General global settings determine session timeout lengths, SSO enablement and timeout limits, status updates in Horizon Console, whether prelogin and warning messages are displayed, whether Horizon Console treats Windows Server as a supported operating system for remote desktops, and other settings.
In Horizon Console, you can configure global settings by navigating to .
Changes to any of the settings in the following table take effect immediately. You do not need to restart Connection Server or Horizon Client.
Setting | Description |
---|---|
View Administrator session timeout | Determines how long an idle Horizon Console session continues before the session times out.
Important: Setting the
Horizon Console session timeout to a high number of minutes increases the risk of unauthorized use of
Horizon Console. Use caution when you allow an idle session to persist a long time.
By default, the Horizon Console session timeout is 30 minutes. You can set a session timeout from 10 to 4320 minutes (72 hours). Before a session times out, a warning message appears with a 60 second countdown. If you click in the session before the countdown ends, the session continues. After 60 seconds, an error message appears informing you that the session has timed out and you need to log in again. |
Forcibly disconnect users | Disconnects all desktops and applications after the specified number of minutes has passed since the user logged in to VMware Horizon. All desktops and applications will be disconnected at the same time regardless of when the user opened them. For clients that do not support application remoting, a maximum timeout value of 1200 minutes applies if the value of this setting is Never or greater than 1200 minutes. The default is After 600 minutes. |
Single sign-on (SSO) | If SSO is enabled, VMware Horizon caches a user's credentials so that the user can launch remote desktops or applications without having to provide credentials to log in to the remote Windows session. The default is Enabled. If you plan to use the True SSO feature, introduced in VMware Horizon or later, SSO must be enabled. With True SSO, if a user logs in using some other form of authentication than Active Directory credentials, the True SSO feature generates short-term certificates to use, rather than cached credentials, after users log in to VMware Identity Manager.
Note: If a desktop is launched from
Horizon Client, and the desktop is locked, either by the user or by Windows based on a security policy, and if the desktop is running
VMware Horizon Agent 6.0 or later or
Horizon Agent 7.0 or later, Connection Server discards the user's SSO credentials. The user must provide login credentials to launch a new desktop or a new application, or reconnect to any disconnected desktop or application. To enable SSO again, the user must disconnect from Connection Server or exit
Horizon Client, and reconnect to Connection Server. However, if the desktop is launched from
Workspace ONE or VMware Identity Manager and the desktop is locked, SSO credentials are not discarded.
|
Enable automatic status updates | Determines if status updates appear in the global status pane in the upper-left corner of Horizon Console every few minutes. The dashboard page of Horizon Console is also updated every few minutes. By default, this setting is not enabled. |
For clients that support applications. If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials: |
Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, VMware Horizon disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are not disconnected. Users must log in again to reconnect to the applications that were disconnected or launch a new desktop or application. This setting also applies to the True SSO feature. After SSO credentials are discarded, users are prompted for Active Directory credentials. If users logged in to VMware Identity Manager without using AD credentials and do not know what AD credentials to enter, users can log out and log in to VMware Identity Manager again to access their remote desktops and applications.
Important: Users must be aware that when they have both applications and desktops open, and their applications are disconnected because of this timeout, their desktops remain connected. Users must not rely on this timeout to protect their desktops.
If set to Never, VMware Horizon never disconnects applications or discards SSO credentials due to user inactivity. The default is Never. |
Other clients. Discard SSO credentials: |
Discards SSO credentials after the specified number of minutes. This setting is for clients that do not support application remoting. If set to After ... minutes, users must log in again to connect to a desktop after the specified number of minutes has passed since the user logged in to VMware Horizon, regardless of any user activity on the client device. If set to Never, VMware Horizon stores SSO credentials until the user closes Horizon Client, or the Forcibly disconnect users timeout is reached, whichever comes first. The default is After 15 minutes. |
Display a pre-login message | Displays a disclaimer or another message to Horizon Client users when they log in. Type your information or instructions in the text box in the Global Settings dialog box. To display no message, leave the check box unselected. |
Display warning before forced logoff | Displays a warning message when users are forced to log off because a scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off. Check the box to display a warning message. Type the number of minutes to wait after the warning is displayed and before logging off the user. The default is 5 minutes. Type your warning message. You can use the default message: Your desktop is scheduled for an important update and will be shut down in 5 minutes. Please save any unsaved work now. |
Enable Windows Server desktops | Determines whether you can select available Windows Server 2008 R2 and Windows Server 2012 R2 machines for use as desktops. When this setting is enabled, Horizon Console displays all available Windows Server machines, including machines on which VMware Horizon server components are installed.
Note: The
Horizon Agent software cannot coexist on the same virtual or physical machine with any other
VMware Horizon server software component, including a Connection Server.
|
Clean Up Credential When Tab Closed for HTML Access | Removes a user's credentials from cache when a user closes a tab that connects to a remote desktop or application, or closes a tab that connects to the desktop and application selection page, in the HTML Access client. When this setting is enabled, VMware Horizon also removes the credentials from cache in the following HTML Access client scenarios:
Enabling this setting also affects how HTML Access behaves when it is started from Workspace ONE. For more information, see the Workspace ONE documentation. When this setting is disabled, the credentials remain in cache. This feature is disabled by default. |
Hide server information in client user interface | Enable this security setting to hide server URL information in Horizon Client. |
Hide domain list in client user interface | Enable this security setting to hide the Domain drop-down menu in Horizon Client. When users log in to a Connection Server instance for which the Hide domain list in client user interface global setting is enabled, the Domain drop-down menu is hidden in Horizon Client and users provide domain information in the Horizon Client User name text box. For example, users must enter their user name in the format
Important: If you enable the
Hide domain list in client user interface setting and select two-factor authentication (RSA SecureID or RADIUS) for the Connection Server instance, do not enforce Windows user name matching. Enforcing Windows user name matching prevents users from entering domain information in the user name text box and login always fails. This does not apply to
Horizon Client version 5.0 and later if there is a single user domain.
Important: For more information about the security and usability implications of this setting, see the
Horizon Security document.
|
Send domain list | Select the checkbox to allow the Connection Server to send the list of domain names to the client before the user is authenticated.
Important: For more information about the security and usability implications of this setting, see the
Horizon Security document.
|
Enable 2 Factor Reauthentication | Select this setting to enable two-factor authentication to occur for an end user after a session times out. |