How to use FSlogix AppMasking on Intune managed devices


A while ago I was asked to apply FSLogix App Masking at a company to hide MS Office for certain users. Normally with just Active Directory that’s a done deal. But the targets were Intune managed. And since FSLogix Application Masking Is not yet supporting AzureAD we had to find other options.

We found that Hybrid Azure AD-joined offered us the best of both worlds (until Microsoft will support AzureAD in FSLogix App Masking)

I will not describe in this article how to configure a Hybrid Azure-AD configuration, but this site is a good starting point.

To start we will need a copy of FSLogix and a valid license is required. More information about the license requirements can be found here.

Download the latest version of FSLogix from this location.

At the time of writing the version is 2004.

Extract the 2 files:

  • FSLogixAppsSetup.exe
  • FSLogixAppsRuleEditorSetup.exe

Install these two files on a test target device.

After these applications are installed you can get the installation GUIDs for example via PowerShell, we will use these GUID’s later in this article.

EXE files are unfortunately not as easily to distribute as MSI files. But there is a solution, create a Win32 app package of the EXE files. To create a Win32 package (.intunewin file) you will need “Microsoft-Win32-Content-Prep-Tool” (IntuneWinAppUtil.exe) this can be downloaded here. At the time of writing v1.8.1 was the latest version. More information about this tool can be found here.

Download the tool and extract “IntuneWinAppUtil.exe”.

To create these packages start by creating two folders and place the respective files “FSLogixAppsSetup.exe” and “FSLogixAppsRuleEditorSetup.exe” in those folders.

Start by opening Command Prompt with administrative privileges.

You can create the necessary packages by executing the following command:

For our FSLogix Agent executable the command will be:

And for the FSLogix RulesEditor:

We are now ready to import the applications in Intune and distribute it to our test machine.

Go to Intune and logon.

Select “Apps” and select “Windows Apps”.

Next click “Add” to add.

Click “Windows app (Win32)” and click the “Select” button.

Click “Select app package file”

Next select the created .intunewin file and click “OK” to continue.

Enter a Name, Description and a Publisher. All other items are optionally.

Click “Next” when finished.

Next enter the “Install” and “Uninstall” commands leave install behavior to “System”. Select “Next” when finished.

In our case select 64-bit and Windows build 1903. You can fill the rest but these are also optional. Click “Next” when finished.

Next we need to add a detection rule this way Intune can verify if the software was installed.

Select the rule format “Manually configure detection rules”.

Click “Add” to add a detection rule.

Select the type “MSI” and enter the respective MSI GUID we collected earlier and click “OK”.

Click “Next” to continue tot the next step.

If you want, you can add Dependencies. As this is not necessary for this application we can click “Next” to continue.

Next click “Add Group” to add a group. The intention is that you can add computers to that group. Each member will receive the application. You can also skip this for now and configure this later.

Click “Next” to continue.

Finally click “Create” to create the application in Intune.

Next do the same for the FSLogix Rule Editor.

Now wait for the Applications to get installed on the test device.

When installed run the FSLogix Apps RuleEditor with Administrative privileges.

Create a new Rule Set.

Give the set a name like “MSOffice365”.

NOTE: The rules will be saved in the Documents folder by default.

Next select the application we want to hide, in this case Microsoft Office. Click “Scan”.

If you have extra language packs click “Add Another Application”.

Select the other application and click “Scan”.

If needed you can add extra files, folders or other objects to hide.

You can test the rules by selecting “Apply Rules to System”. As soon as this option is selected the rules are active. If you select the option again the rules are disabled.

Select “Manage Assignments” in the File menu.

From the documentation:

“Assignments are executed from top to bottom.

Consider if two assignments were made for the same Rule Set. The first assignment applies the Rule Set to Everyone, the second specifies the Rule Set does NOT apply to User1. In this case, the Rule Set would apply to everyone except User1.” (More Info)

If you want to hide MS Office only for a certain group and allow for anyone else you can configure the following assignments.

You can change the “Applies” option by selecting the rule and change the option.

If you want to hide MS Office for everyone and only show it to members of a certain group you can configure the following assignment.

NOTE: In tests this way didn’t prove to be reliable. There were issues during first login and the intune deployment.

I’ve seen that the usage of an Active Directory group directly in the Assignment Rules did not always apply to new users. Until today I haven’t figured out why that happened. Maybe something to do with hybrid joined machines and timing?

I found out that using a Local group in between did the trick. If you want to configure it for yourself try first without the local group. If this doesn’t give a consistent results try it with the following steps.

Create a (new) GPO and link it to the OU where the Hybrid Computer accounts are stored.

Navigate to “Computer Configuration” / “Preferences” / “Control Panel Settings” / “Local Users and Groups”

Select “New” / “Local Group” in the “Action” menu.

Enter a (Local) Group name and add the AD Group as a member. You can use for example the same name as the Domain Group. This way a Local Group will be added to each (Hybrid) Domain joined target.

To use this Local Group we need to make a change to the FSLogix Masking Rules.

Open the “File” menu and select the “Manage Assignments” option.

Double-click the Domain Group.

You can now change it to the Local Group.

To distribute the rules to our clients we’ll going to create a MSI file. MSI’s are easily to distribute via Intune. MSI’s can be created with the free version of Advanced Installer.

Start by creating a “Simple” project.

Select “Product Details” and enter Product Name and Publisher. You can leave the version number for now. If you ever want to update the rules simply reopen this project change the rules and update the version for example to v1.0.1.

You’ll have to make different packages, one for 32-bit and one for 64-bit to get the files in the right location. As our target OS is 64-bit we are going to make a 64-bit package.

Set the package to 64-bit under Install Parameters. And optionally you can set the “Limit to basic user interface” option.

Go to “Files and Folders” right click “Program Files 64” (this will be the “Program Files” directory on a 64-bit OS) and create the folder structure “FSLogix\Apps\Rules”

Do you remember where we created the AppMasking Rules? (Hint, by default in the Documents folder or where you saved it)

Drag the rules files into the created folder.

When you are finished making the project, save it.

Finally click the Build button. In the location where you saved the project a new directory will be created, “<Project name>-SetupFiles” where the MSI will be stored.

Install the MSI on a test machine and validate if the files are in the expected directory.

You can verify and get the MSI install GUID on the installed machine (we going to need this later on)

If you have validated the files you can uninstall the MSI so we can import it in Intune and test the deployment.

Go back to Intune again and add an application.

This time add an “Line-of-business app” to add a MSI file.

Click “Select app package file”.

Select the MSI file we created earlier.

Add a name for your application and a description. Also add a Publisher for example your company name, because you have created these rules. You can add extra command-line arguments here, but that is not necessary for our created MSI file. The rest is optional. Click “Next” when finished.

Again you can add an assignment or do this at a later stage. Click Next when finished.

Finally click “Create” to create the App.

After you assigned it you can verify in the App Overview

And you can verify it on the target device by checking the Program Files directory.

And that’s it. I know that these are a lot of steps

Leave a comment

Your email address will not be published. Required fields are marked *