Invalid Token.dat with Deep Freeze
We would like to install software on the student computers in the future. Unfortunately we have a problem with the FOG Client Token. We use Deep Freeze as protection software. This software does not allow changes to be retained on the hard drive. After a restart, all changes to the operating system are reset.
The token.dat is also reset and the FOG client can no longer communicate with the server. Invalid Token.dat appears in the log.
If we go to “Reset Encryption Data” on the host in the FOG server, it works again.
Can you switch off token renewal on the client?
Or perhaps you can simply use the FOG API to automatically “Reset Encryption Data” on all clients every DAY.
Or can you switch off the checking of the token?
Thanks in advance.
@PCF24 The whole point of the “token” is to ensure the system is a “known” device from fogs perspective. This way it’s a 2 way trust between the FOG server and the FOG client.
Since there’s exchange of information such as Hostname, AD join, Printer installs, Snapins, etc…, we wouldn’t want that being exchanged in plain text to just any ol’ system.
If you configure your base image to have all the software/drivers/printers, necessary, then work with Deep Freeze, you shouldn’t need the FOG Client on the image at all.
Just my 2 cents.
The whole point of the Client is to allow changes using the UI. Since you’re using a system to prevent changes the FOG Client (in my opinion) is basically pointless to have on your machines.
Thank you very much for your reply.
The Fog Client definitely makes sense for software distribution. The image is rolled out once, after which the software should be kept up to date via the software distribution. This means that the software on the computers is more up-to-date and you hardly have to do any work. This is how we currently do it with a different software distribution. But I would like to use the software distribution from FOG.
I just don’t understand why the FOG client has to update the token every time the computer starts.
If the Fog Client only did this once at the very beginning (first commissioning), security would also be guaranteed. The Token.dat is currently updated every time a user logs in.
Even with Windows you can define that the computer account should not be updated so that the computer does not fall out of the domain. Otherwise Deep Freeze would not work at all in a Windows domain.
If necessary, I have to move the FOGClient to an unprotected partition. But that would be a lot of work with 1500 computers.
Is there perhaps a way that I could automatically run “Reset Encryption Data”. That would save me a lot of work.
@PCF24 you could create a trigger I suppose, or a crontab that runs form the fog server to clear all the hosts sec token data. I can’t give you the exact commands but that would do the trick. Maybe somebody with more backend knowledge of the mysql and sending queries as part of the shell script could help out a lot more?
Not that I couldn’t figure it out, but I’m unable to at the moment.
Something like that would be extremely helpful to me. I don’t know enough about the backend. Maybe some of you have more information about this.
I would also pay for the effort if one of you sent me a script that I could run via crontab.