Did Ivanti Add “Layering” to Environment Manager FR4?

So layering and “VHD containers” seem to be a hot topic. Everyone seems to have a solution that utilizes “VHDs” in one way or another. Citrix has its “App Layering” product (formerly Unidesk), FSLogix has “Profile Containers” and “365 Containers”, Liquidware has “FlexApp”, and now Ivanti has “Cache Roaming”. All of these solutions utilize VHD files in one way or another.

Not all of these solutions are the same, however; there is a big difference between layering and containers. “Layering” is the ability to combine the contents of a “VHD” file with that of your operating system’s “VHD” to present a merged view of the files and registry settings within. Ron Oglesby talks about a petri dish when he explains it. What is reported back to the operating system is a top-down view of the layers, as if you were looking at a stack of petri dishes from the top.

The Unidesk logo illustrates it well (see below). If a file or registry value exists both in a layer above the operating system and in the layer below it, the top layer wins and the copy in the layer below is ignored. These solutions tend to be pretty complex, and compatibility among OSes and applications can be an issue as the layers change.

Containers, on the other hand, simply redirect a folder in the file system to a single “VHD” file. This file can reside on the local file system or a network share. The simplest example of this is FSLogix’s “Profile Containers”; it just mounts a VHD file that resides on a file server and is copied into the user’s c:\users\%username% folder at logon. As the user makes changes to their profile, those changes are actually written into the “VHD” file sitting on a network share. When the user logs off, the “VHD” file is simply disconnected.

So now that we know the difference between layering and containers the question is, “Did Ivanti add “layering” to Environment Manager?” No, not really, but they did add VHD containers in the form of two additional policy actions in Environment Manager Policy. See the image below.

So what do these two new Environment Manager actions actually do? Well, the “Manage VHD” action is the ability to create a container. This action will allow you to create a “VHD” file and mount it as a folder within the user’s profile. This could be “handy” to redirect “non-redirectable” folders within the user’s profile, which I have done in the past using symbolic links (https://community.ivanti.com/message/133574). The other benefit could be additional support for redirecting the Outlook OST file, much like FSLogix’s “Office 365 Container”. The image below represents the new dialog for managing the “VHD” policy action in Ivanti Environment Manager.

So, what is the “Cache Roaming” action and what does it do (see image below)? Well, this is simply a symbolic link action with some pre-set locations built in. You can use one of the pre-set locations or choose any path you would like, then you can redirect that location to another local folder or a network folder.

Quick note: The Application Name field here is simply a display name.

If you haven’t noticed, the suggested paths in the text boxes for both actions list “%LOCALAPPDATA%\VHD Root Folder”. It’s as if Ivanti is suggesting we create a VHD on a file share to mount a generic folder in the profile and then use symbolic links (Cache Roaming action) to redirect the local cache folders into this single “VHD”. In order for that to work, you would have to nest actions and use two different solutions to achieve the desired result. This adds quite a bit of complexity due to more moving parts.

These new actions are great additions for the experienced “Environment Manager” administrator but like a lot of the policy actions, if misused they can come back to bite you. Creating, mounting, and formatting a VHD file can take time… so much so that Ivanti added status messages at logon for it. When deciding if you want to use a container you’ll want to evaluate the folder in question and decide whether or not personalization would be better.

Some apps such as Chrome utilize many small files and as such are not good with personalization. Performance issues are often seen, as all these small files must be copied into the profile at logon and copied out at logoff. There is also a known issue with IIS, so personalization with large file sizes and file counts fails (https://community.ivanti.com/docs/DOC-46040).

These types of issues can be resolved by utilizing a “VHD” container. I’ve actually used a local “VHD” container to capture the Chrome settings and then used a Windows Setting Group to capture the single VHD. It’s a great example of this new feature and how it can be utilized to capture user settings and not just “caches”. The images below represent this example’s “Policy Action” and “Windows Setting Group”.

Windows Setting Group:

The above solution for Chrome will work for multi-session environments, meaning the user can launch Chrome from more than one device or session at a time. If we were to redirect the folder to a VHD on a file share, then the first session would lock the file and the folder would fail to mount from the second session/device. Things like the OST file will never fit in personalization, so they must be sent to a file share. This being the case, this solution will not work for multi-session environments.

Let’s imagine the file is locked, and the user launches a second session. The “VHD” action would fail and the OST file would be created in the default location within the local profile. Since it’s a new file the contents of the mailbox would start to download all over again. This file would then grow until the specified amount of mail is downloaded, possibly filling the write cache on your Citrix server.
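The failure described above can be detected at logon instead of being discovered when the write cache fills. The PowerShell below is an added example, not part of the original article or of Ivanti’s product; the share path and folder name are constructed placeholders, and it assumes the VHD is attached to the folder as an NTFS mount point.

```powershell
# Added example: paths are constructed placeholders, not values from the article.
# Assumption: the VHD is attached to the folder as an NTFS mount point.
function Test-VhdLocked {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }  # no file, no lock
    try {
        # An attached VHD is held open by the session that mounted it, so an
        # exclusive open (FileShare 'None') fails with a sharing violation.
        $stream = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $stream.Dispose()
        return $false
    }
    catch [System.IO.IOException] {
        return $true
    }
}

function Get-ContainerState {
    param(
        [Parameter(Mandatory)][string]$VhdPath,      # VHD on the file share
        [Parameter(Mandatory)][string]$MountFolder   # folder the VHD should be mounted to
    )
    $item = Get-Item -LiteralPath $MountFolder -Force -ErrorAction SilentlyContinue
    # A folder backed by a mounted volume carries the ReparsePoint attribute.
    $mounted = [bool]($item -and
        ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint))

    # If the mount failed, anything in the folder was written to the local profile.
    $strayBytes = 0
    if ($item -and -not $mounted) {
        $sum = (Get-ChildItem -LiteralPath $MountFolder -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
        if ($sum) { $strayBytes = $sum }
    }
    [pscustomobject]@{
        FolderIsMounted = $mounted
        LockedElsewhere = if ($mounted) { $false } else { Test-VhdLocked -Path $VhdPath }
        LocalStrayBytes = $strayBytes
    }
}

# Constructed sample values; replace with the paths used in your policy action.
$vhd    = "\\fileserver\containers\$env:USERNAME\cache.vhd"
$folder = "$env:LOCALAPPDATA\VHD Root Folder"
$state  = Get-ContainerState -VhdPath $vhd -MountFolder $folder
if (-not $state.FolderIsMounted) {
    Write-Warning ("Container not mounted (locked elsewhere: {0}); {1:N0} bytes written locally." -f
        $state.LockedElsewhere, $state.LocalStrayBytes)
}
```

The lock test is a point-in-time observation, so treat it as a diagnostic to log alongside the mount result rather than as a gate that guarantees the next mount attempt succeeds.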

FSLogix addressed this by utilizing “differencing disks”. Each session creates a “differencing disk” and that disk is merged into a base “VHD” file at logoff preventing disk locks. You can find more on the “differencing disks” here: https://wilkyit.com/2017/07/17/fslogix-concurrent-access-to-o365-containers-vhdaccessmode-explained/

As with any feature… I have my thoughts on it. First, it’s great that we have new functionality in the product, although at this point it seems like a bit of a “me too” move as most everyone is utilizing containers nowadays. I would love to see this feature enhanced with things like the “differencing disks” to support multiple sessions. I understand this is a “V1” feature and I’m glad to have it.

Hopefully we can see some improvement with it in the future.

Landon Winburn
Principal Architect
Critical Design Associates