Microsoft Technologies for Consumerization
Published: April 19, 2011
The workplace is changing. The boundaries between peoples’ professional and personal lives are blurring. Work is no longer confined to the office. Employees check work email at home during the night and update their social media at the office during the day. In addition to their desktop computers, they're using portable computers, slates, and smartphones.
Windows Optimized Desktop
The Windows Optimized Desktop offers client computing choices to enhance user productivity while meeting specific business and IT needs. Built on the Windows 7 Enterprise operating system, managed by Microsoft System Center, and secured by Microsoft Forefront Endpoint Protection, the Windows Optimized Desktop includes virtualization technologies with integrated management across physical and virtual machines (VMs), including virtual desktop infrastructures. Add Microsoft Office 2010, Windows Internet Explorer 9, and the Microsoft Desktop Optimization Pack (MDOP) to enable a workforce that is more productive, manageable, and secure.
In consumerization scenarios, application management is about provisioning applications and controlling which applications users can run on their computers. System Center Configuration Manager 2007 and Microsoft Application Virtualization (App-V) are key deployment technologies. Additionally, AppLocker is a Windows 7 Enterprise feature that you can use to control access to applications.
Organizations using System Center Essentials can also use it to distribute applications. For more information about Essentials, see System Center Essentials. Technical guidance for deploying applications is available in the System Center Essentials 2010 Operations Guide.
User State Virtualization
A specific challenge to embracing consumerization is people working on more than one computer. This scenario can be painful for both end users and IT pros. Users’ files and settings do not follow them when they roam from computer to computer. If a user creates a document on his or her work computer, for example, that document isn’t immediately available when he or she logs on to a slate or through a VM accessed by a non-Windows PC. For IT, decentralized storage of files and settings leads to even more challenges. Files are difficult to back up. They’re difficult to secure. And because they’re scattered across many PCs, availability of important files is difficult to manage.
The Infrastructure Planning and Design: Windows User State Virtualization guide can help you implement user state virtualization.
Local Data Security
BitLocker Drive Encryption is an integral security feature in Windows 7 Enterprise that helps protect data stored on fixed drives and the operating system drive. BitLocker helps protect against offline attacks, which are attacks made by disabling or circumventing the installed operating system or by physically removing the hard drive to attack the data separately. BitLocker helps ensure that users can read the data on the drive and write data to the drive only when they have the required password or smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys.
The Trusted Platform Module (TPM) interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and the user will need a recovery password or recovery key to regain access to the data.
In Windows 7 Enterprise, BitLocker To Go extends BitLocker to portable drives, such as USB flash drives. Users can encrypt portable drives by using a password or smart card. Authorized users can view the information on any PC that runs Windows 7, Windows Vista, or Windows XP by using the BitLocker To Go Reader. Also, by using Group Policy, you can require data protection for writing to any removable storage device but can enable unprotected storage devices to be used in read-only mode.
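The following script is an added example, not part of the white paper and not Microsoft's own guidance text. It shows the defender-side steps the BitLocker description implies on a Windows 7 Enterprise computer with a TPM: prepare the TPM, turn on BitLocker for the operating system drive with a recovery password, verify the protectors, and confirm that the BitLocker To Go "deny write access to unprotected removable drives" policy has applied. It uses the built-in manage-bde.exe tool; the drive letter, the UNC path for the recovery file, and the policy registry location are assumptions made for illustration and should be checked against your own environment.

```powershell
# Added example (not from the white paper): enabling BitLocker on the operating
# system drive of a Windows 7 Enterprise computer with a TPM, adding a recovery
# password, and checking the protector state. manage-bde.exe is the built-in
# BitLocker command-line tool. Run from an elevated PowerShell prompt.

$osDrive       = 'C:'                                 # assumed OS drive letter
$recoveryShare = '\\fileserver\bitlocker-recovery'    # constructed UNC path for the recovery file

# 1. Make sure the TPM is turned on before relying on TPM-based startup protection.
manage-bde -tpm -turnon

# 2. Turn on BitLocker for the OS drive. -RecoveryPassword creates a 48-digit numerical
#    password so the drive can be unlocked if startup measurements change and BitLocker
#    enters recovery mode. -RecoveryKey writes the recovery information to the given folder.
manage-bde -on $osDrive -RecoveryPassword -RecoveryKey $recoveryShare

# 3. List the key protectors to verify that both a TPM protector and a recovery password exist.
manage-bde -protectors -get $osDrive

# 4. Report overall status (encryption progress and whether protection is on).
manage-bde -status $osDrive

# 5. BitLocker To Go: the Group Policy setting that denies write access to removable drives
#    not protected by BitLocker is stored as RDVDenyWriteAccess under the FVE policy key
#    (assumed location; 1 means unprotected removable drives are read-only).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (Test-Path $fve) {
    Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
} else {
    Write-Output "No BitLocker policy key present; removable-drive write protection is not enforced by policy."
}
```

Step 2 is the point a practitioner most often gets wrong: turning on BitLocker with only a TPM protector leaves no way back in when the startup measurements change, so the recovery password should always be created and escrowed (here to a file share; in a domain, Active Directory escrow is the usual choice) before encryption starts.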
The Windows 7 Backup and Restore feature creates safety copies of users’ most important personal files. Users can let Windows choose what to back up or pick individual folders, libraries, and drives to back up—on whatever schedule works best for them. Windows supports backing up to another drive or a DVD. Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise also support backing up files to a network location.
Forefront Unified Access Gateway (UAG) provides remote client endpoints with access to corporate applications, networks, and internal resources via a Web site. Client endpoints include not only computers running Windows but also other non-Windows devices. It supports the following scenarios:
Infrastructure Planning and Design: Forefront Unified Access Gateway on TechNet provides guidance for designing a Forefront UAG deployment. Additional detailed technical guidance is available in Forefront Unified Access Gateway (UAG) on TechNet.
Network Access Protection (NAP) includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers that attempt to connect, limiting network access when client computers are noncompliant, and remediating noncompliant client computers so that they regain unlimited network access. NAP can also provide ongoing health compliance enforcement while a compliant client computer remains connected to the network.
The Network Access Protection Design Guide can help you design a NAP deployment. The Network Access Protection Deployment Guide provides detailed technical guidance for the above scenarios.
In addition to securing local data and network access, protecting access to business information—such as intellectual property—is an important consideration if you're embracing consumerization. Two technologies are available for protecting this information:
Windows Cloud Services
For organizations that do not have the resources or infrastructure to support the Windows Optimized Desktop, Windows Intune can help deliver the management and security essentials. Organizations that have deployed the Windows Optimized Desktop can manage pockets of unmanaged computers (home-office computers and consumer devices running Windows that users bring to work) by using Windows Intune (Figure 1).
Remote assistance alerts provide a key tool for troubleshooting problems that occur on managed computers. A user on a managed computer can initiate a remote assistance request, which generates an alert. When you view the alert in the Windows Intune administrator console, you can accept the request. Accepting the request opens a Microsoft Easy Assist session so that you can perform remote troubleshooting on the user’s computer.
Virtual applications are streamed to computers as network services. They do not leave footprints on systems and are easy to update. They’re also self-contained, helping prevent conflicts between personal and business applications that may cause downtime and require intervention from the support team.
As shown in Figure 2, the primary components of App-V are:
Figure 2. Application Virtualization
App-V 4.6 is the latest version of the product. With App-V 4.6, you can sequence and run 32-bit and 64-bit applications on the 64-bit version of Windows 7. It supports new Windows 7 features such as the taskbar, Jump Lists, AppLocker, BranchCache, and BitLocker To Go. App-V 4.6 adds support for 12 additional languages. To support Microsoft Virtual Desktop Infrastructure (VDI), App-V 4.6 provides the capability for a read-only shared cache to help optimize server disk storage. Last, App-V 4.6 improves the sequencing experience and provides support for sequencing 32-bit and 64-bit applications. You can learn more about App-V at the Microsoft Desktop Optimization Pack Web site. More detailed technical information is available on TechNet at Application Virtualization.
System Center Configuration Manager 2007
Configuration Manager gives IT pros the ability to deploy, upgrade, and track usage of both physical and virtual applications in a single management experience. By seamlessly integrating virtual application formats into the Configuration Manager software-distribution capability, IT pros can follow known processes and workflow for delivering virtual applications to end users. This enables IT to deliver applications more quickly while also isolating potentially conflicting applications from interfering with one another. Configuration Manager’s integration with App-V provides added scalability while also allowing IT to enable existing distribution points to stream virtual applications, eliminating the need for a separate App-V infrastructure. With Configuration Manager, virtual applications can be delivered to either computers or users. Administrators can inventory virtual applications and deliver virtual applications as part of Operating System Deployment task sequences.
Figure 3. Configuration Manager and App-V Infrastructure
Using Configuration Manager to publish virtual applications requires that you follow a simple process. At a high level, managing virtual applications with Configuration Manager requires applications to be sequenced, published by using Configuration Manager advertisements, and delivered to the end clients. The following minimum process is required to support App-V in a Configuration Manager infrastructure:
Managing virtual applications with Configuration Manager requires an App-V sequencer for creating packages, a Configuration Manager site server, Configuration Manager distribution points for delivery of the packages, and Configuration Manager client computers with the App-V client installed. The following minimum components are required to support App-V in a Configuration Manager infrastructure:
System Center Configuration Manager 2012
Configuration Manager 2012, now in beta 2 release, helps IT empower their users with the devices and applications they need to be productive, while maintaining the control necessary to protect corporate assets. It provides a unified infrastructure for managing mobile, physical, and virtual environments that allows IT to deliver and control user experiences based on user identity, connectivity, and device specifics. Along with all of the world-class inventory, operating system deployment, update management, assessment, and settings enforcement you’ve come to expect from Configuration Manager, the new release will deliver:
You can find more information about the new updated capabilities involving the deployment of virtual applications in System Center Configuration Manager 2012 beta 2 release at Introduction to Application Management in Configuration Manager 2012.
Virtual Desktop Infrastructure
Due to consumerization, users are bringing to work more than just PCs running Windows. Non-Windows-based slates and tablets run a range of operating systems, such as Apple iOS, Google Android, Linux, and so on. These devices provide different user interfaces, different levels of security, and different management capabilities. There are multiple operating systems across consumer devices, so adopting a systematic approach to management and security is essential.
Figure 4. Virtual Desktop Infrastructure
For more information about VDI, see Virtualization Products and Technologies.
Part of Windows Server 2008 R2, Remote Desktop Services (RDS) provides the Remote Desktop Connection Broker (RD Connection Broker). RD Connection Broker is a native VDI connection broker that provides a unified experience for accessing VDI as well as traditional session-based remote desktops. RD Connection Broker delivers virtual desktops similarly to RemoteApp. For example, a user will access http://rds-all.contoso.corp/rdweb to see a Web page listing both authorized applications and desktops, once authenticated.
Figure 5. Remote Desktop Connection Broker
With RemoteApp and Desktop Connection, users can access RemoteApp programs and virtual desktops directly from the Start menu without specifying the RDS URL. This capability minimizes user training and offers a consistent user experience on Windows applications.
With VDI, a virtual desktop is isolated from the client’s device and runs in a VM maintained in a data center. The device can be a desktop, laptop, slate, or thin-client computer—running Windows or another operating system. Users interact with their virtual desktops through RDP and RemoteFX, which provides a rich desktop experience. Similar to session-based remote desktops (i.e., Terminal Services), VDI provides a server session with a full-fidelity desktop environment that is virtualized within a server-based hypervisor. The premise of VDI is that all users are running virtual desktops on VMs. Key technical components making VDI a reality include:
There are two VDI deployment models:
VDI essentially delivers a desktop on demand to a user device via a network connection. This is different from running a conventional desktop computer, in which an OEM license is bound to the hardware and cannot be dynamically assigned as it can with VDI. Traditional licensing has become insufficient to correctly reflect the number of licenses consumed in a desktop deployment delivered with VDI.
Both the VDI Standard Suite and the VDI Premium Suite are licensed per client device that accesses the VDI environment, and thereby allow for flexibility of server infrastructure design and growth. You can learn more about VDI suite licensing at Microsoft's Remote Desktop Services site. Additional information about Remote Desktop Services Licensing is available at Licensing Remote Desktop Services in Windows Server 2008 R2.
Both RDS and VDI are core components of desktop virtualization, and they satisfy specific computing requirements and scenarios with deployment readiness and flexibility. For a remote task worker who needs to access a specific application for carrying out a well-defined task—such as entering data or reporting a status for time reporting, inventory updating, or incident reporting—RemoteApp might be sufficient. However, a knowledge worker—who performs complex or unstructured routines such as analyzing data, architecting a solution, designing a product, writing code, or troubleshooting systems—will likely require full access to a desktop to assure productivity, and deploying a virtual desktop is one solution.
Table 1. Session-Based Virtualization vs. VDI
Note: Citrix XenDesktop is a Microsoft Partner solution that can deliver on-demand virtual desktops and applications to users on any device they use, anywhere they use it. To learn more about Citrix XenDesktop, see the Citrix XenDesktop Web site. Additionally, the blog entry Microsoft Virtual Desktop Infrastructure (VDI) utilising Citrix Xendesktop as the Broker describes in detail how XenDesktop fits into and enhances VDI architectures.
Choosing the Right Technologies
This article has described four technologies that can help your organization embrace consumerization. These technologies are Windows Optimized Desktop, Windows Intune, Application Virtualization, and VDI. The following list describes how these technologies fit into specific consumerization scenarios:
In all cases, application virtualization can provide users access to the applications they need. For more information, see the section titled “Application Virtualization,” earlier in this article.
Smartphones and Mobile OS Support
Tools are available to manage smartphones in the enterprise. For example, you can use Exchange ActiveSync to manage many Microsoft and non-Microsoft smartphones. Exchange ActiveSync is a Microsoft Exchange Server synchronization protocol that is optimized to work over high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, enables devices to access information such as e-mail, calendars, and contacts on an Exchange Server system.
Remote Device Wipe
Mobile phones can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Through Exchange ActiveSync policies, you can add a password requirement to mobile phones, mandating that users enter a password to access their phones. Microsoft recommends that, in addition to requiring a device password, you configure your mobile phones to automatically prompt for a password after a period of inactivity. The combination of a device password and inactivity locking provides more security for your corporate data. For more information, see the section titled “Device Management” later in this white paper.
You can remotely wipe a device by using one of three methods:
For more information about remote device wipe in Exchange Server 2010, see Perform a Remote Wipe on a Mobile Phone on TechNet.
You can create an Exchange ActiveSync mailbox policy to configure a variety of security options for users and their devices. In addition to password requirements and settings, you can use the General tab on the policy to specify the types of mobile phones that can connect to the Exchange Server system and whether attachments can be synchronized. The following summarizes the available policies:
On TechNet, Managing Exchange ActiveSync with Policies provides a full list of mailbox policies and describes how to configure them by using the EMC and the Shell. The ability to manage devices through Exchange ActiveSync will also be a core feature of the upcoming System Center Configuration Manager 2012, which is now in beta 2 release.
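The following Exchange Management Shell script is an added example that is not part of the white paper and not Microsoft's own sample. It ties together the two preceding sections: it creates an Exchange ActiveSync mailbox policy that enforces a device password with an inactivity lock and a failed-attempt wipe threshold, blocks attachment synchronization and non-provisionable devices, assigns the policy to a mailbox, lists that user's partnered devices, and then issues a remote wipe for one of them from the Shell. The policy name, mailbox, and notification address are constructed values; the cmdlets are the Exchange Server 2010 ones.

```powershell
# Added example (not from the white paper): Exchange Server 2010 Management Shell
# commands for an ActiveSync mailbox policy and a remote device wipe.
# Policy name, mailbox and addresses below are constructed for illustration.

$policyName = 'Consumer-Devices'     # constructed policy name
$mailbox    = 'alice@contoso.com'    # constructed user mailbox
$adminAddr  = 'helpdesk@contoso.com' # constructed address that receives the wipe confirmation

# 1. Create the policy. DevicePasswordEnabled plus MaxInactivityTimeDeviceLock is the
#    "device password + inactivity locking" combination the text recommends.
#    MaxDevicePasswordFailedAttempts makes the device wipe itself after repeated bad passwords.
#    AllowNonProvisionableDevices $false refuses devices that cannot enforce the policy at all.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false `
    -AttachmentsEnabled $false

# 2. Assign the policy to the mailbox so the settings are pushed on the next sync.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. Show the devices that have partnered with the mailbox; Identity names each partnership.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceId, LastSuccessSync, Identity

# 4. Remote wipe one device (the Shell method). The wipe command is delivered when the
#    device next connects, and a confirmation is mailed to the address given.
$device = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox | Select-Object -First 1
if ($device) {
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses $adminAddr -Confirm:$false
}
```

Two points worth noting when using this in practice: the wipe only takes effect when the device next synchronizes, so a stolen phone that never reconnects is protected only by the password and inactivity lock set in step 1, and `Select-Object -First 1` is used here purely to keep the example self-contained; in a real incident you would pick the device by its `DeviceId` from the step 3 listing.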
Idle Timeout Value
Direct Push Technology uses Exchange ActiveSync to keep data on a smartphone synchronized with data on Exchange Server. On firewalls, a network idle connection time-out indicates how long a connection is permitted to live without traffic after a Transmission Control Protocol (TCP) connection is fully established. You must set this time-out value correctly so that the Exchange ActiveSync heartbeat interval and the enterprise session interval work together. If the firewall closes the session, mail remains undelivered until the client reconnects, and the user could be unsynchronized for long periods of time. Microsoft recommends that organizations set time-outs on their incoming firewalls to 30 minutes. For more information, see Understanding Direct Push and Exchange Server 2010.
Exchange Server includes the Autodiscover service, which simplifies the provisioning of mobile phones by returning the required system settings after a user enters his or her e-mail address and password. The Autodiscover service is enabled by default in Exchange Server 2010 (Figure 6).
Figure 6. Autodiscover with Exchange ActiveSync
The ability to use Autodiscover depends on the operating system of the mobile phone you're using. Not all mobile phone operating systems that support synchronization with Exchange Server support Autodiscover. For more information about operating systems that support Autodiscover, see the blog post Updated - Comparison of Exchange ActiveSync Clients (Windows Phone, Windows Mobile, Android, Nokia, Apple, Palm).
IT must be able to embrace consumerization where it is appropriate, while at the same time minimizing risks to the enterprise and its data. By assessing and understanding your users, in addition to the devices that they want to use, you can help ensure that consumerization benefits your business, and that these benefits can be measured and evaluated.