Architecture and Operation for App-V 4.6

IT Asset Management (Cloud)

This discussion applies to use of Microsoft App-V server infrastructure, streaming applications to App-V clients on end-point devices. (Where applications are instead installed by Microsoft Endpoint Configuration Manager (previously Microsoft SCCM), use the inventory import from Microsoft Endpoint Configuration Manager instead of this adapter.)

In its streaming implementation, Microsoft App-V release 4.6 has three main kinds of components:
  • A database (referred to here as the App-V Management Server database), which may be on a separate server
  • One or more Management Servers that access the App-V Management Server database and provide a user interface for system control
  • One or more streaming servers that may directly deliver application packages.

Of these, only the App-V Management Server database is relevant to the App-V server adapter for IT Asset Management.

Prerequisites

Operation requires that you have:
  • A supported version of Microsoft App-V (see Microsoft App-V Server Adapter).
  • An operational App-V Management Server database.
  • A FlexNet inventory beacon that has network access to your App-V Management Server database, and is also able to upload gathered inventory to the central IT Asset Management server (either directly or through a hierarchy of inventory beacons).
  • An inventory beacon importing Active Directory data from the same domain where the App-V server resides. (This may be the same inventory beacon that runs the App-V server adapter, but this is not a requirement.)
    Tip: If you have App-V applications secured by security groups from multiple Active Directory domains, ensure that the Active Directory import runs against all applicable domains in your environment. The simplest approach may well be to ensure that you import from all your Active Directory domains, since if you use foreign security principals from multiple trusted domains, it can be difficult to keep track of access to App-V packages. FlexNet Manager Suite imports only from each individually specified Active Directory domain; so you need to ensure that all applicable domains are specified. As an example of multiple domains being affected:
    • Suppose you have Group-A in Domain-A that contains a child Group-B, where Group-B actually comes from Domain-B.
    • In this case, granting access to an App-V package to Group-A also grants access to Group-B (because of the parent-child relationship between the groups).
    • This inheritance continues to work even when there is only one-way trust from Domain-B to Domain-A.
    • In such a case, it is imperative that you run an Active Directory import against both Domain-A and Domain-B. When you have many domains, the simplest path is just to run an Active Directory import from every domain.
  • Operators who can identify the applications represented by the App-V packages, and link those applications to the appropriate licenses.
Tip: You may have multiple App-V Management Servers, and multiple streaming servers, that link to a single App-V Management Server database. This requires only one connection from the IT Asset Management App-V server adapter, because this connects only to the database. However, if you have multiple App-V Management Server databases in your estate, configure a separate connection to each of them on appropriate inventory beacons. Where helpful, you may configure multiple such connections (each separately scheduled as you choose) on one inventory beacon.

In operation

The following diagram shows the operational architecture for the App-V server adapter for App-V release 4.6.

The numbers here refer to the numbers shown in the diagram above:
  1. The inventory beacon imports data from Active Directory, including groups (and their members), users, and computers, and the security identifiers for each item within Active Directory. (These security identifiers, or SIDs, are the same identifiers that App-V reports for usage of the applications delivered through App-V packages.)
    • These are immediately uploaded to the central application server for IT Asset Management.
    • As soon as the upload is completed, the data is imported into the compliance database.
  2. On the schedule you specify on the inventory beacon, the App-V adapter:
    • Connects to the App-V Management Server database
    • Imports a list of the App-V packages from the database, and the access control lists (ACLs) that determine which Active Directory groups and users have access to the applications inside the packages. The latter are identified by their security identifiers (SIDs).
    • Immediately uploads the data to the central application server for IT Asset Management. (If the upload fails for some reason, there is a catch-up upload task that by default is scheduled overnight.)
    • The data waits in the staging area on the central application server for the next scheduled inventory import and compliance calculation (by default, scheduled overnight).
  3. When information about a new App-V package is first imported, an operator must identify the package and link it (like installer evidence) to an application record. This work must be done manually because (in release 4.6) App-V packages are opaque about the applications they contain. As well, for any meaningful calculations of consumption, the application must be linked to a suitable license. This linking effort is required only for the first import of each new package.

Once the links are established, each subsequent compliance calculation assigns consumption by the correct users and computers to the appropriate (linked) license. This consumption information is then available both in the management views and in reports.

IT Asset Management (Cloud)

Current