FSLogix App hiding

I am a fan of utilizing a single image when possible for environments.  Loading everything into a single image guarantees apps can interact with each other correctly, and reduces the number of images IT has to support.  However, not all users need access to all applications, including management tools that you may want to have installed for ease of administration.  You can use NTFS permissions to restrict access to apps, but the apps are still visible.  Audits will also show these apps as present and will not necessarily show the access rights.

FSLogix has an Application hiding tool that comes with the standard FSLogix profile engine.  It uses the same hooking tool into the file system and registry, but instead of creating a pointer to something, it hides pointers to resources.  It hides them so effectively that for all intents and purposes the app is not installed on the machine.  Visibility of these apps is tied to Active Directory groups, so giving access to the app is as easy as adding the user to a group and having them log in again.

Application hiding rules are read from C:\Program Files\FSLogix\Apps\Rules during the FSLogix service start.  So create your rules with the Rules Editor, deploy them to this folder and then reboot/deploy your machine.

Jeff’s Soapbox time

I would love to see this rules editor and deployment integrated into Citrix WEM.  I used to use the AppLocker functionality available there, but this is a much cleaner and more solid solution than I had with AppLocker.  I will still utilize AppLocker when dealing with compliance sites where they need system standard lockdowns, but for the smaller deployments where there are fewer apps to hide or manage, this tool wins out.

Installation

To install the Rules Editor, download the latest FSLogix install from https://aka.ms/fslogix/download

Extract FSLogixAppsRuleEditorSetup from the x64\Release folder and execute it, accepting the defaults.

Once installed, launch it from the Start Menu.

Click New, select a folder to store your Rule, enter a name and then Click Enter file name.  This will start the Rule Wizard.

From this wizard you can create a Blank Rule Set to manually set all your features, point to the path of a program install, or select an install that is accessible from Add/Remove Programs.  The majority of application sets I have created leverage the Installed Programs option.  Once you have selected your choice, click Ok.

When the process shows Complete, click OK.

You can now modify these rules as necessary.  When hiding some suite programs like Project or Visio, the wizard will automatically add the whole Office directory, so be sure to pare those down to just what is needed.

Click the Manage Assignments button on the task bar.

Here you will set who this rule applies to (the app is hidden) and who it doesn’t apply to (allowed access to the app).  When there is nesting of groups, you may need to move policies up or down to guarantee the appropriate logic.

IMPORTANT NOTE: Ensure that any account that installs/updates applications has "Rule does not apply to user/group" applied to it.  Otherwise installers will receive errors attempting to install applications onto a machine where the application is already present but hidden.  I have had situations where I have had to re-train engineers on this function.

Once completed Click Ok.

You can now save in the Rules Editor app.  In the folder you selected earlier you will see your rules and assignments files.  Copy those to the C:\Program Files\FSLogix\Apps\Rules folder and restart the FSLogix services to test.
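
The copy-and-restart step above can be scripted so that every rule ships with its assignment file and the Rules folder is checked for files that did not come from your staging location. This is an added example, not part of the original post or FSLogix tooling. Assumptions: the staging share path is hypothetical, the Rules Editor saves rules as .fxr and assignments as .fxa, and the service is named frxsvc (confirm with Get-Service on your build).

```powershell
# Added example: deploy FSLogix rule sets and verify what landed in the Rules folder.
# Run elevated. $Source is a hypothetical staging share; replace with your own.
param(
    [string]$Source   = '\\fileserver\FSLogixRules',
    [string]$RulesDir = 'C:\Program Files\FSLogix\Apps\Rules'
)
$ErrorActionPreference = 'Stop'
$deployed = @()

foreach ($rule in Get-ChildItem -Path $Source -Filter '*.fxr' -File) {
    # Ship a rule only together with its assignment file, so who it applies to
    # is always defined by the file you reviewed in Manage Assignments.
    $assignment = [IO.Path]::ChangeExtension($rule.FullName, '.fxa')
    if (-not (Test-Path -LiteralPath $assignment)) {
        Write-Warning "Skipping $($rule.Name): no matching .fxa assignment file"
        continue
    }
    foreach ($file in $rule.FullName, $assignment) {
        $dest = Join-Path $RulesDir (Split-Path $file -Leaf)
        Copy-Item -LiteralPath $file -Destination $dest -Force
        # Confirm the deployed copy is byte-identical to the staged one.
        $srcHash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { throw "Hash mismatch after copy: $dest" }
        $deployed += Split-Path $file -Leaf
    }
}

# Drift check: anything in the Rules folder that was not just deployed
# is a rule or assignment nobody staged, which changes what users can see.
Get-ChildItem -Path $RulesDir -File |
    Where-Object { $_.Name -notin $deployed } |
    ForEach-Object { Write-Warning "Not in staging: $($_.FullName)" }

# Rules are read when the service starts, so restart it to pick up changes.
# 'frxsvc' is the assumed service name; check with: Get-Service frx*
Restart-Service -Name 'frxsvc'
"Deployed $($deployed.Count) file(s) to $RulesDir"
```

Review any "Not in staging" warnings before removing files, since a leftover rule set may still be hiding an application that users should not see.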

 
