Restricting Application Access by XenApp Services Site

Posted on 2011/01/18


Have you ever needed to restrict what applications a user can access via their iPad? What if you want to allow a user to access one set of applications but filter the application set by devices, such as when a user is connecting via an iPad or mobile device?

One method is to set up an Access Gateway, create a filter, and then modify the application properties in XenApp to require that filter for accessing the application. This is a wonderful solution when all the application access is coming through an Access Gateway already, such as with external users coming in through a NetScaler. However, internally, it doesn’t always make a lot of sense to add an Access Gateway (or a NetScaler) just for application management, nor does it seem like a good idea to publish two versions of the same application for users not connecting through an Access Gateway.

Another method is to filter the applications displayed to the device by modifying the Enumeration.java file on the XenApp Services site (C:\inetpub\wwwroot\Citrix\<YourSiteNameHere>\app_code\PagesJava\com\citrix\wi\pna), as described in Citrix KB article CTX123969. This modification, though, relies solely on a “tag” character at the beginning of the description field. If it exists, the code can filter that application out of (or into) the list returned to the end user.

It turns out that my client had some good business reasons for filtering different applications based on the device the user was connecting from. However, an application has only one description field so the trick was to make the description field work with multiple tags. What I came up with was a modification to that same code, but where the filter was looking for any value after a pre-defined delimiter. In other words, I could use a delimiter like “#” and then use device selector codes like say 1,2,3,4 in the description to allow different application lists based on the XenApp Services site.

For instance, suppose I had the following applications, with the descriptions listed below and with requirements for displaying them on a regular corporate device, within a XenDesktop session, or on an iPad mobile device, all accessed with the same user credentials.

Application Application Description Display on Corporate PC (1) Display on XenDesktop (2) Display on iPad (3)
Application 1 Application 1 Description Yes Yes Yes
Application 2 Application 2 Description Yes No No
Application 3 Application 3 Description Yes Yes No
Application 4 Application 4 Description Yes No Yes

The trick is to create a separate XenApp Services site for each one of the devices and control access to the site via Merchandising server, Access Gateway, or NetScaler. The next step is to modify the Web Interface code to display a different application set based on the XenApp Services site accessed by using the application’s description field. The code below looks for a delimiter character (#) and then looks to see if the application description contains the device specific display code of “2” as indicated for the site.

//The line below and the last line of this code segment
//already exist in the code. You are inserting the code
//between those two lines.
//
ResourceInfo[] resources = enumRequest.getAllResources();
//Begin code insert to create a new array and filter it
//based on the delimiter and site identifier found in the
//Application Description field. The new array then
//replaces the original array that contained the complete
//Appset returned for the user.
//
//The delimiter character is # and specified at the end of the
//line that reads:
//int DelimLocate=resources[i].getDescription().lastIndexOf("#")
//
//The site code character is 2 and specified at the end of the
//line that reads:
//int CodeLocate=resources[i].getDescription().lastIndexOf("2")
//
//Modify the delimiter and site code for your environment
//directly on the lines listed above.
//
java.util.ArrayList filtered = new java.util.ArrayList();
for (int i=0; i<resources.length; i++)
{
 int DelimLocate = resources[i].getDescription().lastIndexOf("#");
 int CodeLocate = resources[i].getDescription().lastIndexOf("2");
 //lastIndexOf returns -1 when the character is absent and 0 when
 //it is the first character, so >=0 accepts a leading delimiter.
 if (CodeLocate>DelimLocate && DelimLocate>=0)
 {
    filtered.add(resources[i]);
 }
}
resources = (ResourceInfo[]) filtered.toArray( new ResourceInfo[0] );
//
//The array has now been replaced with a filtered version of
//itself, and the original code then continues.
//
String responseContent = pnaService.generateEnumerationResponse( resources );

Based on the code above, when the delimiter is a “#” sign and the site codes are 1, 2, and 3, modifying the application descriptions as follows enables filtering of the applications on each site where the Java code above has been implemented with that site’s code.

Application Application Description Site 1 (PC) Site 2 (XD) Site 3 (iPad)
Application 1 Application 1 Description #123 Yes Yes Yes
Application 2 Application 2 Description #1 Yes No No
Application 3 Application 3 Description #12 Yes Yes No
Application 4 Application 4 Description #13 Yes No Yes

Just for clarification, the algorithm used above is fast but not super smart. If a delimiter is used unexpectedly and the site value (a number in this case) appears after the delimiter, the application filter will match. The table below shows some sample descriptions and the results:

Description Results
Application 1 Description #23 Appears for sites 2 & 3 (delimiter correctly used and numbers prior to the delimiter are ignored.)
#Application 2 Description Appears for site 2 (delimiter at the front enables all site codes after it)
Application 3 Appears for no sites (delimiter not found)
Application #2 #1 Appears for only site 1 (last instance of the delimiter is used for matching)

I suggest using a delimiter value not already found in the existing application descriptions to keep applications from accidentally being included in the filter. Once the XenApp Services sites are created and users are automatically routed to the correct site based on the type of device, all the application sets can be managed through the Delivery Services console. Of course, any site without the modified code will continue to display the full appset for the user, since it will not be filtering on the application description.
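
As an added example (not part of the original post and not Citrix code), this stand-alone Java harness runs the matching rule as the results table above describes it next to a stricter variant. The stricter rule is an assumption of this example: the tag must end the description and contain only digits after the delimiter. The class and method names are hypothetical, and the last sample description is constructed to show a delimiter occurring in ordinary text.

```java
// Added example: stand-alone harness, not Citrix Web Interface code.
public class TagFilterDemo {
    static final char DELIM = '#';   // delimiter used in the post

    // Rule from the post: the site code appears anywhere after the last delimiter.
    static boolean matchesLoose(String desc, char site) {
        int delim = desc.lastIndexOf(DELIM);
        int code = desc.lastIndexOf(site);
        return delim >= 0 && code > delim;
    }

    // Stricter rule (assumption, not from the post): the description must end
    // with a tag made of the delimiter followed only by digits, e.g. "#13".
    static boolean matchesStrict(String desc, char site) {
        int delim = desc.lastIndexOf(DELIM);
        if (delim < 0 || delim == desc.length() - 1) return false;
        boolean found = false;
        for (int i = delim + 1; i < desc.length(); i++) {
            char c = desc.charAt(i);
            if (c < '0' || c > '9') return false;  // free text after '#': not a tag
            if (c == site) found = true;
        }
        return found;
    }

    // Lists the site codes (1 to 3) on which a description would be displayed.
    static String sites(String desc, boolean strict) {
        StringBuffer out = new StringBuffer();
        for (char s = '1'; s <= '3'; s++) {
            if (strict ? matchesStrict(desc, s) : matchesLoose(desc, s)) out.append(s);
        }
        return out.length() == 0 ? "-" : out.toString();
    }

    public static void main(String[] args) {
        String[] samples = {
            "Application 1 Description #23",   // from the post
            "#Application 2 Description",      // from the post
            "Application 3",                   // from the post
            "Application #2 #1",               // from the post
            "Ticketing (queue #3) v2"          // constructed: '#' in ordinary text
        };
        for (int i = 0; i < samples.length; i++) {
            System.out.println(samples[i] + " | loose=" + sites(samples[i], false)
                + " | strict=" + sites(samples[i], true));
        }
    }
}
```

Running it over an export of the real application descriptions before enabling a site shows which applications the loose rule would display unintentionally.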

I hope you found this post useful. As always, feel free to comment. If you would like to be notified of future posts, please follow me on Twitter @pwilson98.
