Hi, we are using a triggered task for "workstation locked" with the command:
C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe -s
this trigger is perfectly working and good:
2020-02-20 10:04:47.145 [DEBUG] Tasks run for trigger 'Workstation locked':
2020-02-20 10:04:47.145 [DEBUG] At 10:04:33.232, ran custom command '"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -s' ('UEM Sicherung bei Client Sperrung.xml')
If a user locks his session, we always have this WARN Message:
2020-02-20 12:55:49.783 [INFO ] Starting FlexEngine v220.127.116.111 [IFP#ff08c95d-397b49b>>]
2020-02-20 12:55:49.783 [INFO ] Performing path-based export
2020-02-20 12:55:49.785 [DEBUG] User: xxxxxx (A/L), Computer: xxxxxx, OS: x64-win10 (Version 1809, BuildNumber 17763.805, SuiteMask 100, ProductType 1/4, Lang 0407, IE 11.805.17763.0, DEM 18.104.22.1681, ProcInfo 1/1/4/8, UTC+01:00S), PTS: 18428/16304/1C
2020-02-20 12:55:49.785 [DEBUG] Policy "Always wait for the network at computer startup and logon" is enabled
2020-02-20 12:55:49.785 [DEBUG] Policy "Run logon scripts synchronously" is not configured
2020-02-20 12:55:49.801 [DEBUG] Redirected folders: Desktop, Favorites, Personal
2020-02-20 12:55:49.801 [DEBUG] Policy "Point and Print Restrictions" is configured for the computer (1/2)
2020-02-20 12:55:49.801 [DEBUG] User policy last applied at 2020-02-20 11:44:34.706 (took 5.900 s)
2020-02-20 12:55:49.804 [DEBUG] Boot time: 2020-02-20 04:00:35.286, Logon time: 2020-02-20 08:22:33.069
2020-02-20 12:55:49.804 [DEBUG] Recursively processing config files from path 'xxxxx'
2020-02-20 12:55:49.804 [DEBUG] Using profile archive path 'xxxxxxxxx'
2020-02-20 12:55:49.804 [DEBUG] Profile archives will be compressed
2020-02-20 12:55:49.804 [DEBUG] Creating 5 backups (single backup per day) in path 'xxxxxxxxx'
2020-02-20 12:55:49.804 [DEBUG] Logging to event log for path-based import/export, asynchronous DEM actions, user environment settings refresh, DirectFlex refresh
2020-02-20 12:55:49.804 [DEBUG] Logging to file 'xxxxxxxxxx'
2020-02-20 12:55:49.804 [DEBUG] Log file will be overwritten when larger than 4096 kilobytes
2020-02-20 12:55:49.804 [DEBUG] If Flex config files path is not available at logon, skip import and display a message for 60 seconds
2020-02-20 12:55:49.804 [DEBUG] If profile archive path is not available at logon, skip import but apply user environment settings and display a message for 60 seconds
2020-02-20 12:55:49.807 [DEBUG] Showing progress information
2020-02-20 12:55:49.807 [DEBUG] Certificate support for mandatory profiles is enabled
2020-02-20 12:55:49.816 [WARN ] Previous import not marked as successful -- skipping export
2020-02-20 12:55:49.819 [INFO ] Done (35 ms) [<<IFP#ff08c95d-397b49b]
Anyone any idea why ? the import on logon looks good:
2020-02-20 10:04:47.156 [INFO ] Done (13545 ms) [<<IFP#f3aff782-397b49b]
At logoff, the DEM agent checks to see whether it ran correctly at logon. That's a precaution so we don't overwrite your profile archives with "empty" settings in case we did not import them at logon.
That logic is quite basic; we set a flag after a successful path-based import, and we check for and clear that flag at path-based export.
You're performing a path-based export mid-session, which clears that flag. At the path-based export at logoff, the DEM agent checks the flag, does not find it, and considers that as "Previous import not marked as successful".
However, it's not a good idea to run "FlexEngine.exe -s" within a session anyway. All sorts of files might be in use mid-session, preventing them from correctly being exported. Similarly, the settings for non-DirectFlex applications that are running at that time might be in an inconsistent state, as could be the case for Windows Explorer or other Windows components. In addition, as part of a path-based export, we stop DirectFlex, application blocking, and privilege elevation, and undo user environment settings if so configured...
What sort of settings are you trying to save when the workstation is locked?
Hi Arnout, thanks for the reply!
Our users often use more than one PC and / or one VMware session in one day and we wanted to use the "Flexengine -s" triggered task to save our users the individual intermediate steps in the day.
If a user moves from PC "A" to PC "B" and then to PC "C", the changes on PC "C" should also be loaded on PC "B" and PC "A". Our users often do not log off from a PC but lock (Windows+L or STRG-ALT-DEL) - if at all) the client.
We try to save all kinds of settings and files like Windows Environment or Apps like Firefox links, Office 2016 Changes, Changes to company own apps and even Gimp/WinSCP/Putty and other freeware changes.
Thank you ! Cheers
I understand the use case, but I'm really wondering how well this would work in practice. Given that files might be locked or settings might be in an inconsistent state at the time, you could very well end up with profile archives that are incomplete (missing the locked files) or inconsistent.
It's more effort to create and maintain, but you could consider an experiment with a more targeted approach that has fewer side effects (as it won't stop DirectFlex, application blocking, and privilege elevation, and won't undo user environment settings) and won't result in that "Previous import not marked as successful" scenario.
Instead of running that "FlexEngine.exe -s", run a script that performs individual profile archive exports:
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -i "%UEMConfigShare%\FireFox.ini" -s "%UEMProfileArchives%\FireFox.zip" -b-
"C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -i "%UEMConfigShare%\Word2016.ini" -s "%UEMProfileArchives%\Word2016.zip" -b-
I've added that -b- argument to prevent creating backups, so as not to overwrite valid backups with potentially "corrupted" profile archives. (And also because I just realized that we don't have a %UEMProfileArchiveBackups% variable – I'll add that in a future version.)
I still don't think the mid-session export is a good idea, but at least this approach would give you some more control. NOTE: make sure you don't use profile cleanup in these config files.
Thank you sir But if we not use the workstation lock and unlock trigger with flexengine -s anymore, would it be not a problem with the usecase anyway?
i.e. ==> User works on Workstation "A", some time after that he moves to Workstation "B" without locking "A". Then he logs off on Workstation "B" with the DELTA he makes on "B" - Now back to Worksation "A" no DELTA from "B" is there because no log off or Flexeninge -s Trigger on "A"... Now he logs off on Workstation "A" and there we go... Savings from Workstation "B" are gone and overwritten from Workstation "A" with a chance of corrupt files from last Save from Workstation "B" because some Office or other files on Workstation "A" where "open" already ?
If users can logon to multiple sessions, you can always encounter the "last write wins" scenario. For application settings, DirectFlex helps (as long as your users exit applications .)
The corruption I referred to would be due to the DEM agent trying to export config files and registry information while Windows components or applications are still actively using them. For a DirectFlex export or a "-s" at logoff that won't be the case – what chance of corrupt files do you see here?
We thought it´s a good idea to save and reload the User Settings/Files between their sessions if they work on more than 1 Session.
So we build this for the trigger "Workstation locked"
... and that for the triggeer "Workstation unlocked":
I share your opinion that saving various user settings across multiple PCs can lead to corrupt data if certain applications "lock" the file. We wanted to improve the user experience with these triggers because we have a lot of users who work on several PCs ...
Sure, I understand. But as described above, even apart from files being locked and registry settings potentially being inconsistent, mid-session -s/-r is a bad idea.If you do want to go ahead with this, please consider using the script approach to deal with individual profile archives.
Also, any reason why you configured the unlock trigger to only apply if the IP has changed?