Prereqs:
Security groups for masking
Share where rules will be placed
Copy script to have rules available on VDA (copy them) in order to make use of app masking
- We have already installed the application apprule editor on the master image/VDA. We need to open it up and create the rules
- Open rule editor from your VDA (make sure you run as admin, otherwise you won`t be able to apply/save rule at the end)
- Create a new rule set and save it using a naming convention relevant to what you`re doing (for ease of management)
- Once you have saved (select “enter file name” basically saves the object with this name) you are presented with 3 possibilities of defining the rule. Most comprehensive one is the “chose from installed programs” entry.
- For our testing, we will select “Mozilla Thunderbird”
- After selection, we can go with “scan” to list all the entries from where app is presented to the user.
- Once scan is complete, click ok to see the list
- In order to test if this rule works, toggle “apply rules to system” button
- You should notice that thunderbird app is no longer available on your desktop as “apply rules to system” radio button is toggled on. You may see the shortcut in start menu as you are looking for the app but selecting it does nothing. Logging off and back on should take care of this
- Toggle the “apply rules to system” one more time to restore app functionality (we now know how it will behave in production)
- Now it is time to assign this rule to user/group objects before saving.
- Select the “Manage Assignments” radio button
- You will see that “Everyone” is already set as “does not apply”. This means that rule will not apply to this group. We need to add a group to which this rule will apply. If not already done so, create a group and add users as members
- Once group was created, you can add it to the assignment rule set:
- Once added, you will have “everyone” left with “no rule apply” and “nothunderbird” with “rule apply”
- This means that rule will only apply to members of “nothunderbird” group.
- Now that the rule is done, you can create a share to have them centrally available with the right permissions, copy them over and implement the copy script
Saved rules (on VDA): C:\Users\dexanul\Documents
Source (share): \\Ddc\AppMask
Destination (VDA): C:\Program Files\FSLogix\Apps\Rules
- Set copy script via policy in order to have the rules copied over via GPO. You will need to copy the files to full path. Relative path may result in permissions issue.
Full path:
C:\Windows\SYSVOL\sysvol\dexanul.lab\scripts
Relative path:
\\dexanul\sysvol\dexanul.lab\scripts
- Script itself needs to only be updated with the share where rules reside:
- Configure GPO with the following settings (i`m using it as a startup script)
- Reboot VDA and logon with user member of nothunderbird security group and check Destination (VDA): C:\Program Files\FSLogix\Apps\Rules to confirm that the rules are copied over and applied
- After reboot, rules have been copied over but since i`m not logged on with correct user, I can still see the thunderbird icon on desktop and can execute it
- Logging on with correct user, we can see that shortcut is not available on desktop only in start and it cannot be executed
Reference articles:
Configuration reference (video) FSLOGIX Application Masking
Application Masking with FSLogix in Windows Virtual Desktop
AppMasking copy script
https://github.com/tsrob50/WVD-Public/blob/master/Copy-AppMaskRules.ps1
Other step-by-step guides
https://cloudbuild.co.uk/tag/how-to-configure-fslogix-step-by-step/