Published Applications

Last Modified: Mar 4, 2017 @ 4:17 pm


ūüí° = Recently Updated

RDSH Application Testing

Installing apps on Remote Desktop Session Host (XenApp) is more complicated than installing apps on a single-user operating system (virtual desktop). Here are some RDSH-specific considerations that must be tested before integrating a new application into RDSH. These considerations usually don’t apply to virtual desktops.

  • ¬†Multi-user Capable ‚Äď can the application run multiple times on the same machine by different users? Most applications don‚Äôt have a problem, but a few do, especially applications that put temporary files or other writable files in global locations. For example, the first user of an app could write temporary files to C:\Temp. The second user writes to the same location, overwriting the temp files needed by the first user. Test the app with multiple users running the app on the same RDSH machine.
  • Lockdown to prevent one user from affecting another¬†‚Äď What restrictions are needed to prevent one user from affecting another? For example, if an app’s configuration files are stored in a global location, you don‚Äôt want one user to edit the configuration file, and thus affect a different user. Test the app with multiple users running the app on the same RDSH machine.
  • Permission Relaxations ‚Äď what relaxations (e.g. NTFS) are needed to allow non-administrators and GPO locked-down users to run the application? Test the application as a non-administrator with GPO lock down policies applied.
  • First Time Use ‚Äď when a user launches an application the first time, the application should be automatically fully configured with default settings (e.g. back-end server connections). Use group policy to apply application settings. Automated FTU also helps with a user whose profile is reset. Test the RDSH app with a user that has a new (clean) profile.
  • Roaming ‚Äď users could connect to a different RDSH machine every day, and thus user settings need to roam across machines. Test running the app on one RDSH, make changes, then login to a different RDSH machine to ensure the changes are still there.
  • Application Licensing ‚Äď if an application requires licensing, can licensed and non-licensed users connect to the same machine? Can it be guaranteed that non-licensed users can‚Äôt run the application that requires licensing? Adobe Acrobat is an example of a challenging application because of the global .pdf file-type association, and the global PDF printer.
  • Client Devices (USB, printers, COM ports) – the client device mapping capabilities on RDSH are not as extensive as virtual desktops. For example, generic USB wasn’t added until Windows Server 2012 R2. When the application prints, does it show printers from every user, instead of just the user running the app? Does the app need COM port mapping?
  • Shared IP – does the app have any problems with multiple users sharing the same IP address? If so, you might have to configure¬†RDS IP Virtualization.
  • Fair Sharing of Hardware Resources– does the app sometimes consume a disproportionate amount of hardware resources? For example, can the app be used to launch a task that consumes 100% CPU for some time? One option is to put this app on its own Delivery Group. Or you can use Citrix Workspace Environment Manager to ensure fair sharing of hardware resources.
  • Published Application – can the app run as a published application that doesn’t have Explorer running in the background? Does the app (e.g. Internet Explorer web apps) need RunOnce.exe /AlternateShellStartup to fully initialize before it will run correctly as a published application? Some apps work without issue in a published desktop, but don’t work properly as published applications. When testing a published app, test it with a user that has a new (clean) profile. Connecting to the published desktop once will cause Active Setup to run, changing the user’s profile, thus distorting the published app testing results.
  • Integration Testing – when installing a new app on a RDSH server, don’t forget to test the other apps already on the RDSH server, because¬†the new app might have broken the other apps. The more apps you put on an RDSH server, the longer it takes to perform integration testing.

Also see MSDN Remote Desktop Services programming guidelines.

Some of the issues in this list can be overcome by using an application virtualization tool (e.g. Microsoft App-V) that runs apps in isolated bubbles.

Application Groups

Citrix Blog Post Introducing Application Groups in XenApp and XenDesktop 7.9

XenApp 7.9 and newer has an Application Group feature. This feature lets you group published apps together so you can more easily apply properties to every app in the group. Today, you can do the following:

  • Control visibility of every app in the app group (Users page).
  • Publish every app on the same Delivery Groups.
  • Prevent or allow apps in different Application Groups from running in the same session.
  • With one published app icon, test users launch from test Delivery Group, while production users launch from production Delivery Group.

To create an Application Group:

  1. In Citrix Studio, right-click Applications, and click Create Application Group.
  2. In the Getting Started page, click Next.
  3. In the Delivery Groups page, select the delivery groups you want these apps published from.
  4. In the Users page, select the users that can see the apps in this app group.
  5. Note: there are three levels of authorization. An app is only visible to a user if the user is assigned to all of the following:
    • Delivery Group
    • Application Group
    • Individual Published Apps in the Application Group
  6. Click Next.
  7. In the Applications page, publish applications like normal, and then click Next.
  8. In the Summary page,  give the Application Group a name, and click Finish.
  9. In the Applications node in Studio, there’s a new¬†Application Groups section.
  10. If you highlight your Application Group, on the right is the list of apps in the group. You can edit each of these published apps like normal.
  11. You can drag applications into an Application Group.

  12. However, this more of a copy than a move. To actually move the app exclusively into the Application Group, edit the individual app, and on the Groups page, remove all Delivery Groups (or other Application Groups). The app will instead inherit the Delivery Groups from the app group.
  13. If you edit the Application Group:
  14. The Settings page has an option for session sharing between Application Groups. Clearing this checkbox allows you to force applications in different Application Groups to run in different sessions.
  15. The Delivery Groups tab lets you set Delivery Group priority. If priority is identical, then sessions are load balanced. If priorities are different, then sessions are launched on Delivery Groups in priority order.
  16. In XenApp/XenDesktop 7.13 and newer, you can use PowerShell to cause an Application Group to launch multiple app instances in separate sessions. Citrix Blog Post¬†XenApp and XenDesktop 7.13: Launching an Application in Multiple Sessions.¬† ūüí°

Limit Icon Visibility

For Published Applications, there are three levels of application authorization: Delivery Group, Application Groups, and Published App Limit Visibility. A published app icon is only visible if the user is added to all three levels.

  1. Delivery Group (Users page). If the user is not assigned to the Delivery Group, then the user won’t see any application or desktop icon published from that Delivery Group.
  2. Limit Visibility – You can use the published app’s Limit Visibility page to restrict an icon to a subset of Delivery Group¬†users.
  3. In XenApp/XenDesktop 7.9 and newer, you can use Application Groups to restrict access to published icons.
  4. App Icons won’t appear unless users are added to all three of the above locations.

Published Desktops have separate authorization configuration:

  1. XenApp/XenDesktop 7.8 and newer have a Desktops page in Delivery Group properties where you can publish multiple desktops and restrict access to those individual published desktops.
  2. In XenApp/XenDesktop prior to version 7.8, if a desktop is published from the Delivery Group, by default, every user assigned to the Delivery Group can see the icon. You can use the PowerShell command Set-BrokerEntitlementPolicyRule to limit the desktop icon to a subset of the users assigned to the Delivery Group.
    1. Run asnp citrix.*
    2. Run Get-BrokerEntitlementPolicyRule to see the published desktops.
    3. Then run Set-BrokerEntitlementPolicyRule to set the IncludedUsers or ExcludedUsers filters.

Published Content

XenApp 7.11 adds Published Content where you can publish URLs that are opened in the user’s local browser.¬†You can also publish UNC paths, which are opened with local Explorer or local application.

Currently there is no GUI to publish content. Instead, use PowerShell.

The New-BrokerApplication cmdlet requires you to specify a Delivery Group. This Delivery Group must have at least one registered machine in it. However, the published content does not actually launch from the Delivery Group since the URLs and/or UNCs open locally.

First run asnp citrix.*

Then run New-BrokerApplication -ApplicationType PublishedContent. Here is a sample PowerShell command:

New-BrokerApplication -Name "CitrixHomePage" -PublishedName "Citrix Home Page" -ApplicationType PublishedContent -CommandLineExecutable -DesktopGroup RDSH12R2

Instead of publishing to a Delivery Group, you can publish to an Application Group by using the -ApplicationGroup switch. The Application Group must have Delivery Group(s) assigned to it.

Once the Published Content is created, you can see it in Studio. You can also edit it from Studio, including Limit Visibility and Groups (to move it to an Application Group).

Published Content can be placed in Application Groups. You can then use the Application Group properties to restrict access to the shortcut.

It does not appear to be possible to set the icon from Studio, but you can do it using PowerShell. See Citrix Blog Post¬†@XDtipster ‚Äď Changing Delivery Group Icons Revisited (XD7) for instructions to convert an icon to a base64 string, and import to XenApp¬†using¬†New-BrokerIcon -EnCodedIconData "Base64 String". ¬†Then you can link the icon to the Published Content using Set-BrokerApplication "App Name" -IconUid.

In StoreFront 3.7, you can click the icon and URLs will open in a new browser tab.

Application Usage Limits

In XenApp/XenDesktop 7.7 or newer, if you edit an application’s Properties, on the Delivery page, you can restrict the number of concurrent instances of the application.

Keywords for StoreFront

In a published application’s Properties, on the Identification page, in the Description and keywords field, you can enter KEYWORDS to control how the app behaves when displayed by StoreFront.

  • Enter KEYWORDS:Mandatory¬†or KEYWORDS:Auto to cause the application to automatically be subscribed or favorited in Citrix Receiver.
    • In StoreFront 3.0 and newer, the user can go to the¬†Apps tab, click an App’s Details button, and mark the app as a Favorite.¬†
    • In the older StoreFront interface,¬†users subscribe to applications by clicking the plus icon to add the application to the middle of the screen.¬†
    • Mandatory means the app can’t be removed from Favorites or unsubscribed.
    • Auto means the app is automatically favorited or subscribed, and can be un-favorited or unsubscribed¬†by the user.
  • Enter¬†KEYWORDS:Featured to make the application show up in the Featured list.
  • You can separate multiple keywords with a space. KEYWORDS:Mandatory Featured.
  • See the StoreFront 3.7 Keywords documentation at Citrix Docs for more information.

Users will have a better experience with StoreFront if applications are published into folders. The folder name is specified in the¬†Delivery¬†page in the¬†Category field. Note:¬†Add shortcut to user’s desktop works in newer versions of Receiver assuming the app is marked as a Favorite.

Secure Browser

Citrix has a deployment guide for publishing a browser from XenApp. Here’s an overview of the configuration:

  • Install Chrome on an RDSH VDA.
  • In Studio, publish IE and/or Chrome in Kiosk Mode to anonymous users.
    • Create a¬†different published app for each website.
  • In StoreFront, create a Store for Unauthenticated Users.
  • In StoreFront, enable Receiver for HTML5.
  • In StoreFront, enable web links so you can link to the published browser¬†from a different website.

When a user launches the published browser, the HTML5 client opens the published app in a local browser tab. The published browser runs in kiosk mode so that the published browser’s user interface is hidden. It looks like the website is running on the local browser but actually it’s running from a published browser.

There’s a special XenApp Secure Browser Edition¬†that is only licensed for publishing browsers from RDSH. See the press release¬†Citrix Radically Simplifies the Secure Delivery of Browser-based Apps.


App-V Client Hotfix

The latest App-V 5.1 hotfix is December 2016 servicing release for Microsoft Desktop Optimization Pack. Note: Windows 10 1607 and Windows 2016 get App-V updates through Windows Update.

The latest App-V 5.0 hotfix is Hotfix Package 3 for Microsoft Application Virtualization 5.0 SP3.

There is a special version of App-V client for RDS. The normal App-V client in MDOP won’t work. Get the RDS version from the Microsoft Volume Licensing website.

App-V and Logon Times


XenApp 7.8 and newer App-V

XenApp 7.8 no longer requires App-V management infrastructure and can instead pull the App-V packages¬†directly from an SMB share as detailed at App-V at Citrix Docs. The computer accounts for Delivery Controllers and VDAs must have read access to the share. An easy method is to add Domain Computers. See¬†CTX221296¬†Citrix App-V Integration Minimum Permission Requirements.¬† ūüí°

XenApp 7.11 adds an Isolation Groups tab.

Once App-V packages are added to Citrix Studio, you can publish an app and select App-V from the drop-down.

The App-V apps show up as AppLibrary App-V and support the same options as other published applications.

Make sure the App-V Components are installed on your VDA. It’s not checked by default in 7.12 and newer.

On your VDA Windows 10/2016 or newer, in PowerShell, run Enable-Appv. For older OS, install the App-V client.

There appears to be some limitations to the package share method as detailed by Joe Robinson at

Joe Robinson provided a script to force the App-V client to sync before launching the user’s App-V application.

Launch App Inside App-V Bubble

From Citrix Blog Post Process Launching in an App-V V5 Virtual Environment:

  • On any executable, add the /appvve:<PackageID>_<VersionID> of the package in which one would like the executable to run
  • If the App-V process is already running then use the /appvpid:<ProcessId> to inject into a running App-V virtual environment
  • If you want something more permanent, you can set the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\<YourApplicationName> with a default REG_SZ key that has the executable name in it.

Also see Microsoft Knowledgebase article How to launch processes inside the App-V 5.0 virtualized environment.



Change Published Desktop Icon

Citrix Blog Post Changing Delivery Group Icons Revisited (XD7) has instructions on how to use PowerShell to import a Base-64 icon and then link it to the published desktop.

StoreFront 3.0 and newer overrides custom desktop icons. Run the following PowerShell command (from to restore custom desktop icons:

& 'C:\Program Files\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1'

Disable-DSStoreSubstituteDesktopImage -SiteId 1 -VirtualPath /Citrix/Store

Other Published App Tips

CTX209199¬†Published 64 bit Aps Can’t Be Started With %ProgramFiles% in Command Line If It’s Not the first Application to Start:¬†You can try the following methods to address this issue:

  1. Use the absolute path to publish the application.
    2. Use %ProgramW6432% for 64-bit applications instead of %ProgramFiles%.


CTX132057 Google Chrome Becomes Unresponsive when Started as Published Application: add the parameters --allow-no-sandbox-job --disable-gpu in the published app command line.

CTX205876 Non-published Google Chrome browser on XenApp server, called and launched from any published app, is seen in black/grey screen: The command line parameter has to be added to registry shell open command for the Chrome browser:

  1. In Regedit, navigate to HKEY_CLASSES_ROOT\http\shell\open\command
  2. Edit the Default value as follows:
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --allow-no-sandbox-job --disable-gpu -- "%1"

Disable Application and Hide It

  1. In Studio, you can disable a published application by right-clicking it, and clicking Disable.
  2. In older versions of XenApp/XenDesktop, when you disable the application, it leaves the application visible but it is grayed out thus preventing users from launching it. In 7.8, the disabled app is automatically hidden (no longer shown in the apps list).
  3. If desired, you can hide or unhide the disabled application icon by running a PowerShell command:
    asnp citrix.*
    Set-BrokerApplication MyApp -Visibile $false

  4. When you re-enable the application, Visibility is automatically set back to true.

Local App Access

Some applications are not suitable for centralization and instead should run on endpoint devices. These applications include: phone software, applications needing peripherals, etc. Citrix Local App Access lets you access these endpoint-installed applications from inside a published desktop. This is sometimes called Reverse Seamless.

Local App Access has three modes of functionality:

  • User-managed local applications. Any shortcuts in the endpoint‚Äôs local Start Menu and local Desktop are made available from inside the published desktop.
  • Administrator-managed local applications. Use Studio to publish a local application, which is created as a shortcut inside the published desktop. When the shortcut is launched, it is actually running from the endpoint device (reverse seamless) instead of the centralized desktop. If you enable administrator-managed local applications then user-managed local applications are disabled.
  • URL Redirection. Administrators define some URLs that should be opened in a local endpoint browser instead of a VDA browser and then display the local browser inside the published desktop (reverse seamless).

Local App Access requires Platinum Licensing.

Do the following to configure Local App Access:

  1. In a Citrix Policy that applies to the VDAs, enable the Allow local app access policy setting.
  2. The URL redirection black list setting lets you define a list of URLs that should be opened on the endpoint’s browser instead of the VDA browser.
  3. On the Endpoints, install Receiver using the ALLOW_CLIENTHOSTEDAPPSURL=1 switch. Feel to add /includeSSON too. Run the installer from an elevated (Administrator) command prompt. This switch automatically enables both Local App Access and URL Redirection. Note: the URL Redirection code does not install on VDAs so URL Redirection might not work if your endpoint has VDA software for Remote PC.
  4. After installation of Receiver, launch Internet Explorer. You should see a prompt to enable the Citrix URL-Redirection Helper add-on.
  5. You can also go to Tools > Manage Add-ons to verify the Browser Helper Object.
  6. By default, Local App Access redirects the endpoint’s Start Menu and Desktop. You can control which folders are redirected by editing the endpoint’s registry at HKCU\Software\Citrix\ICA Client\CHS. Create the Multi-String Values named ProgramsFolders and Desktop Folders and point them to folders containing shortcuts that you want to make available from inside the published desktop. Andrew Morgan has a GUI tool for editing these registry values.

  7. When you connect to a published desktop, by default, there will be a Local Programs folder in the Start Menu containing shortcuts to programs on the endpoint’s Start Menu. These are user-managed shortcuts.
  8. On the VDA Desktop there will be a Local Desktop folder containing shortcuts from the endpoint’s desktop. These are user-managed shortcuts.
  9. The Local Desktop and Local Programs folders on the VDA can be renamed by editing the VDA’s registry at HKCU\Software\Citrix\Local Access Apps. Andrew Morgan has a GUI tool to modify these registry values.

  10. To enable administrator-managed local applications, login to a machine that has Citrix Studio installed and edit the registry. Go to HKLM\Software\Wow6432Node\Citrix\DesktopStudio and create the DWORD value named ClientHostedAppsEnabled and set it to 1.

  11. When you open Studio and go to Delivery Groups > Applications, there is a new link to Create or Add Local App Access Application.
  12. In the Getting Started with Local Access Applications page, click Next.
  13. In the Groups page, select the Delivery Group or Application Group whose published desktop will receive the shortcut, and click Next.
  14. In the Location page, enter the path to the executable. This is the path on the endpoint. Also enter a Working Directory. You can get this information from the properties of the shortcut on the endpoint device. Click Next.
  15. In the Identification page, enter a name for the shortcut and click Next.
  16. In the Delivery page, these options work as expected. Click Next.
  17. In the Summary page, click Finish.
  18. When you login to the desktop, you’ll see the administrator-managed application. If any administrator-managed Client Hosted Applications are delivered to the user then the default Local Programs and Local Desktop folders no longer appear.
  19. To enable URL Redirection, login to the VDA and run "C:\Program Files (x86)\Citrix\System32\VDARedirector.exe" /regall. This registers the browser helpers.

  20. In Internet Explorer, if you go to Tools > Manage Add-ons, you’ll see the Citrix VDA-URL-Redirection Helper add-on.
  21. From inside the published desktop, if you go to a website on the blacklist, the VDA browser will close and a local browser will open in Reverse Seamless mode. If you then go to a website that is not on the blacklist the local browser will close and the VDA browser will open again.

Andrew Morgan Citrix reverse seamless application deep dive presentation contains details on the inner workings of Local App Access. The same webpage also contains the GUI configuration tools mentioned above.

Citrix TV – Local App Access in XenDesktop 7

Anonymous Apps

XenApp 7.6 and newer supports publishing apps to anonymous users. Edit the Delivery Group and on the Users page check the box next to Give access to unauthenticated (anonymous) users.

Anonymous Users are managed differently than regular Domain Users. See VDA Anon instructions for adding anon accounts, configuring session timeouts, and configuring local group policy.

Anonymous published apps should show up for all authenticated users. However, you can also create a StoreFront store that does not require any authentication.

Export/Import Published Applications

Dominik Britz¬†Export And Import Citrix XenDesktop Published Apps¬†–¬†two PowerShell scripts, one to export all published apps to json files and one to import apps with the information of the exported json files. Get the scripts from the Blog Post.

Related Topics

139 thoughts on “Published Applications”

  1. Does XenApp 7.12 offers offline access? I need to deploy some apps where users will stay disconnected but still need access to the application and once connected, app will synchronize. I remember in the past there was something called Streamed Apps.

    Thx Carl

          1. Not in Citrix, no. They figured that App-V already does it so no point in Citrix doing it.

            Citrix also has a DesktopPlayer product that can run desktops offline.

  2. We are running XAXD712, After application installation on a 2012 RDSH VDA , all the application published from that server like note pad, calc gets access denied error ” the domain\user ” does not have acces

    1. Is the server locked down using GPO or similar? If so, you’ll have to look in Event Viewer > Windows Logs > Security to see what user right is missing. Or maybe procmon for access denied messages. Users also must be in Remote Desktop Users group.

  3. Good Morning Carl,

    I am aware that I can add another desktop for the same Environment, but it would have to be named differently and would be very confusing to our users who are not very sophisticated. Are you aware of any way to get v7.12 (or 7.13 – I have no issues upgrading) to get one icon to deliver multiple desktops to a single user. Seems like Citrix deprecated a very valuable function for some users and I cannot get Citrix support to provide a firm answer on this. Is this by design or just overlooked? If the function is never coming back, I would like to know so we can figure out how to move forward.

    Thanks for your input.

    Mike Altman

    1. Didn’t they show up with a :1, :2, etc? Maybe you can simulate something similar with the multiple published desktops.

  4. Hi Carl,

    Sorry I did not clarify. These are desktops. Apparently multiple sessions are not an issue for applications in 7.12. However, most everything we do are with desktops. To clarify further our Citrix support guy tells us that this function is by design and should not have worked in 7.6. However, it is clear form the posts around 7.6 – we are not the only users to get multiple sessions to work in 7.6. It’s just not clear why it would stop working.


    Mike Altman

  5. Hi Carl,

    Thanks for all your efforts to clarify Citrix. I could not do my job without them. I have an issue I am struggling with for some time. We have installed Citrix 7.12 in a Test ENV. We have been unable to open multiple sessions for a single user in this ENV. We did not have this issue with v7.6 provided we used -sessionreconnection – Disconnectedonly (which I got from your post). However this no longer works. Is there any info on this.

    Thanks in advance!!

  6. For large enterprise clients with perhaps hundreds of App V applications would you recommend creating the APP V infrastructure i.e. management console etc. or just use studio? I found publishing APP V apps in 7.9 a little “flaky” and resorted to the 3rd party app V launcher utility community version.

    1. Are you asking the PowerShell command to create a LAA? In Studio, after you create something, click the top left node, and then click the PowerShell tab. I see the following:

      New-BrokerApplication -ApplicationType “InstalledOnClient”

      1. Hello Carl,

        I need to publish a network share to 3rd party users using file explorer as a published app in XD 7.6.
        Ideally I need to lock down the network discovery of domain machines when the user hits network option. I did manage to hide the network icon using ADM template, however if the user hits back to the UNC path, he can reach the network location where he can see all the domain machines.(3rd party user has domain user access which brings him all the domain machine to be visible). Is there any way that I can disable address bar or loack down the file explorer to let them see only the folders?


        1. Citrix doesn’t offer anything to do this. I think AppSense does. Or you can put some VDAs in a firewalled security zone and only allow them to access certain other machines.

Leave a Reply