user workspace management - eddie jacksoneddiejackson.net/web_documents/the_shortcut_guide... ·...

The Shortcut Guide ToThe Shortcut Guide Totmtm

User WorkspaceManagement

Greg Shields

The Shortcut Guide to User Workspace Management Greg Shields

i

Introduction to Realtime Publishers by Don Jones, Series Editor For several years now, Realtime has produced dozens and dozens of high‐quality books that just happen to be delivered in electronic format—at no cost to you, the reader. We’ve made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book’s production expenses for the benefit of our readers.

Although we’ve always offered our publications to you for free, don’t think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as—and in most cases better than—any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the “realtime” aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We’re an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I’m proud that we’ve produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you’ve received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you’re sure to find something that’s of interest to you—and it won’t cost you a thing. We hope you’ll continue to come to Realtime for your

far into the future. educational needs

enjoy. Until then,

Don Jones

http://nexus.realtimepublishers.com/


ii

Introduction to Realtime Publishers ................................................................................................................. i

Ch

apter 1: What Is User Workspace Management? .................................................................................. 1

De coupling the Layers of Windows ............................................................................................................. 2

Encapsulation and Decoupling ................................................................................................................. 3

The Benefits of Decoupling ......................................................................................................................... 3

User Workspace Management Enables Decoupling ........................................................................ 6

The Ridiculous Pain of User Profiles ........................................................................................................... 7

The Case for User Workspace Management ............................................................................................ 9

Co ntent, Context, and Security .................................................................................................................... 11

Content ............................................................................................................................................................. 12

Context ............................................................................................................................................................. 12

Security ............................................................................................................................................................ 13

Users Get Personalization, IT Gets Control ........................................................................................... 13

User Workspace Management Changes Everything .......................................................................... 14

Chap ter 2: Personalization Equals Content + Context .......................................................................... 15

The Misalignment Between IT and Users ......................................................................................... 16

De fining Personalization ............................................................................................................................... 17

The Right Content ........................................................................................................................................ 17

The Right People .......................................................................................................................................... 19

Th e Right Circumstances .......................................................................................................................... 20

Bob’s Location .......................................................................................................................................... 21

Bob’s Device .............................................................................................................................................. 21

When Bob Connects ............................................................................................................................... 22

Summing it Up ............................................................................................................................................... 22

Th e Power of Pervasive ................................................................................................................................. 23

Server‐Based Computing and Remote Desktop Services ........................................................... 24

Local Application Installation ................................................................................................................ 24


iii

Application Virtualization ........................................................................................................................ 24

Hosted Virtual Desktops ........................................................................................................................... 24

Pooled Virtual Desktops ........................................................................................................................... 24

Cr eating Pervasive Personalization .......................................................................................................... 24

Incorporating Run Books into Personalization .............................................................................. 27

User Workspace Management Facilitates Workplace Satisfaction ............................................. 28

Chap ter 3: Tying Security to People, Not Devices ................................................................................... 29

Comfortable Security ................................................................................................................................. 30

Ce ntralizing Security with Personality.................................................................................................... 30

Personalization Is Security: An Example ........................................................................................... 32

Adding Security to Content and Context ................................................................................................ 32

Co ntent Security ................................................................................................................................................ 33

Security of Applications ............................................................................................................................ 34

Security of Removable Disks .................................................................................................................. 35

Security of Files and Folders ................................................................................................................... 36

Security of the Network ............................................................................................................................ 37

Co ntext Security ................................................................................................................................................ 37

Location Security ......................................................................................................................................... 38

Device Security ............................................................................................................................................. 38

Integrating Security with the Delivery Infrastructure ..................................................................... 39

Pervasive Personalization Can Mean Pervasive Security ............................................................... 40

Ch apter 4: Transforming to an Environment of User Workspace Management ....................... 41

De livering User Workspace Management ............................................................................................. 42

The Workspace Composer Agent .......................................................................................................... 45

The Centralized Database ........................................................................................................................ 46

The Workspace Designer ......................................................................................................................... 47

Controlling Applications Through the Workspace ............................................................................ 48


iv

Mi grating to User Workspace Management ......................................................................................... 49

Desktop Sampling ........................................................................................................................................ 50

Workspace Design ....................................................................................................................................... 50

Initial Agent Installation ........................................................................................................................... 51

Environment Control and Tuning ......................................................................................................... 51

Extending Agent Coverage ....................................................................................................................... 51

En vironment Transformation: Two Real‐World Examples ........................................................... 52

Migration Scenario—Upgrades ............................................................................................................. 52

Green Field Scenario—VDI ...................................................................................................................... 53

Improving Your Life. Improving the Lives of Your Users. ............................................................... 54


v

Copyright Statement © 2010 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the “Materials”) and this site and any such Materials are protected by international copyright and trademark laws.

THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials.

The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, non-commercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice.

The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties.

Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.

If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at [email protected].

mailto:[email protected]


1

[Editor’s Note: This book was downloaded from Realtime Nexus—The Digital Library for IT Professionals. All leading technology books from Realtime Publishers can be found at http://nexus.realtimepublishers.com.]

Chapter 1: What Is User Workspace Management?

I spent four hours yesterday upgrading exactly one desktop from Windows Vista to Windows 7. Four hours! Yet that’s not the most disheartening part of this story. You already know that installing a fresh copy of Windows has today become fantastically easy. You can create a new instance of Windows 7 in a few clicks of the mouse: Agree to an EULA, select a disk drive, enter a license key, and in the time it takes to brew a fresh pot of coffee, you’ve got a fully‐functional OS instance. The problem is that’s the easy part. The real pain in terms of time, effort, and labor comes not in provisioning that Windows OS, but in dealing with all the little bits of user personality information that one must transfer from one OS instance to another. You know the story: Upgrading an OS, or moving a user to a new desktop, or creating a remote application or hosted desktop infrastructure. All of these activities are core to the job of an IT professional. And all are actually fairly easy to accomplish—except for that all‐important process of managing, maintaining, transferring, and/or replicating your users’ workspace data. In my experience yesterday, installing Windows 7 consumed about 30 minutes of the project’s four hours. The other three‐and‐a‐half hours saw myself and my user seeking out every scattered bit of their stored information, transferring what they needed to a temporary location, remembering and then subsequently re‐transferring a few forgotten

ack into the new OS. items, and eventually merging that data bThree‐and‐a‐half hours for all this work, for a single workstation! Ridiculous! Whether you’re upgrading OSs, migrating them, or simply need a better way to administer user data

there has got to be a across multiple (and sometimes simultaneous) points of access, smarter approach to managing your users’ workspaces.

What that “smarter approach” might look like is the central theme behind this Shortcut Guide. In its four chapters, you’ll learn how User Workspace Management can fully decouple your users’ workspaces from their operating systems (OSs). As a result, your all‐critical user data becomes capable of roaming across every class of IT infrastructure, while you gain more‐powerful tools in managing it. But before we talk about solutions, let’s first analyze the problem by taking a look at the layers within the Windows OS. By decoupling those layers, User Workspace Management enables some very powerful trickery that make my problem—as well as many of yours—go away completely.



2

Decoupling the Layers of Windows When you sit down in front of a Windows computer, it’s easy at first blush to see that computer as a single entity. You interact with an OS. You install and work with applications. You customize settings for your printers, your desktop environment, your USB drives, as well as the settings specific to the applications you use. It is the combination of these

his guide. elements that makes up the computer on which you’re reading t

Yet that single entity that is your computer is really made up of a set of layers. Each layer in that stack contributes in some way to the creation of a fully‐useable computer.

Think for a minute about those layers that could make up a typical Windows computer. One representation is shown in Figure 1.1. At the figure’s base is your hardware itself. That hardware might be a laptop or a desktop. Or it could be one of any number of virtual or otherwise non‐standard technology infrastructures.

Hardware

Operating System

Applications

User Workspace

Figure 1.1: The many layers of the Windows OS.

For example, instead of being a traditional desktop, that computer’s hardware might exist atop a hosted virtual desktop, located somewhere within a data center. It could also be sourced from a remote applications infrastructure such as Microsoft’s Remote Desktop Services or Citrix XenApp. Essentially, any infrastructure that allows for the installation of an OS can be the base layer of this OS stack.

Atop that hardware is the installation of the OS itself. In my story, that OS started out as Windows Vista but was later upgraded to Windows 7. Microsoft Windows is available in a number of versions—both for servers and workstations—of which you probably support more than one version today.

Layered atop that OS is a set of applications. These applications might be installed locally. Some might be deployed through an automated software deployment solution, while others might be streamed down to that computer using application virtualization. Even others might be applications atop a remote applications infrastructure, with their access enabled through links within the local computer.


3

On top of all of these layers are your user customizations themselves. As stated before, these are the settings that make up your desktop environment. Some you may have customized yourself, while others may have been enforced through a stated company or IT policy. Important to recognize here is that the sum total of these configurations is what comprises your user workspace.

Encapsulation and Decoupling With this understanding in mind, let’s assume that through the use of one or more software products, it becomes possible to logically encapsulate these layers. This process of encapsulation creates hard lines between the user workspace and the applications and OS it customizes. It does the same thing between applications and the OS, as well as between the OS and the hardware on which it rests.

Without this logical encapsulation in place, managing that computer is a very difficult thing to do. Without some automated software deployment or application virtualization solution, adding a new piece of software means I have to manually touch each and every computer. Updating a piece of software requires a lengthy uninstallation‐followed‐by‐reinstallation process. Lacking solutions like these, working with OSs and applications in any form is both difficult and time consuming.

The same holds true at the user workspace layer as well. User data is natively stored within a Windows user profile, with that profile containing all the customizations that elevate a freshly‐installed Windows OS into something that’s personalized for each user. Lacking logical encapsulation at this layer, moving that user data between different computers becomes challenging to the point of absurdity. If you’ve ever spent four hours trying to upgrade a single user’s computer from one OS to another, you know this pain.

The Benefits of Decoupling Now, envision an environment where each of these layers has been fully encapsulated. Such an environment would see a full decoupling of each layer from the others. Here, for example, a hard line would exist between the user’s workspace and their applications. The user’s workspace would be independent from the OS as well as its hardware.

In such an environment, that user’s workspace would immediately become fully mobile. This becomes possible because that workspace is no longer directly reliant on the layers below it. Because the decoupled workspace now exists in its own independent and isolated layer, that layer can trivially move between different computer instances. Such an environment would gain some very interesting benefits to administration.

For example, consider the change that is represented in Figure 1.2. Here, the user workspace has been decoupled from its OS and installed applications. With the aforementioned encapsulation in place, it becomes possible to swap out the underlying OS along with its applications.


4

Figure 1.2: Decoupling the user’s workspace enables it to work atop new computer

instances.

This situation exactly mirrors the OS upgrade I explained in the beginning of this chapter. If the user workspace on the computer in my story were encapsulated in this way, upgrading that OS would require only three very simple steps:

• Synchronize. The first step would be to ensure the user workspace on the computer I plan to upgrade was synchronized with an offline copy. Depending on the solution, this process could have occurred automatically in the background or through some administrator action.

• Update. Once an offline copy of my user workspace was complete and verified, I would need only to insert the Windows DVD and complete the upgrade.

• Reapply. My final step once the upgrade and application installations were complete would be to reapply the user workspace back to the new OS. That workspace would seamlessly apply on top of the new OS, returning the user’s personality information back to the upgraded OS.

This process sounds vaguely similar to the manual steps I went through to locate the user’s information, copy to an offline location, and merge it back with the upgraded OS. However, different with a User Workspace Management solution is the logic that fully automates these steps.

User Workspace Management Compensates for OS Differences Critical also to recognize is that different versions of the Windows OS have very different structures for user data. For example, versions prior to Windows Vista store user data in the C:\Documents and Settings folder. Windows Vista and later versions store that data in C:\Users. Windows Vista and Windows 7 also have different folder structures for storing user data within profiles. Registry structures can also be different between different OS versions. Yet although these changes are substantial between versions, they can be compensated for. A decoupled environment would need to include the necessary logic to translate between different OS versions; however, one that included such logic would fully automate the transfer of user workspaces between OSs.


5

Along the same lines, a decoupled environment could also enable hardware independence for user workspaces. Because of its encapsulation, that same user workspace could be seamlessly applied to any class of hardware infrastructure as well (see Figure 1.3).

Figure 1.3: Decoupling creates hardware infrastructure independence.

That hardware could be realized as a replacement desktop, a changeover between a desktop and laptop, or among any of the multiple virtual or application infrastructure technologies available today. With this flexibility, IT immediately loses a set of traditionally challenging hurdles:

• Seamless desktop to laptop. Swapping a desktop for a laptop becomes immediately seamless. The same user workspace that was created for the desktop would be immediately available once logged into the laptop.

• Seamless desktop to shared desktop. Similar to the change for laptops, users who move from their primary computer to a shared desktop—such as one in a conference room or kiosk—would immediately and seamlessly have access to the same user workspace and same resources.

• Seamless desktop to virtual desktop. Environments making the move to hosted virtual desktops needn’t worry about user settings between physical and virtual environments. Users who log onto their hosted virtual desktop automatically and seamlessly have the same experience as with their primary desktop.

• Seamless desktop to remote application. Lastly, remote applications infrastructures needn’t necessarily create new workspaces for users. When users click links to launch remote applications or desktops, those environments include the exact same workspace configuration as on their primary desktop.

Decoupling additionally eliminates the reliance between the user workspace and its installed applications (see Figure 1.4). With a decoupled user workspace, it becomes trivial to change the set of available applications within any hardware infrastructure. In such an environment, user personalization data that functions with one application will automatically work with that application if it is available. Replacement or updated pplications can leverage existing personalization data or create their own. a


6

Figure 1.4: Decoupling enables application flexibility.

Methods for application delivery grow more flexible as well. When user workspaces are decoupled from applications, the applications can be made available to users in many different ways with the assurance that personalization is retained. For example, an application that was at one point directly installed to a desktop can also be made available through a remote applications infrastructure. Another within a remote applications infrastructure can be later streamed to desktops on‐demand. In every case, users are always guaranteed that their personal settings will apply no matter how the application is delivered.

User Workspace Management and User Virtualization To the keen eye, this concept of layer encapsulation and decoupling should resemble another important topic in IT—virtualization. The concepts of User Workspace Management and User Virtualization are similar in terms of scope and capabilities.

User Workspace Management Enables Decoupling The workspace decoupling in each of these scenarios is made possible through the software solutions that enable User Workspace Management. Such solutions integrate with the various hardware infrastructures already in your environment to enable the seamless roaming of user workspaces.

Yet, how does this logical encapsulation and decoupling actually work? And how close are these solutions to long‐held technologies such as traditional Windows profiles? Although they appear similar in construct, you’ll find substantial differences in delivery as well as workspace management between a User Workspace Management solution and what you’re sed to seeing with Windows profiles. u


7

The Ridiculous Pain of User Profiles When you envision the concept of a user workspace, it is perhaps easiest to start by considering traditional Windows user profiles. User profiles are designed to contain settings and configurations that are unique to a particular user. For example, when a user changes their desktop background, the information about that configuration change is stored within their user profile. The same holds true for essentially every look‐and‐feel change to the user’s workspace as well as custom configurations to that computer’s applications.

Windows user profiles are obviously user‐centric, but they are by nature device‐centric as well. A traditional Windows user profile exists on exactly one computer (see Figure 1.5), with each profile corresponding to a unique user. Stored within that computer’s Users or Documents and Settings folder, each user profile contains the custom settings that have been defined for that user and for that device.

Figure 1.5: With traditional user profiles, the user’s workspace is defined for each

user and for each individual device.

This solution works well when users log in exclusively to the same computer. This is a situation that was common in IT’s “old days”: Users begin their day by logging into their assigned computer, they interact with it throughout the day to do their jobs, and log out as they leave in the evening. One person equals one computer.

Yet this one‐computer‐per‐person concept is a quickly‐dying scenario. Today’s business needs often require users to move between computers. Also needed are entirely‐separate remote application infrastructures such as Microsoft’s Remote Desktop Services or Citrix’s XenApp. Some businesses leverage the use of virtual hosted desktops as a replacement to or in addition to traditional desktops.

In each of these examples, the job of a single user requires the support of more than one computer. In some cases, a single user can require the support of multiple computers at the same time. With a user’s workspace constrained by device, each new login requires an entirely separate process of workspace configuration to make it ready for use. Essentially, every time a user logs in somewhere new, they must restart the process of making their workspace comfortable and useful for them. As the number of endpoints increases in such an environment, so does the number of separate workspaces. The result is a substantial

base. amount of wasted time, and ultimately an unhappy user


8

Microsoft’s native solution for this problem was and continues to be the creation of roaming profiles. These enable the “roaming” of a traditional user profile to multiple endpoint computers (see Figure 1.6). Using a roaming profile, the user’s workspace is copied from a central storage location to the endpoint at the moment the user logs in. While logged in, the user enjoys the workspace customizations they’ve stored in their profile. When they later log out of that workstation, the roaming profile is returned back to the storage location to await the next login.

Figure 1.6: Roaming profiles centralize the storage of the user’s workspace,

delivering it via file copy to devices during login.

Although a great idea in concept, this all‐or‐nothing approach actually complicates rather than resolves the problem in a number of ways. Think about some of the problems environments experience today with roaming profiles:

• Synchronization. The process of copying profiles to and from a storage location at login and logout creates synchronization problems which are exacerbated when multiple endpoints are used simultaneously.

• Capture. Roaming profiles only capture and deliver configurations that are contained within the user’s profile and user registry hive. Some applications do not store user‐specific settings in these locations, and as such, they are not properly captured by the user’s profile.

• Accumulation. Roaming profiles accumulate changes over time. Copied down to any number of very different endpoints—desktops, laptops, Terminal Servers, hosted desktops, and so on—a roaming profile gathers and stores artifacts from each. This occurs even when artifacts don’t merge properly with some endpoints, causing broken links and orphaned configurations.


9

• Delay. The copy process for a roaming profile is folder‐centric, which means that an entire folder of files must be transferred between storage and endpoint at each login and logout. Even a single large file on a user’s desktop can significantly increase the time required to login and logout.

• Management. Lastly, and most importantly, the centralized management of user profiles can only be accomplished through Group Policy or via scripts. Both of these solutions occur after the profile is delivered rather than in conjunction with it, making profile management a reactive rather than a proactive solution.

It should be obvious within this short narrative to see the limitations in both solutions. Traditional user profiles offer stability but without the needed multiple‐endpoint extensibility. Roaming profiles, in contrast, gain the extensibility but by sacrificing stability. In the end, neither is an effective solutions for today’s dynamic computing requirements, and neither fully decouples the user’s workspace from the applications and OS that lie beneath.

The Case for User Workspace Management The central problem in both of these solutions is that each is focused on managing devices and users. Using native Windows profiles, User A gets Profile A, which is delivered no matter whether they’re logging into Desktop A, Server B, or Remote Application C. The result is a monolithic answer to a fine‐grained problem, when what is needed is a solution that doesn’t really care about devices, users, or delivery endpoints. Rather than focusing on devices and users, such a solution instead should desire only to manage the content that makes up your user’s workspace.

Think for a minute how a content‐centric solution would be quite different than native Windows profiles. In a content‐centric solution, neither the device nor the user really matter anymore. Such a solution dynamically constructs the user’s workspace at each and every login. The composition of that workspace is based on a combination of enforced configurations as determined by company and IT policy along with others that are unique and personalized to each user. Each setting is granularly configured as an individual object that is associated with the user’s workspace. Although the user’s native “profile” still exists in a content‐centric solution, there is no longer a sense of delivering that profile as a whole entity.

Figure 1.7 shows a graphical representation of how this might look. Here, the user’s profile still exists as a structure within each possible endpoint. Different, however, is the presence of a third‐party software agent on each endpoint that interacts with an external database. Contained within that database is the comprehensive set of workspace configurations that are required by every endpoint. When the user logs into any endpoint in the environment, their workspace is granularly composed rather than brute‐force applied through an all‐or‐nothing profile transfer.


10

Figure 1.7: A contentcentric solution granularly composes the user’s workspace

rather than resorting to an allornothing folder transfer.

This granular com position of the workspace accomplishes a number of tasks all at once:

• Decoupling. Each possible workspace configuration is stored within the external database and composed within the user’s session at the moment they log in. This decoupling of the user’s workspace content from their actual profile eliminates the accumulation and capture problems noted earlier with traditional profiles.

• Workspace pervasiveness. By decoupling the configuration elements of the workspace from the workspace itself, that workspace composition becomes applicable to any endpoint. Thus, the same workspace configuration that applies to Desktop A could also seamlessly apply to Server B or Remote Application C. Further, if a user found themselves logging into Desktop A, Server B, and Remote Application C at the same time, they would assuredly find the same workspace in each.

• Synchronization. The communication to the third‐party agent needn’t flow in only a single direction. Such an agent can regularly watch for other configurations that have been personalized by the user, such as an updated desktop background or

nges back with the database with different screen saver, and synchronize those charelatively little delay.


11

• Itemlevel Management. Traditional profiles can generally only be centrally managed through Group Policy or the use of custom‐coded scripts. Although the combination of both gives a measure of control over workspace elements, that control is always reactive—occurring after the profile is laid into place. A content‐centric solution enables the management of individual workspace configuration items at an item‐by‐item level.

• Standardization plus personalization. Finally, such a solution has the capability of defining some elements that are required, while leaving other elements to be personalized by users. Users like the ability to customize certain parts of their environment, giving them a comfortable look and feel. Other parts must be controlled by corporate or IT policy. A content‐centric solution’s item‐level management gives IT the power to determine which configurations are controlled and which can remain personalized.

The end result with a User Workspace Management solution is that resources and applications become exposed to the user as a function of the endpoint agent. That same agent enables administrators to wield granular control over which items are exposed, which are controlled or otherwise locked down, and which are available for user customization.

Content, Context, and Security And yet the management of content and its exposure to users is only the first component of a fully‐realized User Workspace Management solution. In environments with such solutions, the client‐installed agent is charged with composing the user’s workspace based on the union of three distinct but important factors: content, context, and security, shown graphically in Figure 1.8.

Figure 1.8: User Workspace Management is the union of content, context, and

security.


12

Let’s take a look at each these three elements in turn. You’ll see how the combination of each is required to truly serve all the needs of the dynamic business computing environment.

Content Content relates to the resources that users require to complete their assigned duties. This chapter has already discussed some of those components, with a more‐detailed conversation to occur in Chapter 2. However, the recognition that users require access to various applications, data, printers, and other user settings is important to understanding the types of content that a User Workspace Management solution can deliver.

Context Delivering content is one thing, but delivering it appropriately is yet another. Recognition of the user’s context is a critical component of today’s dynamic computing environments but remains a glaring omission in traditional profile‐based solutions.

Today’s users more and more require the use of multiple mechanisms for accessing their applications and data. Some of those mechanisms require the direct installation to local hardware, while others are hosted via network‐based remote infrastructures. Others roam among areas of the network or even between security zones. The problem intrinsic to this horizontal spread of application availability is in recognizing where the user is and via what mechanism are they accessing their resources.

Within the parameters of a User Management Workspace solution, context can be based on a spread of different factors. Obviously, the user’s identity itself is a central aspect of their context: For example, the “jdoe” account is logically linked to the person named “Jane Doe.” However, context here can also be based on other factors, such as the location from which that user is connecting, the time of day or day of week, and the device on which the user is working. Each of these elements of context is used to determine what kinds of content are delivered to the user.

It’s easiest to visualize this by means of a simplistic example. Consider a business that spans multiple floors in an office building. In such a business, there are likely a number of printers on each floor. In the traditional network, finding the right printer that is close to you and contains the right features can be a guess‐and‐check process. Without automation, users must search for printers that appear close in proximity based on their name or network label.

Context‐sensitivity within a User Workspace Management solution enables the workspace itself to identify the right printer based on proximity and feature set. In this example, when a user logs out of one computer on the first floor and into another on the second, their workspace will automatically update the printer configuration to connect to the closest rinter. p


13

Security Combining context with content is important not only for resource delivery but also in applying the right security. Completing the three elements in this union are the security configurations that apply to delivered content. Those configurations can and will be different based on the context of the user.

For example, consider a user that is accessing an application and associated set of data using their desktop within the brick‐and‐mortar office. Located within the protective confines of the office, that user likely requires relatively open access to these resources. They should be able to print the data, copy‐and‐paste it between applications, and accomplish all the tasks that are commonly associated with the resource.

Consider how things change when that user goes home for the evening. First, should that user have access to run the application? Should the user be able to use the application with the same set of data? If access is granted for users in this context, should they have the same privileges with the data that they do while in the office?

Lacking a User Workspace Management solution, it may not be possible to answer these questions. Further, the user’s workspace may not be well‐controlled enough to actually enact changes if their answers were known. Yet another feature of a User Workspace Management solution’s client agent is the ability to granularly secure resource access based on that context.

This concept of context‐sensitive security to resources is a fundamental part of a User Workspace Management solution’s value proposition. As such, the whole of Chapter 3 is dedicated to exploring this topic of security in depth.

Users Get Personalization, IT Gets Control The administrative power of such a solution shouldn’t go unnoticed. Remember that a User Workspace Management solution is above all a mechanism for IT to define—and ultimately control—the workspace for its users. By entirely decoupling that workspace from its IT infrastructure components, users automatically gain the assurance that their comfortable workspace will always be available irrespective of how they’re accessing resources. Yet also gained through the decoupling is the complete control of the workspace itself.

Built into your User Workspace Management solution should be an administrative toolkit that enables IT to identify and set configurations on common workspace elements. Using that toolkit, IT gains the power to identify which areas of the environment they want to

ation. control and which they want to leave for user personaliz


14

For example, using such a toolkit in a highly‐locked down environment, IT can configure desktop settings to a corporate standard. Screen savers, desktop backgrounds, timeouts, printers, and attached devices can be assigned a specific configuration that cannot be overridden by experimenting employees. At the same time, applications can be identified, delivered, and configured based on the users’ context. Users that require Microsoft Office can be granted access to it, enabling the automatic installation, streaming, or access via remote connection to the application. Users who do not have a need for Microsoft Office can be prevented access to use it through any or all delivery mechanisms.

Other environments don’t place a priority on strict controls to user workspaces. They might encourage users to customize their environment with desktop wallpapers or custom printer connections but lock down problematic screen savers. These environments also can identify application and data access based on username, group, time of day, or other factors.

Important to recognize here is the creation of a spectrum between IT and business control of the environment along with user personalization. Depending on the needs of your business, your security policies, and your level of needed control, that spectrum can shift in either direction through just a few clicks in the administrative interface.

User Workspace Management Changes Everything This first chapter has attempted to outline the framework that is User Workspace Management. Here, you began your look into how its powerful framework can dramatically change the ways you administer resource access to users. Continuing on this discussion are Chapters 2 and 3. Chapter 2 goes into detail about the combination of context and content, explaining in greater detail the kinds of content that can be deployed as well why and how user context impacts their availability. Chapter 3 continues the conversation by discussing the linkage between security and people as opposed to security and devices. Decoupling security from the perspective of the device enables a more cohesive application as people move around in their daily lives.

The last step is actually getting there. Chapter 4 concludes the discussion by focusing on the transformation process a business organization will use in moving from traditional profile management to real User Workspace Management.


15

Chapter 2: Personalization Equals Content + Context

I spent time today walking the hallways of a business not unlike your own. In its rows of cubicle walls, grey‐and‐blue color schemes, and ergonomic furniture, I found hundreds of different computers. Laptops, desktops, monitors both CRT and LCD, printers and peripherals, even a few mobile devices—room after room of equipment that enables this business to function.

And as I was walking through those hallways, the IT professional in me took over by default. My inner IT pro pondered the administrative work required to support each piece of equipment. Each requires an operating system (OS), patching, applications and updates, along with the occasional troubleshooting and technical support. Accomplishing each of these tasks requires smart thinking paired with software solutions.

That business was full of equipment that enables it to operate, but at the same time, the equipment itself requires special care and feeding. In the end, that’s our job in IT: managing the special care and feeding of all that equipment. Systems administration is what we think about when we get up in the morning, and it’s the last thing on our minds as we drift off to sleep. We live, eat, and breathe technology along with technology’s “equipment.”

And then I paused for a minute, and found myself pondering not the equipment but instead the people. For a moment I stopped thinking of those laptops and desktops with my IT professional’s eye. I stopped thinking of that equipment as equipment, and instead considered it as do the people who use it: To everyone else in the business, that equipment is merely an extension of their job role.

Suddenly, the culture of business outside the walls of IT became clear. We in IT are programmed to think of the equipment we manage as problems to be solved—devices to which we apply troubleshooting support. But to the rest of the business’ employees, that equipment is an extension of themselves. They use their desktops to communicate with customers and business partners, write memos, and draw up spreadsheets. They lug their laptop through airports to present at meetings and conferences. They think of printers not as devices in need of toner and IP addresses; rather, the printer enables them to convert soft copy documents to hard for sharing with others.


16

It was then that I realized the crucial component in this serendipity: With everyone else in our business, it’s the personality that matters. Lacking personality, that computer becomes little more than a strange device they don’t understand. Lacking personality, users don’t know how to interact with their equipment or they fear even touching it. Without a personality, their computers become objects for your IT group to deal with and cease being personal.

The Misalignment Between IT and Users There’s a misalignment between IT and users in many companies. In these businesses, the IT organization sees itself as a technology‐first group of people. Their mission is to ensure consistent and secure access to applications and data. When servers or desktops experience a problem, IT is the group called in to work the fix. IT’s success in these companies is usually measured by the number of work orders they close each month or how many days they can operate without a major outage.

This focus is critically important. Desktops and servers that go down absolutely impact the functionality of business, as do applications that break when they aren’t updated or patched appropriately. But it is exactly this equipment‐centric focus that brings its own set of problems.

Consider my frustration in Chapter 1’s first few pages. There, I explained the problems I experienced in upgrading just a single workstation from Windows Vista to Windows 7. Upgrading the OS was a simple process, taking only about 30 minutes and zero effort. But transferring over the user’s personal information—their desktop shortcuts, important files, browser bookmarks, and the like—consumed another three‐and‐a‐half hours.

That user’s personal files may have been of little importance to me; my task was merely to upgrade their desktop. And yet to the user, those personal files are worth substantially more than any new OS. If that user can’t find the shortcut to their accounting spreadsheet or their connection to the office printer, a new OS does them little good. And, in fact, the new OS might actually hinder their ability to do their job.

That’s why personality—and the preservation of personality, no matter how our users might connect—is so incredibly important. Users in a business must be able to accomplish their given job. And no matter how many newfangled access methods we create to connect users to applications and data, no solution is complete without considering the user’s workspace. Elevating this consideration from an afterthought to one of primary importance s the first step in eliminating the misalignment between IT and users. i


17

Defining Personalization This realization is perfectly positioned for this guide’s discussion on User Workspace Management. Personalization and the preservation of personalization across access methods effectively represent a central tenet of User Workspace Management. The practices and software solutions that fulfill User Workspace Management are primarily laid into place to ensure that personality is seamlessly delivered no matter how that user might connect. Chapter 1 discussed some of the mechanics of how this might work, with a further discussion to occur later in this chapter.

Where Chapter 1 left off was in the explanation of personalization itself. Put simply, personalization is about getting the right content to the right people in the right circumstances. This definition is exceptionally precise in the way it describes such a system. To help you better understand, let’s deconstruct each of its salient points in the following sections.

The Right Content Digging under the covers of the Windows OS, you’ll find thousands (if not more) of different configurations that aggregate to create a personalized desktop. These thousands of configurations, as shown in Figure 2.1, represent printers, desktop, bookmarks, network configurations, personal files and folders, and even application settings. All of these individual personality configurations represent the content that a user expects to be present on their computer when they log in.

Figure 2.1: There are many configurations that combine to create personalit

The “personal” in this content’s personalization stems from the fact that each of these settings tends to be uniquely created by each individual user. As such, each user will realize

eir workspace over time.

y.

a different set of settings as they organically construct th


18

Think for a minute about the different workspaces you might see today in your own computing environment. As you walk through the hallways of your business, you might see one user with a solid red background. Another might display a picture of that user’s children. Look at the composition of any two desktops and you’ll see a different set of icons, a few of which are positioned there by IT but most which have been created by the individual user.

Those substantial differences between each user’s workspace are what make the computer comfortable to work with. For example, every time that John uses the link on his desktop to find his spreadsheet, he grows just a bit more comfortable with doing his job. Every time that Jane double‐clicks Microsoft Outlook, she knows that it is already populated with the correct configuration and will quickly bring forth her email.

Yet those substantial differences also pose a problem to the unprepared IT organization. The collection of individual user settings can be spread across many locations on that computer. They’re stored in files, within the registry, even within Active Directory (AD) itself. This spread of configurations across multiple applications and data structures makes capturing the data challenging. Essentially, without a very smart system, you’ll never be able to decouple the environment in the ways that Chapter 1’s promising mobility requires.

You Could Script This, But… You might be thinking to yourself at this point, “The number of places where users store their data isn’t all that large. I could create a script to accomplish this data gathering.” Absolutely, you could, but would you want to? There are long‐term risks in custom script creation not considered by many IT professionals as they choose to build solutions themselves. First, although collecting this data may be easy, the repositioning of it onto replacement equipment is much more difficult. Managing and maintaining custom scripts over time can itself be a full‐time job. Changes to OSs and applications require extra effort. All of these combine to create a situation where a well‐meaning script creator finds themselves in support of a fully‐fledged application. Further, as you’ll discover in a minute, there is more to personality management than simple migration from one access point to another. A true User Workspace Management solution will also include administrative toolsets that enable IT control over portions of personality, while others are left to users. Accomplishing that requires far more than any simple script.

That’s why User Workspace Management solutions become such useful tools for the aligned IT organization. These solutions have been built with the logic to seek out and capture each user’s personal information from across the many locations where it can be stored. Different than a “profile,” where presence or absence of user data is an all‐or‐nothing thing, User Workspace Management solutions granularly capture and deliver the right content to wherever it is needed.


19

The Right People And yet “the right content” is only the first step, because a fully‐unmanaged environment presents its own set of problems. Think about what can happen when your users’ content is left completely to their own decisions. Such a practice unnecessarily exposes the environment to risk.

This chapter has talked about the need for user workspace preservation no matter what the access point. But what if those configurations are inappropriate or even dangerous to the business computing infrastructure? What if some outside force, such as malware or an ill‐informed user, has configured their computer in a way that hurts themselves and the business rather than helping it?

It is because of these problematic situations that most IT environments choose to proactively manage personality in some way. When IT can prevent certain applications from installing, they at the same time protect themselves against licensing violations and the introduction of bad code. When IT creates a baseline for application settings or customizes application settings for each individual user, they at the same time enforce corporate policies for the protection of the environment. Each of these proactive management elements are laid into place to ensure that the right people are interacting with the right content.

The problem with traditional approaches to proactive management stems from the nature of policies themselves. Due to limitations in how policies can be applied and enforced, many IT organizations that want to control certain elements of personality ultimately find themselves forced to control all elements of personality. In order to ensure that desktops have the right software, IT must itself do all the installing. In order to protect desktops from bad personality configurations, IT must enforce settings that cannot be overwritten. Although the net result is a more‐secured environment, it is at the same time a moresterile environment, devoid of all the elements that make the computer personal and comfortable.

Delivering the right content to the right people requires a solution that splits the control of personality elements. On one side are the individual users and their settings. On the other sits the IT organization and the business, each with its own charter and set of policies to be enforced. An effective User Workspace Management solution should, like what is shown in Figure 2.2, enable the configuration of a desktop and its applications to be divided in some way between these two groups.


20

Figure 2.2: Today’s computing environments require a split of control between those that are customizable by the user and others that are defined by IT and business

policies.

Consider how this separation of responsibility might improve your environment:

• Users can be given the ability to adjust their desktop settings but are prevented from modifying security settings.

• Users can be given the ability to adjust configurations for Microsoft Word and Office, while those for Microsoft Outlook are defined by IT.

• Users can be given the ability to install applications but only those that have been prepackaged and made available by the IT organization.

• Different users can be assigned different application configurations based on a combination of who they are along with established IT policy.

Building an environment like these enables IT to maintain the necessary lockdowns that prevent data disclosure, theft, or loss. At the same time, users are also given the ability to personalize their desktops as they see fit.

The Right Circumstances Completing this chapter’s definition of personality is the recognition that certain content also only makes sense within the right context. Like a joke at a funeral or a comic strip on the front page of the paper, sometimes content doesn’t make sense or is inappropriate based on the circumstances of its consumer.

This idea of “circumstances” is based on the recognition that personalization is really the intersection of content plus context (see Figure 2.3). As discussed in the previous section, that context can be based on the individual.


21

SecurityContext

Content

UserWorkspace

Management

Personalization is Delivering

Context-appropriate Content

Figure 2.3: Personalization is the intersection of content and context.

For example, Bob the Accountant should get a set of configurations simply because he is Bob and because he is also an accountant. Who Bob is determines some level of how his workspace is managed. But “who Bob is” only defines one of the two important things about Bob’s connection to the office network today. The other part can be simply described as “where Bob is.” Think for a minute about how this second factor could be addressed. You’ll find that there are a number of elements that could describe where Bob is.

Bob’s Location If Bob is connecting to the environment from within the environment, it can be reasonably assumed that he is using a protected connection. Thus, by connecting from his desktop computer, IT can enable the highest level of access to applications and data. Conversely, if Bob connects via Remote Desktop Services or Citrix XenApp from his home computer, that location is fully‐unprotected. IT should be able to restrict the applications and data to which Bob has access.

Yet these two situations represent only the two opposites of locations where Bob could connect. What if he’s connecting via a conference room or a kiosk computer in the lunchroom? Should these partially‐protected locations get special restrictions as well? A well‐designed User Workspace Management solution will be able to granularly define which settings Bob should get based on the location from which Bob connects.

Bob’s Device Making decisions based strictly on Bob’s location only partially defines his context. For example, how should IT configure Bob’s experience when he logs in from his company‐supplied laptop but via his home network connection? Should the content that is delivered to Bob’s connection be different than if his connection is from his uncontrolled home computer?


22

How do any of these decisions change when Bob’s device is not a physical device but a logical one? If Bob is connecting via Remote Desktop Services or Citrix XenApp, should he get a different level of resource access than if he uses a VPN client? Further, should Bob’s hosted virtual desktop via Citrix XenDesktop or VMware View get a completely different configuration than any of the previously mentioned scenarios?

Other classes of devices have even more special requirements. Consider today’s proliferation of enterprise‐worthy mobile devices. With these, should Bob’s configuration be adjusted further to support the capabilities of these devices? As these devices are more likely to be lost or stolen, should Bob be given more limited access to data? Can Bob’s connection be reconfigured such that the device retains no data whatsoever? For all of these questions, likely the answer is “yes.”

When Bob Connects Each of these are questions that must be answered to fully construct Bob’s context. Yet a third element might need to be included in the calculation as well: When is Bob connecting? Here, should Bob’s connection be adjusted for the times of day when Bob really shouldn’t be attaching to work. Should applications that need special administrative access be restricted from Bob during the evening hours?

A User Workspace Management solution that provides time‐of‐day manipulations can also be a handy solution for IT. Such a solution can enable IT to perform maintenance on portions of the IT environment, all the while seamlessly repositioning incoming user connections to alternative hardware, connection mediums, or servers. The net result is a reduced sense of downtime, with downed services being seamlessly fulfilled through surviving alternatives.

In any of these situations, the “when” that is associated with Bob’s connection can have a dramatic difference on the resources he is given. To be fully functional for these requirements, your chosen User Workspace Management solution should include the support for time‐based configuration decisions.

Summing it Up When you start summing up all of the above intersections, getting the right content to the right people in the right circumstances delivers some very interesting advantages to the IT environment. Consider a few of the following situations that result from the deployment of an effective User Workspace Management solution:

• Jane is allowed to manage her wireless settings while out of the office, and those same settings are defined while she’s within the LAN. Her settings can be automatically configured to the proper settings for her local wireless LAN, no matter which building she’s in.

• The configuration of Brian’s hosted virtual desktop can be locked down much tighter than his primary desktop. With many virtual desktops sharing the same physical host, this extra lockdown ensures that IT gets greater virtual machine consolidation.


23

• Eloise’s laptop needs to interact with her business’ Exchange server both when she’s in the office and on the road. That configuration can be automatically and seamlessly adjusted as her network connection changes to ensure she’s always in contact with her email.

• Dan is promoted from Call Center Phone Operator to Call Center Manager, an activity that happens often with the high turnover rate of employees. He is immediately granted access to the set of restricted Manager applications simply by adding him to a new group.

The Power of Pervasive We’re not done yet. All of this capacity for managed and semi‐managed personalization only works when it can be applied everywhere. It is for this reason that you will often see the buzzword pervasive personalization tagged to User Workstation Management solutions. Although you might scoff at the buzzwords as simple marketing material, in actuality, this term well describes the tactics that smart solutions in this space are using today.

The “pervasive” in pervasive personality describes the fact that a well‐designed User Workspace Management solution must be able to deliver personality everywhere. No matter if you’re using traditional desktops, server‐based computing, hosted virtual desktops, or any combination thereof, such a solution must seamlessly flow the user’s workspace across each technology.

This statement means that a User Workspace Management solution has a big role to fill. Think for a minute about the different mechanisms IT has at its disposal to connect users with their applications and data. For example, consider Figure 2.4—these workspace delivery systems can run atop many different software platforms.

Figure 2.4: An effective User Workspace Management solution can sit in front of any

workspace delivery system.


24

Server‐Based Computing and Remote Desktop Services Server‐based computing and Remote Desktop Services use session‐based architectures to enable multiple users to share resources on the same server. Microsoft’s Terminal Services and Remote Desktop Services, as well as Citrix’s XenApp, are three of the primary examples in use today. These technologies can deliver either a single application or a full desktop to connecting users. Here, a user’s workspace can be delivered to the session as it is created when the user logs in.

Local Application Installation In combination with an automated application installation solution, prepackaged applications can be made available for automatic installation by users when needed. Users based on their role and requirements can be assigned applications—along with their associated customizations—which follow them across the desktops they use.

Application Virtualization Superior to local application installation is the ability to decouple and encapsulate applications from the OS entirely. This process is at a high level similar to the kind of decoupling and encapsulation that User Workspace Management accomplishes with user personality. Different here is that the applications themselves are just‐in‐time delivered to users as they are needed, negating the need for manual effort by IT.

Hosted Virtual Desktops Also referred to as VDI environments, hosted virtual desktops commonly link users to specific virtualized desktops that reside within the data center. By virtualizing the desktop, users can effectively access that desktop from anywhere, while IT gains greater control over its security and configuration. Here, user personality can be highly managed to ensure resources are not oversubscribed and virtual desktops interact appropriately with each other.

Pooled Virtual Desktops Similar to hosted virtual desktops, pooled virtual desktops instead connect users randomly to a pool of available and similarly‐configured desktops. Here is where user personality delivery can bring great value, with applications, customizations, and data just‐in‐time applied to a generic OS instance as the user logs in. Once the user is finished with their session, those settings can be returned to a database for later distribution.

Creating Pervasive Personalization Every business today leverages at least one of the above six infrastructures. Even the most nascent of businesses tends to start with traditional desktops that are configured through local software installation. Those with greater levels of IT maturity find themselves eventually adding other technologies to extend application and data access or to improve the delivery of services. Evolving through server‐based computing, virtual desktops, and application virtualization architectures, businesses today often find themselves supporting many access points all at once.


25

Consider how these access points create complexities in some areas while they reduce complexity in others. For example, perhaps a business has determined that it needs to enable access to a set of applications over the Internet. Some of those applications function well atop Microsoft’s Remote Desktop Services. Other applications, for reasons of performance or incompatibility, don’t work well within this technology’s session‐based architecture. For the company’s second set of applications, a deployment to pooled virtual desktops is necessary to get around the incompatibilities.

Environments like this with multiple access points are common. The workflow of a business creates the need for application and data access through multiple technology architectures. The problem, however, in being successful with this everything‐for‐everyone mindset has been in synchronizing the requisite personality information.

The solution for this problem occurs when a User Workspace Management solution is laid in front of each technology architecture. Figure 2.5 shows the use case for this architecture in relation to this section’s example. Here, the user needs to access Application A atop Remote Desktop Services technology. That same user needs to simultaneously access Application B atop a pooled virtual desktop. Lacking a User Workspace Management solution, that user would be forced to re‐create their workspace with each new access point. Conversely, with a centralized User Workspace Management solution in place, personality information is seamlessly synchronized between the two connections.

Figure 2.5: Deploying User Workspace Management in front of delivery architectures

solves the personality synchronization problem.

The mechanisms that enable this synchronization are illustrated in Figure 2.6. In this image, a user has the option of selecting any of the available technology architectures available to them: laptop, desktop, virtual desktop, Remote Desktop Services session, and so on. Each of these potential targets for the user’s attention is preinstalled with a software agent for the User Workspace Management solution.


26

Figure 2.6: Centralizing user personality data into a database enables its delivery to

any technology.

That agent communicates with a centralized database where user configurations are stored. The configurations are comprised of those that are created by each individual user (their “personality” data) along with other policy‐driven configurations that have been defined by IT and business policies. The management workstation at the top represents the

mechanism by which administrators can enact change to configurations.

Because configurations are regularly replicated between individual devices and the centralized database, any changes can be swiftly distributed to other devices as they are identified by the User Workspace Management solution. Effectively, when a user makes a change within one technology architecture, it can be assumed to be available within the others within a reasonable amount of time. The same holds true for administrators, who can modify their policy‐driven configurations and assume that they will be quickly applied across all technology architectures.


27

Incorporating Run Books into Personalization It should be obvious at this point that there are innumerable ways in which user workspaces can be controlled. With an effective User Workspace Management solution in place, the biggest limitation lies only within the administrator’s imagination.

The challenge is in actually converting a desired state or configuration into a set of code that is actionable within target technology infrastructures. Recognizing that you want a policy and actually creating that policy can be difficult without the right set of tools.

It is because of these hurdles that many User Workspace Management solutions include Run Book Automation features. These features enable the creation of “building blocks” of configurations, which can be logically linked to create a policy. Figure 2.7 shows how five building blocks are linked into a run book. That run book, along with its configurations, is ultimately deployed to a set of target computers through the User Workspace Management solution.

Figure 2.7: Run Book Automation uses building blocks to enact change to user

workspaces.

Run books and Run Book Automation are particularly handy in environments where extreme levels of configuration experience, such as advanced scripting techniques, have not yet developed. To aid these environments, Run Book Automation solutions often include preconfigured building blocks that can be easily linked to create a needed configuration. Because the building block itself is the logical item of interaction, it abstracts the underlying code. The result is that virtually any configuration can be created without needing to understand the details of the code beneath. When considering a User Workspace Management solution, take a look through its building blocks to verify that they nclude the configurations you need for your own environment. i


28

User Workspace Management Facilitates Workplace Satisfaction In the end, the goal of any User Workspace Management solution is the assurance of user satisfaction. Keeping your fellow employees happy is a primary responsibility of any support organization like Information Technology. By implementing a User Workspace Management solution, you ensure that your users will retain the same comfortable experience across a range of technology infrastructures. At the same time, your IT organization gains the ability to modify or expand the environment without fear of interrupting your users’ daily tasks.

You’ll notice back in Figure 2.3 that a complete discussion on User Workspace Management requires the intersection of not two but three different elements. This chapter has introduced the first two in its discussion on content and context; also needed is a conversation on the security implications. Chapter 3 of this guide will discuss the benefits of tying security to people as opposed to devices by using a User Workspace Management solution.


29

Chapter 3: Tying Security to People, Not Devices

I’m a genuinely optimistic kind of person. I believe in the intrinsic human desire to ultimately do what’s right, notwithstanding the circumstances. Although that innate positivity works great for some parts of my IT professional’s career, it probably doesn’t make me the best IT security person.

Why? Because it takes a certain type of person to be really good at IT security. Those individuals, by virtue of their job’s charter, are forced to approach every situation with a critical eye. They seek out weak points in IT architectures, looking for places where bad people can do bad things. Their role is to protect company assets by setting policies, permissions, lockdowns, and security measures.

Yet although the role of the security administrator won’t soon be going away, there’s an argument that new approaches to security are quickly becoming necessary. Consider once again today’s evolving business climate as outlined in Chapter 1. There, I explained how the traditional one‐computer‐per‐person approach no longer makes sense for IT. Today’s users find themselves launching applications on their desktops as well as via remote application infrastructures. They connect from home as well as on the road. They leverage certificate‐based logins in addition to passwords, but not at every login. In short, today’s user behaviors are unpredictable.

Complicating this situation further is the recognition that today’s user employs multiple mechanisms to access applications and data, often at the same time. One user might log in to their local desktop and connect to a remote application, only to find themselves an hour later also using a conference room computer. Another might login twice from home, using at the same time their home computer and their company‐supplied laptop.

Yesterday’s IT security professional might shudder at these scenarios. When users have the ability to connect from anywhere and use any resource, this immediately complicates the application of security. In an everything‐for‐everyone environment, comprehensively applying security at every location is a challenging task, requiring meticulous effort to catch every potential endpoint.

Yet the problem with this approach is in its focus. Today’s unpredictable user needn’t necessarily complicate the application of security configurations. In fact, with the right technology in place, the idea of where security is applied grows less important. Replacing it is a new focus on how that security is applied. With User Workspace Management, that how ies security to dynamic people and not devices. t


30

Comfortable Security Getting to the how also solves another conundrum first introduced in Chapter 2. That conundrum deals with the traditional approach to management, including security management, and how IT must be aligned with the needs of its business and users to be fully successful. To quote:

The problem with traditional approaches to proactive management stems from the nature of policies themselves. Due to limitations in how policies can be applied and enforced, many IT organizations who want to control certain elements of personality ultimately find themselves forced to control all elements of personality. In order to ensure that desktops have the right software, IT must itself do all the installing. In order to protect desktops from bad personality configurations, IT must enforce settings that cannot be overwritten.

Although the net result is a more‐secure environment, it is at the same time a moresterile environment, devoid of all the elements that make the computer personal and comfortable.

Yesterday’s IT security professional might scoff at the last three words in the previous sentence: Personal and comfortable? Why should IT care about what is personal and comfortable? We’re here to assure the secure access to applications and data. It’s up to the user to find their needed comfort. However, it is exactly that comfortable personality that is fundamentally important to a business’ users.

As a result, today’s approaches to both managing and applying security require an additional look at how users go about accomplishing their tasks. One mechanism to accomplish this goal is by shifting the application of security from the individual device to a focus on the actual user. Your User Workspace Management solution can go far in enabling this shift.

Centralizing Security with Personality This guide has already talked about the logical encapsulation of the user workspace that occurs through a User Workspace Management solution. By separating the user workspace layer from the others on every computer—applications, operating system (OS), and hardware—the user workspace becomes fully mobile. And by enabling mobility, it becomes possible to compose a unified workspace for each user atop any application and desktop delivery solution.

Now, here’s where things start to get interesting: What also becomes possible is the management of security configurations within the workspace. Since the workspace is pervasive, composed dynamically at each login, you gain the ability to assign security configurations to the user no matter where or how they might connect. Indeed a lofty

gies that are available today. statement, but one that can be realized through technolo


31

Let’s think of this in another way: By creating this unified and pervasive workspace across delivery mechanisms, you gain the ability to tie security to the tailor‐made workspace rather than the devices they use. This is the case because every user must interact with their user workspace, no matter which mechanisms they use to connect.

Figure 3.1 shows a representation of how the workspace is the absolute entry point for users. Because it is pervasive across all access mechanisms, the security context can elevate beyond the individual device itself and refocus instead onto the user’s workspace. Whether a user connects into a remote application, a local desktop, or via some other future mechanism, the workspace for that user is guaranteed to be composed at the time of login.

Figure 3.1: Using User Workspace Management, security can be tied to users because users must interact through their workspace. This can be through multiple, or even

multiple and simultaneous, interfaces.

It further means that security can be configured once to a centralized location (in this example, the User Workspace Management solution’s database) with the assurance of its later distribution to every delivery mechanism.

Note Chapter 4 will go into the mechanics of workspace composition in greater detail.


32

Personalization Is Security: An Example Understanding this new security context is easiest through a simplistic example. You might not necessarily use this example in your environment today, but it shows the power of targeting security to the workspace. Consider the situation where you require a particular folder to be present on each desktop. That folder might contain company data or it might be a pointer to data that is elsewhere. Important to recognize for this example is that the folder must be present and that certain permissions must be set on the folder.

Using the traditional approach, you might ensure the folder’s presence through a login script or a Group Policy. Either of these two solutions can indeed create the needed folder on each user’s desktop. In fact, creating that folder is a relatively trivial task using either of these solutions. The task of creating that folder is one thing; actually managing it over time and across the many different logins and logouts of that user—some sequential, some concurrent—becomes quite a bit more painful.

The problem lies in the device‐centric approaches used by login scripts and policies. The folder in this example can indeed be created using either of these solutions. Once created, however, that folder remains resident in the user’s profile. Along with the profile, it then follows the user around among their connections, potentially causing synchronization problems during concurrent logins or leaving artifacts as the profile ages. If, sometime in the future, you need to remove or edit that folder, you’ll find a significant lack of easy solutions to do so.

Contrast this limitation to what occurs during the workspace composition process in a User Workspace Management solution. In such a solution, the workspace is dynamically composed at each and every login. Its composition is based on the granular characteristics that are defined within the solution’s administrative console in combination with user customizations. There are no worries about artifacts or synchronization problems because the workspace is constructed anew with each and every login.

Using a User Workspace Management solution, both the folder as well as its security privileges can be assured at each and every login—concurrent or sequential—because of this at‐every‐login composition.

Adding Security to Content and Context As a result of all this, security can be delivered on‐demand in the same way as the previous chapter’s personalization settings. In fact, security itself comprises one of the three parts that make up the whole concept of User Workspace Management. Chapter 2 of this guide

introduced the three‐part color wheel that encompasses these three parts.

Focusing there on the overlap of Content and Context, the previous chapter discussed how content could be delivered to users based on their context. Essentially, the same user can be assigned different content based on who they are or where they are. Although Content and Context are both essential parts of the user’s workspace, Chapter 2’s discussion fully omitted the third component of workspace security (see Figure 3.2).


33

Context

Content

UserWorkspace

Management

Figure 3.2: User Workspace Management’s three components, of which only two

were discussed in the previous chapter.

Adding the security component to this discussion, you can see how two new overlaps are immediately created. The first is the overlap of content and security, with the second being the overlap of context and security. Each of these overlaps creates a new area in which User Workspace Management defines and manages the environment.

Content Security The easier of these two overlaps to initially understand relates to the protection of applications and data. This concept is easy because protecting these parts of the environment are tasks that IT security professionals have done since the very first computers.

As you can see in Figure 3.3, Content Security has its focus in exactly that protection of applications and data. Different here, however, is in how those applications and data elements are protected. Traditional IT security solutions, even those based on user profiles, tend to accomplish this by applying security controls at the level of the individual device.


34

SecurityContext

Content

UserWorkspace

Management

Content Security protects applications and data.

Figure 3.3: Protecting applications and data is the theme behind the overlap in

content with security.

However, applying content control through the user workspace layer enables administrators to apply security configurations without needing to care about the device at all. Applications, removable disks, files and folders, network settings, and even session settings are possible elements that can be controlled within the user’s workspace.

Security of Applications Users need applications in order to accomplish their tasks. But at the same time, the principle of least privilege suggests that users should have only those applications that are specifically required. As with data, applications that are not required should be restricted from use.

One challenge in fulfilling this requirement has to do with the limitations of today’s application deployment and management solutions. Today’s application deployment mechanisms might be able to install applications, but generally only to a set of computers. This set of computers might have been created in the deployment tool’s management console based on who generally uses which computer; however, at the end of the day, the ultimate installation collection is created as a list of computers.

Today’s best‐in‐class User Workspace Management solutions get around this problem through the granular assignment of application security based on workspace context. Not long ago, this was made possible by pre‐installing a set of known applications onto each endpoint. Although each application might be installed everywhere, the permissions to use

ough the user workspace layer. that application could be granularly assigned to users thr


35

This early solution ensured that the right users were always granted access to their needed applications, no matter where they connect. However, as you can probably imagine, the infrastructure requirements to support every application on every device were somewhat non‐optimized. Maintaining application installations everywhere often grew to be a challenging task.

A more modern approach integrates the permissions‐assignment capabilities of the user workspace layer with the distribution power of application virtualization. In such an infrastructure, the User Workspace Management solution contains and manages the permissions across any and all access points. It then integrates with the application virtualization solution to distribute needed applications to endpoints as needed by the currently logged‐in user.

Virtualized applications leave no footprint on the endpoint and can be removed by deleting a set of files, so the reverse can also be true. As the user logs off, their applications are removed from the endpoint, refreshing it in preparation for the next user.

Installing applications is only one component of this category. Once installed, every application has its own set of configurations that IT likely wants to bring under centralized control. Examples of these might be as simple as an Outlook signature file or as complex as a custom application with database configurations. As before, scripting or Group Policies can accomplish this task; however, both of these tools operate with their aforementioned limitations to ongoing management. Further, when applications are provisioned through a User Workspace Management solution, the framework exists in that solution to automatically apply custom configurations as the application is provisioned. As a result, environments that leverage User Workspace Management gain the ability to provision applications and ensure their correct configuration, all within a single solution.

Security of Removable Disks Removable disks have grown in popularity in recent years. Today, hundreds of models are available that support different capabilities and ever‐growing storage sizes. At the same time, removable disks are shrinking in size. Although this makes them exceptionally handy for data transfer, it also makes them a risk for highly‐secure environments.

Think for a minute about the last USB hard drive you worked with. In a 2.5” form factor, it is now possible to store upwards of an entire terabyte of information. Drive capacities are only growing, with drives the size of your thumb now supporting multiple gigabytes.

One of today’s biggest security concerns relates to the ability to quietly plug one of these devices into your network and steal critical business data. Yet another security concern relates to removable disks that have been encoded to perform an action as they’re inserted. We’ve all seen the television shows where the bad guys divert someone’s attention, only to

an attack on the local LAN. surreptitiously plug in a removable device that launches


36

The primary issue with these devices relates to the fact that they are at the same time convenient and problematic. Some users have a legitimate need to plug in removable disks for tasks associated with their job roles. Others have no such business need. Unfortunately, as with other all‐or‐nothing approaches, the option with native solutions is usually limited to either preventing access by everyone or allowing access to everyone. Greater levels of granularity are either impossible or very difficult to manage.

As with applications, a User Workspace Management solution enables removable drive access to be defined by users, instead of by devices. Using such a solution, users who are permitted to use removable devices will be able to do so no matter where they login.

Security of Files and Folders The earlier section’s “folder‐on‐the‐desktop” example does a good job of explaining how file and folder security can be dramatically enhanced through a User Workspace Management solution. Also possible with this example is the ability to deposit necessary shortcuts to files and folders, or other resources on the user’s desktop, Start Menu, or other locations.

Yet another useful application of User Workspace Management for files and folders has to do with certain remote application infrastructures. These solutions provide an easy ability to offload application processing back to servers in the data center. However, although their offloading and remoting capabilities are usually well designed, a regularly‐occurring problem has to do with provisioning the connections for users to actually navigate to their needed remote applications.

Consider the situation where you have a custom application, ABC App, which is hosted atop Microsoft’s Remote Desktop Services or Citrix XenApp. This application provides services that are needed by a limited set of users in your business. Due to limited authentication within the application itself, users who should not have access must not be able to launch the remote application.

Using a User Workspace Management solution, it becomes possible to distribute the individual connection files that relate to this remote application. Rather than storing these files on a file server where they may be difficult to find or available to inappropriate personnel, such a solution can provision the remote application’s connection file into the user’s workspace.

Once the application is a part of the composed user workspace, administrators for the application can be assured that its users will always be able to access the application. No matter whether they’re connecting via desktops or even through an external interface, their connection to ABC App is always available. Conversely, those users who should not have access will not have the capacity to locate or use the connection because it is not vailable in their workspace. a


37

Security of the Network It has been said before in this guide that an effective User Workspace Management solution can customize the workspace based on the context of the user. That user’s context can be related to the delivery mechanism they’re using—such as a Remote Desktop Services session versus a traditional desktop. It can also be related to the location from which a user attempts to connect. Users often have access to your network through many different IP address ranges; for example, one range for traditional VPN access, another for internal resources, and even another for users in an extranet.

Your User Workspace Management solution should provide the ability to customize or lock down the workspace based on a user’s network point of entry. This context‐sensitive network security provides a way to lock down resources when users enter the network through untrusted connections, such as limiting access to sensitive data through outside connections. Its knowledge of the user’s entry network further enables administrators to tailor the workspace for added protection, such as adjusting host‐based firewalls based on the user’s context.

Context Security The third and final overlap in this three‐part color wheel deals with the combination of Context and Security. This guide has many times discussed how users in a User Workspace Management solution can login from anywhere and get the same environment. It has also talked about the security concerns related to the everything‐for‐everyone configuration.

Most IT organizations build multiple access infrastructures for their users; however, most of those organizations also want to limit inbound users of those infrastructures to only those users who specifically have need for them. Consider the “work from home” scenario that has been discussed a few times to this point. Although some organizations might create such an environment for all of their employees, others might desire to limit work‐from‐home capabilities to only a limited set of employees.

Context Security (see Figure 3.5) concerns itself with fulfilling the desire to lock down these access infrastructures to predefined individuals. As Figure 3.5 shows, Context Security enables the filtering of available delivery mechanisms based on administrator‐defined parameters. Those filters can be based on the user’s location or the device they’re using to connect.


38

Figure 3.5: Context Security enables administrators to identify which users get which

resources based on the user’s context.

Location Security It should be obvious to the security‐minded IT professional that delivery mechanisms that are enabled for Internet access can be used anywhere the Internet is available. This empowers users to access and complete their work from anywhere. It also introduces the risk of exposure for data or even litigation when data is accessed in inappropriate geographic areas.

Consider the situation where a business is working on data that is appropriate for its geographic area. That data might be financial data or even governmental data that must not pass outside the boundaries of the country. Location security in User Workspace Management enables the workspace to be granularly provisioned only to those areas that are appropriate for the data.

Device Security Individual devices themselves can also be a point of security concern. For example, a user’s corporate‐provided laptop is usually a managed item, containing the necessary protection measures (anti‐malware, anti‐hacking, firewalls, and so on) that make it an acceptable access point. In contrast, a user’s desktop at home has no such protections. That desktop might be installed with anti‐malware tools, or it might have been infected with keylogging

malware that can capture data from every connection.


39

Environments that want to provide Internet‐based access to their users might also want to control that access to managed assets only, such as the corporate‐sponsored laptop. Corporate‐managed assets can be further controlled by integrating User Workspace Management with a Network Access Protection (NAP) solution. This integration provides a way to restrict access to only those resources that are properly secured, such as having the right updates, correct firewall settings, up‐to‐date anti‐malware signatures, and other key security configurations. With User Workspace Management’s device security capabilities, the user workspace can be granularly provisioned only to those assets which IT and security consider to be appropriate.

Integrating Security with the Delivery Infrastructure The final step in this process is the integration of workspace security with the rest of the delivery infrastructure. Remember that personalization and security configurations within a User Workspace Management solution tend to enable control for the user workspace layer alone, typically leaving each of the layers below to their own solutions for management and security.

It is for this reason that this chapter’s title is, in a way, slightly misleading. Depending on the delivery infrastructure, there are some elements of security that still require a device‐specific approach. One example of these elements is the need for regular patching of the core OS. This need fairly obviously is not a configuration that would be applied at the user workspace layer—most users don’t have the permissions necessary to apply patches and reboot the computer (not to mention such a task is probably something that administrators wouldn’t want).

Properly integrating user workspace security with the rest of the delivery infrastructure requires a holistic approach with other solutions. Those solutions might handle elements such as OS and application patching. They might handle firewalls and core application installations. They might even handle the application provisioning, as explained earlier. Your User Workspace Management solution should include the necessary built‐in integrations to enable it to work with your existing security and delivery solutions.

At the same time, incorporating a User Workspace Management solution into an existing infrastructure requires a re‐analysis of which solution should provide which services. By adding User Workspace Management into your environment, you might find that configuration control via solutions such as login scripts or Group Policy is no longer relevant. The same addition might eliminate some of the steps necessary for application nstallation or security configuration control. i


40

Pervasive Personalization Can Mean Pervasive Security You’ve likely continued reading this guide because the power of pervasive personalization is attractive. Enabling the decoupling of the user workspace from its underlying delivery mechanism also enables you to pull user customizations “out of the box.” Thinking globally about the workspace rather than locally brings significant administrative advantages, while making life easier for your users.

At the same time, as you’ve discovered in this chapter, creating this environment of pervasive personalization can mean one of pervasive security as well. Security settings that might have been challenging to manage using other solutions grow trivial as they migrate with users and their unpredictable behaviors. In the end, even the least‐typical security administrators can see how it improves both their job as well as the experience of their users.

To this point, all three of this guide’s chapters have touched on the mechanics of how User Workspace Management actually accomplishes this mission. This light touch on the bits‐and‐bytes of these solutions is purposeful, and arguably necessary. The paradigm that is User Workspace Management can be entirely new for many IT professionals, making it

s. important to understand where it benefits before the conversation on how it benefit

Chapter 4, the final in this guide, finishes with that detailed look at User Workspace Management’s technical underpinnings. It will also discuss the steps necessary to incorporate a potential solution into your environment today. You’ll find in its pages that although its concepts are indeed a shift in thinking, actually transforming to an environment of User Workspace Management can be easier—and involve less impact—than you think.


41

Chapter 4: Transforming to an Environment of User Workspace Management

I’ve been working with IT systems, both servers and workstations, since before the days we had management tools. Back in those days, the idea of automation centered around “getting enough technicians into the field to sweep the hallways.” I still shudder as I remember a few multi‐site, company‐wide configuration updates that didn’t change all that much but required dozens of people and massive coordination to get the job done. Good riddance to manual administration.

Also a part of my professional history is what seems to be a constant struggle with Windows profiles. Whether fixing local profiles gone wrong on individual desktops or managing thousands of remote ones for large‐scale remote application infrastructures, Windows profiles have tended to be that technology that keeps me in the office during evenings and weekends.

It is that pain, combined with the pain I see in the eyes of my users, that makes User Workspace Management solutions so attractive. Their ability to take the profile out of the user’s profile eliminates a massive administrative pain while improving the experience of every user.

The technological bits and bytes that actually accomplish that decoupling is a topic that’s been touched upon throughout this guide. You’ve already come to understand the workspace itself, and how that workspace can be made pervasive across the spectrum of delivery mechanisms. You should at this point also recognize how that workspace is composed from an integration of content, context, and security. Most importantly, you should appreciate how an environment of pervasive personality brings with it key security capabilities that improve your overall security posture.

But, as I mentioned in the conclusion of the previous chapter, the real technological detail of User Workspace Management is a topic that’s best left for this final chapter. Now that you understand the value and the positioning of this solution’s paradigm, your final questions should center around “How do I get this implemented in my environment?”

Answering that question is the primary topic of this final chapter. In it, you’ll learn the details of the workspace composition process, including all the components that are necessary to enable its functionality. You’ll also discover how the process of transforming to this new paradigm needn’t necessarily be a forklift process. Using a selection of tools that are available today, you can incrementally implement this technology with a low level of risk to your operations.


42

Delivering User Workspace Management Understanding the technology that enables User Workspace Management first requires a thorough understanding of the steps involved in workspace composition. This composition process is used by User Workspace Management software solutions in dynamically constructing the workspace at the moment the user needs it.

Important to recognize is that this composition process is fundamentally different than what you’re used to seeing with roaming user profiles. In fact, from this point on, forget everything you ever knew about roaming user profiles:

• Ignore the fact that they are file‐based constructs that are copied en masse from a storage location to the target device.

• Ignore that the logon process requires and waits for (most of) that file copy to complete before it hands control over to the user.

• Ignore the fact that the data in roaming user profiles must eventually be copied back to the central storage location if it is to be available for future logins. With roaming user profiles, this return of user data has traditionally been done only at logoff; although Windows 7 and Windows Server 2008 R2 now support a simplified background upload of some roaming profile data.

Instead, replace the profiles paradigm that you’ve been working with for over a decade with a new one that that focuses on dynamic composition.

In a composed environment, the user’s workspace isn’t reliant on a set of files and registry hives that must be first copied from a file share. Instead, a composed environment dynamically creates each and every user setting on the device and at the point of login.

To help envision this further, consider the average Windows desktop (see Figure 4.1). This Windows desktop isn’t part of a remote application infrastructure, nor is it virtualized. It is simply your basic, run‐of‐the‐mill desktop that a user works with to do their job.

Figure 4.1: An average Windows desktop, with usercontrolled settings (in green)

and ITcontrolled settings (in tan).


43

On this desktop are a number of configurations that the user has created in order to make them more productive. Those settings might be related to applications, such as email settings in Microsoft Outlook. They might be printers that are physically close to the user or have the features that the user specifically requires. They can even be personality settings such as a friendly desktop wallpaper or a series of icons on the desktop.

Some elements on this average Windows desktop might also be configured by IT. For example, IT probably handles the networking settings as well as the configuration for security software such as firewalls and anti‐malware. Other settings may require administrator access, which can only be modified by a member of the IT department.

All of these settings combine to create the user’s workspace. And, in an environment where that user never leaves the confines of that single machine, leaving those settings on that machine might be a completely functional solution for that user and their IT department.

Now, let’s extend this example with the assumption that the user will log in elsewhere, or that the IT department wants greater control over the content and delivery of the user’s workspace. At this point, the IT department has two options for delivering the user’s customizations to the user. Figure 4.2 shows a graphical representation of these two options.

Figure 4.2: Illustrating the differences between a roaming profile transfer and

desktop composition.


44

The transfer of a traditional roaming profile is used in Figure 4.2’s top graphic. There, you can see how the profile must be transferred from some kind of external storage location (typically a file share) to the machine during the point of login. In the bottom graphic is a very different scenario. There, a User Workspace Management solution is used to construct or compose each of the individual configurations directly on the machine at the point of login.

Accomplishing this composition requires a set of parts that work together to enable the composition. Shown graphically in Figure 4.3, let’s take a look at each in turn.

Figure 4.3: Extending Chapter 2’s image to include each component of the User

Workspace Management architecture.


45

The Workspace Composer Agent Most of the action in this environment happens within the client agent itself. This client agent operates as the workspace composer, creating the user’s environment as the user needs it. The workspace composer agent is primarily activated with the instantiation of the logon process. Installed directly to each computer instance where User Workspace Management is desired, the agent is responsible for a number of tasks.

The first job of the agent is to communicate with the User Workspace Management database to identify and cache the possible customizations that are relevant to the computer. This caching process downloads and stores the set of possible configurations, based on user information as well as user context information. The caching process is done prior to user logins to reduce the amount of time required to compose the environment and to ensure the workspace is available should the user disconnect from the network (more on this in a minute).

The client is called to action at the moment the user attempts to login. Its first job here is to identify who the user is as well as the context of the user, such as from where and via what mechanism is the user connecting. This context information is cross‐referenced with cached information to identify the desktop configurations that are appropriate for the user and their context. Specific configurations at this point may be allowed or denied based on updates to the user’s rights and permissions, or the context by which the user is attempting to connect.

Once the proper configuration is identified for the user—a process that takes very little time—the agent’s second job is to proceed with the composition of the workspace. This composition process configures and exposes each workspace item (those discussed in Chapter 2 are excellent examples) based on the identified characteristics. This process, as shown in the bottom image of Figure 4.2, happens entirely within the local computer and without the need for the large‐scale movement of files.

Control of the workspace is handed off to the user upon completing its composition. At that point, the user is able to work with the computer normally. In the background, however, the agent goes about its third responsibility. This final job for the agent is to watch for changes to the user’s context as well as user‐initiated changes to the content. This monitoring is exceptionally important for synchronization as well as security.

For example, if different settings are configured for different contexts, one job of the agent is to monitor and reconstruct a new workspace when that context change occurs. This dynamic reconstruction of the environment ensures that users cannot change their context without seeing a similar change to the workspace. It also assures the security configurations based on context by requiring a wholesale workspace reconstruction when that context changes.


46

While monitoring for context changes, that agent is also watching for content changes as well. As discussed in the earlier chapters, users want to be able to modify their desktops—perhaps adding a new icon or updating a setting—and rest assured that that change will be mirrored to their other workspaces. The final job of the agent is to monitor for those configuration changes and subsequently notify the database for update. At the same time, the agent is keeping in touch with the database in order to be notified and compensate when other workspaces have experienced changes.

The Centralized Database Enabling the mobility aspect of the user’s workspace is a centralized database. As explained in previous chapters, the User Workspace Management database operates as the central clearinghouse not only for capturing user content changes but also for storing the entire range of potential changes that could be made to the desktop. The database at the same time operates as a single point of control to which each agent maintains communication.

The fact that a database is used is fundamentally important to this architecture. Compare this database approach with the file‐based nature of traditional roaming profiles. Using traditional profiles, user customizations are stored within the profile itself. This distribution of settings means that each individual profile stores information about that profile only. Further, making policy‐based changes requires interfacing with each and every profile at the point of use. There can be substantial differences between any two profiles and their internal configurations, so the process of enforcing policies occurs as a reactive step with the profile loading process.

Using a centralized database, individual user information is consolidated with administrator and policy settings into a single storage location. There, the workspace settings for each user are dynamically composed at login, rather than occurring as an after‐effect. Further, the normalization of data that occurs within a database eliminates the duplication and widespread scattering of data that is normally seen within a profile.

What About Disconnected Environments? It should be obvious at this point that database access for agents can quickly become a problem in disconnected environments. In these environments, such as when a laptop leaves the LAN and roams outside the office, agents have no access to the database. It is for this reason that agents constantly synchronize and cache workspace characteristic data. Caching data on the local machine enables the agent to compose the user’s workspace with the best possible data, even when no access to the centralized database is possible.


47

The Workspace Designer This guide has discussed many times how another of the benefits of User Workspace Management is the granular administrative control over the environment. Using such a solution, administrators can lock down and otherwise control certain aspects of the workspace. Other aspects can be left for personalization by the individual user. Important to recognize here—and another important difference between this solution and traditional roaming profiles—is the ability for IT and administrators to scope which options are personalized and which are controlled.

For example, consider an environment that can be connected to via the Internet and has access to sensitive data. In that environment, IT and security administrators might want to control every aspect of the user workspace. In such a situation, a user will be delivered an extremely locked‐down environment with no capacity for personalization. Another environment may be the individual desktops that are contained within the business’ brick‐and‐mortar offices. That environment has a lower risk for exposure, and as such may have fewer areas that require control. In this second environment, IT and security administrators can control only a portion of the environment while leaving the rest open for personalization.

Important to recognize here is that both of these ideologically different environments can be administered from within the same User Workspace Management solution. Their data can be stored in the same database. Different only are the administrative controls that are assigned to the individual servers and desktops that IT has logically partitioned into each environment.

Note Even the idea of assigning a “high security” label to a set of servers or desktops is no longer necessary with User Workspace Management. An effective solution will allow a further degree of granularity for different users with different contexts on the same server. Thus, two different users or even the same user in two different contexts can be delivered completely different experiences.

Enabling all this to occur is the workspace designer tool. This administrative console is used by the administrator to identify each of the contexts of interest as well as the content and security configurations that will be controlled. The workspace designer becomes the location where administrators identify each of these elements for distribution to the database and ultimately the workspace composer agents at each endpoint.


48

Controlling Applications Through the Workspace This guide’s ongoing discussion of how User Workspace Management enables “granular control” and “eliminates the file‐based nature of traditional roaming” should at this point begin begging an important question. That question relates to the actual processes by which such a solution can actually manage your applications.

A central problem with the centralized management of applications has to do with how those applications store their information. Some applications store customizations within the registry, while others store their information within files that can be located anywhere on the local system. Even among those that store their information in the registry, there can be multiple places within that registry where the data is ultimately deposited (HKEY_LOCAL_MACHINE versus HKEY_CURRENT_USER as well as subkeys of both immediately come to mind).

The technical aspect of controlling those applications comes in managing each application’s customizations. This is done by overwriting the applications’ default customization information with another set that is appropriate for the user’s workspace. The process of locating and documenting where these customizations are made involves a bit of sleuthing

files. on the part of the administrator, seeking out potential areas in the registry and within

For example, Microsoft’s Notepad application can be equipped with a status bar that provides information about the current cursor position within the document. That status bar is not enabled by default; however, its information can be of use to a user who is searching through that document.

The configuration for enabling Notepad’s status bar is found within the registry, specifically in the key HKEY_CURRENT_USER\Software\Microsoft\Notepad\StatusBar. When the value for this key is set to 0, the bar is not present; when it is set to 1, the bar will be displayed the next time Notepad is run (see Figure 4.4).

Figure 4.4: Notepad’s registry location for defining the configuration of its status bar.


49

A User Workspace Management solution provides the enforcement mechanism for defining the application’s configuration. This mechanism is commonly manifested through the solution’s workspace designer console. In that console will be areas where the Notepad application can be defined, and with that definition will be the ability to insert custom configurations. Once defined within the designer, the application configuration is then available for distribution to agents and storage within the centralized database.

Such solutions, however, tend not to include the tools that assist the administrator with actually locating and identifying the correct registry key or file location where the configuration is held by the application. That process is best left for external tools that can watch for and alert on changes as configurations are made. When considering a User Workspace Management solution, you may also consider looking for additional tools that assist with your application customization needs.

Migrating to User Workspace Management Yet another benefit of the agent plus centralized database approach used by many User Workspace Management solutions is in how this architecture impacts the implementation process. Actually getting to that end state of full User Workspace Management needn’t

ce. necessarily require a full‐scale forklift of every server, desktop, and endpoint all at on

In fact, attempting to move an entire environment all at once is not considered a best practice with most solutions. By slowly and iteratively migrating your chosen solution into your environment, you can ensure that user information is not lost and that services remain intact throughout the project.

Five general process steps (see Figure 4.5) are commonly used with User Workspace Management solutions to fulfill the iterative approach. Those five steps involve the sampling of the environment, using information from that sampling to create an initial design, implementing that design to a limited area, incrementally adding points of control and tuning the design, and finally extending agent coverage to other parts of the network. Each of those steps is further explained in the sections that follow.

Figure 4.5: The five steps in migrating to a User Workspace Management solution.


50

Desktop Sampling Before you can create a well‐defined workspace, you first need to understand the movements and actions that are common to your user base. This part is fundamentally necessary to a smart design because it allows IT to use a data‐driven approach to environment control rather than making decisions in a vacuum.

One method for desktop sampling uses manual methods such as observation and user interviews. These tools enable the project team to identify where users are connecting into the environment, what tasks they are accomplishing, what resources they need, and how they go about completing the tasks associated with their job role.

Although observation and user interviews are indeed helpful for any implementation project, their manual methods tend to lead to gaps in coverage of control options. Users may be wary of increasing control and change their responses or observed behaviors in anticipation of the new technology. Other users may not see the efficacy in such a solution, and may provide misleading results.

An alternative approach may use automated sampling tools that are provided by the User Workspace Management software vendor. These tools keep a constant monitor on the environment while working in the background. Allowing these tools to monitor and report on behaviors provides a better sense of data over and above the manual steps previously discussed.

Note Some products include the sampling activity as a component of the workspace composer agent itself. This merging of responsibilities enables you to deploy only a single agent to accomplish both tasks.

Workspace Design Information gathered through the desktop sampling process will fill out the picture of user behaviors on your managed systems. It at the same time should highlight some of the areas of gap in your security policies and practices that can be fixed through the control of the workspace. Most importantly, the sampling process will provide your project team with the added situational awareness needed to better control workspaces throughout your environment’s many contexts. It will also serve as the data that can be used for quantifying what those contexts are as well as which you want to bring under control.

Leveraging the information gained through the first step, it becomes possible to begin creating an initial workspace design. This design will likely be based on a subset of user contexts in order to keep the project manageable during its initial phases. This initial workspace design will focus on identifying which areas are to be controlled by IT and

ble by the individual user. business policies as well as which will remain customiza


51

Note Important to note here is that any workspace design is an iterative process. You will find in your first run through the process that you’ve missed areas or that you’ve configured too much control into others. This right‐sizing should be expected and is an excellent reason why it is important to start small.

Initial Agent Installation Remember that the workhorse of any User Workspace Management solution is its workspace composer agent. A system that does not have this agent does not fall under the control of your User Workspace Management solution. Conversely, when agents are installed to computers, those computers can incrementally be brought under centralized control.

It is also important to recognize that this initial installation of agents needn’t necessary immediately begin the control of workspaces. Remember that the goal of this process is to at the same time control the workspace while retaining user customizations within that workspace. It is for this reason why the agents in an effective solution will have the additional job of identifying and synchronizing each user’s personalization data back to the central database as a first step in this process.

Environment Control and Tuning With the agent installation and initial data synchronization complete, control of the process returns back to the project team. The initial synchronization provides the foundation upon which administrative controls can be based. The project team can then elect to throw away certain customizations, overwriting them with those as defined by IT and business policy. The remaining customizations are left to the user for creating that comfortable workspace they will eventually use across all delivery mechanisms.

This tuning process may take an extended period of time, as the project team and the users in the sample group work back and forth to identify which areas can and should be controlled. At the same time, the project team should use the data in the first cycle to identify additional contexts that may have been missed in the initial design.

Extending Agent Coverage When ready, the final step in each iteration of this process is the extension of agent coverage to the rest of the environment. This final step serves as the rollout of the final product to the area under control. Depending on the needs of the business, that final rollout can occur by delivery mechanism or by class of user.


52

Environment Transformation: Two Real‐World Examples Finally, all this technical conversation leads us right back to the original position first discussed in Chapter 1. That position was outlined as the new systems management paradigm that can be enjoyed by environments that embrace User Workspace Management. At this point, you should see both the technical and business benefits that arrive with the logical encapsulation of the workspace and its decoupling from the rest of the system.

This recognition opens the door for substantially improving some steps in what are commonly considered very difficult IT projects. Because you are now able to protect the users’ workspace from changes to the underlying structures, you should feel a greater comfort with proactively enacting change:

• t users Making changes to applications, including upgrading versions, needn’t impac

• Wholesale migrations to new operating systems (OSs) can occur seamlessly

• Replacement of traditional hardware with different or even virtual hardware won’t impact the user

Two of those scenarios are worth taking a quick final look: the migration to virtual hosted desktops and the upgrade of Windows XP (or other OSs) to Windows 7.

Migration Scenario—Upgrades The first of these real‐world scenarios has to do with the desire to move off the Windows XP (or other OS) platform to Microsoft’s newest Windows 7 OS. At issue for many with this upgrade is the upgrade’s ratio of cost versus benefit. In effect, do the extra benefits of a new OS like Windows 7 outweigh the pains in actually migrating to it?

Using traditional systems management solutions, those pains can indeed be substantial. As discussed in Chapter 1, the process to actually migrate user settings off of a candidate system can consume substantially more time than the upgrade itself. In my own personal experience, the upgrade took 30 minutes to complete while the manual personality transfer process consumed three‐and‐a‐half hours. Attempting to accomplish such an upgrade through manual methods often doesn’t pass the cost versus benefits test for many organizations.

However, incorporating such an upgrade within the framework of a User Workspace Management solution can substantially reduce the cost side of this equation. Using such a solution, as shown in Figure 4.6, individual user data is virtually eliminated from consideration as a cost center. Once in place, users need only be instructed to log out of their sessions when they leave for the day. That logout process ensures the complete synchronization of their personal data with the centralized database. Under the covers and using traditional systems management tools, IT can then replace the existing Windows XP instance with a Windows 7 OS. Once complete, the user’s workspace is then reconfigured to fit within the new OS and ultimately delivered as the user returns for the day.


53

Figure 4.6: Upgrading from Windows XP to Windows 7 becomes a more trivial

exercise when paired with User Workspace Management.

Green Field Scenario—VDI The second solution is one that is growing in use throughout the IT industry. VDI or hosted virtual desktops are becoming more common in many industries due to their ability to relocate much of the processing (and, thus, security and administration) of desktops back to the data center.

However, in environments that lack User Workspace Management, actually getting users off their physical OSs and onto a virtual instance incurs the same pains as the OS upgrade discussed earlier. Moving a user from a physical instance to a virtual one incurs the same kinds of costs as a wholesale replacement of hardware.

Figure 4.7: A fullyrealized User Workspace Management solution also reduces many

of the costs and pain points for a VDI migration.


54

However, a fully‐realized User Workspace Management solution also assists with VDI upgrades. In the same way as the example earlier, a User Workspace Management solution enables the synchronization of user data to its centralized database, enabling IT to seamlessly replace physical hardware with virtual.

Improving Your Life. Improving the Lives of Your Users. In the end, a User Workspace Management solution has the potential to enhance many of the traditionally‐painful operations of IT. With it, difficult tasks such as OS upgrades, migrations, and wholesale paradigm changes like VDI become more‐trivial solutions to incorporate. The first step is in decoupling your users from their devices.

Hopefully, this guide has given you some impression about how solutions in the User Workspace Management ecosystem can assist your business. Solutions like these bring about true management of IT’s “last mile,” making life easier for the IT professional and roject manager while at the same time making life easier for its users. p

Download Additional Books from Realtime Nexus! Realtime Nexus—The Digital Library provides world‐class expert resources that IT professionals depend on to learn about the newest technologies. If you found this book to be informative, we encourage you to download more of our industry‐leading technology books and video guides at Realtime Nexus. Please visit ttp://nexus.realtimepublishers.comh .
