Provisioning Users and Accessing Virtual Desktops

VMware Horizon 7 version 7.5 and later


Introduction to User Provisioning

The first part of this chapter walks you through the process of entitling end users to a desktop or application pool. The second part of this chapter shows you how to connect to a virtual desktop or published application as an end user would, from a variety of client devices.

User Entitlement

You can entitle users to an application pool or desktop pool when you create the pool. At the end of the Add Application Pool wizard or Add Desktop Pool wizard, you can select the Entitle users after this wizard finishes check box.

You can also create user entitlements after the pool is created. If you are entitling users to application pools, you can select multiple application pools, and entitle users to all the selected pools. For desktop pools, you must select one pool at a time.

It is also possible to set up the system so that end users can access RDSH application pools without having to authenticate at all.

Note: For this evaluation, you create local entitlements, which entitle users to desktops within one Horizon 7 pod. A pod is a group of interconnected Connection Servers running in the same LAN segment that broker desktops or published applications. For information about using the Cloud Pod Architecture feature to create global entitlements, which entitle users to multiple desktops across multiple pods in a pod federation, see the guide Administering Cloud Pod Architecture in Horizon 7.

Important: Alternatively, for instant-clone desktop pools, you can entitle users by using the JMP Integrated Workflow to define a JMP assignment. JMP assignments include information about the App Volumes AppStacks, instant-clone desktop pools, and User Environment Manager settings for specific groups of users. For instructions, see the Quick-Start Tutorial for VMware Horizon JMP Integrated Workflow.

Launching Remote Desktops and Applications from Client Devices

After you have finished deploying virtual desktops or published applications and entitling users, you are ready to explore end-user connection options. End users can connect to desktops and applications using different Horizon Clients, including desktop and mobile clients. VMware provides native Horizon Clients for iOS, Android, Chrome, macOS, Windows, Linux, and Windows 10 UWP.

Alternatively, you can use the HTML Access web client by entering the URL of your Connection Server, using the following format:

https://<FQDN or IP address>

On the VMware Horizon web portal page that appears, you can click either the icon that takes you to the Horizon Clients download page or the icon for logging in using the HTML Access web client.

Entitle End Users to Application Pools or Desktop Pools

Entitling users means specifying which users and groups are allowed to access the desktop or application. You can entitle users to an application pool or desktop pool when you create the pool. At the end of the Add Application Pool wizard or Add Desktop Pool wizard, you can select the Entitle users after this wizard finishes check box.

You can also create user entitlements after the pool is created, which is what we do in this exercise.

For this exercise, you will use the newest Horizon 7 management interface, the Horizon Console.

Prerequisites for Entitling Users

Before you can entitle users, you must create a desktop or application pool. Exercises for performing these tasks are included in the chapters Creating Single-User Desktop Pools and Creating RDSH-Published Desktops and Applications.

1. Start the Add Entitlements Wizard in the Horizon Console

  1. Log in to the Horizon Console, and select Inventory > Desktops or, for application pools, select Inventory > Applications.
    The format of the URL for accessing the console is: https://<connection-server-FQDN>/newadmin
  2. Select the check box next to the name of the pool you want to entitle users to.
    Important: If you are entitling users to application pools, you can select multiple pools, and entitle users to all the selected pools. For desktop pools, you must select one pool at a time.
  3. Select Entitlements > Add Entitlements.

2. Click Add to Add New Users

Click Add.

3. Search for Users and Groups

  1. Use the Name/User name drop-down list and text box to search for users. For this example, we selected Starts with and entered a D so that all user and group names that begin with D will be returned.
    You can narrow your query using the drop-down menus to add search terms and modifiers. If you leave the text boxes empty, all users and groups are returned.
  2. Click Find.
  3. Scroll through the list and select the check boxes next to the names of the users and groups to entitle.
  4. Click OK.

4. Click OK to Add Entitlements

Click OK.

Note: The Add button in this dialog box is for adding additional users to the list. The check boxes are for selecting a user or users you want to remove.

You are returned to the Application Pools list or the Desktop Pools list.

5. Verify That Entitlements Have Been Added

Click the name of the desktop or application pool in the list of pools, and select the Entitlements tab.

Note: You can also use the buttons on the Entitlements tab to add and remove user entitlements for a specific pool.

Configure Unauthenticated Access to Published Applications

In this exercise, you set up the system so that end users can access RDSH-published application pools without having to authenticate first. Use this feature to provide unauthenticated access if your users require access to a seamless application that has its own security and user management, or for kiosk use cases.

For this exercise, you will use the newest Horizon 7 management interface, the Horizon Console, to add and entitle an unauthenticated user. You will use the Horizon Administrator UI to configure unauthenticated access for a specific Connection Server.

Prerequisites for Configuring Unauthenticated Access

To perform this exercise, you need to have created a user account, not a user group, in Active Directory that will be used for unauthenticated access. For this example, we created a user account named Unauthenticated User.

Be sure to create a user account that will not be used for any other purpose. If you select a user with desktop entitlements and make the user an unauthenticated access user, the user will not have access to the entitled desktops.

1. Start the Unauthenticated Access User Wizard

  1. Log in to the Horizon Console, and select Users and Groups.
    The format of the URL for accessing the console is: https://<connection-server-FQDN>/newadmin
  2. Select the Unauthenticated Access tab.
  3. Click Add.

2. Select the User Account to Designate for Unauthenticated Access

  1. Use the Name/User name drop-down list and text box to search for users. For this example, we selected Starts with and entered Un so that all user and group names that begin with Un will be returned.
    You can narrow your query using the drop-down menus to add search terms and modifiers. If you leave the text boxes empty, all users and groups are returned.
  2. Click Find.
  3. Scroll through the list and select the user account.
  4. Click Next.

3. Enter a User Alias

  1. Enter an alias for the account. For this example, because the user name was Unauthenticated User, which has a space between the words, we added a hyphen to create the alias. Spaces are not allowed.
  2. Click Submit.

The user account is added to the list of users who have unauthenticated access.

4. Edit the Connection Server Configuration

  1. Log in to the Horizon Administrator, and select View Configuration > Servers.
    The format of the URL for accessing the console is: https://<connection-server-FQDN>/admin
  2. Select the Connection Servers tab.
  3. Click Edit.

5. Configure the Authentication Settings for Unauthenticated Access

  1. Scroll down to the View Authentication section, and set Unauthenticated Access to Enabled.
  2. In the Default unauthenticated access user drop-down list, select the user account you added; for this example, Unauthenticated-User.
  3. Click OK.

6. Start the Add Entitlement Wizard in Horizon Console

  1. Log in to the Horizon Console, and select Inventory > Applications.
    The format of the URL for accessing the console is: https://<connection-server-FQDN>/newadmin
  2. Select the check box next to the name of the pool you want to entitle users to.
    You can select multiple pools.
  3. Select Entitlements > Add Entitlements.

7. Click Add to Add the New User

Click Add.

8. Select the User Account for Entitling Unauthenticated Access to This Pool

  1. Select the Unauthenticated users check box.
  2. Use the Name/User name drop-down list and text box to search for the user. For this example, we selected Starts with and entered Un so that all user and group names that contain Un will be returned.
    You can narrow your query using the drop-down menus to add search terms and modifiers. If you leave the text boxes empty, all users and groups are returned.
  3. Click Find.
  4. Scroll through the list and select the check box next to the name of the user to entitle.
  5. Click OK.

9. Click OK to Add the Entitlement

Click OK.

10. Verify That Entitlement Has Been Added

Click the name of the application pool in the list of pools, and select the Entitlements tab.

Important: At the time of this writing, the latest client software release is Horizon Client 4.8, and this feature is available only for the HTML Access web client, and for Linux, Windows, Android, and Chrome OS client devices. Part of the exercise Use Horizon Client from a PC or Laptop gives step-by-step instructions for using this feature to access published applications anonymously.

For a complete list of rules and guidelines for configuring unauthenticated users, see the product documentation topic Providing Unauthenticated Access for Published Applications.
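
The rules this exercise states for unauthenticated access (a dedicated user account rather than a group, an alias without spaces, no desktop entitlements, application pools only) can be checked mechanically. The following Python audit is an added example, not VMware code; the record layout, the finding codes, and the sample names other than Unauthenticated User and Calculator are constructed for illustration and do not correspond to any Horizon export format.

```python
# Added example: audit an unauthenticated-access setup against this exercise's rules.
# The dictionary layout is hypothetical (constructed here), not a Horizon export format.

SAMPLE = {  # constructed sample inventory for one Connection Server
    "server": {"unauth_enabled": True, "default_unauth_alias": "Unauthenticated-User"},
    "unauth_users": {  # AD account name -> settings from the Unauthenticated Access tab
        "Unauthenticated User": {"alias": "Unauthenticated-User", "is_group": False},
        "Kiosk User": {"alias": "Kiosk User", "is_group": False},
    },
    "entitlements": [
        {"principal": "Unauthenticated User", "pool": "Calculator",
         "pool_type": "application", "unauthenticated": True},
        {"principal": "Kiosk User", "pool": "Win10-Desktops",
         "pool_type": "desktop", "unauthenticated": False},
        {"principal": "Kiosk User", "pool": "Notepad",
         "pool_type": "application", "unauthenticated": False},
        {"principal": "Domain Users", "pool": "Win10-Desktops",
         "pool_type": "desktop", "unauthenticated": False},
    ],
}


def audit(cfg):
    """Return (code, subject) findings for deviations from the exercise's rules."""
    findings = []
    users = cfg["unauth_users"]
    for account, info in users.items():
        if info["is_group"]:  # must be a user account, not a user group
            findings.append(("GROUP_NOT_ALLOWED", account))
        if any(ch.isspace() for ch in info["alias"]):  # spaces are not allowed
            findings.append(("ALIAS_HAS_SPACE", info["alias"]))
    for ent in cfg["entitlements"]:
        if ent["principal"] not in users:
            continue
        subject = f'{ent["principal"]}:{ent["pool"]}'
        if ent["pool_type"] == "desktop":
            # an unauthenticated access user cannot reach entitled desktops
            findings.append(("DESKTOP_ENTITLEMENT", subject))
        elif not ent["unauthenticated"]:
            # the account is also used for ordinary, authenticated access
            findings.append(("ACCOUNT_REUSED", subject))
    server = cfg["server"]
    aliases = {info["alias"] for info in users.values()}
    if server["unauth_enabled"] and server["default_unauth_alias"] not in aliases:
        findings.append(("DEFAULT_USER_UNKNOWN", str(server["default_unauth_alias"])))
    return findings


def anonymous_pools(cfg):
    """Application pools that open without a login prompt on this server."""
    if not cfg["server"]["unauth_enabled"]:
        return []
    users = cfg["unauth_users"]
    return sorted({ent["pool"] for ent in cfg["entitlements"]
                   if ent["unauthenticated"] and ent["pool_type"] == "application"
                   and ent["principal"] in users})


if __name__ == "__main__":
    for code, subject in audit(SAMPLE):
        print(f"{code}: {subject}")
    print("Reachable without login:", anonymous_pools(SAMPLE))
```

Reviewing the output of `anonymous_pools` alongside the findings gives a short list of exactly which published applications a client can open with no credentials on that Connection Server.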

Use Horizon Client from a PC or Laptop

After you have finished deploying virtual desktops or published applications and entitling users, you are ready to explore end-user connection options. This exercise guides you through using VMware Horizon Client™ on PC or laptop endpoints, which include Windows, macOS, and Linux.

Prerequisites for Connecting to a Desktop or Application with Horizon Client

To perform this exercise, you need the following:

  • Endpoint PC – You can use a Mac, Linux, or Windows PC. For this exercise, do not use a device with a Windows 10 UWP operating system because the unauthenticated user access feature is not yet available for that OS.
  • Installer – Go to the Download VMware Horizon Clients page, and download and install the free Horizon Client software.
  • User account – To install the Horizon Client software, you must log in to the endpoint device as a user with administrative privileges.
  • Connection Server address – Verify that you have the fully qualified domain name of the Connection Server that brokers connections to the desktop and application pools you created in earlier exercises.
  • Desktop or application pools – Exercises for creating pools are included in the chapters Creating Single-User Desktop Pools and Creating RDSH-Published Desktops and Applications.
  • Configuration of unauthenticated access – To connect anonymously to a published application, you must have performed the exercise Configure Unauthenticated Access to Published Applications.

1. Start Horizon Client

Start VMware Horizon Client the same way you would start any application. For example, on a Windows PC, double-click the desktop icon.

2. Connect to the Connection Server

  1. Click New Server.
  2. When prompted, enter the FQDN of the Connection Server.
  3. Click Connect.

3. Click Continue If You Receive a Security Warning

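Click Continue to bypass the certificate warning. The warning appears when the Connection Server presents a certificate that the client cannot validate, such as the default self-signed certificate. If you install a CA-signed security certificate on the machine that hosts the Connection Server, this warning does not appear.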

4. Supply User Credentials

Enter credentials of a user who is entitled to desktops and published applications, and click Login.

5. Launch a Desktop or Application

To launch an application or desktop, double-click the icon for the application or desktop.

6. Allow Sharing of Removable Storage and Local Files

Click Allow to allow access to files on your client device, as well as locally connected storage devices such as USB thumb drives, while using virtual desktops and published applications.

7. Verify a Successful Connection

Verify that you have successfully logged in to your desktop or application. For this example, we have successfully logged in to an instant-clone VM from the Windows 10 Desktop pool.

8. Disconnect from the Session and Exit

  1. Close the window as you normally would, and, for desktops, confirm that you want to disconnect.
  2. Quit Horizon Client.
  3. Restart Horizon Client.

9. Select to Log In to Published Applications Anonymously

  1. In Horizon Client, click the Settings toolbar button.
  2. Click to place a check mark in front of Log in anonymously using Unauthenticated Access.

Important: At the time of this writing, the latest release is Horizon Client 4.8, and this feature is available only for the HTML Access web client and for Linux, Windows, Android, and Chrome OS client devices.

10. Connect to the Server

Double-click the server icon.

Instead of being prompted to enter user credentials, you will see the application selector screen, displaying all the published applications that are configured for unauthenticated user access. If no applications appear in the selector, you need to complete the exercise Configure Unauthenticated Access to Published Applications.

11. Launch the Application

Double-click the icon for the application.

12. Verify Unauthenticated Access

Note that the application window looks just like it would if it were a locally installed application.

The application icon for the published application appears in the taskbar just as it would for a locally installed application.

The screenshots in this exercise showed the Windows-based client and seamless integration into the Windows user experience. If you install Horizon Client on other operating systems, such as macOS or Linux, the experience of using Horizon Client is likewise integrated into those operating systems and their OS-specific features.

Tip: If you have problems logging in anonymously, see the complete list of rules and guidelines for configuring unauthenticated users, available in the product documentation topic Providing Unauthenticated Access for Published Applications.

Use the HTML Access Web Client

You can connect to virtual desktops and published applications from an HTML5-enabled web browser. The supported web browsers are:

  • Chrome
  • Internet Explorer
  • Microsoft Edge
  • Firefox
  • Safari

The versions of browsers supported depend on the client operating system. For details about supported client operating systems and browser versions, see the VMware Horizon HTML Access User Guide.

Important: The desktop or application you are connecting to through HTML Access must be in a pool with the HTML Access feature enabled. The exercises in this quick-start guide directed you to enable HTML Access when creating pools.

Prerequisites for Connecting to a Desktop or Application with HTML Access

To perform this exercise, you need the following:

1. Use a Browser to Launch HTML Access

  1. Open a supported web browser and enter the address of your Connection Server. The URL format is https://<connection-server-FQDN>
    Note: If you do not have a CA-signed security certificate, you might be prompted to add a security exception to your browser.
  2. Click VMware Horizon HTML Access.

2. Log In to the Server

Enter credentials of a user who is entitled to the desktop or application pool, and click Login.

After the credentials are validated, you can see the available desktops and applications.

3. Mark an Item as a Favorite

  1. Click a star in one of the desktop icons to mark the desktop as a favorite.
    This feature is convenient if you have many desktops and applications and do not want to have to scroll to find the applications and desktops you use most frequently.
  2. Click the Star toolbar button to display only favorites.
  3. Click the desktop icon, rather than the star, to launch the desktop in your browser.

Note: You can also use the Search field to quickly locate an application or desktop if you know its display name.

4. Click an Icon to Launch a Desktop and Then Open the Sidebar

Click the tab on the left side of the screen to open the navigation sidebar.

Note: The green desktop shortcut is for the VMware Horizon Performance Tracker. You selected to install this component when you installed Horizon Agent in the master VM.

5. Open a Published Application Using the Sidebar

  1. Hover your cursor over each toolbar button to display its tooltip.
    You can use the toolbar at the top of the sidebar to:
    • Send Ctrl+Alt+Del to the application work area
    • Transfer files, if the feature is enabled
    • Open the Copy & Paste panel
    • Open the Settings menu
  2. Click an application in the sidebar to launch it.

Note: In the sidebar, you can click the star icon to the right of an application or desktop name to designate the item as a favorite, and click the star above the list to display only favorites.

6. Examine the Settings Available Through the Sidebar

Click the Menu toolbar button, and select Settings.

7. Turn On Hardware Decoding

  1. Click the toggle button to set Allow H.264 decoding to On.
  2. Click Close.

When you use a Chrome browser and the VMware Blast Extreme display protocol, this setting causes the graphics processor on the client device to do the work involved in playing back video and images. Hardware decoding offloads the work to the GPU, which reduces CPU consumption, so the device consumes less power and the battery lasts longer. To make the setting take effect, you must disconnect and reconnect to the desktop or application.

For information about the Shadow Session Display Fit to viewer setting, see the product documentation topic Using the Session Collaboration Feature.

8. Disconnect from the Desktop

In the list of running desktops and applications, click the Menu toolbar button next to the desktop and select Close, or close the browser tab or window.

This exercise described using the HTML Access web client, which does not require installing any software on the client device. For information about HTML Access features such as copying and pasting or transferring files between your local client system and the virtual desktop or published application, see the HTML Access documentation.

This exercise described logging in as an entitled user. For information about logging in using unauthenticated user access, see the product documentation topic Use Unauthenticated Access to Connect to Published Applications.

Use Horizon Client from a Mobile Device

This exercise guides you through using the iOS Horizon Client on an iPad, though Horizon Clients are also available for Android, Windows 10 UWP, and Chromebook mobile devices.

Prerequisites for Connecting to a Desktop or Application with Horizon Client

To perform this exercise, you need the following:

1. Start Horizon Client

Launch Horizon Client, enter the FQDN of the Connection Server in the Server Address text box, and tap Add Server.

Tip: If you are using the default self-signed SSL certificate, an Untrusted View Connection warning appears. You can modify the Horizon Client security settings by tapping the Settings link in the upper-right corner.

2. Click Continue to Accept the Self-Signed Certificate

If prompted about an untrusted Horizon connection, click Continue.

3. Log In to the Connection Server

Enter the credentials of a user who is entitled to the desktop or application pool.

4. Launch a Desktop

On the desktop and application selector page, tap a desktop icon to connect to a virtual desktop.

Tip: You can tap and hold an icon to display a context menu and mark the item as a favorite. Tap Favorites at the bottom of the screen to display only items marked as favorites.

The Unity Touch sidebar appears on the left side of the screen. If you are connected to a desktop, the sidebar provides the functionality of a typical Windows Start menu without having to maneuver your touch screen to use the Start menu. If the sidebar is closed, you can slide the tab to the right to open the sidebar.

5. Tap All Programs and Select an Application

Tap All Programs in the sidebar and tap an application such as a word-processing or spreadsheet application, which allows you to enter text.

Tip: For convenience, to keep favorite applications or files listed in the sidebar, tap Manage under FAVORITE APPLICATIONS or FAVORITE FILES and select your favorites.

6. Enter Text in the Application

Tap in the application to enter text.

The on-screen keyboard appears unless you already have a keyboard attached to the device.

Above the traditional keyboard overlay is a row of Windows-specific keys such as arrow keys, Ctrl, Win, and so on.

7. Tap the Horizon Client Tools Icon

Tap the Horizon Client Tools icon, and note the various icons for the various client settings.

The Horizon Client Tools enable you to perform such tasks as disconnecting from the session or bringing up the keyboard.

8. Tap the Disconnect Icon

To end the desktop session, tap the Disconnect icon.

After you confirm that you want to disconnect, you are disconnected from your desktop session and returned to the list of available desktops and applications.

9. Launch a Published Application

On the desktop and application selector screen, tap a published application, such as Calculator.

The Calculator application appears, along with the sidebar. To exit out of the Calculator application, you can tap the Close button (X) just as you would for a Windows application installed on a Windows PC or laptop.

The Unity Touch sidebar displays a list of the other application pools and desktop pools the user is entitled to. You can use the sidebar to quickly switch to another desktop or published application provided by the server you are logged in to.

10. Launch a Desktop Using the Sidebar

Tap an arrow next to a desktop listed in the sidebar, and tap Connect. You are logged in to the desktop.

This exercise showed only a few of the features available on mobile clients. For more information about all the features for the various Horizon Clients, see the VMware Horizon Client documentation.