VMware Hands-on Labs - HOL-1891-01-CHG


Lab Overview - HOL-1891-01-CHG - Horizon - Challenge Lab

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time. The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing. Please use the Module Switcher located on the Desktop to prepare the environment for the module in which you select.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

 

Lab Module List:

 Lab Captains:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

VMware Technology Network (VMTN)

For additional hints and to discuss the challenges presented in the lab further, be sure to visit the VMware Technology Netowork (VMTN) Community Pages:

https://communities.vmware.com/community/vmtn/challenge-lab/vrealize-operations

 

 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab can not be saved.  All your work must be done during the lab session.  But you can click the EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab is finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - First day at work: Introduction to the Environment (30 minutes)

Introduction


This module will challenge you to understand the Horizon Environment that you have just inherited.

This Module contains the following lessons:


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the modules using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 1

 

Click on the Start Button Below Module 1

 

 

Module Start

 

Wait for script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge: Inventory


During this module you will get familiarized with the Horizon environment you just inherited from the previous administrator. You will leverage tools and consoles for Horizon, vSphere, and App Volumes to get a better understanding of the current infrastructure. 

Take note of all resources, applications, performance, etc. Understanding the environment you have just inherited is very important as the CEO will be calling upon your expertise to help with company deliverables. You will be required to use these accounts (located here and in the Readme.txt file on the Desktop of the Main Console) and URLs to access the appropriate tools to remedy the challenges ahead.

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37021


 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To review the environment, you are going to need a web browser to connect to most administrator consoles.

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Review vSphere Environment

 

Log in to the vSphere Web Client and correlate some of the components: 


vSphere Web Client: https://vcsa-01a.corp.local/vsphere-client

  1. User: administrator@corp.local
  2. Password: VMware1!
  3. Click on Login

TIP: You can save time by clicking on User Windows session authentication and then on the Login button.

 

 

Review Networking & Security (NSX)

 

Log into NSX Manager:

Please use the "Networking & Security" link from vCenter to review the configuration

 

 

Review Active Directory

 

Login into Active Directory Users and Computers:

The Active Directory Users and Computers console can be launched from:

  1. Start Menu -> All Programs
  2. Administrative Tools
  3. Active Directory Users and Computers

Active Directory Console: accessed from Main Console

 

 

Review View Environment

 

Log into Horizon View admin console: 


View Admin Console: https://view-01a.corp.local/admin

  1. User name: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Log In

 

 

Log in to the User Environment Manager Console

 

Log in to User Environment Manager Console:

 

You can access the User Environment Manager Console by double clicking its icon on the Main Console desktop.

***PLEASE NOTE: User Environment Manager has not been configured and will prompt you to enter a UNC path. Please disregard as this will be configured later in the lab (Module 4). At this time, it is more important to recognize that User Environment Manager is licensed and available; even though it is not utilized at this point.***

 

 

Review App Volumes Deployed App Stacks

 

Log into App Volumes:

 

Connect to the App Volumes Management Console using the bookmark or go to https://appvol-01a.corp.local/login

  1. Username: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Login

 

Key Takeaways


Upon review of the environment, you will now have a good understanding of what you have just inherited.  You should understand potential limitations and concerns that could potentially come up as a result of how your predecessor deployed the End User Compute Resources.


 

Conclusion

This concludes Module 1: First day at work: Introduction to the Environment.  We hope you have enjoyed taking it. Please do not forget to fill out the survey when you are finished.

Always remember to review the current documentation and release notes.

https://docs.vmware.com/en/VMware-Horizon-7/index.html

https://docs.vmware.com/en/VMware-Horizon/7/rn/horizon-72-view-release-notes.html

 

Module 2 - Just-in-time Management Platform (JMP) Desktops (45 minutes)

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 2

 

Click on the Start button below Module 2

 

 

Stop Module 1

 

If you ran a previous module before Module 2, the STOP script for that module will be run (Module 1 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 2 Start

 

Wait for the Module 2 START script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge: Growth and Environment Optimization


As part of optimizing your environment, you have been tasked with reducing the storage footprint and reducing the burden on the maintenance windows required for desktop recomposing. During this module you will use Instant Clone technology to provide users with the ultimate flexible desktop: Just-in-Time desktops!


 

Challenge Description

A new project (sponsored by the CEO) has just kicked off. As a result, you have been asked to give all users access to specific applications and desktops. Normally, that should be an easy ask, however, you were recently informed that almost all of the storage provisioned for your Virtual Desktop environment has been consumed. So...HOW ARE YOU going to meet this requirement? What are some of the things you will need to consider and deploy to make this feasible?

You know your predecessor did some research into the advantages of leveraging Instant Clone technology to deploy Just-in-Time Desktops and found tremendous advantages:

You can find more information on Just-In-Time Desktops and Instant Clone technology here:

https://blogs.vmware.com/euc/2017/02/13490.html

https://blogs.vmware.com/euc/2017/02/jmp-modern-workspace-management.html

http://blogs.vmware.com/euc/2016/02/horizon-7-view-instant-clone-technology-linked-clone-just-in-time-desktop.html

These are the specific requirements for this challenge:

 

 

Required Information

The following information will be helpful in solving the challenge:

https://view-01a.corp.local/admin/

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37022

 

Hint: Where do I start?


Remember the blog post we referenced a couple of steps ago? Maybe there's some information there on how to create the desktop pool.

Just so you don't have to go back and look for the URL, here it is again: http://blogs.vmware.com/euc/2016/02/horizon-7-view-instant-clone-technology-linked-clone-just-in-time-desktop.html

Need more detailed information? There's always the official documentation: http://pubs.vmware.com/horizon-7-view/topic/com.vmware.horizon-view.desktops.doc/GUID-F5C53552-F6C8-4BE8-B486-9D172CA1F5CD.html

More? Tom Fenton at Virtualization Review has a great step-by-step guide: https://virtualizationreview.com/articles/2016/03/24/how-to-use-vmware-instant-clone-setup-and--installation.aspx

 


 

Hint 1: Where do I start? (answers)

At this point your Just-In-Time Desktop pool should be up and running and ready, but in case it is not, the following steps will guide you through the entire process.

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To connect to the Horizon View Administrator Console, you will need to launch Google Chrome:

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Open a New Tab

 

Open a new tab by clicking on the free tab button.

 

 

Start the Horizon View Administrator Console

 

Start the Horizon View Administrator Console by clicking on the provided bookmark. Alternatively, you can connect to https://view-01a.corp.local/admin

 

 

Log In to the VMware Horizon Administrator Console

 

  1. User name: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Log In

 

 

Open Desktop Pools

 

In the Inventory panel on the left, under Catalog, click on Desktop Pools.

 

 

Add a New Desktop Pool

 

Click on the Add... button to create a new desktop pool.

 

 

Automated Desktop Pool

 

Just-In-Time Desktop pools are always automated. Select Automate Desktop Pool and click Next >.

 

 

User Assignment

 

Just-In-Time Desktops are always Floating desktops. Select Floating and click Next >.

 

 

vCenter Server

 

Just-In-Time desktops use vSphere Instant Clone technology to create new VMs in a matter of seconds. Select Instant Clones, click on the vcsa-01a vCenter Server, and click Next >.

 

 

Desktop Pool Identification

 

Enter the following information and click Next >

 

 

Desktop Pool Settings

 

There is no need to change anything here. You can just click Next >

 

 

Provisioning Settings

 

  1. Naming pattern: W10-IC-{n:fixed=2}
  2. Max number of machines: 10
  3. Provision machines on demand: Select
  4. Click on Next >

 

 

Storage Optimization

 

We do not have VSAN set up or a different datastore to keep replicas, so just click Next >.

 

 

vCenter Settings (1)

 

Click on Browse.. to select the Parent VM.

 

 

Select Parent VM

 

Select the base-w10-x64-01 parent VM and click OK.

 

 

vCenter Settings (2)

 

Click on Browse... to select a snapshot.

 

 

Select Snapshot

 

There should only be one available snapshot in the parent VM, called Base-IC. Select it and click OK.

 

 

vCenter Settings (3)

 

To select the VM Folder Location, click Browse...

 

 

Select VM Folder Location

 

Select the RegionA01 folder and click OK.

 

 

vCenter Settings (4)

 

Click Browse... to select a Cluster.

 

 

Select Cluster

 

Select the RegionA01-IC01 cluster and click OK.

 

 

vCenter Settings (5)

 

Click Browse... to select a Resource Pool.

 

 

Select Resource Pool

 

Select the RegionA01-IC01 Resource Pool and click OK.

 

 

vCenter Settings (6)

 

Click Browse... to select the datastore.

 

 

Select Datastore

 

Select the COMP01-ISCSI01 datastore and click OK. You might need to expand the column size to see the full name of the datastores.

 

 

vCenter Settings (7)

 

Check that all the information is correct and complete and click Next >.

 

 

Guest Customization (1)

 

To specify an Active Directory Organization Unit (OU). Click on Browse...

 

 

Select AD Container

 

Expand the corp.local domain and search for the OU=Horizon. Select it and click OK.

 

 

Guest Customization (2)

 

Confirm that the AD conatiner is configured to OU=Horizon. Click Next >.

 

 

Ready to Complete

 

Select the option to Entitle users after this wizard finishes. Review the information and click Finish to start the desktop pool creation and provisioning.

NOTE: The full provisioning process will take between 20 - 30 minutes.

 

 

Entitlements (1)

 

Click the Add... button to add a user or group.

 

 

Find User or Group

 

  1. Deselect Users
  2. Look for Horizon
  3. Click on the Find button
  4. The Horizon Users group should populate in the results pane. Make sure to select it.
  5. Click OK.

 

 

Entitlements (2)

 

Make sure Horizon Users is entitled to the desktop pool. Click Close.

 

 

Monitor the Desktop Pool Provisioning (1)

 

To monitor the desktop pool provisioning, double-click on the Win10-IC desktop pool.

 

 

Monitor the Desktop Pool Provisioning (2)

 

In the Summary tab, scroll down until you see the vCenter Server section. There you will see the Pending Image status, in this case the state is Publishing and the operation is Initial Publish. This process will take between 20 and 30 minutes.

 

 

Monitor the Desktop Pool Provisioning (3)

 

When the process is finished, you will see the state change to Published.

 

Validate your Results


Now that we have created and provisioned our Just-In-Time Desktops pool, it is time to test it and validate it by connecting as an end user to the environment.


 

Test the new Just-In-Time desktop

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as "Lab1User"

 

  1. User name: "Lab1User"
  2. Password: VMware1!
  3. Domain: CORP
  4. Click "Login"

 

 

Connect to the Just-In-Time Desktop

 

Connect to the Just-In-Time Desktop by double-clicking on Windows 10 Instant Clone Desktops.

 

 

User Personalization

 

Once you log in, you will see the Windows 10 user profile creation process. This will take a few minutes.

Since this is a floating desktop, what is going to happen the next time the user logs in?

How could you mitigate this issue if you actually wanted the user profile to be destroyed after the session ends?

What if you want to keep the user configuration and profile?

 

 

Just-In-Time Desktop

 

You will eventually be logged in to the user desktop. Note that all your App Stacks will be available!

NOTE: If a dialog box with an UEM-related error appears, you can safely ignore it. UEM will be covered on a different module.

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To check the status of the VMs you are going to need the vCenter Web Client connected to vCenter vcsa-01a.corp.local:

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
  2. Log in using the username administrator@corp.local and password VMware1! (you can also use Windows Session Authentication)

 

 

Launch vSphere HTML5 Client

 

Use the provided bookmark to launch the vCenter HTML5 Client, or go to https://vcsa-01a.corp.local/ui/

 

 

vCenter Server (1)

 

Look at the VM inventory. You should see two desktop VMs (if both are not present, wait a minute and refresh): the current desktop VM the user is using (W10-IC01, in our case) and the new one that was just created to support new connections. In a production environment W10-IC02 would have been created in a matter of a few seconds.

 

 

Log Off from the Just-In-Time Desktop (1)

 

Click on the windows Start button. Click on the user name on top.

 

 

Log Off from the Just-In-Time Desktop (2)

 

In the pop-up menu, click on Sign out.

 

 

vCenter Server (2)

 

Switch windows to the vCenter Server Web Client (Google Chrome). Look at the VM inventory. Notice that the W10-IC01 desktop VM was destroyed after the user log off was finalized.

 

Conclusion


This module showed us a much better way to provision virtual desktops: Instant Clone technology.

Delivering Just-In-Time desktops using Instant Clone technology we:


 

Extra Credit

During this exercise we created a non-persistent desktop VM, meaning that the user data and configuration will be lost after each log out.

What if that is not our use case? What if we need to provide a persistent experience to the end user, but leveraging the simplicity and agility of Just-In-Time Desktops?

Using the same lab environment try to create a persistent experience by:

 

Module 3 - Just-in-time Management Platform (JMP) Applications (45 minutes)

Module Switcher Instructions


The following steps will instruct you on how to launch the modules using the Module Switcher tool.


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 3

 

Click on the Start button below Module 3.

 

 

Stop Module 2

 

If you ran a previous module before Module 3, the STOP script for that module will be run (Module 2 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 3 Start

 

Wait for the script to finish running. Press Enter to continue when the script prompts you to do so. This may take a few minutes.

 

Challenge: Deploying applications in a better way


After solving the main user reported issues, you finally get the opportunity to start improving your Horizon infrastructure. You have been assigned the task to provide users with two applications that are critical to the business operations at Rainpole: Notepad++ and PuTTY.

During this module you will leverage App Volumes 2.12.1 to deliver applications faster using a more reliable, modern architecture that separates application from OS image management.


 

Problem Description

Desktops without applications are... well, pointless. From your previous experience managing Virtual Desktop Infrastructure (VDI), Remote Desktop, and Published Application environments, you have dealt first hand with the difficulties of managing applications that are directly installed on OS images.

In this scenario, we need to deliver our two main business applications in the following manner:

Case in point: For this very simple scenario with two (2) applications and three (3) users, we would require three (3) different desktop pools if we were to install the applications directly on the OS image. Part of this lab challenge is to deliver all applications to all users, using a single Horizon View desktop pool and OS image.

It appears that your predecessor already started this process, given that:

 

 

Lab Notes

The following notes should be taken into consideration, given the nature of the lab environment:

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To solve the issue, you are going to need the vCenter Web Client connected to vCenter vcsa-01a.corp.local:

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.
  2. Use Windows Session Authentication to log in. Alternatively, you can log in using the username administrator@corp.local and password VMware1!

 

Hint 1: Who has access to Notepad++?


The first thing we want to do is verify the status of Notepad++, particularly:

  1. Which users currently have access to Notepad++?
  2. Which AppStack contains the Notepad++ application?
  3. Where is this AppStack stored?

The answers will be given in the next step.


 

Hint 1: Who has access to Notepad++? (answers)

The first thing we want to do is verify the status of Notepad++, particularly:

  1. Which users currently have access to Notepad++?

Five users (Lab1User through Lab5User) currently have access to Notepad++. This needs to be corrected since according to the requirements, only the "Lab1User" and "Lab2User" should have access to the application.

  1. Which AppStack contains the Notepad++ application?

The application Notepad++(7.4.1) is contained in the Notepad++ AppStack.

  1. Where is this AppStack stored?

The AppStack is located in the COMP01-ISCSI01 datastore in /appvolumes/apps/notepad.vmdk with its corresponding notepad.vmdk.metadata file.

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37023

The following steps will detail the process of obtaining the information and addressing the required configuration changes.

 

 

Opening the App Volumes Admin Console

 

  1. Open a new tab on Google Chrome by clicking on the next empty tab.
  2. Click on the provided App Volumes Admin bookmark. Alternatively, you can enter the full address in the location bar: https://appvol-01a.corp.local/.

 

 

Logging in to the App Volumes Admin Console

 

Use the following information to log in to the App Volumes Manager Console:

  1. Username: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Login

 

 

Checking Application Entitlements

 

Once connected, select the Volumes tab on the toolbar. Then proceed to select the AppStacks tab.

You will see a list of all the application assignments in the environment. Select the + sign to expand the details for the Notepad appstack.

 

 

Assignment Properties

 

To review existing assignments, click on the Assignments link. This will display all users that have been granted access to this appstack.

Our requirement states that only the "Lab1User" and "Lab2User" should have access to this application. Let's go ahead and fix this.

 

 

Modifying Appstack User Assignments

 

Click on the Unassign button to remove user assignments.

 

Ensure that only "Lab1User" and "Lab2User" are assigned. Use the checkbox in the dialog box to select the users that need to be unassigned. Click the Unassign button and follow the prompts.

LAB NOTE: In a production environment it is recommended that you assign applications to security groups rather than directly to users.

 

 

What AppStack contains this application?

 

An AppStack might contain several applications. In this case, we want to know which AppStack is serving the Notepad++ application. To accomplish this:

  1. Click on the Applications tab on the toolbar. Scroll to find the application in question (in this case it is Notepad++).
  2. Refer to the middle column called AppStack. Here you will find the name of the appstack in which the application resides. You will notice it states Notepad. Click on Notepad.

 

 

Application Properties

 

In our case the AppStack is also called Notepad. The names do not have to necessarily match in all circumstances. Notepad could have been part of an AppStack called Executive-Apps serving multiple applications, Notepad++ being just one of them.

 

 

Where is the AppStack stored?

 

To find out the where the AppStacks are being stored:

  1. Click on Locations.
  2. A dialogue box will appear to the right displaying the location where the appstack is being stored.

 

 

App Stacks Location

 

Now that we know where the AppStack is being stored, let's take a closer look.

  1. Login to the vSphere Client (Launch the Chrome Browser from the Main Console Desktop).
  2. The tab should default to the vSphere Client. Alternatively, you can use: http://vcsa-01a.corp.local/ to launch the vSphere Client.

Use the following information to log in to the vSphere Client:

  1. Username: administrator@corp.local
  2. Password: VMware1!
  3. Click on Login

 

Once in the vSphere Client...

  1. Click on the Datastore icon.
  2. Click on the Datastore listed in the left tree.
  3. In the right hand pane, click on Configure -> Files.
  4. Select the appvolumes folder and then select the apps folder.

You will now see all of the AppStacks being stored on the App Volumes repository. We have one last item for you to be aware of. Please go back to the AppVolume Manager Console.

 

 

Edit Storage Location

 

In order to define or modify the storage location for the appstacks you must go into the Configuration tab in the Appvolume Manager Console.

  1. Select the Configuration tab.
  2. Select the Storage tab.
  3. From here you can see and modify all of the information pertaining to where and how the AppStacks are stored.

 

There it is! You can see that the AppStacks are being stored in the /appvolumes/apps folder in the COMP01-ISCSI01 datastore. This will be very important if we want to add new AppStacks, and since we don't have an AppStack for PuTTY, it will be a good idea to write this down so we know where to put our new AppStacks.

 

Hint 2: How do we deliver Putty?


At this point we have taken care of Notepad++ and the appropriate users have access to it. Now we have to find a way to deliver Putty to "Lab1User" and "Lab3User".

As you try your own approach to delivering Putty, think of the following:

  1. What mechanisms are available in our environment to deliver Putty?
  2. Should we create a new AppStack or can we add the application to an existing one?

You can find the answers to these questions in the following step.

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37023


 

Hint 2: How do we deliver Putty? (answers)

 

As you try your own approach to delivering Putty, think of the following:

  1. What mechanisms are available in our environment to deliver Putty?

You could either install the application natively on the OS image, or deliver it using App Volumes. Since not all users will have access to the application and we want to separate and simplify our application management, the recommended approach is to leverage App Volumes.

  1. Should we create a new AppStack or can we add the application to an existing one?

In AppVolumes 2.12.1 assignments are mapped to AppStacks. In the lab we will create a new AppStack for Putty.

The best place to start is the documentation. http://pubs.vmware.com/appvolumes-212/index.jsp#com.vmware.ICbase/PDF/ic_pdf.html

 

 

The Clean Machine

 

To capture applications, you will need a clean machine to create or modify AppStacks. In our lab environment this machine is called Appvol-Capture. A snapshot of the machine's clean state has already been taken so you can revert to it after capturing a new application.

From the vCenter Web Client, search for the Appvol-Capture machine and click on its name in the search result box.

 

 

Launch AppCapture Remote Console

 

Launch the AppCapture machine's Remote Console by clicking on Launch Remote Console.

 

 

Log into AppVolumes Admin Console (1)

 

  1. Open a new tab on Google Chrome by clicking on the next empty tab.
  2. Click on the provided App Volumes Admin bookmark. Alternatively, you can enter the full address in the location bar: https://appvol-01a.corp.local/.

 

 

Log into AppVolumes Admin Console (2)

 

Use the following information to log in to the App Volumes Manager Console:

  1. Username: administrator
  2. Password: VMware1!
  3. Domain: CORP
  4. Click on Login

 

 

Create an AppStack (1)

 

  1. Select Volumes and then select the AppStacks tab.
  2. Click on Create AppStack.

 

 

Create an AppStack (2)

 

  1. Fill in Name field with Putty.
  2. Populate the Description field with Putty Appstack.
  3. Click Create.

 

 

Create an AppStack (3)

 

Leave the default. Click Create.

 

 

Wait for the creation process to finish

 

Wait until the pending operation finishes. The number in the top right corner will go back to 0 once the process finishes.

 

 

Refresh Console

 

Click on the browser's refresh button to update the list of available AppStacks.

 

 

Select the Putty AppStack

 

Click on the recently created Putty AppStack. Note that it's current status is listed as Unprovisioned.

 

 

Provision Putty AppStack (1)

 

Click Provision.

 

 

Provision Putty AppStack (2)

 

  1. Type app in the Find Provisioning Computer search field and click Search.
  2. Click the radio button on the right hand side to select the APPVOL-CAPTURE machine.
  3. Click Provision.

WARNING: If the APPVOL-CAPTURE machine shows as Disabled, you will need to re-sync the AppVolumes Manager with the machine  agents. Go to  Directory -> Computers and click on the blue Sync button. Wait for all 59 machines to sync. You will see the progress in the upper right of tthe console.

 

 

Provision Putty AppStack (3)

 

Click Start Provisioning.

 

 

Provision Putty AppStack (4)

 

The Putty appstack will now display a Complete button. DO NOT click this button at this time. This has now enabled the appvol-capture machine to be ready for the application provisioning process. We now have to move to the appvol-capture machine to start the application installation and provisioning. We will return to this step once we have completed the application install process.

 

 

Log in to the AppCapture machine

 

Return to the remote console session (appvol-capture) you had opened earlier. You will now see a dialogue box in the middle of the screen. DO NOT touch this box at this time.

 

 

Putty Installation Files (1)

 

Browse to \\controlcenter\c$\Program Files (x86). Select the PuTTY folder and Right-click and select copy.

 

 

Putty Installation Files (2)

 

Right-click and paste it to the local C:\Program Files (x86).

 

 

Putty Installation Files (3)

 

Click Continue, if you receive a folder permissions issue.

 

 

Putty Installation Files (4)

 

You will now see the PuTTY folder in the directory. Next you will need to create a shortcut for the PuTTY application and place it in the Public Users Desktop folder.

 

 

Permissions for Public Users (1)

 

Next you will need to create a shortcut for the PuTTY application and place it in the Public Users Desktop folder. Right-click on the PuTTY.exe file and select Create shortcut.

 

 

Permissions for Public Users (2)

 

Click Yes.

 

 

Permissions for Public Users (3)

 

The shortcut will now appear on the desktop.

 

 

Permissions for Public Users (4)

 

Next, rename the shortcut to putty (appstack). This will allow you to identify it as an application published via an appstack.

 

 

Permissions for Public Users (5)

 

Next, Right-click and select cut on the putty (appstack) shortcut. Proceed to Right-click and paste it to the C:\Users\Public\Public Desktop folder.

 

 

Permissions for Public Users (6)

 

Click Continue, if you receive a folder permissions issue.

 

 

Finish Provisioning Process (1)

 

Once the copy is complete, proceed to close the open folder window. The desktop should now look as above. Now that you have setup PuTTY, you can finish the provisioning process. Click Ok.

 

 

Finish Provisioning Process (2)

 

Click Yes.

 

 

Finish Provisioning Process (3)

 

Click Ok.

 

 

Finish Provisioning Process (4)

 

Click Ok.

 

 

Finish Provisioning Process (5)

 

The appvol-capture machine will now restart. The machine will log back into the desktop automatically.

 

 

Finish Provisioning Process (6)

 

If you receive the above message. Click Ok. This means that the application provisioning process has completed. You have now captured the application. DO NOT forget to shutdown and revert to your saved snapshot for the appvol-capture machine. This will allow you to provision a clean appstack going forward.

You will now return to the AppVolume Manager Console to finish the last steps of the provisioning process.

 

 

Finish Provisioning Process (7)

 

Now that the Provisioning process is complete. You are can now proceed to assign the appstack to users.

 

Hint 3: Assign Putty


Now that we have a Putty App Stack, it is time to assign it to the right users!

See if you can assign the application to the "Lab1User" and "Lab3User" users.

In the following steps, the process will be shown.

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37023


 

Assign the Putty appstack to users

 

In the App Volumes Manager console, select the Volumes tab. Then select the AppStack tab. Expand the Putty appstack and then click on Assign.

 

 

Assign the Putty application to users (1)

 

  1. Type "lab" in the Search Active Directory" field and then click Search.
  2. This will populate the list of lab users in the environment.

 

 

Assign the Putty application to users (2)

 

  1. Use the checkbox to select which users need to be assigned.
  2. Click on Assign.

 

 

Confirm Assignment (1)

 

Determine when you would like to assign this appstack to the user(s). In the case of this lab, we will use the default.

Click Assign to continue.

 

 

Confirm Assignment (2)

 

Notice it now shows 2 Assignments. You have successfully assigned users to this appstack.

 

Validate your results!


Log in to the published desktop with each user to validate the applications. The following steps will detail the process.


 

Connecting to the Desktop

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as the appropriate User

 

  1. User name: "Lab1User", "Lab2User" or "Lab3User". (Depending on which user you are testing).
  2. Password: VMware1!
  3. Domain: CORP
  4. Click "Login"

 

 

Set Desktop Pool to Fullscreen

 

Verify that the deskop pool is set up to be displayed in full screen mode. To accomplish this, right-click on the desktop icon and select Display->Fullscreen.

 

 

Validate AppStack Assignment

 

Once logged into the virtual desktop, you will quickly tell whether your effort to create and assign an appstack was successful or not. If successful, you should see something similar to what is above.

Validate your findings. Log in with lab1user and check that they see both apps, lab2user should only have notepad and putty, and lab3user putty only.

 

Conclusion


When connecting to the virtual desktops of the "Lab1User", "Lab2User", and "Lab3User" users, you should be able to see the right applications available on their desktop (see next step).

As you have seen during this module, App Volumes provides a much better way to deliver applications to users. Among other things:

  1. Did you notice that we NEVER touched the base OS image? No more maintenance windows, recomposing, etc.!
  2. Although the lab is limited in resources, you could deliver an application instantly to thousands of users across your organization from a single console.
  3. The separation of management layers, from base OS to application, makes for a better IT organizational structure. You could delegate the administration of the applications to the line of business owners.
  4. Application Lifecycle Management is streamlined by controlling which users can access the application, delivering fast updates, rolling back versions in case of emergency, and decomissioning applications.

 

The "Lab1User" Desktop

 

This is what the "Lab 1User" desktop should look like, with both applications available on the desktop. The "Lab2User" and "Lab3User" desktop should only show the Notepad++ and PuTTY applications respectively.

 

Module 4 - Just-in-time Management Platform (JMP) User Configuration (30 Minutes)

Introduction


This module will challenge you to understand the Horizon Environment that you have just inherited.

In order to complete this module you will need to ensure that you have completed the following:


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 4

 

Click on the Start button below module 4.

 

 

Stop Module 3

 

If you ran a previous module before Module 4, the STOP script for that module will be run (Module 3 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 4 Start

 

Wait for the Module 4 START script to finish running. Press Enter to continue when the script prompts you to do so. This may take a few minutes.

 

Challenge: Provide Users with consistent experience


With multiple access methods, users are reporting that their user experience is not consistent across the board. During this module, you will leverage User Environment Manager to address this issue and provide your users with a consistent experience across Instant Clone Desktops, RDS Hosted Desktops and Traditional Virtual Desktops.

Please access the User Environment Manager Console from the Main Console.

Please note that UEM files are stored in \\controlcenter\config\general.


 

Problem Description

Different tools make sense for different use cases. Sometimes it will be more practical to deliver an application as a published application from a Remote Desktop Session Host (RDSH) server, in other cases a Virtual Desktop (VDI) will provide a better user experience.

Regardless of the method we choose to deliver a desktop or application, user acceptance hinges heavily on them having a good consistent experience across the board, be it using RDSH, VDI, or even their physical desktops.

Based on the business requirements, the following technical configuration needs to be achieved:

  1. User should always have an F: drive mapped to \\controlcenter\AppStacks
  2. A log of the user customization process must be kept
  3. Provide consistent user experience for PuTTY.
  4. Provide consistent user experience for Notepad++.

The above configuration should be available regardless if the user is connecting using VDI or RDSH.

 

 

Lab Notes

For this challenge, you will be leveraging VMware User Environment Manager (UEM) to maintain, deliver, and enforce the required user configurations.

The following notes should be taken into consideration, given the nature of the lab environment:

QUESTION: Where is the UEM server? That is a trick question because there is no UEM server. The entire configuration is kept in file shares.

 

 

Log in to the User Environment Manager Console

 

You can access the User Environment Manager Console by double clicking its icon on the Main Console desktop.

 

 

What now? Documentation

A good place to start is the UEM Administrator Guide: http://pubs.vmware.com/uem-92/index.jsp

The following link provides a good overview of the implementation process: http://pubs.vmware.com/uem-92/topic/com.vmware.user.environment.manager-install-config/GUID-49DCFF50-0522-4A43-8874-93CD78C8E540.html

Remember your predecessor already started the process, so the required software is already installed, even the UEM Administrative Templates for Group Policy Objects (GPOs) are ready, but the GPOs are not there yet. The required file shares are also created.

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37024

 

Hint 1: Let's review all the steps


The UEM Administrator Guide has a good list of high level steps required to implement UEM. Review the list and determine which steps you need to take to accomplish your task.


 

List of required steps

 

In the image you will see the list of high level steps required to implement UEM, directly obtained from the UEM Administrator Guide.

The crossed out steps are not required because they have been done already by your predecessor. We will run FlexEngine as a Group Policy extension, so there is no need for a logon script.

That means that the only steps left are:

 

Hint 2: Consistency across RDS and Traditional Virtual Desktops


How do you create consistency across the various user environments, etc.?

Have you considered using RDS Volatile Environment Variables?


Hint 3: UEM Management Console configuration


First things first: we need to configure the UEM Management Console to be able to manage UEM.

Check the UEM Administrator Guide to configure the UEM Management Console.


 

Configure the UEM Management Console

 

The UEM Administrator Guide details the UEM Management console process.

 

After starting the UEM Management Console for the first time, you have to select a location where the UEM configuration will be stored:

  1. Enter \\controlcenter\config in the Location field
  2. Click OK

For our requirements, that is it. Simple enough.

*http://pubs.vmware.com/uem-92/topic/com.vmware.user.environment.manager-install-config/GUID-9F060F1C-DF57-4227-876E-D694B27C5379.html?resultof=%22%63%6f%6e%73%6f%6c%65%22%20%22%63%6f%6e%73%6f%6c%22%20%22%63%6f%6e%66%69%67%75%72%61%74%69%6f%6e%22%20%22%63%6f%6e%66%69%67%75%72%22%20

 

 

Hint 4: Point the clients in the right direction


The next step in the process will be to point clients in the right direction. To put it another way: How are the users going to know from where to pull their configuration information?


 

Let's check out the list

 

According to our list we now need to create a UEM GPO. That is from where our users are going to pull their UEM configuration.

This process is described in the UEM Administrator Guide starting on page 23. Try for yourself, but if you get stuck the next steps will guide you through the process.

 

 

Start the Group Policy Management Console

 

You will find the Group Policy Management Console in the Main Console, under:

 

 

Create the GPO

 

In the Group Policy Management Console, navigate the AD tree until you find the Horizon OU. Right-click and select Create a GPO in this domain, and Link it here...

 

 

Name the GPO

 

  1. Name the new GPO UEM Policy
  2. Click OK to continue

 

 

Edit the GPO

 

  1. Expand the Horizon OU by clicking on the triangle on the left
  2. Right-click on the UEM Policy
  3. Select Edit...

 

 

Configure FlexEngine Settings

 

Expand the GPO tree on the left until you get to:

FlexEngine is the UEM component that runs on the user's desktop, physical or virtual. Sometimes it is casually referred to as the "UEM Client".

We are going to configure the following FlexEngine Settings:

 

 

Flex config files

 

This is the setting that tells the FlexEngine (UEM Client) from where to get the configuration.

  1. Click on Enable
  2. Enter \\controlcenter\config\general
  3. Click OK

Leave the option to Process folder recursively enabled.

 

 

Profile archive backups

 

  1. Click on Enabled
  2. Enter the following location for storing user profiles archive backups: \\controlcenter\profiles\%username%\backups
  3. Click OK to continue

 

 

Profile Archives

 

  1. Click on Enabled
  2. Enter the following location for storing user profile archives: \\controlcenter\profiles\%username%\Archives
  3. Click on OK to continue

 

 

Run FlexEngine as Group Policy Extension

 

We are going to run FlexEngine as a Group Policy Extension so that we will not need a logon script. We will need a logoff script that we will set up later, as well as make sure to wait for the network at computer startup and logon, to make sure the FlexEngine configuration is processed before the user session starts.

  1. Click on Enabled
  2. Click on OK

 

 

FlexEngine logging

 

  1. Click on Enabled
  2. Enter the following path and name of log file: \\controlcenter\profiles\%username%\logs\flexengine.log
  3. Click on OK to continue

You can leave the rest of the parameters with their default values.

 

 

Always wait for the network at computer startup and logon

To make sure that that the UEM configuration is processed properly, we need to make sure that the network is available to the user desktop before processing Group Policy Extensions.

Since this is a computer configuration, rather than a user configuration, we would need to create or modify an existing  GPO and link it to the user's computers. In our case, all computers are in the Computers container (this would not be recommended in a real production environment). Since Computers is a container, we cannot link an OU here, so we will have to bind it at the domain level. In our case, we will modify the Default Domain Policy.

 

 

 

Edit the GPO

 

Go back to the Group Policy Management Console:

  1. Expand the corp.local domain by clicking on the triangle on the left
  2. Right-click on the Default Domain Policy GPO
  3. Select Edit...

 

 

Configure Logon Settings

 

Expand the GPO tree on the left until you get to:

Double click on Always wait for the network at computer startup and logon

 

 

Always wait for the network at computer startup and logon

 

  1. Click on Enabled
  2. Click on OK

 

Hint 5: Make sure the user configuration is saved at logoff


To make sure that the user configuration persists from one session to the next, make sure that the user configuration is saved at logoff.

You can always check the UEM Administrator Guide* to understand the process and try for yourself, or look at the following steps for details.


 

Let's check out the list

 

According to our list, we now need to add a command to the logoff script. That is how we are going to make sure that any user configuration changes are saved before the user logs off.

This process is described in the UEM Administrator Guide. Try for yourself, but if you get stuck, the next steps will guide you through the process.

QUICK TIP: In the lab environment, the FlexEngine installed in the clients was installed in the C:\Program Files\Immidio\Flex Profiles\.

 

 

Edit the UEM GPO

 

Go back to the Group Policy Management Console and edit the UEM Policy (see previous steps if you need help)

Navigate to

Double-click on Logoff to edit the setting.

 

 

Logoff Properties

 

In the Logoff Properties dialog box, click on Add...

 

 

Add a Script

 

Use the following command for the Script Name:

C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe -s

 

Click OK.

 

Hint 6: Configure the Applications


We have User Environment Manager up and running, but it is not actually doing anything because we have not set up any configuration yet.

Maybe we should be looking at how to configure UEM to manage the configuration for PuTTY and Notepad++.

 


 

Let's check out the list

 

According to our list, we now need to create the Flex config files. That is how we are going to manage the application configuration, save it, and make sure it is available to provide a consistent user experience.

This process is described in the UEM Administrator Guide starting on page 37. Try for yourself, but if you get stuck, the next steps will guide you through the process.

 

 

Create Config File

 

Click the Create Config File button.

 

 

Create a custom config file

 

  1. Select Create a custom config file
  2. Click Next to continue

 

 

Config file name

 

  1. Enter Notepad++ for the File name
  2. Click Finish

 

 

Import / Export Settings (1)

 

We are in luck because we know very well how Notepad++ keeps its configuration. Everything is kept in several files in %AppData%\Notepad++ according to their documentation: http://docs.notepad-plus-plus.org/index.php/Configuration_Files So we need to make sure that everything in that folder tree is kept as part of the user configuration.

  1. Click anywhere in the white edit area to declare the Import / Export settings.
  2. Click on the Section button to add a new section.
  3. Select IncludeFolderTrees from the dropdown menu

 

 

Import / Export Settings (2)

 

Complete the information so that the Import / Export configuration looks like this:

[IncludeFolderTrees]
<AppData>\Notepad++

Select the DirectFlex tab before proceeding to the next step.

 

 

DirectFlex Configuration

 

Configuring DirectFlex will allow us to load and save the configuration of an application when the application is launched and closed. This will be very useful later when we are running a VDI session and we decide to launch a Published Application before finishing the VDI session.

Click on Enable DirectFlex for this config file

 

 

DirectFlex Executable Path

 

  1. Enter the following path for the executable: C:\Program Files (x86)\Notepad++\Notepad++.exe
  2. Click OK to continue

 

 

Save Config File

 

Click on Save Config File

 

 

EXTRA CREDIT: PuTTY Configuration

 

To create the configuration file for PuTTY, repeat the same process we used to create the configuration file for Notepad++, with the following changes:

 

Hint 7: Mapped Drives


We only have one more thing on our list: mapping the F: drive to \\controlcenter\AppStacks.

The UEM Administrator Guide surely has information on the subject.


 

Let's check out the list

 

Last thing on our list! We need to configure the user environment to set up the network drive mapping.

This process is described in the UEM Administrator Guide starting on page 77. Try for yourself, but if you get stuck, the next steps will guide you through the process.

 

 

Create Drive Mapping

 

  1. Select the User Environment tab
  2. Select Drive Mapping from the list on the left
  3. Click on the Create button

 

 

Drive Mapping Information

 

Enter the following information:

  1. Name: AppStacks
  2. Drive Letter: F
  3. Remote Path: \\controlcenter\appstacks
  4. Click on Save to continue

 

Solution


With multiple access methods users are reporting that their user experience is not consistent across the board. You were given the task of creating a consistent user experience by leveraging User Environment Manager.

There are 3 key components in User Environment Manager that need to be configured. These are:

  1. Configure Flex Config File(s)
  2. Create Condition Sets
  3. Enable FlexEngine Policies and leverage RDS Volatile Environment Variables in order to provide a consistent user experience.

 

Add Flex Config File Location (This has already been completed for you in the lab)

 

 

 

Modify the VMware UEM policy. Select the User Configuration->Administrative Templates->VMware UEM->FlexEngine Policy.

 

 

 

Create a User Environment Policy

 

 

 

Modify the Drive Mappings Attributes

 

 

 

Create Conditions for Notepad++

 

 

 

Ensure the Users are in Active Directory

 

 

 

Create a .BAT file to easily launch the PowerShell Script

 

Create a ViewVariables.bat file that contains the logic to launch the PowerShell script.

The script should contain the following.

@ECHO OFF
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden “&  ‘\\controlcenter\software\ViewVariables.ps1′”

Note The \\unc-path to your ViewVariables PowerShell Script.

***This has already been created for you in the lab. Reference for this solution comes from https://virtualmarkr.wordpress.com/2015/11/23/vmware-euc-uem-using-rds-volatile-environment-variables/***

 

 

User Environment Logon Tasks

Since we need the variables to be available for other configurations you will want to configure a Logon Task to launch the script.

This task will run a script located on a \\unc\path for any user that logs on to a server name that starts with RDS.

 

 

User Environment Triggered Tasks

One of the benefits of a remote session is that you can connect from multiple locations and multiple device types and when you are leveraging an RDS session. Many times your users are still logged on to the RDS server, but their session is disconnected.  These variables need to be updated on every connection to be available for other configurations you will want to configure a Triggered Task to launch the script.

This task will run a scripted located on a \\unc\path for any user that logs on to a server name that starts with RDS.

 

 

Condition Sets

Conditions are used to control whether and when certain User Environment Manager actions are performed, and condition sets are used to centrally group conditions that are then available for reuse

 

Validation


All the hard work is done and now it's time to validate that everything is working properly.

To validate our configuration we are going to:

EXTRA CREDIT: If you ran through Module 3 Just-in-time Management Platform (JMP) Applications you can validate that the application configuration persists even if the desktop is destroyed after the user logs off.

* NOTE: PuTTY will only be available if you ran through Module 3


 

Launch VMware Horizon Client

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as "Lab1User"

 

  1. User name: Lab1User
  2. Password: VMware1!
  3. Domain: CORP
  4. Click Login

 

 

Set Desktop Pool to Fullscreen

 

Verify that the deskop pool is set up to be displayed in full screen mode. To accomplish this, right-click on the desktop icon and select Display->Fullscreen.

 

 

Launch the Win10-IC Desktop

 

Double-click on the Windows 10 Instant Clone icon

 

 

Verify Drive F Mapping

 

Wait for the desktop to launch.

Once Windows Explorer finishes loading, verify that the F drive was properly mapped by

  1. Clicking on the folder icon in the Quick Launch Bar
  2. Click on This PC to get a list of the drives
  3. There it is!

 

 

Launch Notepad++

 

Close the Windows Explorer windows and launch Notepad++ from the desktop icon.

 

 

Change Notepad++ Preferences

 

Change the user preferences by selecting the Settings -> Preferences... menu.

 

 

Set Big Icons

 

  1. Select Big icons
  2. Click Close

Notice our new fancy big icons and close the application.

 

 

Launch Notepad++ Published Application

 

Minimize the VDI session to go back to the Main Console.

Use the Horizon Client to launch the Notepad++ Published Application.

 

 

Verify Big Icons

 

Wait for the Notepad++ Published Application to launch and you will see the big icons in the toolbar. The setting was preserved from one session to another, from one machine to another, from one OS to another!

 

 

Verify Drive F Mapping

 

Use the File -> Open menu to verify that you can access the F drive from the Published Application.

 

Key takeaways


User Environment Manager is very powerful and, with the correct conditions, can be extremely granular providing user environment setup or application configuration management.

Leveraging custom scripts will allow you to enhance your deployment and manage every use case that comes your way.

Folder Redirection lets you configure redirection of a folder from within the VMware User Environment Manager. Hence Active Directory GPOs for redirection are not required.

Horizon Policies or Smart Policies are an integration between UEM 9 and Horizon 7 with conditional support for poolnames, tags, endpoint location, and View name and IP information. Administrators can use Horizon Policies to contextually and dynamically control the system clipboard, client drive, USB access, printing capabilities, and bandwidth profiles for PCoIP connections.

 

Documentation to reference:

User Environment Manager Administrator’s Guide https://www.vmware.com/pdf/uem-90-admin-guide.pdf

Aaron Black's blog on Horizon 7 Smart Policies http://blogs.vmware.com/euc/2016/05/vmware-horizon-7-implementation-with-smart-policies.html

Dale Carter’s blog on VMware User Environment Manager Deployed in 60 Minutes or Less
 https://blogs.vmware.com/euc/2015/04/vmware-horizon-view-user-environment-manager-deploy-60-minutes.html

Mark Richards blog on Using RDS Volatile Environment Variables https://virtualmarkr.wordpress.com/2015/11/23/vmware-euc-uem-using-rds-volatile-environment-variables/

VMware End-User-Computing TV 
https://bit.ly/how-to-uem


 

Conclusion

This concludes Module 4: Just-in-time Management Platform (JMP) User Configuration.  We hope you have enjoyed taking it. Please do not forget to fill out the survey when you are finished.

 

Module 5 - Horizon Published Apps (30 minutes)

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 5

 

Click on the Start button below Module 5

 

 

Stop Module 4

 

If you ran a previous module before Module 5, the STOP script for that module will be run (Module 4 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 5 Start

 

Wait for the Module 5 START script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge: Delivering applications to users


Now that you have proven that you can deliver desktops to any user on any device, your organization has a new challenge. As it turns out, certain users do not need a desktop but what they do need are applications.

The marketing department at your organization has decided to give access to a third party to videos that have been created in-house. Being very sensitive about their intellectual property, they do not want the video files being transmitted or kept in devices outside of the organization.

So as you start thinking about delivering virtual desktops to the users with the required applications, you realize this third party users already have a local desktop on their devices that is completely out of your management or control. If only you could deliver only the required application without the whole desktop!


 

Challenge Description

The marketing department has asked you to deliver VLC to a third party, so that they can review videos that are produced in-house, making sure that the connection is secure and encrypted, and without transmitting any files.

You have been asked, if possible, not to deliver an entire desktop, since the remote users already have a local desktop that it is being managed by the third party.

Going through your inventory, you realize you already have an AppStack with VLC installed on it, that you are currently using for virtual desktops. Would it be possible to re-use the same AppStack to deliver only the application?

These are the specific requirements for this challenge:

 

 

Required Information

The following information will be helpful in solving the challenge:

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37025

 

Hint 1: Publishing Applications


If you do not need to deliver a full desktops experience to your users, App Publishing is a great mechanism to securely deliver just the required application in a way that integrates with the user's local desktop.

Here is a good introduction to the functionality: https://blogs.vmware.com/euc/2014/09/vmware-horizon-6-supports-application-delivery-rds-hosting.html

Need more detailed information? There's always the official documentation: http://pubs.vmware.com/horizon-71-view/topic/com.vmware.horizon.published.desktops.applications.doc/GUID-432D8E41-476E-49E9-8539-1F56E89DD73C.html


 

Hint 1: Publishing Applications

You are half way there. You have a mechanism to deliver an application from a server to the end user. But how are you going to get the application to the server in the first place?

Continue to the next step to see the next hint.

 

Hint 2: AppStacks!


The best way to manage applications in a VDI or Application Publishing environment is by using AppStacks managed by App Volumes.

This way you can de-couple applications from the desktop or server base images, and manage the provisioning of applications separately from the delivery of applications or desktops.

In previous modules we looked at assigning AppStacks to specific users, so that an application would be available to them, regardless of which desktop they used to connect to the environment. How could we translate AppStack assignment when Publishing Applications?

 


 

Hint 2: AppStacks!

Now we have the other half. In order to provision VLC to the RDSH-01A server, we need to assign an AppStack to it.

Try to finish the challenge with this information, but if you are stuck, the following steps will walk you through the entire process of assigning the AppStack and publishing VLC.

 

Solution


The following steps will walk you through the solution to the challenge.


 

Opening the App Volumes Admin Console

 

  1. Open a new tab on Google Chrome by clicking on the next empty tab.
  2. Click on the provided App Volumes Admin bookmark. Alternatively, you can enter the full address in the location bar: https://appvol-01a.corp.local/.

 

 

Log In to the App Volumes Management Console

 

Use the following information to log in to the App Volumes Manager Console:

  1. Username:administrator
  2. Password:VMware1!
  3. Domain:CORP
  4. Click onLogin

 

 

Look for the Sample Apps AppStack

 

  1. Select Volumes.
  2. Then select the AppStacks tab.
  3. Click on + to expand the Sample Apps.

 

 

Assign the Sample Apps AppStack

 

  1. Select Sample Apps.
  2. Select the checkbox on the right hand side.
  3. Click Assign.

 

 

Assign AppStack to RDSH server

 

  1. In the Search Active Directory field, type "rdsh".
  2. Click on Search.

 

 

Assign AppStack to RDSH server (2)

 

  1. Select RDSH-01A.
  2. Select the checkbox on the right hand side
  3. Click Assign.

 

 

Assign AppStack to RDSH server (3)

 

  1. Select the bottom radio button, "Attach AppStacks immediately".
  2. Click Assign.

 

 

Connect to vSphere Client

 

If you don't have a tab open to the vSphere Client, open one by clicking on the new tab and selecting the HOL-1891 Admin -> vCenter Web Client bookmark.

 

Use the following information to log in to the vSphere Client:

  1. Username:administrator@corp.local
  2. Password:VMware1!
  3. Click onLogin

 

 

Search for the RDSH VM

 

  1. In the search field, type "RDSH".
  2. Click on rdsh-01a.

 

 

Launch Remote Console

 

  1. Click on the Summary tab.
  2. Click on Launch Remote Console.

 

 

Press Ctrl+Alt+Delete to sign in

 

  1. On the VMRC console window, click on the "Ctrl+Alt+Del" icon.

 

 

Log in to the RDSH console

 

Use the following information to log in to the RDSH Console:

  1. Username:corp\administrator
  2. Password:VMware1!
  3. Click on Login

 

 

Verify App Stack has been mounted

 

Once logged in, confirm that the VLC application appears on the desktop.

NOTE: You might receive an error dialog related to UEM if you have not done Module 4 yet. You can safely ignore the error message.

 

 

Sign out from the RDSH Console

 

Log out of the RDSH Console.

  1. Right-click on the Windows icon.
  2. Select Shutdown or signout and then proceed to select Sign out.

This will log you out of the console.

 

 

Connect to Horizon View Administrator Console

 

On the Main Console, double click on Google Chrome. Alternatively, you can use an existing browser session if you have one left open.

 

  1. Open a new tab on Google Chrome by clicking on the next empty tab.
  2. Click on the provided View-01A Admin bookmark. Alternatively, you can enter the full address in the location bar: https://vcsa-01a.corp.local/.

 

 

Log in to Horizon View Administrator Console

 

Use the following information to log in to the Horizon View Administrator Console:

  1. Username:Administrator
  2. Password:VMware1!
  3. Domain:CORP
  4. Click on Login

 

 

Load Application Pools

 

In the View Administrator Console:

  1. Click on the arrow beside Catalog.
  2. Click on Application Pools.

 

 

Add new Application Pool

 

  1. Click on Add...

 

 

Select VMC media player

 

  1. Select the radio button beside Select installed applications.
  2. Type VLC in the search field.
  3. Click Find.
  4. Click on the checkbox beside VLC media player.
  5. Click Next.

 

 

Finish Application Pool creation

 

  1. Accept the default information.
  2. Click Finish.

 

 

Add Entitlements

 

  1. Click Add...

 

 

Add the Horizon Users Group

 

  1. Select the checkbox beside Groups.
  2. Type Horizon in the search field under Name/User name.
  3. Click Find.
  4. Select Horizon Users.
  5. Click OK.

 

 

Finish adding Entitlements

 

Horizon Users should now appear in the Entitlement window.

  1. Click OK.

 

 

Launch the VMware Horizon Client

 

On the Main Console desktop, double-click on the VMware Horizon Client. This will allow you to test your entitlements.

 

 

Connect to View-01a.corp.local

 

  1. Click on the view-01a.corp.local icon.

 

 

Log In to VMware Horizon

 

Use the following information to log in to the VMware Horizon Client:

  1. Username:lab1user
  2. Password:VMware1!
  3. Domain:CORP
  4. Click on Login

 

 

Open VLC media player

 

Notice that VLC media player now appears when you log into the VMware Horizon Client.

  1. Double-click on the VLC media player icon. This will launch your newly entitled application.

 

 

VLC media player available!

 

Congratulations! You have successfully entitled and launched VLC media player.

 

Module 6 - Securing your Horizon Environment (60 minutes)

Introduction


As the organization continues to adopt and develop virtual desktop use cases, the Security Team has raised concerns around the ability to access critical database and application resources when using virtual desktops. In this module, you will leverage network virtualization to ensure isolation of applications, databases and desktops.


 

Look at the lower right portion of the screen

 

Please check to see that your lab is finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes you lab has not changed to "Ready", please ask for assistance.

 

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 6

 

Click on the Start button below Module 6

 

 

Stop Module 5

 

If you ran a previous module before Module 6, the STOP script for that module will be run (Module 5 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 6 Start

 

Wait for the script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge: Isolation of Desktops from Internal Resources


Security has raised concerns around users having visibility of applications and information that are outside of their departments. It is up to you to mitigate their concerns. Rather than making traditional firewall rules for every individual connection, what if you could make a policy associated to an Active Directory (AD) User/Group? Wouldn't that make life so much easier? (HINT: NSX and Active Directory Integration).

 

Create a Policy to isolate traffic based on Users or Domain Group membership. Ensure the user(s) are only able to communicate with the required applications and not with other resources.


 

Challenge Description

During the last Security Joint Task Force meeting, it was brought to your attention that some unauthorized users were trying to access the main router's SSH interface from the VDI environment. They even questioned the security of your VDI environment, arguing that it is too dangerous to have users running desktops in the datacenter where there is no control as to what resources they can connect to!

But you know better. The security team is thinking in terms of traditional physical network security but what they do not know is that you have the power of NSX to make your environment even MORE secure than a physical one.

Apparently your predecessor also started some of the work leveraging NSX, as the main components are already installed and deployed. While assessing the infrastructure, you realize that Guest Introspection has been installed, but it seems like the Distributed Firewall functionality has not been used yet.

These are the specific requirements for this challenge:

 

 

Required Information

The following information will be helpful in solving the challenge:

You can also view hints on the VMware Technology Network Communities here:

https://communities.vmware.com/docs/DOC-37026

 

Hint 1: User distinction (or "Do you know WHO I AM?")


Before we go ahead and create firewall rules, we are going to have to be able to distinguish between authorized and unauthorized users.

The AD part is straight forward: we need to create an AD security group, but how can we implement this distinction in NSX?

For the answer and implementation guidance see the following steps.


 

Hint 1: User distinction (answer)

Before we go ahead and create firewall rules, we are going to have to be able to distinguish between authorized and unauthorized users.

The AD part is straight forward: we need to create an AD security group, but how can we implement this distinction in NSX?

You can try for yourself. The process is described in the NSX Administration Guide here:   http://pubs.vmware.com/nsx-63/topic/com.vmware.nsx.admin.doc/GUID-B9FC0D05-BE96-4D83-8C58-98B0F96DB342.html

In the following steps we will go through this process in detail.

 

 

Open Active Directory Users and Computers

 

From the Start menu, open:

 

 

Create new AD Group

 

  1. Select the Users container
  2. Click the Create a new group button

 

 

Type a name for the AD Security Group

 

  1. Group name: Network Admins
  2. Click OK to continue

 

 

Add lab1user to the Network Admins AD Group

 

  1. Select the Users OU
  2. Select the Lab 1 User
  3. Click on the Add selected object to a group icon

 

 

Search for AD Security Group

 

  1. Type Network Admins in the text box.
  2. Click on Check Names. Make sure the group name in the text box is underlined to confirm that it was found in the AD.
  3. Click on OK to continue.

 

 

Accept and close AD Users and Computers

 

After successfully adding the lab1user to the Network Admins group, click OK to dismiss the dialog box and close Active Directory Users and Computers.

 

 

Open Chrome Browser from Windows Quick Launch Task Bar

 

To connect to the vSphere Web Client, you are going to need a web browser.

  1. Click on the Chrome Icon on the Windows Quick Launch Task Bar.

 

 

Log in to the vSphere Web Client

 

Log in to the vSphere Web Client: 

  1. Use the provided bookmark (HOL-1891 Admin -> vCenter Web Client) to launch the console
  2. User: administrator@corp.local
  3. Password: VMware1!
  4. Click on Login

TIP: You can save time by clicking on User Windows session authentication and then on the Login button.

 

 

Open Networking & Security (NSX)

 

Use the Networking & Security link from the vSphere Web Client Home screen.

 

 

Open NSX Managers

 

Under Networking & Security click NSX Managers.

 

 

Configure NSX Manager

 

Click on the NSX Manager name 192.168.110.31 to configure it.

 

 

Update local state of AD Objects

 

Since we just created the AD Security Group, we need to manually synchronize the NSX Manager with AD so that it is aware of the existence of the new group.

  1. Click on the Manage tab
  2. Click on the Domains tab
  3. Select the corp.local domain
  4. Click on the Update the local state for all AD objects icon

 

 

Add Security Group

 

  1. Click on the Manage tab
  2. Click on the Grouping Objects tab
  3. Click Security Group
  4. Click the Add Security Group (+) icon

 

 

Type a name for the Security Group

 

  1. Name: Network Admins
  2. Click Next to continue

 

 

Define Dynamic Membership

 

  1. Use the dropdown to select Entity
  2. Click on the Select Entity button

 

 

Select Entity

 

  1. Use the dropdown to select Directory Group entity type.
  2. Use the search box to shorten the list of available groups. Type Network in the search box.
  3. Click on the radio button to select the Network Admins group.
  4. Click on OK to continue.

 

 

Select objects to include

 

We are not adding any additional static objects, so just click Next to continue.

 

 

Select objects to exclue

 

Again, not excluding any static objects either, so click Next to continue.

 

 

Ready to Complete

 

Check your configuration and click Finish.

 

Hint 2: Rule enforcement


So now that we know how to distinguish the users, we need to enforce rules around that distinction, so only authorized users can connect to the lab router SSH interface.

What would be the best place to enforce those rules?


 

Hint 2: Rule enforcement (answer)

So now that we know how to distinguish the users, we need to enforce rules around that distinction, so only authorized users can connect to the lab router SSH interface.

What would be the best place to enforce those rules?

How do we do this? The NSX Administration Guide explains it well, so you can try for yourself: http://pubs.vmware.com/nsx-63/topic/com.vmware.nsx.admin.doc/GUID-C7A0093A-4AFA-47EC-9187-778BDDAD1C65.html

Or you can continue to the next steps to see a detailed walkthrough.

 

 

Go back to Networking and Security Home

 

Go back to the Networking and Security home by:

  1. Clicking on the Home icon
  2. Selecting Networking & Security from the dropdown

 

 

Navigate to Firewall

 

Navigate to Firewall.

 

 

Gain screen space by collapsing the right Task Pane

 

  1. Clicking on the Push-Pins will allow task panes to collapse and provide more viewing space to the main pane.  You can also collapse the left-hand pane to gain the maximum space.

 

 

Expand Layer 3 Rules Section

 

  1. Expand Default Section Layer3 using the triangle on the left.
  2. Select Rule 2 Default Rule DHCP
  3. Click on the Add Rule (+) button

 

 

Name the rule (1)

 

Hover the mouse over the top right corner of the name field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's name.

 

 

Name the rule (2)

 

  1. Rule Name: Router SSH Reject
  2. Click Save

 

 

Set the Source

 

Hover the mouse over the top right corner of the source field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's source.

 

 

Create Virtual Desktops Security Group

 

First, we will create a rule to reject any connection attempt to the router SSH interface from all virtual desktops. Later we will create a higher priority rule to allow access to the users of the AppVol Admins group.

  1. Use the dropdown to set the Object Type to Security Group
  2. Click on New Security Group

 

 

Create Virtual Desktops Security Group (2)

 

  1. Enter the name Virtual Desktops
  2. Click Next

 

Since the source VMs are dynamic in number and IPs, the best way to define them in our case will be by using the prefix "W10-IC-" since we know that all virtual desktop names start with that string. Other alternatives to define the source are tags, resource pools, or clusters; among others.

  1. From the first drop down, select VM Name
  2. From the second drop down, select Starts with
  3. Enter W10-IC-
  4. Click Finish

 

 

Finish setting ther Source

 

Verify that the recently created Security Group Virtual Desktops is in the Selected Objects column and click OK.

 

 

Set the Destination

 

Hover the mouse over the bottom right corner of the destination field of your new rule (number 3) until the IP icon appears. Click on the IP icon to edit the rule's destination.

 

 

Destination IP Address

 

  1. Enter the router's IP address, 192.168.100.1
  2. Click Save

 

 

Set the Service

 

Hover the mouse over the top right corner of the service field of your new rule (number 3) until the pencil icon appears. Click on the pencil icon to edit the rule's service.

 

 

Specify Service

 

  1. Click on the search box and type SSH
  2. Select SSH from the Available Objects List
  3. Click on the -> icon to add the service
  4. Click on OK to continue

 

 

Set the Action

 

Hover the mouse over the top right corner of the action field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's action.

 

 

Edit Action

 

  1. Use the dropdown to select the Reject action
  2. Click Save to continue

EXTRA CREDIT: What's the difference between the Block and Reject actions? Tip: the answer is in the NSX Administrator Guide here: http://pubs.vmware.com/nsx-63/topic/com.vmware.nsx.admin.doc/GUID-C7A0093A-4AFA-47EC-9187-778BDDAD1C65.html

 

 

Copy Reject Rule to create the Allow Rule

 

Right click on the firewall rule number and select Copy

 

 

Paste Reject Rule to create the Allow Rule

 

Right click on the firewall rule and select Paste Above

 

 

Name the Allow Rule (1)

 

Hover the mouse over the top right corner of the name field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's name.

 

 

Name the Allow Rule (2)

 

  1. Rule Name: Router SSH Allow
  2. Click Save

 

 

Set the Source

 

Hover the mouse over the top right corner of the source field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's source.

 

 

Remove Virtual Desktops from the Source

 

  1. In the list of selected objects select Virtual Desktops
  2. Click on the <- icon to remove the Virtual Desktops object

 

 

Add Network Admins Group to the Source

 

Now we will create a rule to accept any connection attempt to the router from the Network Admins. This is the NSX Security Group that we created earlier that references the AD Security Group.

  1. Use the dropdown to set the Object Type to Security Group
  2. In the list of available objects select Network Admins
  3. Click on the -> icon to add the Network Admins object
  4. Click OK to continue

 

 

Set the Action

 

Hover the mouse over the top right corner of the action field of your new rule (number 3) until a pencil icon appears. Click on the pencil icon to edit the rule's action.

 

 

Edit Action

 

  1. Use the dropdown to select the Allow action
  2. Click Save to continue

 

 

Publish Changes

 

The firewall rules that we just created will not be deployed to the Distributed Firewall until we click on the Publish Changes button. Go ahead and click the Publish Changes button.

 

Validation


We have finished with the required security configuration. so all that is left to do is validate that our configuration is working properly.

To validate our configuration we are going to:


 

Launch VMware Horizon Client

 

From the desktop of the Main Console, launch the VMware Horizon Client.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as lab1user

 

  1. User name: lab1user
  2. Password: VMware1!
  3. Domain: CORP
  4. Click Login

 

 

Set Desktop Pool to Fullscreen

 

Verify that the deskop pool is set up to be displayed in full screen mode. To accomplish this, right-click on the desktop icon and select Display->Fullscreen.

 

 

Launch the Windows 10 Instant Clone

 

Double-click on the Windows 10 Instant Clone icon.

 

 

Launch Putty

 

Browse to \\controlcenter\c$\Program Files (x86). Select the PuTTY folder and Double-click to open the folder. Launch the Putty.exe application.

When asked for authentication credentials enter the following information:

 

 

Connect to Router SSH interface

 

  1. Enter the IP address of the router 192.168.110.1
  2. Click Open

 

 

Successful Connection

 

You should receive a PuTTY Security Alert, since the server's rsa2 key fingerprint in unknown as this is the first time the user is connecting to the server. Click Yes.

 

 

Successful Connection (2)

 

The SSH connection will be established and you will be asked for login credentials. We have verified that the user can connect to the router's SSH interface. Close the window.

 

 

Sign out from the desktop

 

Right-click on the Start menu button, select Shutdown or sign out, and click on Sign out.

 

 

Disconnect from Horizon

 

Use the disconnect button to sign out from Horizon. Confirm by clicking OK.

 

 

Change the user

We were successful connecting as lab1user. Now we will try to connect as lab2user and see if things change.

 

 

Connect to Horizon View Connection Server

 

Double-click the icon for "view-01a.corp.local"

 

 

Authenticate as lab2user

 

  1. User name: lab2user
  2. Password: VMware1!
  3. Domain: CORP
  4. Click Login

 

 

Launch the Windows 10 Instant Clone

 

Double-click on the Windows 10 Instant Clone icon.

 

 

Launch PuTTY

 

Wait for the desktop to launch.

Once Windows Explorer finishes loading, launch PuTTY by clicking on its icon on the desktop.

 

 

Connect to Router SSH interface

 

  1. Enter the IP address of the router 192.168.110.1
  2. Click Open

 

 

Connection Rejected

 

The connection should be rejected. That means everything worked out as expected: the lab1user user was allowed access, while other users (lab2user in this case) were denied.

 

Key takeaways


Using NSX on a VDI/RDSH environment gives you the ability to secure the environment beyond what is available in traditional physical deployments.

Rules do not have to be limited to physical constructs such as IP addresses, ports, network segments, etc. but can actually leverage user identity and group memberships which relate directly to the business process.

For example, you can restrict user access to the backend database and make sure all users connect to the application layer that in turn connects to the database.

You can find more information on NSX and Horizon here:

https://www.vmware.com/products/horizon/horizon-nsx.html


 

Conclusion

This concludes Module 6: Securing your Horizon Environment. We hope you have enjoyed taking it. Please do not forget to fill out the survey when you are finished.

 

Module 7 - Horizon Automation (30 minutes)

Module Switcher Instructions


The following steps will instruct you on how to launch the module using the Module Switcher tool.


 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

 

Start Module Switcher Application

 

If the Hands-on Labs Module Switcher is not running, you can launch it by double clicking on the Module Switcher Icon on the Desktop.

 

 

Start Module 7

 

Click on the Start button below Module 7

 

 

Stop Module 6

 

If you ran a previous module before Module 7, the STOP script for that module will be run (Module 6 is shown in the image). If this is the first module you are running, this step is not necessary and will be skipped.

Wait for the script that stops the previous module to finish and press Enter to continue.

 

 

Module 7 Start

 

Wait for the Module 7 START script to finish running. Press Enter to continue when the script prompts you to do so.

 

Challenge: Automate Desktop Creation



Hint 1: Desktop Specification File


We will use PowerShell to create a JSON specification file based on the existing Win10-IC desktop pool.

The easiest way to create a new desktop pool from a PowerShell script, is by using a Specifications File. This is a JSON file that includes all the necessary information and parameters to create new Desktop Pool.

The VMware.Hv.Helper module is documented here: https://github.com/vmware/PowerCLI-Example-Scripts/blob/master/Modules/VMware.Hv.Helper/VMware.HV.Helper.psm1

Look for details on the Get-HVPool and Get-HVPoolSpec functions.

Try to get the DesktopInfo object from Get-HVPool and use it as an input for the Get-HVPoolSpec function.

Go to the next step to see step-by-step instructions 


 

Start PowerShell as Administrator

 

 

 

Import Horizon PowerShell Modules

 

Type the following commands in the PowerShell window to load the HorizonView and HV.Helper modules:

Import-Module VMware.VimAutomation.HorizonView
Import-Module VMware.HV.Helper

 

 

Connect to the Horizon View Connection Server

 

Type the following commands in the PowerShell window to connect to the Horizon View Connection Server:

Connect-HVServer -server view-01a.corp.local -user Administrator -password VMware1! -domain CORP

 

 

Get Specification File

 

Type the following commands in the PowerShell window to connect to create the Specification File

Get-HVPool -PoolName 'Win10-IC' | Get-HVPoolSpec -FilePath "C:\Automation\AutoDesktopPool.json"

 

 

Open JSON file

 

Since we need to modify the specifications from the original Win10-IC desktop pool, we going to edit the JSON file using Notepad++.

Go to the C:\Automation folder, right click on the file name and select Edit with Notepad++

 

 

Disable Desktop Pool

 

Per the requirements, we want the desktop pool to be provisioned in the disabled state.

Find the DesktopSettings.Enabled setting (line 9) and change it from true to false.

 

 

Disable Provisioning

 

The requirements also calls for provisioning to be disabled.

Find the AutomatedDesktopSpec.virtualCenterProvisioningSettings.EnableProvisioning setting (line 52) and change it from true to false.

 

 

Change the Desktop Pool Description

 

Find the Base.description setting (line 4) and change it from null to "Auto created Desktops"

 

 

Save the JSON file and close Notepad++

 

Click on the Save icon and close Notepad++

 

Hint 2: The Main Script


This are the main fuctions that you will need to use to create the script:

You can find documentation for New-ADGroup here: https://technet.microsoft.com/en-us/library/ee617258.aspx

You can find documentation for New-HVPool and New-HVEntitlement here: https://github.com/vmware/PowerCLI-Example-Scripts/blob/master/Modules/VMware.Hv.Helper/VMware.HV.Helper.psm1

Continue to see the entire code for the solution

Use this code to create a script to handle the requirement and basic error handling. Copy the content to a the file C:\Automation\CreateDesktopPool.ps1 to test it.

param([string]$name=$null)
Write-Host 'Attempting to create AD Security Group' $name
try {
    New-ADGroup –name $name –groupscope Global -ErrorAction Stop
    Write-Host 'AD Security Group' $name 'created successfuly'`n
}
catch {
    Write-Host 'There was an error creating the AD Security Group:' $_.Exception.Message
    Break
}
Import-Module VMware.VimAutomation.HorizonView
Import-Module VMware.HV.Helper 
Connect-HVServer -server view-01a.corp.local -user Administrator -password VMware1! -domain CORP
Write-Host `n'Attempting to create Desktop Pool' $name
try {
    New-HVPool -Spec C:\Automation\AutoDesktopPool.json -PoolName $name
    Write-Host 'Desktop Pool' $name 'created successfuly'`n
}
catch {
    Write-Host 'There was an error creating the Desktop Pool:' $_.Exception.Message
    Break
}
Write-Host 'Waiting for Horizon View to finish creating' $name 'desktop pool...'
$searchPool = Get-HVPool -PoolName $name
while ($searchPool -eq $null) {
    Write-Host 'Waiting 5 seconds...'
    Start-Sleep -s 5
    $searchPool = Get-HVPool -PoolName $name
}
Write-Host 'Adding Entitlement...'
try{
    New-HVEntitlement -ResourceName $name -User CORP\$name -ResourceType Desktop -Type Group
    Write-Host 'Success!'
}
catch {
    Write-Host 'There was an error creating the Entitlement:' $_.Exception.Message
    Break
}

 

Run the script

 

Type the following command to execute and test the script:

C:\Automation\CreateDesktopPool.ps1 -name HOL-TEST

 

 

Verify that the Desktop Pool was created

 

Verify that the recently created HOL-TEST desktop pool was created and it is disabled.

Double-click on HOL-TEST to look at the Entitlements.

 

 

Verify Entitlements

 

Click on the Entitlements tab. You should see that the newly created desktop pool has been entitled to the HOL-TEST group.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1891-01-CHG

Version: 20180215-205736