
user environment management

IMPLEMENTATION GUIDE

Contents

Introduction ................................................................ 4
Operating System Delivery Mechanisms ........................................ 4
    Traditional Desktops .................................................... 4
    Terminal Services ....................................................... 4
    A New Approach - Virtual Desktops ....................................... 4
What are the Benefits of VDI? ............................................... 5
    Managing a VDI Implementation ........................................... 5
User Environment Management across a Mixed Environment ...................... 6
Introduction to Common Personalization Approaches ........................... 7
    Group Policy Objects .................................................... 7
    Logon Scripts ........................................................... 7
    Logoff Scripts .......................................................... 8
    User Profiles ........................................................... 8
        Local Profiles ...................................................... 8
        Roaming Profiles .................................................... 8
        Mandatory Profiles .................................................. 9
        3rd Party, Commercial Profile Solutions ............................. 9
Introduction to the AppSense Solution ...................................... 10
    Policy Configuration ................................................... 11
    User Personalization ................................................... 11
Best Practice Approach ..................................................... 13
    Create a Mandatory Profile ............................................. 13
        Prepare the Profile ................................................ 14
        Copy the Profile to a Shared Folder ................................ 14
        Remove Certain User Specific Settings .............................. 14
        Assign the Mandatory Profile to Users .............................. 15
Policy Configuration ....................................................... 17
    Folder Redirection ..................................................... 17
        Redirecting Folders to User Home Drives with AppSense Environment Manager ... 18
    File & Folder Manipulation ............................................. 20
    Registry Key Manipulation .............................................. 20
    Policy Enforcement ..................................................... 21
User Personalization ....................................................... 27
    Desktop Settings ....................................................... 29
    Offline Support ........................................................ 29
    Migration .............................................................. 30
    Personalization Analysis ............................................... 31
        Personalization Analysis Based on Application Size ................. 33
        Personalization Analysis Based on Application Usage ................ 36
    Personalization Rollback ............................................... 38
    Reducing the Number of Base Build Images ............................... 40
Conclusion ................................................................. 42

21 day trial of the software available at www.appsense.com/evaluate.

Introduction
Corporate IT departments face increasing pressure to deliver the right operating systems and applications to the right people at the right time. New application delivery methods bring challenges in maintaining optimal service levels to end users. From inconsistent working environments to unpredictable application performance, users, IT and the business are impacted by these challenges. These are core deliverables IT administrators must provide to their end users today and AppSense User Environment Management simplifies the management of this increasingly complex IT infrastructure. This document focuses on how AppSense Environment Manager 8.0 can be used to consistently ensure corporate policy and personalized environment settings are provided to users, independent of how an operating system or application is being delivered to the endpoint. Combining company policy with user personalization across a range of application and operating system delivery mechanisms reduces maintenance costs, secures the environment and increases user productivity.

Operating System Delivery Mechanisms


The two common approaches to the delivery of client computing are the traditional desktop and terminal services.

TRADITIONAL DESKTOPS
Completely ubiquitous and representing over 90% of corporate desktops, these are self-contained machines that can trace their antecedents right back to the first IBM Personal Computer. Now much altered and much faster, they represent an increasing management challenge, both in terms of total cost and service delivery. An additional concern is the management of mobile users who make use of notebooks which could be offline for some time.

TERMINAL SERVICES
This is the hosting of multiple users in a single copy of a server operating system. Users connect using a remote display protocol from either a thin client or a traditional PC. Terminal Services is a version of a Microsoft Server operating system that supports multi-user working, where users run individual concurrent sessions. This solution works well for users who can be restricted to fit within a shared-use environment; concerns include performance, security and acceptability to users.

A NEW APPROACH - VIRTUAL DESKTOPS
Virtual Desktop Infrastructure (VDI) is a solution for client computing that offers a wide range of benefits over the traditional ways of deploying user desktops. VDI seeks to keep the benefits of each of the above while avoiding the pitfalls. VDI allows multiple user desktops to run as separate virtual machines (sometimes referred to as images) while sharing underlying physical server hardware resources such as CPU, memory, networking and storage. This isolates users from each other, giving each user their own operating system and application set, allowing the user to customize their environment while protecting users from application crashes and operating system faults caused by the activities of other users.


What are the Benefits of VDI?


VDI retains many of the benefits associated with distributed computing while also realizing the benefits of a server-based computing environment. By giving each user their own operating system, VDI retains many of the positive features of traditional desktop computing, including:

USER FAMILIARITY: Users generally have considerable experience of traditional desktops and find a well-managed VDI implementation instantly familiar.
APPLICATION COMPATIBILITY: Software developers typically target the traditional desktop, so application compatibility issues are significantly fewer in VDI than in terminal services.
FULL PERSONALIZATION: PC users are able to tailor their working environment, providing a personalized experience and enhancing user productivity.

However, since VDI is basically a server-based computing model, it also achieves the benefits commonly associated with Terminal Server deployments, such as:

EASIER MANAGEMENT: Reduced desk-side management costs by centralising images.
SECURITY: Keeping data within the confines of the datacenter improves security.
SINGLE CONSISTENT IMAGE: All users can run a single desktop image, aiding management, regression testing and predictable service delivery.

MANAGING A VDI IMPLEMENTATION
VDI technologies offer a pre-packaged way of implementing the bulk of the infrastructure and can solve problems such as:
- Creating a fresh virtual desktop for a user, complete with installed applications, by cloning a reference image
- Connecting a user to a virtual desktop, either a specific one or one from a pool
- Starting up or shutting down virtual desktops
Effectively these products manage the outside of the virtual desktop. Additionally, there are a number of critical areas that then need to be managed within the virtual machine. These represent the user's environment or personality.

User Environment Management across a mixed environment


The key to understanding the importance of policy and personalization across a mixed desktop, terminal server and VDI environment is to go back to the goals sought by moving to a VDI solution. Many early VDI implementations were designed solely to provide a remote access solution that protected corporate data by keeping that data within the datacenter. These deployments justified themselves on the basis of security and compliance and were not concerned with potential management savings and improved service delivery. Nowadays people are looking to VDI to provide a number of more tangible benefits as well as security and compliance. Achieving these benefits requires a fresh look at how you manage client computing.

One of the key capabilities in VDI is to move towards a pooled environment with a small number of images that are used across your user base. This represents the ultimate goal of many deployments, since traditional desktop environments typically have very few desktops which are exactly identical, making maintenance far costlier. However, whether you are running a pooled environment or a one-to-one scenario, there are benefits to be had from extending management inside the virtual desktop:

POLICY CONFIGURATION: Control what users can do so as to match what they need to do.
USER PERSONALIZATION: Deliver user personalization into virtual desktops that are not already personalized (new, pooled, etc.) and manage the degree of personalization that a user has.

By trading off the extent to which you control what the user can do (Policy Configuration) against the amount of freedom they have (User Personalization), you can deliver a productive and easy to manage solution within a mixed desktop, terminal server and VDI environment.

User personality includes all the information that pertains to the user of that specific desktop. In a traditional desktop it would be tied to a particular machine, but in VDI this information can be separated from the machine, OS and applications. By doing this you can make it far easier to manage a mixed desktop, terminal server and VDI estate than an equivalent traditional desktop estate, while improving the service delivered to users. The rest of this document looks at how this can be done and the results achieved by doing so. We will concentrate on three typical challenges inherent in a mixed environment implementation:

Managing the user environment: By abstracting the user personality from the operating system and applications, then centralizing this information, policy and personalization can be more easily managed across the mixed environment.
Moving to a VDI pooled image solution: Pooled environments deliver a fresh, clean image to a user every time they log in. This eliminates most common patching issues and delivers great service and cost characteristics. However, the user's personality must be delivered to the virtual desktop image as they log on.
Migrating users from a physical to a virtual desktop: Ensuring a smooth, low-cost migration that approaches the point where users would be unaware that anything had changed.


Introduction to common personalization approaches


There are many standard approaches that have been adopted over the years to deal with the very issues highlighted above. A typical solution tends to be a mixture of different approaches that together combat much of the complexity of managing the user, but have not necessarily been aimed at managing personalization. The most common approaches are listed below.

GROUP POLICY OBJECTS
With the delivery of Windows 2000, Microsoft introduced the Active Directory (AD), which brought with it the Group Policy Object (GPO), applicable to Windows 2000, 2003, 2008, XP and Vista server and desktop infrastructure. The GPO is a very powerful mechanism to pre-define common configuration (Policy) that the Systems Administrator wants set for a specific user / group on a specific device / location for a specific application. The GPO is the place where a Systems Administrator would typically configure desktop / application settings that must always be set to the same value, regardless of what the user wants the value to be. The GPO is therefore considered applicable to policy configuration (as the name suggests) rather than personalization. The main challenge with GPOs is quite simply the management overhead required to keep on top of the ever-changing requirements of the enterprise. Given that Policy is typically applied [within the AD] at Domain level, Computer Organizational Unit (OU) level and User OU level, it can easily and rapidly become a management nightmare to ensure that the complexity does not overcome the needs of policy configuration in the first place. This, along with the GPO's lack of fine enough granularity (limited to AD Groups and OUs as the means of determining whether Policy is applied), makes GPOs a difficult method for accurately delivering policy to corporate end points and end users.
LOGON SCRIPTS
The traditional logon script has long been the de facto method to configure enterprise options for a user and, as its name suggests, the logon script executes during login. This makes it a one-stop, set-and-forget solution, in that once the value has been applied the script has performed its job. A typical logon script will connect network drive mappings and printers and perform other tasks such as ensuring corporate email clients are correctly configured, as well as copying necessary files and / or folders into place within the user's home directory or profile. Logon scripts have historically been written in the standard Microsoft command script language, although Visual Basic Scripting (and to a lesser extent KiXtart) has become more commonplace over the last few years due to its flexibility and feature set. Logon scripts are by their very design synchronous in their approach, which can mean that while some of the actions required to be part of the script are completely unrelated, they are processed in line with each other. This shows itself as a user logon taking an unacceptable length of time due to the number of actions, all of which are fed into the operating system line by line. At the same time, because the script is an interpreted language, the styles of different authors can rapidly make the scripts difficult to read and follow, making debugging or alterations a very time-consuming task.

LOGOFF SCRIPTS
Logoff scripts were introduced to most systems administrators when they became an option within the Active Directory GPOs. They are not widely used, but where they are, they typically extract data, with examples being user preferences and other application specifics that are copied out to the home directory for later use (usually to be put back in during the next logon sequence). As with logon scripts, many different scripting languages may be utilised, but typically the same language will be used as for logon scripting, as the same script developer(s) will have been responsible for both types of script. Similarly, the downsides of logoff scripts mirror those of logon scripts, and with a finite window of opportunity for a logoff script, the script must complete in less than 60 seconds before the Operating System will simply terminate the script and prevent further processing.

USER PROFILES
Administrators must make a decision on the type of profile that best suits their desktop, terminal server and VDI implementation. On computers running Microsoft Windows Operating Systems, user profiles automatically create and maintain the desktop settings for each user's environment on the local computer. User Profiles are the main source of personalization in use today, since they exist to provide some level of personalization to the user population. There are currently four main profile options available to administrators.

LOCAL PROFILES
Administrators can elect to make use of the local user profile that is created the first time a user logs onto a computer and is stored on the computer's local hard disk. This type of profile is typically used within a physical desktop infrastructure where users return to the same physical desktop day in, day out. Any changes made to the local user profile are specific to the computer on which the changes were made, and the changes are not reflected on any other desktop that the user logs onto. This approach can be used if an organization decides that a one-to-one correlation of Virtual Desktops to VDI users is acceptable. However, there is still a lack of management for this type of profile, which makes using them a complex task even in the one-to-one scenario.

ROAMING PROFILES
Roaming Profiles are used where the user may log on to multiple similar workstations, e.g. VDI, where profile information needs to be stored in a central location and copied to the virtual desktop when the user logs on, or when the user switches between many different Operating System delivery mechanisms. Any changes to the profile are made to this local copy while the user is logged on. When the user logs off, the profile is copied back to the central location, replacing the previous copy. In this way the latest version of the user profile is available to the user, independent of the session logged onto. However, roaming profiles can present several issues to the enterprise, including huge performance degradation and heavy network utilization, and often result in the profile growing in size to several gigabytes. These issues quite often culminate in users experiencing slow logon times. As a note, these problems also often occur with local profiles.


As with logoff scripts, the roaming profile only has a small window of time to copy the local cache back to the central location at logoff. As the profile grows in size (with use), the likelihood of this copy being terminated by the operating system mid-copy increases, which culminates in inconsistencies in, or corruption of, the content of the profile in the central location. The result is an unusable central profile, leaving the user unable to access the service provided with their personalization intact.

MANDATORY PROFILES
A Mandatory profile is usually stored locally on the virtual or physical desktop or terminal server and is used as a base for each user profile. Mandatory profiles are read-only profiles that simply discard any user modifications / additions at user logoff. They are by their very design the lightest-weight profile, delivering the best logon performance and stability; however, they bring with them many challenges. For example, all user-specific data (such as Microsoft Outlook connection settings, Microsoft Office toolbar options and the like) will be lost as soon as the user logs off. The Mandatory profile is fast to load (logon) as well as unload (logoff), has little required management (the administrator needs to create the profile just once and should only need to return to it should new application settings be required) and cannot corrupt with use. However, mandatory profiles are unacceptable for most users because of the lack of persistent personalization within the user's environment.

3RD PARTY, COMMERCIAL PROFILE SOLUTIONS
There are a number of 3rd party commercial profile solutions on the market that cater for basic user personalization. However, these solutions do not resolve the issue of user environment management across operating system and application delivery mechanism boundaries, and hence require the administrator to configure the solution in different ways for each desired environment. User personalization is typically managed at user logon and logoff, and hence requires all user personalization settings to be saved and restored at these times, adding load on the network and introducing major inefficiencies into the logon and logoff processes. Additionally, these 3rd party, commercial solutions also fail to address the Policy Configuration aspect of a true user environment management solution, leaving the administrator with a decision on which other solution to utilize in order to address this.


Introduction to the AppSense solution


AppSense's comprehensive user environment management solution delivers all the benefits of the above techniques plus many unique and market-leading features, all within a rich policy framework that allows great flexibility. AppSense Environment Manager removes the burden of managing the user environment by automating the management of user personalization and dramatically simplifying policy configuration. The AppSense Environment Manager console is split into two administrative sections:
- Policy Configuration
- User Personalization


POLICY CONFIGURATION
The Policy Configuration area of the console enables the administrator to very easily configure both default and enforced corporate policies that can be applied to either the computer or the user under a number of different scenarios. Computer-based actions can be triggered to apply when the computer starts up or shuts down, or when a system process is started or stopped. User-based actions can be triggered to apply when the user logs on or logs off, when a user process is started or stopped, when the network is connected or disconnected, when a session is disconnected or reconnected, or when a session is locked or unlocked. Conditions can also be applied which enable actions to be executed based on who, where from or how a user is connecting to a computer or application. These rule conditions include Directory Membership, User, Computer, Session and Client based rules. Policy Configuration actions include registry, file, folder, drive, printer, ODBC, App-V, custom, execute, group policy, environment variable, shortcut, self-heal and lockdown. By easily manipulating these triggers, conditions and actions, an administrator can quickly set up and deploy a policy configuration for users which can be shared and utilized across operating system boundaries and differing application delivery mechanisms.

USER PERSONALIZATION
Environment Manager 8.0 introduces a unique approach to the management of user personalization. A three-tier architecture is utilized, consisting of the following basic components:

Environment Manager Agent (tier 1): Installed on each managed endpoint, this is responsible for ensuring user personalization data is saved and restored on demand, and also ensures policy configuration settings are applied when required.
Personalization Server (tier 2): An IIS web server responsible for synchronizing user personalization settings between the SQL database and the Environment Manager Agent when the user logs on or off, or when an application is started or stopped.
SQL Database (tier 3): This holds information related to personalization sites and servers, users and groups, applications, endpoint configuration data and user personalization data.

When a user logs on to a managed endpoint, the Environment Manager Agent contacts the Personalization Server with details of the user logging on. The Personalization Server passes this information to the SQL database, which in turn retrieves the configuration for the user and returns it to the Personalization Server. The Personalization Server then passes back the relevant configuration to the managed endpoint. At this point, any session-specific personalization settings for that user, such as accessibility, appearance, cursor, keyboard, language, mouse, screen saver, theme and certificate settings, are streamed from the SQL database, via the Personalization Server, and restored to the endpoint.

When a user launches an application on the endpoint, a component of the Environment Manager Agent called the Profile Virtualization Component (PVC) is injected into the running process. The PVC verifies whether the application in question is under the management of Environment Manager. The PVC (via a user-specific process called EMAgentAssist) contacts the Personalization Server to request that a personalization cache on the endpoint is updated with the latest personalization settings from the SQL database, and streams these settings down to the endpoint.

Whilst the application is running and the user continues to change personalization settings within it, these changes are virtualized and are written to the personalization cache on the endpoint, rather than into the physical registry or file system. This ensures the user has access to a local copy of the personalization settings, whilst abstracting the user's personality from the physical operating system. When the application is closed, the PVC notifies the Personalization Server that the application is closing and provides a copy of the modified personalization settings, which are stored in the SQL database. This means the user now also has a centralized copy of their latest personalization settings. If the user has two or more open concurrent sessions, these personalization settings can now be streamed to each of their concurrent sessions for that application, on demand, when the application is launched. This ensures consistent application and environment settings across open, concurrent sessions without the user having to log off and back on again. When the user does log off, any open applications are closed and the process described above takes place. Session-specific settings are also synchronized back to the SQL database at this point and, by default, the local personalization cache on the endpoint is purged.



Best practice approach


An enterprise planning a mixed physical desktop and VDI implementation needs to ensure that the proposed solution maximises efficiency while reducing cost. To this end, the requirements outlined earlier in this document become ever more important; as an overall view, a high-level requirement from a VDI perspective would be to house a minimal number of virtual images in the core library. To make this possible, it is necessary to make use of core functionality alongside third-party technologies to ensure that the user personality can be easily transferred between the virtual machines as they provide application services to the users. In order to deliver the necessary pooled solution we must make use of Environment Manager's core functionality. This requires users to be presented with personalized profile information regardless of which virtual or physical desktop they log onto. The recommended approach to this is to use a Mandatory Profile in conjunction with Environment Manager. However, the Environment Manager 8.0 solution can also function with any other type of profile.

CREATE A MANDATORY PROFILE
There are a couple of quick and easy ways in which a mandatory profile can be created, including:
1. Using a new user account on a virtual or physical desktop with no applications installed or policies applied. This is to ensure the mandatory profile does not contain any user-specific settings and that it remains as small as possible.
2. The same as 1, but on a virtual or physical desktop that has all the applications installed. This will ensure that the mandatory profile contains as many application settings as possible, although this will increase the size of the profile and could increase network utilization and user logon times.
In this example we shall use the first method and Microsoft Windows XP Professional as the target Operating System for the physical or virtual desktop.

PREPARE THE PROFILE
- On a domain controller, create a new user account that has the same permissions as the user or group for which you want to create a mandatory profile.
- Log on to the physical or virtual desktop using the user account you just created. A user profile is created on the physical or virtual desktop under the %SystemDrive%\Documents and Settings\<username> folder.
- Configure the desktop settings required in the profile, including shortcuts, appearance settings and Start menu options.
- Once you are happy with the profile, log the user off the physical or virtual desktop.

COPY THE PROFILE TO A SHARED FOLDER
- Create a shared folder on the network in which you want to store the new mandatory profile, for example \\<servername>\<sharename>.
- Assign Change permissions to the shared folder.
- Assign Read & Execute permissions to this folder for the users and groups who will utilize the mandatory profile.
- Log on to the domain as an administrative user on the same physical or virtual desktop.
- Open the System Properties applet and, on the Advanced tab, click Settings under User Profiles.
- Under Profiles stored on this computer, select the profile created above and click Copy To.
- In the Copy profile to field, enter the UNC path to the share created above (for example \\<servername>\<sharename>\<mandatory profile>) and click OK.
- Under Permitted to use, click Change, add Authenticated Users and click OK.
- On the physical or virtual desktop, navigate to the shared folder that contains the profile that has been copied.
- Rename the file Ntuser.dat to Ntuser.man.
- Finally, ensure the ownership of all the files and folders in the <mandatory profile> folder belongs to the Administrators group and not the Administrator user. Failure to do this can result in permissions problems when users attempt to access the mandatory profile at logon.

REMOVE CERTAIN USER SPECIFIC SETTINGS
- Make a backup copy of Ntuser.man.
- Open the registry editor (REGEDIT.EXE).
- Navigate to the root key of the HKEY_USERS hive.
- Choose Load Hive from the File menu and select the Ntuser.man file created earlier.
- Enter a name, for example Mandatory.
- Select the Mandatory sub-tree and expand it. It is now possible to edit the registry and remove any user-specific settings from the mandatory profile without having to log on with that user account. This can be achieved by searching for known usernames or SIDs.


- It is also possible to review and set permissions on specific registry keys.
- Once finished, unload Ntuser.man from the registry by selecting the Mandatory sub-tree and choosing Unload Hive from the File menu.
- Exit REGEDIT.EXE.

ASSIGN THE MANDATORY PROFILE TO USERS
- As the administrative user, launch Active Directory Users and Computers.
- Locate the organizational unit that contains the user account whose settings you want to modify.
- In the right-hand pane, right-click the user account and click Properties.
- Select the Profile tab. In the Profile path field, enter the location of the mandatory profile you wish to assign, for example \\<servername>\<sharename>, where <servername> is the name of the computer where the profile is stored and <sharename> is the shared folder that contains the mandatory profile.
- Click OK.
- Log on to the physical or virtual desktop using the account to which you have assigned the mandatory profile and ensure the mandatory profile has been applied correctly.

Note: We have just set up the user account to access the mandatory profile from a network share. As the user will be accessing the file from a remote location, this may slow down the user logon process and increase network utilization. To resolve these issues, it is recommended that you copy the Ntuser.man file from the network share and store it locally on each physical or virtual desktop that users will be logging onto. The Profile Path within Active Directory Users and Computers can then be changed to point to the local copy of Ntuser.man (for example C:\mandatory). Alternatively, you can set the profile path with the Local Group Policy on each physical or virtual desktop.

Finally, you will need to ensure that any version control mechanism (for the profile) is fully aware of the local copy of the profile, so that where any changes to the mandatory profile are made centrally, the deployment mechanism of choice is made aware of the changes and the updated profile is propagated down to the client machines appropriately. Many enterprise users of Environment Manager have opted to configure Environment Manager Computer | Startup actions to ensure that the latest copy of the enterprise mandatory profile is in place each and every time the physical or virtual desktop starts up. This allows the administration team to make amendments to the profile once and place it into a central location, and Environment Manager ensures that it is copied to each machine when it next boots up. This has been deemed a simpler way to ensure that enterprise users benefit from the correct mandatory profile and that logon performance is maximized by storing the profile on the local machine; to accomplish this, administrators do not need to keep editing the master virtual images, since Environment Manager takes care of it.
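The mandatory profile procedure above is a sequence of console clicks in System Properties, REGEDIT and Active Directory Users and Computers. The following PowerShell script is an added example, not code from the AppSense guide or the Environment Manager product, that performs the same "Prepare", "Copy", "Remove certain user specific settings" and "Assign" steps so they can be repeated and reviewed. The template account mpTemplate, the share \\FILESRV01\Profiles$, the profile folder name Mandatory and the target account jsmith are all assumed placeholders. It also assumes the RSAT ActiveDirectory module on the machine it runs from and, for Win32_UserProfile, Windows Vista or later; the guide's own steps target Windows XP, and on Vista and later Windows appends a version suffix (for example .V2) to the profile folder name, which the FolderSuffix parameter accounts for.

```powershell
<#
  Added example (not from the AppSense guide): scripts the guide's mandatory
  profile steps. Placeholders: template account mpTemplate, share
  \\FILESRV01\Profiles$, folder Mandatory, target user jsmith.
  Run elevated on the desktop where the template account has already been
  logged on and off, as an account that can write the share and modify AD.
#>
param(
    [string]$TemplateUser  = 'mpTemplate',
    [string]$ShareRoot     = '\\FILESRV01\Profiles$',
    [string]$ProfileName   = 'Mandatory',
    [string]$FolderSuffix  = '',             # '' for XP; '.V2' for Vista/7, etc.
    [string[]]$TargetUsers = @('jsmith')     # constructed example accounts
)
$ErrorActionPreference = 'Stop'
$Staging    = Join-Path $env:TEMP $ProfileName   # edit the hive locally, not over SMB
$AdPath     = Join-Path $ShareRoot $ProfileName  # value for the AD "Profile path" field
$DestFolder = "$AdPath$FolderSuffix"             # folder that must exist on the share

# 1. Prepare: locate the template user's local profile; it must not be loaded.
$tpl = Get-CimInstance Win32_UserProfile |
    Where-Object { $_.LocalPath -like "*\$TemplateUser" -and -not $_.Loaded }
if (-not $tpl) { throw "No unloaded local profile found for $TemplateUser" }

# 2. Copy: stage the profile, skipping junction points and hive transaction logs.
robocopy $tpl.LocalPath $Staging /E /COPY:DAT /XJ /XF 'ntuser.dat.LOG*' /R:1 /W:1 /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. Rename the hive so Windows treats the profile as mandatory (read-only).
Rename-Item (Join-Path $Staging 'Ntuser.dat') 'Ntuser.man'

# 4. Remove user-specific settings: the guide does this by hand in REGEDIT after
#    File > Load Hive; reg.exe loads the same hive, and every value whose data
#    names the template account or its SID is deleted.
$sid = $tpl.SID
reg load 'HKU\MP' (Join-Path $Staging 'Ntuser.man') | Out-Null
try {
    Get-ChildItem 'Registry::HKEY_USERS\MP' -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -like "*$TemplateUser*" -or $data -like "*$sid*") {
                $valueName = if ($name -eq '') { '(default)' } else { $name }
                Write-Output "Removing $($key.Name)\$valueName = $data"
                Remove-ItemProperty -Path "Registry::$($key.Name)" -Name $valueName
            }
        }
      }
} finally {
    [GC]::Collect()                              # drop handles so the unload succeeds
    reg unload 'HKU\MP' | Out-Null
}

# 5. Publish to the share. Ownership goes to the Administrators group (not the
#    Administrator user), inheritance from the share root is cut, and the users
#    who will load the profile get Read & Execute only.
robocopy $Staging $DestFolder /E /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy to $DestFolder failed with exit code $LASTEXITCODE" }
icacls $DestFolder /setowner 'BUILTIN\Administrators' /T /C | Out-Null
icacls $DestFolder /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'Authenticated Users:(OI)(CI)RX' /T /C | Out-Null

# 6. Assign: the equivalent of the Profile tab's "Profile path" field in ADUC.
Import-Module ActiveDirectory
foreach ($u in $TargetUsers) { Set-ADUser -Identity $u -ProfilePath $AdPath }
Write-Output "Mandatory profile published to $DestFolder and assigned to $($TargetUsers -join ', ')"
```

The hive is edited in a local staging folder rather than on the share so that the load and unload never hold a registry hive open over SMB, and the value search is deliberately limited to the template account's name and SID; anything else the guide wants removed is a judgement call best made in REGEDIT as described above. Verify the result the same way the guide does: log on as one of the target accounts and confirm that the profile loads as mandatory and that changes are discarded at logoff.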

As a final note, you will need to ensure that each physical or virtual desktop successfully removes the mandatory profile when the user logs off. The Windows XP operating system will actually cache a copy of the profile being used after the user has logged off, even if this profile is set to mandatory, and occasionally this cache does not get removed properly during the logoff process. Note: It is also recommended that on physical desktops the following Group Policy setting be enabled to delete users' cached profiles at logoff:

This will ensure that each loaded user profile, for example C:\Documents and Settings\User, is removed at logoff, cleaning up your physical desktops. Alternatively, this can be configured within the AppSense Environment Manager Console by using a Computer | Startup ADMX Policy action. A Microsoft solution for this is the Windows Resource Kit utility DelProf.exe, which needs to be executed after the user has logged off but before they attempt to log back on. This ensures that any cached profile information is removed from the environment, leaving a clean environment for the next user. It is possible to execute DelProf.exe using an Environment Manager Computer | Startup Execute action so that all user information is properly cleaned as the system starts up, before the next user accesses the solution. This can be seen in the screenshot opposite:

21 day trial of the software available at www.appsense.com/evaluate.

For further information please see: http://tinyurl.com/39vc9 and www.microsoft.com/downloads
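As an added example (not from the AppSense guide, and not DelProf.exe itself), the following PowerShell function does the same clean-up job at computer startup on Windows Vista / Server 2008 and later, where the Win32_UserProfile class is available; it is an assumption that desktops still on Windows XP would continue to use DelProf.exe. The excluded account name 'LocalAdmin' is an assumption for illustration. Run it as SYSTEM from a startup action, with -WhatIf first.

```powershell
# Added example, not AppSense or Microsoft code: remove cached user profiles at
# startup via Win32_UserProfile (Vista+). Account names below are assumptions.

function Remove-CachedUserProfiles {
    param(
        # Keep profiles used more recently than this many days (0 = remove all eligible).
        [int] $MinimumAgeDays = 0,
        # SAM account names never to remove, in addition to special/system profiles.
        [string[]] $Exclude = @(),
        [switch] $WhatIf
    )

    $cutoff  = (Get-Date).AddDays(-$MinimumAgeDays)
    $removed = @()

    foreach ($p in Get-CimInstance -ClassName Win32_UserProfile) {
        # Special = built-in accounts (SYSTEM, LocalService, NetworkService).
        # Loaded  = hive currently open; deleting it fails or breaks a live session.
        if ($p.Special -or $p.Loaded) { continue }

        # Resolve SID to name. Orphaned SIDs (deleted accounts) stay eligible:
        # they are exactly the stale cache this routine exists to remove.
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "<unresolved SID $($p.SID)>"
        }

        $sam = ($name -split '\\')[-1]
        if ($Exclude -contains $sam) { continue }
        # LastUseTime is an approximation (some Windows builds touch it at boot).
        if ($MinimumAgeDays -gt 0 -and $p.LastUseTime -and $p.LastUseTime -gt $cutoff) { continue }

        if ($WhatIf) {
            Write-Host "Would remove $name ($($p.LocalPath))"
        } else {
            # Remove-CimInstance invokes the class's Delete(), which removes both
            # the folder under C:\Users and the ProfileList registry entry, so no
            # half-deleted profile is left behind as happens with a plain rmdir.
            Remove-CimInstance -InputObject $p -ErrorAction Stop
        }
        $removed += $name
    }
    return $removed
}

# Everything not loaded and not special, except the local break-glass account:
Remove-CachedUserProfiles -Exclude 'LocalAdmin' -WhatIf
```

Deleting through the WMI class rather than the file system matters: a profile folder removed with rmdir but still listed under ProfileList leaves Windows creating TEMP profiles for that user on the next logon, which is the same "it worked yesterday" symptom the guide later attributes to profile corruption.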

Policy Configuration
We will now see how the Policy Configuration side of the Environment Manager Console can be utilized to streamline user environment management across both physical and virtual desktops.

Folder Redirection

Folder redirection can be used to help resolve personalization issues experienced when using mandatory profiles, although there are a number of considerations that need to be made.

The first is preventing users from saving personal information on the local drive of the physical or virtual desktop, because the user is not always guaranteed to return to the same desktop (especially in a pooled virtual desktop scenario). If the user saves work on the local drive, this information is only ever available on that physical or virtual desktop, leading to users potentially losing track of information between machines, and to the risk of information being lost permanently if the machine in question is reimaged or taken offline.

Consider a traditional desktop scenario with no network file storage and users who hot desk. Very quickly, information will be stored across many machines with no way to cross-reference where each piece of information actually resides.

The second consideration is the physical size of a user profile: commonly used directories such as My Documents and Application Data can grow dramatically over time as more documents are created and more applications are installed on the physical or virtual desktop.

Folder redirection allows the user's personal files and settings to be saved to another location, most commonly their home directory, which is outside of the profile itself. Most applications use these redirected folders when prompting users to load and save files. This means that personal files are retained at logoff and, as they are no longer part of the profile, loading times during the logon process are significantly improved. Folders can be redirected to any available location, including a local folder or a network drive, the most common choice being the user's home drive.

In this example, we are going to redirect folders to the user's home directory so that user-specific files are retained and are backed up each evening by the managed backup solution in place within the enterprise. Another benefit is that by redirecting the Desktop folder to user home directories, it can be included in the quota policy, where applicable, which prevents each user from keeping too many large documents on the desktop. We assume that a home drive has previously been set up by the administrator within the Active Directory Users and Computers console, although it is possible to configure this using Environment Manager if required.

Redirecting Folders to User Home Drives with AppSense Environment Manager

Open the Environment Manager Console. Navigate to the Policy Configuration area of the console:

Navigate to the User | Logon node. Select the Add Node option and rename the new node to Redirect Folders:

From the Actions tab, expand the File & Folder ribbon option and select the Folder Redirection action:

Select Add, then choose the folder you wish to redirect from the drop-down in the Known Folder column. Enter the location to which you wish to redirect the folder in the Destination column. Repeat this process for each folder you wish to redirect:

Click OK to complete the Folder Redirection action.

File & Folder Manipulation

Once folder redirection has been configured, the need to manipulate specific files and folders is reduced dramatically. However, it is still possible to control the contents of both the redirected folders and the folders remaining within the profile directory itself. The File and Folder actions are extremely useful for configuring the content of the user's Start Menu before the logon process completes. This enables a truly dynamic approach to application provisioning for the users of the physical or virtual desktop. This is achieved using the Environment Manager File Action and Folder Action. Folder Actions include the ability to create, copy or delete a folder (as well as folder redirection). File Actions include the ability to move, copy, delete, rename or modify the attributes of a file. For further details on File Actions and Folder Actions, please see the Environment Manager Administration Guide or the Environment Manager online help files. You can obtain copies of these files by registering for Environment Manager at www.appsense.com/evaluate.

Registry Key Manipulation

Registry manipulation enables the administrator to set up registry keys and values on behalf of the user for the delivered application set. Most applications require some form of default configuration to be present in order to operate correctly. The Environment Manager Registry action enables the administrator to define such registry entries before the user makes use of the application set. Registry Actions include the ability to create or delete registry keys and to set, create or delete values, or set a default value, for those keys. Additionally, it is possible to import desired-state settings from an existing machine or an exported registry file, or even to manipulate registry settings using registry hiving.
For further details on the Registry Action Wizard, please see the Environment Manager Administration Guide or the Environment Manager online help files.
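The following is an added example, not AppSense code: it shows what the Folder Redirection action and a per-user Registry action ultimately do, by writing the redirected locations for Desktop and My Documents into the user's User Shell Folders registry key at logon and moving any existing content across. It also serves the Migration section later in this guide, where existing profile folders are copied to the home drive before redirection. Assumptions: the home drive is already mapped as H: (as in the guide's example), the destination folder names Desktop and Documents are a choice for illustration, and the script runs in the user's own logon context.

```powershell
# Added example, not AppSense code: redirect Desktop and My Documents to the
# user's home drive and migrate existing content. H: and folder names assumed.

$HomeDrive = 'H:'   # assumed: mapped by AD (home directory) before logon actions run

# Known folder -> (User Shell Folders value name, destination on the home drive)
$Redirections = @{
    'Desktop'     = @{ Value = 'Desktop';  Path = "$HomeDrive\Desktop" }
    'MyDocuments' = @{ Value = 'Personal'; Path = "$HomeDrive\Documents" }
}

function Set-KnownFolderRedirection {
    param(
        [Parameter(Mandatory)][string] $ValueName,    # e.g. 'Personal' for My Documents
        [Parameter(Mandatory)][string] $Destination,  # e.g. H:\Documents
        [switch] $MigrateExisting                     # copy the current contents first
    )
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

    # Current location, with %USERPROFILE% style values expanded.
    $current = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $current = [Environment]::ExpandEnvironmentVariables([string]$current)

    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    }

    # Migration step: bring what is in the old (profile-local) folder over once.
    # /E copies subfolders, /XO never overwrites a newer file already on H:.
    if ($MigrateExisting -and $current -and ($current -ne $Destination) -and (Test-Path -LiteralPath $current)) {
        robocopy $current $Destination /E /XO /R:1 /W:1 /NP /NFL /NDL | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE) migrating $current" }
    }

    # Windows stores these as REG_EXPAND_SZ; keep the type so %VAR% values still expand.
    Set-ItemProperty -Path $key -Name $ValueName -Value $Destination -Type ExpandString
    return [pscustomobject]@{ Value = $ValueName; Old = $current; New = $Destination }
}

foreach ($folder in $Redirections.Keys) {
    $r = $Redirections[$folder]
    $result = Set-KnownFolderRedirection -ValueName $r.Value -Destination $r.Path -MigrateExisting
    Write-Host ("{0,-12} {1} -> {2}" -f $folder, $result.Old, $result.New)
}

# Explorer and applications pick up the new locations on the next logon, or
# after Explorer restarts. Check with:
#   [Environment]::GetFolderPath('MyDocuments')    # expected after re-logon: H:\Documents
```

Two points a practitioner would check before deploying this: the home folder on H: must already carry permissions that give the user (and the backup service account) access and nobody else, since redirection moves data from the machine's profile ACLs to the file server's; and Application Data is deliberately not redirected here, because some applications keep locks or databases there that perform poorly over SMB.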

Policy Enforcement

Administrators require a greater degree of flexibility when it comes to managing what users can access on the physical or virtual desktop. We have already seen how folder redirection needs to be implemented to reduce profile size and potentially prevent users from saving work on the local drive (C:\) of the physical or virtual desktop. Folder redirection alone will not prevent the user from being able to gain access to the local drive. It is commonly acknowledged that if a user gains access to the local drive (C:\), then this is where they will save their data. It also means that the desktop build is potentially no longer in its original build state and technically needs to be rebuilt or re-imaged. By introducing Environment Manager Lockdown technology into the physical and virtual desktop build, the administrator can prevent users from gaining access to the areas of the system that need to be hidden in order to preserve the quality of the build. Lockdown acts on the application's user interface; it complements, rather than replaces, the NTFS permissions that remain the authoritative control on what the user's account can read and write. An example of stopping users accessing the local drive is shown below: a user has accessed the Open dialog box from an application (in this simple example we use Microsoft Notepad).

The user simply has to type C:\windows to access a part of the operating system that should technically be out of bounds to users. Locking this functionality down using standard Microsoft operating system policies is difficult: preventing the user from accessing the local drive (C:\) using file system security will also prevent the application from accessing the drive, and the application will almost certainly stop functioning correctly. We also note that occasionally applications do not function correctly when they cannot directly see the folder structure here, so simply applying the hidden attribute to the folders may not necessarily be the correct solution for all applications.

However, by implementing Environment Manager, an administrator is able to restrict the user from gaining access to the local drive (C:\) without affecting the functionality of the application set in use. This is achieved by applying Lockdown actions. These can be applied from the Policy Configuration side of the console by creating a user-specific trigger node. In this example we are going to lock down the Notepad Open dialog as soon as the user logs on. To do this:

From within the Environment Manager Console, navigate to the Lockdown tab on the ribbon.
Select the Blocked Text Library ribbon option:

Add a blocked text list and name it System Drive Access. We now must identify the text that needs to be prevented.

This will ensure that the local drives listed above cannot be accessed. Please note that we have also added \\ to prevent the beginning of any UNC path from being typed into this text entry box. Click OK to continue.

From within the Environment Manager Console, navigate to the Lockdown tab on the ribbon.
Select the Blocked Message Library ribbon option:

Choose to add a message and configure it how you would like it to appear to users:

Click OK to continue.

Launch Notepad.exe as the administrator and open the Open dialog.

From within the Environment Manager Console, navigate to the User | Logon node. Select the Add Node option and rename the new node to Lockdown:

From the Lockdown tab, select the General Wizard. In the General Wizard dialog, select the Spy Tool, hold down the left mouse button, drag the pointer over the File Name edit box in the Notepad Open dialog and release it there.

The spy tool then identifies the parts of the application that can be locked down:

Highlight the edit control filtered option and select OK. Select the message you would like to associate with this locked-down control and choose the Blocked Text Lists to apply:

Click OK to continue. Save and deploy the configuration to the endpoint. The next time the user attempts to enter any of the blocked text into the Notepad Open dialog, they are prevented from doing so:

Other useful lockdown actions that could be enforced include:
Internet Explorer settings (prevent users deleting history, etc.)
Preventing users from changing network settings
Locking down certain context menus
Locking down certain shortcut keys (Print Screen, etc.)
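As an added example, not AppSense code and not a description of how the Environment Manager agent is implemented, the function below shows the kind of check that sits behind a blocked-text list such as the System Drive Access list configured above, and why it should canonicalise what the user typed before matching: a literal comparison against "C:\" catches the guide's C:\windows example but not forward slashes, environment variables such as %SystemRoot% (which the Open dialog expands), file:// URIs or the \\?\ long-path prefix. The block list entries and the sample inputs are constructed for illustration; the drive letters are an assumption modelled on the guide's screenshot.

```powershell
# Added example, not AppSense code: evaluate typed text against a blocked-text
# list after canonicalising it. List entries and sample inputs are constructed.

$BlockedTextList = @('C:\', 'D:\', 'E:\', '\\')   # local drives plus the UNC prefix, as in the guide

function ConvertTo-CanonicalPathText {
    param([Parameter(Mandatory)][string] $Text)
    $t = $Text.Trim().Trim('"')

    # file:///C:/x (local) and file://server/share (UNC) spellings
    if ($t -match '^file://') {
        $t = [uri]::UnescapeDataString($t.Substring(7))
        if ($t.StartsWith('/')) { $t = $t.TrimStart('/') } else { $t = '\\' + $t }
    }
    # %SystemRoot%, %SystemDrive%, %ProgramFiles%... are expanded by the common dialog
    $t = [Environment]::ExpandEnvironmentVariables($t)
    # forward slashes and the long-path prefixes are equivalent spellings
    $t = $t -replace '/', '\'
    $t = $t -replace '^\\\\\?\\UNC\\', '\\'
    $t = $t -replace '^\\\\\?\\', ''
    # bare "C:" (drive-relative) is treated as the drive root for this purpose
    if ($t -match '^[A-Za-z]:$') { $t += '\' }
    return $t
}

function Test-BlockedText {
    param(
        [Parameter(Mandatory)][string] $Text,
        [string[]] $BlockList = $BlockedTextList
    )
    $canon = ConvertTo-CanonicalPathText -Text $Text
    foreach ($entry in $BlockList) {
        # Case-insensitive prefix match: "c:\windows" is blocked by the entry "C:\"
        if ($canon.StartsWith($entry, [System.StringComparison]::OrdinalIgnoreCase)) {
            return [pscustomobject]@{ Blocked = $true; MatchedEntry = $entry; Canonical = $canon }
        }
    }
    return [pscustomobject]@{ Blocked = $false; MatchedEntry = $null; Canonical = $canon }
}

# Constructed inputs: the guide's own example, then spellings a literal match misses,
# then a legitimate path on the redirected home drive that must stay allowed.
$samples = @(
    'C:\windows',
    'c:/windows/system32',
    '%SystemRoot%\system32',
    '\\?\C:\Users',
    'file:///C:/Windows',
    '\\fileserver01\admin$',
    'H:\Documents\report.docx'
)
foreach ($s in $samples) {
    $r = Test-BlockedText -Text $s
    $verdict = if ($r.Blocked) { "BLOCKED by '$($r.MatchedEntry)'" } else { 'allowed' }
    Write-Host ("{0,-28} -> {1,-20} canonical: {2}" -f $s, $verdict, $r.Canonical)
}
```

Whatever product enforces the list, the test set above is worth running against it: a typed-text control is only as good as the spellings it recognises, and it governs one edit control in one application. The redirected home drive remains allowed because the list is a prefix match on drive letters, which is also why the drive letters in the list must match the image (a D: data partition that is not listed is not blocked).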


User Personalization
Environment Manager 8.0 utilizes an on-demand streaming solution to resolve the issue of managing user personalization. When the user logs on, only the personalization settings required at that point are loaded, meaning much faster logon times. As the user starts to make use of applications, the application-specific personalization settings are streamed down from a centralized SQL server when each application is launched. When the application is closed, only the changes made by the user and written out by the application are synchronized back to the central database. This allows application personalization settings to be shared across concurrently open sessions without the user having to log off and back on again.

In order to enable this functionality, the user must access the Home tab from the Policy Configuration side of the console and select the Enable User Personalization option in the ribbon:

On the Select Personalization Server dialog, select the Add Server option, enter the Friendly Name and Server Name (or IP address) of the Personalization Server you wish to connect to, and click OK.

Finally, click Connect to connect the Environment Manager Console to the selected Personalization Server. It is recommended that the Environment Manager Policy Configuration now be saved so that these connection details will be remembered. Next click on the User Personalization navigation option:

From the Personalization tab on the ribbon bar, select the Connect option. This presents a list of the available Personalization Servers. Identify the relevant Personalization Server and select Connect. On the User Personalization tree in the left-hand column of the console, expand Personalization Groups and select the Default Users group. In the right-hand pane, select the Settings tab. In the Processes box, ensure the Manage All Processes option is enabled (it should be enabled by default). This will ensure that any application a user launches that is not blacklisted is discovered and managed automatically, reducing the overhead of administrators having to identify which applications are being used by users.

Alternatively, it is possible to create a whitelist of managed applications. Only those processes listed in the whitelist will be managed (that is, if the Manage All Processes option has been disabled). An empty Default Whitelist application group is added to the whitelist by default. It is also possible to create a blacklist of unmanaged applications. A Default Blacklist application group is added to the blacklist by default. This ensures that certain applications are not managed by the Environment Manager Agent.

Desktop Settings

By default, Environment Manager 8.0 will manage all user desktop settings out of the box, assuming the User Personalization option has been enabled. Desktop settings include:
Accessibility settings
Appearance settings
Cursors
Keyboard settings
Language settings
Mouse settings
Screen Saver settings
Certificates

These settings are synchronized to the SQL database at logoff and restored again when the user next logs on. Once the Environment Manager Agent and configuration have been deployed to the physical or virtual endpoint, the management of personalized settings for users takes place automatically.

Offline Support

For mobile users who make use of notebook devices, it is possible to have their personalized settings roam with them whilst offline and then synchronize their latest settings once they return online. Each time a user logs onto a managed endpoint, a Personalization Cache is created locally which contains the virtualized registry and file system settings that have been manipulated by the user during that session. By default, when the user logs off, this local Personalization Cache is purged to ensure disk space is not unnecessarily consumed. By enabling Offline Mode, this local Personalization Cache is retained at logoff so that the user's personalized settings are still available to them whilst they roam. Note that a retained cache holds the user's registry and file settings, including the certificates listed above, so it is only as well protected as the notebook's disk.

Offline mode is enabled on a per personalization group basis. It is enabled from the Settings tab of the selected Personalization Group:

Migration

Migration can come in many forms: from physical to virtual desktop; from a local or roaming profile to a mandatory profile; or from one Windows operating system to another, such as Windows XP to Windows Vista. Introducing users to a new virtual desktop environment in a greenfield scenario is a relatively simple process, since there are no previous configuration or usage expectations from the user population. However, migrating users from an existing physical desktop to a brand new virtual desktop can often lead to user personalization being lost in the process, and hence to user dissatisfaction, especially when migrating across operating system boundaries. Ensuring that the user's transition to a virtual desktop is as transparent as possible is a key ingredient in the success of the project.

Fortunately, this painful issue can easily be mitigated by implementing Environment Manager in the existing physical desktop environment, whether or not it makes use of a local or roaming profile. Once installed, Environment Manager 8.0 can be configured, on a per Personalization Group basis, to be switched into Migration Mode. By default, Environment Manager 8.0 uses a technique called virtualize on write, which intercepts any attempted application writes to the physical registry or file system and redirects these settings to the local Personalization Cache. With Migration Mode switched on, Environment Manager instead uses a technique called virtualize on read, which reads in the local or roaming profile's session and application-specific settings as and when the user uses them. This setting needs to remain switched on for a period of time to ensure that all the profile settings are successfully migrated.

Migration Mode is enabled on a per personalization group basis. It is enabled from the Settings tab of the selected Personalization Group:

Environment Manager should also be configured to copy existing profile folders (e.g. Desktop and My Documents) from the current profile to the location to which you ultimately wish to redirect those folders. In our example from earlier, this would be the user's home drive (H:\). This means users can now be migrated without losing any of the personal settings contained within the existing physical environment. It also means that, following user migration, all personalization information is located and managed centrally, away from the physical or virtual desktops themselves.

Personalization Analysis
Environment Manager 8.0 includes a rich and interactive set of reports and graphs providing visibility into personalization activity across the desktop environment and the application landscape. This allows the administrator to identify trends in profile use and potential bottlenecks, enabling extraneous data to be omitted from the user profile where necessary. The Personalization Analysis mechanism allows the administrator to filter reports based on personalization group, user or individual application. Application personalization settings for each user can be manually edited by the administrator within the console and immediately streamed down to the user on next use. Personalization Analysis is initiated on a per personalization group basis. Within the User Personalization area of the Environment Manager Console, expand the Personalization Groups tree in the navigation pane and select the Default Users group.

On the Tools ribbon select the Personalization Analysis option from the Management section:

The Personalization Analysis dialog is launched for the Default Users Personalization Group:

It is now possible to generate reports based on:
Application Size
Application Usage
Available Archives

Personalization Analysis Based on Application Size

Environment Manager 8.0 can be used to identify the size of the personalization settings on a per user or per application basis. The screenshot below shows an Application Size report based on the users held within the SQL database:

This example shows that the personalization settings for the user PROFILEDEMO\Test total around 4 MB in size. If the administrator now clicks on the bar graph for the PROFILEDEMO\Test user, this 4 MB total of personalization settings is then broken down into the individual desktop and application personalization settings for that user. We can then start to see what the user personalization settings are made up of and which applications are utilizing the most storage space. In the example below you can see that the desktop settings take up most of the total followed closely by winword.exe and outlook.exe personalization settings. You will also note that some of the applications are displayed in orange whilst others are displayed in blue. Those applications in orange are termed managed applications as they have been manually added to a whitelist by the administrator. Those applications in blue are termed discovered applications as they have been discovered by the Environment Manager Agent when the Manage All Processes option was enabled.

It is now possible to convert a discovered application to a managed application by right-clicking on the relevant discovered application and choosing the Convert to managed application... option.

This will add the discovered application to the list of managed personalization applications. Alternatively, you can add the discovered application directly to a whitelist or blacklist for the selected personalization group, which also automatically adds it to the list of known personalization applications, by choosing either the Add to <personalization group>'s whitelist or Add to <personalization group>'s blacklist option respectively. As you can see from the menu options above, it is also possible to delete the personalization settings for an application from here, or even to edit the registry settings associated with the personalized settings. Editing the application registry settings launches a registry browser which allows the administrator to amend the stored personalization settings for that user's application. The example below shows the personalization settings stored for notepad.exe for the user PROFILEDEMO\Test:

The administrator could now easily change the font type from Arial to Webdings and the user would receive this updated font the next time they launched notepad.exe. NOTE: Caution should be exercised when editing registry settings using this method, as this can result in personalization inaccuracies.

Personalization Analysis Based on Application Usage

Environment Manager 8.0 can be used to identify the usage count of applications on a per user or per application basis. By entering values for the Start Date and End Date, details of application usage can be provided for the user within the period selected. The screenshot below shows an Application Usage report based on the users held within the SQL database:

This example shows that the total number of application launches for the user PROFILEDEMO\Test is 29. If the administrator now clicks on the bar graph for the PROFILEDEMO\Test user, this information is broken down into the individual desktop and application personalization settings for that user. We can then start to see how many times each application has been launched by the user during the timescale provided. In the example below you can see that notepad.exe has been launched the most number of times during the time period selected, closely followed by winword.exe then mspaint.exe. This functionality is useful for monitoring application usage with a view to identifying application license requirements.

Personalization Rollback

One of the most common and time-consuming tasks for administrators or IT support is resolving profile-related support cases. When profile corruption or inconsistencies occur, users often complain that "it worked yesterday" and do not understand why, through no fault of their own, they are unable to work effectively. Incorrect, damaged or corrupt profiles are typically dealt with by resetting the profile and having the user rebuild their personalization settings from scratch. Environment Manager 8.0 introduces the concept of Personalization Rollback, whereby an archive or restore point can be taken of a user's personalization settings. In the event of profile inconsistencies caused by user or system error, a user's personalized settings can be restored to a last known good configuration on a per application basis. By default, a restore point is taken once per day for all users and applications stored in the database. Additionally, application restore points can be taken manually by the administrator on a per user basis at any time. Personalization Rollback is achieved via the Available Archives tab within the Personalization Analysis dialog. The administrator can search for a particular user, and the discovered and managed applications for that user will be displayed in the report. The example below shows all the discovered and managed applications for the PROFILEDEMO\Test user:

To take a personalization restore point or archive for a particular application, right-click on the chosen application and select the Archive <application name> option:

This will take a snapshot of the application settings for that user at that point in time. The time-stamped archive, along with details of its size will now be available from within the list:

If a user makes a modification to an application that causes inconsistencies with the personalization settings, rather than destroy the whole user profile, the selected archive for that specific application can be restored. This is achieved by right-clicking on the relevant archive and choosing the Roll back this archive option:

As you can see archives can also be deleted from the database from here. This functionality offers a powerful and flexible alternative to current methods of restoring user profiles in the event of profile inconsistencies or corruption.


Reducing the number of base build images


We have discussed and demonstrated how we can best personalize both physical and pooled VDI images, but we must still address a key challenge regarding the number of base images required by the enterprise. A lower number of base builds means less management complexity and a significantly smaller amount of network storage space to house the images. This is of course a very easy statement to make, but significantly less easy to deliver, since the images themselves will need to include all applications and their associated shortcuts. The additional complexity then falls on the administrator, who needs to work out how to allow only the users who hold licenses for the applications to access them, and to revoke access from those who do not. Environment Manager reduces the complexity of the build by managing this aspect of it. Using Environment Manager's Policy Configuration technology, you can assign application shortcuts based on certain criteria, e.g. Active Directory group. In the example below, when a user logs on they receive all available shortcuts; they have no need for Microsoft Access, but because other users require it, it has to be part of the build and present, and the associated licenses are required.

If Environment Manager is present we can very easily tailor the physical or virtual desktop based on the following criteria or indeed a hybrid of the criteria to deliver a truly granular approach for the administrator (for example User Group = Access Users AND the Device Name of the image begins with Virtual):

In this case any user who is a member of the Access Users Group who is logging onto a device name beginning with Virtual is automatically assigned the relevant shortcut. This time when the user logs on they only see the application shortcuts that are applicable to them.

Note: By introducing AppSense Application Manager, another product in the AppSense solution set, administrators also have the ability to prevent users from actually executing applications that are not made available to them, even if they manage to locate the application binaries within the virtual image. For example, a user may not have a shortcut to Microsoft PowerPoint, but if they are sent a PowerPoint presentation as an email attachment, double-clicking the attachment would launch PowerPoint. Application Manager would prevent this by disallowing PowerPoint from executing for that user, thereby restricting the user to his or her authorized applications. As an alternative to this scenario, Environment Manager could be used to substitute alternative technology for the standard application by dynamically altering file associations to deliver the right application to the right user in real time. An example here is the use of the PowerPoint Viewer instead of the full PowerPoint product, potentially saving on application licensing or restricting the user to reading presentations sent through email. Further details of the Application Manager product can be found at www.appsense.com
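As an added example, not AppSense code, the logon script below expresses the condition configured above (User Group = Access Users AND device name beginning with Virtual) in PowerShell and creates or removes the corresponding Start Menu shortcut, so that a single base image can carry every application while each user sees only the shortcuts that apply to them. The group names, the Office install paths and the Virtual* device-name prefix are assumptions taken from the guide's example; the script assumes it runs at logon in the user's context and that the shortcuts live in the per-user Start Menu (a fresh one on every logon under a mandatory profile).

```powershell
# Added example, not AppSense code: conditional Start Menu shortcuts evaluated at
# logon. Group names, binary paths and the Virtual* prefix are assumptions.

function Test-UserInGroup {
    param([Parameter(Mandatory)][string] $GroupName)
    # Evaluate against the logon token's groups (domain or local), no AD module needed,
    # so nested group membership is honoured exactly as Windows itself sees it.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { continue }
        if (($name -split '\\')[-1] -ieq $GroupName) { return $true }
    }
    return $false
}

function Set-ConditionalShortcut {
    param(
        [Parameter(Mandatory)][string] $ShortcutPath,      # full path of the .lnk
        [Parameter(Mandatory)][string] $Target,            # application binary
        [Parameter(Mandatory)][scriptblock] $Condition     # returns $true to grant
    )
    if (& $Condition) {
        if (-not (Test-Path -LiteralPath $ShortcutPath)) {
            $shell = New-Object -ComObject WScript.Shell
            $link  = $shell.CreateShortcut($ShortcutPath)
            $link.TargetPath = $Target
            $link.Save()
        }
        return 'granted'
    }
    # Condition not met: remove any shortcut the build placed in the Start Menu.
    if (Test-Path -LiteralPath $ShortcutPath) { Remove-Item -LiteralPath $ShortcutPath -Force }
    return 'removed'
}

$startMenu = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'
$office    = Join-Path $env:ProgramFiles 'Microsoft Office\Office12'   # assumed install path

$rules = @(
    @{ Name = 'Microsoft Access'
       Target = Join-Path $office 'MSACCESS.EXE'
       # The guide's hybrid condition: licensed group AND a pooled virtual desktop.
       Condition = { (Test-UserInGroup 'Access Users') -and ($env:COMPUTERNAME -like 'Virtual*') } },
    @{ Name = 'Microsoft PowerPoint'
       Target = Join-Path $office 'POWERPNT.EXE'
       Condition = { Test-UserInGroup 'PowerPoint Users' } }
)

foreach ($rule in $rules) {
    $lnk = Join-Path $startMenu ($rule.Name + '.lnk')
    $outcome = Set-ConditionalShortcut -ShortcutPath $lnk -Target $rule.Target -Condition $rule.Condition
    Write-Host ("{0,-22} {1}" -f $rule.Name, $outcome)
}
```

As the note above already makes clear, removing a shortcut changes what the user sees, not what the user can run: the binary is still in the image and reachable through file associations or a typed path, so licence enforcement needs an execution control (Application Manager, or AppLocker / Software Restriction Policies) alongside the shortcut logic.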


Conclusion
In its simplest terms, a physical or virtualized desktop environment can be seen as the combination of an operating system, a set of applications and the personality of the user. That personality comprises a combination of corporate policy and user preferences. The key to effective management of the user experience, and hence to happy and productive users, is finding the balance between these aspects of the user personality, as well as the ability to implement modifications when needed. The management of this personality is central to the AppSense user environment management solution. As has been presented in this guide, attempting to manage all aspects of a user's personality in both a physical and virtual desktop environment without the appropriate tools is a significant challenge. AppSense technology has been designed from inception with this challenge in mind. There are three key challenges to a successful mixed-environment implementation that user environment management can significantly impact:

Migrating users from a physical to a virtual desktop: ensuring a smooth, low-cost migration that approaches the point where users would be unaware that anything had changed.

Managing the user environment: by abstracting the user personality from the physical or virtual desktop and centralizing this information, policy and personalization can be more easily managed across operating system boundaries and application delivery mechanisms.

Moving to a pooled virtual image solution: pooled environments deliver a fresh, clean image to a user every time they log on. This eliminates most common patching issues and delivers great service and cost characteristics. However, the user's personality must be delivered to the virtual desktop image as they log on.

By combining tailored corporate policy with user personalization and managing this separately from the desktop, the user's working environment is predictable, managed and flexible regardless of how it is accessed.
The IT department is now able to use a combination of delivery mechanisms with no impact to the user experience.


The information contained in this document (the Material) is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Neither AppSense nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose. 2000-2008 APPSENSE LIMITED. ALL RIGHTS RESERVED AppSense is a registered trademark of AppSense Ltd. All other brands or product names are trademarks or registered trademarks of their respective companies.
