The Citrix Blog
posted by Daniel Feller

After my first blog, I received a few comments focused on user-installed applications and how there isn't much talk about them. Faisal posted a comment that stated he was doing a pilot with XenDesktop. Right now the biggest complaint is that users can't install their own "personal" applications, and this is one of the big questions regarding virtual desktops. We had a few comments from others wanting to know the same thing (some really good posts). Well, here are my thoughts.

With a physical desktop model, users could essentially do just about anything to their workstation.  How much of a good thing was this?  It makes the user happy, but what are the associated risks? 

  1. Managing the endpoint became a nightmare. Hard to know what application conflicts will ensue with these unknown applications.
  2. Introduction of viruses, malware, spyware, etc.  Many of the applications users install are freeware/shareware from untrustworthy sites.  If it is on the desktop, does it now have the freedom to inflict damage to the rest of the network?
  3. Workstations became bloated and eventually slowed to a crawl resulting in IT having to completely rebuild the workstation.

Let's now move to the desktop virtualization model.  If we are using hosted virtual desktops, that typically means the desktop is now operating within the confines of the data center.  If you allow users to install applications onto their hosted virtual desktop, in my opinion, you might as well just open the doors to your data center and let anyone in because that is what you are doing if you let users install anything.  Doesn't that concern you?  If not, try telling this to a security person within the organization. After they recover from their stroke, they will tell you why this is not a good idea.

Now I'm not saying that we can't and shouldn't allow user-installed applications; I just want to make sure everyone understands the risks with doing such a thing. With the 3rd party solutions that are out there (AppSense and Atlantis Computing were mentioned in the comments from a previous blog post), my questions would be:

  1. How do we protect the data center from unknown apps?
  2. How do we keep the virtual desktop optimized and supportable? I don't want to manage more bloated desktops. By the way, this makes a great case for a Bring Your Own Computer (BYOC or BYOPC) model.

I do just want to add one more point.  I've been using a hosted virtual desktop for about 2 months now with a shared disk, so any changes I make (application installs) go away after reboot.  Truthfully, I haven't had much of a problem.  I did need to download and install a few freeware tools to help me finish a project, but I only used those items for about 2 hrs.  The nice thing, in this instance, was after I rebooted, they were gone.  I don't plan on using them again. And if I do, I'll just re-install. Of course this isn't an application I need. 

So the final question is should we really allow user-installed applications to persist or should we have a process in place where IT can quickly virtualize and deliver these applications to the respective users through a standardized application delivery approach?   

Daniel - Lead Architect - Worldwide Consulting Solutions
Follow me on Twitter: http://www.twitter.com/djfeller
Follow me in the Blogs: http://community.citrix.com/blogs/citrite/danielf
  

  1. Sep 04

    Anonymous says:

    What about software licensing and compliance? Isn't that another reason to leave software installation to IT?

  2. Sep 04

    Jim Moyle says:

    The issue of user installed applications is going to be huge, the idea of a monolithic 'top down' IT infrastructure is anathema to the new generation of users coming into the industry.

    They are used to being able to find and use the right tools, they expect to be able to do the same at work.  There is nothing quite so demotivating as knowing there may be, for example, an open source tool which will save you days of work, yet someone you have never seen has decided you cannot install it.

    Before the virtual desktop, the cost of sending people out to troubleshoot individual PCs in remote locations was far too high, which is why desktops were locked down to start with.  Now the desktops are in the datacenter and should be under our control, the support costs should equally lower, as many, many TCO calculations show.

    We need to empower the users, not lock them down. With the desktops being centralised and the right tools at our disposal there is no reason why we shouldn't be able to give users the freedom to do their jobs in the most efficient way they see fit, as they surely know a lot better than we do how to achieve that.

    1. Sep 04

      Daniel Feller says:

      But don't you see this as a breach in the security of the data center?

      Don't we also end up with slow, bloated workstations with tons of antiquated tools/utilities that the user no longer uses or only uses a few times a year?

      For example, one of the tools I downloaded into my virtual desktop was a free PDF writer because the one in Word didn't quite work for one of my documents. I ended up downloading/installing 4 different ones before I found one that worked. I was pretty happy when I logged off and back on that they were gone. I got back to a clean workstation.

      1. Sep 07

        Jim Moyle says:

        I agree that the security concerns are large, but not insurmountable.  You could firewall off your Desktops and provide access to the official application list via XenApp.  With Dazzle at the front end they would have a choice of an official app before downloading another.

        As regards the bloat you are talking about, we should provide the user with tools to roll back their desktop to a previous point in time and a reset button so they can get a new build whenever they want.  Of course the user environment would need to be abstracted from the OS, so they could reset and still keep their settings.

        If I put up some shelves at home I use a drill I bought from the local hardware store.  If I'm a builder I have a much higher class of power tool.  If I'm at work I expect a superior set of tools to do my job, at the moment, for computer workers, this is the opposite way round.

  3. Sep 04

    Albert Grandville says:

    The way I see it this is no different than the argument for seatbelt laws or mandatory health insurance.
    People want to be free to make their own choices and, inevitably, their own mistakes. However, when they invariably hurt themselves they fully expect the system to "do the right thing" and bail them out. A structured work environment is the only way to ensure that users have the most reliable access to the tools they need to do their jobs and isn't that, after all, the point?

    The "Wild West" model of users installing whatever software they find lying around on their work machines is messy, expensive and ultimately drives IT cost and detracts from user productivity.

    BYOC is one potential answer. With BYOC users have an environment that they manage where they are free to install any software they like and another, provided to them, by the business which, while more restrictive, will undoubtedly be more reliable.

    Al-

  4. Sep 04

    Bryon Thomas says:

    Dan, I see it less as a question of "whether to support" user-installed apps but more of "how to support" user-installed apps. In my daily work, I have several mission-critical apps unsupported by IT. In other words, if I was unable to use these apps, my productivity would be severely reduced.

    Firefox Browser (3.5) - I use multiple add-ins for FireFox that really help daily work: Delicious Bookmarks, Xmarks, and IE Tab are some of my most used.

    SnagIt - I'm always mocking up/commenting on web pages, docs, graphics and this program is my left hand (I'm left handed).

    doPDF - A great freebie utility for printing to PDF, which I find works better than some of the other utilities. (Give this one a try, if you are not already using it.)

    PureText - Combined with a shortcut key, this free utility is indispensable for copying text and removing all formatting in one keystroke.

    Therefore, if a virtual desktop did not allow me to install each of these apps, I would struggle to accomplish my daily work. How are companies enabling this, as cost-effectively as possible, in virtual desktop environments? What are the real-world lessons/gotchas from supporting user-installed apps in virtual desktop environments? What are the best practices?

    Thanks,

    Bryon Thomas

  5. Sep 04

    Pat Bruns says:

    Yes, users loading their own apps is risky. Yes, it makes them happy. Yes, it is a potential security breach. And yes, some organizations will require it for some users.
    That's why it's good that you, the administrator, have choices. You can implement read-only and/or read-write VDs. You decide if a specific user's desktop should persist or not.
    Typically, developers that require flexibility get it more often than a clerk that wants custom emoticons. This seems reasonable.

    This is a good illustration of why VDI is interesting - you need to satisfy both the server AND the desktop administrators. (And the users!)

    -Pat

  6. Sep 04

    Simon Bramfitt says:

    Hi Dan

    The short answer is a nice and simples 'Yes'. The full answer, clearly evidenced by the breadth of responses seen so far, is rich, nuanced by many different factors, and probably worth several sessions at Synergy next year.

    More later

    Simon

  7. Sep 08

    Anonymous says:

    I think the "makes them happy" seems to suggest it's just an issue about preference. I can't speak for non-developer users but for me there are certain tools that make me more productive - i.e. they benefit both me and the company I work for. Having said that I do think it's a bad idea to have users just install whatever they want. I think the key is to have a lightweight, responsive mechanism to allow applications to be requested. This would allow IT to prevent malware and license issues and would also allow users to select from a safe 'best of breed' catalogue of software.

  8. Sep 08

    Tarkan Kocoglu says:

    Dan,

    this is a reasonable question, especially considering the current trend of virtual desktop and how end user consumerization drives IT. Giving a freedom of choice is good, which makes the user happy. However, having users install their own apps is risky and will probably drive the IT costs because of higher maintenance. IT in a company needs to provide a working environment with all relevant apps to work with. For sure, there will be apps that are missed by users, but they can be arranged by depts or requests to IT.

    Furthermore, I see big issues from a license perspective for apps. Imagine installing apps with hacked keys etc, what is the legal position of this? Who is now responsible? The company or the user itself?

    Virtual desktops will give more freedom, but I think they still need to be locked down to a certain degree that aligns with company security and license policies. In the meantime, BYOC is probably the best "hybrid" solution.

    Tarkan

  9. Sep 09

    Kevin Wilson says:

    "Open the doors of the data center" - we use separate networks for our virtual PCs within the data center to keep them isolated from servers and server traffic. I have to assume this is a best practice and opens things up in no worse a fashion than if the users were in the office.

  10. Sep 14

    Anonymous says:

    see my garden, my virtual place  http://mygarden.hit.bg

  11. Sep 24

    CHUCK NEVILLE says:

    I have been having this discussion with several clients recently. I believe that we have to take control of the desktop away from the end users. It will be a huge political issue in many companies but has to be done to survive in today's IT environment.

    In my discussions with clients, both IT management and C levels, I contend that we need a shift in our thinking when providing desktops and access to apps. We only need to give apps that the end user needs and not what they think they need and all apps need to be approved by some authority within the client environment. Normally every user in a company has access to the WWW. Why? Why not give them what they need? You increase productivity, lower the risk of malware, reduce the bandwidth hog and make support easier.

    I have been testing XenDesktop for several months now and have successful implementations. However, it is a tough solution and takes a lot of thought in the design phase. I found very quickly that I need to do a very thorough analysis on apps before even touching a keyboard.

  12. Oct 02

    Marc Evans says:

    We (VESK) have been contemplating this for a while now and have decided to offer two packages for clients to overcome this. Any company that has almost identical user stations and wants to lock the users down we offer XenApp to. This obviously means all users have the same software but have their own storage space. If any new software is required the contact person for said company has to contact us and ask for new software to be added to the server for all users to access.

    Any company that has individual users that require specific software for each virtual desktop we offer XenDesktop to. These users won't be locked down as much but still unable to install software, just because from research most employers want this. The reasoning we've found is that they'd prefer to lock users down and pay for new software to be added rather than a user causing a massive error by doing something stupid and having to pay for the hosted desktop to be sorted out.

    We have been looking into a third alternative using XenDesktop which allows users to have full control of their desktops. This method would involve having each desktop backed up on a nightly basis and if in the event of a screw up the desktop could be rolled back.

  13. Oct 02

    Anonymous says:

    Role based job definitions are a key ingredient to a successful and cost effective virtual desktop environment. Classifying users based on their job function works well in our identity management provisioning and could be extended into the desktop model to account for applications needed to perform their job. For instance, if I am a teller my id gets created and assigned to a role which provides the necessary security groups and distribution lists based on what I defined the role to be. Following these guidelines I would know what apps a teller would need to perform the teller role and have a corresponding virtual desktop with these apps assigned to them.

    Virtual Desktops are not a replace all solution, it is up to you to determine where this solution fits the business needs, not the end users. The asset is still the company's whether it is virtualized or not and it is up to the company not IT to find the "right fit".

     
