Disable copy and paste or printing within your virtual application

Let me first say ThinApp is by absolutely no means a security product, it is an application virtualization product. But ThinApp, as an application virtualization product, certainly can help to make your environment more secure. For example when using ThinApp for your applications you can deploy critical patches much faster as it would be possible with traditional software deployment tool like SCCM or LanDesk.

That said customers still ask how they can disable certain functions within ThinApp to make their applications more secure. These functions are copy and past as well as cut and paste and of course printing. Obviously ThinApp can handle these requirements as one of the most versatile application virtualization solution on the market.

Disable copy and paste / cut and paste

To disable copy and paste within your virtual application you have to modify the package.ini in the [BuildOptions] section. To disable this functionality just add the following line:

DisableCutPaste=1

PackageIniCutPaste

If the user then tries to copy or cut and paste something he gets the following message by default.

PackageIniCutPasteResult

You can change this message by adding just another line and modify the message as wanted.

DisableCutPasteMsg=Administrator has disabled Cut and Paste for application %1s

The variable %1s will be replaced by the name of the process of which you want to copy or cut content from. In this example it is firefox.exe

Disable printing

To disable printing from a ThinApp package you also have to add just another line to your package.ini build options.

DisablePrinting=1

PackageIniDisablePrinting

When a user tries to print from the virtual application while this option is set he gets the following result.

PackageIniDisablePrintingResult

If this tip may come in handy you should pay Christoph Harding’s (@cdommermuth) blog called That’s my view (http://www.thatsmyview.net) a visit. He brought this customer requirement to my attention.

VMware announced Horizon Suite, but where did ThinApp go?

VMware today announced Horizon Suite as well as three new products called Horizon Workspace, Horizon Mirage and Horizon View.

VMwareEUCProducts

As you probably noticed two of these four products aren’t actual new. VMware View and VMware Mirage are still the same products, but updated and rebranded to match the new Horizon umbrella.

VMware Horizon View 5.2 contains many new cool features like clientless HTML 5 access, hardware accelerated 3D graphics and Windows 8 support. Andre Leibovici (@andreleibovici) wrote a very good article about what’s new in VMware Horizon View 5.2VMware Horizon Mirage 4.0 biggest new feature is the support for application layering. This allows you to deploy applications and ThinApp packages using Mirages new app layering technique.

VMware Horizon Workspace is a brand new product enabling IT departements to deliver secure and policy-driven data and applications to any device. Last but not least, Horizon Suite is a new product bundle which combines View, Mirage and Workspace. To get more information about the Horizon Suite and Workspace I suggest another great article by Andre: Introduction to the new VMware Horizon Suite.

With all the excitement about this product launch you may still have noticed that ThinApp is gone from the product listing. Don’t panic, ThinApp is still alive and kicking but there are some changes.

Unfortunately ThinApp will not be available as a standalone product anymore. ThinApp is now bundled with the Horizon product line. No matter if you buy Horizon Mirage, View, Workspace or the whole Suite you will always get ThinApp. ThinApp will be integrated in each of this products, so that you can see and use it as a product feature now.

To make a long story short: ThinApp transformed from being a standalone product to being an integral part of the Horizon product family. In my opinion that is a good thing. ThinApp will gain a lot of traction being an integral part of Horizon and also it will gain additional functionality. For example reporting and auditing when combined with Horizon Workspace or a completely new deployment method using Mirages app layers.

To be clear you can still use ThinApp in standalone mode. There is no need to deploy Horizon Workspace, View or Mirage to use ThinApp, but to license ThinApp in the future you have to buy one of the Horizon products. If you still want to buy ThinApp as a standalone product the ThinApp standalone licenses are still available to buy until the end of 2013. After that ThinApp will only be available as part of the Horzion product family. You can read more about the end of availability announcement of VMware ThinApp as a standalone product in the following FAQ: VMware ThinApp Client & Suite End of Availability and End of Support Lifecycle FAQs (direct link to PDF).

Ps: The ThinApp product page is still available.

ThinApp Scripting: Launch virtual application only if a specific process is not running

In my daily life as Consultant for VMware I implement a lot of customer specific scripts using the ThinApp scripting engine and I just thought: Why not share these scripts?

The following script can be used if a ThinApp application can or should not be launched if a specific process is already running. In this particular case a virtualized instance of SAP should only be able to launch if no native instance of SAP is running already.

' Run script if an entry point is launched
Function OnFirstParentStart

	' Initialize variables
	Dim objWMIService, objWMIProcess, objShell
	Dim colWMIProcess
	Dim strTitle, strMessage, strComputer, strProcess
	Dim intButton

	' Set computer to localhost
	strComputer = "."
	' Set process to check
	strProcess = "saplogon.exe"

	' Set error message
	strTitle = "VMware ThinApp"
	strMessage = "The process " & strProcess & "is already running!" & Vbcrlf & "Please close the process and then try again."
	intButton = 48

	' Connect to WMI service
	Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
	Set colWMIProcess = objWMIService.ExecQuery("Select * from Win32_Process Where Name='" & strProcess & "'")
	If colWMIProcess.Count > 0 Then
		' Display message box
		Msgbox strMessage, intButton, strTitle
		ExitProcess 0
	End If

' End of OnFirstParentStart Function
End Function

To implement this script in your ThinApp project just save the code above as .vbs file in your ThinApp projects folder und customize the variable strProcess. Just enter the process you want to check and you are ready.
You can also customize the error message the user gets by modifying the variable strMessage.

ThinApp Setup Capture doesn’t capture file type associations

Together with my friend Sebastian Stein (@BERSFO) from tempero.it we discovered a little problem with the ThinApp Setup Capture. When capturing an application, in our case we captures ACDSee, it may happen that the Setup Capture wizard doesn’t record the file type associations registered by the application.

You can easy fix this using the commandline tools assoc and ftype to reregister the file type associations during the capture process. For a detailed description see Sebastian’s article.
Virtualize ACDSee with ThinApp and register File Types

ThinDirect redirection message does not close automatically

Normally the ThinDirect redirection message disappears after a few seconds when a web page got redirected.

ThinDirectNormal

In some cases the redirection may working properly but the ThinDirect redirection message does not close automatically.

ThinDirectBroken

Most of the time the reason for this behavior is caused by very restrictive Internet Explorer security settings. In particular when the security setting option Active Scripting is disabled. This is the case if the standard security level High is chosen for the zone Internet where the ThinDirect add-on belongs to by default.

IEActiveScriptingIESecurityHigh

There are two solutions to get the redirection message to disappear again:

  1. Enable Active Scripting for the zone Internet or
  2. Add “about:internet” to the local intranet or trusted sites

Virtualize Microsoft Visio 2010 and Project 2010 while Microsoft Office 2010 is installed locally

My colleague Peter Björk (@thepeb) wrote a very helpful article on how to virtualize Microsoft Visio and Project 2010 while Microsoft Office is locally installed!

“While many are virtualizing Microsoft Office 2010 during a Proof Of Concept (POC) most companies decide to install Microsoft Office natively rather than virtualizing it. Both packaging method are valid but many times it’s easier and more efficient to have Office locally installed. That said, virtualizing Microsoft Visio and Project is a whole different ballgame. Virtualizing Visio/Project makes very much sense in many designs. There are quite a few KB articles and blog posts out there covering Office 2010 and it’s components. But so far I’ve yet to see a complete list of what is needed in order to build a Visio/Project package and have it coexist and to a certain degree integrate with native Office. So I started to collect all data I found on Internet. I ended up adding a couple thinks myself as well.”

Check out Peter’s article on the official VMware ThinApp blog.
ThinApp Microsoft Visio and Project 2010 while locally installed Microsoft Office 2010

ThinApp, OS migrations and application compatibility

StarkWinXPEoS

Image source: http://memegenerator.net/instance/34382526

A picture is worth a thousand words.

We all know that the official support for Windows XP ends on April 8, 2014.

Therefore many customers starting to look at ways to migrate their legacy applications from Windows XP to a newer version of Windows. While many applications may run on Windows 7 (or later) without any hassle there are still some apps which aren’t working on Windows 7 out of the box. As always exactly these apps are most likely declared as business critical or at least very important.

Many people see ThinApp as the silver bullet when it comes to OS migrations and application compatibility issues. To a certain degree they are right, ThinApp can definitely help to solve many application compatibility issues and ease the pain of a Windows 7 migration. But ThinApp unfortunately can’t perform magic.

There are many reasons why applications won’t run on Windows 7. To understand if ThinApp can help or not we first have to analyse why applications may not run on a newer version of Windows.

Common Compatibility Issues

  • Deprecated .dll files, executable (.exe) files, COM objects, registry keys and application-programming interfaces (APIs)
  • Hard-coded locations (file locations, directories, registry keys)
  • User Account Control (UAC)
  • Operating System Version Changes
  • Dependencies to a specific Internet Explorer version
  • 64-bit versions of Windows do not support 16-bit components, 16-bit processes, or 16-bit applications

Source: http://technet.microsoft.com/en-us/library/cc766242(WS.10).aspx

Some of these issues can easily be fixed even with built-in Windows functions. For example an application may check on which operating system it is running (see Operating System Version Changes in the source link above) and refuses to run if not running on top of Windows XP. You can easily fool the application to think it is running on Windows XP even if it is really running on Windows 7 using the compatibility mode option.

However other issues aren’t fixable at all. If an application relies on 16-bit components or is a 16-bit application itself and you want to migrate to a 64-bit version of Windows you are out of luck. The application simply will not work. You could however use VMware Workstation or View to deploy 32-bit virtual Windows machines for your legacy 16-bit applications. Another example for an application which will probably not work if it depends on APIs which are deprecated or undocumented and therefore not available or working different in Windows 7.

Where ThinApp can’t help

  • Running applications which depend on deprecated APIs
  • Run 16-bit applications on 64-bit Windows.

Other reasons why an application might fail to work on Windows 7 like deprecated .dll files, hard-coded locations and dependencies to specific versions of Internet Explorer are a perfect fit for ThinApp!

With ThinApp you are able to:

As you can see there are many cases in which ThinApp can provide help running legacy Windows XP applications on Windows 7 even if they wouldn’t work when installed natively. However there are no guaranties this will work and it may require some effort to get it working. Still it is worth a try considering all the benefits you gain when using ThinApp especially when migrating to a newer version of Windows.

If you want to know exactly when support for Windows XP will end you should try the official Windows XP End Of Support Countdown Gadget.

ThinApp Scripting with VBScript

Most of the times when I talk to our customers they want some functionality in ThinApp which it doesn’t offered out of the box.  For example:

  • Allow to run a virtualized application only until a specific date.
  • Update a configuration file every time the applications is launched.
  • Allow an application only to be executed when user is inside the corporate office.
  • Messure the usage of an application.
  • Enforce licensing restriction.
  • And so on…

While such functionality, as already said, isn’t offered by ThinApp out of the box there is something else much more powerful available. With ThinApp you have a fully fledged scripting engine available in each and every ThinApp package. This allows you to implement advanced functionalities like the examples mentioned above.

ThinApp supports running VBScript-based scripts out of the box. Just place your .vbs files side by side to the package.ini, run build.bat and you have successfully integrated your script in your ThinApp package. While it is really that simple there are some very helpful things you should know about.

Functions

The ThinApp script engine natively supports VBScript. Besides the whole spectrum of VBScript functions the ThinApp script engine itself provides some additional functions. For example:

  • ExpandPath
    This function allows us to convert a macro folder to a system folder.
  • ExecuteExternalProcess
    With this function it is possible to launch a process outside the virtual environment.
  • GetBuildOption
    GetBuildOption lets us look inside the package.ini file.
  • GetFileVersionValue
    With this function we are able to check if a file has for example a specific version.
  • GetCommandLine
    This option show the command line argument a entry point was called with.
  • GetCurrentProcessName
    Show the name of the current process which triggered the VBScript launch.
  • SetRegistryIsolation
    With the help of this function you can change the registry isolation mode for a specific key during the runtime.

These are just a few example of functions the ThinApp script engine supports. All of them are documented in the ThinApp User’s Guide. Using a bit of VBScript and some of the specific ThinApp functions you could for example implement your own little help function to your ThinApp packages which works as follows:

Launch your ThinApp entry point with the parameter -thinstallhelp.
ThinAppHelpCommand

And as a result you see a message box with some helpful information about your ThinApp package.
ThinAppHelpMessage

Here is the code realizing this little helper.

Function OnFirstParentStart

	' Check command line input for help parameter (-thinstallhelp)
	If InStr(GetCommandLine(), "-thinstallhelp") Then

		' Get current entry point / process
		strCurrentProcess = GetCurrentProcessName

		' Get build options from package.ini
		strInventoryName = GetBuildOption("InventoryName")
		strSandboxName = GetBuildOption("SandboxName")
		strCaptureRuntime = GetBuildOption("CapturedUsingVersion")
		strOptAppLinks = GetBuildOption("OptionalAppLinks")
		strReqAppLinks = GetBuildOption("RequiredAppLinks")

		' Set message box title
		strTitle = "ThinApp Help"

		' Compose output
		strMessage = "Current entry point / process: " & strCurrentProcess & Vbcrlf & Vbcrlf & "InventoryName: " & strInventoryName & Vbcrlf & "SandboxName: " & strSandboxName & Vbcrlf & "Capture Runtime: " & strCaptureRuntime & Vbcrlf & "Optional AppLinks: " & strOptAppLinks & Vbcrlf & "Required AppLinks: " & strReqAppLinks

		' Display message box with Ok button and title
		Msgbox strMessage, 0, strTitle

		' Exit process as we just want to show the help message
		ExitProcess 0

	End If
   
End Function

Callback functions

As soon as you add a VBScript to your ThinApp package the script gets executed every time a process gets launched within your ThinApp package. This equally applies to manually launched entry points and automatically launched child processes. As you can imagine this isn’t a very good behavior performance wise. For this reason the ThinApp scripting engine includes so-called callback functions. Callback functions help to control when and how often your VBScript code is executed.

Callback function
When to use?
OnFirstSandboxOwnerUse this callback function if you want to run your code each time your sandbox gets locked. This means as soon as the first process launches and locks your sandbox, normally the first entry point your launching, your code gets executed.
OnFirstParentStartThis function is called every time a ThinApp entry point is launched.
OnFirstParentExitOnFirstParentExit is executed each time a parent process (an executable launched by an entry point) is closed. It is also executed if some child processes are left.
OnLastProcessExitThis function is useful if you want to run your code when all processes of your virtual application are closed. As soon as the last process quits this script gets executed.
-When you not place your code in one of these callback functions your code will be executed each time a new process in your ThinApp package launched.

For a better understanding which functions is called when try the following example. Just save the code below as example.vbs file in your ThinApp project directory, rebuild your application and start using it. The example script displays a pop up message with the name of the function currently executed and the name of the process triggering the function.


Function OnFirstSandboxOwner

   strMessage = "OnFirstSandboxOwner: " & GetCurrentProcessName
   MsgBox(strMessage)

End Function

Function OnFirstParentStart

   strMessage = "OnFirstParentStart: " & GetCurrentProcessName
   MsgBox(strMessage)

End Function

Function OnFirstParentExit

   strMessage = "OnFirstParentExit: " & GetCurrentProcessName
   MsgBox(strMessage)

End Function

Function OnLastProcessExit

   strMessage = "OnLastProcessExit: " & GetCurrentProcessName
   MsgBox(strMessage)

End Function

strMessage = "OnEveryProcess: " & GetCurrentProcessName
MsgBox(strMessage)

.vbs files

As you may have discovered in your own testing you can add more than one script (.vbs) file to your project directory. If you add multiple scripts every script gets executed in alphanumerical ascending or descending order. The callback function OnFirstSandboxOwner is using an ascending order while all other callback functions are using a descending order. Have a look at an example using two scripts called A.vbs, B.vbs and C.vbs and the callback functions OnFirstSandboxOwner and OnFirstParentExit:

Execution order OnFirstSandboxOwner:

  1. A.vbs
  2. B.vbs
  3. C.vbs

Execution order OnFirstParentExit:

  1. C.vbs
  2. B.vbs
  3. A.vbs

As you see it is a bit chaotic and I strongly advice only to work with one VBScript file.

AppLinks

Also if you are using AppLinks and you linking two or more ThinApp packages each containing VBScripts you have to be aware of the following circumstances. Let’s suppose you have two ThinApp packages each containing a bunch of scripts. ThinApp package 1 contais A.vbs, B.vbs, D.vbs and Z.vbs while ThinApp package 2 contains A.vbs and C.vbs. ThinApp package 1 has ThinApp package 2 configured as an AppLink. What do you think happens now? Here is an example when the scripts are executed in the callback function OnFirstParentStart:

  1. A.vbs (from ThinApp package 2)
  2. B.vbs (from ThinApp package 1)
  3. C.vbs (from ThinApp package 2)
  4. D.vbs (from ThinApp package 1)
  5. Z.vbs (from ThinApp package 1)

As you can see the order is still the same as discussed in the .vbs file section with one exception. As both packages contained the A.vbs file only the A.vbs file from the second ThinApp package is executed. This behavior is anticipated as files from a child AppLink package (in this case ThinApp package 2) are always overwriting files from its parent AppLink package (in this case ThinApp package 1).

Conclusion

You now know that ThinApp has an integrated script engine which natively supports VBScript, callback  and some addition function. You also know how the ThinApp script engine works. With these insights you should now be able to realize some if not all of the missing functions you always wanted ThinApp to have – assumed you have a little bit of know how in the VBScript corner.

How to check what ThinApp version a package was built with

To check what ThinApp runtime version was used to build a single package you can use a simple command line argument.

MyThinAppPackage.exe -thinstall

ThinstallVersionCmd

While this is good enough to check one or two packages it isn’t very practical if you need to check a whole bunch of packages. Also the -thinstallversion command line parameter isn’t very script friendly either. But no worries the ThinApp SDK and PowerShell come to the rescue. The following script allows us to list the ThinApp runtime version of a specific file or all files in a folder (and subfolders):

Param
(
    [Parameter(Mandatory=$true)]
    [ValidateScript({ Test-Path $_ })]
    [string]
    $Path
)

$ThinApp = New-Object -ComObject ThinApp.Management
$files = Get-ChildItem $Path -Recurse | ForEach-Object {$_.Fullname}

ForEach ($file in $files)
{
    Try
    {
        $ThinAppType = $ThinApp.GetThinAppType($file)
    }
    Catch
    {
      $ThinAppType = $null
    }

    If (($ThinAppType -lt 6) -and ($ThinAppType -gt 0))
    {
        $ThinAppPackage = $ThinApp.OpenPackage($file)
        New-Object -TypeName PSObject -Property @{
            Name = $ThinAppPackage.InventoryName
            Version = $ThinAppPackage.ThinAppVersion
            Path = $file
        }
    }
}

Row 1-7 is used to quiz the user for a path or a file. Then in row 9 the ThinApp com object is created and in row 10 a list of fully qualified file names (even of files in subfolders) based on the user provided path or file is created. In row 14 to 21 the script checks if it can get the ThinApp type of the current file and if not it catches the error. Within lines 23 – 30 if the current file is a valid (1-5) ThinApp package it reads out the InventoryName, file name and path and the ThinApp runtime version and creates a new PowerShell object for it.

In action it looks like this:
ThinstallVersionPSPath

In order to use this script you have to register the ThinApp SDK (to learn how to do it visit my “Getting started with ThinApp SDK and PowerShell” article) and then just execute the script in a PowerShell console and provide a folder or file. Here are some examples:

To check the version of a single file:

.\Get-ThinAppVersion.ps1 -Path 'Z:\ThinApp\Apps\Mozilla Firefox.exe'

To check the version of all files in the provided folder and subfolders:

.\Get-ThinAppVersion.ps1 -Path Z:\ThinApp\Apps

You can even check files and folders on a network share:

.\Get-ThinAppVersion.ps1 -Path \\server\thinapp
To execute this script your PowerShell execution policy need to be set to “Unrestricted” (or lower) as this script isn’t signed. More information about the PowerShell execution policy can be found via the following link: http://technet.microsoft.com/en-us/library/ee176961.aspx

As the output is a fully functional PowerShell object you can do some cool stuff. For example you can create a CSV file listing all your ThinApp packages and the corresponding version or filter for a specific runtime version.

To export the results to a CSV use this command:

.\Get-ThinAppVersion.ps1 -Path Z:\ThinApp\Apps | Export-Csv -Path C:\temp\MyThinAppRuntimeVersions.txt

To only list ThinApp packages which are using a specific runtime version use this command:

.\Get-ThinAppVersion.ps1 -Path Z:\ThinApp\Apps | Where-Object {$_.Version -eq "4.7.0-556613"}

Download the script using the button below.
Download

Release: VMware Horizon Workspace for iOS and Android

VMware Horizon Workspace for iOS and Android is now available in the Apple AppStore and Google Play.

This slideshow requires JavaScript.

This is a little glimpse in the future of what VMware has up in its sleeves for 2013. Horizon Suite is announced to be available in Q1/2013 and was already demonstrated at VMworld 2012.

VMware Horizon Workspace for iOS enables secure, anywhere access to files, applications and View Desktops from any device. To use VMware Horizon Workspace you need an account on your company’s internal VMware Horizon Workspace system, please contact your system administrator for details.

FEATURES:
*View all your files from your other computers and devices.
*Collaborate with people within or external to your organization.
*Upload new and manage your files and folders.
*View files even when offline.
*Access your enterprise applications from anywhere.
*Once device is authorized, no need to remember extra passwords.
*Open your View Desktop with HTML Access or View Client for iOS.
*Easily manage your device and data, including the ability to remote wipe from a central web console.
*Works with iOS 6.x and above

VMware Horizon Workspace for iOSVMware Horizon Workspace for Android

Page 2 of 3123