The purpose of a virtual desktop deployment is to provide users access to applications. Application and data access is the reason to build a virtual desktop, like AVD, in the first place. Therefore, installing, updating, and delivering applications to end users is a critical component of a desktop virtualization strategy.
Azure Virtual Desktop host pools can be deployed as “personal” or “pooled”. In single-session, personal environments, each user is permanently assigned a dedicated VM as their desktop. In pooled environments, both single-session and multi-session, multiple users are connected to a “random” VM for the duration of their session and may be connected to a completely different VM the following day. The methods of managing applications on personal desktops are very different than those used with pooled desktops. Personal desktops (and Windows 365 Cloud PCs) behave exactly like a physical endpoint device and can be managed using traditional application delivery tools like Microsoft Endpoint Manager (SCCM and Intune).
Pooled desktops provide several advantages over personal desktops such as cost efficiency and ability to standardize the IT environment. However, they also come with unique application management challenges since most existing tools are built for a one-to-one user-to-desktop assignment, which is not the case with pooled desktops.
In this article, we’ll focus on the strategies available to manage applications in pooled AVD deployments.
The challenge with app management in pooled desktop environments can be boiled down to this: because multiple users share a VM, any installed app is available to every user on it. This “all or nothing” behavior creates problems whenever specific apps must be available to some groups of users but not to others. How can we selectively assign applications to individual users or groups of users?
Delivering apps to AVD users on pooled desktops requires two steps:
- Installing the application on either the image or session host VM
- Delivering the app to some or all users
Let’s take a look at the available options for each of these steps.
Installing applications in a pooled AVD environment can be accomplished in several ways.
- Manual install on image
- Scripted action install on image
- Microsoft Endpoint Manager (MEM) install on image
- Scripted action install on session hosts
- MEM install on session hosts
1. Manual Install On Image
The easiest way to install applications is by loading each app on the base image VM one at a time. Once all apps are installed, the image is “sealed” and can be used to build new session hosts or update existing ones. All installed apps will be available to all users who connect to these session hosts.
This method is easy to start with but becomes difficult and time consuming to maintain over time.
2. Scripted Action Install On Image
Script the installation of applications with PowerShell, save these scripted actions in the Nerdio Manager Scripted Action library, and run the scripted actions on the image during creation or during the monthly patch cycle. Once the updated image is deployed to session hosts, all users can access all apps.
This method requires a bit of work to script the installation of each app but makes ongoing image and application updates easy and automated.
3. MEM Install On Image
Leverage existing MEM workflows to install and update applications on the base image. Once all apps are installed, the image is “sealed” and can be used to build new session hosts or update existing ones. All installed apps will be available to all users who connect to these session hosts.
This method requires some upfront work to get all applications imported and configured in MEM.
4. Scripted Action Install On Session Hosts
Instead of pre-installing applications on the image, deploy apps to session host VMs with Nerdio Manager using scripted actions while the VMs are being created. The latest base image can be pulled from the Azure Marketplace and all apps can be automatically installed during session host VM creation.
This method requires a bit of work to script the installation of each app but makes ongoing host updates easy and automated. All installed apps are available to all desktop users.
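The scripted-action approach in sections 2 and 4 hinges on the install script itself. The following is an added example of what such a script should do, written for this article and not taken from the Nerdio Manager scripted action library or from Microsoft. It installs one MSI unattended, but only after checking that the downloaded file matches the SHA-256 hash recorded when the package was approved and that it carries a valid Authenticode signature, so a tampered download host or CDN cannot plant a different binary on every session host. The package URL, the expected hash and the log directory are placeholders (assumptions) that you would replace per application; with the all-zero placeholder hash left in place the script deliberately refuses to install anything.

```powershell
<#
  Added example (not a Nerdio Manager scripted action or Microsoft code).
  Unattended MSI install with a supply-chain check: the installer is only run
  if its SHA-256 hash matches the approved value and its signature is valid.
  PackageUrl, ExpectedSha256 and LogDir are assumed placeholders.
#>
param(
    [string]$PackageUrl     = 'https://packages.example.com/app/AcmeApp-2.4.1.msi',                    # assumed
    [string]$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000', # assumed placeholder
    [string]$LogDir         = 'C:\ProgramData\AppInstall\Logs'                                       # assumed
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$msi = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($PackageUrl))

# 1. Download the package. TLS protects the transport; the hash check below is
#    what protects the image if the package host itself is ever tampered with.
Invoke-WebRequest -Uri $PackageUrl -OutFile $msi -UseBasicParsing

# 2. Refuse anything that is not byte-for-byte the package that was approved.
$actual = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    Remove-Item -Path $msi -Force
    throw "Hash mismatch for $msi : expected $ExpectedSha256, got $actual. Install aborted."
}

# 3. Require a valid Authenticode signature as a second, independent check.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    Remove-Item -Path $msi -Force
    throw "Installer signature status is '$($sig.Status)'. Install aborted."
}

# 4. Silent per-machine install with a verbose log, so a failed patch-cycle run
#    on an image or host can be diagnosed after the fact.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$log   = Join-Path $LogDir ("{0}-{1}.log" -f [System.IO.Path]::GetFileNameWithoutExtension($msi), $stamp)
$proc  = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList @('/i', "`"$msi`"", '/qn', '/norestart', 'ALLUSERS=1', '/l*v', "`"$log`"") `
    -Wait -PassThru

# msiexec exit codes: 0 = success, 3010 = success but a reboot is pending.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $log"
}
Write-Output "Installed $msi (exit code $($proc.ExitCode)); log: $log"
```

The same script runs unchanged whether it is executed against the image VM during the patch cycle or against each session host at creation time; the only thing that differs is where Nerdio Manager (or any other runner) invokes it. Keeping the expected hash in the script, rather than fetching it from the same server as the package, is the point: an attacker who controls the download location still cannot change what gets installed.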
5. MEM Install On Session Hosts
Instead of pre-installing applications on the base image, deploy apps to session host VMs with MEM after the VMs are created. The most recent image can be pulled from the Azure Marketplace and all apps will be automatically installed once the session host VMs are created.
This method requires some upfront work to get all applications imported and configured in MEM.
Once applications are installed, they need to be delivered to users. This is where the challenge of pooled desktops comes in. Regardless of which of the 5 methods above was used to install the apps, once installed, all users will have access to all apps. This may be OK in some scenarios but, often, this is not ideal.
The following methods can be used to selectively deliver specific apps to specific users or groups.
- Multiple images and host pools
- RemoteApps
- MSIX app attach
- Nerdio’s Installed Apps Management
1. Multiple Images and Host Pools
Since all installed apps on the image are available to all users assigned to a host pool based on this image, one way to selectively assign groups of apps to groups of users is by creating and maintaining multiple desktop images, each associated with its own host pool. Different groups of users are assigned to separate host pools that only have the apps that the users need.
Although this method can achieve the objective of selective app assignment in a pooled desktop environment, it is difficult to manage at scale. The number of images with unique configurations tends to be high and the effort required to maintain each individual image with its own set of apps is extremely time consuming.
2. RemoteApps
If users don’t need access to a full desktop, RemoteApps can be selectively published to individual users or groups. Instead of launching a full desktop session, users open only the individual apps that the administrator has published to them. Entitlement is granted per application group, so users who are not assigned to a RemoteApp application group never see its apps in their feed, even though the apps are installed on every session host in the pool.
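The following added example shows the RemoteApp publishing flow in the Az.DesktopVirtualization and Az.Resources PowerShell modules; it is written for this article and is not code from the original page or from Nerdio. It creates a RemoteApp application group on an existing pooled host pool, publishes one application using the path the session hosts themselves report, entitles a single Azure AD group to it, and registers the group in a workspace. The resource group, host pool, application group, workspace and location names and the group object ID are assumptions.

```powershell
<#
  Added example (not code from the original article or from Nerdio).
  Publish one RemoteApp from a pooled host pool and entitle one AAD group.
  Requires Az.DesktopVirtualization and Az.Resources and an existing host pool.
  All names and the object ID below are assumed placeholders.
#>
$rg               = 'rg-avd-prod'                            # assumed
$hostPool         = 'hp-pooled-finance'                      # assumed
$appGroup         = 'ag-finance-remoteapps'                  # assumed
$workspace        = 'ws-finance'                             # assumed
$location         = 'eastus'                                 # assumed
$aadGroupObjectId = '00000000-0000-0000-0000-000000000000'   # assumed placeholder

$pool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool

# 1. A RemoteApp application group attached to the pool (reused if it already exists).
$ag = Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroup -ErrorAction SilentlyContinue
if (-not $ag) {
    $ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroup -Location $location `
        -HostPoolArmPath $pool.Id -ApplicationGroupType RemoteApp
}

# 2. Take the executable path from what the hosts report in their Start menu rather
#    than hard-coding one, so an image update that moves the app does not break publishing.
$item = Get-AzWvdStartMenuItem -ResourceGroupName $rg -ApplicationGroupName $appGroup |
    Where-Object AppAlias -eq 'excel' | Select-Object -First 1
if (-not $item) { throw "Start menu item 'excel' not found on the hosts in $hostPool" }

# 3. Publish it. CommandLineSetting DoNotAllow prevents the client from passing
#    arbitrary command-line arguments to the published executable.
New-AzWvdApplication -ResourceGroupName $rg -GroupName $appGroup -Name 'Excel' `
    -FilePath $item.FilePath -IconPath $item.IconPath -IconIndex $item.IconIndex `
    -CommandLineSetting DoNotAllow -ShowInPortal:$true -FriendlyName 'Microsoft Excel' | Out-Null

# 4. Entitlement: only principals holding 'Desktop Virtualization User' on the application
#    group see its apps. Assign the role to a group, never to individual users.
New-AzRoleAssignment -ObjectId $aadGroupObjectId -RoleDefinitionName 'Desktop Virtualization User' `
    -Scope $ag.Id | Out-Null

# 5. Make the application group visible in the workspace users subscribe to.
Register-AzWvdApplicationGroup -ResourceGroupName $rg -WorkspaceName $workspace `
    -ApplicationGroupPath $ag.Id | Out-Null
```

Two details matter from a least-privilege standpoint: the role assignment is scoped to the application group, not the host pool or resource group, and `DoNotAllow` on the command line closes off the easy route of launching the published binary with attacker-chosen arguments.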
3. MSIX App Attach
MSIX app attach is a relatively new technology available in AVD. Administrators can assign individual MSIX apps to specific users or groups. The application gets mounted when the user logs in and only entitled users can access the app. One session host VM can have multiple connected users with different apps available in their sessions.
MSIX app attach is great in concept and works well in practice. However, today very few applications are available in the new MSIX format and converting existing apps to MSIX is a challenging and time-consuming process. As a result, until the MSIX format becomes more widespread among software publishers, app attach is not very commonly used.
4. Nerdio’s Installed Apps Management
This is the most flexible and easiest method to manage app assignment. It leverages a technology built into FSLogix called “Application Masking”. The concept is simple: install a superset of apps on the image and use application masking to reveal only the apps an individual user needs. App masking doesn’t just hide the application shortcut; the FSLogix filter driver makes all components of the app (e.g. files, registry entries, shortcuts, fonts) invisible to users who have no access, so the app cannot be found or launched from that user’s session. Treat masking as an entitlement and visibility control for a shared image rather than as a replacement for least-privilege file permissions or application control (AppLocker or WDAC); where the requirement is to block execution outright rather than to hide an app, layer those controls on as well. Unfortunately, with out-of-the-box FSLogix tools, implementing app masking is challenging and complex: it is difficult to configure initially and even more difficult to maintain at scale.
This is where Nerdio’s Installed Apps Management feature comes in. Nerdio Manager simplifies and automates the app masking configuration process down to 3 steps:
- Discover installed apps
- Create app-to-users assignment rules
- Apply rules to hosts
Let’s look at each of these steps in more detail.
1. Discover Installed Apps
Whenever a new host pool is created or an existing host pool is re-imaged, Nerdio Manager will automatically discover all installed applications on the host pool and create an inventory. This inventory of discovered apps will include all apps installed on the base image and directly on the session host VMs. Each discovered application will have several “paths” associated with it. These paths are locations of files and registry entries that belong to a specific application.
2. Create App-to-Users Assignment Rules
Once all apps are discovered, one or more rule sets can be created to define which apps are available to which users and groups. By default, all installed apps are available to all users. However, once an application is added to a rule set it can be made available to all users with exceptions (blacklist) or be made unavailable to all users with exceptions (whitelist).
App-to-users assignment rules can be used for individual apps or groups of applications. For example, there may be a rule set for Browsers that includes Microsoft Edge, Google Chrome, and Mozilla Firefox and is made available to all users except for a certain group of task workers. And there could also be a rule set for Accounting Apps that includes various accounting and finance applications and is available only to members of the Accounting and Finance security groups.
3. Apply Rules to Hosts
Once apps are automatically discovered and rule sets are created, Nerdio Manager applies these rule sets to all existing hosts and all newly created VMs in the host pool. The process of applying rule sets does not require a reboot of the VMs and can be done in production. Within a few minutes, users will notice apps appear or disappear depending on rule set configuration.
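The discovery step (1) and the apply step (3) above both come down to a list of file and registry paths per application. The following added example, written for this article and not Nerdio Manager’s discovery code or an FSLogix tool, does two things: `Get-InstalledAppPaths` builds the kind of inventory step 1 describes from the machine-wide uninstall registry keys and the Start Menu shortcuts that point into each install folder, and `Test-AppVisibility`, run interactively as a test user after the rules have been applied, reports which of those paths that user can still see. For an app masked from that user every path should come back hidden; anything listed under `Visible` is a path the rule set does not cover. Nothing is assumed beyond running on a session host; app names come from whatever is installed.

```powershell
<#
  Added example (not Nerdio Manager's discovery code or an FSLogix tool).
  Part 1: inventory installed apps with the paths masking must hide.
  Part 2: as a test user, confirm those paths are actually hidden.
#>
function Get-InstalledAppPaths {
    # Machine-wide uninstall entries (64-bit and 32-bit views).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
    $shortcuts = Get-ChildItem -Path $startMenu -Filter *.lnk -Recurse -ErrorAction SilentlyContinue
    $shell     = New-Object -ComObject WScript.Shell

    foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Skip updates/KBs and entries that do not record an install folder.
            if (-not $p.DisplayName -or -not $p.InstallLocation) { return }
            $loc = $p.InstallLocation.TrimEnd('\')
            # Shortcuts whose target lives inside the install folder belong to this app.
            $links = foreach ($s in $shortcuts) {
                $target = $shell.CreateShortcut($s.FullName).TargetPath
                if ($target -and $target.StartsWith($loc, [StringComparison]::OrdinalIgnoreCase)) { $s.FullName }
            }
            [pscustomobject]@{
                Name        = $p.DisplayName
                Version     = $p.DisplayVersion
                Paths       = @($loc) + @($links)      # file-system paths a rule set must hide
                RegistryKey = 'Registry::' + $_.Name   # uninstall key a rule set must hide
            }
        }
    }
}

function Test-AppVisibility {
    # Run in the test user's own session, not as SYSTEM: masking is evaluated per user.
    param([Parameter(Mandatory)][pscustomobject]$App)
    $visible = @($App.Paths | Where-Object { Test-Path -LiteralPath $_ })
    if (Test-Path -LiteralPath $App.RegistryKey) { $visible += $App.RegistryKey }
    [pscustomobject]@{
        Name    = $App.Name
        User    = "$env:USERDOMAIN\$env:USERNAME"
        Hidden  = ($visible.Count -eq 0)
        Visible = $visible
    }
}

# Usage:
#   As an administrator on a session host (step 1, build the inventory):
#     Get-InstalledAppPaths | Export-Clixml C:\ProgramData\AppInventory.xml
#   Logged in as a user who should NOT have the app (after step 3, verify):
#     $inv = Import-Clixml C:\ProgramData\AppInventory.xml
#     $inv | Where-Object Name -like 'Google Chrome*' | ForEach-Object { Test-AppVisibility $_ }
#   Expect Hidden = True for a masked app; anything under Visible is an uncovered path.
```

Running the visibility check from a real user session rather than from an admin shell is the important part: masking rules are applied per user, so a path that looks hidden to one account proves nothing about another, and the check is what tells you a rule set is complete before you rely on it in production.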
With these 3 simple steps, admins gain full control over users’ access to specific apps without creating and managing multiple images and host pools.
Application management is a critical component of AVD administration strategy and Nerdio Manager provides a complete suite of tools to install applications via images and scripted actions and to deliver apps to specific users with RemoteApps, MSIX app attach, and Installed Apps management.