Air Force Reserve Command (AFRC) has been at the forefront of many projects before “Big Blue”. The Desktop Anywhere service not only enables Reserve Air Force Airmen, but more recently enabled “Big Blue” to increase productivity and raise its awareness and use of the service.
Update: I am now retired from the Air Force, but I am still involved with the DoD. This page will not be maintained but please contact me if there are any questions that come up.
Disclaimer 1: I am a Traditional Reservist in the United States Air Force Reserve from the 914th Communications Squadron located in Niagara Falls, NY. My Air Force Specialty Code (AFSC) is 3D072 (Cyber Systems Operations).🤓 When I am not fulfilling my military obligation, I work as a Senior Consultant, Federal for VMware, Inc. Please follow along at your discretion. It is obligatory for me to write that these are my opinions and suggestions and my guidance only. The material provided here is not “Official” USAF or VMware, Inc guidance. Rest assured, what I provide you will likely result in a successfully working configuration, I just don’t want to be reprimanded or fired. 😉
Disclaimer 2: I am using a new and clean installed version of macOS Catalina 10.15.4 on a VMware Fusion virtual machine. While this should not cause any difference from a bare metal installation (like your MacBook or iMac), I wanted to provide full transparency.
Assumptions: If you are reading this, I assume you need a little guidance, but are not such a novice that you won’t know to click an ‘OK’ button, open a web browser, navigate and download programs, or something similar. I will do my best to make this as easy as possible, but within reasonable expectations that you know how to use your computer. If you need further assistance from what’s provided here, please feel free to reach out to me on the Facebook Group.
Update Your Mac
It is always wise to ensure you are running the newest versions of software, especially your Operating System. I am writing this using Version 10.15.4.
Ref: https://support.apple.com/en-us/HT201541
Hardware Component
Check with your local unit to see if they can provide you with a card reader. I am unsure of the policy at every installation. My unit provided me with a HID OMNIKEY 3121 USB Card Reader. I like this reader because it is well built and Mac friendly.
Software Components
You can look at the Public DoD Cyber Exchange’s website for getting started if you need more guidance. (https://public.cyber.mil/pki-pke/end-users/getting-started/#toggle-id-2)
DoD Certificates (Mandatory)
Download: https://public.cyber.mil/pki-pke/tools-configuration-files/
Another article on my site for help with DoD Certificates on macOS Catalina can be found here: https://www.aaronrombaut.com/dod-certificates-on-macos-catalina/
VMware Horizon Client (Mandatory)
Download: https://my.vmware.com/web/vmware/details?downloadGroup=CART21FQ1_MAC_542&productId=863&rPId=44670
Smart Card Driver (Optional, but most likely needed)
If you have a HID Smart Card Reader, you will need drivers.
I noticed a lot of people have an Identiv Smart Card Reader. Please use the following download link to get the driver for your Identiv reader model.
Download: https://support.identiv.com/products/smart-card-readers/
If you have a different brand of reader, hopefully it will be a truly plug-and-play model, and will not need a driver. Seek out support from your card manufacturer if you need it. You can try to navigate through the MilitaryCAC.com family of websites, but I find the site very obtuse to navigate through. Maybe you will have better luck, though.
Keychain Access
The first step is to install and trust the DoD certificates. Open up Keychain Access and verify your current certificates. Make sure you see only one login Keychain. If you have more than one, back up the items from the old Keychain and remove it so that you only have one active. Change the Category to Certificates so that you can see what certificates are currently loaded. If you see any certificates that are expired, you will want to remove them.
Double-click on each file ending in .pem and .p7b. You may be prompted to choose the Keychain to which you want to add the certificates. Choose your login keychain.
At this point, you should see a lot of DoD-related certificates in Keychain Access. Scroll down until you see the DoD Root CA certificates. You should notice that they have a white x in a red circle. This indicates that they are not trusted.
Double-click on each of the root certificates, expand Trust, and change the When using this certificate: from Use System Defaults to Always Trust. Only do this for the DoD Root CA certificates.
Close the windows and provide authentication, either password or fingerprint if you have that configured.
Once you trust the four DoD Root CA certificates, the icons should now show a white + in a light blue circle. This indicates the certificate is trusted.
This completes the steps necessary to add the DoD certificates to your Keychain Access and trust the DoD Root CA certificates.
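A pre-check for the trust step above, added here as an example and not part of the original guide: it lists every certificate in a downloaded PEM file as root or intermediate and as valid or expired, so that only unexpired roots are set to Always Trust. It assumes the openssl command-line tool and PEM input; the function names are hypothetical, and "root" here means the subject name equals the issuer name, without verifying the signature.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI is
# installed and that inputs are PEM text. A .p7b bundle has to be converted
# first, e.g. with: openssl pkcs7 -print_certs -in bundle.p7b -out bundle.pem

# triage_cert FILE: classify the first certificate in FILE.
# Prints "<kind> <status>": kind is root (subject name equals issuer name,
# signature not verified) or intermediate; status is valid or expired.
# Prints "unreadable" when openssl cannot parse the file.
triage_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) \
        || { echo unreadable; return 0; }
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null)
    if [ "${subj#subject=}" = "${issr#issuer=}" ]; then
        kind=root
    else
        kind=intermediate
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        status=valid
    else
        status=expired
    fi
    echo "$kind $status"
}

# triage_pem FILE: split a PEM file that may hold several certificates and
# print one line per certificate: "<kind> <status> <subject>".
triage_pem() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ {
            if (f) close(f)
            f = sprintf("%s/%03d.pem", d, ++n)
        }
        f { print > f }' "$1"
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        printf '%s %s\n' "$(triage_cert "$c")" \
            "$(openssl x509 -in "$c" -noout -subject 2>/dev/null)"
    done
    rm -rf "$tmp"
}

# Stand-alone use: sh triage.sh file1.pem file2.pem ...
for f in "$@"; do triage_pem "$f"; done
```

Any line that starts with "intermediate" should be left at Use System Defaults in Keychain Access, and any line containing "expired" is a candidate for removal.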
VMware Horizon Client – Installation
Double-click on the VMware Horizon Client package file you downloaded earlier. The installer will open to the License Agreement.
Click Agree, then the actual installer will open. Like typical Mac software, drag the VMware Horizon Client icon onto the Applications Shortcut.
There will not be an indicator that the installation completes besides finding the new icon in the Applications menu of your Finder window. You can close the VMware Horizon Client installer utility. Please refer to VMware’s documentation for Release Notes, Known Issues, User Guides, and Installation and Setup Guides found at https://docs.vmware.com/en/VMware-Horizon-Client-for-Mac/index.html
This completes the installation of the VMware Horizon Client.
VMware Horizon Client – Configuration
Double-click the VMware Horizon Client icon. You can find it using a Spotlight Search (command + space bar) or look in the Applications menu in Finder. You should receive a security warning.
Click Open to allow the Horizon Client to open.
Optional: If you want easier access to the VMware Horizon Client in the future, after you open up the software, right-click (or ctrl + click if right-click option is not configured) on the icon in the Dock and choose Options > Keep in Dock.
On the first launch, you should be presented with a window prompting you to Enter the name of the Connection Server.
At the time of this writing, the address for general use is:
afrcdesktops.us.af.mil
Click Connect.
You should receive a Disclaimer window. If you followed the section above about adding and trusting DoD Certificates, you should see the https in green. If you see it in red, this indicates that your certificates are not being trusted.
Click Accept.
You should now see a Login window requesting your certificate.
Choose your non-email certificate and click Continue.
Enter your PIN and click Continue.
At this point, you should now be presented with your entitled Apps. Your entitlements will most likely not be the same as mine.
Click on the Windows 10 SDC 5.5 (or similar desktop if your base has a different image) in order to access your desktop.
This completes the VMware Horizon Client – Configuration section. I am going to include a troubleshooting section below in case there are any issues.
Smart Card Reader – Troubleshooting
Note: the section below is not complete and most likely never will be, given the way technology changes. I will try to update it as new issues arise.
If you have not connected your reader or plugged in your Common Access Card (CAC), you should receive the following Alert.
If you have connected your reader and plugged in your CAC, but your CAC is not being recognized, you should receive the following Login window.
The above most likely is a result of not having the appropriate driver for your Card Reader. You can test if your Card Reader is detected from the Terminal.
Open Terminal, type:
pcsctest
Once you press Enter, you will (or you won’t) see your card reader listed.
As you can see, my card reader is not being detected. This indicates that I will need to go to the manufacturer’s website and download and install the correct driver. Once I installed and restarted my computer, I re-ran the command in a Terminal.
If you have received any errors at this point, leave your CAC in the reader, close VMware Horizon Client, Restart your computer, and re-open VMware Horizon Client.