Deploy App layers as elastic layers
The Elastic layers feature lets you deliver narrowly targeted apps outside of the base image. In fact, you can assign layers to specific users on demand. With the Elastic layer setting enabled in an image template, users who log on to the published images can be assigned specific app layers as elastic layers.
About elastic layers
An elastic layer is an app layer that you assign to individual users and groups for delivery on demand. Users receive the elastic layers assigned to them in addition to the apps included in the base image.
Elastic layers allow you to give each user a unique set of applications along with the common apps included in the base image. On session hosts, an elastic layer is used across sessions. On standalone desktops, elastic layers are used across floating pools and shared groups.
Based on user entitlements, elastic layers are delivered to users’ desktops upon login. You can assign elastic layers to users on session hosts, and also on standalone desktops, as long as the images were published using App Layering.
Elastic layers are a feature of App Layering. You cannot use elastic layers as published virtual apps in Citrix Virtual Apps and Desktops. And, you cannot assign a Citrix Virtual App as an elastic layer.
Elastic layer assignments
You can deliver a specific app layer version to members of a group each time they log into their desktops. You assign the app layer version as an elastic layer. A copy of the layer is then stored in the appliance’s Network File Share, and delivered on-demand to the assigned AD users and groups, in addition to the layers that they receive via the base image.
To use this feature, you add Elastic Assignments specifying which users and groups receive each of the app layer. You then publish your base image with the Elastic Layering setting enabled.
How users access elastic layers assigned to them
When users log into their session or desktop, icons for their elastic layers appear as shortcuts on the desktop.
A user receives an elastic layer in the following cases:
- The user (an AD user in the management console) is assigned the layer.
- An AD group that the user belongs to is assigned the layer.
- A machine that the user logs into is a member of an AD Group that receives the elastic layer.
- A machine that the user logs into is associated with an AD Group that is assigned to the layer via the management console.
When a user is assigned more than one version of a layer
When a layer is assigned directly to a user, and indirectly to one or more of the user’s groups, they receive the most recent directly assigned version. For example:
If the user is assigned Version 2, and a group that the user belongs to is assigned Version 3, the user gets Version 2.
If two or more groups that the user belongs to are assigned different versions of the same layer, the user receives the most recent version of the layer assigned.
When a user receives an app layer both in the base image, and as an elastic layer
When an app layer is included in the base image, do not assign it to the same user as an elastic layer. If the user does end up with the same layer assigned both ways, they receive the elastic layer, no matter the version.
- .NET Framework 4.5 is required on any layered Image where elastic layers are enabled.
- The app layers you want to assign as elastic layers.
App layers with the same OS layer as the layered image
For best results when assigning app layers as elastic layers, only assign app layers that have the same OS layer as the one used in the layered image.
OS layer switching for elastic layers
Though there is nothing to stop you from assigning an elastic layer to users on a layered image that uses a different OS layer, the results are not guaranteed. If your tests show that the layer works, feel free to use it.
When adding versions to an app layer, you must use the OS layer included in the original app layer.
Elastic Layering Limitations
You cannot elastically layer the following:
- Microsoft Office, Office 365, Visual Studio.
- Applications with drivers that use the driver store. Example: a printer driver.
- Applications that modify the network stack or hardware. Example: a VPN client.
- Applications that have boot level drivers. Example: a virus scanner.
An app layer does not preserve a local user or administrator that you add for an app that requires it, but the OS layer does. Therefore, add the local user or administrator to the OS layer before installing the application. Once the app layer is working, you can assign it as an elastic layer.
Elastic layer compatibility mode
When a user logs on to a desktop provisioned using a layered image, the elastic layer is composited into the image after the user logs on. If an elastic layer doesn’t load correctly, try enabling Elastic Layer Compatibility Mode. With Compatibility Mode enabled, the elastic layer starts loading before login is complete.
Compatibility mode is required when using published applications because the layer must be mounted prior to launch. Otherwise, we recommend disabling Compatibility Mode, unless an elastic layer doesn’t work as expected. Enabling this setting on too many layers slows login times.
The user account under which elastic layers run
By default, when the first user assigned an elastic layer logs on to their desktop, all elastic layers assigned to the user are mounted. Other users who log on to the machine hosting the layers use the same connection as the first user. The connection lasts for 10 hours after the first login, and then all elastic layers are disconnected. In a shift-based environment, users on the second shift would be impacted about two hours into the shift (or, 10 hours after the initial user logged on for the first shift).
If you are delivering elastic layers in a shift-based environment, you can change the default account under which all elastic layers run. Instead of running under the first user who logs in, you can change the default user for all elastic layers to the
ulayer service, which runs under the local
SYSTEM account. The
SYSTEM account corresponds to the domain machine account of the machine that the
ulayer service is running on when accessing the share. The file share containing your elastic layers requires
read-only access, either for all users, or for each machine account.
To change the account for elastic layers to run under, create the registry
DWORDvalue, and set it to 1:
HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach to **1**
To revert back to running elastic layers under the first user to log in, set the registry
DWORDvalue to 0:
HKEY_LOCAL_MACHINE\Software\Unidesk\Ulayer:AsSelfAppAttach to **0**
To remove the setting so that elastic layers can only run in the default mode, remove the
Enable elastic layers on your base images
You can enable elastic layers on your base (layered) images by configuring the image template that you use to publish them:
In the management console, select the image template to use for publishing your layered images.
Select the Images tab, and then the image template on which you want to enable elastic layering.
Select Edit Template from the Action bar.
Select the Layered Image Disk tab.
In the Elastic layering field, select Application Layering.
Select the Confirm and Complete tab, and click Save Template and Publish.
Use your provisioning system to distribute the virtual machines.
When the users log in, the desktop includes an icon for each of their elastic app layers.
Run the Elastic Fit analyzer on app layers
Before assigning an app layer elastically, use the Elastic Fit Analyzer to determine the likelihood that the layer assignment will be successful.
Elastic Fit analysis
In the Layer Details, the Elastic Fit rating indicates how likely it is that the layer works when elastically assigned.
Good Elastic Fit. This layer works when deployed elastically.
Poor Elastic Fit. Delivering the layer elastically is not likely to work when deployed elastically. The layer can behave differently than it does when it is deployed in a layered image.
Elastic Fit details
You can learn more about an app layer’s Elastic Fit rating by expanding the Elastic Fit Analysis. If the Elastic Fit is less than ideal, the list of violated rules is displayed.
Low Severity Warning. Delivering the layer elastically is unlikely to cause any change in behavior or functionality for most applications.
Medium Severity Warning. Delivering the layer elastically can cause minor changes in behavior or functionality for some applications.
High Severity Warning. Delivering the layer elastically is likely to cause significant changes in behavior or functionality for many applications.
If you receive a warning that a master key file change has been detected, and you did not intentionally change that file, set the value of the
DeleteMasterKeysflag in the registry location
HKLM\System\ControlSet001\Services\Uniserviceto 1 (true). Now when the app layer is finalized, master key files will be deleted from the layer. This value is not persistent and only works per revision. It must be set each time a revision of the layer is created.
Analyze an app layer’s Elastic Fit
All new versions of a layer version are analyzed for elastic layering compatibility when they are finalized. To analyze existing app layers for Elastic Fit:
- Log into the management console.
- Select Layers > App Layers.
- Select the layer to analyze, and click Analyze Layer.
- On the Select Versions tab, choose the Layer Versions to analyze.
- On the Confirm and Complete tab, click Analyze Layer Versions. The analysis takes seconds.
- To see the Elastic Fit Analysis, select the app layers module, move the mouse pointer over the layer icon and click the Info icon.
- Expand the Version Information for each layer version, and look for the Elastic Fit rating.
- For a detailed report, expand the Elastic Fit Details. If the Elastic Fit is less than ideal, the list of violated rules will be displayed.
- You can display the AD tree and hide the violated rules by clicking a button acknowledging that the layer is unlikely to work as expected.
Upgrading from earlier releases
After upgrading from an early App Layering release, the Elastic Fit Detail shows that existing layer versions have not been analyzed. The versions have a single High severity Elastic Fit Detail, and a Poor Elastic Fit. For an accurate reading, run the analysis on existing layer versions.
Elastically assign an app layer to AD users and groups
The first time you assign an app layer elastically, we recommend starting with a simple app like Notepad++ or GIMP.
- Log into the management console as an Admin user, and select Layers > App Layers.
- Select an app layer that you do not plan to include in the base image, and select the app version you want to assign.
- Click Update Assignments.
- Select the version of the app layer that you want to assign users.
- Skip Image Template Assignment. This is for assigning the layer to an image template.
- Select the users and groups you want to receive this app layer version.
- Review your selections, and click Assign Layers.
When the users log in, there is an icon for each elastic layer they’ve been assigned.
Elastically assign an app layer to users via machine assignments and associations
You can assign layers to a machine by adding the machine to, or associating the machine with, the AD Group. Then elastically assign the app layers to the AD Group.
The layers assigned to the machine are available to every user who successfully logs into that machine. The App Layering Service scans for changes to the machine’s AD group memberships and associations every 10 minutes. When the users log in, they see an icon for each elastic app layer they’ve been assigned.
Use Active Directory to add the machine to the AD Group
Assuming you have a published layered image booted in your environment, you can add the machine to an AD Group, and assign elastic layers to the AD Group.
Use Active Directory (AD) to add the machine to an AD Group.
Select an app layer that you do not plan to include in the base image, and elastically assign the layer to an AD Group.
You can wait for AD to propagate the changes and for the App Layering Service, or you can force the App Layering Service to update its list of machine groups by doing one of the following:
Wait for the App Layering Service to detect the changes (within 10 minutes by default).
Restart the App Layering Service.
Reboot the App Layering Service Machine.
Run the refresh.groups command:
C:\Program Files\Unidesk\Layering Services\ulayer.exe refresh.groups
You start with an AD User, and AD Group, and a machine that you provisioned using a layered image.
- AD User: Kenya
- Kenya has no elastic assignments.
- AD Group: Marketing
- The Marketing group includes the member Kenya.
- Machine: ElasticTestMachine
- The ElasticTestMachine base image includes the MS Office App Layer.
In this example, you elastically assign the Chrome App layer to ElasticTestMachine:
- In AD, you add the machine ElasticTestMachine to the Marketing AD Group.
- In the management console you elastically assign the Chrome App Layer to the Marketing Group.
- When Kenya, who is part of the Marketing group, logs into ElasticTestMachine, she receives both the MS Office App layer, which is in the base image, and the Chrome App layer.
- When any user who is not in the Marketing group logs into ElasticTestMachine, they also receive both Layers: MS Office because it is in the base image, and Chrome because the ElasticTestMachine is a member of the Marketing AD Group.
Manage elastic assignments
- Add an elastic assignment.
- Update an app layer and elastically assign the new version of the layer.
- Remove elastic assignments.
- Debug an elastic assignment.
Update an app layer and its elastic assignments
You’ve added elastic assignments to an app layer, and users are accessing the app as expected. A new version of the application is released, so you update it with a new version to the layer. Now you need to assign the new version to the users who have the layer.
Log into the management console and select Layers > App Layers.
Select the elastically assigned app layer that you updated.
Click Version Information > Update Assignments.
Select the new version.
Skip the Image Template Assignment tab.
In the Elastic Assignment tab, there’s a list of Users and Groups who have been assigned a different version of the selected layer. Select the users and groups to whom you want to assign the new version of the layer.
- If the list is long, use the Search field to filter the results.
- If the list is empty, click the check box called, Show AD users and groups already at this version. A list of grayed out names appears. These users have already been assigned the version.
On the Confirm and Complete tab, verify the Users and Groups that you want to receive the new version.
Click Update Assignments.
Remove a layer’s elastic assignments
Log into the management console and select Layers > App Layers.
Select the app layer for which you want to remove assignments, and select Remove Assignments.
Select the assigned templates from which you want to remove the layer. The assignments for the layer are listed.
If the list is long, use the Search field to filter the results.
On the Confirm and Complete tab, verify that the correct image templates are selected to receive the new version.
Click Remove Assignments.
Troubleshooting elastic layer issues
You can diagnose the source of an elastic layering issue by finding out whether the layer is being delivered, and whether the layer is working correctly. If needed, collect data for support, as described here.
Is the issue with layer delivery?
Are the things you’d expect to see when this app is installed there?
- Do you see the files and registry entries for the layer?
- If the app is supposed to be in the Start menu, is it there?
- If you expect there to be a shortcut for the app on the user’s desktop, is there one?
If you discover that app delivery is an issue, you can collect the following data, open a case, and send the data to support.
Collect the data from these logs:
- Windows App Event log – In the Windows Event Viewer under Windows Logs, export the application event log as an EVTX file.
- App Layering Service log (ulayersvc.log) – C:\ProgramData\Unidesk\Logs\ulayersvc.log
Collect the values of these Registry keys:
Collect the contents of the assignment (ElasticLayerAssignments.json) and Layers (Layers.json) files from the Repository Path.
Is the issue an operational one?
Any of these behaviors can indicate an elastic layering issue:
- The app is being delivered but doesn’t launch correctly.
- An operation within the app doesn’t work correctly.
- A licensing problem or a security issue.
- The app launches, but then misbehaves, for example, it crashes on startup, or starts up but doesn’t work right.
If the problem with the layer is operational, test the app layer in the base image to rule out general layering issues:
- Add the app layer to an image template, and publish a layered image that includes the app layer.
- Log in as a user who is not assigned the layer elastically, and make sure that the application is operational in the base image.
- Contact Support with your findings.
In this article
- About elastic layers
- Enable elastic layers on your base images
- Run the Elastic Fit analyzer on app layers
- Elastic Fit details
- Elastically assign an app layer to AD users and groups
- Elastically assign an app layer to users via machine assignments and associations
- Manage elastic assignments
- Remove a layer’s elastic assignments