XenApp packages with Group Policy

If you’re using VMware ThinApp to deploy packages to users, you know the benefits of virtualized applications.

But you still have some big problems:

  • Once the application is deployed, how do you manage, change or configure that application?
  • How do you prevent users from working around your important application settings?
  • How can you maintain those settings even when the computer is offline?
  • Good news for you: We’ve got that problem totally handled.

Watch this video (exclusively for VMware ThinApp administrators) to see exactly how to manage ThinApp packages using Group Policy and PolicyPak:

So, if you needed to tweak a configuration file, edit the package’s registry, or otherwise configure your ThinApp package, you’ve got a real problem.

You would have to:

  • Re-open the package
  • Make those settings
  • Re-build and
  • Redeploy

Then, if a user worked around your settings, what would you do next?

Instead, you can be smarter and have the right tool to manage those ThinApp packages – after those packages are already deployed.

You can create your own PolicyPaks for your applications to manage all the application’s settings, or use one of our preconfigured Paks for lots of common applications like Firefox, WinZip, Office 2010 and more.

There’s nothing extra to buy – this functionality is all included when you’re a PolicyPak Professional customer.

PolicyPak was designed by Microsoft MVP, Enterprise Mobility Jeremy Moskowitz – who “wrote the book” on Group Policy, runs MDMandGPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown.

When you’re ready to manage your ThinApp packages using Group Policy, PolicyPak is here for you.

Click on Webinar to get the software and try it out for yourself.

Manage ThinApp Packages with Group Policy and PolicyPak

Hi, this is Jeremy Moskowitz, Founder of PolicyPak Software. In this video demonstration, I’m going to show you how PolicyPak can use Group Policy to configure ThinApped apps.

Let me show you what I’ve got here on my target machine. I’m just logged on as some regular guy. If I go to the “Control Panel” and I got to “Uninstall a program” here, I just want to show you that we have very little running on this machine. I just have the “PolicyPak Client Side Extension” and absolutely no other applications installed.

If I were to try to connect to a network share that might have something like “Acrobat Reader X” here and run the “bin” of that – I’ll go ahead and click “Acrobat Reader X” here – you can see that ThinApp application is launching on the bottom right real fast and the application will run.

Now that it’s running, the trick is how can you use Group Policy to manage the important settings in this application? You might prebake them into the application, but then there’s absolutely nothing preventing a user from unchecking checkmarks like this or like that and just doing things that they really shouldn’t do, for instance. If they have admin rights, the can click on “Automatically install updates” and all sorts of things you don’t want them to do.

What we’re going to show you is a couple of applications in a row and how to use Group Policy with PolicyPak in order to configure that.

What we’re going to do next is for all of our “East Sales Users” we’re going to “Create a GPO in this domain, and Link it here…,” and we’ll call this “Acrobat with Group Policy and Thinapp.” We’ll right click over this, and we’ll click “Edit…” here. We’ll dive down under “User Configuration/Policies/PolicyPak/Applications/New/Application”and we’ll pick “PolicyPak for Acrobat Reader X.”

We’ve got over 35 preconfigured applications paks ready to go, and Acrobat Reader is one of them. You can create your own using the PolicyPak Design Studio and manage any ThinApp application.

But for now for “JavaScript,” we want to make sure that this “Enable Acrobat JavaScript” checkbox is in fact unchecked. While we’re here, we’re going to go the extra mile. PolicyPak has a superpower where we can right click over and “Disable corresponding control in target application.” We’re going to literally gray it out so a user can’t work around this setting.

For “Security (Enhanced)” we want to make sure that “Enable Enhanced Security” is in fact enforced on. So we’re going to right click over that guy and also “Disable corresponding control in target application.” So we’ve checked it, and underline means we’re going to deliver a checked box.

For “Updater,” maybe we made a mistake inside our package and we have it set to “Automatically install updates.” We can guarantee it and dictate “Do not download or install updates automatically.” Once again, we can right click over it and “Disable corresponding control in target application” or “Hide corresponding control in target application.”

We’ve locked and loaded our directives inside Group Policy land. Let’s go ahead and before we rerun Acrobat Reader,we’re going to run “gpupdate” and we’re going to get the latest, greatest Group Policy settings from Active Directory. We’ve loaded our directive inside of Active Directory. With a GPUpdate, we’re downloading those directives.

The very next time we go to run Acrobat Reader, the ThinApp app, something special’s going to happen. We’re going to call PolicyPak automatically. You can see that “Acrobat Reader” is running right here. The next time the user goes to“Edit/Preferences…” inside Acrobat Reader, let’s go right to “JavaScript,” check it out. We’ve unchecked the checkbox just like we wanted to, and we’ve grayed out the setting so the user can’t work around the setting.

This is not some magical version of Acrobat Reader. It’s the version that you get, that I get, but we at PolicyPak have the ability to dictate the settings and restrict the UI control. We’ll dive down under “Security (Enhanced).” We’ve checked that checkbox here. If we go to “Updater,” we’ve also again set the proper setting and guaranteed it to lock it down just like that.

Let’s go over another example real fast. Here in my little “thinapps” directory I also have “WinZip 14.0.” Let’s go ahead and run “WinZip”really fast just to prove a point here. We’ll go ahead and run WinZip. There’s the ThinApp version. It’s doing its thing. I don’t want any of that stuff.

If I go to “Options/Configuration…” you can see I’ve got all these settings for a user to possibly mess up inside their ThinApp app. What we’re going to do is we’re going to use Group Policy to dictate those settings.

We’ll go ahead and create a new Group Policy Object here. We’ll call this “WinZip Settings.” Again, I want to stress that even though PolicyPak has preconfigured paks for these common applications, you can build your own using our Design Studio. No matter what your ThinApp app is, custom or common, you can immediately and very quickly create an application settings directive using PolicyPak.

We’re going to dictate all four checkboxes here. We’ll jam this guy up to “11.” While we’re here, we’re going to right click and “Disable corresponding control in target application.”We’ll once again restrict this setting so it can’t be worked around.

We’ll also right click over and we’ll “Hide corresponding control in target application”for this one and we’ll “Disable corresponding control in target application”for this one. So we’re doing some magic over there.

For “Cameras,” we can lock out the entire “Cameras” tab. We’ll “Disable whole tab in target application.”We’ll literally remove the ability for the user to manipulate that.

Let’s go back over to our application here, and let’s go ahead and run “gpupdate” and see what happens here. We’re getting the latest, greatest directives. Once this is done, let’s go ahead and run “WinZip” and see what has in fact occurred. Go ahead and run WinZip here. We can see WinZip launching there. Of course, we don’t want to be asked that. Of course, you can configure this using PolicyPak. I just didn’t choose to do that.

Now if we go to “Options/Configuration…” let’s see what occurred here. Notice how the UI lockout occurred. We said to lockout the “Cameras” tab. We said to hide a setting and disable a setting. But if you’ll remember, I said to set “Minimum password length” up to “11,” and I also checked all four of those checkboxes. Well, why didn’t that occur?

Well, the thing about ThinApp applications is that they run in their own sandbox. Now the good news about PolicyPak is that we can get into the sandbox if you let us. I just want to show you exactly what you would do for your own applications if they are already ThinApped and what you’re going to do.

It turns out that all you’re going to do is take an existing little vb file – there it is, this is the extent of the modifications – you’re going to take this little vb file that’s going to execute the process called “ppupdatew /thinapp” (that’s our command). What this does is it says go ahead and read the Group Policy settings that we’ve already staged using GPUpdate and then bring them into the virtual sandbox.

Now I did that for the other application. I did that for Acrobat Reader just to prove a point. I didn’t do it for WinZip also to prove a point. I’m just showing you what you’re going to have to do in your ThinApp application.

We’re going to copy “pp.vbs” into the “WinZip 14.0” directory. This is my “ThinApps” directory here. Once that’s in there, and you can see it’s listed right there as “pp.vbs,” that’s all you’ve got to do. At this stage now, you just rerun your “build.bat.”

Again, this is standard practice for creating ThinApp packages. If you have ever created ThinApp packages, you’ve done this before. It’s super simple. We’re done. That ThinApp application has got the little boost it needs right there, “pp.vbs,” to pick up the PolicyPak secret sauce.

We actually don’t even need to run GPUpdate, but we’ll go ahead and do it anyway just for fun. We’ll run “gpupdate” here. Now the very next time we run WinZip, the WinZip ThinApp version is going to run that little “pp.vbs” file that’s going to call our secret sauce. Now the next time we run “WinZip,” we’re going to see the settings backed right into WinZip right like that.

If a user goes and they do things they shouldn’t do, is that the end of the world? No. Well, let’s go ahead and see what happens if we rerun “WinZip.” What happens? We go to “Options/Configuration…,” it just puts it right back.

We can dictate those settings to the application no matter what that application is – if it’s registry based, if it’s file based. You see I’ve got a bunch of applications here to play with. I’ve got “Mozilla Firefox” and “OpenOffice3” or “Acrobat Reader X” or “WinZip 14.0.” No matter what the application is, if you’ve ever said to yourself that you wanted to dictate the settings into the application using Group Policy and optionally lock it down, well, we can now do it using PolicyPak for ThinApp applications.

We also do it for Microsoft Application Virtualization (App-V) and also for XenApp from Citrix as well. There are other demonstrations on the website that show that, but I wanted to show you here for ThinApp.

That’s it for now. If you have any questions, we do have a section on this in our manual, and we’re also happy to field questions as you need to.

Thanks so much for watching, and talk to you soon.