Citrix DaaS

App packages

Microsoft provides three packaging technologies to deliver applications to users: App-V, MSIX, and MSIX app attach. This article walks you through how to deploy and deliver these packaged applications in your Citrix DaaS environment:

Deploy and deliver App-V applications

This section covers the following information:

  • Overview. Describes the management methods that Citrix DaaS uses to deliver and manage the App-V packages.
  • Procedures. Provides procedures for deploying and delivering these packages.

Overview

This section describes the management methods that Citrix DaaS uses to deliver and manage the App-V packages. For more information about the components and concepts with which you interact when delivering App-V packaged applications, see the Microsoft documentation: https://docs.microsoft.com/en-us/windows/application-management/app-v/appv-for-windows.

Citrix DaaS delivers and manages App-V packages using the following methods:

  • Dual Admin. Application packages are configured and managed on App-V servers. Citrix DaaS and App-V servers work together to deliver and manage packages.

    This method requires Citrix DaaS to periodically refresh the snapshot view of the App-V server’s state. It incurs hardware, infrastructure, and administration overhead. Citrix DaaS and App-V servers must stay synchronized, particularly for user permissions.

    Dual Admin works best in deployments where App-V and Citrix Cloud are closely coupled:

    • App-V management server. Publishes and manages the lifecycle of App-V Packages and the Dynamic Configuration Files.
    • Citrix Personalization component installed on VDA machines. Manage the registration of the appropriate App-V publishing server required for application launches.

    This method ensures that the App-V publishing server is synchronized for the user at the appropriate time. The publishing server maintains other aspects of the package life cycle, such as refresh on logon and connection groups.

  • Single Admin. Application packages are stored on network shares. Citrix DaaS delivers and manages packages independently.

    This method reduces overhead because the App-V servers and database infrastructure aren’t needed in the deployment.

    In this method, you store App-V packages on a network share and upload their metadata from that location to Citrix Cloud. The Citrix Personalization component installed on VDA machines then manages and delivers applications as follows:

    • Process the Deployment Configuration Files and User Configuration Files when an application is launched.

    • Manage all aspects of the life cycles for packages on the host machine.

You can use both management methods simultaneously. In other words, when you add applications to delivery groups, the applications can come from App-V packages present on App-V servers or on network shares.

Note:

If you’re using both management methods simultaneously and the App-V package has a Dynamic Configuration File in both locations, the file on the App-V server (Dual Admin) is used.

Procedures

To support the delivery of App-V applications, you must install the Citrix Personalization component on VDA machines. See Install the Citrix Personalization component on VDA machines for details.

To deliver App-V packaged applications to your users, follow these steps:

  1. Store application packages on network shares.
  2. Upload application packages into Citrix Cloud.
  3. Add applications to delivery groups.
  4. To enable automatic delivery of interdependent App-V packages, create isolation groups.

To have Citrix DaaS recognize and apply App-V Dynamic Configuration Files in the Single Admin method, see this Citrix blog.

Deploy and deliver MSIX and MSIX app attach applications

This section covers the following information:

  • Overview. Describes how Citrix DaaS delivers and manages the MSIX and MSIX app attach packages.
  • Procedures. Provides procedures for deploying and delivering these packages.

Overview

Citrix DaaS delivers MSIX and MSIX app attach applications to users through the Citrix Personalization component installed on VDA machines. This component manages all aspects of the life cycles for packages on the host machine.

For more information about MSIX and MSIX app attach, see the Microsoft documentation: https://docs.microsoft.com/en-us/windows/msix/ and https://docs.microsoft.com/en-us/azure/virtual-desktop/what-is-app-attach respectively.

Procedures

To support the delivery of MSIX and MSIX app attach packages, you must install the Citrix Personalization component on VDA machines. See Install the Citrix Personalization component on VDA machines for details.

To deliver MSIX and MSIX app attach packaged applications to your users, follow these steps:

  1. Store application packages on network shares.
  2. Upload application packages into Citrix Cloud.
  3. Add applications to delivery groups.

Install the Citrix Personalization component on VDA machines

The Citrix Personalization component manages the publishing process for application packages in App-V, MSIX, and MSIX app attach formats. This component isn’t installed by default when you install a VDA. You can install the component during or after VDA installation.

To install the component during VDA installation, use either of the following ways:

  • In the installation wizard, go to the Additional Components page and then select the Citrix Personalization for App-V - VDA check box.
  • In the command line interface, use the /includeadditional “Citrix Personalization for App-V – VDA” option.

To install the component after VDA installation, follow these steps:

  1. On the VDA machine, go to Control Panel > Programs > Programs and Features, right-click Citrix Virtual Delivery Agent, and then select Change.
  2. In the wizard that appears, proceed to the Additional Components page and then enable the Citrix Personalization for App-V - VDA check box.

Note:

Microsoft App-V Desktop Client is the component that runs virtual applications from App-V packages on user devices. Windows 10 (1607 or later), Windows Server 2016, and Windows Server 2019 already include this App-V client software. You only need to enable it on VDA machines. For more information, see this Microsoft documentation article: https://docs.microsoft.com/en-us/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.

Store application packages on network shares

After you set up the infrastructure, generate the application packages and store them in a network location, such as a UNC or SMB network share, or on an Azure File Share.

Detailed steps are as follows:

  1. Generate application packages. See the Microsoft documentation for details.

  2. Store application packages in a network location:

    • For App-V Single Admin: Store the packages and the corresponding Dynamic Configuration Files (App-V) on a UNC or SMB network share or on an Azure File Share.

    • For App-V Dual Admin: Publish the packages onto the App-V management server from a UNC path. (Publishing from HTTP URLs isn’t supported.)

    • For MSIX or MSIX app attach: Store the packages on a UNC or SMB network share or on an Azure File Share.

  3. Make sure that the VDA has read permission on the package storage path:

    • If you store packages on a UNC or SMB network share in your AD domain, grant the VDA machine read permission to the storage path. To do so, you can give the machine’s AD account read permission to the share explicitly, or include the account in an AD group that has that permission.

    • If you store packages on an Azure File Share, first grant a user account read permission to the storage path in Azure. Next, configure ctxAppVService running on the VDA machine to use that user account to access the package storage path. See the following section for detailed steps.

Change the user logon account

The VDA calls ctxAppVService to access package storage paths. By default, ctxAppVService accesses package storage paths using the machine’s Local System account. This type of machine authentication works in AD domains. However, it doesn’t work in the AD and Azure AD integration scenarios, which require user account-based authentication.

If you store packages on an Azure File Share, change the logon account for ctxAppVService to a user account that has read permission on the package storage path. Detailed steps are as follows:

  1. Start Services, right-click ctxAppVService, and then select Properties.

  2. On the Log on tab, select This account, enter a user account that has read permission to the package storage path, and then enter the user’s password twice.

  3. Click OK.

Upload application packages into Citrix Cloud

After you store application packages to a network location as needed, upload them to Citrix Cloud for delivery. Use either of the following methods as needed:

Preparations

Citrix DaaS uses a VDA machine to set up the connection to the network location for package discovery. Therefore, create a delivery group beforehand and make sure that at least one VDA in the group meets the following requirements:

  • VDA version:
    • To discover App-V packages: 2203 or later
    • To discover MSIX and MSIX app attach packages: 2209 or later
  • Citrix Personalization for App-V component: Installed
  • Permission on the package location: Read (See Step 2: Store application packages on network shares for details.)
  • Power: On
  • State: Registered

Required roles

By default, if you have the Cloud Administrator or Full Administrator role, you can upload application packages to Citrix Cloud. You can also create custom roles to perform the upload actions. The following table lists the permissions required by the App packages actions.

Action Required permission
Add package (upload one by one) Create Application Discovery Sessions
Add source (upload in bulk) Create Application Discovery Profiles
Check for package updates Create Application Discovery Sessions
Remove source Remove Application Discovery Profiles

Upload application packages in bulk

Upload packages in a network location to Citrix Cloud. Make sure that you have the following items ready before the upload:

  • A delivery group that meets the Preparation requirements
  • The network location path

To upload packages in bulk, follow these steps:

  1. From Manage > Full Configuration, select App Packages in the left pane.
  2. On the Sources tab, click the Add Source button. The Add Source page appears.
  3. In the Name field, enter a descriptive name for the package source.
  4. In the Delivery group field, click Select a delivery group. Next, select a delivery group that meets the requirements stated in Preparation and then click OK.
  5. In the Location type field, select Microsoft App-V server or Network share based on where you store the packages, and then complete the corresponding settings:
    • If you select Microsoft App-V server, enter the following information:
      • URL of the Management server. Example: http://appv-server.example.com
      • Login credentials of the management server administrator.
      • URL and port number of the publishing server. Example: http://appv-server.example.com:3330
    • If you selected Network share, specify the following information:
      • Enter the UNC path of the network share. Example: \\Package-Server\apps\
      • Select the package types that you want to upload. Options include App-V, MSIX, and MSIX app attach.
      • Specify whether to search subfolders for packages.
  6. Click Add Source.

    The Add Source page closes and the newly added source appears in the source list. Citrix DaaS uploads the packages to Citrix Cloud using a VDA in the delivery group. After the upload completes, the Status field shows Import successful. The corresponding packages appear on the Packages tab.

    Note:

    To check for package updates in a source location and import them to Citrix Cloud, select the location in the source list and click Check for Package Updates.

Upload application packages one by one

Upload an application package from a network share to Citrix Cloud. Before the upload, make sure that you have the following items ready:

  • A delivery group that meets the requirements stated in Preparation
  • The network location path.

To upload a package to Citrix Cloud, follow these steps:

  1. From Manage > Full Configuration, select App Packages in the left pane.
  2. On the Packages tab, click the Add Package button. The Add Package page appears.
  3. In the Delivery group field, click Select a delivery group. Next, select a delivery group that meets the requirements stated in Preparation, and then click OK.
  4. In the Package full path field, enter a path as needed:
    • To upload several packages at a time, enter their full paths, separated by semicolons (;). Example: \\Package-Server\apps\office365.appv;\\Package-Server\apps\skype.msix;\\Package-Server\apps\slack.vhd
    • To upload all packages present on a network share, enter the storage path. Example: \package-Server\apps\
  5. Click Add Package.

    The application package appears on the Packages tab.

Add applications to delivery groups

After an application package is fully uploaded, add its applications to one or more delivery groups as needed. As a result, users associated with those delivery groups can access the applications.

Note:

Packaged applications can be assigned only to delivery groups of the Applications or Desktops and Applications type.

To add one or more applications in a package to several delivery groups, follow these steps:

  1. From Manage > Full Configuration, select App Packages in the left pane.
  2. On the Packages tab, select a package as needed.
  3. In the action bar, click Assign Applications to Delivery Groups. The Assign Applications to Delivery Groups page appears.
  4. Select one or more applications in the package as needed, and then click Next. Delivery groups of the Applications or Desktops and Applications delivery type appear.
  5. In the delivery groups list, select the groups to which you want to assign the applications, and then click Next. Note: If you selected an MSIX or MSIX app attach package, only delivery groups whose functional level is 2106 or later are shown in the list.
  6. Click Finish.

You can also add packaged applications to a delivery group when:

(Optional) Create isolation groups for App-V packages

You can create isolation groups to enable the automatic delivery of interdependent App-V packages.

Note:

Isolation groups are supported for the App-V Single Admin method. If you’re using the App-V Dual Admin method, you can achieve the same goal by creating connection groups in the Microsoft App-V infrastructure. For more information, see this Microsoft documentation article: https://docs.microsoft.com/en-us/windows/application-management/app-v/appv-connection-group-file.

About isolation groups

An isolation group is a collection of interdependent application packages that must run in the same Windows Sandbox to create a virtual environment. Citrix App-V isolation groups are similar but not identical to App-V connection groups. An isolation group includes two types of packages:

  • Explicit application packages. Applications with specific licensing requirements. You can restrict those applications to a specific range of users by adding them to delivery groups.
  • Automatic application packages. Applications that are always available to all users regardless of whether they are added to delivery groups.

For example, the application app-a requires JRE 1.7 to run. You can create an isolation group that contains app-a (marked as Explicit) and JRE 1.7 (marked as Automatic). Next, add the App-V package for app-a to one or more delivery groups. When a user launches app-a, JRE 1.7 is automatically deployed with it.

When a user starts an App-V application marked as Explicit in an isolation group, Citrix DaaS checks the user’s access permission to the application in delivery groups. If the user has permission to access the application, any Automatic application packages in the same isolation group are made available to the user.

You do not need to add the Automatic packages to any delivery group. If there’s another Explicit application package in the isolation group, that package is made available to the user only if it is in the same delivery group.

For more information about isolated groups, see this Citrix blog.

Create an App-V isolation group

Create an isolation group and add interdependent application packages to it. Detailed steps are as follows:

  1. On the Isolation Groups tab, click Add Isolation Group.
  2. Enter a name and description for the isolation group. All application packages in Citrix Cloud appear in the Available Packages list.
  3. From the Available Packages list, select an application as needed, and then click the right arrow. The selected application appears in the Packages in Isolation Group list.
  4. In the Deployment field, select Explicit or Automatic for the application.
  5. Repeat steps 2–3 to add more packages.
  6. To adjust the order of packages in the list, click the up or down arrow.
  7. Click Save.

Note:

Isolation Group configurations result in the creation of an App-V Connection Groups on the VDA. Deployment scenarios can become complex and the App-V client supports packages that are only in one active Connection Group at a time. We recommend that you avoid adding the same package to two different isolation groups that are added to the same delivery group.

Publish packaged applications on single-session or shared desktop VDAs

You can now deliver App-V, MSIX, and MSIX app attach packages to your single-session or shared desktop VDA sessions directly through delivery groups. You can access the packaged applications on your desktop VDA at sign-in based on the accessibility permissions set on the applications.

Benefits

  • Applications available on the VDA at sign-in and not staged on demand through Workspace or StoreFront.
  • Improved launch time when accessing the packaged applications.
  • Facilitates maintenance of the packaged applications independently, separate from the VDA’s base image.

Considerations

  • This option is available for single-session VDAs only through the appropriate PowerShell SDK. It is not currently available in the Full Configuration workflow. Publishing to shared desktops can be done with the PowerShell SDK or in the existing way through the Full Configuration workflow. For more information on the existing procedure, see Add applications to delivery groups.
  • Applications must be part of a delivery group.

Before you begin

Procedure

To deliver packaged applications to desktop VDAs, follow these steps:

  1. Import application packages to Full Configuration.
  2. Publish the packaged BrokerApplication.
  3. Limit the visibility of applications on Full Configuration.

Import application packages to Full Configuration

  1. Sign in to Citrix Cloud.
  2. In the DaaS tile, click Manage.
  3. Go to Delivery Groups page, and create a delivery group. For more information, see Create delivery groups.
  4. Import the application packages to Full Configuration. For more information, see Upload application packages into Citrix Cloud.

Publish the packaged application on BrokerApplication

If you are publishing to a multi-session (shared) VDA or to a single-session application VDA, then the publishing procedure is unchanged. For more information, see Add applications to delivery groups. When you are publishing to a single-session desktop VDA, do the following:

On the Delivery Controller, run the following PowerShell commands:

  1. To retrieve the commands present in the package:

    Import-Module "D:\Support\Tools\Scripts\Citrix.Cloud.AppLibrary.Admin.v1.psm1"

    Note:

    The version of the App-V package discovery module that supports this functionality is present on the Citrix Virtual Apps and Desktops ISO (2311 or higher versions) on this path.

  2. To retrieve the relevant delivery group IDs and packaged application IDs:

    Get-BrokerDesktopGroup | Format-Table Uid, Name Get-AppLibAppVApplication | Format-Table Uid, Name

  3. To publish the packages and create the appropriate BrokerMachineConfigurations:

    Publish-PackagedApplication -AppLibararyApplicationUid <AppLibararyApplication.Uid > -DesktopGroupUid <DesktopGroup.Uid>

  4. To synchronize the Broker configurations, which are later sent out to the Broker agent on VDA:

    Update-DesktopGroupMachineConfigurations -DesktopGroupUid <DesktopGroup.Uid>

    Note:

    Ensure to run the PowerShell command Update-DesktopGroupMachineConfigurations after you publish or remove packaged applications from a VDA.

Limit the visibility of applications on Full Configuration

By default, users have all the packaged applications assigned to the delivery group serving their VDA available on their desktop session. You can control the visibility of packaged applications on the desktop VDAs by setting the visibility of applications to specific users or groups on the Full Configuration. To manage the visibility of packaged applications, see Change Application Properties or refer to the following images.

Application properties

Application visibility