Using App-V with Citrix Virtual Apps and Desktops
Microsoft Application Virtualization (App-V) lets you deploy, update, and support applications as services. Users access applications without installing them on their own devices. App-V and Microsoft User State Virtualization (USV) provide access to applications and data, regardless of location and connection to the internet. The following table lists supported versions.
|App-V||Citrix Virtual Apps and Desktops Delivery Controller||Citrix Virtual Apps and Desktops VDA|
|5.0 and 5.0 SP1||XenDesktop 7 through current, XenApp 7.5 through current||7.0 through current|
|5.0 SP2||XenDesktop 7 through current, XenApp 7.5 through current||7.1 through current|
|5.0 SP3 and 5.1||XenDesktop 7.6 through current, XenApp 7.6 through current||7.6.300 through current|
|App-V in Windows Server 2016||XenDesktop 7.12 through current, XenApp 7.12 through current||7.12 through current|
The App-V client does not support offline access to applications. App-V integration support includes using SMB shares for applications. The HTTP protocol is not supported. If you’re not familiar with App-V, see the Microsoft documentation. Here’s a recap of the App-V components mentioned in this article:
- Management server. Provides a centralized console to manage App-V infrastructure and delivers virtual applications to both the App-V Desktop Client and a Remote Desktop Services Client. The App-V management server authenticates, requests, and provides the security, metering, monitoring, and data gathering required by the administrator. The server uses Active Directory and supporting tools to manage users and applications.
- Publishing server. Provides App-V clients with applications for specific users, and hosts the virtual application package for streaming. It fetches the packages from the management server.
- Client. Retrieves virtual applications, publishes the applications on the client, and automatically sets up and manages virtual environments at runtime on Windows devices. You install the App-V client on the VDA, where it stores user-specific virtual application settings such as registry and file changes in each user’s profile.
Applications are available seamlessly without any pre-configuration or changes to operating system settings. You can launch App-V applications from Server OS and Desktop OS Delivery Groups:
- Through Citrix Workspace app
- Through the App-V client and Citrix Workspace app
- Simultaneously by multiple users on multiple devices
- Through Citrix StoreFront
Modified App-V application properties are implemented when the application is started. For example, for applications with a modified display name or customized icon, the modification appears when users start the application. Application customizations saved in dynamic configuration files are also applied when the application is launched.
You can use App-V packages and dynamic configuration files created with the App-V sequencer and then located on either App-V servers or network shares.
App-V servers: Using applications from packages on App-V servers requires ongoing communication between Studio and the App-V servers for discovery, configuration, and downloading to the VDAs. This incurs hardware, infrastructure, and administration overhead. Studio and the App-V servers must remain synchronized, particularly for user permissions.
This is called the dual admin management method because App-V package and application access requires both Studio and the App-V server consoles. This method works best in closely coupled App-V and Citrix deployments. In this method, the management server handles the dynamic configuration files. When you use the dual admin management method, the Citrix App-V components manage the registration of the appropriate publishing server required for an application launch. This ensures that the publishing server is synchronized for the user at the appropriate time. The publishing server maintains other aspects of the package life cycle (like refresh on logon and connection groups) using the settings that it is configured with.
Network share: Packages and XML deployment configuration files placed on a network share remove Studio’s dependence on the App-V server and database infrastructure, reducing overhead. (You must install the Microsoft App-V client on each VDA.)
This is called the single admin management method because App-V package and application use only needs the Studio console. You browse to the network share and add one or more App-V packages from that location to the Site-level Application Library . In this method, the Citrix App-V components process the Deployment Configuration Files when the application is launched. (User Configuration Files are not supported.) When you use the single admin management method, the Citrix App-V components manage all aspects of the Package’s life cycle on the host machine. Packages are added to the machine at broker startup, or when a configuration change is detected (which can also be at session launch time). Packages are first published to individual users on demand ‘just in time’ when a launch request is received from the Citrix Workspace app.
Single Admin also manages the lifecycle of connection groups required to meet the Isolation Group configuration definitions made in Studio.
 Application Library is a Citrix term for a caching repository that stores information about App-V packages. The Application Library also stores information about other Citrix application delivery technologies.
In both management methods, if the VDA is configured to discard user data, the publishing (or synchronizing) must be redone at the next session launch.
You can use one or both management methods simultaneously. In other words, when you add applications to Delivery Groups, the applications can come from App-V packages located on App-V servers or on a network share.
If you are using both management methods simultaneously, and the App-V package has a dynamic configuration file in both locations, the file in the App-V server (dual management) is used.
When you select Configuration > App-V Publishing in the Studio navigation pane, the display shows App-V package names and sources. The source column indicates whether the packages are located on the App-V server or cached in the Application Library. When you select a package, the details pane lists the applications and shortcuts in the package.
Dynamic configuration files
App-V packages can be customized using dynamic configuration files, that when applied to the package, can be used to change its characteristics. For example, you can use them to define extra application shortcuts and behaviors. Citrix App-V supports both types of dynamic configuration file. File settings are applied when the application is launched:
- Deployment Configuration Files provide machine-wide configuration for all users. These files are expected to be named <packageFileName>_DeploymentConfig.xml and located in the same folder as the App-V package they apply to. Supported by single and dual admin management.
- User Configuration Files provide user-specific configuration which supports per-user customizations to the package. Single Admin supports user config files named in the following format: <packageFileName>_[UserSID | Username | GroupSID |GroupName_]UserConfig.xml and located in the same folder as the App-V package they apply to.
When multiple user config files exist for a particular package, they are applied with the following priority:
- User SID
- AD Group SID (First found wins)
- AD Group Name (First found wins)
MyAppVPackage_S-1-5-21-000000001-0000000001-000000001-001_UserConfig.xml MyAppVPackage_joeblogs_UserConfig.xml MyAppVPackage_S-1-5-32-547_UserConfig.xml MyAppVPackage_Power Users_UserConfig.xml MyAppVPackage_UserConfig.xml
The user-specific portion of the file name can also optionally occur at the end (for example MyAppVPackage_UserConfig_joeblogs.xml).
Dynamic configuration file location
In single admin management, the Citrix App-V components only process dynamic configuration files which are found in the same folder as their App-V package. When applications in the package are launched, any changes to the corresponding dynamic configuration files are reapplied. If your dynamic configuration files are located in a different location to their packages, use a mapping file to map packages to their deployment configuration files.
To create a mapping file
- Open a new text file.
For each dynamic configuration file, add a line which specifies the path to the package using the format <PackageGuid> : path.
F1f4fd78ef044176aad9082073a0c780 : c:\widows\file\packagedeploy.xml
- Save the file as ctxAppVDynamicConfigurations.cfg in the same folder as the package. The entire directory hierarchy on the same UNC share as the App-V package is searched recursively upwards for this file every time an application in the package is launched.
You cannot apply changes to Dynamic Deployment Configuration when there are user sessions with an application in the package open. You can apply changes to Dynamic User Configuration files if other users but not the current user have the an application from the package open.
When you use the App-V single admin method, creating isolation groups allow you to specify interdependent groups of applications that must run in the sandbox. This feature is similar, but not identical to, App-V connection groups. Instead of the mandatory and optional package terminology used by the App-V management server, Citrix uses automatic and explicit for package deployment options.
- When a user launches an App-V application (the primary application), the isolation groups are searched for other application packages that are marked for automatic inclusion. Those packages are downloaded and included in the isolation group automatically. You do not need to add them to the Delivery Group that contains the primary application.
- An application package in the isolation group that is marked for explicit inclusion is downloaded only if you have explicitly added that application to the same Delivery Group that contains the primary application.
This allows you to create isolation groups containing a mix of automatically included applications that are available globally to all users. Plus, the group can contain a set of plug-ins and other applications (that might have specific licensing constraints), which you can limit to a certain set of users (identified through Delivery Groups) without having to create more isolation groups.
For example, application “app-a” requires JRE 1.7 to run. You can create an isolation group containing app-a (with an explicit deployment type) and JRE 1.7 (with an automatic deployment type). Then, add those App-V packages to one or more Delivery Groups. When a user launches app-a, JRE 1.7 is automatically deployed with it.
You can add an application to more than one App-V isolation group. However, when a user launches that application, the first isolation group to which that application was added is always used. You cannot order or prioritize other isolation groups containing that application.
Load balancing App-V servers
Load balancing management and publishing servers using DNS Round-Robin is supported if you are using the dual admin management method. Load balancing the management server behind Netscaler, F5 (or similar) Virtual IP is not supported because of the way Studio needs to communicate with the Management Server via remote PowerShell. For more information, see this Citrix blog article.
The following table summarizes the sequence of setup tasks for using App-V in Citrix Virtual Apps and Desktops using single- and dual admin management methods.
|Single admin||Dual admin||Task|
|X||X||Packaging and placement|
|X||Configure App-V server addresses in Studio|
|X||X||Install software on VDA machines|
|X||Add App-V packages to the Application Library|
|X||Add App-V isolation groups (optional)|
|X||X||Add App-V applications to Delivery Groups|
Deploy Microsoft App-V
For App-V deployment instructions, see https://technet.microsoft.com/en-us/windows/hh826068.
Optionally, change App-V publishing server settings. Citrix recommends using the SDK cmdlets on the Controller. See the SDK documentation for details.
- To view publishing server settings, enter Get-CtxAppvServerSetting -AppVPublishingServer <pubServer>.
- To ensure that App-V applications launch properly, enter Set-CtxAppvServerSetting –UserRefreshonLogon 0.
If you previously used GPO policy settings to manage publishing server settings, the GPO settings override any App-V integration settings, including cmdlet settings. This can result in App-V application launch failure. Citrix recommends that you remove all GPO policy settings and then use the SDK to configure those settings.
Packaging and placement
For either management method, create application packages using the App-V sequencer. See the Microsoft documentation for details.
- For single admin management, make the packages, and their corresponding dynamic configuration files, available on a UNC or SMB shared network location. Ensure that the Studio administrator who adds applications to Delivery Groups has at least read access to that location.
- For dual admin management, publish the packages on the App-V management server from a UNC path. (Publishing from HTTP URLs is not supported.)
Regardless of whether packages are on the App-V server or on a network share, ensure the packages have appropriate security permissions to allow the Studio administrator to access them. Network shares must be shared with “Authenticated users” to ensure that both the VDA and Studio have read access by default.
Configure App-V server addresses in Studio
Citrix recommends using the PowerShell cmdlets on the Controller to specify App-V server addresses if those servers use nondefault property values. See the SDK documentation for details. If you change App-V server addresses in Studio, some server connection properties you specify might be reset to default values. These properties are used on the VDAs to connect to App-V publishing servers. If this happens, reconfigure the nondefault values for any reset properties on the servers.
This procedure is valid only for the dual admin management method.
Specify App-V management and publishing server addresses for the dual admin management method either during or after Site creation. You can do this during or after creating the Site.
During Site creation:
- On the App-V page of the wizard, enter the URL of the Microsoft App-V management server, and the URL and port number of the App-V publishing server.
- Test the connection before continuing with the wizard. If the test fails, see the Troubleshoot section below.
After Site creation:
- Select Configuration > App-V Publishing in the Studio navigation pane.
- If you have not previously specified App-V server addresses, select Add Microsoft Server in the Actions pane.
- To change App-V server addresses, select Edit Microsoft Server in the Actions pane.
- Enter the URL of the Microsoft App-V management server, and the URL and port number of the App-V publishing server.
- Test the connection to those servers before closing the dialog box. If the test fails, see the Troubleshoot section below.
Later, if you want to remove all links to the App-V management and publishing servers and stop Studio from discovering App-V packages from those servers, select Remove Microsoft Server in the Actions pane. This action is allowed only if no applications in packages on those servers are currently published in any Delivery Groups. If they are, you must remove those applications from the Delivery Groups before you can remove the App-V servers.
Install software on VDA machines
Machines containing VDAs must have two sets of software installed to support App-V: one from Microsoft and the other from Citrix.
Microsoft App-V client
This software retrieves virtual applications, publishes the applications on the client, and automatically sets up and manages virtual environments at runtime on Windows devices. The App-V client stores user-specific virtual application settings, such as registry and file changes in each user’s profile.
The App-V client is available from Microsoft. Install a client on each machine containing a VDA, or on the master image that is used in a machine catalog to create VMs. Note: Windows 10 (1607 or greater) and Windows Server 2016 already include the App-V client. On those OSs only, enable the App-V client by running the PowerShell Enable-AppV cmdlet (no parameters). The Get-AppVStatus cmdlet retrieves the current enablement status.
After you install the App-V client, with Administrator permissions, run the PowerShell Get-AppvClientConfiguration cmdlet, and ensure that EnablePackageScripts is set to 1. If it is not set to 1, run Set-AppvClientConfiguration -EnablePackageScripts $true.
Citrix App-V components
The Citrix App-V component software is excluded by default when you install a VDA.
You can control this default behavior during VDA installation. In the graphical interface, select the Citrix Personalization for App-V - VDA check box on the Additional Components page. In the command line interface, use the /IncludeAdditional “Citrix Personalization for App-V VDA” option.
If you do not include the Citrix App-V components during VDA installation, but later want to use App-V applications: In the Windows machine’s Programs and Features list, right-click the Citrix Virtual Delivery Agent entry and then select Change. A wizard launches. In the wizard, enable the option that installs and enables App-V publishing components.
Add or remove App-V packages in the Application Library
These procedures are valid only for the single admin management method.
You must have at least read access to the network share containing the App-V packages.
Add an App-V package to the Application Library
- Select Configuration > App-V Publishing in the Studio navigation pane.
- Select Add Packages in the Actions pane.
- Browse to the share containing the App-V packages and select one or more packages.
- Click Add.
Remove an App-V package from the Application Library
Removing an App-V package from the Application Library removes it from the Studio App-V Publishing node display. However, it does not remove its applications from Delivery Groups, and those applications can still be launched. The package remains in its physical network location. (This effect differs from removing an App-V application from a Delivery Group.)
- Select Configuration > App-V Publishing in the Studio navigation pane.
- Select one or more packages to be removed.
- Select Remove Package in the Actions pane.
Add, edit, or remove App-V isolation groups
Add an App-V isolation group
- Select App-V Publishing in the Studio navigation pane.
- Select Add Isolation Group in the Actions pane.
- In the Add Isolation Group Settings dialog box, type a name and description for the isolation group.
- From the Available Packages list, select the applications you want to add to the isolation group, and then click the right arrow. The selected applications should now appear in the Packages in Isolation Group list. In the Deployment drop-down next to each application, select either Explicit or Automatic. You can also use the up and down arrows to change the order of applications in the list.
- When you are done, click OK.
Edit an App-V isolation group
- Select App-V Publishing from the Studio navigation pane.
- Select the Isolation Groups tab in the middle pane and then select the isolation group you want to edit.
- Select Edit Isolation Group in the Actions pane.
- In the Edit Isolation Group Settings dialog box, change the isolation group name or description, add or remove applications, change their deployment type, or change the application order.
- When you are done, click OK.
Remove an App-V isolation group
Removing an isolation group does not remove the application packages. It removes only the grouping.
- Select App-V Publishing from the Studio navigation pane.
- Select the Isolation Groups tab in the middle pane and then select the isolation group you want to remove.
- Select Remove Isolation Group from the Actions pane.
- Confirm the removal.
Add App-V applications to Delivery Groups
The following procedure focuses on how to add App-V applications to Delivery Groups. For complete details about creating a Delivery Group, see Create Delivery Groups.
Step 1: Choose whether you want to create a new Delivery Group or add App-V applications to an existing Delivery Group:
To create a Delivery Group containing App-V applications:
- Select Delivery Groups in the Studio navigation pane.
- Select Create Delivery Group in the Actions pane.
- On successive pages of the wizard, specify a machine catalog and users.
To add App-V applications to existing Delivery Groups:
- Select Applications in the Studio navigation pane.
- Select Add Applications in the Actions pane.
- Select one or more Delivery Groups where the App-V applications will be added.
Step 2: On the Applications page of the wizard, click the Add drop-down to display application sources. Select App-V.
Step 3: On the Add App-V Applications page, choose the App-V source: the App-V server or the Application Library. The resulting display includes the application names plus their package names and package versions. Select the check boxes next to the applications or application shortcuts you want to add. Then click OK.
Step 4: Complete the wizard.
Good to know:
- If you change an App-V application’s properties when adding them to a Delivery Group, the changes are made when the application is started. For example, if you modify an application’s display name or icon when adding it to the group, the change appears when a user starts the application.
- If you use dynamic configuration files to customize the properties of an App-V application, those properties override any changes you made when adding them to a Delivery Group.
- If you later edit a Delivery Group containing App-V applications, there is no change in App-V application performance if you change the group’s delivery type from desktops and applications to applications only.
- When you remove a previously published (single admin) App-V package from a Delivery Group, Citrix App-V client components attempt to clean up, unpublish, and remove any packages that are no longer in use by the single admin management method.
- If you are using a hybrid deployment—with packages delivered by the single admin management method and an App-V publishing server, managed either by dual admin or by another mechanism (such as Group policy)—it is not possible to determine which (now potentially redundant) packages came from which source. In this case, cleanup is not attempted.
- If you are not using a publishing server, but have packages on the VDA managed by another mechanism (such as SCCM, custom scripting, or a third party App-V management solution), the clean-up routines may remove packages which are still required. In this scenario, add a dummy App-V Management server registration to the VDA to prevent clean up being attempted.
Issues that can occur only when using the dual admin method are marked (DUAL).
(DUAL) There is a PowerShell connection error when you select Configuration > App-V Publishing in the Studio navigation pane.
- Is the Studio administrator also an App-V server administrator? The Studio administrator must belong to the “administrators” group on the App-V management server so that they can communicate with it.
(DUAL) The Test connection operation returns an error when you specify App-V server addresses in Studio.
- Is the App-V server powered on? Either send a Ping command or check the IIS Manager; each App-V server should be in a Started and Running state.
- Is PowerShell remoting enabled on the App-V server? If not, see http://technet.microsoft.com/en-us/magazine/ff700227.aspx.
- Is the Studio administrator also an App-V server administrator? The Studio administrator must belong to the administrators group on the App-V management server so that they can communicate with it.
- Is file sharing enabled on the App-V server? Enter
\\<App-V server FQDN>in Windows Explorer or with the Run command.
- Does the App-V server have the same file sharing permissions as the App-V administrator? On the App-V server, add an entry for
\\<App-V server FQDN>in Stored User Names and Passwords, specifying the credentials of the user who has administrator privileges on the App-V server. For guidance, see http://support.microsoft.com/kb/306541.
Is the App-V server in Active Directory?
If the Studio machine and the App-V server are in different Active Directory domains that do not have a trust relationship, from the PowerShell console on the Studio machine, run winrm s winrm/Config/client ‘@(TrustedHosts=”<App-V server FQDN>”)’.
If TrustedHosts is managed by GPO, the following error message displays: “The config setting TrustedHosts cannot be changed because use is controlled by policies. The policy would need to be set to Not Configured to change the config setting.” In this case, add an entry for the App-V server name to the TrustedHosts policy in GPO (Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client).
(DUAL) Discovery fails when adding an App-V application to a Delivery Group.
- Is the Studio administrator also an App-V management server administrator? The Studio administrator must belong to the administrators group on the App-V management server so that they can communicate with it.
- Is the App-V management server running? Either send a Ping command or check the IIS Manager; each App-V server should be in a Started and Running state.
- Is PowerShell remoting enabled on both App-V servers? If not, see http://technet.microsoft.com/en-us/magazine/ff700227.aspx.
- Do packages have the appropriate security permissions for the Studio administrator to access?
App-V applications only launch in one browser version.
If you publish multiple sequenced versions of the same browser app, only one version of the app is able to launch at a time per user on the VDA. The same thing occurs even if Citrix components are not involved and the user starts the sequenced apps from desktop shortcuts which point to different paths.
Whichever browser version a user launches first, determines the browser version which runs subsequently for them. When Firefox detects a second launch of itself, it prefers to create an instance of the already running process, rather than create a new process. Other browsers may behave in the same way.
You can make the application launch in the intended Firefox browser version, by adding the command line parameter -no-remote to the shortcut’s launch command. Other browsers offer the same or similar facility.
You must be using XenApp 7.17 or higher to take advantage of the shortcut enumeration feature. You must also change the package in both versions of the app to get this bi-directional behavior.
App-V applications do not launch.
- (DUAL) Is the publishing server running?
- (DUAL) Do the App-V packages have appropriate security permissions so that users can access them?
- (DUAL) On the VDA, ensure that Temp is pointing to the correct location, and that there is enough space available in the Temp directory.
- (DUAL) On the App-V publishing server, run
Get-AppvPublishingServer \*to display the list of publishing servers.
- (DUAL) On the App-V publishing server, ensure that UserRefreshonLogon is set to False.
- (DUAL) On the App-V publishing server, as an administrator, run Set-AppvPublishingServer and set UserRefreshonLogon to False.
- Is a supported version of the App-V client installed on the VDA? Does the VDA have the enable package scripts setting enabled?
- On the machine containing the App-V client and VDA, from the Registry editor (regedit), go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\AppV. Ensure that the AppVServers key has the following value format: AppVManagementServer+metadata;PublishingServer (for example:
- On the machine or master image containing the App-V client and VDA, check that the PowerShell ExecutionPolicy is set to RemoteSigned. The App-V client provided by Microsoft is not signed, and this ExecutionPolicy allows PowerShell to run unsigned local scripts and cmdlets. Use one of the following two methods to set the ExecutionPolicy: (1) As an administrator, enter the cmdlet: Set-ExecutionPolicy RemoteSigned, or (2) From Group Policy settings, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell> Turn on Script Execution.
If these steps do not resolve the issues, enable and examine the logs.
App-V configuration-related logs are located at C:\CtxAppvLogs. The application launch logs are located at: %LOCALAPPDATA%\Citrix\CtxAppvLogs. LOCALAPPDATA resolves to the local folder for the logged-on user. Check the local folder of the user for whom the application launch failed.
To enable Studio and VDA logs used for App-V, you must have administrator privileges. You will also need a text editor such as Notepad.
To enable Studio logs:
- Create the folder C:\CtxAppvLogs.
- Go to C:\Program Files\Citrix\StudioAppVIntegration\SnapIn\Citrix.Appv.Admin.V1. Open CtxAppvCommon.dll.config in a text editor and uncomment the line: <add key =”LogFileName” value=”C:\CtxAppvLogs\log.txt”/>
- Restart the Broker service to start logging.
To enable VDA logs:
- Create the folder C:\CtxAppvLogs.
- Go to C:\Program Files\Citrix\ Virtual Desktop Agent. Open CtxAppvCommon.dll.config in a text editor and uncomment the following line: <add key =”LogFileName” value=”C:\CtxAppvLogs\log.txt”/>
- Uncomment the line and set the value field to 1: <add key =”EnableLauncherLogs” value=”1”/>
- Restart the machine to start logging.