App Layering and Windows: With UEM, You Can Bring It On
*This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
At AppSense I often say, “let someone else deliver Windows and apps, we will take it from there and make them secure, optimized and personal.” That, in a nutshell, is what we do, and by focusing on that, we have become the number one player in user experience management (UEM).
Occasionally someone will ask whether we should get into those other areas, so here is our view into what it means to “deliver Windows and the apps.”
Deliver Windows. No one really wants to deal with an operating system at all, but if you need to run Windows apps you need Windows, so what is the best way to deploy it? The majority of users have Windows installed locally on their desktop or laptop. IT can either let users find it for themselves (BYOPC) or IT can install a standardized image for them, using tools like Windows Deployment Services, System Center Configuration Manager, LANDesk, Dell (KACE), Symantec/Altiris and many others.
Another approach is desktop virtualization, in which Windows stays in the data center and is remote-displayed on the end user device, using solutions from Citrix, Dell, VMware and others. These are highly optimized solutions that have taken 20 years to refine in order to handle and support the wide array of environments in the enterprise. AppSense partners with all these solution providers to cover every Windows deployment methodology in use in the enterprise.
Deliver the Apps. Deployment of Windows applications is a fast-evolving area where no one size fits all. To put this in perspective, we are talking about traditional/classic/fat/native Win32 apps here, which have been developed for 30 years against the Windows API and are firmly embedded as Line-Of-Business tools in most enterprises. It is not uncommon in a large enterprise to hear that there are more than 10,000 Windows apps in use and, although some business tools have been replaced by web apps, they have only made a small dent in the total catalog of Windows apps used and maintained in the world.
Here’s the problem: Windows apps represent a management headache because (a) they need to interact with each other but they can also conflict, and (b) they need updating with new versions and they use different installer technologies.
Windows apps were written to be installed onto a local PC running a local copy of Windows, so what techniques can IT use to simplify the challenge of managing Windows apps in the enterprise? Consider these:
- Put the app in the base Windows image. This is sometimes unavoidable for apps that don’t like any of the other techniques listed below, but it comes at a high cost because it adds extra steps to the process of making the Windows image every time the app or OS changes.
- Stream the app over the network into Windows. This is very appealing because it works with any method of deploying Windows and the user can run what they need on-demand. However, there are challenges. Not all apps work in the streamed app container (some say < 50%, some nearer 80%). There can be a delay while the app is streamed and initialized, and apps that interact have to be streamed together, increasing complexity and slowing the user experience.
- Attach the apps as layers. This relatively new technique works at the storage level in virtual desktops by encapsulating one or more apps inside a virtual disk and connecting that disk to a Windows VM. Similar in concept to app streaming, it avoids the delays of copying apps into Windows across the network. It still has the challenge of how to package together apps that need to interact and, despite vendor claims, there are still concerns around the percentage of apps that are compatible with layering.
On a security note: it is interesting that both app streaming and layering rely on encapsulating one or more apps in a virtual container and integrating that container with Windows. Some vendors have reversed this approach to secure the app and limit the data flows between the app and the rest of Windows, creating a kind of sandbox. The theory is that, if an app has limited access to the file system and network, then it cannot cause damage if it is exploited by an attacker. There is some merit to this (although sandboxes have weaknesses; see http://www.securityweek.com/glimpse-latest-sandbox-evasion-techniques), but it does not mean that app streaming or layering have any value in securing the desktop. Sandboxes work by intentionally limiting an app’s ability to interact and share data with Windows and other apps in the interests of security, while app virtualization (streaming or layering) eases delivery of an app with as few limitations as possible.
So, nothing is perfect, and while it’s great to see so much innovation in the app deployment space, there is still no dominant solution due to the inherent challenges and inconsistencies in Windows apps. The good news is that AppSense partners with all of these solution vendors, and no matter how the app and desktop arrive, we will secure, optimize and make them personal.