FSLogix has long had some cool features, especially outside of the container aspect of the suite. FSLogix App Masking is widely used to control access to sensitive applications, or even do “reverse layering” to skin different application sets from single golden images.
App Masking has long been the go-to technology when wanting to hide apps in this way, but in many environments, I also tend to see a push to try and simplify the technology stacks in use. This probably explains why Citrix have now given us the same basic “App Masking” functionality in a new UPM feature called App Access Control. For customers already using UPM, it probably makes sense to roll this functionality into the core UPM product and not have to lean out onto FSLogix for this additional tooling.
I’m not sure how App Access Control operates under the hood but am assuming it probably uses a filter driver like FSLogix does, possibly the same one used for App Layering, although this is just idle speculation on my part. It only replicates (at the moment!) the “Hiding” functionality of FSLogix that can hide or reveal filesystem entries or Registry entries – there is no current equivalent to the infinitely-useful but little-known FSLogix Redirection Rules.
Setting it up
Firstly, you need to install UPM version 2303 or later which contains this (and other, soon-to-be-blogged) cool new features. Get it installed on your endpoints. I had a little bit of chew upgrading from 2209, which resulted in me rebuilding a couple of devices, so be careful.
Also make sure you get the new ADMX files from your UPM installation and add them to your Group Policy stores so you can activate the new functionality.
Create a blank GPO for your App Access Control rules ahead of starting this. You should also create AD groups if that’s how you’re going to deploy your rulesets.
Next we need to run a PowerShell script which is in the UPM installation files. It is in a subfolder called Tool and is called CPM_App_Access_Control_Config.ps1
When you run this script (you need to run it as admin), it will first tell you that there’s a GUI tool available to do it from the WEM Hub which you can download from Citrix Cloud. Right at the minute, you can’t get it because it’s not in the WEM Hub yet, but I will update this post when it is available.
So for the minute we just need to run the PowerShell to generate our rules and the policies.
There are a bunch of apps already defined but listed as “Not Configured” when you run the Tool; these are simply read from your local device and aren’t a preloaded list (I was a tad confused at first!)
Firstly hit A and then add the name of the application you’re going to manage. I chose Notepad++. This simply adds an entry to the index and gives it a number – make a note of the number (36 in my example)
Next, enter the new app’s number into the script so you can edit it
Firstly it will ask for the installation path of the app (wherever it is installed – you don’t have to run the config script on a device where the app is installed, you can just provide the info). I know Notepad++ installs into c:\Program Files\Notepad++ so I will input this
Next you can see we have options 4-9, which deal with adding or removing files/folders and Registry entries. Let’s add in the Registry keys/values and filesystem entries that we know are pertinent to Notepad++. For both filesystem and Registry, you can add multiple entries at once separated by the pipe character (|), or simply add them one by one.
I can now review what I have input using options 4 and 5 (for files and folders) or 6 and 7 (Registry keys and values).
You may be thinking that using the FSLogix Rules Editor’s “Scan” function would be really handy here for finding out what you need to be adding, and you’d be right 🙂 Let’s hope Citrix add something similar to the GUI tool they are producing, either in the first or later releases. For now, you can install the Rules Editor if you need to analyze the app rather than guessing.
Once you’ve added all the paths you need, choose option 0 to assign the rules to a user, group, OU, computer or process (or any combination of the above). We are simply going to apply them to a group called “UPMHidingRule_NotepadPlusPlus” which we created earlier, so we use option 6 – choose the option you require as necessary.
Once you’ve configured your assignments choose option 4 to generate the rules for assignment to machines
You can choose to apply them to the local machine, not apply them at all (which seems a bit mental) or apply them to a GPO. I’m not clear here how you’d apply them through Citrix Studio, if that is how you deploy your UPM settings, but maybe it gives you that option if you run it from a machine with Studio installed (I haven’t checked as I don’t often spin up my on-premises kit these days). I choose the option to deploy to a GPO because I do my Citrix policies in AD. It will then enumerate your domain and ask you which GPO to apply them to, so it helps if you’ve created a blank one before starting like I did. Give it the number of the GPO (probably the last in the list if you’ve just created it)
This will then automatically populate your GPO by enabling the policy for App Access Control (in a sub-node of Profile Management) and populating the rules
The weird thing is if you edit the GPO directly the policy shows as Enabled, but the “Rules” section is blank. Maybe this is just a glitch.
Once you apply this GPO to your target machines, the Registry will be populated under HKLM\Software\Policies\Citrix\UserProfileManager\AppAccessControlRules as below.
Note that there are zero other UPM settings configured. You don’t need to set the UPM policy for UPM to be “Enabled” for App Access Control to work – all it needs is the Citrix Profile Management service to be running and the rules to be applied to the Registry in some way. This is similar to FSLogix in that the “profile” components are mostly separate from the “app masking” ones.
This is all you need to do, once those rules are on your target devices you just need to test.
So I’ve added my test user into the AD group that hides Notepad++ and opened up a session. As you can see, Notepad++ is not visible in the Start Menu, and neither can you see the “Edit with Notepad++” option when you right-click a compatible file.
But if I take the user out of the “hiding group” and then log out and back in, the shortcut and the context menu are both now visible.
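If you want something more repeatable than eyeballing the Start Menu, here is a PowerShell check I’d run inside the test user’s session to confirm the rules reached the machine and are biting for that logon (an added example, not the script from the UPM installation files); the service display name, the token-based group check and the Test-Path probe are my assumptions about how to observe the behaviour described above.

```powershell
# Added example (not from the post or from Citrix): verify App Access Control
# prerequisites and its effect on a target machine, run in the test user's session.
# Assumptions: service display name 'Citrix Profile Management'; app path and
# group name are the ones used in the post; the machine is domain-joined.

$RulesKey    = 'HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager\AppAccessControlRules'
$AppPath     = 'C:\Program Files\Notepad++'
$HidingGroup = 'UPMHidingRule_NotepadPlusPlus'

# 1. Only the UPM service needs to be running; the full UPM "Enabled" policy is not required.
$svc = Get-Service | Where-Object DisplayName -eq 'Citrix Profile Management'
if (-not $svc) { Write-Warning 'Citrix Profile Management service is not installed' }
else          { "Service '$($svc.Name)' status: $($svc.Status)" }

# 2. The GPO editor may show the Rules pane blank, so the registry is the place to check.
if (Test-Path $RulesKey) {
    $key = Get-Item $RulesKey
    "Rules key present: $($key.ValueCount) value(s), $($key.SubKeyCount) subkey(s)"
    Get-ItemProperty $RulesKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    Write-Warning "Rules key missing: $RulesKey (GPO not applied yet? try gpupdate /force)"
}

# 3. Membership is read from the logon token, which is why a change to the AD group
#    only takes effect after the user logs off and back on.
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inGroup = $token.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
} | Where-Object { $_ -like "*\$HidingGroup" }
"Logon token contains '$HidingGroup': $([bool]$inGroup)"

# 4. Effective result: the masked install folder should be invisible to a member of the group.
$visible = Test-Path $AppPath
"App path visible to $($token.Name): $visible (expected: $(-not [bool]$inGroup))"
if ($visible -eq [bool]$inGroup) { Write-Warning 'Masking state does not match group membership' }
```

Run it once with the user in the hiding group and once after removing them and logging back on; the two outputs should differ only in the token and visibility lines.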
There you go – a nice simple way to do app masking in UPM natively.
Update – the WEM Tool Hub is now available which allows you to set up and target App Access Control rules through a GUI, so no more messing with PowerShell as above 🙂
This is a cool feature, and now with the GUI available, it’s pretty straightforward to use. What it does lack are the more advanced FSLogix features such as Redirection Rules. It would also be good if we could choose to “Hide” or “Show” apps for specific groups rather than just having the option to hide them only. Hopefully, though, this feature will continue to evolve and become much more developed and feature-rich in future.