Aaron Parker's stealthpuppy

on applications, desktop and Terminal Server deployment, virtualisation and anything else that takes my fancy

Get latest Citrix Receiver version with PowerShell

Tue, 01/09/2018 - 01:57

I’ve previously written about deploying Citrix Receiver to Windows 10 via Intune with PowerShell. I wrote a script that will detect an installed version of Receiver and update to the latest version if it is out of date. To start with, I’ve hard-coded the current Receiver for Windows version into the script; however, that’s not necessarily the best approach, because it will require updating whenever Receiver is updated.

The Citrix Receiver download page provides a source for querying Receiver versions for all platforms, so if we parse that page, we have a source for the latest Receiver versions for all platforms.

I’ve written a script that will parse the downloads page and return the current Receiver version for each platform unless a login for that platform is required. If you’re looking to find the Receiver version for Windows, Windows LTSR, Linux, Mac etc., the script can be used to return the version number for the desired platform.

Here’s the script:

To use the script, save as Get-CitrixReceiverVersion.ps1 and run from the command line. With no parameters, it will return the version number for Citrix Receiver for Windows:

.\Get-CitrixReceiverVersion.ps1

The script returns the version for a specific platform with the -Platform parameter. It accepts only a fixed set of values, such as ‘Windows’, ‘Mac’ and ‘Linux’; the script validates the value and supports tab completion.

.\Get-CitrixReceiverVersion.ps1 -Platform Mac

Here’s the script in action:

Get-CitrixReceiverVersion.ps1 returning the latest version for various Receiver platforms

I’ve written this primarily for my purposes, but perhaps there are other purposes that I’ve not yet considered. Feedback, issues and improvements to the script are welcome.

This article by Aaron Parker, Get latest Citrix Receiver version with PowerShell appeared first on Aaron Parker.

Categories: Community, Virtualisation

Folder Redirection to OneDrive on Windows 10 with Intune

Wed, 12/27/2017 - 11:15

If you’re deploying Windows 10 with Modern Management (Azure AD joined, MDM managed), you’ll likely have wondered about data protection – if users aren’t intentionally saving documents to their OneDrive folder, those documents are likely not synchronised and therefore not protected against data loss.

Traditionally managed PCs will have folder redirection (and offline files) so that users’ documents are synchronised when corporate network connectivity is restored. Some organisations will even have implemented folder redirection into the OneDrive folder via Group Policy, as a better alternative.

Implementing folder redirection for Windows 10 via Intune currently isn’t possible, so we need a creative solution to this challenge. With PowerShell scripts available to deploy via Intune, we can create a custom approach for redirecting important folders into OneDrive.

How Folder Redirection Works

Here’s an old, but a good article that covers how the Folder Redirection Extension works. It was written for Windows XP / Windows Server 2003, but the concepts are still the same in 2017. The article includes the following overview of folder redirection:

Folder Redirection processing contains five steps:

  1. Determine which user folders to redirect based on changes to Group Policy settings at the time of logon.
  2. Determine the target location specified for redirection and confirm the user has access rights to that location.
  3. If the target folder does not exist, the folder is created and the appropriate access control list (ACL) rights are set.
  4. If the folder exists, access rights and folder ownership are checked.
  5. If desired, the files contained within specified folders are moved to the new location, which also deletes them from the source folder if the source folders are local.

In this case, because we’re looking to redirect folders with the source and destination in the user profile on a local disk, we can skip steps 2, 3, and 4. Step 1 is obviously our main requirement, and step 5 (moving existing data into the new folder on the same disk) should be quick and reasonably safe on modern PCs with SSDs.

Given that we don’t have Group Policy available to us, we need to implement steps 1 and 5 in such a way that we can be sure the redirection and move of data will be successful.

Implementing folder redirection in PowerShell 

A script that implements folder redirection using SHSetKnownFolderPath is available from here: SetupFoldersForOneDrive.ps1. This defines a function called Set-KnownFolderPath that can be used to redirect a known folder of your choosing to a target path and it works quite well. In its current iteration though, all it does is redirect the folder. 

Because we also need to move the folder contents, I’ve forked the script and added some additional functionality:

This version of the script updates the Set-KnownFolderPath function to ensure all known folders for Documents, Pictures etc. are covered and adds:

  • Get-KnownFolderPath – we need to know what the existing physical path is before redirecting the folder
  • Move-Files – a wrapper for Robocopy.exe. Rather than implement the same functionality of Robocopy in PowerShell, the script references it directly to move the contents of the folder to the new location. This ensures that we also get a full log of all files moved to the new path.
  • Redirect-Folder – this function wraps some testing around the redirect + move functionality
  • Reads the OneDrive for Business sync folder from the registry to avoid hard-coding the target path
  • Implements redirection for the Desktop, Documents and Pictures folders.

My script could do with some additional error checking and robustness; however, it provides the functionality required to redirect specific folders into the OneDrive folder and can be re-run as required to ensure that redirection is implemented for each folder.
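The functions described above, as an added example that is not the post’s forked script: Get-KnownFolderPath and Set-KnownFolderPath wrap SHGetKnownFolderPath/SHSetKnownFolderPath, Move-Files wraps Robocopy, and Redirect-Folder ties them together. The OneDrive for Business registry key and the Robocopy switches are assumptions, not taken from the post.

```powershell
# Added example: redirect a known folder into the OneDrive for Business sync folder
# and move its existing contents with Robocopy, logging the move to %LocalAppData%\RedirectLogs.
Add-Type -Namespace Redirect -Name KnownFolders -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern int SHGetKnownFolderPath(ref Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr ppszPath);
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern int SHSetKnownFolderPath(ref Guid rfid, uint dwFlags, IntPtr hToken, string pszPath);
'@

# Documented KNOWNFOLDERID values for FOLDERID_Desktop, FOLDERID_Documents and FOLDERID_Pictures.
$KnownFolders = @{
    'Desktop'   = [Guid]'B4BFCC3A-DB2C-424C-B029-7FE99A87C641'
    'Documents' = [Guid]'FDD39AD0-238F-46AF-ADB4-6C85480369C7'
    'Pictures'  = [Guid]'33E28130-4E1E-4676-835A-98395C3BC3BB'
}

function Get-KnownFolderPath {
    # Returns the current physical path of the known folder for the calling user.
    param([Parameter(Mandatory)][ValidateSet('Desktop','Documents','Pictures')][string]$KnownFolder)
    $id  = $KnownFolders[$KnownFolder]
    $ptr = [IntPtr]::Zero
    $hr  = [Redirect.KnownFolders]::SHGetKnownFolderPath([ref]$id, 0, [IntPtr]::Zero, [ref]$ptr)
    if ($hr -ne 0) { throw "SHGetKnownFolderPath failed for $KnownFolder (HRESULT 0x$('{0:X8}' -f $hr))" }
    try     { [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr) }
    finally { [Runtime.InteropServices.Marshal]::FreeCoTaskMem($ptr) }
}

function Set-KnownFolderPath {
    # Points the known folder at $Path, creating the target first so the shell accepts it.
    param([Parameter(Mandatory)][ValidateSet('Desktop','Documents','Pictures')][string]$KnownFolder,
          [Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -ItemType Directory -Force | Out-Null }
    $id = $KnownFolders[$KnownFolder]
    $hr = [Redirect.KnownFolders]::SHSetKnownFolderPath([ref]$id, 0, [IntPtr]::Zero, $Path)
    if ($hr -ne 0) { throw "SHSetKnownFolderPath failed for $KnownFolder (HRESULT 0x$('{0:X8}' -f $hr))" }
}

function Move-Files {
    # Robocopy wrapper (assumed switches): /MOVE deletes from source after copying, /E includes
    # empty subfolders, /XJ skips junctions so the move never follows a reparse point out of the profile.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination,
          [Parameter(Mandatory)][string]$Log)
    $argList = @("`"$Source`"", "`"$Destination`"", '/E', '/MOVE', '/XJ', '/R:1', '/W:1', '/NP', "/LOG+:`"$Log`"")
    $proc = Start-Process -FilePath 'Robocopy.exe' -ArgumentList $argList -Wait -PassThru -WindowStyle Hidden
    # Robocopy exit codes below 8 indicate success (0 = nothing to copy, 1 = files copied, and so on).
    if ($proc.ExitCode -ge 8) { throw "Robocopy failed with exit code $($proc.ExitCode); see $Log" }
}

function Redirect-Folder {
    # Redirects one known folder under $SyncRoot, then moves the data; re-running is a no-op once redirected.
    param([Parameter(Mandatory)][ValidateSet('Desktop','Documents','Pictures')][string]$KnownFolder,
          [Parameter(Mandatory)][string]$SyncRoot)
    $target  = Join-Path -Path $SyncRoot -ChildPath $KnownFolder
    $current = Get-KnownFolderPath -KnownFolder $KnownFolder
    if ($current -ieq $target) { Write-Verbose "$KnownFolder is already redirected to $target"; return }
    $logDir = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'RedirectLogs'
    if (-not (Test-Path -Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
    Set-KnownFolderPath -KnownFolder $KnownFolder -Path $target
    Move-Files -Source $current -Destination $target -Log (Join-Path -Path $logDir -ChildPath "$KnownFolder.log")
}

# Assumed location of the OneDrive for Business sync folder in the registry; exit quietly if the
# client is not set up yet so the logon task can simply try again next time.
$account  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1' -ErrorAction SilentlyContinue
$syncRoot = $account.UserFolder
if (-not $syncRoot -or -not (Test-Path -Path $syncRoot)) {
    Write-Warning 'OneDrive for Business sync folder is not configured yet; nothing redirected.'
    return
}
foreach ($folder in 'Desktop', 'Documents', 'Pictures') { Redirect-Folder -KnownFolder $folder -SyncRoot $syncRoot }
```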

Deploying with Microsoft Intune

Intune allows you to deploy PowerShell scripts that run either in the user’s context or in the Local System context. 

Intune PowerShell script settings – user context. Not what we want.

Implementing the redirection script in the user context though fails when adding the SHSetKnownFolderPath class to the script session. Additionally, deploying the script in this manner will only run the script once – if the OneDrive client is not configured correctly when the script runs, the folder redirection will then never work.

Instead of deploying the folder redirection script with Intune, we can instead deploy a script that downloads the folder redirection script to a local path and creates a scheduled task that runs at user login to run the script. That way, we can be sure that the redirection script will run after the user has logged into the OneDrive client and set up the local sync folder in their profile. Additionally, this approach will enable folder redirection to run for any user logging onto the PC.

The script below will download the redirection script to C:\ProgramData\Scripts, create the scheduled task and output a transcript into the same folder.

Note that this downloads the redirection script from my public gist repository. If you implement this in production, I would highly recommend a more secure source for the redirection script.

Right now this script is quite simple – it will need to be updated to remove or update an existing script in the event you need to remove the script from Intune and re-add it.
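An added example of the Intune-deployed wrapper described above (not the post’s Set-RedirectOneDriveTask.ps1): it runs as Local System, pins the downloaded redirection script to a reviewed SHA256 hash before trusting it, locks down C:\ProgramData\Scripts so a standard user cannot replace the script that every other user runs at logon, and re-registers the task idempotently. The download URL and expected hash are placeholders.

```powershell
# Added example: download the redirection script, verify it, and register a logon task for all users.
$ScriptUrl    = 'https://EXAMPLE-PLACEHOLDER/Redirect-Folders.ps1'   # placeholder; use a trusted source
$ExpectedHash = 'REPLACE-WITH-SHA256-OF-THE-REVIEWED-SCRIPT'          # placeholder; pin the reviewed script
$ScriptDir    = 'C:\ProgramData\Scripts'
$ScriptPath   = Join-Path -Path $ScriptDir -ChildPath 'Redirect-Folders.ps1'
$TaskName     = 'OneDrive Folder Redirection'

if (-not (Test-Path -Path $ScriptDir)) { New-Item -Path $ScriptDir -ItemType Directory -Force | Out-Null }
Start-Transcript -Path (Join-Path -Path $ScriptDir -ChildPath 'Set-RedirectOneDriveTask.log') -Append
try {
    # Download to a temporary file and only move it into place once the hash matches.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $tmp = Join-Path -Path $env:TEMP -ChildPath ([IO.Path]::GetRandomFileName())
    Invoke-WebRequest -Uri $ScriptUrl -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedHash) {
        Remove-Item -Path $tmp -Force
        throw "Downloaded script hash $actual does not match expected $ExpectedHash; not installing."
    }
    Move-Item -Path $tmp -Destination $ScriptPath -Force

    # Explicit ACL: SYSTEM and Administrators full control, Users read and execute only.
    $acl = Get-Acl -Path $ScriptDir
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
    foreach ($entry in @(@('NT AUTHORITY\SYSTEM', 'FullControl'),
                         @('BUILTIN\Administrators', 'FullControl'),
                         @('BUILTIN\Users', 'ReadAndExecute'))) {
        $rule = New-Object Security.AccessControl.FileSystemAccessRule(
            $entry[0], $entry[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $ScriptDir -AclObject $acl

    # Remove any previous copy of the task so the Intune script can be removed and re-added cleanly.
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    # Runs in the context of whichever member of Users logs on, without elevation.
    $principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Hidden
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Write-Output "Registered task '$TaskName' running $ScriptPath at logon."
}
finally { Stop-Transcript }
```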

To deploy the script via Intune, save it locally as Set-RedirectOneDriveTask.ps1 and add as a new PowerShell script under Device Configuration. Ensure that the script runs as Local System by setting ‘Run this script using the logged on credentials’ to No. This is required for creating the scheduled task. 

Adding the Create OneDrive Redirect Task script to Intune

Assign the script to a user or device group and track deployment progress in the Overview blade. A successful deployment will result in a scheduled task on the target PCs. 

OneDrive Folder Redirection Task Properties

When the script is downloaded and the task is created successfully, you’ll see the script and a transcript in C:\ProgramData\Scripts.

The downloaded folder redirection script

When the folder redirection script runs Robocopy to move documents, it will log those moves to %LocalAppData%\RedirectLogs.

Data copy/move logs

When implemented in this way, the script will run at user login and successfully implement folder redirection into the OneDrive for Business sync folder. The user will see a PowerShell script window (even though it’s set to hidden) – this could be fixed by pointing the scheduled task to a VBScript wrapper.

Configuring OneDrive

OneDrive should be configured for single sign-on for the best user experience. Not necessarily a requirement; however, it will make it quicker for users to be up and running and therefore quicker for the script to redirect the target folders.

Given the approach outlined in this article, it’s unlikely that the user’s folders will be redirected on the first login. Adding a delay to the scheduled task may allow redirection to work on the first run; however, this would require several tasks to run in order and Intune won’t necessarily run all tasks in the required order.

Summary

In this article, I’ve outlined an approach to implementing folder redirection with PowerShell, via Intune, into the OneDrive for Business sync folder. This uses a script deployed from Intune to Windows 10 Azure AD joined machines to download the folder redirection script and create a scheduled task that runs at user login to perform the redirection and data move.

Redirecting the Desktop, Documents and Pictures should provide protection for the key user folders. While redirecting additional folders is possible, they can often contain data that would be less than ideal for synchronising to OneDrive.

Redirected Documents folder in the OneDrive sync folder

The scripts I’ve posted here are provided as-is and I highly recommend testing carefully before implementing in production.

Bonus 

The folder redirection script will work for any enterprise file and sync tool, not just OneDrive for Business. For example, if you wanted to redirect folders into Citrix ShareFile, just read the PersonalFolderRootLocation value from HKCU\Software\Citrix\ShareFile\Sync to find the sync folder.


Categories: Community, Virtualisation

Deploy Citrix Receiver to Windows 10 with Intune and PowerShell

Sat, 12/23/2017 - 01:47

If you’re using Windows 10 Modern Management you’ll know that some applications present a challenge for deployment via Intune (or any MDM solution), because Windows 10 MDM supports the deployment of Win32 applications via a single MSI only. Applications such as Citrix Receiver, that are a single EXE (that wraps multiple MSI files), can be particularly challenging. You can create a custom wrapper to deploy Receiver, but this requires a packaging tool and some specific knowledge on how to package applications.

Microsoft Intune now supports deploying PowerShell scripts to Windows 10 machines, which can provide a more flexible framework for deploying complex applications. For Citrix Receiver, we can use this approach to target Windows 10 PCs for downloading the latest version of Receiver directly from Citrix and install it with any required command line options. This ensures that devices always install the latest version and the Intune administrator only ever has to create a single deployment option via a PowerShell script.

Installing Citrix Receiver

Here’s a simple script to detect whether Receiver is installed and if not, download and install Receiver using a specific set of command line options.

The script could be extended with some additional error checking and logging to provide some additional auditing of the installation, but I have tested this successfully.
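An added example of the detect, download and install flow described above (not the post’s Install-CitrixReceiver.ps1). It adds the check a practitioner would want when an end-point pulls an installer from the internet: the downloaded CitrixReceiver.exe must carry a valid Authenticode signature from Citrix before it is executed. The download URL, the silent-install switches and the accepted exit codes are assumptions.

```powershell
# Added example: install Citrix Receiver only if it is absent and the installer's signature checks out.
$ReceiverUrl = 'https://EXAMPLE-PLACEHOLDER/CitrixReceiver.exe'   # placeholder; use the official Citrix URL
$WorkDir     = Join-Path -Path $env:ProgramData -ChildPath 'Install-CitrixReceiver'
$Installer   = Join-Path -Path $WorkDir -ChildPath 'CitrixReceiver.exe'
$InstallArgs = '/silent /noreboot'                                  # assumed switches; adjust to your build
$LogPath     = Join-Path -Path $WorkDir -ChildPath 'Install.log'

function Get-InstalledReceiver {
    # Look in both the 64-bit and 32-bit uninstall keys for a Receiver entry.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Receiver*' } |
        Select-Object -First 1 -Property DisplayName, DisplayVersion
}

function Test-InstallerSignature {
    # Require a valid chain AND a Citrix subject so a substituted binary is rejected before it runs.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Citrix')
}

New-Item -Path $WorkDir -ItemType Directory -Force | Out-Null
Start-Transcript -Path $LogPath -Append
try {
    $existing = Get-InstalledReceiver
    if ($existing) {
        Write-Output "Found $($existing.DisplayName) $($existing.DisplayVersion); nothing to do."
        return
    }

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $ReceiverUrl -OutFile $Installer -UseBasicParsing -ErrorAction Stop
    if (-not (Test-InstallerSignature -Path $Installer)) {
        Remove-Item -Path $Installer -Force
        throw 'Downloaded CitrixReceiver.exe failed Authenticode validation; install aborted.'
    }

    $proc = Start-Process -FilePath $Installer -ArgumentList $InstallArgs -Wait -PassThru
    # 0 = success; 3010 = success, reboot required (assumed, as for MSI-based installers).
    if ($proc.ExitCode -notin 0, 3010) { throw "Receiver installer exited with code $($proc.ExitCode)" }
    $installed = Get-InstalledReceiver
    Write-Output "Installed $($installed.DisplayName) $($installed.DisplayVersion) (exit code $($proc.ExitCode))."
}
finally { Stop-Transcript }
```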

Deploying via Intune

Deploying the script via Intune is done just like any other PowerShell script. Save the script locally and then in the Azure Portal, Intune blade, under Device Configuration / PowerShell scripts, add a new script and upload the saved script.

Adding the Install-CitrixReceiver.ps1 script to Intune

Assign the script to an Azure AD group for target users or devices. Your script should then be listed as an assigned script. 

Install-CitrixReceiver.ps1 alongside other PowerShell scripts

Once deployed, we can track successful installations in the Overview blade. Note that the script will only run once per target device – it should be unlikely that the device will receive the script and have it fail (e.g. fail to download the CitrixReceiver.exe), but there could be edge cases where installation fails as a result of some very specific circumstances.

Citrix Receiver deployment overview

Post-deployment, we can rely on the updater functionality built into the latest Receiver releases to keep end-points up to date.

Summary

We used a simple approach to the deployment of a non-MSI application to Windows 10 via Intune with a PowerShell script. This simple example enables deployment of Citrix Receiver with no special packaging, and because the end-point downloads Receiver directly from Citrix, we can be sure the latest version will be deployed each time.


Categories: Community, Virtualisation

Improving Ivanti Application Control Message Boxes

Sat, 12/02/2017 - 12:37

Ivanti Application Control (previously AppSense Application Manager) is an application whitelisting and privilege management solution; however, I think you’re likely aware of that since you’re reading this article. Application Control has a number of customisable message boxes that are displayed to the end-user for Windows application whitelisting or privilege elevation scenarios. In this article, I’ll discuss improving the end-user experience with some visual flair and text.

Default Message Boxes

Let’s take a look at a typical message box. Below is the default Access Denied message displayed to users on Windows 10 when attempting to start an application that hasn’t been white-listed.

Ivanti Application Control default access denied message box

With apologies to Guy Leech (the original developer of AppSense Application Manager), this message box doesn’t fit with Microsoft’s recommended Windows 7 or Windows 10 desktop UI guidelines, nor does it display anything useful or actionable to the end user. Side note – on Windows 10, I’d love to see this particular message as a notification instead because there’s no immediate action the user can take.

Here’s another message box – this one is shown for privilege escalation. Similar in a sense to a UAC dialogue box, but this forces the user to complete the action for elevating an application with a reason for taking that action that can be audited.

Ivanti Application Control default self-elevation message box

There are several scenarios where Application Control may display a message to the end user:

  • Access Denied – execution of an application is denied
  • Application Limits Exceeded – the end-user is prevented from running multiple instances of an application
  • Self-Elevation – an end-user can elevate an application via Application Control instead of being granted administrative rights
  • System Controls – the user can be prevented from uninstalling an application, clearing specific event logs or stopping services
  • Time Limits – time limits can be put on application execution
  • Self-Authorization – end-user can be given the ability to whitelist an application themselves
  • Network Connections – controls can be placed on network destinations, paths or ports

So there is potentially a reasonable level of interaction with the end-user, and thus Application Control can have some impact on the perception of a user’s everyday experience. Fortunately, each of these message boxes is almost fully customisable – Ivanti provides the administrator with the ability to control both the appearance and text in the message to something that may suit a specific requirement or the environment into which it is deployed.

Creating “Good” Message Boxes

Dialog boxes suck (or at least a good chunk of them do). To understand why, here’s an excellent article I recommend reading – The Magic of Flow and Why Dialogs Frustrate People. Dialogs interrupt user workflow, and it’s safe to assume a user is typically seeing multiple messages in a single session (not just our Application Control messages).

Application Control supports customising the messages as well as the UI with HTML and CSS. With customisable notifications, the Application Control administrator effectively becomes a UX designer; therefore to provide users with the best experience possible and balance security needs of the organisation, we should consider carefully that experience both visually and narratively in the text displayed to the user.

When customising these I recommend paying careful attention to the language and tone of the text. Empowering a user to take the right, or no, action without generating unnecessary service desk calls is important. Here are my 3 recommendations for customising these messages boxes for an environment:

  • Ensure the message boxes fit with Microsoft UX guidelines for Windows – apart from not visually assaulting the senses, fitting in with the standard Windows visual style will provide users with a sense that these messages are a part of the normal Windows desktop workflow
  • Don’t overwhelm the user with explanatory text that they aren’t going to read anyway – avoid dialogue box fatigue. If you can, provide a link to more information, so that the user can choose to read up on why the system has been implemented
  • Don’t assume the user is doing the wrong thing. Taking a default hostile stance via the language or wording used in the messages won’t foster a sense of trust. Yes, insider threats are often the main cause of security breaches, but IT can do its part in building team trust

I believe these to be reasonable principles to consider, but of course, some environments may have specific requirements.

Microsoft has published user interface guidelines for Windows for many years, with what I would call “mixed results” from the developer community. While good design isn’t easy, Microsoft has guidelines on Fonts, Style and Tone, and User Interface Principles that are applicable to the Application Control administrator.

Looking for Inspiration

Microsoft has specific message boxes in User Account Control that I’ve used as the basis for improving the messages boxes from Application Control; both visually and in the language/text. Here’s a typical UAC message box on Windows 10 – it provides some immediate visual feedback with colour and simple language for the user to act upon:

Windows User Account Control message box

UAC (and SmartScreen) displays various message boxes depending on the action taken that have different colours to better provide the user with an immediate visual feedback. 

From top to bottom: blocked app, app with unknown publisher, app with a known/trusted publisher

Sticking with an established visual style, we can use these colours in our Application Control message boxes. I haven’t found documentation on the colours from Microsoft, so the hex values below might not be 100% accurate.

  • Blue (#85b8e8) background is from the message box used to identify Windows components or software that is signed and trusted
  • Yellow (#f8d470) background is from the message box that identifies components or applications that are untrusted or not signed
  • Red (#8e000b) background denotes an application that has been blocked by Windows SmartScreen. I’ve used a softer red (#bf3235) background from the Ivanti Application Control console instead of the UAC red

In addition to the visual style, we can use these as examples of the language to use in our customised Application Control message boxes. 

Updating Ivanti Application Control Message Boxes

These message boxes are customisable via HTML and CSS, so we have the ability to exert a certain level of control on the look and feel. To enable the full level of customisation, you’ll need to be running Application Control 10.1 FR3, as the limit on the number of characters in some of the messages has been removed.

Here are the default Message Settings properties:

Ivanti Application Control message settings

Under the Advanced button is the CSS used to customise the visuals. So the first thing we’re going to do is customise that CSS to align the visuals with Windows 10. I am maintaining an updated CSS file to completely replace the default CSS on GitHub, which means that anyone can fork the file, improve it and contribute.

There are a few things that the CSS does and provides customisation for:

  1. Changes the default font to Segoe UI, the default Windows font (instead of Microsoft San Serif). The font used in the user input box in self-elevation message boxes is changed to Consolas instead of Courier New
  2. Hides the red and white X graphic. By default, this image is shown on all message boxes and doesn’t actually fit in with the intention of all messages boxes
  3. Enables a header in the 3 colours shown above
  4. Gives buttons a Windows 10 look
  5. Prevents scrollbars from showing inside the message boxes – because the messages can only be set to a fixed height and width, some scrolling occurs even in the default messages shown in the images at the beginning of this article

At the moment, this CSS isn’t perfect and requires updates to fix text being cut off on the right-hand side of the dialog box, but I think it’s a huge improvement over what’s provided by default.

Access Denied

Let’s look again at the default Access Denied message box. This doesn’t fit into the Windows UI, doesn’t necessarily tell the user what’s occurred or tell them whether any further action is required.

Ivanti Application Control default access denied dialog box

With our new CSS in place, we can modify the HTML behind this message to reflect what’s going on, as well as provide the user with a link to a page with more information. Note that because my CSS isn’t currently perfect, I’m cheating a bit by putting a carriage return after “Running this app might put”, so that the text isn’t cut off on the right-hand side of the message box.

<div class="header red">An app has been prevented from running to protect this PC.</div>
<div class="description">An unrecognised or unauthorised app was prevented from starting. Running this app might put
your PC at risk.
Blocked app: %ExecutableName%
Location: %DirectoryName%
Description: %AC_FileDescription%
Publisher: %AC_CompanyName%
Please view the <a href="https://servicedesk.stealthpuppy.com">Information Security Corner</a> for details on why this app was blocked. To install an app, you may need to raise a service request.
</div>

Because we have a fixed height and width for the box, I’ve set the height to 690 pixels and the width to 440. Our new Access Denied message box now looks like this:

Ivanti Application Control access denied message box with improved styling

In this example, we are now providing the user with some immediate visual feedback, some reason as to why the application was blocked, some details on what was blocked and finally a link to more information (i.e. the action that the user can take). An external page can provide the user with a framework for understanding what’s going on and whether they should pick up the phone for the service desk (or not), with better detail and interaction than a message box could provide.

Self-Elevation

Now let’s do the same with the Self-Elevation action. Here’s the HTML:

<div class="header yellow">Do you want to allow this app to make changes to your device?</div>
<div class="description">App name: %ExecutableName%
<br/>This action will run this app with elevated privileges. Please provide the reason for taking this action. This information will be logged and audited. Improper use of elevated applications is in violation of the <a href="https://servicedesk.stealthpuppy.com">Acceptable Use Policy</a>.</div>

I’ve set the height to 770 pixels and the width to 460. Here’s the result:

Ivanti Application Control self-elevation message box with improved styling

In this example, we aren’t bombarding the end-user with text nor assuming what they’re doing is a hostile action. If you’re an IT Pro or a developer, there’s a good chance you’ll need to elevate an application several times during a single session, so this could be something you see multiple times a day.

System Controls

For a simple example, let’s update the System Controls message.

<div class="header blue">Uninstall of %ApplicationName% is not permitted.</div>
<div class="description">Removal of this application has been denied to protect the integrity of this PC.</div>

Which then looks like this:

Ivanti Application Control system controls message box with improved styling

Here we’ve used blue to differentiate this from the previous two messages.

Be aware of High DPI Displays

Note that today Application Control doesn’t support high DPI displays or scaling above 100% very well. Because those dialog boxes are a fixed size and the contents don’t scale, you get something like this:

Ivanti Application Control Access Denied Dialog at 200% scaling

Ivanti is, of course, aware of the issue and I assume there’ll be a fix in a future update. Until then, at least on Windows 10, you can override the high DPI scaling behaviour. The Application Control Agent folder has a number of executables that run each of the messages. For example, to fix the scaling on the Access Denied message box, set the compatibility properties of AMMessage.exe so that the high DPI scaling behaviour is overridden to System (Enhanced).

Setting Application Control High DPI Scaling Compatibility

Once set, the message box will be rendered at its correct size and scaled up on high DPI displays, so the box may look fuzzy depending on resolution and scaling. To avoid setting this on each executable individually on each end-point, use Group Policy or the Application Compatibility Toolkit to set these properties.

Conclusion

In this article, I’ve discussed how to improve the Ivanti Application Control message boxes for both visuals and text. With some effort, we’ve updated the style to better fit in with Windows 10, but these look right at home on Windows 7 as well. Additionally, the text has been improved to provide users with (hopefully) just the right amount of explanation, enabling them to take effective action if needed.

The custom CSS streamlines the visuals and better aligns the message boxes with UI guidelines from Microsoft. While I’ve made the CSS available on GitHub, it could do with some improvement. Opening this up to the community will enable feedback and updates.


Categories: Community, Virtualisation

Melbourne CUGC IV – It’s LTSR in the Spotlight!

Wed, 10/04/2017 - 11:20

We’ve been busy planning our next CUGC meet-up for 2017, which will be on the 24th of October at the Telstra Conference Center at 242 Exhibition St. To attend the meet-up, ensure you’ve signed up at the MyCUGC.org site: https://www.mycugc.org/page/melbourne-oct24-2017 

Agenda

We’ve got Christian Lloyd from Citrix to take us through the XenDesktop / XenApp 7.15 LTSR release. This release is not to be underestimated, and I’m expecting to see many organisations finally moving off XenApp 6.5, and those still on 7.6 LTSR upgrading to 7.15, to take advantage of the new features. Because the latest release has so many features, the theme for this meeting will be ‘Doing more with what you have’; so we’ll also take you through some of the really interesting features (e.g. FAS, App Layering, Workspace Environment Management, etc.) that you can be taking advantage of to improve your XD/XA environments. Plus get your questions about how to migrate answered.

CUGC Community Presentation

We still have space for a community presentation – if you’re interested in presenting on any topic related to Citrix technologies, we would love for you to present. 

Sponsor

This month, we’re really happy to have eG Innovations sponsoring our meet-up and to discuss proactive monitoring, assessment and management of your Citrix XenDesktop and XenApp environments. To get an idea what eG Innovations is doing, check out this recent Citrix blog article: Monitor Logon Performance Seamlessly with eG Innovations. Did you know they have a logon simulator? Check it out: 

eG Enterprise Express-Free-Logon Simulator screenshot

eG Innovations enables us to rent the venue and also provide beer and pizza for XenBeers afterwards, so we’d love to see you there. Even better, they’ll be giving away a Google Home!

Win Google Home at our next CUGC meet-up

Special Announcement

Be sure to come along to this month’s event to hear about our extra special December event. This is not something you’re going to want to miss.



Categories: Community, Virtualisation