Thursday, 12 September 2013

Use of AppSense DesktopNow with Citrix User Profile Management

I'm sure that title has you wondering... why on earth would you use AppSense DesktopNow alongside Citrix User Profile Management (UPM, from hereon in)? Surely these two products are competitors, rather than in any way complementary?

UPM and AppSense DesktopNow together?

Well, contrary to what you may believe or be led to believe, they can sit nicely together and get along. :-) Let's not forget that AppSense is used in a lot of different organizations with wide-ranging sets of enterprise software and user requirements. But one fairly common factor is the presence of Citrix platforms... and if you have the right level of licensing (Enterprise or Platinum, last time I checked), you will get UPM thrown in at no extra cost.

The Citrix Profile Management on a per-edition basis

But if you've already purchased DesktopNow as well as Citrix XenApp or XenDesktop, why would you use UPM instead of the Personalization Server aspect of Environment Manager?

There are a few answers to this. One of the more common ones is that for all its power, Personalization Server isn't always a good fit for every organization. It relies on SQL Server to function. It also involves a lot of extra complexity and invested time to get it up and running properly - and if you misconfigure it, trimming the data down can be a gargantuan task in itself. If you want full redundancy, there may be a significant infrastructure investment required if you don't have it already available. While I'm a big fan of Personalization Server, I can readily concede that these considerations often make a difference to whether an enterprise chooses to deploy it or not.

UPM, on the other hand, is quite ridiculously easy to set up, and because it runs through the Group Policy engine, you should already have a fully-redundant infrastructure to support it (assuming your Active Directory is set up correctly). UPM runs as a service on your Windows machines, the settings of which are then controlled by a Group Policy Object. Even though you purchase UPM as part of Citrix XenApp or XenDesktop, there isn't any need to run it specifically on XenApp or XenDesktop systems - it will quite happily work on RDS and indeed any other Windows platform. I'm not sure how that ties in with Citrix's licensing model, however, so I'd be interested to hear whether there is any official line on that - but suffice to say there is no actual technical barrier to installing it on non-Xen systems.

As it's a standard installer, you can use SCCM, AD, a script, or your deployment mechanism of choice to distribute UPM to your endpoints. From then you simply need to configure it using the ADM file supplied with the setup files - there's an ADMX file available as well, since the advent of version 5.0, if that's the format you prefer. You can even import these files quite happily into Environment Manager, allowing you to take advantage of AppSense's awesome library of Conditions for deploying UPM settings. This combination of AppSense power and UPM simplicity allows you to extend the capabilities of the base UPM product, which is good news all round.

Using AppSense EM to deploy UPM settings based around several Conditions

Normally people redirect the actual UPM profile data into a subfolder of the user's home drive (assuming the home drive is networked). I usually go for %HOMEDRIVE%\Citrix\UPM - this is configured using the "Path to user store" policy.

Policy setting that defines the path to where the profile data is stored

Folder Redirection

Now, if you're intending to use UPM to manage your user data, then Folder Redirection will become intimately familiar to you. The key to keeping your UPM profile data as lean and mean as possible is to redirect as much as you can.

An aggressive Folder Redirection strategy - necessary with UPM

Now I know putting %AppData% in there is opening a huge can of worms, and the likes of Aaron Parker, Helge Klein and Shawn Bass are always very keen to debate heavily the issues around redirection of %AppData%. I've run through this in the next section, as it is best kept separate.

Folder Exclusions

Once you've set up the Folder Redirection, you need to configure the UPM policies so that the redirected folders are excluded from being saved into your UPM profile. An entry in this list is interpreted relative to the user profile - i.e. specifying a folder name like "Desktop" will exclude %userprofile%\Desktop.

NOTE - I've also included a default set of folders here that come from Dan Allen's superb article on setting up UPM. You should definitely reference this if you are going to be using UPM and DesktopNow side by side - there are also two more parts to the article that deal with setting up your file services correctly.
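A consistency check for the exclusion step above, as an added example that is not from the original post or from Citrix or AppSense: it reports folders that are redirected out of the local profile but not covered by the UPM exclusion list. The function name, the sample paths and the use of the Windows Vista-and-later default folder names are assumptions.

```powershell
# Added example (not from the original post). Value names as they appear under
# "User Shell Folders", mapped to their default profile-relative folder (assumed: Vista+).
$DefaultRelativePath = [ordered]@{
    'Desktop'     = 'Desktop'
    'Personal'    = 'Documents'
    'My Pictures' = 'Pictures'
    'My Music'    = 'Music'
    'My Video'    = 'Videos'
    'Favorites'   = 'Favorites'
    'AppData'     = 'AppData\Roaming'
}

function Get-UnexcludedRedirectedFolder {
    param(
        [Parameter(Mandatory)] [hashtable] $ShellFolders,  # value name -> configured path
        [Parameter(Mandatory)] [string]    $ProfilePath,   # e.g. C:\Users\jsmith
        [string[]] $ExclusionList = @()                    # UPM entries, profile-relative
    )
    $profileRoot = $ProfilePath.TrimEnd('\') + '\'
    $excluded = @($ExclusionList | ForEach-Object { $_.Trim().Trim('\') } | Where-Object { $_ })

    foreach ($name in $DefaultRelativePath.Keys) {
        $target = $ShellFolders[$name]
        if (-not $target) { continue }
        # Still inside the local profile: not redirected, so no exclusion is needed.
        if ($target.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)) { continue }

        $relative = $DefaultRelativePath[$name]
        # Covered when an entry names the folder itself or one of its parent folders.
        $covered = @($excluded | Where-Object {
            $relative -ieq $_ -or
            $relative.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase)
        })
        if ($covered.Count -eq 0) {
            [pscustomobject]@{ Folder = $relative; RedirectedTo = $target }
        }
    }
}

# Constructed sample: three folders redirected to file shares, one exclusion missing.
$sample = @{
    'Desktop'   = '\\fileserver\home\jsmith\Desktop'
    'Personal'  = '\\fileserver\home\jsmith\Documents'
    'AppData'   = '\\fileserver\appdata\jsmith'
    'Favorites' = 'C:\Users\jsmith\Favorites'
}
Get-UnexcludedRedirectedFolder -ShellFolders $sample -ProfilePath 'C:\Users\jsmith' `
    -ExclusionList 'Desktop', 'AppData'
```

In a live session, build the `-ShellFolders` table from `HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` and pass `$env:USERPROFILE` as the profile path.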

Exclusion list that includes all of the Redirected folders

Folder Inclusions

Any application that writes to folders outside of the expected locations will need to be added in as Inclusions rather than Exclusions. As Dan's article also points out, two possible areas a lot of people may come across are PKI certificates and Microsoft Office toolbars. The links are in his article dealing with these, but they're also included below




Redirection of AppData?

This is a heated subject - a lot of people believe that redirection of AppData can cause poor performance of applications, usually based around network IO. On the flip side, some people believe that it isn't so much of an issue, mainly because in modern deployments, particularly SBC and VDI, most of the "local" storage is effectively network-based anyway. I'm definitely not weighing in to this argument - you can read plenty about the subject on the Internet - but I will make a few points that you may want to take in.

If you want to do this *perfectly*, you should exclude the entire AppData folder and not redirect it, in my opinion...then do detailed application analysis and find out exactly what you need to synchronize, before adding these folders into the Folder Synchronization on an individual basis. In this way, you're only saving exactly what each application needs to function. Of course, the problem with this is that there's a lot of time and testing involved in getting it up and running, and usually one of the drivers for using UPM is that it is simple and quick to deploy. So if you did it this way, you'd probably be defeating one of the objects of the exercise anyway...but if you can, this would definitely be the best way to do it, IMHO.

If you do redirect AppData, I would definitely recommend redirecting AppData to a different area than you redirect My Documents, Desktop, Pictures, etc. to. If you do this, you will keep any application activity separate from user file-related activity.

On a similar line, try not to redirect all AppData to the same file server or NAS area. Spreading the load across distributed servers, whether using DFS or another mechanism, will also help mitigate against any possible issues.

Really the only way to be sure is to ensure that you've architected your file services correctly, and that you test all of your applications thoroughly, before deciding whether AppData redirection is going to be right for your environment.


Cookie handling

One of the things I like best about UPM is the cookie handling. It's actually really clever how it is done, and this is one thing that I don't believe AppSense EM can handle natively. Basically the UPM process leaves cookie handling late enough in the logon process so that the index.dat file is released, which allows you to get rid of stale cookies (reducing profile bloat) and removes the chance of losing cookie information because the index.dat gets out of sync with the cookies themselves. Nifty!

You configure this by using the "Process internet cookies at logoff" part of the UPM policy object


and also by configuring a "Folder mirroring" action in the UPM policy object. You could do this with native EM Actions, but I'd leave it in the UPM object for posterity


This handling of cookies is a feature that I haven't noticed in any other UEM products - if there's a way anyone knows of to do it in EM natively, I'd definitely be very interested in hearing about it!

Base profile

UPM also allows you to specify a template profile for new users logging on to the system, which functions in a slightly similar way to a mandatory profile. The beauty of this option is that it can be excluded from local Administrators by configuring the Process Local Administrators option along with the Path To User Store option, so that the base profile is just applied to new users. This gives it an advantage over deploying mandatory profiles via standard GPO - as the GPO is a Computer setting, it also applies to local Administrators and can be quite annoying.

Summary

There isn't a huge number of features that UPM and Environment Manager clash over - as long as you are talking about the Policy features of EM, rather than the Personalization aspect. Inclusion of files and folders or Registry keys in UPM probably comes quite close to AppSense's Registry Hiving and File/Folder Actions, but aside from that there's not much where you'll have to make a decision about where to configure things.

When I've done UPM-EM deployments I always try to keep the Folder Redirection and the actual deployment of the UPM settings in the EM console itself - that makes it feel more like they're part of the same solution rather than two different solutions stuck together.

If the UPM side is configured correctly you can definitely have very quick logons and small profile sizes, and if you then leverage the multi-threaded, multi-triggered model of AppSense EM to deploy your policy settings you can certainly make sure that the session is always as streamlined as possible.

I thought I'd put this quick post together because there is a perception that AppSense is complicated, bloated and requires a significant infrastructure investment to get it working correctly - and also that you have to use Personalization Server, which then necessitates a dependence on SQL Server. These things simply aren't true - you can quite easily combine DesktopNow with technologies like UPM to produce a simpler, leaner implementation in which the two products are quite complementary to each other. Hopefully this quick skim over UPM should allow you to see that there are other hybrid options available to people looking to deploy user virtualization technologies.

3 comments:

  1. Nice post. I think this approach is more for the "smaller" RDS/Citrix/VDI setups. But still useful to know that it's possible.

    1. Thanks Ralph. I've also seen this approach used in larger environments where they didn't want the added overhead of the infrastructure to support PS. When you think about it, putting Personalization together for a large, multi-site environment with geographically dispersed Citrix farms involves quite a bit of back-end provision.

      Cheers,



      JR

  2. Hi James,

    Thanks for posting this very good and interesting article. As you've mentioned, I never thought of putting AppSense EM and Citrix UPM together before due to the myth that they are in direct competition with each other. With the flexibility of EM and the simplicity of UPM, this would make a very good User Virtualisation solution - hopefully I'll get the chance to recommend this at some point. As you say, it's usually Personalisation that adds complexity and headaches for larger environments.

    In regards to the Citrix UPM licensing, Enterprise licensing allows you to install UPM on all your XenApp/XenDesktop servers/desktops but you would need to purchase separate licenses if you wanted to install it on local desktops. With Platinum licenses, you're covered for all of your Citrix products, as well as the local desktops - at least this is how it was last time I checked.

    Thanks,

    Stephen
