and client-side needs to be configured.

Server-side configuration: 

• Refer to “Use Microsoft Teams on AVD” document for the information.
• For Microsoft Teams audio/video optimization in AVD, Windows 365, and RDP sessions:

• Following registry key needs to be created prior to Teams installation: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams
• Following value must exist in the Teams key: 
  IsWVDEnvironment (DWORD) = 1
• Remote Desktop WebRTC Redirector version 1.50 or higher must be installed. The latest version can be found on the Microsoft website here.  The WebRTC Redirector Service is a necessary component to optimize the Microsoft Teams experience on Windows AVD, Windows 365, and Remote Desktop Services.

Client-side configuration:

• For AVD and Windows 365 connections:

• In AVD Client application, under Application Settings, select the Enable Microsoft Teams optimization checkbox.

• For RDP connections:

• In RDP Client application, under Application Settings, select AVD as Client type and select the Enable Microsoft Teams optimization checkbox.

• Support for AAC audio codec in AVD client
  The AAC (Advanced Audio Coding) audio codec reduces the amount of audio data sent from the session host to AVD client when playing audio. This can be beneficial for audio latency sensitive applications (e.g., VoIP, WebRTC, etc.) By default, the PCM (Pulse Code Modulation) audio codec is used by the AVD client. PCM codec requires more network bandwidth to transmit the audio data.

To enable the AAC audio codec:

• For AVD and Windows 365 connections:

• In AVD Client application, under Application Settings, select the Enable AAC audio codec checkbox.

• For RDP connections:

• In RDP Client application, under Application Settings, choose AVD as Client type and select the Enable AAC audio codec checkbox.

• RDP Shortpath support (direct UDP-based transport) for AVD and Windows 365 sessions
  The RDP Shortpath feature enables direct, UDP-based, transport between the AVD client and the AVD or Windows 365 session host. Thanks to reduced overhead of the UDP protocol, RDP Shortpath greatly enhances overall user experience.

To enable RDP Shortpath, both server-side and client-side needs to be configured.

Server-side configuration: 

• Refer to “Configure RDP Shortpath for AVD” document for the information.

Client-side configuration:

• In AVD Client application, under Application Settings, select the Enable RDP Shortpath checkbox.

• Clipboard redirection support for AVD and Windows 365 clients can be enabled or disabled in AVD settings.
• RDP Client connection configuration

The RX540 and RX580 firmware supports RemoteApp and Desktop Connections. The parameters necessary for the RDP Client connection are different depending on the RemoteApp support being enabled or not.

• RemoteApp and Desktop Connections not enabled: The RDP Client connects directly to specified Remote Desktop Session Host. 
• RemoteApp and Desktop Connections enabled: The RDP Client first communicates with the specified Remote Desktop Web Access server (which cooperates with Remote Desktop Connection Broker; both must exist in the RDS deployment). The Remote Desktop Web Access server URL must be specified in RDP Client application configuration. This URL can be entered in simplified or full form, e.g.:

• 192.168.50.7 – will be expanded to: https://192.168.50.7/RDweb
• rdwa – will be expanded to: https://rdwa/RDWeb
• rdwa.company.local – will be expanded to: https://rdwa.company.local/RDWeb
• https://rdwa.company.local/RDWeb - will be used as is.

• Ability to select RDP client type 

The AVD client can be used for on-prem RDP connections. Users can benefit from the features which are available in the AVD client (which is based on official Microsoft Linux client SDK), but absent in the standard RDP client, especially from Microsoft Teams Optimization.

• Using custom parameters for RDP connections

The RX540 and RX580 firmware allows specifying custom parameters for RDP connections. If multiple custom parameters must be specified then they should be separated by the “;” (semicolon) character.

Note: Custom parameters can be specified separately for the RDP and AVD client type selections. The syntax of the custom parameters for both client types is different. Please refer to FreeRDP documentation for the information about supported parameters for the RDP client type selection: https://github.com/FreeRDP/FreeRDP/wiki/CommandLineInterface

• RD Session Host, AVD, and Windows 365 virtual machine configuration for best user experience

The RDP and AVD clients integrated in RX540 and RX580 devices support the use of H.264/AVC encoding (Advanced Video Codec) in RDP, AVD and Windows 365 sessions. Using AVC ensures the best user experience. To take advantage of this H.264/AVC graphics mode, following Group Policy setting must be enabled: 

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment: Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections. 

This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

Refer to this KB article on how to setup.

• RD Session Host, AVD and Windows 365 virtual machine configuration for webcam redirection

The RDP and AVD clients integrated in RX540 and RX580 devices support the native (functional) redirection of USB webcams. To ensure proper webcam redirection, please make sure that the following Group Policy setting is not enabled:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection: Do not allow video capture redirection

This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

Additionally, each user under Settings > Privacy > Camera, needs to allow the applications to access the camera. 

Note: Webcams described as driverless Windows webcams (webcam not requiring any special vendor drivers to work on Windows) or Video for Linux version 2 compliant webcams should work. To preserve the network bandwidth when using redirected webcams, the device firmware tries to use the H.264 encoder to compress the webcam’s video stream before sending it to RDP or AVD session.

• RD Session Host, AVD and Windows 365 virtual machine configuration for printers redirection

The RDP and AVD clients integrated in RX540 and RX580 devices support the native (functional) redirection of local printers. USB and network printers are supported. To ensure proper printers redirection, please make sure that the following Group Policy setting is not enabled:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection: Do not allow client printer redirection

Printer drivers appropriate for the redirected printers must be installed on the RD Session Host, AVD or Windows 365 VM for successful printers redirection. ‘x64, Type 3 – User Mode’ printer drivers need to be installed. The ‘Remote Desktop Easy Print’ driver cannot be used with printers redirected from RX540 and RX580 thin clients. To prevent the attempts to use this unsupported driver, the following Group Policy setting can be disabled in Computer Configuration or User Configuration:

Computer/User Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Printer Redirection: Use Remote Desktop Easy Print printer driver first

The above mentioned Group Policy settings can be deployed through Active Directory Group Policy Objects or, in simplest case, they can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

Following are the topics to consider when planning to use the native/functional redirection of printers in RDP, AVD or Windows 365 sessions:

• Locally connected USB printers and network printers supporting the JetDirect protocol (also known as RAW or AppSocket) can be used with native redirection.
• Low-cost GDI printers should be avoided, as they may not work properly. More advanced printers understanding the PCL, PostScript, and/or other high-level page description languages are advisable and should work.
• Functional redirection of printers requires the installation of appropriate Windows printer driver on the remote machine running the RDP session. The literally spelled name of the Windows printer driver must be entered in the Windows printer driver name field when adding a printer for native redirection. 
• Even though the Windows printer driver name often matches the USB printer identification string obtained from the USB printer during the detection process, this is not a general rule. For some USB printers the Windows printer driver name automatically populated when detecting the printer will have to be edited to match the real name of the Windows printer driver installed on the remote server. 
• The ‘type 3’ drivers for Windows x64 architecture should be selected for installation. ‘Type 4’ drivers are known to cause issues with functional redirection of printers.
• The list of Windows printer drivers installed on a Windows machine (with the information about class and architecture) can be obtained with the following command executed in Command Prompt:

wmic /NameSpace:\\Root\CIMV2 path Win32_PrinterDriver GET Name

• RD Session Host, AVD and Windows 365 virtual machine configuration for smart cards redirection

The RDP and AVD clients integrated in RX540 and RX580 devices support the native (functional) redirection of smart cards (smart card readers). CCID-compliant, ReinerSCT and ACS smart card readers are supported. To ensure proper smart cards redirection, please make sure that the following Group Policy setting is not enabled:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection: Do not allow smart card device redirection

This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

• RD Session Host, AVD and Windows 365 virtual machine configuration for Generic USB redirection of peripheral devices

The RDP and AVD clients integrated in RX540 and RX580 devices support the Generic USB redirection of peripheral devices. In latest Windows Server and Windows desktop operating systems, the ‘Do not allow supported Plug and Play device redirection’ Group Policy setting is enabled by default (when not configured), which prevents the Generic USB redirection of the peripheral devices. This Group Policy setting can be found under ‘Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection’. To be able to use the Generic USB redirection of RX540 and RX580 peripheral devices, this policy must be explicitly disabled. This Group Policy setting can be deployed through Active Directory Group Policy Objects or, in simplest case, it can be configured on the local machine with Local Group Policy Editor (gpedit.msc).

In Windows Server 2012 R2, Windows 8.1 and older Windows server and desktop operating systems the Remote Desktop Services by default allows the redirection of supported plug and play devices, thus the ‘Do not allow supported Plug and Play device redirection’ Group Policy setting does not need to be altered.

• Server CPU load in RDP 8 sessions with RemoteFX enabled

Enabling the RemoteFX feature for Remote Desktop connections greatly improves user experience in legacy Windwos OS versions by providing very good GUI performance. This is thanks to optimized algorithms used to encode the areas of the session screen which contain dynamically changing contents (like videos or animations). Ideally the screen encoding on the server side should be accelerated by supported graphics cards. Leveraging server CPUs for RemoteFX screen encoding can cause high load and effectively limit the per-server user density.

• Kiosk mode application auto-start

Latest versions of Windows operating systems favor RemoteApp publishing  and do not allow launching applications with executable program paths specified on the client side. This functionality can be re-enabled by modifying the Windows registry:

Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList
Registry value: REG_DWORD fDisabledAllowList
Registry value data: 1

Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
Registry value: REG_DWORD HonorLegacySettings
Registry value data: 1

Published RemoteApp program or desktop will be automatically started when program or desktop name will be specified as Application in RDP Client application’s Kiosk Mode settings.

• vCAST support in RDP sessions

Support for vCAST Web Streaming and vCAST VLC Media Streaming in RDP sessions started from RX540 and RX580 devices requires installation of the NComputing SuperRDP Server Pack software on the Remote Desktop machine. The NComputing SuperRDP server pack is available through your reseller (SKU: SuperRDP-PREM-VC-P).

• vCAST limitations

The vCAST Web Streaming and vCAST Media Streaming technologies require the client device to use optimized display drawing to work properly. Such optimized drawing methods are only available when the terminal session runs in full-screen desktop mode. For that reason, vCAST is not supported in published RemoteApp programs. RemoteApp desktop sessions run in full-screen mode and support vCAST.

Note: For vCAST support in RDP sessions, the SuperRDP software must be installed on the remote machine.

The vCAST Media Streaming technology can only offload to the client device H.264-encoded media contents. For other formats, the VLC player needs to have the ‘Windows GDI’ video output selected under Video output settings.

Citrix Workspace App related:

Following Citrix Workspace app settings can be configured:

• Store URL – the URL of the Citrix Store the Citrix Workspace app will connect to. Store URL must generally be an HTTPS URL. For successful communication, the Citrix Workspace app components must not encounter any issues related to the Store URL certificate. Especially, the SSL certificated of the web server hosting Citrix Store must be signed by a Certificate Authority the device trusts. If the certificate has not been issue by a well-known and commonly-trusted Certification Authority, then the certificate of the Root Certification Authority (and depending on how the certificate chain presented by the web server looks like, possibly also the certificates of Intermediate Certification Authorities) will have to be added to RX540/RX580 device. This can be done under Security settings. Please refer to the dedicated section below.
• Show Citrix SelfService user interface – when enabled, the original SelfService user interface of Citrix Workspace app will be presented to the user. When disabled, NComputing’s own implementation of Citrix published resource list will be used. Certain functionalities are only available when this option will be disabled.
• Guest mode – when enabled, the information cached by Citrix Workspace app (e.g., the list of published resources and their icons) will be wiped out from the device when the user exits the Citrix Workspace app session. By default, the guest mode is not enabled, and the list of Citrix resources remains on the device, even if it is rebooted.
• Show Desktop Viewer Toolbar – when enabled, the Citrix Desktop Viewer Toolbar will appear in published desktop sessions. As the Desktop Viewer Toolbar is solely a client functionality, this setting takes precedence over the Desktop Viewer Toolbar settings possibly configured on the StoreFront or Web Interface server.
• Enable H.264 support – when enabled, the device will be ready to use the H.264 codec (also known as video codec) for the entire desktop session screen or for the actively changing regions of the desktop session screen. The H.264 codec ensures the best user experience when using multimedia applications.
  On the Citrix Virtual Desktop Agent side, the Use video codec for compression Citrix Policy setting can be used for controlling this feature. To allow the use of the H.264 codec, this policy setting should not be set to Do not use video codec. By default (when not configured), this Citrix Policy setting is set to Use when preferred, which means that the VDA machine will try to choose the best variant of the codec based on the VDA type and session behavior. To enforce full-screen H.264 encoding, the Use video codec Citrix Policy setting should be set to For the entire screen. 
  Note: The H.264 codec can effectively be used only with screen resolutions up to 1920x1080.
• Allow HDX Adaptive Transport – when enabled, the device will try to use the HDX Adaptive Transport protocol (also known as Enlightened Data Transport protocol, EDT, or UDP transport) for Citrix connections. If establishing the session with Adaptive Transport is not possible, Citrix Workspace app will fall back to TCP transport. 
  On the Citrix Virtual Desktop Agent side, the HDX Adaptive Transport Citrix Policy setting can be used for controlling this feature. To allow Adaptive Transport, this policy setting should not be set to Off. By default (when not configured), this Citrix Policy setting is set to Preferred, which means that the data transport to the VDA machine takes place over the Citrix EDT protocol, that is build on top of UDP, with automatic fallback to TCP.
• Allow Session Reliability – when enabled, the device will try to use the Session Reliability feature (Common Gateway Protocol) in Citrix connections. In case of session disconnects caused by network problems, Citrix Workspace app will freeze the session screen and will try to re-establish the connection in the background.
  On the Citrix Virtual Desktop Agent side, the Session reliability connections Citrix Policy setting can be used for controlling this feature. To allow Session Reliability, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed.
• Enable Microsoft Teams optimization – when enabled, the optimization mechanisms for Microsoft Teams will be enabled. The processing and transmission of audio and video data will happen on the client device, which will offload the network connection of the Citrix VDA machine as well as the VDA’s CPU. 
  On the Citrix Virtual Desktop Agent side, the Microsoft Teams redirection Citrix Policy setting can be used for controlling the Teams Optimization feature. To allow Teams Optimization, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed. Refer to the ‘Troubleshooting HDX Optimization for Microsoft Teams’ article from Citrix Knowledge Base for more information: https://support.citrix.com/article/CTX253754.
• Enable Browser Content Redirection – when enabled, the rendering of the contents presented by supported web browsers (Google Chrome and Microsoft Edge), when accessing configured web pages, will happen on the RX540/RX580 device. This will offload the Virtual Desktop Agent machine. 
  On the Citrix VDA side, the Browser Content Redirection Citrix Policy can be used for controlling this feature. To allow Browser Content Redirection, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed. Refer to the ‘How to Troubleshooting Browser Content Redirection’ article from Citrix Knowledge Base for more information: https://support.citrix.com/article/CTX230052.
• Auto-logoff on last session exit – when enabled, the Citrix Workspace app will be closed (and the user logged off) when the last Citrix connection of the user will be terminated.
• Start automatically, if only one application or desktop is published – when enabled, and if only one application or desktop is published for the logged in user, this published application or desktop will be started automatically. To use this option, do not enable Citrix SelfService user interface.
• Use this application to grant access to other applications – when enabled, the user will be unable to access any other RX540/RX580 applications until the Citrix authentication will be successfully completed. To use this option, do not enable Citrix SelfService user interface.
• Workspace app window size – selection of the Citrix Workspace app (Self-Service GUI) window size.
• Custom parameters – additional parameters, which can be injected into Citrix Workspace app configuration files.

Configuring custom parameters for Citrix Workspace app

RX540/RX580 firmware allows injecting new or modifying existing parameters in given sections of the following Citrix Workspace app configuration files:

• wfclient.ini
• All_Regions.ini
• module.ini

Please refer to the ‘Citrix Workspace app for Linux OEM Reference Guide’ (https://developer-docs.citrix.com/projects/workspace-app-for-linux-oem-guide/en/latest/reference-information/#configuration-files) for the information about the Citrix Workspace app configuration files, their entries, and values. 

The syntax of the custom parameters is:

<filename.ini>:[<section>]<key>=<value>;<filename.ini>:[<section>]<key>=<value>;…

• <filename.ini> must be one of the above mentioned configuration files.
• <section> is the name of the section in the configuration file, where the parameter (key) will be injected or modified.
• <key> is the name of the parameter to be injected or modified.
• <value> is the value the parameter will be set to.

Multiple custom parameters can be specified in one custom parameters line. In such case, the parameters need to be separated with semicolons (without preceding or following whitespaces).

Example:

wfclient.ini:[WFClient]HDXWebCamWidth=1280;wfclient.ini:[WFClient]HDXWebCamHeight=720

The above line defines two custom parameters for the wfclient.ini file and adds the following entries to the [WFClient] section of that file:

HDXWebCamWidth=1280
HDXWebCamHeight=720

The above will set the picture resolution of 1280x720 for the Citrix HDX Webcam redirected with the Citrix HDX RealTime Video Compression feature. 

Time zone mapping

Citrix Workspace app integrated in RX540/RX580 devices supports mapping of the client’s time zone. Time zone can be selected under Date and Time settings. 

On the Citrix Virtual Desktop Agent side, the Use local time of client Citrix Policy setting can be used for controlling this feature. To enable the mapping of client’s time zone, this policy setting must be set to Use client time zone. By default (when not configured), this Citrix Policy setting is set to Use server time zone.

Keyboard layout mapping

Citrix Workspace app sends to the Virtual Desktop Agent machine the information about the keyboard layout configured locally on the client device. The selected keyboard layout will be used in the Citrix sessions connected from the device. There is no Citrix Policy setting for controlling the keyboard layout mapping feature. This feature is enabled by default.

Deploying Certification Authority certificates

Citrix Workspace app needs to trust the issuer of the SSL server certificate presented by the web server hosting the Citrix Store. If necessary (e.g., when using organization’s own Certification Authority), to establish this necessary trust relationship, the certificates of Root and Intermediate Certification Authorities (X.509 certificates) can be added to RX540/RX580 devices. This can be done in Security settings. RX540/RX580 devices accept Base64-encoded Certification Authority certificates. The Base64-encoded X.509 certificate format is commonly known as PEM format. Please refer to the ‘Security Settings’ section of ‘LEAF OS and RX-series User and Configuration Guide’ for more information. Download link can be found in the ‘Additional Resources’ section below.

Server-side control over native/functional redirection of peripheral devices

The Peripherals settings of RX540 and RX580 devices allow selecting the redirection type for different peripheral device classes. However, these client-side settings cannot overwrite the settings, which are configured on the server side. The redirections will only work when the server will not prevent them. The following paragraphs describe the Citrix Policy settings, which can be used for controlling the native/functional redirection of peripherals on the Virtual Desktop Agent side.

Mass storage

On the Citrix Virtual Desktop Agent side, the Client drive redirection Citrix Policy setting can be used for controlling this feature. To allow the native redirection of mass storage devices, this policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed.

Audio

On the Citrix Virtual Desktop Agent side, the Client audio redirection and Client microphone redirection Citrix Policy settings can be used for controlling this feature. To allow audio output (speakers) redirection, the Client audio redirection policy setting should not be set to Prohibited. To allow audio input (microphone) redirection, both the Client audio redirection and the Client microphone redirection policy settings should not be set to Prohibited. By default (when not configured), these Citrix Policy settings are set to Allowed.

Printers

Citrix Workspace app integrated in RX540 and RX580 devices supports the native (functional) redirection of USB and network (JetDirect) printers. On the Citrix Virtual Desktop Agent side, the Client printer redirection Citrix Policy setting can be used for controlling this feature. To allow the native redirection of printers, the Client printer redirection policy setting should not be set to Prohibited. By default (when not configured), this Citrix Policy setting is set to Allowed. 

The native redirection of printers requires the printers to be defined locally on the RX540/RX580 device. When adding USB printers, a USB printer identification string needs to be specified. It can be also pulled from the USB printer, if it is connected. This serves the purpose of identifying the different USB printers, when multiple USB printer will be connected. In case of single USB printer, this field can be left empty. For each configured printer, the exact name of corresponding Windows printer driver must be specified. This driver must be installed on the Citrix VDA machine for successful printer redirection. 

The first printer from the list will be configured as the default printer and will also become the default printer in the Citrix session.

Printer drivers appropriate for the redirected printers must be installed on the Citrix VDA machines for successful printers redirection. ‘x64, Type 3 – User Mode’ printer drivers need to be installed. The Citrix universal print driver cannot be used with printers redirected from RX540 and RX580 devices. To prevent attempts to use this unsupported driver, the Universal print driver usage Citrix Policy setting can be set to Use only printer model specific drivers. 

Webcams (video devices)

There is no Citrix Policy setting for controlling the webcam redirection (actually known as HDX RealTime Video Compression) feature on the Virtual Desktop Agent side. This feature is enabled by default.

Smart cards readers

Citrix Workspace app integrated in RX540/RX580 supports the native (functional) redirection of smart cards (smart card readers). CCID-compliant, ReinerSCT, and ACS smart card readers are supported.

There is no Citrix Policy setting for controlling the smart cards redirection feature on the Virtual Desktop Agent side. This feature is enabled by default.

Serial ports

The /dev/ttyUSB0, /dev/ttyUSB1, /dev/ttyACM0 and /dev/ttyACM1 serial devices will be redirected as client’s COM1, COM2, COM3 and COM4 ports, accordingly.

On the Citrix Virtual Desktop Agent side, the Client COM port redirection Citrix Policy setting can be used for controlling this feature. To allow the native redirection of serial ports, this policy setting must be set to Enabled. By default (when not configured), this Citrix Policy settings is set to Disabled. 

Generic USB redirection of peripheral devices

Citrix Workspace app integrated in RX540 and RX580 devices supports the Generic USB redirection of most peripheral device classes (excluding the smart card readers). However, wherever possible the native redirection should be used, as in the majority of cases it is the most reliable and best optimized redirection method. The Generic USB redirection should generally be used only as the last resort method for device classes (like HID devices), for which no native redirection method exists. RX540/RX580 firmware tries determining the USB classes of connected USB devices and only attempts to use the Generic USB redirection for that device, where the Generic method has been really selected. USB devices which in their USB descriptors contain the Vendor Specific Class (0xFF) cannot be automatically categorized by the device firmware and must be added to the Custom VID:PID list to be redirected in the Generic way. 

This can be configured under Peripherals > Custom Devices, when the General redirection policy is set to Custom.

On the Citrix Virtual Desktop Agent side, the Client USB device redirection Citrix Policy setting can be used for controlling this feature. To enable the generic redirection of USB devices, this policy setting must be set to Allowed. By default (when not configured), this Citrix Policy setting is set to Prohibited.

Other considerations regarding Citrix Workspace app

• Launching Citrix sessions from Chromium browser

RX540 and RX580 devices allow launching Citrix sessions from the Chromium browser. All applicable Citrix Workspace app settings and Peripherals settings will be respected when launching Citrix sessions from the Chromium browser.

• Redirection of FIDO2 security keys into Citrix sessions

Citrix Workspace app included in RX540 and RX580 devices contains all the components necessary to redirect the FIDO2 security keys, but the feature itself is disabled by default. To enable the redirection of FIDO2 security keys, the following custom parameter needs to be added under Citrix connection settings:

module.ini:[ICA 3.0]FIDO2=On

Note: On the Citrix server, the VDA version 2209 or newer is required to use this feature.

Omnissa Horizon Client related:

• Following Omnissa Horizon Client-specific Application Settings can be configured:

Broker address – the address of Omnissa Horizon server which will authenticate the users and provide list of available virtual desktops.

Protocol – the selection of the display protocol to be used for connections to virtual desktop machines. Blast and RDP protocol selections are possible. Further protocol-specific settings are available on dedicated tabs of the Omnissa Horizon Client application settings dialog. The PCoIP protocol is not available in the Omnissa Horizon Client integrated in LEAF OS.

Desktop size – screen configuration of the virtual desktop. The session can be started in full-screen mode on all connected monitors, in full-screen mode on a single monitor only, in big window, or in a small window.

Guest mode – when not enabled (which is the default), LEAF OS will preserve the configuration changes the user makes through the original Omnissa Horizon Client UI. When enabled, all the user-made configuration changes will be wiped out on LEAF OS reboot.

Show drop down menu bar – this setting controls the appearance of Omnissa Client’s menu bar and connection bar.

Remembering the last logged user name in Omnissa Horizon Client

The Omnissa Horizon Client can be configured to Remember last logged user name. This option can be enabled in Omnissa Horizon Client’s Application Settings. 

Note: The Guest mode option must be not enabled for the user name remembering feature to be able to persistently save the user name.

SSL verification policy – selection of the checks performed on the SSL certificate presented by the Omnissa Horizon server:

• Strict verification – the SSL server certificate must be issued by a trusted Certification Authority, the Common Name in the Subject of the certificate must match the specified fully qualified domain name of the Omnissa Horizon server, and the certificate must be valid at the connection time. Connections will be disallowed in case of any SSL/TLS problems.
• Warn and allow self-signed – the connections to Omnissa Horizon servers presenting self-signed certificates will be allowed.
• No checks – no SSL certificate checks will be performed and connections to all servers will be allowed.

Custom parameters – a semicolon-separated list of custom parameters for the Omnissa Horizon Client. Custom parameters can be used to extend the command line of the Omnissa Horizon Client executable (of the ‘Omnissa-view’ program) or to modify some Omnissa Horizon Client’s configuration files. 

The syntax of each Omnissa custom parameter must be one of the following:

Destination:         Omnissa-view command line

Parameter syntax:    arg:cmdline_parameter    

Example:        arg:--launchMinimized

Example:        arg:+CRLRevocationCheck

Note: the Omnissa Horizon Client application (the ‘Omnissa-view’ program) will be by default launched with the --skipCRLRevocationCheck command line parameter. This parameter lets the client to not perform the revocation checks of the SSL certificates. To enforce those checks, the ‘arg:+CRLRevocationCheck’ custom parameter must be used. 

Destination:         /etc/Omnissa/config file

Parameter syntax:    config:parameter_name=parameter_value

Example:        config:RemoteDisplay.AllowAudio = "false"

Destination:        /etc/Omnissa/viewagent-custom.conf file

Parameter syntax:    viewagent-custom.conf:parameter_name=parameter_value

Example:        viewagent-custom.conf:BlastProxy.log.logLevel = 'verbose'

Destination:        $HOME/.Omnissa/view-preferences file 

Parameter syntax:    view-preferences:parameter_name=parameter_value

Example:        view-preferences:view.enableHEVC = 'FALSE'

Following Blast protocol settings can be configured for the Omnissa Horizon Client:

The Blast protocol settings configurable here are same as the ones which are configurable in the Omnissa Horizon Blast Configuration dialog, accessible from the File > Configure Omnissa Blast menu of the original Omnissa Client UI. 

• Deploying Certification Authority certificates

Omnissa Horizon Client needs to trust the issuer of the SSL server certificate presented by the Omnissa Horizon server (accessible through the Broker address specified in Application Settings). If necessary (e.g. when using organization’s own Certification Authority), to establish this necessary trust relationship, the certificates of Root and Intermediate Certification Authorities (X.509 certificates) can be added to LEAF OS devices under the Security settings. LEAF OS accepts Base64-encoded Certification Authority certificates. The Base64-encoded X.509 certificate format is commonly known as PEM format. Please refer to the ‘Security Settings’ section of ‘LEAF OS and RX-series User and Configuration Guide’ for more information (you will find the download link in the ‘Additional Resources’ section below).

• Printers

Omnissa Horizon Client in LEAF OS supports the Native (functional) redirection of USB and network (JetDirect) printers. The native redirection of printers requires the printers to be defined locally on the LEAF OS device. When adding USB printers, a USB printer identification string needs to be pulled from the USB printer (if it is connected) or specified manually. This serves the purpose of identifying the different USB printers, when multiple USB printers will be connected. In case of single USB printer, this USB identification field can be left empty. For each configured printer, the exact name of Windows printer driver must be specified. 

For each defined printer, LEAF OS will create two printers: first – with the original name, and the second – with the original name and with the ‘_local’ suffix appended. For the first printer, LEAF OS will not configure any Linux printer driver (so this printer will only act as a spooler and will then send the spooled print jobs to the physical printer without reformatting them). This printer will be used in VDI connections using the RDP protocol. The specified Windows printer driver name will be reported to the virtual desktop VM when making connection with the RDP protocol. The virtual desktop VM must have this exact driver installed to be able to load it when creating the redirected printer. ‘x64, Type 3 – User Mode’ printer drivers are appropriate for the Native redirection of printers with the RDP protocol. For the second printer (the one with ‘_local’ suffix), LEAF OS tries to find and to load an appropriate Linux printer driver. This second printer will be used for the printers redirection with the Blast protocol. No dedicated Windows printer driver needs to be installed on the virtual desktop VM in this case. The print job received from the virtual desktop will be rendered on LEAF OS with the help of the Linux printer driver and only then sent to the physical printer.

• Smart cards readers

CCID-compliant, ACS, and Reiner SCT CyberJack smart card readers are supported and will be redirected with the Native method with both protocols (Blast and PCoIP). 

• Serial ports

Serial ports (USB-to-serial adapters) can be redirected with the Native redirection method when the RDP protocol will be selected. The /dev/ttyUSB0, /dev/ttyUSB1, /dev/ttyACM0 and /dev/ttyACM1 serial devices will be redirected as client’s COM1, COM2, COM3 and COM4 ports, accordingly.

Serial ports can be redirected with the Generic USB redirection method when the Blast protocol will be selected. Omnissa’s own Generic USB redirection implementation will be always used in this case, no matter what redirection method is selected for the Serial Ports in the Peripherals settings. Windows driver for the connected USB-to-serial adapter needs to be installed on the virtual desktop VM for the serial ports redirection to work in this case. 

vSpace Pro Client and VERDE VDI Client related:

• Connecting to vSpace Pro Enterprise servers

vSpace Client connections from RX540 and RX580 devices are only supported on latest vSpace Pro Enterprise (12.9.2 or newer) servers. vSpace Pro LTS servers will not accept connections from RX540 and RX580 devices.

Unlike the vSpace Clients contained in the NComputing RX300 thin client devices, the vSpace Clients from the RX540 and RX580 firmware do not contain any embedded vSpace Client connection licenses. Appropriate vSpace Client connection licenses need to be purchased and added to the vSpace Pro Enterprise deployments to allow uninterrupted vSpace Client connections from RX540 and RX580 devices. Without the necessary licenses, the vSpace sessions will run in trial mode and will be disconnected after 10 minutes.

vSpace Pro Client Connection License ordering SKUs:

• 1 year  (vSpacePro-SW-1A)
• 3 years (vSpacePro-SW-3A)
• 5 years (vSpacePro-SW-5A)

• Connecting to VERDE VDI or VERDE Remote Access

Two license types are supported. Both are concurrent connection models:

• VERDE-WFH-1A-10 (VERDE VDI Suite - Remote Access 10-seat license, annual subscription) 

This license type allows Remote Access connections to PCs through the VERDE Connection Broker and is the most affordable option.

• VERDE8-CCU-1A (VERDE VDI Suite –1-seat license, annual subscription)

This license type allows Remote Access connections to PCs through the VERDE Connection Broker and supports connections to VDI sessions hosted by VERDE Servers.

• Native (functional) redirection of webcams in UXP sessions

vSpace Pro Enterprise 12.4 or higher is necessary for the native webcam redirection functionality. Each user, under Privacy settings, needs to allow the applications to access the redirected camera.

Local Chromium Browser and Microsoft Teams PWA related:

• Microsoft Teams PWA (Progressive Web Application) is available on RX540 and RX580 via local Chromium Browser

The Teams PWA can be created within the built-in Chromium browser.

To enable Teams PWA from the built-in Chromium:

• Open the Setup UI and go to Applications.
• Click the [+] button to add an application. 
• Select Chromium Browser as Application type and navigate to the PWA Settings tab.

• Under Enable PWA and show on, in the MS Teams row, choose where to display the Microsoft Teams PWA icon.
• Click Add to save the PWA settings change.
• Click Apply to finalize and create the Chromium Browser with Microsoft Teams PWA enabled.

With the above configuration, the Chromium Browser and Teams PWA icons will appear in the Start Menu and/or on the Desktop and/or in the App Launcher. To only allow the access to Teams PWA, without enabling the access to Chromium browser:

• Open the Setup UI and go to Applications.
• Select the Chromium application and click the pencil button to edit its properties. 
• On the General tab, deselect the Show on App launcher, Show on Start Menu, and Show Desktop Icon checkboxes. 
• Click OK to save the Chromium settings changes.
• Click Apply to finalize.

Note: When launching Teams PWA for the first time, an instance of the Chromium browser will open to install the Microsoft Teams Progressive Web Application. For subsequent launches, Teams PWA will function like a native application without opening the Chromium browser.

• Local printing support for local Chromium browser in RX540 and RX580

For each defined local printer, an additional instance of the same printer gets created with the '_local' suffix appended to the name. For this additional printer, based on the specified Windows Printer Driver Name, RX540/RX580 tries to find a suitable Linux printer driver. With that, the local Chromium web browser should be able to print. In Chromium, using the ‘See more…’ options in Printing dialog may be necessary to find the additional local printer:

In the example above, the 'HPDJ_5520' printer was defined in the device configuration. This caused the creation of two Linux printers: HPDJ_5520 (driverless, to be used in AVD, RDP, and Citrix sessions only) and HPDJ_5520_local (with Linux driver configured, to be used in Chromium browser).

• Custom Chromium policy support

Chromium policy customization file can be added Chromium browser under its Application Settings. Please refer this KB article ‘Customize local Chromium browser policy settings’ for configuration details. 

• Multiple instances of local Chromium browser (e.g., different customized Chromium policies, pre-defined bookmarks, etc.) can be created on LEAFOS, EX500W, RX420(RDP), RX540 and RX580 devices. Please refer to this article ‘Configure multiple instances of local Chromium browser’ for instructions.

Networking and connectivity related:

• Authentication methods supported by the VPN clients:

• L2TP/IPsec VPN – pre-shared key, username, password.
• IKEv2/IPsec VPN client – client certificate with password.
• FortiClient SSL VPN client – username and password.

• Support for Bluetooth audio devices, keyboards and mice (beta preview)

RX540 and RX580 devices support Bluetooth audio and human interface devices (keyboard and mouse). It’s end-users’ responsibility to properly pair the necessary Bluetooth devices and mark them as trusted. 

• To enable Bluetooth connectivity, select the Enable Bluetooth support option under Peripherals > Bluetooth. 
• To pair a new Bluetooth peripheral device, click on the Bluetooth icon in the system tray and select the Devices… option from the pop-up menu. From the display list in the pop-up menu, right-click on the new Bluetooth peripheral device you would like to pair and select Connect. Once the new Bluetooth device has been paired, right click on this device again and select Trust. 
• On next bootups, RX540/RX580 will try to automatically reconnect the Bluetooth devices which have been paired and marked as trusted. 

The preferred Bluetooth audio profile can be selected under Peripherals > Bluetooth:

• Select automatically – Bluetooth audio profile will be selected automatically according to device preferences. This option will allow the user to manually change the profile by right-clicking the Bluetooth icon in the system tray and going to Devices.
• A2DP – High quality audio playback profile will be set (when supported by the device). Microphone will not be supported.
• Headset – The bidirectional headset profile, which is good for communication applications, will be set (when supported by the device).

• Preconfiguring Wi-Fi connection using the wifi-config.txt file

When deploying new (with factory default settings) RX540 and RX580 devices the Wi-Fi connection can be automatically configured using information from the wifi-config.txt file stored on a locally connected USB memory stick. This helps streamlining new deployments by eliminating the need for users to manually configure local Wi-Fi connections.

The wifi-config.txt file must be a plain text file containing the Wi-Fi configuration parameters in ‘parameter_name=parameter_value’ format in each line.

The mandatory parameters are:

• ssid – the name of the Wi-Fi network
• passphrase – the clear-text password for the Wi-Fi network (using Personal security)

Optional parameters are:

• security – valid values: ‘personal’ (default if not specified) or ‘enterprise’
• country – two-uppercase-characters country code, e.g. US, GB, FR, DE, IN, etc., for United States, Great Britain, France, Germany, India, etc.
• user_name – Wi-Fi user name for ‘enterprise’ security
• user_password – Wi-Fi user password (in clear-text) for ‘enterprise’ security
• hidden_ssid – true or false to enable or disable support for Wi-Fi networks not broadcasting their names
• ip_address – static IP address (only needed when ‘type’ will be set to ‘static’)
• network_mask – network mask (only needed when ‘type’ will be set to ‘static’)
• default_gateway – IP address of default gateway (only needed when ‘type’ will be set to ‘static’)
• advanced_security – Wi-Fi encryption type: ‘auto’, ‘wpa’, or ‘wpa2’
• authentication_method – Wi-Fi authentication method: ‘peap’, ‘ttls’, ‘tls’
• frequency – Wi-Fi frequency: ‘auto’, ‘2.4’, or ‘5’
• type – type of IP configuration: ‘dhcp’ (default if not specified) or ‘static’

Other device setting related:

• Simple Certificate Enrollment Protocol support

LEAF OS allows using the Simple Certificate Enrollment Protocol for obtaining the Certification Authority and client certificates, which can then be used for the 802.1x network authentication with the TLS protocol. The SCEP settings can be configured on the Security > SCEP page of the Setup UI.

The configurable parameters are:

• Use SCEP for certificate enrollments – When selected, the device will use the SCEP protocol to obtain the Certification Authority and client certificates.
• SCEP server URL – The address (IP or hostname) or URL of the SCEP server. When only an address is specified, the SCEP server URL will be composed by prepending the ‘http://’ protocol scheme and appending the ‘/CertSrv/mscep/mscep.dll’ path. For example: if ‘scep.company.local’ would be specified as SCEP server URL, the actual URL would become: ‘http://scep.company.local/CertSrv/mscep/mscep.dll’. This will work when the Microsoft Network Device Enrollment Service (NDES) will be used as the SCEP server. When using an SCEP server other than Microsoft NDES, the complete URL should be specified, not just an address.
• SCEP challenge password source – Two options are selectable here: Specified below and NDES admin page. 

• Specified below – The SCEP challenge password will be taken from the SCEP challenge password field of SCEP settings. This option makes sense when the SCEP server is configured with a static SCEP challenge password. 
• NDES admin page – This option has been designed to allow using dynamic (one-time) SCEP challenge passwords. The SCEP challenge password will be obtained from the NDES admin page before creating each certificate signing request, which will be sent through SCEP then. If the specified SCEP server URL is just an address, then the URL of the NDES admin page will be composed by prepending the ‘https://’ protocol scheme and appending the ‘/CertSrv/mscep_admin/’ path. For example: if ‘scep.company.local’ would be specified as SCEP server URL, the actual NDES admin page URL would become: ‘https://scep.company.local/CertSrv/mscep_admin’. As the name of the option suggests, this will only work with Microsoft NDES. When a complete URL is configured as SCEP Server URL, then the same URL will be used as NDES admin page URL, only the scheme will be changed to ‘https://’. This will not work with NDES. For that reason, when using Microsoft NDES as SCEP server, we advise to only specify the server address (not the full URL) as the SCEP server URL.

• SCEP challenge password – The (usually static) SCEP challenge password to be used when creating certificate signing requests.
• NDES admin user name – The name of the Active Directory user permitted the access to the NDES admin page. It will be used when obtaining the SCEP challenge password from the NDES admin page.
• NDES admin user password – The password of the NDES admin user.
• Certificate subject type – Two options are selectable here: Device name only and Device name with DNS domain.

• Device name only – Only the current device name from the General > Device name settings will be used as the Common Name and Subject Alternate Name in the requested client certificate. E.g., LEAF681DEF38CF69.
• Device name with DNS domain – The current device name from the General > Device name settings with the DNS domain name (obtained from DHCP or configured statically) will be used as the Common Name and Subject Alternate Name in the requested client certificate. 
  E.g., LEAF681DEF38CF69.company.local.

No other components than the Common Name will be included in the subject of the requested client certificate.

• Private key length – Selection of the private key length: 1024, 2048, or 4096 bits.
• Keep the old private key when renewing the certificate – When selected, the already present private key will be re-used when renewing the certificate. Otherwise, a new private key will be generated when renewing the certificate.
• Custom parameters – This field will not be currently used.

Note: The SCEP support has only been tested with the Microsoft Network Device Enrollment Service (NDES) acting as SCEP server. The NDES admin page selection for the SCEP challenge password source will only work when NDES and only when an address (not a URL) has been specified as SCEP server URL.

Information about the Certificate Authority certificate and client certificate currently stored on the LEAF OS device will be displayed above the SCEP settings on the Security > SCEP page of the Setup UI.

• Using the SCEP-obtained client certificates for 802.1x network authentication 

The Certification Authority and client certificates obtained with the SCEP protocol can be used for the 802.1x Ethernet and Wi-Fi network authentication with the TLS method. For this purpose, two new parameters have been added to Enterprise (802.1x) Ethernet and Wi-Fi network settings in LEAF OS 6.5.503: CA certificate source and Client certificate source. Two selections are possible for both of them: Device configuration and SCEP.

• Device configuration – The certificate will have to be selected in device configuration, as it was in all older LEAF OS versions.
• SCEP – The certificate obtained with SCEP will be used.

Practical deployment advise: 

As the 802.1x network access control standard disallows the network access from devices which cannot authenticate themselves, the LEAF OS device, to be able to make use of the SCEP protocol for obtaining the certificates necessary for 802.1x authentication, must be first temporarily connected to some open network. This open network should allow the device to connect to PMC Endpoint Manager, which should provide to the device the configuration which will: 1. contain the SCEP settings, and 2. contain the 802.1x network settings (including the options to enable 802.1x support with the TLS authentication method and to use the SCEP-obtained certificates for 802.1x authentication). Alternatively, assuming that the final destination of the deployed devices will allow fallback to an open network (e.g., to a guest VLAN), the fallback network should allow access to PMC Endpoint Manager which will provide the necessary configuration. The devices, once configured in the fallback network, should be able to automatically switch to the secured network, as they will already have all the information (especially the SCEP-obtained certificates) necessary to successfully complete the 802.1x authentication.

• Custom device naming

Before LEAF OS version 6.5.503 it was possible to configure a custom LEAF OS device name by specifying it in device’s General settings. The configured device name will be used by the DHCP client when requesting IP configuration, it gets reported to PMC during check-in, so it can be used to identify the device in PMC, also the VDI clients report the device name to the session hosts which in turn make it available for the applications through the CLIENTNAME environment variable. In older LEAF OS versions, the default device name was set to ‘LEAF’ with the MAC address of the Ethernet or (in absence of Ethernet) Wi-Fi network interface appended. 

LEAF OS allows automating the device naming based on configurable rules. The device name prefix, its body (which can be parts of the MAC address), and the suffix are now configurable on the General > Devie Name page of the Setup UI. Following settings are available:

• Specified – The freely specified device name, as in previous LEAF OS versions.
• Set automatically – The device name will be set automatically based on the configured rules.
• Prefix – The device name prefix. 
• Body – The body (middle part) of the device name. 6, 8, 10, or 12 (the whole) characters of the Ethernet or Wi-Fi interface MAC address.
• Suffix – The device name suffix. 

After resetting the device to factory defaults, the prefix will be set to ‘LEAF’, the body will be set to ‘whole MAC address’, and the suffix will be empty. With such settings, the default device name will be set in the same way as it was in the previous LEAF OS versions.

• Support for the Virtual Cable UDS Enterprise virtualization environment

UDS Enterprise client has been updated to version 4.0 in LEAF OS 6.5.503. This client will be launched when the UDS Enterprise connection will be initiated in the Chromium browser and when the ‘RDP Tunnel for Desktop’ will be used for establishing the connection. The RDP Settings, which are configurable for the Chromium browser application, will be taken into account then. Especially, the type of the RDP client used for the connection initiated through Chromium browser can be selected. Selecting the AVD client as client type allows the UDS Enterprise users to benefit from the Microsoft Teams optimization. 

• On-screen keyboard

The binaries of the ‘onboard’ on-screen keyboard are contained in the firmware image. The on-screen keyboard can be configured under "Keyboard and Mouse" settings. 

• Configurable power button custom actions

The RX540 and RX580 devices can be configured to execute the following actions when the user presses on the power button:

• entering the sleep mode, 
• shutting down,
• rebooting,
• not performing any action.

The actions can be executed immediately or postponed for a specified period of time, when a pop-up message with a countdown counter will be displayed allowing the user to cancel the action or to select a different one. 

To configure the Power button actions, go to Settings > Management > Power Button Actions.

• Ability to rescale the RX540/RX580 display and selected applications

When using high-resolution displays, especially 4K, it may be beneficial to upscale the RX thin client GUI components, to make them appearing bigger and thus become better readable. Scaling factors from 100% (which is the default, meaning no scaling) to 200% are selectable under Display settings. The RX540/RX580 software components which will respect the scaling selection are:

• Desktop and local applications
• Logon windows of client applications (AVD, RDP, VERDE VDI), the server chooser of vSpace Client, RDP sessions, AVD sessions.

Note: The scaling ratio of some applications might be silently adjusted to a value accepted by the application or kept set to 100%, if the application does not support scaling.

• Using VDI clients to control access to RX540/RX580 applications

The VDI client applications which perform user authentication and enumerate the VDI resources prior to starting the actual terminal session and for which the RX540/RX580 firmware has access to user credentials can be used to control access to other applications. To enable this feature, the Use this application to grant access to other applications checkbox needs to be selected in Application Settings. With this feature enabled, RX540/RX580 will not allow the access to all other applications (hide the application icons in Start Menu, on the Desktop, and in App Launcher) until the user will successfully authenticate in the one, which has this option enabled.

Following applications can be used for this purpose:

• RDP Client (only when the RemoteApp and Desktop connections will be enabled)
• AVD Client
• Citrix Workspace app (only when the use of Citrix SelfService user interface will not be enabled)
• VERDE VDI Client

• Support for Asian multilingual input

The IBus (Intelligent Input Bus) component can be optionally enabled under Keyboard and Mouse settings for the Chinese, Korean, Japanese and Thai keyboard layouts. This allows proper keyboard input in local Chromium Browser application.

Note: Enabling IBus is not necessary (and even not advisable) if no local Chromium Browser is used, and the user will only work in remote desktop sessions.

PMC Endpoint Manager related:

• PMC license for managing the RX540 and RX580 devices

Each RX540 and RX580 device comes with a perpetual license for the PMC Endpoint Manager software and first-year complimentary software maintenance update (AMP for RDP) license. After the expiration of the first-year complimentary Device AMP license, the device will not be able to receive and apply firmware updates. An extended Device AMP licenses must be purchased and allocated to each RX540 and RX580 device to allow local or remote (via PMC) firmware updates.

• PMC Endpoint Manager server auto-discovery

To automate the PMC server discovery, the DHCP option 207 can be used. This DHCP option should provide a string value containing the URL in form of ‘https://<PMC_address>’, like: ‘https://pmc.company.local’, or: ‘https://10.25.40.190’. If DHCP response will not contain the 207 option, the device will attempt to use the ‘https://pmc’ URL as PMC URL. This will work if the DNS system for the current DNS domain will be able to resolve the ‘pmc’ hostname to a valid PMC IP address.

• Using PMC Endpoint Manager for device screen shadowing

The software components allowing device screen shadowing from PMC act as yet another VNC viewer application. The VNC screen shadowing feature needs to be enabled on the devices for the PMC screen shadowing feature to work.

• Passcode-based device onboarding

When the Require passcode for device onboarding option will be activated under System Settings of PMC Endpoint Manager, then newly connecting devices will prompt the users to provide the onboarding passcode. Only if the user will provide correct onboarding passcode the device will successfully check-in and will be added to PMC’s database. This is a one-time process only. Already onboarded devices will never prompt users for any onboarding passcode.

• Using the network test tools

The results of network tests will be saved into a temporary file, which will be collected when creating a Troubleshooting File. The device will also execute the network tests when creating the Troubleshooting File on PMC administrator’s request. Appropriate test parameters (address and port) should be configured on the device before requesting the Troubleshooting File with PMC.

• Support for the device “Raise Hand” feature for easier identification of devices whose users need help 

When the device user will press the Shift-Ctrl-F2 key combination to ‘raise hand’ to PMC, PMC will display a notification and put a timestamp information into the Raised Hand column of Devices list.

• Secure Shell support

LEAF OS allows establishing Secure Shell (SSH) connections to LEAF OS Linux shell. The Secure Shell access is disabled by default and can be enabled under Management > Secure Shell settings. The user with Secure Shell access is ‘rx’ and a password must be set to allow the access.

ADDITIONAL RESOURCES

• Getting Started: LEAF OS for Citrix Guide

• Getting Started: LEAF OS for Omnissa Horizon

• Getting Started: LEAF OS for Microsoft AVD and Windows 365 Guide

• Getting Started: LEAF OS for UDS Enterprise

• Video Tutorial: Setup LEAF OS for Single Operation Mode

• Video Tutorial: Optimize multitasking with Multi-Application Setup

• RX-series User Configuration Guide:

RX420(RDP), RX440(RDP) and RX-RDP+ are easy-to-use and provision. For users who want to learn how to use advanced features and/or customizations, please refer to the RX420(RDP), RX440(RDP) and RX-RDP+ User Configuration Guide:

https://ncomputing.box.com/shared/static/310pp20tfhh4aqc6x4nj14sxch52q360.pdf 

• PMC Endpoint Manager Quick Start Guide:

NComputing PMC Endpoint Manager is a device management system designed and developed to remotely manage NComputing access devices. 

Please refer to the PMC Quick Start Guide:

https://support.ncomputing.com/portal/en/kb/articles/pmc-3-0-start-guide