Dynamic Environment Manager Configuration

This chapter is one of a series that make up the Omnissa Workspace ONE and Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Omnissa Workspace ONE and Omnissa Horizon solutions.  This chapter provides information about common configuration and deployment tasks for Omnissa Dynamic Environment Manager.

Creating SMB Shares

Dynamic Environment Manager utilizes two SMB shares. The configuration share contains policy configuration data and is updated by administrators. The profile archive share is used to store and persist customized user settings and log files.

See Infrastructure Requirements for detailed information about creating and configuring NTFS and share permissions for these shares.

Note: NTFS security permissions must be created properly to ensure users are able to automatically create folders on first use, and to limit a user’s access to only their own folder.

The following sections illustrate the NTFS and share permissions used in the reference architecture.

Permissions for the Configuration Share

The following figure shows the NTFS permissions used in this reference architecture.

Figure 1: NTFS File Permissions on the Configuration Share

The following figure shows the share permissions used in this reference architecture.

Figure 2: Share Permissions for the Configuration Share

Permissions for the Profile Archive Share

The following figure shows the NTFS permissions used in this reference architecture.

Figure 3: Full Control Is Limited to CREATOR OWNER, SYSTEM, and Dynamic Environment Manager Admins

The following figure shows the share permissions used in this reference architecture.

Figure 4: Share Permissions for the Profile Archive Share Are Granted to Everyone

Optional, computer-based Horizon Smart Policies are available to customize the Horizon user experience for settings stored in the HKLM registry hive. Implementing computer-based policies requires agent and management console configurations, in addition to additional share permissions. See Horizon Smart Policies for additional information.

Computer-based Horizon Smart Policy settings were configured for FlexEngine (that is, the Dynamic Environment Manager agent) on the instant-clone golden image. Logging computer-based settings was configured for \\domain.com\share\DEM_Profiles\ComputerLogs\%computername%.log

Figure 5: LogFileName Is Set to the Computer Name for Computer-Based Smart Policies

In this case, the computer account of the instant-clone VM will create a log file in the ComputerLogs folder with a unique computer name.

The following additional NTFS advanced permissions were configured on the ComputerLogs folder: For Domain Computers, the Create files / write data and Create folders / append data check boxes were selected.

Figure 6: Additional Computer-Based Permissions Using Domain Computers Group

Group Policy Settings

Dynamic Environment Manager provides a number of mandatory, optional, and advanced policy settings to optimize your deployment. The following instructions are excerpted from the Dynamic Environment Manager Administration Guide. Refer to this guide for more details on Group Policy settings.

Mandatory GPO Settings

1. Copy the DEM.admx and DEM FlexEngine.admx ADMX template files (and their corresponding ADML files) from the download package to the ADMX location as described in the Managing Group Policy ADMX Files Step-by-Step Guide on the Microsoft Web site.
2. Open the Group Policy Management Console and create a new GPO or select an existing GPO that is applied to the users for which you want to configure FlexEngine.
3. Open the Group Policy Management Editor by right-clicking the selected GPO and clicking Edit. The FlexEngine ADMX template is available under User Configuration > Administrative Templates > VMware DEM > FlexEngine.
4. Configure the appropriate Group Policy settings for Dynamic Environment Manager. At a minimum, the following must be set:
   
   1. Flex config files – Location of the Dynamic Environment Manager configuration share.
   2. Profile archives – Location of the Dynamic Environment Manager user profile archive share.
5. Configure FlexEngine to run during the Windows login process so that Dynamic Environment Manager can get all the settings for the Windows device and apply some of them as soon as the user logs in. Use either of the following mechanisms:
   
   1. Configure FlexEngine to run as a Group Policy extension (recommended).
   2. Configure FlexEngine to run using a logon script.
6. Define a logoff script to configure FlexEngine to export and store profile settings when the user logs off the operating system. The syntax of the logoff script is:

“C:\Program Files\VMware\Horizon Agents\Dynamic Environment Manager\FlexEngine.exe” -s

The Group Policy settings to use are listed in the following tables.

Table 1: Dynamic Environment Manager GPO Settings for User Configuration > Policies > Administrative Templates > VMware UEM > FlexEngine

Table 2: Dynamic Environment Manager GPO Settings for User Configuration > Policies > Windows Settings > Scripts

Optional GPO Settings

Dynamic Environment Manager has several optional GPO settings. Although not required, the following optional settings are recommended.

• Use the Profile Archive Backups Group Policy setting to configure the location and number of backups to create. Users can restore a profile archive using either the Self-Support tool or the Helpdesk Support Tool. Keeping several backup copies increases the likelihood of successfully restoring to a known good working state. For additional information, see:
  
  • Using Dynamic Environment Manager Self-Support
  • Helpdesk Support Tool Administration Guide
• Use the FlexEngine Logging Group Policy setting to configure the location and filename of the FlexEngine log file, the level of log detail, and the maximum size of the log file.
• For test environments or troubleshooting purposes, you can select the Debug log level to produce verbose log files. For production deployments, consider using a log level other than Debug or Info to prevent delayed logon times and excessive log growth.
• Note: Debug logging can be enabled for an individual user without changing the log level for all users. This is useful for troubleshooting individual user issues. See the Knowledge Base article Enabling debug logging for a single user in Omnissa Dynamic Environment Manager (2113514)

The Group Policy settings to use are listed in the following table.

Table 3: Dynamic Environment Manager GPO Settings for User Configuration > Policies > Administrative Templates > VMware DEM > FlexEngine

Horizon Smart Policies

Horizon Smart Policies represent an integration between Dynamic Environment Manager and Horizon. Although a number of ADMX templates are available to configure Horizon, Dynamic Environment Manager provides you the ability to fine tune the Horizon user experience by combining policy settings with conditions, while removing the dependency on GPOs. See Create a Horizon Smart Policy in Dynamic Environment Manager to learn more.

Many of the Horizon Smart Policy settings can be used to optimize the Blast Extreme display protocol.

Figure 7: User-Based (on Left) and Computer-Based (on Right) Horizon Smart Policy Settings

The Dynamic Environment Manager Enhanced Horizon Smart Policies feature walk-through provides an overview of both user- and computer-based Horizon Smart Policy options.

See the Blast Extreme Optimization Guide for guidance on tuning Blast Extreme for your use cases and network conditions.

The following tables contain some simple sample Horizon Smart Policies, which are defined in the Dynamic Environment Manager Management Console. Adapt them to suit the use case and environment.

Table 4: Horizon Smart Policies – External

Table 5: Horizon Smart Policies – Internal

Table 6: Horizon Smart Policies – ZContractor

You should also configure a triggered task to ensure that Smart Policies are reevaluated every time a user reconnects to a session, so the user gets the appropriate policy applied. See Configure Triggered Tasks for more information.

Table 7: Triggered Task – Horizon Smart Policies

Additional Configuration

Dynamic Environment Manager provides options to manage many aspects of the user environment. The following configurations were made for this reference architecture.

• Configure folder redirection to abstract user data to SMB shares. Use the Dynamic Environment Manager user environment settings described in the following table.

Table 8: Folder Redirection – User Environment Policies

• Configure application blocking to prevent users from running cmd.exe. See Configure Application Blocking to enable and configure the application-blocking rules.
• Configure Dynamic Environment settings to map the H: drive to the user’s home drive and to map location-based printers. See Using the User Environment Tab for more information.
• As was described earlier in this chapter, in Group Policy Settings, to configure FlexEngine, you create a GPO in Active Directory. To configure the GPO, use the administrative templates that are provided with Dynamic Environment Manager.

You can use multiple GPOs if you need to provide different FlexEngine configurations, for example, to manage multiple environments for multiple users. An example of different GPOs is shown in the following figure.

Figure 8: Example of Dynamic Environment Manager GPOs

Important: Command-line arguments can override all FlexEngine settings configured through a GPO. FlexEngine command-line arguments have a higher priority than GPO settings. See FlexEngine Command-Line Arguments for additional information.

High Availability with Windows Failover Clustering

Because Dynamic Environment Manager leverages the existing infrastructure, you do not need to take many measures to make a highly available solution.

For an example Dynamic Environment Manager configuration with Microsoft DFS, see the Multi-site Design section in Dynamic Environment Manager Architecture.

You can also use Windows failover clustering for high availability of the Dynamic Environment Manager file shares. A failover cluster is a group of independent computers that provide continuous availability for applications and services. If one computer fails, another computer continues to provide the service, and users experience minimum downtime. For more information, see the Microsoft article, Failover Cluster Step-by-Step Guide: Configuring a Two-Node File Server Failover Cluster.

Figure 9: Select an Option for a Clustered File Server

Important: When Using Windows Server 2012, select File Server for general use. Do not select the Scale-Out File Server for application data option, because it is incompatible with Dynamic Environment Manager data, user profiles, redirected folders, and home drives.

You can combine DFS and clustering for better scalability and high availability. For more information, see the Microsoft blog post, Deploying DFS Replication on a Windows Failover Cluster – Part III.

Folder Redirection

Folder redirection, which is described in the Microsoft topic Folder Redirection and Roaming User Profiles, has been available for many versions of Windows. This technology enables certain folders in a user profile, which contain user data and user configuration data, to be redirected to a network share. Users and applications interact with the folders as if they were local to the guest OS, though the content resides on a remote share.

For the purposes of this section, the following definitions are used:

• User data – Content created by an end user (examples: document, graphic, or presentation) and saved to one of the predefined Windows profile folders (examples: Documents, Pictures, or Desktop).
• User configuration data – Windows and application configuration settings that control the look and behavior of Windows and applications. As users customize their desktop environment, configuration data is stored in the registry (HKCU) or in configuration files (examples: INI or XML files stored in the AppData folder).

Folder redirection has been used for years with physical and virtual PCs for two key reasons:

• End users are free to roam from device to device in their organization, and still have access to user content data and user configuration data.
• Redirecting data to network shares makes it considerably easier for IT to back up and restore data as needed.

Folder Redirection with Dynamic Environment Manager

Dynamic Environment Manager is designed to manage user configuration data, while relying on complementary technology such as folder redirection to persist user data.

Which folder you choose to redirect will vary. Dynamic Environment Manager environment settings can be used to configure folder redirection. This method provides some guidance on recommended folders to redirect. The Desktop folder requires special consideration. Users may choose to save user data, desktop shortcuts, and more to this location, though it is not an ideal candidate for redirection.

Best practice is to redirect profile folders that contain user data to the user’s home directory so that the content is always available and easy to back up.

Unlike a roaming profile solution, which copies user data from the network to the guest and back with each Windows session, folder redirection simply redirects file access to the network share. In comparison, folder redirection can dramatically improve login and logout times, and reduce the likelihood of data corruption.

Configuring Folder Redirection in Dynamic Environment Manager

You can configure folder redirection in the Dynamic Environment Manager Management Console, as shown in the following figure.

Figure 10: Folder Redirection Configuration

Using Dynamic Environment Manager to configure folder redirection offers several advantages:

• Consolidation of folder redirection settings in a common management interface used for various other user environment settings
• Flexibility to make changes to folder redirection without having to undergo GPO change control processes
• Ability to combine folder redirection configurations with the conditions that Dynamic Environment Manager provides

You can alternatively configure folder redirection through standard group policies available in Active Directory. Using the GPO option provides some additional functionality not available when using Dynamic Environment Manager to configure folder redirection.

• GPO offers the option to move existing user data to the redirected folder.
• GPO can also enable offline files, which makes the redirected folders available offline. This option is mainly used for roaming laptops.

When users roam across physical or virtual desktops or RDSH servers, we recommend redirecting only profile folders that contain user data, such as the Documents and Pictures folders, to the user’s home directory.

For performance reasons, we do not recommend redirecting folders like AppData and the Programs menu. Instead, for profile folders that contain application and Windows configurations, such as AppData, we recommend creating Flex configuration files and using the Dynamic Environment Manager import and export functionality to manage which personalization settings to store. The following figure shows the import/export configuration for Adobe Acrobat Reader.

Figure 11: Adobe Acrobat Reader Configuration File Import/Export Section

Additional benefits of managing profile settings with Dynamic Environment Manager include:

• Reduced network storage because the folders and files have stricter management and compression
• Cross-platform usage for settings
• Fewer open file handles to the file servers

Troubleshooting

With its few infrastructure dependencies and verbose, human readable logging capabilities, Dynamic Environment Manager is relatively easy to troubleshoot. The following resources will help you quickly resolve common issues.

• See the Troubleshooting section of the Dynamic Environment Manager Tech Zone product page.
• To turn off FlexEngine for a single user, see the Knowledge Base article, Skipping the path-based import/export, Offline import, DirectFlex refresh, and DEM refresh for single user in Omnissa Dynamic Environment Manager (2138928)
• Dynamic Environment Manager can generate an XML file that contains information about all configuration files and user environment settings that have been processed. See Generating Reports About Flex Configuration Files and User Environment Settings.
• The Helpdesk Support Tool is an optional Dynamic Environment Manager component. It provides support capabilities for Dynamic Environment Manager profile archives and profile archive backups through an intuitive graphical user interface. The Helpdesk Support Tool also displays total profile archive sizes for a user and an integrated log file viewer. See the Helpdesk Support Tool Administration Guide.
• Dynamic Environment Manager provides a Self-Support tool as part of the FlexEngine installation. See Using Dynamic Environment Manager Self-Support.
• To troubleshoot issues when running Windows logon scripts on Windows 7 and Windows Server 2008 R2 synchronously, see the Microsoft article, Group Policy logon scripts do not run in Windows 7 or in Windows Server 2008 R2.
• When a user starts both a published desktop and one or more published applications, the user could have multiple sessions on the same RDSH server. In this case, the default Windows behavior is for all sessions to share the same user profile and registry, causing issues such as drive mappings not appearing. Dynamic Environment Manager has a workaround: Add the parameter –HorizonMultiSession (for Horizon) or -MultiSession (for Microsoft RDS and Citrix) to the Dynamic Environment Manager logon and logoff scripts.

Summary and Additional Resources

Now that you have come to the end of this configuration chapter on Omnissa Dynamic Environment Manager, you can return to the reference architecture landing page and use the tabs, search, or scroll to select further chapter in one of the following sections:

• Overview chapters provide understanding of business drivers, use cases, and service definitions.
• Architecture chapters give design guidance on the Omnissa products you are interested in including in your deployment, including Workspace ONE UEM, Access, Intelligence, Workspace ONE Assist, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
• Integration chapters cover the integration of products, components, and services you need to create the environment capable of delivering the services that you want to deliver to your users.
• Configuration chapters provide reference for specific tasks as you deploy your environment, such as installation, deployment, and configuration processes for Omnissa Workspace ONE, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Management, and more.

Additional Resources

For more information about Dynamic Environment Manager, you can explore the following resources:

• Dynamic Environment Manager product page
• Dynamic Environment Manager documentation

• Knowledge Base

Changelog

The following updates were made to this guide:

Author and Contributors

This chapter was written by:

• Josh Spencer, Senior Product Line Manager, Omnissa.
• Graeme Gordon, Senior Staff Architect, Omnissa.
• Pim van de Vis, Lead Solution Engineer, Omnissa.

Feedback

Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.