Do we really want to allow our users to have the ability to self provision / install applications? Won't this just cause mayhem and anarchy? How will we ensure that we are licensed to install the applications that the user chooses to install?
Simon Rust, VP of Technology at AppSense, answers these questions in an article he posted over on the AppSense Community Blog. Please find the post below:
These are a small sample of some of the obvious and key issues that the IT administrator needs to seriously consider when thinking about allowing the user to install applications of their own choice.
Just this week, @HarryLabana asked the following question via Twitter - "Are user installed apps a compliance nightmare waiting to happen?". A very sensible question that effectively is asking, "WHY should we even consider allowing the user to install their own stuff?"
To labor on the need briefly, it is relatively simple as to why we need to cater for it (we don't need to agree with it, but we do have to accept it to a certain degree). Bottom line is that for years, there has been a challenge with packaging all the applications required by a user to conduct their daily duties. This is a challenge that traditional desktop managers have had for years, and now with desktop virtualization it is perhaps getting more noise. Unfortunately it is not going away any time soon; in fact it may be getting worse as time progresses and the number of applications increases. If we choose not to allow users to install their own stuff, then how do we ensure that the user does not fall foul downstream of an application not being available, and hence their inability to conduct their work? An obvious example would be the corporate user who uses Microsoft Live Meeting to conduct online meetings and has a meeting booked with an organization that uses Citrix GoToMeeting. The GoToMeeting client would not be installed, the user would only find this out 5 to 10 minutes before the session, and hence would be unable to join.
AppSense Product Manager Chris Oldroyd (Twitter - @coldroyd) wrote about the various user installed applications a month or so ago, and his post is well worth a read - What is a User Installed Application? And why should we care?
So, now we have accepted that we need to cater in some form or another, we can move on to consider HOW. The key aspect of giving users the ability to install their own apps is CONTROL - it would be insane (most would argue) to give ALL users the ability to install their own stuff. Very quickly the enterprise would find itself in a situation where literally 1000s of applications have found their way in, and are posing a serious legal issue. It is (mostly) true that a typical enterprise using laptop devices has this very issue today, since the majority of users of laptop devices are administrators of them. There is usually a solid business reason (from years gone by) as to why the user is an administrator, whether that reason is a requirement to install printer drivers (pre Vista) or something like that. Typically, once a user has admin rights, it is nigh impossible to get them back again.
Arguably this is all part of something called "User Rights Management" as well as "Personalization". Both of these are clearly becoming markets in their own right, with vendors appearing in them regularly, and many other vendors morphing their solutions to fit the model(s) also.
In order to deliver against the need, but to do so in that all important controlled manner, we need to enable / allow for the following (there will be more - these are just the key areas):
- Only allow certain users to install apps (AD group based / end point device based)
- Only allow those users to install from certain (internal) network location(s) - that way the enterprise can control exactly WHAT a user who is authorized to install can install
- Only allow those users to install applications from certain vendors
- Full reporting is required to enable the administration team to be able to see what is out there in a quick snapshot
- Full administrative override to enable rapid removal of any applications as necessary
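The first four controls in the list above can be expressed as a single allow/deny decision that always leaves an audit record. The sketch below is an added example, not code from the original post or from AppSense; the group name, share path and publisher names are constructed, and the publisher is assumed to come from a signature that has already been verified.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed policy values; substitute your own groups, share and publishers.
ALLOWED_GROUPS = {"APP-SELF-INSTALL"}
ALLOWED_SOURCES = [PureWindowsPath(r"\\fileserver\software\approved")]
ALLOWED_PUBLISHERS = {"citrix systems, inc.", "microsoft corporation"}

AUDIT_LOG = []  # one record per decision, allowed or denied (reporting bullet)


@dataclass
class InstallRequest:
    user: str
    groups: frozenset        # AD groups already resolved for the user
    installer: str           # full path of the installer being launched
    publisher: str = ""      # signer name from an already-verified signature


def source_allowed(installer: str) -> bool:
    path = PureWindowsPath(installer)
    # PureWindowsPath does not collapse "..", so reject it outright; otherwise
    # approved\..\staging\x.msi would still look like a child of approved.
    if ".." in path.parts:
        return False
    # Component-wise, case-insensitive match: "approved-old" is not "approved".
    return any(path.is_relative_to(root) for root in ALLOWED_SOURCES)


def evaluate(req: InstallRequest) -> tuple:
    if not (req.groups & ALLOWED_GROUPS):
        verdict = (False, "user not in an install-enabled group")
    elif not source_allowed(req.installer):
        verdict = (False, "installer not under an approved network location")
    elif req.publisher.lower() not in ALLOWED_PUBLISHERS:
        verdict = (False, "publisher not on the approved vendor list")
    else:
        verdict = (True, "allowed")
    AUDIT_LOG.append({"user": req.user, "installer": req.installer,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

A plain string prefix test on the installer path would accept both the `..` path and a sibling folder such as `approved-old`, which is why the source check compares path components instead.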
The overriding point here is simple - user installed applications is NOT for everyone, but it will be for a significant portion of the user population, so we need to provision for it in some way - simply saying no will not cut it.
Thanks
Gareth Kitson
AppSense
Twitter - @garethkitson
Comments (4)
Nov 12
Pierre Marmignon says:
Hi Gareth,
I totally agree on almost all your concerns.
What I'm actually seeing is that in today's IT world you have task workers (quite "forced" to deal with only packaged applications) and Power Users.
Power users (I'm thinking of VIPs, Developers, some laptop users ...), for work or fun reasons (iTunes? Development tools?), have the rights to install their own applications without any IT control.
Now that we're talking about centralizing desktops, IT departments do not want to manage all these specific apps or package them.
That's where we then need the flexibility that user installed apps can give, to manage these exceptions, but also in a way that will allow consistent image management without breaking them (layering?).
I agree with you on the control requirements but the main point regarding my customers concerns is to be able to keep the actual flexibility in a centralized world.
Best Regards,
Pierre Marmignon
http://www.citrixtools.net
Nov 12
John Radcliffe says:
You bring up some good points Gareth,
I agree in that there can be a need to provide non-standard applications to users, when they need them. I would also 'guesstimate' that for a typical office environment, users have 99% of the applications available that they need to perform their jobs on a daily basis, and about 1% or less of those applications aren't there the exact moment they need them. In the example that you mention, that scenario shouldn't happen more than once for any given particular application. Once the issue is raised that a needed, free 'add-on' isn't available, it should be tested, then added.
The business decision comes into place when weighing the cost of providing that 1% of unavailable applications against the cost of not having those apps available when they are needed. Seriously, on a daily basis, how often do users need access to applications where the need is dynamic and unforeseen?
I think part of the issue here is users not having the same control over their work PCs as they do over their home PCs. At home, they can install whatever they want, when they want, all support and legal issues aside. At work, they are expected to work within a given framework of applications and structure. For some people, it's like having to give up the remote control to the TV at home!
While there will always be exceptions, I believe the best solution to the issue is for IT departments to become more flexible and dynamic in their ability to provide their users the applications that they need in a reasonable timeframe, when the justification is there.
I think one of the hidden issues here is that often funding has to be secured for user-requested apps, and sometimes that funding can be difficult to obtain if the justification doesn't support it. From my past experience, it's the process of requesting/justification that users tend not to want to get involved with for various reasons, some real, some imagined. Unfortunately, I've seen cases where users that did have the ability to install applications (at will) have circumvented the approval process and installed software without purchasing/testing it and, in a few cases, installed software which had an adverse effect on other users and the network. There are all kinds of legal and support issues tied to a free-to-install whatever world.
Thanks for the post - lots of room for discussion.
John Radcliffe
Nov 12
Anonymous says:
Why not just choose an Application Virtualization solution -- like InstallFree -- which of course doesn't "install" the App at all -- just Provisions it -- and then deliver it (via GPO) to selected Users/Groups? You could even let them "provision" it to themselves, on the fly (assuming they have Rights) and you get the best of both worlds... Users taking the Apps they want, Admins having centralized control, and nobody has to fiddle with local installs? For Apps that cannot be virtualized, deliver them a XD4 Desktop with the App installed, or put it on a Hosted VM?
It's nice when Technology can allow - or come close to allowing -- everybody what they want.
Nov 16
Andrew Wood says:
Anonymous, great work on all those limericks by the way - I particularly liked your <!-- /* Font Definitions */ @font-face
But, I think you're missing John's very good points. InstallFree is an effective app virtualisation solution - it layers application deployment which is a fundamental part of deploying future desktops. But, InstallFree isn't "Free as in Effort" - an administrator has to prep the application and make it available to users in order for them to install - that's different from user installed apps - where the user expects to be able to pop in a CD themselves (or fire up some iTunes type interface perhaps) and run through the installation themselves.
As John says - there's a rise in (senior) users wanting/demanding that they have greater flexibility on what they can install on the device they've been given to work with. I agree entirely with John's point that the process of attaining the application through a centralised service - that accommodates business use/budget/support/license compliance.
App virtualisation solutions help IT departments deliver applications quickly, they help reduce the impact of compatibility and compliance but, they don't replace business processes that have been designed to reduce/minimise costs of bringing in new apps.
Moreover those end user 'apps' aren't always apps - they're device drivers allowing access to new devices, new components. While an app can be encapsulated, can a device driver? If users are installing their own devices or drivers how can you ensure that they're not compromising the end device's stability - and once that's compromised - what happens when they attach that device to your network?
Gareth, I think your reasons for reducing users' ability to add apps are valid, but if you focus on the points you suggest, essentially you've left IT with the current model where apps are pre-installed rather than added by users: if you match the bullet points - where would the advantage be in letting the users add their own apps - why wait for the app to install once they've received their device?