So Citrix Synergy, May 12th-14th in San Francisco, is around the corner. There is ample speculation in the industry regarding the availability of XenClient. If you want to learn more and have a chance to win one, check out this post from James Millington. Also, below is a video blog with some of my thoughts about Synergy and my preparation.
Regardless of when XenClient is generally made available, I think there is a misconception that XenClient will be used for BYOC (Bring Your Own Computer) use cases right out of the gate. I certainly understand the use case and empathize with the strong desire for BYOC. However, I don’t think that will be the primary driver for the technology in the early days for many people. I also don’t believe that this is the only way to provide BYOC; more on that in the future. Today, anybody marginally familiar with XenDesktop, which includes XenApp, knows that online BYOC can be enabled for desktops and apps and has been by millions of users for many years with HDX.
However, for offline use, based on my experience, I still believe that the preference for many users will be for a corporate-owned laptop for the reassurance and ability to call the helpdesk when there is a problem. It does not matter if users hate the helpdesk, they still miss it when it’s taken away, especially if they are non-technical users not accustomed to dealing with third-party technology support. I also don’t believe every company will provide stipends to their employees like Citrix does to buy their own device. That could be due to culture or budget constraints, and some lawyer types out there will also make liability arguments to make it policy. However, I think that is largely up to interpretation from customer to customer.
I’ve worked in highly regulated environments for a long time as a user/IT provider, and in a very flexible environment at Citrix more recently. Regardless of device ownership, I want to be able to do the things I want on my laptop. My users were no different. I care about security as a user to a point, but care more about it with my former IT hat on. When security interferes with my user experience I hate life and try to find ways around the system. Worse, I don’t use my secure corporate-issued laptop. Unfortunately, when that happens and there comes a time when I really need to work offline, I try to game the system. It’s just too frustrating a process. I have to bear the full disk encryption software experience that is slowing down my laptop and then get greeted with all the queued-up OS and application patches that I missed because I never bothered to connect for so long. Of course this happens at an airport about 45 minutes before a flight when I really need to get a few things done.
Instead, in my former life I simply defaulted back to using hosted desktops and apps whenever I could so the connection experience back to my resources was fast. I tried to avoid using “corporate issued” laptops, unless I had no choice to get data I was working on uploaded into the organization in a secure manner. Even then I tried to get around the security. For example, emailing documents to my personal email address so I could read and work on them and then email back. This is a data leakage nightmare if this was really sensitive data. For many document types this is not feasible due to regulatory requirements. This also meant that because my corporate laptop would not let me browse to anything that was deemed to be a data leakage risk, I would end up carrying two devices just to check personal email and Skype with friends and family! Not so much fun for me or my users lugging around excess baggage for limited benefit. There had to be a solution…..
I looked at secure USB-based solutions, but concluded that for the average user I just did not want to deal with lost USB sticks, the costs, management overhead, etc. I then became really interested in Type 2 hypervisors and how they could be better secured with rich policy to protect against data leakage to enable a better secure laptop experience. I shared ideas with many of the current vendors that offer these solutions today, and tried many of them. Ultimately I concluded that the user experience was still not good enough. I really did not want to boot my personal OS, boot my secure Type 2 corporate OS and then be greeted with all the two-factor authentication requirements and have to suffer the degradation in performance on my personal OS due to the overhead of a Type 2 hypervisor. I also did not want work security stuff to mess up my personal OS. It’s like visiting my house and sitting on my couch and having a cup of tea. That’s OK, but to insist that you want to lie down in my bed would raise an eyebrow at the very least! It’s bad manners…
I could not see this being a viable solution for all my users. Add to that, that the unsecured base user OS was still a huge attack surface for the Type 2 hypervisor, no matter how much effort was put into securing the perimeter. Troubleshooting issues on a user managed OS was also not feasible at scale IMO. So I only ever saw this as a marginal use case for VIP users.
A Better Way
Then my attention turned to Type 1 hypervisors for the client, which is why I am very excited about XenClient. I think XenClient corporate-issued laptops could be provided to users with a need for multiple machines. One could be for work, the other personal. Or it could be more restricted: one could be super secure and the other could be more relaxed for certain use cases. Developers could have environments with different IDEs and different builds, and still maintain their security posture. These virtual machines can be booted simultaneously and run independently and securely side by side while preserving the user experience. I think of this as a reverse BYOC use case and I believe this is far simpler for customers to adopt within their existing organizational DNA.
Perhaps you agree, perhaps you don’t but I welcome your opinion. I am sure this will be a hot topic at Synergy this year. You’ll be able to find me this year at Synergy at the following sessions:
Hope to see you there!