Welcome – A letter from the Founder

My name is Max Ranzau. I founded RESguru.com as a technical blog at the end of 2008, dedicating my time and efforts towards creating better IT solutions through use of RES Software products in the enterprise. This site is the home of RCS – RESguru Consulting Services and is one of the primary go-to places for independent information, brain-share and tools for the workspace and automation engineers across the planet. I intend to keep it just that way.

If you are a new visitor, allow me a moment to welcome you properly, by immediately dispensing with the glossy marketeering and cut to the chase:

I am here to change Enterprise IT for the better.

I dare to guess that plenty suit & tie jobs have said something similar to you over the years. Nothing more or less, it’s the best one-liner by which it can be expressed what RCS does. Fact: it is exceptionally hard to explain what exactly and completely RES Software does in one sentence, without either becoming too vague or a long winded tale. Trust me on this, the good folks at RES Software have been grappling with this conundrum over the last 15 years: Having a stellar product suite, but no quick and singular way of explaining what it does!

I’m not going to pretend I’m driving around with the tomes of messaging wisdom* in my trunk. However, that is not going to prevent me from pitching in my two cents. As I see it, there are two main avenues of putting RES technology into context:

A) Presuming you’re technically oriented:

  • Get rid of complexity in  policy management, point-solution utilities and scripting. You know as well as I, that enough of this, or  by inheriting someone else’s hand-me-down environment, you’ll be up to your eyeballs figuring out what’s going on before you can make any changes.
  • Best profile+configuration management: Microsoft’s ways of handling configuration, both central (policies) and users (profiles) haven’t changed much in 20 years. The RES Suite will make profile management work smoothly for you.
  • Automation of complex script-less tasks across the entire IT estate, independently of domains. 150+ built in graphical tasks range from the simplest of deployment/configuration items to VDI, Mobile Device Management and Helpdesk, integrating with all the major vendors.
  • Workflows can be automated. The RES Suite will allow a company to define and execute workflows for almost anything that can be given to a user. It’s all about service. I usually tell my students that you can make workflows for giving employees their phones, forklifts or PhotoShop. It doesn’t matter as you model the business in the software, define who is qualified to automatically get or request what, assign any approvals to the workflow and then tie it all into the automation and configuration management where necessary. The real strength here is that all 3 products in the RES Suite talk together.
  • Documentation: As engineers, we just love cranking it out by the page, right? That was sarcasm! We love building great solutions but creating the associated paperwork afterwards is a hassle, even if it’s billable. For admins in terms of auditing, it’s the same challenge. The RES suite can do the documentation for you.

The RES Suite is like a well-organized Swiss Army knife, with 15.000+ blades. There are loads of other things the RES suite can do for you, and hopefully you’ll get a sense of this when you browse through the Tech Library of the RESguru site. There are over 100 (and counting) free practical how-to articles on how to solve common everyday problems with RES technology. Have a look at the intro page here for a proper introduction and tour around the site.

B) Presuming you are financially oriented:

  • 60% savings on current support/helpdesk/administrative load is not unheard of.
  • 90% savings on external consultants camping in your data-center for months at a time as your own staff becomes able to do most things faster on their own. These kinds of numbers have been reported by some of my clients.
  • 20% more users typically on a central environment – just by virtue of efficient management.
  • No doctors with flashlights were involved in obtaining the numbers above! These are based on real RES projects that I have worked over the last 15 years. Having said that, obviously your mileage may vary in accordance with what you are trying to solve.
  • Business Processes – any organization has them. If you ever move people around, hiring or firing, the IT folks are usually the last to know, resulting in a long time before new employees can do what they’re paid to, or exposing the company to unnecessary risk by not closing down access properly when someone leaves. Sometimes I encounter customers who have custom-built and rather byzantine systems in place; some may even be manual, tossing around emails or even paper forms for approvals. As long as nothing changes you can maintain status-quo, however when the business requirements change, that’s where your costs become evident.
  • Appsense. Have you been struggling with their products for too long not being able to get things to work for you as promised? Spent countless hours having consultants in and out the door on break/fix missions? It’s time to stop and look at a Real Enterprise Solution.
  • Agility: What can be stood up in a few days by an engineer proficient in RES tech, can in most cases match and trump what would take a team of engineers using classic tools and methodology several months to implement.

The above should provide you with a decent idea of what is within the realm of the possible in the RES universe. RES technology is not rocket science, it’s just good product design and common sense for the modern enterprise. Covering the entire RES Suite, RCS offers the following on all VDI platforms, TS/Citrix, Laptops, Mobile devices, Windows and Linux environments:

  • Consulting, advisory and managed service agreements for new and existing RES installations
  • Scoping and technical presales assistance to integrators
  • Design and technical architecture documentation
  • Implementations, remote and on-site.
  • Technical competitive analysis. Here are a couple of examples.
  • Training, Education and Workshops in all RES products both online and on-site. See this for details.

For information on services, rates, schedules and anything else, reach out via the contact page, or call +1 610 462 2200. I look forward to talking with you.

With best regards,

Max Ranzau

 

Setting up a Lab HR system for IT Store

By Max Ranzau

 

From the Lab Essentials Dept. One of the things we always talk about in regards to RES IT Store, is the ability to do employee on/offboarding. However if you want to test this out for real, you probably won’t get access to a live HR system in production. You could alternatively just fake it by simulating HR by way of a couple of CSV files, however it may not be adequate for the full experience.

This article is to show you how you can stand up your very own free HR system and hook it up with IT Store. You may even have seen this particular system in a demo in the past, as it’s quite popular with the RES presales teams as well. Just to be clear, this is far from SAP/HR, but a free web-based open-source Apache/MySQL/Perl based HR System, called OrangeHRM (nope, besides the color there’s nothing in common with RES :). Since I am in the process of building out a new Cloudlab these days, I figured I might as well take the time to share how to stand up this component as it may come in handy for everyone involved.

OrangeHRM is essentially a website like IT Store itself, just running off the Apache webserver instead. This means it can run on top of Linux and MacOS as well. In this article I will just cover the Windows installation, as there are a couple of quirks you need to know about to get it up and running in one smooth go. You can run the OrangeHRM server off most versions of Windows. Excluded are Windows XP and Server 2003.

Step 1: Gathering the components.

  1. First, you will need to download the OrangeHRM system. It’s only about 9MB. There are two downloads, a self-extractor and a ZIP file. In the past I’ve encountered some weird issues with the SFX thus I recommend you download the ZIP version. There are download links pages here and here.
  2. In order to run OrangeHRM, you’ll need MySQL, Apache and Perl. All these are wrapped up in a 150MB package called XAMPP. Download link is here. I pulled down the latest version at the time of writing (5.5.19), which does the job nicely.
  3. For IT Store to be able to interface with the OrangeHRM MySQL database, it’s necessary to download the MySQL ODBC drivers as these aren’t part of Windows. Download drivers here. Be sure to download the MSI version and the proper bit-version for your environment.
  4. The MySQL ODBC driver install can be a bit fickle to work with. The installer handles like something out of the early 90’s and indeed it actually needs an old Microsoft DLL, MSVCR100.DLL in order to install properly. Grab the bitversion you need here: x64 or x86.

Step 2: Installing XAMPP

  1. First, go to the computer where your OrangeHRM system is going to live. I’d recommend a clean server 2008 and up, however if you are pressed for server real estate in your lab, you may opt to slap it on top of an existing server. If said server already is running IIS, the Apache server can co-exist with it. However you’ll need to tell it to run http and https on other ports than respectively tcp/80 and tcp/443. This also means you’ll have to include the port number in the URL to access OrangeHRM later. Also the Tomcat (javahost) will come up and complain if you are running the ITStore Catalog Server, as both use tcp/8080. See RES port reference here. I’ll show you how to remap the Apache, but I’m leaving Tomcat out, as we don’t need it for OrangeHRM anyway. I trust you see my point in using a clean server now.
  2. Start by launching the XAMPP package, in this case xampp-win32-5.6.3-0-VC11-installer.exe.
  3. It will prompt you for what items you’ll want to install. Just un-select Tomcat as shown on the right. You get a Filezilla FTP server as well as a Mercury mailserver thrown in as well, and those might perhaps come in handy later for alerts and whatnot. Hit Next.
  4. The XAMPP install directory defaults to C:\xampp. Go with this unless you have explicit reasons not to and generally know what you’re doing. The installer notes warn of some potential permission issues if you install to %programfiles%. Hit Next.
  5. We don’t need additional items on top at this point, so untick the ‘Learn more about Bitnami for XAMPP’ and hit Next.
  6. The setup takes a few minutes to complete. Sometimes it may sit on the last few percent of the progress bar for a few minutes, appearing to do absolutely nothing. Your mileage may vary.
  7. At finish the XAMPP installer will ask you if you want to launch the XAMPP control panel. Say yes to the dress and it will appear as an orangy icon in the system tray and launch after a few moments:

[Screenshot: XAMPP control panel]

As you can see above, we need to do some tinkering to get Apache and Tomcat running (I don’t think OrangeHRM uses Tomcat, but I don’t like loose ends). Read on and we’ll get it all sorted. If you did take my advice and installed XAMPP on a clean server without IIS and RES ITS Catalog server you should be able to skip the next step and proceed to step 4 below.

Step 3 – Configuring Apache to run on alternate ports.

  • Obviously, Apache refuses to start due to the port conflicts on tcp/443 with my IIS. It also complains about tcp/80 further up although it’s not evident from the screenshot. Hit the config button and select Apache (httpd.conf), which opens up a notepad with the config file for the Apache http daemon.
  • In the config file, scroll down to around line 58 and look for the Listen 80 entry, change the number to your desired (non-conflicting) port. In my case I chose 90. Save and exit, but don’t try to start Apache just yet as we need to take care of tcp/443 as well.
  • Back in the XAMPP Control Panel, hit the config button again, and select Apache (httpd-ssl.conf). Same deal as above. Scroll down to around line 36 and look for the Listen 443 entry. I changed mine to 444. Save and exit.
  • If you have a port conflict for MySQL’s TCP/3306 then the procedure to fix that is exactly the same. I’m presuming that you don’t have that issue.
  • You will also need to configure these ports in another place, if you are going to run Apache and MySQL as services. In the XAMPP Control Panel, hit the Config button in the upper right, then hit the Service and Port setting button, and enter the alternate ports for main port and SSL.
  • To test that Apache and MySQL can start, just hit the start buttons and they should launch with green status.
  • You’ll want to run both as NT services. To do this, stop them again for a moment. Then hit the red X to the left of each of them and say yes to installing the service. Then start them again. If you’ve done everything right, your XAMPP control panel should look like this.

[Screenshot: XAMPP control panel with the services configured]

Step 4: Installing OrangeHRM

  • You can close the XAMPP control panel at this point.
  • Now that Apache and MySQL are up and running, we’ll need to install the OrangeHRM website: Unzip the contents of the previously downloaded orangehrm-3.2.1.zip into a temporary location (there’s 5k+ files in there so it may take a bit). A folder called orangehrm-3.2.1 will be created.
  • Rename this folder to hr.
  • Move this folder to c:\xampp\htdocs
  • Open a browser and navigate to http://localhost:<portnumber>/hr. In my case that would be http://localhost:90/hr. Again this business with the port number could have been avoided if you installed on a server without conflicting ports.
  • At this point you should be seeing the OrangeHRM setup screen, which will walk you through the database setup:

[Screenshot: OrangeHRM setup screen]

Step 5: Configuring the OrangeHRM database

  1. Hit next to get started and accept the license agreement.
  2. On the Database configuration screen, leave everything as you found it, unless of course you in the meantime on your own have changed the root password for MySQL, which is blank (!!) per default. Relax, this is for a lab setup. In here we can get away with both murder and blank passwords :) Note: At this point you can’t specify another host besides localhost, since all external access must first be enabled in MySQL. Besides, it’s really not an issue since Apache and MySQL live on the same box in this case. See Step 6.
  3. When you hit next, the OrangeHRM installer will perform a Systems Check to verify that everything is kosher and give you a summary. If everything is green, then go ahead and hit next.
  4. Setup the password for the OrangeHRM Admin. This is the account you’ll be logging into the HR system with initially until you create other users. Hit next, confirm the settings and start the installation.
  5. After a few moments you will be asked if you want to register. This is entirely optional as the software is free. Once you hit the Finish button, you will be taken back to http://localhost:<port>/hr, which now presents a logon screen where you can login with the Admin account. Once you’re in, it should look like this:

[Screenshot: OrangeHRM main screen]

From here-on, it’s really all up to yourself how you want to structure your virtual company in the HR system. I’m confident there are plenty of tutorials available on how to setup an organization in OrangeHRM, but that goes beyond the scope of this article. However I do suppose you want to get some employees and departments created as a bare minimum. The next step is to establish the ability to talk with the OrangeHRM database inside the MySQL DBMS.

Step 6: Installing the MySQL ODBC drivers:

  1. Since Windows doesn’t include MySQL drivers per default, we’ll have to download those and install them. Where do you install them? Presuming you have your ITS Console, Transaction Engine and Catalog Server on separate computers, you would need to install the ODBC drivers on the computers running the Console and the Transaction engine as these components talk to the external datasources you define in ITS. If you in your lab have all the ITS components on one box it’s fine as well.
  2. First, we need to solve a prereq issue for installing the ODBC drivers: Extract the msvcr100x<bitversion>.zip you downloaded in step 1, then place the extracted msvcr100.dll file in %systemroot%\system32.
  3. Next, install the mysql-connector-odbc-5.3.4-winx<bitversion>.msi you downloaded in step 1. Just breeze through it, using default options.
  4. The ODBC drivers should now be properly installed. To verify, go to Administrative Tools | ODBC Data Sources (<bitversion>-bit) and check the Drivers tab. You should now see a couple of MySQL drivers available.
  5. Now let’s create a DSN to connect to from IT Store. Being fully aware of the virtues of User/File DSN’s versus System DSN’s, I’m completely ignoring this and just setting up a System DSN for ease of use.
  6. Picking the Unicode driver over the old ANSI driver ensures compatibility with foreign character sets.
  7. In the Connection Parameters dialog, you can go with localhost for the TCP/IP server field, if both RES ITS and MySQL are on the same box. However since I recommended you initially to install XAMPP and OrangeHRM on a clean server, you will probably want to have the FQDN of that server in the ODBC connection info. However if you try to put anything else than localhost in, you will get a connection error. In order to deal with this, you need to do a bit of one-off tinkering on the MySQL box to allow it to be addressed by anything else than localhost:

Step 7: Enable MySQL remote access:

  1. Open up a command prompt in this location: C:\xampp\mysql\bin and run mysql.exe -u root -p
  2. This will prompt you for the password (which is blank) and then give you a mysql> prompt.
  3. Issue the following command to allow the root user access to the DBMS from a given host: GRANT ALL PRIVILEGES ON *.* TO 'root'@'yourserver.fqdn'; (the semicolon is important as that signifies end of commandline!) Alternatively, if you want to completely remove host access restriction and combine it with a password, you can use this command: GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'passwordhere'; The % char is a wildcard for any host. Be careful with that. More info here.
  4. Either command will return something like Query OK, 0 rows affected. This is fine as we are in fact adding a record.
  5. Follow either command with this command to make it take effect immediately: flush privileges;
  6. Terminate the mysql command line tool with the command exit, where after you can close the command prompt.
  7. You can at any time check the rules that are in effect by going to http://server:port/phpmyadmin/, then navigating to mysql -> users as seen on the right.
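A narrower alternative to opening up root, shown as an added example that is not part of the original article: a dedicated read-only account for the ODBC DSN, limited to the HR database and to the one host running the ITS Console and Transaction Engine. The account name its_reader, the host its01.lab.example and the password are placeholders, and orangehrm_mysql stands for the OrangeHRM database, so substitute the name your installation shows.

```sql
-- Added example: run at the mysql> prompt opened in Step 7.
-- its_reader, its01.lab.example and the password are placeholders.

-- 1. Create an account that may only connect from the ITS host.
CREATE USER 'its_reader'@'its01.lab.example'
  IDENTIFIED BY 'replace-with-a-long-random-password';

-- 2. Give it read-only access to the HR database and nothing else.
--    IT Store only needs to read employees, departments and similar tables.
GRANT SELECT ON orangehrm_mysql.* TO 'its_reader'@'its01.lab.example';

-- 3. Review exactly what the new account is allowed to do.
SHOW GRANTS FOR 'its_reader'@'its01.lab.example';

-- 4. Audit: list accounts that accept connections from any host,
--    and anonymous accounts (empty user name).
SELECT User, Host
FROM mysql.user
WHERE Host = '%' OR User = '';

-- 5. Only if step 4 lists root with Host '%' and it is no longer needed:
--    remove the wildcard root account created by the second GRANT in Step 7.
DROP USER 'root'@'%';
```

Enter its_reader and its password in the ODBC DSN and in the ITS Datasource credentials in place of root.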

Yes… I’ll probably make a buildingblock for the MySQL remote access one fine day. Once we’re done with the MySQL tinkering, you can fill out the ODBC connection information properly and select the proper database called: orangehrm_mysql. Save the DSN, then it’s time to move onto reaching the data source from within the IT Store.

Step 8: Reading HR data into RES IT Store

  1. First, let’s fire up the RES IT Store Console and go into the menu Data Model|Datasources. We will likely need to create more than one ITS Datasource in here, as you’ll want to be reading multiple tables such as employees, departments, etc. You will need an ITS Datasource definition for each. There is also provision in the IT Store for creating SQL queries. This is discussed in detail in the IT Store Admin guide, on page 141.
  2. For now, fill out a name, the description and pick out the System DSN we created before. Be sure to fill out the credentials as root/password (if any).
  3. You are now able to browse the tables from the HR System and can start importing relevant data into your IT Store’s identity warehouse.

To wrap things up, now you have a fully functional and completely free HR system at your disposal. When you combine this with the RES Suite you will have the ability to configure automatic onboarding and offboarding, but that’s a story for another day.

Workspace Life on Windows 10

By Max Ranzau

 

From the Somebody-had-to-try-it Dept. So, the other day I decided to check out Windows 10 and see how it works with RES. You may recall I did a similar piece on Windows 8 back in the day, where we looked at alternative ways to bring back the start menu. Bringing back the start menu via the RES classic shell may not be that important anymore, as the Windows start menu is (almost) back in business. See further down. The obvious question I wanted an answer to is, how well do the RES products work at this point with the Win10 tech preview. I deployed the usual complement of endpoint items onto the Windows 10 client:

  • RES Workspace Manager 2014 SR2
  • RES Automation Manager 2014 SR2
  • RES IT Store Client

Logging in: I gave the stack a quick whirl to see what works and not. No, I did not test every nut & bolt. Allegedly there’s people at the mothership that get paid to do that.. ;) After installation I set the WM Composer to Automatic and logged in as a regular user. First thing I noticed; I got what looked like the dreaded black screen of death. Okay, unfazed this gave me an opportunity to test the Automation Manager agent. I scheduled an AM module to reboot the computer and it came up again nicely. I decided to switch the workspace composer back to manual and launch the Composer binary pwrstart.exe by hand, to see if/when anything went pear-shaped. It seemed to launch okay. Deciding it might have been a fluke (tech preview and all), I set the composer back to automatic and logged in again. WM’s Composer seemed to come up fine again and again after that. So far so good.

Start Menu management: As most of us know by now, Microsoft finally opted to send the poo-flinging primates who occupied their Windows 8 focus group room back to the zoo. As mentioned above the start menu is back. Well… sort of – I guess they had to compromise somewhere, so instead of the horrible fullscreen Metro/Modern tablet experience that blotted out your Windows 8 desktop, now the Start menu has been expanded with a “mini-metro” to the right. I for one can live with that. Thanks for listening Microsoft!


By the way, if you’re wondering why they skipped the Windows 9 version, one possible explanation is to avoid potential issues with software checking for or against oldschool Windows 95 or Windows 98. Think about it; chances are if you’re a developer and wrote a line of code to make sure your software does not attempt to run on old Win9x, you might just use a wildcard like Windows 9* – Q.E.D.

As for RES Workspace Manager 2014 on the Win 10 Tech preview, it’s hardly surprising the WM start menu management doesn’t work 100% yet. Ischn’t tish weird? I’m shure tere’sh shomewone working on tish (that’s how you write with a Dutch accent, kids. Don’t try this at home :) Seriously though, it’s clearly evident the Startmenu has undergone a large overhaul, thus it’s likely working differently than the current release of Workspace Manager thinks. For example Replace Mode does not blow away the start menu, instead it looks like Merge Mode for now. Also there is obviously no way as of yet to handle the tiles. If the next FR/Major release of WM does not support native tile management then if someone figures out the proper HKCU/%userprofile% hacks to wrangle them, let me know. Placing desktop icons on the desktop seems to work as well. Besides that, Process Intercept seems to work just fine too.

ITS Client: One thing I noted, when you install the RES IT Store Client, it doesn’t launch when you have switched shortcut management to replace mode. This is not entirely unexpected as Win7 does the same thing. WM removes the Startup folder when in replace mode, i.e. the ITS client doesn’t launch as a result. It’s just a little bit weird when WM seems to leave the startmenu alone on Win10. Anyway this is not a hard snafu to overcome, if you’re currently testing the tech preview, just add an Execute Command item to launch “%programfiles%\RES Software\IT Store\Client for Windows\resocw.exe” at session start. Alternatively you could create an AM job that launches said binary in HKLM\…\Windows\Run.

Other small potatoes: Putting up a wallpaper logo from WM, I noticed that Windows 10 apparently doesn’t care if you select placement in one of the upper corners. The wallpaper will be placed centered on the screen. Other than that, for obvious reasons, neither WM nor AM is currently able to natively determine it’s Windows 10 as there aren’t zone/team/condition rules for it yet. Again, if you’re hacking around the tech preview, you could consider creating a zone that checks for a registry key identifying the OS, like I’ve previously described here for Win8 back in the pre-release days. You would instead be looking for the value ‘Windows Technical Preview’ and perhaps the number in the CurrentBuildNumber REG_SZ value.

In summary: the WM/Win10 combo looks very promising. Already now with a few limitations it’s actually quite usable, if not just for starting to become familiar with Windows 10 in a workspace manager context. Now we just have to wait for Jan 15th where apparently Microsoft will be letting us all know when to expect the release and RES will more than likely be well and ready to support Windows 10 when it goes GA.

Until then, keep doing things you’re not supposed to do! ;)

 

Managing VMware AppVolumes with RES

By Max Ranzau

 

 
From the Skunkworks Dept. This is an article I’ve been looking forward to writing for a while. I had the opportunity to look at AppVolumes when it was still pre-VMware Cloudvolumes, but as you know – timing is everything, so I decided to hang back until VMware released AppVolumes today! In this article I will share some thoughts on how the AppVolumes product can be augmented by RES technology to offer some very interesting options for integrators.

 

AppVolumes – 7 steps towards understanding:

So, what’s all the fuss about then? Easy. AppVolumes effectively eliminates golden image management, by letting you seamlessly attach applications to the image, no installation required. You’ll need vCenter and ESX to use it. If you are familiar with AppV it’s easy to understand the concept, however there are some differences between AppVolumes and AppV. Here are the ground rules in rapid fire succession:

  1. There is no spoon and there is no bubble. This is essentially layering/shim technology and not application isolation/virtualization. AppVolumes alone is not going to help you solve application conflicts, multiple co-existing Java versions and such.
  2. On the plus side, there is no network streaming involved either in delivering an AppVolume. When an AppVolume is attached, it’s happening in the virtual disk system, making the distribution nearly instantaneous.
  3. As far as limits go, it is currently recommended to attach no more than 10-20 volumes to a client. The max. size of an AppVolume is around 20GB and you can have multiple apps per AppVolume.
  4. Creating an AppVolume is relatively easy. Without going overboard in details, it involves spinning up an empty target workload, installing the app(s) you want and then AppVolumes taking care of the rest.
  5. Architecture-wise AppVolumes is relatively simple; you have a management server, that serves up a web-based console and an agent which is installed into the golden image. You can also deploy it on the fly later if you are supporting multiple images.
  6. Attaching a volume is done via the mentioned console, you can specify either AD users, groups or an OU for a given AppVolume. Once you do, the apps in the AppVolume appear in the Program & Features control panel, in the filesystem and HKLM etc.
  7. When you dismount an AppVolume all non-user specific data will be removed, being data in %programfiles*% and HKLM. However anything the application deposits within the user’s profile will be left behind.

The challenges


While AppVolumes on its own presents a most interesting way of managing changes in a VDI environment, the limitations above are fairly obvious – especially in the last step. Let’s look at the challenges one at a time here:

  1. Unless you limit yourself to one app per volume, there isn’t really a granular method for controlling access to the individual AppVolume-delivered applications. Since there is a rather low limit to AppVolume attachments, one app per volume really isn’t a viable option in most scenarios.
  2. Presuming you are supporting non-persistent workloads, where you want your user settings to survive, you’ll need something to pick up the changes.
  3. Due to the mentioned limitation on mounted volumes, you’ll need to decide on a way to organize the contents of said volumes, in other words what apps go together into which volumes. Since there’s no application isolation, I imagine one interesting method to deal with potential app conflicts would be to wrap difficult applications within a ThinApp virtualization wrapper, again stored inside the AppVolume, thereby having application isolation within the environment. Someone will have to test this and let me know if it works. Presuming it does, you could in theory keep your master image very lean and load up the apps in one big honking AppVolume, with all the apps under the sun you’ll ever need. However, this won’t solve access restriction to the individual apps and also you got to think about what needs to happen when an app inside a volume needs to be updated.

There are several ways to skin the cat, as to how you divide up your apps across AppVolumes. Above in item #3, we discussed one potential AppVolume deployment strategy; using one big volume for all your apps. This may perhaps not be the best approach if you have apps in the mix that are often updated (Yes, Firefox, I’m looking at you…) You might be better off putting these types of apps in a separate volume. Another scenario may force you to spread your apps across multiple volumes if the 20GB size limit is of any concern. Finally another conceivable strategy could be to lump often-used-together-apps into the same AppVolumes. For example; make an AppVolume out of all the Adobe Apps. Remember you don’t have to do this for the purpose of security segregation: This isn’t MS-AppV bubbles: All AppVolumes apps can talk together across volumes like normal locally installed apps.

What should not be a concern, is access and security around the available apps. That’s something we can do something about! However, let’s be careful out there: Like some people maintain multiple golden master images for the sole purpose of security segregating usage groups, I’m sure there will be some who would be applying the same mode of thought to AppVolumes. This is not necessary. Allow me to explain why:

 

How RES technology fits the picture

A bit of background: Years before images, VDI and such came around, RES Workspace Manager (or PowerFuse back then) already had the ability to cover up the presence of any and all applications on a given computer, either locally installed or virtual. The only apps the user would see, would be what they had been given access to. By today’s standard, even that is considered fairly static, as you may need to offer up certain apps as self-service with optional time limitations and/or approval workflows. We will discuss these scenarios further below.

Limiting Access: In short, you can have 300 apps installed on a computer, but suppose Max Generic User logs in, and I only have access to, say Word and Excel, then that’s all I’m ever going to see and be able to access under any circumstances. With the start menu (yes, it’s coming back in Windows 10) locked down and managed, drives hidden and the Workspace Manager security subsystems enabled, then for all intents and purposes the apps WILL NOT be available. This is also important for licensing purposes. If I try to get cute and write a macro in Excel to launch an app that I somehow figured out is underneath the RES abstraction layer, all I’ll accomplish is receiving a message that I’m not allowed to do that, and attracting the attention of the administrative staff, as a log entry and perhaps even a real-time alert will be issued immediately upon the execution of my high crime.

User specific configuration on app launch: Using Workspace Manager’s native functionality of simply managing the shortcuts and the security around the workspace as described above takes care of the first challenge. This has already been tried and tested in the RESguru Skunkworks lab and I can report it works nicely. Adding in the ability to configure AppVolume-delivered apps upon launch makes the packaging process a breeze. Back in the dark ages one had to worry about Active Setup during MSI packaging, but with Workspace Manager in the mix, all you really have to do is next-next-finish package your app, regardless of the deployment method, being regular MSI, ThinApp, or AppVolumes. Drawing a line between deployment and user configuration, leaving the configuration to the live Workspace and thereby simplifying the AppVolume packaging process, is the overall takeaway here.

AppVolumes Agent deployment and population: As it stands today, you’re supposed to configure all volume access via the AppVolume web console, but just as we learned about the old SoftGrid client (remember the file:// .osd trick?), there’s usually always a way to load up the agent directly without the involvement of a server, and AppVolumes is not an exception. The AppVolumes agent can manually load up a volume by running C:\Program Files (x86)\CloudVolumes\Agent\svservice.exe attach <volumename>. Another thing you can do (that is, if you’re going to use the management server) is deploy the AppVolumes agent using RES Automation Manager. The parameters you’ll need for the AppVolumesAgent.MSI are MANAGER_ADDR=<fqdn of management server> and MANAGER_PORT=<default is 80>.

Offering AppVolumes content as subscribed services: By far, I think this is one of the most interesting avenues of integrating RES and VMware AppVolumes. One thing is the ability of Workspace Manager to only expose assigned apps, but combining this with self-serviced applications as well as approval workflows is pretty killer. If one already has a client where Cloudvolumes has been deployed and a given volume has been assigned to, for example, an AD group, I would use RES IT Store to pre-qualify users to the same AD group. There are several ways to do this, but I’d probably do it this way:

  1. Create a hidden ITS service (not displayed to the users in the store, service panel, etc.) which is assigned to the AD group that a given volume is assigned to.
  2. Using the RES Workspace Manager ITS publishing wizard, I would then create managed apps + services for the individual apps in the volume.
  3. Last, I’d configure a service dependency onto the hidden volume service.

If you remove someone from the AD group assigned to a given AppVolume, or if you remove the group as a whole from an AppVolume, the advantage of this approach is that RES IT Store would be able to detect the change and automatically run return workflows in IT Store, thereby properly handling licensing, de-configuration (remember, removed AppVolume based apps will still leave gunk in your profile), desktop, etc. – all in one smooth automatic motion.

Before we wrap up let’s just recap the advantages of combining VMware AppVolumes with the RES Suite:

  • Govern access, licensing and security around individual apps made available across multiple volumes
  • Configure applications on the fly (or rather, at launch), eliminating the need to worry about user config at packaging time
  • Capture the user’s changes to all apps, regardless of whether AppVolumes are dismounted later
  • Deploy the AppVolumes agent as well as attaching the volumes themselves using Automation Manager
  • Create self-service AppVolume-based apps by creating an IT Store service for each application.
  • Allow for approval workflows, time-based access, plus auditing of access and usage.

Looking back, it’s been a while since I’ve seen such a great fit between technologies. I believe we are going to see a lot more of RES/VMware combined solutions in the near future.

 

Inside Workspace Manager 2014 SR2

By Max Ranzau

 

 

From the Nuts&Bolts Dept. Last week saw the release of Workspace Manager 2014 Service Release 2. You may have read the initial post over at RES, but as always here at RESguru.com we like to kick the tires and take it for a spin around the block. There are several items in this release that are important to know about and I’m going to highlight some and give you my view on them. You can of course dust through the full release notes here as well. Let’s roll up the sleeves and get started:

Update considerations:

First of all, when rolling out the SR2 update, keep in mind that if you occasionally use the Force Cache update on the agents view, you want to get all agents spun up to SR2 as quickly as possible. RES has changed some of the security underneath the hood, so an SR2 console can’t force-cache-update an SR1 agent, and vice-versa. You may recall the TCP/1942 port, which needs to be open on the WM agent. This port hasn’t changed, but the comms on it have. The schematic below explains it pretty well:

[Schematic: SR1/SR2 force cache update]

 

Finally! Batch Buildingblock processing:

Long awaited is the ability to export and manage buildingblocks. Many customers I’ve trained and worked with over the years had a hard time understanding why it was only possible to batch import buildingblocks with the current pre-FR2 /add parameter, but it wasn’t possible to run a regular backup/export. Well, lo and behold we now have the following new commandline options for the WM console binary, pwrtech.exe:

  • /del – delete configuration items currently inside the WM datastore. You can either use a buildingblock, thereby mass-deleting items, or delete just one item by specifying its GUID (this can be found by exporting a buildingblock and looking for the <guid> tag).
  • /export – the droid we’ve been looking for. This allows you to export any one object by specifying a guid. It can also export all configuration objects of one or more given type keywords separated by commas.
  • /addresource – Allows you to upload any file as a custom resource to the WM datastore. With a /path parameter you can specify where in the custom resource folder structure the resource will be placed, or you can just leave it in the root. Using a /guid parameter you can overwrite an existing resource.
  • /exportresource – Does pretty much the opposite. Either a /path inside the custom resource structure or a /guid to what you want to export can be optionally specified
  • /delresource – Deletes a custom resource. Again either /path or /guid can be specified.

A couple of random neuron-misfires here:

  • This makes me wish RES would put in a GUID field in the console (which can be copied from, thank you very much) on each and every last item, so it would be quick to reference it, as the alternative is to sit and munch through buildingblock XML. Besides, we already have the GUID visible on managed applications, so why not make it consistent?
  • Also, these new commandlines give food for thought. One could quite easily imagine future customers subscribing to new WM content made available from someone (like RCS), running a BuildingBlock IT store, powered by Automation Manager downloading buildingblocks and importing them… Now there’s an idea! :)

For now, go look at page 16 of the release notes for the exact commandline syntax until we get the WM Commandline Reference updated accordingly with the new stuff. Also be sure to check the type reference on page 18.

 

Automatic agent cleanup

Another item that is handled better in SR2 is the list of WM agents. It stands to reason that in a non-persistent VDI environment, you would end up with a boatload of inactive agents as your hypervisor is generating new computernames, depending on your agent identification method. Prior to SR2 you would have to clean these out yourself on a regular basis. This is no longer necessary as the Settings tab for the agents now has a setting for automatic agent removal. Besides having it turned off, you can choose between 45, 60, 90 and 120 days where you haven’t heard from an agent and it’ll automagically be removed.

Loads of new registry settings

The new Workspace Manager SR2 includes about 9 new behind-the-scenes registry tweaks. There are several settings relating to the WM Relay servers, covering custom certificates to secure agent communications as well as log cleanup and connection timeout. You can check out the tweaks in the updated WM Registry Guide available here.

 

New filehash based whitelisting.

When authorizing files in Workspace Manager security, you can now add SHA-1 filehashes to the authorization. In the past the AppSense guys were moaning on about how that was a big differentiator to their advantage, so there – another FUDbomb defused. Besides, their filehash was afaik MD5 based, which generally is considered inferior to SHA-1, due to a lower bitlength and fewer rotations. Stones and glasshouses, lads. Note that the SHA-1 filehashes can either be imported via the Authorized Files node, or on the new log screen. I’m guessing there might be a new logtype in the database as a result, so perhaps we soon might see an update of Patrick G’s DB Cleanup Tool. One important thing to mention is that you can also batch import the SHA-1 filehashes with a command line, like this: Pwrtech.exe /importhashes=<file> /createifnotexists.
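
The script below is an added example, not RES or RESguru code: it hashes the executables of a reference install with SHA-1 and flags unsigned files and duplicate content for review before anything is authorized. The folder, output path and CSV layout are assumptions; the file layout that /importhashes expects is not given here, so convert the reviewed list to that layout before importing.

```powershell
# Added example (not RES code): build a reviewable SHA-1 inventory of a
# reference install before any hash is authorized.
# Assumptions: $Root, $OutFile and the CSV column layout are hypothetical.
param(
    [string]$Root    = 'C:\Program Files\ExampleApp',
    [string]$OutFile = (Join-Path $env:TEMP 'sha1-inventory.csv')
)

# Limit the inventory to executable file types.
$extensions = '.exe', '.dll', '.com', '.scr', '.msi'

$inventory = @(
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction Stop |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Sha1      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
                Path      = $_.FullName
                SizeBytes = $_.Length
                Signature = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
)

# Unsigned files or files with a broken signature deserve a manual look
# before their hash goes on the authorized list.
$needsReview = @($inventory | Where-Object { $_.Signature -ne 'Valid' })

# Identical content stored under several names needs only one hash entry.
$duplicates = @($inventory | Group-Object -Property Sha1 | Where-Object { $_.Count -gt 1 })

# One row per distinct hash goes into the review file.
$unique = @($inventory | Sort-Object -Property Sha1 -Unique)
$unique | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8

'{0} files hashed, {1} unique hashes, {2} duplicate groups, {3} need review' -f `
    $inventory.Count, $unique.Count, $duplicates.Count, $needsReview.Count
$needsReview | Format-Table Signature, Path -AutoSize
```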

 

XenApp 7.x Publishing

What’s there to say; it just works. While some of us were banging around with the SR1 9.9.1.91 update pack for a while, which had a few snafus, they too have been ironed out nicely in the SR2 release. One weird thing I’ve come across a couple of times is that for no apparent reason, you may get the WM ‘The application cannot be started’ popup on the XA box, however it seems that a de-publish/republish via QuickEdit resolves that and the problem doesn’t come back. One thing to note: it looks like Citrix brought back Session Lingering in XA 7.6, so while Workspace Manager SR2 offers a surrogate solution via a reghack, it looks like it’s only relevant up to XA 7.5.

 

The above is a small sample of all the improvements that SR2 offers, which I found interesting at this point. There’s plenty more. Again, I cannot emphasize this too much: When there is a new major release or update to any of the RES products, always take the time to read the release notes. There are loads of goodies in there!

 

Updated WM Registry Guide

From the About-Damn-Time Dept. One of the most popular articles on RG is the Registry reference for RES Workspace Manager. Unfortunately it’s been sitting on the backburner for a while, but no more! As of this week’s release of Workspace Manager 2014 FR2, the guide has been updated with all published registry settings available from the base 2014 release notes and up to. If you come across missing or any other spooky settings, feel free to contribute in the comments section on the article.

Click to view the WM Registry Guide.

 

Free RES Consultancy

Is your company a RES Software customer? Are you considering if you are getting enough out of your investment? Want to make sure you’re doing it right, and the products have been implemented as they should to suit your business needs? Have a great use-case but not sure how to best go about it?

Why not take advantage of the 15 years of RES experience through RCS and find out how you can extract even more value out of your RES software purchase. RESguru Consulting offers:

  • RES Environment health check
  • Tune-up / Optimizations sessions
  • Best practice audits and advisory
  • Design Q&A whiteboarding sessions
  • Technical Workshops

Reach out today to RESguru Consulting Services for a free 3-4 hour online consultation with no strings attached. Until December 31st 2014, RCS is running a global campaign for new and current RES customers. Only requirement is that you currently own RES licenses. No Software Assurance? Not a problem.

Call +1 610 462 2200 or contact m.ranzau@resguru.com to schedule your free consultation.

 

New Technote: Webservices & Automation Manager

From the Technotes-R-Us Dept. Today I have the pleasure of sharing a new article based on some preliminary work I did for a couple of clients who are looking to integrate SOAP based web-services into RES Workspace Manager. I put together a simple demo that shows how to use SOAP calls to pull a live weather report from major airport cities around the world. If you can make that work, you can do pretty much anything from configuring a firewall, setting up infrastructure or even processing creditcard payments.

This is the first of a two-part article, where we next time will look at wrapping a service around the module and learning a few nifty tricks on how to deal with value dependent dropdowns.

Click here to read part one

Click here to read part two

Automated XenDesktop 7.5 Build with RES AM

By Max Ranzau

 

From the BuildingBlock Dept. You may recall a couple of years ago that I published a RES Automation Manager buildingblock for Citrix Xen Desktop 5.5, XA and PVS.  Today it’s my pleasure to publish a new buildingblock that will do the same for Xen Desktop 7.5. It’s pretty slick, as it hardly needs any configuration or special prerequisites and allows you to choose all the install options for Xen Desktop.

My friend and co-blogger Mr. Jeroen Speetjens from the Netherlands has been kind enough to share this with the RES community. You folks over at Citrix might also want to take note of this work. In order to use this buildingblock, all you need is the Xen Desktop ISO and a fresh Server 2008 or 2012. Deploy a RES Automation Manager agent to the target server, then import and schedule the module. The module contained in this RES Automation Manager buildingblock will configure everything else you need.

When you import the buildingblock, you will be prompted for the path to the contents of the XD .iso file, as shown on the screenshot below. It is recommended to either mount it somewhere and share it, or copy all the files out of the ISO to a share. Either way, it’s about 2GB and you don’t want to add that as an AM resource. Not that Automation Manager can’t handle it, it’s just a hassle next time you’re updating the binaries when you have a new .iso.

When you schedule the module to the target server, the module will prompt you for what kind of installation you want. After that it’s off to the races: The average deployment time is about 10 minutes on a target system with SSDs.

Note: If you decide to download this AM buildingblock and take it for a spin, I kindly ask you to take a moment to comment your feedback below and send thanks to Jeroen for his efforts.

Click the brick as per usual to download the buildingblock.

Remember: RESguru.com is still the number one place to get noticed if you are doing cool stuff with RES: If you’ve got something to share – the guru community cares!

Updated: DB Cleanup Tool 2.0

By Max Ranzau

 

From the Tools-R-Us Dept. You may recall a while back in February, I reported on a cool utility to address the issue with clearing individual log files in RES Workspace Manager. There’s now a new version 2.0 out from one of our community heroes (=someone who contributes and shares stuff), Patrick van Grinsven in the Netherlands (For the record, Morgan Freeman did not develop it ;). The SQL Database Logging Cleanup Tool has seen a few GUI changes and some other improvements:

  • It is now possible to directly Analyze / Query / Clear the configured logging database if the supplied connection details and logs are valid.
  • It is now possible to Analyze / Query / Clear the logging between dates, or to completely clear the selected log (1)
  • Logging analysis is being sorted descending.
  • Displayed record count added (2)

If you are a RES engineer or admin, this utility should most definitely be in your Bat-utility belt.

For further information and downloads, see the updated article here.