How you can "buy" back your users' admin rights for $399

One of the goals of many desktop admins is to get control of users' Windows desktops. Doing so means that your desktop environment will be cheaper, easier to manage, and more secure. (And this applies regardless of whether you have physical or virtual desktops.)

This control is much easier if your users do NOT have local admin rights on their desktops. For many companies (and lucky IT admins), this is the case already. But what if your users currently have admin rights on their desktops? How can you take those admin rights away without seriously pissing them off?

There's an old trick we used to use in the nineties that's still valid today. Back when Citrix MetaFrame and Terminal Server first came out, it was hard to get users on board because they were "losing" so much by moving from their desktop to a thin client. While there wasn't much web video in those days, the main complaints users had were that they couldn't have their own software and that they couldn't listen to CDs. Fortunately, in those days most monitors were the huge glass CRTs, so we just started buying the "new" LCD monitors (which were still about 4" thick with 2" bezels) and giving those to the users with the thin clients.

The results were amazing. Users were actually fighting over who got to go to the "thin client" first. (Of course they assumed that the "thin" in "thin client" referred to the LCD screen, but what did we care? All we knew is that users wanted to move to Citrix.)

Of course now everyone has LCD screens, so that same trick doesn't work… Or does it?

I propose that if you buy iPads for your users, then you can lock down their Windows desktops, and they won't mind. (We talked about some of the advantages of doing this last month on ConsumerizeIT, with the big ones being that users can install whatever they want on their iPads so they shouldn't mind a locked down desktop as much.) Even if you don't have desktop virtualization and don't plan on allowing users to access Windows apps on their iPads, just give them iPads anyway and tell the users that your company is cool now and the iPad is the user-installed app solution.

You can buy an iPad 2 for $399, which is really another way to say you can buy back your users' admin rights for $399.

Seriously, I'll bet you have some users where you'd pay for this out of your own pocket! Imagine how much easier your life would be if your problem users didn't have admin rights? This is now possible, thanks to Apple! (Or Android, or WOA, or whatever it is the users want.)

Join the conversation


We're seeing some of this happening now, and it's one of the reasons we're investing in our new InstallFree Nexus platform (which is now in open beta, by the way). With traditional solutions like RDS and Citrix there's a lot of overhead in providing users with remote access to their Windows applications. But when you can access everything through the browser with just a few clicks and work on your documents (which are already on Dropbox, SkyDrive, whatever) then the iPad starts looking like a really sweet thin client. And it plays Infinity Blade too...


The deal breaker for iPads was that multi-selecting was impossible with our core business application.

I had to toss it aside for a PC with a keyboard and mouse.


You are on to a great idea but I think it needs more explanation and perhaps some improvements. You gave the rationale above but may want to elaborate on the concept.

1. Provide users with a locked down Virtual Desktop maximized for scalability. (Shared Hosted if possible, VDI if required for compatibility.)

This provides required IT apps with minimal support costs and assures security.

2. For users that want or need to install their own apps, also provide an iPad/Tablet. Increasingly most user desired apps are available as a tablet app. Allow users to install what they need for themselves and let them self support apps that are not provided by IT in the virtual desktop.

3. For a client device, dock the Tablet/iPad with a high resolution display & Bluetooth keyboard plus a Receiver app to access the IT virtual desktop.

4. If a full mouse, multi monitor or peripheral is required, also provide a Thin Client.  

5. Provide a guest wifi network for iPad/tablet access that isolates untrusted Tablets from the IT secured network.

The potential improvements would be to have a tablet and dock that provides full mouse, multi-monitor / extended display, and multitasking to run and display the virtual desktop and local tablet apps. (iOS limitations may advantage Android for this.)

Thoughts?


@Chris, I like where you're going with this. Totally agree with #1 and #2.

For #3, I don't get why IT would want to provide a keyboard & mouse for the tablet.. why not just provide a thin client? So I like #4 too.

#5 I like the concept, but I don't like the idea of a separate guest and secure network. I like one network that is all untrusted, with certain devices having the ability to authenticate to the network that has the servers. (So untrusted network plus CAG SSL+VPN, etc.)

So I'm like 80% in agreement with you. This just goes back to the conversation we had about the Atrix way back when.. I don't think the tablet device needs the keyboard and mouse. Let the tablet be a tablet, and they can use a keyboard & mouse with their TV or whatever other device they use for their real desktop. That's all stateless anyway.. no need to confuse the two. (And any data they need from in the Windows session is in the cloud, not only on the tablet. So no need for tablet client.)


The "Big Monitor" with a little engine model still works great. We just "sold out" a pilot at a customer by ensuring that 24-27" monitors came with the basic and advanced thin clients.

I agree that a mobile device has sex appeal, but I don't think the iPad can buy back user rights as easily. There are a lot of folks who have them already, and many realize (rightly) that trying to use productivity applications on an iPad is awesome, but not as natural as a keyboard and mouse.

I think there needs to be a more direct link between the admin rights issue and the user desktop to make this strategy a true success. The good news is that drawing that link is internal marketing and you can get pretty creative where needed.

One thing we do consistently talk to our customers about is selective elevation and logging/auditing to verify policy compliance. We use AppSense Application Manager to do Rights Elevation for installers to personalized vDisks, with a EULA type warning about installing software. This lets us allow customization where needed for one-off applications, websites, etc. (key point, as long as they are job function related and they are ready to tell their manager why).

Often with this scenario we can enable the user sufficiently, while educating them about the risks that they (personally) bear for bringing in unauthorized applications, that the migration to a virtual desktop is not as impactful as it used to be in the old days. This allows the user to function without IT needing to worry about the massive number of applications installed on 1-5 PCs throughout organizations for valid reasons.

Of course we still push automated updating (users hate rebooting for patches too), security, recovery, anywhere access, faster application and data access, workforce continuity, and more into the message to ensure that the end-user customer understands their choices and capabilities that they get with this new desktop. If they get an iPad too, it might just help, but I can give out 3 in every class/seminar of 30 in exchange for answering a question after a random drawing and get just as much benefit. (For those keeping score at home, this will save about $10k per class and can be used to offset the training costs.)

There are a lot of cool ideas out there, but the long and short of it is that you need to do internal marketing to sell VDI as a product to your users because they don't understand why things need to change, but once they see the benefits (to them) they will usually buy in, in a big way.