In one of my last posts I explained the basic concept of VMware’s User Environment Manager (UEM) and how we can use it to pre-configure or enforce specific settings of applications in our Desktop environment.
In the following I am going to dig a little bit deeper and show you how those concepts get configured and can be used in the world of UEM.
Check my further readings:
- My Installation and Troubleshooting guide
- My opinion about Virtualized Desktop Infrastructure (VDI) in the year 2016
- UEM Collection (Update, Troubleshooting, Predefined settings, etc.)
Create Default Settings with the Application Profiler
Once we have installed the Application Profiler we are able to create config files for UEM that explain which portion of the filesystem/registry is a part of the application’s user data.
The process is quite simple. Start the Application Profiler, start the application from within it, and configure the relevant settings you want to enforce or have as a default configuration.
Once you are done, close your application and save the outcome as a pre-defined setting.
Create Default / enforced settings without the Application Profiler
In case you cannot use the Application Profiler (applications whose config files are part of the UEM installation cannot be captured via the Application Profiler), you can use another method to create default or enforced settings.
Specific application is available as an Application Template in the Flex Profile Management Console
Requirements:
- A functional config file for the Application must exist
- A sample AD user whose profile is managed by UEM (I call this user: profiledev)
Log in as profiledev to a Desktop whose application settings you want to capture, and start the application for which you want to create default/enforced settings.
Once you have defined all relevant settings, close the application and log off your Desktop session. Make sure that an export of the profile occurred by checking your UEM log file (see my troubleshooting post).
Open the UEM Management Console and go to your config file. In my case Internet Explorer -> Predefined settings.
Create a new Predefined setting and call it appropriately.
Once you click install you can select the application profile archive that should be used for your predefined/enforced setting. In our case I select the one created by the user profiledev, which can be found on the User Profile Archive file share.
Voila that’s it.
Important:
You can analyze and edit the pre-defined User profile Archive, but you must do it via the management console and the edit Button.
Extracting the profile via Windows Explorer, changing and compressing it again will not work out of the box!!!
You can always edit files or portions of the registry here to clean up or achieve the result you want to have. I will show you a use case on that topic later.
The same mechanisms apply if you want to use partial/fully enforced or default settings. Every time you select a profile a copy on the config share will be created. Which one will be taken by UEM? The one where our defined conditions in the end get applied (top -> down -> last hit counts).
On the config file share you will find the predefined/default configuration files as CONFIGNAME-UEM-PD-#N.zip files.
Within your UEM user’s log file (remember, the log file gets written during the export of the profile) you can figure out which settings are getting applied.
Create a fully enforced and secure Internet Explorer
Keep in mind that all of the pre-defined characteristics only apply during the import step of the UEM process. When does the import occur?
- During Logon (Default setting)
- During Application Start (If DirectFlex has been configured for the Application)
If we want to create a secure unchangeable Internet Explorer for our Security Zone Users (the story is pure fiction) we need to fully-enforce a setting that also disables the possibility to change the Internet Explorer settings.
How do we do that? Use the techniques we have learned so far.
We create a new fully-enforced setting and specify our condition when this policy should be applied.
Afterwards we select the profile we want to use (e.g. one configured with the highest possible IE standards) and edit the profile (as described above).
In addition to the default settings, we add the following line to the registry file, with the result that Internet Explorer will not allow us to make any changes here.
NoBrowserOptions = 1
Of course, we need to know such characteristics of our applications. Once again the slogan within a great VDI environment is:
‘Know the User, Know the Apps’
I call it the KUKA principle ;-)
Whatever… If a user logs in now and the conditions we have defined make him a Top Secret member, the hardened IE settings are applied and the user cannot change anything.
That’s it.. Quite cool…quite useful, isn’t it? UEM is a quite powerful solution I would always recommend when you go the VDI road.
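A check for the registry step above, as an added example that is not part of the original post: it parses registry text in regedit export syntax and reports whether the hardening value is present with the expected data. The post names only the value, so the Internet Explorer Restrictions policy key used here is an assumption of this example, as are the function names and the constructed sample text.

```python
import re

# Assumption: the post gives only the value name. This example expects it under
# the per-user Internet Explorer "Restrictions" policy key.
RESTRICTIONS_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions"
REQUIRED = {(RESTRICTIONS_KEY, "NoBrowserOptions"): 1}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.+)$')

def parse_reg(text):
    """Return {(key, value_name): data} for regedit-style text.
    dword data becomes an int; every other type is kept as its raw string."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" deletes a key, so no values can belong to it
            key = None if m.group(1) else m.group(2)
            continue
        m = VAL_RE.match(line)
        if m and key:
            name, data = m.group(1), m.group(2).strip()
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            # Registry key and value names are case-insensitive
            values[(key.lower(), name.lower())] = data
    return values

def missing_settings(text, required=REQUIRED):
    """Return (key, name, expected, found) for each required value that is absent or wrong."""
    found = parse_reg(text)
    return [(k, n, want, found.get((k.lower(), n.lower())))
            for (k, n), want in required.items()
            if found.get((k.lower(), n.lower())) != want]

# Constructed samples, not taken from a real profile archive.
HARDENED = ("Windows Registry Editor Version 5.00\n\n"
            "[" + RESTRICTIONS_KEY + "]\n"
            '"NoBrowserOptions"=dword:00000001\n')
UNHARDENED = HARDENED.replace("dword:00000001", "dword:00000000")

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, missing_settings(sample) or "OK")
```

Files written by regedit in the Version 5.00 format are UTF-16 encoded, so decode them before passing the text to missing_settings.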