Using a desktop and remote application group to granularly control access to MSIX app attach

Microsoft

Overview

 

As of the writing of this article, Windows Virtual Desktop (WVD) supports one desktop application group (DAG) per host pool. This means that all users granted access to the DAG with MSIX app attach will see all applications. For example, if both Sales and HR users need a remote desktop but we must not allow Sales users to access HR applications we need to create a separate host pool.

This document provides an overview of how DAG and remote application groups (RAG) can be used together to isolate applications in remote desktop scenarios.

 

Note: This process has the side effect of displaying the remote apps in the user feed.

 

fig.png

Figure 1: MSIX app attaches and application isolation.

 

Sample scenario

To better understand MSIX app attach and WVD capabilities we will follow the scenario below.

All our users (Sales, HR, and Eng) must-have a remote desktop. They all need access to Teams and Edge. Sales need additional access to Whiteboard and To Do. HR needs access to Power Bi. Eng needs access to Visual Studio Code (VSC). We cannot allow users to have access to apps besides those to which they do not have permission.

 

 

Common Apps

Sales Apps

HR Apps

Eng Apps

Sales (Pieter)

Teams

Microsoft Edge

Whiteboard

ToDo

 

 

HR (Adam)

Teams

Edge

 

Power Bi

 

Eng (Stefan)

Teams

Edge

 

 

VSC

Setting up MSIX app attach

Requirements

To complete this scenario, we must have:

  • WVD deployment with MSIX app attach
  • MSIX share with correct permissions
  • Application dependencies are included in the master image
  • MSIX image for each app uploaded to the MSIX share
  • MSIX packages have been added to the host pool and are set to active

q.png

The wrong way

To complete the MSIX app attach we must add the MSIX applications to a DAG or RAG. In our scenario, we must use a DAG and not RAG. If we assign all the apps in the DAG that will break the app isolation requirement. We cannot use a RAG as that will not grant remote desktop access.

 

All MSIX applications are assigned to a DAG.

 

stge.png

 

Users for the different departments assigned to the DAG.

 

2.png

 

To verify this, we can log in as Pieter. Pieter has all the apps showing in his Start Menu (they were intentionally pinned).

 

verify.png

 

We can see that this was not what our scenario prescribes as an outcome.

The “right” way

We do not need to change our MSIX images and them being assigned to the host pool. We need to change our DAG and create three new RAGs (Remote Application Group).

 

Note: this scenario can be implemented only if the users are fully logged off (session disconnected) from all session hosts.

 

We need to leave only the common apps Teams and Edge in the DAG.

 

r1.png

 

We then create three RAGs name SalesApps, HRApps and EngApps.

 

r2.png

 

For each RAG we will add the corresponding MSIX applications and assign the corresponding users.

 

Note: All users must remain assigned to the DAG.

 

e.pngee.png

 

Note: The Showinwebfeed option will allow for the two application icons to be suppressed however this is not enabled in WVD currently.

 

SalesApps RAG has been configured as per our scenario.

When Sales user (Pieter) signs in the feed will show, the DAG and the apps assigned to the RAG.

 

sal.pngsales.png

Sales user experience

When Sales user (Pieter) signs in the feed will look like this.

 

123.png

 

In remote desktop:

  • Same host pool
  • Edge, Teams, Whiteboard, and Todo are available
  • VSCode is not available

z.png

Eng user experience

Note: If users have not been logged off during the reassignment of application to app groups please make sure to fully log off (session disconnected) users from all session hosts.

When Eng user (Stefan) signs in their feed shows.

eng.png

On remote desktop they can see:

  • Same host pool
  • Edge, Teams, and VS (Visual Studio) code are available.
  • Whiteboard is not available
  • All three apps are running

333.png

View from session host as admin

When we access the session host virtual machine directly, we can see:

  • when Sales user (Pieter) and Eng user (Stefan) sign they intentionally end up on the same machine.
  • Hostname
  • All mounted Virtual Hard Disks (VHDs) part in Disk Management
  • See staged packages on the machine using Get-AppxPacakge *<packageName>* -AllUsers

 

Note: the switch -AllUsers indicates that the package is staged for all users on the machine, but only those users that have it registered can use/see it.

 

123.png

 

 

 



2 Replies
Great article!

Has Showinwebfeed been enabled anywhere?
Also do we expect the Remote Apps to launch correctly without being in the DAG outside of the desktop?