Skip to content

Advance Configurations

Enhanced Shell Tracking for Applications in Shell Mode

New session host server supports enhanced tracking of applications running in shell mode. Example of such applications are:

  1. Internet Explorer
  2. Explorer (My PC)
  3. Google Chrome
  4. Batch script driven app launches

Note

The feature is limited to applications delivery in shell mode only and will be controlled by Controller v3.3 or later, but if session host v3.3.0.11119 or greater is being delivered with older v3.2 controller, then it must be configured using registries carefully. Please see appendix for detailed information.

Configuration to Run Application with Specific User Credentials

In some deployments, it is required to run application with specific user privileges. From HyWorks v3.3 onwards, administrator will be able to configure to run application as:

  • Logged-in User (Default option)

  • System User

  • Specific User Credentials

For detailed step by step process is mentioned in application publishing section

Direct RDP/Console Block

In some deployments, it is required to block direct access (console/RDP) of users. The feature is integrated in HyWorks DVM agent, administrator will be able to configure access block using following registry settings in desktop VMs.

From HyWorks v3.4 onwards, session host server is having integrated DVM agent (Lite) and uses the same set of registries as DVM agent. Direct access can be blocked via registry entries of Session Host Server machine using following registry keys:

Registry key for Direct RDP Block:

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpBlocked

  • Default Value: True
  • Change to true and restart DVM agent service for changes to take effect. Now any non-admin users will be logged-out if attempted to take a direct RDP.

Registry key for Direct RDP Block for Admin Users:

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpAdminBlocked

  • Default value: False
  • Change as true and restart DVM agent for changes to take effect. Now even admin users will be logged-out if directly taking RDP of this desktop VM.

Registry key for Direct RDP/Console Block Timeout: (default: 15 seconds)

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpBlockTimeoutSec

  • Default value: 15
  • Desktop agent will wait for configured number of seconds for session validation. If it is not recognized as authorized session within configured time-limit, the session will be logged-out.

Registry key for Direct Console Block: (default: false), to block console access for desktop VM for non-admin users.

HKLM\SOFTWARE\Accops\DVMAgent\DirectConsoleBlocked

Registry key for Direct RDP/Console Block for Admin users: (default: false), to block console access for desktop VM for admin-users.

HKLM\SOFTWARE\Accops\DVMAgent\DirectRdpAdminBlocked

Important

  • The direct RDP block is enabled by default in latest DVM agent.
  • In some cases, where profile loading or connection is taking more time than configured time limit of direct RDP block, agent may interpret the session as a direct RDP connection and may log it out. The cases can be understood from logs and as per environment, the timeout can be increased.

Logs:

  • Following log will be created for sessions being logged-out by agent as direct RDP

    • Agent Log location: C:\Program Files (x86)\Accops\HyWorks Desktop Agent\Logs

    • Sample Log:

      Logging-out direct (Non-Accops) RDP session WTS ID [3] for user domain/username. Direct RDP session is not authorized. Logon-Time (34sec) and Connect-Time (37sec)

Allow calls from authorized controller(s) only

In some deployments, it is required to block unauthorized access to the session host service. From HyWorks v3.3 onwards, administrator will be able to configure block unauthorized access by updating authorized controller IPs list at: (default value: '*')

HKEY_LOCAL_MACHINE\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\AuthorizedControllerIPs

Note

  • Default value is set as '*', which means all controllers are open to connect.
  • Replacing '*' with one or more (multi-string) controller IPs results in allowing only those listed controller(s) to communicate with the local Session Host Service.
  • In case, if unauthorized controller try to communicate an error log will come into both agent and controller logs.

Session change event scripts support

In some deployments, it is required to execute some scripts in case of session change events, the feature is integrated in HyWorks. Six types of session change event types are supported here:

  1. CONNECT
  2. DISCONNECT
  3. LOCK
  4. LOGOUT
  5. RECONNECT
  6. UNLOCK

Registry Base:

HKEY_LOCAL_MACHINE\SOFTWARE\Accops\DVMAgent\EVENTS

The administrator will be able to configure the session change event via updating the registry entries. Details about the registry key values are as follow.

Key Name Name Value Type Meaning
EVENTS EnableForAdmins FALSE String Set this flag as True to enable Session Change Events scripts execution for Admin users too.
================ ========================== ============================ ==== =========
EVENTS\CONNECT ISENABLED FALSE String Set this flag as True to enable Connect Event script execution.
EVENTS\CONNECT SYSTEM_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Connect_System.bat String The script is used execute batch commands in System context while Connect event.
EVENTS\CONNECT USER_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Connect_User.bat String The script is used execute batch commands in User context while Connect event.
================ ========================== ============================ ==== =========
EVENTS\DISCONNECT ISENABLED FALSE String Set this flag as True to enable Disconnect Event script execution.
EVENTS\DISCONNECT SYSTEM_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Disconnect_System.bat String The script is used execute batch commands in System context while Disconnect event.
EVENTS\DISCONNECT USER_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Disconnect_User.bat String The script is used execute batch commands in User context while Disconnect event.
================ ========================== ============================ ==== =========
EVENTS\LOCK ISENABLED FALSE String Set this flag as True to enable Lock Event script execution.
EVENTS\LOCK SYSTEM_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Lock_System.bat String The script is used execute batch commands in System context while Lock event.
EVENTS\LOCK USER_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Lock_User.bat String The script is used execute batch commands in User context while Lock event.
================ ========================== ============================ ==== =========
EVENTS\LOGOUT ISENABLED FALSE String Set this flag as True to enable Logout Event script execution.
EVENTS\LOGOUT SYSTEM_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Logout_System.bat String The script is used execute batch commands in System context while Logout event.
EVENTS\LOGOUT ExecutePreLogoutScriptInSystemContext FALSE String Script will be executed in system context before logout.
EVENTS\LOGOUT ExecutePreLogoutScriptInUserContext FALSE String Script will be executed in user context before logout.
================ ========================== ============================ ==== =========
EVENTS\RECONNECT ISENABLED FALSE String Set this flag as True to enable Reconnect Event script execution.
EVENTS\RECONNECT SYSTEM_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Reconnect_System.bat String The script is used execute batch commands in System context while Reconnect event.
EVENTS\RECONNECT USER_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Reconnect_User.bat String The script is used execute batch commands in User context while Reconnect event.
================ ========================== ============================ ==== =========
EVENTS\UNLOCK ISENABLED FALSE String Set this flag as True to enable Unlock Event script execution.
EVENTS\UNLOCK SYSTEM_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Unlock_System.bat String The script is used execute batch commands in System context while Unlock event.
EVENTS\UNLOCK USER_CONTEXT_SCRIPT_PATH C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\Unlock_User.bat String The script is used execute batch commands in User context while Unlock event.
================ ========================== ============================ ==== =========

The scripts can be updated for other custom usage. Scripts root folder:

C:\Program Files (x86)\Accops\HyWorks Desktop Agent\scripts\

Note

  • HyWorks only provides platform to execute the scripts on different events on system. The scripts have to be generated as per requirements.
  • HyWorks v3.4 or later is having integrated DVM agent (Lite) and thus same set of registry keys (from DVM agent) and scripts are used.

Pre-Post Scripts for AppLauncher (Linux Only)

HyWorks v3.3 or later, now allows Pre & Post scripts execution while application/desktop launch which means before launching application or desktop these scripts will get executed as some deployments may need per-post cleanups.

The scripts can be updated at (folder):

/etc/edcdvm/linuxDVM/scripts/

Available Scripts names:

  • AppLauncherPostScript.sh
  • AppLauncherPreScript.sh

Note

  • The scripts are only placeholders and administrators have to provide scripts are per the requirements.

HyShell

HyShell is desktop customization utility, which comes integrated with HyWorks Session Host Server. The primary objective of HyShell is to publish and manage desktop shortcuts on desktop of user session from session host server. HyShell will only manage those desktop shortcuts which are created by it and not available as public shortcuts installed by administrator.

Purpose

HyShell is required to publish shortcuts of those applications (virtual), which are assigned to the users (which means user is authorized to use them) and need not to see so many shortcuts of those applications which are of no use. For example, a session host server is installed with 50 different applications where as a typical user uses only 5 of them and in this situation showing all 50 will be very confusing for the user, instead user is shown with only those 5 applications which are useful. Similar approach is followed for other users as well and this is what HyShell does with shared hosted desktop.

How does HyShell work?

The functioning of HyShell is simple, when user connects to shared hosted desktop from appropriate endpoint of HyWorks/HyLite, HyShell is invoked. It triggers communication with Controller to get list of applications which are assigned to user and belong to this session host server. Then HyShell creates desktop shortcuts for all applications which are assigned to user and removes any other shortcuts which are not assigned to user.

Session Host Server Components

AppLauncher: It gets called once user logged in via client. AppLauncher will execute HyShell script to customize the desktop. This script can set application access and launch HyShell to create Desktop shortcuts and start menu links.

HyShell: HyShell is running in user context so it will collect user details like user desktop path, user start menu path, user session id (WtsId) etc. After collection this basic information it will call Session Host API which is exposed for HyShell tasks.

SessionHost: Session host expose endpoint for HyShell to accept user related data and executes following tasks.

  1. Run HyShellServerPreScript.ps1 script: This script contains Power Shell code to perform some operation which is required before create desktop shortcuts.

  2. Get Application list and its details from local DB and Controller for specified user.

  3. Try to create desktop icons and start menu links for user applications.

  4. Run HyShellServerPostScript.ps1 script This script contains Power Shell code to perform some operation which is required after creates desktop shortcuts.

Enabling HyShell

To enable HyShell, following configurations need to be done:

  1. Configuring applications for getting published for shared hosted desktop (in HyShell)

    1. Login into HyWorks Controller Management console with administrator rights
    2. In Add/ Edit application wizard -> Additional Settings screen
      1. In Access Settings section, select following options:
        1. Create Desktop Shortcut -> On shared hosted desktops
        2. Pin Application to Start Menu -> On shared hosted desktops
    3. Enable above options for all applications whose shortcuts need to be created on shared hosted desktop.

    Note

    HyShell will create shortcuts of those virtual applications, which are published on HyWorks and Which application shortcuts will get created:

    • Applications are published in HyWorks and enabled for shortcut creation on shared hosted desktops

    • Applications which are installed and published from the current server on which user has got connection

  2. Enable HyShell on Session Host Server

    1. Windows Session Host Server: Enable HyShell from Registry Editor Follow below steps to enable HyShell on session host server (Windows)

      1. Connect to session host server remotely using user credentials having administrator privileges

      2. Open Registry editor (Open Run prompt, type 'regedit' and press enter key)

      3. In Registry editor, navigate to following location:

        HKEY_LOCAL_MACHINE\SOFTWARE\Accops\Controller\EDC\SESSIONHOST

      4. Create or update following registry value

        1. Type: string
        2. Name: IsDesktopCustomizationEnabled
        3. Value: True

      5. Save registry value and exit registry editor

      6. Restart HyWorks Session Host Agent service

    2. Linux Session Host Server: Enable HyShell from configuration file Follow below steps to enable HyShell on session host server (Linux)

      1. Connect to Linux SHD server via SSH Client(if ssh enabled) or console session

      2. Open HyShell configuration file, command:

        sudo vi /etc/edcdvm/linuxDVM/hyShell/hyshell.config

      3. Set the value for IS_HYSHELL_ENABLED to 1.

      4. If any user added in EXCLUDE_USERS_LIST, then desktop restriction is not applicable for EXCLUDE_USERS_LIST

      5. Restart DVM Agent Service, by using following command, sudo systemctl restart edcdvm

      6. Linux SHD is now enabled with HyShell.

Pre-Post Scripts for HyShell

HyWorks v3.3 or later, now allows Pre & Post batch scripts execution while executing HyShell as well, which means before launching HyShell these scripts will get executed as some deployment need some kind of per-post cleanups as well.

Windows Session Host

PowerShell Scripts: These scripts can be used by admin to enable any customization as per user/client requirements. E.g. pushing specific policies before and after HyShell execution. HyShell executes in user context and launch HyShell, other 2 scripts are executed in service context. mentioned below:

The scripts can be updated at (folder):

C:\Program Files (x86)\Accops\HyWorks\SessionHost\HyShellScripts\

Available Scripts names:

  1. HyShellLauncherScript.ps1 : It will be launched by AppLauncher. So runs in user context and launch HyShell. HyWorks admin can add their own customization code in this file which needs to execute in user context.

  2. HyShellServerPreScript.ps1 : This script will be executed in service context before creating shortcuts on the desktop. Should contain a set of command need to execute before creating shortcuts and current user don't have permission, such situations can be executed in the service context.

  3. HyShellServerPostScript.ps1 : This script will be executed in service context after the creation of shortcuts on the desktop. Should contain a set of command need to execute after creating shortcuts and current user don't have permission, such situations can be executed in the service context.

Linux Session Host

The scripts can be updated at (folder):

/etc/edcdvm/linuxDVM/hyshell/

Available Scripts names:

  1. HyShellLauncherPreScript.sh: This script will be executed in user context before creating shortcuts on the desktop. Should contain a set of command need to execute before creating shortcuts.

  2. HyShellServerPreScript.sh: This script will be executed in service context before creating shortcuts on the desktop. Should contain a set of command need to execute before creating shortcuts and current user don't have permission, such situations can be executed in the service context.

  3. HyShellLauncherPostScript.sh: This script will be executed in user context after creating shortcuts on the desktop. Should contain a set of command need to execute before creating shortcuts.

  4. HyShellServerPostScript.sh: This script will be executed in service context after the creation of shortcuts on the desktop. Should contain a set of command need to execute after creating shortcuts and current user don't have permission, such situations can be executed in the service context.