Lab Overview - HOL-2251-01-DWS - VMware Horizon - Getting Started with App and Desktop Virtualization
Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time. The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.
The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.
VMware Horizon is a modern platform for secure delivery of virtual desktops and apps across clouds to empower anywhere workspace technology for distributed workers. Preparing for a future of more flexible work, use this introduction lab to learn more about the trusted tools available within your Horizon Platform. This modern management endpoint approach will showcase how to start breaking away from legacy endpoint management.
This lab will use VMware Horizon 8 to create and manage Instant Clone pools, RDSH & App farms. In this lab, we expect to show getting started techniques to ensure the lab taker will have a foundational understanding of Horizon. The lab will showcase desktops and apps with a single sign-on experience integrating VMware Horizon with True SSO, and VMware Workspace ONE Access. User control through Dynamic Environment Manager and Application layer using App Volumes will also be showcased. We will complete the "Empower Distributed Workers with the VMware Anywhere Workspace" vision with Modern management through Workspace ONE UEM auto enrollment.
Lab Module List:
This lab manual can be downloaded from the Hands-on Labs Document site found here:
This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.
Notice the @ sign entered in the active console window.
When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple data centers. However, these data centers may not have identical processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.
This cosmetic issue has no effect on your lab.
Please check that your lab has finished all the start-up routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.
Module 1 - Virtual Desktop Pools (30 minutes)
This Module contains the following lessons:
VMware Horizon is a platform for delivering virtual desktops and apps efficiently and securely across hybrid cloud for the best end-user digital workspace experience.
Horizon helps IT efficiently deploy and scale virtual desktops and apps from a single control plane with rapid provisioning, automation and simplified management.
Leveraging best-in-class management capabilities and deep integrations with the VMware technology ecosystem, the Horizon platform delivers a modern approach for desktop and app management that extends from on-premises to the hybrid and multi-cloud. The result is fast and simple virtual desktop and application delivery that extends an optimal experience to all applications.
VMware Horizon uses desktop pools as its basis of centralized management. In Horizon, you create pools of virtual machines and select settings that give all the machines in a pool a common desktop definition. Horizon can then deliver the desktops to end users via Horizon Clients. Horizon can deliver desktops from single-user virtual desktop machines, which can be virtual machines that are managed by vCenter Server, virtual machines that run on another virtualization platform, or physical computers.
You create a desktop pool from one of the following sources:
Dedicated-assignment pools
Each user is assigned a particular remote desktop and returns to the same desktop at each login. Dedicated-assignment pools require a one-to-one desktop-to-user relationship. For example, a pool of 100 desktops is needed for a group of 100 users.
Floating-assignment pools
Using floating-assignment pools also allows you to create a pool of desktops that can be used by shifts of users. For example, a pool of 100 desktops could be used by 300 users if they worked in shifts of 100 users at a time. The remote desktop is optionally deleted and re-created after each use, offering a highly controlled environment.
With single-user desktops, each virtual machine allows a single end-user connection at a time. In contrast, with session-based desktops, one RDSH server can accommodate many concurrent user connections.
We will walk through the process of creating an Instant Clone Desktop Pool. A clone is a copy of a parent VM with a unique identity of its own, including a MAC address, UUID, and other system information. The VMware Instant Clone Technology improves and accelerates the process of creating cloned VMs over the previous View Composer linked-clone technology. In addition, instant clones require less storage and less expense to manage and update because the desktop is deleted when the user logs out, and a new desktop is created using the latest parent VM image.
This exercise makes use of an interactive demo to work around constraints of the HOL lab environment. Though not required, it is recommended you use speakers or headphones for the demo.
An instant-clone desktop pool is an automated desktop pool. vCenter Server creates the desktop VMs based on the settings that you specify when you create the pool. Instant clones share a virtual disk of the golden image and therefore consume less storage than full VMs. In addition, instant clones share the memory of the golden image.
Before you can deploy a pool of desktops, you must create an optimized golden image, which includes installing and configuring a Windows or Linux operating system in a VM, optimizing the OS, and installing the various VMware agents required for desktop pool deployment.
You will not be creating the optimized master image in this lab as it has already been set up for us in the interest of time. For step-by-step instructions, see the guide Manually Creating Optimized Windows Images for VMware Horizon VMs.
You configure entitlements to control which remote desktops and applications your users can access. Before users can access remote desktops or applications, they must be entitled to use a desktop or application pool. In this exercise, we will add an entitlement to an existing desktop pool.
Launch Google Chrome from the desktop of the Main Console
Click on Add
Note: you may need to scroll down or resize the window to be able to select the user. You can also click the box next to Name to select all, then click OK.
Congratulations on completing Module 1.
If you are looking for additional information on Horizon, try one of these:
Proceed to any module below which interests you most.
To end your lab, click on the END button.
Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!
Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero! Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.
Interested? Check us out at https://techzone.vmware.com!
Module 2 - Instant Clone RDSH Farms (30 minutes)
This module contains the following lessons:
Today, end users are more mobile and productive than ever with the need to access their Windows apps alongside their SaaS and web applications, from their personal or business devices. In this new mobile cloud world, managing and delivering services to end users with traditional PC-centric tools has become increasingly difficult. Data loss and image drift have become real security and compliance concerns with organizations further struggling to contain costs.
Horizon Apps provides organizations with a streamlined approach to deliver, protect, and manage Windows applications while containing costs and ensuring that end users can work anytime, anywhere, on any device.
With VMware's next-gen desktop and application platform leveraging the power of the Just-in-Time Management Platform (or JMP, pronounced "jump"), IT can deliver just-in-time apps to streamline management, reduce costs, and easily maintain compliance. These applications can be accessed by end users with the efficiency and flexibility that business demands.
JMP is the next-generation desktop and application delivery platform from VMware, and is a key component of VMware Horizon. It enables you to focus on defining outcomes based on business needs instead of maintaining and troubleshooting environments. JMP leverages VMware Instant Clones, VMware App Volumes, and VMware Dynamic Environment Manager technologies to untangle the operating system, applications, and user personalization. By doing so, all the component pieces together can be automatically assembled on demand to deliver just-in-time desktops and apps to any device. Horizon with JMP lets you deliver Windows as a service.
JMP technologies include VMware Instant Clones technology together with VMware App Volumes and VMware Dynamic Environment Manager. This not only dramatically reduces the infrastructure requirements, but also enhances security, allowing you to deliver a brand new personalized desktop and application services instantly to end users every time they log in. Here are just a few of the benefits:
A farm is a group of Windows Remote Desktop Services (RDS) hosts. You can create published desktops associated with a farm. You can also deliver a published application to many users by creating application pools. The published applications in application pools run on a farm of RDS hosts.
You will work with application pools in Module 3 of this lab.
Farms simplify the task of managing RDS hosts, published desktops, and applications in an enterprise. You can create manual or automated farms to serve groups of users that vary in size or have different desktop or application requirements.
A manual farm consists of RDS hosts that already exist. The RDS hosts can be physical or virtual machines. You manually add the RDS hosts when you create the farm.
An automated farm consists of RDS hosts that are instant-clone virtual machines in vCenter Server.
The Horizon Connection Server creates the instant-clone virtual machines based on the parameters that you specify when you create the farm. Instant clones share a virtual disk of a parent VM and therefore consume less storage than full virtual machines. In addition, instant clones share the memory of a parent VM and are created using the vmFork technology.
When you create an application pool or a published desktop pool, you must specify one and only one farm. The RDS hosts in a farm can host published desktops, applications, or both. A farm can support at most one published desktop pool, but it can support multiple application pools. A farm can support both types of pools simultaneously.
An automated instant clone pool or farm is created directly from an image VM Replica using the vSphere instant clone API without creating any parent VM.
Horizon automatically chooses the type to provision based on:
This is a little slower to provision than a pool created with Parent VMs, but memory and disk space savings offset this.
Follow the KB to switch provisioning scheme for your Horizon Pool or Farm.
The first three minutes of the video provides a technical overview of Instant Clone technology.
This exercise makes use of an interactive demo to work around constraints of the HOL lab environment. Though not required, it is recommended you use speakers or headphones for the demo.
Load balancing sessions across the RDS hosts in a Horizon RDSH farm improves utilization of resources, resulting in a better end-user experience.
You can configure load balancing for RDS hosts by configuring load balancing settings in Horizon Administrator or by creating and configuring load balancing scripts.
In this lesson you will configure load balancing settings for an existing RDSH farm.
Horizon calculates the Server Load Index based on the load balancing settings you configure in Horizon Administrator. The Server Load Index indicates the load on the server. The Server Load Index can range from 0 to 100, where 0 represents no load and 100 represents full load. A Server Load Index of -1 indicates that load balancing is disabled.
On the summary page for RDSH-01 scroll down to the Load Balancing Settings. Notice that no settings are configured.
Enter the following values:
This is the end of the exercise "Configure RDSH Load Balancing"
In this module, we have learned about RDSH farms (using a full demonstration simulator), how to create an RDSH farm, and the components, such as JMP, that enable successful delivery of session farms for both desktops and applications. The last part of the module looked at load balancing Horizon farms and making sure you can qualify the settings for this setup. Feel free to use the material and links below to learn more about the topics we have just covered.
Congratulations on completing Module 2.
If you are looking for additional information on Horizon, try one of these:
Proceed to any module below which interests you most.
To end your lab click on the END button.
Module 3 - Application Publishing (30 minutes)
This module contains the following lessons:
With application pools, you deliver a single, published application to many users. The application runs on a farm of RDS hosts.
Horizon automatically distributes client requests for the application among the RDS hosts in the farm. Therefore, it is important that all RDS hosts in the farm are configured the same way. Horizon Instant Clone technology is ideal for creating scalable RDS farms with identical configurations.
In this lesson, you will create an application pool using an existing Horizon farm: RDSH-01.
An application pool contains a single application and is associated with a single farm. To avoid errors, you must install the application on all of the RDS hosts in the farm. One of the benefits of using instant clones to create farms of RDS hosts is the assurance of a consistent configuration.
When you create an application pool, Horizon automatically displays the applications that are available on all the RDS hosts in the farm. You can select one or more applications from the list. If you select multiple applications from the list, a separate application pool is created for each application. You can also manually specify an application that is not on the list.
Horizon published applications can be accessed using VMware Blast, PCoIP, or HTML Access.
In this lesson you will create multiple applications pools from an existing RDSH farm.
Administrator
VMware1!
Notice there are a number of Application Pools already created and associated with Farm RDSH-01
Review the applications and details.
This option performs an automated scan of the applications installed on the RDS hosts in Farm RDSH-01
You will now edit the Application Pool to customize the parameters.
https://techzone.vmware.com
You will now create a second application pool using the same application.
This option performs an automated scan of the applications installed on the RDS hosts in Farm RDSH-01
You will now edit the Application Pool to customize the parameters.
https://www.vmware.com
You should now have two application pools: Web App IE and Web App IE2
Note - Leave the Horizon Admin page open to the Application Pools page, as you will start here in the next lesson.
Beginning with Horizon 7.9, you are able to publish applications from a Windows 10 desktop pool using the same deployment and configuration process as you do for desktops.
We will walk through that process below. First, we will edit the existing desktop pool and make it a desktop and application pool. Then we will add an application pool using the application discovered in the desktop pool.
Go back to the Horizon Console on Horizon-01.corp.local.
Supported Session Types can be configured for the Desktop Pool. There are 3 options:
If you choose to support application sessions, then this desktop pool can be used to publish application pools.
Next we are going to add an application from the desktop pool.
With Application Pools, you can deliver a single application to many users. The application runs on a farm of RDS Hosts or a desktop pool. You will add an application from a desktop pool here.
Notice that the WIN10Hosted-Wordpad was added and Pool or Farm is listed as Instant Clone Pool. You may have to scroll down to see it in the list.
Login to VMware Horizon
Notice that the application launched and looked exactly like an RDSH hosted application.
We will delete the IC Application Pool so that it doesn't interfere with the modules that follow this. Switch back to the Horizon Administrator tab in Chrome.
We need to modify IC-Pool1 to be only a desktop pool for the next modules.
We will change the Session Type back to Desktop only for the remainder of this lab.
Congratulations on completing Module 3.
If you are looking for additional information on Horizon, try one of these:
Proceed to any module below which interests you most.
To end your lab click on the END button.
Module 4 - Virtual Desktop Modern Management (30 minutes)
As more companies embrace modern management for mobile devices, macOS and Windows devices, management of virtualized environments is a logical extension for systems management. Recently, Workspace ONE UEM was certified as a management platform for managing Horizon virtual desktops to offer administrators a single management solution for mobile, physical and virtual platforms of all kinds. With Workspace ONE UEM, an administrator can manage Horizon virtual desktops as well as the endpoints used to access those VMs in one console.
By managing Horizon virtual desktops in Workspace ONE UEM, administrators can have a single software library, consistent policies, consolidated and flexible Windows update settings and a unified reporting and automation solution delivered across physical and virtual systems.
While managing physical and virtual in one console provides simplicity to the administrator, consideration must be given to the Windows configurations that will be deployed. Key considerations around VDI management include ensuring required services are running, other services are prevented from starting, and tools such as the OS Optimization Tool are using appropriate settings for a VM.
This lab will walk through the basics of golden image creation, the enrollment process for VMs in Workspace ONE UEM and the basics of policy management and app distribution. Additional details on managing Windows through Workspace ONE UEM can be found in the following labs:
Management of Horizon Desktops on Workspace ONE UEM is only supported when both of the following are true:
The solution is currently supported on Horizon 7.8 and Workspace ONE UEM 1903 and later
See more on compatibility here
To begin this lab, you will need to login to the Workspace ONE UEM admin console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
VMware1!
The password field is displayed.
VMware1! in the Password field.
NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.
NOTE: The following steps are only performed for the initial login to the administration console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
VMware1! in the Password Recovery Answer field.
VMware1! in the Confirm Password Recovery Answer field.
1234 in the Security PIN field.
1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
We will now prepare the Horizon desktop to automatically enroll to Workspace ONE. This will include:
The agent may take a few minutes to become available
We won't run the OSOT in this lab due to lab resources.
There is a VMware Horizon 8.x on Workspace ONE template that must be used. The golden image used for Horizon managed by Workspace ONE needs to have the OS Optimization Fling run on it to make sure that it works properly with Workspace ONE. This ensures the system is optimized for Horizon VDI and also optimized for Workspace ONE.
Why Optimize? Windows was designed for physical hardware, specifically desktops, and for that hardware to be accessed by just one user at a time. Windows uses many resources to present a responsive desktop, but many of its settings are unnecessary or even detrimental when applied to a virtual environment. These actions include, for example, animating windows as the user opens them. Performing this animation takes significant CPU resources, which decreases the number of desktops that you can host per VMware vSphere server. Consequently, this non-essential function in a virtual machine (VM) environment increases the amount of system hardware that you need.
Even if the hardware is adequate, Windows animations do not perform well when accessed remotely, especially when connecting over a slow WAN or Internet connection. As a result, keeping animations enabled (in addition to other features unnecessary for VMs) impairs the end-user experience. Another example of desktop optimization in a virtual machine environment is to disable Windows Update so that control of the service is isolated to administrators. Administrators can run Windows Update in batch mode for the VMs as opposed to users performing this task.
Before using the OSOT, which contains recommended configurations in the built-in OSOT templates, your IT organization should investigate and evaluate the benefits of the various optimizations. There is sometimes a trade-off between productivity and optimization. Also, test before and after using the OSOT to ensure that optimizations do not interfere with other software that might be in use within your organization.
Using the OSOT involves the following steps:
In the Workspace ONE UEM Console,
We will need to enter it into the enrollment batch file
Double-click the Win10-01a RDP link on the Control Center desktop. You will be automatically logged in as an Admin
We will now install the Horizon Agent in order to connect to this desktop via the Horizon Client
Monitor the progress of the installation
We will now edit the enrollment batch file with your GroupID in order to do command line enrollment into Workspace ONE.
DO NOT use yourid1234, be sure to use your own Group ID.
This batch file will automatically add a key to the registry that will cause the enroll.bat file to run automatically upon the next device boot.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce path
C:\tools\enroll.bat
This will cause the enroll.bat file to run automatically when the device reboots, which will trigger the Workspace ONE UEM agent installation and enrollment process. The device is now ready to be rebooted.
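A defensive check for the autorun described above, as an added example that is not part of the lab manual: because the RunOnce entry runs `C:\tools\enroll.bat` automatically, the script and its folder should be writable only by administrative principals. The registry key and script path are the ones shown on this page; the trusted-SID baseline and the function name `Get-UntrustedWriter` are assumptions of this example.

```powershell
# Added example (not from the lab manual): audit the RunOnce autorun entry.
# Assumption: key and script path are the ones shown on this page.
$RunOnceKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$ExpectedPath = 'C:\tools\enroll.bat'

# Assumed baseline of trusted writers: SYSTEM, Administrators, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow changing or replacing the script (specific bits only,
# so a read-only ACE never matches), plus GENERIC_WRITE and GENERIC_ALL.
$writeEnum = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$writeEnum -bor 0x40000000 -bor 0x10000000

# Hypothetical helper: list Allow ACEs that give a non-trusted SID write access.
function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this object itself.
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$key = Get-Item -LiteralPath $RunOnceKey -ErrorAction Stop
foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)

    # RunOnce data may start with '!' or '*' and may quote the executable path.
    if ($command -match '^[!*]*\s*(?:"([^"]+)"|(\S+))') {
        $target = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    } else {
        continue
    }

    $exists  = Test-Path -LiteralPath $target -PathType Leaf
    $writers = @()
    if ($exists) {
        # Check both the script and its folder: write access to either one
        # lets a non-admin change what runs at the next boot.
        $writers += Get-UntrustedWriter -Path $target
        $writers += Get-UntrustedWriter -Path (Split-Path -Path $target -Parent)
    }

    [pscustomobject]@{
        ValueName        = $name
        Command          = $command
        Target           = $target
        IsExpectedScript = ($target -eq $ExpectedPath)
        TargetExists     = $exists
        UntrustedWriters = $writers
    }
}
```

Run it from an elevated PowerShell prompt on the desktop before rebooting. Any entry with a non-empty `UntrustedWriters` list, or an `IsExpectedScript` of `False`, should be reviewed before the image is used.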
While the Win10-01a desktop is restarting, we will create a manual pool in Horizon that contains the Win10-01a desktop and then enroll it to Workspace ONE. You will perform these actions from the Main Console.
From the Main Console virtual machine:
Administrator for the username
VMware1! for the password
Horizon_WSO as the ID
Horizon_WSO as the Display name
Horizon Managed by Workspace ONE UEM in the description field
Leave all default settings and click Next
Leave all default settings and click Next
Click Next on the Advanced Storage Options page
Click Add to add new Entitlements
Jim in the Name/User name search field
Click OK to save the entitlement. You have created and entitled a desktop pool to be managed by Workspace ONE UEM.
Click the link for the Horizon_WSO pool
We will now connect into the new Horizon pool and enroll it to Workspace ONE
We receive this error because we just installed the agent since we use this VM for other modules in this lab. Here is the KB on how to remove this message for production installations.
Click OK on this box if it pops-up or if the Audio Box pops-up
It may take a few minutes to log in and run the script. This is the first time Jim has logged into this box, so have a look at the below points to make sure you have no issues before continuing with this exercise.
Review details on Jim's device in Workspace ONE UEM. We have successfully enrolled a Horizon desktop; next we will push a profile down to it.
We will be doing the next few steps in the Workspace ONE UEM Console
The following steps should be done on the Main Console desktop.
NOTE: Be sure to click Windows, not Windows Rugged
Desktop Background
This will cause this profile, named Desktop Background, to be deployed to all of the devices (dictated by the All Devices smart group) in your organization.
This will enable the Personalization payload for this profile, which you will use to push a desktop background image down to the device.
NOTE: If you are prompted to login, remember that the username is Jim and the password is VMware1!.
Notice that the desktop background was pushed down to the endpoint. The Horizon desktop is now managed by Workspace ONE UEM.
In this module we did the following:
This module was a brief walk-through of managing Horizon desktops with Workspace ONE UEM
To learn more about managing Windows 10 with Workspace UEM, take the following labs.
Congratulations on completing Module 4.
If you are looking for additional information on Horizon, try one of these:
Proceed to any module below which interests you most.
To end your lab click on the END button.
Module 5 - Identity Integration - Workspace ONE Access (60 minutes)
VMware Workspace ONE Access can be deployed on-premises or consumed as a cloud service. Deployment of Workspace ONE Access is outside the scope of this lab.
In this module, you will integrate VMware Horizon with an on-premises installation of VMware Workspace ONE Access. The Workspace ONE Access appliance has already been deployed, and you will configure it for Horizon integration.
Integrating VMware Horizon with the VMware Workspace ONE Access service provides users with the ability to access their entitled Horizon desktops and applications from the Workspace ONE portal or app. You can integrate independent Horizon pods, which consist of Horizon Connection Server instances, and pod federations, which contain multiple pods and can span multiple sites and data centers.
You deploy and manage desktop and application pools in the Horizon Administrator interface. You also create entitlements for Active Directory users and groups in Horizon, not in Workspace ONE Access. You must sync these users and groups to the Workspace ONE Access service from Active Directory before integrating with Horizon.
To integrate Horizon pods and pod federations with Workspace ONE Access, you create one or more virtual apps collections in the Workspace ONE Access administration console. The collections contain the configuration information for the pods and pod federations, as well as sync settings. You then sync the Horizon resources and entitlements to Workspace ONE Access.
In the Workspace ONE Access administration console, you can view the Horizon desktops and applications. You can also view user and group entitlements.
End users can run their entitled desktops and applications from the Workspace ONE portal or app. These desktops and apps can be accessed over HTML in a browser or over a supported display protocol in the Horizon Client.
Integrating Horizon with Workspace ONE Access enables you to sync desktop and application resources, along with entitlements (assignments) to these resources to Access.
Workspace ONE Access appliance (access-01.corp.local) has already been deployed and configured for integration with the Horizon-01.corp.local Connection Server.
In this lesson, you will integrate the Horizon-02 Connection Server with Workspace ONE Access. VMware Horizon has already been installed on Horizon-02.corp.local.
In this section you will use the Horizon Console to verify desktop entitlements, which will be used for WS1 Access integration.
Wait for the success message to confirm the machine was added successfully.
Continue to the next step when this message is displayed.
Leave the VMware Horizon Console tab open in Chrome, as you will use it in the next lesson.
Workspace ONE provides users with the ability to run Horizon applications and desktops from a user portal. Workspace ONE Access provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.
In this section, you will configure SAML authentication in Horizon.
To launch remote desktops and applications from Workspace ONE Access or to connect to remote desktops and applications through a third-party load balancer or gateway, you must create a SAML authenticator in Horizon.
A SAML authenticator contains the trust and metadata exchange between Horizon and the device to which clients connect.
You associate a SAML authenticator with a Connection Server instance. If your deployment includes more than one Connection Server instance, you must associate the SAML authenticator with each instance.
Note there are options to configure Workspace ONE mode.
Workspace ONE Access administrators can configure access policies to restrict access to entitled desktops and applications in Horizon. To enforce policies created in Workspace ONE Access, you put Horizon Client into Workspace ONE mode so that Horizon Client redirects the user to the Workspace ONE client to launch entitlements. When you log in to Horizon Client, the access policy directs you to log in through Workspace ONE to access your published desktops and applications.
In order to enable and use this feature, the Delegation of authentication to VMware Horizon must be set to required.
Workspace ONE mode will not be used in this lab.
Be careful not to modify the rest of the Metadata URL.
You have successfully configured your Horizon Connection Server for SAML authentication.
Leave Chrome running as you will use it in the next lesson.
Workspace ONE Access is an Identity-as-a-Service (IDaaS) offering, providing application provisioning, self-service catalog, conditional access controls and single sign-on (SSO) for SaaS, web, cloud and native mobile applications.
You can integrate the following types of resources with Workspace ONE Access:
In this lesson you will configure Workspace ONE Access for integration to an existing, on-premises VMware Horizon pod.
The Horizon Cloud Pod Architecture (CPA) feature links together multiple Horizon pods to form a single, large desktop and application brokering and management environment called a pod federation. A pod federation can span multiple sites and data centers.
While CPA is outside the scope of this lab, note that Workspace ONE Access can be integrated with both single Horizon pods as well as CPA pod federations.
To integrate Horizon pods in Workspace ONE Access, you create one or more virtual apps collections in the Workspace ONE Access administration console. The collections contain the configuration information for the Horizon Connection Servers as well as sync settings.
The System Directory is a local directory that is automatically created in the service when Workspace ONE Access is initially set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it, nor can you delete the System Directory or the System Domain.
The local administrator user that is created when you first set up the Workspace ONE Access appliance is created in the System Domain of the System Directory.
The System Directory is typically used to set up a few local administrator users to manage the service. In the following step, you will authenticate with a local administrator account called admin.
You can integrate Horizon desktops and applications, Horizon Cloud desktops and applications, Citrix published resources, and ThinApp applications with WS1 Access.
Note: The Virtual Apps page may take several seconds to load the first time. If the list of apps does not show up within several seconds, please refresh the Chrome browser window.
Workspace ONE Access has already been integrated with one Horizon Pod containing a single Horizon Connection Server: Horizon-01.corp.local.
There are a number of configurable options when configuring a Horizon collection. Only some of these will be used for this lab. Any options not specified in the lab manual should be left as default.
Local Entitlements refer to the desktop and application entitlements for a given Horizon pod. Global Entitlements refer to desktop and application entitlements across Horizon pods in a Cloud Pod Architecture (multiple pod) implementation.
In this lab, you are working with a single Horizon pod so all entitlements are local.
The Connection Server field must use the FQDN of one of the Horizon Connection Servers.
In production Horizon implementations, it is common to configure a load-balancer virtual IP (VIP) in front of your Connection Servers. Do not use the VIP for this configuration step. You will configure the Client Access URL with the load-balancer VIP in a later exercise.
It may take several minutes for the Calculating Sync Actions step to complete.
Review the success message. Continue to the next step.
Workspace ONE Access is now syncing Horizon resources from two independent Horizon implementations. WS1 Access creates a single catalog of desktop and application resources that can be distributed to end users.
Leave the Workspace ONE Management Console tab open in Chrome, as you will use it in the next lesson.
Workspace ONE provides users with the ability to run Horizon applications and desktops from a user portal. Workspace ONE Access provides single sign-on to these applications and desktops by sending SAML assertions to VMware Horizon.
In this section, you will authenticate to Workspace ONE as an end user, then launch Horizon resources.
In this exercise you will connect to Workspace ONE using end user credentials. To do this, it is important that any existing Workspace ONE sessions are logged off.
You should still have Chrome opened with a tab for VMware Workspace ONE.
If you checked the Remember this settings box when logging in last time, you will be prompted to sign in with a System Domain account again. If this occurs, click Change to a different domain. If this screen is not displayed, ignore these instructions.
Continue to the next step.
Once logged on to Workspace ONE, your catalog of applications and desktops is available.
Workspace ONE is currently configured to launch apps and desktops using the Horizon Client.
While this option provides the best overall user experience, Horizon also supports HTML access for added flexibility.
Workspace ONE Access checks the network and access policy rules, then passes a SAML token to Horizon to start and authenticate to the remote desktop.
If you get a popup warning while connecting to the Horizon desktop pool:
Leave this page open as you will use it in the next exercise.
The Workspace ONE Access service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.
A policy rule can also be configured to deny access to users by network range and device type.
When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.
You should already be at the Workspace ONE login page. If so, skip to the Sign In step.
The System Directory is a local directory that is automatically created in the service when Identity Manager is first set up. This directory has the domain System Domain. You cannot change the name or domain of the System Directory, or add new domains to it. Nor can you delete the System Directory or the System Domain.
The local administrator user that is created when you first set up the Workspace ONE Access appliance is created in the System Domain of the System Directory.
The System Directory is typically used to set up a few local administrator users to manage the service. In the following step you will authenticate with a local administrator account called admin.
Authenticate to the System Domain as admin.
A default network range containing all IP addresses is created by default. You can modify the existing range, add new ranges, or both.
In this lesson, you will create a new network range and use it to apply policies.
The Workspace ONE Access service includes a default access policy that controls user access to their Workspace ONE portals and their Web applications. You can edit the policy to change the policy rules as necessary.
When you enable authentication methods other than password authentication, you must edit the default policy to add the enabled authentication method to the policy rules.
Each rule in the default access policy requires that a set of criteria be met to allow user access to the applications in the portal. You apply a network range, select which type of user can access the content, and select the authentication methods to use.
The default policy can be modified as needed.
A policy rule can be configured to deny access to users by network range and device type.
You will create a rule to deny access to a Horizon published application when it is accessed from a specific network.
If the application list does not populate immediately, wait a few seconds and click in the Select applications from your catalog... window again.
Enter Domain Users into the User Group search.
Wait for the success message indicating the policy has been added.
The client access URL is used to launch locally-entitled resources from the Horizon pod, when users request applications and desktops via Workspace ONE Access.
In an earlier exercise, you configured Horizon Virtual Apps, and supplied the FQDN of a single Connection Server to complete the Workspace ONE Access integration with your Horizon pod.
In production Horizon implementations, it is common to configure a load-balancer virtual IP (VIP) in front of your Connection Servers or UAGs. The client access URL should be configured so it directs requests for Horizon resources to the VIP.
Workspace ONE Access supports using different Client Access URLs for each network range. This provides the flexibility to direct users to internal Connection Servers, external UAGs, or different Horizon pods in a Cloud Pod Architecture (CPA) implementation.
The Client Access FQDN for the Internal Network you created is blank by default. For the purposes of this lab, you will configure the Client Access URL to use the FQDN of the Horizon Connection Server.
It is important that each network range in your environment contains a client access URL.
Leave this page open as you will use it in the next lesson.
You have successfully:
In the previous exercise, you created a new network range for the corporate network and a new policy to deny access for a specific Horizon resource when accessed from this network.
In this section, you will authenticate to Workspace ONE as an end user and attempt to launch the Horizon Desktop pool.
You should already have Chrome open with a tab to VMware Workspace ONE. If so, you can skip the next couple of steps and proceed to Authenticate to Workspace ONE as an End User.
This time the Horizon Desktop cannot be opened because of the deny rule you created in the previous exercise.
Congratulations on completing Module 5.
If you are looking for additional information on Horizon, try one of these:
Proceed to any module below which interests you most.
To end your lab click on the END button.
Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!
Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero! Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.
Interested? Check us out at https://techzone.vmware.com!
Module 6 - Identity Integration for Single Sign-On (30 minutes)
This Module contains the following lessons:
True SSO provides a way to authenticate to Microsoft Windows, retaining all of the user's normal domain privileges, without requiring them to provide AD credentials. True SSO is a VMware Horizon technology that integrates VMware Identity Manager with Horizon. With the True SSO (single sign-on) feature, after users log in to VMware Identity Manager using a smart card or RSA SecurID or RADIUS authentication, users are not required to also enter Active Directory credentials in order to use a virtual desktop or published desktop or application.
True SSO uses SAML (Security Assertion Markup Language) to send the User Principal Name (for example, sarah@example.com) to the identity provider's authentication system to access AD credentials. Horizon then generates a unique, short-lived certificate for the Windows login process.
For True SSO to function, several components must be installed and configured within the environment. The enrollment server is responsible for receiving certificate signing requests (CSR) from the Connection Server. The enrollment server then passes the CSRs to the Microsoft Certificate Authority to sign using the relevant certificate template. The Enrollment Server is a lightweight service that can be installed on a dedicated Windows Server instance, or it can co-exist with the MS Certificate Authority service.
The True SSO Enrollment Server cannot be co-located on a Connection Server.
When True SSO is enabled in Horizon, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can enable True SSO to prevent a password dialog box from being shown to users.
Many user authentication options are available for logging in to VMware Workspace ONE Access. Active Directory credentials are only one of these many authentication options. Ordinarily, using anything other than AD credentials would prevent a user from being able to single-sign-on to a Horizon virtual desktop or published application. After selecting the desktop or published app from the catalog, the user would be prompted to authenticate again, this time with AD credentials.
True SSO provides users with SSO to Horizon desktops and applications regardless of the authentication mechanism used. True SSO uses SAML, where Workspace ONE is the Identity Provider and the Horizon server is the Service Provider. True SSO generates unique, short-lived certificates to manage the login process.
The high-level steps that need to be completed are below but we will not be performing them in this lab. They have already been set up for us in this lab to save time.
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --environment --add --enrollmentServer truesso-01.corp.local
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --environment --list --enrollmentServer truesso-01.corp.local --domain corp.local
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --create --connector --domain corp.local --template TrueSSOHOL --primaryEnrollmentServer truesso-01.corp.local --certificateServer controlcenter-ca --mode enabled
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --list --authenticator
vdmUtil --authAs administrator --authDomain CORP --authPassword VMware1! --truesso --authenticator --edit --name vidm-01 --truessoMode enabled
Note: These steps are already set up in this lab. The next steps are to turn on TrueSSO in Workspace ONE Access under the Virtual Apps. We will set up another Authentication source (RADIUS). We can then connect to vIDM with our RADIUS login and launch an application with no password prompt.
For more information on how to install and configure True SSO, see Setting Up True SSO.
In this lesson we will set up RADIUS as an additional authentication method and configure it to work with our FreeRADIUS.net instance.
VMware Workspace ONE using Identity Manager allows for setting up Network Ranges and different authentication policies that can be assigned to different network ranges. For example, you might want your end-users to authenticate with their Active Directory credentials when they are in the office and connected to the corporate network. You might want your users to use 2-factor authentication when working from home. You might have a group of users requiring Multi-Factor Authentication (MFA) because of the applications they can access.
For this lab, we are using FreeRADIUS.net to simulate a RADIUS-compatible authentication adapter. In a real-world scenario this could be your RSA server or any other 2-factor authentication solution supporting the RADIUS protocol. We have set up a different password (2251) from the default AD password (VMware1!) typically used in the HOL, so consider this your RSA token. We will start this simulation in the next steps.
We will walk through the configuration of the RADIUS authentication adapter within Workspace ONE Access and assign RADIUS authentication to all connections coming from a specific network range.
Attention: Please leave the FreeRADIUS START window open or minimize it, but DO NOT close it.
From the Main Console, open Google Chrome.
This will redirect you to the Admin Console to edit the Authentication Adapter.
Note: Leave all of the settings that we don't mention below at their defaults.
Confirm no errors at the top.
Confirm that RadiusAuthAdapter shows Enabled.
To limit RADIUS authentication to clients in a specific network, we have to create a network range and modify the default policy to use RADIUS for that range. We will be logging in from a Windows 10 desktop in the Instant Clone pool, so we will use that desktop's network range for RADIUS authentication.
Click Add Network Range
This will add all the 192.168.100.xxx IP addresses to the RADIUS Test network range and will include our test VM.
Click default_access_policy_set
Click Edit
Click Add Policy Rule
We will add a policy rule to use RADIUS for our newly created test network range.
Besides setting the time after which a user has to re-authenticate, you can configure a Custom Error Message, Custom Error Link Text and a Custom Error Link URL, where you could guide the user to a how-to document or further information on how to resolve any issues with authentication.
Please take a minute to look at all the different authentication method options, which allow you to set up different authentication methods for different devices/access methods and locations (based on network range). You can also combine multiple authentication methods if you need more than 2-factor authentication.
You have set up a new policy rule to use RADIUS authentication with the IP range specified. Next we will test connecting from a desktop in that IP range and see we are prompted for our RADIUS password instead of our AD password.
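The rule evaluation order described for access policies (first matching rule wins, authentication methods tried in listed order, deny rules by network range), applied to the RADIUS rule just created. This is an added example, not part of the lab manual or any VMware code: a simplified Python model that also flags rules made unreachable by an earlier, broader rule. The RADIUS Test bounds are the 192.168.100.180-192.168.100.190 range quoted in this module; the Internal Network addresses, the rule list, the default-deny behaviour when no rule matches, and all function names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class NetworkRange:
    """Inclusive first-to-last address range (not a CIDR block)."""
    name: str
    first: IPv4Address
    last: IPv4Address

    def contains(self, ip: IPv4Address) -> bool:
        return self.first <= ip <= self.last

    def covers(self, other: "NetworkRange") -> bool:
        return self.first <= other.first and other.last <= self.last


@dataclass(frozen=True)
class PolicyRule:
    network: NetworkRange
    device_types: Optional[FrozenSet[str]]  # None means any device type
    action: str                             # "authenticate" or "deny"
    auth_methods: Tuple[str, ...] = ()      # tried in the order listed

    def matches(self, ip: IPv4Address, device_type: str) -> bool:
        device_ok = self.device_types is None or device_type in self.device_types
        return device_ok and self.network.contains(ip)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule_index: Optional[int]
    method: Optional[str]
    reason: str


def evaluate(rules: Sequence[PolicyRule], client_ip: str, device_type: str,
             authenticate: Callable[[str], bool]) -> Decision:
    """Select the first rule matching network range and device type, then
    apply its action. `authenticate` stands in for the identity provider and
    returns True when the named method succeeds for this user."""
    ip = IPv4Address(client_ip)
    for index, rule in enumerate(rules):
        if not rule.matches(ip, device_type):
            continue
        if rule.action == "deny":
            return Decision(False, index, None, "deny rule for " + rule.network.name)
        for method in rule.auth_methods:
            if authenticate(method):  # a failed method falls through to the next
                return Decision(True, index, method, "authenticated")
        return Decision(False, index, None, "all methods in the rule failed")
    # Assumption of this model: a request that matches no rule is refused.
    return Decision(False, None, None, "no rule matched")


def shadowed_rules(rules: Sequence[PolicyRule]) -> List[int]:
    """Indexes of rules that can never be selected because an earlier rule
    already covers their whole network range and all their device types."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            devices_covered = earlier.device_types is None or (
                later.device_types is not None
                and later.device_types <= earlier.device_types)
            if devices_covered and earlier.network.covers(later.network):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample policy. Only the RADIUS Test bounds come from the lab.
RADIUS_TEST = NetworkRange("RADIUS Test", IPv4Address("192.168.100.180"),
                           IPv4Address("192.168.100.190"))
INTERNAL = NetworkRange("Internal Network", IPv4Address("10.0.0.1"),
                        IPv4Address("10.0.0.254"))
ALL_ADDRESSES = NetworkRange("All addresses (default)", IPv4Address("0.0.0.0"),
                             IPv4Address("255.255.255.255"))

RULES = [
    PolicyRule(RADIUS_TEST, None, "authenticate", ("RADIUS", "Password")),
    PolicyRule(INTERNAL, None, "deny"),
    PolicyRule(ALL_ADDRESSES, None, "authenticate", ("Password",)),
]

if __name__ == "__main__":
    print(evaluate(RULES, "192.168.100.185", "Windows 10", lambda m: m == "RADIUS"))
    print(evaluate(RULES, "10.0.0.5", "Windows 10", lambda m: True))
    # Moving the catch-all rule to the top makes the other two unreachable.
    print(shadowed_rules([RULES[2], RULES[0], RULES[1]]))
```

Running the shadow check after every reorder of a policy's rules catches the case where a deny or stronger-authentication rule sits below a rule for the default all-addresses range and is therefore never applied.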
The next steps are to turn on True SSO in vIDM under the Virtual Apps configuration.
Verify that True SSO is now enabled
Now we will test the RADIUS authentication. We will test the connection by first opening up a Windows 10 VM via the Horizon Client and then logging in via RADIUS authentication from that client that is in the IP range we specified.
Open Horizon Client from the Main Console desktop
Double-click Instant Clone Pool to open the Windows10 VM
Wait for the Instant Clone VM to load, then
Since the IP address of our test VM is within the RADIUS test network range (192.168.100.180-192.168.100.190) we defined earlier, we now (as expected) get prompted for the RADIUS Passcode instead of our CORP.LOCAL domain password.
Since we are logging in as a new user, there are no favorite applications defined. Click the Apps tab to see the applications assigned to this user.
You will now see all applications which are assigned to the user.
Let's launch an application and verify that we are not prompted for login or password for AD using True SSO.
Congratulations on completing Module 6.
Module 7 - Dynamic Environment Manager (45 minutes)
VMware Dynamic Environment Manager (DEM) offers personalization and dynamic policy configuration across any virtual, physical, or cloud-based Windows desktop environment. Dynamic Environment Manager simplifies end-user profile management by providing organizations with a single, light-weight, and scalable solution that leverages existing infrastructure. It accelerates time-to-desktop and time-to-application by replacing bloated roaming profiles and unmanageable, complex logon scripts. It maps environmental settings (such as networked drives and printers), and dynamically applies end user security policies and personalizations. This focused, powerful, and scalable solution is engineered to deliver workplace productivity while driving down the cost of day-to-day desktop support and operations.
Some of the most popular reasons why enterprises choose Dynamic Environment Manager include:
Historically, DEM was included with Horizon 7 Enterprise licensing, or could be purchased stand-alone for use with Horizon Standard and Advanced licenses. With the release of Horizon 8 (2006), DEM licensing has been updated to make some DEM features available with all Horizon licenses.
A new version, DEM Standard, is now available for Horizon 7 and Horizon 8 Standard and Advanced. DEM Standard edition includes the following features:
The full-featured DEM Enterprise continues to be bundled with Horizon Enterprise. DEM Enterprise provides all the capabilities of DEM Standard plus application blocking, privilege elevation, and more.
There are three main components of Dynamic Environment Manager:
This overview of the architecture shows how the components relate to each other. All components of Dynamic Environment Manager communicate using the SMB protocol.
NOTE: This lab is using NoAD Mode
NOTE: This has already been done for you in this lab.
By default, Dynamic Environment Manager does not manage any applications or environment settings after you install it. You must specify which applications and settings to manage. Although this approach takes a little more work up front, this solution prevents excessive profile growth and profile corruption, enables user settings to roam across Windows versions, and gives you granular control to manage as much or as little of the user experience as needed.
To help with getting started, the Easy Start button instantly adds many common Windows applications, including several versions of Microsoft Office, to the list of applications managed by Dynamic Environment Manager. Many Windows environment settings are also added by Easy Start. You can then easily select an application or Windows setting to review and change the default settings.
In this lab we will go over VMware Dynamic Environment Manager. The lab will explore
With Dynamic Environment Manager personalization, end users can roam between physical, virtual, and cloud-based devices while preserving custom application and Windows settings. When a user logs in to a virtual desktop or application, Dynamic Environment Manager reads the profile archive file for that user's profile and dynamically applies customized settings. Whether roaming from device to device, or accessing non-persistent virtual machines, DEM personalization provides a consistent user experience.
Dynamic Environment Manager provides granular control over which apps or settings may be persisted between sessions. As the IT administrator, you control personalization through the use of application and Windows templates. A number of templates are included with DEM. In this lab, several templates have already been applied using the Easy Start feature. You can create your own templates using a simple utility, which is covered in the Application Profiler exercise. You also have the option to download a variety of templates from VMware. See the feature walkthrough on Tech Zone for more information on this feature.
From the Main Console, double-click the DEM Management Console shortcut on the desktop. This will open up the Dynamic Environment Manager Management Console.
You may need to minimize the Chrome Browser so you can see the desktop.
The personalization template for WordPad has been applied for you using the DEM Easy Start feature.
In this exercise you will open WordPad, customize the layout, and verify those changes persist between sessions.
Leave the DEM management console open as you will use it again later in this exercise.
The Instant Clone desktop pool is configured for one-time use Windows 10 desktops, which are discarded at logoff.
From the desktop of the Main Console, double-click the VMware Horizon Client shortcut.
Double-click horizon-01.corp.local
user1mod7
VMware1!
Double-click Instant Clone Pool to connect to a Windows 10 instant clone VM.
Click Allow for the Drive Sharing popup.
Once you are logged in, review and note the VM host name printed on the desktop. It may take several seconds after logon for this information to appear.
Note: You may get a different VM than what is pictured in this lab manual. Just take note of your host name as it will be used later in this exercise.
From the desktop of the instant clone VM, double-click the WordPad shortcut.
Click the X to close WordPad.
Click OK to confirm.
The instant clone VM is immediately deleted and recreated.
Double-click Instant Clone Pool to connect to a new Windows 10 instant clone VM.
NOTE: If you receive an error stating that the Desktop is logging off from a previous session, wait a few seconds and try the operation again.
While your host name may not match this screen shot, you should be connected to a different Windows 10 instant clone VM than you had previously.
From the desktop of the instant clone VM, double-click the WordPad shortcut.
Leave the Instant Clone Pool VM running as you will use it again in the next section. Minimize the window if you need to.
Along with persisting custom user settings, DEM personalization can be used to customize the user environment while an application is in use.
In this exercise you will configure WordPad personalization to map a drive at application open and disconnect the drive at application close. This type of dynamic drive mapping ensures resources are only consumed if and when they are needed, rather than performing unnecessary actions at logon.
If you do not still have the DEM management console running, open it from the Main Console desktop shortcut.
Click Save Config File to commit the changes.
Click to maximize the Instant Clone Pool VM.
From the Instant Clone VM, click Windows Explorer.
From the desktop of the instant clone VM, double-click the WordPad shortcut.
Note that E:\ is mapped as WordPad opens.
Click the X to close WordPad.
Note the drive mapping is disconnected as WordPad is closed.
Click OK to confirm.
The instant clone VM is immediately deleted and recreated.
This concludes the DEM personalization module.
Leave the DEM management console open as you will use it in the next module.
Application Profiler is a standalone tool that helps you determine where in the file system or registry an application is storing its user settings. The output from Application Profiler is a configuration file (template) which can be used to preserve and roam application settings for your end users. Optionally, you can record a default set of application settings and apply and/or enforce these defaults for your users based on a variety of conditions.
Application Profiler analyzes where an application stores its file and registry configuration. The analysis results in an optimized Flex configuration file, which you can edit in the Application Profiler or use directly in the Dynamic Environment Manager environment.
With Application Profiler, you can also create application-specific predefined settings, with which you can set the initial configuration state of applications. Save the Flex configuration file with predefined settings to export the current application configuration state.
Application Profiler is licensed as a VMware Dynamic Environment Manager component and is available in both DEM Standard and DEM Enterprise.
In the following steps, you will profile an application following these simple steps:
If you already have the DEM management console running from a previous exercise, skip this step.
From the Main Console, double-click the DEM Management Console shortcut on the desktop. This will open up the Dynamic Environment Manager Management Console.
On the left side, expand the Applications folder to view the list of Flex configuration files in this environment. DEM provides personalization only for those applications and Windows settings you configure by adding Flex configuration files to the management console. You can add configuration files in several ways, including the use of downloadable templates. See the module on Personalization for more information.
Notice Notepad++ is not in the list of applications.
In this module, you will profile the Notepad++ application so you can provide personalization, predefined settings, and more for your end users.
Minimize the DEM Management Console, but do not close it.
From the Main Console Desktop, click on the DEM Application Profiler shortcut to open the Application Profiler tool.
The application profiler produces four files upon completion of profiling an app:
The ZIP file is not to be opened directly. It is critical to use the Edit Profile Archive button in the Application Profiler. Using anything else will render the file unreadable by FlexEngine!
The Application Profiler invokes the executable to start Notepad++. As you make changes to the application configuration, the Application Profiler monitors the file system and registry to track where the changes are made.
Note: In this example exercise, you are making minimal changes to the application. In practice, you should update many settings for an application to ensure all locations are captured by the Application Profiler tool. Remember, profiling an application is not about capturing specific settings, it is about learning where an application stores settings in the file system or registry. Some applications use the registry for some settings and an INI file for others. The more settings you change during profiling, the better the Application Profiler tool can learn to provide personalization for an application.
Application Profiler detects when Notepad++ has stopped running and terminates the monitoring process.
Minimize the Application Profiler and continue to the next step.
%appdata%, then press ENTER.
Double-click Notepad++
Notepad++ stores all sorts of configuration data in this location. During the application profiling process, you changed two settings which were written to files in this location. Application Profiler will produce a Flex configuration file that monitors this entire directory for changes because it has learned this is where the application stores them.
If you would like to see where the settings you changed (Big icons, hide status bar) were written:
CTRL+F and type guiconfig to search)
Note: Because you selected Save Config File, rather than Save Config File with Predefined Settings, the preference settings you changed in this lab will NOT be presented to end users or when you launch the Notepad++ application in the next steps. You changed only preference settings in Notepad++ so that Application Profiler could monitor and determine the location in which Notepad++ stores configuration changes.
If you select Save a Flex Configuration File with Predefined Settings, a profile archive is created to use for predefined settings when a user logs in.
NPP for the File name
Now that you have profiled Notepad++, you can import the files created by the Application Profiler to the DEM Management Console. Once imported, you can use the Flex config file to provide personalization to end users for the Notepad++ application.
Note: The files may not be together on the desktop. Drag and drop them so they are together and you can easily select them.
Remember the INI file is the application config file, the INI.FLAG file tells DEM to import and export the settings when the application opens and closes, and ICO is the icon file.
VMware provides application management templates for commonly-used software packages, and the VMware Dynamic Environment Manager Community Forum contains many more templates created with an included tool called Application Profiler.
Application Profiler is a standalone tool that helps you determine where in the file system or registry an application is storing its user settings. The output from Application Profiler is a configuration file which can be used to preserve and roam application settings for your end users. Optionally, you can record a default set of application settings, and apply and/or enforce these defaults for your users based on a variety of conditions.
This is the conclusion of this exercise - we have gone over how to use Application Profiler.
Congratulations on completing Module 7.
If you are looking for additional information on Horizon, try one of these:
Proceed to any module below which interests you most.
To end your lab click on the END button.
Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!
Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero! Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.
Interested? Check us out at https://techzone.vmware.com!
Module 8 - Application Management - App Volumes (45 minutes)
During this lab you will:
App Volumes is a real-time application delivery and lifecycle management tool. Enterprises use App Volumes to centrally manage applications that are deployed to desktops with virtual disks. App Volumes scales easily and cost effectively without compromising the end-user experience. In App Volumes 4, a new single-app packaging strategy makes it easier to package applications individually and deliver them in any combination.
With App Volumes 4, simplified application management (SAM) improves the way the application lifecycle is managed. Instead of capturing applications in objects called AppStacks, as you did in App Volumes 2.x, you now work with applications, packages, and programs. These additional components provide you with granular control over the application lifecycle and improve administrative workflows.
What is an Application Package?
In App Volumes 4, applications are associated with certain VMDK or VHD files, which are called packages. (They were called AppStacks earlier, in App Volumes 2.x.) One or more packages are assigned to an application, and it is at the application level that you assign the packages to desktops.
With App Volumes, applications are presented to the operating system (OS) as if they were natively installed. Quickly providing users with applications that require no installation reduces infrastructure strain and overhead and simplifies application lifecycle management. When an application is no longer required, you can easily remove it.
Applications delivered by App Volumes follow users seamlessly across sessions and devices. Administrators can assign, update, or remove applications at the next user login.
In this lesson, you will:
On the Main Console desktop, launch the Google Chrome browser
To login to the App Volumes Manager:
Administrator
VMware1!
Applications are a logical construct new to App Volumes 4.x and represent a collection of packaged versions of a particular application. Packages are entitled to end users and computers at the application layer.
7-Zip 19.00. Note that we are using the version name here, because we are creating a package for this specific version of 7-Zip.
Win10
IMPORTANT: If CORP\WIN10-01B$ shows Powered Off instead of Available, follow the steps below. Otherwise, continue to the next step.
win10-01b.corp.local for the Computer name.
VMware1! for the password.
On the Win10-01b virtual machine:
services.
After this is completed, return to the App Volumes Manager in Google Chrome on the Main Desktop and complete the steps at the top of this section again by re-searching for Win10 in the Packages tab. The CORP\WIN10-01B$ computer should now show as Available.
To log in to vCenter:
administrator@vsphere.local
VMware1!
The packaging machine is a specialized VM that is used to create application packages. It is running the same version of Windows 10 as the gold image that will be used to create the VMware Horizon pools to which we will be deploying App Volumes packages. In order to avoid capturing any unnecessary software in the App Volumes application package, a minimum amount of software and agents are installed on the packaging machine. Once the creation of the packaging machine is completed but before any application packages have been packaged, a snapshot of the packaging machine should be taken so that the packaging machine can be reverted to a known clean version for subsequent packaging captures. For more information on preparing the packaging machine, visit Best Practices for Packaging Applications.
user1mod8
VMware1!
Note the VMware App Volumes - Packaging in progress dialogue box in the lower right. Do not click OK at this time.
NOTE: The App Volumes popup may take 20-30 seconds to display.
After the packaging machine reboots, you will need to log in to the packaging VM as the capture user one more time to complete the package capture process.
VMware1!
Click OK on the Packaging successful! dialogue box to complete the capture process. It may take a few moments for it to appear.
Note: At this point in a production environment, we would revert the packaging machine back to a known clean snapshot in vCenter. Because this is the only application we are capturing in this lab, we are skipping this step in the lab.
You may find that your session has timed out, and you must log in again.
Administrator
VMware1!
In App Volumes 4.x, you have the option to use dynamic marker-based entitlements when assigning application packages. Marker-based entitlements allow the App Volumes administrator to designate a package as Current, and then create an entitlement that states a given user, computer, or group should receive the version of the application that carries the Current tag. Static package-based assignments are also available should a user, computer, or group require a specific version of an application. If there is a conflict (i.e. if one user has both a dynamic and a static entitlement), static package-based assignments have precedence over dynamic marker-based assignments.
Next, we will assign the application to a group of end users using a dynamic marker-based entitlement.
Next, we will log in to a VMware Horizon virtual desktop to verify that the assigned application package is successfully deployed.
Minimize the Chrome Browser, and double-click the VMware Horizon Client on the desktop of the Main Console VM.
Double-click horizon-01.corp.local
Log into VMware Horizon.
user1mod8
VMware1!
Double click on the Instant Clone Pool to launch the virtual desktop
Close 7-Zip. Note the Host Name of the virtual desktop you are currently logged into. It may differ from what you see in the image.
NOTE: The Host Name on the virtual desktop may take a few minutes to display.
In this exercise, you will update an application package currently deployed using dynamic marker entitlements to a new version by moving the Current marker from one package to another.
appwiz.cpl and hit ENTER on the keyboard
In this lab, we have an existing entitlement for CORP\Domain Users to receive the version of VLC Media Player that is tagged as Current. To save time, we have pre-packaged the new version, VLC Media Player 3.0.14. To update VLC Media Player for CORP\Domain Users, we need to move the Current marker from VLC 3.0.13 to VLC 3.0.14.
Note that the green Current tag has now moved to VLC 3.0.14. Only one version of an application package can be set to Current at a time.
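The precedence rule for static and marker-based entitlements, and the effect of moving the Current marker, can be modeled in a few lines. This is an added example, not App Volumes code or its API: the class and function names, the CORP\Kiosk Users group, the kiosk01 computer and the static pin are constructed for illustration. It shows which principals follow the marker to VLC 3.0.14 and which stay on a pinned package, which is the list to review after any update.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Application:
    name: str
    packages: list                    # package names, one per packaged version
    current: Optional[str] = None     # package carrying the Current marker

    def set_current(self, package: str) -> None:
        """Move the Current marker; only one package holds it at a time."""
        if package not in self.packages:
            raise ValueError(f"{package!r} is not a package of {self.name}")
        self.current = package


@dataclass(frozen=True)
class Entitlement:
    principal: str                    # user, group or computer
    application: str
    package: Optional[str] = None     # None = marker-based, else a static pin


def resolve(identities, app, entitlements):
    """Return (package, kind) for a principal, given its name plus its groups."""
    mine = [e for e in entitlements
            if e.application == app.name and e.principal in identities]
    static = [e.package for e in mine if e.package is not None]
    if static:
        # Static beats marker-based (stated in the lab). Taking the first of
        # several static pins is a simplification of this model only.
        return static[0], "static"
    if mine and app.current is not None:
        return app.current, "marker"
    return None, "none"


def pinned_off_current(app, entitlements):
    """Principals whose static pin will not follow the Current marker."""
    return sorted(e.principal for e in entitlements
                  if e.application == app.name
                  and e.package is not None
                  and e.package != app.current)


def demo():
    vlc = Application("VLC Media Player", ["VLC 3.0.13", "VLC 3.0.14"],
                      current="VLC 3.0.13")
    entitlements = [
        Entitlement(r"CORP\Domain Users", vlc.name),               # from the lab
        Entitlement(r"CORP\Kiosk Users", vlc.name, "VLC 3.0.13"),  # constructed
    ]
    user = {r"CORP\user1mod8", r"CORP\Domain Users"}
    kiosk = {r"CORP\kiosk01", r"CORP\Domain Users", r"CORP\Kiosk Users"}

    before = resolve(user, vlc, entitlements)
    vlc.set_current("VLC 3.0.14")     # the marker move performed in this exercise
    return {
        "user_before": before,
        "user_after": resolve(user, vlc, entitlements),
        "kiosk_after": resolve(kiosk, vlc, entitlements),
        "pinned": pinned_off_current(vlc, entitlements),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```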
NOTE: If you were signed out of horizon-01.corp.local, follow the below steps to sign-in again. Otherwise, continue to the next step.
user1mod8 for User name.
VMware1! for the Password.
Follow the first steps in this section to launch the Instant Clone Pool after logging in.
On the Instant Clone Pool virtual machine:
appwiz.cpl and hit ENTER on the keyboard
In this lesson you will upload a writable volume template and create a user writable volume.
The App Volumes Writable Volumes feature enables the creation of a per-user volume where the following user-centric data can be installed and configured in different ways and move with the users:
The key differences between Application Packages and Writable Volumes are:
Writable Volumes are not a replacement, but a complementary option to a user environment management solution. VMware Dynamic Environment Manager is a companion to App Volumes and provides management of user application settings that are applied when the user logs in or when an application launches. VMware Dynamic Environment Manager can manage data within writable volumes at a more granular level, and provide contextual rules to enforce policies based on different conditions or events. To find out more information on VMware Dynamic Environment Manager please see Module 7 of this lab.
You are now ready to walk through the creation of a Writable Volume.
If Google Chrome is not already opened on the Main Console:
If you still have the App Volumes Manager tab open in Google Chrome, return to the tab.
If you closed the App Volumes Manager session or were signed out after the last exercise:
Administrator
VMware1!
There are three user writable volume templates available, each providing different capabilities. Before creating a user writable volume, you must upload the template or templates you want to use.
In this lab you will only use the UIA Only template. In practice, you may choose to upload multiple templates to provide different capabilities to various groups of end users.
The template should take just a few seconds to upload. The update icon with a "1" will change back to "0" once the process is completed.
No action is required on this step.
First you need to determine who the writable volume will be assigned to.
user1mod8
In this window you enter a variety of information pertaining to the writable volume. This includes the template type. Your template type determines what types of information will be stored within your writable volume.
Enter the following information:
Base. This will prevent the writable volume from attaching to any virtual machine whose machine name doesn't begin with "base."
With a simple registry edit you can allow your users to view the size of their writable volume. Please consult the following KB for more information.
In this lesson you will learn about App Volumes 4, delivered as part of the Horizon Cloud Service. Using an interactive demo, you will be guided through the import of a VM from the Azure Marketplace, creation of an image, desktop and application assignment creation, and copying Application Packages between Horizon Cloud pods.
Note: The interactive demo is best experienced with audio. Please have your speakers turned on before continuing.
Click to begin interactive demo.
Congratulations on completing Module 8.
Module 9 - Introduction to VMware Horizon Service (45 minutes)
This Module contains the following lessons:
Horizon Cloud Services transforms traditional virtual desktop and application infrastructure with unprecedented simplicity and flexibility.
Horizon Cloud provides a multi-tenant, cloud-scale architecture that enables you to choose where virtual desktops and apps reside: VMware-managed cloud, BYO cloud, or both. Horizon Cloud makes it easier than ever for end users to securely access their digital workspace on any device, anytime, anywhere regardless of your cloud choice.
Horizon Cloud also includes functionality above and beyond Microsoft Windows Virtual Desktop, including user environment management, application management, advanced power management, support for hybrid environments, and more, as we will see in this module.
Horizon helps IT efficiently deploy and scale virtual desktops and apps from a single control plane with rapid provisioning, automation, and simplified management.
Horizon technology also leverages best-in-class management capabilities and deep integrations with the VMware technology ecosystem. The Horizon platform delivers a modern approach for desktop and app management that extends from on-premises to the hybrid and multi-cloud. The result is fast and simple virtual desktop and application delivery that extends an optimal experience to all applications with multiple delivery combinations.
In summary, the outcome will deliver:
Getting started with VMware Horizon on VMware Cloud on one of the supported public clouds or VMware Horizon Cloud Service on Microsoft Azure can be accomplished in a few steps:
The Horizon Control Plane Services are feature-rich, cloud-based services that use a multi-tenant, cloud-scale architecture and enable administrators to choose where virtual desktops and applications reside.
Example services enabled by the Horizon Control Plane include:
VMware Horizon for Azure VMware Solution (AVS) delivers a seamlessly integrated hybrid cloud for virtual desktops and applications. It combines the enterprise capabilities of the VMware Software-Defined Data Center (SDDC), delivered as infrastructure as a service (IaaS) on AVS, with the market-leading capabilities of VMware Horizon for a simple, secure, and scalable solution. You can easily address use cases such as on-demand capacity, disaster recovery, and cloud co-location without buying additional data center resources.
For customers who are already familiar with Horizon or have Horizon deployed on-premises, deploying Horizon on Azure VMware Solution lets you leverage a unified architecture and familiar tools. This means that you use the same expertise you know from VMware vSphere and Horizon for operational consistency and leverage the same rich feature set and flexibility you expect. By outsourcing the management of the vSphere platform to Microsoft, you can simplify the management of Horizon deployments.
Azure VMware Solution private clouds use vSphere role-based access control for enhanced security. You can integrate vSphere SSO LDAP capabilities with Azure Active Directory.
Click the link if you are interested in taking the Azure VMware Solution - Lightning Lab
VMware Horizon for VMware Cloud on AWS delivers a seamlessly integrated hybrid cloud for virtual desktops and applications. It combines the enterprise capabilities of the VMware Software-Defined Data Center (SDDC), delivered as a service on Amazon Web Services (AWS), with the market-leading capabilities of VMware Horizon for a simple, secure, and scalable solution. You can address use cases such as on-demand capacity, disaster recovery, and cloud co-location without buying additional data center resources.
For customers who are already familiar with Horizon or have a Horizon environment on-premises, deploying Horizon on VMware Cloud on AWS lets you leverage a unified architecture and familiar tools. This means that you use the same expertise you know from VMware vSphere and Horizon for operational consistency and leverage the same rich feature set and flexibility you expect. By outsourcing the management of the SDDC to VMware, you can simplify the operation of Horizon deployments.
VMware Horizon for Google Cloud VMware Engine (GCVE) delivers a seamlessly integrated hybrid cloud for virtual desktops and applications. It combines the enterprise capabilities of the VMware Software-Defined Data Center (SDDC), delivered as a service on Google Cloud Platform (GCP), with the market-leading capabilities of VMware Horizon for a simple, secure, and scalable solution. You can easily address use cases such as on-demand capacity, disaster recovery, and cloud co-location without buying additional data center resources.
For customers who are already familiar with Horizon or have Horizon deployed on-premises, deploying Horizon on Google Cloud VMware Engine lets you leverage a unified architecture and familiar tools. This means that you use the same expertise you know from VMware vSphere and Horizon for operational consistency and leverage the same rich feature set and flexibility you expect. By outsourcing the management of the vSphere platform to VMware, you can simplify the management of Horizon deployments. For more information about Horizon for Google Cloud VMware Engine, visit Google Cloud VMware Engine.
Follow this link to learn more at TechZone.
You can deploy Horizon on VMware Cloud on Dell EMC to scale Horizon desktops and applications with the simplicity and agility of the public cloud and the security and control of on-premises infrastructure delivered as a service to data center and edge locations.
It is built upon the latest VMware software defined data center suite, including industry-leading compute, storage, and network virtualization that is optimized for Dell EMC VxRail hyperconverged infrastructure. It is quick and easy to procure and delivers a cloud-style consumption model for a range of use cases. VMware provides fully automated lifecycle management and monitors the health of the entire SDDC stack around the clock. The combined software, hardware, and services offering enables customers to focus technology resources on initiatives that differentiate the business, instead of spending time on infrastructure management.
To learn more, use this link to take the 30 minute lightning lab: VMware Cloud on Dell EMC Lab.
Horizon Cloud Service provides a single cloud control plane, run by VMware, that enables the central orchestration and management of remote desktops and applications in your Microsoft Azure capacity, in the form of one or multiple subscriptions in Microsoft Azure.
VMware is responsible for hosting the Horizon Cloud Service control plane and providing feature updates and enhancements for a software-as-a-service experience. The Horizon Cloud Service is an application service that runs in multiple Microsoft Azure regions.
The cloud control plane also hosts a common management user interface called the Horizon Cloud Administration Console, or Administration Console for short. The Administration Console runs in industry-standard browsers. It provides you with a single location for management tasks involving user assignments, virtual desktops, RDSH-published desktop sessions, and applications. This service is currently hosted in multiple Azure regions. The Administration Console is accessible from anywhere at any time, providing maximum flexibility.
We have a complete Horizon Cloud on Azure Lab if you wish to learn more. Click HOL-2251-02-ISM - Getting Started with Horizon Cloud on Azure to get started!
The Horizon Cloud Connector is a virtual appliance that connects existing on-premises Horizon deployments to the Horizon Control Plane, a cloud management console consisting of a set of services that not only provide licensing to on-premises Horizon but also simplify Day 2 management for all your Horizon environments, regardless of whether they are on-premises or in the cloud.
The Cloud Connector is a pure add-on appliance and doesn’t require any changes to the Horizon infrastructure.
To establish connectivity between the Horizon Control Plane and Horizon on-premises deployments, administrators need to complete the pairing of the Cloud Connector with Connection Servers. As a result of this process, the Horizon Cloud Connector virtual appliance connects to the Connection Server in order to manage the Horizon subscription license and other Horizon Control Plane services mentioned above.
The minimum Connection Server version required to use all Cloud Connector features is 7.10. Horizon Cloud Connector and Connection Server compatibility can be checked at the Compatibility matrix.
You will now set up the Cloud Connector and walk through the steps required to secure communication to the Cloud Connector and accounts.
This part of the lab is presented as a Hands-on Labs Interactive Simulation. This will allow you to experience steps which would be time-consuming or resource intensive to perform in a live environment. In this simulation, you can use the software interface as if you are interacting with a live environment.
Congratulations on completing Module 9.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-2251-01-DWS
Version: 20230320-205353