VMware Workspace ONE Cloud-Based Reference Architecture

Service Integration Design

At this stage, the VMware Workspace ONE® components have been designed and deployed, and the environment provides the functionality and qualities that are required. We can now take the parts delivered by each component and assemble and integrate them into the services that are to be delivered to end users.

Some components are common to multiple services. To avoid repeating information common to each individual service, we outline the design of common components first.

Workspace ONE Use Case Service Integration

The following table lists the parts required for each Workspace ONE service. The rest of this section details the design and configuration of each service.

Component or feature                                | EMM Service | Productivity Service | Application Workspace Service
----------------------------------------------------|-------------|----------------------|------------------------------
VMware Workspace ONE® UEM                           |      ✓      |          ✓           |              ✓
VMware Identity Manager                             |      ✓      |          ✓           |              ✓
AirWatch Cloud Connector                            |      ✓      |          ✓           |              ✓
VMware Identity Manager Connector                   |             |          ✓           |              ✓
VMware Workspace ONE® Verify                        |             |          ✓           |              ✓
Adaptive management                                 |      ✓      |                      |
Device enrollment                                   |             |          ✓           |              ✓
Native mobile apps                                  |      ✓      |          ✓           |              ✓
SaaS apps                                           |      ✓      |          ✓           |              ✓
Unified app catalog                                 |      ✓      |          ✓           |              ✓
Mobile email management                             |             |          ✓           |
Mobile content management                           |             |          ✓           |
DLP restrictions                                    |             |          ✓           |              ✓
Secure browsing                                     |             |          ✓           |
Mobile SSO                                          |      ✓      |          ✓           |              ✓
Conditional access                                  |             |          ✓           |              ✓
VMware Horizon® 7 or VMware Horizon® Cloud Service  |             |                      |              ✓
VMware Unified Access Gateway                       |             |                      |              ✓

Table: Service Requirements (✓ = part of the service; EMM Service = Enterprise Mobility Management Service, Productivity Service = Enterprise Productivity Service, Application Workspace Service = Enterprise Application Workspace Service)

The two broad categories of application types are handled as follows:

  • SaaS applications – Are added from the Workspace ONE SaaS cloud catalog and are entitled to appropriate users.
  • Native mobile apps – Are added from the Workspace ONE UEM Console. Privileged apps have the Require Management option selected; other apps do not.

Enterprise Mobility Management Service

The Enterprise Mobility Management service brings an organization that has minimal device management capabilities—such as Exchange ActiveSync policies applied for passcode, wipe, and other basic settings—under an EMM strategy.

 

The devices are initially configured to support adaptive management. Some less critical applications are enabled for SSO, while other applications are configured to require enrollment. Employees are encouraged, but not required, to enroll their devices. Users can use their native email clients, email apps available from the public app stores, or VMware Workspace ONE® Boxer.

Figure: Enterprise Mobility Management Service

Devices in this service have the following characteristics.

Table: Configuration Considerations for the Enterprise Mobility Management Service

Service Feature

Configuration Considerations

Adaptive management

  • Adaptive management enables applications such as WebEx and Concur to be used with mobile SSO across all platforms without device enrollment. Other applications, such as HR sites, ADP, or Salesforce, require device enrollment to have a high degree of control over the device.
  • Users are encouraged to download the Workspace ONE app from a public app store.
  • Applications that are deemed to have a higher risk to user or company data are set to require management in the Workspace ONE UEM device profile.

Active Directory – cloud password authentication

  • VMware Identity Manager is configured with a policy to use the cloud password from the built-in identity provider and authenticate through the VMware Identity Manager Connector to the Active Directory account.

Email access

  • Users are provided appropriate documentation on how to configure their device for native or third-party email client access.
  • If users choose to install Workspace ONE Boxer, their email configuration is automatically pushed to the device. Typically, users are provided with the Exchange ActiveSync Server address (outlook.office365.com) and their email address and password.

Enrollment

  • Enrollment is completed through the Workspace ONE application. If a user attempts to access an application that has been deployed as one that requires management in Workspace ONE UEM, the enrollment process is initiated.
  • After enrollment in Workspace ONE, end users have all applications available to them. They can also use mobile SSO after they have enrolled because they have a device profile. This profile deploys the appropriate payloads to authenticate using the appropriate SSO technology.
  • Additional compliance information is passed to VMware Identity Manager. If the device is no longer in compliance, the user loses access to the applications provided by VMware Identity Manager.

Enterprise Productivity Service

The Enterprise Productivity service builds on the previous service in that it begins with devices that have been enrolled with the VMware Workspace ONE® Intelligent Hub (formerly called the VMware AirWatch Agent) and are fully managed at deployment. When new devices are brought into the organization, they are essentially quarantined until enrolled.

 

Devices in this service have the following characteristics.

Table: Configuration Considerations for the Enterprise Productivity Service

Service Feature

Configuration Considerations

Device enrollment

All devices in the Enterprise Productivity service are required to enroll using the Workspace ONE Intelligent Hub. These devices are likely to have valuable enterprise data on them and so require a higher level of control and security.

Email restrictions

Native and third-party email apps are blocked, and all users use Workspace ONE Boxer for increased security.

Content access

VMware Workspace ONE® Content is pushed to the device and configured for secure access to corporate repositories.

Secure browsing

VMware Workspace ONE® Web is pushed to the device to ensure that links to intranet sites are always opened in a secure browser.

Office 365 federation (SSO)

Email and content are delivered from Microsoft Office 365, so federation with the Microsoft Office 365 service is enabled to allow SSO to the Office service and to the native mobile Microsoft Office 365 apps.

Data loss prevention

DLP components are enabled within Workspace ONE Content and Workspace ONE Boxer to prevent the use of unapproved applications, ensuring that data cannot be inadvertently or purposely copied and pasted into other apps.

Multi-factor authentication

Multi-factor authentication through Workspace ONE Verify is used when users need to access the Workspace ONE application and they are in a network range that is not within the corporate network. On corporate Wi-Fi, users need only mobile SSO-based authentication. Workspace ONE Verify is also required on personally owned, non-managed PCs using only the browser to access SaaS apps.

 

Figure: Enterprise Productivity Service

 

Table: Configuration Considerations for Microsoft Office 365 Federation

Configuration Item

Tasks and Considerations

Federation to Microsoft Office 365

VMware Identity Manager uses the Microsoft Federated Identity approach to authenticate login requests to the Microsoft Office 365 service.

For information about this configuration, see the following resources:

Enable federation in the Microsoft Office 365 or Microsoft Azure AD portals

Perform these tasks: 

  • Sync Active Directory user accounts through the Microsoft Azure AD or Microsoft Office 365 portal.
  • Use PowerShell scripting to configure the Microsoft Office 365 service to authenticate through Workspace ONE as a federated identity provider. A set of PowerShell scripts with the appropriate parameters and signing certificate establishes the trust between Microsoft Office 365 and VMware Identity Manager.
  • Note: An important criterion to make Microsoft Office 365 integration work is ensuring that the attribute ObjectGUID is synced from AD to the VMware Identity Manager service.

Configure Microsoft Office 365 apps in VMware Identity Manager

  • Using the templates in the Cloud Application Catalog, configure the Microsoft Office 365, WS-fed based template to allow authentication against VMware Identity Manager for Microsoft Office 365-based apps and resources, such as email, SharePoint Online, Skype for Business, and other Microsoft Services.
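
The PowerShell side of the federation step above, as an added example that is not part of this guide and not VMware's own federation scripts. It uses the Microsoft MSOnline module (the Office 365 tooling of this guide's era; Microsoft has since moved the same operations to Microsoft Graph PowerShell) to convert a verified, non-default Office 365 domain from Managed to Federated with VMware Identity Manager as the WS-Federation identity provider, reads the trust back to confirm the stored signing certificate, and then checks that a user's ImmutableId in Azure AD equals the base64 form of the on-premises ObjectGUID, which is why the note above insists on syncing ObjectGUID to VMware Identity Manager. The domain name, the VMware Identity Manager host, the endpoint URLs, the certificate path and the user names are placeholders; take the real endpoint URLs and the signing certificate from the Office 365 application you configured in the VMware Identity Manager console.

```powershell
# Added example (not from the VMware guide or VMware's scripts). Requires a Global Administrator
# session for the tenant. All names, hosts, URLs and paths below are placeholders (assumptions).

Import-Module MSOnline
Import-Module ActiveDirectory          # RSAT; supplies Get-ADUser

$Domain   = 'example.com'                  # assumed: verified Office 365 domain, not the initial .onmicrosoft.com domain
$IdmHost  = 'idm.example.com'              # assumed: VMware Identity Manager tenant FQDN
$CertPath = 'C:\certs\idm-signing.cer'     # assumed: exported vIDM signing certificate (public key only)
$Endpoints = @{                            # assumed: copy the real values from the vIDM Office 365 app settings
    IssuerUri           = "https://$IdmHost/SAAS/API/1.0/GET/metadata/idp.xml"
    PassiveLogOnUri     = "https://$IdmHost/SAAS/auth/wsfed/passive/logon"
    ActiveLogOnUri      = "https://$IdmHost/SAAS/auth/wsfed/active/logon"
    MetadataExchangeUri = "https://$IdmHost/SAAS/auth/wsfed/services/mex"
    LogOffUri           = "https://$IdmHost/SAAS/auth/wsfed/passive/logout"
}

Connect-MsolService

$cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$certB64 = [Convert]::ToBase64String($cert.RawData)

# Convert the domain to Federated: from now on every sign-in for @example.com is redirected to vIDM,
# and anyone holding the private key of this signing certificate can mint tokens for the whole domain.
Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
    -FederationBrandName 'Workspace ONE' `
    -IssuerUri $Endpoints.IssuerUri `
    -PassiveLogOnUri $Endpoints.PassiveLogOnUri `
    -ActiveLogOnUri $Endpoints.ActiveLogOnUri `
    -MetadataExchangeUri $Endpoints.MetadataExchangeUri `
    -LogOffUri $Endpoints.LogOffUri `
    -SigningCertificate $certB64 `
    -PreferredAuthenticationProtocol WsFed

# Read the trust back; the certificate Azure AD stored must be the vIDM certificate, thumbprint for thumbprint.
$fed    = Get-MsolDomainFederationSettings -DomainName $Domain
$stored = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
              [Convert]::FromBase64String($fed.SigningCertificate))
if ($stored.Thumbprint -ne $cert.Thumbprint) {
    throw "Signing certificate stored in Azure AD ($($stored.Thumbprint)) is not the vIDM certificate ($($cert.Thumbprint))"
}
$fed | Format-List IssuerUri, PassiveLogOnUri, ActiveLogOnUri, PreferredAuthenticationProtocol

# ImmutableId check. Azure AD Connect sets ImmutableId to base64(ObjectGUID); the WS-Fed token vIDM
# issues must carry the same value, so ObjectGUID has to be among the attributes synced to vIDM.
function Test-ImmutableId {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Upn
    )
    $guid     = (Get-ADUser -Identity $SamAccountName).ObjectGUID
    $expected = [Convert]::ToBase64String($guid.ToByteArray())
    $actual   = (Get-MsolUser -UserPrincipalName $Upn).ImmutableId
    [pscustomobject]@{ User = $Upn; Expected = $expected; Actual = $actual; Match = ($expected -eq $actual) }
}

Test-ImmutableId -SamAccountName 'jdoe' -Upn "jdoe@$Domain"   # assumed test user
```

Two operational points follow from the code. The signing certificate is the trust anchor for the entire domain, so plan its rotation before it expires (Set-MsolDomainAuthentication accepts a -NextSigningCertificate for that) and keep at least one cloud-only Global Administrator in the initial .onmicrosoft.com domain so that an outage of VMware Identity Manager does not lock administrators out of the tenant. A Match of False from Test-ImmutableId means the user will fail with an immutable-ID mismatch at sign-in even though the federation trust itself is correct.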

 

Table: Configuration Considerations for Email

Configuration Item

Tasks and Considerations

Email integration with Microsoft Office 365 through PowerShell

Workspace ONE UEM issues commands through PowerShell to Exchange in Microsoft Office 365. Devices communicate directly with Exchange ActiveSync in the Microsoft Office 365 service. For full configuration information, see PowerShell Email Integration, in the INTEGRATIONS section of the VMware Workspace ONE UEM Online Help.

PowerShell Roles in Office 365

PowerShell requires specific roles to be established in the Microsoft Office 365 administration portal for Exchange. These roles enable the execution of PowerShell cmdlets from Workspace ONE UEM to the Microsoft Office 365 service.

Blocking and quarantine rules

To prevent unauthorized devices from connecting to the Exchange server, you can block or quarantine devices until they have enrolled. PowerShell commands are used to set the appropriate policy. These rules are not needed for environments where enrollment is not required.

Email compliance policies

Compliance policies for email include a range of options for controlling managed and unmanaged devices:

  • Must the device be enrolled to perform email sync?
  • Which email clients are allowed to sync email?
  • Is device encryption required for email sync?
  • Are jail-broken or otherwise compromised devices allowed?

ActiveSync profiles for email clients

 Perform these tasks:

  • To enable email sync, you must configure the Exchange ActiveSync payload for the device profiles. The hostname for Microsoft Office 365 is typically outlook.office365.com.
  • The domain, username, and email address are configured with lookup values. Make sure that these values are available in the directory and are properly mapped from AD through the AirWatch Cloud Connector (ACC).
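
The Exchange Online calls behind the blocking, quarantine and per-device decisions described in this table, as an added example that is not part of this guide and not Workspace ONE UEM's own integration code. It uses the ExchangeOnlineManagement module to set the organization default to quarantine, to apply the per-mailbox allow or block change that UEM issues when a device enrolls or falls out of compliance, to list what is still quarantined, and to confirm which roles the UEM service account actually holds. Mailbox names, device IDs, the service account and the admin mail recipient are placeholders.

```powershell
# Added example (not from the VMware guide or from Workspace ONE UEM). Mailbox, device ID,
# service account and recipient values are placeholders (assumptions).

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline     # interactive here; the UEM service account uses its own non-interactive credentials

# 1. Organization default: a device Exchange has not seen before is quarantined instead of allowed.
#    Leave the default at Allow in the Enterprise Mobility Management service, where enrollment is
#    optional, or unenrolled personal devices will never sync.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'Enroll this device in Workspace ONE to receive corporate email.'

# 2. Per-device decision, the operation UEM issues for one mailbox/device pair. Per-mailbox allow and
#    block lists are evaluated before the organization default, so these override the quarantine.
function Grant-EasDevice {
    param([Parameter(Mandatory)][string]$Mailbox, [Parameter(Mandatory)][string]$DeviceId)
    $cas = Get-CASMailbox -Identity $Mailbox
    if ($cas.ActiveSyncBlockedDeviceIDs -contains $DeviceId) {
        Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Remove = $DeviceId}
    }
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
}

function Revoke-EasDevice {
    param([Parameter(Mandatory)][string]$Mailbox, [Parameter(Mandatory)][string]$DeviceId)
    $cas = Get-CASMailbox -Identity $Mailbox
    if ($cas.ActiveSyncAllowedDeviceIDs -contains $DeviceId) {
        Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Remove = $DeviceId}
    }
    # An explicit block, not a return to quarantine: a non-compliant device must not be
    # re-approved by hand from the quarantine list.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Add = $DeviceId}
}

# 3. Audit: every device still sitting in quarantine tenant-wide, and one user's partnerships.
function Get-QuarantinedEasDevices {
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceAccessStateReason
}

Get-MobileDeviceStatistics -Mailbox 'jdoe@example.com' |
    Select-Object DeviceId, DeviceType, DeviceAccessState, DeviceAccessStateReason, LastSuccessSync

# 4. Confirm the UEM service account holds only the roles the UEM documentation lists for
#    PowerShell integration, and nothing broader such as Organization Management.
Get-ManagementRoleAssignment -RoleAssignee 'svc-uem@example.com' | Select-Object Role, RoleAssigneeType

# Walk-through: device enrolls and is compliant, later it fails a compliance check.
Grant-EasDevice  -Mailbox 'jdoe@example.com' -DeviceId 'ApplDEVICE00000001'   # assumed EAS device ID
Revoke-EasDevice -Mailbox 'jdoe@example.com' -DeviceId 'ApplDEVICE00000001'
Get-QuarantinedEasDevices
```

The DeviceAccessStateReason column tells you which layer produced a device's state (Global for the organization default, Individual for a per-mailbox list, DeviceRule for an access rule), which is the first thing to check when a user reports that an enrolled device still cannot sync: if it reads Global, UEM never issued the per-device allow for that mailbox.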

 

Table: Configuration Considerations for Content

Configuration Item

Tasks and Considerations

Content integration with Microsoft Office 365

Integration is established through the Workspace ONE UEM Console under the Content node.

From here, you configure templates for the SharePoint libraries in Microsoft Office 365, to sync to the mobile devices.

For more information see Corporate File Servers, in the CONTENT section of the VMware Workspace ONE UEM Online Help.

Office 365 SharePoint document libraries

Use https://portal.office.com to log in to Microsoft Office 365 and create SharePoint sites with document libraries containing content.

Content templates in Workspace ONE UEM for automatic deployment

To create these templates:

  • In the Workspace ONE UEM Console, access the Content node, select Templates, and then select Automatic.
  • Configure SharePoint Office 365 as the repository type.
  • Configure the Link field with the path to the SharePoint document library. For example, https://<domain>.sharepoint.com/Sales_Material/Shared%20Documents
  • Enable Allow Write if read/write access is needed.
  • If content is synced, choose Allow Offline Viewing.
  • If content is used with other apps, select Allow Open in Third Party Apps.
  • Review other security settings per your enterprise policy.
  • Assign appropriate groups to the repository.

For more information, see the Enable Users to Sync Corporate File Servers, in the CONTENT section of the VMware Workspace ONE UEM Online Help.

Workspace ONE Content

To ensure access to content, require that Workspace ONE Content be automatically deployed to the groups that use SharePoint.

Table: Configuration Considerations for Data Loss Prevention

Configuration Item

Tasks and Considerations

DLP configuration on a global basis

 Perform these tasks:

  • You can set DLP configuration on a global basis, platform basis, or per application deployment.
  • For DLP settings to take effect, the application must be built with the VMware Workspace ONE® Software Development Kit (SDK), or, for an internal application, DLP settings must be supported through app wrapping.
  • Workspace ONE Boxer, Workspace ONE Content, and Workspace ONE Web are built using the Workspace ONE SDK and honor the settings chosen.

SDK profile defaults for iOS or Android

SDK profiles allow global configuration of DLP settings that are applied to applications on the platform for which the profile is defined. Policy settings include enabling or disabling:

  • Printing
  • Composing email
  • Location services
  • Data backup
  • Camera
  • Watermarking
  • Ability to open documents in certain apps
  • Copy and paste in and out
  • Third-party keyboards

Custom policies for Workspace ONE Content and Workspace ONE Boxer

Workspace ONE Content can use the default policies defined in the SDK profile, or defaults can be overridden by enabling custom policies. Requiring MDM enrollment ensures that content is accessed only by enrolled devices.

Email compliance policies

When configuring Workspace ONE Content policies, verify that the email compliance policies match corporate standards, including whether devices must be enrolled in device management to receive email. 

Table: Configuration Considerations for Workspace ONE Verify

Configuration Item

Tasks and Considerations

Authentication adapter in VMware Identity Manager

Workspace ONE Verify is an authentication method within VMware Identity Manager. You must enable the built-in authentication adapter by selecting a check box.

Access policies

To use an authentication method, you add it to a policy. You can configure Workspace ONE Verify as a standalone authentication method in a policy, but it is typically chained with other methods to implement multi-factor authentication.

To use Workspace ONE Verify in conjunction with mobile SSO for iOS, click the + icon and add VMware Verify (the name under which Workspace ONE Verify appears in the list of authentication methods). After authenticating through mobile SSO, users are prompted for Workspace ONE Verify credentials.

Installation

The Workspace ONE Verify app is available from the Apple App Store, Google Play, and as an add-in for Chrome on Windows and macOS.

Device enrollment

When users access Workspace ONE Verify for the first time, they are asked for a phone number. The phone number is then associated with the VMware Identity Manager service, and a notification is sent to the user’s device to enroll it.

After enrollment, the user’s phone is issued an authentication token. If the phone can receive push notifications, it lets the user choose to allow or reject the authentication.

Registration of additional devices

You can register additional devices for the end user by leveraging a previously registered device. During registration of an additional device, an authentication request is sent to a previously registered device for verification.

Table: Configuration Considerations for Access and Compliance Policies

Policy

Tasks and Considerations

Workspace ONE UEM compliance

Perform these tasks: 

  • Create a compliance policy for the appropriate platforms through the Workspace ONE UEM Console. Criteria for evaluation can include jail-broken or rooted devices, devices that have not checked into the Workspace ONE UEM environment in a certain period of time, or the installation of blacklisted applications.
  • The policy can include an escalation of notifications as actions, starting with an email notification to the user, followed by an email notification to an administrator, and ultimately blocked access to email if the device is not remediated in time.

VMware Identity Manager compliance

Perform these tasks: 

  • VMware Identity Manager compliance checking is enabled through policy configuration. Policies include device compliance with the Workspace ONE UEM authentication adapter and other authentication methods, such as a password.
  • You can use the policies in conjunction with network ranges, OS platforms, or specific applications, allowing varying requirements to evaluate whether an application can launch based on the location of the user, which device they are using, and how they are authenticating.

Enterprise Application Workspace Service

The Enterprise Application Workspace service has a similar configuration to the Enterprise Productivity service, but also includes access to Horizon Cloud applications. Horizon Cloud resources can be synced with Workspace ONE through an outbound-only connection from the VMware Identity Manager Connector. This method allows entitlements to sync to the service. Inbound access to the Horizon Cloud node, virtual desktops, and applications is still required. Therefore, Unified Access Gateway is also part of this solution.

Components in the Enterprise Application Workspace have the following unique characteristics.

Enterprise Application Workspace Service Details

Component

Purpose

VMware Identity Manager Connector

The connector component of VMware Identity Manager is installed and run as a service on a Windows server (or delivered as a virtual appliance running Linux).

The connector integrates with your enterprise directory to sync users and groups to the VMware Identity Manager service and to provide authentication.

Horizon Cloud entitlements

Entitlements are enabled through the VMware Identity Manager catalog by connecting to Horizon Cloud tenants that expose user-entitled apps and desktops to both Horizon Cloud and Horizon 7.

The Horizon-based services that facilitate these entitlements are described separately, in the Horizon Cloud Use Case Service Integration section of this guide.

VMware Unified Access Gateway

This component enables external VMware Horizon® Client devices to securely access cloud-based Horizon Cloud resources for virtual apps and desktops.

Figure: Enterprise Application Workspace Service

 

Table: Configuration Considerations for VMware Identity Manager

Configuration Item

Tasks and Considerations

VMware Identity Manager Connector deployment

Perform these tasks: 

  • The connector can be deployed either on-premises or in any data center that has a line of sight to Active Directory domain controllers. Instructions for deploying the connector are given in Installing and Configuring VMware Identity Manager Connector.
  • The connector can support Horizon entitlement sync when configured as an outbound-only connector, which does not require inbound ports opened at the network perimeter beyond the ports required to access virtual desktop and application resources. Instructions for enabling the outbound-only authentication adapters are in Using Built-In Identity Providers in the VMware Identity Manager Administration Guide (Cloud).
  • This authentication method, when enabled, is referred to as Password (cloud deployment). See Using Outbound Connector for Authentication in Built-in Identity Providers in the VMware Identity Manager Administration Guide (Cloud).

Directory sync

After the connector is deployed, directory synchronization is performed to sync Active Directory users and groups with the VMware Identity Manager service. For more information, see Integrating Your Enterprise Directory with VMware Identity Manager in the VMware Identity Manager Cloud Deployment documentation.

Access to Horizon Cloud desktops and applications in the Workspace ONE app catalog

To make Horizon Cloud resources available in the Workspace ONE app, you create one or more virtual apps collections in the VMware Identity Manager administration console.

The collections contain the configuration information for the Horizon Cloud tenants, as well as sync settings. See Providing Access to VMware Horizon Cloud Service Desktops and Applications in Setting Up Resources in VMware Identity Manager (Cloud).

User entitlements for apps and desktops are made available through the Horizon Cloud configuration and automatically appear in the Workspace ONE app and in a web browser.

Access to Horizon Cloud from external devices

Perform these tasks:  

  • To access the resources made available through Horizon Cloud, you must establish a means of access from Internet-based devices.
  • You can configure Unified Access Gateway along with True SSO to provide that external access: Unified Access Gateway fronts the Horizon Cloud nodes for connections coming in from the Internet, and True SSO signs users who have already authenticated through Workspace ONE in to their Windows desktop or application without prompting for the Active Directory password again.

    Unified Access Gateway appliances can be automatically deployed in external or internal configurations. See Introduction to Horizon Cloud and Horizon Cloud Nodes in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide.

 

Table: Configuration Considerations for VMware Horizon Client

Configuration Item

Consideration

Horizon Client native app

When Horizon Cloud resources are used in Workspace ONE, the resources appear on the Launcher page of the app, but the resources launch using the Horizon Client native mobile app. For environments planning to access Horizon Cloud–based apps and desktops, an automatic deployment of the native clients is recommended.

Horizon Cloud Use Case Service Integration

The following table details the parts required for each Horizon Cloud–based service. The rest of this section details the design and build of each of these services.

Component                         | Published Application Service | GPU-Accelerated Application Service | Secure Desktop Service
----------------------------------|-------------------------------|-------------------------------------|-----------------------
Windows 10 clone                  |                               |                                     |           ✓
RDSH clone                        |               ✓               |                  ✓                  |
VMware User Environment Manager™  |               ✓               |                  ✓                  |           ✓
Smart Policies                    |               ✓               |                  ✓                  |           ✓
Application blocking              |                               |                  ✓                  |           ✓
Folder redirection                |               ✓               |                  ✓                  |           ✓
Mandatory profile                 |               ✓               |                  ✓                  |           ✓
GPO                               |               ✓               |                  ✓                  |           ✓
Virtual printing (ThinPrint)      |               ✓               |                  ✓                  |           ✓
VMware ThinApp® Packages          |                               |                  ✓                  |           ✓
Unified Access Gateway            |               ✓               |                  ✓                  |           ✓
True SSO                          |                               |                  ✓                  |           ✓
GPU                               |                               |                  ✓                  |

Table: Components Required by Horizon Cloud Services (✓ = required by the service)

Published Application Service

This service is created for the static task worker use case identified earlier. Static task workers require a small number of Windows applications.

Core Service

The core service consists of RDSH-published applications that are made available to end users through the Workspace ONE app catalog.

Figure: Published Application Service – Core

Table: Configuration Considerations for the Core of the Published Application Service

RDSH Server Clone

Configuration Considerations

Windows Server master VM

  • Build a Windows Server VM. See the VMware Horizon Cloud Service on Microsoft Azure Release Notes in the VMware Horizon Cloud Service on Microsoft Azure documentation for a list of supported operating systems.
  • You can build the master VM automatically, by using an import process from the Azure Marketplace, or you can build the VM manually.
  • For details on creating and customizing a master VM, as well as publishing an image, see Creating Desktop Images for a Horizon Cloud Node in Microsoft Azure in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide.

 

Automated RDSH farm

Create a Horizon Cloud automated RDSH server farm from the published image. See Farms in Horizon Cloud in the VMware Horizon Cloud Service on Microsoft Azure documentation for details.

Applications

The actual applications available from the RDSH server farm should be installed in the master VM image, along with any other customization or optimization settings. Optionally, applications can be streamed using ThinApp. We install applications on the master VM, and then publish an image from the master VM. Each RDSH server clone in the farm inherits the same set of applications from the published image, which can then be published to end users.

Figure: Published Application Service – Applications

 

Table: Application Considerations in the Published Application Service

Published Application Process

Configuration Considerations

Overview

After the farm of RDSH servers is created, you add applications from the farm to the Horizon Cloud inventory. After the applications are in the inventory, remote application assignments can be created to entitle end users to the applications.

Adding and assigning applications

Perform these tasks:

  • From the Horizon Cloud Inventory tab, add new applications. You can import applications automatically, by performing an auto-scan from farm operation, or you can add them manually.
  • After applications are added to the Horizon Cloud inventory, create application assignments to entitle users and groups to the applications.
  • See Applications in Your Horizon Cloud Inventory in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide.

Profile and User Data

With User Environment Manager, a combination of the mandatory profile, Windows and application environment settings, user preference settings, and folder redirection all work together to create and maintain the user profile.

Figure: Published Application Service – Profile and User Data

For instructions on all of the tasks mentioned in the following table, see the VMware User Environment Manager Administration Guide.

 

Table: Configuration Considerations for User Profiles in the Published Application Service

Configuration Item

Tasks and Considerations

 

Mandatory profile

 Perform these tasks:

  • Set up a mandatory profile, and use a group policy to assign it to the OU that contains the computer objects.
  • Follow the process outlined in Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop to create a mandatory profile.
  • Restrictions in the Microsoft Azure interface interfere with the creation of a mandatory profile on an Azure VM. One option is to complete the process on an on-premises Windows server, and copy the mandatory profile to Azure.
  • It is important to use the same Windows build and profile version when building the mandatory profile as will be deployed in Horizon Cloud on Microsoft Azure.

See the VMware Horizon Cloud Service on Microsoft Azure Release Notes in the VMware Horizon Cloud Service on Microsoft Azure documentation for a list of supported guest OS versions. For a list of associated profile versions, see Create Mandatory User Profiles in the Microsoft documentation.

Environment settings

Perform these tasks: 

  • Map the H: drive to the user’s home drive with User Environment Manager.
  • Map location-based printers with User Environment Manager, according to the IP address range.

Personalization –

applications

Perform these tasks: 

  • Verify that User Environment Manager Flex configuration files are created and configured properly for each application that allows users to save preference settings.
  • Verify that each application that persists user settings across sessions has a User Environment Manager Flex configuration file.
  • If a User Environment Manager Flex configuration file does not exist, download a configuration file template from the VMware Marketplace, or use the Application Profiler to create one and place it in the configuration share.

Folder redirection

Folder redirection is configured from User Environment Manager, which redirects user profile folders to a file share so that user data persists across sessions. See Configure Folder Redirection in the VMware User Environment Manager Administration Guide.

Smart Policies

Leverage Horizon Smart Policies to apply the Internal Horizon Smart Policy profile, which allows USB, copy and paste, client-drive redirection, and printing. See Using Smart Policies in Configuring Remote Desktop Features in Horizon 7.

For example policies, see User Environment Manager Smart Policies  in Appendix B: Horizon Configuration of this guide.
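
The mandatory-profile row of the table above leaves the publish step to the reader: copy the prepared profile to a share, make it read-only, and make sure the profile version matches the Windows build that Horizon Cloud on Microsoft Azure will run. The following script is an added example, not part of this guide or of User Environment Manager, that does those steps and refuses to publish when the build it runs on differs from the target image build. Share, folder and profile names are placeholders; the build-to-suffix mapping follows Microsoft's documented profile versions.

```powershell
# Added example (not from the VMware guide). Paths, share and profile names are placeholders (assumptions).

function Get-ProfileVersionSuffix {
    # Folder suffix Windows expects for a roaming or mandatory profile of a given build.
    # Per Microsoft's documented profile versions; extend the table for builds newer than this script.
    param([Parameter(Mandatory)][int]$Build)
    switch ($Build) {
        { $_ -ge 14393 } { return '.v6' }   # Windows 10 1607 and later, Windows Server 2016 and later
        { $_ -ge 10240 } { return '.v5' }   # Windows 10 1507 / 1511
        { $_ -ge 9600 }  { return '.v4' }   # Windows 8.1 / Windows Server 2012 R2
        { $_ -ge 9200 }  { return '.v3' }   # Windows 8 / Windows Server 2012
        default          { return '.v2' }   # Windows 7 / Windows Server 2008 R2
    }
}

function Publish-MandatoryProfile {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,   # prepared profile, e.g. C:\ProfilePrep\Mandatory (assumed)
        [Parameter(Mandatory)][string]$ShareRoot,      # e.g. \\fs01\Profiles$ (assumed)
        [Parameter(Mandatory)][string]$ProfileName,    # e.g. Mandatory (assumed)
        [Parameter(Mandatory)][int]$TargetBuild        # build of the Horizon Cloud image, e.g. 14393 for Server 2016
    )
    # The guide requires the same Windows build and profile version as the deployed image.
    $localBuild = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    if ($localBuild -ne $TargetBuild) {
        throw "Profile prepared on build $localBuild but the target image is build $TargetBuild; prepare it on a matching OS."
    }

    $suffix = Get-ProfileVersionSuffix -Build $TargetBuild
    $dest   = Join-Path $ShareRoot ($ProfileName + $suffix)
    if (Test-Path $dest) { throw "$dest already exists; remove or rename it before publishing." }

    Copy-Item -Path $SourceFolder -Destination $dest -Recurse -Force

    # NTUSER.MAN instead of NTUSER.DAT is what makes the profile mandatory: registry changes
    # made during a session are discarded at logoff.
    Rename-Item -Path (Join-Path $dest 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force

    # Users read and execute only; SYSTEM and Administrators keep full control. Inheritance is
    # cut so that write permissions granted higher up the share cannot reach the profile.
    $acl = Get-Acl -Path $dest
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $grants = @(
        @('NT AUTHORITY\SYSTEM',              'FullControl'),
        @('BUILTIN\Administrators',           'FullControl'),
        @('NT AUTHORITY\Authenticated Users', 'ReadAndExecute')
    )
    foreach ($g in $grants) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($g[0], $g[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dest -AclObject $acl
    return $dest
}

# Run on an on-premises Windows Server 2016 (build 14393) machine, since the guide notes the profile
# cannot be created on the Azure VM itself; the share must then be reachable from the Azure VNet.
Publish-MandatoryProfile -SourceFolder 'C:\ProfilePrep\Mandatory' -ShareRoot '\\fs01\Profiles$' `
    -ProfileName 'Mandatory' -TargetBuild 14393
```

After publishing, assign the profile with the computer policy "Set roaming profile path for all users logging onto this computer" (Computer Configuration > Administrative Templates > System > User Profiles) linked to the OU that holds the farm's computer objects, as the table above describes; the Create Mandatory User Profiles article cited above states how the version suffix is handled in that policy path. Leaving Authenticated Users with anything more than read and execute on the profile folder would let any user who can reach the share modify the profile that every RDSH session loads, so treat the ACL step as part of the security configuration, not as housekeeping.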

GPU-Accelerated Application Service

This service is similar to the Published Application service but uses hardware-accelerated rendering with NVIDIA GRID graphics cards available through Microsoft Azure.

Core Service

The core is constructed using Horizon Cloud RDSH server farms. A master VM is created, configured, and published as an image. The published image is used to create a farm of RDSH servers. Because we are using folder redirection, there should be little data stored on the hosts in the farm.

Figure: GPU-Accelerated Application Service – Core

When creating the master VM, you must prepare the VM for NVIDIA GRID GPU capabilities. Follow the steps in Install NVIDIA Graphics Drivers in a GPU-Enabled Master Image in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide.

When importing a VM into Horizon Cloud, select an OS that supports an NVIDIA GPU, and enable the Include GPU option. This ensures that a GPU-backed VM type will be imported from the Azure Marketplace.

Table: Configuration Considerations for the GPU-Accelerated Application Service

RDSH Server Clone

Tasks and Considerations

Windows Server 2016 master VM

Perform these tasks: 

  • Build a Windows Server 2016 VM. See the VMware Horizon Cloud Service on Microsoft Azure Release Notes in the VMware Horizon Cloud Service on Microsoft Azure documentation for a list of supported operating systems.
    Note: Windows Server 2012 R2 limits the maximum number of sessions and is not recommended.
  • You can build the master VM automatically, by using an import process from the Azure Marketplace, or you can build the VM manually.
  • If you create a master image VM with a GPU, you must log in to the VM’s Windows operating system and install the supported NVIDIA graphics drivers to get the GPU capabilities of that VM. You install the drivers after the VM is created and after the Imported VMs page shows the agent-related status is active.

See Creating Desktop Images for a Horizon Cloud Node in Microsoft Azure in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide for details to create and customize a master VM, configure the VM for NVIDIA GPU, and publish an image.

Automated RDSH farm

Create a Horizon Cloud automated RDSH server farm using the published image. See Farms in Horizon Cloud in the VMware Horizon Cloud Service on Microsoft Azure documentation for details.

Applications

This service uses the same structure and design for applications as was outlined previously in Published Application Service section of this guide.

Profile and User Data

This service uses the same structure and design for profile and user data as was outlined previously in the Published Application Service section of this guide.

Policy

Table: Configuration Considerations for User Profiles in the GPU-Accelerated Application Service

Configuration Item

Tasks and Considerations

Smart Policies

For the multimedia designer use case:

  • Internal location: Apply an internal Horizon Smart Policy.
  • External location: Apply an external Horizon Smart Policy.

For more information, see Using Smart Policies in Configuring Remote Desktop Features in Horizon 7.

Application blocking

Do not use application-blocking settings.

Secure Desktop Service

This service is created for the mobile knowledge worker and contractor use cases, in which users require a large number of core and departmental applications, need access from many external locations, and might need access to USB devices.

Core Service

The core service consists of a Windows 10 virtual desktop, which can optionally be made available to end users through the Workspace ONE app catalog.

Figure: Secure Desktop Service – Core

 

Table: Configuration Considerations for Windows 10 Desktops

Windows 10 Clone

Tasks and Considerations

Windows 10 master VM

Perform these tasks: 

 

Desktop assignment

Create a Horizon Cloud desktop assignment from the published image. See Creating Desktop Assignments in Horizon Cloud in the VMware Horizon Cloud Service on Microsoft Azure Administration Guide for details.

Applications

The majority of applications should be installed in the master VM image, along with any other customization or optimization settings. Optionally, conflicting applications are packaged with ThinApp and made available through the Workspace ONE app catalog. We install applications on the master VM, and then publish an image from the master VM. A new dedicated or floating desktop assignment is created and entitled to groups or individual users. Each Windows 10 VM created as part of the desktop assignment inherits the applications, customizations, and optimization settings from the referenced published image.

Figure: Secure Desktop Service – Applications

Profile and User Data

This service uses the same structure and design for profile and user data as outlined in the GPU-Accelerated Application Service section of this guide.

Policy

Table: Configuration Considerations for User Profiles in the Secure Desktop Service

Configuration Item

Tasks and Considerations


Smart Policies

Perform these tasks: 

  • For the mobile knowledge worker use case:
    • Internal location: Apply an internal Horizon Smart Policy.
    • External location: Apply an external Horizon Smart Policy.
  • For the contractor use case: Apply the restrictive zContractor Horizon Smart Policy at all times.
    Note: Smart Policies are evaluated in alphabetical order, and a policy evaluated later overrides conflicting settings from one evaluated earlier. Adding the z character before Contractor places the policy name at the bottom of the sort order, so the restrictive contractor settings are applied last. For examples, see User Environment Manager Smart Policies in Appendix B: Horizon Configuration of this guide.

Application blocking

Use application blocking in User Environment Manager to block executables such as cmd.exe. Blocking a single binary is a hardening measure rather than a security boundary; where the use case allows, block the other scripting hosts (for example powershell.exe and wscript.exe) as well, because they offer the same capabilities as a command prompt.

Recovery Service Integration

With a focus on disaster recovery, you must consider whether and how users are to consume an equivalent service in the event of a site outage. With cloud-based services, such as Workspace ONE UEM and VMware Identity Manager, availability is delivered as part of the platform.

However, some services, including Horizon Cloud, might contain user configuration settings and user data, and might be running in a single Azure region. To provide full disaster recovery, a second, equivalent service can be built in a different Azure region.

The following sections detail the components required for a Horizon Cloud Service on Microsoft Azure recovery service and the steps for implementing an active/passive recovery service type.

Components of a Recovery Service for Horizon Cloud Use Cases

To provide an equivalent service in different Microsoft Azure regions, certain configuration settings and user data might need to be replicated or reproduced between the regions.

  • User Environment Manager GPO (ADMX) configuration 
    • User Environment Manager configuration data
    • User Environment Manager profile archive data
  • Mandatory profile
  • Redirected user data (folder redirection, and so on)

To build equivalent entitlements in a second region, a comparable master VM must also be created in that region, using the same process that was used in the first region.

Any design that includes separate locations or regions should also consider the supporting infrastructure, such as Active Directory, DNS, and VNet configuration, and the other components detailed in the Environment Infrastructure Design section of this guide.

Steps for Implementing an Active/Passive Recovery Service 

The following figure outlines the components you must implement for an effective recovery service.

Figure: Active/Passive Recovery Service Components

Desktops and RDSH-Published Applications

The first step is to create the Windows component of the service. This consists of either desktops or RDSH servers in desktop assignments or server farms, respectively, at both sites. Users are then entitled to resources at the primary site. In the case of a site failure, entitlements can be duplicated at the secondary site.

Table: Steps for Creating the Windows Component of an Active/Passive Service

Step 

Details 

Create a master VM 

Perform these tasks: 

Create desktops assignments or farms 

Perform these tasks: 

  • For desktops, create identical desktop assignments in both sites based on the master VM.
  • For RDSH-published applications: 
    • Create RDSH server farms in both sites using the master VM image. 
    • Add application pools in both sites containing the required applications. 

Profile (User Environment Manager) and User Data 

To manage user settings, user data, and users' access to applications, file replication needs to be set up to ensure that a copy exists outside of the first region. The example here uses Distributed File System (DFS) replication and namespaces, although other file replication technology could also be used.

Table: Steps for Creating the User Profile Component of an Active/Passive Service

Step 

Details 

File shares 

  1. Create the following four file shares on the file server in region 1 and set the relevant permissions:
    • User Environment Manager IT configuration 
    • User Environment Manager profile archive 
    • Mandatory profile 
    • Home file shares for redirected folders (optional) 
  2. Set up four equivalent file shares in a separate location, such as region
  3. Configure DFS replication and namespaces.

Refer to the multi-site design section of Design Component: User Environment Manager Architecture in this guide for considerations on setting up DFS-Replication and DFS-Namespace.
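The following PowerShell script is an added example of the three file-share steps above, written for this guide's review; it is not VMware's own code and does not come from the guide. It creates the four shares on a region-1 and a region-2 file server, applies least-privilege NTFS permissions, joins each pair of shares with a two-way DFS Replication group seeded from region 1, and publishes a domain-based DFS namespace with the region-2 targets set to low referral priority so that clients use region 1 until it is unreachable. The domain name corp.example, the server names FS01-R1 and FS01-R2, the local path D:\Shares, the namespace name UEM, and the group UEM Admins are assumptions, not values from the guide.

```powershell
# Added example; not from the VMware guide. Assumptions: domain corp.example,
# file servers FS01-R1 (region 1) and FS01-R2 (region 2), local path D:\Shares,
# AD group "UEM Admins". Run as a domain admin on a host with RSAT-DFS-Mgmt-Con;
# both file servers need the FS-DFS-Namespace and FS-DFS-Replication features.
#Requires -Modules DFSN, DFSR

$Domain    = 'corp.example'
$Primary   = 'FS01-R1'                      # region 1, active
$Secondary = 'FS01-R2'                      # region 2, passive
$Servers   = $Primary, $Secondary
$Namespace = "\\$Domain\UEM"
$UemAdmins = "$Domain\UEM Admins"
$Users     = "$Domain\Domain Users"

# NTFS rules in icacls syntax. The config and mandatory-profile shares are read-only
# for users and writable only by UEM admins. On the profile-archive and home shares a
# user can only list the root and create a subfolder (rights on this folder only);
# CREATOR OWNER then grants Full only on the subtree that user created, so users
# cannot read each other's profile archives or home folders.
$ReadOnlyAcl = "${UemAdmins}:(OI)(CI)(M)", "${Users}:(OI)(CI)(RX)"
$PerUserAcl  = "${UemAdmins}:(OI)(CI)(M)", "${Users}:(RD,AD,X,RC,S)", 'CREATOR OWNER:(OI)(CI)(IO)(F)'
$Shares = [ordered]@{
    UEMConfig   = $ReadOnlyAcl   # User Environment Manager IT configuration
    UEMProfiles = $PerUserAcl    # User Environment Manager profile archive
    MandProfile = $ReadOnlyAcl   # mandatory profile
    Home        = $PerUserAcl    # home shares for redirected folders (optional)
}

function New-UemShare {
    param([string]$Server, [string]$Name, [string[]]$Acl)
    $path = "D:\Shares\$Name"
    Invoke-Command -ComputerName $Server -ScriptBlock {
        New-Item -ItemType Directory -Path $using:path -Force | Out-Null
        # Drop inherited ACEs, then apply only the explicit set plus SYSTEM/Administrators.
        icacls $using:path /inheritance:r /grant 'SYSTEM:(OI)(CI)(F)' 'Administrators:(OI)(CI)(F)' | Out-Null
        icacls $using:path /grant $using:Acl | Out-Null
        # Share ACL is permissive for authenticated users so NTFS is the effective control;
        # access-based enumeration hides folders the user cannot open.
        New-SmbShare -Name "$($using:Name)`$" -Path $using:path -FullAccess 'Authenticated Users' `
            -FolderEnumerationMode AccessBased | Out-Null
    }
    return $path
}

# Namespace root: a hidden share on the primary server hosts the root metadata.
Invoke-Command -ComputerName $Primary -ScriptBlock {
    New-Item -ItemType Directory -Path 'D:\DfsRoots\UEM' -Force | Out-Null
    New-SmbShare -Name 'UEMRoot$' -Path 'D:\DfsRoots\UEM' -ReadAccess 'Authenticated Users' | Out-Null
}
New-DfsnRoot -Path $Namespace -TargetPath "\\$Primary\UEMRoot`$" -Type DomainV2 | Out-Null

foreach ($name in $Shares.Keys) {
    # Steps 1 and 2: identical shares with identical permissions in both regions.
    $contentPath = @{}
    foreach ($s in $Servers) { $contentPath[$s] = New-UemShare -Server $s -Name $name -Acl $Shares[$name] }

    # Step 3a, DFS Replication: one group per share, two-way connection, region 1 seeds the initial sync.
    $group = "UEM-$name"
    New-DfsReplicationGroup -GroupName $group -DomainName $Domain | Out-Null
    New-DfsReplicatedFolder -GroupName $group -FolderName $name -DomainName $Domain | Out-Null
    Add-DfsrMember -GroupName $group -ComputerName $Servers -DomainName $Domain | Out-Null
    Add-DfsrConnection -GroupName $group -SourceComputerName $Primary `
        -DestinationComputerName $Secondary -DomainName $Domain | Out-Null
    foreach ($s in $Servers) {
        Set-DfsrMembership -GroupName $group -FolderName $name -ComputerName $s `
            -ContentPath $contentPath[$s] -PrimaryMember ($s -eq $Primary) -Force -DomainName $Domain | Out-Null
    }

    # Step 3b, DFS Namespace: one folder per share with a target in each region. The region-2
    # target is GlobalLow so clients only fail over to it when region 1 is unreachable, which
    # keeps writes to the per-user archives on one side at a time (active/passive).
    New-DfsnFolder -Path "$Namespace\$name" -TargetPath "\\$Primary\$name`$" | Out-Null
    New-DfsnFolderTarget -Path "$Namespace\$name" -TargetPath "\\$Secondary\$name`$" `
        -ReferralPriorityClass GlobalLow | Out-Null
}

# Check: replication backlog per share from region 1 to region 2 (0 means in sync).
foreach ($name in $Shares.Keys) {
    $backlog = Get-DfsrBacklog -GroupName "UEM-$name" -FolderName $name `
        -SourceComputerName $Primary -DestinationComputerName $Secondary -DomainName $Domain
    [pscustomobject]@{ Share = $name; PendingFiles = @($backlog).Count }
}
```

Point the User Environment Manager GPO settings and the folder redirection policy at the namespace paths (for example \\corp.example\UEM\UEMProfiles), not at a server name, so that no policy change is needed when region 2 takes over. Keep the region-2 targets at low priority rather than running both regions active: two-way DFS-R of per-user archives written from both sides at once produces conflict copies, which is exactly the data loss the recovery service is meant to avoid. Run the backlog check before a planned failover and treat a non-zero pending count as a reason to wait.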