VMware Hands-on Labs - HOL-2151-01-DWS


Lab Overview - HOL-2151-01-DWS - VMware Horizon - Getting Started with App and Desktop Virtualization

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

This lab uses VMware Horizon to create and manage Instant Clone desktop pools and RDSH farms. Expect to learn common troubleshooting techniques that help ensure a great user experience. You will consume desktops and apps with a single sign-on experience that integrates VMware Horizon, True SSO, and Workspace ONE Access.

Lab Module List:

Lab Captains:

  • Josh Spencer, Staff Technical Marketing Architect - Desktop, USA
  • Chris Halstead, Staff Technical Marketing Architect - Desktop, USA

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session. However, you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Create a Desktop Pool (30 minutes)

Introduction


This Module contains the following lessons:

  • Overview of Desktop Pools: a quick introduction to desktop pools
  • Create a Desktop Pool: a walkthrough of the process of setting up a desktop pool
  • Entitlement for a Desktop Pool: adding a user so that they can access a desktop pool

 

Horizon

Virtual desktop infrastructure (VDI) products, such as VMware Horizon, enable IT departments to run virtual machine (VM) desktops and applications in the data center and remotely deliver these desktops and applications to users as a managed service. This computer-within-a-computer strategy enables multiple VMs to be run per physical server core.

For administrators, this means desktop and application management can be simplified and automated. Admins can quickly create virtual desktops on demand based on location and profile, and securely deliver desktops as a service from a central location.

End users can access their personalized virtual desktops or remote applications from company laptops, their home PCs, thin client devices, Macs, tablets, or smartphones. Horizon is the leading platform for Windows desktop and application virtualization, providing a consistent user experience across devices and locations while keeping organizations' data compliant and securely stored in the data center.

When VDI solutions first started appearing, about a decade ago, the strategy was to take a Windows desktop system, virtualize it, and place it in the data center. Unlike this traditional VDI, Horizon is built on technologies that allow components of a desktop or application to be decoupled and managed independently in a centralized manner, yet reconstituted on demand to deliver a personalized user workspace. For example, when the user logs in, a virtual desktop can assemble itself on the fly by combining an instant clone of a master image (VM) with a user environment profile and one or more containerized applications that attach themselves to (but are not installed in) the VM.

In addition, Horizon integrates with VMware Workspace ONE on a common identity framework to provide a single catalog for accessing Windows applications and desktops, as well as software-as-a-service (SaaS), web, cloud, and native mobile applications.

If you are not familiar with Horizon you can read more on our Digital Workspace Tech Zone at

https://techzone.vmware.com/resource/what-horizon-7

 

 

Why Consider Horizon?

Horizon is a complete solution that delivers, manages, and protects virtual desktops, RDSH-published desktops, and applications across devices and locations. From provisioning to management and monitoring, Horizon offers an integrated stack of enterprise-class technologies that can deploy hundreds of customized desktops and RDSH servers in a few minutes from centralized single images.

 

Overview of Desktop Pools


With Horizon, you can create desktop pools that include thousands of virtual desktops. You can deploy desktops that run on virtual machines (VMs) and physical machines. Create one VM as a Parent image, and Horizon can generate a pool of virtual desktops from that image. The Parent image is also known as a base image or a golden image.

There are two main types of virtual desktop pools: automated and manual. Automated desktop pools use a vCenter Server virtual machine template or snapshot to create a pool of identical virtual machines. Manual desktop pools are a collection of vCenter Server virtual machines, physical computers, or third-party virtual machines. In automated or manual pools, each machine is available for one user to access remotely at a time.


 

Advantages of Desktop Pools

Horizon offers the ability to create and provision pools of desktops as its basis of centralized management. If you use a vSphere virtual machine as a desktop source, you can automate the process of making as many identical virtual desktops as you need. You can set a minimum and maximum number of virtual desktops to be generated for the pool. Setting these parameters ensures that you always have enough remote desktops available for immediate use but not so many that you overuse available resources.

Using pools to manage desktops allows you to apply settings or deploy applications to all remote desktops in a pool. You can also specify how users are assigned desktops in a pool.

 

 

Desktop Pools

 

With single-user desktops, each virtual machine allows a single end-user connection at a time. In contrast, with session-based desktops, one RDSH server can accommodate many concurrent user connections.

We will walk through the process of creating an Instant Clone Desktop Pool. A clone is a copy of a Parent VM with a unique identity of its own, including a MAC address, UUID, and other system information. The VMware Instant Clone Technology improves and accelerates the process of creating cloned VMs over the previous View Composer linked-clone technology. In addition, instant clones require less storage and less expense to manage and update because the desktop is deleted when the user logs out, and a new desktop is created using the latest Parent VM image.

 

 

Create a Desktop Pool


This exercise makes use of an interactive demo to work around constraints of the HOL lab environment. Though not required, it is recommended you use speakers or headphones for the demo.


 

Instant Clone Desktop Pool

An instant-clone desktop pool is an automated desktop pool. vCenter Server creates the desktop VMs based on the settings that you specify when you create the pool. Instant clones share a virtual disk of the master image and therefore consume less storage than full VMs. In addition, instant clones share the memory of the master image.

Before you can deploy a pool of desktops, you must create an optimized master image, which includes installing and configuring a Windows or Linux operating system in a VM, optimizing the OS, and installing the various VMware agents required for desktop pool deployment.

You will not be creating the optimized master image in this lab as it has already been set up for us in the interest of time. For step-by-step instructions, see the guide Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop.

https://techzone.vmware.com/creating-optimized-windows-image-vmware-horizon-virtual-desktop

 

 

Launch Interactive Demo

 

Add Entitlement to a Desktop Pool


You configure entitlements to control which remote desktops and applications your users can access. Before users can access remote desktops or applications, they must be entitled to use a desktop or application pool.  In this exercise we will add an entitlement to an existing desktop pool.


 

Launch Google Chrome Browser

 

Launch Google Chrome from the desktop of the Main Console

 

 

Launch Horizon Console

 

  1. Click on Horizon in the Chrome bookmarks bar
  2. Click Horizon-01-AdminConsole

 

 

Login to VMware Horizon Console

 

  1. Enter Administrator as username
  2. Enter VMware1! as the password
  3. Click Sign in

 

 

IC-Pool1 Desktop Pool

 

  1. Click on Desktops under Inventory

 

 

Edit Entitlement to the IC-Pool1

 

  1. Click on the check box next to the existing IC-Pool1
  2. Click on Entitlements to see the options to add or remove entitlements for this desktop pool
  3. Click on Add Entitlements

 

 

Add Entitlements

 

Click on Add

 

 

Find User or Group

 

  1. Enter Jim in the Name/user name contains field
  2. Click on Find
  3. Select  Jim Hendrix  by clicking on the check box
  4. Click OK

Note: You may need to scroll down or resize the window to be able to select the user. You can also click the box next to Name to select all, then click OK.

 

 

Add Entitlements

 

  1. Check the box next to jim@corp.local
  2. Click OK

 

 

Verify the entitlement was added

 

Click on IC-Pool1 to go to the Desktop Pool details

 

 

Entitlements Tab

 

  1. Click on the Entitlements tab
  2. Verify that Jim@corp.local (Jim Hendrix) is entitled to the pool

 

 

Exercise Complete

 

Click back on the Desktops tab. Congratulations, you have finished the exercise to add an entitlement to an existing pool!

 

Conclusion


This module included exercises to create and entitle a Desktop Pool in Horizon.


 

You've finished Module 1

 

Congratulations on completing  Module 1.

If you are looking for additional information on Horizon, try one of these:

Proceed to any module below which interests you most.

 

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 2 - Create an RDSH Farm - Instant Clones (15 minutes)

Introduction


This module contains the following lessons:

  • Lesson 1 - Overview of RDSH Farms
  • Lesson 2 - Create an RDSH Farm
  • Lesson 3 - Configure Load Balancing for Horizon Farms

 

Horizon Apps

 

Today, end users are more mobile and productive than ever with the need to access their Windows apps alongside their SaaS and web applications, from their personal or business devices. In this new mobile cloud world, managing and delivering services to end users with traditional PC-centric tools has become increasingly difficult. Data loss and image drift are real security and compliance concerns. And organizations are struggling to contain costs.

Horizon Apps provides IT with a new streamlined approach to deliver, protect, and manage Windows applications while containing costs and ensuring that end users can work anytime, anywhere, on any device.

Built on JMP, the VMware next-gen desktop and application delivery platform, Horizon Apps securely publishes Windows apps in the data center and delivers end users all their apps including virtualized applications, apps packaged and isolated with VMware ThinApp, SaaS apps, and mobile apps in one unified digital workspace on any device, anywhere. Leveraging the power of JMP, IT can deliver Just-in-Time apps to streamline management, reduce costs, and easily maintain compliance. These applications can be accessed by end users with the efficiency and flexibility that business demands.

 

 

Just-in-Time App Provisioning with Instant Clones Technology

 

Overview of RDSH Farms


A farm is a group of Windows Remote Desktop Services (RDS) hosts. You can create published desktops associated with a farm. You can also deliver a published application to many users by creating application pools. The published applications in application pools run on a farm of RDS hosts.

You will work with application pools in Module 3 of this lab.


 

RDSH Farm Types

 

 

 

Instant Clone RDSH Farms

 

The Horizon Connection Server creates the instant-clone virtual machines based on the parameters that you specify when you create the farm. Instant clones share a virtual disk of a parent VM and therefore consume less storage than full virtual machines. In addition, instant clones share the memory of a parent VM and are created using the vmFork technology.

When you create an application pool or a published desktop pool, you must specify one and only one farm. The RDS hosts in a farm can host published desktops, applications, or both. A farm can support at most one published desktop pool, but it can support multiple application pools. A farm can support both types of pools simultaneously.

 

 

Additional Information on Horizon Instant Clone Technology

Overview

  • Leverages vmFork in vSphere 6.0 U1 and later
  • Cloning and customization done without reboots of the guest OS
  • Provision RDSH farms and desktop pools

Benefits

  • Rapidly provision RDSH servers
  • Expand or shrink existing RDSH farm in seconds
  • Streamlines rolling maintenance operations

 

Create an RDSH Farm


This exercise makes use of an interactive demo to work around constraints of the HOL lab environment. Though not required, it is recommended you use speakers or headphones for the demo.


 

Launch Interactive Demo

 

Configure Load Balancing for Horizon Farms


Load balancing sessions across the RDS hosts in a Horizon farm improves utilization of resources, resulting in a better end user experience.

You can configure load balancing for RDS hosts by configuring load balancing settings in Horizon Administrator or by creating and configuring load balancing scripts.

In this lesson you will configure load balancing settings for an existing RDS farm.


 

Launch Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Horizon Administrator

 

  1. Select Horizon from the bookmarks bar
  2. Select Horizon-01-AdminConsole

 

 

Authenticate to Horizon Administrator

 

  1. User name: administrator
  2. Password: VMware1!
  3. Click Sign in

 

 

Open Dashboard and View System Health

 

  1. Click on Dashboard to open the Horizon Dashboard
  2. Click View under System Health

 

 

RDS Farms

 

  1. Click on RDS Farms
  2. Click RDSH-01

 

 

View Details for RDSH-01

 

  1. Scroll down on the right side
  2. Scroll all the way to the right
  3. View Load Index and notice that Load Balancing is Disabled
  4. Click OK

Horizon calculates the Server Load Index based on the load balancing settings you configure in Horizon Administrator. The Server Load Index indicates the load on the server. The Server Load Index can range from 0 to 100, where 0 represents no load and 100 represents full load. A Server Load Index of -1 indicates that load balancing is disabled.

 

 

Navigate to RDSH-01 Farm

 

  1. Click on Farms
  2. Click on the RDSH-01 Farm

 

 

Load Balancing Details

 

On the summary page for RDSH-01 scroll down to the Load Balancing Settings.  Notice that no settings are configured.

 

 

Edit RDSH-01 Farm

 

Click on Edit to modify the RDSH-01 Farm

 

 

Edit Load Balancing Settings

 

Click on Load Balancing Settings

 

 

Review Load Balancing Options

 

  1. Click the ? icons to learn more about each of the load balancing settings

 

 

Enter Load Balancing Settings

 

Enter the following values:

  1. CPU Usage Threshold:  90
  2. Memory Usage Threshold:  90
  3. Click OK

 

 

Open Dashboard and View Updated Load Index

 

  1. Click on Dashboard to open the Horizon Dashboard
  2. Click View under System Health

 

 

RDS Farms

 

  1. Click on RDS Farms
  2. Click RDSH-01

 

 

View Details for RDSH-01

 

  1. Scroll down on the right side
  2. Scroll all the way to the right
  3. Note the Server Load Index has changed to reflect the current load on the server.
    1. Note - The actual value of the Server Load Index will vary from this screenshot, as the value is dynamically populated.
  4. Select OK

This is the end of the exercise "Configure RDSH Load Balancing".

 

Conclusion


This module covered how to create an RDSH Farm with Instant Clones.


 

You have Finished Module 2

 

Congratulations on completing Module 2.

If you are looking for additional information on Horizon Instant Clone farms, try one of these:

Proceed to any module below which interests you most.

 

 


 

Module 3 - Application Pools (15 Minutes)

Introduction


This module contains the following lessons:

  • Lesson 1 - Overview of Application Pools
  • Lesson 2 - Create an RDSH Application Pool
  • Lesson 3 - Create VM Hosted Application Pool
  • Lesson 4 - Testing End User Experience

Overview of Application Pools


With application pools you deliver a single, published application to many users. The application runs on a farm of RDS hosts.

Horizon automatically distributes client requests for the application among the RDS hosts in the farm. Therefore, it is important that all RDS hosts in the farm are configured the same way. Horizon Instant Clone technology is ideal for creating scalable RDS farms with identical configurations.

In this lesson, you will create an application pool using an existing Horizon farm: RDSH-01.


 

Application Pools

 

 

Create an RDSH Application Pool


In this lesson you will create multiple application pools from an existing RDSH farm.


 

Launch Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Horizon Console

 

  1. Select Horizon from the bookmarks bar
  2. Select Horizon-01-AdminConsole

 

 

Login to Horizon Console

 

  1. User name: Administrator
  2. Password: VMware1!
  3. Click Sign in

 

 

Navigate to Applications

 

  1. Select Applications

 

 

Review Existing Application Pools

 

Notice there are a number of Application Pools already created and associated with Farm RDSH-01

Review the applications and details.

 

 

Add Application Pool

 

  1. Select Add
  2. Select Add from Installed Applications

This option performs an automated scan of the applications installed on the RDS hosts in Farm RDSH-01

 

 

Select Installed Applications

 

  1. Make sure that RDS Farm and RDSH-01 are selected
  2. Type internet into the filter box
  3. Scroll down until you find Internet Explorer in the list of installed applications
  4. Check the box for Internet Explorer where the installation path matches C:\Program Files\Internet Explorer\iexplore.exe
  5. Select Next

 

 

Customize the Display Name

 

  1. In the Display name field overwrite the existing content with Web App 1
  2. Select Submit

 

 

Add Entitlements

 

  1. Select Add

 

 

Find User or Group

 

  1. Enter user1mod3
  2. Select Find
  3. Check the box for User1 Mod3
  4. Select OK

 

 

Confirm Entitlements

 

  1. Select OK

 

 

Edit an Application Pool

You will now edit the Application Pool to customize the parameters.

 

 

Create a Second Application Pool

You will now create a second application pool using the same application.

 

 

Review New Application Pools

 

You should now have two application pools: Web App 1 and Web App 2

Note - Leave the Horizon Admin page open to the Application Pools page, as you will start here in the next lesson.

 

Create a VM Hosted Application Pool


With the latest version of Horizon agents, you are able to publish applications from a Windows 10 Desktop Pool using the same deployment and configuration process as you do for Desktops.

We will walk through that process below.  First we will edit the existing desktop pool and make it a desktop and application pool. Then we will add an application pool using the Application discovered in the Desktop Pool.  


 

VM Hosted Application Use Cases

  • Windows 10 UWP Apps: these are the Universal Windows Platform Apps developed for Windows 10 that run on Windows 10 devices such as PC, Tablet, Xbox, HoloLens, Surface Hub and IoT Devices without the need to be rewritten for each
  • Applications and .NET framework version compatibility
  • Applications that don't behave well in RDSH
  • Applications that require special device support, where drivers may not run or be supported on RDSH
  • Application is only tested/certified on Windows 10
  • ISVs that require installed license and use reporting
  • Windows Virtual Desktop on Azure

 

 

Edit the IC Pool

 

Go back to the Horizon Console on Horizon-01.corp.local.

  1. Under Inventory, click on Desktops
  2. Click the check box for the IC-Pool1 desktop pool
  3. Click on Edit

 

 

Click on Desktop Pool Settings

 

Click on the Desktop Pool Settings tab

 

 

Edit Session Types

 

  1. Scroll down
  2. Under the General Section, Select Session Types and pick Desktop & Application
  3. Under Remote Settings, confirm Empty Session timeout is set to After = 1 minutes
  4. Click OK

Supported Session Types can be configured for the Desktop Pool. There are 3 options:

  • Desktop: only desktop sessions are supported
  • Application: only application sessions are supported
  • Desktop & Application: A Pool can be set to Application and Desktop session type, but they cannot be used at the same time

If you choose to support application sessions then this desktop pool can be used to publish application pools.

 

 

Add VM Hosted Application Pool  

 

We will now add an application from the desktop pool.

  1. Under Inventory on the left, Click on Applications
  2. Click on Add
  3. Select Add from Installed Applications

With Application Pools, you can deliver a single application to many users. The application runs on a farm of RDS Hosts or a desktop pool. We will show running an application from a desktop pool here.

 

 

Select Desktop Pool

 

  1. Under Select RDS Farm or Desktop Pool, Select Desktop Pool. It will take a few seconds to populate the list of installed applications.
  2. Make sure IC-Pool1 is selected
  3. Type Wordpad into the filter box
  4. Check on the Wordpad app.
  5. Notice Entitle users after this wizard finishes is checked
  6. Click Next

 

 

Edit Application

 

  1. Change the Display name to VMHosted-WordPad so you can distinguish this application coming from the IC Desktop pool.
  2. Click Submit

 

 

Add Entitlements

 

Click on Add to add a user to this pool.

 

 

Find User for Domain Users

 

  1. In the Name/User name contains box, enter domain users
  2. Click on Find
  3. Click the check next to Domain Users
  4. Click OK

 

 

Ok to Add Entitlement

 

Click OK

 

 

Observe Application Pool Added

 

Notice that the VMHosted-Wordpad was added and Pool or Farm is listed as Instant Clone Pool. You may have to scroll down to see it in the list.

 

 

Launch VMware Horizon Client

 

  1. On the desktop of the Main Console - double-click the VMware Horizon Client to open it.
  2. Click on horizon-01.corp.local

 

 

Login to VMware Horizon

 


  1. User name: user1mod3
  2. Password: VMware1!
  3. Click on Login

 

 

Launch VM Hosted App

 

  1. Notice the VMHosted-Wordpad application. This is the one we just created.
  2. Also notice the Instant Clone Pool is present as well since we chose the Desktop and Application session type.
  3. Double-Click on the VMHosted-WordPad Application to launch it 

 

 

Review Application

 

Notice that the application launched and looked exactly like an RDSH hosted application.  

 

 

Delete the IC Application Pool

 

We will delete the IC Application Pool so that it doesn't interfere with the modules that follow this.

  1. Under Inventory, Click on the Applications
  2. Type WordPad in the filter
  3. Select the WordPad application
  4. Click Delete

 

 

Confirm Delete

 

To confirm deletion of the application pool, click OK.

 

 

Edit Desktop Pool

 

We need to edit the desktop pool to change it back to an Instant Clone desktop pool for the next modules.

  1. Under Inventory, click on Desktops
  2. Click the Checkbox to select the IC-Pool1
  3. Click Edit

 

 

Change to Desktop Session Type

 

We will change the Session Type back to Desktop only for the remainder of this lab.

  1. Click on Desktop Pool Settings
  2. Under Session Types, Click on Desktop
  3. Click OK

 

Conclusion


This module covered creating and editing an application pool from a Horizon farm.


 

You have Finished Module 3

 

Congratulations on completing Module 3.

If you are looking for additional information on Horizon application pools, try one of these:

Proceed to any module below which interests you most.

 

 


 

Module 4 - Modern Management of Horizon Desktops (15 Minutes)

Overview of Horizon Desktops on Workspace ONE


As more companies embrace modern management for mobile, macOS and Windows devices, management of virtualized environments is a logical extension for systems management. Recently, Workspace ONE UEM was certified as a management platform for managing Horizon virtual desktops to offer administrators a single management solution for mobile, physical and virtual platforms of all kinds. With Workspace ONE UEM, an administrator can manage Horizon virtual desktops as well as the endpoints used to access those VMs in one console.

By managing Horizon virtual desktops in Workspace ONE UEM, administrators can have a single software library, consistent policies, consolidated and flexible Windows update settings and a unified reporting and automation solution delivered across physical and virtual systems. 

While managing physical and virtual systems in one console provides simplicity to the administrator, consideration must be given to the Windows configurations that will be deployed. Key considerations around VDI management include ensuring that required services are running, that other services are prevented from starting, and that tools such as the OS Optimization Tool are using appropriate settings for a VM.

This lab will walk through the basics of gold image creation, the enrollment process for VMs in Workspace ONE UEM and the basics of policy management and app distribution. Additional details on managing Windows through Workspace ONE UEM can be found in the following labs:

  • HOL-2051-09-UEM - Getting Started with Workspace ONE UEM
  • HOL-2051-10-UEM - Advanced Topics with Workspace ONE UEM
  • HOL-2051-11-UEM - Desktop Management with Workspace ONE UEM

Management of Horizon Desktops on Workspace ONE UEM is only supported in the following scenario:

  • Persistent Desktop
  • Dedicated Assignment

The solution is currently supported on Horizon 7.8 and Workspace ONE UEM 1903 and later.

See more on compatibility here


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Connect to Workspace ONE UEM

 

Click the WS1 folder and then click the WS1 UEM Console link.

 

 

Enter your Admin Username for the Workspace ONE UEM Admin Console

 

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Click Next.

 

 

Authenticate to the Workspace ONE UEM Console

 

The password field will be displayed after entering your username.

  1. Enter VMware1! for the Password field.
  2. Click the Log In button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

Leave this tab open - we will return to the Workspace ONE UEM Console a bit later

 

Prepare Horizon Desktop


We will now prepare the Horizon desktop to automatically enroll to Workspace ONE.    This will include:

  • Optimizing the master image with the VMware OS Optimization Fling
  • Command line enrollment into Workspace ONE
  • Installing the Horizon Agent and setting up a manual dedicated pool

 

VMware OS Optimization Fling (OSOT)

We won't run the OSOT in this lab due to lab resources.

The master image used for Horizon managed by Workspace ONE needs to have the OS Optimization Fling run on it to make sure that it works properly with Workspace ONE. This ensures the system is optimized for Horizon VDI and also optimized for Workspace ONE. There is a VMware Horizon 7 on Workspace ONE template that must be used.

 

 

Obtain your Group ID from the Workspace ONE UEM Console

 

In the Workspace ONE UEM Console,

  1. Click on your Organization Group name.
  2. Copy or write down your Group ID value. In this example, the Group ID is yourid1234.

We will need to enter it into the enrollment batch file

 

 

Connect to Win10-01a Desktop

 

Double-Click the Win10-01a RDP link on the Control Center desktop.  You will be automatically logged in as an Admin

 

 

Install Horizon Agent

We will now install the Horizon Agent in order to connect to this desktop via the Horizon Client

 

 

Edit Enrollment Batch file

We will now edit the enrollment batch file with your GroupID in order to do command line enrollment into Workspace ONE.

 

  1. In Windows File Explorer browse to c:\tools
  2. Select Enroll.bat
  3. Right-Click and choose Edit
  4. Turn on Word Wrap by selecting Format and then Word Wrap
  5. Replace yourgroupid with the groupid from Workspace ONE that you captured earlier
  6. Click File and then Save to save the file
  7. Click the X to close Notepad

DO NOT use yourid1234 as shown, be sure to use your own Group ID.

 

 

Open Regedit to create RunOnce Key

 

  1. Click the search button on the taskbar.
  2. Type Regedit in the search box.
  3. Click on Registry Editor.

 

 

Create Desktop Pool

We will now create a manual pool with the Win10-01a desktop and then enroll it to Workspace ONE.

 

Connect to Horizon Desktop and Enroll to Workspace ONE


We will now connect into the new Horizon pool and enroll it to Workspace ONE


 

Launch Horizon HTML Access

 

  1. Click on the VMware Horizon link
  2. Click on VMware Horizon HTML Access

 

 

Open Workspace ONE UEM

 

Switch to the Workspace ONE UEM console tab if it is still open; otherwise refer to: Open Workspace ONE UEM Console

  1. Select Devices
  2. Select List View
  3. You will see Jim's device listed - click on the link to see more details on the device.

 

Manage Horizon Desktop with Workspace ONE



 

Open the Workspace ONE UEM Console

We will be doing the next few steps in the Workspace ONE UEM Console

The following steps should be done on the Main Console desktop.

 

Conclusion


This module was a brief peek at the current state of Modern Management of desktops when deploying Windows 10 with Horizon 7.


 

You've finished Module 4

 

Congratulations on completing  Module 4

If you are looking for additional information on Horizon, try one of these:

Proceed to any module below which interests you most.

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 5 - Integrate Horizon with Workspace ONE Access (60 minutes)

Introduction


VMware Workspace ONE Access can be deployed on-premises or consumed as a cloud service. Deployment of WS1 Access is outside the scope of this lab.

In this module you will integrate VMware Horizon with an on-premises installation of VMware Workspace ONE Access. The Workspace ONE Access appliance has already been deployed, and you will configure it for Horizon integration.

  • Lesson 1 - Prepare for Horizon integration with WS1 Access
  • Lesson 2 - Configure SAML authentication
  • Lesson 3 - Configure Horizon Pods and Pod Federations in WS1 Access
  • Lesson 4 - Launching Horizon desktops and applications from Workspace ONE
  • Lesson 5 - Configure Access and Network Policies and Client Access URL
  • Lesson 6 - Launching Horizon Desktops with Deny Access Policy Rule

 

Integrating Horizon with Workspace ONE Access

 

Integrating VMware Horizon with the VMware Workspace ONE Access service lets you provide users the ability to access their entitled Horizon desktops and applications from the Workspace ONE portal or app. You can integrate independent Horizon pods, which consist of Horizon Connection Server instances, and pod federations, which contain multiple pods and can span multiple sites and data centers.

You deploy and manage desktop and application pools in the Horizon Administrator interface. You also create entitlements for Active Directory users and groups in Horizon, not in WS1 Access. You must sync these users and groups to the WS1 Access service from Active Directory before integrating with Horizon.

To integrate Horizon pods and pod federations with WS1 Access, you create one or more virtual apps collections in the WS1 Access administration console. The collections contain the configuration information for the pods and pod federations, as well as sync settings. You then sync the Horizon resources and entitlements to WS1 Access.

In the WS1 Access administration console, you can view the Horizon desktops and applications. You can also view user and group entitlements.

End users can run their entitled desktops and applications from the Workspace ONE portal or app. These desktops and apps can be accessed over HTML in a browser or over a supported display protocol in the Horizon Client.

 

Prepare for Horizon Integration with Workspace ONE Access


Integrating Horizon with Workspace ONE Access enables you to sync desktop and application resources, along with entitlements (assignments) to these resources to Access.  

An Access appliance (vidm-01.corp.local) has already been deployed and configured for integration with the Horizon-01.corp.local Connection Server.

In this lesson, you will integrate the Horizon-02 Connection Server with WS1 Access. VMware Horizon has already been installed on Horizon-02.corp.local.

In this section you will use the Horizon Console to verify desktop entitlements, which will be used for WS1 Access integration.


 

Launch Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Horizon Console

 

  1. Select Horizon from the bookmarks bar
  2. Select Horizon-02-AdminConsole

 

 

Login to Horizon Console

 

  1. User name: administrator
  2. Password: VMware1!
  3. Click Sign in

 

 

Navigate to Desktop Pool

 

  1. Select Desktops from the Inventory drop-down

 

 

Select the Desktop Pool

 

  1. Select Manual-Pool from the list of Desktop Pools

 

 

Review Entitlements

 

  1. Select Entitlements
  2. Verify the Domain Users group has been entitled to the Desktop Pool

 

 

Navigate to Machines

 

  1. Click the Machines tab
  2. Note there are currently no VMs in this pool
  3. Click ADD

 

 

Add VM to Desktop Pool

 

  1. Check the box to select base-w10-x64-01
  2. Click OK

 

 

Success

 

Wait for the success message

 

 

Refresh Horizon Console

 

  1. Refresh the window
  2. Verify the VM is added to the pool

 

 

Leave the Horizon Console Open

 

Leave the VMware Horizon Console tab open in Chrome, as you will use it in the next lesson.

 

Configure SAML Authentication


Workspace ONE provides users with the ability to run Horizon applications and desktops from a user portal. WS1 Access provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.

In this section, you will configure SAML authentication in Horizon.


 

Configure SAML Authentication on Horizon Connection Server

To launch remote desktops and applications from Workspace ONE Access or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon.

A SAML authenticator contains the trust and metadata exchange between Horizon and the device to which clients connect.

You associate a SAML authenticator with a Connection Server instance. If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.

 

 

SAML Configuration Complete

You have successfully configured your Horizon Connection Server for SAML authentication.

 

 

Next Steps

Leave Chrome running as you will use it in the next lesson.

 

Configure Horizon Pods and Pod Federations in Workspace ONE Access


Workspace ONE Access is an Identity as a Service (IDaaS) offering, providing application provisioning, self-service catalog, conditional access controls and Single Sign-On (SSO) for SaaS, web, cloud and native mobile applications.

You can integrate the following types of resources with Workspace ONE Access:

  • Web applications
  • VMware Horizon Cloud Service applications and desktops
  • VMware Horizon desktop and application pools
  • Citrix-published resources
  • VMware ThinApp packaged applications

In this lesson you will configure Workspace ONE Access for integration to an existing, on-premises VMware Horizon pod.


 

Integrate Horizon Cloud Pod Architecture Pod Federations with Workspace ONE Access

 

The Horizon Cloud Pod Architecture (CPA) feature links together multiple Horizon pods to form a single, large desktop and application brokering and management environment called a pod federation. A pod federation can span multiple sites and data centers.

While CPA is outside the scope of this lab, note that WS1 Access can be integrated with both single Horizon pods as well as CPA pod federations.

 

 

Integrate an Independent Horizon Pod with WS1 Access

To integrate Horizon pods in WS1 Access, you create one or more virtual apps collections in the WS1 Access administration console. The collections contain the configuration information for the Horizon Connection Servers as well as sync settings.

 

 

Open a New Tab in Chrome

 

  1. Open a New Tab in the Chrome browser.

 

 

Navigate to the Workspace ONE Access Login Page

 

  1. Select WS1 from the shortcut menu
  2. Select VIDM-01 Admin

 

 

Choose System Domain

 

  1. Click the drop-down menu to select a domain
  2. Select System Domain
  3. Clear the checkbox for Remember this setting
  4. Select Next

The System Directory is a local directory that is automatically created in the service when WS1 Access is initially set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it. Nor can you delete the System Directory or the System Domain.

The local administrator user that is created when you first set up the WS1 Access appliance is created in the System Domain of the System Directory.

The System Directory is typically used to set up a few local administrator users to manage the service. In the following step you will authenticate with a local administrator account called admin.

 

 

Sign In to Workspace ONE as Admin

 

  1. username = admin
  2. password = VMware1!
  3. Select Sign in

 

 

Create Virtual Apps Collection

You can integrate Horizon desktops and applications, Horizon Cloud desktops and applications, Citrix published resources, and ThinApp applications with WS1 Access.

 

Launching Horizon Desktops and Applications from Workspace ONE


Workspace ONE provides users with the ability to run Horizon applications and desktops from a user portal. WS1 Access provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.

In this section you will authenticate to Workspace ONE as an end user, then launch Horizon resources.


 

Log Out of Previous Workspace ONE Sessions

In this exercise you will connect to Workspace ONE using end user credentials. To do this, it is important that any existing Workspace ONE sessions are logged off.

 

 

Navigate to Existing Workspace ONE Tab in Chrome

 

  1. Navigate to the VMware Workspace ONE tab in Chrome.

You should still have Chrome opened with a tab for VMware Workspace ONE.

 

 

Logout of VIDM-01

 

  1. Select the drop-down menu next to the logged on user
  2. Select Logout

 

 

Go Back to Login Page

 

  1. Select Go back to login page

 

 

Change Domain

 

 

 

Verify Authentication Domain

 

  1. Verify the domain selected is corp.local
  2. Select Remember this setting
  3. Select Next

 

 

Authenticate to Workspace ONE as an End User

 

  1. username = user1mod1
  2. password = VMware1!
  3. Select Sign in

 

 

 

Review Workspace ONE Preferences

Once logged on to Workspace ONE, your catalog of applications and desktops is available.

 

 

Navigate to User Settings

 

  1. Select the drop-down menu
  2. Select Settings

 

 

Review Horizon Remote Apps Configuration

 

Workspace ONE is currently configured to launch apps and desktops using the Horizon Client.

While this option provides the best overall user experience, Horizon also supports HTML access for added flexibility.

 

 

Configure Horizon Remote Apps for Browser

 

  1. Select Browser
  2. Click UPDATE

 

 

Navigate to Apps Catalog

 

  1. Select Apps

 

 

View All Apps

 

  1. Click All Apps

 

 

Launch Remote Desktop

 

  1. Click the star to make Man-Pool1 a favorite
  2. Select Open on the Man-Pool1 desktop pool

WS1 Access checks the network and access policy rules, then passes a SAML token to Horizon to start and authenticate to the remote desktop or application.

 

 

Allow Popups

 

If you get a popup warning while connecting to the Horizon desktop pool:

  1. Click the popup settings
  2. Select Always allow pop-ups...
  3. Click Done

 

 

VMware Horizon HTML Access

 

  1. The remote desktop is opened in a new Chrome tab
  2. Click to expand the Horizon Client controls

 

 

Log Out of Windows

 

  1. Select Options for the running VM
  2. Select Log Off

 

 

Confirm Log Off

 

  1. Select OK
  2. Select Close

 

 

Sign out of Horizon HTML Access

 

  1. Select Options for Horizon
  2. Select Log out

 

 

Confirm Log Off

 

  1. Select OK

 

 

Sign Out of Workspace ONE

 

  1. Expand the drop-down menu
  2. Select Sign Out

 

 

Sign In Page

 

Leave this page open as you will use it in the next exercise.

 

Configure Access and Network Policies and Client Access URL


The Workspace ONE Access service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.

A policy rule can also be configured to deny access to users by network range and device type.

When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

You should already be at the Workspace ONE login page. If so, skip to the Sign In step.


 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to the WS1 Access Login Page

 

  1. Select WS1 from the shortcut menu
  2. Select VIDM-01 Admin

 

 

Sign In

 

  1. Select Sign In

 

 

Change Authentication Domain

 

  1. The logon page is currently configured to authenticate to the corp.local domain
  2. Select Change to a different domain

 

 

Choose System Domain

 

  1. Click the drop-down menu to select a domain
  2. Select System Domain
  3. Clear the checkbox for Remember this setting
  4. Select Next

The System Directory is a local directory that is automatically created in the service when Identity Manager is first set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it. Nor can you delete the System Directory or the System Domain.

The local administrator user that is created when you first set up the WS1 Access appliance is created in the System Domain of the System Directory.

The System Directory is typically used to set up a few local administrator users to manage the service. In the following step you will authenticate with a local administrator account called admin.

 

 

Sign In to Workspace ONE

 

Authenticate to the System Domain as admin.

  1. username = admin
  2. password = VMware1!
  3. Select Sign in

 

 

Navigate to Policies

 

  1. Select Identity & Access Management
  2. Select Policies

 

 

Network Ranges

 

  1. Select Network Ranges

 

 

Verify Default Access Policy Settings

The WS1 Access service includes a default access policy that controls user access to their Workspace ONE portals and their Web applications. You can edit the policy to change the policy rules as necessary.

When you enable authentication methods other than password authentication, you must edit the default policy to add the enabled authentication method to the policy rules.

Each rule in the default access policy requires that a set of criteria be met to allow user access to the applications in the portal. You apply a network range, select which type of user can access the content, and select the authentication methods to use.

 

 

Create a New Access Policy to Deny Application Access

A policy rule can be configured to deny access to users by network range and device type.

You will create a rule to deny access to a Horizon published application when it is accessed from a specific network.

 

 

Configure Client Access URL

The client access URL is used to launch locally-entitled resources from the Horizon pod, when users request applications and desktops via Workspace ONE and Identity Manager.

In an earlier exercise you configured Horizon Virtual Apps, and supplied the FQDN of a single connection server to complete the Identity Manager integration with your Horizon pod.

In production Horizon implementations, it is common to configure a load-balancer virtual IP (VIP) in front of your Connection Servers or UAGs. The client access URL should be configured so it directs requests for Horizon resources to the VIP.

 

 

Configure Access and Network Policies and Client Access URL Complete

You have successfully:

  • Added and configured a network range.
  • Created an access policy to deny access to an application from a specific network range.
  • Configured the client access URL for access to your Horizon pod resources.

 

Launching Horizon Desktops with Deny Access Policy Rule


In the previous exercise you created a new network range for the corporate network, and a new policy to deny access for a specific Horizon resource when accessed from this network.

In this section you will authenticate to Workspace ONE as an end user, and attempt to launch the Horizon Desktop pool.


 

Navigate to VMware Workspace ONE Tab in Chrome

You should already have Chrome open with a tab to VMware Workspace ONE. If so, you can skip the next couple of steps and proceed to Authenticate to Workspace ONE as an End User.

 

 

Launch Chrome Browser

 

  1. From the Desktop of the Main Console, double-click Google Chrome

 

 

Navigate to Workspace ONE

 

  1. Select WS1 from the Chrome bookmarks bar
  2. Select VIDM-01 Admin

 

 

Verify Domain

 

  1. Verify the domain selected is corp.local
  2. Select Next

 

 

Authenticate to Workspace ONE as an End User

 

  1. username = user1mod1
  2. password = VMware1!
  3. Select Sign in

 

 

View All Apps

 

  1. Select All Apps

 

 

Launch App

 

  1. Select OPEN for Man-Pool1

 

 

Access Denied Due to Policy

 

  1. Select OK

This time the Horizon Desktop cannot be opened due to the deny rule you created in the previous exercise.

 

 

Conclusion


Congratulations!  You have now completed Module 5.  You should be familiar with the integration of Horizon with VMware Workspace ONE Access.  


 

Horizon Integration

 

If you are looking for additional information:

  • Click on this link
  • Or use your smart device to scan the QR code.

Proceed to any module below which interests you most.

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 6 - Single Sign-On with True SSO and Workspace ONE Access (30 Minutes)

Introduction


This Module contains the following lessons:

  • True SSO Overview
  • Setup RADIUS as an Authentication Adapter
  • Create Network Range and Modify Policy
  • Verify SSO via RADIUS
  • Single Sign-on to Horizon with True SSO

True SSO Overview


True SSO provides a way to authenticate to Microsoft Windows, retaining all of the user's normal domain privileges, without requiring them to provide AD credentials. True SSO is a VMware Horizon technology that integrates VMware Identity Manager with Horizon. With the True SSO (single sign-on) feature, after users log in to VMware Identity Manager using a smart card or RSA SecurID or RADIUS authentication, users are not required to also enter Active Directory credentials in order to use a virtual desktop or published desktop or application.

True SSO uses SAML (Security Assertion Markup Language) to send the User Principal Name (for example, jdoe@example.com) to the identity provider's authentication system to access AD credentials. Horizon then generates a unique, short-lived certificate for the Windows login process.


 

Benefits of True SSO

  • Separates authentication (validating a user's identity) from access (such as to a specific Windows desktop or application).
  • Provides enhanced security. User credentials are secured by a digital certificate. No passwords are vaulted or transferred within the data center.
  • Supports a wide range of authentication methods. Selecting or changing authentication protocols has a limited impact on the infrastructure of the enterprise.

 

 

How True SSO Works

 

  1. User authenticates to VMware Identity Manager using an extensive set of authentication methods (RSA SecurID, RADIUS, Biometric, etc.). After authentication the user selects a desktop or application to launch.
  2. Horizon Client is launched with the user's identity, and credentials are directed to the Connection Server.
  3. The connection server validates the user's identity with Identity Manager by sending a SAML assertion.
  4. Using the certificate enrollment service, Horizon requests that the Microsoft Certificate Authority (CA) generate a temporary, short-lived certificate on behalf of that user.
  5. Horizon presents the certificate to the Windows operating system.
  6. Windows validates the authenticity of the certificate with Active Directory.
  7. The user is logged in to the Windows desktop or application, and a remote session is initiated on the Horizon Client.

 

 

TrueSSO Architecture

 

For True SSO to function, several components must be installed and configured within the environment. The enrollment server is responsible for receiving certificate signing requests (CSR) from the Connection Server. The enrollment server then passes the CSRs to the Microsoft Certificate Authority to sign using the relevant certificate template. The Enrollment Server is a lightweight service that can be installed on a dedicated Windows Server instance, or it can co-exist with the MS Certificate Authority service.

True SSO cannot be co-located on a Connection Server.

 

True SSO Configuration


When True SSO is enabled in Horizon, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can enable True SSO to prevent a password dialog box from being shown to users.


 

True SSO and SSO

Many user authentication options are available for logging in to VMware Workspace ONE Access.  Active Directory credentials are only one of these many authentication options. Ordinarily, using anything other than AD credentials would prevent a user from being able to single-sign-on to a Horizon virtual desktop or published application. After selecting the desktop or published app from the catalog, the user would be prompted to authenticate again, this time with AD credentials.

True SSO provides users with SSO to Horizon desktops and applications regardless of the authentication mechanism used. True SSO uses SAML, where Workspace ONE is the Identity Provider and the Horizon server is the Service Provider. True SSO generates unique, short-lived certificates to manage the login process.

 

 

High Level Configuration for True SSO

The high-level steps that need to be completed are below but we will not be performing them in this lab. They have already been set up for us in this lab to save time.

  1. Configure Horizon and VMware Identity Manager Integration.
  2. Install and configure Microsoft Certificate Authority service.
  3. Set up a certificate template for use with True SSO.
  4. Install and configure the enrollment servers. Setup Software on Enrollment Server.
  5. Export the Horizon certificate and import it to the Enrollment Server
  6. Run the following commands on the Connection Server (Horizon-01)
    1. vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --environment --add --enrollmentServer truesso-01.corp.local
    2. vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --environment --list --enrollmentServer truesso-01.corp.local --domain corp.local
    3. vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --create --connector --domain corp.local --template TrueSSOHOL --primaryEnrollmentServer truesso-01.corp.local --certificateServer controlcenter-ca --mode enabled
    4. vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --list --authenticator
    5. vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --authenticator --edit --name vidm-01 --truessoMode enabled

Note: These steps are already set up in this lab. The next steps are to turn on TrueSSO in Workspace ONE Access under the Virtual Apps. We will set up another Authentication source (RADIUS). We can then connect to vIDM with our RADIUS login and launch an application with no password prompt.

For more information on how to install and configure True SSO, see Setting Up True SSO.

 

Setup RADIUS as an Authentication Adapter


In this lesson we will set up RADIUS as an additional authentication method and configure it to work with our FreeRADIUS.net instance.

VMware Workspace ONE using Identity Manager allows for setting up Network Ranges and different authentication policies that can be assigned to different network ranges. For example, you might want your end-users to authenticate with their Active Directory credentials when they are in the office and connected to the corporate network.  You might want your users to use 2-factor authentication when working from home. You might have a group of users requiring Multi-Factor Authentication (MFA) because of the applications they can access.

For this lab, we are using FreeRADIUS.net to simulate a RADIUS-compatible authentication adapter; in a real-world scenario this could be your RSA server or any other 2-factor authentication solution supporting the RADIUS protocol. We have set up a different password (123456) from the default AD password (VMware1!) typically used in the HOL, so consider this your RSA token. We will start this simulation in the next steps.

We will walk through the configuration of the RADIUS authentication adapter within Workspace ONE Identity Manager and assign RADIUS authentication to all connections coming from a specific network range.


 

Start FreeRADIUS.net

 

  1. Open the Start Menu on the main console
  2. Select FreeRADIUS START
  3. Verify FreeRADIUS is started and Ready to process requests.

Attention: Please leave the FreeRADIUS START window open or minimize it, but DO NOT close it.

 

 

Launch Browser

 

From the main console, open Google Chrome.

 

 

Open Identity Manager Console

 

  1. Click WS1 on the Bookmark bar and open VIDM-01 Admin to open Management Console
  2. If prompted for Select your domain, confirm corp.local and click Next

 

 

Login to Identity Manager

 

  1. Username: administrator
  2. Password: VMware1!
  3. Click Sign in

 

 

Setup Authentication Adapters

 

  1. Click Identity & Access Management tab
  2. Click Setup on the tab to the right next to manage
    1. You should be on the Legacy Connectors tab
  3. Click on conn-01 under Worker. conn-01 is the Workspace ONE Access Connector that is already set up to handle synchronization of the directory / Horizon and to configure authentication.

 

 

Modify Authentication Adapters

 

  1. Click Auth Adapters in the center top
  2. Click RadiusAuthAdapter at the bottom. Notice that it is disabled; we will enable it in the next step.

This will redirect you to the Admin Console to edit the Authentication Adapter.

 

 

Configure RADIUS

 

Note: Leave all of the settings that we don't mention below at their defaults.

  1. Check 'Enable RADIUS Adapter'
  2. Check 'Enable direct authentication to Radius server during auth chaining'
  3. Set 'Number of attempts to Radius server' to 5
  4. Set 'Server timeout in seconds' to 5
  5. Specify 192.168.110.10 as the RADIUS server IP. This is the IP of the Main Console where we are running FreeRADIUS.
  6. Scroll down
  7. Set Accounting port to 1813
  8. Choose PAP as Authentication type
  9. Enter HOLrocks! as the shared secret
  10. Leave configuration for secondary server empty
  11. Click Save

Confirm no errors at the top.
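What the PAP authentication type and the shared secret configured above do on the wire, as an added example (not part of the lab and not Workspace ONE Access or FreeRADIUS code): the User-Password hiding defined in RFC 2865, section 5.2. The shared secret and RADIUS password are the lab's values used as sample input; the Request Authenticator is generated or constructed here.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest size; RFC 2865 hides the password in 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password attribute value for a PAP request."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits the password to 128 octets")
    blocks = max(1, -(-len(password) // BLOCK))          # round up, at least one
    padded = password.ljust(blocks * BLOCK, b"\x00")      # pad with NULs
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # b1 = MD5(secret + RA), b(n) = MD5(secret + c(n-1)); c(n) = p(n) XOR b(n)
        mask = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + BLOCK], mask)
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        clear += _xor(chunk, mask)
        prev = chunk
    return clear.rstrip(b"\x00")


SHARED_SECRET = b"HOLrocks!"   # shared secret entered in the adapter settings
RADIUS_PASSWORD = b"123456"    # the lab's FreeRADIUS password


def demo() -> dict:
    """Hide and recover the lab password with a fresh random authenticator."""
    authenticator = os.urandom(BLOCK)
    hidden = hide_password(RADIUS_PASSWORD, SHARED_SECRET, authenticator)
    return {
        "hidden_len": len(hidden),
        "server_sees": recover_password(hidden, SHARED_SECRET, authenticator),
        # A party with a different secret does not get the password back.
        "other_secret_sees": recover_password(hidden, b"not-the-secret", authenticator),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With PAP the password is protected only by an MD5-derived mask keyed with the shared secret, so the secret should be long, random and unique per RADIUS client, and the RADIUS traffic kept on a trusted network segment.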

 

 

Confirm RadiusAuthAdapter is Enabled

 

Confirm that RadiusAuthAdapter shows Enabled.

 

 

Return to Admin Console

 

Close this tab to return to the Admin Console

 

Create Network Range and Modify Policy


To limit RADIUS authentication to clients in a specific network, we have to create a network range and modify the default policy to use RADIUS for that range. We will be logging in from a Windows 10 desktop in the Instant Clone pool, so we will use that desktop's network range for RADIUS authentication.


 

Manage Policies

 

  1. Click Manage on the right side next to Setup
  2. Click Policies
  3. Click Network Ranges

 

 

Add Network Range

 

Click Add Network Range

 

 

Define the Network Range

 

  1. Enter RADIUS Test as 'Name' for the network range
  2. Provide a description RADIUS Test (optional)
  3. Enter 192.168.100.1 as 'From'
  4. Enter 192.168.100.255 as 'To'
  5. Click Save

This will add all the 192.168.100.xxx IP addresses to the RADIUS Test network range and will include our test VM.

 

 

Verify the new network range has been added

 

  1. Verify RADIUS Test IP Address Range was created
  2. Close the Network Ranges Window

 

 

Change default access policy

 

Click default_access_policy_set

 

 

Edit the default Policy

 

Click Edit

 

 

Ignore Warning

 

  1. Click the X to ignore the warning about modifying the default policy
  2. Click Next

 

 

Add Policy Rule

 

Click Add Policy Rule

We will add a policy rule to use RADIUS for our newly created RADIUS Test network range.

 

 

Configure Policy Rule

 

  1. Select RADIUS Test from dropdown menu for "If a user's network range is"
  2. Select Web Browser from dropdown menu for "and user accessing content from"
  3. Select RADIUS from dropdown menu for "then the user may authenticate using"
  4. Select Password from dropdown menu for "If the preceding method fails or is not applicable, then"
  5. Scroll Down

 

 

Advanced Properties

 

  1. Click on Advanced Properties

Besides setting the time after which a user has to re-authenticate, you can configure a Custom Error Message, Custom Error Link Text and a Custom Error Link URL, where you could guide the user to a how-to document or further information on how to resolve any issues with authentication.

Please take a minute to look at all the different authentication method options, which allow you to set up different authentication methods for different devices/access methods and locations (based on network range). You can also combine multiple authentication methods if you need more than 2-factor authentication.

  1. Click Save

 

 

Change Policy Rule Order

 

  1. Hover the mouse cursor over Radius Test until the cursor changes, then click on Radius Test and keep the button pushed
  2. Drag the rule all the way to the top
  3. Release the Radius Test Policy Rule

 

 

Verify Rule Order

 

  1. Verify Radius Test is listed as the first rule
  2. Click Next

 

 

Policy Summary

 

  1. Verify Policy Rule
  2. Click Save

You have set up a new policy rule to use RADIUS authentication with the IP range specified. Next we will test connecting from a desktop in that IP range and confirm that we are prompted for our RADIUS passcode instead of our AD password.
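The rule ordering configured above, as an added example that is not part of the lab manual or of any VMware code: a simplified Python model of first-match policy evaluation using the lab's RADIUS Test range. The catch-all rule, the `usable` set of working authentication methods, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class NetworkRange:
    name: str
    first: IPv4Address  # the 'From' field
    last: IPv4Address   # the 'To' field

    def contains(self, ip: str) -> bool:
        # Both ends of the range are inclusive.
        return self.first <= IPv4Address(ip) <= self.last

    def covers(self, other: "NetworkRange") -> bool:
        # True when every address of `other` is also in this range.
        return self.first <= other.first and other.last <= self.last


@dataclass(frozen=True)
class PolicyRule:
    network_range: NetworkRange
    client_type: str             # "and user accessing content from"
    auth_chain: Tuple[str, ...]  # primary method, then fallback methods


def net(name: str, first: str, last: str) -> NetworkRange:
    return NetworkRange(name, IPv4Address(first), IPv4Address(last))


# Values taken from the lab steps.
RADIUS_TEST = net("RADIUS Test", "192.168.100.1", "192.168.100.255")
RADIUS_RULE = PolicyRule(RADIUS_TEST, "Web Browser", ("RADIUS", "Password"))

# Constructed stand-in for a pre-existing catch-all rule (assumption).
EVERYWHERE = net("Everywhere (constructed)", "0.0.0.0", "255.255.255.255")
CATCH_ALL_RULE = PolicyRule(EVERYWHERE, "Web Browser", ("Password",))


def match_rule(rules: List[PolicyRule], client_ip: str,
               client_type: str) -> Optional[PolicyRule]:
    """Return the first rule whose range and client type both match."""
    for rule in rules:
        if (rule.client_type == client_type
                and rule.network_range.contains(client_ip)):
            return rule
    return None


def select_auth_method(rules: List[PolicyRule], client_ip: str,
                       client_type: str, usable: Set[str]) -> Optional[str]:
    """Method the user is prompted for, or None when nothing applies."""
    rule = match_rule(rules, client_ip, client_type)
    if rule is None:
        return None
    for method in rule.auth_chain:
        if method in usable:  # skipped methods model "not applicable"
            return method
    return None


def shadowed_rules(rules: List[PolicyRule]) -> List[str]:
    """Ranges whose rule can never fire: an earlier rule for the same
    client type already covers every address in the range."""
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.client_type == rule.client_type
                    and earlier.network_range.covers(rule.network_range)):
                shadowed.append(rule.network_range.name)
                break
    return shadowed


if __name__ == "__main__":
    both = {"RADIUS", "Password"}
    ordered = [RADIUS_RULE, CATCH_ALL_RULE]     # RADIUS Test dragged to top
    misordered = [CATCH_ALL_RULE, RADIUS_RULE]  # RADIUS Test left at bottom
    for label, rules in (("ordered", ordered), ("misordered", misordered)):
        method = select_auth_method(rules, "192.168.100.185",
                                    "Web Browser", both)
        print(label, "->", method, "| shadowed:", shadowed_rules(rules))
    # RADIUS adapter not usable: the rule's fallback hands out Password.
    print("fallback ->", select_auth_method(
        ordered, "192.168.100.185", "Web Browser", {"Password"}))
```

In this model, leaving the RADIUS Test rule below a broader rule means it never fires, and the Password fallback applies whenever RADIUS is not usable, which are the two things to check when reviewing a policy like the one built in this lab.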

 

Enable True SSO for the Virtual Apps Collection


The next steps are to turn on True SSO in vIDM under the Virtual Apps configuration.


 

Virtual Apps in Workspace ONE Access

 

  1. In the Workspace ONE Access admin console, click on the Catalog pull down
  2. Select Virtual Apps Collection

 

 

Virtual App Configuration

 

Click on the Virtual Apps Collection named Horizon

 

 

Edit Horizon Collection

 

Click Edit

 

 

Select Connector

 

Click Next

 

 

Update Horizon Connection Server Configuration

 

  1. Notice that True SSO is set to disabled currently
  2. Click on the Horizon Connection Server horizon-01.corp.local
  3. Set True SSO to Enabled
  4. Click Save

 

 

Verify True SSO Enabled

 

Verify that True SSO is now enabled

Click Next

 

 

Configuration Tab

 

Click Next

 

 

Summary Tab

 

Review configuration and click Save

 

Verify SSO via RADIUS with True SSO


Now we will test the RADIUS authentication. We will first open a Windows 10 VM via the Horizon Client and then log in via RADIUS authentication from that VM, which is in the IP range we specified.


 

Open the Horizon Client

 

Open Horizon Client from the Main Console desktop

 

 

Connect to Horizon-01

 

Click horizon-01.corp.local

 

 

Login to Horizon-01

 

  1. User name: user1mod1
  2. Password: VMware1!
  3. Click Login

 

 

Open Instant Clone Pool

 

Double-click Instant Clone Pool to open the Windows10 VM

 

 

Open Google Chrome Browser in the Windows 10 VM

 

Wait for the Instant Clone VM to load, then

  1. Notice the subnet of the VM is 192.168.100.xxx (which is within the Network Range we defined earlier in the policy)
  2. Open the Google Chrome Browser

 

 

Connect to Workspace ONE Access Server

 

  1. Browse to https://vidm-01.corp.local
  2. If prompted, confirm domain is set to corp.local and click Next

 

 

Authenticate using RADIUS

 

Since the IP address of our test VM is within the RADIUS test network range (192.168.100.180-192.168.100.190) we defined earlier, we now (as expected) get prompted for the RADIUS Passcode instead of our CORP.LOCAL domain password.

  1. Notice "Please enter RADIUS Passcode" message
  2. Username: user1mod1
  3. RADIUS Passcode: 123456
  4. Click Sign In

 

 

Workspace ONE Intelligent Hub Favorites Tab

 

Since we are logging in as a new user, there are no favorite applications defined.  Click the Apps tab to see the applications assigned to this user.

 

 

Workspace ONE Intelligent Hub Applications

 

You will now see all applications which are assigned to the user.  

Let's launch an application and verify that we are not prompted for login or password for AD using True SSO.

  1. Click on All Apps
  2. Click on Open for the Horizon Application Calculator.

 

 

Launch an Application to verify SSO with True SSO

 

  1. You will see a separate tab open up on the browser and credentials passed to the Horizon-01 environment. It may take a minute in this limited lab environment to open up this application.
  2. Verify that Calculator launches and doesn't ask for login. You may need to close the Horizon slide out to see the application. To close the slide out just click on the three lines on the pull out.
  3. Click X to close the calculator app.

 

 

Disconnect and Log off

 

  1. Click Options at the top of the Windows 10 VM window
  2. Select Disconnect and Log Off
  3. Click OK

 

 

Close Horizon Client

 

Click the X to close the Horizon Client

 

Conclusion


In this module we went over Single Sign-on with TrueSSO and Workspace ONE Access.


 

You've finished Module 6

 

Congratulations on completing  Module 6.

If you are looking for additional information on Single Sign On with True SSO and Workspace ONE Access, try one of these:

Proceed to any module below which interests you most.

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 7 - Dynamic Environment Manager (DEM) (60 Minutes)

Introduction - Dynamic Environment Manager


VMware Dynamic Environment Manager (DEM) offers personalization and dynamic policy configuration across any virtual, physical, or cloud-based Windows desktop environment. Dynamic Environment Manager simplifies end-user profile management by providing organizations with a single, light-weight, and scalable solution that leverages existing infrastructure. It accelerates time-to-desktop and time-to-application by replacing bloated roaming profiles and unmaintainable, complex logon scripts. It maps environmental settings (such as networks and printers), and dynamically applies end user security policies and personalizations. This focused, powerful, and scalable solution is engineered to deliver workplace productivity while driving down the cost of day-to-day desktop support and operations.


 

Features

  • Centralized and Simplified Management of Windows Environments
  • Dynamic, Contextual Policy Management
  • Consistent User Experience Across Devices and Locations
  • Integration with Horizon through Smart Policies
  • Easy Start for Adding Applications and Environment Settings to Manage
  • Application Templates and Application Profiler
  • Self-Support Tool
  • Helpdesk Support Tool

 

 

Use Cases

Some of the most popular reasons why enterprises choose Dynamic Environment Manager:

  • Saving Users' Settings Across Devices for a consistent user experience
  • Improving Logon Times by carrying out tasks dynamically, if and when needed, instead of all at logon time
  • Managing Least Privileges to improve IT ops by using privilege elevation instead of granting local admin privileges to end users
  • Providing Desktops Just in Time, giving users flexibility to customize while maintaining non-persistent desktops for streamlined management

 

 

Dynamic Environment Manager Standard Edition

Historically, DEM has been included with Horizon 7 Enterprise licensing, or could be purchased stand-alone for use with Horizon Standard and Advanced licenses. With the release of Horizon 8 (2006), DEM licensing has been updated to make some DEM features available with all Horizon licenses.

A new version, DEM Standard, is now available for Horizon 7 and Horizon 8 (2006) Standard and Advanced. DEM Standard edition includes the following features:

  • Personalization
  • User Environment Configuration - Drive mapping, folder redirection, logon/logoff tasks, and printer mapping
  • Condition Sets
  • Application Profiler
  • Helpdesk Support Tool

The full-featured DEM Enterprise continues to be bundled with Horizon Enterprise. DEM Enterprise provides all the capabilities of DEM Standard plus application blocking, privilege elevation, and more.

 

 

Components of Dynamic Environment Manager

Dynamic Environment Manager can be summarized in three parts:

  1. Management Console - Primary application interface for IT to configure and manage Dynamic Environment Manager.
  2. FlexEngine - Agent component, which is installed on the virtual or physical machines that you want to manage.
  3. File shares - Dynamic Environment Manager relies on a folder hierarchy to store configuration files in the configuration share and user data in the profile archives share.

 

 

Architecture of Dynamic Environment Manager

 

This overview of the architecture shows how the components relate to each other. All components of Dynamic Environment Manager that you deploy communicate with each other by using the SMB protocol.

  • Dynamic Environment Manager GPO - You create a GPO for each Active Directory organizational unit (OU) you want to manage.
  • Dynamic Environment Manager NoAD Mode - The NoAD mode is an alternative to configuring Dynamic Environment Manager with Active Directory Group Policy. You do not need to create a GPO, logon and logoff scripts, or configure Windows Group Policy settings.  In NoAD mode, all Dynamic Environment Manager GPO settings are ignored. If settings from a previous GPO-based deployment are encountered, no actions are performed and a message is logged to the FlexEngine log file.  You can provide the settings for configuring Dynamic Environment Manager with the NoAD mode through an XML file on the central configuration share. When a user logs in, FlexEngine reads the settings from the XML file and applies them to the registry.
  • Dynamic Environment Manager Management Console - You use this Dynamic Environment Manager administrative UI to configure application settings, Windows environment manager settings, conditions under which the settings go into effect, and various other configuration settings and Horizon Smart Policies for things like printer mapping, attaching devices to the virtual desktop or application, and the ability to copy and paste text.
  • Dynamic Environment Manager Application Profiler - For the few applications for which you cannot find an already-created application template, you can use this standalone application that analyzes where the application stores its file and registry configuration, and also set the initial configuration state of the application.
  • Central configuration share - You create this file share to store the Management Console configuration and Dynamic Environment Manager configuration files. The Dynamic Environment Manager agent (FlexEngine) on virtual desktops and RDSH servers reads the configuration file on this share and applies the settings specified in the configuration file.
  • Network folder per user - In this file share that you create, each folder, or profile archive, contains ZIP files where the Dynamic Environment Manager agent (FlexEngine) stores the personalized settings of a user. For each Dynamic Environment Manager (Flex) configuration file that you create, FlexEngine creates a profile archive for each user.
  • Dynamic Environment Manager Helpdesk Support Tool - This tool provides capabilities to support and maintain the Dynamic Environment Manager profile archives and profile archive backups.
  • Clients with Dynamic Environment Manager FlexEngine - The agent software, FlexEngine, runs on each virtual desktop or RDSH server whose applications are to be managed. This agent reads the centralized configuration file, applies Dynamic Environment Manager settings, and saves those user settings that end users are allowed to control. In this client-server architecture, the FlexEngine agent software plays the client role, and the Dynamic Environment Manager Flex configuration file plays the server role.
  • SyncTool - Laptop users who are not always connected to the corporate network need access to their Dynamic Environment Manager configuration files while offline. SyncTool makes all VMware Dynamic Environment Manager configuration files available locally and synchronizes changes when users connect to the corporate network. Additionally, users with a slow WAN connection can use local Dynamic Environment Manager configuration files, thus limiting network traffic and avoiding continuously roaming personal settings.

This lab is using NoAD Mode.

 

 

Easy Start

 

This has already been done for you in this lab.

By default, Dynamic Environment Manager does not manage any applications or environment settings after you install it. You must specify which applications and settings to manage. Although this approach takes a little more work up front, this solution prevents excessive profile growth and profile corruption, enables user settings to roam across Windows versions, and gives you granular control to manage as much or as little of the user experience as needed.

To help with getting started, the Easy Start button instantly adds many common Windows applications, including several versions of Microsoft Office, to the list of applications managed by Dynamic Environment Manager. Many Windows environment settings are also added by Easy Start. You can then easily select an application or Windows setting to review and change the default settings.

 

Personalization


With Dynamic Environment Manager personalization, end users can roam between physical, virtual, and cloud-based devices while preserving custom application and Windows settings. When a user logs in to a virtual desktop or application, Dynamic Environment Manager reads the profile archive file for that user's profile and dynamically applies customized settings. Whether roaming from device to device, or accessing non-persistent virtual machines, DEM personalization provides consistent user experience.


 

Configuring Application and Windows Personalization

Dynamic Environment Manager provides granular control over which apps or settings may be persisted between sessions. As the IT administrator, you control personalization through the use of application and Windows templates. A number of templates are included with DEM. In this lab, several templates have already been applied using the Easy Start feature. You can create your own templates using a simple utility, which is covered in the Application Profiler exercise. You also have the option to download a variety of templates from VMware. See the feature walkthrough on Tech Zone for more information on this feature.

 

 

Open DEM Management Console

 

From the Main Console, double-click the DEM Management Console shortcut on the desktop.  This will open up the Dynamic Environment Manager Management Console.

You may need to minimize the Chrome Browser so you can see the desktop.

 

 

Personalization of Applications in DEM

 

  1. Click the Personalization tab
  2. Expand the Applications by clicking the + sign by the applications under General
  3. Click on Wordpad
  4. Note that DirectFlex is configured and enabled for this application

The personalization template for Wordpad has been applied for you using the DEM Easy Start feature.

In this exercise you will open Wordpad, customize the layout, and verify those changes persist between sessions.

Leave the DEM management console open as you will use it again later in this exercise.

 

 

 

Connect to Horizon Instant Clone non-persistent VM

The Instant Clone desktop pool is configured for one-time use Windows 10 desktops, which are discarded at logoff.

 

 

 

Take Note of VM Host Name

 

Once you are logged in, review and note the VM host name printed on the desktop. It may take several seconds after logon for this information to appear.

Note: You may get a different VM than what is pictured in this lab manual. Just take note of your host name as it will be used later in this exercise.

 

 

Open Wordpad

 

From the desktop of the instant clone VM, double-click the Wordpad shortcut.

 

 

Personalize Wordpad

 

  1. Clear the checkboxes for Ruler and Status Bar.
  2. Change the Measurement units from Inches to Centimeters.

 

 

Close Wordpad

 

Click the X to close Wordpad.

 

 

Disconnect and Log Off the Instant Clone VM

 

  1. Click Options
  2. Click Disconnect and Log Off

 

 

Confirm Disconnect and Log Off

 

Click OK to confirm.

The instant clone VM is immediately deleted and recreated.

 

 

Open Desktop Pool

 

Double-click Instant Clone Pool to connect to a new Windows 10 instant clone VM.

 

 

Take Note of VM Host Name

 

While your host name may not match this screen shot, you should be connected to a different Windows 10 instant clone VM than you had previously.

 

 

Open Wordpad

 

From the desktop of the instant clone VM, double-click the Wordpad shortcut.

 

 

Verify Personalization Persisted Custom Settings

 

  1. Click View
  2. Verify checkboxes for Ruler and Status Bar are still cleared.
  3. Verify the Measurement units is still configured for Centimeters.

 

 

Close Wordpad

 

Click the X to close Wordpad.

Leave the Instant Clone Pool VM running as you will use it again in the next section.
Minimize the window if you need to.

 

 

Adding User Environment Configurations to Personalization

Along with persisting custom user settings, DEM personalization can be used to customize the user environment while an application is in use.

In this exercise you will configure Wordpad personalization to map a drive at application open and disconnect the drive at application close. This type of dynamic drive mapping ensures resources are only consumed if and when they are needed, rather than performing unnecessary actions at logon.

 

 

Navigate to the DEM Management Console

 

If you do not still have the DEM management console running, open it from the Main Console desktop shortcut.

 

 

Add a Drive Mapping

 

  1. Click Personalization
  2. Navigate to Wordpad
  3. Select the User Environment tab
  4. Click Add
  5. Click Drive Mapping

 

 

Complete Drive Mapping Configuration

 

  1. Name: Map Apps
  2. Drive letter: E
  3. Remote path: \\controlcenter\sourceapps
  4. Friendly name: Apps
  5. Select Undo at application exit
  6. Click Save

 

 

Save Config File

 

Click Save Config File to commit the changes.

 

 

Navigate to the Instant Clone Pool

 

Click to maximize the Instant Clone Pool VM.

 

 

Open Windows Explorer

 

From the Instant Clone VM, click Windows Explorer

 

 

Arrange the Window

 

  1. Click This PC
  2. Click View
  3. Click Small icons
  4. Drag the Explorer window to one side of the screen so you can easily see the drive mappings during the next steps.

 

 

Review Mapped Drive

 

Note that the E:\ drive is mapped as Wordpad opens.

 

Application Profiling


Application Profiler is a standalone tool that helps you determine where in the file system or registry an application is storing its user settings. The output from Application Profiler is a configuration file (template) which can be used to preserve and roam application settings for your end users. Optionally, you can record a default set of application settings, and apply and/or enforce these defaults for your users based on a variety of conditions.

Application Profiler analyzes where an application stores its file and registry configuration. The analysis results in an optimized Flex configuration file, which you can edit in the Application Profiler or use directly in the Dynamic Environment Manager environment.

With Application Profiler, you can also create application-specific predefined settings, with which you can set the initial configuration state of applications. Save the Flex configuration file with predefined settings to export the current application configuration state.

Application Profiler is licensed as a VMware Dynamic Environment Manager component.


 

Application Profiling Overview

To profile an application, follow these simple steps:

  1. Start Application Profiler.
  2. From within Application Profiler, invoke the application you want to profile.
  3. In the background, Application Profiler monitors the registry and file system actions of the running application.
  4. Change the necessary settings in the application to make sure that all application settings are saved, and exit the application.
  5. Application Profiler stops monitoring and outputs the collected information as a Flex configuration file.

 

 

Launch Dynamic Environment Manager Management Console

 

If you already have the DEM management console running from a previous exercise, skip this step.

From the Main Console, double-click the DEM Management Console shortcut on the desktop. This will open up the Dynamic Environment Manager Management Console.

 

 

Applications with Flex Configuration Files

 

In the left side expand the Applications folder to view the list of Flex configuration files in this environment. DEM provides personalization only for those applications and Windows settings you configure by adding Flex configuration files to the management console. You can add configuration files in several ways, including the use of downloadable templates. See the module on Personalization for more information.  

Notice Notepad++ is not in the list of applications.

In this module you will profile the Notepad++ application so you can provide personalization, predefined settings, and more for this application to your end users.

Minimize the DEM Management Console, but do not close it.

 

 

Open the Application Profiler

 

From the Main Console Desktop click on the DEM Application Profiler shortcut to open the Application Profiler tool.

 

 

Application Profiler Overview

The application profiler produces four files upon completion of profiling an app:

  1. INI - Dynamic Environment Manager configuration file containing the import and export locations. This file defines the parameters for Dynamic Environment Manager to manage the application.
  2. ICO - Icon used by Dynamic Environment Manager Management Console and the Self-Support tool.
  3. FLAG - Flag file for FlexEngine, when DirectFlex is enabled (default)
  4. ZIP - Contains the predefined user settings. (Only produced when creating predefined settings)

The ZIP file is not to be opened directly. It is critical to use the Edit Profile Archive button in the Application Profiler. Using anything else will render the file unreadable by FlexEngine!

 

 

Start Session

 

  1. Click Start Session from the top left toolbar of the Application Profiler.
  2. Navigate to and select Notepad++.
  3. Click OK.

The Application Profiler invokes the executable to start Notepad++. As you make changes to the application configuration, the Application Profiler monitors the file system and registry to track where the changes are made.

 

 

Customize Notepad++

 

  1. From the menu bar, select Settings
  2. Click on Preferences

 

 

Modify Various Settings

 

  1. From the Toolbar list, select Big icons.
  2. De-select the Show status bar check box.
  3. Close the preferences box.

Note: In this example exercise you are making minimal changes to the application. In practice, you should update many settings for an application to ensure all locations are captured by the Application Profiler tool. Remember, profiling an application is not about capturing specific settings, it is about learning where an application stores settings in the file system or registry. Some applications use the registry for some settings and an INI file for others. The more settings you change during profiling, the better the Application Profiler tool can learn to provide personalization for an application.

 

 

Close Notepad++

 

 

 

Finish Application Profiling the App

 

Application Profiler detects when Notepad++ has stopped running and terminates the monitoring process.

  1. The Application Profiler has determined the changes you made to the application settings were stored in <AppData>\Notepad++.
  2. Click OK

Leave the Application Profiler and continue to the next step.

 

 

Navigate to AppData

 

  1. Click Start
  2. Enter: %appdata%
  3. Press: Enter

 

 

Open Notepad++ Folder

 

Double-click Notepad++

 

 

Review Settings Changes

 

Notepad++ stores all sorts of configuration data in this location. During the application profiling process you changed two settings which were written to files in this location. Application Profiler will produce a Flex configuration file that monitors this entire directory for changes because it has learned this is where the application stores them.

 

 

Review Specific Settings

 

If you would like to see where the settings you changed (Big icons, hide status bar) were written:

  1. Double-click config.xml
  2. Scroll or search for guiconfig

 

 

Save the Config File

 

  1. Restore the VMware Dynamic Environment Manager Application Profiler from the taskbar
  2. From the DEM Application Profiler, Click on Save
  3. Click Save Config File from the choices.

Note: Because you selected Save Config File, rather than Save Config File with Predefined Settings, the preference settings you changed in this lab will NOT be presented to end users or when you launch the Notepad++ application in the next steps. You changed preference settings in Notepad++ only so that Application Profiler could monitor and determine the location where Notepad++ stores configuration changes.

If you select Save a Flex Configuration File with Predefined Settings, a profile archive is created to use for predefined settings when a user logs in.

 

 

Save Config Files to Desktop

 

  1. Save the files to the desktop by selecting Desktop in the left menu.
  2. Enter NPP as the File name
  3. Click Save
  4. Close the Application Profiler by clicking on the X in the top right corner of the Application Profiler window.

 

 

Using the New Flex Configuration File

Now that you have profiled Notepad++ you can import the files created by the Application Profiler to the DEM management console. Once imported, you can use the Flex config file to provide personalization to end users for the Notepad++ application.

 

 

Copy the Config Files

 

Note:  The files may not be together on the desktop.  Drag and drop them so they are together and you can easily select them.

  1. On the desktop of the Main Console, select all three files created by the Application Profiler: NPP.ini, NPP.ini.flag, NPP.ico.
  2. Once all three are selected, Right click on them and select Copy.

Remember the INI file is the application config file, the INI.FLAG file tells DEM to import and export the settings when the application opens and closes, and ICO is the icon file.

 

 

Paste the files to the Application Folder on Config Share

 

  1. Open Windows Explorer from the taskbar
  2. Navigate to C:\DEMProd\general\Applications
  3. Paste the 3 files here by right clicking then select Paste.

 

 

Refresh the DEM Management Console

 

  1. Navigate to the DEM Management Console. Be sure NOT to click on the Application Profiler window.
  2. Click the Refresh Tree Button on the top left bar under Personalization.

 

 

Review New Application

 

Notepad++ (NPP per the name assigned) is located in the list of managed applications.
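A check for the copy step above, as an added example that is not part of the lab manual or of DEM itself: it audits an Applications folder for Flex configuration files whose `.ini.flag` or `.ico` companion is missing, and for companion files left behind without an INI. The function names and the sample folder contents are constructed for illustration; in the lab the folder to audit would be C:\DEMProd\general\Applications.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def audit_flex_configs(app_dir) -> Tuple[Dict[str, Dict[str, bool]], List[str]]:
    """Return (per-application report, orphaned companion files).

    For every <name>.ini the report records whether <name>.ini.flag
    (DirectFlex flag file) and <name>.ico (icon) sit next to it.
    Names are compared case-insensitively, as on a Windows file share.
    """
    files = {p.name.lower(): p.name
             for p in Path(app_dir).iterdir() if p.is_file()}

    report: Dict[str, Dict[str, bool]] = {}
    for lower, name in files.items():
        if lower.endswith(".ini"):
            base = name[:-len(".ini")]
            report[base] = {
                "directflex_flag": lower + ".flag" in files,
                "icon": base.lower() + ".ico" in files,
            }

    known = {base.lower() for base in report}
    orphans = []
    for lower, name in files.items():
        if lower.endswith(".ini.flag"):
            owner = lower[:-len(".ini.flag")]
        elif lower.endswith(".ico"):
            owner = lower[:-len(".ico")]
        else:
            continue
        if owner not in known:
            orphans.append(name)  # companion file with no INI beside it
    return report, sorted(orphans)


def build_sample(app_dir) -> None:
    """Create a constructed sample folder (file contents are irrelevant)."""
    for name in ("NPP.ini", "NPP.ini.flag", "NPP.ico",  # complete set
                 "ExampleApp.ini", "ExampleApp.ico",     # flag file missing
                 "Stale.ini.flag"):                      # INI was removed
        (Path(app_dir) / name).write_text("")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample(sample)
        report, orphans = audit_flex_configs(sample)
        for app, state in sorted(report.items()):
            print(f"{app}: flag={state['directflex_flag']} icon={state['icon']}")
        print("orphans:", orphans)
```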

 

 

Conclusion

VMware provides application management templates for commonly-used software packages, and the VMware Dynamic Environment Manager Community Forum contains many more templates created with an included tool called Application Profiler.

Application Profiler is a standalone tool that helps you determine where in the file system or registry an application is storing its user settings. The output from Application Profiler is a configuration file which can be used to preserve and roam application settings for your end users. Optionally, you can record a default set of application settings, and apply and/or enforce these defaults for your users based on a variety of conditions.

This is the conclusion of this exercise - we have gone over how to use Application Profiler.

 

Conclusion


In this module we went over Dynamic Environment Manager. We looked at Application Customization and Application Profiling.


 

You've finished Module 7

 

Congratulations on completing Module 7.

If you are looking for additional information on User Environment Manager, try one of these:

Proceed to any module below which interests you most.

 

 

How to End Lab

 

To end your lab click on the END button.  

 

Module 8 - App Volumes (60 Minutes)

Introduction


During this lab you will:

  • Learn about the new simplified application management capabilities of App Volumes 4
  • Create an Application Package
  • Learn to use the new stage and marker capabilities to streamline application lifecycle management
  • Assign Packages using new assignment types
  • Work with Writable Volumes

 

What is VMware App Volumes?

 

App Volumes is a portfolio of industry-leading application and user management solutions for Horizon, Citrix Virtual Apps and Desktops, and RDSH virtual environments. App Volumes can help reduce IT costs by up to 70% and is a key component of JMP, the next generation of desktop and application delivery.

 

Managing Application Packages with App Volumes 4 Simplified Application Management


In this lesson you will learn about the new capabilities of App Volumes 4. Using an interactive demo, you will be guided through the new components, features, and processes of building and deploying Application packages.

Note: The interactive demo is best experienced with audio. Please have your speakers turned on before continuing.


 

Launch the Interactive Demo

 

Working with Writable Volumes


In this lesson you will upload a writable volume template and create a user writable volume.


 

What is a Writable Volume?

 

The App Volumes Writable Volumes feature enables the creation of a per-user volume where the following user-centric data can be installed and configured in different ways and move with the users:

  • Application settings
  • Licensing information
  • Configuration files
  • User-installed applications

The key differences between Application Packages and Writable Volumes are:

  • Package VMDKs are mounted as read-only and can be shared among multiple desktop virtual machines (VMs) within the data center.
  • Writable Volumes are dedicated to individual users and are mounted as the user authenticates to the desktop. Writable volumes roam with the user for non-persistent desktops.

Writable Volumes are not a replacement, but a complementary product to a user environment management solution.  VMware Dynamic Environment Manager is a companion to App Volumes and provides management of user application settings that are applied when the user logs in or when an application launches. VMware Dynamic Environment Manager can manage data within writable volumes at a more granular level, and provide contextual rules to enforce policies based on different conditions or events.  To find out more information on VMware Dynamic Environment Manager please see Module 7 of this lab.

 

 

 

Creating and Assigning a Writable Volume

You are now ready to walk through the creation of a Writable Volume.

 

 

Launch Google Chrome

 

 

  1. On the Main Console desktop, launch the Google Chrome browser

 

 

Log in to App Volumes Manager

 

To login to the App Volumes Manager:

  1. Open the AppVolumes shortcut folder
  2. Click on AppVol-01 shortcut
  3. Enter Username: administrator
  4. Enter Password: VMware1!
  5. Click Login

 

 

 

Upload Writable Volume Template

There are three user writable volume templates available, each providing different capabilities. Before creating a user writable volume, you must upload the template or templates you want to use.

  • Profile-Only - Captures and persists the entire Windows profile for the assigned user.
  • UIA Only - The user-installed applications template captures and persists any software programs installed to a non-persistent Windows VM. Windows profile data is ignored, and may be addressed using alternative technologies such as Dynamic Environment Manager. Note: End users must have the appropriate permissions in Windows to install software. Dynamic Environment Manager privilege elevation may be combined with UIA only user writable volumes to support the user-installed applications use case for end users with standard Windows permissions.
  • UIA+Profile - This template captures and persists both the Windows profile and user-installed applications.

 

 

Create Writable Volume

 

  1. Start on the INVENTORY tab
  2. Click Writables
  3. Click Create

 

 

Allow End Users to Review Size of Their Writable Volume

With a simple registry edit you can allow your users to view the size of their writable volume.  Please consult the following KB for more information.

 

App Volumes 4 with Horizon Cloud Service on Microsoft Azure


In this lesson you will learn about App Volumes 4, delivered as part of the Horizon Cloud Service. Using an interactive demo, you will be guided through the import of a VM from the Azure Marketplace, creation of an image, desktop and application assignment creation, and copying Application Packages between Horizon Cloud pods.  

Note: The interactive demo is best experienced with audio. Please have your speakers turned on before continuing.


 

Launch the Interactive Demo

 

Conclusion


In this module you learned how simplified application management with App Volumes 4 works to streamline application lifecycle management. Using the new assignment types and markers, you created and assigned an Application Package. In addition to working with Packages, you uploaded a template and created a user writable volume to capture and persist app installations for users roaming between non-persistent desktops. 


 

Congratulations on completing Module 8

 

If you are looking for additional information on VMware App Volumes, try one of these:

Proceed to any module below which interests you most.

 

 

How to End Lab

 

  1. To end your lab click on the END button.  

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2151-01-DWS

Version: 20201027-015553