I've done quite a few VMware Horizon installations and almost every time, no matter what version I am installing, I end the engagement wondering: how did VMware yet again forget to include an idle timeout setting in their Horizon solution? Anyone who has worked with Citrix knows this is a pretty common and useful setting. Have the system check to make sure that if a user is idle for a certain amount of time, it disconnects them, waits some more time and then logs off the session. This frees up the connections, makes for a happy security team and dumps the resources back into the pool to be made available for non-idle workers. Seems like a pretty useful thing for a VDI solution.

For whatever reason, there are absolutely no timeout settings in the Horizon infrastructure or UEM (User Environment Manager). Or at least I can't find anything. The closest 'solution' I can find on the internet is some hacky setup using a Scheduled Task in the golden images. This task would be triggered on a user idle period and then trigger an action to disconnect using the TSDISCON.EXE command.

This is fine for a one-size-fits-all solution, I guess, but this week my client wanted more. They wanted to leverage UEM's ability to recognize and target external/internal connections to do different things. We wanted to disconnect the session if it was external and the user had eclipsed the idle time, but if the user was internal, we would do nothing.
This UEM setting is the condition we want to use but unfortunately, there aren't any idle timeout triggers. ;( The closest thing we found was a Workstation Locked trigger.
We tried using this, but it seems as though once the GPO for the locked screen saver kicked in after an idle period, the session doesn't ACTUALLY lock until the user goes to move the mouse on the screensaver. Then it locked and disconnected immediately. Ha! But of course, this was after all of the time being idle. So this solution didn't seem to work. It would probably satisfy the security concerns but not help with the resource freeing.

The next thing we tried was using UEM to write a special environment variable called EXTERNAL that we could then test against in a batch file kicked off by the normal scheduled task workaround. This would allow us to use that one-size-fits-all trick but selectively execute depending on whether the user was internal or external. This has been working in testing, but at the end of the day, VMware could make this SOO easy by just adding in the idle timeout setting like the other VDI solutions out there.

Am I missing something obvious? Maybe I've just been in the weeds with this one too long. Let me know in the comments…

-Carlo

via Latest imported feed items on VMware Blogs https://ift.tt/2vzN62i
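The batch file described above could look like the following. This is an added example, not the script used in the engagement; it assumes UEM sets EXTERNAL to TRUE for external connections and FALSE for internal ones, and the file name, log path and ON_UNKNOWN switch are hypothetical.

```bat
@echo off
rem idle-disconnect.cmd (hypothetical name): run by the idle-triggered
rem Scheduled Task inside the user's session. Added example, not the author's script.
rem ASSUMPTION: UEM sets EXTERNAL=TRUE for external connections and
rem EXTERNAL=FALSE for internal ones. The post does not give the values.
setlocal EnableExtensions

rem Per-user log so the security team can audit what the task decided.
set "LOG=%LOCALAPPDATA%\idle-disconnect.log"

rem What to do if EXTERNAL is missing or has an unexpected value.
rem DISCONNECT fails closed; anything else leaves the session connected.
set "ON_UNKNOWN=DISCONNECT"

if not defined EXTERNAL goto unknown
if /i "%EXTERNAL%"=="TRUE" goto disconnect
if /i "%EXTERNAL%"=="FALSE" goto internal
goto unknown

:internal
call :log "internal connection, leaving session connected"
exit /b 0

:unknown
call :log "EXTERNAL missing or unexpected, policy=%ON_UNKNOWN%"
if /i "%ON_UNKNOWN%"=="DISCONNECT" goto disconnect
exit /b 0

:disconnect
call :log "idle threshold reached, disconnecting session"
rem With no arguments, tsdiscon disconnects the session it is run in.
"%SystemRoot%\System32\tsdiscon.exe"
exit /b %ERRORLEVEL%

:log
rem Append one timestamped line per decision.
>>"%LOG%" echo %DATE% %TIME% %USERNAME% %~1
exit /b 0
```

The task has to run as the logged-on user so that it sees the variable UEM wrote and so that tsdiscon acts on that user's session.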