VMware User Environment Manager – Quick Setup Cheat Sheet

VMware User Environment Manager – Quick Setup Cheat Sheet

Below is quick glance of share/permissions/GPO requirements of VMware User Environment Manager.  Main steps are; create AD groups, setup shares, Import ADMX/ADML and then create GPO to apply configurations. Then you can easily install the UEM Manager and start using UEM.

We will start with AD groups;

UEM AD Groups

You need two AD groups prepared beforehand. These groups will be used to grant permissions to shares.

  • UEM-Administrators: Add users who needs to manage UEM Config.
  • UEM-Users: Add users that will use UEM.

UEM SHARES

One share is for UEM configuration Files. The requirement is to have \\server\UEMConfiguration with minimum;

  • share permissions: 
  • “Change” for Administrators
  • “Read” for Users.
  • NTFS Permissions:
    • UEM Administrators: Full control
    • UEM Users: Read & Execute

    Sample Config:

    I have file server with D:\ is for file sharing.  You can edit per your environment:

    REM Create Share and Add Share & NTFS Permisson
    md D:\UEMShares\UEMConfiguration
    net share UEMConfiguration=D:\UEMShares\UEMConfiguration /GRANT:vmw\UEM-Administrators,CHANGE /GRANT:vmw\UEM-Users,READ
    REM Not a requirement but I also add Administrators to the shares
    icacls D:\UEMShares\UEMConfiguration /inheritance:r
    icacls D:\UEMShares\UEMConfiguration /grant vmw\UEM-Users:(OI)(CI)RX
    icacls D:\UEMShares\UEMConfiguration /grant vmw\UEM-Administrators:(OI)(CI)F
    REM If you want to remove administrators
    REM icacls D:\UEMShares\UEMConfiguration /remove Administrators

     

    The second share is for Profiles and achieves.

    \\server\UEMProfiles

    • Share permissions
    • “Change” for all users.
  • NTFS permissions
    • UEM administrators and  help desk: Full control, This folder, subfolders and files
    • UEM Users: Read & execute, Create folders/append data, This folder only
    • Creator-owner: Full control, Subfolders and files only

    Sample Config:

    REM Create Share and Add Share & NTFS Permisson
    md D:\UEMShares\UEMProfiles
    net share UEMProfiles=D:\UEMShares\UEMProfiles /GRANT:vmw\UEM-Users,CHANGE /GRANT:vmw\UEM-Administrators,CHANGE
    icacls D:\UEMShares\UEMProfiles /inheritance:r
    icacls D:\UEMShares\UEMProfiles /grant vmw\UEM-Users:(NP)(RX,AD)
    icacls D:\UEMShares\UEMProfiles /grant vmw\UEM-Administrators:(OI)(CI)F
    icacls D:\UEMShares\UEMProfiles /grant "CREATOR OWNER":(OI)(CI)F
    REM icacls D:\UEMShares\UEMProfiles /remove Administrators

    GPO Configuration:

    First Step, Copy admx files within installation media to Domain Controller’s PolicyDefinitions folder. (Managing ADMX Files)

    • Copy .admx to C:\Windows\SYSVOL\sysvol\<domainname>\Policies\PolicyDefinitions
    • Copy .adml to C:\Windows\SYSVOL\sysvol\<domainname>\Policies\PolicyDefinitions\en-US

    Then Create a GPO and apply to clients:

    Location: User Configuration\ Administrative Templates\VMware UEM\FlexEngine.

    • For number of backups per profile archive, select the required number.
  • Run FlexEngine as Group Policy Extension: to run FlexEngine automatically during login by running as a Group Policy client-side extension.
    • To guarantee; enable Always wait for the network at computer startup and logon at Computer Configuration > Policies > Administrative Templates > System > Logon.
  • FlexEngine logging: \\Server\UEMprofiles\%username%\logs
    • Log level: Debug
    • Warn in a production environment.
    • Maximum log file size in KB: 512
  • UEM FlexEngine logout command: User Configuration > Windows Settings > Scripts and configure the logout command: C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe –s
  • Bulent Tolu
    Latest posts by Bulent Tolu (see all)
    Share
    Translate »