Desktop and Application Streaming

Simplify Amazon AppStream 2.0 image management with Application Masking

Application Masking manages access to applications, fonts, and other items for end users based on criteria determined by administrators. Application Masking is one of the features available in FSLogix. With Application Masking, administrators can show or hide applications and folders based on Active Directory security group membership, or based on an assigned Amazon AppStream 2.0 stack. We’ve previously written about the benefits of FSLogix for optimizing application settings persistence in Amazon AppStream 2.0 with Profile Containers.

Application Masking has several benefits for Amazon AppStream 2.0 Desktop View customers:

  1. Simplifies image management. AppStream 2.0 administrators might maintain several fleets for different user groups. With Application Masking, the administrator could install all their applications on a single “golden” image. Application Masking shows the correct applications to users in each fleet based on Active Directory security group membership. Similarly, entire directories can be hidden or made visible to certain groups of users without the need for multiple images or Group Policy.
  2. Assists with license compliance. An administrator might want to provide licensed software to a certain restricted list of end users. Administrators can add the licensed software to their AppStream 2.0 image, and then configure Application Masking to show the users only the software they are entitled to.
  3. Improves end user experience. In a previous blog, we covered using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0. AppLocker allows administrators to control which applications users are authorized to run. However, with AppLocker, application files and executables remain visible and throw an error should the user try to launch an application they are not authorized to run. Application Masking not only removes access but also hides applications (and other resources) on the Windows Start menu, in File Explorer, and on the user’s Desktop. This provides a simpler, potentially less frustrating experience for end users.

In this blog, we walk through the steps required to set up Application Masking in AppStream 2.0. We look at entitling specific end users to applications in two ways.

  1. Stack assignment. Can be used by customers who do not join their fleets to a domain. If you do not want to entitle users to applications based on Active Directory security group membership, you can use this strategy. It can also be used by customers who provide access to end users with a streaming URL or with User Pools.
  2. Active Directory security group membership. Can be used by customers who join their fleets to a domain, and want to use Active Directory group membership for entitlement.

Note that Application Masking does not make changes to the application catalog provided by Application View fleets. Customers using Application View fleets that are domain joined can use the Dynamic Application Framework to build a solution which creates an application catalog based on a user’s Active Directory security group membership.

Prerequisites:

  • An AWS account
  • An AppStream 2.0 environment with image builder, stack, and fleet.
  • For customers who have joined their AppStream 2.0 fleets to a domain, and want to use Active Directory groups to manage application entitlement:
    • An image builder and fleet joined to the domain. If your AppStream 2.0 fleet is not already configured in this manner, you can follow the instructions in Using Active Directory with AppStream 2.0.
    • An Active Directory group to which you will add entitled end users.
    • Access as a domain administrator, or a user with delegated permission to create a group and add domain users to that group.
  • AppStream 2.0 fleets that are configured to use Desktop View. If you are utilizing Application View in your fleets, FSLogix Application Masking will not automatically update the application catalog that is visible to users. For that scenario, use the AppStream 2.0 dynamic application framework to build a dynamic app provider.
  • You meet the entitlement requirements for FSLogix.

Entitle users to applications using stack assignment

In this section, we cover the steps to entitle end users to applications based on their assigned stack. We describe the steps to install and configure FSLogix Application Masking on an AppStream 2.0 image. We use AppStream_Stack_Name, one of the predefined user and instance metadata environment variables that AppStream 2.0 sets in every session.

For example, you have two groups of users with different application requirements: group-1 and group-2; and you have a stack assigned to each user group (Group1Stack and Group2Stack) and a fleet associated with each stack (Group1Fleet and Group2Fleet). Application Masking allows the same image to be associated with both fleets. When your end users launch a session, the FSLogix agent reads the value of the AppStream_Stack_Name environment variable. The agent shows only the applications that particular group of users is entitled to see.

Step 1: Prepare the Image Builder

  1. In the AppStream 2.0 console, choose and launch or connect to an existing image builder.
  2. Log in to the instance as the Administrator local user.
  3. Download FSLogix from Microsoft on the image builder. The download contains both the FSLogix Apps agent installer (FSLogixAppsSetup.exe) and the Rules Editor installer (FSLogixAppsRuleEditorSetup.exe). Run both: the Rules Editor is only the authoring tool, while the agent provides the FSLogix Apps service that compiles and enforces the rules on the image and on the fleet instances built from it.
  4. Complete the installation wizard using the default options.
  5. Once installation is complete, stop and then re-launch your image builder.
  6. Start the FSLogix Rules Editor.

Step 2: Create a Rule Set

  1. Connect to the image builder as the Administrator local user.
  2. Open the FSLogix Rules Editor
  3. Create a rule set, and select the applications or folders you’d like to make visible only to a specific set of users. FSLogix automatically detects dependencies for the application (for example, associated shortcuts, Start menu items, application folders under Program Files, etc.). Alternatively, create a “hiding” rule to hide a specific resource. For more detail, refer to the official FSLogix documentation on creating your first Rule Set.

    Select the application you want to hide in the Rule Editor

NOTE: Never hide applications or folders AppStream 2.0 requires for normal operation. This includes applications containing the name “Photon,” “NICE,” “AWS,” or “Storage Connector.” Hiding these applications can cause your AppStream 2.0 instance to become unstable, or unreachable.

Step 3: Test the rule set

  1. Select the Rule Set in the left-side panel of the Rules Editor, then select Apply Rules to System. The rules within your Rule Set will be applied to your system. If your rule was a hiding rule on an application, the application will no longer be visible on the system.

    Test out your rules by clicking Apply Rules to System

  2. Validate that all associated shortcuts and application folders disappear as expected.

Step 4: Configure Rule Set Assignments

  1. In the FSLogix Apps RuleEditor choose File, then Manage Assignments.
  2. Add an assignment.
  3. Select “Environment Variable.”
  4. For Environment Variable, enter AppStream_Stack_Name. This variable will be set to the stack name when end users launch an AppStream session.
  5. For Value, enter the stack name that will be assigned to the group of users to whom you want this Rule Set to not apply.

    Add an Environment Variable assignment for your rules.
  6. Assignments are evaluated in sequential order. For hiding rules, set “Yes” (under the Applied column) for Everyone. Then, set a “No” assignment for the group to which you do not want to apply your hiding rules. It’s important that you exclude the local Administrator group, so that the Rule Set will not hide applications from administrators during image creation and management.
    Assignments are evaluated in sequential order. For hiding rules, set Yes (under the Applied column) for Everyone at the top position
  7. Repeat steps 4 and 5 of this section for each stack (group of users) that you’d like to manage with Application Masking.
  8. Copy the rule files (.fxr) and assignment files (.fxa) into the rules directory located at C:\Program Files\FSLogix\Apps\Rules . Note: This location may be different if you changed the default installation directory of FSLogix.
  9. The FSLogix service will compile your rules and create .fxc and .fxac files in C:\Program Files\FSLogix\Apps\CompiledRules

Step 5: Create and deploy the image

  1. Finish creating your AppStream 2.0 image using the Image Assistant.
  2. Once the image is ready, deploy your AppStream 2.0 image to your Desktop View fleet. If you want the fleet to pick up the new image immediately, stop and then start the fleet.

Finally, test your configuration. When an end user logs in, FSLogix will read their assigned stack name from the AppStream_Stack_Name environment variable. FSLogix will apply the assigned Application Masking rules. This will hide applications not assigned to that stack.

Entitle users to applications using Active Directory group membership

Customers with AppStream 2.0 fleets joined to a domain may wish to apply Application Masking Rule Sets based on Active Directory group membership.

This can significantly reduce management and maintenance overhead of AppStream 2.0 environments. For example, a single AppStream 2.0 image, stack and fleet could be used by several groups of users with distinct application requirements. When a user launches a session, FSLogix examines the Active Directory group membership of the user. FSLogix then applies (or doesn’t apply) a particular Rule Set that hides specific applications.

Step 1: Prepare the Image Builder

  1. In the AppStream 2.0 console, choose Images and launch or connect to an existing image builder. Your image builder instance should be joined to a domain.
  2. When the image builder is ready, log in to the instance as a domain administrator.
  3. Download FSLogix from Microsoft on the image builder. Run both the FSLogix Apps agent installer (FSLogixAppsSetup.exe), which provides the service that compiles and enforces rules, and the Rules Editor installer (FSLogixAppsRuleEditorSetup.exe).
  4. Complete the installation wizard using the default options.
  5. Stop and then launch your image builder after installation completes.

Step 2: Create a Rule Set

  1. Connect to the image builder as a domain administrator.
  2. Start the FSLogix Rules Editor.
  3. Create your Rule Sets and Assignments and test the configuration as described in Steps 2 through 4 in the previous section (“Entitle users to applications using stack assignment”), with one key difference: when configuring assignments, add a “Group” assignment and choose the Active Directory group to which you want your Rule Set to not apply.

    Add a Group assignment if you want to assign rule sets based on group membership
  4. When configuring your Assignments, also exclude the Group containing your AppStream 2.0 administrators. This step ensures that FSLogix does not hide applications from administrators during future image maintenance activities.
  5. Assignments are evaluated in sequential order. For hiding rules, set “Yes” (under the Applied column) for Everyone. Then, set a “No” assignment for the groups to which you do not want to apply your hiding rules. With this configuration, your hiding rules apply to everyone except the users in the group you specify and your administrators.

    Assignments are evaluated in sequential order. For hiding rules, set Yes (under the Applied column) for Everyone at the top position
  6. Copy the rule files (.fxr) and assignment files (.fxa) into the rules directory located at C:\Program Files\FSLogix\Apps\Rules . Note: this location may be different if you changed the default installation directory of FSLogix.
  7. The FSLogix service will compile your rules and create .fxc and .fxac files in C:\Program Files\FSLogix\Apps\CompiledRules

Step 3: Create and deploy the image

  1. Finish creating your AppStream 2.0 image using the Image Assistant.
  2. Once the image is ready, deploy your AppStream 2.0 image to your domain joined Desktop View fleet. To update your fleet with the new image, stop and then start the fleet.
  3. Assign your AppStream 2.0 end users to the appropriate Active Directory groups (which you referenced when configuring Assignments in the FSLogix Rule Editor). This ensures that the correct Rule Set is applied when the end users start a session.

Finally, test your configuration. When a user starts a session, FSLogix determines if it should apply a Rule Set based on the user’s Active Directory group membership. If the user is in a group to which an Application Masking Rule Set is applied, FSLogix hides applications from the user in their session. The resources which might be hidden include application folders, shortcuts, and start menu items.
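To make the final test in both sections (stack assignment and Active Directory group membership) repeatable, the following PowerShell script is an added example, not code from the original post or from AWS or Microsoft. Run it inside a streaming session, or on the image builder, to see the inputs FSLogix evaluates (AppStream_Stack_Name and the user’s token groups), whether each rule set was compiled, and whether a given path is actually hidden for the current user. The service name frxsvc is the FSLogix Apps service; the path in $ExpectHidden is hypothetical and should be replaced with an application you masked.

```powershell
# Added example (not part of the original post). Checks what Application
# Masking will evaluate in this session and whether the rule sets are in
# effect. $ExpectHidden is a hypothetical masked application path.
param(
    [string]$FsLogixRoot  = 'C:\Program Files\FSLogix\Apps',
    [string]$ExpectHidden = 'C:\Program Files\ExampleApp'   # hypothetical
)

$rulesDir    = Join-Path $FsLogixRoot 'Rules'
$compiledDir = Join-Path $FsLogixRoot 'CompiledRules'

# 1. Enforcement comes from the FSLogix Apps service (frxsvc), not from the
#    Rules Editor. If it is absent or stopped, nothing is hidden.
$svc = Get-Service -Name 'frxsvc' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'FSLogix Apps Services (frxsvc) is not installed; no rules can be applied.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "frxsvc is $($svc.Status); rules are not being enforced."
}

# 2. Inputs the assignments are matched against. Stack-based assignments use
#    the AppStream_Stack_Name environment variable; group-based assignments
#    use the groups in the user's logon token.
$stack = $env:AppStream_Stack_Name
$user  = $env:AppStream_UserName
if ([string]::IsNullOrEmpty($stack)) {
    Write-Warning 'AppStream_Stack_Name is not set (not an AppStream session?); stack assignments cannot match.'
}
"User: $user  Stack: $stack"

# Token groups as FSLogix sees them (meaningful on domain-joined fleets).
$tokenGroups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
'Token groups:'
$tokenGroups | Where-Object { $_ -notlike 'Mandatory Label\*' } | ForEach-Object { "  $_" }

# 3. Each rule set is a .fxr/.fxa pair in Rules; the service compiles it to
#    .fxc/.fxac in CompiledRules. A missing compiled file means that rule set
#    is not in effect.
$report = Get-ChildItem -Path $rulesDir -Filter '*.fxr' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $n = $_.BaseName
        [pscustomobject]@{
            RuleSet     = $n
            Assignments = Test-Path (Join-Path $rulesDir    "$n.fxa")
            Compiled    = Test-Path (Join-Path $compiledDir "$n.fxc")
            CompiledAsg = Test-Path (Join-Path $compiledDir "$n.fxac")
        }
    }
if (-not $report) { Write-Warning "No .fxr rule files found in $rulesDir" }
$report | Format-Table -AutoSize

# 4. Effect check for this user: a path masked by a hiding rule looks as if
#    it does not exist, so Test-Path returns $false.
if (Test-Path -LiteralPath $ExpectHidden) {
    "VISIBLE: $ExpectHidden (hiding rule not applied to this user)"
} else {
    "HIDDEN:  $ExpectHidden"
}
```

Run it once as a user who should be masked and once as a user (or administrator) who is excluded by a “No” assignment; the two runs should differ only in the final VISIBLE/HIDDEN line. If the stack name or group list is not what you expected, the assignment, not the rule, is what needs fixing.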

Clean up

To remove resources created in this blog:

  1. Stop and delete the fleets that use the image(s) you created for testing.
  2. Remove Image Builder instances with the FSLogix components installed.
  3. Remove images you created using the Image Assistant.

Next steps and optimizations

  • In these steps, we saved our Application Masking rules in our AppStream 2.0 image. You can store Application Masking files (.fxr and .fxa) in a directory on a central network share, such as Amazon FSx for Windows File Server. Then, configure a Group Policy, or session script, to copy the files from the share to the rules directory when a user launches a session. The rules directory is C:\Program Files\FSLogix\Apps\Rules. With this configuration, you can manage Application Masking rules separately from the lifecycle of an AppStream 2.0 image.
  • You can assign Rule Sets based on custom environment variables. AppStream 2.0 supports passing custom environment variables into a session when users access a stack via streaming URL using session context. Otherwise, administrators must utilize the predefined User and Instance Metadata environment variables when configuring Application Masking rules.
  • In this blog, we utilized “hiding rules” to hide applications, associated application artifacts (shortcuts, start menu items, etc.) and folders from certain groups of users. Application Masking in FSLogix can also be used to redirect certain folders, files, or registry values with redirect rules.
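The first bullet above describes delivering rule files from a central share at session start instead of baking them into the image. The following session-start script is an added example of that approach; it is not code from the original post or from AWS or Microsoft, and the share path is a placeholder. It copies only .fxr/.fxa pairs, skips a rule set whose other half is missing on the share (so a half-finished upload does not apply a rule set differently from how it was authored), optionally removes rule sets that are no longer on the share, and waits for the FSLogix service to produce the compiled .fxc files. Run it in the system context, since the destination is under Program Files. The assumption that the service recompiles within a few seconds of the files changing is just that, an assumption; adjust the timeout to what you observe.

```powershell
# Added example (not part of the original post). Syncs Application Masking
# rule files from a central share into the FSLogix rules directory at session
# start. $Source is a hypothetical share; run in the system context.
param(
    [string]$Source      = '\\fsx.example.corp\fslogix\AppStreamRules',   # hypothetical
    [string]$Destination = 'C:\Program Files\FSLogix\Apps\Rules',
    [string]$Compiled    = 'C:\Program Files\FSLogix\Apps\CompiledRules',
    [int]$CompileTimeoutSec = 30,   # assumption: service recompiles shortly after files change
    [switch]$RemoveStale            # delete rule sets present locally but not on the share
)

$ErrorActionPreference = 'Stop'

# Fail open on an unreachable share: the session keeps the rule files already
# in the image. If the share is meant to be authoritative, exit non-zero instead.
if (-not (Test-Path -LiteralPath $Source)) {
    Write-Warning "Rules share $Source is unreachable; keeping the rule files baked into the image."
    exit 0
}

# Only rule (.fxr) and assignment (.fxa) files, top level only: nothing else on
# the share should land in a directory the FSLogix service reads.
$wanted = Get-ChildItem -LiteralPath $Source -File |
    Where-Object { $_.Extension -in '.fxr', '.fxa' }

$copied = @()
foreach ($set in ($wanted | Group-Object BaseName)) {
    # The Rules Editor saves a .fxr/.fxa pair; refuse a rule set missing either half.
    $exts = @($set.Group.Extension | Sort-Object -Unique)
    if ($exts.Count -ne 2) {
        Write-Warning "Skipping rule set '$($set.Name)': both .fxr and .fxa must be on the share."
        continue
    }
    foreach ($f in $set.Group) {
        Copy-Item -LiteralPath $f.FullName -Destination $Destination -Force
        Write-Output "Copied $($f.Name)"
    }
    $copied += $set.Name
}

# Optionally drop rule sets that were removed from the share, so a rule set
# baked into an older image does not keep applying after an admin retired it.
if ($RemoveStale) {
    Get-ChildItem -LiteralPath $Destination -File |
        Where-Object { $_.Extension -in '.fxr', '.fxa' -and $_.BaseName -notin $copied } |
        ForEach-Object {
            Remove-Item -LiteralPath $_.FullName -Force
            Write-Output "Removed stale $($_.Name)"
        }
}

# Wait for the service to compile each copied rule set (.fxr -> .fxc).
$deadline = (Get-Date).AddSeconds($CompileTimeoutSec)
do {
    $pending = @($copied | Where-Object { -not (Test-Path (Join-Path $Compiled "$_.fxc")) })
    if ($pending.Count -eq 0) { break }
    Start-Sleep -Seconds 2
} while ((Get-Date) -lt $deadline)

if ($pending.Count -gt 0) {
    Write-Warning "Not compiled within ${CompileTimeoutSec}s: $($pending -join ', ')"
    exit 1
}
Write-Output "Synced $($copied.Count) rule set(s); all compiled."
```

Reference the script from the SessionStart section of the AppStream 2.0 session script configuration (C:\AppStream\SessionScripts\config.json) with the system context, and enable the S3 log upload so the Copied/Skipped/Removed lines are retained. Treat the share as a control point: anyone who can write to it, or to the rules directory, decides what users can and cannot see, so restrict write access to the administrators who author rules and keep the share read-only for the fleet’s computer accounts.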

Conclusion

Application Masking can be used by AppStream 2.0 administrators to simplify image management and license compliance. It allows customers to create a single image with many applications (including licensed applications) and then selectively hide those applications based on a user’s Active Directory security group membership. If customers do not use Active Directory with AppStream 2.0, they can apply Application Masking rules based on a user’s stack assignment.

Note that Application Masking will not make changes to the application catalog provided by Application View fleets. As a result, customers using Application View fleets that are domain joined can use the Dynamic Application Framework to create an application catalog based on a user’s Active Directory group membership.

To learn more about FSLogix and other available FSLogix features, such as Profile Containers, see the following:

To learn more about AppStream 2.0, see: