Controlling browsers using FastTrack

FastTrack can be used for a variety of purposes in relation to internet browsers. You can use FastTrack to set the default browser and the default home page across Internet Explorer, Firefox and Chrome.

You can also use FastTrack to control which browser is launched, when a user starts a browser link, similar to products like Browsium. A growing problem as Internet Explorer gets more and more locked down for every new version, is incompatibility with legacy applications. This page demonstrates a solution to this problem.

Browser control

Setting the start page

To control the start page for users, we can use the SetHomePage command. While you can set the home page using Group Policies, this only works for Internet Explorer. The SetHomePage command works across Internet Explorer, Firefox and Chrome. The easiest way to set the home page is to set up a FastTrack logon script, as demonstrated here. Once a logon script is set up, you can simply issue the command anywhere in your logon script.

Setting the default browser

If you need to set the default browser, you can use the SetDefaultBrowser command in the same logon script, where you use the SetHomePage command. This command will set the default browser to Internet Explorer, Firefox or Chrome and remove the default browser checks in all three of them. If you set it to for example Chrome and Chrome is not installed, the command has no effect and will not change the current default browser for the current user. There is however one thing to be aware of. If you have clients that are Windows 8 or newer, the SetDefaultBrowser command has no effect. This is because of the legal problems that Microsoft had in relation to free browser choice. For this reason, it is not possible to change the default browser automatically without user consent or by setting it using Group Policies, which requires Windows 2012. This is explained further down.

Logon Script Wizard

You can use the Logon Script Builder to use the commands in the engine to control browser settings, instead of write a script manually. The screenshot below is the browser page of the wizard.

Home Screen Logon Script Browser checks

Using multiple browsers through a mediator

A common problem that many companies experience is that not all web applications work in the most recent version of Internet Explorer. To solve this problem, you can inject an intermediate script into the process, when a user clicks a hyperlink or enters an address in the Windows Explorer address bar. Instead of this spawning the user's default browser, we can inject a script in the middle to control the browser spawn. This script is set as the default browser instead of an actual browser.

Injecting a mediator script as the default browser

If there is a need to use a legacy browser, you can virtualize it using for example Novells' ZENWorks or Spoon, which can sandbox an application, enabling you to produce a single exe file for a virtualized Internet Explorer 6 for example. Your FastTrack controller script then allows you to control when the virtualized application is used. If you detect that a certain partial url is passed to your intermediate script, you start the virtualized exe file and pass the url.

The way we do this is to use the SetScriptAsDefaultBrowser command, which requires us to point to a script file, which will be the script file in the middle in the drawing above. The command will overrule the default browser of the current user and the easiest way to get the command executed, is in a FastTrack logon script, where we simply insert the command in the prelogon.fsh script:

SetScriptAsDefaultBrowser [FastTrackPath]\BrowserControl.fsh

Notice that we point to an intermediate script in the "FastTrackPath" directory. If you take another look at the logon script documentation here, you will notice that the logon script files are cached locally for performance reasons. When we simply create a new script in the "fshbin" folder on the netlogon share named BrowserControl.fsh, we get a "free" deployment of our controller script - and more importantly, you can just alter the script and it automatically takes effect for all users at next logon.

Netlogon script files

Next we need to write the script that controls the logic. The most important thing to know, when writing the script is that we get the url by using the VirtualBrowserURL function and the end result must be that we call a browser passing this parameter to the browser exe. In the real world, a typical reason for needing such a script is that certain internal applications require a different browser than the typically used one and in such a case, we would detect internal server names in the script. For the purpose of demonstration, we will simply let the user use Internet Explorer by default, but if the user starts www.google.com, it will use Chrome. If the users enters a url that starts with the server name "AcmeServer", we will start a virtualized Internet Explorer 6. You get download this script directly in Automation Studio. In the Script Editor, click the "New Script" button and select the "MultiBrowser Control" template script.

''==== RUN CHROME FOR GOOGLE.COM ===

If StartsWith [VirtualBrowserURL],http://www.google.com Then

  If Not FileExists [ProgramFilesDirx86]\Google\Chrome\Application\chrome.exe Then

    ShowErrorMessage "Chrome is required, but not installed. Please contact the IT department."

    ''here we could use the SendEmail command to notify IT using the [ComputerName] and [UserName] functions

  Else

    Launch [ProgramFilesDirx86]\Google\Chrome\Application\chrome.exe,[VirtualBrowserURL]

  End If

  Exit

End If

 

''==== RUN VIRTUAL IE6 FOR URLS STARTING WITH "ACMESERVER" ===

If StartsWith [VirtualBrowserURL],http://acmeserver Then

  If Not FileExists [ProgramFilesDirx86]\Acme\VirtualIE6.exe Then

    ShowErrorMessage "The required version of Internet Explorer is not installed. Please contact the IT department."

    ''here we could use the SendEmail command to notify IT using the [ComputerName] and [UserName] functions

  Else

    Launch [ProgramFilesDirx86]\Acme\VirtualIE6.exe

  End If

  Exit

End If

 

''==== DEFAULT: IE ===

Launch [ProgramFilesDir]\Internet Explorer\iexplore.exe,[VirtualBrowserURL]

Notice that you have all FastTrack commands available in the script. This means that you can email someone in the IT department, if a user does not have a required browser installed. We could also present a graphical menu and ask the user for a preference for certain urls or we can start a Citrix application using the RunIcaApp command as explained here for certain urls.

If all your clients are from the Windows XP or Windows 7 generation, the rest of this page has no relevance for you. For servers hosting remote sessions, Windows 2008 is equivalent to Windows 7 and Windows 2012 is equivalent to Windows 8.

Setting the default browser in Windows 8

Windows 8 introduced breaking changes in options to set the default browser for a user. From Windows 8, it is not possible to set the default browser without the user's consent or by using Windows 2012 Group Policies. This breaking change is a bit annoying for systems administrators, because it means there are two scenarios that have to be handled for mixed environments with Windows XP/7 and Windows 8. The reason for this change is European Union legislation. In 2009 Microsoft committed to allow open browser choice according to IP-09-1941. In 2013 Microsoft was slapped with a $730 million fine for not complying with the agreement (see IP-09-1941). A technical side-effect of this is that it is not possible to automatically set the default browser in Windows 8 without user consent, as this would violate the legislation, which again unfortunately means that the SetDefaultBrowser and SetScriptAsDefaultBrowser commands cannot work from Windows 8.

It is however possible to overrule the default browser of Windows 8 clients (and Windows 2012 remote sessions) using Group Policies on Windows Server 2012. The bad news is that if you have Windows 8 clients and Windows 2008 servers, there is no way you can set the default browser on Windows 8 clients, until you have upgraded to Windows Server 2012. If you Google setting the default browser using Group Policies, you will find a series of registry keys that can be set using Group Polices for Windows 2003 and Windows 2008. These no longer work on Windows 8, because a new hash key that is a unique combination of the user, browser name and protocol is introduced and that can only be generated by Windows itself, when a user uses Default Programs in the Control Panel or it is set using Windows 2012 Group Policies. The hash key exists to prevent the default browser from being set by than other these two.

Introducing: FastTrack's Virtual Browser

In Windows 8 environments, we can only set the default browser automatically using Group Policies. As a script is not an actual browser, the approach needs to be radically different than using the SetScriptAsDefaultBrowser command, to be able to inject a script as a default browser on Windows 8. The InstallVirtualBrowser command will allow a script to impersonate a browser. If you execute the InstallVirtualBrowser command on Windows 8, Windows 8.1, Windows 2012 or any newer version, a virtual browser will be listed in your default programs list:

Virtual browser

The InstallVirtualBrowser command needs a script file as input for installation, just like SetScriptAsDefaultBrowser.

InstallVirtualBrowser BrowserControl.fsh

In mixed environments, the script file used for InstallVirtualBrowser (Windows 8) and SetScriptAsDefaultBrowser (Windows XP/7) is the same script, because they are just two different means of achieving execution of the same script in the same scenario (the user starts a hyperlink). But while the SetScriptAsDefaultBrowser sets a script as the default browser for the current user (typically in a logon script), the InstallVirtualBrowser installs the virtual browser at the system level like real browsers and the InstallVirtualBrowser command must therefore be executed once as an administrator on each client in order to install it. An example of deploying an InstallVirtualBrowser script is shown further down.

The purpose of emulating a browser is not to make it available for the end user to select it, but to force an assignment of the default browser on the end user through Group Policies. On a Windows 2012 domain controller server, open the Group Policy that you need to modify and locate the File Explorer options (which is not available in Windows 2008) under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> File Explorer. Open "Set a default associations configuration file" as shown below. Note that the policy is set at a system level, not the user level, which is the reason the virtual browser is also installed at a system level. As is also the case with User Account Control (UAC), it is policy decided by Microsoft that it is a system-wide setting that cannot be differentiated per user.

Group Policies for default browser

You must point to an XML file that describes the associations. Create an XML like the one below. If you are already using another xml file, you can use that and replace the two http and https associations. The FastTrackURL is the system name of the virtual browser installed by the InstallVirtualBrowser command.
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier="http" ProgId="FastTrackURL" ApplicationName="FastTrack Virtual Browser" />
  <Association Identifier="https" ProgId="FastTrackURL" ApplicationName="FastTrack Virtual Browser" />
</DefaultAssociations>
If you have a mixed environment of Windows XP/7 and Windows 8 clients, you need to implement both solutions, meaning that you need to include the SetScriptAsDefaultBrowser command in your logon script for Windows XP/7 clients and also deploy a virtual browser for Windows 8 clients.

Default browser notifications

When you assign a browser using Group Policies, your users might get the default browser notifications that a browser is not the default browser. You can get rid of these browser notifications by issuing the RemoveDefaultBrowserChecks command in your logon script. This command removes the default browser checks in both Internet Explorer, Firefox and Chrome at the same time in one command. The SetScriptAsDefaultBrowser and SetDefaultBrowser commands include the removal of these notifications also, when executed on Windows XP or Windows 7.

Deploying the virtual browser

To deploy the virtual browser to your machines, you basically just need to get the InstallVirtualBrowser command executed on all clients. You can build an exe file and execute once on clients or as part of a startup script, or you can build an MSI file and deploy that using your management system or Group Policies. To create an MSI File, write a script like the one below and hit the "Compile to MSI" button.

If MSIInstallContext Then

  InstallVirtualBrowser \\FastTrack\netlogon\BrowserControl.fsh

Else

  RemoveVirtualBrowser

End If

Creating MSI file from project

Notice that the script above uses a full path to a script file. If you do not include a path, the script will be copied to the local harddrive and used from there, as it was when you built it into the MSI file. This is important to know, because if you leave the script on a public network share, you do not need to redeploy, when the controller script (BrowserControl.fsh in this case) is changed. If you want to include the script inside the MSI file, you must remember to select it as an additional file, when compiling the MSI file and exclude the path in the script.

Remember that if you use a network share to host the browser controller script file, the file gets read by all users every time they start a hyperlink. If this is an issue, a good compromise is to deploy the controller script itself to a local folder on all clients through Group Policies and point to the local path of this file in the MSI installation script.

When the installation script above executes on a client, it does not install the virtual browser on clients older than Windows 8, but it still registers as an installation in the Windows control panel program list. If it's not possible to deploy only to Windows 8 (or newer) machines, it is therefore safe to deploy to all clients.


Rating: 5 out of 5

"Use this as a replacement for VBScript and PowerShell"

"It's easy to include attractive GUI elements in FastTrack scripts, beyond the basic dialog boxes and text input that VBScript offers ... Another powerful feature is the ability to distribute scripts as Windows Installer (.msi) or standard .exe files. Although interesting in its own right, this ability results in a much more intriguing capability: to repackage -- or wrap -- software installers as .msi files without using snapshots. If you've ever created an .msi installer file from before-and-after system snapshots, for use with a software distribution system such as Group Policy or SCCM, then you know how hit-and-miss the results can be."

Read full review


Rating: 8 out of 10

"Faster than the rest"

"We found the FastTrack syntax to be more transparent and easier to learn than Microsoft's PowerShell – the editor in particular provided good support in this regard. the Script Editor offers a large number of options from the command set through to simple output of graphical elements, which cannot be achieved at all with PowerShell or other solutions or only with a significantly greater level of effort."

"Anyone wanting to tackle the many hurdles in everyday admin and especially anyone for whom logon scripts and client automation is a priority will benefit from the variety of functions offered by FastTrack."

Review in English      Review in German