VMware User Environment Manager – Quick Setup Cheat Sheet

Below is a quick overview of the share, permission and GPO requirements for VMware User Environment Manager. The main steps are: create the AD groups, set up the shares, import the ADMX/ADML files, and then create a GPO to apply the configuration. After that you can install the UEM Manager and start using UEM.

We will start with the AD groups.

UEM AD Groups

You need two AD groups prepared beforehand. These groups will be used to grant permissions to shares.

UEM-Administrators: Add users who need to manage the UEM configuration.

UEM-Users: Add users that will use UEM.

UEM SHARES

One share is for the UEM configuration files. The requirement is to have \\server\UEMConfiguration with, at minimum:

Share permissions:

“Change” for Administrators

“Read” for Users.

NTFS Permissions:

UEM Administrators: Full control

UEM Users: Read & Execute

Sample Config:

I have a file server where D:\ is used for file sharing. You can edit the paths to suit your environment:

REM Create Share and Add Share & NTFS Permission

md D:\UEMShares\UEMConfiguration

net share UEMConfiguration=D:\UEMShares\UEMConfiguration /GRANT:vmw\UEM-Administrators,CHANGE /GRANT:vmw\UEM-Users,READ

REM Not a requirement but I also add Administrators to the shares

icacls D:\UEMShares\UEMConfiguration /inheritance:r

icacls D:\UEMShares\UEMConfiguration /grant vmw\UEM-Users:(OI)(CI)RX

icacls D:\UEMShares\UEMConfiguration /grant vmw\UEM-Administrators:(OI)(CI)F

REM If you want to remove administrators

REM icacls D:\UEMShares\UEMConfiguration /remove Administrators

The second share is for profiles and archives.

\\server\UEMProfiles

Share permissions

“Change” for all users.

NTFS permissions

UEM administrators and help desk: Full control, This folder, subfolders and files

UEM Users: Read & execute, Create folders/append data, This folder only

Creator-owner: Full control, Subfolders and files only

Sample Config:

REM Create Share and Add Share & NTFS Permission

md D:\UEMShares\UEMProfiles

net share UEMProfiles=D:\UEMShares\UEMProfiles /GRANT:vmw\UEM-Users,CHANGE /GRANT:vmw\UEM-Administrators,CHANGE

icacls D:\UEMShares\UEMProfiles /inheritance:r

icacls D:\UEMShares\UEMProfiles /grant vmw\UEM-Users:(NP)(RX,AD)

icacls D:\UEMShares\UEMProfiles /grant vmw\UEM-Administrators:(OI)(CI)F

REM (IO) = inherit only, so the ACE applies to subfolders and files only

icacls D:\UEMShares\UEMProfiles /grant "CREATOR OWNER":(OI)(CI)(IO)F

REM icacls D:\UEMShares\UEMProfiles /remove Administrators
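
To confirm that the ACL on the profile share root matches the intent above (UEM users limited to "This folder only", CREATOR OWNER applying to subfolders and files only), a check like the following can be run in PowerShell on the file server. This is an added example, not part of the original post; the path and group names are taken from the sample config, and the list of expected trustees is an assumption to adjust for your environment.

```powershell
# Added example: audit the NTFS ACL on the UEM profile share root.
# Assumed values: path and group names come from the sample config above.
$Path     = 'D:\UEMShares\UEMProfiles'
$Users    = 'vmw\UEM-Users'
# Assumption: these are the only trustees that should appear on the root.
$Expected = @($Users, 'vmw\UEM-Administrators', 'CREATOR OWNER', 'BUILTIN\Administrators')

$acl      = Get-Acl -LiteralPath $Path
$findings = New-Object System.Collections.Generic.List[string]

# "icacls /inheritance:r" should leave the folder with protected (non-inherited) rules.
if (-not $acl.AreAccessRulesProtected) {
    $findings.Add('Inheritance is still enabled on the share root.')
}

# Rights UEM-Users may hold on the root: Read & execute + Create folders/append data.
$rights  = [System.Security.AccessControl.FileSystemRights]
$allowed = [int]($rights::ReadAndExecute) -bor [int]($rights::AppendData) -bor [int]($rights::Synchronize)
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value

    if ($Expected -notcontains $id) {
        $findings.Add("Unexpected trustee on share root: $id ($($ace.FileSystemRights))")
    }
    if ($id -eq $Users) {
        # "This folder only": the ACE must not flow down into other users' folders.
        if ($ace.InheritanceFlags -ne 'None') {
            $findings.Add("$id ACE is inherited by children: $($ace.InheritanceFlags)")
        }
        $extra = [int]($ace.FileSystemRights) -band (-bnot $allowed)
        if ($extra -ne 0) {
            $findings.Add(('{0} holds rights beyond RX + AD: 0x{1:X}' -f $id, $extra))
        }
    }
    if ($id -eq 'CREATOR OWNER' -and -not $ace.PropagationFlags.HasFlag($inheritOnly)) {
        $findings.Add('CREATOR OWNER ACE is not inherit-only (subfolders and files only).')
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "ACL on $Path matches the intended layout." }
```

The script only reads the ACL; it reports deviations as warnings and changes nothing on the share.
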

GPO Configuration:

First step: copy the ADMX files from the installation media to the domain controller’s PolicyDefinitions folder. (Managing ADMX Files)

Copy .admx to C:\Windows\SYSVOL\sysvol\<domainname>\Policies\PolicyDefinitions

Copy .adml to C:\Windows\SYSVOL\sysvol\<domainname>\Policies\PolicyDefinitions\en-US

Then create a GPO and apply it to clients:

Location: User Configuration\Administrative Templates\VMware UEM\FlexEngine.

Flex Config Files: \\Server\UEMShares\General and select the option Process folder recursively.

Profile archives: \\Server\UEMprofiles\%username%\archives and Compress profile archives.

Profile archive backups: \\Server\UEMprofiles\%username%\backups

For number of backups per profile archive, select the required number.

Run FlexEngine as Group Policy Extension: enable this to run FlexEngine automatically during login as a Group Policy client-side extension.

To guarantee this, enable Always wait for the network at computer startup and logon at Computer Configuration > Policies > Administrative Templates > System > Logon.

FlexEngine logging: \\Server\UEMprofiles\%username%\logs

Log level: Debug. Warn in a production environment.

Maximum log file size in KB: 512

UEM FlexEngine logout command: User Configuration > Windows Settings > Scripts and configure the logout command: C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe -s