Corporate mode for NVDA

[Qchristensen]

Is your feature request related to a problem? Please describe.

Corporate (security) mode for NVDA. This mode is intended to enhance security while allowing certain configuration settings to be saved, providing a balance between security and customisability for enterprise environments.

Describe the solution you'd like

The solution involves developing a new mode called "Corporate Mode" which is based on the current "Secure Mode". The development plan includes the following features for version 1.0:

• Save configuration for most settings.
  • Allow changing and saving of settings related to speech, braille, audio and vision preferences, keyboard preferences and mouse settings, review cursor, input composition and object presentation.
  • Essentially exclude advanced settings and any settings that require administrative privileges to modify.
• Save gesture map / custom keyboard shortcuts and gestures for NVDA functions.
• Allow users to create, save and switch between different configuration profiles.
• Provide access to user documentation from within NVDA without requiring elevated privileges.
• Disable any features that require admin or elevated access.
• Addons are enabled, but disable installation of new addons.
• Disable the Python console.
• Disable custom configuration loading (-c).
• Disable creating portable installations.
• Rebrand existing "Secure Mode" to "Kiosk Mode".
• Creation of documentation for Corporate Mode (eg: setup guide, usage scenarios, enterprise troubleshooting tips). This is essentially Secure Mode with a few punch-outs.

Describe alternatives you've considered

We could soften the existing "Secure Mode" by adding the required features directly into it. However, creating a distinct "Corporate Mode" allows for clearer differentiation and there is still a need for a fully locked-down mode. To avoid confusion with NVDA's elevated security during sign-on screens, the existing Secure Mode will be renamed Kiosk Mode.

Additional context

Features that are likely not to be included in version 1.0 but can be considered for future updates based on user feedback include:

• Checking for updates & auto-updates.
• Updating addons.
• Configurability of policy whitelist/blacklist.
• Allowing admins to enable/disable the log viewer.
• Allowing users to install/update specific addons from a whitelist.
• Integration with Active Directory / Group Policy
• Admin dashboards

Please note: The original issue created for this became a very useful discussion on the current state of UIA implementation, and was moved to a discussion so as to separate it from this corporate mode proposal, but not to lose it.

[Qchristensen]

The original issue created by @gerald-hartig has been moved to discussion #16600 The discussion around the current state of UIA implementation was very useful and is worth continuing there. To address the potential need to change UIA settings for the current application when in corporate mode, I have proposed issue #16598 for a gesture to change UIA settings on the fly (which would also likely help corporate users who need to change from the default UIA setting for a specific situation but return to it in other cases).

[thgcode]

Please include the possibility of installing new organization-approved addons, there are very good addons that enhance the productivity for some users but other users might find they are not necessary for them.

[Qchristensen]

Please include the possibility of installing new organization-approved addons, there are very good addons that enhance the productivity for some users but other users might find they are not necessary for them.

This would be possible - this is also possible currently in secure mode. How it would work currently is that the admin would setup NVDA however they need - including whatever add-ons are required - then set NVDA to use secure mode (eg using the "forceSecureMode" registry key). (if you needed to make changes later, you could disable the registry key, make the changes, then re-enable the key). So this kind of approach would also work with corporate mode.

[thgcode]

This can work if the user has permission to change the registry, however in some scenarios the user only has permission to work in a non-privileged account, in this case only the system administrator has the admin privileges of the computer, in this case the user would be unable to install addons without the administrator doing the procedure of disabling the registry key, installing the addon and re-enabling it. A list of approved addons that the user could install would make it easier for the user to have freedon of installing the addons based on the approved list and the system administrator that would not need to individually install addons for every user.

[RuturajL]

Could the process for managing addons receive extra attention, particularly when operating in a corporate environment? I foresee potential bottlenecks including delays, follow-up requests, and numerous ticket submissions to have a single addon approved or whitelisted. It would greatly benefit IT teams to have clear guidance on addon review procedures, including instructions or direct links to examine source code. Much of this information is already available in NVDA's addon store. While advanced NVDA users may navigate these processes with ease, everyday users may struggle. In a corporate mode Addons store, a dedicated tab could be maintained listing all available addons, alongside a button to streamline the data submission process for cyber review. This way, users could easily locate the desired addon, click the button, get the needed info in their clipboard, proceed to pasting it in an Email or ticket form and submit all necessary information to reviewers. May be there's a better way to do this, above was just 1 way that came to mind.

[gerald-hartig]

@thgcode @RuturajL With the add-ons, we want to get the basic functionality for persisting settings out as quickly as possible, as the feedback we've received is that this will have a large impact to a large number of users. Settings persistence is therefore a must-have. With the add-ons (Allowing users to install/update specific addons from a whitelist) we prioritised this as a priority for a later version since there will be are workarounds (having the admin install add-ons individually rather than the user).

For the v1.0 release we want to deliver the minimum set of features that must be there in order for Corporate Mode to be useful to the users. If we add more features into v1.0, this will delay the release of v1.0, which is fine if the features are must-have features. At the moment the feedback we're seeing is that more advanced add-on handling is very nice to have, and once we have feedback from users on how v1.0 is performing in the wild, we can prioritise it for the next release.

Of course if you feel that Corporate Mode has no value to users without the add-on functionality, and is a must-have feature, I invite you to make that argument.

[RuturajL]

@gerald-hartig, fully agree on doing the most important things for v1. This would promote use of NVDA in corporate environments hopefully. Obviously this would go through beta testing etc, so I am hoping all the issues would be ironed out before corporates start implementing it left and right. I do feel addons are critical in work environments. However, even under current process, users would be probably requesting for admin access or IT helpdesk's assistance for installing addons in such corporate environments, so, hopefully this wouldn't be a big change for them.