Recently, Citrix announced an experimental new feature in Workspace Cloud Labs, the Browser Apps Service.
This new service allows you to easily deliver web applications via a hosted web browser to solve browser compatibility issues, increase security, or improve performance over high-latency connections.
So far, Citrix has received lots of positive feedback from our customers. But still, the number one question customers have asked is, “When is Citrix going to offer the Browser Apps Service as an on-premises product?” The answer: We already have. The Browser Apps Service runs completely on off-the-shelf Citrix technologies that you can buy today.
In this post, I’ll provide a behind-the-scenes look at how Citrix built the Browser Apps Service and how you can it to deliver a great user experience to your end users for hosted web apps.
Under the covers, the Browser Apps Service is running the same XenApp technology we’re all familiar with. The Citrix Workspace Cloud operations team manages the service using the same Studio and Director you use today. VDAs are created with Machine Creation Services. Web applications are published using the publicly-available PowerShell SDK.
For the control plane, Citrix chose to use the hosted Applications and Desktops Service from Citrix Workspace Cloud. This ensures the service is kept evergreen with the latest fixes. and we can leverage new features like Azure VDA provisioning, which is currently only available via the Apps and Desktops service.
Seamless User Experience
One of the key goals of the service is to make the experience as seamless as possible for end users. A user’s workflow shouldn’t change when using a web app hosted by the Browser Apps Service—users should continue to enter a URL or click on a hyperlink as if they were accessing a regular web site, without being aware of what’s happening in the Browser Apps Service behind the scenes. To get this experience, Citrix uses a combination of features from XenApp, StoreFront, and the web browsers themselves.
Receiver for HTML5
The Browser Apps Service is designed for delivering specific web application to end users, not for general-purpose web browsing. So, Citrix chose to hide the fact that we’re running a web browser inside of another web browser. Web browsers support a special kiosk mode that does exactly this: it runs a single web application in full-screen mode, without any navigation or menu bars. Launching a web browser in kiosk mode can be accomplished by adding command-line flags to the published application:
- Google Chrome: chrome.exe –kiosk <URL>
- Microsoft Internet Explorer: iexplorer.exe -k <URL>
Add Shortcuts to Websites
The next step in providing a seamless user experience is launching the app via a URL that can be e-mailed or embedded in other web pages, just like any other web application. If using StoreFront, Receiver for Web has a feature that allows you to create shortcut URLs that go directly to a specific application. The user doesn’t have to go through the normal process of browsing through apps or adding them to their favorites. From the Receiver for Web console, just click the “Add Shortcuts to Websites” task to get a URL that you can embed in another intranet site to provide direct access to that application.
Finally, users of the Browser Apps Service don’t have separate credentials. The web browser doesn’t run under any particular Active Directory user account, so Citrix leveraged the unauthenticated users feature introduced in XenApp 7.6. This feature creates a pool of local user accounts on each VDA, named Anon000 through Anon999, and users are temporarily assigned to one of these users for only the lifetime of their session.
The unauthenticated users feature is particularly useful when delivering web apps to client on the local intranet, as it allows the user to launch without any credential prompt. When creating the Delivery Group, simply check the box shown below, then create an unauthenticated StoreFront store to provide access to these applications.
In addition to simply running Internet Explorer or Chrome as a published app, numerous GPOs need to be set on the VDAs to provide a more secure environment and a good end user experience. The list below isn’t comprehensive, but provides some of the policies recommended for VDAs hosting a published web browser on a multi-session (Remote Desktop Services) environment.
Some of the default web browser settings aren’t suitable for a Browser Apps Service deployment, particularly on a Server OS.
|Prevent running First Run wizard
Go directly to home page
|Enabled||Prevents first run wizards of IE so page loads seamlessly to content|
|Turn off Automatic Crash Recovery||Enabled||Crash recovery breaks out of Kiosk mode with additional prompts we want to avoid|
|Turn off Reopen Last Browsing Session||Enabled||Ensures each session maintains a fresh appearance|
|Turn off Shortcut Menu||Enabled||Removes the right click menu from Internet Explorer|
|Turn off first-run prompt
First-Run Opt-In : Enabled
|Enabled||Automatically uses recommended settings if not already set up|
First, download and install the Google Chrome ADMX template.
|Continue running background apps when Google Chrome is closed||Disabled||Ensures we recycle resources of the browser session|
|Disable saving browser history||Enabled||Allow shared machines to isolate and restrict session contamination from other users actions|
|Specify a list of enabled plugins||Enabled||Enable the browser plugins you desire|
|Allow users to show passwords in Password Manager||Disabled||Prevents access to any passwords that may inadvertently be saved|
|Enable the password manager||Disabled||Turns off the ability to save passwords during your session|
Build your own Browser Apps Service
The primary advantage of the Browser Apps Service is its simplicity. In seconds, you can go from a URL to a fully-functional hosted web browser with zero Citrix expertise. The Workspace Cloud operations team manages the infrastructure, including the VDA images hosting web browsers, patches and updates, and scales the infrastructure based on capacity demands.
However, the functionality itself is built on top of publically-available features in XenApp 7.6 and StoreFront 3.0. By using some of the tricks like kiosk mode and website shortcuts described above, you can offer end users the same seamless experience as the Browser Apps Service, using your existing XenApp infrastructure.