When you capture and store ThinApp applications to distribute from VMware Identity Manager, you must meet certain requirements.
Requirements on the ThinApp Packages
To create or repackage ThinApp packages that VMware Identity Manager can manage, you must use a version of ThinApp that VMware Identity Manager supports. VMware Identity Manager supports ThinApp 4.7.2 and later. For updated information about supported versions, see the VMware Product Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
You must have ThinApp packages that VMware Identity Manager can manage. In the ThinApp capture-and-build process, you can create packages that VMware Identity Manager can manage or ones that it cannot manage. For example, when you use the ThinApp Setup Capture wizard to capture an application, you can make a package that VMware Identity Manager can manage by selecting the Manage with Workspace check box. See the VMware ThinApp documentation for detailed information on ThinApp features and the appropriate parameters to use to create a package compatible with VMware Identity Manager.
For existing ThinApp packages, you can use the relink - h command to enable the packages for VMware Identity Manager. For information about how to convert existing ThinApp packages to packages that VMware Identity Manager can manage, see the VMware Identity Manager Administration Guide.
You must store the ThinApp packages on a network share that meets the requirements for the combination of network share type, repository access, and desired ThinApp package deployment mode for your organization's needs.
Requirements on the Network Share Repository
The ThinApp packages must reside on a network share, also known as the ThinApp package repository. The network share must be accessible using a Uniform Naming Convention (UNC) path from each system running the VMware Identity Manager Desktop application used to access the ThinApp packages. For example, a network share named appshare
on a host named server
is accessible using the UNC path \\server\appshare. The fully qualified hostname of the network share folder must be resolvable from VMware Identity Manager.
The network share can be a Common Internet File System (CIFS) or a Distributed File System (DFS) share. The DFS share can be a single Server Message Block (SMB) file share or multiple SMB file shares organized as a distributed file system. CIFS and DFS shares running on NetApp storage systems are supported. DFS shares on Isilon storage systems are also supported.
The network share must meet the criteria appropriate for the type of access you configure VMware Identity Manager to use for accessing the ThinApp package repository: domain-based access or account-based access. The type of access determines the allowable combinations for the following items:
- Whether you use a CIFS network share or a DFS network share for the ThinApp package repository.
- Whether you must join VMware Identity Manager and the network share's host to the same Active Directory domain.
- Whether the user's Windows system must join the Active Directory domain to use the ThinApp packages.
- The ThinApp package installation mode that the installed VMware Identity Manager Desktop application is set to use for obtaining and running the virtualized applications on the Windows system on which the application is installed. The package installation mode that is used on the user's Windows system is set during the installation process when the VMware Identity Manager Desktop application is installed on that Windows system. This package installation mode determines the mode of ThinApp deployment used by that Windows system, download mode or streaming mode.
Access Type | Network Share Type | Requirements on VMware Identity Manager | Requirements for the User's Windows System |
---|---|---|---|
Domain-based access | You can use a CIFS share for your ThinApp package repository when you use domain-based access. You cannot use a DFS share for domain-based access. If you have a DFS share, you must use account-based access. |
You must join VMware Identity Manager to the Active Directory domain so it can join the Windows network share and access the packages. For more information about how to configure VMware Identity Manager to join the domain, see information about configuring Kerberos in VMware Identity Manager Installation and Configuration.
Note: Windows authentication is not required.
The network share must support authentication and file permissions that are based on computer accounts. VMware Identity Manager accesses the network share with the computer account of VMware Identity Manager in the domain. The network share's folder and file permissions must be configured such that the combination of permissions allows read access for the computer account of VMware Identity Manager in the domain. |
The user's Windows system must join the Active Directory domain before that user can use their entitled ThinApp packages. The following systems must all be joined to the same domain:
When you use domain-based access, the following installation modes for the ThinApp packages are allowed.
By default, the COPY_TO_LOCAL installation mode is set as the default installation mode when you install the VMware Identity Manager Desktop application on a Windows system by running the graphical version of the client's installer program. To set a different installation mode as the default installation mode for the packages, you must run the client installation using the command line. See the Command-Line Installer Options for VMware Identity Manager Desktop.
Important: HTTP_DOWNLOAD mode requires the IDP URL to be reachable from the user's Windows machine. RUN_FROM_SHARE and COPY_TO_LOCAL modes require the ThinApp share to be reachable from the user's Windows machine.
|
Account-based access | You can use either a CIFS share or a DFS share for your ThinApp package repository when you use account-based access. | You must configure VMware Identity Manager to use a share user account and password to access the network share and the packages. The share user account and password is any combination that has read access to the UNC path to the network share folder. You do not have to join VMware Identity Manager to the Active Directory domain to access the network share.
Note: In the
VMware Identity Manager console, you must complete the Join Domain page before you can use the ThinApp Packages page.
Note: Account based access is required if you are using NetApp share.
|
The user's Windows system does not have to join the Active Directory domain before that user can use their entitled ThinApp packages. Windows authentication is not required. The user's Windows system, VMware Identity Manager, and the host of the network share with the ThinApp packages do not have to be joined to the same Active Directory domain. With account-based access configured, the following installation modes for the ThinApp packages are allowed.
If the user's Windows system might be joined to the domain at some times and not joined to the domain at other times, you can install the client with the COPY_TO_LOCAL mode and the AUTO_TRY_HTTP option enabled, as long as VMware Identity Manager is configured for account-based access. With this configuration, the client first tries to use the COPY_TO_LOCAL mode to download the packages. If the Windows system is not joined to the domain at that time, that attempt to copy the packages fails. However, with the AUTO_TRY_HTTP option enabled, the client immediately makes an attempt to use HTTP to download the packages. This combination of COPY_TO_LOCAL and AUTO_TRY_HTTP is the default when you install the VMware Identity Manager Desktop application on a Windows system by running the graphical version of the client's installer program. VMware Identity Manager must be configured for account-based access for the attempt to download the packages using HTTP_DOWNLOAD mode to succeed.
Important: HTTP_DOWNLOAD mode requires the IDP URL to be reachable from the user's Windows machine. RUN_FROM_SHARE and COPY_TO_LOCAL modes require the ThinApp share to be reachable from the user's Windows machine.
|
In addition, the ThinApp packages repository must meet the following criteria according to the described situation.
- When your settings involve systems joining the Active Directory domain, make sure that a disjoint namespace does not prevent domain member computers from accessing the network share that hosts the ThinApp packages. A disjoint namespace occurs when an Active Directory domain name is different from the DNS namespace that machines in that domain use.
- The network share's file and sharing permissions must be configured to provide read access and the ability to run applications to those users that you want to run the ThinApp applications using the COPY_TO_LOCAL or RUN_FROM_SHARE option.
For example, for the Active Directory user accounts of those users that you want to run the ThinApp applications in streaming mode, setting the Shared Folder permission to Read and the NTFS permission to Read & Execute provides read access and the ability to run the applications to those users.
The NTFS permission setting of Read & Execute is required to run a ThinApp application using the ThinApp streaming mode, which corresponds to the VMware Identity Manager Desktop application's RUN_FROM_SHARE installation mode. If your organization requires the NTFS permission set to Read, your users can use the ThinApp download mode for the virtualized application. ThinApp download mode corresponds to installing the Windows client with either the COPY_TO_LOCAL installation mode or HTTP_DOWNLOAD installation mode. With either of those installation modes, the applications are downloaded to the Windows systems and launched locally.
Both CIFS and DFS network shares must have the ThinApp packages organized in individual subdirectories in a directory under the namespace, not subdirectories in the namespace itself, such as \\server\appshare\thinapp1, \\server\appshare\thinapp2, and so on. See Create a Network Share for ThinApp Packages That VMware Identity Manager Manages.