VMware releases Horizon App Manager. Here's our full analysis

Last week VMware officially launched VMware Horizon App Manager, the first phase of their "Horizon" project which extends on-premise user identities and app provisioning into cloud and SaaS apps.

Last week VMware officially launched VMware Horizon App Manager, the first phase of their "Horizon" project which extends on-premise user identities and app provisioning into cloud and SaaS apps. This is definitely a "v1" launch (well actually the stuff is labeled "v2" for some reason), and there's a long way to go before the products fulfill VMware's full vision, but it's exciting to see some real stuff here that we can finally get our hands on.

Why we need Horizon App Manager

In most current environments, companies use something like Active Directory for internal app authentication. (Both for Windows apps and a lot of in-house web apps.) But when it comes to external web-based SaaS apps on the public internet from third party companies, integration with the internal AD is often complex, so most companies just don't do it. This means that users have one username and password for their internal AD, plus another username and password for each external service they use.

For example, at TechTarget (my employer), in addition to my internal AD account, I have external accounts with Concur (travel & expense), ADP (pay stubs), Google (Analytics & Docs), AIM (chat), DropBox, ThinkStock (stock photography), Flickr (BriForum photos), Facebook (BrianMadden.com fan page), BrianMadden.com, Brightcove (video hosting), SurveyGizmo, and SightSpeed (HD video conferencing for BMTV). All twelve of those services are 100% official company-sponsored legitimate cloud-based services. These are not the "consumerization" things that I just do on my own in user crazyland. These are the "real" sites that my company knows about and authorizes me to use. (I won't even get into the dozens of other things I use on my own without their knowledge. :)

Do you know how was I able to crank out such a complete list of websites I use? I just checked the "passwords.txt" file which lives on my laptop that keeps track of all these things, because they all have different password complexity requirements, expiration dates, and password reuse policies.

So you see we have a few problems here:

  • This isn't secure, since I have to write down all my passwords.
  • Getting me setup in all of these systems was probably ten hours worth of helpdesk tickets, admin work, emails, and phone calls.
  • If I leave the company, they should (in theory) instantly shut off my access to all of this stuff. (Although in real life I know they won't because the no one at the company even knows how many of these services I use. And if they did, how diligent are they going to be about spending another ten hours disabling everything?)
  • Finally, as a user, this is really annoying. I hate having to lookup and then enter my username and password about 20-30 times every day. (Sure, I could use a password manager app to solve this, but that doesn't fix the first three issues.)

Enter VMware Horizon App Manager

VMware Horizon App Manager is a pay-for subscription service from VMware ($30 per user, per year) that allows you to extend your "on premise" identity (like Active Directory) out to all your external cloud/SaaS apps. When you sign up, VMware gives you a "Horizon Connector Virtual Appliance" (in OVA format) which you run yourself which acts as the bridge between your on-site AD (or whatever directory service you use) and the VMware Horizon cloud service which talks to all the external SaaS providers.

The basic workflow with Horizon is that admins spend some time up front configuring all the various SaaS/web/cloud apps that anyone in their company might use. Then moving forward, they "provision" an app to a user via a Horizon-based management tool which essentially has checkboxes to configure which users (or groups, etc.) have access to which SaaS apps. Admins can configure it so that users can provision themselves for new apps via an app catalog, or they can make it so that users would call the helpdesk and someone there would grant access to a new web app by checking the box.

The ultimate vision is that "checking the box" for the user can do the full provisioning at the SaaS/web/cloud provider too, based on his or her internal user account. The unfortunate reality of today's world, however, is that of the thousands (millions?) of web apps out there, only a few actually offer provisioning & de-provisioning APIs, so today's version of Horizon App Manager can only actually do the full automatic provisioning & de-provisioning for big SaaS apps like Google, Box, Salesforce, etc.

That said, today's Horizon can still be used for single sign-on for all those "other" web apps out there. If the web apps support one of the federated authentication standards, like SAML or, Oauth, Horizon App Manager can handle the authentication in a federated way. (In this case, though, the user must already have the account setup and provisioned on the service which is then hooked into Horizon.

And for "legacy" web apps, Horizon can fall back onto the traditional "password stuffing" technique, which is invoked via a Horizon browser plug-in. (And unfortunately, this is probably what the vast majority of web sites will have to use today.)

From the user's perspective, the workflow in a Horizon App Manager world is that they visit web page (dare I say "portal?") to access their apps instead of hitting each site's front door itself, like this:

Horizon web portal

This web portal will reconfigure itself based on the device that it's being access from.

Today's Horizon App Manager Limitations

VMware is quick to explain that what we're seeing now is just their "Phase 1" implementation, and that we'll see a quick cadence of new releases (one of the benefits of this being a "service" instead of a "product.")

The main limitation with today's version of Horizon App Manager is that it only works for web apps, and that most web apps have to use the "legacy" password stuffing SSO technique which requires a browser plug-in. Unfortunately that browser plug-in today only works with Firefox & IE8. VMware is working on other versions of the plug-in, including Chrome, Safari, other versions of IE, and plug-ins for all the various mobile device browsers. (Although iOS Safari doesn't all plug-ins, so they're probably going to have to build the web browsing capability into their native Horizon iOS app.)

The other limitation today is that since Horizon App Manager only handles web apps today, that means that when you push a button to launch an app, the only option you get is the web app option, even if you have a platform native app. For example, you can use your Android phone to access Horizon App Manager. If you then click on the "Salesforce" app icon, it will launch Salesforce in the Android browser and log you in. But do you really want to be using Salesforce via the browser on your Android phone when a native Android Salesforce app is available? (File this limitation under "Notes for future features.")

Horizon App Manager future features

The more you learn about Horizon App Manager, the more you get excited about the future features that will exist. (VMware has talked about some of these features themselves. Others listed here have just been made up by me right now.)

(1) First and foremost, more and more cloud/SaaS/web apps will create provisioning APIs (which VMware will integrate, not us!), and more will use federated authentication so we can do "real" SSO instead of that password stuffing. So while that might be a slow march that takes years to shake out, every month will be better than the last. And VMware will continue to release more password-stuffing browser plug-ins, so we should meet in the middle somewhere fairly soon.

(2) We'll also see platform-native Horizon clients that have full integration to native apps and the full device experience. For example, a native Windows Horizon App Manager client could put icons to Horizon apps in the Start Menu or on the desktop of a Windows user. This would essentially be exactly like Citrix Program Neighborhood Agent / Citrix Applications plug-in except that it would hook into Horizon for external web apps instead of the Citrix server.

(3) Future iterations of Horizon will also have platform-native clients for mobile OSes, like iOS, Android, and Blackberry, which will make the Horizon-managed apps look like device-native apps. (Well, at least it will let them be launched in the same way.) Hopefully we'll also see the ability for Horizon to manage platform-native apps, so if I want to run Salesforce on my iPhone then Horizon could make that happen. (And this doesn't have to be functionality that Horizon builds themselves. It might be fine just to integrate with the App Store to get the user to install the app, and from there Horizon could handle the authentication.)

(4) VMware also explained that they'll extend Horizon App Manager to Windows apps. For example, they could hook into seamless published Windows apps from Citrix XenApp, Quest vWorkspace, or Microsoft RemoteApp. Essentially the Horizon infrastructure would replace the native web interface or agent-based clients for these platforms--but they'd still connect through those platforms' native brokers, clients, and protocols. (And I assume that Citrix/Quest/Microsoft would be fine with this, since they're still getting paid and they're still managing the app delivery experience.) This means that the single Horizon App Manager app catalog could be the single "go to" place for both Windows and web apps to any platform and any device.

(5) You could also extend this to full Windows desktops (like from VMware View)--which I'm sure VMware has in the works--although personally I think that's a stupid idea because if I already have the local capability to launch a browser then presumably I already have a local desktop of some sort, and the last thing I want is a full remote Windows desktop to deal with in addition to my local desktop. (This is the perfect use case for seamless remote Windows apps, see Item 4 above.) Of course since VMware doesn't have their own ability to do this, I'm sure they'll use Horizon to awkwardly shove full View desktops down to their users. (Maybe they should license VDX from RES?)

(6) VMware is also talking about integrating ThinApp-based Windows native apps into Horizon App Manager. This is a great idea, although to be honest I'm not 100% sure how that would work. Right now ThinApp doesn't really have any kind of central catalog of which apps are available to which users. So I'm assuming with Horizon App Manager would become that catalog, and that you'd import all your ThinApp packages into it and they'd just appear as checkboxes in the Horizon admin that you can tick for different users (or that users can tick for themselves). Then perhaps the platform-native Horizon App Manager client would also be able to check to see if a particular ThinApp package is available locally, and if not, it could download it. In fact I'd love to see some intelligence that could link ThinApp packages which run locally with remote seamless apps (so users could run it locally if possible, and if not they could launch it remotely, like the old SoftGrid ZeroTouch).

(7) Looking even further out, I'd love Horizon to somehow integrate with whatever today's user virtualization products evolve to become. While it's nice that VMware bought RTO Virtual Profiles last year, that's a true Windows-based profile optimization tool. It doesn't have the capability--nor have I heard any hint that VMware wants to build the capability--to extend it to manage user settings across multiple device types and multiple OSes. So maybe Horizon can integrate with whatever AppSense/RES/triCerat/Sense evolve to become over the next few years?

Will VMware get there? Stay tuned...

As I've written before, I love the Horizon App Manager concept and I absolutely believe this is the proper direction for the future. I've written a bit about how the Windows desktop will evolve (or devolve?) over the next few years, and being able to manage a "desktop" as nothing more than a collection of apps and data will be critical.

I love that VMware is going down this path. And I *really* love that VMware is integrating with the Windows remote app publishers like Citrix/Microsoft/Quest/etc. for WIndows apps rather than going out and trying to build it on their own or buying someone like Ericom. Let those experts work on those products and let VMware be the central aggregation point for all apps across all platforms.

With regards to Horizon specifically and what it can and cannot do today, Gabe and I have a Horizon account set up for BrianMadden.com, and we're going to attempt to start using this thing on an ongoing, daily, production basis. (Oh yeah... Gabe, if you're reading this, give me a call. I have a new project to discuss with you.) We'll keep you posted...

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Hi Brian

Really good article, will you also take a deeper look into Citrix Open Cloud Access and maybe do a comparison between Citrix Open Cloud Access and VMware Horizon at some point?

My first thought regarding Citrix Open Cloud Access is of course the price and the requeriments surrounding NetScaler etc.

But it would be nice to have a comparison between the two products regarding what features/functions etc. they can provide or if they are just the same.

I'm 99% sure that Citrix at some point will make Open Cloud Access available on NetScaler VPX and maybe make it a free feature in the Platinum license, like with every thing else :-)



passwords.txt? What is this, the dark ages? Sheesh. :)

http://keepass.info to name just one brilliant, free multi-platform password manager.


I’ve anecdotally heard of identity theft but never envisioned myself as a target.

@Brian @Gabe,

please remove the account @KimmoJ  that is impersonating me.


Yeah right, there is only one person in the world with the name Kimmo and a last name that starts with J.

Though I hadn't noticed there was one here, only found the site a month or so back. Go figure. But I can actually prove that my name is Kimmo J if called upon to do so by Gabe or Brian.


Yeah, well crazy assumptions, my fault ….yet I’m glad that you changed to @ Kimmo Jaskari from @KimmoJ as I guess it would be in both our interest not to be interchangeably  

Move along folks, nothing to see