This content is part of the Essential Guide: A complete guide to XenApp and XenDesktop vs. Horizon

Essential Guide

Browse Sections

Horizon 7 Smart Policies helps increase security

If you want to smarten up your security, using Policy-Managed Client Features in Horizon 7 can help.

When combined with VMware User Environment Manager 9, Horizon 7 offers a set of Smart Policies that can be applied based on certain conditions. These security-focused features are among many new improvements that were introduced in Horizon 7.

There are certain functions that companies will only want accessed from inside their private network. With Smart Policies, admins can choose when features such as printing, USB redirection, clipboard access, client drive redirection and PC over IP profiles can be used. Smart Policies can use a location or IP address to determine when those features can be accessed.

Policy Managed Client Features, which is a feature of Smart Policies in Horizon 7, can help accomplish this. If you open VMware User Environment Manager (UEM), you can set up policies under the User Environment tab. As seen in Figure A, you can toggle the different features from enable to disable.

Horizon Policy.
Figure A. Horizon Policy general settings.

These policies allow you to enable or disable settings or set values according to your organization's policy. But what makes them so smart? They can be activated based on conditions. There is a list of 16 conditions to choose from, including detecting if the client is running on its battery, if the IP address is between a specified range, a registry key, an exit code, a specific endpoint name and more. So, technically speaking, the policies themselves aren't all that smart -- it's the user who makes them smart.

With Horizon 7, for example, if you choose the IP address as the condition, you could pick your company's network IP address range. If you log in to the virtual desktop from an IP address outside the secure network, you will be able to see the different features, but you won't be able to use them. If you disabled a feature in the UEM, such as printing, you won't be able to print. If you access the virtual desktop from a secure IP address within the specified range, you will be able to access those features.

Setting the gateway location property.
Figure B. Setting the gateway location property.

In Figure B, I've displayed which policies allow features to be enabled when users are accessing the virtual desktop when at the office -- internal -- versus those which allow access from outside the office -- external. This can be accomplished by using the Horizon Client Property of Client Location and testing to see whether it is set to internal or external. By default, View Connection Server instances set the gateway location to internal, and security servers set the gateway location to external. You can change the default gateway location by setting the gateway location property in the file, but for our purposes we can use the default settings. The value can also be found in the environment variables, as is evident in Figure B.

There are a good number of new features in Horizon 7 but Smart Policies is one that stands out for security reasons. This feature helps admins choose when and how users can access certain tools.

Next Steps

VMware Horizon 6.1 accompanied by big changes

Understanding the facts of VMware Horizon Suite

What's new in VMware Horizon 6.2?

Dig Deeper on VMware updates, certifications and training

Virtual Desktop
Data Center
Cloud Computing