Category Archives: VMware


Streamline Your Endpoint Security with Internal Certificate Authority and Workspace ONE UEM

Port-Based Authentication (port-based network access control, IEEE 802.1X) is a security feature that admits only authorized client devices to the network; a device that cannot authenticate at the switch port is not granted access, which is why some organizations rely on it to keep unauthorized devices out. To authenticate, the client device must hold a certificate. Integrating an internal Certificate Authority with Workspace ONE UEM lets you deliver computer certificates to client devices automatically.

To begin, open the Certification Authority console, right-click Certificate Templates and click Manage. In the template console, right-click the Computer template and duplicate it. On the General tab, rename the new template to ComputerUEM. On the Subject Name tab, select “Supply in the request”. On the Security tab, add the account that will request certificates and make sure it has the Enroll permission.

Next, log in to WS1 UEM and go to All Settings. Click Enterprise Integration and then Certificate Authorities. Click Add, type a name for the certificate authority, choose Microsoft ADCS, and enter the CA server name and authority name together with the service account username and password. Click Test Connection, then Save.

With the certificate authority in place, create a request template in WS1 UEM: click Request Templates, enter the template name, the issuing template (ComputerUEM), the subject name and the SAN type, and click Save.

Now, when you enroll a Windows device, it receives a certificate carrying the device UDID, which can be used for Port-Based Authentication. To deliver the certificate to your devices, follow these steps:

1. Create a new profile in WS1 UEM and select Windows as the platform.

2. Select Device Profile and type the name of the profile.

3. Add a smart group that will receive the certificate.

4. Go to Credentials and configure the CA and template.

5. Save and publish the profile.

With these steps, you can ensure that only authorized client devices can access your network using Port-Based Authentication. This feature provides an additional layer of security for your organization’s network and devices.
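As an added check that is not part of the original post, the following PowerShell script verifies on an enrolled Windows device that a usable certificate actually arrived: it looks in the machine’s Personal store (the store computer authentication with 802.1X reads), and for each certificate from your CA reports validity, private-key presence, the Client Authentication EKU that EAP-TLS style 802.1X needs, and the template extension. It assumes the template is named ComputerUEM as in the post; the issuer CN is a placeholder to replace with your internal CA’s name.

```powershell
# Added verification script, not from the original post. Run on an enrolled
# Windows device after the profile has been published.
$IssuerCn      = 'YOUR-INTERNAL-CA'          # placeholder: CN of your internal issuing CA
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'         # Client Authentication EKU
$TemplateOid   = '1.3.6.1.4.1.311.21.7'      # Certificate Template Information extension

function Test-UemMachineCertificate {
    param(
        [string]$Issuer = $IssuerCn,
        [string]$ExpectedTemplate = 'ComputerUEM'
    )
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$Issuer*" } |
        ForEach-Object {
            $cert = $_
            # The EKU must include Client Authentication, or the certificate is useless for 802.1X
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $hasClientAuth = $false
            if ($ekuExt) {
                $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
            }
            # The template extension text names the template when the CA's AD data is reachable;
            # otherwise it only shows the template OID, so the name match below is best-effort.
            $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
            $tmplText = if ($tmplExt) { $tmplExt.Format($false) } else { '<no template extension>' }
            [pscustomobject]@{
                Subject         = $cert.Subject
                Thumbprint      = $cert.Thumbprint
                NotAfter        = $cert.NotAfter
                DaysRemaining   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                HasPrivateKey   = $cert.HasPrivateKey   # the device must hold the key, not just the cert
                ChainValid      = $cert.Verify()        # builds and validates the chain to a trusted root
                ClientAuthEku   = $hasClientAuth
                TemplateInfo    = $tmplText
                MatchesTemplate = ($tmplText -like "*$ExpectedTemplate*")
            }
        }
}

# Report every candidate; an empty result means no certificate from the CA was delivered.
$results = Test-UemMachineCertificate
if (-not $results) { Write-Warning "No certificate issued by CN=$IssuerCn found in Cert:\LocalMachine\My" }
$results | Format-List
```

Because the template uses “Supply in the request”, the subject is whatever the requester asks for, so keep Enroll on ComputerUEM limited to the UEM service account and reconcile the reported Subject against the device UDID shown in the UEM console.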

Optimize Your End-User Computing Experience with VMware Horizon Smart Policies and DEM Integration

Configuring Horizon Smart Policies with DEM and Horizon Client Properties

In this blog post, we will discuss how to configure Horizon Smart Policies with DEM (Dynamic Environment Manager) and Horizon Client Properties so that endpoints joined to a specific domain can use the clipboard. We will also look at other options available in the Horizon Client Property registry key and show you how to configure them in your environment.

Before we begin, it’s essential to understand that the steps outlined in this blog post are for educational purposes only and should not be attempted on a production environment without proper testing and validation. It’s also important to note that the screenshots and options may vary based on your Horizon version and configuration.

Step 1: Open the Registry on a Virtual Desktop

To configure Horizon Smart Policies with DEM and Horizon Client Properties, we need to open the registry on a virtual desktop. To do this, log in to a virtual desktop through the Horizon Client, and then follow these steps:

1. Press the Windows key + R to open the Run dialog box.

2. Type regedit and press Enter.

3. Navigate to the following registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\SessionData\1

This registry key contains all the options available for use with Client Property in DEM Conditions. In our case, we will use ViewClient_Machine_Domain.

Step 2: Create a Condition Set in DEM

Open DEM and create a new condition set. Add a Client Property condition, select ViewClient_Machine_Domain as the property, choose Is equal to from the operator drop-down menu, and type your domain name (Lab.local) in the Value field. This condition set matches endpoints joined to the Lab.local domain, which the Smart Policy will use to allow the clipboard.

Step 3: Create a Horizon Smart Policy

Next, we need to create a new Horizon Smart Policy and bind the condition set we created to this policy. To do this, follow these steps:

1. Open DEM and go to the Policies tab.

2. Click the Create Policy button and select Horizon Smart Policy from the drop-down menu.

3. Enter a name for your policy (e.g., Allow Clipboard for Lab.local Endpoints) and click Next.

4. Select the condition set we created earlier and click Next again.

5. Enable the Clipboard option, and then click Finish to save your policy.

Now that you have created your Horizon Smart Policy, all endpoints joined to the Lab.local domain will be allowed to use the clipboard when they log in through the Horizon Client.

Other Options Available in the Horizon Client Property Registry Key

The Horizon Client Property registry key (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\SessionData\1) contains several other options that you can use with Client Property in DEM Conditions. Here are some of the most commonly used options:

1. ViewClient_Machine_OS: This property specifies the operating system of the endpoint device. You can use this property to allow or block specific OS versions from accessing the Horizon environment.

2. ViewClient_Machine_Architecture: This property specifies the architecture of the endpoint device (e.g., x86 or x64). You can use this property to restrict access to specific architectures.

3. ViewClient_Machine_Language: This property specifies the language of the endpoint device. You can use this property to allow or block access based on the user’s language preferences.

4. ViewClient_Machine_UUID: This property specifies the unique identifier of the endpoint device (also known as the universally unique identifier or UUID). You can use this property to identify specific devices and apply policies accordingly.

5. ViewClient_Machine_Manufacturer: This property specifies the manufacturer of the endpoint device. You can use this property to allow or block access based on the user’s device manufacturer.

6. ViewClient_Machine_Model: This property specifies the model of the endpoint device. You can use this property to allow or block access based on the user’s device model.

7. ViewClient_Machine_BIOS: This property specifies the BIOS version of the endpoint device. You can use this property to allow or block access based on the user’s BIOS version.

8. ViewClient_Machine_Firmware: This property specifies the firmware version of the endpoint device. You can use this property to allow or block access based on the user’s firmware version.

9. ViewClient_Machine_Hardware: This property specifies the hardware version of the endpoint device. You can use this property to allow or block access based on the user’s hardware version.

10. ViewClient_Machine_Software: This property specifies the software version of the endpoint device. You can use this property to allow or block access based on the user’s software version.
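As an added check that is not part of the original post, the following PowerShell, run inside the Horizon session on the virtual desktop, reads the session data key described above, lists every ViewClient_* value it actually holds (the subkey name is the session ID, “1” in the post), and evaluates the same “ViewClient_Machine_Domain is equal to Lab.local” test that the DEM condition set performs, so you can confirm what DEM will see before publishing the Smart Policy. Lab.local is the post’s example domain.

```powershell
# Added example; not part of the original post. Shows the Client Property values
# DEM evaluates and mirrors the clipboard condition set from the post.
$SessionDataKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\SessionData'
$ExpectedDomain = 'Lab.local'

function Get-HorizonClientProperties {
    # One subkey per Horizon session; return all ViewClient_* values of each.
    Get-ChildItem -Path $SessionDataKey -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $clientProps = @{}
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'ViewClient_*') { $clientProps[$p.Name] = $p.Value }
        }
        [pscustomobject]@{ SessionId = $_.PSChildName; Properties = $clientProps }
    }
}

function Test-ClipboardCondition {
    param([hashtable]$Properties, [string]$Domain = $ExpectedDomain)
    # Mirrors the DEM condition: Client Property ViewClient_Machine_Domain "Is equal to" <domain>.
    # A session that reports no domain value cannot match, so the clipboard stays disabled.
    $value = $Properties['ViewClient_Machine_Domain']
    if ([string]::IsNullOrEmpty($value)) { return $false }
    # DNS domain names are not case-sensitive; -ieq compares accordingly
    return ($value -ieq $Domain)
}

foreach ($session in Get-HorizonClientProperties) {
    "Session $($session.SessionId):"
    $session.Properties.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name) = $($_.Value)" }
    "  Clipboard condition (ViewClient_Machine_Domain -eq $ExpectedDomain): $(Test-ClipboardCondition -Properties $session.Properties)"
}
```

Only the values that the listing actually shows are available to a Client Property condition on that Horizon version, so build condition sets from this output rather than from a generic list.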

Conclusion

In this blog post, we have shown you how to configure Horizon Smart Policies with DEM and Horizon Client Properties to allow endpoints joined to a specific domain to use the clipboard. We have also explored other options available in the Horizon Client Property registry key and shown you how to configure them in your environment. Remember to test your policies thoroughly before deploying them to your production environment.

If you found this blog post helpful, please share it with your colleagues and friends who work with Horizon. We value your feedback and would love to hear your comments and suggestions for future blog posts.

Unlocking Efficient Endpoint Management with VMware Workspace ONE UEM for Windows Corporate Shared Devices

Managing Multiple Users on a Single Windows Device with VMware Workspace ONE UEM

In today’s blog post, we will discuss how to manage multiple users on a single Windows device using VMware Workspace ONE Unified Endpoint Management (UEM). We will cover how to enable features, register devices, and manage different user accounts on a shared device.

Enable Features and Register Devices

To manage multiple users on a single Windows device with UEM, you need to have the following features enabled in your UEM SaaS tenant:

1. MultiUserPhase1EnrollmentSupportFeatureFlag

2. DeviceStateChannelInterfaceEnabledFeatureFlag

You can enable these features by creating a support ticket with VMware and requesting that they be activated in your UEM SaaS tenant. Once enabled, you must set the “Default Action For Inactive Users” to “Restrict Additional Device Enrollment” in UEM. Additionally, ensure that “Publish Workspace ONE Intelligent Hub” is enabled.

Registering devices as Corporate-Shared is required for managing multiple users on a single device. To register a device, you need the Serial Number of the machine. You can find the Serial Number using the following command in the Command Prompt:

wmic bios get serialnumber

Once you have the Serial Number, log in to the UEM console and go to the “Devices” tab. Click on “Lifecycle” and then select “Enrollment Status.” Click on “ADD – Register Device” and select “Ownership” as Corporate-Shared. Enter the Serial Number, and click on “SAVE.”

Managing Different User Accounts

To manage different user accounts on a shared device, you need to join the device to Azure Active Directory (AAD). You can do this by following these steps:

1. Log in to Windows using a local admin account.

2. Open the Microsoft account window and click on “Join this device to Azure Active Directory.”

3. Type in the first AAD user account and click on “NEXT.”

4. The first account will always get the local admin permission, and all other accounts will get the user account permission.

5. Click on “Join.”

6. Sign out of the Windows local admin account and click on “Other user.”

7. Log in with your AAD first user account, and wait until the device is set up.

At this point, you will notice that Workspace ONE Intelligent Hub has been installed automatically; this automatic installation is what makes Intelligent Hub available to all users of the device. Never install Intelligent Hub manually on shared devices.

Start the Hub and log in as the first user. In UEM, check the current user name. Restart the Windows machine and log in with the second AAD account. Start the Intelligent Hub and log in with the second AAD account. Notice the same machine with different user accounts. Also, check the UEM console to see the different user name on the same Windows machine.

Current Limitations of Shared Devices

While managing multiple users on a single Windows device with UEM is possible, there are some current limitations with shared devices. VMware is working to resolve these limitations with upcoming releases. Some of the limitations include:

1. Only Azure AD users can be managed as Corporate-Shared devices.

2. Only one user can use the device at a time. If multiple users try to log in simultaneously, only the first user will be able to access the device.

3. The device will always enroll using the first user’s credentials, even if other users attempt to enroll the device.

4. Users will not be able to use their own credentials to enroll the device.

5. Shared devices do not support full OOBE (out-of-box experience) provisioning with Windows Autopilot. You must use the Azure AD join method to connect the device to Azure AD.

Conclusion

Managing multiple users on a single Windows device with VMware Workspace ONE UEM is possible by enabling specific features, registering devices as Corporate-Shared, and joining the device to Azure Active Directory. While there are some current limitations with shared devices, VMware is working to resolve these limitations with upcoming releases. With this information, you can effectively manage multiple users on a single Windows device using UEM.

Revolutionize Your End User Computing Experience with VMware Horizon, IGEL UD Pocket, and Liquidware Stratusphere UX

As an IT professional, I am always on the lookout for new and innovative technologies that can help me streamline my workflows and improve my productivity. Recently, I stumbled upon an old IGEL UD Pocket USB while rummaging through my storage room. To my surprise, it still worked perfectly fine even after all these years!

Excited by this discovery, I decided to test it out in one of my NUC LAB devices running ESXi. After inserting the USB into the device, I was able to boot up the IGEL UD Pocket as a virtual machine (VM) within ESXi. The setup process was incredibly easy and quick, taking only a few minutes to get everything up and running.

Once the VM was up and running, I decided to test out its capabilities by connecting it to VMware Horizon Windows 10 VD. To my amazement, the IGEL UD Pocket USB seamlessly integrated with the Horizon environment and allowed me to access all of my applications and desktops without any hassle.

But that’s not all – the real magic happened when I started using Liquidware Stratusphere UX, an incredibly powerful and easy-to-use monitoring and reporting tool. With just a few clicks, I was able to gather a wealth of information about my Horizon environment, including detailed statistics on application usage, user activity, and more.

One of the things that really impressed me about Liquidware Stratusphere UX is its ability to provide real-time monitoring and reporting. With just a few clicks, I can generate detailed reports on everything from user logons and logoffs to application launches and terminations. This information is invaluable for troubleshooting issues and optimizing my Horizon environment for maximum performance and security.

Another feature that really stood out to me was the ability to create custom dashboards within Liquidware Stratusphere UX. With this feature, I can quickly and easily create a personalized view of my Horizon environment that is tailored to my specific needs and requirements. This allows me to quickly identify any issues or anomalies in my environment and take action to address them before they become major problems.

Overall, I am absolutely thrilled with the performance and capabilities of the IGEL UD Pocket USB and Liquidware Stratusphere UX. These tools have not only saved me time and effort, but have also provided me with valuable insights into my Horizon environment that I never thought possible.

If you’re looking for a reliable, easy-to-use solution for monitoring and reporting on your Horizon environment, then I highly recommend checking out Liquidware Stratusphere UX. And if you have any old IGEL UD Pocket USBs lying around, then definitely give them a try – you might be surprised at how well they still work!

Deploying Aria Automation? Fix a failed deployment with a day 2 operation and API call

Instant Auto-Removal of Failed Aria Automation Deployments

In a recent project, I was tasked with creating an instant auto-removal feature for failed Aria Automation deployments using a custom day 2 operation in the Aria Automation Deployment API. Specifically, we wanted to execute the deployment resource “delete” action every time a deployment fails, and use an Extensibility subscription to be automatically triggered if the status of the deployment is “FAILED” and the event type equals “CREATE_DEPLOYMENT”.

To achieve this, we used Aria Orchestrator to create a custom action. The actual implementation consisted of the following steps:

1. Create a new workflow for the Extensibility subscription, e.g. name it “Delete Deployment”.

2. Create a new input parameter named “inputProperties” with a type of “Properties”. This input parameter will be used to pass the deployment ID and other properties as needed.

3. Inside the workflow, create a scriptable task with the following JavaScript code:

```javascript
// Resolve the Aria Automation endpoint registered in the Orchestrator environment
var vraHostVcoEndpoint = getVraHostVcoEndpoint();

// The deployment ID arrives through the workflow's "inputProperties" input
// (type Properties) created in step 2
var requestBody = {
    "actionId": "Deployment.Delete",
    "inputProperties": {
        "deploymentId": inputProperties.get("deploymentId")
    }
};

// Submit the day 2 "delete" action request to the Deployment API asynchronously
var request = new Request(vraHostVcoEndpoint + "/deployment/api/requests", null, "POST", requestBody);
request.setAsync(true);
request.send();
```

In this code, we first determine the Aria Automation endpoint in the Orchestrator environment using the `getVraHostVcoEndpoint` action. Since we are in a lab environment, we use the default on-premises endpoint. Then, we create a `Request` object with the endpoint, HTTP method (`POST`), and request body. Finally, we set the asynchronous flag to `true` and send the request.

4. To trigger the workflow every time an Aria Automation deployment fails, we create an Extensibility subscription as follows:

```json
{
  "extensibilitySubscription": {
    "displayName": "Delete Deployment",
    "description": "Deletes a failed deployment",
    "eventTypes": ["CREATE_DEPLOYMENT"],
    "action": {
      "actionId": "Delete Deployment",
      "inputProperties": ["deploymentId"]
    },
    "filters": [
      {
        "filterType": "AND",
        "filters": [
          {
            "filterType": "EQUALS",
            "property": "status",
            "value": "FAILED"
          },
          {
            "filterType": "EQUALS",
            "property": "eventType",
            "value": "CREATE_DEPLOYMENT"
          }
        ]
      }
    ]
  }
}
```

In this subscription, we specify the display name, description, event types, and action. We also define filters to apply to the event, such as status equal to “FAILED” and event type equal to “CREATE_DEPLOYMENT”.

With these steps completed, every time an Aria Automation deployment fails, the custom workflow is triggered automatically and executes the deployment resource “delete” action. To limit it to a given cloud template, we could add an “event.data.blueprintId” condition that specifies the corresponding cloud template ID.

In conclusion, this feature allows for instant auto-removal of failed Aria Automation deployments using a custom day 2 operation in the Aria Automation Deployment API. By leveraging an Extensibility subscription and the `getVraHostVcoEndpoint` action, we can automatically trigger the workflow every time a deployment fails, and limit it to a given cloud template if necessary.

NSX-T Configuration with Single NIC Uplink Profile and Static Routing on Edge

This is a comprehensive guide on how to set up an NSX-T lab environment with multiple Edge nodes and Tier-0 Gateway. The guide covers the following topics:

1. Preparing the ESXi hosts for NSX-T installation

2. Creating Transport Node Profiles and applying them to the ESXi cluster

3. Deploying Edge Nodes and configuring the Edge Uplink Trunk segment and Edge Transit segment

4. Configuring a Tier-0 Gateway with north-south connectivity and static routing

5. Creating NSX segments for VM connectivity

6. Verifying connectivity between Tier-0 and uplink router

The guide provides detailed steps and screenshots for each task, making it easy to follow and understand. The guide is written in a humorous way, with references to popular culture and memes, which adds a touch of personality and fun to the tutorial. Overall, this guide is an excellent resource for anyone looking to set up an NSX-T lab environment with multiple Edge nodes and Tier-0 Gateway.

Building an RDSH Farm in Horizon

Building an RDSH Farm in Horizon: A Step-by-Step Guide

In this blog post, we will guide you through the process of creating an RDSH (Remote Desktop Session Host) farm in Horizon 8 (2212), with a focus on the new feature “Published Apps On Demand”. This feature allows users to access published applications on demand, without the need for a dedicated application server.

Prerequisites:

Before we begin, there are a few prerequisites you need to be aware of:

1. You need an RDSH server with Horizon installed.

2. It is recommended to have the DEM (Dynamic Environment Manager) and App Volumes Agent installed as well.

3. Create a snapshot of your VM before proceeding, as this is required for cloning.

Creating an RDSH Farm:

To create an RDSH farm, follow these steps:

1. Open the Horizon management console and navigate to Farms.

2. Click “Add” to start creating a new farm.

3. Leave the “Automated Farm” setting on default, and click “Next”.

4. Select your vCenter Server and click “Next”.

5. Leave the “Storage Optimization” settings as default, as we don’t use vSAN in our lab. Click “Next”.

6. Enter a Farm ID and specify any additional settings if desired. For this blog, we will leave these settings default. Click “Next”.

7. Choose a Naming Pattern and select the maximum number of machines you want to create in your farm. Click “Next”.

8. Specify the VM and snapshot of the VM you have created. Select the location where you want the cloned VMs to land. Click “Next”.

9. Select your Instant Clone Domain Account and the OU where the computer objects need to be created. Click “Next”.

10. Review your selected settings, then click “Submit” to start the cloning process.

Monitoring the Cloning Process:

After submitting your settings, you can monitor the progress by selecting your farm. When the cloning process is successfully finished, the state should be “Published”.

Navigating to the RDS Hosts Tab:

To see the hosts you’ve created, navigate to the “RDS Hosts” tab in the Horizon management console.

Conclusion:

In this blog post, we have demonstrated how to create an RDSH farm in Horizon 8 (2212) with the new feature “Published Apps On Demand”. We have also covered the prerequisites and the step-by-step process for creating a farm. We hope this guide has been informative and helpful for you. If you have any questions, feel free to contact us.

About the Author:

Hi, my name is Age Roskam, and I work as a Consultant at ITQ. Over the last decade, I’ve gained a lot of knowledge and experience in the field of End User Computing, and in recent years, also in the world of Cyber Security. Since 2018, I’ve been awarded the VMware vExpert status every year. In 2020, I received the honor to be part of the first vExpert EUC subprogram, and in addition to that, I’m part of the vExpert Security subprogram since 2021. When I’m offline, I enjoy family, sports, and grilling on my BBQs.

Streamline Your Application Delivery with On-Demand Packages in App Volumes

Creating an On-Demand Package in App Volumes: A Step-by-Step Guide

In this blog post, I will guide you through the steps of creating an on-demand package in App Volumes. This type of package allows users to access the application only when they need it, reducing the storage requirements and improving performance. I will be using 7-Zip as the example application, but the process applies to any application.

Step 1: Log in to App Volumes Manager

To create an on-demand package, you need to have App Volumes Manager installed and a packaging VM already created. Open App Volumes Manager and log in to your account.

Step 2: Create the Application

Click on the “Create” button to create a new application. Give the application a name, and select the “On-demand” radio button. Click “Create” again to continue.

Step 3: Attach the Package VM

Now it’s time to attach the empty .vmdk to the package machine. Click on “Package” and search for your package VM. Select it and click “Create” again. Click “Start Packaging” to start the attachment process.

Step 4: Install the Application

When you are logged into your package VM, you’ll see a small window in the bottom right corner. Do not click OK yet! First, install the application. In this case, I’m using 7-Zip, so I’ll run the installer and follow the steps to install and configure the application.

Step 5: Finalize the Package

When you have finished installing and configuring the application, click OK. You’ll be prompted to review the name and version of the package, and you can add some notes if needed. Click “Finalize” to finalize the package.

Step 6: Set the CURRENT Marker

Now we need to set the CURRENT marker on the package we’ve just created. In the App Volumes Management console, click on the “Set CURRENT” button and select the package you just created. Click “Set Current” to set the marker.

Step 7: Assign the Package

The final step is to assign the package to the user(s). On the home screen of the management console, click on the + icon of the application and click on “Assign.” In my case, I’m going to assign it to an AD security group. Enter the name, select the right group, and click “Assign.” Leave the Assignment Type on Marker!

That’s it! You have now successfully created an on-demand package in App Volumes. This type of package allows users to access the application only when they need it, reducing storage requirements and improving performance. If you have any questions or need further assistance, feel free to contact me.

Streamline Your Published Apps with On-Demand Configuration in Horizon

Published Apps on Demand in Horizon version 2212: A Game Changer!

In the latest version of Horizon, version 2212, Published Apps on Demand have been released as GA. This feature allows you to publish applications on demand, making it possible to provide users with a more flexible and efficient way of accessing applications. In this blog, I will guide you through the steps required to configure this new feature in the Horizon Management console and test a brand new On-demand Published App.

Prerequisites:

* A Horizon environment up and running together with an App Volumes manager.

* At least one “on-demand” package created in App Volumes.

Configuring Published Apps on Demand:

1. Open the Horizon management console.

2. Navigate to Servers, App Volumes Managers, and click Add.

3. Enter the App Volumes manager FQDN, port number, and credentials. Click OK.

4. Important: Your App Volumes manager needs a valid SSL certificate signed by a trusted CA. The default self-signed certificate will not work unless it is added to the trust store, and I don’t recommend doing that in a production environment.

5. Repeat the steps if necessary.

6. Associate the App Volumes manager with a Farm in Horizon. If you don’t have a farm ready, follow the steps here.

7. Navigate to the Applications tab, select Add, and Add from App Volumes Manager.

8. Select the applications you want to add as published apps, and click Next.

9. Review the ID and Display Name of the apps, and click Submit.

10. Select the added applications, click Entitlements, and select Add Entitlements. Click on Add, enter and select the group or user(s) you want to entitle, and click OK.

Testing Published Apps on Demand:

1. Log in on the RDSH server to show that none of the applications I’ve just added is installed or attached to the host. It’s called Published Apps on Demand for a reason ;-).

2. In the App Volumes Manager, you can see that there is not a single package attached to a machine.

3. Open the Horizon HTML5 client, and you will see the three applications I’ve added to the Horizon management console as published apps. When I start Notepad++, I don’t see a virtual desktop, just the application running in the browser.

4. When I go back to my RDP session, I’m refreshing the programs and features windows I had open, and there you go! It looks like Notepad++ is installed on this machine.

5. When I refresh my App Volumes management console, I now see one attachment of Notepad++ to my RDS host.

Conclusion:

Published Apps on Demand in Horizon version 2212 is a real game changer! It provides users with a more flexible and efficient way of accessing applications, and it’s easy to configure in the Horizon Management console. I have a great use case for it, which I’ll explain in another blog. Thank you for reading, and if you have any questions, feel free to contact me.

Bitfusion and VMware

Agustín Malanco is a VMware CTO Ambassador and recently attended the OCTO Global Field & Industry program, where he had the opportunity to learn about new technologies and architectures that are being developed or have already been introduced within the VMware ecosystem. One of the most striking new technologies he encountered was Bitfusion, which was acquired by VMware a few months ago.

Bitfusion is a solution that enables the creation of a distributed pool of GPU resources, allowing applications to access these resources as if they were local, thereby improving the utilization of available resources and enabling more flexible and scalable computing environments. This technology has the potential to revolutionize the way we approach computing and data processing, particularly in fields such as machine learning (ML), artificial intelligence (AI), and big data.

So, what do these technologies have in common? They all rely on the use of GPUs to process large amounts of data quickly and efficiently. However, traditional methods of accessing GPU resources have been limited by the need for local access and management of these resources, which can lead to silos within data centers and suboptimal resource utilization.

Bitfusion changes this by providing a distributed pool of GPU resources that can be accessed by applications as needed, without the need for physical local access or rearchitecture of applications. This allows for more flexible and scalable computing environments, and enables applications to take advantage of the vast processing power of GPUs without the limitations of traditional GPU access methods.

The architecture of Bitfusion is designed to be simple and straightforward, with three main components:

1. The Bitfusion Client: This component provides a simple interface for applications to request access to the distributed pool of GPU resources.

2. The Bitfusion Server: This component manages the pool of GPU resources and directs requests from the client to the appropriate resource.

3. The GPU Resources: These are the actual GPU resources that are being pooled and made available for access by applications.

There are several key considerations when designing with Bitfusion, including:

1. Resource Management: Bitfusion must be able to manage the pool of GPU resources effectively to ensure that they are utilized efficiently and that there is no wasted capacity.

2. Application Compatibility: Bitfusion must be able to work seamlessly with a wide range of applications, without requiring any modifications or rearchitecture of these applications.

3. Security: Bitfusion must provide robust security features to ensure the integrity and confidentiality of data being processed by the GPU resources.

Overall, Bitfusion represents an exciting development in the field of computing and data processing, and has the potential to enable new use cases and applications that were previously not possible. As more and more organizations look for ways to harness the power of GPUs, solutions like Bitfusion will play an increasingly important role in enabling flexible, scalable, and efficient computing environments.