disable appv package for particular computers

  • Question

  • Hello,

    I have a package published to a computer group that contains hundreds of computers.

    Need to assure that the package (app) will not be available for a list of particular pcs from the group.

    Would it be enough just to remove a computer from the group?

    Other published packages should be available. Cannot test right now.

    But need the info.

    Thanks.


    --- When you hit a wrong note it's the next note that makes it good or bad. --- Miles Davis


    • Edited by pob579 Thursday, December 7, 2017 7:05 PM
    Thursday, December 7, 2017 6:33 PM

All replies

  • Full infra or SCCM?

    MVP - Windows and Devices for IT

    app2pack.blogspot.com: app2pack.blogspot.com

    Friday, December 8, 2017 12:37 PM
  • native deployment:

    APPV MANAGER, PUBLISHING, SQL servers in place.

    What is the method for disabling one package/app on a few clients in a Computer Group?

    Thanks.


    Friday, December 8, 2017 2:51 PM
  • So basically you have an AD group containing 100 computers, and you want to target 97 of those?  (making up the exact numbers). 

    With SCCM you might have a few extra options. With native infrastructure, assuming the machines are the same OS, here are the only options I can think of:

    On your file share (content share) add a deny to the specific machines you don't want access.  Since a deny wins over the allow, the machines would be targeted but the install (add-package) would fail.

    The other approach would be to update the packages to run some kind of script that checks a list and if the machine isn't on the list.  They talk about this general idea here:
    http://virtualvibes.co.uk/conditional-delivery-with-app-v-5-rollbackonerror/

    • Marked as answer by pob579 Friday, December 15, 2017 1:35 PM
    Friday, December 8, 2017 4:52 PM
  • Hi,

    real situation:

    411 computers using 4 appv packages. One package should be denied for execution on all computers gradually.

    The app that should be restricted will be provided from Citrix.

    So the plan is: the tech enables the app from Citrix and should disable from execution the APPV one.

    The client computers are Windows 7. So there is another "thingy" about the copied shortcut icon on the Desktop because Appv could not publish the shortcut to the Desktop. But it is other story. I must assure that an existing Appv shortcut will not start the App of APPV package.

    > On your file share (content share) add a deny to the specific machines you don't want access.  Since a deny wins over the allow, the machines would be targeted but the install (add-package) would fail.

    So, I have to right click on package folder in Content folder and add computers under security tab for preventing the execution of Appv package?

    If you say I understood it correctly, then

    1. I will create a group "APP Denied" will add it to security TAB of the package

    2.  in permissions for "APP Denied" I will check Denied.

    3. then gradually will add computers to the group

    Should it really do what I want? The package is cached locally... So the deny should actually restrict the execution (by your advice).

    It would be pretty simple to accomplish without any scripting involved.

    Thanks for the idea.



    • Edited by pob579 Friday, December 8, 2017 6:51 PM
    Friday, December 8, 2017 6:50 PM
  • I'm losing you a little bit, but if the packages are cached and already on the machine, NO what I wrote won't work.

    Are you looking to uninstall the packages or restrict them from installing?

    Adding a deny to the file permission will prevent NEW machines from getting access to it, thus stopping them from installing it.  It won't do anything to already existing computers.

    Friday, December 8, 2017 8:07 PM
  • the package in question was published 3 years ago.

    Sure it was cached on clients machines... Isn't it default behavior?

    I don't mind to uninstall it. But as a first action I want to restrict it from the execution.

    Again, there are 411 machines. I have to restrict/remove it only after enabling the same app from Citrix.

    1. can the execution of the appv package be restricted without uninstall?

    2. probably uninstall will be a right option for me... 

    please remind a syntax... I have all those tips in folder when worked on setting up Appv infra... Then the project was dead but still serves 400 machines..

    probably I have to put a command for uninstalling the package and another one for removing the icon from Desktop in a batch and execute it remotely...

    Any tip on automation plz.

    Thanks.



    Saturday, December 9, 2017 12:24 AM
  • So to restate the problem, you have a package that you need to uninstall, and make it so it won't retarget the machine, but you can't remove the machine from the AD group.

    It's not elegant, but the only method I can think of is to:

    1.  Uninstall the package

    2.  Restrict the content share by putting specific denies on the file share for the computers you want to restrict

    To uninstall, you can do it a lot of ways, but assuming you want to stay App-V centric, you can create a blank App-V package that runs a PowerShell command at add-package time.  This is written from memory so check my spelling:
    Stop-AppvClientPackage -Name "package name" | Unpublish-AppvClientPackage -Global | Remove-AppvClientPackage

    Then you would add the computers you want to uninstall into this uninstall App-V package.  The computer will still attempt to get the package back, but will get denied to the .appv due to the permissions and thus fail silently.

    I know you said you want to first prohibit the execution, but in my opinion I would do the uninstall.  You would have to remove all entry points (shortcuts, FTA, COM) and if any user repaired the package those would come back.

    Let me know what you think.  Good luck!

    Wednesday, December 13, 2017 3:53 PM
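
The two steps described in the reply above (deny on the content share, then uninstall on the clients), sketched in PowerShell as an added example that is not part of the original thread. The share path, domain name, computer list file and working PowerShell remoting (WinRM) are assumptions; "APP Denied" is the group name proposed earlier in the thread.

```powershell
# Placeholder values (assumptions, not from the thread): adjust before use.
$PackageName  = 'package name'                        # name as shown by Get-AppvClientPackage
$PackageDir   = '\\server\content\PackageFolder'      # hypothetical package folder on the content share
$DenyGroup    = 'CONTOSO\APP Denied'                  # AD group holding the computer accounts to block
$ComputerList = Get-Content '.\denied-computers.txt'  # hypothetical file, one computer name per line

# Step 1: add a Deny ACE so member computers can no longer read the .appv from the share.
# An explicit Deny is evaluated before any Allow the computer gets through other groups.
$acl  = Get-Acl -Path $PackageDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $DenyGroup, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$acl.AddAccessRule($rule)
Set-Acl -Path $PackageDir -AclObject $acl

# Check: the Deny entry must now be listed on the folder.
(Get-Acl -Path $PackageDir).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited

# Step 2: remove the locally cached package on each listed client over remoting.
$results = Invoke-Command -ComputerName $ComputerList -ArgumentList $PackageName -ScriptBlock {
    param($Name)
    Import-Module AppvClient
    $pkg = Get-AppvClientPackage -Name $Name -All
    if ($pkg) {
        # Same pipeline as in the reply; -Global on Stop shuts the package down for all users.
        $pkg | Stop-AppvClientPackage -Global |
            Unpublish-AppvClientPackage -Global |
            Remove-AppvClientPackage
    }
    # Report what is left so a failed removal is visible centrally.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        StillInstalled = [bool](Get-AppvClientPackage -Name $Name -All)
    }
}

$results | Sort-Object Computer | Format-Table Computer, StillInstalled
```

Run it from an administrative workstation with rights on the share and on the clients. A computer added to the deny group picks up the new membership only after it reboots, so a client that has not restarted can still read the share.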
  • as I stated above... I CAN remove the computer from the group.

    And first thought that just that will prevent the execution possibility of locally cached package (was published 2 years ago). I thought that APPV management will be intuitive and restrict the package execution.

    As I have 3 packages: Pack1 Pack 2 Pack3, each of them published to the computer group:

    App 1 App 2 and App 3. Computer PC1 is a member of each group. So got 3 packages.

    Removing it from the group App 1 will disable publishing of App1. Correct?

    And the best method to DISABLE it is to Uninstall the package.

    Ideally, I want to do it remotely without bugging a user. But it could be a bit complex to run Powershell remotely... have to test.

    Thanks.


    Wednesday, December 13, 2017 4:52 PM
  • Sorry I'm joining late to the party...

    In reading the above, it is not entirely clear that this is with App-V 5, or what version. 

    But assuming you are on 5.1, we now have optional packages in a connection group.  So you modify the connection group not by deleting the app that only some people get, but by marking it "optional".  At least one package in the group must be mandatory (i.e. not marked optional). If you really need every package in the group to be optional you just create a dummy package published to everyone and make it the mandatory one in the group.  

    Once that change is in place, you can remove those certain users/machines from the AD security group that the package is published against. For the AD change to take effect, if it was a user account a logoff/logon is required and if it was a machine account a client reboot is required.  This will change out the cached Kerberos ticket dropping them out of the group, and then the publishing refresh will do the rest.

    tim


    Tim Mangan MVP for App-V and Citrix CTP Author of AppV books: "PowerShell with App-V 5 (5.1 Edition)", "The Client Book (4.x)" and "OSD Reference Book" (http://www.tmurgent.com/Books )

    Wednesday, December 13, 2017 5:45 PM
    Moderator
  • oh,  God came to the Earth (I mean App-V forum) :)

    Hi Tim,

    The App-V is 5.0.1224.0. I remember that I installed HOT Fix 5  (I guess latest before 5.1).

    So the real life scenario needed in January is:

    disable one of 3 published packages to a computer group.

    From your NOTE I understand that it is achievable with App-V 5.1.

    So not applies to my env.

    And I have to uninstall the package and unpublish the package (hope removal a pc from security group is enough).

    I guess as a first take I can just execute removal of the icon from Desktop. So the user will have just a new icon coming from Citrix (the new ver of app will be provided by Citrix).


    Wednesday, December 13, 2017 7:42 PM
  • 5.0 SP3 (5.0.10107) and above contains the changes in connection groups I described.  Both clients and servers need to be at or above this release.

    • Marked as answer by pob579 Friday, December 15, 2017 1:35 PM
    Wednesday, December 13, 2017 8:26 PM
    Moderator