Hi everyone, Steve Bucci here, and today I wanted to talk about an incredibly powerful feature of Application Virtualization 4.5 which is the ability to control the licensing of packages. Although App-V allows you to assign applications to specific users and groups, Application Licensing can allow further control of who can use the software and for how long. It is important to make the distinction early on that the licensing applies per package, so there is no granular licensing control for specific applications within a package.
This article will provide the information and steps required across the App-V Management Server and Client for successfully managing licensing. Almost everything in this document should apply to SoftGrid 4.1 as well, but strictly speaking only App-V 4.5 is addressed.
Why Use Application Licensing?
Here is an example of how Application Licensing through App-V can be a highly effective solution:
Contoso is a leading manufacturer of goods. Contoso purchases 20 licenses of a sophisticated and expensive inventory tracking application. Although most of Contoso’s applications have been purchased under an Enterprise model, it is cost prohibitive to do so with the inventory tracking application. Also, only a certain number of users per shift need access to the application.
In order to maintain license compliance for the inventory application the administrator creates a Custom Provider Policy and an Application Licenses Policy. The Application License Policy defines the boundaries of who can use the application. The Provider Policy enforces the license. When users launch any other application they will use the Default Provider Policy which does not enforce licensing. However, when they launch the inventory tracking application, they will use the Custom Provider Policy which will enforce licensing.
As a result of the two policies working together, all the benefits of App-V are maintained while keeping Contoso from violating the license agreement for the inventory tracking application.
- App-V 4.5 Management Server
- App-V 4.5 Management Console
- App-V 4.5 RTM client (or later)
- Any Sequenced Application
Provider Policies allow an Administrator to specify a set of rules that are applied to users making connections to App-V applications. As connections come into the Server Group (Provider) the server appends server rules (Provider Policy) to the connection. If the user does not specify a Custom Provider Policy then the rules of the "Default Provider" will be applied. A benefit of creating Custom Provider Policies is that the administrator can sequence numerous applications and deploy them to users under various conditions.
IMPORTANT: The Default Provider Policy cannot be used to Enforce Licensing. At least one other policy must be created in order to Enforce Licensing.
Creating a New Provider Policy for Enforcing Licensing
1. Open the Application Virtualization 4.5 Management Console
2. In the left hand column, right click on Provider Policies and select NEW PROVIDER POLICY.
3. Enter a name for the Provider Policy in the POLICY NAME field.
4. Here is an explanation of the additional options on this first screen:
a. Manage Client Desktop - Specifies, when selected, that the settings defined at the App-V Management Console for application shortcuts and the file type associations will be applied to all clients. If there are conflicting settings at the client then the Server's settings will take precedence. Default = Selected.
b. Refresh Desktop Configuration… - Specifies that an App-V client will contact the App-V Server for updated desktop configuration information at user login.
c. Refresh Configuration every - Specifies that an App-V client will refresh its desktop configuration information at the defined interval. Default is not selected when creating additional policies.
5. Click Next.
6. The GROUP ASSIGNMENT screen appears.
a. Group Assignment - Group assignment within a Provider policy designates what groups of users from the account authority have permissions to the Provider Policy. If a user is not part of a group that has permissions to the Provider Policy and they attempt to launch an application that uses the Provider Policy, they will be denied access and receive a "Launch Failed" message. Typically the App-V Users' group is assigned rights to all Provider Policies. If you are using specific Active Directory Groups per application, you should give permissions to the policy for each specific group.
7. Click Next.
8. The PROVIDER PIPELINE screen appears. For license enforcement, this screen is the most important. The Provider Pipeline defines the rule set that is applied to a user connection that has the Provider Policy appended in the OSD file.
a. Check LICENSING.
b. Change the drop-down to Enforce License Policies.
9. Here is an additional explanation of the options on the Provider Pipeline screen.
- i. Windows Authentication (Default) - specifies all users will pass the username, password, and domain supplied at logon to the client computer. These login credentials are sent securely over the network to the App-V system. If the user has been granted access to the application, it will begin to stream. If the logged-on user does not have access, the alternate credentials dialog box will appear, allowing users to specify an account that does have access to the specified application.
- ii. Enforce Access Permission Settings - Specifies, when checked (the default), that access to all applications will be authorized against Access Permissions under the application record.
b. Log Usage Information - Specifies that a metering module is enabled in the Provider Policy's Pipeline to measure user sessions from start to normal end (application ended by client), or abnormal end (application ended by server). The logged information also contains which server and applications were used. The package and application usage will be logged to the database.
c. Licensing - specifies that a licensing module is enabled in the Provider Policy's pipeline to track or grant licenses (default is unchecked). The following license types are available:
- i. Audit License Usage only - will not prevent a user from launching an application. This is an excellent method to determine if your enterprise has too many or too few licenses for an application.
- ii. Enforce License Policies - will require every user who makes a connection using the Provider Policy to have an available and valid license for the application in order to launch it.
10. Click APPLY
11. A warning will pop up:
a. IMPORTANT: Although restarting the Management Server Service is a relatively quick process, no users will be able to connect and stream applications during that period. It is recommended that restarting the Server Service be done during non-business hours.
Additional information on Provider Policies can be found on TechNet: http://technet.microsoft.com/en-us/library/cc843819.aspx
Which License type should you use?
There are three types of Application Licenses that can be defined: Named, Concurrent, and Unlimited. Common to all three of these is the ability to expire, or “time bomb”, an application. As part of the expiration feature you can set how far in advance a user is warned of the application expiration.
Named - allows you to name specific people, not groups, who are allowed to use an application. If users are set up per application in Active Directory (AD), this may be redundant.
A scenario where you could have a named license while still having per application groups in AD might be beta testing. There could be 500 users in the “PowerPoint” group, and 5 people in that group could be specifically named to beta test the next version. The same AD group could be used for testing the next version of PowerPoint, but only the 5 specifically named users could actually launch it.
More likely is a scenario where an enterprise has all the App-V users in one AD group. Specifically naming individuals in a license narrows the scope of that application deployment to just those individuals.
Concurrent - allows a set number of licenses to be used at any one time.
The company Contoso may have three shifts of 100 employees. Instead of having to purchase 300 licenses for a software package, App-V can limit that usage to only 100 active launches at a time. Now, Contoso can save money on software costs while ensuring they honor the software manufacturer’s license terms.
Unlimited - having an expiration date on an application is the reason to use an Unlimited license. By importing an application into the Management Console, you essentially have unlimited usage of an application for the groups that are allowed to use that application. If an application has to have an end to its lifecycle, App-V can ensure that happens with this license type.
Application License Policies
The information in the bullets below is directly from the App-V documentation on TechNet at http://technet.microsoft.com/en-us/library/cc843724.aspx
How to Create an Application License Group (TechNet article): http://technet.microsoft.com/en-us/library/cc817113.aspx
The Application Virtualization Server Management Console enables you to organize and manage application licenses. Depending on the type of license group, you can control who has access to the application and how many users can access an application at a time. You can use the following procedure to create an application license group.
To create an application license group
1. In the left pane of the Application Virtualization Server Management Console, right-click the Application Licenses node.
2. Select one of the following menu items that corresponds to the type of license group you want to create, and complete the pages in the associated New License Wizard:
a. New Unlimited License
b. New Concurrent License
c. New Named License
3. Click Finish.
- How to Associate an Application with a License Group
- How to Remove an Application from a License Group
- How to Set Up an Unlimited License Group
- How to Set Up a Concurrent License Group
Why to use Application Licensing was discussed earlier in this document. A quick recap, however, is that Application Licenses let the App-V administrator define any limitations to who can use an application, how many people can use an application, and for how long that application can be used.
Configuring Application Licenses
1. For specific license configuration info, please refer to http://technet.microsoft.com/en-us/library/cc843724.aspx.
2. Open the App-V 4.5 Management Console
3. In the left hand column, right click on Application Licenses and select the type of license to be created.
4. Name the license. This is typically the name of the application, though appending the license type to the name will make identification easier.
a. i.e., “Blender_Named” identifies the license as being a Named License for the application “Blender.”
5. Set a License Expiration Warning. This lets users know X many minutes before an application expires and shuts down.
6. Click Next
7. A License Description is required and will further help you identify the purpose of the license.
8. Make sure ENABLED is checked. If it is not checked the license is not active.
9. Enter an Expiration Date if appropriate for your license.
10. Enter the License Key information if appropriate for your application
Applying Application Licenses and Provider Policies
Once the Application License and the Provider Policy are created, it is still necessary to correctly apply these to an application. The steps below assume the application has already been imported into App-V, though the Application License can be applied during the import process.
1. Open the App-V Management Console
2. Select “Applications” in the left hand column.
3. Select the appropriate application in the center column, right-click, and select PROPERTIES
4. On the GENERAL tab, select the appropriate license from the Application License Group drop-down.
5. Click APPLY. Click OK.
6. Browse to the CONTENT share for your Mgmt. Server.
7. Open the appropriate OSD file for editing in Notepad.
8. On the CODEBASE tag, verify the Provider Policy is named. If the Policy is not named, it will have to be added.
a. The Provider Policy is added after ... appname.sft
- i. ?CUSTOMER=ProviderPolicyName
9. Save the OSD file
10. In the App-V Management Console, in the left-hand column, right-click “Applications” and select REFRESH.
11. In the App-V Management Console, in the left-hand column, right-click “Packages” and select REFRESH.
12. Re-stream the application.
13. Users who are authorized to use the application via the Licenses and Policies will have a successful launch.
14. Users who are not authorized to use the application will receive the error below:
If Licensing is not working, try these steps to troubleshoot the issue.
- Clear the application from the Client cache and re-stream
- Make sure the user is allowed or denied in the policy or AD, depending on the result you are expecting.
- In the Client, right-click on the application and select PROPERTIES
- Licensing will not work when the 4.5/4.6 Client is installed against a 4.1 Management Server.
- The number of concurrent licenses is not reset when the Application Virtualization Management Server service restarts: http://support.microsoft.com/kb/2447513
- Scroll through the LOCAL OSD FILE PATH so you identify the GUID, at least the first few characters.
- Copy the path, stopping at OSD CACHE, not including the GUID
- Open the appropriate OSD in Notepad
- Verify the Provider Policy is correct in the locally cached OSD file
- If it is not, verify the same in the OSD on the CONTENT share.
- Repeat steps to apply license if needed
- Verify if App-V Management Server Service was restarted after a Provider Policy was created.
- If the APPLICATION SOURCE ROOT registry key is defined it MUST use RTSP or RTSPS.
- Licensing does not work with file or http streaming
- App-V Provider Policies: http://technet.microsoft.com/en-us/library/cc817092.aspx
- How to Manage Application Licenses in the Server Management Console http://technet.microsoft.com/en-us/library/cc843724.aspx
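The OSD checks from step 8 and from the troubleshooting list can be scripted. The following is an added example, not part of the original article or of App-V: it parses an OSD file, confirms the CODEBASE HREF streams over RTSP or RTSPS, and confirms it names the expected Provider Policy. The sample OSD fragments, server name and policy name are constructed, and matching the CUSTOMER key case-insensitively is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# Constructed sample OSD fragments; server, package and policy names are made up.
OSD_OK = """<SOFTPKG NAME="Inventory Tracker" VERSION="1.0">
  <IMPLEMENTATION>
    <CODEBASE HREF="rtsp://appv01:554/inventory/inventory.sft?CUSTOMER=InventoryLicensed"/>
  </IMPLEMENTATION>
</SOFTPKG>"""
OSD_NO_POLICY = OSD_OK.replace("?CUSTOMER=InventoryLicensed", "")
OSD_HTTP = OSD_OK.replace("rtsp://appv01:554", "http://appv01")


def check_osd(osd_xml, expected_policy):
    """Return a list of findings; an empty list means the OSD passes."""
    try:
        root = ET.fromstring(osd_xml)
    except ET.ParseError as exc:
        return [f"OSD is not well-formed XML: {exc}"]
    codebase = root.find(".//CODEBASE")
    if codebase is None or not codebase.get("HREF"):
        return ["no CODEBASE HREF found"]

    findings = []
    url = urlsplit(codebase.get("HREF"))
    # Licensing does not work with file or http streaming.
    if url.scheme.lower() not in ("rtsp", "rtsps"):
        findings.append(f"scheme '{url.scheme}' is not RTSP/RTSPS")
    # Assumption: the query key is matched case-insensitively.
    params = {k.upper(): v for k, v in parse_qsl(url.query, keep_blank_values=True)}
    policy = params.get("CUSTOMER")
    if policy is None:
        # Without a named policy the Default Provider applies, and it
        # cannot be used to enforce licensing.
        findings.append("no Provider Policy named; Default Provider applies")
    elif policy != expected_policy:
        findings.append(f"names policy '{policy}', expected '{expected_policy}'")
    return findings


if __name__ == "__main__":
    for label, osd in (("ok", OSD_OK), ("no policy", OSD_NO_POLICY), ("http", OSD_HTTP)):
        print(label, check_osd(osd, "InventoryLicensed") or "PASS")
```

Run the same check against both the OSD on the CONTENT share and the locally cached copy on the client, since a stale cached OSD can still carry the old CODEBASE value.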
Steve Bucci | Support Escalation Engineer