Smart Policy

You can use Smart Policies to create policies that control the behavior of the USB redirection, virtual printing, clipboard redirection, client drive redirection, and Blast display protocol features on specific remote desktops.

With Smart Policies, you can create policies that take effect only if certain conditions are met. For example, you can configure a policy that disables the client drive redirection feature if a user connects to a remote desktop from outside your corporate network.

You use the User Environment Manager Management Console to create a Horizon smart policy in User Environment Manager. When you define a Horizon smart policy, you can add conditions that must be met for the smart policy to take effect.

What are Horizon Smart Policies?

With Smart Policies, administrators have granular control of a user's desktop experience. A number of key Horizon 7 features can be dynamically enabled, disabled, or controlled based not only on who the user is, but on the many different variables available through Horizon 7: client device, IP address, pool name, and so on.

You can use Smart Policies to enable or disable features including clipboard redirection, USB access, printing, and client drive redirection. For example, you can create a policy so that a desktop login from outside the corporate network results in disabling of security-sensitive features such as cut-and-paste or USB drive access. Additionally, bandwidth profile settings allow you to customize the user experience based on user context and location.

Smart Policies can be enforced based on role, and evaluated at login and logout, disconnect and reconnect, and at predetermined refresh intervals. With all these capabilities and fine-grained control, you can use one desktop pool to address many different use cases.

Note: In most cases, Smart Policy settings that you configure for remote desktop features in User Environment Manager override any equivalent registry key and group policy settings.

Overview of Features controlled by Smart Policies

This section lists the features controlled by Smart Policies.

You can use Smart Policies to enable, restrict, or disable Horizon 7 features that include clipboard redirection, USB access, printing, and client drive redirection, and you can select a profile that manages bandwidth usage.

  • Audio Playback - Controls audio playback.
  • Bandwidth profile - Prevents the agent (remote desktop) from attempting to transmit data at a higher rate than the link capacity.
  • Blast Extreme Protocol - H.264, H.264 high color accuracy, H.264 minimum quality, HEVC/H.265, JPG, and Max frame rate.
  • Drag and Drop - Determines behavior when dragging and dropping items between client and agent.
  • Printing - Controls whether a user is allowed to print documents from the remote desktop to a network printer or a USB printer that is attached to the client computer.
  • USB redirection - Controls whether a user is allowed to use locally attached USB devices, such as flash drives, cameras, and printers, from the remote desktop.
  • Clipboard redirection - Controls whether users are allowed to copy and paste text and graphics only from the client system to the remote desktop, only from the remote desktop or application to the client system, or both, or neither.
  • Client drive redirection - Controls whether drives and folders on the client system are shared with the remote desktop and, if so, whether they are readable only or readable and writeable.
  • Web and Chrome file transfer - Controls whether you can upload files from the client system to the remote desktop, download files from the remote desktop to the client system, or both, or neither, when you are using the web client to access the remote desktop.

How Smart Policies are Applied

To create a Smart Policy, you select settings for the Horizon 7 features that you want to control and specify the conditions, if any, under which the policy will go into effect. If you do not specify any conditions, the policy is applied to all users in the user OU configured for User Environment Manager. Settings are always applied when the user logs in. You can optionally configure triggers to also re-evaluate the settings at other times, such as when users reconnect to the desktop or application.

Overview of lab

In this section of the lab, Horizon Smart Policies will be used to conditionally enable drag and drop and clipboard use.

Open UEM Management Console

Click on the Management Console on the Main Console desktop to launch the UEM Management Console.

Create Horizon Smart Policies

  1. In the User Environment Manager Management Console, select the User Environment tab and click Horizon Smart Policies in the tree view.
  2. Existing Horizon smart policy definitions, if any, appear in the Horizon Smart Policies pane. Right-click Horizon Smart Policies.
  3. Select Create Horizon Smart Policies setting... to create a new smart policy.

You can also select Horizon Smart Policies and then click on Create to open the create Horizon Smart Policy dialog box.

Create Smart Policies for Internal User

The Horizon Smart Policy dialog box appears.

In the Settings tab you define the smart policy settings.

  1. In the General Settings section,
    • Type a name for the smart policy in the Name text box: Inside Corporate Network
    • Type a Label: Allow Drag and Drop and Clipboard
    • Tag: Internal
  2. In the Horizon Smart Policy Settings section, we will select the features and settings to include in the smart policy.
    • Click the box to enable Drag and drop and select Allow All.
    • Click on Clipboard and select Allow All.

Don't click Save yet, because we will set Conditions in the next step. If you already clicked Save, select the Inside Corporate Network Smart Policy, click Edit, and then proceed to the next step.

Add a Condition

To add a condition to the smart policy, select the Conditions tab, click Add, and select a condition.

You can add multiple conditions to a smart policy definition.

  1. Click on the Conditions tab
  2. Click Add
  3. Select Horizon Client Property

Set the Client Location to Internal

  1. For Property, select Client location
  2. Set the location to Internal
  3. Click OK

When you connect directly to a Connection Server, the gateway location is Internal. If you connect to a VMware Unified Access Gateway appliance or Security Server, the gateway location is External.

Save the Horizon Smart Policies

Click on Save to save the Horizon Smart Policy we just created with the condition.

The Smart Policy setting and condition are now defined. These settings are always evaluated and applied whenever the user logs in. You can specify an event that triggers the re-evaluation of the Smart Policy whenever the user reconnects, rather than logs in. This is called a triggered task.

Copy some text to the clipboard

  1. Double-click the README.txt on the desktop of the Control Center.
  2. Select some text
  3. Right-click and choose Copy to copy the text to the clipboard
  4. Minimize Notepad

Open VMware Horizon Client

We will now test connecting in as an internal user using the VMware Horizon Client.

Click on VMware Horizon Client from the desktop of the main console to open up the Horizon Client.

Connect to the Horizon-01 Server

Click the horizon-01.corp.local server.

We will now test the ability to paste from the clipboard internally.

Log in as the user2mod1 user

Log in as the user2mod1 user with the password VMware1! and click Login.

Connect to the Notepad Published App

Double-click the Notepad application to launch it.

Paste text into Notepad

  1. Right-Click in the whitespace and choose Paste from the menu
  2. You are able to paste the text that we copied earlier because UEM detected you are connecting via an internal connection.
  3. Close Notepad by clicking the X in the top right corner; don't save the file

Launch the Paint Published Application

From the Horizon Client, double-click Paint to launch the published application.

Drag and drop file to Paint

  1. Open Windows Explorer from the taskbar
  2. Browse to c:\tools\UEM-Lab in Windows Explorer
  3. Select the Horizon.jpeg file
  4. Drag it over to the Paint published application and drop it
  5. Notice that the image was dragged from the local system to the published application when connecting internally
  6. Close Paint by clicking the X in the top right

Reset Published Applications

  1. Click the gear at the top right of the Horizon Client
  2. Click on Reset
  3. Click Yes to confirm that you want to reset all remote applications
  4. Click OK

Disconnecting from the Horizon-01 Server

  1. Click the Disconnect symbol in the top left of the VMware Horizon Client window.
  2. Confirm by clicking OK when prompted.
  3. Minimize the Horizon Client

Horizon Smart Policies External

Now we will set a Horizon Smart Policy and Condition for a user who is external to the system. This user will not have access to copy/paste or drag and drop.

  1. Open the VMware User Environment Management Console, by clicking it in the taskbar or opening it from the desktop.
  2. In the User Environment Manager Management Console, select the User Environment tab.
  3. Click Horizon Smart Policies in the tree view.
  4. Select Create to create a new Horizon Smart Policy for external users.

Create External Access Smart Policies

The Horizon Smart Policy dialog box appears.

In the Settings tab you define the smart policy settings.

  1. In the General Settings section,
    • Type a name for the smart policy in the Name text box: External Horizon Session
    • Type a Label: No Clipboard or Drag and drop
    • Tag: External
  2. In the Horizon Smart Policy Settings section, select the remote desktop features and settings to include in the smart policy. You can select multiple remote desktop features.
    • Click the box for Drag and drop and select Disable.
    • Click on Clipboard and select Disable.

Don't click Save yet, because we will set Conditions in the next step. If you already clicked Save, select the External Horizon Session Smart Policy, click Edit, and then proceed to the next step.

Add a Condition for External User Smart Policy

  1. Click on the Conditions tab
  2. Click Add
  3. Select Horizon Client Property

Set the Client Location to External

  1. For Property, select Client location from the drop down
  2. Set the location to External
  3. Click OK

Save External Policy

Click on Save to save the Horizon Smart Policy we just created with the condition.

The Smart Policy setting and condition are now defined. These settings are always evaluated and applied whenever the user logs in. You can specify an event that triggers the reevaluation of the Smart Policy whenever the user reconnects, rather than logs in. This is called a triggered task.

Remember by default: When you connect directly to a Connection Server, the gateway location is Internal. If you connect to a VMware Unified Access Gateway appliance or Security Server, the gateway location is External.
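
With both policies defined, the pair can be checked for gaps before testing with the client. The following is an added example, not part of the lab or VMware code: a simplified Python model in which SmartPolicy, effective and audit are hypothetical names, and which assumes that a feature no matching policy sets is left to whatever registry or group policy settings apply.

```python
# Added example: simplified model of this lab's two Smart Policies (not VMware code).
from dataclasses import dataclass
from typing import Optional

LOCATIONS = ("Internal", "External")        # values of the Client location property
FEATURES = ("Drag and drop", "Clipboard")   # features configured in this lab


@dataclass
class SmartPolicy:
    name: str
    settings: dict                          # feature -> "Allow All" or "Disable"
    client_location: Optional[str] = None   # None = no condition, applies to all users

    def matches(self, location):
        return self.client_location is None or self.client_location == location


INSIDE = SmartPolicy("Inside Corporate Network",
                     {"Drag and drop": "Allow All", "Clipboard": "Allow All"},
                     client_location="Internal")
EXTERNAL = SmartPolicy("External Horizon Session",
                       {"Drag and drop": "Disable", "Clipboard": "Disable"},
                       client_location="External")


def effective(policies, location):
    """Return feature -> set of settings from policies whose condition matches."""
    result = {feature: set() for feature in FEATURES}
    for policy in policies:
        if policy.matches(location):
            for feature, value in policy.settings.items():
                result[feature].add(value)
    return result


def audit(policies):
    """List findings: unset features, conflicts, and transfer allowed externally."""
    findings = []
    for loc in LOCATIONS:
        for feature, values in effective(policies, loc).items():
            if not values:
                findings.append(f"{loc}: {feature} not set by any policy")
            elif len(values) > 1:
                findings.append(f"{loc}: {feature} has conflicting settings")
            elif loc == "External" and values != {"Disable"}:
                findings.append(f"External: {feature} is {min(values)}")
    return findings
```

Calling audit([INSIDE]) models the midpoint of this lab, when only the internal policy exists, and reports both features as unset for External sessions; audit([INSIDE, EXTERNAL]) returns no findings.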

Copy Text into the Clipboard

  1. On the Main Console, click README.txt to open the file in Notepad you minimized earlier.
  2. Highlight some text and right-click.
  3. Select Copy.

Connect Through the VMware Unified Access Gateway

This time we will connect through the VMware Unified Access Gateway to show how an external user would access the environment.

  1. Click on the VMware Horizon Client from the taskbar to open it.
  2. Click the uag-01.corp.local server to connect to the Unified Access Gateway. The servers might be listed in a different order.

We will show how we disabled the ability to copy/paste to the clipboard and drag and drop files.

Log in as the user2mod1 user

Log in as the user2mod1 user with the password VMware1! and click Login.

Connect to the Notepad Published Application

Double-click the Notepad application icon to bring up Notepad.

External User No Paste

Right-click in the document. Paste is greyed out.

You are not able to paste into this environment due to the Horizon Smart Policy.

Close Notepad

Close Notepad by clicking the X in the top right. Don't save the file.

Connect to Paint

Click on the Paint application to launch it.

Attempt to Drag and drop a file

  1. Open Windows Explorer from the taskbar of the Main Console desktop.
  2. Browse to c:\tools\UEM-Lab from Windows Explorer
  3. Select the Horizon.jpeg file
  4. Drag and attempt to drop the file into the Paint published application
  5. Notice you can't drop the file when connecting externally. This is due to the external Smart Policy we set.
  6. Close Windows Explorer
  7. Close Paint

Disconnecting from the UAG-01 Server

  1. Click the Disconnect symbol in the top left of the VMware Horizon Client window.
  2. Confirm by clicking OK when prompted.

Close VMware Horizon Client

Click the X in the top right corner to close the VMware Horizon Client.

Close the README.txt File

Click the X in the top right corner to close the README.txt file.

This is the conclusion of this exercise. We have gone over how to use Horizon Smart Policies.