Virtual User Environment Manager
- Published: Thursday, 25 August 2011
Pierre Marnignon well-known from his website CitrixTools.Net and the corresponding freeware utilities now created a product called Virtual User Environment Manager. The Virtual User Environment Manager (VUEM) is available in a free community edition and a commercial edition for support, quicker updated and possible new specific features. VUEM is a product that is positioned in the user management/workspace market. This caused even some challenges before the product was available, but this lead to a lot of publicity. Let's take a look at the product and because this is the Glance at Free section I will use the community edition.
The product is divided in several components. The basis is a (SQL) database which is created and configured via the Management Console. The third component is available in two flavors a VUEM Agent and a VUEM Service Agent. The VUEM agent is the required component. This can be run in a silent (cmd) mode or with a user interface (providing the user the possibility to manage his printers and stays active after launching). This cmd agent provides the basic configuration options and you need to arrange the startup and also the agent closes after the configuration is finished. The agent service is optional and provides the automatic start-up of the standard agent, the possibility of offline usage, relaunch at reconnection and the more advanced features discussed later in this article.
The installation of the Administrator console is a simple and quick Next, Next installation, but requires .Net Framework 4. When you start the console the first time you need to enter the community license console and following the wizard for creating the database. During the wizard the logical parameters like the SQL server, database name and credentials for connecting to the server should be provided, but also a read-only and read/write groups should be specified. The users in the group read-only are typically normal users, for which VUEM is building the environment. The read/write group is for managing the environment via the console. When the database is created it's not automatically opened, you should first use the connect option to set-up a connection (this should be done every time you start the console).
The Agent installation is also straight forwarded MSI installation, where only the agent service requires SQL Server compact edition 3.5 SP2 as a prerequisite. Both agents can be installed unattended (also the management console can be installed in this way) using MSIEXEC command, no parameters are required for the client. Configuration is done via a custom delivered ADM template where you need to specify the database server, database name and the site name (more about this later on).
Configuration is all done out of the management console as exists of several parts.
The first step is to configure if needed more sites. Standard one site is configured, but more sites can be made. This can be useful if you would like to separate configurations from an hierarchal or administrative level.
Configuring the user environment is done via three parts. In the first part called Actions the configuration will be setup with the settings that should apply to a group of users. Configuration can be made on the following components:
- Applications: shortcuts to applications including the configuration of the place in the start menu.
- Printers: Mapping of network printers
- Drivers: Mapping of network shares or substitute folders to a drive letter.
- Registry Entries: Creating and/or setting registry setting on user level (CURRENT_USER).
- Environment Variables: Setting environment variables on user level.
- Ports: Assigning LPT or COM ports to user (groups).
- INI-values: Writing INI files settings and/or create an INI file.
- External Task: Possibility to start scripts or executable to perform tasks that are not available as another component.
- Folders and Files: Perform file and folder operations on user level.
- User DSN: Setting ODBC connection on a user level.
- File Associates: Configuring file type associations.
The second step is to add the groups and/or users in the Configured Users part. Here you add all the groups or users out of Active Directory into the product, which you would assign configurations to. The third part is called Filters and provided the product with the possibility to perform dynamic configurations based on conditions. Within this Filter component first conditions should be setup. A condition is a filter for a specific part of a user or machine. Filter conditions examples are IP-addresses, computer/client names, registry values, environment variables, user settings and XenApp/XenDesktop properties.
Those conditions should be used in the rules which are also available within the Filter part. A rule can exist on one or more conditions, where the conditions are combined (X AND Y situation). There is possibility to use more conditions with an OR situation in a rule.
Above mentioned three part (Actions, Configured Users and Filter) all come together in Actions Assignment. In this action assignment you select a user or group (there is a filter option to reduce the groups/users shown). When you double click the group or user you can assign configurations to that group.
In the left below pane all configurations are available configured at the Actions part. The desired configuration can be selected and transferred to right below pane. When you assign a configuration by moving it the right pane, the created rules are available to make the configuration dynamically. If no rules apply (so only a user group assignment is necessary), the default rule always true is available and should be selected. For applications shortcuts several options can be configured for placing the shortcut on several places and/or auto launch the application.
With the Actions assignment the main part of VUEM is shown. However you should not forget that by default nothing is processed. VUEM offers the possibility to introduce actions by component in your infrastructure. On the main configuration tab within the VUEM Configuration part you enable the actions that should be performed. Within the VUEM configuration lots of options are avaible for example cleaning the session at startup (removing printers, shortcuts and so on), the default startup options for the client (called agent) and the UI agent options (configure your own logo for example).
The last configuration options available are collected within the System Utilities. Here you configure Fast Logoff (the Terminal Server/Citrix session is disconnected during logoff so the session closes quick from an user perspective), CPU Management (lowering priority of a process when the process uses more CPU than configured, Memory Management (DLL sharing) and Processes Management (blacklisting processed that are not allowed by the user to start). For applying this setting you need to have the agent service to be installed on the client.
VUEM in action
Now we configured VUEM we are ready to let a user work on a VUEM controlled workstation / Terminal Server/ Citrix Server. Because VUEM does not handle policy files you should (still) use User Policies and a default configured profile to set-up the basic user environment (VUEM can remove current shortcuts out of the user profile). You should also consider carefully the black list for example I blocked cmd.exe but (logically) that is also used for running the agent during logon. When a user tried to start a blocked executable a message is displayed to the users, however you can see application popping up quickly before it's being blocked. You only need to define the executable name executable, so it's not path dependent. However if the user can rename the application executable, it can be started. Also you should not forget that the black list applies to all users, only an exception can be made to (the users in) the local administrators group.
The application shortcuts are working fine, also the pin to taskbar and start menu on a Windows 2008R2 are working like a charm. Also the other settings configured are applied as expected. If you set settings to run only once you should find a way to store the settings of the user, for example a profile solution (or roaming profiles, did I really write this down?).
Virtual User Environment Manager should be positioned between the Microsoft GPO Preferences option and a commercial Workspace Management product. In comparison with GPO Preferences offers some additional functionality like the process-, CPU and Memory management and a (much) more flexible way of assigning application shortcuts and settings arranged by the rules and conditions. This component is a real added value, which is only available in commercial Workspace Management products (as far as I know). You should get familiar with the way settings are applied although this way is seen in other (commercial) products; I personally like the other methods a bit better. In comparison with commercial products you will miss features like a hybrid profile solutions, policy to apply Microsoft user policies out of the product, delegation of control and more flexible configuration for the CPU, process and memory features.
VUEM is a perfect product to replace the difficult login scripts and a nice start to become familiar with the Workspace Management environment.