VMware Horizon Client for Mac Compatibility Matrix

It’s an odd thing that VMware does not include this in their other Compatibility Matrix tools. If they do, they sure hide it well. I decided to make a quick chart for easy reference since there is a lot of confusion as to what can be installed on what versions. Take a look at the VMware Horizon Client for Mac documentation page for Release Notes, User Guides, and Installation and Setup Guides. The Release Notes also include Resolved Issues and Known Issues for each version.

https://docs.vmware.com/en/VMware-Horizon-Client-for-Mac/index.html

Prepare macOS Catalina for Desktop Anywhere

No Smartcard Detected

Air Force Reserve Command (AFRC) has been at the forefront of many projects before “Big Blue”. The Desktop Anywhere service not only enables Reserve Air Force Airmen, but more recently enabled “Big Blue” to increase productivity and raise its awareness and use of the service.

Update: I am now retired from the Air Force, but I am still involved with the DoD. This page will not be maintained but please contact me if there are any questions that come up.


Disclaimer 1: I am a Traditional Reservist in the United States Air Force Reserve from the 914th Communications Squadron located in Niagara Falls, NY. My Air Force Specialty Code (AFSC) is 3D072 (Cyber Systems Operations).🤓 When I am not fulfilling my military obligation, I work as a Senior Consultant, Federal for VMware, Inc. Please follow along at your discretion. It is obligatory for me to write that these are my opinions and suggestions and my guidance only. The material provided here is not “Official” USAF or VMware, Inc guidance. Rest assured, what I provide you will likely result in a successfully working configuration, I just don’t want to be reprimanded or fired. 😉

Disclaimer 2: I am using a new and clean installed version of macOS Catalina 10.15.4 on a VMware Fusion virtual machine. While this should not cause any difference from a bare metal installation (like your MacBook or iMac), I wanted to provide full transparency.

Assumptions: If you are reading this, I assume you need a little guidance, but are not such a novice that you won’t know to click an ‘OK’ button, open a web browser, navigate and download programs, or something similar. I will do my best to make this as easy as possible, but within reasonable expectations that you know how to use your computer. If you need further assistance from what’s provided here, please feel free to reach out to me on the Facebook Group.

Update Your Mac

It is always wise to ensure you are running the newest versions of software, especially your Operating System. I am writing this using Version 10.15.4.

Ref: https://support.apple.com/en-us/HT201541

Hardware Component

Check with your local unit to see if they can provide you with a card reader. I am unsure of the policy at every installation. My unit provided me with a HID OMNIKEY 3121 USB Card Reader. I like this reader because it is well built and Mac friendly.

Software Components

You can look at the Public DoD Cyber Exchange’s website for getting started if you need more guidance. (https://public.cyber.mil/pki-pke/end-users/getting-started/#toggle-id-2)

DoD Certificates (Mandatory)

Download: https://public.cyber.mil/pki-pke/tools-configuration-files/

Another article on my site for help with DoD Certificates on macOS Catalina can be found here: https://www.aaronrombaut.com/dod-certificates-on-macos-catalina/

VMware Horizon Client (Mandatory)

Download: https://my.vmware.com/web/vmware/details?downloadGroup=CART21FQ1_MAC_542&productId=863&rPId=44670

Smart Card Driver (Optional, but most likely needed)

If you have a HID Smart Card Reader, you will need drivers.

Download: https://www.hidglobal.com/drivers?field_driver_brand_tid_selective=All&field_driver_product_reference_nid_selective=All&field_driver_operating_systems_tid_selective=187&title=

I noticed a lot of people have an Identiv Smart Card Reader. Please use the following download link to get the driver for your Identiv reader model.

Download: https://support.identiv.com/products/smart-card-readers/

If you have a different brand of reader, hopefully it will be a truly plug-and-play model, and will not need a driver. Seek out support from your card manufacturer if you need it. You can try to navigate through the MilitaryCAC.com family of websites, but I find the site very obtuse to navigate through. Maybe you will have better luck, though.

Downloaded software components for macOS 10.15.4

Keychain Access

The first step is to install and trust the DoD certificates. Open up Keychain Access and verify your current certificates. Make sure you see only one login Keychain. If you have more than one, back up the items from the old Keychain and remove it so that you only have one active. Change the Category to Certificates so that you can see what certificates are currently loaded. If you see any certificates that are expired, you will want to remove them.

Double-click on each file ending in .pem and .p7b. You may be prompted to choose the Keychain to which you want to add the certificates. Choose your login keychain.

At this point, you should see a lot of DoD-related certificates in Keychain Access. Scroll down until you see the DoD Root CA certificates. You should notice that they have a white x in a red circle. This indicates that they are not trusted.

Double-click on each of the root certificates, expand Trust, and change the When using this certificate: from Use System Defaults to Always Trust. Only do this for the DoD Root CA certificates.

Before changing When using this certificate:
After changing When using this certificate:

Close the windows and provide authentication, either password or fingerprint if you have that configured.

Once you trust the four DoD Root CA certificates, the icons should now be white + in a light blue circle. This indicates the certificate is trusted.

This completes the steps necessary to add the DoD certificates to your Keychain Access and trust the DoD Root CA certificates.
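One way to review the downloaded certificate files in Terminal before setting anything to Always Trust, added here as an example and not part of the original post: it lists every certificate in a PEM bundle with its role, expiry state and SHA-256 fingerprint, so expired entries stand out and each root can be compared with a fingerprint obtained from a trusted source. The function name inspect_bundle and the file names are assumptions.

```shell
#!/bin/sh
# Added example: list the certificates in a PEM bundle before trusting any of them.
# A .p7b file has to be converted to PEM first, for example:
#   openssl pkcs7 -inform DER -in bundle.p7b -print_certs -out bundle.pem
# (drop "-inform DER" if the .p7b is already PEM-encoded).

# inspect_bundle FILE
# Prints one tab-separated line per certificate:
#   ROLE (ROOT|INTERMEDIATE)  STATE (VALID|EXPIRED)  SHA-256 fingerprint  subject
inspect_bundle() {
    bundle=$1
    tmp=$(mktemp -d) || return 1

    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out                           { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    for c in "$tmp"/cert*.pem; do
        [ -e "$c" ] || continue
        subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | cut -d= -f2)

        # Heuristic: a root CA certificate is issued to itself (subject == issuer).
        if [ "$subject" = "$issuer" ]; then role=ROOT; else role=INTERMEDIATE; fi

        # -checkend 0 exits non-zero when the certificate has already expired.
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            state=VALID
        else
            state=EXPIRED
        fi

        printf '%s\t%s\t%s\t%s\n' "$role" "$state" "$fp" "$subject"
    done
    rm -rf "$tmp"
}
```

Only the lines marked ROOT correspond to the certificates that get Always Trust in the step above; anything marked EXPIRED is a candidate for removal.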

VMware Horizon Client – Installation

Double-click on the VMware Horizon Client package file you downloaded earlier. The installer will open to the License Agreement.

Click Agree, then the actual installer will open. Like typical Mac software, drag the VMware Horizon Client icon onto the Applications Shortcut.

There will not be an indicator that the installation completes besides finding the new icon in the Applications menu of your Finder window. You can close the VMware Horizon Client installer utility. Please refer to VMware’s documentation for Release Notes, Known Issues, User Guides, and Installation and Setup Guides found at https://docs.vmware.com/en/VMware-Horizon-Client-for-Mac/index.html

This completes the installation of the VMware Horizon Client.

VMware Horizon Client – Configuration

Double-click the VMware Horizon Client icon. You can find it using a Spotlight Search (command + space bar) or look in the Applications menu in Finder. You should receive a security warning.

Click Open to allow the Horizon Client to open.

Optional: If you want easier access to the VMware Horizon Client in the future, after you open up the software, right-click (or ctrl + click if right-click option is not configured) on the icon in the Dock and choose Options > Keep in Dock.

On the first launch, you should be presented with a window prompting you to Enter the name of the Connection Server.

At the time of this writing, the address for general use is:

afrcdesktops.us.af.mil

Click Connect.

You should receive a Disclaimer window. If you followed the section above about adding and trusting DoD Certificates, you should see the https in green. If you see it in red, this indicates that your certificates are not being trusted.

Click Accept.

You should now see a Login window requesting your certificate.

Choose your non-email certificate and click Continue.

Enter your PIN and click Continue.

At this point, you should now be presented with your entitled Apps. Your entitlements will most likely not be the same as mine.

Click on the Windows 10 SDC 5.5 (or similar desktop if your base has a different image) in order to access your desktop.

This completes the VMware Horizon Client – Configuration section. I am going to include a troubleshooting section below in case there are any issues.

Smart Card Reader – Troubleshooting

Note: the section below is not complete and most likely never will be, given the way technology changes. I will try to update it as new issues arise.

If you have not connected your reader or plugged in your Common Access Card (CAC), you should receive the following Alert.

If you have connected your reader and plugged in your CAC, but your CAC is not being recognized, you should receive the following Login window.

The above most likely is a result of not having the appropriate driver for your Card Reader. You can test if your Card Reader is detected from the Terminal.

Open Terminal, type:

pcsctest

Once you press Enter, you will (or you won’t) see your card reader listed.

As you can see, my card reader is not being detected. This indicates that I will need to go to the manufacturer’s website and download and install the correct driver. Once I installed and restarted my computer, I re-ran the command in a Terminal.

If you have received any errors at this point, leave your CAC in the reader, close VMware Horizon Client, restart your computer, and re-open VMware Horizon Client.

VMware ESXi SSL Certificate Signing Request (CSR)

Need to replace the certificates with a custom certificate from a commercial or corporate Certificate Authority (CA)? You are going to need a Certificate Signing Request (CSR).

I use the certificate-manager tool (see below) included with vCenter to generate all of my requests. I found recently that you can skip this altogether if you can include the certificate’s key from the CA. In the traditional method, though, you will generate a CSR, submit it to the CA, and receive back a custom signed certificate.

/usr/lib/vmware-vmca/bin/certificate-manager
  • Connect to your Platform Services Controller (PSC) via SSH. This could be the same as your vCenter server.
  • Create a temporary directory to store your files in when you run the certificate-manager tool. Create a directory for each system you intend to generate CSR files for. I use the following format for my directory:
/tmp/hostname1
/tmp/hostname2
...
/tmp/hostnamen
  • Run the certificate-manager tool:
/usr/lib/vmware-vmca/bin/certificate-manager
  • Select option 1 to replace the Machine SSL.
  • Provide the administrator username if the SSO domain is not default or press Enter.
  • Provide the administrator password.
  • Select option 1 to Generate Certificate Signing Request(s)…
  • Provide an Output directory path such as
/tmp/hostname

The next information you will be requested to enter is for the certificate.

  • Country – Use two digit code (https://www.iso.org/obp/ui/#search)
  • Name – Use the fully qualified domain name of the server here
  • Organization – Name of your organization
  • OrgUnit – Name of your department
  • State – The state where the system resides (no abbreviations)
  • Locality – The city where the system resides
  • IPAddress – IP address of the system
  • Email – Email address for person or department responsible for administration of the system
  • Hostname – It’s best to always include a fully qualified domain name as well as a short name.
  • Proper value of VMCA ‘Name’ – I use the fully qualified domain name here

Press option 2 to Exit certificate-manager. Your csr and key files will be stored at the location you specified.
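A check worth running on the generated files before the CSR leaves the system, added here as an example and not part of the original post or of VMware's tooling: it confirms the CSR's self-signature, that the key file really belongs to that CSR, that the fully qualified and short names are both in the subjectAltName, and it restricts the key file's permissions because it sits under /tmp. The function names and arguments are assumptions.

```shell
#!/bin/sh
# Added example: validate a CSR and its private key before submitting the CSR to a CA.
# Usage (paths and names are placeholders): check_csr CSR_FILE KEY_FILE NAME [NAME ...]

# SHA-256 of the public key embedded in the CSR.
csr_pubkey_hash() {
    openssl req -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from the private key file.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if NAME is an exact DNS entry in the CSR's subjectAltName.
csr_has_dns_name() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fxq "DNS:$2"
}

check_csr() {
    csr=$1; key=$2; shift 2

    # 1. The CSR must carry a valid self-signature. The message text is matched
    #    because older openssl builds exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "FAIL signature"; return 1; }

    # 2. The key on disk must be the one the CSR was generated from.
    [ "$(csr_pubkey_hash "$csr")" = "$(key_pubkey_hash "$key")" ] \
        || { echo "FAIL key-mismatch"; return 1; }

    # 3. Every expected name (FQDN and short name) must appear in the SAN.
    for name in "$@"; do
        csr_has_dns_name "$csr" "$name" \
            || { echo "FAIL missing-san $name"; return 1; }
    done

    # 4. The private key should be readable by its owner only.
    chmod 600 "$key" || return 1
    echo "OK"
}
```

Only the .csr file is sent to the CA; the .key file stays on the system and can be removed from /tmp once the signed certificate has been installed.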

Apple Computer

If you use an Apple computer, you can use scp in the Terminal to copy the files.

$ mkdir -p ~/Documents/Certificates/hostname/
$ cd ~/Documents/Certificates/hostname/
$ scp [email protected]:/tmp/hostname/*.* .

Windows Computer

If you use Windows, I recommend WinSCP. You will first need to set the shell on the Platform Services Controller to Bash.

chsh -s /bin/bash root

Follow the instructions of your CA on how to submit the CSR to be signed.

Section 1 – Install and Configure Horizon Server Components

Objective 1.1 – Describe techniques to prepare environment for Horizon

This is a very odd objective to work through. I think the word “techniques” is what is throwing me off. To me, the word should be “requirements” and is asking the test taker what is required to prepare the environment for the installation of VMware Horizon 7.

According to the Horizon 7 Installation guide, “Horizon Connection Server has specific hardware, operating system, installation, and supporting software requirements.” (Reference: https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-858D1E0E-C566-4813-9D53-975AF4432195.html) I would also add licenses to this list as not all features are supported in all versions.

Hardware Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-332CFB83-784A-4578-9354-888C0538909A.html

Supported Operating Systems – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-30AA88CF-8CDF-42E5-97D4-D75B2171434B.html

Virtualization Software Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-BB3405C3-7026-47BE-A994-0E2C01651BBF.html

Network Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-2EC85E02-D6A8-4A75-B8B2-E7A6AE62E7CC.html

The three editions of Horizon 7 are Horizon Standard, Horizon Advanced, and Horizon Enterprise.

Objective 1.2 – Determine procedures to install Horizon Components

The following link provides a high level overview of the installation procedures. https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-getting-started/GUID-C4C7ACB1-2283-4D6B-92CB-058DA94A4F2F.html

Objective 1.3 – Determine steps to configure Horizon Components

The link in Objective 1.2 has links to each step that help with the configuration of the components. So far though, the components have not been listed. Below is a list of a few of the components of Horizon 7.

  • View Composer – used if linked clone desktops are going to be deployed
  • Horizon Connection Server – this is the server that clients use to connect to the Horizon environment
  • JMP (Just-In-Time Management Platform)
  • Horizon Agent
  • Horizon Client
  • ThinApp
  • App Volumes

Objective 1.4 – Analyze End User Requirements for Display Protocol Performance

End user requirements for display protocol performance are limited to the way the client connects to the virtual desktop. The three display protocols offered are VMware Blast Extreme, PCoIP, and Microsoft RDP. Clients that connect to the desktop with HTML Access use Blast Extreme, and not PCoIP or Microsoft RDP.

For more information on choosing a display protocol, reference the following VMware Doc, here.

Objective 1.5 – Diagnose and solve issues related to connectivity between Horizon server Components

This objective seems to be calling out the ports and protocols that are used within the Horizon environment. There are a lot of them as this technology ties together a lot of different components. Also, the firewall will have to be taken into account and configured appropriately. If the components are configured in the local area network or DMZ, this should cut down on the configuration needed at the edge and also provide for a more secure installation.

Here is a link to the VMware docs for the communications protocols.

Default Ports

Protocol – Port
JMS – TCP port 4001; TCP port 4002
AJP13 – TCP port 8009
HTTP – TCP port 80
HTTPS – TCP port 443
MMR/CDR – TCP port 9427
RDP – TCP port 3389
SOAP – TCP port 80 or 443
PCoIP – TCP port 4172; UDP ports 4172, 50002, 55000
USB redirection – TCP port 32111
VMware Blast Extreme – TCP ports 8443, 22443; UDP ports 443, 8443, 22443
HTML Access – TCP ports 8443, 22443

Dell EMC Avamar and VMware 6.5 Snapshot Quiescing Error

During a rebuild of a Dell EMC Avamar backup solution, we ran into an issue where VMware was logging, “An error occurred while quiescing the virtual machine. See the virtual machine’s event log for details.” for a few virtual machine backups. While testing, we noticed that it was not occurring on all backups.

On a functional backup with no errors, a machine had a service called VMware Snapshot Provider and this service was set to manual. On the machine I was troubleshooting, this service didn’t even show up in the list. I opted to uninstall tools, restart the server, and then reinstall VMware tools. Upon inspection of the services listing this time, the service was present and set to manual. I tested a backup and there were no failures and the machine backed up fine.

I tested another virtual machine that I knew previously worked and this time I went to services and set the VMware Snapshot Provider service to disabled and initiated a backup on the Avamar UI (AUI). As expected, VMware logged an event as noted above.

In conclusion, if you notice this error occurring, even if there were no errors previously, check for this service. The service can be reinstalled by invoking the VMware Tools installer again and changing the installed features. If all else fails, just remove, reboot, and re-install.