I wrote in the past about Symantec acquiring the necessary companies to be a “real” competitor in the application virtualization space. It started in 2004 when a company called FSLogic was bought by Altiris. (FSLogic’s “Protect” project was the root of what ultimately would become Altiris SVS.) Then in 2007, Altiris was bought by Symantec, leading to “Symantec SVS,” an application virtualization product. Unfortunately SVS lacked streaming capabilities, so in 2008, Symantec bought AppStream.
A few months later, Symantec bought connection broker vendor nSuite. And finally, a few weeks ago, Symantec announced they’d licensed a profile management product from another company.
Phew! If you can follow all that, you’ll realize that Symantec now has four distinct products in the desktop and application virtualization space. To that end, Symantec just announced a new offering called “Symantec Endpoint Virtualization Suite 6.1,” made up of those four products (albeit with new names for each):
- Symantec Workspace Virtualization (formerly Altiris SVS)
- Symantec Workspace Streaming (formerly AppStream)
- Symantec Workspace Corporate / Remote (formerly nSuite)
- Symantec Workspace Profiles (OEM’ed from someone, TBD)
Let’s take a look at each of these more in depth:
Symantec Workspace Virtualization
Workspace Virtualization is the bad name for the good product which was formerly known as Altiris SVS. This is an application virtualization product that will compete with Microsoft App-V, VMware ThinApp, InstallFree, etc.
Workspace Virtualization is essentially a filter driver which transparently redirects all disk reads and writes into an application’s virtual “layer” without the OS even knowing it. (In other words, the OS thinks it’s reading from and writing to “\Program Files\Some App,” but in reality it’s being read from and written to a separate, isolated area of the disk.) This is similar in concept to the way many application virtualization products work, except that with Symantec’s Workspace Virtualization, the external operating system is also “fooled” into thinking the app is there (whereas many app virtualization products only fool the app executable itself).
This architecture means that external applications (whether virtualized or not) can very easily see “into” virtualized apps, so for example, right-click menus and other cross-app integration works perfectly without any configuration!
Of course this is also a downside, because it means that conflicting side-by-side apps would still conflict. (In other words, the SVS product historically offered just “virtualization” without “isolation,” so you could just run a streamed app without properly installing it, but it could still conflict with other apps.)
Symantec understood that to be a problem, so one of the new features in Workspace Virtualization v6.1 is that “isolation” can be enabled for a specific app package (or “layer”). It’s literally as simple as a check box for that layer. You check to enable isolation, and it essentially shuts off the filter driver as needed.
Whether a layer is isolated or not, or whether certain layers have dependencies on other layers, is all determined at runtime. This means that you don’t have to spend packaging time configuring the holes in your bubbles. You just package your apps, and if you need to isolate or have certain apps depend on each other, you can configure that as you deploy your packages.
Another small (yet crucial) improvement to Workspace Virtualization 6.1 over SVS is that the product now officially supports Terminal Server. (In the past, this functionality was only available via a hack from a Dutch company called DeltaISIS.)
In many ways, it appears that Symantec’s new Workspace Control will be superior to products like App-V and ThinApp (although they’ll each have their niche). (However, I’m not really an expert with these products. That’s more for people like Ruben Spruijt, Shawn Bass, or Erik Westhovens to discuss.)
Symantec Workspace Streaming
One of the sort of strange things about the FSLogic/Altiris/Symantec SVS solution was that it was *just* virtualization—it didn’t include a streaming component. (So basically once you got it down to the client, great, but as for how you’re supposed to get it there… well… good luck with that!)
AppStream was a standalone software company whose one product was used for streaming apps to clients (although, somewhat presciently, they didn’t virtualize or isolate the apps that they streamed). Needless to say, Altiris SVS and AppStream were a perfect match, and shortly after Symantec acquired Altiris, they also bought AppStream.
One of the cool things about AppStream / Symantec Workspace Streaming is that you don’t *have* to use it with Workspace Virtualization. In other words, you can stream apps that aren’t virtualized. In this case the streaming sort of acts like a “copy on demand” for the files (or bits of files) to be put onto the client device.
Symantec Workspace Corporate / Remote
The Workspace Corporate and Workspace Remote products are the Symantec-branded versions of the connection broker Symantec picked up when they bought nSuite. The new Symantec 6.1 version is basically the same as the prior nSuite version, but with Symantec colors, Symantec’s much more rigorous QA process, and a bunch of tweaks to the installation process.
Fundamentally, Workspace Corporate is a connection broker. There’s a web interface. You publish apps and resources via their own database or Active Directory. They add all sorts of features like single sign-on and remote printing. They have a lightweight locked-down shell that replaces the Windows Shell. The one thing they don’t do is hook into the actual delivery protocol. That’s left to RDP or whatever product you’re connecting to. In a lot of ways, the Workspace Corporate and Workspace Remote products remind me of a cross between Leostream’s connection broker and some kind of “Citrix Lite.”
I asked Symantec folks about the capabilities of this product, and who they saw using it. They focused on the fact that it was fast, inexpensive, easy to configure, and contains most of the features that people will need out of the box. It can also be used to control access on the client to local apps (whether streamed or otherwise), so it’s kind of the new interface to bring local and remote apps together.
Even though Workspace Corporate and Workspace Remote have been announced, it’s going to be another month or so before they’re shipping. I fully admit that I don’t quite understand all the bits about how these work, so that’s one of the products that we’ll be testing as soon as it’s available.
Symantec Workspace Profiles
The fourth and final product of Symantec’s Endpoint Virtualization Suite is Workspace Profiles. This is a good old-fashioned (hah!) profile virtualization product that Symantec OEM’ed from someone. (They haven’t publicly disclosed who, but I promise I’ll know whose it is after playing with it for about 15 seconds in the lab later today. I’ll update this article then.)
Workspace Profiles is going to be released in beta next month, and they’re hoping for general availability a few months after that.
Does Symantec have all the pieces to pull it off?
The short answer seems to be “yes.” If you look back to what I’ve been writing about over the past few months, I think what Symantec is doing fits nicely with what needs to be done. They have an application virtualization and delivery product. They have a profile virtualization product. And they have a framework to connect it all together.
I see a few potential risks / key factors that Symantec must get right:
- I don’t have a high degree of confidence with the connection broker yet. I saw it. It seems okay. I didn’t jump up and say “YES YES YES” when I saw it, but I don’t want to make a proper opinion on it until I can use it.
- Symantec has great mindshare around client devices, but unfortunately a lot of desktop virtualization people are hopped up on the “virtualization” word. So companies like Citrix and VMware have more pull in this space today. One could argue that Symantec is better positioned to manage endpoints, but that’s something that they’ll really have to remind people over and over for the next few years.
- Symantec Endpoint Virtualization Suite 6.1 is definitely suffering from the “Suite in name only” problem right now. Hopefully they’ll integrate everything over the next few years, but right now, it’s more like four products from the same vendor instead of one big product.
- I like that Symantec is “above” the hypervisor (client or server) and above the raw disk image management. They are focusing on the “endpoint” as a Windows instance, as opposed to a device. (Maybe this changes depending on what happens with V-Pro and some other things, but for now, they’ve got enough on their plate and I think that’s ok.)
- Desktop virtualization is very confusing. (Imagine virtual clients and virtual hosts and virtual apps and hypervisors all over the place.) How do you protect the whole stack? How do you manage the whole stack? How do you ensure the performance of the whole stack? In a lot of ways, it seems that Symantec is better suited to deal with that than the other desktop virtualization folks who “just” focus on virtual desktops.