In getting our ASK iPad pilot into full swing for Bloomberg Connects we needed to nail down how we were going to present the answers to museum-goers—a seemingly simple task that unfurled into an increasing number of smaller details, like peeling some kind of silicon-based onion. We knew asking via the iPad worked for our visitors, but we wanted to introduce a second screen to display the answers.
At first we considered using two iPads: one to ask questions, the other to view the answers. However, we felt that the way that answers were presented needed not only to be visually compelling, but had to stand apart from (or perhaps even in opposition to) the ASK kiosk. Further, we had to be able to properly lock down these devices, not only to protect them from an overly curious user, but to ensure that any visitor to the museum can have the full experience without accidentally breaking a piece of it.
In the end we decided to use an All-In-One PC running Windows 8; specifically the HP ProOne 400. With a 23in widescreen monitor it stood in an appropriate contrast to the iPads. Also, given that it runs Windows 8, we could count on a host of software vendors to help us secure each device, if not our in-house expertise. This particular model is also VESA compatible (a surprisingly rare feature for All-In-Ones), allowing us to select from a variety of wall mounts upon which to hang our soon-to-be Answer Kiosks.
Confident in our selection we purchased seven shiny new HP ProOne 400s and began the process of securing the first among them. This was the part of the onion peeling process where my eyes began to tear, and wouldn’t stop for several days.
Despite considerable research we could not find a vendor that provided kiosk software that could secure the devices in the way we needed. Although each effectively restricted the computer to the webpage, some injected their logos onto the page, while others allowed gestures that would complicate the experience. Disheartened, I resolved to lock it down using the settings and commands within Windows.
The Answer webpage was designed to work optimally with Google Chrome, which, if run from the command line with the “--kiosk” switch, will present a web page in full screen and prevent someone from closing Chrome or opening a new program from the Start Screen. Later, while trying to find ways of breaking, or breaking into, my setup, I decided to add the following switches: --incognito (to suppress webpage restore options in the event that Chrome shut down unexpectedly), and --disable-pinch (to disable pinch-to-zoom, because Chrome enables this feature by default even if it is disabled in Windows).
Chrome’s configurations, however, were insufficient to secure these touch screen devices because of Windows 8’s edge gestures. If you swipe a finger inward from an edge on a touch screen computer running Windows 8, it will present menus that allow you to change the PC’s settings, switch apps, or even shut the PC down—none of which would be conducive to the ASK experience. This one feature was also left unaddressed by the majority of the software vendors I researched earlier, forcing me to turn them down.
Fortunately, I was not the only citizen of the internet who had faced this dilemma and I was able to find a tech support forum post wherein another Network Admin explained that the edge swipe feature relied on explorer.exe, and could be “disabled” if you end the explorer.exe process. Of course, by doing so one closes the entire Windows experience—the start menu, task bar, and programs (most importantly the Answer webpage itself) all disappear from view, and remain as such until you re-run explorer.exe… the layers of the onion (and the tears) just kept on coming.
After some experimenting, I found that by running a short script that first ended the explorer.exe process, then ran Chrome with all my desired switches, I could successfully present the Answer webpage in all its glory without leaving any prompts, buttons, or gestures that would complicate this for the user. Next I set this script to run on startup, so that when the PC is powered on it will automatically bring up and lock down the webpage. For the curious, that script is as follows:
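rem Ending explorer.exe removes the Windows 8 edge-swipe menus along with the rest of the shell.
taskkill /IM explorer.exe /f
rem The URL is quoted so that cmd does not treat "&" as a command separator.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --kiosk "http://brooklynmuseum.org/ask/forum/responses.php?forum=28&" --incognito --disable-pinch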
Having stripped away that issue I went about unraveling the finer details. This included preventing the PC from going to sleep, disabling the card reader and Auto-Play to keep anyone from installing malicious software, setting it to run on an isolated wireless network, and having all of this run from a restricted account, which would automatically log in upon startup.
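A read-only check of the lockdown steps above, as an added example rather than the museum's own tooling. It assumes PowerShell 3.0 or later, that AutoPlay was turned off through the NoDriveTypeAutoRun policy value (the post does not say how it was disabled), and that it runs in the kiosk account's session; the function names are hypothetical.

```powershell
# Added example: read-only audit of the kiosk lockdown described in the post.
# Assumptions (not from the post): AutoPlay was disabled through the
# NoDriveTypeAutoRun policy value, and the audit runs in the kiosk session.

$RequiredSwitches = '--kiosk', '--incognito', '--disable-pinch'

function Get-MissingSwitch {
    # Returns the required switches that are absent from a Chrome command line.
    param([string]$CommandLine)
    $tokens = $CommandLine -split '\s+'
    $RequiredSwitches | Where-Object { $tokens -notcontains $_ }
}

function Test-KioskLockdown {
    $findings = @()

    # The edge-swipe menus depend on explorer.exe, so it must not be running.
    if (Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $findings += 'explorer.exe is running: edge gestures are available'
    }

    # The browser process is the chrome.exe without a --type= argument.
    $browser = Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" |
        Where-Object { $_.CommandLine -and $_.CommandLine -notmatch '--type=' } |
        Select-Object -First 1
    if (-not $browser) {
        $findings += 'No Chrome browser process is visible to this account'
    } else {
        foreach ($s in Get-MissingSwitch $browser.CommandLine) {
            $findings += "Chrome was started without $s"
        }
    }

    # 0xFF (255) turns AutoPlay off for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($autorun -ne 255) {
        $findings += 'NoDriveTypeAutoRun is not 0xFF'
    }

    $findings
}

$result = @(Test-KioskLockdown)
if ($result.Count -eq 0) { 'Lockdown checks passed' } else { $result }
```

Running it after each reboot or image restore catches a kiosk that came up with the desktop shell still running or with Chrome launched without one of the switches.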
To protect against power outages (whether accidental or otherwise) I configured the BIOS (a computer’s internal hardware settings) to automatically power on if power is lost then restored, and disabled the automated Startup Repair feature that normally runs if the PC isn’t shut down properly. At this point, to do anything in the PC other than view the Answer page one would need to plug a keyboard directly into one of the PCs in an exhibition, which will be promptly stopped by museum security… something I experienced myself when I was setting up one of the devices without my ID about my neck. I would like to note that discovering an angry cloud of grey and blue gathering behind me as I clacked away on my presumably contraband keyboard was my least favorite but most reassuring experience in this piece of the project, but I digress.
One would think that after all this every angle was covered, but a final nearly-overlooked detail arose in the 11th hour. Many of our answers include videos from YouTube, whose players we embed into the answer pages. These players include a “YouTube” button that links over to YouTube.com/watch when tapped. If a user were to do so, given all the settings I described above, there would be no way of getting back to the answer page without power cycling the PC. For this, David Huerta and Christina White, our Head of IT, worked together to select a Chrome plugin aptly named “Redirector” which redirects any attempt to go to YouTube.com/watch back to our answer page, effectively turning that link into a simple refresh button.
With that the Answer experience was fully secured, and the PCs mounted in their associated exhibitions. The process was documented to make future deployments easier, and an image backup was captured of each machine individually using Clonezilla. We would have used a managed imaging software like Symantec Ghost to deploy the settings to each device at once, but the complications between Symantec, Windows 8’s licensing mechanisms, and HP’s hardware make up the layers of another onion that is best left for another day.
Brian is a recent addition to the Technology department and serves as the museum’s Network Administrator. Although he started as a student of Philosophy and Religious Studies at Pace University, Brian became absorbed in the world of IT and established a PC (and occasionally Mac) repair business with his two brothers. Having worked in over 30 different networks, he now helps manage the IT infrastructure and security for the Brooklyn Museum.