Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1


You can find the most up-to-date technical documentation on the VMware Web site at:
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to:
Copyright VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc Hillview Ave. Palo Alto, CA

Contents

Setting Up Resources in VMware Identity Manager (On Premises)

1 Introduction to Setting Up Resources in VMware Identity Manager

2 Providing Access to Web Applications
  Adding Web Applications to Your Organization's Catalog
  Entitling Users and Groups to Web Applications
  Using Provisioning Adapters
  Additional Information

3 Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools
  Integrating Independent View Pods
  Integrating View Cloud Pod Architecture (CPA) Deployments
  Enabling Multiple Client Access URLs for Custom Network Ranges
  Viewing the Connection Information for View Desktop and Application Pools
  Viewing User and Group Entitlements to View Desktop and Application Pools
  Setting the Deployment Type for View Entitlements
  Viewing Launch Options for View Desktops and Applications
  Launching a View Desktop or Application
  Allowing Users to Reset Their View Desktops in VMware Identity Manager
  Setting Access Policies for Specific Applications and Desktops
  Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in Non-Persistent View Desktops

4 Providing Access to VMware Horizon Cloud Service
  Integrating Horizon Cloud Desktops and Applications
  Viewing Details of Horizon Cloud Desktop and Application Pools
  Viewing User and Group Entitlements to Horizon Cloud Desktops and Applications
  Setting Access Policies for Specific Applications and Desktops
  Setting the Deployment Type for Horizon Cloud Entitlements
  Launching a Horizon Cloud Desktop or Application

5 Providing Access to Citrix-Published Resources
  Overview
  Components Required for Citrix Integration
  High-level Integration Design
  Prerequisites for Citrix Integration
  Configuring Citrix Server Farms in VMware Identity Manager
  Configuring Citrix Resource Launch in VMware Identity Manager
  Configuring VMware Identity Manager Settings for Citrix Integration
  Upgrade Impact on Citrix-Published Resources Integration

Troubleshooting VMware Identity Manager Resource Configuration
  Troubleshooting Horizon Integration
  Troubleshooting Citrix-Published Resources Integration

Index

Setting Up Resources in VMware Identity Manager provides instructions about how to add resources to the VMware Identity Manager catalog. The instructions include information about customizing the resources and making them available from users' systems, such as from their desktops and mobile devices. Supported resources include Web applications, Horizon desktop and application pools, and Citrix-published resources.

Intended Audience

This information is intended for anyone who configures and administers the resources for VMware Identity Manager. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology.


1 Introduction to Setting Up Resources in VMware Identity Manager

After you install and configure VMware Identity Manager, to provide users access to supported resources you must enable the resources in the VMware Identity Manager administration console. Except for Web applications, each resource type requires you to integrate VMware Identity Manager with another product or component.

You can integrate the following types of resources with VMware Identity Manager:

- Web applications
- VMware Horizon Cloud Service applications and desktops
- Horizon 7, Horizon 6, and View desktop and application pools
- Citrix-published resources

You integrate these resources from the Catalog tab in the administration console.

To integrate Web applications, you use the Add Application menu in the Catalog tab.

To integrate and enable Horizon 7, Horizon 6, or View desktop and application pools, VMware Horizon Cloud Service desktops and applications, or Citrix-published resources, you use the Manage Desktop Applications menu in the Catalog tab.

You can manage global settings for integrated resources from the Catalog > Settings page. You can manage settings for individual applications by selecting the application in the Catalog tab.


2 Providing Access to Web Applications

In the VMware Identity Manager service, you can add your organization's external Web applications and entitle users to them.

To enable users to access a Web application through the service, verify that the following requirements are met:

- If you configure the Web application to use a federation protocol, use SAML 1.1, SAML 2.0, or WS-Federation 1.2. Configuring the Web application to use a federation protocol is not a requirement.
- The users you plan to entitle to the Web application are registered users of that application, or you plan to configure the provisioning adapter for the application, if available, to provision VMware Identity Manager users in the application.
- If the Web application is a multitenant application, the service points to your instance of the application.

This chapter includes the following topics:

- Adding Web Applications to Your Organization's Catalog
- Entitling Users and Groups to Web Applications
- Using Provisioning Adapters
- Additional Information

Adding Web Applications to Your Organization's Catalog

You can add your organization's Web applications to your catalog and make these applications accessible to your users and groups.

When you add an entry for a Web application to the catalog, you create an application record and configure the address of the Web application. The VMware Identity Manager service uses the application record as a template to establish a secure connection with the Web application.

The following methods can be used to add application records of Web applications to your catalog from the Catalog tab.

Method: From the cloud application catalog
Description: Popular enterprise Web application types are listed in the cloud application catalog. These applications are partially configured. You must complete the rest of the application record form.

Method: Create a new one
Description: You can add Web applications to your catalog that are not listed in the cloud application catalog. The application records for these Web applications are more generic than those of cloud application catalog applications. You enter the application description and configuration information to create the application record.

Method: Import a ZIP or JAR file
Description: You can import a Web application that you previously configured in the service. You might want to use this method to move a deployment from staging to production. In such a situation, you export a Web application from the staging deployment as a ZIP file. You then import the ZIP file to the production deployment.

After you add Web applications to the catalog, you can configure entitlements, access policies, licensing, and provisioning information.

Web applications are added in the administration console. Log in with the administrator user role assigned from your Active Directory or LDAP directory.

Add a Web Application to Your Catalog from the Cloud Application Catalog

The cloud application catalog is populated with Web applications. These applications include some information in their application records. When you add a Web application to your catalog from the cloud application catalog, you must provide additional information to complete the application record. You might also need to work with your Web application account representatives to complete other required setup.

Many of the applications in the cloud application catalog use Security Assertion Markup Language (SAML 1 or SAML 2) to exchange authentication and authorization data to verify that users can access a Web application.
When you add a Web application to the catalog, you are creating an entry that points indirectly to the Web application. The entry is defined by the application record, which is a form that includes a URL to the Web application.

You can apply an access policy to control user access to the application. If you do not want to use the default access policy, create a new one. See VMware Identity Manager Administration Guide for information about managing access policies.

1. In the administration console, click the Catalog tab.
2. Click Add Application > Web Application ...from the cloud application catalog.
3. Click the icon of the Web application you want to add.
   The application record is added to your catalog, and the Details page appears with the name and authentication profile already specified.
4. (Optional) Customize the information on the Details page for your organization's needs.
   Items on the page are populated with information specific to the Web application. You can edit some of the items, depending on the application.

   Form Item: Name
   Description: The name of the application.

   Form Item: Description
   Description: A description of the application that users can read.

   Form Item: Require VMware Browser
   Description: Enable this check box to require this application to open only in the VMware Browser when the app is accessed through the Workspace ONE app on iOS and Android devices.

   Form Item: Icon
   Description: Click Browse to upload an icon for the application. Icons in PNG, JPG, and ICON file formats, up to 4 MB, are supported. The app icons that you upload must be a minimum of 180 x 180 pixels. If the icon is too small, the icon does not display. In that case, the Workspace ONE icon is displayed.

   Form Item: Categories
   Description: To allow the application to appear in a category search of catalog resources, select a category from the drop-down menu. You must have created the category earlier.

5. Click Save.
6. Click Configuration, edit the application record's configuration details, and click Save.
   Some of the items on the form are prepopulated with information specific to the Web application. Some of the prepopulated items are editable, while others are not. The information requested varies from application to application.
   For some applications, the form has an Application Parameters section. If the section exists for an application and a parameter in the section does not have a default value, provide a value to allow the application to launch. If a default value is provided, you can edit the value.
7. Select the Entitlements, Licensing, and Provisioning tabs and customize the information as appropriate.

   Tab: Entitlements
   Description: Entitle users and groups to the application. You can configure entitlements while initially configuring the application or anytime in the future.

   Tab: Access Policies
   Description: Apply an access policy to control user access to the application.

   Tab: Licensing
   Description: Configure license tracking. Add license information for the application to track license use in reports.

   Tab: Provisioning
   Description: Select a provisioning adapter, if applicable. Provisioning provides automatic application user management from a single location. Provisioning adapters allow the Web application to retrieve specific information from the VMware Identity Manager service as required. For example, to enable automatic user provisioning to Google Apps, user account information, such as the user name, first name, and last name must exist in the Google Apps database. An application might require other information, such as group-membership and authorization-role information. See Using Provisioning Adapters for more information.

What to do next

For details about adding user and group entitlements for Web applications, see Entitling Users and Groups to Web Applications.

Add Web Application to Your Catalog to Match Application Records

You can add Web applications to your catalog that are not listed in the cloud application catalog. You create an application record when you add the Web application.

When you create an application record for a Web application that you add to your catalog, you select the authentication profile to use to authenticate users when they access the application.

Many applications use Security Assertion Markup Language (SAML) to exchange authentication and authorization data to verify that users can access a Web application.

Web applications that cannot use Federation for authentication can be configured with either the HTTP Basic or HTML Form authentication profile. This type of authentication profile provides a single sign-on experience for users. Security benefits inherent to a federation protocol, such as user deprovisioning, are not included.

The following authentication profiles are supported in VMware Identity Manager.

- SAML 2.0 POST Profile. The SAML 2.0 authentication profile enables single sign-on from VMware Identity Manager to the Web application.
- SAML 1.1 POST Profile. SAML 1.1 is an older SAML authentication profile. For better security, implement SAML 2.0.
- WSFed 1.2 POST Profile. When the Web app supports WS-Federation authentication, select this authentication type to provide single sign-on to those Web applications.
- HTTP Basic authentication uses the user name and password to authenticate the user against a Web application. The login request is managed by the browser. When users log in to the Web application the first time, they are asked for their user name and password. The Workspace ONE browser extension collects the credentials and securely stores them in VMware Identity Manager for replay on subsequent login attempts. Users reenter credentials only when the credentials are changed.
- HTML Form authentication can be configured for Web applications that use an HTML login page. You configure VMware Identity Manager to recognize the user name and password login fields. The Workspace ONE browser extension collects the credentials and securely stores them in VMware Identity Manager for replay on subsequent login attempts. Users reenter credentials only when the credentials are changed.

You can also select No Authentication. VMware Identity Manager does not manage the authentication.

Workspace ONE Extension

To have the single sign-on experience with Web applications that use HTTP Basic and HTML Form authentication, the Workspace ONE extension must be installed in the browser. The extension enables a secure, single sign-on experience on desktop Web browsers.

The Workspace ONE browser extension must be added to the users' browsers to benefit from a single sign-on experience for HTTP Basic and HTML Form applications. The admin configures a profile to understand custom third-party Web applications. The extension downloads this profile. This extension records and replays user credentials. The extension supports user names, passwords, and other generic text fields.

When users are entitled to an application that uses HTTP Basic or HTML Form authentication profiles, they are asked to install the Workspace ONE browser extension from the Workspace ONE Web portal. A banner at the bottom of the portal prompts users to install the extension. If users decline to install the extension, another prompt displays when users try to access an application in their portal that can take advantage of the extension.

If the Workspace ONE extension is not installed, users must enter their credentials to access the application.

Add a Web Application to Your Catalog by Creating a New Application Record

You can add Web applications to your catalog that are not listed in the cloud application catalog. You create an application record when you add the Web application.

When you successfully complete the application record for a Web application, an entry is created in your catalog that points indirectly to the Web application, and the Web application and the VMware Identity Manager service can use SAML to communicate with each other.

You can apply an access policy to control user access to the application. If you do not want to use the default access policy, create a new one. See VMware Identity Manager Administration Guide for information about managing access policies.

1. In the administration console, click the Catalog tab.
2. Click Add Application > Web Application ...create a new one.
   The application record is added to your catalog, and the system displays the record's Details page.
3. Complete the information on the Details page, and click Next.

   Form Item: Name
   Description: Provide the name of the application.

   Form Item: Description
   Description: (Optional) Provide a description of the application.

   Form Item: Icon
   Description: (Optional) Click Browse to upload an icon for the application. Icons in PNG, JPG, and ICON file formats, up to 4 MB, are supported. The app icons that you upload must be a minimum of 180 x 180 pixels. If the icon is too small, the icon does not display. In that case, the Workspace ONE icon is displayed.

   Form Item: Authentication Profile
   Description: Specify the appropriate federation protocol, if any.

4. In the Configuration page, edit the application record's configuration details as necessary, and click Save.
   Some of the items on the form are prepopulated.
   When the SAML 2.0 POST Profile is selected on the Details page, the Configuration page includes the Configure Via section. Use the options in the Configure Via section to specify how the application metadata is retrieved. You can select retrieval by auto-discovery URL, meta-data XML, or manual configuration.

   Option: Auto-discovery (meta-data) URL
   Action: If the XML metadata is accessible on the Internet, provide the URL.

   Option: Meta-data XML
   Action: If the XML metadata is not accessible on the Internet, but is available to you, paste the XML in the text box.

   Option: Manual configuration
   Action: If the XML metadata is not available to you, complete the XML manual configuration items.

5. Select the Entitlements, Licensing, and Provisioning tabs and customize the information as appropriate.

   Tab: Entitlements
   Description: Entitle users and groups to the application. You can configure entitlements while initially configuring the application or anytime in the future.

   Tab: Access Policies
   Description: Apply a Web application-specific access policy to control user access to the application.

   Tab: Licensing
   Description: Configure license tracking. Add license information for the application to track license usage in reports.

   Tab: Provisioning
   Description: Select a provisioning adapter, if applicable. Provisioning provides automatic application user management from a single location. Provisioning adapters allow the Web application to retrieve specific information from the VMware Identity Manager service as required. For example, to enable automatic user provisioning to Google Apps, user account information, such as the user name, first name, and last name must exist in the Google Apps database. An application might require other information, such as group-membership and authorization-role information. See Using Provisioning Adapters for more information.
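
An added example, not part of the VMware documentation: before supplying application metadata through the Configure Via options in step 4, an administrator can review the Web application's SAML 2.0 service provider metadata offline. The sketch uses only the Python standard library; the function name review_sp_metadata, the app.example.com host, and the three sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD_NS}

# Constructed sample metadata for a hypothetical application (app.example.com).
SAMPLE_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/sp">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed weak variant: plain-http ACS and no WantAssertionsSigned.
SAMPLE_WEAK = SAMPLE_OK.replace(' WantAssertionsSigned="true"', "").replace(
    "https://app.example.com/saml/acs", "http://app.example.com/saml/acs")

# Constructed hostile variant: SAML metadata never needs a DTD.
SAMPLE_DTD = '<!DOCTYPE md [<!ENTITY a "aaaa">]>\n' + SAMPLE_OK


def review_sp_metadata(xml_text):
    """Return the values an admin needs plus a list of review findings."""
    findings = []
    result = {"entity_id": None, "acs_post_urls": [],
              "name_id_formats": [], "findings": findings}

    # Refuse DTDs and entity declarations before the parser ever sees them.
    lowered = xml_text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        findings.append("DTD or entity declaration present; refusing to parse")
        return result
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return result

    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        findings.append("root element is not md:EntityDescriptor")
        return result
    result["entity_id"] = root.get("entityID")
    if not result["entity_id"]:
        findings.append("missing entityID")

    # Pick the SP role descriptor that declares SAML 2.0 support.
    sp = None
    for candidate in root.findall("md:SPSSODescriptor", NS):
        protocols = candidate.get("protocolSupportEnumeration", "").split()
        if SAML2_PROTOCOL in protocols:
            sp = candidate
            break
    if sp is None:
        findings.append("no SPSSODescriptor that supports the SAML 2.0 protocol")
        return result

    # Advisory: the application does not declare that it requires signed assertions.
    if sp.get("WantAssertionsSigned", "false").lower() not in ("true", "1"):
        findings.append("WantAssertionsSigned is not true")

    result["name_id_formats"] = [
        e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]

    # The POST profile delivers the assertion to an HTTP-POST ACS endpoint.
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if acs.get("Binding") != POST_BINDING:
            continue
        location = acs.get("Location", "")
        parts = urlsplit(location)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(f"HTTP-POST ACS is not an https URL: {location}")
        result["acs_post_urls"].append(location)
    if not result["acs_post_urls"]:
        findings.append("no AssertionConsumerService with the HTTP-POST binding")
    return result


if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK), ("dtd", SAMPLE_DTD)):
        report = review_sp_metadata(doc)
        print(name, report["entity_id"], report["acs_post_urls"], report["findings"])
```

The same review applies whether the metadata is fetched from an auto-discovery URL or pasted as XML; with manual configuration, the entity ID and ACS URL are the values to compare against what the application vendor supplied.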

What to do next

See Entitling Users and Groups to Web Applications for details about adding user and group entitlements for Web applications.

Add a Web Application to Your Catalog by Importing a ZIP or JAR File

You can import to your catalog a Web application that was previously configured in the VMware Identity Manager service. For example, you might want to import an application from your staging environment to your production environment.

This process involves exporting the application bundle from the service and importing it into the new environment. The application might not require further configuration, especially if you thoroughly tested the configuration values in the original environment. To further configure the Web application after importing it, see Add a Web Application to Your Catalog from the Cloud Application Catalog or Add a Web Application to Your Catalog by Creating a New Application Record.

1. Log in to the administration console of the service from which to export a Web application.
2. Click the Catalog tab.
3. Click Any Application Type > Web Applications.
4. Click the icon of the Web application to export.
5. Click Export.
6. Save the zipped application bundle to your local system.
7. Log in to the administration console of the service in which to import the Web application.
8. Click the Catalog tab.
9. Click Add Application > Web Application ...import an application.
10. Click Browse, browse to the location on your local system where you saved the application bundle as a ZIP file, select the file, and click Submit.
11. Edit the information on the Details, Configuration, Entitlements, Access Policies, Licensing, and Provisioning pages as necessary.

What to do next

For details about adding user and group entitlements for Web applications, see Entitling Users and Groups to Web Applications.

For information about provisioning adapters, see Using Provisioning Adapters.

Entitling Users and Groups to Web Applications

After you add Web applications to your catalog, you can entitle users and groups to them.

You can entitle VMware Identity Manager users to Web applications.

When you entitle a user to a Web application, the user sees the application and can launch it from their Workspace ONE portal. If you remove the entitlement, the user cannot see or launch the application.

In many cases, the most effective way to entitle users to Web applications is to add a Web application entitlement to a group of users. However, in certain situations entitling individual users to a Web application is more appropriate.

1. Log in to the administration console.
2. Entitle users to a Web application.

   Method: Access a Web application and entitle users or groups to it.
   Description:
   a. Click the Catalog tab.
   b. Click Any Application Type > Web Applications.
   c. Click the Web application to which to entitle users and groups.
      The information page for the Web application appears with the Entitlements tab selected by default. Group entitlements and user entitlements are listed in separate tables.
   d. Click Add group entitlement or Add user entitlement.
   e. Type the names of the groups or users.
      You can search for users or groups by starting to type a search string and allowing the autocomplete feature to list the options, or you can click browse to view the entire list.
   f. Use the drop-down menu to select how to activate the Web application.
      Automatic displays the application by default in the Launcher page the next time the user logs in to the Workspace ONE portal. User-Activated requires that the user must select the application in the Workspace ONE portal Catalog page and add it to the Launcher page to activate it.
   g. Click Save.

   Method: Access a user or group and add Web application entitlements to that user or group.
   Description:
   a. Click the Users & Groups tab.
   b. Click the Users tab or the Groups tab.
   c. Click the name of a user or group.
   d. Click the Apps tab, then click Add Entitlement.
   e. In the Application Type drop-down list, select Web Applications.
   f. Select the check boxes next to the Web applications to which you want to entitle the user or group.
   g. In the DEPLOYMENT column, select how to activate each Web application.
      Automatic displays the application by default in the Launcher page the next time the user logs in to the Workspace ONE portal. User-Activated requires that the user must select the application in the Workspace ONE portal Catalog page and add it to the Launcher page to activate it.
   h. Click Save.

The selected user or group is now entitled to use the Web application.
Using Provisioning Adapters

Provisioning provides automatic application user management from a single location. Provisioning adapters allow Web applications to retrieve specific information from the VMware Identity Manager service as required. For example, to enable automatic user provisioning to Google Apps, required user account information, such as the user name, first name, and last name can be retrieved from the VMware Identity Manager service.

If provisioning is enabled for a Web application, when you entitle a user to the application in the VMware Identity Manager service, the user is provisioned in the Web application.

The VMware Identity Manager service currently includes provisioning adapters for these applications.

- Google Apps
  See Example: Using the Google Apps Provisioning Adapter.
- Office 365
- Socialcast

Configure a Provisioning Adapter

Provisioning adapters are available for some Web applications. Provisioning adapters let you provision VMware Identity Manager users in the Web application.

1. In the administration console, click the Catalog tab.
2. Click the Web application, for example, Google Apps.
3. In the Modify application page, click Provisioning.
4. Configure provisioning.

   Option: Configuration tab
   Description: Configure the provisioning adapter.
   a. Click Enable Provisioning.
   b. Enter the Web application account information. The information required varies based on the application. For example, for Google Apps, you enter the Google service account information.

   Option: User Provisioning tab
   Description: Specify the attributes with which to provision users in the Web application. Only attributes that have a value are used. You can either map the attributes to VMware Identity Manager user attributes or enter another value. Some attributes are required, which means they must have a value.
   To specify or change the value for an attribute, click the edit icon next to the attribute, select or enter a value, and click Save. The expressions in the drop-down list are those listed in the Identity & Access Management > Setup > User Attributes page. To add items to the drop-down list, add them to the User Attributes page. You can also type a value directly.
   For some attributes, you can specify multiple values.
   To delete an attribute mapping, click the delete icon next to the attribute.

   Option: Group Provisioning tab
   Description: The Group Provisioning tab appears only for the provisioning adapters that support group provisioning. You select the VMware Identity Manager group that you want to provision in the Web application, and enter the required information. Groups are provisioned immediately.

The provisioning adapter is configured and provisioning is enabled. When you entitle a user to the Web application in VMware Identity Manager, the user is also created in the Web application. If the deployment type of the entitlement is Automatic, the user is provisioned immediately. If the deployment type is User-Activated, the user is provisioned when the user adds the Web application to the Launcher page in the Workspace ONE portal.

Groups are provisioned immediately after you add them to the Group Provisioning tab.

Enable or Disable a Provisioning Adapter

You can enable or disable a Web application provisioning adapter after configuring it. If the provisioning adapter is enabled, when you entitle a user to the Web application in the VMware Identity Manager service, the user is also created in the Web application. You can disable the provisioning adapter if you do not want to provision users in the Web application.

Prerequisites

You have configured the provisioning adapter.

1. In the administration console, click the Catalog tab and select the Web application.
2. In the Modify application page, click Provisioning.
3. In the Configuration tab, select the Enable Provisioning check box to enable the adapter or deselect the check box to disable the adapter.

View the Provisioning Status Report

If provisioning is enabled for a Web application, you can view the Provisioning Status report for the application. The report lists the users provisioned in the application, the provisioning status of each user, any error messages, and the result of the last event for the user.

1. In the administration console, click the arrow on the Dashboard tab and select Reports.
2. In the Reports page, select Provisioning Status from the drop-down menu.

3. Select the application for which you want to view the report and click Show.

Example: Using the Google Apps Provisioning Adapter

You can use the Google Apps provisioning adapter to automatically provision users in Google from the VMware Identity Manager service. If provisioning is enabled, whenever you entitle a user to Google Apps in the service, the user is created in Google. You can also use the adapter to provision groups in Google.

Configure a Google Service Account

Before you can enable the Google Apps provisioning adapter in VMware Identity Manager, you must create a Google service account.

1. Create a Google service account and its credentials.
   You will need your service account's client ID, address, and private key file to enable provisioning.
2. After you create the Google service account, enable Google Apps domain-wide delegation.
   a. In the API Manager Credentials > Create credentials page, click Manage service accounts.
   b. Click the icon next to your service account and select Edit.
   c. Select the Enable Google Apps Domain-wide Delegation checkbox, and click Save.
3. Delegate Google Apps domain-wide authority to your service account from the Security > Advanced Settings > Authentication > Manage API client access page in the Google Admin console. See the Google documentation for more information.
   When you delegate domain-wide authority to the service account, enter the following values for the One or More API Scopes field:
   h/admin.directory.user.alias.readonly, ias, n.directory.group.readonly, nly, uth/admin.directory.group

You can now enable provisioning in the VMware Identity Manager service.

What to do next

Configure the Google Apps provisioning adapter in the VMware Identity Manager service.

Configure the Google Apps Provisioning Adapter

Configure the Google Apps Provisioning Adapter to provision users and groups in Google from the VMware Identity Manager service. If provisioning is enabled, whenever you entitle a user to Google Apps in the service, the user is also created in Google. You can also provision groups in Google.

1. Log in to the VMware Identity Manager administration console.
2. Click the Catalog tab.
3. Click Google Apps.
4. In the Modify application page, click Provisioning.
5. In the Configuration tab, configure the provisioning adapter.

   Option: Enable Provisioning
   Description: Select this option.

   Option: Admin User Name
   Description: Your Google Apps administrator user name. Do not include the domain name. For example: admin

   Option: Service Account
   Description: The client of the service account. You can get the client from the key file.

   Option: Private Key
   Description: Copy and paste the service account's private key.

  Option: Description
  Domain Name: Your company's domain name. For example: example.com
  Suspend On Deprovisioning: Select this option if you want users to be suspended in Google when you remove their entitlement to Google Apps.

6 Click Test Connection. If the connection is successful, a "Made a connection to Google service" message appears at the top of the page.
7 Click Save.

Provisioning is now enabled. When you entitle a user to Google Apps, if the user does not exist in Google, the user will be created.

What to do next

To complete the user provisioning setup, specify the attributes with which to provision users in Google.

Provision Users in Google

To provision users in Google, you configure the Google Apps adapter, enable provisioning, and specify the attributes with which to provision users in Google.

A list of Google attributes is available. For the attributes that you want to use, specify the attribute mapping. You can either map the attributes to VMware Identity Manager user attributes or enter other values.

The following attributes are required for users provisioned to Google. These attributes have default values.
- User Name
- First Name
- Last Name

Prerequisites

You have configured the Google Apps provisioning adapter and enabled provisioning. See Configure the Google Apps Provisioning Adapter.

1 In the Google Apps Provisioning page, click the User Provisioning tab.
2 Select the attributes with which to provision users in Google by setting values for them.
  a Click the edit icon next to the attribute.
  b Select or type a value.
    The expressions in the drop-down list are the ones listed in the Identity & Access Management > Setup > User Attributes page. If you want to add any expressions to the list, add them to the User Attributes page. You can also type in a value directly.
    For some attributes, you can specify multiple values. Click the + icon at the top-right to add another value. For example, you can specify multiple phone numbers for the Phones attribute.
  c Click Save.
3 To delete an attribute mapping, click the delete icon next to the attribute. Attributes without values are not used when users are provisioned in Google.

User provisioning is now configured. When you entitle a user to Google Apps, if the user does not exist in Google, the user will be created.

Note: When you entitle a user to Google Apps, if you set the deployment type to Automatic, the user is provisioned immediately. If you set the deployment type to User-Activated, the user is provisioned when the user adds Google Apps to the Launcher page in the Workspace ONE portal.

Provision Groups in Google

You can provision groups in Google from the VMware Identity Manager service using the Google Apps provisioning adapter.

You can select any of your VMware Identity Manager groups to provision, regardless of whether they are created locally or synced from your enterprise directory. The group is created in Google and the addresses of the group members are added to it.

Groups in Google can be used as mailing lists. They can also be used to manage access to documents, sites, calendars, and so on. After you provision a group in Google, you can manage it like any other Google group. For example, you can add or delete users.

Prerequisites

You have configured the Google Apps provisioning adapter and enabled provisioning. See Configure the Google Apps Provisioning Adapter.

1 In the VMware Identity Manager administration console, click the Catalog tab.
2 Click Google Apps.
3 In the Modify application page, click Provisioning.
4 In the Provisioning page, click the Group Provisioning tab.
5 Click Add Group to Provision.
6 In the Add Group to Provision page that appears, enter the following information.

  Option: Description
  Group Name: Enter the name of the VMware Identity Manager group you want to provision in Google. You can start typing to search for a group.
  Group Owner: Enter the address of the owner of the group.
  Group: Enter an address for the group in Google. The group will be created in Google with this address. The address must either be new or belong to an existing Google group. It must not belong to a user. If a group with this address already exists in Google, members of the VMware Identity Manager group you selected are added to that group.
    Important: Ensure that the domain of the address matches the domain you specified in the Domain Name text box in the Configuration tab.

7 Click Provision.

The group is provisioned in Google with the same name as the VMware Identity Manager group and with the address you specified. The provisioning status is displayed in the Group Provisioning tab.

What to do next

To verify that the group is provisioned in Google, follow these steps.

1 Log in to the Google Admin console.
2 Click the Groups icon. You may need to click MORE CONTROLS at the bottom of the page to see the Groups icon.
3 Select the new group to view details.

Deprovision Groups in Google

You can deprovision groups that you provisioned in Google from the VMware Identity Manager service. Deprovisioning a group deletes the group in Google.

Prerequisites

Verify that the Google Apps provisioning adapter is configured in the VMware Identity Manager service. See Configure the Google Apps Provisioning Adapter.

1 In the VMware Identity Manager administration console, click the Catalog tab.
2 Click Google Apps.
3 In the Modify application page, click Provisioning, then click the Group Provisioning tab.
4 In the table, select the check box next to the group you want to deprovision and click Deprovision.

The group is deleted in Google. It is also removed from the Group Provisioning page.

Enable or Disable the Google Apps Provisioning Adapter

If the Google Apps provisioning adapter is enabled, whenever you entitle a user to Google Apps, the user is also created in Google. You can disable the provisioning adapter if you do not want to provision users to Google.

1 In the administration console, click the Catalog tab.
2 Click Google Apps.
3 In the Modify application page, click Provisioning.
4 In the Provisioning page, click the Configuration tab, if it is not selected.
5 Select the Enable Provisioning check box to enable the adapter or deselect the check box to disable the adapter.
6 Click Save.

Additional Information

Additional information is available on configuring SAML-based single sign-on to specific Web applications, such as Office 365 and Google Apps. Information on provisioning adapters is included, if applicable. See the VMware Identity Manager Integrations Documentation site.


3 Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools

By integrating your organization's View, Horizon 6, or Horizon 7 environment with your VMware Identity Manager deployment, you give your VMware Identity Manager users the ability to use the Workspace ONE portal to access their entitled View desktop and application pools.

You can integrate independent View pods, which consist of View Connection Server instances, and pod federations, which contain multiple pods and can span multiple sites and data centers.

You deploy and manage desktop and application pools in the View administrator interface. You also create entitlements for Active Directory users and groups in View. When you integrate View pods or pod federations with your VMware Identity Manager service, you sync information about these resources and entitlements to VMware Identity Manager. In the VMware Identity Manager administration console, you can see the associations between users and groups and the View pools to which they are entitled.

For information about configuring View, see the View, Horizon 6, or Horizon 7 documentation.

Supported Versions

VMware Identity Manager supports the following versions and features.
- Integrating independent View pods is supported for View 5.3 and later.
- Integrating pod federations, created using the Cloud Pod Architecture feature, is supported for Horizon 6.2 and later.
- HTML Access is supported for Horizon and later.
- Certificate SSO is supported for Horizon 7.x.

Also see the VMware Product Interoperability Matrix for the latest support information.

This chapter includes the following topics:
- Integrating Independent View Pods
- Integrating View Cloud Pod Architecture (CPA) Deployments
- Enabling Multiple Client Access URLs for Custom Network Ranges
- Viewing the Connection Information for View Desktop and Application Pools
- Viewing User and Group Entitlements to View Desktop and Application Pools
- Setting the Deployment Type for View Entitlements
- Viewing Launch Options for View Desktops and Applications
- Launching a View Desktop or Application
- Allowing Users to Reset Their View Desktops in VMware Identity Manager

- Setting Access Policies for Specific Applications and Desktops
- Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in Non-Persistent View Desktops

Integrating Independent View Pods

To integrate independent View pods, you add the View Connection Server details in the VMware Identity Manager administration console and sync with the View Connection Server instance.

Before you perform any integration tasks in the VMware Identity Manager administration console, set up View. You create and configure View pools in View, not in VMware Identity Manager. You also set entitlements for Active Directory users and groups in View.

Integrating View involves the following high-level tasks.
- Deploy and configure View.
- Deploy View desktop and application pools, with entitlements set for Active Directory users and groups.
- Enable the userprincipalname attribute in the VMware Identity Manager administration console, on the User Attributes page.
- Sync Active Directory users and groups who are entitled to View pools in View Connection Server instances to the VMware Identity Manager service using directory sync.
  Later, when you add View pods to VMware Identity Manager, you can also select the Perform Directory Sync option. This option specifies that directory sync be performed as part of View sync if any users and groups that are entitled to View pools in the View Connection Server instances being synced are missing in the VMware Identity Manager directory.
- Join VMware Identity Manager to the same Active Directory domain as View if you intend to sync any View Connection Server 5.x instances or use the Perform Directory Sync option. Both these configurations use an alternative way of syncing, which requires the domain to be joined.
- Add View pods to VMware Identity Manager.
- Configure SAML authenticator on the View Connection Server. You must always use the VMware Identity Manager FQDN on the Authenticator configuration page.

Set up View

To use View with VMware Identity Manager, you must first install and configure View.

VMware Identity Manager supports View 5.3 and later versions. Also, see the VMware Product Interoperability Matrix for the latest support information.

Note: HTML Access is supported for Horizon and later.

When you configure View, ensure that you meet the following requirements.
- Deploy View Connection Servers on the default port 443 or on a custom port.
- Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each View Connection Server in your View setup. VMware Identity Manager requires reverse lookup for View Connection Servers, View Security server, and load balancer. If reverse lookup is not properly configured, the VMware Identity Manager integration with View fails.
- Deploy and configure View pools and desktops with entitlements set for Active Directory users and groups. Ensure that users have the correct entitlements.

- While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.
- Ensure that you create View pools in the root folder of View. If you create View pools in a folder other than the root folder, VMware Identity Manager cannot query those View pools and entitlements.
- Extending the SAML metadata expiration period to 90 days on the View Connection Servers is recommended. See Change the Expiration Period for Service Provider Metadata on View Connection Server for information.

Join Active Directory Domain

Before you integrate with View, you must join VMware Identity Manager to the Active Directory domain used for View if you intend to sync any View Connection Server 5.x instances or use the Perform Directory Sync option. Both these configurations use an alternative way of syncing, which requires the domain to be joined.

Prerequisites

- Verify that you have an Active Directory domain name, username, and password, with the rights to join the domain. See "Integrating with Active Directory" in Installing and Configuring VMware Identity Manager for more information about joining a domain.
- Verify that the attribute userprincipalname in the VMware Identity Manager User Attributes page is enabled. You can access this page in the administration console by clicking Identity & Access Management > Setup > User Attributes.
- Verify that users and groups with View Pool entitlements are synced to VMware Identity Manager using Directory sync.
- If applicable, establish a connection to multi-domains or trusted multi-forest domains in Active Directory. See VMware Identity Manager Installation and Configuration.

1 Log in to the administration console.
2 Click Identity & Access Management.
3 Click Setup.
4 In the Connectors page, click Join Domain next to the appropriate directory.
5 Enter the information for the Active Directory domain and click Join Domain. Do not use non-ASCII characters when you enter your domain information.

  Option: Description
  Domain: Select the domain to join or select Custom Domain and type the domain name. Ensure that you type the fully qualified Active Directory domain name. For example, server.example.com.
    Note: The Active Directory FQDN must be in the same domain as the View Connection Server. Otherwise, your deployment fails.
  Domain User: Type the username of an account in Active Directory that has permissions to join systems to that Active Directory domain.
  Domain Password: Type the password associated with the AD Username. This password is not stored by VMware Identity Manager.
  Organizational unit (OU) of domain to join: (Optional) The organizational unit (OU) to join. This option joins the machine to the specified OU instead of the default Computers OU. For example, ou=testou,dc=test,dc=example,dc=com.

6 To configure View integration in a multi-domain environment, verify that VMware Identity Manager and the View servers are joined to the same domain.

What to do next

Add View pods to VMware Identity Manager.

Add Horizon View Pods to VMware Identity Manager and Sync Resources

You can add multiple View pods to VMware Identity Manager. After you add the pods, configure client access URLs for the different pods.

You add View pods in the View Pools page of the VMware Identity Manager administration console. You can return to the page at any time to modify the View configuration, or to add or remove View pods.

Prerequisites

For each View pod, you need the credentials of a user who has the Administrators role.

1 Log in to the VMware Identity Manager administration console.
2 Click the Catalog tab.
3 Click Manage Resource Types and select View Application.
4 Check the Enable View Pools check box.
5 Click Add View Pod for each View pod you want to add.
6 Provide the configuration information specific to each View pod.

  Connection Server: Enter the fully qualified hostname of the Horizon Connection Server instance, such as connectionserver.example.com. The domain name must exactly match the domain name to which you joined the Horizon Connection Server instance.
  Username: Enter the administrator username for this View pod. The user must have the Administrators role in View.
  Password: Enter the administrator password for this View pod.
  Using Smart Card Authentication with Third-Party Identity Provider: If users use smart card authentication to sign in to this View pod instead of passwords, select the check box.
  True SSO Enabled on Horizon View: This option only applies to Horizon versions that support the True SSO feature. When True SSO is configured in View, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can select this option to prevent a password dialog box from being shown to users in that scenario.
  Sync Local Entitlements: If local entitlements are configured for the pod, select this option.

7 From the Deployment Type drop-down list, select how View resources are made available to users in the user portal.
  User-Activated: View resources are added to the Catalog page in Workspace ONE. To use a resource, users must move the resource from the Catalog page to the Launcher page.
  Automatic: View resources are added directly to the Launcher page in Workspace ONE for users' immediate use.

  The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your View integration. You can modify the deployment type for individual users or groups per resource, from the resource's Entitlements page.
  Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource.
  For more information about setting the deployment type, see Setting the Deployment Type for View Entitlements.
8 Select the Do not sync duplicate applications check box to prevent duplicate applications from being synced from multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Selecting this option prevents duplication of the desktop or application pools in your VMware Identity Manager catalog.
9 Select the Configuring 5.x Connection Server check box if any of the View Connection Server instances that you have configured on this page is version 5.x. Selecting this option enables an alternative way of syncing resources that is required for View 5.x.
  Note: If you select the Perform Directory Sync option, the Configuring 5.x Connection Server option is also automatically selected as both options rely on the alternative way of syncing resources.
10 Select the Perform Directory Sync check box if you want directory sync to be performed as part of View sync when any users and groups that are entitled to View pools in the View Connection Server instances are missing in the VMware Identity Manager directory.
  The Perform Directory Sync option does not apply to Cloud Pod Architecture pod federations. If users and groups with global entitlements are missing in the VMware Identity Manager directory, directory sync is not triggered.
  Users and groups synced through this process can be managed like any other users added by VMware Identity Manager directory sync.
  Important: View sync takes longer when you use the Perform Directory Sync option.
  Note: When this option is selected, the Configuring 5.x Connection Server option is also selected automatically as both options rely on an alternative way of syncing resources.
11 From the Choose View Pool Sync Frequency drop-down list, select how often you want to sync from the View Connection Server. You can set up a regular sync schedule or choose to sync manually. If you choose Manually, you must return to this page and click Sync Now whenever there is a change in your View resources or entitlements.

12 From the Select Default Launch Client drop-down list, select the default client in which to launch View applications or desktops.

  Option: Description
  None: No default preference is set at the administrator level. If this option is set to None and an end user preference is not set either, the View Default display protocol setting is used to determine how to launch the desktop or application.
  Browser: View desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.
  Client: View desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.

  This setting applies to all users and all resources in your View integration.
  The following order of precedence, listed from highest to lowest, applies to the default launch client settings:
  a End user preference setting, set in the Workspace ONE portal. This option is not available in the Workspace ONE app.
  b Administrator Select Default Launch Client setting, set in the View Pools page in the VMware Identity Manager administration console.
  c Horizon View Remote Display Protocol > Default display protocol setting for the desktop or application pool, set in Horizon Administrator. For example, when the display protocol is set to PCoIP, the application or desktop is launched in the Horizon Client.
13 Click Save.
14 Click Sync Now. Each time you change settings in View, such as adding an entitlement or adding a user, a sync is required to propagate the changes to VMware Identity Manager.
15 Configure the Client Access URLs for the View pods.
  a Click the Identity & Access Management tab, then click Setup.
  b Click Network Ranges.
  c Select a network range.
  d In the Edit Network Range page, in the View Pod section, enter the View Pod client access URL host name and port number for that network range.
  e In the IP Ranges section, specify the IP ranges to which you want to apply the settings.
  f Click Save.
  See also Enabling Multiple Client Access URLs for Custom Network Ranges.

Configure SAML Authentication

To launch a View, Horizon 6, or Horizon 7 application or desktop from the VMware Identity Manager service and have single sign-on from VMware Identity Manager to the application or desktop, you must configure SAML authentication in all the View Connection Server instances in your View deployment.

Do not perform this task if your organization uses smart card authentication to view resources using a third-party identity provider.

1 Log in to the View Administrator Web interface as a user with the Administrator role assigned.

2 Configure SAML authentication for each View Connection Server instance in your View deployment. You must use your VMware Identity Manager service's fully-qualified domain name on the Authenticator configuration page.

Important: View and VMware Identity Manager must be in time sync. If View and VMware Identity Manager are not in time sync, when you try to launch a View application or desktop, an invalid SAML message occurs.

What to do next

You must establish and maintain SSL Trust between VMware Identity Manager and the View Connection Server.

Establish or Update SSL Trust between VMware Identity Manager and the View Connection Server

Initially, you must accept an SSL certificate on the View Connection server to establish trust between VMware Identity Manager and the View Connection server. If you change an SSL certificate on the View Connection server after the integration, you must return to VMware Identity Manager and reestablish that trust.

Prerequisites

- Verify that View has an SSL certificate installed. By default, View has a self-signed certificate.
- In View, change the certificate of the View Connection Server to a root-signed certificate. See the VMware View documentation for information about configuring a View Connection server instance or Security Server to use a new certificate.
- Configure SAML authentication on the View Connection server. You must always use the VMware Identity Manager FQDN on the authenticator configuration page.

Note: If you use a third-party identity provider to access View desktops from VMware Identity Manager, SAML authentication on the View Connection server must be set to allowed.

1 In the VMware Identity Manager administration console, click the Catalog tab.
2 Click Manage Resource Types and select View Application.
3 Click the Update SSL Cert link next to the Replicated Server Group.
4 Click Accept on the Certificate Information page.

If the VMware Identity Manager certificate changes after the initial configuration, you must accept the SAML Authenticator from View again. If the View certificate changes, you must accept the SSL certificate in VMware Identity Manager.
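The time-sync requirement under Configure SAML Authentication follows from the validity window that every SAML assertion carries, which the receiving server compares with its own clock. The following is an added example, not VMware code: it reads the window from a constructed assertion fragment and shows which receiver clock offsets still pass; the sample values, the tolerance parameter and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the parts of an assertion that carry time limits.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2017-08-30T12:00:00Z">
  <saml:Issuer>https://idm.example.com/</saml:Issuer>
  <saml:Conditions NotBefore="2017-08-30T11:59:00Z"
                   NotOnOrAfter="2017-08-30T12:03:20Z"/>
</saml:Assertion>
"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validity_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    # The sample is trusted, constructed input. XML received from the network
    # should go through a hardened parser (for example defusedxml) and have its
    # signature verified before any attribute is trusted.
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    return (
        parse_instant(not_before) if not_before else None,
        parse_instant(not_on_or_after) if not_on_or_after else None,
    )


def check_window(assertion_xml, receiver_now, tolerance=timedelta(0)):
    """Classify the assertion as seen by a receiver whose clock reads receiver_now."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    if not_before is not None and receiver_now + tolerance < not_before:
        return "not-yet-valid"
    if not_on_or_after is not None and receiver_now - tolerance >= not_on_or_after:
        return "expired"
    return "valid"


def accepted_offsets(assertion_xml, true_now, tolerance=timedelta(0)):
    """Return (lowest, upper_bound) receiver clock offsets in seconds, relative
    to true_now, that still pass: lowest <= offset < upper_bound."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    lowest = None
    if not_before is not None:
        lowest = (not_before - tolerance - true_now).total_seconds()
    upper = None
    if not_on_or_after is not None:
        upper = (not_on_or_after + tolerance - true_now).total_seconds()
    return lowest, upper


if __name__ == "__main__":
    issued = datetime(2017, 8, 30, 12, 0, 0, tzinfo=timezone.utc)
    for offset in (-300, -30, 0, 120, 300):
        verdict = check_window(SAMPLE_ASSERTION, issued + timedelta(seconds=offset))
        print(f"receiver clock offset {offset:+5d}s -> {verdict}")
    print("accepted offsets (s):", accepted_offsets(SAMPLE_ASSERTION, issued))
```

A receiver that runs behind the issuer rejects the assertion as not yet valid, and one that runs ahead rejects it as expired, so the fix is clock synchronization on both servers rather than a wider tolerance.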

Integrating View Cloud Pod Architecture (CPA) Deployments

In addition to integrating independent View pods with VMware Identity Manager, you can integrate View Cloud Pod Architecture (CPA) deployments.

[Figure 3-1. Integrating View Pod Federations with VMware Identity Manager (diagram labels: Site A, Site B, Independent Pod, CPA Federation, Pod 1 to Pod 3, VCS 1 to VCS 6, LDAP Replication, Global LDAP Replication, VMware Identity Manager On Premises, Connector, Service)]

The View Cloud Pod Architecture feature links together multiple View pods to form a single large desktop and application brokering and management environment called a pod federation. A pod federation can span multiple sites and data centers.

You can integrate one or more pod federations with the VMware Identity Manager service. Note that pod federations are created and managed in View, and that user and group entitlements to the pod federation's desktops and application pools are set in View. You sync the resources and entitlements to VMware Identity Manager.

Pod federations have global entitlements, which enable you to entitle users to desktops and applications which can be accessed from any pod in the pod federation. A global entitlement can consist of resources from multiple pods in the federation. For example, a global desktop entitlement might contain desktop pools from three different pods in three different data centers. Individual pods in the pod federation can also have local entitlements configured. You can sync both global and local entitlements to VMware Identity Manager.

Integrating a View pod federation with the VMware Identity Manager service involves the following high-level tasks in the VMware Identity Manager administration console:
- Add all the pods that form the pod federation, specifying View Connection Server details for each. While VMware Identity Manager can sync global entitlements from any one of the pods in the pod federation, it needs to connect to each pod to sync metadata required for SAML authentication. It also needs to connect to the pods to sync local entitlements, if applicable.
- Add the pod federation details and specify the global launch URL. The global launch URL, typically the global load balancer URL, is used to launch globally-entitled desktops and applications. You can customize the global launch URL for specific network ranges, for example for internal and external access.

- Sync resources and entitlements from the pod federation to the VMware Identity Manager service.
  Note: Only global entitlements that have the All Sites scope policy in a pod federation are synced. The All Sites scope policy sets the scope of the search for an application or desktop to all the pods across the pod federation.
- Customize the global launch URL by setting client access URLs for specific network ranges. These URLs are used to launch globally-entitled resources from the pod federation. By default, the global launch URL you specify while adding the federation is used as the global launch URL for all network ranges.
- Specify client access URLs for each pod in the pod federation that has local entitlements configured. These URLs are used to launch locally-entitled desktops and applications from the pod. A client access URL can be a View Connection Server URL, a Security Server URL, or a load balancer URL. Client access URLs are set for specific network ranges. By default, the View connection server you specify while adding the pod is used as the client access URL for all network ranges.

When you integrate a pod federation with the VMware Identity Manager service, the service does the following:
- Syncs all global entitlements that have the All Sites scope policy from the pod federation.
- Syncs local entitlements, if selected, from the pods that are part of the pod federation.
- Syncs metadata from all the View Connection Servers in the pod federation.
- Allows end users to access their View applications and desktops from the Workspace ONE portal.

End users can access their View applications and desktops from the Workspace ONE portal. All the resources to which they are entitled, whether through global entitlements or local entitlements, are displayed.

Applications and desktops are launched in the Horizon Client. When a user launches a locally-entitled application or desktop, it is launched from the View Connection Server to which the user connects. Globally-entitled resources are launched from the View Connection Server in which the resource is located.

Sample Cloud Pod Architecture Deployment

The following diagram shows a sample cloud pod architecture deployment and how it is integrated with the VMware Identity Manager service.

34 Setting Up Resources in VMware Identity Manager (On Premises) Figure 3 2. Cloud Pod Architecture Deployment Example Internet Internal URL EG Global LB Federation 1 (F1) Pod 1 (P1) URL E1 LB Security Server Security Server Pod 2 (P2) Connection Server Connection Server URL I1 LB Sync 1 Local Connector URL E2 LB Security Server Security Server Connection Server Connection Server URL I2 LB URL IG Global LB Sync 2 Local Sync 3 Local Sync API Service Pod 3 (P3) Connection Server Connection Server URL I3 LB Sync 4 Local VMware Identity Manager On Premises This diagram depicts a sample pod federation deployment. A pod federation, named Federation 1, is created in Horizon 6. It has three pods, Pod 1, Pod 2, and Pod 3. Pod 1 and Pod 2 are configured with Security Server instances for each View Connection Server and an external load balancer for external access, and with an internal load balancer for internal access. Pod 3 is configured for only internal access with an internal load balancer. The pod federation as a whole has an external global load balancer and an internal global load balancer. Desktop and application pools are deployed on the pods. Global entitlements are configured for Federation 1 and local entitlements are also configured for the individual pods. Federation 1 is integrated with the VMware Identity Manager service. The VMware Identity Manager service syncs global entitlements as well as local entitlements from Federation 1. Because global entitlements are replicated in each pod, it syncs global entitlements from Pod 1. It also syncs local entitlements from Pod 1, Pod 2, and Pod 3. End users can view all the desktops and applications to which they are entitled, whether through global entitlements or local entitlements, in the VMware Identity Manager Workspace ONE portal. 
When a user launches a desktop or application, if it is part of a global entitlement, the launch request goes to the external or internal global load balancer, URL EG or URL IG, based on the network range of the user. If the resource is from a local entitlement, the launch request goes to the internal or external load balancer of the pod on which the resource is deployed, based on the network range of the user. For example, for a resource on Pod 2, the request goes to URL I2 or URL E2.
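The routing rule described above can be modeled in a few lines of Python. This is an added example, not VMware code: the hostnames and address blocks are constructed placeholders for the diagram's URL labels, and CIDR notation and first-match ordering of network ranges are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkRange:
    """One network range and the launch hosts assigned to it."""
    name: str
    cidrs: list                      # address blocks in the range (CIDR is an assumption)
    global_launch_url: str = ""      # host for global entitlements (URL EG / URL IG)
    pod_urls: dict = field(default_factory=dict)  # pod name -> client access host

    def contains(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(c) for c in self.cidrs)


# Constructed sample mirroring the diagram: Pod 3 has no external load balancer.
SAMPLE_RANGES = [
    NetworkRange("Internal", ["10.0.0.0/8"], "ig.example.com",
                 {"Pod 1": "i1.example.com",
                  "Pod 2": "i2.example.com",
                  "Pod 3": "i3.example.com"}),
    NetworkRange("ALL RANGES", ["0.0.0.0/0"], "eg.example.com",
                 {"Pod 1": "e1.example.com",
                  "Pod 2": "e2.example.com"}),
]


def resolve_launch_url(ranges, client_ip, entitlement, pod=None):
    """Return (range name, host) that a launch request is directed to.

    entitlement is "global" or "local"; pod names the pod that hosts a
    locally-entitled resource. The first range containing the client
    address wins (assumed ordering).
    """
    if entitlement not in ("global", "local"):
        raise ValueError("entitlement must be 'global' or 'local'")
    for rng in ranges:
        if not rng.contains(client_ip):
            continue
        if entitlement == "global":
            host = rng.global_launch_url
        else:
            host = rng.pod_urls.get(pod, "")
        if not host:
            raise LookupError(
                f"range {rng.name!r} has no launch host for {pod or 'the federation'}")
        return rng.name, host
    raise LookupError(f"no network range covers {client_ip}")


def audit_ranges(ranges, pods):
    """List (range name, missing item) pairs so gaps show up before users hit them."""
    gaps = []
    for rng in ranges:
        if not rng.global_launch_url:
            gaps.append((rng.name, "global launch URL"))
        for pod in pods:
            if not rng.pod_urls.get(pod):
                gaps.append((rng.name, pod))
    return gaps


if __name__ == "__main__":
    print(resolve_launch_url(SAMPLE_RANGES, "10.1.2.3", "global"))
    print(resolve_launch_url(SAMPLE_RANGES, "203.0.113.7", "local", "Pod 2"))
    print(audit_ranges(SAMPLE_RANGES, ["Pod 1", "Pod 2", "Pod 3"]))
```

The audit reports the internal-only Pod 3 as a gap in the external range, which is the case to review deliberately rather than discover from a failed launch.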

Requirements for Integrating View Pod Federations

Integrating View pod federations with VMware Identity Manager has the following requirements.

VMware Identity Manager supports the Cloud Pod Architecture feature in Horizon 6.2 and later, for both applications and desktops.

You can integrate a maximum of 10 pod federations with the VMware Identity Manager service. Each federation can contain up to 7 pods.

Deploy View Connection Server instances on the default port 443 or on a custom port.

Verify that you have a DNS entry and an IP address that can be resolved during reverse lookup for each View Connection Server instance in your View environment. VMware Identity Manager requires reverse lookup for View Connection Server, View Security Server, and load balancer instances. If reverse lookup is not properly configured, the VMware Identity Manager integration with View fails.

The VMware Identity Manager connector, a component of the service, must be able to reach all the View Connection Server instances in the pod federation.

All the View Connection Server instances in the pod federation must have SAML authentication configured, with the VMware Identity Manager service specified as the identity provider. You must use the service's fully-qualified domain name as part of the URL. See Configure SAML Authentication, on page 30 for more information.

Extending the SAML metadata expiration period to 90 days on the View Connection Server instances is recommended. See Change the Expiration Period for Service Provider Metadata on View Connection Server for information. View Connection Server certificates will be synced to VMware Identity Manager.

Deploy application and desktop pools in the View pods. While configuring desktop pools, ensure that in Remote Settings, you set the Automatically log off after disconnect option to 1 or 2 minutes instead of immediately.
Ensure that you create View pools in the root folder of View. If you create View pools in a folder other than the root folder, VMware Identity Manager cannot query those View pods and entitlements.

If you add or remove application or desktop pools after integrating with VMware Identity Manager, for the changes to appear in the VMware Identity Manager service, you must sync again.

You must create the pod federation in your View environment, by initializing the Cloud Pod Architecture feature from one of the pods and joining all the other pods to the federation, before integrating with the VMware Identity Manager service. Global entitlements are replicated to pods when they join the federation.

If you join or remove a pod from the pod federation after you integrate with the VMware Identity Manager service, you must edit the pod federation details in the VMware Identity Manager administration console to add or remove the pod, save your changes, and sync again.

In your View environment, create global entitlements in the pod federation to entitle Active Directory users or groups to desktops and applications. The global entitlements that you want to sync to VMware Identity Manager must have the All sites scope policy set. Entitlements with any other scope policy are not synced.

To enable end users to launch desktops or applications in a Web browser, select the HTML Access option for the global entitlement in View.

(Optional) Create local entitlements on the pods, if required.

For more information about configuring View, see the Horizon 6 or Horizon 7 documentation.

Set up Your VMware Identity Manager Environment

After setting up your View environment, you must set up your VMware Identity Manager environment before integrating pod federations with the service.

Prerequisites

You have a username and password with the rights to join the Active Directory domain that is used with View. For more information about the rights required to join a domain, see "Integrating with Active Directory" in Installing and Configuring VMware Identity Manager.

1 Verify that the attribute userprincipalname in the VMware Identity Manager User Attributes page is marked required.
   a In the administration console, click the Identity & Access Management tab.
   b Click Setup and select the User Attributes tab.
   c If the Required checkbox for the userprincipalname attribute is not selected, select it.
   Important You must do this before you create the VMware Identity Manager directory. User attributes cannot be changed to required after the directory is created.

2 Sync the users and groups that have global or local entitlements in your View environment from Active Directory to the VMware Identity Manager service through directory sync.
   a To view current users and groups, click the Users & Groups tab.
   b Select the Identity & Access Management > Directories tab.
   c Select the appropriate directory.
   d Modify the directory settings if needed, and click Sync Now.
3 If applicable, establish a connection to multi-domains or trusted multi-forest domains in Active Directory. See Installing and Configuring VMware Identity Manager for information.
4 Join the VMware Identity Manager directory to the same Active Directory domain as View if you are syncing any View Connection Server 5.x instances or if you intend to use the Perform Directory Sync option. Both these configurations use an alternative way of syncing, which requires the domain to be joined.
   a Click the Identity & Access Management tab.
   b Click Setup and select the Connectors tab.
   c Click Join Domain next to the appropriate directory.
   d Type the information for the Active Directory domain and click Join Domain. Do not use non-ASCII characters when you enter your domain information.

      Option: Domain
      Description: Select the domain to join or select Custom Domain and type the domain name. Ensure that you type the fully qualified Active Directory domain name. For example, server.example.com.
      Note The Active Directory FQDN must be in the same domain as the View Connection Server instances. Otherwise, your deployment fails.

      Option: Domain User
      Description: Type the username of an Active Directory user who has permissions to join systems to that Active Directory domain.

      Option: Domain Password
      Description: Type the password for the user. This password is not stored by VMware Identity Manager.

      Option: Organizational unit (OU) of domain to join
      Description: (Optional) The organizational unit (OU) to join. This option joins the machine to the specified OU instead of the default Computers OU. For example, ou=testou,dc=test,dc=example,dc=com.

   e Verify that VMware Identity Manager and the View servers are joined to the same domain.

Add a Cloud Pod Federation and Sync Resources

To add a pod federation, you first add all the pods that belong to the pod federation, then add the pod federation details, specify a global launch URL for global entitlements, sync entitlements, and set client access URLs for specific network ranges.

Prerequisites

Set up your View environment following the requirements described in Requirements for Integrating View Pod Federations, on page 35.

Set up your VMware Identity Manager instance according to the requirements described in Set up Your VMware Identity Manager Environment, on page 36.

For each View pod, you need the credentials of a user who has the Administrators role.

1 In the administration console, click the Catalog tab.

2 Click Manage Desktop Applications and select View Application.
3 In the Pods and Sync tab, select the Enable View Pools checkbox, if it is not already checked.
4 Add all the View pods that are part of the cloud pod federation, one at a time.
   a Provide the View pod details.

      Option: Connection Server
      Description: Enter the fully qualified domain name (FQDN) of the Horizon Connection Server instance, for example, pod5server.example.com. The domain name must match the domain name to which you joined the Horizon Connection Server instance.

      Option: Username
      Description: The administrator user name for the pod. The user must have the Administrators role in View.

      Option: Password
      Description: The administrator password for the pod.

      Option: Using Smart Card Authentication with Third-Party Identity Provider
      Description: If users use smart card authentication to sign in to this View pod instead of passwords, select the checkbox.

      Option: True SSO Enabled on Horizon View
      Description: This option only applies to Horizon versions that support the True SSO feature. When True SSO is configured in View, users do not require a password to log into their Windows desktops. However, if users are logged into VMware Identity Manager using a non-password authentication method such as SecurID, when they launch their Windows desktops, they are prompted for a password. You can select this option to prevent a password dialog box from being shown to users in that scenario.

      Option: Sync Local Entitlements
      Description: If local entitlements are configured for the pod, select this checkbox.

   b Click Add View Pod and add the next pod.
   c Repeat these steps until you have added all the pods in the cloud pod federation.
5 Click Save. Replicated servers in each pod are displayed.
6 Click the Federation tab and select the Enable CPA Federations checkbox.

7 In the Federation Name field, type the name of the cloud pod federation.
8 In the Launch URL field, type the global launch URL to be used to launch globally-entitled desktops or applications. For example, federationa.example.com. The launch URL is typically the global load balancer URL of the cloud pod federation. You can customize the launch URL for specific network ranges later in the configuration process.
9 Select a pod that belongs to the cloud pod federation. All the pods that you added in the Pods and Sync tab are listed in the drop-down list.
10 Click Add Pod and select all the pods that are part of the cloud pod federation, one at a time.
11 Click Save.

12 Click the Pods and Sync tab, scroll to the bottom of the page, and set the deployment and sync options for your configuration.

   Option: Deployment type
   Description: Select how View resources are made available to users.
   User-Activated: VMware Identity Manager adds View resources to the Catalog page in Workspace ONE. To use a resource, users must move the resource from the Catalog page to the Launcher page.
   Automatic: VMware Identity Manager adds the resources directly to the Launcher page for users' immediate use.
   The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your View integration. You can modify the deployment type for individual users or groups per resource, from the resource's Entitlements page. Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource. For more information about setting the deployment type, see Setting the Deployment Type for View Entitlements, on page 45.

   Option: Do not sync duplicate applications
   Description: Select this option if you want to prevent duplicate applications from being synced from multiple servers. When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Selecting this option prevents duplication of the desktop or application pools in your VMware Identity Manager catalog.

   Option: Configuring 5.x Connection Server
   Description: Select this check box if any of the View Connection Server instances that you have configured on this page is version 5.x. Selecting this option enables an alternative way of syncing resources that is required for View 5.x.
   Note If you select the Perform Directory Sync option, the Configuring 5.x Connection Server option is also automatically selected as both options rely on the alternative way of syncing resources.

   Option: Perform Directory Sync
   Description: Select this check box if you want directory sync to be performed as part of View sync when any users and groups that are entitled to View pools in the Horizon Connection Server instances are missing in the VMware Identity Manager directory. The Perform Directory Sync option only applies to local entitlements. It does not apply to global entitlements. If users and groups with global entitlements are missing in the VMware Identity Manager directory, directory sync is not triggered. Users and groups synced through this process can be managed like any other users added by VMware Identity Manager directory sync.
   Important View sync takes longer when you use the Perform Directory Sync option.
   Note When this option is selected, the Configuring 5.x Connection Server option is also selected automatically as both options rely on an alternative way of syncing resources.

   Option: Choose View pool Sync Frequency
   Description: Select how often you want View resources and entitlements to sync. You can set up a regular sync schedule or choose to sync manually. If you choose Manually, you must return to this page and click Sync Now whenever there is a change in your View resources or entitlements.

   Option: Select Default Launch Client
   Description: Select the default client in which to launch View applications or desktops.
      None: No default preference is set at the administrator level. If this option is set to None and an end user preference is not set either, the View Default display protocol setting is used to determine how to launch the desktop or application.
      Browser: View desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.
      Client: View desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.
   This setting applies to all users and all resources in your View integration. The following order of precedence, listed from highest to lowest, applies to the default launch client settings:
      a End user preference setting, set in the Workspace ONE portal. This option is not available in the Workspace ONE app.
      b Administrator Select Default Launch Client setting, set in the View Pools page in the VMware Identity Manager administration console.
      c Horizon View Remote Display Protocol > Default display protocol setting for the desktop or application pool, set in Horizon Administrator. For example, when the display protocol is set to PCoIP, the application or desktop is launched in the Horizon Client.

13 Click Save.
14 Click Sync Now. Each time you change information in View, such as add an entitlement or add a user, a sync is required to propagate the changes to VMware Identity Manager.
15 At the top-right of the page, click Admin Console.
16 Click the Identity & Access Management tab and click Setup on the right of the page.
17 Click the Network Ranges tab.

18 Customize launch URLs for specific network ranges. For example, different launch URLs are typically set for internal and external access.
   a Select a network range. You can select an existing network range or create a new one. You can also edit the default ALL RANGES network range.
     The Edit Network Range page is displayed. The View CPA federation section lists the global launch URL of the pod federation you added in the Federation tab. If you added multiple pod federations, all are listed. The View Pod section lists all the View pods from the Pods and Sync tab that have the Sync Local Entitlements option selected.
   b In the View CPA federation section, for the global launch URL, specify the fully-qualified domain name of the server to which to direct launch requests for global entitlements that come from this network range. This is typically the global load balancer URL of the View pod federation deployment. For example: lb.example.com
     The global launch URL is used to launch globally-entitled resources.
   c In the View Pod section, for each of the View pod instances, specify the fully-qualified domain name of the server to which to direct launch requests for local entitlements that come from this network range. You can specify a View Connection Server instance, a load balancer, or a security server. For example, if you are editing a range that provides internal access, you would specify the internal load balancer for the pod. For example: lb.example.com
     The client access URL is used to launch locally-entitled resources from the pod.

See also Enabling Multiple Client Access URLs for Custom Network Ranges, on page 43.
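The reverse-lookup requirement listed under Requirements for Integrating View Pod Federations is a common reason the integration above fails, so it is worth checking every Connection Server, Security Server, and load balancer name before the first sync. The following Python check is an added example, not VMware code; the host names and lookup tables are constructed, and treating a PTR name that differs from the FQDN as a warning is an assumption, since the page only requires that reverse lookup resolves.

```python
import socket


def system_forward(host):
    """Address lookup through the system resolver."""
    return socket.gethostbyname_ex(host)[2]


def system_reverse(ip):
    """PTR lookup; returns the primary name plus any aliases."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name] + aliases


def _norm(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def check_reverse_lookup(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems for one host; an empty list means it passed."""
    try:
        ips = forward(fqdn)
    except OSError as exc:
        return [f"FAIL {fqdn}: forward lookup failed ({exc})"]
    if not ips:
        return [f"FAIL {fqdn}: no address records"]
    problems = []
    for ip in ips:
        try:
            names = [_norm(n) for n in reverse(ip)]
        except OSError as exc:
            problems.append(f"FAIL {fqdn}: no PTR record for {ip} ({exc})")
            continue
        if _norm(fqdn) not in names:
            problems.append(f"WARN {fqdn}: {ip} reverses to {', '.join(names)}")
    return problems


def preflight(hosts, forward=system_forward, reverse=system_reverse):
    """Check every host and return {host: [problems]}."""
    return {h: check_reverse_lookup(h, forward, reverse) for h in hosts}


# Constructed lookup tables so the example runs offline.
SAMPLE_A = {
    "cs1.example.com": ["10.0.0.11"],
    "cs2.example.com": ["10.0.0.12"],
    "lb.example.com": ["10.0.0.20"],
}
SAMPLE_PTR = {
    "10.0.0.11": ["CS1.example.com."],   # matches after normalization
    "10.0.0.20": ["node7.example.com"],  # resolves, but to a different name
}


def sample_forward(host):
    if host not in SAMPLE_A:
        raise OSError("name not found")
    return SAMPLE_A[host]


def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]


if __name__ == "__main__":
    hosts = ["cs1.example.com", "cs2.example.com", "lb.example.com", "cs9.example.com"]
    for host, problems in preflight(hosts, sample_forward, sample_reverse).items():
        print(host, "OK" if not problems else problems)
```

Called without the sample resolvers, preflight uses the system resolver, so run it from the connector host to see what the connector sees.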
Configure SAML Authentication

To launch a View, Horizon 6, or Horizon 7 application or desktop from the VMware Identity Manager service and have single sign-on from VMware Identity Manager to the application or desktop, you must configure SAML authentication in all the View Connection Server instances in your View deployment.

Do not perform this task if your organization uses smart card authentication to view resources using a third-party identity provider.

1 Log in to the View Administrator Web interface as a user with the Administrator role assigned.

2 Configure SAML authentication for each View Connection Server instance in your View deployment. You must use your VMware Identity Manager service's fully-qualified domain name on the Authenticator configuration page.
   Important View and VMware Identity Manager must be in time sync. If View and VMware Identity Manager are not in time sync, when you try to launch a View application or desktop, an invalid SAML message occurs.

What to do next

You must establish and maintain SSL Trust between VMware Identity Manager and the View Connection Server.

Establish or Update SSL Trust between VMware Identity Manager and the View Connection Server

Initially, you must accept an SSL certificate on the View Connection server to establish trust between VMware Identity Manager and the View Connection server. If you change an SSL certificate on the View Connection server after the integration, you must return to VMware Identity Manager and reestablish that trust.

Prerequisites

Verify that View has an SSL certificate installed. By default, View has a self-signed certificate.

In View, change the certificate of the View Connection Server to a root-signed certificate. See the VMware View documentation for information about configuring a View Connection server instance or Security Server to use a new certificate.

Configure SAML authentication on the View Connection server. You must always use the VMware Identity Manager FQDN on the authenticator configuration page.

Note If you use a third-party identity provider to access View desktops from VMware Identity Manager, SAML authentication on the View Connection server must be set to allowed.

1 In the VMware Identity Manager administration console, click the Catalog tab.
2 Click Manage Resource Types and select View Application.
3 Click the Update SSL Cert link next to the Replicated Server Group.
4 Click Accept on the Certificate Information page.
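The time-sync requirement in the SAML configuration step above, and the recommended 90-day metadata expiration period, both come down to timestamps carried in SAML documents. The following Python sketch is an added example, not VMware or View code: it reads the standard SAML 2.0 Conditions window and metadata validUntil attribute from constructed samples and shows how a verifier clock that runs slow or fast pushes an assertion outside its window. The five-minute window and the tolerance value are assumptions, and the code checks time only, not signatures.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed samples; real assertions and metadata carry far more content.
# For XML from an untrusted source, use a hardened parser such as defusedxml.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2017-08-30T12:00:00Z">
  <saml:Conditions NotBefore="2017-08-30T12:00:00Z" NotOnOrAfter="2017-08-30T12:05:00Z"/>
</saml:Assertion>"""

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://view.example.com/constructed" validUntil="2017-11-28T00:00:00Z"/>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def assertion_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    cond = ET.fromstring(assertion_xml).find(".//saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion has no complete Conditions window")
    return parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))


def check_assertion(assertion_xml, verifier_now, tolerance=timedelta(0)):
    """Classify the assertion as seen by a verifier whose clock reads verifier_now."""
    not_before, not_on_or_after = assertion_window(assertion_xml)
    if verifier_now + tolerance < not_before:
        return "not yet valid"
    if verifier_now - tolerance >= not_on_or_after:
        return "expired"
    return "valid"


def skew_report(assertion_xml, true_now, offsets_seconds, tolerance=timedelta(0)):
    """Map each clock offset in seconds (negative = verifier runs slow) to a verdict."""
    return {
        off: check_assertion(assertion_xml, true_now + timedelta(seconds=off), tolerance)
        for off in offsets_seconds
    }


def metadata_days_left(metadata_xml, now):
    """Whole days until the metadata's validUntil, or None if it has no expiry."""
    valid_until = ET.fromstring(metadata_xml).get("validUntil")
    if valid_until is None:
        return None
    return (parse_ts(valid_until) - now).days


if __name__ == "__main__":
    now = datetime(2017, 8, 30, 12, 0, 30, tzinfo=timezone.utc)
    print(skew_report(SAMPLE_ASSERTION, now, [-120, 0, 600]))
    print(metadata_days_left(SAMPLE_METADATA, now))
```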
If the VMware Identity Manager certificate changes after the initial configuration, you must accept the SAML Authenticator from View again. If the View certificate changes, you must accept the SSL certificate in VMware Identity Manager.

Enabling Multiple Client Access URLs for Custom Network Ranges

If your company uses multiple client access URLs for different network ranges, you must edit the default network range so the end user connects to the correct client access URL and port number. If these settings are not updated, the Horizon Client will not launch.

1 Log in to the VMware Identity Manager administration console.
2 Click the Identity & Access Management tab.
3 Click Setup on the right, then click Network Ranges.

4 Click the network range to modify.
   The Edit Network Range page appears. The View CPA federation section appears only if you integrated Cloud Pod Architecture (CPA) deployments, also known as pod federations. This section lists the global launch URL you specified for the pod federation in the Federation tab of the View Pools page. The View Pod section lists all the View pods that have the Sync Local Entitlements option selected.
5 Specify the client access URL and port in the Client Access URL Host and URL Port fields, using your company's configuration. For example: pod6.mycompany.com
6 Verify that each network range in your environment contains a client access URL.
   Important If you miss a network range, end users who launch through that network range might have problems.

Viewing the Connection Information for View Desktop and Application Pools

You can view the information about the connection between VMware Identity Manager and a View desktop or application pool.

1 Log in to the administration console.
2 Click the Catalog tab.
3 To view desktop pools, click Any Application Type > View Desktop Pools. To view application pools, click Any Application Type > View Hosted Applications.
4 Click the name of the View application or desktop pool.
5 Click Details on the left.
6 View the connection information, which consists of attributes retrieved from the View Connection Server instance. See the View documentation for details about these attributes.

Viewing User and Group Entitlements to View Desktop and Application Pools

You can see the View pools to which your VMware Identity Manager users and groups are entitled.

Prerequisites

Synchronize information and the respective entitlements from the View Connection Server instances to VMware Identity Manager. You can force a sync on the View Pools page in the administration console, by clicking Sync Now.

1 Log in to the administration console.

2 View user and group entitlements to View desktop and application pools.

   Option: List users and groups entitled to a specific View desktop pool.
   Action:
      a Click the Catalog tab.
      b Click Any Application Type > View Desktop Pools or View Hosted Applications.
      c Click the icon for the View pool for which you want to list entitlements.
      The Entitlements tab is selected by default. Group entitlements and user entitlements are listed in separate tables.

   Option: List of View desktop and application pool entitlements for a specific user or group.
   Action:
      a Click the Users & Groups tab.
      b Click the Users tab or the Groups tab.
      c Click the name of an individual user or group.
      d Click the Apps tab.
      View desktop and application pools to which the user or group is entitled are listed.

Setting the Deployment Type for View Entitlements

You can set the deployment type for View resources, which determines how the resources are made available to users in Workspace ONE. Setting the deployment type to User-Activated adds the resources to the Catalog page. To use a resource, users must move the resource from the Catalog page to the Launcher page. Setting the deployment type to Automatic adds the resources directly to the Launcher page for users' immediate use.

You can set the deployment type at different levels.

Global level

The global setting applies to all user entitlements for all the View resources in your deployment. You specify the global deployment type when you first integrate View resources with VMware Identity Manager from the View Pools page. After the initial integration, you can modify the global setting from the same page. Note that if you change the global setting after the initial integration, the new setting only applies to new entitlements that are synced. To modify existing entitlements, you can change the setting at the individual resource level.
Note Setting the global deployment type to User-Activated is recommended. In typical scenarios, you set the global setting to User-Activated, and then modify it to Activated for specific user and group entitlements.

User or group entitlement level

You can also set the deployment type at the individual application or desktop level for specific users and groups. This setting overrides the global setting. This setting will not be changed during subsequent syncs.

During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync, the global setting is applied.

Note Once a resource has been activated, that is, once it appears in the Launcher page for a user, it will continue to appear in the Launcher page unless the user deletes it. Any changes to the deployment type will not remove it from the Launcher page.

1 To set the deployment type at the global level, follow these steps.
   a Click the Catalog tab and select Manage Desktop Applications > View Application.
   b Select the Pods and Sync tab.
   c In the Deployment Type field, select User-Activated or Automatic.
     Note Setting the global deployment type to User-Activated is recommended.
   d Click Save.
   The setting will be applied to all new entitlements beginning with the next sync.
2 To set the deployment type for a specific user or group entitlement, follow these steps.
   a Click the Catalog tab.
   b Click the application or desktop whose entitlement you want to edit.
   c Click Entitlements to display the Entitlements page for the application.
     You can view the current deployment settings for user and group entitlements in the DEPLOYMENT column.
   d Click Edit next to the entitlement you want to edit.
   e In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
   f Click Save.
   The deployment type set at the user or group entitlement level has precedence over the global deployment type setting, and will not be modified during sync.

Viewing Launch Options for View Desktops and Applications

View desktops and applications can be launched from Workspace ONE in the Horizon Client or a Web browser, based on how the desktop or application has been configured in View.

If a View desktop or application is only configured for the Horizon Client, users must install the Horizon Client on their systems.

The HTML Access feature of View provides View administrators the option of configuring a View desktop or application for browsers. This configuration is done in View and no configuration is required in VMware Identity Manager. In Horizon 7, the Allow HTML Access to desktop and applications on this farm setting determines whether users in VMware Identity Manager have the option to launch desktops or applications from that farm in a browser.

VMware Identity Manager supports HTML Access for Horizon and later.

VMware Identity Manager also supports all the display protocols that View supports for the Horizon Client. For Horizon 7, VMware Identity Manager supports the Blast protocol in addition to PCoIP and RDP for Horizon Client 4.0. When VMware Identity Manager users launch a desktop or application in the Horizon Client, it uses the protocol that is set for the farm in View.

Note In View, in addition to setting the default display protocol, administrators can specify whether users are allowed to choose a display protocol. If you want to support versions of Horizon Client that do not support the default protocol, allowing users to choose the display protocol is recommended. Otherwise, the application or desktop cannot be launched.

For information about configuring the display protocols and launch options, see the Horizon 7, Horizon 6, or View documentation.

In the VMware Identity Manager administration console, you can check the launch options that a View desktop or application supports.
1 Log in to the VMware Identity Manager administration console.
2 Click the Catalog tab.
3 To display desktop pools, click Any Application Type > View Desktop Pools. To display applications, click Any Application Type > View Hosted Applications.
4 Click the name of the View application or desktop.
5 Click Details on the left.
   The Supported client types field displays the launch options.

   The value of the field can be NATIVE or BROWSER, or both. If only NATIVE is listed, the desktop or application can only be launched in the Horizon Client. Users must install the Horizon Client on their systems before starting the application from Workspace ONE. If BROWSER is listed, users can start the application or desktop in a browser. If both are specified, users can select how they want to start the application.
   Note For Horizon 7 integrations, the Allow HTML Access to desktop and applications on this farm option must be enabled in Horizon 7 for the BROWSER option to appear in the Supported client types list.

Launching a View Desktop or Application

Users can launch a View desktop or application from the Workspace ONE portal or app.

Based on how an application or desktop has been configured in View, it can be launched in the Horizon Client or in a browser. For applications or desktops that can only be launched in the Horizon Client, users must install the Horizon Client on their systems.

For applications and desktops that can be launched in either the Horizon Client or a browser, users can select the launch method. Users can also set their default launch preference in the Preferences page in the Workspace ONE portal. This user preference overrides any default launch preference set at the administrator level.

Note Users cannot set a default launch preference in the Workspace ONE app.

Prerequisites

Based on how the application or desktop has been configured in View, users might need to install the Horizon Client. For supported Horizon Client versions, see the VMware Product Interoperability Matrix at

1 Log in to the Workspace ONE portal.
2 Right-click the desktop or application you want to use and check the launch options available. If a launch option is not available, the link is disabled.
3 Install the Horizon Client on your system, if it is required and you have not yet installed it.

4 Right-click the desktop or application and select either Launch in Browser or Launch in Client.
   If you chose the Browser option, the application or desktop is started in a browser. If you are using Horizon or later, the browser window also displays an HTML Access Tray.
   Note If the SAML metadata on the View Connection Server instances has expired, the application or desktop will not launch. To resolve this issue, you must sync the View resources to VMware Identity Manager again. Click Sync Now in the View Pools page in the administration console.

Allowing Users to Reset Their View Desktops in VMware Identity Manager

Depending on how you configure View and VMware Identity Manager, users can use the apps portal to reset an unresponsive View desktop.

When you configure View to allow users to reset their desktops, the configuration applies to both View and VMware Identity Manager.

Prerequisites

Configure View to allow users to reset their desktops. See the documentation for View, Horizon 6, or Horizon 7, specifically the View Administration guide.

To ensure that specific View desktops are resettable by users, the client access URLs for the respective pods should have trusted certificates. If the URLs have root-signed or self-signed certificates, configure VMware Identity Manager to trust those certificates. See VMware Identity Manager Installation and Configuration for information about applying a root certificate.

(Optional) Verify that VMware Identity Manager lists a given desktop as resettable by users.
   a In the administration console, select the Catalog tab.
   b In the Any Application Type drop-down menu, select View Desktop Pools.
   c Click the name of the desktop.
   d Click Details.
   e Confirm that the Reset allowed setting is set to true.

What to do next

If the setting is false, then View is not configured to allow users to reset the desktop.
If a View desktop becomes unresponsive in the future, you or users can reset the desktop in the apps portal by right-clicking the unresponsive desktop and clicking Reset Desktop. Setting Access Policies for Specific Applications and Desktops The default access policy set applies to all applications and desktops in your catalog. You can also set access policies for individual applications or desktop pools, which override the default access policy. You can apply an access policy to one or more applications and desktops from the Policies page or select the access policy for a specific application from the application configuration page. For more information on access policies, see the VMware Identity Manager Administration Guide. VMware, Inc. 49

1. To apply an access policy to applications and desktops from the Policies page, follow these steps.
   a. Navigate to the Identity & Access Management > Manage > Policies page.
   b. Click a policy to edit it or click Add Policy to create a new policy.
   c. In the policy page, edit or define the policy.
   d. In the Applies to section, select the applications to which you want to apply the policy.
   e. Click Save.
2. To select an access policy for a specific application from the application configuration page, follow these steps.
   a. Click the Catalog tab.
   b. Click the application.
   c. Click Access Policies in the left pane.
   d. Select the access policy for the application and click Save.

Reducing Resource Usage and Increasing Performance of VMware Identity Manager Desktop in Non-Persistent View Desktops

To reduce resource usage and increase performance when using the Workspace ONE portal in non-persistent desktops, also known as stateless desktops, you can configure the client with settings optimized for using it in a non-persistent View desktop.

Problem

When a non-persistent View desktop has the VMware Identity Manager Desktop application installed in the View desktop, each time a user starts a session, an increased amount of resources is used, such as storage I/Os.

Cause

Non-persistent View desktops are inherently stateless. Such View desktops are also known as floating desktops, and new sessions can be created when the floating desktops are recomposed or the user is given a new desktop from the pool.

Unless the VMware Identity Manager Desktop application used in the non-persistent desktops is configured with settings that are optimized for this scenario, users might experience degraded performance when accessing ThinApp packages. Typically, you configure the VMware Identity Manager Desktop application for the View desktops using the command-line installer options. See Command-Line Installer Options for VMware Identity Manager Desktop.

Solution

- Install the VMware Identity Manager Desktop application in the template that is used for the non-persistent View desktops using the recommended command-line installer options.

/v Installer Option | Description
ENABLE_AUTOUPDATE = 0 | Prevents the automatic update of the VMware Identity Manager Desktop application to a newer version. Typically, your View administrator updates the application in the template.

/v Installer Option | Description
INSTALL_MODE = RUN_FROM_SHARE | If you plan to have the users use ThinApp packages in these View desktops, use this option to have the ThinApp packages streamed from the server instead of downloaded to the Windows system.

The following is an example of installing the VMware Identity Manager Desktop application with an optimal configuration for non-persistent View desktops where the users are expected to use ThinApp packages. The WORKSPACE_SERVER option specifies the VMware Identity Manager server for this installation.

    VMware-Identity-Manager-Desktop-n.n.n-nnnnnnn.exe /v WORKSPACE_SERVER=" ENABLE_AUTOUPDATE=0 INSTALL_MODE=RUN_FROM_SHARE


4 Providing Access to VMware Horizon Cloud Service

VMware Horizon Cloud Service with Hosted or On-Premises Infrastructure can be integrated with the VMware Identity Manager service.

Integrating Horizon Cloud with the VMware Identity Manager service provides users the ability to access their entitled Horizon Cloud applications and desktops from the Workspace ONE portal or app. This provides users a single place for accessing all their applications across devices.

Desktop and application pools, also known as assignments, are configured in the Horizon Cloud tenant. You also set user and group entitlements in the Horizon Cloud tenant, not in the VMware Identity Manager service. You must sync these users and groups to the VMware Identity Manager service from Active Directory before integrating with the Horizon Cloud tenant.

After you integrate the Horizon Cloud tenant with VMware Identity Manager, you can see the Horizon Cloud desktops and applications in the VMware Identity Manager administration console. You can also view user and group entitlements.

You can set up a sync schedule to regularly sync resources and entitlements from the Horizon Cloud tenant to the VMware Identity Manager service.

End users can launch their entitled desktops and apps from the Workspace ONE portal or app. These desktops and apps can be accessed over HTML in a browser or over a supported display protocol in the VMware Horizon Client. Horizon Client versions 3.4 and later are supported.

This chapter includes the following topics:
- Integrating Horizon Cloud Desktops and Applications
- Viewing Details of Horizon Cloud Desktop and Application Pools
- Viewing User and Group Entitlements to Horizon Cloud Desktops and Applications
- Setting Access Policies for Specific Applications and Desktops
- Setting the Deployment Type for Horizon Cloud Entitlements
- Launching a Horizon Cloud Desktop or Application

Integrating Horizon Cloud Desktops and Applications

To integrate Horizon Cloud desktops and applications with the VMware Identity Manager service, you add your Horizon Cloud tenant details in the VMware Identity Manager administration console and sync resources and entitlements from the Horizon Cloud tenant. You also configure SAML authentication to enable trust between the Horizon Cloud tenant and the VMware Identity Manager service.

Prerequisites for Integration

Before you integrate Horizon Cloud with VMware Identity Manager, ensure that you meet the prerequisites.

- Verify that you have the following setup:
  - A VMware Identity Manager on-premises deployment
  - A Horizon Cloud tenant that is accessible by the VMware Identity Manager service. Work with your Horizon Cloud representative to set this up.
  Important: Your VMware Identity Manager deployment and your Horizon Cloud tenant need VPN connectivity to work.
- If you use an additional, external connector, ensure that you use version or later.
- Verify that your Horizon Cloud tenant meets the following requirements.
  - The tenant name must be a fully qualified domain name (FQDN), not just a host name. For example, server-ta1.example.com instead of server-ta1.
  - The tenant appliances must have valid, signed certificates issued by a CA. Self-signed certificates are not supported. The certificate must match the FQDN of the tenant appliance.
  - If you created your VMware Identity Manager directory with UPN as a search attribute, and you intend to sync static desktop pools from the Horizon Cloud tenant, your service provider must enable UPN for the tenant and restart the tenant appliance, otherwise users will be unable to launch static desktops.
- Ensure that the Horizon Cloud tenant and the VMware Identity Manager service are in time sync. If they are not in time sync, an invalid SAML error can occur when users launch Horizon Cloud desktops and applications.
- Create and configure desktop and application pools, also known as assignments, in the Horizon Cloud tenant administration console.
  You can create the following types of pools in the Horizon Cloud tenant:
  - Dynamic desktop pool, also known as floating desktop assignment
  - Static desktop pool, also known as dedicated desktop assignment
  - Session-based pool with desktops, also known as session desktop assignment
  - Session-based pool with applications, also known as remote application assignment
  For more information about the types of pools, see the Horizon Air documentation.
  The following limitations apply.
  - You can only sync from a single Horizon Cloud tenant to VMware Identity Manager.
- Set user and group entitlements to Horizon Cloud desktops and applications in the Horizon Air tenant administration console.
  Note: Only entitlements for users that belong to a registered group are synced. Users who do not belong to any group will not see their entitlements in VMware Identity Manager.
- In the VMware Identity Manager administration console, ensure that users and groups with these entitlements are synced from Active Directory to VMware Identity Manager using directory sync.
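
The tenant prerequisites above (an FQDN tenant name, a CA-issued certificate that matches the FQDN, and clocks in sync) can be checked before you start the integration. The following is an added example, not part of the VMware documentation: the function names, the constructed sample certificate, and the 60-second skew tolerance are assumptions, and the live check is meant to run on the VMware Identity Manager host so that its clock is the one compared.

```python
"""Preflight checks for the Horizon Cloud tenant prerequisites (added example)."""
import re
import socket
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_SKEW_SECONDS = 60  # assumed tolerance; the page does not state a number

# Constructed sample, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "server-ta1.example.com"),),),
    "issuer": ((("organizationName", "Example Org"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "server-ta1.example.com"),),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2019 GMT",
}


def is_fqdn(name):
    """True for server-ta1.example.com; False for a bare host name or an IP address."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.match(label) is not None for label in labels)


def _dns_match(pattern, host):
    """A wildcard is honoured only as the whole left-most label (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_problems(cert, fqdn, now):
    """Return the prerequisite violations found in a getpeercert()-style dict."""
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_match(san, fqdn) for san in sans):
        problems.append("name-mismatch")      # certificate must match the tenant FQDN
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed")        # self-signed certificates are not supported
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now.timestamp() <= end:
        problems.append("outside-validity")
    return problems


def clock_skew_seconds(date_header, local_now):
    """Seconds by which the tenant's HTTP Date header is ahead of the local clock."""
    remote = parsedate_to_datetime(date_header)
    if remote.tzinfo is None:                 # a "-0000" zone parses as naive; treat as UTC
        remote = remote.replace(tzinfo=timezone.utc)
    return (remote - local_now).total_seconds()


def check_tenant(fqdn, port=443, timeout=5.0):
    """Live probe: TLS handshake against the local trust store, then the checks above."""
    if not is_fqdn(fqdn):
        return ["not-fqdn"]
    ctx = ssl.create_default_context()        # verifies the chain and the host name
    request = f"HEAD / HTTP/1.1\r\nHost: {fqdn}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
                tls.sendall(request)
                head = tls.recv(4096).decode("latin-1")
    except ssl.SSLCertVerificationError as exc:
        return [f"tls-verify-failed: {exc.verify_message}"]
    now = datetime.now(timezone.utc)
    problems = cert_problems(cert, fqdn, now)
    match = re.search(r"^Date:\s*(.+?)\s*$", head, re.I | re.M)
    if match and abs(clock_skew_seconds(match.group(1), now)) > MAX_SKEW_SECONDS:
        problems.append("clock-skew")         # out-of-sync clocks lead to invalid SAML errors
    return problems


if __name__ == "__main__":
    import sys
    for tenant in sys.argv[1:]:
        print(tenant, check_tenant(tenant) or "ok")
```

An empty list from check_tenant means none of the checked prerequisites failed; the VPN connectivity and UPN requirements are not covered by this check.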

Enable Horizon Cloud Desktops and Applications in VMware Identity Manager

To integrate Horizon Cloud desktops and applications with the VMware Identity Manager service, you add your Horizon Cloud tenant details in the VMware Identity Manager administration console and sync resources and entitlements from the Horizon Cloud tenant to the VMware Identity Manager service.

Note: If you have set up multiple connectors in a high availability scenario, you must configure Horizon Cloud integration in all the connectors. You can set an automated sync schedule on one of the connectors but must set manual sync on the other connectors.

Prerequisites

- Verify that you meet the prerequisites described in Prerequisites for Integration.
- Verify that the Horizon Cloud tenant name is a fully-qualified domain name (FQDN). For example, server-ta1-1.example.com instead of server-ta1-1.
- Verify that the tenant appliance has a valid SSL certificate from a CA installed. Self-signed certificates are not supported. The certificate must match the FQDN of the tenant appliance.

1. Log in to the VMware Identity Manager administration console.
2. In the Catalog tab, select Manage Desktop Applications > Horizon Cloud.
3. Select the Enable Horizon Cloud Desktops and Applications check box.
4. Enter the information for your environment.

   Important: Do not use non-ASCII characters when you enter your domain information.

   Option / Description

   Tenant Host
     Fully-qualified domain name of your tenant host. For example: tenant1.example.com
   Tenant Port
     Port number of your tenant host. For example: 443
   Admin Username
     User name for your tenant administrator account. For example: tenantadmin
   Admin Password
     Password for your tenant administrator account.
   Admin Domain
     Active Directory NETBIOS domain name in which the tenant administrator resides.
   Domains to Sync
     Active Directory NETBIOS domain names for syncing Horizon Cloud resources and entitlements.
     Note: This field is case-sensitive. Ensure that you use the proper case when you enter the names.

   Option / Description

   Deployment Type
     Select how Horizon Cloud resources are made available to users.
     - User-Activated: Horizon Cloud resources are added to the Catalog page in Workspace ONE. To use a resource, users must move the resource from the Catalog page to the Launcher page.
     - Automatic: Horizon Cloud resources are added directly to the Launcher page in Workspace ONE for users' immediate use.
     The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your Horizon Cloud integration. You can modify the deployment type for individual users or groups per resource, from the resource's Entitlements page.
     Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource.
     For more information about setting the deployment type, see Setting the Deployment Type for Horizon Cloud Entitlements.
   Choose Horizon Air Sync Frequency
     The frequency at which to sync Horizon Cloud resources and entitlements.
     You can set up a regular sync schedule or choose to sync manually. If you choose Manually, you must return to this page and click Sync Now whenever there is a change in your Horizon Cloud resources or entitlements.
   Select Default Launch Client
     Select the default client in which to launch Horizon Cloud applications or desktops.
     - None: No default preference is set at the administrator level. If this option is set to None and an end user preference is not set either, the Horizon Cloud Default Protocol setting is used to determine how to launch the desktop or application.
     - Browser: Horizon Cloud desktops and applications are launched in a web browser by default. End user preferences, if set, override this setting.
     - Client: Horizon Cloud desktops and applications are launched in the Horizon Client by default. End user preferences, if set, override this setting.
     This setting applies to all users and all resources in your Horizon Cloud integration.
     The following order of precedence, listed from highest to lowest, applies to the default launch client settings:
     a. End user preference setting, set in the Workspace ONE portal. This option is not available for the Workspace ONE app.
     b. Administrator Select Default Launch Client setting, set in the Horizon Cloud Resources page in the VMware Identity Manager administration console.
     c. Horizon Cloud Default Protocol settings.

   For example:

5. Click Save.
6. Click Sync Now to sync resources and entitlements from the Horizon Cloud tenant to the VMware Identity Manager service.

What to do next

Configure SAML Authentication.

Configure SAML Authentication

Configure SAML authentication to enable trust between the service provider, the Horizon Cloud tenant, and the identity provider, VMware Identity Manager.

To configure SAML authentication, you create a federation artifact for the Horizon Cloud tenant in the VMware Identity Manager administration console and configure SAML authentication in the Horizon Cloud tenant.

Create Federation Artifact for Horizon Cloud

To configure SAML authentication, you need to create a federation artifact for the Horizon Cloud tenant.

Prerequisites

Verify the following with your service provider:
- The Horizon Cloud tenant name is a fully-qualified domain name (FQDN). For example, server-ta1-1.example.com instead of server-ta1-1.
- The Horizon Cloud tenant appliances have valid SSL certificates from a CA installed. Self-signed certificates are not supported. The certificate must match the FQDN of the tenant appliance.

1. In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select Settings.

2. In the left pane, select Horizon Cloud.
3. Enter the information for your environment to create a federation artifact.

   Setting / Description

   Assertion Consumer Service
     URL to which to post the SAML assertion. This URL is typically the Horizon Cloud tenant's floating IP or Access Point URL. For example,
   Audience
     Unique identifier of the Horizon Cloud tenant. This URL is typically the Horizon Cloud tenant's floating IP or Access Point URL. For example,
   Tenant Appliance URLs
     The URL of the Horizon Cloud tenant appliance, in the format
     If you have multiple tenant appliances, click Add Tenant Appliance URL to add the URLs.
     If the tenant appliances are behind a floating IP or Access Point appliance, specify the floating IP or Access Point appliance URL, in the format
     For example:

4. Click the Accept Certificate link next to each Horizon Cloud tenant appliance URL to accept the certificate.

   Important: If you change the SSL certificate on the Horizon Cloud tenant appliance after integration, you must return to this page and accept the certificate again to re-establish trust.

5. Click Save.

What to do next

Configure SAML authentication in the Horizon Cloud tenant.

Configure SAML Authentication in the Horizon Cloud Tenant

After you create a federation artifact in the VMware Identity Manager administration console, configure SAML authentication in the Horizon Cloud tenant.

Note: Do not configure SAML authentication if your organization uses smart card authentication to view resources using a third-party identity provider.

Note: The Horizon Cloud tenant appliance and VMware Identity Manager must be in time sync. If they are not in time sync, when you try to launch Horizon Cloud desktops and applications, an invalid SAML message appears.

1. In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select Settings.
2. In the left pane, click SAML Metadata.
3. Click the Identity Provider (IdP) metadata link.
4. Make a note of the URL from the browser's address bar, such as
5. Log in to the Horizon Cloud tenant.
6. Navigate to Settings > General Settings > Edit.
7. In the IDM section, enter the information required.

   Option / Description

   IDM URL
     The VMware Identity Manager IdP metadata URL you copied in step 4.
   Timeout SSO Token
     (Optional) The amount of time, in minutes, after which the SSO token times out.
   Data Center
     The Horizon Cloud data center name. For example, Horizon.
   Tenant Address
     The Horizon Cloud tenant address. Specify the floating IP address or hostname, or Access Point IP address or hostname of the Horizon Cloud tenant appliance. For example, mytenant.example.com.

Your integration is complete. You can now view Horizon Cloud desktop and application pools in the VMware Identity Manager administration console and end users can launch the resources to which they are entitled.

Customizing the User ID for Horizon Cloud Integration

You can customize the user ID that is used in the SAML response when users launch Horizon Cloud applications and desktops. By default, User Principal Name is used. You can choose to use other name ID formats such as samaccountname or address and customize the value.

The ability to select the name ID format is useful in scenarios such as the following:
- When users from multiple sub-domains are synced, User Principal Name may not work. You can use a different name ID format such as samaccountname or address to uniquely identify users.

Important: Ensure that the name ID format setting is the same in both Horizon Cloud and VMware Identity Manager.

Prerequisites

You have enabled and configured the Horizon Cloud integration in the Horizon Cloud Resources page, accessed from Catalog > Manage Desktop Applications > Horizon Cloud.

1. In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select Settings.
2. Click Horizon Cloud on the left.
3. In the Horizon Cloud page, specify the name ID format to use.

   Option / Description

   Name ID Format
     Select the name ID format, such as address or User Principal Name. The default value is Unspecified (username).
   Name ID Value
     Click Select from suggestions and pick from a predefined list of values or click Custom value and enter the value. The default value is ${user.userprincipalname}.

4. Click Save.

What to do next

Every time you make a change and click Save in the Horizon Cloud Resources integration page, accessed from Catalog > Manage Desktop Applications > Horizon Cloud, return to the Catalog > Settings > Horizon Cloud page, verify the settings, and click Save again.

If an error occurs while saving the settings on this page, click Reset, then enter the configuration details again and click Save.

Syncing Horizon Cloud Desktops and Applications with VMware Identity Manager

When you initially integrate Horizon Cloud with VMware Identity Manager, you sync resources and entitlements from the Horizon Cloud tenant to the VMware Identity Manager service. Subsequently, resources and entitlements are synced at regular intervals if you set up a sync schedule. In addition, you can sync updates to VMware Identity Manager at any time by using the Sync Now option.

1. Log in to the VMware Identity Manager administration console.
2. In the Catalog tab, click Manage Desktop Applications > Horizon Cloud.
3. Click Sync Now.
4. (Optional) To specify a regular sync schedule, select one of the options in the Choose Horizon Cloud Sync Frequency field and click Save.

Viewing Details of Horizon Cloud Desktop and Application Pools

In the VMware Identity Manager administration console, you can view information about the synced Horizon Cloud desktop and application pools.

1. Log in to the VMware Identity Manager administration console.
2. Click the Catalog tab.
3. Click Any Application Type and select Horizon Cloud Desktops or Horizon Cloud Applications.
4. Select a desktop or application pool.

5. Click Details.

Attributes retrieved from the Horizon Cloud tenant are displayed. See the Horizon Cloud documentation for information about these attributes.

Viewing User and Group Entitlements to Horizon Cloud Desktops and Applications

In the VMware Identity Manager administration console, you can view the Horizon Cloud entitlements for specific users and groups.

User and group entitlements to Horizon Cloud resources are set in the Horizon Cloud tenant administrative interface and cannot be modified from the VMware Identity Manager administration console.

Prerequisites

To see the latest information, sync Horizon Cloud desktops and applications. You can force a sync by selecting Catalog > Manage Desktop Applications > Horizon Cloud to go to the Horizon Air Resources page, and clicking Sync Now.

1. Log in to the VMware Identity Manager administration console.
2. View user and group entitlements to Horizon Cloud desktops and applications.

   Option / Action

   List users and groups entitled to a specific Horizon Cloud desktop or application pool.
     a. Click the Catalog tab.
     b. Click Any Application Type > Horizon Cloud Desktops or Horizon Cloud Applications.
     c. Select the pool for which you want to list entitlements.
     The Entitlements tab is selected by default. Group entitlements and user entitlements are listed in separate tables.
   List of Horizon Cloud desktop and application pool entitlements for a specific user or group.
     a. Click the Users & Groups tab.
     b. Click the Users tab or the Groups tab.
     c. Click the name of an individual user or group.
     d. Click the Apps tab.
     Horizon Cloud desktop and application pools to which the user or group is entitled are listed.

Setting Access Policies for Specific Applications and Desktops

The default access policy set applies to all applications and desktops in your catalog. You can also set access policies for individual applications or desktop pools, which override the default access policy.

You can apply an access policy to one or more applications and desktops from the Policies page or select the access policy for a specific application from the application configuration page.

For more information on access policies, see the VMware Identity Manager Administration Guide.

1. To apply an access policy to applications and desktops from the Policies page, follow these steps.
   a. Navigate to the Identity & Access Management > Manage > Policies page.
   b. Click a policy to edit it or click Add Policy to create a new policy.
   c. In the policy page, edit or define the policy.

   d. In the Applies to section, select the applications to which you want to apply the policy.
   e. Click Save.
2. To select an access policy for a specific application from the application configuration page, follow these steps.
   a. Click the Catalog tab.
   b. Click the application.
   c. Click Access Policies in the left pane.
   d. Select the access policy for the application and click Save.

Setting the Deployment Type for Horizon Cloud Entitlements

You can set the deployment type for Horizon Cloud resources, which determines how the resources are made available to users. Setting the deployment type to User-Activated adds the resources to the Catalog page in Workspace ONE. To use a resource, users must move the resource from the Catalog page to the Launcher page. Setting the deployment type to Automatic adds the resources directly to the Launcher page for users' immediate use.

You can set the deployment type at different levels.

Global level
  The global setting applies to all user entitlements for all the Horizon Cloud resources in your deployment. You specify the global deployment type when you first integrate Horizon Cloud resources with VMware Identity Manager from the Horizon Air Resources page.
  After the initial integration, you can modify the global setting from the same page. Note that if you change the global setting after the initial integration, the new setting only applies to new entitlements that are synced. To modify existing entitlements, you can change the setting at the individual resource level.
  Note: Setting the global deployment type to User-Activated is recommended. In typical scenarios, you set the global setting to User-Activated, and then modify it to Activated for specific user and group entitlements.

User or group entitlement level
  You can also set the deployment type at the individual application or desktop level for specific users and groups. This setting overrides the global setting. This setting will not be changed during subsequent syncs.

During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync, the global setting is applied.

Note: Once a resource has been activated, that is, once it appears in the Launcher page for a user, it will continue to appear in the Launcher page unless the user deletes it. Any changes to the deployment type will not remove it from the Launcher page.

1. To set the deployment type at the global level, follow these steps.
   a. Click the Catalog tab and select Manage Desktop Applications > Horizon Cloud.
   b. In the Deployment Type field in the Horizon Cloud Resources page, select User-Activated or Automatic.
      Note: Setting the global deployment type to User-Activated is recommended.
   c. Click Save.
   The setting will be applied to all new entitlements beginning with the next sync.
2. To set the deployment type for a specific user or group entitlement, follow these steps.
   a. Click the Catalog tab.
   b. Click the application or desktop whose entitlement you want to edit.
   c. Click Entitlements to display the Entitlements page for the application.
      You can view the current deployment settings for user and group entitlements in the DEPLOYMENT column.
   d. Click Edit next to the entitlement you want to edit.
   e. In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
   f. Click Save.
   The deployment type set at the user or group entitlement level has precedence over the global deployment type setting, and will not be modified during sync.

Launching a Horizon Cloud Desktop or Application

End users can log in to the Workspace ONE portal or app and launch the Horizon Cloud desktops and applications to which they are entitled.

Based on how an application or desktop has been configured in the Horizon Cloud tenant, it can be launched in the Horizon Client or in a browser. For applications or desktops that can only be launched in the Horizon Client, users must install the Horizon Client on their systems. For applications and desktops that can be launched in either the Horizon Client or a browser, users can select the launch method.

Users can also set their default launch preference in the Preferences page in the Workspace ONE portal. This user preference overrides any default launch preference set at the administrator level.

Note: Users cannot set a default launch preference in the Workspace ONE app.

1. Log in to the Workspace ONE portal.
2. Right-click the desktop or application you want to use and check the launch options available. If a launch option is not available, the link is disabled.
3. Install the Horizon Client on your system, if required.
4. Right-click the desktop or application and select either Launch in Browser or Launch in Client.

5 Providing Access to Citrix-Published Resources

Overview

You can integrate your Citrix deployment with VMware Identity Manager to provide Workspace ONE users access to Citrix-published resources.

This chapter includes the following topics:
- Overview
- Components Required for Citrix Integration
- High-level Integration Design
- Prerequisites for Citrix Integration
- Configuring Citrix Server Farms in VMware Identity Manager
- Configuring Citrix Resource Launch in VMware Identity Manager
- Configuring VMware Identity Manager Settings for Citrix Integration
- Upgrade Impact on Citrix-Published Resources Integration

You can provide Workspace ONE users access to Citrix-published resources by integrating your Citrix deployment with VMware Identity Manager.

Citrix-published resources include applications and desktops within Citrix XenApp and XenDesktop farms. Desktops are also referred to as Citrix-published delivery groups.

End users can launch Citrix-published applications and desktops from the Workspace ONE portal or app. They install Citrix Receiver on their systems and devices to access the resources to which they are entitled.

You manage Citrix-published applications and desktops, and entitle users to resources, in Citrix. In the VMware Identity Manager administration console, you can view the resources and their entitlements.

You can also edit ICA session settings, such as the settings that control resolution or compression, from VMware Identity Manager. You can configure the settings globally for all the Citrix resources in the VMware Identity Manager catalog, or for individual Citrix resources.

VMware Identity Manager supports Citrix deployments that include Citrix Netscaler.

Supported Versions

VMware Identity Manager supports XenApp 5.0, 6.0, 6.5, and 7.x, and XenDesktop 7.x.

Supported operating systems for the Integration Broker, the VMware Identity Manager component that communicates with the Citrix deployment, are Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

66 Setting Up Resources in VMware Identity Manager (On Premises) To use the Citrix StoreFront ReST API, Integration Broker or later is required. To use XenApp 7.x or XenDesktop 7.x, Integration Broker 2.6 or later is required. To use the Netscaler feature, Integration Broker 2.4 or later is required. Note Using the latest available version of VMware Identity Manager and its components is recommended. Components Required for Citrix Integration To integrate a Citrix deployment with the VMware Identity Manager service, you need the following components. A VMware Identity Manager instance installed on premises. An Integration Broker instance installed on a supported Windows server on premises. The Integration Broker, a component of VMware Identity Manager, is the component that communicates with Citrix server farms. You can download the Integration Broker from A Citrix deployment on premises. While deploying the components, ensure that you meet these requirements: The VMware Identity Manager service must be able to communicate with the Integration Broker. If you deploy multiple instances of the service appliance, ensure that all of them can communicate with the Integration Broker. The Integration Broker must be able to communicate with the Citrix server farm. Note Using the latest available version of VMware Identity Manager and its components is recommended. High-level Integration Design VMware Identity Manager uses the Integration Broker and other components to synchronize Citrixpublished resources to VMware Identity Manager and to launch the resources from the Workspace ONE portal or app. Synchronization of Citrix-published Resources and Entitlements VMware Identity Manager synchronizes Citrix-published applications and desktops, and user entitlements, from the Citrix server farm to the VMware Identity Manager service. You can set a sync schedule to sync the resources and entitlements at regular intervals. 
The Citrix farm is the single source of truth for all supported operations in VMware Identity Manager. You manage the resources and entitle users to them in Citrix. When resources or entitlements are added, changed, or deleted in the Citrix farm, the information is updated in VMware Identity Manager after a sync.

Synchronization Architecture Diagram

[Figure: Synchronization Architecture Diagram, showing Workspace ONE, Citrix Receiver, the VMware Identity Manager service, connector, and Integration Broker (PowerShell), and the Citrix components: StoreFront, Controller, XML Server, Session Hosts, and Active Directory.]

Users and groups are synced from your enterprise directory to the VMware Identity Manager service by the VMware Identity Manager connector.

Citrix-published resources and entitlements are synced from the Citrix server farm to VMware Identity Manager using the connector, Integration Broker, and PowerShell SDK.

Launch of Citrix-published Applications and Desktops

VMware Identity Manager uses the Integration Broker component and the Citrix Web Interface SDK or Citrix StoreFront REST API to launch Citrix-published applications from the Workspace ONE portal or app. You can configure internal and external access to the Citrix-published resources.

End users must install Citrix Receiver on their systems or devices to launch the applications and desktops.

Launch Architecture Diagram (Internal Access)

[Figure: Launch Architecture Diagram (Internal Access), showing Workspace ONE, Citrix Receiver, the ICA file, the VMware Identity Manager service, connector, and Integration Broker (Web Interface SDK/StoreFront REST API: authenticate and request ICA file), and the Citrix components: StoreFront, Controller, XML Server, STA Server, and Session Hosts. The numbers in the figure correspond to the steps below.]

1 A user launches a Citrix-published application or desktop from the Workspace ONE portal or app.
2 The request goes to the VMware Identity Manager service, connector, and Integration Broker.
3 The Integration Broker communicates with the Citrix server farm through the Web Interface SDK or StoreFront REST API to authenticate and request the ICA file.
4 The ICA file is retrieved and passed to the Workspace ONE portal or app.
5 The ICA file is passed to the Citrix Receiver.
6 The Citrix Receiver launches the application or desktop.

Launch Architecture Diagram (External Access)

[Figure: Launch Architecture Diagram (External Access), showing Workspace ONE, Citrix Receiver, the ICA file, the VMware Identity Manager service, connector, and Integration Broker (Web Interface SDK/StoreFront REST API: authenticate and request ICA file), NetScaler, and the Citrix components: StoreFront, Controller, XML Server, STA Server, and Session Hosts. The numbers in the figure correspond to the steps below.]

1 A user launches a Citrix-published application or desktop from the Workspace ONE portal or app.
2 The request goes to the VMware Identity Manager service, connector, and Integration Broker.
3 The Integration Broker communicates with the Citrix server farm through the Web Interface SDK or StoreFront REST API to authenticate and request the ICA file.
4 The ICA file is retrieved and passed to the Workspace ONE portal or app.
5 The ICA file is passed to the Citrix Receiver.
6 Citrix Receiver communicates with NetScaler.
7 NetScaler communicates with the Citrix STA server with the STA ticket and gets the Citrix session server information.
8 NetScaler communicates with the Citrix Session Host server and creates a session for application launch.

Note In version 7.x, the Citrix Session Host server is the Citrix VDA server. In version 6.5, it is the Citrix Worker server.

Using StoreFront REST API or Web Interface SDK for Launch

The Integration Broker can use the Citrix Web Interface SDK and the Citrix StoreFront REST API to communicate with the Citrix deployment to launch applications or desktops. When the StoreFront REST API is used, the Integration Broker acts like a REST client.

The Web Interface SDK and the StoreFront REST API are used to authenticate with and generate the ICA file from the Citrix deployment.

You can specify which option to use by selecting or deselecting the Use StoreFront check box in the Citrix configuration page in the VMware Identity Manager administration console.

An Integration Broker instance can use both the Web Interface SDK and the StoreFront REST API. If you want to communicate with one Citrix farm using the Web Interface SDK and another Citrix farm using the StoreFront REST API, select or deselect the Use StoreFront check box as required.

To use the StoreFront REST API option, which is available in VMware Identity Manager and later, ensure the following requirements are met.

- Install Integration Broker or later.
- Ensure that StoreFront is supported by the XenApp or XenDesktop version you are using.
- Ensure that the Integration Broker can communicate with the StoreFront server. When you enable the StoreFront REST API, the Integration Broker communicates with the StoreFront server to generate the ICA file.
- Enable HTTP Basic Authentication as an authentication method in the Citrix StoreFront store. This is required for internal access only.

  Caution If you do not enable HTTP Basic Authentication, authentication will fail.

Note To use the StoreFront REST API, you do not need to download or copy any additional files to your installation.

Prerequisites for Citrix Integration

Before you configure Citrix server farm details in the VMware Identity Manager administration console, you must complete certain prerequisite tasks.

You must deploy and configure the Integration Broker, a VMware Identity Manager component, on a supported Windows Server and set up Citrix PowerShell remoting to enable communication between the Integration Broker and the Citrix server farm.

The high-level tasks include the following:

- Prepare the Windows Server for the Integration Broker installation.
  - Add roles and features.
  - Install Microsoft J# 2.0 Redistributable Package. Microsoft J# 2.0 is not required if you plan to use the StoreFront REST API instead of the Citrix Web Interface SDK to connect to the Citrix server farm.
- Install Integration Broker.
  - Download and install the Integration Broker.
  - Configure IIS Manager settings for the Integration Broker.
  - Set up HTTPS bindings for the Integration Broker.
- Set up Citrix PowerShell remoting to enable remote invocations between the Integration Broker server and the Citrix server farm.
  - Install Citrix PowerShell SDK on the Integration Broker server.
  - Enable PowerShell remoting on the Citrix servers (Citrix 6.0 and 5.0 only).
- Download and copy Citrix Web Interface SDK dll files. Citrix Web Interface SDK is not required if you plan to use the StoreFront REST API to connect to the Citrix server farm.

About Deploying the Integration Broker

The Integration Broker is a VMware Identity Manager component that is used to communicate with the Citrix server farm. You install the Integration Broker on premises on a supported Windows Server.

Follow these guidelines when you deploy the Integration Broker.

- You can install the Integration Broker on Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
- To use the NetScaler feature, you must install Integration Broker 2.4 or later.
- For XenApp or XenDesktop 7.x, you must install Integration Broker 2.6 or later.
- To use the Citrix StoreFront REST API, you must install Integration Broker or later.
- The VMware Identity Manager connector must be able to communicate with the Integration Broker. If you have set up multiple connector instances, ensure that all of them can communicate with the Integration Broker.
- A single Integration Broker instance can support multiple Citrix 5.x, 6.x, and 7.x environments.
- If you are using the VMware Enterprise Systems Connector on Windows, note the following.
  - Download the Integration Broker from the VMware Identity Manager product page on My VMware.
  - Installing the Integration Broker and the VMware Enterprise Systems Connector on different servers is recommended.

  - If you are installing the Integration Broker on the same server as the connector, ensure that the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager Connector component. The VMware Identity Manager Connector component always uses port 80. It also uses 443, unless a different port is configured during installation.
  - A self-signed certificate is generated during the connector installation. If you are installing the Integration Broker on the same server as the connector, you can use this certificate. Install the certificate in the Microsoft store and use it for the HTTPS binding.

Before you start, also plan your deployment strategy.

- Consider whether you will use multiple Integration Broker instances. Multiple instances are useful for high-availability and load-balancing purposes.
  - For high availability, set up a cluster of two or more Integration Broker instances. You can use the same cluster for syncing resources and entitlements and for launching resources, or set up different clusters, based on your requirements.
  - If your deployment distributes heavy traffic, increase the number of Integration Broker instances used for launching resources.
- Consider whether you will use load balancers. If your deployment uses multiple Integration Broker instances for high-availability or load-balancing purposes, consider installing them behind one or more load balancers.

Prepare Windows Server for the Integration Broker Installation

Before you install Integration Broker, you must configure the Windows server.

The following operating systems are supported for the Integration Broker server.

- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2

Note See the VMware Product Interoperability Matrixes at for the latest information about supported versions.
Add Windows Server Roles and Features

Add the required roles, features, and role services in the Integration Broker server.

Note The steps in this procedure refer to the Windows Server 2012 R2 or Windows Server 2012 user interface. Where applicable, any differences for Windows Server 2008 R2 are noted.

Prerequisites

- Verify that Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 is installed with the latest updates. To check for updates, select Control Panel > Windows Update.
- Create an application pool, if necessary. You can use the default application pool or create an application pool that is dedicated to Integration Broker.

1 Select Start > Server Manager.
2 In Server Manager, select Manage > Add Roles and Features.

3 In the Add Roles and Features wizard, click Next until the Server Roles page appears.
4 Select the following roles, then click Next.

  Roles
  - Application Server
  - File and Storage Services
  - Web Server (IIS)

    Note When you select Web Server (IIS), a dialog box appears prompting you to confirm features that are required for Web Server (IIS). Verify that Management Tools is included, then click Add Features.

5 In the Features page, select the following features.

  Features
  - .NET Framework 3.5 Features
    - .NET Framework 3.5 (includes .NET 2.0 and 3.0)
    - HTTP Activation

      When you select HTTP Activation, a dialog box appears prompting you to confirm features that are required for HTTP Activation. Click Add Features.

  Note On Windows Server 2008 R2, you select these options:
  - .NET Framework 3.5 Features
  - .NET Framework 3.5
  - WCF Activation
  - HTTP Activation
  - IIS Hostable Web Core
  - Windows Process Activation Service
  - WinRM IIS Extension

  For example:

  [Figure 5-1. Windows Server 2012 R2]

6 Click Next, then click Next again to display the Application Server Role Services page.

7 In the Application Server Role Services page, select the following role services.

  Application Server Role Services
  - .NET Framework 4.5 (do not change if preselected)
  - Web Server (IIS) Support

    Note When you select Web Server (IIS), a dialog box appears prompting you to confirm features that are required for Web Server (IIS). Click Add Features.
  - Windows Process Activation Service Support
  - HTTP Activation

8 Click Next and click Next again to display the Web Server Role (IIS) Role Services page.

9 In the Web Server Role (IIS) Role Services page, select the following role services.

  Web Server Role (IIS) Role Services
  - Web Server: Accept the default selections
  - Enable the following option: Management Tools
    - IIS Management Console
    - IIS 6 Management Compatibility

10 Click Next.
11 Click Install.
12 When the installation is finished, click Close to close the Add Roles and Features wizard.

What to do next

Install Microsoft Visual J# 2.0 Redistributable Package, if necessary.

Install Microsoft Visual J# bit Redistributable Package

Download and install Microsoft Visual J# bit Redistributable Package - Second Edition.

This step is not required if you plan to use the Citrix StoreFront REST API instead of the Citrix Web Interface SDK to connect to the Citrix server farm.

1 Download the Microsoft Visual J# bit Redistributable Package - Second Edition from the Microsoft web site.
2 Double-click the vjredist.exe file and follow the wizard to install the package.

Deploy Integration Broker

To deploy Integration Broker, you download and install the Integration Broker on a supported Windows server, configure IIS Manager settings for it, and set up HTTPS and HTTP bindings.

Install Integration Broker

Install Integration Broker on the Windows server that you configured.

Prerequisites

- Prepare the Windows server. See Prepare Windows Server for Integration Broker Installation.
- Download Integration Broker from the VMware Identity Manager product page on My VMware.

1 Log in as a Windows administrator.
2 Click the setup.exe file to run the Integration Broker installer.
3 Accept the end user license agreement.
4 Select the Web location where you want to install the Integration Broker.
5 (Optional) If you created a separate application pool for the Integration Broker, select the application pool.

  Caution Do not change the Virtual Directory name.

6 Click Next to finish installing Integration Broker.

What to do next

Configure IIS Manager Settings.

Configure IIS Manager Settings

Configure the required IIS Manager settings for the Integration Broker.

Note The steps in this procedure refer to the Windows Server 2012 or Windows Server 2012 R2 user interface. Where applicable, any differences for Windows Server 2008 R2 are noted.

Prerequisites

The credentials for the Identity user. The Identity user must meet the following requirements:

- Domain user
- Privileges to enable PowerShell Remoting on the Integration Broker server:
  a Launch PowerShell with administrator privileges
  b Run Enable-PSRemoting
- One of the following roles on the Citrix server:
  - At least Read Only Administrator (version 7.x) or View Only Administrator (version 6.x)
  - A custom administrator role that has the permissions to execute the following PowerShell cmdlets. These cmdlets are used to retrieve applications, server, farm, and icon information from the Citrix server farm.

    On XenApp 6.5:
    - Get-XAApplication
    - Get-XAServer
    - Get-XAAccount

    - Get-XAApplicationIcon
    - Get-XAFarm

    On XenApp or XenDesktop 7.x:
    - Get-BrokerApplication
    - Get-BrokerIcon
    - Get-BrokerDesktopGroup
    - Get-BrokerAccessPolicyRule
    - Get-BrokerAppEntitlementPolicyRule
    - Get-BrokerIcon
    - Get-BrokerEntitlementPolicyRule

1 Click Start > Server Manager.
2 In Server Manager, select Tools > Internet Information Services (IIS) Manager.
3 In IIS Manager, configure the application pool that you selected while installing the Integration Broker.

  Tip To verify the correct application pool, click Application Pools in the left pane, right-click the application pool and select View Applications, and verify that the Integration Broker appears in the list.

  a In the left pane, click Application Pools.
  b Select the application pool that you are using for the Integration Broker.
  c Click Advanced Settings in the right pane.

  d In the Advanced Settings dialog box, configure the following settings.

    Option: .NET CLR Version
    Description: Verify that the value is v2.0.
    Note In Windows 2012 and Windows 2012 R2, the application pool may have been configured to a different .NET version by default. Ensure that you configure it to v2.0.

    Option: Enable 32-bit Applications
    Description: Set the value to True.

    Option: Identity
    Description:
    1 Click Identity.
    2 Click the ... icon.
    3 In the Application Pool Identity dialog box that opens, click Custom Account, then click Set.
    4 Enter the user name and password for the Identity user. See the requirements for the Identity user in the Prerequisites section.
    5 Click OK and click OK again.

  e Click OK to close the Advanced Settings dialog box.

Set HTTPS Site Binding for the Integration Broker

You must set the HTTPS site binding for the Integration Broker. To set the binding, you need an SSL certificate for the Integration Broker server. You can obtain a certificate from a Certificate Authority or create a self-signed certificate.

Note If you are using the on Windows and you are installing the Integration Broker on the same server as the connector, ensure that the HTTP and HTTPS binding ports do not conflict with the ports used by the VMware Identity Manager Connector component. The VMware Identity Manager Connector component always uses port 80. It also uses 443, unless a different port is configured during installation. For more information on the ports used, see VMware Enterprise Systems Connector Installation and Configuration.

Installing the Integration Broker and the VMware Enterprise Systems Connector on different servers is recommended.

Prerequisites

- Obtain an SSL certificate for the Integration Broker server. You can get a certificate from a Certificate Authority or create a self-signed certificate. Install the certificate in the Microsoft store in the Integration Broker server.

  See Example: Create a Self-signed Certificate Using IIS Manager and Example: Create a Self-signed Certificate Using OpenSSL.

  Note If you are using the VMware Enterprise Systems Connector on Windows and have installed the Integration Broker on the same server as the connector, you can use the self-signed certificate that is generated during the connector installation. Install the certificate in the Microsoft store and use it for the HTTPS binding.

- If you use an internal CA to create the certificate, to enable VMware Identity Manager to trust the certificate you must upload the root certificate of the internal CA at on the Terminate SSL on a Load Balancer tab, where vidmhostname is the VMware Identity Manager instance where the Citrix integration is configured. In a SaaS environment, go to

1 In IIS Manager, in the left pane, click the web site under which you installed the Integration Broker.

  Tip To verify the correct web site, you can expand the site in the left pane and check that the Integration Broker is listed under it.

2 In the right pane, under Edit Site, click Bindings.
3 Add the HTTPS binding using the certificate you created.
  a Click Add.
  b In the Type field, select https.
  c If you are using IIS 8.0 or later, verify that the Host name field is empty. It must not have any value.
  d In the SSL Certificate field, select the SSL certificate you created.
  e Click OK.
4 Restart IIS.
  a Open the Command Prompt window as administrator.
  b Type iisreset.

What to do next

Verify the bindings.

- Verify that the HTTP binding produces the expected output by typing /IB/API/RestServiceImpl.svc/ibhealthcheck in the address bar of a browser.

  Expected output: All ok

- Verify that the HTTPS binding produces the expected output by typing /IB/API/RestServiceImpl.svc/ibhealthcheck in the address bar of a browser.

  Expected output: All ok

Note In Internet Explorer, the All ok output is not displayed directly. Instead, the output file is downloaded. Open the file to view the output.

Example: Create a Self-Signed Certificate Using IIS Manager

You can create a self-signed certificate for the Integration Broker server using IIS Manager.

1 Start IIS Manager.
2 Navigate to Server Certificates.
3 In the right pane, under Action, select Create Self-signed Certificate.
4 Follow the wizard to generate the self-signed certificate.

The certificate is installed automatically in the Microsoft store in the Integration Broker server.

What to do next

Use the certificate for the HTTPS binding for the Integration Broker web site.

Example: Create a Self-signed Certificate Using OpenSSL

These instructions provide a sample for how to set a self-signed certificate using OpenSSL for Integration Broker.

1 Create a self-signed certificate for the Integration Broker server.
2 Create the ibcerts folder to use as the working directory.

3 Create a configuration file using the vi openssl_ext.conf command.
  a Copy and paste the following OpenSSL commands into the configuration file.

    # openssl x509 extfile params
    extensions = extend

    [req] # openssl req params
    prompt = no
    distinguished_name = dn-param

    [dn-param] # DN fields
    C = US
    ST = CA
    O = VMware (Dummy Cert)
    OU = Horizon Workspace (Dummy Cert)
    CN = hostname (Virtual machine hostname where the Integration Broker is installed. )
    emailAddress = PROTECTED

    [extend] # openssl extensions
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    keyUsage = digitalSignature,keyEncipherment
    extendedKeyUsage=serverAuth,clientAuth

    [policy] # certificate policy extension data

    Note Type the CN value before you save the file.

  b Run this command to generate a private key.

    openssl genrsa -des3 -out server.key 1024

  c Type the passphrase for server.key, for example, vmware.
  d Rename the server.key file to server.key.orig.

    mv server.key server.key.orig

  e Remove the password associated with the key.

    openssl rsa -in server.key.orig -out server.key

4 Create a CSR (certificate signing request) with the generated key. The server.csr is stored in your working directory.

    openssl req -new -key server.key -out server.csr -config ./openssl_ext.conf

5 Sign the CSR.

    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile openssl_ext.conf

  The expected output displays.

    Signature ok
    subject=/C=US/ST=CA/O=VMware (Dummy Cert)/OU=Horizon Workspace (Dummy Cert)/CN=w2-hwdog-xa.vmware.com/emailAddress=PROTECTED
    Getting Private key

6 Create P12 format.

    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12

  a Press Enter at the prompt for an export password.

    Important Do not enter a password.

    The expected output is server.p12 file.

  b Move the server.p12 file to the Windows machine where Integration Broker is installed.
  c From the Command Prompt, type mmc.
  d Click File > Add or Remove Snap-ins.
  e In the Snap-in window, click Certificates and click Add.
  f Select the Computer account radio button.
7 Import the certificate into the root and personal store certificates.
  a Choose All Files in the dialog.
  b Select the server.p12 file.
  c Click the Exportable check box.
  d Leave the password blank.
  e Accept the defaults for the subsequent steps.
8 Copy the certificate into the Trusted Root CAs in the same mmc console.
9 Verify that the content of the certificate includes these elements.
  - Private key
  - CN in the subject attribute that matches the Integration Broker Host Name
  - Extended key usage attribute with both client and server authentication enabled

Enable Citrix PowerShell Remoting

You must enable remote invocations between the Integration Broker and the Citrix server farm by setting up Citrix PowerShell Remoting.

To set up Citrix PowerShell remoting, you install the Citrix PowerShell SDK on the Integration Broker server and verify that PowerShell remoting is enabled on the Citrix servers.

- On the Integration Broker server, you must install the appropriate version of the Citrix PowerShell SDK. If you connect to multiple versions of Citrix server farms, install all the required versions of the Citrix PowerShell SDK on the Integration Broker server as the SDKs are not backwards compatible.
- PowerShell remoting must be enabled on Citrix servers so that the Integration Broker server can connect to them and retrieve required information such as resources information, entitlements, and icons.
  You need to enable PowerShell remoting only on the Delivery Controllers or XML Brokers that you will configure in VMware Identity Manager, not on all the servers in your server farm.

  - In XenApp or XenDesktop 7.x, these are the Delivery Controllers, which also act as XML Brokers.
  - In Citrix server farms 6.5, 6.0, or 5.0, these are the XML Broker servers.

  For Citrix server farm versions 6.0 and 5.0, Citrix PowerShell Remoting requires a secure HTTPS channel to make remote calls. Ensure that the Citrix Delivery Controllers or XML Brokers have valid SSL certificates.
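The three elements that step 9 of the OpenSSL certificate example asks you to verify can be checked from the command line before the certificate is imported into the Windows store. The script below is an added example, not part of the VMware documentation; the function names make_cert and check_ib_cert, the host name ib.example.test, the DN values, and the 2048-bit key size are assumptions made here.

```shell
#!/bin/sh
# Added example. make_cert and check_ib_cert are hypothetical helper names;
# host names and DN values are constructed sample data.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# make_cert DIR HOST EKU
# Write a self-signed certificate and unencrypted key for HOST into DIR,
# using an [extend] section modelled on the page's openssl_ext.conf.
make_cert() (
    dir=$1; host=$2; eku=$3
    umask 077                      # keep the private key unreadable to others
    mkdir -p "$dir" || exit 1
    cat > "$dir/openssl_ext.conf" <<EOF
[req]
prompt = no
distinguished_name = dn-param
[dn-param]
C = US
ST = CA
O = Example (constructed)
CN = $host
[extend]
subjectKeyIdentifier = hash
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = $eku
EOF
    # 2048-bit RSA is a choice made for this example.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl_ext.conf" -extensions extend \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
)

# check_ib_cert CERT KEY HOST
# Exit status 0 only if all three elements from step 9 are present.
check_ib_cert() (
    crt=$1; key=$2; host=$3

    # 1. Private key: the key file must hold the key the certificate certifies.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate"
        exit 1
    fi

    # 2. The CN in the subject must match the Integration Broker host name.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
    if [ "$(lower "$cn")" != "$(lower "$host")" ]; then
        echo "FAIL: CN '$cn' does not match host name '$host'"
        exit 1
    fi

    # 3. Extended key usage must list both server and client authentication.
    text=$(openssl x509 -in "$crt" -noout -text) || exit 1
    for usage in "TLS Web Server Authentication" "TLS Web Client Authentication"
    do
        if ! printf '%s\n' "$text" | grep -q "$usage"; then
            echo "FAIL: extended key usage lacks $usage"
            exit 1
        fi
    done

    echo "OK: key matches, CN=$cn, server and client authentication present"
)

# Run as: sh check_ib_cert.sh server.crt server.key ib-hostname
if [ "$#" -eq 3 ]; then
    check_ib_cert "$@"
fi
```

The check reads the PEM files produced in steps 3 to 5, so it can be run in the working directory before server.p12 is created.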

Install Citrix PowerShell SDK on the Integration Broker Server

You must install the Citrix PowerShell SDK on the Integration Broker server to enable connections between the Integration Broker server and the Citrix server farm.

Download and install the Citrix PowerShell SDK version that corresponds to the Citrix server farm that you are integrating with VMware Identity Manager. If you connect to multiple versions of Citrix server farms, install all the required versions of the Citrix PowerShell SDK on the Integration Broker server as the SDKs are not backwards compatible.

1 Log in to the Integration Broker server.
2 If you are connecting to XenApp or XenDesktop 7.x, follow these steps.
  a Download and install Citrix Studio on the Integration Broker server.
  b Verify the installation.
    1 Open Windows PowerShell as administrator.
    2 Enter this command:

        Add-PSSnapin Citrix*

    3 Enter the following commands:

        Get-BrokerDesktopGroup -AdminAddress CitrixDeliveryController
        Get-ConfigSite -AdminAddress CitrixDeliveryController

    Note If you get an authentication error, set the execution policy with the Set-ExecutionPolicy RemoteSigned command, then try the commands again.
3 If you are connecting to Citrix server farm 6.5, follow these steps.
  a Download and install Citrix PowerShell SDK 6.5 on the Integration Broker server.
  b Verify the installation.
    1 Open Program Files > Citrix PowerShell Module.
    2 Enter this command:

        Get-XAApplication -ComputerName CitrixServer

      Verify that the list includes all the applications hosted by Citrix.

    Note If the command fails, verify that the XenApp Commands Remoting service is running on the Citrix server.
4 If you are connecting to Citrix server farm 6.0 or 5.0, download and install Citrix PowerShell SDK 6.0 or 5.0 on the Integration Broker server, depending on your Citrix server farm version.
Enable Citrix PowerShell Remoting on the Citrix Server Farm

Enable Citrix PowerShell remoting on the Citrix server farm, if necessary.

- On Citrix XenApp or XenDesktop 7.x, verify that PowerShell remoting is enabled on the Delivery Controllers to which VMware Identity Manager will connect.
- On Citrix 6.5, verify that the Citrix XenApp Commands Remoting service is running on the XML Brokers to which VMware Identity Manager will connect.

- On Citrix 6.0 or 5.0, enable PowerShell Remoting. See Setting up Citrix PowerShell Remoting on Citrix Server Farm 5.0 or 6.0.

Setting up Citrix PowerShell Remoting on Citrix Server Farm 5.0 or 6.0

You must enable Citrix PowerShell remoting on the Citrix XML Broker servers that you are integrating with VMware Identity Manager. Citrix PowerShell remoting enables connections between Integration Broker and the Citrix server farm.

Note You need to enable Citrix PowerShell remoting only on the XML Brokers that will be configured in VMware Identity Manager, not on all the servers in your server farm.

Prerequisites

- If you do not have WinRM installed, download and install WinRM from the Microsoft Web site.
- Verify that the Citrix XML Brokers have valid SSL certificates. Also, click Properties and verify that Server Authentication is enabled for the certificates.

1 Open PowerShell in administrator mode.
2 Enable Citrix PowerShell Remoting.
  a Type the Get-Service winrm command to verify that WinRM is installed on the server.
  b Type the Enable-PSRemoting command.

    This command enables PowerShell Remoting on the server.

  c Install the Citrix PowerShell SDK 5.0 or 6.0 depending on the Citrix server version.
  d Enable winrm HTTPS listener from the command prompt.
    1 Create a certificate on the server.
    2 Record the certificate's thumbprint.
    3 Verify that the certificate's thumbprint is configured.

        winrm quickconfig -transport:https

  e Verify that the listener was created.

        winrm e winrm/config/listener

    This server is ready to use.

  f After the listener is created, go to the Integration Broker server to verify that PowerShell remoting is installed correctly.

        winrm identify -r: -u:username

    Output:

        IdentifyResponse
        ProtocolVersion=
        ProductVendor=Microsoft Corporation
        ProductVersion=OS: SP: 2.0 Stack: 2.0

Verify the Connection to the Citrix Server Farm

After you deploy the Integration Broker and set up PowerShell remoting, verify the connection to the Citrix server farm.

1 In a browser, enter the appropriate URL for your Citrix farm version.

  Citrix XenApp or XenDesktop server farm 7.x
    computername=xenappserverhostname&xenappversion=version7x

  Citrix server farm
    computername=xenappserverhostname&xenappversion=version65orlater

  Citrix server farm 5.0 or
    computername=xenappserverhostname&xenappversion=legacy

2 Review the output.

  If Integration Broker is properly configured, the page displays Citrix server farm information, such as the following:

    "[{\"FarmName\":\"test data\",\"serverversion\":\" \",\"AdministratorType\":\"Full\",\"SessionCount\":\"2\",\"MachineName\":\"test data\"}]

  If the Web page does not display the server farm information, review the logs on the Integration Broker server at %programdata%/vmware/horizonintegrationbroker.

Download Citrix Web Interface SDK 5.4

The Citrix Web Interface SDK is used to authenticate with and generate the ICA file from the Citrix Delivery Controllers or XML Brokers to launch Citrix-published applications and desktops.

Note If you plan to use the Citrix StoreFront REST API to communicate with the Citrix farm to generate the ICA file, you do not need to install the Citrix Web Interface SDK.

1 Download the Citrix Web Interface SDK 5.4 (WISDK zip file) from the Citrix Web site.
2 Unzip the wisdk.zip file.
3 Copy the contents from the WI5_4_0_SDK/zipfiles/sdkdemo/wisdk directory to the Integration Broker default bin directory at c:\inetpub\wwwroot\ib\bin.
4 Restart IIS.
  a Open the Command Prompt window as administrator.
  b Type iisreset.

Configuring Citrix Server Farms in VMware Identity Manager

To configure Citrix-published resources in VMware Identity Manager, you enter the Integration Broker and Citrix server farm information in the VMware Identity Manager administration console, and schedule the synchronization frequency between VMware Identity Manager and the Citrix server farm.

Before you configure Citrix-published resources in VMware Identity Manager, ensure that you meet all the prerequisites. Also follow these guidelines for Citrix server farm settings.

- Syncing Delivery Groups
  A delivery group's Delivery Type setting in Citrix determines how VMware Identity Manager syncs the delivery group. VMware Identity Manager syncs a delivery group only if its Delivery Type is set to DesktopsAndApps or DesktopsOnly. If the delivery group's Delivery Type is set to AppsOnly, its applications are synced but the delivery group itself is not synced and does not appear in the VMware Identity Manager catalog. Configure your delivery groups accordingly.
- In XenDesktop and XenApp 7.9, if you use the Limited Visibility Group option to restrict users, ensure that the Limited Visibility Group contains users or groups. If it does not contain any users or groups, sync to VMware Identity Manager will not work.
- Ensure that all Citrix-published applications and desktops in a Site contain valid users. If you delete a user or group, make sure that you remove the user or group from Citrix-published resources too.
- Make sure that users and groups have been assigned to the correct Delivery Group.
- If you select settings to restrict users, make sure that they include users and groups.

Prerequisites

- Configure VMware Identity Manager. See Installing and Configuring VMware Identity Manager and VMware Identity Manager Administration for information.
- Make sure that users and groups with Citrix entitlements have been synced from your enterprise directory to VMware Identity Manager using directory sync.
- Verify that distinguishedname is marked as a required attribute in the VMware Identity Manager directory. Citrix-published resources cannot be synced without this.
  Required attributes must be set before a directory is created. If you have already created a directory and distinguishedname is not a required attribute, delete the directory, make distinguishedname a required attribute in the Identity & Access Management > Setup > User Attributes page and then create a new directory.
- Deploy the Integration Broker and ensure that you have met all the prerequisites described in Prerequisites for Citrix Integration, on page 71.
- To distribute the load in a large-scale enterprise deployment, dedicate two or more Integration Broker instances for sync purposes and two or more Integration Broker instances for SSO purposes.
- If you use multiple Integration Broker instances for sync purposes or for SSO purposes, put a load balancer in front of the Integration Broker instances, and note the host name or IP address of the load balancer for use during this task.
- If you want to use the Use StoreFront option, available in VMware Identity Manager and later, ensure the following requirements are met.
  - Install Integration Broker or later.
  - Ensure that StoreFront is supported by the XenApp or XenDesktop version you are using.

  - Ensure that the Integration Broker can communicate with the StoreFront server. When you enable the StoreFront ReST API, the Integration Broker communicates with the StoreFront server to generate the ICA file.
  - Enable HTTP Basic Authentication as an authentication method in the Citrix StoreFront store. This requirement is for internal access only.
    Caution: If you do not enable HTTP Basic Authentication, authentication will fail.
- Review Citrix documentation for your version of Citrix XenApp or XenDesktop.

1. Log in to the VMware Identity Manager administration console.
2. Select the Catalog tab.
3. Click Manage Desktop Applications and select Citrix Published Applications from the drop-down menu.
4. In the Published Apps - Citrix page, select the Enable Citrix-based Applications check box.
5. Enter the Sync Integration Broker or load balancer host name and port number.
   If you configured a load balancer in front of multiple Integration Broker instances used for sync purposes, enter the host name or IP address and port number of the load balancer.
   Select Use SSL if you are connecting to the Integration Broker over SSL.
6. Enter the SSO Integration Broker information.
   If you are using the same Integration Broker instance for both sync and single sign-on, click the Use same as Sync Integration Broker button.
   If you configured dedicated sync and SSO Integration Broker instances, enter the following information.
   a. Type the SSO Integration Broker or load balancer host name and port number. If you configured a load balancer in front of multiple Integration Broker instances dedicated to providing SSO, enter the host name or IP address and port number of the load balancer.
   b. Select Use SSL if you are connecting to the Integration Broker over SSL.
7. Enter the Citrix server farm details. To add multiple farms, click +Add Server Farm.
   Option: Description

   Version: Select the Citrix server farm version: 5.0, 6.0, 6.5, or 7.x.

   Use StoreFront: Select this option if you want XenApp resources launched using the Citrix StoreFront ReST API. When this option is selected, the Integration Broker uses the Citrix StoreFront ReST API to communicate with the StoreFront server and retrieve the ICA file. If this option is not selected, the Integration Broker uses the Citrix Web Interface SDK to communicate with Citrix components and retrieve the ICA file.
      Note: If you select or deselect this option after the initial setup and synchronization, click Save and then click Sync Now to sync again for the change to take effect.

   StoreFront URL: Enter the StoreFront server URL in the following format:
      transporttype://storefrontserverfqdn/citrix/storenameweb
      For example:
      Note: This is the Store Web Receiver Website URL.
      Important: Also enter this URL in the Client Access URL Host field in the XenApp section of Network Range settings.

   Server name: Server name assigned in your environment.

   Servers (failover order): Organize the Citrix XML brokers (servers) in failover order. VMware Identity Manager respects this order during SSO and under failover conditions.
      Note: The XML brokers must have PowerShell Remoting enabled.

   Transport type: Transport type used in your Citrix server configuration: HTTP, HTTPS, or SSL RELAY.
      Note: The transport type and port must match your Citrix server configuration.

   Port numbers: Port setting used in your Citrix server configuration.
      Note: The transport type and port must match your Citrix server configuration.

8. From the Deployment Type drop-down list, select how Citrix-published resources are made available to users in Workspace ONE.
   User-Activated - VMware Identity Manager adds Citrix resources to the Catalog page. To use a resource, users must move the resource from the Catalog page to the Bookmarks page.
   Automatic - VMware Identity Manager adds the resource directly to the Bookmarks page for users' immediate use.
   The deployment type that you select here is a global setting that applies to all user entitlements for all the resources in your Citrix integration. You can modify the deployment type for individual users or groups per resource, from the application or desktop's Entitlements page.
   Setting the global deployment type to User-Activated is recommended. You can then modify the setting for specific users or groups per resource.
   For more information about setting the deployment type, see Setting the Deployment Type for Citrix Entitlements.
9. Select Sync categories from server farms if you want to sync categories from Citrix farms to VMware Identity Manager.
10. Select Do not sync duplicate applications to prevent duplicate applications from being synced from multiple servers.
    When VMware Identity Manager is deployed in multiple data centers, the same resources are set up in the multiple data centers. Checking this option prevents duplication of the desktops or applications in your VMware Identity Manager catalog.
11. In the Choose frequency field, select how frequently you want to sync resources and entitlements automatically from the Citrix farms.
    If you do not want to set up an automatic sync schedule, select Manually.
12. Click Sync Now to synchronize Citrix-published resources to VMware Identity Manager.
    At times, when you synchronize Integration Broker with SSL, the synchronization can be slow depending on factors in your environment, such as network speed and traffic. Synchronization can also be slow if your Citrix deployment is very large, for example, over 300 applications.
    Note: The anonymous user group feature in the Citrix product is not supported with VMware Identity Manager.

13. Click Save.
    A dialog box appears that lists the number of applications, delivery groups (desktops), and entitlements that will be synced. You can click on the links to view details. Click Save and continue in the dialog box.

Citrix-published resources and corresponding entitlements are synchronized with VMware Identity Manager.

What to do next

If you selected the Use StoreFront option, edit the network range settings and, in the Client Access URL Host field in the XenApp section, enter the same URL that you entered in the StoreFront URL field.

Configuring Citrix Resource Launch in VMware Identity Manager

After configuring the Citrix Published Applications page, configure network IP ranges for resource launch. You can specify whether users' application or desktop launch traffic (ICA traffic) from specific network ranges is routed through NetScaler or through a direct connection to the XenApp server. This enables you to serve the needs of users for both external and internal access to the Citrix resources in your deployment.

When a user launches an application or desktop from the Workspace ONE portal, if the user's IP address falls in a network range configured for NetScaler, the ICA traffic is routed through NetScaler to the XenApp server. If the IP address falls in the direct connection range, the ICA traffic is routed directly to the XenApp server.

Configuring Resource Launch for Internal Network

You can configure the network ranges for which users' application or desktop launch traffic (ICA traffic) should be routed directly to the XenApp server. This is typically used to provide internal access to the Citrix-published resources.

When a user launches an application or desktop from the Workspace ONE portal, if the user's IP address falls in the direct connection range, the ICA traffic is routed directly to the XenApp server.

Note: To configure resource launch for external networks, see Configuring Resource Launch for External Networks with NetScaler.

1. Log in to the VMware Identity Manager administration console.
2. Click the Identity & Access Management tab.
3. Click Setup and select the Network Ranges tab.

4. Select an existing network range or click Add Network Range to create a new one.
5. If you are creating a new network range, provide a name and description for the network range.
6. In the XenApp section of the page, enter the following information.
   a. Enter the XenApp server host name in the Client Access URL Host field. For example: xenapphost.example.com
      Note: If you selected the Use StoreFront checkbox for the server farm in the Published Apps - Citrix page, enter the same URL that you entered in the StoreFront URL field.
   b. Enter the port in the URL Port field. For example: 443
   c. Deselect the NetScaler checkbox for direct connections.
7. In the IP Ranges field, specify the IP range to which your selections apply.
8. Click Save.

Configuring Resource Launch for External Networks with NetScaler

VMware Identity Manager supports Citrix deployments that include NetScaler. A NetScaler appliance is typically used to provide external access to XenApp or XenDesktop applications or desktops.

If your Citrix deployment includes a NetScaler appliance, you can configure VMware Identity Manager with the appropriate settings so that when users launch Citrix resources, the traffic is routed through NetScaler to the XenApp server.

In VMware Identity Manager, you need to specify the Secure Ticket Authority (STA) server for each XenApp farm. The STA server is used to generate and validate STA tickets during the application launch process.

You can also set policies on client network IP ranges that specify whether launch traffic is routed through NetScaler to the XenApp server or whether it is routed directly to the XenApp server. This allows you to meet both external and internal access needs.

Note: To use the NetScaler feature, you must use Integration Broker 2.4 or later. You can download Integration Broker from My VMware. Upgrade is not supported. Uninstall the older version, then install the new version.

Configuring NetScaler Settings in VMware Identity Manager

To configure VMware Identity Manager for NetScaler, you need to specify a Secure Ticket Authority (STA) server for each XenApp farm in your Citrix deployment.

The STA server is used to generate and validate STA tickets during the application or desktop launch process. When a user launches an application or desktop, VMware Identity Manager obtains a ticket from the STA server. The ticket is presented to NetScaler, along with other information, and NetScaler validates the ticket with the STA server before establishing a secure connection to the XenApp farm.

Prerequisites

You have integrated Citrix published resources with VMware Identity Manager and completed the configuration in the Catalog > Manage Desktop Applications > Citrix Published Applications page.

1. In the VMware Identity Manager administration console, click the arrow on the Catalog tab and select Settings.
2. Select Citrix Published Applications from the left pane.
3. Select the NetScaler Configuration tab.
4. The Farm UUID, Farm Name, Farm Version and XML Servers fields are pre-filled and you cannot modify the values.
5. Specify one or more STA servers.
   a. In the STA Server field, enter the STA server URL in the following format.
         transporttype://server:port
      For example:
      Only alphanumeric characters, period (.), and hyphen (-) are allowed in the URL.
   b. Click Add To List.
      The server appears in the XenApp STA Servers list.

   c. (Optional) Enter additional STA servers, if required. For example, you may want to specify a second STA server for failover purposes.
   d. If you added multiple STA servers, select the order in the XenApp STA Servers fields by clicking Move Up or Move Down.
6. Click Update.
7. If there are multiple XenApp farms in your deployment, specify an STA server for each farm.

What to do next

Configure policies for specific network IP ranges that specify that launch traffic should be routed through NetScaler to the XenApp server.

Configure Network Range for NetScaler

You can configure the network ranges for which users' application or desktop launch traffic (ICA traffic) should be routed through NetScaler to the XenApp server. This is typically used to provide external access to the Citrix-published resources.

When a user launches an application or desktop from the Workspace ONE portal, if the user's IP address falls in the range configured for NetScaler, the ICA traffic is routed through NetScaler to the XenApp server.

Note: To configure resource launch for internal networks, see Configuring Resource Launch for Internal Network, on page 90.

Prerequisites

You have configured VMware Identity Manager for NetScaler in the Catalog > Settings > Citrix Published Applications > Netscaler Configuration tab.

1. Log in to the VMware Identity Manager administration console.
2. Click the Identity & Access Management tab.
3. Click Setup and click the Network Ranges tab.
4. Select an existing network range or click Add Network Range to create a new one.

5. If you are creating a new network range, provide a name and description for the network range.
6. In the XenApp section of the page, enter the following information.
   a. Enter the NetScaler host name in the Client Access URL Host field. For example: netscalerhost.example.com
      Note: If you selected the Use StoreFront checkbox for the server farm in the Published Apps - Citrix page, enter the same URL that you entered in the StoreFront URL field.
   b. Enter the port in the URL Port field. For example: 443
   c. Select the NetScaler checkbox.
7. In the IP Ranges field, specify the IP range to which your selections apply.
8. Click Save.

Configuring VMware Identity Manager Settings for Citrix Integration

You can configure several settings in VMware Identity Manager for the Citrix integration.

Setting the Deployment Type for Citrix Entitlements

You can set the deployment type for Citrix-published resources, which determines how the resources are made available to users. Setting the deployment type to User-Activated adds the resources to the Catalog page. To use a resource, users must move the resource from the Catalog page to the Bookmarks page. Setting the deployment type to Automatic adds the resources directly to the Bookmarks page for users' immediate use.

You can set the deployment type at different levels.

- Global level
  The global setting applies to all user entitlements for all the Citrix-published resources in your deployment. You specify the global deployment type when you first integrate Citrix-published resources with VMware Identity Manager from the Published Apps - Citrix page. After the initial integration, you can modify the global setting from the same page.
  Note that if you change the global setting after the initial integration, the new setting only applies to new entitlements that are synced. To modify existing entitlements, you can change the setting at the individual resource level.
  Note: Setting the global deployment type to User-Activated is recommended. In typical scenarios, you set the global setting to User-Activated, and then modify it to Activated for specific user and group entitlements.
- User or group entitlement level
  You can also set the deployment type at the individual application or desktop level for specific users and groups. This setting overrides the global setting. This setting will not be changed during subsequent syncs.

During sync, the deployment type for existing entitlements is not changed. For new entitlements in the sync, the global setting is applied.

Note: Once a resource has been activated, that is, once it appears in the Bookmarks page for a user, it will continue to appear in the Bookmarks page unless the user deletes it. Any changes to the deployment type will not remove it from the Bookmarks page.

1. To set the deployment type at the global level, follow these steps.
   a. Click the Catalog tab and select Manage Desktop Applications > Citrix Published Application.
   b. In the Deployment Type field, select User-Activated or Automatic.
      Note: Setting the global deployment type to User-Activated is recommended.
   c. Click Save.
   The setting will be applied to all new entitlements beginning with the next sync.
2. To set the deployment type for a specific user or group entitlement, follow these steps.
   a. Click the Catalog tab.
   b. Click the application or desktop whose entitlement you want to edit.
   c. Click Entitlements to display the Entitlements page for the application.
      You can view the current deployment settings for user and group entitlements in the DEPLOYMENT column.
   d. Click Edit next to the entitlement you want to edit.
   e. In the Edit User Entitlement dialog box, select the deployment type for the entitlement.
   f. Click Save.
   The deployment type set at the user or group entitlement level has precedence over the global deployment type setting, and will not be modified during sync.

Managing Categories for Citrix-Published Resources

You can use the VMware Identity Manager administration console and your Citrix deployment to manage Citrix-published resource categories.

In your Citrix deployment, you give a Citrix-published application or desktop a category name by editing the Client application folder text box in the resource's properties. When you integrate your Citrix deployment with VMware Identity Manager, existing category names for Citrix-published applications and desktops are carried over to VMware Identity Manager.

After the integration, you can continue to create categories in your Citrix deployment. If you enabled the Sync categories from server farms check box on the Published Apps - Citrix page, the new categories are carried over to VMware Identity Manager during the next sync. See Configuring Citrix Server Farms in VMware Identity Manager, on page 87.

You can also create categories directly in VMware Identity Manager. See the VMware Identity Manager Administration Guide for information about using resource categories.

In the administration console, you can create and view categories of all Citrix-published resources by clicking the Catalog tab, then clicking Any Application Type and selecting Citrix Published Applications for applications or Citrix Published Delivery Groups for desktops. You can view and edit the categories of a specific Citrix-published resource by clicking the name of the resource and selecting Details.

- When you create a category in VMware Identity Manager, the category never appears in your Citrix deployment.
- When you create a category in your Citrix deployment, the category appears in VMware Identity Manager at the next sync.
- When you update a category name in your Citrix deployment, the updated category name appears in VMware Identity Manager while the original category name remains. If you want to remove the original category name from VMware Identity Manager, you must remove it manually.

Configuring Delivery Settings (ICA Properties) for Citrix-Published Resources

You can edit the delivery settings of Citrix-published applications and desktops in the VMware Identity Manager administration console. Desktops are referred to as delivery groups.

You can edit the delivery settings globally for all of the Citrix-published applications and Citrix-published desktops available from your VMware Identity Manager deployment, or individually for specific Citrix-published resources. You configure the delivery settings by editing Independent Computing Architecture (ICA) properties. ICA is a Citrix proprietary protocol. A wide range of ICA properties are available, controlling areas such as security, display, and compression. For more information about configuring ICA properties, see the Citrix documentation.

VMware Identity Manager includes default global settings that define how the configured Citrix deployment delivers Citrix-published resources to users. You can edit the default VMware Identity Manager settings and add new settings.

You can also specify delivery settings for individual resources. Settings for individual resources take precedence over global settings. When you provide ICA properties for the delivery of a specific resource, list all the properties necessary for the Citrix deployment to deliver the resource in the manner you expect. When delivery settings exist in VMware Identity Manager for an individual resource, VMware Identity Manager applies only those settings and ignores all global resource delivery settings.

Edit Resource Delivery Settings Globally for All Citrix-Published Resources

You can edit the global delivery settings for Citrix-published applications and desktops in your VMware Identity Manager deployment. The ICA properties fields for these global settings are populated with default values until you edit them.

Important: ICA properties specified in the Citrix Published Applications > ICA Configuration or Citrix Published Delivery Groups > ICA Configuration tab apply to launch traffic that goes through a direct connection. For launch traffic that is routed through NetScaler, see Editing ICA Properties for NetScaler.

1. Log in to the administration console.
2. Click the arrow on the Catalog tab and select Settings.
3. Select Citrix Published Applications to edit ICA settings for applications or Citrix Published Delivery Groups to edit ICA settings for desktops.
   For example:
4. In the ICA Configuration tab, edit the ICA properties according to Citrix guidelines.
   The ICA Client Properties and ICA Launch Properties fields must be used together. Both fields must have values or both must be empty.
5. Click Save.

Unless individual resources have their own resource delivery settings, your Citrix deployment applies the global ICA properties when it delivers Citrix-published resources available through VMware Identity Manager to users.

Edit the Delivery Settings for a Single Citrix-Published Resource

You can edit the delivery settings (ICA properties) for individual Citrix-published applications and desktops in your VMware Identity Manager deployment. The ICA properties text boxes for individual applications are empty by default.

When you edit the ICA properties of an individual Citrix-published resource, those settings take precedence over the global settings. For information on global settings, see Edit Resource Delivery Settings Globally for All Citrix-Published Resources, on page 97.

Important: ICA properties set on individual applications or desktops do not apply to ICA traffic that is routed through NetScaler. Only the global settings in the Netscaler ICA Properties page, accessed from the Catalog > Settings > Citrix Published Applications tab and the Catalog > Settings > Citrix Published Delivery Groups tab, apply to ICA traffic routed through NetScaler. For more information, see Editing ICA Properties for NetScaler.

1. Log in to the administration console.
2. Click the Catalog tab.
3. Click Any Application Type > Citrix Published Applications to edit settings for applications or Any Application Type > Citrix Published Delivery Groups to edit settings for desktops.
4. Click the name of the Citrix-published resource to edit.
5. Click Configuration.
6. View the information about the resource as carried forward from your Citrix deployment.
   The page provides several details about the resource, such as the resource name, resource ID, server name, and so on. Also, the page displays information about the resource's enablement. If the Enabled check box is not selected, the resource is disabled in your Citrix deployment and is hidden from users.
7. In the ICA properties text boxes, add properties or edit existing properties according to Citrix guidelines.
   Note: Both the ICA Client Properties and ICA Launch Properties text boxes must have values or both must be empty.
8. Click Save.

Editing ICA Properties for NetScaler

You can configure delivery settings for Citrix-published resources by editing the ICA properties. For ICA traffic that is routed through NetScaler, you edit the ICA properties in the Citrix Published Applications > NetScaler ICA Configuration or Citrix Published Delivery Groups > NetScaler ICA Configuration tabs.

For applications, use Citrix Published Applications > NetScaler ICA Configuration. For desktops, use Citrix Published Delivery Groups > NetScaler ICA Configuration.

Application delivery settings that are set on individual Citrix resources do not apply to ICA traffic routed through NetScaler.

Note: To edit ICA properties for ICA traffic that goes through a direct connection, and not through NetScaler, see Edit Resource Delivery Settings Globally for All Citrix-Published Resources.

1. Log in to the administration console.
2. Click the arrow on the Catalog tab and select Settings.
3. Select Citrix Published Applications for applications or Citrix Published Delivery Groups for desktops, then select the NetScaler ICA Properties tab.
   The properties fields are populated with default settings.

4. Edit the ICA client properties or launch properties.
   You can change the values of the properties or add new ones. See the Citrix documentation for information about ICA properties.
   Note: The ICA Client Properties and ICA Launch Properties fields must be used together. Both fields must have values or both must be empty.
5. Click Save.

Setting Access Policies for Specific Applications and Desktops

The default access policy set applies to all applications and desktops in your catalog. You can also set access policies for individual applications or desktop pools, which override the default access policy.

You can apply an access policy to one or more applications and desktops from the Policies page or select the access policy for a specific application from the application configuration page.

For more information on access policies, see the VMware Identity Manager Administration Guide.

1. To apply an access policy to applications and desktops from the Policies page, follow these steps.
   a. Navigate to the Identity & Access Management > Manage > Policies page.
   b. Click a policy to edit it or click Add Policy to create a new policy.
   c. In the policy page, edit or define the policy.
   d. In the Applies to section, select the applications to which you want to apply the policy.
   e. Click Save.
2. To select an access policy for a specific application from the application configuration page, follow these steps.
   a. Click the Catalog tab.
   b. Click the application.
   c. Click Access Policies in the left pane.
   d. Select the access policy for the application and click Save.

Viewing User and Group Entitlements to Citrix-Published Resources

You can see the Citrix-published applications and desktops to which your VMware Identity Manager users and groups are entitled. Desktops are referred to as delivery groups in the VMware Identity Manager administration console.

Important: You cannot use VMware Identity Manager to make changes to your Citrix deployment. If a Citrix administrator makes any changes, such as entitling new users to a Citrix-published resource, or adding a new server farm, you must force a sync to propagate the changes to VMware Identity Manager.

Prerequisites

- Verify that VMware Identity Manager is integrated with your Citrix deployment. See Chapter 5, Providing Access to Citrix-Published Resources, on page 65.
- Synchronize information, including entitlements, from your Citrix deployment to VMware Identity Manager. You can force a sync with the following steps:
  1. Log in to the VMware Identity Manager administration console.
  2. Select the Catalog tab.
  3. Click Manage Desktop Applications and select Citrix Published Application from the drop-down menu.
  4. In the Published Apps - Citrix page, click Sync Now.

1. Log in to the VMware Identity Manager administration console.
2. View user and group entitlements to Citrix-published resources.
   Citrix-published resources include Citrix-published applications and Citrix-published desktops, also referred to as delivery groups.

   Option: View the list of users and groups entitled to a specific Citrix-published resource.
   Action:
      a. Click the Catalog tab.
      b. Click Any Application Type and select Citrix Published Applications to view applications or Citrix Published Delivery Groups to view desktops.
      c. Click the name of the Citrix-published resource for which you want to list entitlements.
      The Entitlements tab is selected by default. Group entitlements and user entitlements are listed in separate tables.

   Option: View the list of Citrix-published resource entitlements for a specific user or group.
   Action:
      a. Click the Users & Groups tab.
      b. Click the Users tab or the Groups tab.
      c. Click the name of an individual user or group.
      d. Click the Apps tab.
      Entitled Citrix-published resources are listed in the Citrix Published Applications and Citrix Published Delivery Groups tables.

Launching Citrix-Published Resources in Different Browsers

When users launch a Citrix-published desktop or application from the Workspace ONE portal, an ICA file is downloaded and passed to the Citrix Receiver. Citrix Receiver is a native OS application which launches Citrix-published desktops and applications. The launch experience varies across different platforms and browsers.

Launch Process

Depending on the platform and browser, the application or desktop is launched differently. In some cases the application or desktop is launched directly. In other cases, the user needs to associate the .ica file type with the Citrix Receiver first so that the application or desktop can be launched directly. In a few cases, the user needs to click the downloaded ICA file to launch the application or desktop. See the table for detailed information.

| Platform | Browser | How the application or desktop is launched | Action Required |
|---|---|---|---|
| Windows | Firefox | Launches the application or desktop directly | None |
| Windows | Chrome | Launches the application or desktop directly. Note: With Citrix 4.5 Receiver and XenDesktop, there are known issues with delivery group launch. | None |
| Windows | Internet Explorer | Downloads the ICA file with a .ica extension. After the file type is associated with the Citrix Receiver, launches the application or desktop automatically. | In the browser, associate the .ica file type with the Citrix Receiver. |
| Windows | Edge | Launches the application or desktop directly. Note: With Citrix 4.5 Receiver and XenDesktop, there are known issues with delivery group launch. | None |
| Mac | Safari, Firefox | Launches the application or desktop directly | None |
| Mac | Chrome | Launches the application or desktop directly | None |
| Windows Surface | Chrome | Downloads the ICA file with a .ica extension. After the file type is associated with the Citrix Receiver, launches the application or desktop automatically. | In the browser, associate the .ica file type with the Citrix Receiver. |
| Android | Chrome | Downloads the ICA file | Click the ICA file to launch the desktop or application. |
| iOS | Safari | Downloads the ICA file | Click the ICA file to launch the desktop or application. |
| iOS | Chrome | Unable to download the ICA file | This scenario is not supported. |

Allowing Citrix Receiver Plugin on Firefox

On Firefox, when users launch a Citrix-published application, they are prompted to allow the Citrix Receiver plugin.

Allow to run Citrix Receiver?

Users must click Allow Now or Allow and Remember to launch the application.

Upgrade Impact on Citrix-Published Resources Integration

No additional setup is required after a VMware Identity Manager upgrade or a Citrix product upgrade to maintain the integration between VMware Identity Manager and Citrix-published resources.

To upgrade Integration Broker, you must uninstall the older version and then install the new version.

To reinstall Citrix Receiver, see the Citrix documentation.

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) You can find the most up-to-date technical documentation

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1 Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2 VMware Identity Manager Administration MAY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware AirWatch 9.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1 Administering Workspace ONE in VMware Identity Manager Services with AirWatch VMware AirWatch 9.1.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018 Table of Contents Introduction to Horizon Cloud with Manager.... 3 Benefits of Integration.... 3 Single Sign-On....3

More information

Directory Integration with VMware Identity Manager

Directory Integration with VMware Identity Manager Directory Integration with VMware Identity Manager VMware AirWatch 9.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE Integrating VMware Workspace ONE with Okta VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Horizon Workspace Administrator's Guide

Horizon Workspace Administrator's Guide Horizon Workspace Administrator's Guide Horizon Workspace 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE Deploying VMware Workspace ONE Intelligent Hub October 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

Using the Horizon vrealize Orchestrator Plug-In

Using the Horizon vrealize Orchestrator Plug-In Using the Horizon vrealize Orchestrator Plug-In VMware Horizon 6 version 6.2.3, VMware Horizon 7 versions 7.0.3 and later Modified on 4 JAN 2018 VMware Horizon 7 7.4 You can find the most up-to-date technical

More information

Administering Cloud Pod Architecture in Horizon 7. Modified on 4 JAN 2018 VMware Horizon 7 7.4

Administering Cloud Pod Architecture in Horizon 7. Modified on 4 JAN 2018 VMware Horizon 7 7.4 Administering Cloud Pod Architecture in Horizon 7 Modified on 4 JAN 2018 VMware Horizon 7 7.4 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Administering Cloud Pod Architecture in Horizon 7. Modified on 26 JUL 2017 VMware Horizon 7 7.2

Administering Cloud Pod Architecture in Horizon 7. Modified on 26 JUL 2017 VMware Horizon 7 7.2 Administering Cloud Pod Architecture in Horizon 7 Modified on 26 JUL 2017 VMware Horizon 7 7.2 Administering Cloud Pod Architecture in Horizon 7 You can find the most up-to-date technical documentation

More information

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager. IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS VMware Identity Manager February 2017 V1 1 2 Table of Contents Overview... 5 Benefits of BIG-IP APM and Identity

More information

Administering View Cloud Pod Architecture. VMware Horizon 7 7.0

Administering View Cloud Pod Architecture. VMware Horizon 7 7.0 Administering View Cloud Pod Architecture VMware Horizon 7 7.0 You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

VMware Workspace Portal End User Guide

VMware Workspace Portal End User Guide VMware Workspace Portal End User Guide Workspace Portal 2.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM. VMware Workspace ONE UEM 1811

Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM. VMware Workspace ONE UEM 1811 Workspace ONE UEM Certificate Authority Integration with Microsoft ADCS Using DCOM VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810 Workspace ONE UEM Integration with RSA PKI VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Using the Horizon vcenter Orchestrator Plug-In. VMware Horizon 6 6.0

Using the Horizon vcenter Orchestrator Plug-In. VMware Horizon 6 6.0 Using the Horizon vcenter Orchestrator Plug-In VMware Horizon 6 6.0 You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also

More information

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902 Workspace ONE UEM Certificate Authentication for EAS with ADCS VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Enterprise Systems Connector Installation and Configuration. JULY 2018 VMware Identity Manager 3.2 VMware Identity Manager VMware AirWatch 9.

VMware Enterprise Systems Connector Installation and Configuration. JULY 2018 VMware Identity Manager 3.2 VMware Identity Manager VMware AirWatch 9. VMware Enterprise Systems Connector Installation and Configuration JULY 2018 VMware Identity Manager 3.2 VMware Identity Manager VMware AirWatch 9.3 You can find the most up-to-date technical documentation

More information

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE Table of Contents Component Design: VMware Identity Manager Architecture Design Overview VMware Identity Manager Connector

More information

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo Configuring Single Sign-on from the VMware Identity Manager Service to Marketo VMware Identity Manager JANUARY 2016 V1 Configuring Single Sign-On from VMware Identity Manager to Marketo Table of Contents

More information

Installing and Configuring VMware Identity Manager. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Installing and Configuring VMware Identity Manager. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Installing and Configuring VMware Identity Manager DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE AUGUST 2018 PRINTED 4 MARCH 2019 INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE Table of Contents Overview Introduction Purpose Audience Integrating Okta with VMware

More information

Using VMware Identity Manager Apps Portal

Using VMware Identity Manager Apps Portal Using VMware Identity Manager Apps Portal VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE MARCH 2019 PRINTED 28 MARCH 2019 CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE VMware Workspace ONE Table of Contents Overview Introduction Audience AD FS

More information

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811 Workspace ONE UEM Integration with OpenTrust CMS Mobile 2 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3. Android Mobile Single Sign-On to VMware Workspace ONE SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware

More information

Administering Cloud Pod Architecture in Horizon 7. VMware Horizon 7 7.1

Administering Cloud Pod Architecture in Horizon 7. VMware Horizon 7 7.1 Administering Cloud Pod Architecture in Horizon 7 VMware Horizon 7 7.1 Administering Cloud Pod Architecture in Horizon 7 You can find the most up-to-date technical documentation on the VMware Web site

More information

VMware Horizon Cloud Service on Microsoft Azure Administration Guide

VMware Horizon Cloud Service on Microsoft Azure Administration Guide VMware Horizon Cloud Service on Microsoft Azure Administration Guide Modified on 03 APR 2018 VMware Horizon Cloud Service VMware Horizon Cloud Service on Microsoft Azure 1.5 You can find the most up-to-date

More information

Horizon Console Administration. 13 DEC 2018 VMware Horizon 7 7.7

Horizon Console Administration. 13 DEC 2018 VMware Horizon 7 7.7 Horizon Console Administration 13 DEC 2018 VMware Horizon 7 7.7 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

Installing and Configuring VMware Identity Manager. Modified on 14 DEC 2017 VMware Identity Manager 2.9.1

Installing and Configuring VMware Identity Manager. Modified on 14 DEC 2017 VMware Identity Manager 2.9.1 Installing and Configuring VMware Identity Manager Modified on 14 DEC 2017 VMware Identity Manager 2.9.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Workspace ONE UEM Certificate Authority Integration with JCCH. VMware Workspace ONE UEM 1810

Workspace ONE UEM Certificate Authority Integration with JCCH. VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authority Integration with JCCH VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authority Integration with JCCH You can find the most up-to-date technical documentation

More information

VMware Horizon Cloud Service on Microsoft Azure Administration Guide

VMware Horizon Cloud Service on Microsoft Azure Administration Guide VMware Horizon Cloud Service on Microsoft Azure Administration Guide VMware Horizon Cloud Service VMware Horizon Cloud Service on Microsoft Azure 1.4 You can find the most up-to-date technical documentation

More information

Installing and Configuring VMware Identity Manager for Linux. Modified MAY 2018 VMware Identity Manager 3.2

Installing and Configuring VMware Identity Manager for Linux. Modified MAY 2018 VMware Identity Manager 3.2 Installing and Configuring VMware Identity Manager for Linux Modified MAY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Windows. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Windows VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Installing and Configuring VMware Identity Manager

Installing and Configuring VMware Identity Manager Installing and Configuring VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: VMware Workspace ONE Table of Contents Introduction.... 3 Purpose of This Guide....3 Audience...3 Before You Begin....3

More information

Using vrealize Operations Tenant App as a Service Provider

Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider You can find the most up-to-date technical documentation on the VMware Web site at:

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline 1.4

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline 1.4 VMware Skyline Collector Installation and Configuration Guide VMware Skyline 1.4 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1. Horizon Cloud with On-Premises Infrastructure Administration Guide VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.3 Horizon Cloud with On-Premises Infrastructure Administration

More information

Migrating vrealize Automation 6.2 to 7.2

Migrating vrealize Automation 6.2 to 7.2 Migrating vrealize Automation 6.2 to 7.2 vrealize Automation 7.2 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Linux VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Migrating vrealize Automation 6.2 to 7.1

Migrating vrealize Automation 6.2 to 7.1 Migrating vrealize Automation 6.2 to 7.1 vrealize Automation 7.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017 vrealize Suite Lifecycle Manager 1.0 Installation and Management You can find the most up-to-date technical documentation

More information

VMware Enterprise Systems Connector Installation and Configuration. Modified 29 SEP 2017 VMware AirWatch VMware Identity Manager 2.9.

VMware Enterprise Systems Connector Installation and Configuration. Modified 29 SEP 2017 VMware AirWatch VMware Identity Manager 2.9. VMware Enterprise Systems Connector Installation and Configuration Modified 29 SEP 2017 VMware AirWatch 9.1.1 VMware Identity Manager 2.9.1 You can find the most up-to-date technical documentation on the

More information

Google Sync Integration Guide. VMware Workspace ONE UEM 1902

Google Sync Integration Guide. VMware Workspace ONE UEM 1902 Google Sync Integration Guide VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

VMware Enterprise Systems Connector Installation and Configuration

VMware Enterprise Systems Connector Installation and Configuration VMware Enterprise Systems Connector Installation and Configuration Modified APR 2018 VMware Identity Manager 3.1 VMware Identity Manager VMware AirWatch 9.2 You can find the most up-to-date technical documentation

More information

Using the vrealize Orchestrator Operations Client. vrealize Orchestrator 7.5

Using the vrealize Orchestrator Operations Client. vrealize Orchestrator 7.5 Using the vrealize Orchestrator Operations Client vrealize Orchestrator 7.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline Collector 2.0
