Jump to content
Welcome to our new Citrix community!
  • 0

Handling multiple Applications when users belong to conflicting AD groups


Barry

Question

I'm new to WEM and currently testing it out on a test lab I've set up.

For Context
I'm trying to set up a shared system that will be used by multiple users at the same time.
100+ users will be added to an AD Group Win10 Users and by default all users should have Application A

There will come a time when a user can request access to Application B this is a more advanced version of Application A
The request will automatically add the user to a different AD group AppB for that specific application 
When the user logs into the desktop, Application A should not be deployed to the user if they are a member of both Win10 Users and AppB and they should only be able to see Application B

Users
User A
User B

Applications
Application A
Application B

Machine
Win10 VM

AD Groups
Win10 Users - User A and User B are both members
AppB - User B is a member

 

  1. I have added both AD groups to the Active Directory Objects section via the WEM Admin console
  2. I've added both applications to Actions
  3. I've created a Filter Condition called AppB and set it to Enabled > Active Directory Group Match > AppB
  4. I've created a Filter Rule called AppB and set it to Enabled and added AppB to the Configured section
  5. I've assigned the Application A application to the Win10 VM group via Assignments via the Always True filter > Create Desktop Enable
  6. I've assigned the Application B application to the Win10 VM group via Assignments via the AppB filter > Create Desktop Enable
  7. To try and hide the Application A application from the AD group AppB users. I've added Application A to the AppB group via Assignments via Always True and set Create Desktop to Disable
  8. I've set the Priority of Win10 Users to 99 and left AppB at 100 to try to make the AppB Assignment run last so it hides the Application B, however, this does not happen
  9. When User B logs into the Win10 VM they see both desktop applications
  10. When User A logs into the Win10VM they only get Application A which is correct

 

I think I might be misunderstanding the functionality of what the Application Create Desktop being set to Disable does

However, I would like to try to avoid having to create another AD Group as the setup would be automated with the two groups that already exist.

Is the only way to accomplish this, to create a 3rd AD group for Application A?

 

Link to comment

3 answers to this question

Recommended Posts

  • 1

Good start, but it's a touch more simple than you think:

  • Add a Filter Condition called "Not In Group AppB". Use the condition type "No Active Directory Group Match" and specify DOMAIN\AppB
  • Create a Filter Rule that contains Condition "Not In Group AppB"
  • Assign the Application A application to the Win10 Users group and apply the No Active Directory Group Match Filter Rule. Set Create Desktop to True
  • Assign the Application B application to the AppB group. Set Create Desktop to True. You can use always true here for the filter rule 
  • Under Advanced Settings -> Advanced Options -> Unassigned Actions Revert Processing -> Revert Unassigned Applications: Enabled

The behavior should now be:

  • If the user is in the Win10 Users Group and NOT in the AppB group, they will get application A with a shortcut on their desktop
  • If the user is added to the AppB group, WEM will put a shortcut to application B on their desktop
  • If the user WAS in Win10 Users Group, and is now in the AppB group, WEM will remove the shortcut it created for Application A

The Create Desktop shortcut setting dumps a shortcut on the user desktop. If WEM does this, it tracks it. Thus, if you enable the revert unassigned applications setting and then change the group assignments, WEM will effectively "unassign" the application, which will trigger a removal, and a replacement with the other

 

Clear as mud?

  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...