FsLogix is a new way to manage application visibility and availability on a per user basis by creating a set of rules for the applications. For locally installed applications it enables you to make the application invisible to a user that is not granted permissions to use it. If you have not yet looked at the product I would recommend you do so. If you are interested in more information then please Contact Us. The hiding is not done at the NTFS level but lower down and when a user is not in the permitted group the application is literally not there. (N.B. Doug Brown has a really good overview on Installing and configuring FsLogix over on his site so rather than go through the whole overview, install and configuration please head over here and have a read. (http://docs.dabcc.com/byod/document/fslogix-apps-overview/). I will concentrate in this article about creating rules for managing App-V apps with FsLogix.
So having played with the product, it got me thinking about whether I could manage App-V applications without the need for a heavy management framework. I know there are the App-V infrastructure and SCCM and other App-V deployment mechanisms but I was looking for a way to deploy App-V applications without the need to introduce lots of server infrastructure. I wanted to utilise the PowerShell capabilities (Or App-V Scheduler) to deploy the apps to any platform, but still be able to present the apps to the users based on AD user groups. (See here for an overview of the end Solution – AD&M Part 1).
Creating FsLogix Rules for App-V Packages
The first thing we need to do is to import the App-V package into the Cache. We do this so that the application is available and all integration points are added. The FsLogix Rules creator will then help to find the items that we would want to hide as part of the rules. There are a number of ways to add the package to the client cache:
- Download Amberreef’s free App-V 5 client tool. (http://www.amberreef.co.uk/site/Downloads.aspx under “Free Amberreef Tools” choose the AR.c Package Client.)
- By PowerShell: Use the command
Add-AppvClientPackage –Path “Path to .AppV File” | Publish-AppvClientPackage –Global
Once the package has been added to the Cache and published type Get-AppvClientPackage -Name "Name of Package" and take a note of the PackageID and VersionID of the package
- Now the package has been added, open the FsLogix Rules editor and create a new Rule
Select the "Enter Program Files Path:" option and browse to the App-V Cache (%ProgramData%\App-V\"PackageID"\"VersionID") and select the "Root" folder
Select the SCAN option in the FsLogix Rules Editor followed by OK
The FsLogix Rule will include the install directory and any "COM" objects that it has been able to discover. These will then be masked from App-V integration points when the rule is applied. In the above example for &Zip the COM Object refers to the Shell Extension when you right click on a file.
- Hiding the Shortcuts is why we have published the application as –Global above. If we were to be managing our App-V apps with FsLogix then we would be doing the same at the client anyway. We can now browse the File system with the FsLogix Rules Editor and select them.
Create New Rules (Either Directory or file depending on what the package has laid down) to hide the shortcuts.
(N.B. it the program menu folder is only holding icons for the application hide the “Directory”, if it is a shared folder like office and you are deploying Visio, only hide the file)
You will find them in %ProgramData%\Microsoft\Windows\Start Menu\Programs and C:\Users\Public\Desktop
- Add any other relevant Registry values:
In the instance below for 7-zip I am adding the RegValue hiding rule HKLM\Software\Classes\.zip\(Default). When the FsLogix rule is applied this will revert the file association back to the standard Explorer Zip association. Without this in place there would be no Zip association and the user would be asked to create on when they try to open a zip file.
- Next you would create your user group association file and save the FsLogix rule for distribution along with the package. If you now publish the package globally to the end device and login as a user without permissions to the application they will not have it.
(N.B. Although not tested at this time I would expect that this application masking capability would also prevent Users from Publishing applications much like the enhanced functionality " Require publish as administrator " added in recent App-V SP3)
MAIN CONSIDERATION: IF you update the package a new PACKAGEID and/or VERSIONID will be created and the Rule will need to also be updated to reflect the New ID’s, but I hope that the above process has shown that the effort to do this in minimal (it shouldn’t take more than 5 minutes to create the rules).