Today, I’m excited to tell you about a new feature in XenApp and XenDesktop 7.12: restricting application groups and desktops to tagged machines. The sets of tagged machines are analogous to Worker Groups in XenApp 6.x.
Before we take a tour of the design changes, use cases and new workflows, I recommend that you take a look at my previous two blog posts for the necessary background information:
- Taking XenApp and XenDesktop 7.8 to the Next Level – Desktops and new tagging UI
- Introducing Application Groups in XenApp and XenDesktop 7.9 – Application groups
Application group and desktop machine tags
An application group can be restricted to a single set of tagged machines. Once a tag restriction has been defined for an application group, applications within the group will only be hosted by machines with the tag.
In the diagram above, the applications in App Group 1 can be delivered from the first or last set of machines in the delivery group and the applications in App Group 2 can be delivered from the second or last set of machines in the delivery group.
Similarly, a desktop can be restricted to a single set of tagged machines. Once a tag restriction has been defined for a desktop, the desktop will only be hosted by machines with the tag.
In the diagram above, the desktops in Desktop 1 can be delivered from the first or last set of machines in the delivery group and the desktops in Desktop 2 can be delivered from the second or last set of machines in the delivery group.
Note that machines cannot be shared between multiple delivery groups, so it is recommended that fewer delivery groups are used with machine tag restrictions.
When would I use machine tag restrictions?
- Provide the applications in an application group or desktops in a delivery group from a specific set of tagged machines.
- Move an application to a “maintenance” application group with a new user list and limit the access to that application for maintenance or diagnostic purposes.
The combination of application groups, desktops and machine tag restrictions provides greater flexibility and simplified configuration of a XenApp and XenDesktop deployment.
Consider the case where you maintain a collection of identical application servers and wish to provide access to different groups of applications utilizing all of the server capacity. This could be achieved by the creation of a single delivery group that contains all of the servers. Users that require access to Microsoft Office, say, could be contained in a different application group to users that require access to Adobe Creative Suite, say. The users defined in each application group are a subset of the XenApp and XenDesktop users defined on the delivery group.
Imagine that Microsoft Office is mission-critical to the business and must always remain available whereas the Adobe Creative Suite users are happy to beta test the latest Windows security patches. This could be achieved by restricting the Microsoft Office application group to the unpatched subset of servers in the delivery group.
New Machine Tag Restriction Workflows
In this blog post we are going to view the machine tag restriction workflows from the perspective of Citrix Studio. As with all workflows in the FMA architecture (7.x), all functionality relating to machine tag restrictions is also available from the PowerShell SDK.
Let’s walkthrough the restriction of application groups and desktops to tagged machines.
Step 1: Create “Worker Group 1” and “Worker Group 2” machine tags
From the Search node in Citrix Studio, select the machines that you would like to tag and click the Manage Tags action. From here you can create the “Worker Group 1” and “Worker Group 2” machine tags. Click Save to apply the tags to the selected machines.
Step 2: Restrict desktops in delivery group to machines in “Worker Group 1”
From the Delivery Groups node in Citrix Studio, click the Create Delivery Group wizard and add a desktop on the Desktops page. From here you can restrict desktop launches to machines with the “Worker Group 1” tag.
The Desktops tab for a delivery group allows you to view the machine tags required for its desktops.
Step 3: Restrict applications in application group to machines in “Worker Group 2”
From the Applications node in Citrix Studio, click the Create Application Group wizard. From here you can restrict application launches to machines with the “Worker Group 2” tag.
The Groups tab for an application allows you to view the machine tags required for its application groups.
Step 4: Delete “Worker Group 2” machine tag
At this point you may be wondering what happens when you attempt to delete a machine tag while it is being used to restrict an application group or desktop to a set of tagged machines. Don’t worry, we’ve got it covered! You will be prevented from deleting the machine tag and a warning page will be shown that details the application groups and/or desktops that would be affected by the deletion.
- Machine tag restrictions are optional and are similar to worker groups in XenApp 6.x.
- Both application groups and desktops can be restricted to a single set of tagged machines.
- Access of users to machines can be controlled through the use of machine tag restrictions without the need for additional delivery groups.
- When using machine tag restrictions, we recommend that fewer delivery groups are used.
See the product documentation for more information about restricting application groups and desktops to tagged machines.
If you have any questions, feel free to ask in the comments section below.