NEW FEATURE No. 1 – AppSense Environment Manager 8.0 Service Pack 2 – Run As

August 24, 2009

This is the first installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2. (If you have not yet downloaded this latest release, you can read more info and download it from here.)

AppSense Environment Manager 8.0 Service Pack 2 introduces a new option – Run As.

This emulates the Microsoft Run As command and allows actions to be executed in the context of another, specified user, for example launching an application in a different user context.

When selecting the Run As tab in an action you are presented with one, two or three options:

Current User: Available on all relevant User actions. This is the default selected method and runs the action in the context of the logged on user.

System: Available on all actions. This is the default method for Computer nodes and runs the action in the context of the System user.

User: Available on all relevant User actions. On selection of this option the administrator is prompted to select a friendly name to run as. If no friendly name exists, the Run As Library can be launched where friendly names, usernames and passwords can be stored for re‐use.

The friendly names are stored in the configuration in a reusable library section. Each friendly name is accompanied by the username and password. The password is encrypted with a public key, which makes the encryption one‐way for anyone who holds only the configuration. This prevents passwords from being reverse engineered.

During installation of the AppSense Environment Manager Agent, the private key is added to the machine's key store. This is a write-only store, i.e. it cannot be read.

When an action is run as a specified user the associated username and password are used to impersonate said user. AppSense Environment Manager uses a handle to the private key to decrypt the password at this point.

Note: The Run As specified user only impersonates that user. This means the user’s profile and registry hive are not loaded from the domain due to the associated overhead. This results in the environment variables for the action representing the System user and not the currently logged on user or specified user.

Note: This is both a very powerful and potentially dangerous function. Even though the password is encrypted, the username and password pair can be applied to any action and a malicious user may be able to alter the configuration to possibly bypass security. Therefore, this function must be used with extreme care.
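Because the stored credential can be attached to any action, a practical control is to review every action that runs as System or as a named user and flag any that differ from the last approved configuration. The following sketch is an added example, not AppSense code: the record layout (`id`, `mode`, `friendly_name`, `command`) and the sample actions are hypothetical and constructed for illustration.

```python
import hashlib

# Constructed sample data. The record layout (id, mode, friendly_name, command)
# is hypothetical and is NOT the AppSense configuration format.
APPROVED = [
    {"id": "logon/map-drive", "mode": "Current User", "friendly_name": None,
     "command": r"net use H: \\fs01\home"},
    {"id": "logon/add-printer", "mode": "User", "friendly_name": "PrinterAdmin",
     "command": r"printui.exe /ga /n\\ps01\floor2"},
    {"id": "startup/sync-time", "mode": "System", "friendly_name": None,
     "command": "w32tm /resync"},
]
CURRENT = [
    APPROVED[0],
    dict(APPROVED[1], command=r"C:\Tools\helper.exe"),  # command edited
    APPROVED[2],
    {"id": "logon/cleanup", "mode": "User", "friendly_name": "PrinterAdmin",
     "command": r"C:\Tools\cleanup.cmd"},               # credential reused
]

def fingerprint(action):
    """Hash the fields that decide what runs and in whose context."""
    parts = [action["mode"], action["friendly_name"] or "", action["command"]]
    return hashlib.sha256("\x00".join(parts).encode("utf-8")).hexdigest()

def build_baseline(actions):
    """Map action id -> fingerprint for a reviewed configuration."""
    return {a["id"]: fingerprint(a) for a in actions}

def audit_run_as(baseline, current):
    """Return (id, reason) for privileged actions that differ from the baseline."""
    findings = []
    for action in current:
        if action["mode"] == "Current User":
            continue  # runs as the logged-on user; no stored credential involved
        known = baseline.get(action["id"])
        if known is None:
            findings.append((action["id"], "new action using " + action["mode"]))
        elif known != fingerprint(action):
            findings.append((action["id"], "changed since review"))
    return findings

if __name__ == "__main__":
    for action_id, reason in audit_run_as(build_baseline(APPROVED), CURRENT):
        print(action_id, "-", reason)
```

Run against each configuration change before deployment, a check like this surfaces both an edited command on an approved Run As action and a new action that borrows an existing friendly name.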

P.S.
As this is an ever growing blog topic, more posts on the other new features we have detailed can be found below:

NEW FEATURE No. 1 – AppSense Environment Manager 8.0 Service Pack 2 – Run As

NEW FEATURE No. 2 – AppSense Environment Manager 8.0 Service Pack 2 – Connect As

NEW FEATURE No. 3 – AppSense Environment Manager 8.0 Service Pack 2 – Improved compression and data handling protocol

NEW FEATURE No. 4 – AppSense Environment Manager 8.0 Service Pack 2 – Manipulation of files in Personalization Analysis

NEW FEATURE No. 5 – AppSense Environment Manager 8.0 Service Pack 2 – Run Once

NEW FEATURE No. 6 – AppSense Environment Manager 8.0 Service Pack 2 – Group SID Refresh

NEW FEATURE No. 7 – AppSense Environment Manager 8.0 Service Pack 2 – Trigger Action Time Audit Event

NEW FEATURE No. 8 – AppSense Environment Manager 8.0 Service Pack 2 – Stop If Fails

NEW FEATURE No. 9 – AppSense Environment Manager 8.0 Service Pack 2 – New Application Categories in the User Interface

NEW FEATURE No. 10 – AppSense Environment Manager 8.0 Service Pack 2 – Refresh

NEW FEATURE No. 11 – AppSense Environment Manager 8.0 Service Pack 2 – Registry Hive Exclusions


AppSense Technical University Training For Partners

July 22, 2009

I am excited about writing this one: the much-awaited 2009 AppSense Technical University is soon upon us! It will take place in October and November!! Following on from our previous events, there are some exciting new developments at AppSense that we would like to share with you; amongst other topics:

  • User Introduced Applications (UIA) Technology – do we need, and how do we enable, users to install applications into non-persistent VDI sessions, and have the applications (and settings and preferences) remain available in the next non-persistent VDI session?!
  • AppSense Management Suite Version 8.1 Product RoadMap
  • ‘Policy & Personalization’ best practices across virtual and multi OS platform environments


Why attend the AppSense Technical University?

The AppSense University is a ‘free of charge’ event to our AppSense Certified Solution Partners, and is a great chance to meet up with the AppSense Technical teams, as well as your peers from within the community. As a valued member of our Certified Solutions Partner program, you are invited to this comprehensive technical update and networking event.

The 2-day event will include in-depth, hands-on training designed to enable you to provide consultancy services and implement the AppSense Management Suite for prospects and customers.

Register for further information

As always, AppSense is hosting several Technical University events in locations around the globe. If you are interested in attending an AppSense Technical University, click on the country or region most relevant to you and we will keep you informed of the event details:

United States, November 2009 

United Kingdom, October 2009

Norway, November 2009

DACH Region, November 2009

BeNeLux, November 2009

Australia, October/November 2009

We look forward to seeing you there!

Best Regards,

The AppSense Technical University Team.

Website: http://www.appsense.com
Email: university@appsense.com
Telephone: +44 (0)1928 793 444


Microsoft Application Device License Control in SBC, VDI and Streamed Environments

June 30, 2009

Many Microsoft applications, including Microsoft Office™, Project™ and Visio™, are licensed on a per-device basis. This means a desktop application license is required for each and every device that is able to potentially access the application or server where the application is installed, regardless of whether a user executes and runs the application or not.

This makes licensing Microsoft applications in virtual environments a tricky, potentially very costly, and misunderstood subject.  So, let us take just two minutes to cover some of the most common misunderstandings as to Microsoft Application/Device licensing in SBC (Microsoft Terminal Server and Citrix XenApp), VDI (Citrix XenDesktop and VMware View) and Application Virtualization/Streaming (Microsoft App-V, VMware ThinApp, Citrix Streaming, InstallFree etc) estates.

One misconception is that by ‘publishing’ or ‘streaming’ applications to a limited “user” group, that group is compliant with the Microsoft license agreement – in other words, Microsoft licenses their applications per user.  This is in fact in breach of the Microsoft licensing model, and can lead to legal action.

‘Publishing’ or ‘streaming’ applications to a limited “user” group is not a valid approach to license restriction, since users within the group can potentially access the application from any device that can connect to the server hosting the application binaries, or, any device the virtualization server can see or stream to. This means desktop application licenses may need to be purchased for devices where the user of that device does not actually use the application.

Furthermore, Microsoft technologies such as Group Policies and Software Restriction Policies cannot be used as a means of enforcing licensing control, as these methods apply to “users”, or groups of “users”.

For Microsoft applications which are licensed on a per-device basis, application access must be controlled at the “device” level.

AppSense Application Manager is (to my knowledge) the only officially Microsoft-approved and recognized means of controlling application access on a per-device basis in an SBC/Terminal Server, Virtual Desktop or streamed application environment with regard to license enforcement.

AppSense Application Manager operates with a kernel level filter driver within the Windows operating system. This filter intercepts all file execution requests prior to an application actually launching, to determine if the request is to be authorized or prohibited. Any unauthorized requests are blocked and the user receives a message, configurable by the administrator, stating that execution has been denied.

A flexible and granular rule set enables the Administrator to restrict access to applications by a range of variables, but specific to device based licensing, AppSense can restrict access based on device name or IP address. This enables AppSense Application Manager to effectively control, manage and in most cases, reduce the required number of Microsoft licenses.

AppSense Application Manager also provides detailed insight into user activity and application usage through reporting and auditing functionality. By reporting on application usage at a user and device level, AppSense Application Manager helps organizations verify compliance with Microsoft desktop application license models and provide estimates of license volume typically required across the user base.

To learn more about Microsoft Licensing and how AppSense Application Manager can be used to not only ensure compliance, but also reduce the amount of device licenses required, saving operational costs and providing almost immediate return on investment, please visit http://www.appsense.com/solutions/licensemanagement.aspx 

Furthermore, a copy of the Official Microsoft approved whitepaper on use of AppSense for application access and license control in virtual environments can be found at http://www.appsense.com/Files/Documents/Microsoft%20Application%20License%20Control%20(US).pdf