Appliance security improvements
The Apache HTTP Server ("httpd") on the appliance includes several security improvements. Based on the CIS Apache HTTP Server 2.4 Benchmark, the improvements include:
- Server version update
- Restrictions in module and TLS configuration
- Changes in permissions, access control, and logging.
Export and import layers (App Layering Labs)
The layer export and import feature lets you move the layers from one App Layering appliance to another. For example, you can move layers from your proof of concept environment to an appliance in your production environment.
Labs features are early versions of features planned for future releases. When you install the product, new Labs features are disabled. In this release, Labs features include:
You can persist user profile settings, data, and user-installed applications in non-persistent VDI environments with the user layer. The user layer supports Windows 7 64-bit and Windows 10 64-bit environments for Citrix XenDesktop, VMware Horizon View, and View JIT.
Access the management console through Citrix Cloud (Labs)
You can access the App Layering management console through the Citrix Cloud App Layering Manage tab. For a new installation, see Access the Management Console for steps and known issues. If you are upgrading from an App Layering 4.0.x release, see Upgrade. When you open either of these topics, you can select the hypervisor for more information.
Export and import layers
You can move layers from one App Layering appliance to another by using the layer export and import feature. For example, you can move layers that you create in your proof of concept environment to a new appliance you've installed in your production environment.
For information about supported platforms in Citrix App Layering, see System requirements.
You can upgrade from Unidesk 4.0.8 to Citrix App Layering 4.3.0. To access the management console in Citrix Cloud, install a Cloud Connector. For more information, see the Upgrade instructions. You can find instructions for the supported platforms.
Access through the Citrix Cloud (App Layering Labs)
For known issues accessing the management console in Citrix Cloud, which is in Labs, see the section Issues with Labs later in this article.
File downloads from Citrix ShareFile
You can download files by using Citrix ShareFile but you cannot save changes to the files. (UNI-55850)
- There are issues with Windows Search when using a user layer. (UNI-53320), (UNI-54524), (UNI-54520)
- A red 'X' network adapter icon indicates that there's an issue even when the network is functional. When using a user layer, the network icon appears as a red 'X', even when everything is functional. You can ignore the red 'X'. (UNI-53443)
- Put Microsoft Office in the layered image. If you use add-ins or Office 365, you must include Office in the layered image, not in the user layer. If Microsoft Office is not in the layered image, activation issues can occur. (UNI-53474)
User Layers on Windows 10
- You can disable Windows 10 Store apps on Windows 10 Enterprise only. If you want to disable Windows 10 Store apps, do the following:
  - Create an operating system revision.
  - From an administrator command prompt, run the script at C:\Windows\Setup\Scripts\RemoveStoreApps.cmd.
  - Finalize and deploy the image based on this operating system revision.
- Users have access to Edge and Cortana only. (UNI-56935)
- After you upgrade to Windows 10 in the OS layer, store tile reconstruction can occur when users log on for the first time. The reconstruction period is usually less than one hour. Reconstruction can take longer depending on system load factors and the behavior of Windows. During this period, users can notice that Start menu tiles lack proper icons or do not respond. Usually, tile response is slow and can appear broken. However, these conditions resolve themselves during the reconstruction period. Other (non-tile) applications continue to work but can run slower because of the reconstruction activities in the background. A user's initial logon following a major operating system upgrade can take longer because of reconstruction activities. This is considered normal post-upgrade behavior.
- If you roll back a Windows 10 OS layer across major versions (such as 1607 to 1511), user layers are not compatible. Rolling back from one subrelease to another is fine. If the user layers are not compatible, delete and recreate the user layers. (UNI-57006)
- An error message appears that the temporary element is not found. Some newer versions of Windows 10 use Store apps as default applications. Attempting to open a file with an association to one of those applications can result in an "Element not found" message. Users can wait until the application is ready to use through Windows Store. (UNI-57749)
User Layers on Windows 10 and Windows 7
- Changes to Windows indexing options do not persist when you enable user layers on Windows 10 and Windows 7 desktops. If you set Indexing Options for an elastically layered app, the settings are not present when users log on. If an indexing option change is critical for all users, you can include it in a new version of the OS layer. You can also include it in a new app layer, which is a better option. The change becomes the default for all users. (UNI-56064, UNI-56213)
App Layering appliance and management console
- After you upgrade from App Layering 4.1.0 or 4.2.0, you might need to change the App Layering administrative passwords.
- The fonts for the management console might not load correctly. This occurs when you access the App Layering appliance with Internet Explorer running on a server operating system. To prevent this issue, add the appliance IP address to the Trusted Sites list in Internet Explorer. (UNI-50830)
- Tasks created before this release do not have fully qualified owners. Only administrators can cancel the tasks. (UNI-52741)
- After adding new disks to the appliance, restart the appliance. When you add a version to an OS layer, package the layer on the hypervisor from which you imported the operating system during layer creation. (UNI-53580)
- If an IP address is already in use with another virtual machine, configuring a different IP address on the appliance can cause a network service failure. For example, this can happen when the App Layering appliance has a dynamic IP address and you reconfigure it to use a static IP address. An error message appears: "Job for network service failed." If the appliance loses network connectivity, change to an unused IP address and restart the appliance.
- Use the same hypervisor when adding a version to your OS layer. When you add a version to an OS layer, package the layer on the same hypervisor from which you imported the operating system during layer creation. (UNI-44372)
- When you update the OS layer, Windows Updates are disabled automatically. Disabling automatic updates helps avoid situations where Windows starts an update in the background before, or during, an OS layer finalization. When you add a version to an OS layer, manually start the download and installation of Windows updates. Then repeat the downloads and installation until you apply all available updates before finalizing the new OS layer. (UNI-58115)
- Use the built-in administrator account when you log on to a packaging machine. Otherwise, RunOnce scripts do not run, and finalization of the layer does not occur. (UNI-58154)
- Apps can appear to load slowly in user sessions. Disable automatic updates for applications, such as Chrome and Firefox. Windows prompts the user to make changes by using an administrator account even though the user does not have administrator access. Instruct the user to click No when prompted and then the application starts successfully.
- When you create an app layer version, the operating system machine tools do not update when you use connector caching. If the connector cache contains a previous boot disk and you use it to build a packaging machine, expired tools might be on the disk. (UNI-58113)
Elastic Layering (general)
- Newly imported layers do not retain their Elastic Fit status. To restore the correct status to an elastically assigned layer, run Elastic Fit on the Layer. (UNI-59617)
- Users receive the following alert when starting an elastically assigned Skype layer for the first time: "The Installer has insufficient privileges to modify this file: url." If the user clicks Ignore, Skype opens as expected. (UNI-52164)
- Empty directories are visible to Windows Explorer users when Citrix App Layering drivers are running. When you enable an image with elastic layering, users might be able to view files and directories from other sessions in Windows Explorer. If users browse files with Windows Explorer, they might be able to see empty directories associated with other sessions that use elastic layering. Directories explored in the other session might create folders visible to all sessions that have permission to browse that directory. If users do not have access to the volume, they cannot see the directories and contents of the drives.
- Elastic layers require .NET Framework 4.5. If you are using Citrix App Layering elastic layers, install .NET Framework 4.5 on any layered image where you enable elastic layers.
- If using elastic layer assignments with Windows Server 2008 or Windows 7, create your file share with a sector size of 512. For details about this issue and related operating system updates, see the following:
- Citrix App Layering supports Horizon View 6.1 and later. Elastic layer assignments do not support Persona Management in Horizon View. (UNI-53639)
Elastic Layering (Microsoft Office)
- The shortcuts to assign Office apps elastically might be visible on the Start menu for users who are not assigned the apps. Although these shortcuts are visible, they only work for users to whom you assigned the apps. (UNI-49687)
- When Microsoft Office is assigned elastically, use built-in license activation scripting. For best results when using Office elastically, consider the following:
  - Using the built-in license activation scripting
  - Adding c:\windows\setup\scripts\officeactivate.cmd to the script path when finalizing the Office app layer or editing its properties. (UNI-50467)
- When elastically layering Microsoft Office, do not install OneNote. Instead, include OneNote in the layered image. The OneNote printer driver allows other Office apps to print to OneNote. (UNI-50449)
- Citrix App Layering does not support Windows 10 Creators Update version 1703.
- Windows 10 upgrades require a 60-GB disk for the OS layer version. When you add a version to the Windows 10 OS layer, change the maximum layer size from 30 GB to 60 GB.
- Upgrading requires extra steps when going to a new Windows 10 major release. During the upgrade, Windows 10 can create a recovery volume on the same disk as the OS layer version. Always delete this volume before you finalize the OS layer version. Otherwise, the recovery volume can cause desktops to fail to start correctly.
Citrix Provisioning Services
- When you create an image template, the target device hardware settings must match the Windows operating system and platform layer settings. Ensure that the hardware settings on the target device match the operating system and platform layer hardware settings, especially the number of CPUs. If they don't match, you can get a restart required message when you start the published image. (UNI-50799, UNI-46333, UNI-51599)
- When using Provisioning Services, you must disable IPv6 in the OS layer. If you disable IPv6 in the platform layer instead of in the OS layer, when Provisioning Services start, the network connection fails and stops responding. (UNI-53600)
- If permissions are wrong when you publish an image, an error message might appear that says the operation timed out. (UNI-54516)
- Although the management console allows image names that contain a period (.), those names fail in the Provisioning Services environment. Do not include a period in the name. (UNI-54263)
- When you prepare your operating system image for use in XenServer, you must open port 5900. (UNI-50846)
- Creating a Citrix App Layering connector configuration that points to a child node in a XenServer pool produces an unexpected error message. To avoid this issue, only use the primary node when creating connector configurations. (UNI-52454)
- When you import an OS layer from a XenServer virtual machine, use the XenServer connector to perform the import directly. There might be issues exporting the virtual machine image to a network file share first and then importing it to XenServer. (UNI-52669)
VMware Horizon View
- Elastic layers are only supported with floating desktop pools. (UNI-53442)
- When you use VMware Horizon View, Microsoft Office does not work correctly as an elastic layer. (UNI-59343)
- Citrix App Layering does not support Azure File storage. Create a network file share or an SMB file share in Azure to use with Citrix App Layering. (UNI-42272)
- Publishing layered images simultaneously to the same Azure resource group fails. Either deploy one at a time, or deploy the layered images to different resource groups. (UNI-43376)
- If the fully qualified domain name (FQDN) is not typed in the format Azure expects, the FQDN in Azure can fail. For more information, see Create a fully qualified domain name in the Azure portal for a Windows VM. (UNI-51587)
- The Azure connector configuration name must be unique. When creating an Azure connector configuration, you cannot use the same name as an existing configuration. If you do use the same name, you cannot save the changes. (UNI-56230)
- When using elastic layering in Hyper-V, you use unmanaged RDS pools. (UNI-53545)
- Create Imprivata app layers with the appropriate broker platform layer as a prerequisite. This action is critical for Citrix Provisioning Services, Citrix Machine Creation Services, and Horizon View environments.