As administrators of VMs infrastructure based on VMware Horizon 7 well know, the last version of VMware User Environment Manager 9.0 (UEM) solution provides an interesting feature – Smart Policies. This functionality allows customization of user environment on a virtual desktop, depending on various conditions, such as the location from which the user logs in.
Here are functionalities of client access that can be controlled with Smart Policies:
- USB redirection – determines whether the user can locally attach USB-devices, such as flash drives, cameras, and printers, and pass them through to his remote desktop.
- Printing – controls whether the user is allowed to print a document from a remote desktop using the network- or a USB-printer connected to the client computer.
- Clipboard – controls whether the user can copy and paste text and graphics from a client computer to a remote desktop, from remote desktop to the client computer, in both directions or in none of them.
- Client drive redirection – controls folders sharing between the client computer and the remote desktop. This mode can be used with the read-only setting, for example.
- HTML Access file transfer (available on User Environment Manager 9.1 and higher) – controls whether you can upload and download files from a remote desktop using HTML Access.
- Bandwidth profile – determines the access speed that the agent will use to maintain the session with a remote desktop. For example, it prevents an attempt of transmitting data at a rate higher than the physical bandwidth of the link. This setting determines both Blast Extreme protocol mode and PCoIP (only UEM 9.1 and higher).
Smart Policies work the next way: you choose settings for the Horizon 7 features that you want to control in accordance with specific conditions under which policies take effect. If you do not define the specific conditions, the policies will be applied to all users in an OU container configured for User Environment Manager. The settings are always deployed when the user logs in. But you can set triggers, which, when activated, can force settings to be deployed at any other time, for example, when the user reconnects to the desktop or application.
Policies are applied only to users who meet certain conditions. If the user does not, then default policies are applied, which are related to all users in the pool.
Let’s take a look at a specific situation. Suppose we want separate remote desktop users (HR department, for example) to be able to copy data to the clipboard and attach the USB-device to a virtual desktop to copy data while being connected from the internal environment of the enterprise with their remote desktop. Moreover, to get access using Blast Extreme or PCoIP protocol a network profile for the local network (LAN) should be applied.
Let’s open the Management Console tool in User Environment Manager, choose Horizon Smart Policies on the left and click Create:
The first thing we select after setting the name and tag are features to be activated and their parameters. Set them to enable both USB redirection and clipboard operations, and the bandwidth profile should be set to LAN:
Next, we go to the Conditions tab – these are the conditions to trigger politics. Click on Add button and select Client Location property and set it to Internal (users connecting from inside the company via the View Connection Server):
Here you also can set the property to External. In this case, the policy would apply to customers who operate through Access Point appliance or Security Server (that is, links coming from the WAN-network).
Next, we add one more property – virtual desktop pool name. In this case, we know that, for example, in HR-department, they all start with “HR” prefix. Let’s create the following property:
Right here, on the Conditions tab, you can set the parameters of the combination of conditions that set policies to take effect. The default logical operator is AND, which means that all conditions must be met:
Now, let us proceed to triggers (choose Triggered Tasks section on the left). We click on the Create button and see the following picture:
Here we set the trigger itself (Reconnect session – that is, when the user has reconnected to his PC), and the action that is performed when it is activated. We choose here User Environment refresh (that is, re-initialization of the environment using smart policies).
Further, we should check a checkbox to apply the trigger action to Horizon Smart Policies, then click Save:
This is where simple operations with smart policies come to an end. As you can see, policies for external access to virtual desktops the are set in the same way, where on the contrary, you can ban connection of USB-devices and copying data via the Clipboard.
If this knowledge is not enough for you – take a look at the document “Reviewer’s guide for View in VMware Horizon 7: Smart Policies”, which has a lot of interesting information about the work of smart policies.
- Instant Clone functionality in VMware Horizon 7 – how quickly and efficiently it works
- VMware Horizon FLEX. The architecture and the key features