Aaron Parker's stealthpuppy

on applications, desktop and Terminal Server deployment, virtualisation and anything else that takes my fancy

Melbourne CUGC IV – It’s LTSR in the Spotlight!

Wed, 10/04/2017 - 11:20

We’ve been busy planning our next CUGC meet-up for 2017, which will be on the 24th of October at the Telstra Conference Center at 242 Exhibition St. To attend the meet-up, ensure you’ve signed up at the MyCUGC.org site: https://www.mycugc.org/page/melbourne-oct24-2017 


We’ve got Christian Lloyd from Citrix to take us through the XenDesktop / XenApp 7.15 LTSR release. This release is not to be underestimated and I’m expecting to see many organisations finally moving off XenApp 6.5, and those still on 7.6 LTSR upgrading to 7.15 to take advantage of the new features. Because the latest release has so many features, the theme for this meeting will be ‘Doing more with what you have’; so we’ll also take you through some of the really interesting features (e.g. FAS, App Layering, Workspace Environment Management, etc.) that you can be taking advantage of to improve your XD/XA environments. Plus, get your questions about how to migrate answered.

CUGC Community Presentation

We still have space for a community presentation – if you’re interested in presenting on any topic related to Citrix technologies, we would love for you to present. 


This month, we’re really happy to have eG Innovations sponsoring our meet-up and to discuss proactive monitoring, assessment and management of your Citrix XenDesktop and XenApp environments. To get an idea what eG Innovations is doing, check out this recent Citrix blog article: Monitor Logon Performance Seamlessly with eG Innovations. Did you know they have a logon simulator? Check it out: 

eG Enterprise Express-Free-Logon Simulator screenshot

eG Innovations enables us to rent the venue and also provide beer and pizza for XenBeers afterwards, so we’d love to see you there. Even better, they’ll be giving away a Google Home!

Win Google Home at our next CUGC meet-up

Special Announcement

Be sure to come along to this month’s event to hear about our extra special December event. This is not something you’re going to want to miss.


This article by Aaron Parker, Melbourne CUGC IV – It’s LTSR in the Spotlight! appeared first on Aaron Parker.

Categories: Community, Virtualisation

Simple Country of Origin Control for NetScaler with Azure AD

Thu, 09/28/2017 - 06:29

Great news! Microsoft has enabled a number of available conditions and custom controls in Azure AD for use in Conditional Access, making these policies even more useful. This includes a simple method to control access to Citrix NetScaler by country of origin.

Back in March of this year, I was working on a project to design a solution for hosting applications in an Azure data centre, with access provided by Citrix XenApp and NetScaler. This particular customer needed to control access to both Office 365 applications and XenApp from specific locations only. 

By configuring Citrix FAS and NetScaler with SAML authentication to Azure AD, we were able to use Named Locations in Azure AD Conditional Access policies to achieve the desired goal. For instance, we could allow Office 365 only from compliant or domain-joined PCs and ensure access to XenApp only from specific locations. Thus a certain group of users could only access Office 365 applications from XenApp, and then only from a specific physical location.

All was well, until Microsoft pulled the ability to use Named Locations in Conditional Access policies half-way through the project. Lesson learned – never rely on preview features in Azure.

At Ignite 2017 this week, Microsoft announced a number of new conditions that includes the ability again to use Named Locations in conditions. What’s new here is the ability to pick from a list of countries when defining those locations. With the number of new conditions available, including Terms of Use, VPN connectivity and Custom controls, I am hoping that Microsoft will not pull these features in the future and instead get them out of preview as quickly as possible.

SAML All The Things!

In my previous article on integrating Citrix NetScaler with Azure AD and Conditional Access, I described the steps to enable SAML authentication to Azure AD from NetScaler, giving a single authentication experience across remote published apps (or desktops) and Office 365. You could of course extend this to additional applications, providing users with single sign-on across all sorts of applications.

Doing so allows IT to control access to any application, whether that be legacy Win32 apps, or new SaaS applications from a single administrative experience with Conditional Access. Seen in the screenshot below, I have policies providing access to various applications – it’s a beautiful thing.

Azure AD Conditional Access policies

Conditions in Conditional Access Policies

The new conditions and controls should be available now, in preview, for just about everyone. These include:

  • Custom controls – JSON for customised controls from 3rd party claim providers. This should enable just about any type of user or device control in a CA policy
  • Terms of use – require a user to consent to your organisation’s terms of use before they get access to an application
  • VPN connectivity – force device compliance (for Windows 10 devices) before being allowed access to a corporate VPN

New conditions and controls in preview

Enabling Country of Origin

Previously, Named Locations only allowed you to define locations via specific subnets that identify egress locations, e.g. your corporate office. New in Named Locations is the ability to add specific countries that you could use in allow or block scenarios, effectively enabling a whitelist or blacklist of regions.

Creating a Named Location to define country of origin

Once these Named Locations are defined, it’s possible to mix and match locations depending on your requirements. Within a Conditional Access policy, enable Locations under Conditions, and add the Named Locations. Use either Include or Exclude to whitelist or blacklist respectively.

Allowing access from specific countries

And that’s it! We now have country of origin as one condition that we can use to ensure access is secure. Combine it with requiring a compliant device, enforcing MFA, or a custom control to give you confidence that access to XenApp or XenDesktop applications (or perhaps even web apps) is secure.

Granting access with MFA

If we were to compare setting up NetScaler Gateway with AD integration, 3rd party multi-factor authentication and country of origin access by subscribing to a country database (see How to Use NetScaler to Block Access to a Website Using a Location Database Based on User’s Country), I’m sure you would agree this method is simpler and easier to maintain.
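The allow and block scenarios described above can also be written down as request bodies for the Microsoft Graph conditionalAccess API. This is an added example, not part of the original article; the display names, country codes and the two placeholder IDs are assumptions. A Conditional Access policy only acts on sign-ins that match its conditions, so the allow list here is expressed as a block policy that includes all locations and excludes the allowed Named Location.

```powershell
# Added example: request bodies for the Microsoft Graph conditionalAccess API.
# Display names, country codes and the placeholder IDs are assumptions.
function New-CountryLocationBody {
    param([string]$DisplayName, [string[]]$CountryCodes)
    @{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        displayName                       = $DisplayName
        countriesAndRegions               = $CountryCodes   # ISO 3166-1 alpha-2 codes
        includeUnknownCountriesAndRegions = $false          # IPs with no country are not in this location
    }
}

function New-CountryPolicyBody {
    param(
        [ValidateSet('AllowList', 'BlockList')][string]$Mode,
        [string]$LocationId,      # id returned when the Named Location is created
        [string]$ApplicationId    # enterprise app that NetScaler federates to
    )
    $locations = if ($Mode -eq 'AllowList') {
        @{ includeLocations = @('All'); excludeLocations = @($LocationId) }
    } else {
        @{ includeLocations = @($LocationId) }
    }
    @{
        displayName   = "NetScaler - $Mode by country"
        state         = 'enabledForReportingButNotEnforced'   # report-only until verified
        conditions    = @{
            clientAppTypes = @('all')
            users          = @{ includeUsers = @('All') }     # exclude emergency accounts before enforcing
            applications   = @{ includeApplications = @($ApplicationId) }
            locations      = $locations
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

$location = New-CountryLocationBody -DisplayName 'Allowed countries' -CountryCodes 'AU', 'NZ'
$policy   = New-CountryPolicyBody -Mode AllowList -LocationId '<named-location-id>' -ApplicationId '<netscaler-app-id>'
$location | ConvertTo-Json -Depth 5
$policy   | ConvertTo-Json -Depth 5

# To submit (requires the Microsoft.Graph.Identity.SignIns module and an admin session):
# New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location
# New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```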


Categories: Community, Virtualisation

Intune Company Portal for macOS Experience

Sat, 09/02/2017 - 06:06

Microsoft released a beta version of the Intune Company Portal for macOS just last month; however, it’s since been pulled from the Download Center. This app had been made available along with the announcement of Conditional Access supporting macOS in preview.

Installing the Company Portal is required to enable Conditional Access support on macOS, so I imagine a new version will be made available soon. If you’re testing with Macs or looking for full support with Intune, this is an important part of the puzzle.

Intune Web Enrollment

Prior to the Company Portal on macOS, enrollment in Intune was a largely manual process that required logging into the Intune web portal with a browser, downloading a management profile and installing it manually. Not the best user experience.

Here’s what that looks like:

Intune Company Portal for macOS Experience

With the Company Portal, the user experience is streamlined, with the management profile installed automatically and you can see device compliance status from within the app. Here’s a quick look at the end-user experience with the Intune Company Portal for macOS on macOS Sierra.

Hopefully we’ll see the portal app available for download again soon and available for wider testing. I’m also hoping that the availability of the Portal app means we’ll see the ability for Intune to install apps on macOS. As we see more Mac devices (either corporate or personally owned), the ability to deploy and manage apps on this platform becomes critical. 


Categories: Community, Virtualisation

Install-VisualCRedistributables.ps1 – A Visual C++ Redistributable Installer

Wed, 08/16/2017 - 13:50

In updating my MDT deployment shares recently, I got tired of having to do something about the Visual C++ Redistributable installers and finally decided to do something about it, so I’ve written a script that will download the installers and optionally install them – Install-VisualCRedistributables.ps1.

This script reads an external XML file that contains the installer information for each of the Visual C++ Redistributables, so that changes to URLs, install options and new redistributables can be made without making changes to the script. The XML file lists the download URL and install instructions for each installer and looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<Redistributables>
    <Platform Architecture="x64" Release="2005" Install="/Q">
        <Redistributable>
            <Name>Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update</Name>
            <URL>https://www.microsoft.com/en-us/download/details.aspx?id=26347</URL>
            <Download>https://download.microsoft.com/download/8/B/4/8B42259F-5D70-43F4-AC2E-4B208FD8D66A/vcredist_x64.EXE</Download>
        </Redistributable>
    </Platform>
    <Platform Architecture="x86" Release="2005" Install="/Q">
        <Redistributable>
            <Name>Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update</Name>
            <URL>https://www.microsoft.com/en-us/download/details.aspx?id=26347</URL>
            <Download>https://download.microsoft.com/download/8/B/4/8B42259F-5D70-43F4-AC2E-4B208FD8D66A/vcredist_x86.EXE</Download>
        </Redistributable>
    </Platform>
    <Platform Architecture="x64" Release="2017" Install="/install /passive /norestart">
        <Redistributable>
            <Name>Microsoft Visual C++ Redistributable for Visual Studio 2017</Name>
            <URL>https://www.visualstudio.com/downloads/</URL>
            <Download>https://download.microsoft.com/download/3/b/f/3bf6e759-c555-4595-8973-86b7b4312927/vc_redist.x64.exe</Download>
        </Redistributable>
    </Platform>
    <Platform Architecture="x86" Release="2017" Install="/install /passive /norestart">
        <Redistributable>
            <Name>Microsoft Visual C++ Redistributable for Visual Studio 2017</Name>
            <URL>https://www.visualstudio.com/downloads/</URL>
            <Download>https://download.microsoft.com/download/1/f/e/1febbdb2-aded-4e14-9063-39fb17e88444/vc_redist.x86.exe</Download>
        </Redistributable>
    </Platform>
</Redistributables>

The script will install the redistributables in the order listed in the XML file thus ensuring they are installed in the correct order.

Using Install-VisualCRedistributables.ps1

Download Install-VisualCRedistributables.ps1 and VisualCRedistributablesSupported.xml from the repository and edit the XML as required. As this includes all supported redistributables from 2008 to 2017, all will be downloaded and installed by default. If you don’t need all of them in your environment, remove those that aren’t required.

The script can be run in two phases – one to download the installers and again to install the redistributables – this is useful for downloading the installers to add to your reference image via MDT, for example. The script can also be used to download and install in one action.


The parameters for the script are:


-Xml: This points to the XML file that contains the details about the Visual C++ Redistributables. This must be in the expected format, otherwise the script will fail.

Example – Downloads the Visual C++ Redistributables listed in VisualCRedistributables.xml.

.\Install-VisualCRedistributables.ps1 -Xml ".\VisualCRedistributablesSupported.xml"


-Path: Specify a target folder to download the Redistributables to, otherwise use the current folder.

Example – Downloads the Visual C++ Redistributables listed in VisualCRedistributables.xml to C:\Redist.

.\Install-VisualCRedistributables.ps1 -Xml ".\VisualCRedistributablesSupported.xml" -Path C:\Redist


-Install: By default the script will only download the Redistributables. This allows you to download the Redistributables for separate deployment (e.g. in a reference image). Add -Install to install each of the Redistributables as well.

Example – Downloads and installs the Visual C++ Redistributables listed in VisualCRedistributables.xml.

.\Install-VisualCRedistributables.ps1 -Xml ".\VisualCRedistributablesSupported.xml" -Install:$True


Here is an example of the end result with the Redistributables installed. Note that 2015 and 2017 are the same major version (14.x), so once 2017 is installed, 2015 will not be displayed in the programs list. The 2005 Redistributables are not installed by default, as these are no longer supported.

Microsoft Visual C++ Redistributables


This is the first version of the script and to the best of my knowledge the XML file is correct. Feedback and corrections are welcome and I have some plans to update the script with some additional error checking.
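Because the script runs whatever the editable XML file points at, it is worth vetting the manifest and the downloaded files before using -Install. The following is an added example, not code from Install-VisualCRedistributables.ps1; the function names and the trusted host list are assumptions. It reads the manifest in document order, flags download URLs that are not HTTPS on an expected host, and checks the Authenticode signature of a downloaded installer.

```powershell
# Added example: vet a redistributables manifest and the downloaded installers.
# The trusted host list and the function names are assumptions, not part of the script.
$TrustedHosts = @('download.microsoft.com')

function Get-RedistPlan {
    param([xml]$Manifest)
    # SelectNodes returns nodes in document order, which preserves the install order.
    foreach ($platform in $Manifest.SelectNodes('/Redistributables/Platform')) {
        foreach ($redist in $platform.SelectNodes('Redistributable')) {
            $uri = [uri]$redist.Download
            [pscustomobject]@{
                Release      = $platform.Release
                Architecture = $platform.Architecture
                Arguments    = $platform.Install
                FileName     = $uri.Segments[-1]
                Uri          = $uri
                Trusted      = ($uri.Scheme -eq 'https') -and ($TrustedHosts -contains $uri.Host)
            }
        }
    }
}

function Test-InstallerSignature {
    param([string]$Path)
    # True only for a valid Authenticode signature issued to Microsoft Corporation.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# Constructed sample manifest: one entry from the article and one constructed bad entry.
[xml]$sample = @'
<Redistributables>
  <Platform Architecture="x64" Release="2017" Install="/install /passive /norestart">
    <Redistributable>
      <Download>https://download.microsoft.com/download/3/b/f/3bf6e759-c555-4595-8973-86b7b4312927/vc_redist.x64.exe</Download>
    </Redistributable>
  </Platform>
  <Platform Architecture="x86" Release="2017" Install="/install /passive /norestart">
    <Redistributable>
      <Download>http://downloads.example.test/vc_redist.x86.exe</Download>
    </Redistributable>
  </Platform>
</Redistributables>
'@

Get-RedistPlan -Manifest $sample | Format-Table Release, Architecture, FileName, Trusted
```

Call Test-InstallerSignature on each downloaded file and skip any installer for which it, or the Trusted column, is false.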


Categories: Community, Virtualisation