2. Using Dynamic Environment Manager as part of a Workspace ONE solution for usability and security.
Horizon and Dynamic Environment Manager (DEM) provide a great combination of capabilities to apply DLP controls depending on a range of endpoint parameters and location information.
Some of these features might be used in the context of security. In our research we have discovered constraints with certain parameters, and we will address both the potential and the downside of this functionality.
Part 1: Identifying registry-based configurations as a basis for the conditional elements we could possibly use with Horizon Smart Policies
This section serves as an introduction to registry-based configurations and to what we can choose from in the registry if we want to use this configuration with Horizon Smart Policies.
You might still be logged in from a previous lab on the Horizon Client with the Craig account.
If you are, you can move straight to Step 9 in Part 1.
- On your ControlCenter server
- from the Desktop
- Open the Remote Desktops \ Site 1 folder
- Launch the W11Client-01a.rdp shortcut
- In the Windows Security page
- ensure Craig is the username
- in the password area
- enter VMware1!
- select OK
- On your W11Client-01a desktop
- From the taskbar or Desktop
- launch your VMware Horizon Client
- In the VMware Horizon Client window
- select corp.euc-livefire.com broker URL
- In the Microsoft Sign in window
- enter Craig@corpXXX.euc-livefire.com
- where XXX is your assigned Domain identifier
- select Next
- In the Microsoft Enter password window
- enter VMware1!
- select Sign in
- In the Microsoft Stay signed in? window
- select Yes
- On your W11Client-01a desktop
- on the Open VMware Horizon Client? window
- select Open VMware Horizon Client
- In the VMware Horizon Client login window
- select the Enterprise_Desktop entitlement
- On your Horizon Desktop session
- from the taskbar
- select and right-click the START button
- from the inventory
- select Run
- In the Run window
- next to Open:
- enter regedit.exe
- select OK
- In the Registry Editor window
- from the left Inventory pane
- select and expand HKEY_LOCAL_MACHINE > SOFTWARE > VMware, Inc. > VMware VDM > SessionData > 1
- In the SessionData \ 1 folder
- Note the registry-based ViewClient_ parameters that are available. These can serve as part of a conditional element in Horizon Smart Policies.
- Other than the Risk Scoring functionality in DEM Conditions, it is important to note that these are the only parameters we might consider using to manage and control the endpoint session in Dynamic Environment Manager.
- In the next Parts we will look at example parameters like the following and evaluate how secure this approach actually is:
- ViewClient_MDMDeviceID: enrolled devices
- ViewClient_Broker_GatewayLocation (Client Location): has the value Internal or External
- Other examples that could contribute to endpoints being secured and usable when accessing resources using Horizon in an organization are:
- ViewClient_Machine_Domain: the remote Windows 10/11 client's domain name
- ViewClient_Machine_Name: the remote Windows 10/11 client's PC name
- In the Horizon Client VDI session
- next to Exit Fullscreen
- select the more options icon
- select Logoff Desktop
- In the Disconnect and log off desktop? window
- select OK
Part 2: Setting up VMware Horizon Smart Policies with VMware Dynamic Environment Manager
This part is divided up into two sections.
Section 1: We will create a Horizon Smart Policy for external endpoints that are Managed by Workspace ONE UEM
Section 2: We will create a Horizon Smart Policy for external endpoints that are UnManaged by Workspace ONE UEM
- On your ControlCenter server Desktop
- from the Taskbar
- select and launch the DEM Management Console shortcut
- In the Dynamic Environment Manager Console
- Select the User Environment tab
- In the User Environment Inventory
- Select Horizon Smart Policies
- Right-click and select Create Horizon Smart Policies setting...
- In the Horizon Smart Policies window
- Under the Settings tab
- enter the following:
- Under General Settings, enter the following, next to:
- Name: Compliant Endpoints
- Label: USB, Clipboard and Client drive
- Tag: Managed
- In the Horizon Smart Policy Settings, enable the following checkboxes, next to:
- Audio Playback: Enable
- Bandwidth Profile: Broadband WAN
- Blast Extreme protocol
- H.264: Enable
- JPG: Enable
- Max frame rate: 30
- Drag and drop: Allow all
- Printing: Enable
- In the Redirection settings, enable the following checkboxes and associated settings, next to:
- Client drive: Allow all
- Clipboard: Allow all
- USB: Enable
- Web and Chrome file transfer: Allow all
- In the Horizon Smart Policies window
- Select the Conditions tab
- Under Conditions, select the dropdown next to Add
- In the Add Condition dropdown
- Select Horizon Client Property
- Note: By default, if you connect directly to a View Connection Server, the gateway location is Internal. If you connect through a Unified Access Gateway server, the gateway location is External by default.
- In the Horizon Client Property window, add the following:
- next to Property,
- from the dropdown
- select Client location
- next to Is equal to,
- from the dropdown
- select External
- To close the Horizon Client Property window
- select OK
- In the Horizon Smart Policies window
- In the Conditions tab
- next to Add
- select the dropdown
- In the Add Condition dropdown
- Select Horizon Client Property
- In the Horizon Client Property window,
- next to Property:
- enter Broker_GatewayType
- next to Broker_GatewayType
- from the dropdown
- select Is equal to
- In the box area, to the right of Is equal to
- enter AP
- select OK
- In the Horizon Smart Policies window
- In the Conditions tab
- next to Add
- select the dropdown
- In the Add Condition dropdown
- Select Horizon Client Property
- In the Horizon Client Property window,
- next to Property:
- enter MDMDeviceID
- next to MDMDeviceID
- ensure Exists is selected
- select OK
- In the Horizon Smart Policies window
- Select Save
- In the User Environment Inventory
- Select Horizon Smart Policies
- Right-click and select Create Horizon Smart Policies setting...
- In the Horizon Smart Policies window, under the Settings tab, enter the following:
- Under General Settings, enter the following, next to:
- Name: Non Compliant Endpoints
- Label: USB, Clipboard and Client drive disabled
- Tag: UnManaged
- In the Horizon Smart Policy Settings, enable the following checkboxes, next to:
- Audio Playback: Enable
- Bandwidth Profile: Broadband WAN
- Blast Extreme protocol
- H.264: Enable
- Max frame rate: 30
- Drag and drop: Disable
- In the Redirection settings, enable the following checkboxes and associated settings, next to:
- Client drive: Disable
- Clipboard: Disable
- USB: Disable
- Web and Chrome file transfer: Disable
- In the Horizon Smart Policies window
- Select the Conditions tab
- Under Conditions, select the dropdown next to Add
- In the Add Condition dropdown
- Select Horizon Client Property
- In the Horizon Client Property window, add the following:
- next to Property,
- from the dropdown
- select Client location
- next to Is equal to,
- from the dropdown
- select External
- To close the Horizon Client Property window
- select OK
- In the Horizon Smart Policies window
- In the Conditions tab
- next to Add
- select the dropdown
- In the Add Condition dropdown
- Select Horizon Client Property
- In the Horizon Client Property window,
- next to Property:
- enter Broker_GatewayType
- next to Broker_GatewayType
- from the dropdown
- select Is equal to
- In the box area, to the right of Is equal to
- enter AP
- select OK
- In the Horizon Smart Policies window
- In the Conditions tab
- next to Add
- select the dropdown
- In the Add Condition dropdown
- Select Horizon Client Property
- In the Horizon Client Property window,
- next to Property:
- enter MDMDeviceID
- next to MDMDeviceID
- ensure Exists is selected
- select OK
- In the Horizon Smart Policies window
- next to AND Horizon client property 'MDMDeviceID' exists
- select and right-click, and from the dropdown
- select AND NOT
- Select Save
Part 3: Testing your Smart Policies.
- We will demonstrate the following in this exercise:
- Drag and Drop functionality
- USB redirection (limited functionality here)
- We will use the Dynamic Environment Manager logs to see if the settings are effective.
- We will use a Managed and an UnManaged device to test this setup:
- W11Client-01a is our managed device
- W11EXT-01a is our unmanaged device
- We will use the Sales user Mark to test this functionality
- On your ControlCenter server desktop
- Open the Remote Desktop \ Site 1 folder
- launch W11Client-01a.RDP
- In the Windows Security page
- ensure W11client-01a\craig is the username
- in the password area
- enter VMware1!
- select OK
- On your W11Client-01a desktop
- From the taskbar or Desktop
- launch your VMware Horizon Client
- In the VMware Horizon Client window
- select corp.euc-livefire.com broker URL
- In the Microsoft Sign in window
- enter Craig@corpXXX.euc-livefire.com
- where XXX is your assigned Domain identifier
- select Next
- In the Microsoft Enter password window
- enter VMware1!
- select Sign in
- In the Microsoft Stay signed in? window
- select Yes
- On your W11Client-01a desktop
- on the Open VMware Horizon Client? window
- select Open VMware Horizon Client
- In the VMware Horizon Client login window
- select the Enterprise_Desktop entitlement
- In the VMware Horizon Client
- next to USB Devices
- select the dropdown arrow
- Note that the message you get is No suitable USB devices available.
- Therefore, if there were physical devices connected to the endpoint, it is most likely that USB redirection would work.
- select Exit Fullscreen
- From your W11Client-01a desktop
- With your mouse, select the Google Chrome shortcut
- Drag it over into the Horizon Client session
- Note that you will get a + type icon just below your cursor.
- Release your mouse button to drop the shortcut within the Horizon session
- In the Horizon Client session
- From the Taskbar,
- select the File Explorer folder shortcut
- In the File Explorer window
- Select This PC in the left Inventory
- To the right, scroll down and observe that there are network locations configured, i.e. the Z: drive
- On the ControlCenter server
- Open your File Explorer icon from the Taskbar
- On the C:\, open your UEMProfiles\YOUR Custom Test User\Logs folder
- In File Explorer C:\UEMProfiles\user1\Logs
- Select and right-click FlexEngine.log
- Select Edit with Notepad++
- In the Notepad++ session
- Reload your logs by selecting File > Reload from Disk
- Scroll down, right to the bottom of your logs
- Scroll up until you find YOUR Custom Test User and the start of the Performing path-based import logs
- Observe that each configuration is processed and logged as disabled / enabled or True / False
- Note that it is the Internal policy that is being applied
- Note what features are allowed or enabled
- On the ControlCenter server
- switch back to your Horizon Client session
- next to Fullscreen,
- next to Options,
- select See more (3 buttons)
- select Log Off Desktop
- On the Disconnect and log off desktop? window
- select OK
- On the ControlCenter server
- Open the Remote Desktops \ Site1 folder
- Open w11EXT-01a.RDP
- On the Windows Security window
- Ensure w11ext-01a\nancy is the username
- In the password area
- enter VMware1!
- select OK
- On the W11Ext-01a desktop
- Launch the VMware Horizon Client shortcut
- In the VMware Horizon Client
- select + Add Server
- In the Name of the Connection Server window
- enter corp.euc-livefire.com
- select Connect
- In the Microsoft Sign in window
- enter nancy@corpXXX.euc-livefire.com
- where XXX is your assigned Domain identifier
- select Next
- In the Microsoft Enter password window
- enter VMware1!
- select Sign in
- In the Microsoft Stay signed in? window
- select Yes
- On your W11Client-01a desktop
- on the Open VMware Horizon Client? window
- select Open VMware Horizon Client
- In the VMware Horizon Client login window
- select the Enterprise_Desktop entitlement
- In the Horizon Client
- In the top bar, next to Connect USB Device, select the drop-down
- Notice that the state of USB is "Initializing" (a change of state)
- We will read the logs to validate
- In the Horizon Client Desktop
- On the title bar,
- select the File Explorer icon
- Ensure This PC is selected in the left inventory
- Scroll down on the right side to the bottom of the window.
- Notice that you have no network drive mappings
- In the Horizon W11 desktop session
- Close all windows
- In the W11EXT-01a Desktop
- Attempt to drag the VMware Horizon shortcut into the Horizon Desktop session.
- From the Horizon Desktop session
- attempt to drag the Google shortcut to the W11EXT-01a desktop
- On the W11EXT-01a desktop
- Switch back to your Horizon Client session
- to the right of FullScreen
- select ... (see more)
- select the drop down,
- select Log Off Desktop
- In the Disconnect and log off desktop? window
- Select OK
- On the ControlCenter server
- From the Taskbar
- open your File Explorer icon
- On the C:\
- Browse to UEMProfiles > nancy > Logs folder
- In File Explorer C:\UEMProfiles\nancy\Logs
- select and right-click FlexEngine.log
- select Edit with Notepad++
- In the Notepad++ session
- Reload your logs by selecting File > Reload from Disk
- Scroll down, right to the bottom of your logs
- Scroll up until you find the start of the Performing path-based import logs
- Note that Compliant Endpoints.xml is skipped due to conditions
- Note the Applied Horizon Smart Policies:
- Drag and drop is disabled
- Client drive redirection is disabled
- Clipboard redirection is disabled
- USB redirection is disabled
- Web and Chrome file transfer is disabled
- Note what features are allowed or enabled
So far everything looks amazing. However, we have discovered the following regarding this configuration:
- On your ControlCenter desktop
- switch to your Chrome Browser
- open a new tab
- from the Favourites bar
- launch the Workspace ONE UEM shortcut
- In the Workspace ONE UEM login
- under Username
- enter your Registered course Username
- select Next
- under Password
- enter VMware1!
- select Log In
- In the Workspace ONE UEM Admin console
- select DEVICES
- under Dashboard
- select List View
- In the List View console
- Next to Craig W11CLIENT-01A
- select the checkbox
- In the middle of the pane, next to MORE ACTIONS
- select the dropdown
- In the dropdown
- select Enterprise Wipe
- In the Restricted Action - Enterprise Wipe window
- below Security Pin
- enter your PIN
- switch back to your W11Client-01a session
- On your W11Client-01a desktop
- On Taskbar / Search box
- enter intelligent hub
- notice that all you see is AirwatchAgent.msi
- On your W11Client-01a desktop
- On Taskbar / Search box
- enter Control Panel
- from the Best Match
- select Control Panel
- In the Control Panel app
- under Programs
- select Uninstall a program
- In the Programs and Features section
- Note there is no Workspace ONE Intelligent Hub on this endpoint
- On your W11Client-01a desktop
- launch the VMware Horizon Client shortcut
- In the VMware Horizon Client
- select the corp.euc-livefire.com broker URL
- On your W11Client-01a desktop
- on the Open VMware Horizon Client? window
- select Open VMware Horizon Client
- In the VMware Horizon Client login window
- select the Enterprise_Desktop entitlement
- In the VMware Horizon Client session
- from the taskbar
- select the Folder icon
- In the Quick Access pane
- select This PC
- In the This PC area
- Note you have a drive mapping
- Feel free to attempt to drag and drop
- In the Horizon Client session
- next to Fullscreen
- select the dropdown
- select Logoff Desktop
- In the Disconnect and log off desktop? window
- select OK
- In the VMware Horizon Client
- in the top left corner
- select the back arrow
- In the Log off server? window
- select OK
- minimize the w11Client-01a session
- On the ControlCenter server
- From the Taskbar
- open your File Explorer icon
- On the C:\
- Browse to UEMProfiles > mark > Logs folder
- In File Explorer C:\UEMProfiles\mark\Logs
- select and right-click FlexEngine.log
- select Edit with Notepad++
- In the Notepad++ session
- Reload your logs by selecting File > Reload from Disk
- Scroll down, right to the bottom of your logs
- Scroll up until you find the start of the Performing path-based import logs
- Note that Non Compliant Endpoints.xml is skipped due to conditions
- Note the Applied Horizon Smart Policies:
- Drag and drop is allowed
- Client drive redirection is allowed
- Clipboard redirection is allowed
- USB redirection is allowed
- Web and Chrome file transfer is allowed
We will now investigate why this is happening.
- Switch back to your W11Client-01a RDP session
- On the W11Client-01a desktop session
- From the taskbar
- In the Search area
- enter registry Editor
- In the Best Match area
- select Run as administrator
- In the User Account Control window
- Below admin
- enter VMware1! as the password
- select Yes
- In the Registry Editor
- In the Inventory
- browse to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Provisioning > OMADM > MDMDeviceID
- Notice that you still have a DeviceClientId value in the registry
- In the Inventory
- select and right-click the MDMDeviceID folder
- select Delete
- On your W11Client-01a desktop
- launch the VMware Horizon Client shortcut
- In the VMware Horizon Client
- select the corp.euc-livefire.com broker URL
- On your W11Client-01a desktop
- on the Open VMware Horizon Client? window
- select Open VMware Horizon Client
- In the VMware Horizon Client login window
- select the Enterprise_Desktop entitlement
- In the VMware Horizon Client session
- from the taskbar
- select the Folder icon
- In the Quick Access pane
- select This PC
- In the This PC area
- Note that you now don't have a drive mapping
- Feel free to attempt to drag and drop
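As an added example (not part of the lab and not DEM code), the following Python models how the two condition sets from Part 2 evaluate against the Horizon Client properties, and why the enterprise-wiped endpoint in Part 3 still lands on the Compliant Endpoints policy. The endpoint dictionaries are constructed sample inputs, and the hub_installed flag in stale_enrollment is an assumed extra signal, not a Horizon Client property the dialog can check.

```python
# Added model (not part of the lab or of DEM itself) of the two condition sets
# built in Part 2. The property names mirror the ViewClient_ values the Horizon
# Client publishes under HKLM\SOFTWARE\VMware, Inc.\VMware VDM\SessionData\1;
# the endpoint dictionaries below are constructed sample inputs.

def is_equal_to(props, name, value):
    """DEM 'Is equal to' operator on a Horizon Client property."""
    return props.get(name) == value

def exists(props, name):
    """DEM 'Exists' operator: only the presence of the property is checked."""
    return name in props

def compliant_conditions(props):
    """Compliant Endpoints: Client location = External AND Broker_GatewayType = AP
    AND MDMDeviceID exists."""
    return (is_equal_to(props, "Broker_GatewayLocation", "External")
            and is_equal_to(props, "Broker_GatewayType", "AP")
            and exists(props, "MDMDeviceID"))

def non_compliant_conditions(props):
    """Non Compliant Endpoints: same, but AND NOT MDMDeviceID exists."""
    return (is_equal_to(props, "Broker_GatewayLocation", "External")
            and is_equal_to(props, "Broker_GatewayType", "AP")
            and not exists(props, "MDMDeviceID"))

POLICIES = [
    ("Compliant Endpoints.xml", compliant_conditions),
    ("Non Compliant Endpoints.xml", non_compliant_conditions),
]

def evaluate(props):
    """Map each policy file to the outcome FlexEngine.log reports for it."""
    return {name: ("applied" if cond(props) else "skipped due to conditions")
            for name, cond in POLICIES}

def stale_enrollment(props, hub_installed):
    """The gap Part 3 exposes: MDMDeviceID present but no Intelligent Hub.
    hub_installed is an assumed extra signal; it is not a Horizon Client property."""
    return exists(props, "MDMDeviceID") and not hub_installed

# Constructed sample endpoints.
MANAGED_EXTERNAL = {"Broker_GatewayLocation": "External",
                    "Broker_GatewayType": "AP",
                    "MDMDeviceID": "constructed-device-id"}
UNMANAGED_EXTERNAL = {"Broker_GatewayLocation": "External",
                      "Broker_GatewayType": "AP"}
# After the Enterprise Wipe: Hub uninstalled, but OMADM\MDMDeviceID survived,
# so the Horizon Client publishes exactly the same properties as a managed device.
WIPED_STALE_ID = dict(MANAGED_EXTERNAL)
INTERNAL = {"Broker_GatewayLocation": "Internal"}

if __name__ == "__main__":
    for label, ep in [("managed", MANAGED_EXTERNAL), ("unmanaged", UNMANAGED_EXTERNAL),
                      ("wiped, stale id", WIPED_STALE_ID), ("internal", INTERNAL)]:
        print(f"{label:16} {evaluate(ep)}")
    print("stale enrollment after wipe:", stale_enrollment(WIPED_STALE_ID, False))
```

Deleting the OMADM\MDMDeviceID key, as the lab does, is what turns the wiped endpoint into the UNMANAGED_EXTERNAL case.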
In Summary
Using the registry element for Conditions within Dynamic Environment Manager is more a usability solution than a security solution, and we are not able to rely on this alone.
Other registry-based Client System Information that we might consider for Conditions includes:
- Machine_Domain: the remote Windows 10 client's domain name
- Machine_Name: the remote Windows 10 client's PC name
- Broker_GatewayLocation or Client Location, which has the value Internal or External
In a later lab we will look at a 3rd-party solution called OPSWAT that will allow us to provide a broad range of rules to ensure compliance.