You can restrict access to entitled desktop pools, published desktops, and application pools to specific client computers. To restrict access, you must add the names of the client computers that are allowed to access the desktop pools, published desktops, or applications in an Active Directory security group and then entitle this group to a pool. The Active Directory security group can contain client computers that belong to any AD Organizational Units (OUs) or default Computer container.

The client restrictions features has certain requirements and limitations.

  • You must enable the client restrictions policy when you create or modify the desktop pool, published desktop or application pool. By default, the client restrictions policy is disabled. For published desktop pool and application pool settings, and instant-clone, full-clone, and manual desktop pool settings, see the Windows Desktops and Applications in Horizon document.
  • When you create or modify entitlements for the desktop pool, published desktop, or application pool, you must add the Active Directory security group that contains the names of the client computers that are allowed to access the desktop pool, published desktop, or application pool.
  • The client restrictions feature allows only specific client computers to access desktop pools, published desktops, and application pools. It does not give users access to non-entitled desktop and application pools. For example, if a user is not included in an application pool entitlement (either as a user or as a member of a user group), the user cannot access the application pool, even if the user's client computer is part of the AD security group that is entitled to the application pool.
  • The client restrictions feature is supported only with Windows client computers.
  • When the client restrictions policy is enabled for desktop pools, published desktops, or application pools, non-Windows clients and HTML Access clients cannot launch the desktops or applications from the restricted pools.
  • The client restrictions feature only restricts new sessions from Windows clients. This feature does not restrict existing application session connections from previous user sessions.
  • Horizon Client for Windows requires that the client computers belonging to an Active Directory security group be located in the default AD location "CN=Computers."