VMware Horizon View – Kiosk mode


Kiosk mode is a method of delivering a VMware Horizon View desktop to a zero client, a thin client or a PC without the need for an end-user to authenticate to the connection server. Instead of associating a VDI with a userID, kiosk mode associates a VDI with a MAC address or a clientID of an endpoint device.This allows an organisation to provide access to a VDI to users that do not have a user ID, which is typically the case in public places.

As there is no user authentication, there is obviously also no need to preserve user data or to deliver persistent desktops.

In some circumstances however, it might be required that all kiosk users log in to the VMware Horizon View desktop with the same, predetermined username and password. This scenario can be desirable when use of the kiosk or an application is restricted to a known set of users, such as company employees or registered students, but is not available to the general public. In this case, people who know the password can use the kiosk, but these users are not identified by personal credentials.


How to setup

The setup of kiosk mode in VMware Horizon View is rather simple, but does require the use of the command line tool vdmadmin.

Step 1: create a new organisational unit (OU) specific for kiosk users

This OU will contain all kiosk mode VDIs and all accounts that will have access to a kiosk mode VDI. Specific GPOs can be associated with this OU to lock down the VDI session.

Example: OU=kiosk,OU=vdi,DC=mydomain,DC=local

Step 2: create a new Active Directory Security group 

This security group will contain all accounts that will have access to a kiosk mode VDI

Example: gg-euc-kiosk

Step 3: create a new floating Desktop pool in VMware Horizon View

Add all the VDIs to the OU created in Step 1

Make sure to delete or refresh the VDI immediately at logoff

Entitle the group you created in step 2 to this desktop pool

Step 4: Set default values for the organisational unit (OU), password expiration, and group membership of clients in kiosk mode.

This is done by executing the vdmadmin command line utility. The vdmadmin utility is located at C:\Program Files\VMware\VMware View\Server\tools\bin of each VMware Horizon View Connection server and should be executed from a command line (as administrator) directly from a VMware Horizon View Connection server.

Example: vdmadmin -Q -clientauth -setdefaults -ou “OU=kiosk,OU=vdi,DC=mydomain,DC=local” -noexpirepassword -group gg-euc-kiosk

Step 5: Add accounts for clients in Kiosk mode

The VMware Horizon View Connection Server creates Active Directory user account and passwords for each client based on the client’s MAC address or client ID, which it uses to authenticate the client when connecting it to the View desktop.

The clientid parameter must be in the form <MAC-address>, cm-<MAC-address> or custom-<name> where <MAC-address> is of the form aa:cc:ff:aa-33-99

Example-1: vdmadmin -Q -clientauth -add -domain MYDOMAIN -clientid custom-kiosk01 -password “Secret_Password” -ou “OU=kiosk,OU=vdi,DC=mydomain,DC=local” -group gg-euc-kiosk -description “VDI Kiosk User 01” -noexpirepassword

Example-2:  vdmadmin -Q -clientauth -add -domain MYDOMAIN -clientid cm-00:50:56:82:81:ec -genpassword -ou “OU=kiosk,OU=vdi,DC=mydomain,DC=local” -group gg-euc-kiosk -description “Horizon View Kiosk account for client with MAC address 00:50:56:82:81:ec” -noexpirepassword

Step 6: Enable authentication of clients in kiosk mode for each View Connection Server instance

Example: vdmadmin -Q -enable -s MYCONNECTIONSERVER

Step 7: Setup clients to connect to the kiosk mode VDIs

Example when connecting via a specific username:

“C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe” -unattended -serverURL view.mydomain.local -userName custom-kiosk01 -password Secret_Password

Example when connecting via a specific endpoint who’s MAC address has been added as an account (Step 5):

“C:\Program Files (x86)\VMware\VMware Horizon View Client\vmware-view.exe” -unattended -serverURL view.mydomain.local



Leave a Reply

Your email address will not be published. Required fields are marked *