Add Restriction Tags to VMware Horizon 6 Hosted Applications


I have had several customers ask if it is possible to add restriction tags to Hosted Application pools in the same way they can be applied to desktop pools.    Restriction tags allow you to choose which connection server brokers a desktop (or application) is available from.   This can be used to restrict certain pools from being available only internally or only externally when paired with a security server.   This functionality has existed for a long time for Desktop pools, and there is no current way in the GUI to set this for Application Pools.

One of my colleagues was asking about this again last week, so I decided to dig into the View ADAM (Active Directory Application Mode) LDAP store and see if it was possible to manually add a tag to an application pool.   Tags are stored in an attribute called “pae-EntitlementsTagString” for both connection servers, and pools.

Before we get into the process, please note:

This post and application are just showing what is possible – use at your own risk!

Setting Tags on a Connection Server

Browse to a connection server in the View Administrator

  • Choose Edit
  • On the general tab to you will see a Tags section – add one or more tags separated by either semi-color or comma.

Any pools set with this tag can only be accessed from a connection server with the corresponding tag applied.

Screen Shot 2015-09-14 at 9.20.10 AM

Once you add the tags they are written into the “pae-EntitlementsTagString” attribute in the ADAM store.

Screen Shot 2015-09-14 at 9.47.48 AM

Setting a Tag on a Published Application

Once you have one or more tags added to one or more connection servers, you can apply the tag to a Desktop pool, or in this case an Application pool.   Each Application pool has the same “pae-EntitlementsTagString”.  

Screen Shot 2015-09-11 at 2.55.48 PM

If i manually add the “EXTERNAL” tag to the pool and then log into a connection server via either the Horizon Client or the HTML access portal I will see that the Calculator application as well as a Windows 7 pool which are both tagged “EXTERNAL” are only visible and available on the connection server which is tagged with “EXTERNAL”.  Ok, it works perfectly.   How to set this value easier and also provide a list of all connection server tags which are available?  That why I wrote the application.

Screen Shot 2015-09-11 at 6.31.12 PM

VMware Horizon Tag Published Apps Utility

To the the process of adding tags to published applications easier I wrote a small .NET application.  You specify the address of a valid connection server and it binds to the ADAM LDAP store and reads and write the appropriate data.

One you successfully connect it first provides a list of all published applications into a dropdown box.

NOTE: You must execute this application under the context of a View Administrator that has proper access to view and edit the ADAM store.  

Screen Shot 2015-09-14 at 10.17.55 AM

Then select one of the published applications or click the “Refresh Tags” button.  This will populate the “Connection Server Tags” list with all available Tags and it will check any tags that are currently applied to that published application.

Screen Shot 2015-09-14 at 10.14.00 AM

You can now check or uncheck tags as desired and hit “Save Settings”.   This will write the changes into the ADAM LDAP store and the changes are made dynamically.  Hit “Refresh Tags” to verify the changes.

Screen Shot 2015-09-14 at 10.25.09 AM

That’s it!  Pretty simple application that allows you to add tags to published applications in VMware Horizon 6.   But remember, this is not currently supported!  

The application is available from the link below – please test it out and let me know your feedback and suggestions!

Download the VMware Horizon Tag Apps Utility Here!

This entry was posted in Horizon View Utilities. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s