App Layering

Deploy App layers as elastic layers

With the Elastic layers feature, you can deliver narrowly targeted apps outside of the base image. In fact, you can assign layers to specific users on demand. With the Elastic layer setting enabled in an image template, users who log on to the published images can be assigned specific app layers as elastic layers.

About elastic layers

An elastic layer is an app layer that you assign to individual users and groups for delivery on demand. Users receive the elastic layers assigned to them in addition to the apps included in the base image.

Elastic layers allow you to give each user a unique set of applications along with the common apps included in the base image. On session hosts, an elastic layer is used across sessions. On standalone desktops, elastic layers are used across floating pools and shared groups.

Based on user entitlements, elastic layers are delivered to users’ desktops upon login. You can assign elastic layers to users on session hosts, and also on standalone desktops, as long as the images were published using App Layering.

Elastic layer assignments

You can deliver a specific app layer version to members of a group each time they log in to their desktops. You assign the app layer version as an elastic layer. A copy of the layer is then stored in the appliance’s Network File Share, and delivered on-demand to the assigned AD users and groups, in addition to the layers that they receive via the base image.

To use this feature, you add Elastic Assignments specifying which users and groups receive each of the app layer. You then publish your base image with the Elastic Layering setting enabled.

How users access elastic layers assigned to them

When users log in to their session or desktop, icons for their elastic layers appear as shortcuts on the desktop.

A user receives an elastic layer in the following cases:

  • The user (an AD user in the management console) is assigned the layer.
  • An AD group that the user belongs to is assigned the layer.
  • A machine that the user logs into is a member of an AD Group that receives the elastic layer.
  • A machine that the user logs into is associated with an AD Group that is assigned to the layer via the management console.

When a user is assigned more than one version of a layer

When a layer is assigned directly to a user, and indirectly to one or more of the user’s groups, they receive the most recent directly assigned version. For example:

  • If the user is assigned Version 2, and a group that the user belongs to is assigned Version 3, the user gets Version 2.

  • If two or more groups that the user belongs to are assigned different versions of the same layer, the user receives the most recent version of the layer assigned.

When a user receives an app layer both in the base image, and as an elastic layer

When an app layer is included in the base image, do not assign it to the same user as an elastic layer. If the user does end up with the same layer assigned both ways, they receive the elastic layer, no matter the version.

Prerequisites

  • .NET Framework 4.5 is required on any layered Image where elastic layers are enabled.
  • The app layers that you want to assign as elastic layers.

Considerations

App layers with the same OS layer as the layered image

For best results, when assigning app layers as elastic layers, you can assign app layers that have the same OS layer as the one used in the layered image. However, with this traditional approach, you might need to create and manage additional copies of some app layers, one for each OS layer you deploy with.

OS layer switching for elastic layers

To assign an elastic layer to users on a layered image that uses a different OS layer, you need to enable this ability in the application layer properties by selecting the Allow this App Layer to be elastically assigned to all Layered Images, regardless of OS layer check box. All elastic layering limitations are valid when switching OS layers.

When it might work well

For simple applications that can be installed on any OS. Example: Notepad++, WinRAR, 7Zip

When it might not work well

For complex applications whose installation depends on the OS installed. Example:

  • If you use a Windows 10 OS layer to create the app layer, and the image assigned as a Server 2019 OS layer, then the application might not work as expected.
  • Applications that are dependent on a specific version of .Net might not run successfully if the new OS doesn’t have the correct version of .Net installed.

Note:

  • It is recommended that you use the same OS class and OS revisions that are close to each other. Example: You can use two Windows 10 22H2 revisions that are one week apart.
  • When using a different OS image, you must validate the layers that you are elastically assigning to any user. If the layers do not validate, you must create an application layer using the OS layer that is used for the image, and assign the layers to the user without selecting the Allow this App Layer to be elastically assigned to all Layered Images, regardless of OS layer check box.
  • When adding versions to an app layer, you must use the OS layer included in the original app layer.

Elastic Layering Limitations

You cannot use elastic layer for the following:

  • Microsoft Office, Office 365, Visual Studio.
  • Applications with drivers that use the driver store. Example: a printer driver.
  • Applications that modify the network stack or hardware. Example: a VPN client.
  • Applications that have boot level drivers. Example: a virus scanner.

An app layer does not preserve a local user or administrator that you add for an app that requires it, but the OS layer does. Therefore, add the local user or administrator to the OS layer before installing the application. Once the app layer is working, you can assign it as an elastic layer.

Elastic layer compatibility mode

When a user logs on to a desktop provisioned using a layered image, the elastic layer is composited into the image after the user logs on. If an elastic layer doesn’t load correctly, try enabling Elastic Layer Compatibility Mode. With Compatibility Mode enabled, the elastic layer starts loading before login is complete.

Important:

Compatibility mode is required when using published applications because the layer must be mounted before launch. Otherwise, we recommend disabling Compatibility Mode, unless an elastic layer doesn’t work as expected. Enabling this setting on too many layers slows login times.

The user account under which elastic layers run

By default, when the first user assigned an elastic layer logs on to their desktop, all elastic layers assigned to the user are mounted. Other users who log on to the machine hosting the layers use the same connection as the first user. The connection lasts for 10 hours after the first login, and then all elastic layers are disconnected. In a shift-based environment, users on the second shift would be impacted about two hours into the shift (or, 10 hours after the initial user logged on for the first shift).

If you are delivering elastic layers in a shift-based environment, you can change the default account under which all elastic layers run. Instead of running under the first user who logs in, you can change the default user for all elastic layers to the ulayer service, which runs under the local SYSTEM account. The SYSTEM account corresponds to the domain machine account of the machine that the ulayer service is running on when accessing the share. The file share containing your elastic layers requires read-only access, either for all users, or for each machine account.

  • To change the account for elastic layers to run under, create the registry DWORD value, and set it to 1:

    HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach to **1**

  • To revert to running elastic layers under the first user to log in, set the registry DWORD value to 0:

    HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach to **0**

  • To remove the setting so that elastic layers can only run in the default mode, remove the DWORD value:

    HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach

Enable elastic layers on your base images

You can enable elastic layers on your base (layered) images by configuring the image template that you use to publish them:

  1. In the management console, select the image template to use for publishing your layered images.

  2. Select the Images tab, and then the image template on which you want to enable elastic layering.

  3. Select Edit Template from the Action bar.

  4. Select the Layered Image Disk tab.

  5. In the Elastic layering field, select Application Layering.

  6. Select the Confirm and Complete tab, and click Save Template and Publish.

  7. Use your provisioning system to distribute the virtual machines.

    When the users log in, the desktop includes an icon for each of their elastic app layers.

Run the Elastic Fit analyzer on app layers

Before assigning an app layer elastically, use the Elastic Fit Analyzer to determine the likelihood that the layer assignment will be successful.

Elastic Fit analysis

In the Layer Details, the Elastic Fit rating indicates how likely it is that the layer works when elastically assigned.

Good Elastic Fit. This layer works when deployed elastically.

Elastic Fit Pass

Poor Elastic Fit. Delivering the layer elastically is not likely to work when deployed elastically. The layer can behave differently than it does when it is deployed in a layered image.

Elastic Fit Fail

Elastic Fit details

You can learn more about an app layer’s Elastic Fit rating by expanding the Elastic Fit Analysis. If the Elastic Fit is less than ideal, the list of violated rules is displayed.

Low Severity Warning. Delivering the layer elastically is unlikely to cause any change in behavior or functionality for most applications.

Low Severity Warning

Medium Severity Warning. Delivering the layer elastically can cause minor changes in behavior or functionality for some applications.

Medium Severity Warning

High Severity Warning. Delivering the layer elastically is likely to cause significant changes in behavior or functionality for many applications.

High Severity Warning

Note:

If you receive a warning that a master key file change has been detected, and you did not intentionally change that file, set the value of the DeleteMasterKeys flag in the registry location HKLM\System\ControlSet001\Services\Uniservice to 1 (true). Now when the app layer is finalized, master key files are deleted from the layer. This value is not persistent and only works per revision. It must be set each time a revision of the layer is created.

Analyze an app layer’s Elastic Fit

All new versions of a layer version are analyzed for elastic layering compatibility when they are finalized. To analyze existing app layers for Elastic Fit:

  1. Log in to the management console.
  2. Select Layers > App Layers.
  3. Select the layer to analyze, and click Analyze Layer.
  4. On the Select Versions tab, choose the Layer Versions to analyze.
  5. On the Confirm and Complete tab, click Analyze Layer Versions. The analysis takes seconds.
  6. To see the Elastic Fit Analysis, select the app layers module, move the mouse pointer over the layer icon and click the Info icon.
  7. Expand the Version Information for each layer version, and look for the Elastic Fit rating.
  8. For a detailed report, expand the Elastic Fit Details. If the Elastic Fit is less than ideal, the list of violated rules will be displayed.
  9. You can display the AD tree and hide the violated rules by clicking a button acknowledging that the layer is unlikely to work as expected.

Upgrading from earlier releases

After upgrading from an early App Layering release, the Elastic Fit Detail shows that existing layer versions have not been analyzed. The versions have a single High severity Elastic Fit Detail, and a Poor Elastic Fit. For an accurate reading, run the analysis on existing layer versions.

Elastically assign an app layer to AD users and groups

The first time you assign an app layer elastically, we recommend starting with a simple app like Notepad++ or GIMP.

  1. Log in to the management console as an Admin user, and select Layers > App Layers.
  2. Select an app layer that you do not plan to include in the base image, and select the app version you want to assign.
  3. Click Update Assignments.
  4. Select the version of the app layer that you want to assign users.
  5. Skip Image Template Assignment. This is for assigning the layer to an image template.
  6. Select the users and groups that you want to receive this app layer version.
  7. Review your selections, and click Assign Layers.

When the users log in, there is an icon for each elastic layer they’ve been assigned.

Elastically assign an app layer to users via machine assignments and associations

You can assign layers to a machine by adding the machine to, or associating the machine with, the AD Group. Then elastically assign the app layers to the AD Group.

The layers assigned to the machine are available to every user who successfully logs into that machine. The App Layering Service scans for changes to the machine’s AD group memberships and associations every 10 minutes. When the users log in, they see an icon for each elastic app layer they’ve been assigned.

Use Active Directory to add the machine to the AD Group

Assuming you have a published layered image booted in your environment, you can add the machine to an AD Group, and assign elastic layers to the AD Group.

  1. Use Active Directory (AD) to add the machine to an AD Group.

  2. Select an app layer that you do not plan to include in the base image, and elastically assign the layer to an AD Group.

  3. You can wait for AD to propagate the changes and for the App Layering Service, or you can force the App Layering Service to update its list of machine groups by doing one of the following:

    • Wait for the App Layering Service to detect the changes (within 10 minutes by default).

    • Restart the App Layering Service.

    • Reboot the App Layering Service Machine.

    • Run the refresh.groups command:

      C:\Program Files\Unidesk\Layering Services\ulayer.exe refresh.groups

Example

You start with an AD User, and AD Group, and a machine that you provisioned using a layered image.

  • AD User: Kenya
    • Kenya has no elastic assignments.
  • AD Group: Marketing
    • The Marketing group includes the member Kenya.
  • Machine: ElasticTestMachine
    • The ElasticTestMachine base image includes the MS Office App Layer.

In this example, you elastically assign the Chrome App layer to ElasticTestMachine:

  1. In AD, you add the machine ElasticTestMachine to the Marketing AD Group.
  2. In the management console you elastically assign the Chrome App Layer to the Marketing Group.
  3. When Kenya, who is part of the Marketing group, logs into ElasticTestMachine, she receives both the MS Office App layer, which is in the base image, and the Chrome App layer.
  4. When any user who is not in the Marketing group logs into ElasticTestMachine, they also receive both Layers: MS Office because it is in the base image, and Chrome because the ElasticTestMachine is a member of the Marketing AD Group.

Manage elastic assignments

You can:

  • Add an elastic assignment.
  • Update an app layer and elastically assign the new version of the layer.
  • Remove elastic assignments.
  • Debug an elastic assignment.

Update an app layer and its elastic assignments

You’ve added elastic assignments to an app layer, and users are accessing the app as expected. A new version of the application is released, so you update it with a new version to the layer. Now you need to assign the new version to the users who have the layer.

  1. Log in to the management console and select Layers > App Layers.

  2. Select the elastically assigned app layer that you updated.

  3. Click Version Information > Update Assignments.

  4. Select the new version.

  5. Skip the Image Template Assignment tab.

  6. In the Elastic Assignment tab, there’s a list of Users and Groups who have been assigned a different version of the selected layer. Select the users and groups to whom you want to assign the new version of the layer.

    Notes:

    • If the list is long, use the Search field to filter the results.
    • If the list is empty, click the check box called, Show AD users and groups already at this version. A list of grayed out names appears. These users have already been assigned the version.
  7. On the Confirm and Complete tab, verify the Users and Groups that you want to receive the new version.

  8. Click Update Assignments.

Remove a layer’s elastic assignments

  1. Log in to the management console and select Layers > App Layers.

  2. Select the app layer for which you want to remove assignments, and select Remove Assignments.

  3. Select the assigned templates from which you want to remove the layer. The assignments for the layer are listed.

    If the list is long, use the Search field to filter the results.

  4. On the Confirm and Complete tab, verify that the correct image templates are selected to receive the new version.

  5. Click Remove Assignments.

Troubleshooting elastic layer issues

You can diagnose the source of an elastic layering issue by finding out whether the layer is being delivered, and whether the layer is working correctly. If needed, collect data for support, as described here.

Is the issue with layer delivery?

Are the things that you’d expect to see when this app is installed there?

  • Do you see the files and registry entries for the layer?
  • If the app is supposed to be in the Start menu, is it there?
  • If you expect there to be a shortcut for the app on the user’s desktop, is there one?

If you discover that app delivery is an issue, you can collect the following data, open a case, and send the data to support.

  1. Collect the data from these logs:

    • Windows App Event log – In the Windows Event Viewer under Windows Logs, export the application event log as an EVTX file.
    • App Layering Service log (ulayersvc.log) – C:\ProgramData\Unidesk\Logs\ulayersvc.log
  2. Collect the values of these Registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Unidesk\ULayer:AssignmentFile
    • HKEY_LOCAL_MACHINE\SOFTWARE\Unidesk\ULayer:RepositoryPath
  3. Collect the contents of the assignment (ElasticLayerAssignments.json) and Layers (Layers.json) files from the Repository Path.

  4. Contact Support.

Is the issue an operational one?

Any of these behaviors can indicate an elastic layering issue:

  • The app is being delivered but doesn’t launch correctly.
  • An operation within the app doesn’t work correctly.
  • A licensing problem or a security issue.
  • The app launches, but then misbehaves, for example, it crashes on startup, or starts up but doesn’t work right.

If the problem with the layer is operational, test the app layer in the base image to rule out general layering issues:

  1. Add the app layer to an image template, and publish a layered image that includes the app layer.
  2. Log in as a user who is not assigned the layer elastically, and make sure that the application is operational in the base image.
  3. Contact Support with your findings.