Security-related settings are provided in the ADMX or ADM template files for Horizon Agent. The ADMX template file is named vdm_agent.admx, and the ADM template file is named vdm_agent.adm. Unless noted otherwise, each setting is available only as a Computer Configuration setting.

Security settings are stored in the registry on the guest machine under HKLM\Software\VMware, Inc.\VMware VDM\Agent\Configuration.

Note:

In Horizon 7 version 7.1, the ADM template files are deprecated and the ADMX template files are added.

Table 1. Security-Related Settings in the View Agent (for Horizon 6) or Horizon Agent (for Horizon 7) Configuration Template

Setting

Description

AllowDirectRDP

Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is disabled, the agent permits only View-managed connections through Horizon Client.

When connecting to a remote desktop from Horizon Client for Mac, do not disable the AllowDirectRDP setting. If this setting is disabled, the connection fails with an "Access is denied" error.

By default, while a user is logged in to a Horizon 7 desktop session, you can use RDP to connect to the virtual machine from outside of Horizon 7. The RDP connection terminates the Horizon 7 desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.

Important:

The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is enabled by default.

The equivalent Windows Registry value is AllowDirectRDP.

AllowSingleSignon

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter their credentials only once, when they log in to the server. When this setting is disabled, users must reauthenticate when the remote connection is made.

This setting is enabled by default.

The equivalent Windows Registry value is AllowSingleSignon.

CommandsToRunOnConnect

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnConnect.

CommandsToRunOnDisconnect

Specifies a list of commands or command scripts to be run when a session is disconnected.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnReconnect.

CommandsToRunOnReconnect

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnDisconnect.

ConnectionTicketTimeout

Specifies the amount of time in seconds that the View connection ticket is valid.

Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds.

The equivalent Windows Registry value is VdmConnectionTicketTimeout.

CredentialFilterExceptions

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

No list is specified by default.

The equivalent Windows Registry value is CredentialFilterExceptions.

For more information about these settings and their security implications, see the View Administration document.
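The following PowerShell sketch is an added example, not part of the original documentation or of VMware's tooling. It reads the registry key named above and reports the effective value of each setting in Table 1, falling back to the defaults stated on this page. The function names are hypothetical, and the stored data format ("true"/"false" strings, the timeout as a number of seconds) is an assumption to confirm on your own guests.

```powershell
# Added example: report effective Horizon Agent security settings on a guest.
# Key path, value names and defaults come from the page; the data format
# ("true"/"false" strings, seconds as a number) is an assumption to verify.
$KeyPath = 'HKLM:\Software\VMware, Inc.\VMware VDM\Agent\Configuration'

# Defaults stated on the page, applied when a value is not configured.
$Defaults = [ordered]@{
    AllowDirectRDP             = 'true'
    AllowSingleSignon          = 'true'
    CommandsToRunOnConnect     = ''
    CommandsToRunOnDisconnect  = ''
    CommandsToRunOnReconnect   = ''
    VdmConnectionTicketTimeout = '900'
    CredentialFilterExceptions = ''
}

function Get-ReviewNote {            # hypothetical helper
    param([string]$Name, [string]$Value)
    $n = 0
    switch -Wildcard ($Name) {
        'AllowDirectRDP' {
            if ($Value -ne 'false') { 'Direct RDP from outside Horizon is permitted' } }
        'CommandsToRunOn*' {
            if ($Value) { 'Commands run on session events; confirm each entry is expected' } }
        'VdmConnectionTicketTimeout' {
            if ([int]::TryParse($Value, [ref]$n) -and $n -gt 900) { 'Longer than the 900 s default' } }
        'CredentialFilterExceptions' {
            if ($Value -match '[\\/.]') { 'Filenames must not include a path or suffix' } }
    }
}

function Get-AgentSecuritySetting {  # hypothetical helper
    param([string]$Path = $KeyPath)
    # A missing key is not an error: every setting then reports its default.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($name in $Defaults.Keys) {
        $prop = if ($item) { $item.PSObject.Properties[$name] }
        $configured = $null -ne $prop
        # -join flattens multi-string data into one semicolon-separated string.
        $value = if ($configured) { @($prop.Value) -join ';' } else { $Defaults[$name] }
        [pscustomobject]@{
            Setting    = $name
            Configured = $configured
            Effective  = $value
            Review     = Get-ReviewNote -Name $name -Value $value
        }
    }
}

Get-AgentSecuritySetting | Format-Table -AutoSize
```

Before disabling AllowDirectRDP in response to the first note, check whether users connect with Horizon Client for Mac, as described in the AllowDirectRDP entry.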