locked
Virtual APP targeted to a group showing up for all users. RRS feed

  • Question

  • Hi,

    I have a problem in my envirinment. We are using SCCM2007 Sp1 R2 in our evnvironment.

    We create a collection based on user group and advertised Vapp to that group. The installation is perfect. But a user who is not a part of the group is able to see the short cuts and launch the application. Vapp client installed in 4.5, sccm client is 6221.

    Can some one please suggest a solution for this, if you have come accross the same issue.

    Thanks
    Friday, March 27, 2009 12:34 PM

Answers

All replies

  • Hello,

    Never implemented a solution with SCCM, however Tim has some explaining;
    http://social.technet.microsoft.com/Forums/en-US/appvclients/thread/7634b7cc-de37-4369-b7ff-6f4477daeb30

    Hope this helps, if not I would suggest looking around this forum or softgridguru.com - or contact MS directly.

    /Znack
    Friday, March 27, 2009 1:16 PM
  • Hmm that's strange. I've written an article about App-V and SCCM User advertisements and did not see this issue.
    http://desktopcontrol.blogspot.com/2009/02/how-to-user-based-and-machine-based-app.html

    Could you check to see any inconsistencies?
    Normally the difference between User and Computer assigned is in the creation of the collection.

    Thanks
    Monday, March 30, 2009 9:53 AM
    Answerer
  • Hi Ment,

    I have seen that article before. We were using User Resource while creating collections. Now we tested some applications with user group resource. But nothing changed. Do user resource and user group resource make much changes?

    Will it be a packaging issue?
    Should we do any settings in Vapp client.

    please go through the logs below

    ADD PACKAGE command line = ["C:\Program Files\Microsoft Application Virtualization Client\SFTMIME.COM" ADD PACKAGE:"TRM_BridgePageBuilder_2.0.3_MNT" /MANIFEST "C:\\WINDOWS\\system32\\CCM\\Cache\\TST00093.1.S-1-5-21-36943883-714553068-3808660527-2709\\TRM_BridgePageBuilder_2.0.3_MNT_manifest.xml" /OverrideUrl "FILE://C:\\WINDOWS\\system32\\CCM\\Cache\\TST00093.1.S-1-5-21-36943883-714553068-3808660527-2709\\TST00093.sft"]

    Raising event:
    [SMS_CodePage(437), SMS_LocaleID(1033)]
    instance of CLIMSG_VIRTUALAPP_INFO_PACKAGEADD_SUCCESS
    {
     AdvertisementId = "TST200D4";
     ClientID = "GUID:628458BF-76F7-44AA-8351-7016CFAB00A6";
     DateTime = "20090328075155.114000+000";
     MachineName = "DT4ZJ62BS";
     PackageID = "TST000DF";
     ProcessID = 2108;
     SiteCode = "TST";
     ThreadID = 2028;
     VirtualAppPackageGUID = "{CE7C3623-7196-428A-AEEA-29AAE6D5520A}";
     VirtualAppPackageName = "Microsoft_Access_2007SP1_VFS";

    PUBLISH PACKAGE command line = ["C:\Program Files\Microsoft Application Virtualization Client\SFTMIME.COM" PUBLISH PACKAGE:"{CE7C3623-7196-428A-AEEA-29AAE6D5520A}" /GLOBAL /MANIFEST "C:\\WINDOWS\\system32\\CCM\\Cache\\TST000DF.1.S-1-5-21-36943883-714553068-3808660527-2709\\Microsoft_Access_2007SP1_VFS_manifest.xml"]

    Tuesday, March 31, 2009 11:25 AM
  • Thanks a lot Znac,

    I found the /global switch being executed in our environment while publishing the package. Any idea on how we can fix this. Will it be a sequencing issue?

    Thanks
    Tuesday, March 31, 2009 11:26 AM
  • Hello,

    Well, try to follow Ments tips..
    http://desktopcontrol.blogspot.com/2009/02/how-to-user-based-and-machine-based-app.html

    I don't have any experience of this so unfortunately I am not much of help here..
    (I could of course read the documentation, but that you could do yourselves and you will not have to be dependt on my poor knowledge transferring skills)
    /Znack
    Tuesday, March 31, 2009 11:44 AM
  • This is not something you can influence during sequencing nor is it a client configuration setting.
    It's the way ConfigMgr publishes the package as you can see in the log.

    I will test User Resource in my environment and see if I have the same results as you.

    Regards,

    Ment van der Plas
    Tuesday, March 31, 2009 12:12 PM
    Answerer
  • I will test User Resource in my environment and see if I have the same results as you.
    I've tested with a User Resource and did not have the same situation as you have, but instead the packages were added on a per user level. 
    So this scenario also works as expected.

    Your logs showed me however that you did a "download and run" instead of a "stream from dp" scenario. So when I gave that scenario a try I did get the same results as you.
    So that's what's causing the issue in your situation. I could only get positive results with a "stream from dp" scenario.

    I can't explain why SCCM is adding the package globally in a download and run scenario. I would expect it to be able to add the package on a per user level.
    Maybe it has something to do with the cache that you share amongst all users on that machine?

    On the other hand, just to be clear, the fact that the application is only showing up for one user is NOT a security boundary of any kind. It's only a display thing.
    In the SCCM scenario (as well as the MSI scenario) there is no central authority to allow application startup as in the full infrastructure scenario.
    Instead once the application is added to App-V client console the application can be started by any user through either:
    - sfttray /launch "Application Name"
    - right-click the OSD (cached or central) and select Open with --> Microsoft Application Virtualization Client tray (doubleclick doesn't work for some reason. Probably the Vapplauncher.exe prohibits that)
    - by using the App-V Client Diagnostic and Configuration tool I created for troubleshooting purposes.

    Hope this clears up the issue you are having.

    Regards,

    Ment van der Plas
    Wednesday, April 1, 2009 6:07 PM
    Answerer
  • Thnaks for your time, Ment.

    So , you mean to say that you have the same issues while doing a download and run. Right?

    I am thinking to escalate the problem to Microsoft.

     

    Thanx again

     

    Jinu

    Thursday, April 2, 2009 8:29 AM
  • Yes, that is exactly what I'm saying.

    Before escalating, maybe someone from MSFT can comment on how this is supposed/designed to work.

    Thanks

    Ment van der Plas
    Thursday, April 2, 2009 11:19 AM
    Answerer
  • Thanx Ment,

    But how can we put this in front on MSFT?

    Jinno
    Thursday, April 2, 2009 12:11 PM
  • Please turn on debug logging to see what's happening in the ExecMgr.log.

     

    SInce you're seeing the use of the /Global switch in the VirtualApp.log, do you see the following in the ExecMgr.log just before the package is registered with the AppV client?

     

        "Machine targeted for execution."

     

    When a user is targeted it should say:  "Logged on user targeted for execution."

     

    I tested the user based targeting download and execute scenario this morning and it worked.  The application was published for users I defined in my collection.


    Regards

    Gene Ferioli 


    Senior Program Manager, Microsoft Application Virtualization, Microsoft
    Friday, April 3, 2009 4:55 PM
  • This should work. "Download and execute" does not make any difference when publishing package. SCCM adds " /GLOBAL" in the publishing command only when the Vapp advertisement is targeted to machine. I suspect something is wrong in the collection or advertisement, so the SCCM client thinks this is a per machine advertisement. I suggest you run policy spy on the client, in the "actual" tab, go to machine\CCM_SoftwareDistribution, and check if you can find policy for your virtual application. One tip to find vapp policy quickly: check those policies with PRG_ProgramID="[Virtual application]". If you can find it, that proves the advertisement is targeted to the machine, not the user. Please double check your collection and advertisement setting, and ensure only user is targeted.
    Friday, April 3, 2009 5:03 PM
  • Hi Samsonli,

    [E90FE0] Indicating __InstanceModificationEvent settings change on object CCM_SoftwareDistribution.ADV_AdvertisementID="TST200D6",PKG_PackageID="TST000DD",PRG_ProgramID="[Virtual application]".

    I can see the above policy in the policyagentprovider.log in the client machine. Does this show that the Vapp is advertised to the machine?

    We are creating collection on dynamic query using AD user group, selecting user resource in collection properties.

    I dont think there is much settings in the advertisements which can target application to machine , instead of users.

    Please help us iin troubleshooting the issue..

    Thanks
    Monday, April 6, 2009 9:40 AM
  • Hi Gene,

    I cannot see neither machine targeted nor logged on user targeted. But one thing i can say here is the applications will only be installed if a user present in the group logs in. If you log in with a user which is not present in any of the groups, then non of the v-apps will be installed.

    We noticied this issues here, when we scratched our PC's to WinXP SP3 through OSD. afer that the applications will start installing one by one.The advertisements will will available in Run advertised programs(RAP) only for the users present in the group. and it runs only for those users.

    But our problem really is that the shortcuts are getting published with /Global and it is available in all user profiles, which should not happen. If you delete the shortcuts from all users profile, the it is fine.


    Jinno

    Monday, April 6, 2009 9:55 AM
  • Hi All,

    Further to my testings, today i found that /Global switch is using after the machine goes for a reboot. After the OSD, the applications start installing without any problems, in between i rebooted the machine, the vapps which are installed after the reboot in having the /global switch in publish package.

    So i think it is something to do with the client settings(Vapp client). I am not sure about the configuration. I our environment Vapp client is installed through OSD. So we have any additional settings/configurations in Vapp client.

    Soon after the OSD and before any applications, i can see a publishing server in the vapp client, but after installations of some applications or a reboot, i am not able to see the publishing server. Can some one share me the client settings if any...

    Thanks again

    Jinno
    Tuesday, April 7, 2009 11:58 AM
  • Jinno,

    Could you share your App-V client installation parameters with us? Which settings are you setting additionally? and how, GPO/script?
    How does this publishing server get configured? There shouldn't be any in a native SCCM / App-V environment.

    Thanks

    Ment van der Plas
    Tuesday, April 7, 2009 12:09 PM
    Answerer
  • Hi Ment,

    We are installing App-V client through a exe and the same will be installed via OSD. We are using SCCM R2 and i dont see any publishing servers configured in App-V client. Should we configure the publishing server seperately. I can take some screenshots if required.

    I found something else, the app-v programs are installing with /Global only after a reboot of the machine(Manual/by any other programs). So i think some app-v client settings are getting changed after the reboot. Any applications installed before the reboot doesnot have any issues.

    Thanks

    Jinno
    Wednesday, April 8, 2009 8:39 AM
  • When using the App-V Client with SCCM, you should not set a publishing server.

    As to the other, I too am confused and am testing differing scenarios trying to figure out why and when this works (or not).
    Friday, June 5, 2009 12:31 PM
    Moderator
  • Hello,

    This showed up today;
    http://support.microsoft.com/default.aspx?scid=kb;en-us;972417&sd=rss&spid=12769

    The /GLOBAL flag makes the package available to all users instead of just the currently logged on user in System Center Configuration Manager 2007

    /Znack

    • Proposed as answer by znack Thursday, July 30, 2009 9:58 PM
    • Marked as answer by Ment van der PlasEditor Wednesday, August 19, 2009 7:26 AM
    Thursday, July 30, 2009 9:58 PM
  • Hi v-jijaga,

    Can you test this hotfix and maybe confirm that it fixes your particular issue? Then we can close this thread.

    Regards

    Ment van der Plas
    Monday, August 17, 2009 10:54 AM
    Answerer
  • Hi Ment,

    Thanks a million... This hotfix resolved the issue in our environment. Bill still this hot fix will not fix the existing applications. But any how it is working..

    Thanks all for you support..

    Jinno
    Wednesday, August 19, 2009 7:14 AM