We will be testing Imprivata with App Volumes soon but our Production VDI was built with Unidesk and Imprivata is usually not a problem.  It does have a few oddities with RFID readers and needing to detect VMware Horizon View Agent during install but that's all been documented and once the layer was built, its built.  Nothing else needed to be done and it behaves like any layered app would.  We've built batch files which automated the Imprivata install setup so when a new Imprivata Hotfix comes out, we build a new layer, run the batch file install we wrote, and we're done.  Upgrading the 1800+ VDI clients is just a un-check here and a new check there.  Next maint cycle and they all come up with the hotfix version installed and the old version gone!

The trick could be that Imprivata (now this is older versions before 5.0 but I think it still holds true today) needs to see the VMware View Agent during install or else it doesn't install the little bits needed to pass creds though the different login screens correctly.  So if I understand App Volumes correctly, you need to make something where the Vmware Agent and the Imprivata can see each other during the Imprivata install.  There are several ways to do this in Unidesk but not 100% sure on App Volumes.  And since Imprivata makes changes to some Windows OS files, not sure how that would work exactly in App Volumes either.  We are testing the waters to see if anything has changed since we started VDI with Unidesk a few years ago.  Still just setting up the test environment for App Volumes.

Lastly, you may have to get with your VMware sales rep to get after Imprivata.  We had a small problem (just a registry key for the RFID readers) at the beginning and we could not figure it out.  Imprivata had a few old docs on the issue but still wasn't much help.  Our Vmware got with a higher VMware rep, who got with a higher Imprivata rep, who figured it out. 

FYI, we are running Vsphere 6.01?, View 6.02, Unidesk 2.9.4, Imprivata 5.1.207.48, 1800+ VDI machines, Teradici2 zero clients, RFIDeas readers.

Mike

For the record, I have no idea how and if Imprivata works or doesn't work and haven't tested it

But i do wanted to reply to the Unidesk topic though as we tested both applications.

Unidesk has a totally different way of building up the machine than Appvolumes has. What Unidesk does is build a machine per user based on a specific subset of applications, patches and a golden image. If something changes the machine that is assigned to you is being recreated with the specific applications and patches installed in the machine. The positive thing about Unidesk is that it builds up the machine pre-logon and thus enhances login times quite considerably. Also, applications that need to be there during logon (like Imprivata is i guess?) will work in a Unidesk application layer.

The biggest downside to Unidesk is (maybe it changed but this was the reason we didn't went with it) that it creates a machine per user. Also, if you want your users to be able to log in rather quickly all of those machines need to be started up and ready for the user.

Appvolumes builds up the machine during login. So when logging in it checks to see which applications you have assigned and then adds these applications during logon. The writable volume is the only VMDK that is being attached pre-logon. So you could try and install applications into this.

The biggest downside is that logon takes longer because the machine is being build up during logon. The biggest positive about Appvolumes is that a machine is never assigned or attached to 1 named user. Let's say you have 20000 users but only need 1000 desktops for this userbase to be available at any given time. Using Appvolumes I only need 1000 pooled floating desktops which are created within a split second (if storage is good enough to deliver the IOPS) were is using Unidesk you would need 20000 desktops available. Just do the math .

What could be a solution (but you would need VMWare itself to elaborate on this one, maybe Jason can) is to attach the appstack pre-logon. You can assign appstacks to a machine. Only downside is you can't use both user and computer assignments due to restrictions with the writable volume (this one must always be the first disk being attached at least until now). It once was the idea to do both and i really hope it is on the roadmap. It would heavily increase logon times for users and would fix issues with applications like these that need to be there pre logon.

We did try that Ray, assigning the stack to the machine. Indeed, pre-login, we saw the VMDK was mounted on the VM. That being said, we still didn't have any luck. Upon logging in, Imprivata just wasn't behaving how we expected.

Hey Chris,

Not sure if there are any other layering technologies that support this, but I have been using Unidesk successfully for application layering with Imprivata and all other applications outside of the parent image for the last 2 years.  If someone knows of another technology feel to add it here, but essentially Unidesks layering architecture starts below the OS so it is able to make those calls to the OS. 

Hey Ray,

Thanks for the reply, I just wanted to add that we started migrating to the new Unidesk 4.x platform that resolves the issues you mentioned so you kind of get the best of both worlds.  Good catch on the old platform though, that used to be a limitation caused by the added flexibility.

Hey epa,

It could be worth a try but i'm not quite sure how that will work out with other appstacks. The problem is that if it indeed grips into the View Agent some parts of the view agent might end up in the Appstack. I'm not 100% sure if all VMware settings and files are excluded from the appstack. I don't know what is being altered by this applications. It might well be that it is altering things that are not recorded into the appstack.

To be honest I thought that adding the appstack pre-logon would do the trick. At least the succes rate of that seems to be higher than adding the agent into the packaging machine, but that's just my 2 cents.