Posts Tagged ‘App Virtualization’

Application Virtualization – The UAC Panacea?

January 19th, 2012 by Cyndi Meinke | No Comments | Filed in Application Virtualization, Desktop Management, Desktop OS, Managed Desktop, Microsoft, Symantec, Virtual Desktop Technology, Windows 7

…with contributions from Aaron Gierak, Voltaire Toledo, and Jeremy Pavlov.

The User Account Control (UAC) Challenge

It is commonly known that in XP you have to give end users Administrator privileges in order to do even the most simple routine tasks; like changing the system clock, plugging in a USB drive, running a defrag, updating software, or even running security products.  Of course you can use the RunAs command, but that still requires having an Administrator password – which defeats the security purpose of a limited user account.  And just when we thought moving to Windows 7 would eliminate this security privilege nightmare, enter UAC…

User Account Control (UAC) is a technology aimed to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.  In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system.  In other words, a user account may have Administrator privileges assigned to it, but the applications that the user runs do not inherit those privileges unless they are approved beforehand, or the user explicitly authorizes it.

It is possible to turn off UAC while installing software, and re-enable it at a later time.  However, this is not recommended since File & Registry Virtualization is only active when UAC is turned on – and if UAC is switched off, user settings and configuration files may be installed to an unintended location (i.e. a system directory rather than a user-specific directory).  Also Internet Explorer 7′s “Protected Mode” – whereby the browser runs in a sandbox with lower privileges than the standard user – relies on UAC; and will not function if UAC is disabled.

The Application Virtualization Question

So is application virtualization the solution?  If a virtualized package runs at the kernel level, does it eliminate having to give an XP user Administrator rights?  When you repackage an application that you have been running in XP – in order to port to Win7 – does the app skate by UAC in a way that allows you to keep UAC turned on?

By default, UAC virtualizes requests for protected resources to provide compatibility with applications not developed for UAC.  This is important because many applications written for Windows XP and earlier operating systems assume that the user has administrative privileges and attempt to write to protected resources such as the Program Files or System folders.  The first time an application makes a change to a virtualized resource, Windows copies the folder or registry key to the location within the user’s profile.  Then, the change is made to the user’s copy of that resource.  UAC virtualization is designed to allow already-installed applications to run successfully with standard user privileges, even if they store temporary files or logs in a protected folder.

Installs, Upgrades, and Updates

Many of the problems with UAC come from application installs or upgrades/updates where a new driver or an action that requires UAC acceptance is needed.  With application virtualization – especially a tool like Symantec’s Workspace Streaming where you package from the kernel level – you can bundle the drivers *inside* the virtual app.  As a result, nothing would ever be required of the end-user since nothing is ever “installed”. 

Secondary Executions

However, another issue that bumps against UAC is what we commonly call the “Secondary Execution Event”, where a loaded executable decides to make a call on its own (outside of the one that the app designer intended).  For instance, if a permitted/intended executable launched, and then it calls out to the manufacturer for an updated version, or the latest driver, that is not pre-bundled in the package.  Examples of this are the Juniper VPN agent or the MS Security Center executable.

Panacea or Pariah?

The good news is that application virtualization absolutely does address UAC and elevation features by isolating areas that normally prevent non-elevated users from writing to them by creating a virtual HKLM registry hive, \Windows and \Program Files.  Virtualizing applications also mitigates potential conflicts in a shared session environment like Remote Desktop Servers or XenApp.

However, is application virtualization the silver bullet to fix all elevation and UAC issues?  The answer is “it depends”.  If the application explicitly requires elevated privileges within its manifest, then it will always present a UAC prompt.  In addition, if the application attempts to make a system change like a driver installation or some kind of self-updating feature, it will force Windows 7 to prompt you for elevation.  These challenges can be further addressed with tools such as AppSense Application Manager, or Viewfinity Privilege Management (which elevate a user’s privilege on a per-executable basis), or SystemGuard (which can elevate privileges to write to the registry).

The bottom line is that application virtualization brings many advantages.  In addition to extending the life of legacy applications, reducing deployment costs, and reducing user downtime caused by install/uninstall issues and application conflicts, many UAC issues can be mitigated with application virtualization, especially when coupled with effective use of user virtualization tools.

 

Next installment – Application Streaming…

 

Did you like this? Share it:

Tags: , , , , , , , ,

Application Strategy in the New Enterprise…

December 15th, 2011 by Cyndi Meinke | No Comments | Filed in Application Virtualization, Virtual Desktop Management, Virtual Desktop Technology, Virtual Infrastructure, Virtual Workstation, Virtualization, Windows 7

Why is the right application strategy important?

Whether it is physical or virtual, the endpoint device won’t matter if you can’t get to your data; and it’s through applications that you get to your critical data.  But management of applications can be an administrative burden.  How can you take applications administration to the next level?

 The right application virtualization tool will:

  • Decrease your time to market by 20-40%
  • Decrease your software license spend by 30-50%
  • Reduce or eliminate your need to rewrite legacy applications
  • Allow central management of all your apps
  • Increase Software license management and compliance

For example, in the common case of having to reset a hung application, the average cost of a help desk ticket to reset an app is $345 without an application virtualization tool.  With the proper tool, an app reset can be done in 18 seconds; virtually eliminating that cost.  This has a two-fold benefit – decreased end user downtime, and decreased IT support costs.  But just having a tool to handle these situations does not — by itself — solve all your problems; you must have a strategy.

The right application strategy requires a 3-pronged approach

To arrive at an optimized virtual user-centric experience requires a three-part strategic focus that encompasses the following:

  1. Desktop Strategy
  2. Application Strategy
  3. User Strategy 

Each of these pieces is equally important.  While in some cases you can have an application strategy without a desktop strategy, you should never have a desktop strategy without an application strategy.  From this perspective, it becomes clear that an application strategy can actually be more important than a desktop strategy.  

How it can go wrong

My thoughts based on what I see from a sales and trending perspective:

  • Over time, server virtualization created such a positive ROI for both capex and opex, that it was assumed that desktop virtualization would be another no-brainer to implement.  Companies who have embarked on VDI pilots and initiatives have quickly become disillusioned; realizing that the same efficiencies that were gained at the server level do not necessarily apply at the desktop. Eventually, they are forced to rethink their strategy.
  • Companies that embark on Win7 migrations – and do not take the time to make a strategic decision about how they will manage their applications – may become disillusioned as well, as they are feeling the pain of long cycles to virtualize their applications for a new OS and new endpoint device.  And in addition to the long cycles to prepare the applications, there are the inevitable challenges with legacy apps and conflicting apps.
  • Aging infrastructures and desktop devices create projects driven by choosing an “endpoint strategy” (translated as endpoint device only) where the only thing taken into consideration is the device.  Their whole strategy is around making decisions about thin client, zero client, fat client, etc.; all without thinking about the delivery method or the user profile.

Overall, as companies make strategic decisions about their Virtual Desktop Strategy, there can be tunnel vision about the desktop piece as the only strategic piece, with applications and users being an afterthought.

How to make it right

Herein lies my mission:  To educate those embarking on a VDI initiative about the importance of choosing the right application strategy.

 

Did you like this? Share it:

Tags: , , , , , , , , , ,

Windows 7 Migration – Using App Virtualization

April 7th, 2010 by admin | No Comments | Filed in Desktop Management, Desktop OS, Microsoft, Virtual Desktop Management, Virtual Desktop Technology, Virtual Infrastructure, VMware

Windows 7 will impose many challenges to organizations having to migrate to this new operating system. Ensure application compatibility of your mission critical desktop applications using VMware ThinApp to virtualize applications. Then centralize and simplify desktop management using VMware View and virtualize your complete desktop environment.

  • Virtualize your desktop applications with VMware ThinApp to build in compatibility
  • Virtualize your desktops with VMware View for centralized management of your user environment
  • Ensure delivery of the best user experience with VMware View PCoIP

Minimize the Cost and Disruption of Windows 7 Migration

Get the benefits of upgrading to Windows 7 without endless testing and troubleshooting of integration issues.

IT organizations are faced with the daunting task of having to migrate their desktop environment to Windows 7 as Windows XP support approaches its end and Windows XP availability squeezed with impending complex licensing.

But upgrading 100s or 1000s of desktop devices is costly and time consuming. Windows XP applications will not automatically be compatible with Windows 7. For example Web-based apps that work great on Internet Explorer 6, may not run on Internet Explorer 8 with Windows 7. Additionally, many organizations have custom applications driving their businesses, recoding and recertification their applications for Windows 7 is a time-consuming and costly endeavor. Most of them will have to rely on external vendors to provide the new compatible applications. And the clock is ticking.

Start the transition to Windows 7 today by virtualizing your existing Windows applications with VMware ThinApp. Application virtualization removes the dependency of applications from the underlying operating system so you can run a single application across multiple Windows operating systems. This helps to streamline application migration, ease the burden of cost and complexity for IT and create a seamless transition for end users.

Once your applications are virtualized, consider moving to a complete Virtual Desktop environment using VMware View and further separate the operating system from the underlying hardware and deliver as a secure managed service from the datacenter.

Separate desktop environments from the underlying hardware and run a single image of the operating system on a variety of machines with VMware View. Desktop operating systems, applications and data can be isolated and managed independently in the datacenter.

The VMware virtual desktop solution lets you:

  • Minimize costly application porting and reduce regression testing
  • Reduce conflicts and support calls by providing application isolation and portability using VMware ThinApp, an integral part of VMware View
  • Deliver next generation desktop architecture with modular desktops
  • Enhance image and application management
  • Extend the life of your application and hardware to maximize and protect your investment

Minimize Costly Regression Testing

Applications virtualized with VMware ThinApp are contained in single image formats such as .EXE and .MSI. These images can simply be deployed to end point device or delivered as a secure managed service using View. There is no need for costly deployment downtime and disruption to end user activities.

Since virtualized applications are fully isolated images that do not require installation and commit no changes to the registry, this removes any potential conflict that can be introduced to the environment and greatly reduces the need for regression testing.

You can even deploy a single image of an application to multiple OS versions. Complete a company-wide Windows 7 migration quickly and easily, without costly application porting and lengthy regression testing. Using VMware desktop virtualization, you will:

  • Run a single image of the Windows 7 OS across your virtual environment on a variety of hardware types
  • Maintain user productivity by enabling Windows 7 migration across many systems without rebooting
  • Reduce management costs and power consumption by encapsulating older systems and running them in a more efficient, server-based environment
  • Ensure application compatibility on all endpoint devices

 

Fast to Deployment and Minimize Support Demand on IT

Migrating an entire desktop environment to a new operating system is a time-consuming and costly endeavor for IT and a disruptive event for end users. With VMware desktop virtualization solutions, you can continue to deliver the same applications your end users are accustomed to along with their profiles to Windows 7 quickly and seamlessly. By first virtualizing the applications with VMware ThinApp into single image files, then using VMware View to virtualize the desktops and isolating the desktop environment from the OS. The resulting combined stack helps IT to streamline deployments of both applications and virtual desktops to end point devices. The virtualized applications and desktop environments eliminate direct dependencies on the underlying Windows 7 environment. This helps to reduce conflicts and reduces demand on IT and helpdesk support.

  • Maximize worker productivity and dramatically reduce support calls and maintenance overhead with VMware View. Images of the desktops reside in the datacenter and are deployed to each end user‘s machine. Virtualizing applications isolates them from the OS so they remain unaffected during OS upgrades and migrations, lessening support costs and frustration.
  • Eliminate conflicts and reduce helpdesk support calls.
  • Migrate application and desktop as a single “stack” to minimize disruptive end user downtime.

Source: VMware

Did you like this? Share it:

Tags: , , , ,