AppSense Strata (now called StrataApps) is finally available, but will you use it?

On Tuesday, AppSense announced StrataApps from their AppSense Labs group. AppSense Labs, as you may have heard, is a new group with AppSense that releases technology that is viable, but doesn't necessarily fit into the typical AppSense product lines.

On Tuesday, AppSense announced StrataApps from their AppSense Labs group. AppSense Labs, as you may have heard, is a new group with AppSense that releases technology that is viable, but doesn't necessarily fit into the typical AppSense product lines. Their first release was DataLocker, which encrypts specific files in Dropbox, allowing them to be securely stored in the cloud.

StrataApps, formerly called "Strata," is a free user installed applications solution from AppSense that was first announced in 2011. The idea behind StrataApps is that you can give users the ability to manage their own, personal applications in locked down environments. Harry Labana wrote a blog post previewing the Strata technology in October, and promised a release in Q1 2012. With a few days to spare and a name change, they've made it just in time! 

What sets StrataApps apart from the traditional UIA vendors (if there is such a thing) is that it runs in "user land" as an application, and isn't reliant on layering solutions like Mokafive, UniDesk,  Wanova, and Citrix Personal vDisk (formerly RingCube). It does, however, have a few competitors in Liquidware Labs FlexApp and Ceedo. 

StrataApps aims to leverage the fact that organizations are inclined to continue business as usual when it comes to desktop and application management. That means that they build as many apps into the base image, then install one-off applications as needed using either direct installs or some sort of application virtualization. The problem with this is that if the user want to install other apps, IT has to get involved to install them, or IT has to give them admin rights. One costs money, and, well, so does the other (eventually). Of course, IT can always just deny the user that ability, which makes for unhappy and unproductive users.

StrataApps works as an agent-based solution, and when new application installs are started, they are automatically redirected to a storage area that is dedicated to StrataApps. That could be a USB drive, network share, or local hard drive. When running, the apps are no longer isolated, and they appear as part of Windows with full access to everything on the base OS (so no personal disk or virtual locations exposed to the user). In most cases, user installed apps work alongside the apps that are installed in the base. Since Windows is unaware that something is in the middle, it is possible that a user could upgrade an application, with the upgraded files living in the StrataApps storage area. If that causes problems, turning off the agent turns off the redirection and turns off the user installed apps, leaving them with only the base image (and un-upgraded apps). 

(I wonder what happens if a user uninstalls an application that they've upgraded. Does it mess with the base image at all? I'd hope not, but it could be that not ALL the files were upgrade, so not ALL the files were in the StrataApps storage area. I wonder if those original, base image files are removed, too?)

Because it runs in user land, there are some things that StrataApps can't do, like kernel drivers. That means that installing iTunes would leave you without the ability to burn CD's. Thankfully, not many applications require kernel drivers, so it shouldn't be a big deal. (iTunes is the only example I've heard of a consumer app, although I'm sure there are others. There also could be in-house apps that use them, but you have bigger problems if that's the case) 

Is it too late for user installed applications? 

Kevin Goodman and I gave a session on them at last year's BriForum, and when we asked the room if anyone used user installed apps, nobody raised their hand. I had a similar experience during a show I did in January, and only a few people expressed curiosity. That leads me to wonder if user installed apps solves a problem that not many people are having. Solutions that involve layering are complex, though, so maybe StrataApps (and other solutions like Ceedo and Liquidware Labs' FlexApp) is the kind of simple solution that companies are looking for to finally be able to remove admin rights from their desktops (both physical and virtual).

That said, the functionality isn't the same, so maybe we're back to square one: lots of good technology without an equivalent number of use cases. Of course, maybe it's just easier to give users admin rights and call it a day [shivering].


Join the conversation


Send me notifications when other members comment.

Please create a username to comment.


I think your summary at the end of your post is where the real problem exists, in respect to giving admin rights to users, which is totally unnecessary if you implement a privilege management solution. Users are given admin rights for many reasons, such as running privileged applications, performing basic administration tasks and … installing software.

Privilege management solutions solve this problem elegantly, without introducing the complexities, limitations and compatibility issues that are often introduced by isolation technologies. The isolation of an application isn’t really relevant in most cases anyway, as it’s more about letting the user self-provision a software package, without requiring an admin account.

With a privilege management solution all users log on with a standard user account and individual applications and installers are elevated based on centrally managed policies. The applications could come from a network share within the organization or directly from the internet, so the key is being able to define policies that give the right level of control and feedback to the user, with an audit trail for the IT department. I wrote a post on this very topic last week, which shows how privilege management can be used to manage the self-provisioning of software by users.



@Simon - Thanks for all the information and perspective. It hadn't even occurred to me that it would work with App-V, and that's a pretty cool capability.

I won't be giving a UIA session again this year, so you don't have to worry about me using that term in a session again. :)


Also, @Mark Austin, who clearly works for a company that does privilege elevation:

The problem isn't only users having admin rights, but it's also about making those applications portable. I neglected to mention in the article, but that's a big part of user installed apps (with apologies to Simon for using that term again).

Privilege elevation has it's place, for sure, but it seems to me that everyone has a solution for that.


Gabe, one thing has been irking me, you say "Solutions that involve layering are complex" as though that it is a given and indisputable fact. And I've seen similar comments made by other bloggers as well. Saying products like Unidesk are too complex... is it? really? For me, I was new to VDI a few months ago, we started a POC, the VDI learning curve was harder for me than the Unidesk part. Tons of admins I've dealt with think SCCM is complex too but they eventually learn it and are fine with it. I got Unidesk up and running rather quickly.

@Simon I think the focus of your reply is key, the problem is certainly unique per environment. For me, I refuse to put anything on an image and currently, if I were to go to VDI I feel like none of the products are ready yet so I would HAVE to install software on my image - for me that's moving backwards. We're not on VDI (yet) and will not be until we find and are happy with a layering solution. So far I think Unidesk is on the right track - just not quite ready for prime time.


@Jordan, to be clear, I'm not arguing against layering (or complexity, really). I'm just saying that it's one more piece that adds to the complexity of VDI. Time after time, we see that VDI is competing against business as usual, and adding layering and other solutions to the mix just make it more complex.

That's not a bad thing, because a lot of efficiencies and a lot of good can come from that (SBC is complex, but worth the effort), but if all you're trying to do is eliminate admin rights from users traditional desktops or make apps portable across base images, would you rather implement a layered VDI environment, or use something simple like Strata or FlexApp or something on your traditional desktops (which preserves business as usual).

I hope that clears it up, because I don't want it to sound like I'm ragging on layering. For me, it's all about goals, and satisfying those goals with the least amount of complexity. Everyone's use case is different, and I'm sure the solution you have implemented is appropriate for your company's goals.


@Gabe – yes, I clearly work for a privilege management company, but it was your closing summary around admin rights that prompted me to comment on your post. I have a strong background in both privilege management and application isolation technologies, so I completely understand the solution space for both. Your summary was pitching the StrataApps product as a way to remove admin rights, which is not its intended purpose and Simon has clarified this in his comments above.

The fact that StrataApps doesn’t require the user to have admin rights to install software is simply a side-effect of the way it functions. It is primarily enabling a user to self-install an application and isolate it from the operating system, as opposed to being pre-packaged with a solution like App-V. To drive home this point, StrataApps provides the exact same benefits for applications that don’t require admin rights to install. This is why VDI is an obvious use case for StrataApps, as separation from the operating system is beneficial in this environment, in order to keep the base image clean.

As for privilege management having its place, it’s relevant across the entire organization, whether physical or virtual, so the requirement for effectively managing privileges is a major issue in just about every company. Software installation is just one of the many reasons that users are granted admin rights, but that doesn’t mean that organizations actively encourage their users to install any software they like on their systems – quite the opposite in fact.

Allowing users to install software needs to be effectively managed through policy and then centrally audited, for compliance reasons. If you need to give a user complete flexibility to install software, due to the nature of their role, then it’s important to warn users of their actions and audit, as this makes users far more accountable for the software they install, and the audit trail is often required for compliance reasons.

In response to your comment on everyone having a privilege elevation capability, I think you mean that a few of the vendors that you are more familiar with, due to their focus around desktop virtualization, have added an elevation capability to their products. You’re probably far less familiar with security vendors like Avecto and BeyondTrust, who have pioneered and specialised in enterprise privilege management solutions for some time.


The question that many fail to consider is does IT need to be in the business of providing a service to support all application types and use cases? As Enterprise Consumerization becomes more prevalent, it is not realistic to expect IT to support and control everything. Therefore the need for solutions that make it easier for IT to shift the burden to the end user with empowerment while governing the parts that matter increasingly IMHO will enable greater responsible flexibility and freedom which is a better place to be.

With this in mind I believe that StrataApps has the potential to become an enabling piece for some as we have discovered while talking to customers. A simple example is on premise enterprise PCs. Some customers we have spoken to have good reasons to stay on physical PCs and are interested in a locked down managed image with admin rights removed. They want the StrataApps store to be local or on the network and allow users to install applications there. These are organizations that today allow admin rights on their PCs which is still the vast majority of people. :-(

StrataApps enables them to remove admin rights from their base build and provide some freedom and flexibility to their users which for the most part represents user mode apps and is good enough to address many users. This also fits with the existing management tools they have like App-V, so it's lower friction vs. changing the entire management model like layers solutions. This overall as some of our customers have told us leads them towards a better managed physical PC, improves security by enabling them to remove admin rights and is a good balance between enterprise efficiency and end user flexibility. We've also heard some very interesting use cases for corporate owned laptops that have similar challenges magnified by them being hard to manage as connectivity is not always there. They like all this functionality and optimization for free.

Some customers also tell us that there are exceptions that may require more granular governance of the base image to install things like drivers etc, this is where they want a more granular admin rights management capability which we also offer in other products. Some want to get even more sophisticated and create use cases around rules and actions on apps based on different logic which we also offer. Some want to use this with VDI, some would love to see us evolve this for RDS also. All of these ideas are great feedback and I believe others will come up with other's as they learn more. It was part of the motivation for us to make this an AppSense labs offering for free. We are interested in your feedback.

Following on from Gabe's sentiment. We wanted to start with something simple that adds value right away that offers freedom and flexibility for the end user and helps make things better for IT and users for the right use cases. That's what we believe enterprise consumerization is all about. We don't believe in point solution use cases that pretend to solve world hunger at a $3 price point. It's just not reality and it's next to impossible to grow with them as needs evolve and the world continues to offer more technology diversity at a rapidly increasing pace. We fully understand that even rights management does not solve security, it's part of a stack of solutions that make the difference. It's why Simon above describes UIA as a problem not a solution. It's why I smile when I see funny YouTube videos from people with an agenda trying to portray doom and gloom and not realizing their own ignorance that there is no such thing as a silver bullet that solves all problems. But hey maybe useful as a recruiting/propaganda tool for the weak minded…

Many capabilities have to be built and combined in different ways to enable solutions that solve real customer problems, whether they are IT driven or user driven which must be a knew way to think. The old way is IT controlled everything, an example of which is the admin rights managed by IT only or the highway type approach. The new way is govern what matters and empower people in sensible ways for BYOX (Bring your own everything). That's why we continue to evolve our user virtualization platform capabilities on many fronts to enable people centric computing use cases.