Security-related settings are provided in ADM and ADMX template files for View Agent and Horizon Agent. The ADM and ADMX template files are named vdm_agent.adm and vdm_agent.admx. Unless noted otherwise, the settings include only a Computer Configuration setting.

Security Settings are stored in the registry on the guest machine under HKLM\Software\VMware, Inc.\VMware VDM\Agent\Configuration.

Table 1. Security-Related Settings in the View Agent (for Horizon 6) or Horizon Agent (for Horizon 7) Configuration Template
Setting Description
AllowDirectRDP

Determines whether clients other than Horizon Client devices can connect directly to remote desktops with RDP. When this setting is disabled, the agent permits only Horizon-managed connections through Horizon Client.

When connecting to a remote desktop from Horizon Client for Mac, do not disable the AllowDirectRDP setting. If this setting is disabled, the connection fails with an Access is denied error.

By default, while a user is logged in to a remote desktop session, you can use RDP to connect to the virtual machine. The RDP connection terminates the remote desktop session, and the user's unsaved data and settings might be lost. The user cannot log in to the desktop until the external RDP connection is closed. To avoid this situation, disable the AllowDirectRDP setting.

Important: The Windows Remote Desktop Services service must be running on the guest operating system of each desktop. You can use this setting to prevent users from making direct RDP connections to their desktops.

This setting is enabled by default.

The equivalent Windows Registry value is AllowDirectRDP.

AllowSingleSignon

Determines whether single sign-on (SSO) is used to connect users to desktops and applications. When this setting is enabled, users are required to enter their credentials only once, when they log in to the server. When this setting is disabled, users must reauthenticate when the remote connection is made.

This setting is enabled by default.

The equivalent Windows Registry value is AllowSingleSignon.

CommandsToRunOnConnect

Specifies a list of commands or command scripts to be run when a session is connected for the first time.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnConnect.

CommandsToRunOnDisconnect

Specifies a list of commands or command scripts to be run when a session is disconnected.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnReconnect.

CommandsToRunOnReconnect

Specifies a list of commands or command scripts to be run when a session is reconnected after a disconnect.

No list is specified by default.

The equivalent Windows Registry value is CommandsToRunOnDisconnect.

ConnectionTicketTimeout

Specifies the amount of time in seconds that the Horizon connection ticket is valid.

Horizon Client devices use a connection ticket for verification and single sign-on when connecting to the agent. For security reasons, a connection ticket is valid for a limited amount of time. When a user connects to a remote desktop, authentication must take place within the connection ticket timeout period or the session times out. If this setting is not configured, the default timeout period is 900 seconds.

The equivalent Windows Registry value is VdmConnectionTicketTimeout.

CredentialFilterExceptions

Specifies the executable files that are not allowed to load the agent CredentialFilter. Filenames must not include a path or suffix. Use a semicolon to separate multiple filenames.

No list is specified by default.

The equivalent Windows Registry value is CredentialFilterExceptions.

For more information about these settings and their security implications, see the View Administration document.