I started my career as a desktop admin in the mid-1990s. Back then, the “user environment” was simple. One user = one computer = one copy of Windows. I think we pretty much used local profiles exclusively. Important files were stored on network file shares and everyone had admin rights.
Then this Citrix thing came along. A Citrix server introduced me to the two key concepts of the Windows environment:
- There were some settings that I needed to lock down, because I didn’t want something a user did in one session to affect all the other users on the server.
- There were some settings (and files) I wanted to centralize because I wanted the user’s desktop to “look the same” regardless of which of our identically-configured WinFrame servers they happened to connect to.
And just like that, I was introduced to profiles and policies.
In the beginning, we had profiles and policies
The early days of using Citrix servers were my introduction to non-persistent desktops (though we’d have been laughed out of the room if we called it that back then).
I’m not 100% sure I even knew what a user profile was before Citrix. Sure, our desktop users had them, but they were all local profiles which lived on the C: drive of each desktop. All I knew is that if a user installed something, made a change, or set some option then it would still be there when they turned the computer back on the next day.
We quickly learned about this thing called roaming profiles that meant that all the files, folders, and registry keys that defined a user’s environment could be copied to a central file share when they logged off, and copied back down to their desktop (the Citrix server, in this case) when they logged back in.
All was well.
Of course we also knew that there were some settings (in the form of registry keys) that allowed us to restrict the behavior of certain applications and settings in Windows. Sure, we could use group memberships and file permissions to prevent users from running PointCast, but Windows policies (and later Group Policy) meant that we could actually control the behavior of the Windows desktop and applications. (Cool! No more right-click menu!)
By combining profiles and policies, we were able to manage everything we needed to manage in those early Citrix environments, and again, all was well.
Enter the third-party profile management vendors
As Citrix’s popularity started to boom in the early 2000s, Citrix admins realized that while the built-in profiles and policies could do a lot in theory, in practice they were a nightmare to manage. We ran into all sorts of issues. Users logged into multiple desktops at the same time (which was common with MetaFrame published applications from different servers) would “overwrite” central settings based on the last server they logged out of. Group Policy was a beast to manage if you had different groups with different apps on different servers. And, most crucially, we found it was very difficult to control which settings users could change and which settings we had to enforce. (Again, made difficult by different users in different groups with different apps on different servers with different buckets of settings.)
So around this time (still in the early 2000s), we saw the rise of third-party “profile management” (as it was called then) vendors. My earliest memories were of AppSense, RES, and Tricerat (though I’m sure there were more), and I remember talking about them on the THIN List and seeing just how powerful they were.
These third-party profile management vendors gave us Citrix admins easy-to-use GUIs which let us simply control which files, settings, and registry keys should be set, forced, or protected for different users, groups, published applications, and servers. We didn’t have to be experts in the registry to use them; rather, we could just say, “this group gets these printers, this group gets these mail settings, these users can change their desktop wallpapers and users in this office all get this shared drive.”
These products were a joy to use and they really sold themselves in those early days—especially to the Citrix admin who had been trying to do it all manually up until then.
Hey, we can use these for more than Citrix!
When these profile management tools came out, they were all designed for Citrix environments. But as the 2000s wore on, every single profile management vendor enhanced their products so they would work with traditional, physical desktops and laptops (including laptops that were not connected to the corporate network).
The idea was, “Hey, you like how easy it is to manage your user environment on your Citrix servers, so how would you like to be able to use these same tools to manage all of your Windows desktops?” It took a while for that concept to catch on, but eventually it did. After all, why would you want to manage your user environment one way when your users are on a Citrix server, and another way when they’re on their desktop?
Speaking of “user environment”, that also started to change in the mid 2000s. Up until that point, we had been calling these things “profile management” tools. That was a fine name, but it had been around for many years and was starting to sound like it represented “yesterday’s” technology. After all, web apps and SaaS were starting to be a thing, and we started to see the profile management vendors really extend and enhance what could be done on top of what pure Windows profiles could do. (Security management, performance management, etc.) I joined the fray myself, writing in 2007 that it was time to start using the term “User Environment Management” instead of “Profile Management.”
This naming fad continued as virtualization picked up steam in the late 2000s and every single software vendor started adding a “v” to their product names and claiming they did this “virtualization” thing too. (I was in on that too!)
Where are we today?
Today the term “User Environment Management (UEM)” is pretty universal when describing the tools and techniques we can use to manage the complete Windows user environment.
We have the same players who’ve been part of it from the beginning (AppSense, RES, Tricerat), as well as Liquidware Labs, Scense, Norskale (and others I’m sure). The “Big 3” have solutions here too. Citrix has UPM, VMware bought RTO Software and Immidio, and Microsoft has UE-V.
So what exactly do these things do today?
Like the old days, the fundamentals are still there:
- They let us “force” certain settings on users.
- They allow us to control which settings the users can change, and which of those are saved and re-applied the next time they log in.
- They let us control which files and folders are stored where.
- They provide a nice GUI we can use to apply these settings to users, groups, applications, and servers.
- They let us do “advanced” targeting of our settings, with specific settings based on user location, time of day, type of client device, etc.
In addition to these fundamentals, most of today’s UEM tools have advanced features such as:
- Security. We can apply very granular security policies based on the advanced targeting and customize the security of the environment in a much richer way than is possible via user and group permissions alone.
- Permissions escalation. Admins do not want users running with admin rights. Users want to be able to do whatever they want. Today’s UEM tools can let users request escalation of their permissions, either temporarily letting them have more rights, or granting rights to do certain things without giving them full admin rights.
- Performance. These tools let us manage the performance of the user environment, both in terms of “just-in-time” delivery of settings and data (to make login times fast) and in terms of limiting CPU and memory access to ensure that one user doesn’t impact other users on the same server.
- Analytics & Audit. Many of today’s products let admins view detailed performance metrics and reports as well as audit information about what applications users actually use and how they use them.
Today’s UEM products are very good, broadly-speaking. (Of course there is the vendor-to-vendor comparison that will always happen, and I can safely say that the third-party products are leaps-and-bounds more advanced than what you get from the Big 3 (Citrix, Microsoft, VMware).)
That said, after talking to these companies at Synergy, BriForum, and VMworld over the summer, I can tell you that there’s a lot more potential in what they can offer moving forward.
First, we’re going to see enhancements for Windows 10. Many of the older methods used by UEM vendors to “hook” applications and intercept Windows calls will no longer work, so they’re all updating their offerings to continue to do what they do as Windows evolves.
As Universal (a.k.a. “Metro” a.k.a. “Windows Store” a.k.a. “TileWorld”) apps catch on, we’re going to see the UEM vendors enhance their products to work with them. Universal apps do not hook into Windows in the same way that traditional desktop applications do, so the traditional techniques UEM vendors use will have to be extended. (There are anecdotal stories of users using Universal Apps to get around old-school policy controls, so look out for that!)
Microsoft has also talked about cloud-based personalization services for Universal Apps. This (in addition to Windows 10’s ability to store personalization settings as part of a user’s Microsoft account) will be an opportunity for UEM vendors to step in to manage these. (It’s also another thing to look out for as an admin!)
Another thing I heard the UEM vendors talk about was how they’re getting smarter in terms of helping admins create the policies they use to manage the user environment. In the old days it was easy. One user, a few groups, a few apps, and a couple of servers. Now we have lots of users and lots of groups, with lots of apps (including Windows desktop apps, Universal Apps, web apps, SaaS), and users are doing more things from more places.
In the old days, you could sit down at the management console and build out all the policies in an afternoon. Now that’s not possible, and if you try you’ll probably just end up with something that’s restrictive and annoying to your users.
Moving forward, expect to see UEM vendors integrating their policy engines with their analytics engines to provide guidance (or even automated recommendations) for how policies should be built.
I don’t think any UEM vendor would call their product a “security product” per se, but the fact of the matter is that UEM products will continue to be a key part of your Windows security solution. We all hear about how bad “Day Zero” breaches are, so a tightly-controlled Windows environment is the way to avoid that. Of course a tightly-controlled Windows environment is something users don’t like, which is why the UEM vendors are combining security, management, and user experience to deliver the best of both worlds.
While DaaS is certainly not going to take off anytime soon, the idea of moving the management of a Windows desktop into the cloud while keeping the delivery local is pretty awesome. (Citrix Workspace Cloud, VMware Enzo, Microsoft Azure AD & identity services, etc.) We can expect UEM vendors to follow suit, both in terms of hooking into these larger frameworks as well as allowing their management servers and user interfaces to be hosted on-premises, off-premises, or in the cloud. They’re moving beyond “we hook into your AD”.
Finally, UEM vendors will continue to hone their message and their products around application delivery. This is something that they’ve traditionally not been involved in. The actual delivery of Windows applications is dominated by Microsoft with SCCM, Intune, and App-V.
That said, we’re coming into a new era of Windows app delivery and management. Whether you call it “layering” is a topic for another day, but the reality is that VMware AppVolumes, UniDesk, FSLogix, Liquidware Labs, Numecent, Citrix AppDisk, and whatever Microsoft is doing in Azure are changing the game in terms of how applications are actually assembled, connected, and presented to users. Combine that with the fact that the actual “delivery” of an application can be as simple as mounting a VHD or VMDK, and we have a pretty interesting road ahead.
The UEM vendors provide the “other half” of the app management story, and it will be interesting to see how this evolves. (So far it seems they’re partnering. Will they buy? Or be bought? Or be friendly to all and enhance? Interesting, interesting!)
It’s interesting to see how far the UEM segment of our industry has come since the early days in the late '90s. It’s cool that the vendors I leaned on almost 20 years ago are still here doing their thing.
I absolutely believe that a third-party UEM product is critical in today’s world for both physical and virtual desktops, and I’m convinced this will be the case for a long time. Luckily the vendors have stepped up, and we have a lot of cool things to look forward to since Microsoft Windows isn’t going anywhere anytime soon.