Before implementing restricted entitlements, you must be aware of certain considerations and limitations.
A single Connection Server instance or desktop pool can have multiple tags.
Multiple Connection Server instances and desktop pools can have the same tag.
Any Connection Server instance can access a desktop pool that does not have any tags.
Connection Server instances that do not have any tags can access only desktop pools that also do not have any tags.
If you use a security server, you must configure restricted entitlements on the Connection Server instance with which the security server is paired. You cannot configure restricted entitlements on a security server.
You cannot modify or remove a tag from a Connection Server instance if that tag is still assigned to a desktop pool and no other Connection Server instances have a matching tag.
Restricted entitlements take precedence over other desktop entitlements or assignments. For example, even if a user is assigned to a particular machine, the user cannot access that machine if the tag assigned to the desktop pool does not match the tag assigned to the Connection Server instance to which the user is connected.
If you intend to provide access to your desktops through VMware Identity Manager and you configure Connection Server restrictions, the VMware Identity Manager app might display desktops to users when those desktops are actually restricted. When a VMware Identity Manager user attempts to log in to a desktop, the desktop does not start if the tag assigned to the desktop pool does not match the tag assigned to the Connection Server instance to which the user is connected.
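The tag rules above can be checked against an inventory before you change tags. The following is an added example, not VMware code, and it calls no Horizon API. The server and pool names are constructed, and it assumes that one shared tag is enough for a Connection Server and a desktop pool to match.

```python
# Added example: models the tag rules from the list above on a constructed inventory.
# Server names, pool names and tags are hypothetical; no Horizon API is used.

def can_access(server_tags, pool_tags):
    """True if a Connection Server with server_tags can access a pool with pool_tags."""
    if not pool_tags:       # a pool without tags is accessible from any instance
        return True
    if not server_tags:     # an instance without tags reaches only untagged pools
        return False
    # Assumption: a single tag in common counts as a match.
    return bool(set(server_tags) & set(pool_tags))

def can_launch(user_entitled, server_tags, pool_tags):
    """Restricted entitlements take precedence over the user's entitlement or assignment."""
    return bool(user_entitled) and can_access(server_tags, pool_tags)

def unreachable_pools(servers, pools):
    """Pools that no Connection Server in the inventory can access."""
    return sorted(name for name, tags in pools.items()
                  if not any(can_access(s, tags) for s in servers.values()))

def removal_blocked(servers, pools, server, tag):
    """Tag is still assigned to a pool and no other instance has a matching tag."""
    if tag not in servers[server]:
        raise ValueError(f"{server} does not carry tag {tag!r}")
    still_assigned = any(tag in tags for tags in pools.values())
    held_elsewhere = any(tag in tags for name, tags in servers.items() if name != server)
    return still_assigned and not held_elsewhere

# Constructed sample inventory.
SERVERS = {
    "cs-internal": {"internal"},
    "cs-internal-2": {"internal"},
    "cs-external": {"external"},
    "cs-untagged": set(),
}
POOLS = {
    "finance": {"internal"},
    "kiosk": {"external", "internal"},
    "general": set(),
}

if __name__ == "__main__":
    for server, s_tags in SERVERS.items():
        allowed = [p for p, p_tags in POOLS.items() if can_access(s_tags, p_tags)]
        print(f"{server}: {', '.join(allowed)}")
    print("unreachable:", unreachable_pools(SERVERS, POOLS))
    print("blocked:", removal_blocked(SERVERS, POOLS, "cs-external", "external"))
```

Because untagged pools are reachable from every instance, a pool that should stay off a particular Connection Server must carry at least one tag.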