AppSense Strata (now called StrataApps) is finally available, but will you use it?

Gabe,

I think your summary at the end of your post is where the real problem exists, in respect to giving admin rights to users, which is totally unnecessary if you implement a privilege management solution. Users are given admin rights for many reasons, such as running privileged applications, performing basic administration tasks and … installing software.

Privilege management solutions solve this problem elegantly, without introducing the complexities, limitations and compatibility issues that are often introduced by isolation technologies. The isolation of an application isn’t really relevant in most cases anyway, as it’s more about letting the user self-provision a software package, without requiring an admin account.

With a privilege management solution all users log on with a standard user account and individual applications and installers are elevated based on centrally managed policies. The applications could come from a network share within the organization or directly from the internet, so the key is being able to define policies that give the right level of control and feedback to the user, with an audit trail for the IT department. I wrote a post on this very topic last week, which shows how privilege management can be used to manage the self-provisioning of software by users.

www.avecto.com/.../self-provisioned-software-installation-with-privilege-guard

Mark

@Gabe - thanks for the write up!

I agree and think you both make some valid points…

The question you raise and the fundamental challenge is, IMO, around the terminology "UIA."

It's used incorrectly and means different things dependent on the audience, the technology stack being used and the use cases.

User Installed Applications (UIA), User Managed Applications, Privilege management, application control, licensing, layering and isolation are all different ways in which apps can be managed, deployed, installed and executed –Like nearly everything in IT, no one single piece of technology fits all (yet); and in too many cases the customer requirement is not understood….:(

The need (and terminology used) for User installed applications was initially born from a VDI requirement when deploying non persistent/stateless images. That requirement still exists today and can be solved in a number of ways - typically not by just one product or another but by combining solutions. Today, a single "UIA solution" or "UIA product" will never fit all use cases.

In a non persistent/stateless VDI environment there is a requirement to

1. Allow the user to install the app (having the correct rights)

2. Provide a store (layer) for those apps installed.

Ringcube for example solves the 2nd challenge of storage but doesn't allow a standard user to install. By combining it with the “user rights management” solution in AppSense Application Manager (note not StrataApps) which solves the 1st challenge), the two solutions together meet the requirement of User Managed Apps in the data center – something we already have working – roll on XenDesktop 5.6!

For many, it doesn't stop there, controlling when that application runs, (any app in fact) and from which "connecting device" is also something we commonly see as an additional requirement – either for licensing or compliance reasons. Again, something AppSense has been doing for many many years….

www.appsense.com/application-control

The need for a "user rights" or "privilege management" solution in the traditional desktop space exists for another reason. Typically due to users historically having full administrative privileges on their desktop. A very different reason from the VDI example and an area that both AppSense, Avecto and Beyond trust provide solutions for…

Users may have been granted these privileges due to a windows task (IP settings, Add/remove hardware for instance) or application requiring admin rights to run. Others may have been given admin rights to solve the challenge around users needing to install their own applications. In both cases a user rights solution removes the need to provide the user with administrative rights yet allows those tasks, apps or installs to run. Brian also has recently posted another unique way of doing it for $399…:)

www.brianmadden.com/.../how-you-can-quot-buy-quot-back-your-users-admin-rights-for-399.aspx

Its important to note however, that a user rights solution does not deal with where those installations are stored – they would write into the base image of the OS…..the question is then "does the app need to roam or be persistent?"

It is therefore our opinion and goal of making the traditional desktop "disposable"- this is yet another requirement / use case. This is achieved by StrataApps removing the "user rights problem" and additionally, "providing a separate store/layer" for those applications to sit in.

If I lost or rebuilt my windows laptop today, the C:\Drive which contains my OS image is disposable. By running our very own personalization software and utilizing the StrataApps technology, my replacement laptop or rebuilt image would be re-personalized upon logon. My profile settings and application settings would be delivered back down to my device and the StrataApps technology would layer MY installed applications removing the need to re install them! User rights alone would not provide me this functionality.

Another point to mention is aligning User Managed Applications with Corporate Delivered App-V applications, whereby now with StrataApps the user can introduce add-ons and plugins to App-V delivered applications, and StrataApps can seamlessly combine the two in a merged view, seamless to the user.  And it means IT can benefit from a reduced number of different package instances.

To summarize, there is no one "silver bullet" solution that solves the UIA problem – The UIA problem is different for everyone – perhaps we should stop using the term UIA and start saying what we mean? @Gabe - Briforum question this year could choose to exclude the word UIA? :) I also believe that Windows VHD’s may also change the way we deploy, install and manage our apps moving forward…..However, we believe that adding StrataApps to our existing User Virtualization offering gives people choice and a number of options…..and its free!

A recent piece of work by one of our consultants demonstrated that by configuring StrataApps alongside some of the existing UV suite (Environment Manager and Application Manager), he was able to create an environment providing an application store of known good apps (from a known good location); which the "standard" user could install; contextually control the execution of the app; store the user managed apps in layer separate to the OS and personalize it from a profile management point of view. Powerful stuff….

Simon Townsend - AppSense

Apologies for the cheap plug(s) but it was an AppSense article...hope it explains the differences in Tech and use cases....

Gabe, one thing has been irking me, you say "Solutions that involve layering are complex" as though that it is a given and indisputable fact. And I've seen similar comments made by other bloggers as well. Saying products like Unidesk are too complex... is it? really? For me, I was new to VDI a few months ago, we started a POC, the VDI learning curve was harder for me than the Unidesk part. Tons of admins I've dealt with think SCCM is complex too but they eventually learn it and are fine with it. I got Unidesk up and running rather quickly.

@Simon I think the focus of your reply is key, the problem is certainly unique per environment. For me, I refuse to put anything on an image and currently, if I were to go to VDI I feel like none of the products are ready yet so I would HAVE to install software on my image - for me that's moving backwards. We're not on VDI (yet) and will not be until we find and are happy with a layering solution. So far I think Unidesk is on the right track - just not quite ready for prime time.

@Gabe – yes, I clearly work for a privilege management company, but it was your closing summary around admin rights that prompted me to comment on your post. I have a strong background in both privilege management and application isolation technologies, so I completely understand the solution space for both. Your summary was pitching the StrataApps product as a way to remove admin rights, which is not its intended purpose and Simon has clarified this in his comments above.

The fact that StrataApps doesn’t require the user to have admin rights to install software is simply a side-effect of the way it functions. It is primarily enabling a user to self-install an application and isolate it from the operating system, as opposed to being pre-packaged with a solution like App-V. To drive home this point, StrataApps provides the exact same benefits for applications that don’t require admin rights to install. This is why VDI is an obvious use case for StrataApps, as separation from the operating system is beneficial in this environment, in order to keep the base image clean.

As for privilege management having its place, it’s relevant across the entire organization, whether physical or virtual, so the requirement for effectively managing privileges is a major issue in just about every company. Software installation is just one of the many reasons that users are granted admin rights, but that doesn’t mean that organizations actively encourage their users to install any software they like on their systems – quite the opposite in fact.

Allowing users to install software needs to be effectively managed through policy and then centrally audited, for compliance reasons. If you need to give a user complete flexibility to install software, due to the nature of their role, then it’s important to warn users of their actions and audit, as this makes users far more accountable for the software they install, and the audit trail is often required for compliance reasons.

In response to your comment on everyone having a privilege elevation capability, I think you mean that a few of the vendors that you are more familiar with, due to their focus around desktop virtualization, have added an elevation capability to their products. You’re probably far less familiar with security vendors like Avecto and BeyondTrust, who have pioneered and specialised in enterprise privilege management solutions for some time.

The question that many fail to consider is does IT need to be in the business of providing a service to support all application types and use cases? As Enterprise Consumerization becomes more prevalent, it is not realistic to expect IT to support and control everything. Therefore the need for solutions that make it easier for IT to shift the burden to the end user with empowerment while governing the parts that matter increasingly IMHO will enable greater responsible flexibility and freedom which is a better place to be.

With this in mind I believe that StrataApps has the potential to become an enabling piece for some as we have discovered while talking to customers. A simple example is on premise enterprise PCs. Some customers we have spoken to have good reasons to stay on physical PCs and are interested in a locked down managed image with admin rights removed. They want the StrataApps store to be local or on the network and allow users to install applications there. These are organizations that today allow admin rights on their PCs which is still the vast majority of people. :-(

StrataApps enables them to remove admin rights from their base build and provide some freedom and flexibility to their users which for the most part represents user mode apps and is good enough to address many users. This also fits with the existing management tools they have like App-V, so it's lower friction vs. changing the entire management model like layers solutions. This overall as some of our customers have told us leads them towards a better managed physical PC, improves security by enabling them to remove admin rights and is a good balance between enterprise efficiency and end user flexibility. We've also heard some very interesting use cases for corporate owned laptops that have similar challenges magnified by them being hard to manage as connectivity is not always there. They like all this functionality and optimization for free.

Some customers also tell us that there are exceptions that may require more granular governance of the base image to install things like drivers etc, this is where they want a more granular admin rights management capability which we also offer in other products. Some want to get even more sophisticated and create use cases around rules and actions on apps based on different logic which we also offer. Some want to use this with VDI, some would love to see us evolve this for RDS also. All of these ideas are great feedback and I believe others will come up with other's as they learn more. It was part of the motivation for us to make this an AppSense labs offering for free. We are interested in your feedback.

Following on from Gabe's sentiment. We wanted to start with something simple that adds value right away that offers freedom and flexibility for the end user and helps make things better for IT and users for the right use cases. That's what we believe enterprise consumerization is all about. We don't believe in point solution use cases that pretend to solve world hunger at a $3 price point. It's just not reality and it's next to impossible to grow with them as needs evolve and the world continues to offer more technology diversity at a rapidly increasing pace. We fully understand that even rights management does not solve security, it's part of a stack of solutions that make the difference. It's why Simon above describes UIA as a problem not a solution. It's why I smile when I see funny YouTube videos www.youtube.com/watch from people with an agenda trying to portray doom and gloom and not realizing their own ignorance that there is no such thing as a silver bullet that solves all problems. But hey maybe useful as a recruiting/propaganda tool for the weak minded…

Many capabilities have to be built and combined in different ways to enable solutions that solve real customer problems, whether they are IT driven or user driven which must be a knew way to think. The old way is IT controlled everything, an example of which is the admin rights managed by IT only or the highway type approach. The new way is govern what matters and empower people in sensible ways for BYOX (Bring your own everything). That's why we continue to evolve our user virtualization platform capabilities on many fronts to enable people centric computing use cases.