Application Isolated Environments & How To Implement

[John Hooper1709162241]

Good Evening All,

 

I have an application that will only function with a single user on the same machine and want to use this in a multi user environment.

 

Several years ago when wanting to configure a published application within XenApp (On Windows server 2003) that would not work well as a multi user application I would simply set up Isolation Environments for the application to run in.  It seems with new versions of Citrix on Windows 2019 etc. I cannot find for the life me where I can set up Isolation Environments. Does it still exist? I have an application at the moment that just does not want to work in a multi user environment and am positive if I am able to set up isolated environments I can get this functional.

 

I remember in the older versions of XenApp all I needed to do was configure an isolated environment (file and registry setting locations etc..), give it a name and then publish the application ticking the Isolated Application checkbox and selecting the isolated environment.

 

Seeking a little assistance or being pointed in the right direction.

 

Cheers & thanks in advance,

 

John

(Oh and apologies in advance if this is in the wrong forum)

[Joe Robinson]

Hey Jon,

 

I remember Application Isolation Enviromnets.  I was very sad when they went away and they have not returned.  It was a very, very valuatble feature and the way it was implemented made it very easy to implement.  I'm sad to say, there is no feature like this available in the later versions of the product.

 

I can suggest some alternatives that you may already be licensed for.  

 

FSLogix, which is now owned by microsoft, has a feature called App Masking.  While this isn't exact partiy to AIEs, it could help you in the scenario where applications are writing configuration files on a per user basis and multiple users would be stepping on each other.  This would be more similar to File Redirection Rules back.  You can take a file and redirect it somewhere else making an application THINK its writing to one location, when really it's writing somewhere else (instead of C:\Program Files\Whatever it's writing to %appdata%\Whatever).  This probably isn't going to work if you need true isolation.

 

Another solution would be some sort of App Virtualization software.  I've used Microsoft App-V for years now and have been very happy with it.  It's actually built into the newer operating systems and the OS understands it.  The best way for me to describe it would be Application Isolation Environments on Steroids!  You could easily sequence a blank appv package and then start the executable inside this virtual environment.  This should "hide" the app from other users on the same machine and isolate the process a bit more.  There are lots of rules to play around with, but by default -- andything written to folders in the App-V package get virtualized on a per user basis very similar to AIEs.  You can even add registry settings to virtualize as well.  These settings then become part of the users profile and you can roam them like any other file and registry setting.

 

PRO TIP:  When you start your application, you can pull it into the virtual environment created by App-V using the /appvve switch.  App-V Packages have two unique GUIDs that identify them -- The Package and the Version.   Each time you add rules, fules, or any changes -- the version GUID regenerates, but the Package stays the same.  The OS adds this switch to all Executables and you can just run myapp.exe /appvve:<applicationguid>_<versionguid> and it will start the application inside the virtual environment for you. 

 

A thid "option" I'm going to throw out is one that isn't going to work on it's own.  Microsoft has a very powerful set of tools that allow you to create what they call Shims.  These Shims are able to fake the application into behaving differently.  If you look at the "compatibility" settings on an executable or shortcut, you'll see options like running it for a different OS, different color modes, etc.  These are just shims, and only a very, very small subset of them.  Shims can get complicated to create, but at a very high level you use the editor to create a database file.  The database file is then deployed to the machine and the shims become active. 

 

PRO TIP: These database files are really just registry settings (for all the shims I've used at least).  When you install the database file, it just sets a registry key.  I've taken to skipping the database file and applying the shims directly to the registry via GPO, WEM, or directly in my images/installs.  I find adding processes to registry keys that I already know about to be alot easier than using the editor, creating a database, deploying the database, and then going back and editing said database every time I want to make a change (and then redeploying it to all machines).

 

I hope this gets you going on some of the alternatives.  If you end up finding something different, please do share!  AIEs were an amazing tool almost ahead of their time.  I absolutely love this type of technology!  Feel free to reach out if you want to chat more about any of the options above.  

[John Hooper1709162241]

Good Morning Joe,

Thank you so very much for such an in-depth response. I truly appreciate it. This is exactly the information I have been looking for. I have not played with this side of the house for many years and 'back then' things seemed a lot easier to do within XenApp ?

 

All the methods you have described may indeed fit the bill on what I am trying to achieve. If I go down the road of the App-V packaging I may need to involve other teams which I would like to avoid as much as possible as the application I need to publish changes frequently and involving other departments will introduce delays. If I can package the application myself (without the need of the other teams) and get it onto the Citrix server that will a great option.  Ill have to study up on App-V packaging and deployment onto Citrix servers. I have access to the servers and can install applications onto them, however not to sure if I can publish App-V packages to the servers (something Ill have to check). I have seen the option within the App-V part of the Citrix Studio where there was an option of Isolation Groups (not to sure if I have access to that or not - but Ill investigate next week) and not to sure if this is the same thing as thing as the older AIEs.

 

These Application Shim seems a nice idea as well. Something I really want to investigate further.

 

The application that I am trying to solve actually functions well when published. The problem however is when a second user launches the published application it kicks the first user out.

 

With regards to the older AIEs, yes they were great and very easy to set up. While I do acknowledge that technology moves on and we must keep abreast of this I do always see that sometimes it was just easier to do previously, published content is another example ? (This I have solved worked out already ?)

 

Thanks once again Joe and Ill be sure to touch base again should I have any more questions.

 

Cheers and have a great day,

 

John