Transform Desktops and Accelerate User Experience
October 12, 2017
Paul Whalley | Product Manager | Ivanti
Andrew Swindells | Product Manager | Ivanti
Major IT projects, like Windows 10 migration and updates, Office 365 adoption, migrating to Citrix Cloud, desktop transformation, or reducing cyber-threat risk, are challenging to plan and execute while keeping end users productive. While user acceptance is critical to IT project success, delivering a great user experience during and post-project can become an afterthought due to the pressure to keep a project “on time and on budget”.
For the end user computing initiatives described above (and more), Ivanti User Workspace Manager (UWM), formerly DesktopNow Plus, significantly reduces the need to sacrifice user productivity to keep projects on track and ensures that those projects deliver results that significantly improve the user experience, driving up acceptance and productivity. In this webinar, you’ll learn:
- Which IT initiatives can benefit most from UWM inclusion
- How UWM keeps end users working throughout the project
- How UWM increases user acceptance when initiatives are delivered.
Nanette: This is Transform Desktops and Accelerate User Acceptance, and we're glad you could join us today. Our speakers today are Paul Whalley, who's senior product manager for Environment Manager and he'll be talking, of course, about Environment Manager today; Andy Swindells, the senior product manager for File Director; Ollie Sills, the Senior Product Marketing Manager. He's going to be pinch-hitting today and covering Application Control and Performance Manager. I'm Nannette Vilushis. I manage our product marketing, and I'm going to be your moderator.
Please feel free to ask questions in the Q&A section of WebEx. We have Hannah Curtis monitoring those questions, and she’ll interrupt us and ask us questions as they come up or answer them in Q&A if she has the answer at hand, so please don’t hold back on questions. We want to hear them. We're interested in knowing what you need to know.
As IT people, we all know the biggest roadblock to project success is user resistance. Making sure users are happy with the outcome of a project is important to leveraging it to the fullest extent and avoiding end users doing run-arounds or go-arounds, which you know they will do, and using the technology you've chosen and the investment you've made and fully exploiting it to benefit your company. These major initiatives are areas where end users are particularly touched with the project and can be particularly destructive if they're not accepting of it. Those areas are endpoint security and disaster recovery, Windows 10 migration, any virtualization projects―reducing logon times, desktop transformation of PC replacement, so break/fix, and in this case, you could also classify that as going to VDI or going to Windows 10, workforce mobility, and then that area of cloud initiative, we'll talk about that, too.
Endpoint Security and Disaster Recovery
First, let's cover endpoint security and disaster recovery, something that's on everyone's mind all the time these days. The challenge is that users hate restrictions. They hate them, and they'll go around them if they can. When you're talking about endpoint security and disaster recovery, you don't want to mess around. You need to lock down users and you need them to be acquiescent to that, so the solution is to give users everything they need to do their job, but no more and no less than that. The products that help with that are Application Control and Environment Manager. First, Ollie will talk about Application Control.
Ollie: Thanks, Nanette. Ivanti Application Control, as the name suggests, enables full control of application access. This can be used to prevent the installation or execution of unauthorized content such as ransomware, unlicensed software, CPU intensive applications, or other malicious executables. It can be achieved through traditional whitelisting or blacklisting, and for additional security, the digital hash of the file can be taken and used to ensure the file is legitimate. This is effectively like checking the fingerprint of the file, so if the file is changed in any way, the digital hash will not match and the executable will be blocked from executing. This is, however, a labor-intensive way of managing applications, as the whitelist and blacklist need to be constantly maintained.
As an alternative, Ivanti provides a unique method of application control called Trusted Ownership Checking. This checks to see who's introduced the file into the system and, hence, who owns it. If the executable is owned by a nontrusted user, e.g., a standard user, the executable is prevented from being installed or executed. If it's been introduced onto the system by a trusted user, for example an administrator, or by a specific software installation account, such as Mcrosoft System Center, the application can run automatically or be installed. This provides out-of-the-box protection from all unknown executables and eliminates the IT admin overhead associated with managing black or whitelists.
Ivanti Application Control also provides Windows privilege management capabilities. This allows IT to remove full admin rights from users, and then elevate their privileges on a per-application or per-operating system component basis. Giving users full admin rights to their endpoints can be dangerous. Users can potentially introduce unauthorized executables onto devices or inadvertently, or even maliciously, stop-install security solutions, leaving the device open to security vulnerabilities.
Removing admin rights locks the system down for users but can adversely affect the user experience. For example, if something goes wrong with a print job, standard users can’t stop and restart the print spooler service on their endpoints because they don't have admin rights. By elevating users’ privileges to be able to stop or start only that print spooler service enables the user to continue to perform their daily role, eliminates security vulnerabilities, and reduces unnecessary IT support calls. For trusted users such as power users, IT can also provide them with a self-elevation capability. This allows users to choose for themselves to run or install an application with elevated privileges. However, all self-elevation events are audited for security and compliance purposes.
Finally, URL redirection allows IT to protect users from insecure or outdated web content by blocking or redirecting access to specific web pages. For example, this is useful to prevent third-party contractors or temporary workers from accessing sensitive internal web content. I'll now hand the reigns over to Paul to talk you through the security features on Environment Manager.
Paul: Hi, everyone. Ollie mentioned a lot of the security capabilities in UWM, but Environment Manager actually controls the session and the desktop that users are logged onto simply by providing the policy down to the endpoint based on the context of the user. We also have a very rich condition engine, which can determine what is enforced on the laptop based on things like network location, whether the user is logging on from home or in the office. You can lock down and enforce particular application functionality such as printing and access to Save within Office, for example, all based on where the user's logging on. We can also apply group-policy-like settings, but because we have a multithreaded engine, we can get them down to the user faster, which gets you a nice, quick, logon time, which I think we'll embellish on later.
Nanette: Okay. Are you going to talk about lockdowns?
Paul: Yes. The lockdown, as we mentioned, is if the user's logging on from a different location, we can lock down and control parts of the application. For example, if you want to prevent users printing Word documents when they're off the network or in a local Internet cafe, you can use Environment Manager policy to set up that configuration. Also, for email signatures, you can create them out-of-the-box using Active Directory attributes to prepopulate all your users’ email signature details. You don’t have to set them up manually, and you get a nice, standard corporate standardization in your environment.
The lockdown is actually performed by our Wizard. It's a nice, easy spy tool, which is basically a crosser that lets you select portions of an application or even Windows Explorer and lock down that menu dialogue so you can get granular with the configurations. All of our customers use this beyond the settings you get, for example, with an Office GPL template.
Nanette: Okay, terrific. Let's talk a little about Windows 10 migration. We've been talking a lot about this here. We have two products in particular that help ease the trauma of a Windows 10 migration for IT and for users. The challenge, of course, with Windows 10 migration is that users hate change, any change of any kind. We did a survey earlier this year and asked users how they felt about major changes to their desktop, such as changes to their OS, and 92 percent were very distressed by the thought of their desktop changing, so we know for a fact they definitely hate it and IT knows that, too.
The solution is don't force change on users. You may need to change their OS but give them the personalization they had before and make sure their files are where they expect them to be. Three products that help with that are Environment Manager, File Director, and Insight. We'll review those, now, and we'll start with Environment Manager, so we'll hand it back to Paul.
Environment Manager and Windows 10 Migration
Paul: Thanks, Nanette. That's a great point you mentioned about users not having to go through change, having to get a new provisioned OS, and having to set up all their settings manually from the start. Especially with Windows 10, you have a unique, new set of dialogues and not everything is in the same place as you'd expect with Windows 7 or Windows XP desktop.
What we do with Environment Manager is we have a set of templates, which are best-practice Windows and application templates. We can take the settings from your existing Windows 7 environment, for example, and import them into our centralized database. We're not taking the user’s profile, we're taking the application settings as defined by our template. The administrator simply has to assign what applications and settings they want to migrate, and then it's the agent that does the import at the next logon for the user.
The great thing about this is once we have central management of the profile, the user can roam across devices with our agent installed and, dependent on OS, get the versions they need. For example, when they go to Windows 10, they get all the wallpaper settings they had previously, all the taskbar items, all the shortcuts, and some of the key things within the Office world, things like signatures, which I mentioned earlier, mail profiles, all that is seamlessly migrated.
From the administration side, we have a centralized dashboard and a service desk tool with which you can monitor and control your migration and see the progress of your users’ onboarding to personalization. This ensures you can phase your upgrades, whether you want to do it via AD group or by department. You can set these conditions quite quickly within the console and start onboarding users.
Personalization rollback is something that's controlled via the service desk function, which is a web application so you can access this from any browser and you can see either a group of users or a particular user's personalization that’s been imported. For example, you could look at the file and registry settings for Microsoft Office and roll back and take backups of that user's data. One key way some of our customers do this, and we have a quick guide for this in the service desk console, is create a backup and mark it as protected, so you have a known good set of settings. This is a great one after you've done your migration, so you have a known good profile. I think we're going to move on to File Director, and Andy's going to talk about some of the great stuff File Director does.
Nanette: Andy, take it away.
File Director and Windows 10 Migration
Andy: Okay. Thanks a lot, Nanette. Thanks a lot, Paul. Good afternoon/good morning/good evening to everybody who's listening today. File Director provides instantly the features and functionality that help provide the remedy for what is at times a Window 10 headache, at the same time ensuring the end user's experience is at the forefront throughout the migration. As Nanette mentioned and Paul mentioned, that's the key to any challenge IT takes on―the user experience. How do we go about doing this? There are three features listed in this slide. I'm going to pick these out one-by-one briefly. There's a wealth of information available on the community that goes over this in more detail.
File sync and migration: What this does is give the power to the administrator to provide file synchronization in a way that suits their and also the end user’s requirements. We don't want to dictate to the administrator they work in a certain way, and at the same time, we don't want to reduce the options the administrator has to pass on to the end users. We can provide functionality such as enabling on-demand, real-time, or background syncing of user files. It's the background sync that's really worth calling out, here. The administrator can file and synchronize the user's files and folders to backend storage in such a way that the end user's unaware it's taking place. Next is going to be traditional, on-premise SMB storage. Ours is the version 4.3 release, which is the current release of File Director from earlier this year. We can also now save that to cloud-based storage such as OneDrive for Business. I'm going to cover that a little later in more detail.
The second point is in-location sync. This is being done to make a powerful aspect we can do, and this brings in the Insight tool mentioned earlier in the original slide and there’ll be more detail as we go into it. This allows us to discover the locations where users are storing their files on the endpoint. For example, they've created their own folder structure for that machine that's unique to them. They have a folder inside the C drive, which says My Documents, and under this they have My Excel Sheets, My Word Documents, and so on. Insight can capture this information and make it available to the administrator in the way he or she needs it. Using this file information, they can then configure it to find those files and folders and make sure they're migrated so the end user's experience is not reduced in any way. Also, what's important and interesting to talk about is that the right types of files get migrated. We don't want to migrate the user's iTunes library or download the Game of Thrones, for example, so what we can do is say we're interested in Excel files, we're interested in Word Documents, and any MP3s or MP4s, leave those where they are, we're not going to migrate those. In-location sync is important and very powerful.
The final point I want to call out regarding File Director is the Mapped Drive Emulation. This allows end users to have the same in-office experience no matter where they are. If they're working from home, they can still access the network shares without having to use a VPN connection, for example. From a Windows 10 migration perspective, this means remote users don't need to travel to the office to have their files synchronized. I'm going to hand it to Ollie now to go into a little more detail regarding the Insight product I mentioned a few minutes ago.
Insight and Windows 10 Migration
Ollie: Thanks, Andy. We'll start by looking at how Insight can help with user experience analysis. For those looking at migrating to Windows 10, Ivanti Insight provides the ability to monitor and baseline your current environment from an endpoint user experience perspective and then compare your new Windows 10 environment to that baseline. This is ideal for identifying current performance bottlenecks or security vulnerabilities and ensuring they've been addressed in your new Windows 10 estate. One of the big problems faced by a lot of our customers is the issue of data sprawl and ensuring user files are backed up and can be migrated as Andy spoke about. Ivanti Insight enables IT to identify where users are storing their files on endpoints and how much data there is. This makes it far easier to perform file migration to on-premises or cloud-based storage and ensure there is enough room available to cater for all users' files. Ivanti Insight can also be used to identify which applications or operating system content being used requires elevated privileges to roam and which users are requesting access to it. This will help with the removal of admin privileges and the elevation of rights for users.
Next up, we have a video showing how Ivanti addresses Windows 10 migration.
Nanette: Bear with me a second, and I'm going to pull that up. Paul and Andy, I think, will be talking to this as we go forward.
Ivanti and Windows 10 Migratiion
Andy: Yes. What we're seeing there is the AD control migration I spoke about earlier. This is the Environment Manager console, and basically, we're setting up a migration based on an Active Directory group. We're importing the migration user's security group, which Jane is a member of. In a moment, Jane is going to log on to her Windows 7 endpoint, and she's going to get her agents deployed and also get her profile imported into the database. As you can see there, we're simply running some dialogues as you normally see in Windows, and now the user has her personalization. At this stage, we're not personalizing, we're simply capturing the data ready for the migration. When Word opens up, you can see Jane has specific customizations. She has a few view, look, and feel additions added, which we're going to capture as well within the profile migration.
Also, File Director is going to copy those files. This is used in the in-location sync feature in File Director that Andy mentioned, which predefines settings, locations such as My Document and My Pictures, for example. You can set up File Director to migrate them seamlessly in the backend so you don’t have to get your users to move any files as part of the migration. We handle that for you. That's the zero-touch aspect that's really great and that customers love with the migration.
We're going to go into Outlook here to show you that Jane has some things in a draft, and she has a customized signature, so when we go to Windows 10, you'll see we persist those at first logon. There we go, we added Jane's signature, and I think we're going to have a look at the File Director system tray in a second to make sure all the files have been synchronized to the backend. That's something you can monitor with Splunk or with any sort of SIS Log tool. You can get data and analytics on the amount of data Jane will be syncing to the backend. You can actually monitor that before you do the migration. Right here, you can see we're actually copying up the files, and you'll be able to check when that's finished. We can log Jane off then, and she is ready to go with her Windows 10 machine.
This is the first time Jane's logged onto this Windows 10 machine, and you'll see she gets all her same settings and all her files, which we've persisted with a combination of File Director and Environment Manager. There's the user’s same desktop. She has the same taskbar, the same shortcuts, and when you open up Word, you'll see she has the same customizations. From a user perspective, she’s fine, she's ready to go. She can access her email, she has a signature, and she has a mail profile. There’s no configuration to set up, she's literally ready for work.
One of the great things about this is if you wanted to publish, whether it was a VDI or whether it was a published desktop, it doesn't matter. As long as our agents are on the actual endpoint, we will give that consistent experience across devices. I think we're now going to go into Outlook and show exactly the same look and feel she got in Windows 7. [Pause] There's all that. Those overlays you can see there, the little ticks, that's coming from File Director to tell you you've synchronized and downloaded those files to the user's local My Documents location. I think that's pretty much it.
Nanette: There it is. Terrific.
Let's go back to the presentation. That was Windows 10 migration. We showed you Environment Manager, moving settings over, setting some personalization, and File Director, moving files, pointing to where files are in the new location, and making sure the user's desktop is populated with the files they had from the day before.
Let's talk a little about virtualization. One of the things I come across personally as a user is you want your desktop to be personalized. You spend a lot of time getting it the way you want it, and then they move to VDI and you get this vanilla thing you can't personalize, and that's really annoying. The solution, of course, is to allow users to personalize their desktop. The product to do that is Environment Manager, and Paul is going to talk about that specifically with an eye toward VDI. Paul?
Environment Manager and VDI
Paul: That's right, Nanette. One of the key things to point out about our personalization is it doesn't matter whether it's a published application, an App-V published app, or a streamed app by another provisioning technique. The way we virtualize, capture the file and registry changes and information, and persist it, it all works seamlessly across those applications. It doesn't matter if you're using Word on your laptop that might be installed natively/locally on your machine, and you want to go through a published version of Word, which might be on your XenApp or VMware infrastructure. We roam those settings across devices. That's the key thing we showed in the previous demonstration.
Once we decouple the profile and we're controlling applications and settings on a per-app basis, you could roam around, and we back up those files so the service desk or the user could roll back the settings. Not only is it great for roaming across sessions but also across virtualization or application delivery methods. We can work hand-in-hand with them, and our policies can be deployed via our management center, which has a nice configuration engine, or as per the slide previously, we work with SCCM as well, so you can save configurations straight to SCCM if that's your environmental delivery for applications and configs. It's quite broad in its methods for deployment, and it suits a whole number of use cases.
One last thing to point out is our personalization. It's streamed to the application that starts, so we don't bring down those settings at logon, as you get with a generic profile or some of the other profile solutions out there. We stream down the settings when the user double-clicks on the icon, and similarly, at application stop, we sync all the changes back to our backend server. You don't have to log off to get your personalizations saved and your backups run out. It's quite a nice, seamless, just-in-time architecture.
Nanette: I think next we have reduced logon time. This is a big problem in a lot of organizations, and a lot of organizations purchase Environment Manager Insight simply because logon times are such a problem. We did a study last year on logon times, and we asked what is the tipping point for a logon time where employees lose focus and wander off, go to the coffee machine, start looking at their phone, whatever? That is 30 seconds. At 30 seconds, users lose focus and start doing something else. If you go to our website, I believe you can download the white paper with detail on that. If you want a copy of the white paper, request it in the Q&A and we’d be happy to send it to you.
The solution, of course, is to reduce logon times. Get users to work faster, which saves the company money and keeps users focused on their work, which again saves the company money and goes to the bottom line. That is Environment Manager and Insight. We'll talk about Environment Manager first and, specifically, where it helps reduce logon times.
Paul: Yes. As Nanette mentioned, 30 seconds is about the time where users start to get distracted when they're logging on in the morning and might start calling the IT help desk. Definitely, in Environment Manager, one of the key focus points is we can reduce those help desk calls significantly by controlling and giving the admin more granular control over the logon experience. We have quite a granular range of triggers to control when policy and personalization is assigned to the user. As I mentioned previously, with application personalization, all that is done literally on-demand and in just-in-time fashion, so straightaway those application settings are not part of your logon problem. They're all things that are only streamed down to the user when he or she requires them. You have other things in your environment you might need to set up that you might have done with logon scripts or GPO historically. Logon scripts are things that run single-threaded and, literally, you simply wait until it's done.
With Environment Manager, we have a massive array of actions and conditions so that over the years and over the releases, we've eliminated the need for those logon scripts and you can convert them into native EM actions, which you can run in parallel. That means you're not getting a single-threaded approach, but instead you can run things all at the same time and get a nice, fast, logon experience. Similarly, with ADMX, they run in a single-threaded fashion, and you can import those ADMXs into our native ADMX actions, configure them, and run them multithreaded. That's really a great use case that can easily get those logon times reduced.
Nanette: Okay. Let's talk a little about Insight and how that helps to reduce logon times.
Insight Helps to Reduce Logon Times
Ollie: Sure. Ivanti Insight can monitor all user logons across your entire user estate. It's then possible to highlight slow logon times and troubleshoot bottlenecks occurring in the logon process. A simple-to-use web interface provides charts and graphs showing the user logon times. They're all filterable by date, user, operating system, or other custom variables. The graphs show a breakdown of the logon process, including the individual components making up that logon process and the time each component takes to complete its task. This is really useful for quickly identifying performance bottlenecks. For example, it could be something like a group policy object they're supplying slowly, and then addressing that slow logon time issue.
Nanette: Okay. Thanks, Ollie. Let's talk about a big, sweeping topic: desktop transformation and PC replacement. This could be anything. This could be a big hardware swap out. It could be for break/fix. Anything that falls into that category. As with Windows 10 migration, users might want a shiny new laptop, but they want their familiar desktop even though it's old and tired. They don't care. It's theirs. They've made it what they want and they love it, but you can't give them a fresh new desktop with their familiar settings. That is where Environment Manager comes in to save the day and keep users happy. Paul?
Desktop Transformation and PC Replacement
Paul: Hi, Nanette. It's literally the migration story we talked about earlier. It’s something where you could decouple that and apply it to a break/fix scenario. A break/fix is the same to the user as getting a new machine. They might have to have a reimage, for example, but as soon as our agents are deployed onto that endpoint, we will stream down whatever settings the user last saved to the database. Similarly, with policy, we will deploy that policy and the users get exactly the same experience.
A lot of customers are using our profile robot capabilities so they can easily save a set of known good settings for the user, and you can do that across your estate. If you need to re-provision or you need to send out a new laptop to one of your users, they won’t have to be walked through setting up all their applications again and all the mailboxes. Literally, Environment Manager handles that on their behalf.
Nanette: When they start it back up, as you saw with Jane's desktop, it's right where they left it the day before, which is pretty awesome from a user perspective.
Workforce Mobility and Ivanti Products
Okay. Workforce mobility: It can be a user that moves from desk-to-desk, it can be applied to a clinician in a hospital, for example, who's moving from crash cart to crash cart or a sales rep who is moving from state to state or country to country. The bottom line is that users expect their workspace and their experience will not change no matter where they are. They have high expectations and a lot of it is based on their experience with their phone, but with the user workspace manager products, you can give users a great experience regardless of where they go or what time of day it is. You can still protect your corporate assets and apply security policy as you need to. Those products include Application Control, Environment Manager, File Director, and Performance Manager, which we haven't talked about yet. Let's start with Application Control. Ollie, can you talk about that a little?
Ollie: Sure. No problem, Nanette. Certain vendors, including Microsoft, license some of their software on a per-device basis. For multiuser environments such as Citrix, XenApp, or Microsoft RDSH, where users can connect to resources and applications from any client, it makes control of application license usage difficult and expensive. Per-device licensing dictates that if a user has the capability to connect to an application on a server and run it from a specific connecting device, the organization must purchase a license for that connecting device. If you have 10,000 devices that can potentially connect to a Microsoft RDSH, Citrix, or XenApp server, the application installed on that must be licensed for 10,000 devices. However, there may only be 100 users who need access to this application, so license costs are far greater than are actually needed. Ivanti Application Control can limit applications running from within multiuser environments such as Microsoft RDSH, Citrix, or XenApp from specific connecting devices, based on the client name, IP address, or MAC address of that connecting device, satisfying per-device license restrictions. Attempts to run an application from a nonlicensed device will be prevented. This means the organization only needs to purchase 100 rather than 10,000 licenses for the application, thus reducing software costs dramatically. Paul, over to you to talk about Workforce Mobility with Environment Manager.
Paul: Thanks, Ollie. As I mentioned earlier, the context condition engine is where this really comes into play. As your workforce is roaming around from office to office or working from home remotely, we can set up, with our network awareness and our session awareness, when the user locks and goes home and gets a new IP address, for example, we can apply policy and personalization. Based on that personalization, the user can work in an offline mode, exactly for this use case. We cache all the settings locally, so even if they don’t have a corporate network connection, they don't lose any of the personalization for that space. When they're back on the network, they sync all the settings back up. There's no risk of a user roaming around and not getting the desktop IT requires them to get.
Nanette: Okay. Let's talk about File Director. Andy?
Andy: Okay. With today’s ever increasing end-user mobility and adoption of mobile devices, it's important that IT provides access to the files and documents when, where, and also how the user needs them. Traditional data, accounting spreadsheets, or HR documents in Word being completely in an office or in a desktop machine are far behind us. Today, it's more and more vital that the HR manager can get the job offer out to a new employee while using their tablet sitting in a coffee shop. I'd say the days of the traditional everybody works in their office 9:00 to 5:00 are far behind us, and there's this new world we need to adapt to. By using things like Mac Drive emulation and file sync migration features we talked about earlier, IT can now meet this demand far easier than it could in the past. However, as with any new challenge with IT, there's a security aspect that is unknown to the end user working in the coffee shop, but it’s huge to the IT team making sure their sync space is secure.
File Director solves this problem by providing not only a policy-driven security model but also allowing complete control over what types of devices can access the storage. It's also possible for IT to send reports on who, where, and how the storage is being accessed. While still providing that functionality to work where the user needs to work. IT retains that control and auditing ability that is paramount to anything IT does. All this functionality across is provided without impacting the way the end user works by using the Mac Drive emulation feature, for example. The accounting spreadsheet is still accessed in the same way whether the user is in the London office or working on a train heading toward the client in Scotland. Finally now, I'll hand it to Ollie who's going to talk about Ivanti Performance Manager.
Nanette: Okay Ollie, over to you.
Ollie: Thank you very much. Ivanti Performance Manager is designed specifically for multiuser environments and ensures consistent user experience across physical desktops, virtual desktops, cloud-based desktops, or server-based computing environments. CPU thread throttling is patented technology that ensures an excellent quality of service for users in the event of all the CPU being consumed on the system. It does this by identifying the user causing the problem, the application the user is running that's causing the problem, and the individual thread within that application that is consuming the CPU. It then applies a clamp to that specific thread for a period of seconds to free up CPU for all the user's applications and threads. This relieves the load on the system and ensures superior performance for everybody logged onto that server.
In addition, each user is given a fair share of the CPU in the event one or more users is consuming all the processor resource. CPU fair shares balance the CPU between all logged-on users. If one user runs a CPU intensive application, what it does is place this user's application in a lower priority with the system processor to ensure each user still gets a fair share of CPU resources, guaranteeing a consistent quality of service.
The final piece there is physical memory trimming. When an application is launched, it attempts to grab a certain amount of physical memory to run. Sometimes, the application doesn't need all the memory it's grabbed, so physical memory trimming kicks in on the application launch to free up unessential physical memory usage. It can also free up physical memory based on the application's state―whether it's in the foreground, the background, minimized, etc. This frees up critical system resources for users and applications that need it and dramatically improves server density, as well. Typically, on average, we can get around 40 percent more users per server, which helps save on hardware, software, and maintenance costs.
Nanette: Okay. Terrific. Let's talk a little about cloud initiatives, which also covers a lot of ground, but it's something that's really emerging as a direction Microsoft is going in, which of course means we're all going there, too. Users don't really care, cloud-shmoud. They don't care where it is. They don't care if it's on-prem, off-prem, literally in a cloud, or not. They simply want a consistent, quality computing experience no matter where the infrastructure is. The solution is to give that to them. Give them a consistent workspace and a consistent performance. The products there are Environment Manager and Cloud Director. I should also mention that we classify Office 365 in this area, too. Anything that's SaaS-based is coming from elsewhere than locally, but users expect a local performance from that, as well. They don't really care about any of the backend. They're looking at their desktop. They simply want to get their job done. We'll talk first about Environment Manager from a cloud perspective, focusing I think, Paul, on Office 365.
Paul: That's right, Nanette. As customers are moving over to more SaaS-based applications, more and more services are being moved to a cloud-based delivery. The main one we're seeing at the moment is Office 365, which is, even outside of Ivanti, a major initiative in most organizations if only to leverage some of the functionality and power of Office 365, even from an exchange perspective. In VDI environments and nonpersistent environments, there's a big change in behavior as you move mailboxes off the network and put them in the cloud, because, if you want to utilize things such as cached exchange mode or online mode in exchange, you're now contacting over the One and the Internet rather than your local data center. What we're finding is customers want to use cached exchange mode, which offers better performance by far, but in a nonpersistent world, you're having to stream down that mailbox every time the user logs on.
What cache roaming is doing with Environment Manager is enabling admins to set up users to access a container that contains and persists their settings for applications such as not only the OST file, but also things like the Skype GAL, the global address list, OneDrive, OneNote, all those big caches that aren’t personalization, so to speak, but they're the files that speed up the user's experience. They don't want to be waiting while you connect to exchange and stream down the mailbox because things like search are affected, as well as general functionality and operability. Cache roaming is an initiative in the policy engine and something customers can leverage today with a white paper that's on our website.
From a personalization perspective, we've always used industry standard web services, such as AIS and https. This gave us a great kickstart when cloud became such an accelerated and adopted delivery method in a customer environment. As we move toward cloud and software-as-a-service with personalization, we’re in a great place with our architecture. We use this and our customers are using personalization in the cloud today. We have a great white paper Andy put together that documents how you can set up an infrastructure-as-a-service design and start leveraging cloud services to control and manage your personalization.
We're moving toward a more native approach, and we're looking at Azure SQL and some of the web services and service fabrics that Azure offers, which really drives down the cost and speeds up the performance for our customers. All of that is to ensure the final point, the policy and desktop configuration we can deliver in a true off-network, wherever you are in the world, when you're connecting to personalization. You can use Azure AD, you can use all these great authentication providers to make sure your users are always online. The policy we talk about here, although it's Environment Manager, we can also deploy Application Control Policy and Performance Manager, so any updates you need to get out to your workforce, you can deploy no matter where they are.
Nanette: I want to mention that the white papers Paul mentioned, one on cache roaming and one on setting up the end-user infrastructure in the cloud, feel free to shoot us an email and a question in the Q&A if you want to get that paper, and we'll be happy to send it to you. Let's talk about File Director in the context of Office 365 and OneDrive. Andy?
File Director and Office 365
Andy: Okay. We mentioned OneDrive in the perspective of File Director a little earlier in the presentation. As I mentioned, this is a feature we introduced in the version 4.3 release earlier this year. We're going to look at driving a high degree of focus in upcoming releases around File Director, and we hope to enhance the functionality that comes with this connector. As and when this is available, as Nanette mentioned, there will be communications and so on, so if you have interest in this area, please keep an eye out for that information coming out.
When Microsoft announced one terabyte of OneDrive storage was available to every user as part of the Office 365 subscription, there was a great deal of excitement. All of a sudden, it seemed like all the world's problems were solved by this announcement. At the same time, it brought a number of questions, problems, and considerations to the IT industry as a whole. Among them were things like OneDrive is great, but it can’t be used on all endpoints; using OneDrive requires users to work in a different way; to use all that storage you’re no longer working in that native experience you're used to; and we need to adopt this new file storage paradigm that's completely alien to users and has a whole set of new challenges.
I’ve found it’s not always an option for Windows 10 migration, break/fix, and system replacement. With OneDrive lacking that sync control, with forcing redirection, and using self-service, it falls short of some of the key areas it should be moving into. There are obviously IT issues we need to focus on, as well. It's a common theme throughout this presentation as to how it’s regarded by the end users and their experience in the way IT provides services to them. All of a sudden, with this new OneDrive storage, end users need to be trained to use it. They need to change the way they work. Also, users have an ingrained process for saving files. They save files in a certain way, and all of a sudden, they now need to save things in a different way, in a different place that is completely alien to them. It's then two sets of challenges, an IT side and an end-user side of things.
With OneDrive and the business connector, I actually find we can use File Director to address this problem from both the end user and the IT sides of things, and that's because the connector allows users to continue to save their files in the way they do today. For example, I always save my files to the H-drive, and now IT can provide that same consistent, native, “save my files to the H-drive” functionality while tapping into that one terabyte of storage the user's completely unaware of. What happens now is the user continues to save to that H-drive, continues to save Word documents, for example the employee offer or the accounting spreadsheet, into the H-drive as they always have done, but now the IT organization is able to tap into that one terabyte of storage per user as part of the Office 365 description seamlessly to the user. The user has no break in the way they save, and IT gain all the benefits of that. The user never needs to change the way they work, and IT gain all the benefits of that. It's an absolutely fantastic step forward, we feel anyway, from the way the product now works.
As well as that H-drive challenge, there’s also great benefits with break/fix, migrations scenarios. File Director has the sync controls, pause, and redirection capabilities that I mentioned earlier are missing from OneDrive. In the scenario of a user needing a new laptop,
they can continue to have access to their files and folders in the same location on the new or loan machine with no impact or change to the way they work. Previously, if I was given a loan laptop or while my laptop was getting repaired, for example, I had to save files in a different location and had to copy things back using USB sticks and so on. Using File Director, that need goes away. There’s no need to do that anymore, and the user continues to work regardless of what machine or scenario he or she is working in.
Nanette: First, let's take a look at cache roaming, which Paul has spoken about, and we'll start that right now.
Paul: Brilliant. Thanks, Nanette. We have some subtitles, but I'll just roll with it, and we'll get the logon underway. As you can see, this user's never logged on to a Windows endpoint. You're getting the similar first-run animation you get when you start Windows 10, but as you see, through personalization, they have all the settings they expect. Where we get really clever is we cache roam and we've connected to a VHD store and the user has all their mail instantly, as you can see. In the background, the connection is still going to the mail online server, but all of this mailbox has been cached locally. If we go into the settings of the Outlook session, you'll see that the admin has set up mail cache mode so all that has been provisioned and streamed down to the user from a persistent VHD.
If we have a quick look in the profile, you'll see we're making no changes to the user's profile. If the user is moving environments, it's still the same local path that is being set in the profile, but we're redirecting and creating a junction point, if you like, into the VHD, which is persisted across sessions. You can see that the actual VHD, you could actually see this from the disk management utility, but obviously a user wouldn’t have access to that. With Performance Manager, you can see the increased performance you get, and also, you'll see that the local devices being referenced, we're not going out into a UMT share, we're not doing anything clever with it. The network filter drivers, as far as the OS is concerned, as far as the application is concerned, this is a local OST file it's accessing.
Nanette: Okay. Terrific. Andy, let's take a look at OneDrive.
One Drive and Cache Roaming
Andy: There are some distinct aspects of One Drive and File Director in use together. As you can see, the OneDrive native experience. There’s nothing supersonic about this. We can bring in those similar files and folders the user is used to experiencing and we can give them the names and so on they’re used to seeing, while also tapping into that OneDrive storage in the background. It makes it available from anywhere. Again, I could be on the train going to Scotland, and I can access those files and folders and look them over, but how do I go about my ubiquitous H-drive? How do I go about that? We definitely have ways of doing this and that is to bring in the in-location sync and the OneDrive business connector I mentioned earlier today. That’s the H-drive, that’s in the background, and that should now receive the same files that are received in the OneDrive cart and also the File Director cart and the user’s now working in the same way he’s always worked. There we go, that’s consistent for the user and native to them, as well. That’s the real power of this. Different ways of accessing this information, all these files and so on. That should now give it to the user in the way the user is used to working. Service desk calls are reduced, and the training.
Nanette: Yes, make it all about the user, but IT benefits tremendously from that. I think we don't have time for questions, but questions have been asked throughout. We have captured the names of all those who asked us to send white papers. We'll be happy to do that, so watch your email. Thanks very much for your attention today. We're sorry for the delay at the beginning. We hope we made it up to you. Take care and we'll talk to you soon.