VMware User Environment Manager – Quick Setup Cheat Sheet

Below is quick glance of share/permissions/GPO requirements of VMware User Environment Manager.  Main steps are; create AD groups, setup shares, Import ADMX/ADML and then create GPO to apply configurations. Then you can easily install the UEM Manager and start using UEM.

We will start with AD groups;

UEM AD Groups

You need two AD groups prepared beforehand. These groups will be used to grant permissions to shares.

  • UEM-Administrators: Add users who needs to manage UEM Config.
  • UEM-Users: Add users that will use UEM.

UEM SHARES

One share is for UEM configuration Files. The requirement is to have \\server\UEMConfiguration with minimum;

  • share permissions: 
    • “Change” for Administrators
    • “Read” for Users.
  • NTFS Permissions:
    • UEM Administrators: Full control
    • UEM Users: Read & Execute

Sample Config:

I have file server with D:\ is for file sharing.  You can edit per your environment:

REM Create Share and Add Share & NTFS Permisson
md D:\UEMShares\UEMConfiguration
net share UEMConfiguration=D:\UEMShares\UEMConfiguration /GRANT:vmw\UEM-Administrators,CHANGE /GRANT:vmw\UEM-Users,READ
REM Not a requirement but I also add Administrators to the shares
icacls D:\UEMShares\UEMConfiguration /inheritance:r
icacls D:\UEMShares\UEMConfiguration /grant vmw\UEM-Users:(OI)(CI)RX
icacls D:\UEMShares\UEMConfiguration /grant vmw\UEM-Administrators:(OI)(CI)F
REM If you want to remove administrators
REM icacls D:\UEMShares\UEMConfiguration /remove Administrators

 

The second share is for Profiles and achieves.

\\server\UEMProfiles

  • Share permissions
    • “Change” for all users.
  • NTFS permissions
    • UEM administrators and  help desk: Full control, This folder, subfolders and files
    • UEM Users: Read & execute, Create folders/append data, This folder only
    • Creator-owner: Full control, Subfolders and files only

Sample Config:

REM Create Share and Add Share & NTFS Permisson
md D:\UEMShares\UEMProfiles
net share UEMProfiles=D:\UEMShares\UEMProfiles /GRANT:vmw\UEM-Users,CHANGE /GRANT:vmw\UEM-Administrators,CHANGE
icacls D:\UEMShares\UEMProfiles /inheritance:r
icacls D:\UEMShares\UEMProfiles /grant vmw\UEM-Users:(NP)(RX,AD)
icacls D:\UEMShares\UEMProfiles /grant vmw\UEM-Administrators:(OI)(CI)F
icacls D:\UEMShares\UEMProfiles /grant "CREATOR OWNER":(OI)(CI)F
REM icacls D:\UEMShares\UEMProfiles /remove Administrators

GPO Configuration:

First Step, Copy admx files within installation media to Domain Controller’s PolicyDefinitions folder. (Managing ADMX Files)

  • Copy .admx to C:\Windows\SYSVOL\sysvol\<domainname>\Policies\PolicyDefinitions
  • Copy .adml to C:\Windows\SYSVOL\sysvol\<domainname>\Policies\PolicyDefinitions\en-US

Then Create a GPO and apply to clients:

Location: User Configuration\ Administrative Templates\VMware UEM\FlexEngine.

  • Flex Config Files: \\Server\UEMShares\General and select the option Process folder recursively.
  • Profile archives: \\Server\UEMprofiles\%username%\archives and Compress profile archives.
  • Profile archive backups: \\Server\UEMprofiles\%username%\backups
    • For number of backups per profile archive, select the required number.
  • Run FlexEngine as Group Policy Extension: to run FlexEngine automatically during login by running as a Group Policy client-side extension.
    • To guarantee; enable Always wait for the network at computer startup and logon at Computer Configuration > Policies > Administrative Templates > System > Logon.
  • FlexEngine logging: \\Server\UEMprofiles\%username%\logs
    • Log level: Debug
    • Warn in a production environment.
    • Maximum log file size in KB: 512
  • UEM FlexEngine logout command: User Configuration > Windows Settings > Scripts and configure the logout command: C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe –s
Bulent Tolu

Bulent Tolu

Sr. Systems Engineer at VMware
Bulent is an IT professional with Master's in MIS and 10-years of experience in broad range of Information Technologies. He is exposed to engineering/architecting, implementation/integration, and administration of various high-available IT systems and infrastructure. He has a passion to continually research, test and evaluate new technologies and follow industry best practices to secure and optimize IT systems. Currently, he lives in Istanbul and works as a Sr. Systems Engineer at VMware.
Bulent Tolu

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation

Share
Translate »