VMware AppVolume and Dynamic Environment Manager

Authors
  • Name
    Jackson Chen

VMware AppVolumes Documentation

https://docs.vmware.com/en/VMware-App-Volumes/index.html

VMware Dynamic Environment Manager

https://docs.vmware.com/en/VMware-Dynamic-Environment-Manager/index.html

Master Dynamic Environment Manager

https://techzone.vmware.com/mastering-dynamic-environment-manager

AppVolumes 4 - 2103 Installation Guide

AppVolumes 4 - 2103 Administration Guide

App Volume 4 Administration Guide

VMware Dynamic Environment Manager Administration Guide

VMware Dynamic Environment Management Admin Guide

Load Balancing VMware App Volumes

https://www.loadbalancer.org/applications/load-balancing-vmware-app-volumes/

F5 App Volume Load Balancing

F5 AppVolume Load Balancing

VMware Dynamic Environment Manager Key Benefits

VMware Dynamic Environment Manager helps you build on the existing infrastructure

  1. Centralized and simplified dynamic environment management with policies and settings
  2. Consistent and personalized user experience
  3. Enterprise-grade scalability
  4. Building block for Just-in-Time

App Volumes

AppVolume Architecture

https://techzone.vmware.com/resource/app-volumes-architecture#introduction

App Volumes logical components

AppVolume logical components

App Volumes delivers applications concurrently to virtualized desktop environments:

  1. IT can build a concurrent application delivery system that centrally manages all applications.
  2. Applications are delivered to virtual desktops through VM disks (VMDK) without modifying the VM or applications themselves.
  3. Manage all or some applications inside App Volumes Application Packages.

Scalability and Availability

As with all server workloads, it is strongly recommended that enterprises host App Volumes Manager servers as vSphere virtual machines. vSphere availability features such as cluster HA, VMware vSphere® Replication™, and VMware Site Recovery Manager™ can all complement App Volumes deployments and should be considered for a production deployment.

In production environments, avoid deploying only a single App Volumes Manager server. It is far better to deploy an enterprise-grade load balancer to manage multiple App Volumes Manager servers connected to a central, resilient SQL Server database instance.

AppVolume Scalability Architecture

App Volumes Managers

App Volumes Managers are the primary point of management and configuration, and they broker volumes to agents. For a production environment, deploy at least two App Volumes Manager servers. App Volumes Manager is stateless—all of the data required by App Volumes is located in a SQL database. Deploying at least two App Volumes Manager servers ensures the availability of App Volumes services and distributes the user load.

Application Packaging

App Volumes packages applications to an entity without sequencing or streaming

1. Create an empty Application
2. Add a Package to the Application
3. On the packaging machine, install the application and finalize packaging
4. On the App Volumes server, assign a specific Package from the Application to a user, machine or OU
5. Package is attached at user login or computer startup

App Volumes enables you to manage your VDI and Remote Desktop Services (RDS) application life cycle from a single place:

  1. A packaging VM is used to capture one or more installers, and the output is a VMDK that can be distributed to AD objects such as users or groups.
  2. Packagers can unlock single application packaging making it easier to package individually and deliver applications in any combination. Single application packaging facilitates quick logins when 20–30 applications are attached.
  3. Packagers can package each application individually and deliver it in any combination.
  4. Applications are delivered, updated, patched, and retired using the same capture method to enforce a user profile and policy.

App Volumes Storage Groups

Storage groups can be defined to automatically replicate packages or distribute writable volumes across multiple datastores

1. Storage group automation
    a. Automatic replication: Replicate any package placed on any datastore across all datastores
    b. Automatic import: After replication, import packages into the App Volumes Manager
2. Storage group distribution strategy
    a. Spread: Distributes files evenly
    b. Round-Robin: Distributes files sequentially

App Volumes Installation Components

App Volumes Manager

  1. Web Console for assignments and configurations integrated with AD and vSphere
  2. Manages assignments of volumes to users, groups, and target computers
  3. Automates the assignment of applications and writable volumes for agents during the desktop startup and user login

App Volumes Agent

  1. File system and registry abstraction layer running on the target system
  2. Virtualizes file system and write operations when used with a writable volume
  3. Components include: Service component for communication and Driver component for virtualization

App Volumes Database

  1. MS SQL database
  2. Contains configuration information for packages, writable volumes, users, machines, entitlements, and transaction

App Volumes Components

Application Package

  1. A read-only volume containing the logical construct of an application
  2. Can map more than one package per user or target
  3. Deploys applications to virtual desktops or RDS desktops
  4. After a package is attached, a user can run the associated application
  5. Thin-provisioned disk

Writable Volume

  1. A read-write volume that is used to retain user-installed applications and changes to the local profile
  2. One writable volume per user
  3. Provides storage for user-specific application profile settings, documents, and installed applications.
  4. Provides added flexibility for users

Data flow without a Direct-to-host connection

The App Volumes data flow for user connections without a direct-to-host connection is as follows:

  1. The user connects to Virtual Desktop.
  2. App Volumes Agent queries the App Volumes Manager for an assigned writable volume and assigned packages to mount.
  3. Attachment of packages and the writable volume begins during the desktop login.
  4. The App Volumes Manager directs to vCenter Server to get ESXi to mount the assigned writable volume and packages.

Data Flow with Direct-to-Host Connection (Mount on Host)

With a direct-to-host connection, the data flow is as follows:

  1. The user connects to a virtual desktop.
  2. The App Volumes Agent queries the App Volumes Manager for an assigned writable volume and assigned packages to mount.
  3. Attachment of packages and writable volumes begins during the desktop login. However, when the asynchronous mounting setting is enabled, the App Volumes Manager no longer waits for disks to be attached before responding to the agent.
  4. The best practice for large-scale deployments is to have App Volumes Manager direct ESXi to mount the assigned writable volume and packages, without going through a vCenter Server

App volumes deployment overview

1. Install App Volume Manager on App Volume Server
2. Complete the initial configuration
3. Install App Volume agents
4. Create Application, add Package to the Application
5. Use the packaging machine to package the application which autogenerates the Program
6. Make the Package CURRENT and assign it to users or machines

Networking Requirements

The App Volumes Manager and the SQL database have the following networking requirements:

1. App Volumes Manager
    a. Agent and manager communications
    b. TCP 80 (HTTP)
    c. TCP 443 (HTTPS)
2. App Volumes SQL Database
    a. Database communication
    b. TCP 1433 (SQL)

For high availability, App Volumes supports the following database features

  1. SQL Server Clustered Instances
  2. SQL Server Mirroring

App Volumes Requirements: Access Rights

The following access rights are required:

1. A service account with the following attributes, which enables the App Volumes Manager to connect to the AD
    a. Read access to the AD domain without requiring administrator permissions
    b. No expiration date for the password.
2. A designated AD group that gives the App Volumes administrators access to the App Volumes Manager.
3. A vCenter Server administrator account that has administrator permissions at the data center level for packages VM provisioning
    a. The account must have browsing permissions for vSphere datastores.

Multiple vCenter Server Instances

When using multiple vCenter Server instances, a package is tied to the storage available to each vCenter Server instance:

  1. If one of the vCenter Server instances does not have access to the shared storage, it is unable to use the packages.
  2. Use storage groups to replicate packages across vCenter Server instances.

Backup and Recovery Processes

App Volumes backup and restore process

# Back up the following components
1. SQL database
2. Packages
3. Writable volumes 

# The recovery process steps are as follows
1. Restore SQL Database 
2. Install App Volumes Manager 
3. Update App Volumes Agent, and restart the service 
4. Import packages volumes as required 
5. Import writable volumes, as required

App Volume Manager installation process

1. Verify the app volume server requirements
2. Accept user license agreement
3. Select the App Volumes Manager component for the installation
    "Install App Volume Manager"
    Note:
    There are 3 installation components
    a. Install App Volume Agent
    b. Install App Volume Manager
    c. Install App volume Tools
4. Select the database server and the authentication method
    Prefer a remote SQL Server
    Note:
    a. Only SQL local accounts are supported
    b. Ensure that the "Overwrite existing database (if any)" check box is DESELECTED
        when upgrading an App Volumes server or installing an additional App Volumes Manager server
5. Specify the required network ports
6. Specify the features and verify the installation location
7. Execute the installer for the App Volumes Manager

App Volumes Manager Initial Configuration

The first time that the Web interface for the App Volumes Manager is started, you must perform the following configuration steps:

  1. Verify the license information for the console. You can use the embedded evaluation license or install a license file for production.
  2. Configure an AD connection. App Volumes uses AD to assign applications.
  3. Set up the App Volumes administrators group for users who can log in to the App Volumes Manager. The first time that the App Volumes Manager is started, authentication is not required.
  4. Set up a VM manager connection to determine the operation mode. You cannot change the operation mode after you configure a VM manager.
  5. To configure App Volumes storage, select the datastores and paths where packages and writable volumes are stored

The Configuration page in the App Volumes Manager has the following tabs:

  1. License: Contains information on the license. A valid license is required to use the App Volumes Manager.
  2. Active Directory: Provides information about your AD. App Volumes uses AD to assign packages to users, computers, and groups.
  3. Administrators: Enables the choice of the AD group that is responsible for administering an App Volumes Manager.
  4. Virtual Machine Managers: Enables you to specify the login credentials to a VM manager, such as vCenter Server. The VMs being managed are the ones on which packages and writable volumes are attached.
  5. Storage: Enables you to set the default database where packages and writable volumes are stored.

Hypervisor Connection Types

You can configure App Volumes to store packages and writable volumes. The packages and writable volumes are stored as a VMDK on hypervisor storage or as a VHD on a CIFS file share.

Note: Prefer vCenter Server

It supports
1. vCenter Server
2. Single ESXi host
3. VHD In-Guest services

Adding vCenter Server as a Virtual Machine Manager

Enables the use of VMDK Direct Attached operation mode for mid-to-large environments

  1. You can add additional vCenter Server instances.
  2. Mount Local: Select if your VM has local copies of volumes and you want to mount the local copies

Configuring Storage and Uploading Templates

After the initial datastore choices are made, additional information is required for uploading the prepackaged App Volumes templates:

  1. An ESXi host requires access to the datastore where the templates (volumes) are uploaded.
  2. App Volumes uses the ESXi host to upload the templates.
  3. A dialog box confirms the selected templates and datastore before the upload begins.
  4. If Import volumes immediately is selected for the import of the default templates, then administrative tasks are suspended during the import process

App Volumes uses an ESXi host to upload the prepackaged template volumes. Verify that the host can access the datastore where the templates are uploaded. By default, four writable volume templates are available when the App Volumes Manager is installed:

  1. A template for user-installed applications only on machines with App Volume 4.0 agent
  2. A template for user-installed applications and the user profile on machines with App Volume 4.0 agent
  3. A template for user-installed applications only on machines with App Volume 2.x agent
  4. A template for user-installed applications and the user profile on machines with App Volume 2.x agent

App volume agents

The App Volumes Agent runs as a service and uses a filter driver to manage application calls and file system redirects to the packages and writable volumes that are assigned to a VM:

  1. The App Volumes Agent has the following major components:
      a. SVdriver
          Responsible for the virtualization of volumes into the OS.
      b. SVservice
          Responsible for how the virtualization and volumes are controlled, and for the communication with the App Volumes Manager.
  2. You must install the various user experience, environment, and VDI agents in a VM in a prescribed order:
      a. Hypervisor tools, such as VMware Tools
      b. VDI agent, such as Horizon Agent
      c. Dynamic Environment Manager Agent (FlexEngine)
      d. App Volumes Agent

Note: Order is important

The App Volumes Agent 4 or above must be installed on the VM that you are using to package the application. The VM must also be configured to connect to the App Volumes Manager or a load balancer for multiple managers.

The App Volumes Agent must be installed on the target machines for volume assignments and it must also be configured to connect to the App Volumes Manager or the load balancer. The App Volumes Manager must be in place before installing the agent. Otherwise, when the VM is restarted after the agent installation, the agent reports an error because it cannot connect with the manager. For a Windows desktop, the agent only alerts you about the problem. If the VM is a Windows Server VM, a long timeout delay occurs before the error is reported.

The App Volumes Agent also creates a unique identifier that is used for the assignment of packages and writable volumes.

Advanced Configuration for the App Volumes Agent

The advanced configuration methods are for advanced users and administrators who want to perform advanced configuration, configure scripting, and configure other variable settings:

  1. The App Volumes Agent runs batch script files either when a package or a writable volume is attached dynamically or at various points during the system startup and login.
     There are 13 predefined scripts that contain all scriptable actions.
  2. Setting registry keys and their optional values configures SVservice:
      a. LogFileSizeInKB
      b. DriveLetterSettings
      c. MaxDelayTimeOutS
      d. VolWaitTimeout

Scaling App Volumes

The App Volumes Agent can be configured to communicate with multiple managers:

  1. When you configure the App Volumes Agent, you can specify the load-balanced fully qualified domain name of the managers.
  2. Alternatively, modifying registry keys after the standard installation configures the App Volumes Agent to communicate with multiple managers.

SSL Certificates in App Volumes

App Volumes can use certificates to secure the communication between App Volumes Manager, vCenter Server, App Volumes Agent, Load Balancers, and SQL. The App Volumes Manager can perform the following tasks to configure and use SSL certificates

  1. Replace, import, disable, and manage the SSL certificates that are used for an SSL communication and validation.
  2. Configure AD to reject the connection with the App Volumes Manager if an SSL certificate validation fails.
  3. Add and upload trusted SSL certificates from the App Volumes Manager console to establish a secure connection to vCenter Server and the remote SQL server

Establishing Secure vCenter Server Connections in App Volumes

Securing vCenter Server connections in App Volumes is an important step to ensure your data is protected:

  1. Certificate validation is required between the App Volumes Manager and vSphere.
  2. Accept the vCenter Server certificate when you are creating a VM manager in the App Volumes Manager.
  3. No custom certificate is required.

Certificates in App Volumes: Load Balancers

Certificates in App Volumes:

  1. The SSL ends at the load balancer.
  2. Uses HTTPS between the load balancer and the App Volumes Manager.
  3. Secured with SSL between App Volumes Agents and the load balancer.
  4. When using a CA-signed certificate for the load balancer, ensure that all App Volume Agent machines trust the CA.

Certificates in App Volumes: MS SQL Server

App Volumes permits the encryption of the connection with the MS SQL Server:

  1. Configure encryption on the MS SQL Server instance, so that all databases on a shared MS SQL Server are affected.
  2. Use the SQL Server Configuration Manager to configure the Force Encryption setting and specify the SQL certificate.

The MS SQL Server service account must have read permissions to the private key of the MS SQL Server SSL certificate. To verify the service:

  1. Click SQL Server Configuration Manager > SQL Server Services > SQL Server (SQL) > log in.
  2. The default setting is NT Service\MSSQL$SQL which does not have the necessary permissions.

Application upgrade process

1. Create an empty Application
2. Create a Package for the Application
3. Package the application on a packaging VM
    Note:
        a. Snapshot the VM before installing the application/program
        b. Finalize and complete the installation
        c. Shut down the packaging VM
        d. Revert to the clean snapshot (before application installation)
4. Mark the package CURRENT
5. Assign the Application to a user, machine or OU
6. Create a new/updated Package
7. Set the CURRENT flag on the new/updated Package
8. All assignments get the new package automatically on next login

Components Required for Packaging

The process of packaging an application into a virtual disk requires the following components:

1. An application with at least one package.
2. Template:
    a. A template is copied to create an empty application
    b. A default 20 GB template is created at installation.
    c. The template can be customized and created manually.
3. Packaging VM
    a. A clean desktop VM that includes the OS, updates and service packs, core applications, and an App Volumes Agent. 
    b. Snapshot of the powered off VM is used for a rollback to a clean VM. 

Writable Volume

Writable volumes are user-specific volumes that are used to store user-installed applications (UIA) and local profile information. You can create writable volumes for any computer and later assign these profiles to other computers and users

You must designate a template when you create a volume or when you upload volumes packaged with your instance of App Volumes Manager to the selected datastore

1. You have three types of source template available
    a. Profile-only
        Captures user profile information but does not collect any configuration information related to user-installed applications.
    b. UIA only
        Captures only user-installed applications.
    c. UIA+profile
        Captures both user-installed applications and user profile data.
2. A 10 GB default template is created at installation.
3. Templates can be customized and created manually.
4. Create templates for writable volumes as necessary to support individual use cases or storage scenarios.

Assigning and Attaching Writable Volumes

You can assign Writable Volumes to a user, group, computer, or organizational unit (OU).

Note the following considerations and limitations when you assign and attach Writable Volumes:

1. When a Writable Volume is created for a user, it is assigned to the user immediately. 
2. When the volume is assigned to a group, it is created when a user belonging to the assigned group logs in to the machine.
3. A user can have more than one Writable Volume attached at the same time if the volume is OS-specific, 
    or created for a computer with a specific prefix. 
    For example, suppose that you create a Writable Volume for each of the following:
    a. A Windows 7 machine
    b. A Windows 10 machine
    c. A computer with Win2012-dev prefix to its name
    d. A computer with Win2012-test prefix to its name
    Then, when the user logs in to these different machines at the same time, 
    each Writable Volume that is assigned to the specific machine is attached to the user at the same time.
4. A machine can have only one Writable Volume attached to it at a given point in time.
5. A Writable Volume must be enabled before it can be attached. See Enable a Writable Volume (2.x).
6. Automatic Windows updates must be disabled.
7. Detach the volume before performing any update to the OS.
8. Detach all Writable Volumes when performing any revert, recompose, or refresh of the virtual machines.

Note:
A user can also have multiple volumes attached to the same OS if there are two separate nodes and the user logs in to the desktop on both nodes.

App Volume Drive Letter Settings

You can configure the App Volumes agent to interact with mapped volumes by using a system path to the volume, instead of mapping it to a drive letter.

Most modern applications are compatible with this behavior, but some applications might require a drive letter to access program or application files. To support such situations while maintaining the familiar user interface, App Volumes can hide the drive from Windows Explorer after it is mapped.

Configure this behaviour with the DriveLetterSettings registry value. The value for DriveLetterSettings is in a hexadecimal format, and any number of flags might be combined to implement multiple parameters.

Value       Description
-----------------------------------------------------------------------
0x0000004   DRIVELETTER_HIDE_WRITABLE. Hide drive letter for writable volumes.
0x0000008   DRIVELETTER_HIDE_READONLY. Hide drive letter for AppStack volumes.

Note:
By default, a drive letter is not assigned to either application packages or Writable Volumes.
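
The following Python sketch is an added example, not taken from the VMware documentation or the original page. It reads a DriveLetterSettings value from `reg query` output, names the two flags listed in the table above, and reports any other bits as unknown instead of interpreting them. The sample output, its key path placeholder and the LogFileSizeInKB value are constructed.

```python
import re

# The two flags listed in the table above; no other bits are interpreted here.
DRIVE_LETTER_FLAGS = {
    0x4: "DRIVELETTER_HIDE_WRITABLE",
    0x8: "DRIVELETTER_HIDE_READONLY",
}
KNOWN_MASK = 0x4 | 0x8

# Constructed sample of `reg query` output. The key path is a placeholder,
# and the LogFileSizeInKB value is made up for the example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\<agent-parameters-key>
    LogFileSizeInKB    REG_DWORD    0x2800
    DriveLetterSettings    REG_DWORD    0xc
"""

_VALUE_RE = re.compile(
    r"^\s*DriveLetterSettings\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$",
    re.MULTILINE,
)


def parse_drive_letter_settings(reg_output):
    """Return the DWORD as an int, or None when the value is not set."""
    match = _VALUE_RE.search(reg_output)
    return int(match.group(1), 16) if match else None


def decode_flags(value):
    """Split a DWORD into (names of known flags that are set, unknown bits)."""
    names = [name for bit, name in sorted(DRIVE_LETTER_FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK


def encode_flags(names):
    """Combine flag names into the DWORD to write; unknown names raise KeyError."""
    by_name = {name: bit for bit, name in DRIVE_LETTER_FLAGS.items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value


if __name__ == "__main__":
    value = parse_drive_letter_settings(SAMPLE_REG_QUERY)
    names, unknown = decode_flags(value)
    print(f"DriveLetterSettings = {value:#x}: {names}, unknown bits = {unknown:#x}")
```

A non-zero unknown-bits result means the value carries flags beyond the two documented here and should be checked against the product documentation before it is changed.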

AppStack

An AppStack is a read-only volume containing one or more Windows applications. The Enable Volumes (2.x) toggle switch helps in supporting the co-existence of both Application Packages and AppStacks.

AppStack Migration Tool

AppStack Migration tool is a VMware Fling utility

  1. Migrates AppStacks that are provisioned by VMware App Volumes 2.x, to the new application package format of App Volumes 4.x.
  2. Start the Migration Fling Utility and login to the App Volumes Manager server.
  3. The utility lists the 2.x AppStacks that are accessible to the App Volumes Manager.
  4. Select one or more AppStacks and click Migrate.

VMware Dynamic Environment Manager

https://techzone.vmware.com/resource/dynamic-environment-manager-architecture#introduction

https://www.carlstalhood.com/vmware-user-environment-manager/

https://nolabnoparty.com/en/vmware-dynamic-environment-manager-dem-configuration/

https://kb.vmtestdrive.com/hc/en-us/articles/360000931134-Dynamic-Environment-Manager-Walkthrough

Dynamic Environment Manager Overview

VMware Dynamic Environment Manager provides you with personalization and dynamic policy configuration across virtual, physical, and cloud-based environments. Dynamic Environment Manager can simplify user profile management by providing organizations with a single scalable product that uses the existing infrastructure.

With Dynamic Environment Manager, you can map infrastructure, including networks and printer mappings, dynamically set policies for users, and support more use cases securely. With Dynamic Environment Manager, you can ensure that users have quick access to their Windows workspace and applications, with a personalized and consistent experience across devices and locations.

VMware Horizon Smart Policies and Dynamic Environment Manager

Smart policies give administrators detailed control of the user desktop:

  1. With smart policies, administrators can enable or disable features including clipboard redirection, USB access, printing, and client drive redirection.
  2. Smart policies can be enforced based on role and evaluated at login and log out, on disconnect and reconnect, and at predetermined refresh intervals.

These capabilities and detailed control enable one desktop pool to address many different use cases.

Smart policies can be used to enable, restrict, or disable VMware Horizon features, such as clipboard redirection, USB access, printing, and client drive redirection. You can also select a profile that manages bandwidth use.

Application Configuration

You can configure the initial application settings of applications without relying on the default settings.

  1. Maintains a single Application Package. Different settings can be applied based on the user environment.
  2. Ensures compliance with company standards. Prevents users from misconfiguring error-prone applications.

The predefined settings of the application can be used in the following ways:

1. Default Settings
    Applied only if no user profile archive exists.
2. Partially Enforced Settings
    Applied after the user profile archive (if any) is imported.
3. Default Settings with Partial Enforcement
    A combination of the first two setting types. The default settings are applied if no user profile archive exists,
    then the user profile archive (if any) is imported, and finally the partially enforced settings are applied.
4. Fully Enforced Settings
    Always applied, and no user profile archive is created,
    which means that the changes made during an application session do not persist.
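
The order in which defaults, the user profile archive and enforced settings are applied decides whether a user's change survives the next login. The Python model below is an added example, not DEM code or part of the original page. The setting names are hypothetical, and it assumes the user makes the same changes in every session and that an existing archive is not imported in fully enforced mode.

```python
from enum import Enum


class Mode(Enum):
    DEFAULT = "Default Settings"
    PARTIAL = "Partially Enforced Settings"
    DEFAULT_WITH_PARTIAL = "Default Settings with Partial Enforcement"
    FULL = "Fully Enforced Settings"


# Hypothetical changes a user makes during every session.
USER_CHANGES = {"theme": "dark", "macro_security": "low"}


def settings_at_launch(mode, default, enforced, archive):
    """Return (settings the application starts with, whether an archive is saved).

    default  - predefined settings used as defaults (ignored in PARTIAL and FULL)
    enforced - predefined settings that are enforced (ignored in DEFAULT)
    archive  - the user's profile archive as a dict, or None if none exists
    """
    if mode is Mode.FULL:
        # Always applied; no archive is created, so session changes are lost.
        return dict(enforced), False
    settings = {}
    if mode in (Mode.DEFAULT, Mode.DEFAULT_WITH_PARTIAL) and archive is None:
        settings.update(default)       # defaults only when no archive exists
    if archive is not None:
        settings.update(archive)       # then the archive, if any, is imported
    if mode in (Mode.PARTIAL, Mode.DEFAULT_WITH_PARTIAL):
        settings.update(enforced)      # enforced values overwrite the archive
    return settings, True


def simulate_logins(mode, default, enforced, user_changes, logins=2):
    """Return the settings the application starts with at each login."""
    archive = None
    history = []
    for _ in range(logins):
        start, saved = settings_at_launch(mode, default, enforced, archive)
        history.append(start)
        if saved:
            # The session's changes are written to the archive at exit.
            archive = {**start, **user_changes}
    return history


if __name__ == "__main__":
    runs = {
        Mode.DEFAULT: ({"theme": "corporate", "macro_security": "high"}, {}),
        Mode.PARTIAL: ({}, {"macro_security": "high"}),
        Mode.DEFAULT_WITH_PARTIAL: ({"theme": "corporate"}, {"macro_security": "high"}),
        Mode.FULL: ({}, {"theme": "corporate", "macro_security": "high"}),
    }
    for mode, (default, enforced) in runs.items():
        first, second = simulate_logins(mode, default, enforced, USER_CHANGES)
        print(f"{mode.value}: first login {first}, second login {second}")
```

In this model only the enforced modes bring `macro_security` back to `high` at the second login; with default settings alone the user's change persists.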

Using the Dynamic Environment Manager Application Profiler, you can capture the predefined settings for an application. You do so by running the application on a reference system that the Application Profiler monitors and then configuring it as needed.

Components of Dynamic Environment Manager

The components of Dynamic Environment Manager can be summarized in three parts:

1. Management console
    The primary application interface used to configure and manage Dynamic Environment Manager.
2. FlexEngine
    An agent component, installed on the virtual or physical machine
3. File shares
    a. Dynamic Environment Manager relies on a folder hierarchy.
    b. File share stores configuration files in the configuration share.
    c. User data is stored in the public archives share.

The VMware Dynamic Environment Manager management console is the main interface that you use to manage user profiles.

A Flex configuration file contains content specific for VMware Dynamic Environment Manager. Flex configuration files are created and managed from the management console. Each application has a separate flex configuration file that contains the locations of the settings that the Dynamic Environment Manager manages. You can create a custom configuration file, use Windows Common Settings, or use an application template.

The Dynamic Environment Manager configuration share is the UNC path to the share where the management console configuration and Dynamic Environment Manager configuration files are stored.

Infrastructure Design

Design the infrastructure to support VMware Dynamic Environment Manager high availability (HA), scalability, disaster recovery (DR), and the steps we must follow to upgrade it:

1. Scalability
    Dynamic Environment Manager can scale up to 10,000 users.
2. HA and DR
    a. VMware Dynamic Environment Manager uses the existing infrastructure.
    b. No extra measures are required to make VMware Dynamic Environment Manager highly available.
    c. Because VMware Dynamic Environment Manager uses the existing file servers and domain controllers,
    you must ensure that these servers are HA with a DR plan in place.

With enough CPU and RAM, a single Windows file server can scale up to 10,000 users for VMware Dynamic Environment Manager. For a dedicated file server, at least 4 CPUs and 16 GB RAM are required to scale to 10,000 users.

Registry Access Requirements

VMware Dynamic Environment Manager might not work properly on some Windows versions if access to regedit.exe is disabled through Group Policy:

  1. FlexEngine uses regedit.exe to add user-specific settings to the registry.
  2. If users are not permitted to run regedit.exe silently, an error message might display at login.

FlexEngine uses Regedit.exe to add user-specific settings to the registry. To enable access to Regedit.exe, you must set the Disable Regedit from running silently option to No. You must also ensure that Regedit.exe is not blocked by the User Account Control (UAC) settings.

If users cannot run Regedit.exe silently, an error message might be displayed at login and written to the FlexEngine log file.

File Shares and Permissions Requirements

The environment on which you plan to install VMware Dynamic Environment Manager must meet the following file share and permissions requirements

1. The central configuration share is the location for all configuration files
    a. Replicated shares can be used when all clients have the same path to share
    b. DFS namespace is supported
2. The user share (profile archive) is the location for user personalization files (one folder per user)

Licensing Requirements

FlexEngine requires a valid license file before it can be installed:

1. To apply a new license file, you do not reinstall any Dynamic Environment Manager components.
2. Replace the old license file with the new license file, retaining both the license filename and the location in the file system
    a. The license filename
        FlexEngine.lic
    b. The default path is C:\Program Files\Immidio\Flex Profiles

Note:
A license file is not required on installation of VMware Horizon. 
A license file is required only when you install VMware Dynamic Environment Manager as a standalone installation.

Dynamic Environment Manager Installation

https://www.carlstalhood.com/vmware-user-environment-manager/#prereqs

Pre-installation steps

1. Create central configuration share
2. Create user archive share
3. Import VMware DEM ADMX templates
    Copy the DEM ADMX files and corresponding ADML files to the Active Directory Policy Definitions folder
4. Create a GPO in AD where the DEM ADMX templates will be applied
5. Link the GPO to test users, or
    computers with Loopback policy enabled
6. Configure "Always Wait for Network at Computer Startup" in GPO
7. Set up folder redirection for user data (optional)

Install Dynamic Environment Manager

1. Run the installer
2. Choose setup type
    a. Typical
    b. Custom
        Choose Custom
            i. Select "VMware DEM Management Console"
            ii. Select Entire feature will be installed on local hard drive
        Note:
        Do NOT select "VMware DEM FlexEngine"
    c. Complete

Dynamic Environment Manager group policy settings

After adding VMware Dynamic Environment Manager administrative templates, you can configure all VMware Dynamic Environment Manager settings through the GPO

1. The following Dynamic Environment Manager Group Policy settings must be configured
a. Configuration file location    
    \\<DFS-share>\Application\DEM\DEMConfig\General    
    Use this setting to configure the central location of the Flex configuration files to be used by FlexEngine. 
    FlexEngine runs with the user's credentials and processes each Flex configuration file for which the user has NTFS read permission.
b. Profile archives location
    \\<DFS-share>\Application\DEM\UEMProfiles\%username%\Archives    
    Configure the location of the profile archives share from where FlexEngine reads and stores user profile archives and related settings. 
c. Profile archive backups location
    \\<DFS-share>\Application\DEM\UEMProfiles\%username%\Backups 
    Set the directory location of the profile archives backup
d. Run FlexEngine as Group Policy Extension
e. FlexEngine logging
    \\<DFS-share>\Application\DEM\UEMProfiles\%username%\flexengine.log
    Configure the location and filename of the FlexEngine log file.
    Log Level
        i. Error
        ii. Debug (use only for troubleshooting, and disable it as soon as possible)

2. Additional settings include
a. FlexEngine log out command
    The FlexEngine log out command that must run during the log out process
    "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -s
b. Always wait for the network at the computer startup and login.

Application Blocking Precedence

Application blocking allows you to enable or block applications from launching.

By default, once you enable application blocking, only applications from the Windows folder, C:\Program Files, and C:\Program Files (x86) are allowed to run. To fine-tune application blocking, you can further specify applications to allow or block based on path, hash, or publisher.

You can configure the following types of application blocking:

1. Path-based. You can specify a path to a folder. Or, you can specify a fully qualified file name (the configured path includes the full path and file name of the executable).
2. Hash-based. You can specify to allow or block based on a hash that matches a particular executable.
3. Publisher-based. You can specify a publisher to allow, and executables associated with that publisher can launch. You cannot block applications by publisher.

When you configure multiple types of application blocking, the order in which the blocking is evaluated is as follows

1. Hash-based rules 
2. Path-based rules 
3. Publisher-based rules

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Configuring Privilege Elevation for Elevated Applications

Use the Privilege Elevation type setting Path-based elevated applications to elevate previously installed applications

1. Select the path of the EXE file or the parent folder: Elevates EXEs only (not MSIs).
2. Selecting "Also elevate child processes" elevates child processes on a global level. 
    If this setting is selected, all processes of a user-installed application run elevated.
    Elevations can be of the following types
    a. Path-based
    b. Hash-based
    c. Publisher-based
    d. Argument-based (only to be used with elevated applications)

Application Configuration Management

VMware Dynamic Environment Manager provides several optional capabilities that help users and administrators create and troubleshoot FlexEngine configurations.

The Dynamic Environment Manager SyncTool enables offline operation and keeps the local and remote configuration files synchronized.

Dynamic Environment Manager Self-Support

The Dynamic Environment Manager Self-Support tool is available to a user

1. The Self-Support tool displays a list of the applications that are managed with Dynamic Environment Manager.
2. Users can click Restore to restore application settings from a backup or click Reset to reset settings to their defaults.
3. Self-Support runs on client systems with FlexEngine deployed.
4. For users to use the Self-Support tool, the following FlexEngine Group Policy settings must be configured
    a. Flex config files
    b. Profile archives

Helpdesk Support Tool

With the Helpdesk Support Tool, administrators and their help desk staff can support personalization tasks

1. Reset a profile archive (or multiple profile archives) for a user. 
    The multiple profile archive feature is available only if it is enabled in the Helpdesk Support Tool Group Policy.
2. Restore a profile archive backup for a user.
3. Jump to a profile archive for a user in Windows Explorer.
4. Edit a profile archive for a user
5. View FlexEngine log files for a user and search for text.
6. View total profile archive and profile archive backup sizes for a user. 

Horizon 7 requirements for ThinApp Applications

https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-administration/GUID-BD84A763-EA51-44B0-A271-762279E7460E.html

When capturing and storing ThinApp applications that will be distributed to remote desktops in Horizon Administrator, you must meet certain requirements.

  1. You must package your applications as Microsoft Installation (MSI) packages.
  2. You must use ThinApp version 4.6 or later to create or repackage the MSI packages.
  3. You must store the MSI packages on a Windows network share that resides in an Active Directory domain that is accessible to your Connection Server host and remote desktops. The file server must support authentication and file permissions that are based on computer accounts.
  4. You must configure the file and sharing permissions on the network share that hosts the MSI packages to give Read access to the built-in Active Directory group Domain Computers. If you plan to distribute ThinApp applications to domain controllers, you must also give Read access to the built-in Active Directory group Domain Controllers.
  5. To allow users access to streaming ThinApp application packages, you must set the NTFS permission of the network share that hosts the ThinApp packages to Read & Execute for users.
  6. Make sure that a disjoint namespace does not prevent domain member computers from accessing the network share that hosts the MSI packages. A disjoint namespace occurs when an Active Directory domain name is different from the DNS namespace that is used by machines in that domain. See VMware Knowledge Base (KB) article 1023309 for more information.
  7. To run streamed ThinApp applications on remote desktops, users must have access to the network share that hosts the MSI packages.

HelpDesk Tool

Helpdesk Support Tool is an optional component of VMware Dynamic Environment Manager that does not require extra licensing. It provides capabilities to support and maintain the VMware Dynamic Environment Manager profile archives and profile archive backups. Helpdesk Support Tool also provides the total profile archive sizes for a user and an integrated FlexEngine log file viewer, which allows you to analyze the logs in detail.

As a VMware Dynamic Environment Manager administrator, you can use Helpdesk Support Tool yourself, or you can make it available to another department that is in charge of providing support in the area of personalization. The Helpdesk Support Tool users are called operators.

You can use Helpdesk Support Tool to perform the following tasks:
1. Reset one or more profile archives for a user.
2. Restore a profile archive backup for a user.
3. Open a profile archive for a user in Windows Explorer.
4. Edit a profile archive for a user.
5. View FlexEngine log files for a user, and search for a specific log string.
6. View the total size of profile archives and profile archive backups for a user.

Supported computer and user assignments combinations for AppStacks and Writable Volumes (2151829)

https://kb.vmware.com/s/article/2151829

This article lists the supported computer and user assignment combinations for AppStacks and Writable Volumes for App Volumes 2.X

Supported App Volumes Scenarios - App Volume 4

https://docs.vmware.com/en/VMware-App-Volumes/2009/app-volumes-install-guide/GUID-FD2CD152-1B9F-4E74-923A-8A2273B2362E.html

https://docs.vmware.com/en/VMware-App-Volumes/2009/app-volumes-admin-guide/GUID-F5DD8B8F-B00C-491E-BC3D-540667DD42C2.html

Lock Down Access to the Management Console

If you provide environment configuration by using a policy, you can lock down access to the VMware Dynamic Environment Manager Management Console.

Enabling the Lock down access to VMware DEM Management Console policy setting from the VMware DEM Management Console.admx template locks down access to the VMware Dynamic Environment Manager Management Console. By using the policy options, you can allow access to certain features only.

Note:
If you use this policy, the following are NOT available
1. Configure button
2. Easy Start button
3. Configure Helpdesk Support Tool menu option
4. Manage Templates button in ADMX-based Settings
5. Global Configuration button in Application Blocking and Privilege Elevation
6. Explore and Properties menu items in Personalization

Locking down access to the Management Console does not lock down file system access to the DEM configuration share.

# Prerequisites
Configure an environment by using Group Policy.

# Procedure
1. Open the Group Policy Management Editor and access the Management Console folder, 
    located in User Configuration > Policies > Administrative Templates: 
    Policy definitions (ADMX files) retrieved from the local computer. > VMware DEM.
2. Double-click the Lock down access to VMware DEM Management Console policy and click Enabled.
3. Enable the policy options you want to use.
4. Click OK
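
Because the lock-down policy restricts only the console and not the file system, it is worth checking who can write to the configuration share. The following PowerShell audit is an added example, not VMware's tooling; the share path and the list of expected writers are placeholders.

```powershell
# Added example. Placeholders (assumptions, not from the page):
$ConfigRoot = '\\fileserver\DEMConfig\General'   # DEM configuration share path
$Expected   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\DEM-Admins'

# Rights that let a principal create, change, delete or re-permission files.
$Rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs are stored with raw generic bits: GENERIC_ALL, GENERIC_WRITE.
$WriteBits = [int]$Rights -bor 0x10000000 -bor 0x40000000

function Get-DemUnexpectedWriter {
    param([string]$Path, [string[]]$Allowed)

    # Check the root folder itself and everything below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            $canWrite = ([int]$ace.FileSystemRights -band $WriteBits) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $Allowed -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Every row returned is a principal outside the expected list that can modify
# Flex configuration files without going through the Management Console.
Get-DemUnexpectedWriter -Path $ConfigRoot -Allowed $Expected |
    Format-Table -AutoSize
```

The script checks NTFS entries only; share-level permissions on the configuration share need a separate review.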

Profile Archive Share

The profile archives share stores the personal settings for users as FlexEngine creates a subfolder for each user. The share contains VMware Dynamic Environment Manager profile archives, which are ZIP files. FlexEngine reads personal user settings from the profile archives share when a user logs in to the environment or launches a DirectFlex-enabled application. FlexEngine writes the modified settings when the user logs out, or closes a DirectFlex-enabled application.

In a typical deployment, profile archive backups and log files are stored on the same share, but you can configure different locations in the FlexEngine GPO.

Use a share that is dedicated to the profile archives. A dedicated share improves performance, simplifies configuring the VMware Dynamic Environment Manager SyncTool, and makes it easier to configure permissions for the Helpdesk Support Tool.

Note:
Do not use the Home drive share.
    Using this share can cause synchronization conflicts between Offline Files and the VMware Dynamic Environment Manager SyncTool,
    and allows users to delete their profile archives.

Folder Structure

The profile archives share has a one-to-one relationship to the naming and folder structure of the VMware Dynamic Environment Manager configuration share and the Management Console.

### Requirements
Requirement                 Description
--------------------------------------------------------------------------------
Networking requirements
                For best performance and to optimize login times,
                ensure that the computer from which the end user logs in has a 1-Gbps connection to the profile archives share.
                If an end user has limited bandwidth or has a laptop that is often offline,
                use the SyncTool. This tool improves connectivity to the profile archives share under these conditions.
Storage
                Storage requirements might vary based on the specific deployment.
                A general guideline is to have at least 100 MB per user.
Share permissions
                The Everyone group must have Change permissions applied.
NTFS security permissions
                Setting the following NTFS security permissions on the profile archives share creates a folder for each user on first login
                and limits the user to their own folder.
                a. For VMware Dynamic Environment Manager administrators and help desk:
                    Full Control applied to This folder, subfolders and files.
                b. For end users:
                    Create folders / append data applied to This folder only.
                c. For Creator Owner:
                    Full Control applied to Subfolders and files only.
                Note:
                If you want to use VMware Dynamic Environment Manager computer environment settings,
                remote computer accounts must also have Create folders / append data permissions applied to This folder only.
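
The share and NTFS permissions listed above for the profile archives share, applied with PowerShell. This is an added example, not part of the VMware documentation or the original notes; the folder path, share name and group names are placeholders.

```powershell
# Added example. Run on the file server. Placeholders (assumptions):
$Root      = 'D:\DEMProfiles'       # local folder behind the profile archives share
$ShareName = 'DEMProfiles'          # name of the existing SMB share
$AdminGrp  = 'CONTOSO\DEM-Admins'   # DEM administrators and help desk
$UserGrp   = 'CONTOSO\DEM-Users'    # end users

function New-DemRule {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# Share permissions: Everyone = Change. NTFS does the real restriction.
Grant-SmbShareAccess -Name $ShareName -AccountName 'Everyone' `
    -AccessRight Change -Force | Out-Null

$acl = Get-Acl -LiteralPath $Root

# Administrators and help desk: Full Control, This folder, subfolders and files.
$acl.AddAccessRule((New-DemRule $AdminGrp 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))

# End users: Create folders / append data, This folder only.
# (AppendData and CreateDirectories are the same access bit.)
$acl.AddAccessRule((New-DemRule $UserGrp 'AppendData' 'None' 'None'))

# Creator Owner: Full Control, Subfolders and files only (inherit-only),
# so each user ends up with full control of the folder they created.
$acl.AddAccessRule((New-DemRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))

Set-Acl -LiteralPath $Root -AclObject $acl

# Review step: list every entry that is NOT one of the three above.
# Broad inherited grants (for example to Users or Authenticated Users)
# would let users reach folders other than their own.
$known = $AdminGrp, $UserGrp, 'CREATOR OWNER'
(Get-Acl -LiteralPath $Root).Access |
    Where-Object { $known -notcontains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
    Format-Table -AutoSize
```

The script only adds entries and does not remove or disable inherited ones, so anything printed by the review step has to be assessed and cleaned up separately.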

Flex Configuration Files

A Flex configuration file is a configuration file containing content specific for VMware Dynamic Environment Manager. You create and manage Flex configuration files with the Management Console.

Each application has a separate Flex configuration file that contains the locations of the settings that are managed with VMware Dynamic Environment Manager.

# You can either
1. create a custom configuration file
2. download a configuration template
3. use Windows Common Settings, or 
4. use an application template.
  1. With a custom configuration file, you manually define the settings to manage for an application.
  2. Configuration templates are pre-configured Flex configuration files for popular applications. Using the Management Console, you can download the available templates directly from VMware Marketplace.
  3. Windows Common Settings and application templates are Flex configuration definitions for commonly used Windows settings and applications.

VMware installation - supported Windows versions

Supported Windows Versions

  1. Windows 7 Professional, Enterprise, and Ultimate x86 and x64 SP1
  2. Windows Server 2008 R2 Standard and Enterprise x64 SP1
  3. Windows Server 2012 Standard and Datacenter x64
  4. Windows 8.1 Professional and Enterprise x86 and x64 with Update
  5. Windows Server 2012 R2 Standard and Datacenter x64 with Update
  6. Windows 10 Version Professional and Enterprise x86 and x64
  7. Windows Server 2016 Standard and Datacenter x64
  8. Windows Server 2019 Standard and Datacenter x64

How to assign an AppStack to a computer

After you create and provision an AppStack, you can assign the AppStack to a computer or user.

Real-time attachment of computer-assigned AppStacks works if the user who is logged in does not have any user or group attachments (writable or application).

# Procedure
1. From the App Volumes Manager, go to DIRECTORY > Computers.
    The Managed Computers page with a list of computers is displayed.
2. Select the computer for which you want to assign the AppStack.
    Ensure that the status of the computer is set to Enabled.
3. Click Assign AppStack.
4. Select an available AppStack from the list.
5. (Optional) Select Detach on shutdown if you want the assigned AppStack to be detached when the user logs off from the assigned computer.
6. Select one of the following methods of assignment:
Option                  Description
------------------------------------------------------------
Attach AppStack on next login or reboot 
                The AppStack is attached when the computer is started.
Attach AppStack immediately 
                The volume is attached instantly to all computers on which the selected users are logged in. 
                If you are assigning the AppStack to a group or organizational unit, 
                all users or computers in that group get the attachments immediately.

After the AppStack is assigned to the selected entity, the entity becomes known to the App Volumes Manager.

VMware Dynamic Environment Manager Application Profiler

Application Profiler is a standalone application that simplifies the creation of Flex configuration files and predefined settings for use with VMware Dynamic Environment Manager.

Application Profiler analyzes where an application stores its file and registry configuration. The analysis results in an optimized Flex configuration file, which you can edit in the Application Profiler or use directly in the VMware Dynamic Environment Manager environment.

With Application Profiler, you can also create application-specific predefined settings, with which you can set the initial configuration state of applications. Save the Flex configuration file with predefined settings to export the current application configuration state.

Application Profiler is licensed as a VMware Dynamic Environment Manager component.

Verify existing App Volumes installation and version

# Log in to the App Volumes Manager server and verify the registry key
HKLM\Software\WOW6432Node\CloudVolumes\Agent\
    Manager_address: <AppVolumes manager FQDN>
    Manager_port:   <443/80>
    Product Version: <AppVolume installed version>
    svService_Management: <auto>