Setting Up the Tenancy

To set up the tenancy for Secure Desktops, the tenancy administrator must set up compartments, create policies for users and groups, and configure the available images, storage, and network for the desktop administrator to use.

Note

Oracle recommends using the Secure Desktops Resource Manager (ORM) Stack to simplify the process of setting up the tenancy. The ORM stack assists with several process tasks to help ensure the tenancy is set up according to best practices.

  • Creating policies, dynamic groups, and user access for the Secure Desktops service.
  • Creating or onboarding existing network resources.
  • Importing a custom image for use in a Secure Desktops pool.

Download the required ORM stack setup file from the Oracle Cloud Marketplace.

For instructions on using the ORM stack, refer to OCI Secure Desktops: How To Configure Tenancy Using ORM Stack (KB48885).

Setting Up Compartments

Set up the compartments required by Secure Desktops to control access to desktop pools.

  1. Work with the desktop administrator to understand which compartments are required.

    Use compartments to control access to desktops. For example, you are likely to need one compartment per desktop pool, and there will be multiple desktop pools. See Understanding Desktop User Access to a Desktop Pool and Desktop Pools. You may also need to use compartments to keep other resources separate.

  2. Create compartments as described in Learn Best Practices for Setting Up Your Tenancy.

Creating Policies for the Service

Define a dynamic group and add policies to allow the Secure Desktops service to run within the tenancy.

  1. Add a dynamic group for desktop pools in the compartments you manage. See Managing Dynamic Groups for instructions on creating dynamic groups. To define the dynamic group using compartments, follow these steps:
    1. Give the dynamic group a name that you will use in the policy statements, for example DesktopPoolDynamicGroup.
    2. Select the Match all rules defined below option for the dynamic group.
    3. Add the following matching rule to identify the desktop pool resource:
      resource.type = 'desktoppool'
    4. Optionally, add an additional matching rule to identify compartments that will contain desktop pools:
      Any {resource.compartment.id = '<ocid>', resource.compartment.id = '<ocid>'}

      Where <ocid> is the Resource ID for each compartment. For example:

      Any {resource.compartment.id = '<OCID-OracleLinux8Standard>', resource.compartment.id = '<OCID-OracleLinux8Extra>'}
  2. In the root compartment, add the following policies for each dynamic group you added. This allows the desktop pools in the dynamic groups to access required tenancy level resources.

    For an introduction to policies, see Getting Started with Policies.

    To create a policy, see Create a Policy with the Console.

    In the following examples, dynamic groups are evaluated as if they belong to the default identity domain. If you are using a non-default identity domain, you must include the identity domain name before the dynamic group in the policy statement. For more information, including syntax examples, see Policy Syntax.

    Allow dynamic-group <dynamic-group> to {DOMAIN_READ} in tenancy 
    Allow dynamic-group <dynamic-group> to inspect users in tenancy 
    Allow dynamic-group <dynamic-group> to inspect compartments in tenancy
    Allow dynamic-group <dynamic-group> to use tag-namespaces in tenancy

    Where <dynamic-group> is the name of the dynamic group specifying a set of desktop pools.

  3. (Optional) If Zero Trust Packet Routing (ZPR) is enabled in your tenancy, add the following policies in the root compartment for each dynamic group you added. This allows you to control access to Secure Desktops based on security attributes.
    Allow dynamic-group <dynamic-group> to use security-attribute-namespace in tenancy
    Allow dynamic-group <dynamic-group> to {VNIC_CREATE, VNIC_UPDATE, VNIC_DELETE} in compartment <desktop-compartment>

    Where <dynamic-group> is the name of the dynamic group specifying a set of desktop pools, and <desktop-compartment> is the name of the compartment where the desktops are located.

    The tenancy/security administrator must create security attribute namespaces and security attributes, and write ZPR policies for them. To use attribute based access control, the desktop pool administrator adds security attributes to the desktop pools. For more information, see Zero Trust Packet Routing.

    To allow the Secure Desktops service to connect to the desktops, and the desktops to communicate with Oracle services, create these ZPR policies:

    in <desktop.vcn.namespace:key> VCN allow <desktop.vnic.namespace:key> endpoints to connect to 'osn-services-ip-addresses'
    in <desktop.vcn.namespace:key> VCN allow osd.service:Public endpoints to connect to <desktop.vnic.namespace:key> endpoints

    Where:

    • <desktop.vcn.namespace:key> is the security attribute, formatted as namespace:key, applied to a VCN to which desktop instances are connected

    • <desktop.vnic.namespace:key> is the security attribute, formatted as namespace:key, applied to the VNIC of a desktop instance

    • osd.service:Public endpoints refers to the public endpoints of the Secure Desktops service. If you're planning to create private desktop pools, replace it with the Private access network IP address in full CIDR notation. This IP can be found in the desktop pool Details tab in the Console.

    For example:

    in osd.vcn:test VCN allow osd.desktop:test endpoints to connect to 'osn-services-ip-addresses'
    in osd.vcn:test VCN allow osd.service:Public endpoints to connect to osd.desktop:test endpoints
    in osd.vcn:test VCN allow '10.80.11.65/32' to connect to osd.desktop:test endpoints
  4. In the root compartment, or the compartment above the desktop pool compartments you manage, add the following policies to allow the desktop pools in each dynamic group to interact with the necessary resources.

    To create a policy, see Create a Policy with the Console.

    Allow dynamic-group <dynamic-group> to use virtual-network-family in compartment <desktops-network-compartment>
    Allow dynamic-group <dynamic-group> to {VCN_ATTACH, VCN_DETACH} in compartment <desktops-network-compartment>
    Allow dynamic-group <dynamic-group> to manage virtual-network-family in compartment <desktop-compartment>
    Allow dynamic-group <dynamic-group> to read instance-images in compartment <image-compartment>
    Allow dynamic-group <dynamic-group> to manage instance-family in compartment <desktop-compartment>
    Allow dynamic-group <dynamic-group> to manage volume-family in compartment <desktop-compartment> 
    Allow dynamic-group <dynamic-group> to manage dedicated-vm-hosts in compartment <desktop-compartment>
    Allow dynamic-group <dynamic-group> to manage orm-family in compartment <desktop-compartment> 
    Allow dynamic-group <dynamic-group> to {VNIC_CREATE, VNIC_DELETE} in compartment <desktop-compartment>
    Allow dynamic-group <dynamic-group> to manage instance-configurations in compartment <desktop-compartment>
    
                        
    Where:
    • <dynamic-group> is the name of the dynamic group specifying a set of desktop pools.
    • <desktops-network-compartment> is the name of the compartment containing the VCN used by the desktop pools. If this compartment is not a child of the compartments above the desktop pool compartments, then the policy must be specified in the root compartment.
    • <image-compartment> is the name of the compartment containing desktop image instances used by the desktop pools. If this compartment is not a child of the compartments above the desktop pool compartments, then the policy must be specified in the root compartment.
    • <desktop-compartment> is the name of either:
      • The compartment containing desktop pools and associated storage volumes and resources.
      • A parent of the compartments containing desktop pools.
    Note

    If you are planning to create private desktop pools, additional policies may be required. For more information, see Enabling Private Desktop Access.

    This example shows the policies required for two desktops in two independent compartments, OracleLinux8Standard and OracleLinux8Extra. If all compartments under a common parent use the same policies then you can list these once using the parent compartment to avoid the need for duplication.

    Allow dynamic-group DesktopPoolDynamicGroup to {DOMAIN_READ} in tenancy 
    Allow dynamic-group DesktopPoolDynamicGroup to inspect users in tenancy 
    Allow dynamic-group DesktopPoolDynamicGroup to inspect compartments in tenancy
    Allow dynamic-group DesktopPoolDynamicGroup to use tag-namespaces in tenancy
    
    Allow dynamic-group DesktopPoolDynamicGroup to manage virtual-network-family in compartment VirtualCloudNetworks
    Allow dynamic-group DesktopPoolDynamicGroup to read instance-images in compartment Images
    
    Allow dynamic-group DesktopPoolDynamicGroup to read instance-images in compartment OracleLinux8Standard
    Allow dynamic-group DesktopPoolDynamicGroup to manage instance-family in compartment OracleLinux8Standard
    Allow dynamic-group DesktopPoolDynamicGroup to manage volume-family in compartment OracleLinux8Standard 
    Allow dynamic-group DesktopPoolDynamicGroup to manage dedicated-vm-hosts in compartment OracleLinux8Standard
    Allow dynamic-group DesktopPoolDynamicGroup to manage orm-family in compartment OracleLinux8Standard 
    Allow dynamic-group DesktopPoolDynamicGroup to {VNIC_CREATE, VNIC_DELETE} in compartment OracleLinux8Standard 
    Allow dynamic-group DesktopPoolDynamicGroup to manage instance-configurations in compartment OracleLinux8Standard
    Allow dynamic-group DesktopPoolDynamicGroup to manage virtual-network-family in compartment OracleLinux8Standard
    
    Allow dynamic-group DesktopPoolDynamicGroup to read instance-images in compartment OracleLinux8Extra
    Allow dynamic-group DesktopPoolDynamicGroup to manage instance-family in compartment OracleLinux8Extra
    Allow dynamic-group DesktopPoolDynamicGroup to manage volume-family in compartment OracleLinux8Extra 
    Allow dynamic-group DesktopPoolDynamicGroup to manage dedicated-vm-hosts in compartment OracleLinux8Extra
    Allow dynamic-group DesktopPoolDynamicGroup to manage orm-family in compartment OracleLinux8Extra 
    Allow dynamic-group DesktopPoolDynamicGroup to {VNIC_CREATE, VNIC_DELETE} in compartment OracleLinux8Extra 
    Allow dynamic-group DesktopPoolDynamicGroup to manage instance-configurations in compartment OracleLinux8Extra
    Allow dynamic-group DesktopPoolDynamicGroup to manage virtual-network-family in compartment OracleLinux8Extra
    

Creating Policies for User Authorization

Set up appropriate user access to enable desktop administrators to manage pools and desktop users to connect to desktops.

Two types of groups are required:

  • Administrator groups for the desktop administrators that use the service to provide desktops.
  • User groups for the desktop users that connect to the desktops.
These groups are in addition to the tenancy administrator group used to grant permission for creating compartments, images and so on. See, for example, Manage Custom Images.

Membership in an administrator group does not grant permission to connect to a desktop in the pool, only to create and manage the pools. A desktop user can connect to one desktop from each of the pools within the compartment they are authorized to access. To isolate user groups, for example to restrict access to a particular type of desktop, the desktops must be in different compartments (see Understanding Desktop User Access to a Desktop Pool) and the groups must have access to those compartments as appropriate. For information on creating groups, see Working with Groups.

For an introduction to policies, see Getting Started with Policies.

To create a policy, see Create a Policy with the Console.

  1. Add policies for desktop administrators:

    • Policy for desktop pool family:
      Allow group <desktop-administrators> to manage desktop-pool-family in compartment <desktop-compartment>

      For example:

      Allow group Desktop_Admins to manage desktop-pool-family in compartment OracleLinux8Standard
      Allow group Desktop_Admins to manage desktop-pool-family in compartment OracleLinux8Extra
    • Policy for read resources:
      Allow group <desktop-administrators> to read all-resources in compartment <desktop-compartment>

      For example:

      Allow group Desktop_Admins to read all-resources in compartment OracleLinux8Standard
      Allow group Desktop_Admins to read all-resources in compartment OracleLinux8Extra
    • Policy for virtual network family:
      Allow group <desktop-administrators> to use virtual-network-family in compartment <desktops-network-compartment>

      For example:

      Allow group Desktop_Admins to use virtual-network-family in compartment VirtualCloudNetworks
    • Policy for instance images:
      Allow group <desktop-administrators> to use instance-images in compartment <images-compartment>

      For example:

      Allow group Desktop_Admins to use instance-images in compartment Images
    • (Optional) Policy for attribute based access control with Zero Trust Packet Routing (ZPR):

      Allow group <desktop-administrators> to use zpr-security-attributes in compartment <desktop-compartment>

      To write ZPR policies and define security attributes for desktop pool resources, a tenancy/security administrator requires these permissions:

      Allow group <security-administrators> to manage security-attribute-namespaces in tenancy
      Allow group <security-administrators> to manage zpr-policy in tenancy
      Allow group <security-administrators> to manage zpr-configuration in tenancy
  2. Add policies for desktop users:

    • Policy for all desktop pools within a compartment:
      Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>

      For example:

      Allow group Dev_Users to use published-desktops in compartment OracleLinux8Standard
      Allow group IT_Users to use published-desktops in compartment OracleLinux8Extra
    • Policy for specific desktop pools within a compartment:
      Allow group <desktop-users> to use published-desktops in compartment <desktop-compartment>
      where all {target.desktoppool.name = '<pool_name>', target.desktoppool.id = '<pool_ocid>'}

      Optionally, use where statements along with the following context variables to specify one or more desktop pools by name or OCID:

      • target.desktoppool.name
      • target.desktoppool.id

      For example:

      Allow group Dev_Users to use published-desktops in compartment OracleLinux8Standard
      where target.desktoppool.name = '<pool-name>'
      Allow group Dev_Users to use published-desktops in compartment OracleLinux8Standard
      where any {target.desktoppool.name = '<pool-name_1>', target.desktoppool.name = '<pool-name_2>'...}
      Allow group Dev_Users to use published-desktops in compartment OracleLinux8Standard
      where target.desktoppool.id = '<pool-ocid>'

Configuring the Network

Set up the Virtual Cloud Network (VCN) to connect to Secure Desktops.

Each desktop pool requires access to a suitable subnet to connect the Secure Desktops service to the desktop instances. This subnet can be private or public. When creating the subnet for your desktop pools, ensure the number of IP addresses available in the subnet matches the number of desktops you want to provision. For example, a class C subnet can only provide 254 IPv4 addresses.

Network Security Groups

At desktop pool creation, Secure Desktops creates a Network Security Group (NSG) with security rules that provide network connectivity for the service. This NSG, desktop_pool_instances_<ocid>_nsg, is only visible from the compute instance associated with the desktop.

If you choose to use additional NSGs, you must create the NSGs and apply them when you create the desktop pool. See Creating a Desktop Pool.

See Network Security Groups for more information.

Service Gateway

To use the Oracle Cloud Agent plugin (required for Windows and Linux desktops), you must set up a service gateway for your VCN. Steps include creating the service gateway, updating routing for the subnet by adding a routing rule, and adding an egress security rule to allow desired traffic. See Access to Oracle Services: Service Gateway.

For more information about the Oracle Cloud Agent plugin, see Oracle Cloud Agent.

Note

If you want to enable private desktop access, see Enabling Private Desktop Access for additional network requirements.

Importing Images

Import images and properly tag them so that Secure Desktops recognizes them as images to use for a desktop pool.

Import images into the compartment and add image tags:

  • Required:

    oci:desktops:is_desktop_image true

    This tag allows the service to determine which images to display as an option when you create a desktop pool.

  • Optional:
    • oci:desktops:image_os_type [Oracle Linux | Windows]
    • oci:desktops:image_version <version>

      where <version> is a meaningful reference for your use.

For more information, see Secure Desktops Tags.

Exporting Images to Another Region

An image only exists within a single region of a tenancy. If you want to make an image available in another region in your tenancy, you must export the image and then import it to the other region.

  1. Create an object storage bucket to store the image.
  2. Export the image to the storage bucket using the .oci image format.
  3. Once the export completes, switch to the bucket and create a pre-authenticated request for the image. Copy the URL provided.
  4. Switch to the receiving tenancy and region. Import the image from the object storage URL using the type OCI.
  5. Add the appropriate tags to the image before using it as a desktop image.
  6. After importing the image to all required regions, you can delete the image object from the storage bucket.

Allocating Dedicated Virtual Machine Hosts

If your license agreement doesn't allow Windows 10 or Windows 11 virtualization in a public cloud environment, provision the desktops on Dedicated Virtual Hosts. Ensure that you allocate enough Dedicated Virtual Host resources in the tenancy to run the Windows desktops.

You must set the tenancy limit for dedicated virtual machine hosts to enable all Windows desktops to be provisioned on dedicated virtual machines. You do not need to start the hosts, Secure Desktops does this as required.

For more information, see Dedicated Virtual Machine Hosts.

Note

  • Secure Desktops does not allocate DVHs for Linux desktop pools.

Use Appropriate Shapes for Desktop Pools

For Windows desktop pools, that is desktop pools that require dedicated virtual machine hosts, use one of the following preferred shapes, as they are pre-mapped to DVH shapes for allocation of OCPUs and memory:

  • Flex Low (2 OCPUs, 4GB RAM)
  • Flex Medium (4 OCPUs, 8GB RAM)
  • Flex High (8 OCPUs, 16GB RAM)
Note

  • During desktop pool creation, Secure Desktops calculates the required number of dedicated virtual machine hosts to be allocated for a desktop pool.
  • When a desktop pool is deleted, all dedicated virtual machine hosts allocated for that desktop pool are also deleted.

Alternatively, the administrator can choose a specific VM shape from a set of VM shapes supported by the pool image. In this case, Secure Desktops assigns a corresponding DVH shape to host the VM shape.

The following table lists supported VM shapes and their corresponding DVH shapes:

VM Shape DVH Shape
VM.Standard2.2 DVH.Standard2.52:Flex Low
VM.Standard2.4 DVH.Standard2.52:Flex Medium
VM.Standard2.8 DVH.Standard2.52:Flex High
VM.Standard3.Flex DVH.Standard3.64
VM.Standard.E3.Flex DVH.Standard.E3.128
VM.Standard.E4.Flex DVH.Standard.E4.128
VM.DenselIO2.8 DVH.DenseIO2.52:Flex Low
VM.DenselIO2.16 DVH.DenseIO2.52:Flex Medium
VM.DenselIO2.24 DVH.DenseIO2.52:Flex High
VM.Optimized3.Flex DVH.Optimized3.36
VM.Standard.E2.2 DVH.Standard.E2.64:Flex Low
VM.Standard.E2.4 DVH.Standard.E2.64:Flex Medium
VM.Standard.E2.8 DVH.Standard.E2.64:Flex High
Note

If an unsupported VM shape is specified, pool creation fails and an error is returned.

If you want to specify a specific DVH shape for your desktops, you can add the appropriate tag when creating the desktop pool. See Secure Desktops Tags.