The lowdown on Symantec’s entry into the desktop virt. space: Symantec Workspace Virtualization 6.1

I wrote in the past about Symantec acquiring the necessary companies to be a “real” competitor in the application virtualization space. It started in 2004 when a company called FSLogic was bought by Altiris.

I wrote in the past about Symantec acquiring the necessary companies to be a “real” competitor in the application virtualization space. It started in 2004 when a company called FSLogic was bought by Altiris. (FSLogic’s “Protect” project was the root of what ultimately would become Altiris SVS.) Then in 2007, Altiris was bought by Symantec, leading to “Symantec SVS,” an application virtualization product. Unfortunately SVS lacked streaming capabilities, so in 2008, Symantec bought AppStream.

A few months later, Symantec bought connection broker vendor nSuite. And finally, a few weeks ago, Symantec announced they’d licensed a profile management product from another company.

Phew! If you can follow all that, you’ll realize that Symantec now has four distinct products in the desktop and application virtualization space. To that end, Symantec just announced a new offering called “Symantec Endpoint Virtualization Suite 6.1,” made up of those four products (albeit with new names for each):

  • Symantec Workspace Virtualization (formerly Altiris SVS)
  • Symantec Workspace Streaming (formerly AppStream)
  • Symantec Workspace Corporate / Remote (formerly nSuite)
  • Symantec Workspace Profiles (OEM’ed from someone, TDB)

Let’s take a look at each of these more in depth:

Symantec Workspace Virtualization

Workspace Virtualization is the bad name for the good product which was formerly known as Altiris SVS. This is an application virtualization product that will compete with Microsoft App-V, VMware ThinApp, InstallFree, etc.

Workspace Virtualization is essentially a filter driver which transparently redirects all disk reads and writes into an application’s virtual “layer” without the OS even knowing it. (In other words, the OS thinks it’s reading from and writing to “\Program Files\Some App,” but in reality it’s being read from and written to an separate, isolated area of the disk. This is similar in concept to the way many application virtualization products work except that with Symantec’s Workspace Virtualization, the external operating system is also “fooled” into thinking the app is there (whereas many app virtualization products only fool the app executable itself).

This architecture means that external applications (whether virtualized or not) can very easily see “into” virtualized apps, so for example, right-click menus and other cross-app integration works perfectly without any configuration!

Of course this is also a downside, because it means that conflicting side-by-side apps would still conflict. (In other words, the SVS product historically offered just “virtualization” without “isolation,” so you could just run a streamed app without properly installing it, but it could still conflict with other apps.)

Symantec understood that to be a problem, so one of the new features in Workspace Virtualization v6.1 is that “isolation” can be enabled for a specific app package (or “layer”). It’s literally as simple as a check box for that layer. You check to enable isolation, and it essentially shuts-off the filter driver as needed.

Whether a layer is isolated or not, or whether certain layers have dependencies on other layers, is all determined at runtime. This means that you don’t have to spend packaging time configuration the holes in your bubbles. You just package your apps, and if you need to isolate or have certain apps depend on each other, you can configure that as you deploy your packages.

Another little small (yet crucial) improvement to Workspace Virtualization 6.1 over SVS is that the product now officially supports Terminal Server. (In the past, this functionality was only available via a hack from a Dutch company called DeltaISIS.)

In many ways, it appears that Symantec’s new Workspace Control will be superior to products like App-V and ThinApp (although they’ll each have their niche). However, I’m not really an expert with these products. That’s more for people like Ruben Spruijt, Shawn Bass, or Erik Westhovens to discuss.)

Symantec Workspace Streaming

One of the sort of strange things about the FSLogic/Altiris/Symantec SVS solution was that it was *just* virtualization—it didn’t include a streaming component. (So basically once you got it down to the client, great, but as for how you’re supposed to get it there… well… good luck with that!)

AppStream was a standalone software company whose one product was used for streaming apps to client (although, somewhat presciently, they didn’t virtualize or isolate the apps that they streamed). Needless to say, Altiris SVS and AppStream were a perfect match, and shortly after Symantec aquired Altiris, they also bought AppStream.

One of the cool things about AppStream / Symantec Workspace Streaming is that you don’t *have* to use it with Workplace Virtualization. In other words, you can stream apps that aren’t virtualized. In this case the streaming sorts of acts like a “copy on demand” for the files (or bits of files) to be put onto the client device.

Symantec Workspace Corporate / Remote

The Workspace Corporate and Workspace Remote products are the Symantec-branded versions of the connection broker Symantec picked up when they bought nSuite. The new Symantec 6.1 version is basically the same as the prior nSuite version, but with Symantec colors, Symantec’s much more rigorous QA process, and a bunch of tweaks to the installation process.

Fundamentally, Workspace Corporate is a connection broker. There’s a web interface. You publish apps and resources via their own database or Active Directory. They add all sorts of features like single sign-on and remote printing. They have a lightweight locked-down shell that replaces the Windows Shell. The one thing they don’t do is hook into the actual delivery protocol. That’s left to RDP or whatever product you’re connecting too. In a lot of ways, the Workspace Corporate and Workspace Remote products remind me of a cross between Leostream’s connection broker and some kind of “Citrix Lite.”

I asked Symantec folks about the capabilities of this product, and who they saw using it. They focused on the fact that it was fast, inexpensive, easy to configure, and contains most of the features that people will need out of the box. It can also be used to control access on the client to local apps (whether streamed or otherwise), so it’s kind of the new interface to bring local and remote apps together.

Even though Workspace Corporate and Workspace Remote have been announced, it’s going to be another month or so before they’re shipping. I fully admit that I don’t quite understand all the bits about how these work, so that’s one of the products that we’ll be testing as soon as it’s available.

Symantec Workspace Profiles

The fourth and final product of Symantec’s Endpoint Virtualization Suite is Workspace Profiles. This is a good old-fashioned (hah!) profile virtualization product that Symantec OEM’ed from someone. (They haven’t publicly disclosed who, but I promise I’ll know whose it is after playing with it for about 15 seconds in the lab later today. I’ll update this article then.)

Workspace Profiles is going to be released in beta next month, and they’re hoping for general availability a few months after that.

Does Symantec have all the pieces to pull it off?

The short answer seems to be “yes.” If you look back to what I’ve been writing about over the past few months, I think what Symantec is doing fits nicely with what needs to be done. They have an application virtualization and delivery product. They have a profile virtualization product. And they have a framework to connect it all together.

I see a few potential risks / key factors that Symantec must get right:

  • I don’t have a high degree of confidence with the connection broker yet. I saw it. It’s seems okay. I didn’t jump up and say “YES YES YES” when I saw it, but I don’t want to make a proper opinion on it until I can use it.
  • Symantec has great mindshare around client devices, but unfortunately a lot of desktop virtualization people are hopped up on the “virtualization” word. So companies like Citrix and VMware have more pull in this space today. One could argue that Symantec is better positioned to manage endpoints, but that’s something that they’ll really have to remind people over and over for the next few years.
  • Symantec Endpoint Virtualization Suite 6.1 is definitely suffering from the “Suite in name only” problem right now. Hopefully they’ll integrate everything over the next few years, but right now, it’s more like four products from the same vendor instead of one big product.
  • I like that Symantec is “above” the hypervisor (client or server) and above the raw disk image management. They are focusing on the “endpoint” as a Windows instance, as opposed to a device. (Maybe this changes depending on what happens with V-Pro and some other things, but for now, they’ve got enough on their plate and I think that’s ok.)
  • Desktop virtualization is very confusing. (Imagine virtual clients and virtual hosts and virtual apps and hypervisors all over the place.) How do you protect the whole stack? How do you manage the whole stack? How do you ensure the performance of the whole stack? In a lot of ways, it seems that Symantec is better suited to deal with that then the other desktop virtualization folks who “just” focus on virtual desktops.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

II agree that this is an interesting company that needs to be watched.  Much as I have lobbied for Microsoft to break up SoftGrid when they purchased it to create flexibility in ways to deploy the constituent parts (for which we have seen some progress), the challenge for Symantec is just the opposite - to integrate into true solutions.

Symantec is a very large company with plenty of resources - enough to be a big player in this currently three horse play.  The question remains as to if they are satisfied with their current business model or if in a flat economy they can eschew short term profits to focus on winning the game.  It is good that you keep an eye on them in this space.


As an Altiris customer for the past 4 years, I have only 1's takes Symantec an eternity to integrate anything.  Symantec/Altiris 6.5 (or 6.1 depending on where you look) which was the first release after Symantec acquired them integrated nothing except some AV reports.  Now I'm hurrying up and waiting for 7.0 which I doubt will include the virtualization piece.  Just to give you an idea....Altiris had Carbon Copy....Symantec had PCAnywhere....something as simple as a remote control agent still hasn't been integrated between the two companies.

We'll see....


I too have been an Altiris customer for about four years now...and I really like their products, but I have to agree with Tony, they do take a long time to integrate a product which they acquire.  I saw some ppt slides for Symantec Workspace Corporate back in October and the product looked very interesting.  It looked very much a solution for people that want to run multiple desktop environments on the same system (i.e. personal & business), and then have the two environments secure where they could  or could not talk to each other based on you setup.

I also had a look at AppStream a little bit after they were acquired, and found the interface inwhich you control what machines/users are assigned which applications a little clunky and not straight forward.  You also could not use the NS dynamic collections or a target for the application streaming product.  DO you know if this has changed with the new NS 7?

Did the mention if the products in the “Symantec Endpoint Virtualization Suite 6.1" can be licensed al la carte....or do have to buy the whole package if you want to use (continue to use) one feature such as  Symantec Workspace Virtualization (formerly Altiris SVS)?

Symantec has done a really good job of merging the the feature set between Ghost and RDeploy in the Deployment server....and it looks as though they have come a long way with their system monitoring tools...but I think the desktop virtualization spcae area definitely has some wrinkles that need to be ironed out.


@ Craig I don't know for sure, but one of the touted features in NS 7 is hierarchical collections (collections nested within collections - not just inclusions and exclusions)  I think 7.0 will have, hopefully, more AppStream integration but I haven't really looked into it, I've been very happy using XenApp to stream apps compared to SVS.


Tony, curious to understand why you would use XenApp for streaming vs. App-V if you are a MSFT MDOp customer. In my experience it's slower and the interface flow is horrid.



I can't speak for Tony....but where I work we are also an MDOP, and we run Citrix also.  We currently aren't licensed of streaming in Symantec/Altiris so we can't do that....and we tested SoftGrid right after MS acquired them....but we had some major problems which we still working through.  Currently we deploy software through msi's within Altiris/Symantec NS mostly because we don't want to stand up the infrastructure to support App-V, and because honestly none us are real experts on it.  I am hoping we move towards that direction in a year or two, so our environment would be more dynamic, but right now we are knee deep in other projects that have a higher precedence.


@appdetective  I do not have SA on the desktop which does not entitle me to MDOP.  However we are in the process of renewing our MS ELA and are looking to add SA + MDOP, which might I add is insanely expensive over 3 years...damn you Windows 7.  I've actually had very good results and performance with XenApp, but have no basis for comparison against App-V.


Quote: "Another little small (yet crucial) improvement to Workspace Virtualization 6.1 over SVS is that the product now officially supports Terminal Server. (In the past, this functionality was only available via a hack from a Dutch company called DeltaISIS.)"

It's not a hack, but a addon product that actually does more then only multiuser management.

It resets the variables inside the layers for every user.

Also there is a memory allocation tool build inside that manages the memory more efficient for fatser working and more user per server.

The product you named "hack" is called DVS4SBC.