VMware App Volumes Administration Guide

VMware App Volumes 2.13
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2017,2018 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
About This Book
1 Configuring App Volumes Manager
    Verify License
    Configuring and Using Active Directory
    Configuring a Machine Manager
    Configuring Security Protocols and Cipher Suites
    Configuring Storage for AppStacks and Writable Volumes
    Asynchronous Mounting on App Volumes Manager and Agent
    Advanced Settings Page
    Reduce App Volumes Login Time on Windows 10
    Disable Microsoft Windows NTLM Authentication
2 Using SSL Certificates with App Volumes Manager
    Configuring SSL Certificates for Machine Managers
    Managing SSL Between App Volumes Manager and Agent
3 Working with AppStacks
    Creating and Provisioning AppStacks
    Assigning and Attaching AppStacks
    Edit an AppStack
    Update an AppStack
    Import AppStacks to App Volumes
    Check Datastores for Available AppStacks
    Unassign an AppStack
    AppStacks Precedence
    Delete AppStacks
4 Working with Writable Volumes
    Assigning and Attaching Writable Volumes
    Create a Writable Volume
    Import Writable Volumes
    Update Writable Volumes
    Rescan Writable Volumes
    Enable a Writable Volume
    Edit a Writable Volume
    Expand a Writable Volume
    Disable a Writable Volume
    Delete a Writable Volume
    Considerations and Limitations for Writable Volumes
    Writable Volume Exclusions
    Protecting Writable Volumes
5 Advanced App Volumes Configuration
    Batch Script Files
    Configure Batch File Timeouts
    Configuring SVdriver and SVservice
    Create a Custom vCenter Server Role
    Create a Custom vCenter Server Role Using PowerCLI
6 Viewing Activity Logs and Troubleshooting Information
    Create a Troubleshooting Archive
    Remove a Troubleshooting Archive
About This Book
The VMware App Volumes Administration Guide provides information on how to configure and use
VMware App Volumes®. App Volumes is a real-time application delivery system that enterprises can use
to dynamically deliver and manage applications.
This guide also provides information on configuring SSL certificates for App Volumes Manager, and
creating and managing Writable Volumes and AppStacks.
Intended Audience
This information is intended for experienced IT system administrators who are familiar with virtual
machine technology and datacenter operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For
definitions of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.
1 Configuring App Volumes Manager
You must configure the App Volumes Manager after installing it. Configuring the App Volumes Manager
involves setting up the Active Directory, group administrative access, storage access settings, and also
validating host credentials.
After configuring the App Volumes Manager, you can create and work with specialized containers known
as AppStacks and Writable Volumes.
This chapter includes the following topics:
- Verify License
- Configuring and Using Active Directory
- Configuring a Machine Manager
- Configuring Security Protocols and Cipher Suites
- Configuring Storage for AppStacks and Writable Volumes
- Asynchronous Mounting on App Volumes Manager and Agent
- Advanced Settings Page
- Reduce App Volumes Login Time on Windows 10
- Disable Microsoft Windows NTLM Authentication
Verify License
You must enter the App Volumes license information before configuring other components. A valid license
is required to activate and use App Volumes.
Prerequisites
Ensure that you have downloaded and installed the App Volumes license file. The production license file
can be downloaded from the VMware App Volumes product download page.
Procedure
1. From the App Volumes Manager console, click CONFIGURATION > License.
2. Verify the license information that is displayed.
   If you have an evaluation license, you can use App Volumes until the expiration date.
3. (Optional) To apply a different license, click Edit and browse to the location of the license you want to
   upload.
4. Click Upload to upload the App Volumes license file.
5. Click Next and follow on-screen instructions.
Configuring and Using Active Directory
App Volumes uses Active Directory to add domains and assign applications and Writable Volumes to
users, groups, computers, and Organizational Units (OUs).
As an administrator with full access to App Volumes Manager, you can configure and work with Active
Directory domains and users in many ways:
- Add multiple Active Directory domains and assign unique credentials and administrator access to
  users from these domains
- Assign Writable Volumes to a specific user
- Filter entities based on their domain
- Search across multiple Active Directory domains
- Manage assignments for any user, group, or computer from any configured Active Directory domain
- Add multiple domain controller hosts
- Connect securely to Active Directory and validate the certificate
Active Directory Objects Lookup
App Volumes Manager looks up Active Directory objects by their GUID instead of UPN (User Principal
Name). This enables administrators to move users across domains and organizational units (OUs) and
even rename users and computers without affecting their AppStacks or Writable Volumes assignments.
Automatic Active Directory Synchronization
App Volumes Manager maintains a database record for any Active Directory that is seen by an
App Volumes agent or assigned to an AppStack or a Writable Volume.
A background job runs every hour to synchronize up to 100 entities in the Active Directory. If there are
more than 100 objects, then the next batch of 100 objects is synchronized in the hour after the first batch
of objects has been synchronized.
Note: GUID synchronization from Active Directory servers might take up to a week, and it varies based on
the number of objects that are present in the system.
Active Directory Domains Page
The Active Directory Domains page in the App Volumes Manager shows information about the configured
domains and certificates and displays the list of configured domain controllers.
Navigate to CONFIGURATION > AD Domains to view the following information about the configured
domains:
- Active Directory Domain Name
- Username
- LDAP Base
- Netbios
- LDAPs
- Port
You can see the list of domain controller hosts that are configured for the user. Click View DCs and you
can see the following information about the configured hosts:
- Name
- Connection status
- Date and time the host last connected
- Date and time the connection failed
- Failure count
Connecting Securely to Active Directory
As an App Volumes administrator, you can choose to connect to Active Directory over a secure or
insecure LDAP connection.
- Secure LDAP (LDAPs) - Connect to Active Directory over a dedicated LDAPs port. The default port
  number for LDAPs is 636. The user must have downloaded a CA root certificate of the domain.
  App Volumes uses this certificate to trust the connection.
- LDAP over TLS - Connect to Active Directory over TLS. The default port number for LDAP is 389.
  The user must have downloaded a CA certificate of the domain. App Volumes uses this certificate to
  trust the connection.
- LDAP (insecure) - Connect to Active Directory over an insecure connection over plain LDAP.
  Note: The initial binding, however, occurs over GSS-SPNEGO.
Enable Secure Communication Between App Volumes Manager and Active Directory
When you configure an Active Directory, you can choose to have App Volumes Manager communicate
securely with the Active Directory.
Prerequisites
- Active Directory must be configured for LDAP over SSL (LDAPS) or StartTLS (LDAP over TLS).
- Root certification authority (CA) certificates of the Active Directory domains - If the certificates are not
  in PEM (Base64 encoded) format, see the OpenSSL or similar documentation to convert the file to
  PEM format.
  Note: When you have multiple root certificates from different domains, you can combine all the PEM
  formatted certificates into a single file by copying the contents of each file one by one to a single .pem
  file.
- In App Volumes Manager, domain controller host names that are specified in the domain controller
  hosts field must match the certificate host names.
Procedure
1. Ensure the name of the PEM formatted certificate file is adCA.pem.
2. On each App Volumes Manager server, copy the adCA.pem file to the /config directory where the
   App Volumes Manager is installed.
   The default installation location for App Volumes Manager is C:\Program Files (x86)\Cloud
   Volumes\Manager.
3. Restart the App Volumes Manager servers.
4. Using App Volumes Manager, configure the Active Directory Connection to use LDAP over SSL
   (LDAPS) or StartTLS (LDAP over TLS).
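One way to build and sanity-check the combined adCA.pem described in the prerequisites, as an added example that is not part of the VMware guide: it merges several PEM files, drops duplicates, normalizes line endings, and refuses anything that is not a certificate block, such as a private key exported alongside the certificate. The function names are assumptions, and the sample inputs are constructed stand-ins that carry DER-looking bytes rather than real certificates; the check is structural and does not validate the X.509 contents.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def merge_ca_bundle(pem_texts):
    """Merge several PEM texts into one bundle; return (bundle_text, sha256_list)."""
    fingerprints, blocks_out = [], []
    for text in pem_texts:
        blocks = PEM_BLOCK.findall(text)
        if not blocks:
            raise ValueError("no PEM block found; convert DER input to PEM first")
        for label, body in blocks:
            if label != "CERTIFICATE":
                # For example 'PRIVATE KEY': key material must never ship in a trust bundle.
                raise ValueError("unexpected %s block in CA bundle" % label)
            der = base64.b64decode("".join(body.split()), validate=True)
            if der[:1] != b"\x30":          # X.509 DER starts with a SEQUENCE tag
                raise ValueError("block does not contain DER-encoded data")
            digest = hashlib.sha256(der).hexdigest()
            if digest in fingerprints:      # same root supplied twice
                continue
            fingerprints.append(digest)
            b64 = base64.b64encode(der).decode("ascii")
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            blocks_out.append(
                "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                % "\n".join(lines))
    return "".join(blocks_out), fingerprints


def sample_pem(label, seed):
    """Constructed stand-in with CRLF line endings; not a real certificate."""
    der = b"\x30\x82\x01\x00" + hashlib.sha256(seed).digest() * 4
    b64 = base64.encodebytes(der).decode("ascii").replace("\n", "\r\n")
    return "-----BEGIN %s-----\r\n%s-----END %s-----\r\n" % (label, b64, label)


# Constructed inputs: two domain roots and a private key exported by mistake.
ROOT_A = sample_pem("CERTIFICATE", b"corp.example.com root")
ROOT_B = sample_pem("CERTIFICATE", b"lab.example.com root")
STRAY_KEY = sample_pem("PRIVATE KEY", b"exported by mistake")

if __name__ == "__main__":
    bundle, prints = merge_ca_bundle([ROOT_A, ROOT_B + ROOT_A])
    print("%d certificate(s) for adCA.pem" % len(prints))
    for p in prints:
        print("  sha256 " + p)   # compare with the fingerprints your CA publishes
```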
Adding and Configuring Domain Controller Hosts
You can add a single domain controller host or multiple hosts when you register an Active Directory.
You might configure multiple domain controller hosts to ensure redundancy and failover operations. If the
primary domain controller that App Volumes Manager is connected to goes down, then App Volumes
Manager can perform a failover and switch to a different host. This ensures that App Volumes users are
unaffected by the downtime and can continue their operations without interruption.
You can choose how App Volumes Manager detects domain controllers. Consider the following when you
add domain controllers:
- If you provide a list of domain controllers, App Volumes Manager looks for a domain controller only in
  the list you provided. If the domain controllers in the list are all down, App Volumes Manager does not
  search for or detect any other domain controller.
- If you do not provide a list of domain controllers, App Volumes Manager detects domain controllers
  automatically and also assigns a priority to them.
- App Volumes Manager will search for and try to connect to domain controllers from the same site.
  Domain controllers from other sites are also added in order of binding time.
  Note: Domain controllers in the same site always have higher priority over those from different sites.
You can view the list of domain controllers and their connectivity status under CONFIGURATION > AD
Domains.
Refresh Domain Controllers
The list of available domain controllers is refreshed every 480 minutes (8 hours). Use the environment
variable, TIME_TO_REFRESH_DOMAIN_CONTROLLERS, to change the default time of 8 hours.
Note: You must set the time in minutes.
Register an Active Directory Domain
Configure and register an Active Directory domain. You can assign applications to users, computers,
groups, and organizational units (OUs) using Active Directory.
Prerequisites
Important: If you want to connect securely from App Volumes Manager to Active Directory using an
LDAPs connection, you must have downloaded a CA domain certificate. See Connecting Securely to
Active Directory and Enable Secure Communication Between App Volumes Manager and Active
Directory.
Procedure
1. From App Volumes Manager, go to CONFIGURATION > AD Domains.
2. Click Register Domain.
3. Enter the Active Directory information on the Register Active Directory Domain page.

   Parameter
       Description

   Active Directory Domain Name
       A fully qualified domain name of the Active Directory domain where users and
       target computers are residing, for example corp.example.com.

   Domain Controller Hosts (Optional)
       IP address (10.98.87.67) or FQDN (dc01.corp.example.com). You can also
       provide the virtual IP address of a load balancer that is used as the front-end
       server of the domain controller. This option provides High Availability (HA)
       capability for connections to Active Directory.
       You can add multiple domain controller hosts; use commas to separate the
       names of the hosts.
       Important: If you do not add a domain controller host, the system detects the
       hosts that are available and connects to the nearest domain controller.

   LDAP Base (Optional)
       Distinct name of the Active Directory container or organizational unit that stores
       required entities (if you want to limit the scope of enumeration). By default,
       App Volumes Manager enumerates all users, groups, OUs, and computer objects
       within Active Directory.
       Example: OU=Engineering, DC=corp, DC=vmware, DC=com

   Username
       The user name of the service account that has access to the target Active
       Directory domain. For example, admin-1. The user can be an administrator with
       read-only permissions.

   Password
       The password for the service account. Ensure that domain policies do not enforce
       password expiration for the service account.

   Security
       Select one of the following options from the drop-down menu to configure the
       LDAP connection:
       - Secure LDAP (LDAPS) - Select this box if you want to connect to Active
         Directory over SSL.
       - LDAP over TLS - Connect to Active Directory over LDAP using TLS. You
         must have installed a trusted certificate from a certificate authority.
       - LDAP (insecure) - Connect to Active Directory without using a secure
         connection.

   Port (Optional)
       A port number other than the default. The default port is used if this text box is left
       blank.

4. Click Register.
Handling Authentication Failures
App Volumes uses Active Directory to add domains and assign applications and Writable Volumes to
users, groups, computers, and Organizational Units (OUs). App Volumes thus inherits the authentication
and account policies of Active Directory.
Authentication Overview and Group Policy Settings
Active Directory implements authentication measures such as inserting random delays between failed
authentications, configuring the number of failed authentication attempts and so on.
See https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-overview for an authentication overview and https://technet.microsoft.com/en-us/library/dn751050(v=ws.11).aspx for information about Group Policy Settings of Active Directory.
Add an Administrator Group
Add an App Volumes administrator group who can log in to the App Volumes Manager and manage the
users and groups.
You can create multiple administrator groups for a single Active Directory domain.
Note: You cannot configure a single user as an administrator; you can only add a group as an
administrator.
Prerequisites
Ensure that you have already added the group to the Active Directory database.
Procedure
1. From the App Volumes Manager console, click CONFIGURATION > Admin Roles > Assign Role.
2. Select a domain from the drop-down list; select All to search in all domains or select a specific
   domain.
3. Search Groups; you can filter the search query by Contains, Begins, Ends, or Equals.
4. (Optional) Check the Search all domains in the Active Directory forest checkbox if you want to
   search in all domains.
5. Click Search.
6. Select the Active Directory group from the drop-down list and click Assign.
   All users within the group are granted administrator privileges.
What to do next
After you have added the administrators, you can configure the Machine Managers and App Volumes
storage. See Configuring a Machine Manager and Configure Storage For AppStacks.
Configuring a Machine Manager
The App Volumes operation mode is determined by configuring the Machine Manager.
The Machine Manager determines the type of hypervisor connection. Three types of hypervisor
connections are available. You can configure the hypervisor to connect to one of the following hosts using
the App Volumes Manager console.
Table 1-1. Hypervisor Connection Types

Hypervisor Connection Type
    Description

VMware vCenter Server
    Preferred connection type for mid-to-large environments.
    Enables the use of VMDK Direct Attached operation mode.
    When using this connection type, you can assign AppStacks
    and Writable Volumes to the virtual machines running on
    multiple hypervisor hosts. See Establish a Secure vCenter
    Server Connection to set up a secure connection to
    vCenter Server.

Single ESXi Host
    Enables the use of VMDK Direct Attached Operation Mode, but
    only for a single ESXi host. Use this connection type for small
    deployments and proofs of concepts. You can assign AppStacks
    and Writable Volumes to the virtual machines running on a
    single hypervisor host.

VHD In-Guest Services
    Disables other hypervisor connections and enables the use of
    VHD In-Guest operation mode. Use this connection type to
    assign AppStacks and writable volumes either to virtual
    machines running on an unsupported third-party hypervisor or to
    the physical computers. See Configure VHD In-Guest Storage.

Note: You cannot change the operation mode after you configure the Machine Manager. However, if you
have configured vCenter Server as the first Machine Manager, additional vCenter Server instances can
be added and configured.
Reconfigure vCenter Server
If you regenerate new certificates for ESXi hosts and you have selected vCenter Server as your machine
manager, with the Mount on Host option, you must reconfigure your vCenter Server.
See Regenerate Certificates for an ESXi Host section in the VMware vSphere ESXi and vCenter Server 5
Documentation.
Set Up the Machine Manager Connection
App Volumes operation mode is determined by configuring a machine manager. You cannot change the
operation mode of App Volumes after you configure the machine manager.
Prerequisites
Ensure that the domain policies do not enforce password expiration for the service account on the
machine manager to be configured.
Procedure
1. From the App Volumes Manager console, click CONFIGURATION > Machine Managers.
2. Click Register Machine Manager.
3. Select and configure the machine manager.

   Connection Type
       Description

   vCenter Server
       Enter host name, user name, and password details. You can optionally enable the
       Mount Local or Mount on Host options.
       If you select a vCenter Server instance as the first configured machine manager,
       you can add and configure additional servers.

   ESXi (Single Host)
       Enter host name, user name, and password details for the ESXi host.

   VHD In-Guest
       Does not require any credentials.

   a. (Optional) To view the permissions required by the service account, click Required vCenter
      Permissions.
4. Click Save.
The configured machine manager is displayed on the Machine Managers page.
What to do next
See Establish a Secure vCenter Server Connection to connect App Volumes Manager securely to a
vCenter Server.
You can also create a custom role on the vCenter Server. See Create a Custom vCenter Server Role
Using PowerCLI.
Configuring Security Protocols and Cipher Suites
You can configure the security protocols and cipher suites for App Volumes Manager so that only the TLS
connections that you have specified are accepted by App Volumes Manager.
You can also configure cipher suites to add ciphers and disable weak ciphers.
Configure TLS Connections in App Volumes Manager
You can modify the Nginx configuration file to ensure that App Volumes Manager accepts connections
only from specified TLS versions.
App Volumes Manager uses SSL and TLS to communicate with servers and App Volumes agents. See
Chapter 2 Using SSL Certificates with App Volumes Manager.
Prerequisites
- You must have administrator privileges on the machine where App Volumes Manager is installed.
- Locate the nginx.conf file and create a backup of the file. The default location for nginx.conf is
  C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf\.
Procedure
1. Log in to the machine where App Volumes Manager is installed.
2. Identify the ssl_protocols line in the nginx.conf file and retain only the TLS versions that you
   want App Volumes Manager to connect with.
   For example, if you include TLSv1.1 and TLSv1.2 in the ssl_protocols line, App Volumes Manager
   will accept connections only from these TLS versions.
3. Restart the App Volumes Manager service.
Example: Configure TLS v1.1 and TLS v1.2 Protocols
In this example, App Volumes Manager will accept connections only from agents that use TLS v1.1 and
TLS v1.2 protocols, as specified in the ssl_protocols entry in the Nginx configuration file.
    server {
        server_name 0.0.0.0;
        listen 3443;
        listen 443;
        listen [::]:443;
        ssl on;
        ssl_certificate      appvol_ca1_vmware.com.crt;
        ssl_certificate_key  appvol_ca1_vmware.com.key;
        # Accept only TLS v1.1 and TLS v1.2 connections
        ssl_protocols        TLSv1.1 TLSv1.2;
        ssl_session_cache    builtin:1000;
        ssl_session_timeout  5m;
        root ../public;
        # remaining directives of the server block are unchanged
    }
TLS v1.0 Protocol Communication
TLS v1.0 protocol communication from App Volumes agents is disabled. All communication from the
agent is done through TLS v1.1 and TLS v1.2 protocols.
App Volumes Manager can communicate with older agents only if the Allow TLS v1.0 protocol (Not
recommended) box is selected. This box is deselected by default.
You can enable TLS v1.0 support for App Volumes Manager during App Volumes Manager installation.
Select the Allow TLS v1.0 protocol (Not recommended) box when you install App Volumes Manager.
See the Install App Volumes Manager section in the App Volumes Installation Guide.
Configure Cipher Suites in App Volumes Manager
You can modify the Nginx configuration file to add ciphers or remove weak ciphers.
Prerequisites
- You must have administrator privileges on the machine where App Volumes Manager is installed.
- You must use the format that is defined in
  https://www.openssl.org/docs/man1.0.2/apps/ciphers.html under the section CIPHER LIST
  FORMAT while adding the ciphers. The ciphers are specified as a list separated by colons, spaces, or
  commas.
- Locate the nginx.conf file and create a backup of the file. nginx.conf is located at C:\Program
  Files (x86)\CloudVolumes\Manager\nginx\conf\.
Procedure
1. Log in to the machine where App Volumes Manager is installed.
2. Identify the line starting with ssl_ciphers in the nginx.conf file.
   Add the list of ciphers before the existing list of ciphers; the order of ciphers matters.
   For example, add ECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH to the existing list of
   ciphers.
3. (Optional) To disable any ciphers, remove the ciphers from the list.
4. Restart the App Volumes Manager service.
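The check below is an added example, not part of the VMware guide or of App Volumes: a small Python audit to run against a copy of nginx.conf before restarting the service. It reports protocol versions outside the set you intend to allow (by default the TLSv1.1 and TLSv1.2 of the example above), values that point to a lost semicolon, weak cipher entries, and whether the ciphers you added sit at the front of the list. The weak-keyword list, the function names, and both sample configurations are assumptions constructed for illustration.

```python
import re

# Values nginx accepts for the ssl_protocols directive.
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Heuristic (assumed) set of OpenSSL cipher-string keywords treated as weak.
WEAK_KEYWORDS = {"NULL", "ANULL", "ENULL", "EXPORT", "EXP", "LOW", "RC4",
                 "DES", "3DES", "MD5", "ADH", "AECDH"}
# Cipher string the guide gives as its example of ciphers to put first.
PREFERRED_FIRST = "ECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Constructed sample: TLS v1.0 enabled, a lost semicolon, and an RC4 suite.
WEAK_CONF = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2   # semicolon lost during an edit
    ssl_session_timeout 5m;
    ssl_ciphers RC4-SHA:HIGH:!aNULL:!MD5;
}
"""

# Constructed sample: the guide's protocol set with its ciphers placed first.
HARDENED_CONF = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_session_timeout 5m;
    ssl_ciphers ECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:HIGH:!aNULL:!MD5;
}
"""


def directive_values(conf, name):
    """Return the argument list of every `name ...;` directive in conf.

    Like nginx, a directive runs to the next ';', so a lost semicolon
    swallows the following line into the argument list.
    """
    text = re.sub(r"#[^\n]*", "", conf)                    # drop comments
    pattern = r"(?m)^[ \t]*%s\s+([^;]*);" % re.escape(name)
    return [m.group(1).split() for m in re.finditer(pattern, text)]


def split_ciphers(cipher_string):
    """Split an OpenSSL cipher list on colons, commas or spaces."""
    return [t for t in re.split(r"[:,\s]+", cipher_string.strip("\"' ")) if t]


def weak_cipher_tokens(cipher_string):
    """Return the tokens that enable (rather than exclude) a weak keyword."""
    weak = []
    for token in split_ciphers(cipher_string):
        if token[0] in "!-":          # '!' and '-' remove ciphers from the list
            continue
        parts = re.split(r"[+\-]", token.lstrip("+").upper())
        if WEAK_KEYWORDS.intersection(parts):
            weak.append(token)
    return weak


def audit(conf, allowed_protocols=("TLSv1.1", "TLSv1.2"),
          preferred_first=PREFERRED_FIRST):
    """Return a list of findings for the TLS settings in an nginx.conf text."""
    findings = []
    protocols = directive_values(conf, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols: not set, the nginx default applies")
    for args in protocols:
        for arg in args:
            if arg not in KNOWN_PROTOCOLS:
                findings.append(
                    "ssl_protocols: unexpected value %r (missing ';'?)" % arg)
            elif arg not in allowed_protocols:
                findings.append(
                    "ssl_protocols: %s is enabled but not allowed" % arg)
    ciphers = directive_values(conf, "ssl_ciphers")
    if not ciphers:
        findings.append("ssl_ciphers: not set, the nginx default applies")
    for args in ciphers:
        value = " ".join(args)
        for token in weak_cipher_tokens(value):
            findings.append("ssl_ciphers: weak entry %s" % token)
        wanted = split_ciphers(preferred_first)
        if split_ciphers(value)[:len(wanted)] != wanted:
            findings.append(
                "ssl_ciphers: preferred ciphers are not at the front of the list")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```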
Configuring Storage for AppStacks and Writable Volumes
You must specify the storage and template paths and select the type of storage for AppStacks and
Writable Volumes before creating and using them.
Typically, the default storage path is /cloudvolumes/writable.
Configure Storage For AppStacks
You can configure storage for AppStacks by selecting the default storage locations and paths.
Volumes are attached only for virtual machines on the host. You can add available storage only when App
Volumes Manager is configured in the VHD In-Guest mode. Otherwise, the list of storage locations and
datastores is populated from vCenter Server. See Configure VHD In-Guest Storage.
Note: Ensure that the paths for the default locations and the templates are separate from each other.
Prerequisites
Use a storage location that is accessible to all virtual machine host servers. When using VMDK Direct
Attach Operation Mode, the App Volumes Manager requires local or shared storage to be configured on
the hypervisor.
Procedure
1. From the App Volumes Manager, click CONFIGURATION > Storage.
   If you have configured the storage options, click Edit to change the configuration.
2. Enter the default storage information for AppStacks:

   Option
       Description

   Default Storage Location
       Storage Location in VC

   Default Storage Path
       For example, /cloudvolumes/apps

   Templates Path
       For example, /cloudvolumes/writable_templates

3. Confirm your storage settings and click Save.
4. (Optional) Check Import volumes immediately to import the volumes immediately. This option does
   not allow you to perform administrative tasks while import is underway.
5. Verify the information you entered on the Upload Prepackaged Volumes page, select the volumes,
   and click Upload.
   The volumes packaged with this App Volumes Manager are uploaded to the selected datastore.
Configure Storage for Writable Volumes
Configure storage for Writable Volumes by selecting the default storage locations and paths.
Note: If local host storage is used, volumes are attached only for virtual machines on that host.
Prerequisites
Use a storage location that is accessible to all virtual machine host servers. When using VMDK Direct
Attach Operation Mode, the App Volumes Manager requires local or shared storage to be configured on
the hypervisor.
Procedure
1. From the App Volumes Manager, click CONFIGURATION > Storage.
   If you have configured the storage options, click Edit to change the configuration.
2. Enter the information for the following fields:

   Option
       Description

   Default Storage Location
       Storage Location in VC

   Default Storage Path
       For example, /cloudvolumes/writable

   Templates Path
       For example, /cloudvolumes/writable_templates

3. Confirm your storage settings and click Save.
4. (Optional) Check Import volumes immediately to import the volumes immediately. This option does
   not allow you to perform administrative tasks while import is underway.
5. Verify the information you entered on the Upload Prepackaged Volumes page, select the volumes,
   and click Upload.
   The volumes packaged with this App Volumes Manager are uploaded to the selected datastore.
Configure VHD In-Guest Storage
To use App Volumes with VHD In-Guest Operation mode, the machines where the App Volumes Manager
and agents are installed require special permissions on the CIFS file share.
Procedure
1. On a file server, create a new empty folder.
2. Copy the contents of the Hypervisor\In-Guest VHD folder from the App Volumes installation media
   to the new folder.
3. Share the folder and grant full access permissions on the file share to everyone.
4. Configure NTFS permissions as described below.
   An Active Directory domain group might be used to manage permissions for the following roles:
   - Managers: App Volumes Manager
   - Agents: Machines that receive App Volumes and writable volumes assignments
   - Capture Agents: Machines that are used for provisioning new App Volumes agents

Table 1-2. NTFS folder permissions required for each role

Folder              Managers  Agents         Capture Agents
apps                Full      Read           Write
apps_templates      Read      None           None
writable            Full      Write or None  None
writable_templates  Read      None           None

Note: Write permissions are required by Agents when Dynamic Permissions are not enabled.
Asynchronous Mounting on App Volumes Manager and Agent
You can configure asynchronous mounting on App Volumes Manager and agent to enable App Volumes
Manager to handle a large number of login requests within a short time and improve scalability.
When you attach Writable Volumes or AppStacks, the App Volumes Manager has to keep a number of
HTTP connections open until the volumes are all mounted. When asynchronous mounting is enabled,
App Volumes Manager does not have to wait until all the volumes are mounted and can handle other
requests concurrently.
By default, asynchronous mounting is disabled on both the App Volumes Manager and agent.
Important: You must change the settings on both the App Volumes Manager and agent to enable
asynchronous mounting. You must also attach any Writable Volumes before sending a user login request.
Enable Asynchronous Mounting
To enable this setting on the agent, log in as administrator where the App Volumes agent is installed and
change the registry key settings as follows:

Table 1-3. App Volumes Agent Registry Key Settings

Registry Setting  Value
Path              HKLM\SYSTEM\CurrentControlSet\Services\svservice\Parameters
Key               Asyncmount
Type              DWORD
Value             1

To enable this setting on the App Volumes Manager, log in to App Volumes Manager and go to the
Advanced Settings page and check the Asynchronous Mounting box.
Advanced Settings Page
You can configure certain advanced settings for App Volumes and view the state of some App Volumes
Manager environment variables on the Settings page.
Type: General Settings
Value: UI Session Timeout
Description: The number of seconds App Volumes Manager remains active after the user logs on. The
default value is 30 minutes.

Type: General Settings
Value: Certificate Authority File
Description: Path of certificate file used by machine managers.

Type: Volume Mounting
Value: Asynchronous Mounting
Description: Enable the user to log in even if a Writable Volume or AppStack cannot be attached to the
user at the time of login.

Type: Writable Volumes
Value: Delete Protection
Description: Protect volumes from getting deleted directly from storage.

Type: Writable Volumes
Value: Force Reboot on Error
Description: If a Writable Volume is assigned to a user, and the volume does not get attached to the user,
the user has the option to reboot the machine.

Reduce App Volumes Login Time on Windows 10
The Windows Modules Installer service affects the App Volumes login time on Windows 10.
If the VMs on which App Volumes is installed remain idle, the Windows Modules Installer service
becomes enabled and causes the App Volumes login time to increase.
Disable the Windows Modules Installer service completely to prevent the service from starting
automatically.
See the relevant Microsoft documentation to learn how to disable the Windows Modules Installer service.
Disable Microsoft Windows NTLM Authentication
NTLM (NT LAN Manager) authentication is used to make the communication between
App Volumes Manager and agent more secure.
When an App Volumes agent makes an HTTP request to the App Volumes Manager, NTLM is used to
authenticate the user and user account with the entry in the Active Directory.
You can disable NTLM by defining a system environment variable on the machine where App Volumes
Manager is installed.
See https://technet.microsoft.com/en-us/library/jj852241(v=ws.11).aspx to understand the implications of
disabling NTLM.
Procedure
1. Log in as administrator to the machine where App Volumes Manager is installed.
2. Open Control Panel and click System > Advanced System Settings > Environment Variables >
   New.
   The New System Variable window appears.
3. In the Variable name text box, enter AVM_NTLM_DISABLED.
4. In the Variable value text box, enter 1.
5. Restart the computer.
   The App Volumes Manager service also restarts.
2 Using SSL Certificates with App Volumes Manager
App Volumes Manager uses SSL to communicate with Active Directory, Machine Managers, and
App Volumes agents.
Using App Volumes Manager, you can perform a variety of tasks to configure and use SSL certificates.
You can replace, import, disable, and manage the SSL certificates used for SSL communication and
validation.
- You can configure Active Directory to reject connection with App Volumes Manager if SSL certificate
  validation fails. See Configuring and Using Active Directory.
- You can add and upload trusted SSL certificates from the App Volumes Manager console to establish
  a secure connection to the vCenter Server and the remote SQL server.
- You can also replace the default App Volumes Manager certificates that are used for communication
  with App Volumes agents, disable SSL and SSL certificate validation, and enable an HTTP
  connection.
This chapter includes the following topics:
- Configuring SSL Certificates for Machine Managers
- Managing SSL Between App Volumes Manager and Agent
Configuring SSL Certificates for Machine Managers
You can establish secure connections from App Volumes Manager to SQL Server and vCenter Server.
Establishing a Secure SQL Server Connection
If the instance of App Volumes Manager that you have installed connects to an SQL server, you can
change the default Windows ODBC settings and connect securely to App Volumes Manager.
Ensure that you have downloaded the SSL certificate on the SQL server instance and imported the
certificate as a Trusted Certificate on to the machine where App Volumes Manager is installed. Change
the ODBC settings on this machine.
For detailed instructions, see https://support.microsoft.com/en-us/kb/316898.
Establish a Secure vCenter Server Connection
You can securely connect to a vCenter Server from App Volumes using an SSL certificate.
Prerequisites
Ensure that the vCenter Server you are connecting to has a domain SSL certificate.
The certificate must be verified and accepted by App Volumes.
Procedure
1. From the App Volumes Manager console, click Machine Managers > Add Machine Manager.
2. Enter the required Machine Manager information and click Save.

   Option         Description
   Type           Enter vCenter Server
   Host name      The host name of the Machine Manager. For example, server.your-domain.local
   User name      The user name with which you will access the machine. For example, YOURDOMAIN\administrator.
   Password       The password for the user name.
   Mount Local    Select this option if your VM's datastore has local copies of volumes and you want to mount the local copies.
   Mount on Host  Select this option if you want to connect directly to the VM host. This results in increased performance and decreases the burden on the vCenter Server.

3. Verify the certificate details.
   If the certificate is not trusted or verified, the following messages are seen:
   - A window with details of the certificate (SHA1 fingerprint, period of validity) that is present in the
     vCenter Server.
   - A message at the top right corner:
     Server error: SSL certificate is not verified and needs to be accepted to continue.
4. Click Accept to accept the certificate.
   You can also log in to the vCenter Server as an administrator and verify the SHA1 code.
   The Machine Manager is successfully added after the certificate is verified.
5. Click Certificate to view the certificate you added.
   If the certificate is changed on the vCenter Server after it has established a connection with App
   Volumes Manager, the Certificate not valid message is displayed when you log in to App
   Volumes Manager.
   Note You also see this message when you upgrade App Volumes to the latest version.
6. To validate the certificate again, select the vCenter Server under Machine Managers, click
   Certificate, and accept the certificate.
You now have a trusted SSL certificate to connect to the vCenter Server.
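The SHA1 comparison in steps 3 and 4 can be scripted so that the value shown in the Accept window is checked against one recorded on the vCenter Server itself. The following is an added example, not part of the VMware guide or product; the function names are hypothetical and SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes wrapped in PEM armour so the example runs offline.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"abc")


def sha1_fingerprint(pem_cert):
    """Return the SHA-1 fingerprint of a PEM certificate as 'AA:BB:...'."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Drop separators and case so differently rendered fingerprints compare equal."""
    hexdigits = "".join(ch for ch in fingerprint if ch not in ": -\t").lower()
    if len(hexdigits) != 40 or any(ch not in "0123456789abcdef" for ch in hexdigits):
        raise ValueError("not a SHA-1 fingerprint: %r" % (fingerprint,))
    return hexdigits


def fingerprints_match(shown_in_console, recorded_on_server):
    """Compare the fingerprint in the Accept window with the out-of-band reference."""
    return hmac.compare_digest(normalize(shown_in_console), normalize(recorded_on_server))


def fetch_presented_certificate(host, port=443):
    """Fetch the certificate a host presents, without validating it.

    A value fetched over the network is only what this machine currently sees.
    The trusted reference is the fingerprint read on the vCenter Server by an
    administrator, as the procedure describes.
    """
    return ssl.get_server_certificate((host, port))


def certificate_changed(recorded_fingerprint, pem_now):
    """True when the certificate presented now differs from the accepted one."""
    return not fingerprints_match(recorded_fingerprint, sha1_fingerprint(pem_now))


if __name__ == "__main__":
    reference = "a9993e364706816aba3e25717850c26c9cd0d89d"  # constructed reference value
    print(sha1_fingerprint(SAMPLE_PEM))
    print("match" if fingerprints_match(sha1_fingerprint(SAMPLE_PEM), reference) else "MISMATCH")
```

Accept the certificate only when the two values match; a later mismatch corresponds to the Certificate not valid message described in step 5.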
What to do next
When you upgrade App Volumes from an older version to the latest version, you might have to manually
accept the certificates to retain the connection to vCenter Server.
Managing SSL Between App Volumes Manager and Agent
A default self-signed certificate is installed when you install App Volumes Manager. App Volumes agents
use SSL to communicate with the App Volumes Manager and validate the certificate.
Replace the Self-Signed Certificate with CA-signed Certificate
A self-signed certificate is installed when you install App Volumes Manager. You can replace the default
self-signed certificate by modifying the Nginx configuration file.
Note The self-signed certificate is installed in the same location as the Nginx configuration file:
C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf.
Prerequisites
- Obtain an SSL certificate from a trusted Certificate Authority (CA).
- Download the CA-signed certificate that you obtained and the corresponding key to the machine
  where the App Volumes Manager is installed. Note down the location where the files are downloaded.
- If you provide a passphrase while generating the private key during the Certificate Signing Request
  (CSR), note down the passphrase.
- Verify that the common name on the CA-signed certificate is the same as the host name or the IP
  address of App Volumes Manager that you configured while installing the agent.
- Verify that the SSL key and certificate are both in PEM (Base64 encoded) format.
- Verify that the certificate and key are Nginx compliant.
Procedure
1. Log in as administrator to the machine where the App Volumes Manager is installed.
2. Navigate to C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf and make a copy of
   the existing Nginx configuration file, nginx.conf.
3. Open the Nginx configuration file.
4. Edit the ssl_certificate and ssl_certificate_key variables in the Nginx configuration file to point to the
   path of the certificate and key files that you downloaded.
5. (Optional) If you had provided a passphrase for the CA-signed certificate, enter the passphrase for
   your certificate in the Nginx configuration file.
6. Save the configuration file.
7. Restart the App Volumes Manager service.
Example: Nginx Configuration File
In this example, the appvol_ca1_vmware.com.crt and appvol_ca1_vmware.com.key are the default self-signed certificates.
server {
    server_name 0.0.0.0;
    listen 3443;
    listen 443;
    listen [::]:443;
    ssl on;
    # Point these two directives at the CA-signed certificate and its key
    ssl_certificate      appvol_ca1_vmware.com.crt;
    ssl_certificate_key  appvol_ca1_vmware.com.key;
    ssl_session_cache    builtin:1000;
    ssl_session_timeout  5m;
    root ../public;
    # (remaining directives of the server block are not shown in this excerpt)
}
What to do next
You can download and add the CA-signed certificate to the trust store of the App Volumes agent directly.
Import Default Self-Signed Certificate
If you do not want to replace the default self-signed certificate in the App Volumes Manager, you can
import the certificate and add it to the local trust store of the machine where the App Volumes agent is
installed.
If you have installed and configured multiple App Volumes Manager instances for use in all agent
machines, then the self-signed certificates have to be imported from each App Volumes Manager
instance to the agent machines.
Prerequisites
Obtain the IP address of the App Volumes Manager instance whose certificate you want to import.
Procedure
1. Log in as an administrator to the machine where the App Volumes agent is installed.
2. In a Web browser, enter the host name or IP address of the App Volumes Manager in the form of
   https://hostname.
   A warning message that the SSL certificate is not validated is displayed.
3. Click the warning message and follow instructions to download the SSL certificate displayed in the
   browser.
4. Open the Microsoft Management Console (MMC) and import the downloaded SSL certificate.
   See https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx#BKMK_addlocal for detailed
   instructions to import the SSL certificate after downloading it.
Disable SSL Certificate Validation in App Volumes Agent
SSL certificate validation is enabled by default when you install the App Volumes agent.
You can disable SSL certificate validation in the agent, either when you are installing the agent or after
you have installed the agent.
Note When you disable certificate validation, untrusted App Volumes Manager certificates are not
validated, but communication between App Volumes Manager and agent still occurs over SSL. If you
want to disable SSL completely, see Disable SSL in App Volumes Agent.
Disable SSL Certificate Validation When Installing App Volumes Agent
The App Volumes agent validates the SSL certificate of the App Volumes Manager during communication
with the manager. You can disable the certificate validation when you are installing the agent.
Procedure
- When you install the App Volumes agent, select the Disable Certificate Validation with App
  Volumes Manager box on the App Volumes Agent window.
Certificate validation is disabled but communication with the manager still occurs over SSL.
Disable SSL Certificate Validation in App Volumes Agent After Installation
You can disable SSL certificate validation after you have installed the agent.
Procedure
1. Log in as administrator on the machine where the App Volumes agent is installed.
2. Click the Start menu in Windows and enter regedit to open the Registry editor.
3. In the Registry Editor, go to
   HKLM\System\CurrentControlSet\Services\svservices\Parameters.
4. Locate and set the EnforceSSlCertificateValidation key to 0.
   The SSL certificate is no longer validated.
5. Restart the App Volumes service.
SSL certificate validation is disabled in App Volumes agent.
Enable HTTP in App Volumes Manager
You can enable an HTTP connection in App Volumes Manager, either when you are installing the
manager or after installation.
You might want to enable HTTP communication, for example, when you upgrade App Volumes to the
latest version and want to install and test App Volumes immediately without configuring SSL certificates.
Note Enable HTTP only in a non-production environment or if you are running App Volumes Manager
behind a load balancer.
Enable an HTTP Connection in App Volumes Manager During Installation
You can enable an HTTP connection when you are installing App Volumes Manager.
Procedure
1. When you choose network ports during App Volumes Manager installation, select the Allow
   Connections Over HTTP (insecure) option.
2. Enter a value for the HTTP port or retain the default value of 80.
HTTP is enabled in App Volumes Manager and you can now disable SSL in the agent and configure the
agent to communicate over HTTP. See Disable SSL in App Volumes Agent.
Enable HTTP in App Volumes Manager After Installation
You can modify the Nginx configuration file in App Volumes Manager if you want to enable HTTP in the
manager after it has been installed.
Important This server block is not present in the Nginx file by default; add this server block only if you
have not enabled HTTP when installing App Volumes Manager.
Prerequisites
Navigate to C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf and take a backup of
the existing Nginx configuration file, nginx.conf.
Procedure
1. Log in as administrator to the machine where App Volumes Manager is installed.
2. Navigate to C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf, open the Nginx
   configuration file, and copy the following block in the Nginx file after include
   proxy/vcenter*.conf;.

server {
    server_name 0.0.0.0;
    listen 80;
    listen [::]:80;
    root ../public;
    rewrite ^/(.*)/$ /$1 permanent;
    access_log logs/access_http.log main;
    error_log logs/error_http.log info;
    charset utf-8;
    override_charset on;
    gzip on;
    gzip_types application/json application/javascript;
    error_page 404 /404.html;
    error_page 502 /502.html;
    #error_page 500 502 503 504 /500.html;

    location ~* ^.+\.(jpg|jpeg|gif|png|ico)$ {
        expires max;
        break;
    }

    location ~* ^.+\.(css|js|htm|html|json)$ {
        #expires 0; # expire immediately
        expires 5m;
        break;
    }

    location / {
        try_files /index.html @manager;
    }

    location ^~ /ngvc/ {
        access_log logs/access_ngvc_http.log main;
        error_log logs/error_ngvc_http.log info;
        proxy_connect_timeout 10;
        #proxy_next_upstream off;
        proxy_next_upstream timeout;
        proxy_read_timeout 600;
        proxy_send_timeout 30;
        send_timeout 30;
        proxy_redirect off;
        server_name_in_redirect off;
        proxy_pass_header Cookie;
        proxy_pass_header Set-Cookie;
        proxy_pass_header X-Accel-Redirect;
        proxy_set_header Host $host:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Backend $upstream_addr;
        proxy_pass http://ngvc;
    }

    location @manager {
        proxy_connect_timeout 10;
        #proxy_next_upstream off;
        proxy_next_upstream timeout;
        proxy_read_timeout 600;
        proxy_send_timeout 30;
        send_timeout 30;
        proxy_redirect off;
        server_name_in_redirect off;
        proxy_pass_header Cookie;
        proxy_pass_header Set-Cookie;
        proxy_pass_header X-Accel-Redirect;
        proxy_set_header Host $host:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Backend $upstream_addr;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_pass http://manager;
    }
}

3. Restart the App Volumes service.
App Volumes Manager now communicates over HTTP.
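To review a Manager's nginx.conf after either of the two edits described above (replacing the default certificate, adding the HTTP server block), the following added example parses the file and reports server blocks that listen without SSL and SSL blocks that still use the default self-signed certificate. It is not VMware code; the function names and finding labels are hypothetical, and SAMPLE_CONF is a constructed, abbreviated copy of the two server blocks shown in this guide.

```python
import ntpath

DEFAULT_CERT = "appvol_ca1_vmware.com.crt"  # default certificate file name given in this guide

# Constructed sample: the default HTTPS block and the optional HTTP block, abbreviated.
SAMPLE_CONF = r'''
server {
    server_name 0.0.0.0;
    listen 3443;
    listen 443;
    listen [::]:443;
    ssl on;
    ssl_certificate      appvol_ca1_vmware.com.crt;
    ssl_certificate_key  appvol_ca1_vmware.com.key;
    root ../public;
}
server {
    server_name 0.0.0.0;
    listen 80;
    listen [::]:80;
    #error_page 500 502 503 504 /500.html;
    location @manager {
        add_header X-XSS-Protection "1; mode=block";
        proxy_pass http://manager;
    }
}
'''


def tokenize(text):
    """Yield ('word', s) and ('punct', c) tokens; comments are skipped and a
    quoted string is one word, so the ';' inside "1; mode=block" is not a terminator."""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                      # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            yield ("punct", c)
            i += 1
        elif c in "\"'":                    # quoted string (escaped quotes not handled)
            j = text.index(c, i + 1)
            yield ("word", text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            yield ("word", text[i:j])
            i = j


def server_blocks(text):
    """Return, for each `server { }` block, the directives written directly in it
    (directives inside nested location blocks are kept apart)."""
    servers, stack, words = [], [], []
    for kind, value in tokenize(text):
        if kind == "word":
            words.append(value)
        elif value == "{":
            directives = []
            if words and words[0] == "server":
                servers.append(directives)
            stack.append(directives)
            words = []
        elif value == "}":
            if stack:
                stack.pop()
            words = []
        else:                               # ';' ends a simple directive
            if stack and words:
                stack[-1].append(words)
            words = []
    return servers


def audit_nginx(text):
    """Return (label, endpoints, message) findings for each server block."""
    findings = []
    for directives in server_blocks(text):
        listens = [args for name, *args in directives if name == "listen" and args]
        ssl_flags = [args for name, *args in directives if name == "ssl"]
        ssl_on = bool(ssl_flags) and ssl_flags[-1] == ["on"]
        plain = [a[0] for a in listens if not (ssl_on or "ssl" in a[1:])]
        tls = [a[0] for a in listens if ssl_on or "ssl" in a[1:]]
        if plain:
            findings.append(("plain-http", ", ".join(plain),
                             "server block accepts HTTP; the guide limits this to "
                             "non-production use or a Manager behind a load balancer"))
        certs = [args[0] for name, *args in directives if name == "ssl_certificate" and args]
        if tls and any(ntpath.basename(c) == DEFAULT_CERT for c in certs):
            findings.append(("default-cert", ", ".join(tls),
                             "default self-signed certificate is still configured"))
    return findings


if __name__ == "__main__":
    for label, endpoints, message in audit_nginx(SAMPLE_CONF):
        print("%-12s %-22s %s" % (label, endpoints, message))
```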
Disable SSL in App Volumes Agent
You can disable SSL in App Volumes agent after you have installed the agent.
Prerequisites
Verify that you have enabled HTTP connection in App Volumes Manager. See Enable an HTTP
Connection in App Volumes Manager During Installation.
Procedure
1. Log in as administrator on the machine where the App Volumes agent is installed.
2. Click the Start menu in Windows and enter regedit to open the Registry editor.
3. In the Registry Editor, go to
   HKLM\System\CurrentControlSet\Services\svservices\Parameters.
4. Set the SSL key in the HKLM\System\CurrentControlSet\Services\svservices\Parameters
   path to 0.
5. Restart the App Volumes service.
SSL is disabled in the App Volumes agent and all agent communication with the App Volumes Manager
occurs over HTTP.
Check for SSL Certificate Revocation
You can configure the App Volumes agent to check if the SSL certificate used by a server to communicate
with the agent is revoked or not.
App Volumes agents use SSL to communicate with App Volumes Manager and validate the certificate. By
default, the App Volumes agent does not check if the SSL certificate that is used by the server to
communicate with the agent is revoked or not. This can lead to decreased security in the form of
persistent MITM attacks against the App Volumes agent.
Prerequisites
- You must have administrator privileges to the machine where the App Volumes agent is installed.
- SSL and SSL certificate validation must be enabled on the agent. If you have enabled HTTP on the
  manager, and disabled SSL on the agent, you cannot check for certificate revocation on the server.
Procedure
1. Log in as administrator to the machine where App Volumes agent is installed.
2. Run regedit to open the Windows registry settings, and select
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svservice\Parameters.
3. Select and set the EnforceSSLCertificateRevocation DWORD key to 1.
   Note The EnforceSSLCertificateRevocation variable can be set only if the
   EnforceSSLCertificateValidation key is already enabled.
If the SSL certificate is revoked on the server and SSL certificate revocation checking is enabled on the
agent, the SSL connection between agent and manager is immediately terminated.
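The three agent registry settings covered in this chapter (SSL, EnforceSSLCertificateValidation, EnforceSSLCertificateRevocation) interact, so it helps to audit them together. The following is an added example, not VMware code: function names, finding labels and the sample inventory are constructed, both spellings of the service key printed in this guide are tried, and a missing value is assumed to mean the default (SSL on is an assumption; validation on and revocation off are stated in this guide).

```python
# Key paths as printed in this guide; the guide uses both spellings.
CANDIDATE_KEYS = (
    r"SYSTEM\CurrentControlSet\Services\svservices\Parameters",
    r"SYSTEM\CurrentControlSet\Services\svservice\Parameters",
)
VALUE_NAMES = ("SSL", "EnforceSSLCertificateValidation", "EnforceSSLCertificateRevocation")


def read_agent_values():
    """Read the three values from HKLM on a Windows agent machine."""
    import winreg  # Windows-only; imported here so audit() runs on any platform

    values = {}
    for subkey in CANDIDATE_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue  # this spelling of the key does not exist
        with key:
            for name in VALUE_NAMES:
                try:
                    values.setdefault(name, winreg.QueryValueEx(key, name)[0])
                except OSError:
                    pass  # value not set; the default applies
    return values


def audit(values):
    """Return (label, message) findings for one agent's registry values."""
    # Registry value names are case-insensitive; accept ints or "0x1"-style text.
    v = {name.lower(): int(str(data), 0) for name, data in values.items()}
    ssl_on = v.get("ssl", 1) != 0                                  # assumed default: on
    validation = v.get("enforcesslcertificatevalidation", 1) != 0  # default: on
    revocation = v.get("enforcesslcertificaterevocation", 0) == 1  # default: off

    findings = []
    if not ssl_on:
        findings.append(("no-tls", "SSL=0: agent talks to the Manager over HTTP"))
    elif not validation:
        findings.append(("no-validation",
                         "certificate validation is off: any Manager certificate is accepted"))
    if revocation and not (ssl_on and validation):
        findings.append(("revocation-ineffective",
                         "revocation checking is set but needs SSL and validation enabled"))
    elif not revocation and ssl_on and validation:
        findings.append(("no-revocation-check",
                         "revoked Manager certificates are still accepted"))
    return findings


def audit_fleet(inventory):
    """Map host name -> finding labels, for hosts with at least one finding."""
    report = {}
    for host, values in inventory.items():
        labels = [label for label, _ in audit(values)]
        if labels:
            report[host] = labels
    return report


# Constructed inventory, e.g. collected by running read_agent_values() on each desktop.
SAMPLE_INVENTORY = {
    "vdi-001": {"EnforceSSLCertificateRevocation": 1},
    "vdi-002": {},
    "vdi-003": {"SSL": 0},
    "vdi-004": {"EnforceSSlCertificateValidation": 0, "EnforceSSLCertificateRevocation": 1},
}

if __name__ == "__main__":
    for host, labels in sorted(audit_fleet(SAMPLE_INVENTORY).items()):
        print(host, ", ".join(labels))
```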
3 Working with AppStacks
You can bundle applications and data into specialized read-only containers called AppStacks. You can
assign AppStacks to users, groups, or accounts, and deliver applications through them.
Using the App Volumes Manager, you can create, provision, assign, update, edit, delete, and
manage AppStacks.
You must be aware of the following considerations when you are creating and provisioning AppStacks:
- Physical endpoints and AppStacks are supported only under the following constraints:
  - VHD In-Guest mode is the only supported machine manager mode.
  - You must have a constant network connection.
  - The OS on the physical device must be non-persistent, streamed, or both.
- Provisioning of Internet Explorer into an AppStack is not supported. Due to the tight OS integration
  and dependencies, use an application isolation technology such as VMware ThinApp, and then use
  App Volumes for delivery of the isolated application package.
You can have an AppStack assigned to a user and a computer concurrently. See Assigning and Attaching
AppStacks.
This chapter includes the following topics:
- Creating and Provisioning AppStacks
- Assigning and Attaching AppStacks
- Edit an AppStack
- Update an AppStack
- Import AppStacks to App Volumes
- Check Datastores for Available AppStacks
- Unassign an AppStack
- AppStacks Precedence
- Delete AppStacks
Creating and Provisioning AppStacks
You must first create and provision an AppStack and then assign the AppStack to users and groups.
After you create an AppStack using the App Volumes Manager, you must log in to the provisioning
machine where the AppStack is attached, and install the applications in the AppStack. You can then
assign the AppStack to users and groups.
Preparing a Provisioning Machine
Provision the AppStacks on a clean base image, that is a virtual machine, that closely resembles the
target environment to which you later plan to deploy the AppStack.
For example, the provisioning virtual machine and the target should be at the same patch and service
pack level. If you have included applications in the base image, they should also be present in the
provisioning virtual machine.
Perform provisioning on a virtual machine that does not have any assigned AppStacks. If you have
previously assigned any AppStacks to the virtual machine, or if the virtual machine has been used for
provisioning before, that virtual machine should be set back to a clean snapshot before you begin
provisioning a new AppStack.
Best Practices for Provisioning Virtual Machines and Applications
You can follow some best practices while provisioning virtual machines and applications.
- Ensure that you have local administrator rights for provisioning.
- Perform only one provisioning process in each virtual machine. You can provision multiple virtual
  machines at the same time.
- If the provisioning virtual machine has a service pack, such as Service Pack 1, ensure that all virtual
  machines delivering applications are at the same or later service pack level.
- (Optional) For best performance, include application dependencies (such as Java, or .NET) in the
  same AppStack as the application.
- The provisioning system should not have antivirus agents, VMware Horizon with View agent, or any
  other filter driver applications installed or enabled.
- When provisioning an application, always install the application for all users. This ensures the
  application is installed under Program Files rather than a single user profile. This also creates
  application icons in the All Users folder.
- The provisioning virtual machine usually joins the same domain as the production virtual machine.
  However, this is dependent on the applications that are being provisioned. Some application
  requirements and licensing models require that the virtual machine shares a common SID with the
  production virtual machine.
- Do not deliver applications that require a common SID to a pool or to virtual machines that have had
  Sysprep run on them. These cases should be used in conjunction with VMware Horizon with View
  Composer or other similar OS cloning technologies that preserve the machine SID.
- Virtual machines used for provisioning should have a snapshot dedicated to the state of a user's
  desktop. After provisioning, virtual machines should have a clean snapshot that was made directly
  following the App Volumes agent installation. After the completion of provisioning, the virtual machine
  reverts to a clean state, that is, the snapshot.
- Provision the AppStacks on a clean base image, that is, a virtual machine that closely resembles the
  target environment to which you later plan to deploy the AppStack. For example, the provisioning
  virtual machine and target should be at the same patch and service pack level and, if applications are
  included in the base image, they should also be present in the provisioning virtual machine.
- If you are provisioning AppStacks on a virtual machine that has been used for provisioning before, the
  virtual machine should be set back to the clean snapshot before provisioning a new AppStack.
Create an AppStack
Create a new AppStack.
When you create an AppStack, you only provide the name, storage, path, and description of the
AppStack.
Procedure
1. From the App Volumes Manager console, click Volumes > AppStack > Create AppStack.
2. Enter the following information for the AppStack and click Create:

   Option       Description
   Name         A name that describes the type of applications contained in the AppStack.
   Storage      Name of your default datastore.
   Path         The path for the volume. The path to the apps_templates and writable_templates file on the datastore is created during the initial setup process. You can change the path to further sub-categorize volumes. For example: appvolumes/apps/your_folder.
   Template     Select a template for the AppStack, usually in the form of a VMDK file.
   Description  A short description of the AppStack, usually names of applications that the AppStack will contain.
What to do next
- Provision the AppStack to attach it and install applications. The AppStack is not fully created until
  you have completed provisioning. See Provision An AppStack and Install Applications in AppStacks.
- You can limit the number of active attachments of the AppStack you created. See Edit an AppStack.
Provision An AppStack
After you create a new AppStack, you must provision the AppStack by attaching it to the provisioning
computer and installing the applications in it.
Prerequisites
Ensure that the AppStack you want to provision is not already provisioned. You can check the status of an
AppStack on the AppStacks page under Volumes > AppStacks.
You cannot provision an AppStack on a computer that has a Writable Volume attached to it.
Procedure
1. From the App Volumes Manager console, click Volumes > AppStacks.
   A list of available AppStacks is displayed.
2. Select the AppStack you want to provision, and click Provision.
   Note Check the Status column to ensure that
   The Provision AppStack:<AppStackName> window is displayed.
3. Search for and select the provisioning computer by entering a full or partial name of the computer.
4. Click Provision to attach the AppStack to the virtual machine.
   Note For VHD In-Guest mounting, the provisioning computer must be powered off.
5. Log in to the provisioned computer and install the applications into the AppStack to complete the
   provisioning process.
Install Applications in AppStacks
After a new AppStack is attached to the provisioning machine, you must install the applications in the
AppStack to complete the provisioning process.
Prerequisites
- Verify that the App Volumes agent is installed on the provisioning machine and is configured to
  connect to the App Volumes Manager.
- If the application you are about to install uses insecure ciphers, and if you have disabled weak
  ciphers in SSL and TLS while installing the App Volumes agent, the application might not function
  properly. If your application installs and uses its own SSL and TLS libraries, disabling weak ciphers
  does not impact the functioning of the application.
See Install App Volumes Agent in the App Volumes Installation Guide.
Procedure
1. Log in to the provisioning computer.
   Note Ensure that you are now in the provisioning mode.
2. Follow the on-screen instructions to install the applications in the attached AppStack.
   Note Do not click OK until you have installed all your applications. If you click OK before installation
   is completed for the first application, the AppStack is created, but it is empty.
3. After installing the applications successfully, click OK to return to the App Volumes Manager.
4. Restart the provisioning machine and log in to it.
What to do next
Check the applications in the provisioned AppStack to ensure that provisioning was successfully
completed. The AppStack is ready to be assigned to users and groups. See Assign an AppStack to a
User.
Note If you are installing Microsoft .NET Framework 2.0 or .NET Framework 3.5 on a Windows 10
machine, ensure that the application is enabled in the base and not in the AppStack. See the instructions
on https://docs.microsoft.com/en-us/dotnet/framework/install/dotnet-35-windows-10 to enable the .NET
Framework 3.5 on Windows 10.
Assigning and Attaching AppStacks
You can assign AppStacks to a user, group, computer, or organizational unit (OU).
An AppStack can be either a user-assigned AppStack or a computer-based AppStack.
Note the following considerations when you assign an AppStack and a Writable Volume:
- If a user has a user-assigned AppStack and a Writable Volume, both are attached to the user.
- An AppStack that is assigned to a user does not get attached to the user if the user logs in to a
  computer that has a computer-based Writable Volume attached to it. However, if the Writable Volume
  is disabled, then the AppStack is attached to the user.
- If you assign an AppStack to a user, and the user logs in to a computer that has the same AppStack
  attached to it, then the user-assigned AppStack does not get attached to the user.
- You can set an attachment limit to an AppStack and limit the number of attachments. If you set an
  attachment limit of 1, and attach the AppStack to both a user and computer, the AppStack is attached
  to the computer. See Limiting AppStack Attachments.
- You can attach an AppStack to a user and a computer concurrently even if auto-login is not enabled
  in the VM. The AppStack is attached to the user when the user logs in.
- If you have enabled the Allow non-domain entities feature, and then assign an AppStack to both a
  computer and a user, the AppStack is attached to the computer and not the user.
AppStack Attachment Errors
If App Volumes Manager is unable to attach an AppStack or a Writable Volume to a user or computer, the
App Volumes agent displays error messages. These messages are also displayed if the manager can
attach the Writable Volume but the agent cannot access the file share (VHD configuration).
If the attachment is unsuccessful, all session data is lost and the user has to restart the session. The user
can try to log in to a different VM and if the AppStack is available and attaches successfully, the user can
continue with the operation.
App Volumes displays similar error messages when there are problems with attaching Writable Volumes.
See Assigning and Attaching Writable Volumes.
Important Due to LDAP limitations, App Volumes Manager does not support assignments that span
multiple domains in the same forest. If you want to assign AppStacks to users through group
membership, the user and the group that the user belongs to must be in the same domain, where the App
Volumes Manager is deployed.
For example, if you assign an AppStack to a group in domain A, but a user of the group belongs to
domain B, the AppStack does not get attached to the user.
However, you can assign AppStacks directly to the users in domain B, or if the group is also in domain B.
Limiting AppStack Attachments
You can limit the number of active attachments of an AppStack and configure each AppStack with the
maximum number of concurrent assignments that are allowed.
Limiting attachments might be helpful when you want to enforce licensing constraints, for example.
You cannot set the attachment limit when you create an AppStack. After the AppStack is created, you can
edit the AppStack to set this limit. See Edit an AppStack.
Note the following considerations when you limit AppStack attachments:
- All applications that are captured within the selected AppStack are limited.
- If you want to enforce the limitation only for a specific application, the application must be captured
  separately and alone in an AppStack.
- If you reduce the attachment limit, the change is not reflected for the user until the user logs out and
  logs back in; no active attachment is removed when the limit is reduced.
- Similarly, if you increase the attachment limit, a user who was previously denied an AppStack
  attachment will not receive the attachment until the user logs out and logs back in to the machine.
Assign an AppStack to a User
After you create and provision an AppStack, you can assign the AppStack to a user.
Procedure
1. From the App Volumes Manager, go to Directory > Users.
   The Managed Users page with a list of users is displayed.
2. Select the user for whom you want to assign the AppStack.
   Ensure that the status of the user is set to Enabled.
3. Click Assign AppStack.
4. Select an available AppStack from the list.
5. (Optional) Check the Limit attachment of these assignments to specific computers.
   a. If you want the selected AppStack to be attached only when the user logs in to a specific
      computer, specify the computer prefix.
6. Select one of the following methods of assignment:

   Option                                   Description
   Attach AppStack on next login or reboot  The AppStack is attached when the user logs in or reboots the machine.
   Attach AppStack immediately              The volume is attached instantly to all computers on which the selected users are logged in. If you are assigning the AppStack to a group or organizational unit, all users or computers in that group get the attachments immediately.

After the AppStack is assigned to the selected entity, the entity becomes known to the App Volumes
Manager.
What to do next
Go to Volumes > Assignments to view the complete list of AppStack assignments and manage them.
You can have an AppStack assigned to a user and computer at the same time. See Assign an AppStack
to a Computer.
Assign an AppStack to a Computer
After you create and provision an AppStack, you can assign the AppStack to a computer.
Procedure
1. From the App Volumes Manager, go to Directory > Computers.
   The Managed Computers page with a list of computers is displayed.
2. Select the computer for which you want to assign the AppStack.
   Ensure that the status of the computer is set to Enabled.
3. Click Assign AppStack.
4. Select an available AppStack from the list.
5. (Optional) Select the Detach on shutdown if you want the assigned AppStack to be detached when
   the user logs off from the assigned computer.
6. Select one of the following methods of assignment:

   Option                                   Description
   Attach AppStack on next login or reboot  The AppStack is attached when the user logs in or reboots the machine.
   Attach AppStack immediately              The volume is attached instantly to all computers on which the selected users are logged in. If you are assigning the AppStack to a group or organizational unit, all users or computers in that group get the attachments immediately.

After the AppStack is assigned to the selected entity, the entity becomes known to the App Volumes
Manager.
What to do next
Go to Volumes > Assignments to view the complete list of AppStack assignments and manage them.
Assign an AppStack to a Group
After you create and provision an AppStack, you can assign the AppStack to a group.
Procedure
1. From the App Volumes Manager, go to Directory > Groups.
   The Managed groups page with a list of groups is displayed.
2. Select the group for whom you want to assign the AppStack.
   Ensure that the status of the group is set to Enabled.
3. Click Assign AppStack.
4. Select an available AppStack from the list.
5. Select one of the following methods of assignment:

   Option                                   Description
   Attach AppStack on next login or reboot  The AppStack is attached when the user logs in or reboots the machine.
   Attach AppStack immediately              The volume is attached instantly to all computers on which the selected users are logged in. If you are assigning the AppStack to a group or organizational unit, all users or computers in that group get the attachments immediately.

After the AppStack is assigned to the selected entity, the entity becomes known to the App Volumes
Manager.
What to do next
Go to Volumes > Assignments to view the complete list of AppStack assignments and manage them.
Assign an AppStack to an Organizational Unit (OU)
After you create and provision an AppStack, you can assign the AppStack to an organizational unit.
Procedure
1. From the App Volumes Manager, go to Directory > Users.
   The Managed Organizational Units page with a list of OUs is displayed.
2. Select the OU for which you want to assign the AppStack.
   Ensure that the status of the OU is set to Enabled.
3. Click Assign AppStack.
4. Select an available AppStack from the list.
5. Select one of the following methods of assignment:

   Option: Attach AppStack on next login or reboot
   Description: The AppStack is attached when the user logs in or reboots the machine they are logged in to.

   Option: Attach AppStack immediately
   Description: The volume is attached instantly to all computers on which the selected users are logged in. If you are assigning the AppStack to a group or organizational unit, all users or computers in that group get the attachments immediately.

After the AppStack is assigned to the selected entity, the entity becomes known to the App Volumes Manager.
What to do next
Go to Volumes > Assignments to view the complete list of AppStack assignments and manage them.
Edit an AppStack
You can edit an AppStack to change its name, description, the type of OS to which it is attached, and the
number of attachments of the AppStack.
The Filename and the Path variables are set when the AppStack is created and cannot be updated.
Important When you specify a limit for the number of attachments for an AppStack, all applications that
are captured within the AppStack are limited by this number. If you want to enforce an attachment limit for
a single application, that application has to be captured separately in a separate AppStack.
Prerequisites
Ensure that the AppStack you want to edit is provisioned. See Provision An AppStack.
Procedure
1. From the App Volumes Manager console, go to Volumes > AppStacks.
2. Select the AppStack that you want to edit and click Edit.
3. Update the name, description, or OS type and click Save.
4. (Optional) Check the Limit Attachments box to limit the number of active attachments for the AppStack.
What to do next
Click the Rescan icon to view the latest information about the available AppStacks.
Update an AppStack
You can update an AppStack to add, delete, and update applications that are installed in it.
When you update an AppStack, App Volumes creates a clone of this AppStack and the updated
AppStack is in an unprovisioned state.
Procedure
1. From the App Volumes Manager console, click Volumes > AppStacks.
2. Select the AppStack that you want to update.
   To select the AppStack, you can simply click on the AppStack, or select the checkbox next to it.
3. Click Update.
4. Enter the information you want to update and click Create.

   Field: Name
   Description: The name of the AppStack.

   Field: Storage
   Description: The location where you want the AppStack to be stored.

   Field: Path
   Description: Path to the datastore.

   Field: Description
   Description: A description of the applications in this AppStack.

The AppStack is updated and is unprovisioned.
What to do next
Provision the updated AppStack. See Creating and Provisioning AppStacks.
Import AppStacks to App Volumes
If you have preconfigured third-party AppStacks or have AppStacks from another deployment, you can
import them to App Volumes.
Prerequisites
Using the vCenter Server datastore browser, select a datastore, create a new folder, and upload the
AppStacks to this folder.
Procedure
1. From the App Volumes Manager console, click Volumes > AppStack > Import AppStacks.
2. Browse to the datastore where you uploaded the AppStacks and select the AppStack you want to import.
3. Click Import.
The AppStacks are imported and become known to the App Volumes Manager. You can now assign and
attach the imported AppStacks.
Check Datastores for Available AppStacks
You can verify whether the AppStacks in the datastore are still present and accessible.
Procedure
1. From the App Volumes Manager console, click Volumes > AppStacks.
2. Click Rescan.
A list of all known and available App Volumes Manager is displayed.
What to do next
If you find that new AppStacks have been added to the datastore, use the Import option to import them,
and make the AppStacks known to the App Volumes Manager that you are logged in to.
Unassign an AppStack
You can unassign an AppStack that you have assigned.
Procedure
1. From App Volumes Manager, go to Volumes > AppStacks.
2. Select an AppStack that is assigned.
   Select an AppStack to view the assignment details. You can also see if the AppStack is assigned and the number of assignments in the Assigned column.
3. Click Unassign.
4. Select the entity from which you want to unassign the AppStack and click Unassign.
5. On the Confirm Unassign window, select whether you want to Detach AppStack on next logout or reboot or Detach AppStack immediately, and click Unassign.
AppStacks Precedence
When multiple AppStacks that share common components are assigned to a machine, you can reorder
the AppStacks to give priority to one AppStack over the others. Override precedence provides the ability
to designate attachment priority for entities that have multiple AppStacks assigned to them.
You can reorder AppStacks provisioned with App Volumes 2.5 or later.
If you have multiple AppStacks assigned to an entity, you can use the precedence rules and the Override
Precedence feature to assign priority to the AppStacks.
- Direct assignments to a user take precedence over group or Organizational Unit (OU) assignments.
- Assignments to a group take precedence over Organizational Unit (OU) assignments.
- If a user is a member of multiple groups or OUs and the same AppStack is assigned to those multiple groups or OUs at different priorities, then the Override Precedence attachment priority is not guaranteed. Only the priorities within one group or OU are assured, but attachments from assignments of the other groups or OUs may be mixed in that ordering.
As an example, you can have both Adobe 9 and Adobe 10.x App Volumes attached to a machine,
although they cannot co-exist natively. When users double-click a PDF file on the desktop, only one
Adobe Reader is launched. If you have assigned a higher precedence to Adobe 9 than Adobe 10.x,
Adobe 9 gets the priority as the default PDF reader application. If you want to modify the default
application, you can use the reordering feature in App Volumes Manager to adjust the stack order, so that
Adobe 10.x becomes the default PDF reader.
See the KB article https://kb.vmware.com/kb/2146035 for information on how to provision and use
Microsoft Office applications with App Volumes.
Delete AppStacks
You can delete legacy and deprecated AppStacks from the disk.
Prerequisites
Verify that the AppStacks you want to delete are not assigned to any computers, users, or groups.
Procedure
1. From the App Volumes Manager console, click Volumes > AppStack and select the AppStack you want to remove.
2. Click Delete.
   Note AppStacks and Writable Volumes that can no longer be contacted on a datastore have their state set to Unreachable. You can remove AppStacks or Writable Volumes even when they are unreachable. This action cleans up the metadata in the App Volumes database.
What to do next
Click the Rescan icon to display a list of the updated and available AppStacks.
4 Working with Writable Volumes
With Writable Volumes, you can configure per-user volumes where users can install and configure their
own applications and keep the data that is specific to their profile. A Writable Volume is assigned to a
specific user and becomes available to the user from any machine.
A Writable Volume is an empty VMDK or VHD file that you assign to a specific user. It mounts to the VM
when the user authenticates to the desktop. You can attach only one Writable Volume at a time per-user
per OS. For example, if a user logs into a Windows 7 machine and a Windows 10 machine at the same
time, one volume is attached to the user on Windows 7 and another one on Windows 10.
A Writable Volume can contain data such as application settings, user profile, licensing information,
configuration files, and user-installed applications.
Using App Volumes Manager, you can create, import, edit, expand, and disable Writable Volumes.
Writable Volumes with User Environment Management Solutions
You can use Writable Volumes to complement a user environment management solution such as
VMware User Environment Manager. Such solutions can manage data in Writable Volumes at a more
granular level and enforce policies based on different conditions or events by providing contextual rules.
With Writable Volumes, you can use containers for local user profile delivery across systems.
Writable Volumes with Non-Persistent Virtual Desktops
On a non-persistent virtual desktop environment, all applications that the user installs are removed after
the user logs out of the desktop. Writable Volumes store the applications and settings of users and make
user-specific data persistent and portable across non-persistent virtual desktops. This way, you can
address use cases, such as providing development and test machines for users to install custom
applications on non-persistent virtual desktops.
Storage Configuration with Writable Volumes
When designing your environment for Writable Volumes, consider that a Writable Volume requires both
read and write I/O. The input output operations per second (IOPS) for a Writable Volume might vary for
each user depending on how the users consume their data. IOPS might also vary depending on the type
of data that the users are allowed to store on their Writable Volume.
You can manage the number of Writable Volumes that can be configured on a single storage LUN by
monitoring how the users access their Writable Volumes.
Writable Volumes Exclusions
Using the Writable Volumes exclusions feature, you can exclude specific locations of user Writable
Volumes, such as file paths or registry keys, from being overwritten. Use this feature only if you are an IT
administrator or an advanced App Volumes administrator. The exclusions do not affect AppStacks or
system volumes. See Writable Volume Exclusions for more information.
This chapter includes the following topics:
- Assigning and Attaching Writable Volumes
- Create a Writable Volume
- Import Writable Volumes
- Enable a Writable Volume
- Update Writable Volumes
- Edit a Writable Volume
- Rescan Writable Volumes
- Expand a Writable Volume
- Disable a Writable Volume
- Delete a Writable Volume
- Considerations and Limitations for Writable Volumes
- Writable Volume Exclusions
- Protecting Writable Volumes
Assigning and Attaching Writable Volumes
You can assign Writable Volumes to a user, group, computer, or organizational unit (OU).
Note the following considerations when you assign and attach Writable Volumes:
- When a Writable Volume is created for a user, it is assigned to the user immediately. When the volume is assigned to a group, it is created when a user belonging to the assigned group logs in to the machine.
- A user can have more than one Writable Volume attached at the same time if the volume is OS-specific, or created for a computer with a specific prefix. For example, suppose that you create a Writable Volume for each of the following:
   - A Windows 7 machine
   - A Windows 10 machine
   - A computer with Win2012-dev prefix to its name
   - A computer with Win2012-test prefix to its name
  Then, when the user logs in to these different machines at the same time, each Writable Volume that is assigned to the specific machine is attached to the user at the same time.
- A machine can have only one Writable Volume attached to it at a given point in time.
- A Writable Volume must be enabled before it can be attached. See Enable a Writable Volume.
Note A user can also have multiple volumes attached to the same OS if there are two separate nodes
and the user logs in to the desktop on both nodes.
Writable Volume Attachment Errors
If a Writable Volume that is assigned to a user or a computer does not attach correctly or if an assigned
volume is running out of space, an error message is displayed and the user may have to restart the
session.
The user may also see attachment errors when an assigned Writable Volume is disabled by the
administrator or if the App Volumes agent is unable to access the volume due to permission issues, for
example.
In such cases, the user can try to log in to a different VM and retry the operations. If the volume becomes
available, the user can continue with the operations.
Similar errors are displayed if AppStacks are unable to get attached. See Assigning and Attaching
AppStacks.
Create a Writable Volume
You can create Writable Volumes for computers and users to store user-specific data such as application
settings, user profiles, configuration settings, and licensing information.
Prerequisites
Your account must have read access to the domains that you use with App Volumes, and the domains
must be configured with two-way trust. See the User Accounts and Credentials section in the VMware
App Volumes Installation guide for more information.
Procedure
1. From the App Volumes Manager console, select Volumes > Writables > Create Writable.
2. From the Domain drop-down menu, select a domain that is configured with App Volumes.
3. Enter a search string in the Search Active Directory text box to locate the entity to which you want to assign the Writable Volume.
   You can search for individual users, computers, groups, or OUs. User Principal Name string searches (search_term@domain.local) and Down-Level Logon Name string searches (domain\search_string) are supported. You can filter your search query by Contains, Begins, Ends, or Equals.
   a. (Optional) Select the Search all domains in the Active Directory forest check box to search the entire Active Directory forest.
      Note Searching all domains in the forest might result in slow performance.
4. Click Search.
   A list of entities is displayed.
   Note If you are unable to locate the entity that you want, your account might not have read access to the domains you are searching, or the domains are not configured with two-way trust.
5. Select the check box for the entity for which you want to create the Writable Volume.
   If you select a group or OU, individual Writable Volumes are created for each member of that group or OU. Group membership is discovered by using recursion, meaning that users and computers in subgroups also receive volumes. However, when creating Writable Volumes for OUs, groups are not recursed.
6. Enter the following information:

   Option: Destination Storage
   Description: You can select either the default datastore or a different datastore. The default datastore is the datastore that you configured for storing the Writable Volumes. If you select a different datastore, verify that you have the Writable Volumes templates on that datastore in the cloudvolumes/writable_templates folder.

   Option: Destination Path
   Description: The default path is <varname>/cloudvolumes/writable.

   Option: Source Template
   Description: Select a source template from the drop-down menu for the new Writable Volume:
      - UIA only - Captures all user-installed applications but does not capture any data that is written to the user profile. You can use this template with a third-party profile solution or VMware User Environment Manager.
      - UIA+profile - Includes all user-installed applications and user profile data. The user profile data is only a local profile and is not a roaming profile or other managed user profiles. The profile is delivered early in the boot process and considered only a local profile delivery. Additional profile tools like roaming profiles and VMware User Environment Manager still apply and work as expected. Use this template if a profile solution is not in place.

7. (Optional) Select the appropriate box to configure additional settings for the Writable Volume.

   Option: Prevent user login if the writable is in use on another computer
   Description: Select this option to ensure that the user does not log in to a computer to which their Writable Volume is not present. Using a desktop without an attached Writable Volume may result in the user working on a machine where the data is not saved to the Writable Volume.

   Option: Limit the attachment of users writables to specific computers
   Description: Use this setting for users who do not need to access their Writable Volume on all computers that they use. Also, some users might need separate Writable Volumes that are only attached to specific computers.
   For example, a user has two Writable Volumes assigned, one limited to Win7-Dev and another limited to Win7-Test. When the user logs in to the computer named Win7-Dev-021, the user gets the first volume. When the user logs in to Win7-Testing, the user gets the second volume. If the user logs in to Win2012R2, no Writable Volume is attached.

   Option: Delay writable creation for group/OU members until they log in
   Description: Delay the creation of Writable Volumes for group and OU members until their next login. This option only affects groups and OUs. Users and computer entities that were directly selected have their volumes created immediately.
   Use this option when you select a group or an OU. Often these containers can have hundreds or thousands of members. This can be problematic because creating many volumes at the same time might take a long time. Some members might not need a Writable Volume.

8. Click Create.
9. On the Confirm Create Writable Volumes window, select when you want to create the selected volume:
   - Create volume in the background - App Volumes Manager dispatches a background job to create the volume and the display goes back to the manager console immediately.
   - Create volume immediately - App Volumes Manager waits for the volume to be created and the console is not responsive until either the process is complete or 10 minutes have elapsed.
What to do next
Confirm that the Writable Volume has been created for the user. From the App Volumes Manager
console, select Volumes > Writables and check that the volume you just created has the status set to
Enabled.
Import Writable Volumes
If you have Writable Volumes from another App Volumes deployment, you can import them to your
current deployment.
Prerequisites
Ensure that you have access to the Writable Volumes that you want to import. You can verify access in
one of the following ways:
- Verify that your vCenter Server instance has access to the datastore where the Writable Volumes that you want to import reside.
- Copy the VMDK files of the Writable Volumes to a different folder on the datastore that you already use for Writable Volumes on your current App Volumes deployment.
Procedure
1. From the App Volumes Manager, select Volumes > Writables > Import Writables.
2. Select the datastore from the drop-down list.
3. Provide the path from where you want to import the Writable Volumes.
4. Click Import.
5. On the Confirm Import Writable Volumes window, choose when you want to import the selected volume:
   - Import volumes in the background - App Volumes Manager dispatches a background job to import the volume and the display goes back to the manager console immediately.
   - Import volumes immediately - App Volumes Manager waits for the import to be completed and the console is not responsive until either the process is complete or 10 minutes have elapsed.
What to do next
Click Rescan to update the list of Writable Volumes in the App Volumes Manager.
Enable a Writable Volume
You can enable a Writable Volume for a user or a computer.
You must enable a Writable Volume before you can attach it to a user or computer.
Prerequisites
Ensure you have created the volume you want to enable. See Create a Writable Volume.
Procedure
1. From the App Volumes Manager, go to Volumes > Writables.
2. Select a Writable Volume and click Enable.
3. Click Enable on the Confirm Enable window.
What to do next
You can now assign the enabled volume to a user or computer.
Update Writable Volumes
You can upload .zip files to the Writable Volumes VMDKs and the files become available to the user the
next time the user logs in to the desktop.
You provide the files in a ZIP format. You cannot change any user-installed applications that are already
in the Writable Volumes.
Note Once a Writable Volume is updated, you cannot reverse the updates. You must update again
separately to make any further changes.
Prerequisites
- Create a ZIP file that contains the files that you want to upload. The ZIP file must be smaller than 5 MB.
- Place the file at the root of the Writable Volumes or any location that is accessible to the App Volumes Manager.
Procedure
1. From the App Volumes Manager console, select Volumes > Writables > Update Writables.
2. Browse and select the zip file.
3. Click Upload.
Edit a Writable Volume
You can edit some settings of a Writable Volume.
The Name, Filename, and Path text boxes are not editable.
Procedure
1. From App Volumes Manager, go to Volumes > Writables.
   A list of entities is displayed.
2. Select the user or entity for whom you want to edit the Writable Volume.
   A list of operations that can be performed on the volume is displayed.
3. Click Edit to update the available settings.

   Option: Prevent user login if the writable is in use on another computer
   Description: Select this option to ensure that the user does not log in to a computer to which their Writable Volume is not present. Using a desktop without an attached Writable Volume may result in the user working on a machine where the data is not saved to the Writable Volume.

   Option: Limit the attachment of users writables to specific computers
   Description: Select this setting for users who do not need to access their Writable Volume on all computers that they use. Also, some users might need separate Writable Volumes that are only attached to specific computers.
   For example, a user has two Writable Volumes, one limited to Win7-Dev and another limited to Win7-Test. When the user logs in to the computer named Win7-Dev-021, the user gets the first volume. When the user logs in to Win7-Testing, the user gets the second volume. If the user logs in to Win2012R2, no Writable Volume is attached.

   Option: Description
   Description: Enter a description for the Writable Volume.

   Option: Operating System
   Description: Select the additional OS for which you want to attach the Writable Volume.
   Note You cannot deselect the OS to which the volume was previously attached.
   Note If you select multiple operating systems, it might result in the volume becoming inoperable.

4. Click Save.
Rescan Writable Volumes
To get the updated list of accessible Writable Volumes in your App Volumes deployment, you can rescan
the datastore where the Writable Volumes VMDK files reside.
The rescan operation only checks for Writable Volumes that are already configured to this App Volumes
Manager instance.
If new Writable Volumes are added to the datastore from a different App Volumes Manager or
deployment, use the Import option so that the current App Volumes Manager detects them. See Import
Writable Volumes for details.
Procedure
- From the App Volumes Manager console, click Rescan.
If any of the Writable Volumes VMDK files are missing from the datastore or are corrupt, they appear as
Detached under Writable Volumes in App Volumes Manager.
Expand a Writable Volume
You can specify a new size for a Writable Volume using the App Volumes Manager and App Volumes
increases the .vmdk file to the new size.
Important You cannot expand a Writable Volume if your Machine Manager is configured as VHD In-Guest Services. This feature is available only on vCenter Server. See Configuring a Machine Manager
and Set Up the Machine Manager Connection.
Procedure
1. From the App Volumes Manager console, select Volumes > Writables.
2. Select a Writable Volume from the list and click Expand.
   A Confirm Expand window is displayed.
3. Enter the new size for the volume and click Expand.
   You must enter a size that is at least 1 GB greater than the current size of the Writable Volume.
The Writable Volume file is expanded to the new size the next time the user logs in to the virtual machine.
Disable a Writable Volume
You can disable an assigned Writable Volume.
You can attach a Writable Volume to a user only when the volume is enabled. When you disable a
Writable Volume, and the user does not have any Writable Volume on the datastore, it is not attached to
the user.
A new Writable Volume will not be created to replace a disabled Writable Volume unless you have also
deleted the volume from the datastore. In such a case, a new volume is created.
Prerequisites
Ensure that the Writable Volume you want to disable is enabled and assigned to a user or computer.
Procedure
1. From the App Volumes Manager, go to Volumes > Writables.
2. Select a Writable Volume and click Disable.
3. Click Disable on the Confirm Disable window.
Delete a Writable Volume
You can delete a Writable Volume.
A volume that is deleted is immediately detached from all computers. All associated data and settings are
also deleted permanently.
Prerequisites
Ensure that the Writable Volume you want to delete is not in use by any user or computer.
Procedure
1. From the App Volumes Manager, go to Volumes > Writables.
2. Select a Writable Volume and click Delete.
3. Click Delete on the Confirm Disable window.
What to do next
If you chose to delete more than one volume, the deleted volume may still be displayed in the App
Volumes Manager. Refresh the App Volumes Manager to see the updated list of available volumes.
Considerations and Limitations for Writable Volumes
You must be aware of the following considerations and limitations when working with Writable Volumes.
- Disable automatic Windows updates.
- Detach the volume before performing any update to the OS.
- Detach all Writable Volumes when performing any revert, recompose, or refresh of the virtual machines.
Writable Volume Exclusions
You can specify certain locations of Writable Volumes to exclude them from being persisted across
sessions or getting overwritten.
As an administrator, you might want to prevent automatic updates of some applications and prefer to
update the AppStacks that contain these applications manually.
When applications are automatically updated, multiple copies of the files might get created since the
applications are also stored on the Writable Volumes. The existing applications then either do not behave
as desired or stop working completely. To prevent this behavior, you can apply Writable Volumes
exclusions to specific locations and registry paths.
You can also specify exclusions to prevent certain folders, such as temporary download folders, from
accumulating huge, unwanted files.
Important The Writable Volumes exclusions feature is for advanced IT administrators or users who are
aware of application behavior with App Volumes and want to tweak the way applications are managed or
how Writable Volumes are used along with AppStacks.
Keep the following considerations in mind before you apply Writable Volumes exclusions:
- If the user modifies the locations that are excluded, the changes are lost when the user logs off the machine.
- You must be aware of the application behavior and the data that gets stored in the folders you want to exclude.
- Do not use generic locations such as \REGISTRY\MACHINE\SOFTWARE or \Program Files(x86)\. Using generic locations can cause all application updates to be erased.
Prerequisites
You must have administrator privileges on the machine where the App Volumes agent is installed.
Procedure
1. Log in as administrator to the machine where the App Volumes agent is installed.
2. Locate and open the writable volumes configuration file, SnapVol.cfg.
3. Add the following entry in the SnapVol.cfg file, where path is the location of the application or registry that you want to exclude:
   exclude_uwv=path
   You can specify multiple exclusions.
Example: Exclude an Application Location
The following examples exclude the folder and registry location of Notepad++ from being overwritten
during an update.
exclude_uwv_file=\Program Files (x86)\Notepad++
exclude_uwv_reg=\REGISTRY\MACHINE\SOFTWARE\Notepad++
What to do next
You must test the application after applying any Writable Volumes exclusions to ensure that the
application works as desired.
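The considerations in this section can be checked mechanically before a SnapVol.cfg change is rolled out. The PowerShell below is an added example, not VMware code: the function name Test-UwvExclusion and the sample entries are constructed, the accepted key names are the exclude_uwv spellings used in this section, and it assumes registry locations begin with \REGISTRY\ as in the example above.

```powershell
# Added example (not VMware code): lint Writable Volume exclusion entries.
# Assumptions: accepted key names are the exclude_uwv spellings from this section;
# registry locations are written with a leading \REGISTRY\ as in its example.
function Test-UwvExclusion {
    param([string[]]$Line)

    $knownKeys = 'exclude_uwv', 'exclude_uwv_file', 'exclude_uwv_reg'
    # The two locations this guide names as too generic to exclude.
    $generic = '\REGISTRY\MACHINE\SOFTWARE', '\Program Files (x86)'

    # Compare without whitespace, trailing backslashes or case, so that
    # "\Program Files(x86)\" and "\program files (x86)" are treated alike.
    $normalize = { param($p) ($p -replace '\s', '').TrimEnd('\').ToUpperInvariant() }
    $genericNorm = $generic | ForEach-Object { & $normalize $_ }

    $lineNo = 0
    foreach ($raw in $Line) {
        $lineNo++
        # Only lines that look like exclusion entries are examined.
        if (-not ($raw -match '^\s*(exclude_\w+)\s*=(.*)$')) { continue }
        $key  = $Matches[1]
        $path = $Matches[2].Trim()
        $norm = & $normalize $path
        $findings = @()

        if ($knownKeys -notcontains $key) {
            $findings += "unrecognized key '$key' (misspelled?)"
        }
        if ($norm -eq '') {
            $findings += 'empty location'
        }
        elseif ($genericNorm -contains $norm) {
            $findings += 'generic location: application updates under it would be erased'
        }
        $isRegPath = $norm.StartsWith('\REGISTRY\')
        if ($key -eq 'exclude_uwv_reg' -and $norm -ne '' -and -not $isRegPath) {
            $findings += 'registry key used with a non-registry location'
        }
        if ($key -eq 'exclude_uwv_file' -and $isRegPath) {
            $findings += 'file key used with a registry location'
        }

        $status = 'ok'
        if ($findings.Count -gt 0) { $status = 'REVIEW' }
        [pscustomobject]@{
            Line    = $lineNo
            Entry   = $raw.Trim()
            Status  = $status
            Finding = $findings -join '; '
        }
    }
}

# Constructed sample lines. On an agent machine, pass the real file instead:
#   Test-UwvExclusion -Line (Get-Content -LiteralPath '<path to SnapVol.cfg>')
$sample = @'
exclude_uwv_file=\Program Files (x86)\Notepad++
exclude_uwv_reg=\REGISTRY\MACHINE\SOFTWARE\Notepad++
exclude_uwv_reg=\REGISTRY\MACHINE\SOFTWARE
exclude_uwv_file=\Program Files(x86)\
exclude_uwv_fiel=\Temp\Downloads
exclude_uwv_file=\REGISTRY\MACHINE\SOFTWARE\Vendor
'@ -split '\r?\n'

Test-UwvExclusion -Line $sample | Format-Table -AutoSize -Wrap
```

With the sample above, the first two entries report ok and the remaining four report REVIEW: two generic locations, one unrecognized key, and one file key pointing at a registry location.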
Protecting Writable Volumes
App Volumes employs a default protection mechanism to prevent accidental deletion of attached VMDK
volumes.
You can override this default protection by setting the CV_NO_PROTECT environment variable to 1.
Caution With the CV_NO_PROTECT=1 setting, volumes have no protection in place, which might
result in the loss of a user's Writable Volumes.
If you delete a VM, vSphere deletes any writable disks that are attached.
Note Do not use the CV_NO_PROTECT variable when App Volumes is configured to use Writable
Volumes.
Configuring the AVM_PROTECT_VOLUMES Variable
The AVM_PROTECT_VOLUMES environment variable provides increased volume protection and logon
performance by using the updated vSphere functionality. Setting AVM_PROTECT_VOLUMES=1 enables
support for vMotion and increases VMDK attachment performance.
Note Storage vMotion is not supported.
You can use AVM_PROTECT_VOLUMES only with the following versions of vSphere:
- 6.0 Update 1a (or newer)
- 5.5 Update 3b (or newer)
Note If you set AVM_PROTECT_VOLUMES=1 on unsupported versions of ESX/ESXi on all hypervisors
running App Volumes, it results in protection failures.
5 Advanced App Volumes Configuration
The advanced configuration methods are for advanced users and administrators, who want to perform
advanced configuration, configure scripting, and configure other variable settings.
You can configure App Volumes Manager by selecting configuration options such as batch script files,
called at various points during system startup and login. You can also configure registry options for
services, drivers, and other parameters.
This chapter includes the following topics:
- Batch Script Files
- Configure Batch File Timeouts
- Configuring SVdriver and SVservice
- Create a Custom vCenter Server Role
- Create a Custom vCenter Server Role Using PowerCLI
Batch Script Files
App Volumes agent executes batch script files either when an AppStack or a Writable Volume is attached
dynamically or at various points during system startup and login.
The baseline configuration is defined in the AppStack and writable volume template. Not all batch script
files are present by default; only the scripts present on the volume are executed.
Note Script file names are case-sensitive.
Configure Batch File Timeouts
Batch files run serially and a new script does not start until an existing script has completed. You can
configure a timeout to prevent a script from blocking login or logout processes.
Wait times are defined in seconds and can be configured by creating a corresponding registry value of
REG_DWORD type under the following registry key:
HKLM\SYSTEM\CurrentControlSet\services\svservice\Parameters
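As an added example (not part of the VMware guide), the following PowerShell reads the key above and reports each wait value named in the batch script table later in this chapter, flagging values that are not REG_DWORD or whose names match no entry in that table. The function names and the sample data are constructed for illustration.

```powershell
# Added example (not VMware code): report batch-script wait settings of the agent.
# Value names, security contexts and defaults are copied from this guide's table;
# function names and the sample data are constructed.
$SvServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\services\svservice\Parameters'

$WaitValues = @(
    @{ Name = 'WaitPrestartup';     Context = 'System account'; Default = 'do not wait' }
    @{ Name = 'WaitStartup';        Context = 'System account'; Default = 'do not wait' }
    @{ Name = 'WaitStartupPostSvc'; Context = 'System account'; Default = 'do not wait' }
    @{ Name = 'WaitLogon';          Context = 'User account';   Default = 'wait until it finishes' }
    @{ Name = 'WaitLogonPostsvc';   Context = 'User account';   Default = 'do not wait' }
    @{ Name = 'WaitShellstart';     Context = 'User account';   Default = 'do not wait' }
    @{ Name = 'WaitShellstop';      Context = 'User account';   Default = 'do not wait' }
    @{ Name = 'WaitLogoff';         Context = 'User account';   Default = 'do not wait' }
    @{ Name = 'WaitShutdownPresvc'; Context = 'System account'; Default = 'do not wait' }
    @{ Name = 'WaitShutdown';       Context = 'System account'; Default = 'do not wait' }
)

# Read every value under the key as Name -> @{ Data; Kind }; empty if the key is absent.
function Read-SvServiceParameter {
    $found = @{}
    if (Test-Path -LiteralPath $SvServiceKey) {
        $key = Get-Item -LiteralPath $SvServiceKey
        foreach ($name in $key.GetValueNames()) {
            $found[$name] = @{
                Data = $key.GetValue($name)
                Kind = "$($key.GetValueKind($name))"
            }
        }
    }
    $found
}

function Get-WaitReport {
    param([hashtable]$Configured = @{})

    foreach ($w in $WaitValues) {
        $entry = $Configured[$w.Name]
        if (-not $entry) {
            $state = "default ($($w.Default))"
        }
        elseif ($entry.Kind -ne 'DWord') {
            $state = "INVALID type $($entry.Kind), expected REG_DWORD"
        }
        else {
            $state = "$($entry.Data) seconds"
        }
        [pscustomobject]@{ Value = $w.Name; Context = $w.Context; Setting = $state }
    }

    # Wait* values that match no documented name are probably typos.
    $known = $WaitValues | ForEach-Object { $_.Name }
    foreach ($name in $Configured.Keys) {
        if ($name -like 'Wait*' -and $known -notcontains $name) {
            [pscustomobject]@{ Value = $name; Context = '?'; Setting = 'UNKNOWN name, not in the table' }
        }
    }
}

# Constructed sample, used when the key is absent (machine without the agent).
$sample = @{
    WaitLogon   = @{ Data = 60;   Kind = 'DWord'  }
    WaitStartup = @{ Data = '30'; Kind = 'String' }   # wrong type
    WaitLogin   = @{ Data = 60;   Kind = 'DWord'  }   # misspelled name
}
$configured = Read-SvServiceParameter
if ($configured.Count -eq 0) { $configured = $sample }
Get-WaitReport -Configured $configured | Format-Table -AutoSize

# To set a wait time for logon.bat (run elevated; 60 is a constructed value):
# New-ItemProperty -Path $SvServiceKey -Name WaitLogon -PropertyType DWord -Value 60 -Force
```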
Configuring SVdriver and SVservice
The App Volumes agent consists of two major components, SVdriver and SVservice. SVdriver is
responsible for the virtualization of volumes into the OS and SVservice is responsible for communicating
system events, such as computer startup, login, logout, and shutdown, with the App Volumes Manager.
You can configure SVdriver and SVservice with the following registry values.
| Script Name | Triggers | Security Context | Wait Time Registry Parameter |
|---|---|---|---|
| prestartup.bat | Called when a volume is dynamically attached, or during system startup but before virtualization is activated. | System account | WaitPrestartup (default do not wait) |
| startup.bat | Called when a volume is dynamically attached, or when system starts up. | System account | WaitStartup (default do not wait) |
| startup_postsvc.bat | Called after services have been started on the volume (not called if there are no services on volume). | System account | WaitStartupPostSvc (default do not wait) |
| logon.bat | Called when the user logs in and before Windows Explorer starts. | User account | WaitLogon (default wait until it finishes) |
| logon_postsvc.bat | Called after services have been started and not called if no services are running on volume. | User account | WaitLogonPostsvc (default do not wait) |
| shellstart.bat | Called when a volume is dynamically attached or when Windows Explorer starts. | User account | WaitShellstart (default do not wait) |
| shellstop.bat | Called when the user logs out before Windows Explorer is closed. | User account | WaitShellstop (default do not wait) |
| logoff.bat | Called when the user logs out and Windows Explorer is closed. | User account | WaitLogoff (default do not wait) |
| shutdown_presvc.bat | Called when the computer is shutting down before services are stopped. | System account | WaitShutdownPresvc (default do not wait) |
| shutdown.bat | Called when the computer is shutting down after services are stopped. | System account | WaitShutdown (default do not wait) |
| allvolattached.bat | Called after all volumes are processed. For example, if the user has 3 AppStacks, this is called after all 3 have loaded. | System account | WaitAllvolattached (default do not wait) |
| allvolattached_shellstarted.bat | Called after all volumes are processed and the user session is started. | User account | None |
| post_prov.bat | Called at the end of provisioning to perform any one-time steps required at the end of provisioning. Invoked when clicking the provisioning complete pop-up window while the volume is still virtualized. | System account | WaitPostProv (default wait forever) |
| prov_p2.bat | Called at phase 2 of the provisioning process after the machine is rebooted, but before App Volumes Manager has been notified that provisioning is complete. This is the last chance to perform any actions on the provisioned volume with virtualization disabled. | System account | WaitProvP2 (default wait forever) |
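The hook scripts in the table above and the wait-time values from Configure Batch File Timeouts, combined into an audit of one volume, as an added example that is not part of the VMware guide: it reports which documented hook scripts a folder contains, the account each runs under, its SHA-256 hash, and any wait time set under the svservice Parameters key. The function names, the $VolumeRoot parameter (assumed to be the folder that holds the volume's scripts) and the demo folder are assumptions made for the example.

```powershell
# Added example, not VMware code. Names, contexts and wait values come from the table above.
$ScriptTable = [ordered]@{
    'prestartup.bat'                  = 'System', 'WaitPrestartup'
    'startup.bat'                     = 'System', 'WaitStartup'
    'startup_postsvc.bat'             = 'System', 'WaitStartupPostSvc'
    'logon.bat'                       = 'User',   'WaitLogon'
    'logon_postsvc.bat'               = 'User',   'WaitLogonPostsvc'
    'shellstart.bat'                  = 'User',   'WaitShellstart'
    'shellstop.bat'                   = 'User',   'WaitShellstop'
    'logoff.bat'                      = 'User',   'WaitLogoff'
    'shutdown_presvc.bat'             = 'System', 'WaitShutdownPresvc'
    'shutdown.bat'                    = 'System', 'WaitShutdown'
    'allvolattached.bat'              = 'System', 'WaitAllvolattached'
    'allvolattached_shellstarted.bat' = 'User',   $null
    'post_prov.bat'                   = 'System', 'WaitPostProv'
    'prov_p2.bat'                     = 'System', 'WaitProvP2'
}
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\services\svservice\Parameters'

function Get-AppVolBatchScriptReport {
    param([Parameter(Mandatory)][string]$VolumeRoot)   # assumption: folder holding the volume's scripts
    $params = Get-ItemProperty -Path $ParamKey -ErrorAction SilentlyContinue
    foreach ($file in Get-ChildItem -LiteralPath $VolumeRoot -Filter '*.bat' -File) {
        $name = $ScriptTable.Keys | Where-Object { $_ -ieq $file.Name }
        if (-not $name) { continue }                   # not one of the documented hook names
        $context, $waitName = $ScriptTable[$name]
        $configured = if ($params -and $waitName) { $params.$waitName } else { $null }
        [pscustomobject]@{
            File           = $file.Name
            ExactCaseMatch = ($name -ceq $file.Name)   # the guide says names are case-sensitive
            Context        = $context
            WaitValue      = $waitName
            ConfiguredSec  = $configured               # empty: the default from the table applies
            SHA256         = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }
}

function Set-AppVolScriptWait {                        # wait times are REG_DWORD values in seconds
    param([Parameter(Mandatory)][string]$ScriptName, [ValidateRange(0, 2147483647)][int]$Seconds)
    $waitName = if ($ScriptTable.Contains($ScriptName)) { $ScriptTable[$ScriptName][1] }
    if (-not $waitName) { throw "No wait-time value is documented for '$ScriptName'." }
    New-ItemProperty -Path $ParamKey -Name $waitName -PropertyType DWord -Value $Seconds -Force | Out-Null
}

# Constructed demo volume: one correctly named hook and one with the wrong case
$demo = Join-Path $env:TEMP 'appvol-demo-volume'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'@echo off' | Set-Content -Path (Join-Path $demo 'logon.bat')
'@echo off' | Set-Content -Path (Join-Path $demo 'Startup.bat')
Get-AppVolBatchScriptReport -VolumeRoot $demo | Format-Table -AutoSize
# Set-AppVolScriptWait -ScriptName 'logon.bat' -Seconds 30   # run elevated on an agent machine
```

Rows with Context = System deserve the closest review, because those scripts run under the System account whenever the volume is attached.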
Configuring the SVdriver Parameters
You can optionally configure SVdriver by setting values under the
HKLM\SYSTEM\CurrentControlSet\services\svdriver\Parameters registry key.
Configure SVdriver with the following registry values:
| Registry Key | Type | Description |
|---|---|---|
| LogFileSizeInKB | REG_DWORD | Configure the size of the log file before rotating the log file. The default value is 51200 (50 MB). |
| ReorderTimeOutInSeconds | REG_DWORD | Configure the wait time for all volumes to be attached and processed based on Order Precedence set from within App Volumes Manager. The timeout is defined in seconds. |
| MinimizeReplication | REG_DWORD | Configure how changes are preserved in a writable volume. If this value is 1, only changes to data are preserved in a writable volume. If this value is 0, changes to data and file attributes (hidden, Read Only, and so on) permissions are preserved in writable volume. |
| EnableShortFileName | REG_DWORD | For legacy AppStacks created earlier than App Volumes 2.3, set this parameter to 0 to disable DOS short names. |
| EnableRegValueMerging | REG_DWORD | If this value is 1, merge certain registry values such as AppInitDlls across volumes. This action is additive across the volumes. |
| DriveLetterSettings | REG_DWORD | The value for DriveLetterSettings is in a hexadecimal format, and any number of flags might be combined to implement multiple parameters. |
Configuring Drive Letter Settings
You can configure the App Volumes agent to interact with mapped volumes by using a system path to the
volume, instead of mapping it to a drive letter.
Most modern applications are compatible with this behavior, but some applications might require a drive
letter to access program or application files. To support such situations while maintaining the familiar user
interface, App Volumes can hide the drive from Windows Explorer after it is mapped.
Configure this behaviour with the DriveLetterSettings registry value. The value for DriveLetterSettings is
in a hexadecimal format, and any number of flags might be combined to implement multiple parameters.
For example, if you want to use the 0x00000001 and 0x00000008 flags, the result is 0x00000009. Enter
this as 9 because you only work with the significant digits.
| Value | Description |
|---|---|
| 0x00000001 | DRIVELETTER_REMOVE_WRITABLE. Do not assign drive letter for writable volumes. |
| 0x00000002 | DRIVELETTER_REMOVE_READONLY. Do not assign drive letter for AppStack volumes. |
| 0x00000004 | DRIVELETTER_HIDE_WRITABLE. Hide drive letter for writable volumes. |
| 0x00000008 | DRIVELETTER_HIDE_READONLY. Hide drive letter for AppStack volumes. |
The default registry value is 3. This means that for writable volumes, the drive letter is hidden, and for
AppStack volumes, the drive letter is not assigned.
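A decoder for DriveLetterSettings values, as an added example that is not part of the VMware guide: it splits a value into the four flags from the table and reports the resulting drive-letter state for writable volumes and AppStack volumes. The enum and function names are assumptions made for the example, as is the rule that a "remove" flag takes precedence over a "hide" flag for the same volume type.

```powershell
# Added example, not VMware code. Flag names and values are from the table above.
[Flags()] enum DriveLetterFlags {
    DRIVELETTER_REMOVE_WRITABLE = 0x1
    DRIVELETTER_REMOVE_READONLY = 0x2
    DRIVELETTER_HIDE_WRITABLE   = 0x4
    DRIVELETTER_HIDE_READONLY   = 0x8
}

function ConvertFrom-DriveLetterSettings {
    param([Parameter(Mandatory)][uint32]$Value)

    # Assumption: a volume without a drive letter has nothing to hide,
    # so the "remove" bit is evaluated before the "hide" bit.
    $describe = {
        param([uint32]$RemoveBit, [uint32]$HideBit)
        if     ($Value -band $RemoveBit) { 'no drive letter assigned' }
        elseif ($Value -band $HideBit)   { 'drive letter hidden' }
        else                             { 'drive letter assigned and visible' }
    }

    $knownBits   = $Value % 16            # the four documented flags occupy the low nibble
    $unknownBits = $Value - $knownBits    # anything else is not described in the table

    [pscustomobject]@{
        Value       = $Value
        Hex         = '0x{0:X8}' -f $Value
        Flags       = ([DriveLetterFlags][int]$knownBits).ToString()
        Writable    = & $describe 0x1 0x4
        AppStack    = & $describe 0x2 0x8
        UnknownBits = '0x{0:X}' -f $unknownBits
    }
}

# 3 = documented default, 9 = the worked example in the text, 6 = constructed value
3, 9, 6 | ForEach-Object { ConvertFrom-DriveLetterSettings -Value $_ } | Format-List

# Value currently set on an agent machine (empty if it was never configured):
# (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\services\svdriver\Parameters').DriveLetterSettings
```

Decoded against the table, 3 is DRIVELETTER_REMOVE_WRITABLE combined with DRIVELETTER_REMOVE_READONLY, whereas "hidden for writable volumes, not assigned for AppStack volumes" corresponds to 6 (0x2 combined with 0x4), so confirm the behaviour against the value actually present on the agent.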
Configuring the SVservice Parameters
You can optionally configure SVservice by setting the following values under the
HKLM\SYSTEM\CurrentControlSet\services\svservice\Parameters registry key.
| Parameter | Type | Description |
|---|---|---|
| LogFileSizeInKB | REG_DWORD | The size of the log file before rotating the log file. The default is 51200 (50MB). |
| MaxDelayTimeOutS | REG_DWORD | The maximum wait for a response from the App Volumes Manager, in seconds. If set to 0, the wait for response is forever. The default is 2 minutes. |
| ResolveTimeOutMs | REG_DWORD | Defined in milliseconds for name resolution. If resolution takes longer than the timeout value, the action is canceled. The default is 0, which waits for completion. |
| ConnectTimeOutMs | REG_DWORD | Defined in milliseconds for server connection requests. If a connection request takes longer than this timeout value, the request is canceled. The default is 10 seconds. |
| SendTimeOutMs | REG_DWORD | Defined in milliseconds for sending requests. If sending a request takes longer than this timeout value, the request is canceled. The default is 30 seconds. |
| ReceiveTimeOutMs | REG_DWORD | Defined in milliseconds to receive a response to a request. If a response takes longer than this timeout value, the request is canceled. The default is 5 minutes. |
| ProvisioningCompleteTimeOut | REG_DWORD | Defined in seconds to keep trying to contact the App Volumes Manager after provisioning is completed. The default is 120. |
| DomainNameWaitTimeOut | REG_DWORD | Defined in seconds how long to wait for the computer during startup to resolve Active Directory domain name. On machines that are not joined to any domain, you can set the value to 1 for faster login. The default is 60. |
| WaitInstallFonts | REG_DWORD | Defines how long to wait in seconds for fonts to be installed. The default is to not wait for completion. |
| WaitUninstallFonts | REG_DWORD | Defines how long to wait in seconds for fonts to be removed. The default is to not wait for completion. |
| WaitForFirstVolumeOnly | REG_DWORD | Defined in seconds, only hold logon for the first volume. After the first volume is complete, the remaining are handled in the background, and the logon process is allowed to proceed. To wait for all volumes to load before releasing the logon process, set this value to 0. The default is 1. |
Configuring the Volume Behavior Parameters
You can configure the volume behavior parameters for SVservice with the VolWaitTimeout,
VolDelayLoadTime, and CleanSystemWritable registry keys.
| Parameter | Type | Description |
|---|---|---|
| VolWaitTimeout | REG_DWORD | Defined in seconds. The time required for a volume to be processed before ignoring the volume and proceeding with the login process. The default value is 180. |
| VolDelayLoadTime | REG_DWORD | Defined in seconds. The time required after logon process to delay volume attachments. This value is ignored if a writable volume is used. You must attach writable volumes before attaching any AppStacks. If the value is greater than VolWaitTimeout, it will be reduced to the value of VolWaitTimeout. This might speed up the login time by delaying the virtualizing of applications until after logon is complete. The default value is 0 (do not delay load time). |
| CleanSystemWritable | REG_DWORD | If set to 1 and no writable volumes are attached, SVservice clears any changes saved to the system during operation after a reboot. If set to 0, changes are stored in c:\SVROOT on system volume. The default value is 0. |
Configuring the General Behavior Parameters
You can configure the services, drivers, and general behavior parameters values for SVservice with the
following registry keys.
| Value | Type | Description |
|---|---|---|
| RebootAfterDetach | REG_DWORD | If set to 1, the system automatically reboots after a user logs off. The default is 0. |
| DisableAutoStartServices | REG_DWORD | If set to 1, services on volumes do not automatically start after attachment. The default is 0. |
| HidePopups | REG_DWORD | If set to 1, svservice.exe does not generate pop-up messages. The default is 0. |
| DisableRunKeys | REG_DWORD | If set to 1, applications in the Run key are not called. The default is 0. |
Create a Custom vCenter Server Role
As a vCenter Server administrator, you can create a custom vCenter Server role and assign privileges to
it.
A service account is used by the App Volumes Manager to communicate with vCenter Server. The default
administrator role can be used for this service account, but you can create a vCenter Server role with
certain privileges, specifically for the App Volumes service account.
You can also use PowerCLI to create a custom role. See Create a Custom vCenter Server Role Using
PowerCLI.
Procedure
1. Manually create a new vCenter Server role.
2. Assign privileges to the role.

| Object | Permission |
|---|---|
| Datastore | Allocate space; Browse datastore; Low-level file operations; Remove file; Update virtual machine files |
| Folder | Create folder; Delete folder |
| Global | Cancel task |
| Host | Create virtual machine; Delete virtual machine; Reconfigure virtual machine |
| Resource | Assign virtual machine to resource pool |
| Sessions | View and stop sessions |
| Tasks | Create task |
| Virtual machine > Configuration | Add existing disk; Add new disk; Add or remove device; Change resource; Remove disk; Settings |
| Virtual machine > Interaction | Power Off; Power On; Suspend |
| Virtual machine > Inventory | Create from existing; Create new; Move; Register; Remove; Unregister |
| Virtual machine > Provisioning | Clone template; Clone virtual machine; Create template from virtual machine; Customize; Deploy template; Mark as template; Mark as virtual machine; Modify customization specifications; Promote disks; Read customization specifications |
Create a Custom vCenter Server Role Using PowerCLI
You can create custom vCenter Server roles by using PowerCLI.
Procedure
1. Create a text file called CV_role_ids.txt and add the following content:
System.Anonymous
System.View
System.Read
Global.CancelTask
Folder.Create
Folder.Delete
Datastore.Browse
Datastore.DeleteFile
Datastore.FileManagement
Datastore.AllocateSpace
Datastore.UpdateVirtualMachineFiles
Host.Local.CreateVM
Host.Local.ReconfigVM
Host.Local.DeleteVM
VirtualMachine.Inventory.Create
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Register
VirtualMachine.Inventory.Delete
VirtualMachine.Inventory.Unregister
VirtualMachine.Inventory.Move
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.Suspend
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.RemoveDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.Settings
VirtualMachine.Config.Resource
VirtualMachine.Provisioning.Customize
VirtualMachine.Provisioning.Clone
VirtualMachine.Provisioning.PromoteDisks
VirtualMachine.Provisioning.CreateTemplateFromVM
VirtualMachine.Provisioning.DeployTemplate
VirtualMachine.Provisioning.CloneTemplate
VirtualMachine.Provisioning.MarkAsTemplate
VirtualMachine.Provisioning.MarkAsVM
VirtualMachine.Provisioning.ReadCustSpecs
VirtualMachine.Provisioning.ModifyCustSpecs
Resource.AssignVMToPool
Task.Create
Sessions.TerminateSession
2. Modify the vCenter Server location in the following PowerShell script and run it. The
CV_role_ids.txt file must be in the same folder as the PowerShell script.

    # Name of the role to create and the file that lists its privilege IDs
    $cvRole = "App Volumes Role"
    $cvRolePermFile = "CV_role_ids.txt"
    # Replace with the FQDN of your vCenter Server
    $viServer = "your-vcenter-server-FQDN"
    Connect-VIServer -Server $viServer
    # Read the privilege IDs, one per line
    $cvRoleIds = @()
    Get-Content $cvRolePermFile | Foreach-Object {
        $cvRoleIds += $_
    }
    # Create the role, then add the privileges to it
    New-VIRole -Name $cvRole -Privilege (Get-VIPrivilege -Server $viServer -Id $cvRoleIds) -Server $viServer
    Set-VIRole -Role $cvRole -AddPrivilege (Get-VIPrivilege -Server $viServer -Id $cvRoleIds) -Server $viServer
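A drift check for the custom role, as an added example that is not part of the VMware guide: it compares the privilege IDs a role actually holds with the IDs listed in CV_role_ids.txt and reports what is missing and what has been added beyond the list. The function name, the sample lists and the extra privilege in the sample are constructed for the example; the commented lines assume PowerCLI and an existing Connect-VIServer session.

```powershell
# Added example, not VMware code.
function Compare-RolePrivilege {
    param(
        [Parameter(Mandatory)][string[]]$Expected,                        # lines of CV_role_ids.txt
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Actual   # IDs held by the role
    )
    # Normalise both lists: trim, drop blank lines, de-duplicate
    $clean = { param($list) @($list | ForEach-Object { "$_".Trim() } | Where-Object { $_ } | Sort-Object -Unique) }
    $exp = & $clean $Expected
    $act = & $clean $Actual

    $missing = @($exp | Where-Object { $act -notcontains $_ })
    $extra   = @($act | Where-Object { $exp -notcontains $_ })

    [pscustomobject]@{
        InSync  = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Missing = $missing    # listed in the file but not granted: App Volumes operations may fail
        Extra   = $extra      # granted but not listed: more privilege than the documented role
    }
}

# Constructed sample: a subset of the documented list, and a role that has drifted from it
$expected = 'System.Anonymous', 'System.View', 'System.Read', 'Datastore.Browse',
            'Datastore.DeleteFile', 'VirtualMachine.Config.AddExistingDisk',
            'Sessions.TerminateSession'
$actual   = 'System.Anonymous', 'System.View', 'System.Read', 'Datastore.Browse',
            'VirtualMachine.Config.AddExistingDisk', 'Sessions.TerminateSession',
            'VirtualMachine.Interact.ConsoleInteract'    # constructed extra, not in the list

Compare-RolePrivilege -Expected $expected -Actual $actual | Format-List

# Against a live vCenter Server:
#   $expected = Get-Content .\CV_role_ids.txt
#   $actual   = (Get-VIRole -Name 'App Volumes Role').PrivilegeList
#   Compare-RolePrivilege -Expected $expected -Actual $actual
# Where the role is granted, and to whom:
#   Get-VIPermission | Where-Object { $_.Role -eq 'App Volumes Role' }
```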
6 Viewing Activity Logs and Troubleshooting Information
You can view system activity, server logs, and error messages, and download troubleshooting log files
from the ACTIVITY tab in App Volumes Manager.
The Activity Log contains information about user logins, computer power-ups, and volume attachments.
System messages include messages and errors generated from internal events such as polling for
domain controllers, Active Directory access, and so on.
This chapter includes the following topics:
• Create a Troubleshooting Archive
• Remove a Troubleshooting Archive
Create a Troubleshooting Archive
The App Volumes Manager archives logs and configuration files and you can view and download these
files for troubleshooting purposes.
Procedure
1. From App Volumes Manager, go to ACTIVITY > Troubleshooting and click Create.
2. On the Create Troubleshooting Archive window, select the configuration data and log files you want
to archive.
3. Click Create.
The archived file is created. By default, the files are saved in C:/Program Files
(x86)/CloudVolumes/Manager/public/troubleshooting on the current server.
What to do next
To download an archived file, select the file. A zipped file is downloaded.
Note If you are running App Volumes Manager behind a load balancer, you will not be able to download
the archived file. Log in directly to the App Volumes Manager to access the archived file.
Remove a Troubleshooting Archive
You can delete a troubleshooting archive. You might want to delete the archive to clear up disk space on
the server.
Note Removing an archive removes the file from its physical location along with the record of the file.
But if App Volumes Manager is behind a load balancer, the archive may continue to exist on the physical
server.
Prerequisites
Ensure you have permissions to modify files in the location where the archives are saved. By default, the
files are saved in C:/Program Files (x86)/CloudVolumes/Manager/public/troubleshooting.
Procedure
1. From App Volumes Manager, go to ACTIVITY > Troubleshooting tab.
2. Click the '+' sign next to the archive you want to delete and click Remove.
By default, the archives belonging to the manager on the current server are displayed. To view the list
of archives from all managers, select the All Servers option from the drop-down list.
3. Confirm that you want to remove the file on the Confirm Remove window and click Remove.