- Catalogs / Delivery Groups
- RDSH Application Testing
- Application Groups (XenApp 7.9 and newer)
- Limit Icon Visibility based on AD Group Membership
- Published Content (XenApp 7.11 and newer)
- Application Usage Limits
- Keywords for StoreFront
- Secure Browser
- App-V – hotfix, Citrix’s Share Method
- Published Desktop Icon
- Other Published App Tips – Chrome 💡
- Hide Disabled Published Applications
- Bidirectional Content Redirection
- Local App Access (Reverse Seamless)
- Anonymous Apps
- Export/Import Published Applications
💡 = Recently Updated
RDSH Application Testing
Installing apps on Remote Desktop Session Host (XenApp) is more complicated than installing apps on a single-user operating system (virtual desktop). Here are some RDSH-specific considerations that must be tested before integrating a new application into RDSH. These considerations usually don’t apply to virtual desktops.
- Multi-user Capable – can the application run multiple times on the same machine by different users? Most applications don’t have a problem, but a few do, especially applications that put temporary files or other writable files in global locations. For example, the first user of an app could write temporary files to C:\Temp. The second user writes to the same location, overwriting the temp files needed by the first user. Test the app with multiple users running the app on the same RDSH machine.
- Lockdown to prevent one user from affecting another – What restrictions are needed to prevent one user from affecting another? For example, if an app’s configuration files are stored in a global location, you don’t want one user to edit the configuration file, and thus affect a different user. Test the app with multiple users running the app on the same RDSH machine.
- Permission Relaxations – what relaxations (e.g. NTFS) are needed to allow non-administrators and GPO locked-down users to run the application? Test the application as a non-administrator with GPO lock down policies applied.
- First Time Use – when a user launches an application the first time, the application should be automatically fully configured with default settings (e.g. back-end server connections). Use group policy to apply application settings. Automated FTU also helps with a user whose profile is reset. Test the RDSH app with a user that has a new (clean) profile.
- Roaming – users could connect to a different RDSH machine every day, and thus user settings need to roam across machines. Test running the app on one RDSH, make changes, then login to a different RDSH machine to ensure the changes are still there.
- Application Licensing – if an application requires licensing, can licensed and non-licensed users connect to the same machine? Can it be guaranteed that non-licensed users can’t run the application that requires licensing? Adobe Acrobat is an example of a challenging application because of the global .pdf file-type association, and the global PDF printer.
- Client Devices (USB, printers, COM ports) – the client device mapping capabilities on RDSH are not as extensive as virtual desktops. For example, generic USB wasn’t added until Windows Server 2012 R2. When the application prints, does it show printers from every user, instead of just the user running the app? Does the app need COM port mapping?
- Shared IP – does the app have any problems with multiple users sharing the same IP address? If so, you might have to configure RDS IP Virtualization.
- Fair Sharing of Hardware Resources– does the app sometimes consume a disproportionate amount of hardware resources? For example, can the app be used to launch a task that consumes 100% CPU for some time? One option is to put this app on its own Delivery Group. Or you can use Citrix Workspace Environment Manager to ensure fair sharing of hardware resources.
- Published Application – can the app run as a published application that doesn’t have Explorer running in the background? Does the app (e.g. Internet Explorer web apps) need RunOnce.exe /AlternateShellStartup to fully initialize before it will run correctly as a published application? Some apps work without issue in a published desktop, but don’t work properly as published applications. When testing a published app, test it with a user that has a new (clean) profile. Connecting to the published desktop once will cause Active Setup to run, changing the user’s profile, thus distorting the published app testing results.
- Integration Testing – when installing a new app on a RDSH server, don’t forget to test the other apps already on the RDSH server, because the new app might have broken the other apps. The more apps you put on an RDSH server, the longer it takes to perform integration testing.
Also see MSDN Remote Desktop Services programming guidelines.
Some of the issues in this list can be overcome by using an application virtualization tool (e.g. Microsoft App-V) that runs apps in isolated bubbles.
Citrix Blog Post Introducing Application Groups in XenApp and XenDesktop 7.9
XenApp 7.9 and newer has an Application Group feature. This feature lets you group published apps together so you can more easily apply properties to every app in the group. Today, you can do the following:
- Control visibility of every app in the app group (Users page).
- Publish every app on the same Delivery Groups.
- Prevent or allow apps in different Application Groups from running in the same session.
- With one published app icon, test users launch from test Delivery Group, while production users launch from production Delivery Group.
To create an Application Group:
- In Citrix Studio, right-click Applications, and click Create Application Group.
- In the Getting Started page, click Next.
- In the Delivery Groups page, select the delivery groups you want these apps published from.
- In the Users page, select the users that can see the apps in this app group.
- Note: there are three levels of authorization. An app is only visible to a user if the user is assigned to all of the following:
- Delivery Group
- Application Group
- Individual Published Apps in the Application Group
- Click Next.
- In the Applications page, publish applications like normal, and then click Next.
- In the Summary page, give the Application Group a name, and click Finish.
- In the Applications node in Studio, there’s a new Application Groups section.
- If you highlight your Application Group, on the right is the list of apps in the group. You can edit each of these published apps like normal.
- You can drag applications into an Application Group.
- However, this more of a copy than a move. To actually move the app exclusively into the Application Group, edit the individual app, and on the Groups page, remove all Delivery Groups (or other Application Groups). The app will instead inherit the Delivery Groups from the app group.
- If you edit the Application Group:
- The Settings page has an option for session sharing between Application Groups. Clearing this checkbox allows you to force applications in different Application Groups to run in different sessions.
- The Delivery Groups tab lets you set Delivery Group priority. If priority is identical, then sessions are load balanced. If priorities are different, then sessions are launched on Delivery Groups in priority order.
- In XenApp/XenDesktop 7.13 and newer, you can use PowerShell to cause an Application Group to launch multiple app instances in separate sessions. Citrix Blog Post XenApp and XenDesktop 7.13: Launching an Application in Multiple Sessions. 💡
Limit Icon Visibility
For Published Applications, there are three levels of application authorization: Delivery Group, Application Groups, and Published App Limit Visibility. A published app icon is only visible if the user is added to all three levels.
- Delivery Group (Users page). If the user is not assigned to the Delivery Group, then the user won’t see any application or desktop icon published from that Delivery Group.
- Limit Visibility – You can use the published app’s Limit Visibility page to restrict an icon to a subset of Delivery Group users.
- In XenApp/XenDesktop 7.9 and newer, you can use Application Groups to restrict access to published icons.
- App Icons won’t appear unless users are added to all three of the above locations.
Published Desktops have separate authorization configuration:
- XenApp/XenDesktop 7.8 and newer have a Desktops page in Delivery Group properties where you can publish multiple desktops and restrict access to those individual published desktops.
- In XenApp/XenDesktop prior to version 7.8, if a desktop is published from the Delivery Group, by default, every user assigned to the Delivery Group can see the icon. You can use the PowerShell command
Set-BrokerEntitlementPolicyRuleto limit the desktop icon to a subset of the users assigned to the Delivery Group.
Get-BrokerEntitlementPolicyRuleto see the published desktops.
- Then run
Set-BrokerEntitlementPolicyRuleto set the IncludedUsers or ExcludedUsers filters.
XenApp 7.11 adds Published Content where you can publish URLs that are opened in the user’s local browser. You can also publish UNC paths, which are opened with local Explorer or local application.
Currently there is no GUI to publish content. Instead, use PowerShell.
New-BrokerApplication cmdlet requires you to specify a Delivery Group. This Delivery Group must have at least one registered machine in it. However, the published content does not actually launch from the Delivery Group since the URLs and/or UNCs open locally.
New-BrokerApplication -ApplicationType PublishedContent. Here is a sample PowerShell command:
New-BrokerApplication -Name "CitrixHomePage" -PublishedName "Citrix Home Page" -ApplicationType PublishedContent -CommandLineExecutable https://www.citrix.com -DesktopGroup RDSH12R2
Instead of publishing to a Delivery Group, you can publish to an Application Group by using the
-ApplicationGroup switch. The Application Group must have Delivery Group(s) assigned to it.
Once the Published Content is created, you can see it in Studio. You can also edit it from Studio, including Limit Visibility and Groups (to move it to an Application Group).
Published Content can be placed in Application Groups. You can then use the Application Group properties to restrict access to the shortcut.
It does not appear to be possible to set the icon from Studio, but you can do it using PowerShell. See Citrix Blog Post @XDtipster – Changing Delivery Group Icons Revisited (XD7) for instructions to convert an icon to a base64 string, and import to XenApp using
New-BrokerIcon -EnCodedIconData "Base64 String". Then you can link the icon to the Published Content using
Set-BrokerApplication "App Name" -IconUid.
In StoreFront 3.7, you can click the icon and URLs will open in a new browser tab.
HTTP/HTTPS Published Content should open in Receiver. Other URLs (e.g. file:// or UNC path) will probably show an error message.
You can override this restriction by enabling the group policy setting Allow/Prevent users to publish unsafe content at Computer Configuration | Policies | Administrative Templates | Citrix Components | Citrix Receiver | SelfService. This assumes you’ve installed the Receiver .admx files. (h/t David Prows at CUGC forums). 💡
Application Usage Limits
In XenApp/XenDesktop 7.7 or newer, if you edit an application’s Properties, on the Delivery page, you can restrict the number of concurrent instances of the application.
Keywords for StoreFront
In a published application’s Properties, on the Identification page, in the Description and keywords field, you can enter KEYWORDS to control how the app behaves when displayed by StoreFront.
- Enter KEYWORDS:Mandatory or KEYWORDS:Auto to cause the application to automatically be subscribed or favorited in Citrix Receiver.
- In StoreFront 3.0 and newer, the user can go to the Apps tab, click an App’s Details button, and mark the app as a Favorite.
- In the older StoreFront interface, users subscribe to applications by clicking the plus icon to add the application to the middle of the screen.
- Mandatory means the app can’t be removed from Favorites or unsubscribed.
- Auto means the app is automatically favorited or subscribed, and can be un-favorited or unsubscribed by the user.
- Enter KEYWORDS:Featured to make the application show up in the Featured list.
- You can separate multiple keywords with a space. KEYWORDS:Mandatory Featured.
- See the StoreFront 3.7 Keywords documentation at Citrix Docs for more information.
Users will have a better experience with StoreFront if applications are published into folders. The folder name is specified in the Delivery page in the Category field. Note: Add shortcut to user’s desktop works in newer versions of Receiver assuming the app is marked as a Favorite.
Citrix has a deployment guide for publishing a browser from XenApp. Here’s an overview of the configuration:
- Install Chrome on an RDSH VDA.
- In Studio, publish IE and/or Chrome in Kiosk Mode to anonymous users.
- Create a different published app for each website.
- In StoreFront, create a Store for Unauthenticated Users.
- In StoreFront, enable Receiver for HTML5.
- In StoreFront, enable web links so you can link to the published browser from a different website.
When a user launches the published browser, the HTML5 client opens the published app in a local browser tab. The published browser runs in kiosk mode so that the published browser’s user interface is hidden. It looks like the website is running on the local browser but actually it’s running from a published browser.
There’s a special XenApp Secure Browser Edition that is only licensed for publishing browsers from RDSH. See the press release Citrix Radically Simplifies the Secure Delivery of Browser-based Apps.
App-V Client Hotfix
The latest App-V 5.1 hotfix is June 2017 servicing release for Microsoft Desktop Optimization Pack. Note: Windows 10 1607 and Windows 2016 get App-V updates through Windows Update. 💡
The latest App-V 5.0 hotfix is Hotfix Package 3 for Microsoft Application Virtualization 5.0 SP3.
There is a special version of App-V client for RDS (Remote Desktop Session Host). The normal App-V client in MDOP won’t work. Get the RDS version from the Microsoft Volume Licensing website.
App-V GPO ADMX templates
The latest GPO ADMX templates for App-V can be downloaded from Microsoft Desktop Optimization Pack Group Policy Administrative Templates.
App-V and Logon Times
- Microsoft App-V Team Blog: Support Tip: Mandatory user profiles and App-V integration with Configuration Manager – configure SCCM to run a logon script to republish App-V packages at every logon.
- Thamim Karim: Driving Down App-V Publishing Times in Non Persistent VDI Environments – various optimization tips and performance measurements
- Måns Hurtigh: Integrate Application Virtualization with Citrix Provisioning Services – pre-load App-V apps in master image, then run startup script on Target Devices to update App-V cache
XenApp 7.8 and newer App-V
XenApp 7.8 no longer requires App-V management infrastructure and can instead pull the App-V packages directly from an SMB share as detailed at App-V at Citrix Docs. The computer accounts for Delivery Controllers and VDAs must have read access to the share. An easy method is to add Domain Computers. See CTX221296 Citrix App-V Integration Minimum Permission Requirements.
XenApp 7.11 adds an Isolation Groups tab.
Once App-V packages are added to Citrix Studio, you can publish an app and select App-V from the drop-down.
The App-V apps show up as AppLibrary App-V and support the same options as other published applications.
Make sure the App-V Components are installed on your VDA. It’s not checked by default in 7.12 and newer.
On your VDA Windows 10/2016 or newer, in PowerShell, run Enable-Appv. For older OS, install the App-V client.
There appears to be some limitations to the package share method as detailed by Joe Robinson at discussions.citrix.com:
- No File Type Associations
- No Custom Deployment Config Files (no scripts)
- No Category for published App-V apps
Joe Robinson provided a script to force the App-V client to sync before launching the user’s App-V application.
Launch App Inside App-V Bubble
From Citrix Blog Post Process Launching in an App-V V5 Virtual Environment:
- On any executable, add the
/appvve:<PackageID>_<VersionID>of the package in which one would like the executable to run
- If the App-V process is already running then use the
/appvpid:<ProcessId>to inject into a running App-V virtual environment
- If you want something more permanent, you can set the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\<YourApplicationName>with a default REG_SZ key that has the executable name in it.
Also see Microsoft Knowledgebase article How to launch processes inside the App-V 5.0 virtualized environment.
Change Published Desktop Icon
Citrix Blog Post Changing Delivery Group Icons Revisited (XD7) has instructions on how to use PowerShell to import a Base-64 icon and then link it to the published desktop.
StoreFront 3.0 and newer overrides custom desktop icons. Run the following PowerShell command (from discussions.citrix.com) to restore custom desktop icons:
& 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1' Disable-DSStoreSubstituteDesktopImage -SiteId 1 -VirtualPath /Citrix/Store
Other Published App Tips
CTX209199 Published 64 bit Aps Can’t Be Started With %ProgramFiles% in Command Line If It’s Not the first Application to Start: You can try the following methods to address this issue:
- Use the absolute path to publish the application.
2. Use %ProgramW6432% for 64-bit applications instead of %ProgramFiles%.
See Dennis Span Google Chrome on Citrix deep-dive. 💡
CTX132057 Google Chrome Becomes Unresponsive when Started as Published Application: add the parameters
--allow-no-sandbox-job --disable-gpu in the published app command line. According to Dennis Span, this is no longer needed in Chrome 58 and newer.
CTX205876 Non-published Google Chrome browser on XenApp server, called and launched from any published app, is seen in black/grey screen: The command line parameter has to be added to registry shell open command for the Chrome browser:
- In Regedit, navigate to HKEY_CLASSES_ROOT\http\shell\open\command
- Edit the Default value as follows:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --allow-no-sandbox-job --disable-gpu -- "%1"
Disable Application and Hide It
- In Studio, you can disable a published application by right-clicking it, and clicking Disable.
- In older versions of XenApp/XenDesktop, when you disable the application, it leaves the application visible but it is grayed out thus preventing users from launching it. In 7.8, the disabled app is automatically hidden (no longer shown in the apps list).
- If desired, you can hide or unhide the disabled application icon by running a PowerShell command:
asnp citrix.* Set-BrokerApplication MyApp -Visibile $false
- When you re-enable the application, Visibility is automatically set back to true.
Bidirectional Content Redirection
Receiver 4.7 and newer, combined with and VDA 7.13 and newer, support redirecting URLs from client to VDA (published Internet Explorer), or from VDA to client. See Bidirectional content redirection policy settings at Citrix Docs for requirements and limitations.
- Make sure Local App Access is not enabled on the VDAs.
- Make sure Internet Explorer is published. Internet Explorer is not in the Start Menu, so you have to publish it Manually. Only Internet Explorer is supported for bidirectional.
- Edit a GPO that applies to VDA users.
- Go to User Config | Policies | Citrix Policies, and edit a Citrix Policy.
- Find the setting Allow Bidirectional Content Redirection, and enable it (Allowed).
- Also configure the Allowed URLs policy settings to indicate which URLs should be redirected in either location.
- Copy the receiver.admx file from Receiver 4.7 or newer to PolicyDefinitions (SYSVOL or C:\Windows\PolicyDefinitions).
- Edit a GPO that applies to client devices (endpoints).
- Go to User Configuration | Policies | Administrative Templates | Citrix Receiver | User experience.
- Double-click the setting Bidirectional Content Redirection.
- Enable the setting.
- In the Published Application field, enter the name of the Internet Explorer published application.
- In the Allowed URLs fields, configure the URLs you want to redirect in either direction.
- On the VDA, run the following command to register the Internet Explorer add-on.
"C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regIE
- On the client device, run the following command to register the Internet Explorer add-on.
"C:\Program Files (x86)\Citrix\ICA Client\redirector.exe" /regIE
- When you run Internet Explorer on the VDA or client device, you’ll be prompted to enable the add-on. You can configure a GPO to enable this add-on automatically. Redirection won’t work unless the add-on is enabled.
Local App Access
Some applications are not suitable for centralization and instead should run on endpoint devices. These applications include: phone software, applications needing peripherals, etc. Citrix Local App Access lets you access these endpoint-installed applications from inside a published desktop. This is sometimes called Reverse Seamless.
Local App Access has three modes of functionality:
- User-managed local applications. Any shortcuts in the endpoint’s local Start Menu and local Desktop are made available from inside the published desktop.
- Administrator-managed local applications. Use Studio to publish a local application, which is created as a shortcut inside the published desktop. When the shortcut is launched, it is actually running from the endpoint device (reverse seamless) instead of the centralized desktop. If you enable administrator-managed local applications then user-managed local applications are disabled.
- URL Redirection. Administrators define some URLs that should be opened in a local endpoint browser instead of a VDA browser and then display the local browser inside the published desktop (reverse seamless).
Local App Access requires Platinum Licensing.
Do the following to configure Local App Access:
- In a Citrix Policy that applies to the VDAs, enable the Allow local app access policy setting.
- The URL redirection black list setting lets you define a list of URLs that should be opened on the endpoint’s browser instead of the VDA browser.
- On the Endpoints, install Receiver using the ALLOW_CLIENTHOSTEDAPPSURL=1 switch. Feel to add /includeSSON too. Run the installer from an elevated (Administrator) command prompt. This switch automatically enables both Local App Access and URL Redirection. Note: the URL Redirection code does not install on VDAs so URL Redirection might not work if your endpoint has VDA software for Remote PC.
- After installation of Receiver, launch Internet Explorer. You should see a prompt to enable the Citrix URL-Redirection Helper add-on.
- You can also go to Tools > Manage Add-ons to verify the Browser Helper Object.
- By default, Local App Access redirects the endpoint’s Start Menu and Desktop. You can control which folders are redirected by editing the endpoint’s registry at HKCU\Software\Citrix\ICA Client\CHS. Create the Multi-String Values named ProgramsFolders and Desktop Folders and point them to folders containing shortcuts that you want to make available from inside the published desktop. Andrew Morgan has a GUI tool for editing these registry values.
- When you connect to a published desktop, by default, there will be a Local Programs folder in the Start Menu containing shortcuts to programs on the endpoint’s Start Menu. These are user-managed shortcuts.
- On the VDA Desktop there will be a Local Desktop folder containing shortcuts from the endpoint’s desktop. These are user-managed shortcuts.
- The Local Desktop and Local Programs folders on the VDA can be renamed by editing the VDA’s registry at HKCU\Software\Citrix\Local Access Apps. Andrew Morgan has a GUI tool to modify these registry values.
- To enable administrator-managed local applications, login to a machine that has Citrix Studio installed and edit the registry. Go to HKLM\Software\Wow6432Node\Citrix\DesktopStudio and create the DWORD value named ClientHostedAppsEnabled and set it to 1.
- When you open Studio and go to Delivery Groups > Applications, there is a new link to Create or Add Local App Access Application.
- In the Getting Started with Local Access Applications page, click Next.
- In the Groups page, select the Delivery Group or Application Group whose published desktop will receive the shortcut, and click Next.
- In the Location page, enter the path to the executable. This is the path on the endpoint. Also enter a Working Directory. You can get this information from the properties of the shortcut on the endpoint device. Click Next.
- In the Identification page, enter a name for the shortcut and click Next.
- In the Delivery page, these options work as expected. Click Next.
- In the Summary page, click Finish.
- When you login to the desktop, you’ll see the administrator-managed application. If any administrator-managed Client Hosted Applications are delivered to the user then the default Local Programs and Local Desktop folders no longer appear.
- To enable URL Redirection, login to the VDA and run
"C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regall. This registers the browser helpers.
- In Internet Explorer, if you go to Tools > Manage Add-ons, you’ll see the Citrix VDA-URL-Redirection Helper add-on.
- From inside the published desktop, if you go to a website on the blacklist, the VDA browser will close and a local browser will open in Reverse Seamless mode. If you then go to a website that is not on the blacklist the local browser will close and the VDA browser will open again.
Andrew Morgan Citrix reverse seamless application deep dive presentation contains details on the inner workings of Local App Access. The same webpage also contains the GUI configuration tools mentioned above.
Citrix TV – Local App Access in XenDesktop 7
XenApp 7.6 and newer supports publishing apps to anonymous users. Edit the Delivery Group and on the Users page check the box next to Give access to unauthenticated (anonymous) users.
Anonymous Users are managed differently than regular Domain Users. See VDA Anon instructions for adding anon accounts, configuring session timeouts, and configuring local group policy.
Anonymous published apps should show up for all authenticated users. However, you can also create a StoreFront store that does not require any authentication.
Export/Import Published Applications
Dominik Britz Export And Import Citrix XenDesktop Published Apps – two PowerShell scripts, one to export all published apps to json files and one to import apps with the information of the exported json files. Get the scripts from the Blog Post.