On more occasions than I’d like, I’ve had to configure AppSense Application Manager to allow a certain file to execute from the %temp% folder. However, when you need to configure it for a Remote Desktop Services/XenApp session, you may find a small bug in Application Manager forces you to adapt the rule slightly. Hopefully it will be rectified in a forthcoming update, but until then, here’s a quick rundown how to avoid it.
The %temp% variable, in a Remote Desktop Services session, includes a session id. For instance, on a 2008 or 2008 R2 server, the %temp% variable for a user looks like this
TEMP=C:\Users\UserID\Local Settings\Temp\1
However, for performance reasons apparently, AppSense Application Manager caches this variable very early in the logon process – before the Remote Desktop Services session modifies it to include the session id. Therefore, to Application Manager, the %temp% variable looks like this
TEMP=C:\Users\UserID\Local Settings\Temp
Naturally, if you were to configure an AppSense Application Manager rule that looked like this
the application you want to allow to execute wouldn’t be allowed to run. To get around it, simply add a wildcard to the path for your Accessible Item like this.
Now the Session ID will be incorporated into the path, and the executable will be allowed to run.
One final note – if you are writing rules for both ordinary desktop clients and Remote Desktop Services sessions and you need to allow something to run from %temp%, you’ll have to write two Accessible Items rules. One for the Remote Desktop Services session with the wildcard, and one for the ordinary desktop endpoints without the wildcard. Hopefully it will soon be fixed and you can make do with one rule for both.
Share
