REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: USER ENVIRONMENT MANAGER ARCHITECTURE


Table of Contents

Component Design: User Environment Manager Architecture

– User Profile Strategy

– Infrastructure

– Key Design Considerations

– Multi-site Design

– Installation

– Next Steps


VMware Workspace ONE Cloud-Based Reference Architecture - Component Design: User Environment Manager Architecture

Component Design: User Environment Manager Architecture

VMware User Environment Manager™ provides profile management by capturing user settings for the operating system and applications. Unlike traditional application profile management solutions, User Environment Manager does not manage the entire profile. Instead it captures settings that the administrator specifies. This reduces login and logout time because less data needs to be loaded. The settings can be dynamically applied when a user launches an application, making the login process more asynchronous. User data is managed through folder redirection.

Figure: User Environment Manager

Note: VMware App Volumes™ AppStack applications are not currently supported on Microsoft Azure.

User Environment Manager is a Windows-based application that consists of the following components.


Table: User Environment Manager Components

Component | Description

Active Directory Group Policy
- Mechanism for configuring User Environment Manager.
- ADMX template files are provided with the product.

NoAD mode XML file
- An alternative to using Active Directory Group Policy for configuring User Environment Manager. With NoAD mode, you do not need to create a GPO, write logon and logoff scripts, or configure Windows Group Policy settings.

IT configuration share
- A central share (SMB) on a file server, which can be a replicated share (DFS-R) for multi-site scenarios, as long as the path to the share is the same for all client devices.
- Is read-only to users.
- If using DFS-R, it must be configured as hub and spoke. Multimaster replication is not supported.

Profile Archives share
- File shares (SMB) to store the users’ profile archives and profile archive backups.
- Is used for read and write by end users.
- For best performance, place archives on a share near the computer where the User Environment Manager FlexEngine (desktop agent) runs.

UEM FlexEngine
- The User Environment Manager Agent that resides on the virtual desktop or RDSH server VM being managed.

Application Profiler
- Utility that creates a User Environment Manager Flex configuration file from an application by determining where the application stores configuration data in the registry and file system. User Environment Manager can manage settings for applications that have a valid Flex configuration file in the configuration share.

Helpdesk Support Tool
- Allows support personnel to reset or restore user settings.
- Enables administrators to open or edit profile archives.
- Allows analysis of profile archive sizes.
- Includes a log file viewer.

Self-Support
- Optional self-service tool to allow users to manage and restore their configuration settings on an environment setting or application.

The following figure shows how these components interact.


Figure: User Environment Manager Logical Architecture

User Profile Strategy

A Windows user profile is made of multiple components, including profile folders, user data, and the user registry. See About User Profiles for more information about Windows user profiles.

There are a number of user profile types, such as local, roaming, and mandatory. User Environment Manager complements each user profile type, providing a consistent user experience as end users roam from device to device. User Environment Manager is best-suited to run long-term with local and mandatory profile types. See User Environment Manager Scenario Considerations in the VMware User Environment Manager documentation for more information and considerations when using roaming profiles.

Folder redirection can be used to abstract user data from the guest OS, and can be configured through GPO or using the User Environment Manager user environment settings.


Figure: User Environment Manager User Profile Strategy

Design decision: Mandatory profiles and folder redirection were used in this reference architecture. A mandatory user profile is a preconfigured roaming user profile that specifies settings for users. With mandatory user profiles, a user can modify their desktop during a session, but the changes are not saved when the user logs out. Because all settings are managed by User Environment Manager, there is no need to persist these settings on log-out.

To learn more, see the blog post VMware User Environment Manager, Part 2: Complementing Mandatory Profiles with VMware User Environment Manager.

We followed the process outlined in Creating an Optimized Windows Image for a VMware Horizon Virtual Desktop to create the mandatory profile. Restrictions in the Microsoft Azure interface interfere with the creation of a mandatory profile on an Azure VM. Instead, we completed the process on a vSphere VM in the on-premises data center, and copied the mandatory profile to Azure.

Important: If you take this approach, use the same Windows build and profile version when building the mandatory profile as you will deploy in Horizon Cloud on Microsoft Azure. See the VMware Horizon Cloud Service on Microsoft Azure Release Notes in the VMware Horizon Cloud Service on Microsoft Azure documentation for a list of supported guest OS versions. For a list of associated profile versions, see Create Mandatory User Profiles.

Infrastructure

User Environment Manager requires little infrastructure. AD GPOs are used to specify User Environment Manager settings, and SMB shares are used to host the configuration data and profile data. Administrators use the User Environment Manager Management Console to configure settings.


Figure: User Environment Manager Infrastructure

Design decision: Active Directory Group Policy was chosen over NoAD mode. This design choice provides the flexibility to apply different user environment configuration settings for different users. An ADMX template is provided to streamline configuration.

If you choose to use NoAD mode:

The FlexEngine agent must be installed in NoAD mode.

Important: If you use the Import Image wizard from the Azure Marketplace with Horizon Cloud on Microsoft Azure, the FlexEngine agent will be automatically installed for use with GPOs. You will need to reinstall the agent in NoAD mode.

Be sure to configure your User Environment Manager configuration share before installing the FlexEngine agent. You must specify the path to the configuration share as part of the NoAD-mode installation process.

Key Design Considerations

When designing an infrastructure for User Environment Manager, use the following guidelines:

Use DFS-R or file-server clustering to provide HA to configuration and user shares.


DFS-R can only be hub and spoke. Multimaster replication is not supported.

See the Microsoft KB article Microsoft’s Support Statement Around Replicated User Profile Data for supported scenarios.

Use loopback processing when applying the GPO settings to computer objects.

Multi-site Design

User Environment Manager data consists of the following types. This data is typically stored on separate shares and can be treated differently for availability:

IT configuration data – IT-defined settings that give predefined configuration for the user environment or applications

Profile archive (user settings and configuration data) – The individual end user’s customization or configuration settings

It is possible to have multiple sets of shares to divide the user population into groups. This can provide separation, distribute load, and give more options for recovery. By creating multiple User Environment Manager configuration shares, you create multiple environments. You can use a central installation of the Management Console to switch between these environments and export and import settings between environments. You can also use User Environment Manager group policies to target policy settings to specific groups of users, such as users within a particular Active Directory OU.

To meet the requirements of having User Environment Manager IT configuration data and user settings data available across two sites, this design uses Distributed File System Namespace (DFS-N) for mapping the file shares.

Although we used DFS-N, you are not required to use DFS-N. Many different types of storage replication and common namespaces can be used. The same design rules apply.

IT Configuration Share

For IT configuration file shares, DFS-N is fully supported.

Note: The configuration share should allow users only to read and not to write or make any changes. Only administrators should be able to make changes to the content of the share.
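
One way to check the read-only requirement above against the configuration share's NTFS ACL, as an added PowerShell example that is not part of the VMware guide. The CONTOSO principals, the UNC path placeholder and the function name Find-NonAdminWriteAce are assumptions made for illustration.

```powershell
# Added example: flag NTFS ACEs that let non-admins change the UEM config share.
# Principal names and the UNC path are hypothetical placeholders.
$aceType = 'System.Security.AccessControl.FileSystemAccessRule'

# Rights that allow creating, changing, deleting or re-permissioning content.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Get-Acl can report raw generic bits on inherit-only ACEs; count
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) as write access too.
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Find-NonAdminWriteAce {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemAccessRule[]] $Rule,
        # Principals that are expected to change the share's content.
        [Parameter(Mandatory)]
        [string[]] $AllowedWriter
    )
    foreach ($ace in $Rule) {
        # Deny ACEs only remove access; they cannot make the share writable.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        $grantsWrite = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
        if ($grantsWrite -and ($AllowedWriter -notcontains $identity)) {
            [pscustomobject]@{
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample ACL (not from a real share). The last entry is the
# misconfiguration to catch: ordinary users can modify the configuration share.
$sampleAcl = @(
    New-Object $aceType ('BUILTIN\Administrators', 'FullControl', 'Allow')
    New-Object $aceType ('CONTOSO\UEM-Admins', 'Modify', 'Allow')
    New-Object $aceType ('CONTOSO\Domain Users', 'ReadAndExecute', 'Allow')
    New-Object $aceType ('NT AUTHORITY\Authenticated Users', 'Modify', 'Allow')
)

$admins = 'BUILTIN\Administrators', 'CONTOSO\UEM-Admins'
Find-NonAdminWriteAce -Rule $sampleAcl -AllowedWriter $admins | Format-Table -AutoSize

# Against a live share, pass the real ACL instead of the sample:
#   $rules = @((Get-Acl '\\<fileserver>\<UEMConfigShare>').Access)
#   Find-NonAdminWriteAce -Rule $rules -AllowedWriter $admins
```

The check covers NTFS permissions only; SMB share-level permissions are evaluated separately. Built-in principals such as NT AUTHORITY\SYSTEM must be listed in -AllowedWriter if they are expected to hold write access.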


Figure: IT Configuration Share – Supported DFS Topology

Profile Archive Shares

For user settings file shares, DFS-N is fully supported.


Figure: Profile Archive Shares – Supported DFS Topology

Switching to another file server in the event of an outage requires a few simple manual steps:

1. Manually disable the active DFS-N folder target.
2. Enable the passive DFS-N folder target.
3. Remove the read-only option on the target.


Figure: Profile Archive Shares – Failover State

The User Environment Manager Management Console can be installed on as many computers as desired. If the Management Console is not available after a disaster, you can install it on a new management server or on an administrator’s workstation and point that installation to the User Environment Manager configuration share.

Installation

You can install and configure User Environment Manager in a few easy steps:

1. Create SMB file shares for configuration data and user data.
2. Import ADMX templates for User Environment Manager.
3. Create Group Policy settings for User Environment Manager.
4. Install the FlexEngine agent on the virtual desktop or RDSH server VMs to be managed.
   - If you manually create a master VM, install the FlexEngine agent according to the VMware User Environment Manager documentation.
   - The FlexEngine agent is automatically installed when the image is created using the Import Image wizard to import from the Azure Marketplace.
   - The installation directory defaults to C:\Program Files\VMware\HorizonAgents\User Environment Manager.
5. Install the User Environment Manager Management Console and point to the configuration share.

Refer to Installing and Configuring User Environment Manager in the VMware User Environment Manager documentation for detailed installation procedures. Also see the Quick-Start Tutorial for User Environment Manager. We used User Environment Manager 9.4.

Next Steps

After installing User Environment Manager, perform the following tasks to verify functionality:

Install the User Environment Manager Agent (FlexEngine agent) on one or more virtual desktop or RDSH server VMs to be managed.

Set a few customizations (for example, desktop shortcuts for VLC, Notepad++).

Use the Management Console to download and use configuration templates for one or more applications. Configuration templates are preconfigured Flex configuration files that are designed to facilitate the initial implementation of popular applications.

The configuration templates are starter templates that you must test in your environment and possibly modify to suit the needs of your organization. See Download Configuration Templates in the VMware User Environment Manager Administration Guide.

(Optional) Use the Easy Start feature when performing a proof of concept. Easy Start is not recommended for production implementations.

Important: If the FlexEngine agent was automatically installed in your Windows desktop image as part of the Horizon Cloud on Microsoft Azure Import Image wizard, any desktop shortcut that references FlexEngine.exe will need to be modified to reflect the correct executable path.

Log in to the virtual desktop or RDSH-published application and verify that User Environment Manager has made the requested changes.

Check the user log to verify that User Environment Manager is working, or troubleshoot if it is not working as expected. The logs folder is in the SMB share specified for user data.

Familiarize yourself with Horizon Smart Policies and Horizon Client Property conditions. See Using Smart Policies in Configuring Remote Desktop Features in Horizon 7 for requirements, settings, and configuration details.


Important: Take note of the following nuances when using Smart Policies with Horizon Cloud Service with Microsoft Azure as opposed to Horizon 7.

The Horizon Client Property Pool Name applies to pools in Horizon 7, but in Horizon Cloud, this property applies to a similar construct called an Assignment.

The Horizon Client Property Launch Tags is applicable only to Horizon 7. Horizon Cloud Service on Microsoft Azure does not support the Launch Tags property.


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.