All TKB Articles in Digital Workspace

I've created a DEM config file for the new Microsoft Teams AppX application that was released October 2023: https://adoption.microsoft.com/en-us/new-microsoft-teams/
DirectFlex is not enabled, and it does not make sense to enable it for this app, since it typically auto-starts at logon and keeps running in the background until logoff.
These are the locations that are managed; since it's an AppX application, the locations are slightly different compared to classic apps.
===
[IncludeIndividualRegistryKeys]
HKCU\Software\Microsoft\Teams

[IncludeFolderTrees]
<LocalAppData>\Packages\MSTeams_8wekyb3d8bbwe
<LocalAppData>\Publishers\8wekyb3d8bbwe

[ExcludeFolderTrees]
<LocalAppData>\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView
<LocalAppData>\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs
Is it recommended to share the same connection servers for internal and external (with UAG in front for external traffic) access? Or not to share the same connection servers (replicas)? Couldn't find any design documents on the best practice for internal and external traffic and the implications if we choose either of those 2 options. Would be grateful if anyone can share your thoughts or related documents.
Unified Access Gateway Architecture | VMware
Introduction – Why companies should enforce Device Trust
Goal: Only allow compliant devices to access Google Workspace apps.
Before any device is allowed access to company resources on Google Workspace apps, such as Gmail, Google Calendar, and Google Drive, the device must pass Zero Trust checks. These checks should include device trust requirements such as security and compliance policies, approved and trusted corporate certificates, and more. These Zero Trust requirements imply that the device first needs to be registered or enrolled into a corporate device management tool which can scan the device and validate the requirements, prior to allowing access to secure resources.
Enforcing Device Trust also ensures that unsecure (or unknown) devices cannot access secure corporate resources through the Google Workspace apps, even though a user may have the necessary password and credentials. Device Trust enables multiple factor authentication: something a user knows (credentials) and something a user has (secure device).

Background – The Android problem with Google Workspace
Google Workspace customers are presented with an implementation challenge when enabling Device Trust for Android devices. We have already established that all devices need to first enroll into a device management tool to validate device posture. The issue becomes clear when we understand that Android devices need to authenticate into Google Workspace to enroll into any device management tool. However, they are unable to prove they are a trusted device when prompted by Google Workspace for registration and enrollment.
To put it another way: For Android devices to enroll, they need to authenticate into Google Workspace. To authenticate, they need a certificate. To receive the certificate, they need to enroll! It is an endless cycle.
For iOS devices, this is not a problem, as users can enroll their devices into the device management tool by authenticating directly with that tool or with an Identity Provider, without authenticating into Google Workspace.

Context – Scenarios and pre-requirements
For this conversation, we will focus on Mobile platforms only: Android and iOS devices. The requirement is to federate authentication for Google Workspace to an Identity Provider. For the below example we will be using Workspace ONE Access, but this solution should work with any Identity Provider that is able to separate authentication policies for mobile traffic (such as Okta Identity products).

Procedure – Steps to deploy iOS Device Trust
For iOS devices, we will rely on an Identity Management tool to validate device compliance prior to authenticating. iOS devices that are registered and enrolled into device management – such as Workspace ONE UEM – can be validated for the device compliance requirements, marked as “compliant” and receive a corporate certificate to present during authentication. If the device becomes non-compliant, the certificate can be revoked, and the device marked as “non-compliant.”
When the device tries to access any Google Workspace app, the authentication is federated to an Identity Provider – such as Workspace ONE Access – with policies to validate Device Trust by either (a) asking for a certificate during authentication, or (b) asking for device compliance. It is important to note that there should not be a fallback authentication option such as Username/Password, as this would allow iOS devices to bypass the Device Trust validations.
This flow now enforces Device Compliance for iOS devices.

Android Device Trust
As discussed at the start of this article, Android poses a chicken-and-egg problem with Google Workspace. Android devices need to authenticate into Google Workspace to register and enroll, but at that moment they are still unknown and unapproved devices.
The solution is to allow unknown Android devices to authenticate into Google Workspace only for enrollment purposes, and in addition enable policy enforcement for access to the corporate apps. The steps to accomplish this are straightforward in the Google Admin console:
1. Configure your EMM provider (such as Workspace ONE UEM) as the EMM provider of choice.
2. Enforce EMM policies on Android devices, which will validate each device’s compliance after authentication, by asking your EMM Provider of choice to validate Device Trust.
The result is that Android devices can authenticate without passing Device Trust policies, but still cannot access the corporate resources and Workspace apps until after proving Device Trust.

Android EMM Registration
Enable Android EMM Registration in the Workspace ONE UEM Console, under Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration. This integration will register Workspace ONE UEM as your Enterprise Mobility Management (EMM) provider with Google and is required before you start enrolling Android devices. Please reference the VMware Docs for Workspace ONE UEM to learn more about how to complete the Registration. https://docs.vmware.com/en/VMware-Workspace-ONE-UEM

Enforce EMM policies on Android devices
Once you register Workspace ONE UEM as your EMM provider with Google, you will need to enable the checkbox to “Enforce EMM policies on Android devices” in the Google Workspace Admin Console Third-Party integrations, under Manage EMM provider for Android > General Settings > Android > Enforce EMM policies on Android devices.
This flow now enforces Device Compliance for Android devices.

Google Sync (ActiveSync) protocol
Note: Google recommends that you transition off Google Sync, given there are more secure alternatives available.
Option 1: Disable Google Sync completely
This protocol will allow devices using the Native Mail apps or other third-party Mail apps to connect via ActiveSync and access corporate email, calendar, and more. To block access to this protocol, the best course of action is to disable it completely, under Devices > Mobile and endpoints > Universal settings > Data Access > Google Sync > Allow work data to sync via ActiveSync > OFF.

Option 2: Allow Google Sync and enable device compliance
- In Workspace ONE UEM, enable MEM via Integrate Direct Model Using Directory APIs.
- Enable “Mobile Management,” for ‘Google Sync’ ONLY. Do not enable Mobile Management for the other platforms, as they are already enabled for Device Trust via the previous steps.
- Check “Require admin approval” in the Google Workspace Admin Console.

Conclusion
By following the steps in this article, we have improved security by enabling a Device Trust approach to access. In addition, we have also enhanced the user experience by enabling passwordless authentication into Google Workspace apps via Mobile SSO, and we have improved the adoption of mobile devices.
The next step is to enable data protection on Laptops and Desktop devices. We will cover how to approach a Zero Trust framework for Endpoint devices in a separate article.
If you want to manage the Mozilla Firefox browser for enterprise with VMware Dynamic Environment Manager (DEM), here is a good working template.
It is recommended to deploy the Firefox Extended Support Release, which can be found here: https://www.mozilla.org/en-US/firefox/enterprise/
This DEM config file will capture all important Firefox settings, but still maintain a relatively small .ZIP archive. It could still grow, though, so keep an eye on the file size.
I don't recommend enabling DirectFlex for this application, since the Export will always fail because of some strange behavior by Firefox.
How to implement: Create a new DEM config file using the DEM management console and just copy-paste these lines:
===
[IncludeRegistryTrees]
HKCU\SOFTWARE\Mozilla
HKCU\SOFTWARE\mozilla.org
HKCU\SOFTWARE\MozillaPlugins

[IncludeFolderTrees]
<AppData>\Mozilla

[ExcludeFolderTrees]
<AppData>\Mozilla\Firefox\Crash Reports
<AppData>\Mozilla\Firefox\Profiles\[MATCHALL]\crashes
<AppData>\Mozilla\Firefox\Profiles\[MATCHALL]\storage

[ExcludeFiles]
*.tmp
===
we introduced you to our virtual desktop infrastructure (VDI) cloud management services providing universal brokering, monitoring, image, application and lifecycle management. IT can leverage these services for a unified and simplified management experience across Horizon Pods, regardless if the pods are on-premises or in the cloud. We also looked closer at Image Management for Horizon which simplifies and accelerates the use of templates across multiple sites, pods and pools while providing next-generation change tracking and easy to use pool to image update instructions. https://blogs.vmware.com/euc/2021/08/announcing-image-management-for-horizon-cloud-on-azure.html  
If you want to manage Zoom with VMware Dynamic Environment Manager (DEM), here is a good working template.
It is recommended to deploy the Zoom MSI full installer for system-wide installation, which can be found here: https://support.zoom.us/hc/en-us/articles/201362163
Alternatively, Zoom also provides Group Policy Options for the Windows desktop client and Zoom Rooms: https://support.zoom.us/hc/en-us/articles/360039100051
I don't recommend enabling DirectFlex for this application, since the application will launch automatically at logon anyway. I've excluded capturing the virtual background videos to keep the size of the DEM .ZIP profile small.
How to implement: Create a new DEM config file using the DEM management console and just copy-paste these lines:
===
# Zoom MSI full installer for system wide installation:
# https://support.zoom.us/hc/en-us/articles/201362163
# Group Policy Options for the Windows desktop client and Zoom Rooms:
# https://support.zoom.us/hc/en-us/articles/360039100051

[IncludeFolderTrees]
<AppData>\Zoom\data

[ExcludeFolderTrees]
<AppData>\Zoom\data\Emojis
<AppData>\Zoom\data\ConfAvatar
<AppData>\Zoom\data\VirtualBkgnd_Video
===
The end result should look like this:
If you want to manage Microsoft Teams with VMware Dynamic Environment Manager (DEM), here is a good working template.
It is recommended to deploy Teams using the MSI installer, which can be found here: https://docs.microsoft.com/en-us/microsoftteams/msi-deployment
This will install the MSI into the Program Files directory, and will install Teams into the Roaming AppData folder for each user that logs on to the machine.
I don't recommend enabling DirectFlex for this application, since the application will automatically launch at logon anyway.
How to implement: Create a new DEM config file using the DEM management console and just copy-paste these lines:
===
# Microsoft Teams MSI installer
# https://docs.microsoft.com/en-us/microsoftteams/msi-deployment

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\Teams

[IncludeFolderTrees]
<AppData>\Microsoft\Teams
<AppData>\Teams

[ExcludeFolderTrees]
<AppData>\Microsoft\Teams\Cache
<AppData>\Microsoft\Teams\Code Cache
<AppData>\Microsoft\Teams\GPUCache
<AppData>\Microsoft\Teams\Service Worker\CacheStorage

[ExcludeFiles]
old_logs_*.txt
logs.txt
===
The end result should look like this:
If you want to manage the Microsoft Edge Chromium browser with VMware Dynamic Environment Manager (DEM), here is a good working template.
It is recommended to deploy the Microsoft Edge Chromium browser for business, which can be found here: https://www.microsoft.com/en-us/edge/business
This DEM config file will capture all important Microsoft Edge settings, but still maintain a relatively small .ZIP archive. It could still grow, though, so keep an eye on the file size.
I have tested with the official 'Roaming Profile support' for Microsoft Edge (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-on-premises-sync) but this is too limited for most customers, since this will miss many important settings like cookies and also requires a (roaming) profile associated with the AD account.
I don't recommend enabling DirectFlex for this application, since this application is so embedded in Windows and many applications depend on it.
How to implement: Create a new DEM config file using the DEM management console and just copy-paste these lines:
===
# Microsoft Edge Chromium for business
# https://www.microsoft.com/en-us/edge/business

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Edge

[IncludeFiles]
<LocalAppData>\Microsoft\Edge\User Data\First Run
<LocalAppData>\Microsoft\Edge\User Data\Local State
<AppData>\Microsoft\Edge\User Data\Default\profile.pb

[IncludeFolderTrees]
<LocalAppData>\Microsoft\Edge\User Data\Default

[ExcludeFolderTrees]
<LocalAppData>\Microsoft\Edge\User Data\Default\Cache
<LocalAppData>\Microsoft\Edge\User Data\Default\Code Cache
<LocalAppData>\Microsoft\Edge\User Data\Default\GPUCache
<LocalAppData>\Microsoft\Edge\User Data\Default\IndexedDB
<LocalAppData>\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage
<LocalAppData>\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache
===
The end result should look like this:
If you want to manage the Google Chrome browser for enterprise with VMware Dynamic Environment Manager (DEM), here is a good working template.
It is recommended to deploy the Google Chrome browser for enterprise, which can be found here: https://chromeenterprise.google/browser/download/
This DEM config file will capture all important Google Chrome settings, but still maintain a relatively small .ZIP archive. It could still grow, though, so keep an eye on the file size.
I have tested with the official 'Roaming Profile support' for Google Chrome (https://chromeenterprise.google/policies/?policy=RoamingProfileSupportEnabled) but this is too limited for most customers, since this will miss important settings like cookies.
I don't recommend enabling DirectFlex for this application, since the Export will always fail because of some strange behavior by Chrome.
How to implement: Create a new DEM config file using the DEM management console and just copy-paste these lines:
===
[IncludeRegistryTrees]
HKCU\Software\Google

[IncludeFiles]
<LocalAppData>\Google\Chrome\User Data\First Run
<LocalAppData>\Google\Chrome\User Data\Local State
<AppData>\Google\Chrome\User Data\Default\profile.pb

[IncludeFolderTrees]
<LocalAppData>\Google\Chrome\User Data\Default

[ExcludeFolderTrees]
<LocalAppData>\Google\Chrome\User Data\Default\Cache
<LocalAppData>\Google\Chrome\User Data\Default\Code Cache
<LocalAppData>\Google\Chrome\User Data\Default\GPUCache
<LocalAppData>\Google\Chrome\User Data\Default\IndexedDB
<LocalAppData>\Google\Chrome\User Data\Default\Service Worker\CacheStorage
<LocalAppData>\Google\Chrome\User Data\Default\Service Worker\ScriptCache
===
The end result should look like this:
What are the settings used in DEM for saving Google Chrome bookmarks?
Hi, I want to use writable volumes for Office 365 cache mode only and not to save other apps' settings (other settings and apps are saved using DEM). How can I achieve that?
ONLY if you use FSLogix Office containers & DEM.
FSLogix is saving most items, but a few are currently not captured with FSLogix O365 Containers. DEM can pick up the slack...
- Signatures: AppData\Roaming\Microsoft\Signatures
- Spellcheck and Proofing too

[IncludeFolderTrees]
<AppData>\Microsoft\Signatures
<AppData>\Microsoft\Spelling
<AppData>\Microsoft\UProof
Ever wanted to persist your registry "Favorites"?! Now's your lucky day! This will save any of your favorites from within the Regedit.msc application.
These settings will retain the Calculator's window position and history. I did not run it as a DirectFlex...but it could be. I was just keeping it simple.
=======================================================
[IncludeRegistryTrees]
HKCU\SOFTWARE\Classes\calculator
HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowscalculator_8wekyb3d8bbwe
HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsCalculator_8wekyb3d8bbwe

[IncludeFolderTrees]
<LocalAppData>\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe
Ideally, I'd like the ability to pass a username and password into the UAG login screen. However, it is my understanding that VMware does not allow the password to be prepopulated or sent in as a URL parameter for security purposes. Is there another way, such as single sign-on, that this could be accomplished? The goal is that users can access their desktop via UAG with a prepopulated set of credentials.
Template for Rocket.Chat. https://rocket.chat/
DEM configuration file for Rocket.Chat
Import/Export: %AppData%\Rocket.Chat
DirectFlex is enabled (C:\Program Files\rocketchat\Rocket.Chat.exe)
Template for Skype for Desktop. https://www.skype.com/en/ DEM configuration file for Skype for Desktop On first launch - Turn off automatic updates Allow start automatically with Windows
We have 4 connection servers installed by a previous admin - I'm new to this position and planning an upgrade from 7.3.2 to 7.13.  In reading the documentation, instructions say to choose either standard server or replica server installers.  I know our first 2 connection servers were installed as standard, then the other two are replicas.  In performing the upgrade, do I use replica installers the same way, or since it's an upgrade, should I just use the standard installer for all 4?
I did make a template for Gimp version 2.10, just want to share.
Hi, I did a DEM template of the Horizon HelpDesk Agent and I want to share it.