55cm (21") or larger display.

All-in-One chassis.

USB ports, for HID devices (e.g. keyboard and mouse).

GigE NIC with support for PXE (netboot) and WOL (Wake-on-LAN).

x86–64 CPU, although low-end is sufficient.

4G or more of RAM.

Glass fascia. Vendors are encouraged to consider the option of stronger tempered glass as some correctional facilities consider this a valuable feature.

Internal PSU. An external PSU is not suitable as it can be used as a flail weapon.

Chassis secured with Tamper-Resistant Torx (also known as Torx TR) or pin-in Torx to ensure prisoners can not gain access to the internal components.

Internal speakers.

3.5mm TRS stereo jack and TS mic, or combined TRRS audio jack.

No webcam. Exceptions may be made for desktops isolated in monitored rooms, for use in virtual hearings or similar.

No hard-drive.

No TV receiver.

No microphone.

No WiFi transceiver.

No bluetooth transceiver.

Any external port must provide no support for MHL, HEC, or HEAC.

All firmware config screens disabled. It is acceptable for the firmware to only display information such as the date and time, MAC address, etc.

Firmware password protection disabled. Note that common 'password protection' is insufficient to satisfy the previous requirement.

Traditional BIOS. We expect to support UEFI in the future. When we do, UEFI and secure boot must be configured to include only Cyber IT Solutions' public key in trusted keyring (db), and Microsoft's keys explicitly blacklisted (dbx). Cyber IT Solutions' public key available on request.

Permit boot from only PXE (netboot).

Boot must be disabled from HDD and removable media (USB, CD/DVD, etc) under all circumstances.

SATA AHCI enabled.

WoL (wake-on-LAN) enabled.

Firmware factory default and optimised default values equivalent to these requirements.

Firmware must not allow updates to be applied by removable media.

HDMI audio disabled.

NumLock off.