User Installed Applications – Dream or Nightmare?

On his Twitter account, Harry Labana (@harrylabana), Citrix’s VP and CTO Desktop and Application Virtualization, posed the question “Are User Installed Applications A Compliance Nightmare Waiting To Happen”. User Installed Applications do indeed empower the user – but is there truly a business gain to allowing users greater freedom to control their workspace?

Virtualised desktops give organisations greater flexibility and agility in delivering a workspace to users. Workspaces don’t need to be delivered on a company-supplied device: users’ own laptops or even publicly available devices can be used. Citrix’s CEO Mark Templeton believes this greater agility will lead to IT being consumerised – users not only working where they want to work, but choosing and managing the tools that help them work effectively.

User Installed Applications would be a powerful service. Users could be given the facility to select their own applications and peripherals without the need to wait for IT to configure their device. Enabling users to work quickly with the tools they know and need could drive productivity – IT would have more time to focus on maintaining and monitoring the infrastructure. Simon Rust, VP of Technology at AppSense, has stated that there has long been a challenge with packaging all the applications required by a user to conduct their daily duties in desktop environments – and that desktop virtualisation is driving this demand more.

Application Virtualisation

Effective Application Virtualisation technologies are available from a number of vendors – Microsoft has App-V, Citrix and VMware both have their own solutions, and there are other offerings such as Symantec’s Workspace Streaming and InstallFree. With these solutions, applications can be deployed quickly to users’ desktops but, importantly, application virtualisation allows better co-existence of applications – reducing the time spent regression testing for compatibility with the operating system and other applications, and ultimately improving the delivery time to the user.

This function could allow users to install their own choice of applications into their workspace without impacting on the corporate configuration. Indeed, App-V’s predecessor can be traced back to creating a solution that would allow games companies to rent their software to PC gamers. Joe Jessen, Analyst for Desktop with the Virtualization Practice, in Desired End State for the Next Generation Desktop, highlights layering application deployment as a fundamental part of future enterprise desktop deployments. Surely a user installed application is just another layer?

While it may be ‘InstallFree’ it is not “Free as in Effort” – none of the existing application virtualisation solutions are. All solutions require an administrator to prepare the application: there is a configuration process from installation media to virtualised application which takes effort and time. Does the application have dependencies (on other applications such as Outlook or Excel)? Which settings need to remain persistent, where are settings to be stored – where does the data go? What are the performance demands of this application – does it need more memory, more CPU, greater disk speeds or capacity? Whether the user is introducing a process or procedure that they understand but no one else does is a business consideration. Should the application go wrong, who do they call?

How will the new application’s patches and updates be maintained? How is the application stored and redeployed should the user need/want to move to another device or create a new workspace? These issues shouldn’t be the responsibility of the user, who should be productive doing their tasks, not supporting their application.

How is that application licensed? To the user? To the device? How is the software licensed, do you hold a license already, is there a site license, where is the source media stored for recovery, is this a commercial or a non-commercial instance – indeed – does the virtualisation process invalidate other license agreements? A number of tools are available to report on users’ application use – Liquidware’s Stratusphere or RTO Discover for example. AppSense’s Application Manager allows granular management of application licenses, proactively preventing use on non-authorised devices. While these tools are effective in maintaining compliance – an unchecked installation capability can lead to unnecessary costs in terms of training, support and performance and indeed may invalidate other licenses.

A corporate desktop application installation is far from the consumer experience of adding an application to, say, your iPhone. A consumer application works with and maintains the consumer’s data. A business application works with and maintains the business data – they are two different entities.

Creating a process that allows seamless creation of an application that can run without impacting other applications is perhaps the most straightforward component to deliver User Installed Applications. There still needs to be a method of validating the impact on the business of introducing a new tool or component.

Applications Everywhere, but not a thought to print

Indeed, end user management of their device is more than simply installing applications. Providing mobile users with the capability to add device drivers to support peripherals out of the office has traditionally been a conflict between usability and reliability.

It would not be unusual for users to be made administrators of their device. While this solves usability issues, this configuration leads to unreliable environments, making these devices costly to support and costly in terms of lost productivity.

Solutions are available to allow far more granular control of privileges. For example, Viewfinity provide Elevate Privileges to enable users to perform tasks such as disk defragmentation, or device management such as printer installation. An advantage of Viewfinity’s solution is that IT administrators manage and assign privilege permissions to specific applications and desktop functions without granting full administrative rights.

However, in introducing this function bear in mind that you are allowing administration access to devices that will eventually connect directly to your network. By enabling users to change their preconfigured and secured environment you increase the risk of introducing malware/viruses into your corporate network. When permitting this function you shouldn’t simply consider granting the right to install, but also how that software persists on the device, how it is removed, and how it is monitored, so that you ensure that what users install will not adversely impact the rest of the network. Moving the installation task to the user may allow them to work effectively, but that gain in productivity shouldn’t come at the cost of compromising your corporate data.

One Workspace Good, Two Workspaces Better?

An alternative solution you may consider to enable greater user control over their workspace is to have multiple workspaces: one workspace locked down as a ‘corporate’ workspace and a freely managed ‘user’ workspace.

Yet in introducing the facility for devices supporting different workspaces, there are still issues of application support, license use and application performance, not to mention the data security of allowing corporate data to be manipulated and stored in that user managed partition, which is effectively outside of the corporate network.

Products such as MokaFive’s LivePC or Virtual Computer’s NXTop PC can be used here. These products allow for application/driver installation and can address issues of stability within each workspace instance. While these types of solutions can better address stability and security – they don’t resolve the business process issues of ensuring that user installed applications best meet the business needs.

Don’t have nightmares

The driver for virtualisation projects is typically to reduce cost and make better use of resources. Desktop virtualisation is no different. In Presentation Virtualisation, desktops are typically delivered to environments where tight control is accommodated, but as desktops are delivered to more demanding users you may well be considering granting greater autonomy for application deployment.

Yet there is a cost advantage to managing business users in a structured way. Control, consideration and planning are not Bad Things. Maintenance of your desktop environment should be easy, fast, and inexpensive – and this is best delivered when there are structures and controls in place rather than an unrestricted right to manage.

The impact of poorly installed or badly performing applications on shared infrastructure is higher than when users have dedicated devices – so allowing User Installed Applications in a shared environment needs additional consideration. Introducing software into your network will have an impact on security: are you confident that the applications and devices are properly restricted?

There is a business gain to allowing users greater freedom to control their workspace – but that control should be focused on maximising their productivity. Installing new applications without control isn’t simply a compliance problem. It may increase the productivity of one user – but that gain can be lost in a variety of ways – on-going support and maintenance, poor performance, and unstructured licensing.

When looking to deliver applications, bear in mind that workspaces should be quickly delivered and easy to maintain, that you should utilise technology to enable your IT team to rapidly deliver the best solution, not enable your users to waste their time being IT, and that enabling agility doesn’t require losing control.