The following blog is one of a series of blogs that will discuss the integration of third-party User Environment management solutions. This blog will focus on Liquidware ProfileUnity™ profile manager with a Nutanix Frame Desktop as a Service (DaaS) deployment. We will break down the ProfileUnity capabilities and a high-level implementation as follows:
- What is ProfileUnity
- How Does ProfileUnity Work
- Why ProfileUnity with Frame
- ProfileUnity vs Nutanix Frame Enterprise Profiles
- How to implement ProfileUnity with Frame
What Is ProfileUnity
ProfileUnity is a User Environment management solution that delivers a full spectrum of features that includes Profile Management, and Centralized Policy Management that goes beyond traditional Microsoft Group Policies, as well as advanced features such as Privilege Elevation and Application Rights Management.
The capabilities with ProfileUnity are vast and far reaching, some key aspects are:
- Centralized Dynamic User Profile, App Management, and Policy Managementacross all Windows workspaces.
- Context-aware filters apply profiles, app management, policies and FlexApp delivery.
- Works across mixed OS versions for zero downtime migrations/co-existence.
- Supports Physical, Virtual, and Cloud Workspaces – Amazon Workspaces, Nutanix Frame, Microsoft Azure, Google Cloud Platform, and others.
In this blog we will discuss specific aspects of the product, primarily the User Profile and Policy Management features configured within a Nutanix Frame deployment as the area of focus. A future blog will cover the Application Management aspects with Nutanix Frame.A breakdown of ProfileUnity from a reference architecture perspective is as shown in the figure listed below:
How Does ProfileUnity Work
ProfileUnity is available as a standalone product and consists of three parts:
- The Management Console - provides one central location where administrators can configure persona management, user, and machine policies.
- The Client Tools - manages each user’s settings and persona during their session.
- The FlexApp Packaging Console (optional) - allows administrators to configure and prepare any applications that will need to be configured for users and made available as a department installed application (DIA) through application layering. (Planned to be covered in a future blog.)
The user environment is centrally managed via the Management Console and configured and maintained within a database to point to file shares and storage locations for configuration file settings, (a ProfileUnity Netlogon or UNC Shared folder) and for user data and configuration persistence (a ProfileUnity user data share or storage container location). As users login, the user experience is actively configured, monitored, and maintained while in a session, then persisted and written back to the user data location by ProfileUnity at logoff. There are many areas in which ProfileUnity can manage a user environment and persona. All contained within a configuration database, managed within the ProfileUnity console. These can be seen in the figure listed below:
Note the items with numbers in red in the figure above, these are the areas in which configurations have been set (all of which are default settings by ProfileUnity). These items in red are as listed below:
- Portability Settings (35)
- User Defined Scripts (7)
- Application Launcher (15)
- Registry (28)
- Folder Redirection (6)
- Windows Options (1)
The initial numbers listed beside each in red are the active configurations that have been set, that are general best practice configurations Liquidware has found to enhance a user's environment experience and persona in a Windows desktop environment.
Liquidware has created configuration templates that automatically pre-configure settings based on the goals you are trying to achieve in your environment. You also can add or import custom templates into this library from the Administration area.
There are two user profile or persona specific areas of a ProfileUnity deployment that can be used for persistence these are:
- Profile Disk (VHD or VHDX)
- Portability Settings (Files and Folders)
A ProfileUnity deployment can leverage either or both capabilities depending on use case needs and requirements.
The profile disk is what is called the “E-Z button” for user data persistence. It will simply capture all user data and changes within a session and write the data and changes back to a mounted profile disk located on a traditional file share, or in a cloud-based storage model. This method consumes more storage space but allows for a more fundamental approach to user data persistence. Also, user data cannot be migrated directly into or out of the disk. As an option, a Microsoft FSLogix profile disk can be used instead to accomplish a similar unmanaged profile. It is important to note that either Profile Unity’s Profile Disk or FSLogix profiles are susceptible to Microsoft profile issues such as profile corruption. Profile Unity’s Portability feature mentioned below overcomes profile corruption and adds robust capabilities, such as profile rollbacks, to either a Profile Disk or an FSLogix profile.
The portability settings are a more dynamic approach that can be used alone or alongside a Profile Disk or FSLogix profiles. Profile Portability stores a folder and registry have a users’ profile on a traditional file share, or in a cloud-based storage model. Profile Portability allows you to manage the user experience more granularly to meet more demanding use case requirements, that go beyond simply persisting user data. When used with Profile Disk or an FSLogix profile, profiles can be set to automatically heal if they become corrupt. Profiles can also be rolled back by an Administrator. Only select profile data is saved (a smart profile) and the data is also compressed when stored. This method uses less storage space when that is a requirement, additionally this is also ideal for user profile migration strategies as ProfileUnity’s portable profiles work across multiple Windows OS versions automatically.
Policy management is easy to perform with ProfileUnity which includes a comprehensive set of advanced context-aware filters that go beyond Microsoft’s Item Level Targeting. ProfileUnity provides features not available in Group Policies. While you can keep using Microsoft Group Policies (GPOs) and ProfileUnity together, you can also replace most GPOs with ProfileUnity policies which can provide more granular control over users and the conditions by which they can access resources.
One clear benefit of ProfileUnity policies are much faster login times. Microsoft Group policies can be slow to execute on users’ desktops. It can sometimes take minutes for a user to login because of the time it takes to apply Group Policies or login scripts alone –and this does not count actual profile load time. A main reason Group Policies are slow is because they tend to conduct a Microsoft Active Directory (AD) lookup for every single policy being applied to a user. This operation creates a lot of overhead on the network and takes a while to process.
ProfileUnity can execute policies based on Microsoft AD criteria but can also leverage more than 300 combinations of variables that are defined with ProfileUnity’ s context-aware filters. ProfileUnity applies policies much faster than Microsoft Group Policies because it performs one master lookup when authenticating policies against Microsoft AD.
The granular control that ProfileUnity context-aware filters provides, also significantly enhances workspace security with precise policies that also are universally applied to all Windows desktops in the environment. The Filter Screen to manage this is as shown in the figure listed below:
Why ProfileUnity with Frame
So why is ProfileUnity a good fit for a user environment management solution when using Nutanix Frame? There are numerous reasons some of which are detailed below:
- Multiple Frame account (and local account) access from one centralized User Profile source
- Migrate or Co-exist Windows OSs – seamless onboarding to new desktops physical, virtual or cloud
- Fast profile handling – Office 365, OneDrive, and similar large profiles are easily handled with ProfileUnity’s Profile Disk
- Replace Roaming Profiles – solving profile portability, granular, faster, and dependable
- Lower costs of delivering VDI – lower storage and management costs
- Make more users compatible with virtual or cloud desktops – knowledge workers and power users can have the customizations and apps they demand
- Deliver context aware desktops – printer management, settings, shortcuts, etc. all based on custom filters
- Disaster Recovery - Persona, data, and apps restored in seconds to any Windows desktop – multi-cloud strategies are also supported
- Ongoing management of the desktop – provision settings, configure, registry, lockdown, etc.
- One central user management console -Persona, Apps, Configurations, and central migration settings – for all Windows desktop
Using ProfileUnity with Frame is ideally best suited for when you want to go beyond the default out of the box experience within Frame for user environment management and persona persistence.
Let us say for example you are in a hybrid cloud model (see figure below) and using both private and public Frame accounts that you wish to have the user experience within each be referenced and maintained from a central location for the user's persona. Or you want multiple Frame accounts with the same cloud model to use a centralized solution. ProfileUnity is a great fit for these use case needs and requirements.
ProfileUnity vs Nutanix Frame Enterprise Profiles
Frame Enterprise Profiles
One important aspect of Nutanix Frame is that it already has a built-in User Environment persona management feature called Enterprise Profiles. This feature is an OEM version of a ProfileUnity Profile Disk that has been developed and deployed via a partnership between Liquidware and Nutanix Frame. This feature is very simple to implement and can be done without the use of the full ProfileUnity product. It comes standard with Nutanix Frame as part of any Frame subscription. For more detail on the enterprise profile feature please refer to the following link: Enterprise Profiles — Nutanix Frame Documentation documentation.
The capabilities of Nutanix Fame Enterprise Profiles compared against the full ProfileUnity product are as follows:
|Nutanix Enterprise Profiles||Liquidware ProfileUnity|
|Profile Disk||Profile Disk|
|User Data||Advanced Filters|
|Portability (multi-Frame account use case, local physical desktop, physical and virtual together)|
|ADMX (GPO managed)|
One important drawback to the Nutanix Frame native feature is that it is tied to a single Frame account and cannot be centrally accessed across multiple accounts for the same user. For a centrally managed profile solution across multiple Frame accounts, you will need to use the full ProfileUnity solution, and disable this built-in feature.
The table below highlight the Pros and Cons of the Nutanix Frame Enterprise Profile feature:
|Built into Frame||Not as flexible|
|Simple to Manage within Frame||Garbage In Garbage Out model (GIGO)|
|Feature parity with a Microsoft Standard (FSLogix VHD)||No Enterprise Features|
|No additional Licensing costs||Mobility (one per Frame Account only)|
|Autogrow capabilities||Single availability Zone (AZ) and no multi-Region availability in public cloud|
|Integrated disk backup solution||Potential for corruption|
How to implement ProfileUnity with Frame
Now let us talk about how we deploy ProfileUnity with Nutanix Frame. We will detail the requirements for each product, then the steps for deployment within a Nutanix Frame environment.
- Microsoft Windows Active Directory (AD) is required to deploy its client files to the desktop and point the user to its configuration file.
- Dedicated OU structure
- A domain-based file share (under Netlogon) to host the ProfileUnity configuration files
- A file share or storage location for user environments
- A windows server (2008R2 or higher) to act as the ProfileUnity management server for console access over port TCP port 8000 (cannot be on a Domain Controller)
The following Environment Access rights are needed to administer the deployment:
- A Windows Active Directory Domain Admin or have equivalent access
- Can create and link Active Directory Group Policy Objects (GPOs
- The Frame account must be using the Frame Guest Agent (FGA) version 8.x.x
- The “Frame” user (admin account) must be excluded (via provided script run once in sandbox VM) from processing a ProfileUnity client tools deployment into the sandbox
- The sandbox should not use local GPOs for ProfileUnity enablement
- Frame Workload VMs will need to be AD domain joined within the Frame accounts and within the OU that ProfileUnity and Frame will manage the workloads
The following primary steps are what is needed to properly configure and deploy ProfileUnity within a Frame environment. These are the minimal steps needed for configuration and are for a single Frame account. For the details specific within each step, please see the reference links at the bottom of this blog to guide you through the detailed sub steps for each primary step listed below (if needed). For conciseness in this blog the detailed sub steps have been kept out.
You can also check this quick start guide: ProfileUnity™ with FlexApp™ Technology: Quick Start & Evaluation Guide.
- Deploy the ProfileUnity management server and console (domain joined) on a server.
- Setup a file share within the Netlogon path (a subfolder and share) to host the client tools and configuration files.
- Configure an AD OU for ProfileUnity to use as per the documentation. (Block inheritance)
- Link the ProfileUnity GPO.
- Configure a file share or storage container for hosting ProfileUnity user data.
- Configure the ProfileUnity setup in the console to point to the file shares used and deployment model wanted (portability, profile disk, or both). Deploy the client tools, apply any filters you wish to use. (Frame connection only for example).
- Update a Frame account sandbox with the deployed ProfileUnity configuration and client tools (initially you copy from Netlogon ProfileUnity share to the VM).
- Remove the OEM version of the ProfileUnity agent from the Frame account sandbox VM.
- Run the Frame user exclusion power shell script in the sandbox VM, reboot the VM.
- Configure the Frame account to be domain joined and point to the AD OU that ProfileUnity and Frame are set up for.
- If enabled, disable the Enterprise Profiles feature in the Frame account session settings.
- Configure and enable the GPO for ProfileUnity in the OU it is linked too, then set startup and logout scripts in the GPO.
- Publish the Frame sandbox to the deployed production pools of VMs in the Frame accounts dashboard.
- Login as a user to a Frame desktop or published application from its launchpad and validate functionality.
# Get SID for local Frame user
$frameUserSID = (Get-LocalUser -Name "Frame").SID.Value
# Resolve local Users group name from SID
$usersGroup = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-545').Translate([System.Security.Principal.NTAccount]).Value.Split("\")
$usersGroupSID = (Get-LocalGroup -Name "$usersGroup").SID.Value
# Load ProfileUnity XML for editing
$xmlFileName = "C:\Program Files\ProfileUnity\FlexApp\LwlLogonNotifier.exe.config"
[xml]$xmlDoc = Get-Content $xmlFileName
# Create "assignments" element and add exclusion entry
$assignment = $xmlDoc.CreateElement("assignments")
$exclusion = 'FlexDisk' -f $usersGroupSID
$exclusion += "`r`n" + 'exclusion' -f $frameUserSID
$assignment.InnerXml = $exclusion
# Append to LwlLogonNotifier.exe.config
Once the ProfileUnity setup steps above are completed you can add more Frame accounts to use the deployment, by simply completing the Frame specific steps listed above for each Frame account needed.
In closing I would like to thank the Liquidware Team for their collaboration and assistance. Thomas Lahaussois thomas @liquidware.com and Thomas Miller firstname.lastname@example.org each for their invaluable assistance with this blog.
Resource reference Links
- Welcome to Frame Platform Documentation — Nutanix Frame Documentation
- ProfileUnity™ with FlexApp™ Technology: Installation & Configuration Guide
- ProfileUnity Advanced Features Overview - Liquidware
- Nutanix Xi Frame DaaS platform Solutions - Liquidware
- ProfileUnity with FlexApp Documentation – Liquidware Customer Support
Dan Simmons is a Senior Solutions Architect with Nutanix Frame who has worked in the public and private sector with an extensive background in VDI. A former Citrix employee in technical support, consulting, and system engineering roles. He started at Nutanix as a federal team resident consultant, supporting Citrix VDI workloads, later transitioning to the Frame Solution Architect team. Dan is also an 82nd airborne infantry paratrooper and combat veteran. Happy father and husband, WWII history buff, amateur no limit Texas hold em poker player, and comic book geek when time permits.
© 2021 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site. Certain information contained in this post may relate to or be based on studies, publications, surveys and other data obtained from third-party sources and our own internal estimates and research. While we believe these third-party studies, publications, surveys and other data are reliable as of the date of this post, they have not independently verified, and we make no representation as to the adequacy, fairness, accuracy, or completeness of any information obtained from third-party sources.
This post may contain express and implied forward-looking statements, which are not historical facts and are instead based on our current expectations, estimates and beliefs. The accuracy of such statements involves risks and uncertainties and depends upon future events, including those that may be beyond our control, and actual results may differ materially and adversely from those anticipated or implied by such statements. Any forward-looking statements included herein speak only as of the date hereof and, except as required by law, we assume no obligation to update or otherwise revise any of such forward-looking statements to reflect subsequent events or circumstance.