Control user access to applications
The app access control feature lets you control user access to applications using rules. It helps you streamline the management of applications and images. For example, you can deliver identical machines to different departments while meeting their unique application requirements, thus reducing the number of images.
This article walks you through the process of enabling app access control and configuring the control rules. It also provides an example of using this feature to simplify image management in virtual environments.
Overview
With the app access control feature, you can hide applications from users, machines, and processes by configuring hiding rules.
An app hiding rule defines two parts of information:
- Objects to hide. Files, folders, and registry entries you want to hide for an application. To hide an application completely, you must specify all objects associated with it, such as its files, folders, and registry entries.
- Assignments. Users, machines, and processes you want to hide the application from.
Assignment types
Assignments in hiding rules come in three categories: users, machines, and processes. The assignment types within those categories are as follows (users and user groups belong to the user category; machines and OUs belong to the machine category):
- Users
- User groups
- Machines
- Organizational Units (OU)
- Processes
Note:
In the context of app access control, OUs are used as containers only for machines. As a result, an OU assignment hides the app only from machines in the OU. It doesn’t hide the app from users in the OU.
When an app hiding rule has multiple assignments configured, be aware of the following considerations:
- If those assignments are of the same category (for example, user A and user group B), the application is hidden from all objects specified in those assignments (user A and all users in user group B).
- If those assignments are of different categories (for example, user A and machine X), the application is hidden only when the conditions specified in all those assignments are met (when user A signs in to machine X). A different user on machine X, or user A on a different machine, still sees the application.
- If those assignments are of the process category, the application is hidden from all processes specified in those assignments.
Note:
If no assignments are configured for a rule, the application specified in the rule is hidden unconditionally: from all users, on all machines, and from all processes.
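The PowerShell below is an added illustration of how these considerations combine for one rule; it is not Citrix code and does not read Rule Generator output. The rule and session-context hashtables are constructed for the example, the hypothetical Legacy Reporting and Support Console rules are invented to exercise the cross-category and no-assignment cases, and the model assumes that the context lists every OU a machine sits in (MachineOUs), so nested OUs are matched by listing them.

```powershell
# Added example: a model of the assignment semantics above. Not Citrix code; it does not
# parse Rule Generator output. Rules and contexts are constructed hashtables.
# Categories: Users + UserGroups = user category, Machines + OUs = machine category,
# Processes = process category. Within a category any match counts; across the
# categories a rule configures, every category must match.

function Get-List {
    # Normalise a possibly-missing hashtable entry into an array without $null entries.
    param($Value)
    return @($Value | Where-Object { $null -ne $_ })
}

function Test-AppHidden {
    param(
        [Parameter(Mandatory)][hashtable]$Rule,     # App, Users, UserGroups, Machines, OUs, Processes
        [Parameter(Mandatory)][hashtable]$Context   # User, UserGroups, Machine, MachineOUs, Process
    )
    $users     = Get-List $Rule.Users
    $groups    = Get-List $Rule.UserGroups
    $machines  = Get-List $Rule.Machines
    $ous       = Get-List $Rule.OUs
    $processes = Get-List $Rule.Processes

    # No assignments at all: the rule hides the application unconditionally.
    if (($users.Count + $groups.Count + $machines.Count + $ous.Count + $processes.Count) -eq 0) {
        return $true
    }

    $categoryResults = @()
    if ($users.Count + $groups.Count -gt 0) {
        # User category: the signed-in user, or any group that user belongs to, is listed.
        $categoryResults += (($users -contains $Context.User) -or
            (@(Get-List $Context.UserGroups | Where-Object { $groups -contains $_ }).Count -gt 0))
    }
    if ($machines.Count + $ous.Count -gt 0) {
        # Machine category: the machine is listed, or sits in a listed OU. OUs are containers
        # for machines only, so the user's own OU never counts here.
        $categoryResults += (($machines -contains $Context.Machine) -or
            (@(Get-List $Context.MachineOUs | Where-Object { $ous -contains $_ }).Count -gt 0))
    }
    if ($processes.Count -gt 0) {
        # Process category: the process asking for the object is listed.
        $categoryResults += ($processes -contains $Context.Process)
    }
    # Every configured category must match (AND); within a category one match is enough (OR).
    return -not ($categoryResults -contains $false)
}

function Get-HiddenApps {
    # Names of the applications hidden in the given session context.
    param([Parameter(Mandatory)][hashtable[]]$Rules, [Parameter(Mandatory)][hashtable]$Context)
    return @($Rules | Where-Object { Test-AppHidden -Rule $_ -Context $Context } | ForEach-Object { $_.App })
}

# Constructed rules: the two from the Example section plus two hypothetical ones.
$Rules = @(
    @{ App = 'Microsoft Excel';    UserGroups = @('HR') }
    @{ App = 'Visual Studio Code'; UserGroups = @('Sales', 'HR') }
    @{ App = 'Legacy Reporting';   Users = @('alice'); Machines = @('vda01.corp.example') }  # only alice on vda01
    @{ App = 'Support Console' }                                                             # no assignments
)

# Constructed session contexts (names and OU are illustrative).
$hrUser = @{ User = 'bob'; UserGroups = @('HR'); Machine = 'vda02.corp.example'
             MachineOUs = @('OU=VDAs,DC=corp,DC=example'); Process = 'explorer.exe' }
$aliceOnVda01 = @{ User = 'alice'; UserGroups = @('Engineering'); Machine = 'vda01.corp.example'
                   MachineOUs = @('OU=VDAs,DC=corp,DC=example'); Process = 'explorer.exe' }
$aliceOnVda02 = @{ User = 'alice'; UserGroups = @('Engineering'); Machine = 'vda02.corp.example'
                   MachineOUs = @('OU=VDAs,DC=corp,DC=example'); Process = 'explorer.exe' }

foreach ($ctx in @($hrUser, $aliceOnVda01, $aliceOnVda02)) {
    '{0}@{1}: hidden = {2}' -f $ctx.User, $ctx.Machine, ((Get-HiddenApps -Rules $Rules -Context $ctx) -join ', ')
}
```

For bob, the Excel and Visual Studio Code rules match through the HR group and the Support Console rule matches because it has no assignments. The Legacy Reporting rule needs both alice and vda01, so it fires for alice on vda01 but not for alice on vda02, which is the cross-category AND described above.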
Workflow
With the app access control feature, Profile Management can hide applications from users, machines, and processes based on the rules you provide.
To apply app access control to your environment, you must first create hiding rules. To do so, use Rule Generator, a PowerShell tool delivered with the Profile Management installation package.
At a high level, the procedure for creating hiding rules is as follows:
1. Create a hiding rule for an application:
   - Specify files, folders, and registry entries that you want to hide for the application.
   - Configure assignments for the rule. To do this, specify groups of users, machines, or processes you want to hide the application from. For more information, see Assignment types.
2. Repeat step 1 to create hiding rules for other applications.
3. Generate raw data for all the rules you configured. For more information about Rule Generator, see Create, manage, and deploy rules using Rule Generator.
4. Use GPOs to apply hiding rules to machines in your environment. For more information, see Enable app access control using GPOs.
Create, manage, and deploy rules using Rule Generator
This section provides guidance on using the PowerShell-based Rule Generator to create, manage, and deploy rules.
Before you begin, make sure that the machine where you run the tool:
- Has Windows 10 or 11, or Windows Server 2016, 2019, or 2022 installed
- Is in the same domain as your users and machines
The general procedure is as follows:
1. Run Windows PowerShell as an administrator.
2. Access the \tool folder in the Profile Management installation package, and then run CPM_App_Access_Control_Config.ps1.
3. Follow the onscreen instructions to create, manage, and generate hiding rules:
   - View each application installed on the machine and its state:
     - Not configured. No rules are configured for the application.
     - Configured. One or more rules are configured for the application, and none of them are applied to machines.
     - Configured and applied. One or more rules are configured for the application, and at least one of them is applied to machines.
   - From the application list, select an application you want to hide by entering its index. All files, folders, and registry entries that will be hidden for the application appear.
   - To hide additional files, folders, or registry entries for the selected application, add them to the application by entering their paths. You can use system environment variables (such as %windir%) in the paths. User environment variables (such as %appdata%) aren’t supported.
     Note:
     You can also manually define an application by associating it with certain files, folders, and registry entries.
   - Configure assignments for the rule. Specify the assignment type (users, user groups, machines, OUs, or processes), and then enter the specific objects of that type that you want to hide the application from. For users, user groups, and OUs, enter their AD domain names. For machines, enter their DNS host names.
     Note:
     If you don’t configure any assignments for a rule, the application specified in the rule is hidden from all users, machines, and processes.
4. Repeat step 3 to create hiding rules for other applications.
5. Follow the onscreen prompt to generate the raw data for the rules you configured, and then save it in a .txt file for future use.
6. To test the effectiveness of the rules, deploy them to the local registry or to the registries of a group of machines through a GPO.
Note:
We don’t recommend using this tool to deploy rules to production environments.
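Before typing rule inputs into Rule Generator, a pre-flight check catches the two mistakes the prompts do not: a path that uses a user environment variable, and an assignment name that does not resolve in the domain. The script below is an added example, not part of Profile Management or Rule Generator. It assumes the ActiveDirectory RSAT module is installed and the script runs as a domain user on a domain-joined machine, that OUs are given as distinguished names, and that the user-variable test is a heuristic (registry user scope, a list of well-known per-user names, and expansion into the current profile). The sample rule is constructed; the Office paths are illustrative and need adjusting to your install.

```powershell
# Added pre-flight check for Rule Generator input; not Citrix code. Assumes the
# ActiveDirectory module and a domain-joined machine. $ExcelRule below is constructed.
Import-Module ActiveDirectory

$HiveNames   = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKU = 'HKEY_USERS'; HKCR = 'HKEY_CLASSES_ROOT' }
$UserProfile = [Environment]::GetFolderPath('UserProfile')
$UserScopeVars = @([Environment]::GetEnvironmentVariables([EnvironmentVariableTarget]::User).Keys)
$UserScopeVars += 'USERNAME', 'USERPROFILE', 'USERDOMAIN', 'HOMEDRIVE', 'HOMEPATH', 'APPDATA', 'LOCALAPPDATA', 'ONEDRIVE'

function Test-UserVariable {
    param([Parameter(Mandatory)][string]$Name)
    # Heuristic (assumption of this example): a variable is user-scoped if it is defined in the
    # user's registry scope, is a well-known per-user name, or expands into the current profile.
    if ($UserScopeVars -contains $Name) { return $true }
    $value = [Environment]::GetEnvironmentVariable($Name)
    return ($null -ne $value) -and $value.StartsWith($UserProfile, [StringComparison]::OrdinalIgnoreCase)
}

function ConvertTo-ProviderPath {
    param([Parameter(Mandatory)][string]$Path)
    # Expand variables and turn HKLM\... style registry paths into Registry:: provider paths
    # so that Test-Path works for files, folders and registry keys alike.
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if ($p -match '^(HKLM|HKCU|HKU|HKCR)\\(.*)$') {
        return 'Registry::{0}\{1}' -f $HiveNames[$Matches[1]], $Matches[2]
    }
    return $p
}

function Test-RulePath {
    param([Parameter(Mandatory)][string]$Path)
    # System variables such as %windir% are allowed in rule paths; user variables such as
    # %appdata% are not, so reject them before they reach Rule Generator.
    foreach ($m in [regex]::Matches($Path, '%([^%]+)%')) {
        $name = $m.Groups[1].Value
        if (Test-UserVariable $name) {
            return [pscustomobject]@{ Object = $Path; Ok = $false; Note = "user environment variable %$name% is not supported" }
        }
        if ($null -eq [Environment]::GetEnvironmentVariable($name)) {
            return [pscustomobject]@{ Object = $Path; Ok = $false; Note = "undefined variable %$name%" }
        }
    }
    # Registry paths are tested as keys; a path to a value name will report "not found".
    $exists = Test-Path -LiteralPath (ConvertTo-ProviderPath $Path)
    $note = if ($exists) { 'found' } else { 'not found on this machine; verify the path before hiding it' }
    return [pscustomobject]@{ Object = $Path; Ok = $exists; Note = $note }
}

function Test-RuleAssignment {
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'UserGroup', 'Machine', 'OU', 'Process')][string]$Type,
        [Parameter(Mandatory)][string]$Name
    )
    $ok = $true; $note = 'resolved'
    try {
        switch ($Type) {
            # A DOMAIN\ prefix is stripped: -Identity takes a sAMAccountName, DN, SID or GUID.
            'User'      { $null = Get-ADUser  -Identity ($Name -replace '^[^\\]+\\', '') -ErrorAction Stop }
            'UserGroup' { $null = Get-ADGroup -Identity ($Name -replace '^[^\\]+\\', '') -ErrorAction Stop }
            'OU'        { $null = Get-ADOrganizationalUnit -Identity $Name -ErrorAction Stop }  # expects a DN
            'Machine'   {
                # Machines are entered as DNS host names: the name must resolve and the computer object must exist.
                $null = Resolve-DnsName -Name $Name -ErrorAction Stop
                $null = Get-ADComputer -Identity $Name.Split('.')[0] -ErrorAction Stop
            }
            'Process'   { $note = 'not checked (no directory object to resolve)' }
        }
    } catch {
        $ok = $false; $note = $_.Exception.Message
    }
    return [pscustomobject]@{ Object = "$Type $Name"; Ok = $ok; Note = $note }
}

function Test-HidingRule {
    # Check every object and assignment of one rule and return a row per item.
    param([Parameter(Mandatory)][hashtable]$Rule)
    $results = @($Rule.Objects | ForEach-Object { Test-RulePath $_ })
    $results += @($Rule.Assignments | ForEach-Object { Test-RuleAssignment -Type $_.Type -Name $_.Name })
    return $results
}

# Constructed sample mirroring the page's Excel rule; paths and names are illustrative.
$ExcelRule = @{
    App     = 'Microsoft Excel'
    Objects = @(
        '%ProgramFiles%\Microsoft Office\root\Office16\EXCEL.EXE'
        'HKLM\SOFTWARE\Microsoft\Office\16.0\Excel'
        '%APPDATA%\Microsoft\Excel'     # flagged: user variable
    )
    Assignments = @(
        @{ Type = 'UserGroup'; Name = 'CORP\HR' }
        @{ Type = 'Machine';   Name = 'vda01.corp.example' }   # hypothetical, exercises the DNS and AD checks
    )
}
Test-HidingRule -Rule $ExcelRule | Format-Table Object, Ok, Note -AutoSize
```

Run it on the template machine where the applications are installed, since Test-Path only confirms objects that exist locally. Any row with Ok = False should be corrected before the rule is generated; deploying a rule whose object paths do not exist leaves the application visible without any error from the tool.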
Enable app access control using GPOs
After you create and generate your app access control rules, you can use GPOs to apply the rules to machines in your environment.
To apply control rules to machines using a GPO, follow these steps:
- Open the Group Policy Management Editor.
- Access Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > App access control.
- Double-click App access control.
- In the policy window that appears, select Enabled.
- Open the .txt file where you saved the generated rules, copy the content, and paste it to the App access control rules field.
- Click OK.
The configuration precedence for the feature is as follows:
- If this setting isn’t configured using a GPO, Studio, or WEM, the value from the .ini file is used.
- If this setting isn’t configured anywhere, the feature is disabled.
Example
This section uses an example to guide you through implementing app access control for an image.
Requirements
Requirements in this example are as follows:
- Use a single image to create virtual machines for the Sales, HR, and Engineering departments.
- Control user access to the following applications:
- Microsoft Excel: invisible to users in the HR department.
- Visual Studio Code: invisible to users in the Sales or HR department.
Solution
Install Profile Management to control user access to installed applications.
Install a template machine
Install a template machine for capturing the image. The procedure is as follows:
- Join a new machine to the same AD domain as your users and machines.
- Install the following software on the machine:
- Windows 10 or 11, or Windows Server 2016, 2019, or 2022, as needed
- Profile Management version 2303 or later
- All required applications
Create and generate hiding rules
1. On the template machine, use Rule Generator to create and generate hiding rules:
   - Rule 1: To hide Microsoft Excel from users in the HR department (Application: Microsoft Excel; Assignment: HR user group)
   - Rule 2: To hide Visual Studio Code from users in the Sales or HR department (Application: Visual Studio Code; Assignments: Sales user group and HR user group)
2. Generate raw data for the two rules and save it to a .txt file. For more information about how to use the tool, see Create, manage, and deploy rules using Rule Generator.
Now you can capture the image from the template machine.
Enable app access control using GPOs
After virtual machines are created, use GPOs to centrally enable app access control and apply the generated rules to machines. For more information, see Enable app access control using GPOs.