Is it possible to configure Writable Volumes in such a way that they only accept the storage of the Outlook cache (.ost) and block installation of applications and/or storage of all other data?
You cannot allow only a specific filetype such as OST on a Writeable Volume. If a user has no rights to install, then you do not need to take any further action.
One way to permanently block installation of applications is to adjust the snapvol.cfg in the writeable volume template. Below is a snapvol.cfg example which works for me:
scope=global
type=writable
# If this profile exists on the C: drive then delete it
delete_local_profile=true
################################################################
# File system
################################################################
################################################################
# Registry
################################################################
################################################################
# File system exclusions
################################################################
################################################################
# Registry exclusions
################################################################
################################################################
# Process exclusions
################################################################
exclude_process_path=\svruby
exclude_process_path=\Program Files\SnapVolumes
exclude_process_path=\Program Files\CloudVolumes
exclude_process_name=regedit.exe
exclude_process_name=CCmExec.exe
exclude_process_name=chkdsk.exe
exclude_process_name=chkntfs.exe
exclude_process_name=svcapture32.exe
exclude_process_name=svcapture64.exe
exclude_process_name=autochk.exe
exclude_process_name=wininit.exe
exclude_process_name=diskpart.exe
exclude_process_name=vds.exe
exclude_process_name=vdsldr.exe
# Windows Update
exclude_process_name=wuapp.exe
exclude_process_name=wuauclt.exe
exclude_process_name=wusa.exe
exclude_path=\Program Files\Immidio
# Windows Activation
exclude_path=%SystemRoot%\system32\wat
exclude_process_path=%SystemRoot%\system32\wat
# TrendMicro
exclude_path=\Program Files\Trend Micro
exclude_path=\Program Files\Common Files\Trend Micro
# Microsoft
exclude_path=\Program Files\Windows Defender
# Sophos
exclude_path=\Program Files\Sophos
exclude_path=\Program Files\Common Files\Sophos
# Kaspersky
exclude_path=\Program Files\Kaspersky
exclude_path=\Program Files\Common Files\Kaspersky
# McAfee
exclude_path=\Program Files\McAfee
exclude_path=\Program Files\Common Files\McAfee
# Symantec
exclude_path=\Program Files\Symantec
exclude_path=\Program Files\Common Files\Symantec
################################################################
# 64-Bit OS exclusions
################################################################
os=64
# CloudVolumes
exclude_process_path=\Program Files (x86)\SnapVolumes
exclude_process_path=\Program Files (x86)\CloudVolumes
exclude_path=\Program Files (x86)\SnapVolumes
exclude_path=\Program Files (x86)\CloudVolumes
# This should always be the last line in the policy
os=any
If you are using UEM, the 9.3 version has a feature to do this:
https://blogs.vmware.com/euc/2018/01/whats-new-vmware-user-environment-manager-9-3.html
To block installation and other data, I guess you could give it a try by using only the UIA writable template and not granting administrative rights to the users.
Thx for the info, we'll give it a go in the next few days.
Lakshman
We have already configured the .OST option and are testing right now... Keep you posted.
Could you already test it?
I tried for a few months to capture only a special folder (C:\AppsTemp\) to the writable volume.
I edited the snapvol.cfg of the writable volume. It works if I don't assign additional appstacks to the user.
All our users have appstacks and so the snapvol.cfg will be overwritten by the appstacks?!
We could see that the writable volume contains a lot more files and folders in the end. Our users don't have any administrative permissions.