
App-V and AppLocker

November 25th, 2009

 

This post covers using Microsoft’s Application Virtualization (App-V) 4.5 SP1 product in conjunction with the new AppLocker feature on Windows 7 Enterprise and Ultimate clients (and even Windows Server 2008 R2 clients).

 

AppLocker Rules for Virtual Applications

 

Local administrators can create Windows AppLocker rules that restrict the running of programs (.exe, .msi, .msp, .ps1, .bat, .cmd, .vbs and .js files). The administrator does this by using a reference computer that has the App-V client installed and that has all the relevant virtual applications streamed to the client cache. The administrator then uses the Windows AppLocker section of the Local Security Policy Microsoft Management Console (MMC) snap-in on the reference computer to create the rules.

 

When you browse to find a directory path or specific file for which you want to create a rule, you can access the App-V drive by using the path to the hidden share.

 

For example, you can browse to \\localhost\Q$, where the App-V drive is drive Q.

 

However, to create the rule, you must edit the path to remove the reference to \\localhost\Q$ and use Q:\ instead. You must start each application on the reference computer to access the application’s files.
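
The path edit described above, applied to an exported AppLocker policy, as an added example that is not part of the original post: it rewrites every FilePathCondition path that was browsed through \\localhost\Q$ to the Q:\ form and reports what changed. The sample policy is constructed, and to_drive_path and fix_policy are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

def to_drive_path(path, drive="Q"):
    r"""Rewrite \\localhost\Q$\dir\app.exe to Q:\dir\app.exe; leave other paths alone."""
    share = re.compile(r"^\\\\localhost\\" + re.escape(drive) + r"\$(?=\\|$)",
                       re.IGNORECASE)
    m = share.match(path)
    if not m:
        return path
    # A bare share root (\\localhost\Q$) becomes the drive root (Q:\).
    return drive.upper() + ":" + (path[m.end():] or "\\")

def fix_policy(policy_xml, drive="Q"):
    """Return (rewritten policy XML, [(old_path, new_path), ...])."""
    root = ET.fromstring(policy_xml)
    changes = []
    # FilePathCondition appears under both <Conditions> and <Exceptions>.
    for cond in root.iter("FilePathCondition"):
        old = cond.get("Path", "")
        new = to_drive_path(old, drive)
        if new != old:
            cond.set("Path", new)
            changes.append((old, new))
    return ET.tostring(root, encoding="unicode"), changes

# Constructed sample: one rule browsed via the hidden share, one ordinary rule.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Virtual app"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="\\localhost\Q$\EXAMPLE.001\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

if __name__ == "__main__":
    fixed, changes = fix_policy(SAMPLE_POLICY)
    for old, new in changes:
        print(f"{old} -> {new}")
```

Review the reported changes before importing the rewritten policy on the reference computer.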

HTTP Publishing in App-V

July 9th, 2009

Overview

HTTP Publishing provides complete control over which applications are delivered to each user. The criteria can be based on the ACLs associated with the package files: if the user has access to a package's files, then the applications in that package are published to the user.

Publishing Architecture

The client sends a request to the server asking for the list of applications for the user. This request is sent while impersonating the user, so that the server can access the user’s token, if needed.

The server’s response is a single XML file that contains the publishing information associated with each application, including its shortcuts, file type associations and DDE entries.

Generating the Publishing Document

App-V 4.5 introduced the concept of package manifest files, which contain all of this information in the correct format. This makes creating an HTTP publishing server a much easier task.

The following is an example publishing document that contains the information for a single application. While it contains a lot of information, most of it comes directly from the package’s manifest file. This simple implementation makes an assumption about the information that is in the manifest file. It assumes that the URLs for OSDs and icons in the manifest file point to the appropriate locations.

As can be seen in this sample, the document element is called <DESKTOPCONFIG>. It contains two child elements, <POLICY> and <APPLIST>. The <POLICY> element has a <REFRESH> element that lets you specify the Publishing Refresh frequency, in minutes, and a Boolean that determines whether Publishing Refresh occurs when the user first logs in.

The <APPLIST> section is nothing but a concatenation of the <APPLIST> sections from each of the package manifests to which the user has access. The sample code that follows describes how to generate this list. The <APPLIST> element is where all of the application-specific publishing information is placed. This information is taken directly from the manifest files that were generated by the Sequencer.

The end result of this processing is an XML document that contains all of the information for each package that the user has permission to use. Point your web browser at the publishing.aspx page and check out the results. Remember to enable Windows Integrated Authentication on the website and ACL the package directories appropriately.
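
The ACL-filtered assembly described above, as an added Python example; it is not the publishing.aspx sample this post refers to. It assumes the code runs under the requesting user's identity, and the REFRESH attribute names, the manifest layout and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def read_manifest(path):
    """Read as the current (impersonated) identity; the file ACL may deny it."""
    return Path(path).read_bytes()

def build_publishing_doc(manifest_paths, refresh_minutes=60, on_login=True,
                         reader=read_manifest):
    """Return (publishing XML, skipped paths) for the identity running this code."""
    root = ET.Element("DESKTOPCONFIG")
    policy = ET.SubElement(root, "POLICY")
    # PERIOD and ONLOGIN are assumed attribute names, not taken from the page.
    ET.SubElement(policy, "REFRESH", PERIOD=str(refresh_minutes),
                  ONLOGIN="TRUE" if on_login else "FALSE")
    applist = ET.SubElement(root, "APPLIST")
    skipped = []
    for path in manifest_paths:
        try:
            manifest = ET.fromstring(reader(path))
        except (PermissionError, FileNotFoundError, ET.ParseError):
            # Fail closed: unreadable or malformed manifests publish nothing.
            skipped.append(str(path))
            continue
        source = manifest if manifest.tag == "APPLIST" else manifest.find(".//APPLIST")
        if source is not None:
            applist.extend(list(source))  # copy every child of the manifest's <APPLIST>
    return ET.tostring(root, encoding="unicode"), skipped

# Constructed manifests; the PACKAGE/APP element and attribute names are assumptions.
SAMPLE_MANIFESTS = {
    "finance/manifest.xml":
        b'<PACKAGE><APPLIST><APP NAME="Ledger" VERSION="1.0"/></APPLIST></PACKAGE>',
    "hr/manifest.xml":
        b'<PACKAGE><APPLIST><APP NAME="Payroll" VERSION="2.0"/></APPLIST></PACKAGE>',
}

def sample_reader(denied):
    """Simulate the ACL check: paths in `denied` raise PermissionError."""
    def reader(path):
        if path in denied:
            raise PermissionError(path)
        return SAMPLE_MANIFESTS[path]
    return reader

if __name__ == "__main__":
    doc, skipped = build_publishing_doc(SAMPLE_MANIFESTS,
                                        reader=sample_reader({"hr/manifest.xml"}))
    print(doc, skipped)
```

Logging the skipped list on the server shows which packages a user was denied, which helps when auditing the package directory ACLs.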

Configuring the Client

Once the publishing.aspx page is working correctly, all you need to do to use it is to configure the client to point at the page.

Configure the client:

In this example, the client will connect to the ‘appvwebserver.app-v.in’ webserver over port 80 and retrieve the contents of the ‘appvpublishing.aspx’ page. It will then process the XML document that is returned by the server.

Note that this example uses the standard HTTP protocol, which will not verify the identity of the webserver and will return the data unencrypted. This is only appropriate for scenarios that are inside the corporate firewall. If this were a public Internet scenario, you would use the HTTPS protocol to guard against man-in-the-middle attacks.

Announcing MDOP 2009 to include MED-V 1.0, App-V 4.5 CU1 and AIS 1.5 Updates

May 27th, 2009

As part of our promise to maximize productivity, manageability and TCO for enterprise desktops, we are excited to announce our new version of Microsoft Desktop Optimization Pack (MDOP), available for purchase to Software Assurance customers. MDOP 2009 includes the first release of Microsoft Enterprise Desktop Virtualization (MED-V 1.0), a Cumulative Update to Microsoft Application Virtualization (App-V 4.5 CU1) and an update to the Asset Inventory Service (AIS). Alongside these updated releases, MDOP 2009 also includes the other standard MDOP tools: Microsoft Diagnostics and Recovery Toolset, Microsoft Advanced Group Policy Management, and Microsoft System Center Desktop Error Monitoring. The updates are available to 14.4 million MDOP customers.

MED-V provides deployment and management of virtual Windows desktops to enable key enterprise scenarios. MED-V 1.0 helps enterprises upgrade to the latest version of Windows even when some applications are not yet compatible. MED-V builds on top of Microsoft Virtual PC to run two operating systems on one device, adding virtual image delivery, policy-based provisioning and centralized management.

A recent brief by Enterprise Management Associates (EMA) emphasized some of the customer benefits of using MED-V: “We found that MED-V really solved our application compatibility problems. It allowed us to deploy the applications that we were having difficulty with, where third party vendors were not providing a supported version. Where we used to have hundreds of images, we were able to move to one [Windows] Vista image, and use MED-V to deploy [legacy] applications on top of that,” said the IT Deployment Manager at Belfast Health and Social Care Trust, an organization of 22,000 staff members.

“We are really happy with MED-V. We can virtualize the applications that are made only for XP, and they work fine, with all the functionality intact,” said a large European telecommunications company with almost 80,000 employees.

App-V 4.5 CU1 is now available as part of MDOP 2009. App-V 4.5 CU1 adds support for Windows 7 beta, so customers can move ahead with application testing in preparation for enterprise deployments. It also contains a few improvements such as instant access or removal of applications assigned to end users. When Windows 7 releases, we are committed to supporting the final product within 90 days of general availability.

AIS 1.5 update, now available to all MDOP end users through Windows Update, enhances the license reconciliation feature and the task scheduler. It now provides a detailed report for each application (e.g. whether license type is retail or volume license) to simplify license inventory tasks and to improve licensing compliance. The inventory scan scheduling has been improved to ensure data is collected even from devices that are turned off regularly.

MDOP 2009 is available for MDOP subscribers at Microsoft Volume Licensing Site (MVLS).

App-V 4.6 Release

March 4th, 2009

Microsoft announces that engineering of the next App-V release is progressing well, and will be opening the Technical Adoption Program (TAP) for App-V 4.6 shortly. When released, App-V 4.6 will be available to all existing MDOP customers and provide new key features including 64-bit platform support. Customers interested in App-V 4.6 can watch for registration to become available at Microsoft Connect in Q1 of 2009.

App-V 4.5 Now Supports Windows 7 Beta

March 4th, 2009

Microsoft released a cumulative update to its application virtualization solution, which now supports the Windows 7 Beta, according to an announcement issued by the company on Thursday.

The new Microsoft Application Virtualization (App-V) 4.5 Cumulative Update 1 release contains all current hotfixes, along with an update that lets it run on the Windows 7 Beta operating system.

The Microsoft Desktop Optimization Pack (MDOP) team explained that in order to carry out application virtualization, App-V needs to be updated to reflect the underlying operating system, including the Windows 7 Beta.

MDOP subscribers can register to download App-V 4.5 CU1 from the Microsoft Connect Web portal. The solution is available now for subscribers.

Copyright 2008 App-V.in All rights reserved.