Digital Works and VMware: VDI is Dead, Long Live VDI
Hello! Today we want to talk about how VMware, as a vendor, sees the VDI market.
Digitalization rules the world. Many companies no longer have a fixed work day, and some no longer have even a fixed workplace. Businesses need employees to always be in touch (at the very least, to read mail) and to respond quickly to events. That is, the ideal picture from the point of view of the business looks like this: the company has implemented convenient, transparent, secure access to working tools from any device, from anywhere in the world.
As it was before
Some 5-10 years ago it was different. Classic VDI reigned: Windows laptops and desktops were in the workplace, and every self-respecting company carefully deployed VDI and terminal farms locally. Companies actively tried to provide access to the virtual workstation from mobile devices so that the user could, for example, read their corporate mail or edit a corporate document. This way of working was, to put it mildly, uncomfortable. It is much easier for the user to open a mobile application, read mail, download a file, edit it in a mobile editor and send it further. People are accustomed to the daily use of mobile applications, instant messengers and social networks in their personal lives, and want to use the same convenient tools in their work. From a company’s point of view,
Since then, a lot has changed.
Mobile ecosystems have gone through a stage of explosive growth: today both Windows and macOS laptops are in use, and the mobile camp is split between Android and iOS, each with its own applications and development environments. The number of accounts in corporate systems and other services is increasing, as are the ways to access them: today we use not only passwords and smart cards, but also biometric authentication by fingerprint or face scan. The amount of information generated by users has increased many times over. We often repeat this phrase, but do not always attach sufficient importance to it, although this will leave us with less data that needs to be processed, transferred and stored.
In general, the classic VDI of 5-10 years ago is just a small piece of the modern concept of the digital workstation, which is changing rapidly under the influence of an accelerating world and the pressure to reduce Time-to-Market.
Now it is important not just to create virtual desktops and let users onto them, but to solve broader tasks:
- Manage user end devices (including smartphones, tablets, laptops).
- Manage user environment (dynamic configuration of user environment on any virtual workstations, user profile management).
- Get advanced analytics about user applications, sessions, devices, etc.
- Ensure high security of corporate data.
- Automate everything as much as possible.
Today, what is in demand is a digital workstation that supports access from any gadget and OS and works conveniently and seamlessly for the user, while being protected from hacking and penetration. What users need is not the desktop or environment that classic VDI provides, but specific applications as a service. A person wants to go to the corporate application portal, click a button and get the right application.
Therefore, at present, VDI is only part of a large ecosystem called the digital workplace.
Ultimately, everything is done so that the user can effectively solve their work tasks.
How to move from this beautiful idea to practical implementation?
What do they offer us today
A number of vendors today offer solutions of varying degrees of complexity, with which you can create an infrastructure of digital workstations. And today we’ll talk about how VMware sees this market.
A few years ago, VMware looked at where the world of end-user computing (infrastructure technologies for end users) was heading and acquired a number of companies in order to integrate their products into its own ecosystem, Workspace ONE.
There are various editions of Workspace ONE:
- Workspace ONE Standard
- Workspace ONE Advanced
- Workspace ONE Enterprise
- Workspace ONE Enterprise for VDI
All editions are available for purchase both as a cloud service and as software for installation in the customer's own infrastructure (on-premise). It should be noted that most Russian customers, for various reasons, prefer to deploy and use products in their own infrastructure, while Western customers often use cloud versions.
The main products included in Workspace ONE:
- Horizon - solves the problems of creating and managing virtual workplaces, and also includes important products for building a modern digital workplace:
  - AppVolumes, from the acquired company Cloud Volumes, implements layers that decouple applications from the virtual desktop, so that you can change the desktop at any time without any harm to applications and user data.
  - User Environment Manager (UEM), from the acquired company Immidio, allows you to personalize and dynamically manage the user environment, regardless of where the user connects from and on which device. Suppose you have configured how messages are displayed in Outlook and set up your signature: all these settings will follow you to any of your other virtual workplaces.
- Identity Manager - solves the task of creating a portal for access to various applications (cloud, legacy and web applications), as well as to virtual workstations. It implements the Single Sign-On mechanism for all corporate applications (both internal and third-party).
- Unified Endpoint Management (UEM), previously called AirWatch (the name of both the product and the acquired company), is a set of products that solves the task of centrally managing end-client mobile devices (iOS and Android) and modern versions of client operating systems (Windows 10, macOS) from which users receive access to corporate data.
A description of all the available functionality of each of these products could take several large articles. Below we will talk about the capabilities of VMware Horizon, without which building a modern digital workstation is impossible. A description of the possibilities for managing client workplaces will be given in one of our next articles.
Horizon is the basic product for creating and managing virtual desktop infrastructure.
VMware Horizon is available in several editions that differ from each other in the set of available functionality:
- Horizon Standard
- Horizon Advanced
- Horizon Enterprise
- Horizon for Linux
Recently, the approach to applying VDI in the corporate infrastructure and the approach to deploying the virtual machines themselves - virtual desktops - have changed a lot.
Let us explain in more detail.
Previously, we created Full-clones of virtual machines for each user, and if something in them had to be changed, we first had to update the original machine and then go through the long and tedious cloning process again, or use third-party configuration management tools (for example, System Center Configuration Manager). To store Full-clones, you need a storage system with well-functioning deduplication and compression technologies, and in case a Full-clone breaks down completely, you need to have a backup copy of it, or spend time reconfiguring such a unique virtual desktop.
In addition to Full-clones, Linked-clones were invented - they allowed saving disk space in storage at a time when compression and deduplication technologies at the storage level had not yet been developed. The administrator managed the “golden image”, filling it with what users need: office applications and corporate application clients. After that, the image was cloned, and users were given access to the clones.
The assumption was that nothing would be changed inside a Linked-clone (for example, no additional application would be installed in an already created virtual workstation), and all the data was stored on file servers. The administrator could quickly kill and redeploy such a clone.
In general, the scheme worked, but creating and editing a “golden image” and then redeploying virtual desktops was slow and inconvenient.
But problems with saving the user environment still persisted. The downtime of the service during the updates was greatly reduced, but it was not possible to get rid of it. The infrastructure itself was quite difficult to operate for IT staff.
VMware is currently focusing on Instant Clone technology. It allows you to quickly create a virtual machine (a virtual desktop) and provide it to the end user.
The essence of the technology is that a clone of an already running virtual machine is created on the fly and begins to use the same memory area as the parent virtual machine. At the same time, the child virtual machine cannot write to the shared memory area, only to the one specially allocated for it. Disk read and write operations are handled in a similar way, using the disk of the parent virtual machine.
The Instant clone implements the Just In Time Desktop approach: the contents of the image are minimized, and the management of settings and of access to applications is moved to separate levels. With this approach, virtual desktops are deployed in a few seconds (unlike Linked-clones).
But the fact is that an Instant clone is not a permanent workplace. After the user finishes, the virtual machine is deleted. To get rid of this drawback, a concept was proposed in the form of a separate framework, the Just In Time Management Platform (JMP) (https://techzone.vmware.com/resource/jmp-and-vmware-horizon-7-deployment-considerations). To personalize such a temporary workplace, the AppVolumes and User Environment Manager (UEM) products included in JMP are used.
According to the policies, virtual desktops are connected via VMware AppVolumes to designated read-only applications (AppStacks), as well as to dedicated writable disks that allow the user to save their data and install personal applications.
- AppVolumes is a technology for seamless delivery of applications and personal disks to virtual desktops. It includes:
  - AppStack - a prepared portable application or set of applications that is connected to user desktops in read-only mode. Technically, this is a separate virtual disk (vmdk file) that can be dynamically connected to user virtual workstations.
  - Writable disk - a personal virtual disk (vmdk file) associated with a specific user. This technology allows the user to save personal files, settings and registry data, and to install personal applications.
- User Environment Manager - user environment management in a virtual workplace. Responsible for redirecting user folders, mounting network drives, logon / logoff scripts, connecting printers, etc.
That is, VMware offers this approach: the user logs in, receives a virtual workstation with his applications and the applied environment settings, and works in peace. When the user logs out, the virtual machine is destroyed. The next time the user logs in, a new VM is created, which is again dynamically assembled from components, like a construction kit. And individual workplaces can be assembled for different employees.
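The lifecycle described above, as a small conceptual model in Python. This is an added example, not VMware code: the classes `ParentVM`, `InstantClone` and `Session`, the functions `logon`, `logoff` and `demo`, and all sample data are hypothetical and only mirror the behaviour the text describes (shared parent state, private writes, clone destroyed at logoff, writable disk kept).

```python
from dataclasses import dataclass, field

@dataclass
class ParentVM:
    """Running parent VM; its pages are shared read-only with every clone."""
    pages: dict

@dataclass
class InstantClone:
    """Child VM: reads fall through to the parent, writes go to a private delta."""
    parent: ParentVM
    delta: dict = field(default_factory=dict)

    def read(self, page):
        return self.delta.get(page, self.parent.pages[page])

    def write(self, page, data):
        self.delta[page] = data  # copy-on-write: the parent page is never touched

@dataclass
class Session:
    user: str
    clone: InstantClone
    appstacks: tuple   # read-only application layers chosen by policy
    writable: dict     # per-user writable disk, outlives the clone

def logon(user, parent, policy, volumes):
    """Assemble a desktop: fresh clone + entitled AppStacks + the user's writable disk."""
    return Session(user, InstantClone(parent), tuple(policy.get(user, ())),
                   volumes.setdefault(user, {}))

def logoff(session):
    """Destroy the clone; only the writable disk is kept."""
    session.clone = None

def demo():
    parent = ParentVM({0: "kernel", 1: "clean system file"})  # constructed sample data
    policy = {"alice": ["office-v1"], "bob": ["office-v1"]}
    volumes = {}
    alice = logon("alice", parent, policy, volumes)
    bob = logon("bob", parent, policy, volumes)
    alice.clone.write(1, "modified system file")          # change inside one clone
    alice.writable["outlook_signature"] = "Regards, Alice"
    seen = (alice.clone.read(1), bob.clone.read(1), parent.pages[1])
    logoff(alice)
    policy["alice"] = ["office-v2"]                        # administrator swaps the AppStack
    alice2 = logon("alice", parent, policy, volumes)
    return {
        "during_session": seen,
        "after_relogon_page": alice2.clone.read(1),
        "after_relogon_apps": alice2.appstacks,
        "after_relogon_volume": dict(alice2.writable),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Changes made inside the clone are visible only to that clone and disappear at logoff, while everything placed on the writable disk comes back at the next logon, so the writable disk is the part of the desktop whose contents persist and need to be governed by policy.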
Such a scheme greatly simplifies support. For example, before, in order to update applications, the administrator first installed fresh versions, created a new “golden image”, clicked the “Update” button, and in a few hours new virtual workstations were deployed. And in the case of Instant-clones, everything happens “live” and takes literally minutes: the user logged out, then logged in again and got into a new workplace with updated applications.
When using AppVolumes, the administrator prepares a new AppStack (a container for the application) and presses a few buttons; the old container is detached from the user, the new one is attached, and the update is ready.
To put it in marketing language, time-to-market has shrunk significantly.
Putting all this together, we get a single ecosystem in which the user can most comfortably access corporate data and applications from any workplace, while for the administrator, access to data is secure and infrastructure management is simplified.
The Horizon bundle, starting with the Advanced edition, includes a license to use the VMware vSAN hyper-converged storage system, which no other vendor on the market offers. By purchasing Horizon software as a standalone product or as part of the Workspace ONE platform, customers no longer need to think about where to place virtual desktops.
Corporate app store
Another interesting feature is the corporate app store. This is a portal on whose pages users can choose the tools they need, run them immediately and use them. This portal can be implemented using the VMware Identity Manager application, which is part of VMware Horizon Enterprise and, depending on the required functionality, of various editions of Workspace ONE.
The portal authorizes the user and, based on the prescribed policies, shows which corporate resources an employee can use, which applications will be available to him.
In addition to the company's own applications, the store can publish cloud applications hosted by service providers or SaaS providers. The user does not need to remember a bunch of links; it is enough to click on the shortcuts in the store: “Click here to access the application management system”, “Click here to get to the laboratory for deployment of the environment, testing”, “Click the icon, and it will start your workplace with the necessary access”, and the like.
The user does not even need to remember where to go, everything you need can be placed on a kind of showcase, which is collected individually for each employee in accordance with the policies.
A single portal is also very convenient for onboarding new employees: there is no need to maintain corporate knowledge bases that are always out of date. You can forget about the situation when the user does not know what applications are used in the company, or how to find and use them. And when the user quits, the administrator will be able to quickly and centrally block all access. There is no need to go through all the systems separately, and if the administrator is distracted or invited to drink tea, he will not accidentally leave some of the access open.
You can log in to the portal using a password or two-factor authentication. Since this is one of the key security mechanisms, management of the login method is centralized. Usually, the user only needs to enter the password once (Single Sign-On), and inside the system he will be able to switch between applications and services as much as necessary, without having to confirm his identity again or enter passwords anywhere. The user does not need to remember many different passwords, which, as a result, are often written down on a piece of paper and put under the keyboard.
Clouds and Services
All of the above wealth does not have to be deployed and maintained in your own infrastructure. From the cloud, you can get Identity Manager, Unified Endpoint Management (aka AirWatch), or even VDI entirely as a service. In this case, specialized connectors are deployed in the customer's own infrastructure. This approach frees the administrator from updating infrastructure components and ensuring their availability and backup, allowing him to focus on end-user problems.
Of course, such a model is not suitable for a bank or government organization, but many commercial companies can transfer the costs of IT infrastructure using the cloud to the category of operating expenses, thereby optimizing the budget and minimizing their expenses. If the need for some component of the cloud IT infrastructure disappears, it is enough to abandon it.
Together with the vendor, we implemented a pilot project of an application store with one large telecom operator. VMware colleagues helped set up Unified Endpoint Management (Airwatch) for managing end-user devices, and we set up virtual machine provisioning, installing brokers, specialized security servers, Unified Access Gateway, AppVolumes, UEM.
Technologically, the scheme was as follows:
- Unified Endpoint Management manages user devices.
- Horizon organizes the creation and deployment of terminal tables, RDSH.
- Virtual machines running the terminal server role run business applications.
- Access to business applications is via Identity Manager from any user device, including smartphones, tablets and laptops.
Virtual terminal servers were created using Linked-clone technology, but in general it was possible to use Instant-clones, which were just coming into use. After the virtual terminal servers were deployed, applications packaged in AppStacks were automatically connected to them, after which the published business applications automatically appeared on the portal. That is, the user does not even know that he is logging on to a terminal farm that runs on virtual machines on the VMware virtualization platform. The user sees just the icon of a business application or, if necessary, a full virtual workstation.
Information could be accessed not only from VMs, but also from any mobile device. For example, on the iPad, in two clicks, you could open documents stored in the corporate document repository. At the same time, the document itself could not be copied to the mobile device or to any other external storage, which kept confidential documents safe within the corporate infrastructure. The project was successful, and afterwards the customer continued to maintain the system himself. That is, Workspace ONE does not require you to depend on a vendor or integrator for life: it is enough to deploy and configure the system, and then you can maintain and reconfigure it on your own.
Recall that the Workspace ONE system consists of three main blocks:
- Horizon is the good old VDI.
- Identity Manager is an application portal that can be purchased separately or as part of Horizon.
- Unified Endpoint Management - client device management.
Together, they solve several big problems when creating digital workplaces:
- Simplify administration.
- Protect information.
- Automate as much as possible.
- Provide usability.
The last item is far from the last in importance. If the result of combining several technologies is inconvenient to use, then the benefits of the innovation will be small, because people will do everything they can to avoid the pain imposed on them. Employees should not have to suffer from poor UX (user experience); corporate tools should be as convenient to use as the best commercial ones. Of course, not to the detriment of information security.
So, thanks to the acquisition of companies and the adaptation of their software products, VMware has developed the Workspace ONE product line for creating a digital workspace environment in which a virtual machine with an OS does not play a key role. You can recreate it at any time, and this will not affect the user in any way: all his files, settings and applications will remain in their places. And it does not matter which device is used for access.
Dmitry Gorokhov, Head of Virtualization Department, Jet Infosystems