NeoChen176
Enthusiast

Condition of Horizon smart policy has no effect

Why does setting the condition of a Horizon smart policy have no effect?

I want to block client drive, and when I set the condition about Group Membership or Horizon client property etc., only setting IP can do it.

My Horizon VDI version is 2206, VMware 7.0u3, desktop is Windows 10 with PCoIP, Windows 2019 AD, DEM the same 2206.

 

Thank you

0 Kudos
8 Replies
DEMdev
VMware Employee

@NeoChen176,

Can you provide a log file (at log level DEBUG) so we can see what exactly is going on w.r.t. evaluating those conditions?

0 Kudos
NeoChen176
Enthusiast

Hi @DEMdev 

I don't think my DEM policy is set on my desktop, I have set them to the same subnet,

but it always looks like default domain policy.

Sorry, I'm new to DEM. How do I set the debug log?

Thank you

0 Kudos
BenTrojahn
Enthusiast

I have never had an issue with application of Smart Policies, but we are only on DEM 2111. Hopefully it's something simple and not a defect...

It should be noted that smart policies and many other DEM settings are processed alphabetically. We typically use an underscore for the blanket policy and then override that. The smart policies are cumulative for the policies that are matched, but last match wins, so the client drive policy would only need to have the specific client drive setting in it.

_Smart Policies Default External  (condition Client location=external) blanket disable client drive

Allow Clientdrives Read Write (condition user group membership) allow all.

Besides checking your DEM logs, for quick verification, settings should be here when applied, though the session id key may only be RDSH. Some values can be manipulated on the fly for testing and some require a fresh session start.

HKEY_CURRENT_USER\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config\[session id]

A successful clipboard redirection DEM smart policy would have a "ClipboardState" value in the above key.

 

0 Kudos
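
The quick registry check described in the post above, as an added PowerShell example that is not part of the original thread. The key path and the "ClipboardState" value name are taken from the post; the function name Get-SmartPolicyConfig and the assumption that values may sit either directly under Config or under a session id subkey are illustrative. Run it as the logged-on user inside the desktop session, since the key is under HKEY_CURRENT_USER.

```powershell
# Added example: list the per-session settings written under the key named in the post.
# Get-SmartPolicyConfig is a hypothetical helper name, not a VMware cmdlet.
function Get-SmartPolicyConfig {
    param(
        # Key path as given in the post (without the [session id] part).
        [string]$BasePath = 'HKCU:\SOFTWARE\Policies\VMware, Inc.\VMware Blast\Config'
    )

    if (-not (Test-Path -LiteralPath $BasePath)) {
        Write-Warning "Key not found: $BasePath (no settings applied to this session?)"
        return
    }

    # Assumption: values may be directly under Config or under a [session id] subkey,
    # so inspect the key itself and every immediate subkey.
    $keys = @(Get-Item -LiteralPath $BasePath) +
            @(Get-ChildItem -LiteralPath $BasePath -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.PSChildName   # 'Config' or the session id
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

$settings = @(Get-SmartPolicyConfig)
$settings | Sort-Object Key, Name | Format-Table -AutoSize

# The post names ClipboardState as the value a clipboard smart policy leaves behind.
if (-not ($settings | Where-Object Name -eq 'ClipboardState')) {
    Write-Warning 'No ClipboardState value found; check the FlexEngine log for skipped conditions.'
}
```

Comparing the output from a fresh session before and after changing a policy condition shows which settings actually reached the desktop.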
NeoChen176
Enthusiast

Hi @BenTrojahn

You mean that the policy of DEM will inherit, if I have two conditions for the same policy? I would like to ask, if AD also has GPO and DEM policy, will DEM policy override GPO?

In addition, how do I view the log?

Thank you

 

0 Kudos
BenTrojahn
Enthusiast

Not sure; if you have competing GPO and DEM USER settings, which one wins out probably depends on processing order. I have not looked for the user GPO for CDR, but I don't think there is one. Either way, I would recommend using one method for these values.

Policy for DEM logging, including path and log level, is in this policy: VMware DEM\FlexEngine\FlexEngine logging\

You can have as many conditions as you want on the policy. Once you set DEM logging, that will tell you if it matched the condition or not, or if your logic is wrong 😉 If you have multiple smart policies, the settings of the smart policies that match the conditions are aggregated alphabetically. In this live example below, if the "Allow Client drives Read Write" matched the condition and executed, whatever was set in that policy would win over the other two that are processed alphabetically from top to bottom.
BenTrojahn_0-1659235943900.png

0 Kudos
NeoChen176
Enthusiast

Hi @DEMdev 

 

Can you successfully block this client drive with the client drive policy of Horizon smart policy?

I have tried for several days, but it has no effect. At present, it seems that there is only the default domain policy setting.

I want to block Drive Sharing in the Horizon client's settings, like in the picture.

horizon1.png

0 Kudos
NeoChen176
Enthusiast

Hi @DEMdev 

I put two logs on it, and I built two smart policies.

MS_ Log can upload and download files to the desktop; dev can only upload, can't download (but the actual test upload and download errors are prohibited).

Please help check again.

Thank you.

0 Kudos
DEMdev
VMware Employee

@NeoChen176,

That DEV_FlexEngine2.log you provided shows that VDI Policy Can Copy in and out was skipped due to conditions, and that the following Smart Policies settings were picked up from VDI Policy Only Can Copy in:

  • Drag and drop is allowed from client to agent
  • Printing is disabled
  • Client drive redirection is set to read-only
  • Clipboard redirection allows copy from client to agent
  • USB redirection is disabled
  • Web and Chrome file transfer allows upload from client to agent

That seems to match the "dev can only upload" scenario you described.

Note that DEM just provides configuration settings. Whether these are actually taking effect is up to the individual Horizon components. You would need to check the logs on the Horizon side to see if there might be any conflicting configuration (from GPO, for instance.)

0 Kudos