How to Manage Horizon Full Clone VDI using Workspace ONE UEM
Horizon offers several types of VDI, and each type has a different use case.
Full Clone machines are independent virtual machines, because a full clone machine does not share virtual disks with the parent virtual machine. Full clones generally perform better than linked clones. However, full clones take longer to create than linked clones.
In this post, I will walk through one particular use case: how to manage Full Clone VDIs using Workspace ONE UEM.
For this setup to work, a set of steps has to be completed on both the WS1 UEM side and the Horizon side.
Let’s start with Workspace ONE UEM.
Configurations on WS1 UEM:
Since we would like to keep virtual devices separate from physical devices, let us create a new OG using the steps below.
Step - 1
Navigate to Groups & Settings > Groups > Organization Groups > Details.
Select the Add Child Organization Group tab and complete the following settings
Step - 2
Once the OG is created, we consider enrollment for these VMs. Since we create the full clones and distribute them to colleagues, we don’t want to intervene or manually run the enrollment process for each device, so the staged enrollment procedure is the best option for this use case.
Navigate to Accounts > Users > List View and then select Add > Add User.
In the Add/Edit User page, on the General tab, enter the general information (Username, Password, Full name, email address) for a single staging user.
In the Advanced tab, under Staging, enable Device Staging and Single User Devices.
Select Save to save the enrollment user.
Step - 3
Our next goal is to make sure that after the staged enrollment, when the actual user logs in to the VM, the checkout happens in the same OG, which is the VDI OG. We don’t want the device going back to the parent OG or to some other OG.
To make this possible, follow the steps below:
Navigate to Groups & Settings > All Settings > Devices & Users > General.
Shared Device: under Grouping, select "Fixed Organization Group".
Enrollment: select "Override" instead of "Inherit", so that a device enrolling with this Group ID and server lands in this OG.
The configuration on the WS1 UEM side is now complete, so the next step is to complete the rest of the setup on the Horizon side.
Configurations on Horizon View:
The Horizon admin console pool settings have no option for a Full Clone pool to place the device in a specific OU in AD, so we created a custom domain join script that joins the device to a predefined OU named in the script. We can predefine the AD OU in an unattended XML file that is triggered after Sysprep, or we can build a PowerShell script that is triggered through the RunOnce key. Here is the sample script which I am using in my lab. As I mentioned earlier, we have to enroll the virtual machine in WS1 with the staging account. The enrollment script, which is used later, is also listed below.
Domain Join Script (code can be downloaded from GitHub)
Workspace ONE Enrollment Script (code can be downloaded from GitHub)
We have to create a VM customization profile for the full clone pool, so that we can use the scripts for the domain join and the Workspace ONE enrollment.
Open the vSphere web client and navigate to the Policies and Profiles option from the menu.
Select VM Customization Specifications > click + New.
Name and target OS
Name: Windows 10-FC-Domain Join-WS1
Description: Custom Spec for W10 Full Clone VDI
Target OS: Windows
Select Generate a new security identity (SID)
Owner name: SantoshTech
Owner organization: SantoshTech
Use the virtual machine name
Provide the Admin Password
Number of times to logon automatically - 2
Specify a time zone for the virtual machine.
Commands to run once
Enter the commands to run the first time a user logs on.
Note: We add the domain join script and the Workspace ONE enrollment script under Run Once, so make sure the scripts are copied to the parent template at the path referenced in the commands.
Specify the network settings for the virtual machine: use the default.
Workgroup or domain
Select - WORKGROUP
Ready to complete
As mentioned above, once the domain join is completed, the VM restarts and automatically logs in as administrator, as configured in the auto-logon step of the customization specification.
After the restart, the automatic logon triggers the Workspace ONE staging script, which downloads the latest WS1 agent and stages the device, then restarts the computer to make it available.
The device is now ready with staging enrollment, and once an end user logs in, the device is assigned to the logged-in user.
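The two-stage flow described above (the domain join into a predefined OU, then the staged Workspace ONE enrollment after the automatic logon) can be written as one PowerShell script. This is an added example, not the author's GitHub code: the domain, OU, account names, server URL, Group ID and file paths are placeholders, and it assumes the agent MSI is already staged in the parent template instead of being downloaded.

```powershell
# Added example. Every value marked PLACEHOLDER is hypothetical; replace it for your environment.
param([ValidateSet('DomainJoin', 'Enroll')][string]$Stage = 'DomainJoin')

$ErrorActionPreference = 'Stop'
$Domain    = 'corp.example.com'                            # PLACEHOLDER
$OUPath    = 'OU=VDI-FullClone,DC=corp,DC=example,DC=com'  # PLACEHOLDER: predefined target OU
$JoinUser  = 'CORP\svc-vdi-join'                           # PLACEHOLDER: join rights on $OUPath only
$JoinPass  = '<join-account-password>'                     # PLACEHOLDER
$AgentMsi  = 'C:\Scripts\AirwatchAgent.msi'                # PLACEHOLDER: staged in the parent template
$Ws1Server = 'https://ds.example.com'                      # PLACEHOLDER: device services URL
$Ws1Group  = '<vdi-og-group-id>'                           # PLACEHOLDER: Group ID of the VDI OG
$StageUser = '<staging-user>'                              # PLACEHOLDER: staging account from Step 2
$StagePass = '<staging-password>'                          # PLACEHOLDER
$RunOnce   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$Log       = 'C:\Windows\Temp\vdi-provision.log'

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ("{0:u} [{1}] {2}" -f (Get-Date), $Stage, $Message)
}

try {
    if ($Stage -eq 'DomainJoin') {
        if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
            Write-Log 'Already domain joined; skipping join.'
        } else {
            $secure = ConvertTo-SecureString $JoinPass -AsPlainText -Force
            $cred   = New-Object System.Management.Automation.PSCredential($JoinUser, $secure)
            Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred
            Write-Log "Joined $Domain in $OUPath."
        }
        # Queue the enrollment stage for the next automatic logon, then reboot.
        $next = "powershell.exe -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Stage Enroll"
        Set-ItemProperty -Path $RunOnce -Name 'WS1Enroll' -Value $next
        Restart-Computer -Force
    } else {
        # Silent install that enrolls with the staging user and hands the device to the first real logon.
        $msiArgs = @('/i', "`"$AgentMsi`"", '/quiet', 'ENROLL=Y',
                     "SERVER=$Ws1Server", "LGName=$Ws1Group",
                     "USERNAME=$StageUser", "PASSWORD=$StagePass", 'ASSIGNTOLOGGEDINUSER=Y')
        $p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        Write-Log "Agent installer exit code $($p.ExitCode)."
        # The script holds two sets of credentials, so delete it whether or not the install succeeded.
        Remove-Item -Path $PSCommandPath -Force
        if ($p.ExitCode -in 0, 3010) { Restart-Computer -Force }
    }
} catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    throw
}
```

Because the script carries both the join and the staging credentials, limit the join account to computer-object rights on the target OU and confirm the script is gone from the finished clone.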
Validation in Horizon & WS1 UEM Console
Log in to the VMware Horizon Administrator Console and verify the VM (VMC-FCD-ENG-01). Its status shows as Available because it is not yet assigned to any end user.
Now log in to the Workspace ONE UEM console and verify that the same device is enrolled with the staging user we created earlier.
Next, in the VMware Horizon Administrator Console, entitle the user to the Full Clone pool, then log in from the Horizon Client to check the status of the same device.
As shown above, the same computer is connected to VMware Workspace ONE MDM. Now let's go back to the Workspace ONE UEM console to verify that the device is assigned to the real user instead of the staging user.
Finally, we can see that the device is managed in Workspace ONE UEM.
Source Code from GitHub
That's all, guys. I will discuss more about Workspace ONE UEM in my upcoming posts, so stay tuned.