The Changing World of End-User Computing
Marco Broeken
Take a quick walk through the IT jungle!
EXECUTIVE SERIES
The Gorilla Guide to...
Express Edition
INSIDE THE GUIDE:
• How DaaS Is Enabling Better EUC
• Top DaaS Use Cases
• Why User Experience Is King
AUTHOR
By Marco Broeken
Copyright © 2019 by ActualTech Media
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever without the express written permission of the publisher except for the use of brief quotations in a book review. Printed in the United States of America.
ACTUALTECH MEDIA Okatie Village Ste 103-157
Bluffton, SC 29909
www.actualtechmedia.com
TABLE OF CONTENTS
Introduction
Defining DaaS
DaaS vs. Traditional VDI
DaaS Makes the Complex Easy
DaaS Use Cases
DaaS Implementation
Licensing Considerations
DaaS Security
DaaS User Onboarding
User Experience is King
DaaS Interoperability
DaaS in a Hybrid Cloud World
It Just Works
Introduction
The end-user computing (EUC) world is changing quickly. It’s responding to new IT concerns like bring your own device, mobility, and cloud, while also dealing with old issues like platform updates, high costs, and security concerns. More and more, businesses are looking to centralize management and flexible provisioning of desktop environments, and are stumped by either technical complexity issues or the upfront costs required for their digital transition.
One of the most important developments in that response is Desktops-as-a-Service, or DaaS.
Defining DaaS
To start with, DaaS architecture is multi-tenant, and organizations purchase the service through a subscription model.
Here are some of its most important characteristics:
• It’s true multi-tenant. Every customer has its own desktop portal, own networks, own Active Directory. Everything is centrally managed by the service provider.
• It’s easy to scale up and down. Easy to provision for the first time. Easy to manage over time.
• It has enterprise integration. This includes private VPN to on-premises networks, and VNet peering to a nearby infrastructure cloud where utility servers are running. In addition, best-of-breed products and market solutions are utilized.
• Secure by design. Isolated and secure network for each customer. True separation—access to desktops is only permitted through a client’s Active Directory.
• OpEx. A pay-as-you-go system.
DaaS vs. Traditional VDI
While there are several differences between DaaS and traditional virtual desktop infrastructure (VDI) solutions, the major one is that, with DaaS, IT departments don’t have to worry about managing the virtual infrastructure and brokering, as this is handled by the service provider. “Infrastructure” in this context can include the network, servers, user desktops, and hosted applications.
Deploying a new VDI environment on-premises means buying a lot of hardware and software licenses, resulting in a huge initial investment that you have to recoup over time. Whether you want to support 100 or 1,000 users, these upfront costs are substantial. With DaaS, though, these costs are eliminated.
Further savings can be realized in organizations that allow BYOD. Many organizations haven’t implemented a BYOD program due to security concerns about untrusted data being introduced to the network.
DaaS keeps those devices off the internal networks and keeps company data off those devices; therefore, they’re not subject to viruses, theft of company data from a lost or stolen device, or other security concerns. All data interaction is done on the remote, secured DaaS infrastructure. The BYOD endpoint acts only as a client for accessing the secured DaaS desktop.
DaaS Makes the Complex Easy
VDI is a powerful, flexible solution, but because it’s implemented in-house it brings a number of challenges, including requiring data center space, hardware, licenses, and often, experienced consultants. There can be significant upfront capital expenses and scaling challenges depending on staffing and company size.
IT departments will also need to be able to ensure consistent performance at every time of day, whatever the current workload.
DaaS can be implemented in partnership with any supported cloud provider. You’re trading upfront CapEx costs for more predictable OpEx costs, which lets your team focus on new and expanded services. Workspaces for new users can be spun up instantaneously, and performance tends to be consistent, reliable, and non-disruptive to daily work.
DaaS Use Cases
There are a number of use cases for DaaS that may not be immediately obvious, including:
• Rapid scale-up for temporary employees, temporary contractors, and seasonal workers.
• Companies with utility servers hosted at a public cloud provider that want to have their digital workspace next to their resources for fast access and compliance.
• Disaster recovery. A DaaS environment can be on standby in case of a disaster, but ongoing costs remain low when an outage is not underway due to the on-demand nature of DaaS. Additionally, desktop infrastructure maintenance for the DR environment is offloaded onto the DaaS provider. DR site maintenance is an often-overlooked part of running an in-house VDI infrastructure.
• Users might require occasional access to GPU-enabled desktops to support high-end graphics applications like AutoCAD without the need for high-end GPU-enabled workstations. Resources are paid for per hour to keep the cost down.
• Legacy applications. Most organizations have some legacy applications that are still useful, but that can no longer be updated for some reason. DaaS makes it easy to continue to support these applications and make them accessible from any device.
DaaS Implementation
When you’re ready to migrate your user desktops to a service provider, you’ve already picked a service provider and have likely agreed on a certain service level.
What is Nutanix Xi Frame?
Nutanix Xi Frame is a unique DaaS platform built for the multi-cloud world. Xi Frame doesn’t just move VDI technology that was designed for on-premises deployments into the public cloud—it’s been built from scratch for the cloud, resulting in a cost-efficient, scalable, simple-to-use, multi-tenant application and desktop delivery platform.
Xi Frame allows you to run Windows apps on any device, from any location. You can create virtual workspaces for your teams, customers, or partners in less than an hour, and integrate them with existing systems using APIs, SDKs, and developer tools.
Nutanix Xi Frame delivers Windows apps and desktops to users on any device with a browser on a secure cloud platform (see Figure 1). Whether the organization wants their workload VMs on-premises or in the public cloud, they’ll have access to fast CPUs or even NVIDIA vGPUs.
Nutanix is further enhancing Xi Frame so that user workspaces will be able to run on Nutanix HCI hardware on-premises, allowing you to deliver the benefits of virtual desktops and applications from infrastructure you own and control.
Nutanix Xi Frame services come with a launchpad where users can start one of their desktops or access applications.
Figure 1: Nutanix Xi Frame benefits. Panels: ANY INFRASTRUCTURE (deploy desktops on choice of public cloud or in your datacenter); ANY APP (deliver desktops or complex apps quickly and easily); ACCESS FROM ANY BROWSER (user and admin access from any browser and any device); ANY STORAGE/IAM (integrate with industry leading cloud services).
Users can also access other launchpads, if it’s authorized by their administrator.
Administrators have their own account management interface where they can create production desktop pools and publish applications. Additional capabilities include creating/restoring backups, configuring utility servers, managing capacity, and managing configuration.
Xi Frame Advantages
Cloud native
• Born in the cloud, so it’s scalable, secure, and cost effective
• Built for multiclouds and hybrid clouds, including those built on Azure, AWS, and Nutanix AHV
• CPU, NVIDIA vGPU and multi-GPU powered machines
• Named, concurrent users, pay per month, start w/5 users
Simple, clean user experience
• User experience: run any software in a browser
• Windows and Linux persistent and non-persistent desktops
• Admin experience: easy to set up and configure; and rolling updates
• Developer experience: APIs, automation CI/CD
Security
• FedRAMP Ready
• Role-based access control (RBAC) with “Super Admin” functionality
• End-to-end encryption is built in
One-click enterprise integrations
• Identity (Classic AD, Azure AD, Google, Okta, Ping, SAML/OAuth)
• Cloud storage (Dropbox, Box, Google Drive, OneDrive)
• Networking (Peering, Direct Connect, VPN, ExpressRoute)
• APIs (CI/CD, headless access to apps, embedded applications, frame application, frame web services)
There are numerous points to discuss with your DaaS provider, to make sure you’re getting the best combination of price and service. Here are some of the deliverables to get in writing:
• Uptime guarantees
• Your recourse in the event of an SLA violation
• Helpdesk ticket response times
• Dealing with moves/adds/changes
• Costs of scaling up and down, including monthly limitations on scaling
You should also ensure that the service provider is reporting monthly on service levels and response times.
There have been plenty of cases where service providers have no SLA reporting in place and performance and uptime are on a best-effort basis. This leads to poor outcomes.
Also pick a service provider that knows desktops, and understands your particular needs. Make sure they’re asking the right questions—using a comprehensive questionnaire—to determine what you need and size accordingly. Desktop workloads are quite different than server and application workloads and your service provider should be well versed in the differences.
In addition, for the best result, it would be wise to have your backend servers local to your desktops. Have your desktops talk to your servers over a low-latency, high-bandwidth connection. Users will experience poor application and file performance if, for example, desktops run in a public cloud but the backend data is still located at the company headquarters.
When all that’s done and you have signed the agreement, you’re ready to migrate your desktops to the DaaS environment.
Licensing Considerations
The licensing policies in a DaaS desktop world are almost as convoluted as the tech behind it. Normally, the DaaS provider purchases all the necessary licenses and their customers simply pay a monthly or annual fee to lease access to the DaaS desktop.
One of the problems with this licensing model is that the underlying hardware is shared between customers, requiring a different license model than on-premises VDI.
In order to use a “real” desktop OS like Windows 10 with DaaS, you have to buy the virtual desktop access (VDA) license yourself. In addition, your service provider can’t run any of your desktops on the same hardware with any other customers. Currently, there is no Services Provider License Agreement (SPLA) model for Windows VDA.
This means that in many cases, only mid-sized to large customers can afford to license Windows desktop OSes, because they can lease their own hardware resources from their service provider. Those with a more limited budget need to get their Windows licenses through the Microsoft SPLA program.
The SPLA program does allow service providers to share their hardware with multiple customers, but it requires customers to run a Windows Server OS. In practice, what this means for many DaaS customers with a limited budget is that they will get a Windows Server OS skinned to look like a desktop OS. The SPLA licenses are licensed per user.
Fortunately, from the end-user perspective the Windows Server 2019 OS looks very similar to Windows 10. There is no real difference in performance or looks. So while these licensing considerations are important to understand, the end result is not necessarily worse if you must go the SPLA route.
The other requirement with both desktop and Windows Server OSes is that you’ll need a Remote Desktop Server Client Access License (RDS-CAL) on a per-user connection basis.
In order to simplify this whole process as the DaaS landscape matures, Microsoft has launched the Qualified Multitenant Hoster (QMTH) Program. This program authorizes qualified third-party service providers to host Windows desktop OSes via a Microsoft Cloud Agreement subscription or Microsoft Volume Licensing agreement on multitenant hardware. This allows the service provider to pay for your Windows 10 desktop OS as a subscription, much like Office 365.
The bottom line is this: if you’re a small shop and you require Windows 10 as a desktop OS, you’ll need a service provider that’s part of the QMTH program.
DaaS Security
Most DaaS providers place a premium on security, and architect their solutions with that goal in mind. It shows, too, in the results—security in the cloud is often better than security in on-premises infrastructure. On-premises infrastructure is usually designed for just one company, with no boundaries between different parts of the business. Cloud infrastructure, in contrast, usually contains data from multiple companies, making isolation critical.
For DaaS providers, security is a design criterion. Each tenant must be isolated from all other tenants, and every tenant must be isolated from the provider’s own management infrastructure.
Security in an ideal DaaS solution would necessitate true separation of tenants, which means asking some clarifying questions such as:
• Is each tenant hosted on separate hardware?
• Do they share the hardware, and just separate sessions on the same VM?
This is very important to know before you choose a DaaS provider, because what seems like a subtle difference could have significant implications for things like regulatory compliance.
Think about how your employees share the company data. Company data can be everywhere: sent in e-mails as attachments; through USB keys; in online storage providers like OneDrive and Dropbox; and so on. It’s getting increasingly difficult to understand how and to whom company data is shared.
Because of this fragmentation, it’s a good idea to have a well thought out company policy on how data may be shared publicly—especially when you host everything in the cloud.
A good way to determine who has access to your DaaS environment is via two-factor authentication (2FA), which adds a second level of protection for logins. Requiring only a username and password is single-factor authentication. 2FA requires the user to have a second credential before being able to access an account. This second credential can be a code from a hardware token, an SMS sent to a mobile phone, or a biometric such as a fingerprint.
DaaS User Onboarding
Onboarding in the DaaS world can be fraught with pitfalls. This is where a consultancy can help; they have deep experience with, and understanding of, the DaaS onboarding process and how to do it successfully. The approach shown in Figure 2 typically works well:
The first thing to do is to fully understand the current desktop environment. This should also involve a detailed questionnaire about the current environment to determine the scope of the needs. Here are some relevant questions to ask.
• How many users will be hosted on the DaaS?
• What type of users do we have? Task workers or power users?
• How many desktops are needed?
• What do your users actually do all day? What is the application workload?
• How many, and what kind, of applications are being supported?
• What are the performance requirements? Are there multiple tiers of performance requirement depending on the user or application?
• Are there GPU requirements to take into account?
The good news is that there are several assessment tools available to run on current desktops (physical or virtual) to help get a better understanding of the requirements. When you have a solid understanding of your current environment, your DaaS provider will know how to build and size it accordingly.
Figure 2: An effective method of onboarding DaaS users. Stages shown: Intake, Validate, Test, Build, Accept, Deploy.
When the intake and validation have completed, it’s time to build and test a proof of concept (POC). For the POC, the DaaS provider will build a simulated production environment to determine the effectiveness of the proposed solution.
When the build phase has finished, it’s essential to test the environment thoroughly. There are numerous tools available to test and monitor end user experience in DaaS environments with a production-like load. It’s important to completely validate that performance is optimal before going into production. (Note that it’s common for the number of virtual desktops to be increased as a result of the POC process.)
After the environment is completely validated and accepted, it’s time to go into production. At this point, users are migrated in batches to the DaaS environment, with their accompanying user and company data.
When you’ve successfully onboarded your users and your DaaS is running, the transition to maintaining your environment happens. Management of DaaS infrastructures can be complex, and there’s a delicate balance between a stable and performant environment and satisfied end users. Simple patches or updates can have a huge impact on desktop/user performance.
The right DaaS provider will deliver a personalized deployment plan that meets your user experience and security goals while reducing your desktop support burdens.
KEEP ‘EM SEPARATE
As a best practice, you should have a separate pool of desktop resources where you regularly test new desktop images to find and prevent performance bottlenecks and compatibility or interoperability problems before they’re released into production. Monitoring the DaaS environment enables administrators to address performance issues proactively. It’s crucial to ensure that all your applications work well before going into production.
User Experience is King
In the early days of VDI, user experience left a lot to be desired, chiefly because server hardware was slow. Additionally, graphics protocols were not very good and poorly optimized for WAN connections. Then, when the inevitable latency hit, the sluggish result was directly visible on your screen.
That’s not true anymore, for the most part. Over the years, enterprise hardware and desktop protocols have dramatically improved in terms of stability, speed, and reduced latency. Users who log in to their workspaces today feel like they’re working on a fully-featured workstation, making the end user experience much more satisfying.
Not only is the experience better, but it’s also more comprehensive. With the addition of graphics processing units (GPUs), users can even handle demanding jobs like CAD/CAM or video rendering on their DaaS desktop. Desktop OSes like Windows 10 require more GPU power than ever before, and more GPUs are being added to keep up with demand.
This is made possible by public cloud providers renting out GPUs on a per-hour basis, making adoption easy and reasonably inexpensive—it’s trivial now to rent out a GPU-enabled desktop for a few hours or a few days, depending on the need.
Beyond the GPU enhancements, there have been similar improvements with CPUs. The latest CPU architectures with high core counts and high clock speeds have had a very positive effect on the user experience. The upshot is that when using multi-core DaaS desktops, you’ll have enough horsepower to get the job done, similar to working at a traditional high-powered physical workstation.
DaaS Interoperability
Most DaaS environments are built and designed to work with your existing IT environment—whether on-premises, in the cloud, or both—to support complex client-server applications.
In cloud environments like AWS or Azure, their standard offering can be extended with services like VNET peering and VPN Gateways to connect to utility servers hosted on their premises or in your own data center (Figure 3).
Figure 3: Extending a DaaS environment to the cloud. Diagram labels: “Sandbox” (Gold Master); Launchpad(s); “Production” Pool (Min, Max, Buffer); “Utility” Server(s) (License Server, Database, Other); VM type A and VM type B; VNET, VNET Peer, Cloud VNET, VNET Gateway, On-prem Network.
You’ll also need these products to connect the DaaS environment securely to your office network(s).
Besides connecting your networks, there are many SaaS applications and cloud storage providers to connect to from within your DaaS environment. There are many easy-to-use plugins that let you connect and sync your identity to Azure AD or another identity source. You can have your fileservers sync with OneDrive and SharePoint, for example. All of this can be done within your own security parameters, of course.
Many DaaS providers have an application catalog available in their customer portal—preconfigured SaaS applications with Single-Sign-On (SSO) support that can be added at the push of a button. Via SSO, users can then connect to all the apps to which they’ve been granted access.
Note that there’s no need for administrators to manage all these SaaS applications separately. The best thing about this is that it’s fairly easy to revoke a user’s access when they no longer have access to company resources.
Having every app or workspace your users need in one portal, configured with a single identity, is very powerful—it’s also secure, and easy to configure and maintain.
DaaS in a Hybrid Cloud World
The application landscape today reveals a hybrid world. Many legacy applications are tied to the desktop for the foreseeable future, while others are successfully moved to SaaS.
And although cloud adoption has come a long way, there’s no doubt that companies are still firmly ensconced in their data centers. They’re maintaining their hardware and software, and using the public cloud where it makes sense—for instance, test/dev operations, backup, and resource elasticity.
Figure 4: One of DaaS’s strengths is its ability to quickly scale up. Diagram labels: Platform Service (36 months contract); Service Setup; Migration / Onboarding; Core Subscriptions; Base users (<36M Contract for Building Blocks); Seasonal workers (1 month Contract for Building Blocks); Extension based on new capacity demand (1 month Contract).
When talking about DaaS in a hybrid world, we’re talking about a DaaS-based service in on-premises data centers for core employees, which is then extended out to DaaS in the public cloud for temporary employees or seasonal workers when you have limited needs (Figure 4).
It Just Works
The biggest plus of using DaaS is that everything just works. You don’t need expensive consultants to design, build, and configure this new environment. You don’t need hypervisor, storage, and platform administrators anymore. And best of all, you don’t have all the upfront costs you would normally have. Everything is managed and extensively monitored by your service provider.
Those are strong factors in DaaS’s favor. Make sure you take them into consideration when deciding how to build out your EUC infrastructure.