Application not removed from local cache on publishing refresh

  • Question

  • I'm using App-V 4.6 RTM x64 for RDS. Applications are published on App-V Management Server. I have sequenced Office 2010, Project 2010 and Visio 2010 in one package. Because of separate licencing I have created dedicated AD groups for Office, Project, Visio and configured access for those groups on App-V Management Server. OfficeGroup has access to all Office 2010 applications except Project and Visio in Office package, GroupProject has access only to Project 2010 application in Office package, and GroupVisio has access only to Visio 2010 application in Office package.

    All seemed to work well until I tested scenario when a user had access to Office, Project and Visio, and then had his rights to Project and Visio revoked, i.e. user is removed from AD groups GroupProject and GroupVisio.

    In this case when the user logs in and publishing refresh happens, Project and Visio icons are still there in his start menu, but file type associations are removed.

    I turned on verbose logging on the client, and this is what I found in the log file:

    [08/20/2010 13:22:42:951 MIME VRB] {tid=1930:usr=user1}
    User no longer has access to 'Microsoft Visio 2010 14.0.4755.10002', attempting to remove

    [08/20/2010 13:22:42:951 AMGR VRB] {tid=1930:usr=user1}
    FindAppByName(name=Microsoft Visio 2010 14.0.4755.10002, ver=, owner=0xffffffff

    [08/20/2010 13:22:42:951 AMGR VRB] {tid=1930:usr=user1}
    FindAppInternal(..., match=Microsoft Visio 2010 14.0.4755.10002, owner=0xffffffff, ...)

    [08/20/2010 13:22:42:951 AMGR VRB] {tid=1930:usr=user1}
    Found an instance of 'Microsoft Visio 2010 14.0.4755.10002' owned by 0xffffffff

    [08/20/2010 13:22:42:951 SWAP VRB] {hap=19:app=Microsoft Visio 2010 14.0.4755.10002:tid=1930:usr=user1}
    RemoveCurrentUserData(force=FALSE, config=TRUE)

    [08/20/2010 13:22:42:951 SWAP VRB] {hap=19:app=Microsoft Visio 2010 14.0.4755.10002:tid=1930:usr=user1}
    FindOtherInstance(ulFlags=0x00008420)

    [08/20/2010 13:22:42:951 AMGR VRB] {tid=1930:usr=user1}
    FirstApp(ulFilter=0x00000001)

    [08/20/2010 13:22:42:951 SWAP VRB] {tid=1930:usr=user1}
    Found a match: hApp 35

    [08/20/2010 13:22:42:967 SWAP VRB] {hap=19:app=Microsoft Visio 2010 14.0.4755.10002:tid=1930:usr=user1}
    Can't remove app because its settings are in use

    The problem is that the user is still able to run, from the local cache, applications he has no rights to.

    I am able to remove the application manually with no problems by issuing the following command within the user's session:

    sftmime delete app:"Microsoft Visio 2010"

    Why can't the publishing refresh process remove the applications?

    Any help appreciated.

    Friday, August 20, 2010 10:47 AM
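
An added example, not code from the thread or from App-V itself: a small Python parser for App-V 4.6 client verbose log entries in the layout quoted above ("[date time COMPONENT LEVEL] {key=value:...} message"), which reports the applications a publishing refresh tried to unpublish but left in the local cache because their settings were in use. The sample log text is constructed for the example (the Project and user2 entries are invented), it assumes one entry per line, and the two message strings it matches on are taken exactly as they appear in the post.

```python
"""Audit an App-V 4.6 client verbose log for applications that a publishing
refresh tried to unpublish but could not remove from the local cache.

Added example, not part of the original thread. It assumes the entry layout
visible in the post: "[date time COMPONENT LEVEL] {key=value:...} message",
one entry per line.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the post's format; the Project and user2 entries are
# invented to show an unpublish that failed twice and one with no failure seen.
SAMPLE_LOG = """\
[08/20/2010 13:22:42:951 MIME VRB] {tid=1930:usr=user1} User no longer has access to 'Microsoft Visio 2010 14.0.4755.10002', attempting to remove
[08/20/2010 13:22:42:951 SWAP VRB] {hap=19:app=Microsoft Visio 2010 14.0.4755.10002:tid=1930:usr=user1} RemoveCurrentUserData(force=FALSE, config=TRUE)
[08/20/2010 13:22:42:951 SWAP VRB] {tid=1930:usr=user1} Found a match: hApp 35
[08/20/2010 13:22:42:967 SWAP VRB] {hap=19:app=Microsoft Visio 2010 14.0.4755.10002:tid=1930:usr=user1} Can't remove app because its settings are in use
[08/20/2010 13:22:43:102 MIME VRB] {tid=1930:usr=user1} User no longer has access to 'Microsoft Project 2010 14.0.4755.10002', attempting to remove
[08/20/2010 13:22:43:110 SWAP VRB] {hap=20:app=Microsoft Project 2010 14.0.4755.10002:tid=1930:usr=user1} Can't remove app because its settings are in use
[08/20/2010 13:25:01:000 MIME VRB] {tid=2044:usr=user2} User no longer has access to 'Some Standalone App 1.0', attempting to remove
"""

# "[08/20/2010 13:22:42:951 SWAP VRB] {...} message"
ENTRY_RE = re.compile(r"^\[(\S+ \S+) (\w+) (\w+)\] \{([^}]*)\} (.*)$")
# key=value pairs separated by ':'; values (app names) may contain spaces
CONTEXT_RE = re.compile(r"(\w+)=(.*?)(?=:\w+=|$)")
REMOVE_ATTEMPT_RE = re.compile(r"^User no longer has access to '(.+)', attempting to remove$")
SETTINGS_IN_USE = "Can't remove app because its settings are in use"


def parse_entry(line: str) -> Optional[dict]:
    """Split one log line into timestamp, component, level, context dict and message."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    stamp, component, level, context, message = m.groups()
    return {
        "time": stamp,
        "component": component,
        "level": level,
        "ctx": dict(CONTEXT_RE.findall(context)),
        "message": message,
    }


def audit_unpublish(log_text: str) -> Dict[Tuple[str, str], str]:
    """Return {(user, app): status}.

    status is 'failed' when the client logged that the app's settings were in
    use, otherwise 'attempted' (the log excerpt shows no explicit success line,
    so an attempt without a failure is only reported as attempted).
    """
    status: Dict[Tuple[str, str], str] = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        user = entry["ctx"].get("usr", "?")
        attempt = REMOVE_ATTEMPT_RE.match(entry["message"])
        if attempt:
            status.setdefault((user, attempt.group(1)), "attempted")
        elif entry["message"] == SETTINGS_IN_USE and "app" in entry["ctx"]:
            status[(user, entry["ctx"]["app"])] = "failed"
    return status


def still_cached(log_text: str) -> List[Tuple[str, str]]:
    """(user, app) pairs the refresh revoked but could not remove from the cache."""
    return sorted(k for k, v in audit_unpublish(log_text).items() if v == "failed")


if __name__ == "__main__":
    for user, app in still_cached(SAMPLE_LOG):
        print(f"{user}: '{app}' still in local cache (settings in use)")
```

Run against a real sftlog.txt, the output is the list of users who lost access to an application but can still launch it from the cache, which is the condition the question describes; those are the entries to follow up with a manual `sftmime delete app:` or an execution-control rule.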

Answers

  • Your answer is right there in the log file: "Can't remove app because its settings are in use" - because Project and Visio are in the same package, all Office applications are now using the same settings/configuration. Whether the shortcut should be removed or not I can't say specifically; however you could team this with Group Policy Preferences to delete the shortcuts at login.

    Although you have separate groups for Project and Visio, the user could still actually run them by several methods including launching a command prompt in the Office environment and running VISIO.EXE or MSPROJ.EXE or by using Word and inserting a Project or Visio object.

    To restrict users from running Project and Visio, you can use AppLocker to restrict execution of the main processes. There's a great article on AppLocker and App-V here: http://www.brianmadden.com/blogs/timmangan/archive/2009/10/28/AppV-and-AppLocker.aspx

    Friday, August 20, 2010 11:24 AM
    Moderator

All replies

  • Hello,

    Seems that the settings were in use and therefore it's not removed.
    /Znack
    Friday, August 20, 2010 11:24 AM
  • Yes, I noticed that line; my question was why the publishing refresh cannot remove the application if I can remove it manually without problems.

    But you're right, even if it is removed, the user can still run it. I just tested it this way:

    sfttray /exe VISIO.EXE /launch "Microsoft Word 2010"

    and Visio opens just fine even though I deleted the Visio application from the server cache and the user is not a member of the AD group configured for the Visio application on the App-V Management Server.

    So basically a user can launch every single application in a package if he has rights to at least one application in that package configured on the App-V Management Server. And there is no way to restrict that except for using something like AppLocker.

    Thanks for the article on AppLocker; looks like that is the way to go, besides trying to sequence Project and Visio into separate packages. I tried that one time, but with partial success: Project crashed every time on startup when dynamically linked to the Office package.

    Friday, August 20, 2010 1:03 PM
  • I generally recommend putting all of the Office applications into the same package because of the inter-dependencies; that way the applications will work as users expect.

    Dynamic Suite Composition is not a great approach for multiple Office applications, as this is a bit too complex for v1 of DSC.

    Friday, August 20, 2010 1:09 PM
    Moderator
  • The reason for being able to launch a "removed" application with "sfttray /exe VISIO.EXE /launch "Microsoft Word 2010"" is that you don't use the original App-V shortcut. Instead, you access the "Package" that contains Word and access a file in it.

    This is similar to "classical" shortcuts deployed to the user's start menu. Deleting these shortcuts does not prevent the user from going into the Program Files folder, finding any .exe and launching it.

    If you really want to protect "other" applications from being run, you'd have to set NTFS permissions on the .exe files during sequencing and make sure "Enforce Security Descriptors" is enabled.

    (Remote Desktop/Terminal Servers have the same issue as well: publishing an application (like Word) does not prevent the user from using the file/open dialog to point to visio.exe.)

    Falko
    Thursday, August 26, 2010 1:05 PM
    Moderator