kennisportal€¦ · user environment management smackdown version 2.1 february 2014 page i © 2014...

User Environment Management (UEM)

Smackdown

Author(s) : Ruben Spruijt

Version: 2.1

Date: February 2014

User Environment Management

Smackdown

Version 2.1 February 2014 Page i

© 2014 PQR, all rights reserved.

All rights reserved. Specifications are subject to change without notice. PQR, the PQR logo and its tagline Eenvoud in ICT are trademarks or registered trademarks of PQR in the Netherlands and/or other countries. All other brands or products mentioned in this document are trademarks or registered trademarks of their respective holders and should be treated as such.


Smackdown

Version 2.1 February 2014 Page ii

CONTENT

1. Introduction .............................................................................................................................. 1

1.1 Objectives ................................................................................................................................. 1

1.2 Intended Audience .................................................................................................................... 1

1.3 Vendor Involvement ................................................................................................................. 1

1.4 Suggestions and improvements ................................................................................................ 1

1.5 Contact ...................................................................................................................................... 2

2. About......................................................................................................................................... 3

2.1 About PQR ................................................................................................................................. 3

2.2 Acknowledgments ..................................................................................................................... 3

2.3 Quote’s ...................................................................................................................................... 6

3. User Environment Management .............................................................................................. 7

3.1 Strategy ..................................................................................................................................... 7

3.2 The essence of Application and Desktop Delivery .................................................................... 8

3.3 Layering the Cake and Application Delivery ............................................................................. 8

3.4 User Centric Computing ............................................................................................................ 9

3.5 The essence of User Environment Management (UEM) ........................................................10

3.6 The History of UEM .................................................................................................................11

3.7 Why UEM? ..............................................................................................................................11

3.8 UEM Functionality ...................................................................................................................12

3.9 UEM Strategy ..........................................................................................................................13

3.10 Desktop Transformation requires User Environment Management ......................................16

3.11 What’s in a name? ..................................................................................................................18

3.12 Frequently Asked Questions (FAQ) .........................................................................................22

4. UEM Functionality ...................................................................................................................26

4.1 User Profile Management .......................................................................................................26

4.2 User Personalization, Application and Desktop Management ...............................................30

4.3 Application Access Control, Security Management and User Rights Management ...............30

4.4 Resource Management ...........................................................................................................31

4.5 License Management ..............................................................................................................31

4.6 Monitoring, Auditing and Reporting .......................................................................................32

4.7 Configuration within Application Delivery ..............................................................................32

5. Solution Overview ...................................................................................................................35

5.1 Introduction ............................................................................................................................35

5.2 Vendor matrix, who has focus on what!? ...............................................................................36

5.3 Appsense .................................................................................................................................37

5.4 Citrix ........................................................................................................................................42


Smackdown

Version 2.1 February 2014 Page iii

5.5 Immidio ...................................................................................................................................45

5.6 Liquidware Labs ......................................................................................................................50

5.7 Microsoft (Group Policy, Group Policy Preferences and AGPM) ............................................53

5.8 Microsoft User Experience Virtualization (UE-V) 2.0 ..............................................................57

5.9 Norskale VUEM .......................................................................................................................59

5.10 PolicyPak Software ..................................................................................................................62

5.11 Quest (Dell) .............................................................................................................................68

5.12 RES Software ...........................................................................................................................69

5.13 Scense .....................................................................................................................................75

5.14 Tricerat ....................................................................................................................................79

5.15 Unidesk ...................................................................................................................................82

5.16 VMware View Persona Management .....................................................................................86

6. UEM features Comparison ......................................................................................................88

6.1 Introduction ............................................................................................................................88

6.2 Roadmap and Future additions ..............................................................................................90

6.3 Feature Compare Matrix .........................................................................................................91

6.4 Generic features and functionality .........................................................................................92

6.5 User Profile Management .....................................................................................................102

6.6 User Personalization, Application and Desktop Management .............................................106

6.7 Application Access Control, Security Management ..............................................................114

6.8 Resource Management .........................................................................................................120

6.9 License Management ............................................................................................................122

6.10 Monitoring, Auditing and Reporting .....................................................................................124

7. Conclusion .............................................................................................................................129

8. Change Log ............................................................................................................................131

9. Appendix: A-Team (PQR) members ......................................................................................138


Smackdown

Version 2.1 February 2014 Page 1

1. INTRODUCTION

Do you want to know the different User Environment Management solutions? Do you want to

know the role of UEM in Application and Desktop Delivery solutions such as VDI? Are you look-

ing for insights into User Environment Management? Are you looking for an independent

overview of the User Environment Management (UEM) solutions and curious about the differ-

ent features- and functions each UEM vendor is offering? If so, this is the whitepaper you

MUST read!

In the current market, there is an increasing demand for unbiased information about User En-

vironment Management solutions. This white paper focuses on solutions that are anticipated

to have an important role in User Environment Management. An overview of features has

been created to enable a better understanding and comparison of capabilities

1.1 OBJECTIVES

The overall goal of this whitepaper is to share information about:

What is User Environment Management?

Explain the pros and cons of User Environment Management.

Describe the strategic questions and functionality of UEM solutions.

User Environment Management functionality and solutions overview.

Describe the different UEM vendors and their solutions.

Compare the functionality and features of various UEM solutions.

1.2 INTENDED AUDIENCE

This document is intended for IT Managers, Architects, Analysts, System Administrators and IT-

Professionals in general who are responsible for and/or interested in designing, implementing

and maintaining User Environment Management solutions.

1.3 VENDOR INVOLVEMENT

All major vendors whose products are analyzed and described in the feature comparison have

been approached in advance to create awareness of this whitepaper and discuss the different

features and functionality.

1.4 SUGGESTIONS AND IMPROVEMENTS

We’ve done our best to be truthful, clear, complete and accurate in investigating and writing

down the different solutions. Our goal is to write an unbiased objective document where pos-

sible, which is valuable for the readers. If you have any comments, corrections or suggestions

for improvements of this document, we want to hear from you. We appreciate your feedback.

Please send e-mail Ruben Spruijt ([email protected]) include the product name and version number

and the title of the document in your message.

mailto:[email protected]


Smackdown


1.5 CONTACT

PQR; Tel: +31 (0)30 6629729

E-mail: [email protected]; www.pqr.com;

Twitter: http://www.twitter.com/pqrnl

THIS DOCUMENT IS PROVIDED "AS IS"

WITHOUT WARRANTY OF ANY KIND

FOR REFERENCE PURPOSES ONLY

COPYRIGHT PQR

PUBLISHING IN PART OR WHOLE IS PROHIBITED WITHOUT WRITTEN APPROVAL


http://www.pqr.com/

http://www.twitter.com/pqrnl


Smackdown


2. ABOUT

2.1 ABOUT PQR

PQR is a professional ICT infrastructure company focusing on the availability of data, applica-

tions and workspaces with optimized user experience in a secure and manageable way. PQR

provides its customers innovative ICT solutions, from on premise to cloud management, with-

out processes getting complex. Simplicity in ICT, that’s what PQR stands for.

PQR has traceable references and a wide range of expertise in the field, proven by many of our

high partner statuses and certifications. PQR is a Citrix Platinum Solution Advisor, HDS Tier 1

Platinum Partner, HP GOLD Preferred Partner, Microsoft Gold Partner, NetApp Star Partner,

RES Platinum Reseller, VMware Premier Partner en VMware Gold Authorized Consultant Part-

ner. PQR’s approach is based on four main pillars:

Data & System Availability;

Application & Desktop Delivery ;

Secure Access & Secure Networking;

Advanced IT Infrastructure & (Cloud) Management.

PQR, founded in 1990, is headquartered in De Meern and has over 107 employees. In fiscal

year 2011/2012 posted sales of € 94.9 million and a net after tax profit of € 4.6 million have

been recorded. www.pqr.com

2.2 ACKNOWLEDGMENTS

Team leader

Ruben Spruijt is CTO and focuses primarily on Enterprise Mobility, Virtualization,

Application and Desktop Delivery – tomorrow’s workspace. He is actively in-

volved in determining PQR’s vision and strategy. Ruben is a Microsoft Most Val-

uable Professional (MVP), Citrix Technology Professional (CTP) and VMware vEx-

pert and is the only European with these three virtualization awards. He gives

customers advice and has them benefit from his expertise; he motivates his col-

leagues and writes blogs, articles and opinion pieces on a regular basis. During

presentations in several national and international congresses, Ruben shares his

thoughts and knowledge on application and desktop delivery, and on virtualization solutions.

To contact Ruben at [email protected] or on twitter

http://www.pqr.com/

http://mvp.microsoft.com/en-us/default.aspx

http://community.citrix.com/display/cdn/Citrix+Technology+Professionals

http://communities.vmware.com/docs/DOC-18314

http://communities.vmware.com/docs/DOC-18314


http://www.twitter.com/rspruijt


Smackdown


Special thanks for Aaron Parker: Experienced Solutions Architect with

a highly technical and specialized background. Skilled in the art of

communicating and presenting to all levels. Assists customers in turn-

ing business requirements into strategies and converged solutions for

End User Computing, Desktop Virtualization, BYOD, MDM, MAM and

MIM.

Awarded for community leadership and involvement with Citrix Tech-

nology Professional (since 2012), Microsoft MVP (2011, 2012, and

2013) and AppSense Community Advisor (since 2012). Regular speaker

at events including Citrix Synergy (US/EU), BriForum (US/EU), E2EVC and the UK Citrix User

Group. You can find him blogging at stealthpuppy.com or contributing to and moderating the

TechNet App-V forums. Based in London, UK with an understanding family. To contact Aaron

directly send an email to [email protected] Follow Aaron on twitter: @stealthpuppy

Jeremy Moskowitz, Group Policy MVP: Jeremy is an 11-year recipient

of the Microsoft Group Policy MVP award and runs GPanswers.com for

Group Policy training and consulting. He also leads the solutions design

at PolicyPak Software. Jeremy contributed the Microsoft Group Policy

and Microsoft UE-V sections as well as the PolicyPak section. Follow

Jeremy on twitter @jeremymoskowitz or at www.GPanswers.com or

www.PolicyPak.com

Personal note from Ruben: I would give a special thanks to Aaron and

Jeremy who simply did an incredible job in investigating and reviewing various User Profile

Management solutions and contributing to the white paper. The amount of effort and private

time spend is extraordinary… Thanks!!

Community effort

A BIG thanks to: Rob Aarts and Jurjen van Leeuwen.

Thanks for their effort and support in reviewing this whitepaper.

A-Team!

Only through the effort and persistence of the ‘PQR - UEM Smackdown’ team we achieved the

goals, a big thanks to them!

Team Member Job description Email Twitter

Rob Beekmans Sr. Consultant [email protected] @robbeekmans

Matthijs Haverink Consultant [email protected] @vf_matt

Sven Huisman Consultant [email protected] @svenh

Jits Langedijk Consultant [email protected] @jrlangedijk

Anton van Pelt Consultant [email protected] @antonvanpelt

Peter Sterk Solutions Architect [email protected] @petersterk


http://www.twitter.com/stealthpuppy

http://www.twitter.com/jeremymoskowitz

http://www.gpanswers.com/

http://www.policypak.com/

mailto:%[email protected]

mailto:%[email protected]


http://www.twitter.com/robbeekmans


http://www.twitter.com/vf_matt


http://www.twitter.com/svenh


http://www.twitter.com/jrlangedijk


http://www.twitter.com/antonvanpelt


http://www.twitter.com/petersterk


Smackdown



Smackdown


2.3 QUOTE’S

"Whether you want to get the latest insights on desktop virtualization or you are new to the

space and need to quickly understand it, the UEM Smackdown is the essential guide to read. It

provides detailed analysis of the different offerings in the market today and gives an overview

of the strategic questions one should evaluate. This guide will be an excellent companion on

your Application and Desktop Delivery journey. Kudos to PQR for their continuing effort."

Bob Janssen, CTO and Founder, RES Software

"As the UEM space continues to grow and mature, the capabilities of the solutions and prod-

ucts in this space are evolving - PQR's UEM Smackdown educates the world on the depth and

complexity of delivering true User Environment Management, and highlights the many differ-

ent areas of functionality required for a comprehensive solution that can scale for organiza-

tions of all sizes. It is important for the technical community to have an independent, detailed

review of UEM solutions and at AppSense, we're delighted to see PQR fill that void."

Jon Rolls, VP Product Management, Appsense

“The UEM Smackdown is a good resource for starting your evaluation of UEM products. Desk-

top transformation involves many steps and User Management is an important one to get

right. Choosing the best solution for your organization based on architecture, features, and

value is essential and the UEM Smackdown of PQR brings this information together in one doc-

ument.”

Jason Mattox, CTO, Liquidware Labs


Smackdown


3. USER ENVIRONMENT MANAGEMENT

3.1 STRATEGY

If there is a trendy word in the IT industry, then, as well as Cloud Computing, this has to be

“virtualization”. Virtualization is nothing more than the decoupling of IT resources. The most

common forms of virtualization include network, storage, hardware / server, desktop and ap-

plication virtualization.

Application and Desktop Delivery is a process which has the goal of offering applications inde-

pendent of location and workstation, so that the user can work onsite, online, offsite and of-

fline anywhere and at any time. The dynamic delivery of applications is an essential functional-

ity and part of a broader strategy of an optimized Desktop. Managing the User Environment

and various Devices is a key element in maintaining the Application and Desktop Delivery in-

frastructure.

When studying and determining which Application and Desktop Delivery Solution and User

Environment and Client Device Management solution best suits the users and your organiza-

tion, it is essential that you ask yourself three questions:

1. What is the execution platform for the applications?

Within the execution platform, system resources such as the CPU, memory, disk and network

are used in order to execute the Windows and web-architected applications. The most fre-

quently used execution platforms include: Desktop, Laptop, Mobile Smartphone, Virtual Desk-

top Infrastructure and Remote Desktop Services. The choice of execution platform is the most

fundamental decision made! The applications are executed locally on the device or centrally in

a datacenter. Every platform has its own characteristics. In practice, every organization actual-

ly possesses a mixture of workstation access scenarios. The theories: “Less is more”, “Cut out

the exceptions” and “Manage Diversity” should always be in mind!

2. In what way are applications delivered and available on the execution platform?

An execution platform is great; but if there are no available applications, the platform is of no

real value to the end-user. The second question is this: How do the applications get onto the

execution platform?! A number of solutions exist for delivering Windows applications; the

most frequently used forms include installation, virtualization or remote presentation.

With installation, applications are delivered to the workstation and, where possible, installed

in an unattended manner. The execution platform is altered after the installation process is fin-

ished. Installing the application as a core component in the base image is also possible.

When applications are made available by means of Application Virtualization, they are availa-

ble ‘on demand’ on the execution platform. No adjustments are made to the execution plat-

form.

3. How are the execution platform and the applications managed from an IT-Pro and

from an end-user perspective?


Smackdown


An execution platform with a variety of Windows and web-architected applications are great

but how do you manage and maintain this environment? In a Bring Your Own Computer sce-

nario where does managing the environment start and where does it end? How is the desktop

composed from a user perspective? What are the different Access Scenarios? These and more

questions fit with this third question: How do we control, maintain and support the Desktop as

a concept and as an endpoint device from an IT Pro and end-user perspective.

3.2 THE ESSENCE OF APPLICATION AND DESKTOP DELIVERY

Making applications available to the end-user, regardless of the technology being used, is the

ultimate strategic objective of an Advanced ICT infrastructure. Maybe it’s a good time to use

the term business-consumer instead of end-user.

The delivery of the desktop as a concept can be divided in two worlds. The classic desktop and

laptop, running Windows, Linux or Mac OS X and the virtual desktop. In essence Desktop Vir-

tualization is the de-coupling of the desktop, the operating system and the end-user applica-

tions from the underlying endpoint or device. This kind of virtualization can be subdivided into

two types.

With the first type of virtualization, the end-user applications are executed remotely, server

hosted, and presented at the endpoint via a Remote Display Protocol. With the second type of

Desktop Virtualization solution, the applications are executed at the endpoint, client-side, and

presented locally on this workstation.

The above description outlines the first question: “What is the execution platform for the ap-

plications?” The second question: “In what way are applications delivered and available on the

execution platform” can be answered easily.

In most infrastructures the applications are web-architected or Windows-based. The ratio of

Web vs. Windows applications depends on the vertical, customer, history, legacy, innovation

and control of Application Development. Windows end-user applications can be installed

manual, automatic or integrated in the base-image or Windows applications can be virtualized

using Application Virtualization or Virtual Disk layering solutions.

A complete overview of all the Application and Desktop Delivery Solutions can be found here.

3.3 LAYERING THE CAKE AND APPLICATION DELIVERY

The “Layered Cake” model can express virtualization pieces. In essence, the goal is to break up

(or isolate) the Operating System (OS), the Applications (Apps) and the User Components.

The last part, User Components are made up of Personalization, Policy, User Rights Manage-

ment, User Installed Applications, and User Data (to name just a few pieces).

The goal with this separation is to create a loosely coupled infrastructure where it’s easier to

create a very dynamic Application and Desktop Delivery solution. In essence it’s a combination

of User Environment Management (UEM) and Application (APP) and Desktop Delivery (ADD)

solutions, such as VDI and Application Virtualization. At the end-of the day, getting to a “Lay-

http://www.pqr.com/images/PQR/Visuals/Schemas/PQR-schema_ApplicationDesktopDelivery.jpg


Smackdown


ered cake” methodology will help achieve Desktop Transformation and help achieve a Dynamic

Workspace for users.

Application Delivery

There are different methods of delivering applications to end-users, as explained in the dia-

gram below. It’s important to understand each method as well as the solutions and vendors in

this space. Each can provide solutions for this delivery method and the functionality, agility

and flexibility an end-user will receive. Most scenarios in the real world will be a Hybrid. In the

end, however, from an end-user perspective it should be transparent. With transparency

comes User Environment Management.

3.4 USER CENTRIC COMPUTING

More and more customers are designing, building and maintaining hybrid-style, flexible Appli-

cation and Desktop Delivery solutions. Customers are using a mix of traditional desktops and

laptops, Server Hosted Desktops using VDI and Remote Desktop Services, Web applications,

Application Installation and Virtualization in a mixed Operating System environment. The de-

vices are both managed and unmanaged (Bring Your Own Computer Scenarios).

User Environment Management delivers and maintains the User Workspace in a clear, visible,

predictable and profound way independent of the Application and Desktop Delivery concept

and understands the context of the user Access Scenario. Having a clear view of the access

scenarios, also known as personas, is essential and crucial for a complete Application and

Desktop Delivery solutions. The focus on the user context:

Who: Users; groups, personas;

Which: Device; capabilities managed and un-managed;

Where: Location; Online, Offline, offsite and onsite;

What: Applications, IT and end-user driven; services, resources, data content;

When: 24x7, specific times.

Figure 1: Application delivery methods


Smackdown


This is essential and needs to be unified in a User Environment Management solution. Concen-

trate on the users Environment means User Centric Computing.

At the end of the day customer will have a hybrid Application and Desktop Delivery infrastruc-

ture. For the end-user, the business consumer, application access needs to be transparent.

Transparency should mean that applications, desktop delivery, management and infrastruc-

ture are accounted for within various “Access Scenarios”. These scenarios should contain:

User/Role/Persona;

Applications/Services;

Devices;

Location;

Context Awareness.

Access scenarios need to be clear, profound and are part of the overall Application and Desk-

top Delivery Design process.

3.5 THE ESSENCE OF USER ENVIRONMENT MANAGEMENT (UEM)

The third question: “How are the execution platform and the applications managed...” needs

to be divided in an IT-Pro and end-user focused section.

Traditionally the endpoint is maintained with Client Management or PC lifecycle management

solutions such as Altiris Deployment Solution, IBM BigFix, Microsoft System Center Configura-

tion Manager, Novell ZenWorks and others.

The key functionality of these kinds of products includes: OS deployment, application deploy-

ment, asset management, inventory, integration with CMDB and remote control. The primary

focus of the Client Management solutions is the client device and not primarily the end-user’s

workspace.

Handling the User Environment, or User Workspace, isn’t in scope of the traditional approach

of most of the Client Management Solutions. Large software vendors are so focused on the

management and maintenance of ICT systems that they tend to forget the other important

half, focus on the user side of this management.

Users need to have a simple, uniform, fast and reliable workspace environment. Administra-

tors would like to be able to manage this (Windows) workspace centrally, regardless of wheth-

er it is a physical or virtual workplace, implemented locally or centrally and whether the (Win-

dows) applications are installed, streamed or virtualized. In many organizations the term ‘User

Environment Management’ is still relatively unknown.

Our Definition of User Environment Management:

“User Environment Management (UEM) is a software solution that facilitates the management

of the user environment and creates a dynamic, cost effective and for the business-consumer, a

transparent working environment. The focus is primarily on the end-user and his environment

and not on the end user's device”. Ruben Spruijt – CTO PQR


Smackdown


Our experience is when the organization understands the meaning of user workspace man-

agement and sees the opportunities and benefits this provides to the users and the IT organi-

zation, the customer is often surprised that this solution has not been applied earlier.

3.6 THE HISTORY OF UEM

Various User Environment Management solutions in the today’s market typically have come

from a Server-based Computing (Terminal Server or Citrix XenApp) environment where users

either execute full remote desktops or published applications. Server farms were often siloed

to reduce application conflicts. Silos have then introduced problems ensuring that user’s pref-

erences are available across different hosts and kept consistent between sessions.

Some other User Environment Management solutions started in the classic desktop market

where users executed applications locally but suffered from long logon times. Besides this, it

was harder to design setup and maintain a flexible workstation or roaming scenario because of

complexity and cluttering of User Profiles and Logon Scripts.

Roaming Profiles are not granular enough to reduce last-write-wins scenarios that occur in si-

loed Terminal Server farms or where users connect to multiple desktops simultaneously. By

being able to manage user preferences by application rather than a single profile per-OS, IT

can provide users with a more seamless desktop experience.

Logon scripts have been the solution that every organization has used to configure the user

environment. Often written in VBscript or KiXtart, these scripts aren’t usually optimized for

speed (processed synchronously and often they are single threaded). Additionally they have

been restricted to user logon and logoff and therefore must cater for anything the user could

potentially do during their session. Scripts also have to be maintained by engineers who un-

derstand scripting technologies, which is good for job security but bad for continuity, agility

and supportability.

Some organizations have even written their own UEM solutions in house. Organizations with

access to in house developers have designed, built and managed custom solutions written spe-

cifically for their needs; however this can introduce a management overhead that wouldn’t

normally be associated with off the shelf solutions.

3.7 WHY UEM?

In conversations with customers and during workshop sessions we regularly receive the ques-

tion: “What are the primary reasons for implementing User Environment Management Solu-

tions?” The answers are as varied as they are many:

Improve user experience and consistency across different platforms, VDI, SBC and lo-

cal Laptops and Desktops.

Create a transparent User Environment independent of the various delivery solutions

and empower a smooth Desktop Transformation.

Improves end-user mobility, access personalized applications and settings from any

machine, any Windows Operating System- Roaming users.

It stabilizes Windows user profiles.


Smackdown


Gain control over user profiles and truly manage them.

Accelerated and consistent logon times.

Makes migration from old to new Operating Systems and Application Delivery solu-

tions easier. Even rollback scenario’s from a new Operating System back to an old sys-

tem is possible.

Replace custom (legacy) scripts.

Central and uniform management of the User Environment is key and will result in

happy administrators and users and lower Total Cost of Ownership (TCO). Delegation

of control is essential in such a management solution.

Provide better and granular support of user and application preferences. Never delete

or restore entire user profiles.

It controls, facilitates and enforces user access to applications, file-types, (removable)

devices, network and data resources.

User centric computing gains context awareness. Based on user location, device and

custom settings, access to applications, data, network resources, devices and prefer-

ences is dynamically facilitated and from a security perspective enforced.

It facilitates Resource Management to control and optimize usage of CPU, Memory re-

sources with focus on applications and (Virtual) Desktops.

The end-user is able to install applications on his (virtual) desktop even without Ad-

ministrator Rights. User Installed applications with Dynamic Privileges, ideal for BYOD

(Bring Your Own Device) and scenarios where dynamic application delivery in a static, -

controlled desktop environment is needed.

It gives administrators and managers insights and reporting capabilities in Windows,

Web applications, (virtual) desktop and license usage. It enforces license compliancy

to various licensing models. Application licensing can be measured, tracked, enforced,

or controlled, where needed.

Delivers detailed information on changes inside the User Environment Management

environment that are needed as requirement for compliancy and certification stand-

ards such as Persona Information Acts (HIPAA), ISO 27001, SOX and NEN 7510.

User Environment Management is an essential part in ‘layering the cake’ strategy, which

means to separate (Physical) Hardware, Operating System, Applications and User Personal-

ization.

3.8 UEM FUNCTIONALITY

In a User Environment Management solution user personalization, applications and data need

to be portable and context aware. The focus of UEM Solutions is the dynamic composition of

the Users’ Environment. The environment, or workspace, is dynamically composed where the

solution handles:

User Personalization, Application and Desktop Management; Application settings and

configuration preferences, User Personalization such as printer settings.

User Profile Management; Manage Windows User profiles; local, roaming, hybrid,

mandatory.


Smackdown


Application and Access Control, Security Management; enforce access to applications,

persona and context aware.

Resource Management; Application performance optimization and management.

License Management: insights, reporting and enforcing the use of licenses.

Application Delivery: User centric Application Installation with Dynamic Privileges, Us-

er Installed Applications.

Monitoring, Auditing and Reporting facilities on various levels with focus on the user

environment.

User support; facilitating user support.

This functionality needs to be independent of:

Operating System version (e.g. Windows XP, Windows 7/8, Windows Server

2008/2012R2);

Processor architecture/platform (32-bit or 64-bit);

Application Deployment (e.g. MSI, Application Virtualization, web-architected applica-

tions and Remote Delivery via VDI or Remote Desktop Services – and across any com-

bination);

User Profile (e.g. local, mandatory, roaming);

Client Device (e.g. managed, un-managed);

User Context (e.g. online, offline, offsite, onsite scenario’s using Laptops, Desktop,

Remote Desktop Services and VDI solutions with trusted and untrusted devices).

“User Environment Management is a key element in Application and Desktop Delivery strategy,

and empowers the Desktop Transformation”

3.9 UEM STRATEGY

The growing reality of the transition to a dynamic datacenter is causing many IT organizations

to re-evaluate traditional IT operations, support, and management methods. Virtualizing the

Desktop is a reasonable piece to support growing numbers of unmanaged desktops, external

users and other use-case scenarios. Managing the (virtualized) Desktop is an essential compo-

nent in the complete stack. It’s important to have a Vision and Strategy around Application

and Desktop Delivery. Designing, building, managing and maintaining the vDesktop infrastruc-

ture using the right Technologies, corresponding vendors and products is an important last

step.

We see many organizations primarily focusing on features, products and vendors and lacking a

clear and profound overall vision and strategy. This approach isn’t good or bad, it depends on

what the goal of the organization is. When the organization needs a point solution, the various

vendors and corresponding products can help to solve this issue and fill the demands.

When the organization is investigating possibilities, advantages, use cases and functionality of

User Environment in the “Optimized desktop”, a profound vision and strategy should be in

place. The following discussions and corresponding topics should be part of the strategy:

What are the use-cases? And does the use-case require UEM?


Smackdown


What do I want to achieve?-, lowering TCO, business enabler, overall cost of owner-

ship and cost reducer?

What is the Business-case? What do you expect as a ROI?

Are you investigating a tactical (point)-or strategic solution? What do you want to

solve?

Is the solution complex to design, build and support? What is the impact on user ex-

perience and perceived performance? What the experience for IT Professionals using

the solution on a daily basis?

What’s your desktop delivery and migration strategy for Windows 7 and Windows

8.1?

Are you looking for a phased or big bang migration scenario? How do you take care of

profile changes during a migration (v1 and v2)? What is your rollback strategy when

all the user and application settings are migrated to Windows 7?

When do you refresh your Desktop OS with Windows 7?

Are you planning for delivery applications to a Windows Desktop OS or Windows

Server OS, in a Remote Desktop Services Session Host (RDSH) scenario?

Is work shifting a key driver for the Optimized Desktop? How are the roaming/flexible

and mobile users within the organization facilitated? How do you take care of Applica-

tion- and Desktop Delivery when the user has different Access scenarios? How do you

manage this user environment in different access scenarios?

How do you achieve consistent and uniform user environment across Desktop, Lap-

top, VDI and Remote Desktop Services in managed and un-managed scenarios?!

What is the strategy around Client Management, also known as PC Life Cycle Man-

agement, solutions and how does User Environment Management fit in the strategy

and technical decisions?

Do you need centralized and uniform management of the user environment? Do you

need delegation of control? How granular do you need this control?

How do you design, control and maintain logon scripts and user profiles? Are you fac-

ing long logon times to your environment and applications? How do you gain control

on user profiles and login scripts? Would your end-users benefit from a Profile clean-

up? Are you facing profile corruptions?

How do you handle all the application and user preferences such as printers, file-

types, drive mappings, access to applications, data, and network resources and appli-

cation settings? Is this needed for Desktop, Laptop, VDI and Remote Desktop Services?

Scripting?

Scripting, how many people really understand the complex and often legacy internal

scripts? How agile are these scripts and settings?

Is Application Virtualization in scope, how do you handle application preferences in a

mixed OS and Application, and Desktop Delivery infrastructure?

How do you control and administer access to specific external devices such as remov-

able storage devices with build-in in encryption based on persona?

Do you need context awareness? Based on user/role, device, location and various set-

tings access to application resources is controlled and enforced when needed.

What endpoints do you support- and manage?

Are administrator privileges needed to install an UEM component?


Smackdown


Is a client or agentless UEM solution required? Is it possible to (automatically) install

the UEM agent?

Is a Bring Your Own Device (BYOD) concept one of the key Access Scenarios?

What is your Application and Desktop Delivery solution in BYOC scenarios? Server-

Hosted, Client-side, Application Virtualization and Application Installation? How do you

deliver applications to these (un-managed) devices?

Do the end-user needs the ability to install and update applications? Is User Installed

Applications functionality needed? Does the user have the correct privileges to install,

or update software?

Do you need to manage the application on the un-managed devices in a BYOD scenar-

io? Can UEM manage the Application Delivery solution in BYOD scenario?

What is the starting point in managing the application?

Do you want to integrate and run local applications into the centralized desktop envi-

ronment and present centralized and local applications in one single interface to the

end-users?

How do you control, administer, audit and report which user has access to which ap-

plication from specific devices or locations? How do you control application usage, us-

er rights management?

How do you deliver detailed information on changes of the User Environment needed

for ISO 27001, HIPAA, SOX and NEN 7510 certification standards?

What solutions do you use to make sure you’re compliant? Can you measure, track

and enforce licensing? How do you currently license per device applications such as

Microsoft Project and Microsoft Visio?

Are billing, license-management, reporting and/or charge-back of the delivered appli-

cations needed?

Do you want to offer a Self-Support tool to your users to reduce the amount of

Helpdesk calls? Which UEM functionality do you want to integrate in the self-service

solution?

What is the role of Secure Access and Secure networking? How do endpoints connect

to the infrastructure?

What is the performance impact of the User Environment Management Solution on

the (virtual) Desktop? How do you optimize and control and manage the resources

such as CPU and Memory inside the (Virtual) Desktop?

Do you focus on stateless (pooled, shared) and/or stateful (assigned, private) images?

Does the UEM solution work flawlessly with Stateless solutions?

Is image deployment and management part of the (virtual) Desktop Strategy? What is

the role of User Environment Management in this strategy?

What is the impact while adding a User Environment Management solution on storage

(http://bit.ly/5HTajV) and how does it affect the business-case?

How does the solution scale? What do we need from a scalability point of view?

What is the performance and bandwidth impact on the network infrastructure; LAN,

WAN, WLAN?

What is your site topology? Multi-site, multiple datacenters?

Does the User Environment Management solution need to be proven and mature?

What is your definition of proven?

http://www.pqr.com/images/stories/PQR_algemeen/pqr%20schema%20secureaccesssecurenetworking.jpg

http://bit.ly/5HTajV


Smackdown


Is the IT organization mature enough to support and maintain the new solution? What

is the knowledge and skill-set of the IT-department?

Does the UEM vendor have (world-wide) 24x7 Multi-lingual support? Is this important

for you?

Is the UEM vendor a financial healthy organization? Is this important in evaluation of

the vendor?

Is there a huge eco-system with partners, consultancy, training and education around

the UEM solution? Is this important for you?

Is “Layering the cake” / separation of Operating System - Application - and User Pref-

erences part of the overall desktop strategy?

Bottom Line: Does IT have focus on your business-consumers, or end-user?!

3.10 DESKTOP TRANSFORMATION REQUIRES USER ENVIRONMENT MANAGEMENT

User Environment Management is not a new concept. Rather one that first got its roots from

early adopter management solutions such as Marimba (now BMC Blade Logic for Clients) and a

few other forward thinking such as BigFix (now IBM Tivoli), ManagSoft (now Flexera) and com-

panies like AppSense and RES Software.

The Enterprise market has struggled to deploy user centric solutions due to technical limita-

tions (tightly coupled OS, App, and User) forcing IT to fit users and applications into a machine

centric framework. Thus the users and the business had to adapt to the technical and process

limitations.

What is so fundamentally different between now and over a decade ago, that the User Para-

digm shift is finally taking place? A variety of factors are fuelling the broad adoption of User

Environment Management Solutions. Those factors include: Consumerization, Virtualization,

Movement to the Cloud and Increased Regulatory Compliance.

Additional regulations are being passed throughout the world that will require companies to

do as much as possible to protect application data and personal information. These regula-

tions place strict sanctions against doing what most employees consider as status quo today to

get their job done. Companies are struggling to comply, particularly multi-nationals, with the

various sanctions placed on them across the stack from the infrastructure to the client. Many

developed countries like Germany, France, Japan, the U.S., the U.K. are working to propose

additional sanctions in light of the recent outbreak of hactivists targeting larger multi-national

companies. Fears of cyber terrorism only guarantees that governments will consider additional

laws and frameworks to enforce compliance directives.

Another major issue is the technophile employee that has become accustomed to having in-

stant access to information at their fingertips. The introduction of one-touch services such as

Netflix, Spotify, Online Banking, or online movies has created a more demanding and inquisi-

tive workforce.

Whether companies like it, admit it or have the bandwidth to deal with it, employees are more

mobile, global and resourceful. Today, they are technical enough to know if they can’t get

what they need from IT they can bypass IT by copying the data to a flash drive, USB device,


Smackdown


cloud data store or other means. At the end of the day – they will do whatever they have to

do to balance work, personal life and desire to be competitive.

More regulations have been and are in the process of being passed throughout the world that

require companies do as much as possible to protect application and personal information.

These regulations place strict sanctions against doing what most employees do as status quo

today to get their job done.

Thirdly, virtualization is a major factor in the movement to User Environment Management

because it enables decoupling the desktop. By breaking down each component (OS, applica-

tions, user data) there are many benefits realized and new business models that were not pre-

viously possible.

Although many of these technologies have their roots in the late 90’s – they have really just

started to take off. In part this is due to natural progression required to mature the technolo-

gy to a point that it provides a seamless experience, evolution of licensing models (still taking

place), and ability to decouple the application to run across multiple platforms, OS, and devic-

es.

Now that the applications can truly be decoupled, targeted and executed across multiple

frameworks it is possible to juggle the various complex combinations of OS, App, and User Da-

ta. This combined with a workforce that is more mobile, less loyal, and likely to pose an issue

for the increased regulations creates a tornado effect. The dynamic nature of the Cloud and

Virtualization lend themselves to provide creative ways for employees to find their own solu-

tions with or without IT’s approval. Now companies have a dilemma – because unknowingly

their employees could be violating laws in several countries, opening up their systems to risks

for license and regulatory issues, and placing an increased burden on the business to transform

their infrastructure to control the situation.

User Environment Management now becomes a critical factor. IT must deliver services that

enable the applications and data to follow the user instead of tying the user to a single device.

The User wants to do their job regardless and will. How can IT control this? How can they en-

force entitlement, ensure compliance while reducing user frustration? Although it is not the

Holy Grail – User Environment Management is the first step in the right direction.

IT must change their policies for targeting and migration from that of a machine based ap-

proach to a User Based approach. That way they can see from point of access who has access

to what applications and data from what limited devices. The paradigm that was built for stat-

ic systems will not work well in the virtual world.

This is because the very nature of non-persistent solutions will mean that the “virtual envi-

ronment” will change. The only constant should be the user and data they access. In order to

make this possible – the new world must accommodate or tie users to applications and their

data. If not there will be a plethora of broken license schemes, virtual hosts, and inaccurate

inventory controls.

Although User Environment Management solutions have been around for some time– it is the

movement from static to dynamic environments across both servers and desktops that have

made UEM more critical now than ever before.


Smackdown


The transformation from static, physical clients to dynamic workspace means that there will be

some adapting and change along the way. The key thing to remember is that companies

(software producers and consumers alike) will have to change and adapt the status quo in or-

der to function, stay agile and deliver solutions that can balance the dynamic nature of the

cloud, mobile/technical users, and increasing regulations from all over the world.

Migrating from a machine based provisioning to a User provisioning environment will be the

critical first step in the journey to achieving balance in the dynamic world built on top of the

cloud.

3.11 WHAT’S IN A NAME?

We have attempted to remain vendor neutral in this white-paper and for that reason have

chosen “User Environment Management” (UEM) to describe the feature sets and solutions

covered herein.

When discussing this space with a technical audience it quickly becomes a challenge to use a

single term that can succinctly cover the features of each vendor’s solutions.

Unlike for instance Application Virtualization, this market has a broader set of products and

use cases which can make it difficult to describe with a single phrase or term. It seems that al-

most each vendor uses different wording to describe their solutions.

In the haze of messaging and marketing around User Environment Management, different

names can blur the arena; therefore it’s worthwhile having definitions of User Environment

Management, User State Virtualization, User Virtualization, User Workspaces, Profile Man-

agement and Profile Virtualization. Managing expectations is always hard; a good starting

point is to make sure everyone speaks the same (IT) language. The end-user, the business con-

sumer, is only interested in the overall functionality independent of name and solution.

Is the technology really the same?

Although this market has been around for some time and the products have been in wide use

by Terminal Server / Remote Desktop Services environments – the recent explosion in desktop

virtualization has brought new customers to products they may not have previously consid-

ered.

Customers are seeking to address challenges in both their physical and virtual desktop envi-

ronments. Here are their common challenges:

Delivering users a consistent computing experience independent of the device on

which they are accessing their applications by allowing the user’s personalization or

persona to follow them.

Providing a structured off the shelf approach to reducing the reliance on internally de-

veloped scripts and deliver application configurations in a timely manner – configuring

the environment based on context.

Controlling application access based on identify, location and device – give IT the abil-

ity to control, allow or deny application access where is makes sense, while still allow-

ing the user to get their work done.


Smackdown


Remaining in control of the desktop environment, yet retain the flexibility to enable

the business to function efficiently.

Every vendor covered in this white paper understands the challenges involved with roaming

user preferences and configuring the user environment on demand. Each product we have

compared includes features for solving the first two issues; however for many organizations

user environment management extends beyond these concepts.

To create a fair comparison, we must first accept the difference in feature sets and recognize

that every organization will have a different set of challenges to address. For some organiza-

tions a smaller (perhaps less expensive) solution may suit their environment, while others may

choose a more feature rich (and possibly more expensive) product.

User State Virtualization

Microsoft started using the term User State Virtualization (USV) as early as September 2008, to

describe a set of features that have been a part of Windows since Windows 2000. These fea-

tures are Roaming Profiles, Folder Redirection, and Offline Files.

Figure 2: User State Virtualization

These features used to be contained in what Microsoft branded “IntelliMirror” (when Win-

dows 2000 was introduced.) Microsoft is positioning IntelliMirror, now as “USV” as a comple-

ment to Desktop Virtualization.

Microsoft’s definition of USV excludes environment configuration that, in the context of this

whitepaper, excludes the use of USV as a general term applied to this space.

It is interesting to note here that the Microsoft approach also includes user data (e.g. docu-

ments, pictures etc.) in the definition of User State Virtualization. Data management is a core

offering of Windows that other products in this space don’t seek to replace, rather some solu-

tions enhance this capability.

The term virtualization in the context of the Microsoft offerings should be taken lightly. Alt-

hough Redirected Folders and Offline Files provide user data access across platforms and de-

http://www.microsoft.com/downloads/en/details.aspx?familyid=41250198-7edb-4087-90fb-af354f6cabaa&displaylang=en


Smackdown


vices, Microsoft only supports user profiles across a single operating system version and pro-

cessor architecture. Because of this, user’s application preferences cannot be moved seamless-

ly between operating systems using the in-box Windows tools only (Microsoft offers USMT for

one-way migrations). Far removed from the concept of virtualization.

For more information on Microsoft’s User State Virtualization, please refer to the following ar-

ticles:

Microsoft User State Virtualization Overview

Choosing an Appropriate User State Virtualization Solution

Infrastructure Planning and Design: Windows User State Virtualization

Managing Roaming User Data Deployment Guide

Roaming User Profiles

Overall Terms and definitions

The table below gives a complete overview of various the terms that have been used by ven-

dors and customers and a definition for each term.

Term Definition

User Profile The unique location within a Windows desktop to which a user has

write access. Application will write user preferences to this location

and the user can store data such as documents and pictures in this

location as well. The profile is created when the user first logs onto

a Windows desktop and persists on that desktop unless an adminis-

trator or policy deletes it

Personalization (or Persona) A user’s customizations to their environment – e.g. wallpaper,

shortcut placement, pinned items etc. Also includes application

preferences written to the user profile. Used as a term to describe

what is contained in a user profile

User Environment Management A controlled and structured approach to managing components of

the environment related to the user. This includes user profiles,

preference and policy management, application control and applica-

tion deployment. Can be achieved with the Windows in-box tools,

or can be enhanced using scripting or 3rd party solutions to achieve

a particular desired result

User State Virtualization Abstraction of user data and profile from the operating system –

Roaming Profiles, Folder Redirection and Offline Files. User State is

still tied to the version of the operating system and provides no

separation of individual application preferences

Originator: Microsoft

User Virtualization When used alongside OS Virtualization and Application Virtualiza-

tion, is a term that makes it easy to describe a layered approach to

desktop management and building the user environment on de-

http://support.microsoft.com/kb/2384951


http://technet.microsoft.com/en-us/library/dd560801(v=ws.10).aspx

http://technet.microsoft.com/en-us/windows/ff629664

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=fd01ed7a-c603-4f7c-8a60-8e4872b58bdf

http://technet.microsoft.com/en-us/library/ff877478.aspx

http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx

http://technet.microsoft.com/en-us/windows/ff629668


Smackdown


Term Definition

mand. Usage extends to user profiles, user environment manage-

ment, application control and user installed applications.

Originator: AppSense

Workspace Management Used to describe the process of abstracting user data and prefer-

ences from the operating system and along with application deliv-

ery, shortcut and file type association management, building the

user environment dependent on the users’ context (identity, loca-

tion, device etc.)

Originator: RES Software

User Profile Management Move beyond roaming profiles to actively manage the user profile –

may or may not provide segmentation of the profile

Layered User Personalization See User Virtualization

Decoupling Personalization Separating the user profile from the operating system. See User Vir-

tualization

Profile Segmentation Segment the profile into smaller chunks of related profile settings –

e.g. per-application settings. Those application settings may now be

portable across operating systems

User Virtualization Management See User Virtualization

Application and Workspace Per-

sonalization

See Workspace Management

User Workspace Virtualization See User Virtualization

Persistent Personalization Persist user profile data across sessions

Persona Management See User Profile Management

Profile Virtualization Implementing file system redirection to move the profile or parts of

the profile from its real location on disk to another location. Not to

be confused with Folder Redirection built into Windows

Profile Streaming Rather than load the entire profile at logon, stream only the data to

the client as it is requested. This improves logon times. Used in con-

junction with profile virtualization

Hybrid Profile Management Managing the user profile as a combination of a local or mandatory

profile with user preferences or personalization added at logon or

application start

Profile Management See User Profile Management

Profile Acceleration See Profile Streaming


Smackdown


Term Definition

User Installed Applications The ability for a user to install an application and have that applica-

tion then persist across different Windows desktops

User Rights Management or Privi-

lege Management

Dynamic elevation of specific user rights via a defined policy to

make administrative access more granular. Individual applications,

Control Panel applets or Windows tasks can be delegated without

adding the user to the local Administrators group

Dynamic Privileges See User Rights Management

3.12 FREQUENTLY ASKED QUESTIONS (FAQ)

Q: Do these solutions make desktop virtualization in all its forms cheaper?

A: This depends on what we’re looking to replace – roaming profiles and custom scripts or

other in-house developed tools? The 3rd party solutions should allow us to reduce operational

costs by improving the user experience and standardizing on a tool for managing the user envi-

ronment rather than relying on custom toolsets. Those products with functionality like self-

service features should help with reducing help desk calls.

Initial costs (CapEx) are going to be higher due to licensing and implementation, so a long term

vision for your desktop deployment is required to ensure that the product chosen is used to its

full potential and stays on track (OpEx). Depending on organization size and scale, handing it

over to operational teams will require considerable work (i.e. training and standards).

A good question to ask is – can the native Microsoft features (Roaming Profiles, Group Policy,

Offline Files etc.) meet the requirements of your organization’s needs? If you can live with Mi-

crosoft’s built-in configuration management functions, you might be able to forgo any 3rd party

UEM solution.

So, all the vendors will answer “Yes” to the question “Does UEM makes the desktop cheaper?”

Understanding the answer always depends on the context and details of the vendor explana-

tion. A good read for your own reality check and a starting point with an open discussion while

evaluating the vendors ROI and TCO calculation, is Brian Madden’s post ‘How to lie with cost

models’

Q: Do these solutions make desktop virtualization easier and faster to implement?

A: Customers who already have User Environment Management solutions deployed should see

a benefit and improvement in deployment times and adoption when implementing desktop

virtualization (or even a new physical desktop) – in-house knowledge and processes should al-

ready exist making implementation simpler.

If the customer is migrating from an existing desktop environment to virtual desktops, these

tools are intended to assist in migrating profiles from the older desktops into the new desk-

tops. This would be the ideal way to ease entry into desktop virtualization; however other than

replacing scripts with GUI tools, desktop virtualization may not necessarily be faster.

http://www.brianmadden.com/blogs/brianmadden/archive/2009/12/08/how-to-lie-with-cost-models.aspx

http://www.brianmadden.com/blogs/brianmadden/archive/2009/12/08/how-to-lie-with-cost-models.aspx


Smackdown


Q: How difficult are these solutions to be configured correctly? Popular opinion says they are

hard to configure correctly hard to maintain.

A: Although some of these solutions have been around for some time, the knowledge required

for implementation is not as broadly available as those that are included in Windows. Techni-

cally, all UEM products are niche solutions – trying to solve a particular problem. Remember

that most UEM solutions come from Terminal Server deployments and lessons learned there.

Considerations that need to be made during making a decision implementation include:

• Infrastructure requirements - database and file storage, network requirements etc.

• Configuration optimization - creating an initial configuration and optimizing it as the

project progresses.

• Implementing the best configuration solution for specific scenarios – there are multi-

ple ways to solve a configuration scenario.

In fairness, for some organizations there is a lack of deep knowledge of newer Group Policy

and Group Policy Preferences. Most organizations skipped Windows Vista and Windows Server

2008 where GPP came built-in, and few organizations realized that Group Policy Preferences

will work perfectly fine on Windows XP/Windows Server 2003 with a free update. But Group

Policy is nothing to be scared of, and many administrators use it and are successful with it eve-

ry day.

Q: If you are not using, or only partially using Desktop Virtualization, does it make sense to

implement these solutions in your physical environment?

A: Although virtual desktops bring management improvements (such as hardware, reporting

etc.), layers such as user personalization apply across physical and virtual environments the

same way. The user state virtualization features built into Windows may not scale as well as

some organization might expect (mainly roaming profiles). UEM solutions should assist cus-

tomers in improving the overall user experience (i.e. logon/logoff times, deliver configurations

when required (“just in time” instead of “just in case”) independent of the desktop delivery

method.

Q: Do these solutions replace any existing tools/processes?

A: In most deployments, large portions of custom tools or logons scripts (VBscript, Jscript,

KiXtart) can be replaced with GUI tools that should, in theory, generalize the knowledge re-

quired to support the user environment (replacing specialized knowledge) and can be pro-

cessed in parallel instead of sequentially.

Q: What happens to companies such as RES or AppSense when we discuss layers? Are they

relevant? What areas should they move into?

A: Unidesk has been pushing their layering technology as a solution for roaming profiles/user

personalization; however Unidesk can only solve this issue for virtual desktops (VDI). Many

customers are looking to provide personalization independent of the desktop type so that a

user can have the same (or close to the same) experience across any desktop. Only these types

of solutions can provide that consistency – even Microsoft would have a hard time providing

consistency across all desktop types.


Smackdown


To take a brief look at some other varying examples, AppSense, RES Software, Liquidware Labs,

Immidio and PolicyPak Software are all taking very different approaches with their portfolios.

AppSense is branching into Mobile Device Management, Data Access and User In-

stalled Applications.

RES Software also covers Workflow Automation, Data Access and reverse application

publishing and IT-Store.

Liquidware Labs’ main focus is desktop transformation and monitoring but now also

has a solution for User Installed Application.

Immidio has found success in focusing on cross-platform roaming of user preferences,

but too, is expanding their feature sets with policy management.

PolicyPak focuses on “what’s missing” in Microsoft’s portfolio and relies on customers

already leveraging Microsoft’s built-in and add-on solutions (Group Policy, Group Poli-

cy Preferences, AGPM, Folder Redirection, Roaming Profiles or UE-V) to make a com-

plete solution.

Q: Will Windows 8 change the game?

A: Now that Windows 8 is out, Microsoft has some new roaming features with modern (aka

Metro) applications. These settings can be roamed when users marry their on premise ac-

counts with a Windows SkyDrive account. Or, they can also be roamed with Microsoft’s prod-

uct UE-V, described in section 5.7.

When it comes to legacy Windows applications (and therefore AppData and the Registry)

those apps still require solutions like what we’re discussing in this paper here.

So, while Windows 8 may be a step toward a new user environment, it won’t change the game

significantly until Modern (aka Metro) applications become more popular (if they ever do).

So the need for user environment management will remain. AppSense wrote an interesting

blog post about this topic, a good read.

Q: Do these solutions really help with Application Virtualization, or is that just marketing?

A: Various UEM solutions can actually manage user personalization data inside of “bubbles” or

“sandboxes” where virtual applications reside.

This functionality is useful in (future) migration scenarios where customers are actually moving

settings between two types of application deployments solutions.

For example, customers new to Microsoft App-V may not realize the value in managing App-V

applications this way – those customers that do have experience with App-V applications

should see the benefit in not having to manage PKG files. By being able to pick and choose

which portions of the virtual profile are to be managed, you can now manage less data.

UEM is key to managing the user preferences regardless of the application delivery method

and this is especially true as you are migrating from standard application deployment to appli-

cation and desktop virtualization.

Q: What does Microsoft User Experience Virtualization mean for existing UEM vendors?

http://www.appsense.com/blog/post/2011/10/15/Windows-8-Metro.aspx


Smackdown


The release of a true profile management solution by Microsoft is a significant step in validat-

ing that profile management and cross desktop roaming matters to enterprise customers. It ef-

fectively confirms that profile management has now become a commodity, especially now that

all of the 3 main desktop virtualization vendors (Microsoft, Citrix and VMware) essentially

bundle profile management solutions with this core products.

Microsoft UE-V perhaps has two things going against it – UE-V can only be licensed through

MDOP and, at the time of writing, it’s still a version 1 product (v2 is in beta). Microsoft appear

to be rapidly developing UE-V, but there are effectively behind the existing players in terms of

maturing and feature sets.

UE-V is actually a good thing for two of the UEM vendors (Norskale and PolicyPak) who don’t

actually compete with UE-V and can thus integrate with it quite readily.


Smackdown


4. UEM FUNCTIONALITY

4.1 USER PROFILE MANAGEMENT

User Profile Management is a key component in the User Environment Management solution

stack. This chapter explains the various profile solutions.

User Profiles 101

User Profiles are a way to provide the user with a consistent workspace. User profiles allow the

user to save his own settings (desktop, screensaver, internet favorites, printers, etc.) and reuse

them on different computers. Every Windows user has a local copy of a profile, but the config-

uration of the profile determines if the settings are saved and/or available on the network.

The following user profile types are available:

Local;

Roaming;

Mandatory.

Local User Profiles

Local profiles are available on one computer only. As user’s log on, a directory is created for

the user in the default users directory (C:\Users). The personal user directory contains folders

like ‘Desktop’, ‘Favorites’ and ‘Documents’. As the user adds shortcuts to his personal desktop,

in the background a file is created in his ‘Desktop’ folder.

Other settings (desktop background, screensaver) are saved in the HKEY_CURRENT_USER reg-

istry key. A copy of this key is saved as a file in the user’s personal directory, known as

NTUSER.DAT. All the settings in NTUSER.DAT and the files and folders in the personal user di-

rectory is the sum of what defines his user profile.

When users log off, nothing special happens. The local profile copy remains on the computer.

Whenever the user logs on this same machine again, the local profile is re-loaded as his unique

user profile.

If the user users logs on to a second computer, Remote Desktop Server or non-persistent VDI

session, a new profile is created. Any customization by the user on any particular computer is

lost!

The advantage of local profiles is that there is very little administrative overhead and there is

no network storage requirement. They’re just there!

The disadvantages are also plain to see as well. Users can get confused when he uses more

than one computer. Any customization of his user workspace (think about shortcuts or printer

settings) do not follow them between desktops.

Roaming Profiles

To allow the user to roam and make use of different computers, it’s possible to use a roaming

profile. By configuring the Active Directory user object with a roaming user profile path, the


Smackdown


changes in the profile are copied to the network at logoff including the NTUSER.DAT file. It

should be noted that in Windows 7, the user’s registry changes can be optionally synchronized

in the background – not solely at logoff.

As soon the user logs on, the roaming profile folder is accessed and downloaded to the com-

puter for caching. Any customization by the user is saved locally and only during logoff is the

server-based profile is updated with cached copy of the local profile.

This provides a way to let the user roam between different computers and maintain some level

of consistency. This functionality introduces a new challenge - profiles from major versions of

Windows operating systems are not interchangeable. The following operating systems share

the same profile types:

Windows 2000, Windows Server 2003 and Windows XP all share one profile type (“v1

profiles”);

Windows Vista and above (Windows Server 2008/R2, Windows 7, Windows 8, Win-

dows Server 2012) all share a second profile type (“v2 profiles”).

Note that Microsoft does not support moving user profiles down-level (e.g. Windows 8 to

Windows 7), nor does Microsoft support mixed processor architectures (x86 or x64):


Another disadvantage is when a user works on a different machines simultaneously. One ses-

sion’s settings may override configuration changes of the other session (last-write-wins). This is

a common scenario in Remote Desktop Services and/or Citrix XenApp environments where si-

los are used to let users access applications that normally conflict when installed on the same

machine.

Mandatory Profiles

In some instances it is preferable that the user logs on with the same set of base settings.

Think of kiosk computers, where the look and feel needs to be same every day no matter what

changes are made to the profiles. When using mandatory profiles this is possible. During logon

a profile is locally cached and this profile is customizable. However, during logoff all changes

are deleted. To make a profile mandatory, it is necessary to configure one template profile.

That includes all required settings. Afterwards, the administrator renames NTUSER.DAT to

NTUSER.MAN.

The advantage of mandatory profiles is clear; the profile stays the same no matter what hap-

pens. In addition, this is exactly what makes the biggest disadvantage; any customization by

the user is lost during logoff. Mandatory Profiles may be configured in two ways when network

connectivity is absent. The default configuration is to provide a temporary profile to the user.

Mandatory Profiles may also be configured to prevent users from logging on when there is no

network connectivity.

Mandatory profiles can be a powerful tool when used with 3rd party UEM tools. Some User

Environment Management solutions provide a way to monitor (continuously or at logoff) any

changes made to the mandatory profile. These captured changes will be saved to the network

for future use. Whenever the user logs on to another machine, first the mandatory profile is



Smackdown


loaded and later on (at logon or on application launch) the unique settings are injected to the

locally cached profile. Immidio FlexProfiles and RES Zeroprofiling (part of Workspace Manager)

are examples of products that provide this functionality.

NOTE: There are some issues with mandatory profiles and Windows 7 remote assistance. Also

certificates are not supported with mandatory profiles. See

http://support.microsoft.com/kb/264732, http://support.microsoft.com/kb/309408.

Replacing Roaming Profiles

Using a 3rd party replacement for roaming profiles allows the organization to achieve several

objectives:

• Provide application settings across operating system versions – well behaved applica-

tions will not hard-code their settings allowing those settings to be decoupled from the

profile and provided across device types.

• Reduce the amount of managed data – managing application settings separately from

the Microsoft managed profile data presents the opportunity to capture only those

settings required for roaming or to only capture preferences for applications that are

important for roaming. Reducing the amount of data captured, reduces the storage

space consumed by user profiles.

• Supporting replication – Storing application preferences/profile data close to the “Ap-

plication Execution Environment” will improve logon/logoff times; however the 3rd

party solution must implement its own replication topology. Replication may be re-

quired to move profile data close to the desktop – across user locations or if a user is

using multiple desktops (physical and virtual), replicated profile data provides con-

sistency in each desktop.

• A common method of improving logon/logoff speeds is to redirect AppData to the

network; however this introduces its own issues (incompatible applications, network

I/O as applications are running). 3rd party products provide a real solution for these is-

sues without impacting I/O during application execution.

Replacing roaming profile however can give some challenges:

• Roaming profiles are essentially a hands-off solution – the administrator enables roam-

ing profiles and does little else. 3rd party solutions generally require the administrator

to establish all locations within the profile where an application will store preferences.

• Additional infrastructure is often required for a 3rd party solution – web servers and or

database servers may be required depending on the solution.

• Agents or other client-side pieces must often be installed – most of the 3rd party solu-

tions require and agent that must be added.

Replacing Custom Scripts

Many larger organizations have spent many years and invested millions of dollars in develop-

ing their own application deployment and user environment management solutions rather

than using off-the-shelf products.




Smackdown


Smaller organizations may have opted to write their own solutions based on scripting lan-

guages such as VBscript or KiXtart and leverage Group Policy to avoid the capital costs associ-

ated with 3rd party products. More recently, organizations are replacing VBscript or KiXtart

scripts with Group Policy Preferences, which is free from Microsoft and has a high degree of

flexibility when implemented properly.

As these organizations deploy Windows 7 and virtual desktops, they are increasingly looking to

3rd party vendors to provide their user environment management tools, to help them reduce

operational costs and meet regulatory compliance. Why replacing custom scripts is a good

idea?

• Custom scripts usually rely on interpreted code used in VBscript or KiXtart, solutions

based on agents will execute faster.

• Scripting languages are usually single threaded. Solutions with agents can run with

more than one thread and can therefore execute faster at logon.

• UEM tools are GUI driven which means less specialised knowledge and reduced train-

ing and support time.

Where do Group Policy and Group Policy Preferences fit in with UEM?

There’s a lot to be said for the native Microsoft tools. Both Group Policy (GP) with Group Policy

Preferences (GPPrefs) form the basis of an excellent solution for managing computers and the

user environment.

However some customers find that Group Policy either requires additional 3rd party add-ons

(Group Policy is extensible) or a complete replacement via alternate solutions.

Group Policy does a great job for the Microsoft pieces in the box. Microsoft ships more than

3500 policy settings that will set and lock down various operating system look and feel items

and set various security settings. Group Policy settings are known as “Policy” in that the user

cannot actively work around these set settings.

Microsoft’s Group Policy Preferences acts differently, in that nearly all the directives can be

worked around – by design – by the user. That’s why they’re called “Preferences.” For in-

stance, Group Policy Preference’s most popular features are delivering Drive Maps, Printers

and Shortcuts. And all of these settings can be deleted by the user at whim. It is notable that

Group Policy Preferences settings can re-apply during Group Policy background refresh, but

only if the client can actively make contact with a Domain Controller and is not offline.

GP/GPPrefs doesn’t consider what happens when users modify their settings. GP/GPPrefs is

only a “settings delivery” mechanism and doesn’t care what happens after the settings are de-

livered.

After settings are delivered, if a user changes “user controllable” areas, then Roaming Profiles

will contain these settings.

Group Policy and Group Policy preferences’ additions greatly enhance the administrator’s

toolbox and opportunities for managing the user environment; however there are several im-

portant pieces still missing from this arsenal:


Smackdown


• Roaming profiles have the same challenges: Since Windows 7, Microsoft has provided

administrators the ability to synchronize the user’s registry back to the network with-

out the user having to log off and back on again. This does not extend to AppData.

Note that some organizations might rely on redirecting AppData, but this does not

solve any of the issues involved with multiple desktop types and operating system ver-

sions. Roaming Profiles are still only supported per OS – organizations are unable to

provide application settings across operating system versions.

• Scripts could still be necessary for some tasks: Scripts might still be needed, and main-

tained plus they continue to have the same limitations as the scripts we used to write.

Though skillful use of Group Policy Preferences can often eliminate the need for many,

if not all, of a company’s scripts.

• Windows is still Windows – the basic architecture of Windows and roaming profiles

has not changed. To provide backward compatibility, Windows must still cater for

those applications that expect certain features and APIs to be available.

4.2 USER PERSONALIZATION, APPLICATION AND DESKTOP MANAGEMENT

User personalization, or Application and Desktop Management, is of course part of most of the

User Environment Management (UEM) solutions. This functionality provides the user and IT

admin with the tools to configure an expected desktop experience. With application and desk-

top management not only the initial look and feel of the user’s desktop is managed but it also

provides a way to configure future changes.

With application and desktop management you’re able to easily implement many tasks, such

as being able to:

• Configure the users look and feel of the desktop;

• Assign drive mappings to network shares;

• Assign printers;

• Assign applications and corresponding settings;

• Set, change or delete Registry settings;

• Provision specific application settings, such as Microsoft Outlook profile(s);

• Provision Database connection settings (ODBC).

Both Microsoft’s Group Policy Preferences and, in general, 3rd party User Environment Man-

agement solutions offer the possibility to make these configurations user and context aware.

4.3 APPLICATION ACCESS CONTROL, SECURITY MANAGEMENT AND USER RIGHTS

MANAGEMENT

Application Access Control is very important in today’s IT environments. Demanded by legal or

government regulations, organizations need to be in control so that users don’t have unau-

thorized access to applications, based on the context of the user, their device, location and

time of day.

User Environment Management solutions give the IT admin the possibility to strictly determine

what applications the user is allowed the use, and make that context aware. For instance,


Smackdown


when working on a desktop on premises the user is allowed to access and use the HRM data-

base application. However, when accessing a desktop from a computer at home the HRM da-

tabase application is not available. This functionality can be extended to time, location, device

or with specific requirements on the computer the user uses. With security management, the

User Environment Management solution provides and enforces access to applications.

Another aspect of security management is to protect the system and the network by strictly

configuring which executables the user is allowed to start. Actually this is mostly done the oth-

er way around; block everything and allow only ‘managed’ or known applications (“Whitelist-

ing”). Other Application Access Control functionality could be: Trusted Ownership, White lists,

Digital Signature, URL Filtering. Keyboard shortcuts, self-healing system settings or ‘desired

state configuration’. Security management can also provide a way to block unknown USB de-

vices, black/whitelist websites of network resources and limit access to local drives.

There are roughly two approaches of securing the user’s environment:

1. Block Everything. Open up only “desired items.” (whitelist)

2. Allow everything. Block only “undesired items.” (blacklist)

It is important to validate the organization’s approach to the user experience with regard to

security. In general, the CIO, security officer or security manager should be contacted for the

best approach. The reason this is important is that some UEM solutions keep very strict to a

certain approach, which may result in a lot of maintenance (by the IT admin) if it differs from

the organization’s approach.

4.4 RESOURCE MANAGEMENT

With more and more usage of a centralized desktop, it’s important to monitor and prevent ex-

cessive usage of resources. In a centralized desktop environment, multiple users typically share

the available resources of a single server. When processes or users demand too much from the

system this can influence the user experience of other users. In such event it’s important to

have technology available to limit the draining of system resources. Resource Management

monitors individual users and/or processes for excessive usage and takes appropriate action

when exceeding thresholds. In addition logging of these events can be very useful to deter-

mine system bottlenecks.

4.5 LICENSE MANAGEMENT

With license management it is possible to configure the licensing model (per named user, per

device/system, concurrent user or site) for each application. Reports on license usage (availa-

ble, max or average) are available.

Focus of License management in UEM is the user, his applications and the ability to use the

applications in the right (security) context. In addition, enforcing application access control is

also part of license management. When limits are configured unlicensed usage of applications

is prohibited. Side-note, make sure that the software vendor supports the Application Access

Control enforcement methods.


Smackdown


License management can provide insights into application usage. With monitoring application

usage, organizations can better determine the amount of licenses needed. In some cases this

means that many users don’t use specific applications and therefore savings are possible.

4.6 MONITORING, AUDITING AND REPORTING

Being able to monitor, audit and report on the user environment is a very useful feature. With

the flexibility and complexity of today’s application and desktop delivery infrastructures, it can

be a challenging task troubleshooting the user environment, especially when introducing addi-

tional elements into the infrastructure.

With different platforms, locations and context-awareness; where do you start looking when a

user is not able to connect his printer or does not see his set of applications? Monitoring, au-

diting and reporting the user environment is an important functionality of User Environment

Management solutions.

As with more and more products, auditing is very important. Being able to audit changes to

the user environment is key to comply with legal or governmental regulations, but also provide

insights in unauthorized changes. With auditing, should it be clear what was changed, when

and by whom? Of course, here company policy should lead in determining what to audit and

why.

Reporting is essential with any management solution, and so it is with User Environment Man-

agement. Reporting must provide information on usage, errors, environment and preferably

on any component of the User Environment Management solution. In Bring Your Own De-

vice/Computer (BYOD/BYOC) scenarios where the applications are executed on an unmanaged

device this can be challenging.

4.7 CONFIGURATION WITHIN APPLICATION DELIVERY

When approaching desktop and application delivery using a layered methodology, the aim is to

deliver applications to the user that makes sense based on when, where and the device that

best suits them. The goal is to deliver computing resources as a service – only by layering the

desktop can this be achieved.

A key component of this approach is to also align this with user environment management; so

IT now have the ability to configure if and when a user is allowed to execute an application,

and if they are, deliver user data, user preferences and application configuration or policies,

within a specific context. Context might consist of any combination of the following:

Device (ID, capabilities, corporate-owned or user-owned);

Identity (user or user group);

Location (inside or outside of the trusted network);

Applications;

Windows operating system version (or even other OS);

Processor type;

Business and IT policies.


Smackdown


Rather than desktop and application delivery being a just-in-case affair (deliver the all of the

user’s applications, data and preferences just in case the user needs them during that session),

we can now deliver these components on-demand, just-in-time (only when the user needs

them).

So can a just-in-time model be achieved without venturing beyond the tools provided by Mi-

crosoft or your desktop delivery vendor of choice? Like all things in IT, the answer is “it de-

pends”. Some environments (large and small) make amazing use of Microsoft’s native toolset.

You might choose to also layer the desktop with in-box tools. But having the rich triggers of a

user’s environment and with a just-in-time solution can only be truly realized with a UEM

product from a third party.

Just-in-time delivery achieves several things:

1. It improves the user experience by allowing the user to get to their applications and

data faster – the user is productive sooner.

2. IT has better control and view of the user environment because we are now have a

clearer view of the user layer.

3. The business can now have more trust and confidence in their computing environment

because it can be a more proactive environment.

User Environment Management is a key factor in this just-in-time or IT-as-a-service delivery,

because it is how we deliver the user layer and gain control over the computing environment,

whilst at the same time giving the user the freedom to work their way.

Getting to this point takes effort, there are no shortcuts; however traditional methods of desk-

top and application delivery are masking layers. We must first understand the applications and

the user roles within the environment. This is the core of desktop transformation – discovery

and consolidation provide the information to build the layers that create the environment.

UEM must span all application deployment methods, so that configuration and personalization

follow the user throughout the environment, regardless of how it is delivered.

While on the topic of application delivery, it’s also interesting to discuss the topic of applica-

tions in specific user contexts – how to deliver the long-tail applications? – Those applications

that only a handful of users need?


Smackdown


Figure 3: Applications in specific user context

Source: http://blogs.citrix.com/2011/08/24/personal-vdisks/

UEM solutions have had the ability to deliver a customized set of shortcuts (for either installed

or virtualized applications) for some time, but they are now also looking at more granularity

when it comes to specific applications. This is taking two, complimentary forms:

1. Provide granular administrative rights to allow users to install an application without

being an administrator (User Rights Management or Dynamic Privileges); and

2. Capturing those applications and persisting them between pooled virtual desktops or

even across physical desktops (User Installed Applications).

This might sound odd within the context of User Environment Management – allowing users to

make changes in a managed environment, but this will become part of the toolset for getting

any application to the user in any context.

With the right approach, User Environment Management becomes the bridge between an en-

vironment where the user can do what they need to get their job done and IT has the ability to

operate more dynamically but remain in control.

http://blogs.citrix.com/2011/08/24/personal-vdisks/


Smackdown


5. SOLUTION OVERVIEW

5.1 INTRODUCTION

To get an overview of the major players in the User Environment Management space, a num-

ber of solutions are explained in this chapter (sorted alphabetically by vendor). These solutions

have a broad range of lighter functionality to “everything included” functionality.

Some solutions are focused on VDI only while others have focus on the complete ‘Application,

and Desktop Delivery’ stack. Other vendors aren’t focused wholly on User Environment Man-

agement but enhance one or more pieces of functionality covered in this whitepaper. For in-

stance PolicyPak provides additional functionality by extending Group Policy; Norskale pro-

vides configuration management and don’t offer profile management.

On the other hand, bigger solutions like AppSense DesktopNow and RES Software Workpace

Manager are meant to deliver a wider set of functionality and attempt to provide something

for everyone. The goal of this chapter is to have a better understanding of the User Environ-

ment Management space from a vendor perspective – in their own words.

Note: The vendor solution descriptions are provided by the vendors. However, we have at-

tempted to remove any marketing fluff wherever possible.


Smackdown


5.2 VENDOR MATRIX, WHO HAS FOCUS ON WHAT!?

There are quite some vendors in the “User Environment Management space”. The diagram

below gives an overview of the focus of the various User Environment Management (UEM)

software vendors. This diagram has nothing to do with the (possible) discussion which vendor

provides the most and the best functionality and features. A complete overview of the fea-

tures and functionality is available in chapter 6 – Feature Overview.

Vendor Product

Use

r P

rofi

le M

gmt

Use

r P

erso

nal

izat

ion

Ap

plic

atio

n A

cces

s C

on

tro

l

Use

r R

igh

ts M

anag

eme

nt

Re

sou

rce

Man

agem

en

t

Lice

nse

Man

agem

en

t

Ap

plic

atio

n D

eliv

ery

Mo

nit

or,

Au

dit

an

d R

epo

rt

AppSense DesktopNow

Citrix User Profile Management

Immidio Flex+

Liquidware Labs ProfileUnity

Norskale VUEM Microsoft GPO, GPPrefs, USV

Microsoft UE-V

PolicyPak PolicyPak Application Manager

RES Software Workspace Manager

Scense User Workspace Manager

Tricerat Simplify Suite Quest vWorkspace

VMware Persona Management


Smackdown


5.3 APPSENSE

Introduction

AppSense has been providing world-leading technology solutions to optimize the user experi-

ence and simplify desktop management for over ten years, and has developed the technology,

experience and operational capacity to offer a solution to what has been to date the most

challenging yet important aspect of the desktop to manage - the user.

AppSense’s DesktopNow product suite virtualizes, centralizes, manages and applies the user

environment on to a desktop as required. It spans all Windows desktops across multiple OS

platforms, desktop and application delivery mechanisms, devices and locations.

In particular Environment Manager, one of the three core products in DesktopNow, enables

organizations to adopt a componentized desktop model by separating the user from the OS

and application components and then applying the user relating information to the OS or ap-

plication – regardless of its version, platform or how it is delivered. Separating the user also

enables the adoption of non-persistent/stateless virtual desktops and master/gold images by

ensuring the pristine components of configured with corporate policy and personalized for

each individual user desktop session.

Separating the user also enables the adoption of non-persistent/stateless virtual desktops and

master/gold images by ensuring the pristine components of configured with corporate policy

and personalized for each individual user desktop session

AppSense simplifies desktop management overhead, reduces operational costs, improves end

user experience and ensure that user settings and corporate policy is applied to set up, config-

ure and personalize a desktop, no matter how that desktop is delivered or where it is hosted.

Virtualization technology providers such as Microsoft, Citrix and VMware all embrace and

promote a move to the component desktop model and recognize the essential nature of the

user layer. AppSense User Virtualization achieves positive return on investment by:

replacing time consuming desktop management practices;

replacing troublesome user profiles;

reducing logon times;

providing a more stable user environment;

improving user uptime and application responsiveness;

increasing system capacity to support more users or applications on existing hardware

or consolidating physical hardware;

reducing Microsoft per device application license requirements;

eliminating the need for Local Administrator user accounts and related support calls &

costs;

reducing migration costs to new desktop models such as; Operating System Migra-

tions, adoption of Virtualized Applications, moving to a virtual desktop environment.


Smackdown


Functionality

Many organizations already have multiple ways in which they deliver desktops and applica-

tions to users, and the user must have the same look and feel across all such platforms howev-

er moving forward, such customers also see the adoption of many more ways in which they

deliver desktops, making User Virtualization a key component of their desktop strategy.

More and more customers are utilizing a mixed desktop estate and the types of desktop are on

the increase. Where for example profiles are already corrupted because of the mix in Terminal

Server (a.k.a. Session Virtualization) and VDI the challenge becomes bigger when adding an-

other desktop type. Building a componentized desktop where the final component is the User

Virtualization layer it becomes much easier to maintain and even migrate to (virtualize user

first). The mix can be Terminal Server/XenApp, Fat client, Laptops, VDI.

In the same way that delivery of operating systems and applications to the user requires an in-

frastructure, so too must the user environment. The AppSense Virtualized User Infrastructure

manages everything specific to a user. This user environment contains; user-based corporate

policy, personalization settings, user rights management and user-introduced applications. In-

frastructure management tools optimize the user environment. Enterprise-class reporting and

auditing tools provide visibility into the user environment; ensuring users have the best work-

ing experience. The infrastructure delivers the user environment into virtual, physical and

streamed desktops and applications – or combinations of those mechanisms - and also can ap-

ply the user environment across operating system versions (e.g. XP, Windows 7, Windows 8,

Server 2008 and 2012, 32/64 bit). For existing desktops, migration capabilities move employ-

ees into dynamically delivered, standard desktops seamlessly.

Cross Application Delivery mechanism AppSense does not care how the application is deliv-

ered. This means the user’s personality can roam from natively installed Windows applications

to virtualized Windows applications. It allows a phased migration to an application delivery

mechanism. All can be done in session without the need for the user to logoff and logon again.

By applying a “virtualize user first” methodology it is much easier to implement a new delivery

mechanism in terms of user acceptance. This is possible because settings are virtualized when

written by the application itself, before they are actually ‘landing’ in the profile or application

virtualization solution.

No requirement to logoff to achieve multi session support The User Settings are delivered in

real time over HTTP(S) when needed. This is based on the application start and stop triggers.

Traditional roaming profiles are loaded during logon and logoff. This enables a ‘just in time’

scenario instead of a ‘just in case’ scenario. Besides this the AppSense User Virtualization pro-

tocol enables compression to further downsize traffic and storage.

User / application settings can be analyzed, reported on, replicated, snapshot and rolled

back

Because the User Personalization Settings are stored in a SQL database they can be easily re-

ported on to determine the size or number of launches for example. In addition to this applica-

tions can be analyzed individually to determine/change the files and registry that are part of

the user settings. By default every application can be rolled back five (configurable) changes

without the need for the user to logoff or close other applications. Another benefit of the SQL


Smackdown


backend is replication. This enables settings to be replicated between SQL servers, either on

the same site, or, in enterprise deployments, between SQL databases on separate site loca-

tions. When a user logs off in Amsterdam, traveling to New York, the settings are already repli-

cated across to the site before the user is physically there. Settings can also be backed up for

DR and Redundancy purposes.

Parallel processing of policy actions by default AppSense User Virtualization processes policy

actions in parallel. If needed policy actions can be set in sequence. Looking at the dependen-

cies in traditional logon scripts and policies AppSense learnt over 80% of these actions and pol-

icies can be run in parallel. Take printer mappings or group drive mappings as an example.

They often check a lot of groups in sequence to work out if a user is member of a sudden

group and then apply the actions. AppSense works out the membership upfront only applying

the actions where a user is member of.

Multiple Triggers Traditionally an environment has a Logon/Logoff and a computer

Startup/Shutdown trigger. AppSense has these, plus triggers like application Start/Stop, Net-

work Connect/Disconnect, Session Locked/Unlocked and Session Reconnect/Connect. Applica-

tion related policy actions can be applied on application start speeding up the logon process

and preventing actions to be run that are not necessary.

User Rights Management (URM) – a.k.a. Privilege Management

URM allows complete control to applications, network locations, and administrative privileges

based on a rule set. The Windows OS has a very granular way of elevating or removing rights

based on tokens. The problem is that the Windows OS has 3 major templates that provide a

set of these tokens: Administrator, Power User and User. When a user needs a sudden token

privilege that is part of the “administrator template” it is often given the full administrative

rights. AppSense URM enables the possibility to inject or remove the correct privilege on the

fly.

Lockdown Often the majority of applications at customers is non-Microsoft and does not ship

with ADM(x) files. Therefore it is not possible to block functionality based on rules. AppSense

Environment Manager’s Lockdown technology enables Administrators to strip out unwanted

application and Operating System functionality depending on the user’s context, to reduce the

complexity of the end user experience or for security purposes. For example, it is possible to

hide or prevent access to specific application interface components such as buttons, menus

and toolbar items, disable keyboard strokes such as Print Screen, Copy or Paste and prevent

certain text from being entered into edit controls such as Web browser address bars. This ena-

bles a very granular control over application functionality. Since AppSense released Lockdown,

competitive products started using the term Lockdown for their Policy functionality.

Self-Healing To reduce support costs and improve the user experience, AppSense Environment

Manager Can automatically self-heal files, registry items, services and processes, in real-time,

to prevent user introduced changes or actions from compromising system integrity. The Inter-

net Explorer Toolbar key in HKCU is an example that AppSense recommends self-healing on to

ensure it is never changed. Services can be ensured to be always started and if fails reported

on


Smackdown


Trusted Ownership the Windows OS is perfectly secured against installations by users. Prob-

lem is that a portable application that does not need an installation and will start. The best

way to secure the Windows OS against portable code is to make a list of accessible items

(White listing). This can be done by using Microsoft SRP for example. The downside is that this

is based on hashing creating a lot of management overhead: every change in the environment

needs to be changed on the whitelist. Trusted Ownership utilizes information already in the

OS: file ownership. This means that software installed by the correct accounts (trusted owners)

is allowed to run. Any software that is copied by the users (non-trusted owners) will be

blocked. In this scenario a whitelisting model is applied that maintains itself.

Self-Authorizing Users AppSense UV has the Self Authorizing Users functionality built in for

years now. This gives definable users the ability to Self-Authorize an application that was not

installed by the ‘trusted owners’. All happens in the real OS, not virtual. This functionality

should not be confused with

‘User Installed Apps’ which is AppSense view on the virtualizing application installations by us-

ers as part of the User Virtualization.

Solutions:


o Windows 7 Migration

o Profile Management

o Policy Management

o Logon Optimization

o Desktop Virtualization

o Privilege Management

Enterprise Mobility Management

o File Sync & Sharing

o BYOD

AppSense Architecture for Personalization

AppSense consists of the Console, Agents, and optional components including a Personaliza-

tion Server and Microsoft SQL database. Each site is made up of three tiers: Client computers,

Personalization Servers and SQL Servers

Figure 4: Appsense Personalization

http://www.appsense.com/solutions/use-cases/user-environment-management

http://www.appsense.com/solutions/use-cases/user-environment-management/windows-7-migration

http://www.appsense.com/solutions/use-cases/user-environment-management/profile-management

http://www.appsense.com/solutions/use-cases/user-environment-management/policy-management

http://www.appsense.com/solutions/use-cases/user-environment-management/logon-optimization

http://www.appsense.com/solutions/use-cases/user-environment-management/desktop-virtualization

http://www.appsense.com/solutions/use-cases/user-environment-management/privilege-management

http://www.appsense.com/solutions/use-cases/user-environment-management/privilege-management

http://www.appsense.com/solutions/use-cases/enterprise-mobility-management

http://www.appsense.com/solutions/use-cases/enterprise-mobility-management/file-sync-sharing

http://www.appsense.com/solutions/use-cases/enterprise-mobility-management/byod

http://www.appsense.com/solutions/use-cases/enterprise-mobility-management/byod


Smackdown


(This is a very basic diagram and is applicable for personalization only, not in general for all Appsense so-

lutions)

The client computer hosts the user session, which contains the AppSense Environment Man-

ager agents. These modules monitor any changes that the user makes to their managed appli-

cations and communicates these back to the Personalization Server. The client computers can

be any combination of hardware and software that is capable of running a Windows session

Environment Manager Agent

The Environment Manager agent is installed on each managed endpoint, responsible for en-

suring user personalization data is saved and restored on demand and also ensures policy con-

figuration settings are applied when required.

Personalization Server (Tier 2)

The Personalization Server is an optional component that acts as a broker between the client

computers and the SQL database. It is an IIS web server responsible for synchronizing user per-

sonalization settings between the Personalization database and the Environment Manager

agent when the user logs on or off or when an application is started or stopped. The Personali-

zation Server runs as a website, using IIS on either Windows Server 2003 or Windows Server

2008 (including 2008R2). Client machines (Tier 1) connect through HTTP(s) handlers, and the

console uses WCF Services. It is designed to provide a secure communication of data and sup-

port 10,000’s of users simultaneously and when using Network Load Balancing Technologies,

multiple Personalization Servers can be configured in parallel to use a single database, or in en-

terprise environments, multiple [potentially synchronized] databases.

SQL Server Personalization Database (Tier 3)

The SQL database is an optional component that stores all user personalization settings on a

per application basis related to personalization sites and servers, users and groups, applica-

tions and endpoint configuration data Settings are pushed down when the Personalization

Server requests the latest settings on behalf of a client computer. Any changes made on the

client computer are then synchronized back to the SQL Database via the Personalization Serv-

er. The database is proven to support over 50,000 users and can be replicated between site lo-

cations.

Licensing Options

AppSense User Virtualization software is typically licensed on a per named user basis. A license

is required for each managed user.


Smackdown


5.4 CITRIX

Introduction

Citrix Profile management is intended as a user profile solution for XenApp servers, virtual

desktops created with XenDesktop, and physical desktops. Profile management ensures that

the user’s personal settings are applied to the user’s virtual desktop and applications, regard-

less of the location and end point device.

Profile management is enabled through a profile optimization service that provides an easy,

reliable way for managing these settings in Windows environments to ensure a consistent ex-

perience by maintaining a profile that follows the user. It auto-consolidates and optimizes user

profiles to minimize management and storage requirements and requires minimal administra-

tion, support and infrastructure, while providing users with improved logon and logout.

In a virtualized world, where users can get to their desktops and applications from practically

any location or device, you need to leverage “user profile” technology to ensure users get a

consistent experience every time. When users log on to their virtual desktop or launch a virtual

application, they want to see everything just as they left it, with their own personal settings,

shortcuts, templates, desktop wallpapers and favorites. The more complex and varied the user

access scenarios, the more challenging it becomes for IT to manage these user profiles.

The most common challenges that impact the user experience and that administrators have to

address when managing user profiles are:

Last writer wins – When users work on more than one physical or virtual device, their

individual personal settings may be overwritten in a seemingly random manner when

they log off.

Profile bloat and logon speed – Profile bloat creates unwieldy growth in user profiles

and resulting storage and management issues. Typically during logon Windows copies

the user’s roaming profile over the network down to the local machine. Logon time is

prolonged by the time it takes to transfer the whole profile over the network. The

larger the profiles are and the more files they contain the slower the logons will be

Benefits

Citrix Profile Management provides fast logons, the most control over profile settings and ad-

dresses the last-write wins issues all from a central management point (GPOs).

Citrix Profile Management provides more flexibility as of what needs to be included or exclud-

ed from a user profile. With Profile Management one can configure which registry keys in the

HKCU hive needs to be ignored or included during logoff. Also files and directories can be con-

figured so that they are exclude from a user profile as well as which folders outside the default

scope of a user profile needs to be fully synchronized or mirrored.

Profile Management is great for environments where users are presented resources such as

applications based on different operating systems.


Smackdown


Profile Management addresses the last-write-wins issue. No longer is the complete user profile

copied at logoff. Environments where users work within multiple sessions, i.e. one remote ses-

sion and a local session, are always faced with the default Windows profile handling procedure

where the user profile from the last session overrides all the other session user profiles.

Profile Management also provides a streaming functionality. With profile streaming, users’

profiles are synchronized on the local computer only when they are needed. Registry entries

are cached immediately, but files and folders are only cached when accessed by users. One of

the options is to use the cache entire profile feature, which fetches all of the files but staggers

their delivery in the background.

Features

Profile migration. Allows you to migrate profiles to and from physical computers and

virtual ones. Depending on the configuration settings, Profile management can copy

existing roaming profiles and local Windows profiles to the user store. Existing manda-

tory profiles can be used as the basis for Citrix user profiles when saved as a template.

Wildcard support. Allows the use of wildcard characters in file names for synchroniza-

tion, inclusion, and exclusion lists.

Extended synchronization. Synchronizes files and folders located outside of users' pro-

file folders.

Logging. All entries in log files are identified with the user name, domain, and session

id (where identifiable).

Multilingual profile support. Uses language-independent profile folder names in the

user store for Windows XP and Windows Server 2003.

Simplified installation and management. Enhanced installation and administration fea-

tures.

Consistent user settings. Solves the "last-write-wins" problem that occurs when the

last open session overwrites all of the profile data from previously closed sessions.

Easy integration. Profile management can be integrated easily into existing deploy-

ments. No new infrastructure or changes to logon and logoff scripts are required.

Unified installer. The same .msi file can be used for servers and desktops. There are

two versions of the file, for 32-bit and 64-bit systems.

Active Directory-managed licensing. You can manage user entitlement using an Active

Directory user group.

Windows 7 support. You can now manage profiles on user devices running Windows 7.

Integration with Citrix Receiver. Profile management releases and upgrades can be

managed using Citrix Receiver.

Improved monitoring and reporting. Additional Performance Monitor counters allow

you to measure several new aspects of logon and logoff, providing improved bench-

marking and integration with Citrix EdgeSight.

Licensing

Citrix Profile Manager is a feature of XenApp Enterprise and Platinum as well as XenDesktop

VDI, Enterprise and Platinum. By virtue of the XenApp, Citrix also extends rights for UPM us-

age to the user's physical devices e.g. you have 1,000 XenApp Enterprise users - these users


Smackdown


may install UPM on their Windows device(s) to also manage their profiles on those respective

devices. There is no separate licensing options for UPM, only as a feature of XenApp and

XenDesktop.

Architecture

You install the Profile Management agent on each computer whose profiles you want to man-

age. The installation is straight forward and available for x86 and x64 operating systems. These

operating systems are supported:

Desktops:

- Windows XP SP3;

- Windows Vista SP1;

- Windows 7.

Servers:

- Windows Server 2003 SP2;

- Windows Server 2008;

- Windows Server 2008 R2.

The Profile Management runs as a service and can be configured using ini-files or centrally with

the use of Microsoft Group Policy Object’s (GPO). An ADM-template is provided.

Citrix Profile Management intercepts the default Windows user profile handling process. As

soon as a Windows profile process starts, the Profile Management service kicks in and takes

care of the necessary actions based on the GPO settings, if available. In the situation that a

GPO is not linked to the OU which the computer object resides the ini-files are used.


Smackdown


As with a Windows roaming profile a central location is needed to store the profile. This cen-

tral location is called the User Store. Every user should have access to the user store, a net-

work folder where profiles are stored centrally. Alternatively, profiles can be stored in users'

home drive if preferred

Figure 6: Profile Management locations

5.5 IMMIDIO

Introduction

Immidio Flex+ provides end users with a personalized and dynamic Windows desktop, adapted

to their specific situation, based on aspects like role, device and location. With Flex+, Immidio

offers an extremely competitive workspace virtualization solution, requiring no additional in-

frastructure investments, and at a fraction of the price of comparable solutions.

Flex+ is the successor of Immidio Flex Profiles – the most successful Windows profile manage-

ment solution, with more than 2 million users worldwide. Driven by a changing landscape for

the workplace, where end users expect to work anywhere, anytime and on multiple devices

(including their own), Immidio developed Flex+ in close collaboration with its large installed

base.

Figure 5: Citrix Profile Management overview


Smackdown


Immidio Flex+ offers a desktop that adjusts to the actual situation of the end user, providing

access to the IT resources that are required, based on a user’s role, device and location. Many

organizations suffer from hidden productivity loss as a result of ad hoc activities like manually

mapping network drives and printers or providing application shortcuts to end users. This so-

called distortion not only impacts IT departments but also affects end users. The relevant user

experience that Flex+ offers, significantly eliminates this distortion.

Flex+ consists of five functional areas: Application Configuration Management, User Environ-

ment settings, Personalization, Application Migration and Dynamic Configuration. Each area is

further described in section 5.5.4.

Immidio is focused on providing a point solution where most other User Environment Man-

agement solutions provide a complete suite, which in turn is too much functionality for a ma-

jority of customers and prospects. Immidio products offer positive impact on the end-user ex-

perience and productivity, while the impact on the existing infrastructure remains limited, re-

sulting in a very attractive ROI.

Founded in 2008 and based in Amsterdam, the Netherlands, Immidio develops products in

close relationship with its customers, affiliated virtualization experts and the international vir-

tualization community. Their products have proven themselves at the sites of customers in

more than 20 countries, many of which are Fortune Global 500 companies. Immidio solutions

are exclusively delivered through an international network of technology peers and partners.

Benefits

IT benefits:

• Easy and low impact implementation at your own pace; • Immediate benefits across the organization; • Instantly improve logon and logoff times; • Scales seamlessly by leveraging existing Windows infrastructure; • No deployment and maintenance of additional back-end infrastructure; • Provide application-level support; • Compatible with Windows desktops, Microsoft RDS, VMware View, Citrix XenApp and

XenDesktop; • Support multi-tenancy scenarios from a single management console.

Business benefits:

• Increase productivity by delivering a relevant, personal and optimized environment to your users;

• Eliminate the large sum of small environment challenges; • Reduce helpdesk workload; • No additional investment in server roles required – leverage existing Windows infra-

structure; • Affordable product and easy implementation, resulting in fast ROI; • Instantly solve an urgent challenge; gradually implement the full workspace virtualiza-

tion functionality.


Smackdown


Immidio Architecture

Immidio Flex+ leverages existing Windows infrastructure, not enforcing additional compo-

nents, investments and maintenance on items like a Database or Web Server, therefore creat-

ing a very cost-effective User Environment Solution. Immidio Flex+ also uses commonly used

mechanisms for deployment (MSI) and configuration (Active Directory Group Policy) of the cli-

ent component, called Immidio FlexEngine. This strategy makes it possible to scale up along-

side the scaling of the Windows infrastructure and support off-line usage of managed Win-

dows devices.

Figure 7: Immidio Architecture

Functionality

Application Configuration Management

Flex+ Application Configuration Management enables you to configure the initial settings of an

application without having to rely on the defaults of the application. "Predefined Settings" can

be used as one-time defaults or can be set each time the application starts (guaranteeing that

application settings are always in the exact same state). A hybrid approach is also possible: de-

fine which application settings can be personalized and which should always remain at their in-

itial values, allowing partial personalization.


Smackdown


Using Immidio Application Profiler, you can capture predefined settings for an application.

Simply run the application on a reference system (monitored by Application Profiler) and con-

figure it as desired.

Flex+ also provides the capability to manage certain User Environment settings when an appli-

cation is launched, like mapping drives and printers, applying custom files, folders and registry

settings, and running custom tasks.

Application Configuration benefits:

• Decouple user settings from native and virtual applications; • Maintain a single application package while deploying it in multiple configurations; • Ensure compliance with company standards; • Prevent users from misconfiguring error-prone applications; • Only consume network resources (e.g. printers or network drives) when necessary; • Manage all application configuration elements on the application level.

User Environment settings

Immidio Flex+ enables you to centrally manage a variety of User Environment settings which

users need to perform their daily tasks.

The following User Environment settings are supported:

• Drive and printer mappings; • Environment variables; • Application shortcuts and file type associations; • Custom files, folders and registry settings; • Logon and logoff tasks; • Display language; • Hide drives; • Triggered tasks; • Policy settings.

User Environment settings benefits:

• Reduce complex scripting and prevent configuration errors; • Reduce use of dispersed Group Policy preferences; • Manage application shortcuts and file type associations for applications virtualized

with Microsoft App-V (MDOP), Novell ZAV and VMware ThinApp; • Centrally managed from a single management console.

Personalization

Flex+ Personalization decouples and segments user-specific desktop and application settings

from the Windows operating system, making them available across multiple devices, Windows

versions and application instances. Decoupled personalization is independent from the tradi-

tional Windows user profiles and allows for easy introduction and management of virtualiza-

tion technologies and application delivery mechanisms. Flex+ Personalization integrates seam-

lessly with natively installed and virtualized applications, providing users with a consistent user

experience across any Windows platform – physical, virtual or remote. Additionally, it enables


Smackdown


painless upgrades, like migrating from Windows XP to Windows 7 or Windows 8, or migrating

from App-V 4.x to App-V 5.

Personalization benefits:

1 Much shorter logon and logoff times; 2 Reset user settings per application rather than deleting the complete user profile; 3 Unique cleanup mechanism for existing roaming and local user profiles; 4 Manage personalization of applications virtualized with Microsoft App-V (MDOP); 5 A single "user profile" per user across multiple Windows platforms.

Application Migration

Immidio Flex+ can "roam" personal application settings of users from one operating system to

another (e.g. from Windows XP to Windows 7), as long as the application is storing its configu-

ration in the same location of the user profile (i.e. uses the same registry and AppData loca-

tions).

In any application version upgrade, either as part of an operating system migration or as part

of the application’s lifecycle management, Flex+ personalization can manage the personal ap-

plication settings. Some of these upgraded applications might however not store the applica-

tion settings in the same location as the previous version did, causing users to lose some of

their personal settings.

With Immidio Flex+ an XML-based settings migration mechanism is introduced, which can mi-

grate personal application settings between application versions. A migration file for convert-

ing Microsoft Office 2007 settings to Office 2010 is included with Flex+.

Application Migration benefits:

• Migrate application settings to prevent decreased end-user productivity; • Increase user acceptance for application or operating system upgrades; • Avoid helpdesk overload during migrations.

Dynamic Configuration

Flex+ Condition Sets allow you to combine conditions based on user, location and device char-

acteristics, enabling dynamic adaptation of content and appearance of the end-user desktop.

For example, you can provide access to a network printer based on the user’s current location

or create an application shortcut on the desktop based on the user’s identity. Conditions can

be evaluated again when users unlock their workstation or reconnect to a remote session.

Condition sets are managed centrally from the Flex+ Management Console and can be applied

to all configurable items within Flex+.

Dynamic Configuration benefits:

• Reduce complex scripting and prevent configuration errors; • Reduce use of dispersed Group Policy preferences; • Centrally managed from a single management console; • Manage globally instead of per configured item; • Globally enforce compliance to company standards; • Increase end-user productivity by providing the relevant desktop;


Smackdown


• Reduce helpdesk calls by anticipating on dynamic desktop usage scenarios; • Run built-in or custom tasks at logon and logoff, application launch and exit, lock and

unlock workstation, and disconnect and reconnect to a remote session.

Licensing and pricing

For each customer scenario there is a license model and procurement program that fits. For

traditional desktops there is a device based licensing model and for hosted environments a

concurrent user model. For mixed environments, where customers want to manage both the

local device and the remote session, a device based licensing will be sufficient. With purchase,

lease and rental constructions the Immidio products are available to fit any budget.

Pricing is an integral part of the Immidio philosophy. We strongly believe that solving a prob-

lem should not introduce new complexity, both on budget and technology. Immidio products

are priced to fit any budget and since we require no new infrastructure components to deliver

the full power of Workspace Virtualization, the TCO and ROI of Immidio Flex+ are the lowest in

the industry. This enables Enterprises to implement Workspace Virtualization organization

wide.

5.6 LIQUIDWARE LABS

Introduction

Liquidware Labs is a vendor who delivers desktop transformation solutions for next generation

physical and virtual desktops, including VMware View, Citrix XenDesktop, and Microsoft Win-

dows 7/8/8.1. The company's Stratusphere and ProfileUnity solutions provides a complete

methodology and software that enables organizations to cost-effectively plan, migrate, and

manage their next generation desktop infrastructure – physical, virtual, or RDSH.

Liquidware Labs ProfileUnity is flexible user management delivering a universal persona and

configuration that is compatible across any Windows desktop (XP/2000/Vista/Windows

7/8/8.1). The solution is a comprehensive, Windows user personalization and configuration

management solution. ProfileUnity separates user profiles, configurations, and data from the

Windows OS, enabling organizations to be more flexible than ever before with their desktops.

The solution features a lightweight yet robust agent that runs on your current Windows desk-

top infrastructure with no additional servers needed. It is highly-scalable and manages &

synchs the user’s profile, configuration, and management settings.

ProfileUnity makes it easy to deploy new applications, infrastructure resources and personality

consistently across your enterprise users and desktops from one central console while migrat-

ing existing data and settings from your physical PC’s to your next generation desktop strategy.

Benefits

• Deploy desktop settings from one central console

• Runs on your existing infrastructure with no SQL or IIS servers needed

• Migrate user data to VMware View, Citrix XenDesktop & Windows 7/8/8.1

• Manage user experience per User, AD Group, IP Subnet & more


Smackdown


• Lightweight agent and architecture that is highly scalable through your built-in DFS

replication

Administrators can centrally modify end-user configurations and settings as well as manage

application data settings. The solution features powerful functionality to including the ability

to allow select users to install their own applications in VDI environments with FlexApp User

Installed Application technology. FlexApp Department Installed Application technology also al-

lows administrators to virtualize difficult to virtualize applications and assign them to a group

of users through a context aware setting. Since applications can be fully assigned on top of the

base image dynamically, FlexApp technology is cited by Liquidware Labs’ customers for allow-

ing them to administer VDI with a very minimum number of base images. ProfileUnity can also

be utilized to manage and distrubute other app virtualization solutions such as VMware

ThinApp and Microsoft App-V by context aware settings.

Liquidware Labs boasts that the solution does not lock your user data into a SQL database

which effectively creates a one way data jail that can be difficult or impossible to diagnose or

migrate away from. ProfileUnity separates user profiles, configurations, and data from the

Windows OS, enabling organizations to be more flexible than ever before with their desktops.

Liquidware Labs ProfileUnity:

• Offers a persistent user experience at every logon

• Offers a persistent user experience among heterogeneous operating systems

• Offers users a non-persistent VM from a pool of linked clones in a VMware View or Cit-

rix XenDesktop environment

• Migrates users among differing versions of Windows

• Quickly recovers the user experience within seconds in the event of a desktop disaster

recovery

• Enables User and Department Installed Applications via FlexApp – thereby minimizing

the need to have numerous base images

Solution

ProfileUnity www.liquidwarelabs.com/products/profileunity.asp

Migration of User Authored Data

ProfileUnity has a data migration feature that is exclusive among user environment manage-

ment products. The functionality is part of the advanced features of a built-in folder redirec-

tion module

When the data migration functionality of ProfileUnity is leveraged along with its folder re-

direction options, ProfileUnity literally moves user authored data from legacy end-point

desktops to a storage device such as a server or SAN. This capability along with V1 to V2

profile compatibility seamlessly enables co-existence of mixed Windows desktop environ-

ments, Anytime Migration abilities, and is a key part of any desktop disaster recovery plan.

Functionality

Liquidware Labs ProfileUnity has the following functionality:

http://www.liquidwarelabs.com/products/profileunity.asp


Smackdown


Profile Portability in universal v1 or v2 format

Compatibility with any Windows operating system or delivery method including

XP/2000/Server 2003/Vista/Windows 7, 8, 8.1,/Server 2008,2012

Full Application settings management and portability for ProfileUnity FlexApp applica-

tions, App-V, VMware ThinApp, and others

Software and hardware inventory , includes additional functionality for VMware

ThinApp license management

Built-in summary reports which detail the configuration of the environment, used for

auditing access, compliance, and documenting the environment

Map Drives, Printers, resources

o Location and device aware settings: attach printers based on location, deliver

applications based on location or machine, group, IP address, etc

Profile Cleanup – Especially helpful in Windows RDS and Citrix Server based computer

environments, this feature allows adminstrators to remove the local copy of a user

profile with an admin defined variable

A new feature announced for early 2014 includes FlexDisk, high performance “follow-

me” VMDK storage. FlexDisk is designed for one-to-many app distribution and robust

user installed application performance. Session performance increases can be realized

through IOPS steering with FlexDisk by locating IOPS intensive apps on robust storage.

Architecture


Smackdown


Licensing

ProfileUnity is licensed per named user for $39 USD retail. Concurrent licensing options are

available for certain markets such as Education and Healthcare. A single license key is centrally

managed with no need to enter license keys on individual desktops.

5.7 MICROSOFT (GROUP POLICY, GROUP POLICY PREFERENCES AND AGPM)

Introduction

Microsoft’s solution for User Environment Management is it’s built in Group Policy mechanism.

Group Policy is made up of Group Policy Objects (GPOs) and can natively contain directives

called Policy or Preferences, but is also extensible to 3rd party directives.

Group Policy can be configured by creating a GPO and linking the GPO to a Site, Domain or Or-

ganizational Unit in Active Directory. GPOs can contain both User and Computer side direc-

tives. The configured settings are applied by the client at startup, logon and approximately

every 90 minutes in the background (processed independently on User and Computer side.)

Group Policy Preferences was acquired from a company called DesktopStandard. Group Policy

Preferences provides 21 new abilities to Group Policy and works from Windows XP clients on-

ward. Group Policy Preferences greatly extend the possibilities to configure the user environ-

ment and in many cases eliminates the need for complex logon scripts.

Group Policy Preferences’ most popular features include delivering drive mappings, shortcuts

and printer assignments

Roaming Profiles may or may not be used with Group Policy. That is, there is no “all or noth-

ing” with regard to Group Policy and Roaming Profiles. Many organizations choose to take ad-

vantage of Group Policy and Group Policy Preferences without ever turning on roaming or

mandatory profiles.

The configuration of roaming or mandatory profiles is usually handled using Active Directory

Users and Computers directly upon a users’ Active Directory account.

Benefits

Group Policy, Group Policy Preferences are free. Since it’s in the box most administrators have

had some use of Group Policy and/or Group Policy Preferences.

Other benefits are:

Works across any Windows experience - Physical, Virtual, and Laptops;

Works across all Windows operating systems from Windows XP onward;

Compatible with Microsoft RDS, VMware View, Citrix XenApp and Citrix XenDesktop;

No software to install on desktops, no additional shell environment. Note: A free Mi-

crosoft-provided update is required for Group Policy Preferences on XP and 2003 ma-

chines;

Data stays in Windows native format, you're never locked into a data jail;


Smackdown


Figure 8: user configuration

No architecture to deploy – everything is stored on domain controllers;

One-single solution for all of your Windows desktops;

Rich history of being extended by 3rd parties to perform specialized functions that are

not present “in the box”.

Functionality

With Group Policy Settings, the following functionality is available for user configuration:

Configure the look and feel of the desktop;

Lockdown supported areas to prevent unauthorized changes to the system;

Configure folder redirection;

Configure (older) Internet Explorer maintenance settings.

With Group Policy Preferences, the following functionality is available for user and computer-

configuration (user-side shown in screenshot below):

Map Drives, Printers, Shortcuts and more;

Set environment variables;

Deliver files, create folders folder;

Simple INI files and Registry edits;

ODBC settings;

Perform device restrictions;

Set folder options, Internet Explorer settings, Start Menu.

Group Policy Objects and Preferences contain functionality to configure

both the user and computer as well. Generally, when a computer receives

a computer-side setting, all users who use that computer are affected.

Context-awareness using Item-Level Targeting

Group Policy Preferences items have a rich collection of “Item Level Tar-

geting”. These enable specific Group Policy Preferences items to affect

machines specifically based on location, machine, group, IP address, OU,

and other filters.


Smackdown


Figure 9: Targeting

A partial list of ILT filters is shown in the screenshot. A full list of context-aware ILT filters can

be found at http://technet.microsoft.com/en-us/library/cc733022.aspx

Architecture

Active Directory Services is required to centrally manage and assign Group Policy Objects and

Preferences. Although some Group Policy settings can be configured on each computer – one

by one -- locally (using gpedit.msc). This is not a great option when mass configuration in an

enterprise environment is desired.

Group Policy Objects containing Policy and Preferences can be linked to Active Directory at dif-

ferent levels (sites, domain, OU) and directed to users and/or computers.

When using multiple Group Policy Objects, the processing order is always: Local, Site, Domain,

OU. The last effective Group Policy Object wins, but higher-level administrators can always en-

sure their directives “win” by using the “Enforced” setting upon a GPO.

Group Policy Objects indirectly change registry settings. Microsoft provides Administrative

Templates (*.adm, admx) which affect operating system settings, and some applications like

Microsoft Office or App-V. If necessary, it is possible to create additional templates by creating

an ADM or ADMX files, but those come with their own management challenges. (For two vide-

os expressing ADM and ADMX issues you may watch this video and also this video).

http://technet.microsoft.com/en-us/library/cc733022.aspx

http://www.youtube.com/watch?v=bJHx_4A3AHo

http://www.youtube.com/watch?v=UK23JWVJm-c


Smackdown


Licensing

No additional licenses are needed to get started with Group Policy Objects and/or Group Policy

Preferences. The default Windows Client Access License is enough.

Speed concerns

Sometimes Group Policy gets maligned for possibly causing slowness at startup and/or login.

When slow logons were analyzed by Microsoft and the root causes of those slow logins was

discovered, if they were Group Policy slowdowns, many were simply bugs which were later

fixed or otherwise mitigated. (A list of common Root Causes for Slow Boots and Logons can be

found at this article.)

While there are some reasons that Group Policy could be slowing down a startup or a logn, in

practice the most common reason Group Policy can be perceived to be “slow” is the improper

use of startup and login scripts which try to perform “too much”; such as copying large files

(every time at login), waiting for user input (and timing out), or referencing servers which don’t

exist -- thus holding up prescious startup or login time. Another common reason for slow-

downs is trying to deploy “very large” printer drivers via Group Policy Preferences (which can

be 30 – 500MB depending on the vendor.)

Said another way, when using Login or Startup scripts, or deploying large printer drivers via

Group Policy, and that operation takes 8 minutes to run, Group Policy is performing exactly

what it’s supposed to do.

While not every administrative action can be accounted for, the Group Policy engine itself has

several built in throttling mechanisms to specifically prevent slowness at startup and login:

Each GPO has a “version number” so that GPO’s contents are not re-downloaded if a

client has already seen the contents of a GPO. Said another way the client doesn’t re-

download each GPO every time, it only downloads new or changed GPOs, automatical-

ly speeding up startups and logins.

Starting in Windows XP (and continuing onward thru all Windows clients), all Group

Policy operations are, by default, performed in the background when possible. This

prevents most slowdowns from even being “felt” by the end user.

Starting in Windows 8.1, when the client is over a very slow connection (or there is no

local DC to provide GPOs), the client will use “locally cached GPOs” which exist on the

client machine to speed login time (which would have traditionally occurred over the

network).

Starting in Windows 8.1, one of the more popular Group Policy Preferences items,

Drive Maps, was re-written to always work in the background, speeding up login time

whenever Group Policy Preferences Drive Maps was used on a client, and therefore all

Group Policy processing overall.

Starting in Windows 8.1, login scripts are delayed for processing until 5 minutes after

login. This is to prevent disk contention during the most critical time of setting up the

users’ Explorer and (possible first time profile setup.) The delayed login script feature

of Windows 8.1 is is configurable to any value, including turning this feature off.

http://social.technet.microsoft.com/wiki/contents/articles/10130.root-causes-for-slow-boots-and-logons-sbsl.aspx


Smackdown


Therefore, Group Policy’s slowness can be mitigated when admins know where to look. In

these cases, a wholesale “replacement” of Group Policy and Group Policy Preferences for an-

other tool which replicates the Group Policy or Group Policy Preferences functionality isn’t

something every company should be looking to do until they’ve exhausted all troubleshooting

options with the Windows product they’ve already paid for.

A quick note about Microsoft’s AGPM

Microsoft’s Advanced Group Policy Management (AGPM) gets a special note here for two rea-

sons.

First, Microsoft AGPM is often misunderstood in what it can and cannot do. Specifically, Mi-

crosoft AGPM adds “change management” around Group Policy Objects themselves. That is,

AGPM’s main goal is to help multiple administrators create, edit, approve and rollback GPOs in

a systematic way. Contrary to popular believe, AGPM provides no added client-side superpow-

ers or benefits beyond what’s already in the box with Group Policy and Group Policy Prefer-

ences.

Next, Microsoft AGPM, while from Microsoft, is a paid add-on tool and comes as part of Mi-

crosoft’s MDOP suite and is not automatically licensed to all Windows licensees. AGPM is li-

censed as part of the MDOP (Microsoft Desktop Optimization Pack). And, as such, there is no

way to purchase it separately.

More info on licensing MDOP (which includes AGPM and UE-V discussed next in this docu-

ment) can be found at (this link.) Again, MDOP contains six total tools, of which AGPM is just

one of them. For a quick rundown of AGPM Myths and Facts, see the document at (this link).

On Dec 2, 2013, AGPM was updated to support Windows Server 2012 R2 on the server, and

Windows 8.1 on the client. The announcement can be found here:

http://technet.microsoft.com/en-us/library/dn458961.aspx

5.8 MICROSOFT USER EXPERIENCE VIRTUALIZATION (UE-V) 2.0

Introduction

Microsoft User Experience Virtualization, or UE-V is Microsoft’s spiritual successor to the in-

the-box experience of roaming user profiles. UE-V job is to roam users’ changes from applica-

tion and operating system settings. UE-V is not tasked with actually delivering or maintaining

operating systems or application settings in any way (this remains the function of Group Policy

and Group Policy Preferences). UE-V can roam user-changed application settings to or from

any of these platforms and application delivery mechanisms:

Windows 7 / Windows Server 2008 R2;

Windows 8 / Windows 8.1 / Windows Server 2012 / Windows Server 2012 R2;

32-bit or 64-bit platforms;

Remote Desktop Apps;

Installed apps;

Microsoft Application Virtualization 4.6 and 5.0.

http://www.microsoft.com/mdop

http://blogs.msdn.com/b/customer_reviews_of_stb_products/archive/2013/01/31/microsoft-advanced-group-policy-management-agpm-myths-and-facts.aspx


Smackdown


Architecture, Operations and Functionality Overview

Microsoft UE-V has main four components:

UE-V Agent (as an MSI);

UE-V Settings Location Templates;

UE-V Settings Storage Location.

The UE-V agent must be deployed to all machines where user preferences are to be managed.

The agent looks for the presence of UE-V templates on the machine or a network location de-

fined by the administrator. UE-V templates define the application to be monitored and the lo-

cations within that application to monitor. The UE-V agent then traps user-created preferences

changes to applications and stores them remotely for later use. UE-V storage of settings can be

stored in a file share or the users’ home drive.

When applications are launched (on the same machine or different machine), the user’s appli-

cation settings are downloaded before the application is launched. The UE-V agent will send

the user’s changed settings back at the following times: Logon, logoff, locking the machine, un-

locking the machine and connecting to an RDS session.

If the user is offline when he makes an application settings change, then it is stored and for-

warded the next time the user connects. Lastly, UE-V has a PowerShell interface to accept a

command that can roll back settings for a particular application to an initial state.

Additionally available is the UE-V Generator utility which enables administrators to create their

own templates for most applications.

Benefits

UE-V is a step up from Microsoft’s traditional roaming profiles because only the applications’

settings the user needs are downloaded at application launch time, instead of the entire pro-

file and all settings being downloaded at login time.

UE-V ships with some UE-V templates to help roam common Microsoft applications such at In-

ternet Explorer, Microsoft Office, and operating system desktop settings and accessories.

UE-V also ships with a template Generator utility that enables administrators to create their

own templates for well-behaved applications.

Microsoft officially supports the in the box templates for UE-V, and also has non-supported

additional UE-V templates available for download in the UE-V Gallery (link here).

The UE-V agent can be managed using Group Policy with downloadable ADMX templates from

this link: http://www.microsoft.com/en-us/download/details.aspx?id=35516.

Detractors

There are some known issues with UE-V as follows:

http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V


Smackdown


There is no “Roaming Profiles to UE-V” wizard to help existing administrators migrate

from roaming profiles, although administrators could run both solutions together dur-

ing a migration phase.

At the time of writing there is no guidance or documentation from Microsoft to help

administrators migrate from roaming profiles to UE-V.

UE-V is not supported on Windows XP and there are no plans to make it work on Win-

dows XP machines.

What’s new in UE-V 2.0

UE-V 2.0 is a nice next step from UE-V 1.0, but there are some significant and notable updates:

UE-V 1.0 was reliant upon the same mechanism of Offline Files (also known as Client-

side caching or CSC). UE-V 2.0 adds its own synchronization engine, removing the de-

pendency on CSC to sync settings; though CSC may continued to be used as the sync

mechanism if desired.

Synchronization of Windows 8 Store app settings.

Syncrhonization if desired to a Microsoft account in OneDrive (formerly Skydrive) in-

stead of an SMB share or user’s home folder.

UE-V adds a user-interative applet called “Company Settings” which enables users to

select which settings will sync (and others will not). These settings are overridden by

UE-V’s Group Policy settings, if set by the administrator.

More about UE-V 2.0 can be found at http://technet.microsoft.com/en-

us/library/dn458913.aspx

Additionally, on Jan 28, 2014 Microsoft announced supported UE-V templates for Office 2013,

where it initially stated it was not planning on providing these templates. UE-V’s Office 2013

support announcement can be found at

http://blogs.windows.com/windows/b/springboard/archive/2014/01/28/announcing-ue-v-

office-2013-template-support.aspx

Licensing

UE-V is licensed as part of the MDOP (Microsoft Desktop Optimization Pack) and, as such,

there is no way to purchase it separately. More info on licensing MDOP (which includes UE-V

and AGPM as discussed in this document) can be found at (this link.) Again, MDOP contains six

total tools, of which UE-V is just one of them.

5.9 NORSKALE VUEM

Introduction

Norskale is the latest player to enter the UEM market and believes that user experience, sim-

plicity of use and low TCO are the most important factors when choosing a workspace man-

agement platform. The solution has already been proven in large and small environments alike

including a 20,000 seats environment that reached top performance and simplicity of man-

agement in just a week of work. 56% of users say that instant login and app reactivity are the

http://www.microsoft.com/mdop


Smackdown


main benefit of a new desktop. VUEM ensure you are getting that very high level of perfor-

mance on any Windows machine and keeps it constant across the entire life of the device.

Get all the functionalities you need rapidly, with only a few days of work and great value li-

censing. VUEM delivers the best user experience and lowest install/management cost for all

physical or virtual desktop, as well as XenApp. Refuse complexity and extravagant costs. VUEM

list price is $38/€28 per named user: perpetual license and first year of maintenance included.

Benefits

10 seconds login times for all your physical and virtual desktops as well as XenApp

(published apps and desktops).

Extremely fast applications reactivity thru constant CPU and RAM optimization.

Intuitive central console for all your user environment management. Even junior ad-

min are fully trained in 1 day.

Eliminates Scripts/GPO/GPPrefs in a few clicks.

Bring full context awareness to all the elements of your workspace. Give the user the

right resources and access depending on any scenario you can think of.

CPU and RAM optimization reduce user footprint for 20-25% more users per servers.

Manage and optimize Citrix user profile management (UPM) and Microsoft roaming

profiles (USV).

Self-services and self-healing for end users workspace reduce support call by up to

$200 per user every year.

Fully installed and configured in just a few days even in the most complex environ-

ments.

Granular and complete delegated administration console.

Complete reversibility in a snap: uninstall us without impact and refuse any vendor

lock-in.

Functionality

User Profile Management VUEM optimizes and centrally manages both Microsoft roaming

profiles and Citrix User Profile Management profiles. Both technologies are the de facto stand-

ards on SBC and “fat” environments. VUEM therefore ensures profiles integrity while making

sure that their sizes and speed are always best in class. And in the process greatly reduces the

cost of high-end storage associated with profiles.

User Personalization Scripts, GPO and GPPrefs are a messy affair which also trash every desk-

tops login time. VUEM eliminates them and automates workspace management thru a simple

console. No more reliance on a few rare in house experts, homogeneous use of best practices

in the entire environment and an immediate reduction in support calls. VUEM flexible actions

engine allows you to easily define every actions needed to replace even the most complex log-

in script, while ensuring top notch performances.

Application Access Control Protect your system using dynamically configured software re-

striction policies thru Whitelist and Blacklist.


Smackdown


Resource Management By managing apps priority levels dynamically, our “CPU Spikes man-

agement” protects the system against abusively intensive application. VUEM action reduces

any applications CPU footprint on the system without making them unstable or killing them.

We also offer the possibility to clamp any application types to a set percentage of CPU usage.

“Memory Management” analyzes and optimizes idle applications/processes. VUEM dynamical-

ly forces any apps to free up the extra memory it is withholding but not using.

VUEM optimizes the CPU and RAM utilization in any desktop environment: physical/virtual as

well as XenApp published desktops and apps. The results are always snappy applications re-

sponse times and up to 25% more users per server. Simple and really powerful, without any

risk of application breakage.

Application Delivery VUEM not only supports local applications but Citrix XenApp, Microsoft

RDS, App-V as well. All applications and resources types are delivered and controlled dynami-

cally according to users’ contexts. Furthermore, VUEM “Manage Applications” feature allows

users to access all context available resources and self-create shortcuts in the location they

think most appropriate.

Monitor, Audit and Report Through modeling wizard and the “resultant actions viewer”, Ad-

ministrators are not only able to see assigned actions applied to a specific user but also to un-

derstand why some actions have been discarded in the assignment process.

VUEM also enhances issues tracking with Helpdesk features such as sending an automated

email reports to support when users are having difficulties. Including a workspace screenshots

and the current environment information.

Architecture

Norskale has streamlined all our developments to ensure VUEM only needs the minimum in-

frastructure requirements. VUEM currently supports all major Clients and server OSes. 64 bits

is supported natively on all platforms (no emulation).

Desktops:

- Windows XP SP3;

- Windows Vista SP1;

- Windows 7.

Servers:

- Windows Server 2003 SP2;

- Windows Server 2008;

- Windows Server 2008 R2.

A very low footprint agent is deployed in the user workspace and is careful to minimize net-

work usage. The server itself is extremely compact and can withstand a very large user base

within a single VM. VUEM natively supports mirroring and clustering on the SQL server side

and the broker and workspace agent come with full offline capabilities.


Smackdown


Licensing

VUEM is licensed on a “per named user” basis and has a list price of $38/€28 per user. This li-

cense is perpetual and includes the first year of support and maintenance. Norskale also offers

site licenses, rentals and other licensing options. Contact us to discuss the best licensing model

to meet your requirements.

5.10 POLICYPAK SOFTWARE

Introduction

PolicyPak Application Manager delivers, enforces, locks down and remediates application and

operating system settings.

PolicyPak Application Manager’s directives can be deployed using Group Policy or an adminis-

trators’ own systems management tool like SCCM, LanDesk, KACE, Windows Intune and the

like.

PolicyPak Application Manager continually refreshes and remediates settings whenever Group

Policy applies (logon, reboot, and in the background) and whenever the application is

launched.

PolicyPak can deliver settings for just about any application: those which store their settings in

the Registry, INI files, XML files, JS files, or any other formats (that Microsoft’s built-in Group

Policy, Group Policy Preferences and ADM/ADMX templates simply cannot manage.) PolicyPak

has pre-configured Paks to configure common applications like Firefox, Flash Player, Java JRE,

Acrobat Reader, Acrobat Pro, Lync Client, AutoCad, Shockwave and over one hundred more.


Smackdown


Figure 10: PolicyPaks

PolicyPak Application Manager also comes with the PolicyPak Design Studio which enables

admins to quickly create their own Paks and manage their own in-house applications.

PolicyPak’s AppLock™ feature can gray out or hide many applications’ user interface settings as

well as perform lockout on applications’ entire tabs. This prevents users from working around

its recommended application settings within the UI.

PolicyPak’s ACL Lockdown™ feature takes ownership of the Registry and/or file-system pieces

from the user and application. In this way, settings are strictly guaranteed and cannot be

worked around.

PolicyPak Application Manager continually re-enforces applications settings whenever users

are logged on to the network (using Group Policy’s background refresh), and can optionally re-

enforce those settings even when the user is completely offline and disconnected from the

network.

Like Group Policy, PolicyPak Application Manager has both User and Computer side settings,

and works in the same fashion. Settings are created using the GPMC, contained within GPOs

and they can be linked to OUs with users or OUs with computers. In this way, IT administrators

don’t need to learn anything new: if they can use Group Policy, they already know how to use

PolicyPak Application Manager.


Smackdown


PolicyPak’s settings are simply delivered and re-delivered whenever a user roams to a new

machine, uses a Terminal Server or Citrix machine or starts up a VDI machine. PolicyPak will

deliver and re-deliver settings to applications when they are:

Installed and running on the machine (fat clients: desktops and laptops);

Installed and running on Terminal Services or Citrix XenApp;

Installed and running within VDI (VMware View, Citrix XenDesktop, etc.);

Delivered within virtualized “bubbles” or “sandboxes” (Microsoft App-V 4.6 or 5.0,

VMware ThinApp 4 or 5, Symantec Workspace Virtualization, and others);

Running on a machine which is online (and can see a Domain Controller) or running

completely Offline.

Architecture

PolicyPak Application Manager is a natural fit to organizations of any size already invested in

using Group Policy and Group Policy Preferences, SCCM any systems management tool or even

other UEM tools listed in this guide - but needs fine grained control of applications’ settings.

In short, PolicyPak requires absolutely no architecture at all beyond already having Active Di-

rectory, with any kind of Domain Controllers in any domain mode or functional level. There

are no schema updates or databases required.

Figure 11: PolicyPak Application Manager Architecture

PolicyPak’s directives can be delivered in two ways:

PolicyPak directives can be simply stored in GPOs and delivered naturally to the client.

(Link to Video)

PolicyPak directives can be delivered as MSI files and used with SCCM, LanDesk, KACE,

Intune or any other systems management tool already in house. (Link to SCCM Video,

Link to Windows Intune Video.)

http://www.policypak.com/products/policypak-br-professional-br-design-studio.html

http://www.policypak.com/integration/perform-desktop-lockdown-using-sccm-and-policypak.html

http://www.policypak.com/integration/perform-desktop-lockdown-using-microsoft-windows-intune.html


Smackdown


Because PolicyPak Application Manager utilizes Group Policy, SCCM or any systems manage-

ment tool as the transport, it can safely scale to hundreds of thousands of machines and re-

quires absolutely no databases, servers, or infrastructure to add or modify. This has the added

benefit of being up and running quickly, because administrators already know how to use it.

PolicyPak’s directives are read and processed by PolicyPak’s client-side-extension (which needs

to be installed on all machines to be managed.)

PolicyPak is compatible with Windows XP and later including Windows 7 and Windows 8 and

all Terminal Services (RDS) and Citrix Servers.

PolicyPak’s goal is to have maximum flexibility and interoperability, enable administrators to

follow existing Microsoft best practices, and leverage a company’s existing investment in

whatever technology they have implemented: Microsoft, Citrix, VMware, etc.

Benefits in Conjunction with Group Policy / Group Policy Preferences

When PolicyPak uses Group Policy as its “transport”, all Group Policy native tools

(GPMC, GPedit, GPupdate, GPresult, GPMC Reports, and Microsoft’s AGPM) work with

PolicyPak.

When PolicyPak uses your own systems management tool as it’s “transport”, you can

simply deploy PolicyPak directives as MSIs, then tap into enhanced reporting, such as

with SCCM reports and the like.

PolicyPak can deliver settings beyond traditional ADM and ADMX templates and what

Group Policy Preferences can deliver. PolicyPak can deliver complex Registry settings,

INI, XML, JS, and just about every other application’s settings type.

PolicyPak can gray out the UI of most applications and perform true ACL Lockdown™ of

both registry and file stores to guarantee IT settings (Regular Group Policy / Group Pol-

icy Preferences does not do this).

PolicyPak includes preconfigured Paks to get administrators started quickly with over

200 popular applications.

Included PolicyPak Design Studio to quickly create your own Paks for in-house and

home-grown applications.

Keeps working -- even when users are working off-line and not on the network (Regu-

lar Group Policy / Group Policy Preferences does not do this).

Reverts settings correctly when they no longer apply (Regular Group Policy / Group

Policy Preferences does not do this for applications).

Delivers settings to desktops, laptops, Terminal Services, XenApp, virtual desktops

(XenDesktop and VMware View), and virtual applications (Microsoft App-V, ThinApp,

Citrix Streaming) (Regular Group Policy / Group Policy Preferences cannot do this).

User Interface is the administrator’s normal GPMC and Group Policy editor, and appli-

cations to be managed look like the target application.


Smackdown


Figure 12: PolicyPak interface

Context-Aware Security via Item-Level Targeting

PolicyPak utilizes the same “Item Level Targeting” editor that the Group Policy Preferences

does. This enables administrators to specify conditions as to when PolicyPak directives

should apply to users or computers. The UI is exactly like the Group Policy Preferences and

requires no training for existing Group Policy administrators. (Video link to PolicyPak and

Item Level Targeting).

Figure 13: PolicyPak Targeting

Note additionally that these Item-Level Targeting filters are active and available both when

PolicyPak directives are deployed via Group Policy or your own systems management utility

like SCCM.

http://www.policypak.com/videos/sn6j7q1clmq.html

http://www.policypak.com/videos/sn6j7q1clmq.html


Smackdown


Solution

PolicyPak Application Manager comes with:

The PolicyPak CSE: This must be loaded on all machines you want to manage (32 and

64-bit);

PolicyPak GPMC Snap-in: Enables administrators to instantly use the GPMC to deliver

PolicyPak directives;

The PolicyPak DesignStudio: This enables administrators to create their own Paks

quickly;

PolicyPak Exporter: This takes PolicyPak directives and wraps them up into MSI files for

deployment with any systems management tool like SCCM, etc.

Over 200 pre-configured Paks to get started right away for common applications like

Office, Firefox, Flash, Java, and others.

Interoperability

PolicyPak works in conjunction with the following technology categories and products that IT

administrators already have and use:

Application Virtualization Technology:

Microsoft App-V 4.6 and 5.0 (Link to video);

VMware ThinApp 4 and 5 (Link to video);

Citrix XenApp Streaming (Link to video);

Novell ZENWorks & Spoon.Net (Link to Video);

Symantec Workspace Virtualization (Link to Video).

Application Deployment Solutions:

Traditional Installation (MDT, SCCM, LanDesk, etc.) (Link to SCCM Video);

Microsoft Intune (Link to Video);

Microsoft Terminal Services (Remote Desktop Services), Citrix XenApp (Link to video).

Group Policy Change Management Solutions:

Microsoft AGPM (Advanced Group Policy Management) (Link to video);

ScriptLogic Active Administrator (Link to video);

Quest GPOadmin (Link to video).

Group Policy-based Privilege Management Utilities:

BeyondTrust PowerBroker (Link to video);

Avecto Privilege Guard (Link to video);

Viewfinity Privilege Management (Link to video);

Quest/ScriptLogic Privilege Authority (Link to video).

VDI Solutions:

Microsoft VDI (Link to video);

VMware View (Link to video);

http://www.policypak.com/technology-and-downloads/manage-appv-sequences-with-group-policy-and-policypak.html

http://www.policypak.com/technology-and-downloads/policypak-extends-group-policy-to-vmware-thinapp.html

http://www.policypak.com/integration/policypak-extends-group-policy-to-citrix-xenapp-streaming.html

http://www.policypak.com/integration/policypak-extends-group-policy-to-spoon-novell-zenworks-app-virtualization.html

http://www.policypak.com/integration/policypak-symantec.html

http://www.policypak.com/integration/perform-desktop-lockdown-using-sccm-and-policypak.html

http://www.policypak.com/integration/perform-desktop-lockdown-using-microsoft-windows-intune.html

http://www.policypak.com/technology-and-downloads/policypak-enhances-xenapp-with-group-policy.html

http://www.policypak.com/technology-and-downloads/policypak-works-with-microsoft-agpm-advanced-group-policy-management.html

http://www.policypak.com/technology-and-downloads/policypak-works-with-scriptlogic-active-administrator.html

http://www.policypak.com/technology-and-downloads/quest-gpoadmin-works-with-policypak.html

http://www.policypak.com/technology-and-downloads/policypak-enhances-beyondtrust-powerbroker-desktops-windows-edition-privilege-manager.html

http://www.policypak.com/technology-and-downloads/policypak-complements-avecto-privilege-guard.html

http://www.policypak.com/technology-and-downloads/policypak-complements-viewfinity-privilege-management.html

http://www.policypak.com/technology-and-downloads/policypak-bolsters-scriptlogic-privilege-authority.html

http://www.policypak.com/integration/policypak-and-microsoft-vdi-better-together-to-manage-applications-settings.html

http://www.policypak.com/technology-and-downloads/policypak-supplements-vmware-view.html


Smackdown


Citrix XenDesktop (Link to video).

Profile management solutions:

Microsoft UE-V (Link to Video);

VMware Persona (Link to Video);

Unidesk, Citrix Profile Management;

Most other UEM solutions found in this guide.

Licensing

PolicyPak is licensed per active (non-diabled) computer account in Active Directory plus any

concurrent connections to Terminal Services or XenApp. PolicyPak can be licensed per OU,

multiple OUs (parent-child, or unrelated OUs), or for an entire domain.

5.11 QUEST (DELL)

Introduction

Quest vWorkspace is the result of an acquisition in 2007 by Quest of a company called Provi-

sion Networks. Founded in 2004, Provision Networks aimed to reduce the adoption barriers of

virtual desktop deployment and application delivery, through cutting-edge technologies that

address the end-to-end requirements of global deployments. Quest vWorkspace delivers vir-

tual applications and desktops from multiple hypervisors, Remote Desktop Services and blade

PCs through a single user access point and management center.

Benefits

Quest vWorkspace isn’t focused on User Environment Management but it has a small

set of capabilities in place without any additional charge. This is called the “MetaPro-

files” feature and it will capture settings at logoff and recreates them at logon. Bene-

fits.

The customer don’t always need an UEM solution in addition to their desktop virtual-

ization product when they use vWorkspace and that saved money while improve user

management.

Manage user environment settings (drive mappings, printers, registry keys) without

login scripts.

Dynamically make the user a local admin in a virtual desktop (or not) at connect time.

Dynamically build the start menu.

Location based printing.

Functionality

Quest vWorkspace offers control of the usual user environment settings (drive mapping, print-

ers, registry keys, screensavers, security policies, etc…) and also some persistence of user pro-

file changes between sessions in our MetaProfiles feature. All of these settings can be targeted

based on client name, IP, user name or group or OU. The settings can be applied to Terminal

Servers/Session Hosts or VDI.

http://www.policypak.com/technology-and-downloads/policypak-expands-xendesktop.html

http://www.policypak.com/integration/policypak-enhances-microsoft-user-experience-virtualization-u-ev.html

http://www.policypak.com/integration/policypak-extends-group-policy-to-vmware-horizon-view.html


Smackdown


This will allow to deploy a dynamically-generated and configured Windows desktop across

multiple virtualization technologies for a blended delivery, allowing lower costs, more control

and security, and management of the level of personalization possible by the user.

Architecture

The connection broker is called the vWorkspace Connection Broker. Other components are a

vWorkspace configuration database, vWorkspace web interface and vWorkspace SSL gateway

server. The protocol that is used to connect to the desktop is the regular RDP protocol. For a

better (graphics) performance over WAN the EOP protocol (Experience Optimized Protocol)

can be used.

Licensing

The UEM features are not sold separately but only available as part of Quest vWorkspace.

Quest vWorkspace is available in 2 types of licenses: The Desktop Services Edition and Enter-

prise Edition. Both are available as concurrent and device based licenses

5.12 RES SOFTWARE

Introduction

Traditionally a “desktop” was a PC, and managing a desktop meant managing the user’s de-

vice. That PC used to be in a fixed location and a fixed identity that logged onto it. Today, the

expectation is that a desktop is an access point to secure IT services that a user needs at a giv-

en moment at a given location. The modern desktop should be flexible and dynamic, but due

to old management technologies, it is static. It does not adapt itself to new situations, and se-

curity has become a challenge due to workers spending more time outside the office at all

times of the day and night. IT must adapt to and start to manage IT services that are delivered

into workspaces instead of desktops. RES Software workspace virtualization enables IT to cen-

trally deliver, manage and secure the key elements of a user’s computing experience, inde-

pendently of their workstyles and devices. By automating how IT services are delivered to vir-

tual workspaces, the RES Workspace Virtualization Suite offers dynamic, service-oriented ap-

proach to managing and delivering IT. RES Software prides itself in making IT organizations 10x

more productive at delivering IT services and managing user workspaces.

Functionality

Achieving a dynamic, service-oriented approach to managing and delivering IT requires three

components that tightly integrate with and sit on top of an organization’s existing hybrid infra-

structure:

A virtualized workspace exposes requested and approved IT services (applications, da-

ta, peripherals, etc.) to a user’s desktop based on context-aware business rules that

ensure compliance and secure usage. Even when a service is approved, that does not

mean it’s allowed in every situation. IT should be able to control the usage of IT re-

sources based on the approved user’s actual working context (i.e., time of day, loca-

tion and device).


Smackdown


IT automation must be capable of managing any standard IT task in the infrastructure.

This automation will carry out the standard technical changes that are needed to de-

liver the requested services, and integrate with the existing hybrid IT infrastructure.

A personalized service catalog with comprehensive workflow capabilities that can de-

liver much more than just applications for a single platform. Integration with HR or

Identity Management Systems allows IT to leverage system knowledge about end-

users and their roles within the organization.

Benefits

This workspace virtualization technology must integrate seamlessly with your existing hybrid

application delivery infrastructure no matter how varied and complex. But once it's in place,

you'll be able to:

Operate much more efficiently and lower the cost of daily IT operations dramatically.

Improve the user experience. Users can now request IT services via an IT Store, and

they will have those services delivered to them just in time. They do not have to wait

for the IT Help Desk any more. And, their services will be delivered into a context-

aware desktop that dynamically adapts itself whenever needed based on the changing

context of the user.

Context awareness and automation greatly improve security & compliance. The inde-

pendent management layer brings adaptive security and has a great auditing and re-

porting capabilities that make a big contribution to the security and compliance of

your IT services.

The result is a vastly more productive enterprise – for both IT professionals and the end user of

IT. In fact, RES Software’s customer experiences have shown 10x returns (and even greater) on

investment for many customers. RES Software technology works with any hybrid infrastruc-

ture, integrating seamlessly with infrastructure from leading platform vendors such as Citrix,

Microsoft and VMware.

RES Workspace Manager

The first building block of the RES Workspace Virtualization Suite is workspace management

technology provided by RES Workspace Manager. This is a lightweight platform that allows you

to manage every user’s workspace from a single console. You can think of Workspace Man-

agement technology as separating the user’s workspace from the underlying infrastructure so

changes to the infrastructure no longer affect the workspace. RES Workspace Manager dynam-

ically configures and secures applications, printers and personal settings, and syncs data in

your centrally managed workspace – independently of user profiles. It is available with option-

al Add-ons (what we call “RES Workspace Extensions”) that fit seamlessly into your overall so-

lution. Simply put, RES Workspace Manager makes IT Administrators’ jobs easier:

RES Automation Manager

IT Automation enables IT to automate the services that are delivered to the user’s workspace,

minimizing IT’s intervention and saving time. RES Automation Manager offers 120+ easy to use

automated tasks that make scripting safe, repeatable and intelligent. It is the product that de-


Smackdown


livers resources into the workspace for installing software, applying patches, etc. RES offers au-

tomation packs with the solution which are “connectors” to other applications in your enter-

prise.

RES Service Orchestration (IT Store)

RES Software envisions an IT store solution layered on top of this foundation, delivering the

orchestration of services to the user workspace as well as the IT store’s advanced user inter-

face. It provides a fast and convenient way for users to get the workspace services they need,

when they need them – greatly improving the users’ experiences with IT. And IT is able to de-

liver this superior user satisfaction with much lower cost and improved security and compli-

ance for IT. Additionally, RES Software offers Connectors to other applications. For example, IT

can integrate data directly from an HR or identity management system into the IT Automation

capability so there is no need to maintain a separate user profile within the overall workspace

virtualization solution.

RES Workspace Extensions

RES HyperDrive

A secure file sharing capability that runs on premises, but delivers a “cloud like” user experi-

ence. The Follow Me Data Requirement Providing access to corporate data is at the core of en-

abling your employees to be productive. As work styles have become more flexible, your users

expect fast and easy access to their data on a growing number of device types. RES HyperDrive

allows IT to introduce a secure and on-premises file sharing solution that helps you manage

important corporate data, while meeting the anywhere, anytime access needs of your users.

This capability – “Follow Me Data” – is critical to supporting today’s dynamic, mobile work-

force. RES HyperDrive offers a simple interface that allows users to seamlessly access their da-

ta through Windows Explorer, Mac Finder, Web browsers, and across different smartphone

and tablet platforms. Integration with Microsoft Outlook makes it easy to share files with con-

tacts inside and outside of your organization. RES HyperDrive is client independent and works

with your existing IT environment. RES HyperDrive enables IT to encrypt, back up and protect

corporate and user data.

RES Virtual Desktop Extender (VDX)

As an industry first, reverse seamless VDX technology provides the ability to deliver local appli-

cation and data experiences to remote, hosted virtual desktops. As the industry experiences

Consumerization trends such as BYO – these present administrators with in increased pressure

to support user requirements. These include applications that a user wants to use, on their

chosen device. RES Software’s VDX capability delivers the user preference – or user installed

applications, to a centrally managed virtual desktop.

Functionality of Workspace Manager

RES Workspace Manager lets you pick the level of management and control you want for your

organization, today. You can always upgrade as your organization grows or needs new fea-

tures. Select from the following modules:


Smackdown


• Dynamic Configuration

The Dynamic Configuration Module of Workspace Manager is your first step to a fully secured

and controlled desktop infrastructure for users. It provides context aware and centrally man-

aged workspaces for your users that contain all of the right applications, data, printing and

personal settings that are essential for their success. IT professionals can process any changes

and preview their impact from a single central console before altering a user’s workspace.

• Delegation and Compliance

The next step after enabling personalized desktops is gaining control and insight into your de-

ployed workspaces Improve your ability to manage your infrastructure with clear logs of

changes, current status reporting, and license usage data from all users. Allow first-line sup-

port to perform advanced diagnostics and trouble shooting in a hybrid desktop and application

delivery infrastructure. This module also makes it possible to open or restrict the management

console for different administrative roles and create real-time configuration reports. Plus, it

supports administrators in managing different application delivery techniques.

• Adaptive Security

Deliver a personalized desktop according to company business rules and compliance. Building

upon the previous modules, enabling security prevents users from unauthorized actions such

as executing certain applications and the use of removable disks. You can add or remove these

restrictions based on a user’s context.

Features of Workspace Manager

Context Awareness: The user workspace is built, just-in-time, based on the current and actual

user state such as location, time, device and identity of the user. Context can be based on AD

group membership, location awareness by determining the strongest wireless access point and

device type. Context awareness is key for IT to deliver the right services to the right user at the

right time and location.

Desktop Transformation: Transform any existing desktop infrastructure into managed user

workspaces with an intuitive wizard. Desktop transformation allows IT to use current user

state data to design the user workspace and implement step-by-step only applying the neces-

sary configuration.

Desktop and Application Management: Enables object oriented management of what IT of-

fers the end user. This includes items such as printers, applications, data sources, e-mail tem-

plates, folder redirection and synchronization. Giving the user access only to the items he/she

needs to be productive from a standard desktop.

Profile Management: Overcoming issues with roaming users by storing and applying profile

data in real time per application instead of everything at once during logon. Simple for IT to

implement by using the built-in templates and easy for the user to restore profile settings via

self-service.

Integration: Simplifies management, access and configuration of application virtualization

technologies, publishing technologies and application deployment technologies from a single


Smackdown


console. Seamless integration with Citrix XenApp, Microsoft RemoteApp, Microsoft App-V, Mi-

crosoft System Center Configuration Manager and RES Automation Manager, RES HyperDrive,

RES VDX and RES IT Store.

Compliance: Supporting software license and asset management by enabling application li-

cense metering and enforcement in hybrid desktop environments. Providing detailed audit in-

formation and insight on configuration changes and enforcing change management through

granular role based access control.

Reporting & Analysis: Providing first line support with analysis that helps them perform ad-

vanced real-time troubleshooting to resolve issues quicker as well as providing detailed insight

in workspace usage including applications, sessions and websites.

Security: Restricting access to applications, data, network, websites and removable storage

based on context. Enabling user rights management by elevating privileges on applications in-

stead of elevating the user to local administrator. Rendering all local drives read-only by a sim-

ple check-box instead of cumbersome policies and NTFS configurations.

Session Performance: Ensure a stable and resource efficient end user experience by enabling

performance optimization mechanisms.

Simple and Efficient Management: Simplify management of the desired user state by providing

the IT administrator with video tutorials, setup wizards and instant reporting of configuration.

Building-blocks enable easy and quick move of any configuration between environments such

as development, test & verification and production. Workspace Simulation allow the IT admin-

istrator to test impact of infrastructure changes before actual implementation.

Architecture

Figure 14: RES Architecture

The RES Software architecture is simple yet capable of managing any network topology, highly

scalable and easy to maintain. None of the components require dedicated hardware. The

main components are:


Smackdown


Console:

The Management Console is the central point of administration of your RES Workspace Man-

ager environment. This central console, which you will usually run from the administrator's

workstation, allows you to manage your entire computing environment, whether this is a desk-

top computing technology stack, a mobile computing technology stack, a server-based compu-

ting technology stack, or a combination of these.

Datastore:

The Datastore is the central database for your RES Workspace Manager environment. It con-

tains all configuration settings of the user workspace. Each computer on which RES Workspace

Manager has been installed and that has connection to a Datastore is an Agent of that Datas-

tore.

Relay Server (optional):

Relay Servers are an optional infrastructure component that can be used alongside Agents

connecting directly to the Datastore. Relay Servers cache information from the Datastore and

pass it on to Agents upon request. This means that Agents do not need contact the Datastore

directly. Relay servers can be daisy-chained to support complex networking infrastructures.

Relay Servers offer a number of advantages:

Improved scalability in all kinds of distributed network topologies;

Reduced network traffic in multiple-site environments, as fewer components connect

directly to the central Datastore over relatively slow data connections;

Reduced Datastore load, as fewer components connect directly to the central Datas-

tore;

Agents that connect to Relay Servers do not need to have a database driver installed

for the RES Workspace Manager Datastore.

Agent:

An Agent is a computer on which RES Workspace Manager is installed locally. This can be a

Terminal Server, a workstation, a laptop or a VDI desktop. Each Agent is available in the Man-

agement Console. Each Agent contains a local cache of all information that is stored in the

Datastore. This setup means that a session does not depend on connectivity, because infor-

mation is not coming directly from the Datastore. All data is available in the local data cache,

regardless of the availability of the Datastore. Each Agent contains a local cache of all infor-

mation that is stored in the Datastore. This setup means that a session does not depend on

connectivity, because information is not coming directly from the Datastore. All data is availa-

ble in the local data cache, regardless of the availability of the Datastore. Each Agent presents

the end user with a uniform workspace managed by RES Workspace Manager: the Workspace

Composer. The Workspace Composer is the uniform workspace that the end users are pre-

sented with, regardless of the technology stack used. This includes all applications, menu items

and settings to which the user is granted access.


Smackdown


Licensing

RES Workspace Manager supports named-user licensing and concurrent-user licensing.

• Named-user licensing, a license will be reserved for a user name when that user starts

a session within RES Workspace Manager. The license will be reserved for that user

until the system administrator releases the license.

• Concurrent-user licensing allows a number of licenses for a user session to be shared

among a larger number of users over time. When a user wishes to run a session, they

request a license from a central license server. When they finish using the application,

the license is reclaimed by the license server and made available to other users.

RES Workspace Manager 2012 can be purchased using either the concurrent or named user li-

censing model. When a laptop is installed with RES Workspace Manager, it will always claim a

license. When a trial version of RES Workspace Manager is installed, an evaluation license for

25 named user licenses is made available automatically as well as 25 VDX licenses. During the

evaluation period a customer can easily switch between the different RES Workspace Manager

Editions. It is possible to mix Concurrent and Named users in one RES Workspace Manager En-

vironment, but both licenses need to contain the same modules (edition).

RES Workspace Manager consists of the following modules:

• Dynamic Configuration - delivers a context aware user workspace independent from

the infrastructure;

• Delegation and Compliance – Diagnostic, troubleshooting and the integration with

other technologies;

• Adaptive Security – delivers a context aware security layer that is created around the

workspace.

The modules of RES Workspace Manager are not sold separately, but instead are combined in-

to editions:

• Bronze Edition: This edition contains the Dynamic Configuration module;

• Silver Edition – Option 1: This edition contains the Dynamic Configuration module and

the Delegation and Compliance module;

• Silver Edition – Option 2: This edition contains the Dynamic Configuration module and

the Adaptive Security module;

• Gold Edition: This edition contains the Dynamic Configuration module, the Delegation

and Compliance module and the Adaptive Security module.

5.13 SCENSE

Introduction

Scense extends the workspace as we know today to a personalized and customized one with

ubiquitous access. Universal access to IT resources, a context-aware user experience, location

services, Live Profiles and dynamic printer management all ensure a high level of freedom and

personalization for the user, while leaving control firmly in the hands of the IT department.


Smackdown


Scense Workspace Management is a true One-Stop shop for solutions to your IT challenges of

today and tomorrow.

Solution

Scense has been known for years as an easy to use, efficient workspace management solution

for desktop environments with Pc's, laptops, terminal services and virtual desktops. Managing

workspace environments with temporary staff, task workers and power users has never pro-

vided any challenges to Scense administrators. The latest release, Scense 8, also addresses the

latest IT challenges and use cases in the same elegant way.

Figure 15: Scense 8

Employee owned devices (BYOD, BYOC and CYOD) - Scense supports unmanaged devices

without the need for a complex to manage and expensive data center for hosted desktops or

terminal server sessions. Earlier versions of Scense have resulted in already tens of thousands

of end users using their own laptop or PC to use corporate applications and resources. As op-

posed to the way previous Scense versions made it possible to do ‘on premises’ BYOD, Scense

will be able to service BYOD remotely over the internet, including software distribution.

The Scense location services and context awareness will address the IT managers’ most urgent

concerns related to fear of data loss or leakage, compliancy rules and, last but not least, dirty

PC’s. At the same time, Scense Live Profiles will ensure a consistent user experience for the

end user by transferring personal application settings between corporate, managed and per-

sonal devices.

Mobile users - Facilitating mobile users with access to corporate applications and data, while

keeping IT regulations in place, has been a challenge for both administrators and end users for

years.

By delivering workspace management over the internet, end users are able to use corporate

resources or add new applications as soon as internet is available. No more hassle with VPN

connections or network cables. At the same time, IT is able to update machines of mobile end

users and enforce IT policies in real time to mobile devices. A mobile user is no longer a risk to,

but a friend of the IT department.

Functionality

Scense contains many unique, innovative, features that focus on user freedom, as well as con-

trol by and cost savings for the IT department. The new service oriented architecture of Scense

extends the reach of these features outside the corporate network.


Smackdown


Figure 16: Scense service oriented architecture

Dynamic Application Delivery and Control - Applications and all related information, like user

settings, policies, drive mappings or printers, are centrally managed and dynamically delivered,

personalized and configured accordingly to the circumstances under which a user operates.

Context aware access to these applications is provided in a secure, safe, efficient and elegant

way.

Conflict Free Provisioning - Scense “Conflict free Workspace Provisioning” is based on a tech-

nology called “Adaptive Installer: unique technology that enables real-time conflict isolation

during the installation of a Windows application. In combination with the integration of all ma-

jor application virtualization vendors, Scense always provides a 100% conflict free workspace,

even on unmanaged PCs and without the need for a client hypervisor.

Scense Live Profiles - A fire and forget solution for user profile management. Workspace and

application related user settings are separately and centrally stored but transparently available

regardless of the version of the Microsoft Windows operating system and accessible through-

out the entire landscape of physical and virtual desktops, laptops, terminal server sessions,

unmanaged PCs and natively installed and virtual applications.

User Workspace Management as a Service - With the support of WCF, the Scense Engines run

within Microsoft’s Internet Information Services. IIS's scalable and open architecture is ready

to handle the most demanding tasks. The switch to WCF also results in a change of communi-

cation protocols, opening up new use scenarios. The full Scense service portfolio will be availa-

ble over the internet, including application distribution.

Real time Monitoring and auditing - Scense’s “Session Control Engine” provides the adminis-

trator with real time information and control over his desktop environment from machine

startup until machine shutdown. Intervene directly, in real time when problems arise. Block

applications instantly, provide the end user with understandable messages, install on the fly

updates or applications and implement new policies when needed.

Self-service and Remote Support - Because of Scense’s session control engine, administrators

are empowered to proactively prevent desktop problems from happening. When issues do oc-

cur, users are encouraged to address these themselves. Repairing applications, refreshing

workspaces or resetting parts of the user-profile are all available to all user types: locked down

or not managed at all. Remote support functionality is available for the rare occasions that it is

really needed.


Smackdown


Architecture

Scense is easy to install, has minimal impact on your existing IT architecture and will support

on premise and hosted environments.

Figure 17: Scense Architecture

The server elements of Scense are installed centrally in the company’s data center or hosted

externally. Scense supports centralized and distributed multi-site implementations. Perfor-

mance and availability can be guaranteed by the use of Network Load Balancing, Database mir-

roring and Scense’s own multi-site support mechanisms.

Scense Database - The Scense database, containing all information and instructions related to applications, user settings, desktop configurations etcetera, is stored on an Oracle or MS SQL database server. Scense agents will contact this database, via the web service, to retrieve in-structions during the clients’ user and computer sessions.

Scense Server - At the heart of the Scense system are the Scense web services. These services are used by the Scense Executive component installed on the clients. The Scense Engine web service communicates tasks received from Scense Executive to the database engine. The Scense web services make full use of IIS’s scalability. Scense will use the communication pro-tocol that best fits the use case in play: http(s), ftp(s) or a WCF communication channel.

Scense File shares - The Scense file shares (App Store and Profile Store) store all the (virtual or physical) application packages that need to be available to end-users as well as multiple histor-ical versions of the Windows profile per user and per application. As soon as an end-user re-quests an application that is not available yet, the application is installed or streamed and started or activated. The user profile for that application is injected during application startup and stored after an application is stopped.

Every client managed by Scense needs the Scense client components. These can be installed

on virtual or physical desktops, on Terminal Servers, on laptops or employee-owned devices

that are not part of the Active Directory. Administrators can use the Scense update manager to

install and update Scense clients in an unattended and reliable way.


Smackdown


Scense Client and Scense Executive - The Scense Client and Scense Executive work together to

execute the Scense instruction on the desktop and give feedback to the user. If the client soft-

ware is unable to retrieve instructions from the Scense database (because the Scense Engine is

not responding) a local database is used, the Local Cache.

Licensing

The Scense Workspace Management Solution is licensed per named user or per device.

5.14 TRICERAT

Introduction

TriCerat has been helping organizations ranging from 20 users to multi-national corporations

address the complexities of virtual environments since 1997. Although the company started

with ScrewDrivers, a product for solving the printing headache in server based computing envi-

ronments; the portfolio has grown to address all of the most common challenges in managing

physical and virtual desktop estates.

The Simplify Suite consists of a set of solutions that enable an administrator to easily manage

all main aspects of the user desktop environment from one pane of glass, while overcoming

the typical complexities found in IT environments today. These solutions include enterprise

profile management, application access restriction, desktop customisation, server stability and

a true print management solution.

The triCerat approach remains true to its ScrewDrivers beginnings, namely to create a fully

scalable solution that gives the right level of functionality to solve the fundamental issues

without adding to the management complexity elsewhere. The result is that not only do com-

mon problem areas get addressed, but triCerat's approach promises that even the most junior

of administrators can quickly get to grips with the console, ensuring customers can quickly

adapt their IT environment to meet the changing needs of their users.

As well as the enterprise tools that form the Simplify Suite, triCerat offers a set of point solu-

tions that offer a quick-fix to issues like slow logons from roaming profiles and the challenge of

scanning in a server based computing environment.

Functionality

TriCerat’s Simplify Suite includes the following solutions:

PROFILE MANAGEMENT

TriCerat’s hybrid profile solution solves all common profile issues like slow logon times, profile

corruption and bloat, while overcoming v1/v2 and 32-/64-bit profile issues encountered when

migrating to a new OS or server platform. Registry keys are migrated into the Simplify data-

base and can be assigned rules (Save/Restore, Set, and Delete) in order to restrict profile bloat

and ensure a fully personalized user profile. A corrupted registry setting can be replaced with

the last known good version that was saved on the database. Folder redirection, drive map-


Smackdown


ping, drive restrictions, and Windows Explorer restrictions can be quickly and easily configured

in the console.

PRINT MANAGEMENT

TriCerat’s driverless printing solutions addresses slow printing, network bandwidth spikes, and

spooler crashes. The proprietary TMF print format achieves an average of 90% compression

rates and the print job streaming minimizes stress on the network. This solution is superior to

universal print drivers because it is compatible with 100% of printers, recognizes advanced

printer functionality, and eliminates the need to install printer drivers on the server. The Active

Directory integration enables proximity printing and through a print server fully supports print-

ing to any device (including thin clients, PDAs etc.).

DESKTOP SECURITY & CUSTOMIZATION

The administrator is given the tools to quickly and easily create a lock down on all aspects of

the user environment including the desktop, start menu, and taskbar functionality. This in-

cludes the triShell OS shell replacement that offers a similar experience across access devices

and is more secure and less memory intensive than the explorer.exe shell.

APPLICATION CONTROL

TriCerat uses trusted and banned lists to together with secure application signatures to control

what applications can be accessed by the user and ensure licensing compliance. Application

access is also location aware, allowing an application to launch depending on whether the user

is in the office or not.

SYSTEM PERFORMANCE

TriCerat’s system performance component ensures system stability and maximizes the number

of quality user sessions on the server by controlling CPU and memory resources. This is par-

ticularly suited for controlling legacy and rogue applications that hoard CPU and affect all users

on the server. Rules are set to first lower the priority and then clamp down CPU on the applica-

tion and user level until normal levels return.

Benefits

TriCerat’s approach to user environment management is not only to cut the costs of managing

an enterprise IT environment, but to do so at a level of complexity that even a junior adminis-

trator on the helpdesk could manage. TriCerat will allow all aspects of the user environment to

be controlled and altered based on the changing needs of users from the straightforward,

powerful Simplify Console. TriCerat offers a superior method to environment management in

the following ways:

• Centralized management for controlling whole user environments. One Active Directo-

ry querying management console is shared between all solutions that comprise the

Simplify Suite. This works with any combination of virtual or physical desktop envi-

ronments, giving administrators an accurate picture of what the user sees on their

desktop.


Smackdown


• Group Policy and script-free management. The Simplify Suite reduces the reliance on

policies and scripts for both setting up and managing the user environment. This re-

duces the time needed for new environment configurations and allows administrators

to quickly apply changes required by the user without the risk of undermining baseline

policy.

• Full personalization for the user and full control for the administrator. User acceptance

of a new environment is ensured by allowing users to personalize their work environ-

ment while administers retain full control. This includes assigning rules to what parts

of the registry are to be save/restored, set, or deleted.

• Solves main migration headaches when changing OS, server bit platform, access devic-

es, and virtualization technology. Migrations throw up unexpected hurdles that affect

profiles, printing and the user desktop experience. TriCerat addresses all of these is-

sues in advance and includes migration tools for bringing existing user settings into a

new environment.

• Reduces helpdesk costs by speeding resolution times. TriCerat overcomes most of the

common problems associated with managing the user environment in real-time, re-

flecting changes immediately on the desktop without requiring the user to restart their

machine. Doing so allows administrators to assist employees in getting back to work

quickly.

• Increased security of the user desktop minimizes threats. Full control of the user desk-

top allows administrators to close all potential security holes that could cause prob-

lems for the user. Should users need further flexibility, changes are simply made in the

console.

Architecture

Simplify Suite modules need to be installed on every machine (workstation, Terminal Server,

virtual desktop) that requires Simplify Suite functionality. The installation of all Simplify Suite

modules comes under 100MB and can be fully automated. The Simplify database is built on a

Microsoft SQL database, which is built on Microsoft standards and thus supports SQL cluster-

ing and maintenance plans for backup and replication.


Smackdown


Figure 18: TriCerat Simplify Suite architecture

Licensing & Pricing

TriCerat products are sold on a per user or per server basis. Product modules that make up the

Simplify Suite (including Simplify Profiles, Simplify Printing, Simplify Lockdown, and Simplify

Stability) can be sold alone or as part of the Simplify Suite. During the time this document was

going to press, triCerat was exploring a SPLA model for managed services partners

5.15 UNIDESK

Note from the author: Unidesk is an increasingly popular desktop provisioning, application delivery, and

management platform in the Server Hosted Desktop (VDI) space. Unidesk’s layering technology is often

used in place of VMware Linked Clones, View Composer, View Persona, and VMware ThinApp by

VMware View customers and in place of Citrix Provisioning Server, Citrix Machine Creation Services, Cit-

rix XenApp, Microsoft App-V, Citrix Personal vDisk, and Citrix Profile Management by Citrix XenDesktop

customers. Unidesk isn’t a User Environment Management solution as such, we believe it is wise to add

Unidesk to this whitepaper and inform you about the functionality and potential.

Introduction

Unidesk is a provisioning and application delivery solution for virtual desktops hosted on

VMware vSphere. Customers use the Unidesk layering platform in combination with VMware

View, Citrix XenDesktop, and other brokers when:

They have a large number of applications that cannot be easily virtualized;

They want to keep the number of gold images to 1 to simplify Windows OS patching

and updates;

They have users who require persistent desktops to keep user-installed applications

and other customizations.

They want to reduce the amount of storage needed for VDI up to 85%.


Smackdown


Benefits

Cost Savings

Reduce storage requirements: Unidesk shares single layers of the OS and applications across many virtual desktops and thin provisions user space to reduce SAN and NAS capacity requirements up to 85% for both persistent and non-persistent desktops.

Reduce OpEx: Customers report that with Unidesk, they can layer almost any application in less than 30 minutes, compared to the days it may require to virtualize the same applications. Also, most Unidesk customers have only 1 gold image for all desktops, compared to the 1 gold image for every 50-100 desktops required by non-Unidesk VDI implementations. The savings in Windows patching and application delivery time alone enables Unidesk to pay for itself in less then 6 months.

Reduce desktop support costs. Unidesk enables Level 1 service desk personnel to repair damaged virtual desktops simply by rolling the desktop’s User layer back to a previous snapshot. Bad registry keys and DLLs, malware, viruses, and other problems can be fixed with a simple reboot, without having to reimage the desktop or lose all user customizations.

IT Benefits

Minimize complexity. Unidesk's interface, "layer cake" approach to creating desktops

and full feature set means fewer point tools to learn.

Simplify application packaging and delivery. Traditional application virtualization re-

quires time and business knowledge to deal with the compatibility issues caused by

process isolation, and there are many applications that cannot be virtualized. Unidesk

can package any application in a fraction of the time. Just install the app the way you

would on a physical PC, and it can be immediately assigned to any number of desk-

tops.

Reduce patching time and costs. With only 1 gold image layer as the basis for all desk-

tops, Unidesk can deliver a virtually unlimited number of Windows hot fixes and up-

dates to all desktops in 1 day, without the patch failure rates typical of agent-based PC

management approaches.

End User Benefits

Full, rich desktop. Unidesk provides a consistently personal desktop experience that

ensures virtual desktop acceptance and enhances job satisfaction by making sure user

data, profile settings, and user-installed applications survive logouts, reboots, patches,

and upgrades.

Quickly receive new applications, updates, and patches from IT. Unidesk accelerates

delivery of new revenue-generating applications and patches needed for security and

compliance without time-consuming install procedures, scripting, or risk of patch fail-

ure.


Smackdown


Repair "broken" desktops instantly. End users don’t have to deal with lengthy desktop

downtime, or worry that personal settings and data will survive an attempted repair.

Unidesk can roll back user-installed applications or surgically repair specific applica-

tions, leaving all user data intact.

Functionality

Simpler, More Powerful Application Delivery

Unidesk can package and deliver applications in a fraction of the time required to virtualize the

same applications. Unidesk can also deliver antivirus, printer/scanner drivers, Office plug-ins,

and the many other applications that traditional application virtualization cannot. With

Unidesk layers, IT administrators can package or patch apps once, then assign them to any or

all desktops. If a mistake is made, they can simply roll the layer back to a previous version to

undo the problem.

Single Image OS Management

With all applications layered separately, all desktops can be created from a single, pristine Mi-

crosoft Windows gold OS layer. Administrators can patch the gold once, and all desktops get

updated. End users won't lose user customizations like they will with cloning solutions. Also,

the patch failures common with agent-based PC configuration tools are no longer an issue be-

cause of how Unidesk composites the new OS layer into every desktop using file system and

Registry virtualization.

100% Persistent Personalization

Profile management only captures user customizations that can be stored in a profile.

Unidesk’s storage-efficient persistent desktops capture everything - including profile settings,

data, and user-installed applications – and eliminate the need for profile management in most

cases.

85% Less Storage

By sharing the same OS and application layers across many desktops and thin provisioning user

layers, Unidesk cuts the VDI storage footprint up to 85% for both persistent and non-persistent

desktops.

Broker Integration Unidesk brokering connectors for VMware View and Citrix XenDesktop en-

able Unidesk desktops to be provisioned directly into View and XenDesktop pools and cata-

logs.Web-Based Management Interface Unidesk’s elegant management interface makes it

easy for administrators to provision, update, manage, and report on their entire VDI estate.

The web-based management console enables administrators to dynamically assemble desk-

tops from a pick list of independently packaged and versioned Microsoft Windows OS and ap-

plication layers.


Smackdown


Figure 19: Unidesk web-based management

Architecture

Unidesk is implemented as a system of “scale-out” virtual appliances that run on existing

VMware infrastructure.

The Unidesk Management Appliance hosts the Web-based management application that is

used by administrators to provision, patch, assign and report on virtual desktops. Only one

Management Appliance is typically needed for a VDI environment. The Management Appli-

ance also manages Unidesk policy and configuration, including information about Unidesk lay-

ers, desktops and users. The

Management Appliance can be

deployed on any host in the virtu-

al infrastructure as long as it can

communicate over TCP/IP with

Unidesk CachePoint appliances

and VMware vCenter Server.

The first Unidesk CachePoint ap-

pliance deployed takes on the

special role of Master CachePoint,

storing all Operating System (OS)

and Application layers. In produc-

tion VDI environments, a dedicat-

ed Master CachePoint appliance

should be deployed on a separate

host server to maximize virtual

desktop performance. The Master CachePoint automatically replicates OS and Application

layers to other secondary CachePoints, where the layers are cached as VMDKs. Layers are rep-

licated only if they are needed by at least one of the desktops associated with a CachePoint.

Figure 20: Unidesk architecture


Smackdown


Each secondary CachePoint caches the OS, Application and Personalization layers for the desk-

tops it hosts. The desktops are created with a small boot image in a VMDK file. At boot, this

disk supplies enough of the desktop operating system to load any drivers or early start services

required prior to the Unidesk filesystem drivers loading. Once the Unidesk drivers are loaded,

the desktop establishes connectivity to the correct OS, Application and Personalization layers,

stored as VMDKs in a directory structure under the CachePoint. All desktops assigned to a

CachePoint share the same OS and Application layers for dramatic storage savings. The Per-

sonalization layer for each desktop is then combined on top of the IT-controlled OS and App

layers. The virtual infrastructure and connection broker see Unidesk desktops as standard vir-

tual machines.

Licensing

Unidesk is based on a perpetual licensing model, with annual Complete Care service (support

and maintenance) mandatory for all purchases. The licensing unit is a Managed Desktop, de-

fined as the number of virtual desktops created, updated, and managed by Unidesk. This may

include persistent desktops (assigned to specific users, retain state, and used only by those us-

ers), non-persistent (don’t retain state, shared by many users e.g. labs), and non-concurrent

(may or may not retain state, shared by multiple users, but not at same time, e.g. shift work-

ers). Customers may purchase 3 years of Complete Care Service upfront in return for a dis-

counted price. Unidesk also plans to add term/subscription licensing options for service pro-

viders and site/enterprise licensing options for large opportunities.

5.16 VMWARE VIEW PERSONA MANAGEMENT

Introduction

Early 2010 VMware acquired certain assets from RTO Software, a provider of user profile man-

agement for Windows desktops and application/performance monitoring tools for desktop vir-

tualization, to enable effective persona management for VMware View.

With VMware View 5, VMware introduced View Persona Management. View Persona Man-

agement preserves user profiles and dynamically synchronizes them with a remote profile re-

pository. View Persona Management does not require the configuration of Windows roaming

profiles, and you can bypass Windows Active Directory in the management of View user pro-

files. If you already use roaming profiles, Persona Management enhances their functionality.

Persona Management downloads only the files that Windows requires at login, such as user

registry files. When the user or application opens other files from the desktop profile folder,

these files are copied from the stored user persona to the View desktop. This algorithm pro-

vides performance beyond that achieved with Windows roaming profiles. In addition, View

copies recent user profile changes to the desktop profile up to the remote repository every

few minutes.

Benefits

View Persona Management minimizes the amount of time necessary for login and logout by:


Smackdown


Downloading at login time only the files that Windows requires for login, such as user

registry files.

Downloading other user profile data only as needed, when the user or application

opens a profile folder on the View desktop. The profile folders appear to contain up-

to-date files, but the data is not downloaded until it is accessed.

Periodically uploading to the remote repository any changes made to the user profile.

The default time between automatic periodic uploads is ten minutes, and this time can

be configured.

Uploading at logout only the user profile changes since the last periodic upload. Be-

cause of the frequent automatic upload of changed user data during the user session,

this final upload does not take a long time.

By minimizing the amount of data uploaded or downloaded at any one time, Persona Man-

agement provides a performance improvement over Windows roaming profiles. A roaming

profile system managed by Windows copies the entire user profile to the local desktop at login

and copies all user profile changes up to the remote repository at logout.

View Persona Management is an alternative to Windows roaming profiles and allows you to

manage user profiles without relying on Active Directory for configuration. Instead, you con-

figure and manage user profiles entirely within the View environment. Any changes you make

to test View Persona Management have an effect only on View desktops and do not have a

global effect on other desktops, such as physical desktops. You can easily reconfigure View to

refine your implementation.

VMware View Persona Management is an integral part of the VMware View solution, which al-

so includes other features such as application provisioning. While other profile management

vendors rely on best practices and “good user behavior” to ensure that data and settings are

included in the Windows profile, the VMware approach is to manage a user’s “personality”.

The user personality encompasses the unique user experience including user data, user set-

tings, and application access, which is more than a Windows profile covers. By integrating per-

sonality management with other components, such as View Manager and View Composer,

VMware View delivers a complete solution to solve our customer’s problems holistically.

Licensing;

Persona Management is free as part of VMware Horizon View 5.x


Smackdown


6. UEM FEATURES COMPARISON

6.1 INTRODUCTION

It’s important to understand that comparing features is the last step in the decision tree. Vi-

sion, Strategy and Technology are the first steps to take. Each User Environment Management

product has its own functionality and feature-set.

It’s key to have an overview of the vendors, solutions and their functionality. Some vendors of-

fer complete and comprehensive sets of functionality while others are focused to deliver a

smaller solution set with specific functionality. Both scenarios are valid, it all depends what

kind of functionality you’re looking for. Keep the strategic questions mentioned in chapter 3.8

in mind!

Below you will find an overview of the various vendors, their solutions and the functionality

they are offering on a very high level. As mentioned in chapter 5 it’s key to understand that dif-

ferent vendors have different focus, approach and solutions to fill in the UEM space. The dif-

ferent focus areas used in the diagram are:

User Profile Management; Manage Windows User profiles; local, roaming, hybrid,

mandatory;

User Personalization, or Application and Desktop Management; Application icons, set-

tings and configuration preferences;

Application Access Control, with User Rights Management or Security Management;

enforce access to applications, persona and context aware.

Resource Management; Application performance optimization and management;

License Management; insights, reporting and enforcing the use of licenses;

Application Delivery: User centric Application Installation with Dynamic Privileges, Us-

er Installed Applications, Streamed and Virtualized applications;

Monitoring, Auditing and Reporting facilities on various levels with focus on the user

environment.


Smackdown


There are a lot of vendors in the User Environment Management space. The diagram below

gives an overview of the focus of the various User Environment Management (UEM) software

vendors. This diagram has nothing to do with the (possible) discussion which vendor provides

the most and the best functionality and features. A complete overview of the features and

functionality is available in this chapter.

Vendor Product

Use

r P

rofi

le M

gmt

Use

r P

erso

nal

isat

ion

Ap

plic

atio

n A

cces

s C

on

tro

l

Use

r R

igh

ts M

anag

eme

nt

Re

sou

rce

Man

agem

en

t

Lice

nse

Man

agem

en

t

Ap

plic

atio

n D

eliv

ery

Mo

nit

or,

Au

dit

an

d R

epo

rt

AppSense DesktopNow

Citrix User Profile Management

Immidio Flex+

Liquidware Labs ProfileUnity

Norskale VUEM Microsoft GPO, GPPrefs, USV

Microsoft UE-V

PolicyPak PolicyPak Application Manager

RES Software Workspace Manager

Scense User Workspace Manager

Tricerat Simplify Suite Quest vWorkspace

VMware Persona Management


Smackdown


Product Version

We did our best to be truthful and accurate in investigating and writing-down the different

features. When you see improvements please let us know. This detailed feature compare ma-

trix is developed with the following products and versions:

Product Version

AppSense Environment Manager 8.4 SP2

AppSense Performance Manager 8.1

AppSense Application Manager 8.7

Citrix User Profile Manager 3.1

Immidio Flex+ 8.1

Liquidware Labs ProfileUnity 5.7

Microsoft Windows Server and Client 2008 R2 and 7

Microsoft User Experience Virtualization 2.0

PolicyPak Application Manager Build 557

Quest vWorkspace 7.2

RES Workspace Manager 2012 SR3

Scense User Workspace Management 8.1

Tricerat Simplify Suite 5.5

Unidesk 2.5

6.2 ROADMAP AND FUTURE ADDITIONS

This document is just the beginning and will be developed and developed in the near future.

We plan to add more feature details of the currently named vendor solutions and want to add

new solutions where applicable. If you have any comments, corrections, or suggestions for im-

provements of this document, we want to hear from you! Please send e-mail to Ruben Spruijt



Smackdown


6.3 FEATURE COMPARE MATRIX

UEM solutions and features

Goal: Detailed description of features

Requirements: Hands-on-experience, vendor involvement

Result: Whitepaper

Method of Execution: Hands-on experience, read articles, communicate with ven-

dors and discuss with colleagues

Used legend:

√ = Applicable; X = Not applicable; --- Not needed ~= It depends; # =under investigation by PQR

A green √ or red X has nothing to do with advantage or disadvantage of a solution. It just pre-

sents the availability of the functionality. Note: It’s out of scope for this whitepaper to explain

the ‘It depends’ remarks’.


Smackdown


6.4 GENERIC FEATURES AND FUNCTIONALITY

Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Management Server / UEM solution

Server instance officially supports 1K concurrent connections √ --- --- √ # X √ √ √ √

Server instance officially supports 2.000 concurrent connections √ --- --- √ # X √ √ √ √

Server instance officially supports 5.000 concurrent connections √ --- --- √ # X √ √ √ √

Server instance officially supports 10.000 concurrent connections √ --- --- X # X √ √ √ √

Server instance officially supports 20.000 concurrent connections √ --- --- X # X √ X √ √

Database instance officially support 20.000 concurrent connections √ --- --- --- # --- --- √ # √

Total supported managed clients per ‘farm≤ 10.000 CCU √ √ √ √ X √ √ √ √ √

Total supported managed clients per ‘farm’ 10K – 25K CCU √ √ √ # X --- √ √ √ √

Total supported managed clients per ‘farm’ ≥ 25.000 CCU √ √ √ # X --- √ √ √ √

Integration with 3rd party systems management solutions √ X X √ X √ X √ X X

Centralized management console √ √ √ √ √ √ √ √ √ √

Web-based management interface √ X X X X X √ X X X

Single centralized management console for support and admin # # ~ # √ √ X √ # √

Windows GUI for Management (includes MMC) √ ~ ~ √ √ √ X X X √

Delegation of control √ √ X √ X √ X √ √ √

Delegation of control, granular delegated administration roles √ √ √ √ X √ X √ √ √

Console supports multiple concurrent administrators √ √ √ √ √ √ √ √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Admin access console with different credentials other than current account details √ # ~ --- --- --- √ √ # √

Console supports Single-Sign-On √ # √ --- --- --- X √ # √

Console supports SQL Authentication # # --- --- --- --- --- √ # √

Configuration check in/out process for multiple administrators √ # X --- --- --- X X # X

Single management console supports 5000+ managed clients √ √ √ √ √ √ √ √ √ √

client endpoint search capabilities across management console √ # X --- --- X X √ X √

Support for (wildcard) searching across management console √ # X X X --- √ √ √ √

Client – Server traffic is secured by design √ √ √ √ # √ √ √ √ √

Management traffic is secured by design √ √ √ √ √ √ √ √ √ √

Management traffic can be Network Load Balanced √ # ~ # # # --- √ # √

Auditing and security logging of admin actions √ # X √ √ √ X √ √ √

Event and error reporting √ √ √ √ √ √ √ √ √ √

Security hardening guidelines public available X X X X X X X X X X

Support low bandwidth/high latency WAN connections √ # √ √ √ √ √ √ # X

PowerShell SDK √ X X X X X X X √ X

Scripting (not including PowerShell) support and command-line interface √ X √ X √ X √ √ X √

Microsoft Group Policy-based management for agent/client settings √ √ √ √ √ √ √ X X X

API Interface (public) and documented √ # X # # X X X # X

Support for Branch/Relay-servers for scalability/minimizing site-2-site traffic √ # ~ # # --- --- √ # √

Client end point merging of multiple separate configurations √ # √ # # √ √ X # #


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Configuration layering within the console √ # # # # √ √ √ # #

Configuration Change Tracking √ # X # # X X √ # √

Product Patching via MSPs √ # √ # # X --- X # X

Microsoft System Center Integration √ # ~ # # √ X √ # X

Schedule Agent Installation for immediate install √ # X # # --- --- X # √

Schedule Agent Installation at next computer start up prior to logon √ # X # # --- --- X # √

Schedule Agent Installation for any given time √ # X # # --- --- X # √

Enable user to postpone agent installation (within predefined timeframe) √ # X # # --- --- X # √

Agent Installation Notification available in multiple languages √ # X # # X --- X # √

Synchronized Agents & Configuration Deployment and Installation √ # --- --- --- --- --- √ # √

Force Agent to Poll Now to pull latest Configuration √ # --- √ √ √ X √ # X

Variable Poll Periods √ # --- √ X √ √ √ # √

Failover support via multiple Management Servers √ # --- # --- --- --- √ # √

Workspace Model to enable/disable UEM features # # √ # --- --- X √ # √

User Self-Initiated refresh /update of UEM configuration (no need to logoff/logon) # # √ --- √ --- √ √ # √

Management Server / UEM solution: Built-in PowerShell Cmdlets for scripted configuration # # # # # # X # # #

Licenses

No external license server required √ √ √ √ √ √ √ √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

First year support and maintenance included in license # # √ # √ √ √ √ √ √

24 x 7 support included in base license √ # X # # X X X X X

24 x 7 support, additional pricing --- # √ # # X √ √ √ X

Built into Operating System X X X √ X X X X X X

Concurrent user/desktop licenses √ √ √ --- √ √ √ √ √ X

Per device licenses √ # √ --- X √ X √ √ √

Per named user licenses √ √ X --- √ X √ √ √ √

Per server licenses √ # X --- X -- X X X X

Enterprise/site license program √ X √ --- # √ √ √ X √

Academic/Education license program √ X √ --- # √ √ √ X √

Government license program √ √ √ --- # √ √ √ √ √

Service Provider license program √ √ √ --- # √ √ √ √ √

Free for personal usage (FFPU) X X X --- X X √ √ X √

Support and Community

Public and active community √ √ √ √ √ √ √ √ √ √

Official training classes available √ X √ X X √ √ √ √ √

Official certification program, VUE or Prometric √ X X X X X X √ X X

UEM technology is proven; the solution is being used for 1+ year in enterprise production en-

vironments. 10K+ endpoint, various deployment scenarios.

√ √ √ √ √ √ √ √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

10+ of public available enterprise (10K CCU) references in EU using UEM solution √ √ √ √ # X X √ √ X

10+ of public available enterprise (10K CCU) references in US using UEM solution √ √ X √ # X X √ √ X

10+ of public available enterprise (50K CCU) references in EU using UEM solution X X X X # X X X X X

10+ of public available enterprise (50K CCU) references in US using UEM solution X X X X # X X X X X

Enterprise Reference Architecture, public available √ X X X # X X √ X X

Professional Services Organization – Business hours multi-lingual support √ √ √ √ √ X √ √ X X

Professional Services Organization - 24h multi-lingual support (possible additional contract) √ √ X √ √ X √ √ X X

Technical Account Manager (TAM) available √ √ √ √ √ X √ √ X √

Management Platform

Management through Active Directory ~ √ √ √ √ √ √ X X X

Management through file share X X √ X X √ √ X X X

Datastore tran1st Line support - Personalization Support Web Consolesfer Protocol - SMB √ √ √ √ √ √ √ √ X √

Datastore transfer Protocol - HTTP(s) √ X X X X X X √ X √

Datastore transfer Protocol - CIFS √ √ √ --- X --- √ √ X X

Datastore transfer Protocol - TCP / configurable and supported √ X --- --- X --- X X √ X

Datastore transfer Protocol - Database specific X X --- --- --- --- --- √ X √

Datastore transfer Protocol – Windows Communication Foundation X X --- --- --- --- X X X √

Datastore / database OS support


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Management through database engine √ X --- --- --- --- √ √ √ √

Microsoft SQL Server 2005 Express Edition √ --- --- --- --- --- --- √ √ √

Microsoft SQL Server 2008/SP1 Express Edition √ --- --- --- --- --- --- √ √ √

Microsoft SQL Server 2008 R2 Express Edition √ --- --- --- --- --- --- √ √ √

Microsoft SQL Server 2005 √ --- --- --- --- --- --- √ √ √

Microsoft SQL Server 2008 R2 √ --- --- --- --- --- --- √ √ √

Microsoft SQL Server 2008/SP2 √ --- --- --- --- --- --- √ √ √

Microsoft SQL Server 2012 √ --- --- --- --- --- --- √ # √

Microsoft SQL Azure X --- --- --- --- --- --- √ X X

Microsoft SQL Server 2008 R2, built-in support for native SQL Mirroring √ --- --- --- --- --- --- √ # √

Oracle Enterprise X --- --- --- --- --- --- √ X √

MySQL Enterprise Server X --- --- --- --- --- --- √ X X

IBM DB2 X --- --- --- --- --- --- √ X X

PostgreSQL X --- --- --- --- --- X X X X

SQLLite X X X X X X X √ X X

Management Server OS support

Microsoft Windows Server 2003 R2 √ --- --- √ --- √ √ --- √ √

Microsoft Windows Server 2003 R2-64-bit √ --- --- √ --- √ √ --- √ √

Microsoft Windows Server 2008 √ --- --- √ --- √ √ --- √ √

Microsoft Windows Server 2008 64-bit √ --- --- √ --- √ √ --- √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Microsoft Windows Server 2008 R2 64-bit √ --- --- √ --- √ √ --- √ √

Virtual (Linux) appliance X --- --- X --- X √ --- X X

Supported Directory Services

OpenLDAP support X X X X X X X X X X

Novell eDirectory official support X X X X X X X √ X X

Novell Domain Services for Windows official support X X X X X X X √ X X

Microsoft Directory Services support; ADS 2003+ √ √ √ √ √ √ √ √ √ √

Microsoft Read Only Domain Controllers (RODC) √ # √ # # # √ √ # √

Supported Protocols for all UEM related components

TCP/IP v4 √ √ √ √ √ √ √ √ √ √

TCP/IP v6 # # √ √ √ √ √ ~ # X

UEM Software Architecture

Software and Agents available as 32bits component √ √ √ √ √ √ √ √ √ √

Software and Agents available as 64bits component, native 64 bits components √ # √ √ √ √ X √ # √

Client (endpoint) Operating System support

Microsoft Windows 8.0 / 8.1 (x86/x64) √ X √ √ √ √ √ √ X √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Microsoft Windows 8 RT X X X X X X X X X X

Microsoft Windows 7 Professional √ √ √ √ √ √ √ √ √ √

Microsoft Windows Vista Professional √ √ √ √ √ √ √ √ √ √

Microsoft Windows XP Professional √ √ √ √ X √ √ √ √ √

Microsoft Windows Server 2003 R2 √ √ √ √ X √ √ √ √ √

Microsoft Windows Server 2008 √ √ √ √ X √ √ √ √ √

Microsoft Windows Server 2008 R2 √ √ √ √ √ √ √ √ √ √

Microsoft Windows Server 2012 √ √ √ √ √ √ √ √ √ √

Windows XPe √ √ √ √ X √ √ √ √ √

Windows Embedded Standard 7+ √ √ √ √ √ √ √ √ √ √

Mac OS X X X X X X X X X X X

Unix flavors X X X X X X X X X X

Linux flavors X X X X X X X X X X

EPOC / Symbian X X X X X X X X X X

Wyse Thin OS (WTOS) X X X X X X X X X X

Apple iPhone/iPod IOS v6.x X X X X X X X X X X

Apple iPad IOS v6.x X X X X X X X X X X

Google Android v2.x X X X X X X X X X X

RIM BlackBerry X X X X X X X X X X

Windows Phone 7/8 X X X X X X X X X X


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Client/User Session Environment

Agent technology, Helper √ X X X X X X √ X X

Agent technology, AppInitDLL √ X X X X √ X X X X

Agent technology, Service √ √ √ X √ √ X √ X √

Agent technology, Service (hooks WinLogon) √ X X X X X √ X √ X

Agent technology, Service (parent process) √ X X X √ √ √ √ X X

Agent technology, Kernel mode filter driver √ √ X X X X X √ X √

Agent technology, Executable X X √ X X X √ X X √

Option to run agent-free (no installation on Client system) X X √ X X X √ X X X

Command-line parameters √ X √ --- √ √ X ~ # √

Uses file system driver √ √ X --- X --- X √ # √

No kernel-mode component required √ √ X √ √ √ √ X √ √

Component with elevated user rights √ √ --- X X X √ √ # √

User self-service component √ X √ X X X ~ √ # √

Application Delivery integration

Citrix XenApp X --- √ √ √ √ √ √ X √

Microsoft RDSH – RemoteApp (native or MSI) X --- √ √ √ √ √ √ √ √

Microsoft Application Virtualization, App-V (native or MSI) √ --- √ X √ √ X √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Mgr

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

LWL

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Symantec Workspace Virtualization (native or MSI) X --- X √ X √ X √ X √

VMware ThinApp (native or MSI) X --- √ √ X √ √ √ √ √

Citrix XenApp Streaming --- --- √ X X √ X √ --- ---

Microsoft MSI # --- √ X √ √ √ √ √ √

User Experience

Reverse seamless functionality: Windows- and Web application integration X X X X X X X √ X X


Smackdown


6.5 USER PROFILE MANAGEMENT

Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix

Use

r P

rofi

le M

anag

er

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Methodology

Profile segmentation / partitioning / separation / decoupling √ X √ --- --- --- √ X √ √

Profile redirection/ streaming / virtualization √ √ √ --- √ --- √ √ √ √

Granularity and decoupling apps requires app setting knowledge ~ √ √ --- √ √ √ √ √ √

Migration

Replaces Windows Roaming Profiles √ √ √ --- √ --- √ √ √ √

Migrate from local or roaming profiles √ √ √ --- X --- √ √ √ √

Migrate from competing products √ √ √ --- X --- √ √ √ √

Migrate v1 to v2 profiles automatically √ X √ X X X √ √ X √

Migrate individual apps across versions √ X √ X X √ √ √ X √

Migrate for managed (UEM) profile back to Windows native profile √ # # # # # √ √ # √

Base Profile support

Local Profiles √ √ √ --- X --- √ √ √ √

Roaming Profiles √ X √ --- X --- √ √ X √

Mandatory Profiles √ √ √ --- X --- √ √ √ √

Streamed Profiles --- --- √ --- √ --- √ X √ X


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix

Use

r P

rofi

le M

anag

er

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Works independent of Roaming Profiles √ √ √ --- √ √ √ √ √ √

User Profile Data Store

Windows File share √ √ √ √ √ X √ √ √ √

Management through database engine √ X --- --- X --- X √ √ √

Datastore transfer Protocol - SMB √ √ √ √ √ √ √ √ X X

Datastore transfer Protocol - HTTP(s) √ X X X X X X X X X

Datastore transfer Protocol - CIFS √ √ √ X X X √ √ X X

Datastore transfer Protocol - TCP / configurable supported √ X X X X X X X √ √

Datastore transfer Protocol - Database specific X X X X X X X √ X X

Datastore transfer Protocol - DCOM X X X X X X X X X X

Built-in replication/synchronization √ X √ X √ --- √ √ √ √

Data compression before transfer √ X √ X √ √ √ √ √ √

Synchronization of data is based on delta’s √ # # # # # √ √ # √

Data streaming during profile transfer --- X X X # --- X X # X

Parallel processing of logon actions √ --- √ X √ √ √ √ √ X

Support for Client Side Extensions √ # # # # # X X # X

Profile Management

Personalization loaded on demand (at app launch) for locally installed applications √ ~ √ X √ √ X √ X √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix

Use

r P

rofi

le M

anag

er

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Personalization loaded on demand (at app launch) for virtualized applications √ # # # √ √ X ~ # √

Personalization templates √ # # # # # √ √ # X

1st Line support - Personalization Support Web Console √ # # # # # X X # X

Automatically capture application personalization √ X √ X √ X √ √ X √

Automatically translate OS version properties √ X √ X X X √ √ X √

Built-in user profile snapshots √ X √ X X X X √ X √

User self-service and profile management √ # # # # # ~ √ # √

Cross-application delivery mechanism support (v-apps etc) √ X √ X √ √ √ √ X √

Cross-architecture support (32-bit & 64-bit) √ X √ √ √ √ √ √ √ √

Cross-operating system support for desktop settings √ X √ √ √ √ √ √ √ √

Discovery mode √ X √ X √ X X √ X √

Builtin Reporting √ X X X X X √ √ X X

Isolation/Virtualization/Redirection of application settings √ X X X # √ √ X √ X

Last write wins - Per Application √ X √ X √ X √ √ √ √

Last write wins - Per Session √ √ √ √ √ √ √ √ X √

Migrate from local or roaming profiles √ √ √ √ X X √ √ √ √

Offline (Cached) Mode √ X √ X √ √ √ √ X √

Pre-cache personalisation on new machines X X √ √ √ √ √ X X X

Support for Terminal Server /desktop silos √ √ √ √ √ √ √ √ √ √

Supports user certificates √ √ √ √ --- --- √ √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Cit

ix

Use

r P

rofi

le M

anag

er

Imm

idio

Fle

x+

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

Wo

rksp

ace

Mgr

Qu

est

vW

ork

spac

e

Sce

nse

Use

r W

ork

spac

eM

gr

Return to local or roaming profiles √ √ √ --- X --- √ √ √ √

Application Virtualization support

Citrix XenApp √ √ √ X √ √ √ √ X √

Microsoft Application Virtualization, App-V √ X √ X √ √ √ √ X √

Symantec Workspace Virtualization √ X X X X √ √ √ X √

VMware ThinApp √ X √ X X √ √ √ X √

Novell ZENWorks / Spoon.Net X X √ X X √ √ X X X

Cross Platform Personalization support

Cross-application delivery mechanism support (native, virtual, hosted apps etc.) √ X √ X √ X √ --- √ √

Cross-architecture support (32-bit & 64-bit) √ X √ √ √ √ √ --- √ √

Cross-operating system support for desktop settings √ X √ X √ √ √ --- X √


Smackdown


6.6 USER PERSONALIZATION, APPLICATION AND DESKTOP MANAGEMENT

Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Policy configuration component √ √ √ # √ √ √ √

Extendable with 3rd party tools √ ~ X # √ X X √

Processing of configuration during Windows Logon √ # √ # √ √ √ √

Parallel processing of logon actions √ √ √ X X X √ √

Multithreading of logon actions √ # X # X √ X X

Policy component supports granular configuration √ √ √ # √ √ √ √

Can execute custom code (scripts, external EXE) √ √ √ # √ X √ √

Lockdown and removal of OS and 3rd party application UI/content √ X √ # ~ √ √ √

Healing of processes, registry keys, services and files √ X X X X √ √ X

Can define an application as a global object ~ --- √ # --- --- --- √

Native Action triggers

User Logon √ √ √ √ √ √ √ √

User Logoff √ √ √ √ ~ X √ √

Group Policy Refresh X X √ X √ √ X X

Delayed Event √ X X X X X √ √

Application Start √ √ X X X √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Application Stop √ √ X X X X X √

Network Connect √ X X X √ √ √ X

Network Disconnect √ X X X X X √ X

Session Reconnect √ √ X X X X √ X

Session Disconnect √ √ X X X X X X

Session Lock √ √ X X X X X X

Session Unlock √ √ X X X X X X

Process Start √ √ X X X X √ X

Process Stop X √ X X X X X X

Application Install X X X X X X X X

On Error √ X X X X X X X

Computer Startup √ X √ # √ √ X √

Computer Shutdown √ X √ # ~ X X √

Process Start – From UNC Path √ √ X # X X X X

Manual / Scripted / On Schedule √ √ √ # √ √ √ √

Native policy actions

Copy files and/or folders √ √ √ √ √ X √ √

Desktop background √ ~ √ √ √ X √ √

Devices √ X √ # √ X √ X


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

E-mail profiles X ~ √ √ X X √ X

Environment variables √ √ √ √ √ √ √ √

File-type associations √ √ √ X √ X √ √

File and Folder actions √ √ X # √ X √ √

Folder Redirection √ ~ √ √ √ X √ X

INI files √ √ √ √ √ √ √ √

Internet Settings √ ~ √ √ √ √ √ X

Internet Explorer settings √ ~ √ # √ √ √ X

Local users and groups X X X X √ X √ √

Network Drives √ √ √ √ √ X √ √

Shortcuts √ √ √ √ √ X √ √

ODBC data sources √ ~ √ √ √ X √ X

Power options √ X √ X √ X √ X

Printers √ √ √ √ √ X √ √

Regional options √ ~ √ √ √ √ √ X

Registry keys and values √ √ √ √ √ √ √ √

Scheduled tasks X X X X √ X √ √

Screen saver √ ~ √ √ √ √ √ X

Start Menu options √ ~ √ √ √ √ √ X

VPN and dial-up connections X X √ √ √ X √ X


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Windows Explorer folder option √ ~ √ √ √ X √ X

ADM / ADMX templates √ X X X √ --- √ X

Message Boxes √ ~ √ √ X X √ √

Configure Microsoft Fax client X X √ √ X X X X

Microsoft Office File locations √ X √ √ √ √ √ X

Microsoft Office preferences √ X √ √ √ √ √ X

Microsoft Outlook preferences √ X √ √ √ √ √ X

Outlook Express √ X √ √ X √ √ X

Remote Desktop Connection client settings X X √ √ X √ X X

Windows options √ ~ √ √ √ √ √ X

Windows services √ X √ √ √ X X X

Text File Update √ X X X X √ √ √

Text File Search √ X X X X X X X

File & Folder Copy √ √ X X √ X √ √

Ability to write your own Custom Policy Actions √ √ √ X X X X √

Folder mirroring √ # √ # X X X X

Folder Synchronization √ # √ # X X √ X

Custom VBScript queries for Actions √ √ X X X X X √

Custom JScript queries for Actions √ # X # X X X √

Customer PowerShell queries for Actions √ √ X X X X X X


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Only Copy ‘New’ or ‘Changed’ items, files or folders √ √ X X X X √ √

Ability to Mirror Folder to mirror source if files are removed √ √ X X X X √ X

Synchronize Folder, unlike Mirror this is a two way process √ X X X X X √ X

Built-in rules / native conditions

Active Directory Site √ √ √ √ √ √ √ √

Client Computer Domain √ √ √ √ √ √ √ √

Client Computer Group √ X √ √ ~ ~ √ √

Client Computer Organisational Unit √ √ √ √ √ √ √ √

Client Connection Protocol √ X √ X X √ √ √

Client IP Address / Address Range √ √ √ √ √ √ √ √

Client NetBIOS Name √ √ √ √ √ √ √ √

Client Screen Colour Depth √ X X X # √ √ √

Client Screen Resolution √ X X X √ X √ √

Computer Chassic Type # # X # # # √ √

Computer Domain √ √ √ √ # √ √ √

Computer Group √ X √ √ √ √ √ √

Computer IP Address / Range √ √ √ √ √ √ √ √

Computer MAC Address / Range √ X √ √ √ √ √ √

Computer Name (DNS / NetBIOS) √ √ √ √ √ √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Computer Organizational Unit √ √ √ √ √ √ √ √

Operating System Service Pack √ √ X # √ √ √ √

Operating System version √ √ √ √ √ √ √ √

Operating System bit level (x86/x64) √ √ √ √ √ √ √ √

Published Application Name √ X X X √ √ X X

User Group √ √ X # √ √ √ √

User Is Administrator √ X X X √ √ √ √

User Name √ √ √ √ √ √ √ √

User Organisational Unit √ √ √ √ √ √ √ √

User Primary Domain Group √ X √ √ √ √ √ √

User Domain √ √ √ √ √ √ √ √

Initial Program X X X X X X X √

Working Directory X X X X X X X √

Session Name X X √ √ X X √ √

WMI Query X X X X √ √ √ √

File / Folder match (exists, version) √ √ X X √ √ √ √

Battery is present X √ √ X √ √ √ √

CPU speed X X √ X √ √ √ √

CPU Architecture (x86/x64) √ X X X √ √ √ √

Number of CPU’s X X X X √ √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Wireless Connected network (SSID) X X X X X X √ X

Wireless Nearest access point (BSSID) X X X X X X √ X

Date/time match √ X √ X √ √ X √

Disk space X X X X √ √ X √

Environment variables √ √ √ X √ √ √ √

Language (user / system) X X √ X √ √ √ √

Custom LDAP query √ X X X √ √ X √

MSI query X X X X √ √ X √

Network connection type (VPN, Dailup etc.) X X √ X √ √ √ X

PCMCIA slot is present X X X X √ √ X X

Portable computer (Laptop) X √ √ √ √ √ √ √

Terminal Server √ √ √ √ √ √ √ √

Domain Controller √ X √ √ √ √ √ √

RAM size X X X X √ √ √ √

Registry match √ √ √ X √ √ √ √

Time range √ X X X √ √ ~ √

GP Processing Mode # X X X √ √ X X

Connection type (LAN/dialup) X X √ X √ √ √ √

VMware View client name √ X √ √ X X √ √

User interaction - Yes/No response √ X X # X X √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

pN

ow

Imm

idio

Fle

x+

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft G

P &

GP

Pre

fs

Mic

roso

ft U

E-V

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Custom VBScript queries √ ~ X # X X X √

Custom Jscript queries √ ~ X # X X X √

Counter Condition – Run Once >>Run many √ ~ √ # √ √ √ √

Ability to write your own Custom Policy Conditions √ √ √ # X X X √

Custom VBScript queries for Conditions √ √ √ # X # X √

Custom Jscript queries for Conditions √ √ √ # X # X √

Custom PowerShell queries for Conditions √ √ √ # X # X X

Custom PowerShell queries √ ~ X # X # X X

If .. else condition √ √ √ # √ √ X √

Remote Host/URL X X X # # # √ √

Session Type √ X X # √ √ √ √

USB storage device, serial and vendor/product X X X # X X √ X

Any AD User Property (User settings from the user account) X X X # √ √ √ √

WiFi AccessPoint connectivity (BSSID) X X X X X X √ X


Smackdown


6.7 APPLICATION ACCESS CONTROL, SECURITY MANAGEMENT

Functionality Ap

pSe

nse

De

skto

p N

ow

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Logging (product specific) √ √ √

Application access based on Active Directory User identity √ √ √

Application access based on Active Directory Group membership √ √ √

Application access based on Active Directory OU membership X √ √

Application access based on Novell User identity X √ X

Application access based on Novell Directory Group membership X √ X

Application access based on UEM Administrative Roles (RBAC) √ √ X

Alerting (action send mail) √ √ X

Alerting (SNMP) √ √ X

Event triggering (run scripts or custom action) √ √ √

Number of Application Instance limits √ √ X

Application Termination √ √ X

Terminate Application based on change to client name or IP address √ √ X

Application Clean Closure √ √ X

Display warning / Dialog box √ √ √

Blocked file archiving (move rule-blocked file to archive) √ X X

Application level Network Access Control √ √ X


Smackdown


Functionality Ap

pSe

nse

De

skto

p N

ow

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Permit access to authorized IP addresses √ √ X

Deny access to prohibited IP addresses √ √ X

Permit access to authorized UNC paths √ √ X

Deny access to prohibited UNC paths √ √ X

Permit access to authorized host server names √ √ X

Deny access to prohibited host server names √ √ X

Permit access to authorized TCP/UDP ports √ √ X

Deny access to prohibited ports √ √ X

End Point Analysis Scan √ √ X

Application Usage scan √ √ X

User Rights / Privilege discovery mode / reporting √ √ X

Auditing and reporting of self-elevation √ X X

Elevate/Reduce user right for Applications √ √ √

Elevation/Reduce user rights to Control Panel Applets √ √ X

Elevate user rights on the internet for ActiveX / Web Installations √ X X

Elevate user rights for Application Installations √ √ √

Self-Elevation of user rights on demand with White & Black list options √ √ X

If application is Elevated, option to not elevate Child Processes spawned from the raised Application √ X X

If application is Elevated, option to not elevate Secure Dialog Boxes within the raised Application √ X X

Does not create and depend on a Local Adminstrator account on the machine for Elevation of User Rights √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

p N

ow

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Redirect a requested URL to a specified safe URL √ X X

Redirect an already open URL when context/condition changes √ X X

Redirect URL based on full URL address √ X X

Redirect URL based on Sub-Directory of address √ X X

Redirect URL based on use of Wild Cards √ X X

Time Based Application Access √ √ √

Security/blocking approach

Whitelisting √ √ √

Blacklisting √ √ X

(Certificate based) vendor trusting √ X X

User specific rights √ √ √

Trusted Ownership / Owner of file √ X X

SHA#1 Digital Signature of file √ X X

Contextual nodes/levels (block based on …)

Active Directory Site √ √ √

Any Active Directory User property X √ √

User √ √ √

Group √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

p N

ow

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Organizational Unit (OU) √ √ √

Device (detail; IP, computer name etc. ?) √ √ √

Computer Chassis type X √ √

CPU speed X √ √

CPU architecture (x86/x64) X √ √

CPU Number of processors X √ √

Memory (minimum installed) X √ √

Screen resolution X √ √

Screen color depth X √ √

CD/DVD (present/not present) X √ √

Client IP Address/Address range (local device) X √ √

Client name (local device) X √ √

Environment variables √ √ √

File √ √ √

File version X √ √

Folder √ √ √

USB Storage Device (Serial number/ Vendor & Product ID) X √ X

Operating System bit level (x86/x64) √ √ √

Operating System Version X √ √

Registry Setting & Value √ √ √


Smackdown


Functionality Ap

pSe

nse

De

skto

p N

ow

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Remote Host (Ping/Port/HTTP/HTTPS) X √ X

Listener Name X √ X

Wireless Connected network (SSID) X √ X

Wireless Nearest access point (BSSID) X √ X

Session Type (Local Desktop/Remote Desktop/Remote Application) X √ √

Process √ √ √

Access Time √ √ √

Connection Type (e.g. RDP, ICA etc..) √ √ √

Port Number √ √ X

Output of VBScript √ X √

Output of PowerShell script √ X X

Output of jScript √ X X

Application / File vendor √ X X

Application / File product name √ X X

Application / File company name √ X X

Application / File description √ X X

Application / File product version (minimum and maximum) √ √ √

Product version (maximum and minimum √ √ √

Block/filter types/details (what to block)


Smackdown


Functionality Ap

pSe

nse

De

skto

p N

ow

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Filename √ √ X

Filename Extension √ √ X

Folder √ √ X

Drive √ √ X

Removable Drive √ √ X

Signature √ √ X

Network Connection √ √ X

URL Filtering √ √ X

Software Installation √ √ X

Sessions X √ X

Registry keys X ~ X

Scripts √ √ X

Security levels

Security disabled (Unrestricted) √ √ X

Learning mode (Audit only) √ √ X

Self-Authorize √ X X

Security enabled (Restricted) √ √ X

Other


Smackdown


Functionality Ap

pSe

nse

De

skto

p N

ow

RES

Wo

rksp

ace

Mgr

Sen

se W

ork

spac

e M

gr

Ability to prevent malicious changes to alter file integrity √ √ X

Limit # of user-application sessions √ √ X

6.8 RESOURCE MANAGEMENT

Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Logging (product specific) √ √

Alerting (action send mail) √ √

Event triggering (run scripts or custom action) √ √

Reporting / trending √ √

Fast Session Logoff (background logoff processing) √ √

Timed statistics collection √ X


Smackdown


Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Throttling options

Share based CPU throttling √ X

Share based Memory throttling √ X

Share based Disk throttling √ X

Limit based CPU throttling √ X

Limit based Memory throttling per user √ √

Limit based Memory throttling per application/process √ X

Limit based Memory throttling per session √ √

CPU reservations √ X

CPU affinity √ X

Set CPU conditions/thresholds √ √

Set application specific CPU conditions/thresholds √ √

Optimization conditions

Window state (minimized, foreground background etc.) √ √

Session state (idle, disconnected, locked etc.) √ X

Detailed reporting on resource usage √ X

Other

Memory optimization √ √


Smackdown


Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

CPU/thread optimization √ √

6.9 LICENSE MANAGEMENT

There is a lot to write about License Management in the context of User Environment Management. In forthcoming versions of the whitepaper

more features will be analyzed and described.

Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Assign license costs per app X √

License types

Companywide license √ √

Server license √ √

Per seat license √ √

Per named user license √ √


Smackdown


Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Per concurrent user license √ √

Per device license √ √

Per device license (approved by ISV/Microsoft) X X link here

http://social.technet.microsoft.com/Forums/windowsserver/en-US/6045773a-ab5c-48bb-916b-a19923e85db6/ms-licensing-restricting-ts-apps-microsoft-supported-methods-gpo-or-appsense


Smackdown


6.10 MONITORING, AUDITING AND REPORTING

There is a lot to write about Monitoring, Auditing and Reporting in the context of User Environment Management. In forthcoming versions of

the whitepaper more features will be analyzed and described.

Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Monitoring

Session processes √ √

Session CPU usage √ √

Session Memory usage √ X

User logon/logoff process √ √

Auditing

End-point audit information available (allow/deny access) √ X

Audit change log (generic) √ √

Audit change log (detailed per object) √ √

Review user logon and logoff process with history √ √

Reporting


Smackdown


Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

End-point software inventory √ √

End-point software usage inventory √ √

Resultant set of user specific applied UEM settings (logging) √ √

Resultant set of user specific applied UEM settings (planning) √ √

Export configuration / settings for documentation purposes √ √

Report application usage √ √

Report sessions usage √ √

Report application/license use per user √ √

Report application/license use per OU X √

Report application/license use per device X √

Report application/license use during a specific time frame √ √

Report application/license use by session state. X √

Report users per application √ √

Reporting application CPU usage per user/computer/OU √ √

Report website usage √ √

Report license usage √ √

User Analysis by IT support

Location and Devices (contextual user information) X √


Smackdown


Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Account Properties (UEM/Active Directory/IT Store Services) X √

Application Access X √

File Types associations X √

E-mail Settings X √

Data Sources X √

Environment Variables X √

Commands (VBscript/PowerShell) X √

Drive and Port Mappings X √

Drive Substitutes X √

Folder Redirection X √

Folder Synchronization X √

User Home Directory X √

User Profile X √

Microsoft Configuration Manager tasks X √

Printers X √

User Registry/Policy X √

User Settings (view actual configuration) X √

User Settings (export configuration including registry and file/folders) X √

User Settings restore X √


Smackdown


Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Application Security log X √

User Installed Applications log X √

Website security log X √

Removable Disks log X √

File and Folder log X √

Network Connections log X √

User Sessions X √

UEM Event Log X √

Performance events X √

Microsoft Remote Assistance Integration X √

UEM Self-Service in a controlled User Environment

Restore profile data √ √

Application start-up X √

Application desktop short-cuts X √

Application pin to task bar X √

Desktop background picture X √

Screensaver X √

Swap mouse buttons X √


Smackdown


Functionality Ap

pSe

nse

Mgm

t Su

ite

RES

Wo

rksp

ace

Mgr

Remarks

Usage statistics X √

Set default printer based on location (including local printers) X √

View context information X √

Language X √

Configuration refresh X √


Smackdown


7. CONCLUSION

Which User Environment Management solution is THE best?!; Good Question! But without a

better understanding of the complete picture and the requirements in general it is impossible

to give an accurate and profound answer. In essence it depends on various areas as mentioned

in detail in paragraph 3.8 ‘Strategy’.

Key areas for your User Environment Management strategy are:

Are you investigating a tactical (point)-or strategic solution? What do you want to solve?

What’s your desktop delivery and migration strategy for Windows 7?

How do you take care of profile changes during a migration (v1 and v2)? What is your role-

back strategy when all the user and application settings are migrated to Windows 7?

Is work shifting a key driver for the Optimized Desktop? How are the roaming/flexible and

mobile users within the organization facilitated?

How do you achieve consistent and uniform user environment across Desktop, Laptop,

VDI, Terminal Services in managed and un-managed scenarios?!

How do you design, control and maintain logon scripts and user profiles? Are you facing

long logon times to your environment and applications? Would your end-users benefit

from a Profile clean-up? Are you facing profile corruption?

How do you handle all the application and user preferences such as printers, file-types,

drive mappings, access to applications, data, and network resources and application set-

tings? How many people really understand the complex and often legacy internal scripts?

How agile are these scripts and settings?

Is Application Virtualization in scope, how do you handle application preferences in a

mixed OS and Application, and Desktop Delivery infrastructure?

Do you need context awareness? Based on user/role, device, location and various settings

access to application resources is controlled and enforced when needed.

What is your Application and Desktop Delivery solution in BYOC scenarios? How do you

deliver applications to these (un-managed) devices? What is the role of UEM?

Does the end-user need the ability to install and update applications? Is User Installed Ap-

plications functionality needed? Does the user have the correct privileges to install, or up-

date software?

How do you control, administer, audit and report which user has access to which applica-

tion from specific devices or locations? How do you control application usage, user rights

management?

What solutions do you use to make sure you’re compliant? Can you measure, track and

enforce licensing? How do you currently license per device applications such as Microsoft

Project and Microsoft Visio?

Are billing, license-management, reporting and/or charge-back of the delivered applica-

tions needed?

Do you want to offer a Self-Support tool to your users to reduce the amount of Helpdesk

calls?


Smackdown


Does the User Environment Management solution need to be proven and mature? What is

your definition of proven?

Is “Layering the cake” / separation of Operating System - Application - and User Prefer-

ences part of the overall desktop strategy?

Bottom Line: Does IT have focus on your end-user?!

It’s important to have a Vision and Strategy around Application and Desktop Delivery. User En-

vironment Management needs to be part of this Vision and Strategy. Designing, building, man-

aging and maintaining the Optimized (Virtual) Desktop infrastructure using the right technolo-

gies, corresponding vendors and products is the destination.

“This whitepaper is a useful resource in this journey!”


Smackdown


8. CHANGE LOG

Date June 2011 v1.0 - Initial Release

Date June 2011 v1.0.3 – Minor layout fixes + minor RES fixes in tables.

Date June 2011 v1.0.4 – Minor layout fixes

Date November 2011 v1.1 – Community and vendor feedback

Re-read and reviewed the complete document

Removed some typographical errors

Added information in chapter 1 to highlight objectives, suggestions and

improvements

Introduced the term business-consumer besides of end-user

Added chapter 3.3, ‘Layering the cake and Application Delivery’

Added information in chapter 3.4, ‘User Centric Computing’

Updated chapter 3.7, ‘Why UEM’

Updated chapter 3.8, ‘UEM Functionality’; different naming to stretch the

functionality and Desktop Transformation

Updated Chapter 3.9, ‘UEM Strategy’ and added new strategic questions.

Updated chapter 3.11, ‘What’s a name’ and added table ‘Overall terms and

definitions’

Updated chapter 3.12, ‘FAQ’

Updated chapter 4.2, ‘User Personalization’ header and small items in text

Updated chapter 4.3, ‘Application Access Control’ header and small topics in text

Updated chapter 4.5, ‘Licensing’ - small topics in text

Updated chapter 4.6, ’Monitoring, Auditing and Reporting’ small topics in text

Updated chapter 4.7, ‘Application Delivery’ in context of UEM;

Updated chapter 5.1 and 5.2 to highlight the goal and focus of the vendor solution

matric

Updated chapter 5.2, ‘vendor solutions matrix’

Updated chapter 5.3.2, AppSense functionality - License Control

Updated chapter 5.5, ‘Immidio’, introduction, functionality and pricing

Updated chapter 5.9, ‘RES Software’

Updated chapter 5.9.6, ‘RES Dynamic Desktop Studio’

Updated chapter 6.1, ‘Introduction’ and ‘vendor solutions matrix’

Updated chapter 6.2, ‘Product version’

New features added:

o Management Server / UEM solution, Database instance officially support

20K concurrent connections

Features updated, Generic Features and Functionality

o Management Server / UEM solution. Server instance officially supports

X.XXX concurrent connections


Smackdown


o Licenses, Education license program

o Support and Community; 10+ of public available enterprise (50K CCU)

references in EU using UEM solution

o Support and Community; Professional Services Organization

o Client (endpoint) Operating System support; Windows 8

Features updated, User Profile Management

o Action triggers, Process Start – From UNC Path

o Native policy actions, Text File Update

o Native policy actions, Text File Search

o Native policy actions, File & Folder Copy

o Built-in rules / native conditions, Counter Condition – Run Once >>Run

many

Features updated, Application Access Control

o Display warning / Dialog box

o Auditing and reporting of self-elevation

o Elevate/Reduce user right for Applications

o Elevation/Reduce user rights to Control Panel Applets

o Elevate user rights on the internet for ActiveX / Web Installations

o Elevate user rights for Application Installations

o Self-Elevation of user rights on demand with White & Black list options

Features updated, License Management

o Per device license (recognized and approved by ISV /Microsoft)

Features changes: AppSense

o Concurrent user/desktop licenses

o Per device licenses

o Enterprise/site license program

o Academic/Education license program

o Service Provider license program

o Integration with 3rd party systems management solutions

o Scripting (none PowerShell) support and command-line interface

o Datastore transfer Protocol - TCP / configurable and supported

o Client/User Session EnvironmentAgent technology, Service (hooks

WinLogon)

o Lockdown and removal of OS and 3rd party application UI/content

o Built-in rules / native conditions, Operating System Service Pack

o Built-in rules / native conditions, Operating System version

o Built-in rules / native conditions, User Domain

o Built-in rules / native conditions, File / Folder match (exists, version)

o Built-in rules / native conditions, Date/time match

o Built-in rules / native conditions, Environment variables

o Built-in rules / native conditions, Terminal Server

o Built-in rules / native conditions, Registry match

o Built-in rules / native conditions, Time range


Smackdown


o Built-in rules / native conditions, User interaction - Yes/No response

o Block/filter types/details (what to block), URL Filtering

o Block/filter types/details (what to block), Software Installation

o Block/filter types/details (what to block), Sessions

o Block/filter types/details (what to block), Registry keys

o Block/filter types/details (what to block), Scripts

o Throttling options, Share based Memory throttling

o Throttling options, Limit based Memory throttling per user

o Monitoring, Session processes

o Monitoring, Session CPU usage

o Monitoring, Session Memory usage

o Reporting, Resultant set of user specific applied UEM settings (planning)

o Reporting, Report sessions usage

o Reporting, Report application/license use per user

o Reporting, Report application/license use per OU

o Reporting, Report application/license use per device

o Reporting, Report application/license use during a specific time frame

o Reporting, Report application/license use by session state

o Reporting, Report users per application

o Reporting, Reporting application CPU usage per user/computer/OU

o Reporting, Report website usage

o Client/User Session Environment

o Agent technology, Service

o Agent technology, Service (parent process)

o Agent technology, Kernel mode filter driver

o Command-line parameters

o UPM, Migrate from competing products

o UPM, Migrate individual apps across versions

o Built-in rules / native conditions, Domain Controller

o Block/filter types/details (what to block), Scripts

RES Software Features updated

o Management Platform, Datastore transfer Protocol – SMB

o Management Platform, Datastore transfer Protocol – CIFS

o Agent technology, Service

o Agent technology, Kernel mode filter driver

o User Profile Datastore, Datastore transfer Protocol - SMB

o User Profile Datastore, Datastore transfer Protocol - CIFS

o User Profile Datastore, Built-in replication/synchronization

o User Profile Datastore, Parallel processing of logon actions

Immidio FlexProfiles Fetures update

o Personalisation loaded on demand (at app launch)

Added information in chapter 7, ‘conclusion’

Added chapter 8, ‘change log’


Smackdown


Date November 2011 v1.11

Added VMware Persona Management vendor information in Chapter 5.14

Date January 2012 v1.2

Review and editing of this document has also been performed by Jeremy Moskowitz, Group

Policy MVP.

Grammar and spelling check of complete document

Updated chapter 3.9, UEM Strategy

Updated chapter 3.12, FAQ

Updated chapter 4.1.1, ‘User Profiles 101’

Updated chapter 4.1.4, ‘Where does Group Policy and GPPrefs fit in with UEM’

Updated chapter 5.2, ‘Vendor matrix‘ with Policy Pak Software and updated Triceat

and Scense

Updated chapter 5.7, ‘Microsoft’

Added chapter 5.8, ‘PolicyPak Software’

Updated chapter 5.10.3 and 5.10.6, ‘RES Software’

Updated 5.12, ‘Tricerat’

Updated chapter 6.1, ‘Introduction’ and ‘vendor solutions matrix’ with Policy Pak

Software and Tricerat Simply Suite

Updated chapter 6.2, ‘Product versions’

Updated chapter 6.5, ‘Generic Features and Functionality with Policy Pak Software

Updated chapter 6.6, ‘User Profile Management’with Policy Pak Software

Updated chapter 6.7, ‘User Personalization’ with Policy Pak Software

Updated chapter 6.5, New features

o API Interface (public) and documented

o 24 x 7 support, additional pricing

o 24 x 7 support included in base license

o Microsoft SQL Server 2008R2, built-in support for native SQL Mirroring

o Software and Agents available as 32bits component

o Software and Agents available as 64bits component, native 64 bits compo-

nents


o Native policy actions, Ability to write your own Custom Policy Actions

o Native policy actions, Custom VBScript queries for Actions

o Native policy actions, Custom PowerShell queries for Actions

o Native policy actions, Only Copy ‘New’ or ‘Changed’ items, files or folders

o Native policy actions, Ability to Mirror Folder to mirror source if files are re-

moved

o Native policy actions, Syncronize Folder, unlike Mirror this is a two way pro-

cess

o Built-in rules / native conditions, Ability to write your own Custom Policy Con-

ditions


Smackdown


o Built-in rules / native conditions, Custom VBScript queries for Conditions

o Built-in rules / native conditions, Custom Jscript queries for Conditions

o Built-in rules / native conditions, Custom PowerShell queries for Conditions

o Built-in rules / native conditions, Custom PowerShell queries

o Built-in rules / native conditions, If .. else condition

o Built-in rules / native conditions, Remote Host/URL

o Built-in rules / native conditions, Session Type

o Built-in rules / native conditions, USB storage device, serial and ven-

dor/product

o Built-in rules / native conditions, Any AD User Property


o If application is Elevated, option to not elevate Child Processes spawned from

the raised Application

o If application is Elevated, option to not elevate Secure Dialog Boxes within the

raised Application

o Does not create and depend on a Local Adminstrator account on the machine

for Elevation of User Rights

o Redirect a requested URL to a specified safe URL

o Redirect an already open URL when context/condition changes

o Redirect URL based on full URL address

o Redirect URL based on Sub-Directory of address

o Redirect URL based on use of Wild Cards

o Time Based Application Access

o Contextual nodes/levels (block based on …) Connection Type (e.g. RDP, ICA

etc..)

o Contextual nodes/levels (block based on …) Port Number

o

Features updated 6.5, Generic Features and Functionality: RES Software

o Database instance officially support 20.000 concurrent connections

o Integration with 3rd party PC-lifeCycle management solutions

o Scripting (not including PowerShell) support and command-line interface

o Professional Services Organization - 24h multi-lingual support

Features updated 6.5, Generic Features and Functionality: Appsense

o Web-based management interface

o Delegation of control, granular delegated administration roles

o 24 x 7 support included in base license

Features updated 6.6, User Profile Management: RES Software

o Last write wins - Per Application

Features updated 6.6, User Profile Management: Tricerat

o Datastore transfer Protocol – SMB

o Datastore transfer Protocol - DCOM

o Offline (Cached) Mode

Features updated 6.6, User Profile Management: AppSense


Smackdown


o Application Virtualization support, VMware ThinApp

Features updated 6.7, User Personalization, Application and Desktop Management,

RES Software

o Parallel processing of logon actions

o Native Action triggers, Process Start

o Native policy actions, File & Folder Copy


Tricerat

o Can define an application as a global object

o Built-in rules / native conditions, Published Application Name


Appsense

o Extendable with 3rd party tools

o Built-in rules / native conditions, Vmware View client name

Tricerat added to chapter6.8 ,Application Access Control, Security Management

Tricerat added to chapter6.10, License Management

Date October 2013 v2.0

Review and editing of this document has also been performed by Jeremy Moskowitz, Group

Policy MVP.

Added whole chapter (5.8) on UE-V

Updated chapter 5.2, ‘Vendor matrix‘

Updated chapter 5.5 and 6.4 (Generic Features and Functionality) for ‘Immidio’

Updated chapter 5.7 on Group Policy, Group Policy Preferences and AGPM

o Added AGPM update for clairty

o Expanded upon Group Policy Preferences’s Item Level Targeting

Updated chapter 5.10 on PolicyPak Application Manager

Updated chapter 6.1, ‘vendor solutions matrix’

Features updated 6.4, Generic Features and Functionality: Immidio Flex+

o Microsoft Management Console Interface

o Support low bandwidth/high latency WAN connections

o Scripting (not including PowerShell) support and command-line interface

o Microsoft Group Policy-based management for agent/client settings

o API Interface (public) and documented

o First year support and maintenance included in license

o 24 x 7 support, additional pricing

o Service Provider license program

o Official training classes available

o UEM technology is proven; the solution is being used for 1+ year in enterprise

production environments. 10K+ endpoint, various deployment scenarios.

o 10+ of public available enterprise (10K CCU) references in EU using UEM solu-

tion


Smackdown


o Professional Services Organization – Business hours (CET) multi-lingual support

o Technical Account Manager (TAM) available

o Datastore transfer Protocol - TCP / configurable and supported

o Datastore transfer Protocol - Database specific

o Datastore transfer Protocol – DCOM

o Management through database engine

o TCP/IP v6

o Software and Agents available as 32bits component

o Software and Agents available as 64bits component, native 64 bits compo-

nents

o Microsoft Windows 8 (x86)

o Component with elevated user rights

o Citrix XenApp

o Microsoft RDSH – RemoteApp (native or MSI)

o Microsoft Application Virtualization, App-V (native or MSI)

o Symantec Workspace Virtualization (native or MSI)

o VMware ThinApp (native or MSI)

o Citrix XenApp Streaming

o Microsoft MSI

Features updated 6.5, User Profile Management: Immidio Flex+

o Profile redirection/ streaming / virtualization

o Migrate individual apps across versions

o Streamed Profiles

o Management through database engine

o Automatically capture application personalization

o Last write wins - Per Session

o Pre-cache personalisation on new machines

o Symantec Workspace Virtualization

o Novell ZENWorks / Spoon.Net

Features updated 6.6, User Personalization, Application and Desktop Management:

added Immidio Flex+

Vendor Solution Description added/updated : 5.8 VUEM -> Norskale V-UEM

Product added/updated 5.2 : VUEM -> Norskale V-UEM

Removed Tricerat from detailed feature matrix

Added tons of new features and updated the text overall

Date February 2013 v2.1

Updated LiquidWare Labs Solution description and mapped the features with latest

ProfileUnity version

Updated Microsoft UE-V 2.0

Updated PolicyPak Application Manager


Smackdown


9. APPENDIX: A-TEAM (PQR) MEMBERS

Rob Beekmans: Rob (1969) started in the IT field managing a Novell environment but worked in many different are-

as since then. Mainly his focus has been on SBC environments starting with Citrix Winframe 1.7 in the ‘80s’. So with

over 15 years of experience he has seen IT grow to a mature and cloud business as it is now. Rob is a Sr. Consultant

for PQR with his primary focus on application and desktop delivery and User Environment Management. Rob is a

Citrix Certified Enterprise Engineer (CCEE) and a RES PowerFuse/Workspace manager Certified Professional (RPFCP).

Rob can be reached at [email protected] or twitter.

Matthijs Haverink: Matthijs (1980) started his career as a system engineer and meanwhile has over 13 years of ex-

perience in the business of IT from support engineering to team management to design and implementation of

complex ICT infrastructures. His focus now, as a technical Consultant at PQR, is on Application and Desktop Delivery

including hardware virtualization, software virtualization and User Environment Management. Matthijs advises, de-

signs, implements and migrates advanced ICT-infrastructures. Matthijs has achieved certifications as a Microsoft

Certified Systems Engineer (MCSE +E), VMware Certified Professional Desktop (VCP5-DT) and Citrix Certified Admin-

istrator on Citrix Solutions like XenApp, Provisioning Server, XenServer, XenDesktop and more. You can reach Mat-

thijs at [email protected] or twitter

Sven Huisman: Sven (1977) studied Information Management in Utrecht. He started his career as system engineer

and meanwhile he has over 10 years of experience in the IT business. He is one of PQR’s technical Consultants, fo-

cusing on Application and Desktop Delivery, hardware and software virtualization. Sven advises, designs, imple-

ments and migrates advanced ICT-infrastructures. Having achieved the highest certifications of its most important

partners, Sven is a Citrix Certified Enterprise Administrator (CCEA), a Microsoft Certified Systems Engineer (MCSE)

and a VMware Certified Professional (VCP). Sven is awarded as VMware vExpert in 2009 - 2013. You can reach Sven

at [email protected] or twitter

Jits Langedijk: Jits (1979) started his career in IT as a service engineer and meanwhile he has over 10 years of expe-

rience in the IT business. As a technical consultant at PQR his primarily focus is Application and Desktop Delivery,

hardware and software virtualization. Jits advises, designs, implements and migrates advanced ICT-infrastructures.

Having achieved the highest certifications of its most important partners, Jits is a Citrix Certified Enterprise Adminis-

trator (CCEE), a Microsoft Certified IT Professional Enterprise Administrator (MCITP:EA) and a VMware Certified Pro-

fessional (VCP). You can reach Jits at [email protected]

Anton van Pelt: Anton (1984) is an technical consultant at PQR. Anton’s main focus: Application and Desktop Deliv-

ery solutions. Nevertheless, his interests are going much further than this what gives him a broad knowledge in

complex IT environments. For instance Anton was hired by Riffa Views International School in Bahrain in 2009 for

optimizing there environment. Anton advises, designs, implements and migrates advanced ICT-infrastructures. Hav-

ing achieved the highest certifications of its most important partners, Anton is a Citrix Certified Administrator (CCA)

for several Citrix products like XenApp, XenDesktop and Citrix Access Gateway, a Microsoft Certified Systems Engi-

neer (MCSE) and a RES Certified Professional (RCP). You can contact Anton by email at [email protected] Follow Anton on

twitter

Peter Sterk (1980) is a solution architect at PQR. In this position, he supports customers with any technical chal-

lenge they may encounter, following PQR’s credo ‘Simplicity in ICT’. Although he is focused on Enterprise Mobility,

Application, and Desktop Delivery, Peter is also able to overlook and advise on other components in IT infrastruc-

tures. Peter is active in communi-cating the vision of PQR on subjects like Application and Desktop Delivery and En-

terprise Mobility on various national and international events. You can contact Peter at [email protected] or on twitter


http://www.twitter.com/robbeekmans


http://twitter.com/vf_matt


http://www.twitter.com/svenh



http://www.twitter.com/antonaustirol25

http://www.twitter.com/PeterSterk

http://www.twitter.com/PeterSterk

as

as

PQR B.V.

Rijnzathe 7

3454 PV De Meern

The Netherlands

Tel: +31 (0)30 6629729

Fax: +31 (0)30 6665905

E-mail: [email protected]

www.PQR.com