Horizon Kiosk with CloudReady Chrome OS

I have been messing around with Chrome OS devices and I came across the Kiosk feature. I thought it would be helpful to write down how I configured it using Workspace ONE.

CloudReady OS

I’m going to be using the CloudReady OS from Neverware. It is a Chrome OS built to repurpose old hardware. There is a free version you can use at home, but the paid version gives you the ability to enroll the device into your G-Suite account. Enrolling your device gives you the ability to manage it through the G-Suite or Workspace ONE consoles.
Installing the CloudReady OS is fairly easy. I’m on a Mac, so I downloaded the image from the website and then used Balena Etcher to flash a USB drive with the downloaded image. When you sign up for the enterprise version of CloudReady you will be provisioned a management portal for your devices; this is where you should download an image that is specific to your account.

Workspace ONE
Device Profile and Assignment Group Creation

You will need to create a smart group to add the Chrome devices. You can use Criteria to put all the Chrome OS devices in a group, or if you don’t want all your Chrome OS devices to be Kiosks then you need to add the devices manually. It would be really nice if you could add tags to Chrome OS devices in the console, but as of today you can’t.

Once the group is created you can create a Profile for the Chrome OS Kiosk. Add a new profile and choose Chrome OS. We want a Device profile.


In the General settings, name the profile and assign it to the group you created for Chrome Kiosk devices.


You will need the App ID of the Horizon Client for Chrome. You can get it from the URL of the application; here is a link: Horizon Client for Chrome OS

The Auto Login Bailout gives the user a chance to quit Kiosk mode before it starts. I disabled it for my deployment.
The Extension policy is how you can configure the Horizon Client. You add JSON code to the text field and it will configure all kinds of things when the Horizon Client launches. Here is a link to the documentation for the different JSON properties. My example defines one server and a description. Click Save and Publish, and once the profile is pushed down to the device and it reboots you will have a Chrome OS Kiosk. I have a video below of the Chrome device rebooting and going into Kiosk mode.

I’d like to thank Bill McLoughin, Nick Fuchs and Peter Freudenberger for helping me out with trial licenses to explore their product further. For more information about Neverware and CloudReady OS head to https://www.neverware.com/

Hope this is helpful!

Setting up RDS and RemoteApp for the first time

I wanted to check out the new features in Microsoft's RDS and RemoteApp offerings for a while and I finally got around to it. I used a Windows Azure 30 day trial for my test environment because I currently don't have a home lab. 

I followed a set of 2 TechNet blog posts from Keith Mayer but I added some steps to make it easier to test the newer iOS and Android devices.

The first post outlines the benefits of hosting RDS on the Windows Azure platform. 

The second post is where the good stuff is. Keith uses a host file modification to do the testing on a PC, but host files don't work too well on an iPhone, so here are the places that I went off script a little bit.

Exercise 4 Step 13

Instead of using the contoso.com domain like all Microsoft labs and tutorials, I used a domain name that I own. I used thickguythinapp.com. This enables us to create a CNAME DNS record later to test from the mobile apps.


Exercise 6 Step 2

Instead of adding a host file to the local machine, I created a DNS CNAME entry for the server using my DNS host Hover.com.
In the Azure management portal, go to the dashboard of the Remote Desktop host (the second VM you configured). Use this DNS name as the target host of the CNAME and use the host name of the server as the subdomain.

For example, if the external DNS name is rdstest01.cloudapp.net and the host name of the server is rdlab01.thickguythinapp.com, your CNAME should have rdlab01.thickguythinapp.com point to rdstest01.cloudapp.net. I hope I explained that well enough.

SSL Issues 

One of the tests I wanted to do was test the integration of the RDS server with the Windows OS (Windows 7 in my case), but you cannot accept an untrusted SSL cert in the control panel. So I followed this TechNet forum post that gave directions on how to export the SSL cert from the RD host and import it into my Windows 7 machine.


Hope this helps you get started with RDS and RemoteApp. 

VMworld from afar Day 2

Yesterday was day 2 of VMworld and there weren't really any new announcements in the keynote. It mainly focused on going deeper into the technical details of the announcements of day 1. Here are links to some of the live blogs.

Scott Lowe 


Usually the day 2 keynote has a lot of information on the EUC arm of VMware. This was not the case in 2013. Most of the keynote focused on the technical aspects of IT-as-a-Service and the software defined data center. VMware is going all in with the software defined data center. I think the key to this is the software defined networking in the NSX product. It seems to me like this is the "secret sauce" that will make the "Hybrid Cloud" more attainable to the greatest number of people.

From the EUC side of things, some of the announcements I found interesting were the further collaboration of Lakeside Software and Login VSI. The solution they have come up with seems to compete with the assessment and monitoring suite from Liquidware Labs, but you have to deal with 2 different vendors. I hope to be able to test the solution in a lab and post the comparisons here.

Speaking of Liquidware Labs, they announced FlexDisk and Flex-IO this week. I am looking forward to trying out the FlexDisk. Hopefully the mounting process will be faster than the VHD mounting process for FlexApp and portability. You might not think that 2-5 seconds is a long time, but when staring at that Profile Unity splash screen it seems like forever.

Finally, the tech preview of Project Orcha brings us a step closer to the promise of AppBlast that was promised 2 VMworlds ago. The workflow of being able to click a button on a file in Horizon Workspace and have it open in your virtual desktop is a nice feature that uses, from what I understand, no new tech.


VMworld from afar day 1

I decided to put together a list of articles that I thought were interesting from the first day of VMworld 2013. 

Keynote replay - A lot to go over here and most of the articles below cover it. 

Scott Lowe's Live blog of the keynote  - I follow Scott's twitter feed and he always has insightful commentary 

One of the things I liked the most was the lifting of the limits on the vCenter appliance. I feel the less you need to depend on a direct competitor's technology (Microsoft) the better. Duncan Epping has a good overview of the new limits.

One of the keys to building scalable View environments is to not have to rely on a SAN. The new and hopefully vastly improved VMware vSphere Virtual SAN will make that happen. The best part is it is integrated in the hypervisor and not a bolt-on virtual appliance like most vSAN products. Duncan Epping has a great intro to VMware's software defined storage.

Fusion-io announced their new ioVDI product: server-side Flash to "offload most reads and up to 80% of the writes from primary storage..." We will see if you need this add-on product or if the newly announced vSphere Flash Read Cache will be enough for most deployments.

The final thing I wanted to point out was that VMware is planning on adding a DaaS (Desktop as a Service) offering that integrates with Horizon Suite. This will be a part of the newly out of beta vCloud Hybrid Service. This service will rely on VMware's integration of all the recent "software defined" acquisitions. It will lean heavily on the network virtualization platform VMware NSX. Looks like it is time to work on my network weak spot.

There is a lot I missed here but these are the things that stood out to me.

Certificates Who needs em?

So you have upgraded to View 5.0 and, like a lot of people, you never installed a certificate in your connection broker (self-signed or otherwise). Your users will now get a prompt every time they log in.


There are a few ways to handle this. You could get all secure and stuff by creating a self-signed certificate and following the directions (for once) to install the cert on the connection broker.

Or you have 3 options to "work around" this new feature, Group Policy, Registry Keys, or modify your ThinApp. 

Group Policy 

If your client machines are part of your domain, you can use the .adm template located at:

%programfiles%\vmware\VMware View\Server\extras\GroupPolicyFiles\vdm_client.adm

Import that into a new GPO and, under Computer Configuration\Administrative Templates\Classic Administrative Templates(ADM)\VMware View Client Configuration\Security Settings, change the Certificate Verification Mode setting to "No Security".

BTW, the default is "Warn But Allow"; this gives the prompt above. You can set it to "Full Security" and this will prevent the user from connecting to a connection broker with an invalid certificate.

Registry Settings

Your client machines are not part of your domain, you say? You can add this setting to the registry: under HKLM\Software\Policies\VMware, Inc.\VMware VDM\Client\Security, add a String value with the name "CertCheckMode" and choose your value below.

0 = No Security

1 = Warn But Allow 

2 = Full Security
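
An added example (not from the original post and not VMware's code): a PowerShell check that reads CertCheckMode from the registry path above, reports which verification mode the client is in, and can set Full Security. The function names are hypothetical; the key path, value name and 0/1/2 meanings are the ones given in this post.

```powershell
# Added example. Function names are hypothetical; the key path, value name
# and the meaning of 0/1/2 are taken from the post.
$ViewClientKey = 'HKLM:\Software\Policies\VMware, Inc.\VMware VDM\Client\Security'
$ModeNames = @{ '0' = 'No Security'; '1' = 'Warn But Allow'; '2' = 'Full Security' }

function Get-ViewCertCheckMode {
    param([string]$KeyPath = $ViewClientKey)

    $prop = Get-ItemProperty -LiteralPath $KeyPath -Name 'CertCheckMode' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Key or value absent: the post gives the default as "Warn But Allow".
        $raw  = $null
        $mode = 'Warn But Allow (default, value not set)'
    } else {
        $raw  = [string]$prop.CertCheckMode
        $mode = $ModeNames[$raw]
        if (-not $mode) { $mode = "Unrecognised value '$raw'" }
    }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        CertCheckMode      = $raw
        Mode               = $mode
        # Only Full Security stops a connection to a broker with an invalid certificate.
        RejectsInvalidCert = ($raw -eq '2')
    }
}

function Set-ViewCertCheckModeFull {
    param([string]$KeyPath = $ViewClientKey)
    # Needs an elevated session; creates the policy key if it does not exist yet.
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name 'CertCheckMode' -Value '2' `
        -PropertyType String -Force | Out-Null
}

$state = Get-ViewCertCheckMode
$state | Format-List
if (-not $state.RejectsInvalidCert) {
    Write-Warning "View Client on $($state.Computer) accepts an invalid broker certificate ($($state.Mode))."
    # Set-ViewCertCheckModeFull   # uncomment to enforce Full Security
}
```

Setting Full Security only makes sense once the connection broker has a certificate the clients trust, otherwise users will be unable to connect.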


Your View Client is ThinApped you say? Well you need to add the following keys to the HKEY_LOCAL_MACHINE.txt

Once you rebuild the ThinApp your users will no longer see the prompt. 

Change Application Name in ThinApp Pop-Up

I have come across many people that use ThinApp to distribute web apps. Sometimes because they require a specific version of Java or Internet Explorer, other times they do it just cuz they can (that is a valid reason when using ThinApp).

Well when you package IE the little ThinApp pop-up (that you are not allowed to turn off for "legal" reasons) shows "Internet Explorer" and not the name of the web app "Just Cuz I Can"  

So to change that to the web app name "Just Cuz I Can", you add a parameter in the entry point section of the Package.ini for that app called StatusBarDisplayName=Just Cuz I Can, like in the picture below.

Now once you rebuild you get this for the pop-up (that you can't remove)

Thanks to Coby Gurr and Dean Flaming from VMware for the tip.