FSLogix App has been around for a while, and it is one of the products that we love to talk about more and more! Reason for this is that it just made so many aspects of a Shared Infrastructure easy!! We worked on a couple of scenarios where customers had use cases to deploy a context based user experience / access on the shared desktop! Where in essentially an access to any application / data is strictly provided on a need basis rather than users having access to it.. just because it is installed on the system and intended for a different purpose!
So what factors does the FSLogix App-Masking actually help a VDI Architect with?
- Maintain a sort of Compliance across a Shared Desktop infrastructure (not that it cannot be used with a pooled desktop or even dedicated desktop! but the maximum use cases are for Shared Desktop infrastructure)
- Restrict access to licensed apps and provide access only based on the requirement!!
- Save yourself from horrible Audit calls! (Yes it does help there), In the past there was no way for us to provide a detailed report on how many users have accessed the Visio app vs how many were actually licensed to show the compliance. Now you would be able to prove the users that have access to it.. and also the number of users using the licenses.
- Save $$ and efforts- If your organization uses Hosted Shared Desktop / Pooled desktop, it helps you save some administrative overhead by reducing the number of images that you would have to maintain. Simply because you can load a whole bunch of applications on a single image, and just provide access to the users on a need basis
Phew… enough with the Chatter! Now lets see how it works in Practical:
- 1 Machine catalog
- 2 Session Host
- 1 Delivery Group assigned to all domain users
- Citrix Virtual apps and Desktop Version: 1912
- Session Host desktop name: “Corp Desktop” restricted to users with group: “Session Desktop”
- Apps Installed: Notepad++, Mozilla FIrefox
- A group named “Notepad License” is created to provide access to notepad++
- A group named “Firefox License” is created to provide access to users entitled for Firefox
- User1 is entitled to “Notepad License” Group (So he should only see Notepad++ when logged into Shared Desktop)
- User2 is entitled to “Firefox License” Group (So he should only see Firefox when logged into Shared desktop)
This is how the desktop looks like without FSLogix App Masking, As you can see we have both Notepad++ and Firefox showing up for the user “User1” and “User2”
So further to that we download and install FSLogixAppsSetup and FSLogixAppRuleseditorSetup! On both the Servers in the pool!
Points to Note:
- If these machines are identical, and all apps are installed in identical paths. Then you do not have to do the below steps on both the machines! Just do it on one! and replicate your rules.
- To edit the rules you would open the FSLogix Apps RulesEditor from the start menu! Below are the steps for same
Open the FSLogix Apps Rules Editor and Select New
Provide a name for the rule, this basically will create a FXR file
This file would usually store in the user’s Documents folder, but this one doesnt matter! just store it where you please!
FSLogix will scan the application attributes and provide a list of all places where the application has it’s files / references / registry entries
Click OK to proceed once Scan is completed
You will now be presented with all the attributes related to the app!
However, its not done yet! as the rule has no Assignments, In my case i want to apply Assignments based on Active Directory Group.
Right click on the Rule and Select “Manage Assignment”
You will notice a Default Assignment created.
You can remove the default Assignment
Click Add to Provide assignment for the rule
There is just more than one way to do the assignment! however for this demo i will choose “Group”. And Contradictory to default usage of “Hiding the selected App”, we will enable selected app to specific user group and disable for everyone else!
Note: The way FSLogix Works is – the assignment qualifying for Hide takes precedence over Show in case of a Assignment Conflict due to conflicting User Group mapping in AD and such!
After selecting the “Group” in previous screen, proceed to add the AD group that you want to set the rules for!
In My case i have created a group named “Notepad License” to provide access to users to Notepad++. Only users in this group will get access to Notepad!
The Rule Set Order is very important! First add the group you want to allow the Notepad to! and then add the Groups you do not want to allow the app to be visible!
In My Case i will just include the group to which i do not want the rule to be applied. FSLogix assumes that it needs to hide the app for anyone other than this group!
(You may want to add Administrators to rules exclusion for troubleshooting in realtime)
Once you have created the Rule Set Assignments.. and applied, Right Click and Apply the rules by selecting “Apply Rules to System”
This basically is just to test the Rule!
You will notice that there are 2 files in the file system path where you have chosen to store your rule file. FXR and FXA
You will need to replicate both of these files on every server where you want to apply this rule into the path: <FSLOGIX install directory>\Apps\Rules
Consider implementing an automation in production for this step
And.. You are done! just reboot the machine so that the FSLogix can compile the rules.
TO verify if compilation is successful go to <FSLogix Install directory>\Apps\CompiledRules you will be able to find an FXC and FXAC file for the rule created.
Safe to assume that the FSLogix rules are applied if you find these.
Repeat the steps for any other applications you might have! And… the results are as below:
Notice that both the users have logged on to the same machine “App-Pool2” and each one has access to only the application that they are entitled to.. the user cannot find the app even on start-menu or anywhere in file system!!