Today I want to share a deeper look at FSLogix Apps on Citrix XenApp with you. I will explain how to get started with the installation, the creation of rules and the assignment of Profile Containers, and show you how it works in real life.
FSLogix is an agent that is installed on a server or client that controls the visibility of installed components. It is capable of managing registry and file system access. It does not replace technologies like application virtualization nor does it change the way you install and manage applications on your endpoints.
This is one big advantage over other products because it can be integrated seamlessly into every environment and you can take advantage of the features and possibilities.
Very simple! FSLogix controls the visibility of applications running on your platforms, no matter if VDI, RDSH, physical or virtual. You can control access on a system, user or group level, and hidden applications or drivers react as if they were not installed on the system. You can redirect files, directories, registry values and registry key objects for specific users, reducing the need to create additional silos or integrate technologies like application virtualization.
You simplify the complete technology stack by reducing the technologies you need in place to provide services to your customers or users.
And the best thing in my opinion is: you can automate it!
First of all you need Windows Vista or Windows Server 2008 and later as platform. Then you need the installation files. Get them here: https://info.fslogix.com/request-an-evaluation.
FSLogix comes with three installation files:
The FSLogix Apps Agent needs to be installed on the systems you want to control. The RuleEditors are only needed on the machines you create the rules on, e.g. a packaging or development system.
All executables come with the same setup parameters. Installation is easy this way:
Is there a service running?
After the installation of the agent you will find a new service on your systems. The Service is named FSLogix Apps Services. It runs the frxsvc.exe in “C:\Program Files\FSLogix\Apps\” and it is running under the SYSTEM account.
Are there any filter drivers?
Run fltmc in a command prompt or PowerShell console to see the newly added filter driver “frxdrv”:
What about the installation directory?
The installation directory contains five folders. The most important folder is the “Rules” folder. The Rules created with the help of the RuleEditors must be placed here in order to take effect.
Where do I find logs?
Logfiles are created in the following path: “%ProgramData%\FSLogix\Logs\”
If a user logs in for the first time information about that is tracked in the log file. See for yourself:
There are two ways you can create rules. The first one is by using the FSLogix Apps RulesEditor. The second way is with the help of the command line. Let´s check the RulesEditor way first. Start it by choosing FSLogix Apps RuleEditor in the start menu.
This will open the RuleEditor.
Create a new rule and give it a name:
The rules will be placed under “C:\Users\%username%\Documents\FSLogix Rule Sets”.
Now choose the application you want to hide and if necessary browse to the installation directory. Click “SCAN” and “OK” when finished.
Congratulations! You now have your first rule:
Now check the button to see what happens.
Et voila, the installation directory and the UNINSTALL string are gone.
The next step you should do is to assign the rule. You can add users, groups, processes, network locations, computers or directory containers.
For this test I will assign one of my test users. We have two options for the assignment:
Click OK when you´re finished. You should now have two new files in your user´s documents folder:
Notepad_plusplus.fxr – Contains the rules for the application or system
Notepad_plusplus.fxa – Contains the groups, users or systems the rule applies to
You should now copy these files to “C:\Program Files\FSLogix\Apps\Rules”. The rules will be applied immediately.
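Because every file dropped into this folder takes effect immediately, it is worth checking who can write to it. The following is an added example, not part of the original article: it lists unexpected write permissions on the Rules folder and hashes the deployed rule files. The list of trusted SIDs is an assumed baseline.

```powershell
# Added example (not from the article): audit write access to the FSLogix Rules folder
$rulesDir = 'C:\Program Files\FSLogix\Apps\Rules'   # path from the article

# SIDs expected to hold write access (assumed baseline; adjust to your policy)
$trustedSids = @(
    'S-1-5-18',        # SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Bits that allow creating, changing or deleting rule files
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherited ACEs may carry generic rights: GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)
$writeBits = $writeBits -bor 0x50000000

# Read the ACL with identities returned as SIDs, so the check works on localized systems
$acl  = Get-Acl -LiteralPath $rulesDir
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$unexpected = foreach ($ace in $aces) {
    $sid = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and
        ([int]$ace.FileSystemRights -band $writeBits) -and
        $trustedSids -notcontains $sid) {
        [pscustomobject]@{ Sid = $sid; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
}

if ($unexpected) {
    Write-Warning "Unexpected write access on $rulesDir"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Only trusted principals can write to $rulesDir"
}

# Hash the deployed rule and assignment files so later changes can be detected
Get-ChildItem -LiteralPath $rulesDir -File |
    Where-Object { $_.Extension -in '.fxr', '.fxa' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
```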
Alternative way of creating rules
You can use the command line to create rules that apply to the system. In the recent version of FSLogix Apps there is no way of creating the assignment files (FXA) without the help of the RuleEditor.
In order to create rules with the command line have a look at the following command:
[17:58:55][C:\Program Files\FSLogix\Apps|26]# .\frx.exe add-rule ?
Examples:
    frx add-rule -redirect -src-parent C:\Windows -src=test.ini -dest-parent __USER_PROFILE_PATH__ -dest test.ini
    frx add-rule -hide -src-parent C:\Windows
    frx add-rule -hide -src-parent \Registry\User\*\Software -src MySoftware
    frx add-rule -specific-data -src-parent \Registry\Machine\Software -src Value -datatype DWORD -data 42000000
    frx add-rule -vhd-attach -src-parent C:\MyVolFolder -dest C:\VHDs\mydisk.vhd
All the options for the command line are specified in the Automation chapter below.
I have installed FSLogix Apps on one RDSH server with the following applications installed:
I have two users that launch a desktop session each on the same RDSH server.
User “TestA” is not allowed to use Microsoft Project 2016, Mozilla Firefox and Foxit Reader. He has a text file on his desktop that should be launched from the local system. “TestA” is also allowed to use Profile Containers.
You can see that the text file located in “C:\Users\Public\Desktop” is opened locally and that the user is allowed to start Adobe Reader DC. Microsoft Project 2016 is not available.
User “TestB” is allowed to launch Microsoft Project 2016 and is not allowed to use Adobe Reader DC. He has the exact same textfile on his desktop that is redirected to a file located on a file server. “TestB” is configured to use a Roaming Profile.
You can see in this example that the file located in C:\Users\Public\Desktop is opened from the file server although the details show something different. You can also see that Microsoft Project 2016 can be used by this user and that he opens PDF documents with Foxit Reader instead of Adobe Reader DC.
This is a very simple example to give you an idea how rules work and what can be done with them. Let´s look at another feature…
In order to have a sleek and thin base image you can attach VHD or VHDX files from other locations to folders on your systems. Let me show you how.
I will attach a VHD with system tools to a folder on my RDSH server under the following path: “C:\tools”. The VHD is located on my file server.
This is the rule I will apply to the system:
Now watch what happens after applying it:
This is so freakin´ simple and we haven´t even begun to be creative with that stuff.
I really love automation and I love to be able to create configurations by writing scripts. If you want to have a baseline configuration of certain systems you could create a script that automatically creates the rules. This could look like this:
.\frx.exe add-rule -hide -src-parent="C:\" -src="Personality.ini"
.\frx.exe add-rule -hide -src-parent="C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools"
.\frx.exe add-rule -hide -src-parent="C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows System\"
.\frx.exe add-rule -hide -src-parent="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Accessories\"
.\frx.exe add-rule -hide -src-parent="C:\temp"
Look at the further Parameters we have here. We could attach VHDs wherever we want, hide certain Printers or redirect files and folders.
Parameters:
[Rule Type] Only one of the following rule types may be specified
    -hide            Hiding rule
    -redirect        Redirection rule
    -vhd-attach      VHD auto-attach rule
    -printer         Printer hiding rule
    -specific-data   Returns specific data for a registry value
    -src-parent      Parent directory/key or printer to which the rule applies
    -src             *File or value name
    -dest-parent     *Destination directory or key (redirection rules only)
    -dest            *Destination file or value (redirection rules only)
    -no-copy         *Creates a blank copy of the item upon redirection if it does not exist (default is to copy the source item)
    -volatile        *Volatile rule that will not persist across a machine reboot
    -datatype        *Type of specific data to return (SZ, DWORD)
    -data            *Hexadecimal representation of data to return
* Optional parameters
Special Variables (usable in -dest-parent/-dest parameters):
    __USER_SID__            User's SID
    __USER_NAME__           User's username
    __USER_PROFILE_PATH__   Path to users profile
If you do it this way you should be aware of the fact that no rule in the Rules folder is created. You will find these rules in the CompiledRules folder and as _DefaultRules.fxc file:
A deeper look into the file reveals the details. If you like you can edit the file directly.
Because the FXR and FXA files are simple text files we could also create them with a script without the need of using the RuleEditors. But you should be very careful with that. Today there is no documentation about the HEX values in the config files. I might try to document them if I find the time to test them and to be sure that they work.
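Rules created on the command line apply to everyone, so a baseline script should refuse to hide locations the operating system depends on. The following is an added example, not the author's script: it wraps the `frx.exe add-rule -hide -src-parent` call shown above with a path check. The denylist, the helper name `Test-SafeHidePath` and the dry-run switch are assumptions made for illustration.

```powershell
# Added example (not from the article): apply hide rules, refusing paths that would break the OS
$frx    = 'C:\Program Files\FSLogix\Apps\frx.exe'   # install path from the article
$dryRun = $true                                      # set to $false to create the rules

# Candidate rules; the first three come from the article's script, the last two are constructed bad input
$hidePaths = @(
    'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools',
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\',
    'C:\temp',
    'C:\Windows',
    'C:\'
)

# Roots that must stay visible (assumed denylist; extend it for your image)
$protected = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)},
               $env:ProgramData, "$env:SystemDrive\Users") | Where-Object { $_ }

function Test-SafeHidePath {
    param([string]$Path)
    $p = $Path.TrimEnd('\')
    if ($p -match '^[A-Za-z]:$') { return $false }            # a whole drive
    foreach ($root in $protected) {
        $r = $root.TrimEnd('\')
        # Reject a protected root, a wildcard that matches it, or one of its ancestors
        if ($r -like $p -or $r.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

foreach ($path in $hidePaths) {
    if (-not (Test-SafeHidePath $path)) {
        Write-Warning "Refused, would hide a protected location: $path"
        continue
    }
    # Drop a trailing backslash so it cannot escape the closing quote of the argument
    $clean = $path.TrimEnd('\')
    if ($dryRun) { Write-Output "Would run: frx.exe add-rule -hide -src-parent $clean"; continue }
    & $frx add-rule -hide -src-parent $clean
    # Treating a non-zero exit code as failure is an assumption about frx.exe
    if ($LASTEXITCODE -ne 0) { Write-Warning "frx.exe exited with $LASTEXITCODE for $path" }
}
```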
This is it for a first look. I hope it was interesting and useful for you. Now we will switch to the Profile Containers.
In order to get Profile Containers up and running you need to change a few things on your target system.
First of all you should have a look at your local security groups. There should be two groups after the installation of the FSLogix components:
The Include List has “Everyone” as member. If you don´t want this you need to remove the Everyone group and insert whoever you want to use Profile Containers. I would suggest adding the users via Group Policy to have a standardized way for all systems in your environment.
You need to configure the Profile Containers Path in the registry. Add the Key “VHDLocations” as REG_MULTI_SZ with a minimum of one Path under the following path “HKLM\SOFTWARE\FSLogix\Profiles”. If there is no path inserted or the key is missing it won´t work.
There are some other optional keys you can set to configure the Profile Containers:
VHDLocations as REG_MULTI_SZ
(\\server\share\Profiles). Local paths must be in drive letter format (C:\Profiles).
VolumeType as REG_SZ
(optional) Type of container to use, VHD or VHDX – If not specified, default is VHD. Note that VHDX format is only supported on Windows 8 or Server 2012 (or later).
VHDXSectorSize as REG_DWORD
(optional) Sector size, 0 or 4096 (0x1000) – If not specified, default is 0 which simply triggers the container default.
SizeInMBs as REG_DWORD
(optional) Size in MBs for new containers. If not specified, default is 30000 (30 GBs). Pay attention to Decimal vs Hex when specifying the number.
IsDynamic as REG_DWORD
(optional) 0 indicates Full Allocation, and 1 indicates Dynamic. Full Allocation means that the VHD file is immediately sized to the specified size of the disk. Dynamic Allocation means that the file is resized as new space is required. Full Allocation is slower at creation time, but produces better performance when writes happen since the entire space is already allocated. Dynamic is faster at creation time but may result in some latency as the file is resized accordingly.
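The constraints listed above can be checked before the first user logs on. The following is an added example, not part of the original article: it reads the values under “HKLM\SOFTWARE\FSLogix\Profiles” and reports anything that contradicts the descriptions above. The function name `Test-ProfileContainerConfig` is hypothetical.

```powershell
# Added example (not from the article): validate the Profile Containers registry values
function Test-ProfileContainerConfig {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\FSLogix\Profiles')   # key from the article
    if (-not (Test-Path $KeyPath)) { return ,@("Key missing: $KeyPath") }
    $issues = @()
    $k      = Get-Item -Path $KeyPath
    $names  = $k.GetValueNames()

    # VHDLocations is mandatory and must hold at least one usable path
    if ($names -notcontains 'VHDLocations') {
        $issues += 'VHDLocations is missing, Profile Containers will not work'
    } elseif ($k.GetValueKind('VHDLocations') -ne 'MultiString') {
        $issues += 'VHDLocations must be REG_MULTI_SZ'
    } else {
        $paths = @($k.GetValue('VHDLocations')) | Where-Object { $_ }
        if (-not $paths) { $issues += 'VHDLocations contains no path' }
        foreach ($p in $paths) {
            if ($p -notmatch '^(\\\\[^\\]+\\[^\\]+|[A-Za-z]:\\)') {
                $issues += "Not a UNC or drive-letter path: $p"
            } elseif (-not (Test-Path -LiteralPath $p)) {
                $issues += "Path not reachable from this machine: $p"
            }
        }
    }
    # VHDX needs Windows 8 / Server 2012 (NT 6.2) or later
    if ($names -contains 'VolumeType') {
        $vt = $k.GetValue('VolumeType')
        if ($vt -notin 'VHD', 'VHDX') { $issues += "VolumeType must be VHD or VHDX, found: $vt" }
        elseif ($vt -eq 'VHDX' -and [Environment]::OSVersion.Version -lt [version]'6.2') {
            $issues += 'VolumeType VHDX is not supported on this OS version'
        }
    }
    if ($names -contains 'VHDXSectorSize' -and $k.GetValue('VHDXSectorSize') -notin 0, 4096) {
        $issues += 'VHDXSectorSize must be 0 or 4096 (0x1000)'
    }
    if ($names -contains 'IsDynamic' -and $k.GetValue('IsDynamic') -notin 0, 1) {
        $issues += 'IsDynamic must be 0 (full allocation) or 1 (dynamic)'
    }
    if ($names -contains 'SizeInMBs') {
        # Show the size in both notations to catch decimal/hex mix-ups
        $mb = $k.GetValue('SizeInMBs')
        Write-Output ("SizeInMBs = {0} decimal (0x{0:X})" -f $mb)
    }
    return $issues
}

Test-ProfileContainerConfig | ForEach-Object { Write-Warning $_ }
```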
If everything is fine you will see a Profile Container in the configured path.
If you want to migrate your existing profiles to Profile Containers you can use the command line:
[18:47:28][C:\Program Files\FSLogix\Apps|25]# .\frx.exe copy-profile
copy-profile
Copies the specified user profile into a VHD or VHDX. If the VHD or VHDX file does not exist, it will be created. By default the VHD or VHDX will be 30 GBs and sized dynamically.
Parameters:
    -filename          Specifies the path to the VHD or VHDX file
    -username          'username' or 'domain\username'
    -sid               Can be used instead of username to identify the profile
    -size-mbs          *Size in number of MBs for new VHD/VHDX
    -vhdx-sector-size  *VHDX sector size
    -dynamic           *Set to 1 if VHD should be dynamic, 0 for full allocation
    -src-parent        *Path to the parent VHD(X) file for differencing disks
    -verbose           *Enables verbose output
    -profile-path      *Specify the profile path
    -label             *Disk volume label (default is Profile)
* Optional parameters
Example:
    frx copy-profile -filename C:\Profile.vhd -username DOMAIN\USERNAME
A Profile Container will only be created if there is no existing user profile for the user on the system the user logs on to. Otherwise no Profile Container will be created. In this case look at the command line above.
And you must be aware of the fact that the Profile Container can only be accessed from one location at a time. If you start applications from multiple RDSH servers you won´t be able to access the Profile Container from the second machine.
A few words about rule assignments. In a XenApp or XenDesktop environment you typically create a domain local group for the resource assignment (e.g. Published application). A domain local group is used to integrate the users and this group is nested into the resource group.
I suggest you use the same resource group for the Published Applications and the Rule Assignment in FSLogix. This makes administration easy and you can implement a clean process.
As long as you have programs that are easy to scan with the RuleEditor everything is easy. Things are getting harder when you have to take care of FTAs or you want to install different versions of the same applications side-by-side. If you are a geek and are aware of that then you shouldn´t have any problems. If you don´t have deeper operating system knowledge you might get stuck here and there. And don´t hide important operating system files. Be aware of the fact that rules are created for everyone as long as you don’t change this with an assignment. You might create a system that is not working anymore.
The overall experience is great and most problems you might have are very simple to solve. Look at me, I could solve some access and redirection scenarios on my own ;-).
All information without warranty.
I love to hear from your experiences with FSLogix and if you achieved a major hack with it I would be glad if you would share it. If someone knows what “enable-shnot” does, let me know. I couldn’t find anything in the documentation. Thanks!