For this blog, let us focus on server-hosted VDI. Take the scenario where a customer has one VDI-enabled image that is duplicated for everyone, offered in real-time via a brokered connection and this is torn down every time a user logs out. This is sometimes referred to as an ephemeral desktop or non-persistent workspace. In theory, there's little need for traditional endpoint management disciplines when using this model as everything is temporary. Could this really be the case?
In order to try and tackle this question, I'd like to call out a small subset of the core endpoint management disciplines that we've been used to over the years. Over the coming weeks I will expand on these subjects.
1) OS Deployment In a VDI world the concept of "imaging" is replaced by (thin) provisioning of a virtual machine based on one or more virtual disk images. So the delivery mechanism is different but what about what is inside the Operating System? Each desktop still needs to have a valid and unique machine name and potential registration to systems such as Active Directory. Am I missing something? Perhaps deployment is genuinely no longer needed.
2) Policy-enforced automation Like it or not, customers will be virtualizing a Windows Operating System for now. Even though the OS is becoming more and more of a shell in a VDI model, the end-user, and let's not forget IT, still need to enforce Operating System settings. One great example of this is printers. I need "my" printers based on "who" I am and "where" I am, and this needs to be delivered automatically and dynamically.
3)Remote Management VDI users will still get issues. Many support organizations will have a 30 minute or similar rule; if after 30 minutes I have not fixed the issue, re-image the desktop. In a VDI model, this reset operation becomes much more simple, but and there is a big but, I still need to collaborate in real-time with users to solve issues. If my spreadsheet macro is not working or my in-house application can't connect to its back-end due to misconfiguration by the user, reseting the desktop will not help.
4)Patch Management This particular topic is a very interesting one for me. Do customers need to have online patching when IT can keep one master image up to date. My personal belief is that we need both online and offline patching. If an urgent remediation is required by an entire organization, taking everyone offline and re-provisioning them with a new desktop may not be feasible, try getting away with that in a bank! If a fix is required now and you can not take users offline, online Patch Management is a must.
5) Software Delivery Without software the endpoint, whether physical or virtual, is next to useless. Whether the app is traditionally packaged as an MSI, virtualized, thin-presented or streamed, access to these applications based on the user's identity is a key component of user productivity.
6) Asset Management In the apparent fluid and dynamic world of VDI, IT still needs to secure the intelligence of who is running what apps, for how long and on what devices. Businesses still have license agreements to uphold and contracts to honour, virtualizing the desktop actually brings this more into focus and can actually add complexity.
In addition to these examples, what's more compelling is the convergence of tools to manage physical and virtual endpoints. It will be unlikely that a customer will cut all end-users over to VDI instantly. Perhaps the approach will be phased, more likely is that customers will look to provide VDI solutions for the subset of users that need it. In this case, using two tools and two management approaches will complicate matters hugely. So what is the answer? A tool that can manage physical and virtual desktops, and more importantly the user-experience, across all endpoint management disciplines should cut it. Wouldn't it be great to use the tool you are using today but take on VDI management with minimal additional effort?
With this in mind, what features does an endpoint management tool need to add to address VDI solutions? Can one tool bridge the gap?
one very important addon that ZCM delivers to VDI is the end point security. We are more and more living in a world of 'wikileaks', how does one prevent data flowing away thru USB disks. ZCM (ZESM) can solve that issue.
Next to it, it is for IT departments an ideal world that all users will have one and the same desktop. But the users do wish their own desktop, which is also possible with the current VDI solutions. At this point, ZCM can deliver the needed updates, patches and new programs. vmware, xendesk and the others do not provide a solution.
If you look at XENDesktop, it uses vhd file in the background. One vhd with the master image, one vhd file per catalog and after that a vhd file per user. All on a ext3 (because the default LVM format does not allow think provisioning) which in the end is accessable for ZCM on Linux or thru a NFS share for Windows server. That way, ZCM, if it could work directly with the vhd files, it could do more and more.
In the server-hosted model, which I would like to constrain this particular blog to, then I agree that security is still very important when inside the virtual endpoint. ZENworks can make security enforcement decisions based on who is logged into a device but the idea of location changes slightly in this model. Location of the endpoint is no longer the important factor, in a server-hosted world, the location of the endpoint is always "the data-center". However, the location of the access point can change and therefore becomes more and more important. So back to the title of this reply, "management is key", if the access point is under managed by a product such as ZENworks then it will be easier to make security posture decisions at the time of launching the virtual desktop. However, in many cases, the access point will not be managed (in-fact, this is a fundamental advantage of VDI) so decisions about configuration of the connection and the security posture of the VM/hypervisor will need to be enforced by the broker based on criteria such as "where am I?", "who am I?", "what am I?".
One key area of interest for me is, can we get the location awareness features in ZENworks to work in conjunction with (a) broker(s) to allow ZENworks to initiate a connection and control the configuration of that connection, such as USB access.
A lot of traditional security disciplines may not longer apply in a VDI world. For example, disk encryption, firewall, application control, ..... etc.
What part of security interests you the most in terms of VDI?
As of june 1st, the goverment in holland has to give the users the ability to work from home. That means that the correct security needs to be in place.