Tune and Test the VDI Policy

After you configure the golden image, tune and test the policy using the following workflow.
  1. Fine-tune the exploit and malware protection policies for your VDI.
    If your organization supports a mixed environment of VDI and non-VDI instances, you can apply the Condition for VDI Machine to each rule that applies to only the VDI instances. For example, you can configure Traps to:
  2. Use the golden image to spawn a small pool of persistent sessions (2 or 3). Deploy the sessions in a production environment and imitate the expected day-to-day user behavior, such as browsing, development, and dedicated application usage).
  3. Gather additional information during this period to further optimize the default session policy and test any special restrictions applied to the non-persistent sessions. Typically, clients deployed in persistent mode enable better forensics collection than clients deployed in non-persistent mode.
  4. Resolve any stability issues on the test machine and on the test VDI pool that were caused by the exploit or malware protection policies.
  5. After the VDI server spawns a session from the golden image and connects to the ESM Server, disconnect the golden image. Then revise the VDI policy so that WildFire integration is enabled, EPM Injection is set according to the configuration tested on the golden image, heartbeat and reporting settings use longer intervals (60 minutes is recommended), and memory dumps are sent automatically.
    Traps will replace the initial golden image with the revised VDI policy. Changing the VDI policy affects all spawned session on the next restart.
  6. Recompile the golden image.
    1. Restart the image.
    2. Verify that the image can connect to the ESM Server.
    3. Shut down the image and then recompile it.
  7. Log into the ESM Console and verify the health of the VDI instances on the MonitorAgentHealth page. If your organization uses a mixed environment, you can filter the machine Type column to show only VDI instances. The ESM Console should display the status of the VDI instances as connected.

Related Documentation