Define what devices are allowed in a Horizon View desktop with UEM Smart Policies

When designing a new Horizon View environment, one of the design phases is to identify the requirements for accessing (redirecting) devices in a Horizon View desktop or published app. In other words, which redirection types and devices are available and permitted in the VDI desktop or published app, such as:

  • USB devices
  • Clipboard (copy/paste) redirection
  • Client Drives Redirection (CDR)
  • Printing redirection

In most environments, the requirements differ depending on whether devices are accessed from inside or outside the company. Here is an example of which redirection types and devices are allowed when connecting from inside or outside the company:

Endpoint location | USB | Client drive redirection | Clipboard | Printing
inside            | yes | yes                      | yes       | no
outside           | no  | no                       | no        | yes

In User Environment Manager (UEM) 9 there is a new functionality called “Smart Policies”. With Smart Policies you can define what devices are allowed in the VDI desktop based on dynamic conditions such as:

  • The endpoint location (inside or outside the company)
  • Horizon Tags
  • Desktop pool name
  • Other View Client variables

With the endpoint “Client location” condition it is possible to determine whether the connection comes from inside or outside the company. When connecting through the internal Horizon View Connection Server, the “Client location” condition gets the value Internal. When connecting through the Horizon View Security Server or Access Point, it gets the value External. Because the requirements differ, 2 policies are needed, 1 for internal and 1 for external.

After defining the policy a condition needs to be set.

  • For the internal policy: Property “Client Location” is equal to Internal
  • For the external policy: Property “Client Location” is equal to External

After defining the conditions both policies are ready to use. In this blog post I showed the strength of using the new Smart Policies option in UEM9. Smart Policies requires UEM9 and Horizon 7 to function.

Slow logoff from a Horizon View VDI desktop

When building a new Horizon environment, the logoff and refresh maintenance window takes a couple of minutes.

When a user logs off from a Horizon VDI session, the desktop is refreshed in a floating pool. (A refresh action can be configured per pool.) During the logoff and refresh window the desktop is in “maintenance mode” and the user is unable to log in.

The following warning is displayed in the Horizon View Client when trying to connect:

The View Agent reports that this desktop is currently logging off a previous session. Please try again later.

The newly installed Horizon environment has the following products and versions installed:

  • VMware vSphere 6.x
  • Virtual SAN 6.2
  • Horizon 7
  • App Volumes 2.10
  • User Environment Manager 9.0
  • Sophos Antivirus for vShield
  • Windows 7 desktop
  • Windows 2012 RDS

After some troubleshooting, I disabled the “Sophos Antivirus for vShield” appliance per ESXi server. After disabling the appliance the VDI desktop logoff and refresh window was finished in a couple of seconds instead of a couple of minutes. So the problem has something to do with the virus scanner or vShield Endpoint. After digging deeper it was VMware Tools related. In April 2016 VMware Tools 10.0.8 was released that fixes performance problems with NSX and VMware vCloud Networking and Security 5.5.x.

After upgrading the VMware Tools version to 10.0.8 in the golden image the slow logoff and refresh was solved. Within a couple of seconds the user is now able to log off again to a fresh new VDI desktop.

More information on VMware Tools 10.0.8: Link.

VMware Horizon View Agent installation order

When configuring a Windows VDI desktop or RDSH session with Horizon View, different software components must be installed, such as VMware Tools and the VMware Horizon View Agent. User Environment Manager and App Volumes require an agent too. All these software components must be installed in the correct order in the master/golden image to prevent problems such as a black screen when connecting to a Windows VDI desktop using the PCoIP protocol.

The following order can be used with a clean installation:

  1. VMware Tools (*1)
  2. VMware Horizon View Agent
  3. View Agent Direct-Connection
  4. VMware User Environment (UEM) agent
  5. VMware App Volumes (Agent) (*2)
  6. NVIDIA drivers (*3)

Uninstall order:

  1. NVIDIA drivers and reboot
  2. VMware App Volumes agent and reboot
  3. VMware UEM agent and reboot
  4. VMware Horizon Agents and reboot
  5. VMware Tools and reboot

(*1) The NSX File and Network Introspection drivers are not installed by default.

(*2) In App Volumes 2.9 and later you can install the agent in any order.

(*3) When using NVIDIA GPUs

When upgrading VMware Tools I always uninstall and reinstall the agents in the order mentioned above.
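
An added example, not from the original post: a Python check that takes an installed-software inventory exported from a golden image and flags components installed out of the clean-install order listed above, honoring footnote (*2). The display-name fragments, the inventory format and the sample rows are assumptions constructed for illustration.

```python
from datetime import datetime

# (rank in the clean-install list, label, display-name fragment).
# Fragments are assumed; adjust them to the names shown in your image.
# Direct-Connection is listed before the plain agent so it matches first.
COMPONENTS = [
    (1, "VMware Tools", "vmware tools"),
    (3, "View Agent Direct-Connection", "direct-connection"),
    (2, "VMware Horizon View Agent", "horizon"),
    (4, "VMware UEM agent", "user environment manager"),
    (5, "VMware App Volumes agent", "app volumes"),
    (6, "NVIDIA drivers", "nvidia"),
]

def classify(display_name):
    """Map an installed-program name to (rank, label), or None if unrelated."""
    lowered = display_name.lower()
    for rank, label, fragment in COMPONENTS:
        if fragment in lowered:
            return rank, label
    return None

def version_tuple(version):
    """Compare versions numerically so that 2.10 sorts after 2.9."""
    return tuple(int(part) for part in version.split(".")[:2])

def check_install_order(inventory):
    """inventory: (display_name, version, ISO install timestamp) tuples."""
    found = []
    for name, version, installed_at in inventory:
        hit = classify(name)
        if hit is None:
            continue
        rank, label = hit
        # Footnote (*2): the App Volumes 2.9+ agent can go in any order.
        if rank == 5 and version_tuple(version) >= (2, 9):
            continue
        found.append((datetime.fromisoformat(installed_at), rank, label))
    found.sort()  # oldest install first
    violations = []
    for i, (_, rank, label) in enumerate(found):
        for _, later_rank, later_label in found[i + 1:]:
            if later_rank < rank:
                violations.append(f"{label} was installed before {later_label}")
    return violations

# Constructed sample: VMware Tools was reinstalled after the Horizon agent.
SAMPLE = [
    ("VMware Horizon Agent", "7.0.0", "2016-05-02T09:10:00"),
    ("VMware Tools", "10.0.8", "2016-05-02T09:40:00"),
    ("VMware User Environment Manager", "9.0.0", "2016-05-02T10:00:00"),
    ("App Volumes Agent", "2.10.0", "2016-05-02T08:00:00"),
    ("NVIDIA Graphics Driver", "362.13", "2016-05-02T10:30:00"),
]

if __name__ == "__main__":
    for line in check_install_order(SAMPLE):
        print(line)
```
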