What’s more, focusing your management measures at the client OS level can lead to restricted platform options, and platform flexibility – the freedom for users to opt for Mac OS X or Linux over Windows, for instance – is often a significant driver for user-controlled system strategies.
Finally, with every mandated management layer that’s added to a user-controlled machine – particularly as we move into the realm of whitelisting – the machine moves farther from being user-controlled, and those management layers may prove difficult to keep in place.
Looking forward, I expect to see application whitelisting and privilege management technologies, including those that ship by default with Windows, mature to the point where today’s all-or-nothing, superuser-versus-limited-rights state of affairs will give way to broad user control within a generously sized, but closely vetted, range of operations and installable applications.
Approach Two: A Separate Peace
Since trying to enforce good policy on machines that lie outside the control of IT is such a tricky proposition, a simpler way to install controls involves situating a tightly controlled desktop environment within the employee’s machine through desktop virtualisation.
The most mature means of providing users with desktop environments that are segregated from their hardware involve SBC (server-based computing) products such as Microsoft Terminal Services and Citrix Systems’ XenApp (formerly known as Presentation Server). These products enable administrators to deliver managed desktop environments or individual applications to their users.
In addition to traditional server-based computing, companies can deliver managed desktop sessions hosted from individual desktop virtual machines running in the data centre atop hypervisor products such as VMware ESX Server or Citrix XenServer. Users can then access the hosted sessions through a remote desktop technology such as VNC (Virtual Network Computing) or Microsoft’s RDP (Remote Desktop Protocol).
This approach offers more flexibility than server-based computing because VM-based desktops can be treated the same as typical desktops, in terms of the sorts of applications to which they can play host. However, SBC and VDI (virtual desktop infrastructure) share the same significant downside: Both strategies rely on continuous network connectivity to keep user desktops accessible.
For the many situations in which stable network connectivity cannot be relied upon, client-side desktop virtualisation options – such as VMware’s ACE – enable IT departments to deploy virtual computing environments that run atop a Type 2 hypervisor, which is itself hosted under the user’s client operating system.