To make a true BYOC play, VMware needs centralized management of Fusion and Workstation

Fusion Pro added functionality


A few weeks ago I wrote about Horizon Suite and about how Horizon Mirage comes with a license to use VMware Fusion Pro to address BYOC situations. In that article I lamented the fact that Fusion Pro was a Mac-only solution. Someone from VMware reached out to us and pointed out that Fusion Pro also comes with VMware Player, and that Player is therefore licensed for commercial use, which it wasn't before. (Tell that to the companies already using it!) What we didn't get out of that conversation, though, is that Player also comes with added functionality.

Fusion Pro is interesting because it adds management capabilities to Fusion that make it more enterprise-ready. There's no central management console, but it does expand the feature set to include the ability to create and run restricted VMs, limit access to USB devices, and create custom networks. Restricted VMs are ones that are pre-configured with settings the end user cannot alter, such as disabling drag-and-drop transfers between the host and guest. The restrictions live in the VM's own configuration and are enforced by the hypervisor on whatever host the VM lands on, which is what makes them usable on a machine IT does not manage.
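To make the "pre-configured settings" concrete, here is an added example (not code from the post, and not VMware's own tooling) that audits a plain-text .vmx file for the host/guest isolation settings a restricted BYOC guest would be expected to lock down, and rewrites the file to the locked-down values. The key names (`isolation.tools.dnd.disable`, `isolation.tools.copy.disable`, `isolation.tools.paste.disable`, `isolation.tools.hgfs.disable`, `usb.present`) are VMware's documented .vmx settings; the policy values, the assumption that an absent `usb.present` means no USB controller, the sample .vmx text and the function names are this example's own. It does not perform the encryption step that Fusion Pro and Workstation use to keep a restricted VM's settings from being edited; it only shows what those settings are and checks for them.

```python
"""Audit and harden a VMware .vmx configuration for the host/guest isolation
settings a restricted (BYOC) VM is expected to lock down.

Added example, not code from the post or from VMware. The key names are
VMware's documented isolation and USB settings; the policy values, the
sample .vmx text and the function names are this example's own choices.
"""
import re

# Assumed policy for a locked-down guest: key -> (required value, missing_ok).
# missing_ok=True means an absent key already satisfies the policy (assumed:
# with no usb.present line the VM has no USB controller at all).
RESTRICTED_POLICY = {
    "isolation.tools.dnd.disable":   ("TRUE",  False),  # no drag and drop
    "isolation.tools.copy.disable":  ("TRUE",  False),  # no copy out of guest
    "isolation.tools.paste.disable": ("TRUE",  False),  # no paste into guest
    "isolation.tools.hgfs.disable":  ("TRUE",  False),  # no shared folders
    "usb.present":                   ("FALSE", True),   # no USB passthrough
}

# One .vmx line: key = "value" (quotes optional, keys treated case-insensitively)
_KV = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_vmx(text):
    """Parse key = "value" lines into a dict (keys lowercased, # comments dropped)."""
    conf = {}
    for raw in text.splitlines():
        m = _KV.match(raw.split("#", 1)[0])
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def audit_vmx(text, policy=RESTRICTED_POLICY):
    """Return [(key, required, actual)] for each policy entry the .vmx violates.
    actual is None when the key is absent and the policy does not allow that."""
    conf = parse_vmx(text)
    findings = []
    for key, (required, missing_ok) in policy.items():
        actual = conf.get(key.lower())
        if actual is None:
            if not missing_ok:
                findings.append((key, required, None))
        elif actual.upper() != required:
            findings.append((key, required, actual))
    return findings


def harden_vmx(text, policy=RESTRICTED_POLICY):
    """Return the .vmx text with every policy key forced to its required value:
    existing lines are rewritten in place, absent keys are appended at the end."""
    wanted = {k.lower(): v for k, (v, _) in policy.items()}
    out, seen = [], set()
    for raw in text.splitlines():
        m = _KV.match(raw.split("#", 1)[0])
        key = m.group(1).lower() if m else None
        if key in wanted:
            out.append('%s = "%s"' % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(raw)
    for key, value in wanted.items():
        if key not in seen:
            out.append('%s = "%s"' % (key, value))
    return "\n".join(out) + "\n"


# Constructed sample: a guest roughly as Fusion or Workstation creates it,
# with a USB controller present and drag and drop explicitly left enabled.
SAMPLE_VMX_OPEN = '''\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "9"
displayName = "corp-win7"
guestOS = "windows7"
usb.present = "TRUE"
isolation.tools.dnd.disable = "FALSE"
'''

if __name__ == "__main__":
    for key, required, actual in audit_vmx(SAMPLE_VMX_OPEN):
        print("VIOLATION %-32s want %-5s got %s" % (key, required, actual))
    fixed = harden_vmx(SAMPLE_VMX_OPEN)
    print("after harden_vmx:", audit_vmx(fixed) or "no violations")
```

Run it as-is to see the open configuration produce five findings (two wrong values, three missing keys) and the hardened text produce none. The design point is that the audit treats a missing isolation key as a violation, because VMware leaves those features enabled by default; only `usb.present` is allowed to be absent.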

VMware Player's inclusion with Fusion Pro seems somewhat insignificant at first, but it actually has the ability to run the same restricted VMs as Fusion Pro. Ultimately that means that VMware Mirage can be used to support not only Mac, but Windows and Linux BYOC scenarios. (Although, I dare you to find me a Linux BYOC scenario from a normal user...) This is the message VMware was trying to get across that we missed, and it seems like a fair solution that makes use of the products currently available.

Prior to this revelation (which most people probably already knew since it came out around VMworld), I kept thinking about the possibility of a Workstation Pro. While the additional functionality of VMware Player scratches my BYOC-for-Mirage itch, I'm still left thinking about the possibilities. Fusion Pro adds some nice features, but it really only brings it closer to the functionality that's also in Workstation (which also supports restricted VMs). What would be cool is centralized management across the board. 

In a BYOC environment, IT accepts the fact that they cannot control the host. They can, however, control the VM and, to some extent, the hypervisor. Today that control is exercised by deploying the aforementioned restricted VMs and leaving the hypervisor alone. What I'd like to see across the board is a management system that not only controls what a VM can and cannot do from a central location, but also controls the hypervisor itself, since it is the BYOC enabler. It's like PC management, but in this case the hardware is virtual. If IT has the ability to maintain the VM settings, the hypervisor configuration, and the restricted OS inside, that makes for a better-managed BYOC situation.

Think of it a bit like MDM or MAM on mobile devices. With those technologies, IT can deploy apps and configuration settings to devices that they don't own, while ensuring certain settings are in place to strike a good balance between management and end user flexibility. I'm not suggesting that the hypervisor have any management hooks into the host OS, just that the hypervisor can keep an eye on what's happening and react according to IT policies. For instance, if a virus is detected on the host, disable access to the VM until it's fixed. Or, new network or hardware settings could be centrally created and delivered. Plus, IT would have the ability to grant access to VMs, or to revoke that access when a user leaves the company or loses the laptop. 

This isn't new thinking of course. It's the client hypervisor mindset that a few companies are already on board with. Citrix has XenClient, Mokafive has, well, Mokafive, and Virtual Bridges has VERDE LEAF. At one time VMware was on that path, trying to create a Type-1 client hypervisor from the ground up (remember CVP?). Now those lines have blurred, and we don't really care so much whether a client hypervisor is Type-1 or Type-2. I'm not saying that it's something that should be used enterprise-wide, but if supporting BYOC is the goal, VMware already has the technologies in place to deliver the entire stack—they just have to be tied together. Mirage is the first step in that, and bringing it down a level to the hypervisor could be Step 2.


Join the conversation



Kind of like an improved version of VMware ACE. ACE with desktop management features. I don't see VMware going down that path again.


Haha...right. I want a better ACE :)


Ok, so I'm one of those guys who WOULD be a Linux BYOC user... and you say I'm not "normal".  What am I then? :)


I mean this in the best possible way - There aren't many "normal" users reading this site!


I remember trialing ACE back in the day, just as MS purchased Kidaro for MED-V.

I asked at that time about including management over OS X tier 2 hypervisors; apparently this was on the road map. But I guess ACE got killed off before this could come to fruition.


Are we saying ACE was too far ahead of the BYOC curve?  I was a big customer of it, I never understood why Kidaro / Moka5 bothered competing and now Moka is my only option.


Gabe, I agree that the new capabilities of VMware Fusion Pro are a welcome upgrade.

However, the assumption that users only need Windows apps, or use Windows apps exclusively is categorically incorrect. As we have discussed, your team uses Macs and Mac apps, and we know VMware executives use local Mac apps and locally installed Windows VMs. And they carry confidential data on those Macs which is not protected.

Limiting management and delivery to Windows applications completely misses the target. VMware, Citrix, NetApp, Cisco, EMC, IBM, and a host of other companies use Macs today, and those users use Mac apps, not just Windows.

It is not just a Windows world, and as you have stated, with BYOC IT no longer controls the end point device.

The Orchard Parc team has conducted a lot of research to understand Mac user behavior, and challenges and risks they represent to IT.  We have found some common truths about Mac users across almost every industry:

* use Mac apps

* access Windows apps occasionally

* mount confidential corporate data that must be secured

* tend not to backup

* do not enable encryption, or turn it off.

* work remote, mobile and off-line

* have local device Admin rights

In industries such as healthcare, a lost laptop is considered a data breach unless IT can "validate" or prove that the data was protected. If the BYOC user can override settings, turn off encryption and has not backed up, it's a breach, even if the data was in fact protected.

And according to Intel, the average cost of a significant HIPAA data breach is about $5 million.

The Windows delivery solutions that you mention were designed circa 2006-2010 to solve Windows deployment issues, not solve the problems associated with the BYOC scenarios and regulatory compliance environment we have today in 2013.

The statement "In a BYOC environment, IT accepts the fact that they cannot control the host" is not accurate. IT wants and needs to control the host. Unfortunately, they cannot do so with the tools you mention.

Alas, BYOC means that the user has local device Admin rights, and can override system settings defined by IT. I concur that controlling the Windows VM and related app settings is a step forward, but the local Admin can override many of these settings and can still access data via root. Fusion is a Mac app, after all.

All in all, not a very secure environment.

As we have discussed, OPUS from Orchard Parc provides Mac User Persona Virtualization. It provides IT with the ability to deploy a secure dual persona Mac environment with high performance local execution, virtual appliance efficiency, and secure data to satisfy the most stringent regulatory compliance standards. Corporate data remains secure, while personal data remains private.

And users can leverage local Mac apps, including Fusion based Windows VMs.

OPUS gives IT what you say is not possible, and what we know they need today: control over the corporate Mac desktop image on the BYOC host, even if the user has local Admin rights.

IT enjoys zero touch deployment and management and can govern all local device access and security settings, even if the user has local Admin rights. And it’s a virtual appliance so the benefits of enterprise class virtualization can now be delivered to Mac users. And that’s far superior to supporting Mac users with a Mac Mini Server, right?

Gabe, Windows image management is not enough. It may have been in 2008, but not in 2013.

Let's schedule that review.