AppSense How to Guide 2.0

User Environment Management Implementation Guide


21 day trial of the software available at www.appsense.com/evaluate.


Contents

Introduction  4
Operating System Delivery Mechanisms  4
Traditional Desktops  4
Terminal Services  4
A New Approach - Virtual Desktops  4
What are the Benefits of VDI?  5
Managing a VDI Implementation  5
User Environment Management across a mixed environment  6
Introduction to common personalization approaches  7
Group Policy Objects  7
Logon Scripts  7
Logoff Scripts  8
User Profiles  8
Local Profiles  8
Roaming Profiles  8
Mandatory Profiles  9
3rd party, commercial profile solutions  9
Introduction to the AppSense solution  10
Policy Configuration  11
User Personalization  11
Best practice approach  13
Create a mandatory profile  13
Prepare the profile  14
Copy the profile to a shared folder  14
Remove certain user specific settings  14
Assign the mandatory profile to users  15
Policy Configuration  17
Folder redirection  17
Redirecting folders to user home drives with AppSense Environment Manager  18
File & Folder manipulation  20
Registry key manipulation  20
Policy Enforcement  21
User Personalization  27
Desktop Settings  29
Offline Support  29
Migration  30
Personalization Analysis  31
Personalization Analysis based on Application Size  33
Personalization Analysis based on Application Usage  36
Personalization Rollback  38
Reducing the number of base build images  40
Conclusion  42


Introduction

Corporate IT departments face increasing pressure to deliver the right operating systems and applications to the right people at the right time. New application delivery methods bring challenges in maintaining optimal service levels to end users. From inconsistent working environments to unpredictable application performance, users, IT and the business are impacted by these challenges.

These are core deliverables IT administrators must provide to their end users today, and AppSense User Environment Management simplifies the management of this increasingly complex IT infrastructure.

This document focuses on how AppSense Environment Manager 8.0 can be used to consistently ensure corporate policy and personalized environment settings are provided to users, independent of how an operating system or application is being delivered to the endpoint.

Combining company policy with user personalization across a range of application and operating system delivery mechanisms reduces maintenance costs, secures the environment and increases user productivity.

Operating System Delivery Mechanisms

The two common approaches to the delivery of client computing are the traditional desktop and terminal services.

TRADITIONAL DESKTOPS

Completely ubiquitous and representing over 90% of corporate desktops, these are self-contained machines that can trace their antecedents right back to the first ‘IBM Personal Computer’. Now much altered and much faster, they represent an increasing management challenge both in terms of total cost and service delivery.

An additional concern is the management of mobile users who make use of notebooks which could be offline for some time.

TERMINAL SERVICES

This is the hosting of multiple users in a single copy of a server operating system. Users connect using a remote display protocol from either a ‘thin client’ or a traditional PC. Terminal Services is a version of a Microsoft Server operating system that supports multi-user working where users run individual concurrent sessions. This solution works well for users who can be restricted to fit within a shared-use environment; concerns include performance, security and acceptability to users.

A NEW APPROACH - VIRTUAL DESKTOPS

Virtual Desktop Infrastructure (VDI) is a solution for client computing that offers a wide range of benefits over the traditional ways of deploying user desktops.

VDI seeks to keep the benefits of each of the above while avoiding the pitfalls. VDI allows multiple user desktops to run as separate virtual machines (sometimes referred to as ‘images’) while sharing underlying physical server hardware resources such as CPU, memory, networking and storage. This isolates users from each other, giving each user their own operating system and application set, allowing the user to customize their environment while protecting users from application crashes and operating system faults caused by the activities of other users.


What are the Benefits of VDI?

VDI retains many of the benefits associated with distributed computing while also realizing the benefits of a server based computing environment. By giving each user their own operating system, VDI retains many of the positive features of traditional desktop computing including:

USER FAMILIARITY: Users generally have considerable experience of traditional desktops and find a well managed VDI implementation instantly familiar.

APPLICATION COMPATIBILITY: Software developers typically target the traditional desktop, so application compatibility issues are significantly fewer in VDI than in terminal services.

FULL PERSONALIZATION: PC users are able to tailor their working environment, providing a personalized experience and enhancing user productivity.

However, since VDI is basically a server based computing model, it also achieves the benefits commonly associated with Terminal Server deployments, such as:

EASIER MANAGEMENT: Reduced desk-side management costs by centralising images.

SECURITY: Keeping data within the confines of the datacenter improves security.

SINGLE CONSISTENT IMAGE: All users can run a single desktop image, aiding management, regression testing and predictable service delivery.

MANAGING A VDI IMPLEMENTATION

VDI technologies offer a pre-packaged way of implementing the bulk of the infrastructure and can solve problems such as:

- Creating a fresh virtual desktop for a user, complete with installed applications, by cloning a reference image
- Connecting a user to a virtual desktop, either a specific one or from a pool
- Starting up or shutting down virtual desktops

Effectively these products manage the ‘outside’ of the virtual desktop. Additionally, there are a number of critical areas that then need to be managed within the virtual machine. These represent the user’s environment or ‘personality’.


User Environment Management across a mixed environment

The key to understanding the importance of policy and personalization across a mixed desktop, terminal server and VDI environment is to go back to the goals sought by moving to a VDI solution.

Many early VDI implementations were designed solely to provide a remote access solution that protected corporate data by keeping that data within the datacenter. These deployments justified themselves on the basis of security and compliance and were not concerned with potential management savings and improved service delivery.

Nowadays people are looking at VDI to provide a number of more tangible benefits as well as security and compliance. To achieve these benefits requires taking a fresh look at how you manage client computing.

One of the key capabilities in VDI is to move towards a pooled environment with a small number of images that are used across your user base. This represents the ultimate goal of many deployments, since traditional desktop environments will typically have very few desktops which are exactly identical, meaning maintenance is far costlier. However, whether you are running a pooled environment or a ‘one-to-one’ scenario, there are benefits to be had from extending management inside the virtual desktop:

POLICY CONFIGURATION: Control what users can do so as to match what they need to do.

USER PERSONALIZATION: Deliver user personalization into virtual desktops that are not already personalized (new, pooled, etc.) and manage the degree of personalization that a user has.

By trading off the extent to which you control what the user can do (Policy Configuration) against the amount of freedom they have (User Personalization) you can deliver a productive and easy to manage solution within a mixed desktop, terminal server and VDI environment.

User personality includes all the information that pertains to the user of that specific desktop. In a traditional desktop it would be tied to a particular machine, but in VDI this information can be separated from the machine, OS and applications. By doing this you can make it far easier to manage a mixed desktop, terminal server and VDI estate than an equivalent traditional desktop estate, while improving the service delivered to users.

The rest of this document looks at how this can be done and the results achieved by doing so. We will concentrate on three typical challenges inherent in a mixed environment implementation:

- Managing the user environment: By abstracting the user personality from the operating system and applications, then centralizing this information, policy and personalization can be more easily managed across the mixed environment.
- Moving to a VDI pooled image solution: Pooled environments deliver a fresh, clean image to a user every time they log in. This eliminates most common patching issues and delivers great service and cost characteristics. However, the user’s personality must be delivered to the virtual desktop image as they log on.
- Migrating users from a physical to a virtual desktop: Ensuring smooth, low cost migration that approaches the point where users would be unaware that anything had changed.


Introduction to common personalization approaches

There are many standard approaches that have been adopted over the years to deal with the very issues highlighted above. A typical solution tends to be a mixture of different approaches that together combat much of the complexity of managing the user, but they have not necessarily been aimed at managing personalization. The most common approaches are listed below.

GROUP POLICY OBJECTS

With the delivery of Windows 2000, Microsoft introduced Active Directory (AD), which brought with it the Group Policy Object (GPO), applicable to Windows 2000, 2003, 2008, XP and Vista server and desktop infrastructure. The GPO is a very powerful mechanism to pre-define common configuration (Policy) that the Systems Administrator wants set for a specific user / group on a specific device / location for a specific application.

The GPO is the place where a Systems Administrator would typically configure desktop / application settings that must always be set to the same value, regardless of what the user wants the value to be. The GPO is therefore considered applicable to policy configuration (as the name suggests) rather than personalization.

The main challenge with GPOs is quite simply the management overhead required to keep on top of the ever changing requirements of the enterprise. Given that Policy is typically applied [within the AD] at Domain level, Computer Organizational Unit (OU) level and at User OU level, it can easily and rapidly become a management nightmare to ensure that the complexity does not overcome the needs of policy configuration in the first place. This, along with the GPO’s lack of fine-grained targeting (limited to AD Groups and OUs as the means of deciding whether Policy is applied), makes GPOs a difficult method to accurately deliver policy to corporate end points and end users.

LOGON SCRIPTS

The traditional logon script has long been the de facto method to configure enterprise options for a user and, as its name suggests, the logon script executes during login. This makes it a one stop ‘set and forget’ solution in that once the value has been applied the script has performed its job.

A typical logon script will connect network drive mappings and printers and perform other tasks such as ensuring corporate email clients are correctly configured, as well as copying necessary files and / or folders into place within the user’s home directory or profile.

Logon scripts have historically been written in the standard Microsoft command script language, although Visual Basic Scripting (and to a lesser extent KiXtart) has become more commonplace over the last few years due to its flexibility and feature set.

Logon scripts by their very design are synchronous in their approach, which can mean that while some of the actions required to be part of the script are completely unrelated, they are addressed in line with each other.

This shows itself as a user logon taking an unacceptable length of time due to the number of actions, all of which are fed into the operating system line by line. At the same time, because the script is an interpreted language, the styles of different authors can rapidly make the scripts difficult to read and follow, making debugging or alterations a very time consuming task.


LOGOFF SCRIPTS

Logoff scripts were introduced to most systems administrators when they became an option within Active Directory GPOs. They are not widely used, but where they are, typically they extract data, examples being user preferences and other application specifics that are copied out to the home directory for later use (usually to be put back in during the next logon sequence).

As with logon scripts, many different scripting languages may be utilised, but typically the same language will be used as for logon scripting, as the same script developer(s) will have been responsible for both types of script. Similarly, the downsides of logoff scripts mirror those of logon scripts, and with a finite window of opportunity for a logoff script, the script must complete in less than 60 seconds before the Operating System will simply terminate the script and prevent further processing.

USER PROFILES

Administrators must make a decision on the type of profile that best suits their desktop, terminal server and VDI implementation. On computers running Microsoft Windows Operating Systems, user profiles automatically create and maintain the desktop settings for each user’s environment on the local computer. User Profiles are the main source of personalization in use today since they exist to provide some level of personalization to the user population. There are currently four main profile options available to administrators.

LOCAL PROFILES

Administrators can elect to make use of the local user profile that is created the first time a user logs onto a computer and is stored on the computer’s local hard disk. This type of profile is typically used within a physical desktop infrastructure where users return to the same physical desktop day in, day out. Any changes made to the local user profile are specific to the computer on which the changes were made, and the changes are not reflected on any other desktop that the user logs onto. This approach can be used if an organization decides that a one-to-one correlation of Virtual Desktops to VDI users is acceptable. However, there is still a lack of management for this type of profile, which makes using them a complex task even in the one-to-one scenario.

ROAMING PROFILES

Roaming Profiles are used where the user may log on to multiple similar workstations, e.g. VDI, where profile information needs to be stored in a central location and copied to the virtual desktop when the user logs on, or when the user switches between many different Operating System delivery mechanisms. Any changes to the profile are made to this local copy while the user is logged on. When the user logs off the profile is copied back to the central location, replacing the previous copy. In this way the latest version of the user profile is available to the user, independent of the session logged onto.

However, roaming profiles can present several issues to the enterprise, including huge performance degradation and heavy network utilization, and often result in the profile growing in size to several gigabytes. These issues quite often culminate in users experiencing slow logon times. As a note, these problems also often occur with local profiles.


As with logoff scripts, the roaming profile only has a small window of time to copy back the local cache to the central location at logoff. As the profile grows in size (with use), the likelihood of this copy being terminated by the operating system mid-copy increases, which culminates in inconsistencies in, or corruption of, the content of the profile in the central location. The result is an unusable central profile, leaving the user unable to access the service provided with their personalization intact.

MANDATORY PROFILES

A Mandatory profile is usually stored locally on the virtual or physical desktop or terminal server and is used as a base for each user profile. Mandatory profiles are read-only profiles that simply discard any user modifications / additions at user logoff. These are by their very design the lightest weight profile, delivering the best logon performance and stability; however they bring with them many challenges. For example, all user specific data (such as Microsoft Outlook connection settings, Microsoft Office Toolbar options and such like) will be lost as soon as the user logs off. As a result the Mandatory profile is fast to load (logon) as well as unload (logoff), has little required management (the administrator needs to create the profile just once and should only need to return to it should new application settings be required) and cannot corrupt with use. However, mandatory profiles are unacceptable for most users because of the lack of persistent personalization within the user’s environment.

3RD PARTY, COMMERCIAL PROFILE SOLUTIONS

There are a number of 3rd party commercial profile solutions on the market that cater for basic user personalization. However, these solutions do not resolve the issue of user environment management across operating system and application delivery mechanism boundaries and hence require the administrator to configure the solution in different ways for each desired environment.

User personalization is typically managed at user logon and logoff and hence requires all user personalization settings to be saved and restored at these times, thus adding load on the network and introducing major inefficiencies into the logon and logoff processes.

Additionally, these 3rd party, commercial solutions also fail to address the Policy Configuration aspect of a true user environment management solution, leaving the administrator with a decision on which other solution to utilize in order to address this.


Introduction to the AppSense solution

AppSense’s comprehensive user environment management solution delivers all the benefits of the above techniques plus many unique and market-leading features, all within a rich policy framework to allow great flexibility.

AppSense Environment Manager removes the burden of managing the user environment by automating the management of user personalization and dramatically simplifying policy configuration.

The AppSense Environment Manager console is split into two administrative sections:

- Policy Configuration
- User Personalization


POLICY CONFIGURATION

The Policy Configuration area of the console enables the administrator to very easily configure both default and enforced corporate policies that can be applied to either the computer or the user under a number of different scenarios.

Computer based actions can be triggered to apply when the computer starts up or shuts down or when a system process is started or stopped.

User based actions can be triggered to apply when the user logs on or logs off, when a user process is started or stopped, when the network is connected or disconnected, when a session is disconnected or reconnected or when a session is locked or unlocked.

Conditions can also be applied which enable actions to be executed based on who, where from or how a user is connecting to a computer or application. These rule conditions include Directory Membership, User, Computer, Session and Client based rules.

Policy Configuration actions include registry, file, folder, drive, printer, ODBC, App-V, custom, execute, group policy, environment variable, shortcut, self-heal and lockdown.

By easily manipulating these triggers, conditions and actions, an administrator can quickly set up and deploy a policy configuration for users which can be shared and utilized across operating system boundaries and differing application delivery mechanisms.

USER PERSONALIZATION

Environment Manager 8.0 introduces a unique approach to the management of user personalization. A three-tier architecture is utilized, consisting of the following basic components:


- Environment Manager Agent (tier 1)
  Installed on each managed endpoint, this is responsible for ensuring user personalization data is saved and restored on demand and also ensures policy configuration settings are applied when required.
- Personalization Server (tier 2)
  An IIS web server responsible for synchronizing user personalization settings between the SQL database and the Environment Manager Agent when the user logs on or off or when an application is started or stopped.
- SQL Database (tier 3)
  This holds information related to personalization sites and servers, users and groups, applications, endpoint configuration data and user personalization data.

When a user logs on to a managed endpoint, the Environment Manager Agent contacts the Personalization Server with details of the user logging on. The Personalization Server passes this information to the SQL database, which in turn retrieves the configuration for the user and returns it to the Personalization Server. The Personalization Server then passes back the relevant configuration to the managed endpoint.

At this point, any session specific personalization settings for that user, such as accessibility, appearance, cursor, keyboard, language, mouse, screen saver, theme and certificate settings, are streamed from the SQL database via the Personalization Server and restored to the endpoint.

When a user launches an application on the endpoint, a component of the Environment Manager Agent called the Profile Virtualization Component (PVC) is injected into the running process. The PVC verifies whether the application in question is under the management of Environment Manager.

The PVC (via a user-specific process called EMAgentAssist) contacts the Personalization Server to request that a personalization cache on the endpoint is updated with the latest personalization settings from the SQL database and streams these settings down to the endpoint.

Whilst the application is running and the user continues to change personalization settings within it, these changes are virtualized and are written to the personalization cache on the endpoint rather than into the physical registry or file system. This ensures the user has access to a local copy of the personalization settings, whilst abstracting the user’s personality from the physical operating system.

When the application is closed, the PVC notifies the Personalization Server that the application is closing and provides a copy of the modified personalization settings, which are stored in the SQL database. This means the user now also has a centralized copy of their latest personalization settings. If the user has two or more open concurrent sessions, these personalization settings can now be streamed to each of their concurrent sessions for that application, on demand, when the application is launched. This ensures consistent application and environment settings across open, concurrent sessions without the user having to log off and back on again.

When the user does log off, any open applications are closed and the process described above takes place. Session specific settings are also synchronized back to the SQL database at this point and, by default, the local personalization cache on the endpoint is purged.


Best practice approach

An enterprise planning a mixed physical desktop and VDI implementation needs to ensure that the proposed solution maximises efficiency while reducing cost. To this end, the requirements as outlined earlier in this document become ever more important and, as an overall view, a high level requirement from a VDI perspective would be to house a minimal number of virtual images in the core library.

To make this possible, it is necessary to make use of core functionality alongside third party technologies to ensure that the user personality can be easily transferred between the virtual machines as they provide application services to the users.

In order to deliver the necessary pooled solution we must make use of Environment Manager’s core functionality. This requires users to be presented with personalized profile information regardless of which virtual or physical desktop they log onto.

The recommended approach to this is to use a Mandatory Profile in conjunction with Environment Manager. However, the Environment Manager 8.0 solution can also function with any other type of profile.

CREATE A MANDATORY PROFILE

There are a couple of quick and easy ways in which a mandatory profile can be created, including:

1. Using a new user account on a virtual or physical desktop with no applications installed or policies applied. This ensures the mandatory profile does not contain any user specific settings and that it remains as small as possible.

2. The same as 1, but on a virtual or physical desktop that has all the applications installed. This ensures that the mandatory profile contains as many application settings as possible, although it will increase the size of the profile and could increase network utilization and user logon times.

In this example we shall use the first method and Microsoft Windows XP Professional as the target Operating System for the physical or virtual desktop.


PREPARE THE PROFILE

- On a domain controller, create a new user account that has the same permissions as the user or group for which you want to create a mandatory profile
- Log on to the physical or virtual desktop using the user account you just created
- A user profile is created on the physical or virtual desktop under the %SystemDrive%\Documents and Settings\<username> folder
- Configure the desktop settings required in the profile, including shortcuts, appearance settings and Start menu options
- Once you are happy with the profile, log the user off the physical or virtual desktop.

COPY THE PROFILE TO A SHARED FOLDER

- Create a shared folder on the network in which you want to store the new mandatory profile, for example \\<servername>\<sharename>
- Assign “Change” permissions to the shared folder
- Assign “Read & Execute” permissions to this folder for users and groups who will utilize the mandatory profile
- Log on to the domain as an administrative user on the same physical or virtual desktop
- Access the System Properties applet and on the Advanced tab, click Settings under “User Profiles”
- Under Profiles stored on this computer, select the profile created above and click “Copy To”
- In the Copy profile to field, enter the UNC path to the share created above (for example \\<servername>\<sharename>\<mandatory profile>) and click “OK”
- Under Permitted to use, click Change, add “Authenticated Users” and click “OK”
- On the physical or virtual desktop, navigate to the shared folder that contains the profile that has been copied
- Rename the file Ntuser.dat to Ntuser.man
- Finally, ensure the ownership of all the files and folders in the <mandatory profile> folder belongs to the “Administrators” group and not the “Administrator” user. Failure to do this can result in permissions problems when users attempt to access the mandatory profile at logon

REMOVE CERTAIN USER SPECIFIC SETTINGS

- Make a backup copy of Ntuser.man
- Open the registry editor (REGEDIT.EXE)
- Navigate to the root key of the “HKEY_USERS” hive
- Choose “Load Hive” from the File menu
- Select the Ntuser.man file created earlier
- Enter a name, for example “Mandatory”
- Select the “Mandatory” sub-tree and expand it
- It is now possible to edit the registry and remove any user specific settings from the mandatory profile without having to log on with that user account. This can be achieved by searching for known usernames or SIDs


- It is also possible to review and set permissions on specific registry keys
- Once finished, unload Ntuser.man from the registry by selecting the “Mandatory” sub-tree and choosing “Unload Hive” from the File menu
- Exit REGEDIT.EXE

ASSIGN THE MANDATORY PROFILE TO USERS

- As the administrative user, launch “Active Directory Users and Computers”
- Locate the organizational unit that contains the user account whose settings you want to modify
- In the right-hand pane, right-click the user account and click “Properties”
- Select the “Profile” tab
- In the Profile path field enter the location of the mandatory profile you wish to assign, for example \\<servername>\<sharename>, where <servername> is the name of the computer where the profile is stored and <sharename> is the shared folder that contains the mandatory profile
- Click “OK”
- Log on to the physical or virtual desktop using the account to which you have assigned the mandatory profile and ensure the mandatory profile has been applied correctly
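The copy and clean-up checks above (the Ntuser.dat rename, loading the hive, searching it for the build account's username and domain SIDs, and verifying that every file is owned by the Administrators group) carried out as an added PowerShell script; this is not part of the AppSense guide, and the share path \\SERVER\mandatory\mandatory profile and the account name mandtemplate are placeholders. It only reports leftovers; removing them stays a reviewed step in REGEDIT, as the guide describes.

```powershell
# Added example, not AppSense code. Audits a copied profile before it is handed out as
# the shared mandatory profile. Run elevated on a machine that can reach the share.
param(
    [string]$ProfileRoot = '\\SERVER\mandatory\mandatory profile',   # placeholder UNC path
    [string[]]$KnownUsers = @('mandtemplate')                        # placeholder: account(s) used to build the profile
)

$hiveName = 'MandatoryAudit'
$datPath  = Join-Path $ProfileRoot 'Ntuser.dat'
$manPath  = Join-Path $ProfileRoot 'Ntuser.man'

# Step 1: the .dat -> .man rename is what makes Windows treat the profile as read-only (mandatory)
if (Test-Path $datPath) { Rename-Item -Path $datPath -NewName 'Ntuser.man' }
if (-not (Test-Path $manPath)) { throw "No Ntuser.man found under $ProfileRoot" }
Copy-Item -Path $manPath -Destination "$manPath.bak" -Force      # back up before touching the hive

# Step 2: mount the hive under HKEY_USERS, the same thing "File > Load Hive" does in REGEDIT
& reg.exe load "HKU\$hiveName" $manPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $manPath" }

$leftovers = @()
try {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # Domain and local account SIDs look like S-1-5-21-<authority>-<rid>; well-known SIDs
    # (S-1-5-18 etc.) are expected in a profile and are deliberately not matched.
    $patterns = @('S-1-5-21-\d+-\d+-\d+-\d+') + @($KnownUsers | ForEach-Object { [regex]::Escape($_) })
    $pattern  = $patterns -join '|'

    foreach ($key in Get-ChildItem -Path "HKU:\$hiveName" -Recurse -ErrorAction SilentlyContinue) {
        if ($key.Name -match $pattern) {
            $leftovers += [pscustomobject]@{ Key = $key.Name; Value = '<key name>'; Data = '' }
        }
        foreach ($valueName in $key.GetValueNames()) {
            # Flatten REG_MULTI_SZ / REG_BINARY to one string so the regex can run over it
            $data = ($key.GetValue($valueName) -join ' ')
            if ($valueName -match $pattern -or $data -match $pattern) {
                $leftovers += [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
            }
        }
    }
}
finally {
    # Drop RegistryKey handles first, otherwise reg unload reports the hive as still in use
    Remove-Variable -Name key -ErrorAction SilentlyContinue
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$hiveName" | Out-Null
}

# Step 3: ownership must be the Administrators group, not the Administrator user,
# or users will hit permission errors when the profile is read at logon
$badOwners = Get-ChildItem -Path $ProfileRoot -Recurse -Force | ForEach-Object {
    $owner = (Get-Acl -Path $_.FullName).Owner
    if ($owner -ne 'BUILTIN\Administrators') {
        [pscustomobject]@{ Path = $_.FullName; Owner = $owner }
    }
}

'Registry entries still referencing the build account or a domain/local SID:'
$leftovers | Format-Table -AutoSize
'Files and folders not owned by BUILTIN\Administrators:'
$badOwners | Format-Table -AutoSize
```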

Note: We have just set up the user account to access the mandatory profile from a network share. As the user will be accessing the file from a remote location, this may slow down the user logon process and increase network utilization.

To resolve these issues, it is recommended you copy the Ntuser.man file from the network share and store it locally on each physical or virtual desktop on which users will be logging on.

The Profile Path within “Active Directory Users and Computers” can then be changed to point to the local copy of Ntuser.man (for example “C:\mandatory”).

Alternatively, you can also set the profile path with the Local Group Policy on each physical or virtual desktop.

Finally, you will need to ensure that any version control mechanism (for the profile) is fully aware of the local copy of the profile, so that where any changes to the mandatory profile are made centrally, the deployment mechanism of choice is made aware of the changes to ensure that the updated profile is propagated down to the client machines appropriately.

Many enterprise users of Environment Manager have opted to configure Environment Manager Computer | Startup actions to ensure that the latest copy of the enterprise mandatory profile is in place each and every time the physical or virtual desktop starts up. This allows the administration team to make amendments to the profile once and place it into a central location; Environment Manager then ensures that it is copied to each machine when it next boots up. This has been deemed a simpler way to ensure that enterprise users are benefiting from the correct mandatory profile and that login performance is maximized by storing the profile on the local machine. To accomplish this, the administrators do not need to keep editing the master virtual images, since Environment Manager takes care of it.

As a final note, you will need to ensure that each physical or virtual desktop successfully removes the mandatory profile when the user logs off. The Windows XP operating system will cache a copy of the profile in use after the user has logged off, even if this profile is set to mandatory, and occasionally this cache does not get removed properly during the logoff process.

Note: It is also recommended that on physical desktops the following Group Policy setting be enabled to delete users’ cached profiles at logoff:

This will ensure that each loaded user profile, for example C:\Documents and Settings\User, is removed at logoff, cleaning up your physical desktops.

Alternatively, this can be configured within the AppSense Environment Manager Console by making use of a Computer | Startup ADMX Policy action.

A Microsoft solution for this is to use a Windows Resource Kit utility called “DelProf.exe”, which needs to be executed after the user has logged off but before they attempt to log back on. This will ensure that any cached profile information is removed from the environment, ready to create a clean environment for the next user.

It is possible to execute DelProf.exe using an Environment Manager Computer | Startup Execute action to ensure that all user information is properly cleaned as the system starts up and prior to the next user accessing the solution. This can be seen in the screenshot opposite:

For further information please see:

• http://tinyurl.com/39vc9

• www.microsoft.com/downloads
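The startup housekeeping described above (refresh the local copy of the mandatory profile from the central share only when it has changed, and enforce cached-profile deletion at logoff) can be scripted. The following PowerShell is an added example, not code from the guide or from AppSense; it assumes the hypothetical share \\FS01\Profiles\Mandatory, the local folder C:\mandatory, and that it runs as a Computer Startup script under the SYSTEM account.

```powershell
# Added example (not AppSense's or Microsoft's code). Run at computer startup as SYSTEM,
# e.g. from an Environment Manager Computer | Startup Execute action.
# Assumed, hypothetical locations:
$CentralProfile = '\\FS01\Profiles\Mandatory'   # central share holding the master Ntuser.man
$LocalProfile   = 'C:\mandatory'                # local copy that the AD Profile path points at

function Get-ProfileFingerprint {
    # Hash the relative path and content of every file in a profile folder, so that any change
    # to the central copy (not only to Ntuser.man) triggers a refresh of the local copy.
    param([string]$Path)
    $root = $Path.TrimEnd('\')
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $sb   = New-Object System.Text.StringBuilder
    Get-ChildItem -Path $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object FullName |
        ForEach-Object {
            $rel   = $_.FullName.Substring($root.Length)
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $hash  = [System.BitConverter]::ToString($sha.ComputeHash($bytes))
            [void]$sb.AppendLine("$rel`t$hash")
        }
    $listBytes = [System.Text.Encoding]::UTF8.GetBytes($sb.ToString())
    return [System.BitConverter]::ToString($sha.ComputeHash($listBytes))
}

function Update-LocalMandatoryProfile {
    # Returns $true when the local copy was (re)created, $false when nothing was changed.
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path $Source)) {
        # Share unreachable at boot: keep whatever local copy exists rather than leaving the
        # machine with no mandatory profile at all.
        Write-Warning "Central profile $Source is unreachable; keeping the existing local copy."
        return $false
    }
    if ((Test-Path $Destination) -and
        ((Get-ProfileFingerprint $Source) -eq (Get-ProfileFingerprint $Destination))) {
        return $false   # local copy is already current
    }
    # Stage into a sibling folder and swap it in, so a logon never sees a half-copied profile.
    $staging = "$Destination.new"
    if (Test-Path $staging) { Remove-Item -Path $staging -Recurse -Force }
    Copy-Item -Path $Source -Destination $staging -Recurse -Force
    if (Test-Path $Destination) { Remove-Item -Path $Destination -Recurse -Force }
    Rename-Item -Path $staging -NewName (Split-Path -Path $Destination -Leaf)
    return $true
}

function Enable-CachedProfileCleanup {
    # Registry equivalent of the Group Policy setting 'Delete cached copies of roaming profiles'
    # (Computer Configuration > Administrative Templates > System > User Profiles), so that a
    # cached profile never survives to the next user's logon.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DeleteRoamingCache' -Value 1 -Type DWord
}

if (Update-LocalMandatoryProfile -Source $CentralProfile -Destination $LocalProfile) {
    Write-Output "Local mandatory profile at $LocalProfile refreshed from $CentralProfile."
}
Enable-CachedProfileCleanup
```

The DelProf.exe clean-up of stale cached profiles mentioned above is a separate Resource Kit tool and is not reproduced here.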

Policy Configuration

We will now see how the Policy Configuration side of the Environment Manager Console can be utilized to streamline user environment management across both physical and virtual desktops.

Folder redirection

Folder redirection can be used to help resolve personalization issues experienced when using mandatory profiles, although there are a number of considerations that need to be made:

The first is preventing users from saving personal information on the local drive of the physical or virtual desktop, because the user is not always guaranteed to return to the same desktop (especially in a pooled virtual desktop scenario). If the user saves work on the local drive, this information is only ever available on that physical or virtual desktop, leading to users potentially losing track of information between machines, and also the risk of information being lost permanently if the machine in question is reimaged or taken offline.

Consider the following: a traditional desktop scenario with no network file storage and users who “hot desk”. Very quickly information will be stored across many machines with no way to cross-reference where each piece of information actually resides.

The second is the physical size of a user profile; commonly used directories such as “My Documents” and “Application Data” can grow dramatically over time as more documents are created and more applications are installed on the physical or virtual desktop.

Folder redirection allows the user’s personal files and settings to be saved to another location, most commonly their home directory, which is outside of the profile itself. Most applications will use these redirected folders when prompting users for loading and saving files. This means that personal files are retained at logoff and, as these are no longer part of the profile, loading times during the logon process are significantly improved.

Folders can be redirected to any available location, including a local folder or a network drive, the most common place being the user’s home drive.

In this example, we are going to redirect folders to the user’s home directory so that user-specific files can be retained as well as being backed up each evening by the managed backup solution in place within the enterprise. Another benefit is that by redirecting the “Desktop” folder to user home directories, it can be included in the quota policy, where applicable, which prevents each user from having too many large documents on the desktop.

We assume that a home drive has previously been set up by the administrator within the “Active Directory Users and Computers” console, although it is possible to configure this using Environment Manager as appropriate.

Redirecting folders to user home drives with AppSense Environment Manager

• Open the Environment Manager Console.

• Navigate to the Policy Configuration area of the console:

• Navigate to the User | Logon node.

• Select the Add Node option and rename the new node to Redirect Folders:

• From the Actions tab expand the File & Folder ribbon option and select the Folder Redirection action:

• Select Add then choose the folder you wish to redirect in the drop-down Known Folder column.

• Enter the location to which you wish to redirect the folder in the Destination column.

• You will need to repeat this process for each folder you wish to redirect:

• Click OK to complete the Folder Redirection Action
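For readers who want to see what a Known Folder to Destination mapping amounts to underneath, the following PowerShell logon script is an added example (not the Environment Manager action and not AppSense code) that redirects Desktop, My Documents and Favorites to the user’s home drive by writing the per-user User Shell Folders registry values. It assumes the home drive is already mapped as H:, as the guide assumes, and the destination folder names are constructed for the example.

```powershell
# Added example (not AppSense code): redirect known folders to the user's home drive by writing
# the per-user 'User Shell Folders' values that Explorer and the common dialogs read.
# Assumption: the home drive is mapped as H: before this runs at logon.
$HomeDrive = 'H:'
$ShellKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Registry value name -> destination (constructed mapping for the example).
# 'Personal' is the value name Windows uses for My Documents.
$Redirections = @{
    'Desktop'   = "$HomeDrive\Desktop"
    'Personal'  = "$HomeDrive\Documents"
    'Favorites' = "$HomeDrive\Favorites"
}

function Redirect-UserFolders {
    # Returns $true when the redirection was applied, $false when it was skipped.
    param([hashtable]$Map, [string]$Drive, [string]$Key)
    # Failure mode to guard against: if the home drive is not available in this session,
    # pointing Desktop and My Documents at it would make those folders vanish for the user,
    # so leave the profile folders where they are and report it instead.
    if (-not (Test-Path "$Drive\")) {
        Write-Warning "Home drive $Drive is not mapped; folder redirection skipped."
        return $false
    }
    foreach ($name in $Map.Keys) {
        $dest = $Map[$name]
        # Create the target first so nothing is ever redirected to a non-existent path.
        if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
        Set-ItemProperty -Path $Key -Name $name -Value $dest -Type ExpandString
    }
    return $true
}

# Takes effect for processes started after the values are written (Explorer included when
# the script runs before the shell starts).
Redirect-UserFolders -Map $Redirections -Drive $HomeDrive -Key $ShellKey
```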

File & Folder manipulation

Once folder redirection has been configured, the need to manipulate specific files and folders is reduced dramatically. However, it is still possible to control the contents of both the redirected folders and the folders remaining within the actual profile directory.

The File and Folder actions are extremely useful for configuring the content of the user’s Start Menu before the logon process completes. This enables a truly dynamic approach to application provisioning for the users of the physical or virtual desktop.

This can be achieved by utilizing the Environment Manager File Action and Folder Action. Folder Actions include the ability to create, copy or delete a folder (as well as folder redirection). File Actions include the ability to move, copy, delete, rename or modify the attributes of a file.

For further details on File Actions and Folder Actions, please see the Environment Manager Administration Guide or the Environment Manager online help files. You can get copies of these files by registering for Environment Manager at www.appsense.com/evaluate.

Registry key manipulation

Registry manipulation enables the administrator to set up registry keys and values on behalf of the user for the delivered application set. Most applications require some form of default configuration to be present in order to operate correctly. The Environment Manager Registry action enables the administrator to define such registry entries before the user makes use of the application set.

Registry Actions include the ability to create or delete registry keys and to set, create, delete or set a default value for registry keys. Additionally, it is possible to import desired state settings from an existing machine or an exported registry file, or even manipulate registry settings using registry hiving.

For further details on the Registry Action Wizard, please see the Environment Manager Administration Guide or the Environment Manager online help files.

Policy Enforcement

Administrators require a greater degree of flexibility when it comes to managing what users can access on the physical or virtual desktop. We have already seen how folder redirection needs to be implemented to reduce profile size and potentially prevent users from saving work on the local drive (C:\) of the physical or virtual desktop.

Folder Redirection alone will not prevent the user from being able to gain access to the local drive. It is commonly acknowledged that if a user gains access to the local drive (C:\) then this is where they will save their data. It also means that the desktop build is potentially no longer in its original build state and technically needs to be re-built or re-imaged.

By introducing Environment Manager Lockdown technology into the physical and virtual desktop build, the administrator can prevent users from gaining access to the areas of the system that need to be hidden in order to preserve the quality of the build.

An example of stopping users accessing the local drive is shown below:

A user has accessed the Open dialog box from an application (in this simple example we use Microsoft Notepad).

The user simply has to type “C:\windows” to access a part of the operating system that should technically be out of bounds to users. Locking this functionality down using standard Microsoft operating system policies is difficult: preventing the user from accessing the local drive (C:\) using file system security will also prevent the application from accessing the drive, and the application will almost certainly stop functioning correctly. We also note that occasionally applications do not function correctly when they cannot directly “see” the folder structure, so simply applying the hidden attribute to the folders may not necessarily be the correct solution for all applications.

However, by implementing Environment Manager, an administrator is able to restrict the user from gaining access to the local drive (C:\) without affecting the functionality of the application set in use.

This is achieved by applying Lockdown actions. These can be applied from the Policy Configuration side of the console by creating a User-specific trigger node. In this example we are going to lock down the Notepad Open dialog as soon as the user logs on. To do this:

• From within the Environment Manager Console, navigate to the Lockdown tab on the ribbon

• Select the Blocked Text Library ribbon option:

• Add a blocked text list and name it System Drive Access.

• We now must identify the text that needs to be prevented.

• This will ensure that local drives as above cannot be accessed. Please note that we have also added “\\” to prevent the beginning of any UNC path from being typed into this text entry box.

• Click OK to continue.

• From within the Environment Manager Console, navigate to the Lockdown tab on the ribbon

• Select the Blocked Message Library ribbon option:

• Choose to add a message and configure it how you would like it to appear to users:

• Click OK to continue.

• Launch Notepad.exe as the administrator and open the Open dialog

• From within the Environment Manager Console, navigate to the User | Logon node.

• Select the Add Node option and rename the new node to Lockdown:

• From the Lockdown tab select the General Wizard:

• In the General Wizard dialog, select the Spy Tool and hold down the left mouse button, then release it over the File Name edit box in the Notepad Open dialog.

• The spy tool then identifies the parts of the application that can be locked down:

• Highlight the edit control filtered option and select OK.

• Select the message you would like to associate with this locked-down option and choose the Block Text Lists to apply:

• Click OK to continue.

• Save and deploy the configuration to the endpoint

The next time the user attempts to enter any of the blocked text into the Notepad Open dialog, they are prevented:

Other useful lockdown actions that could be enforced include:

• Internet Explorer Settings (prevent users deleting history etc.)

• Prevent users from changing network settings

• Locking down certain context menus

• Locking down certain shortcut keys (Print Screen etc.)

User Personalization

Environment Manager 8.0 utilizes a unique, on-demand streaming solution to resolve the issue of managing user personalization.

When the user logs on, only the personalization settings required at that point are loaded, meaning much faster logon times. As the user starts to make use of applications, the application-specific personalization settings are streamed down from a centralized SQL server when the application is launched.

When the application is closed, only the changes made by the user and written out by the application are synchronized back to the central database. This allows application personalization settings to be shared across open concurrent sessions without the user having to log off and back on again.

In order to enable this functionality, the user must access the Home tab from the Policy Configuration side of the console and select the Enable User Personalization option in the ribbon:

On the Select Personalization Server dialog, select the Add Server option, enter the Friendly Name and Server Name (or IP address) of the Personalization Server you wish to connect to, and click OK.

Finally, click Connect to connect the Environment Manager Console to the selected Personalization Server.

It is recommended that the Environment Manager Policy Configuration now be saved so that these connection details will be remembered.

Next click on the User Personalization navigation option:

From the Personalization tab on the ribbon bar, select the Connect option.

This presents a list of the available Personalization Servers. Identify the relevant Personalization Server and select Connect.

On the User Personalization tree in the left-hand column of the console, expand Personalization Groups and select the Default Users group.

In the right-hand pane select the Settings tab.

In the Processes box, ensure the Manage All Processes option is enabled; this should be enabled by default. This will ensure that any application a user launches that is not blacklisted is discovered and managed automatically, reducing the overhead of administrators having to identify which applications are being used by users.

Alternatively, it is possible to create a whitelist of managed applications. Only those processes listed in the whitelist will be managed (that is, if the Manage All Processes option has been disabled). An empty Default Whitelist application group is added to the whitelist by default.

It is also possible to create a blacklist of unmanaged applications.

A Default Blacklist application group is added to the blacklist by default. This ensures that certain applications are not managed by the Environment Manager Agent.

Desktop Settings

By default, Environment Manager 8.0 will manage all user desktop settings out of the box, assuming the User Personalization option has been enabled.

Desktop settings include:

• Accessibility settings

• Appearance settings

• Cursors

• Keyboard settings

• Language settings

• Mouse settings

• Screen Saver settings

• Certificates

These settings are synchronized to the SQL database at logoff and restored again when the user next logs on.

Once the Environment Manager Agent and configuration have been deployed to the physical or virtual endpoint, the management of personalized settings for users should automatically take place.

Offline Support

For mobile users who make use of notebook devices, it is possible to have their personalized settings roam with them whilst offline and then synchronize their latest settings once they return online.

Each time a user logs onto a managed endpoint, a Personalization Cache is created locally which contains virtualized registry and file system settings that have been manipulated by the user during that session.

By default, when the user logs off, this local Personalization Cache is purged to ensure disk space is not unnecessarily consumed.

By enabling Offline Mode, this local Personalization Cache is retained at logoff so that the user’s personalized settings are still available to them whilst they roam.

Offline mode is enabled on a per personalization group basis. It is enabled from the Settings tab of the selected Personalization Group:

Migration

Migration can come in many forms: from physical to virtual desktop; from local or roaming profile to a mandatory profile; or from one Windows operating system to another, such as Windows XP to Windows Vista.

Introducing users to a new virtual desktop environment in a greenfield scenario is a relatively simple process since there are no previous configuration or usage expectations from the user population.

However, migrating users from an existing physical desktop to a brand new virtual desktop can often lead to user personalization being lost within the process, and hence user dissatisfaction, especially when migrating across operating system boundaries.

Ensuring that the user’s transition to a virtual desktop is as transparent as possible is a key ingredient in the success of the project. Fortunately, this significantly painful issue can easily be mitigated by implementing Environment Manager in the existing physical desktop environment, whether or not it makes use of a local or roaming profile.

Once installed, Environment Manager 8.0 can be configured, on a per Personalization Group basis, to be switched into Migration Mode.

By default Environment Manager 8.0 utilizes a technique called ‘virtualize on write’ which intercepts any attempted application writes to the physical registry or file system and redirects these settings to the local Personalization Cache.

By switching on Migration Mode, Environment Manager instead utilizes a technique called ‘virtualize on read’ which reads in all of the local or roaming profile session and application-specific settings as and when the user uses them. This setting needs to be switched on for a period of time to ensure that all the profile settings are successfully migrated.

Migration Mode is enabled on a per personalization group basis. It is enabled from the Settings tab of the selected Personalization Group:

Environment Manager should also be configured to copy existing profile folders (e.g. Desktop and My Documents) from the current profile to the location to which you ultimately wish your folders to be redirected. In our example from earlier, this could be the user’s home drive (H:\). This means users can now be migrated without losing any of the personal settings that are contained within the existing physical environment. It also means that, following user migration, you now have all personalization information located and managed centrally, away from the physical or virtual desktops themselves.

Personalization Analysis

Environment Manager 8.0 includes a rich and interactive set of reports and graphs providing visibility into personalization activity across the desktop environment and the application landscape. This allows the administrator to identify trends in profile use and potential bottlenecks, enabling extraneous data to be omitted from the user profile where necessary.

The Personalization Analysis mechanism allows the administrator to filter reports based on personalization group, user or individual applications.

Application personalization settings for each user can be manually edited by the administrator within the console and immediately streamed down to the user on next use.

Personalization Analysis is instigated on a per personalization group basis.

• Within the User Personalization area of the Environment Manager Console, expand the Personalization Groups tree in the navigation pane and select the Default Users group

• On the Tools ribbon select the Personalization Analysis option from the Management section:

• The Personalization Analysis dialog is launched for the Default Users Personalization Group:

It is now possible to generate reports based on:

• Application Size

• Application Usage

• Available Archives

Personalization Analysis based on Application Size

Environment Manager 8.0 can be used to identify the size of the personalization settings on a per user or per application basis.

The screenshot below shows an Application Size report based on the users held within the SQL Database:

This example shows that the personalization settings for the user PROFILEDEMO\Test total around 4 MB in size.

If the administrator now clicks on the bar graph for the PROFILEDEMO\Test user, this 4 MB total of personalization settings is broken down into the individual desktop and application personalization settings for that user.

We can then start to see what the user personalization settings are made up of and which applications are utilizing the most storage space.

In the example below you can see that the desktop settings take up most of the total, followed closely by winword.exe and outlook.exe personalization settings.

You will also note that some of the applications are displayed in orange whilst others are displayed in blue.

Those applications in orange are termed managed applications as they have been manually added to a whitelist by the administrator.

Those applications in blue are termed discovered applications as they have been discovered by the Environment Manager Agent when the Manage All Processes option was enabled.

It is now possible to convert a discovered application to a managed application by right-clicking on the relevant discovered application and choosing the Convert to managed application... option.

This will add the discovered application to the list of managed personalization applications.

Alternatively, you can add the discovered application directly to a whitelist or blacklist for the selected personalization group, which will also automatically add it to the list of known personalization applications, by choosing either the Add to <personalization group>’s whitelist or Add to <personalization group>’s blacklist option respectively.

As you can see from the menu options above, it is also possible to delete the personalization settings for an application from within here, or even edit the registry settings associated with the personalized settings.

Editing the application registry settings results in a registry browser being launched which allows the administrator to amend the stored personalization settings for that user’s application. The example below shows the personalization settings stored for notepad.exe for the user PROFILEDEMO\Test:

The administrator could now easily change the font type from Arial to Webdings and the user would receive this updated font the next time they launched notepad.exe.

NOTE: Caution should be exercised when editing registry settings using this method as this can result in personalization inaccuracies.

Personalization Analysis based on Application Usage

Environment Manager 8.0 can be used to identify the usage count of applications on a per user or per application basis.

By entering values for the Start Date and End Date, details of application usage can be provided for the user for the period selected.

The screenshot below shows an Application Usage report based on the users held within the SQL Database:

This example shows that the total number of application launches for the user PROFILEDEMO\Test is 29.

If the administrator now clicks on the bar graph for the PROFILEDEMO\Test user, this information is broken down into the individual desktop and application personalization settings for that user.

We can then start to see how many times each application has been launched by the user during the timescale provided.

In the example below you can see that notepad.exe has been launched the most times during the time period selected, closely followed by winword.exe then mspaint.exe.

This functionality is useful for monitoring application usage with a view to identifying application license requirements.

Personalization Rollback

One of the most common and time-consuming tasks for administrators or IT support is resolving profile-related support cases. When profile corruption or inconsistencies occur, users often complain ‘it worked yesterday’ and do not understand why, through no fault of their own, they are unable to work effectively.

Incorrect, damaged or corrupt profiles are typically dealt with by resetting the profile and having the user rebuild their personalization settings from scratch.

Environment Manager 8.0 introduces the concept of Personalization Rollback, whereby an ‘archive’ or restore point can be taken of a user’s personalization settings. In the event of profile inconsistencies caused by user or system error, a user’s personalized settings can be restored to a ‘last known good configuration’ on a per application basis.

By default, a restore point is taken once per day for all users and applications stored in the database. Additionally, application restore points can be taken manually by the administrator on a per user basis at any given time.

Personalization Rollback is achieved via the Available Archives tab within the Personalization Analysis dialog.

The administrator can search for a particular user, and the discovered and managed applications for that user will be displayed in the report. The example below shows all the discovered and managed applications for the PROFILEDEMO\Test user:

To take a personalization restore point or ‘archive’ for a particular application, right-click on the chosen application and select the Archive <application name> option:

This will take a snapshot of the application settings for that user at that point in time.

The time-stamped archive, along with details of its size, will now be available from within the list:

If a user makes a modification to an application that causes inconsistencies with the personalization settings, rather than destroying the whole user profile, the selected archive for that specific application can be restored.

This is achieved by right-clicking on the relevant archive and choosing the Roll back this archive option:

As you can see, archives can also be deleted from the database from here.

This functionality offers a powerful and flexible alternative to current methods of restoring user profiles in the event of profile inconsistencies or corruption.

Reducing the number of base build images

We have discussed and demonstrated how we can best personalize both physical and pooled VDI images, but we must still address a key challenge regarding the number of base images required by the enterprise.

The lower the number of base builds, the less management complexity is involved and the less network storage space is required to house the images. This is of course a very easy statement to make, but significantly less easy to deliver, since the images themselves will need to ensure that all applications and their associated shortcuts are included. The additional complexity is then put onto the administrator in terms of needing to figure out how to allow only the users who hold licenses for the applications to get access, and to revoke access from those who do not.

Environment Manager enables the level of complexity within the build to be reduced by managing this aspect of complexity. Using Environment Manager’s Policy Configuration technology you can assign application shortcuts based on certain criteria, e.g. Active Directory Group.

In the example below, when a user logs on they receive all shortcuts available; however, they have no need for Microsoft Access, but because other users require it, it needs to be part of the build and present, and associated licenses are required.

If Environment Manager is present we can very easily tailor the physical or virtual desktop based on the following criteria, or indeed a hybrid of the criteria, to deliver a truly granular approach for the administrator (for example User Group = “Access Users” AND the Device Name of the image begins with “Virtual”):

In this case any user who is a member of the Access Users Group who is logging onto a device whose name begins with “Virtual” is automatically assigned the relevant shortcut.

This time when the user logs on they only see the application shortcuts that are applicable to them.
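The same two-part condition (member of “Access Users” AND device name beginning with “Virtual”) can be expressed in a logon script, which makes the evaluation order and the revoke path explicit. The following PowerShell is an added example, not an Environment Manager condition and not AppSense code; the Access executable path and the desktop shortcut name are assumptions for the example.

```powershell
# Added example (not AppSense code): create a desktop shortcut only when the user is a member
# of a given AD group AND the computer name starts with a given prefix; otherwise remove it.
# Run at user logon. Group name and device prefix are the ones used in the guide's example.
$RequiredGroup = 'Access Users'
$DevicePrefix  = 'Virtual'
$TargetExe     = "$env:ProgramFiles\Microsoft Office\Office12\MSACCESS.EXE"   # assumed install path
$ShortcutPath  = [System.IO.Path]::Combine([Environment]::GetFolderPath('Desktop'), 'Microsoft Access.lnk')

function Test-GroupMembership {
    # Checks the groups already present in the user's logon token rather than querying AD,
    # so the check also works when the domain controller is slow to answer at logon.
    param([string]$GroupName)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\Group
        } catch {
            continue   # unresolvable SIDs (e.g. deleted groups) are skipped
        }
        if ($account.Split('\')[-1] -eq $GroupName) { return $true }
    }
    return $false
}

function Test-DeviceName {
    param([string]$Prefix)
    return $env:COMPUTERNAME.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)
}

function Set-ConditionalShortcut {
    # Returns $true when the user is entitled to the shortcut on this device, else $false.
    param([string]$Group, [string]$Prefix, [string]$Target, [string]$Link)
    $entitled = (Test-GroupMembership $Group) -and (Test-DeviceName $Prefix)
    if ($entitled) {
        if (Test-Path $Target) {
            $shell = New-Object -ComObject WScript.Shell
            $lnk   = $shell.CreateShortcut($Link)
            $lnk.TargetPath = $Target
            $lnk.Save()
        } else {
            Write-Warning "$Target is not present on this image; shortcut not created."
        }
    } elseif (Test-Path $Link) {
        # Revoke path: a user who no longer qualifies loses the shortcut at the next logon.
        Remove-Item -Path $Link -Force
    }
    return $entitled
}

Set-ConditionalShortcut -Group $RequiredGroup -Prefix $DevicePrefix -Target $TargetExe -Link $ShortcutPath
```

As the note below points out, hiding the shortcut does not stop the binary from being launched by other means; that is what Application Manager is for.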

Note: By introducing AppSense Application Manager, another product in the AppSense solution set, administrators also have the ability to prevent users from actually executing applications that are not made available to them, even if they manage to locate the application binaries within the virtual image. For example, a user may not have a shortcut to Microsoft PowerPoint, but if they are sent a PowerPoint presentation as an attachment in their email, double-clicking the attachment would launch PowerPoint. Application Manager would prevent this from happening by disallowing PowerPoint from executing for that user, therefore restricting the user to his/her authorized applications.

As an alternative to this scenario, Environment Manager could be utilized to allow alternative technology to be used in lieu of the standard application by dynamically altering file associations to deliver the right application to the right user in real time. The example here may be the use of the PowerPoint Viewer instead of the full PowerPoint product, hence potentially saving on application licensing, or indeed allowing the user only to read presentations sent through email.

Further details of the Application Manager product can be found at www.appsense.com

Page 42: AppSense How to Guide 2.0

21 day trial of the software available at www.appsense.com/evaluate.

42

Conclusion

In its simplest terms, a physical or virtualized desktop environment can be seen as the combination of an operating system, a set of applications and the personality of the user. That personality comprises corporate policy and user preferences. The key to effective management of the user experience, and hence to happy and productive users, is finding the balance between these two aspects of the user personality, together with the ability to implement modifications when needed. The management of this personality is central to the AppSense user environment management solution.

As has been presented in this guide, attempting to manage all aspects of a user’s personality in both a

physical and virtual desktop environment without the appropriate tools is a significant challenge.

AppSense technology has been designed from inception with this challenge in mind.

There are three key challenges to a successful mixed-environment implementation that user environment management can significantly impact:

• Migrating users from a physical to a virtual desktop: ensuring a smooth, low-cost migration that approaches the point where users would be unaware that anything had changed.

• Managing the user environment: by abstracting the user personality from the physical or virtual desktop and centralizing this information, policy and personalization can be managed more easily across operating system boundaries and application delivery mechanisms.

• Moving to a pooled virtual image solution: pooled environments deliver a fresh, clean image to a user every time they log on. This eliminates most common patching issues and delivers excellent service and cost characteristics. However, the user's personality must be delivered to the virtual desktop image as they log on.

By combining tailored corporate policy with user personalization and managing this separately from the

desktop, the user’s working environment is predictable, managed and flexible regardless of how it is

accessed. The IT department is now able to use a combination of delivery mechanisms with no impact

to the user experience.

Page 44: AppSense How to Guide 2.0

The information contained in this document (“the Material”) is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Neither AppSense nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.

© 2000-2008 APPSENSE LIMITED. ALL RIGHTS RESERVED

AppSense is a registered trademark of AppSense Ltd. All other brands or product names are trademarks or registered trademarks of their respective companies.