VMware Identity Manager and Horizon

Author: Jackson Chen

Horizon Cloud with VMware Identity Manager Quick Start

VMware Identity Manager with Horizon Quick Start

Setting Up Resources in VMware Identity Manager 3.3

Setting Up Resources in VMware Identity Manager 19.03

References

VMware Workspace ONE Access 21.08

https://www.carlstalhood.com/vmware-access

VMware Identity Manager Integration with Horizon

Virtual Apps

Entitle Users and Groups to ThinApp Packages

You can entitle users and groups to Windows applications that are captured as ThinApp packages.

You can entitle only VMware Identity Manager users (users who are imported from your directory server) to ThinApp packages. When you entitle a user to a ThinApp package, the user sees the application and can start it from the VMware Identity Manager Desktop application on their system.

Prerequisites

Set up a virtual apps collection for ThinApp packages from the Catalog > Virtual Apps > Virtual Apps Configuration page. After you create the collection, sync the ThinApp packages to VMware Identity Manager. When the ThinApp packages are synced to your catalog, you can entitle them to your users and groups.

# Procedure
1. Log in to the VMware Identity Manager console.
2. Entitle users to a ThinApp package, using either of the two options below.

Option 1: Access a ThinApp package and entitle users or groups to it.
    a. Click the Catalog > Virtual Apps tab.
    b. Click Any Application Type > ThinApp Packages.
    c. Click the ThinApp package to entitle users and groups to.
       The Entitlements tab is selected by default. Group entitlements are listed in one table and user entitlements in another.
    d. Click Add group entitlement or Add user entitlement.
    e. Type the names of the groups or users.
       You can search for users or groups by starting to type a search string and allowing the autocomplete feature to list the options. You can click browse to view the entire list.
    f. From the drop-down menu, select the activation method for the ThinApp package.
       With both options, User Activated and Automatic, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.
    g. Click Save.

Option 2: Access a user or group and add ThinApp package entitlements to that user or group.
    a. Click the Users & Groups tab.
    b. Click the Users tab or the Groups tab.
    c. Click the name of an individual user or group.
    d. Click the Apps tab.
    e. Click Add entitlement.
    f. In the Application Type drop-down list, select ThinApp Packages.
    g. Click the check boxes next to the ThinApp packages to which to entitle the user or group.
    h. In the DEPLOYMENT column, select the activation method for the ThinApp package.
       With both the User Activated and Automatic options, the resources are added to the Catalog page. Users can use the resources from the Catalog page or move them to the Bookmarks page. However, to set up an approval flow for any of the apps, you must select User Activated for that app.
    i. Click Save.

Providing Access to Citrix-Published Resources

You can provide Workspace ONE users access to Citrix-published resources by integrating your Citrix deployment with VMware Identity Manager. Citrix-published resources include applications and desktops within Citrix XenApp and XenDesktop server farms. Desktops are also referred to as Citrix-published delivery groups.

You manage Citrix-published applications and desktops in the Citrix administrative interface. You also set user and group entitlements in the Citrix interface, not in the VMware Identity Manager service. You must sync these users and groups to the VMware Identity Manager service from Active Directory before integrating with the Citrix server farms.

To integrate Citrix server farms with VMware Identity Manager, you create one or more virtual app collections in the VMware Identity Manager console. The collections contain the configuration information for the server farms as well as sync settings.

After you integrate the Citrix server farms, you can view the synced resources and entitlements in the VMware Identity Manager console. You can also edit ICA session settings, such as the settings that control resolution or compression. You can configure the settings globally for all the Citrix resources in the VMware Identity Manager catalog, or for individual Citrix resources.

End users can launch Citrix-published applications and desktops from the Workspace ONE portal or app. They install Citrix Receiver on their systems and devices to access the resources to which they are entitled.

Configure Triggered Tasks

Select tasks that are triggered when certain actions are performed in the user environment.

With triggers, a user can unplug a laptop, move it to another location, plug it in again, and maintain their current session while using more appropriate infrastructure resources. Triggers also provide a seamless experience for users who log in to the same virtual desktop session from different devices.

When running in a remote session, the following special environment variables are available for use in custom commands or messages:

%CURRENT_CLIENTIP%      The endpoint IP address.
%PREVIOUS_CLIENTIP%     The previous endpoint IP address. 
                        This variable only exists for the Session reconnected trigger and 
                            if the user is connecting from a different client.
%CURRENT_CLIENTNAME%    The endpoint name.

Note:
VMware Dynamic Environment Manager evaluates conditions on triggered task settings when it processes the settings themselves, 
not when it performs the resulting actions after the triggers occur.
# Procedure
1. Start the VMware Dynamic Environment Manager Management Console.
2. Open the User Environment tab.
3. Select Triggered Tasks and click Create.
4. Enter a name for the settings definition.
5. Configure the triggered task settings.

Option                                      Description
-------------------------------------------------------------------------------
Trigger                                     Select the event that is used to trigger this task:
                                              a. Workstation locked
                                              b. Workstation unlocked
                                              c. Session disconnected
                                              d. Session reconnected
                                              e. All AppStacks attached
                                            Once App Volumes attaches all AppStacks, it initiates the All AppStacks attached event.
                                            This event is useful when VMware Dynamic Environment Manager performs actions during logon
                                            with conditions that rely on an AppStack not yet attached.
Only applies if (endpoint) IP has changed
Action
Show message
Caption
Message
Close automatically after
Also allow user to dismiss message

6. Click Save.

Permissions Required for Joining a Domain (Linux Virtual Appliance Only)

https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/vidm-dir-integration/GUID-4B9FF80D-FF55-4006-BB5E-5870189F03A8.html

You may need to join the VMware Identity Manager connector to a domain in some cases. For Active Directory over LDAP directories, you can join a domain after creating the directory. For directories of type Active Directory (Integrated Windows Authentication), the connector is joined to the domain automatically when you create the directory.

Note:
You can see the host name in the Host Name column on the Connectors page in the administration console. 
Click Identity & Access Management > Setup > Connectors to view the Connectors page.

The Join Domain command is available on the Connectors page, accessed by clicking Identity & Access Management > Setup > Connectors.

Replace SSL Certificate in VMware Identity Manager Service

When the certificate on the service expires, you update the certificate from the VMware Identity Manager console.

# Prerequisites
Obtain updated server and intermediate certificates from the CA before the currently valid certificates expire.

# Procedure
1. In the VMware Identity Manager console, click the Appliance Settings tab.
2. Click Manage Configuration and enter the admin user password.
3. Select Install SSL Certificates > Server Certificate.
4. In the SSL Certificate text box, select Custom Certificate.
5. To import the file, click Choose File and navigate to the certificate file to import.
    For PEM files, make sure that the file includes the entire certificate chain in the correct order.
    Everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- must be included.
6. If a PEM file is imported, also import the private key in the Private Key text box.
    Everything between and including -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- must be included.
    If a PFX file is imported, enter the PFX password.
7. Click Save.

Note: The service is restarted and the certificate is updated.
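A failed import in steps 5 and 6 costs a service restart, so it is worth checking the PEM files offline first: that every BEGIN marker has its END marker, that the chain runs server certificate first and root last, and that the key actually belongs to the server certificate. The script below is an added example written for these notes, not VMware code; the marker checks need only grep and awk, the order and key-match checks assume openssl is on the PATH, and the chain and key file names are whatever the caller passes as arguments.

```shell
#!/bin/sh
# Added example for these notes, not code from VMware: offline checks on a PEM
# chain and private key before uploading them under Appliance Settings >
# Install SSL Certificates. Arguments are the chain file and the key file.

# _pem_count FILE TYPE MARKER -> number of "-----MARKER TYPE-----" lines in
# FILE. Carriage returns are stripped so CRLF files do not hide a marker.
_pem_count() {
    tr -d '\r' < "$1" | grep -c "^-----$3 $2-----\$" || true
}

# pem_cert_count FILE -> how many BEGIN CERTIFICATE markers the chain holds.
pem_cert_count() {
    _pem_count "$1" CERTIFICATE BEGIN
}

# pem_chain_ok FILE -> 0 when the file has at least one certificate and every
# BEGIN CERTIFICATE line has a matching END CERTIFICATE line.
pem_chain_ok() {
    begins=$(_pem_count "$1" CERTIFICATE BEGIN)
    ends=$(_pem_count "$1" CERTIFICATE END)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# pem_key_ok FILE -> 0 when the file holds exactly one complete RSA PRIVATE KEY
# block, the marker the notes above require for a PEM import.
pem_key_ok() {
    [ "$(_pem_count "$1" 'RSA PRIVATE KEY' BEGIN)" -eq 1 ] &&
    [ "$(_pem_count "$1" 'RSA PRIVATE KEY' END)" -eq 1 ]
}

# pem_chain_ordered FILE -> 0 when every certificate is followed by its issuer
# (server certificate first, root last), 1 when a link does not match,
# 2 when openssl is not installed.
pem_chain_ordered() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    # one file per certificate, numbered in the order they appear in the chain
    tr -d '\r' < "$1" | awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                       { print > out }
        /^-----END CERTIFICATE-----$/   { close(out); out = "" }'
    expected=""
    rc=0
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
        if [ -n "$expected" ] && [ "$subject" != "$expected" ]; then
            echo "chain break: expected issuer '$expected', found '$subject'" >&2
            rc=1
        fi
        expected=$issuer
    done
    rm -rf "$dir"
    return $rc
}

# pem_key_matches CHAIN KEY -> 0 when the first certificate in CHAIN carries
# the public key of KEY (RSA modulus comparison); 2 without openssl.
pem_key_matches() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: sh check_pem.sh server-chain.pem server-key.pem
if [ $# -eq 2 ]; then
    if pem_chain_ok "$1"; then echo "chain: $(pem_cert_count "$1") complete block(s)"
    else echo "chain: BEGIN/END CERTIFICATE markers incomplete" >&2; fi
    if pem_key_ok "$2"; then echo "key: RSA PRIVATE KEY block present"
    else echo "key: RSA PRIVATE KEY markers incomplete" >&2; fi
    pem_chain_ordered "$1"
    case $? in 0) echo "chain: order OK" ;; 1) echo "chain: order WRONG" >&2 ;;
               *) echo "chain: openssl missing, order not checked" ;; esac
    pem_key_matches "$1" "$2"
    case $? in 0) echo "key: matches server certificate" ;; 1) echo "key: does NOT match" >&2 ;;
               *) echo "key: openssl missing, match not checked" ;; esac
fi
```

The order check compares each certificate's issuer with the subject of the certificate that follows it, which is exactly the "entire chain in the correct order" requirement above; a self-signed root at the end passes because nothing follows it. Run it on the PEM files you are about to upload and fix any reported chain break before clicking Save.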

Updating AppStacks and Writable Volumes - VMware App Volumes Operational Tutorial

https://techzone.vmware.com/updating-appstacks-writable-volumes-vmware-app-volumes-operational-tutorial#_279298

Operational Procedures and Troubleshooting

How to shut down vRealize Identity Manager properly

1. SSH to the vIDM appliance.
2. Run the following commands in this order:
    a. service horizon-workspace stop
    b. service elasticsearch stop
    c. shutdown

VMware Security Advisories - VMSA-2022-0011

https://kb.vmware.com/s/article/88099

It is strongly recommended to take a snapshot or backup of the Appliance(s) and the database server before applying the hotfix.

# Hotfix for VMSA-2022-0011 for vIDM 3.3.6
HW-154129-Appliance-3.3.6.zip
File size: 164.77 MB
File type: zip

Patch Deployment Procedure:

  1. Log in as sshuser and sudo to root-level access.
  2. Download and transfer HW-154129-Appliance-version.zip to the virtual appliance. This zip file can be saved anywhere on the file system. VMware recommends the SCP protocol to transfer the file to the appliance. Tools such as WinSCP can also be used to transfer the file to the appliance.
  3. Unzip the file using the command below.
     unzip HW-154129-Appliance-<Version>.zip
  4. Navigate to the files within the unzipped folder using the command below.
     cd HW-154129-Appliance-<Version>
  5. Run the patch script using the command below.
     ./HW-154129-applyPatch.sh

NOTE: If you are running a cluster deployment, repeat the steps above on all additional nodes of the cluster.

# Validate flags
Confirm that the hotfix flag file exists in /usr/local/horizon/conf/flags/: HW-154129-3.3.6.0-hotfix.applied
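The steps above leave three things to the operator: confirming the transferred archive is intact, not re-running the patch on a node that already carries the flag, and, on a cluster, confirming the flag on every node rather than just the one you are logged in to. The shell helpers below are an added example written for these notes, not VMware's patch script. The flag directory and flag file name are the ones given above; the archive's SHA-256 is a placeholder because these notes do not record it, and the node names and SSH key-based login as sshuser are assumptions.

```shell
#!/bin/sh
# Added example for these notes, not VMware's patch script: checks around the
# HW-154129 deployment steps above. Flag directory and flag name are from the
# notes; the archive checksum and node names are placeholders the operator
# supplies (the notes do not record the archive's hash).

FLAG_DIR=/usr/local/horizon/conf/flags
FLAG_NAME=HW-154129-3.3.6.0-hotfix.applied
# Placeholder: replace with the SHA-256 published for HW-154129-Appliance-3.3.6.zip
EXPECTED_SHA256=${EXPECTED_SHA256:-REPLACE_WITH_PUBLISHED_SHA256}

# sha256_of FILE -> hex digest (sha256sum, or shasum on systems without it)
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# archive_checksum_ok ZIP EXPECTED -> 0 when the transferred archive hashes to
# the expected value, so a truncated or tampered SCP copy is caught before unzip.
archive_checksum_ok() {
    [ -f "$1" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# hotfix_applied [DIR] -> 0 when the flag the patch script drops is present.
hotfix_applied() {
    [ -f "${1:-$FLAG_DIR}/$FLAG_NAME" ]
}

# preflight ZIP -> 0 when it is safe to run ./HW-154129-applyPatch.sh on this node.
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo from sshuser)" >&2; return 1; }
    archive_checksum_ok "$1" "$EXPECTED_SHA256" || { echo "archive missing or checksum mismatch: $1" >&2; return 1; }
    if hotfix_applied; then
        echo "already applied: $FLAG_DIR/$FLAG_NAME exists" >&2
        return 1
    fi
    echo "pre-flight OK: snapshot the appliance and database, then unzip and run the patch script"
}

# cluster_flags NODE... -> one line per node, "applied" or "MISSING"; returns 1
# if any node lacks the flag. Runs the check over SSH as sshuser (assumed
# reachable with key-based login, so BatchMode never prompts).
cluster_flags() {
    rc=0
    for node in "$@"; do
        if ssh -o BatchMode=yes "sshuser@$node" "test -f $FLAG_DIR/$FLAG_NAME" 2>/dev/null; then
            echo "$node: applied"
        else
            echo "$node: MISSING"
            rc=1
        fi
    done
    return $rc
}

# Usage (node names are placeholders):
#   sh hotfix_check.sh preflight /root/HW-154129-Appliance-3.3.6.zip
#   sh hotfix_check.sh cluster vidm-node1.example.local vidm-node2.example.local
case ${1:-} in
    preflight) preflight "$2" ;;
    cluster)   shift; cluster_flags "$@" ;;
esac
```

Run `preflight` on each node before step 3 and `cluster` from any node after the last node has been patched; a "MISSING" line is a node that is still unpatched for VMSA-2022-0011 and needs the steps repeated.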