AppSense Environment Manager Administration Guide

Environment Manager
Administration Guide
Guide
ENVIRONMENT MANAGER ADMINISTRATION GUIDE
Notice
The information contained in this document ("the Material") is believed to be
accurate at the time of printing, but no representation or warranty is given (express
or implied) as to its accuracy, completeness or correctness. AppSense Limited, its
associated companies and the publisher accept no liability whatsoever for any
direct, indirect or consequential loss or damage arising in any way from any use of
or reliance placed on this Material for any purpose.
Copyright in the whole and every part of this manual belongs to AppSense Limited
("the Owner") and may not be used, sold, transferred, copied or reproduced in whole
or in part in any manner or form or in or on any media to any person other than in
accordance with the terms of the Owner's Agreement or otherwise without the prior
written consent of the Owner.
Trademarks
AppSense and the AppSense logo are registered trademarks of AppSense Holdings
Ltd. Microsoft, Windows and SQL Server are trademarks or registered trademarks
of Microsoft Corporation. Fluent is a trademark of Microsoft Corporation and the
Fluent user interface is licensed from Microsoft Corporation. Other brand or product
names are trademarks or registered trademarks of their respective holders.
ii
C O N T E N T S
vii
Welcome
Chapter 1
Chapter 2
About this Document
vii
Terms and Conventions
vii
Feedback
viii
About Environment Manager
Product Overview
Architecture
Policy Configuration
User Personalization
Components
Key Benefits
The Console
Feature Summary
Configurations
12
Configurations
12
Save a Configuration
12
Tasks
14
iii
CONTENTS
Chapter 3
Best Practices
15
Chapter 4
Node Management
20
Node Structure
20
Library
20
Computer
22
User
23
Edit Nodes
25
Arrange Nodes
27
Tasks
27
Action Management
29
Actions
29
Chapter 5
Quick Setup Wizard
30
Registry
30
File and Folder
36
Drives and Printers
47
ODBC
49
App-V Wizard
49
Custom and Execute
50
Group Policy
52
Environment Variables
53
Shortcut
53
Run Node
54
Heal Actions
55
Tasks
57
Troubleshooting
60
iv
Chapter 6
Chapter 7
Chapter 8
CONTENTS
Condition Management
61
Conditions
62
Directory Membership
63
User
63
Computer
63
Session & Client
63
Custom
63
Run Conditions
66
Tasks
66
Lockdown Management
68
Lockdown
68
General Wizard
68
Keyboard Wizard
71
Office Wizard
72
Message Libraries
74
76
About User Personalization
76
Personalization Node Management
82
Personalization Applications
82
Personalization Groups
87
Sites
96
Personalization Analysis
100
Size
101
Whitelist Application Usage
102
Discovered Application Usage
104
Archives
106
Rollback
106
Authorized Users
107
Troubleshooting
108
CONTENTS
Auditing
109
Audit
109
Local Events
110
Configuration Profiler
115
Report Type
115
Report Criteria
115
Report Output
117
Appendix A
System Requirements
119
Appendix B
Triggers and Actions
121
Appendix C
Quick Setup Wizard Default Settings
123
Appendix D
Find and Replace
126
Appendix E
Wildcards
127
Appendix F
Licensing
128
About License Manager
129
Managing Licenses
130
Troubleshooting
131
Personalization Database Replication
132
Principles
132
Prerequisites
132
Initial Steps
133
Performing the Setup
133
Post Setup Steps
134
Streamed Applications
135
Citrix XenApp
135
Microsoft SoftGrid 4.2 and Microsoft App-V 4.5
136
Chapter 9
Chapter 10
Appendixes
Appendix G
Appendix H
Glossary
138
vi
W E L C O M E
This section includes the following:
About this Document
Feedback
About this Document

This document shows how to install, setup and use the components of AppSense Environment
Manager. The guide describes procedures that demonstrate the main functionality of
Environment Manager.
Document Information
Document Version
APEM80-04-130209-2
Publication number

Table 3.1 on page vii shows the textual and formatting conventions used in this document:
Table 3.1
Document Conventions
Convention
Use
Bold
Highlights items you can select in Windows and the product interface, including
nodes, menus items, dialog boxes and features.
Code
Used for scripting samples and code strings.
Italic
Highlights values you can enter in console text boxes and titles for other guides and
Helps in the documentation set.
vii
Table 3.1
WELCOME
Feedback
Document Conventions (continued)
Convention
Use
>
Indicates the path of a menu option. For example,

Select File > Open" means "click the File menu, and then click Open."
Note Highlights important points of the main text or provides supplementary
information.
Tip Offers additional techniques and help for users, to demonstrate the
advantages and capabilities of the product.
Caution/Warning Provides critical information relating to specific tasks or

indicates important considerations or risks.
Further Information Provides links to further information which include more

detail about the topic, either in the current document or related sources.
Feedback
The AppSense Documentation team aim to provide accurate and high quality documentation to
assist you in the installation, configuration and ongoing operation of AppSense products.
We are constantly striving to improve the documentation content and value any contribution
you wish to make based on your experiences with AppSense products.
Please send any comments to the following email address:
documentation.feedback@appsense.com
Thanks in advance,
The AppSense Documentation team
viii
About Environment Manager
This section provides the following:
Product Overview
Architecture
Key Benefits
The Console
Feature Summary
Product Overview
AppSense Environment Manager enables you to control and manage all levels of user access to
the physical and virtual desktop and server environment of your organization and includes easy
to configure User Personalization and Policy Configuration.
Environment Manager provides a more efficient alternative to roaming profiles, reducing the
potential for profile corruption and providing users with a consistent and seamless working
experience.
Through a combination of company policy and user personalization, administrators are able to
deliver optimal user environments regardless of how the environment is delivered to the user.
Environment Manager provides one profile management solution across Citrix, Microsoft
Terminal Server, Virtual Desktop and physical desktop environments.
Policy Configuration - controls what users can do so as to match what they need to do.
User Personalization - delivers user personalization into physical and virtual desktops.
Architecture
The AppSense Environment Manager system consists of the AppSense Environment Manager
console, Environment Manager Agent, Personalization Server and database.
The console is an administrative tool to create and manage configurations. The Agent resides
on the controlled computers and can receive configurations from the AppSense Management
Center or third party deployment system to manage the machine and user environment. The
console also provides a live connection to the Personalization database.
ABOUT ENVIRONMENT MANAGER

Architecture
The Personalization Server runs as a website, using IIS on either Windows Server 2003 or
Windows Server 2008. Client machines (Tier 1) connect through HTTP(s) handlers, and the
console uses WCF Services.
The Personalization Server acts as a broker between the client and database, providing a secure
channel to read and write the Personalization data. It is designed to support 1000s of users
simultaneously and multiple Personalization Servers can be configured in parallel to use a single
database.
Environment Manager can operate either in Standalone or Enterprise modes. In Standalone
mode, the console saves its settings directly to the local system. In Enterprise mode, different
configurations can be deployed to the controlled computers depending on your system
requirements. This guide describes the use of AppSense Environment Manager in Standalone
Mode. For details on centralized management mode please refer to the AppSense Management
Center Administrator Guide.
Environment Manager is made up of the following:

Architecture
Policy Configuration and User Personalization work together to provide complementary control
of the entire user environment. Inevitably there are some areas of overlap. The profile settings
are applied in the following stages:
Default Settings - Policy Configuration

Usually occur through the use of mandatory profiles, although Policy Configuration is free
to set anything at this stage.
Virtual Settings - User Personalization

User specific changes to their own personality settings that are being managed by User
Personalization, these are applied on top of the defaults.
Enforced Settings - Policy Configuration

Any policies that the administrator wants to set regardless of how the user has changed
their application previously, so these are applied last. The user may be free to change these
whilst the application is running, but they will be reapplied the next time the application
runs.
Policy Configuration enables the administrator to configure both default and enforced
corporate policies that can be applied to either the computer or user under a number of
different scenarios.

Architecture
A three-tier architecture is utilized consisting of the following basic components:
Tier 1 - Environment Manager Agent
Installed on each managed endpoint, responsible for ensuring user personalization data is saved
and restored on demand and also ensures policy configuration settings are applied when
required.
Tier 2 - Personalization Server
An IIS web server responsible for synchronizing user personalization settings between the SQL
database and the Environment Manager Agent when the user logs on or off or when an
application is started or stopped.
Tier 3 - SQL Database
Holds information related to personalization sites and servers, users and groups, applications,
endpoint configuration data and user personalization data.
How it works
When a user logs on to a managed endpoint, the Environment Manager Agent contacts the
Personalization Server with details of the user logging on. The Personalization Server passes this
information to the SQL database, which in turn, retrieves the configuration for the user and
returns it to the Personalization Server. The Personalization Server then passes back the relevant
configuration to the managed endpoint.
When a user launches an application on the endpoint, a component of the Environment
Manager Agent called the Personalization Virtualization Component (PVC) is injected into the
running process. The PVC verifies if the application in question is under the management of
The PVC contacts the Personalization Server to request that a personalization cache on the
endpoint is updated with the latest personalization settings from the SQL database and streams
these settings down to the endpoint.
Whilst the application is running and the user continues to change personalization settings
within it, these changes are virtualized and are written to the personalization cache on the
endpoint, rather than into the physical registry or file system. This ensures the user has access to
a local copy of the personalization settings, whilst abstracting the users personality from the
physical operating system.
When the application is closed, the PVC notifies the Personalization Server that the application
is closing and provides a copy of the modified personalization settings which are stored in the
SQL database.
This means the user now also has a centralized copy of their latest personalization settings. If
the user has two or more open concurrent sessions, personalization settings can now be
streamed to each of their concurrent sessions for that application, on demand, when the
application is launched. This ensures consistent application and environment settings across
open, concurrent sessions without the user having to log off or back on again.

Key Benefits
When the user does log off, any open applications are closed and the process as described
above takes place. Session specific settings are also synchronized back to the SQL database at
this point and by default, the local personalization cache on the endpoint is purged.
Components
Client Computer
Environment Manager Console
Environment Manager Agent (includes Personalization Virtualization Component)
Virtual Personalization Cache
Personalization Server
SQL Database
Key Benefits
This section provides key benefits of using AppSense Environment Manager, they are as follows:
Provide a flexible and robust solution to roaming profile issues.
Reduce administrative overhead associated with managing user profiles by automating

management of user application personalization.
Remove the potential for profile corruption.
Reduce logon times dramatically by streaming and synchronizing application

personalization settings at application start or stop.
Enable consistent quality of service to the user regardless of the environment delivery
mechanism.
Manage personalization settings across distributed server silos.
Simple migration from existing profiles.
Malicious or accidental user environment changes can be automatically self healed.
Minimize support costs and maximizes user productivity.
Apply user policy dynamically in any desktop delivery mechanism.
Ensure users remain compliant with policy regardless of how they receive their working
environment.
Quickly implement business policies which can be shared and utilized across operating
system boundaries and different application delivery mechanism by use of triggers, actions
and conditions.
Introduce pre-built corporate policy best practice with AppSense Policy Templates.

The Console
The Console
The Environment Manager Console launches when the link is selected in the Start > All
Programs > AppSense menu.
Figure 1.1 Environment Manager Console

The Console
Application Menu
The Application Menu provides options for managing configurations including create new,
open existing, save, import and export configurations and print.
The Preferences option allows you to modify the console skin and set basic behavior settings,
including, Show splash screen.
APPLICATION MENU OPTIONS
Option
Description
New
Creates a new default configuration which is locked for editing.
Open
Opens an existing configuration from one of the following locations:

Live configuration on this computer
Configuration from the Management Center
Configuration file on a local or network drive: AppSense Environment Manager Package
Files format (aemp).
Note A live configuration is located on a computer which has Environment Manager Agent
installed and running.
Save
Saves the configuration in one of the following states:

Save and continue editing - Save the configuration and keep it locked and open for
editing, you will not be able to deploy the configuration while it is locked.
Save and unlock - Save the configuration and unlock it ready for deployment.
Unlock without saving - Unlock the configuration without saving changes.
Save As
Saves the configuration with a new name to one of the following locations:
Configuration in the Management Center
Configuration file on a local or network drive: AppSense Environment Manager Package
Files format (aemp).
Note A live configuration is located on a computer which has Environment Manager Agent
installed and running.
Warning If using Microsoft Vista or Windows Server 2008 operating systems with UAC
enabled, you must ensure that you open the console with Administrator privileges.
Import & Export
Exit
Imports a configuration from MSI format, usually legacy configurations which have been
exported and saved from legacy consoles.
Exports a configuration to MSI format.
Closes the Console.

You are prompted to save any changes you have made to the current configuration.

The Console
Quick Access Toolbar

The Quick Access Toolbar provides quick functionality for managing the configuration setup,
such as Save, Save and Unlock, Undo, Redo, and navigation to previously and next displayed
views.
QUICK ACCESS TOOLBAR OPTIONS
Button
Description
Save
Save changes to the configuration. The configuration will remain locked if opened from the AppSense
Management Center.
Save and Unlock
Save changes and unlock the configuration. These changes can now be deployed from the
Management Center.
Undo
Clear the action history. Up to 20 previous actions are listed. Select the point at which you want to
clear the actions. The action selected and all proceeding actions are undone.
Redo
Re-apply the cleared action history. Up to 20 cleared actions are listed. Select the point at which you
want to redo the actions. The action selected and all subsequent actions are redone.
Back
Navigate back through the views visited in this session.
Forward
Navigate forward through the views visited this session.
Ribbon Pages
Ribbon Pages include buttons for performing common actions arranged in ribbon groups
according to the area of the Console to which the actions relate. For example, the Home ribbon
page includes all common tasks, such as Cut, Paste and Copy, Help, AppSense website and
Support links.
Split ribbon buttons contain multiple options and are indicated by an arrow just below the
button. Click the arrow to display and select the list of options, or simply click the button for the
default action.
Help
The Home ribbon page includes a Help button which launches the Help for the product and
displays the topic relating to the current area of the console in view. A smaller icon for
launching the Help displays at the far right of the console, level with the ribbon page tabs, for
convenience when the Home ribbon page is not in view. You can also press F1 to launch the
Help topic for the current view.

Feature Summary
Navigation Pane
The Navigation Pane consists of the navigation tree and navigation buttons. The navigation
tree is the area for managing nodes of the configuration. The navigation buttons allow you to
view the different areas of the console.
Work Area
The Work Area provides the main area for managing the settings of the configuration and
product. The contents of the work area vary according to the selected nodes in the navigation
tree and the selected navigation buttons. Sometimes the work area is split into two panes. For
example, one pane can provide a summary of the settings in the other pane.
Additional Console Features
Shortcut Menu right-click shortcuts are available in the navigation tree and some areas
of the Console.
Drag and Drop this feature is available in some nodes of the navigation tree.
Cut/Copy/Paste these actions can be performed using the buttons in the Home ribbon
page, shortcut menu options and also using keyboard shortcuts.
Optimum screen resolution for the console is 1024 x 768 pixels.
Feature Summary
This section provides a summary of Environment Manager features.
Automated Personalization Management

Automatically monitor and manage user personalization settings by saving and restoring
only the application changes that have been made within a users session. This reduces
administrative overhead and the complexity associated with identifying the personalization
settings.
Streamed Application Profiles

Manage User personalization settings when applications are started and stopped, as
opposed to only user log on or off, by streaming personalization settings as and when
required. This improves user logon times and makes the latest application personalization
settings available across concurrent open sessions.
Generate tabular and graphical reports based on personalization settings across a group, an
individual user or an application, identify resource bottlenecks and streamline
personalization settings to improve end user performance.
Personalization Rollback
Instigate personalization restore points so that personalization settings can be restored, on
a per user or application basis, in the event of data loss or desired state machines.

Feature Summary
Offline Mode
Ensure mobile users have access to the latest version of their personalization settings whilst
working offline and ensure their settings are synchronized across open concurrent sessions
when back online.
Migration Mode
Seamlessly migrate existing local or roaming user profiles or upgrade older versions of
Environment Manager to use the application personalization streaming solution.
Flexible Action Event Triggers

Configure personalization or policy settings to apply when certain triggers occur. This enables
more flexible control of user environments under heterogeneous delivery mechanisms.
Computer Action Event Triggers

Computer Actions can be configured to apply when the computer starts up or shuts down,
or when a process is started or stopped.
User Event Triggers

User Actions can be configured to apply when a user logs on or off, when an application is
started or stopped, when a network is connected or disconnected, a session is disconnected
or connected or when a session is locked or unlocked.
Microsoft App-V Management

The ability to customize App-V sequenced application settings based on user, session and
computer based rule conditions. Extend the delivery mechanism of App-V applications to the
client or user by enabling both custom OSD and icon file delivery.
Folder Redirection
Folder redirection allows end user data, such as personal documents and corporate data to be
stored outside of the profile. This has the added benefit of minimizing network bandwidth
consumption, saving and loading only the relevant areas of a users profile, rather than
transferring the whole profile across the network.
Lockdown
Removes unwanted functionality such as buttons, tree view options and menu items from
Windows applications.
Environment Manager allows you to strip out unwanted functionality from third party software
either for security reasons or to reduce the complexity of the end user experience.
Lockdown actions include the following:
General Lockdown - to hide or disable user interface controls.
Keyboard Lockdown - to block keyboard shortcuts for all or specific applications.
Office Lockdown - to disable any supported Microsoft Office application menu item, toolbar or
ribbon.
10

Feature Summary
Self Healing
Ensures critical files, registry settings, processes and services remain unaltered using the Self
Healing mechanism.
Self healing actions ensure that computer and user settings are restored to their original state in
the event of software failure or unauthorized changes.
Self Healing actions can be applied to processes, services, files and the registry.
Self Healing can be used to ensure critical applications, such as security software, are restarted
or repaired immediately following any failure resulting from malicious or accidental actions and
provides security against the threat of Trojans, worms or spyware attempting to infiltrate and
alter registry settings or modify content.
The self healing mechanism restores settings in real-time.
For example, if a Trojan virus is added to any of the Windows start up keys, Self Healing
immediately removes the threat.
Currently only 32-bit and 64-bit applications are fully supported by the self healing process
mechanism. It is not recommended to self heal DOS or 16-bit applications using this method.
Attempting to self heal a DOS or 16-bit application process may present multiple instances of
the same application in a short period of time.
AppSense Policy Templates

Ability to create a library of partial configurations by exporting templates from a full
configuration to a specified location, saving as xml files. These policy templates can then be
imported in to another configuration at a later date.
Windows ADM/ADMX File Support
Uses Windows ADM/ADMX files (Administrative templates) to create and apply user and system
policies.
Windows ADM/ADMX files can be imported and applied, bringing the management of existing
policies into the Environment Manager console, complementing existing Active Directory
environments or extending settings to computers outside of AD control.
Auditing
The Auditing facility allows you to specify where to log events and which events to include in
the audit.
Configuration Profiler allows you to generate summary reports of Environment Manager
configuration settings allowing you to analyze and troubleshoot complex configurations. You
can set up reports to provide information about actions, conditions and triggers relating to
specific users or groups, published applications and machines.
11
Configurations
This section provides details on Environment Manager configurations, and includes the
following:
Configurations
Tasks
Configurations
A configuration is a collection of control settings which contain functionality and settings for
management of your system. The configuration is made up of 2 main nodes, trigger nodes and
sub nodes. Configuration files can be saved from the console and exported/imported to other
computers which have the Environment Manager Agent running as a Service.
You can use the Find and Replace facility to help manage your configurations, for example, if
you need to change the name of a server located within your configuration or the IP address
of a machine. For further details see the Appendix Find and Replace.
When changes are made to a configuration you have the following options:
Save - This is the default Save action and is the same as Save on the Quick Access Toolbar
Save and continue editing - Save the configuration to the Management Center and
keep the configuration locked and open for editing.
Save and Unlock this configuration - Save the current configuration in the
Management Center and unlock to allow other users to edit the configuration.
Unlock without saving - Unlock the current configuration in the Management Center
without saving changes.
Save As

Save the current configuration as the live configuration on this computer.
Configuration in the Management Center
12
2 CONFIGURATIONS
Create this configuration in the package store on the selected Management Center.
Configuration file on disk

Save the current configuration as a file on a local or network drive.
Users with non-administrative rights operating a product console in Standalone mode can
only view configurations with read-only permissions. The user can interact with the
configuration settings in the console but the settings cannot be saved and are not
implemented or retained after the console is closed. The user can export a configuration to
XML format but not import a configuration.
13
CONFIGURATIONS
Tasks
Tasks
This section includes useful tasks and includes:
CREATE A CONFIGURATION
1. Launch the Environment Manager console from Start > Programs > AppSense >
AppSense Environment Manager console displays.
2. Click the Application Menu button.
3. Click New.
A new configuration displays.
You must Save a new configuration before any settings are implemented.
IMPORT A CONFIGURATION
Configurations can be imported in to Environment Manager.

2. Click Import & Export. The Import & Export Options display.
3. Click Import Configuration from MSI. The Open dialog box displays.
4. Navigate to the location of the MSI, select it and click Open.
EXPORT A CONFIGURATION
Configurations can be exported from Environment Manager.

2. Click Import & Export. The Import & Export Options display.
3. Click Export Configuration as MSI. The Save As dialog box displays.
4. Navigate to the location to where you want to save the MSI, click Save.
APPSENSE POLICY TEMPLATES
A library of partial components can be setup by importing/exporting configurations as xml files

to a specified location. To import an AppSense Policy Template do the following:
1. In the navigation tree navigate to the node where you want to import a partial
configuration.
2. Click AppSense Policy Templates in the Nodes ribbon page > Edit group.
3. Select Import Template.
The Open dialog box displays.
4. Locate the .xml file you want to import and click Open.
The .xml file is imported into the configuration.
14
Best Practices
This section outlines the key points for consideration when setting up your Environment
Manager configuration, and includes:
ASSIGN GENERIC COMPUTER SETTINGS
Configure generic Action settings on a computer that is used by multiple users to ensure that
common settings are applied to the computer for all users.
For example, map common drives or printers by default for all users in the Computer > Startup
node.
USE GROUP RULES
Simplify the configuration with actions that apply to groups of users rather than individual
users, where appropriate. This reduces the complexity of the configuration and ensures the XML
run-time engine can execute the configuration faster, improving user log on times.
GROUP SIMILAR ACTION TYPES
Creating large configurations by grouping similar action types, such as actions which lockdown
applications, under a single node or as few sub nodes as possible.
Grouping similar actions types under a single node creates configurations which are less
complex to navigate and actions can be ordered in execution sequence, as required.
For more information, see Execute Actions in Sequence.
EXECUTE ACTIONS IN SEQUENCE
Multiple actions grouped together under a single node may need to execute in a certain order.
For example, a sub node under the User > Logon node creates a folder, copies some files into
the folder and sets attributes for those files. The folder must exist before the files are copied into
it and the files must be present in the folder before the attributes can be set.
Order the actions in the Actions panel by clicking Move left, Move right, Move up or Move
down in the Arrange ribbon group or by dragging them up or down the list. Once actions are
correctly ordered, the actions execute in order from the top down.
15
BEST PRACTICES
For more information, see Group Similar Action Types.

Avoid including Execute actions in nodes set to execute in sequence for files which require
user interaction to complete, such as program files. Otherwise, the logon process is halted
indefinitely as the logon script waits for the Execute script to complete. For example, if the
Execute action launches notepad.exe, the logon script waits for the Notepad to end before
proceeding with the logon process.
EXECUTE NODES IN SEQUENCE
When related actions are not grouped together in the same node, it may be necessary to ensure
the actions in one node are executed before the actions in another can take place.
A node can be dependent on any other parent node.
USE ENVIRONMENT VARIABLES
Configure complex environments which span multiple operating system versions using
environment variables.
For example, you may wish to launch an application from the system root drive of a computer.
Under Windows 2000, the system root drive is C:\WINNT but under Windows XP it is
C:\WINDOWS.
By utilizing an environment variable, such as %systemroot%\app.exe, the application can
execute independent of the operating system on which it is hosted as the variable is expanded
at runtime by the Environment Manager Agent on the specific machine.
Environment variables can also be used for configuring system drive letters, user-based rules
and managing profiles.
CONFIGURE WARNING MESSAGES
Configure warning messages when locking down applications so that users are aware that they
have been prevented from accessing the relevant application component or device.
Failure to configure a message may cause increased numbers of help desk calls and reduce user
satisfaction.
USE SELF HEALING FOR SMALLER FILE SIZES
When configuring Self Healing actions, it is recommended that only small files are configured to
be self healed.
Targeting only small files reduces the resource load on the Environment Manager Agent during
run-time.
Otherwise, self healing large files can raise the following issues:
Resource load is significantly increased as the Environment Manager Agent creates backup
copies of the files.
Resource load is significantly increased as the Environment Manager Agent heals a large
file.
16
BEST PRACTICES
Stability issues may arise if administrative installed patches and software are added to the
system, as the Environment Manager agent automatically self heals these changes and
removes them from the registry.
USE SELECTIVE REGISTRY SELF HEALING
When configuring Self Healing Registry actions, it is recommended that only relevant sections of
the registry are configured to be self healed.
Targeting only specific portions of the registry reduces the resource load on the Environment
Manager Agent during run-time.
Otherwise, self healing the whole registry can raise the following issues:
Resource load is increased as the Environment Manager Agent continually checks the whole
registry structure for changes.
Stability issues may arise if administrative installed patches and software are added to the
system, as the Environment Manager agent automatically self heals these changes and
removes them from the registry.
ONLY SELF HEAL 32-BIT OR 64-BIT PROCESSES
Currently only 32-bit or 64-bit applications are fully supported by the self healing mechanism. It
is not recommended to self heal DOS or 16-bit applications.
Attempting to self heal a DOS or 16-bit application, may present multiple instances of the same
application in a short period of time.
ONLY SELF HEAL CRITICAL COMPONENTS
When configuring Self healing actions using Environment Manager, it is recommended that
only critical application and operating system components are self healed.
Self healing should only be used for important processes, files, services and registry keys that are
critical to the day-to-day running of the system.
Non-critical items, such as user introduced shortcuts, non-corporate software and low key
services should not require self healing.
ONLY LOCKDOWN 32-BIT AND 64-BIT APPLICATIONS
Currently only 32-bit and 64-bit applications are fully supported by the Lockdown mechanism. It
is not recommended to lockdown DOS or 16-bit applications.
AUDIT LOCKDOWN AND SELF HEALING ACTIONS
Environment Manager can record important security and management events in industry
standard formats such as the system event log, e-mail and SNMP through the Management
Center.
Although Environment Manager deters the majority of users, effective auditing pinpoints those
users who continually attempt to bypass system security. In particular, any attempts by users to
plant Trojans or worms, or terminate installed security software, need to be identified.
USE REUSABLE CONDITIONS
To reduce configuration size and speed up processing.
17
BEST PRACTICES
USE REUSABLE NODES
To reduce configuration size and speed up processing.
TOGGLE THE STATE OF NODES OR ACTIONS
For troubleshooting purposes
USE SITES
To ensure optimized personalization usage across geographical sites.
USE APPLICATION GROUPS
To share personalization settings between related applications e.g. MS Word & MS Excel.
USE PERSONALIZATION ROLLBACK ON A PER APPLICATION BASIS
To speed up the provisioning of personalization data.
USE PERSONALIZATION ANALYSIS
To identify personalization bottlenecks and assign discovered applications to the Applications

list or the Users Personalization Group Whitelist or Blacklist.
USE APPSENSE POLICY TEMPLATES
To aid in the construction of configurations over time make use of AppSense Policy Templates
which allow you to save and restore specific areas of a configuration.
USE QUICK SETUP WIZARD
To create well known actions, use the Quick Setup Wizard which contains a number of
recommended industry standard actions.
BLACKLIST APPLICATION
Ensure that any processes which are not required to be managed and are not in the Default
Blacklist are added to the Personalization Group Blacklist.
WHITELIST APPLICATION
As an alternative to managing all processes a Whitelist of managed applications can be created,

this can help to reduce storage space and improve performance.
ONLY USE OFFLINE MODE FOR MOBILE DEVICES
It is possible to configure Offline mode on a per Personalization Group basis. Enabling this
option ensures that at user logoff the local personalization cache is persisted on the endpoint. It
is recommended that this option only be applied to mobile devices to ensure disk space on the
endpoint device is not unnecessarily consumed.
USE FOLDER REDIRECTION
To ensure user data is available between different or concurrent sessions redirect well known
folders to a central location such as My Documents on the users home drive.
18
BEST PRACTICES
WORKING WITH STREAMED APPLICATIONS
When using AppSense Environment Manager with streamed applications, for example, Citrix
XenApp, ensure the relevant exclusions are setup. For details refer to the Streamed Applications
appendix.
19
Node Management
This section provides details on the Policy Configuration nodes, and includes the following:
Node Structure
Edit Nodes
Arrange Nodes
Tasks
Node Structure
The Policy Configuration navigation tree consists of the following 3 main Fixed nodes:
Library
Computer
User
Library
The Library node contains 2 fixed nodes; Reusable Nodes and Reusable Conditions. These
are nodes and conditions that can be used multiple times within your configuration. They are
ideal for grouping common sets of actions together that will regularly need to run in a variety of
circumstances.
Reusable Nodes are highlighted in blue and Reusable Conditions are highlighted on orange.
When creating a Registry, File & Folder or Group Policy action for a Reusable Node, a
Personalization (UEM) tab is available on the action dialog box. Use the checkbox Allow
Personalization Override on the Personalization (UEM) tab to control the interaction of
Policy settings with User Personalization settings. Select the checkbox to apply Policy settings
after, and therefore override, User Personalization settings.
20
NODE MANAGEMENT
Node Structure
When nodes or conditions are reused you can only assign them to the triggers that allow that
action or condition. For a full list of permissions see the Triggers and Actions Appendix.
To create a reusable node:

1. Select a trigger node or subnode and click the Add Node ribbon button or right-click to
display the context menu and click Add Node.
2. Select the Clone ribbon button and select to either:
Move to Reusable Nodes
Copy to Reusable Nodes
Copy to Reusable Nodes (with dependents)
To create a reusable condition:

1. Select a trigger node or subnode with conditional actions, highlight the condition you want
to move to the Library.
2. Do one of the following:
Select the Clone ribbon button and select Copy to Reusable Conditions.
Right-click to display the context menu and click Copy to Reusable Conditions.
When you have reusable nodes and conditions in the Library you can use them throughout the
configuration.
Reusable Nodes and Conditions Rules
If the Reusable Node or Reusable Condition in the Library node is enabled, the referenced
node state can be toggled independently of the Reusable Node/Condition in the Library
node.
If the Reusable Node or Reusable Condition in the Library node is disabled, the referenced
node cannot be enabled.
Amendments to the Reusable Node or Condition can only be made from within the Library
and not from within any other node where it is referenced.
Any amendments made to the node or condition in the Library will take effect in every re-used
instance.
For information on import and export rules for Reusable Nodes and Conditons refer to
Import and Export Rules.
21
NODE MANAGEMENT
Node Structure
Computer
The Computer node contains triggers for a particular computer state. Create nodes under the
fixed trigger nodes to setup specific actions.
The Computer fixed trigger nodes are as follows:
Startup
Shutdown
Process Started
Process Stopped
In order for Shutdown Actions to take effect you must shutdown and restart for the
configuration to update and then shutdown again for the Action to take effect.
For each Trigger you can do the following:
Add Node
Find and Replace

For further details on Find and Replace see the Find and Replace Appendix.
Import/Export Template
For each Node you can do the following:
Add Node
Delete Node
Rename
Toggle State - to switch the node between an enabled and disabled state.
When you disable a parent node all child nodes are also disabled. Likewise, if you enable
a parent node all child nodes are also enabled.
Clone
Find and Replace
Move Left, Right, Up or Down - this is dependant on the level of node in the hierarchy.
22
NODE MANAGEMENT
Node Structure
User
The User node contains Triggers for a particular user state. Create nodes under the fixed trigger
nodes to setup specific actions relevant to individual users or groups.
The User Triggers are as follows:
Logon
Logoff
In order for Logoff Actions to take effect you must Logoff and Logon so that the service
is re-started and the configuration is updated and then Logoff again for the Action to
take effect.
Process Started
When creating a Registry, File & Folder or Group Policy action for Process Started, a
Personalization (UEM) tab is available on the action dialog box. Use the checkbox
Allow Personalization Override on the Personalization (UEM) tab to control the
interaction of Policy Settings with User Personalization settings. Select the checkbox to
apply Policy settings after, and therefore override, User Personalization settings.
If using AppSense Environment Manager and Streamed Applications refer to the

Streamed Applications appendix.
Process Stopped
Network Disconnected
Network Connected
Session Disconnected
Session Reconnected
Session Locked
Session Unlocked
If using Remote Desktop Protocol v6.0 use Session Disconnect for user logoff actions, not
Logoff. The reason is that the remote application procedure does not logoff, it just
disconnects.
If a Terminal Services session is Reset by the Administrator, the Logoff and Session
Disconnected trigger events will be initiated. Therefore, any action configured under these
triggers will be executed.
23
NODE MANAGEMENT
Node Structure
For each Trigger you can do the following:
Add Node
Find and Replace

For further details on Find and Replace see the Find and Replace Appendix.
For each Node you can do the following:
Add Node
Delete Node
Rename
Toggle State - to switch the node between an enabled and disabled state.
When you disable a parent node all child nodes are also disabled. Likewise, if you enable
a parent node all child nodes are also enabled.
Clone
Find and Replace
Move Left, Right, Up or Down - this is dependant on the level of node in the hierarchy.
24
NODE MANAGEMENT
Edit Nodes
Edit Nodes
The Edit options available for each node on the Navigation Tree are shown in Table 4.1
Table 4.1
Node Management Edit Options
Fixed
Node
Library
Reusable
Node
Add
Node
Delete
Node
Rename
Toggle
State
Clone
Find &
Replace
AppSense
Policy
Templates
Node
Sub Node
Computer
Startup
Node
Sub Node
User
Logon
Node
Sub Node
Also applies to Reusable Conditions.

Also applies to Shutdown and Process Started & Stopped.
Also applies to Logoff, Process Started & Stopped, Network Disconnected & Connected, Session
Disconnected & Reconnected and Session Locked & Unlocked.
Reference
Nodes > Edit

Toggle State
Click to switch the node between an enabled and disabled state.
25
NODE MANAGEMENT
Edit Nodes
This is useful for quick troubleshooting purposes or where complex configurations can be
tailored without deleting content.
Nodes > Edit > Clone ribbon button

Clone Node with dependents
Create an exact replica of the node including any dependent sub nodes.
Move to Reusable Nodes
Remove the node from its current location and place in Library > Reusable Nodes.
Copy to Reusable Nodes
Create a copy of the node and place in Library > Reusable Nodes.
Copy to Reusable Nodes (with dependents)
Create a copy of the node and any dependent sub nodes and place in Library > Reusable Nodes.
Copy to Reusable Conditions
Creates a copy of the selected conditional action and places it in Library > Reusable Conditions.
Nodes > Edit > Find and Replace
Enables you to search for specific text within your configuration and replace it with new text.
For further details see the Appendix Find and Replace on page 126.
Nodes > Edit > AppSense Policy Templates ribbon button
Import and Export Rules
If you export from a Reusable Node, you can only import to a Reusable Node.
If you export from a Reusable Condition, you can only import to a Reusable Condition.
If you export from Logon or any other Trigger node, you can import to any Trigger, but not
a Reusable Node.
For further information on Reusable Nodes and Conditions refer to the Library section.
26
NODE MANAGEMENT
Arrange Nodes
Import Template
Import a partial configuration template file .xml to the current node. The Open dialog box is
displayed for you to select the location from which to import the file.
A check is done to ensure that any actions being imported are valid for the node selected.
Export Template
Export the current node settings as a partial configuration template file .xml. The Save As
dialog box is displayed for you to select the location to save the file.
Arrange Nodes
The order in which the nodes are displayed in the Navigation Tree determine the level of
dependency. For example, If all the nodes are at the same level in the hierarchy then the actions
will be executed in parallel. However, if the nodes are at different levels in the hierarchy this will
indicate a dependency on the node above and therefore actions will be executed in sequence.
To arrange the nodes you can do one of the following:
Click the Move - Left, Right, Up, Down ribbon buttons.
Highlight the node to move. Right-click to display the context menu, click Move, Left, right,
Up or Down. The options available for the particular node will be highlighted in green.
Drag and Drop.
Tasks
This section includes common node management tasks:
HOW TO MAKE NODES APPLY IN SEQUENCE

The physical structure of the Navigation Tree defines the dependency structure of nodes.
1. Select the node you want to make dependent on another node.

2. Click the Move Right ribbon button.
The selected node moves to the right and out of line with the node to which it is
dependent.
27
NODE MANAGEMENT
Tasks
HOW TO MAKE NODES APPLY IN PARALLEL

The physical structure of the Navigation Tree defines the dependency structure of nodes.
Nodes will be executed in parallel if they are in-line with each other in the Navigation Tree.
1. Select the node you want to execute in parallel.

2. Click the relevant Move Right, Left, Up or Down ribbon button to re-position it in-line
with the required nodes.
CREATING RE-USABLE NODES
1. Select the node you want to re-use.

2. Click the Clone ribbon button.
Options are presented.
3. Select whether you want to:
Move the node to the Reusable Node.
Make a copy of the node in the Reusable Node.
Click Copy to Reusable Nodes (with dependents) if the selected node has
dependents and you want to re-use them.
APPLYING THE RUN NODE ACTION

Once you have created a reusable node the Run Node option is available on the Actions
ribbon page > Actions group.
1. Select the node where you want to add a reusable node.

2. Click Run Node on the Actions ribbon page > Actions group. All available reusable nodes
are listed.
3. Select the reusable node you want to run.
All Actions from the reusable node are now referenced to be run from within the selected
node.
When Nodes or Conditions are reused you can only assign them to Triggers that allow
that action or condition. For a full list of permissions see the Triggers and Actions
Appendix.
APPLYING THE RUN CONDITIONS

Once you have created a reusable condition the Run Conditions option is available on the
Conditions ribbon page > Conditions group.
1. Select the node where you want to add a reusable condition.

2. Click Run Conditions on the Conditions ribbon page > Conditions group. All available
reusable conditions are listed.
3. Select the reusable condition you want to run.
The selected condition is now a conditional action for the selected node.
28
Action Management
This chapter provides details on Policy Configuration Actions and includes the following:
Actions
Heal Actions
Tasks
Troubleshooting
Actions
Policy Configuration allows the administrator to configure both default and enforced corporate
policies that can be applied to either the computer or user under a number of different
scenarios.
Computer based actions can be triggered to apply when the computer starts up or shuts down
or when a system process is started or stopped.
User based actions can be triggered to apply when the user logs on or logs off, when a user
process is started or stopped, when the network is connected or disconnected, when a session
is disconnected or reconnected or when a session is locked or unlocked.
This section covers all Actions and includes the following:
Quick Setup Wizard
Registry
File and Folder
Drives and Printers
ODBC
App-V Wizard
Custom and Execute
Group Policy
Shortcut
Run Node
29
ACTION MANAGEMENT
Actions
Quick Setup Wizard

The Quick Setup Wizard is used to create common actions.
1. Select the node for which you want to create actions and select Quick Setup Wizard on
the Actions page > Actions group.
The Quick Setup Wizard displays. A list of all commonly used actions are listed.
2. You can customize the display to show actions for specific Operating Systems or that
match specific Keywords, for example Lockdown, by using the filters below the display
table.
3. Select the required actions and click Next.
The Confirm screen displays for you to review your selection.
4. Click Finish to create the actions.
The actions are created under new sub nodes of the selected node.
To create an action that is not listed in the Quick Setup Wizard use the appropriate Action
option for example, Registry or File & Folder, from the Actions page > Actions group.
Registry
Registry manipulation enables the administrator to setup registry keys and values on behalf of
the user for the delivered application set. Most applications require some form of default
configuration to be present in order for correct operation.
Registry Actions include the ability to create or delete registry keys and set, create, delete or set
a default value for registry keys. Additionally, it is possible to import desired state settings from
an existing machine or exported registry file or even manipulate registry settings using registry
hiving.
When creating a registry action for User > Process Started. Each Registry Action dialog box,
has a Personalization (UEM) tab. Use the checkbox Allow Personalization Override to
control the interaction of Policy settings with User Personalization settings. Select the checkbox
to apply Policy settings after, and therefore override, User Personalization settings.
Registry Key Manipulation

Registry settings can be used to personalize applications and desktop settings. This can be
done in Policy Configuration and User Personalization. However, we recommend you only
use Policy Configuration or User Personalization to manage personalization to ensure
optimum performance.
For further information on managing personalization in User Personalization refer to About
User Personalization.
The Windows registry is divided into five separate keys:
HKEY_CLASSES_ROOT
Contains information relating to file associations and for object linking and embedding.
30
ACTION MANAGEMENT
Actions
HKEY_CURRENT_USER
Contains the profile settings for the current user.
HKEY_LOCAL_MACHINE
Contains configuration settings for the computer itself
HKEY_USERS
Contains all the actively loaded user profiles on the computer.
HKEY_CURRENT_CONFIG
Contains settings related to installed software and device drivers.
Whenever a user makes any changes to their personal settings, the information is stored in the
HKEY_CURRENT_USER (HKCU) hive area of the registry. Therefore, if the registry settings are
saved out when the user logs off and re-imported the next time the user logs on, the users
personal settings are available to roam with them, even if they are using a mandatory profile.
This is achieved using the Registry Hiving action within AppSense Environment Manager.
Registry Hiving
The following are examples of how to create a User Logoff Registry Action and a User Logon
Registry Action to hive out and back in user profile settings.
CREATE A USER LOGOFF REGISTRY HIVE ACTION
1. As an administrative user, navigate to the User > Logoff node within the Environment
Manager console.
2. Select Add Node on the Nodes ribbon page > Edit group.
3. Select the new node youve just created and rename to Export Registry Settings.
4. Click Registry on the Actions ribbon page > Actions group.
5. Select Registry Hiving.
The Registry Hiving dialog box displays.
6. Enter a Title for example, User Profile Settings.
7. Enter the Location or select the ellipsis (...) to Browse For Folder, where the settings will
be saved, preferably on a network share so that settings can be accessed from multiple
computers, for example \\<servername>\<sharename>. It is not necessary to create
separate folders for each user as Environment Manager will separate the user information
being saved using the following format:
<registry key name>_<domain>_<username>
8. Select Export the hive from the registry to file.
9. Click Add. The Registry Key dialog box displays.
10. Click the ellipsis (...) to dipslay the Browse Registry dialog box.
11. Select the areas of the HKCU registry you want to hive out. This can be from the local
computer registry or a registry on another machine.
Repeat the Browse process for each registry key you want to hive out.
31
ACTION MANAGEMENT
Actions
12. Click OK to save the action.

You should now see a Save User Profile Settings hive registry action within the Actions list in
the Node work area.
Once you have completed the Registry Hive actions that will apply at logoff, you need to
configure Environment Manager to import these registry settings when the user next logs on.
CREATE A USER LOGON REGISTRY HIVE ACTION
1. Navigate to User > Logon within the Environment Manager console.

2. Select Add Node on the Node ribbon page > Edit group.
3. Select the new node that you just created and rename to Import Registry Settings.
4. Navigate back to User > Logoff > Export Registry Settings, created earlier.
5. Right click on the Hive Registry action displayed under the Actions list and select Copy.
6. Navigate back to User > Logon > Import Registry Settings node.
7. Right click in the Actions list in the Node work area and select Paste.
8. Double click the Hive Registry action that has just been copied.
The Registry Hiving dialog box displays.
9. Rename the title to Load User Profile Settings.
10. Select Import the hive from file to the registry and click OK.
You will see a Load User Profile Settings hive registry action within the Actions list in the
Node work area.
Applying Conditions to cope with server silo environments

Sometimes it is necessary for administrators to create dedicated application servers (or server
silos) that have specific applications installed for specific tasks. This could be because of
application compatibility issues, to simplify application upgrades and to reduce server
maintenance downtime.
In this scenario, it is possible to assign specific conditions in AppSense Environment Manager
when saving out and restoring registry settings so that users who are logged on to multiple
servers in a farm do not experience profile contention when the user logs off and the profile
settings are saved.
For example, Server A is installed with a specific application, App X, but also has Microsoft
Office installed because App X relies on it.
Server B only has Microsoft Office installed as this is the main application server where the
majority of users will be accessing Microsoft Office from.
If a user logs off from Server B their Microsoft Office settings are saved out.
If the same user then logs off from Server A, both their App X and Microsoft Office settings are
saved out, but their original Microsoft Office settings from Server B are overwritten.
To alleviate this it is possible to assign a condition within AppSense Environment Manager
based on the published application name, or published desktop name.
32
ACTION MANAGEMENT
Actions
This will ensure that if the user logs on to Server A, then Server As settings are restored. If the
user logs on to Server B then Server Bs settings are restored instead.
Reference
CREATE KEY
To create a registry key

Add
Click to add a new entry in the table.
Hive
Click on the drop-down arrow to select from the drop-down list.
Key
Enter the Key you want to create, alternatively, click in the box to display the ellipsis (...) and
select to display the Browse Registry dialog box. Locate the Key you want to add.
DELETE KEY
To delete a registry key

Add
Hive
Key
Enter the Key you want to delete, alternatively, click in the box to display the ellipsis (...) and
select to display the Browse Registry dialog box. Locate the Key you want to add.
SET VALUE
To set a registry value

Add
Hive
Key
Enter the Key to which the value belongs, alternatively, click in the box to display the ellipsis (...)
and select to display the Browse Registry dialog box. Locate the Key you want to add.
33
ACTION MANAGEMENT
Actions
Value Name
Enter the Value, alternatively, click in the box to display the ellipsis (...) and select to display the
Browse Registry dialog box. Locate the Value you want to add.
Value Type
Click on the drop-down arrow to select the Value Type from the drop-down list.
Value
Enter the value.
DELETE VALUE
To delete a registry value.

Add
Hive
Key
Enter the Key to which the value you want to delete belongs, alternatively, click in the box to
display the ellipsis (...) and select to display the Browse Registry dialog box. Locate the Key.
Value Name
Enter the Value, alternatively, click in the box to display the ellipsis (...) and select to display the
Browse Registry dialog box. Locate the Value.
SET DEFAULT VALUE
Set a registry key default key.

Add
Hive
Key
Enter the Key to which the value belongs, alternatively, click in the box to display the ellipsis (...)
and select to display the Browse Registry dialog box. Locate the Key you want to add.
Value Name
The name of the value for the selected registry key.
34
ACTION MANAGEMENT
Actions
Value Type
Click on the drop-down arrow to select the Value Type from the drop-down list.
Value
Enter the default value.
REGISTRY HIVING
To import or export a registry hive key.

Title
Description of the hiving action.
Location
Enter the location of where to save (when exporting) or load (when importing) the hive file,
alternatively select the ellipsis (...) to display the Browse for Folder, navigate to the required
location and click OK.
Add
Select to display the Registry Key dialog box. Add a registry key to hive in or out. Select to
either:
Replace - overwrite existing values.
Merge - add individual values in without affecting the existing values.
The Filename is the name of registry key by default but this can be overwritten.
REGISTRY IMPORT
Import File
Displays the Open dialog box.
Navigate and select the required registry files (.reg) to import.
Browse...
Displays the Browse Registry dialog box.
Select to import Computer registry keys from HKEY_LOCAL_MACHINE or User registry keys
from HKEY_CURRENT_USER. Alternatively, select My Computer or Connect to display registry
keys for an alternative computer.
Restart
Click to remove all registry keys currently listed.
A confirmation message displays. Click Yes to confirm.
35
ACTION MANAGEMENT
Actions
Delete
Select to create a Delete Registry Key.
The shortcut menu allows you to add the following:
Main Key
Key
String Value
Binary Value
DWORD (32-bit) Value
QWORD (64-bit) Value
Multi-String Value
Expandable String Value
File and Folder

The File and Folder actions are useful for configuring the content of the users Start Menu prior
to the login process completing. This enables a truly dynamic approach to application
provisioning for the users of the physical or virtual desktop.
When creating a file or folder action for User > Process Started. Each file or folder action
dialog box, with the exception of Folder Redirection, has a Personalization (UEM) tab. Use
the checkbox Allow Personalization Override to control the interaction of Policy settings
with User Personalization settings. Select the checkbox to apply Policy settings after, and
therefore override, User Personalization settings.
Select to one of the following actions:
File
Copy
Delete
Move
Rename
Modify File Attributes - Select files to modify the read-only, hidden, system, archive and
temporary attributes. You must set at least one to something other than Ignore.
Folder
Create - add the path for the folder you are creating.
Copy
Delete
36
ACTION MANAGEMENT
Actions
Folder Redirection - allows the personal files and settings of a user to be saved to
another location. Folders can be redirected to any available location including a local
folder, a network drive and the most common place being the users home drive.
Reference
COPY FILE
Files to Copy
Source
Select Add to add a source. Enter the Source file, alternatively select the ellipsis (...) to display
the Open dialog box, locate the file and click Open.
Target
Enter the Target file name, alternatively select the ellipsis (...) to display the Browse For Folder
dialog box, locate the location and click OK.
Fail if Exists
If selected the file will not be copied if it already exists in the target location.
Add
Select to add an new entry to the table.
Condition
File
Click the drop-down arrow to select a file from the drop-down list, alternatively leave the
default All files.
Date
Select to amend the Date of the file. Only the Date or File Size can be selected.
Property
Click the drop-down arrow and select one of the following from the drop-down list:
Last Modified Time
Last Accessed Time
Created Time
When
Equal To
37
Not Equal To
Less Than
Less Than or Equal To
Greater Than
Greater Than or Equal To
Between
ACTION MANAGEMENT
Actions
Compare to destination
Select to compare to destination, alternatively, enter a Date and Time.
File Size
Select to amend the File Size. Only the Date or File Size can be selected.
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Select to compare to destination, alternatively, enter a Size and unit of measure.
DELETE FILE
Select File
Source
Enter the file you want to delete, if you do not know the file name select the ellipsis (...) to
display the Open dialog box to locate the file.
Force Delete
Select to force the delete, if selected read-only file attributes are changed to normal so that the
file can be deleted.
Add
Select to add a new entry to the table.
38
ACTION MANAGEMENT
Actions
Condition
File
default All files.
Date
Property
Last Modified Time
Last Accessed Time
Created Time
When
Equal To
Not Equal To
Less Than
Greater Than
Between
File Size
When
Equal To
Not Equal To
Less Than
Greater Than
Between
39
ACTION MANAGEMENT
Actions
MOVE FILE
Files to Move
Source
Enter the file you want to move, if you do not know the file name select the ellipsis (...) to
Target
Enter the Target file name, alternatively select the ellipsis (...) to display the Browse For Folder
Fail if Exists
If selected the file will not be moved it already exists in the target location.
Add
Condition
File
default All files.
Date
Property
Last Modified Time
Last Accessed Time
Created Time
When
Equal To
Not Equal To
Less Than
40
Greater Than
Between
ACTION MANAGEMENT
Actions
File Size
When
Equal To
Not Equal To
Less Than
Greater Than
Between
RENAME FILE
Rename From
Enter the file you want to rename, if you do not know the file name select the ellipsis (...) to
Rename
Enter the new file name, alternatively select the ellipsis (...) to display the Browse For Folder
Add
41
ACTION MANAGEMENT
Actions
MODIFY FILE ATTRIBUTES
Source
Enter the file you want to modify, if you do not know the file name select the ellipsis (...) to
Remove the filename to modify the Folder attributes.
Add
Attributes
Select from the following attributes to modify to Ignore, Set or Unset:
Read-Only
Hidden
System
Archive
Temporary
You must set at least one attribute to something other than Ignore.
CREATE FOLDER
Source
Enter the folder you want to create, alternatively select the ellipsis (...) to display the Browse
For Folder dialog box, locate the folder location and click OK.
Add
COPY FOLDER
Copy Existing Folder

Source
Enter the folder you want to copy, if you do not know the folder name select the ellipsis (...) to
display the Browser For Folder dialog box to locate the folder.
42
ACTION MANAGEMENT
Actions
Target
Enter the Target folder name, alternatively select the ellipsis (...) to display the Browse For
Folder dialog box, locate the location and click OK.
Fail if Exists
If selected, the folder will not be moved it already exists in the target location.
Copy Subfolders
Select to copy any subfolders for the selected folder.
Do not Overwrite Files
Select to prevent overwriting files in the destination folder if they already exist.
Add
Conditions > File Conditions
Use File Conditions
Select to use file conditions when copying within the folder.
File
default All files.
Date
Property
Last Modified Time
Last Accessed Time
Created Time
When
Equal To
Not Equal To
Less Than
Greater Than
43
Between
ACTION MANAGEMENT
Actions
File Size
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Conditions > Folder Conditions
Use Folder Conditions
Select to use folder conditions when copying.
File
default All files.
Date
Property
Last Modified Time
Last Accessed Time
Created Time
When
44
Equal To
Not Equal To
Less Than
Greater Than
Between
ACTION MANAGEMENT
Actions
File Size
When
Equal To
Not Equal To
Less Than
Greater Than
Between
DELETE FOLDER
Delete Folder
Source
Enter the folder you want to delete, if you do not know the folder name select the ellipsis (...) to
display the Browse For Folder dialog box to locate the folder.
Force Delete
Select to force the delete. If selected, read-only folder attributes are changed to normal so that
the folder can be deleted.
Add
45
ACTION MANAGEMENT
Actions
Condition
File
default All files.
Date
Property
Last Modified Time
Last Accessed Time
Created Time
When
Equal To
Not Equal To
Less Than
Greater Than
Between
File Size
When
Equal To
Not Equal To
Less Than
Greater Than
Between
46
ACTION MANAGEMENT
Actions
FOLDER REDIRECTION
Add
Select to add an entry to the table.
Known Folder
Click the drop-down arrow and select the folder you want to redirect from the drop-down list.
Destination
Enter the destination location, alternatively select the ellipsis (...) and select the location from
the Browse For Folder dialog box.
Drives and Printers

Actions to map or unmap a drive, a printer and to setup a default printer.
When you want to map a drive for which a mapping already exists, Environment Manager
unmaps the existing mapping and creates the new one.
Reference
MAP DRIVE
Add
Drive Letter
Click the drop-down arrow to select the drive letter from the drop-down list.
Path
Enter the path to which to map the drive letter, alternatively select the ellipsis (...) and select the
location from the Browse For Folder dialog box.
UNMAP DRIVE
Add
47
ACTION MANAGEMENT
Actions
Drive Letter
Click the drop-down arrow to select the drive letter you want to unmap from the drop-down
list.
MAP PRINTER
Add
Path
Enter the path for the printer you want to map, alternatively select the ellipsis (...) to select the
path from the Browse for Printer dialog box.
Share Name
If selected, it indicates the string entered as the Path is the printer share name.
Set Default
Select to set as default printer.
SET DEFAULT PRINTER
Remote Printer Path

Enter the path for the printer you want to set as the default, alternatively select the ellipsis (...)
to select the path from the Browse for Folder dialog box.
This is the printers share name
If selected, it indicates the string entered as the Remote Printer Path is the printer share name.
UNMAP PRINTER
Add
Path
Enter the path for the printer you want to unmap, alternatively select the ellipsis (...) to select
the path from the Browse for Printer dialog box.
Share Name
If selected, it indicates the string entered as the Path is the printer share name.
48
ACTION MANAGEMENT
Actions
ODBC
An interface to create, amend or delete an ODBC database connection.
Reference
Connection Details
Connection Name
Enter the name of the connection.
Driver Type
Click the drop-down arrow to select the driver type from the drop-down list.
Current Connections
A list of all current connections, highlight one and click Select to pick that connection.
ODBC Data Pairs
Value Name
Enter the value name.
Value Data
Enter the value data.
Add
App-V Wizard
The App-V Wizard takes you through the steps to extend an OSD file.
An OSD file is generated by App-V to define how an application is launched and configured.
The App-V action is designed to extend the capabilities of application delivery offered by
Microsoft App-V.
It can be used to manipulate an OSD configuration file for an App-V sequenced application to
configure associated settings including environment variables, registry keys, pre and post launch
scripts and policies.
This allows the App-V delivered application to be tailored based on how or where the user is
accessing the streamed application.
49
ACTION MANAGEMENT
Actions
Custom and Execute

Custom and Execute actions can be created and added to the configuration.
Custom Actions - Provides the ability to cater for any processing for which the main
Environment Manager does not support.
Custom Actions can be generated with the use of either a Visual Basic or Java Script.
The scripts are held within the XML configuration, copied to disk at runtime, executed and
then deleted upon completion.
Separate auditing events are created for successful and unsuccessful actions, these can be
viewed through the Auditing ribbon button in Home > Common.
Execute Action
Provides the ability to execute an application with defined parameters and working
directory.
Avoid including Execute Actions in nodes set to execute in sequence for files which require
user interaction to complete, such as program files. Otherwise, the logon process is halted
indefinitely as the logon script waits for the execute script to complete. For example, if the
Execute action launches notepad.exe, the logon script waits for Notepad to end before
proceeding with the logon process.
EXAMPLE EXECUTE SCRIPT
This scripts opens and prints a Word document called Example.doc from the c:drive.
Set objWord = CreateObject("Word.Application")
Set objDoc = objWord.Documents.Open("c:\Example.doc")
objDoc.PrintOut()
objWord.Quit
Reference
CUSTOM
Time Allowed to Run

The number of seconds after which the script will be terminated. This can be used to ensure
logon times are not adversely affected. Setting the value to 0 or leaving it blank will allow the
script infinite time to complete.
Script
You can enter the script by one of the following methods:
Type in by hand.
Drag/drop or copy/paste from another location.
50
ACTION MANAGEMENT
Actions
Click Import to select an existing script.

The results of a custom script should be based on:
Returning 0 is Success
Returning 1 is Failure
Import
Select to display the Open dialog box. Select the script to import (.vbs or .js).
Export
Select to display the Save As dialog box. Save the script in .vbs or .js format.
Prevent script from running interactively
The scripts are run in batch mode so you have the option to allow or prevent prompts and
messages from being used in the scripts, the default is to prevent them because it may stall
logon processes if any of them are interactive.
EXECUTE
Filename
The name of the executable for which to create the Action.
Working Directory
The path to the executable.
Parameter
The parameter to pass to the executable, for example, if the Filename is Winword.exe the
parameter could be the name of the file that you want to be opened each time Word is
executed.
The parameter is optional and only required if the executable is to open a certain item.
Expand parameters using environment variables
Select to display the parameter using environment variables.
Complete before executing further actions
Select to make executable finish before proceeding with another action.
51
ACTION MANAGEMENT
Actions
Group Policy
Set the Group Policies ADM and ADMX files.
When creating a Group Policy Action for User > Process Started. Each group policy action
dialog box, has a Personalization (UEM) tab. Use the checkbox Allow Personalization
Override to control the interaction of Policy settings with User Personalization settings. Select
the checkbox to apply Policy settings after, and therefore override, User Personalization settings.
Reference
Set an ADMX Policy

Policy Folder
Enter the policy folder, alternatively select the ellipsis (...) and select from the Browse for
Folder dialog box.
Policies to Set
Click Add to display the Policies dialog box listing the existing ADMX policies within the
selected folder.
Double-click a policy to display the Set Policy Values dialog box. Set the status of the policy to
Not Configured, Enabled or Disabled.
The Explain tab provides a detailed explanation of the policy setting.
Set an ADM Policy

Policy Folder
Enter the policy folder, alternatively select the ellipsis (...) and select from the Browse for
Folder dialog box.
Policies to Set
Click Add to display the Policies dialog box listing the existing ADMX policies within the
selected folder.
Double-click a policy to display the Set Policy Values dialog box. Set the status of the policy to
Not Configured, Enabled or Disabled.
The Explain tab provides a detailed explanation of the policy setting.
52
ACTION MANAGEMENT
Actions
Set, append or delete environment variables details for computer or user nodes.
Reference
Environment Variable
Variable Name
The available variables are listed in the table. To select a variable either, click on a Variable Name
listed and click Select, or, double-click on a Variable Name listed.
Variable Value
The available variable values are listed in the table. To select a variable value either, click on a
Variable Value listed and click Select, or, double-click on a Variable Value listed.
Expand variables in the entered value
Select to expand the environment variable to include the actual string value.
Shortcut
Shortcuts can be created to target a specific file and location and multiple LNK shortcut files can
be imported to create multiple shortcut actions simultaneously.
Import Shortcut Wizard

The Shortcut Import enables you to import LNK shortcut files from the target directory and
create multiple shortcut actions simultaneously.
Create Shortcut
Create a shortcut to a target file and specify the shortcut location.
Reference
Shortcut Import
Import
Select to display the Open dialog box, locate the shortcut file and click Open.
Shortcut File Path
Enter the path to the shortcut file, alternatively select the ellipsis (...) and select from the
Browse For Folder dialog box.
Target
Enter the target location, alternatively select the ellipsis (...) and select from the Browse For
Folder dialog box.
53
ACTION MANAGEMENT
Actions
Create Shortcut > Shortcut Information

Shortcut Location
Enter the location of where to place the shortcut. Click the drop-down arrow for common
location or the ellipsis (...) to select from the Open dialog box.
Create Shortcut From
Enter the location from where to run the shortcut. Select the ellipsis (...) to select from the
Open dialog box.
Target Parameters
Enter the parameters to pass to the program.
Start in Directory
Enter the working directory for the program.
Run
Click the drop-down arrow and select Normal, Minimized or Maximized.
Icon Filename
The filename of the icon to be used for the shortcut.
Run Node
The Run Node is used to assign Reusable Nodes to other nodes throughout the configuration.
The Run Node action is only available once a Reusables Node has been created.
When Nodes or Conditions are reused you can only assign them to Triggers that allow that
action or condition. For a full list of permissions see the Triggers and Actions Appendix.
See Applying the Run Node action in the Tasks section for further details.
54
ACTION MANAGEMENT
Heal Actions
Heal Actions
Self Healing is a mechanism to automatically restore environment items including files,
processes, services or registry keys/values. Conditions can be applied to user self heal actions.
Stability issues may arise if you install software patches or upgrades to areas of your system
which you have chosen to self heal as Environment Manager automatically self heals these
changes and removes them.
Currently only 32-bit and 64-bit applications are fully supported by the self healing process
mechanism. It is not recommended to self heal DOS or 16-bit applications using this method.
Attempting to self heal a DOS or 16-bit application process, may present multiple instances of
the same application in a short period of time.
You can select to Self Heal a File, Process, Service or Registry.

Self Heal Service is only available for actions created in the Computer node.
Reference
SELF HEAL FILE
Set a file for Self Healing.

Filename
Enter the name of the file to self heal, alternatively select the ellipsis (...) to display the Open
dialog box, locate the file and click Open.
Make sure the file is always present
Select to make sure the file is always present.
Ensure the file is never changed
Select to ensure the file is never changed.
If the contents of a file change, the file is self healed back to its original format from a backup
copy. The Modified Date is used to determine whether the file has changed.
Only applicable if Make sure the file is always present is selected.
Make sure the file is not present
Select to ensure the file is never present.
SELF HEAL PROCESS
Set a process for Self Healing.
55
ACTION MANAGEMENT
Heal Actions
Process Name
Enter the name of a process to be self healed or select the ellipsis (...) to display the Open dialog
box, browse to select a process.
If a process is selected from the Open dialog box, the Process Directory text box displays the
path.
Process Directory
Enter the path (excluding the name) of the process specified in Process Name or select the
ellipsis (...) to display the Open dialog box, browse to select a folder.
Parameters
Enter any parameters, separated by spaces, that the process needs to run. For example, a word
processing application may need the name of a file to open upon launch.
Expand parameters using environment variables
Select to display the full environment variables.
SELF HEAL SERVICE
Set a Service for Self Healing. Only applicable to the Computer node.
Display Name
Click Add >Add Entry to enter the Display Name, alternatively, click Add > Browse Services
to display the Service Browser dialog box to select a Service.
Service Name
The Service Name, this field must be completed.
Status
Select to have the Service Always running or Never started.
Parameters
Enter any parameters, separated by spaces, that the service needs to run. For example, Auditing
can take the name of a file in which it logs various data. This can be entered as follows:
-log C:\Temp\MyLogFilename.txt
SELF HEAL REGISTRY
Set a registry key or value for Self Healing.

Main Key
This read-only text box is set as either HKEY_LOCAL_MACHINE (on the Computer node) or
HKEY_CURRENT_USER (on the User node).
56
ACTION MANAGEMENT
Tasks
ellipsis (...)
Select to display the Browse Registry dialog box where you can select the required Registry
Key or Value.
Sub Key
Enter the registry sub key or browse to select from the Browse Registry dialog box.
Value Name
Enter the registry value or browse to select from the Browse Registry dialog box.
Use Default Value
Automatically selected if the registry value selected to self heal is the Default registry value.
Ensure the registry item remains unchanged
Select to ensure that no changes can be made to the registry item.
Ensure the registry item never exists
Select to ensure the registry item doesnt get created.
Tasks
This section includes useful tasks.
HOW TO MAKE ACTIONS APPLY IN SEQUENCE
Figure 5.1 Actions applied in Sequence
To make an Action complete in sequence they need to be indented in the tree hierarchy.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Actions to
different levels, alternatively use Ctrl + arrow key.
If an action cannot be completed the next action will not be run.
However, if you have a parent node with multiple child nodes each with multiple actions to be
applied in sequence, each action is taken in turn and attempted moving down through all the
nodes, even if some of the actions return a fail.
57
ACTION MANAGEMENT
Tasks
HOW TO MAKE ACTIONS APPLY IN PARALLEL
Figure 5.2
Actions applied in Parallel
To make an Action complete in parallel they need to be at the same level in the tree hierarchy.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Actions to
APPLYING THE RUN NODE ACTION

Once you have created a reusable node the Run Node option is available.
1. Select the node where you want to add a reusable node.

2. Click the Run Node ribbon button. All available reusable nodes are listed.
3. Select the reusable node you want to run.
All Actions from the reusable node are added to the selected node.
Reusable nodes are highlighted in blue.
When Nodes or Conditions are reused you can only assign them to Triggers that allow
that action or condition. For a full list of permissions see the Triggers and Actions
Appendix.
LIMIT ACCESS TO APPLICATIONS
Access to applications requires that shortcuts, folders, files and registry settings are correctly
setup on the machine. You use Environment Manager to setup or remove these settings for
each user profile to control access to the applications.
Conditions are set up for allowing or blocking user access to an application. Conditions are
applied to nodes to determine whether the actions are applied to the user or machine.
Conditions are evaluated to ensure that only those actions which are applicable are executed.
58
ACTION MANAGEMENT
Tasks
ENSURE FILES CANNOT BE RELOCATED, REMOVED OR MODIFIED
Users customizing the computer Desktop are a constant problem for administrators. The
Environment Manager Self Healing functionality ensures that a specific file, such as a shortcut,
remains on the desktop as originally set up and is always in place for the computer or user and
contains the same content. A more serious threat comes from viruses and malware that
attempts to modify the content of critical files, such as hosts and .ini files or VB wraparound
scripts.
The Self Healing mechanism is set to restore the file in real-time. The system creates a copy
when the trigger occurs replacing the item should the user delete it or modify the contents, the
modified date is used to determine whether the file has changed.
ENSURE A SERVICE FAILS TO RUN
Self healing services allow the administrator to enforce the states of critical services. This self
healing of the service allows a service to be always stopped or always running.
For example, you can create an action for the Computer Self Healing node that sets the
Messenger service to never start so that the service is not available from that machine.
Alternatively, the Automatic Updates service can be self healed so that it is always running and
the computer in question has access to download and install Windows updates at all times.
REMOVE THE MACRO FUNCTION FROM AN APPLICATION
The Environment Manager Lockdown feature enables you to remove functionality from an
application. Lockdown can be achieved in several ways depending on requirements. Adding an
entry to block a dialog box can work as effectively as removing the menu item, toolbar button
or accelerator key.
The simplest way to remove the functions is to block the dialog box for the macros as these
tend to be accessible from user definable toolbars and hot keys.
While running an application and displaying the macro selection dialog box, use the General
Wizard to create a lockdown action and, using the wizard Spy Tool, select the Macros Dialog
Box.
REMOVE HELP THAT CONTAINS HYPERLINKS
Help files can also cause breaches the administrator may not anticipate. A relatively new type of
breach is found in html help files which have a link to the supplier website for further help.
Use Keyboard Lockdown to block the F1 key and render the Help files inaccessible via the
application. Alternatively, use the General WIzard to select the link in the Help file to generate
a Microsoft Active Accessibility (MSAA) action type to disable the link.
59
Troubleshooting
This section includes some troubleshooting tasks.
ACTIONS NOT BEING APPLIED AS EXPECTED
License installed
Environment Manager Agent running
Node/Action not disabled in console
CUSTOM ACTION OR CONDITION NOT APPLYING
Script works outside of Environment Manager
EVENTS NOT BEING RAISED
License installed
Check CCA settings
Check AMC communication
ACTION MANAGEMENT
Troubleshooting
60
Condition Management
This chapter provides details on Policy Configuration Conditions and includes the following:
Conditions
Tasks
61
CONDITION MANAGEMENT
Conditions
Conditions
Conditions can be applied to enable actions to be executed based on who, where from or how
a user is connecting to a computer or application. These conditions include Directory
Membership, User, Computer, Session and Client based rules. The table shows which
conditions can be applied to Computer and User.
Conditions are highlighted in green.
Figure 6.1 Computer and User Conditions
The following Conditions can be created:
User
Computer
Session & Client
62
Custom
Run Conditions
Conditions
Create a condition to check membership of the following:
OU - the condition can be to match a member as Equal or Not Equal, alternatively you can
enter a wildcard Query.
Site - the condition can be to match a site as Equal or Not Equal.
User
Create a condition to match a User Name, User Group or Primary Group as Equal or Not Equal,
alternatively you can enter a wildcard Query.
You can also create a condition to check if the user is an Administrator.
A condition to match the Process Name as Equal or Not Equal can also be created.
Computer
Create a condition to match a Computer Name, Computer Domain, Computer NETBIOS Name,
Computer Group or Process Name as Equal or Not Equal, alternatively you can enter a wildcard
Query.
You can also create a condition to match the IP Address as Equal, Not Equal or Between a
range.
A condition to match the MAC address as Equal or Not Equal can also be created.
Session & Client

Create a condition to match:
A Published Application Name or Client NETBIOS Name as Equal or Not Equal, alternatively
you can enter a wildcard Query.
The Client Connection Protocol to Equal or Not Equal a Console, RDP or ICA.
The Client IP Address as Equal, Not Equal or Between a range.
The Client Screen Resolution to Equal, Not Equal, be Between or From specified X and Y
values.
The Client Color Screen Depth to Equal, Not Equal, be Between or From a set number of
colors. Click and drag the slider to set the number of colors.
Custom
Custom conditions can be generated with the use of either a Visual Basic or Java Script based
on any scenario, for example date/time, existence of a file or registry entries.
63
Conditions
The scripts are held within the XML configuration, copied to disk at runtime, executed and then
deleted upon completion.
Separate auditing events are created for successful and unsuccessful conditions, these can be
viewed through the Auditing ribbon button in Home > Common.
EXAMPLE SCRIPT
' --------------------------------------------------------' Checks to see if the Windows Firewall is ON

' -------------------------------------------------------strcomputer = "."
const HKLM = &H80000002
set x = getobject("winmgmts:\\" &strcomputer &"\root\default:stdregprov")
strreg =
"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\S
tandardProfile"
strregkey = "EnableFirewall"
x.getdwordvalue HKLM,strreg,strregkey,strvalue
if strvalue = 1 then
--------------------- Firewall Enabled
---------------------WScript.Quit 0
else
--------------------- Firewall Disabled
---------------------WScript.Quit 1
End if
Reference
Run as SYSTEM user

Select to run the script as a System user.
If selected, when you click OK a confirmation message displays, warning you that the system
will be vulnerable, click OK to continue.
Time allowed to run

The number of seconds after which the script will be terminated. This can be used to ensure
logon times are not adversely affected. Setting the value to 0 or leaving it blank will allow the
script infinite time to complete.
64
Conditions
Script
You can enter the script by one of the following methods:
Type in by hand.
Drag/drop or copy/paste from another location.
Click Import to select an existing script.

The results of a custom script should be based on:
Returning 0 is Success
Returning 1 is Failure
The scripts are run in batch mode, meaning any prompts or message boxes are ignored and
the script will exit without being executed. Therefore, ensure any custom script does not
contain prompts and message boxes or comment these out in the script.
Import
Select to display the Open dialog box. Select the script to import (.vbs or .js).
Export
Select to display the Save As dialog box. Save the script in .vbs or .js format.
65
Tasks
Run Conditions
Once you have created a reusable condition the Run Conditions option is available on the
Conditions ribbon page > Conditions group.
APPLYING THE RUN CONDITIONS
1. Select the node where you want to add a reusable condition.

2. Click Run Conditions on the Conditions ribbon page > Conditions group. All available
reusable conditions are listed.
3. Select the reusable condition you want to run.
4. The selected condition is now a conditional action for the selected node.
Tasks
This section includes useful tasks.
HOW TO MAKE CONDITIONS APPLY IN SEQUENCE
Figure 6.2 Conditions applied in Sequence
To make a Condition complete in sequence they need to be indented in the tree hierarchy.
If you have two or more conditions indented in the hierarchy, as shown in Figure 6.2 they
become AND conditions.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Conditions to
If a condition cannot be completed the next condition will not be run.
However, if you have a parent node with multiple child nodes each with multiple conditions to
be applied in sequence, each condition is taken in turn and attempted moving down through all
the nodes, even if some of the conditions return a fail.
66
Tasks
HOW TO MAKE CONDITIONS APPLY IN PARALLEL
Figure 6.3 Conditions applied in Parallel
To make an Condition complete in parallel they need to be at the same level in the tree
hierarchy.
If you have two or more conditions at the same level in the hierarchy, as shown in Figure 6.3
they become OR conditions and are shown by a blue highlighted bracket.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Conditions
to different levels, alternatively use Ctrl + arrow key.
67
Lockdown Management
This section provides details on all lockdown actions and includes the following:
Lockdown
General Wizard
Keyboard Wizard
Office Wizard
Message Libraries
Lockdown
Lockdown is a mechanism to restrict or disable access to specific application and operating
system functionality, keyboard shortcuts, MS Office application menus, toolbars and ribbons.
Conditions can be applied to lockdown actions to offer comprehensive lockdown in varied
scenarios.
Useful lockdown actions that could be enforced are:
Internet Explorer Settings, for example prevent users deleting history.
Prevent users from changing network settings.
Lockdown certain context menus
Lockdown certain shortcut keys, for example Print Screen.
General Wizard
The General Lockdown Wizard enables you to block or remove Windows objects in the
operating system and application interfaces. Windows objects, called controls, belong to
hierarchies and can contain many child controls.
Control Attributes
The Environment Manager agent blocks or removes controls based on several attributes.
Standard window controls have the following basic attributes:
Control ID - The unique ID Windows assigns to identify a Windows control.
Control Text - The text displayed by a Windows control, where relevant.
68
LOCKDOWN MANAGEMENT
General Wizard
Class Name - The specific type or class to which a Windows control belongs, class such as
Edit, Button or SysListView32.
Process Name - The filename of the application to which the Windows control belongs.
Parent Text - The text associated with the parent window of the Windows control.
Some applications may override the functionality of certain controls with custom controls, called
Owner Drawn controls, to which custom attributes are applied rather than the standard
operating system attributes. You can disable these controls using the Microsoft Active
Accessibility (MSAA) blocking functionality which is detected using the General Lockdown
Wizard.
Control Types
You can lockdown the following control types:
Tree Controls - Controls which are organized in a hierarchal structure with configuration
options under each branch, such as the Windows Explorer Tools > Folder Options menu
or the Taskbar and Start Menu Advanced tab.
Environment Manager restricts access to components of a Tree Control by removing
options.
List Controls - Contains a list of items for selection. For example, drop-down lists in the
Internet Explorer Internet Options > Programs tab or a list of drives, folders and files in
Windows Explorer.
Environment Manager restricts access to items within a List Control, by removing specific
items from the list.
Edit Controls - Controls which contain fields into which you enter text, such as the Internet
Explorer Address Bar or the Run dialog box.
Although it is possible to protect the system by using group policy/system policy objects,
such as; Hide these Specified Drives in My Computer and Prevent Access to Drives
from My Computer, these settings can leave security loopholes. These types of policyenforced objects only apply to Windows Explorer, allowing any application to request and
receive access to the local server drives.
Environment Manager addresses these security loopholes by controlling entered text. Users
who are not authorized to access the C drive can be blocked by entering C: in an Edit
Control.
Menu Controls - Controls which contain menu items for selection within an application,
such as the File menu item or Format menu item in Notepad.
Environment Manager restricts access to the options within a Menu Control, by disabling
specific items.
Dialog Controls - Controls which launch separate dialog boxes for particular applications,
such as the Open dialog box in Notepad or the Internet Options dialog box in Internet
Explorer.
Environment Manager restricts access to dialog boxes by intercepting and blocking the
dialog box from launching for specific users and groups.
69
LOCKDOWN MANAGEMENT
General Wizard
Windows Controls - Controls that appear within Windows which can take numerous forms,
such as the Open button in a File > Open dialog box or the Browse or Color buttons in
the Display Properties dialog box.
Environment Manager restricts access to these types of control by hiding the control.
MSAA Controls - Microsoft Active Accessibility (MSAA) technology enables the

development of applications which can support accessibility aids by revealing the elements
of a user interface and offers comprehensive lockdown capability of application
components. MSAA Controls can include hyperlinks in help files or whole sections of dialog
boxes.
Environment Manager disables application components but can not hide them. Warning
messages can be displayed to users informing them that Environment Manager has
disabled the feature when the user attempts to use a blocked item.
Toolbar Controls - Buttons that appear on a toolbar, such as Back, Forward, Delete and
Undo.
Environment Manager restricts access to the buttons on a toolbar by disabling them.
Some toolbar buttons in Windows Explorer and Internet Explorer display popup menus
when clicked. You must disable the menu items to restrict access, not just the toolbar
button. For more information see the relevant steps for using the spy tool target to select
popup menus in To Perform a General Lockdown.
TO PERFORM A GENERAL LOCKDOWN
1. Launch the window or application in which the item you want to lockdown appears.
2. In Environment Manager, navigate to the node in the navigation tree for which you want to
create the lockdown action. Select General Wizard on the Lockdown page > Lockdown
group.
The General Wizard dialog box displays.
3. Click and drag the Spy Tool over the area containing the control you want to lockdown.
A red border indicates the control selected and the green message indicates which
lockdown options are available for that control.
70
LOCKDOWN MANAGEMENT
Keyboard Wizard
When you have highlighted the control you want, release the mouse. If there are lockdown
options available the Select Lockdown Type dialog box displays, if there are no options
available the General Wizard re-displays with the screen relevant to the type of control.
Table 7.1
General Lockdown Controls screens
Lockdown
Control
Lockdown Option
Screen Displayed
Window
N/A
Window Control
List
List Items removed

Window Control hidden
List Control
Window Control
Tree
Tree Items removed

Tree Control
Window Control
Edit
Edit Control filtered

Edit Control
Window Control
Tab
Tab Control disabled

Tab Control
Window Control
MSAA
N/A
MSAA Control
Menu
Select Items for Lockdown
Menu Control
Dialog
N/A
Dialog
4. Click OK to create the lockdown action.

The action is listed in the Actions work area for the relevant node.
Keyboard Wizard
The Keyboard Wizard allows you to prevent users from using certain keyboard keys or
combination of keys within a particular application or applications.
TO LOCKDOWN A KEYSTROKE
1. Navigate to the node, in the navigation tree, for which you want to create the Keyboard
Lockdown action.
2. Select Keyboard Wizard on the Lockdown ribbon page > Lockdown group.
The Keyboard Lockdown dialog box displays.
3. Enter the key you want to disable.
To lockdown a key combination simply select the keys, for example to lockdown Ctrl + F,
press Ctrl then F.
71
LOCKDOWN MANAGEMENT
Office Wizard
4. Select whether you want to distinguish between left and right keys, for example the left Alt
and the right Alt keys.
5. Select to apply the lockdown to all applications or a selected application. If you select a
specific application you can enter it directly into the text box, click the ellipsis (...) to display
the Open dialog to locate the application or if the required application is open you can
drag and drop the spy tool to the application.
6. Click OK to create the lockdown action.
The lockdown action is added to Actions work area for the relevant node.
Office Wizard
Office Lockdown allows you to disable Microsoft Office features. A list of Office suites,
applications and the types of features you can lockdown are shown in Table 7.2 on page 72.
For steps on creating an Office Lockdown action, see To Lockdown an Office Menu Item,
Toolbar and Ribbon.
Table 7.2
Office Lockdown Support
Office Suite
Application
Features
Menus
Toolbars
Ribbons
Office 2000
Access
Office XP
Excel
Office 2003
Outlook
Powerpoint
Word
Access
Excel
Outlook
Powerpoint
Word
Office 2007
TO LOCKDOWN AN OFFICE MENU ITEM, TOOLBAR AND RIBBON

Some of the steps in this procedure may vary depending on the product and version, as
indicated.
72
LOCKDOWN MANAGEMENT
Office Wizard
1. Navigate to the node for which you want to create the action in the navigation tree.
2. Select Office Wizard on the Lockdown page > Lockdown group.
The Microsoft Office Lockdown Wizard displays.
3. Click Next in the Welcome screen to proceed to the application selection screen.
All supported Microsoft Office applications installed are listed.
4. Select the application you want to lockdown and click Next.
The selected application opens so that all menu items can be registered.
(Office 2000, XP and 2003, and Outlook 2007 only)
A collapsible list of all menus displays in which you can select each menu including all
items, or expand the menu lists to select specific items to disable.
5. Select the menu items you want to disable.

Enter the name of a specific item to search in the text edit box and click Find. If the item
is found, the relevant menu list expands allowing you to locate the required item.
6. Click Next to display the toolbar items list which you can populate using the spytool.
(Office 2000, XP and 2003 only)
7. Click and drag the Spy tool to the toolbar item, within the application, that you want to
disable, release the target icon when the toolbar item is highlighted with a black border.
The name and description of the selected toolbar item are now displayed.
Repeat this process to add multiple toolbar items.
8. Click Next to display a list of ribbons with collapsible lists of ribbon items allowing you to
select specific items to disable.
(Office 2007 only)
Enter the name of a specific item to search in the text edit box and click Find. If the item
is found the relevant ribbon list expands allowing you to locate the required item.
9. Click Next to provide a description for the Action.

10. Click Next to display the Completed Office Lockdown screen and click Finish to
complete the wizard. The lockdown action is now listed in the Actions section.
73
LOCKDOWN MANAGEMENT
Message Libraries
Message Libraries
The Message Libraries consist of Blocked Text and Blocked Message.
Blocked Text allows you to configure a list of words or expressions that can be used to filter the
text entered into Edit boxes.
The Blocked Text Library is only applicable to the Edit Control Lockdown functionality.
Blocked Messages allow you to configure messages that are displayed when using the
Lockdown feature.
The Blocked Message Library is only applicable to the Edit Control and MSAA Control
Lockdown functionality.
Reference
Blocked Text Library

Add > Add Blocked Text List
Click to create a Blocked Text List.
Add > Add Blocked Text Item
Click to add a Blocked Text Item to a List.
Behaviour
You have the option to select one of the following behaviour types for each blocked text library
instance created:
Use Regular Expressions
Remove all text if blocked - to delete all of the text entered if it contains any blocked text.
Remove blocked text only - to delete only the blocked text entered.
Replace with
Enter the text that will replace the removed blocked text.
Expand Environment Variable
Select to expand text at runtime to the full environment variable path.
Block Drive Letter
Select to block the input of any drive letter that has been hidden from the Explorer view for the
specific user by Microsoft Windows Policy.
74
Blocked Text Item

Enter the blocked text for the blocked text list.
Blocked Message Library
Display Scroll bar
Select to display the scroll bar on the message dialog box.
LOCKDOWN MANAGEMENT
Message Libraries
75
This section provides details on User Personalization, and includes the following:
Troubleshooting

User Personalization provides the ability to capture the changes that users make to their
applications on a per application basis and also desktop settings on a per session basis. These
changes are then stored in a central database, making them available to the user from wherever
they log on, regardless of operating system or delivery mechanism.
The changes made to an application are synchronized whenever the application starts or stops.
This enables changes to be shared between multiple sessions simultaneously, without the need
to log off.
Desktop Settings, such as wallpaper, keyboard and mouse are also managed, when the user
logs off and on.
Environment Manager enables this behavior automatically, for all users within the organization,
with minimal configuration.
User Personalization data is archived on a daily basis, providing the unique ability to rollback
changes to an application to those made on a previous day.
A Personalization Analysis tool is also provided which enables the administrator to monitor
which applications are being controlled by Environment Manager, including how much data is
being stored per-user and per-application.
76
8 USER PERSONALIZATION
APPSENSE PERSONALIZATION SERVER CONFIGURATION UTILITY
Checks the configuration is correct for example, database, accounts, roles, servers, IIS, ASP,
shown in the Variance report.
User Personalization settings are configured through the database scripts provided as part of
the AppSense Personalization Server Configuration utility.
The Server Configuration utility is a dual purpose tool. The first time it is run, it runs in
configure mode, this configures the Personalization Server website and creates the database
with the correct accounts. Subsequent runs of the utility run in report mode, which shows
any variances from the initial configuration.
For further information see the AppSense Management Suite Architecture and Installation
Guide.
LIVE DATABASE CONNECTION
In the Environment Manager console the User Personalization view requires a live connection to
the SQL Database. This means that changes are committed immediately to the database,
therefore Open and Save are meaningless.
If you navigate back to Policy Configuration the database connection remains open. If you
want to disable User Personalization you must select Disconnect in the Personalization
ribbon page > Connection group.
DEFAULT BEHAVIOR
User Personalization is designed to allow every user to have every application they run
discovered and then managed.
The Discover All Processes and Manage All Processes options must be enabled in the
User Personalization Group Settings.
The configuration retrieved by the client session from the database at logon determines which
applications are managed and the data that it to be virtualized. If a new user logs on to the
system, and this user is not recognized then no configuration is returned and therefore no
applications will be managed.
In a similar way, if a known user logs on but doesnt have a configuration, no applications will
be managed. However, in this scenario the desktop settings will still be managed, unless they
are disabled in the Users Personalization Group Settings.
Both instances will produce an audit event.
Any changes to the User Personalization data within the console are dependent on when the
local configuration is updated, this can be the configuration poll period or when the EMAgent
Service is restarted. The changes are then written to the SQL database and hence are applied
immediately, the next time a user launches an application the new settings are applied.
77
Environment Manager applies last write wins behavior on a per application level. Whenever a
user closes an application, the personalization changes for that application are saved back to
the server immediately, so if an application is changed in two concurrent sessions the last
running version of the application dictates what is stored on the server.
RULE PROCESSING ORDER
Each application in the configuration has a set of inclusions and exclusions. They are
processed in the following order:
Match against the exclusions list
Match against the inclusions list

For further information on Exclusions and Inclusions refer to the Include and Exclude Rules
section.
If a user is a member of more than one group in the database, then the settings used will
be for the first group rule that is matched.
A file is deemed changed if the modified file time is different.
USER IDENTIFICATION
When a log on request is received, the Personalization Server needs to determine who the user
is in order to provide the correct configuration. Configurations are stored in the database on a
per group basis, so the user should be assigned to a group.
The client sends up details about the user logging on, such as name, client machine name and
IP address.
STREAMED APPLICATIONS
Once an application is under the control of User Personalization a user will receive their
managed personalization data no matter how they access the application.
Virtualized environments are becoming increasingly commonplace in the corporate
environment with applications being streamed from a server instead of being run locally.
Streaming usually involves packaging an application in some way so that it is self contained,
with the personalization data existing within this package, nevertheless, User Personalization
can still manage streamed applications in the same way as local applications. The streaming
applications currently supported are as follows:
Microsoft SoftGrid 4.2
Microsoft App-V 4.5
Citrix XenApp (Streamed Apps)
Symantec Altiris SVS

For details on working with AppSense Environment Manager and Streamed Applications refer
to the Streamed Applications appendix.
78
DESKTOP SETTINGS
Desktop Settings can also be managed by registry actions in Policy Configuration. However,
we recommend you only use either Policy Configuration or User Personalization, but not both
simultaneously, to ensure optimum performance.
For further information on registry actions in Policy Configuration refer to the Registry in the
Action Management chapter.
When User Personalization is enabled all desktop settings are managed, unless explicitly
disabled in the users Personalization Group Settings. When User Personalization is disabled no
desktop settings are managed in User Personalization.
Desktop Settings include:
Accessibility settings
Appearance settings
Cursors
Keyboard settings
Language settings
Mouse settings
Screen Saver settings
Certificates
Desktop Settings are for all users and are cross platform for example, Vista to XP, with the
exception of Themes and Icons.
Desktop settings can still be configured manually in Policy Configuration as registry hives.
Although all desktop settings are implicitly managed. The administrator is able to control which
desktop settings are to be included via the Desktop Settings dialog in the console.
If you have an empty cache, for example the first time you install the Environment Manager
agent, or if the local cache has been removed, you must logoff and then log back on to start
managing the Desktop Settings, on the next logoff the settings will be saved to the cache.
79
Keys can be added and removed as required. The Add button displays the Add a new desktop
setting key dialog box, where you can browse the registry to locate the key you want to add.
It is possible to remove all entries which would effectively disable the feature.
Care must be taken when removing individual entries in case they are linked to other entries.
The desktop is updated with the latest data from the database but will only return data for
settings that are actually being managed.
ENABLING USER PERSONALIZATION
To enable User Personalization do the following:

1. In Policy Configuration navigate to the Home ribbon page > General Properties group.
2. Select Enable User Personalization.
The Select Personalization Server dialog box displays.
3. Right-click to display the shortcut menu, select New Server.
The Add Server dialog box displays.
The Personalization Server supports secure connections using HTTPS. For further details
please refer to the AppSense Management Suite Architecture and Installation Guide.
80
4. Enter the server details and click OK.

Do not select Localhost.
If you enter Localhost as the server name it is added to the Configuration.aemp file as
the location of the Personalization Server. Therefore, on the client it will try and connect
to http://localhost/PersonalizationServer/ which is incorrect and so User Personalization
will be disabled.
The server is listed in the Select Personalization Server dialog box.

5. Highlight the server you want to connect to and click Connect.
The Connect to <Server Name> dialog box displays.
6. Select Current or Custom User and click OK.
You will notice the Enable User Personalization symbol on the ribbon button turns green
to indicate that User Personalization is enabled.
7. Save the configuration to create a configuration.aemp file with the Personalization Server
details. This must then be deployed or installed on all machines that you want to be
managed.
8. Click the User Personalization navigation button in the navigation pane.
The User Personalization navigation tree displays.
9. Click Connect in the Personalization ribbon page > Connection group.
10. Highlight the Personalization Server you want to connect to and click Connect.
The User Personalization navigation tree displays.
81

The User Personalization navigation tree is made up of the following:
Sites
Set up global settings which are applied to all managed applications and application groups.
You can specify which registry keys and which folders to include or exclude from management.
Include and Exclude Rules
Exclusions take priority over inclusions, except where the include path is deeper.
If you have global includes/excludes along with Application or Application Group includes/
excludes, these are collated together but still follow the above rule.
Include and Exclude Examples

Inclusions and exclusions will apply to the Path and all subfolders subject to the rules.
Include Path
Exclude Path
C:\Test
Behaviour
Include C:\Test
C:\AppX
Exclude C:\AppX
C:\Ambiguous
C:\Ambiguous
Exclude C:\Ambiguous
C:\Program Files\AppSense
C:\Program Files
Exclude C:\Program Files

Include C:\Program Files\AppSense
C:\Windows
C:\Windows\System32
Include C:\Windows
Exclude C:\Windows\System32
Application Groups - A collection of applications which are managed as a single group. The
groups can contain additional registry or folders to include or exclude from management.
Applications - Applications to be managed on the client computer.
82
Application Groups
An Application Group is a collection of applications which are managed as a single group, for
example Microsoft Office Suite. Includes details of the version, the OS and the inclusions and
exclusions.
All applications in a group share a cache, therefore personalization settings will be
synchronized from the server when the first application in the group is opened and
synchronized back when the last application is closed.
There are two default Application Groups:
Default Whitelist - A default list of applications which are included in the Personalization
management for all users.
The Default Whitelist group is empty by default.
Default Blacklist - A default list of applications which are excluded from Personalization
management for all users, for example mmc.exe or explorer.exe.
To add applications right-click to display the shortcut menu and select Add Application. For
further details see To Add an Application Group from point 3.
TO ADD AN APPLICATION GROUP
1. Navigate to the Application Groups node in the navigation tree.

2. Click Add Application Group in the Personalization ribbon page > Nodes group.
A New Application Group node is created and highlighted ready to be renamed in the
navigation tree and the Application Group work area displays.
3. Add applications to the group, right-click to display the shortcut menu, select Add
Application.
The Select Applications dialog box displays.
Applications must first be added in Personalization Applications > Applications.
4. Select the application you want to add to the application group.

To select more than one application hold down the Ctrl key whilst selecting, or, select a
range whilst holding down the Shift key.
83
5. You can specify Registry keys and Folders to include or exclude from this group.
You can include or exclude registry keys and folders for management in the group.
TO ADD A REGISTRY KEY INCLUSION FOR AN APPLICATION GROUP
To include a registry key that will be managed across all applications within the application
group.
1. Navigate to the relevant Application Group in the navigation tree.
2. Click the Registry tab in the Application Group work area.
3. Click in the first blank box under Include.
4. Right-click to display the shortcut menu, select Add Path.
The ellipsis (...) display at the end of the box.
5. Click the ellipsis (...).
The Browse Registry dialog box displays. You can select from your local computer or click
Connect to display the Active Directory Select Computer dialog box to select another
computer to browse.
6. Locate the required Registry Key and click OK.
The selected Registry Key is added to the Include list in the work area.
You can add a Registry Key exclusion by following the same process as to add an inclusion.
TO ADD A FOLDER INCLUSION FOR AN APPLICATION GROUP
1. Navigate to the relevant Application Group in the navigation tree.

2. Click the Folders tab in the Application Group work area.
3. Click in the blank box under Include.
The Browse for Folder dialog box displays.
6. Locate the required Folder and click OK.
The selected Folder is added to the Include list in the work area.
You can add a Folder exclusion by following the same process as to add an inclusion.
Reference
Application Group > Applications

OS RegEx
Displays the Operating System regular expression.
84
Version RegEx
Displays the Version regular expression.
Applications
A list of applications which can be managed on the client computer. Set up how the
applications are to be managed, including details of the version, the OS and the registry and
folder inclusions and exclusions.
The Personalization Analysis tool can be used to view Discovered Managed applications and
create explicit database entries for them by migrating them to being Whitelisted Applications.
See Personalization Analysis for further details.
TO ADD AN APPLICATION
1. Navigate to Applications in the navigation tree.

2. Click Add Application on the Personalization ribbon page > Nodes group.
The Select Application dialog box displays.
3. Enter a friendly name for the application.
Duplicate names are not allowed.
4. Enter the application executable name. To search for an executable select the ellipsis (...).
The Select Application dialog box displays.
An application executable name may need to be entered directly, if the required
executable is not installed on the Administrators machine.
5. Locate the required program and click Open.

The selected program is entered into Application.
6. If you want to specify a particular Operating System or Application Version amend the
regular expressions, alternatively to include all operating systems and application versions
leave the default regular expression of .*.
The combination of Application executable name, Operating System and Application
Version must be unique.
7. Click OK.
The Application is added to the Applications list in the Applications work area and a new
node is created under the Applications node in the navigation tree.
85
TO ADD A REGISTRY KEY INCLUSION FOR AN APPLICATION
To include a registry key that will be managed for the application.

1. Navigate to the relevant Application in the navigation tree.
2. Click the Registry tab in the Application work area.
3. Click in the first blank box under Include.
The Browse Registry dialog box displays. You can select from your local computer or click
Connect to display the Active Directory Select Computer dialog box to select another
computer to browse.
6. Locate the required Registry Key and click OK.
The selected Registry Key is added to the Include list in the work area.
You can add a Registry Key exclusion by following the same process as to add an inclusion.
TO ADD A FOLDER INCLUSION FOR AN APPLICATION
To include a folder in the Personalization management of an application.

1. Navigate to the relevant Application in the navigation tree.
2. Click the Folders tab in the Application Group work area.
3. Click in the blank box under Include.
The Browse for Folder dialog box displays.
6. Locate the required Folder and click OK.
The selected Folder is added to the Include list in the work area.
You can add a Folder exclusion by following the same process as to add an inclusion.
Once Applications have been created, they can be added to Application Groups, see To Add an
Application Group for further details.
Reference
Application > Application

Executable
Enter the application. Select the ellipsis (...) to display the Select Program dialog box to search
for the application.
86
OS RegEx
Operating System regular expression. The default is .* to match all operating systems.
Version RegEx
Version regular expression. The default is .* to match any version of the application. To match a
particular versions amend the regular expression accordingly or enter a specific version.
A personalization group is used to group together similar users so they have the same managed
applications and managed application groups.
Default Users
There is a default Personalization Group in a new configuration.
Any users that are not assigned to an alternative Personalization Group will be placed in the
Default Users group.
This is a catch all for any users that are using User Personalization. If a user is already assigned to
another group then they will take their configuration from their group settings. If not they will
use the configuration specified here.
The Default Whitelist and Blacklist Application Groups are added to the Default Users
Personalization Group by default.
Excluded Users
You can switch off Personalization for specific users by creating an Excluded group.
The Personalization settings are unmanaged for any users that are assigned to this group.
For further information on assigning users to Personalization Groups refer to Create a
Personalization Group Membership Rule.
You must do the following:

3
Clear all checkboxes on the Personalization Group work area > Settings tab.
Remove all entries from the Personalization Group work area > Whitelists tab.
87
TO ADD A PERSONALIZATION GROUP
To create a new group for users.

1. Navigate to the Personalization Groups node in the navigation tree.
2. Click Add Personalization Group on the Personalization ribbon page > Nodes group.
A New Personalization Group node is created and highlighted ready to be renamed in
the navigation tree and the Personalization Group work area displays.
If any changes are made to the Active Directory settings that will affect the Personalization
Group assignment, the affected users should log off and back on to pick up the changes.
For further information on setting up a Personalization Group see Personalization Group.
TO MOVE USERS BETWEEN PERSONALIZATION GROUPS WHILST RETAINING SETTINGS

The user must log off before performing this task.
This task only moves the user data from one personalization group to another. An
administrator must move the actual user from one group to another using the
Personalization Group > Membership Rules, otherwise any new data will go to the
old group.
1. Navigate to the Personalization Group in the navigation tree which the user you want to
move belongs.
2. Click Personalization Analysis on the Tools ribbon page > Management group.
The Personalization Analysis dialog box displays.
3. Leave the default settings of <All Users> in the By user field. Select Display.
The report for all users displays.
4. Click on the user you want to move and right-click to display the context menu.
5. Click Move the settings for <user> to another group...
The Select Destination Group dialog box displays listing all of the possible target groups.
6. Select the group to which to move the user.
Only one user can be moved at a time.
88
7. Select whether to Include Discovered Applications.

8. Click Continue to proceed with the move.
A warning message displays if the user already has data in the selected destination
group. You have the option to Continue or Cancel.
9. If the user and the associated data is successfully moved a confirmation message displays,
click OK.
The graph is refreshed and the user bar disappears.
The Whitelists for Applications and Application Groups for the new group, need to
match the old group to ensure the applications are managed.
Once moved, the user data no longer exists in the old group.
Offline Mode
When a user is logged on to a managed computer the personalization data is stored locally in a
virtual cache. By default, when the user logs off this cache is deleted and recreated on next log
on. This is to help minimize excessive disk storage on terminal servers with large numbers of
users logging on.
In offline mode the users data is persisted even if they have a mandatory profile as the
personalization data is stored in a separate cache found at
%APPSENSEPROFILEDIRROOT%\AppSenseVirtual.
Note: %APPSENSEPROFILEDIRROOT% is a fixed string not an environment variable and
resolves to the drive letter of the users profile directory, for example C:\
However, it may be desirable to keep the virtual cache available on the local machine, perhaps
when the user is logging onto a notebook and intends to work from home. It would be useful if
the personalization data was available even when there is no connection to the corporate
network.
The administrator can enable Offline Mode on a per-group basis. The cache will be
permanently available on the machine used to log in.
Select Allow Offline Mode in User Personalization > Personalization Groups > Settings >
Offline Options.
89
Detecting Offline Mode

Offline mode is provided as part of the user configuration obtained from the database.
Therefore, each time the user logs in and retrieves the configuration the offline status is
provided. If the user goes offline then the cached copy of this setting is used. The next time the
user logs on and connects to the Personalization Server the offline status is updated.
If a user has modified the cache both online and offline and reconnects the offline session,
then last write wins based on the time stamp.
Personalization Group
Manage the rules which determine the users that belong to this group. Also, manage the list of
managed applications and managed application groups which are assigned to this group
(whitelist) and those which are excluded (blacklist). You can also control various settings related
to profile migration, certificates and offline mode.
The Personalization Analysis option is available to analyze the current and historical
personalization data for users, their applications and application groups.
For further information refer to the Personalization Analysis section.
CREATE A PERSONALIZATION GROUP MEMBERSHIP RULE
Add conditions to determine which users belong to the group.

Membership Rules are not applicable to the Default Users Personalization Group.
1. Navigate to the relevant Personalization Group in the navigation tree.

The Personalization Group work area displays.
2. Right-click in the blank area on the Membership Rules tab to display the shortcut menu.
3. Select Add Condition Group.
4. Select whether to add a User Condition or Computer Condition.
5. Select the type of User or Computer Condition you want to create, for example User Name.
The relevant dialog box for the selected condition type displays.
90
For further information on Conditions refer to the Condition Management chapter.
6. The new Condition Group displays under Membership Rules.

7. You now have the option to insert a Condition into that Condition Group. Refer to Insert a
Condition into a Condition Group for a Personalization Group for further details.
INSERT A CONDITION INTO A CONDITION GROUP FOR A PERSONALIZATION GROUP

To create an AND rule.
1. Highlight the relevant Condition Group in the Membership Rules tab in the
Personalization Group work area.
2. Right-click to display the shortcut menu, select Insert Condition.
3. Select whether to add a User Condition or Computer Condition.
4. Select the type of User or Computer Condition you want to create, for example User Name.
5. The new Condition displays in the Condition Group under Membership Rules.
You can OR rules together by clicking below any existing membership rule and selecting Add
Condition Group.
Reference
Membership Rules
Add conditions to determine which users belong to the group.
Settings > Migration Options
Migrate Existing Profiles
Disabled by default. This option can be used for the following reasons:
91
TO RETAIN PROFILE SETTINGS FROM ROAMING, LOCAL OR OTHER HYBRID PROFILE SOLUTIONS
If you have a roaming, local or hybrid profile and you want to start using Environment Manager
v8.0, select Migrate Existing Profiles to migrate the profile settings to the Personalization
database. Once the settings have been migrated, turn the roaming, local or hybrid profile
solution off.
TO UPGRADE A V7.X CONFIGURATION TO V8.0
1. Open the v7.x configuration in the v8.0 console, this upgrades the configuration.
2. Save the converted configuration out to the endpoint devices.
3. To detect the settings do one of the following:
Restart the Environment Manager Agent
Log user off and on again.
Wait for 5 minutes. This is the automatic poll period for refreshing User Personalization
settings from the database.
4. Run every application that has currently been hived at least once. This must be done for
each user.
This loads the v7.x Environment Manager registry hives.
You can check which applications have been run and the frequency in Personalization
Analysis.
5. User Personalization takes over responsibility for all personalization settings for all managed
applications.
In User Personalization there are no rules governing which desktop settings to manage
under which conditions. The desktop settings will always be applied when User
Personalization is enabled. However, desktop settings can be disabled by clearing the
Manage Desktop Settings checkbox on the Personaliztion Group > Settings tab or
by deleting all the entries in the Desktop Settings dialog box.
6. Once all applications have been migrated clear Migrate Existing Profiles to disable the
migration mode.
User Personalization mechanism writes to the cache every time a managed application
writes to the registry or file system. However, when Migrate Existing Profiles is
enabled, each time a registry key or file is read for a managed application, it is also saved
to the cache. So to reduce the volume of data collected, it is recommended migration
mode is disabled when not in use.
92
7. Delete the associated hives from the Policy Configuration XML file.
During the migration process the actual profile data is not changed at all, therefore the
administrator can revert back to using the roaming profiles by just disabling User
Personalization.
Settings > Processes

Applications are distinguished by the version number and the operating system (OS) they run
on. For example, if Notepad is run on Vista and XP it is treated as two separate applications,
with separate caches. They will therefore not be synchronized. In this case, Notepad needs to
be added to the user whitelist using wildcard version and OS matching to ensure
synchronization between Vista and XP.
Discover All Processes

Disabled by default. Select to capture information for example, executable name and version
and operating system version for every application a user runs. No further associated data is
collected as the application is not managed or personalized, and is therefore a safe way to
collect information on which applications are being run. This saves time from having to prepopulate the whitelist.
If however, an application is Blacklisted it will not be discovered.
Manage All Processes
Disabled by default and can only be enabled if Discover All Processes is selected. Select to
discover and manage all applications which are run, with the exception of Blacklisted
applications. This saves time in having to populate a Whitelist.
Selecting Manage All Processes can cause adverse behaviour in certain applications and
should be used with extreme caution. For example, if an attempt is made to manage an antivirus application it will detect any attempt to hook into it as a threat.
If Manage All Processes is selected, any applications that are not explicitly configured will be
Discovered Managed. In the Personalization Analysis Reports these will be shown as:
Discovered Unmanaged = grey bars
Discovered Managed = blue bars
93
Settings > Offline Options

Allow Offline Mode
Disabled by default. Select to enable Offline Mode. If selected, on logoff the local cache is not
deleted.
For more information on Offline Mode refer to Offline Mode.
Offline Resiliency
Enabled by default. Select to enable offline resiliency. If selected, if a network disconnects, all
changes held locally will be synchronized when the network connection reconnects.
Settings > Desktop & Certificates
Manage Desktop Settings
Enabled by default. If selected, desktop settings are managed for the Personalization Group.
Manage Certificates
Enabled by default. If selected, user certificates can be added to the local certificate store when
using a mandatory profile and are managed and therefore are available if a user logs on to
another computer.
If you have an empty cache, for example the first time you install the Environment Manager
agent, or if the local cache has been removed, you must logoff and then log back on to start
managing Certificates. On the next logoff the certificates will be saved to the cache.
Whitelists
Whitelist Application Groups
Add Application Groups to the Whitelist. All Applications in the selected Application Groups will
be included in the personalization management for this Personalization Group.
To add an Application Group, right-click in the blank area under Whitelist Application Groups.
Select Add Application Group. The Select Application Groups dialog box displays. Locate
the Application Group and click OK.
The Default Whitelist Application Group is added by default to a new Personalization Group.
94
Whitelist Applications
Add Applications to the Whitelist. All Applications will be included in the personalization for this
Personalization Group.
To add an Application, right-click in the blank area under Whitelist Applications. Select Add
Application. The Select Applications dialog box displays. Locate the Application and click
OK.
All applications in a group share a cache, therefore personalization settings will not be
synchronized until all applications in the group are closed.
Blacklists
Blacklist Application Groups
Add Application Groups to the Blacklist. All Applications in the selected Application Groups will
be excluded in the personalization management for this Personalization Group.
To add an Application Group, right-click in the blank area under Blacklist Application Groups.
Select Add Application Group. The Select Application Groups dialog box displays. Locate
the Application Group and click OK.
The Default Blacklist Application Group is added by default to a new Personalization Group.
Blacklist Applications
Add Applications to the Blacklist. All Applications will be excluded in the personalization for this
Personalization Group.
To add an Application, right-click in the blank area under Blacklist Applications. Select Add
Application. The Select Applications dialog box displays. Locate the Application and click
OK.
If an application is in the whitelist and blacklist the application will be blacklisted on the
client.
95
Sites
Allows you to group Personalization Servers to particular sites. The sites node is populated from
the values provided by the administrator when setting up the Personalization Server via the
AppSense Personalization Server Configuration utility.
The Default Site is added when User Personalization is enabled and the Server is selected from
the Select Personalization Server dialog box.
Synchronize Site Databases
Synchronize Site Databases is on the Tools ribbon page > Replication group.
Select to replicate personalization data between site databases on demand.
In order to use Synchronize Site Databases you must have setup replication, refer to
Personalization Database Replication Appendix for details.
TO ADD A SITE
1. Navigate to the Sites node in the navigation tree.

2. Select Add Site in the Personalization ribbon page > Nodes group.
A New Site node is created and highlighted ready to be renamed in the navigation tree
and the Site work area displays.
Site
Manage the membership rules to determine from which site user personalization data is
supplied.
If any changes are made to the Active Directory settings that will affect the Personalization
Group and the Site membership assignment, the affected users should log off and back on to
pick up the changes.
CREATE A SITE MEMBERSHIP RULE
Add conditions to determine from which site a users personalization data is supplied.
Membership Rules are not applicable to the Default Site.
1. Navigate to the relevant Site in the navigation tree.

The Site work area displays.
96
2. Right-click in the blank area on the Membership Rules tab to display the shortcut menu.
3. Select Add Condition Group.
4. Select Computer Condition.
5. Select the type of Computer Condition you want to create, for example Computer Name.
The relevant dialog box for the selected Condition type displays.
6. The new Condition Group displays under Membership Rules.

7. You now have the option to insert a Condition into that Condition Group. Refer to Insert a
Condition into a Condition Group for a Site for further details.
INSERT A CONDITION INTO A CONDITION GROUP FOR A SITE

To create an ADD rule.
1. Highlight the relevant Condition Group in the Membership Rules tab in the Site work
area.
2. Right-click to display the shortcut menu, select Insert Condition.
3. Select Computer Condition.
4. Select the type of Computer Condition you want to create, for example Computer Name.
The new Condition displays in the Condition Group under Membership Rules.
You can OR rules together by clicking below any existing membership rule and selecting Add
Condition Group.
TO ADD A SERVER TO A SITE
1. Navigate to the relevant Site in the navigation tree.

2. Click Add Site on the Personalization ribbon page > Nodes group.
The Active Directory Select Computers dialog box displays.
3. Locate the server and click OK.
The server is listed under Personalization Servers in the Site tab.
97
High Availability
Multiple personalization servers can be added to the Policy Configuration. This ensures
connectivity is always possible if there is a problem connecting to one server, as alternatives are
available. Therefore, user personalization settings are always available to download from the
database, for the first time and any time there after.
Initial Setup
When User Personalization is first setup, connection to the database is required in order to
download the personalization settings, as set up in the Personalization Server Configuration
Utility, done at time of installation.
For further information refer to the AppSense Management Suite Architecture and
Installation Guide.
ADD PERSONALIZATION SERVERS FOR THE FIRST TIME
1. Navigate to the Policy Configuration navigation tree in the Environment Manager

console.
2. Select Enable User Personalization on the Home ribbon page > General Properties
group.
3. Click the New Server icon.
The Add New Server dialog box displays.
4. Enter the server name and connection details. Click OK.
The server is added to the list in the Select Personalization Server dialog box.
The list of servers gets added to the configuration.aemp file.
The User Personalization mechanism attempts to connect to the first server listed, if that
attempt fails, connection is attempted on the next server in the list and so on until a connection
has been successful.
98
Personalization Server Management

Once the client has made the first connection to a Personalization Server and received the
configuration settings for the user, the new list of servers, as set up in the User
Personalization > Sites will replace any set up in the Policy Configuration side of the console.
AMEND LIST OF PERSONALIZATION SERVERS
How to add, amend or delete the list of personalization servers for a site.
1. Select the User Personalization navigation button.
Ensure User Personalization is enabled from the Policy Configuration side of the
configuration.
2. Select Connect on the Personalization ribbon page > Connection group.

3. Navigate to Sites in the navigation tree.
4. Expand the Sites node and select the relevant Site.
The Site work area displays.
5. Select the Site tab in the work area.
The Personalization Servers are listed.
6. Select Add Server on the Personalization ribbon page > Nodes group.
The Select Computers dialog box displays, conduct an Active Directory browse to select
the servers to add to the Personalization list.
Each server in the Personalization Server list is a separate node under the Site node in the
navigation tree. To amend server details, select the <server> node and amend any details in
the Personalization Server work area.
7. Add or Delete as many servers as required to complete the Personalization Server list.
The User Personalization mechanism attempts to connect to the first server listed, if that
attempt fails, connection is attempted on the next server in the list and so on until a connection
has been successful.
99
USER PERSONALIZATION
Personalization Analysis is available for Personalization Groups on the Tools ribbon page >
Management group.
Personalization Analysis provides the ability to connect to the Personalization Server from the
Environment Manager console and display current and historical personalization usage data for
users, their applications and application groups and select a day from the history to rollback the
selected users personalization settings.
Examples of the sort of data you can pull out of the database are:
The applications that have been run.
How much personalization data is stored per user.
How much personalization data is stored per application.

You can have multiple instances of Personalization Analysis open and therefore create
multiple reports at the same time.
TO PRODUCE A PERSONALIZATION ANALYSIS REPORT
1. Select to produce the report either By Application or By User.

2. Select the application or user from the drop-down list.
The Select Application or Application Group dialog box or the Select User dialog box
displays.
You can select All Applications or All Users to report on the group as a whole.
3. Click Display to view the Report.

The Usage Report includes the following:
Size
Archives
100
Size
The Size report displays the user name on the vertical axis and the Personalization data size for
the user on the horizontal axis.
From here you have the following options available on the right-click shortcut menu:
Delete ALL settings for <DOMAIN\User> - This option deletes all settings and archives
for the specified user. The Confirm Personalization Analysis Operation dialog box
displays, click Continue to complete the deletion.
Move the settings for <User> to another group... - This option allows you to move the
personalization data for the user to another personalization group. The Select Destination
Group dialog box displays, select the group to which to move the user and whether to
Include Discovered Applications. Click Continue to complete the move.
Personalization Group > Membership Rules.
Refer to the Personalization Groups section for further details on how To Move Users
Between Personalization Groups Whilst Retaining Settings.
To drill further down the Size report, click on a user bar to display application name on the
vertical axis and the Personalization data size for the application on the horizontal axis.
The bars display in either orange or blue. An orange bar represents a Whitelisted Application
which means the application is in the Whitelist in the Users Personalization Group. A blue bar
represents a Discovered Managed Application which means the application is not explicitly
configured in either a Whitelist or Blacklist but is being managed.
An application will be managed when not explicitly configured only when Manage All
Processes is enabled in Personalization Group > Settings, which is Off by default.
Delete <Application Name> Settings for <DOMAIN\User> - This option deletes the
cache for the selected application so next time the application starts it will revert to the
default settings.
Edit Application Registry

Edit Application Registry is an Advanced feature and should be used with care.
When selected, the Edit Registry Settings dialog box displays from there you can edit,
add or delete Registry Keys.
View application file list - displays the View Application File List dialog box. The cache
files for the selected application are listed, and you also have the option to delete.
101
Convert discovered application - This option is only available when selecting a blue bar
indicating a Discovered Managed application. Allows you to do the following:
Add to Applications list- adds the Discovered Managed application to the

Applications list in the configuration.
Add to Whitelist for <Personalization Group name> - the application is added to

the Users Personalization Group Whitelist found in the Personalization Groups work
area > Whitelists tab > Whitelist Applications.
If successful, the bar turns orange, click Refresh in the Personalization page > Nodes
group to see the application is also added to the Applications list in the navigation
tree.
Add to Blacklist for <Personalization Group name> - the application is added to

the Users Personalization Group Blacklist found in the Personalization Groups work
area > Blacklists tab > Blacklist Applications.
The entry and all associated data is removed and the application is no longer managed
for the group.
On selection of one of the above options the Convert Application <application name>
dialog box displays. Complete the Application Name and Executable details and set the
Operating System and Application Version details, for example, you can use the
wildcard .* if you want all versions of the application to be added to the Applications list
and not just the version that has been discovered.

The Whitelist Application Usage report displays the User name on the vertical axis and the
Accesses (frequency) along the horizontal axis.
You can select a time range on which to base the usage report.
102
user to another personalization group whilst retaining the personalization settings. The
Select Destination Group dialog box displays, select the group to which to move the user
and whether to Include Discovered Applications. Click Continue to complete the move.
To drill further down the Whitelist Application Usage report, click on a user bar to display
application name on the vertical axis and the Accesses (frequency) on the horizontal axis.
default settings.
Edit Application Registry

View application file list - the View Application File List dialog box displays. The cache
files for the selected application are listed, and you also have the option to delete.
103

The Discovered Application Usage report displays the User name on the vertical axis and the
Accesses (frequency) along the horizontal axis.
You can select a time range on which to base the usage report.
user to another personalization group whilst retaining the personalization settings. The
Select Destination Group dialog box displays, select the group to which to move the user
and whether to Include Discovered Applications. Click Continue to complete the move.
To drill further down the Discovered Application Usage report, click on a user bar to display
application name on the vertical axis and the Accesses (frequency) on the horizontal axis.
The bars display in either blue or grey, both bars indicate the application is not explicitly
configured in either a Whitelist or Blacklist. A blue bar represents a Discovered Managed
Application, indicating the Manage All Processes option is enabled in Personalization Group >
Settings and data has been collected and can therefore be viewed. A grey bar represents a
Discovered Unmanaged Application, indicating the Discover All Processes option is enabled
but the Manage All Processes option is disabled in the Personalization Group > Settings, and
data has not been collected.
An application will be discovered only when Discover All Processes is enabled in
Personalization Group > Settings, which is disabled by default.
An application will be managed, when not explicitly configured, only when Manage All
Processes is enabled in Personalization Group > Settings, which is disabled by default.
default settings.
104
Edit Application Registry - Only available on a blue bar.

View application file list - Only available on a blue bar. The View Application File List
dialog box displays. The cache files for the selected application are listed, and you also have
the option to delete.
Convert discovered application - This option is only available when selecting a blue bar
indicating a Discovered Managed application. Allows you to do the following:
Add to Applications list- adds the Discovered Managed application to the

Applications list in the configuration.
Add to Whitelist for <Personalization Group name> - the application is added to

the Users Personalization Group Whitelist found in the Personalization Groups work
area > Whitelists tab > Whitelist Applications.
In the User Personalization console, click Refresh in the Personalization ribbon page >
Nodes group to see the application is added to the Applications list in the navigation
tree.
Add to Blacklist for <Personalization Group name> - the application is added to

the Users Personalization Group Blacklist found in the Personalization Groups work
area > Blacklists tab > Blacklist Applications.
The entry and all associated data is removed and the application is no longer managed
for the group.
On selection of one of the above options the Convert Application <application name>
dialog box displays. Complete the Application Name and Executable details and set the
Operating System and Application Version details, for example, you can use the
wildcard .* if you want all versions of the application to be added to the Applications list
and not just the version that has been discovered.
105
Archives
Copies of the current database are taken automatically overnight and stored as backup
archives. Up to five archives are stored by default before the old ones are deleted.
A tree view displays the archives available for each application for the selected user.
You must select a specific User not All Users to produce the Available Archives report.
TO MANUALLY CREATE AN ARCHIVE
1. Select the required application and right-click to display the shortcut menu.
2. Select Archive <ApplicationName> now...
The Confirm Personalization Analysis Operation message box displays.
3. Click Continue.
A message displays to inform you the application settings were successfully archived.
4. Click OK.
The Archive displays under the relevant application in the Available Archives tree view.
Any archive can be selected for Rollback.
Rollback
Part of the disaster recovery capabilities of User Personalization is the ability to rollback to a
previous version of the personalization data, on a per application basis.
Rollbacks are available at the granularity of a day, unless you have manually created archives
other than the automatic overnight backups.
For more information on manually creating archives refer to To Manually Create an Archive.
The two likely reasons for requiring a rollback are as follows:
An application fails to run due to corrupted or inconsistent personalization settings.
The user is unable to restore a particular set of settings that were applied previously.
The user will have to request a rollback from the administrator.
106
Authorized Users
TO ROLLBACK
We recommend the user requesting the rollback is logged off during this procedure or
logged out of the relevant application.
1. In the Available Archives view select the required archive for the relevant application.
2. Right-click to display the shortcut menu.
3. Select Rollback to this archive.
The Confirm Personalization Analysis Operation message box displays.
4. Click Continue.
A message displays informing you the data is rolling back.
5. A message displays to inform you the application settings were successfully rolled back.
Click OK.
The rollback is complete. All application settings are set to as they were at the date of the
selected archive.
Authorized Users
Add authorized users.
The user that runs the Personalization Server Configuration utility is added to the database as an
authorized administrator, initially this is the only user that can connect to the database through
the console. This user can add users to the database via Authorized Users on the Tools ribbon
page > Security group.
The two roles that can be added are:
User - These users can view and modify the contents of the database.
Admin - These users can do everything a user can, as well as create other users.
107
Troubleshooting
This section includes some troubleshooting tasks:
PERSONALIZATION SYNCHRONIZATION NOT WORKING
Personalization Server IIS website up and running
Personalization Server SQL Database communication working
PERSONALIZATION SETTINGS NOT BEING APPLIED AS EXPECTED
Application groups membership
User/groups membership
Registry and folder inclusions/exclusions
Personalization Server communication ok
EVENTS NOT BEING RAISED
License installed
Check CCA settings
Check AMC communcation
Troubleshooting
108
Auditing
This section provides details on AppSense Environment Manager Auditing and includes the
following:
Audit
Local Events
Audit
Auditing allows you to define rules for the capture of auditing information, includes rules about
where event data is stored for logging to a local file and the application event log, and includes
a filter for specifying the events you wish to capture in the log.
Local Auditing allows you to specify whether to log events in the Windows Application Event
Log or to a custom AppSense Event Log. Events can be written to a local file in CSV or XML
format.
By default, the log file is located at
%SYSTEMDRIVE%\AppSenseLogs\Auditing\EnvironmentManagerEvents_%COMPUTERNAME
%.csv (or .xml)
An alternative location can be configured for the log file. In this mode auditing also includes an
event filter to log only specific events.
In Enterprise installations, events can be forwarded to the AppSense Management Center via
the Client Communications Agent (CCA). When using this method for auditing, event data
storage and filtering is configured through the AppSense Management Console. For more
information see the AppSense Management Center Administration Guide.
Reference
Summary
The following allows you to configure the event logging:
Send events to the Application Event Log
Select whether to send events to the Application Event log.
109
9 AUDITING
Local Events
Send events to the AppSense Event Log

Select whether to send events to the AppSense Event log.
You can only send the events to the Application Event Log or the AppSense Event Log.
Make events anonymous

Specify whether events are to be anonymous. If, Yes, the computer name and user name is
omitted from all events. Anonymous logging also searches the file path for any instances where
a directory matches the username and replaces the directory name with the string USERNAME.
Send events to local file log
Select whether to send events to the local file log. If Yes, the events are sent to the local log file
as specified in the Text box.
Text box
The path for the local log file. The default is:
%SYSTEMDRIVE%\AppSenseLogs\Auditing\EnvironmentManagerEvents_%COMPUTE
RNAME%.xml or csv
Local file log format

Specify whether the event log is to be saved in XML format or CSV format.
Local Events
The Event filter table is a comprehensive list of all events and is used to select the events you
wish to audit. You can sort the table numerically by ID number, or alphabetically by Event Name
or Event Description. Selected events are highlighted in bold. Click Toggle to change the states
between selected and cleared.
Table 9.1
Environment Manager Events List
Event ID
Event Name
Event Description
Event Log Type
9300
Self healing process

started
A process being monitored for self healing stopped

and has now been restarted.
Information
9301
Self healing registry

key replaced
A registry key being monitored for self healing was

changed and has now been reset.
Information
9302

key removed
A registry key being monitored for self healing was

inserted and has now been removed.
Information
9303
Self healing file

replaced
A file being monitored for self healing was modified

or removed and has now been replaced.
Information
9304
Self healing file

removed
A file being monitored for self healing was added

and has now been removed.
Information
110
Table 9.1
9 AUDITING
Local Events
Event ID
Event Name
Event Description
Event Log Type
9305
Self healing service

stopped
A service being monitored for self healing started

and has now been stopped.
Information
9306
Self healing service

started
A service being monitored for self healing stopped

and has now been restarted.
Information
9307

value replaced
A registry value being monitored for self healing

was changed and has now been reset.
Information
9308

removed
A registry value being monitored for self healing

was inserted and has now been removed.
Information
9399
Software is not
licensed
The Environment Manager software has not been

licensed.
Warning
9400
Lockdown edit
control blocked
drive
An edit control has had a blocked drive entered into

it.
Information
9401
Lockdown edit
control blocked text
An edit control has had blocked text entered into it.
Information
9402
Lockdown
accelerator keys
blocked
An application has had accelerator keys blocked.
Information
9403
Lockdown dialog
blocked
An application has had a dialog box blocked.
Information
9404
Lockdown MSAA
access blocked
An application has had access blocked for a control

using MSAA detection.
Information
9405
User logon action

success
A user logon action completed successfully.
Information
9406
User logon action

fail
A user logon action failed to complete successfully.
Information
9407
User logoff action

success
A user logoff action completed successfully.
Information
9408
User logoff action

fail
A user logoff action failed to complete successfully.
Information
9409
Computer startup
action success
A computer startup action completed successfully.
Information
9410
Computer startup
action fail
A computer startup action failed to complete

successfully.
Information
9420
User session
reconnect action
success
A user session reconnect action completed

successfully.
Information
9421
User session
reconnect action
fail
A user session reconnect action failed to complete

successfully.
Information
111
Table 9.1
9 AUDITING
Local Events
Event ID
Event Name
Event Description
Event Log Type
9422
User session
disconnect action
success
A user session disconnect action completed

successfully.
Information
9423
User session
disconnect action
fail
A user session disconnect action failed to complete

successfully.
Information
9424
User session locked

action success
A user session locked action completed successfully.
Information
9425
User session locked

action fail
A user session action failed to complete successfully.
Information
9426
User session
unlocked action
success
A user session unlocked action completed

successfully.
Information
9427
User session
unlocked action fail
A user session unlocked action failed to complete

successfully.
Information
9428
Process start action

success
A process start action completed successfully.
Information
9429
Process start action

fail
A process start action failed to complete

successfully.
Information
9430
Process stopped
action success
A process stopped action completed successfully.
Information
9431
Process stopped
action fail
A process stopped action failed to complete

successfully.
Information
9432
Network
connection action
success
A network connected action completed successfully.
Information
9433
Network
connection action
fail
A network connected action failed to complete

successfully
Information
9434
Network
disconnected action
success
A network disconnected action completed

successfully.
Information
9435
Network
disconnected action
fail
A network disconnected action failed to complete

successfully.
Information
9495
Not configured
AppSense Environment Manager has not been

configured.
Warning
9496
Configuration
unsupported
An old configuration has been found.
Warning
9501
Removable storage
device has been
disabled
The user has tried to access a device which has been

disabled.
Information
112
Table 9.1
9 AUDITING
Local Events
Event ID
Event Name
Event Description
Event Log Type
9502
Removable storage
device has readonly access
The user has tried to write to a device which has

read-only access.
Information
9650
Managed
application start
A managed application has started
Information
9651
Managed
application stop
A managed application has stopped
Information
9652
Personalization load
error
Personalization settings for a managed application

failed to load.
Error
9653
Personalization save
error
Personalization settings for a managed application

failed to save.
Error
9654
Blacklisted process
started
A managed process has launched a blacklisted

process.
Information
9655
Personalization not
saved
Personalization settings not saved as another group

application is running.
Information
9656
Offline resiliency
save started
Offline resiliency save has been started for a

managed application.
Information
9657
Offline resiliency
save complete
Offline resiliency has successfully saved a managed

applications personalization settings.
Information
9658
Personalization
settings purged
Personalization settings purged as offline mode is

disabled.
Information
9659
Personalization
settings updated
User personalization settings updated from

personalization server.
Information
9660
Personalization
failed
Personalization for a managed application failed.
Error
9661
Timeout
Communicating
with Personalization
Server
A timeout occurred whilst trying to communicate

with the Personalization Server.
Warning
113
9 AUDITING
Local Events
Personalization Server Events

The following are Personalization Server events:
Table 9.2
Personalization Server Events
Event ID
Event Name
Event Description
Event Log Type
9600
Failed to connect to
Personalization
Database
The Personalization Server failed to connect to the

Personalization Database.
Error
9601
Windows
Impersonation
Logon Failed.
The Personalization Server failed to log on, using

Windows Impersonation, with the credentials
supplied via the Server Configuration Utility.
Error
9602
Failed database
compatibility check
The protocol version used by the Personalization

Server database is incompatible with the version
used by the Personalization Server.
Error
System Events
The following are non-configurable system events:
Table 9.3
Environment Manager System Events
Event ID
Event Description
8000
Service Started.
8001
Service Stopped.
8399
No License
9495
Environment Manager not configured.
9596
Unsupported configuration detected.
Reference
Local Event Filter

Log Locally
Select the events to log locally.
Toggle Selected
Select any number of events from one to all. Toggle to switch the Log Locally check box
between being selected and cleared.
114
10
This section provides details on the Configuration Profiler and includes the following:
Report Type
Report Criteria
Report Output
Report Type
The configuration profiler allows administrators to report on the locally loaded configuration in
the console. General reports are produced to assist auditing and compliance such as Sarbanes
Oxley or HIPAA. Custom reports can be produced to assist troubleshooting of large
configurations.
The configuration profiler is a basic reporting tool that can be used to generate quick reports
based on the details of a loaded product configuration. The report can be generated in the
following ways:
Complete Report - Produces a report which Includes all aspects of the configuration.
Report based on specific criteria - Produces a report which is based on the specified criteria
as selected in the Report Criteria section.
Enter an asterisk (*) as the criterion value to see all actions controlled by a particular type
of condition.
Report Criteria
Use the criteria to specify what is to be included in the report.
Enter the value to match for any of the following:
Computer Name
The criterion must be entered in full Active Directory format for example, CN=John
Smith, OU=AppSense, OU=AppSense User Account, DC=appsense, DC=com or
workgroup format for example, SERVER/Administrator, as entered in the user conditions
dialog.
115
Computer Domain
Computer NETBIOS Name
Computer Group
Computer IP Address
MAC Address
Service Name
OU Membership
10
CONFIGURATION PROFILER
Report Criteria
Only finds OU Membership conditions with names matching the entered OU. Ignores the
Include all Sub-OUs option and the Member of field when matching a Query type.
Site Membership
User Name
The criterion must be entered in full Active Directory format for example, CN=John
Smith, OU=AppSense, OU=AppSense User Account, DC=appsense, DC=com or
workgroup format for example, SERVER/Administrator, as entered in the user conditions
dialog.
User Group
The criterion must be entered in full Active Directory format for example, OU=AppSense,
OU=AppSense User Account, DC=appsense, DC=com or workgroup format for example,
SERVER/Administrator, as entered in the user conditions dialog.
IS Administrator
Primary Group
The criterion must be entered in full Active Directory format for example, OU=AppSense,
OU=AppSense User Account, DC=appsense, DC=com or workgroup format for example,
SERVER/Administrator, as entered in the user conditions dialog.
Process Name
Published Application Name
Client Connection Protocol
Client IP Address
Client NETBIOS Name (Terminal Services)
116
10
CONFIGURATION PROFILER
Report Output
Client Screen Resolution

The client screen resolutions are a series of standard values for example, 800x600 and
1024x768. It is not possible to check X and Y resolutions separately.
Client Colour Screen Depth
Custom Condition
The name of the condition is used to look up custom conditions. Enter * to display all
custom conditions.
Report Output
The report output is produced in sections and sub-sections.
In the preview window you can change the following:
Paper
Size
Watermarks
The option to Save the report in various formats for example, PDF and Print the report is also
available from this preview view.
117
A P P E N D I X E S
This section provides additional or supporting information about topics covered in the Guide
and includes:
System Requirements
Triggers and Actions
Find and Replace
Wildcards
Licensing
118
SYSTEM REQUIREMENTS
System Requirements
This appendix provides details on the system requirements for AppSense Environment Manager.
Supported Operating Systems
The following 32-bit and 64-bit Operating Systems are supported:
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP1 (including Terminal Services)
Microsoft Windows Vista
Microsoft Windows Server 2008 (including Terminal Services)
Supported Technologies
Citrix XenApp
Citrix XenDesktop
Microsoft SoftGrid 4.2
Microsoft App-V 4.5
Symantec Altiris SVS

For details on working with AppSense Environment Manager and Streamed Applications refer
to the Streamed Applications appendix.
119
SYSTEM REQUIREMENTS
Required Components
The following components are required when using the Personalization Server:
Microsoft SQL Server 2000 SP4 or Microsoft SQL Server 2005

If you do not have a SQL Server installed on the target computer, the Management Suite
Installer installs Microsoft SQL Server 2005 Express Edition Service Pack 2.
Application Server Role created (IIS 6 or above)
Installed Components
The following components are installed as part of the AppSense Management Suite Installer:
Windows Installer 3.1 Redistributable (v2)
Microsoft Core XML Services (MSXML) 6.0
Microsoft .NET Framework 3.0 Redistributable Package
Microsoft Visual C++ 2005 SP1 Redistributable Package
Microsoft ASP.NET 2.0
120
Tr i g g e r s a n d A c t i o n s
The table shows which Actions can be assigned to which Triggers in Policy Configuration.
121
TRIGGERS AND ACTIONS
122
This appendix lists all of the default settings for the Quick Setup Wizard which is on the
Actions ribbon page > Actions group.
Internet Explorer
Security Zones: Do not allow users to change policies
Security Zones: Do not allow users to add/delete sites
Disable automatic install of Internet Explorer components
Disable periodic check for Internet Explorer updates
Lockdown
Disable Print Screen option
Disable Address bar in Internet Explorer
Disable Address bar in Windows Explorer
Miscellaneous Settings
Turn off Autoplay
Delete Cached copies of roaming profiles
Do not allow Windows Messenger to be run
Self Healing
Ensure hosts file is never changed
Start Menu & Taskbar Recommended Settings
Clear Programs in Start Menu
Disable Context Menus for the Desktop and Windows Explorer
Disable Context Menus on the Taskbar
Disable Drag & Drop on the Start Menu
Disable Shutdown for all users
Disable Recent Documents history
Force use of Classic Start Menu
123
QUICK SETUP WIZARD DEFAULT SETTINGS
Hide Clock on taskbar and in screensaver
Hide Disconnect for users on Terminal Servers
Hide Taskbar Settings on the Start Menu
Remove Active Desktop Options from the Settings Menu
Remove Help from the Start Menu
Remove Links and access to Windows Update
Remove My Documents from the Start Menu (XP/2003 only)
Remove My Favorites from the Start Menu
Remove My Network Places from the Start Menu (XP/2003 only)
Remove Network Connections from the Start Menu
Remove Recent Documents from the Start Menu
Remove Run from the Start menu
Remove Search from the Start Menu
Remove Set Program Access and Defaults from the Start Menu
Remove Shutdown from the Start Menu
Remove Start Banner on Taskbar
Remove Windows Security from the Start Menu (Terminal Server only)
Restrict Changes to active Desktop Settings
Disable Personalized Menus
Virtual Desktop Infrastructure (VDI) Recommended Settings
Disable Screensaver
Disable Menu Animations
Disable desktop backgrounds
Disable Ctrl+Alt+Delete at logon
Launch Windows Desktop as a separate process from Explorer
Disable NTFS Timestamps on the virtual machine
Disable System Beep while printing
Disable Print Notifications
Disable the display of the last logged on user name
Enable TCPKeepAlives & TCPMaxDataRentransmissions
Disable Persistent Network Drive Mappings
Disable Sound Schemes
124
QUICK SETUP WIZARD DEFAULT SETTINGS
Windows Explorer Recommended Settings
Disable Add/Remove Programs
Disable Control Panel
Hide Administrative Tools
Hide Computer Management Option
Hide Control Panel, Printer and Network Settings
Hide Internet Explorer icon
Hide My Computer Icon
Hide My Network Places Icon
Hide Recycle Bin Icon
Remove Open With... context menu in Windows Explorer
Remove Map and Disconnect Network Drive Options
Remove Properties from My Computer
125
Find and Replace
The Find and Replace feature enables you to search for specific text within your configuration
and replace it with new text. You can conduct the find and replace from the top level Policy
Configuration node or any subsequent level, the search is then carried out on all lower levels.
To include configured conditions in the Find you must select the top level Policy
Configuration node when using Find and Replace.
1. Click on the level from which you want to conduct the find and replace.
2. Select the Find and Replace ribbon button on the Nodes ribbon page > Edit group.
The Find and Replace dialog box displays.
3. Enter the text you want to find in Find What.
4. Click Find to display any matches in the Matches section.
5. Enter the replacement text in Replace With.
6. Select any of the Find Options required. You can choose one or more of the following:
Match Case - To return any words that match the case entered.
Match Whole Word - To return any words that match the whole word entered.
Use Regular Expressions - To return any words that match the text pattern/regular
expression entered. See the Appendix Wildcards on page 127 for further details.
7. Select which instance/s of the text you want to replace from the list displayed and click
Replace, alternatively click Replace All to replace all text found.
8. Close the dialog box.
126
Wildcards
This appendix contains a list of Wildcards that are supported when using Actions and
Conditions and the Lockdown functionality in AppSense Environment Manager.
Table E.1
Supported Wildcards
Metacharacter
Meaning
Matches zero or more of any character, for example *at would match cat, bat, at
and so on.
Matches any single character, for example ?at would match cat but not at.
[abc]
Character group. Matches any character in group, for example bat passes.
[abc!]
Negative character group. Matches any character not in group, for example cat fails
but dog passes.
127
Licensing
AppSense Environment Manager allows you to create and manage AppSense product licenses.
This section provides details about using the console, and includes the following:
Managing Licenses
Troubleshooting
128
F LICENSING

AppSense Environment Manager allows you to manage individual AppSense product licenses,
full Management Suite licenses and evaluation licenses for computers operating in Standalone
mode.
For information about Enterprise license management and deployment, see the AppSense
Management Center Administration Guide.
The console allows you to:

3
Manage licenses for single products, the AppSense Management Suite or Evaluation
licenses.
Export license packages to MSI file format for saving to the AppSense Management Center
or other computers which can be remotely accessed.
It is recommended to use the Management Center Enterprise Licensing for Enterprise
installations.
Import and manage licenses from MSI file format.
An installation requires one of the license codes shown in Table F.1:

Table F.1
AppSense License Types
License
Description
Activate
AppSense Management
Suite
Full Suite license.

Requires activation using the activation code sent from
AppSense Ltd. with the license code.
Application Manager
Single product license.

AppSense with the license code.
Performance Manager

Environment Manager

Evaluation
Full Suite or single product licenses.

Evaluation licenses are available during the first installation of
the product and do not require activation. They are valid for 21
days.
129
F LICENSING
Managing Licenses
Managing Licenses
The following procedures show how to add and activate a new license and import and export
licenses to Microsoft Windows Installer files (*.msi) file for distribution to other computers or to
backup a set of licenses.
ADD AND ACTIVATE A LICENSE
1. Click Add to create a new entry in the license grid and enter the license code in the License
Code entry box.
You can manually enter each digit or copy and paste the license straight in to the entry box.
When a license entry is highlighted, a description displays in the lower portion of the
console and includes the following details:
License Code
License State: Not Activated, Valid, Invalid
Expiry Date
Description indicates the number of days remaining.

A license remains invalid until a code is entered in the Activation Code column.
Evaluation licenses do not require activation.
2. Click Activate to enter the activation code by entering each digit manually or copy and
paste the activation code directly in to the Activation Code entry box, and click Enter.
The description in the grid view updates with the license information as do the details
about the license validation status and, where relevant, the expiry date, in the lower portion
of the console.
Once a license is active, the icon changes to indicate the current license state.
3. Save the configuration to confirm your settings.
TO IMPORT A LICENSE FILE
1. Click Import to display the file Open dialog box and navigate to the location of the license
MSI file.
2. Click Open to load the license file in the Environment Manager.
TO EXPORT A LICENSE FILE
1. Click Export to display the file Save As dialog box and browse to the location for saving
the license MSI file.
2. Provide a name for the file and click Save to save the file.
You can copy this file to any network location and load the file in a Environment Manager
or in Management Center Enterprise Licensing.
130
F LICENSING
Troubleshooting
Troubleshooting
I received an AppSense license, what do I do?
If you have received an AppSense product license, from AppSense, you can load the license by
launching the Local Licensing Console on your client computer and entering the license code
and activation code.
Enter the product license exactly as received. Once a license has been successfully entered, the
system updates the description details stating the products and duration for which the license is
valid.
I have entered an AppSense license, but it is for evaluation, what does this
mean?
If you are trying an AppSense product before purchasing, the product installs with an option to
automatically install an evaluation license. Evaluation licenses are limited to 21 days, during
which time you can familiarize yourself with the product.
Once the expiry date has been reached, contact AppSense to obtain a full license to continue
using the product.
I have entered an AppSense license, but it says it is not activated, why?
AppSense licenses require activation, apart from evaluation licenses, before they can be used.
Activation codes are provided by AppSense. Activate a license by entering the activation code.
For more information, see Managing Licenses.
I have tried to enter an AppSense license, but it says it is invalid, what can I
do?
Check that the license code has been typed correctly. Check it is a license code and not an
activation code that has been entered.
If you are still sure you have entered the license correctly but it is not accepted, contact
AppSense support.
131
This appendix provides details on how to set up replication and includes the following:
Principles
Prerequisites
Initial Steps
Post Setup Steps

The setup of Replication requires an experienced SQL Server Administrator.
This Appendix is aimed at guiding an experienced administrator through a quick setup only.
Principles
Environment Manager Personalization Server replication requires one database to be the
master, and the other databases to be subscribers, in replication terms. If the systems are a mix
of SQL Server 2000 and SQL Server 2005 systems, the master must be a SQL2005 system.
SQL Server 2008, SQL Express and MSDE databases are not supported.
It is important to realize that when a subscriber system is first added, all the existing data is
deleted and replaced with data from the master. After replication is set up, data can be
created on the subscriber and merged with the master regularly.
Prerequisites
The setup files required can be found, for a default installation on Drive C:, in the folder
C:\Program Files\AppSense\Environment Manager\Personalization Server\Replication
on any personalization server. This folder should be copied to the master SQL Server database
machine, if it is not a personalization server itself.
132
G PERSONALIZATION DATABASE REPLICATION

Initial Steps
Initial Steps
1. Ensure that all SQL Server 2005 databases are set for remote access. This is done with the
SQL Server 2005 Surface Area Configuration Tool.
Remote Access is not the default.
2. Ensure that Personalization Server databases have been created on all servers, by installing
Personalization Servers connecting to the databases.
3. Ensure that any firewall software allows remote access to SQL Server. This affects Windows
Server 2008 systems, where the firewall is enabled by default.
For further information on Microsoft Server 2008 systems refer to the Microsoft Help.
4. The master database requires that the replication folder is shared, as the scripts
ConfigAC.sql, ConfigDC.sql, DataDC.sql and DataAC.sql are accessed through this share.
Ensure the share is set up before starting the setup process. The setup file will ask for the
UNC path of the share. For example \\Server1\Replication.
5. The SQL Agent service on the master must be running under an account that has sysadmin
database access to all servers via Windows Authentication, this is not the default. This can
be changed with the Services applet in Administrative Tools.
6. To run the setup procedure you must be logged in to an account that has sysadmin
database access to all servers via Windows Authentication.

The two command files used are:
"SetMasterUp.cmd - Run to set up the master and the first subscriber.
"AddSubscriber.cmd - Run to add an additional subscriber. Do not run until
SetMasterUp.cmd has been run.
These files can be found in either the SQL2000 or SQL2005 subfolders of the Replication folder,
and are always run on the master database machine. Select the correct subfolder for your
master and run the files either by opening a command prompt and entering the name of the file
when in the current directory, or simply double-clicking on the files from Windows Explorer.
SetMasterUp prompts for the following information:
"Server instance name and personalization database name of the master database
"Path for the snapshot folder - This is a scratch folder used by replication. The command file
should offer a standard default which is OK to accept.
"UNC Path for the drop/add constraint scripts. This is the share from step 4 in the Initial Steps..
The command file then sets up the master and for convenience automatically runs
AddSubscriber.cmd.
133
G PERSONALIZATION DATABASE REPLICATION

Post Setup Steps
This prompts for the following information:

"Server name, Server database instance name and personalization database name of the slave
to be added
To add further subscribers, use AddSubscriber.cmd on the master. When run in this way, it
asks for the instance name and database name for the master database as well as the subscriber
details.
Post Setup Steps

After setup Synchronize Site Databases on the Tools ribbon page > Replication group in the
Environment Manager console, will not work unless the normal logon used by the
Personalization Server is given appropriate privileges in the database. Synchronize Site
Databases causes replication of user data to occur immediately, normally it is replicated at
midnight. The setup procedure intentionally does not set this up because of the possible
security implications.
To Synchronize Site Databases to work you have to identify the login used by the
Personalization Server, which will have been set up by the Server Configuration Utility at time of
installation, and change it using Management Studio/Enterprise Manager as follows:
SQL 2005: The login needs to be added to the SQLAgentOperatorRole in the msdb database.
SQL 2000: The login needs to be added to the sysadmin server role.
134
This section provides details on how to allow Environment Manager to work with Streamed
Applications and includes the following:
Citrix XenApp
Citrix XenApp
To set up Citrix XenApp to work with Environment Manager functionality you need to specify
certain exclusions, as follows:
1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties.
The Target Properties screen displays.
5. Select Rules.
The Rules work area displays on the right hand side.
6. Click Add in the Rules work area.
The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Named Objects and click Next.
The New Rule Select Objects dialog box displays.
9. Select All Named Objects and click Next.
The New Rule Name Rule dialog box displays.
10. Enter a name for the rule or accept the default and click Finish.
11. Click OK.
The Target Properties screen re-displays and the Ignore all named objects rule is now
listed in the work area on the right hand side.
135
H STREAMED APPLICATIONS
12. Save the Profile.

13. Repeat for each Application Profile as required.
If using Environment Manager User Personalization you need to complete the following task in
addition:
1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties.
The Target Properties screen displays.
5. Select Rules.
The Rules work area displays on the right hand side.
6. Click Add in the Rules work area.
The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Files and Folders and click Next.
The Select Objects dialog box displays.
9. Click Add.
The Choose Path dialog box displays.
10. In Path enter C:\AppSenseVirtual and click OK.
The New Rule Name Rule dialog box re-displays.
11. Click Next.
12. Enter a name for the rule or accept the default and click Finish.
13. Click OK to apply the rule.
14. Save the Profile.
15. Repeat for each Application Profile as required.

If using Environment Manager User Personalization and Microsoft SoftGrid or App-V you need
to setup the following exclusions:
1. Navigate to Microsoft Application Virtualization Sequencer.
2. Open the required Application Package.
3. Select Tools > Options.
The Options dialog box displays.
136
H STREAMED APPLICATIONS
4. Select the Exclusion Items tab.

5. Click New.
The Exclusion Item dialog box displays.
6. In the Exclude Path enter C:\AppSenseVirtual.
7. Select the Mapping Type VFS.
8. Click OK.
9. The main package screen is re-displayed, click OK.
10. Save the Package.
11. Repeat for each Application Package as required.
137
G L O S S A R Y
ADM
ADMX
Agent
Blacklist
CCA
Client Communications Agent
Configuration
Configuration File
Console
Deploy
Deployment
Desktop Settings
Discovered Managed
Discovered Unmanaged
Fixed
Instance
Lockdown
Management Server
Personalization Server Configuration Utility
PVC
Regular Expression
Reusable Condition
138
GLOSSARY ADM
Blacklist
Reusable Node
Self Healing
Site
Trigger
Whitelist
Whitelisted Application
Wildcards
ADM
ADM files are template files that are used by Group Policies to describe where registry based
policy settings are stored in the registry.
ADMX
ADM files are template files that are used by Group Policies to describe where registry based
policy settings are stored in the registry for Microsoft Windows Vista and Server 2008.
Agent
An executable component of the AppSense software which takes actions according to
AppSense product configuration settings. For example, the Environment Manager agent is
software that runs as a Windows service to carry out tasks on a computer, as specified by the
configuration deployed to that computer.
Blacklist
Applications which are excluded from User Personalization management.
CCA
Client Communications Agent. See Client Communications Agent.
Client Communications Agent
Installed on computers operating in centralized management mode to provide a link between
the product agent running on a managed computer and the AppSense Management Center.
The CCA sends event data generated by the product agents to the Management Server and
also polls the Management Server and manages the download and installation for software
configuration, agent and package updates.
The CCA can be downloaded and installed directly on managed machines from the
Management Server website.
Configuration
A collection of settings created in the Environment Manager console that details how Triggers,
Actions, Conditions, Lockdown and Self Healing should be controlled on a computer to which
the configuration is deployed. In the Environment Manager console, a tree of component
139
GLOSSARY CONSOLE
Instance
settings is used to graphically represent the configuration while it is created and modified by the
Administrator. A configuration file may then be saved from the console for deployment or for
editing at a later time.
Configuration File
An Environment Manager configuration saved from the Console in .aemp file format. The file
can be installed on any computer and the configuration rules applied when Environment
Manager Agent is running as a Service on a computer.
Generates reports detailing the current settings in the Configuration. Filtering options allow you
to query settings affecting specific users or groups, devices and files or folders.
Console
AppSense management software interface.
Deploy
To deliver a configuration file or installation package for an AppSense agent to one or more
computers (this may include the local machine).
Deployment
Deploying a configuration or software installation using the AppSense Management Center.
Desktop Settings
User Personalization session specific settings which include; Accessibility, Appearance,
Keyboard, Mouse, Language, Screensaver, Cursors and Certificates.
Discovered Managed
A discovered managed application is an application that is not explicitly configured (in either a
Whitelist or Blacklist) but is managed and data collected when Discover All Processes and
Manage All Processes is enabled in Personalization Group > Settings > Processes.
Discovered Unmanaged
A discovered unmanaged application is an application that is discovered and listed as an
application that has been run. However, it is an application that is not explicitly configured in
either a Whitelist or Blacklist and is not managed, therefore no data is collected. A discovered
unmanaged application is recorded when Discover All Processes is enabled and Manage All
Processes disabled in the Personalization Group > Settings > Processes.
Fixed
A fixed node is one that cannot be deleted or edited.
Instance
Any process that has been launched to create a running application. There may be more than
one instance of an application at any particular time.
140
GLOSSARY LOCKDOWN
Reusable Node
Lockdown
Mechanism to restrict or disable access to specific application and operating system
functionality, keyboard shortcuts, MS Office application menus and toolbars. Conditions can be
applied to lockdown actions to offer comprehensive lockdown in varied scenarios.
Management Server
The machine on which product configurations and configuration versions are stored, from
which configurations can be deployed to machines designated by the Administrator.
Enables administrators to monitor which applications are being controlled by Environment
Manager including how much data is being stored, convert discovered applications to Whitelists
and to rollback to Personalization restore points.
Acts as a broker between the client and database, providing a secure channel to read and write
the Personalization data.
Personalization Server Configuration Utility
A dual purpose tool, first time it is run it configures the Personalization Server website and
creates the database with the correct accounts. Subsequent runs check the configuration is
correct and reports any variances.
Enables the administrator to configure both default and enforced corporate policies that can be
applied to either the computer or user under a number of different scenarios.
PVC
Personalization Virtualization Component is responsible for redirecting reads and writes of
profile data from within a managed application.
Regular Expression
Often called a pattern, is an expression that describes or matches a set of strings, they are
usually used to give a concise description of a set without having to list all elements and are
used to search and manipulate bodies of text based on certain patterns.
Reusable Condition
Conditions that can be used multiple times within a configuration, ideal for grouping common
sets of conditions together that will regularly need to be run in a variety of circumstances.
Reusable Node
Nodes that can be used multiple times within a configuration, ideal for grouping common sets
of actions together that will regularly need to run in a variety of circumstances.
141
GLOSSARY
SELF HEALING
Wildcards
Self Healing
Mechanism to automatically restore environment items, including files, processed, services or
registry keys. Conditions can be applied to Computer or User self heal actions.
Site
A logical grouping of Clients and Personalization Servers communicating with a database.
Trigger
Preset User and Computer events that trigger actions and conditions.
Provides ability to capture the changes that users make to their applications on a per application
basis and also desktop settings on a per session basis and restore the settings when required.
Whitelist
Applications which are included in the User Personalization management.
Whitelisted Application
Application is in the Whitelist in the Users Personalization Group.
Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the
Environment Manager Console. The asterisk represents one or more characters, excluding the
back slash (\) character, whilst the question mark wildcard represents one character, excluding
the forward slash (/) character. Both of the wildcard characters can be used in any part of a file
path, including the drive letter for local paths.
For example c:\sample path\test?\*.exe, matches all files with the .exe extension that existed in
the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn, etc. But since the
question mark can only replace one character, it does not match c:\sample path\test100
142

AppSense Environment Manager Administration Guide

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

AppSense Environment Manager Administration Guide

Hochgeladen von

Copyright:

Verfügbare Formate

Environment Manager

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

About this Document

Terms and Conventions

About Environment Manager

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

Quick Setup Wizard

File and Folder

Drives and Printers

Custom and Execute

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

Session & Client

About User Personalization

Personalization Node Management

Whitelist Application Usage

Discovered Application Usage

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

Triggers and Actions

Quick Setup Wizard Default Settings

Find and Replace

About License Manager

Personalization Database Replication

Performing the Setup

Post Setup Steps

Microsoft SoftGrid 4.2 and Microsoft App-V 4.5

This section includes the following:

About this Document

Terms and Conventions

About this Document

Terms and Conventions

Used for scripting samples and code strings.

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

Document Conventions (continued)

Indicates the path of a menu option. For example,

Caution/Warning Provides critical information relating to specific tasks or

Further Information Provides links to further information which include more

About Environment Manager

This section provides the following:

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

ABOUT ENVIRONMENT MANAGER

Environment Manager is made up of the following:

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

ABOUT ENVIRONMENT MANAGER

Default Settings - Policy Configuration

Virtual Settings - User Personalization

Enforced Settings - Policy Configuration

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

ABOUT ENVIRONMENT MANAGER

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

ABOUT ENVIRONMENT MANAGER

Environment Manager Console

Environment Manager Agent (includes Personalization Virtualization Component)

Virtual Personalization Cache

Provide a flexible and robust solution to roaming profile issues.

Reduce administrative overhead associated with managing user profiles by automating

Remove the potential for profile corruption.

Reduce logon times dramatically by streaming and synchronizing application

Manage personalization settings across distributed server silos.

Simple migration from existing profiles.

Malicious or accidental user environment changes can be automatically self healed.

Minimize support costs and maximizes user productivity.

Apply user policy dynamically in any desktop delivery mechanism.

ENVIRONMENT MANAGER ADMINISTRATION GUIDE

ABOUT ENVIRONMENT MANAGER