- Management - In a typical corporate infrastructure, you manage desktops using remote software technology such as Altiris or some other push technology. It is really hard to manage hundreds of desktops as you are well aware if you administer desktops in your corporate infrastructure. Using technology such as virtual desktop infrastructure (VDI) allows you to have central management of all your desktops and really control what is being installed and used on the desktops. Deployment of virtual desktops is lightning fast as opposed to using imaging technology such as Norton or other antiquated technologies. Would you like to manage 500 desktops all over the United States or Europe or manage them from one data center?
- Security - Security is a key factor in rolling out VDI. With VDI, you have greater control of how you secure your desktop. You can lock down the image from external devices or prevent copying data from the image to your local machine; I'm a big fan of this feature of VDI. Remote users or road warriors also benefit as sensitive data is stored on the server in the data center and not the device. If the device is stolen, the information is protected.
- OS migrations - Let's say you want to roll out Windows Vista to a select few managers. Prior to VDI, you would have to look at their equipment and most likely upgrade hardware, memory, disk space, etc. With VDI, you can just push out a Windows Vista image from a central location to the group of managers.
- VDI image - You can create a library of VDI images to meet all of your company needs. If your company is seasonal, you can have extra images to handle the increased employee traffic. If you use third-party vendors/contractors/consultants, you can use secure/encrypted locked down images to allow them to work in your environment.
- Snapshot technology - With VDI, you have the ability to roll back desktops to different states. This is a great feature, and it allows you to give a lot of flexibility to your end users.
- Go green - A thin client VDI session will use less electricity than a desktop computer. Using VDI is a way to reduce your carbon footprint on our planet and save your company money in power costs.
- Independence - With VDI, who cares what device you use? A thin client, a PC, Apple, Linux, etc. As long as you can connect to your VDI with ICA or RDP, you are golden.
Unfortunately, it is very hard to get anything accomplished in my company as they tend to shy away from anything that could make even one person unhappy. There are agents in my call center that upon taking the job I found had local admin rights and were installing tons of crap on their machines. After a couple of reinstalls due to viruses I took away everyones rights, that hasnt gone to well but Ive stuck to my guns and the complaints are starting to lessen a bit. The biggest hurdle is going to be limiting people to one monitor, if our agents have to give up their dual monitor setup it will never fly.
No one cares about dubious stuff such as the whole global warming scare. Lowering power consumption cuts utility costs. Period. That hippie crap rarely flies in the boardroom; especially during a recession.
We have at our company a drive to move to VDI but we have found that in situations where you need to move in and out of lots of different programs lots of times, this solution doesn't lend itself well. Also, we frequently find that getting new software you need to do your job requires a lot of hoops and frequently is denied. With a desktop and admin rights, you can install what you need to do the job and not have to worry about hoops. Users don't like VDI, and the fact that I can take my work anywhere doesn't matter to me if I can't install what I need when I need it.
Why does it cost? If you have outdated servers and you consolidate servers with blades and virtualize,YOU WILL save money. It will cost you some money to buy the servers but you will save money. You aren't looking at the bigger picture but I understand as your job is not to look at the bigger picture but to concentrate on multiple IT tasks at a time. Your response to the carbon footprint would be much better with supporting examples.
Quote from Mike "With a desktop and admin rights, you can install what you need to do the job and not have to worry about hoops" ROLMAO - I spit coffee all over my screen and keyboard when I read this.. Hey, all your Bases Belong to Us
The battle over whether users need the ability to install software or not is not so simple. Everyone casts it in terms of black and white, but the truth is that it is a colored spectrum. For example, graphic artists frequently want/need to install new filters, font sets, and the odd imaging program, to say nothing of the huge numbers of images that they download as source material. Trying to put a "security review" process in place would stifle that creative department, and also keep the graphics people from responding to quick turnaround requests from, typically, marketing. Software engineers are also constantly wanting to try new tools, and some of them actually have greater knowledge of system administration than most of the IT / support stuff. Rather than invoking blanket policy, reviewing different users' cases can lead to a more flexible response. Grahic artist needs to install new software all the time? Fine. Their machine, which is anyway a high-powered desktop with large monitors and graphics tablets, doesn't virtualize well, anyway. So deploy outside the VDI zone, into a DMZ, and set up a gateway through the inner firewall into the VDI zone, so that all of the images they send inwards are scanned for viruses. Plus, keep RSYNC images inside the firewall, and on a weekly or semi-monthly basis schedule an IT person to sit with the graphics people and update the image with the new software (including fonts) that they want to keep. Letting them feel in control of their own machines, but also showing that the corporate security is an issue, puts them into a more security-conscious frame of mind when they download, and makes them fans of the IT department - a win all around. Finding a flexible path for different classes of users can reduce inter-departmental friction and increase productivity, without seriously compromising data integrity or corporate infrastructure. You have to be clear, though, on why such special cases ARE special cases, to keep others without a real need from asking for the same privileges. Telling another (non-graphics) user that they, too, can install their own software if they 1) give up remote login, 2) give up roaming profile, 3) lock themselves into a single workstation, and 4) make them sit for frequent security reviews and backups, usually shuts them down. If they insist, give in, and then charge back the admin time of dedicating an IT staffer to them for 2-3 hours per week back to their department. If their manager really wants them to have it, he can't object to it, and must accept the cost, and then IT can justify larger staffing because "it's really the other departments' budgets, not ours." Flexible management - better results.
Every job should have a list of software that a specific job title needs. As an IT admin, I do not want you to have the ability to load whatever you want. Thats how networks get viruses and more problems arise. You just need a better workflow/process at your company.
Allowing users to install software they feel they need in order to do their job on their own without a security review is asking for trouble. Sounds like more of a process issue than a control issue when requests for software is denied. We're looking into VDI, but with about 20% of our users being mobile, we have to move out carefully. Being able to work while on a plane or when unable to connect to the home office is critical.
We have it fully deployed and love the benefits. The biggest hurdles have been users. The strugle for them to remain (perceived) control over the desktops they use has been viscious.
The software image was loaded from a central server, there were no issues with users changing settings or introducing malware, and the devices were a SNAp to connect and manage. Of course that was 1983......
That's been my policy here ever since. I don't have time to clean spyware off of 100+ desktop or support some random piece of junk software that they use at home.
it's still their desktop but it can move around with them. They have more flexibility than they realize.
Nothing like marketing/writers spinning what was old to make it new again. Gotta fill up their column space or risk not having a job.
Aw, memories of the old days... snap dumps, disabled waits, calculating the size of your JES2 checkpoint. And my favorite of all, the CVT.
Your problem is implementing new security measures. I'd hate to be a project manager on that project. When your users lose the power they once had, they tie their issues to the entire VDI project. It can be hard explaining that the project is a success with an army of angry users. It can be even harder explaining the dichotmy between securing desktops and the VDI project which brings many other benefits to the table. Hindsight is 20/20, but I would have locked down desktops long before the VDI project just to get them used to the concept and work out any issues like applications that require the user to have admin access.
See, we have a bad situation where the previous administration allowed all users to be pretty much local admins without any desktop management. We first found out how bad it was when we set policies to limit local profiles and storage and directed everyone to utilize there network shares. Our storage requirements tripled in 4 months. As we scanned the file servers, we quickly found that 90% of the files should be deleted - mp3, avi, iso, etc. But, I digress... With the VDI solution, we regain control. The desktop is locked down, the profile is very structured and clean. Most aspects of the users interface is directed toward production - not entertainment. Those who conform are able to experience a wonderfully stable and efficient work tool. Unfortunately, many seek to dispove the validity of the solution so as to retain their play grounds.
Can go anywhere they go. We use Terminal Servers and devices are getting smaller and smaller. I would say is close to VDI if not the same. Can even log from home machines over the network.