Custom Restriction Fields in Provision
under review
Stuart Pearson
It would be useful to be able to add custom data to "Provisions". "Device ownership" and "On-site" are both based on registry keys. Being able to have admin-created additional types would allow users on AppsAnywhere Cloud or users where the devices are not AD-joined to be able to better control application visibility.
i.e. Custom restrictions could be created based on registry keys or file existence / contents to create better flexibility for denying access to apps that are not licensed in certain areas.
James McNab
Documentation for the preview Device name restrictions feature is now available on our docs site: https://docs.appsanywhere.com/appsanywhere/3.2/device-name-restrictions-for-delivery-methods
A
Andy Corps
James McNab, Thanks for this. Its a step towards what we'd like.
Unfortunately our naming convention to assist in simplification of Intune device deployment, and ease DNS updates when devices are possibly moved from one lab to another, our device name patterns are based on the devices serial number rather than location with a minimal 3letter prefix.
Its unlikely we'd be able to convince the powers that be of a more descriptive device hostname, :-(
James McNab
After further discussions and feedback, we now have a new feature available in preview for AppsAnywhere 3.2; Device name restrictions for delivery methods.
Device name restrictions allow delivery methods to be restricted to specific devices by name. This is useful when application access is controlled via SAML, including AppsAnywhere Cloud. This is our first step to provide you with more ways to target applications to specific devices in non-AD environments and for devices that are not AD-joined.
We are planning to release the registry tag based restrictions discussed below later this year, which will give you an even more flexible way to control applications based on device.
Device name restrictions is available in preview for AppsAnywhere 3.2, and must be enabled by AppsAnywhere support. Please contact your Customer Success Manager for more details and to schedule the update.
James McNab
We are actively looking at this suggestion and how we might implement it, we appreciate this is a limitation of AppsAnywhere Cloud as SAML has no concept of devices.
This would also help with https://feedback.appsanywhere.com/feature-requests/p/entra-machine-groups ahead of us implementing support for Intune device groups.
Nothing is nailed down yet but this is how I'm currently thinking about it:
- You deploy a registry key to the desired devices in an (e.g. HKLM\SOFTWARE\Software2\Tags\DeviceGroup) with a desired value (e.g. AdobeAllowed).
- You add a registry key tag restriction to the delivery method, setting the tag name and value to look for (DeviceGroup and AdobeAllowed).
- The AppsAnywhere client detects any registry keys and their values set within the path (e.g. HKLM\SOFTWARE\Software2\Tags\... and sends these tags and their values to AppsAnywhere during validation.
- AppsAnywhere restricts the delivery method to devices with the required tag and matching tag value.
Would this be a workable solution?
James McNab
Development Manager - AppsAnywhere
Stuart Pearson
James McNab,
That sounds reasonable as long as there is potential for a large(ish) amount of registry tags to be used - which it sounds like there probably would be.
Personally, I'm not too fussed about variables or files so if it's easier to use registry keys then that's fine by me.
Stuart
James McNab
Stuart Pearson Hi Stuart, thank you for the feedback.
How many tags you would be looking to create if we had this feature?
Stuart Pearson
James McNab,
It's quite hard to say, as a new user, but I can imagine somewhere around the 15 mark at the moment although I had envisaged that an (almost) infinite amount would be possible. It might be worth trying to understand how many AD groups a typical admin would have linked into their Provisions.
Stuart
Stuart Pearson
I would hope / envisage being able to set multiple custom tags, as you say Andy, based on registry / file / variable. These could be pushed out by any method - Intune, GPO, SCCM etc so would be useful for all customers, not just AppsAnywhere Cloud / Intune.
James McNab
under review
A
Andy Corps
Agreed. Simplest solution I can see is to apply a "tag" (via reg or env variable or file) to a device via Intune while deploying the AppsAnywhere client.
This tag could be used as a restriction type.