How to Simplify Centralized Image Management in Nutanix Frame with Microsoft Application Masking

April 29, 2021

Microsoft® (FSLogix) Application Masking is a great product to use with the Nutanix® Frame Desktop-as-a-Service (DaaS) solution. Application Masking makes centralized image management even easier by hiding applications based on conditions. With Application Masking, you can install all the applications into a single Frame™ sandbox and then provide access to these applications based on conditions such as group membership and many other options. The benefits are fewer master images, the ability to hide applications when publishing full desktops, and the ability to control application license usage.

You can see all of this in action in a demo video I’ve embedded below. It showcases the configuration of Microsoft Application Masking and the user experience both for users accessing “designer” applications running on NVIDIA-powered GPU virtual machines and for users leveraging “sales” applications running on CPU-only virtual machines, all from a single managed image.


What if you could install all Windows® applications into a single Frame sandbox, thereby limiting the number of master images? Imagine you could hide applications and their components based on conditions, such as Identity Provider group membership or environment variables, all within the same Frame-powered Windows desktop solution.

What if you could grant or deny access to applications, just by modifying the users’ Identity Provider group membership? This provides options of integrating your application delivery into self-service portals or (automatic) approval processes - users get the right set of apps without even touching the Frame environment! Or what if you could provide GPU-powered instances to “Designers” only and “NoGPU” instances to Sales, to accommodate their specific sales tools, all within the single Frame account? 

You can do this and more without using complex solutions, such as the free Microsoft AppLocker or paid third-party User Environment Management solutions. How? Just use Microsoft (FSLogix) Application Masking and Frame together.

Value of Application Masking + Nutanix Frame

  • Single image management made simple. Install tens to hundreds of applications into the same Frame “Gold Master” (aka Sandbox) and hide applications based on rules.
  • Fast logon times - no need to copy, install, or stream apps at user logon.
  • Dynamic access to applications based on rules or conditions such as IdP group membership, Windows variables, or Frame environment variables. The FSLogix filter driver hides the applications or components, such as fonts, folders, registry keys, and the Java Runtime, with ease.
  • Deliver a full Windows Desktop interface to users while dynamically providing access with granular access control to applications based on conditions. 
  • Free of charge for many, if not all, who are using VDI and DaaS. You are most likely eligible to access FSLogix Application Masking if you have one of the following Microsoft licenses.
  • Application license control. Define rules and control who (device + users) can access, for example, Microsoft Visio or Microsoft Project while the application is installed into the sandbox.
  • Application performance at native speed. No additional system resources are required by the Workload VMs when using the Application Masking rules.
  • Not dependent on Microsoft Active Directory. Application Masking and Frame work in Microsoft “Classic” Active Directory (AD) domain-joined environments and also in non-domain-joined environments. It is great to have a choice and to support a diverse set of customer use cases. Nutanix Frame is a born-in-the-cloud Desktop-as-a-Service solution and, unlike many other VDI/DaaS solutions, it doesn’t require classic AD to operate.
  • No (complex) 3rd party application layering solution needed to provide instant access to applications based on conditions.

Good to know!

  • Microsoft FSLogix Application Masking isn’t a replacement for “Application Isolation” solutions. When applications or components conflict with each other, both Application Masking and Application Layering very often don’t help. Solutions like Microsoft App-V or VMware ThinApp are primarily designed to isolate Windows applications and components.
  • Microsoft Application Masking isn’t a replacement for “Application Layering” solutions. There is overlap for sure, but there are also clear differences. While Application Masking has many great benefits and use cases, the actual applications still need to be installed and updated in the Sandbox “Gold Master.” One very common way is to manually or automatically install the applications into the “Gold Master” (aka Sandbox). Customers often use existing processes and tools such as Microsoft SCCM, Automation Machine, Packer, Chocolatey, Scoop, and many others. These tools are responsible for installing, updating, and maintaining the operating system and Windows applications within the Sandbox.
  • Another way to dynamically deliver applications to the Windows desktop environment without affecting the underlying Windows image or OS is to use application layering solutions such as Liquidware™ FlexApp application delivery.

And Action!™

It is great to see the combined Application Masking and Frame solution in action.

The demo video shows what the actual end-user and administrator experiences are.

Two separate Frame sessions will be started; one user is “Sales” and the other user is “Designer.” 

Microsoft Application Masking rules and associated conditions make sure that “Designer” only has access to the “designer applications,” such as Adobe and Autodesk software, while the user “Sales” can only see and access Microsoft Office applications.

Also, using Nutanix Frame’s easy account and image management, the designers are able to run all these applications on an NVIDIA GPU-powered machine, while the sales user runs the Microsoft Office productivity applications on a NoGPU, CPU-only machine. This is all running and managed from a single Frame account with a single Sandbox image.

Also, the administrator created different rules to hide “Sales” and “Designer” applications using the Microsoft Application Masking FSLogix rule editor. In this example, the Frame Account is configured to use “Domain Joined Instances” and various Active Directory security groups are configured to use the AppMasking rules.

Try Nutanix Frame for Yourself

The great news is that it’s fast, easy, and free to give Nutanix Frame a test drive yourself. You will get a great overview of both the user experience and admin experience. If you want to evaluate Frame and start a 30-day trial, check out this page for more information.

Ruben Spruijt - Sr. Technologist Nutanix - @rspruijt

© 2021 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).