FSLogix App Masking in Citrix Environments

What is App Masking and what do we need it for?

App Masking minimize the number of Golden Images required, by allowing all applications to be installed in a single Golden Image. The mapping and separation of applications (as well as printers, fonts, office add-ins, Internet Explorer plug-ins, etc.) is done without packaging, sequencing, backend infrastructure or virtualization.

FSLogix App Masking

This is achieved by granular access control of the installed applications through App Masking Rules. These rules can be used to completely hide the application in an user runtime, so that it no longer appears in the file system, registry or under programs and features.

Because no additional ressources are required by the system when using the rules, applications run at their native speed.

Another possible use of App Masking is to serve the licensing conditions of different software vendors. Microsoft Visio or Project are popular examples here.

If Microsoft Visio is installed on a Citrix Worker, customers must present a Visio license for each potential user. To counteract this, the environments are separated by application silos (Worker only for this one application), so that only those users have access for which licenses are available.

With App Masking we can install Visio on the Golden Master and secure it via App Masking Rules (local computer name or user name) in such a way that Microsoft accepts this in its license check.

How it works

When a user logs on to a system, on which FSLogix Agent is installed, that agent checks the existing rule sets in the Compiled Rules folder. According to these rules, the applications (registry entries, files and folders) are assigned or hidden, based on the defined assignments (AD groups, process, network location, OU, etc.). If new rules or assignment files are added or deleted in the Rules folder, this has an immediate effect on the system.

Diagram FSLogix App Masking

Components

The following components must be installed to use FSLogix App Masking

FSLogix Agent

The agent (FSLogixAppsSetup.exe) contains all FSLogix functions and is hidden behind the Windows service FSLogix Apps Services. This service controls the filter driver (frxdrv.sys) that is responsible for hiding the components in App Masking as well as for redirecting access to the Profile/Office Container.

The FSLogix agent must be installed on all systems on which App Masking should be applied (e.g. Golden Master).

FSLogix Apps RuleEditor

The second App Masking component to install is the FSLogix Apps RuleEditor (FSLogixAppsRuleEditorSetup.exe). It is used to create the rule sets and to assign the rule sets via assignments.

When creating rule sets, two different files are generated (fxr & fxa file). The two files are stored by default in the folder C:\Users\<Username>\Documents\FSLogix Rule Sets.

fxa fxr files

The FSLogix Rule File (.fxr) contains the configuration of the rule set. So which registry entries, files etc. should be hidden by the filter driver.

The FSLogix Rule Assignment File (.fxa) contains the assignments (AD group, OU etc.) of the respective rule set.

For the rule sets to be processed by FSLogix Agent, these files must be copied to the C:\Program Files\FSLogix\Apps\Rules folder on the worker.

The FSLogix Apps RuleEditor does not need to be installed on the worker. I recommend to install it on the central administration machine or on an infrastructure server.

Rule Set TypeS

Here is a quick overview of the different Rule Set Types.

Blank Rule Set

Blank Rule Set can be used to create an empty rule set, which must then be manually filled with the files, folders and registry entries to be hidden.

Rule Set Blank Rule Set  Choose from installed programs

How further entries are added, I will explain in the later sections.

FSLogix Apps RuleEditor Blank
Enter Program Files Path

With Enter Program Files Path the path to the application can be set. Useful for programs that do not appear under Installed Programs, such as PowerShell. By clicking on Scan the application is scanned and the required settings for hiding are defined. After analyzing the application, you can add another application to the New Rule Set by clicking Add Another Application.

Enter Program Files Path
Choose from installed programs

The easiest way to automatically analyze the applications is via Choose from installed programs. The Program Installation Directory is automatically filled when the application is selected. This can be corrected with the Browse button. By clicking on Scan the application is scanned and the required settings for hiding are defined. After analyzing the application, you can add another application to the New Rule Set by clicking Add Another Application.

Choose from installed programs

Rule Types

The Rule Set Types contain several Rule Types. We can define four different Rule Types in App Masking. By right-clicking on existing rules or into the empty area of Blank Rule you get the following menu.

New Rule Delete Rule Edit Rule

The menu items are self-explanatory. With them I can correct existing rule sets or create completely new ones.

Wildcard & Variables in Rule Types

The following wildcards and variables can simplify the creation of rules.

Wildcard (Only in Source Path)

Under Rule Types, the wildcard * can only be used in the source path, to represent an entire path element, such as the user name.

Source Path

Example: C:\Users\*\AppData\Roaming\Microsoft\Teams\Cache

Variables (Only in Destination Path)

The following variables can only be used in the destination path. These variables are marked with two underscores before and after the variable names.

Destination Path
VariableDescription
__USER_SID__Resolves the user SID
__USER_NAME__Resolves the user name
__USER_PROFILE_PATH__Resolves the path to the user profile folder (e.g. C:\Users\User01)
Environment Variables

The following Environment Variables (Case Sensitive!) can be used in both the source and destination paths.

Environment Variable

In the RuleEditor the Environment Variables automatically replace a suitable path.

Examples:

  • %WindowsFolder%
  • %CommonAppDataFolder%
  • %CommonStartMenuFolder%
  • %CommonFilesFolder32%
  • %ProgramFilesFolder32%
  • %SystemFolder32%
  • %CommonFilesFolder64%
  • %ProgramFilesFolder64%
  • %SystemFolder64%
  • %SystemDriveFolder%

This is valid for the following Rule Types.

Hiding Rule

With Hiding Rules you can hide files, folders, printers, fonts, registry values and keys. With Browse you can select the Object Type to be hidden or you define under Object Type what you want to hide and enter it manually under Object Name. You have to do this if the files, folders, printers etc. are not available on the server where you create the rules.

Add Rule Hiding Rule

Via Browse the selection window changes depending on the Object Type.

File

A single file must be selected here.

Hiding Rule Choose File
Directory

A single folder must be selected here. This will hide all files and subfolders in it.

Hiding Rule Choose Directory
Registry Value

At this point a single registry value can be selected.

Hiding Rule Select Registry Value
Registry Key

A single registry key must be selected here. This will hide all sub keys and registry values in it.

Hiding Rule Select Registry Key
Printer

Here a single printer must be selected from the list of installed printers.

Hiding Rule Select Printer
Font

Here you must select a single font from the list of installed fonts.

Hiding Rule Select a Font family
Redirection Rule

With Redirection Rules you can redirect files, folders, registry values and keys. With the Folder Icons you select the source and destination Object Type to redirect or you define under Object Type what you want to redirect and enter it manually under Source and Destination. You have to do this if the files, folders etc. do not exist on the server where you create the rules.

Redirection Rule

The Copy Object feature copies the existing files, with their contents, to the target (if the user is authorized in the target).

Example:
As an example I take the starting and ending of teams. In the listed screenshots, from left to right, you can see the activation of the redirection and deactivation of the redirection. I use the watchdog.txt file, because if it is not present, it is created by teams at startup and no data is written to it during the short runtime of the test.

If you activate redirection with disabled Copy Object, the existing files are not copied. In the source folder the watchdog.txt file has a size of 1 KB. The file in the target folder has a size of 0 KB after the test, because it was newly created.

Deactivate Copy Object

If the redirection is activated with Copy Object enabled, the existing files are copied as well. In the source folder the watchdog.txt file has a size of 1 KB. The file in the target folder has the same size and content after the test, because it was initially copied over.

Activate Copy Object

Via the Folder Icon the selection window changes depending on the Object Type at Source and Destination.

File

A single file must be selected here.

Hiding Rule Choose File
Directory

A single folder must be selected here. This will hide all files and subfolders in it.

Hiding Rule Choose Directory

Example:
In this example I redirect the Teams folder from the profile to a folder directly to C:\.

Redirection Rule Teams

Here are the contents of the folders before the test. In the Teams folder I have created a new folder named Test.

Before Test

Now I activate the Rule Set with the button Apply Rules to System. After the activation the Rule Set is activated without consideration of the assignment list.

Apply Rules to System

Now the previously created test folder is no longer visible under the Teams path, because it was redirected to the target folder. The content of the Teams folder was not deleted!

Activate Rules

Now Teams are started and you can see that the Teams folder is filled. But in reality the files are stored in the previously defined destination folder. The program doesn’t notice this (like Office & Profile Container).

File creation

After Teams are closed and the Rule Set is disabled, you will now see the files created by Teams in the target folder and only the previously created test folder in the source folder.

After Test
Registry Value

Here a single Registry Value must be selected.

Hiding Rule Select Registry Value
Registry Key

A single registry key must be selected here. This will hide all sub keys and registry values in it.

Hiding Rule Select Registry Key
App Container (VHD) Rule

With App Container Rule you can redirect folders directly into a VHD file. With the Folder Icon you select the source folder and the destination container.

App Container (VHD) Rule
App Container (VHD) Rule Container
Specify Value Rule

With Specify Value Rule you can edit registry values. Via the Folder Icon you can select the registry value you want to edit and enter the new value under Data.

Specify Value Rule
Specify Value Rule Select Registry Value

Assignment Sequence

The following settings must be defined per assignment Rule Set.

Rule Set does apply to user/group is displayed as Yes under Applies.
This means that these settings or application is not displayed to the user.

Rule Set does not apply to user/group is displayed as No under Applies.
This means that these settings or application is displayed for the user.

The added assignment rule sets are processed from top to bottom. This means that first a rule set should be defined, which hides the application (e.g. Everyone) and then the approvals per assignment rule set.

Processing Sequence Assignment List

Example: Two assignments are stored in the same rule set. The first assignment is for the group Everyone (Applies defined with Yes) and the second rule set below is for User01 (Applies defined with No).

Assignment List Everyone Yes User01 No

In this case the rule set (therefore the application) would apply to everyone except User01 and therefore only User01 would see the application.

If you change the order of the Assignments Rule Sets, so that the User01 Rule Set is at the top and then the rule for Everyone, this would result in the following.

Assignment List User01 No Everyone Yes

The settings for User01 to display the application would be directly overwritten by the Everyone Assignment below. Therefore nobody would get this application displayed.

Assignment Types

The following assignment options are offered.

Assignments User Group Process Network Location Computer Directory Container Environment Variable
User

Direct assignment to Active Directory User.

AD User

The button next to the User input field takes you to the AD search.

Select Users or Groups
Group

Assignment to Active Directory group. Most frequently used.

AD Group

The button next to the Group input field takes you to the AD search.

Select Groups
Process

Assignment to a process or a child process of the specified process.

Process
Network Location

Assignment to local IP address of the client.

Network Location

In my example, my own client at home.

Local ipconfig
Computer

Direct assignment to Active Directory computer account.

Computer

The button next to the input field Computer takes you to the AD search.

Select Computer or Groups
Directory Container

Assignment to content of the specified Active Directory Organizational Unit.

Directory Container

The button (…) next to the input field takes you to the AD structure where you can select the OUs.

Directory Container Dialog
Environment Variable

Assignment based on environment variable. Only environment variables that exist at logon are supported. Environment variables set during logon are not supported.

Environment Variable CLIENTNAME

Test the environment variable directly on the worker.

%CLIENTNAME%

The wildcards ? and * can be used in the Value field.

Wildcard

Optionally, the From File button can be used to select a text file containing a list of device names.

Choose File

One client per line must be listed in the file.

Text File

Then an assignment rule set is created for each line from the file.

Assignments Rule Set CLIENTNAME

Set As Template

After the assignment list is configured, this settings can be defined as a template for new rule sets. To do this, click on Set As Template and all new assignment lists will look like the current one by default.

Save as Template Assignment File

AD Reporting

With the AD Reporting button, within the Assignment List or in the main menu, the assignment of the rule set can be checked.

FSLogix App Masking AD Reporting
AD Reporting

In the following window click on New Query to start a query.

AD Reporting New Query

Enter the AD group or user you want to check.

Select Users or Groups

Now you can examine the result. Here when the application is displayed (Applies No).

AD Reporting Applies No

Or if the application is hidden (Applies Yes).

Licensing Report

Change Licensing Parameters can be used to define how many days a “license” is assigned to a device.

Change Licensing Parameters

This value must be defined for each rule set individually or is set to 90 days by default.

Licensing Parameters

With the Licensing Report you can generate reports (PDF) to determine your device-based licensing consumption for the rule set.

Licensing Portal

After clicking on Licensing Portal, define the desired period of the report in the following window.

Generate Licensing Report

You will then receive the desired report in PDF format.

License Report PDF

Licensing

Now first to the licensing. We may use FSLogix components if we meet one of the following requirements:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/ Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)

Setup of FSLogix Agent

Extract FSLogix
  • Start the installer FSLogixAppsSetup on the system that will be managed by App Masking later
Start FSLogixAppsSetup.exe
  • Click in the following window on “I agree to the license terms and conditions
Install FSLogix Profile Container Office Container Java Version Control Application Masking
  • Via the button Options you can adjust the path of the installation
Setup Options FSLogix Apps Setup
  • Click Install to start the installation
Setup Progress Processing
  • After the installation you can check the Services menu, that the FSLogix services are installed and running
FSLogix Apps Services FSLogix Cloud Caching Services

FSLogix Apps Service

  • Service name: frxsvc
  • Description: FSLogix Apps Service Component.
  • Path to executable: “C:\Program Files\FSLogix\Apps\frxsvc.exe”
  • Startup type: Automatic

Einrichtung FSLogix Apps RuleEditor

  • Start the installer FSLogixAppsRuleEditorSetup on the system that will be used to create the rule sets
Installer FSLogixAppsRuleEditorSetup.exe
  • Click in the following window on “I agree to the license terms and conditions
I agree to the license terms and conditions
  • Via the button Options you can adjust the path of the installation
Setup Options FSLogix Apps Setup
  • Click Install to start the installation.
Setup Progress Processing
Setup Successful

Configuration of Rule Sets

  • Start the FSLogix Apps RuleEditor as local administrator
FSLogix Apps RuleEditor
  • Click on the displayed icon or on File > New to create a new rule set
New Rule Sets
  • Enter the name for the new rule set in the following window and confirm this with a click on Enter file name
New Rule Set File
  • Now you can select how the rule set is defined
  • In this example I select Choose from installed programs
Choose from installed programs
    By clicking on Scan the application is now scanned and the required settings for hiding are defined
Scan Complete Add Another Application
  • After the analysis of the application, another application can be integrated into the new rule set via Add Another Application
Scan Complete Add Another Application
  • When all required applications have been analyzed, this can be confirmed with OK

Note: At the bottom of the Rule Set display, a summary of the rules is shown (here e.g. 10 Hiding Rules)

FSLogix Rule Set
  • To assign another assignment to the rule sets click on the displayed icon (is grayed out if no rule set is loaded) or on File > Manage Assignments
 File > Manage Assignments
  • Further assignments can be added via Add (Everyone is already stored in the default)
Aggignments Everyone
  • In this example I just add the user User01 and change his setting to Rule Set does not apply to user/group so that this user sees the application
Rule Set does not apply to user/group
  • After the correct Assignments are added, this can be confirmed with Apply

Providing Rule Sets

To activate the App Masking Rules on a worker, the created fxr and fxa files must be placed in the folder C:\Program Files\FSLogix\Apps\Rules.

Deploy Rule Sets

These rule sets are automatically detected by the service (frxsvc.exe) and compiled into a special format used by the FSLogix drivers (frxdrv.sys & frxdrvvt.sys). The service then notifies the driver about a change (creation, deletion or update of rule sets) and the driver performs a live update of the installed rule sets. The newly compiled rule set files are located in the folder C:\Program Files\FSLogix\Apps\CompiledRules.

CompiledRules

Group Policy Preferences

With GPP you can distribute these created rule sets, which are stored centrally, to individual workers.

Group Policy Preferences

Here first the content of the FsLogix Rules folder is cleaned up.

GPP Delete

Then the existing rule sets are copied into the folder and processed by the agent.

GPP Update

WEM File System Operations

Using WEM, the rule sets created can be distributed to the workers via file system operations.

WEM File System Operations

With the first action the content of the FsLogix Rules folder is cleaned up.

File System Operation delete

Then the existing rule sets are copied into the folder and processed by the agent.

File System Operations Create

Troubleshooting

Agent & Services

To check if the agent is running, enter the following commands at the command prompt.

sc query frxsvc
sc query frxdrv

To check if the required services (frxdrv, frxdrvvt & frxccd) are started, enter the following command in an Elevated Command Prompt (Run as Administrator)

Fltmc

Logs

Check the log files of the individual areas. If these are not available (default value 0), activate them in the registry as follows

Registry Path: HKLM\SOFTWARE\FSLogix\Logging

All values are type DWORD and are set to ‘0’ to disable logging for the component or to ‘1’ to enable logging for the component.

ComponentValue NameDefaultDefault Path
Rule EditorRuleEditor0%ProgramData%\FSLogix\Logs\RuleEditor
FSLogix Agent Service (frxsvc.exe)Service0%ProgramData%\FSLogix\Logs\Service
Rule CompilationRuleCompilation0%ProgramData%\FSLogix\Logs\RuleCompilation
Font VisibilityFont0%ProgramData%\FSLogix\Logs\Font
Network InformationNetwork0%ProgramData%\FSLogix\Logs\Network
Printer VisibilityPrinter0%ProgramData%\FSLogix\Logs\Printer
AD Computer Group ProcessingAdsComputerGroup0%ProgramData%\FSLogix\Logs\AdsComputerGroup
Driver InterfaceDriverInterface0%ProgramData%\FSLogix\Logs\DriverInterface
Process Start MonitorProcessStart0%ProgramData%\FSLogix\Logs\ProcessStart

Rule Files

Copy the compiled rule set files from the folder C:\Program Files\FSLogix\Apps\CompiledRules and open them with an editor to compare the content with the original rule set files.

Compiled Rules

fxc is the rule file.

fxc file

fxac is the assignment file.

fxac File

3 thoughts on “FSLogix App Masking in Citrix Environments”

  1. Hi, I created Golden Image and install FSLogix Agent on it. after provisioning Masking rules did not apply. in FSLogix monitor shown these 2 errors:
    1. Failed to get Computers group SIDs (the specified domain either doesn't exist or Could not be Contacted)
    2. querying computer
    s fully qualified distinguished name failed (the specified domain either doesn’t exist or Could not be Contacted)

    Environment :
    Windows 10 x64 2004 as golden image
    VMware Horizon 7.12 Connection Server
    FSLogix 2.9.7349.30108

    p.s: on golden image everything is fine and working, problem arise after provisioning!
    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

*