Filter policy settings that you configure for Horizon Agent and Horizon Client establish which USB devices can be redirected from a client computer to a remote desktop or application. USB device filtering is often used by companies to disable the use of mass storage devices on remote desktops, or to block a specific type of device from being forwarded, such as a USB-to-Ethernet adapter that connects the client device to the remote desktop.
When you connect to a desktop or application, Horizon Client downloads the Horizon Agent USB policy settings and uses them in conjunction with the Horizon Client USB policy settings to decide which USB devices it will allow you to redirect from the client computer.
Horizon applies any device splitting policy settings before it applies the filter policy settings. If you have split a composite USB device, Horizon examines each of the device's interfaces to decide which should be excluded or included according to the filter policy settings. If you have not split a composite USB device, Horizon applies the filter policy settings to the entire device.
The device splitting policies are included in the Horizon Agent Configuration ADMX template file (vdm_agent.admx).
Interaction of Agent-Enforced USB Settings
The following table shows the modifiers that specify how Horizon Client handles a Horizon Agent filter policy setting for an agent-enforceable setting if an equivalent filter policy setting exists for Horizon Client.
Modifier | Description |
---|---|
m (merge) | Horizon Client applies the Horizon Agent filter policy setting in addition to the Horizon Client filter policy setting. In the case of Boolean, or true/false, settings, if the client policy is not set, the agent settings are used. If the client policy is set, the agent settings are ignored, except for the Exclude All Devices setting. If the Exclude All Devices policy is set on the agent side, the policy overrides the client setting. |
o (override) | Horizon Client uses the Horizon Agent filter policy setting instead of the Horizon Client filter policy setting. |
For example, the following policy on the agent side overrides any include rules on the client side, and only device VID-0911_PID-149a will have an include rule applied:
IncludeVidPid: o:VID-0911_PID-149a
You can also use asterisks as wildcard characters; for example: o:vid-0911_pid-****
Interaction of Client-Interpreted USB Settings
The following table shows the modifiers that specify how Horizon Client handles a Horizon Agent filter policy setting for a client-interpreted setting.
Modifier | Description |
---|---|
Default (d in the registry setting) | If a Horizon Client filter policy setting does not exist, Horizon Client uses the Horizon Agent filter policy setting. If a Horizon Client filter policy setting exists, Horizon Client applies that policy setting and ignores the Horizon Agent filter policy setting. |
Override (o in the registry setting) | Horizon Client uses the Horizon Agent filter policy setting instead of any equivalent Horizon Client filter policy setting. |
Horizon Agent does not apply the filter policy settings for client-interpreted settings on its side of the connection.
The following table shows examples of how Horizon Client processes the settings for Allow Smart Cards when you specify different filter modifiers.
Allow Smart Cards Setting on Horizon Agent | Allow Smart Cards Setting on Horizon Client | Effective Allow Smart Cards Policy Setting Used by Horizon Client |
---|---|---|
Disable - Default Client Setting (d:false in the registry setting) | true (Allow) | true (Allow) |
Disable - Override Client Setting (o:false in the registry setting) | true (Allow) | false (Disable) |
If you set the Disable Remote Configuration Download policy to true, Horizon Client ignores any filter policy settings that it receives from Horizon Agent.
Horizon Agent always applies the filter policy settings in agent-enforceable settings on its side of the connection even if you configure Horizon Client to use a different filter policy setting or disable Horizon Client from downloading filter policy settings from Horizon Agent. Horizon Client does not report that Horizon Agent is blocking a device from being forwarded.
Precedence of Settings
Horizon Client evaluates the filter policy settings according to an order of precedence. A filter policy setting that excludes a matching device from being redirected takes precedence over the equivalent filter policy setting that includes the device. If Horizon Client does not encounter a filter policy setting to exclude a device, Horizon Client allows the device to be redirected unless you have set the Exclude All Devices policy to true. However, if you have configured a filter policy setting on Horizon Agent to exclude the device, the desktop or application blocks any attempt to redirect the device to it.
Horizon Client evaluates the filter policy settings in order of precedence, taking into account the Horizon Client settings and the Horizon Agent settings together with the modifier values that you apply to the Horizon Agent settings. The following list shows the order of precedence, with item 1 having the highest precedence.
1. Exclude Path
2. Include Path
3. Exclude Vid/Pid Device
4. Include Vid/Pid Device
5. Exclude Device Family
6. Include Device Family
7. Allow Audio Input Devices, Allow Audio Output Devices, Allow HIDBootable, Allow HID (Non Bootable and Not Mouse Keyboard), Allow Keyboard and Mouse Devices, Allow Smart Cards, and Allow Video Devices
8. Combined effective Exclude All Devices policy evaluated to exclude or include all USB devices
You can set Exclude Path and Include Path filter policy settings only for Horizon Client. The Allow filter policy settings that refer to separate device families have equal precedence.
If you configure a policy setting to exclude devices based on vendor and product ID values, Horizon Client excludes a device whose vendor and product ID values match this policy setting even though you might have configured an Allow policy setting for the family to which the device belongs.
The order of precedence for policy settings resolves conflicts between policy settings. If you configure Allow Smart Cards to allow the redirection of smart cards, any higher precedence exclusion policy setting overrides this policy. For example, you might have configured an Exclude Vid/Pid Device policy setting to exclude smart-card devices with matching path or vendor and product ID values, or you might have configured an Exclude Device Family policy setting that also excludes the smart-card device family entirely.
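The following added example (not VMware code) models the Horizon Client side of this evaluation so you can check a planned policy against sample devices before deploying it: it combines each list setting using the agent's modifier, then walks the precedence order and reports which setting decided the outcome. Assumptions: the dictionary keys are this model's own names for the settings, the `m:` prefix is written the same way as the `o:` prefix shown above, an Exclude All Devices value configured on the agent replaces the client's, and the Path rules and per-family Allow settings are left out.

```python
import fnmatch

# Precedence from the page, highest first. Path rules and the per-family
# Allow settings are left out to keep the model small.
ORDER = [("ExcludeVidPid", False), ("IncludeVidPid", True),
         ("ExcludeFamily", False), ("IncludeFamily", True)]

def split_items(value):
    return [i.strip().lower() for i in (value or "").split(";") if i.strip()]

def effective_list(client_value, agent_value):
    """Combine one list setting: 'o:' replaces the client list, 'm:' adds to it."""
    client = split_items(client_value)
    if not agent_value:
        return client
    modifier, sep, rest = agent_value.partition(":")
    if not sep or modifier not in ("m", "o"):
        raise ValueError(f"agent value needs an m: or o: modifier: {agent_value!r}")
    return split_items(rest) if modifier == "o" else client + split_items(rest)

def matches(name, items, device):
    if name.endswith("VidPid"):
        dev_id = f"vid-{device['vid']}_pid-{device['pid']}".lower()
        # '*' is the page's wildcard; fnmatch treats each '*' as "any characters"
        return any(fnmatch.fnmatchcase(dev_id, pattern) for pattern in items)
    return any(family in device["families"] for family in items)

def decide(device, client, agent):
    """Return (redirect_allowed, deciding_setting) for one USB device."""
    for name, allow in ORDER:
        if matches(name, effective_list(client.get(name), agent.get(name)), device):
            return allow, name
    # Assumption: an Exclude All Devices value configured on the agent wins.
    exclude_all = agent.get("ExcludeAllDevices", client.get("ExcludeAllDevices", False))
    return (not exclude_all, "ExcludeAllDevices" if exclude_all else "default")

# Constructed sample policies and devices, using the IDs from the page's examples.
CLIENT = {"ExcludeAllDevices": True, "IncludeVidPid": "Vid-0123_Pid-abcd",
          "IncludeFamily": "storage"}
AGENT = {"IncludeVidPid": "o:VID-0911_PID-149a", "ExcludeFamily": "o:storage",
         "ExcludeVidPid": "o:Vid-0341_Pid-*"}
DEVICES = {
    "client-listed": {"vid": "0123", "pid": "abcd", "families": {"other"}},
    "agent-listed": {"vid": "0911", "pid": "149a", "families": {"other"}},
    "usb-stick": {"vid": "1abc", "pid": "0001", "families": {"storage"}},
    "vendor-0341": {"vid": "0341", "pid": "1a11", "families": {"audio"}},
}

if __name__ == "__main__":
    for label, dev in DEVICES.items():
        print(label, decide(dev, CLIENT, AGENT))
```

With these sample policies, the device that only the client includes is blocked, because the agent's `o:` include rule replaces the client's list and Exclude All Devices then applies.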
If you have configured any Horizon Agent filter policy settings, Horizon Agent evaluates and enforces the filter policy settings in the following order of precedence on the remote desktop or application, with item 1 having the highest precedence.
1. Include a device by Vendor/Product ID
2. Include a device by USB family
3. Exclude a device by Vendor/Product ID
4. Exclude a device by USB family
5. Exclude all USB devices
Horizon Agent enforces this limited set of filter policy settings on its side of the connection.
By defining filter policy settings for Horizon Agent, you can create a filtering policy for non-managed client computers. The feature also allows you to block devices from being forwarded from client computers, even if the filter policy settings for Horizon Client permit the redirection.
For example, if you configure a policy that permits Horizon Client to allow a device to be redirected, Horizon Agent blocks the device if you configure a policy for Horizon Agent to exclude the device.
Examples of Setting Policies to Filter USB Devices
The vendor IDs and product IDs used in these examples are examples only. For information about determining the vendor ID and product ID for a specific device, see Using Log Files for Troubleshooting and to Determine USB Device IDs.
- On the client, exclude a particular device from being redirected:
Exclude Vid/Pid Device: Vid-0341_Pid-1a11
- Block all storage devices from being redirected to this desktop or application pool. Use an agent-side setting:
Exclude Device Family: o:storage
- For all users in a desktop pool, block audio and video devices to ensure that these devices will always be available for the Real-Time Audio-Video feature. Use an agent-side setting:
Exclude Device Family: o:video;audio
Note that another strategy would be to exclude specific devices by vendor and product ID.
- On the client, block all devices from being redirected except one particular device:
Exclude All Devices: true
Include Vid/Pid Device: Vid-0123_Pid-abcd
- Exclude all devices made by a particular company because these devices cause problems for your end users. Use an agent-side setting:
Exclude Vid/Pid Device: o:Vid-0341_Pid-*
- On the client, include two specific devices but exclude all others:
Exclude All Devices: true
Include Vid/Pid Device: Vid-0123_Pid-abcd;Vid-1abc_Pid-0001