Desktop and Application restrictions using tags

Using restrictive tags in XenApp & XenDesktop 7.12 allows you to selectively choose which VDA machines launch applications or desktops, regardless of what other machines exist in the same Delivery Groups.

Ever witnessed Delivery Group sprawl? It was a possiblility using earlier versions of XenApp and XenDesktop under the FMA architecture. You created separate Delivery Groups for single applications and desktops because you needed to apply different policies based on the application that was being accessed. You had different versions of server OS meaning you needed multiple Delivery Groups. Basically it was easy to end up with a lot of different Delivery Groups and extra time creating and maintaining the lifecycle of those Delivery Groups.

How about when you have ten application servers that use ODBC connections to SQL databases. You have two ODBC connections, one for Live and one for Testing on each VDA. You create a Test PVS Maintenance vDisk version that has the Testing ODBC connection pointing to a newer SQL database. Only one of the ten PVS Target VM is booted to the Test version. You now need that Testing application to launch only from one of the ten VDA machines without affecting anything else. You would probably have had to move that machine in to it’s own unique Delivery Group to ensure the application only launches from the test mode Target VM.

Updating an applcation? Now you only want to publish is to a small number of servers for testing, rather than all. This is not more easily possible.

Now you can use tags to restrict where the application is launched from. This will reduce administration and the need for additional Delivery Groups in your Citrix Site.

Look at the below example and how one Delivery Group is used to deliver a Shared Desktop and multiple applications. The VDAs could be using the same base image or they may be different images. Either way only certain machines will launch Microsoft Office, Calculator, RDP and so on. In previous versions of XenApp and XenDesktop multiple Delivery Groups would have been required.In this example I have two VDA machines (VDA1/VDA2) assigned to a Delivery Group. To split application resources we simply assign tags against desired VDAs and then use those same tags when creating Application Groups. For now, I want VDA1 and only VDA1 to launch Calculator. Within the Delivery Group click on a VDA and then click Manage Tags.No tags have been created or assigned to VDA1 yet. Click Create. Enter a name and description. Click OK. Click Create. A tag of Calculator is now assigned to VDA1. At this point we can create an Application Group to deploy Calculator. Right-click Applications and click Create Application Group. Click Next. Check the Delivery Group which contains the VDA tagging. Check Restrict launches to machines with tag. Use the drop-down box to select the Calculator tag. Notice Machines = 1 of 2. This shows that only one machine (VDA1) will be considered to launch applications within this Delivery Group, because VDA1 has the Calculator tag. Click Next. Select Allow any users in the selected Delivery Groups to use applications in this Application Group. This means user association is set at the Delivery Group level. Click Next. Browse for, and add Calculator. Click Next. Specify a name and click Finish. Now when users launch Calculator, VDA1 will only be considered for launch. When you want to restrict shared desktop launch from specific VDAs, create another tag and assign it to desktops you want to be considered for launch. Edit a Delivery Group, navigate to Desktops -> Add. Select Restrict launches to machines with tag and choose the Desktop tag. Click OK. From now desktops will only be launched from in my case VDA2.


8 Comments

  • Faye

    May 30, 2017

    Great article. Does this only work in 7.12 and later?

    Reply
    • George Spiers

      May 30, 2017

      Yes tags were introduced in 7.12

      Reply
  • Faye Jasman

    June 9, 2017

    Want to thank you again, upgraded to 7.13 and now I don’t have to split out servers by delivery group because of unique software. Might not have known about this feature without your article!

    Reply
    • George Spiers

      June 9, 2017

      No problem Faye glad it helped!

      Reply
  • Bob Harrison

    August 16, 2017

    I need to be able to test our main application on each machine of over 100 that host it. I cannot find a way to tag the application directly to the machine without creating an application group for each machine. Is there a way to do this? Thanks.

    Reply
    • George Spiers

      August 16, 2017

      Applications are assigned to Application Groups which are then tagged against specific desktops with matching tags. There isn’t a way to create a single application and tag it to a specific desktop without putting that application in to an Application Group.
      Why do you need to use tagging to test the application?

      Reply
      • Bob Harrison

        August 16, 2017

        We have 100 servers running this app on Xenapp as a published app. It is a requirement to test this app on every server after the bi-monthly application upgrade. Tags are the only method that I have found to work, but I was looking for a way to do it without setting up an application group for each server. An application (icon) with a tag to the server would be great, but apparently that is not available.

        Reply
        • George Spiers

          August 16, 2017

          That sounds intensive. If all 100 servers work off the same gold image provided by PVS/MCS then testing 10% IMO would be enough to satisfy requirements given that the image is controlled and in a read-only state. If they aren’t working off the same gold image, they should be!

          Reply

Leave a Reply