Architecture and Operation for App-V 5 and Later

FlexNet Manager Suite 2021 R1 (On-Premises)

This discussion applies to use of Microsoft App-V server infrastructure, streaming applications to App-V clients on end-point devices. (Where applications are instead installed by Microsoft SCCM, use the inventory import from SCCM instead of this adapter.)

In its streaming implementation, Microsoft App-V release 5.0 (and later) has the following components, apart from the App-V clients:
  • A database (referred to here as the App-V Management Server database), which may be on a separate server
  • A separate reporting database (referred to here as the App-V reporting database), which may also be on a separate server (importantly, this database stores application usage information)
  • One or more Management Servers that access the App-V Management Server database and provide a user interface for system control
  • One or more Reporting Servers that access the App-V reporting database and provide operational reports to help manage the App-V infrastructure
  • One or more streaming servers (called App-V Publishing Servers) that may directly deliver application packages.

Of these, for App-V 5.0 and later, only the App-V reporting database and an App-V Management Server are relevant to the App-V server adapter for FlexNet Manager Suite. (If you are familiar with the adapter for release 4.6 of App-V, notice that we have switched databases, and added the Management Server — the architecture is completely different.)

Prerequisites

Operation requires that you have:
  • A supported version of Microsoft App-V (see App-V Server Adapter).
  • An operational App-V reporting database.
  • An operational App-V Management Server.
  • The AppVMgmtSvr.ps1 PowerShell script installed, configured and scheduled on your App-V Management Server (see Obtaining (and Deploying) the Adapter Components for details). This is one of the significant changes since the previous adapter.
  • A FlexNet inventory beacon that has network access to your App-V reporting database, and is also able to upload gathered inventory to the central FlexNet Manager Suite server (either directly or through a hierarchy of inventory beacons).
  • An inventory beacon importing Active Directory data from the same domain where the App-V server resides. (This may be the same inventory beacon that runs the App-V server adapter, but this is not a requirement.)
    Tip: If you have App-V applications secured by security groups from multiple Active Directory domains, ensure that the Active Directory import runs against all applicable domains in your environment. The simplest approach may well be to ensure that you import from all your Active Directory domains, since if you use foreign security principals from multiple trusted domains, it can be difficult to keep track of access to App-V packages. FlexNet Manager Suite imports only from each individually specified Active Directory domain; so you need to ensure that all applicable domains are specified. As an example of multiple domains being affected:
    • Suppose you have Group-A in Domain-A that contains a child Group-B, where Group-B actually comes from Domain-B.
    • In this case, granting access to an App-V package to Group-A also grants access to Group-B (because of the parent-child relationship between the groups).
    • This inheritance continues to work even when there is only one-way trust from Domain-B to Domain-A.
    • In such a case, it is imperative that you run an Active Directory import against both Domain-A and Domain-B. When you have many domains, the simplest path is just to run an Active Directory import from every domain.
  • Operators who can link the applications identified in the App-V packages to the appropriate licenses.
Tip: You need only one connection from the FlexNet Manager Suite App-V server adapter (on an inventory beacon) to the App-V reporting database. This single App-V reporting database may support multiple App-V Management Servers, and multiple Publishing Servers; but only a single connection to the database is required.
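
The multi-domain tip above can be checked mechanically. The following is an added example, not part of the adapter or of FlexNet Manager Suite: a simplified Python model that expands the SIDs on an App-V package ACL through nested groups and reports which domains still lack an Active Directory import. All SIDs, names, record layouts and function names are constructed for illustration.

```python
# Added illustration: all SIDs, names and records below are constructed sample data.
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"

# One dict per Active Directory import (hypothetical layout): SID -> record.
IMPORT_A = {
    f"{DOMAIN_A}-1101": {"type": "group", "name": "Group-A",
                         "members": [f"{DOMAIN_A}-2001", f"{DOMAIN_B}-1201"]},
    f"{DOMAIN_A}-2001": {"type": "user", "name": "alice"},
}
IMPORT_B = {
    f"{DOMAIN_B}-1201": {"type": "group", "name": "Group-B",
                         "members": [f"{DOMAIN_B}-2002", f"{DOMAIN_B}-2003"]},
    f"{DOMAIN_B}-2002": {"type": "user", "name": "bob"},
    f"{DOMAIN_B}-2003": {"type": "user", "name": "carol"},
}

def domain_of(sid):
    """Domain SID = the SID with its final sub-authority (the RID) removed."""
    return sid.rsplit("-", 1)[0]

def expand_acl(acl_sids, imports):
    """Return (users, unresolved): user names reachable from the ACL,
    and member SIDs for which no imported record exists."""
    directory = {}
    for imp in imports:
        directory.update(imp)
    users, unresolved, seen = set(), set(), set()
    stack = list(acl_sids)
    while stack:
        sid = stack.pop()
        if sid in seen:              # guards against circular group nesting
            continue
        seen.add(sid)
        record = directory.get(sid)
        if record is None:
            unresolved.add(sid)      # member lives in a domain not yet imported
        elif record["type"] == "group":
            stack.extend(record["members"])
        else:
            users.add(record["name"])
    return users, unresolved

def missing_domains(unresolved):
    """Domain SIDs that need an Active Directory import to resolve the ACL."""
    return sorted({domain_of(s) for s in unresolved})

if __name__ == "__main__":
    acl = [f"{DOMAIN_A}-1101"]       # package access granted to Group-A
    for label, imports in (("Domain-A only", [IMPORT_A]),
                           ("both domains", [IMPORT_A, IMPORT_B])):
        users, unresolved = expand_acl(acl, imports)
        print(label, sorted(users), missing_domains(unresolved))
```

With only Domain-A imported, the members of Group-B never appear as having access to the package; the unresolved SID's domain prefix identifies the domain to add to the import.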

Limitation

For App-V release 5.0 and later, the system supports installation of the AppVMgmtSvr.ps1 PowerShell script on only one App-V Management Server. This single Management Server may support multiple Publishing Servers (if necessary spread worldwide for faster distribution of App-V packages to App-V clients); and the App-V clients may report to multiple Reporting Servers (independent of the source from which the App-V packages were downloaded). Different App-V Management Servers do not self-identify in the .raa inventory file, and the App-V reporting database does not identify which application usage information is associated with which App-V Management Server. For these reasons, only a single App-V Management Server (for release 5.0 and later) is supported.

If your App-V (release 5.0 or later) environment has multiple Management Servers, choose one as the data source for App-V packages and the applications they contain. For example, if you have Production, Dev, and Test servers, place the AppVMgmtSvr.ps1 PowerShell script on the Production App-V Management Server. Also ensure that the App-V server adapter (on an inventory beacon) connects to the matching Production App-V reporting database.

In operation

The following diagram shows the operational architecture for the App-V server adapter for release 5.0 and later.

The numbers here refer to the numbers shown in the diagram above:
  1. The inventory beacon imports data from Active Directory, including groups (and their members), users, and computers, and the security identifiers for each item within Active Directory. (These security identifiers, or SIDs, are the same identifiers that App-V reports for usage of the applications delivered through App-V packages.)
    • These are immediately uploaded to the central application server for FlexNet Manager Suite.
    • As soon as the upload is completed, the data is imported into the compliance database.
  2. On the schedule you specify on the App-V Management Server, the AppVMgmtSvr.ps1 PowerShell script:
    • Uses the API to gather a list of the available App-V packages
    • Imports from the database, and the access control lists (ACLs) that determine which Active Directory groups and users have access to the applications inside the packages. The latter are identified by their security identifiers (SIDs)
    • Uploads the collected data in a remote application access (.raa) file to its configured inventory beacon, which in turn uploads the file to the central application server for FlexNet Manager Suite.
    • The data waits in the staging area on the central application server for the next scheduled inventory import and compliance calculation (by default, scheduled overnight).
  3. On the schedule you specify on the inventory beacon, the App-V adapter:
    • Connects to the App-V reporting database
    • Imports App-V package usage by users and computers. These are all identified by their security identifiers (SIDs).
    • Immediately uploads the data to the central application server for FlexNet Manager Suite. (If the upload fails for some reason, there is a catch-up upload task that by default is scheduled overnight.)
    • The .raa file collected by the PowerShell script is uploaded and immediately resolved into staging tables in the database.
      Tip: If you manually copy an .raa file to your application server, you can import it with the following command:
      > mgsimport -t remoteApplication
    • The data waits in the staging area on the central application server for the next scheduled inventory import and compliance calculation (by default, scheduled overnight).
  4. When the compliance calculation is run, FlexNet Manager Suite uses the uploaded SIDs to correlate the various data elements:
    • App-V packages are shown as installer evidence (based on the MSI information uploaded by the AppVMgmtSvr.ps1 PowerShell script).
    • If an appropriate application record exists (either in the Application Recognition Library or as a locally-created record) with a suitable installer evidence rule, the installer evidence (package) is automatically matched with the application.
    • All users with access to an App-V package are shown as having an installation of the related application on every computer for which the user is either the assigned or calculated user.
    • All computers with access to an App-V package are shown as having an installation of the related application.
    • If the application is linked to a license, consumption is shown for the correct users and computers on that license (or, if it is linked to multiple licenses, on the highest priority license still having unconsumed entitlements). This consumption information is then available both in the management views and in reports. (If this is the first import to reveal an application in an App-V package, an operator needs to link the application record to an appropriate license.)
