Managing Profiles and Policies for Windows Desktops: Dynamic Environment Manager Operational Tutorial

Introduction

Overview

VMware Dynamic Environment Manager™ (formerly known as User Environment Manager, until version 9.9) delivers personalization and centrally managed policy configurations across virtual, physical, and cloud-based Windows desktop environments. IT administrators control which settings users are allowed to personalize, and administrators can map environmental settings such as network drives and location-specific printers.

User-specific Windows desktop and application settings can be applied in the context of client device, location, or other conditions. Policies are enforced when users log in, launch an app, reconnect, or when some other triggering event occurs.

Dynamic Environment Manager also has a feature for configuring folder redirection for storing personal user data, including documents, pictures, and so on.

Purpose of This Tutorial

This tutorial provides step-by-step instructions for using the major features of Dynamic Environment Manager after you have completed installation and initial configuration. For instructions on installation and initial configuration, see the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Audience

This tutorial is intended for IT administrators and product evaluators who are familiar with VMware vSphere® and VMware vCenter Server®.  Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is  assumed. Knowledge of other technologies, such as VMware Horizon® is also helpful.

Features Covered in This Tutorial

The exercises in this tutorial guide you through using the following major features of Dynamic Environment Manager.

Application Profiler

Preserving user-specific application settings and applying or enforcing specific default application settings are key features of Dynamic Environment Manager. VMware provides application management templates for commonly used software packages, and the VMware Dynamic Environment Manager Community Forum contains many more templates that were created with the Application Profiler.

For applications that do not have a corresponding application management template, you can use the Application Profiler, a standalone application that analyzes where an application store its file and registry configuration. The analysis results in an optimized Dynamic Environment Manager Flex configuration file, which you can edit in the Application Profiler or use directly.

You can also use Application Profiler to set the initial configuration state of applications.

User Environment Settings

End users are using more devices than ever before, and expect a consistent user experience when accessing corporate resources. With Dynamic Environment Manager, end users can roam between disparate devices while preserving custom application settings and Windows personalization settings.

When a user logs in to a virtual desktop or application, Dynamic Environment Manager reads the profile archive file for that user's profile and can, for example, display the desktop background or application settings that the user saved during the last session, regardless of whether the actual endpoint device was a desktop computer at work or an iPad at home.

Application Blocking

This feature, which is also called application authorization, enables administrators to build allowlists and denylists of applications to control application and license sprawl. You can also create condition settings to control the circumstances under which an application can be used. For example, you can create a condition that allows a user access to company-specific applications only when the user is on the internal corporate network.

Privilege Management

Privilege management can be a daunting task, and many IT administrators are forced to provide Local Administrator privileges to end users to satisfy application demands. With the Dynamic Environment Manager privilege elevation feature, IT can strategically elevate permissions for application installers, as well as executables for applications already installed that require Local Administrator privileges to run. Elevating privileges for specific executables, while removing Local Administrator privileges from end users, can dramatically reduce the risk of a malware or ransomeware attack on your network.

Horizon Smart Policies

This feature integrates with VMware Horizon, so that a number of key Horizon features can be dynamically enabled or disabled based not only on who the user is, but on the many different variables available through Horizon: client device, IP address, pool name, and so on.

Basic Features

Create an Application Template with Application Profiler

For applications that do not have a corresponding application management template, you can use the Application Profiler, a standalone application that analyzes where an application stores its file and registry configuration. The analysis results in an optimized User Environment Manager Flex configuration file, which you can edit in the Application Profiler or use directly. You can also use Application Profiler to set the initial configuration state of applications.

In this exercise, you will install the Application Profiler tool, which is included in the User Environment Manager installation package. After Application Profiler is installed in a provisioning VM, you can run the tool to open the application you want to profile, change some settings, and then create a template you can use to manage the application for your end users.

The following section, Introduction to Dynamic Environment Manager Application Profiler, provides additional background. (Approximate read time: 1 minute)

Prerequisites for Using Application Profiler

To perform this exercise, you need the following:

  • Provisioning machine – The machine that you use to profile the application must use the same Windows OS version and similar patch version as the machine that your end users will use. For supported Windows versions, see Application Profiler System Requirements.
    Note: The provisioning machine must not have the Dynamic Environment Manager agent installed on it. VMware recommends that the provisioning machine not have any additional applications installed aside from those included with the OS and VMware Tools, if you are using a VM.
  • User account – When you log in to the provisioning machine to run the Application Profiler installer, the account you use must have administrative privileges.
  • Installer – The Application Profiler installer is included in the Dynamic Environment Manager installation package, in the Optional Components folder. If necessary, you can download the package from the Product Evaluation Center or  the VMware Downloads page. The installer is an architecture-specific (x86 or x64) MSI file.
  • Internet access – The installation process includes a certificate revocation check to verify the digital signature of the MSI file. This check requires Internet access.
  • Application to profile – For the example used in this exercise, you can download the Notepad++ application. The application that you profile must be the same version that is installed in the machine that your end users will use.

    Note: Application Profiler can profile applications that are installed natively in virtual desktops or RDSH servers, as well as applications that are delivered by VMware App Volumes AppStacks.

1. Place the Installer in a Suitable Location

For this example, we downloaded the installer to a provisioning VM hosted on an ESXi server. To connect to this VM, called Provision, you would select the VM in the inventory list and select Launch Remote Console.

If you are performing this exercise in your own lab, you can download and extract the Application Profiler installer file, which is located in the Optional Components folder of the installation package, and copy the file to the system where it will run or to a location accessible to the system.

2. Run the Installer

  1. Log in to the provisioning machine, and browse to the location of the Application Profiler installer.
  2. Double-click the installer file to start the wizard, and follow the prompts. You can accept all the defaults.

Tip: (Optional) After installation is complete, shut down the machine and take a VM snapshot. With a VM snapshot of the machine, you can easily revert the machine to its pristine condition after you finish profiling an application. You can then use the machine to profile a different application, and so on.

3. Install the Application to Be Profiled

  1. On the provisioning machine, browse to the location of the installer for the application you want to profile.
    For the example in this exercise, we used  the Notepad++ application, but you can use any application that your end users will use. Be sure to use the same version that your end users have.
  2. Double-click the installer file to start the wizard, and follow the prompts. If you are installing Notepad++, configure the following options in the installation wizard:
    • De-select the Auto-Updater check box.
    • Select the Localization check box.
    • Select the Create Shortcut on Desktop check box.

Important: VMware recommends that, if possible, you install the application so that automatic updating is disabled, especially if you use instant clones. For the purposes of this exercise, enable localization packs, as shown in the following figure. In this exercise, we will test profile settings by changing the language used in the UI.

4. Start Application Profiler

From the All Programs list on the provisioning machine, Application Profiler is located in the VMware DEM folder.

5. Start the Profiling Session

  1. Click Start Session.
  2. Browse to and select the application.

After you click OK, Application Profiler opens the application to be profiled and begins monitoring the changes you make and where those changes are saved in the Windows registry and file system.

For example, the VLC Player application saves some changes to .ini files and some to the Windows registry. For more information, see Profiling Applications with VMware User Environment Manager, Part 2: Applying and Troubleshooting Predefined Settings.

6. Make Some Changes to the Application

  1. From the menu bar, select Settings > Preferences.
  2. From the Toolbar list, select Big icons.
  3. De-select the Show status bar check box.
  4. Close the application.

Application Profiler saves the changes you made, and prompts you to confirm that profiling is finished, as shown in the following figure.

Application Profiler also displays the location in the file system where the Notepad++ configuration changes where made. In this case, settings were written to a Notepad++ subfolder of the AppData folder.

7. Verify the Location of Application Configuration Changes

Open Windows Explorer and type %AppData%\Notepad++ into the text box for navigating the path. The %AppData% variable resolves to the correct location on the machine, and the contents of the Notepad++ folder are displayed, which include a configuration file.

8. Save the Config File

  1. Click the Save button, and select Save Config File.
  2. When prompted, provide a file name, such as NPP, and save the Application Profiler configuration files to the desktop.

In this exercise, you are creating a configuration file to enable application personalization by the end user, so that when an end user changes a Notepad++ preference, the user's preference will be saved across sessions and VMs.

Because you select Save Config File, rather than Save Config File with Predefined Settings, the preference settings you changed in this exercise will not be presented to end users. For more information, see Saving a Flex Configuration File With Predefined Settings. You changed preference settings in Notepad++ only so that Application Profiler could monitor and determine the path to the application configuration file.

9. Copy the Notepad++ Configuration Files

For the example in this exercise, the files you copy from the desktop of the provisioning machine are:

  • NPP.ico – The icon file.
  • NPP.ini – The application configuration file.
  • NPP.ini.flag – The flag file, which tells Dynamic Environment Manager to import settings when the application starts and export the user settings when the application closes.

10. Paste the Files in the Applications Folder on the Configuration Share

For the example in this exercise, the folder is located in \\<file-server>\DEM_Config\General\Applications.

Note: After you paste the files in this location, if you close the Dynamic Environment Manager Management Console and start it again, you see Notepad++ added to the list of applications being managed, as shown in the following figure. Also note that the NPP.ini.flag file enables DirectFlex for this application, and the path to the executable is recorded.

11. Log In to a Virtual Desktop as an End User

For the example in this exercise, we are using a Horizon instant-clone desktop, and we access it through the VMware Workspace ONE catalog.

12. Start Notepad++ and Change Some Settings

  1. After login is complete, start the application, and select Settings > Preferences, and select Big icons.
  2. From the Localization list, select Deutsch and save the settings.

In Notepad++ the toolbar icons are now large and the menu names are displayed in German, as shown in the following figure.

13. Verify That Application Settings Are Saved to the Profile Archives

Navigate to the profile archive Applications folder for the user, and note that a new NPP.zip file has been created.

The NPP.zip file was created as soon as you started the application. For the example in this exercise, the path to this folder on the profile archives share is \\<file-share>\DEM_Profiles\<username>\Archives\

14. Log Out and Log In Again to See Persistent Settings

After you log out of the virtual desktop and log in again as the same user, when you start Notepad++, you see that your settings have been preserved.

If you are using a Horizon instant-clone desktop, the VM that you first logged in to was destroyed, and this new desktop still displays the Notepad++ settings you chose using the previous VM.

If you are using a full-clone desktop, you might be able to replicate this experience by reverting the VM back to a snapshot taken before you ever logged in for the first time. When you log in after reverting, you will still see the personalized Notepad++ settings.

This exercise demonstrated profiling a simple application. For the applications that you need to profile for your company, if an application profile is not already included with the Easy Start feature, use the following resources to create an application profile template:

The following App Profiler video provides a detailed demonstration of the steps outlined in this exercise. If you need additional detail, you can find it here. If you already completed the Application Profiler exercise, feel free to skip the video. This video is 6 minutes.

Configure User Environment Settings

User environment settings include many different kinds of settings, some of which can be application-specific, and some can pertain to the user's whole virtual desktop environment. These are imported when the user logs in to the OS. For example, you can map a drive to a virtual desktop either when a user logs in to the OS or when a user starts a specific application. Besides configuring environment settings, you can specify the conditions under which the settings are applied, and you can specify which tasks might trigger a setting to be used.

To configure environment settings for a user's whole virtual desktop environment, you can click the User Environment tab at the top of the Management Console, as shown in the following figure.

As you can see, user environment settings include the following, among others:

  • Application Blocking – An advanced feature that is discussed in the later exercise Configure Application Blocking.
  • Drive Mappings – A feature that is explored in this exercise, but is applied to a specific application.
  • File Type Associations – A feature that is explored in this exercise, wherein you configure which application is used to open files with a specific file extension.
  • Horizon Smart Policies – A feature that integrates with Horizon, in which a number of key Horizon features can be dynamically enabled or disabled based not only on who the user is, but on the many different variables available through Horizon: client device, IP address, pool name, and so on. For more information, see the chapter Horizon Smart Policies.
  • Privilege Elevation – An advanced feature that is discussed in the later exercise Configure Privilege Elevation for Installing an Application.
  • Shortcuts – A feature that lets you configure whether to use a desktop shortcut or a Program folders shortcut (or both), the shortcut name, the shortcut icon, and more. An introduction to this feature is provided in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Providing exercises for all the different types of user environment settings is beyond the scope of this quick-start tutorial, but you can easily get an introduction by selecting items in the list and reviewing the user friendly control labels for each one in the Management Console. Also see Configuring User Environment Settings. For information about App Volumes settings, see VMware User Environment Manager with VMware App Volumes.

In addition to configuring settings for the whole desktop environment, you can configure settings based on which applications a user launches. To configure environment settings for a specific application, you can select the application in the list, and click the corresponding User Environment tab, as shown in the following figure.

You will use both types of User Environment tabs in this exercise.

Prerequisites

To perform this exercise, you need the following:

  • Notepad application listed as a managed application in the Management Console. This application is listed after you complete the exercise enable the Easy Start feature, as described in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
  • An Active Directory group containing an end-user account that you can use to log in to a virtual desktop. As part of this exercise, you will remove this user account from the AD group to test a conditional setting.
  • End-user credentials for that end-user account.
  • Credentials for the virtual or physical machine where you installed and performed the initial configuration of the Dynamic Environment Manager Management Console, as described in the Configure the Dynamic Environment Manager Management Console exercise in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
  • One or more folders on a file-share server, to allow you to test drive mapping. For the example in this exercise, we created a Marketing file share, with the following path:

\\<file-server>\Marketing\

Inside the Marketing folder are the subfolders Docs, PPT Templates, and Reports.

Note: Throughout this exercise you will frequently change between your Windows end-point device where the Dynamic Environment Manager Agent is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

1. Create an Environment Setting for the Notepad Application

  1. In the Dynamic Environment Manager Management Console, select Notepad in the left pane.
  2. Select the DirectFlex tab, and select the Enable DirectFlex for this config file check box. Enabling DirectFlex is required for configuring application-specific user environment settings.
  3. Select the User Environment tab.

1.1. Add a Drive-Mapping User Environment Setting

  1. Select the Add button.
  2. Select Drive Mapping from the list.

1.2. Configure Drive Mapping for the Notepad Application

  1. In the Name text box, enter Map Drive with Notepad. This is the name of the setting as it appears in the Dynamic Environment Manager Management Console.
  2. For Drive letter, select a letter that is not already in use. For the example in this exercise, M is used.
  3. For Remote path, enter the path to the share that you want to map to a drive letter. For the example in this exercise, \\<file-server>\Marketing is used.
  4. For Friendly name, enter the name that you want end users to see in Windows Explorer next to the drive letter.
  5. Select the Undo at application exit check box. This setting unmaps the drive when the user closes the application.

The Run asynchronously check box is selected by default. This setting helps the drive-mapping process to complete quickly.

After you save the settings in the Drive Mapping dialog box, the new configuration is listed on the User Environment tab for Notepad, using the name you specified in the Name text box.

1.3. Save the Configuration to the Configuration File

Select Save Configuration in the main toolbar.

2. Log In to a Virtual Desktop and Test the Feature

Log in to the virtual desktop as an end user. For the example in this exercise, we are using a Horizon instant-clone desktop, and we access it through the VMware Workspace ONE catalog.

2.1. Verify That the Drive Has Not Yet Been Mapped

Open Windows Explorer to view the drives mapped to the virtual desktop. Note that the drive you configured is not mapped yet because, at this point, you have logged in but not started the Notepad application.

2.2. Start Notepad and Verify That the Drive Is Mapped

  1. Start Notepad.
  2. Open Windows Explorer to view the drives mapped to the virtual desktop. Note that the drive you configured is now mapped.
    Note: If you do not see the mapped drive immediately, wait a few seconds and refresh the window.
  3. Close the Notepad application.
  4. Open Windows Explorer again and note that the drive has been unmapped.
  5. Log out of the virtual desktop.

2.3. Examine the Logs on the Profile Archives Share

Open the FlexEngine.log file in the Logs folder of the profile archives folder for the user, and verify that you see the line Successfully unmapped drive 'M:' ('Notepad.INI.Map Drive with Notepad').

For the example in this exercise, the path to this folder is \\<file-share>\DEM_Profiles\<username>\Archives\Logs. You can also search the file for all instances of the word "map" to find other entries for mapping events.

3. Create Conditions for the Drive-Mapping Setting

On the Personalization tab of the Management Console, select the Map Drive with Notepad setting, and select Edit.

3.1. Add a Condition for AD Group Membership

On the Conditions tab, select the Add button, and select Group Membership.

3.2. Select the AD Group

In the Group Membership dialog box, click Browse to search for and select the group.

This is the AD group mentioned in Prerequisites that contains an end-user account that you can use to log in to a virtual desktop. In this exercise, you will remove this user account from the AD group to test the conditional setting.

3.3. Add Another Condition for Windows Version

  1. On the Conditions tab, select the Add button, and select Windows Version.
  2. Select Windows 10, or whatever version of Windows is installed in the virtual desktop.

After you click Save, the condition is added to the Conditions tab, and is combined with the first condition, as shown in the following figure.

At this point in the exercise, the conditions for mapping a drive when the user starts the Notepad application are as follows: The user must be a member of a particular AD group (the Marketing group) and that the user must be logged in to a Windows 10 desktop.

Note: By default the AND operator is used when you add a condition, but you can select the condition and select Edit to change the default operator, as shown in the following figure. For this exercise, we use AND.

3.4. Save the Configuration to the Configuration File

Select Save Configuration in the main toolbar.

4. Test the Condition

In Active Directory Users and Groups, remove the end user from the AD group that you set up as part of the Prerequisites. For the example in this exercise, the group had only one member, which we removed.

4.1. Log In to the Virtual Desktop and Start Notepad

  1. Log in to the virtual desktop using the end-user account that you just deleted from the AD group.
  2. Start the Notepad application.
  3. Open Windows Explorer and note that the drive is not mapped to the virtual desktop. The drive is not mapped because the user does not meet the condition of belonging to the AD group.
  4. Close Notepad and log out of the virtual desktop.

4.2. Examine the Logs on the Profile Archives Share

Open the FlexEngine.log file in the Logs folder of the profile archives folder for the user, and verify that you see the line Conditons: Check for user membership of group '<group-name>' = false.

Note: You must have the log level set to DEBUG to see this entry. The entry that follows, however, is visible at the INFO level: Skipping drive mapping due to conditions.

For the example in this exercise, the path to this folder is \\<file-share>\DEM_Profiles\<username>\Archives\Logs.

At this point, you could add the user back to the AD group and then log in to the desktop again to verify that the drive will now be mapped when you start Notepad.

5. Test File Type Associations

  1. In the Management Console, select the User Environment tab.
  2. In the list, select File Type Associations.
  3. In the right pane, double-click abc.
  4. Review the Settings tab. With this setting, all files in the virtual desktop file system that use the file extension .abc are opened with the Notepad application.
  5. Select Cancel. You do not need to save the settings because these are the default settings included with Easy Start.

6. Create and Open a File with the ABC Extension

  1. Log in to the virtual desktop as an end user, and on the desktop, create a new text file with the .abc file extension.
  2. Double-click the file, and note that the default application used to open the file is Notepad.

Refreshing Settings Without Logging Out of the Desktop

For the steps in this exercise, after you created a new setting or changed a setting, you had to log in to the virtual desktop again to verify that the new setting was properly applied. However, you can use FlexEngine command-line commands on the virtual desktop to refresh environment settings so that you do not need to log out and log back in.

For example, when you are logged in to a virtual desktop as an end user, you can try changing the file type association for files with the .abc extension so that Microsoft Word opens them rather than Notepad. Or you could change which application shortcuts are created for one of the default applications, such as Notepad or Calculator.

After you make the change in the Management Console and save the configuration, on the virtual desktop, you can run the command to refresh the shortcuts and file type associations. For the example in this exercise, use the following command.

"c:\Program Files\Immidio\Flex Profiles\flexengine.exe" -UemRefresh

Different command-line options are provided for refreshing different types of settings. For more information, see FlexEngine Command-Line Arguments and Additional FlexEngine Operations. Besides running these commands on the virtual desktop, you can use these commands in scripts and logon tasks.

The following User Environment Settings video provides a detailed demonstration of the steps outlined in this exercise. If you need additional detail, you can find it here. If you already completed the User Environment Settings exercise, feel free to skip the video. This video is 5 minutes.

Advanced Features

Configure Application Blocking

This feature, which is also called application authorization, enables administrators to build denylists and allowlists of applications to control application and license sprawl. You can also create condition settings to control the circumstances under which an application can be used. For example, you can create a condition that allows a user access to company-specific applications only when the user is on the internal corporate network.

The following Configure Application Blocking section provides a brief overview of the application-blocking feature.
(Approximate read time: 2 minutes)

For the purposes of this tutorial, we recommend that you limit this feature to endpoint devices used for testing purposes. After you are comfortable with the way the feature works, and have the appropriate application-blocking rules defined, you can expand to using devices in your production environment.

Prerequisites for Using Application Blocking

To perform this exercise, you need the following:

  • Credentials for the virtual or physical machine where you installed and performed the initial configuration of the Dynamic Environment Manager Management Console, as described in the Configure the Dynamic Environment Manager Management Console exercise in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
  • End-user credentials for the virtual or physical endpoint machine where you installed the Dynamic Environment Manager Agent, as described in the exercise Install the Dynamic Environment Manager Agent (FlexEngine) on the Desktop or RDSH Server, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
  • One or more executable files with which to test application blocking. We recommend downloading the following executables for testing:
  • To complete all exercises, we recommend creating the following file structure on a file-share server.
    • \\<fileshare>\software
      Copy Putty.exe to the software folder.
    • \\<fileshare>\software\installers
      Copy Notepad++ to the installers folder.
  • The Domain Users group, or whichever group you selected when you created and configured the profile archives share, must have read and execute permissions to this file share. For more information, see the exercise Create and Configure the Profile Archives Share, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Note: Throughout this exercise you will frequently change between your Windows end-point device, where the Dynamic Environment Manager agent (FlexEngine) is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

1. Log In to the Desktop as an End User to Verify That Putty Can Run

Log in to your Windows end-point device where the Dynamic Environment Manager agent is installed.

For the example in this exercise, we used a Windows 10, instant-clone VM, accessed through the VMware Horizon Client.

 

1.1. Run Putty

From the Windows endpoint, browse to the file share and run Putty.exe.

1.2. Close Putty

Select Cancel to close Putty.

Remain logged in to the Windows endpoint device, but minimize the window before continuing to the next step.

2. Select Global Application Blocking in the Management Console

  1. On the physical or virtual machine where the Management Console is installed, open the Management Console.
    From the Start screen, select the Management Console shortcut in the VMware DEM folder.
  2. Select the User Environment tab.
  3. Select Application Blocking.
  4. Select Global Configuration.

3. Enable and Configure Application Blocking

  1. Select Enable Application Blocking.
  2. Select Add.

3.1. Specify the Path to the Windows Explorer Application

Browse to or enter the path to explorer.exe. Windows Explorer is considered a parent application, which means it is used to start other applications.

3.2. Complete the Configuration

Select OK to continue.

The Message title, Message text, and Hide after text boxes are automatically populated. These fields define the notification that the end-user receives when the user attempts to start an application that is blocked by Dynamic Environment Manager.

Although this notification is not required, we recommend that you leave this default configuration in place while testing the application-blocking feature.

3.3. Confirm Application Blocking

Review the disclaimer and select OK to continue. Application blocking is now enabled. If you use Windows Explorer to start an application whose executable file does not reside in C:\Program Files or C:\Program Files (x86), you will see the notification you configured in the previous step, and the application will not start.

4. Refresh Settings and Verify That Application Blocking Is Enabled

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.  
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated application-blocking policies.
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -uemrefreshapplicationblocking

Application-blocking policy settings are read when a user logs in to Windows or when a triggered task occurs to refresh the policy settings. You can manually refresh the application-blocking policy settings on an endpoint device by running FlexEngine.exe at the command line with the appropriate argument.

There are a number of arguments that can be passed to FlexEngine.exe, as described in the following section, Additional Flex Engine Operations. (Approximate read time: 2 minutes)

4.1. Verify That Running Putty from the File Share Is Blocked

From the Windows endpoint, browse to the file share and double-click the Putty.exe file.

This time, Putty is blocked by Dynamic Environment Manager. If the default settings were chosen when you enabled application blocking, a notification is displayed for ten seconds.

4.2. Verify That Running Putty from the Desktop Is Blocked

  1. Copy Putty.exe from the file share to the virtual desktop.
  2. Double-click Putty.exe and notice that again it is blocked from running.  

4.3. Verify That Putty Runs from the Permitted Location

  1. Copy Putty.exe to C:\Program Files.
    Note: You may need to elevate permissions to copy the executable to this location.
  2. Double-click Putty.exe and notice the executable runs normally. This is because C:\Program Files is one of the default allowlisted folders for application blocking.

Remain logged in to the Windows endpoint, but minimize the window before continuing to the next step.

5. Create a Hash-Based Rule for Application Blocking

  1. In the Management Console, select the User Environment tab.
  2. Select Application Blocking.
  3. Select Create to create a new Allow rule for application blocking.

Dynamic Environment Manager provides several types of application-blocking rules. After you select the rule type, you can create settings to allow or block applications. In this exercise, you will create a hash-based rule and a path-based rule.

The following section, Allow and Block Additional Applications, summarizes the rule types and the steps for creating application rules.
(Approximate read time: 1 minute)

5.1. Specify the Name and Type for a Hash-Based Rule

  1. In the Application Blocking dialog box that appeared after you completed the previous step, enter a name for this application-blocking rule.
  2. Select Hash-based from the Type drop-down list.
  3. In the Allow section, select Add to browse to an executable.

5.2. Select the Application Executable

Browse to the file share where Putty.exe is stored and select Putty.exe.

Note that a hash of the executable is made.

5.3. Save the Hash-Based Rule

Select Save to commit the new application-blocking rule.

5.4. Refresh Application-Blocking Policies on the Virtual Desktop

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated application-blocking policies.
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -uemrefreshapplicationblocking

5.5. Verify That Putty Can Start from Any Location

  1. Verify that Putty.exe runs from the Desktop.
  2. Verify that Putty.exe runs from the file share.

With the application-blocking Allow rule in place, Putty.exe can now run from any location.

5.6. Verify That Putty Runs After You Rename the Executable

  1. Rename Putty.exe to myapp.exe.
  2. Double-click myapp.exe and notice the executable still runs.

One of the advantages of hash-based application-blocking rules is that they work even if the end user renames the executable.  

6. Create an Approved Software Repository Using a Path-Based Rule for Application Blocking

  1. In the Management Console, select the User Environment tab.
  2. Select Application Blocking.
  3. Select Create to create a new Allow rule for application blocking.

Enterprises often need to prevent end users from running executables located outside of an IT-approved repository. Because the contents of the repository might change over time, a path-based Allow rule is well-suited for this task.

6.1. Specify the Name and Type for a Path-Based Rule

  1. Enter a name for this application-blocking rule.
  2. Select Path-based from the Type drop-down list.
  3. In the Allow section, select Add to browse to a folder.

6.2. Enter the Path to the Software Repository

Enter the path to the folder you want to use as a software repository.

This path should use the file structure you created as specified in Prerequisites for Using Application Blocking. For the example in this exercise, we use \\file\software\installers.

6.3. Save the Path-Based Rule

Select Save to commit the new application-blocking rule.

Notice that an asterisk is automatically appended to the folder path. This wildcard character indicates that all executables in this folder will inherit the Allow rule.

6.4. Refresh Application-Blocking Policies on the Virtual Desktop

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated application-blocking policies.
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -UemRefreshApplicationBlocking

6.5. Verify That You Can Start an Application in the Software Repository

Navigate to \\<fileserver>\software\installers and double-click the Notepad++ executable.

You can copy additional executables to this folder location and verify that application blocking allows them to run from this approved software repository.

7. Disable Application Blocking Before Proceeding to Other Exercises

  1. In the Management Console, select the User Environment tab.
  2. Select Application Blocking.
  3. Select Global Configuration.

Important: Disabling application blocking is strongly recommended at this point to avoid having the feature interfere with other exercises.

8. De-select the Enable Application Blocking Check Box

  1. Clear the Enable Application Blocking check box to disable the feature.
  2. Select OK to commit the change.

The following App Blocking video provides a detailed demonstration of the steps for enabling application blocking. If you need additional detail, you can find it here. This video is 5 minutes.

Configure Privilege Elevation for Installing an Application

With privilege elevation, administrators can now allow end users to run certain applicators as administrators, as well as install their own applications if they meet the specified criteria. IT administrators can create rules that elevate privileges based on a file hash, a software publisher, or a path to a file or folder.

The following Configure Privilege Elevation section provides a brief overview of this feature.
(Approximate read time: 2 minutes)

Prerequisites for Using Privilege Elevation

To perform this exercise, you need the following:

  • Credentials for the virtual or physical machine where you installed and performed the initial configuration of the Dynamic Environment Manager Management Console, as described in the Configure the Dynamic Environment Manager Management Console exercise in the Quick-Start Tutorial for VMware Dynamic Environment Manager.
  • End-user credentials for the virtual or physical endpoint machine where you installed the Dynamic Environment Manager Agent, as described in the exercise Install the Dynamic Environment Manager Agent (FlexEngine) on the Desktop or RDSH Server, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Important: The end-user credentials must have Local User privileges to the endpoint device, rather than Local Administrator privileges. The privilege elevation feature elevates privileges on specific executables, without requiring Local Administrator privileges.

  • One or more executable files with which to test privilege elevation. We recommend downloading  WireShark for testing. Starting this file requires Local Administrator privileges.
  • To complete all exercises, we recommend creating the following file structure on a file-share server.

\\<fileshare>\software\installers

Copy the WireShark file to the installers folder.

Important: The Domain Users group, or whichever group you selected when you created and configured the profile archives share, must have read and execute permissions to this file share. For more information, see the exercise Create and Configure the Profile Archives Share, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

Note: Throughout this exercise, you will frequently change between your Windows end-point device, where the Dynamic Environment Manager agent (FlexEngine) is installed, and the physical or virtual machine where the Management Console is installed. It is recommended that you simply minimize the unused screen to streamline the testing process.

1. Verify Local User Privileges

Log in to your Windows end-point device, where the Dynamic Environment Manager agent is installed.

For the example in this exercise, we used a Windows 10, instant-clone VM, accessed through the VMware Horizon Client.

To properly demonstrate privilege elevation, you will verify that privileges for the end-user credentials are insufficient to run the Wireshark installer.

 

1.1. Attempt to Start Wireshark as an End User on the Virtual Desktop

  1. Browse to the file share you created. For the example in this exercise, the path is \\file\software\installers.
  2. Double-click the Wireshark installer.

1.2. Verify That You Are Prompted for Administrator Credentials

Note that Windows User Account Control prompts you for administrator credentials because the end-user credentials lack the privileges required to run this installer.

Remain logged in to the Windows endpoint device, but minimize the window before continuing to the next step.

2. Select Global Privilege Elevation in the Management Console

  1. On the physical or virtual machine where the Management Console is installed, open the Management Console.
    From the Start screen, select the Management Console shortcut in the VMware DEM folder. Select the User Environment tab.
  2. Select Privilege Elevation.
  3. Select Global Configuration.

2.1. Enable and Configure Privilege Elevation

  1. Select Enable Privilege Elevation.
  2. Select Also elevate all child processes.
    This is an optional, global setting that applies only to the case where you enable end users to install applications. This setting is not required to complete this exercise.
  3. Select Ask user to elevate.
  4. Enter text for Message title and Message text. This notification is displayed to the end user when the privilege elevation feature is invoked.

After you select OK a confirmation box appears.

2.2. Confirm Privilege Elevation

Review the disclaimer and select OK to continue. Privilege elevation is now enabled.

3. Create a Rule for Privilege Elevation

  1. On the User Environment tab, select Privilege Elevation.
  2. Select Create in the toolbar.

Privilege elevation operates as an allowlist. In addition to enabling the feature, you must create privilege elevation rules and specify files or folders to elevate.  

3.1. Specify the Name and Type for the Privilege Election Rule

  1. Enter a Name for this privilege elevation rule.
  2. Select Path-based elevated application from the Type drop-down list.
  3. Select Add to browse to a folder.

 

3.2. Select the Directory Path to Elevate

Browse to or type the path to the file share. For the example in this exercise, all executables in the \\file\software\installers folder will be elevated.

3.3. Save the Privilege Elevation Rule

  1. Select Also elevate child processes.
  2. Select Save to commit the new privilege elevation rule.

4. Refresh Privilege Elevation Rules on the Virtual Desktop

  1. Maximize the virtual desktop window or reconnect to your Windows endpoint device.  
  2. Open a command-prompt window and run the following command to force FlexEngine to check for updated privilege elevation policies.
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -UemRefreshPrivilegeElevation

Privilege elevation policy settings are read when a user logs in to Windows or when a triggered task occurs to refresh the policy settings. You can manually refresh the privilege elevation policy settings by running FlexEngine.exe at the command line with the appropriate argument.

There are a number of arguments that can be passed to FlexEngine.exe, as described in the following section, Additional Flex Engine Operations. (Approximate read time: 2 minutes)

5. Start the Wireshark Installer

  1. Browse to the file share you created. In this case, the path is \\file\software\installers.
  2. Double-click the Wireshark installer.
    A notification is displayed with the text you entered when configuring the privilege elevation feature.
  3. Select Yes to elevate the installer.

6. Verify That the Installer Runs Without Prompting for Administrator Credentials

Notice that the setup wizard starts. This time, the Wireshark installer runs without the Windows User Account Control prompt for alternate credentials.

The following Privilege Elevation video provides a detailed demonstration of the steps outlined in this exercise. If you need additional detail, you can find it here. This video is 2 minutes.

Additional Information and Use Cases for Privilege Elevation

In this exercise, you created a single, path-based privilege elevation rule. Dynamic Environment Manager provides several types of privilege elevation rules, including the ability to elevate executables for applications that have already been installed but that require local administrator privileges to run.

The following User Environment Manager 9.2 - Privilege Elevation Demo video provides demos of several use cases, as well as a brief technical discussion of the way privilege elevation uses Access Tokens in Windows. This video is 8 minutes.

Horizon Smart Policies

Introduction to Horizon Smart Policies

This chapter introduces you to the Horizon Smart Policies feature of VMware Dynamic Environment Manager, which is included with VMware Horizon Enterprise Edition. The exercises demonstrate the process of creating Horizon Smart Policies and applying them based on conditions such as user group, client device type, pool name, and more.

For an overview of VMware Horizon, and information about key features, such as publishing applications, creating instant-clone desktops, and more, see the Quick-Start Tutorial for VMware Horizon 8.

What Are Horizon Smart Policies?

With Smart Policies, administrators have granular control of a user’s desktop experience. A number of key Horizon features can be dynamically enabled, disabled, or controlled based not only on who the user is, but on the many different variables available through Horizon: client device, IP address, pool name, and so on.

You can use Smart Policies to enable or disable features including clipboard redirection, USB access, printing, and client drive redirection. For example, you can create a policy so that a desktop login from outside the corporate network results in disabling of security-sensitive features such as cut-and-paste or USB drive access. Additionally, bandwidth profile settings allow you to customize the user experience based on user context and location.

Smart Policies can be enforced based on role, and evaluated at login and logout, disconnect and reconnect, and at predetermined refresh intervals. With all these capabilities and fine-grained control, you can use one desktop pool to address many different use cases.

Note: In most cases, Smart Policy settings that you configure for remote desktop features in Dynamic Environment Manager override any equivalent registry key and group policy settings.

Features Controlled by Smart Policies

You can use Smart Policies to enable, restrict, or disable Horizon features that include clipboard redirection, USB access, printing, and client drive redirection, and you can select a profile that manages bandwidth usage.

  • USB redirection – Controls whether a user is allowed to use locally attached USB devices, such as thumb flash drives, cameras, and printers, from the remote desktop.
  • Printing – Controls if a user is allowed to print documents from the remote desktop to a network printer or a USB printer that is attached to the client computer.
  • Clipboard – Controls whether users are allowed to copy and paste text and graphics only from the client system to the remote desktop, only from the remote desktop or application to the client system, or both, or neither.
  • Client drive redirection – Controls whether drives and folders on the client system are shared with the remote desktop and, if so, whether they are readable only or readable and writeable.
  • HTML Access file transfer  – Controls whether you can upload files from the client system to the remote desktop, download files from the remote desktop to the client system, or both, or neither, when you are using the web client to access the remote desktop. Note that this feature requires Connection Server and Horizon Agent 7.0.1 or later.
  • Bandwidth profile – Prevents the agent (remote desktop) from attempting to transmit data at a higher rate than the link capacity.

The actual bit rate for the profiles varies, depending on whether you use the PCoIP or the Blast Extreme display protocol. For this reason, the list of profiles in the menu does not display the bit rate next to the profile name.

Figure 1: Bandwidth Profile List

For details about the profiles, see the profile reference topic in the Using Smart Policies section of Configuring Remote Desktop Features in Horizon.

How Smart Policies Are Applied

To create a Smart Policy, you select settings for the Horizon features that you want to control and specify the conditions, if any, under which the policy will go into effect. If you do not specify any conditions, the policy is applied to all users in the user OU configured for Dynamic Environment Manager.

Settings are always applied when the user logs in. You can optionally configure triggers to also re-evaluate the settings at other times, such as when users reconnect to the desktop or application.

When Users Do Not Match the Conditions That Are Set

If you specify conditions, the policy is applied to users who match the conditions. For users who do not match the conditions, no functionality changes are made to the features. For example, by default, you can copy and paste text from your client system to a remote desktop or application. If you create a policy that says clipboard redirection is disabled for a certain group of users, then users outside of this group will still be able to copy and paste text from the client to the remote desktop or application, unless the administrator has used some other method to configure the feature.

When a Setting Within a Policy Is Not Specified

If you create a Smart Policy but do not select the check box for a feature, then no functionality changes are made to that feature. For example, by default, you can copy and paste text from your client system to a remote desktop or application. If you create a Smart Policy and do not select the Clipboard check box, the user will continue to be able to copy and paste from the client system to the remote desktop or application.

You might notice that the default Smart Policy setting for the Clipboard check box is Allow All, but unless you select the check box, the Allow All setting is not used. That is, the default settings shown for the check boxes do not reflect the default settings used by the features when no policies are applied.

When Users Match Conditions for Multiple Policies

Dynamic Environment Manager processes multiple policies in alphabetical order based on the policy name. Horizon Smart Policies appear in alphabetical order in the Horizon Smart Policies pane. If policies conflict, the last policy processed takes precedence.

In some environments, you might want to strictly control functionality even when no policies are being matched on their conditions and therefore any functionality would normally be left as is. For these environments, create a default policy that sets all features, except the bandwidth profile, to Disabled. Use no conditions so that the policy is always matched, and give the policy a name that begins with “A,” such as A Default Policy. Because policies are evaluated in alphabetical order, this policy will be first in the list and because it has no conditions it will always be matched.

Then create your other policies with conditions to enable or set specific features when those conditions are matched (for example, client location or specific groups of users), as outlined in the exercises that follow. These other policies will be processed after the default policy, and the resultant feature settings will be applied only after all policies have been evaluated.

If no policies match, then the default policy will disable all controlled functionality. If another policy matches, then the settings in that policy will override the default policy you created.

Create a Basic Smart Policy for Internal Users

Now that you have installed and configured Dynamic Environment Manager, you can use policy settings that are readily available in the Dynamic Environment Manager Management Console. You will enable USB access and clipboard redirection and assign a bandwidth profile. The conditions that must be met for this policy to be applied are that the user must connect from inside the corporate network and must connect to a desktop from the Human Resources (HR) pool.

Prerequisites

If you want to apply these settings to an actual desktop or application pool in your environment, you must create the desktop or application pool and entitle it to a group of users included in the user OU configured for Dynamic Environment Manager. Having an existing pool is not required, however, if you just want to see how the management console works and try creating a policy.

1. Click the Create Button for Horizon Smart Policies

  1. In the Dynamic Environment Manager Management Console, click the User Environment tab.
  2. Select Horizon Smart Policies in the left pane.
  3. Click Create in the toolbar.

2. Complete the Settings Tab for Internal Users

On the Settings tab, enter the following settings:

  • Enter a name for the policy.

    The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.

  • Select the check boxes next to USB redirection, Clipboard, and Bandwidth profile.
  • For Bandwidth profile, select LAN.

3. Add a Condition for a Horizon Client Property

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

4. Set the Client Location to Internal

  1. For Property, select Client location.
  2. Set the location to Internal.
  3. Click OK.

This setting is compared with the gatewayLocationproperty set for the server.

  • By default, if you connect directly to a Connection Server, the gateway location is Internal.
  • If you connect to a VMware Unified Access Gateway appliance or Security Server, the gateway location is External by default.

If you want to override the default location reported from a server, you can change these defaults by setting the gatewayLocationproperty in the locked.properties file for the server. For instructions, see the Configure the Gateway Location for a View Connection Server or Security Server Host.

5. Add Another Horizon Client Condition

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

6. Set a Specific Pool Name

  1. For Property, select Pool name.
  2. Set Starts with to HR (or the first few letters of the name of an actual desktop pool you want to use).
  3. Click OK.

By default, this new condition is added with an AND operator, meaning that the condition is applied if the user is connecting from inside the corporate network and if the user is trying to access a desktop pool that begins with the letters you specified.

7. View the Operators Available for Combining Conditions

On the Conditions tab, click Edit to see which other operators are available to combine conditions.

The Smart Policy settings and conditions are now defined. These settings are always evaluated and applied whenever the user logs in. Next, you will specify an event that triggers the reevaluation of the Smart Policy whenever the user reconnects, rather than logs in. This is called a triggered task.

8. Create a Triggered Task

  1. Select Triggered Tasks in the left pane.
  2. Click Create in the toolbar.

9. Complete the Settings for the Triggered Task

  1. On the Settings tab, enter a name for the task.

    The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.

  2. For Trigger, select Session reconnected. The Smart Policies will be reevaluated and applied every time the user connects to the remote desktop.
  3. For Action, select User Environment refresh.

10. Specify That Smart Policies Are to Be Refreshed

In the list of check boxes that appear after you select User Environment refresh, select the Horizon Smart Policies check box and click Save.

Refreshing the user environment in this case means reevaluating the user’s connection characteristics, such as internal or external, and reapplying the Smart Policy appropriately. For example, if the user first connects at the office but then later connects from a café or other external network, the Smart Policy is reapplied to disable USB redirection and copying and pasting between the client and remote desktop.

In a production environment, you can select additional check boxes, depending on the other User Environment settings you configure.

Note: Although the Privilege Elevation Settings and Triggered Task Settings check boxes are not part of Smart Policies, they can be used in conjunction with Smart Policies, such as when managing Just-in-Time Desktops and Apps as part of a JMP approach.

  • The Privilege Elevation Settings option refreshes settings for the privilege-elevation feature. With this feature, administrators specify applications that end users are allowed to install or run without having elevated privileges. Standard user accounts can run these applications as if they were a member of the local administrators group.
  • The Triggered Task Settings option allows triggered task settings to be refreshed when users disconnect, reconnect, or lock or unlock their workstation. Previously, these settings were refreshed only after users logged out of the virtual desktop or application.

The Smart Policy you created will now be applied whenever a user connects to a remote desktop with Horizon Client.

Create a Smart Policy Based on User Group

In this exercise, you explore some of the more advanced condition settings. Horizon Client properties give you many variables for evaluating conditions and applying Smart Policies. Some of these properties are provided in drop-down menus in the Dynamic Environment Manager Management Console, but many more are available when you enter the property name, which is derived from Windows Registry keys.

To view these properties, use Horizon Client to log in to a remote desktop, open the Windows Registry Editor (regedit.exe) on the remote desktop, and go to HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\SessionData\n, where n is the number of the session, as shown in the following figure. When creating Smart Polices, you enter the properties names without the ViewClient_prefix. The SessionData registry setting is created when you log in using Horizon Client or the HTML Access web client. If you log in with HTML Access, fewer properties are listed.

Figure 2: Horizon Client Properties from the Windows Registry on the Remote Desktop

In this exercise, you create a Smart Policy that enables all features for a select Active Directory group of users who log in to a server with a specific launch tag and whose remote desktop belongs to a specific domain.

1. Click the Create Button for Horizon Smart Policies

  1. In the Dynamic Environment Manager Management Console, click the User Environment tab.
  2. Select Horizon Smart Policies in the left pane.
  3. Click Create in the toolbar.

2. Complete the Settings Tab for the Group of External Users

On the Settings tab, enter the following settings:

  • Enter a name for the policy.

    The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.

  • Select all the check boxes.
  • For Bandwidth profile, select LAN.

3. Add a Condition for a Horizon Client Property

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

4. Set the Launch Tag

  1. For Property, select Launch tag(s).
  2. In the second list, select Is equal to.
  3. In the text box, enter the tag name HR-Dept.

    The tag name HR-Dept is a hypothetical name. To create a condition that will actually work in your environment, you must enter a tag name that you have actually assigned to a Connection Server and a desktop pool. For more information about assigning tags, see the topic Implementing Connection Server Restrictions for Global Entitlements.

  4. Click OK.

5. Add Another Horizon Client Condition

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

6. Set a Specific Machine Domain

  1. For Property, enter Machine_Domain.

    This property is derived from the Windows Registry key called ViewClient_Machine_Domain, which is pictured in Figure 2. You do not enter the ViewClient_ portion of the name.

  2. In the second list, select Is equal to.
  3. In the text box on the right, enter MyDomain (or the name of an actual domain in your enterprise).
  4. Click OK.

7. Add a Condition for Group Membership

  1. On the Conditions tab, click Add.
  2. Select Group Membership.

8. Complete the Group Membership Box

  1. Select User.
  2. Click Browse.

9. Select a User Group

  1. Enter a user group name.
  2. Click Check Names and select a name.
  3. Click OK.

10. Click OK in the Group Membership Box

Accept the defaults and click OK.

11. Save the New Smart Policy

Click Save. The default operator AND is used to combine the conditions, which is correct for this exercise.

This Smart Policy is set to enable all features and use the LAN bandwidth profile for all users from the Domain Admins user group who connect to a server and desktop assigned the HR-Dept tag and whose remote desktop VM belongs to the specified domain.

For more information about conditions and client properties, see the product documentation topic Adding Conditions to Horizon Policy Definitions.

You do not need to create a triggered task because you created a triggered task during the first exercise.

Verify That a Smart Policy Is Being Applied

In this exercise, you look at the Dynamic Environment Manager log to see that a Smart Policy is being evaluated and applied to a particular user.

Prerequisites

The first four steps of this procedure guide you through setting the logging level using the Group Policy Management Console. Before you can perform these steps, you must have created a FlexEngine GPO, as described the exercise Initial Configuration Using an Active Directory Group Policy Object, in the Quick-Start Tutorial for VMware Dynamic Environment Manager.

If instead you configured Dynamic Environment Manager using NoAD mode, you have already set the logging level to Debug, as described in  Exercise: Create the NoAD Configuration File, in the Quick-Start Tutorial for VMware Dynamic Environment Manager. In this case, you can skip to Step 5 of this exercise.

1. Log In to Active Directory and Lauch the Group Policy Management Console

  1. Type group policy management into the search box on the taskbar.
  2. Select Group Policy Management in the results.

2. Edit the Group Policy Object

  1. Expand your domain.
  2. Expand Group Policy Objects.
  3. Select the GPO that you created for the Dynamic Environment Manager group policy settings.
  4. From the Action menu, select Edit.

3. Open the FlexEngine Logging Policy

  1. Navigate to User Configuration > Policies > Administrative Templates > VMware DEM > FlexEngine.
  2. In the right pane, double-click FlexEngine logging.

4. Set the Logging Level to Debug

  1. Verify that logging is set to Enabled.
  2. Select Debug as the log level.
  3. Click OK.

VMware recommends that you set the log level to Debug only temporarily because the amount of logging can affect performance.

Note: This dialog box also shows the location of the log file. You specified the log file location when you installed and set up Dynamic Environment Manager.

5. Log In to the Virtual Desktop

Log in as a user to a virtual desktop that matches the Smart Policy.

Logging in will create a Dynamic Environment Manager log file for the user.

6. Search the User’s FlexEngine Log File for "Applied Horizon Smart Policies Settings"

On the file share machine, open the user’s FlexEngine log file, and search from the bottom up for Applied Horizon Smart Policies settings. For the example in this exercise, the path to this folder is \\<file-share>\DEM_Profiles\<username>\Archives\Logs.

In this example, the user does not meet the conditions for the policy called Internal, so those settings are skipped. Because the Broker_GatewayLocation property is set to External, the Smart Policy called External is applied for all the feature settings.

Note: In this example, the user logged in from an external location. You might be performing this exercise from your corporate office, using a desktop or some other test machine, which would be an internal device.

Summary and Next Steps

Introduction

This tutorial provided step-by-step instructions for using the major features of Dynamic Environment Manager once it is installed and initially configured. 

After you have tried out these features , you can explore the product further or plan your production environment by examining Additional Resources.

Additional Resources

Changelog

The following updates were made to this guide.

Date Description of Changes
2021-06-11
  • Removed all the sections you see in this guide from the Quick-Start Tutorial and made them into a day-2 operational tutorial.
  • Updated the product name from User Environment Manager to Dynamic Environment Manager. (Note: The screenshots were not updated.)
  • Updated links to product documentation topics.
2018-03-22

Initial publication, as part of the Quick-Start Tutorial for User Environment Manager.

About the Authors

Josh Spencer, formerly an EUC Staff Architect, is now a Senior Product Line Manager, End User Computing, VMware.

Caroline Arakelian is a Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

Horizon Dynamic Environment Manager Document Operational Tutorial Intermediate Manage Modern Management Windows Delivery