Tag archive: Workspace

Ivanti Workspace Control vs User Workspace Manager Matrix

Now that the acquisition of RES Software is more and more accepted and has found a place on the calendar of most IT departments, it’s time to share some experience from the field.

One thing that keeps IT managers awake is how to migrate their workspace(s) to a new workspace management tool like UWM. The best option could be to wait until a refresh of the current workspace environment or infrastructure is needed or already planned on the IT calendar.

The other thing they struggle with is the adoption of other workspace management tools (like UWM) in their environment. RES Workspace Manager (Ivanti Workspace Control) is very intuitive and easily adopted by (new) admins. If you want your admins to do the same tasks using UWM, they will need training!

Don’t worry. I can advise you about the best choice(s) for your situation or help your team to migrate your workspace(s). See my contact page about how to contact me.

Another important item on their list is finding out whether UWM can do the same things for their workspaces. Don’t worry, that’s why I created this Workspace Control (RES) vs User Workspace Manager (AppSense) table for you.

Workspace Control (RES) vs UWM (AppSense)

| Item | Description | Workspace Control (RES) | UWM (AppSense) |
|---|---|---|---|
| Desktop Composition | | | |
| Logon Script Replacement | UI removes the need to use VBS or PowerShell | Yes | Yes |
| Manage and Deploy Group Policy settings | | Yes | Yes |
| Desktop Icons | Manage items on the desktop | Yes | Yes |
| Session and Environment Variables | Manage session and environment variables | Yes | Yes |
| Printers | Map printers, drivers, set default printer, save printer preferences | Yes | Yes |
| Configure Start Menu | Manage the Start Menu | Yes | Yes (Except Tiles) |
| Pinned items | Pin items on Taskbar or Start Menu | Yes | No |
| Manage Tiles in Start Menu | Manage tiles in Start Menu | Yes | No |
| Trigger on logon, logoff, process start/stop, connect/disconnect | | Yes | Yes |
| Pre-session trigger | Actions can be run early in logon process for settings like DPI and session timeouts | No | Yes |
| Desktop Created trigger | Logon actions can be delayed until after the Windows desktop is visible to the user | Yes – “after logon” | Yes |
| Computer Start and Stop | Non-session triggers | Yes | Yes |
| Additional configuration Triggers | Configure settings during User Workspace Session | Connectivity Change, Session Reconnect, Session Refresh by admin or user. | Lock, Unlock, Network Ready, Connectivity Change |
| Contextual Configuration rules | Set configuration based on Workspace Context | Yes | Yes |
| Parallel Processing | Fast logons as agent runs actions in parallel | Most Composition actions can be set to start in a new thread | All actions can run in parallel using a configurable thread pool |
| Real-time configuration changes on desktops | Applied config can be applied immediately to client’s workspace? | Yes (Refresh Workspace) | Partial, Best practice is to delay config changes to next logon |
| Desktop Refresh | Update desktop with new settings without a logoff/logon | Yes | No |
| Target configurations at user groups or devices | Configurations Settings for groups or devices | Yes | Yes |
| Configuration Rollback | Version control and approval workflow | Yes (building blocks per changed item) | Yes (Config files with all last changes) |
| Configuration distribution method | Scale-out vs scale-up | Relay Servers for > 3k endpoints, or low bandwidth sites | Add more IIS servers |
| Profile Management | | | |
| Profile Storage to (SMB) File Share | Persist user settings using SMB file shares as storage | Yes | Yes |
| Saves profiles in native Windows format | | Yes | Yes |
| Profile rollback/reset | Allow Servicedesk, Admin or user(s) to rollback Profile Settings. | Yes | Yes |
| End user Self Service | Allow user(s) to use Self Service | Yes | Yes |
| Central reporting | | Yes | Yes |
| Personalization Analysis | Explore and edit user data in central store | No | Yes |
| Bulk changes | Profile data edit/delete | No | Yes |
| API and PowerShell for managing profile data | | No | Yes |
| Profile operations console for Help Desk | | Yes | Yes |
| UWP App support | Manage Windows Store apps | No | Yes |
| Application Control | | | |
| Application Whitelisting | | Yes | Yes |
| App digital certificate | | Yes | Yes |
| Monitor/Audit mode | Used in pilot, brownfield or initial rollout | Yes | Yes |
| Metadata Support | Allow/deny using app metadata such as vendor, version, etc… | Yes | Yes |
| Trusted Ownership Checking | | No | Yes |
| Trusted Process | Allow or deny based on parent process | Yes | Yes |
| Admin rights elevation and de-elevation for applications | Granular control over processes that should run with admin privilege | Yes | Yes |
| Control elevation of child processes and common dialogs | | No | Yes |
| Admin rights elevation and de-elevation for Windows components | Elevate select control panels and other components | No | Yes |
| Local administrator restrictions | Prevent local admins from killing services, executables, uninstall … | No | Yes |
| Self-elevation and self-authorization | Allow certain users to authorize and elevate apps and installers, with audit trail | Partial - (User installed Applications) | Yes |
| Offline change request | Help desk workflow to allow installs, elevation and execution for offline users over the phone | No | Yes |
| URL Control | | Yes | Yes |
| Per Device Application licencing | Audit and limited access to device-based licencing apps like Visio | Yes | Yes |
| Control over non-exe files | Allow/deny DLLs, batch | Partial – executable files and DLLs | Yes |
| macOS and Linux whitelisting | Application control only | Yes | No |
| Files, Folders and User Data | | | |
| Robocopy functionality, with scheduled sync | | Yes | Yes |
| Folder Redirection | | Yes | Yes |
| Drive Mappings | | Yes | Yes |
| Audit of file access | | Yes | Yes |
| Controlled use of O365 OneDrive Storage | Policy-controlled access, usage and audit | No | Yes |
| Application Performance | | | |
| Thread throttling | Temporarily clamp CPU usage by rogue threads | No | Yes |
| Memory trimming | Reclaim unused allocated memory | Yes | Yes |
| CPU base priority change | Moves problem threads to lower priority | Yes | Yes |
| CPU smart scheduling | Replaces Windows CPU scheduler | No | Yes |
| Contextual control over performance features | Condition Engine targets performance controls | Yes | Yes |
| Other | | | |
| Deployment or “push” of agents | Without 3rd party solution | Yes | Yes |
| Integration with SCCM | Agents and configurations | Yes | Yes |
| Scriptable interface | Script a workspace configuration without console or UI | Yes | Yes |
| Configuration snippets | | Yes | Yes |
| Integration with Ivanti Automation | | Yes | No |
| Integration with Ivanti (RES) Identity Director | | Yes | No |
| App-V deployment to desktops | Initiate package streaming | Yes | No |
| App-V application configuration and personalisation | Ability to customise and personalise SCCM delivered applications | Yes | Yes |
| SCCM application deployment to desktop | Initiate package installs | Yes | No |
| SCCM application configuration and personalisation | Ability to customise and personalise applications delivered by SCCM | Yes | Yes |
| Application UI lockdown | Remove edit boxes, restrict access to WinForms and buttons within applications | No | Yes |
| USB control | | Yes | Yes |
| File Save control | Prevent and restrict users from saving files or file types to local drives | Yes | No |
| Auditing | | Database | Event log, CSV file, SCOM pack, Database |
| Logon Analysis | | Workspace Analysis | web console EmMon and LogParser tools |
| VDX integration | VDX (Reverse seamless) application management from Workspace console | Yes | No |
| Manage Workspace with multiple admins at the same time | Build new environment with multiple Workspace Admins at the same time | Yes | No (Config file is locked when admin configures settings) |
| Intuitive Console | Workspace management config is easily adopted by new admins | Yes (Application Centric Approach) | No (Multiple consoles needed for configuring single application) |

Howto: Manage Windows 10 Workspaces using RES ONE Workspace v10

In this chapter I share my best practice for managing Windows 10 workspaces using RES ONE Workspace v10. I assume you already have experience with RES (Workspace) and Microsoft (Windows).

 

Choose the right Windows 10

First of all, some NRRR (Not Really RES Related) things. If you want to manage the tiles in the Start Menu you have to choose Windows 10 Enterprise. It’s important to determine which service branch is going to be used in your environment.

See this chapter for the full story about choosing the right Windows 10 version.

 

Performance matters!

Users don’t like waiting (what about you?), so make sure your workspace performs as you would accept it yourself. For more information and best practice about performance tuning Windows 10 see this blog. As a RES RSVP I am under NDA, but I can tell you that the best performance upgrade from RES ONE Workspace is coming soon!

Keep watching my blogs for more information!

 

Automate!

My advice is to automate the installation/configuration of the golden image using tools like RES ONE Automation. This way your image is documented from the start and it’s easy to roll out a fresh new version.

This seems like lots of work, but it saves time when managing/operating the environment. The (zero touch) rollout of Windows is made easy using the free MDT and WDS tools. See this blog post for that. Don’t worry, I will share a RES ONE Automation building block for helping you out here.

 

Security from the start!

One of the first things we enable in the RES ONE Console is security (managed applications). My advice is to enable web security on the backend (not the frontend). In server-based computing environments like Citrix or Microsoft Remote Desktop I advise using the Read Only Blanketing security feature as well.

Make sure you get the business policy for removable devices like USB sticks or disks on paper. RES Security has plenty of skills on board to manage complex removable device policies.

New applications can be easily onboarded using the learning (security) mode. In this way processes are authorized on the managed application and not in the global authorized process list. Of course it’s possible to move the authorized processes from global to application level.

Also see these resources for making sure you understand RES Security:

https://www.youtube.com/watch?v=XJCVkJAryAg

And these blogs about RES Security:

 

Setup The User Profile

To make a long story short: don’t set up user profiles, use local profiles instead. Don’t spend too much time tweaking the default profile (leave it default). When you add or remove programs, the default settings are usually reflected in the default user profile. Make sure your workspaces are running from fast storage like SSD/flash.

Use (RES) Zero Profile to save and apply user settings when needed in the user workspaces. That’s easy, right? Don’t worry, I will help you in setting up Zero Profile later in this chapter.

 

Manage several workspaces using ONE Workspace management console

RES ONE Workspace allows you to manage several workspaces by creating workspace containers. Use this cool feature to create your Test, Desktop and Server Based Computing workspaces in one management console.

https://www.youtube.com/watch?v=KC2C79HWoUE

 

Location and Devices

Use RES location and devices to make your workspace dynamic, for example for location-based printing or to make specific applications available only at the headquarters. Your brain is the only limit to the possibilities here.

 

Browser configuration

As more and more applications are web based (private or public cloud), setting up a decent browser configuration is important. I don’t recommend using Edge (yet), so let’s start with Internet Explorer 11 (IE11).

Default browser message?

When using Outlook 2007 or 2010 you might keep getting the ‘Choose Default Browser’ message.

Set IE11 as your default browser using this post.

MMmmmm Cookies!

Of course you want your users to be able to roam cookies, but Microsoft only allows you to do so with roaming profiles with a persistent local profile. Don’t worry, RES found a solution for this: they tweak the local profile to roaming and set the required IE configuration.

Master / Slave Setup

Set all the configuration (Zero Profile, tasks, variables, registry etc.) on one (master) IE11 application and link all other (slave) IE11 shortcuts to this master for the configuration and required user settings. Let me help you with this building block.

What about the other browsers?

Of course there are still applications that require Firefox or Chrome. My best practice is to deliver those browsers virtualized (ThinApp, App-V or whatever). Limit the browser to allow only the URL that’s required for the application to work, and check the browser compatibility for those apps yourself, because I noticed that for several applications IE11 just worked.

Use the Master / Slave setup I mentioned with these applications. Set up one (Firefox or Chrome) application and link the other applications that need this browser to this master application configuration.

 

Microsoft Office

Another frequent player on the user workspace is Microsoft Office, so it’s important to set this one up in a decent way as well. Use the default (built-in) RES templates to set up Zero Profile for these applications.

You’re not capturing all settings with these templates. Don’t worry, I will share my best practice building blocks for managing Office 2010 here for you.

 

Office add-in(s)

Make sure you find the locations of the add-ins which are installed in the golden image, and then delete them! Apply them in the user workspace for only the users that require them. Place the add-in configuration on the application (not global).

 

Zero Profile configuration

User profiles contain a lot of junk, so don’t manage, store and back up everything! Try roaming profiles if you want to capture all user settings ;-).

My advice is to configure Zero Profile for the common applications and use the well-known ‘beep system’ to configure the settings that the users miss. Use the built-in (RES) templates and the built-in (RES) tools to sample and capture user settings.

You might get lost in which application captures which settings. Don’t worry, use the user settings overview to get you back on track.

Don’t forget to instruct your users how to use the self-service feature to restore their own application settings.

Modern Apps?

My experience with modern apps is that they are not used in business environments. Another thing about modern apps is that they don’t allow saving user settings. My advice is to remove the modern apps using this PowerShell one-liner:

Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online
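The one-liner above removes every provisioned package without showing what it will touch. As an added example (not code from the original post), the variant below lists the packages first and only removes them when asked, skipping a keep-list; the function name `Remove-ProvisionedAppsExcept` and the keep-list entries are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session inside the golden image. Only *provisioned* packages are affected,
# i.e. what new user profiles receive at first logon.
function Remove-ProvisionedAppsExcept {
    param(
        # Constructed sample keep-list (wildcards allowed); adjust to your own policy.
        [string[]]$Keep = @('Microsoft.WindowsStore', 'Microsoft.WindowsCalculator'),
        # Without -Apply the function only reports what it would do.
        [switch]$Apply
    )

    foreach ($pkg in Get-AppxProvisionedPackage -Online) {
        # A package is kept when its DisplayName matches any keep-list pattern.
        $isKept = [bool]($Keep | Where-Object { $pkg.DisplayName -like $_ })

        if ($isKept) {
            $action = 'Kept'
        }
        elseif (-not $Apply) {
            $action = 'WouldRemove'
        }
        else {
            try {
                Remove-AppxProvisionedPackage -Online -PackageName $pkg.PackageName -ErrorAction Stop | Out-Null
                $action = 'Removed'
            }
            catch {
                # Keep going, but leave a record of what could not be removed.
                $action = "Failed: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            DisplayName = $pkg.DisplayName
            PackageName = $pkg.PackageName
            Action      = $action
        }
    }
}

# Dry run first, review the list, then repeat with -Apply:
# Remove-ProvisionedAppsExcept | Format-Table -AutoSize
# Remove-ProvisionedAppsExcept -Apply | Export-Csv .\removed-appx.csv -NoTypeInformation
```

Keeping the exported CSV with the image documentation gives you a record of what was stripped from each image version.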

 

Built-in Applications

Don’t forget to deliver the built-in apps like Notepad, Calculator and Snipping Tool, because your users (also) need them. Microsoft decided to transfer Calculator to a modern app, so we need to install the ‘old’ calculator. Use this link to download the old calculator.

 

File type association(s)

Do NOT configure file type association for the natively installed applications. Use RES process interception for these applications. Make sure that process interception is only configured for the applications that need to start using file type association. For example, when many shortcuts are created and linked to a ‘Master’ application (like iexplore.exe), configure process interception only for the master application.

 

Printer troubles?

NRRR again, I didn’t find environments without printer problems (yet). In most cases the customers weren’t even aware of them ;-). Most problems occur with the (printer) drivers. The solution is simple: take the time to find and install the right printer drivers on your print server and install the right drivers on your base image.

My advice is to not allow automatic printer driver installation, because this can slow down your login time dramatically and users don’t like that!

Packaged Drivers

Another thing with printer drivers is the way they are delivered/installed on the client. The right driver is installed on the client but a message pops up every time the user logs on about installing the driver. This can happen when your printer driver is not packaged.

To find out whether the driver is package-aware, use Print Manager: open the drivers section; if the driver is package-aware it will have the ‘true’ status in the packaged column. See this Microsoft KB for more information.

There is a little trick that makes a system think that the driver is package-aware. To do it, open the HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\…\Driver name\ branch of the registry on the print server and change the ‘PrinterDriverAttributes’ value for the specific driver by adding 1 to the current value. For example, if the attribute value has been equal to 5, change it to 6.

The same has to be done for the driver attribute in HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers…\Driver name\.

After the restart, your printers will connect without any warnings.
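Because this registry change suppresses the driver installation prompt, it is worth recording which drivers carry which ‘PrinterDriverAttributes’ value before and after touching them. The following read-only inventory is an added example, not code from the original post; the function name is hypothetical, and the `Version-*` subkey level and the 0x1 package-aware bit (PRINTER_DRIVER_PACKAGE_AWARE in the Windows SDK header winspool.h) are not stated on this page.

```powershell
# Added example, not from the original post. Read-only: nothing is modified.
# Run on the print server; reading HKLM does not require elevation.
$PackageAwareBit = 0x1   # PRINTER_DRIVER_PACKAGE_AWARE (winspool.h), assumption labelled above

function Get-PrinterDriverAttributeReport {
    param(
        [string[]]$Environment = @('Windows x64', 'Windows NT x86'),
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments'
    )

    foreach ($envName in $Environment) {
        $driversKey = Join-Path $Root (Join-Path $envName 'Drivers')
        if (-not (Test-Path -LiteralPath $driversKey)) { continue }

        # Drivers are stored one level down, under Version-* subkeys.
        foreach ($versionKey in Get-ChildItem -LiteralPath $driversKey) {
            foreach ($driverKey in Get-ChildItem -LiteralPath $versionKey.PSPath) {
                $attr = $driverKey.GetValue('PrinterDriverAttributes')

                [pscustomobject]@{
                    Environment  = $envName
                    Version      = $versionKey.PSChildName
                    Driver       = $driverKey.PSChildName
                    Attributes   = $attr
                    # $null when the value is missing, otherwise the state of bit 0.
                    PackageAware = if ($null -eq $attr) { $null }
                                   else { [bool]($attr -band $PackageAwareBit) }
                }
            }
        }
    }
}

# Save a baseline before changing anything, and compare after the change:
# Get-PrinterDriverAttributeReport | Export-Csv .\driver-attributes-before.csv -NoTypeInformation
# Get-PrinterDriverAttributeReport | Sort-Object Environment, Driver | Format-Table -AutoSize
```

The exported baseline also tells you exactly which values to restore if a modified driver starts misbehaving.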

 

Elevated processes that require environment variables…

I had some issues using RES dynamic privileges when using environment variables. I noticed that setting the ‘EnableLinkedConnections’ registry key solved these issues.
See this Microsoft KB for more information. There were some issues with the early Windows 10 builds but all seems to work fine now.

 

Antivirus

Again, this is NRRR, but I have seen many workspace improvements after a decent configuration of the virus scanner. For example, make sure you download and apply the Best Practice – Antivirus Recommendations from RES.

When using VMware ESXi and vShield antivirus protection, make sure that the VMware Tools version in the image matches the version on the hosts.

 

Branding

Of course you want your Windows 10 workspace to look good! This means the lock screen, user account pictures etc. need to be set. The default user account pictures are stored in ‘C:\ProgramData\Microsoft\User Account Pictures’ and the default lock screen picture can best be stored at ‘C:\Windows\web\screen’.

Again, I can help you with this building block.

 

Missing Tiles in startmenu?

I noticed that sometimes the Start Menu was empty (no tiles), while items were pinned in previous sessions. See this excellent blog post from John Billekens for a workaround for this issue.

 

What’s that? You want more? Check these related blogs:

I really hope this blog will help you and your organization roll out Windows 10 in an efficient way. If you have a question, comment, compliment or suggestion, let me know.

Thanks for reading, Rob Aarts