User Workspace Manager
In this section:
- Prepare to Upgrade
- Upgrade with the User Workspace Manager Installer
- Upgrade Application Control
- Upgrade Environment Manager
- Upgrade Configurations
- Upgrade Servers
Note that when upgrading server and database infrastructure we recommend you upgrade by no more than 2 major versions in each step. Upgrading 3 or 4 versions in one operation is not a method that has been tested and could produce unexpected behavior. For further information please refer to this Community article.
Existing User Workspace Manager software packages upgrade automatically during the installation process, including database schemas, agents, and configurations. Prior to an upgrade, it is recommended that you do the following:
- Back up all databases
- Save all product configuration packages from the console as MSI files.
- If necessary, save all earlier versions of the product agent software that you would like to maintain.
- You must upgrade the Management Server before you upgrade the Deployment Agent. The Management Server must be of the same version number or later than the installed Deployment Agent.
- Disconnect all users from the Personalization Servers.
- Take all Personalization Servers offline until the upgrade is complete.
- Run the whole suite installer to upgrade components.
Run the Installer by executing the setup.exe file in the installation media.
The Welcome screen displays.
Select Upgrade and click Next.
The Product Selection screen displays.
Only the products currently installed display for you to select to upgrade. If you have server products installed, each instance is listed. Select the ones to upgrade.
Select the product components that you want to upgrade and click Next.
The Summary screen displays listing the products to be upgraded.
The next step depends on whether all prerequisites are installed:
If any prerequisites are missing the Prerequisites screen displays.
Select InstallAll to install all missing prerequisites. Once all components are installed the upgrade process starts immediately.
- If there are no missing prerequisites the upgrade process starts.
- If there are missing server prerequisites the Server Prerequisites screen displays, select Install All to install all missing components.
On completion the Upgrade Complete screen displays.
- Click Finish to exit the Installer and open the Help Portal.
If you are upgrading configurations used in previous versions of Application Control, the introduction of the Process Rules and Group Management functionality may render the following parts of the configuration redundant:
- Trusted Applications
- Signature Groups
- Network Connection Groups
- URL Redirection and Custom Rules
Upgrades and Process Rules
If the Application Control configuration contains Trusted Application rules, the upgrade will preserve the Trusted Applications feature’s behavior although some functionality regarding the three Trusted Applications options may be lost.
The table below shows how the various Trusted Application states will be converted to Process rules during a configuration upgrade.
Trusted Application State
No Process rules added.
Disable Trusted Applications Checking
No Process rules added.
Only when blocked by Trusted Ownership
For each Trusted Application defined:
A new Process rule is created with the name Upgraded Trusted Application Rule (*).Where * represents a number automatically incremented from 1 to the number of Trusted Application rules present in the configuration being upgraded.
A new Process Identifier is added to the newly created Process rule.
If the Trusted Application rule was defined using a full file path then the process identifier list has one file name entry with the exact same text.
If the Trusted Application rule was defined using a digital signature then the process identifier has one digital signature entry with the same digital signature. Any file name information is preserved.
For each of the trusted content entries for the Trusted Application rule, a new Allowed Item is added. The Trusted Ownership setting is set to Off, for all added entries.
Upgrades and Group Management
If the Application Control configuration contains Signature Groups and Network Connection Groups, the upgrade directly converts them to Group Management and renames them Groups. The name of the Signature or Network Connection Group remains the same and the contents of the Signature or Network Connection Group remain the same.
To avoid any problems that may be encountered if the upgrade produces any duplicate names, each upgraded Group will be suffixed with its origin and that it was an upgrade.
A Signature Group called A, becomes a Group called A - Upgraded Signature Group.
A Network Connection Group called B, becomes a Group called B - Upgraded Network Connection Group.
URL Redirection and Custom Rules
Custom rules and URL Redirection in Application Manager 10.0 and later (Application Control from 10.1 FR1 and later) differ considerably from versions 8.8 and 8.9. You can upgrade version 8.8 and 8.9 configurations by opening them in a version 10.0 or later console and saving them. This changes the configurations as follows:
- Custom rules are recreated using the new version 10.n conditions, matching the behavior of the earlier version rules.
- URL Redirections are converted to Custom rules that contain:
- Matching conditions for connection types, IP addresses, and port numbers.
- Browser Control items for the sensitive URLs.
- If you don't upgrade the configuration, the Application Control Agent version 10.n still reads the configuration, but the URL Redirection and Custom rules are ignored. The rest of the application still applies.
Environment Manager components must be upgraded in the following order:
All Personalization Servers and Databases
All Personalization Servers and Databases must be upgraded together - if you are using SQL replication then see separate best practice guides on upgrading the database and server.
Personalization Server is only compatible with the matching console version, so the consoles will need to be upgraded immediately after the servers. Note that the Policy configuration should not be upgraded until step 4.
The Personalization components in the Environment Manager Agent are compatible with all Personalization Server versions.
If you have configurations created with older consoles then you might need to upgrade agents and configurations simultaneously, one group at a time.
When new agents have been deployed to all endpoints and are working successfully then any legacy policy configurations in use can be upgraded by the latest console and deployed.
Endpoint Configuration Merging
If you are using the Endpoint Configuration Merging function in Environment Manager, all configurations must be of the same EM product version. Upgrade all configurations before merging. For more information see Configuration Endpoint Merging in the Environment Manager help.
- Personalization Groups that used Global Desktop Settings that were Shared are placed in a GlobalShared Windows Settings Group.
- Personalization Groups that used Separate Global Desktop Settings are placed in the Windows Settings Groups to match the appropriate operating systems:
- Personalization Groups that used specific shared and separate Desktop Settings are placed in either of the following Windows Settings Groups:
- [Personalization Group Name]_Shared
- [Personalization Group Name]_OS
- Session Data is placed in a SessionData Windows Settings Group.
- Certificates and Credentials are placed in the Security Windows Settings Group.
These groups are created to ensure backward compatibility during the upgrade process. They are applied to Personalization Groups that are using Desktop Settings when the Environment Manager agent is upgraded to 8.6. It is recommended that they are replaced using the default 8.6 Windows Settings Groups wherever possible.
Upgrade The Logon Trigger
In Environment Manager 8.5, a new Logon trigger structure was introduced replacing the single Logon trigger with three sub-triggers. This increases efficiency and speeds up login times, as Environment Manager actions can be configured to run at their most appropriate point during the user logon process:
- Pre-Session - Actions take effect before terminal services is notified of the logon. Registry, Group Policy, and Environment actions are compatible with this sub-trigger. During the upgrade, actions that were previously in the Logon Environment tab are moved here.
- Pre-Desktop - Actions take effect when the user logs on to the system but before the desktop shell has started. During the upgrade, actions that were previously in the Logon trigger are moved here.
- Desktop Created- Actions take effect after the desktop shell and Explorer has started. To improve efficiency and logon times, any non-critical Logon actions should be added to this trigger, for example, mapping drives and printers.
The graphics below show a single configuration before and after Logon trigger upgrade:
After upgrading the configuration:
Logon Condition 1 has been moved from the Logon Environment tab to the Pre-Session trigger
Nodes 1, 2, 3 and 4 have been moved from the Logon node to the Pre-Desktop trigger
The Desktop Created sub-trigger has been added
If you do not upgrade the Logon trigger, the upgraded configuration will open with the single Logon trigger. You will be prompted to upgrade each time you open the configuration.
The Logon trigger method can be changed at any time using the Advanced Settings in the Environment Manager console. See Configuration Settings in the Environment Manager Policy Help for further details.
The client maintains both the legacy format and the saved certificates and credentials in the same profile. When a new client logs on with an old profile, the client uses the old format to restore the certificates if there is no new-format data, and saves it in the new format. From then on there is no roaming between legacy and new clients.
Personalization Operations Bulk Operations User Selection
The Personalization Operations utility, introduced in Environment Manager 10.n, is a web-based console for managing personalization data. You can create bulk data operations for multiple users that apply to Personalization Groups, Active Directory (AD) groups, or specific users. The Active Directory (AD) group information in the database comes from the endpoints. When a user logs on using a version 10.n endpoint, the endpoint provides a list of the AD groups to which the user belongs. Endpoints running earlier versions of Environment Manager do not provide this information, so in a newly-upgraded system there is no AD group information at all, and selecting users by AD group is not possible. As the endpoints are upgraded to version 10.n and users log on, the database receives AD group information about the users and searching for AD groups works.
User Workspace Manager product configurations must be upgraded sequentially by major product version.
To upgrade a configuration, open it in the latest product console. The console detects that the configuration was created in an earlier version and prompts you to upgrade. When the configuration is subsequently saved, it is saved as the latest version and it is ready to be deployed using a deployment mechanism.
Environment Manager policy configuration files are upgraded when opened in a combined or policy console. When you open a configuration created in a more recent version of the console, you are asked if you want to upgrade the configuration. Click Yes to upgrade, click No to open the console with an empty configuration.
Save the configuration to complete the upgrade and ensure compatibility with the latest version of the agent, server, and console. Once the configuration has been saved it is ready to be deployed.
Policy configurations cannot be upgraded in the Personalization only console. They can only be upgraded if opened in the policy or combined console.
Caution: Any work in progress configurations are deleted during the upgrade process, so they must be saved before upgrading.
All servers connected to a database must be upgraded at the same time.
For further information on upgrading servers, see Upgrade.
Was this article useful?
Copyright © 2019, Ivanti. All rights reserved.