Reviewer's Guide For View In Horizon 7: Smart Policies

Introduction

Welcome to the Reviewer’s Guide for View in VMware Horizon 7: Smart Policies. This guide introduces you to the Horizon Smart Policies feature of VMware User Environment Manager™, which is included with VMware Horizon® 7 Enterprise Edition.

The View component (formerly the product called Horizon View) of VMware Horizon 7 offers a virtual desktop infrastructure (VDI) and remote applications through Remote Desktop Session Host (RDSH). This is done through a single platform, which simplifies desktop administration and operations and enhances user experience. By centrally maintaining desktops, applications, and data, Horizon 7 uses View to reduce costs, improve security, and increase availability and flexibility for end users.

JMP – Next-Generation Desktop and Application Delivery Platform

JMP (pronounced jump), which stands for Just-in-Time Management Platform, represents capabilities in VMware Horizon 7 Enterprise Edition that deliver Just-in-Time Desktops and Apps in a flexible, fast, and personalized manner. JMP is composed of the following VMware technologies:

• VMware Instant Clone Technology for fast desktop and RDSH provisioning

• VMware App Volumes™ for real-time application delivery

• VMware User Environment Manager for contextual policy management

JMP allows components of a desktop or RDSH server to be decoupled and managed independently in a centralized manner, yet reconstituted on demand to deliver a personalized user workspace when needed. JMP is supported with both on-premises and cloud-based Horizon 7 deployments, providing a unified and consistent management platform regardless of your deployment topology. The JMP approach provides several key benefits, including simplified desktop and RDSH image management, faster delivery and maintenance of applications, and elimination of the need to manage “full persistent” desktops.

Purpose of This Guide

The Reviewer’s Guide for View in VMware Horizon 7: Smart Policies is one of a series of guides to help you evaluate the View component of Horizon 7. This guide provides exercises to demonstrate the process of creating Horizon Smart Policies and applying them based on conditions such as user group, client device type, pool name, and more. For an overview of View in Horizon 7, and information about key features, such as publishing applications, creating instant-clone desktops, and more, see All Guides.

Important: This guide is designed for evaluation purposes only. It uses the minimum required resources for a basic deployment and does not explore all possible features. Do not use this evaluation environment as a template for deploying a production environment. To deploy a production environment, see VMware Horizon 7 Documentation.

Intended Audience for This Guide

This guide is intended for IT administrators and product evaluators who want to install Horizon 7 to deploy and manage remote desktops or published applications. Both current and new users of Horizon 7 can benefit from using this guide. Familiarity with VMware vSphere® and VMware vCenter Server® is assumed. Some familiarity with other technologies is helpful, including networking and storage in a virtual environment, Active Directory, identity management, directory services, Simple Mail Transfer Protocol (SMTP), and RSA SecurID.

Before You Begin

This guide is the seventh in the series. We recommend that you follow the guides in order. For information about all guides in the series, see All Guides.

Before you can perform the exercises in this guide, you must have the following infrastructure components installed and configured:

• VMware vSphere 6.0 Update 1 or later, including VMware vCenter Server 6.0 Update 1 or later. VMware vSphere 6.5 or later is recommended. For more information, see VMware vSphere 6 Documentation.

VMware ESXi™ host or hosts configured in the vCenter Server instance.

• An authentication infrastructure that includes Active Directory, DNS, DHCP, and Certificate Authority setup.

• View Connection Server, version 7.0 or later, set up as described in the Reviewer’s Guide for View in VMware Horizon 7: Installation and Configuration.

Note: View Connection Server version 7.2 or later is recommended and is required for using Smart Policies with RDSH-published applications.

• User Environment Manager 9.0 or later. User Environment Manager 9.2 or later is recommended.

See the User Environment Manager Administrator’s Guide. User Environment Manager is quick to set up, requiring only the installation of the agent and management console software, creation of two file shares, and configuration of group policy objects (GPOs) on the user organizational unit (OU).

You must install the agent component, called the VMware UEM FlexEngine, on each remote desktop. For a linked-clone or instant-clone pool, you install this component in the master VM that you use to create a master image for the clones. For an RDS desktop pool, you install the component on the RDSH server that provides the RDS desktop sessions.

Note: When you install this component on a VM where Horizon Agent is already installed, you are not required to specify a User Environment Manager license file, though you are required to have purchased User Environment Manager. This component is included with Horizon 7 Enterprise Edition.

You can install the User Environment Manager Management Console component on any desktop from which you want to manage the User Environment Manager environment.

For GPO configuration instructions that are specific to Smart Policies, also see the topic Configuring User Environment Manager in Configuring Remote Desktop Features in Horizon 7.

What Are Horizon Smart Policies?

With Smart Policies, administrators have granular control of a user’s desktop experience. A number of key Horizon 7 features can be dynamically enabled, disabled, or controlled based not only on who the user is, but on the many different variables available through Horizon 7: client device, IP address, pool name, and so on.

You can use Smart Policies to enable or disable features including clipboard redirection, USB access, printing, and client drive redirection. For example, you can create a policy so that a desktop login from outside the corporate network results in disabling of security-sensitive features such as cut-and-paste or USB drive access. Additionally, bandwidth profile settings allow you to customize the user experience based on user context and location.

Smart Policies can be enforced based on role, and evaluated at login and logout, disconnect and reconnect, and at predetermined refresh intervals. With all these capabilities and fine-grained control, you can use one desktop pool to address many different use cases.

Note: In most cases, Smart Policy settings that you configure for remote desktop features in User Environment Manager override any equivalent registry key and group policy settings.

Features Controlled by Smart Policies

You can use Smart Policies to enable, restrict, or disable Horizon 7 features that include clipboard redirection, USB access, printing, and client drive redirection, and you can select a profile that manages bandwidth usage.

USB redirection – Controls whether a user is allowed to use locally attached USB devices, such as flash drives, cameras, and printers, from the remote desktop.

Printing – Controls whether a user is allowed to print documents from the remote desktop to a network printer or to a USB printer that is attached to the client computer.

Clipboard – Controls whether users are allowed to copy and paste text and graphics only from the client system to the remote desktop, only from the remote desktop to the client system, both, or neither.

Client drive redirection – Controls whether drives and folders on the client system are shared with the remote desktop and, if so, whether they are read-only or readable and writable.

HTML Access file transfer (available with User Environment Manager 9.1 and later) – Controls whether you can upload files from the client system to the remote desktop, download files from the remote desktop to the client system, or both, or neither, when you are using the web client to access the remote desktop. Note that this feature requires View Connection Server and Horizon Agent 7.0.1 or later.

Bandwidth profile – Prevents the agent (remote desktop) from attempting to transmit data at a higher rate than the link capacity.

Note: If you have User Environment Manager 9.1 or later and Horizon Agent 7.0.1 or later, this setting applies when users are using either the Blast Extreme display protocol or the PCoIP display protocol. If you have User Environment Manager 9.0, this setting is called PCoIP Profile and applies only when users are using PCoIP.

The actual bit rate for the profiles varies, depending on whether you use the PCoIP or the Blast Extreme display protocol. For this reason, the list of profiles in the menu does not display the bit rate next to the profile name in User Environment Manager 9.1 or later.


Figure 1: Bandwidth Profile List

For details about the profiles, see the profile reference topic in the Using Smart Policies section of Configuring Remote Desktop Features in Horizon 7.

How Smart Policies Are Applied

To create a Smart Policy, you select settings for the Horizon 7 features that you want to control and specify the conditions, if any, under which the policy will go into effect. If you do not specify any conditions, the policy is applied to all users in the user OU configured for User Environment Manager.

Settings are always applied when the user logs in. You can optionally configure triggers to also re-evaluate the settings at other times, such as when users reconnect to the desktop or application.

When Users Do Not Match the Conditions That Are Set

If you specify conditions, the policy is applied to users who match the conditions. For users who do not match the conditions, no functionality changes are made to the features. For example, by default, you can copy and paste text from your client system to a remote desktop or application. If you create a policy that says clipboard redirection is disabled for a certain group of users, then users outside of this group will still be able to copy and paste text from the client to the remote desktop or application, unless the administrator has used some other method to configure the feature.

When a Setting Within a Policy Is Not Specified

If you create a Smart Policy but do not select the check box for a feature, then no functionality changes are made to that feature. For example, by default, you can copy and paste text from your client system to a remote desktop or application. If you create a Smart Policy and do not select the Clipboard check box, the user will continue to be able to copy and paste from the client system to the remote desktop or application.

You might notice that the default Smart Policy setting for the Clipboard check box is Allow All, but unless you select the check box, the Allow All setting is not used. That is, the default settings shown for the check boxes do not reflect the default settings used by the features when no policies are applied.

When Users Match Conditions for Multiple Policies

User Environment Manager processes multiple policies in alphabetical order based on the policy name. Horizon Smart Policies appear in alphabetical order in the Horizon Smart Policies pane. If policies conflict, the last policy processed takes precedence.

In some environments, you might want to strictly control functionality even when no policies are being matched on their conditions and therefore any functionality would normally be left as is. For these environments, create a default policy that sets all features, except the bandwidth profile, to Disabled. Use no conditions so that the policy is always matched, and give the policy a name that begins with “A,” such as A Default Policy. Because policies are evaluated in alphabetical order, this policy will be first in the list and because it has no conditions it will always be matched.

Then create your other policies with conditions to enable or set specific features when those conditions are matched (for example, client location or specific groups of users), as outlined in the exercises that follow. These other policies will be processed after the default policy, and the resultant feature settings will be applied only after all policies have been evaluated.

If no policies match, then the default policy will disable all controlled functionality. If another policy matches, then the settings in that policy will override the default policy you created.
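To make the ordering and precedence rules above concrete, the following Python model is an added example written for this review; it is not code from User Environment Manager or from the original guide. It reproduces the behavior the guide describes: policies are processed in alphabetical order of name (a case-insensitive sort is assumed here), every matching policy overrides earlier ones only for the check boxes it selects, and a feature no matching policy touches is left unchanged. The feature names, condition builders, policy names ("A Default Policy", "Internal HR", "HR-Dept Domain Admins") and the sessions are constructed; the conditions mirror the ones used in Exercises 1 and 2, including the office-then-café reconnect case.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Features a Horizon Smart Policy can control. A value of None in the result means no
# matching policy selected that check box, so the desktop keeps whatever the feature's
# own default (or an existing registry/GPO setting) already gives it.
FEATURES = ("usb_redirection", "printing", "clipboard", "client_drive_redirection",
            "html_access_file_transfer", "bandwidth_profile")


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for the Horizon Client properties a condition can test."""
    user: str
    groups: frozenset
    gateway_location: str      # "Internal" or "External" (Broker_GatewayLocation)
    pool_name: str
    launch_tags: frozenset
    machine_domain: str


Condition = Callable[[Session], bool]


@dataclass
class SmartPolicy:
    name: str
    settings: Dict[str, str]                                   # only the checked features appear
    conditions: List[Condition] = field(default_factory=list)  # combined with AND

    def matches(self, s: Session) -> bool:
        # A policy with no conditions always matches.
        return all(c(s) for c in self.conditions)


# Condition builders mirroring the console's Horizon Client Property and Group Membership items.
def client_location(loc: str) -> Condition:
    return lambda s: s.gateway_location == loc

def pool_starts_with(prefix: str) -> Condition:
    return lambda s: s.pool_name.startswith(prefix)

def launch_tag_equals(tag: str) -> Condition:
    return lambda s: tag in s.launch_tags

def machine_domain_equals(domain: str) -> Condition:
    return lambda s: s.machine_domain.lower() == domain.lower()

def member_of(group: str) -> Condition:
    return lambda s: group in s.groups


def evaluate(policies: List[SmartPolicy], session: Session):
    """Process policies in alphabetical order of name (case-insensitive sort assumed).
    Each matching policy overrides earlier ones feature by feature, so on a conflict the
    last matching policy wins. Returns (effective settings, names of applied policies)."""
    effective: Dict[str, Optional[str]] = {f: None for f in FEATURES}
    applied: List[str] = []
    for policy in sorted(policies, key=lambda p: p.name.lower()):
        if policy.matches(session):
            applied.append(policy.name)
            effective.update(policy.settings)
    return effective, applied


# "A Default Policy": no conditions, disables everything except the bandwidth profile.
DEFAULT_POLICY = SmartPolicy(
    "A Default Policy",
    {f: "Disabled" for f in FEATURES if f != "bandwidth_profile"},
)
# Exercise 1: internal users on the HR pool get USB, clipboard and the LAN profile.
INTERNAL_HR = SmartPolicy(
    "Internal HR",
    {"usb_redirection": "Enabled", "clipboard": "Allow all", "bandwidth_profile": "LAN"},
    [client_location("Internal"), pool_starts_with("HR")],
)
# Exercise 2: Domain Admins on an HR-Dept-tagged server whose desktop is in MyDomain get everything.
HR_DEPT_ADMINS = SmartPolicy(
    "HR-Dept Domain Admins",
    {**{f: "Enabled" for f in FEATURES}, "bandwidth_profile": "LAN"},
    [launch_tag_equals("HR-Dept"), machine_domain_equals("MyDomain"), member_of("Domain Admins")],
)
POLICIES = [INTERNAL_HR, HR_DEPT_ADMINS, DEFAULT_POLICY]   # list order is irrelevant

# Constructed sessions: the same HR user at the office, then reconnecting from a cafe,
# plus a Domain Admin on a non-HR pool reached through an HR-Dept-tagged server.
OFFICE = Session("alice", frozenset({"HR Users"}), "Internal", "HR-Desktops", frozenset(), "MyDomain")
CAFE = Session("alice", frozenset({"HR Users"}), "External", "HR-Desktops", frozenset(), "MyDomain")
ADMIN = Session("bob", frozenset({"Domain Admins"}), "Internal", "Finance", frozenset({"HR-Dept"}), "MyDomain")

if __name__ == "__main__":
    for label, session in (("office", OFFICE), ("cafe", CAFE), ("admin", ADMIN)):
        effective, applied = evaluate(POLICIES, session)
        print(label, applied, effective)
```

Running the block shows the three outcomes the guide describes: at the office the default policy sets the floor and "Internal HR" then re-enables only the three check boxes it selected (printing stays Disabled); from the café only the default policy matches, so every controlled feature is Disabled and the bandwidth profile is untouched; and without any default policy in the list, the café session ends with every feature at None, that is, unchanged from what the desktop already allowed.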

Exercise 1: Creating a Basic Smart Policy for Internal Users

Now that you have installed and configured User Environment Manager, you can use policy settings that are readily available in the User Environment Manager Management Console. You will enable USB access and clipboard redirection and assign a bandwidth profile. The conditions that must be met for this policy to be applied are that the user must connect from inside the corporate network and must connect to a desktop from the Human Resources (HR) pool.

Note: If you want to apply these settings to an actual desktop or application pool in your environment, you must create the desktop or application pool and entitle it to a group of users included in the user OU configured for User Environment Manager. Having an existing pool is not required, however, if you just want to see how the management console works and try creating a policy.

1. Open the User Environment Manager Management Console.

User Environment Manager Management Console

2. Click the User Environment tab, select Horizon Smart Policies in the left pane, and click Create in the toolbar.

Note: In User Environment Manager 9.1 and later, the item to select is Horizon Smart Policies. In User Environment Manager 9.0, the item is Horizon Policies.

User Environment tab

3. On the Settings tab, enter the following settings:

    • Enter a name for the policy.

      The Label and Tag fields are optional. You can use them to describe or organize the settings.

      The Group By Tag ribbon button uses the Tag field for grouping the list items.

    • Select the check boxes next to USB redirection, Clipboard, and Bandwidth profile.

    • For Bandwidth profile, select LAN.

Settings

4. Click the Conditions tab and click Add.

5. Select Horizon Client Property, and enter the following settings:

    • For Property, select Client location.

    • Set the location to Internal.

    • Click OK.

Conditions

This setting is compared with the gatewayLocation property set for the server.

• By default, if you connect directly to a View Connection Server, the gateway location is Internal.

• If you connect to an Access Point appliance or Security Server, the gateway location is External by default.

If you want to override the default location reported from a server, you can change these defaults by setting the gatewayLocation property in the locked.properties file for the server. For instructions, see the Configure the Gateway Location for a View Connection Server or Security Server Host topic in View Administration.

6. Click Add to add another condition, select Horizon Client Property, and enter the following settings:

• For Property, select Pool name.

• Set Starts with to HR (or the first few letters of the name of an actual desktop pool you want to use).

• Click OK.

Horizon Client Property

By default, this new condition is added with an AND operator, meaning that the condition is applied if the user is connecting from inside the corporate network and if the user is trying to access a desktop pool that begins with the letters you specified.

7. On the Conditions tab, click Edit to see which other operators are available to combine conditions.

Conditions

The Smart Policy settings and conditions are now defined. These settings are always evaluated and applied whenever the user logs in. Next, you will specify an event that triggers reevaluation of the Smart Policy whenever the user reconnects, rather than only at login. This is called a triggered task.

8. Select Triggered Tasks in the left pane, and click Create in the toolbar.

9. On the Settings tab, enter the following settings:

    • Enter a name for the task.

      The Label and Tag fields are optional. You can use them to describe or organize the settings.

      The Group By Tag ribbon button uses the Tag field for grouping the list items.

    • For Trigger, select Reconnect session.

      The Smart Policies will be reevaluated and applied every time the user connects to the remote desktop.

    • For Action, select User Environment refresh.

User Environment refresh

10. In the list of check boxes that appear after you select User Environment refresh, select the Horizon Smart Policies check box and click Save.

Refreshing the user environment in this case means reevaluating the user’s connection characteristics, such as internal or external, and reapplying the Smart Policy appropriately. For example, if the user first connects at the office but then later connects from a café or other external network, the Smart Policy is reapplied to disable USB redirection and copying and pasting between the client and remote desktop.

User Environment refresh

In a production environment, you can select additional check boxes, depending on the other User Environment settings you configure.

Note: The Privilege Elevation Settings and Triggered Task Settings check boxes were added in User Environment Manager 9.2. Although these new features are not part of Smart Policies, they can be used in conjunction with Smart Policies, such as when managing Just-in-Time Desktops and Apps as part of a JMP approach.

• The Privilege Elevation Settings option refreshes settings for the User Environment Manager 9.2 feature called privilege elevation. With this feature, administrators specify applications that end users are allowed to install or run without having elevated privileges. Standard user accounts can run these applications as if they were a member of the local administrators group.

• The Triggered Task Settings option allows triggered task settings to be refreshed when users disconnect, reconnect, or lock or unlock their workstation. Previously, these settings were refreshed only after users logged out of the virtual desktop or application.

The Smart Policy you created will now be applied whenever a user connects to a remote desktop with Horizon Client 4.0 or later, including HTML Access 4.0 or later, which is included with Connection Server 7.0 or later.

Exercise 2: Using Conditions Based on User Group and Volatile Variables

In this exercise, you explore some of the more advanced condition settings. Horizon Client properties give you many variables for evaluating conditions and applying Smart Policies. Some of these properties are provided in drop-down menus in the management console, but many more are available when you enter the property name, which is derived from Windows Registry keys.

To view these properties, open the Windows Registry Editor (regedit.exe) on the remote desktop and go to HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\SessionData\n, where n is the number of the session, as shown in Figure 2. You enter the property names without the ViewClient_ prefix.


Figure 2: Horizon Client Properties from the Windows Registry on the Remote Desktop

In this exercise, you create a Smart Policy that enables all features for a select Active Directory group of users who log in to a server with a specific launch tag and whose remote desktop belongs to a specific domain.

1. Open the User Environment Manager Management Console, and on the User Environment tab, select Horizon Smart Policies in the left pane and click Create in the toolbar.

2. On the Settings tab, enable all the features, and for Bandwidth profile, select LAN.

3. Click the Conditions tab and click Add.

4. Select Horizon Client Property, and enter the following settings:

    • For Property, select Launch tag(s).

    • In the second list, select Is equal to.

    • In the text box, enter the tag name HR-Dept, and click OK.

Horizon Client Property

Note: The launch tag must match a tag that has been assigned to a View Connection Server and a desktop pool. For more information about assigning tags, see the topic Restricting Desktop or Application Access in Setting Up Virtual Desktops in Horizon 7.

5. Click Add to add another condition, select Horizon Client Property, and enter the following settings:

    • For Property, enter Machine_Domain.

      This property is derived from the Windows Registry key called ViewClient_Machine_Domain, which is pictured in Figure 2. You do not enter the ViewClient_ portion of the name.

    • In the second list, select Is equal to.

    • In the text box on the right, enter MyDomain (or the name of a domain in your enterprise), and click OK.

Horizon Client Property

6. Click Add to add a third condition, and select Group Membership.

7. In the Group Membership dialog box, select User and click Browse.

Group Membership

8. In the Select Group dialog box, enter the group name and click OK.

Group dialog box

9. In the Group Membership box, click OK.

10. In the Horizon Smart Policies dialog box, click Save.

Group Membership

The default operator AND is used to combine the conditions, which is correct for this exercise.

This Smart Policy is set to enable all features and use the LAN bandwidth profile for all users from the Domain Admins user group who connect to a server and desktop assigned the HR-Dept tag and whose remote desktop VM belongs to the specified domain.

For more information about conditions and client properties, see Adding Conditions to Horizon Policy Definitions in Configuring Remote Desktop Features in Horizon 7.

You do not need to create a triggered task because you created a triggered task during the first exercise.

Exercise 3: Verifying That a Smart Policy Is Being Applied

In this exercise, you look at the User Environment Manager log to see that a Smart Policy is being evaluated and applied to a particular user.

Note: Before you begin this exercise, make sure you have created GPOs for Smart Policies, as described in Before You Begin and in the topic Configuring User Environment Manager in Configuring Remote Desktop Features in Horizon 7.

1. Log in to the operating system of the Active Directory Domain Controller as the administrator.

2. Launch the Group Policy Management console.

Go to Control Panel > Administrative Tools > Group Policy Management.

Group Policy Management

3. Expand your domain, under Group Policy Objects, select the GPO that you created for the User Environment Manager group policy settings, and from the Action menu, select Edit.

Group Policy Objects

4. In the GPO Editor, in the left pane, go to User Configuration > Policies > Administrative Templates > VMware UEM > FlexEngine, and in the right pane, double-click FlexEngine logging.

GPO Editor

5. In the FlexEngine logging dialog box, verify that logging is set to Enabled, select Debug as the log level, and click OK.

FlexEngine logging dialog box

VMware recommends you set the log level to Debug only temporarily, since the amount of logging can affect performance. This dialog box also shows the location of the log file. You specified the log file location when you installed and set up User Environment Manager.

6. Log in as a user to a remote desktop that matches the Smart Policy. Logging in will create a User Environment Manager log file for the user.

7. On the file share machine, open the user’s FlexEngine log file, and search from the bottom up for Applied Horizon Smart Policies.

Debug

In this example, the user does not meet the conditions for the policy called Internal, so those settings are skipped. Because the Broker_GatewayLocation property is set to External, the Smart Policy called External is applied for all the feature settings.
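When you verify policies for more than one user or after a reconnect, reading the log by hand is error-prone: the file keeps every evaluation, and only the last one reflects the user's current connection. The following Python snippet is an added example written for this review, not a VMware tool and not part of the original guide. The log lines it parses are constructed in a hypothetical layout (only the marker phrase "Applied Horizon Smart Policies", the policy names Internal and External and the Broker_GatewayLocation property come from the guide; the real FlexEngine log format differs, so adapt the regular expression to what your log actually contains). It implements the guide's "search from the bottom up" rule so that the evaluation after the café reconnect, not the earlier office login, is the one reported.

```python
import re

MARKER = "Applied Horizon Smart Policies"

# Constructed sample log in a hypothetical layout; NOT the real FlexEngine log format.
# It records an office login (Internal applied) followed by a reconnect from outside
# the corporate network (Internal skipped, External applied).
SAMPLE_LOG = """\
2017-10-05 08:01:12 [DEBUG] Applied Horizon Smart Policies
2017-10-05 08:01:12 [DEBUG] Policy 'External': conditions not met, skipped
2017-10-05 08:01:12 [DEBUG] Policy 'Internal': applied (USB redirection=Enabled, Clipboard=Allow all, Bandwidth profile=LAN)
2017-10-05 12:30:44 [DEBUG] Reconnect session trigger: refreshing Horizon Smart Policies
2017-10-05 12:30:45 [DEBUG] Broker_GatewayLocation=External
2017-10-05 12:30:45 [DEBUG] Applied Horizon Smart Policies
2017-10-05 12:30:45 [DEBUG] Policy 'Internal': conditions not met, skipped
2017-10-05 12:30:45 [DEBUG] Policy 'External': applied (USB redirection=Disabled, Clipboard=Disabled, Client drive redirection=Disabled)
"""

# Hypothetical line shape: Policy '<name>': applied ... | conditions not met ...
POLICY_RE = re.compile(r"Policy '([^']+)': (applied|conditions not met)")


def last_policy_evaluation(log_text: str):
    """Search from the bottom up for the marker and return the lines from that point on,
    so the most recent evaluation (for example, after a reconnect) is the one examined."""
    lines = log_text.splitlines()
    for i in range(len(lines) - 1, -1, -1):
        if MARKER in lines[i]:
            return lines[i:]
    return []


def summarize(lines):
    """Map policy name -> 'applied' or 'skipped' for one evaluation's lines."""
    outcome = {}
    for line in lines:
        m = POLICY_RE.search(line)
        if m:
            outcome[m.group(1)] = "applied" if m.group(2) == "applied" else "skipped"
    return outcome


def expect_applied(log_text: str, policy: str) -> bool:
    """True if the most recent evaluation in the log applied the named policy."""
    return summarize(last_policy_evaluation(log_text)).get(policy) == "applied"


if __name__ == "__main__":
    print(summarize(last_policy_evaluation(SAMPLE_LOG)))
    print("External applied:", expect_applied(SAMPLE_LOG, "External"))
```

Point this at the user's FlexEngine log on the file share rather than at the constructed string, and use expect_applied as a quick check that the policy you intended (here External for an outside connection) is the one in force after the latest login or reconnect.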

Summary

The Reviewer’s Guide for View in VMware Horizon 7: Smart Policies is one of a series of guides that explore the View component of VMware Horizon 7. This guide provided exercises to walk you through the process of creating and applying Horizon Smart Policies and verifying that the policies are being applied correctly.

All Guides

You can explore many key features and capabilities in the Reviewer’s Guide series for View in VMware Horizon 7:

Overview

Installation and Configuration

Preparing Virtual Machines for Desktop Pools

Instant Clones

Desktop Pools

Publishing Applications with VMware Horizon 7

Smart Policies

Provisioning Users

Note: For information about features that are not covered in this series of guides, see VMware Horizon 7 Documentation.

Additional Resources

For more information about the View component of VMware Horizon 7, you can explore the following resources:

VMware Horizon 7 Hands-On Lab

VMware Horizon 7 (which includes the View component)

VMware Horizon 7 Documentation

VMware Horizon Pricing, Packaging, and Licensing

VMware Knowledge Base

VMware Product Evaluation

VMware Product Guide

VMware Product Interoperability Matrixes

What’s New with VMware Horizon 7 (VMware blog post)

White papers

Self-help resources

• VMware vSphere and VMware vCenter Server resources

    – Product overview

    – Product documentation

    – White papers and other resources

• VMware consultation and support

    – VMware Horizon Support Center

    – VMware Consulting Professional Services Organization

Appendix: Terminology Used in This Guide

The following terms are used in this guide:

Instant clone A rapidly generated and nonpersistent clone of a powered-on virtual machine. An instant clone provides users with a virtual desktop in seconds.
Linked clone A copy of a master virtual machine that shares virtual disks with it by using a snapshot. This conserves disk space and ensures all users receive the same software installation.
Master virtual machine (VM) A single desktop source that is used to deploy a group of virtual desktops or virtual machines. A master virtual machine is sometimes referred to as a master image, desktop image or golden image. In a physical environment, a master virtual machine can be referred to as a disk image file.
Snapshot A set of files that contain the entire state of a virtual machine: its data, memory, and configuration. If you revert to a snapshot, the current state of the virtual machine is lost, and its saved state is restored. Multiple snapshots are differential, and have a parent and child relationship. The files of a child snapshot contain only changes made to its parent snapshot.
Virtual desktop The user interface of a virtual machine that is made available to an end user.
Virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information about terms, see the VMware Glossary.

About the Authors

This Reviewer’s Guide was written by Caroline Arakelian, Senior Technical Marketing Manager, and Graeme Gordon, Senior End-User-Computing Architect, End-User-Computing Technical Marketing, VMware.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.