nvda icon indicating copy to clipboard operation
nvda copied to clipboard
verified publisher icon nvaccess

Corporate mode for NVDA

Open gerald-hartig opened this issue 1 year ago • 12 comments

Is your feature request related to a problem? Please describe.

Corporate (security) mode for NVDA. This mode is intended to enhance security while allowing certain configuration settings to be saved, providing a balance between security and customisability for enterprise environments.

Describe the solution you'd like

The solution involves developing a new mode called "Corporate Mode" which is based on the current "Secure Mode". The development plan includes the following features for version 1.0:

  • Save configuration for most settings.
    • Allow changing and saving of settings related to speech, braille, audio and vision preferences, keyboard preferences and mouse settings, review cursor, input composition and object presentation.
    • Essentially exclude advanced settings and any settings that require administrative privileges to modify.
  • Save gesture map / custom keyboard shortcuts and gestures for NVDA functions.
  • Allow users to create, save and switch between different configuration profiles.
  • Provide access to user documentation from within NVDA without requiring elevated privileges.
  • Disable any features that require admin or elevated access.
  • Addons are enabled, but disable installation of new addons.
  • Disable the Python console.
  • Disable custom configuration loading (-c).
  • Disable creating portable installations.
  • Rebrand existing "Secure Mode" to "Kiosk Mode".
  • Creation of documentation for Corporate Mode (eg: setup guide, usage scenarios, enterprise troubleshooting tips).

This is essentially Secure Mode with a few punch-outs.

Describe alternatives you've considered

We could soften the existing "Secure Mode" by adding the required features directly into it. However, creating a distinct "Corporate Mode" allows for clearer differentiation and there is still a need for a fully locked-down mode. To avoid confusion with NVDA's elevated security during sign-on screens, the existing Secure Mode will be renamed Kiosk Mode.

Additional context

Features that are likely not to be included in version 1.0 but can be considered for future updates based on user feedback include:

  • Checking for updates & auto-updates.
  • Updating addons.
  • Configurability of policy whitelist/blacklist.
  • Allowing admins to enable/disable the log viewer.
  • Allowing users to install/update specific addons from a whitelist.
  • Integration with Active Directory / Group Policy
  • Admin dashboards

gerald-hartig avatar May 21 '24 05:05 gerald-hartig

The UIA settings from the advanced settings are crucial as well, e.g. not using UIA in Microsoft Word is still a better choice, especially in corporate environments.

Adriani90 avatar May 21 '24 10:05 Adriani90

Hi Adriani,

i tend to disagree here.

I know people, who use UIA in the corporate mode:

The reasons are as follows:

speed,

responsiveness,

and better interaction in documents, especially in latest office 365.

zstanecic avatar May 21 '24 11:05 zstanecic

I don‘t agree. I am working with NVDA in corporate, and office still has lot of limitations in office products. There are still lots of issues also open on github whuich are still a show stopper for default UIA. Von meinem iPhone gesendetAm 21.05.2024 um 13:03 schrieb Zvonimir Stanečić @.***>: Hi Adriani,

i tend to disagree here.

I know people, who use UIA in the corporate mode:

The reasons are as follows:

speed,

responsiveness,

and better interaction in documents, especially in latest office 365.

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: @.***>

Adriani90 avatar May 21 '24 11:05 Adriani90

Hi,

Both points are valid. Corporate environments do not update office suites often, or if they do, updates are delayed slightly from consumer releases to help IT folks test things and to make the suite comply with policies (I bet there are organizations using Office 2013 (end of life for various reasons). On the other hand, with migration to newer Office products such as Office 2021 and upcoming Office 2024 (or even Microsoft 365), information workers (including people in corporate settings) can use Office releases with improved UIA support. Do note that Word object model does not handle more modern things well (if we are to require UIA in Office suite, we need to drop support for Office versions earlier than 2019).

Thanks.

josephsl avatar May 21 '24 15:05 josephsl

@zstanecic true, but @Adriani90 has a valid point too.

It depends on many factors, including what you are doing with the Office programs (which features are important to your work), and which version your company lets you run.

There are still some rather huge corporations, insisting on using older versions of Office and even Windows. For example, in the U.S., one of the largest banks in the country was still using Windows 10, 1809 version, and Office 2016, as of two years ago. While that is inconceivably stupid from most points of view, UIA would never have been appropriate in that environment. Especially since there have been some issues suggesting that NVDA doesn't always detect when it shouldn't use UIA.

So in corporate support environments, this may need to be configurable by the user, not just by the IT department.

XLTechie avatar May 22 '24 07:05 XLTechie

@zstanecic true, but @Adriani90 has a valid point too. It depends on many factors, including what you are doing with the Office programs (which features are important to your work), and which version your company lets you run. There are still some rather huge corporations, insisting on using older versions of Office and even Windows. For example, in the U.S., one of the largest banks in the country was still using Windows 10, 1809 version, and Office 2016, as of two years ago. While that is inconceivably stupid from most points of view, UIA would never have been appropriate in that environment. Especially since there have been some issues suggesting that NVDA doesn't always detect when it shouldn't use UIA. So in corporate support environments, this may need to be configurable by the user, not just by the IT department.

I do not understand this discussion about old Office versions. NVDA usually decide if UIA should be used or not for Word, depending on Word version and Windows version. Except at NVDA startup (see #13704), I do not know of any use case where NVDA does not decide correctly. @XLTechie have you one or more other case in mind?

CyrilleB79 avatar May 22 '24 12:05 CyrilleB79

The issues with UIA are in Office 365, they all are still open here on Github.Von meinem iPhone gesendetAm 22.05.2024 um 14:51 schrieb Cyrille Bougot @.***>:

@zstanecic true, but @Adriani90 has a valid point too. It depends on many factors, including what you are doing with the Office programs (which features are important to your work), and which version your company lets you run. There are still some rather huge corporations, insisting on using older versions of Office and even Windows. For example, in the U.S., one of the largest banks in the country was still using Windows 10, 1809 version, and Office 2016, as of two years ago. While that is inconceivably stupid from most points of view, UIA would never have been appropriate in that environment. Especially since there have been some issues suggesting that NVDA doesn't always detect when it shouldn't use UIA. So in corporate support environments, this may need to be configurable by the user, not just by the IT department.

I do not understand this discussion about old Office versions. NVDA usually decide if UIA should be used or not for Word, depending on Word version and Windows version. Except at NVDA startup (see #13704), I do not know of any use case where NVDA does not decide correctly. @XLTechie have you one or more other case in mind?

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: @.***>

Adriani90 avatar May 22 '24 13:05 Adriani90

With UIA enabled in MS Word and Outlook which is the default, following issues are still open and valid according to my testing, also in Office 365:

Outlook

  • In Outlook NVDA cannot activate grafic links in browse mode (#15326)
  • In Outlook NVDA doesn't read the image descriptions (#14217)
  • Problem with data tables being recognized when UIA is on in Outlook (#12853),
  • UIA has an effect on NVDA reading layout tables in emails in Outlook (see https://github.com/nvaccess/nvda/issues/14892#issuecomment-1530259209)
  • Page numbers are reported in outlook when uIA is enabled which is confusing (#9190)
  • And probably others I could't find on the first look

MS Word

  • Severe freeze when using text style navigation (#16546)
  • Alt text on images is not read when UIA is enabled (#16185)
  • NVDA skips empty cells in browse mode when using tables in MS Word and UIA is enabled (#15456)
  • Deleting characters with backspace in MS Word sometimes fails when UIA is enabled (#13748)
  • NVDA still uses UIA after restarting it, although the user disabled UIA. This happens also in old MS Word versions before 365 (#13704)
  • Numbered lists with blank lines are not reported properly when UIA is enabled (#13462)
  • Track changes in MS Word with single markup do not work when UIA is enabled (#13460)
  • When a new row is added via tab key in MS Word with UIA enabled, NVDA does not report it while in browse mode (#13077)
  • Further problem with lists in MS Word when UIA is enabled (#13064)
  • NVDA reports confusing information in MS Word tables when UiA is enabled and navigating with tab through the table (#12998)
  • Formatting styles are not always properly reported when UIA is enabled (#11427, #9766)
  • Scrolling does not work properly when UIA is enabled and when using say all (#9559)

Registering for UIA events

  • There are problems when using UIA registering for event selectively which is the default behavior, especially in MS Outlook, task manager and context menus in Firefox (#11599, #11354, #14892)

I could continue with UIA in consoles, and UIA in Chromium browsers where we also need to change the settings case by case to gain better accessibility.

Adriani90 avatar May 22 '24 13:05 Adriani90

At least for UIA in Word and Outlook, in my view it was a mistake to enable UIA by default. Who ever is using UIA in MS Office, it is definitely having some important drawbacks compared to objectModel.

Adriani90 avatar May 22 '24 13:05 Adriani90

At least for UIA in Word and Outlook, in my view it was a mistake to enable UIA by default. Who ever is using UIA in MS Office, it is definitely having some important drawbacks compared to objectModel.

Oh! I was not aware of these so many issues. Some of them are not so important, but at least the two first are. You may open a new issue asking to turn back to legacy by default. Not sure that NV Access will accept it but surely it will be re-discussed in a centralized place. And maybe the most important issues can be prioritized again by NV Access.

In any case, I will not discuss UIA/not UIA topic further here since IMO, there is no reason why the config should be different between corporate or home user. But if Word UIA should be configurable by any user according to his/her needs, and this seem to be the case, there's no point to keep this option in Advanced settings. The truth is probably that NVDA shouldn't even allow to configure Word UIA/non-UIA; it should take best of both world according to each situation, as it is probably done in Jaws.

CyrilleB79 avatar May 22 '24 14:05 CyrilleB79

The truth is probably that NVDA shouldn't even allow to configure Word UIA/non-UIA; it should take best of both world according to each situation, as it is probably done in Jaws.

I think the best way would be to have a properly designed API which is maintained regularly instead of having 3 or I don't know how many APIs out there. Jaws merges API calls indeed between both objectModel and UIA, but this causes freezes and crashes in different areas because in some cases API calls can interfere. So It is ok to separate them I think. But if someone merges them properly, it might work as well, who knows...

Adriani90 avatar May 22 '24 19:05 Adriani90

There's a built-in Kiosk mode in Windows already, if NVDA's Kiosk mode isn't going to be related to that, I would strongly advise against using that nomenclature. If most of (admin permission needed settings) are going to be not available, then I wonder how I'll make NVDA have the same configurations on my lock-screen and on secured screens as my normal user configurations. How would we enable automatic updates without admin permissions? I think this also links backs to my previously raised issue, #16498, making NVDA available in microsoft store. This way, we can deploy the package via Microsoft Intune management extention or any other MDM tools, keep it updated from microsoft store in corporate environments. Reference: https://learn.microsoft.com/en-us/mem/intune/apps/store-apps-microsoft

RuturajL avatar May 23 '24 12:05 RuturajL

@RuturajL - yes, it is both related to kiosk mode and has the same principles behind it. Currently secure mode covers both the kiosk use case, and the corporate use case, which is why we want to split these out. The main use of kiosk mode is for secure screens like UAC and the sign-in screen. These run from a system profile where it is important that 1 user cannot write to disk and change the settings of the global system installation. i.e. NVDA in kiosk mode must be stateless after a restart. This is the same principle as Windows Kiosk mode, as kiosks must be safe, restricted and stateless. Kiosk Mode main use would be for Kiosk environments (including testing environments).

seanbudd avatar May 24 '24 00:05 seanbudd