Deployment of Dynamic Environment Manager

Dynamic Environment Manager (DEM) is one of the key component of Horizon solution. it provide several major features to enhance the manageability of VDI desktop. Those features include:

• Centralizing user profiles

• Preserve application setting

• Deploy user group policy by DEM

By such features, admin can provide a better user experience on non-persistent or floating desktop scenario. User will not experience any difficulty even their desktop is not dedicated or will be refreshed regularly.

To deployment of DEM can be divided into following steps. Let's go through one by one.

1. Create AD Groups and SMB Shares

2. Install DEM and Basic Configuration

3. Enable DEM with Horizon GPO

4. Agent Installation

1. Create AD Groups and SMB Shares

To begin with the deployment, 2 AD groups will be created as following procedures. One is the DEM admin and one is the DEM users. User account can be added to those groups correspondingly.

• Logon to the Domain Controller.

• Launch the "Active Directory Users and Computer".

• Create 2 AD groups as follow.

• Add DEM users to corresponding group.

• Logon any Windows server planned for storing the user profiles and DEM setting.

**DEM not only support storing user profile and DEM setting on Windows share. Any device such as NAS which providing SMB share could serve the same purpose.

• Create 4 folders and share them with following permission.

• DEM_Config

Share Permission

Domain Admins = Full

DEM_Admin = Full

DEM_Users = Read

Share Caching

No files or programs from the shared folder are available offline

Security

Click "Advanced" button

Disable inheritance

Convert inherited permission into explicit permission on this object.

Add following:

DEM Admins = Full Control

DEM Users = Read & Execute, List Folders, Read

Creator Owner = Full Control

Remove following:

Users = Read & Execute

Users = Special

Replace all child object permission entries with inheritable permission...

** Repeat the procedure above for following SMB shares.

• DEM_Log

Share Permission

Domain Admins = Full

DEM_Admin = Full

DEM_Users = Change, Read

Share Caching

No files or programs from the shared folder are available offline

Security

Click "Advanced" button

Disable inheritance

Convert inherited permission into explicit permission on this object

Add following:

DEM Admins = Full Control

DEM Users = Traverse folder / Execute file, List folder / read folder, Read attributes, Read extended attributes, Create folders / append data, Read permission

Creator Owner = Full Control

Remove following:

Users = Read & Execute

Users = Special

Replace all child object permission entries with inheritable permission...

• DEM_Profiles

Share Permission

Domain Admins = Full

DEM_Admin = Full

DEM_Users = Change, Read

Share Caching

No files or programs from the shared folder are available offline

Security

Click "Advanced" button

Disable inheritance

Convert inherited permission into explicit permission on this object

Add following:

DEM Admins = Full Control

DEM Users = Traverse folder / Execute file, List folder / read folder, Read attributes, Read extended attributes, Create folders / append data, Read permission

Creator Owner = Full Control

Remove following:

Users = Read & Execute

Users = Special

Replace all child object permission entries with inheritable permission...

• DEM_Redirected

Share Permission

Domain Admins = Full

DEM_Admin = Full

DEM_Users = Change, Read

Share Caching

No files or programs from the shared folder are available offline

Security

Click "Advanced" button

Disable inheritance

Convert inherited permission into explicit permission on this object

Add following:

DEM Admins = Full Control

DEM Users = Traverse folder / Execute file, List folder / read folder, Read attributes, Read extended attributes, Create folders / append data, Read permission

Creator Owner = Full Control

Remove following:

Users = Read & Execute

Users = Special

Replace all child object permission entries with inheritable permission...

2. Install DEM and Basic Configuration

After prepared the AD groups and SMB shares, the next will be installing the DEM execute.

• Please prepare a Windows server.

• Logon to the server and run the DEM execute.

• Click "Next".

• Check "I accept the terms in the License Agreement".

• Click "Next".

• Confirm the installation path.

• Click "Next".

• Click "Custom".

• Select all components for installation.

• Click "Next".

• Click "Install".

• Wait for installation and click "Finish".

• After the installation. Launch the "Management Console" from "Start Menu".

• A Configuration Wizard will pop up. From the Configuration Wizard, assign the DEM_Config SMB path as configuration location.

• Click "OK".

• The DEM Manager will ready for use. From the "User Environment" tab, click "Easy start".

• Select the Office version your organization deployed. Click "OK".

• You will find the process created several pre-configured settings. One example, on the ribbon named "User Environment" -> "Shortcuts", DEM might create a Wordpad shortcut that says (created by VMware UEM). You can either Disable this item, or delete it.

• After the initial setup, you need to apply license for the DEM service.

• Launch the DEM Manager. Click the "Star" icon on the top right corner.

• Select "License".

• Click "Manage".

• Either provide the license with license key or license file.

• Click "OK".

• Click "OK" to complete the process.

• Once the DEM manager installed successful, here will configure the folder redirection policy for testing purpose.

• Launch the DEM Manager.

• Select "User Environment" tab on Ribbon.

• Select "Folder Redirection" from left pane.

• Click "Create".

• Give a name to the policy.

• Input an SMB path for the "Remote Path". My example in this blog is:

\\tfdemh801\DEM_Profiles\%username%\

• Select those items you want to be preserved by DEM.

• Click "Save".

3. Enable DEM with Horizon GPO

After configured the SMB shares and DEM server installation, next step will be enabling the DEM feature through GPO.

To do this, you will need to apply Horizon Bundled ADMX file before the GPO available for configuration. You may follow the past sharing below to apply the ADMX files.

https://www.tech-fellow.com/post/applying-horizon-bundled-admx-temple-to-ad

You may now create the GPO for enabling the DEM feature.

• Logon to the Domain Controller.

• Launch the Group Policy Management.

• Create a new Group Policy Object.

• Give the policy a name.

• Edit the new policy.

• Navigate to "User Configuration" -> Policies" -> "Administrative Templates" -> "VMware DEM" -> "FlexEngine".

• Edit the policy "Flex config files".

• Enable the policy.

• Input the DEM configuration path for "Central location" setting. My path with this blog is:

\\tfdemh801\DEM_Config\general

• Click "OK".

• Edit the policy "Run FlexEngine at logon and logoff".

• Enable the policy.

• Click "OK".

• Edit the policy "FlexEngine logging".

• Enable the policy.

• Input the path for "Path and file name of log file" setting. My path with this blog is:

\\tfdemh801\DEM_Log\%username%\Logs\FlexEngine.log

• Leave all other settings as default.

• Click "OK".

• Link the DEM GPO to the OU storing the VDI user accounts.

• Select DEM GPO and click "OK".

4. Agent Installation

Until now, the deployment is close to complete. The last step will be installing the DEM agent and creating the folder redirection configuration for testing.

• Logon to the Windows VDI machine.

• Run the DEM agent setup file.

• Click "Next".

• Check "I accept the terms in the License Agreement".

• Click "Next".

• Select the destination folder for installation.

• Click "Next".

• Click "Typical".

• Click "Install".

• Wait for installation to complete.

• Click "Finish".

• Reboot the VDI desktop.

• After rebooted, launch the file explorer.

• Select "Documents" from right pane. Right click and select "Properties".

• You will find the location of the documents folder has been redirected by DEM policy.

----- END -----