How we got preservation tools installed in our secured work environments

How we got preservation tools installed in our secured work environments

As part of the Ministry of Education, Culture and Science (OCW), we at the National Archives of the Netherlands (NANeth) work with virtual Windows work environments. A number of standard applications are made available via this ‘Virtual Desktop Infrastructure‘ (VDI), such as Microsoft Office, Adobe Acrobat Reader and an internet browser.

Installing applications yourself is not allowed. But suppose you want to get started with digital preservation tools. Like DROID for identifying file formats. Or JHOVE or veraPDF for file format validation. Then you can try to work around the security and find a ‘hack’. A better solution is to contact your service provider. DUO provides desktop management services for OCW. They had the perfect solution for us. And were willing to explain that solution to me for this blog – thank you!

OPF’s reference workflow for digital preservation explains why tools like DROID, JHOVE and veraPDF are useful for our (and your) digital preservation work.

VMware ThinApp

DUO’s solution is not an ad hoc customisation, but uses the virtualisation of applications with VMware ThinApp. In this blog I explain in outline and in my layman’s terms how we make use of this. If you have the same kind of environment, this can also be a solution for you to get tools installed. Or perhaps this blog provides inspiration to achieve the same goal in a different way. Of course, this solution works for more types of applications than just the open source preservation tools that this blog is about.

If you google terms such as ThinApp, MSI(X) or packaging, you will find information about how these technologies work. Your service provider probably also knows exactly how this works. So I am not going to explain that in this blog. I do zoom in on how the packaging process works for us. With this knowledge, you will be better prepared when you talk to your service provider. Please use it to your advantage.


The process of getting ThinApps deployed starts with proper preparation. The service provider needs information about you as the applicant, the application to be installed and, for example, the license. Because a ThinApp is stored in its own ‘virtual bubble’ (more on that later), it is important to know whether the application needs to contact backend servers. Like a database. That requires additional work.

The packaging process in outline

Also indicate who the functional manager of the application is. While DROID is managed by The National Archives (TNA), JHOVE by the Open Preservation Foundation (OPF) and veraPDF by the veraPDF consortium, it’s a good idea to have a contact person for your service provider in your organisation. They can functionally test whether the application works in your environment and answer questions about the application. Or they can contact TNA, OPF or veraPDF if necessary. All this information goes on the application form.


Your application form starts the intake. This gives the service provider a overview of the application. The functional manager is there for more substantive knowledge. Together you make a working example of the installed and configured application, with a description for functional testing of the application. This ensures that the test process is less dependent on the functional manager.

An important part of the intake is determining whether the application can be used as a ThinApp at all. An alternative is to make it an MSI. Such an MSI is, in short, an installation file. The main difference with a ThinApp is that the ThinApp is the installed version of the application.

Yet another option is to add the application to the standard ‘image’ of the working environment – a virtual hard disk with all standard software. Like Windows and Office. Adding an application to the image is therefore only useful if most users are going to use the application. Otherwise, managing the image becomes too laborious and costly.


To understand why an installation file is not such a useful solution in our work environment, I repeat that we work with VDIs. Most users have a ‘stateless’ work environment. This ‘non-persistent’ environment is not preserved when you log out. Every time you log in, the environment is rebuilt for you.

Building that environment starts with the image that is the same for everyone. If you as a user need a specific extra application, it can be installed for you via an MSI. But you probably don’t want to have to wait for all extra applications to be installed every time you log in. Just imagine how much working time OCW would spend looking at installation progress bars every day. Hence ThinApps for normal users.

For those users who have a ‘stateful’ working environment, such an MSI can be useful. After installing the application once, it is stored in this ‘persistent’ environment. The application is installed on the user’s image. And unlike stateless environments, the image of the stateful environment is preserved.

During the intake you also make decisions about the update frequency. At TNA, OPF and veraPDF you can find information about how often the applications are updated.


Now it is time to start building the ThinApp. What I found particularly interesting is that a ‘capture tool’ is used here: turn on the capture tool, install the application, turn off the capture tool, and the tool tells you which files have now been added to the work environment. And what changes occurred in the Windows registry, for example. Tip: Turn off Windows Update first.

The information collected by the capture tool is converted into a ThinApp by the service provider. This ThinApp will be placed in a folder on a network drive. Access to the folder containing the application is arranged for groups of users via Active Directory. This is how you create a ‘virtual bubble’. If you do not have rights to use the application, you cannot access it. And through the ThinApp mechanism, the application cannot influence other bubbles either. Very safe. And it prevents DLL hell.

The ThinApp is not built at DUO by the same person who did the intake. That person has already installed and used the application. That can cause blind spots. The builder creates the ThinApp with a fresh pair of eyes.

Test and production

Now that the ThinApp has been built, the service provider performs a technical test: does the application work as a ThinApp from inside its virtual bubble? Can it be deployed to the groups of users for which the application is intended?

Subsequently, the service provider and the functional manager jointly perform a functional test. This preferably takes place in a test environment. When everyone is satisfied with how the application works, the ThinApp can be put into production.

In practice

At NANeth, we have used this process to make DROID, JHOVE and veraPDF available as ThinApps. The digital preservation team uses it. Others can request the tools too. Add them to the Active Directory group and they can use them. This is e.g. useful if you organise a workshop about these tools for your colleagues. They can then get access to the tools temporarily or permanently. In addition to these preservation tools, dozens of other ThinApps are available within OCW, from Audacity and Freemind to Keepass and VLC.

DROID, JHOVE and veraPDF in our work environment

Together with DUO, we recently updated JHOVE to the most recent version. DROID is up to date and can download new signature files itself. No package update is required for this. (DROID stores the signature files in the user’s home folder on a network drive.) VeraPDF is the next application to update.


By working together with our desktop management service provider DUO, we have found a standardised, process-based and secure solution for getting open source tools for digital preservation installed in our secured work environment. No hacks. ThinApps.

Even if you don’t use VDI’s, or if you have a service provider that doesn’t work with ThinApps, this blog can help you. You may be able to arrange with your service provider or IT department a network drive with installed tools available through Active Directory (or LDAP) for those who need them.

Or maybe you found another solution. Please share that solution. So that as a community we collect different solutions from which to choose, when we want to deploy preservation tools in our work environments.

Leave a Reply

Join the conversation