The rise of the employee-owned PC in a world where CIOs are losing control

A few months ago there was an interesting conversation on Slashdot about how IT departments are starting to fear their users. The conversation is based around an editorial by Ben Worthen in CIO magazine. The gist of Worthen's editorial was that for years CIOs have been in control of their users, but that's starting to change. In fact just last week here in Chicago I went out with a girl who mentioned that she got Trillian running on her corporate PC and got around the blocking mechanisms that her IT department put in place. This wasn't an IT girl--this was just a regular iPod-loving instant messaging user. Regular users like this threaten the control that a CIO can enforce.

This will be a problem for old school CIOs. Enlightened CIOs, according to Worthen, view users as "customers." Citrix CEO Mark Templeton takes this a step further, claiming the "very enlightened CIOs view users as subscribers."

So the evolution is Users --> Customers --> Subscribers. What does this mean in practical terms, and what does it have to do with application delivery?

I've been beating the "IT is just about applications" drum for going on seven years now. Citrix has been talking about "on demand applications" for probably five years. The whole thin client computing vision (which has evolved into "application delivery") removes the application execution dependency from the client device. If these trends continue, we should see employees that are free to choose whatever device they want while allowing CIOs to maintain the needed control over the aspects of IT that they need to control.

Let's break this down:

First, technologies like server-based computing, VDI, application streaming, and web application architectures continue to remove an application's dependency on a particular client device. Technologies like Citrix's SmartAccess, Microsoft's Network Access Protection, and Cisco's Self-Defending Network technology help to ensure that the corporate IT assets are protected regardless of what virus-infected spyware-laden piece-of-crap a user (or customer or subscriber) hooks up to the network.

Second, CIOs are increasingly recognizing that the only reason they needed control of the complete end-to-end IT infrastructure was that if they didn't control the end user device, that device probably wouldn't be able to run the corporate applications. Therefore it was an "all or nothing" scenario. IT had to be in control of everything. Period. But now that the technologies that can provide corporate Windows applications as a service are real (SBC, streaming, VDI), smart CIOs can take a step back with regard to full control of the end user devices. This can lead to higher employee morale while lowering the scope of what IT has to manage. (And some might argue that it's the only inevitable outcome given a world full of my Trillian-installing friends.)

All of this is slowly building to a trend colloquially known as the "employee-owned PC." The basic idea is that a user can bring just about whatever computing device they want, and IT can provide the applications that are needed for work in a secure and reliable way. There are a few things driving this trend:

  • Apple. Like 'em or not, the reality is that Apple is quickly gaining market share among individual users. Now I know that when you look at the overall numbers, the percentage of Mac computers is tiny... 6 percent or something like that. But that's including the millions of corporate computers. If you look at the computers that individual people are buying, Mac's share is really increasing fast. (Here's an anecdotal example of this. There are 19 Terminal Server MVPs. 5 of them use a Mac as their primary device. Already that's over 25%, which is really high. Now of those 14 who use Windows laptops, most of them have the laptops issued to them by their employers, and at the MVP summit a few months ago, I heard again and again, "I'd be a Mac user if my company would let me.")
  • The evolving workplace. Another reality is that the line between home and work is blurring. More people are doing more work outside of the corporate walls. It used to be that work was a "place," but now work is an "activity." Back when work was a place, it was easy for IT to enforce a standard computing device. But now that employees are working early and late and from home and on the road, they won't tolerate not having iTunes and the photo software and their games on their computers. And they won't tolerate having two separate devices--one for work and one for personal stuff.
  • The masses of users are really young. The kids graduating from college entering the workplace today do not remember a world without the Internet. This is the YouTube / MySpace generation. Every year, millions and millions of new AD user accounts are created for these kids, and each new wave is more computer savvy than the previous.

What does this mean for us as IT professionals focused on application delivery?

First of all, this whole "application delivery as a service" couldn't be better timed! Sure we were able to dabble with this in the form of ASPs and offshoring over the past decade, but the next few years will usher in the transformation of "applications as a service" from a niche for a select few into a major strategic direction for all IT departments. There are so many technologies that are coming into their own right now to support this. Virtualization. Modularization. Ubiquitous connectivity.

Of course everyone is familiar with Citrix, VMware, application streaming, OS streaming, etc. So what's new?

What's new is how people are starting to think about how these various technologies can be used together. Instead of using VMware + ACE to boot a local VM on a client, what if you used Ardence to stream that VM down to the client? Or what if you used Ardence natively on the client to stream down a hypervisor? What if you used Ardence to boot Parallels applications to a Mac desktop? Then within the Windows VM, what if you streamed applications down as needed? You could even let the VM have full access to the corporate network while letting the Mac host connect to a VLAN with pure Internet connectivity.

I'm just putting some ideas out there, but there's one that I want to look at a bit closer. Have you heard of Parallels for Mac? (Remember I'm a Mac user now :) This is what originally got me thinking about this whole "employee-owned PC" thing. On one level, Parallels is just like Virtual PC or VMware Workstation for Intel-based Macs. It's VM software that lets you build and run multiple VMs on a Mac OS host. Nothing new there.

Like all VM software, Parallels lets you view your VMs in either a resizeable window or as full screen. But where Parallels differs is that in addition to the “windowed” and “full screen” view options, Parallels gives you a third option they call “coherence,” and coherence is game changing. Here’s why:

The “coherence” mode of Parallels is a lot like Citrix’s seamless windows, except for a VM. So in my case I have my Mac desktop that's my main interface. I’m also running Windows XP locally in a Parallels VM. When set for “coherence” mode, any application windows on my Windows XP desktop show up as regular seamless application windows on my Mac desktop. I can resize, ALT+TAB, and cut and paste with all the Windows applications as if they were regular Mac apps.

Here’s a screen shot of my Mac desktop with Parallels running in coherence mode. I have the Mac calculator and the Windows calculator running side-by-side.

As you can see, Parallels running in coherence mode puts the Windows taskbar on the Mac desktop, right next to the Mac dock! In my case I have the Windows taskbar (along with the Start button, clock, etc.) along the bottom of the screen, and I have the Mac dock along the left edge of the screen.

This mode of operation is truly a hybrid desktop experience. “Am I running Windows or Mac?” Answer: “Yes!?”

I’ve been using Parallels in coherence mode for about two months, but after only a few hours, I completely forgot that different apps were running in different VM sessions.

Do you remember VMware ACE (“Assured Computing Environment”)? It's essentially a VMware player application that packages up a VM, a disk image, and the VMware code into a nice package that lets anyone run the VM with only a few clicks. The ACE can run in a window or in a full screen environment.

The promise of ACE is that it could provide a standard, corporate-controlled PC “image” for consultants to run while working onsite at company locations. The downside to ACE is that it’s an “either / or” solution—you’re either working in the ACE VM, or you’re working in your local OS. ACE had a lot of potential, but it was awkward to use. Parallels changes that.

Now let’s bring Citrix into the mix. Over the past several years, Citrix has been pushing their “SmartAccess” technology—the set of technologies that can provide a “dimmer switch” style of access instead of an on or off switch. (As I mentioned previously, Microsoft, Cisco, and others offer or will soon offer similar technologies.) The idea with SmartAccess is that Citrix software can analyze your client device to figure out how secure it is, and then give you varying levels of access depending on the security of the client. Did you two-factor authenticate? Great, then you can use the healthcare app. What’s that? You don’t have an up-to-date antivirus package on your laptop? Fine. You can still use the Healthcare app, but you won’t be able to cut and paste or copy files between your local device and the remote application server.
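The "dimmer switch" decision described above, sketched as an added example (it is not Citrix code and not part of the original post). The posture fields, the seven-day signature threshold and the policy table are assumptions made for illustration; the logic fails closed when the antivirus report is missing or implausible.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical model of a graduated-access decision; not any vendor's API.
MAX_AV_SIGNATURE_AGE = timedelta(days=7)  # assumed freshness threshold

# Constructed sample policy: application -> is two-factor required to launch?
POLICY = {"healthcare": True, "intranet-wiki": False}


@dataclass(frozen=True)
class Posture:
    two_factor: bool                    # verified server-side at logon
    av_signature_date: Optional[date]   # client-reported; None = no report


@dataclass(frozen=True)
class Grant:
    launch: bool
    clipboard: bool
    file_transfer: bool


DENY = Grant(launch=False, clipboard=False, file_transfer=False)


def av_is_current(posture: Posture, today: date) -> bool:
    """Fail closed: a missing or future-dated report counts as not current."""
    reported = posture.av_signature_date
    if reported is None or reported > today:
        return False
    return today - reported <= MAX_AV_SIGNATURE_AGE


def decide(app: str, posture: Posture, today: date) -> Grant:
    """Return what the session may do, from 'off' through partial to full."""
    requires_two_factor = POLICY.get(app)
    if requires_two_factor is None:
        return DENY                      # unknown application: default deny
    if requires_two_factor and not posture.two_factor:
        return DENY                      # the "off" end of the dimmer
    # Endpoint health only gates the channels that move data between the
    # local device and the remote application, as in the post's example.
    healthy = av_is_current(posture, today)
    return Grant(launch=True, clipboard=healthy, file_transfer=healthy)


if __name__ == "__main__":
    today = date(2007, 5, 1)  # constructed date for the demo
    samples = {
        "2FA + fresh AV": Posture(True, date(2007, 4, 29)),
        "2FA + stale AV": Posture(True, date(2007, 3, 1)),
        "2FA + no AV report": Posture(True, None),
        "no 2FA": Posture(False, date(2007, 4, 29)),
    }
    for label, posture in samples.items():
        print(f"{label:20} -> {decide('healthcare', posture, today)}")
```

Because the antivirus date is reported by the endpoint itself, it only widens or narrows the data-movement channels here and never substitutes for the server-verified two-factor check.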

And let's not forget Ardence (which Citrix bought in December). Why not use the Ardence technology to PXE boot the VM and stream the corporate OS to the client?

The bottom line is that there are technologies which make the "employee-owned PC" a reality today. This is just the tip of the iceberg. VoIP and Bluetooth technology could add "employee-owned telephone" to the mix, ultimately driving towards a work environment in which the employee is able to use whatever devices he or she wants, while the corporation can still ensure that the employee is able to work and access everything that's needed.

And to think... Five years ago I was worried that this whole "SBC thing" would fall out of favor and I'd have to learn a "real" product. Well here's to five more years of focusing on applications!

Join the conversation



There may be another alternative...
What if ISPs made it easy to use some of these technologies if they were implanted in our homes?  If my ISP could provide me with a name resolution for my dynamic IP address (or a fixed address) I could have my own home computing infrastructure and access all my "non work approved" apps from the office.
Now the work infrastructure is only about work things, except for allowing access out.  This makes things like end-user device scans more important and actually increases the market potential for a company like Citrix.
The idea of employee owned computing is novel.  The latest breed of virtualization and SaaS technologies further facilitate this trend, however there's one problem they don't address.  How will IT support physical device failures?  I'm thinking IT would own x amount of spare notebooks that they could rent out to an employee while they get their own computer fixed?  Remember employee downtime means loss of productivity and big costs.
Yeah I agree that something like that would need to be put in place. In fact, that's one of the beauties of all this technology.. If the employee's device fails, they can use pretty much anything else to be back up and running fast.

I think you're right when you say that there are more and more employees that are capable of managing their own PCs. Those people will do well in such an IT environment.
However there is also a large group of users that think they are capable of managing their own PCs, but still run into problems they cannot solve on their own. This group of users demands a large degree of freedom (because they want to run Parallels), but as a business you're still forced to support their PCs.
I know that when SBC / application virtualization / Ardence is used, you do not rely that much on the base OS. However if there are problems with the employee owned PC (drivers, PC / OS does not start), you now bring those problems into your organisation. And this is a big change, because before when the private pc was something else than the work pc, you were not confronted with those problems. I think that the business still needs to address these issues, because otherwise the productivity of the employee will suffer. Even worse, since the employee does not have an IT support organisation to turn to, also the productivity of the colleagues that are savvy enough to solve the problems will suffer.
So how do you manage this? You're suddenly confronted with many, many different pc's. And don't think of only the different hardware models, also consider the different OS (Mac, XP, Vista, 2000 Pro), the different applications. They all may have an impact on the application service that you as a business try to  deliver and you may still need to address them. Has such an IT environment ever been thoroughly researched for productivity implications. What are the lessons learned? For what type of organisations will this work? When does it NOT work? How about security? If we are able to answer these type of questions, then we will have a more precise idea on how popular such an IT model will become.

Great rant Brian! I don't think you're far off, although it does all depend on the economy (I know this is stating the obvious). If another bubble should innovation usually slows down and the dollardonkeys usually stick with what they know (and what they pay for that).
And what will become even more crucial? Indeed, the network. Every single component of these future infrastructures will depend heavily on stable, (extremely) high bandwidth - low cost network connections.  This ranges from PAN to LAN to WAN.
I guess children will be born with RJ45 connections soon ...
Michel Roth

Brian, thank you for the informative and thought-provoking article. As I understand it the gist of your article is that SBC, including its derivatives and complementing technologies, can enable greater computing flexibility for the work-force. Interestingly, however, I must admit that most of the customers I have talked to have had an emotional rejection of this SBC computing idea over the past few years ... I was talking to a partner of ours (I work for IBM) that told me that one of their customers did not want to pursue a VDI project because the end-users were waiting for a brand new PC and they couldn't handle how to explain to them that there was a "thin client" instead of a brand new desktop. Go figure.
So do you think this means that SBC is going to be presented and used in a way that is very different from how it is currently applied?
Very interesting post, but it raises an interesting question. If you are using a VMDK file or, even better, streaming it from Ardence, assuming that this is not in a read-only state, how do you protect that image from the host operating system? For instance, a virus running in memory in the host operating system. Does VMware truly isolate the VMDK so that it will not be affected by the host? This would be of most concern to CIOs. Look forward to some feedback.
I agree, there is no way a company or the government will be spending money supporting a user's own computers.  What else would you like to get? A user's own car being fixed and it's the company's pleasure to pay for the repairs! Would be nice, wouldn't it? The companies provide computers/laptops so the user can do the work (that's the stuff the user gets paid for) and not to give him the ability to get his messenger going or playing games....

A VMDK file is just that - a file, and any file can be modified (you could sign a file to prevent tampering but that is not relevant to mutable files like VMDK files). End-point inspection can be used to prevent streaming to devices that contain such malware, but such tests are mostly effective against known threats not against new and yet unknown threats. Also, some malware is designed to specifically target and disable or circumvent such inspections. It's an arms race.
In this context SBC or VDI would be more secure as the applications are run on the server and access to local devices can be disabled. But even then you are at risk from Trojans that record the screen, mouse and keyboards. If you are not using two-factor authentication then such form of spyware can be used to provide a hacker with the info required to access your system. Even if the hacker is prevented from that, the spyware may still provide access to restricted information. It could even be used to simulate mouse and keyboard events to cause damage. Also ICA files could be modified.
Even if the malware is unable to access your business apps and data it could still impede productivity by consuming CPU, popping up banner ads, or flooding the network.

I'm already seeing interest in this type of delivery in large companies (PoC stage stuff) - the first step is being driven by:

- Business units that (think they)  can save money by opting out of the "supported corporate PC" package to source and support their own hardware. 

- Providing access to 3rd parties / consultants / contractors - most large corporates are awash with temporary staff and consultants who need PCs and Internet access to function.  Current solutions are typically pools of spare kit and turning a blind eye to contractors' laptops plugged into the network.

- Highly mobile execs who want & need to work from anywhere

Those are the factors that are seeing this stuff being implemented now.

Taking it a step further - if you are provided a cheap thin client to work on, but can bring in your Mac and use it (switching back to the terminal if something goes wrong) you pretty much have the scenario described.


Don’t let the word “owned” from the title confuse the message of the article. Owned from a company view is an asset and from IT view a controlled item, and owned from a user (customer/subscriber) as customized.


The root question as I see it is, As users find ways around IT controls to customize (own) their work sponsored computer, How does IT provide a safe and secure computing environment? Same with users accessing work resources from their personal (users asset) computers, or public computers (cyber cafes, library computers, etc).


Removing application dependency from the client device is a solution and will continue to be an industry trend. Brian is pointing out that there are options on the market to securely provide access to the company’s applications today and we should see a growing number of these application providers in the future.

That and the new college grad down the hall is more tech savvy than your desktop support tech and will find a way to create an unsecured computing environment for his or her company computer.


Application hosting is also another way to lower a company's asset costs. If pizza delivery requires the deliverer to have their own transportation, how far off are we from having a new field rep required to provide their own computer? After all, companies already do not provide computers for users to check their e-mail remotely and an office desk computer. Companies provide a remote e-mail solution such as OWA instead.


Years ago I worked for a company that franchised their retail outlets and the majority of the franchise owners hated the fact that they had to buy the computer package from the company (computers, software & network connection) when all they really wanted was the name, retail build and application solution. Many of the franchise owners added their own computers onto the network causing a new round of headaches.



I think Brian (and the rest of the visionaries) makes a good point with this article.

I made a few more (positive) comments in a blog thread here:


This is all capitalism vs communism, liberty vs statism, individual freedom vs centralized planning.
The former always wins, and will always win. Sure, there'll be people (users in this case) who fall off when they can't keep up, let's say one guy gets problems on his pc. So what, if you've got 20 very productive, happy, and power users, that can easily help him by showing how they've done it. No cost, increased productivity, no blame on management (the guy who screws it up is himself to blame). So what about viruses and dangers that can be introduced by each individual? Face it - you can't control that anyway today. I'm carrying ipod, mobile phone, usb stick, cds, and have an internet connection. You can't block all of that on all employees. Give them all the tools they need, and educate etc. And if you really care, give them Macs or any Unix / BSD o.s. in the first place, and let them VMware and Parallels to box in Windows if it needs to be present.

Remember the future of the users to come are the Echo Boomers.  They are tech savvy and know how they like the computing env.  If you open your mind and see the benefits, it will all make sense.  Many IT organizations have become this monolith of policy and procedure and claim security and compliance as an excuse not to rethink, innovate, and encourage progress and growth. The ROI for employee owned computers is huge in a large enterprise. Even if you take out the desktop virtualization piece, it would still be huge.  This is not a debate on whether or not it should happen, it is a fact that it WILL it or not.  Users are demanding this and IT can only allow this, or workarounds will be found. In the new age of Macintosh in the enterprise and end users wanting that awesome experience of the world's best OS, IT will eventually have to comply.  Why would someone HAVE to install Fusion or Parallels to work?  Macs connect to anything out of the box if the user or someone in IT has any clue on how to read a manual on Macs.  Support costs will be lower because most tech savvy users (echo types) usually do not need the hand holding that users have needed in the past.  They know their way around a laptop and usually do the troubleshooting themselves.  Granted, employee owned computers are not for every user, people who refuse to use the computer for anything but work will always need a company owned asset and hand holding support for anything.  The concept is focused towards users who use the laptop as a digital hub for their lives.  Myspace, Facebook, iPhone, Blogging, iTunes, PodCasts, Flickr, and many others, are a way of life for these people.  They have no use for people who are not "on the net".   Being an IT Professional, I welcome the new way IT will operate because it is time for a new school of thinking and IT can no longer say, "because we said so!"