Friday, October 31, 2014

Configuring Pool Settings and Connecting to Virtual Desktops

Configuring pool settings

Entitlement option
Specify users to access virtual machines in the pool

Disable pool

View unentitled desktops and policies

Pool settings summary

Edit pool settings

Tags to identify which server your clients connect to

Tags are set on the View Connection Server

Once tags are set, they are available in the pool settings under connection server restrictions.
Example of tag placement

Display pool inventory of desktops

Properties of the desktop in the pool

Display the vCenter managing the desktop in the pool

Pool sessions

Displays pool entitlements

Pool level policies. Applied policies show the resulting combination of the local and global pool policies.

Pool events

Pool level policies inherit from the global policy

Global policy

Global pool settings at the View global level

Add users to override configured policies

Installing VMware View Client

Connecting to a Virtual desktop

Option to specify settings for the View Client connection

Options once connected to the desktop

Deploying group policy for client configuration

Add View administrative templates into group policy

The vdm_client template controls View clients

Note that there are both Computer Configuration and User Configuration registry settings. Use group policy loopback processing so that the User Configuration policy linked to the computer object is applied to the User Configuration settings.

Import certificate to AD

Thursday, October 30, 2014

Managing for Kiosk Mode

Kiosk mode uses thin clients or locked-down PCs running the View Client to connect to virtual desktops.
  • End users do not log in to the client device (kiosk)
  • View Manager uses Flexible Authentication to authenticate the client device rather than the end user
  • This authentication can be by MAC address or by a computer name beginning with a configurable prefix string

Prepare AD for Kiosk Mode

Use the vdmadmin.exe command to manage kiosks
Run the vdmadmin command using the -domain and -clientid options to specify the domain and the name or the MAC address of the client.

vdmadmin -Q -clientauth -add [-b authentication_arguments] -domain domain_name
    -clientid client_id [-password "password" | -genpassword] [-ou DN]
    [-expirepassword | -noexpirepassword] [-group group_name | -nogroup]
    [-description "description_text"]

Options:

  -clientid client_id
      Specifies the name or the MAC address of the client.
  -description "description_text"
      Creates a description of the account for the client device in Active Directory.
  -domain domain_name
      Specifies the domain for the client.
  -expirepassword
      Specifies that the expiry time for the password on the client's account is the same as for the View Connection Server group. If no expiry time is defined for the group, the password does not expire.
  -genpassword
      Generates a password for the client's account. This is the default behavior if you do not specify either -password or -genpassword.
      A generated password is 16 characters long, contains at least one uppercase letter, one lowercase letter, one symbol, and one number, and can contain repeated characters. If you require a stronger password, use the -password option to specify the password.
  -group group_name
      Specifies the name of the group to which the client's account is added. The name of the group must be specified as the pre-Windows 2000 group name from Active Directory. If you previously set a default group, the client's account is added to this group.
  -noexpirepassword
      Specifies that the password on the client's account does not expire.
  -nogroup
      Specifies that the client's account is not added to the default group.
  -ou DN
      Specifies the distinguished name of the organizational unit to which the client's account is added.
      For example: OU=kiosk-ou,DC=myorg,DC=com
  -password "password"
      Specifies an explicit password for the client's account.

The command creates a user account in Active Directory for the client in the specified domain and group (if any).

Add an account for a client specified by its MAC address to the MYORG domain, using the default settings for the group kc-grp.
vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -group kc-grp
Add an account for a client specified by its MAC address to the MYORG domain, using an automatically generated password.
vdmadmin -Q -clientauth -add -domain MYORG -clientid 00:10:db:ee:76:80 -genpassword
Add an account for a named client, and specify a password to be used with the client.
vdmadmin -Q -clientauth -add -domain MYORG -clientid custom-Terminal21 -password "guest" -ou "OU=kiosk-ou,DC=myorg,DC=com" -description "Terminal 21"
Add an account for a named client, using an automatically generated password.
vdmadmin -Q -clientauth -add -domain MYORG -clientid custom-Kiosk11 -genpassword -ou "OU=kiosk-ou,DC=myorg,DC=com" -description "Kiosk 11"


Create OU for Kiosk

Create a user for the Kiosk computers

Set default client values and add client accounts

Set the defaults of the client values.

On the PC running the View Client, run the command WSWC.exe to display the MAC address of the PC.

Add the PC accounts that will participate as kiosks. You can configure a View Connection Server instance to authenticate clients that identify themselves by their MAC address or by a user name that starts with the characters "custom-" or with an alternative prefix that you have defined in ADAM.

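As an added example that is not part of this page or of VMware's tooling, the following PowerShell script bulk-adds kiosk client accounts using only the vdmadmin options documented above, rejecting any client id that is neither a MAC address nor a prefixed name before it reaches vdmadmin. It assumes vdmadmin.exe is on the PATH of the Connection Server; the CSV layout (ClientId,Description), domain, OU and group names are assumptions taken from the examples above.

```powershell
# Added example, not part of the page or of VMware's tooling: bulk-create kiosk
# client accounts with vdmadmin.exe from a CSV with the columns ClientId,Description.
# Assumes vdmadmin.exe is on the PATH of the View Connection Server. Only the
# vdmadmin options documented above are used.
param(
    [Parameter(Mandatory = $true)] [string] $CsvPath,
    [string] $Domain = 'MYORG',                        # domain name from the examples above
    [string] $OU     = 'OU=kiosk-ou,DC=myorg,DC=com',  # kiosk OU from the examples above
    [string] $Group  = 'kc-grp',                       # kiosk group from the examples above
    [string] $Prefix = 'custom-'                       # name prefix View accepts by default
)

# View authenticates a kiosk either by MAC address or by a name that starts with
# the configured prefix, so refuse anything else before it reaches vdmadmin.
function Test-KioskClientId {
    param([string] $Id, [string] $Prefix)
    $macPattern = '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
    return ($Id -match $macPattern) -or ($Id -like "$Prefix*")
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $id = $row.ClientId.Trim()
    if (-not (Test-KioskClientId -Id $id -Prefix $Prefix)) {
        Write-Warning "Skipping '$id': not a MAC address or a '$Prefix' name"
        continue
    }

    # -genpassword keeps passwords out of the CSV and out of shell history.
    $vdmArgs = @('-Q', '-clientauth', '-add',
                 '-domain', $Domain, '-clientid', $id,
                 '-genpassword', '-ou', $OU, '-group', $Group)
    if ($row.Description) { $vdmArgs += @('-description', $row.Description) }

    Write-Host "Adding kiosk account for $id"
    & vdmadmin.exe @vdmArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Error "vdmadmin failed for '$id' (exit code $LASTEXITCODE)"
    }
}
```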
Enable client authentication

Enable client authentication and confirm clients participating as kiosks

You can run View Client from the command line or use a script to connect a client to a remote session.

You would usually use a command script to run View Client on a deployed client device.
For an example of a script that runs View Client on a Windows system, examine the file C:\Program Files\VMware\VMware View\Client\bin\kiosk_mode.cmd.

Note
On a Windows client, USB devices on the client are not forwarded automatically if they are in use by another application or service when the desktop session starts. You must ensure that you have installed the drivers on the client for any device that you want to forward. On both Windows and Linux clients, human interface devices (HIDs) and smart card readers are not forwarded by default.


To connect to a remote session, type the appropriate command for your platform.



If View Manager authenticates the kiosk client and a View desktop is available, the command starts the remote session.

Run View Client on a Windows client whose account name is based on its MAC address, and which has an automatically generated password.
C:\Program Files\VMware\VMware View\Client\bin\wswc -unattended -serverURL consvr2.myorg.com
Run View Client on a Linux client using an assigned name and password.
vmware-view -unattended -s 145.124.24.100 --once -u custom-Terminal21 -p "Secret1!"

VMware script to run View Client in kiosk mode.

After the user logs out, the computer re-enters kiosk mode. The PC desktop is bypassed and View Client is launched directly into the kiosk's desktop.

Wednesday, October 29, 2014

Managing User Settings with View Persona Management

VMware View Persona Management is an enhanced version of Microsoft's roaming profiles solution.

Configure a Profile Store

Reference: http://msdn.microsoft.com/en-us/library/cc757013(v=ws.10).aspx

Granting profile share permissions

A common error in user profiles is permissions that are incorrectly set. To ensure that permissions are set correctly, use the following guidelines:
  • When you create the shared folders for roaming user profiles, limit access to the folder to only users who need access.
  • Because a roaming profile contains personal information, such as the user’s documents and EFS certificates, it is important to ensure that roaming user profiles are secure. Here are some ways you can enhance the security of roaming user profiles:

    • Restrict the shared folder to only users who need access. Create a security group for users who have profiles on a particular shared folder, and then limit access to only those users.
    • When you create the shared folder, hide the folder by putting a dollar sign ($) after the share name. This hides the folder from casual browsers and hides the folder in My Network Places.
    • Unless you need special permissions on the profile folder, do not create profile folders in advance for the user. Instead, allow the system to create them.
    • Assign users the minimum permissions that are required as described in Tables 7.7, 7.8, and 7.9. These tables list the required NTFS and share level server message block (SMB) permissions for roaming user profile shares and folders.



NTFS Permissions for Roaming Profile Parent Folder

  User Account                                         | Minimum Permissions Required
  -----------------------------------------------------|------------------------------------------------------------------
  Creator Owner                                        | Full Control, Subfolders and Files Only
  Administrator                                        | None
  Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only
  Everyone                                             | No permissions
  Local System                                         | Full Control, This Folder, Subfolders and Files

Share level (SMB) Permissions for Roaming Profile Share

  User Account                                         | Default Permissions | Minimum Permissions Required
  -----------------------------------------------------|---------------------|-----------------------------
  Everyone                                             | Read only           | No permissions
  Security group of users needing to put data on share | N/A                 | Full Control

NTFS Permissions for Each User's Roaming Profile Folder

  User Account   | Default Permissions           | Minimum Permissions Required
  ---------------|-------------------------------|------------------------------
  %Username%     | Full Control, Owner of Folder | Full Control, Owner of Folder
  Local System   | Full Control                  | Full Control
  Administrators | No Permissions*               | No Permissions
  Everyone       | No Permissions                | No Permissions

  * No permissions is the default unless the "Add the Administrator security group to the roaming user profile share" policy setting is enabled, in which case the Administrators group has full control.
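The following PowerShell is an added example, not part of this page or of Microsoft's documentation: it creates the hidden profile share and applies exactly the minimum parent-folder NTFS and share permissions from the tables above, so that Everyone and Administrators carry no entry. The path, share name and group name are placeholder assumptions; the per-user folders are left for the system to create, as the guidelines require.

```powershell
# Added example, not part of the page or of Microsoft's documentation: create the
# roaming profile share and apply the minimum permissions from the tables above.
# Run on the file server as an administrator; path, share and group names are
# placeholders to replace.
$ProfileRoot = 'D:\Profiles'
$ShareName   = 'Profiles$'            # trailing $ hides the share from casual browsing
$UserGroup   = 'MYORG\Profile-Users'  # security group of users who have profiles here

New-Item -ItemType Directory -Path $ProfileRoot -Force | Out-Null

# Builds an Allow ACE; inheritance and propagation flags map to the
# "This Folder Only" / "Subfolders and Files Only" wording of the table.
function New-AllowRule {
    param([string] $Identity,
          [System.Security.AccessControl.FileSystemRights] $Rights,
          [System.Security.AccessControl.InheritanceFlags] $Inherit,
          [System.Security.AccessControl.PropagationFlags] $Propagate)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $ProfileRoot
# Break inheritance and discard inherited ACEs so volume-level grants
# (Everyone, Users, Administrators) do not leak onto the profile root.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) {
    if (-not $rule.IsInherited) { $acl.RemoveAccessRule($rule) | Out-Null }
}
# Creator Owner: Full Control, Subfolders and Files Only
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# Profile users: List Folder/Read Data + Create Folders/Append Data, This Folder Only
$acl.AddAccessRule((New-AllowRule $UserGroup 'ListDirectory, CreateDirectories' 'None' 'None'))
# Local System: Full Control, This Folder, Subfolders and Files
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Administrators and Everyone get no ACE at all, as the table requires.
Set-Acl -Path $ProfileRoot -AclObject $acl

# Share-level permissions: only the profile users group, Full Control; no Everyone entry.
New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess $UserGroup | Out-Null
```

Verify the result with Get-Acl on the folder and Get-SmbShareAccess on the share before pointing the Persona store at it.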

Configure View Persona GPOs

View Persona is configured via GPO.

Create a GPO for persona management

Add the View PM template

GPOs control various aspects of Persona Management

Enable Persona Management and specify an interval for syncing the profile to the server

Specify the persona store.

Other persona settings for roaming and synchronization

Persona settings for folder redirection. Redirected folders are stored at a location outside the desktop, so slow links will cause issues.

Reference: VMware-View-Persona-Management-Deployment-Guide

Notification for files from the persona repository

Persona logging settings

To use View Persona Management with View desktops, you must create desktop pools with a View Persona Management agent installed on each desktop.

You cannot use View Persona Management on Microsoft Terminal Servers.
You cannot use View Persona Management with desktops that run in local mode.

Verify that View Agent with the View Persona Management setup option is installed on the virtual machine that you use to create the desktop pool. See Install View Agent with the View Persona Management Option.
If you intend to configure View Persona Management policies for this pool only, verify that you added the View Persona Management ADM Template file to the virtual machine and configured group policy settings in the Local Computer Policy configuration. See Add the Persona Management ADM Template to a Single System and Configure View Persona Management Policies.

Generate a snapshot or template from the virtual machine and create an automated desktop pool.
You can configure View Persona Management with pools that contain full virtual machines or linked clones. The pools can use dedicated or floating assignments.

(Optional) To use View Persona Management with manual desktop pools, select desktop sources on which View Agent with the View Persona Management option is installed.

Note
After you deploy View Persona Management on your View desktops, if you remove the View Persona Management setup option on the desktops, or uninstall View Agent altogether, the local user profiles are removed from the desktops of users who are not currently logged in. For users who are currently logged in, the user profiles are downloaded from the remote profile repository during the uninstall process.