VMware Horizon Community
VirtualRedneck
Contributor

Horizon Smart Policies not working

Hello Everyone,

I am trying to test out some of the Smart Policies in UEM 9.1 for a new requirement for the users. I am trying to implement the following.

  • Printing
  • Clipboard
  • Client Drive Redirection

I did find an initial issue and have fixed that. (The Horizon Agent has been reinstalled with the mentioned features installed -- previously missing)

Now, when I log in the only item that seems to work is the clipboard. I have turned up the logging to DEBUG so that I can see what is going on. I pulled the following out of the log file where it is saying my condition (IP Based) is passing the check and that it is applying the settings, but when I log in I do not see any of my printers from the local system on the VDI session, nor do I see the drives. I was able to copy something out of the session to my local machine.

2016-12-21 17:41:11.094 [DEBUG] Conditions: Check for endpoint IP address = true

2016-12-21 17:41:11.094 [DEBUG] Collected Horizon Smart Policies settings to apply for printing ('TestingLocalDrive.xml')

2016-12-21 17:41:11.102 [DEBUG] Collected Horizon Smart Policies settings to apply for clipboard ('TestingLocalDrive.xml')

2016-12-21 17:41:11.102 [DEBUG] Collected Horizon Smart Policies settings to apply for client drive redirection ('TestingLocalDrive.xml')

Any help is appreciated on what might be causing the issue.

thanks

VR

34 Replies
Pim_van_de_Vis

What version of Horizon are you using? You need version 6.2 or newer if I'm not mistaken. Make sure the Horizon Agent and Client are also updated.

And could it be that you still have 'old' GPOs to configure Horizon Redirection that could conflict?

Reply
0 Kudos
Erossman
Enthusiast

Hi Guys,

I also did some tests with Horizon Smart Policies and Horizon properties as a condition.

We use the latest version of UEM 9.1, Horizon 7.0.3 and a patched win7 x64.

In general it works, that a user from an external location is restricted to use clipboard and client drive redirection.

Internal users are allowed to use both. I also did tests what happened if I do a reconnect to an existing session and switched between internal horizon client and an external client.

It doesn't work smoothly all the time. I often had to close the horizon client and have to log on again. After that the smart policies are correct.

And yes, I set a uem refresh trigger to update all the environment variables after a reconnect (independent of ip change or something else).

I also want different conditions for a logon script which should check the horizon properties like "machine_name" or "remote_broker_ip_address".

I know that it is possible to use them.

It looks like uem is not able to check this condition during a windows user logon, because this information is not yet available there.

If I do a reconnect to the same session again (so the trigger runs) I am able to run some other scripts with a horizon property condition. But same here, the horizon properties are not correct all the time.

Regards,

VM-Master

Reply
0 Kudos
jmatz135
Hot Shot

You can actually use UEM smart policies to key on those settings at log on.  For instance if you want the smart policy to use the remote IP address regkey in a smart policy you would create a Horizon Smart Policy and use for the condition Horizon Client Property.  DO NOT use the Registry Key condition as that will fail when you login and only work during reconnection.  You NEED to use the Horizon Client Property condition.  In that condition there will be a dropdown with the 3 settings Client location, Launch tag(s) and Pool Name which obviously don't have the settings you want, but you can actually still use the settings you want.  Just type into the Property box Broker_Remote_IP_Address if you want to key on the remote IP address.  Basically take whatever regkey you want and remove the ViewClient_ part of it and put that in the property box.  So if the Value is ViewClient_Broker_DomainName it then is just

Property:  Broker_DomainName

From my testing this works every time as  long as UEM itself is working.  As a safeguard I have set it up so that if it does in fact fail to read the settings it will set to the more secure setting i.e. clipboard will not be available unless it properly reads the Broker_Remote_IP_Address property.

Reply
0 Kudos
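The fail-safe described in the post above can be modelled as follows. This is an added Python illustration, not UEM or VMware code and not the poster's configuration; the function names, the `eq`/`ne` operators and the sample addresses are assumptions made for the example.

```python
PREFIX = "ViewClient_"  # value-name prefix named in the post

def property_name(value_name):
    """ViewClient_Broker_DomainName -> Broker_DomainName."""
    if not value_name.startswith(PREFIX):
        raise ValueError(f"not a ViewClient_ value: {value_name}")
    return value_name[len(PREFIX):]

def evaluate(conditions, session_values):
    """AND all conditions. Returns True/False, or None if a property is unreadable."""
    props = {property_name(k): v for k, v in session_values.items()
             if k.startswith(PREFIX)}
    outcome = True
    for prop, op, expected in conditions:
        actual = props.get(prop)
        if not actual:
            return None  # missing or empty is "unknown", never "not equal"
        matched = actual == expected
        outcome = outcome and (matched if op == "eq" else not matched)
    return outcome

def clipboard(conditions, session_values):
    """Permissive setting only on a definite match; secure setting otherwise."""
    return "allow" if evaluate(conditions, session_values) is True else "disable"

# Constructed sample: allow clipboard only via a hypothetical internal broker address.
INTERNAL = [("Broker_Remote_IP_Address", "eq", "10.0.0.5")]

if __name__ == "__main__":
    for values in ({"ViewClient_Broker_Remote_IP_Address": "10.0.0.5"},
                   {"ViewClient_Broker_Remote_IP_Address": "203.0.113.7"},
                   {}):  # property not populated yet
        print(values, "->", clipboard(INTERNAL, values))
```

Treating an unreadable property as "unknown" keeps a "not equal" condition from matching by accident when the value has simply not been populated yet.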
Aaron206
Contributor

I can't seem to get smart policies to apply on the initial logon, just reconnects.

Reply
0 Kudos
Erossman
Enthusiast

It would be nice if we get an official statement from vmware regarding this behavior.

I cannot trust the smart policies

Reply
0 Kudos
DEMdev
VMware Employee

Hi Erossman,

Can you provide a FlexEngine log file (at DEBUG log level) that illustrates what isn't working for you?

Reply
0 Kudos
VDINinja311
Enthusiast

Our initial testing of Horizon Smart Policies worked great with a Windows 10 x64 1511 built on UEM 9.1, Horizon 7.0.2. No issues with the detection and applying at both login and with the triggered task of reapplying the policies at reconnect of session. At some point it stopped working and we are experiencing the same issue where the smart policies are not applying correctly at logon and only at reconnects. In the DEBUG logs it says it applies the correct policy (Disable USB redirection, clipboard, etc.) but during testing I am able to pass through a USB through the Horizon View Client. The only thing that would have changed in between our initial testing and now is we moved to a brand new Windows 10 x64 1607 Anniversary Update image.

Reply
0 Kudos
DEMdev
VMware Employee

Hi VDINinja311,

UEM 9.1 fully supports Windows 10 v1607, and I think Horizon 7.0.2 does as well. Can you provide a FlexEngine log file at log level DEBUG?

And, just as some general background information for anyone following this thread, UEM's Horizon Smart Policies feature is basically just a fancy name for "provide configuration settings for certain Horizon components" 🙂

Not intended as "blame shifting" or anything like that, but after UEM has applied its Smart Policies settings, it's up to the corresponding Horizon components to pick up those settings and act on them. That also means (as was seemingly the issue in one of the earlier posts in this thread) that for instance setting Client drive redirection to Allow all through UEM Smart Policies does not magically give you client drive redirection – for the actual functionality we fully depend on that feature to be installed and enabled in the Horizon agent and client.

Reply
0 Kudos
VDINinja311
Enthusiast

UEMdev I have uploaded the relevant DEBUG log file and some screenshots, only visible to you. Please note the comments on each file.

Reply
0 Kudos
DEMdev
VMware Employee

Thank you for the log file and screenshots, VDINinja311.

Looking at the FlexEngine log file, there is no difference between the Horizon Smart Policies settings that are applied during logon, and the settings that are applied during the UEM refresh. In both cases we see [INFO ] Applied Horizon Smart Policies settings, without any warnings or errors.

I think the next step in troubleshooting this would be to review the Horizon-related logs for the components that take their config through Horizon Smart Policies. Unfortunately, I don't know where to find these logs, how to enable them, or how to interpret them – I only know about the UEM side of Horizon Smart Policies 😞

Reply
0 Kudos
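The comparison described in the reply above (settings applied at logon versus at the UEM refresh) can be automated over a FlexEngine log. This is an added example, not VMware tooling: it assumes only the line formats quoted in this thread, treats each "Applied" line as the end of one pass, and runs on a constructed sample.

```python
import re

# Line formats taken from the FlexEngine lines quoted in this thread.
LINE = re.compile(r"^(\S+ \S+) \[(\w+)\s*\] (.*)$")
COLLECTED = re.compile(
    r"Collected Horizon Smart Policies settings to apply for (.+) \('(.+)'\)$")
APPLIED = "Applied Horizon Smart Policies settings"

def apply_passes(log_text):
    """Return one record per 'Applied' line: features collected before it."""
    passes, features, problems = [], {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, level, msg = m.groups()
        hit = COLLECTED.search(msg)
        if hit:
            features.setdefault(hit.group(1), []).append(hit.group(2))
        elif level not in ("DEBUG", "INFO"):
            problems.append(msg)          # anything above INFO in this pass
        elif msg.startswith(APPLIED):
            passes.append({"at": ts, "features": features, "problems": problems})
            features, problems = {}, []
    return passes

def differences(passes):
    """Features whose policy files differ between the first pass and later ones."""
    diffs = []
    if not passes:
        return diffs
    base = passes[0]["features"]
    for i, later in enumerate(passes[1:], start=1):
        for name in sorted(set(base) | set(later["features"])):
            a, b = base.get(name, []), later["features"].get(name, [])
            if a != b:
                diffs.append((i, name, a, b))
    return diffs

# Constructed sample: a logon pass followed by a refresh pass.
_FEATURES = ("printing", "clipboard", "client drive redirection")
def _pass(ts):
    lines = [f"{ts} [DEBUG] Collected Horizon Smart Policies settings to apply "
             f"for {f} ('TestingLocalDrive.xml')" for f in _FEATURES]
    return lines + [f"{ts} [INFO ] Applied Horizon Smart Policies settings"]
SAMPLE = "\n".join(_pass("2016-12-21 17:41:11.102") + _pass("2016-12-21 17:55:02.320"))

if __name__ == "__main__":
    print(differences(apply_passes(SAMPLE)))
```

An empty result means UEM collected the same settings in every pass, which points the investigation at the Horizon agent and client rather than at UEM.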
JonAmadori
Enthusiast

Hi,

I realize I am a bit late here but I have this same issue with UEM 9.1 and my Horizon Smart Policies not applying correctly on initial login, but applying correctly on reconnects.  I opened a ticket with VMware and this was the workaround we came up with:

  1. On virtual desktop agent: HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB\UemTimeouts (DWORD set to 120 decimal)
  2. On Windows client: HKLM\SOFTWARE\WOW6432Node\VMware, Inc.\VMware VDM\Client\UemTimeout (DWORD set to 120 decimal)

The tech I spoke with confirmed that this was a known issue and the fix would be pushed in a future update.  I am wondering if anyone has upgraded to UEM 9.2 and that resolved their issues with the Smart Policies not applying even though it was not listed in the release notes as a resolved issue.

VDINinja311
Enthusiast

JonAmadori

Thanks for replying to the thread. I will attempt your workaround, but have a question with it. Do you have to do both registry changes or one or the other? I am definitely fine with modifying the registry on our VDI Master Images, but no way are we able to modify the registry of the end users devices.

We just upgraded last week to UEM 9.2 for the publisher based app white listing and I have just confirmed that the issue still exists in UEM 9.2. No change for us anyway.

Thanks,

Jeremy

Reply
0 Kudos
JonAmadori
Enthusiast

VDINinja311

I had to apply both of the registry keys to fix.  I tried just using each key on its own and the Smart Policies would still not apply on login. Thankfully we were already planning to deploy SCCM to better manage our physical fleet which can push out the registry setting via a script.  Not sure if you have access to something similar or could push the registry key via GPO?

Thanks for the info on 9.2, I had a feeling that was the answer.

Reply
0 Kudos
VDINinja311
Enthusiast

JonAmadori

We could do it to corporate devices easy, but not employees' computers 🙂

Reply
0 Kudos
VDINinja311
Enthusiast

As we are starting to roll out to end users that will be using personal computers to connect to our VDI environment and since we can't rely on the Smart Policies to work at logon we did a little workaround for now. To at least disable access to USB drives from the end users' personal computers when connecting we set the following ADMX-based settings that apply only when the end users connect to our internet facing F5 appliance with our enterprise's non-domain machines.

It still passes through the USB drive in the Horizon View Client, but this will make it so nothing can read/write to it.

[Image: pastedImage_0.png]

Reply
0 Kudos
DEMdev
VMware Employee

Hi VDINinja311,

I'd still like to try and get to the bottom of why smart policies don't seem to apply during logon.

Are you still on the same UEM and View versions for which you sent me a FlexEngine log a little while ago?

Are you using App Volumes?

Are you using smartcards for SSO?

Are you using zero clients?

Have you opened a case with VMware support?

Reply
0 Kudos
VDINinja311
Enthusiast

UEMdev

I was going to just wait for the fix in a future release as I am not able to do the fix that JonAmadori was provided as I cannot control registry entries on our users' personal computers.

To answer your questions:

We are now on UEM 9.2 from 9.1 when I sent the logs but still on View 7.0.2. No difference in the issue though when going to 9.2

Still using AV 2.11

No smartcards

We use both Thin Clients and Horizon View Clients, only really concerned about the Smart Policies on Horizon View Clients on our users' personal computers.

Have not opened a case yet with VMware support.

JonAmadori

Did you have a case # for when you talked with VMware support?

Reply
0 Kudos
jmatz135
Hot Shot

What are the conditions you are using in your Horizon Smart Policies for determining whether you get the smart policy or not?

I use Horizon Client Property with

Property: Broker_Remote_IP_Address

with the ip address equal to the address given from our F5 APM that we use as our access point in.

This seems to work for me at login and at reconnect.

Reply
0 Kudos
VDINinja311
Enthusiast

We are using two conditions:

1. Horizon client property "Machine_Domain" is NOT equal to "ourdomain"

2. AND Horizon client property "Broker_URL" is equal to "https://ourexternalF5vIPDNS:443"

I know the conditions work, but the Smart Policy of being able to pass through USB isn't applying at Login, but will on a reconnect. (We have a triggered task to refresh Smart Policies on reconnect)

Reply
0 Kudos