These steps are applicable when your Horizon Cloud environment is configured for single-pod brokering and when you have integrated your Workspace ONE Access environment with your pods in Microsoft Azure. Horizon Cloud provides this feature by which you can specify that end users must go through Workspace ONE Access to access their pod-provisioned desktops and remote applications. Requiring end users to access their desktops through Workspace ONE Access prevents direct desktop access using their Horizon Client or by HTML access. This enforcement is useful when you want to use the two-factor authentication method that is set in your Workspace ONE Access environment.

Your end users typically launch their entitled desktops using the following methods.

In the Horizon Universal Console, you can optionally configure your Horizon Cloud environment to require your end users use Workspace ONE Access only. You can configure enforcement on users who are accessing their desktops and applications from locations outside your corporate network or on users accessing from inside your corporate network, or both. You can also configure the client to automatically redirect to Workspace ONE Access the enforcement is enabled.

The feature to force end-user access to Workspace ONE Access works with the Workspace ONE Access redirection feature in the following ways.

Force end-user access through Workspace ONE Access setting Workspace ONE Access redirection setting What happens when the end user's client connects to Horizon Cloud to access their desktops and applications
Enabled (yes) Enabled (yes) Client is automatically redirected to Workspace ONE Access.
Enabled (yes) Deactivated (no) Client displays a message that tells the user that they must access Horizon Cloud using Workspace ONE Access. Automatic redirection does not occur.
Deactivated (no) Enabled (yes) Client displays the Horizon Cloud login screen for the end user to log in. Automatic redirection does not occur because forced access to Workspace ONE Access is not enabled.
Deactivated (no) Deactivated (no) Client displays the Horizon Cloud login screen for the end user to log in. In this scenario, both forced access and the automatic redirection features are deactivated.

Prerequisites

Verify that your Horizon Cloud and Workspace ONE Access environments are successfully integrated. See A Horizon Cloud Environment with Single-Pod Brokering — Integrating the Environment's Horizon Cloud Pods in Microsoft Azure with Workspace ONE Access.

Procedure

  1. In the console, navigate to Settings > Identity Management and click Configure.
  2. In the dialog box, make selections according to your organization's needs.
    Option Description
    Force Remote Users to Workspace ONE Access When set to Yes, users that are trying to access their desktops from locations outside of your corporate network must log in to Workspace ONE Access and access desktops from there.
    Force Internal Users to Workspace ONE Access When set to Yes, users that are trying to access their desktops from locations within your corporate network must log in to Workspace ONE Access and access desktops from there.
  3. Click Save to confirm the configuration to the system.
  4. (Optional) Set Workspace ONE Access redirection on the identity management configuration.
    Note: You can have Workspace ONE Access redirection enabled for only one of the identity management URLs that are configured on the Identity Management page. If your Identity Management page lists multiple configurations with different identity management URLs, and one is associated with the toggle is set to YES, when you try to set the toggle to YES for a different identity management URL, an error message is displayed.
    1. On the Identity Management page, select the check box for the Workspace ONE Access configuration for which you want to set redirection and click Edit to open its configuration.
    2. Set the Workspace ONE Redirection toggle to YES.
    3. Click Save.

What to do next

Verify that the desktop access behaves according to your settings by trying to access a desktop using the Horizon Client or using a browser directly instead of through Workspace ONE Access.