Average time to read: 8 minutes

With the merge of XenApp into XenDesktop’s Flex Management Architecture (FMA) a lot changed, for most XenApp admins it meant they had to rethink their designs and as a result it was back to the drawing board. Take application, or resource, publishing for example, we now have to deal Delivery Groups and Machine Catalogs, nothing new if you’re used to working with XenDesktop, but if it’s ‘just’ XenApp you know, well… Even now where XenApp 7.5 is a product on it’s own, again, it’s still based on the Flex Management Architecture meaning it also still uses the same wizards and configuration options as in XenDesktop 7.x a few months ago, for the most part anyway.

Simply put

Machine Catalogs hold the machines from which our resources, applications and or desktops, are published. Delivery Groups (DG) are than used to take a few, or all, machines out of a Catalog (you can select them manually), next it will automatically discover all installed or available applications (it does this by communicating with the installed VDA), and last but not least, you will be able to assign these resources to your users, either individually or by AD groups. Per Delivery Group you can โ€˜publishโ€™ as many applications as you like, which are than managed through that particular Deliver Group. Of course resources, and users, can be added or deleted from the DG as needed and thereโ€™s basically no limit to the number of DGโ€™s you can create. Before I continue, if creating Machine Catalogs and Delivery Groups is something completely new to you, have a look here.

Separately

Which brings me to the following, what if we decide to publish, letโ€™s say, 10 applications from a single DG? No problem, it just means that all users assigned to that DG will see and have access to these applications and as such will be able to subscribe and launch them. Which of course could be exactly what you want. But what if youโ€™d like to manage and assign applications on a more granular level, per application or smaller applications groups for example?

citrix_logo_smallFirst off you can configure multiple separate Delivery Groups, one per application or smaller groups of applications per DG for example. Although due note that for this to work you will need to create multiple separate Machine Catalogs (MC) as well since a machine can only be a member of one Delivery Group (and Machine Catalog) at a time. Using this approach you might potentially end with as many Delivery Groups, and thus Machine Catalogs, as you have applications which for a lot of companies might be just fine. Just go through the process of creating a DG and an MC a few times, group your โ€˜baseโ€™ application set, and youโ€™ll be up and running in no time. Remember that this is just a way of making your resources available to your users, nothing more. It doesnโ€™t really matter if youโ€™re using PVS, MCS, App-V etc. if you donโ€™t assign users to your applications or desktops they wonโ€™t be able to access your resources no matter how they are provisioned.

Back to application publishing. If you need to publish and manage a few hundred applications the above method might not be your preferred approach. Having hundreds of Delivery Groups and Machine Catalogs probably isnโ€™t what you had in mind, so what else can we do? When applications get published, either all bundled into one Delivery Group or using separate Groups, you can still configure the properties of each application on a individual basis like we were used with earlier versions of XenApp, change its name, location, file type association etc. One of those properties is called Limit Visibility, this is what it looks like.

Limited 1When selecting โ€˜Limit visibility for this application to the users listed belowโ€™ it will do just that, only the users listed will see the published application and will be able to subscribe to it. Do note the explanation at the top, if you want to make sure that certain users wonโ€™t be able to launch a specific application (because not being able to see an icon doesnโ€™t mean it wonโ€™t launch), or a group of applications for that matter, you will need move them into a separate DG without those apps in it. The Limit Visibility feature is only available for applications, you canโ€™t use it to hide published desktops, but weโ€™ll get to that in a minute

LockFurther more, on a Hosted Shared Desktop environment you will need to make sure to โ€˜lock downโ€™ your desktop as you feel fit. Make sure that your users wonโ€™t be able to access any shares or other networks, browse the server file system, launch applications that way etc. In larger environments this is often accomplished with a little help from desktop management suites like RES Workspace Manager or AppSense for example. Of course these suites can do a lot more, and in my opinion should only be purchased if they are going to be used for a lot more than โ€˜justโ€™ locking down your desktop, but thatโ€™s another subject and beyond the scope of this article, for now this will do.

So you see, using the Limited Visibility feature enables you to configure dozens or hundreds of applications into one Delivery Group without you having to worry about needing to manage just as many Delivery groups or that all applications will be seen by all the members of that specific Delivery Group. Itโ€™s configurable on a per application basis.

Three delivery types to choose from

Remember that there are three Delivery types to choose from when creating a DG, you can choose to deliver Desktops, Desktops and Applications or ‘just’ applications. Now itโ€™s obvious that when you choose to publish either Desktops or Applications your users will get just that, a Hosted Shared Desktop or one or more applications to subscribe to and use depending on the DG they belong to. But what if you choose to create a Delivery Group that delivers both Desktops and Applications? In that case, by default, they will see the published desktop together with any applications that also might be published at that time, they will have permissions to launch both. Hereโ€™s on overview, as you can see, once you have created a Delivery Group itโ€™s always editable afterwards. The display name is the name given to the published desktop as seen by your users.

Limited 2Basically it comes down to this, you either publish multiple Delivery Groups, some with desktops (one published desktop per DG) and some with applications, and assign them accordingly. This way you can easily separate your different resources. However, when a user (or multiple) needs to use both the published desktop and a few published applications, he or she will need to be added to both, or at least multiple, Delivery Groups.

The other option is when users will use a specific set of applications together with a published desktop, in that case you might decide to go with the Desktop and Applications delivery type when configuring your Delivery Group. This is probably the preferred way of publishing a Hosted Shared Desktop (HSD) environment where your users will also use several published applications on that HSD. I say preferred because these applications are hosted on, and published from, the same underlying machines (Catalog) keeping them close to one another. When needed you can always hide one or two apps as weโ€™ve seen.

But wait, there is more

ApplicationHostingThere is a third option. What if we configure a Delivery Group, select Desktops and Applications as the delivery type but still want our users to be able to use either the published desktop or โ€˜justโ€™ the applications? As weโ€™ve learned earlier hiding applications is easy, just use the Limit Visibility feature and think about whether or not you need to lock down your desktop any further. But as mentioned , Limit Visibility doesnโ€™t apply to published desktops, so while we are able to hide applications from certain users they will always see the published desktop when using this type of Delivery Group. Does this mean that if we want to โ€˜hideโ€™ the desktop we are back to using multiple DGโ€™s again? The answer is no, and hereโ€™s why.

The power of shell

powershellOnce weโ€™ve configured a Delivery group with the Desktops and Applications delivery type we can use PowerShell to limit access to the HSD. By default, When you create a delivery group with the delivery type set to Desktops and Applications, Studio creates one Entitlement Policy Rule and one App Entitlement Policy Rule for the group, meaning that each user is entitled to one desktop session and one app session. Studio doesn’t expose the user filter on these objects, so both are available to all users of the delivery group.

Using the PowerShell command: Set-BrokerEntitlementPolicyRule we can change this behaviour. It can set the IncludeUserFilterEnabled parameter to True instead of False, enabling the user filter, and it also lets you add in an AD security group, this way limiting access to just that group and that group alone as apposed to all users that are a member of the Delivery group.

This is how itโ€™s done, first you log on to one of your Delivery Controllers and open up a PowerShell console. Next you need to load the appropriate PowerShell Citrix snap-ins using the following command: Add-PSSnapin Citrix*

PowerShell 1Than you need to determine the name of the desktop entitlement group using this command: Get-BrokerEntitlementPolicyRule. It will display all Delivery Groups configured, their names, whether these groups are enabled or disabled, if the IncludeUserFilterEnabled is set to False or True (disabled or enabled), which AD security group is bound to the IncludeUsers parameter, meaning, who has access to the published desktop, and a few more.

Once you have that information, assuming that the IncludeUserFilterEnabled parameter is still set to False and no AD security group has been configured, itโ€™s time run the Set-BrokerEntitlementPolicyRule command where you specify the Delivery group it applies to, which AD user group should be added and finally set the IncludeUserFilterEnabled parameter to True to make it active:

PS C:\> Set-BrokerEntitlementPolicyRule -Name “fill in the Delivery Group name” -AddIncludedUsers “Domain\fill in the AD Security group name” -IncludedUserFilterEnabled $true

Finally hit enter. Again use the Get-BrokerEntitlementPolicyRule command to see if things have worked out the way they should. The result should look something like this:

PowerShell 2

Round up

Thatโ€™s it, were good to go. Now that you know which options you have in configuring your Delivery Groups and publishing your applications and desktops, itโ€™s up to you to decide how to implement these features. Multiple DGโ€™s with separate applications or desktops, perhaps hide a few along the way, combine the two and assign the desktop to a few specific AD groups and do the same with the applications, mix and match as you feel fit!

, , , ,


14 responses to “Configuring Citrix XenDesktop 7.x Desktop publishing and Limited Visibility!”

  1. m waril Avatar

    needs more clarification. You mention ” … publish, letโ€™s say, 10 applications from a single DG? ” and then go on to explain how one can add several delivery groups.. However I dont seem able to get that to work. I have only 1 host, 1 machine catalog, and thus I can create only one delivery group. I think i have to add several applications to the single delivery group and then use application visibility to limit this.

    1. Bas van Kaam Avatar

      Hi, I’m not exactly sure what you mean, I guess I need to read through the article first, it’s been a while :-) I’m in Greece at the moment (summer holiday) so I’ll check once I’m back home again, will be somewhere next week. Perhaps I’ve made an error, could be. Thanks for reading and commenting!

      Regards,

      Bas.

      1. m waril Avatar

        wondering if you had chance to resolve this. I still have the same issue. It isn’t a high priority but it is an issue.

        1. Bas van Kaam Avatar

          Yes I have, and it turns out I was partly wrong, or at least I described it partly wrong. It’s relatively straightforward to be honest. A machine from a Catalog can only belong to one Delivery Group at a time, and it can’t be a member of multiple Catalogs. So for example, you could have one Catalog with multiple machines, let’s say three, than you create three separate Delivery Groups, assign every group one machine from the Catalog, add-in the AD security groups holding the users and assign the appropriate applications. Sorry for causing any confusion, I’ll change the article as well. Of course you can also use one Delivery Group and add-in all the machines from the Catalog. But then you will need to apply limited visibility and make sure that your users are not able to start the applications, that you hided from them, in any other way.

          1. For Static Desktops we will have only one option( desktop or Applications) In Random(Discard) Desktops we will have both options Desktop and Applications)

          2. why is “desktop and applications” option not available for static desktops?

  2. Terence Luk Avatar

    I’ve been spending the past hour trying to find the cmdlet for adding users to the “AssociatedUserNames” after using the cmdlet:

    Get-BrokerApplication -Name “Notepad” |
    Set-BrokerApplication -UserFilterEnabled:$true
    … to limit visibility. The SDK does not contain any reference to it so I was wondering if you knew. Thanks.

    1. Bas van Kaam Avatar

      Hi Terence,

      Unfortunately not. Perhaps, in the mean time, you have found it already? If so, please share :-) To bad about the lack of information with regards to the SDK!

      Regards,

      Bas.

    2. Peter DuDeck Avatar

      Add-BrokerUser -Application AppName “DOMAINsamAccountName”

  3. […] Bas van Kaam also has a good description of this configuration. […]

  4. Brad Davidson Avatar

    HI Guys, I have setup a new 7.6 installation and all things going well, however … i can not figure out how to define what the default client resolution for a hosted desktop is, it seems to default to full screen and only be configurable by the receiver itself?
    Additionally I want to specify things like where receiver should put the icons for published apps/desktops… by default its not putting them on the users desktop, only start menu … and we’re having to manipulate at the receiver end.
    Cheers,
    Brad.

  5. Hi,
    When I create a desktop group in xendesktop 7.5 I don’t get option for “‘desktops and applications” in the delivery type. I only get desktop as one option and applications as second option, don’t have 3rd option for desktops and aps. does anybody know why?

  6. Bas van Kaam Avatar

    Hi Eric,

    Have a look at: https://www.citrix.com/blogs/2014/05/20/now-you-see-me-now-you-dont-a-guide-to-hiding-published-resources/ And do a Google search for something called Self Service Mode, this should get you a long way.

    Hope it helps.

    Regards,

    Bas.

  7. Hi Bas
    Is there any way to access an individual Desktop of a server to make testing of a specific application on that server possible? This was something we used on our XenApp 6.5 environment.. Within 7.9 it seems impossible.. Is there a workaround for this?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

About

Lorem Ipsum has been the industrys standard dummy text ever since the 1500s, when an unknown prmontserrat took a galley of type and scrambled it to make a type specimen book.

Lorem Ipsum has been the industrys standard dummy text ever since the 1500s, when an unknown prmontserrat took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged.

Categories

Gallery

Verified by MonsterInsights