VMware has enhanced Encrypted Virtual Machines with the ability to expire a virtual machine at a set date and time. An administrator can create a virtual machine, share it with other users, and have it run only until that date and time.
This feature establishes a secure connection to a time server at VMware or a server of your choice to validate the current date and time, which prevents users from rolling back the clock on their host machine to avoid expiration. VMware has also added the ability to set the synchronization frequency to control the load on the network and a lease period to allow users to run expiring virtual machines while offline.
To add restrictions to a virtual machine:
- Power off the virtual machine.
- Click VM > Settings for the virtual machine.
- Click the Options tab.
- Click Access Control.
- Click Encrypt.
- Enter a password when prompted.
Note: The password is required to use the virtual machine. Provide it to the end user of the virtual machine.
- Click Encrypt. The encryption process starts. The time taken to encrypt depends on the size of the virtual machine.
- When the encryption process is complete, the Enable restrictions option is activated.
- Click Enable restrictions.
- Set the Restrictions password.
Note: This password is required to make restriction changes to the virtual machine. The administrator should keep a record of this password and not make it available to the end user.
- Select Require the user to change the encryption password if you want the end user to change the password when the virtual machine is moved or copied.
- Select Allow USB devices to be connected to this virtual machine if you want the end user to connect USB devices present on the host machine.
- Select Expire the virtual machine after and set a date and time for the expiration.
Note: This advanced option allows you to:
- Change the message that displays when the virtual machine has expired.
- Add a message that displays when the virtual machine is about to expire. You can change when the message is displayed. The default is 10 days before expiration.
- Change the Restrictions Management Server. The default server is a VMware time server. You can change this to any server that supports the HTTPS protocol.
- Change the server contact frequency to verify the time. The default is 30 minutes.
- Change the maximum time the virtual machine can be used offline without any contact to the Restrictions Management Server.
- Click OK.
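
The expiration check described above (server-validated time, contact frequency, offline lease), modelled as an added Python example; it is not VMware's code. The class and function names, the 3-day offline lease, and the use of a host monotonic counter to measure time since the last server contact are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Restrictions:
    expires_at: datetime
    warn_before: timedelta = timedelta(days=10)       # default stated on the page
    contact_every: timedelta = timedelta(minutes=30)  # default stated on the page
    offline_lease: timedelta = timedelta(days=3)      # constructed; page gives no default

@dataclass
class Sync:
    server_time: datetime  # time reported by the HTTPS time server
    mono: float            # host monotonic counter (seconds) when it was received

def sync_due(policy: Restrictions, last: Sync, mono_now: float) -> bool:
    """True when the contact frequency says to query the server again."""
    return timedelta(seconds=mono_now - last.mono) >= policy.contact_every

def evaluate(policy: Restrictions, last: Sync, mono_now: float) -> str:
    """Decide from server time plus elapsed monotonic time; the host wall
    clock is never read, so setting it back changes nothing."""
    offline_for = timedelta(seconds=mono_now - last.mono)
    if offline_for > policy.offline_lease:
        return "blocked: offline lease exceeded"
    trusted_now = last.server_time + offline_for
    if trusted_now >= policy.expires_at:
        return "blocked: expired"
    if trusted_now >= policy.expires_at - policy.warn_before:
        return "run: expiry warning"
    return "run"

# Constructed sample values (not taken from any real deployment)
UTC = timezone.utc
POLICY = Restrictions(expires_at=datetime(2030, 1, 31, tzinfo=UTC))
LAST = Sync(datetime(2030, 1, 15, 12, 0, tzinfo=UTC), mono=1000.0)

if __name__ == "__main__":
    for label, sync, mono in [
        ("1 h after sync", LAST, 1000.0 + 3600),
        ("4 days offline", LAST, 1000.0 + 4 * 86400),
        ("server says Jan 25", Sync(datetime(2030, 1, 25, tzinfo=UTC), 5000.0), 5000.0),
        ("server says Feb 1", Sync(datetime(2030, 2, 1, tzinfo=UTC), 9000.0), 9000.0),
    ]:
        print(f"{label}: {evaluate(POLICY, sync, mono)}")
```

A shorter offline lease narrows the window in which a disconnected host can keep running the virtual machine, at the cost of requiring more frequent connectivity to the Restrictions Management Server.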