AppSense seem to be trying to highlight and enhance the flexibility of their product lines at the moment, and this is something I am all for. You don't have to necessarily perceive the DesktopNow suite as a direct competitor or alternative to other technologies - as most of you are aware, the answers for many enterprises lie in using various complementary technologies together to produce the right solution for your needs. I blogged recently about integrating AppSense Environment Manager with Citrix UPM - today, we will see that AppSense has given us the capability to deploy Application Manager configurations from within Microsoft's own Group Policy Objects, allowing you to roll out AM configurations in the same way you would Software Restriction Policies or AppLocker settings. In short, we leverage the power of Group Policy to take advantage of the extra features of Application Manager.
Why would you do it this way?
That's as good a question as any to start with. Well, using Group Policy to deploy AM configurations removes the dependence on a deployment infrastructure. So you wouldn't need to use the Management Center, or SCCM, to handle the distribution of the configuration to your endpoints - you'd simply offload it into Active Directory itself. This significantly reduces the complexity of your AM deployment, and also allows you to use the same console as you would do for your other Group Policy Objects. Even if you're just licensed for Application Manager, this still entitles you to use the Management Center feature of DesktopNow, but that necessitates a separate security model and a second console. If you want to tie the deployment of AM configurations directly into your existing Group Policy infrastructure, this is a very neat way to do it and streamlines the solution by a sizeable chunk.
I'd also steer clear of labelling this as an "SME-only" kind of solution - I've seen larger enterprises where this could certainly be a value add as well. In some cases, Application Manager is used exclusively for management of device-based licensing, and having to use the Management Console certainly adds to the unwieldiness of narrow-scope deployments such as this. Direct GPO integration would be a good idea in these cases too.
Installing the new features
In order to take advantage of this feature you will have to download and install the new 8 FR 7 Application Manager software (while you're on, you might as well take advantage of the upgrade to Management Center 8 FR 5 as well).
Application Manager doesn't have any back-end components, so to upgrade the AM instance, you simply need to do the following:-
- Download the new software from MyAppSense.com
- Install the upgraded Application Manager Console in all necessary locations
- Install the upgraded Application Manager Documentation in all necessary locations
- Load the upgraded Application Manager Agents into the Management Center using the Package Library Add Package function
- Open your existing 8.x configurations in the upgraded Application Manager Console, and save them under a new name to make them 8 FR 7 configurations
- Assign the new agents and configurations to your Deployment Groups
Did I just say simple? Maybe that's not strictly true :-)
NOTE - if you upgrade the Management Center to 8 FR 5 while doing this, don't forget there is a Management Server database update required also. So when you've run the installers on each Management Server, don't forget to run the Management Server Configuration Tool on one of them to perform the schema updates
Working with the console
Now, when you open the Application Manager 8 FR 7 Console, you will notice a few new features. Such as this
Yes, that's a long overdue Sort feature for the Group Rules. Not particularly broad in scope, but still. Can we have a Search feature now please, like Environment Manager has Find and Replace?
There's also a much fuller Regular Expression support, which is good news for those randomized filenames I always tend to find myself dealing with.
Also I noticed on the ribbon menu, there is now a Preferences button (which may have been introduced earlier, but I've only just noticed it) which has this option
which should be good news for those of you who use App-V, ThinApp or other packaging methods to provide your consoles to your administrators, as you can now deselect the splash screen and save valuable app launch time.
Anyway - I am digressing a bit here. What we are interested in is the capability to save within Group Policy. Now, to do this, you will need the Remote Server Administration Tools installed on the endpoint you are running the Application Manager Console on (here's a link to the Windows 7 version). If you're running on Windows XP x64 or Server 2003 x64, apparently this is not supported, so I wouldn't recommend running them from there, but x86 XP and Server 2003 should be fine as long as .Net 1.1 and GPMC are installed. If you're an idiot, like me, you can spend ages searching for the Windows Server 2008 R2 RSAT, and then remember that you simply add it as a Feature from within Server Manager :-0
Once you've installed the Remote Server Administration Tools or added the GPMC as a feature, you can open a configuration up and observe that we now have an additional Save As function
followed by a domain selection dialog
Naturally it goes without saying that you will need the necessary rights to create, edit and save GPOs into your AD. Any user account that already deals with GPOs should be sufficient to use this function.
The console is a little unintuitive here as it seems to be initially suggesting that you need to save the configuration into a pre-existing GPO (in which case I would wonder if it would append to the existing GPO or overwrite all of the settings), but luckily right-clicking on your target OU gives you the option to create and link a new one
Then you simply need to give it a name
and it's at this stage you will find out if your account has the required rights or not :-)
Once we've rectified that error, it will Save without issue, and you can now open a configuration from Group Policy using the same dialog
Sweet! Now our configuration will exist as a GPO in the location of \\<Domain Controller>\SysVol\<domain.fqdn>\Policies\<guid for GPO>\Machine\AppSense. Don't forget that you will be subject to the usual replication period, so don't expect it to appear instantly if you have a large or sub-optimal AD setup.
Processing, processing order and merging
The AM configuration GPO will only apply to Computer objects within the target GPO. The usual processing order applies, but if you have multiple AM configuration objects applying to a single object, the Endpoint Configuration Merging feature will take effect. I've yet to put together a post on this (my apologies), but for now, you can read about it in the AppSense documentation.
If you look in the GPMC directly, I would recommend changing the settings for this GPO to User Configuration Settings Disabled, if the GPO only contains AppSense AM settings, because they are Computer settings only
This will speed up the processing time slightly.
You can't edit the GPO directly from GPMC though, you will need to ensure that you use the Application Manager Console for this. The GPMC would need to have access to the ADM files required, and you will see the error below trying to view the settings
I haven't tried to edit the configuration directly to see what might happen if you do it through the GPMC rather than the Application Manager Console, but given the amount of corrupted GPOs I've seen in my time, I can probably hazard a guess as to the worst possible outcome. Suffice to say you may want to tie down the GPO access through the GPMC to limit it to people who can also access the configuration via the Application Manager Console.
Summary
So, what we have here is a nifty little new feature in Application Manager that opens up the scope even further for deployment options. In my world, I can see this as an ideal way to put Application Manager configurations out on a live environment in audit mode, so I can gather information whilst still creating the AppSense infrastructure. But that's just the first use case I can come up with - I've got no doubt this has got quite a bit of mileage for lots of different situations. Application Manager, despite being a part of the DesktopNow suite I've got a lot of time for, still has a lot of niggles in the console that annoy me - having to specify hundreds of devices by name for Device Rules still narks the hell out of me, even though there are a few VBScripts kicking about to address this - but this addition makes me hope that there is going to be a lot of change for the better in AM in the very near future. Let's hope these new features are just the start.