My first post will describe a solution that can help service providers to use Citrix CloudPortal Service Manager (CPSM) together with Citrix App Studio to manage the visibility and usage of installed applications within published Desktop.

For those of you who have been working with Citrix App Studio and integration with CloudPortal Service Manager before probably know that the current integration of these great products has a limitation that they can “only” enable automation and creation of published desktops or published applications.  What if your plan as service provider is to only to offer Windows Desktop as Service and all application usage and execution will occur within the published desktop? How do you manage the access and visibility or even billing for the applications installed inside the desktop?  There are great third party tools like AppSense who can do this or another option is to use the basic functionality of Citrix App Studio and CPSM in a bit more creative way…

If you need to know more about how to setup Citrix App Studio I encourage having a look on a great Quick Deployment guide written by Thomas Hammond  that describes how do a basic setup of Citrix App Studio (/blogs/2012/03/29/citrix-app-studio-quick-deployment-guide/).

The integrating between CloudPortal Service Manager and Citrix App Studio is done by installing new service (Hosted Apps and Desktop) in CloudPortal Service Manager. There is a good Citrix TV video that shows how to accomplish the integration (

When using Hosted Apps and Desktop service from CloudPortal Service Manager to provision an advertisement created in Citrix App Studio for the first customer, a domain local group for that advertisement is created under CortexSystem/Services/HostedAppsandDesktops OU in Active Directory domain. By default CPSM uses group naming HostedAppsandDesktops UserPlanName when creating these groups. CPSM uses this group to control which customer has the availability of the advertisement. When a customer subscribes to the advertisement made available with CPSM, a new customer specific domain global group is created and it’s added to be member of domain local group controlling the availability of the advertisement.  The default naming convention CPSM uses is for this group is HostedAppsandDesktops CustomerShortCode UserPlanName. So basically the idea here is that that we will use the CPSM system wide domain local group that controls the availability of the advertisement to manage the application access inside the published desktop. Theintegration between CPSM and App Studio (Hosted Apps and Desktops service) will take care of the process creating the tenant in App Studio as well as creating the subscription of the tenant filtered with the customer specific domain global group created by CPSM and add the newly created subscription to the advertisement in App Studio. And yes, we will let App Studio to leverage it’s built in automatic workflows to take care of creating the published applications to the XenApp farm based on the configurations made in App Studio even though we are not going to use the published applications in this case.

So let say a new application named SAP will be installed to the customer dedicated XenApp session host. After the installation process Citrix App Studio is used to automatically populate the newly installed SAP application and create an advertisement of it. After creating the advertisement, a new user plan need to be created in CPSM (in our case the name will be just SAP) and this user plan will be mapped to the newly created advertisement. When the new advertisement in CPSM is enabled and provisioned for the first customer, the CPSM system wide domain local group is created under CortexSystem/Services HostedAppsandDesktops OU in addition to the customer specified domain global group. At this stage we will use the domain local group created (in this case HostedAppsandDesktops SAP) to enable the read and execute permission of NTFS rights of the start menu shortcut’s and application executables of SAP application inside the XenApp session host and remove those rights from default users group. When users are provisioned with the user plan from CPSM, tenant will be created inside App Studio, subscription for that tenant will be created as well and the creation of the published applications within XenApp farm is automated by App Studio workflows. This is nothing new right?  The User provisioned will be member of the customer related domain global group (in this case HostedAppsandDesktops CCS SAP) which is member of the CPSM system wide domain local group that controls the availability of the advertisement as well as it entitles with the required NTFS rights. This is just basic group nesting, right? At the end user will get the required group memberships and rights that enable the visibility and usage of the application inside the desktop.  As our service provider does not want to offer or even show the published applications for user when logging through Web Interface or Cloud Gateway, the published applications created by App Studio can be disabled and hidden from the users. Instead of doing this by published application basis in AppCenter, we can use App Studio to change these properties in the advertisement as global for each published application created. Every time a new customer admin provisions a user plan that maps to the advertisement for users in CPSM, App Studio will create the required published applications automatically and it will inherit the advertisement settings so the new published applications will be created with properties to be hidden and disabled.

If the service provider for some reason will need to offer the to possibilty to access published application in the future, it’s only required change the properties of the existiting publisheed applications or advertisement settings to make this happen.

And there you have a solution to manage the application access inside a published desktop with using built in features of Citrix CloudPortal Services Manager and Citrix App Studio.