FSLogix App Masking in Citrix Environments

What is App Masking and what do we need it for?

App Masking minimizes the number of Golden Images required by allowing all applications to be installed in a single Golden Image. The mapping and separation of applications (as well as printers, fonts, Office add-ins, Internet Explorer plug-ins, etc.) is done without packaging, sequencing, backend infrastructure or virtualization.

FSLogix App Masking

This is achieved by granular access control of the installed applications through App Masking Rules. These rules can completely hide an application in a user's session, so that it no longer appears in the file system, the registry or under Programs and Features.

Because the rules require no additional resources from the system, applications run at their native speed.

Another possible use of App Masking is to serve the licensing conditions of different software vendors. Microsoft Visio or Project are popular examples here.

If Microsoft Visio is installed on a Citrix Worker, customers must present a Visio license for each potential user. To counteract this, environments are separated into application silos (a Worker only for this one application), so that only those users for whom licenses are available get access.

With App Masking we can install Visio on the Golden Master and restrict it via App Masking Rules (local computer name or user name) in such a way that Microsoft accepts this in its license check.

How it works

When a user logs on to a system on which the FSLogix Agent is installed, the agent checks the existing rule sets in the Compiled Rules folder. According to these rules, the applications (registry entries, files and folders) are shown or hidden, based on the defined assignments (AD groups, process, network location, OU, etc.). If rule or assignment files are added to or deleted from the Rules folder, this takes effect on the system immediately.

Diagram FSLogix App Masking

Components

The following components must be installed to use FSLogix App Masking:

FSLogix Agent

The agent (FSLogixAppsSetup.exe) contains all FSLogix functions and runs behind the Windows service FSLogix Apps Services. This service controls the filter driver (frxdrv.sys), which is responsible for hiding the components in App Masking as well as for redirecting access to the Profile/Office Container.

The FSLogix agent must be installed on all systems on which App Masking should be applied (e.g. Golden Master).

FSLogix Apps RuleEditor

The second App Masking component to install is the FSLogix Apps RuleEditor (FSLogixAppsRuleEditorSetup.exe). It is used to create the rule sets and to assign the rule sets via assignments.

When creating a rule set, two files are generated (a .fxr and a .fxa file). By default they are stored in the folder C:\Users\<Username>\Documents\FSLogix Rule Sets.

fxa fxr files

The FSLogix Rule File (.fxr) contains the configuration of the rule set, i.e. which registry entries, files etc. the filter driver should hide.

The FSLogix Rule Assignment File (.fxa) contains the assignments (AD group, OU etc.) of the respective rule set.

For the rule sets to be processed by the FSLogix Agent, these files must be copied to the folder C:\Program Files\FSLogix\Apps\Rules on the worker.

The FSLogix Apps RuleEditor does not need to be installed on the worker. I recommend installing it on the central administration machine or on an infrastructure server.

Rule Set Types

Here is a quick overview of the different Rule Set Types.

Blank Rule Set

A Blank Rule Set creates an empty rule set, which must then be filled manually with the files, folders and registry entries to be hidden.

Rule Set Blank Rule Set  Choose from installed programs

I will explain how further entries are added in the later sections.

FSLogix Apps RuleEditor Blank

Enter Program Files Path

With Enter Program Files Path the path to the application can be set. This is useful for programs that do not appear under Installed Programs, such as PowerShell. Clicking Scan analyzes the application and defines the settings required to hide it. After the analysis, you can add another application to the New Rule Set by clicking Add Another Application.

Enter Program Files Path

Choose from installed programs

The easiest way to analyze applications automatically is via Choose from installed programs. The Program Installation Directory is filled in automatically when the application is selected and can be corrected with the Browse button. Clicking Scan analyzes the application and defines the settings required to hide it. After the analysis, you can add another application to the New Rule Set by clicking Add Another Application.

Choose from installed programs

Rule Types

Each Rule Set Type contains several Rule Types. We can define four different Rule Types in App Masking. Right-clicking an existing rule or the empty area of a Blank Rule Set opens the following menu.

New Rule Delete Rule Edit Rule

The menu items are self-explanatory. With them I can correct existing rule sets or create completely new ones.

Wildcard & Variables in Rule Types

The following wildcards and variables can simplify the creation of rules.

Wildcard (Only in Source Path)

Under Rule Types, the wildcard * can only be used in the source path, where it represents an entire path element, such as the user name.

Source Path

Example: C:\Users\*\AppData\Roaming\Microsoft\Teams\Cache

Variables (Only in Destination Path)

The following variables can only be used in the destination path. They are marked with two underscores before and after the variable name.

Destination Path
Variable               Description
__USER_SID__           Resolves to the user SID
__USER_NAME__          Resolves to the user name
__USER_PROFILE_PATH__  Resolves to the path of the user profile folder (e.g. C:\Users\User01)

Environment Variables

The following Environment Variables (Case Sensitive!) can be used in both the source and destination paths.

Environment Variable

When you browse to a path in the RuleEditor, the matching part of the path is automatically replaced by the corresponding Environment Variable.

Examples:

  • %WindowsFolder%
  • %CommonAppDataFolder%
  • %CommonStartMenuFolder%
  • %CommonFilesFolder32%
  • %ProgramFilesFolder32%
  • %SystemFolder32%
  • %CommonFilesFolder64%
  • %ProgramFilesFolder64%
  • %SystemFolder64%
  • %SystemDriveFolder%

This is valid for the following Rule Types.

Hiding Rule

With Hiding Rules you can hide files, folders, printers, fonts, registry values and keys. With Browse you select the object to be hidden, or you define under Object Type what you want to hide and enter it manually under Object Name. You have to do this if the files, folders, printers etc. are not present on the server where you create the rules.

Add Rule Hiding Rule

Via Browse, the selection window changes depending on the Object Type.

File

A single file must be selected here.

Hiding Rule Choose File

Directory

A single folder must be selected here. This will hide all files and subfolders in it.

Hiding Rule Choose Directory

Registry Value

At this point a single registry value can be selected.

Hiding Rule Select Registry Value

Registry Key

A single registry key must be selected here. This will hide all sub keys and registry values in it.

Hiding Rule Select Registry Key

Printer

Here a single printer must be selected from the list of installed printers.

Hiding Rule Select Printer

Font

Here you must select a single font from the list of installed fonts.

Hiding Rule Select a Font family

Redirection Rule

With Redirection Rules you can redirect files, folders, registry values and keys. With the folder icons you select the source and destination of the Object Type to redirect, or you define under Object Type what you want to redirect and enter it manually under Source and Destination. You have to do this if the files, folders etc. do not exist on the server where you create the rules.

Redirection Rule

The Copy Object option copies the existing files, with their contents, to the destination (if the user is authorized in the destination).

Example:
As an example I use starting and closing Teams. In the screenshots below, from left to right, you can see the activation of the redirection and the deactivation of the redirection. I use the watchdog.txt file because, if it is not present, Teams creates it at startup and writes no data to it during the short runtime of the test.

If you activate redirection with Copy Object disabled, the existing files are not copied. In the source folder the watchdog.txt file has a size of 1 KB. After the test the file in the destination folder has a size of 0 KB, because it was newly created.

Deactivate Copy Object

If redirection is activated with Copy Object enabled, the existing files are copied as well. In the source folder the watchdog.txt file has a size of 1 KB. After the test the file in the destination folder has the same size and content, because it was copied over initially.

Activate Copy Object

Via the folder icon, the selection window changes depending on the Object Type at Source and Destination.

File

A single file must be selected here.

Hiding Rule Choose File

Directory

A single folder must be selected here. This will redirect all files and subfolders in it.

Hiding Rule Choose Directory

Example:
In this example I redirect the Teams folder from the profile to a folder directly under C:\.

Redirection Rule Teams

Here are the contents of the folders before the test. In the Teams folder I have created a new folder named Test.

Before Test

Now I activate the Rule Set with the Apply Rules to System button. Note that a rule set activated this way applies without regard to the assignment list.

Apply Rules to System

Now the previously created Test folder is no longer visible under the Teams path, because access was redirected to the destination folder. The content of the Teams folder was not deleted!

Activate Rules

Now Teams is started and you can see that the Teams folder fills up. In reality, however, the files are stored in the previously defined destination folder. The program does not notice this (just as with the Office and Profile Container).

File creation

After Teams is closed and the Rule Set is disabled, you will see the files created by Teams in the destination folder and only the previously created Test folder in the source folder.

After Test

Registry Value

Here a single Registry Value must be selected.

Hiding Rule Select Registry Value

Registry Key

A single registry key must be selected here. This will redirect all sub keys and registry values in it.

Hiding Rule Select Registry Key

App Container (VHD) Rule

With an App Container Rule you can redirect folders directly into a VHD file. With the folder icon you select the source folder and the destination container.

App Container (VHD) Rule
App Container (VHD) Rule Container

Specify Value Rule

With a Specify Value Rule you can edit registry values. Via the folder icon you select the registry value you want to edit and enter the new value under Data.

Specify Value Rule
Specify Value Rule Select Registry Value

Assignment Sequence

The following setting must be defined for each assignment in a Rule Set.

Rule Set does apply to user/group is displayed as Yes under Applies. This means that the settings or application are not displayed to the user.

Rule Set does not apply to user/group is displayed as No under Applies. This means that the settings or application are displayed to the user.

The assignments in the list are processed from top to bottom. This means that an assignment that hides the application (e.g. Everyone) should be defined first, followed by the approvals per assignment below it.

Processing Sequence Assignment List

Example: Two assignments are stored in the same rule set. The first assignment is for the group Everyone (Applies set to Yes) and the second assignment below it is for User01 (Applies set to No).

Assignment List Everyone Yes User01 No

In this case the rule set (and therefore the hiding of the application) would apply to everyone except User01, so only User01 would see the application.

If you change the order of the assignments so that the User01 assignment is at the top and the Everyone assignment below it, the result is as follows.

Assignment List User01 No Everyone Yes

The setting for User01 to display the application would be overwritten directly by the Everyone assignment below it. Therefore nobody would get the application displayed.
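To check the ordering of an assignment list before deploying it, here is an added PowerShell example (not from the original post) that models the top-to-bottom processing described above for User and Group assignments and flags the mis-ordering from the second screenshot. The assignment lists and group memberships in it are constructed.

```powershell
# Added example: models how an assignment list is processed from top to bottom.
# Only User and Group assignments are modelled; Everyone is treated as matching all users.

function Resolve-AppliesForUser {
    param(
        # Ordered assignment list, top entry first; Applies is 'Yes' (hidden) or 'No' (visible)
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [string]   $User,
        # Groups the user is a member of (Everyone is implicit)
        [string[]] $Groups = @()
    )
    $effective = $null
    foreach ($a in $Assignments) {
        $isMatch = switch ($a.Type) {
            'User'  { $a.Name -eq $User }
            'Group' { $a.Name -eq 'Everyone' -or $Groups -contains $a.Name }
            default { $false }
        }
        # A later matching entry overwrites an earlier one, so the last match wins
        if ($isMatch) { $effective = $a.Applies }
    }
    return $effective   # $null means no assignment matched this user
}

function Test-AssignmentOrder {
    # Warns when a hiding entry ('Yes') is listed below an exemption ('No'):
    # it overrides that exemption for every user it matches.
    param([Parameter(Mandatory)] [object[]] $Assignments)
    $seenExemption = $false
    foreach ($a in $Assignments) {
        if ($a.Applies -eq 'No') { $seenExemption = $true }
        elseif ($seenExemption -and $a.Applies -eq 'Yes') {
            Write-Warning "'$($a.Type) $($a.Name)' (Applies Yes) is listed below an exemption and overrides it."
        }
    }
}

# Constructed assignment lists reproducing the two orderings discussed above
$hideThenExempt = @(
    [pscustomobject]@{ Type = 'Group'; Name = 'Everyone'; Applies = 'Yes' },
    [pscustomobject]@{ Type = 'User';  Name = 'User01';   Applies = 'No'  }
)
$exemptThenHide = @($hideThenExempt[1], $hideThenExempt[0])

# Evaluate User01 and another user under both orderings, then lint the second one
Resolve-AppliesForUser -Assignments $hideThenExempt -User 'User01'
Resolve-AppliesForUser -Assignments $hideThenExempt -User 'User02'
Resolve-AppliesForUser -Assignments $exemptThenHide -User 'User01'
Test-AssignmentOrder   -Assignments $exemptThenHide
```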

Assignment Types

The following assignment options are offered.

Assignments User Group Process Network Location Computer Directory Container Environment Variable

User

Direct assignment to an Active Directory user.

AD User

The button next to the User input field takes you to the AD search.

Select Users or Groups

Group

Assignment to an Active Directory group. This is the most frequently used assignment type.

AD Group

The button next to the Group input field takes you to the AD search.

Select Groups

Process

Assignment to a process, or to a child process of the specified process.

Process

Network Location

Assignment based on the local IP address of the client.

Network Location

In my example, my own client at home.

Local ipconfig

Computer

Direct assignment to an Active Directory computer account.

Computer

The button next to the input field Computer takes you to the AD search.

Select Computer or Groups

Directory Container

Assignment to the contents of the specified Active Directory Organizational Unit.

Directory Container

The button (…) next to the input field takes you to the AD structure where you can select the OUs.

Directory Container Dialog

Environment Variable

Assignment based on an environment variable. Only environment variables that already exist at logon are supported; variables set during logon are not.

Environment Variable CLIENTNAME

Test the environment variable directly on the worker.

%CLIENTNAME%

The wildcards ? and * can be used in the Value field.

Wildcard

Optionally, the From File button can be used to select a text file containing a list of device names.

Choose File

The file must list one client per line.

Text File

An assignment is then created for each line in the file.

Assignments Rule Set CLIENTNAME

Set As Template

After the assignment list is configured, these settings can be saved as a template for new rule sets. To do this, click Set As Template; all new assignment lists will then look like the current one by default.

Save as Template Assignment File

AD Reporting

With the AD Reporting button, in the Assignment List or in the main menu, the assignment of the rule set can be checked for a given user or group.

FSLogix App Masking AD Reporting
AD Reporting

In the following window click on New Query to start a query.

AD Reporting New Query

Enter the AD group or user you want to check.

Select Users or Groups

Now you can examine the result. Here the application is displayed (Applies No).

AD Reporting Applies No

And here the application is hidden (Applies Yes).

Licensing Report

Change Licensing Parameters can be used to define how many days a “license” is assigned to a device.

Change Licensing Parameters

This value is defined for each rule set individually; the default is 90 days.

Licensing Parameters

With the Licensing Report you can generate reports (PDF) to determine your device-based licensing consumption for the rule set.

Licensing Portal

After clicking on Licensing Portal, define the desired period of the report in the following window.

Generate Licensing Report

You will then receive the desired report in PDF format.

License Report PDF

Licensing

Now to licensing. We may use FSLogix components if we meet one of the following requirements:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)

Setup of FSLogix Agent

Extract FSLogix
  • Start the installer FSLogixAppsSetup on the system that will be managed by App Masking later
Start FSLogixAppsSetup.exe
  • Click in the following window on “I agree to the license terms and conditions”
Install FSLogix Profile Container Office Container Java Version Control Application Masking
  • Via the button Options you can adjust the path of the installation
Setup Options FSLogix Apps Setup
  • Click Install to start the installation
Setup Progress Processing
  • After the installation you can check in the Services console that the FSLogix services are installed and running
FSLogix Apps Services FSLogix Cloud Caching Services

FSLogix Apps Service

  • Service name: frxsvc
  • Description: FSLogix Apps Service Component.
  • Path to executable: “C:\Program Files\FSLogix\Apps\frxsvc.exe”
  • Startup type: Automatic

Setup of FSLogix Apps RuleEditor

  • Start the installer FSLogixAppsRuleEditorSetup on the system that will be used to create the rule sets
Installer FSLogixAppsRuleEditorSetup.exe
  • Click in the following window on “I agree to the license terms and conditions”
I agree to the license terms and conditions
  • Via the button Options you can adjust the path of the installation
Setup Options FSLogix Apps Setup
  • Click Install to start the installation.
Setup Progress Processing
Setup Successful

Configuration of Rule Sets

  • Start the FSLogix Apps RuleEditor as local administrator
FSLogix Apps RuleEditor
  • Click on the displayed icon or on File > New to create a new rule set
New Rule Sets
  • Enter the name for the new rule set in the following window and confirm with a click on Enter file name
New Rule Set File
  • Now you can select how the rule set is defined
  • In this example I select Choose from installed programs
Choose from installed programs
  • By clicking on Scan the application is now scanned and the required settings for hiding are defined
Scan Complete Add Another Application
  • After the analysis of the application, another application can be integrated into the new rule set via Add Another Application
Scan Complete Add Another Application
  • When all required applications have been analyzed, this can be confirmed with OK

Note: At the bottom of the Rule Set display, a summary of the rules is shown (here e.g. 10 Hiding Rules)

FSLogix Rule Set
  • To add assignments to the rule set click on the displayed icon (grayed out if no rule set is loaded) or on File > Manage Assignments
File > Manage Assignments
  • Further assignments can be added via Add (Everyone is already stored by default)
Assignments Everyone
  • In this example I just add the user User01 and change the setting to Rule Set does not apply to user/group so that this user sees the application
Rule Set does not apply to user/group
  • After the correct Assignments are added, this can be confirmed with Apply

Providing Rule Sets

To activate the App Masking Rules on a worker, the created fxr and fxa files must be placed in the folder C:\Program Files\FSLogix\Apps\Rules.

Deploy Rule Sets

These rule sets are automatically detected by the service (frxsvc.exe) and compiled into a special format used by the FSLogix drivers (frxdrv.sys & frxdrvvt.sys). The service then notifies the driver about a change (creation, deletion or update of rule sets) and the driver performs a live update of the installed rule sets. The newly compiled rule set files are located in the folder C:\Program Files\FSLogix\Apps\CompiledRules.

CompiledRules

Group Policy Preferences

With GPP you can distribute these created rule sets, which are stored centrally, to individual workers.

Group Policy Preferences

Here the content of the FSLogix Rules folder is cleaned up first.

GPP Delete

Then the existing rule sets are copied into the folder and processed by the agent.

GPP Update

WEM File System Operations

Using WEM, the rule sets created can be distributed to the workers via file system operations.

WEM File System Operations

The first action cleans up the content of the FSLogix Rules folder.

File System Operation delete

Then the existing rule sets are copied into the folder and processed by the agent.

File System Operations Create
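As an added example (not from the original post, and not GPP or WEM itself), the following PowerShell script performs the same two steps the GPP and WEM sections describe, cleaning the Rules folder and copying the current .fxr/.fxa pairs from a central location, and then waits until frxsvc has compiled them. The share path is a placeholder, and it is assumed that the compiled .fxc/.fxac files keep the rule set's base name; run it elevated on the worker.

```powershell
# Added example: deploy rule sets to a worker and confirm they were compiled.
$Source   = '\\FILESERVER\FSLogix\Rules'                    # assumed central share (placeholder)
$Rules    = 'C:\Program Files\FSLogix\Apps\Rules'
$Compiled = 'C:\Program Files\FSLogix\Apps\CompiledRules'

# 1. Remove stale rule sets so a rule set retired centrally is also retired on the worker
Get-ChildItem -Path "$Rules\*" -Include '*.fxr', '*.fxa' -File | Remove-Item -Force

# 2. Copy each rule file together with its assignment file; a rule without assignments is skipped
foreach ($fxr in Get-ChildItem -Path "$Source\*" -Include '*.fxr' -File) {
    $fxa = Join-Path $Source ($fxr.BaseName + '.fxa')
    if (-not (Test-Path $fxa)) {
        Write-Warning "Skipping $($fxr.Name): no matching .fxa assignment file"
        continue
    }
    Copy-Item -Path $fxr.FullName, $fxa -Destination $Rules -Force
}

# 3. Wait for the service to compile every deployed rule set (assumed naming: <name>.fxc)
$deadline = (Get-Date).AddSeconds(30)
do {
    $missing = Get-ChildItem -Path "$Rules\*" -Include '*.fxr' -File | Where-Object {
        -not (Test-Path (Join-Path $Compiled ($_.BaseName + '.fxc')))
    }
    if (-not $missing) { break }
    Start-Sleep -Seconds 2
} while ((Get-Date) -lt $deadline)

if ($missing) {
    Write-Warning "Not compiled: $($missing.Name -join ', ') - check frxsvc and the RuleCompilation log"
} else {
    Write-Host "All rule sets in $Rules have a compiled counterpart in $Compiled"
}
```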

Troubleshooting

Agent & Services

To check whether the agent is running, enter the following commands at the command prompt.

sc query frxsvc
sc query frxdrv

To check whether the required filter drivers (frxdrv, frxdrvvt & frxccd) are loaded, enter the following command in an elevated command prompt (Run as Administrator)

fltmc

Logs

Check the log files of the individual areas. If they are not available (default value 0), enable them in the registry as follows:

Registry Path: HKLM\SOFTWARE\FSLogix\Logging

All values are type DWORD and are set to ‘0’ to disable logging for the component or to ‘1’ to enable logging for the component.

Component                           Value Name        Default  Default Path
Rule Editor                         RuleEditor        0        %ProgramData%\FSLogix\Logs\RuleEditor
FSLogix Agent Service (frxsvc.exe)  Service           0        %ProgramData%\FSLogix\Logs\Service
Rule Compilation                    RuleCompilation   0        %ProgramData%\FSLogix\Logs\RuleCompilation
Font Visibility                     Font              0        %ProgramData%\FSLogix\Logs\Font
Network Information                 Network           0        %ProgramData%\FSLogix\Logs\Network
Printer Visibility                  Printer           0        %ProgramData%\FSLogix\Logs\Printer
AD Computer Group Processing        AdsComputerGroup  0        %ProgramData%\FSLogix\Logs\AdsComputerGroup
Driver Interface                    DriverInterface   0        %ProgramData%\FSLogix\Logs\DriverInterface
Process Start Monitor               ProcessStart      0        %ProgramData%\FSLogix\Logs\ProcessStart
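The checks from the Agent & Services section and the logging switches from the table above, combined into one added PowerShell script (not from the original post). It assumes the log files carry a .log extension; run it elevated, since fltmc and writes under HKLM require it.

```powershell
# Added example: verify the agent, the filter drivers and enable component logging.
$LoggingKey = 'HKLM:\SOFTWARE\FSLogix\Logging'
# Value names from the logging table above; add others from the table as needed
$Components = 'Service', 'RuleCompilation', 'DriverInterface', 'ProcessStart'

# 1. Service state (equivalent of: sc query frxsvc)
$svc = Get-Service -Name frxsvc -ErrorAction SilentlyContinue
if (-not $svc)                      { Write-Warning 'frxsvc is not installed' }
elseif ($svc.Status -ne 'Running')  { Write-Warning "frxsvc is $($svc.Status)" }

# 2. Loaded minifilter drivers (equivalent of: fltmc); the output is a table whose
#    data rows start with the filter name followed by the instance count
$loaded = fltmc filters | ForEach-Object {
    if ($_ -match '^(\S+)\s+\d+') { $Matches[1] }
}
foreach ($drv in 'frxdrv', 'frxdrvvt', 'frxccd') {
    if ($loaded -notcontains $drv) { Write-Warning "Filter driver $drv is not loaded" }
}

# 3. Enable logging: every value is a DWORD, 0 = disabled, 1 = enabled
if (-not (Test-Path $LoggingKey)) { New-Item -Path $LoggingKey -Force | Out-Null }
foreach ($name in $Components) {
    Set-ItemProperty -Path $LoggingKey -Name $name -Value 1 -Type DWord
}
Get-ItemProperty -Path $LoggingKey | Select-Object $Components

# 4. Show the newest entries of the rule compilation log (assumed .log extension)
$log = Get-ChildItem -Path "$env:ProgramData\FSLogix\Logs\RuleCompilation" -Filter '*.log' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($log) { Get-Content -Path $log.FullName -Tail 20 }
```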

Rule Files

Copy the compiled rule set files from the folder C:\Program Files\FSLogix\Apps\CompiledRules and open them in an editor to compare their content with the original rule set files.

Compiled Rules

.fxc is the compiled rule file.

fxc file

.fxac is the compiled assignment file.

fxac File