Advanced Connection Groups – The Sanity Check

Since the release of App-V 5.0, connection groups have been one of its most highly rated features, bringing a whole new level of flexibility and manageability compared to Dynamic Suite Composition in 4.x. However, connection groups have evolved over time and there are many nuances in their behaviour depending on how they are used. This set of statements reflects the current state of play with the latest version (App-V 5.0 SP3) and I will update it should things change. I hope it serves as a quick sanity check and a guide when planning your connection group strategy.

The Sanity Check

1. Connection groups use two key files

Connection groups work off a template and an effective .xml. PackageGroupDescriptorTemplate.xml provides the structure to compose from (the template) and PackageGroupDescriptor.xml is the currently composed connection group (the effective descriptor).

There is also a third file, UserPackageGroupDescriptor.xml, which is generated when a connection group is published to the user and plays the same role as the effective descriptor, but for that user.

2. Connection groups can be published either globally or to user

This is achieved by using the -Global switch when running the Enable-AppvClientConnectionGroup cmdlet

3. Connection groups can contain a mixture of both user and globally targeted packages

This is done on a package level by adding the -Global switch when running the Publish-AppvClientPackage cmdlet

4. Connection groups targeted globally cannot contain any user targeted packages

If you attempt to deliver a mixed-scope connection group to the computer you will get the following event 1048 error:

[Screenshot: event 1048 error]

5. Connection groups targeted at the user can contain both user and computer targeted packages

Mixed scope connection groups always need to be targeted at the user

6. Connection groups must have at least one mandatory package

There must be at least one mandatory package per connection group, otherwise delivery will fail with the following event 8004 error:

[Screenshot: event 8004 error]

7. Connection groups will fail to publish if a mandatory package is not published

Mandatory packages must be published and present in cache for a connection group to be published, otherwise delivery will fail with the following event 8012 error:

[Screenshot: event 8012 error]

8. Packages will fail to unpublish if they are a mandatory member of a published connection group

Packages must be detached from any connection group in which they are a mandatory member before they can be unpublished, otherwise the action will fail with the following event 1016 error:

[Screenshot: event 1016 error]

9. Packages in a connection group set to use any version or set as optional will always use the latest version in cache when initially delivered

Regardless of whether a package is published, as long as it is present in cache it will be generated into the effective connection group when the connection group is delivered. For regeneration behaviour after the connection group has been delivered, read the following:

10. Connection groups added or targeted globally will automatically be re-generated on add/remove of an eligible optional package

This can be found in %PROGRAMDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\

11. Connection groups added or targeted globally will automatically be re-generated on add/remove of an eligible use any version package

This can be found in %PROGRAMDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\

12. Connection groups enabled to the user will automatically be re-generated on publish/unpublish or remove of an eligible optional package

This can be found in %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\

13. Connection groups enabled to the user will automatically be re-generated on publish/unpublish or remove of an eligible use any version package

This can be found in %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\

14. Connection groups can hold priorities which dictate how overlap conflicts are resolved at launch

This is handled by the Priority="_" value within the effective .xml. More details on connection group conflicts can be read here.

15. Packages within a connection group have priority over each other

This is dictated by the order in which the packages are listed in the connection group (highest priority first). Merged roots in SP3 now mean that conflicting paths will be merged; however, file conflicts are still handled via the priority handler, i.e. a file is read from the package with the highest priority wherever it can be.

16. Connection group priority, optional packages and use any version are not supported within SCCM 2012 native functionality

This applies when using the native ‘Virtual Environments’ functionality for connection groups within SCCM 2012 at this point in time

17. Connection groups can be enabled or disabled to a specific user by an administrator using PowerShell

This is achieved by using the -UserSID parameter when using the Enable-AppVClientConnectionGroup or Disable-AppVClientConnectionGroup cmdlet
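The checks in items 4, 6 and 7 above can be run against the live client state before you enable a connection group, so that the 1048, 8004 and 8012 events never fire in the first place. The following is an added example, not code from the original post: it uses Get-AppvClientPackage with its -All switch and the IsPublishedToUser / IsPublishedGlobally properties of the returned objects; the Test-ConnectionGroupPlan function name, the Members/Scope parameter layout and the package names in the usage call are assumptions.

```powershell
# Added example (not from the original post): pre-flight checks for a proposed
# connection group, applying sanity-check items 4, 6 and 7 against the client.
function Test-ConnectionGroupPlan {
    param(
        # Each entry: @{ Name = '<package name>'; Mandatory = $true/$false }
        [Parameter(Mandatory)] [hashtable[]] $Members,
        # 'Global' or 'User': the scope you intend to pass to Enable-AppvClientConnectionGroup
        [ValidateSet('Global', 'User')] [string] $Scope = 'User'
    )

    $problems = @()

    # Item 6: at least one mandatory package per connection group (event 8004)
    if (-not ($Members | Where-Object { $_.Mandatory })) {
        $problems += 'No mandatory package in the group (delivery would fail with event 8004).'
    }

    foreach ($m in $Members) {
        # -All returns packages whether or not they are published; pick the newest
        # version in cache, which is the one the group will compose with (item 9)
        $pkg = Get-AppvClientPackage -Name $m.Name -All -ErrorAction SilentlyContinue |
               Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1

        if (-not $pkg) {
            if ($m.Mandatory) {
                # Item 7: a mandatory package must be in cache (event 8012)
                $problems += "Mandatory package '$($m.Name)' is not in cache (event 8012)."
            }
            continue   # an optional package missing from cache is fine
        }

        # IsPublishedToUser is evaluated for the user running this session
        $toUser = [bool]$pkg.IsPublishedToUser
        $global = [bool]$pkg.IsPublishedGlobally

        if ($m.Mandatory -and -not ($toUser -or $global)) {
            # Item 7: a mandatory package must be published (event 8012)
            $problems += "Mandatory package '$($m.Name)' is in cache but not published (event 8012)."
        }

        # Item 4: a globally targeted group cannot contain user-targeted packages (event 1048);
        # item 5: mixed-scope groups must be targeted at the user instead
        if ($Scope -eq 'Global' -and $toUser -and -not $global) {
            $problems += "Package '$($m.Name)' is user-published; a Global group cannot contain it (event 1048). Target the group at the user instead."
        }
    }

    [pscustomobject]@{
        Scope    = $Scope
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (package names are hypothetical):
Test-ConnectionGroupPlan -Scope Global -Members @(
    @{ Name = 'PaintDotNet';       Mandatory = $true  },
    @{ Name = 'PaintDotNetPlugin'; Mandatory = $false }
) | Format-List
```

Run it in the same context (user or elevated) in which you will later run Enable-AppvClientConnectionGroup, since the published-to-user flags are relative to the calling user. A Passed value of $false with a non-empty Problems list tells you which statement above you are about to violate.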

0 Comments
February 3, 2015

Issue with RequirePublishAsAdmin with SCCM 2012 and User Targeting

SP3 for App-V 5.0 introduced a new feature called RequirePublishAsAdmin which allows administrators to prevent non-admins from publishing packages to themselves even if the packages are already added to the machine. For a full run-down of this feature read here. It was on that post that a commenter raised the question of whether this feature would work with SCCM delivery (thanks IV!). Assuming it would, I thought I would test just to confirm; however, what I found is that the commenter's concerns were indeed justified.

The Error

Once RequirePublishAsAdmin is enabled and a non-admin user tries to take delivery of a user-targeted App-V application, the delivery fails and the following error occurs:

[Screenshots: SCCM delivery failure as seen by the user]

The Cause

The cause of this error is exactly as the commenter on my previous post suspected: the PowerShell process running the publish command runs as the user and is therefore automatically blocked from running.

If we dig into the AppEnforce.log we find evidence of this:

[Screenshots: AppEnforce.log excerpt showing the Add and Publish commands]

Above you can see that the first App-V command, the Add operation, runs with PID 2916 and completes successfully with a return code of 0.

However, the second command, the Publish operation, runs with PID 1572 and fails with a return code of 1.

[Screenshot: Process Monitor output for PIDs 2916 and 1572]

A quick look in Process Monitor shows, as suspected, that PID 2916 (Add) runs as SYSTEM and PID 1572 (Publish) runs as the user and therefore fails.

Summary

In summary, the RequirePublishAsAdmin feature is not fully compatible with SCCM 2012 user-targeted deliveries. I have tested the same scenario with App-V Server with no issues.

0 Comments
January 13, 2015

Running App-V 5.0 Commands on a Remote Machine with or without PSRemoting

Since the introduction of App-V 5.0 and the PowerShell commands which we have come to know and love there has always been the question around ways we can execute these commands remotely. As more and more organisations start to look at how they go about supporting their App-V environments and build up their own tooling, whether it be for desktop support activities or cache maintenance, the question about remote management arises.

Now the obvious answer for running PowerShell commands on a remote endpoint is enabling and leveraging PSRemoting; however, I have found certain organisations tend not to allow this feature to be enabled over security concerns. Let's take a look at the options either way:

With PSRemoting

PSRemoting is very powerful, allowing us to run PowerShell commands on a remote machine as if they were being run locally. The first thing to do is enable PSRemoting:

1. Enable PSRemoting

There are various ways to enable PSRemoting, which essentially needs the WinRM service running; the easiest way to do it across multiple machines is via Group Policy:

Just open: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service 

Enable the Allow Remote Server management through WinRM policy setting.

[Screenshot: "Allow remote server management through WinRM" Group Policy setting]

Alternatively if you are just testing you can enable it on a particular machine using the Enable-PSRemoting cmdlet.

[Screenshot: Enable-PSRemoting output]

Click here to read more on TechNet about the Enable-PSRemoting cmdlet.

You can test connectivity from a remote machine using Test-WSMan COMPUTERNAME

[Screenshot: Test-WSMan output]

Now all you need to do is run your commands!

2. Use PSRemoting

There are two main ways you can run your commands, either by issuing a single command or via an interactive PowerShell session.

To issue a command use the following syntax:

Invoke-Command -ComputerName COMPUTERNAME -ScriptBlock { COMMAND } -Credential USERNAME

For example here I have remotely removed a package from cache:

[Screenshot: Invoke-Command removing a package from the remote cache]

We can do the same thing from an interactive console if we wanted to run more than one command:

Enter-PSSession -ComputerName COMPUTERNAME -Credential USERNAME

[Screenshot: Enter-PSSession interactive session querying and removing a package]

Above you can see how I am using an interactive session to interact with my remote client by querying a package and then removing it. To be honest this is just the tip of the iceberg; there is so much more you can do. I have seen some organisations write their own custom tools which use PSRemoting to enable them to support and maintain their environment. If you're in the same position hopefully you can leverage the same techniques; better yet, why not check out some of the toolsets already out there. My favourite is Bram Wolfs' App-V Scheduler, which amongst other features includes a much more user-friendly way to query remote endpoints using its Central View console.

Without PSRemoting

So what if PSRemoting is disabled in your environment and restricted due to organisational policies? Well, all is not lost! Recently someone from a large insurance company contacted me about this scenario and was kind enough to share how they worked around not having PSRemoting enabled (thanks Gyan!).

The workaround involves invoking PowerShell via WMI using the Create method of Win32_Process:

1. Assign to Variable

First thing we need to do is assign the WMI Class Win32_Process of the remote machine to a variable from our local machine:

$Process = [WMICLASS]"\\COMPUTERNAME\root\cimv2:Win32_Process"

2. Invoke Process

So now all we need to do is utilise the Create method of Win32_Process to invoke whatever we want. In this case we want to use PowerShell to remove a package from cache on a remote machine:

$Process.Create("PowerShell.exe Remove-AppvClientPackage PACKAGENAME")

[Screenshot: return value of Win32_Process.Create]

What the above does is invoke PowerShell on the remote machine and run my specified command, so one minute I have my package and the next minute it's gone! The great thing about all this is that it doesn't need PSRemoting enabled, as it's all done over WMI. The not so great thing is the feedback: as you can see from above, the information returned once the command is issued isn't that meaningful.

We can however query WMI to find out if the package is there:

Get-WmiObject -ComputerName COMPUTERNAME -Namespace Root\AppV -Class AppvClientPackage | Where-Object {$_.Name -eq "PACKAGENAME"}

[Screenshot: Get-WmiObject output for a present AppvClientPackage]

Above is the output you can expect when the package is present; you will get a null return if the package isn't there. There is a lot more you can do with the WMI provider for App-V to query and execute commands, however it probably needs a bit more investment of time compared to using remote PowerShell.
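The two WMI steps above (Win32_Process.Create to launch the command, then a query of the Root\AppV provider to see whether the package is still there) can be tied together so that the weak feedback from Create is replaced by an actual before/after check. This is an added example, not code from the original post or from the reader who shared the workaround: it checks the ReturnValue that Win32_Process.Create hands back and then polls AppvClientPackage until the package disappears or a timeout expires. The Remove-RemoteAppvPackage function name, its parameters and the computer and package names in the usage call are assumptions.

```powershell
# Added example (not from the original post): remove a package from a remote
# App-V client over WMI only, and confirm the result via the App-V WMI provider.
function Remove-RemoteAppvPackage {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $PackageName,
        [int] $TimeoutSeconds = 60
    )

    # Query the App-V WMI provider; a null result means the package is not in cache
    $query = {
        Get-WmiObject -ComputerName $ComputerName -Namespace Root\AppV -Class AppvClientPackage |
            Where-Object { $_.Name -eq $PackageName }
    }

    if (-not (& $query)) {
        return [pscustomobject]@{ ComputerName = $ComputerName; Package = $PackageName; Result = 'NotInCache' }
    }

    # Quote the package name so names with spaces survive; -NonInteractive makes the
    # remote PowerShell exit instead of waiting for input nobody can give it
    $cmd = "PowerShell.exe -NonInteractive -Command `"Remove-AppvClientPackage -Name '$PackageName'`""

    # Same Win32_Process.Create call as in the post, but this time we keep the result object
    $proc   = [wmiclass]"\\$ComputerName\root\cimv2:Win32_Process"
    $result = $proc.Create($cmd)

    # ReturnValue 0 means the process was started; anything else is a Win32_Process.Create error code
    if ($result.ReturnValue -ne 0) {
        return [pscustomobject]@{
            ComputerName = $ComputerName
            Package      = $PackageName
            Result       = "CreateFailed(ReturnValue=$($result.ReturnValue))"
        }
    }

    # Create only tells us the process launched, not whether the cmdlet succeeded,
    # so poll the provider until the package is gone or we give up
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 2
        $still = & $query
    } while ($still -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        ComputerName = $ComputerName
        Package      = $PackageName
        RemotePid    = $result.ProcessId
        Result       = if ($still) { 'TimedOut' } else { 'Removed' }
    }
}

# Usage (computer and package names are placeholders):
Remove-RemoteAppvPackage -ComputerName 'CLIENT01' -PackageName 'PaintDotNet'
```

A TimedOut result usually means the remote cmdlet itself failed (for example because the package is still published or in use) rather than that Create failed; since the remote process's output is not returned over WMI, the App-V client event log on that machine is the place to look next.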

So in summary if PSRemoting is enabled in your environment you can very easily begin to put together your remote support solutions or even look at some of the third party tools out there already. If PSRemoting is restricted in your environment then WMI is your answer, it may be a little harder to get familiar with but it does offer a lot of potential to act remotely.

0 Comments
January 8, 2015

Everything you need to know about App-V 5.0 SP3

App-V 5.0 SP3 is now available on MSDN as part of MDOP 2014 R2, and there are some great features that you need to check out! Here are detailed posts covering the key features of this release:

- Connection Groups 2.0 – More Manageable & More Flexible

- User RunVirtual Key

- Merged Roots and PVAD changes

- Require Admin for Publishing

- Advanced Connection Groups – The Sanity Check

You can download it as separate .ISO files or as part of MDOP 2014 R2:

[Screenshot: MSDN download listing for App-V 5.0 SP3 / MDOP 2014 R2]

Don't get thrown off by the "Application Virtualization Hosting" naming; it's just the desktop client, server and sequencer!

Check out Microsoft’s TechNet documentation on the release here.

Also check out Tim’s great breakdown of all the new features here.

Enjoy!

7 Comments
December 4, 2014

RequirePublishAsAdmin in App-V 5.0 SP3

Right, so pre-SP3 for App-V 5.0, as long as a package was added into the client cache, any user (admin or non-admin) could go ahead and publish the application to themselves with a quick and easy line of PowerShell. There weren't really many ways to prevent this apart from custom ACLs on the package store or using a feature called PackageStoreAccessControl, which has now been deprecated and is no longer supported.

Enter RequirePublishAsAdmin…

You might notice this new setting on the App-V 5.0 SP3 client when running Get-AppvClientConfiguration:

[Screenshot: Get-AppvClientConfiguration output showing RequirePublishAsAdmin]

You enable this setting with a simple Set-AppvClientConfiguration -RequirePublishAsAdmin 1

Once enabled, exactly what you expect takes effect: the next time a non-admin user logs on, even if a package has already been added to the client, they lose the ability to publish packages to themselves. To understand more about the difference between adding and publishing read here.

Here we can see a standard user has visibility of the fact a package is in cache but not currently published to them:

[Screenshot: Get-AppvClientPackage run as a standard user, package in cache but not published]

If this non-admin user tries to publish this package they will get the following message warning them they need admin rights:

[Screenshot: Publish-AppvClientPackage error stating admin rights are required]

This is a welcome feature; however, there is one thing to note: unlike PackageStoreAccessControl, RequirePublishAsAdmin does not prevent a non-admin user from browsing the package store cache and reading, or even copying out, its contents. It does, however, stop a non-admin gaining access to a package that has not been authorised for them.

2 Comments
December 4, 2014

Merged Roots in App-V 5.0 SP3 – Free from the PVAD

Before I say too much, let's play a game of spot the difference! Below are two screenshots of me sequencing Paint.NET in both pre-SP3 and SP3 for App-V 5.0:

Pre-SP3

[Screenshot: pre-SP3 Sequencer with the Primary Virtual Application Directory field]

SP3

[Screenshot: SP3 Sequencer without the Primary Virtual Application Directory field]

Spotted it?! Of course you have. You will notice that the SP3 Sequencer no longer requires you to enter a Primary Virtual Application Directory (PVAD) prior to sequencing. Now, to say the PVAD has been the subject of a lot of discussion since the release of App-V 5.0 RTM would be a massive understatement! I can recall countless conversations and debates about what the standard should be; most people had strong feelings that the best way forward was to avoid the PVAD and go VFS all the way! Well, check out how this package looks when sequenced with the defaults now:

[Screenshot: Paint.NET package contents placed entirely under VFS]

That's right, everything is now put into the VFS, cutting down the confusion and making things much clearer! Another massive benefit of this, and one of the reasons people used to specify "dummy PVADs", is that the roots of packages inside a connection group will now merge. Not to be confused with the Merge with Local Directory setting: even as standard, without tweaking the behaviour, if I were to sequence another package which shared the same root, the packages would automatically merge. For example, I have sequenced the following plugin for Paint.NET:

[Screenshot: Paint.NET plugin package sharing the same VFS root]

As you can see, the plugin package shares the same root as the parent package. No worries, however: with merged roots the default, and without any extra tweaks, once these packages are deployed in a connection group the roots will merge seamlessly, allowing Paint.NET to see and load the plugin package.

But I really want to use the PVAD!

Really? Well there are ways to bring it back:

1. Launch the Sequencer from a command prompt and specify: Sequencer.exe -EnablePVADControl

2. Populate a DWORD value called EnablePVADControl in registry here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Sequencer\Compatibility. Setting the value to 1 will enable the PVAD field next time you launch the Sequencer and 0 will turn it back off.

[Screenshot: EnablePVADControl DWORD value in the registry]

3. Use the command line sequencer and specify the -PrimaryVirtualApplicationDirectory argument against New-AppvSequencerPackage.
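Method 2 above is the one most people will script, since it survives Sequencer restarts and can be pushed out with the rest of a build. The following is an added example, not code from the original post: it creates the Compatibility key if the Sequencer has not created it yet, writes the EnablePVADControl DWORD as 1 or 0, and reads it back so you can confirm the state. The Set-PvadControl function name and its -Enabled parameter are assumptions; the key path and value name are the ones given in the post.

```powershell
# Added example (not from the original post): toggle the PVAD field in the
# App-V 5.0 SP3 Sequencer via the EnablePVADControl registry value.
function Set-PvadControl {
    param([Parameter(Mandatory)] [bool] $Enabled)

    # Key path from the post; the Sequencer reads it on launch
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\AppV\Sequencer\Compatibility'

    # Writing under HKLM needs an elevated session; fail early with a clear message
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Create the Compatibility key if it does not exist yet
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # 1 shows the PVAD field on the next Sequencer launch, 0 hides it again
    Set-ItemProperty -Path $keyPath -Name EnablePVADControl -Value ([int]$Enabled) -Type DWord

    # Read the value back so the caller can see what the Sequencer will pick up
    [pscustomobject]@{
        Key               = $keyPath
        EnablePVADControl = (Get-ItemProperty -Path $keyPath -Name EnablePVADControl).EnablePVADControl
    }
}

Set-PvadControl -Enabled $true    # bring the PVAD field back
Set-PvadControl -Enabled $false   # hide it again
```

The Sequencer only reads the value when it starts, so close and relaunch it after running the function; a value of 0 leaves you with the SP3 default of everything under VFS.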

So is the PVAD debate well and truly over? More or less, I'd say, as the default approach of VFS is now inherently part of the Sequencer GUI. However, there is still the option to use a PVAD via the methods above, so we cannot say goodbye to the concept just yet!

Read more about the improvements of App-V SP3 here!

0 Comments
December 4, 2014