User Installed Applications – My Take

Posted by Jim Moyle on January 29th, 2010
The conversation about user installed applications has been happening for a while now and much has been said about it by many people, such as Andrew Wood, Gareth Kitson, Chris Oldroyd, Daniel Feller, Jeff Pitsch, Ron Oglesby, Brian Madden, Chris Fleck and more.  The purpose of this post is both to oblige a few people who have asked me to put my thoughts down and for me to clarify exactly what I think.  I’m going to ignore BYOC and client hypervisors for the time being to concentrate on the issues surrounding the applications.
First, why I think this topic is important: user installation of applications is the key differentiator for VDI over Terminal Services.  As I said in a previous post, Why is VDI changing into Terminal Server?, the difference between Terminal Services and VDI is actually very small without it.
If we want to understand why this change is now possible we should look at why it has been impossible in the past.
Terminal Server:  Any change by one person can adversely affect anyone else running on that box.  This is not likely to change, and to my mind it is the biggest single historical drawback to TS based solutions, with no end in sight.
Fat Desktops:  Support is the key here.  If a user broke their PC they usually couldn’t fix it, and it took a ‘man in a van’ to go and resolve the issue.  This is especially problematic where the user has a time critical job, or the site is far away.  Of course remote tools help with this, but desktops don’t have KVM boards for when the OS goes south.  Allowing users free rein meant that support calls would go through the roof, and as the time to resolve was huge, it meant that without locking down the desktop companies would spend massive amounts of time, energy and money just keeping the wheels on.
For the past fifteen years, whether enterprise desktops have been fat client or terminal server based, the only choice has been to lock them down.  This means industry inertia seems to be almost unstoppable.

The situation has now changed.  Our user base is changing: we now have the Echo/Y generation, who grew up with computers and learned to type at school along with writing.  They break and maintain their own home PCs, and they regularly download and use the tools they need to get the job done.  As these people move into management, the old monolithic top down attitude of only using what the IT department gives them to do their job will be anathema to them and they will start to demand change.  The people who do a job, day in day out, know what tools they need to be productive much better than the IT dept does.  If we don’t give them those tools they will resent us for not enabling their work.  We need to empower people to be more productive, not take away their motivation, morale and confidence in the organisation.

If we bring the desktop OS into the datacenter we should be able to bring to bear the tools to enable this kind of user empowerment.

If we are going to allow this we have to classify the different types of user installed applications.  To borrow a little from Simon Bramfitt, with some of my own (in italics), here’s what we are talking about:
  • The departmental app that works with business data, that is formally acknowledged as being important to that department and has its own budget and support mechanism, but is for whatever reason not packaged by IT. This notion may not sit well with some people, but anyone who has worked in a large enterprise knows they exist and might privately offer plenty of justifications as to why an app might fall into this bucket.
  • The communication app: GoToMeeting, WebEx clients etc. that may need to be installed by the user. They may also need other clients to tie into outside companies’ systems, e.g. they may need to install a Citrix web client, or a proprietary ActiveX plugin for company XYZ’s web app.
  • The personal productivity app that fulfills a limited business function, legitimately purchased but not formally acknowledged by IT as a supported app. A copy of MindMapper maybe that’s needed to map up a new business process. It may only be used by a few people across the enterprise but it fills an important role for them.
  • The personal non-productivity tool like iTunes that is OK to have in a BYOPC environment, but not the sort of thing you want interfering with the corporate computing environment. Although a case could be made for iTunes U and work oriented podcasts etc.
  • The totally unauthorised, no excuse, just downloaded from the internet, malware vector that claimed to be a free ring-tone generator.

As Microsoft found out to its cost, allowing uncontrolled user installed apps is a nightmare. So if a user can install all of the above, how do we both allow the right apps and protect ourselves against the wrong ones AND reduce our support costs?

  • Any application that directly manipulates business data must be provided by the enterprise.
  • The desktop OS must be treated as an untrusted device.
  • Approved applications should be delivered by TS or App streaming.
  • The users must have a method for choosing from available enterprise applications.
  • Users’ data and enterprise application settings must be separate from user installed application settings.
  • Users must have the ability to roll back their environment to any point in the past, while keeping data and enterprise application customisations.
  • Users must be able to reset their machines to virgin state whilst keeping data and enterprise application settings.
The last two are the keys to reducing the support costs, i.e. if the user breaks things you give them the tools to fix it, without needing to have IT skills.  This is possible at the moment with Atlantis, and AppSense have something in the works to enable this coming out soon.
If the users have an appropriate method to choose their own enterprise apps, e.g. Dazzle, they are less likely to need to install their own.  If a large percentage of users are installing a certain app, for instance if a client sends a department files in tar.gz format and 7-zip becomes prevalent in the organisation, then the IT department should be able to see this and change it from an unsupported user installed application to a supported enterprise provided application.  I call this the ‘park paths’ methodology.  To do this you need a way to catalog exactly what users are installing.  As an interesting side effect, this may be what brings Open Source apps into the enterprise for the first time.
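
As an added illustration (not part of the original post), here is one way the ‘park paths’ catalog could be turned into a promotion list: count distinct users per application per department and flag anything not already enterprise provided that crosses a threshold. The inventory records, headcounts, enterprise app list and the 50% threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (user, department, installed product name as reported).
INVENTORY = [
    ("alice", "finance", "7-Zip 9.10 (x64)"),
    ("bob",   "finance", "7-Zip 4.65"),
    ("carol", "finance", "7-zip 9.10"),
    ("carol", "finance", "MindMapper 2009"),
    ("dave",  "finance", "Microsoft Office 2007"),
    ("erin",  "sales",   "iTunes 9.0.2"),
    ("frank", "sales",   "7-Zip 4.65"),
    ("gina",  "sales",   "GoToMeeting 4.5"),
    ("hal",   "sales",   "Microsoft Office 2007"),
]
DEPT_SIZE = {"finance": 4, "sales": 4}  # constructed headcounts
ENTERPRISE_APPS = {"microsoft office"}  # assumed list of IT-provided apps


def normalise(display_name):
    """Drop architecture tags and trailing versions: '7-Zip 9.10 (x64)' -> '7-zip'."""
    name = re.sub(r"\(.*?\)", "", display_name.lower()).strip()
    return re.sub(r"\s+v?\d+(\.\d+)*$", "", name).strip()


def promotion_candidates(inventory, dept_size, enterprise_apps, threshold=0.5):
    """Return (department, app, share) for user-installed apps used by at least
    `threshold` of a department's users, most widespread first."""
    users = defaultdict(set)  # (department, app) -> distinct users
    for user, dept, display_name in inventory:
        app = normalise(display_name)
        if app not in enterprise_apps:
            users[(dept, app)].add(user)
    found = []
    for (dept, app), who in users.items():
        share = len(who) / dept_size[dept]
        if share >= threshold:
            found.append((dept, app, round(share, 2)))
    return sorted(found, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for dept, app, share in promotion_candidates(INVENTORY, DEPT_SIZE, ENTERPRISE_APPS):
        print(f"{dept}: {app} installed by {share:.0%} of users")
```

Counting distinct users rather than installs, and collapsing version strings first, keeps one person with three 7-zip versions from looking like a trend.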

If users can provide themselves with the tools they need in a timely fashion (and let’s face it, this is exactly what IT admins have been doing for years), business agility is increased, and with the right tools support is decreased and application provision is improved, giving the organisation lower costs and a competitive advantage.

User installed applications are a minefield, but with the right approach I believe that they could be the VDI killer feature.

The VMware PCoIP ‘Killer App’

Posted by Jim Moyle on September 2nd, 2009

With the announcement this week at VMworld of the inclusion of Teradici’s PC over IP (PCoIP) in VMware View, I think that there is something people may be missing.

The big disadvantage of the original hardware to hardware PCoIP implementation was that each connection to the server required its own Teradici card.  This is obviously not a scalable solution.  As the software to software solution is unveiled at VMworld, the attention seems to be on the fact that you can get the performance without stuffing your servers full of Teradici cards.  To my mind the software to software approach has a big flaw: you need power on the client.  Power on the client means either a full PC on the other end, which defeats the point, or a really expensive thin client.

The real key would be to go from software to hardware.  A software client on the server communicating with a hardware Teradici chip on the client.  You could avoid all the issues of managing the ‘almost PC’ modern thin clients and go back to the cheap, minimal management, devices I think thin clients should be.

I’m curious as to why this is not being made more of, as the client devices are already there, like this one from Samsung, and if you look at the Teradici video on Brian Madden’s site they say it will work.

As the devices get cheaper, maybe down to about $200, with the great performance of PCoIP I can see this being the ‘killer app’ for VMware in this space.

Why is VDI changing into Terminal Server?

Posted by Jim Moyle on May 21st, 2009

It is, and I’m about to try and prove it to you.  Not only is VDI changing into Terminal Server, it’s been done through a series of entirely logical and yet very stupid choices.

To work this out we need to start from first principles, way back in 2005ish.  We had many expensively maintained fat desktops, spare CPU cycles in the data center and a virtualisation layer.  This meant that we could take the fat desktops not already covered by terminal server (which only accounted for around 20%) and move them into the data center.  These new desktops would allow our users to install apps and personalise their OS, and IT could keep the environment stable.  People were saying things like ‘I can give my users local admin privileges!’.

That was the dream and it all sounded pretty good.  Then people realised that they would have to exchange cheap storage on the end point for expensive storage in the data center.  Also it just seemed, well, silly to have 5000 copies of explorer.exe sitting on the SAN.  The advantages of data de-dupe were talked about, but the model that everyone settled on was a golden OS image: Citrix had Provisioning Server and VMware had linked clones.  Not only did this solve the high SAN demands, it enabled us to only update/patch one golden image and it worked for everyone! Double win!

So now we have thousands of users on one golden image; trouble is, we need different application sets.  No problem! said the industry, we have application virtualisation, it’s even a fairly mature technology: ThinApp, Citrix Streaming, App-V and all the rest.  Except not all applications are suitable for streaming: some have license requirements that rely on MAC addresses, some install drivers or services, etc.

In any large organisation there are maybe 2% of these applications, which are generally more than 10 years old but can’t be dumped.  Out of say six hundred apps that’s only twelve apps that need to be in the golden image, so we increase the number of golden images to twelve, and the rest of the applications are streamed.

So far so good, although with this golden image model we have hit a snag: to allow users to install applications, we need to use block level deltas to save the personal information.  Over time these block level deltas can grow to the size of the original installation, ruining our nice SAN space saving ideas!  Not only that, when you update the base image you can’t reconcile the deltas, you have to throw them away.  That’s no good, you can’t give users a facility and then randomly remove their changes.  OK, let’s lock down the OS; we can use a profile solution to save user personalisation using the file system (although obviously no user installed apps).  For a great explanation of block vs file see Brian Madden’s post “Atlantis Computing hopes to solve the “file-based” versus “block-based” VDI disk image challenge”.

Lots of vendors already in the Terminal Server space immediately said ‘We have a profile solution!’ and AppSense, RES, RTO, Tricerat etc. put out VDI profile solutions.

All of this worked great in the POCs and pilots; trouble is, when it scaled up to 1000s of users we found that the power users who were moving gigs of VMDKs around or working with large media files etc. meant we had to have REALLY expensive Tier 1 storage at the SAN.  It became uneconomical to move those users to VDI, so we left them on their fat desktops.

So where does that leave us on our big VDI project?

  • Multiple users on an OS image
  • Application silos
  • Locked down desktops
  • Profile solutions from AppSense, RTO, RES etc.
  • Users limited to task and knowledge workers
  • Oh yeah, print solutions from Citrix and ThinPrint.
  • Desktops accessed via RDP or ICA

I mean, what does that sound like to you?  To me it sounds EXACTLY like Terminal Server.  What we have done is taken a VDI dream and applied terminal server thinking to it; unsurprisingly, it’s now looking just like terminal server, but with extra licensing costs.

We need to apply some brand new thinking.  There are vendors out there trying to do this, like the aforementioned Atlantis, but before VDI really takes off we need to rethink a lot of things, or Gartner’s prediction of VDI being a $65 billion business with 40% of the world’s professional desktops seems to be a long way off.

