VMware Horizon Community
SummaCollege
Hot Shot

Allow only .OST on Writable Volume, deny other data?

Is it possible to configure Writable Volumes so that they only accept storage of the Outlook cache (.ost) and block installation of applications and/or storage of all other data?

mrkasius
Hot Shot

You cannot allow only a specific filetype such as OST on a Writable Volume. If a user has no rights to install, then you do not need to take any further action.

One way to permanently block installation of applications is to adjust the snapvol.cfg in the writable volume template. Below is a snapvol.cfg example which works for me:

scope=global
type=writable

# If this profile exists on the C: drive then delete it
delete_local_profile=true

################################################################
# File system
################################################################

################################################################
# Registry
################################################################

################################################################
# File system exclusions
################################################################

################################################################
# Registry exclusions
################################################################

################################################################
# Process exclusions
################################################################
exclude_process_path=\svruby
exclude_process_path=\Program Files\SnapVolumes
exclude_process_path=\Program Files\CloudVolumes
exclude_process_name=regedit.exe
exclude_process_name=CCmExec.exe
exclude_process_name=chkdsk.exe
exclude_process_name=chkntfs.exe
exclude_process_name=svcapture32.exe
exclude_process_name=svcapture64.exe
exclude_process_name=autochk.exe
exclude_process_name=wininit.exe
exclude_process_name=diskpart.exe
exclude_process_name=vds.exe
exclude_process_name=vdsldr.exe

# Windows Update
exclude_process_name=wuapp.exe
exclude_process_name=wuauclt.exe
exclude_process_name=wusa.exe
exclude_path=\Program Files\Immidio

# Windows Activation
exclude_path=%SystemRoot%\system32\wat
exclude_process_path=%SystemRoot%\system32\wat

# TrendMicro
exclude_path=\Program Files\Trend Micro
exclude_path=\Program Files\Common Files\Trend Micro

# Microsoft
exclude_path=\Program Files\Windows Defender

# Sophos
exclude_path=\Program Files\Sophos
exclude_path=\Program Files\Common Files\Sophos

# Kaspersky
exclude_path=\Program Files\Kaspersky
exclude_path=\Program Files\Common Files\Kaspersky

# McAfee
exclude_path=\Program Files\McAfee
exclude_path=\Program Files\Common Files\McAfee

# Symantec
exclude_path=\Program Files\Symantec
exclude_path=\Program Files\Common Files\Symantec

################################################################
# 64-Bit OS exclusions
################################################################
os=64

# CloudVolumes
exclude_process_path=\Program Files (x86)\SnapVolumes
exclude_process_path=\Program Files (x86)\CloudVolumes
exclude_path=\Program Files (x86)\SnapVolumes
exclude_path=\Program Files (x86)\CloudVolumes

# This should always be the last line in the policy
os=any
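A small review aid for a snapvol.cfg like the one posted above, added here as an example and not part of the original post or of App Volumes: it groups the exclusions by OS section and checks the "os=any must be the last line" rule stated in the file's own comment. The function names are hypothetical, and it assumes every directive is a key=value line and that an os= line applies to the directives that follow it.

```python
# Added example. SAMPLE_CFG is a constructed excerpt in the posted file's format.
SAMPLE_CFG = r"""
scope=global
type=writable
delete_local_profile=true
exclude_process_name=regedit.exe
exclude_path=\Program Files\Sophos
os=64
exclude_path=\Program Files (x86)\CloudVolumes
os=any
"""

def parse_snapvol(text):
    """Return (lineno, os_scope, key, value) per directive; skips blanks and # comments."""
    entries, scope = [], "any"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: not key=value: {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "os":
            scope = value.lower()  # assumption: scopes the directives that follow
        entries.append((lineno, scope, key, value))
    return entries

def exclusions(entries):
    out = {}  # os scope -> [(directive, value), ...] for manual review
    for _, scope, key, value in entries:
        if key.startswith("exclude_"):
            out.setdefault(scope, []).append((key, value))
    return out

def lint(entries):
    findings, seen = [], set()
    if not entries or entries[-1][2:] != ("os", "any"):
        findings.append("last directive is not os=any")
    for lineno, scope, key, value in entries:
        if key.startswith("exclude_"):
            ident = (scope, key, value.lower())  # Windows paths are case-insensitive
            if ident in seen:
                findings.append(f"line {lineno}: duplicate {key}={value} (os={scope})")
            seen.add(ident)
    return findings

if __name__ == "__main__":
    print(exclusions(parse_snapvol(SAMPLE_CFG)))
    print(lint(parse_snapvol(SAMPLE_CFG)) or "no findings")
```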

Lakshman
Champion

If you are using UEM, the 9.3 version has a feature to do this:

https://blogs.vmware.com/euc/2018/01/whats-new-vmware-user-environment-manager-9-3.html

Using VMware App Volumes and User Environment Manager to Store the Microsoft Outlook Cache (.OST) - ...

To block installation and other data, I guess you could give it a try by using only the UIA writable template and not granting administrative rights to the users.

SummaCollege
Hot Shot

Thx for the info, we'll give it a go in the next few days.

Lakshman

We have already configured the .OST option and are testing right now... Keep you posted.

Erossman
Enthusiast

Could you already test it?

I tried for a few months to capture only a special folder (C:\AppsTemp\) to the writable volume.

I edited the snapvol.cfg of the writable volume. It works if I don't assign additional appstacks to the user.

All our users have appstacks and so the snapvol.cfg will be overwritten by the appstacks?!

We could see that the writable volume contains a lot more files and folders at the end. Our users don't have any administrative permissions.
