Do virtual endpoints need to be managed?

For this blog, let us focus on server-hosted VDI. Take the scenario where a customer has one VDI-enabled image that is duplicated for everyone, offered in real-time via a brokered connection and this is torn down every time a user logs out. This is sometimes referred to as an ephemeral desktop or non-persistent workspace. In theory, there's little need for traditional endpoint management disciplines when using this model as everything is temporary. Could this really be the case?

In order to try and tackle this question, I'd like to call out a small subset of the core endpoint management disciplines that we've been used to over the years. Over the coming weeks I will expand on these subjects.

1) OS Deployment
In a VDI world the concept of "imaging" is replaced by (thin) provisioning of a virtual machine based on one or more virtual disk images. So the delivery mechanism is different but what about what is inside the Operating System? Each desktop still needs to have a valid and unique machine name and potential registration to systems such as Active Directory. Am I missing something? Perhaps deployment is genuinely no longer needed.

2) Policy-enforced automation
Like it or not, customers will be virtualizing a Windows Operating System for now. Even though the OS is becoming more and more of a shell in a VDI model, the end-user, and let's not forget IT, still need to enforce Operating System settings. One great example of this is printers. I need "my" printers based on "who" I am and "where" I am, and this needs to be delivered automatically and dynamically.

3)Remote Management
VDI users will still get issues. Many support organizations will have a 30 minute or similar rule; if after 30 minutes I have not fixed the issue, re-image the desktop. In a VDI model, this reset operation becomes much more simple, but and there is a big but, I still need to collaborate in real-time with users to solve issues. If my spreadsheet macro is not working or my in-house application can't connect to its back-end due to misconfiguration by the user, reseting the desktop will not help.

4)Patch Management
This particular topic is a very interesting one for me. Do customers need to have online patching when IT can keep one master image up to date. My personal belief is that we need both online and offline patching. If an urgent remediation is required by an entire organization, taking everyone offline and re-provisioning them with a new desktop may not be feasible, try getting away with that in a bank! If a fix is required now and you can not take users offline, online Patch Management is a must.

5) Software Delivery
Without software the endpoint, whether physical or virtual, is next to useless. Whether the app is traditionally packaged as an MSI, virtualized, thin-presented or streamed, access to these applications based on the user's identity is a key component of user productivity.

6) Asset Management
In the apparent fluid and dynamic world of VDI, IT still needs to secure the intelligence of who is running what apps, for how long and on what devices. Businesses still have license agreements to uphold and contracts to honour, virtualizing the desktop actually brings this more into focus and can actually add complexity.

In addition to these examples, what's more compelling is the convergence of tools to manage physical and virtual endpoints. It will be unlikely that a customer will cut all end-users over to VDI instantly. Perhaps the approach will be phased, more likely is that customers will look to provide VDI solutions for the subset of users that need it. In this case, using two tools and two management approaches will complicate matters hugely. So what is the answer? A tool that can manage physical and virtual desktops, and more importantly the user-experience, across all endpoint management disciplines should cut it. Wouldn't it be great to use the tool you are using today but take on VDI management with minimal additional effort?

With this in mind, what features does an endpoint management tool need to add to address VDI solutions? Can one tool bridge the gap?


How To-Best Practice
Comment List
  • Nothing is officially on the roadmap yet. In terms of incremental features, we have a bunch of features we can add relatively easily such as identifying VDI machines surfacing registration rules, dynamic groups, searches, dashboard etc.

    I will keep people posted on our thoughts via this blog and the various events I speak at.

    Would love to know your thoughts.

    What does the ZCC need to help manage a VDI environment?
  • Anders, about the remote control..
    we have virtual XP machines running on VMware View, I can RemoteControl the RDP sessions from ZCM10.3.3 normally.

  • This is good topic,
    but as many have already deployed VDI solutions, it would be nice to know what has Novell already planned for ZCM regarding VDI - and when will we see those things?

    We would need atleast to easily separate VDI machines from physical machines in ZCM, in order to do different associations on bundles/policies etc. dynamic groups or such..
  • Interesting, can you share an literature on this in English? Perhaps a tough ask.

    How specific are the requirements for home-working?
  • As of june 1st, the goverment in holland has to give the users the ability to work from home. That means that the correct security needs to be in place.

  • Don't worry, I haven't forgotten about eDirectory. Unless you have ZENworks 7 there is no reason to register a machine to eDirectory, hence why I didn't mention it in terms of OS deployment.

    It is my understanding that Win7 has limitations around RDP connections. Citrix and VMware have solutions for remote collaboration using their own protocols (HDX, PCoIP)

  • In the server-hosted model, which I would like to constrain this particular blog to, then I agree that security is still very important when inside the virtual endpoint. ZENworks can make security enforcement decisions based on who is logged into a device but the idea of location changes slightly in this model. Location of the endpoint is no longer the important factor, in a server-hosted world, the location of the endpoint is always "the data-center". However, the location of the access point can change and therefore becomes more and more important. So back to the title of this reply, "management is key", if the access point is under managed by a product such as ZENworks then it will be easier to make security posture decisions at the time of launching the virtual desktop. However, in many cases, the access point will not be managed (in-fact, this is a fundamental advantage of VDI) so decisions about configuration of the connection and the security posture of the VM/hypervisor will need to be enforced by the broker based on criteria such as "where am I?", "who am I?", "what am I?".

    One key area of interest for me is, can we get the location awareness features in ZENworks to work in conjunction with (a) broker(s) to allow ZENworks to initiate a connection and control the configuration of that connection, such as USB access.

    A lot of traditional security disciplines may not longer apply in a VDI world. For example, disk encryption, firewall, application control, ..... etc.

    What part of security interests you the most in terms of VDI?
  • Ahem.. You forgot to mention eDirectory :) And yes, we need to manage virtual workstations with ZCM, just as we do physical ones. Software rollout, per-user settings and above all remote control. Right now you cannot RC a virtual PC to which a user has a RDP connection, somewhat of a PITA.
  • one very important addon that ZCM delivers to VDI is the end point security. We are more and more living in a world of 'wikileaks', how does one prevent data flowing away thru USB disks. ZCM (ZESM) can solve that issue.

    Next to it, it is for IT departments an ideal world that all users will have one and the same desktop. But the users do wish their own desktop, which is also possible with the current VDI solutions. At this point, ZCM can deliver the needed updates, patches and new programs. vmware, xendesk and the others do not provide a solution.

    If you look at XENDesktop, it uses vhd file in the background. One vhd with the master image, one vhd file per catalog and after that a vhd file per user. All on a ext3 (because the default LVM format does not allow think provisioning) which in the end is accessable for ZCM on Linux or thru a NFS share for Windows server. That way, ZCM, if it could work directly with the vhd files, it could do more and more.
  • Excellent point.

    Profile management and the ability to personalise a session is key firstly to making VDI work but also, and I think more importantly, it allows users to roam between different access points and endpoints. For example, a user that can roam from a desktop, to a laptop, to a server hosted VDI session, to a thin-presented desktop and still maintain their applications whilst being managed by one tool, is very compelling.