Opinion: Isolation – To be or not to be?

For several years now, I've held the opinion that isolation is becoming less and less important when it comes to application virtualization of general end-user applications. You see, isolation was great when DLL hell was a major issue, but developers have got better at producing a higher standard of application. DLL hell is all but gone, in my experience at least. If you've ever demoed App-V, ThinApp or any other application virtualization solution before, you've likely presented yourself launching multiple versions of Microsoft Word side by side on the same machine. That's still pretty cool, but now some applications are even developed to work side by side with previous or later versions of themselves! So, what's to be gained by isolating your applications?

Not all applications will allow multiple versions to work side by side. And although DLL hell is not a widespread problem any more, application conflicts can still occur, particularly on a shared RDS session host or a XenApp terminal server on which you may have many, many applications hosted and running concurrently. Containerization, which relies heavily on isolation, is also becoming popular.

Am I saying isolation should be scrapped entirely?

No, not at all. I still see the value in it, for the reasons I stated in the previous paragraph, BUT I'd love to have the option to switch the isolation off when I so please! If I have an application with drivers, I can either spend hours trying to extract the drivers or just proceed with a traditional local install. If I have an application with COM+, I can again spend valuable time extracting this. It's not a good use of my time! We also all likely hear that companies get around 80% of their applications packaged and delivered with a solution like App-V or ThinApp. How are they handling the other 20%? Wouldn't it be great to handle all applications the same way and without issue?

In my efforts to extract drivers in the past, I believe I could see part of the challenge for application virtualization vendors and why drivers are a limitation for so many in the market, e.g. Microsoft App-V, VMware ThinApp, Spoon.net, Cameyo etc. Developers are not consistent with how they deliver their drivers. I'm sure these vendors would love to have a way to simply detect that the application you are trying to package contains a driver, automatically take that driver out and deliver it side by side with the virtual application, maintaining the isolation and integrity of the app, BUT I'd also bet that it's very difficult or impossible to code a solution to handle these when there's no standard being followed.


Dealing with Drivers in App-V

This is really just me relaying my experience in dealing with applications that contain drivers. Like I said in my previous post, vendors are not consistent with how they deliver their applications, so I may not cover absolutely every possibility, but these are examples of some that I have encountered.

1.) Separate Driver Installer extracted

In some glorious cases, vendors actually split out their drivers into separate packages. I'd love it if this was the standard, but it's not! If you run the install you may find a Drivers folder or a Drivers MSI in the extracted installer under %temp%. Look while the setup is still running: most bootstrappers delete what they extracted as soon as they exit.

For a great example, check out Nicke Kallen's great blog post HERE.

2.) Vendor MSI

In a few cases, you may notice during an install of a vendor-supplied MSI that there is a separate feature for the actual driver install, if it's optional.

If you are lucky enough, your application install may have such an optional feature in it. If you go to the Custom Setup option during the install, you can usually tell if one exists. You can then open the MSI (in Orca or a similar editor) and go to the Feature table to find the name of the feature you want. The name you need is the Feature column, not the Title shown in the setup UI.

You might be able to just install the MSI with the ADDLOCAL= parameter naming that feature, e.g. msiexec /i FoxitPhantomPDF706_Business_enu_Setup.msi ADDLOCAL=FX_Evernote

In which case, add a script to the MachineScripts section of your App-V application's Deployment Configuration file to install the driver as above. Remember that MachineScripts run as SYSTEM with no desktop, so the MSI must sit somewhere the computer account can read and the command should run silently (/qn).
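The steps above (read the Feature table, pick the feature name, build the ADDLOCAL command, put it in MachineScripts) as an added PowerShell example. This is not code from the original post; the MSI file name, feature name, share path and log path are placeholders, and the script assumes the App-V 5 DeploymentConfig.xml MachineScripts layout.

```powershell
# Added example; not from the original post. Reads the Feature table of an MSI with the
# Windows Installer COM API (what Orca shows you), checks that the feature you want exists,
# and builds the msiexec line plus the App-V DeploymentConfig MachineScripts entry that runs it.
# The MSI file name, feature name, share path and log path are placeholders.

function Get-MsiFeature {
    param([Parameter(Mandatory)][string]$Path)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, 0): 0 = msiOpenDatabaseModeReadOnly, so the package is not modified.
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                @('SELECT `Feature`, `Title`, `Level` FROM `Feature`'))
    $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)

    $features = @()
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }      # Fetch returns nothing after the last row
        $features += [pscustomobject]@{
            Feature = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, 1)
            Title   = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, 2)
            # Install level: 0 = never installed by default; anything above INSTALLLEVEL (1 unless
            # the package sets it) is left out of a default install, which is why ADDLOCAL is needed.
            Level   = $rec.GetType().InvokeMember('IntegerData', 'GetProperty', $null, $rec, 3)
        }
    }
    $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    return $features
}

function New-DriverInstallCommand {
    param(
        [Parameter(Mandatory)][string]$MsiPath,   # must be readable by the client's computer account
        [Parameter(Mandatory)][string]$Feature,
        [string]$LogPath = 'C:\Windows\Temp\driver-install.log'
    )
    $known = Get-MsiFeature -Path $MsiPath
    if ($known.Feature -notcontains $Feature) {
        throw "Feature '$Feature' is not in $MsiPath. Found: $($known.Feature -join ', ')"
    }
    # /qn: no UI, a MachineScript has no desktop to show one on. /norestart: let App-V finish
    # the add before anything reboots. Verbose log so a failed add can be diagnosed afterwards.
    return "msiexec.exe /i `"$MsiPath`" ADDLOCAL=$Feature /qn /norestart /l*v `"$LogPath`""
}

function New-MachineScriptFragment {
    param([Parameter(Mandatory)][string]$MsiPath, [Parameter(Mandatory)][string]$Feature)
    $cmd = New-DriverInstallCommand -MsiPath $MsiPath -Feature $Feature
    $arguments = [System.Security.SecurityElement]::Escape($cmd.Substring('msiexec.exe '.Length))
    # Goes inside <MachineConfiguration> of the package's DeploymentConfig.xml. AddPackage runs once,
    # when the package is added on the client; RollbackOnError makes a failed driver install fail the add.
    $xml = @"
<MachineScripts>
  <AddPackage>
    <Path>msiexec.exe</Path>
    <Arguments>$arguments</Arguments>
    <Wait RollbackOnError="true" Timeout="600"/>
  </AddPackage>
</MachineScripts>
"@
    return $xml
}

# Usage (placeholders):
#   Get-MsiFeature -Path 'C:\Pkg\FoxitPhantomPDF706_Business_enu_Setup.msi' | Format-Table
#   New-MachineScriptFragment -MsiPath '\\fileserver\pkg\FoxitPhantomPDF706_Business_enu_Setup.msi' -Feature FX_Evernote
```

Get-MsiFeature is the check worth keeping even if you hand-write the rest: it fails early when a feature name is mistyped, rather than leaving you with a package that adds cleanly but silently installs no driver.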


How to: Setup MBAM 2.5

A couple of years ago, I set up MBAM in a production environment for a company that wanted it. The setup was heartbreaking! It was so complex, and at the time there wasn't any good info online on how to do it. So I published a few blog posts myself, one of which you can find HERE. Well, the good news is that Microsoft greatly simplified the setup and now caters for larger-scale enterprise environments. If you'd like a video to follow, there is one embedded in the full post.

It's a great video that shows a start-to-finish setup. This blog post is just my footnotes from my own setup, which was not quite as complex as the setup in the video, as I was setting up on one home server. Many times I use my site as a memory dump from different projects that I've worked on. One note before we start: desktops that you wish to encrypt MUST have a TPM chip UNLESS they are running Windows 8 or later. In the past a TPM was a must across the board; MBAM 2.5 can now deploy to Microsoft's newer operating systems without a TPM chip, using a password protector instead.

Pre-requisites

.NET Framework 4.5
If the server you are using already had IIS installed before .NET was added, ASP.NET may not be registered with IIS. On Server 2008 R2 you may need to run aspnet_regiis -i from %windir%\Microsoft.NET\Framework64\v4.0.30319; on Server 2012 and later aspnet_regiis is no longer supported, so add the ASP.NET 4.5 role service instead (Install-WindowsFeature Web-Asp-Net45).

PowerShell 3.0

ASP.NET MVC 4 for the Self-Service Portal (SSP)

SQL Server (with Reporting Services, which the Compliance and Audit reports need)

Download the MDOP Group Policy templates (the MDOP Template link in the full post) and add them to your Group Policy central store (or the local PolicyDefinitions folder) so the MBAM client settings can be delivered by GPO.

If you are setting up for a production environment, it's recommended to split the roles across servers depending on how large your environment is; it may be two servers or more.

Also for a production environment it's a good idea to use a certificate for security purposes: clients post their recovery keys to the MBAM web services and the help desk and self-service portals hand them back out, so those sites should be served over HTTPS.

Similar to the previous version of MBAM, there are several different roles and service accounts required, so you may want to set up the service accounts before you start. They are as follows:

Read/Write access user or group for the databases

Group for Reporting

A domain account for the Compliance and Audit Service

A domain account for the Application Pool

AD Group for Advanced Help Desk Users

AD Group for regular Help Desk Users

Create SPN

Launch the command line as administrator on your server. As you can see, in my single-server setup I created an SPN pointing to my single server by using the command:

setspn -S http/MBAM01.Rorymon.com MBAM01

The -S switch checks that no other account already holds the SPN before adding it; a duplicate SPN breaks Kerberos for both owners. The SPN must sit on whatever identity the MBAM application pool runs as: the computer account, as here, if the pool runs as Network Service, but the domain application pool account from the list above if you use one. Register both the fully qualified name and the short host name, as clients may use either.
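The service accounts and groups from the list above and the SPN step, carried out with the ActiveDirectory PowerShell module rather than by hand, as an added example. This is not code from the original post; OU, group, account and host names are placeholders, the group memberships are an assumption, and the SPN function does the same duplicate check setspn -S does.

```powershell
# Added example; not from the original post. Creates the groups and service accounts the
# MBAM 2.5 setup asks for, then registers the HTTP SPNs for the MBAM web site on the
# application pool account, refusing duplicates the way setspn -S does.
# OU, group, account and host names are placeholders; adjust to your domain.
Import-Module ActiveDirectory

$Ou         = 'OU=MBAM,OU=Service Accounts,DC=rorymon,DC=com'   # assumed OU
$Domain     = 'rorymon.com'
$WebHost    = 'MBAM01'               # name clients use for the web services; a load-balanced name in multi-server setups
$AppPool    = 'svc_mbam_apppool'
$Compliance = 'svc_mbam_compliance'

function New-MbamGroups {
    # DB read/write, reporting, advanced help desk, regular help desk: the four groups from the list above
    foreach ($g in 'MBAM-DB-RW', 'MBAM-Reporting', 'MBAM-HelpDesk-Advanced', 'MBAM-HelpDesk') {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $Ou
        }
    }
}

function New-MbamServiceAccount {
    param([Parameter(Mandatory)][string]$Name)
    if (Get-ADUser -Filter "SamAccountName -eq '$Name'") { return }
    $pw = Read-Host -Prompt "Password for $Name" -AsSecureString
    # AES-only Kerberos keys: an HTTP SPN on an RC4-enabled account is a Kerberoasting target.
    New-ADUser -Name $Name -SamAccountName $Name -Path $Ou -AccountPassword $pw -Enabled $true `
        -KerberosEncryptionType AES128, AES256 -CannotChangePassword $true
}

function Register-HttpSpn {
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][string[]]$HostNames)
    $acct = Get-ADUser -Identity $Account -Properties servicePrincipalName
    foreach ($h in $HostNames) {
        $spn = "http/$h"
        if ($acct.servicePrincipalName -contains $spn) { continue }   # already on this account
        # Same check setspn -S performs: a duplicate SPN breaks Kerberos for both owners.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                    Where-Object DistinguishedName -ne $acct.DistinguishedName)
        if ($owners.Count -gt 0) {
            throw "$spn is already registered on $($owners.DistinguishedName -join '; ')"
        }
        Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $spn}
    }
    # Return what is now registered so it can be eyeballed, like setspn -L.
    (Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName
}

New-MbamGroups
New-MbamServiceAccount -Name $AppPool
New-MbamServiceAccount -Name $Compliance
# Assumed: both service accounts get database read/write through the group.
Add-ADGroupMember -Identity 'MBAM-DB-RW' -Members $AppPool, $Compliance
# Register both the FQDN and the short name; clients may use either. If the pool runs as
# Network Service instead, put these SPNs on the computer account, as the post does.
Register-HttpSpn -Account $AppPool -HostNames "$WebHost.$Domain", $WebHost
```

Run it once from a machine with RSAT as an account that can create objects in the target OU. Register-HttpSpn is idempotent, so re-running after a failed step is safe; it only throws when some other object already owns the SPN, which is exactly the case you want to stop and investigate rather than overwrite.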
