You can set up unattended clients that can obtain access to their desktops from VMware Horizon.

A client in kiosk mode is a thin client or a lock-down PC that runs Horizon Client to connect to a Connection Server instance and launch a session. End users do not typically need to log in to access the client device, although the published desktop might require them to provide authentication information for some applications. Sample applications include medical data entry workstations, airline check-in stations, customer self-service points, and information terminals for public access.

You should ensure that the desktop application implements authentication mechanisms for secure transactions, that the physical network is secure against tampering and snooping, and that all devices connected to the network are trusted.

Clients in kiosk mode support the standard features for remote access such as automatic redirection of USB devices to the remote session and location-based printing.

VMware Horizon uses the Flexible Authentication feature to authenticate a client device in kiosk mode rather than the end user. You can configure a Connection Server instance to authenticate clients that identify themselves by their MAC address or by a user name that starts with the characters "custom-" or with an alternate prefix string that you have defined in ADAM. If you configure a client to have an automatically generated password, you can run Horizon Client on the device without specifying a password. If you configure an explicit password, you must specify this password to Horizon Client. As you would usually run Horizon Client from a script, and the password would appear in clear text, you should take precautions to make the script unreadable by unprivileged users.

Only Connection Server instances that you enable to authenticate clients in kiosk mode can accept connections from accounts that start with the characters "cm-" followed by a MAC address, or that start with the characters "custom-" or an alternate string that you have defined. Horizon Client does not allow the manual entry of user names that take these forms.

As a best practice, use dedicated Connection Server instances to handle clients in kiosk mode, and to create dedicated organizational units and groups in Active Directory for the accounts of these clients. This practice not only partitions these systems against unwarranted intrusion, but also makes it easier to configure and administer the clients.

In a Cloud Pod Architecture environment, the Connection Server instances in the pod federation do not share information about clients in kiosk mode. To implement a workaround, see VMware Knowledge Base (KB) article 2148888.