Sunday, 24 March 2013

Using AppSense Application Manager to enforce Device Based License Control

Before I start, I know Microsoft VDA licensing makes this a very complex topic so I'm not going to go into that right now and will instead focus on traditional implementation of AppSense Application Manager for Device Based License control.

To start with I will summarise my understanding is that certain Microsoft (and other vendors) enforce per-device licensing restrictions. This means that when my company purchases a copy of an application for use on my computer it is licensed to that computer and that computer only. Take for instance my company purchases Microsoft Office for my computer I cannot simply walk over to Jenny's computer in the corner and use Microsoft Office because that device is not licensed for Microsoft Office.

Now historically speaking desktops were fairly straightforward, if a user required an application they would call their service desk, log a support call, procurement would follow and IT would then deploy the software to the end point. Then came Remote Desktop Services and XenApp which really confused the matter. Administrators had to install applications into this environment for their users to work productively but they then had to license any device which could access the environment. In most instances this would require a license for every device within the corporate network. Perhaps only 10% of your workforce need a specific application. It unreasonable to think a company would purchase 1,000 licenses when only 100 people needed the application. So IT organisations started purchasing physical desktops for these people as the cost of 100 desktops could often be roughly the same as 900 un-needed licenses.

Enter AppSense Application Manager...

Using AppSense Application Manager I start by creating my rules to deny access to the application. You have two options for doing this:

Create a device rule called Denied: <Application Name> and specify * as a computer type and *.*.*.* as the connecting device, as I've done below.

Now add all executables for the product you're looking to restrict into the prohibited items list, as I've done below:

Alternatively you could simply add the executables to the Everyone groups Prohibited items list as seen below:

Thats it, you've effectively blocked the above applications for all computers and connecting devices which would prevent users logging on to a XenApp server and launching an application listed above or strolling over to Jenny's computer and launching the application.

Now we need to create the rules to allow access to the application. Its important to remember that these are Device specific so using a group or user rules is not going to satisfy the licensing requirements.

Start by creating a device rule called Allowed: <Application Name> and add only the computer or connecting devices authorised for the application to the list.

In the example below APWAMA17 is authorised as a connecting device to launch Microsoft Office.

Now that I have my rule simply add the executables prohibited above to the Accessible Items list:

Deploy the configuration to the respective endpoint and you should be good to start testing.


One important thing to note is that you may be required to report on this. This can be done easily through the AppSense Management Center by temporarily enabling Application Manager Event 9001 within your deployment group(s)

Once this is done and has been enabled for a period of time (e.g. 72 hours) launch the AppSense Management Console and logon to a Management Server.

Click on the Reports node within the navigation pane.

Select Application Activity - Detailed

Within the criteria boxes enter the following details:

  • Reporting period start and end time
  • Under application name type *\<Application Name.exe> (e.g. *\winword.exe)
  • Under EventID type 9001

Now click Generate report. This will create a report of all devices managed by the AppSense Management Center that have application manager installed and have had the applications specified launched. 

The output is the report seen below which will show the client and user who launched the application. 

Note: It is possible to switch on anonymous user or client names which may be required in certain geographic regions due to government regulations. 

Once your report has been created remember to disable 9001 auditing as this will cause a significant amount of traffic from your endpoint(s) to your management server.