If you let your users have full control of their tablets, can you lock down their desktops?

In the world of desktop virtualization, there's a lot of talk about how to rein in control of users' desktops while still giving them the freedom to work as needed (installing their own apps, etc.). For the past twenty years or so, most users have had full desktops or laptops with enough security permissions to be able to do what they needed to do.

But then this whole desktop virtualization and VDI thing came along, and a lot of companies started focusing on ways to lower the costs of management of their desktop computers. One way to do that is to "lock down" the users' desktops. As you can imagine, a locked down desktop means that users can't install anything, and when users can't install anything, it's harder for them to break things (which leads to less support and ultimately lower costs).

But the flip side of the "locked down" desktop is that users hate it. This is especially true with the whole consumerization trend where users often use non-IT-provided apps and services to do their jobs. How can an IT department embrace consumerization yet still lock down users' desktops? But does letting users do whatever they want on their desktops mean that IT is stuck with high support costs since users will break everything all the time?

One way around this is to give users two desktops--one which is wide open and unlocked (often called the "sandbox" or "Wild West desktop") and another which is locked down and controlled. The locked down desktop is the corporate desktop, complete with the corporate apps, VPN client, security software, domain membership, and no ability for users to do anything. So it's cheap and easy to support. Then the users can use their unlocked Wild West desktop to install their consumer apps and whatever else it is that they need to do to be happy. And of course, IT doesn't support the Wild West desktop. If the user breaks it, too bad for them!

So while this "dual desktops" approach is a perfectly valid management technique, it can be expensive and complex. Of course IT isn't literally going to give each user two laptops, but they are going to have to use some kind of client virtual machine or combine a locally-installed desktop with a full VDI desktop. Really, no matter how you slice it, you're talking about two desktops per user. And even though IT is only supporting one of them, it's still not ideal.

But I wonder: For the Wild West unlocked environment, does IT really have to give the user an actual Microsoft Windows desktop? You hear so much about how users can do more and more with tablets. I wonder if IT gives each user a tablet, will that be enough to satiate their desire to do the consumer-type things they need? Then maybe you can get away with only having to support a single desktop for them, which is the locked down corporate one.

What do you think? An easy shortcut?

Join the conversation



An interesting proposal to an age-old problem. But, if the tablets start to connect to the corporate network, and IT is expected to support them, do we end up where we started? Perhaps it's better to utilize the solutions available today to balance security and productivity. Using privilege management, IT can define the framework in which end users can have their own freedom, even in a locked down environment. Privilege policies control any necessary elevated permissions, keeping users happy and security risks out.


I like this idea a lot. When you look at where things are going, most of the apps you want to be able to install yourself will be available for tablets.

So why not just a tablet as the client with whatever apps a user wants, connecting to a virtual desktop managed by IT? As noted by Gil, you don't want the tablet on the internal LAN, so have a guest network, then treat the tablet as a remote device or BYOD.

Connect to a high-res display, full keyboard and mouse, multitask with virtual desktop and local apps... kind of sounds like a Nirvana Device :-)