Chris,
We are having the very same issues that you are looking into. We have been talking with VMware the past few weeks and I have a phone conference call on the 7th of February to discuss it again. They believe that they have a way to disable USB redirection when connecting externally.
Would it matter if you disabled the clipboard both externally and internally? We have done that because internally the users use thin clients so there is no copying internally. This was done by not allowing the users to select RDP when making the connection. PCoIP doesn't allow the clipboard to work.
The ThinPrint service is what redirects the printer from the local device to the VM. Below is a script that I found that will only enable the ThinPrint service if the user is a member of a certain AD group. NOTE: I have not tested this script yet. It's on my list of things to do.
Good Luck!
In case anyone is interested, I managed to resolve this by using a vbs script run using the RunOnConnect option from the View agent GPO. It queries the volatile environmental variables for the name of the external access View connection servers, and if it matches it then checks group membership. If not a member of the remote-printing-allowed group it disables the thinprint services.
' Cached group dictionary; declared at global scope so IsMember can reuse it.
Dim objGroupList

strComputer = "."
Set objNetwork = WScript.CreateObject("Wscript.Network")
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.userName
Set objUser = GetObject("LDAP://" & strUserDN)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objShell = CreateObject("WScript.Shell")

'--------------------------------------------------------
' IsMember Function
'--------------------------------------------------------
Function IsMember(strGroup)
    ' Function to test one user for group membership.
    ' objUser is the user object with global scope.
    ' strGroup is the NT Name of the group to test.
    ' objGroupList is a dictionary object with global scope.
    ' Returns True if the user is a member of the group.
    Dim objGroup
    If IsEmpty(objGroupList) Then
        Set objGroupList = CreateObject("Scripting.Dictionary")
        objGroupList.CompareMode = vbTextCompare
        For Each objGroup In objUser.Groups
            objGroupList(objGroup.sAMAccountName) = True
        Next
    End If
    IsMember = objGroupList.Exists(strGroup)
End Function

'--------------------------------------------------------
' Check to see if client logged into external View Connection Servers
' Disable printing if not member of AD Group remote-printing-allowed
'--------------------------------------------------------
' Read the broker name once. The comparison is case-insensitive so that a
' difference in hostname case does not skip the check and leave printing enabled.
strBroker = objShell.ExpandEnvironmentStrings("%ViewClient_Broker_DNS_Name%")
If StrComp(strBroker, "GR1VCSV01.domain.net", vbTextCompare) = 0 _
   Or StrComp(strBroker, "GR1VCSV02.domain.net", vbTextCompare) = 0 Then
    If IsMember("remote-printing-allowed") Then
        WScript.Echo "Virtual Printing Enabled"
    Else
        ' Stop and disable both ThinPrint services for this session's VM.
        Set colServiceList = objWMIService.ExecQuery _
            ("Select * from Win32_Service where Name = 'TPAutoConnSvc' OR Name = 'TPVCGateway'")
        For Each objService in colServiceList
            If objService.State = "Running" Then
                objService.StopService()
                Wscript.Sleep 5000
            End If
            errReturnCode = objService.ChangeStartMode("Disabled")
        Next
    End If
End If