VMware THINAPP 4.6 - Controlling Application Access with Active Directory; Package.ini Entries for Active Directory Access Control

To Next Page

To Previous Page

VMware, Inc. 45

Chapter 3 Deploying Applications

Deploying MSI Files on Microsoft Vista

WhenyoudeployMSIfilesonVista,youmustindicatewhetheraninstallerneedselevatedprivileges.Typical

individualuserinstallationsdonotrequireelevatedprivilegesbutindividualmachineinstallationsrequire

suchprivileges.

ThinAppprovidestheMSIRequireElevatedPrivilegesparameterinthePackage.inifilethatspecifies

theneedforelevatedprivilegeswhenthevalue

issetto1.Specifyingavalueof1forthisparameterorforcing

anindividualuserinstallationfromthecommandlinecangenerateUACprompts.Specifyingavalueof0for

thisparameterpreventsUACpromptsbutthedeploymentfailsformachine‐wideinstallations.

Controlling Application Access with Active Directory

YoucancontrolaccesstoapplicationsusingActiveDirectorygroups.

Whenyoubuildapackage,ThinA pp convertsActiv eDirectorygroupnamesintoSecurityIdentifier(SID)

values.ASIDisasmallbinaryvaluethatuniquelyidentifiesanobject.SIDvaluesarenotuniqueforafew

groups,suchastheadministrator

group.BecauseThinAppstoresSIDvaluesinpackagesforfuturevalidation,

thefollowingconsiderationsapplytoActiveDirectoryuse:

 YoumustbeconnectedtoyourActiveDirectorydomainduringthebuildprocessandthegroupsyou

specifymustexist.ThinApplooksuptheSIDvalueduringthebuild.

 Ifyoudeleteagroupandre‐createit,theSIDmightchange.Inthiscase,rebuildthepackageto

authenticateagainstthenewgroup.

 Whenusersareoffline,ThinAppcanauthenticatethemusingcachedcredentials.Iftheuserscanloginto

theirmachines,authenticationstillworks.Useagrouppolicytosettheperiodwhencachedcredentials

arevalid.

 CachedcredentialsmightnotrefreshonclientsuntilthenextActiveDirectoryrefreshcycle.Youcanforce

agrouppolicyonaclientbyusingthegpupdatecommand.Thiscommandrefresheslocalgrouppolicy,

grouppolicy,andsecuritysettingsstoredinActiveDirectory.YoumightlogoutbeforeActiveDirectory

credentials

arerecached.

 Certaingroups,suchastheAdministratorsgroupandEveryonegroup,havethesameSIDonevery

ActiveDirectorydomainandworkgroup.Othergroupsyoucreatehaveadomain‐specificSID.Users

cannotcreatetheirownlocalgroupwiththesamenametobypassauthentication.

 ActiveDirectoryDomainServicesdefinesecuritygroupsanddistributiongroups.Ifyouusenested

groups,ThinAppcanonlysupportnestedsecuritygroups.

Package.ini Entries for Active Directory Access Control

ThinAppprovidesthePermittedGroupsparameterinthePackage.inifiletocontrolActiveDirectory

access.

Whenyoustartacapturedapplication,thePermittedGroupsparametercheckswhetherauserisamember

ofaspecifiedActiveDirectorygroup.IftheuserisnotamemberoftheActiveDirectorygroup,Thinappdoes

not

starttheapplication.ForinformationaboutrestrictingpackagestoActiv eDirectorygroups,see

“PermittedGroups”onpage 73.

InthefollowingPackage.inientry,App1andApp2inheritPermittedGroupsvalues.

[BuildOptions]

PermittedGroups=Administrators;OfficeUsers

[App1.exe]

...

[App2.exe]

...

Main Page

VMware THINAPP 4.6 - Controlling Application Access with Active Directory; Package.ini Entries for Active Directory Access Control

Table of Contents

Related product manuals