In a previous post I described how to install and configure the ShareFile Windows Sync client and the ShareFile Outlook Plugin. In a few previous projects I needed to implement these clients in a Citrix XenApp / XenDesktop environment that also uses RES Workspace Manager for user personalization. Another challenge was that not every user within the XenApp / XenDesktop environments would get a ShareFile account, so access to the ShareFile clients had to be limited.
In this blog I will show you how to accomplish this in a few easy steps.
ShareFile Sync for Windows
Unlike on a local desktop or laptop, you will need to install the ShareFile Sync for Windows On-Demand version (Certified for XenApp and XenDesktop). The main difference between this version and the local desktop/laptop version is that files are not automatically available offline. A file is downloaded at the moment the user opens it.
Installation
Click Install
Select I accept the terms in the License Agreement and click Install
Click Finish
Click Close
Policies
The Windows Sync client can be configured through policies, using the ShareFileOn-demand.admx template. The template is located on any computer where the Windows Sync client is installed, in the following path: C:\Program Files\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions\
Install the ShareFileOn-demand.admx in the Policy Definitions directory of Active Directory so that these settings can be set globally.
For almost every ShareFile implementation I configure SAML integration for authentication (XenMobile AppController or ADFS). Therefore I set the following policy settings so that the Windows Sync client is configured automatically, without interaction from the end user.
Policies > Administrative Templates > ShareFile > Enterprise Sync
User policies;
  • Account: Enabled, <subdomain>.sharefile.eu (or .com)
  • Authentication Type: Single Sign on using AD credential
  • On-demandPersonalFolder: Enabled, Sync Personal Folder
Machine policies;
  • On-demandSyncDiskVolume: Enabled, C:\
RES Workspace Manager : Hide all Drives
A few things need to be set within RES Workspace Manager, but first check whether the following setting is applied under Drive and Port Mappings;
Hide all drives (unless otherwise specified)
This setting makes it impossible for the Windows Sync client to open the user's ShareFile file location. If this is the case, add the following mapping;
Fill in the following information;
  • Enabled: Yes
  • Administrative note: Only for Sharefile use
  • Action: Do not perform mapping operation
  • Device: C:
  • Friendly name: System Drive (only for Sharefile)
  • Hide drive: Always hide, but allow access
  • Access Control: <domain>\<ShareFile AD Usergroup>
RES Workspace Manager : Capture Windows Sync settings
For the ShareFile Sync client, settings need to be captured so that they roam with the user. To do this, add the following User Settings under Composition > User Settings;
Fill in the following information;
  • Name: Sharefile Sync
  • Zero Profile mode: Capture targeted items on session end
  • Enabled: Yes
  • Preserve: Roam settings for user to any device
  • Apply: Load on session start
  • Capturing: Registry Key: HKEY_CURRENT_USER\Software\Citrix\Sharefile\Sync
RES Workspace Manager : Limit access to the Windows Sync
If not every Citrix XenApp or XenDesktop user gets a ShareFile account, we need to limit access to the Windows Sync client. This can easily be done with RES Workspace Manager, but as an alternative you can also configure this with GPOs.
The first step is to make an export and then remove the following registry keys from the vDisk (or from every server if PVS is not being used);
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Citrix ShareFile Sync Monitor
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Citrix ShareFile Sync Session Agent
To make the ShareFile Sync client work for a selected ShareFile user group, the registry keys removed from HKEY_LOCAL_MACHINE must be added to HKEY_CURRENT_USER by using User Registry in RES Workspace Manager.
Fill in the following information;
  • Name: Anything you like
  • Administrative note: Automatic startup ShareFile Sync client (or something you like)
  • Enabled: Yes
  • Required connection state: Both online and offline connections
  • Access Control: <domain>\<ShareFile user group>
ShareFile Outlook Plug-in
For the ShareFile Outlook Plug-In 3.3, use the Per-machine MSI version. This is a silent installation without any installation dialogs. The automatic update function is not available in this version; automatic updating is also not recommended in a XenApp / XenDesktop environment where a read-only vDisk is used.
RES Workspace Manager : Limit access to the ShareFile Outlook Plug-in
To limit access to the ShareFile Outlook Plug-in, export and remove the following registry key from the XenApp / XenDesktop vDisk (or from every server if PVS is not used);
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule]
"FriendlyName"="ShareFile Outlook Plug-in"
"Description"="AddinModule"
"CommandLineSafe"=dword:00000000
"LoadBehavior"=dword:00000003
Within RES Workspace Manager, create a new User Registry with the above registry key, but under HKEY_CURRENT_USER, and add an Access Control filter for the ShareFile Active Directory user group.
For the non-ShareFile users, also create a User Registry and apply the following registry keys under HKEY_CURRENT_USER;
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule]
"FriendlyName"="ShareFile Outlook Plug-in"
"Description"="AddinModule"
"CommandLineSafe"=dword:00000000
"LoadBehavior"=dword:00000002
Add an Access Control filter for non-ShareFile users, for example; NOT in <domain>\<ShareFile user group>
Keep in mind the LoadBehavior registry key. If it is set to 3 the plug-in will be loaded; if it is set to 2, the plug-in will be disabled.
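To confirm that both access-limiting procedures above (Sync client autostart and Outlook plug-in) took effect, the following check can be run inside a user session. It is an added example, not part of the original post or of any Citrix or RES tooling; the group name CONTOSO\ShareFile-Users and the helper Get-RegValue are hypothetical, and the registry names are the ones listed in this post.

```powershell
# Added example: audit one session against the access model described above.
# Assumption: replace the placeholder group with your own ShareFile AD group.
param([string]$ShareFileGroup = 'CONTOSO\ShareFile-Users')   # hypothetical name

$runValues = 'Citrix ShareFile Sync Monitor', 'Citrix ShareFile Sync Session Agent'
$runSub    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$addinSub  = 'SOFTWARE\Microsoft\Office\Outlook\Addins\Malone.AddinModule'
# Note: 32-bit software on 64-bit Windows may register under SOFTWARE\Wow6432Node;
# extend the paths above if that applies to your image.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$isMember  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole($ShareFileGroup)
$findings  = @()

# Machine side: nothing may start or load the clients for every user.
foreach ($name in $runValues) {
    if ($null -ne (Get-RegValue "HKLM:\$runSub" $name)) {
        $findings += "HKLM Run value still present: $name"
    }
}
if (Test-Path "HKLM:\$addinSub") {
    $findings += 'HKLM Outlook add-in key still present'
}

# User side: autostart only for group members.
foreach ($name in $runValues) {
    $present = $null -ne (Get-RegValue "HKCU:\$runSub" $name)
    if ($present -ne $isMember) {
        $findings += "HKCU Run value '$name' present=$present, group member=$isMember"
    }
}

# User side: LoadBehavior 3 for group members, 2 for everyone else.
$expected = if ($isMember) { 3 } else { 2 }
$actual   = Get-RegValue "HKCU:\$addinSub" 'LoadBehavior'
if ($actual -ne $expected) {
    $findings += "HKCU LoadBehavior is '$actual', expected $expected"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "OK: ShareFile client exposure matches group membership ($isMember)" }
```

Run it once as a member of the ShareFile group and once as a non-member; any warning points at a registry entry that does not match the intended access control.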
RES Workspace Manager : SAML Configuration
To automatically configure the ShareFile Outlook Plugin for the end user with the correct authentication method, a registry key can be applied for the ShareFile users. With this registry key applied, the end user no longer gets the "Getting Started" wizard and the Plugin is configured silently.
Within RES Workspace Manager, configure a User Registry with an access filter for the ShareFile Active Directory user group. In the next example an .eu ShareFile account is used and SAML authentication integration is applied (ADFS). Add the following registry key;
[HKEY_CURRENT_USER\Software\Citrix\ShareFile\SSO]
"Method"="saml-integrated"
"UserConfigurable"=dword:00000000
"Subdomain"="<subdomain>"
"Domain"="sharefile.eu"
"ApiCP"="sf-api.eu"
RES Workspace Manager : Capture ShareFile Outlook Plug-in settings
To make the ShareFile Outlook Plug-in settings roam, capture the following file;
%appdata%\ShareFile\Outlook\config.cfg