Archives

VMware User Environment Manager

Delivering a Seamless Digital Workspace Experience with Horizon Cloud

VMware Workspace ONE integrates with VMware Horizon Cloud to provide a simple and secure enterprise platform that allows end users to access their applications, data and services from any device, anywhere. Both platforms were built to integrate with each other, which provides a single user interface (UI) through the Workspace ONE enterprise catalog, to deliver applications to end users.

Explore Workspace ONE further in a Hands-on Lab.

About Workspace ONE

Workspace ONE combines identity, real-time application delivery and mobility management to provide a digital workspace to your end users. This digital workspace delivers Software-as-a-Service (SaaS) applications, public native mobile applications—and when integrated with Horizon Cloud, virtual applications and desktops—all from a single, unified application store.

About Horizon Cloud

Horizon Cloud enables the delivery of cloud-hosted or on-premises virtual desktops and applications. With Horizon Cloud, you can use a cloud-based management plane (and, optionally, cloud-hosted infrastructure) instead of deploying and maintaining an entire on-premises infrastructure to support VDI desktops and RDS applications. Your IT organization can focus on delivering applications and desktops, instead of spending time maintaining the infrastructure.

Benefits of Integration

The integration of Workspace ONE and Horizon Cloud provides a number of benefits:

Single Sign-On

One of the primary advantages that Workspace ONE and Horizon Cloud provide is secure single sign-on (SSO) to both desktops and applications. This provides simplicity and ease of access while maintaining security. Users can use either the Workspace ONE web-based portal from any HTML5 web browser or the Workspace ONE mobile application. On an iOS device, users can also use Touch ID for SSO.

Two-Factor Authentication

Workspace ONE provides several multi-factor authentication methods, such as RSA SecurID, RADIUS, certificate, Kerberos, and VMware Verify, to protect your environment beyond a basic user ID and password. Workspace ONE also provides two-factor authentication (2FA) for Horizon Cloud to secure your digital workspace.

In addition, you can use step-up authentication, which requires an additional multi-factor authentication beyond the initial authentication into Workspace ONE when the user opens a particular desktop or application. This increases security by requiring two-factor authentication to access a specific desktop or application, even if you don’t require it to access Workspace ONE itself.

Three Integration Options

Both Horizon Cloud and Workspace ONE have a cloud hosted option and an on-premises option. You can integrate the Horizon Cloud options with the Workspace ONE options in the following configurations:

Figure 2: Possible Integration Configuration Options

Although the two types of deployment have unique architecture requirements, both require an on-premises component. The on-premises component can be a virtual appliance or a Windows server, based on the type of deployment. For more information on the different deployments and their architecture, see VMware Workspace ONE Documentation.

Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud

Horizon Cloud with Hosted Infrastructure supports only Workspace ONE Cloud.

Figure 3: Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud

Figure 4 illustrates the integration option for Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud. The VMware Identity Manager Connector (a) is deployed on-premises in your data center. It integrates with your Active Directory and synchronizes the resources between Horizon Cloud and Workspace ONE, along with desktop and application entitlements. This synchronization between the VMware Identity Manager Connector and Horizon Cloud occurs over the VPN or Direct Connect link (b) that connects your data center to your Horizon Cloud tenant (c). The VMware Identity Manager Connector then synchronizes the resources and entitlements to the VMware Identity Manager (IDM) Cloud service (d).

Figure 4: Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud

Integration 2: Horizon Cloud On Premises and Workspace ONE On Premises

Horizon Cloud with On-Premises Infrastructure supports both the on-premises and cloud versions of Workspace ONE.

Figure 5: Integration 2: Horizon Cloud On-Premises and on-premises version of Workspace ONE

You can use Horizon Cloud with On-Premises Infrastructure to run desktops and applications in your own data center on hyper-converged infrastructure (HCI) appliances, while the control plane remains in the cloud.

Figure 6 illustrates the integration option for Horizon Cloud On-Premises Infrastructure and on-premises version of Workspace ONE. VMware Identity Manager (a) is deployed as a virtual appliance in your data center. This provides integration with your Active Directory (b) and also performs the synchronization of the resources between Horizon Cloud and Workspace ONE (c), along with desktop entitlements.

Figure 6: Integration 2: Horizon Cloud On-Premises and on-premises version of Workspace ONE

Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud

Horizon Cloud with On-Premises Infrastructure supports both the on-premises version of Workspace ONE and Workspace ONE Cloud.

Figure 7: Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud

For Workspace ONE Cloud, the VMware Identity Manager Connector (a) is deployed on-premises in your data center (b). This provides integration with your Active Directory and also performs the synchronization (c) of the resources between Horizon Cloud and Workspace ONE, along with desktop entitlements. The VMware Identity Manager Connector then synchronizes the resources and entitlements to the IDM Cloud service (d).

Figure 8: Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud

Tips on How to Integrate

To integrate Horizon Cloud with Workspace ONE, you deploy VMware Identity Manager or VMware Identity Manager Connector on-premises with one of the Horizon Cloud Service options described earlier. To start the integration, ensure that VMware Identity Manager or VMware Identity Manager Connector is configured and integrated with your Enterprise Directory.

For more information, see the VMware Horizon Cloud Service Documentation or VMware Workspace ONE Documentation.

Enable Horizon Cloud Desktops and Applications in VMware Identity Manager

With a Horizon Cloud and Workspace ONE integration, you can use the VMware Identity Manager Administration Console, a component of Workspace ONE, to enable desktops and applications.

  1. Log in to the VMware Identity Manager Administration Console.
  2. In the Catalog tab, select Manage Desktops and Applications > Horizon Cloud.
  3. Select Enable Horizon Cloud Deployments and Applications.
  4. Enter the following information for your environment:
  5. Click Save.
  6. Click Sync now to sync Desktop and App entitlements from the Horizon Cloud environment.

Configure SAML Authentication

You should configure SAML authentication between Horizon Cloud (the service provider) and VMware Identity Manager (the identity provider) to establish trust between the two. To establish trust, you first create a Federation Artifact for Horizon Cloud, then set up custom user ID mapping, and finally configure SAML authentication in Horizon Cloud.

Create Federation Artifact for Horizon Cloud

To enable trust between Horizon Cloud and VMware Identity Manager, you create the Federation Artifact in the VMware Identity Manager Administration Console and add a SAML authentication in the Horizon Cloud Administration Console.

  1. In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
  2. In the left pane, select Horizon Cloud.
  3. Enter the following information for your Horizon Cloud environment:
  4. Click the Accept Certificate link next to the Tenant Appliance URLs.
  5. Click Save.

After creating a federation artifact, set the custom User ID mapping.

Custom User ID Mapping

You can use custom User ID Mapping to customize the user ID that is used in the SAML response when users launch Horizon Cloud Desktops and Applications. You can resolve SSO launch failures that are caused by a mismatch of the user ID attribute between VMware Identity Manager and Horizon Cloud.

  1. In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
  2. Click Horizon Cloud on the left.
  3. In the Horizon Cloud page, specify the name ID format to use.
  4. Click Save.

After setting the custom User ID mapping, configure the SAML authentication.

Configure SAML Authentication in Horizon Cloud

To configure SAML authentication in Horizon Cloud:

  1. In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
  2. In the left pane, click SAML Metadata.
  3. Click the Identity Provider (iDP) metadata link.
  4. Make a note of the URL from the browser’s address bar, such as https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml
  5. Log in to the Horizon Cloud Tenant.
  6. Navigate to Settings > General Settings > Edit.
  7. In the VMware Identity Manager section, enter the following required information:
  8. Click Save.
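When a launch fails after this step, the usual culprits are an Issuer that does not match the entityID Horizon Cloud learned from the metadata, an unsigned response, or a NameID whose format or value differs from the custom user ID mapping chosen earlier. The following PowerShell is an added example for checking those points; it is not part of the original post and not VMware tooling. Both XML documents are constructed samples shaped like a VMware Identity Manager idp.xml and a SAML 2.0 Response; the host vidm.example.com, the user jdoe, and the function names are hypothetical, and signatures are checked for presence only, not cryptographically verified.

```powershell
# Added example, not from the original post or from VMware. Both XML
# documents below are CONSTRUCTED samples shaped like a vIDM idp.xml and a
# SAML 2.0 Response; vidm.example.com, jdoe and the function names are
# hypothetical. Signatures are checked for presence only, not verified.
$SamlNs = @{
    md    = 'urn:oasis:names:tc:SAML:2.0:metadata'
    saml  = 'urn:oasis:names:tc:SAML:2.0:assertion'
    samlp = 'urn:oasis:names:tc:SAML:2.0:protocol'
    ds    = 'http://www.w3.org/2000/09/xmldsig#'
}

function New-SamlNsManager([xml]$Doc) {
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    foreach ($prefix in $SamlNs.Keys) { $ns.AddNamespace($prefix, $SamlNs[$prefix]) }
    return $ns
}

function Get-IdpMetadataSummary {
    # The values you copy into Horizon Cloud's VMware Identity Manager section.
    param([Parameter(Mandatory)][xml]$Metadata)
    $ns  = New-SamlNsManager $Metadata
    $idp = $Metadata.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'Not IdP metadata: no IDPSSODescriptor element.' }
    $signingCert = $idp.SelectSingleNode("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    [pscustomobject]@{
        EntityId      = $Metadata.DocumentElement.GetAttribute('entityID')
        SsoEndpoints  = @($idp.SelectNodes('md:SingleSignOnService', $ns) | ForEach-Object { $_.GetAttribute('Location') })
        NameIdFormats = @($idp.SelectNodes('md:NameIDFormat', $ns) | ForEach-Object InnerText)
        HasSigningKey = ($null -ne $signingCert)
    }
}

function Test-SamlLaunchResponse {
    # Check a captured launch Response against the metadata and the NameID
    # format chosen under Catalog > Settings > Horizon Cloud (custom user ID mapping).
    param(
        [Parameter(Mandatory)][xml]$Response,
        [Parameter(Mandatory)]$Idp,
        [Parameter(Mandatory)][string]$ExpectedNameIdFormat,
        [Parameter(Mandatory)][string]$ExpectedUserId
    )
    $ns = New-SamlNsManager $Response
    $assertion = $Response.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) { throw 'No plaintext Assertion found (EncryptedAssertion is not handled here).' }
    $issuer = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
    $nameId = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns)
    if (-not $nameId) { throw 'Assertion carries no Subject/NameID.' }
    $signed = ($null -ne $assertion.SelectSingleNode('ds:Signature', $ns)) -or
              ($null -ne $Response.SelectSingleNode('/samlp:Response/ds:Signature', $ns))

    $findings = @()
    if ($issuer -ne $Idp.EntityId) { $findings += "Issuer '$issuer' is not the metadata entityID '$($Idp.EntityId)'" }
    if (-not $signed) { $findings += 'Neither the Response nor the Assertion carries a Signature element' }
    $format = $nameId.GetAttribute('Format')
    if ($format -ne $ExpectedNameIdFormat) { $findings += "NameID Format '$format' differs from the configured '$ExpectedNameIdFormat'" }
    if ($nameId.InnerText -ne $ExpectedUserId) {
        $findings += "NameID '$($nameId.InnerText)' is not the user ID Horizon Cloud expects ('$ExpectedUserId'); launches will fail"
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample metadata (a real idp.xml also carries a signature and more bindings).
$sampleMetadata = [xml]@'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vidm.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://vidm.example.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

# Constructed Response: correct issuer, but an emailAddress NameID where Horizon
# Cloud was told to expect the unspecified format carrying the sAMAccountName.
$sampleResponse = [xml]@'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" IssueInstant="2017-07-01T12:00:00Z">
  <saml:Issuer>https://vidm.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-07-01T12:00:00Z">
    <saml:Issuer>https://vidm.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
'@

$idp = Get-IdpMetadataSummary $sampleMetadata
$idp | Format-List
Test-SamlLaunchResponse -Response $sampleResponse -Idp $idp `
    -ExpectedNameIdFormat 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' -ExpectedUserId 'jdoe' | Format-List
```

Against the constructed sample, the check reports two findings (wrong NameID format and a NameID value that is not the expected user ID), which is exactly the mismatch the custom user ID mapping step exists to fix. To run it against a live environment, load the metadata with Invoke-WebRequest from the idp.xml URL noted in step 4 and paste a Base64-decoded SAMLResponse captured from the browser; real validation (signature, audience, NotOnOrAfter) is done by Horizon Cloud, so treat this as a diagnostic, not an authorization check.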

Enforce User Authentication through Workspace ONE Portal

You can set Horizon Cloud to enforce end user authentication through the Workspace ONE portal, requiring SAML-based authentication.

Figure 13: Enforcing User Authentication

  1. In the Administration Console, navigate to Settings > General Settings, and click Edit.
  2. In the User Account Configuration section, make selections according to your organization’s needs.
    • Force Remote Users to vIDM – When set to Yes, users that are trying to access their desktops from locations outside of your corporate network must log in to their Workspace ONE portal and access desktops and applications from that portal.
    • Force Internal Users to vIDM – When set to Yes, users that are trying to access their desktops from locations within your corporate network must log in to their Workspace ONE portal and access desktops and applications from that portal.
  3. Click Save to confirm the configuration to the system.

After you verify that user authentication is enforced, your users can launch desktops and applications securely from Workspace ONE.

Launch a Desktop or Application using Horizon Client or Supported Browser

Your end users can use either the Horizon Client or any supported HTML 5 browser to launch desktops and applications.

  1. In the Workspace ONE portal, click Bookmarks.
  2. Double-click the desktop or application to launch.

To Wrap This Up

Step-by-step documentation on how to integrate Horizon Cloud with VMware Identity Manager can be found in the VMware Horizon Cloud Service Documentation and VMware Workspace ONE Documentation. If you want to try configuring the integration yourself, but do not have a Horizon Cloud or Workspace ONE environment yet, you are in luck. At VMworld, we are releasing a Hands-on-Labs for Horizon Cloud, which contains an entire module that walks you through the configuration of the integration. Make sure to check out HOL-1856-ADV-1 in the Hands-on-Labs at VMworld in Las Vegas!


The post Delivering a Seamless Digital Workspace Experience with Horizon Cloud appeared first on VMware End-User Computing Blog.


Horizon Cloud Service with Hosted Infrastructure – July 2017 Technical Updates

There are several technical updates to the VMware Horizon Cloud Service with Hosted Infrastructure this quarter. The updates for this release focus on expanding capabilities from the initial release in February. VMware will contact all customers individually to schedule the upgrade of their tenant(s) to the new release (17.1). For more details on this release, see the Horizon Cloud with Hosted Infrastructure 17.1 Release Notes.

New Data Center Availability Added!

VMware is continuing its partnership with IBM to bring VMware Horizon Cloud Service to more regions. Since February, we have added the ability to host Horizon Cloud in the United Kingdom (May), Germany (June) and California (July). We now have three data centers in the U.S., one in Japan, and two in Europe. The Horizon Cloud team will continue to add more data centers in the next few months. Stay tuned!

Native Applications with App Volumes Technology Is Generally Available

In February, we enabled a few select customers to use VMware App Volumes technology to create and leverage AppStacks in Horizon Cloud. This feature is now generally available to any customer who requests it. Note that add-on storage is required to use this feature. If you are a Horizon Cloud customer and would like to use Native Applications powered by App Volumes technology, consult with your VMware sales team.

Smart Policies Support

You can now leverage Smart Policies in Horizon Cloud. Smart Policies give you fine-grained control over a user’s desktop experience. You can dynamically enable, disable, or control access to user features in Horizon Cloud based on who the user is and how they are accessing Horizon Cloud. Smart Policies were released as an integration between VMware Horizon 7 and VMware User Environment Manager in 2016.

For example, with Smart Policies, an administrator can disable access to USB devices or to cut-and-paste from within the Horizon Client if a user is attempting to access the Horizon Cloud environment from an untrusted or external network. You can also dynamically control display-protocol configurations based on the type of device being used.

Smart Policies in Horizon Cloud work the same as they do in Horizon 7. VMware Senior Product Line Manager Aaron Black wrote an excellent blog post pointing out some great use cases for Smart Policies. If you want to try out Smart Policies in your Horizon Cloud deployment, download the Reviewers Guide for View in VMware Horizon 7: Smart Policies.

Windows Server 2016 Support

Horizon Cloud continues to provide support for customers wanting to use the latest editions of Windows operating systems. With this release, Horizon Cloud with Hosted Infrastructure now supports Windows Server 2016 for RDSH hosts and for skinned Windows Server based virtual desktops. For full details on OS support in Horizon Cloud with Hosted Infrastructure, see the Horizon Cloud with Hosted Infrastructure Service Description document, which can be found in the Horizon Cloud Service with Hosted Infrastructure Terms of Service page.

Horizon Virtualization Pack for Skype for Business Support

Full support for the Horizon Virtualization Pack for Skype for Business is released for Windows clients with Horizon Cloud. This solution enables customers to use Skype for Business within Horizon desktops to make optimized audio-video calls and use telephony features with the native Skype client. Note that this functionality is only available on VDI desktops today; it will be made available on RDSH desktops and applications in the future. Details on which features are supported in this release can be found in the release notes for Horizon 7.2.

Enhanced Troubleshooting Capabilities through Console Access (BETA)

We have added more troubleshooting features to the Horizon Air Console Access (HACA) tool. HACA, which is currently in Beta, gives administrators direct access to individual desktop consoles for troubleshooting purposes. The tool has been enhanced to allow administrators to troubleshoot virtual machines that get stuck during the Windows OS startup process, before the Horizon Agent starts.

Horizon Agent 7.2 / Client 4.5 Support

Horizon Cloud with Hosted Infrastructure supports the latest Horizon clients and agents. Organizations can take advantage of new feature enhancements in the latest clients, including enhanced security through SHA-256 support in Blast Extreme (SHA-256 is a hash algorithm used for integrity and certificate signing, not an encryption cipher). You can download the latest clients from the Horizon Client download page.

The post Horizon Cloud Service with Hosted Infrastructure - July 2017 Technical Updates appeared first on VMware End-User Computing Blog.


What’s New in VMware Horizon 7.2 and Horizon Client 4.5

We have just announced the general availability of VMware Horizon 7.2 and Horizon Client 4.5. This is a significant release for our flagship product, with improvements across the board—from scalability and user experience to deep technical innovations and improved policy controls. Let us dive straight in and highlight the key technical advances this release delivers.

Horizon 7.2

What’s New Highlights

Horizon Help Desk Tool
  • Provides user-session details for the Horizon 7 environment.
  • Single console for troubleshooting and solving user issues.
Workspace ONE mode
  • Forces using Workspace ONE when the client supports it.
  • Optionally blocks clients that do not support it.
Reuse AD account for instant-clone pool
  • Create a new computer account only if it does not exist.
Graphics settings from snapshot
  • SVGA settings / vGPU profile from master snapshot.
ADM template removal
  • Only ADMX in 7.2.
Increased scale
  • Pod, Cloud Pod Architecture, and Connection Server.
Storage improvements
  • Storage DRS cluster, storage policy-based management, encryption, local storage.

Horizon Help Desk Tool

The Horizon Help Desk Tool provides a tailored troubleshooting interface for the help desk and is installed by default on the Connection Servers. To access the Horizon Help Desk Tool, navigate to https://<CS_FQDN>/helpdesk, where CS_FQDN is the fully qualified domain name of the Connection Server, or click the Help Desk button in the Horizon Administrator console.

The Horizon Help Desk Tool reduces workload for administrators and provides quick troubleshooting and metrics for the help desk.

The tool allows help desk staff to easily perform the following tasks on the user machine:

  • Restart, Logoff, Reset, and Disconnect
  • Remote Assistance
  • Send Message

You can obtain the following metrics for the client and virtual machine:

  • Client
    • Username
    • Client IP, Name, and OS
    • Protocol, TX Bandwidth, and Frame Rate
  • VM
    • Computer Name
    • Agent Version
    • Session State and State Duration, Logon Time and Duration, and Session Duration
    • CPU, Memory, Latency, and Logon Segments
    • Connection Server
    • Pool
    • vCenter

To get logon segments in the help-desk feature, you need to enable timingProfiler writes to the event database on each Connection Server:

vdmadmin -I -timingProfiler -enable

For detailed information on the Horizon Help Desk Tool, see the VMware blog post Help’s on the Way with the New VMware Horizon Help Desk Tool.


Workspace ONE Mode

Workspace ONE mode secures access to Horizon 7 by allowing applications and desktops to launch only from Workspace ONE. This setting enforces access policies per application or per desktop. You enable Workspace ONE mode on the Connection Servers. When a user connects to a Workspace ONE mode-enabled server in Horizon Client, they are redirected to the Workspace ONE portal to launch desktops or applications, and the Horizon Client will no longer show other items that are available to launch. You also have the option to disable clients that do not support Workspace ONE mode.


Reuse AD Account for Instant-Clone Pool

You can now rebuild a virtual machine in an instant clone and keep all machine assignments by reusing the computer account.

Graphics Settings from Snapshot

Instant-clone desktop pools inherit graphics settings from the vCenter Server parent-VM snapshot:

  • Memory
  • Number of monitors (with a new maximum of four)
  • Resolution

Just as with the SVGA settings, the vGPU profile for an instant-clone desktop pool is automatically selected when you select the snapshot of the vCenter Server parent VM.

All Active Directory Group Policy Templates Are Available as ADMX

All policy settings have been migrated to ADMX, and ADM is now deprecated and no longer included with Horizon 7. With all settings now in the ADMX templates, managing Horizon 7 is more streamlined and simpler than ever because now all templates can be placed in a central store, and no redundant copies need to be made into Sysvol.

Scalability

Horizon 7.2 increases scalability for Cloud Pod Architecture deployments to now support up to 120,000 sessions across 12 View pods and five sites. Additionally, Horizon 7 can now support 4,000 desktops with a single VMware vCenter Server for linked-clone, full-clone and instant-clone deployments.

Local Storage Support for Instant Clones

You now have the option to use local storage as a low-cost storage tier for instant clones. However, for high-availability events, this requires careful pool capacity planning and adds complexity to vSphere host maintenance, which you would not have with vSAN.

Ability to Select Storage DRS Clusters for Full Clones

It is no longer required to select all storage devices belonging to a Storage DRS Cluster; you can now directly select the cluster for easier administration.

vSAN and Storage Policy-Based Management Improvements

Horizon 7.2 adds support for vSAN encryption and provides updated storage policy-based management for finer granularity.

Horizon Agent 7.2 for RDSH

What’s New Highlights

Smart Policies for applications
  • Extend support from desktop to remote applications.
Session pre-launch
  • Launch application on broker login.
  • Can be enabled per application.

Smart Policies for Applications

Smart Policies give administrators granular control of a user’s desktop experience. You can dynamically control a variety of Horizon 7 features based on user, device, and location. Horizon 7.2 now introduces Smart Policies for RDSH applications. Smart Policies for applications, together with tags, can control the behavior of published applications.

Following are client properties mapped to User Environment Manager properties:

Volatile registry key               User Environment Manager property   Value
viewClient_Broker_GatewayLocation   Client location                     Internal or External
viewClient_Launch_Matched_Tags      Launch tag(s)                       Tags (comma-separated)
viewClient_Launch_ID                Pool name                           Pool ID

Edit the Connection Server settings to add a tag for a desktop pool. The tag can be any string value, for example, Internal or External.

Then, from User Environment Manager, create a Smart Policy and reference the tag name.

Or if you want this policy to apply only to specific applications, you can make the condition more specific, for example, only for applications that have Secure in their pool name:

But remember that the pool name that launched the session is evaluated at user-session launch time, so you cannot differentiate between applications on the same farm. If you want to differentiate, separate the applications with nonmatching settings into different farms and use OR to add all the applications to the conditions.
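To see how those three volatile values actually resolve for a session, the following PowerShell is an added example, not code from the original post or from User Environment Manager. It assumes the Horizon Agent publishes the ViewClient_* values under HKCU:\Volatile Environment (for RDSH sessions possibly in a numbered subkey of it), and the pool IDs, tag names and sample contexts are constructed for illustration; the policy decisions it returns are what a Smart Policy built on the same conditions would apply.

```powershell
# Added example, not from the original post or from User Environment Manager.
# Assumptions: the Horizon Agent publishes the ViewClient_* values under
# HKCU:\Volatile Environment (RDSH sessions may use a numbered subkey of it);
# the pool and tag names in the constructed sample contexts are hypothetical.

function Get-HorizonSessionContext {
    # Read the three volatile values from the table above for the current session.
    $base = 'HKCU:\Volatile Environment'
    $keys = @($base) + @(Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object PSPath)
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['ViewClient_Launch_ID']) {
            return [pscustomobject]@{
                GatewayLocation = [string]$p.ViewClient_Broker_GatewayLocation
                Tags            = @(([string]$p.ViewClient_Launch_Matched_Tags).Split(',') |
                                    ForEach-Object Trim | Where-Object { $_ })
                PoolId          = [string]$p.ViewClient_Launch_ID
            }
        }
    }
    throw 'No ViewClient_* values found; is this a Horizon session?'
}

function Resolve-SmartPolicy {
    # Mirror the two conditions the post describes: client location (or an
    # "External" launch tag) and a pool name containing "Secure". Returns the
    # feature settings a policy built on those conditions would apply.
    param([Parameter(Mandatory)]$Context)
    $untrusted  = ($Context.GatewayLocation -eq 'External') -or ($Context.Tags -contains 'External')
    $securePool = $Context.PoolId -like '*Secure*'
    $lockDown   = $untrusted -or $securePool

    $reason = 'internal client, ordinary pool'
    if ($untrusted)  { $reason = 'external client location or External tag' }
    if ($securePool) { $reason = 'pool name matches *Secure*' }

    [pscustomobject]@{
        PoolId            = $Context.PoolId
        GatewayLocation   = $Context.GatewayLocation
        UsbRedirection    = -not $lockDown
        ClipboardToClient = -not $lockDown
        ClientDriveRedir  = -not $lockDown
        Reason            = $reason
    }
}

# Constructed sample contexts standing in for three live sessions.
$samples = @(
    [pscustomobject]@{ GatewayLocation = 'Internal'; Tags = @('Internal');         PoolId = 'Finance-Desktops' }
    [pscustomobject]@{ GatewayLocation = 'External'; Tags = @('External', 'BYOD'); PoolId = 'Finance-Desktops' }
    [pscustomobject]@{ GatewayLocation = 'Internal'; Tags = @();                   PoolId = 'Secure-Apps-Farm' }
)
$samples | ForEach-Object { Resolve-SmartPolicy -Context $_ } | Format-Table -AutoSize

# Inside a Horizon desktop or RDSH session, evaluate the live values instead:
# Resolve-SmartPolicy -Context (Get-HorizonSessionContext)
```

Note that the third sample locks down every application launched from the Secure-Apps-Farm farm, not just one of them: the pool ID is fixed at session launch, which is the caveat above about not being able to differentiate applications on the same farm.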

Session Pre-Launch

Administrators can configure a published application so that an application and remote desktop session are launched immediately after a user has authenticated to the Connection Server. When the user starts the session from Horizon Client, the session loads almost instantly. The pre-launch setting enables faster start times for frequently used applications. From the Horizon 7 Administrator console, you can configure pre-launch, as follows:

It is recommended to enable this option only for applications that the user will almost certainly use immediately after launching, to minimize unnecessary load on the farm. To further reduce impact, you can set a timeout for unused pre-launched applications, as follows:

To minimize impact even further, you can set a reasonable maximum amount of users, as determined by testing on the RDSH servers, and configure session load-balancing based on CPU and memory load, leaving enough headroom for boot storms.

For more information, see Configuring Load Balancing for RDS Hosts in View Administration.

Horizon Agent 7.2

What&#rsquo;s New Highlights

Recursive Unlock
  • Single unlock of the client device also unlocks the virtual desktop or published desktop.
USB over virtual channel
  • USB-redirection port consolidation.
HTML5 content redirection (beta)
  • Redirect HTML5 from agent to client.
Blast Extreme SHA-256
  • Upgraded to use the latest security algorithms.
Horizon Agent DX11
  • Complete rewrite of the D3D9 renderer.
Skype for Business GA
  • General availability.

Recursive Unlock

The Recursive Unlock feature unlocks all remote sessions after the client machine has been unlocked. After the user logs in to the server, remote sessions such as published applications, RDSH desktops, and Windows desktops are unlocked. This feature removes unnecessary authentication steps for the user.

Requirements for this feature include:

  • The Windows client device must be domain-joined
  • The user logging in to the client must be the same user logged in to the remote session
  • Enable the client setting Log in as current user
  • Enable the Group Policy setting Unlock remote sessions when the client machine is unlocked in Computer\Policies\VMware Horizon Client Configuration\Security.

USB over Virtual Channel

You can enable USB redirection without opening firewall port 32111. USB over virtual channel carries the USB redirection traffic over a virtual channel of the display-protocol connection instead of over a separate side channel.

Configure this registry setting as follows:

  • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration
  • Key name: UsbVirtualChannelEnabled
  • Key value: true

HTML5 Redirection (Tech Preview)

The HTML5 redirection feature allows video content redirection for websites that do not use Adobe Flash Player. Benefits of this feature include reduced CPU usage and smoother video playback.

HTML5 redirection requires:

  • Windows 7 or Windows 10 Enterprise for the agent and client OS, with VMware Horizon 7 HTML5 redirection package (available by request)
  • Google Chrome 58 with extension, from Chrome Web Store
  • Setting URL lists in the registry, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware HTML5MMR]
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware HTML5MMR\UrlWhiteList]
"https://vimeo.com/*"=""
"https://www.youtube.com/*"=""

Note: Tech Preview features and capabilities are not supported for production deployment. These features are available to test in a lab or UAT environment as a preview of potential upcoming innovations. You can provide feedback to improve these features through VMware Communities.
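The two agent-side settings above (USB over virtual channel, and HTML5 redirection with its URL allow-list) are usually applied to the golden image before the snapshot is taken. The following PowerShell is an added example that writes them and reads them back; it is not code from the original post or from VMware. It uses the registry paths and the two allow-list URLs shown above; the helper names are hypothetical, it must run elevated on a Horizon Agent machine, and because redirected HTML5 content is rendered on the endpoint it refuses allow-list entries that are not an explicit https:// host.

```powershell
# Added example, not from the original post or from VMware. Applies the USB
# over virtual channel setting and the HTML5MMR policy shown above on a
# Horizon Agent machine and reads them back. Run elevated in the golden image.
$UsbKey   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration'
$Html5Key = 'HKLM:\SOFTWARE\Policies\VMware, Inc.\VMware HTML5MMR'
$AllowKey = "$Html5Key\UrlWhiteList"

function Set-RegValue {
    # Create the key if needed and (over)write one value with an explicit type.
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-UsbOverVirtualChannel {
    # REG_SZ "true": USB traffic is carried over the display-protocol virtual
    # channel, so TCP 32111 no longer has to be opened on the agent.
    Set-RegValue -Path $UsbKey -Name 'UsbVirtualChannelEnabled' -Value 'true' -Type String
}

function Enable-Html5Redirection {
    param([Parameter(Mandatory)][string[]]$AllowedUrlPatterns)
    Set-RegValue -Path $Html5Key -Name 'enabled' -Value 1 -Type DWord
    foreach ($pattern in $AllowedUrlPatterns) {
        # Redirected content is rendered on the endpoint, so keep the allow-list
        # to explicit https:// hosts; refuse http:// and catch-all patterns.
        if ($pattern -notmatch '^https://[A-Za-z0-9.-]+/') { throw "Refusing allow-list entry '$pattern'" }
        # Each allow-list entry is a value NAME under UrlWhiteList with empty data.
        Set-RegValue -Path $AllowKey -Name $pattern -Value '' -Type String
    }
}

function Get-RedirectionConfig {
    # Read back what is actually in the registry, to verify the write.
    $usb = Get-ItemProperty -LiteralPath $UsbKey   -ErrorAction SilentlyContinue
    $h5  = Get-ItemProperty -LiteralPath $Html5Key -ErrorAction SilentlyContinue
    $usbValue = $null; $h5Value = $null
    if ($usb) { $usbValue = $usb.UsbVirtualChannelEnabled }
    if ($h5)  { $h5Value  = $h5.enabled }
    $allow = if (Test-Path -LiteralPath $AllowKey) { (Get-Item -LiteralPath $AllowKey).GetValueNames() } else { @() }
    [pscustomobject]@{
        UsbVirtualChannelEnabled = $usbValue
        Html5Enabled             = $h5Value
        Html5AllowList           = @($allow)
    }
}

Enable-UsbOverVirtualChannel
Enable-Html5Redirection -AllowedUrlPatterns 'https://vimeo.com/*', 'https://www.youtube.com/*'
Get-RedirectionConfig | Format-List
```

The HTML5 redirection half of this is Tech Preview in this release, so keep it to lab or UAT images as the note above says; the USB setting is an agent configuration value and takes effect for new sessions after the agent picks it up.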

Horizon Virtualization Pack for Skype for Business

Optimized audio and video calls are now possible with Skype for Business inside a virtual desktop without negatively affecting the virtual infrastructure and overloading the network. All media processing takes place on the client machine instead of in the virtual desktop during Skype audio and video calls. Using native Skype codecs, bandwidth usage is equivalent to native Skype for Business calls.

For detailed information on this feature, which is now generally available, see the VMware blog post VMware Horizon Virtualization Pack for Skype for Business (Beta) Is Now Available!.

Horizon Client 4.5

The Horizon Client has been updated, too, with availability of an Xbox One client in the Windows Store, a new installer UI for Windows, dual-monitor support for HTML Access, SSO for RHEL/CentOS 7.x, and KDE and client drive redirection (CDR) support for Linux.

What&#rsquo;s New Highlights

For more information, see the Release Notes on the Horizon Clients Documentation page.

With all these great additions, it is easy to see why we are so excited about this release. We invite you to see it all yourself by visiting the Horizon 7.2 download page and the Horizon Clients download page.


The post What’s New in VMware Horizon 7.2 and Horizon Client 4.5 appeared first on VMware End-User Computing Blog.


Announcing the Introduction to VMware Horizon 7 for Citrix Administrators

We are excited to announce the Introduction to VMware Horizon 7 for Citrix Administrators white paper. This guide is for Citrix administrators or anyone with a Citrix background who wants to learn about VMware Horizon 7. It offers a tour of Horizon 7, how the Citrix components map to a Horizon 7 deployment, and the steps to get you started in evaluating Horizon 7.

This guide covers some of the recent advances in Horizon 7, as well as how VMware JMP technologies deliver an enterprise-class, innovative solution. We also detail the key areas where Horizon 7 delivers a modern, enterprise-secure, and consumer-simple virtual desktop and application solution:

  • Enterprise-class application-publishing and virtual-desktop solution
  • Simple, fast, efficient management at scale
  • Consistent, adaptive user experience
  • Flexible, robust security

Did you know that Citrix XenApp and XenDesktop are very similar in architecture to VMware Horizon 7? Both solutions use a combination of connection brokers, web-based application catalogs, and RDSH or VDI servers to securely deliver virtual desktops and applications.

The following diagram compares the major Citrix XenApp and XenDesktop components to those of VMware Horizon 7.

For details on this diagram and more, download the Introduction to VMware Horizon 7 for Citrix Administrators now.

The post Announcing the Introduction to VMware Horizon 7 for Citrix Administrators appeared first on VMware End-User Computing Blog.


STEM for All at UMass Lowell

The scientists of the future are embracing consumer-simple, enterprise-secure digital workspace solutions at UMass Lowell. With more than 17,750 students—and a strategic plan to increase enrollment to 20,000 over the next few years—this university is known for its educational initiatives in science, technology, engineering and math (STEM). Part of that mission is providing easier access to computationally complex and expensive STEM software packages.

What started as a simple need for more space on campus grew into an initiative that brought virtual desktops and simplified application access to students, faculty and staff. In 2013, the university needed to find a way to reclaim classroom space to teach its growing student body. The school was “bursting at the seams,” according to Steve Athanas, the school’s director of platforms and systems engineering.

“VDI, for us, started as a way to turn computer labs back into usable teaching space. But it turned out to be significantly more than that. Our VDI story is about fundamentally transforming the way we teach and the way we conduct business.”

To learn more about how UMass Lowell uses digital workspace solutions to simplify access to education, read the case study.

UMass Lowell Extends STEM Education with Digital Workspaces

Want to Calculate Fluid Dynamics on Your Phone at a Hockey Game?

UMass Lowell uses VMware Horizon for virtual desktops, VMware App Volumes to distribute applications and VMware User Environment Manager to maintain application settings across sessions. Through a portal called vLabs, UMass Lowell users can access university virtual desktops and apps from anywhere at any time, on any device.

According to Athanas, “Once students realized they were able to access their applications anytime and anywhere, it changed how they functioned as students.” Instead of having to log time in an on-campus computer lab, students could bring a mobile device with them and study whenever it’s convenient. “That’s really important because a huge percentage of our students have either full-time or part-time jobs as they’re achieving their education,” said Athanas.

“The way that VMware is simplifying app distribution is really huge. It means my team spends less time setting up and more time working with our ultimate customers, delivering value to the organization.”

Partnerships for Education

VMware technology partners are playing important roles in the UMass Lowell IT department and in campus academics. The school recently launched a high-performance Horizon cluster with virtual graphics processing units (GPUs) from NVIDIA. Computationally and graphics-intensive design and engineering programs now run on any student or faculty device that can run a Horizon desktop. The university has added additional NVIDIA GPU support to its base image to support the graphical look and feel of a Windows 10 deployment.

Athanas cited VMware partner StacksWare as a critical addition to his IT arsenal. StacksWare metrics for App Volumes deployments provide real-time, deep inspection of application usage.

“This software can tell me right now which users on campus are using which applications, where they’re using them from and how long they’re using them. I can roll all that up and make better decisions about software licenses for the campus. It’s been really transformative for us.”

From “It Works” to “Thank You”

Athanas cited a UMass Lowell study showing that 66 percent of students said that vLabs improved their academic success.

“You know you’re hitting the right mark when instead of users saying ‘It works,’ or ‘It hasn’t had any problems,’ they come up to you and say, ‘Thank you.’ We’re now in a position where faculty and especially students say, ‘Thank you, this has saved me time, this has saved me effort, my job is easier, my academics are easier.’ That’s transformative.”

The post STEM for All at UMass Lowell appeared first on VMware End-User Computing Blog.

WannaCry Fallout: Implement ‘Least Privilege’ Now

Co-Author: Sisimon Soman is a senior member of the technical staff for VMware EUC, responsible for VMware User Environment Manager R&D. Having worked at Bromium, Citrix, EMC and others, he is well versed in end-user security and threat remediation.

It’s been a few weeks since WannaCry ransomware captured headlines and computers the world over. We now know how it spread, and how it captured so many Windows 7 machines.

The WannaCry (also known as WannaCryptor) attack was first reported on May 12 and spread to more than 230,000 computers in over 150 nations. Attackers used strong encryption to render captured computers useless without the correct unlock keys. Additionally, there are reports that victims could not decrypt their files even after paying the ransom.

WannaCry’s ransomware component works just like other ransomware: it searches for files with specified extensions and encrypts them. Its worm component is different, however; it uses a Server Message Block (SMB) v1 vulnerability (CVE-2017-0144) to spread.

Microsoft released a security update (MS17-010) to fix this vulnerability on March 14, 2017. This March-to-May window demonstrates that even when vendors respond to exploits in a timely manner, the weak link is often the end user failing to apply the required patch.

At VMware, we believe there’s another way. If computers and networks are intelligently locked down, then end-user tardiness may be temporarily mitigated.

Technical Details

After the infection, the malware dropper code attempts to connect to the URL below using the InternetOpenA() WinInet API and exits if the connection is successful. We therefore recommend that you allow this traffic through your filters in order to stop the malware activity.

www [dot] iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com

Next, the dropper installs and starts a service named mssecsvc2.0, which in turn drops the payload ‘C:\WINDOWS\tasksche.exe’ and executes it. Prior to copying the payload, the dropper renames the existing tasksche.exe.

The worm component scans all internal and external endpoints, and exploits the SMB v1 vulnerability to spread. The ransomware component searches files with specified extensions (Microsoft research shows 178 file types) and encrypts them.

Attack Vectors

According to Microsoft there are two highly likely scenarios used by WannaCry:

  1. SMB vulnerability
  2. Social engineering

It is not easy to exploit the SMB vulnerability from outside an organization because of the multiple layers of protection (firewalls, multi-tiered DMZ, etc.) commonly deployed. It’s often easier to trick a user into clicking and launching malware using social engineering and phishing techniques.

After this initial infection within the organization, the malware can then use the SMB vulnerability to spread internally. Our analysis shows that this initial attack vector, using social engineering, can be prevented by enforcing the principle of “least privilege.”

As part of infecting an endpoint, WannaCry performs the following actions:

  1. Drops a payload to the C:\WINDOWS directory
  2. Creates / updates several HKLM keys, including the ‘Run’ key
  3. Creates a service

When a user inadvertently clicks on a malware attachment in an environment where they do not have local admin privileges or elevated permissions to system folders and the HKLM registry hive, the process does not have the ability to drop and execute its payload.

In other words, if computers and networks are intelligently locked down, then malware struggles to propagate. Although the SMB vulnerability vector does not require any user action, the social engineering vector does, and the principle of least privilege could potentially prevent infection. The United States Computer Emergency Readiness Team (US-CERT) mentions the principle of least privilege as one of their recommended steps for preventing attacks like this.
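The three host-level actions listed above (payload drop into C:\WINDOWS, HKLM Run key write, service creation) and the kill-switch lookup described under Technical Details are all observable from endpoint telemetry. The following is an added example, not code from this post or from VMware, that runs that detection logic over constructed, Sysmon-style log lines. The indicator strings are the ones the post states; the `event=... key=value` log format, the host names and the user names are assumptions made for the example.

```python
"""Detect the WannaCry dropper behaviours described in the post from
constructed, Sysmon-style log lines.  Added example; not VMware's code.
Indicators come from the post; the log format is an assumption."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Indicators stated in the post (compared case-insensitively).
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SERVICE_NAME = "mssecsvc2.0"
PAYLOAD_PATH = r"c:\windows\tasksche.exe"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"

# Constructed sample telemetry: one "event=<type> key=value ..." line each.
# PC01 shows the full dropper sequence; PC02 is benign user activity.
SAMPLE_LOGS = [
    r"event=dns host=PC01 user=CORP\alice query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    r"event=file_create host=PC01 user=CORP\alice path=C:\WINDOWS\tasksche.exe",
    r"event=reg_set host=PC01 user=CORP\alice key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value=constructed_value",
    r"event=service_install host=PC01 user=CORP\alice name=mssecsvc2.0",
    r"event=file_create host=PC02 user=CORP\bob path=C:\Users\bob\Documents\report.docx",
    r"event=reg_set host=PC02 user=CORP\bob key=HKCU\Software\Microsoft\Office\16.0\Word\Options value=x",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v ...' line into a dict (values keep their case)."""
    return dict(_KV.findall(line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one parsed event to a WannaCry indicator name, or None."""
    kind = event.get("event")
    if kind == "dns" and event.get("query", "").lower() == KILL_SWITCH_DOMAIN:
        return "kill_switch_dns"          # dropper ran and checked the kill switch
    if kind == "file_create" and event.get("path", "").lower() == PAYLOAD_PATH:
        return "payload_dropped"          # write into C:\WINDOWS needs admin rights
    if kind == "reg_set" and event.get("key", "").lower().startswith(RUN_KEY):
        return "hklm_run_persistence"     # HKLM write needs admin rights
    if kind == "service_install" and event.get("name", "").lower() == SERVICE_NAME:
        return "service_installed"        # service creation needs admin rights
    return None


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Return {host: [indicator, ...]} for hosts with at least one hit,
    preserving the order in which indicators were first seen."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        tag = classify(event)
        if tag is None:
            continue
        host = event.get("host", "unknown")
        if tag not in findings[host]:
            findings[host].append(tag)
    return dict(findings)


def triage(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """'high' when two or more of the privileged host-level actions are
    seen on one host; a kill-switch lookup alone (or one action) is 'medium'."""
    severity = {}
    for host, tags in findings.items():
        host_level = {t for t in tags if t != "kill_switch_dns"}
        severity[host] = "high" if len(host_level) >= 2 else "medium"
    return severity


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for host, level in triage(hits).items():
        print(f"{host}: {level} ({', '.join(hits[host])})")
```

The three host-level indicators are exactly the writes that fail when the launching user has no local admin rights, which is the post's least-privilege argument; a host that reaches `high` is one where those writes succeeded. The kill-switch DNS query is the earliest signal and is worth logging even though, as the post recommends, the request itself should be allowed through.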

Removing Users’ Admin Rights

Part of the answer to attacks like WannaCry is to simply remove admin rights from end users. However, that’s not as straightforward as it may sound. There are a couple of reasons why enterprises continue to provide local admin access to user accounts:

  1. Legacy applications (vendor and in-house written) update files and sub-folders in system and program files directories instead of writing to user data folders. Some of them also update HKLM locations instead of HKCU.
  2. Users need to install applications.

Balancing Least Privilege & User Empowerment

Very few users are happy with a totally locked down PC. There’s often a case for a user patching software, or installing something that is outside of a corporation’s standard image in order to be more productive at their job.

What is needed is a smart management system that allows for the flexible application of admin rights in a policy-controlled way. Many vendors offer such a system. VMware’s answer is VMware User Environment Manager. (Clearly, we believe our technology is better than that of our competitors, but for the sake of computers everywhere, please investigate deploying such a solution.)

It is precisely for handling the use cases mentioned above—whilst maintaining the principle of least privilege—that we recently announced the ability to configure privilege elevation for applications in our newest release of User Environment Manager 9.2. You can remove the administrator privilege from domain users and still allow users to start certain applications as administrators.

[Read more: Introducing VMware User Environment Manager 9.2 with Privilege Elevation]

Additionally, if your internal network is completely open, we strongly encourage you to consider micro-segmentation to help arrest the spread of infections should your perimeter defenses prove insufficient.

[Read more: Use a Zero Trust Approach to Protect Against WannaCry]

VMware is committed to help IT secure interactions between users, applications and data, in an environment that is changing and becoming increasingly dynamic—from public and private multi-cloud environments to the proliferation of mobile devices. Read more about our approach to transforming security, or download a free trial of User Environment Manager and experience policy-controlled least privilege yourself.

References:

  1. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
  2. https://www.us-cert.gov/ncas/alerts/TA17-132A

The post WannaCry Fallout: Implement ‘Least Privilege’ Now appeared first on VMware End-User Computing Blog.

[Video] Western Carolina University Extends Digital Workspace Solutions Campus-Wide

Nestled in the mountain town of Cullowhee, Western Carolina University (WCU) is the westernmost school in the University of North Carolina system. From the residence hall to the science lab, the school is extending digital workspace solutions to all corners of the campus and beyond.

WCU was the first campus in the University of North Carolina system to require its students to bring a computer to school. Now its 10,800 students show up with a variety of devices, from desktop and laptop computers to tablets and smartphones. The University needed a way to provide consistent and easy-to-access resources to each student, no matter what kind of device they have or whether the student is on or off campus.

Single Sign-on, Simple Access

The University tied their existing student portal to VMware Workspace ONE using SAML and VMware Identity Manager. Now only one login is needed to access apps, from Microsoft Office 365 to specialized programs for academics. With Workspace ONE, users log in once, then they can launch any desktop, RDSH or Software-as-a-Service (SaaS) applications they have access to.

“The fact that we can consistently and conveniently offer all this software is a huge benefit to our community.”
— Mark Ellersick, Technology Support Analyst, Western Carolina University

Apps are distributed and customized with VMware App Volumes. App Volumes customizes desktops based on student profiles. When a student finishes a class, their access to apps for that class is withdrawn—saving money for WCU’s IT department.

Any App at Any Time

VMware Horizon provides nonpersistent virtual desktops for students. “The great thing about the technology is that students don’t notice it,” said Mark. “They walk into a lab, log in and do their work. When they walk out of that lab and go to their residence, or even to another town or state, they can access that same resource. Now the lab is open 24 hours a day, seven days a week.”

To access published apps, the WCU IT staff uses Horizon’s RDS Hosted Applications feature. If someone doesn’t need access to a full desktop (McGraw cites the University’s IT ticketing system as an example), they simply authenticate to Horizon and then launch a published app, save files and use network resources from a remote RDSH server as if it were on their local device.

With VMware User Environment Manager, dynamic personalization management manages specific experiences around locations or user groups. For example, campus printers are made available based on users’ locations, and UEM makes it easy to add or take away card-key access to electronic locks on campus.

High-Powered Graphics—Not Just for Engineering Class

WCU uses products from VMware partner NVIDIA for both academic and personal computing. NVIDIA GRID cards bring the power of the NVIDIA graphics processing unit (GPU) to Horizon virtual desktops, speeding graphics performance and rendering for applications such as 3D modeling and computer-aided design. To support all the streaming services and videos that students watch in their free time, the WCU IT team is also expanding NVIDIA cards to each host box they deploy.

Windows 10 Made Easy

WCU is finding that virtualization is a big help in getting their community acclimated to Windows 10 as the University begins to upgrade.

Patrick McGraw, virtualization and tier one engineer, said, “Some people are hesitant about adopting Windows 10 because it’s a big change. We created a pool of Windows 10 desktops so people can play with the software and get to know it. Then when we upgrade their machine, they’re already used to the technology, and that makes them happy. We’ve gotten a lot of positive responses.”

“We’re excited, as a university and as an IT department, to give students a consistent experience and really level the playing field. We’re breaking down barriers and making resources more accessible. We’re excited that we can bring everything together in a very intuitive and easy-to-use package.”
—Mark Ellersick

Learn more about the technologies powering WCU’s digital workspace:

  • VMware Identity Manager—A BYOD Solution Everyone Can Agree On
  • The Best Keeps Getting Better: Introducing App Volumes 2.12
  • VMware Horizon 7.1 Technical Deep Dive
  • Understanding the Benefits of User Environment Manager
  • Experience High-Performance Graphics with Free NVIDIA GRID & VMware Blast Extreme Test Drive

The post [Video] Western Carolina University Extends Digital Workspace Solutions Campus-Wide appeared first on VMware End-User Computing Blog.

This Week’s Top EUC News Will Blow Your Mind

Never miss an announcement. Get top end-user computing (EUC) news in your inbox every Friday. Sign up to the right.

“Microsoft Azure users now have access to genuine desktop as a service solution.”

That’s SiliconANGLE on our huge news this week: We’re delivering VMware Horizon Cloud on Microsoft Azure. By connecting Azure to the Horizon Cloud control plane, our joint customers are empowered with more flexibility to deliver virtual desktops and apps. Get the FAQs here.

“Our customers have their preference of public cloud offerings and should be able to choose the industry leader in desktop and app virtualization regardless of that cloud preference.”
—Dave Grant, VP of Product Marketing for VMware End-User Computing, at VMware Radius

Plus, using Horizon Cloud with on-premises infrastructure? Here’s what’s new for you.

The digital workspace just upped its IQ.

VMware also announced the acquisition of Apteligent this week and the integration of the mobile app intelligence solution into our digital workspace platform. Read the juicy details here.

“The Apteligent platform enables both mobile app developers and IT organizations to analyze mobile application performance in real time, enabling them to understand user behavior to address the issues that matter the most—and directly impact business and revenue.”
—Sumit Dhawan, VMware EUC SVP & GM of Desktop Products & Solutions

Forget stereotypes. We’re all Generation Digital.

Millennials aren’t the only generation demanding mobile technology at work. Employees of all ages recently said mobile tech makes them more productive (60%), more creative (45%) and more satisfied at work (53%). Read more in this new VMware Radius series.

It’s a “privilege” to meet you, VMware User Environment Manager 9.2.

User Environment Manager (UEM) essentially separates a user’s personality from the underlying Windows machine, virtualizing their preferences, said Andy Morris. Version 9.2 offers a cool new trick: user privilege elevation. Here’s what it does.

Plus, watch these six videos for a technical deep dive into UEM 9.2.

And IT lived happily ever after.

User satisfaction is up, and costs are down at Memorial Healthcare after the hospital deployed VMware NSX, VMware AirWatch and Horizon. Hear their digital clinical workspace story.

“I don’t think there’s much within our infrastructure that VMware hasn’t enabled.”
—Thomas Kurtz, Ph. D, VP of Information Services & CIO for Memorial Healthcare

Let’s talk tech.

  • Citrix Synergy, May 23–25 in Orlando (VMware booth 309)
  • VMware SociaLabs—Horizon 7 & AirWatch, May 23 (San Diego), June 6 (Reston) & June 20 (Halifax)
  • Boston Summer VMUG UserCon, June 1
  • Unlocking Mobility with Derived Credentials & AirWatch, June 23 online
  • VMworld 2017, Aug. 27–31 in Vegas

The post This Week’s Top EUC News Will Blow Your Mind appeared first on VMware End-User Computing Blog.

VMware User Environment Manager 9.2 Technical Deep Dive

We are excited about the newest release of VMware User Environment Manager - version 9.2. This release includes some great new features that enhance the product functionality and continue to offer administrators more flexibility in managing the user experience. We have put together a series of videos that will help you learn about User Environment Manager, get up to speed on the new features, and see demos of some of those features.

User Environment Manager 9.2 Technical Overview

Before you dive into the new features, this brief technical-overview video will introduce you to User Environment Manager, provide some details about how it works, and examine the architecture. If you are new to the product, or want a short refresher, this is a great place to begin.

User Environment Manager 9.2 – What’s New

Two videos explain the new features of User Environment Manager 9.2. The first video focuses on the privilege elevation feature and publisher-based rules for application blocking and privilege elevation.

The second video discusses the additional new features of automation with new environment variables, new config file templates for better personalization, and several additional topics.

Privilege Elevation

This video discusses and demonstrates the new privilege elevation feature of User Environment Manager 9.2. Privilege elevation is designed as a tool for IT administrators to mitigate risks in their privilege-management strategy. Applications that are already installed and require elevated privileges to run, as well as application installers, can have privileges elevated.

Publisher-Based Application Blocking and Privilege Elevation

User Environment Manager 9.2 added the ability to use a software publisher’s certificate to configure application blocking or privilege-elevation rules. This enables the IT administrator to allow all applications or elevate privileges for all applications from a software publisher. This video provides the details and a demo of how this works.

Scripting Variables

This video looks at and demonstrates the use of environment variables automatically created by User Environment Manager. These environment variables can be leveraged for automation scripting.

Summary

We hope you learn a lot from these videos covering new features in VMware User Environment Manager. User Environment Manager 9.2 is available for download today.

To comment on any of the videos, contact VMware End-User-Computing Technical Marketing at euc_tech_content_.

The post VMware User Environment Manager 9.2 Technical Deep Dive appeared first on VMware End-User Computing Blog.
