Workspace Manager SR3 Highlights

By Max Ranzau

 

Update: Since the June 12th, the SR3 9.7.3.0 release has been updated. If you already read this article, cut to the chase below.

From the Yay-New-Toys! Dept. Yesterday we got the long awaited Workspace Manager Service Release 3. Due to yours truly being 6-9 hours behind the rest of the RESverse here in the Bay Area, you won’t hear it first on RESguru, but at least I get dibs on diving into the deep end of the feature pool and perhaps fill in a few blanks that you weren’t aware of. This time we’re in for a treat as there are several new SR3 features to look at. [RANT=ON] It took a little while extra tonight, as the retarded WordPress editor decided to hose my article – twice! And autosave had gone fishin’ as well..#@%&! [RANT=OFF] Anyway, you will find the release notes for download at the end of this article. Here is some of the new enhancements and features in no particular order:

wifi-radarWiFi based location detection. This is a biggie which I’ve been looking forward to seeing in the live product as we’ve been testing this for several months.Basically this is a set of new Zone rules which allows you to figure out where a WiFi enabled endpoint physically is, based on what WiFi AccessPoints/Hotspots it’s able to see. Note that Workspace Manager has to be installed on said endpoint. Those of you following me on twitter will already know that there’s a brand-spankin’ new whitepaper released which covers in detail how to configure these new zone rules. One thing I’d like to draw your attention to is that the Diagnostic tab in the users Workspace Preferences now displays the wireless connection details including what other access points are visible, their BSSID’s, MAC and signal strength percentage. It’s however not updated live in this view. There’s a couple of additional notes I’d like to offer as well:

  • new-rulesFirst, you have two new zone rules available under Network|Wireless : 1) What BSSID you are connected to and 2) The nearest one with the strongest signal. it’s important to understand what is meant by a Trusted Network in the context of Workspace Manager.
  • An important topic, to set the expectation level: It is not currently possible to do triangulation of any sorts, like specifying minimum signal strengths or similar in the current wireless zone rules. Second (I have yet to try this), I doubt if you can do a logical AND two or more Wireless rules together anyway. As I understand it, there will only be one that has the strongest signal level so &-ing two or more rules together would never test true if I read this correctly. Comments are welcome.
  • BSSIDWhile one could certainly wish for a nice overview of discovered access points in Worspace Analysis, it was decided not to do that natively in WM due to privacy concerns. If you are an evil controlfreak like me, still wanting this kind of information at hand, you could consider running an Execute Command job at log-in, with the following Windows command line: netsh wlan show networks mode=bssid. It will give you the same info, but you’d have to collect the output yourself. This can be done much easier with an Execute task in RES Automation Manager.
  • While we’re dealing with zones, you may notice a minor cosmetic change as the Zone icon has been replaced. Gone is the ol’ green earth, replaced by a GoogleMap-like ( pin-icon ) pin icon.

appv5-importApp-V 5.0 support. Three Cheers and a Hurray for this. Where as many workspace engineers around the globe had to come up with nifty workarounds to cater for App-V 5.0 in the interim period before SR3, it’s now supported natively. It is really not a big deal to use it, as all you have to do is point to a folder with .AppV files in it and they will be read in, just like AppV 4.6 and earlier .OSD files. User Settings, Prefetch, Configuration Actions and Process Interception should work fine as well for App-V 5.0 apps. A couple of sidenotes:

  • appv5-req-vistaWhen importing or creating App-V 5 apps, you have to do it from Vista or newer OS. If you try to run the import wizard on Server 2003/XP the Wizard will read any AppV 5 package as blank, i.e. with no apps in it. If you try to create an app from scratch and browse to the .AppV file, the WM console gives you this little number on the right. You can still import .OSD files from App-V 4.6 or earlier, from the console running on any supported OS.
  • As there no .OSD file to tinker with, the option to edit it from inside the Managed App (the ‘click here to edit OSD file’) is gone as well for an App-V 5 app.
  • The command line for an RES WM managed App-V5 app employs some new tags which look like environment variables but are not variables. An imported command line looks this: %APPVPACKAGEINSTALLATIONROOT% \PackageGUID\%APPVPACKAGECURRENTVERSION%\Root\VFS\ProgramFilesX86\SeqFolder\VirtualApp.exe

Windows 8 Compatibility: There’s been some changes behind the scenes to get things working as smooth as possible. There are however still a couple of gotcha’s you would do well to keep in mind. Quoting directly fom the release notes:

  • RES Workspace Manager dialog messages that are directly displayed after session logon will not be visible on the Windows 8 Metro Start Screen.
  • Windows Themes: Custom background images selected by the end user in Windows 8 are not applied in Windows 7, though changes made in Windows 7 are applied in Windows 8. Note: this kinda makes sense as it’s not to expected that an older version of Office would understand settings of a newer version.
  • When publishing a Managed Application from RES Workspace Manager to a Windows Server 2012, the published application is available in RES Workspace Manager sessions, but it does not appear in the list of published applications in the Windows Server Management Console.

New disc-launchUser Settings Discovery discovery-finishWizard. This makes it so much easier to create captured settings for an application. Rather than starting from either scratch, a template or adding settings one by one from the SampleMode log, you can now start a Wizard which will, much like we are used to by now with Registry Tracing, create the capture template based on what the application is doing.When you’re editing User Settings on a managed app, hit the Add button and a new option “Discover User Settings” is available.

basic-usNote: User Settings also now has a button at the bottom which toggles Basic vs. Advanced user settings. For those already savvy with WM’s User Settings, Advanced mode doesn’t add anything new. What’s changed is that Basic Mode just hides the stuff we normally don’t tinker with, unless special circumstances warrant it. Basic mode looks like shown on the bottom here on the right.

The discovery wizard and the basic/advanced button applies to UserSettings based on Apps as well as those defined globally under Composition|UserSettings

desktoptemplatesNew templates for User Settings. A ton of new UserSettings templates have been added to the list of known applications and OS items, for which Workspace Manager knows out of the box how to grab settings for. For old operating systems, a couple of templates have been added for XP/2003 environments to help migrate user data out. There is now a template respectively for Desktop contents and Desktop icons only, where the first one will grab everything including the kitchensink (Danger, Will Robinson! Large User Settings and henceforth long logon times can result if users are storing many items on the desktop), the latter will only grab .LNK and .URL files. Note: If you want to prevent storage of anything else than shortcuts on the desktops in the future, you probably want to have a look at this article. Also look into the new folder sync options, described on page 16 in the release notes. Besides these things, new templates have been added for IE10 and all the suite applications in Office 2013. It almost goes without saying that Workspace Manager SR3 supports MAPI configuration and email signatures for Outlook 2013 as well.

New Agent-Only installer: As you may have noticed on the WM download page on the RES support portal, there is now a new Agent-Only installer available (filename RES-WM-2012-Agent-SR3.msi). Even though the console can be protected by none less than 3 separate security barriers (no icon, AppGuard process blocking and the internal Administrative Roles), I guess that some folks are just more comfortable having an installer that only puts the RES WM agent (still consisting primarily of the RES service, Kernel drivers and Workspace Composer) on the endpoint. We still have the console-only installer, but as it doesn’t include the RegGuard driver either, the console-only installer is not applicable if you’re planning on using it for Registry Tracing.

bypassComposer Bypass option for Administrators: One thing that’s been driving me nuts for a long time is the fact that as soon as you flipped the composer switch on a WM Agent, Workspace Manager up until now launched the workspace composer regardless if you’re an admin or a regular peon. This has been fixed. Yay! Under Setup|Advanced Settings there’s now a new checkbox (number 3 from the top) that lets you specify a mask or specifically add usernames separated by semicolons for which Workspace Composer should not launch. Bottom line, using this option you can walk up to any regular computer managed with RES WM and if you’re the Man, you get a regular non-RES-managed windows environment. Note: Contrary to what the screenshot shows on the right, you must specify the admin as either DOMAIN\Administrator or .\Administrator (for local accounts)

newcolumnsEnhanced columns and GUI enhancements: Allow me start with another rant: Someone once said to me; “…but, Max all you care about is buttons!” Darn straight I do! – Obviously among other things. Said “buttons” are the interface of the tools we are given and if they suck and swallow, we might as well just forget about the whole thing and go back to scripting. In earnest, I believe that the quality of any solution is equal to the sum of its parts. One of those parts is when you set the tool in question to something and leave it on your workbench, you expect to find it in the same state when you come back. What I’m getting at, are these nice changes:

  • Now all list views in Workspace Manager are customizable. Examples are the Composition|Applications|Application list tab or the Security|Authorized files node. What you can do here is drag and drop the order of column headers left and right, resize them and they are remembered for the next time you use the console anywhere else.
  • Also the field Administrative Notes has been added to the Application List. Simple things, but nevertheless items that makes a product stand out. Thank you Product Management!
  • It’s possible now to batch enable/disable multiple apps from the QuickEdit menu. This also works when right-clicking on a folder in the Applications|Start Menu tab, making it easy to knock out a whole suite with one stroke.
  • If you’re running a large environment with many apps, you also should experience significant performance enhancements across the board. These are detailed in the releasenotes.

Last minute erata: It seems that while column properties for lists like Security|Authorized files are roamed from one console to another, the Application List is not roaming, but is being remembered per device. Small potatoes but hey – comment if you see it too.

new-autolaunchoptionsNew Autolaunch options on Managed Apps: You can now take a more granular approach to how managed apps are launched in the users session. Instead of previously just having a autolaunch checkbox alone under the managed apps Settings tab, you can now set the launch on an app as Voluntary, Mandatory or (the default) Take No action. The voluntary option gives an interesting option to organizations who for example would like to say to new users “We think you might like to launch your email when you log in, but if you hate it, you can change it”. The user would make said change in his Workspace Preferences panel. There are probably many other use-cases, but I’ll leave that up to your creativity.

Newhdmapping Drive and Port mapping option for HyperDrive. If you go to Setup|RES Software|HyperDrive and enable the HyperDrive integration in RES Workspace Manager, a new option for mapping drives presents itself under Composition|…|Drive and Port mappings. The releasenotes nor online help are not specific on the format of the Hyperdrive fileserver string, but consulting the HyperDrive admin guide reveals that you can specify a fileserver as a WebDAV URL like this: https://hyperdrive.yourcompany.com/webdav/FileServerName. This kinda makes sense as one of the little known facts of Workspace Manager’s drive mapping mechanism, is that WebDav drive mappings have been supported since way back in 2008. See this article. If this works differently, please comment

hyperdrive settingsNew Hyperdrive Client Management settings. While we have HyperDrive fresh in mind, let’s also have a quick look at the new Vault configuration settings. With these you can change the location of the HyperDrive client’s encrypted cache and several other items. See screenshot on the right. Note that your HyperDrive client must be version 4.8.21.10 or newer. If you haven’t done much in terms of HyperDrive integration before, now would be a great time. This part of the console basically allows you to customize and tweak almost every aspect of the HyperDrive clients behavior. Remember, as per usual you can leverage the PlusMenu (This is what the plusmenu icon looks like) to create different Workspace Models for different sets of context.

Last is a hodgepodge of other items which bear short mention:

  • New PWRGATE.EXE -55 parameter to force save and restart. This is an option needed sometimes for SCCM packages that need a reboot to work properly. See the updated Secrets of PwrGate article for details.
  • New unattended installation parameter CONNECTFILE. This allows you to specify an file containing encrypted datastore connection. For more details, see the updated WM parameter guide.
  • New entry for the PWRUSER.INI file in the user’s \Personal Settings folder to tweak printer notification behavior. NotifyDefaultPrinterChange=No|OncePerLocation. For now see page 27 of the release notes below for further info. Keep an eye out for a future PWRUSER.INI reference.
  • Threshold option to use cached AD credentials if DC is too slow. Under Setup|Advanced there is a new option (2nd from the bottom) to specify a latency threshold in milisecs if locally cached credendials should be used instead of pulling them from the Domain Controller. This should help speed things up as well.

To wrap things up, the WM ServicePack 3 is indeed a massive update, containing over 65 new enhancements and features and even more bugfixes, so this article would get quite exhaustive if I was to screenshot and discuss every one of them. Instead I would urge you to download the release notes and have a look for yourself. If there are any particular feature you would like to see further highlighted, comment below or hit me up on Twitter.

Update: The SR3 9.7.3.0 release has been updated since the original June 12th release. The latest version as of June 24th is 9.7.3.1. There are no new features in the .1 update, but several things have been fixed. Refer to section 4 of the updated releasenotes:

Click here to download the updated WM2012 SR3 release notes for 9.7.3.1: pdffile