Ensuring Endpoint Device Compliance for VMware Horizon Access

Jan 3, 2018
Mark Benson

Author:

Mark Benson is a senior staff engineer for the VMware EUC CTO Office (specializing in desktop and application virtualization technologies such as authentication, security, HA and remote access) and senior architect for VMware UAG, based in London. Mark also works with VMware technology partners.


A new Horizon security feature, endpoint compliance check, ensures that all client devices accessing VMware Horizon virtual desktops and applications comply with a set of administrator-defined device policies; the check is made after user authentication. VMware partnered with security software company OPSWAT to enable this feature through OPSWAT MetaAccess, a cloud-based access control solution that helps organisations enforce endpoint compliance, and VMware Unified Access Gateway (UAG), typically used to provide security protection when remotely accessing Horizon desktops and applications.

Administrators can carefully control access by Horizon clients based on endpoint client device characteristics, such as antivirus levels; operating system versions and patch levels; and client device features such as password protection, screen lock and encrypted hard drives. This feature is particularly beneficial in bring-your-own-device (BYOD) use cases, where an organisation has no control over the management of the user’s client device.

[Figure: endpoint compliance check sequence]

This diagram illustrates the sequence of endpoint compliance checks made with this feature for secure access to Horizon.

VMware UAG 3.1.1 and newer can be configured to perform endpoint compliance checks for all devices remotely accessing a Horizon environment for virtual desktops and applications. This 18-minute video describes and demonstrates this new feature and goes through configuration details for both OPSWAT MetaAccess and VMware UAG.

FAQs

How is this new feature licensed?

To use this feature, you must have a Horizon license and a license to deploy OPSWAT MetaAccess agents on all client devices.

Which client operating systems are supported?

Currently, this feature is supported for Windows and macOS clients.

How can I set my definition for what constitutes a compliant device?

You do this directly through the OPSWAT console webpage. It allows a very comprehensive set of compliance features to be specified.

Does the compliance check take a long time for every desktop or application launch?

No. The status of the device is continuously updated in the OPSWAT cloud, independently of any UAG checks, so at any time the OPSWAT cloud already knows the current status of each device. As a result, the check made by UAG is very quick, usually completed in a fraction of a second, and is not noticeable by the user.

What is the user interface like for this?

For a user with a compliant device accessing a Horizon virtual desktop or application, there is no change to the user interface. It just works as before.

A user with a non-compliant device will not be able to launch a virtual desktop or application session. Instead, the user will see an error message indicating that their client device does not comply with the service access policy.

This error message appears after attempted access using a non-compliant device, which is denied Horizon Client access.

The user can click the MetaAccess system tray icon to get more information on exactly what is wrong and what to do about it. In the example below, the policy requires that the client device disk is encrypted, and this client device does not have an encrypted disk. For most compliance issues, the user will already know whether their device is compliant or not, so in the vast majority of cases the user will never see this error message.

[Figure: non-compliant endpoint device shown in MetaAccess]

Here, the user can find out why their device isn’t in compliance and how to fix the issue(s).

What about HTML Access?

Many customers want to use endpoint compliance checks for the BYOD use case, when employees or contractors provide their own client computer.

When Horizon Client runs on native operating systems, such as Windows and macOS, users have access to advanced remote features such as client drive redirection (CDR) and USB redirection. These features make it easy for users to move files between their virtual desktop and the local client machine, and so an administrator may want to use compliance checks to ensure the use of an encrypted drive and particular levels of antivirus protection and operating system patches.

However, Horizon HTML Access doesn’t support CDR and USB redirection, and so compliance checks for HTML Access are less necessary and unsupported by this feature. Instead, UAG provides a separate policy for HTML Access, to simply allow or deny access.

Many administrators will be content allowing HTML Access without the compliance check capabilities. Administrators who require that all devices are checked can disable HTML Access to ensure that only compliant Windows and macOS devices are granted access.

Is this feature supported for VMware Workspace ONE launch for Horizon access?

Yes. Irrespective of whether the user connects directly from launching Horizon Client or whether their Horizon session is launched from Workspace ONE, UAG will perform the compliance check at the time of virtual desktop or application launch if configured to do so.

More Information

Refer to the OPSWAT Integration Guide for details on configuring OPSWAT MetaAccess and UAG for this feature.
