Aaron Parker's stealthpuppy

Subscribe to Aaron Parker's stealthpuppy feed Aaron Parker's stealthpuppy
on applications, desktop and Terminal Server deployment, virtualisation and anything else that takes my fancy
Updated: 5 hours 59 min ago

Dynamic Software Update Rings in Microsoft Intune

Wed, 10/10/2018 - 02:27

Microsoft Intune provides management of Window 10 Update Rings to enable Windows as a Service, via the Software Updates feature. This enrols a Windows PC into Windows Update for Business to manage feature and quality updates the device receives and how quickly it updates to a new release. As you scale the number of devices managed by Microsoft Intune, the need to manage the software update or deployment rings is key to adopting Windows 10 successfully. Being able to do so dynamically and empowering end-users by involving them in the process sounds like an idea that’s just crazy enough to work. This article details an approach to achieve dynamic software update rings.

Dynamic Groups 

Azure AD Premium includes Dynamic Device and User groups whose membership can change, well dynamically. This feature enables us to apply software update rings to dynamic groups where the membership can be based on just about any user or device property that suits our needs.

In most cases, applying Windows 10 Update Rings to devices, rather than users, is the best approach to ensure that updates can be better tracked across specific hardware and software combinations. I don’t necessarily want a user moving between PCs and have devices move back and forth between update rings. Basing update rings on dynamic device groups is then likely the better approach.

Software Update Rings

For the purposes of illustration, I’ve created a basic approach to update rings with the 3 rings show here:

  • Semi-Annual Channel – we need a catch-all ring applied to All Devices. If our dynamic groups that are based on a device property don’t catch a device, it won’t get the correct update ring applied. This approach ensures that by default, a device is treated as generally production ready be being enrolled in the Semi-Annual Channel to receive well tested updates. This ring is assigned to All Devices, while excluding Azure AD dynamic groups assigned to all other rings
  • Semi-Annual Channel (Targeted) – here devices are enrolled for a pilot ring so that the latest Windows 10 release can be tested before rolling out the majority of PCs. This ring applies to a specific Azure AD dynamic group
  • Windows Insider – to preview upcoming Windows 10 releases it’s important to be enrolled in the Windows Insider program. This ring applies to a specific Azure AD dynamic group

My update rings in this example are quite simple, but the approach can be customised for specific environments and needs.

Update Rings configured within Intune Software Updates

Assigning Devices

To assign a device to an update ring, we need to leverage a device property that can be dynamically set. Here, Device Category fits this bill in a number of ways – here, the administrator can view the device category and therefore the device’s update ring, by viewing the device properties in the Intune console. If device category is not set (it will be set to Unassigned), our catch-all update ring will ensure the device is set to a production ready state.

Device properties in Intune

The device category can also be viewed in the Intune Company Portal, thus making it easy to view this property from multiple locations. This visibility makes device category a good choice for managing our update rings.

Device properties in the Intune Company Portal

The Intune Administrator creates device categories in the console. As you can see in the image below, I’ve chosen Production, Pilot and Preview as the device categories that provide, hopefully, clear indication as to what each category is for.

Intune Device categories

Here’s where the choice of using Device Category for assigning update rings is possibly a bit out there – the end-user chooses the device category! When enrolling their device or launching the Intune Company Portal for the first time they see the device category choices:

Setting a device category in the Intune Company Portal

There’s no replacement for end-user education, so it would behoove an organisation to include instructions on which category to choose, but in my mind it’s obvious that most users should choose Production. Having device category descriptions displayed as well would help, but they don’t at this time. Device categories are only shown once and the user cannot change the category after enrolment. Bulk changes to or reporting on categories can be achieved using the new Intune PowerShell SDK.

Dynamic Software Update Rings

Now that we have Update rings in place and an approach assigning them via Dynamic Device groups in Azure AD, we can create those groups based on membership rules that query Device Category. I’ve created two groups – Devices-Pilot and Devices-Preview that use a query where deviceCategory equals Pilot or Preview respectively. A Devices-Production group can also be created, but isn’t required because the production update ring applies to All Devices. A production devices group would assist with reporting.

Dynamic group membership rules

For these devices groups, the membership rules are:

  • Devices-Production: (device.deviceCategory -eq "Production") -or (device.deviceCategory -eq "Unknown") 
  • Devices-Pilot: (device.deviceCategory -eq "Pilot") 
  • Devices-Preview: (device.deviceCategory -eq "Preview") 

We can take this a step further and account for corporate vs. personal devices. Where users can enrol personal devices and you would prefer not to deploy Software update policies to them, membership can be filtered further. Using an advanced membership rule, update the group membership with:

  • Devices-Production: ((device.deviceCategory -eq "Production") -or (device.deviceCategory -eq "Unknown")) -and (device.deviceOwnership -eq "Company") 
  • Devices-Pilot: (device.deviceCategory -eq "Pilot") -and (device.deviceOwnership -eq "Company") 
  • Devices-Preview: (device.deviceCategory -eq "Preview") -and (device.deviceOwnership -eq "Company") 

With these groups created, assignments for my Software update rings are:

  • Semi-Annual Channel – assign to All Devices and exclude Devices-Pilot and Devices-Preview. 
  • Semi-Annual Channel (Targeted) – assign to Devices-Pilot
  • Windows Insider – assign to Devices-Preview

When a category is assigned to a device, the dynamic group will update at some point and the policy will apply on a subsequent device policy refresh.

Dynamic Software Updates

The same approach can be used for deploying applications that provide preview channels similar to Windows. Microsoft Office 365 ProPlus is an obvious choice – we can create Office application deployments using Update Channels with assignments using our Dynamic Device groups.

Office 365 ProPlus apps in Intune to manage update channels

The update rings I’ve implemented in my test environment include:

  • Office 365 ProPlus Semi-Annual Channel or Semi-Annual Channel (Targeted) that is assigned to All Devices and excludes Devices-Pilot and Devices-Preview, we have a catch all Office deployment package that will go out to the majority of devices
  • Office 365 ProPlus Semi-Annual Channel (Targeted) or Monthly Channel assigned to the Devices-Pilot group to receive the latest updates
  • Office 365 ProPlus Monthly Channel (Targeted) assigned to the Devices-Preview group to test Office Insider updates for testing upcoming features

Office 365 ProPlus then updates itself on the end-device based on the assigned channel. This actually works quite well for this application as you can pretty seamlessly move between channels as required.

Wrapping Up

In this article, I’ve shown you how to enable dynamic Software Update rings for Windows Office in Intune using Azure AD Device Dynamic groups. This uses what may be a controversial approach – devices category chosen by the end-user. Modern device management forces us to rethink our engagement with end-users and involving them more directly in the testing process can help make IT more personal.

For more controlled environments, the choice of category can be overwritten by the administrator, especially for users who may need to roll back to a more stable release.

Photo by Mathew Schwartz on Unsplash

This article by Aaron Parker, Dynamic Software Update Rings in Microsoft Intune appeared first on Aaron Parker.

Categories: Community, Virtualisation

Visualising ConfigMgr, Intune and Windows 10 Releases

Wed, 09/26/2018 - 15:11

I recently presented a session titled ‘Modern Management Methodology Imaginarium‘ at the xenappblog.com Virtual Expo September 2018 event. In this session, I discussed my thoughts and approach to modern management, primarily for Windows 10. The session provided a bit of background, some definitions for what makes up the modern desktop and a high-level approach to implementing it.

The Modern Desktop

While the ‘modern desktop’ is most certainly a popular topic in the EUC space today, how to implement a modern desktop approach I think, is not yet widely understood. Organisations are looking to solve the same desktop challenges we’ve had for the past 20 years, in a more efficient and secure manner. Implementing the modern desktop requires defining a methodology that follows the same basic process followed for any desktop project – discovery and assessment, design, build, test, pilot, deploy (rinse and repeat). 

Successfully adopting the modern desktop requires leveraging analytics which is easier to achieve with current cloud-based toolsets (Microsoft has essentially made this free). Whilst analytics show you where you are, it’s important to understand where you need to get to, or at least what the journey will look like.

Faster Release Schedules

Software vendors have changed their approach to releases and more regular smaller releases are common. I posit that the effect of this on our methodology or approach is seen primarily in the design phase – a design document can be out of date a week after you’ve written it. Thus we should ensure that we document design principles and business outcomes rather than get bogged down in the details.

In my session, I demonstrated this with current Microsoft products – System Center Configuration Manager, Microsoft Intune and, of course, Windows 10 itself. The pace of releases has increased, which while great for innovation, can out pressure IT groups implementing and managing these products. Microsoft Intune has weekly updates!

Here’s the slide I created to visualise this theme.

Visualising ConfigMgr, Intune and Windows 10 Releases

Download the Slide

A number of people have asked about using the slide, so I’m making it available here for download to use in your own presentations. Download here in PowerPoint format: Visualising ConfigMgr, Intune and Windows 10 Releases.

Note that this is covered under the same license as all content on this site – a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. If you use the slide, please keep the attribution intact. I welcome any updates or improvements you might have.

View the Session

Eric should making the recordings from last week’s Virtual Expo available soon, so you should be able to see my session in full.

Photo by Alex Litvin on Unsplash


This article by Aaron Parker, Visualising ConfigMgr, Intune and Windows 10 Releases appeared first on Aaron Parker.

Categories: Community, Virtualisation

Storage Sense on Windows 10 configured with Intune

Sun, 09/02/2018 - 10:46

In a modern management scenario, enabling end-points to perform automatic maintenance tasks will reduce TCO by avoiding scenarios that might result in support calls. Storage Sense in Windows 10 is a great way to manage free disk space on PCs by clearing caches, temporary files, old downloads, Windows Update cleanup, previous Windows Versions, and more, but it it’s not fully enabled by default. Storage Sense can potentially remove gigabytes of data, freeing up valuable space on smaller drives.

Here’s how to enable this feature on Windows 10 PCs enrolled in Microsoft Intune.

Storage Sense Settings

Storage Sense can be found in the Windows 10 Settings app and has only a few settings that can be changed. Typically a user may enable Storage Sense and accept the default settings and for most PCs, the defaults are likely good enough. Here’s what’s available in Windows 10 1803:

Enabling Storage Sense in Windows 10 Settings

Settings are stored in the user profile at:


 Settings are stored somewhat cryptically with numbers representing various options.

Storage Sense settings in the Registry

These values translate to following options and values in the table below:

SettingRegistry ValueOptionRegistry Data Storage Sense01Off0 On1 Run Storage Sense2048Every Day1 Every Week7 Every Month30 When Windows decides0 Delete temporary files that my apps aren't using04Selected0 Not selected1 Delete files in my recycle bin if they have been there for over08Off0 On1 256Never0 1 day1 14 days14 30 days30 60 days60 Delete files in my Downloads folder if they have been there for over32Off0 On1 512Never0 1 day1 14 days14 30 days30 60 days60

Now that we know what the options are, we can decide on what to deploy and deliver them to enrolled end-points.

Configure via PowerShell

Using the values from the table above, a PowerShell script can be deployed via Intune to configure our desired settings. The script below will enable Storage Sense along with several settings to regularly remove outdated or temporary files.

# Enable Storage Sense # Ensure the StorageSense key exists $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense" If (!(Test-Path "$key")) { New-Item -Path "$key" | Out-Null } If (!(Test-Path "$key\Parameters")) { New-Item -Path "$key\Parameters" | Out-Null } If (!(Test-Path "$key\Parameters\StoragePolicy")) { New-Item -Path "$key\Parameters\StoragePolicy" | Out-Null } # Set Storage Sense settings # Enable Storage Sense Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "01" -Type DWord -Value 1 # Set 'Run Storage Sense' to Every Week Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "2048" -Type DWord -Value 7 # Enable 'Delete temporary files that my apps aren't using' Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "04" -Type DWord -Value 1 # Set 'Delete files in my recycle bin if they have been there for over' to 14 days Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "08" -Type DWord -Value 1 Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "256" -Type DWord -Value 14 # Set 'Delete files in my Downloads folder if they have been there for over' to 60 days Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "32" -Type DWord -Value 1 Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "512" -Type DWord -Value 60 # Set value that Storage Sense has already notified the user Set-ItemProperty -Path "$key\Parameters\StoragePolicy" -Name "StoragePoliciesNotified" -Type DWord -Value 1

Modify the script as desired – at the very least the script should enable Storage Sense and leave the remaining settings as default. Save the script as a PowerShell file and deploy via the Intune console in the Azure portal. Ensure that the script runs with the logged on user’s credentials because it will write to HKCU.

Enabling Storage Sense with a PowerShell script in Intune

Assign the script to All Users and their PC will receive the script. It’s important to note that, because the settings are stored in HKCU and are not policies, the user can either disable Storage Sense or change other settings.

Wrapping Up

Storage Sense is a great feature to enable on Windows 10 PCs for both personal and corporate PCs. In a modern management scenario, it’s another tool in our kit for enabling end-points to be self-sufficient, so I highly recommend testing and enabling the feature by default. This article has shown you how to configure Storage Sense via Intune and PowerShell with all of the possible combinations required to configure it to suit your requirements.

Hold On…

Storage Sense shows you how much disk capacity has been cleaned in the previous month in the Settings app. For a bit of a laugh, you can modify the value where this is stored so that Settings displays spaced saved that’s clearly not genuine.

Messing around with the value of saved space

You’ll find the registry value (20180901) in this key:


Image Credit: Photo by Florian Pérennès on Unsplash

This article by Aaron Parker, Storage Sense on Windows 10 configured with Intune appeared first on Aaron Parker.

Categories: Community, Virtualisation

Citrix Workspace app deployed with Microsoft Intune

Mon, 08/13/2018 - 04:57

Citrix Workspace app is here to replace Citrix Receiver with a new UI and capabilities (primarily for Citrix Cloud customers). Here’s how to deploy it across various supported platforms in a modern management capacity with Microsoft Intune.

Windows 10

There are multiple deployment options for Workspace app on Windows via Microsoft Intune:

  • Workspace app from the Microsoft Store. This version has some feature limitations but requires the least amount of effort to deploy
  • The full Workspace app that provides the best compatibility, but doesn’t ship as a Windows Installer file and therefore requires custom solutions to deploy
Microsoft Store

Adding the Workspace app from the Microsoft Store is well documented and should take only 5 minutes to get the app from the Store, synchronise to Intune and assign the app to your users. How’s that for done and dusted? – I’m sure you’ve got better things to do than package and maintain applications.

Citrix Workspace in the Microsoft Store

The Workspace app can be assigned as available for end-users to install via the Intune Company Portal or required for automatic deployment. Once deployed, the Store will take care of updates, thus there is no further action required by the administrator.

Citrix Workspace app in the Microsoft Intune Company Portal

If you have already deployed Citrix Receiver from the Microsoft Store via Intune, it should be automatically updated to Citrix Workspace. One they key feature limitations of the Microsoft Store version is pass-through authentication, so you might need to consider alternative deployment options


The Workspace app installer is a single executable just it has been with Citrix Receiver. This presents a challenge to deploy Workspace app as a line-of-business application with Intune which requires Win32 applications to be packaged as a single Windows Installer file. PowerShell scripts are a simple alternative, but deploying applications via PowerShell has two key considerations:

  • PowerShell scripts can’t be applied to computer groups
  • PowerShell scripts are executed on devices only when an Azure Active Directory user is signed in to the device

Deploying this way also means that the Workspace app will be deployed regardless of user choice and of course does not support deployment via the Intune Company Portal.

Like we’ve done previously with Citrix Receiver, the Workspace app can be deployed to Windows 10 machines via Intune with PowerShell without requiring custom packaging. We need a consistent URL that will always download the latest version of Workspace app and a command line to perform a silent installation. Your command line options might differ depending on your target environment, but the example script below will download and install the Workspace app.  

$Url = "https://downloadplugins.citrix.com/Windows/CitrixWorkspaceApp.exe" $Target = "$env:SystemRoot\Temp\CitrixWorkspaceApp.exe" $Arguments = '/AutoUpdateCheck=Auto /AutoUpdateStream=Current /DeferUpdateCount=3 /AURolloutPriority=Slow /NoReboot /Silent EnableCEIP=False' Start-BitsTransfer -Source $Url -Destination $Target -Priority High -TransferPolicy Always -ErrorAction Continue Start-Process -FilePath $Target -ArgumentList $Arguments -Wait

Once deployed, devices must then rely on auto-updates to ensure that Workspace app is kept up-to-date. 

Re-package Citrix Workspace app for Windows Installer

With the right tools and a bit of effort, Citrix Workspace app can be re-packaged into a single Windows Installer file. Once you’ve packaged the app with this method you’ll need to maintain the package and update it regularly. As with the PowerShell method though, auto-updates will keep Workspace app up-to-date once deployed.

Is this approach right for you? This requires maintaining and deploying a custom package and is dependent on how the environment is managed and available skillsets. Only you can answer that for your projects or environments. A custom package isn’t ideal and I recommend using the Microsoft Store version as the default approach instead.

Citrix Workspace app extracted Windows Installer files

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine – required for optimising Skype for Business under XenApp and XenDesktop, does come as a single Windows Installer file. This makes it easy then to deploy the engine to Windows PCs as a Required line-of-business application without modification or custom packaging. This will ensure that no user interaction is required to install the engine since most users are unlikely to know what it does anyway.

Bonus: Citrix Workspace app for Chrome

If you have Google Chrome deployed in your environment and you’d like to deploy the Citrix Workspace app for Chrome, this can be achieved with a PowerShell script that will either deploy it as a preference that users must approve or as a policy that will be automatically pushed out and users will be unable to remove from Chrome.

Google provides detailed documentation on deploying Chrome extensions on Windows.

Here’s a basic script to deploy Workspace app for Chrome via PowerShell that uses the app’s Chrome Web Store identifier (haiffjcadagjlijoggckpgfnoeiflnem) to tell Chrome to install the app on next launch. This shows both approaches – deploy as a preference or enforced.

# Citrix Receiver / Workspace app as a preference $Path = "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions" $Value = "update_url" $Data = "https://clients2.google.com/service/update2/crx" $Key = "$Path\haiffjcadagjlijoggckpgfnoeiflnem" New-Item -Path $Key -ErrorAction SilentlyContinue New-ItemProperty -Path $Key -Name $Value -Value $Data -Force -ErrorAction SilentlyContinue # Citrix Receiver / Workspace app as a policy $Key = "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" $ExistingValues = (Get-Item -Path $Key).Property $Value = [int]$ExistingValues[$ExistingValues.Count-1] + 1 $Data = "haiffjcadagjlijoggckpgfnoeiflnem;https://clients2.google.com/service/update2/crx" New-Item -Path $Key -ErrorAction SilentlyContinue New-ItemProperty -Path $Key -Name $Value -Value $Data -Force -ErrorAction SilentlyContinue

Add the script to the Intune portal and assign to a user group to deploy. Ensure the script runs in the system context because it needs to write to HKLM.


The Citrix Workspace app can be deployed as a line-of-business application with Microsoft Intune. The Workspace app download comes as an Installer package (inside an Apple Disk Image) that can be converted into suitable file format with the Microsoft Intune App Wrapping Tool, ready to deploy with Intune.

The Citrix Workspace app disk image

Convert the Installer

Instructions for converting a .pkg file to a .intunemac file are outlined in the documentation, and the basic process I have followed to convert the Citrix Workspace app installer file is:

  1. Download the Intune App Wrapping Tool for Mac executable – IntuneAppUtil  – to a local folder. I’ve downloaded it to ~/bin.
  2. Mark the file as executable. In my example, I’ve done this with:
chmod +x ~/bin/IntuneAppUtil
  1. Optionally copy the Install Citrix Workspace.pkg file to a local folder. You should also be able to run the converter against the copy stored in the disk image. In my example, I’ve copied the installer to ~/Projects/Intune-Apps.
  2. Convert the .pkg file into the required .intunemac format with a command similar to the following example – note that the -o switch should include a directory path only.
~/bin/IntuneAppUtil -c ~/Projects/Intune-Apps/Install\ Citrix\ Workspace.pkg -o ~/Projects/Intune-Apps -v

If successful the command line will look similar to the following screenshot:

Converting the Citrix Workspace app with IntuneAppUtil

The Workspace app installer will have been converted into a .intunemac format ready to import into the Intune portal for distributing to users.

The converted Citrix Workspace app

Distribute with Intune

With the prepared package, create a new line-of-business app in the Intune portal, select the .intunemac file and enter application information as follows:

  • Name – Citrix Workspace
  • Description – copy and paste the description from Workspace app on the Microsoft Store
  • Publisher – Citrix
  • Ignore app version – Yes
  • Category – Business or Productivity
  • Information URL – https://docs.citrix.com/en-us/citrix-workspace-app-for-mac.html
  • Privacy URL – https://www.citrix.com.au/about/legal.html
  • Logo – download the Workspace app icon in PNG format here

Once the details have been added, click OK to create the application. I initially had issues with uploading the application on Chrome on macOS. I was successful on Internet Explorer.

Adding the Citrix Workspace app as a line-of-business app in Microsoft Intune

Once the application has been created and assigned to users, it will be available for install in the Intune Company Portal. The application can also be set to required for automatic deployment.

Citrix Workspace available in the Intune Company Portal on macOS

Just as on Windows, updates to the Citrix Workspace app can be managed with the inbuilt updater, post-deployment.

HDX RealTime Media Engine

The Citrix HDX RealTime Media Engine is also available as an installer package that can be converted and deployed the same way as Workspace itself. Citrix Workspace app is now a 64-bit macOS application and will, therefore, require a 64-bit version of the HDX RealTime Media Engine. Right now, a 64-bit HDX RealTime Media Engine is in tech preview that can be downloaded, packaged, uploaded as a line-of-business application and assigned.


As at the time of writing, Citrix Receiver is still available on the iOS App Store and we should see it updated to Citrix Workspace app soon. Adding an iOS application in Microsoft Intune is, fortunately, a simple process:

  1. Add an application and choose ‘Store app – iOS’, then search the app store
  2. Search for ‘Citrix’, ‘Citrix Receiver’ or ‘Citrix Workspace’
  3. Choose ‘Citrix Receiver’ or ‘Citrix Workspace’ depending on what is returned
  4. Save the change and Add the application
  5. Assign the application as required 

The application will be available in the Intune Company Portal:

Citrix Workspace for iOS available in the Intune Company Portal

For existing deployments of Citrix Receiver, they should be updated to Citrix Workspace app automatically.

Android Android Store app

At the time of writing, the Workspace app for Android is not available in the Google Play Store, but a tech preview is available for download as an APK. I would recommend deploying Citrix Receiver via the Google Play Store, but with access to an APK file, you can deploy Android applications directly to enrolled devices as a line-of-business application with Intune.

The process for deploying Citrix Workspace app or Citrix Receiver on Android follows the standard Android store app deployment steps:

  1. Add an application and choose ‘Store app – Android’, then search the app store
  2. Name – ‘Citrix Workspace’ or ‘Citrix Receiver’
  3. Description – copy and paste the description from Workspace app on the Microsoft Store
  4. Publisher – Citrix
  5. Appstore URL – https://play.google.com/store/apps/details?id=com.citrix.Receiver
  6. Minimum operating system – Android 4.4 (Kitkat)
  7. Category – Business or Productivity
  8. Privacy URL – https://www.citrix.com.au/about/legal.html
  9. Logo – download the Workspace app icon in PNG format here

Assign the application and it will be available to users in the Intune Company Portal.

Android Work Profile app

In the future, it’s more likely that organisations will leverage the Android enterprise capabilities, previously known as Android for Work. This also simplifies Android app deployment with a connection between Microsoft Intune and the Google Play store. Once configured, browse the Google Play store, approve a list of desired apps and these will then appear for assignment in the Mobile Apps node in Intune.

Here’s Citrix Receiver in the Google Play store.

Approving Citrix Receiver in the Google Play store

Once approved, you must choose how new permissions will be approved:

  • Keep approved when app requests new permissions – Users will be able to install the updated app. (Default)
  • Revoke app approval when this app requests new permissions – App will be removed from the store until it is reapproved.

You can approve and deploy Citrix Receiver today, which should be automatically updated to Citrix Workspace app once it is released.


In this article, I’ve covered the high-level steps required for deployment of the Citrix Workspace app across the various major platforms supported by Microsoft Intune. Mobile platforms, including the Microsoft Store on Windows 10, will require the least amount of administrative effort to configure, deploy and update. For most organisations supporting Windows as their primary platform, even with Microsoft Intune, the choice of deployment solution will depend on Workpace app feature requirements.

This article by Aaron Parker, Citrix Workspace app deployed with Microsoft Intune appeared first on Aaron Parker.

Categories: Community, Virtualisation

Thunderbolt end-user experience macOS vs. Windows

Tue, 08/07/2018 - 04:01

Thunderbolt 3 (and USB-C) are here to provide a single cable for everything, although your experience with this technology will differ depending on your choice of operating system. Here’s a quick look at the end-user experience of TB on macOS and Windows.

Thunderbolt 3 on macOS

Thunderbolt on macOS just works – plug-in a TB device and off you go. This makes sense given that the standard was designed by Intel and Apple. Unpacking and plugging in a Thunderbolt dock with external displays, ethernet, audio etc., on macOS in just about every case will work without installing drivers.

Thunderbolt ports on the MacBook Pro

Here’s Apple’s dirty (not so) secret though – excluding the MacBook Air (and the Mini that comes with TB2), all current Macs have TB3 ports, except for the MacBook. It has a single USB-C port only. Maybe that’s OK – the TB target market is likely to be purchasing the Pro line anyway, but Apple isn’t a fan of labelling their ports, so caveat emptor.

macOS provides a good look at the devices plugged into your TB ports:

macOS System Report showing Thunderbolt devices

Note that while the MacBook Pro with Touch Bar has 4 Thunderbolt 3 ports, these are divided across 2 busses. If you have more than one device plugged in, ensure they’re plugged into either side of the laptop for best performance.

Thunderbolt 3 on Windows

Thunderbolt 3 on Windows 10? That is unfortunately not so straight-forward. 

I’ve been testing connection to my dock on an HP Elitebook x360 G2 that comes equipped with 2 x TB3 ports. The default Windows 10 image for this machine is an absolute mess that has a whole lot of software that isn’t required. Resetting the machine back to defaults strips it right back to the bare essentials, excluding the Thunderbolt driver and software. After plugging in a TB device, it isn’t recognised and no driver or software is downloaded from Windows Update. Interestingly, no driver or software was offered by the HP Support Assistant app designed to help end-users keep their HP PCs up to date.

Windows PCs equipped with Thunderbolt ports will have the driver and software installed by default, so typically this won’t be an issue; however, if you’re resetting the PC or creating a corporate image, you’ll need to install that software. Every OEM should supply Thunderbolt software for download, which for HP PCs is listed as Intel Thunderbolt 3 Secure Connect. The software is actually provided by Intel and available in various downloads on their site.

With the software installed and a device plugged in, the user sees a message box asking to approve the connection to a Thunderbolt device. Management actions such as approving or removing a device requires administrator rights on the PC. Pluggable has a good article on the entire user experience and troubleshooting.

Approving connection to TB devices on Windows 10

Once approved, the device can then be viewed and managed. 

Viewing attached TB devices on Windows 10

Of course, once plugged in, Windows sees the peripherals and connects to them as usual.

Peripherals plugged into a TB dock on Windows 10

Thunderbolt on Windows isn’t as simple as it could be. It would be great to see drivers installed directly from Windows Update instead of being available separately, but once installed everything works as you would expect.


Thunderbolt will see as wide spread adoption as USB 3.1, but users with specialised requirements such as video editors, CAD, etc., will benefit from the available bandwidth, which today is 40 Gbit/s vs. 10 Gbit/s. Early USB 3.2 hardware with 20 Gbit/s speeds has been demonstrated recently and this may further reduce the need for some users to go to devices providing the higher bandwidth.

The end-user experience of TB on macOS vs. Windows 10 is kind of disappointing – Windows requires that you install drivers and the software requires administrative rights. Not an ideal experience for home or SMB users and these requirements might preclude the usage of Thunderbolt in enterprise environments. However my own personal experience on a MacBook is pretty awesome – just plug in and go. Looks like I’ll be on macOS for the foreseeable future.

Linda Xu

This article by Aaron Parker, Thunderbolt end-user experience macOS vs. Windows appeared first on Aaron Parker.

Categories: Community, Virtualisation

Thunderbolt 3 – One Cable to Rule Them All

Sat, 08/04/2018 - 13:51

Thunderbolt 3 and USB-C have arrived to make our life easier and more confusing all at the same time. The promise of a single cable that does everything is appealing but for the average consumer, knowing what to purchase is challenging. This article is a view into my research into Thunderbolt, USB-C and 4K monitors and what I’ve ultimately purchased.

In an effort to reduce the clutter on my desk and improve my viewing experience for work, I’ve invested in a Thunderbolt 3 dock and a 4K monitor. This article isn’t necessarily a review of this hardware – instead consider this a walkthrough of how I made these specific choices and my experiences with a Thunderbolt 3 dock. In a follow up article, I’ll discuss Thunderbolt and high HPI experiences on macOS and Windows.

The Quest for Less Clutter

I work primarily from home and given my job, I’m in front of a computer for extended periods; thus, I need a clean and neat workspace to be able to focus. I’m not great at keeping my workspace tidy as I should be, so anything I can do to reduce clutter on my desk has got to assist. This is where the right choice in hardware comes in – I run a 13″ MacBook Pro that comes with four Thunderbolt ports, as my primary driver, so I have the opportunity to do everything through a single cable.

With the right solution, I should be able to run power to the laptop plus all other inputs and outputs from a Thunderbolt dock, providing me the ability to cleanly route cables (as much as I can). This also means that I can arrive at my desk or leave by pulling out or plugging in a single cable. Everything else I then need for travel remains in my backpack, requiring me to only transfer my laptop.

The Hunt for More Pixels

After upgrading to the MacBook Pro last year (from the MacBook Air), the biggest impact to my daily experience has been the quality of the display. Crisp text, icons and high quality OS and application artefacts in both macOS and Windows 10 is a joy to use. 

Did I mention this screen is amazing? I never want to see a pixel again #macbook #apple

— Aaron Parker (@stealthpuppy) August 2, 2017

I’m of course spoilt by having access to a MacBook display, but it’s driven me to want a similar experience from my external monitor. To that end, I’ve looked at adding a 4K display to my layout. I have been plugging into an external 1080p monitor for dual screen work and the difference in quality to a 4K display is noticeable. 

Playing Hardware Roulette

When I first started looking at simplifying my setup, I started with the monitor – originally I was looking at a USB-C or Thunderbolt monitor that could drive everything rather than the seperate dock and monitor that I’ve ended up with. The choices for USB-C monitors are still limited in 2018 and Thunderbolt even more so; however, it seems we’re at an inflection point with USB-C and I suspect that within 12-months, USB-C will be everywhere. Thunderbolt 3 is even appearing in a good number of PCs.

To make a choice for what works for you, I would recommend starting with a display with a resolution and size that suits your needs, then consider ports and how you’ll connect it to your MacBook or PC. However, unless you can test your hardware choices you’re often playing roulette when purchasing tech devices, so relying on reviews and crossing my fingers is what I’ve done with this purchase.

Pixels Be Gone!

High resolution displays are moving beyond 1080p with 4K monitors being a common option for both PC displays and TVs. With a pixel density matched to the right physical size of the display you can have resolutions where it’s impossible to see individual pixels providing an outstanding visual feast.

Here’s two articles I recommend reading on the topic of displays and pixel density – while written primarily for a Mac audience, they’re still applicable to Windows PCs:

The short version is this – the aim of a ‘Retina’ display is that you don’t see individual pixels, so as the screen size increases, you need to increase resolution.  Sounds simple enough, but I think it’s easy to believe that a 4K 27″ display will give you retina quality, which is just not the case.

So with the desire to improve my external display options, I needed to find the right monitor and look at how to connect to it.

Choosing a 4K Display

LG provides two purpose built monitors for the Mac both of which come with trade offs and caveats if you want to support cross platform:

  • The LG Ultrafine 4K monitor. This 21.5″ monitor has an amazing display with full macOS support (given that it was built for the Mac), but the additional 3 USB-C ports are USB 2 speeds only. With the peripherals I need to drive as well, this would just require too many additional dongles. On top of the $1010 AUD, I’d need to account for the price of additional dongles
  • The LG Ultrafine 5K monitor, this model does come with USB-C 3.1 ports, but to drive this display, you’ll need the 15″ MacBook Pro. It has the same number of USB-C outputs and the same issue with dongles if you have more than 3 peripherals to plug into it. This is the model I’ve seen in person and the display is outstanding

Both of these monitors should in theory work with Windows devices, but given that all control is provided in software (built into macOS), they aren’t really going to be a monitor to consider if you’re on PC. There’s plenty of reviews on these monitors if you’re interested.

There is a range of USB-C monitors available in 2018 which typically start at 27″ and for anything reasonable, you’ll be paying $500 USD and up, but I had three drivers for a choice in monitor:

  1. A 4K resolution to get to a Retina display as close as possible
  2. Keep the size 24″ to match my existing 1080p monitor and not go above a physical size that would show individual pixels
  3. Desk space – dual 24″ monitors takes up almost my entire desk, so anything larger would force me back to a single monitor setup

The choices of 24″ 4K monitors is even more limited and considering that I need to connect to it, I need to factor in the cost of a dock. Sticking with a 4K 24″ monitor should match the scaling of my existing monitor at 200%, so items should appear at exactly the same size, but four times the fidelity. However, I had no way of determining exactly how it would look before purchasing.

Picking the Right Cable

To drive a 4K monitor, you have a choice of DisplayPort or HDMI, but today, DisplayPort is your best choice – this might change soon though as HDMI 2.1 devices arrive. DisplayPort and HDMI are a bit of a mess right now with multiple versions that support different resolutions and frame rates. HDMI 2.0 is needed at a minimum, but DisplayPort 1.4 is pretty common.

With DisplayPort though, keep in mind you’re likely to require an Active DisplayPort cable when connecting over DP from a dock. This might be monitor and dock dependant and there’s no guarantee that the DP cable that comes with your monitor is an Active cable.

Thunderbolt 3 Docks

At this point, I should probably explain my choice of Thunderbolt over USB-C – it comes down to bandwidth. Thunderbolt is capable of 40 Gbps, while USB 3.1 over USB-C has a 10 Gbps maximum throughput. To drive 4K and 1080p monitors, 1Gbps ethernet, a USB microphone, scanner, audio and an external HDD, I need no bottlenecks over a single cable. I could possibly replace the 1080p monitor with another 4K, but I may be pushed the Intel GPU a bit far at that point. So Thunderbolt ensures that I have no issue with bandwidth for the foreseeable future.

Here’s a couple of great articles that test and compare various docks and I used these to inform my choice of dock.

  • Guidemaster: Picking the right Thunderbolt 3 or USB-C dock for your desk at ArsTechnica
  • The Best Thunderbolt 3 Docks at WireCutter
Thunderbolt Cable Considerations

If you do go down the Thunderbolt route, be aware that it too has requirements on cables – if you go beyond a 50cm cable, the bandwidth will half and you need to source an Active Thunderbolt cable to keep the 40Gbps bandwidth. My recommendation is to stick with a 50cm cable if you can.

Hardware Experiences

So what is the experience or usability like? Here’s a quick overview of my chosen hardware.

Caldigit TS3 Plus

Picking a Thunderbolt 3 docks was fairly simple – ensure I have enough ports, including DisplayPort, and see what the reviews recommend. With that info in hand, I settled on the Caldigit TS3 Plus. This dock has plenty of ports for all of the peripherals I need to plug into it, including DisplayPort and Ethernet.

Ports on the Caldigit TS3Pro Thunderbolt 3 dock

I have added a USB-C to HDMI adapter to connect my existing 1080p monitor. I’ve found StarTech adapters and cables to be good quality at reasonable prices. Interestingly, I’ve had to plug this into the second Thunderbolt port on the dock to get video out, so even though the dock as 2 USB 3.1 Type-C ports, only the second Thunderbolt port must support DP Alt Mode.

The dock came with a 50cm Thunderbolt 3 port and 85W output, thus the single cable powers my laptop and connects to all external peripherals. It’s a solid unit in brushed aluminium with a power supply larger than the device itself, which should hopefully assist with heat dissipation. 

The Caldigit TS3 Plus next to a 60W Apple power supply and its own external power supply

Thunderbolt on macOS is plug-and-play and  I was able to unbox the dock and plug-in within a few minutes. I have the dock on top of my desk rather than mounting underneath for access to the SD card slot and front facing USB slot. The only change I would have liked to see would be to have the audio ports on the back of the unit to make routing cables easier.

Purchase? Yes, absolutely.

Dell P2415Q

In 24″ 4K monitors I had basically two choices:

Based on reviews, an in-built USB hub and an optional speaker that attaches to the bottom of the monitor, I went with the Dell. It has bezels that are thicker than I’d like, but overall it provides a pretty good display. It’s not near the LG Ultrafine in quality, but it’s reasonable for the price. The difference in display quality due to the sheer number of pixels between this screen and the 1080p next to it, is huge.

The monitor comes with a cable with DisplayPort to Mini DisplayPort connectors, which I assume is to either reduce cost, or enable input from Dell PCs with Mini DisplayPort. Thankfully it has work OK, going from full size DisplayPort into the dock and Mini DisplayPort into the monitor. Presumably then, the cable is an Active cable. There are two more full size DisplayPort ports available, so I should be able to plug in my desktop PC in the future.

Scaling in macOS and Windows 10 works a treat and I’ll discuss that in more detail in another article; however, what concerned me before the purchase is exactly how macOS would scale on screen windows. Fortunately, the default scaling is spot on.

Dell P2415Q scaling options on macOS

My audio inputs and outputs are now a little over the top:

macOS audio outputs / inputs with Thunderbolt 3 and DisplayPort

Purchase? Maybe – this depends on your space requirements and budget. Whatever you purchase, keep in mind the capabilities of your GPU and how sharp you want windows and text to appear on screen. The larger the screen the more chance you’ll see pixels.


Overall, I’m very happy with this setup. I’ve had a chance to tidy my workspace by connecting to a single cable that does it all. While I’ve chosen Thunderbolt, USB-C might work for you and the options for doing so are increasing. 

Fortunately, this particular setup has worked well and does support both Mac and PC. I started with the intention to discuss the software side as well and compare the experience of macOS and Windows 10 for Thunderbolt and high DPI screens,  but that will now have to wait for a follow up. 

Angela Compagnone

This article by Aaron Parker, Thunderbolt 3 – One Cable to Rule Them All appeared first on Aaron Parker.

Categories: Community, Virtualisation