By Peter Brown, Senior R&D Manager, VMware, London, UK


 

VMware View 5.1 and later provides broader USB device support and a new and expanded filtering mechanism for better management of devices on View Client and View Agent. You’ll find it easier than ever to filter and split USB devices when adding or subtracting them from your virtual machine pool.

 

 

What is Filtering and Splitting?

 

USB device filtering functionality allows:

  • Blocking of unwanted devices.
  • Blocking of devices that are normally forwarded by other means. This includes such devices as keyboards and smartcards if you do not want them to appear in the list of available USB devices for forwarding.

 

USB device splitting functionality permits:

  • Splitting functions between Client and Agent for complex composite devices (e.g.terminate mouse locally but forward audio and special button-presses). This allows for an improved user experience for some devices.

 

By default ALL devices can be forwarded except keyboards, mice, smartcards and audio-out only devices such as speakers, which are blocked by default. It is possible to enable these if required.

 

An example of splitting is a recording device used in a medical environment. Here the mouse function is left local to the client, but audio and button functions are forwarded to the guest desktop. Another example is a special keyboard that has multiple functions built in – the keyboard is left local, but the fingerprint scanner is forwarded to the guest.

 

USB Identification

USB devices are identified by a VID (vendor ID) and PID (product ID)

  • A VID identifies each USB device vendor. Every device the vendor makes has the same VID
  • A PID denotes a specific device from the vendor
  • The combination VID/PID is unique. It identifies a specific device to your operating system so your OS can load the correct device driver

 

USB devices are grouped into families such as Security, Human Interface Device, or Imaging. You can use these device families to perform filtering on a per-family basis in VMware View. You can set your filter for Video and exclude all video devices, for example. More information can be found in the View Documentation.

 

You can find the VID/PID of a device in Windows Device Manager by looking at its Hardware ID Properties. The image below shows the VID/ PID for a USB mouse device.

 

USB device information can also be found in the Client and Agent USB log files. When configuring splitting, this is the easiest place to look for the information you need. Look for log lines containing information such as:

 

           [vmware-view-usbd] DevFltr: Device id: Vid-0911_Pid-149a


Filtering rules can be applied to the following items:

  • VID – To block or allow all devices from a specific vendor
  • PID – To block or allow specific devices based on their product ID
  • VID/PID – To block or allow specific devices from a specific vendor
  • Families – To block or allow specific classes of devices

 

You can also filter for a combination of these, or use “wildcards” to produce complex filters based on partial matches of the items.

 

Client- vs. Agent-Side Configuration

The filtering and splitting functionality can be controlled via GPO by the administrator. Merge the Agent-side and Client-side rules to form the filter and splitting configuration you want.

 

 

Include vs. Exclude

 

Filter and splitting rules have Include and Exclude rules. The rules are applied in a specific order, as detailed in the list below. Rules allow you to exclude all devices from a specific family, for example, except for a specific device or vendor that you explicitly include.

Agent-Side Configuration

For the Agent-Side configuration, look for the physical location of your Agent at:

   HKLM\Software\Policies\VMware, Inc.\VMware VDM\Agent\USB


 

The Agent admin template file is located on the Connection Server at:

   <install location>\extras\vdm_agent.adm


Settings via Group Policy Editor are shown below.

groupPolicy.png

 

The filtering rules on the agent are applied in the following order, from highest priority to lowest priority:

  • Exclude a device by Vendor/Product ID. Wildcards accepted. Default Blank (i.e. not set)
  • Include a device by Vendor/Product ID. Wildcards accepted. Default Blank (i.e. not set)
  • Exclude a device by USB family. Default Blank (i.e. not set)
  • Include a device by USB family. Default Blank (i.e. not set)
  • Exclude All Devices. Default Blank (i.e. not set)

 

Boolean configuration values are also available on the Agent side, such as:

  • AllowHID
  • AllowKeyboardMouse
  • AllowSmartcard

 

 

Agent-Side Configuration Merge Rules

 

The settings between Client and Agent are merged together to produce the configuration that will be applied. When configuring rules on the Agent side, you can specify whether the Agent settings must be enforced or can be overridden by Client side settings. You can set the Merge and Override options in the GPO templates.

 

How Merge and Override Affect Filter/Split Settings

  • Merge (m) – The Agent settings will be merged with Client settings, and a super-set is produced
  • Override (o) – The Agent settings will override the Client settings

 

 

How MO Settings Affect Boolean Settings

 

  • Merge (m) – If Client settings are set, Agent settings are ignored. If Client settings are not set, Agent settings take effect
  • Override (o) – Client settings are overridden regardless

 

 

Exception

 

  • ExcludeAllDevices: If set to True on the Agent, the ExcludeAllDevices rule is also activated on the Client

 

Client-Side Configuration

For the Client-Side configuration, look for the physical location of your Client at:


  HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client\USB


The Client admin template file is located on the Connection server at:

   <install location>\extras\vdm_client.adm

 

and on the Client at:

   <install location>\extras\vdm_client.adm

 

Settings via Group Policy Editor are shown below.

groupPolicy2.png

Quick Splitting Functionality

 

If you set filtering rules as outlined above, these rules can be used to perform intelligent splitting.

 

To enable this, set AllowAutoDeviceSplitting to True. If enabled, View will try to split the functions/interfaces automatically according to your filter settings.

 

For an example of performing USB Filtering and Splitting, see this blog post.

 

 

Filtering and Splitting rules can be applied at the Client for Windows, Linux and Mac OS X View clients from Client release 2.0 forward.