smart policies

Security Update: 8 Advances in End-User Computing from VMware

Employees across enterprise organizations in today's mobile-cloud world expect simple user experiences to help them be productive. IT often runs into challenges supporting these expectations while keeping their environments secure.

Our team has focused on empowering organizations with an enterprise-secure approach and consumer-simple experience through a digital workspace. Employees can securely access any app, on any device in their own digital workspace provided by VMware Workspace ONE, powered by VMware AirWatch unified endpoint management technology.

Over the course of 2017, we've introduced many security capabilities across the Workspace ONE platform, which includes advancements in VMware Horizon 7 and VMware Horizon Cloud. Let's take a closer look at those security capabilities, as well as existing security integrations and security features that elevate Workspace ONE to the digital workspace platform that organizations can trust.

1. Derived Credentials

Earlier this year, we announced our derived credentials solution as part of Workspace ONE. This was huge news for organizations mandated by certain directives, such as FIPS 201, that require the use of smart cards, Personal Identity Verification (PIV) cards or Common Access Cards (CAC) for access to physical, logical and network resources.

Smart cards, PIV and CAC worked great on desktops and laptops, but the experience on mobile devices was poor and costly because special hardware was needed to read the cards. To help with this issue, the National Institute of Standards and Technology (NIST) updated FIPS 201 in 2013 and the following year released SP 800-157, with guidelines on how to generate and use alternative tokens, which NIST refers to as derived PIV credentials, also commonly called derived credentials or PIV-D. This provides a better experience, implementation and deployment on mobile devices accessing physical, logical and network resources.

We released our derived credentials app, called VMware PIV-D Manager, that enables the use of derived credentials with native apps and profiles, VMware apps and third-party AirWatch SDK-enabled apps. PIV-D Manager even integrates with other derived credentials solution providers such as Entrust and Intercede.

2. Boxer S/MIME

VMware Boxer, one of our Workspace ONE productivity apps, is an integrated mobile email, calendar and contacts app that helps increase productivity by giving end users a great user experience. Security was a big focus on our Boxer app this year.

We started by enabling S/MIME support for sending and receiving signed and/or encrypted mail. S/MIME is a standard for public key encryption and signing of MIME (Multipurpose Internet Mail Extensions) data that allows for secure email exchange. Organizations have the option of signing an email for authenticity and/or encrypting email messages for an added layer of security.

3. Boxer Classification Markings

In various regulated industries, such as public sector, healthcare and financial services, sensitive emails often need to be specifically marked or classified when they are sent and received. When it comes to email, messages typically get a classification appended in the subject line, at the top or bottom of the body, etc. For example, an email message should be marked "unclassified" or "secret" depending on the content of the email.

Earlier this year, we announced support for classification markings in the Boxer app, which integrates with the built-in Microsoft Exchange transport rules. This capability also integrates with TITUS, Boldon James and janusNET.

4. Boxer Information Rights Management

In addition to S/MIME and classification marking support, we added full support for information rights management (IRM). IRM is a form of data loss prevention (DLP), which can specify access permissions to email messages, including the ability to restrict copy-paste, restrict email forwarding, enforce email message content expiration and more. As you can tell, we put a lot of emphasis on email security through our Boxer app!

5. AirWatch & NSX Integration

AirWatch and NSX integration was introduced over a year ago, and the amount of customer interest in it hasn't slowed down since. When apps on mobile devices have access to communicate to any resource in the data center, this represents a challenge for IT as the attack surface within the data center can be large.

The AirWatch and NSX integration aims to solve this problem by limiting each mobile app to only communicate to the server that it needs to talk to, using the tunneling capability in AirWatch and the micro-segmentation capability in NSX. Combining these two technologies vastly reduces the access footprint from the mobile device and the attack surface in the data center.

Organizations, like Vallejo Sanitation and Flood Control District, can raise their security posture from the mobile device to the data center using the AirWatch and NSX integration. This type of integration can also help organizations along their journey towards General Data Protection Regulation (GDPR) compliance, as data in transit is protected with AES-256 encryption.

VMworld 2017 Panel Discussion:

“Data Privacy, the GDPR & the Globalization of Compliance”

Add GRC3109PU via VMworld U.S. schedule builder.

Add GRC3109PE via VMworld Europe schedule builder.

6. Horizon & NSX Integration

We know that apps on mobile devices and data center resources can be tunneled and micro-segmented for an extra layer of security. We can take that same concept and apply it towards desktop virtualization.

Integrating Horizon and NSX, customers can effectively secure east-west traffic within the data center, preventing malware from spreading across the data center if a virtual desktop is compromised because each desktop is effectively isolated from other desktops. IT can quickly and easily administer networking and security policy that dynamically follows end users' virtual desktops and apps across infrastructure, devices and locations. This extra level of security takes desktop virtualization to a whole new level!

VMworld 2017 Breakout Session:

“Securing Your Horizon Virtualized Apps & Desktop Investments with NSX”

Add SIE2034BU via VMworld U.S. schedule builder.

Add SIE2034BE via VMworld Europe schedule builder.

7. Just-in-Time Management Platform (JMP)

We introduced JMP earlier this year, our next-generation desktop and application delivery platform, which enables just-in-time desktops and apps. Imagine a virtual desktop that is created when a user logs in and destroyed when that user logs out. IT can set up a pool of virtual desktops that fits this model, including pools that can access the internet and pools that cannot, effectively creating separation boundaries for higher security. Virtual desktops in each pool only get created when a user logs into that specific pool.

With the JMP platform extending across Horizon 7 and Horizon Cloud, IT has the ability to inject apps and user environment settings into the desktop the moment a user logs in. Having pristine desktops created at every login and destroyed at every logoff eliminates malware that the user may have accidentally installed during the session.

8. Smart Policies

Smart Policies are available in Horizon 7 and Horizon Cloud for IT to provide end users with a truly contextual user experience. For example, policies dynamically change depending on the device used or the location services are being accessed from.

True single sign-on (SSO) enables end-to-end authentication from Workspace ONE to Horizon virtual desktops and apps, for a secure and simple user experience. Users aren't prompted for multiple logins once they've authenticated into the Workspace ONE portal. Client policies such as enabling or disabling clipboard redirection, USB, printing and more can be set by IT using Smart Policies. Horizon is certified to meet FIPS 140-2 and Common Criteria requirements as a result of the secure policies powered by Smart Policies.

For organizations looking for even more advanced security capabilities across Workspace ONE, look no further than Workspace ONE integrations with our ecosystem of mobile security leaders in the VMware Mobile Security Alliance. Workspace ONE integrates with technologies from our Mobile Threat Defense partners, Cloud Access Security Brokers partners and more to further enable comprehensive cybersecurity across mobile devices, apps, networks and cloud services.

Learn more about our end-user computing (EUC) security initiatives at VMworld U.S. and VMworld Europe. If you're not attending VMworld, you still have time to register!

To learn more about the security capabilities in Workspace ONE, visit vmware.com/workspaceone.

The post Security Update: 8 Advances in End-User Computing from VMware appeared first on VMware End-User Computing Blog.


Horizon Cloud Service with Hosted Infrastructure – July 2017 Technical Updates

There are several technical updates to the VMware Horizon Cloud Service with Hosted Infrastructure this quarter. The updates for this release focus on expanding capabilities from the initial release in February. VMware will contact all customers individually to schedule the upgrade of their tenant(s) to the new release (17.1). For more details on this release, see the Horizon Cloud with Hosted Infrastructure 17.1 Release Notes.

New Data Center Availability Added!

VMware is continuing its partnership with IBM to bring VMware Horizon Cloud Service to more regions. Since February, we have added capabilities to host Horizon Cloud in the United Kingdom (May), Germany (June) and in California (July). We now have three data centers in the U.S., one in Japan, and two in Europe. The Horizon Cloud team will continue to add more data centers in the next few months. Stay tuned!

Native Applications with App Volumes Technology Is Generally Available

In February, we enabled a few select customers to use VMware App Volumes technology to create and leverage AppStacks in Horizon Cloud. This feature is now generally available to any customer who requests it. Note that add-on storage is required to use this feature. If you are a Horizon Cloud customer and would like to use Native Applications powered by App Volumes technology, consult with your VMware sales team.

Smart Policies Support

You can now leverage Smart Policies in Horizon Cloud. Smart Policies allow you to have fine-grained control over a user's desktop experience. You can dynamically enable, disable, or control access to user features in Horizon Cloud based on who the user is and how they are accessing Horizon Cloud. Smart Policies were released as an integration between VMware Horizon 7 and VMware User Environment Manager in 2016.

For example, with Smart Policies, an administrator can decide to disable access to USB devices or to cut-and-paste from within the Horizon Client if a user is attempting to access the Horizon Cloud environment from an untrusted or external network. You can also dynamically control display-protocol configurations based on the type of device that is being used.

Smart Policies in Horizon Cloud work the same as they do in Horizon 7. VMware Senior Product Line Manager Aaron Black wrote an excellent blog post pointing out some great use cases for Smart Policies. If you want to try out Smart Policies in your Horizon Cloud deployment, download the Reviewers Guide for View in VMware Horizon 7: Smart Policies.

Windows Server 2016 Support

Horizon Cloud continues to provide support for customers wanting to use the latest editions of Windows operating systems. With this release, Horizon Cloud with Hosted Infrastructure now supports Windows Server 2016 for RDSH hosts and for skinned Windows Server based virtual desktops. For full details on OS support in Horizon Cloud with Hosted Infrastructure, see the Horizon Cloud with Hosted Infrastructure Service Description document, which can be found in the Horizon Cloud Service with Hosted Infrastructure Terms of Service page.

Horizon Virtualization Pack for Skype for Business Support

Full support for the Horizon® Virtualization Pack for Skype for Business is released for Windows clients with Horizon Cloud. This solution enables customers to use Skype for Business within Horizon desktops to make optimized audio-video calls and use telephony features using the native Skype client. Please note that this functionality is only available on VDI desktops today, but will be made available on RDSH desktops / apps in the future. Details on what features are supported with this release can be found in the release notes for Horizon 7.2.

Enhanced Troubleshooting Capabilities through Console Access (BETA)

We have added more troubleshooting features to the Horizon Air Console Access (HACA) tool. HACA, which is currently in Beta, gives administrators direct access to individual desktop consoles for troubleshooting purposes. The tool has been enhanced to allow administrators to troubleshoot virtual machines that get stuck during the Windows OS startup process, before the Horizon Agent starts.

Horizon Agent 7.2 / Client 4.5 Support

Horizon Cloud with Hosted Infrastructure supports the latest Horizon clients and agents. Organizations can take advantage of new feature enhancements in the latest clients, including enhanced security in Blast Extreme with SHA-256 support. You can download the latest clients from the Horizon Client download page.

The post Horizon Cloud Service with Hosted Infrastructure - July 2017 Technical Updates appeared first on VMware End-User Computing Blog.


What’s New in VMware Horizon 7.2 and Horizon Client 4.5

We have just announced the general availability of VMware Horizon 7.2 and Horizon Client 4.5. This is a significant release for our flagship product, with improvements across the board—from scalability and user experience to deep technical innovations and improved policy controls. Let us dive straight in and highlight the key technical advances this release delivers.

Horizon 7.2

What's New Highlights

Horizon Help Desk Tool
  • Provides user-session details for the Horizon 7 environment.
  • Single console for troubleshooting and solving user issues.
Workspace ONE mode
  • Forces using Workspace ONE when the client supports it.
  • Optionally blocks clients that do not support it.
Reuse AD account for instant-clone pool
  • Create a new computer account only if it does not exist.
Graphics settings from snapshot
  • SVGA settings / vGPU profile from master snapshot.
ADM template removal
  • Only ADMX in 7.2.
Increased scale
  • Pod, Cloud Pod Architecture, and Connection Server.
Storage improvements
  • Storage DRS cluster, storage policy-based management, encryption, local storage.

Horizon Help Desk Tool

The Horizon Help Desk Tool provides a tailored troubleshooting interface for the help desk that is installed by default on the Connection Servers. To access the Horizon Help Desk Tool, navigate to https://<CS_FQDN>/helpdesk, where CS_FQDN is the fully qualified domain name of the Connection Server, or click the Help Desk button in the Horizon Administrator console.

The Horizon Help Desk Tool reduces workload for administrators and provides quick troubleshooting and metrics for the help desk.

The tool allows help desk staff to easily perform the following tasks on the user machine:

  • Restart, Logoff, Reset, and Disconnect
  • Remote Assistance
  • Send Message

You can obtain the following metrics for the client and virtual machine:

  • Client
    • Username
    • Client IP, Name, and OS
    • Protocol, TX Bandwidth, and Frame Rate
  • VM
    • Computer Name
    • Agent Version
    • Session State and State Duration, Logon Time and Duration, and Session Duration
    • CPU, Memory, Latency, and Logon Segments
    • Connection Server
    • Pool
    • vCenter

To get logon segments in the help-desk feature, you need to enable timingProfiler writes to the event database on each Connection Server:

vdmadmin -I -timingProfiler -enable

For detailed information on the Horizon Help Desk Tool, see the VMware blog post Help's on the Way with the New VMware Horizon Help Desk Tool.

Watch this quick demo of the Horizon Help Desk Tool to see it in action:

Workspace ONE Mode

Workspace ONE mode secures access to Horizon 7 by allowing applications and desktops to launch only from Workspace ONE. This setting enforces access policies per application or per desktop. You enable Workspace ONE mode on the Connection Servers. When a user connects to a Workspace ONE mode-enabled server in Horizon Client, they are redirected to the Workspace ONE portal to launch desktops or applications, and the Horizon Client will no longer show other items that are available to launch. You also have the option to disable clients that do not support Workspace ONE mode.

See Workspace ONE mode in action in this short demo:

Reuse AD Account for Instant-Clone Pool

You can now rebuild a virtual machine in an instant clone and keep all machine assignments by reusing the computer account.

Graphics Settings from Snapshot

Instant-clone desktop pools inherit graphics settings from the vCenter Server parent-VM snapshot:

  • Memory
  • Number of monitors (with a new maximum of four)
  • Resolution

Just as with the SVGA settings, the vGPU profile for an instant-clone desktop pool is automatically selected when you select the snapshot of the vCenter Server parent VM.

All Active Directory Group Policy Templates Are Available as ADMX

All policy settings have been migrated to ADMX, and ADM is now deprecated and no longer included with Horizon 7. With all settings now in the ADMX templates, managing Horizon 7 is more streamlined and simpler than ever because now all templates can be placed in a central store, and no redundant copies need to be made into Sysvol.

Scalability

Horizon 7.2 increases scalability for Cloud Pod Architecture deployments to now support up to 120,000 sessions across 12 View pods and five sites. Additionally, Horizon 7 can now support 4,000 desktops with a single VMware vCenter Server for linked-clone, full-clone and instant-clone deployments.

Local Storage Support for Instant Clones

You now have the option to use local storage as a low-cost storage tier for instant clones. However, for high-availability events, this requires careful pool capacity planning and adds complexity to vSphere host maintenance, which you would not have with vSAN.

Ability to Select Storage DRS Clusters for Full Clones

It is no longer required to select all storage devices belonging to a Storage DRS Cluster; you can now directly select the cluster for easier administration.

vSAN and Storage Policy-Based Management Improvements

Horizon 7.2 adds support for vSAN encryption and provides updated storage policy-based management for finer granularity.

Horizon Agent 7.2 for RDSH

What's New Highlights

Smart Policies for applications
  • Extend support from desktop to remote applications.
Session pre-launch
  • Launch application on broker login.
  • Can be enabled per application.

Smart Policies for Applications

Smart Policies give administrators granular control of a user's desktop experience. You can dynamically control a variety of Horizon 7 features based on user, device, and location. Horizon 7.2 now introduces Smart Policies for RDSH applications. Smart Policies for applications, together with tags, can control the behavior of published applications.

Following are client properties mapped to User Environment Manager properties:

Volatile Registry Key               User Environment Manager Property   Value
viewClient_Broker_GatewayLocation   Client location                     Internal/External
viewClient_Launch_Matched_Tags      Launch tag(s)                       Tags (comma-separated)
viewClient_Launch_ID                Pool name                           Pool ID

Edit the Connection Server settings to add a tag for a desktop pool. The tag can be any string value, for example, Internal or External.

Then, from User Environment Manager, create a Smart Policy and reference the tag name.

Or if you want this policy to apply only to specific applications, you can make the condition more specific, for example, only for applications that have Secure in their pool name:

But remember that the pool name that launched the session is evaluated at user-session launch time, so you cannot differentiate between applications on the same farm. If you want to differentiate, separate the applications with nonmatching settings into different farms and use OR to add all the applications to the conditions.

Session Pre-Launch

Administrators can configure a published application so that an application and remote desktop session are launched immediately after a user has authenticated to the Connection Server. When the user starts the session from Horizon Client, the session loads almost instantly. The pre-launch setting enables faster start times for frequently used applications. From the Horizon 7 Administrator console, you can configure pre-launch, as follows:

It is recommended to enable this option only for applications that the user will almost certainly use immediately after launching, to minimize unnecessary load on the farm. To further reduce impact, you can set a timeout for unused pre-launched applications, as follows:

To minimize impact even further, you can set a reasonable maximum amount of users, as determined by testing on the RDSH servers, and configure session load-balancing based on CPU and memory load, leaving enough headroom for boot storms.

For more information, see Configuring Load Balancing for RDS Hosts in View Administration.

Horizon Agent 7.2

What's New Highlights

Recursive Unlock
  • Single unlock of the client device also unlocks the virtual desktop or published desktop.
USB over virtual channel
  • USB-redirection port consolidation.
HTML5 content redirection (beta)
  • Redirect HTML5 from agent to client.
Blast Extreme SHA-256
  • Upgraded to use the latest security algorithms.
Horizon Agent DX11
  • Complete rewrite of the D3D9 renderer.
Skype for Business GA
  • General availability.

Recursive Unlock

The Recursive Unlock feature unlocks all remote sessions after the client machine has been unlocked. After the user logs in to the server, remote sessions such as published applications, RDSH desktops, and Windows desktops are unlocked. This feature removes unnecessary authentication steps for the user.

Requirements for this feature include:

  • The Windows client device must be domain-joined
  • The user logging in to the client must be the same user logged in to the remote session
  • Enable the client setting Log in as current user
  • Enable the Group Policy setting Unlock remote sessions when the client machine is unlocked in Computer Policies\VMware Horizon Client Configuration\Security.

USB over Virtual Channel

You can enable USB redirection without opening the firewall port 32111. USB over virtual channel allows USB over a side channel.

Configure this registry setting as follows:

  • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration
  • Key name: UsbVirtualChannelEnabled
  • Key value: true

HTML5 Redirection (Tech Preview)

The HTML5 redirection feature allows video content redirection for websites that do not use Adobe Flash Player. Benefits of this feature include reduced CPU usage and smoother video playback.

HTML5 redirection requires:

  • Windows 7 or Windows 10 Enterprise for the agent and client OS, with VMware Horizon 7 HTML5 redirection package (available by request)
  • Google Chrome 58 with extension, from Chrome Web Store
  • Setting URL lists in the registry, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware HTML5MMR]
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware HTML5MMR\UrlWhiteList]
"https://vimeo.com/*"=""
"https://www.youtube.com/*"=""

Note: Tech Preview features and capabilities are not supported for production deployment. These features are available to test in a lab or UAT environment as a preview of potential upcoming innovations. You can provide feedback to improve these features through VMware Communities.
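As an added example (not VMware's own code), the following PowerShell applies the two agent-side registry settings described above, USB over virtual channel and the HTML5 redirection URL allowlist, and reads them back for verification; it assumes UsbVirtualChannelEnabled is a REG_SZ "true" (the post gives only the value) and that the verification helper name and the HTTPS-only guard are this example's own choices.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on a
# Horizon Agent 7.2 VM. Key paths are the ones given in the post above.
$AgentConfigKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration'
$Html5PolicyKey = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware HTML5MMR'
$Html5AllowKey  = Join-Path $Html5PolicyKey 'UrlWhiteList'

function Enable-HorizonUsbVirtualChannel {
    # Carry USB redirection inside the display-protocol virtual channel so the
    # dedicated USB port (TCP 32111) can stay closed on the firewall.
    if (-not (Test-Path $AgentConfigKey)) { New-Item -Path $AgentConfigKey -Force | Out-Null }
    # Assumption: the post only says "true"; a REG_SZ string is used here.
    New-ItemProperty -Path $AgentConfigKey -Name 'UsbVirtualChannelEnabled' -Value 'true' `
        -PropertyType String -Force | Out-Null
}

function Set-HorizonHtml5Redirection {
    param([Parameter(Mandatory)][string[]]$AllowedUrlPatterns)

    foreach ($key in @($Html5PolicyKey, $Html5AllowKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $Html5PolicyKey -Name 'enabled' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # The .reg fragment stores each URL pattern as a value *name* with empty data.
    # Rewrite the allowlist wholesale so entries from an earlier rollout do not linger.
    $stale = (Get-Item $Html5AllowKey).GetValueNames() | Where-Object { $_ -ne '' }
    foreach ($name in $stale) { Remove-ItemProperty -Path $Html5AllowKey -Name $name -Force }

    foreach ($pattern in $AllowedUrlPatterns) {
        # Guard added in this example: only redirect content from TLS origins.
        if ($pattern -notmatch '^https://') {
            throw "Refusing non-HTTPS allowlist pattern '$pattern'."
        }
        New-ItemProperty -Path $Html5AllowKey -Name $pattern -Value '' `
            -PropertyType String -Force | Out-Null
    }
}

function Test-HorizonAgentSettings {
    # Hypothetical helper: reads the settings back as one object for a compliance check.
    $usb  = (Get-ItemProperty -Path $AgentConfigKey -ErrorAction SilentlyContinue).UsbVirtualChannelEnabled
    $html = (Get-ItemProperty -Path $Html5PolicyKey -ErrorAction SilentlyContinue).enabled
    $list = if (Test-Path $Html5AllowKey) {
        (Get-Item $Html5AllowKey).GetValueNames() | Where-Object { $_ -ne '' }
    } else { @() }
    [pscustomobject]@{
        UsbVirtualChannelEnabled = ($usb -eq 'true')
        Html5RedirectionEnabled  = ($html -eq 1)
        Html5AllowedUrlPatterns  = @($list)
    }
}

Enable-HorizonUsbVirtualChannel
Set-HorizonHtml5Redirection -AllowedUrlPatterns @('https://vimeo.com/*', 'https://www.youtube.com/*')
Test-HorizonAgentSettings | Format-List
```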

Horizon Virtualization Pack for Skype for Business

Optimized audio and video calls are now possible with Skype for Business inside a virtual desktop without negatively affecting the virtual infrastructure and overloading the network. All media processing takes place on the client machine instead of in the virtual desktop during Skype audio and video calls. Using native Skype codecs, bandwidth usage is equivalent to native Skype for Business calls.

For detailed information on this feature, which is now generally available, see the VMware blog post VMware Horizon Virtualization Pack for Skype for Business (Beta) Is Now Available!.

Horizon Client 4.5

The Horizon Client has been updated, too, with availability of an Xbox One client in the Windows Store, a new installer UI for Windows, dual-monitor support for HTML Access, SSO for RHEL/CentOS 7.x, and KDE and CDR support for Linux.

What's New Highlights

For more information, see the Release Notes on the Horizon Clients Documentation page.

With all these great additions, it is easy to see why we are so excited about this release. We invite you to see it all yourself by visiting the Horizon 7.2 download page and the Horizon Clients download page.


The post What's New in VMware Horizon 7.2 and Horizon Client 4.5 appeared first on VMware End-User Computing Blog.


Horizon Cloud Service with On-Premises Infrastructure May 2017 Release Updates

There are several technical updates this quarter to VMware Horizon Cloud Service with On-Premises Infrastructure. For more details on this release, see the Horizon Cloud with On-Premises Infrastructure Release Notes.

Support for Cloud-Based Workspace ONE

With this release, we now support cloud-based deployments of VMware Workspace ONE. End users can access their VMware Horizon Cloud virtual desktops from the Workspace ONE application catalog and utilize single sign-on for authentication. We previously supported only on-premises deployments of Workspace ONE.


New Desktop Configuration – Performance (Enterprise Plus)

We have added a new desktop configuration option to better suit the needs of your power users. With Horizon Cloud with On-Premises Infrastructure, you can now deliver Performance (Enterprise Plus) Desktops, with an 8 vCPU and 16 GB vRAM configuration.

Smart Policies Support

You can now leverage Smart Policies in Horizon Cloud. Smart Policies allow you to have fine-grained control over a user's desktop experience. You can dynamically enable, disable, or control access to user features in Horizon Cloud based on who the user is and how they are accessing Horizon Cloud. Smart Policies were released as an integration between VMware Horizon 7 and VMware User Environment Manager in 2016.

For example, with Smart Policies, an administrator can decide to disable access to USB devices or to cut-and-paste from within the Horizon Client if users are attempting to access the Horizon Cloud environment from an untrusted or external network. You can also dynamically control display-protocol configurations based on the type of device that is being used.

Smart Policies in Horizon Cloud work the same as they do in Horizon 7. VMware Senior Product Line Manager Aaron Black wrote an excellent blog post pointing out some great use cases for Smart Policies. If you want to try out Smart Policies in your Horizon Cloud deployment, download the Reviewers Guide for View in VMware Horizon 7: Smart Policies.

vSphere 6.5 Support

We have added support for VMware vSphere 6.5 on certified vSAN Ready Nodes. For details on supported hardware models from partners, see the Horizon Cloud with On-Premises Infrastructure page.

SmartNode Consolidation

We have consolidated the management tier of a Horizon Cloud with On-Premises Infrastructure deployment into a single virtual appliance. The Horizon Cloud Node appliance manages all of the critical functions including App Volumes, Instant Clone creation, and communication with the Horizon Cloud control plane. This change was made to keep the Horizon Cloud Node footprint small and efficient. For more details, see Horizon Cloud with On-Premises Architecture.

Summary

With this release of Horizon Cloud with On-Premises Infrastructure, new features include

  • Support for cloud-based Workspace ONE
  • New desktop configuration: Performance (Enterprise Plus)
  • Smart Policies support
  • vSphere 6.5 support
  • Multi-region management
  • SmartNode consolidation

Horizon Cloud with On-Premises Infrastructure continues to add new functionality on a regular basis. For more information, see Horizon Cloud Service with On-Premises Infrastructure.

The post Horizon Cloud Service with On-Premises Infrastructure May 2017 Release Updates appeared first on VMware End-User Computing Blog.
