User Installed Applications – My Take
Citrix, Terminal Server, VDI January 29th, 2010
The conversation about user installed applications has been happening for a while now and much has been said about it by many people such as, Andrew Wood, Gareth Kitson, Chris Oldroyd, Daniel Feller, Jeff Pitsch, Ron Oglesby, Brian Madden, Chris Fleck and more. The purpose of this post is both to oblige a few people who have asked me to put my thoughts down and for me to clarify exactly what I think. I’m going to ignore BYOC and Client hypervisors for the time being to concentrate on the issues surrounding the applications.To set out why I think this topic is important. I think that user installation of applications is the key differentiator for VDI over terminal services, as I said in a previous post Why is VDI changing into Terminal Server? the difference between Terminal Services and VDI is actually very small without it.
If we want to understand why this change is now possible we should look at why it has been impossible in the past.
Terminal Server: Any change by one person can adversely effect anyone else running on that box, this is not likely to change and to my mind is the biggest single historical drawback to TS based solutions that has no end in sight.
Fat Desktops: Support is the key here, as if a user broke their PC usually they couldn’t fix it and it took a ‘man in a van’ to go and resolve the issue. This is especially problematic where the user has a time critical job, or the site is far away. Of course remote tools help with this, but desktops don’t have kvm boards for when the OS goes south. Allowing users free rein meant that support calls would go through the roof and as the time to resolve was huge, it meant that without locking down the desktop companies would spend massive amounts of time, energy and money just keeping the wheels on.
The fact that for the past fifteen years whether enterprise desktops have been fat client or terminal server based, the only choice has been to lock them down. This means industry inertia seems to be almost unstoppable.
The situation has now changed. Our user base is changing, we now have the Echo/Y generation who grew up with computers, they learn to type at school along with writing. They break and maintain their own home PCs, they regularly download and use the tools they need to get the job done. As these people move into management the old monolithic top down attitude of only using what the IT department give them to do their job will be anathema to them and they will start to demand change. The people who do a job, day in day out, know what tools they need to be productive much better than the IT dept does. If we don’t give them those tools they will resent us for not enabling their work. We need to empower people to be more productive, not take away their motivation, morale and confidence in the organisation.
If we bring the desktop OS into the datacenter we should be able to bring to bear the tools to enable this kind of user empowerment.
If we are going to allow this we have clasify which are the different types of user installed applications. To borrow a little from Simon Bramfitt, with some of my own (in italics), here’s what we are talking about:
- The departmental app that works with business data that is formally acknowledges as being important to that department and has it’s own budget and support mechanism, but is for what ever reason not packaged by IT. This notion may not sit well with some people, but anyone who has worked in a large enterprise knows they exist and might privately offer plenty of justifications as to why an app might fall into this bucket.
- The communication app: gotomeeting, webex clients etc that may need to be installed by the user, they may also need other clients to tie into outside companies systems eg they may need to install a citrix web client. Or a propriety Active X plugin for company XYZ’s web app.
- The personal productivity app that fulfills a limited business function, legitimately purchased but not formally acknowledged by IT as a supported app. A copy of MindMapper maybe that’s needed to map up a new business process. It may only be used by a few people across the enterprise but it fills an important role for them.
- The personal non-productivity tool like iTunes that is OK to have in a BYOPC environment, but not the sort of thing you want interfering with the corporate computing environment. Although a case could be made for iTunes U and work oriented podcasts etc.
- The totally unauthorised, no excuse, just down loaded from the internet, malware vector that claimed to be a free ring-tone generator.
As Microsoft found out to its cost allowing uncontrolled user installed apps is a nightmare. So if a user can install all of the above how do we both allow the right apps and protect ourselves against the wrong ones AND reduce our support costs?
- Any application that directly manipulates business data must provided by the enterprise.
- The desktop OS must be treated as an untrusted device.
- Approved applications should be delivered by TS or App streaming.
- The users must have a method for choosing from available enterprise applications.
- Users data and enterprise application settings must be separate from user installed application settings.
- Users must have have the ability to roll back their environment to any point in the past, while keeping data and enterprise application customisations.
- Users must be able to reset their machines to virgin state whilst keeping data and enterprise application settings.
The last two are the keys to reducing the support costs, ie if the user breaks things you give them the tools to fix it, without needing to have IT skills. This is possible at the moment with Atlantis, also AppSense have something in the works to enable this coming out soon.
If the users have an appropriate method to choose their own enterprise apps eg Dazzle, they are less likely to need to install their own. If a large percentage of users are installing a certain app, for instance if a client sends a department files in tar.gz format and 7-zip becomes prevalent in the organisation then the IT department should be able to see this and change it from an unsupported user installed application to a supported enterprise provided application, I call this the ‘park paths‘ methodology. To do this you need a way to catalog exactly what users are installing. As an interesting side effect, this may be what brings Open Source apps into the enterprise for the first time.
If users can provide themselves with the tools they need in a timely fashion and lets face it this is exactly what IT admins have been doing for years, business agility is increased, with the right tools support is decreased and application provision is improved. Giving the organisation lower costs and a competitive advantage.
User installed applications are a minefield, but with the right approach I believe that it could be the VDI killer feature.
January 29th, 2010 at 3:07 am
Good reading Jim. To me, the key is to have a large portfolio of applications that the user can select and stream. Users don’t want to install apps, they want to run them. I’ll put myself in this category too. This seems to be pretty consistent with your view, which gives me a smile and if this proves “right”, the need to build stuff to enable user installed apps largely goes away, even with pooled desktops.
January 29th, 2010 at 8:59 am
@Joe I agree that a major part of getting the right tools available to the right person involves exatly what you say, but what would be your solution if the functionality wasn’t there?
January 29th, 2010 at 10:38 pm
Portfolios to me are good – multiple portfolios. As for user installed apps, MSI ain’t exactly used to the idea of running without privilege and most concepts for solving user installed apps “assume” the user has admin rights. They won’t though because the machine is locked down, even for hosted desktops.
If the portfolio of streamable user selectable apps is big enough, the problem of user installed apps goes away. You just have to engage application sources “outside” the standard corporate space, with the provision for restrictions of source sites where the admin can control the sources. Eventually, there becomes a balance where machine is locked at the OS layer, but users can install/stream their stuff from admin approved sources. I think it will work and will work at least as well as letting users “install” their own stuff.