Can You Give Power to Users Responsibly?

A significant problem when providing a Microsoft Windows desktop is how to give users control to let them get on with their job productively, while ensuring their time isn’t wasted and your business isn’t exposed to unnecessary risks and costs. Too little control and unlicensed software, possibly even malware and viruses, can be on your network. Too much control and IT limits, rather than supports. Something as simple as installing a custom printer driver is far more complicated than it should be.

At the recent technical conference Pubforum in Frankfurt, I was able to view a demo of two new up-and-coming features in Appsense’s Application Manager – namely User Rights Management (URM) and User Installed Applications (UIA). Both are very impressive new additions to that product; features that can be used to help reduce management costs of your desktops – not only for mobile users – but for any user who needs a greater level of personal control over a standardised environment, be that a traditional PC or a hosted desktop, to get their job done.

When is a User not a User?
Security is about keeping things safe. You distinguish “users” from “administrators” to keep users safe – essentially from themselves if we’re being honest.

Users ‘use’ their devices, their workspace. Ideally, they are restricted from functions that allow them to change settings because, if misused accidentally or maliciously, these changes can incur higher support costs and lost productivity. In the worst cases, security could be compromised or data lost: not only on the user’s device, which is bad, but across the entire organization. To lose one device could be seen as misfortune, to lose all of them looks like carelessness.

However, there are cases where users do need increased access rights. For example, a user may need to be away from the office and install printer drivers or new hardware; they may need to change settings or apply updates. In a Microsoft Windows operating system the traditional method of enabling Administrator rights is a binary choice. The user either has full administrator rights or no admin rights to the desktop and all applications. There is, of course, the concept of a Power User – but even Microsoft acknowledge in their knowledge base article that the Power Users group can put your devices at risk. You can give the user two accounts, an administrator and a user account – but often they’ll choose one (the admin, as it’s least effort) over the other: what’s worse is you’ve now two accounts to manage, two passwords to change or lose.

User Rights Management
Appsense have developed User Rights Management (URM) to ensure that only specific users are able to have elevated rights for predetermined applications in controlled situations. Appsense aims to provide your business with a means to balance user needs with IT cost. During the presentation, policies were applied that dynamically enabled access to functions such as setting the date and time, changing wireless settings, installing printer drivers or unsetting individual control panel applets or even registry changes. URM also allows you to apply settings to a group rather than a single user and to “deny” as well as “allow”: so, for instance, you can apply permissions that prevent an administrator from accidentally disabling a service or uninstalling a critical component. The service works by changing the user’s account rather than using an alternative account – meaning you don’t have to have multiple accounts.

So I can buy this now?
For Appsense’s offering the answer is “soon”. User Rights Management is about to begin beta testing and Daniel O’Connor, Product Manager for Appsense’s Application Manager product, is seeking those interested in beta testing the service.

Appsense is not the first to deliver a product in this field. Avecto and Viewfinity, for example, provide solutions that allow privilege elevation to enable users to perform tasks such as disk defragmentation, or device management such as printer installation. As with Appsense’s URM, these solutions allow IT administrators to manage and assign privilege permissions to specific applications and desktop functions without granting full administrative rights.

However, while this feature is not unique to Appsense, its inclusion in Application Manager’s feature set is a great addition that helps keep Appsense at the forefront of the workspace management market.

But URM was not the only feature in development – Appsense are working hard to extend Application Manager to also permit User Installed Applications.

User Installed Applications

I’ve got to admit I’ve been skeptical of the benefits of UIA – in fact I mentioned this back in November 2009.

You’ll be able to grant – with URM – the ability for users to install applications. An issue here is that the application is then tied to the device: that install process is a ‘traditional install’.

While this may be beneficial for laptop users, it’s a cumbersome solution for traditional or hosted desktop solutions where users may not have access to a fixed device. That said, if I’m a laptop user and for whatever reason I need a different laptop (because I left the other one in a taxi/airport/train/bar) time and effort need to be spent reinstalling those applications if I don’t have a complete image backup.

Appsense are working on a service that allows users to install an application into a desktop session and then have that application made available in any other desktop session – regardless of how that session is delivered. It requires that the application be isolated and treated as part of the user’s personal environment.

A user’s profile may ‘roam’ – so their application settings, their documents are available to them wherever they log on: UIA enables this for applications.

This demo was very early code; it is unlikely to be available for consideration this year. Even at this stage User Installed Applications is going through extensive testing to understand limitations of the installation process. The end result will be a similar ‘sandboxed’ application delivery to, say, Microsoft’s App-V or VMware’s ThinApp. However, as this will be user driven, the process effectively needs to analyze and create the streaming and virtualization process automatically: not a trivial task.

As I mentioned back in November – having the facility to allow users to choose their own applications can be seen as enabling the user to be more productive by letting them choose the tools they need. Yet, there is an advantage in managing this process to ensure that the best price for licenses can be obtained, that the proper licenses are purchased, that there isn’t a duplication of software – if every user is installing their own applications who is authorizing that spend, and when?

How can this function help my business?

User Installed Applications is a function that can offer your business more than simply ‘allowing users to choose and install their own applications’. For that, you could utilize a user rights management product. A User Installed Applications solution could enable you to deliver applications more cost-effectively by:

  • Removing the need for a time-consuming packaging process before applications are available to users.
  • Allowing not only user data, but user applications to roam with the user.

VDI is not the only desktop solution; neither is a traditional desktop, nor presentation virtualization. The greater business advantage is in adopting a range of solutions and allowing users to move (relatively) seamlessly between them: from working at a remote site on a laptop, to coming into the office to work on a traditional desktop, to working on a hosted desktop from home or a customer site. Having applications follow the user regardless of what that workspace is running on will be an enabler for this.

But Andrew, I hear you ask, that’s all delivered now with web-based applications, is it not? Well, can web applications deliver services without access to the web? More importantly – while web-based applications can offer a great deal of services, the fact is a great many more applications have been, and continue to be, developed as “traditional” stand-alone/client-server. Ah, but what about application packaging, you may counter. User Installed Applications here offers the facility to reduce the time from a request for an application to its delivery to the user.

Interestingly, while the technologies will offer a seamless transition for users between workspaces, the question will be – will your software licenses support such a transition? Will they be licensed per user, or per device? Per named user, per concurrent user or per company user? It is not just about the technology to deliver the application, to package the application, but to monitor and manage the use of those applications.

Can You Give Power to Users Responsibly?

Avecto and Viewfinity, and soon Appsense, offer products that you can deploy to give additional rights to users so that they can work effectively without being a drain on IT, or IT being a millstone to them. The facility for users to install their own applications as part of their own workspace takes this function a step further: fundamentally it should be about bringing your own device – it should be about giving your users the facility to configure their workspace so that they can best get on with their job.

Yet users don’t operate in isolation: they work within an organization. Your users work within your organization. How is their day-to-day workspace being used? Have they bought software they don’t need? Is the software performing correctly? Are people aware of software that has already been bought? Are you subscribing to software that is no longer used? Ultimately this is likely to be a growing role for IT – not delivering the applications but monitoring the application deployment and use and checking that it is being used responsibly.