Managing Profiles and Policies for Windows Desktops: Dynamic Environment Manager Operational Tutorial

This tutorial provides step-by-step instructions for using the major features of Dynamic Environment Manager after you have completed installation and initial configuration. For instructions on installation and initial configuration, see the Quick-Start Tutorial for VMware Dynamic Environment Manager.

This tutorial is intended for IT administrators and product evaluators who are familiar with VMware vSphere® and VMware vCenter Server®.  Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is  assumed. Knowledge of other technologies, such as VMware Horizon® is also helpful.

Preserving user-specific application settings and applying or enforcing specific default application settings are key features of Dynamic Environment Manager. VMware provides application management templates for commonly used software packages, and the VMware Dynamic Environment Manager Community Forum contains many more templates that were created with the Application Profiler.

For applications that do not have a corresponding application management template, you can use the Application Profiler, a standalone application that analyzes where an application store its file and registry configuration. The analysis results in an optimized Dynamic Environment Manager Flex configuration file, which you can edit in the Application Profiler or use directly.

You can also use Application Profiler to set the initial configuration state of applications.

End users are using more devices than ever before, and expect a consistent user experience when accessing corporate resources. With Dynamic Environment Manager, end users can roam between disparate devices while preserving custom application settings and Windows personalization settings.

When a user logs in to a virtual desktop or application, Dynamic Environment Manager reads the profile archive file for that user's profile and can, for example, display the desktop background or application settings that the user saved during the last session, regardless of whether the actual endpoint device was a desktop computer at work or an iPad at home.

This feature, which is also called application authorization, enables administrators to build allowlists and denylists of applications to control application and license sprawl. You can also create condition settings to control the circumstances under which an application can be used. For example, you can create a condition that allows a user access to company-specific applications only when the user is on the internal corporate network.

Privilege management can be a daunting task, and many IT administrators are forced to provide Local Administrator privileges to end users to satisfy application demands. With the Dynamic Environment Manager privilege elevation feature, IT can strategically elevate permissions for application installers, as well as executables for applications already installed that require Local Administrator privileges to run. Elevating privileges for specific executables, while removing Local Administrator privileges from end users, can dramatically reduce the risk of a malware or ransomeware attack on your network.

This feature integrates with VMware Horizon so that a number of key Horizon features can be dynamically activated or deactivated based not only on who the user is, but on the many different variables available through Horizon: client device, IP address, pool name, and so on.

To perform this exercise, you need the following:

• Provisioning machine – The machine that you use to profile the application must use the same Windows OS version and similar patch version as the machine that your end users will use. For supported Windows versions, see Application Profiler System Requirements.
  Note: The provisioning machine must not have the Dynamic Environment Manager agent installed on it. VMware recommends that the provisioning machine not have any additional applications installed aside from those included with the OS and VMware Tools, if you are using a VM.
• User account – When you log in to the provisioning machine to run the Application Profiler installer, the account you use must have administrative privileges.
• Installer – The Application Profiler installer is included in the Dynamic Environment Manager installation package, in the Optional Components folder. If necessary, you can download the package from the Product Evaluation Center or  the VMware Downloads page. The installer is an architecture-specific (x86 or x64) MSI file.
• Internet access – The installation process includes a certificate revocation check to verify the digital signature of the MSI file. This check requires Internet access.
• Application to profile – For the example used in this exercise, you can download the Notepad++ application. The application that you profile must be the same version that is installed in the machine that your end users will use.
  
  Note: Application Profiler can profile applications that are installed natively in virtual desktops or RDSH servers, as well as applications that are delivered by VMware App Volumes AppStacks.

For this example, we downloaded the installer to a provisioning VM hosted on an ESXi server. To connect to this VM, called Provision, you would select the VM in the inventory list and select Launch Remote Console.

If you are performing this exercise in your own lab, you can download and extract the Application Profiler installer file, which is located in the Optional Components folder of the installation package, and copy the file to the system where it will run or to a location accessible to the system.

1. Log in to the provisioning machine, and browse to the location of the Application Profiler installer.
2. Double-click the installer file to start the wizard, and follow the prompts. You can accept all the defaults.

Tip: (Optional) After installation is complete, shut down the machine and take a VM snapshot. With a VM snapshot of the machine, you can easily revert the machine to its pristine condition after you finish profiling an application. You can then use the machine to profile a different application, and so on.

1. On the provisioning machine, browse to the location of the installer for the application you want to profile.
   For the example in this exercise, we used  the Notepad++ application, but you can use any application that your end users will use. Be sure to use the same version that your end users have.
2. Double-click the installer file to start the wizard, and follow the prompts. If you are installing Notepad++, configure the following options in the installation wizard:
   • De-select the Auto-Updater check box.
   • Select the Localization check box.
   • Select the Create Shortcut on Desktop check box.

Important: VMware recommends that, if possible, you install the application so that automatic updating is deactivated, especially if you use instant clones. For the purposes of this exercise, enable localization packs, as shown in the following figure. In this exercise, we will test profile settings by changing the language used in the UI.

From the All Programs list on the provisioning machine, Application Profiler is located in the VMware DEM folder.

1. Click Start Session.
2. Browse to and select the application.

After you click OK, Application Profiler opens the application to be profiled and begins monitoring the changes you make and where those changes are saved in the Windows registry and file system.

For example, the VLC Player application saves some changes to .ini files and some to the Windows registry. For more information, see Profiling Applications with VMware User Environment Manager, Part 2: Applying and Troubleshooting Predefined Settings.

1. From the menu bar, select Settings > Preferences.
2. From the Toolbar list, select Big icons.
3. De-select the Show status bar check box.
4. Close the application.

Application Profiler saves the changes you made, and prompts you to confirm that profiling is finished, as shown in the following figure.

Application Profiler also displays the location in the file system where the Notepad++ configuration changes where made. In this case, settings were written to a Notepad++ subfolder of the AppData folder.

Open Windows Explorer and type %AppData%\Notepad++ into the text box for navigating the path. The %AppData% variable resolves to the correct location on the machine, and the contents of the Notepad++ folder are displayed, which include a configuration file.

1. Click the Save button, and select Save Config File.
2. When prompted, provide a file name, such as NPP, and save the Application Profiler configuration files to the desktop.

In this exercise, you are creating a configuration file to enable application personalization by the end user, so that when an end user changes a Notepad++ preference, the user's preference will be saved across sessions and VMs.

Because you select Save Config File, rather than Save Config File with Predefined Settings, the preference settings you changed in this exercise will not be presented to end users. For more information, see Saving a Flex Configuration File With Predefined Settings. You changed preference settings in Notepad++ only so that Application Profiler could monitor and determine the path to the application configuration file.

For the example in this exercise, the files you copy from the desktop of the provisioning machine are:

• NPP.ico – The icon file.
• NPP.ini – The application configuration file.
• NPP.ini.flag – The flag file, which tells Dynamic Environment Manager to import settings when the application starts and export the user settings when the application closes.

For the example in this exercise, the folder is located in \\<file-server>\DEM_Config\General\Applications.

Note: After you paste the files in this location, if you close the Dynamic Environment Manager Management Console and start it again, you see Notepad++ added to the list of applications being managed, as shown in the following figure. Also note that the NPP.ini.flag file enables DirectFlex for this application, and the path to the executable is recorded.

For the example in this exercise, we are using a Horizon instant-clone desktop, and we access it through the VMware Workspace ONE catalog.

1. After login is complete, start the application, and select Settings > Preferences, and select Big icons.
2. From the Localization list, select Deutsch and save the settings.

In Notepad++ the toolbar icons are now large and the menu names are displayed in German, as shown in the following figure.

Navigate to the profile archive Applications folder for the user, and note that a new NPP.zip file has been created.

The NPP.zip file was created as soon as you started the application. For the example in this exercise, the path to this folder on the profile archives share is \\<file-share>\DEM_Profiles\<username>\Archives\

After you log out of the virtual desktop and log in again as the same user, when you start Notepad++, you see that your settings have been preserved.

If you are using a Horizon instant-clone desktop, the VM that you first logged in to was destroyed, and this new desktop still displays the Notepad++ settings you chose using the previous VM.

If you are using a full-clone desktop, you might be able to replicate this experience by reverting the VM back to a snapshot taken before you ever logged in for the first time. When you log in after reverting, you will still see the personalized Notepad++ settings.

This exercise demonstrated profiling a simple application. For the applications that you need to profile for your company, if an application profile is not already included with the Easy Start feature, use the following resources to create an application profile template:

• Go to the VMware Dynamic Environment Manager Community Forum, which contains many more templates created with Application Profiler.
• See the VMware Dynamic Environment Manager Application Profiler Administration Guide and the blog series that begins with Profiling Applications with VMware User Environment Manager, Part 1: Introduction to Application Profiler.

The following App Profiler video provides a detailed demonstration of the steps outlined in this exercise. If you need additional detail, you can find it here. If you already completed the Application Profiler exercise, feel free to skip the video. This video is 6 minutes.

To perform this exercise, you need the following:

• Notepad application listed as a managed application in the Management Console. This application is listed after you complete the exercise enable the Easy Start feature, as described in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
• An Active Directory group containing an end-user account that you can use to log in to a virtual desktop. As part of this exercise, you will remove this user account from the AD group to test a conditional setting.
• End-user credentials for that end-user account.
• Credentials for the virtual or physical machine where you installed and performed the initial configuration of the Dynamic Environment Manager Management Console, as described in the Configure the Dynamic Environment Manager Management Console exercise in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
• One or more folders on a file-share server, to allow you to test drive mapping. For the example in this exercise, we created a Marketing file share, with the following path:

\\<file-server>\Marketing\

Inside the Marketing folder are the subfolders Docs, PPT Templates, and Reports.

Note: Throughout this exercise you will frequently change between your Windows end-point device where the Dynamic Environment Manager Agent is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

1. In the Dynamic Environment Manager Management Console, select Notepad in the left pane.
2. Select the DirectFlex tab, and select the Enable DirectFlex for this config file check box. Enabling DirectFlex is required for configuring application-specific user environment settings.
3. Select the User Environment tab.

Log in to the virtual desktop as an end user. For the example in this exercise, we are using a Horizon instant-clone desktop, and we access it through the VMware Workspace ONE catalog.

On the Personalization tab of the Management Console, select the Map Drive with Notepad setting, and select Edit.

In Active Directory Users and Groups, remove the end user from the AD group that you set up as part of the Prerequisites. For the example in this exercise, the group had only one member, which we removed.

1. In the Management Console, select the User Environment tab.
2. In the list, select File Type Associations.
3. In the right pane, double-click abc.
4. Review the Settings tab. With this setting, all files in the virtual desktop file system that use the file extension .abc are opened with the Notepad application.
5. Select Cancel. You do not need to save the settings because these are the default settings included with Easy Start.

1. Log in to the virtual desktop as an end user, and on the desktop, create a new text file with the .abc file extension.
2. Double-click the file, and note that the default application used to open the file is Notepad.

For the steps in this exercise, after you created a new setting or changed a setting, you had to log in to the virtual desktop again to verify that the new setting was properly applied. However, you can use FlexEngine command-line commands on the virtual desktop to refresh environment settings so that you do not need to log out and log back in.

For example, when you are logged in to a virtual desktop as an end user, you can try changing the file type association for files with the .abc extension so that Microsoft Word opens them rather than Notepad. Or you could change which application shortcuts are created for one of the default applications, such as Notepad or Calculator.

After you make the change in the Management Console and save the configuration, on the virtual desktop, you can run the command to refresh the shortcuts and file type associations. For the example in this exercise, use the following command.

Different command-line options are provided for refreshing different types of settings. For more information, see FlexEngine Command-Line Arguments and Additional FlexEngine Operations. Besides running these commands on the virtual desktop, you can use these commands in scripts and logon tasks.

The following User Environment Settings video provides a detailed demonstration of the steps outlined in this exercise. If you need additional detail, you can find it here. If you already completed the User Environment Settings exercise, feel free to skip the video. This video is 5 minutes.

To perform this exercise, you need the following:

• Credentials for the virtual or physical machine where you installed and performed the initial configuration of the Dynamic Environment Manager Management Console, as described in the Configure the Dynamic Environment Manager Management Console exercise in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
• End-user credentials for the virtual or physical endpoint machine where you installed the Dynamic Environment Manager Agent, as described in the exercise Install the Dynamic Environment Manager Agent (FlexEngine) on the Desktop or RDSH Server, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
• One or more executable files with which to test application blocking. We recommend downloading the following executables for testing:
  • Putty
  • Notepad++
• To complete all exercises, we recommend creating the following file structure on a file-share server.
  • \\<fileshare>\software
    Copy Putty.exe to the software folder.
  • \\<fileshare>\software\installers
    Copy Notepad++ to the installers folder.
• The Domain Users group, or whichever group you selected when you created and configured the profile archives share, must have read and execute permissions to this file share. For more information, see the exercise Create and Configure the Profile Archives Share, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Note: Throughout this exercise you will frequently change between your Windows end-point device, where the Dynamic Environment Manager agent (FlexEngine) is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

Log in to your Windows end-point device where the Dynamic Environment Manager agent is installed.

For the example in this exercise, we used a Windows 10, instant-clone VM, accessed through the VMware Horizon Client.

1. On the physical or virtual machine where the Management Console is installed, open the Management Console.
   From the Start screen, select the Management Console shortcut in the VMware DEM folder.
2. Select the User Environment tab.
3. Select Application Blocking.
4. Select Global Configuration.

1. Select Enable Application Blocking.
2. Select Add.

1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.  
2. Open a command-prompt window and run the following command to force FlexEngine to check for updated application-blocking policies.

Application-blocking policy settings are read when a user logs in to Windows or when a triggered task occurs to refresh the policy settings. You can manually refresh the application-blocking policy settings on an endpoint device by running FlexEngine.exe at the command line with the appropriate argument.

There are a number of arguments that can be passed to FlexEngine.exe, as described in the following section, Additional Flex Engine Operations. (Approximate read time: 2 minutes)

1. In the Management Console, select the User Environment tab.
2. Select Application Blocking.
3. Select Create to create a new Allow rule for application blocking.

Dynamic Environment Manager provides several types of application-blocking rules. After you select the rule type, you can create settings to allow or block applications. In this exercise, you will create a hash-based rule and a path-based rule.

The following section, Allow and Block Additional Applications, summarizes the rule types and the steps for creating application rules.
(Approximate read time: 1 minute)

1. In the Management Console, select the User Environment tab.
2. Select Application Blocking.
3. Select Create to create a new Allow rule for application blocking.

Enterprises often need to prevent end users from running executables located outside of an IT-approved repository. Because the contents of the repository might change over time, a path-based Allow rule is well-suited for this task.

1. In the Management Console, select the User Environment tab.
2. Select Application Blocking.
3. Select Global Configuration.

Important: Deactivating application blocking is strongly recommended at this point to avoid having the feature interfere with other exercises.

1. Clear the Enable Application Blocking check box to deactivate the feature.
2. Select OK to commit the change.

The following App Blocking video provides a detailed demonstration of the steps for enabling application blocking. If you need additional detail, you can find it here. This video is 5 minutes.

To perform this exercise, you need the following:

• Credentials for the virtual or physical machine where you installed and performed the initial configuration of the Dynamic Environment Manager Management Console, as described in the Configure the Dynamic Environment Manager Management Console exercise in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
• End-user credentials for the virtual or physical endpoint machine where you installed the Dynamic Environment Manager Agent, as described in the exercise Install the Dynamic Environment Manager Agent (FlexEngine) on the Desktop or RDSH Server, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Important: The end-user credentials must have Local User privileges to the endpoint device, rather than Local Administrator privileges. The privilege elevation feature elevates privileges on specific executables, without requiring Local Administrator privileges.

• One or more executable files with which to test privilege elevation. We recommend downloading  WireShark for testing. Starting this file requires Local Administrator privileges.
• To complete all exercises, we recommend creating the following file structure on a file-share server.

\\<fileshare>\software\installers

Copy the WireShark file to the installers folder.

Important: The Domain Users group, or whichever group you selected when you created and configured the profile archives share, must have read and execute permissions to this file share. For more information, see the exercise Create and Configure the Profile Archives Share, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Note: Throughout this exercise, you will frequently change between your Windows end-point device, where the Dynamic Environment Manager agent (FlexEngine) is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

Log in to your Windows end-point device, where the Dynamic Environment Manager agent is installed.

For the example in this exercise, we used a Windows 10, instant-clone VM, accessed through the VMware Horizon Client.

To properly demonstrate privilege elevation, you will verify that privileges for the end-user credentials are insufficient to run the Wireshark installer.

1. On the physical or virtual machine where the Management Console is installed, open the Management Console.
   From the Start screen, select the Management Console shortcut in the VMware DEM folder. Select the User Environment tab.
2. Select Privilege Elevation.
3. Select Global Configuration.

1. On the User Environment tab, select Privilege Elevation.
2. Select Create in the toolbar.

Privilege elevation operates as an allowlist. In addition to enabling the feature, you must create privilege elevation rules and specify files or folders to elevate.  

1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.  
2. Open a command-prompt window and run the following command to force FlexEngine to check for updated privilege elevation policies.

Privilege elevation policy settings are read when a user logs in to Windows or when a triggered task occurs to refresh the policy settings. You can manually refresh the privilege elevation policy settings by running FlexEngine.exe at the command line with the appropriate argument.

There are a number of arguments that can be passed to FlexEngine.exe, as described in the following section, Additional Flex Engine Operations. (Approximate read time: 2 minutes)

1. Browse to the file share you created. In this case, the path is \\file\software\installers.
2. Double-click the Wireshark installer.
   A notification is displayed with the text you entered when configuring the privilege elevation feature.
3. Select Yes to elevate the installer.

Notice that the setup wizard starts. This time, the Wireshark installer runs without the Windows User Account Control prompt for alternate credentials.

The following Privilege Elevation video provides a detailed demonstration of the steps outlined in this exercise. If you need additional detail, you can find it here. This video is 2 minutes.

In this exercise, you created a single, path-based privilege elevation rule. Dynamic Environment Manager provides several types of privilege elevation rules, including the ability to elevate executables for applications that have already been installed but that require local administrator privileges to run.

The following User Environment Manager 9.2 - Privilege Elevation Demo video provides demos of several use cases, as well as a brief technical discussion of the way privilege elevation uses Access Tokens in Windows. This video is 8 minutes.

With Smart Policies, administrators have granular control of a user’s desktop experience. A number of key Horizon features can be dynamically activated, dedactivated, or controlled based not only on who the user is, but on the many different variables available through Horizon: client device, IP address, pool name, and so on.

You can use Smart Policies to activate or deactivate features including clipboard redirection, USB access, printing, and client drive redirection. For example, you can create a policy so that a desktop login from outside the corporate network results in deactivating of security-sensitive features such as cut-and-paste or USB drive access. Additionally, bandwidth profile settings allow you to customize the user experience based on user context and location.

Smart Policies can be enforced based on role, and evaluated at login and logout, disconnect and reconnect, and at predetermined refresh intervals. With all these capabilities and fine-grained control, you can use one desktop pool to address many different use cases.

Note: In most cases, Smart Policy settings that you configure for remote desktop features in Dynamic Environment Manager override any equivalent registry key and group policy settings.

You can use Smart Policies to activate, restrict, or deactivate Horizon features that include clipboard redirection, USB access, printing, and client drive redirection, and you can select a profile that manages bandwidth usage.

• USB redirection – Controls whether a user is allowed to use locally attached USB devices, such as thumb flash drives, cameras, and printers, from the remote desktop.
• Printing – Controls if a user is allowed to print documents from the remote desktop to a network printer or a USB printer that is attached to the client computer.
• Clipboard – Controls whether users are allowed to copy and paste text and graphics only from the client system to the remote desktop, only from the remote desktop or application to the client system, or both, or neither.
• Client drive redirection – Controls whether drives and folders on the client system are shared with the remote desktop and, if so, whether they are readable only or readable and writeable.
• HTML Access file transfer  – Controls whether you can upload files from the client system to the remote desktop, download files from the remote desktop to the client system, or both, or neither, when you are using the web client to access the remote desktop. Note that this feature requires Connection Server and Horizon Agent 7.0.1 or later.
• Bandwidth profile – Prevents the agent (remote desktop) from attempting to transmit data at a higher rate than the link capacity.

The actual bit rate for the profiles varies, depending on whether you use the PCoIP or the Blast Extreme display protocol. For this reason, the list of profiles in the menu does not display the bit rate next to the profile name.

Figure 1: Bandwidth Profile List

For details about the profiles, see the profile reference topic in the Using Smart Policies section of Configuring Remote Desktop Features in Horizon.

To create a Smart Policy, you select settings for the Horizon features that you want to control and specify the conditions, if any, under which the policy will go into effect. If you do not specify any conditions, the policy is applied to all users in the user OU configured for Dynamic Environment Manager.

Settings are always applied when the user logs in. You can optionally configure triggers to also re-evaluate the settings at other times, such as when users reconnect to the desktop or application.

If you want to apply these settings to an actual desktop or application pool in your environment, you must create the desktop or application pool and entitle it to a group of users included in the user OU configured for Dynamic Environment Manager. Having an existing pool is not required, however, if you just want to see how the management console works and try creating a policy.

1. In the Dynamic Environment Manager Management Console, click the User Environment tab.
2. Select Horizon Smart Policies in the left pane.
3. Click Create in the toolbar.

On the Settings tab, enter the following settings:

• Enter a name for the policy.
  
  The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.
• Select the check boxes next to USB redirection, Clipboard, and Bandwidth profile.
• For Bandwidth profile, select LAN.

1. On the Conditions tab, click Add.
2. Select Horizon Client Property.

1. For Property, select Client location.
2. Set the location to Internal.
3. Click OK.

This setting is compared with the gatewayLocationproperty set for the server.

• By default, if you connect directly to a Connection Server, the gateway location is Internal.
• If you connect to a VMware Unified Access Gateway appliance or Security Server, the gateway location is External by default.

If you want to override the default location reported from a server, you can change these defaults by setting the gatewayLocationproperty in the locked.properties file for the server. For instructions, see the Configure the Gateway Location for a View Connection Server or Security Server Host.

1. On the Conditions tab, click Add.
2. Select Horizon Client Property.

1. For Property, select Pool name.
2. Set Starts with to HR (or the first few letters of the name of an actual desktop pool you want to use).
3. Click OK.

By default, this new condition is added with an AND operator, meaning that the condition is applied if the user is connecting from inside the corporate network and if the user is trying to access a desktop pool that begins with the letters you specified.

On the Conditions tab, click Edit to see which other operators are available to combine conditions.

The Smart Policy settings and conditions are now defined. These settings are always evaluated and applied whenever the user logs in. Next, you will specify an event that triggers the reevaluation of the Smart Policy whenever the user reconnects, rather than logs in. This is called a triggered task.

1. Select Triggered Tasks in the left pane.
2. Click Create in the toolbar.

1. On the Settings tab, enter a name for the task.
   
   The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.
   
2. For Trigger, select Session reconnected. The Smart Policies will be reevaluated and applied every time the user connects to the remote desktop.
3. For Action, select User Environment refresh.

In the list of check boxes that appear after you select User Environment refresh, select the Horizon Smart Policies check box and click Save.

Refreshing the user environment in this case means reevaluating the user’s connection characteristics, such as internal or external, and reapplying the Smart Policy appropriately. For example, if the user first connects at the office but then later connects from a café or other external network, the Smart Policy is reapplied to deactivate USB redirection and copying and pasting between the client and remote desktop.

In a production environment, you can select additional check boxes, depending on the other User Environment settings you configure.

Note: Although the Privilege Elevation Settings and Triggered Task Settings check boxes are not part of Smart Policies, they can be used in conjunction with Smart Policies, such as when managing Just-in-Time Desktops and Apps as part of a JMP approach.

• The Privilege Elevation Settings option refreshes settings for the privilege-elevation feature. With this feature, administrators specify applications that end users are allowed to install or run without having elevated privileges. Standard user accounts can run these applications as if they were a member of the local administrators group.
• The Triggered Task Settings option allows triggered task settings to be refreshed when users disconnect, reconnect, or lock or unlock their workstation. Previously, these settings were refreshed only after users logged out of the virtual desktop or application.

The Smart Policy you created will now be applied whenever a user connects to a remote desktop with Horizon Client.

1. In the Dynamic Environment Manager Management Console, click the User Environment tab.
2. Select Horizon Smart Policies in the left pane.
3. Click Create in the toolbar.

On the Settings tab, enter the following settings:

• Enter a name for the policy.
  
  The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.
  
• Select all the check boxes.
• For Bandwidth profile, select LAN.

1. On the Conditions tab, click Add.
2. Select Horizon Client Property.

1. For Property, select Launch tag(s).
2. In the second list, select Is equal to.
3. In the text box, enter the tag name HR-Dept.
   
   The tag name HR-Dept is a hypothetical name. To create a condition that will actually work in your environment, you must enter a tag name that you have actually assigned to a Connection Server and a desktop pool. For more information about assigning tags, see the topic Implementing Connection Server Restrictions for Global Entitlements.
4. Click OK.

1. On the Conditions tab, click Add.
2. Select Horizon Client Property.

1. On the Conditions tab, click Add.
2. Select Group Membership.

1. Select User.
2. Click Browse.

1. Enter a user group name.
2. Click Check Names and select a name.
3. Click OK.

Accept the defaults and click OK.

Click Save. The default operator AND is used to combine the conditions, which is correct for this exercise.

This Smart Policy is set to enable all features and use the LAN bandwidth profile for all users from the Domain Admins user group who connect to a server and desktop assigned the HR-Dept tag and whose remote desktop VM belongs to the specified domain.

For more information about conditions and client properties, see the product documentation topic Adding Conditions to Horizon Policy Definitions.

You do not need to create a triggered task because you created a triggered task during the first exercise.

The first four steps of this procedure guide you through setting the logging level using the Group Policy Management Console. Before you can perform these steps, you must have created a FlexEngine GPO, as described the exercise Initial Configuration Using an Active Directory Group Policy Object, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

If instead you configured Dynamic Environment Manager using NoAD mode, you have already set the logging level to Debug, as described in  Exercise: Create the NoAD Configuration File, in the Quick-Start Tutorial for VMware Dynamic Environment Manager. In this case, you can skip to Step 5 of this exercise.

1. Type group policy management into the search box on the taskbar.
2. Select Group Policy Management in the results.

1. Expand your domain.
2. Expand Group Policy Objects.
3. Select the GPO that you created for the Dynamic Environment Manager group policy settings.
4. From the Action menu, select Edit.

1. Navigate to User Configuration > Policies > Administrative Templates > VMware DEM > FlexEngine.
2. In the right pane, double-click FlexEngine logging.

1. Verify that logging is set to Enabled.
2. Select Debug as the log level.
3. Click OK.

VMware recommends that you set the log level to Debug only temporarily because the amount of logging can affect performance.

Note: This dialog box also shows the location of the log file. You specified the log file location when you installed and set up Dynamic Environment Manager.

Log in as a user to a virtual desktop that matches the Smart Policy.

Logging in will create a Dynamic Environment Manager log file for the user.