Deploy App layers as elastic layers

The Elastic layers feature lets you deliver narrowly targeted apps outside of the base image. In fact, you can assign layers to specific users on demand. With the Elastic layer setting enabled in an image template, users who log on to the published images can be assigned specific app layers as elastic layers.

About elastic layers

An elastic layer is an app layer that you assign to individual users and groups for delivery on demand. Users receive the elastic layers assigned to them in addition to the apps included in the base image.

Elastic layers allow you to give each user a unique set of applications along with the common apps included in the base image. On session hosts, an elastic layer is used across sessions. On standalone desktops, elastic layers are used across floating pools and shared groups.

Based on user entitlements, elastic layers are delivered to users’ desktops upon login. You can assign elastic layers to users on session hosts, and also on standalone desktops, as long as the images were published using App Layering.

Elastic layers are a feature of App Layering. You cannot use elastic layers as published virtual apps in Citrix Virtual Apps and Desktops. And, you cannot assign a Citrix Virtual App as an elastic layer.

Elastic layer assignments

You can deliver an app layer to members of a group each time they log into their desktops. You assign the app layer as an elastic layer. A copy of the layer is then stored in the appliance’s Network File Share, and delivered on-demand to the assigned AD users and groups, in addition to the layers that they receive via the base image.

To use this feature, you add Elastic Assignments specifying which users and groups receive each of the app layers. You then publish your base image with the Elastic Layering setting enabled.

How users access elastic layers assigned to them

When users log into their session or desktop, icons for their elastic layers appear as shortcuts on the desktop.

A user receives an elastic layer in the following cases:

  • The user (an AD user in the management console) is assigned the layer.
  • An AD group that the user belongs to is assigned the layer.
  • A machine that the user logs into is a member of an AD Group that receives the elastic layer.
  • A machine that the user logs into is associated with an AD Group that is assigned to the layer via the management console.

When a user is assigned more than one version of a layer

When a layer is assigned directly to a user, and indirectly to one or more of the user’s groups, they receive the most recent directly assigned version. For example:

  • If the user is assigned Version 2, and a group that the user belongs to is assigned Version 3, the user gets Version 2.

  • If two or more groups that the user belongs to are assigned different versions of the same layer, the user receives the most recent version of the layer assigned.

When a user receives an app layer both in the base image, and as an elastic layer

When an app layer is included in the base image, do not assign it to the same user as an elastic layer. If the user does end up with the same layer assigned both ways, they receive the elastic layer, no matter the version.
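The delivery and version rules above, modelled as an added Python example (not Citrix code) that can be used to review who ends up with which layer. It assumes a higher version number is more recent and that groups reached through the machine rank with the user's own groups; the user Sam, the group Design and all version numbers are constructed.

```python
def resolve_layers(user, user_groups, machine_groups, assignments, base_image):
    """Work out which version of each layer one logon receives, and from where.

    assignments: (principal, layer, version) tuples; principal is a user or group name.
    base_image:  {layer: version} for the layers published in the layered image.
    """
    # Assumption: groups reached through the machine (membership or association)
    # rank together with the user's own groups; the page does not order the two.
    groups = set(user_groups) | set(machine_groups)
    direct, via_group = {}, {}
    for principal, layer, version in assignments:
        # Assumption: a higher version number means a more recent version.
        if principal == user:
            direct[layer] = max(version, direct.get(layer, version))
        elif principal in groups:
            via_group[layer] = max(version, via_group.get(layer, version))

    result = {layer: (version, "base image") for layer, version in base_image.items()}
    # An elastic assignment replaces the base-image copy, whatever the versions are.
    for layer, version in via_group.items():
        result[layer] = (version, "elastic via group")
    # A direct assignment wins over any group assignment of the same layer.
    for layer, version in direct.items():
        result[layer] = (version, "elastic direct")
    return result


# The Kenya example from later on this page; version numbers are constructed.
ASSIGNMENTS = [("Marketing", "Chrome", 1)]
BASE_IMAGE = {"MS Office": 1}


def kenya_on_test_machine():
    # Kenya is in Marketing, and ElasticTestMachine was added to Marketing too.
    return resolve_layers("Kenya", {"Marketing"}, {"Marketing"}, ASSIGNMENTS, BASE_IMAGE)


def outsider_on_test_machine():
    # Hypothetical user "Sam" is in no group; the machine's membership still applies.
    return resolve_layers("Sam", set(), {"Marketing"}, ASSIGNMENTS, BASE_IMAGE)


def version_precedence():
    # Direct Version 2 against group Version 3, and two groups with Versions 1 and 3.
    rules = [("Kenya", "GIMP", 2), ("Marketing", "GIMP", 3),
             ("Marketing", "Notepad++", 1), ("Design", "Notepad++", 3)]
    return resolve_layers("Kenya", {"Marketing", "Design"}, set(), rules, {})


if __name__ == "__main__":
    print(kenya_on_test_machine())
    print(outsider_on_test_machine())
    print(version_precedence())
```

The second result is the one to watch in an access review: a machine's group membership delivers the layer to every user who logs in there, whatever their own groups are.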

Prerequisites

  • .NET Framework 4.5 is required on any layered image where elastic layers are enabled.
  • The app layers you want to assign as elastic layers.

Considerations

App layers with the same OS layer as the layered image

For best results when assigning app layers as elastic layers, only assign app layers that have the same OS layer as the one used in the layered image.

OS layer switching for elastic layers

Though there is nothing to stop you from assigning an elastic layer to users on a layered image that uses a different OS layer, the results are not guaranteed. If your tests show that the layer works, feel free to use it.

Note:

When adding versions to an app layer, you must use the OS layer included in the original app layer.

Elastic Layering Limitations

You cannot elastically layer the following:

  • Microsoft Office, Office 365, Visual Studio.
  • Applications with drivers that use the driver store. Example: a printer driver.
  • Applications that modify the network stack or hardware. Example: a VPN client.
  • Applications that have boot level drivers. Example: a virus scanner.

An app layer does not preserve a local user or administrator that you add for an app that requires it, but the OS layer does. Therefore, add the local user or administrator to the OS layer before installing the application. Once the app layer is working, you can assign it as an elastic layer.

Elastic layer compatibility mode

When a user logs on to a desktop provisioned using a layered image, the elastic layer is composited into the image after the user logs on. If an elastic layer doesn’t load correctly, try enabling Elastic Layer Compatibility Mode. With Compatibility Mode enabled, the elastic layer starts loading before login is complete.

Important:

We recommend disabling Compatibility Mode, unless an elastic layer doesn’t work as expected. Enabling this setting on too many layers slows login times.

The user account under which elastic layers run

By default, when the first user assigned an elastic layer logs on to their desktop, all elastic layers assigned to the user are mounted. Other users who log on to the machine hosting the layers use the same connection as the first user. The connection lasts for 10 hours after the first login, and then all elastic layers are disconnected. In a shift-based environment, users on the second shift would be impacted about two hours into the shift (or, 10 hours after the initial user logged on for the first shift).

If you are delivering elastic layers in a shift-based environment, you can change the default account under which all elastic layers run. Instead of running under the first user who logs in, you can change the default user for all elastic layers to the ulayer service, which runs under the local SYSTEM account. The SYSTEM account corresponds to the domain machine account of the machine that the ulayer service is running on when accessing the share. The file share containing your elastic layers requires read-only access, either for all users, or for each machine account.

  • To change the account for elastic layers to run under, create the registry DWORD value, and set it to 1:

    HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach to 1

  • To revert back to running elastic layers under the first user to log in, set the registry DWORD value to 0:

    HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach to 0

  • To remove the setting so that elastic layers can only run in the default mode, remove the DWORD value:

    HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach

Enable elastic layers on your base images

You can enable elastic layers on your base (layered) images by configuring the image template that you use to publish them:

  1. In the management console, select the image template to use for publishing your layered images.

  2. Select the Images tab, and then the image template on which you want to enable elastic layering.

  3. Select Edit Template from the Action bar. The Edit Template wizard opens.

  4. Select the Layered Image Disk tab.

  5. In the Elastic layering field, select Application Layering.

  6. Select the Confirm and Complete tab, and click Save Template and Publish.

  7. Use your provisioning system to distribute the virtual machines.

    When the users log in, the desktop includes an icon for each of their elastic app layers.

Run the Elastic Fit analyzer on app layers

Before assigning an app layer elastically, use the Elastic Fit Analyzer to determine the likelihood that the layer assignment will be successful.

Elastic Fit analysis

In the Layer Details, the Elastic Fit rating indicates how likely it is that the layer works when elastically assigned.

Good Elastic Fit. This layer works when deployed elastically.

Poor Elastic Fit. The layer is not likely to work when deployed elastically. The layer can behave differently than it does when it is deployed in a layered image.

Elastic Fit details

You can learn more about an app layer’s Elastic Fit rating by expanding the Elastic Fit Analysis. If the Elastic Fit is less than ideal, the list of violated rules is displayed.

Low Severity Warning. Delivering the layer elastically is unlikely to cause any change in behavior or functionality for most applications.

Medium Severity Warning. Delivering the layer elastically can cause minor changes in behavior or functionality for some applications.

High Severity Warning. Delivering the layer elastically is likely to cause significant changes in behavior or functionality for many applications.

Analyze an app layer’s Elastic Fit

All new layer versions are analyzed for elastic layering compatibility when they are finalized. To analyze existing app layers for Elastic Fit:

  1. Log into the management console.
  2. Select Layers > App Layers.
  3. Select the layer to analyze, and click Analyze Layer.
  4. On the Select Versions tab, choose the Layer Versions to analyze.
  5. On the Confirm and Complete tab, click Analyze Layer Versions. The analysis takes seconds.
  6. To see the Elastic Fit Analysis, select the app layers module, move the mouse pointer over the layer icon and click the Info icon.
  7. Expand the Version Information for each layer version, and look for the Elastic Fit rating.
  8. For a detailed report, expand the Elastic Fit Details. If the Elastic Fit is less than ideal, the list of violated rules will be displayed.
  9. You can display the AD tree and hide the violated rules by clicking a button acknowledging that the layer is unlikely to work as expected.

Upgrading from earlier releases

After upgrading from an early App Layering release, the Elastic Fit Detail shows that existing layer versions have not been analyzed. The versions have a single High severity Elastic Fit Detail, and a Poor Elastic Fit. For an accurate reading, run the analysis on existing layer versions.

Elastically assign an app layer to AD users and groups

The first time you assign an app layer elastically, we recommend starting with a simple app like Notepad++ or GIMP.

  1. Log into the management console as an Admin user, and select Layers > App Layers.
  2. Select an app layer that you do not plan to include in the base image, and select Add Assignments.
  3. In the wizard that opens, select the version of the app layer that you want to assign users.
  4. Skip the Image Template Assignment tab. This tab is for assigning the layer to an image template.
  5. In the Elastic Assignment tab, select the users and groups you want to receive this app layer.
  6. In the Confirm and Complete tab, review your selections, and click Assign Layers.

When the users log in, there is an icon for each elastic layer they’ve been assigned.

Elastically assign an app layer to users via machine assignments and associations

You can assign layers to a machine by adding the machine to, or associating the machine with, the AD Group. Then elastically assign the app layers to the AD Group.

The layers assigned to the machine are available to every user who successfully logs into that machine. The App Layering Service scans for changes to the machine’s AD group memberships and associations every 10 minutes. When the users log in, they see an icon for each elastic app layer they’ve been assigned.

Use Active Directory to add the machine to the AD Group

Assuming you have a published layered image booted in your environment, you can add the machine to an AD Group, and assign elastic layers to the AD Group.

  1. Use Active Directory (AD) to add the machine to an AD Group.

  2. Select an app layer that you do not plan to include in the base image, and elastically assign the layer to an AD Group.

  3. Wait for AD to propagate the changes and for the App Layering Service to detect them, or force the App Layering Service to update its list of machine groups, by doing one of the following:

    • Wait for the App Layering Service to detect the changes (within 10 minutes by default).

    • Restart the App Layering Service.

    • Reboot the App Layering Service Machine.

    • Run the refresh.groups command:

      "C:\Program Files\Unidesk\Layering Services\ulayer.exe" refresh.groups

Example

You start with an AD User, an AD Group, and a machine that you provisioned using a layered image.

  • AD User: Kenya
    • Kenya has no elastic assignments.
  • AD Group: Marketing
    • The Marketing group includes the member Kenya.
  • Machine: ElasticTestMachine
    • The ElasticTestMachine base image includes the MS Office App Layer.

In this example, you elastically assign the Chrome App layer to ElasticTestMachine:

  1. In AD, you add the machine ElasticTestMachine to the Marketing AD Group.
  2. In the management console you elastically assign the Chrome App Layer to the Marketing Group.
  3. When Kenya, who is part of the Marketing group, logs into ElasticTestMachine, she receives both the MS Office App layer, which is in the base image, and the Chrome App layer.
  4. When any user who is not in the Marketing group logs into ElasticTestMachine, they also receive both Layers: MS Office because it is in the base image, and Chrome because the ElasticTestMachine is a member of the Marketing AD Group.

Use the management console to associate the machine with an AD Group

Associating a set of machines with an AD Group allows any machine running the App Layering Service to have layers elastically assigned to it via AD group membership.

Elastic layers granted via Machine association can be thought of as extending the layers assigned to a user. For example, if a machine matches multiple Machine Associations, only the unique layers are added to the ones the user already has.

In the management console, you use asterisk (*) wildcards in a machine name pattern to specify a set of machine names. For example:

     
    Machine name pattern   Matches these names            Does not match these names
    machine*               machine01; machineindetroit    amachine; localtestmachine
    *machine               amachine; localtestmachine     machine01; machineindetroit
    ky*eng                 ky02359eng; kytesteng          01ky_eng; testky01eng
    *eng*                  eng01; 1eng; 1eng01            en01; 1en; 1en01

You can create Machine Associations before or after elastically assigning App layers to the AD Group. Also, the machines do not need to exist when you add the associations, as the associations exist within App Layering only, and AD is not aware of them.
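An added Python example (not part of App Layering) that implements the asterisk matching from the table, checks it against every row, and lists the machines in an inventory that a pattern picks up beyond the intended set. Case-insensitive comparison is an assumption, and the group names, inventory and intended sets are constructed.

```python
import re


def pattern_to_regex(pattern):
    """Compile a machine name pattern in which '*' matches any run of characters."""
    # Escape each literal piece so '.', '?' or '[' in a pattern stay literal.
    body = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    # Assumption: names are compared case-insensitively, as Windows host names are.
    return re.compile(body, re.IGNORECASE)


def matches(pattern, machine_name):
    """True when the whole machine name fits the pattern."""
    return pattern_to_regex(pattern).fullmatch(machine_name) is not None


# Rows of the pattern table above: pattern -> (matching names, non-matching names).
TABLE = {
    "machine*": (["machine01", "machineindetroit"], ["amachine", "localtestmachine"]),
    "*machine": (["amachine", "localtestmachine"], ["machine01", "machineindetroit"]),
    "ky*eng": (["ky02359eng", "kytesteng"], ["01ky_eng", "testky01eng"]),
    "*eng*": (["eng01", "1eng", "1eng01"], ["en01", "1en", "1en01"]),
}


def table_holds():
    """Check the matcher against every row of the table."""
    for pattern, (hits, misses) in TABLE.items():
        if not all(matches(pattern, name) for name in hits):
            return False
        if any(matches(pattern, name) for name in misses):
            return False
    return True


def unintended_matches(associations, inventory, intended):
    """List machines that an association pattern picks up beyond the intended set.

    associations: {group: pattern}; inventory: machine names; intended: {group: set}.
    """
    report = {}
    for group, pattern in associations.items():
        wanted = intended.get(group, set())
        extra = sorted(m for m in inventory if matches(pattern, m) and m.lower() not in wanted)
        if extra:
            report[group] = extra
    return report


# Constructed sample data (hypothetical group and machine names).
ASSOCIATIONS = {"EngTools": "*eng*", "KyEngTools": "ky*eng"}
INVENTORY = ["eng01", "kytesteng", "challenger-pc", "finance07"]
INTENDED = {"EngTools": {"eng01", "kytesteng"}, "KyEngTools": {"kytesteng"}}

if __name__ == "__main__":
    print("table holds:", table_holds())
    print("unintended:", unintended_matches(ASSOCIATIONS, INVENTORY, INTENDED))
```

Because associations can be created before the machines exist, rerun the check whenever new machine names are added to the inventory.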

Associate a set of machines with an AD Group

  1. Log into the management console as an Admin user, and select Users > Tree.

  2. Expand the Tree, select the appropriate Group and click Edit Properties in the Action bar. This opens the Edit Group Wizard.

  3. Select the check box, Associate machines with this AD Group. This reveals the Machine Name Pattern field.

  4. Specify a set of machines to associate with the AD group by entering a machine name pattern. For examples, see the above table of Machine name patterns.

  5. On the Confirm and Complete tab, select Update Group. Notice the shape of a computer monitor superimposed over the group icon. This indicates that machines are associated with the group.

When you click the group’s icon, the Detail view includes a field called Associate With Machines.

Example

You start with the machine, Mach1, the AD Group, MachineGroup, and the App Layers for Firefox and MS Office.

  • Machine: Mach1
  • AD Group: MachineGroup
  • App Layers: Firefox, MS Office

Further, you have elastically assigned the Firefox and MS Office Layers to the AD Group.

Say you add a machine association to MachineGroup with a name pattern of Mach*. When a domain user logs into Mach1, they receive the Firefox and MS Office elastic app layers.

Manage elastic assignments

You can:

  • View a user’s elastic layer assignments.
  • Add an elastic assignment.
  • Update an app layer and elastically assign the new version of the layer.
  • Remove elastic assignments.
  • Debug an elastic assignment.

View a user’s elastic layer assignments

  1. Log into the management console and select Users > Tree.
  2. Select an AD User or Group, and click the “i” icon to the right of the name. If the user or group is assigned elastic layers, the layers are listed below the profile information in the Details window.

Update an app layer and its elastic assignments

You’ve added elastic assignments to an app layer, and users are accessing the app as expected. A new version of the application is released, so you update it with a new version to the layer. Now you need to assign the new version to the users who have the layer.

  1. Log into the management console and select Layers > App Layers.

  2. Select the elastically assigned app layer that you updated.

  3. Right-click the layer icon and select Update Assignments.

  4. In the wizard that opens, select the new version.

  5. Skip the Image Template Assignment tab.

  6. In the Elastic Assignment tab, there’s a list of Users and Groups who have been assigned a different version of the selected layer. Select the users and groups to whom you want to assign the new version of the layer.

    Notes:

    • If the list is long, use the Search field to filter the results.
    • If the list is empty, click the check box called, Show AD users and groups already at this version. A list of grayed out names appears. These users have already been assigned the version.
  7. On the Confirm and Complete tab, verify the Users and Groups that you want to receive the new version.

  8. Click Update Assignments.

Remove a layer’s elastic assignments

  1. Log into the management console and select Layers > App Layers.

  2. Select the app layer for which you want to remove assignments, and select Remove Assignments.

  3. In the wizard that opens, select the assigned templates from which you want to remove the layer. The assignments for the layer are listed.

    If the list is long, use the Search field to filter the results.

  4. On the Confirm and Complete tab, verify that the correct image templates are selected to receive the new version.

  5. Click Remove Assignments.

Troubleshooting elastic layer issues

You can diagnose the source of an elastic layering issue by finding out whether the layer is being delivered, and whether the layer is working correctly. If needed, collect data for support, as described here.

Is the issue with layer delivery?

Are the things you’d expect to see when this app is installed there?

  • Do you see the files and registry entries for the layer?
  • If the app is supposed to be in the Start menu, is it there?
  • If you expect there to be a shortcut for the app on the user’s desktop, is there one?

If you discover that app delivery is an issue, you can collect the following data, open a case, and send the data to support.

  1. Collect the data from these logs:

    • Windows App Event log – In the Windows Event Viewer under Windows Logs, export the application event log as an EVTX file.
    • App Layering Service log (ulayersvc.log) – C:\ProgramData\Unidesk\Logs\ulayersvc.log
  2. Collect the values of these Registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Unidesk\ULayer:AssignmentFile
    • HKEY_LOCAL_MACHINE\SOFTWARE\Unidesk\ULayer:RepositoryPath
  3. Collect the contents of the assignment (ElasticLayerAssignments.json) and Layers (Layers.json) files from the Repository Path.

  4. Contact Support.

Is the issue an operational one?

Any of these behaviors can indicate an elastic layering issue:

  • The app is being delivered but doesn’t launch correctly.
  • An operation within the app doesn’t work correctly.
  • A licensing problem or a security issue.
  • The app launches, but then misbehaves, for example, it crashes on startup, or starts up but doesn’t work right.

If the problem with the layer is operational, test the app layer in the base image to rule out general layering issues:

  1. Add the app layer to an image template, and publish a layered image that includes the app layer.
  2. Log in as a user who is not assigned the layer elastically, and make sure that the application is operational in the base image.
  3. Contact Support with your findings.