Mobility means everything these days. Phones and tablets are dominating our world and it’s becoming more and more challenging to avoid them. Just the other day I met a friend at a coffee shop and paid for my drink on the store’s iPad. Later we went out to dinner and every table was equipped with tablets where you could order your food and play games while you waited.
Being the EUC advocate that I am, this got me thinking about application and desktop delivery on a public device utilizing Horizon View. Tablets are where it’s at, but what’s to stop the user from killing the app and downloading Pokémon GO instead? What sort of security can be utilized to lock down the device?
In this post, we’re going to walk through how to set an iPad to run in Kiosk Mode for Horizon View. Normally, Kiosk Mode allows access to a View resource via the client device’s MAC address rather than username and password. The issue with this is that it only supports Thin Clients, Zero Clients, Windows Clients, and Linux Clients. This is going to cause us to redefine Kiosk Mode for iPad as a locked down iPad that runs nothing but Horizon View and the entitled Horizon content using a common username/password. Don’t worry though, this isn’t too far-fetched of an idea.
From VMware’s Kiosk Mode White Paper:
“In some circumstances, however, an administrator might require all kiosk users to log in to the View desktop with the same, predetermined username and password. This scenario can be desirable when use of the kiosk or an application is restricted to a known set of users, such as company employees or registered students, but is not available to the general public. In this case, people who know the password can use the kiosk, but these users are not identified by personal credentials.
Because kiosks are usually placed in public locations, kiosk mode is not recommended for transactions that require transfer of sensitive information, such as credit card numbers, user email addresses and passwords, or patient records.”
If you’re looking to utilize an iPad (or any iOS device) for the sole purpose of running a Virtual Desktop or Virtualized Application, and wish to restrict the use of the iPad to that single resource, follow these steps.
Disclaimer: There is no official iPad Kiosk Mode offered by VMware. We will be working around this using a feature of iOS called Guided Access.
If you aren’t familiar with Guided Access in iOS, it’s a neat feature that allows you to
- Restrict your iOS device to a single application
- Disable specified areas of the screen to reduce tampering
- Disable home/power/volume buttons
- Read more about Guided Access here.
The end result we’re looking for is an iPad that is locked to running Horizon View and the properly entitled content (virtual desktops, apps, etc.).
Configure Horizon View for iPad Kiosk Users
- Create your Kiosk Users Security Group in Active Directory and add or create the users. In our example, we’ll create Security Group Kiosk Users and add users Kiosk 1 and Kiosk 2 to the group. Remember, because we can’t configure a login via the iPad’s MAC address, we’ll want to set up user accounts where the username and password can be shared.
Creating a Kiosk User and a Security Group for them to live
- Create your Kiosk Pools in Horizon Administrator (be it a desktop pool or application pool) and entitle the users. We will be entitling our Kiosk Users group to the Linked Clone Pool Win7-Float which has a display name of Hall of Justice. I recommend configuring a non-persistent pool that refreshes upon logoff.
Entitle Kiosk users to the desired pool/resource
- Verify access to the pool for your Kiosk Users from a client device with Horizon Client already installed. Here I tested a login from my Mac with the user Kiosk1 and verified they see their one and only entitlement, Hall of Justice
Configure the iPad for Guided Access
From Apple’s Support Site:
- Tap Settings > General > Accessibility > Guided Access
- Turn Guided Access on
- Set a passcode that controls the use of Guided Access and prevents someone from leaving an active session
- Enable the Accessibility Shortcut to allow triple-click of the Home Button Settings > General > Accessibility > Guided Access
Now, let’s open the Horizon Client app (click here to download from iTunes if you haven’t already). Once the app has been launched, Triple Click the Home button and you will see Guided Access offer a few more settings before it’s enabled.
You can circle the sections of the screen that you’d like to disable for the end user. This could prevent them from adding new Horizon Servers, changing the applications Settings, etc.
Once you click Start, you will notice the disabled sections of the screen.
The grey circles indicate disabled sections of the screen
Notice if you attempt to push the power button, home button, or take a screenshot, Guided Access will prompt you Triple-click the home button and enter the configured password first.
iPad is isolated to Horizon View
The last setting you may find useful is auto-connecting to the desired desktop. You can get all the way logged in to present the desktop or application, and choose to connect to that resource by default for your Kiosk User.
I hope you found this post useful! Thanks for following along and be sure to check back often on VMware’s TAM blog!
Ryan Klumph is a Technical Account Manager for VMware’s VTA Services. Based in Colorful Colorado, Ryan has been with VMware since 2011 in many capacities from GSS to PSO. Ryan runs a personal blog at https://thatvirtualboy.com. Connect with Ryan on Twitter!