Jan 27 2021 12:36 PM - edited Jan 27 2021 12:42 PM
As of the writing of this article, Windows Virtual Desktop (WVD) supports one desktop application group (DAG) per host pool. This means that all users granted access to the DAG with MSIX app attach will see all of its applications. For example, if both Sales and HR users need a remote desktop but Sales users must not be able to access HR applications, we would need to create a separate host pool.
This document provides an overview of how DAG and remote application groups (RAG) can be used together to isolate applications in remote desktop scenarios.
Note: This process has the side effect of displaying the remote apps in the user feed.
Figure 1: MSIX app attach and application isolation.
To better understand MSIX app attach and WVD capabilities we will follow the scenario below.
All our users (Sales, HR, and Eng) must have a remote desktop. They all need access to Teams and Edge. Sales additionally needs access to Whiteboard and To Do. HR needs access to Power BI. Eng needs access to Visual Studio Code (VSC). Users must not have access to any app for which they do not have permission.
| | Common Apps | Sales Apps | HR Apps | Eng Apps |
|---|---|---|---|---|
| Sales (Pieter) | Teams, Microsoft Edge | Whiteboard, To Do | | |
| HR (Adam) | Teams, Edge | | Power BI | |
| Eng (Stefan) | Teams, Edge | | | VSC |
To complete this scenario, we must have:
To complete the MSIX app attach we must add the MSIX applications to a DAG or RAG. In our scenario, we must use a DAG and not a RAG: a RAG alone does not grant remote desktop access. But if we assign all the apps to the DAG, that breaks the app isolation requirement. The initial configuration looks like this:
All MSIX applications are assigned to the DAG.
Users from the different departments are assigned to the DAG.
To verify this, we can log in as Pieter. Pieter has all the apps showing in his Start Menu (they were intentionally pinned).
This is not the outcome our scenario prescribes.
We do not need to change our MSIX images or their assignment to the host pool. We need to change our DAG and create three new RAGs (Remote Application Groups).
Note: this scenario can be implemented only if the users are fully logged off (session disconnected) from all session hosts.
We need to leave only the common apps Teams and Edge in the DAG.
We then create three RAGs named SalesApps, HRApps and EngApps.
For each RAG we will add the corresponding MSIX applications and assign the corresponding users.
Note: All users must remain assigned to the DAG.
Note: The Showinwebfeed option would allow the two application icons to be suppressed from the feed; however, this option is not enabled in WVD currently.
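The reshaping described in the steps above, scripted against the Az.DesktopVirtualization module. This is an added example and not the author's own script: resource group, host pool, workspace, user UPNs and the package family name prefixes are constructed placeholders, and the cmdlet parameter names (`-MsixPackageFamilyName`, `-MsixPackageApplicationId`, `-ApplicationType`, `-HostPoolArmPath`) are assumed from the module's documented MSIX app attach usage and should be checked against the installed module version. The MSIX images and their host pool assignment are left untouched; only the application groups change.

```powershell
# Added example, not from the original post. Moves department apps out of the
# DAG into per-department RAGs and assigns users, leaving MSIX images as-is.
# All names below are placeholders.
Import-Module Az.DesktopVirtualization

$rg        = 'rg-wvd-demo'          # placeholder resource group
$hostPool  = 'hp-demo'              # placeholder host pool
$workspace = 'ws-demo'              # placeholder workspace the DAG is already registered to
$dag       = 'hp-demo-DAG'          # existing desktop application group
$location  = 'eastus'

# MSIX packages already added to the host pool (these do not change).
$packages = Get-AzWvdMsixPackage -ResourceGroupName $rg -HostPoolName $hostPool

# Which package families belong where. Prefixes are constructed placeholders;
# match them against the PackageFamilyName values your host pool reports.
$plan = @{
  Common = @('MicrosoftTeams', 'MicrosoftEdge')
  Sales  = @('MicrosoftWhiteboard', 'MicrosoftToDo')
  HR     = @('PowerBI')
  Eng    = @('VSCode')
}
$users = @{
  Sales = 'pieter@contoso.com'   # placeholder UPNs
  HR    = 'adam@contoso.com'
  Eng   = 'stefan@contoso.com'
}

function Test-FamilyInPlan {
  param([string]$FamilyName, [string[]]$Prefixes)
  foreach ($p in $Prefixes) { if ($FamilyName -like "$p*") { return $true } }
  return $false
}

function Add-MsixAppsToGroup {
  param([string]$GroupName, [string[]]$Prefixes)
  foreach ($pkg in $packages) {
    if (-not (Test-FamilyInPlan $pkg.PackageFamilyName $Prefixes)) { continue }
    # One WVD application per application entry in the MSIX package.
    foreach ($app in $pkg.PackageApplication) {
      New-AzWvdApplication -ResourceGroupName $rg -GroupName $GroupName `
        -Name ("{0}-{1}" -f $GroupName, $app.AppId) `
        -ApplicationType MsixApplication `
        -MsixPackageFamilyName $pkg.PackageFamilyName `
        -MsixPackageApplicationId $app.AppId `
        -CommandLineSetting DoNotAllow | Out-Null
    }
  }
}

# 1. Leave only the common apps (Teams, Edge) in the DAG.
Get-AzWvdApplication -ResourceGroupName $rg -GroupName $dag |
  Where-Object { $_.ApplicationType -eq 'MsixApplication' } |
  ForEach-Object {
    $app = $_
    if (-not (Test-FamilyInPlan $app.MsixPackageFamilyName $plan.Common)) {
      Remove-AzWvdApplication -ResourceGroupName $rg -GroupName $dag -Name $app.Name
    }
  }

# 2. Create one RAG per department in the same host pool, fill it, publish it.
$hostPoolPath = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool).Id
foreach ($dept in 'Sales', 'HR', 'Eng') {
  $ragName = "${dept}Apps"
  New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $ragName -Location $location `
    -HostPoolArmPath $hostPoolPath -ApplicationGroupType RemoteApp | Out-Null
  Add-MsixAppsToGroup -GroupName $ragName -Prefixes $plan[$dept]
  $ragPath = (Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $ragName).Id
  Register-AzWvdApplicationGroup -ResourceGroupName $rg -WorkspaceName $workspace `
    -ApplicationGroupPath $ragPath | Out-Null

  # 3. Assign the department user to its RAG. The user keeps the DAG assignment;
  #    nothing here touches the DAG role assignments.
  New-AzRoleAssignment -SignInName $users[$dept] `
    -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $ragName -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null
}
```

Run this only after all users are fully logged off from every session host, as the note above requires; the role assignments and app group changes take effect on the next sign-in, and a still-connected session would keep the old registrations.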
SalesApps RAG has been configured as per our scenario.
When Sales user (Pieter) signs in, the feed will show the DAG and the apps assigned to the RAG.
When Sales user (Pieter) signs in, the feed will look like this.
In remote desktop:
Note: If users have not been logged off during the reassignment of application to app groups please make sure to fully log off (session disconnected) users from all session hosts.
When Eng user (Stefan) signs in, their feed shows:
On remote desktop they can see:
When we access the session host virtual machine directly, we can see:
Note: the switch -AllUsers indicates that the package is staged for all users on the machine, but only those users that have it registered can use/see it.
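A check for that staged-versus-registered distinction, run directly on the session host. This is an added example rather than the author's command: the package name filter is a constructed placeholder, and the `PackageUserInformation`, `UserSecurityId` and `InstallState` property names are assumed from the shape of `Get-AppxPackage -AllUsers` output.

```powershell
# Added example, not from the original post. Lists MSIX packages staged on this
# session host and which user accounts have each one registered. The filter is
# a placeholder; adjust it to the package you are checking.
$filter = '*Whiteboard*'

function Resolve-SidToAccount {
  param([string]$Sid)
  try {
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    return $id.Translate([System.Security.Principal.NTAccount]).Value
  } catch {
    return $Sid   # profile SID with no resolvable account (e.g. removed user)
  }
}

# -AllUsers returns every package staged machine-wide; a package with no
# entries in PackageUserInformation is staged but registered for nobody.
Get-AppxPackage -AllUsers -Name $filter | ForEach-Object {
  $pkg = $_
  $registered = foreach ($u in $pkg.PackageUserInformation) {
    '{0} [{1}]' -f (Resolve-SidToAccount $u.UserSecurityId.Sid), $u.InstallState
  }
  [pscustomobject]@{
    Package       = $pkg.PackageFullName
    RegisteredFor = if ($registered) { $registered -join '; ' } else { '(staged only)' }
  }
} | Format-List
```

A department user who should not see a package will not appear in its RegisteredFor list even though the package is present on the host; that is the expected state, not a missing staging step.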