Administration Guide
Notice
The information contained in this document ("the Material") is believed to be
accurate at the time of printing, but no representation or warranty is given (express
or implied) as to its accuracy, completeness or correctness. AppSense Limited, its
associated companies and the publisher accept no liability whatsoever for any
direct, indirect or consequential loss or damage arising in any way from any use of
or reliance placed on this Material for any purpose.
Copyright in the whole and every part of this manual belongs to AppSense Limited
("the Owner") and may not be used, sold, transferred, copied or reproduced in whole
or in part in any manner or form or in or on any media to any person other than in
accordance with the terms of the Owner's Agreement or otherwise without the prior
written consent of the Owner.
Trademarks
AppSense and the AppSense logo are registered trademarks of AppSense Holdings
Ltd. Microsoft, Windows and SQL Server are trademarks or registered trademarks
of Microsoft Corporation. Fluent is a trademark of Microsoft Corporation and the
Fluent user interface is licensed from Microsoft Corporation. Other brand or product
names are trademarks or registered trademarks of their respective holders.
Contents
Welcome
  Feedback
Chapter 1 Product Overview
  Architecture
  Policy Configuration
  User Personalization
  Components
  Key Benefits
  The Console
  Feature Summary
Chapter 2 Configurations
  Configurations
  Save a Configuration
  Tasks
Chapter 3 Best Practices
Chapter 4 Node Management
  Node Structure
  Library
  Computer
  User
  Edit Nodes
  Arrange Nodes
  Tasks
Chapter 5 Action Management
  Actions
  Registry
  ODBC
  App-V Wizard
  Group Policy
  Environment Variables
  Shortcut
  Run Node
  Heal Actions
  Tasks
  Troubleshooting
Chapter 6 Condition Management
  Conditions
  Directory Membership
  User
  Computer
  Custom
  Run Conditions
  Tasks
Chapter 7 Lockdown Management
  Lockdown
  General Wizard
  Keyboard Wizard
  Office Wizard
  Message Libraries
Chapter 8 User Personalization
  Personalization Applications
  Personalization Groups
  Sites
  Personalization Analysis
  Size
  Archives
  Rollback
  Authorized Users
  Troubleshooting
Chapter 9 Auditing
  Audit
  Local Events
Chapter 10 Configuration Profiler
  Report Type
  Report Criteria
  Report Output
Appendixes
Appendix A System Requirements
Appendix B
Appendix C
Appendix D
Appendix E Wildcards
Appendix F Licensing
  Managing Licenses
  Troubleshooting
Appendix G
  Principles
  Prerequisites
  Initial Steps
Appendix H Streamed Applications
  Citrix XenApp
Glossary
Welcome
Publication number: APEM80-04-130209-2
Document Conventions
Table 3.1
Convention - Use
Bold - Highlights items you can select in Windows and the product interface, including nodes, menu items, dialog boxes and features.
Code
Italic - Highlights values you can enter in console text boxes and titles for other guides and Helps in the documentation set.
>
Feedback
The AppSense Documentation team aim to provide accurate and high quality documentation to
assist you in the installation, configuration and ongoing operation of AppSense products.
We are constantly striving to improve the documentation content and value any contribution
you wish to make based on your experiences with AppSense products.
Please send any comments to the following email address:
documentation.feedback@appsense.com
Thanks in advance,
The AppSense Documentation team
Product Overview
Architecture
Key Benefits
The Console
Feature Summary
Product Overview
AppSense Environment Manager enables you to control and manage all levels of user access to
the physical and virtual desktop and server environment of your organization and includes easy
to configure User Personalization and Policy Configuration.
Environment Manager provides a more efficient alternative to roaming profiles, reducing the
potential for profile corruption and providing users with a consistent and seamless working
experience.
Through a combination of company policy and user personalization, administrators are able to
deliver optimal user environments regardless of how the environment is delivered to the user.
Environment Manager provides one profile management solution across Citrix, Microsoft
Terminal Server, Virtual Desktop and physical desktop environments.
Policy Configuration - controls what users can do so as to match what they need to do.
User Personalization - delivers user personalization into physical and virtual desktops.
Architecture
The AppSense Environment Manager system consists of the AppSense Environment Manager
console, Environment Manager Agent, Personalization Server and database.
The console is an administrative tool to create and manage configurations. The Agent resides
on the controlled computers and can receive configurations from the AppSense Management
Center or third party deployment system to manage the machine and user environment. The
console also provides a live connection to the Personalization database.
The Personalization Server runs as a website, using IIS on either Windows Server 2003 or
Windows Server 2008. Client machines (Tier 1) connect through HTTP(s) handlers, and the
console uses WCF Services.
The Personalization Server acts as a broker between the client and database, providing a secure
channel to read and write the Personalization data. It is designed to support 1000s of users
simultaneously and multiple Personalization Servers can be configured in parallel to use a single
database.
Environment Manager can operate either in Standalone or Enterprise modes. In Standalone
mode, the console saves its settings directly to the local system. In Enterprise mode, different
configurations can be deployed to the controlled computers depending on your system
requirements. This guide describes the use of AppSense Environment Manager in Standalone
Mode. For details on centralized management mode please refer to the AppSense Management
Center Administrator Guide.
Policy Configuration
User Personalization
Policy Configuration and User Personalization work together to provide complementary control
of the entire user environment. Inevitably there are some areas of overlap. The profile settings
are applied in the following stages:
Policy Configuration
Policy Configuration enables the administrator to configure both default and enforced
corporate policies that can be applied to either the computer or user under a number of
different scenarios.
User Personalization
A three-tier architecture is utilized consisting of the following basic components:
Tier 1 - Environment Manager Agent
Installed on each managed endpoint, responsible for ensuring user personalization data is saved
and restored on demand and also ensures policy configuration settings are applied when
required.
Tier 2 - Personalization Server
An IIS web server responsible for synchronizing user personalization settings between the SQL
database and the Environment Manager Agent when the user logs on or off or when an
application is started or stopped.
Tier 3 - SQL Database
Holds information related to personalization sites and servers, users and groups, applications,
endpoint configuration data and user personalization data.
How it works
When a user logs on to a managed endpoint, the Environment Manager Agent contacts the
Personalization Server with details of the user logging on. The Personalization Server passes this
information to the SQL database, which in turn, retrieves the configuration for the user and
returns it to the Personalization Server. The Personalization Server then passes back the relevant
configuration to the managed endpoint.
When a user launches an application on the endpoint, a component of the Environment
Manager Agent called the Personalization Virtualization Component (PVC) is injected into the
running process. The PVC verifies if the application in question is under the management of
Environment Manager.
The PVC contacts the Personalization Server to request that a personalization cache on the
endpoint is updated with the latest personalization settings from the SQL database and streams
these settings down to the endpoint.
Whilst the application is running and the user continues to change personalization settings
within it, these changes are virtualized and are written to the personalization cache on the
endpoint, rather than into the physical registry or file system. This ensures the user has access to
a local copy of the personalization settings, whilst abstracting the user's personality from the
physical operating system.
When the application is closed, the PVC notifies the Personalization Server that the application
is closing and provides a copy of the modified personalization settings which are stored in the
SQL database.
This means the user now also has a centralized copy of their latest personalization settings. If
the user has two or more open concurrent sessions, personalization settings can now be
streamed to each of their concurrent sessions for that application, on demand, when the
application is launched. This ensures consistent application and environment settings across
open, concurrent sessions without the user having to log off or back on again.
When the user does log off, any open applications are closed and the process as described
above takes place. Session specific settings are also synchronized back to the SQL database at
this point and by default, the local personalization cache on the endpoint is purged.
Components
Client Computer
Personalization Server
SQL Database
Key Benefits
The key benefits of using AppSense Environment Manager are as follows:
Enable consistent quality of service to the user regardless of the environment delivery
mechanism.
Ensure users remain compliant with policy regardless of how they receive their working
environment.
Quickly implement business policies which can be shared and utilized across operating
system boundaries and different application delivery mechanisms by use of triggers, actions
and conditions.
Introduce pre-built corporate policy best practice with AppSense Policy Templates.
The Console
The Environment Manager Console launches when the link is selected in the Start > All
Programs > AppSense menu.
Application Menu
The Application Menu provides options for managing configurations including create new,
open existing, save, import and export configurations and print.
The Preferences option allows you to modify the console skin and set basic behavior settings,
including Show splash screen.
Option - Description
New
Open
Save
Save As - Saves the configuration with a new name to one of the following locations:
Live configuration on this computer
Configuration in the Management Center
Configuration file on a local or network drive: AppSense Environment Manager Package Files format (aemp).
Note: A live configuration is located on a computer which has Environment Manager Agent installed and running.
Warning: If using Microsoft Vista or Windows Server 2008 operating systems with UAC enabled, you must ensure that you open the console with Administrator privileges.
Exit
Imports a configuration from MSI format, usually legacy configurations which have been exported and saved from legacy consoles.
Exports a configuration to MSI format.
Button - Description
Save - Save changes to the configuration. The configuration will remain locked if opened from the AppSense Management Center.
Save and Unlock - Save changes and unlock the configuration. These changes can now be deployed from the Management Center.
Undo - Clear the action history. Up to 20 previous actions are listed. Select the point at which you want to clear the actions. The action selected and all proceeding actions are undone.
Redo - Re-apply the cleared action history. Up to 20 cleared actions are listed. Select the point at which you want to redo the actions. The action selected and all subsequent actions are redone.
Back - Navigate back through the views visited in this session.
Forward - Navigate forward through the views visited in this session.
Ribbon Pages
Ribbon Pages include buttons for performing common actions arranged in ribbon groups
according to the area of the Console to which the actions relate. For example, the Home ribbon
page includes all common tasks, such as Cut, Paste and Copy, Help, AppSense website and
Support links.
Split ribbon buttons contain multiple options and are indicated by an arrow just below the
button. Click the arrow to display and select the list of options, or simply click the button for the
default action.
Help
The Home ribbon page includes a Help button which launches the Help for the product and
displays the topic relating to the current area of the console in view. A smaller icon for
launching the Help displays at the far right of the console, level with the ribbon page tabs, for
convenience when the Home ribbon page is not in view. You can also press F1 to launch the
Help topic for the current view.
Navigation Pane
The Navigation Pane consists of the navigation tree and navigation buttons. The navigation
tree is the area for managing nodes of the configuration. The navigation buttons allow you to
view the different areas of the console.
Work Area
The Work Area provides the main area for managing the settings of the configuration and
product. The contents of the work area vary according to the selected nodes in the navigation
tree and the selected navigation buttons. Sometimes the work area is split into two panes. For
example, one pane can provide a summary of the settings in the other pane.
Additional Console Features
Shortcut Menu - right-click shortcuts are available in the navigation tree and some areas
of the Console.
Drag and Drop - this feature is available in some nodes of the navigation tree.
Cut/Copy/Paste - these actions can be performed using the buttons in the Home ribbon
page, shortcut menu options and also using keyboard shortcuts.
Feature Summary
This section provides a summary of Environment Manager features.
User Personalization
Personalization Analysis
Generate tabular and graphical reports based on personalization settings across a group, an
individual user or an application, identify resource bottlenecks and streamline
personalization settings to improve end user performance.
Personalization Rollback
Instigate personalization restore points so that personalization settings can be restored, on
a per user or application basis, in the event of data loss or desired state machines.
Offline Mode
Ensure mobile users have access to the latest version of their personalization settings whilst
working offline and ensure their settings are synchronized across open concurrent sessions
when back online.
Migration Mode
Seamlessly migrate existing local or roaming user profiles or upgrade older versions of
Environment Manager to use the application personalization streaming solution.
Self Healing
Ensures critical files, registry settings, processes and services remain unaltered using the Self
Healing mechanism.
Self healing actions ensure that computer and user settings are restored to their original state in
the event of software failure or unauthorized changes.
Self Healing actions can be applied to processes, services, files and the registry.
Self Healing can be used to ensure critical applications, such as security software, are restarted
or repaired immediately following any failure resulting from malicious or accidental actions and
provides security against the threat of Trojans, worms or spyware attempting to infiltrate and
alter registry settings or modify content.
The self healing mechanism restores settings in real-time.
For example, if a Trojan virus is added to any of the Windows start up keys, Self Healing
immediately removes the threat.
Currently only 32-bit and 64-bit applications are fully supported by the self healing process
mechanism. It is not recommended to self heal DOS or 16-bit applications using this method.
Attempting to self heal a DOS or 16-bit application process may present multiple instances of
the same application in a short period of time.
Configurations
This section provides details on Environment Manager configurations, and includes the
following:
Configurations
Save a Configuration
Tasks
Configurations
A configuration is a collection of control settings which contain functionality and settings for
management of your system. The configuration is made up of 2 main nodes, trigger nodes and
sub nodes. Configuration files can be saved from the console and exported/imported to other
computers which have the Environment Manager Agent running as a Service.
You can use the Find and Replace facility to help manage your configurations, for example, if
you need to change the name of a server located within your configuration or the IP address
of a machine. For further details see the Appendix Find and Replace.
Save a Configuration
When changes are made to a configuration you have the following options:
Save - This is the default Save action and is the same as Save on the Quick Access Toolbar
Save and continue editing - Save the configuration to the Management Center and
keep the configuration locked and open for editing.
Save and Unlock this configuration - Save the current configuration in the
Management Center and unlock to allow other users to edit the configuration.
Unlock without saving - Unlock the current configuration in the Management Center
without saving changes.
Save As
Create this configuration in the package store on the selected Management Center.
Tasks
This section includes the following useful tasks:
CREATE A CONFIGURATION
1. Launch the Environment Manager console from Start > Programs > AppSense >
Environment Manager.
AppSense Environment Manager console displays.
2. Click the Application Menu button.
3. Click New.
A new configuration displays.
You must Save a new configuration before any settings are implemented.
IMPORT A CONFIGURATION
EXPORT A CONFIGURATION
Best Practices
This section outlines the key points for consideration when setting up your Environment
Manager configuration, and includes:
Configure generic Action settings on a computer that is used by multiple users to ensure that
common settings are applied to the computer for all users.
For example, map common drives or printers by default for all users in the Computer > Startup
node.
Simplify the configuration with actions that apply to groups of users rather than individual
users, where appropriate. This reduces the complexity of the configuration and ensures the XML
run-time engine can execute the configuration faster, improving user log on times.
Create large configurations by grouping similar action types, such as actions which lock down
applications, under a single node or as few sub nodes as possible.
Grouping similar action types under a single node creates configurations which are less
complex to navigate and actions can be ordered in execution sequence, as required.
For more information, see Execute Actions in Sequence.
Multiple actions grouped together under a single node may need to execute in a certain order.
For example, a sub node under the User > Logon node creates a folder, copies some files into
the folder and sets attributes for those files. The folder must exist before the files are copied into
it and the files must be present in the folder before the attributes can be set.
Order the actions in the Actions panel by clicking Move left, Move right, Move up or Move
down in the Arrange ribbon group or by dragging them up or down the list. Once actions are
correctly ordered, the actions execute in order from the top down.
When related actions are not grouped together in the same node, it may be necessary to ensure
the actions in one node are executed before the actions in another can take place.
A node can be dependent on any other parent node.
Configure complex environments which span multiple operating system versions using
environment variables.
For example, you may wish to launch an application from the system root drive of a computer.
Under Windows 2000, the system root drive is C:\WINNT but under Windows XP it is
C:\WINDOWS.
By utilizing an environment variable, such as %systemroot%\app.exe, the application can
execute independent of the operating system on which it is hosted as the variable is expanded
at runtime by the Environment Manager Agent on the specific machine.
Environment variables can also be used for configuring system drive letters, user-based rules
and managing profiles.
Configure warning messages when locking down applications so that users are aware that they
have been prevented from accessing the relevant application component or device.
Failure to configure a message may cause increased numbers of help desk calls and reduce user
satisfaction.
When configuring Self Healing actions, it is recommended that only small files are configured to
be self healed.
Targeting only small files reduces the resource load on the Environment Manager Agent during
run-time.
Otherwise, self healing large files can raise the following issues:
Resource load is significantly increased as the Environment Manager Agent creates backup
copies of the files.
Resource load is significantly increased as the Environment Manager Agent heals a large
file.
Stability issues may arise if administratively installed patches and software are added to the
system, as the Environment Manager agent automatically self heals these changes and
removes them from the registry.
When configuring Self Healing Registry actions, it is recommended that only relevant sections of
the registry are configured to be self healed.
Targeting only specific portions of the registry reduces the resource load on the Environment
Manager Agent during run-time.
Otherwise, self healing the whole registry can raise the following issues:
Resource load is increased as the Environment Manager Agent continually checks the whole
registry structure for changes.
Stability issues may arise if administratively installed patches and software are added to the
system, as the Environment Manager agent automatically self heals these changes and
removes them from the registry.
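The scoping advice above, modeled as an added example (it is not AppSense code and not part of the original guide): a baseline-versus-current comparison that plans heal actions only inside the configured registry scope. The snapshot format, the key and value names, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
VERSION_VALUE = r"HKLM\Software\ExampleApp\Version"
RUNONCE_VALUE = RUN_KEY + r"Once\Cleanup"   # ...\RunOnce\Cleanup, a sibling of Run

# Constructed sample snapshots: "key path\value name" -> value data.
BASELINE: Dict[str, str] = {
    RUN_KEY + r"\AvTray": r"C:\Program Files\ExampleAV\tray.exe",
    VERSION_VALUE: "1.0",
    r"HKLM\Software\ExampleApp\InstallDir": r"C:\Program Files\ExampleApp",
}
CURRENT: Dict[str, str] = {
    # The AvTray autostart value is missing (tampering with security software).
    RUN_KEY + r"\Updater": r"C:\Users\Public\upd.exe",   # unauthorized autostart entry
    RUNONCE_VALUE: r"C:\Windows\Temp\clean.cmd",         # entry written by an installer
    VERSION_VALUE: "1.1",                                # administrator-installed patch
    r"HKLM\Software\ExampleApp\InstallDir": r"C:\Program Files\ExampleApp",
}
# Changes the administrator made on purpose (assumed change record).
APPROVED = {VERSION_VALUE, RUNONCE_VALUE}


@dataclass(frozen=True)
class HealAction:
    op: str               # "restore" or "delete"
    path: str
    data: Optional[str]   # baseline data for "restore", None for "delete"


def in_scope(path: str, scopes: Iterable[str]) -> bool:
    """Case-insensitive match on a key boundary, so Run does not cover RunOnce."""
    p = path.lower()
    for scope in scopes:
        s = scope.lower().rstrip("\\")
        if p == s or p.startswith(s + "\\"):
            return True
    return False


def watched(baseline: Dict[str, str], current: Dict[str, str],
            scopes: Iterable[str]) -> List[str]:
    """Every value the healer must compare; its size is a proxy for agent load."""
    scopes = list(scopes)
    return sorted({p for p in (*baseline, *current) if in_scope(p, scopes)},
                  key=str.lower)


def plan_heal(baseline: Dict[str, str], current: Dict[str, str],
              scopes: Iterable[str]) -> List[HealAction]:
    """Restore changed or missing baseline values; delete values not in the baseline."""
    actions = []
    for path in watched(baseline, current, scopes):
        want, have = baseline.get(path), current.get(path)
        if want is None:
            actions.append(HealAction("delete", path, None))
        elif have != want:
            actions.append(HealAction("restore", path, want))
    return actions


def apply_plan(current: Dict[str, str], actions: Iterable[HealAction]) -> Dict[str, str]:
    """Return the healed snapshot without modifying the input."""
    healed = dict(current)
    for action in actions:
        if action.op == "delete":
            healed.pop(action.path, None)
        else:
            healed[action.path] = action.data
    return healed


def reverted_changes(baseline: Dict[str, str], current: Dict[str, str],
                     scopes: Iterable[str], approved: Iterable[str]) -> List[str]:
    """Approved changes (patches, installs) that healing this scope would undo."""
    approved = set(approved)
    return [a.path for a in plan_heal(baseline, current, scopes) if a.path in approved]


if __name__ == "__main__":
    for label, scopes in (("Run key only", [RUN_KEY]), ("all of HKLM\\Software", [r"HKLM\Software"])):
        print(label, "- values watched:", len(watched(BASELINE, CURRENT, scopes)))
        for action in plan_heal(BASELINE, CURRENT, scopes):
            print("  ", action.op, action.path)
        print("   approved changes undone:", reverted_changes(BASELINE, CURRENT, scopes, APPROVED))
```

With the scope limited to the Run key, the plan restores the missing security-software entry and removes the unauthorized one while leaving the patch alone; widening the scope to all of HKLM\Software more than doubles the values watched and rolls back both approved changes.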
Currently only 32-bit or 64-bit applications are fully supported by the self healing mechanism. It
is not recommended to self heal DOS or 16-bit applications.
Attempting to self heal a DOS or 16-bit application may present multiple instances of the same
application in a short period of time.
When configuring Self healing actions using Environment Manager, it is recommended that
only critical application and operating system components are self healed.
Self healing should only be used for important processes, files, services and registry keys that are
critical to the day-to-day running of the system.
Non-critical items, such as user introduced shortcuts, non-corporate software and low key
services should not require self healing.
Currently only 32-bit and 64-bit applications are fully supported by the Lockdown mechanism. It
is not recommended to lockdown DOS or 16-bit applications.
Environment Manager can record important security and management events in industry
standard formats such as the system event log, e-mail and SNMP through the Management
Center.
Although Environment Manager deters the majority of users, effective auditing pinpoints those
users who continually attempt to bypass system security. In particular, any attempts by users to
plant Trojans or worms, or terminate installed security software, need to be identified.
USE SITES
To share personalization settings between related applications e.g. MS Word & MS Excel.
To aid in the construction of configurations over time make use of AppSense Policy Templates
which allow you to save and restore specific areas of a configuration.
To create well known actions, use the Quick Setup Wizard which contains a number of
recommended industry standard actions.
BLACKLIST APPLICATION
Ensure that any processes which are not required to be managed and are not in the Default
Blacklist are added to the Personalization Group Blacklist.
WHITELIST APPLICATION
It is possible to configure Offline mode on a per Personalization Group basis. Enabling this
option ensures that at user logoff the local personalization cache is persisted on the endpoint. It
is recommended that this option only be applied to mobile devices to ensure disk space on the
endpoint device is not unnecessarily consumed.
To ensure user data is available between different or concurrent sessions, redirect well known
folders to a central location such as My Documents on the user's home drive.
When using AppSense Environment Manager with streamed applications, for example, Citrix
XenApp, ensure the relevant exclusions are set up. For details refer to the Streamed Applications
appendix.
Node Management
This section provides details on the Policy Configuration nodes, and includes the following:
Node Structure
Edit Nodes
Arrange Nodes
Tasks
Node Structure
The Policy Configuration navigation tree consists of the following 3 main Fixed nodes:
Library
Computer
User
Library
The Library node contains 2 fixed nodes; Reusable Nodes and Reusable Conditions. These
are nodes and conditions that can be used multiple times within your configuration. They are
ideal for grouping common sets of actions together that will regularly need to run in a variety of
circumstances.
Reusable Nodes are highlighted in blue and Reusable Conditions are highlighted in orange.
When creating a Registry, File & Folder or Group Policy action for a Reusable Node, a
Personalization (UEM) tab is available on the action dialog box. Use the checkbox Allow
Personalization Override on the Personalization (UEM) tab to control the interaction of
Policy settings with User Personalization settings. Select the checkbox to apply Policy settings
after, and therefore override, User Personalization settings.
When nodes or conditions are reused you can only assign them to the triggers that allow that
action or condition. For a full list of permissions see the Triggers and Actions Appendix.
Select the Clone ribbon button and select Copy to Reusable Conditions.
Right-click to display the context menu and click Copy to Reusable Conditions.
When you have reusable nodes and conditions in the Library you can use them throughout the
configuration.
Reusable Nodes and Conditions Rules
If the Reusable Node or Reusable Condition in the Library node is enabled, the referenced
node state can be toggled independently of the Reusable Node/Condition in the Library
node.
If the Reusable Node or Reusable Condition in the Library node is disabled, the referenced
node cannot be enabled.
Amendments to the Reusable Node or Condition can only be made from within the Library
and not from within any other node where it is referenced.
Any amendments made to the node or condition in the Library will take effect in every re-used
instance.
For information on import and export rules for Reusable Nodes and Conditions refer to
Import and Export Rules.
Computer
The Computer node contains triggers for a particular computer state. Create nodes under the
fixed trigger nodes to set up specific actions.
The Computer fixed trigger nodes are as follows:
Startup
Shutdown
Process Started
Process Stopped
In order for Shutdown Actions to take effect you must shut down and restart for the
configuration to update and then shut down again for the Action to take effect.
Add Node
Import/Export Template
Add Node
Delete Node
Rename
Toggle State - to switch the node between an enabled and disabled state.
When you disable a parent node all child nodes are also disabled. Likewise, if you enable
a parent node all child nodes are also enabled.
Clone
Import/Export Template
Move Left, Right, Up or Down - this is dependent on the level of node in the hierarchy.
User
The User node contains Triggers for a particular user state. Create nodes under the fixed trigger
nodes to set up specific actions relevant to individual users or groups.
The User Triggers are as follows:
Logon
Logoff
In order for Logoff Actions to take effect you must Logoff and Logon so that the service
is re-started and the configuration is updated and then Logoff again for the Action to
take effect.
Process Started
When creating a Registry, File & Folder or Group Policy action for Process Started, a
Personalization (UEM) tab is available on the action dialog box. Use the checkbox
Allow Personalization Override on the Personalization (UEM) tab to control the
interaction of Policy Settings with User Personalization settings. Select the checkbox to
apply Policy settings after, and therefore override, User Personalization settings.
Process Stopped
Network Disconnected
Network Connected
Session Disconnected
Session Reconnected
Session Locked
Session Unlocked
If using Remote Desktop Protocol v6.0 use Session Disconnect for user logoff actions, not
Logoff. The reason is that the remote application procedure does not logoff, it just
disconnects.
If a Terminal Services session is Reset by the Administrator, the Logoff and Session
Disconnected trigger events will be initiated. Therefore, any action configured under these
triggers will be executed.
Add Node
Import/Export Template
Add Node
Delete Node
Rename
Toggle State - to switch the node between an enabled and disabled state.
When you disable a parent node all child nodes are also disabled. Likewise, if you enable
a parent node all child nodes are also enabled.
Clone
Import/Export Template
Move Left, Right, Up or Down - this is dependent on the level of node in the hierarchy.
Edit Nodes
The Edit options available for each node on the Navigation Tree are shown in Table 4.1.
Table 4.1
Edit options (columns): Add Node, Delete Node, Rename, Toggle State, Clone, Find & Replace, AppSense Policy Templates
Nodes (rows): Fixed Node; Library: Reusable Node, Node, Sub Node; Computer: Startup, Node, Sub Node; User: Logon, Node, Sub Node, Reference
This is useful for quick troubleshooting purposes or where complex configurations can be
tailored without deleting content.
If you export from a Reusable Node, you can only import to a Reusable Node.
If you export from a Reusable Condition, you can only import to a Reusable Condition.
If you export from Logon or any other Trigger node, you can import to any Trigger, but not
a Reusable Node.
For further information on Reusable Nodes and Conditions refer to the Library section.
Import Template
Import a partial configuration template file .xml to the current node. The Open dialog box is
displayed for you to select the location from which to import the file.
A check is done to ensure that any actions being imported are valid for the node selected.
Export Template
Export the current node settings as a partial configuration template file .xml. The Save As
dialog box is displayed for you to select the location to save the file.
Arrange Nodes
The order in which the nodes are displayed in the Navigation Tree determines the level of
dependency. For example, if all the nodes are at the same level in the hierarchy then the actions
will be executed in parallel. However, if the nodes are at different levels in the hierarchy this will
indicate a dependency on the node above and therefore actions will be executed in sequence.
To arrange the nodes you can do one of the following:
Highlight the node to move. Right-click to display the context menu, click Move, Left, Right,
Up or Down. The options available for the particular node will be highlighted in green.
Tasks
This section includes common node management tasks:
Click Copy to Reusable Nodes (with dependents) if the selected node has
dependents and you want to re-use them.
Action Management
This chapter provides details on Policy Configuration Actions and includes the following:
Actions
Heal Actions
Tasks
Troubleshooting
Actions
Policy Configuration allows the administrator to configure both default and enforced corporate
policies that can be applied to either the computer or user under a number of different
scenarios.
Computer based actions can be triggered to apply when the computer starts up or shuts down
or when a system process is started or stopped.
User based actions can be triggered to apply when the user logs on or logs off, when a user
process is started or stopped, when the network is connected or disconnected, when a session
is disconnected or reconnected or when a session is locked or unlocked.
This section covers all Actions and includes the following:
Registry
ODBC
App-V Wizard
Group Policy
Environment Variables
Shortcut
Run Node
Registry
Registry manipulation enables the administrator to set up registry keys and values on behalf of
the user for the delivered application set. Most applications require some form of default
configuration to be present in order for correct operation.
Registry Actions include the ability to create or delete registry keys and set, create, delete or set
a default value for registry keys. Additionally, it is possible to import desired state settings from
an existing machine or exported registry file or even manipulate registry settings using registry
hiving.
When creating a registry action for User > Process Started, each Registry Action dialog box
has a Personalization (UEM) tab. Use the checkbox Allow Personalization Override to
control the interaction of Policy settings with User Personalization settings. Select the checkbox
to apply Policy settings after, and therefore override, User Personalization settings.
HKEY_CLASSES_ROOT
Contains information relating to file associations and for object linking and embedding.
HKEY_CURRENT_USER
Contains the profile settings for the current user.
HKEY_LOCAL_MACHINE
Contains configuration settings for the computer itself.
HKEY_USERS
Contains all the actively loaded user profiles on the computer.
HKEY_CURRENT_CONFIG
Contains settings related to installed software and device drivers.
Whenever a user makes any changes to their personal settings, the information is stored in the
HKEY_CURRENT_USER (HKCU) hive area of the registry. Therefore, if the registry settings are
saved out when the user logs off and re-imported the next time the user logs on, the user's
personal settings are available to roam with them, even if they are using a mandatory profile.
This is achieved using the Registry Hiving action within AppSense Environment Manager.
Registry Hiving
The following are examples of how to create a User Logoff Registry Action and a User Logon
Registry Action to hive out and back in user profile settings.
1. As an administrative user, navigate to the User > Logoff node within the Environment
Manager console.
2. Select Add Node on the Nodes ribbon page > Edit group.
3. Select the new node you've just created and rename it to Export Registry Settings.
4. Click Registry on the Actions ribbon page > Actions group.
5. Select Registry Hiving.
The Registry Hiving dialog box displays.
6. Enter a Title for example, User Profile Settings.
7. Enter the Location or select the ellipsis (...) to Browse For Folder, where the settings will
be saved, preferably on a network share so that settings can be accessed from multiple
computers, for example \\<servername>\<sharename>. It is not necessary to create
separate folders for each user as Environment Manager will separate the user information
being saved using the following format:
<registry key name>_<domain>_<username>
8. Select Export the hive from the registry to file.
9. Click Add. The Registry Key dialog box displays.
10. Click the ellipsis (...) to display the Browse Registry dialog box.
11. Select the areas of the HKCU registry you want to hive out. This can be from the local
computer registry or a registry on another machine.
Repeat the Browse process for each registry key you want to hive out.
This will ensure that if the user logs on to Server A, then Server A's settings are restored. If the
user logs on to Server B then Server B's settings are restored instead.
Reference
CREATE KEY
DELETE KEY
SET VALUE
Value Name
Enter the Value, alternatively, click in the box to display the ellipsis (...) and select to display the
Browse Registry dialog box. Locate the Value you want to add.
Value Type
Click on the drop-down arrow to select the Value Type from the drop-down list.
Value
Enter the value.
DELETE VALUE
Value Type
Click on the drop-down arrow to select the Value Type from the drop-down list.
Value
Enter the default value.
REGISTRY HIVING
The Filename is the name of the registry key by default but this can be overwritten.
REGISTRY IMPORT
Import File
Displays the Open dialog box.
Navigate and select the required registry files (.reg) to import.
Browse...
Displays the Browse Registry dialog box.
Select to import Computer registry keys from HKEY_LOCAL_MACHINE or User registry keys
from HKEY_CURRENT_USER. Alternatively, select My Computer or Connect to display registry
keys for an alternative computer.
Restart
Click to remove all registry keys currently listed.
A confirmation message displays. Click Yes to confirm.
Delete
Select to create a Delete Registry Key.
The shortcut menu allows you to add the following:
Main Key
Key
String Value
Binary Value
Multi-String Value
File
Copy
Delete
Move
Rename
Modify File Attributes - Select files to modify the read-only, hidden, system, archive and
temporary attributes. You must set at least one to something other than Ignore.
Folder
Create - add the path for the folder you are creating.
Copy
Delete
Folder Redirection - allows the personal files and settings of a user to be saved to
another location. Folders can be redirected to any available location including a local
folder or a network drive, the most common place being the user's home drive.
Reference
COPY FILE
Files to Copy
Source
Select Add to add a source. Enter the Source file, alternatively select the ellipsis (...) to display
the Open dialog box, locate the file and click Open.
Target
Enter the Target file name, alternatively select the ellipsis (...) to display the Browse For Folder
dialog box, locate the location and click OK.
Fail if Exists
If selected the file will not be copied if it already exists in the target location.
Add
Select to add a new entry to the table.
Condition
File
Click the drop-down arrow to select a file from the drop-down list, alternatively leave the
default All files.
Date
Select to amend the Date of the file. Only the Date or File Size can be selected.
Property
Click the drop-down arrow and select one of the following from the drop-down list:
Created Time
When
Click the drop-down arrow and select one of the following from the drop-down list:
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Date and Time.
File Size
Select to amend the File Size. Only the Date or File Size can be selected.
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Size and unit of measure.
DELETE FILE
Select File
Source
Enter the file you want to delete, if you do not know the file name select the ellipsis (...) to
display the Open dialog box to locate the file.
Force Delete
Select to force the delete, if selected read-only file attributes are changed to normal so that the
file can be deleted.
Add
Select to add a new entry to the table.
Condition
File
Click the drop-down arrow to select a file from the drop-down list, alternatively leave the
default All files.
Date
Select to amend the Date of the file. Only the Date or File Size can be selected.
Property
Click the drop-down arrow and select one of the following from the drop-down list:
Created Time
When
Click the drop-down arrow and select one of the following from the drop-down list:
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Date and Time.
File Size
Select to amend the File Size. Only the Date or File Size can be selected.
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Size and unit of measure.
MOVE FILE
Files to Move
Source
Enter the file you want to move, if you do not know the file name select the ellipsis (...) to
display the Open dialog box to locate the file.
Target
Enter the Target file name, alternatively select the ellipsis (...) to display the Browse For Folder
dialog box, locate the location and click OK.
Fail if Exists
If selected, the file will not be moved if it already exists in the target location.
Add
Select to add a new entry to the table.
Condition
File
Click the drop-down arrow to select a file from the drop-down list, alternatively leave the
default All files.
Date
Select to amend the Date of the file. Only the Date or File Size can be selected.
Property
Click the drop-down arrow and select one of the following from the drop-down list:
Created Time
When
Click the drop-down arrow and select one of the following from the drop-down list:
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Date and Time.
File Size
Select to amend the File Size. Only the Date or File Size can be selected.
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Size and unit of measure.
RENAME FILE
Rename From
Enter the file you want to rename, if you do not know the file name select the ellipsis (...) to
display the Open dialog box to locate the file.
Rename
Enter the new file name, alternatively select the ellipsis (...) to display the Browse For Folder
dialog box, locate the location and click OK.
Add
Select to add a new entry to the table.
Source
Enter the file you want to modify, if you do not know the file name select the ellipsis (...) to
display the Open dialog box to locate the file.
Remove the filename to modify the Folder attributes.
Add
Select to add a new entry to the table.
Attributes
Select from the following attributes to modify to Ignore, Set or Unset:
Read-Only
Hidden
System
Archive
Temporary
You must set at least one attribute to something other than Ignore.
CREATE FOLDER
Source
Enter the folder you want to create, alternatively select the ellipsis (...) to display the Browse
For Folder dialog box, locate the folder location and click OK.
Add
Select to add a new entry to the table.
COPY FOLDER
Target
Enter the Target folder name, alternatively select the ellipsis (...) to display the Browse For
Folder dialog box, locate the location and click OK.
Fail if Exists
If selected, the folder will not be moved if it already exists in the target location.
Copy Subfolders
Select to copy any subfolders for the selected folder.
Do not Overwrite Files
Select to prevent overwriting files in the destination folder if they already exist.
Add
Select to add a new entry to the table.
Conditions > File Conditions
Use File Conditions
Select to use file conditions when copying within the folder.
File
Click the drop-down arrow to select a file from the drop-down list, alternatively leave the
default All files.
Date
Select to amend the Date of the file. Only the Date or File Size can be selected.
Property
Click the drop-down arrow and select one of the following from the drop-down list:
Created Time
When
Click the drop-down arrow and select one of the following from the drop-down list:
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Date and Time.
File Size
Select to amend the File Size. Only the Date or File Size can be selected.
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Size and unit of measure.
Conditions > Folder Conditions
Use Folder Conditions
Select to use folder conditions when copying.
File
Click the drop-down arrow to select a file from the drop-down list, alternatively leave the
default All files.
Date
Select to amend the Date of the file. Only the Date or File Size can be selected.
Property
Click the drop-down arrow and select one of the following from the drop-down list:
Created Time
When
Click the drop-down arrow and select one of the following from the drop-down list:
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Date and Time.
File Size
Select to amend the File Size. Only the Date or File Size can be selected.
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Size and unit of measure.
DELETE FOLDER
Delete Folder
Source
Enter the folder you want to delete, if you do not know the folder name select the ellipsis (...) to
display the Browse For Folder dialog box to locate the folder.
Force Delete
Select to force the delete. If selected, read-only folder attributes are changed to normal so that
the folder can be deleted.
Add
Select to add a new entry to the table.
Condition
File
Click the drop-down arrow to select a file from the drop-down list, alternatively leave the
default All files.
Date
Select to amend the Date of the file. Only the Date or File Size can be selected.
Property
Click the drop-down arrow and select one of the following from the drop-down list:
Created Time
When
Click the drop-down arrow and select one of the following from the drop-down list:
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Date and Time.
File Size
Select to amend the File Size. Only the Date or File Size can be selected.
When
Equal To
Not Equal To
Less Than
Greater Than
Between
Compare to destination
Select to compare to destination, alternatively, enter a Size and unit of measure.
FOLDER REDIRECTION
Add
Select to add an entry to the table.
Known Folder
Click the drop-down arrow and select the folder you want to redirect from the drop-down list.
Destination
Enter the destination location, alternatively select the ellipsis (...) and select the location from
the Browse For Folder dialog box.
Reference
MAP DRIVE
Add
Select to add an entry to the table.
Drive Letter
Click the drop-down arrow to select the drive letter from the drop-down list.
Path
Enter the path to which to map the drive letter, alternatively select the ellipsis (...) and select the
location from the Browse For Folder dialog box.
UNMAP DRIVE
Add
Select to add an entry to the table.
Drive Letter
Click the drop-down arrow to select the drive letter you want to unmap from the drop-down
list.
MAP PRINTER
Add
Select to add an entry to the table.
Path
Enter the path for the printer you want to map, alternatively select the ellipsis (...) to select the
path from the Browse for Printer dialog box.
Share Name
If selected, it indicates the string entered as the Path is the printer share name.
Set Default
Select to set as default printer.
UNMAP PRINTER
Add
Select to add an entry to the table.
Path
Enter the path for the printer you want to unmap, alternatively select the ellipsis (...) to select
the path from the Browse for Printer dialog box.
Share Name
If selected, it indicates the string entered as the Path is the printer share name.
ODBC
An interface to create, amend or delete an ODBC database connection.
Reference
Connection Details
Connection Name
Enter the name of the connection.
Driver Type
Click the drop-down arrow to select the driver type from the drop-down list.
Current Connections
A list of all current connections, highlight one and click Select to pick that connection.
ODBC Data Pairs
Value Name
Enter the value name.
Value Data
Enter the value data.
Add
Select to add an entry to the table.
App-V Wizard
The App-V Wizard takes you through the steps to extend an OSD file.
An OSD file is generated by App-V to define how an application is launched and configured.
The App-V action is designed to extend the capabilities of application delivery offered by
Microsoft App-V.
It can be used to manipulate an OSD configuration file for an App-V sequenced application to
configure associated settings including environment variables, registry keys, pre and post launch
scripts and policies.
This allows the App-V delivered application to be tailored based on how or where the user is
accessing the streamed application.
Custom Actions - Provides the ability to cater for any processing that the main
Environment Manager does not support.
Custom Actions can be created using either a Visual Basic script or a JavaScript script.
The scripts are held within the XML configuration, copied to disk at runtime, executed and
then deleted upon completion.
Separate auditing events are created for successful and unsuccessful actions; these can be
viewed through the Auditing ribbon button in Home > Common.
Execute Action
Provides the ability to execute an application with defined parameters and working
directory.
Avoid including Execute Actions in nodes set to execute in sequence for files which require
user interaction to complete, such as program files. Otherwise, the logon process is halted
indefinitely as the logon script waits for the execute script to complete. For example, if the
Execute action launches notepad.exe, the logon script waits for Notepad to end before
proceeding with the logon process.
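This script opens and prints a Word document called Example.doc from the C: drive.
' Start Word through automation and open the document.
Set objWord = CreateObject("Word.Application")
Set objDoc = objWord.Documents.Open("c:\Example.doc")
' Print in the foreground (Background = False) so that Word does not quit mid-print.
objDoc.PrintOut False
' Close the document without saving changes, then exit Word.
objDoc.Close False
objWord.Quit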
Reference
CUSTOM
Type in by hand.
Returning 0 is Success
Returning 1 is Failure
Import
Select to display the Open dialog box. Select the script to import (.vbs or .js).
Export
Select to display the Save As dialog box. Save the script in .vbs or .js format.
Prevent script from running interactively
The scripts are run in batch mode, so you have the option to allow or prevent prompts and
messages from being used in the scripts. The default is to prevent them because they may stall
logon processes if any of them are interactive.
EXECUTE
Filename
The name of the executable for which to create the Action.
Working Directory
The path to the executable.
Parameter
The parameter to pass to the executable, for example, if the Filename is Winword.exe the
parameter could be the name of the file that you want to be opened each time Word is
executed.
The parameter is optional and only required if the executable is to open a certain item.
Expand parameters using environment variables
Select to display the parameter using environment variables.
Complete before executing further actions
Select to make the executable finish before proceeding with another action.
Group Policy
Set the Group Policies ADM and ADMX files.
When creating a Group Policy Action for User > Process Started, each group policy action
dialog box has a Personalization (UEM) tab. Use the checkbox Allow Personalization
Override to control the interaction of Policy settings with User Personalization settings. Select
the checkbox to apply Policy settings after, and therefore override, User Personalization settings.
Reference
Environment Variables
Set, append or delete environment variable details for computer or user nodes.
Reference
Environment Variable
Variable Name
The available variables are listed in the table. To select a variable, either click on a Variable Name
listed and click Select, or double-click on a Variable Name listed.
Variable Value
The available variable values are listed in the table. To select a variable value, either click on a
Variable Value listed and click Select, or double-click on a Variable Value listed.
Expand variables in the entered value
Select to expand the environment variable to include the actual string value.
Shortcut
Shortcuts can be created to target a specific file and location and multiple LNK shortcut files can
be imported to create multiple shortcut actions simultaneously.
Create Shortcut
Create a shortcut to a target file and specify the shortcut location.
Reference
Shortcut Import
Import
Select to display the Open dialog box, locate the shortcut file and click Open.
Shortcut File Path
Enter the path to the shortcut file, alternatively select the ellipsis (...) and select from the
Browse For Folder dialog box.
Target
Enter the target location, alternatively select the ellipsis (...) and select from the Browse For
Folder dialog box.
Run Node
The Run Node is used to assign Reusable Nodes to other nodes throughout the configuration.
The Run Node action is only available once a Reusable Node has been created.
When Nodes or Conditions are reused you can only assign them to Triggers that allow that
action or condition. For a full list of permissions see the Triggers and Actions Appendix.
See Applying the Run Node action in the Tasks section for further details.
Heal Actions
Self Healing is a mechanism to automatically restore environment items including files,
processes, services or registry keys/values. Conditions can be applied to user self heal actions.
Stability issues may arise if you install software patches or upgrades to areas of your system
which you have chosen to self heal as Environment Manager automatically self heals these
changes and removes them.
Currently only 32-bit and 64-bit applications are fully supported by the self healing process
mechanism. It is not recommended to self heal DOS or 16-bit applications using this method.
Attempting to self heal a DOS or 16-bit application process may present multiple instances of
the same application in a short period of time.
Reference
Process Name
Enter the name of a process to be self healed or select the ellipsis (...) to display the Open dialog
box, browse to select a process.
If a process is selected from the Open dialog box, the Process Directory text box displays the
path.
Process Directory
Enter the path (excluding the name) of the process specified in Process Name or select the
ellipsis (...) to display the Open dialog box, browse to select a folder.
Parameters
Enter any parameters, separated by spaces, that the process needs to run. For example, a word
processing application may need the name of a file to open upon launch.
Expand parameters using environment variables
Select to display the full environment variables.
Set a Service for Self Healing. Only applicable to the Computer node.
Display Name
Click Add > Add Entry to enter the Display Name, alternatively, click Add > Browse Services
to display the Service Browser dialog box to select a Service.
Service Name
The Service Name. This field must be completed.
Status
Select to have the Service Always running or Never started.
Parameters
Enter any parameters, separated by spaces, that the service needs to run. For example, Auditing
can take the name of a file in which it logs various data. This can be entered as follows:
-log C:\Temp\MyLogFilename.txt
ellipsis (...)
Select to display the Browse Registry dialog box where you can select the required Registry
Key or Value.
Sub Key
Enter the registry sub key or browse to select from the Browse Registry dialog box.
Value Name
Enter the registry value or browse to select from the Browse Registry dialog box.
Use Default Value
Automatically selected if the registry value selected to self heal is the Default registry value.
Ensure the registry item remains unchanged
Select to ensure that no changes can be made to the registry item.
Ensure the registry item never exists
Select to ensure the registry item does not get created.
Tasks
This section includes useful tasks.
To make Actions complete in sequence, they need to be indented in the tree hierarchy.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Actions to
different levels, alternatively use Ctrl + arrow key.
If an action cannot be completed the next action will not be run.
However, if you have a parent node with multiple child nodes each with multiple actions to be
applied in sequence, each action is taken in turn and attempted moving down through all the
nodes, even if some of the actions return a fail.
Figure 5.2
To make Actions complete in parallel, they need to be at the same level in the tree hierarchy.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Actions to
different levels, alternatively use Ctrl + arrow key.
Access to applications requires that shortcuts, folders, files and registry settings are correctly
set up on the machine. You use Environment Manager to set up or remove these settings for
each user profile to control access to the applications.
Conditions are set up for allowing or blocking user access to an application. Conditions are
applied to nodes to determine whether the actions are applied to the user or machine.
Conditions are evaluated to ensure that only those actions which are applicable are executed.
Users customizing the computer Desktop are a constant problem for administrators. The
Environment Manager Self Healing functionality ensures that a specific file, such as a shortcut,
remains on the desktop as originally set up and is always in place for the computer or user and
contains the same content. A more serious threat comes from viruses and malware that
attempt to modify the content of critical files, such as hosts and .ini files or VB wraparound
scripts.
The Self Healing mechanism is set to restore the file in real-time. The system creates a copy
when the trigger occurs and replaces the item should the user delete it or modify the contents.
The modified date is used to determine whether the file has changed.
Self healing services allow the administrator to enforce the states of critical services. This self
healing of the service allows a service to be always stopped or always running.
For example, you can create an action for the Computer Self Healing node that sets the
Messenger service to never start so that the service is not available from that machine.
Alternatively, the Automatic Updates service can be self healed so that it is always running and
the computer in question has access to download and install Windows updates at all times.
The Environment Manager Lockdown feature enables you to remove functionality from an
application. Lockdown can be achieved in several ways depending on requirements. Adding an
entry to block a dialog box can work as effectively as removing the menu item, toolbar button
or accelerator key.
The simplest way to remove the functions is to block the dialog box for the macros as these
tend to be accessible from user definable toolbars and hot keys.
While running an application and displaying the macro selection dialog box, use the General
Wizard to create a lockdown action and, using the wizard Spy Tool, select the Macros Dialog
Box.
Help files can also cause breaches the administrator may not anticipate. A relatively new type of
breach is found in HTML help files which have a link to the supplier website for further help.
Use Keyboard Lockdown to block the F1 key and render the Help files inaccessible via the
application. Alternatively, use the General Wizard to select the link in the Help file to generate
a Microsoft Active Accessibility (MSAA) action type to disable the link.
Troubleshooting
This section includes some troubleshooting tasks.
License installed
Condition Management
This chapter provides details on Policy Configuration Conditions and includes the following:
Conditions
Tasks
Conditions
Conditions can be applied to enable actions to be executed based on who, where from or how
a user is connecting to a computer or application. These conditions include Directory
Membership, User, Computer, Session and Client based rules. The table shows which
conditions can be applied to Computer and User.
Conditions are highlighted in green.
Directory Membership
User
Computer
Custom
Run Conditions
Directory Membership
Create a condition to check membership of the following:
OU - the condition can be to match a member as Equal or Not Equal, alternatively you can
enter a wildcard Query.
User
Create a condition to match a User Name, User Group or Primary Group as Equal or Not Equal,
alternatively you can enter a wildcard Query.
You can also create a condition to check if the user is an Administrator.
A condition to match the Process Name as Equal or Not Equal can also be created.
Computer
Create a condition to match a Computer Name, Computer Domain, Computer NETBIOS Name,
Computer Group or Process Name as Equal or Not Equal, alternatively you can enter a wildcard
Query.
You can also create a condition to match the IP Address as Equal, Not Equal or Between a
range.
A condition to match the MAC address as Equal or Not Equal can also be created.
A Published Application Name or Client NETBIOS Name as Equal or Not Equal, alternatively
you can enter a wildcard Query.
The Client Connection Protocol to Equal or Not Equal a Console, RDP or ICA.
The Client Screen Resolution to Equal, Not Equal, be Between or From specified X and Y
values.
The Client Color Screen Depth to Equal, Not Equal, be Between or From a set number of
colors. Click and drag the slider to set the number of colors.
Custom
Custom conditions can be created using either a Visual Basic script or a JavaScript script, based
on any scenario, for example date/time, existence of a file or registry entries.
The scripts are held within the XML configuration, copied to disk at runtime, executed and then
deleted upon completion.
Separate auditing events are created for successful and unsuccessful conditions; these can be
viewed through the Auditing ribbon button in Home > Common.
EXAMPLE SCRIPT
Script
You can enter the script by one of the following methods:
Type in by hand.
Returning 0 is Success
Returning 1 is Failure
The scripts are run in batch mode, meaning any prompts or message boxes are ignored and
the script will exit without being executed. Therefore, ensure any custom script does not
contain prompts and message boxes or comment these out in the script.
Import
Select to display the Open dialog box. Select the script to import (.vbs or .js).
Export
Select to display the Save As dialog box. Save the script in .vbs or .js format.
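The return-code and batch-mode rules given for Custom Actions and Custom Conditions can be illustrated with a custom condition that checks date/time, a file and a registry value without prompting. This is an added example, not a script from the guide or from AppSense. The file path, registry value and working-hours window are constructed, and handing the 0/1 result back through WScript.Quit is an assumption.

```javascript
// Added example, not AppSense code. Written in ES3-style JavaScript so the same
// file runs under Windows Script Host (as a .js custom condition) and under Node.
var SUCCESS = 0; // the guide: "Returning 0 is Success"
var FAILURE = 1; // the guide: "Returning 1 is Failure"

// Constructed, hypothetical locations used only for this example.
var MARKER_FILE = "C:\\ProgramData\\ExampleApp\\enabled.flag";
var REG_VALUE = "HKCU\\Software\\ExampleApp\\PolicyEnabled";

// True on Monday-Friday between startHour (inclusive) and endHour (exclusive), local time.
function inWorkingHours(now, startHour, endHour) {
  var day = now.getDay(); // 0 = Sunday ... 6 = Saturday
  var hour = now.getHours();
  return day >= 1 && day <= 5 && hour >= startHour && hour < endHour;
}

// Combine the three checks. "probes" supplies the file and registry lookups so
// the decision logic can be exercised without touching a real machine.
function evaluateCondition(now, probes) {
  try {
    if (!inWorkingHours(now, 8, 18)) { return FAILURE; }
    if (!probes.fileExists(MARKER_FILE)) { return FAILURE; }
    // RegRead throws when the value is missing; the catch turns that into FAILURE.
    return String(probes.regRead(REG_VALUE)) === "1" ? SUCCESS : FAILURE;
  } catch (e) {
    // Fail closed and stay silent: no Echo, Popup or other prompt in batch mode.
    return FAILURE;
  }
}

// Real lookups, available only under Windows Script Host.
function wshProbes() {
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  var shell = new ActiveXObject("WScript.Shell");
  return {
    fileExists: function (path) { return fso.FileExists(path); },
    regRead: function (name) { return shell.RegRead(name); }
  };
}

// Only under Windows Script Host: hand the result back as the script's exit code.
// Assumption: the 0/1 "return" in the guide is the script exit code.
if (typeof WScript !== "undefined") {
  WScript.Quit(evaluateCondition(new Date(), wshProbes()));
}
```

Any error, including a missing registry value, resolves to Failure, so a broken probe cannot cause the dependent actions to be applied.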
Run Conditions
Once you have created a reusable condition the Run Conditions option is available on the
Conditions ribbon page > Conditions group.
Tasks
This section includes useful tasks.
To make Conditions complete in sequence, they need to be indented in the tree hierarchy.
If you have two or more conditions indented in the hierarchy, as shown in Figure 6.2, they
become AND conditions.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Conditions to
different levels. Alternatively, use Ctrl + arrow key.
If a condition cannot be completed the next condition will not be run.
However, if you have a parent node with multiple child nodes each with multiple conditions to
be applied in sequence, each condition is taken in turn and attempted moving down through all
the nodes, even if some of the conditions return a fail.
Conditions are highlighted in green.
To make Conditions complete in parallel, they need to be at the same level in the tree
hierarchy.
If you have two or more conditions at the same level in the hierarchy, as shown in Figure 6.3,
they become OR conditions and are shown by a blue highlighted bracket.
Select the Arrow ribbon buttons on the Nodes page > Arrange group to move the Conditions
to different levels. Alternatively, use Ctrl + arrow key.
Conditions are highlighted in green.
Lockdown Management
This section provides details on all lockdown actions and includes the following:
Lockdown
General Wizard
Keyboard Wizard
Office Wizard
Message Libraries
Lockdown
Lockdown is a mechanism to restrict or disable access to specific application and operating
system functionality, keyboard shortcuts, MS Office application menus, toolbars and ribbons.
Conditions can be applied to lockdown actions to offer comprehensive lockdown in varied
scenarios.
Useful lockdown actions that could be enforced are:
General Wizard
The General Lockdown Wizard enables you to block or remove Windows objects in the
operating system and application interfaces. Windows objects, called controls, belong to
hierarchies and can contain many child controls.
Control Attributes
The Environment Manager agent blocks or removes controls based on several attributes.
Standard window controls have the following basic attributes:
Class Name - The specific type or class to which a Windows control belongs, such as
Edit, Button or SysListView32.
Process Name - The filename of the application to which the Windows control belongs.
Parent Text - The text associated with the parent window of the Windows control.
Some applications may override the functionality of certain controls with custom controls, called
Owner Drawn controls, to which custom attributes are applied rather than the standard
operating system attributes. You can disable these controls using the Microsoft Active
Accessibility (MSAA) blocking functionality which is detected using the General Lockdown
Wizard.
Control Types
You can lockdown the following control types:
Tree Controls - Controls which are organized in a hierarchical structure with configuration
options under each branch, such as the Windows Explorer Tools > Folder Options menu
or the Taskbar and Start Menu Advanced tab.
Environment Manager restricts access to components of a Tree Control by removing
options.
List Controls - Contains a list of items for selection. For example, drop-down lists in the
Internet Explorer Internet Options > Programs tab or a list of drives, folders and files in
Windows Explorer.
Environment Manager restricts access to items within a List Control, by removing specific
items from the list.
Edit Controls - Controls which contain fields into which you enter text, such as the Internet
Explorer Address Bar or the Run dialog box.
Although it is possible to protect the system by using group policy/system policy objects,
such as Hide these Specified Drives in My Computer and Prevent Access to Drives
from My Computer, these settings can leave security loopholes. These types of
policy-enforced objects only apply to Windows Explorer, allowing any application to request and
receive access to the local server drives.
Environment Manager addresses these security loopholes by controlling entered text. Users
who are not authorized to access the C drive can be blocked from entering C: in an Edit
Control.
Menu Controls - Controls which contain menu items for selection within an application,
such as the File menu item or Format menu item in Notepad.
Environment Manager restricts access to the options within a Menu Control, by disabling
specific items.
Dialog Controls - Controls which launch separate dialog boxes for particular applications,
such as the Open dialog box in Notepad or the Internet Options dialog box in Internet
Explorer.
Environment Manager restricts access to dialog boxes by intercepting and blocking the
dialog box from launching for specific users and groups.
Windows Controls - Controls that appear within Windows which can take numerous forms,
such as the Open button in a File > Open dialog box or the Browse or Color buttons in
the Display Properties dialog box.
Environment Manager restricts access to these types of control by hiding the control.
Toolbar Controls - Buttons that appear on a toolbar, such as Back, Forward, Delete and
Undo.
Environment Manager restricts access to the buttons on a toolbar by disabling them.
Some toolbar buttons in Windows Explorer and Internet Explorer display popup menus
when clicked. You must disable the menu items to restrict access, not just the toolbar
button. For more information see the relevant steps for using the spy tool target to select
popup menus in To Perform a General Lockdown.
1. Launch the window or application in which the item you want to lockdown appears.
2. In Environment Manager, navigate to the node in the navigation tree for which you want to
create the lockdown action. Select General Wizard on the Lockdown page > Lockdown
group.
The General Wizard dialog box displays.
3. Click and drag the Spy Tool over the area containing the control you want to lockdown.
A red border indicates the control selected and the green message indicates which
lockdown options are available for that control.
When you have highlighted the control you want, release the mouse. If there are lockdown
options available, the Select Lockdown Type dialog box displays. If there are no options
available, the General Wizard re-displays with the screen relevant to the type of control.
Table 7.1
Lockdown
Control
Lockdown Option
Screen Displayed
Window
N/A
Window Control
List
List Control
Window Control
Tree
Tree Control
Window Control
Edit
Edit Control
Window Control
Tab
Tab Control
Window Control
MSAA
N/A
MSAA Control
Menu
Menu Control
Dialog
N/A
Dialog
Keyboard Wizard
The Keyboard Wizard allows you to prevent users from using certain keyboard keys or
combinations of keys within a particular application or applications.
TO LOCKDOWN A KEYSTROKE
1. Navigate to the node, in the navigation tree, for which you want to create the Keyboard
Lockdown action.
2. Select Keyboard Wizard on the Lockdown ribbon page > Lockdown group.
The Keyboard Lockdown dialog box displays.
3. Enter the key you want to disable.
To lockdown a key combination simply select the keys, for example to lockdown Ctrl + F,
press Ctrl then F.
4. Select whether you want to distinguish between left and right keys, for example the left Alt
and the right Alt keys.
5. Select to apply the lockdown to all applications or a selected application. If you select a
specific application you can enter it directly into the text box, click the ellipsis (...) to display
the Open dialog to locate the application or if the required application is open you can
drag and drop the spy tool to the application.
6. Click OK to create the lockdown action.
The lockdown action is added to the Actions work area for the relevant node.
Office Wizard
Office Lockdown allows you to disable Microsoft Office features. A list of Office suites,
applications and the types of features you can lockdown are shown in Table 7.2 on page 72.
For steps on creating an Office Lockdown action, see To Lockdown an Office Menu Item,
Toolbar and Ribbon.
Table 7.2
Office Suite
Application
Features
Menus
Toolbars
Ribbons
Office 2000
Access
Office XP
Excel
Office 2003
Outlook
Powerpoint
Word
Access
Excel
Outlook
Powerpoint
Word
Office 2007
1. Navigate to the node for which you want to create the action in the navigation tree.
2. Select Office Wizard on the Lockdown page > Lockdown group.
The Microsoft Office Lockdown Wizard displays.
3. Click Next in the Welcome screen to proceed to the application selection screen.
All supported Microsoft Office applications installed are listed.
4. Select the application you want to lockdown and click Next.
The selected application opens so that all menu items can be registered.
(Office 2000, XP and 2003, and Outlook 2007 only)
A collapsible list of all menus displays in which you can select each menu including all
items, or expand the menu lists to select specific items to disable.
6. Click Next to display the toolbar items list which you can populate using the Spy tool.
(Office 2000, XP and 2003 only)
7. Click and drag the Spy tool to the toolbar item, within the application, that you want to
disable. Release the target icon when the toolbar item is highlighted with a black border.
The name and description of the selected toolbar item are now displayed.
Repeat this process to add multiple toolbar items.
8. Click Next to display a list of ribbons with collapsible lists of ribbon items allowing you to
select specific items to disable.
(Office 2007 only)
Enter the name of a specific item to search in the text edit box and click Find. If the item
is found the relevant ribbon list expands allowing you to locate the required item.
Message Libraries
The Message Libraries consist of Blocked Text and Blocked Message.
Blocked Text allows you to configure a list of words or expressions that can be used to filter the
text entered into Edit boxes.
The Blocked Text Library is only applicable to the Edit Control Lockdown functionality.
Blocked Messages allow you to configure messages that are displayed when using the
Lockdown feature.
The Blocked Message Library is only applicable to the Edit Control and MSAA Control
Lockdown functionality.
Reference
Remove all text if blocked - to delete all of the text entered if it contains any blocked text.
Remove blocked text only - to delete only the blocked text entered.
Replace with
Enter the text that will replace the removed blocked text.
Expand Environment Variable
Select to expand text at runtime to the full environment variable path.
Block Drive Letter
Select to block the input of any drive letter that has been hidden from the Explorer view for the
specific user by Microsoft Windows Policy.
User Personalization
This section provides details on User Personalization, and includes the following:
Personalization Analysis
Troubleshooting
About User Personalization
Checks that the configuration is correct, for example database, accounts, roles, servers, IIS
and ASP, as shown in the Variance report.
User Personalization settings are configured through the database scripts provided as part of
the AppSense Personalization Server Configuration utility.
The Server Configuration utility is a dual purpose tool. The first time it is run, it runs in
configure mode, which configures the Personalization Server website and creates the database
with the correct accounts. Subsequent runs of the utility run in report mode, which shows
any variances from the initial configuration.
For further information see the AppSense Management Suite Architecture and Installation
Guide.
In the Environment Manager console the User Personalization view requires a live connection to
the SQL Database. This means that changes are committed immediately to the database,
therefore Open and Save are meaningless.
If you navigate back to Policy Configuration the database connection remains open. If you
want to disable User Personalization you must select Disconnect in the Personalization
ribbon page > Connection group.
DEFAULT BEHAVIOR
User Personalization is designed to allow every user to have every application they run
discovered and then managed.
The Discover All Processes and Manage All Processes options must be enabled in the
User Personalization Group Settings.
The configuration retrieved by the client session from the database at logon determines which
applications are managed and the data that is to be virtualized. If a new user logs on to the
system, and this user is not recognized, then no configuration is returned and therefore no
applications will be managed.
In a similar way, if a known user logs on but doesn't have a configuration, no applications will
be managed. However, in this scenario the desktop settings will still be managed, unless they
are disabled in the user's Personalization Group Settings.
Both instances will produce an audit event.
Any changes to the User Personalization data within the console are dependent on when the
local configuration is updated. This can be the configuration poll period or when the EMAgent
Service is restarted. The changes are then written to the SQL database and hence are applied
immediately: the next time a user launches an application the new settings are applied.
Environment Manager applies last write wins behavior on a per application level. Whenever a
user closes an application, the personalization changes for that application are saved back to
the server immediately, so if an application is changed in two concurrent sessions the last
running version of the application dictates what is stored on the server.
Each application in the configuration has a set of inclusions and exclusions. They are
processed in the following order:
If a user is a member of more than one group in the database, then the settings used will
be for the first group rule that is matched.
USER IDENTIFICATION
When a log on request is received, the Personalization Server needs to determine who the user
is in order to provide the correct configuration. Configurations are stored in the database on a
per group basis, so the user should be assigned to a group.
The client sends up details about the user logging on, such as name, client machine name and
IP address.
STREAMED APPLICATIONS
Once an application is under the control of User Personalization a user will receive their
managed personalization data no matter how they access the application.
Virtualized environments are becoming increasingly commonplace in the corporate
environment with applications being streamed from a server instead of being run locally.
Streaming usually involves packaging an application in some way so that it is self contained,
with the personalization data existing within this package, nevertheless, User Personalization
can still manage streamed applications in the same way as local applications. The streaming
applications currently supported are as follows:
DESKTOP SETTINGS
Desktop Settings can also be managed by registry actions in Policy Configuration. However,
we recommend you only use either Policy Configuration or User Personalization, but not both
simultaneously, to ensure optimum performance.
For further information on registry actions in Policy Configuration refer to the Registry in the
Action Management chapter.
When User Personalization is enabled all desktop settings are managed, unless explicitly
disabled in the user's Personalization Group Settings. When User Personalization is disabled no
desktop settings are managed in User Personalization.
Desktop Settings include:
Accessibility settings
Appearance settings
Cursors
Keyboard settings
Language settings
Mouse settings
Certificates
Desktop Settings are for all users and are cross platform, for example Vista to XP, with the
exception of Themes and Icons.
Desktop settings can still be configured manually in Policy Configuration as registry hives.
Although all desktop settings are implicitly managed, the administrator is able to control which
desktop settings are to be included via the Desktop Settings dialog in the console.
If you have an empty cache, for example the first time you install the Environment Manager
agent, or if the local cache has been removed, you must logoff and then log back on to start
managing the Desktop Settings. On the next logoff the settings will be saved to the cache.
Keys can be added and removed as required. The Add button displays the Add a new desktop
setting key dialog box, where you can browse the registry to locate the key you want to add.
It is possible to remove all entries which would effectively disable the feature.
Care must be taken when removing individual entries in case they are linked to other entries.
The desktop is updated with the latest data from the database but will only return data for
settings that are actually being managed.
Personalization Node Management
Personalization Applications
Personalization Groups
Sites
Personalization Applications
Set up global settings which are applied to all managed applications and application groups.
You can specify which registry keys and which folders to include or exclude from management.
Include and Exclude Rules
Exclusions take priority over inclusions, except where the include path is deeper.
If you have global includes/excludes along with Application or Application Group includes/
excludes, these are collated together but still follow the above rule.
Include Path | Exclude Path | Behaviour
C:\Test | | Include C:\Test
 | C:\AppX | Exclude C:\AppX
C:\Ambiguous | C:\Ambiguous | Exclude C:\Ambiguous
C:\Program Files\AppSense | C:\Program Files |
C:\Windows | C:\Windows\System32 | Include C:\Windows; Exclude C:\Windows\System32
Application Groups - A collection of applications which are managed as a single group. The
groups can contain additional registry or folders to include or exclude from management.
Applications - Applications to be managed on the client computer.
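The include and exclude rule described above, worked through as an added example (not AppSense's code): it collates several rule sets and decides one path by comparing the deepest matching include with the deepest matching exclude. The function names, the case-insensitive whole-segment matching and the "none" result for a path that matches no rule are assumptions; the sample rules are the rows of the table above.

```javascript
// Added example: resolve one folder path or registry key against collated
// include/exclude lists. Names and the "none" outcome are assumptions.

// Split a path into lower-cased segments so matching is case-insensitive and
// only happens on whole segments (C:\Test must not match C:\Testing).
function segments(path) {
  return path.replace(/\//g, "\\").split("\\")
    .filter((s) => s.length > 0)
    .map((s) => s.toLowerCase());
}

// Depth of `rule` when it is the path itself or one of its ancestors, else -1.
function matchDepth(rule, path) {
  const r = segments(rule);
  const p = segments(path);
  if (r.length === 0 || r.length > p.length) return -1;
  for (let i = 0; i < r.length; i++) {
    if (r[i] !== p[i]) return -1;
  }
  return r.length;
}

// Deepest matching rule in a list, or depth -1 when nothing matches.
function deepest(rules, path) {
  let best = { depth: -1, rule: null };
  for (const rule of rules) {
    const d = matchDepth(rule, path);
    if (d > best.depth) best = { depth: d, rule };
  }
  return best;
}

// Collate every rule set (global, application group, application) and decide.
// Exclusions take priority; an include wins only when it is strictly deeper.
function resolve(path, ...ruleSets) {
  const includes = ruleSets.flatMap((s) => s.include || []);
  const excludes = ruleSets.flatMap((s) => s.exclude || []);
  const inc = deepest(includes, path);
  const exc = deepest(excludes, path);
  if (inc.depth < 0 && exc.depth < 0) return { decision: "none", rule: null };
  if (inc.depth > exc.depth) return { decision: "include", rule: inc.rule };
  return { decision: "exclude", rule: exc.rule };
}

// Sample rule sets built from the table rows; the split between a global set
// and an application set is constructed for illustration.
const GLOBAL_RULES = {
  include: ["C:\\Test", "C:\\Ambiguous", "C:\\Windows"],
  exclude: ["C:\\AppX", "C:\\Ambiguous", "C:\\Windows\\System32"],
};
const APP_RULES = {
  include: ["C:\\Program Files\\AppSense"],
  exclude: ["C:\\Program Files"],
};

// Returns one "path -> decision (rule)" line per constructed sample path.
function report() {
  const samples = [
    "C:\\Test\\settings.ini",
    "C:\\Testing\\settings.ini",
    "C:\\AppX\\data",
    "c:\\ambiguous\\file.txt",
    "C:\\Program Files\\AppSense\\cfg.xml",
    "C:\\Program Files\\Other\\cfg.xml",
    "C:\\Windows\\win.ini",
    "C:\\Windows\\System32\\drivers",
  ];
  return samples.map((p) => {
    const r = resolve(p, GLOBAL_RULES, APP_RULES);
    return `${p} -> ${r.decision} (${r.rule})`;
  });
}
```

Running the same paths before and after a rule change shows which folders or keys would newly fall under management.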
Application Groups
An Application Group is a collection of applications which are managed as a single group, for
example Microsoft Office Suite. Includes details of the version, the OS and the inclusions and
exclusions.
All applications in a group share a cache, therefore personalization settings will be
synchronized from the server when the first application in the group is opened and
synchronized back when the last application is closed.
Default Whitelist - A default list of applications which are included in the Personalization
management for all users.
The Default Whitelist group is empty by default.
Default Blacklist - A default list of applications which are excluded from Personalization
management for all users, for example mmc.exe or explorer.exe.
To add applications right-click to display the shortcut menu and select Add Application. For
further details see To Add an Application Group from point 3.
5. You can specify Registry keys and Folders to include or exclude from this group.
You can include or exclude registry keys and folders for management in the group.
To include a registry key that will be managed across all applications within the application
group.
1. Navigate to the relevant Application Group in the navigation tree.
2. Click the Registry tab in the Application Group work area.
3. Click in the first blank box under Include.
4. Right-click to display the shortcut menu, select Add Path.
The ellipsis (...) displays at the end of the box.
5. Click the ellipsis (...).
The Browse Registry dialog box displays. You can select from your local computer or click
Connect to display the Active Directory Select Computer dialog box to select another
computer to browse.
6. Locate the required Registry Key and click OK.
The selected Registry Key is added to the Include list in the work area.
You can add a Registry Key exclusion by following the same process as to add an inclusion.
Version RegEx
Displays the Version regular expression.
Applications
A list of applications which can be managed on the client computer. Set up how the
applications are to be managed, including details of the version, the OS and the registry and
folder inclusions and exclusions.
The Personalization Analysis tool can be used to view Discovered Managed applications and
create explicit database entries for them by migrating them to being Whitelisted Applications.
See Personalization Analysis for further details.
TO ADD AN APPLICATION
4. Enter the application executable name. To search for an executable select the ellipsis (...).
The Select Application dialog box displays.
An application executable name may need to be entered directly, if the required
executable is not installed on the Administrator's machine.
7. Click OK.
The Application is added to the Applications list in the Applications work area and a new
node is created under the Applications node in the navigation tree.
OS RegEx
Operating System regular expression. The default is .* to match all operating systems.
Version RegEx
Version regular expression. The default is .* to match any version of the application. To match
particular versions, amend the regular expression accordingly or enter a specific version.
Personalization Groups
A personalization group is used to group together similar users so they have the same managed
applications and managed application groups.
Default Users
There is a default Personalization Group in a new configuration.
Any users that are not assigned to an alternative Personalization Group will be placed in the
Default Users group.
This is a catch all for any users that are using User Personalization. If a user is already assigned to
another group then they will take their configuration from their group settings. If not they will
use the configuration specified here.
The Default Whitelist and Blacklist Application Groups are added to the Default Users
Personalization Group by default.
Excluded Users
You can switch off Personalization for specific users by creating an Excluded group.
The Personalization settings are unmanaged for any users that are assigned to this group.
For further information on assigning users to Personalization Groups refer to Create a
Personalization Group Membership Rule.
Clear all checkboxes on the Personalization Group work area > Settings tab.
Remove all entries from the Personalization Group work area > Whitelists tab.
This task only moves the user data from one personalization group to another. An
administrator must move the actual user from one group to another using the
Personalization Group > Membership Rules, otherwise any new data will go to the
old group.
1. Navigate to the Personalization Group in the navigation tree to which the user you want to
move belongs.
2. Click Personalization Analysis on the Tools ribbon page > Management group.
The Personalization Analysis dialog box displays.
3. Leave the default settings of <All Users> in the By user field. Select Display.
The report for all users displays.
4. Click on the user you want to move and right-click to display the context menu.
5. Click Move the settings for <user> to another group...
The Select Destination Group dialog box displays listing all of the possible target groups.
6. Select the group to which to move the user.
Only one user can be moved at a time.
9. If the user and the associated data are successfully moved, a confirmation message displays.
Click OK.
The graph is refreshed and the user bar disappears.
The Whitelists for Applications and Application Groups for the new group need to
match the old group to ensure the applications are managed.
Once moved, the user data no longer exists in the old group.
Offline Mode
When a user is logged on to a managed computer the personalization data is stored locally in a
virtual cache. By default, when the user logs off this cache is deleted and recreated on next log
on. This is to help minimize excessive disk storage on terminal servers with large numbers of
users logging on.
In offline mode the user's data is persisted even if they have a mandatory profile, as the
personalization data is stored in a separate cache found at
%APPSENSEPROFILEDIRROOT%\AppSenseVirtual.
Note: %APPSENSEPROFILEDIRROOT% is a fixed string, not an environment variable, and
resolves to the drive letter of the user's profile directory, for example C:\
However, it may be desirable to keep the virtual cache available on the local machine, perhaps
when the user is logging onto a notebook and intends to work from home. It would be useful if
the personalization data was available even when there is no connection to the corporate
network.
The administrator can enable Offline Mode on a per-group basis. The cache will be
permanently available on the machine used to log in.
Select Allow Offline Mode in User Personalization > Personalization Groups > Settings >
Offline Options.
Personalization Group
Manage the rules which determine the users that belong to this group. Also, manage the list of
managed applications and managed application groups which are assigned to this group
(whitelist) and those which are excluded (blacklist). You can also control various settings related
to profile migration, certificates and offline mode.
The Personalization Analysis option is available to analyze the current and historical
personalization data for users, their applications and application groups.
For further information refer to the Personalization Analysis section.
1. Highlight the relevant Condition Group in the Membership Rules tab in the
Personalization Group work area.
2. Right-click to display the shortcut menu, select Insert Condition.
3. Select whether to add a User Condition or Computer Condition.
4. Select the type of User or Computer Condition you want to create, for example User Name.
The relevant dialog box for the selected condition type displays.
For further information on Conditions refer to the Condition Management chapter.
5. The new Condition displays in the Condition Group under Membership Rules.
You can OR rules together by clicking below any existing membership rule and selecting Add
Condition Group.
Reference
Membership Rules
Add conditions to determine which users belong to the group.
Settings > Migration Options
Migrate Existing Profiles
Disabled by default. This option can be used for the following reasons:
TO RETAIN PROFILE SETTINGS FROM ROAMING, LOCAL OR OTHER HYBRID PROFILE SOLUTIONS
If you have a roaming, local or hybrid profile and you want to start using Environment Manager
v8.0, select Migrate Existing Profiles to migrate the profile settings to the Personalization
database. Once the settings have been migrated, turn the roaming, local or hybrid profile
solution off.
1. Open the v7.x configuration in the v8.0 console; this upgrades the configuration.
2. Save the converted configuration out to the endpoint devices.
3. To detect the settings do one of the following:
Wait for 5 minutes. This is the automatic poll period for refreshing User Personalization
settings from the database.
4. Run every application that has currently been hived at least once. This must be done for
each user.
This loads the v7.x Environment Manager registry hives.
You can check which applications have been run and the frequency in Personalization
Analysis.
5. User Personalization takes over responsibility for all personalization settings for all managed
applications.
In User Personalization there are no rules governing which desktop settings to manage
under which conditions. The desktop settings will always be applied when User
Personalization is enabled. However, desktop settings can be disabled by clearing the
Manage Desktop Settings checkbox on the Personalization Group > Settings tab or
by deleting all the entries in the Desktop Settings dialog box.
6. Once all applications have been migrated clear Migrate Existing Profiles to disable the
migration mode.
The User Personalization mechanism writes to the cache every time a managed application
writes to the registry or file system. However, when Migrate Existing Profiles is
enabled, each time a registry key or file is read for a managed application, it is also saved
to the cache. So to reduce the volume of data collected, it is recommended migration
mode is disabled when not in use.
7. Delete the associated hives from the Policy Configuration XML file.
During the migration process the actual profile data is not changed at all, therefore the
administrator can revert back to using the roaming profiles by just disabling User
Personalization.
If Manage All Processes is selected, any applications that are not explicitly configured will be
Discovered Managed. In the Personalization Analysis Reports these will be shown as:
Offline Resiliency
Enabled by default. Select to enable offline resiliency. If selected and the network disconnects,
all changes held locally will be synchronized when the network connection is restored.
Settings > Desktop & Certificates
Manage Desktop Settings
Enabled by default. If selected, desktop settings are managed for the Personalization Group.
Manage Certificates
Enabled by default. If selected, user certificates can be added to the local certificate store when
using a mandatory profile; they are managed and are therefore available if a user logs on to
another computer.
If you have an empty cache, for example the first time you install the Environment Manager
agent, or if the local cache has been removed, you must logoff and then log back on to start
managing Certificates. On the next logoff the certificates will be saved to the cache.
Whitelists
Whitelist Application Groups
Add Application Groups to the Whitelist. All Applications in the selected Application Groups will
be included in the personalization management for this Personalization Group.
To add an Application Group, right-click in the blank area under Whitelist Application Groups.
Select Add Application Group. The Select Application Groups dialog box displays. Locate
the Application Group and click OK.
The Default Whitelist Application Group is added by default to a new Personalization Group.
Whitelist Applications
Add Applications to the Whitelist. All Applications will be included in the personalization for this
Personalization Group.
To add an Application, right-click in the blank area under Whitelist Applications. Select Add
Application. The Select Applications dialog box displays. Locate the Application and click
OK.
All applications in a group share a cache, therefore personalization settings will not be
synchronized until all applications in the group are closed.
Blacklists
Blacklist Application Groups
Add Application Groups to the Blacklist. All Applications in the selected Application Groups will
be excluded in the personalization management for this Personalization Group.
To add an Application Group, right-click in the blank area under Blacklist Application Groups.
Select Add Application Group. The Select Application Groups dialog box displays. Locate
the Application Group and click OK.
The Default Blacklist Application Group is added by default to a new Personalization Group.
Blacklist Applications
Add Applications to the Blacklist. All Applications will be excluded in the personalization for this
Personalization Group.
To add an Application, right-click in the blank area under Blacklist Applications. Select Add
Application. The Select Applications dialog box displays. Locate the Application and click
OK.
If an application is in both the whitelist and the blacklist, the application will be blacklisted
on the client.
Sites
Allows you to group Personalization Servers to particular sites. The sites node is populated from
the values provided by the administrator when setting up the Personalization Server via the
AppSense Personalization Server Configuration utility.
The Default Site is added when User Personalization is enabled and the Server is selected from
the Select Personalization Server dialog box.
Synchronize Site Databases
Synchronize Site Databases is on the Tools ribbon page > Replication group.
Select to replicate personalization data between site databases on demand.
To use Synchronize Site Databases you must have set up replication. Refer to the
Personalization Database Replication Appendix for details.
TO ADD A SITE
Site
Manage the membership rules to determine from which site user personalization data is
supplied.
If any changes are made to the Active Directory settings that will affect the Personalization
Group and the Site membership assignment, the affected users should log off and back on to
pick up the changes.
Add conditions to determine from which site a user's personalization data is supplied.
Membership Rules are not applicable to the Default Site.
2. Right-click in the blank area on the Membership Rules tab to display the shortcut menu.
3. Select Add Condition Group.
4. Select Computer Condition.
5. Select the type of Computer Condition you want to create, for example Computer Name.
The relevant dialog box for the selected Condition type displays.
For further information on Conditions refer to the Condition Management chapter.
1. Highlight the relevant Condition Group in the Membership Rules tab in the Site work
area.
2. Right-click to display the shortcut menu, select Insert Condition.
3. Select Computer Condition.
4. Select the type of Computer Condition you want to create, for example Computer Name.
The relevant dialog box for the selected condition type displays.
For further information on Conditions refer to the Condition Management chapter.
The new Condition displays in the Condition Group under Membership Rules.
You can OR rules together by clicking below any existing membership rule and selecting Add
Condition Group.
High Availability
Multiple personalization servers can be added to the Policy Configuration. This ensures
connectivity is always possible if there is a problem connecting to one server, as alternatives are
available. Therefore, user personalization settings are always available to download from the
database, for the first time and any time thereafter.
Initial Setup
When User Personalization is first set up, a connection to the database is required in order to
download the personalization settings, as set up in the Personalization Server Configuration
Utility at the time of installation.
For further information refer to the AppSense Management Suite Architecture and
Installation Guide.
How to add, amend or delete the list of personalization servers for a site.
1. Select the User Personalization navigation button.
Ensure User Personalization is enabled from the Policy Configuration side of the
configuration.
7. Add or Delete as many servers as required to complete the Personalization Server list.
The User Personalization mechanism attempts to connect to the first server listed. If that
attempt fails, connection is attempted on the next server in the list, and so on until a
connection has been successful.
Personalization Analysis
Personalization Analysis is available for Personalization Groups on the Tools ribbon page >
Management group.
Personalization Analysis provides the ability to connect to the Personalization Server from the
Environment Manager console and display current and historical personalization usage data for
users, their applications and application groups. You can also select a day from the history to
roll back the selected user's personalization settings.
Examples of the sort of data you can pull out of the database are:
Size
Archives
Size
The Size report displays the user name on the vertical axis and the Personalization data size for
the user on the horizontal axis.
From here you have the following options available on the right-click shortcut menu:
Delete ALL settings for <DOMAIN\User> - This option deletes all settings and archives
for the specified user. The Confirm Personalization Analysis Operation dialog box
displays, click Continue to complete the deletion.
Move the settings for <User> to another group... - This option allows you to move the
personalization data for the user to another personalization group. The Select Destination
Group dialog box displays, select the group to which to move the user and whether to
Include Discovered Applications. Click Continue to complete the move.
This task only moves the user data from one personalization group to another. An
administrator must move the actual user from one group to another using the
Personalization Group > Membership Rules.
Refer to the Personalization Groups section for further details on how To Move Users
Between Personalization Groups Whilst Retaining Settings.
To drill further down the Size report, click on a user bar to display application name on the
vertical axis and the Personalization data size for the application on the horizontal axis.
The bars display in either orange or blue. An orange bar represents a Whitelisted Application,
which means the application is in the Whitelist in the user's Personalization Group. A blue bar
represents a Discovered Managed Application, which means the application is not explicitly
configured in either a Whitelist or Blacklist but is being managed.
An application will be managed when not explicitly configured only when Manage All
Processes is enabled in Personalization Group > Settings, which is Off by default.
From here you have the following options available on the right-click shortcut menu:
Delete <Application Name> Settings for <DOMAIN\User> - This option deletes the
cache for the selected application so next time the application starts it will revert to the
default settings.
View application file list - displays the View Application File List dialog box. The cache
files for the selected application are listed, and you also have the option to delete.
Convert discovered application - This option is only available when selecting a blue bar
indicating a Discovered Managed application. Allows you to do the following:
On selection of one of the above options the Convert Application <application name>
dialog box displays. Complete the Application Name and Executable details and set the
Operating System and Application Version details, for example, you can use the
wildcard .* if you want all versions of the application to be added to the Applications list
and not just the version that has been discovered.
Delete ALL settings for <DOMAIN\User> - This option deletes all settings and archives
for the specified user. The Confirm Personalization Analysis Operation dialog box
displays, click Continue to complete the deletion.
Delete ALL settings for <DOMAIN\User> - This option deletes all settings and archives
for the specified user. The Confirm Personalization Analysis Operation dialog box
displays, click Continue to complete the deletion.
Move the settings for <User> to another group... - This option allows you to move the
user to another personalization group whilst retaining the personalization settings. The
Select Destination Group dialog box displays, select the group to which to move the user
and whether to Include Discovered Applications. Click Continue to complete the move.
This task only moves the user data from one personalization group to another. An
administrator must move the actual user from one group to another using the
Personalization Group > Membership Rules.
Refer to the Personalization Groups section for further details on how To Move Users
Between Personalization Groups Whilst Retaining Settings.
To drill further down the Whitelist Application Usage report, click on a user bar to display
application name on the vertical axis and the Accesses (frequency) on the horizontal axis.
From here you have the following options available on the right-click shortcut menu:
Delete <Application Name> Settings for <DOMAIN\User> - This option deletes the
cache for the selected application so next time the application starts it will revert to the
default settings.
View application file list - the View Application File List dialog box displays. The cache
files for the selected application are listed, and you also have the option to delete.
Delete ALL settings for <DOMAIN\User> - This option deletes all settings and archives
for the specified user. The Confirm Personalization Analysis Operation dialog box
displays, click Continue to complete the deletion.
Delete ALL settings for <DOMAIN\User> - This option deletes all settings and archives
for the specified user. The Confirm Personalization Analysis Operation dialog box
displays, click Continue to complete the deletion.
Move the settings for <User> to another group... - This option allows you to move the
user to another personalization group whilst retaining the personalization settings. The
Select Destination Group dialog box displays, select the group to which to move the user
and whether to Include Discovered Applications. Click Continue to complete the move.
This task only moves the user data from one personalization group to another. An
administrator must move the actual user from one group to another using the
Personalization Group > Membership Rules.
Refer to the Personalization Groups section for further details on how To Move Users
Between Personalization Groups Whilst Retaining Settings.
To drill further down the Discovered Application Usage report, click on a user bar to display
application name on the vertical axis and the Accesses (frequency) on the horizontal axis.
The bars display in either blue or grey. Both colors indicate that the application is not explicitly
configured in either a Whitelist or Blacklist. A blue bar represents a Discovered Managed
Application, indicating that the Manage All Processes option is enabled in Personalization Group >
Settings and data has been collected and can therefore be viewed. A grey bar represents a
Discovered Unmanaged Application, indicating that the Discover All Processes option is enabled
but the Manage All Processes option is disabled in Personalization Group > Settings, and
data has not been collected.
An application will be discovered only when Discover All Processes is enabled in
Personalization Group > Settings, which is disabled by default.
An application will be managed, when not explicitly configured, only when Manage All
Processes is enabled in Personalization Group > Settings, which is disabled by default.
From here you have the following options available on the right-click shortcut menu:
Delete <Application Name> Settings for <DOMAIN\User> - This option deletes the
cache for the selected application so next time the application starts it will revert to the
default settings.
View application file list - Only available on a blue bar. The View Application File List
dialog box displays. The cache files for the selected application are listed, and you also have
the option to delete.
Convert discovered application - This option is only available when selecting a blue bar
indicating a Discovered Managed application. Allows you to do the following:
On selection of one of the above options the Convert Application <application name>
dialog box displays. Complete the Application Name and Executable details and set the
Operating System and Application Version details, for example, you can use the
wildcard .* if you want all versions of the application to be added to the Applications list
and not just the version that has been discovered.
Delete ALL settings for <DOMAIN\User> - This option deletes all settings and archives
for the specified user. The Confirm Personalization Analysis Operation dialog box
displays, click Continue to complete the deletion.
Archives
Copies of the current database are taken automatically overnight and stored as backup
archives. Up to five archives are stored by default before the old ones are deleted.
A tree view displays the archives available for each application for the selected user.
You must select a specific User not All Users to produce the Available Archives report.
1. Select the required application and right-click to display the shortcut menu.
2. Select Archive <ApplicationName> now...
The Confirm Personalization Analysis Operation message box displays.
3. Click Continue.
A message displays to inform you the application settings were successfully archived.
4. Click OK.
The Archive displays under the relevant application in the Available Archives tree view.
Any archive can be selected for Rollback.
Rollback
Part of the disaster recovery capabilities of User Personalization is the ability to roll back to a
previous version of the personalization data, on a per application basis.
Rollbacks are available at the granularity of a day, unless you have manually created archives
other than the automatic overnight backups.
For more information on manually creating archives refer to To Manually Create an Archive.
The user is unable to restore a particular set of settings that were applied previously.
TO ROLLBACK
We recommend the user requesting the rollback is logged off during this procedure or
logged out of the relevant application.
1. In the Available Archives view select the required archive for the relevant application.
2. Right-click to display the shortcut menu.
3. Select Rollback to this archive.
The Confirm Personalization Analysis Operation message box displays.
4. Click Continue.
A message displays informing you the data is rolling back.
5. A message displays to inform you the application settings were successfully rolled back.
Click OK.
The rollback is complete. All application settings are restored to their state at the date of the
selected archive.
Authorized Users
Add authorized users.
The user that runs the Personalization Server Configuration utility is added to the database as an
authorized administrator. Initially, this is the only user that can connect to the database through
the console. This user can add users to the database via Authorized Users on the Tools ribbon
page > Security group.
The two roles that can be added are:
User - These users can view and modify the contents of the database.
Admin - These users can do everything a user can, as well as create other users.
Troubleshooting
This section includes some troubleshooting tasks:
User/groups membership
License installed
Auditing
This section provides details on AppSense Environment Manager Auditing and includes the
following:
Audit
Local Events
Audit
Auditing allows you to define rules for the capture of auditing information. It includes rules
about where event data is stored, for logging to a local file and the application event log, and
a filter for specifying the events you wish to capture in the log.
Local Auditing allows you to specify whether to log events in the Windows Application Event
Log or to a custom AppSense Event Log. Events can be written to a local file in CSV or XML
format.
By default, the log file is located at
%SYSTEMDRIVE%\AppSenseLogs\Auditing\EnvironmentManagerEvents_%COMPUTERNAME%.csv (or .xml)
An alternative location can be configured for the log file. In this mode auditing also includes an
event filter to log only specific events.
In Enterprise installations, events can be forwarded to the AppSense Management Center via
the Client Communications Agent (CCA). When using this method for auditing, event data
storage and filtering is configured through the AppSense Management Console. For more
information see the AppSense Management Center Administration Guide.
Reference
Summary
The following allows you to configure the event logging:
Send events to the Application Event Log
Select whether to send events to the Application Event log.
Text box
The path for the local log file. The default is:
%SYSTEMDRIVE%\AppSenseLogs\Auditing\EnvironmentManagerEvents_%COMPUTERNAME%.xml or csv
Local Events
The Event filter table is a comprehensive list of all events and is used to select the events you
wish to audit. You can sort the table numerically by ID number, or alphabetically by Event Name
or Event Description. Selected events are highlighted in bold. Click Toggle to change the states
between selected and cleared.
Table 9.1
Event ID  Event Name                                         Event Description
9300                                                         Information
9301                                                         Information
9302                                                         Information
9303                                                         Information
9304                                                         Information
9305                                                         Information
9306                                                         Information
9307                                                         Information
9308                                                         Information
9399      Software is not licensed                           Warning
9400      Lockdown edit control blocked drive                Information
9401      Lockdown edit control blocked text                 Information
9402      Lockdown accelerator keys blocked                  Information
9403      Lockdown dialog blocked                            Information
9404      Lockdown MSAA access blocked                       Information
9405                                                         Information
9406                                                         Information
9407                                                         Information
9408                                                         Information
9409      Computer startup action success                    Information
9410      Computer startup action fail                       Information
9420      User session reconnect action success              Information
9421      User session reconnect action fail                 Information
9422      User session disconnect action success             Information
9423      User session disconnect action fail                Information
9424                                                         Information
9425                                                         Information
9426      User session unlocked action success               Information
9427      User session unlocked action fail                  Information
9428                                                         Information
9429                                                         Information
9430      Process stopped action success                     Information
9431      Process stopped action fail                        Information
9432      Network connection action success                  Information
9433      Network connection action fail                     Information
9434      Network disconnected action success                Information
9435      Network disconnected action fail                   Information
9495      Not configured                                     Warning
9496      Configuration unsupported                          Warning
9501      Removable storage device has been disabled         Information
9502      Removable storage device has read-only access      Information
9650      Managed application start                          Information
9651      Managed application stop                           Information
9652      Personalization load error                         Error
9653      Personalization save error                         Error
9654      Blacklisted process started                        Information
9655      Personalization not saved                          Information
9656      Offline resiliency save started                    Information
9657      Offline resiliency save complete                   Information
9658      Personalization settings purged                    Information
9659      Personalization settings updated                   Information
9660      Personalization failed                             Error
9661      Timeout Communicating with Personalization Server  Warning

Event ID  Event Name                                         Event Description
9600      Failed to connect to Personalization Database      Error
9601      Windows Impersonation Logon Failed.                Error
9602      Failed database compatibility check                Error
System Events
The following are non-configurable system events:
Table 9.3
Event ID  Event Description
8000      Service Started.
8001      Service Stopped.
8399      No License
9495
9596
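The following triage pass over a local audit file in CSV form is an added example, not part of the AppSense guide or product. It uses the event IDs, names and levels from the tables above. The column layout (Time, EventID, Computer, User), the sample rows, and the assumption that system events 8000/8001 are written to the same file are illustrative, because the guide does not document the file layout.

```python
import csv
import io
from collections import Counter

# IDs, names and levels copied from the event tables on this page.
WATCHED = {
    9399: ("Software is not licensed", "Warning"),
    9495: ("Not configured", "Warning"),
    9496: ("Configuration unsupported", "Warning"),
    9600: ("Failed to connect to Personalization Database", "Error"),
    9601: ("Windows Impersonation Logon Failed", "Error"),
    9602: ("Failed database compatibility check", "Error"),
    9652: ("Personalization load error", "Error"),
    9653: ("Personalization save error", "Error"),
    9660: ("Personalization failed", "Error"),
}
LOCKDOWN_BLOCKED = {9400, 9401, 9402, 9403, 9404}  # "Lockdown ... blocked" events
TIMEOUT = 9661                                     # timeout talking to the server
SERVICE_STARTED, SERVICE_STOPPED = 8000, 8001      # system events

# Constructed sample, not real AppSense output. The column names are an
# assumption; check the header row of your own export and adjust them.
SAMPLE_CSV = r"""Time,EventID,Computer,User
2024-03-04T08:00:01,8000,WS-014,SYSTEM
2024-03-04T08:05:44,9400,WS-014,CORP\alice
2024-03-04T08:06:02,9400,WS-014,CORP\alice
2024-03-04T08:06:30,9403,WS-014,CORP\alice
2024-03-04T09:10:00,9661,WS-014,CORP\alice
2024-03-04T09:10:30,9661,WS-014,CORP\alice
2024-03-04T09:11:00,9661,WS-014,CORP\alice
2024-03-04T09:12:00,9653,WS-014,CORP\alice
2024-03-04T10:00:00,8000,WS-022,SYSTEM
2024-03-04T10:30:00,9601,WS-022,CORP\bob
2024-03-04T11:45:00,8001,WS-022,SYSTEM
truncated line from an interrupted write
"""


def parse_events(text):
    """Yield one dict per usable row; rows without a numeric EventID are skipped."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            event_id = int(row.get("EventID") or "")
        except ValueError:
            continue  # truncated or malformed line
        yield {
            "time": row.get("Time") or "",
            "id": event_id,
            "computer": row.get("Computer") or "",
            "user": row.get("User") or "",
        }


def triage(text, timeout_threshold=3, lockdown_threshold=3):
    """Return sorted (kind, computer, user, detail) findings for one log file."""
    findings = []
    timeouts = Counter()  # computer -> number of 9661 events
    lockdown = {}         # (computer, user) -> list of lockdown event IDs
    last_service = {}     # computer -> last 8000/8001 event seen
    # ISO 8601 timestamps sort correctly as plain strings.
    for ev in sorted(parse_events(text), key=lambda e: e["time"]):
        eid, host, user = ev["id"], ev["computer"], ev["user"]
        if eid in WATCHED:
            name, level = WATCHED[eid]
            findings.append((level.lower(), host, user, f"{eid} {name} at {ev['time']}"))
        elif eid == TIMEOUT:
            timeouts[host] += 1
        elif eid in LOCKDOWN_BLOCKED:
            lockdown.setdefault((host, user), []).append(eid)
        elif eid in (SERVICE_STARTED, SERVICE_STOPPED):
            last_service[host] = eid
    for host, count in timeouts.items():
        if count >= timeout_threshold:
            findings.append(("server-timeouts", host, "", f"{count} x 9661"))
    for (host, user), ids in lockdown.items():
        if len(ids) >= lockdown_threshold:
            distinct = ", ".join(str(i) for i in sorted(set(ids)))
            findings.append(("lockdown-burst", host, user, f"{len(ids)} blocked: {distinct}"))
    for host, eid in last_service.items():
        if eid == SERVICE_STOPPED:
            # Service stopped with no later start recorded in this file.
            findings.append(("agent-stopped", host, "", "last service event is 8001"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```

Only events selected in the Event filter reach the local file, so an empty result can mean the event was never audited rather than that it did not occur.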
Reference
10
Configuration Profiler
This section provides details on the Configuration Profiler and includes the following:
Report Type
Report Criteria
Report Output
Report Type
The configuration profiler allows administrators to report on the locally loaded configuration in
the console. General reports are produced to assist auditing and compliance such as Sarbanes
Oxley or HIPAA. Custom reports can be produced to assist troubleshooting of large
configurations.
The configuration profiler is a basic reporting tool that can be used to generate quick reports
based on the details of a loaded product configuration. The report can be generated in the
following ways:
Complete Report - Produces a report which includes all aspects of the configuration.
Report based on specific criteria - Produces a report which is based on the specified criteria
as selected in the Report Criteria section.
Enter an asterisk (*) as the criterion value to see all actions controlled by a particular type
of condition.
Report Criteria
Use the criteria to specify what is to be included in the report.
Enter the value to match for any of the following:
Computer Name
The criterion must be entered in full Active Directory format for example, CN=John
Smith, OU=AppSense, OU=AppSense User Account, DC=appsense, DC=com or
workgroup format for example, SERVER/Administrator, as entered in the user conditions
dialog.
Computer Domain
Computer Group
Computer IP Address
MAC Address
Service Name
OU Membership
Only finds OU Membership conditions with names matching the entered OU. Ignores the
Include all Sub-OUs option and the Member of field when matching a Query type.
Site Membership
User Name
The criterion must be entered in full Active Directory format for example, CN=John
Smith, OU=AppSense, OU=AppSense User Account, DC=appsense, DC=com or
workgroup format for example, SERVER/Administrator, as entered in the user conditions
dialog.
User Group
The criterion must be entered in full Active Directory format for example, OU=AppSense,
OU=AppSense User Account, DC=appsense, DC=com or workgroup format for example,
SERVER/Administrator, as entered in the user conditions dialog.
IS Administrator
Primary Group
The criterion must be entered in full Active Directory format for example, OU=AppSense,
OU=AppSense User Account, DC=appsense, DC=com or workgroup format for example,
SERVER/Administrator, as entered in the user conditions dialog.
Process Name
Client IP Address
Custom Condition
The name of the condition is used to look up custom conditions. Enter * to display all
custom conditions.
Report Output
The report output is produced in sections and sub-sections.
In the preview window you can change the following:
Paper
Size
Watermarks
Options to Save the report in various formats, for example PDF, and to Print the report are also
available from this preview view.
APPENDIXES
This section provides additional or supporting information about topics covered in the Guide
and includes:
System Requirements
Wildcards
Licensing
Streamed Applications
System Requirements
This appendix provides details on the system requirements for AppSense Environment Manager.
Supported Operating Systems
The following 32-bit and 64-bit Operating Systems are supported:
Supported Technologies
Citrix XenApp
Citrix XenDesktop
Required Components
The following components are required when using the Personalization Server:
Installed Components
The following components are installed as part of the AppSense Management Suite Installer:
Triggers and Actions
The table shows which Actions can be assigned to which Triggers in Policy Configuration.
This appendix lists all of the default settings for the Quick Setup Wizard which is on the
Actions ribbon page > Actions group.
Internet Explorer
Lockdown
Miscellaneous Settings
Self Healing
Remove Set Program Access and Defaults from the Start Menu
Remove Windows Security from the Start Menu (Terminal Server only)
Disable Screensaver
The Find and Replace feature enables you to search for specific text within your configuration
and replace it with new text. You can conduct the find and replace from the top level Policy
Configuration node or any subsequent level; the search is then carried out on all lower levels.
To include configured conditions in the Find you must select the top level Policy
Configuration node when using Find and Replace.
1. Click on the level from which you want to conduct the find and replace.
2. Select the Find and Replace ribbon button on the Nodes ribbon page > Edit group.
The Find and Replace dialog box displays.
3. Enter the text you want to find in Find What.
4. Click Find to display any matches in the Matches section.
5. Enter the replacement text in Replace With.
6. Select any of the Find Options required. You can choose one or more of the following:
Match Case - To return any words that match the case entered.
Match Whole Word - To return any words that match the whole word entered.
Use Regular Expressions - To return any words that match the text pattern/regular
expression entered. See the Wildcards appendix for further details.
7. Select which instance/s of the text you want to replace from the list displayed and click
Replace, alternatively click Replace All to replace all text found.
8. Close the dialog box.
Wildcards
This appendix contains a list of Wildcards that are supported when using Actions and
Conditions and the Lockdown functionality in AppSense Environment Manager.
Table E.1 Supported Wildcards
Metacharacter  Meaning
*              Matches zero or more of any character, for example *at would match cat, bat, at and so on.
?              Matches any single character, for example ?at would match cat but not at.
[abc]          Character group. Matches any character in group, for example bat passes.
[abc!]         Negative character group. Matches any character not in group, for example cat fails but dog passes.
Licensing
AppSense Environment Manager allows you to create and manage AppSense product licenses.
This section provides details about using the console, and includes the following:
Managing Licenses
Troubleshooting
About License Manager
Manage licenses for single products, the AppSense Management Suite or Evaluation
licenses.
Export license packages to MSI file format for saving to the AppSense Management Center
or other computers which can be remotely accessed.
It is recommended to use the Management Center Enterprise Licensing for Enterprise
installations.
License
Description
Activate
AppSense Management
Suite
Application Manager
Performance Manager
Environment Manager
Evaluation
Managing Licenses
The following procedures show how to add and activate a new license, and how to import and export
licenses as Microsoft Windows Installer (*.msi) files for distribution to other computers or to
back up a set of licenses.
1. Click Add to create a new entry in the license grid and enter the license code in the License
Code entry box.
You can manually enter each digit or copy and paste the license straight in to the entry box.
When a license entry is highlighted, a description displays in the lower portion of the
console and includes the following details:
License Code
Expiry Date
2. Click Activate to enter the activation code by entering each digit manually or copy and
paste the activation code directly in to the Activation Code entry box, and click Enter.
The description in the grid view updates with the license information as do the details
about the license validation status and, where relevant, the expiry date, in the lower portion
of the console.
Once a license is active, the icon changes to indicate the current license state.
3. Save the configuration to confirm your settings.
1. Click Import to display the file Open dialog box and navigate to the location of the license
MSI file.
2. Click Open to load the license file in the Environment Manager.
1. Click Export to display the file Save As dialog box and browse to the location for saving
the license MSI file.
2. Provide a name for the file and click Save to save the file.
You can copy this file to any network location and load the file in Environment Manager
or in Management Center Enterprise Licensing.
Troubleshooting
I received an AppSense license, what do I do?
If you have received an AppSense product license, from AppSense, you can load the license by
launching the Local Licensing Console on your client computer and entering the license code
and activation code.
Enter the product license exactly as received. Once a license has been successfully entered, the
system updates the description details stating the products and duration for which the license is
valid.
I have entered an AppSense license, but it is for evaluation, what does this
mean?
If you are trying an AppSense product before purchasing, the product installs with an option to
automatically install an evaluation license. Evaluation licenses are limited to 21 days, during
which time you can familiarize yourself with the product.
Once the expiry date has been reached, contact AppSense to obtain a full license to continue
using the product.
I have entered an AppSense license, but it says it is not activated, why?
AppSense licenses require activation, apart from evaluation licenses, before they can be used.
Activation codes are provided by AppSense. Activate a license by entering the activation code.
For more information, see Managing Licenses.
I have tried to enter an AppSense license, but it says it is invalid, what can I
do?
Check that the license code has been typed correctly. Check it is a license code and not an
activation code that has been entered.
If you are still sure you have entered the license correctly but it is not accepted, contact
AppSense support.
This appendix provides details on how to set up replication and includes the following:
Principles
Prerequisites
Initial Steps
Principles
Environment Manager Personalization Server replication requires one database to be the
master, and the other databases to be subscribers, in replication terms. If the systems are a mix
of SQL Server 2000 and SQL Server 2005 systems, the master must be a SQL2005 system.
SQL Server 2008, SQL Express and MSDE databases are not supported.
It is important to realize that when a subscriber system is first added, all the existing data is
deleted and replaced with data from the master. After replication is set up, data can be
created on the subscriber and merged with the master regularly.
Prerequisites
The setup files required can be found, for a default installation on Drive C:, in the folder
C:\Program Files\AppSense\Environment Manager\Personalization Server\Replication
on any personalization server. This folder should be copied to the master SQL Server database
machine, if it is not a personalization server itself.
Initial Steps
1. Ensure that all SQL Server 2005 databases are set for remote access. This is done with the
SQL Server 2005 Surface Area Configuration Tool.
Remote Access is not the default.
2. Ensure that Personalization Server databases have been created on all servers, by installing
Personalization Servers connecting to the databases.
3. Ensure that any firewall software allows remote access to SQL Server. This affects Windows
Server 2008 systems, where the firewall is enabled by default.
For further information on Microsoft Server 2008 systems refer to the Microsoft Help.
4. The master database requires that the replication folder is shared, as the scripts
ConfigAC.sql, ConfigDC.sql, DataDC.sql and DataAC.sql are accessed through this share.
Ensure the share is set up before starting the setup process. The setup file will ask for the
UNC path of the share. For example \\Server1\Replication.
5. The SQL Agent service on the master must be running under an account that has sysadmin
database access to all servers via Windows Authentication. This is not the default. The
account can be changed with the Services applet in Administrative Tools.
6. To run the setup procedure you must be logged in to an account that has sysadmin
database access to all servers via Windows Authentication.
These files can be found in either the SQL2000 or SQL2005 subfolders of the Replication folder,
and are always run on the master database machine. Select the correct subfolder for your
master and run the files either by opening a command prompt and entering the name of the file
when in the current directory, or simply double-clicking on the files from Windows Explorer.
SetMasterUp prompts for the following information:
• Server instance name and personalization database name of the master database.
• Path for the snapshot folder. This is a scratch folder used by replication. The command file
should offer a standard default which is OK to accept.
• UNC path for the drop/add constraint scripts. This is the share from step 4 in the Initial Steps.
The command file then sets up the master and for convenience automatically runs
AddSubscriber.cmd.
Streamed Applications
This section provides details on how to allow Environment Manager to work with Streamed
Applications and includes the following:
Citrix XenApp
Citrix XenApp
To set up Citrix XenApp to work with Environment Manager functionality you need to specify
certain exclusions, as follows:
1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties.
The Target Properties screen displays.
5. Select Rules.
The Rules work area displays on the right hand side.
6. Click Add in the Rules work area.
The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Named Objects and click Next.
The New Rule Select Objects dialog box displays.
9. Select All Named Objects and click Next.
The New Rule Name Rule dialog box displays.
10. Enter a name for the rule or accept the default and click Finish.
11. Click OK.
The Target Properties screen re-displays and the Ignore all named objects rule is now
listed in the work area on the right hand side.
H STREAMED APPLICATIONS
Microsoft SoftGrid 4.2 and Microsoft App-V 4.5
Glossary
ADM
ADMX
Agent
Blacklist
CCA
Client Communications Agent
Configuration
Configuration File
Configuration Profiler
Console
Deploy
Deployment
Desktop Settings
Discovered Managed
Discovered Unmanaged
Fixed
Instance
Lockdown
Management Server
Personalization Analysis
Personalization Server
Personalization Server Configuration Utility
Policy Configuration
PVC
Regular Expression
Reusable Condition
Reusable Node
Self Healing
Site
Trigger
User Personalization
Whitelist
Whitelisted Application
Wildcards
ADM
ADM files are template files that are used by Group Policies to describe where registry-based
policy settings are stored in the registry.
ADMX
ADMX files are template files that are used by Group Policies to describe where registry-based
policy settings are stored in the registry for Microsoft Windows Vista and Server 2008.
Agent
An executable component of the AppSense software which takes actions according to
AppSense product configuration settings. For example, the Environment Manager agent is
software that runs as a Windows service to carry out tasks on a computer, as specified by the
configuration deployed to that computer.
Blacklist
Applications which are excluded from User Personalization management.
CCA
Client Communications Agent. See Client Communications Agent.
Client Communications Agent
Installed on computers operating in centralized management mode to provide a link between
the product agent running on a managed computer and the AppSense Management Center.
The CCA sends event data generated by the product agents to the Management Server and
also polls the Management Server and manages the download and installation for software
configuration, agent and package updates.
The CCA can be downloaded and installed directly on managed machines from the
Management Server website.
Configuration
A collection of settings created in the Environment Manager console that details how Triggers,
Actions, Conditions, Lockdown and Self Healing should be controlled on a computer to which
the configuration is deployed. In the Environment Manager console, a tree of component
settings is used to graphically represent the configuration while it is created and modified by the
Administrator. A configuration file may then be saved from the console for deployment or for
editing at a later time.
Configuration File
An Environment Manager configuration saved from the Console in .aemp file format. The file
can be installed on any computer and the configuration rules applied when Environment
Manager Agent is running as a Service on a computer.
Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow you
to query settings affecting specific users or groups, devices and files or folders.
Console
AppSense management software interface.
Deploy
To deliver a configuration file or installation package for an AppSense agent to one or more
computers (this may include the local machine).
Deployment
Deploying a configuration or software installation using the AppSense Management Center.
Desktop Settings
User Personalization session-specific settings, which include: Accessibility, Appearance,
Keyboard, Mouse, Language, Screensaver, Cursors and Certificates.
Discovered Managed
A discovered managed application is an application that is not explicitly configured (in either a
Whitelist or Blacklist) but is managed, with data collected, when Discover All Processes and
Manage All Processes are enabled in Personalization Group > Settings > Processes.
Discovered Unmanaged
A discovered unmanaged application is an application that is discovered and listed as an
application that has been run. However, it is not explicitly configured in either a Whitelist
or Blacklist and is not managed, so no data is collected. A discovered unmanaged application
is recorded when Discover All Processes is enabled and Manage All Processes is disabled in
Personalization Group > Settings > Processes.
Fixed
A fixed node is one that cannot be deleted or edited.
Instance
Any process that has been launched to create a running application. There may be more than
one instance of an application at any particular time.
Lockdown
Mechanism to restrict or disable access to specific application and operating system
functionality, keyboard shortcuts, MS Office application menus and toolbars. Conditions can be
applied to lockdown actions to offer comprehensive lockdown in varied scenarios.
Management Server
The machine on which product configurations and configuration versions are stored, from
which configurations can be deployed to machines designated by the Administrator.
Personalization Analysis
Enables administrators to monitor which applications are being controlled by Environment
Manager, including how much data is being stored, to convert discovered applications to
Whitelists and to roll back to Personalization restore points.
Personalization Server
Acts as a broker between the client and database, providing a secure channel to read and write
the Personalization data.
Personalization Server Configuration Utility
A dual-purpose tool. The first time it is run, it configures the Personalization Server website
and creates the database with the correct accounts. Subsequent runs check that the
configuration is correct and report any variances.
Policy Configuration
Enables the administrator to configure both default and enforced corporate policies that can be
applied to either the computer or user under a number of different scenarios.
PVC
Personalization Virtualization Component is responsible for redirecting reads and writes of
profile data from within a managed application.
Regular Expression
Often called a pattern, a regular expression describes or matches a set of strings. Regular
expressions are usually used to give a concise description of a set without having to list all
its elements, and to search and manipulate bodies of text based on certain patterns.
Reusable Condition
Conditions that can be used multiple times within a configuration, ideal for grouping common
sets of conditions together that will regularly need to be run in a variety of circumstances.
Reusable Node
Nodes that can be used multiple times within a configuration, ideal for grouping common sets
of actions together that will regularly need to run in a variety of circumstances.
Self Healing
Mechanism to automatically restore environment items, including files, processes, services or
registry keys. Conditions can be applied to Computer or User self heal actions.
Site
A logical grouping of Clients and Personalization Servers communicating with a database.
Trigger
Preset User and Computer events that trigger actions and conditions.
User Personalization
Provides the ability to capture the changes that users make to their applications on a
per-application basis, and to desktop settings on a per-session basis, and to restore the
settings when required.
Whitelist
Applications which are included in the User Personalization management.
Whitelisted Application
An application that is in the Whitelist in the user's Personalization Group.
Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the
Environment Manager Console. The asterisk represents one or more characters, excluding the
backslash (\) character, whilst the question mark represents one character, excluding the
forward slash (/) character. Both wildcard characters can be used in any part of a file path,
including the drive letter for local paths.
For example, c:\sample path\test?\*.exe matches all files with the .exe extension that exist in
the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn, etc. But since
the question mark can only replace one character, it does not match c:\sample path\test100.
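The wildcard rules in this entry can be modelled as a small matcher, which helps when checking how far a path pattern reaches before it is used in a configuration. This is an added example, not AppSense code: the function names, the sample paths and the case-insensitive comparison are assumptions, and the product's own matcher may differ.

```python
import re

def em_wildcard_to_regex(pattern, ignore_case=True):
    """Translate a path pattern using the glossary's wildcard rules to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")      # one or more characters, never a backslash
        elif ch == "?":
            parts.append(r"[^/]")        # exactly one character, never a forward slash
        else:
            parts.append(re.escape(ch))  # everything else is a literal character
    # Assumption: compare case-insensitively, as Windows file systems do by default.
    return re.compile("".join(parts), re.IGNORECASE if ignore_case else 0)

def matches(pattern, path, ignore_case=True):
    """True when the pattern covers the whole path, not just a prefix of it."""
    return em_wildcard_to_regex(pattern, ignore_case).fullmatch(path) is not None

def scope(pattern, paths):
    """Return the subset of paths that the pattern would cover."""
    return [p for p in paths if matches(pattern, p)]

# The guide's own pattern, tested against constructed sample paths (not from the guide).
PATTERN = r"c:\sample path\test?\*.exe"
SAMPLE_PATHS = [
    r"c:\sample path\test1\app.exe",      # covered
    r"C:\Sample Path\Test2\SETUP.EXE",    # covered (case-insensitive assumption)
    r"c:\sample path\test100\app.exe",    # not covered: ? is a single character
    r"c:\sample path\test1\sub\app.exe",  # not covered: * stops at a backslash
    r"c:\sample path\test1\.exe",         # not covered: * needs at least one character
    r"c:\sample path\test1\app.exe.bak",  # not covered: pattern must match to the end
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print("MATCH   " if matches(PATTERN, path) else "no match", path)
```

Because the asterisk never crosses a backslash, a pattern such as this one covers a single folder level only; subfolders need their own pattern.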