5.1
Table Of Contents
- ThinApp User’s Guide
- Contents
- About This Book
- Installing ThinApp
- Capturing Applications
- Phases of the Capture Process
- Preparing to Capture Applications
- Capturing Applications with the Setup Capture Wizard
- Create a System Image Before the Application Installation
- Rescan the System with the Installed Application
- Defining Entry Points as Shortcuts into the Virtual Environment
- Set Entry Points
- Manage with VMware Horizon Application Manager
- Set User Groups
- Defining Isolation Modes for the Physical File System
- Set File System Isolation Modes
- Storing Application Changes in the Sandbox
- Customize the Sandbox Location
- Send Anonymous Statistics to VMware
- Customize ThinApp Project Settings
- Defining Package Settings
- Customize Package Settings
- Opening Project and Parameter Files
- Build Virtual Applications
- Advanced Package Configuration
- Capturing Internet Explorer 6 on Windows XP
- Capturing Multiple Application Installers with ThinApp Converter
- ThinApp Package Management
- Deploying Applications
- ThinApp Deployment Options
- Establishing File Type Associations with the thinreg.exe Utility
- Building an MSI Database
- Controlling Application Access with Active Directory
- Starting and Stopping Virtual Services
- Using ThinApp Packages Streamed from the Network
- Using Captured Applications with Other System Components
- Performing Paste Operations
- Accessing Printers
- Accessing Drivers
- Accessing the Local Disk, the Removable Disk, and Network Shares
- Accessing the System Registry
- Accessing Networking and Sockets
- Using Shared Memory and Named Pipes
- Using COM, DCOM, and Out-of-Process COM Components
- Starting Services
- Using File Type Associations
- Sample Isolation Mode Configuration Depending on Deployment Context
- Updating and Linking Applications
- Application Updates That the End User Triggers
- Application Sync Updates
- Using Application Sync in a Managed or Unmanaged Environment
- Update Firefox 2.0.0.3 to Firefox 3 with Application Sync
- Fix an Incorrect Update with Application Sync
- Application Sync Effect on Entry Point Executable Files
- Updating thinreg.exe Registrations with Application Sync
- Maintaining the Primary Data Container Name with Application Sync
- Completing the Application Sync Process When Applications Create Child Processes
- Application Link Updates
- View of the Application using Application Link
- Link a Base Application to the Microsoft .NET Framework
- Set Up Nested Links with Application Link
- Affecting Isolation Modes with Application Link
- PermittedGroups Effect on Linked Packages
- Sandbox Changes for Standalone and Linked Packages
- Import Order for Linked Packages
- File and Registry Collisions in Linked Packages
- VBScript Collisions in Linked Packages
- VBScript Function Order in Linked Packages
- Storing Multiple Versions of a Linked Application in the Same Directory
- Using Application Sync for a Base Application and Linked Packages
- Application Sync Updates
- Application Updates That the Administrator Triggers
- Automatic Application Updates
- Upgrading Running Applications on a Network Share
- Application Synchronization Using Group Policy Object
- Sandbox Considerations for Upgraded Applications
- Updating the ThinApp Version of Packages
- Application Updates That the End User Triggers
- Locating the ThinApp Sandbox
- Creating ThinApp Snapshots and Projects from the Command Line
- ThinApp File System Formats and Macros
- Creating ThinApp Scripts
- Callback Functions
- Implement Scripts in a ThinApp Environment
- API Functions
- Monitoring and Troubleshooting ThinApp
- Glossary
- Index
VMware, Inc. 43
Chapter 3 Deploying Applications
Deploying MSI Files on Microsoft Vista
When you deploy MSI files on Vista, you must indicate whether an installer needs elevated privileges. Typical
individual user installations do not require elevated privileges but individual machine installations require
such privileges.
ThinApp provides the MSIRequireElevatedPrivileges parameter in the Package.ini file that specifies
the need for elevated privileges when the value is set to 1. Specifying a value of 1 for this parameter or forcing
an individual user installation from the command line can generate UAC prompts. Specifying a value of 0 for
this parameter prevents UAC prompts but the deployment fails for machine-wide installations.
Controlling Application Access with Active Directory
You can control access to applications using Active Directory groups.
When you build a package, ThinApp converts Active Directory group names into Security Identifier (SID)
values. A SID is a small binary value that uniquely identifies an object. SID values are not unique for a few
groups, such as the administrator group. Because ThinApp stores SID values in packages for future validation,
the following considerations apply to Active Directory use:
You must be connected to your Active Directory domain during the build process and the groups you
specify must exist. ThinApp looks up the SID value during the build.
If you delete a group and re-create it, the SID might change. In this case, rebuild the package to
authenticate against the new group.
When users are offline, ThinApp can authenticate them using cached credentials. If the users can log into
their machines, authentication still works. Use a group policy to set the period when cached credentials
are valid.
Cached credentials might not refresh on clients until the next Active Directory refresh cycle. You can force
a group policy on a client by using the gpupdate command. This command refreshes local group policy,
group policy, and security settings stored in Active Directory. You might log out before Active Directory
credentials are recached.
Certain groups, such as the Administrators group and Everyone group, have the same SID on every
Active Directory domain and workgroup. Other groups you create have a domain-specific SID. Users
cannot create their own local group with the same name to bypass authentication.
Active Directory Domain Services define security groups and distribution groups. If you use nested
groups, ThinApp can only support nested security groups.
Package.ini Entries for Active Directory Access Control
ThinApp provides the PermittedGroups parameter in the Package.ini file to control Active Directory
access.
When you start a captured application, the PermittedGroups parameter checks whether a user is a member
of a specified Active Directory group. If the user is not a member of the Active Directory group, ThinApp does
not start the application. For information about restricting packages to Active Directory groups, see
“PermittedGroups” on page 69.
In the following Package.ini entry, App1 and App2 inherit PermittedGroups values.
[BuildOptions]
PermittedGroups=Administrators;OfficeUsers
[App1.exe]
...
..
[App2.exe]
...
...