Cameyo PowerTags are metatags which can be assigned to Cameyo apps, servers, clusters, users, user groups and/or the entire account. They can either be a specific Cameyo PowerTag defining custom behavior, or a Custom PowerTag injecting a dynamic value into the Windows session and running app. This article focuses on the latter. PowerTags can be configured wherever you see this:
- !STARTUP_BEFORE_xxxx: controls session scripting.
Session behavior and appearance:
- !TASKBAR_QUICKLAUNCH: controls Cameyo's Task Bar.
- !EXTRATOOLBTNS: controls extra toolbar buttons.
- !CLIPBOARD=1 or 0: enables or disables clipboard support.
- !CONNECT_RESOLUTION=800x600: defines a fixed session width and height.
- !KEYLOCK=1: when in full screen mode, session will capture all system keyboard keys including the "Windows" key, Alt-Tab as well as misc reserved control keys.
- !CLOUDDRIVE=1 or 0: enables or disables user's cloud drives virtualization, if configured.
- !ADMIN_APPS=1 or 0; !ADMIN_USERS=1 or 0; !ADMIN_SERVERS=1 or 0: enables or disables delegation of ADMIN functions to users/user groups. Please see a complete list of Granular Admin Permissions.
- !CLOSECONFIRM=1 or 0: enables or disables accidental tab closure (on special channel).
File dialogs and storage:
- !STORAGEFILEDIALOG, !STORAGEFILEDIALOGPATHS, !FILEDIALOG_EXTRA, !FILEDIALOG_MYFILES: control Cameyo's File Dialog.
- !USERPROFILE_DRIVE=X: virtual drive letter for user profile.
- !PUBLIC_DRIVE=P: virtual drive letter for the Public dir.
- !UPCS_ENABLED=0/1: controls Session Sync for data persistence and cloud-based user profile synchronization.
- !UPCS_INCLUDE, !UPCS_EXCLUDE: controls Session Sync data persistence and its include / exclude filters.
- !UPCS_MINSPACE: defines the minimum hard-drive space when caching data persistence locally (C:\UserData). See Session Sync data persistence.
Session connectivity and initiation:
- !CLOUDTUNNEL=1 or 0: forces Cloud Tunneling on / off.
- !AUTHDOMAIN= domain name for Native Windows authentication mode (or "-" to force none).
- !NATIVE=1: launches session using the native player (Windows clients only).
- !SPLASH_EYE=1 or 0: displays or hides the 'eye' button on the splash screen, allowing to see the Windows login process.
- !SPLASH=0 hides the splash screen, allowing to see the Windows login process. Useful for interactive login that requires users to click OK before starting session, q.v. Group policy preventing Cameyo sessions from initializing.
- !SERVER=[server-id]: forces sessions to run on a specific server. Can only be applied to apps, users or usergroups.
- !LBFACTORS=[dist,load,sessions]: defines load-balancing behavior. Example: !LBFACTORS=20,40,40 defines load-balancing to be based 20% on distance (servers closer to the user get a higher chance), 40% on server load (servers with lower CPU/RAM usage get a higher chance), 40% on number of sessions (servers with a smaller number of sessions get a higher chance). Can only be defined on clusters or apps.
- !ADMINMAIL=1: sends a notification email to the technical contacts every time an Admin session is initiated on a Cameyo server, for increased account security.
- !ALLOW_COUNTRY= white-list of countries from which sessions can be requested (2-letter ISO country codes). See Conditional session access.
- !ALLOW_IP= list of IP addresses, separated by semicolon, from which sessions can be requested. Takes precedence over !ALLOW_COUNTRY so the two PowerTags can be used together to allow specific IP addresses from blocked countries.
- !ENABLED_END=7/19/2023 or !ENABLED_START=7/19/2023 [Month/Day/Year] will disable/enable the specified app on that date. The application is also removed (!ENABLED_END) or made visible(!ENABLED_START) in the end user portal. See detail here
Windows / app behavior:
- !STOPFILES: blocking access to specific files and executables.
- !CLIENTNAME, !USERNAME, !COMPUTERNAME: client, user and machine name virtualization.
- !CHROME=1: sets Chrome as the default browser instead of IEXPLORE.
- !STARTINGDIR: defines the starting directory for the session app's execution.
- !EXECREDIR=org.exe=c:\new\new.exe: substitutes the execution of org.exe anywhere on the disk with that of c:\new\new.exe.
- !SHELL_LOCKDOWN=1 or 0: blocks hard-disk Explorer navigation and basic system commands.
- Requires !USERPROFILE_DRIVE to be set (i.e. !USERPROFILE_DRIVE=X).
- Has to be set at the server level (or cluster or company) but cannot be on a single app or user, as it's a server-global security feature and not per-session.
- Requires service restart to be applied, for the same reason.
- !URLREDIR=1 or [url_prefix in the form: https://someurl.com/somewhere]: URLs launched by the session's app will be redirected directly as a new tab within the user's browser, outside the session itself.
- !SUPPORT=0 or -1: blocks server access to Cameyo's support team. 0 blocks admin access, -1 blocks admin and regular app sessions.
- !MAXDISCONNECT: time, in seconds, to keep sessions alive in case of disconnection. Equivalent to Windows RDS' MaxDisconnectionTime parameter. Cameyo's default is 120.
- !MAXIDLETIME: maximum idle time in minutes. Overrides the session policy settings. Requires service restart.
- !CLOUDTAGS (GCP only), !CLOUDLABELS, !CLOUDVPC, !CLOUDSUBNETS: respectively custom cloud tags and labels, VPC and subnets for created instances.
- !CLOUDSECUREBOOT=1 (GCP only): forces Secure Boot to be enabled on created instances.
Session token security:
- !TOKEN_TTL: timeout in seconds after which a session's token can no longer be used. Note that this also neutralizes connection resiliency after the timeout expires.
- !TOKEN_MULTI_AUTH=0: revokes a session's token a few seconds after session authentication.
- !TOKEN_MULTI_IP=0: prevents a session's token from being used from an IP different than the initial one. Note that this also neutralizes connection resiliency if the user's IP changes during session time.
Users / portal:
- !INACTIVEUSERS=[delete_days/report_days]: delete and/or report inactive users (company-level PowerTag only).
- delete_days: number of inactivity days after which to automatically delete users (minimum allowed: 14), or 0 for never.
- report_days: number of inactivity days after which to report users as inactive. Report is submitted by email, or 0 for never.
- !USERSETTINGS=0: Disables the ability for end users to access "My Profile". For a full description see here.
- !PWDEXPIRE=X: Cameyo logins only: passwords expire after X days, after which they must be changed.
- !PWDREGEX=regex: Cameyo logins only: regular expression for password strength validation. See examples here.
- !UKRAINE=1: Ukraine-supportive theme and colors for the portal, to be applied at the company level.
- !FAVICON: changes browser icon from Cameyo icon to an online ICO file, e.g. !FAVICON=https://someurl.com/favicon.ico, allowing customization of portal favicon.
Configuration and order of precedence
PowerTags are dynamic, meaning they can vary from one session to another and take effect immediately, without requiring service nor server restart (except server-level PowerTags). When multiple tags exist for a given session (i.e. cluster + server + user + app), the session will be started with the combination of all relevant tags. The order of precedence, from the most prioritary to the least is:
- User group
For example, if user has tag 'MY_NAME=John' defined while the server has 'MY_NAME=Server' defined, a session run by this user on that server will have 'MY_NAME' defined as 'John'.
As another example, if the server has tag 'MY_NAME=SERVER' defined while the server's cluster has 'MY_NAME=CLUSTER' defined, sessions will run on this server with 'MY_NAME' defined as 'SERVER'.
As yet another example, if an application has tag 'MY_NAME=SomeApp' while the same global Cameyo account's PowerTag is defined as 'MY_NAME=CameyoAccount' then a session running this app will have 'MY_NAME' defined as 'SomeApp'.
Multiple tags can be defined on each line, e.g:
MY_VAR2=Some other value
PowerTags can also be used to inject any value of your choice into Cameyo sessions as environment variables:
'+' sticky PowerTags: persistent server-wide environment variables (advanced)
PowerTags are defined per-sessions, allowing high flexibility. If you need tags or environment variables to be defined globally for the entire server (including system processes for example), you can do so by prefixing your PowerTags with a plus sign ('+'). In this case the PowerTag will be defined globally on relevant servers, even outside of Cameyo sessions. For example, setting "+MY_GLOBAL_VAR=Some value" will result in the affected servers having a global system variable "MY_GLOBAL_VAR" with the value "Some value". Sticky tags can only be set for servers, clusters and whole accounts. They only take effect upon server's service start. Removing a sticky server tag that has been added requires setting it to an empty value, i.e: "+MY_GLOBAL_VAR=". It will then be removed upon the next Cameyo service restart and a consequent system reboot (a Windows limitation).
The '+' must always comes first. i.e. to define a config tag such as "!REBOOTDAYS=1" as sticky, specify "+!REBOOTDAYS=1".
Sticky Config Tags:
- +!REBOOTDAYS=7: server uptime reboot frequency in days (0=never).