What version of Horizon are you using? You need version 6.2 or newer if I'm not mistaken. Make sure the Horizon Agent and Client are also updated.
And could it be that you still have 'old' GPO's to configure Horizon Redirection that could conflict?
I did also some tests with Horizon Smart Policies and Horizon properties as a condition.
We use the lastet version of UEM 9.1, Horizon 7.0.3 and a patched win7 x64.
In general it works, that a user from a external location is restricted to use clipboard and client drive redirection.
Internal users are allowed to use both. I also did tests what happened if I do a reconnect to an exisiting session and switched between internal horizon client and an external client.
It doesn't work smootly all the time. I often had to close the horizon client and have to log on again. after that the smart policies are correct.
And yes, I set a uem refresh trigger to update all the environment variable after a reconnect (independeant of ip change or something else).
I also want diiferent conditions for a logon script which should check the horizon properties like "machine_name" or "remote_broker_ip_address".
I know that is possible to use them.
It looks like that uem is not able to check this condition during a windows user logon. Because this information is not yet avaiable there.
If I do a reconnect to the same session again (so the trigger runs) I am able to run some other scripts with a horizon property condition. But same here, the horizon propertie are not all the time correct.
You can actually use UEM smart policies to key on those settings at log on. For instance if you want the smart policy to use the remote IP address regkey in a smart policy you would create a Horizon Smart Policy and use for the condition Horizon Client Property. DO NOT use the Registry Key condition as that will fail when you login and only work during reconnection. You NEED to use the Horizon Client Property condition. In that condition there will be a dropdown with the 3 settings Client location, Launch tag(s) and Pool Name which obviously don't have the settings you want, but you can actually still use the settings you want. Just type into the Property box Broker_Remote_IP_Address if you want to key on the remote IP address. Basically take whatever regkey you want and remove the ViewClient_ part of it and put that in the property box. So if the Value is ViewClient_Broker_DomainName it then is just
From my testing this works every time as long as UEM itself is working. As a safeguard I have set it up so that if it does in fact fail to read the settings it will set to the more secure setting i.e. clipboard will not be available unless it properly reads the Broker_Remote_IP_Address property.
I cant seem to get smart policies to apply on the initial logon, just reconnects.
It would be nice if we get an offical statement from vmware regarding this behavior.
I cannot trust the smart policies
Our initial testing of Horizon Smart Policies worked great with a Windows 10 x64 1511 buildt on UEM9.1, Horizon 7.0.2. No issues with the detection and applying at both login and with the triggered task of re applying the policies at reconnect of session. At some point it stopped working and we are experiencing the same issue where the smart policies are not applying correctly at logon and only at reconnects. In the DEBUG logs it says it applies the correct policy (Disable USB redirection, clipboard, etc.) but during testing I am able to pass through a USB through the Horizon View Client. The only thing that would have changed in between our initial testing and now is we moved to a brand new Windows 10 x64 1607 Anniversary Update image.
UEM 9.1 fully supports WIndows 10 v1607, and I think Horizon 7.0.2 does as well. Can you provide a FlexEngine log file at log level DEBUG?
And, just as some general background information for anyone following this thread, UEM's Horizon Smart Policies feature is basically just a fancy name for "provide configuration settings for certain Horizon components" :-)
Not intended as "blame shifting" or anything like that, but after UEM has applied its Smart Policies settings, it's up to the corresponding Horizon components to pick up those settings and act on them. That also means (as was seemingly the issue in one of the earlier posts in this thread) that for instance setting Client drive redirection to Allow all through UEM Smart Policies does not magically give you client drive redirection – for the actual functionality we fully depend on that feature to be installed and enabled in the Horizon agent and client.
Thank you for the log file and screenshots, VDINinja311.
Looking at the FlexEngine log file, there is no difference between the Horizon Smart Policies settings that are applied during logon, and the settings that are applied during the UEM refresh. In both cases we see [INFO ] Applied Horizon Smart Policies settings, without any warnings or errors.
I think the next step in troubleshooting this would be to review the Horizon-related logs for the components that take their config through Horizon Smart Policies. Unfortunately, I don't know where to find these logs, how to enable them, or how to interpret them – I only know about the UEM side of Horizon Smart Policies :-(
1 person found this helpful
I realize I am a bit late here but I have this same issue with UEM 9.1 and my Horizon Smart Policies not applying correctly on initial login, but applying correctly on reconnects. I opened a ticket with VMware and this was the workaround we came up with:
- On virtual desktop agent: HKLM\Software\VMware, Inc.\VMware VDM\Agent\USB\UemTimeouts DWORD set to 120 decimal
- On Windows client: HKLM\SOFTWARE\WOW6432Node\VMware, Inc.\VMware VDM\Client\UemTimeout DWORD set to 120 decimal
The tech I spoke with confirmed that this was a known issue and the fix would be pushed in a future update. I am wondering if anyone has upgraded to UEM 9.2 and that resolved their issues with the Smart Policies not applying even though it was not listed in the release notes as a resolved issue.
Thanks for replying to the thread. I will attempt your workaround, but have a question with it. Do you have to do both registry changes or one or the other? I am definitely fine with modifying the registry on our VDI Master Images, but no way are we able to modify the registry of the end users devices.
We just upgraded last week to UEM 9.2 for the publisher based app white listing and I have just confirmed that the issue still exists in UEM 9.2. No change for us anyway.
I had to apply both of the registry keys to fix. I tried just using each key on its own and the Smart Policies would still not apply on login. Thankfully we were already planning to deploy SCCM to better manage our physical fleet which can push out the registry setting via a script. Not sure if you have access to something similar or could push the registry key via GPO?
Thanks for the info on 9.2, I had a feeling that was the answer.