Now AppSense is entering the "user installed apps" game. Will these things ever become real?

Yesterday AppSense CTO Harry Labana announced that AppSense is getting closer to releasing their "Strata" product for managing user-installed apps (UIA) in locked-down and layered environments. This is something they first talked about at BriForum last year, and while Strata won't be available until 2012, Harry did announce that it would be free.

Yesterday AppSense CTO Harry Labana announced that AppSense is getting closer to releasing their "Strata" product for managing user-installed apps (UIA) in locked-down and layered environments. This is something they first talked about at BriForum last year, and while Strata won't be available until 2012, Harry did announce that it would be free.

This comes on the heels of Liquidware Labs' "FlexApp" announcement at VMworld in Las Vegas a few months ago where they'll add a UIA capability to their Profile Unity product. (Here's a demo of it shot by the Dutch VMUG.) We also have UIA capabilities in many of the existing "layering," products, including Moka5, Wanova, Virtual Computer, Unidesk, Citrix RingCube, and probably a few others I'm forgetting.

But I wonder: Will user-installed apps ever become a major thing? Will these products ever become mainstream? My sense has been that they won't, so let's dig into that today.

What is "user-installed apps" (UIA)?

The term user-installed app is used to describe an application that a user installs on his or her laptop or desktop as opposed to an application that's installed by the corporate IT department. In the traditional desktop world, UIA wasn't even a topic of conversation because users were generally able to install whatever they wanted. Corporate IT would provide the base computer with the corporate apps, and users could go nuts after that.

But when it comes to desktop virtualization, UIA is a big deal. A lot of people use desktop virtualization to simplify the management or their desktops. Unfortunately though, the term "simplify the management" usually means "lock down the desktops." While this is fine (and certainly simplifies things), it means that users aren't able to install their own applications anymore. But since we're talking about virtualizing the users entire desktop, that can be a big problem.

So what do you do? Do you "simplify" the desktop by locking it down (thereby making your life easier), or do you let the users install their own apps (making their life easier)?

Enter the user-installed apps solutions

The vendors selling UIA solutions are attempting to provide a solution that's the best of both worlds. They want to allow users to install their own applications into a locked down environment, but as the applications are being installed, they're sort of transparently redirected to a personal area for the user instead of being written to the locked-down system area. Then when the user logs into a different locked down system the next day, the UIA tool can reconnect the user to their personal area which contains their applications, and it appears that the user has everything they need despite the system being completely locked down!

The raw technology that makes this happen is pretty stable. It's not that hard to watch what an application installer does and to redirect anything it writes (files, system changes, registry keys) to an user-specific location without the app knowing. (I'm sure the various vendors will disagree and say that they do it better, etc., but my point is the actual virtualization technology to make this happen is not the problem.)

The problem is that the layering solutions (and, by extension, the UIA solutions) don't work with every app. This is something that's widely acknowledged in the industry. Layering is great, UIA is great, but neither work with every application. Some people think that's ok, because the more apps the users can install on their own, the less IT has to worry about. Others think the limitations are show-stopping, because if the new layered, UIA, virtual desktop can't work for all apps, then that means you have to find some other way to deliver those last few apps. And if you're doing that, why are you using desktop virtualization in the first place? (We've written a lot about layering over the years. If you want some more background on the concept in general, check out Gabe's What is layering and why does it matter?)

Does UIA even matter?

With all the arguments and conversations about UIA over the past few years, some people are beginning to wonder if this is even a conversation worth having? And I've always thought that a "simple" way to support UIA was to just give each user their own "unlocked" VM.

Other people have pointed out that many of the new "applications" that users install are simple enough that that these UIA or layering tools should work fine. Sure, there may be some apps here and there that don't work, but so what? If UIA means that users can install TweetDeck and AIM and the GoToMeeting plug-ins, then shouldn't that be good enough?

What do you think about UIA? And if AppSense makes Strata free, does that end this conversation? We just use Strata if we need it, and ignore UIA if we don't?

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

All the risks related to users installing their own software affect the company itself. Security and data leakage issues, legal consequences because of illegal software installations, the company  (the companies IT departmens) will suffer the consequences. So UIA is not just about temporary leveraging user credentials (RES) or capturing file system interactions (AppSense). It is about trust, control and governance.

As long as end users are using corporate IT resources to install and store personal data and applications, IT needs to be in the loop. IT will never take responsability for apps installed by users themselves. As long as IT exactly knows what is installed, by who and on what device\session and (most important) is able to intervene, UIA might have a chance for adoption. We (Scense) know that even with this amount of control, IT departments have difficulties embracing UIA.

I was not able to check the specs of Strata yet but am very curious about the levels of management and control it offers.


Will ever a CIO let user install their own applications on a corporate own device with the risk to get technical issues (virus, malware, trojan) but also legal issues (illegal software, ...).

As the device is owned by the company, the company is responsable for the content on it (at least in my country)...

Better to take the other way an dplace corporate apps on personnal device (locally or not).


There are 2 distinct camps:

1. Those that want full security and locked-down computers in their orgs.


2. Those who allow BYOD and apps to be installed.

While I have the utmost respect for Harry, I “sense” an App that already exists: Sandboxie. I have been touting this little gem for years. Why reinvent the management mousetrap. Better to innovate on ideas that exist for improvement purposes. I would even go out on a limb and say that this is even a better virtualization tool than client-side hypervisors.


I think @Hessel hit on on the head. The UIA challenge is less about the mechanics of how you capture user-installed apps and more about policy and governance. Right now, every organization has a power structure. In some cases, IT has the power and locks everything down. In others, users have the power and it's the wild west of rampant admin rights, user-installed apps, etc. with IT folks just dealing with it as best they can. (Obviously, not every company is at one of these extremes, but in pretty much every organization I've talked to you can clearly identify which side of the scale the power sits on.)

The winning UIA strategy will be the one that brings the power scale between IT and users into balance. At AppSense, we already do this very well today with user admin rights. As our customers are moving from XP to Windows 7, they are dialing back admin rights while taking a "common sense" approach to letting users elevate rights when the productivity/user satisfaction benefit outweighs the downside for IT. It bring the power scale into balance. IT may not be completely happy, since users can still take baby steps aware from a uniform desktop image. Users may not be completely happy, since they don't have free rein like they did with XP. When everyone is a little unhappy, it's usually the sign of a pretty good compromise.

Even pre-Strata, we have been extending this concept beyond user rights to user-installed applications. With our current platform, IT admins can already selectively white list user-initiated ActiveX software installations at a very surgical level. So, for example, users in "locked down" environments can be empowered to install software from specific approved websites ( and being two common examples) without exposure to any conceivable ActiveX exposure in the wild. You can even tune this down to specific applications (or versions of applications) on a given website if you want. It's not religion. It's not a power grab. It's pragmatism.

This is working, and our UIA plans are simply an extension of this philosophy to full-fledged Windows apps. The application capture, while by no means trivial, is a commodity. Maybe you like Strata. Maybe you are a XenDesktop user and you like RingCube. The key missing piece, as the early commenters have pointed out, is wrapping IT policy and governance around it.



I 100% agree with that. "Trust is Good, Control is better". Are these "missing pieces" the reason you are giving it away for free?



It's mostly because we are humanitarians. ;)



It is true that it is easy to build a layering solution that works with basic applications.  But it is quite difficult to make a layering solution that works with *all* applications, including system-level services, kernel drivers, boot-time services and make it play well with other virtualization solutions.

That's probably why you think that it's "widely acknowledged" that layering solutions don't work with every app.  It's true that most of the layering products don't work, but ours does ;-).  We were

the first to release a layering product more than two years ago and we were working on it for a long time before that as well.  It takes a while to get everything right and it is certainly a non-trivial accomplishment to get to 100% compatibility.

Most of the layering and user-installed application "solutions" out there are just application virtualization derivatives and have the

corresponding poor compatibility, poor desktop integration, and missing functionality.  They work fine with basic applications in the same way it is trivial to make an App-V package of a basic application.  But they don't work with 20-50% of the applications out there.  And any user-installed application or layering solution that doesn't work with a significant proportion of apps is not really

a solution at all.  These are not niche applications.  I'm talking about basic stuff like iTunes (which uses a kernel driver, btw), Visual Studio, software to mount ISO images, software to sync my phone, etc.

From what I've read about AppSense Strata, it is along the lines of this application virtualization approach and will have all the same associated problems.

Regarding the risks of allowing user-installed apps and the associated legal and support can of worms, the technology behind user-installed applications goes beyond just applications that the user installs

themselves.  It also covers custom applications installed on behalf of the user, via MSI, SMS, software distribution, etc.  Once you can layer custom applications while updating and managing the base image separately, you get true single-image management, regardless of whether you actually allow users to install their own apps.  One interesting data point is 98+% of our customers have the user-installed apps feature turned on, even if they don't allow users to install their own apps.

The second point is you may think that users don't install apps or need to install their own apps, but you are almost certainly wrong.  First, if you give users admin rights, you are already doing

user-installed apps.  Second, we are still a very long way off from users not having to install their own apps.  It goes beyond apps like iTunes and instant messager.  When you join a webinar you need to install the webinar software.  Office plugins for productivity.  I even need to install a device driver so I can charge my iPad from my PC.  Unless you are talking about the most basic task worker, like it or not users still have a need to install their own software.


CTO, MokaFive


I agree in part with John Whaley, but have a different take on his appraisal.

A large percentage of the solutions our there right now which virtualise applications and purport to provide 'layers' for this and that; many of these solutions add filter drivers which in my opinion are going to add up to some scalability headaches for VDI.

If you take the Project VRC white paper which discusses the impact of various app virtualisation solutions as an example it seems plain to me that every time you try to fix one layer by intercepting traffic at the kernel level and redirecting it somewhere, performance and scalability are invariably going to suffer.

So, once I have my PVS delivered image, with personal vDisk or Appsense Strata, then push other apps into my desktop using App-V or Citrix App streaming, then add other filter drivers to virtualise my user profile, how long will it be before every i/o is pushed through such a complex stack of filters that my back end scalability starts to suffer?

I'm sure Moores Law will keep providing us with the additional cycles we need to stay on a level playing field, but at some point surely we need a better solution?


I think only looking at applications that a user installs by it self does not show the hole problem.

We have many traditional fat client customers (and that's still the majority) having hundreds of application packaged in msi format and centrally managed. But on the other hand they have thousands of applications that have been installed manually (not nessesarily by the user himself but by support services).

You can argue that this is not a optimized environment but it's reality and if you think about the operational effort for centrally managing 2000 apps (packaging, updating, testing, ...) compared to install an app by support staff by using remote support tools, than it's hard to say that it's really the more expensive way.

Back to desktop virtualization and single image management:

If the customer is not able or willing to consolidate their applications in a dramatic way, then you'll end up in a lot of master images...enventually more than you can handle.

So you have to enable a way to provide all the applications that

...can't be virtualized

..., are required only on some desktops (and therefor are to expensive to manage them centrally)

...or are used by some "important" people and can't be refused.

On a shared image I think some kind of UIA (even so the user does not necessarily install the software by itself) is required - if the target is to address all endpoints.


I usually read free when it's not open sourced as a gimmick as I know there is always a gotcha. I think Appsense should consider open sourcing Strata and encourage people to build on top of it. I guess the point Appsense wants to make is, this BS conversation on UIA in the data center is commodity. Even Citrix understands that UIA in the data center is BS and hence positioning Ringcube as a personal disk. (BTW that also lacks all the mgmt that is needed). VDI is the wrong model to allow UIA for the masses no matter what John Whaley and others keeps trying to sell with the evolving and almost failed Moka 5 business model until Quest came along with a lifeline. Sorry, John, you're a smart guy but I think you don't appreciate the data center and how things work operationally.

Back to the gotcha. Harry I guess that's the biggest joke of all. We now have to buy an expensive product to get the governance you are talking about if implementing UIA in the data center with some controls. I'm ok paying for value and capability, but for that I expect a lot in return. EM 8.0 was a nightmare, the product took a while to truly appreciate the power. Perhaps take a look at the RES console, much weaker capabilities but just feels easier..... despite what I think of them.

Too many consoles and still no delegated admin. The darn thing has to work really well and my confidence has been shaken recently, so fix your f'ing functional testing.

As for use cases. I will disagree with John Whaley once again. If I want 100% app compat I will use a PC or a hypervisor. What I'd actually like is an API so I put my own stuff that I know works in the layer and then look to back it up. That is something I would consider in the data center. I want less stuff in that layer and I want it to be very simple and reliable and fast. There is a potential future play for multiple layers but it's years away and don't believe the apps will work well enough as I written before.

I do like the suggestion of client use cases with a layer. Need to think about that one more but could be more pragmatic than client side hypervisors for a subset of use cases. No reason not to use them with a client hypervisor that I can think of. But here is where I may be more inclined to agree with John Whaley on the client side. Client side use cases are likely to represent a greater diversity of apps so I have to feel that most of the apps I care about will work. I can accept some not working if it means no hypervisor needed and the layer is free.

So I guess free is a smart move and takes the wind out of the hype and focuses the conversation back on what really needs to be solved in the right way in the data center. Much work however still needs to be done in the current product that Appsense should not loose sight of.