Combining a User Based collection model (i.e. Pooled Desktops collection type, Permanently Assigned Desktops collection type or Existing Desktops collection type) with device restrictions is useful, particularly if you want to allow users to roam only within a subset of your overall environment. A good example of such a use case is within a hospital that must restrict access to patient records based on the physical location of the user (a nurse) and the patient.
In this simple scenario, a hospital may want to implement a policy that allows nurses to access only records from patients on the same floor as the nurse. Within that floor, the nurse should be free to roam among multiple Pano devices; but if the nurse moves to a different floor, she should no longer access information from the previous floor.
Such a policy can be supported by creating a separate Pooled Desktops collection type for each floor of the hospital. Nurses can be entitled to use some or all of these collections. In addition, the administrator can specify that DVMs in the collection can only be accessed from a specified set of Pano devices.
The result is that a nurse who uses a Pano device on floor 2 will be assigned to a DVM from the collection that corresponds to floor 2. The administrator must have configured the DVMs within the collection to access only the authorized data, which is done using a third-party access management solution.
A device restriction is a property of the collection, not the device. While device restrictions limit the devices from which a specified collection can be accessed, they do not limit the collections to which the device may potentially connect.
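The following Python sketch models that rule for the hospital scenario so the consequence is visible: a floor 2 device still reaches any collection the nurse is entitled to that carries no restriction. It is an added example, not Pano Manager code or its API; the class, function, device, user and collection names are hypothetical, and treating an empty device set as "no restriction" is an assumption of the sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Collection:
    name: str
    entitled_users: set
    # Assumption of this sketch: an empty set means no device restriction is set.
    allowed_devices: set = field(default_factory=set)

def reachable(user, device, collections):
    """Names of the collections this user can reach from this device."""
    names = []
    for c in collections:
        if user not in c.entitled_users:
            continue  # user is not entitled to the collection
        if c.allowed_devices and device not in c.allowed_devices:
            continue  # the collection's own restriction excludes this device
        names.append(c.name)
    return names

def unrestricted_for(user, collections):
    """Audit: entitled collections with no restriction, reachable from any device."""
    return [c.name for c in collections
            if user in c.entitled_users and not c.allowed_devices]

# Constructed sample data: hypothetical device, user and collection names.
COLLECTIONS = [
    Collection("floor2", {"nurse_a"}, {"pano-2a", "pano-2b"}),
    Collection("floor3", {"nurse_a"}, {"pano-3a"}),
    Collection("general", {"nurse_a"}),  # no device restriction configured
]

if __name__ == "__main__":
    for dev in ("pano-2a", "pano-3a", "pano-lobby"):
        print(dev, reachable("nurse_a", dev, COLLECTIONS))
    print("unrestricted:", unrestricted_for("nurse_a", COLLECTIONS))
```

Running the audit function over every entitled user shows which collections still need a device restriction before the per-floor policy holds.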
Set Up Collections with Device Restrictions outlines the steps to follow when setting up a configuration that utilizes a User Based collection with the device restrictions feature.
Set device restrictions for Device Based collections if you want to prevent a user from inadvertently establishing an assignment between a device and a Device Based collection.
Let’s assume you created an Automatic Login collection type. One way to assign a device to such a collection is to log on to an unassigned Pano device using the credentials of the specified user. If you have set up device restrictions properly as part of the collection, you can prevent someone from logging on to the collection and establishing the assignment with an unauthorized device.