If you’re using Microsoft App-V to deploy packages to users, you know the benefits of virtualized applications. But you still have a big problem:
Once the application is deployed, how do you mange, change or configure that application? Microsoft App-V has NO Group Policy support inside of sequences. So, if you needed to tweak a configuration file, edit the registry, or otherwise configure your App-V packages, you’ve got a real problem.
See this detailed blog entry and example.
Good news for you: We’ve got that problem totally handled.
Watch this video (exclusively for App-V administrators) to see exactly how to manage App-V sequences using Group Policy using PolicyPak:
You’re smart. You picked App-V to make application deployment easier.
Now, you can be smarter to make application management easier too.
Microsoft should have baked the ability to use Group Policy into App-V sequences. But they didn’t. So, we did it for them – with PolicyPak.
So now, if you need to change a setting, you don’t have to re-open and re-sequence that package.
You can create your own PolicyPak for your applications to manage all the application’s settings, or use one of our preconfigured Paks for lots of common applications like Firefox, WinZip, Office 2010 and more.
You’ll be managing your App-V sequences’ settings using Group Policy – quickly and easily.
There’s nothing extra to buy – this functionality is all included when you’re a PolicyPak Professional customer.
PolicyPak was designed by Group Policy MVP Jeremy Moskowitz – who “wrote the book” on Group Policy, runs GPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown.
When you’re ready to manage your App-V packages using Group Policy, PolicyPak is here for you.
Manage App-V applications dynamically with Group Policy video transcript
Hi, this is Jeremy Moskowitz, Founder of PolicyPak Software and Group Policy MVP. I want to show you in this video how you can use PolicyPak and Group Policyto deliver settings to any Microsoft App-V virtualized application.
Let’s go ahead and run this first one. This is “WinZip.” You can see it’s launching WinZip for the first time coming down from the server. What you’ll notice if you consider what users see, they go to “Options/Configuration…” and there’s a lot of stuff for users to get wrong here.
You might have a situation where you want to deliver the settings separately for one OU versus another OU, and we can talk about any kind of application. Of course, this application stores its things in the virtual registry.
Let’s go ahead and look at another application, which would be Firefox. If you run Firefox, you can see it’s launching Firefox from the server, coming on down from the App-V streaming server, and it will launch. The thing about this application is that, just to make things difficult, Firefox doesn’t store its items in a registry. No, it stores its stuff in the file system – in a very strange place in the file system, no less.
What we want to try to do is to see if we can use application virtualization plus PolicyPak to deliver settings to these applications. To do this, to get started here we’re going to go over to this other machine, which is acting in multiple capacities. One of the things that it’s doing is it has our PolicyPak Creation Station utilities on it, called the PolicyPak Design Studio.
We’ll go ahead and click “Start,” and fire up the “PolicyPak Design Studio” utilities. We can see the “Group Policy Management” console here in the background. We’ll get to that in a moment. On the download for PolicyPak, what we’ll see is a bunch of our PreConfigured PolicyPaks. Now PolicyPak can either be used with a PreConfigured PolicyPak, or you can design your own with the PolicyPak Design Studio.
To get started here, what we’re going to do is we’re just going to take over the “Firefox” Pak. I’ll just copy that XML file here. I’ll also take over the “WinZip” Pak, which I’ve got here. What I’m going to do is I’m going to “Load a project from XML file.” Again, these are PreConfigured Paks. You could start a new project if you want to, but we’re just going to “Load a project from XML file” here.
We’ll go ahead and click on “WinZip” first. Now when WinZip comes up in the PolicyPak Design Studio, it’s already prebuilt from our company ready to rock. But the one thing we don’t know is what the App-V application GUID is, because when you repackaged your version of WinZip and somebody else repackaged their version of WinZip, it’s going to have a different App-V GUID.
On my server here, in the “C:\SGContent” directory, I have a bunch of virtualized applications. I can see I’ve got WinZip and Firefox and a bunch of other things here. Well, with PolicyPak Design Studio, we make this super easy. Like I said, we’ve already preconfigured this Pak for all the knowledge we need.
But when we click on the “Project Properties” here, we can see the “Microsoft AppV compatibility” flyout. We’ll go ahead and click on the “GUIDs.” We can either “Add GUID manually” or “Add GUID automatically from OSD file.”
All we’re going to do is bang in the “C:\sgcontent” directory. We can see we’ve got WinZip 14, Firefox and a couple of other applications there. I’ll click on “WinZip 14” here. It jams in the GUID. This is a registry virtualized application, so we’re going to be able to punch in all these items right into the virtual registry.
No changes are required on the App-V package. All we’re going to do is take our PolicyPak and “Save pXML and Compile” it. We’ll use it in just a moment. We’re going to do the same thing for also Firefox, because the idea is again somebody in Company A might have created the App-V package and it has one GUID and another person might have a different one.
Let’s go to “Desktop” here. We’ll click on “firefox.” There’s our Firefox Pak. Again, it’s preconfigured, ready to rock right out of our company here. We’ll click on “Project Properties.” I have a GUID in there already, but I’ll show you how we do this. I’ll go ahead and “View, edit or delete existing GUIDs” just for fun. We’ll get rid of this guy here.
Now what I’ll do is I’ll click on the same thing “…” and I will “Add GUID automatically from OSD file,” pick “C:\sgcontent” and there is my “Firefox” application, and it jams in the correct GUID there. That’s it. I’ll go to “Compilation,” and I’ll “Save pXML and Compile.” Again, this is preparing it for use inside of Group Policy.
Alright, now all we’re going to do is to “Create a GPO” here. We can call this Group Policy Object “Configure Winzip and Firefox.” Two separate things, but we can do that in the same PolicyPak if we want to. We’ll go ahead and click “Edit…” here. This is hooking right into the Group Policy infrastructure. We’ll go to “New/Application,” and we’ll do “PolicyPak for WinZip 14 and 15” first.
In WinZip, we’ll go ahead and we’ll deliver some “Passwords” settings. We’ll go ahead and check all these guys here. We’ll jam this guy up to 11, but we’re going to go an extra mile here. We know that it’s in the virtual registry, but we can also on the fly make sure users can’t manipulate the settings.
So we’ll "Disable corresponding control in target application.” We’re literally going to gray it out. We’ll also gray it out here, and we’ll also "Hide corresponding control in target application" on this last one just for fun.For Cameras, we’ll right click over “Cameras” and we’ll also"Disable whole tab in target application."So we’re actually manipulating that guy on the fly.
That’s it. We’re delivering settings to both a virtualized registry based application and a file based application. We’re logged in as the correct user here. Let’s go ahead and run GPUpdate. We could also log off and log back on, if we were so inclined. As soon as this is done, we have locked and loaded everything we need.
We’ll start out by running “WinZip” here. Again, this application is being launched from the App-V server. We’ll go ahead and click “Options/Configuration…” here. Click on “Passwords,” and sure enough it has dictated the settings directly into the virtual registry. We can see here we’ve also manipulated the application so it can’t be changed. We can’t change that as a user. Also, we’ve eliminated that tab from being checked upon.
What’s more, if the user unchecks these checkboxes and goes to rerun the application, just as soon as they rerun the application we keep those settings permanent. So if they do figure out a way to work around those settings or you decided not to configure them, the next time the application runs we jam those settings directly back in.
Let’s go ahead and check out Firefox since we’re here. We’ll go ahead and run “Mozilla Firefox” here. If all went well, we see that we’ve got the “www.Test1.com” as we expected. Even if a user decides they want to go in here, change this to “www.test5.com” or something that they shouldn’t really be doing, again the very next time that they try to run Firefox what’s going to happen? We’re going to ensure that the settings that we set using PolicyPak are back for the user.
One last thing, let’s go ahead and make this policy fall out of scope. We’ll go ahead and “Delete” this GPO, which means that none of the users in the OU will get affected anymore. Let’s go ahead and run GPUpdate again on this machine. What do we expect to happen? Well, the settings that we said to revert will revert back. The settings that we said to leave alone will be left alone. All the App Lock stuff, all those lock out functions that we have, will be removed from the client machine.
Let’s go ahead and check it out. Let’s go ahead and run “WinZip” first. Go to “Options/Configuration…” here, and sure enough we’ve got all the lock out stuff removed. We didn’t tell it to revert the settings back, but it absolutely would. PolicyPak has a superpower to revert the setting to the default value when it’s no longer applied.
Let’s go ahead and check that out in Firefox, and sure enough. If you go to “Tools/Options…” here, you’ll see that it got delivered back to “about:blank,” which is the absolute default that Firefox has.
So the key takeaway with regards to PolicyPak and App-V is you get to sequence your application one time and then change the settings to various OUs on the fly. We’ll deliver the settings, lock out the applications UI so users can’t possibly work around it. Even if they do, we replace those settings back the very next time that the application is run.
I hope that gives you a lot of insight. A lot of folks love the idea of being able to tap into both the virtual registry and the virtual file system on the fly using technology they already have, which is the Group Policy infrastructure.
Thank you very much for watching, and looking forward to seeing you test out PolicyPak Software.
Thanks so much.