Define what devices are allowed in a Horizon View desktop with UEM Smart Policies

When designing a new Horizon View environment, one of the design phases is to identify the requirements for accessing (redirecting) devices in a Horizon View desktop or published app. In other words: which redirection options and devices are available and permitted in the VDI desktop or published app, such as:

  • USB devices
  • Clipboard (copy/paste) redirection
  • Client Drives Redirection (CDR)
  • Printing redirection

In most environments the requirements differ depending on whether devices are accessed from inside or outside the company. Here is an example of which redirection options and devices are allowed in each case:

Endpoint location | USB | Client drive redirection | Clipboard | Printing
inside            | yes | yes                      | yes       | no
outside           | no  | no                       | no        | yes

User Environment Manager (UEM) 9 introduces a new feature called “Smart Policies”. With Smart Policies you can define which devices are allowed in the VDI desktop based on dynamic conditions such as:

  • The endpoint location (inside or outside the company)
  • Horizon Tags
  • Desktop pool name
  • Other View Client variables such as:


With the endpoint “Client Location” condition it is possible to determine whether a session originates from inside or outside the company. When connecting through the internal Horizon View Connection Server, “Client Location” gets the value Internal. When connecting through the Horizon View Security Server or Access Point, “Client Location” gets the value External. For the different requirements, 2 policies are needed, 1 for internal and 1 for external.

After defining the policy, a condition needs to be set.

  • For the internal policy: Property “Client Location” is equal to Internal
  • For the external policy: Property “Client Location” is equal to External


After defining the conditions, both policies are ready to use. In this blog post I showed the strength of the new Smart Policies option in UEM9. Smart Policies requires UEM9 and Horizon 7 to function.

VMware Horizon View Agent installation order

When configuring a Windows VDI desktop or RDSH session with Horizon, several software components must be installed, such as VMware Tools and the VMware Horizon View Agent. User Environment Manager and App Volumes each require an agent too. All these components must be installed in the correct order in the master/golden image to prevent problems such as a black screen when connecting to a Windows VDI desktop using the PCoIP protocol.

The following order can be used with a clean installation:

  1. VMware Tools (*1) (*4)
  2. VMware Horizon Agent
  3. VMware Horizon Direct-Agent
  4. VMware User Environment (DEM) agent
  5. VMware App Volumes (Agent) (*2)
  6. NVIDIA driver (*3)

Uninstall order:

  1. NVIDIA driver and reboot
  2. VMware App Volumes agent and reboot
  3. VMware DEM agent and reboot
  4. VMware Horizon Agent and reboot
  5. VMware Tools and reboot

Update VMware tools

Upgrade of VMware Tools does not require uninstall and reinstall of Horizon Agent as of Horizon 7.13 and Horizon 8 2106.

 

(*1) The NSX File and Network Introspection drivers are not installed by default.

(*2) In App Volumes 2.9 and later you can install the agent in any order.

(*3) When using NVIDIA GPUs

(*4) Upgrade of VMware Tools does not require uninstall and reinstall of Horizon Agent as of Horizon 7.13 and Horizon 8 2106.

 

Windows 10 with Horizon View Agent generates BSOD

After installing the VMware Horizon View Agent (6.1.1) on Windows 10 (tested with build 10240), the VM generates a Blue Screen Of Death (BSOD) when pressing Ctrl+Alt+Del/Ins.

The error is: DRIVER_IRQL_NOT_LESS_OR_EQUAL (kbdclass.sys).

To fix the problem (the solution was found on the Microsoft Community site):

  • RDP to the Windows 10 VM
  • Edit HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
  • Put the kbdclass value before the vmkbd value
  • Reboot the VM


After changing the UpperFilters value I was able to log in to the Horizon View desktop without a BSOD.
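
The registry steps above can be scripted so the change is repeatable across golden images. The following PowerShell is an added example, not part of the original post: the helper name Get-CorrectedUpperFilters and the backup file location are assumptions, and it must be run from an elevated session inside the VM.

```powershell
# Added example. Run in an elevated PowerShell session inside the Windows 10 VM.
$ClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$Backup   = Join-Path $env:TEMP 'keyboard-class-backup.reg'   # assumed backup location

function Get-CorrectedUpperFilters {
    # Hypothetical helper: returns the filter list with kbdclass placed directly
    # before vmkbd. The list comes back unchanged when either entry is missing
    # or kbdclass already precedes vmkbd.
    param([string[]]$Filters)

    $items = @($Filters | Where-Object { $_ })                    # drop empty strings
    $lower = @($items | ForEach-Object { $_.ToLowerInvariant() })
    $kbd   = [Array]::IndexOf($lower, 'kbdclass')
    $vm    = [Array]::IndexOf($lower, 'vmkbd')
    if ($kbd -lt 0 -or $vm -lt 0 -or $kbd -lt $vm) { return $items }

    foreach ($f in $items) {
        if ($f -ieq 'kbdclass') { continue }                      # emitted before vmkbd instead
        if ($f -ieq 'vmkbd')    { $items[$kbd] }
        $f
    }
}

# UpperFilters is a REG_MULTI_SZ value, so it is read and written as a string array.
$current = @((Get-ItemProperty -Path $ClassKey -Name UpperFilters).UpperFilters)
$fixed   = @(Get-CorrectedUpperFilters -Filters $current)

if (($current -join '|') -ceq ($fixed -join '|')) {
    Write-Output "No change needed. UpperFilters = $($current -join ', ')"
} else {
    # Export the key first so the old value can be restored with 'reg import'.
    $regPath = $ClassKey -replace '^HKLM:', 'HKLM'
    & reg.exe export $regPath $Backup /y | Out-Null
    Set-ItemProperty -Path $ClassKey -Name UpperFilters -Value $fixed -Type MultiString
    Write-Output "UpperFilters changed from [$($current -join ', ')] to [$($fixed -join ', ')]"
    Write-Output "Backup saved to $Backup. Reboot the VM to load the new filter order."
}
```

Any other filter entries in the value keep their relative order; only kbdclass is moved.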