Oracle Cloud Infrastructure Documentation

Setting Up the Tenancy

To set up the tenancy for Secure Desktops, the tenancy administrator must set up compartments, create policies for users and groups, and configure the available images, storage, and network for the desktop administrator to use.

Note

Oracle recommends using the Secure Desktops Resource Manager (ORM) Stack to simplify the process of setting up the tenancy. The ORM stack assists with several process tasks to help ensure the tenancy is set up according to best practices.

  • Creating policies, dynamic groups, and user access for the Secure Desktops service.
  • Creating or onboarding existing network resources.
  • Importing a custom image for use in a Secure Desktops pool.

Download the required ORM stack setup file from the Oracle Cloud Marketplace.

For instructions on using the ORM stack, refer to OCI Secure Desktops: How To Configure Tenancy Using ORM Stack (2948207.1).

Setting Up Compartments

Set up the compartments required by Secure Desktops to control access to desktop pools.

  1. Work with the desktop administrator to understand which compartments are required.

    Use compartments to control access to desktops. For example, you are likely to need one compartment per desktop pool, and there will be multiple desktop pools. See Understanding Desktop User Access to a Desktop Pool and Desktop Pools. You may also need to use compartments to keep other resources separate.

  2. Create compartments as described in Learn Best Practices for Setting Up Your Tenancy.

Creating Policies for the Service

Define a dynamic group and add policies to allow the Secure Desktops service to run within the tenancy.

  1. Add a dynamic group for desktop pools in the compartments you manage. Refer to Managing Dynamic Groups for instructions on creating dynamic groups. To define the dynamic group using compartments, follow these steps:
    1. Give the dynamic group a name that you will use in the policy statements, for example DesktopPoolsDynamicGroup.
    2. Choose the Match all rules defined below option for the dynamic group.
    3. Add the following matching rule to identify the desktop pool resource: 
      resource.type = 'desktoppool'
    4. Optionally, add an additional matching rule to identify compartments that will contain desktop pools: 
      Any {resource.compartment.id = '<ocid>', resource.compartment.id = '<ocid>'}

      Where <ocid> is the Resource ID for each compartment. For example:

      Any {resource.compartment.id = '<OCID-OracleLinux8Standard>', resource.compartment.id = '<OCID-OracleLinux8Extra>'}
  2. In the root compartment, add the following policies for each dynamic group you added. This allows the desktop pools in the dynamic groups to access required tenancy level resources.

    For an introduction to policies, see Getting Started with Policies.

    To create a policy, see Create a Policy with the Console.

    In the following examples, dynamic groups are evaluated as if they belong to the default identity domain. If you are using a non-default identity domain, you must include the identity domain name before the dynamic group in the policy statement. For more information, including syntax examples, see Policy Syntax.

    Allow dynamic-group <dynamic-group> to {DOMAIN_INSPECT} in tenancy 
Allow dynamic-group <dynamic-group> to inspect users in tenancy 
Allow dynamic-group <dynamic-group> to inspect compartments in tenancy
Allow dynamic-group <dynamic-group> to use tag-namespaces in tenancy

    Where <dynamic-group> is the name of the dynamic group specifying a set of desktop pools.

  3. In the root compartment, or the compartment above the desktop pool compartments you manage, add the following policies to allow the desktop pools in each dynamic group to interact with the necessary resources.

    To create a policy, see Create a Policy with the Console.

    Allow dynamic-group <dynamic-group> to use virtual-network-family in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to {VCN_ATTACH, VCN_DETACH} in compartment <desktops-network-compartment>
Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to read instance-images in compartment <image-compartment>
Allow dynamic-group <dynamic-group> to manage instance-family in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage volume-family in compartment <desktop-compartment> 
Allow dynamic-group <dynamic-group> to manage dedicated-vm-hosts in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage orm-family in compartment <desktop-compartment> 
Allow dynamic-group <dynamic-group> to {VNIC_CREATE, VNIC_DELETE} in compartment <desktop-compartment>
Allow dynamic-group <dynamic-group> to manage instance-configurations in compartment <desktop-compartment>
    Where:
    • <dynamic-group> is the name of the dynamic group specifying a set of desktop pools.
    • <desktops-network-compartment> is the name of the compartment containing the VCN used by the desktop pools. If this compartment is not a child of the compartments above the desktop pool compartments, then the policy must be specified in the root compartment.
    • <image-compartment> is the name of the compartment containing desktop image instances used by the desktop pools. If this compartment is not a child of the compartments above the desktop pool compartments, then the policy must be specified in the root compartment.
    • <desktop-compartment> is the name of either:
      • The compartment containing desktop pools and associated storage volumes and resources.
      • A parent of the compartments containing desktop pools.
    Note

    If you are planning to create private desktop pools, additional policies may be required. For more information, see Enabling Private Desktop Access.

    This example shows the policies required for two desktops in two independent compartments, OracleLinux8Standard and OracleLinux8Extra. If all compartments under a common parent use the same policies then you can list these once using the parent compartment to avoid the need for duplication.

    Allow dynamic-group DesktopPoolDynamicGroup to {DOMAIN_INSPECT} in tenancy 
Allow dynamic-group DesktopPoolDynamicGroup to inspect users in tenancy 
Allow dynamic-group DesktopPoolDynamicGroup to inspect compartments in tenancy
Allow dynamic-group DesktopPoolDynamicGroup to use tag-namespaces in tenancy

Allow dynamic-group DesktopPoolDynamicGroup to manage virtual-network-family in compartment VirtualCloudNetworks
Allow dynamic-group DesktopPoolDynamicGroup to read instance-images in compartment Images

Allow dynamic-group DesktopPoolDynamicGroup to read instance-images in compartment OracleLinux8Standard
Allow dynamic-group DesktopPoolDynamicGroup to manage instance-family in compartment OracleLinux8Standard
Allow dynamic-group DesktopPoolDynamicGroup to manage volume-family in compartment OracleLinux8Standard 
Allow dynamic-group DesktopPoolDynamicGroup to manage dedicated-vm-hosts in compartment OracleLinux8Standard
Allow dynamic-group DesktopPoolDynamicGroup to manage orm-family in compartment OracleLinux8Standard 
Allow dynamic-group DesktopPoolDynamicGroup to {VNIC_CREATE, VNIC_DELETE} in compartment OracleLinux8Standard 
Allow dynamic-group DesktopPoolDynamicGroup to manage instance-configurations in compartment OracleLinux8Standard
Allow dynamic-group DesktopPoolDynamicGroup to manage virtual-network-family in compartment OracleLinux8Standard

Allow dynamic-group DesktopPoolDynamicGroup to read instance-images in compartment OracleLinux8Extra
Allow dynamic-group DesktopPoolDynamicGroup to manage instance-family in compartment OracleLinux8Extra
Allow dynamic-group DesktopPoolDynamicGroup to manage volume-family in compartment OracleLinux8Extra 
Allow dynamic-group DesktopPoolDynamicGroup to manage dedicated-vm-hosts in compartment OracleLinux8Extra
Allow dynamic-group DesktopPoolDynamicGroup to manage orm-family in compartment OracleLinux8Extra 
Allow dynamic-group DesktopPoolDynamicGroup to {VNIC_CREATE, VNIC_DELETE} in compartment OracleLinux8Extra 
Allow dynamic-group DesktopPoolDynamicGroup to manage instance-configurations in compartment OracleLinux8Extra
Allow dynamic-group DesktopPoolDynamicGroup to manage virtual-network-family in compartment OracleLinux8Extra

Creating Policies for User Authorization

Set up appropriate user access to enable desktop administrators to manage pools and desktop users to connect to desktops.

Two types of groups are required:

  • Administrator groups for the desktop administrators that use the service to provide desktops.
  • User groups for the desktop users that connect to the desktops.
These groups are in addition to the tenancy administrator group used to grant permission for creating compartments, images and so on. See, for example, Manage Custom Images.

Membership in an administrator group does not grant permission to connect to a desktop in the pool, only to create and manage the pools. A desktop user can connect to one desktop from each of the pools within the compartment they are authorized to access. To isolate user groups, for example to restrict access to a particular type of desktop, the desktops must be in different compartments (see Understanding Desktop User Access to a Desktop Pool) and the groups must have access to those compartments as appropriate. For information on creating groups, see Working with Groups.

For an introduction to policies, see Getting Started with Policies.

To create a policy, see Create a Policy with the Console.

  1. Add policies for desktop administrators:

    • Policy for desktop pool family:
      Allow group <desktop-administrators> to manage desktop-pool-family in compartment <desktop-compartment>

      For example:

      Allow group Desktop_Admins to manage desktop-pool-family in compartment OracleLinux8Standard
Allow group Desktop_Admins to manage desktop-pool-family in compartment OracleLinux8Extra
    • Policy for read resources:
      Allow group <desktop-administrators> to read all-resources in compartment <desktop-compartment>

      For example:

      Allow group Desktop_Admins to read all-resources in compartment OracleLinux8Standard
Allow group Desktop_Admins to read all-resources in compartment OracleLinux8Extra
    • Policy for virtual network family:
      Allow group <desktop-administrators> to use virtual-network-family in compartment <desktops-network-compartment>

      For example:

      Allow group Desktop_Admins to use virtual-network-family in compartment VirtualCloudNetworks
    • Policy for instance images:
      Allow group <desktop-administrators> to use instance-images in compartment <images-compartment>

      For example:

      Allow group Desktop_Admins to use instance-images in compartment Images

  2. Add policies for desktop users:

    Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>

    For example:

    Allow group Dev_Users to use published-desktops in compartment OracleLinux8Standard
Allow group IT_Users to use published-desktops in compartment OracleLinux8Extra

Configuring the Network

Set up the Virtual Cloud Network (VCN) to connect to Secure Desktops.

Each desktop pool requires access to a suitable subnet to connect the Secure Desktops service to the desktop instances. This subnet can be private or public. When creating the subnet for your desktop pools, ensure the number of IP addresses available in the subnet matches the number of desktops you want to provision. For example, a class C subnet can only provide 254 IPv4 addresses.

Network Security Groups

At desktop pool creation, Secure Desktops creates a Network Security Group (NSG) with security rules that provide network connectivity for the service. This NSG, desktop_pool_instances_<ocid>_nsg, is only visible from the compute instance associated with the desktop.

If you choose to use additional NSGs, you must create the NSGs and apply them when you create the desktop pool. See Desktop Pool Parameters.

See Network Security Groups for more information.

Service Gateway

To use the Oracle Cloud Agent plugin (required for Windows and Linux desktops), you must set up a service gateway for your VCN. Steps include creating the service gateway, updating routing for the subnet by adding a routing rule, and adding an egress security rule to allow desired traffic. See Access to Oracle Services: Service Gateway.

For more information about the Oracle Cloud Agent plugin, see Oracle Cloud Agent.

Note

If you want to enable private desktop access, see Enabling Private Desktop Access for additional network requirements.

Importing Images

Import images and properly tag them so that Secure Desktops recognizes them as images to use for a desktop pool.

Import images into the compartment and add the following tags:

  • oci:desktops:is_desktop_image true

  • oci:desktops:image_os_type [Oracle Linux | Windows]

  • oci:desktops:image_version <version>, where <version> is a meaningful reference for your use.

These tags allow the service to determine which images to display as an option when you create a desktop pool. See Secure Desktops Tags.

Exporting Images to Another Region

An image only exists within a single region of a tenancy. If you want to make an image available in another region in your tenancy, you must export the image and then import it to the other region.

  1. Create an object storage bucket to store the image.
  2. Export the image to the storage bucket using the .oci image format.
  3. Once the export completes, switch to the bucket and create a pre-authenticated request for the image. Copy the URL provided.
  4. Switch to the receiving tenancy and region. Import the image from the object storage URL using the type OCI.
  5. Add the appropriate tags to the image before using it as a desktop image.
  6. After importing the image to all required regions, you can delete the image object from the storage bucket.

Allocating Dedicated Virtual Machine Hosts

If the desktop pool image is for Windows desktops, the desktops in the pool will be hosted on Dedicated Virtual Machine Hosts (DVH) by default. Ensure you allocate sufficient DVH resources in the tenancy to run the Windows desktops.

For more information, see Dedicated Virtual Machine Hosts.

Note

  • If your license agreement allows virtualizing Windows 10/11 desktops in a cloud environment, you can disable DVH provisioning by adding the appropriate tag when creating the desktop pool. See Secure Desktops Tags.
  • Secure Desktops does not allocate DVHs for Linux desktop pools.

You must set the tenancy limit for dedicated virtual machine hosts to enable all Windows desktops to be provisioned on dedicated virtual machines. You do not need to start the hosts, Secure Desktops does this as required.

Use Appropriate Shapes for Desktop Pools

For Windows desktop pools, that is desktop pools that require dedicated virtual machine hosts, use one of the following preferred shapes, as they are pre-mapped to DVH shapes for allocation of OCPUs and memory:

  • Flex Low (2 OCPUs, 4GB RAM)
  • Flex Medium (4 OCPUs, 8GB RAM)
  • Flex High (8 OCPUs, 16GB RAM)
Note

  • During desktop pool creation, Secure Desktops calculates the required number of dedicated virtual machine hosts to be allocated for a desktop pool.
  • When a desktop pool is deleted, all dedicated virtual machine hosts allocated for that desktop pool are also deleted.

Alternatively, the administrator can choose a specific VM shape from a set of VM shapes supported by the pool image. In this case, Secure Desktops assigns a corresponding DVH shape to host the VM shape.

The following table lists supported VM shapes and their corresponding DVH shapes:

VM Shape DVH Shape
VM.Standard2.2 DVH.Standard2.52:Flex Low
VM.Standard2.4 DVH.Standard2.52:Flex Medium
VM.Standard2.8 DVH.Standard2.52:Flex High
VM.Standard3.Flex DVH.Standard3.64
VM.Standard.E3.Flex DVH.Standard.E3.128
VM.Standard.E4.Flex DVH.Standard.E4.128
VM.DenselIO2.8 DVH.DenseIO2.52:Flex Low
VM.DenselIO2.16 DVH.DenseIO2.52:Flex Medium
VM.DenselIO2.24 DVH.DenseIO2.52:Flex High
VM.Optimized3.Flex DVH.Optimized3.36
VM.Standard.E2.2 DVH.Standard.E2.64:Flex Low
VM.Standard.E2.4 DVH.Standard.E2.64:Flex Medium
VM.Standard.E2.8 DVH.Standard.E2.64:Flex High
Note

If an unsupported VM shape is specified, pool creation fails and an error is returned.

If you want to specify a specific DVH shape for your desktops, you can add the appropriate tag when creating the desktop pool. See Secure Desktops Tags.