No need for “real” user-installed app support. Just use a second VM instead!

I’ve written (and reaffirmed) that “full” support for user-installed applications is critical for desktop virtualization to take off. I’ve since realized that instead of waiting for future products to fully support this feature, we can already satisfy what’s essentially the same requirement by simply giving our users two VMs each—a locked-down one for corporate apps and a second one for non-standard user-installed apps.

What is a “user-installed app?”

One of the ways that desktop virtualization (regardless of its specific incarnation) saves money is by giving administrators the ability to create and manage a single Windows desktop image that’s shared by hundreds or even thousands of users. Of course most environments of this size have differing requirements for different groups of users (in terms of the apps they need, hardware requirements, etc.). So the idea is that an admin creates a single “baseline” image that all users share, and then when the user logs in, that image is customized (on-demand) for the user’s specific needs. A big part of this customization can be the applications that the user needs, and today’s application virtualization technologies do a decent job of streaming or providing the applications “on demand” into the user’s Windows session.

The only problem with this is that these “on demand” deliveries of applications can only be done for the specific applications that the administrator has pre-configured. This is fine for the standard apps that an organization needs. But what about all these “one off” apps that admins don’t have time to virtualize or package? In the old days users could just install their nonstandard apps on their workstations and be okay. But now that we need to share the master disk image with multiple people, we can’t let users install their own apps unless we give them each their own personal disk image.

ISVs to the rescue?

For the longest time, I really expected the vendors to solve this problem. I sort of assumed that one of the traditional app virtualization vendors would make a kind of modification to their product where it would always run in “package mode” (for lack of a better term). So anything the user did (or installed) during his or her session would be encapsulated and stored somewhere outside of the image, allowing any apps they installed to be “put back” the next time they logged on.

Certainly the vendors are working on this. User workspace management vendors like AppSense, RTO Software, Scense, and RES Software are getting pretty close. Viewfinity has built a whole company around this concept from the start, and it’s rapidly becoming clear to me that this is RingCube’s future too. (I also wrote about how MokaFive was going down this path earlier this year.) Even companies like Atlantis (which plays in the disk I/O virtualization space) have a hand in the user-installed app department.

Who needs these ISVs?

It occurred to me after reading Daniel Feller’s blog “Do virtual desktops really need to support user-installed apps?” that the answer to that is “no.” (Well, “yes,” we need users to be able to install their own apps, but “no,” we don’t need this to be a feature of the platform per se.) Daniel’s blog post was really more about why user-installed apps were a bad idea for VDI in general, though he does mention the concept of the user-managed PC.

Today’s user-installed app solution: Give the user a second, unmanaged VM

As I mentioned in the opening of this article, I initially thought that we needed the ISVs to give us “real” support for user-installed apps. But Daniel’s post made me realize that we don’t have to wait. It’s as simple as giving the user a second VM that they can use for all their own stuff. This VM can be right next to their locked-down corporate VM (whether it’s in the datacenter or on the client) and can be the “go to” destination when users need to install their own apps.

In addition to being possible today, I really question whether we’ll EVER be able to wholly solve the user-installed app problem. I mean Windows just wasn’t designed to be sliced into the thin layers we’re using today, so there are some things that just won’t work. (For example: What if you have an XP SP2 base image and the user installs an app which is encapsulated and stored somewhere persistent for the user? Then what if the admin updates the underlying Windows layer to SP3, but that user-installed app is not SP3 compatible? What happens? Do we remove the user-installed app? Do we continue to boot that user to SP2? Do we do something else?) The point is that all these products that try to make Windows more “layer-like” have their work ahead of them.

In the meantime, the rest of us can just give our users a second VM.

Moving forward you could even imagine something like Citrix’s VM-host apps feature growing to support user installed apps in a “personal” VM. Imagine if Citrix gave each user a persistent VM into which they could install whatever they wanted, and then those apps were automatically and dynamically recognized and delivered seamlessly into the user’s primary desktop.

Join the conversation



Ah Brian, there are some of us that are already doing this. cough.


I recommend that you move this to the endpoint device to reduce cost, as user installed VMs will bloat.

If you move it to the endpoint you should also have management in place. You don't need to actively manage the VM OS via client agents, but the management layer is vital for initial provisioning, decommissioning, and security.

On the security part think if a client could change the VMs network settings they could DOS your DHCP via consuming all your leases (larger scale rollout).

I'm sure AppDetective will drop in with some type 1 vs type 2 debate... lol


That will work, but I think having 2 VMs, side-by-side, does not meet one of my core objectives of a virtual desktop: Seamless. Many of us who have these discussions are tech-savvy people and can easily comprehend the purpose of each VM. What about users? They will be in their locked-down VM and try to install something. They won't remember to go to the other VM. Plus, what about a user-installed app that must use material from a corporate-delivered app? How do they integrate?

Truthfully, there isn't a perfect technical solution yet. Letting users install apps brings about tons of issues, which is one of the major reasons why we have the desktop management nightmare that we have now with physical desktops. But I do know users will need to install their own apps in order for desktop virtualization to succeed (don't tell Citrix IT, but I've installed my own apps on my Citrix desktop). I personally think the best solution isn't really a technical solution but more of a process improvement. IT must have an application request process that can profile, package and deliver these user-installed apps quickly. So, I find an app I need. I install it. It works. I reboot. It is gone. I submit a request to IT, they start profiling it. During this time, I install every day until it shows up in my application store.

Daniel (Twitter @djfeller)


Somewhere, Steve Ballmer must be smiling at this.


Hey Brian,

Are you advocating that while we are trying to reduce the physical footprint of desktops and servers through virtualization - that it's a good idea to increase and perhaps double the amount of desktop OS's that have to be supported and maintained by giving users an extra VM or 2 for their user-installed apps?

Not sure I could get management to buy into that one.


@John, Yes, that's exactly what I'm advocating. The idea is that we'll be saving money on the support side. And if this is on the client, it's not like we're going to have to go out and buy bigger drives or anything.

But I think that if the personal VM is in a VLAN that is isolated with Internet access only, it wouldn't be too much extra work. We don't ever really have to support it... we can just refresh it if it gets broken. (Like a home PC.)


@djfeller, I'm going to disagree with you about the need to integrate these two VMs, and in fact I'll suggest that having two full desktops might be an advantage.

There was a study done (I forget where and I can't find it now) that users preferred the two separate full desktops because it was mentally easier to keep track of what was "work" and what was "personal."

Of course that's just for some users. Others might like and prefer integration. I'm just saying that I don't think integration is necessarily needed to make all this work.


Brilliant. Vendors around the world (esp those who sell VM/VDI-based solutions) are cheering while end-customers are cursing this recommendation.

Reminds me of a quote from the movie Contact "First rule of government spending, why have one when you can have two for twice the price."


I thought about this when I first started to figure out how to VDI enable my workstations.

My only solution is to use the computers already there, not use thin clients.

That way the user has full access to his workstation, using the OEM license that came with it. Only thing we would have to install would be the VMware View Client, or just link to the webportal. Everything work related would be in the VDI image, as closed as we could have it. Might even be smart to disable internet access for the VDI image.

If the workstation OS would be toast we would just factory reset it with the disks that came with it.


I agree with djfeller, in the enterprise you need to have a solid process around app request/packaging/deployment in order to make apps available in a short timeframe. If users feel that they can request apps and get either the app that was requested or an approved alternative in a fairly quick manner, then the need for users to download and install apps is reduced. Developers, I think, are a special case where the need to test components and apps necessitates the ability for them to be able to install what they need.


I'm not sure I'm understanding this, but what you're saying is one desktop per user isn't enough, give them 2? What about all the VECD licensing costs? Your second "user" VM now needs to be managed like a regular desktop, patches, AV updates, etc. because it has to be private. How are you saving on support costs?

Personally, I think the concept of user installed applications is a business policy issue, not an IT issue.  When did it become IT's problem to accommodate users to install iTunes and Firefox?


Twice the VMs to manage and twice the licensing for IT to handle not to mention a slew of other bloat.  I really appreciate the idea of providing a desktop that the user can truly make their own since this improves the user's experience which is directly related to their productivity. I do believe that eventually we will see products which run in "install" capture mode which are capable of gathering the changes that the user's newly installed app have made and then slip them into the non-persistent image that they receive.  This is an extension of the user's customizations - the things that make it "their" computer.  However, there will be issues with this like the example Brian provided.

Giving the users another VM may solve the problem for now but it ultimately will not lead to reduced operating costs.  Yes, you can just refresh their custom "user" VM back to the original state if they blow it up but now that user has to rebuild and customize their system and they feel completely abandoned by IT.  Plus, part of the reason for granting them the right to install applications is so that they have access to those tools that are necessary to perform some job function outside of the IT provided applications.  This means these user installed apps probably will need to interact with the corporate apps/data.  If persisting an additional VM and refreshing it when necessary is an option, you might as well just give them a dedicated corporate VM in the first place.  Isn't one persisted VM better than one non-persistent + one persistent?


Re: Licensing, I think we're talking about VECD for all of this, and this is something that you'd be allowed to do under an existing VECD license. So no additional license costs.

As for support, I'm thinking that wouldn't be as big of a deal either, because the whole point is that you wouldn't have to support this OS. I like the idea of even putting each of these in their own VLAN so they see nothing except a (QOSes) internet connection. (Although I recognize that might require a network upgrade.)

And finally, I guess we need to define "user-installed app." I think of this as everything that can't easily be layered into the formal corp desktop image, which might be silly things like iTunes and Firefox, but it could also be things they need for their jobs that IT was never too keen on supporting anyway. I think that when you move to virtual desktops, you can't just ignore the fact that users have been installing their own apps for years and take that away from them.


One feature that we plan to introduce in the next version of Ericom PowerTerm WebConnect (scheduled for release by the end of the year) is what we call Unified Desktop. Basically, it's two or more desktops seamlessly integrated. Sort of like VMware Fusion or Parallels Coherence for remote desktops. Using this feature, the local desktop might be used for the user installed applications, while the organizational desktop would be locked down in the data center.


I would think Citrix could provide user-installed app support by adding XenApp Application Isolation Environment (AIE) technology to XenDesktop.

Users would create and store applications in an AIE repository that would overlay onto the managed system image.


Where does the company's liability play into all of this? I don't believe for a second that if someone has violated a licensing agreement or committed a malicious act (intentional or not) that only the individual will be held responsible. Big lawsuits and big news stories come from big names.


I still don't buy into it, respectfully.  I love the idea of giving users a disposable/re-doable OS but I don't think it's that simple or inexpensive.

Last time I checked, VECD licensing was still an additional cost? Small maybe, but still a cost. Then there's antivirus, patching, software license auditing (if you want to verify legal ownership). I ran into this same discussion today concerning Pocket Ace. Great idea in concept, but it's still another OS to manage with additional costs, no matter how you slice it up.

@Dan Shappir - Unified Desktop sounds intriguing.  Hope we hear more when it's released.


djfeller, I hate to pick on ya buddy but that's not how organizations are structured or organized. There are few organizations that have adopted App Virtualization as a strategic direction but the bulk are tactical solutions. They haven't operationalized App Virtualization yet. Second, a user is not going to put up with installing the application every day. This is a waste of time and resources. Loss of productivity. Third, requesting an application to be sequenced/profiled can take an eternity in many organizations.

Seamless is great, but we are not there yet with Desktop Applications. We are getting closer with XA FP2, but it's nowhere close to where it should have been. There are few things that have to happen before we see the Seamless vision fulfilled.


I agree with many of the posts above regarding liability, IT support mess etc. There is no way that any service level can be offered for this mode of operation if you allow users to install apps inside a corporate image. That does not mean type 2/1 solutions cannot be used to address this. This is the same thing as giving them two desktops or VMs, however not inside the corporation on the same network. Complex to split tunnel them, unless you treat everything as hostile and VPN in with end point posture checks etc. I think the term 'user installed apps' is a crappy term that leads to chaos. Layers solves a different problem, and should not be confused with User Installed apps which is an edge case. Layers is all about helping better manage desktops and apps etc. I'm hoping for the big vendors to offer real layers in time, user installed apps is just a gimmick edge case that has too much hype associated with it.


@Dan Is your Unified Desktop the same concept as Project Alice AKA reverse seamless from Citrix? Whatever happened to that?

Another feature not added to the product that the market needs..... Uggggh


@appdetective, actually no, Reverse Seamless and Unified Desktop are not the same thing. While they share common technology (and with regular seamless as well) the purpose, and hence functionality, are different.

Reverse Seamless, like regular seamless, is about integrating applications running at different locations into a single, coherent desktop. So, for example, you only have one Start Menu and one Taskbar. The only difference between regular and reverse seamless is that with regular seamless remote applications are integrated into the local desktop, whereas with Reverse Seamless local applications are integrated into a remote desktop.

BTW we also implemented Reverse Seamless, see:

Unified Desktop is about giving users access to two (or more) desktops at the same time, without forcing them to toggle. The user is aware that some applications are running at one location and other applications are running at another. This means, for example, two Start Menus on the screen at the same time.

Actually, this sounds like an interesting topic for me to blog about :)


There is a fundamental weakness in this dual work+play VMs approach. Sure you can give users a second VM to do what they want with, it comes with costs but it can be done. The real problem is that it assumes that users would never need to install applications in the work VM. That means that everything users might need must be packaged and delivered in some other way. There are all sorts of personal productivity applications which users need plus any new applications that are not yet (and may never) be packaged. This all makes the work VM too restrictive.

There are users this will work for but it is not practical for general users’ needs.

Martin Ingram (AppSense)


@Dan, you should. Stitching the desktops as one unit combined with your brokerless feature, I know you will get a lot of support from the banks. My advice to you, go market these like hell to the banks, I can't say who, but you will figure it out once you start reaching out. Citrix needs to wake up!!!! If indeed your protocol is rock solid then I predict many banks can move away from Citrix for some use cases in a reliable brokerless mode.


What I'd like to see is some sort of compartmentalization of an existing OS, like Parallels Virtuozzo does for server OS's.  If a version of Virtuozzo was released for Win 7, users could feasibly install applications into one "container" and leave the other container(s) alone for business apps and whatnot.  The key here is that it is one OS to maintain and pay for, and resource consumption is significantly lower since there isn't really another virtual machine running.


@John Radcliffe is the only sane person on this post.

When did IT become about the users wanting to play solitaire and install apps. From a security, licensing, productivity standpoint this is absolute insanity.

If a corporation wants to take the road of having a user "Play" environment then it should move all of its apps to a TS or XenApp environment and publish them or convert them to Silverlight, Flash (think Adobe AIR) and host them.


@Elvar, I think you're on to something.  This issue is at least partially solved by taking advantage of the fat clients you already have or by initiating a Bring Your Own Computer (BYOC) program. A BYOC program inherently solves the user-installed apps issue: users can install whatever they want on their own local desktop, which is explicitly unsupported by IT.  However, their virtual corporate desktop is locked down.  Users get the personalization they desire w/o requiring a second VM for IT to manage.  IT gets the management and security benefits of a locked-down corporate VM.

You have to really look at what users are asking for.  They want to feel like they're using their own computer and be able to personalize it.  IT interprets that as granting users installation rights.  But users don't care about HOW personalization is achieved, only that they have it. So if users want to feel like they're using their own computer, why not let them through BYOC?

Giving users installation rights on their corporate VM isn't really the answer and isn't what users are explicitly asking for.  Why let users install a bloated app like iTunes on their virtual desktop when you can let them install it on their local desktop?  That way, users can listen to music, which is their real goal, and IT rightly keeps that workload out of the datacenter.  If users can install whatever they want on their corporate VM, IT will have to keep increasing the CPU, RAM and storage resources of those corporate VMs--just like IT essentially does now with PC refresh cycles.

I have to agree with Daniel here: how often is the everyday user installing an application that is critical to their job function?  The most common examples I've heard have to do with IT admins who want to use certain tools.  But IT admins are not the everyday user.  In many cases, users might just have a one-off need for an app and then never need it again.  

@Joe Shonk, if the user has a recurring work-related need for an app, then there should be a process for formally requesting that app, whether it's delivered via Application Virtualization or not.  If a process does not exist, then users likely will resort to some under-the-radar means of getting the application, which means you may be allowing the use of an un-licensed app within your data center.  Sure, users may be doing that now while IT looks the other way, but the stakes are different when that workload is now running within the data center.

If your users have local computing resources, why not let them take advantage of those resources for apps they need/want to install?  Just move their corporate workloads onto a locked-down VM that's safely within the data center.  In doing so, you've also made it easier to support a BYOC or telecommuting initiative.  If your users are on thin clients, well, they likely are in a task-driven environment and haven't needed installation rights this far, so why allow them now?


Instead of giving users two VM's, perhaps just allowing them to bring their personal laptops to work would be simpler.  Although I'm skeptical of BYOC (which seems to be growing in popularity).  Give them open WIFI to connect to Citrix where they can access their corp desktop, but can still install apps locally.  No IT support on personal machines, no additional licensing costs, no second VM to support, no license violations using free software designated for non-corp use.  It probably wouldn't work for everyone, but for those users who "have to have" an application it could be a cheap option.


Internal IT departments really need to have a look at what they control, how they control it and why they actually control it.

In times gone past we removed "games" from the SOE. We had the best of intentions but....

Why did we spend engineering time on this task?

What did it achieve?

Achieved nothing but pissed a few people off !

Does locking down the corporate desktop actually save you money?

I don't think so but I'd be interested in other views.

Only gotcha is software compliance and where the liability lies in a corporate environment. Even with the second VM, if that VM is either running in the Data Centre or at the desk I imagine IT still has the obligation to "protect users from themselves".


Admin rights on users' machines is why malware spreads. Therefore restricting rights on IT managed VM is more secure and saves costs on support etc. Admin rights is one of the reasons PCs are so hard to manage.


So....if the problem is malware spread, surely full lock down is like taking a sledge hammer to a thumb tack !

Do better things, not things better !!!


I'd sooner endorse 100% adoption of BYOPC (as soon as I completed my NAC/NAP infrastructure that is) before I allowed a user to have two separate VMs just for the purposes of running their malware of the month. BTW, I've already seen one company with almost two times the number of PCs vs employees. It's just wrong on so many levels. BTW, these are the same people that are so interested in cloud computing because of the capex/opex scenario, but I keep staring at one giant capex/opex problem at the # of desktops and all the management costs that go with it. PCs are dirt cheap, managing them is what costs you again and again.



I think it's great to see some acknowledgement that user installed apps are a real requirement and IT can't continue to keep their head in the sand.

Don't forget that some organisations see "whacky little apps" like iTunes and Firefox as corporate applications purely in relation to staff engagement and ultimately a staff retention strategy!

The word "management" is used a lot with various underlying definitions. To me, a good use of management spend should go towards continual mapping and inventorising the applications ACTUALLY being used in an environment. With this information an organisation can make informed decisions about how to deliver their applications. Yep, maybe the answer to some apps is let them self install but the organisation at least needs to know of any licensing compliance issues that may exist.

Don't think for one second that you only need to worry about apps within SCCM (or equivalent) and those published in your TS/CTX environment.

Sorry for the rant...I think I'm a little off topic but I'm passionate about understanding when people say management, what are they actually doing !!


Doesn't this whole discussion come down to an underlying issue with IT? Not being able to deliver the services that users require.  What happens when you don’t get the service you demand from your cable provider? You go satellite.  What happens if your phone carrier doesn’t provide you good coverage? There are plenty of others to choose from.  But at work, we are stuck with an IT organization that is not living up to their end of the deal.  Because I’m a consultant, I see many wonderful IT organizations that really have their acts together. The things they are able to do are astounding. But then I see IT organizations that have no clue. Their entire mission is just to get through the day without someone coming in and ripping their heads off because the environment is a bloody nightmare.

If you are going to do desktop virtualization/VDI, then IT needs to have their act together and be able to allow users the ability to request new apps and have those apps delivered within the supported infrastructure in a timely manner (days/week, not months). Desktop virtualization is a new way to deliver a user’s desktop.  Shouldn’t we then have a new operating model that fits in with the new direction?

Twitter: @djfeller


@Daniel Feller -  I don't think the problem lies with users being able to REQUEST their own apps.  The problem for IT Support is users being able to install whatever they want.  There's a huge difference.  How many of us remember Quake, Napster, uTorrent and a host of other user-installed apps showing up on our networks and causing issues with the network?  I've never had a problem working with users to get applications installed where there was a business justification.  Sometimes it took a lot of work, sometimes extra equipment, but most of the time - it was just as simple as testing/installing a new app on a Citrix/TS.  There will probably always be cases where a user (especially developers) will need PC's/VM's that are customized for special use, but in a corporate environment, I'd say that's probably 5% or lower.  I think those kind of numbers are manageable.


@John - I think you made the point.  Users should be able to request any app to be part of the virtual desktop environment, but it is up to the business to decide if it is indeed a business requirement. Quake, Napster, uTorrent are not.  I would not expect any IT to deliver these to users.  But there must be a process in place for users to request apps, apps to be validated, and apps to be profiled if approved - all in a timely manner.


@Clayton what are you smoking? Retention strategy to install iTunes and provide a service level! Give them BYOPC to do all that, or a second machine. Ask those morons users to go find another job in this economy.

That does not mean we should not enable user self service as djfeller alludes to, but creating a cluster F by allowing users to install unmanaged applications into a managed OS just adds to costs, and the mess that is PC management at scale today and a security risk period.


Brian validates what we’ve been hearing from companies in that they can see the benefits of being able to better manage their desktop environment using virtualization technology, but it’s still not fully baked yet. Most companies struggle with the “one off” application packaging and handling user initiated changes that interfere with the base image. I believe most of us agree we cannot expect IT Admins to package, virtualize, and sequence all apps in advance. Viewfinity’s approach is different in that it virtualizes applications on the fly by automatically encapsulating applications as they are installed on the client device (without pre-packing). Also, any user initiated changes that deviate from the master image are placed in the user layer and can be preserved for that user between login sessions. This helps organizations provide their users with the “personal computing” experience they’re accustomed to but doesn’t require additional VMs or any noticeable changes to the desktop.


@appdetective I'm glad I don't work for your company. To me your views are why "traditional" IT departments are viewed the way they are.

Who are IT to demand a business case for the use of an app?

My point is....people will run applications regardless of any IT approval....that's why we are having this discussion. Embrace this rather than trying at all costs (substantial cost...some people call it "Desktop Management") to stop it.


All we need is something so that the end user can fix their own problems.

Basically, we need something like System Restore, except a bit more robust.


(1) built-in app virtualization for all apps

(2) user-state virtualization

(3) user-data virtualization

Note:  all virtualization has database back-end, with logging

Then, when the user has a problem, the user can either "roll back themselves", or the admin can perform the "rollback" through a simple interface.

This idea would work.

We could call it Virtual Go Back, Corporate Edition, and sell it for $250 per user  (all it is is logging  app and user environment personalization within a database, and offering the end user easy-click access to revert to a prior time when things worked).

Since app virtualization already exists, and user environment personalization with database back-end already exists, we could just extend something similar to AppSense to virtualized apps, and then add in the easy go-back functionality for end users.

Problem solved, users can then fix most of their own problems.


@Clayton saying "Who are IT to demand a business case for the use of an app?"

Interesting, sort of.

IT's demand the business case because -

1) They are typically the ones who end up supporting it when it breaks. That affects efficiency, which affects support costs $$. Oddly enough, $$ seems to be important to management and those who have an interest in the success of the organization/business.

2) IT's have been put in the position of providing a stable, supportable and financially/legally responsible IT infrastructure. You can't do that if you let users install whatever apps they want. It would be a great world if users never installed apps (either accidentally or on purpose) that didn't have a detrimental effect on the network, didn't require support, didn't cause issues for other computers and never required legal licensing. Have you run across such a group of users? Or an IT organization that doesn't care about how one user's actions can affect the business?

That being said, I'm all for giving users legally licensed applications that they need to do their jobs, that aren't detrimental to the network and can be supported without excessive costs.  Any IT management group should welcome any use of software/OS that can make users more productive and make the organization more successful.  


I like the idea of a second VM for power users. Another option, if it's not a business app that is justifiable for IT to publish (iTunes, TwitterDeck, etc.), why not connect to your home PC and run whatever you want remotely?

Will User Installed apps become an obstacle to VDI deployment ? I am taking a Poll here: