Desktop and Application restrictions using tags

Using restrictive tags in XenApp & XenDesktop 7.12 allows you to selectively choose which VDA machines launch applications or desktops, regardless of what other machines exist in the same Delivery Groups.

Ever witnessed Delivery Group sprawl? It was a possiblility using earlier versions of XenApp and XenDesktop under the FMA architecture. You created separate Delivery Groups for single applications and desktops because you needed to apply different policies based on the application that was being accessed. You had different versions of server OS meaning you needed multiple Delivery Groups. Basically it was easy to end up with a lot of different Delivery Groups and extra time creating and maintaining the lifecycle of those Delivery Groups.

How about when you have ten application servers that use ODBC connections to SQL databases. You have two ODBC connections, one for Live and one for Testing on each VDA. You create a Test PVS Maintenance vDisk version that has the Testing ODBC connection pointing to a newer SQL database. Only one of the ten PVS Target VM is booted to the Test version. You now need that Testing application to launch only from one of the ten VDA machines without affecting anything else. You would probably have had to move that machine in to it’s own unique Delivery Group to ensure the application only launches from the test mode Target VM.

Updating an applcation? Now you only want to publish is to a small number of servers for testing, rather than all. This is not more easily possible.

Now you can use tags to restrict where the application is launched from. This will reduce administration and the need for additional Delivery Groups in your Citrix Site.

Look at the below example and how one Delivery Group is used to deliver a Shared Desktop and multiple applications. The VDAs could be using the same base image or they may be different images. Either way only certain machines will launch Microsoft Office, Calculator, RDP and so on. In previous versions of XenApp and XenDesktop multiple Delivery Groups would have been required.In this example I have two VDA machines (VDA1/VDA2) assigned to a Delivery Group. To split application resources we simply assign tags against desired VDAs and then use those same tags when creating Application Groups. For now, I want VDA1 and only VDA1 to launch Calculator. Within the Delivery Group click on a VDA and then click Manage Tags.No tags have been created or assigned to VDA1 yet. Click Create. Enter a name and description. Click OK. Click Create. A tag of Calculator is now assigned to VDA1. At this point we can create an Application Group to deploy Calculator. Right-click Applications and click Create Application Group. Click Next. Check the Delivery Group which contains the VDA tagging. Check Restrict launches to machines with tag. Use the drop-down box to select the Calculator tag. Notice Machines = 1 of 2. This shows that only one machine (VDA1) will be considered to launch applications within this Delivery Group, because VDA1 has the Calculator tag. Click Next. Select Allow any users in the selected Delivery Groups to use applications in this Application Group. This means user association is set at the Delivery Group level. Click Next. Browse for, and add Calculator. Click Next. Specify a name and click Finish. Now when users launch Calculator, VDA1 will only be considered for launch. When you want to restrict shared desktop launch from specific VDAs, create another tag and assign it to desktops you want to be considered for launch. Edit a Delivery Group, navigate to Desktops -> Add. Select Restrict launches to machines with tag and choose the Desktop tag. Click OK. From now desktops will only be launched from in my case VDA2.


20 Comments

  • Faye

    May 30, 2017

    Great article. Does this only work in 7.12 and later?

    Reply
    • George Spiers

      May 30, 2017

      Yes tags were introduced in 7.12

      Reply
  • Faye Jasman

    June 9, 2017

    Want to thank you again, upgraded to 7.13 and now I don’t have to split out servers by delivery group because of unique software. Might not have known about this feature without your article!

    Reply
    • George Spiers

      June 9, 2017

      No problem Faye glad it helped!

      Reply
  • Bob Harrison

    August 16, 2017

    I need to be able to test our main application on each machine of over 100 that host it. I cannot find a way to tag the application directly to the machine without creating an application group for each machine. Is there a way to do this? Thanks.

    Reply
    • George Spiers

      August 16, 2017

      Applications are assigned to Application Groups which are then tagged against specific desktops with matching tags. There isn’t a way to create a single application and tag it to a specific desktop without putting that application in to an Application Group.
      Why do you need to use tagging to test the application?

      Reply
      • Bob Harrison

        August 16, 2017

        We have 100 servers running this app on Xenapp as a published app. It is a requirement to test this app on every server after the bi-monthly application upgrade. Tags are the only method that I have found to work, but I was looking for a way to do it without setting up an application group for each server. An application (icon) with a tag to the server would be great, but apparently that is not available.

        Reply
        • George Spiers

          August 16, 2017

          That sounds intensive. If all 100 servers work off the same gold image provided by PVS/MCS then testing 10% IMO would be enough to satisfy requirements given that the image is controlled and in a read-only state. If they aren’t working off the same gold image, they should be!

          Reply
  • Dev

    August 28, 2017

    Is there a way which will enable to launch multiple Published Desktop sessions? Currently its limited only 1 session per user.

    Reply
    • George Spiers

      August 28, 2017

      You should be able to do that but you would need to disable Session Reconnection. Set-BrokerEntitlementPolicyRule -Name “Desktop Name” -SessionReconnection SameEndpointOnly OR DisconnectedOnly. Note there have been reports that session sharing does not work when Session Reconnection is disabled. This may be an issue if your Delivery Group publishes multiple applications.

      Reply
  • Carlos

    September 27, 2018

    I am running 7.15 CU2 > configured the option and I am not able to view the application in the StoreFront page.

    Reply
  • Shaik

    September 5, 2019

    great article !!

    Reply
  • Anonymous

    March 28, 2020

    HI George,

    May I get a script to assign tag to all machines in Delivery Group.

    Thanks,
    Josh

    Reply
  • Josh

    March 28, 2020

    Hi George,

    May I have a script to assign a Tag which is already created, which needs to assign to all the machines in a Delivery Group.

    Reply
    • George Spiers

      May 20, 2020

      Get-BrokerDesktop -DesktopGroupName nnn | Add-BrokerTag nnn

      Reply
  • Anon

    October 2, 2020

    Great article! I have one question.. If I have multiple VDAs in a delivery group and specific application groups for each VDA how would I prevent applications from piggybacking on the initial VDA session?
    .. For example; if I have VDA01 that is tagged with an MS Office application group tag, Outlook or Word are still capable of launching Internet Explorer or Chrome from hyperlinks in those e-mails or documents — the browser will use the same session ID assigned when Outlook was launched from Storefront, it will launch a browser session on VDA01, instead of the desired VDA02 that is tagged with a browser application group tags.

    .. I am guessing that I’m going about achieving this the wrong way, or tagging is just not that granular. Do you have any ideas or alternatives that I can look into? I’d appreciate it! I’m running XenApp 7.15 LTSR.

    Reply
    • Mike

      February 22, 2021

      We’re seeing a similar situation with tagged applications.

      + App A is tagged to VDA X.
      + App B is tagged to VDA Y.
      + When you open App A by itself, it does open on VDA X.
      + When you open App B by itself, it does open on VDA Y.
      + You open App A, and while App A is open, you want to open App B.
      + When you open App B, Citrix tries to open App B into the App A session already open on VDA X instead of opening a new session to VDA Y.
      + Because App B isn’t installed on VDA X, the launch fails (or nothing happens).

      So it works with one app opened by itself, but when you try to open a second tagged app, it wants to consolidate sessions and forces the second app into the session for the first one instead of opening a new session.

      Reply
      • Mike

        March 24, 2021

        Turns out my issue was due to having both an Application Group and a Delivery Group assigned to an application. If you do that, the Delivery Group settings take precedence (where I want sharing for universally-available apps) and the tagging and separation of sessions of the Application Group is ignored. These were existing applications created for testing prior to the creation of the Application Group so they had a previously-assigned Delivery Group, and I thought that didn’t matter and left it on. Took me a little bit to find the reference.

        https://www.citrix.com/blogs/2017/02/27/xenapp-and-xendesktop-7-13-launching-an-application-in-multiple-sessions/

        “It is important to note that all applications associated with a Delivery Group will session share by default. Although not recommended, applications can be configured to be associated simultaneously with Application Groups and Delivery Groups. In that case the session sharing settings on the Delivery Group will take precedence overriding the options configured at the Application Group level. Therefore it is important to ensure the required application is not also associated with a Delivery Group when making use of the new feature.”

        Reply
    • Anonymous

      March 24, 2021

      You could disable session sharing for that application group.
      https://support.citrix.com/article/CTX232362

      Reply
  • Sasi Tsadka

    August 23, 2021

    ther is a script that create a tag to specific dektop on the delivery group?
    We have 200 machines on the delivery group
    we want a script that create tag for each machine and then restrict user with tag
    there is option to do it?

    Reply

Leave a Reply