Horizon Smart Policies

Introduction to Horizon Smart Policies

This chapter introduces you to the Horizon Smart Policies feature of VMware User Environment Manager, which is included with VMware Horizon 7 Enterprise Edition. The exercises demonstrate the process of creating Horizon Smart Policies and applying them based on conditions such as user group, client device type, pool name, and more.

For an overview of Horizon 7, and information about key features, such as publishing applications, creating instant-clone desktops, and more, see the Reviewer's Guide for View in Horizon 7: Overview.

What Are Horizon Smart Policies?

With Smart Policies, administrators have granular control of a user’s desktop experience. A number of key Horizon 7 features can be dynamically enabled, disabled, or controlled based not only on who the user is, but on the many different variables available through Horizon 7: client device, IP address, pool name, and so on.

You can use Smart Policies to enable or disable features including clipboard redirection, USB access, printing, and client drive redirection. For example, you can create a policy so that a desktop login from outside the corporate network results in disabling of security-sensitive features such as cut-and-paste or USB drive access. Additionally, bandwidth profile settings allow you to customize the user experience based on user context and location.

Smart Policies can be enforced based on role, and evaluated at login and logout, disconnect and reconnect, and at predetermined refresh intervals. With all these capabilities and fine-grained control, you can use one desktop pool to address many different use cases.

Note: In most cases, Smart Policy settings that you configure for remote desktop features in User Environment Manager override any equivalent registry key and group policy settings.

Features Controlled by Smart Policies

You can use Smart Policies to enable, restrict, or disable Horizon 7 features that include clipboard redirection, USB access, printing, and client drive redirection, and you can select a profile that manages bandwidth usage.

  • USB redirection – Controls whether a user is allowed to use locally attached USB devices, such as thumb flash drives, cameras, and printers, from the remote desktop.
  • Printing – Controls whether a user is allowed to print documents from the remote desktop to a network printer or to a USB printer that is attached to the client computer.
  • Clipboard – Controls whether users are allowed to copy and paste text and graphics only from the client system to the remote desktop, only from the remote desktop or application to the client system, or both, or neither.
  • Client drive redirection – Controls whether drives and folders on the client system are shared with the remote desktop and, if so, whether they are readable only or readable and writeable.
  • HTML Access file transfer (available with User Environment Manager 9.1 and later) – Controls whether you can upload files from the client system to the remote desktop, download files from the remote desktop to the client system, or both, or neither, when you are using the web client to access the remote desktop. Note that this feature requires Connection Server and Horizon Agent 7.0.1 or later.
  • Bandwidth profile – Prevents the agent (remote desktop) from attempting to transmit data at a higher rate than the link capacity.

Note: If you have User Environment Manager 9.1 or later and Horizon Agent 7.0.1 or later, this setting applies when users are using either the Blast Extreme display protocol or the PCoIP display protocol. If you have User Environment Manager 9.0, this setting is called PCoIP Profile and applies only when users are using PCoIP.

The actual bit rate for the profiles varies, depending on whether you use the PCoIP or the Blast Extreme display protocol. For this reason, the list of profiles in the menu does not display the bit rate next to the profile name in User Environment Manager 9.1 or later.

Figure 1: Bandwidth Profile List

For details about the profiles, see the profile reference topic in the Using Smart Policies section of Configuring Remote Desktop Features in Horizon 7.

How Smart Policies Are Applied

To create a Smart Policy, you select settings for the Horizon 7 features that you want to control and specify the conditions, if any, under which the policy will go into effect. If you do not specify any conditions, the policy is applied to all users in the user OU configured for User Environment Manager.

Settings are always applied when the user logs in. You can optionally configure triggers to also re-evaluate the settings at other times, such as when users reconnect to the desktop or application.

When Users Do Not Match the Conditions That Are Set

If you specify conditions, the policy is applied to users who match the conditions. For users who do not match the conditions, no functionality changes are made to the features. For example, by default, you can copy and paste text from your client system to a remote desktop or application. If you create a policy that says clipboard redirection is disabled for a certain group of users, then users outside of this group will still be able to copy and paste text from the client to the remote desktop or application, unless the administrator has used some other method to configure the feature.

When a Setting Within a Policy Is Not Specified

If you create a Smart Policy but do not select the check box for a feature, then no functionality changes are made to that feature. For example, by default, you can copy and paste text from your client system to a remote desktop or application. If you create a Smart Policy and do not select the Clipboard check box, the user will continue to be able to copy and paste from the client system to the remote desktop or application.

You might notice that the default Smart Policy setting for the Clipboard check box is Allow All, but unless you select the check box, the Allow All setting is not used. That is, the default settings shown for the check boxes do not reflect the default settings used by the features when no policies are applied.

When Users Match Conditions for Multiple Policies

User Environment Manager processes multiple policies in alphabetical order based on the policy name. Horizon Smart Policies appear in alphabetical order in the Horizon Smart Policies pane. If policies conflict, the last policy processed takes precedence.

In some environments, you might want to strictly control functionality even when no policies are being matched on their conditions and therefore any functionality would normally be left as is. For these environments, create a default policy that sets all features, except the bandwidth profile, to Disabled. Use no conditions so that the policy is always matched, and give the policy a name that begins with “A,” such as A Default Policy. Because policies are evaluated in alphabetical order, this policy will be first in the list and because it has no conditions it will always be matched.

Then create your other policies with conditions to enable or set specific features when those conditions are matched (for example, client location or specific groups of users), as outlined in the exercises that follow. These other policies will be processed after the default policy, and the resultant feature settings will be applied only after all policies have been evaluated.

If no policies match, then the default policy will disable all controlled functionality. If another policy matches, then the settings in that policy will override the default policy you created.
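The evaluation rules described above (alphabetical processing by policy name, a policy with no conditions always matching, unchecked features left unchanged, and the last matching policy winning a conflict) are easy to get wrong when several policies overlap. The following model, added here as an illustration and not code from VMware or from User Environment Manager, replays those rules in Python over constructed policies shaped like the ones in the exercises that follow (an "A Default Policy" that disables everything, an internal HR policy, a launch-tag plus domain plus group policy, and a late-sorting contractor policy). The policy names, condition values, context keys such as `client_location` and `pool_name`, and the session contexts are all invented for the example; they are not the ViewClient_ registry property names.

```python
"""Model of how User Environment Manager resolves several Horizon Smart Policies.

Constructed example: the policy names, condition values and session contexts
below are invented for illustration. The evaluation rules follow this chapter:
policies are processed in alphabetical order by name, a policy with no
conditions always matches, conditions within a policy are combined with AND,
a feature whose check box is not selected is left unchanged, and when two
matching policies set the same feature the one processed last wins.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A condition inspects the session context and returns True when it matches.
Condition = Callable[[dict], bool]

FEATURES = ("USB redirection", "Clipboard", "Client drive redirection",
            "Printing", "Bandwidth profile")


@dataclass
class SmartPolicy:
    name: str
    settings: Dict[str, str]                       # only the selected check boxes
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, ctx: dict) -> bool:
        # all() over an empty list is True: no conditions means always matched.
        return all(cond(ctx) for cond in self.conditions)


# Condition builders mirroring the console's "Is equal to", "Starts with"
# and Group Membership choices. The context keys are constructed names for
# this model, not the ViewClient_ registry property names.
def equals(prop: str, value: str) -> Condition:
    return lambda ctx: ctx.get(prop) == value


def starts_with(prop: str, prefix: str) -> Condition:
    return lambda ctx: str(ctx.get(prop, "")).startswith(prefix)


def member_of(group: str) -> Condition:
    return lambda ctx: group in ctx.get("groups", ())


def resolve(policies: List[SmartPolicy], ctx: dict) -> Dict[str, Optional[str]]:
    """Return the effective value per feature. None means no matching policy
    set that feature, so the desktop keeps its registry/GPO default."""
    effective: Dict[str, Optional[str]] = {f: None for f in FEATURES}
    # Assumption: plain string ordering stands in for the console's sort order.
    for policy in sorted(policies, key=lambda p: p.name):
        if policy.matches(ctx):
            effective.update(policy.settings)   # later policies overwrite earlier ones
    return effective


POLICIES = [
    # Always matched and processed first because of its name.
    SmartPolicy("A Default Policy", {
        "USB redirection": "Disabled", "Clipboard": "Disabled",
        "Client drive redirection": "Disabled", "Printing": "Disabled"}),
    # First exercise: internal connection AND a pool whose name starts with HR.
    SmartPolicy("Internal HR", {
        "USB redirection": "Enabled", "Clipboard": "Allow All",
        "Bandwidth profile": "LAN"},
        [equals("client_location", "Internal"), starts_with("pool_name", "HR")]),
    # Second exercise: launch tag AND machine domain AND group membership.
    SmartPolicy("Tagged Admins", {
        "USB redirection": "Enabled", "Clipboard": "Allow All",
        "Client drive redirection": "Enabled", "Printing": "Enabled",
        "Bandwidth profile": "LAN"},
        [equals("launch_tag", "HR-Dept"), equals("machine_domain", "MyDomain"),
         member_of("Domain Admins")]),
    # Sorts last, so it overrides USB for contractors even when Internal HR matched.
    SmartPolicy("Zz No USB for Contractors", {"USB redirection": "Disabled"},
                [member_of("Contractors")]),
]

# Constructed session contexts.
INTERNAL_HR_USER = {"client_location": "Internal", "pool_name": "HR-Desktops",
                    "groups": ["Domain Users"]}
INTERNAL_HR_CONTRACTOR = dict(INTERNAL_HR_USER, groups=["Domain Users", "Contractors"])
EXTERNAL_UNMATCHED = {"client_location": "External", "pool_name": "Finance",
                      "groups": ["Domain Users"]}


if __name__ == "__main__":
    for label, ctx in [("internal HR user", INTERNAL_HR_USER),
                       ("internal HR contractor", INTERNAL_HR_CONTRACTOR),
                       ("external, no match", EXTERNAL_UNMATCHED)]:
        print(label, resolve(POLICIES, ctx))
```

Running the model shows the three outcomes the chapter describes: the internal HR user gets USB and clipboard re-enabled while printing and client drive redirection stay disabled by the default policy; the contractor loses USB again because the "Zz" policy is processed after "Internal HR"; and the external user who matches nothing is left with everything disabled except the bandwidth profile, which no policy set. Remove "A Default Policy" from the list and the unmatched user's features all come back as None, that is, unchanged from whatever the registry or group policy already configured.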

Create a Basic Smart Policy for Internal Users

Now that you have installed and configured User Environment Manager, you can use policy settings that are readily available in the User Environment Manager Management Console. You will enable USB access and clipboard redirection and assign a bandwidth profile. The conditions that must be met for this policy to be applied are that the user must connect from inside the corporate network and must connect to a desktop from the Human Resources (HR) pool.

Prerequisites

If you want to apply these settings to an actual desktop or application pool in your environment, you must create the desktop or application pool and entitle it to a group of users included in the user OU configured for User Environment Manager. Having an existing pool is not required, however, if you just want to see how the management console works and try creating a policy.

1. Click the Create Button for Horizon Smart Policies

  1. In the User Environment Manager Management Console, click the User Environment tab.
  2. Select Horizon Smart Policies in the left pane.
  3. Click Create in the toolbar.

2. Complete the Settings Tab for Internal Users

On the Settings tab, enter the following settings:

  • Enter a name for the policy.

    The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.
  • Select the check boxes next to USB redirection, Clipboard, and Bandwidth profile.
  • For Bandwidth profile, select LAN.

3. Add a Condition for a Horizon Client Property

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

4. Set the Client Location to Internal

  1. For Property, select Client location.
  2. Set the location to Internal.
  3. Click OK.

This setting is compared with the gatewayLocation property set for the server.

  • By default, if you connect directly to a Connection Server, the gateway location is Internal.
  • If you connect to a VMware Unified Access Gateway appliance or Security Server, the gateway location is External by default.

If you want to override the default location reported from a server, you can change these defaults by setting the gatewayLocation property in the locked.properties file for the server. For instructions, see the topic Configure the Gateway Location for a View Connection Server or Security Server Host.

5. Add Another Horizon Client Condition

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

6. Set a Specific Pool Name

  1. For Property, select Pool name.
  2. Set Starts with to HR (or the first few letters of the name of an actual desktop pool you want to use).
  3. Click OK.

By default, this new condition is added with an AND operator, meaning that the condition is applied if the user is connecting from inside the corporate network and if the user is trying to access a desktop pool that begins with the letters you specified.

7. View the Operators Available for Combining Conditions

On the Conditions tab, click Edit to see which other operators are available to combine conditions.

The Smart Policy settings and conditions are now defined. These settings are always evaluated and applied whenever the user logs in. Next, you will specify an event that triggers the reevaluation of the Smart Policy whenever the user reconnects, rather than logs in. This is called a triggered task.

8. Create a Triggered Task

  1. Select Triggered Tasks in the left pane.
  2. Click Create in the toolbar.

9. Complete the Settings for the Triggered Task

  1. On the Settings tab, enter a name for the task.

    The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.
  2. For Trigger, select Session reconnected. The Smart Policies will be reevaluated and applied every time the user connects to the remote desktop.
  3. For Action, select User Environment refresh.

10. Specify That Smart Policies Are to Be Refreshed

In the list of check boxes that appear after you select User Environment refresh, select the Horizon Smart Policies check box and click Save.

Refreshing the user environment in this case means reevaluating the user’s connection characteristics, such as internal or external, and reapplying the Smart Policy appropriately. For example, if the user first connects at the office but then later connects from a café or other external network, the Smart Policy is reapplied to disable USB redirection and copying and pasting between the client and remote desktop.

In a production environment, you can select additional check boxes, depending on the other User Environment settings you configure.

Note: The Privilege Elevation Settings and Triggered Task Settings check boxes were added in User Environment Manager 9.2. Although these features are not part of Smart Policies, they can be used in conjunction with Smart Policies, such as when managing Just-in-Time Desktops and Apps as part of a JMP approach.

  • The Privilege Elevation Settings option refreshes settings for the privilege-elevation feature. With this feature, administrators specify applications that end users are allowed to install or run without having elevated privileges. Standard user accounts can run these applications as if they were a member of the local administrators group.
  • The Triggered Task Settings option allows triggered task settings to be refreshed when users disconnect, reconnect, or lock or unlock their workstation. Previously, these settings were refreshed only after users logged out of the virtual desktop or application.

The Smart Policy you created will now be applied whenever a user connects to a remote desktop with Horizon Client.

Create a Smart Policy Based on User Group

In this exercise, you explore some of the more advanced condition settings. Horizon Client properties give you many variables for evaluating conditions and applying Smart Policies. Some of these properties are provided in drop-down menus in the User Environment Manager Management Console, but many more are available when you enter the property name, which is derived from Windows Registry keys.

To view these properties, use Horizon Client to log in to a remote desktop, open the Windows Registry Editor (regedit.exe) on the remote desktop, and go to HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\SessionData\n, where n is the number of the session, as shown in the following figure. When creating Smart Policies, you enter the property names without the ViewClient_ prefix. The SessionData registry setting is created when you log in using Horizon Client or the HTML Access web client. If you log in with HTML Access, fewer properties are listed.

Figure 2: Horizon Client Properties from the Windows Registry on the Remote Desktop

In this exercise, you create a Smart Policy that enables all features for a select Active Directory group of users who log in to a server with a specific launch tag and whose remote desktop belongs to a specific domain.

1. Click the Create Button for Horizon Smart Policies

  1. In the User Environment Manager Management Console, click the User Environment tab.
  2. Select Horizon Smart Policies in the left pane.
  3. Click Create in the toolbar.

2. Complete the Settings Tab for the Group of External Users

On the Settings tab, enter the following settings:

  • Enter a name for the policy.

    The Label and Tag fields are optional. You can use them to describe or organize the settings. The Group By Tag ribbon button uses the Tag field for grouping the list items.
  • Select all the check boxes.
  • For Bandwidth profile, select LAN.

3. Add a Condition for a Horizon Client Property

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

4. Set the Launch Tag

  1. For Property, select Launch tag(s).
  2. In the second list, select Is equal to.
  3. In the text box, enter the tag name HR-Dept.

    The tag name HR-Dept is a hypothetical name. To create a condition that will actually work in your environment, you must enter a tag name that you have actually assigned to a Connection Server and a desktop pool. For more information about assigning tags, see the topic Restricting Desktop or Application Access in Setting Up Virtual Desktops in Horizon 7.
  4. Click OK.

5. Add Another Horizon Client Condition

  1. On the Conditions tab, click Add.
  2. Select Horizon Client Property.

6. Set a Specific Machine Domain

  1. For Property, enter Machine_Domain.

    This property is derived from the Windows Registry key called ViewClient_Machine_Domain, which is pictured in Figure 2. You do not enter the ViewClient_ portion of the name.
  2. In the second list, select Is equal to.
  3. In the text box on the right, enter MyDomain (or the name of an actual domain in your enterprise).
  4. Click OK.

7. Add a Condition for Group Membership

  1. On the Conditions tab, click Add.
  2. Select Group Membership.

8. Complete the Group Membership Box

  1. Select User.
  2. Click Browse.

9. Select a User Group

  1. Enter a user group name.
  2. Click Check Names and select a name.
  3. Click OK.

10. Click OK in the Group Membership Box

Accept the defaults and click OK.

11. Save the New Smart Policy

Click Save. The default operator AND is used to combine the conditions, which is correct for this exercise.

This Smart Policy is set to enable all features and use the LAN bandwidth profile for all users from the Domain Admins user group who connect to a server and desktop assigned the HR-Dept tag and whose remote desktop VM belongs to the specified domain.

For more information about conditions and client properties, see Adding Conditions to Horizon Policy Definitions in Configuring Remote Desktop Features in Horizon 7.

You do not need to create a triggered task because you created a triggered task during the first exercise.

Verify That a Smart Policy Is Being Applied

In this exercise, you look at the User Environment Manager log to see that a Smart Policy is being evaluated and applied to a particular user.

Prerequisites

The first four steps of this procedure guide you through setting the logging level using the Group Policy Management Console. Before you can perform these steps, you must have created a FlexEngine GPO, as described in Initial Configuration Using an Active Directory Group Policy Object.

If instead you configured User Environment Manager using NoAD mode, you have already set the logging level to Debug, as described in Create the User Environment Manager NoAD Configuration File. In this case, you can skip to Step 5 of this exercise.

1. Log In to Active Directory and Launch the Group Policy Management Console

  1. Type group policy management into the search box on the taskbar.
  2. Select Group Policy Management in the results.

2. Edit the Group Policy Object

  1. Expand your domain.
  2. Expand Group Policy Objects.
  3. Select the GPO that you created for the User Environment Manager group policy settings.
  4. From the Action menu, select Edit.

3. Open the FlexEngine Logging Policy

  1. Navigate to User Configuration > Policies > Administrative Templates > VMware UEM > FlexEngine.
  2. In the right pane, double-click FlexEngine logging.

4. Set the Logging Level to Debug

  1. Verify that logging is set to Enabled.
  2. Select Debug as the log level.
  3. Click OK.

VMware recommends that you set the log level to Debug only temporarily because the amount of logging can affect performance.

Note: This dialog box also shows the location of the log file. You specified the log file location when you installed and set up User Environment Manager.

5. Log In to the Virtual Desktop

Log in as a user to a virtual desktop that matches the Smart Policy.

Logging in will create a User Environment Manager log file for the user.

6. Search the User’s FlexEngine Log File for "Applied Horizon Smart Policies Settings"

On the file share machine, open the user’s FlexEngine log file, and search from the bottom up for Applied Horizon Smart Policies settings. For the example in this exercise, the path to this folder is \\<file-share>\UEM_Profiles\<username>\Archives\Logs.

In this example, the user does not meet the conditions for the policy called Internal, so those settings are skipped. Because the Broker_GatewayLocation property is set to External, the Smart Policy called External is applied for all the feature settings.

Note: In this example, the user logged in from an external location. You might be performing this exercise from your corporate office, using a desktop or some other test machine, which would be an internal device.