Smackdown - v2.1

Transcription

Smackdown - v2.1

User Environment Management
(UEM)
Comparison Whitepaper
(aka Smackdown)
Author(s):
Rob Beekmans
Version:
16.03
Date:
May 2016
© 2016 PQR, all rights reserved.
All rights reserved. Specifications are subject to change without notice. PQR, the PQR logo and its tagline ICT altijd
binnen bereik are trademarks or registered trademarks of PQR in the Netherlands and/or other countries. All other
brands or products mentioned in this document are trademarks or registered trademarks of their respective holders and should be treated as such.
Version 16.03
may 2016
Page i
CONTENT
1.
Introduction ..............................................................................................................................1
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
2.
Objectives .................................................................................................................................1
Intended Audience ....................................................................................................................1
Vendor Involvement .................................................................................................................1
Community involvement ..........................................................................................................1
Document creation process ......................................................................................................1
Suggestions and improvements ................................................................................................2
Sponsoring ................................................................................................................................2
Contact ......................................................................................................................................2
About.........................................................................................................................................4
2.1
2.2
2.3
2.4
About PQR .................................................................................................................................4
Acknowledgments.....................................................................................................................4
Community effort .....................................................................................................................6
Quotes from CTOs and Founders of UEM Product Companies ................................................8
3.
Definitions and Terms used in this paper .................................................................................9
4.
What is User Environment Management (and why should you care?) ..................................11
4.1
4.2
4.3
4.4
5.
UEM: Defined ..........................................................................................................................11
UEM and the “Layer Cake” analogy ........................................................................................12
The Pre-History of UEM (and the case for better solutions) ..................................................13
Why UEM? ..............................................................................................................................16
In-Box UEM from Microsoft ....................................................................................................17
5.1
5.2
5.3
6.
Microsoft’s own in-box UEM solution: Group Policy and Group Policy Preferences .............17
A quick note about Microsoft’s AGPM ...................................................................................22
Microsoft’s “now included” Roaming Profile Replacement / Successor: UE-V ......................22
Before deciding on a 3rd party UEM Solution .........................................................................25
6.1
6.2
6.3
7.
Frequently Asked Questions (FAQ) about 3RD party UEM tools .............................................25
What else should I look for in a UEM tool? ............................................................................28
The future of UEM and the UEM whitepaper .........................................................................30
Solution Overview ...................................................................................................................32
7.1
7.2
7.3
7.4
7.5
7.6
7.7
Introduction ............................................................................................................................32
Vendor matrix, who has focus on what!? ...............................................................................33
AppiXoft ..................................................................................................................................34
AppSense ................................................................................................................................39
Citrix ........................................................................................................................................44
FSLogix: ...................................................................................................................................48
Liquidware Labs ......................................................................................................................53
Version 16.03
may 2016
Page ii
7.8
7.9
7.10
7.11
7.12
7.13
7.14
8.
Norskale .................................................................................................................................58
PolicyPak Software..................................................................................................................61
RES ..........................................................................................................................................67
Tricerat ....................................................................................................................................72
Unidesk ...................................................................................................................................75
VMware User Environment Manager .....................................................................................80
VMware View Persona Management .....................................................................................85
UEM features Comparison ......................................................................................................87
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
Introduction ............................................................................................................................87
Roadmap and Future additions ..............................................................................................89
Feature Compare Matrix.........................................................................................................90
Generic features and functionality .........................................................................................91
User Profile Management .....................................................................................................103
User Personalization, Application and Desktop Management .............................................108
Application Access Control, Security Management ..............................................................117
Resource Management .........................................................................................................124
License Management ............................................................................................................126
Monitoring, Auditing and Reporting .....................................................................................127
9.
Conclusion .............................................................................................................................132
10.
Change Log ............................................................................................................................134
Version 16.03
may 2016
Page iii
1.
INTRODUCTION
Are you overwhelmed by all the different User Environment Management (UEM) solutions
available? Are you looking for insights into User Environment Management? Are you looking
for an independent overview of the User Environment Management solutions and curious
about the different features and functions each UEM vendor is offering? If so, this updated
Comparison Whitepaper (also known as PQR’s Smackdown) is a must read!
In the current market, there is an increasing demand for unbiased information about User Environment Management solutions. This whitepaper focuses on solutions enabling businesses
to manage the User Environment. An overview of features has been created to enable a better
understanding and comparison of capabilities.
1.1
OBJECTIVES
The overall goal of this whitepaper is to share information about:




1.2
What is User Environment Management?
User Environment Management functionality and solutions overview;
Describe the different UEM vendors and their solutions;
Compare the functionality and features of various UEM solutions;
INTENDED AUDIENCE
This document is intended for IT Managers, Architects, Analysts, System Administrators and ITProfessionals in general who are responsible for and/or interested in designing, implementing
and maintaining User Environment Management solutions.
1.3
VENDOR INVOLVEMENT
All major vendors whose products are analyzed and described in the feature comparison have
been approached in advance to create awareness of this whitepaper and discuss the different
features and functionality. The product descriptions are written by the vendors, they had four
pages of freedom to show their product to you.
1.4
COMMUNITY INVOLVEMENT
Members of the UEM community were approached to help with the update of this document.
In the next chapter we’ll introduce the member of the community.
1.5
DOCUMENT CREATION PROCESS
The document has been created with the help of the community and co-workers who did the
initial review of solutions. The reviews were then reviewed by a peer reviewer before we ac-
Version 16.03
6 juni 2016
Page 1
cepted them in the matrix. The vendors got the opportunity to review the matrix before publication and provide input about the review. If the input was considered valid the document was
updated.
1.6
SUGGESTIONS AND IMPROVEMENTS
We’ve done our best to be truthful, clear, complete and accurate in investigating and writing
down the different solutions. Our goal is to write an unbiased objective document where possible, which is valuable for the readers. If you have any comments, corrections or suggestions
for improvements of this document, we want to hear from you. We appreciate your feedback.
Please send e-mail Rob Beekmans ([email protected]) include the product name and version number
and the title of the document in your message.
1.7
SPONSORING
PQR does not receive any sponsoring from any vendor for this document. This document is
created with the help of many community friends and the vendors. We find it of the utmost
importance to be independent and stay independent in our whitepapers. The only sponsoring
we get from vendors is their valuable review of the document for which we are very grateful.
1.8
CONTACT
PQR; Tel: +31 (0)30 6629729
E-mail: [email protected]; www.PQR.com;
Twitter: http://www.twitter.com/pqrnl
Version 16.03
6 juni 2016
Page 2
THIS DOCUMENT IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND
FOR REFERENCE PURPOSES ONLY
COPYRIGHT PQR
PUBLISHING IN PART OR WHOLE IS PROHIBITED WITHOUT WRITTEN APPROVAL
Version 16.03
6 juni 2016
Page 3
2.
ABOUT
2.1
ABOUT PQR
PQR, trusted advisor and integrator for modern datacenter, workspace and cloud solutions,
focuses on availability of data, applications and work spaces in a secure and manageable way.
Along with a suite of IT services PQR guarantees a stable environment, to ensure ICT is always
within your reach.
PQR customers are active in all sectors of society and can be classified as medium to large organizations where ICT is essential to the business. PQR has profound knowledge of the education, government, profit and healthcare markets.
In addition to many traceable references PQR absorbs a wide range of knowledge areas, according to high status levels and preferable certifications. PQR is Cisco Premier Partner, Citrix
Platinum Solution Advisor, Hitachi Data Systems Platinum Partner, HP Platinum Partner, Microsoft Gold Partner, NetApp Star Partner, RES Platinum Partner and VMware Premier Partner.
PQR, founded in 1990, is established in De Meern and counts over 100 employees.
2.2
ACKNOWLEDGMENTS
LEADER
Rob Beekmans is a 26-year IT veteran that worked in many fields in IT before he joined PQR almost 8 year ago. Rob is a senior consultant with a
strong focus on Application and desktop delivery, User Environment Management, Mobility and Monitoring. Rob is a VMware vExpert and is a
member of the VMware EUC-Champion group, The End-User Computing
Champions Program is an “Outsiders-who-are-Insiders” Expert Program
designed with the help of several EUC experts in the community. Rob
shares his vision and insights on his personal blog, on webinars or on stage. Follow Rob on
Twitter or visit his blog. If you want to contact Rob you can do so at [email protected]
The document previously was managed by my former PQR colleague Ruben Spruijt. After Ruben left a new “leader” was needed to make sure the document was updated. I took up the
task to update the document and gathered a team of experts to help me. I thank Ruben for his
hard work over the past years and wish him the best at his new job.
Version 16.03
6 juni 2016
Page 4
Founder
Ruben Spruijt is Chief Technology Officer at Atlantis Computing, responsible for
driving vision, technology evangelism and thought leadership with Atlantis customers, partners and communities. Mr. Spruijt is a well-regarded author,
speaker, market analyst, technologist, and all-around geek. An established industry leader and luminary, he is one of only a few individuals in the world to hold
three prestigious virtualization awards: Microsoft Most Valuable Professional
(MVP), Citrix Technology Professional (CTP) and VMware vExpert.
Mr. Spruijt has presented more than 150 sessions at national and international events such as
BriForum, Citrix iForum Japan, Citrix Synergy, Gartner Catalyst, Microsoft Ignite, Microsoft
TechEd, NVIDIA GTC, and VMworld. Mr. Spruijt founded several independent industry analysis
bodies including Project Virtual Reality Check (VRC), Team Remote Graphics Experts
(TeamRGE), AppVirtGURU written and co-authoring multiple disruptive ‘Smackdown’ research
whitepapers. Mr. Spruijt is based in the Netherlands where he lives with his wife and three
kids.
Major contributors
Special thanks go out to Jeremy who helped me with the initial review and edit of the first 50
pages of the document. He worked through the Dutch-English sentences and turned them to
English. Without his hours of work on this the readability of the document would be worse.
Further on he worked on the Microsoft piece of the document, which is a separate chapter for
it’s the base everyone starts off from.
Jeremy Moskowitz, Group Policy MVP: Jeremy is a 13-year recipient
of the Microsoft MVP award with a concentration in Group Policy. He
runs GPanswers.com for Group Policy training and consulting. He also
leads the solutions design at PolicyPak Software. Jeremy contributed
the Microsoft Group Policy and Microsoft UE-V sections as well as the
PolicyPak section. Follow Jeremy on twitter @jeremymoskowitz or at
www.GPanswers.com or www.PolicyPak.com
Another big thanks goes out to my co-workers Hayscen de Lannoy
who worked with me on the last edits of those 50 pages and the general review before this document was able to go live.
Hayscen de Lannoy: Hayscen had his start in the IT field 18 years ago
doing application migrations and desktop deployments. He is now a
senior workspace consultant at PQR with a passion for Server Based
Computing, VDI, User Environment Management, automation and deployment. Follow Hayscen on twitter at @hdelannoy.
Version 16.03
6 juni 2016
Page 5
2.3
COMMUNITY EFFORT
The community is a very important part of my professional life, I can’t imagine not being in
contact with many of the guys listed here. When I took up the job to update the paper I knew
the community had to be included. So here are the community hero’s that made this version
of the whitepaper possible. Of course this little piece of text does not reflect the time they invested, thanks guys for all the effort. It’s more than appreciated.
Version 16.03
Igor van der Burgh
Ryan Revord
@Igor_vd_Burgh
@rsrevord
Sven Huisman
Patrick van den Born
@svenh
@pvdnBorn
Marius Sandbu
Julien Sybille
@msandbu
@jsybille
Rob Aarts
Erik Bakker
@Rob_Aarts
@Bakker_Erik
6 juni 2016
Page 6
Mathias Kowalkowski
Sean Massey
@stflr
@SeanpMassey
David Seaman
Henk Hoogendoorn
@vyvere
@HenkHoogendoorn
Neo Crazy Dad
@neocrazydady
Patrick Rouse
@Patrick_C_Rouse
Geoffrey van der
Molen
Hayscen de Lannoy
@hdlannoy
@GeoffreyvdMolen
Richard Kuiper
@RKuiper
Version 16.03
6 juni 2016
Page 7
2.4
QUOTES FROM CTOS AND FOUNDERS OF UEM PRODUCT COMPANIES
"Whether you want to get the latest insights on desktop virtualization or you are new to the
space and need to quickly understand it, the UEM whitepaper is the essential guide to read. It
provides detailed analysis of the different offerings in the market today and gives an overview
of the strategic questions one should evaluate. This guide will be an excellent companion on
your Application and Desktop Delivery journey. Kudos to PQR for their continuing effort."
Bob Janssen, CTO and Founder, RES
"As the UEM space continues to grow and mature, the capabilities of the solutions and products in this space are evolving - PQR's UEM whie paper educates the world on the depth and
complexity of delivering true User Environment Management, and highlights the many different areas of functionality required for a comprehensive solution that can scale for organizations of all sizes. It is important for the technical community to have an independent, detailed
review of UEM solutions and at AppSense, we're delighted to see PQR fill that void."
Jon Rolls, VP Product Management, Appsense
“In their efforts of balancing productivity and manageability, businesses will eventually see the
value of User Environment Management. PQR’s UEM whitepaper is the invaluable guide for
those who are looking for ways to make this balancing act feasible and affordable.”
Richard Kuijpers, Managing Director, Appixoft
“The UEM whitepaper is a good resource for starting your evaluation of UEM products. Desktop transformation involves many steps and User Management is an important one to get
right. Choosing the best solution for your organization based on architecture, features, and
value is essential and the UEM whitepaper of PQR brings this information together in one document.”
Jason Mattox, CTO, Liquidware Labs
“UEM can mean different things to different people. Ultimately it’s about adding more horsepower to managing the desktop and the user’s experience, than what is normally possible out
of the box. The information in the UEM whitepaper offers IT admins solutions from different
vendors to augment or supplant what’s in the box. The information in this guide could be the
key you need to a true ‘next generation’ desktop experience as we head into the era of Windows 10 everywhere.”
Jeremy Moskowitz, Founder, PolicyPak Software
"We believe that workspace performance is key for all organizations, large and small, because
it directly impacts the success of the most important aspects of an IT environment: user experience, simplicity, and budget. Our innovative algorithms optimize the way applications run, allowing up to 70% more end-users in virtual environments, while our UEM engine allows you to
deliver fully managed workspaces with less than 10 second login times. All of this can be easily
achieved by configuring only a few settings in the management console.”
Pierre Marmignon, Founder and CEO of Norskale
Version 16.03
6 juni 2016
Page 8
3.
DEFINITIONS AND TERMS USED IN THIS PAPER
This table below gives an overview of various terms that we will be using in this paper. You can
refer back to this section as needed throughout the paper.
Term
Definition
User Profile
The unique location within a Windows desktop to which a user has write
access. Application will write user preferences to this location and the
user can store data such as documents and pictures in this location as
well. The profile is created when the user first logs onto a Windows desktop and persists on that desktop unless an administrator or policy deletes
it
Personalization (or Persona)
A user’s customizations to their environment – e.g. wallpaper, shortcut
placement, pinned items etc. Also includes application preferences written to the user profile. Used as a term to describe what is contained in a
user profile
A controlled and structured approach to managing components of the environment related to the user. This includes user profiles, preference, policy management, monitoring, auditing, application control and application deployment. Can be achieved with the Windows in-box tools, or can
be enhanced using scripting or 3rd party solutions to achieve a particular
desired result
User State Virtualization
Abstraction of user data and profile from the operating system – Roaming
Profiles, Folder Redirection and Offline Files. User State is still tied to the
version of the operating system and provides no separation of individual
application preferences
Originator: Microsoft
User Virtualization
When used alongside OS Virtualization and Application Virtualization; is a
term that makes it easy to describe a layered approach to desktop management and building the user environment on demand. Usage extends
to user profiles, user environment management, application control and
user installed applications.
Originator: AppSense
Workspace Management
Used to describe the process of abstracting user data and preferences
from the operating system and along with application delivery, shortcut
and file type association management, building the user environment dependent on the users’ context (identity, location, device etc.)
Originator: RES
User Profile Management
Version 16.03
Move beyond roaming profiles to actively manage the user profile – may
or may not provide segmentation of the profile
6 juni 2016
Page 9
Term
Definition
Layered User Personalization
See User Virtualization
Decoupling Personalization
Separating the user profile from the operating system. See User Virtualization
Profile Segmentation
Segment the profile into smaller chunks of related profile settings – e.g.
per-application settings. Those application settings may now be portable
across operating systems
User Virtualization Management
Application and Workspace Personalization
See Workspace Management
User Workspace Virtualization
Persistent Personalization
Persist user profile data across sessions
Persona Management
See User Profile Management
Profile Virtualization
Implementing file system redirection to move the profile or parts of the
profile from its real location on disk to another location. Not to be confused with Folder Redirection built into Windows
Profile Streaming
Rather than load the entire profile at logon, stream only the data to the
client as it is requested. This improves logon times. Used in conjunction
with profile virtualization
Hybrid Profile Management
Managing the user profile as a combination of a local or mandatory profile with user preferences or personalization added at logon or application
start
Profile Management
See User Profile Management
Profile Acceleration
See Profile Streaming
User Installed Applications
The ability for a user to install an application and have that application
then persist across different Windows desktops
User Rights Management or Privilege Management
Dynamic elevation of specific user rights via a defined policy to make administrative access more granular. Individual applications, Control Panel
applets or Windows tasks can be delegated without adding the user to
the local Administrators group
Dynamic Privileges
See User Rights Management
Version 16.03
6 juni 2016
Page 10
4.
WHAT IS USER ENVIRONMENT MANAGEMENT (AND
WHY SHOULD YOU CARE?)
4.1
UEM: DEFINED
User Environment Management, or UEM for short, is an easy way to describe any addition to
the in-the-box Windows experience to make the desktop more manageable.
That being said, at one time, the (perhaps original) definition of UEM was somewhat more narrow; UEM once meant to roam settings from machine to machine without the use of roaming
profiles.
Since end-user computing needs got more sophisticated, use cases evolved, VDI, BYOD, and
other desktop-enablement technologies emerged from infancy to adulthood, so transformed
the original definition of UEM as well.
UEM goes beyond the traditional “Configuration Management” (CM) and, indeed, in many
cases is a complement and not a competition to Configuration Management utilities.
Traditional CM solutions are products like Altiris Endpoint Management, LANDESK, IBM BigFix,
Microsoft System Center Configuration Manager (SCCM), Novell ZenWorks and others.
To help to understand the difference between UEM and CM, here are some core feature examples that describe typical non-overlapping features between the two concepts.
CM product features sample:




Deploy operating systems and desktop software
Perform patch management
Perform hardware and software inventory
Configure antivirus
UEM product features sample:





Roam end-user settings between machines
Configure desktop look and feel
Map drives, deploy printers, create shortcuts
Show / hide / layer applications on a desktop
Manage and configure Internet Explorer
As such, the primary focus of the Client Management solutions is the client device and not primarily the end-user’s workspace.
UEM products, on the other hand are about the user’s experience and interaction to their
desktop, and not about the client device.
Version 16.03
6 juni 2016
Page 11
Therefore our definition of User Environment Management (UEM) for 2016 is:
“User Environment Management (UEM) is any software solution which facilitates the management of the end-user user computing environment. The software’s primary focus would
be about the end-user experience and not on the end user's device”.
That being said, in the same way no two products are the same, neither will you find the exact
same feature set in a CM product, nor will you find the same feature set in a UEM product.
One UEM product might roam settings between machines, and another might not have that
feature at all, and instead, do an amazing job at configuring the desktop look and feel. Another
UEM product might not do either of those functions, but instead perform application hiding.
Said another way, the spectrum of UEM products is quite diverse. Because of that an IT department might start by using the in-the-box UEM solution (Group Policy) augment or replace it
with one or more 3rd party UEM products to make a whole solution which solves the particular
business and end-user cases needed.
Some UEM products try to do “everything.” Some UEM products try to do just one thing. Other
UEM products do a handful of things.
4.2
UEM AND THE “LAYER CAKE” ANALOGY
A user with a fresh install of Windows 10 and nothing else equals a user who cannot do any
real work. To perform real work, a user needs:







Applications.
Drive maps.
Shortcuts.
Printers.
Security, desktop and application settings.
Personalized look and feel settings.
Access to documents.
…..and a lot more.
As such, just providing a desktop to a user gives him very little to do. Therefore, the term
“Layer Cake” has emerged as model to express what must happen after the desktop is deployed.
These layers can be layered on directly or in virtualized pieces.
The ideal situation is to break up (or isolate) the Operating System (OS), the Applications
(Apps) and the User Components. By isolating each piece, you can interchange any of the
pieces, and still have a functioning desktop system “cake.”
Version 16.03
6 juni 2016
Page 12
In the figure 1, we can see the basis of the layer cake:



OS is first (bottom)
Applications are second (middle)
User settings are last (top)
Figure 1
To go deeper into the layer model:



4.3
OS: OS delivery can occur in a myriad of ways such as golden / master image, streaming image, layered, VDI, RDS, etc.
Applications: Applications can be present by being “physically installed” (using MSI),
placed there with Application Virtualization, and/or layered and/or hidden.
User: User settings (and restrictions) are last, which include personalization, security
policies, look and feel settings, and so on.
THE PRE-HISTORY OF UEM (AND THE CASE FOR BETTER SOLUTIONS)
Before vendors came along with elegant solutions to solve desktop environment challenges, it
was reasonably common for IT admins to cobble together their own rudimentary solutions for
desktop management.
For instance, if you couldn’t install two applications on the same desktop, admins would simply
install the applications on two different servers (siloing them), and publishing the applications
for use. Poof! Instant workaround!
But, with workarounds come problems. While this reduced application conflicts, now the silo
introduced problems ensuring that user’s preferences are available across different hosts and
kept consistent between sessions!
So Roaming Profiles (in Microsoft Windows) were introduced to store and recall settings. The
goal of Microsoft Windows Roaming Profiles goals was to store user-changed settings so they
were recalled and available the next time the user logged on, or when the user changed machines.
Version 16.03
6 juni 2016
Page 13
But with Roaming Profiles came other problems. Some problems with roaming profiles were
real, actual problems. Other problems with roaming profiles felt like real problems, but instead
were misunderstanding or perception problems. Other problems were simply mere annoyances with the way Microsoft handled roaming profiles’ implementation. Let’s break down the
three categories of roaming profile issues:



Roaming Profile implementation annoyances
Roaming profile “real problems”
Roaming profile “perceived problems”
Roaming profile implementation annoyances
Roaming profiles should have been implemented such that it was drop-dead easy to roam
from machine to machine and operating system to operating system. However, the implementation from Microsoft is simply not that way.
Instead, Microsoft’s recommendation is that all versions of the profile (mostly based upon operating system revisions) should be siloed. That is, you shouldn’t intermingle user preference
data from one version to another; nor can you intermingle 32 and 64 bit profiles (Microsoft KB
http://support.microsoft.com/kb/2384951).
Therefore, the Operating System to Profile Version chart looks like what’s seen in Figure 2.
Figure 2
Then after successfully siloing each operating system’s data, the next prescription would then
to use Redirected Folders to get to end-user data. The end-result would be roaming from machine to machine, regardless of machine type. And even though there was a different profile
for each operating system, at least the user could access the same data, because of the folder
redirection.
Roaming profile “real” problems:
Besides the implementation annoyance of having to silo roaming profiles, there are some actual real problems with roaming profiles.
Over time, lots of user settings can be stored in the profile. And therefore at login time, when
speed is most needed, that time is wasted loading the (now large) user profile. That being said,
even since Windows XP, roaming profiles only need to download only the NTUSER.DAT file and
Version 16.03
6 juni 2016
Page 14
only the changes between the profile and what's already on the machine. This does pose a real
problem for non-persistent VDI desktops and whenever users log into a brand new machine or
session, because that first login is always downloading the whole profile; thus being slow (the
first time.)
Another real problem of roaming profiles is that if a user made an undesired change or for
whatever reason the user's state needed to be restored, there was no good way to do this.
Even performing a real backup and restore could sometimes not restore the state back as users expected.
Roaming profile “not real” & perception problems:
It is definitely true that you can corrupt a profile if you don’t heed Microsoft’s warning to silo
your roaming profiles based upon operating system. And in the distant past, it was quite easy
to roam from Windows NT to Windows 2000 and causing actual profile corruption along the
way.
One of the perceived problems with roaming profiles might not actually be a problem at all.
Since windows 7 and continuing on to Windows 10, actual profile corruption could be a perceived phenenomon as opposed to a real actual problem occurance.
This blog entry from Mike Stephens at Microsoft really says it all, and is worth a read. It's entitled "Mythical Creatures - Corrupt User Profiles" and is found here.
If you want a second opinion from a profile expert read "Corrupt User Profiles - Do They Even
Exist?" which is found here.
Said another way, roaming profiles are not without problems and drawbacks. But actual hardcore “corruption” could simply be misintrepration of what is really occurring on a system.
Using scripts to compensate for Roaming Profiles and missing functions out of the box.
Logon scripts, logoff scripts, startup scripts, shutdown scripts and manually executed scripts
have often been used to work around in-box limitations where IT admins have wanted to enhance the user environments.
Script engines like VBscript, KiXstart, Powershell, and others aren’t usually optimized for speed
nor do they often have error handling or reporting. Scripts cannot cater for everything a user
could potentially do during their session. Scripts also have to be maintained by engineers who
understand how to write and maintain scripts. Which is good for job security but bad for continuity, agility and long term supportability.
Some organizations have even written their own full-blown in-house UEM solutions because,
historically, the market wasn’t mature enough with commercial solutions. Even if an in-house
UEM solution works reasonably well, even one minor feature change could introduce a large IT
cost to build and maintain as well as distract the IT team from other important tasks.
Version 16.03
6 juni 2016
Page 15
4.4
WHY UEM?
Now that we’ve established why UEM was needed, let’s continue onward with a slightly different angle. Let’s try to sussinclty answer the question: “What are the primary reasons for implementing any UEM solution?” The potential answers are as varied as they are many:















Version 16.03
Improve user experience when logging on
Migrate between OS’s while maintaining user settings
Enable installing of user’s own applications (User-installed applications)
Avoiding use of Windows Roaming profiles
Extending Group Policy to do more (and go to more places)
Replace scripts with something graphical and consistent.
Provide better and granular support of user and application preferences.
Enforce / enable access to applications, file-types, (removable) devices, network and
data resources.
Enable context awareness (ie: Based on user location, device and custom settings,
grant access to applications, data, network resources, devices and preferences dynamically)
It facilitates Resource Management to control and optimize usage of CPU, Memory resources with focus on applications and (Virtual) Desktops.
Facilitate BYOD
Layer applications not already found in the base image
Hide applications pre-installed in the base image
Report on detailed information changes inside the User Environment Management environment which could be needed for compliancy and certification standards such as
Persona Information Acts (HIPAA), ISO 27001, SOX and NEN 7510.
Audit and monitor user environments for security events
6 juni 2016
Page 16
5.
IN-BOX UEM FROM MICROSOFT
Almost all IT departments use Windows as their platform of choice; and as such all the areas
we discuss will be Windows-centric. And with the pre-paid investment in Windows already
comes a small advantage: there’s already a UEM solution in the box from Microsoft.
This section explores what is ostensibly “free” since it’s already paid for and in most cases already partially or fully utilized. Most organizations will have a Microsoft environment and with
that comes the license agreement. That license agreement hands you an in-box UEM solution
from Microsoft. Is this one product? No the UEM solution Microsoft is handing you is a combination of multiple tools imbedded in Windows. With the Microsoft license agreement comes
Group Policy and Group Policy Preferences. Depending on the license agreement, SA licensed
or not, you get access to UE-V. These tools will offer you a basic UEM solution that might just
do for you. For more advanced UEM features or more complex scenario’s you need to look at
other vendors to complement Microsoft in your organization.So first we will show you what
Microsoft has to offer, you have to understand what is there before you can decide if it will do
for you.
5.1
MICROSOFT’S OWN IN-BOX UEM SOLUTION: GROUP POLICY AND GROUP POLICY PREFERENCES
Microsoft’s solution for User Environment Management is built in the Group Policy mechanism.
There’s a lot to be said for the native Microsoft tools. Both Group Policy (GP) with Group Policy
Preferences (GPPrefs) form the basis of an excellent solution for managing computers and the
user environment.
Indeed, Microsoft acquired DesktopStandard in order to acquire Group Policy Preferences,
which has positively delighted many administrators since its inclusion in 2008.
However some customers find that Group Policy either requires additional 3rd party add-ons
(Group Policy is extensible) or a complete replacement via alternate solutions.
Group Policy does a great job for managing the Microsoft pieces in the box. Microsoft ships
more than 3500 policy settings that will set and lock down various operating system look and
feel items and set various security settings. That being said, there are two types of settings
within the Group Policy system:
Version 16.03

Policy Settings: These are “True policy” in that a standard user cannot actively work
around these set settings. These are all the Adminitrative Template items and security
items.

Preferences Items: Microsoft’s Group Policy Preferences acts differently, in that nearly
all the directives can be worked around – by design – by the user. That’s why they’re
6 juni 2016
Page 17
called “Preferences.” For instance, Group Policy Preference’s most popular features
are delivering Drive Maps, Printers and Shortcuts. And the user at whim can delete all
of these settings. It is notable that Group Policy Preferences settings can re-apply during Group Policy background refresh, but only if the client can actively make contact
with a Domain Controller and is not offline.
The Group Policy ecosystem is only a “settings delivery” mechanism and doesn’t care what
happens after the settings are delivered. After settings are delivered, if a user changes “user
controllable” areas, then Roaming Profiles will typically contain these settings.
Group Policy and Group Policy preferences’ additions greatly enhance the administrator’s
toolbox and opportunities for managing the user environment; however there are several important pieces still missing from this arsenal:
•
•
•
Microsoft’s own Roaming profiles have the same continued challenges: Roaming Profiles are still only supported per OS – organizations are unable to provide application
settings across operating system versions.
Scripts could still be necessary for some tasks: Scripts might still be needed, and maintained plus they continue to have the same limitations as the scripts we used to write.
Though skillful use of Group Policy Preferences can often eliminate the need for many,
if not all, of a company’s scripts.
Some Group Policy Preferences items have not been made upwardly compatible with
Windows 10, such as File Open assignments.
As stated, a Group Policy infrastructure is made up of Group Policy Objects (GPOs) and can natively contain directives called Policy or Preferences, but is also extensible to 3rd party directives.
Group Policy can be configured by creating a GPO and linking the GPO to a Site, Domain or Organizational Unit in Active Directory. GPOs can contain both User and Computer side directives. The configured settings are applied by the client at startup, logon and approximately
every 90 minutes in the background (processed independently on User and Computer side.)
Group Policy Preferences provides 21 user-environment management (UEM) abilities to Group
Policy and works from Windows XP clients onward. Group Policy Preferences greatly extend
the possibilities to configure the user environment and in many cases eliminates the need for
complex logon scripts.
Group Policy Preferences’ most popular features include delivering drive mappings, shortcuts
and printer assignments
Roaming Profiles may or may not be used with Group Policy. That is, there is no “all or nothing” with regard to Group Policy and Roaming Profiles. Many organizations choose to take advantage of Group Policy and Group Policy Preferences without ever turning on roaming or
mandatory profiles.
Version 16.03
6 juni 2016
Page 18
The configuration of roaming or mandatory profiles is usually handled using Active Directory
Users and Computers directly upon a users’ Active Directory account.
Benefits
Group Policy, Group Policy Preferences are free as they come with the Microsoft Windows installation. Since it’s in the box most administrators have had some use of Group Policy and/or
Group Policy Preferences.
Other benefits are:








Works across any Windows experience - Physical, Virtual, and Laptops.
Works across all Windows operating systems from Windows XP onward; continued
support for all Windows 10 endpoint systems.
Compatible with Microsoft RDS, VMware Horizon View, Citrix XenApp and Citrix
XenDesktop.
No software to install on desktops, no additional shell environment.
Data stays in Windows native format, you're never locked into a data jail.
No architecture to deploy – everything is stored on domain controllers; the Group Policy client is already on all Windows endpoints.
One-single solution for all of your Windows desktops.
Rich history of being extended by 3rd parties to perform specialized functions that are
not present “in the box”.
Functionality
With Group Policy Settings, the main functionality is:




Configure the look and feel of the desktop for in-the-box Windows functions (Control
Panel, Desktop, etc.)
Manage security aspects: underlying operating system, firewall security, application
whitelisting / blacklisting (AppLocker)
Lockdown supported areas to prevent unauthorized changes to the system.
Configure behavior of roaming profiles, folder redirection and offline files
With Group Policy Preferences, the following functionality is available for user and computer
configuration (user-side shown in screenshot below):







Version 16.03
Map Drives, Printers, Shortcuts and more.
Set environment variables.
Deliver files, create folders folder.
Simple INI files and Registry edits.
ODBC settings.
Perform device restrictions.
Set folder options, Internet Explorer settings, Start Menu.
6 juni 2016
Page 19
Group Policy Objects and Preferences contain functionality to configure both the user and
computer as well. Generally, when a computer receives a computer-side setting, all users who
use that computer are affected.
Context-awareness using Item-Level Targeting
Group Policy Preferences items have a rich collection of built-in “Item Level Targeting” filters.
These enable specific Group Policy Preferences items to affect machines specifically based on
location, machine, group, IP address, OU, and other filters.
Figure 3: Targeting
A partial list of ILT filters is shown in the screenshot. A full list of context-aware ILT filters can
be found at http://technet.microsoft.com/en-us/library/cc733022.aspx
Architecture
Active Directory Services is required to centrally manage and assign Group Policy Objects and
Preferences. Although some Group Policy settings can be configured on each computer – one
by one -- locally (using gpedit.msc). This is not a great option when mass configuration in an
enterprise environment is desired.
Group Policy Objects containing Policy and Preferences can be linked to Active Directory at different levels (sites, domain, OU) and directed to users and/or computers.
Version 16.03
6 juni 2016
Page 20
When using multiple Group Policy Objects, the processing order is always: Local, Site, Domain,
OU. The last effective Group Policy Object wins, but higher-level administrators can always ensure their directives “win” by using the “Enforced” setting upon a GPO.
Some Group Policy settings directly or indirectly change registry settings. Microsoft provides
Administrative Templates (*.adm, admx), which affect operating system settings, and some applications like Microsoft Office or App-V.
Licensing
No additional licenses are needed to get started with Group Policy Objects and/or Group Policy
Preferences. The default Windows Client Access License is enough.
Speed concerns
While there are some reasons that Group Policy could be slowing down a startup or a login, in
practice the most common reason Group Policy can be perceived to be “slow” is the improper
use of startup and login scripts which try to perform “too much”; such as copying large files
(every time at login), waiting for user input (and timing out), or referencing servers which don’t
exist -- thus holding up prescious startup or login time. Another common reason for slowdowns is trying to deploy “very large” printer drivers via Group Policy Preferences (which can
be 30 – 500MB depending on the vendor.)
Said another way, when using Login or Startup scripts, or deploying large printer drivers via
Group Policy, Group Policy is performing exactly what it’s supposed to do.
While not every administrative action can be accounted for, the Group Policy engine itself has
several built in throttling mechanisms to specifically prevent slowness at startup and login:





Version 16.03
Each GPO has a “version number” so that GPO’s contents are not re-downloaded if a
client has already seen the contents of a GPO. Said another way the client doesn’t redownload each GPO every time, it only downloads new or changed GPOs, automatically speeding up startups and logins.
Starting in Windows XP (and continuing onward thru all Windows clients), all Group
Policy operations are, by default, performed in the background when possible. This
prevents most slowdowns from even being “felt” by the end user.
Starting in Windows 8.1, and when synchronous processing is required, the client will
use “locally cached GPOs” which exist on the client machine to speed login time (which
would have traditionally occurred over the network).
Starting in Windows 8.1, one of the more popular Group Policy Preferences items,
Drive Maps, was re-written to always work in the background, speeding up login time
whenever Group Policy Preferences Drive Maps was used on a client, and therefore all
Group Policy processing overall.
Starting in Windows 8.1, login scripts are delayed for processing until 5 minutes after
login. This is to prevent disk contention during the most critical time of setting up the
6 juni 2016
Page 21
users’ Explorer and (possible first time profile setup.) The delayed login script feature
of Windows 8.1 is is configurable to any value, including turning this feature off.
Therefore, Group Policy’s slowness can be mitigated when admins know where to look. In
these cases, a wholesale “replacement” of Group Policy and Group Policy Preferences for another tool which replicates the Group Policy or Group Policy Preferences functionality isn’t
something every company should be looking to do until they’ve exhausted all troubleshooting
options with the Windows product they’ve already paid for.
For very detailed information about finding and locating Group Policy slowdown issues, see
Group Policy: Notes from the Field - Tips, Tricks, and Troubleshooting, a talk from TechEd
North America 2014 from Jeremy Moskowitz, Group Policy MVP found here.
5.2
A QUICK NOTE ABOUT MICROSOFT’S AGPM
Microsoft’s Advanced Group Policy Management (AGPM) gets a special note here for two reasons.
First, Microsoft AGPM is often misunderstood in what it can and cannot do. Specifically, Microsoft AGPM adds “change management” around Group Policy Objects themselves. That is,
AGPM’s main goal is to help multiple administrators create, edit, approve and rollback GPOs in
a systematic way.
Contrary to popular believe, AGPM provides zero added client-side superpowers or benefits
beyond what’s already in the box with Group Policy and Group Policy Preferences.
AGPM is simply a way to store GPOs “offline”, manage them with a team, and put them into
production in a systemized fashion.
For a quick rundown of AGPM Myths and Facts, see the document at (this link).
As a side note, AGPM 4.0 SP3 was recently released with minor update to work with Windows
10 clients and recently added Powershell support.
5.3
MICROSOFT’S “NOW INCLUDED” ROAMING PROFILE REPLACEMENT / SUCCESSOR: UE-V
In previous UEM whitepaper, Microsoft’s UE-V was considered a “competitor” to other UEM
solutions found in the next section of this paper which sought to work around the limitations
of Roaming Profiles.
That’s because Microsoft previously sold and licensed UE-V as part of a suite of utilities called
MDOP or the Microsoft Desktop Optimation Pak. But Microsoft doesn’t sell MDOP anymore.
MDOP is now simply included to all Software Assurance customers.
Therefore, understanding UE-V before investigating 3rd party UEM tools is paramount, because
ostensibly, you can think of UE-V being almost like it’s “in the box” now for Software Assurance
customers.
Version 16.03
6 juni 2016
Page 22
Architecture, Operations and Functionality Overview
Microsoft UE-V has main four components:




UE-V Agent (as an MSI);
UE-V Settings Location Templates;
UE-V Settings Storage Location.
UE-V Template Generator utlity.
The UE-V agent must be deployed to all machines where user preferences are to be managed.
The agent looks for the presence of UE-V templates on the machine or a network location defined by the administrator. UE-V templates define the application to be monitored and the locations within that application to monitor. The UE-V agent then traps user-created preferences
changes to applications and stores them remotely for later use. UE-V storage of settings can be
stored in a file share or the users home drive.
When applications are launched (on the same machine or different machine), the user’s application settings are downloaded before the application is launched. The UE-V agent will send
the user’s changed settings back at the following times: Logon, logoff, locking the machine, unlocking the machine and connecting to an RDS session.
If the user is offline when he makes an application settings change, then it is stored and forwarded the next time the user connects. Lastly, UE-V has a PowerShell interface to accept a
command that can roll back settings for a particular application to an initial state.
Additionally available is the UE-V Generator utility, which enables administrators to create
their own templates for most applications.
Benefits
UE-V is a step up from Microsoft’s traditional roaming profiles because only the applications’
settings the user needs are downloaded at application launch time, instead of the entire profile and all settings being downloaded at login time.
UE-V ships with some UE-V templates to help roam common Microsoft applications such at Internet Explorer, Microsoft Office, and operating system desktop settings and accessories.
UE-V also ships with a template Generator utility that enables administrators to create their
own templates for well-behaved applications.
Microsoft officially supports the in the box templates for UE-V, and also has non-supported additional UE-V templates available for download in the UE-V Gallery (link here).
The UE-V agent can be managed using Group Policy with downloadable ADMX templates and
adive from this link.
Detractors
There are some known issues with UE-V as follows:
Version 16.03
6 juni 2016
Page 23



There is no “Roaming Profiles to UE-V” wizard to help existing administrators migrate
from roaming profiles, although administrators could run both solutions together during a migration phase.
UE-V is now out for several years, and there really is still no guidance or documentation from Microsoft to help administrators migrate from roaming profiles to UE-V.
UE-V is not supported on Windows XP and there are no plans to make it work on Windows XP machines.
Licensing and Download
UE-V is ostensibly free for al Microsoft SA customers.
UE-V is download as part of the MDOP (Microsoft Desktop Optimization Pack).
More info on licensing MDOP (which includes UE-V and AGPM as discussed in this document)
can be found at (this link.) Again, MDOP contains six total tools, of which UE-V is just one of
them.
Version 16.03
6 juni 2016
Page 24
6.
BEFORE DECIDING ON A 3RD PARTY UEM SOLUTION
Most of the remainder of this paper details 3rd party UEM solutions. Because no two solutions
are alike, and there is Microsoft’s in-box UEM tools (Group Policy, Group Policy Preferences
and UE-V), here are some items you might want to think about before you even start to investigate any 3d party UEM tool.
6.1
FREQUENTLY ASKED QUESTIONS (FAQ) ABOUT 3RD PARTY UEM TOOLS
Q: Now that Microsoft has its own roaming profile replacement tool (Microsoft UE-V) and
it’s ostensibly “free” tool (for SA customers), what does this mean for me as an IT admin, and
what does it mean for other UEM vendors?
A: The release of a true profile management solution by Microsoft is a significant step in validating that profile management and cross desktop roaming matters to enterprise customers. It
effectively confirms that profile management has now become a commodity, especially now
that all of the 3 main desktop virtualization vendors (Microsoft, Citrix and VMware) essentially
bundle roaming profile replacement solutions with their core products.
Microsoft is marching forward with developing UE-V features, but they are effectively behind
other UEM players in terms of maturity and feature sets.
If you are a Microsoft SA customer you might first take a look at your Microsoft tooling since
they are included in the license. Depending on your business requirements you might want to
look at other UEM solutions.
Q: Do 3rd party UEM solutions make desktop virtualization projects cheaper?
A: So, you need to be careful when asking this question. All the vendors with 3rd party UEM solutions will try to “Yes” to the question “Does UEM make managing the desktop cheaper?”
The short answer to this is No, it won’t make it cheaper, UEM is not meant to make projects
cheaper, it’s meant to offer you a solution in the end-user environment that makes end-users
more happy and flexible. It will, when implemented correctly, save money on management of
the environment.
Q: Do these solutions make desktop virtualization easier and faster to implement?
A: Customers who already have User Environment Management solutions deployed should see
a benefit and improvement in deployment times and adoption when implementing desktop
virtualization (or even a new physical desktop) – in-house knowledge and processes should already exist making implementation simpler and thus faster.
If the customer is migrating from an existing desktop environment to new environment, these
tools are intended to assist in migrating profiles and login scripts from the older desktops into
the new desktops. This would be the ideal way to ease entry into desktop virtualization; however other than replacing scripts with GUI tools, desktop virtualization may not necessarily be
Version 16.03
6 juni 2016
Page 25
faster. It will make implementation easier as you can guarantee that settings are deployed to
each and ever desktop identically.
Q: How difficult are 3rd party UEM solutions to install, configure and maintain?
A: Although some of these solutions have been around for some time, the knowledge required
for implementation is not as broadly available as those that are included with the in –box Windows UEM tools. The difficulty of using a solution depends per product; one is more difficult to
learn than the other. In general you could say that anyone with several years of experience in
IT should be able to learn if rather fast. This knowledge “issue” is also there with the standard
in-box Windows possibilities, to use the tools offered there requires learning as well. If you
start with a solid understanding of what you want to solve you’re half way there.
Technically, all UEM products were niche solutions – trying to solve a particular problem. Remember that many UEM solutions sprang from problems born from the world of Terminal
Server deployments and the problems found there.
As you consider a 3rd party UEM solution, making a decision implementation includes knowing:
•
•
•
•
Infrastructure requirements - database and file storage, network requirements etc.
Configuration optimization - creating an initial configuration and optimizing it as the
project progresses.
Implementing the best configuration solution for specific scenarios – there are multiple ways to solve a configuration scenario.
Training and staffing: who is going to “own” this new 3rd party UEM solution in your
organization. How will you train the next team member?
Q: Do these solutions replace any existing tools/processes?
A: In most deployments, large portions of logons scripts (VBscript, Jscript, KiXtart) can be replaced with graphical user interfaces from different UEM solutions. That should, in theory,
generalize the knowledge required to support the user environment (replacing specialized
knowledge). As you move more and more User related management in one tool other tools
and processes might be obsolete. Will it replace all tools you currently use? Probably not, but
that will differ for each organization.
Q: Are all UEM vendors selling the same thing?
A: Actually, no.
It’s true many UEM vendors are first and foremost trying to resolve the issues with “Roaming”
Profiles and often make logins faster.
That being said, some UEM vendors aren’t trying to do anything like that at all.
Version 16.03
6 juni 2016
Page 26
And still other UEM vendors are also selling add-ons to their core solutions and branching out
to other areas as well.
For instance, AppSense, RES, Citrix, VMware and Microsoft all have something that tries to replace in-box Roaming Profiles.
But vendors like Unidesk and FSLogix are building solutions, which add (or hide) application
layers, making applications interchangeable on an already-delivered desktop.
And, to take a brief look at some other varying examples, AppSense, RES, Liquidware Labs, and
PolicyPak Software are all taking very different approaches with their portfolios.






AppSense is branching into Mobile Device Management, Data Access and User Installed Applications
Unidesk layers applications on VDI images
FSLogix hides applications pre-installed in golden images
Liquidware Labs has branched out to User Installed Applications and application layering
RES now delivers Workflow Automation, Data Access and an Service Store as well a security in their UEM solutions
PolicyPak focuses on “what’s missing” in Microsoft’s portfolio and leverages customers
existing Microsoft Group Policy or SCCM intrastructure and/or AGPM, Roaming Profiles or UE-V to make a complete solution.
Q: Will Windows 10 change the game?
A: When Windows 8 was released, Microsoft introduced some new roaming features with
modern (aka Metro / Universal) applications. These settings can be roamed when users marry
their on-premises accounts with a Windows SkyDrive account. Or, they can also be roamed
with Microsoft’s product UE-V, discussed earlier.
What about Windows 10? The main feature of Windows 10 is that it’s supposedly the “last”
version of Windows, with in-place upgrades going forward. In this way, it becomes less important for UEM vendors to say that they are always on the bleeding edge of operating system
compatibility, because eventually, nearly all systems will be on Windows 10.
Therefore, UEM solutions will always be needed to fill the gap, to manage the desktop experience, and provide an awesome experience for end-users. Will Windows 10 be a game
changer? I don’t think so, I think the game changer has been the development in storage that
made virtual desktop environments more interesting from a cost perspective. Before storage
was the bottleneck for many many disks where needed to offer any performance, today speed
isn’t an issue and more organizations move to virtual desktops and of course Window 10.
Q: Do these solutions really help with Application Virtualization, or is that just marketing?
Version 16.03
6 juni 2016
Page 27
A: Yes. Various UEM solutions can actually manage user personalization data inside of “bubbles” or “sandboxes” where virtual applications reside.
If you’re using Application Virtualization products like App-V or ThinApp, then ensure your
UEM product works alongside it and can manage and/or roam user’s settings from within the
bubbles.
The market of application virtualization is shifting from virtualization to layering as Unidesk,
Liquidware Labs Profile Unity and VMware Appvolumes offer application layering methods
where applications are installed in reference machine and attached to desktops when needed.
This is not virtualization and won’t isolate anything. It is a new way of offering departemental
applications.
6.2
WHAT ELSE SHOULD I LOOK FOR IN A UEM TOOL?
Remember that no UEM tool is right for everyone. As such, here are the key items to look for
within all the tools in this guide, and see which one is right for you.
User personalization and/or Application and Desktop Management
This is typically the core of most UEM tools, but not all. The usual complement of features
would be items like:
•
•
•
•
•
•
•
Configure the users look and feel of the desktop
Assign drive mappings to network shares
Assign printers
Assign applications and corresponding settings
Set, change or delete Registry settings
Provision specific application settings, such as Microsoft Outlook profile(s)
Provision Database connection settings (ODBC)
Both in-box Microsoft’s Group Policy / Group Policy Preferences Preferences and, in general,
3rd party UEM solutions offer the possibility to make many of these configurations. The difference to Microsoft offering and the other UEM solution is that most others are offering contextawerness with all the features. Allowing you to controle when a printer is connected and when
a setitngs is loaded versus it is loaded always at logon in every scenario.
Whitelist / blacklist: Application Access Control
As of Windows 7 Microsoft provides Applocker which can be used to allow or block user-context applications from running. New to Windows 10 is DeviceGuard, which can provide both
user-mode and kernel-mode code integrity.
That being said, some UEM solutions give the IT admin-enhanced ability to strictly determine
what applications the user is allowed the use, and make that context aware. For instance,
when working on a desktop on-premises the user is allowed to access and use the HRM data-
Version 16.03
6 juni 2016
Page 28
base application. However, when accessing a desktop from a computer at home the HRM database application is not available. This functionality can be extended to time, location, device
or with specific requirements on the computer the user uses. With security management, the
User Environment Management solution provides and enforces access to applications.
Some vendors offer the ability to deliver a functionality of an application or button in an application based on a user or group whereas other cannot do this other than per server/desktop.
User Rights Management / Elevation
Newer to some 3rd party UEM tools is the ability to sidestep UAC prompts.
If you want to accelerate your walk away from admins on all workstations, consider a solution
which enables you to specify where UAC prompts can be automatically run with admin rights.
Resource Management
Resource Management monitors individual users and/or processes for excessive usage and
takes appropriate action when exceeding thresholds. In addition logging of these events can
be very useful to determine system bottlenecks. This can help pack more users onto shared resources like VDI and RDS.
License Management
UEM solutions with license management enable you to configure the licensing model (per
named user, per device/system, concurrent user or site) for each application.
License management can provide insights into application usage. With monitoring application
usage, organizations can better determine the amount of licenses needed. In some cases this
means that many users don’t use specific applications and therefore savings are possible.
Monitoring, Auditing and Reporting
Make sure that the UEM solution you invest in has reporting that makes sense for your organization. Sometimes “too much” reporting means you wont use it at all. Likewise make sure you
understand how to troubleshoot your UEM solution so when something goes wrong, you have
a basic understanding of what to try to fix.
“Just in time” / Layered Application Delivery / User-installed applications.
Some UEM solutions can help you manage your number of gold images.
They will enable you to layer applications on after the image is deployed.
Others will help you hide applications after the image is deployed.
Others will enable you to provide a method for users to install their own applications.
Just-in-time delivery achieves several things:
Version 16.03
6 juni 2016
Page 29
1. It improves the user experience by allowing the user to get to their applications and
data faster – the user is productive sooner.
2. IT has better control and view of the user environment because we are now having a
clearer view of the user layer.
3. The business can now have more trust and confidence in their computing environment
because it can be a more proactive environment.
A way to think about why you might need Just-in-time delivery of applications is shown in Figure 3. Here you can see that the largest percentage of users uses the same number of applications (say, Microsoft Office.) But the more applications you have, the fewer number of your users actually utilize them.
Figure 4: Applications in specific user context
Source: Citrix
You might also need the ability to enable users to install their own applications.
This might sound odd within the context of User Environment Management – allowing users to
make changes in a managed environment, but this will become part of the toolset for getting
any application to the user in any context.
6.3
THE FUTURE OF UEM AND THE UEM WHITEPAPER
One question I get on a regular basis is how do you see the future of this document? Will there
be a next version alike?
In the field we all see customers working with a versatile number of devices working while using resources in a cloud or on on-premises. These devices need to be managed. They have applications, data and settings that need central management. This is not different from the UEM
management where we want central management for applications, data and settings for employees working on FAT clients or in a virtual environment. Merging of those two businesses is
Version 16.03
6 juni 2016
Page 30
coming our way, there is no us and them anymore in the near future. UEM and EMM will
merge into one, there is no way we can stop that. In the future, and the future is now, users
will work on different devices expecting the same experience everywhere. UEM and EMM will
need to work together offering that, one managing the device the other everything on the device. Look at what VMware is doing with UEM and Airwatch and Horizon View, look at what
Microsoft is doing with Enterprise State Roaming and OneDrive. Citrix also has all the tools in
hand with XenMobile, VDA agent and receiver to manage any device for any user.
So to answer the question, I think the next version or at least one of the next versions will be a
merge of the two worlds, a workspace management comparison whitepaper of some sort, perhaps a different name but one with both worlds combined.
Version 16.03
6 juni 2016
Page 31
7.
SOLUTION OVERVIEW
7.1
INTRODUCTION
To get an overview of the major players in the User Environment Management space, a number of solutions are explained in this chapter (sorted alphabetically by vendor). These solutions
have a broad range of lighter functionality to “everything included” functionality.
This time we’ve done things a bit different, before we played the teacher who would take out
too much marketing fluff of what was deliverd. That was a huge task and actually not one I was
looking forward to. One vendor might think I cut them short in favor of the other. So in this
edition we let the vendors go free, they all got the freedom to write four pages about their
product, their solution, their suite. I don’t mind what they write, they have four pages to convince you they are what you need.
Some vendors are small some are Enterprises, some are part of bigger companies. All vendors
have equall amount of pages to write on, we don’t judge we compare.
I call this the UEM Vendor marketplace so mind the step, when you enter this chapter you
leave the unbiased sector and you’re in the hand of marketing. Hope we see you again in
chapter 8.
Version 16.03
6 juni 2016
Page 32
7.2
VENDOR MATRIX, WHO HAS FOCUS ON WHAT!?
Version 16.03
Scense
AppSense
DesktopNow
Citrix
Liquidware Labs
ProfileUnity
Microsoft
GPO, GPPrefs, USV, UE-v
Norskale
VUEM
PolicyPak
PolicyPak Suite
RES
ONE Workspace
Tricerat
Simplify Suite
VMware
Persona Management
VMware
User environment Management
6 juni 2016
Application Delivery
Resource Management
User Rights Management
License Management
Page 33
Monitor, Audit and Report
Product
Application Access Control
Vendor
Appixoft
User Personalisation
User Profile Mgmt
There are quite some vendors in the “User Environment Management space”. The diagram
below gives an overview of the focus of the various User Environment Management (UEM)
software vendors. This diagram has nothing to do with the (possible) discussion which vendor
provides the most and the best functionality and features. A complete overview of the features and functionality is available in chapter 6 – Feature Overview.
7.3
APPIXOFT
Introduction
AppiXoft enhances productivity for both end-users and administrators with the Scense UEM
solution. Scense makes it easy for the administrator to provide great and consistent user experience.
Scense WSM extends the workspace as we know today to a personalized and customized one.
Universal access to IT resources, a context-aware user experience, location services, Live Profiles, software metering, reporting and dynamic printer management all ensure a high level of
freedom and personalization for the user, while leaving control firmly in the hands of the IT department. Scense Workspace Management is a true One-Stop shop for solutions to your IT
challenges of today and tomorrow.
Solution
Scense has been known for years as an easy to use, efficient workspace management solution
for desktop environments with Pc's, laptops, terminal services and virtual desktops. Managing
workspace environments with temporary staff, task workers and power users has never provided any challenges to Scense administrators. The latest release, Scense 10, continues to address the latest IT challenges and use cases in the same elegant way.
Figure 5: Scense 10
Employee owned devices (BYOD, BYOC and CYOD) - Scense supports unmanaged devices
without the need for a complex to manage and expensive data center for hosted desktops or
terminal server sessions. Earlier versions of Scense have resulted in already tens of thousands
of end users using their own laptop or PC to use corporate applications and resources. As opposed to the way previous Scense versions made it possible to do ‘on premises’ BYOD, Scense
will be able to service BYOD remotely over the internet, including software distribution.
The Scense location services and context awareness will address the IT managers’ most urgent
concerns related to fear of data loss or leakage, compliancy rules and, last but not least, dirty
PC’s. At the same time, Scense Live Profiles will ensure a consistent user experience for the
end user by transferring personal application settings between corporate, managed and personal devices.
Version 16.03
6 juni 2016
Page 34
Mobile users - Facilitating mobile users with access to corporate applications and data, while
keeping IT regulations in place, has been a challenge for both administrators and end users for
years.
By delivering workspace management over the internet, end users are able to use corporate
resources or add new applications as soon as internet is available. No more hassle with VPN
connections or network cables. At the same time, IT is able to update machines of mobile end
users and enforce IT policies in real time to mobile devices. A mobile user is no longer a risk to,
but a friend of the IT department.
Functionality
Scense contains many unique, innovative, features that focus on user freedom, as well as control by and cost savings for the IT department. The new service oriented architecture of Scense
extends the reach of these features outside the corporate network.
Figure 6: Scense service oriented architecture
Dynamic Application Delivery and Control - Applications and all related information, like user
settings, policies, drive mappings or printers, are centrally managed and dynamically delivered,
personalized and configured accordingly to the circumstances under which a user operates.
Context aware access to these applications is provided in a secure, safe, efficient and elegant
way.
Conflict Free Provisioning - Scense “Conflict free Workspace Provisioning” is based on a technology called “Adaptive Installer: unique technology that enables real-time conflict isolation
during the installation of a Windows application. In combination with the integration of all major application virtualization vendors, Scense always provides a 100% conflict free workspace,
even on unmanaged PCs and without the need for a client hypervisor.
Scense Live Profiles - A fire and forget solution for user profile management. Workspace and
application related user settings are separately and centrally stored but transparently available
regardless of the version and architecture of the Microsoft Windows operating system and accessible throughout the entire landscape of physical and virtual desktops, laptops, terminal
server sessions, unmanaged PCs and natively installed and virtual applications.
User Workspace Management as a Service - With the support of WCF, the Scense Engines run
within Microsoft’s Internet Information Services. IIS's scalable and open architecture is ready
Version 16.03
6 juni 2016
Page 35
to handle the most demanding tasks. The switch to WCF also results in a change of communication protocols, opening up new use scenarios. The full Scense service portfolio will be available over the internet, including application distribution.
Real time Monitoring and auditing - Scense’s “Session Control Engine” provides the administrator with real time information and control over his desktop environment from machine
startup until machine shutdown. Intervene directly, in real time when problems arise. Block
applications instantly, provide the end user with understandable messages, install on the fly
updates or applications and implement new policies when needed.
Self-service and Remote Support - Because of Scense’s session control engine, administrators
are empowered to proactively prevent desktop problems from happening. When issues do occur, users are encouraged to address these themselves. Repairing applications, refreshing
workspaces or resetting parts of the user-profile are all available to all user types: locked down
or not managed at all. Remote support functionality is available for the rare occasions that it is
really needed.
Software Metering and Reporting - Scense will track the usage of applications on all workstations and store this information in the central database from which clear and informative
reports are generated by the Scense Report Viewer. Scense comes with several preset reports
that show application usage in several ways. Reports can be added and modified. Having a firm
grip on costs is very important for the IT manager. Excessive software costs coming from unnecessary renewals or over-compliance on expensive software can very easily stack up to large
amounts. IT Managers who are looking for ways to reduce the IT expenses will quickly appreciate the insight Scense Software Metering will bring to them.
Architecture
Scense is easy to install, has minimal impact on your existing IT architecture and will support
on premises and hosted environments.
Version 16.03
6 juni 2016
Page 36
Figure 7: Scense Architecture
The server elements of Scense are installed centrally in the company’s data center or hosted
externally. Scense supports centralized and distributed multi-site implementations. Performance and availability can be guaranteed by the use of Network Load Balancing, Database mirroring and Scense’s own multi-site support mechanisms.
Scense Database - The Scense database, containing all information and instructions related to
applications, user settings, desktop configurations etcetera, is stored on an Oracle or MS SQL
database server. Scense agents will contact this database, via the web service, to retrieve instructions during the clients’ user and computer sessions.
Scense Server - At the heart of the Scense system are the Scense web services. These services
are used by the Scense Executive component installed on the clients. The Scense Engine web
service communicates tasks received from Scense Executive to the database engine. The
Scense web services make full use of IIS’s scalability. Scense will use the communication protocol that best fits the use case in play: http(s), ftp(s) or a WCF communication channel.
Scense File shares - The Scense file shares (App Store and Profile Store) store all the (virtual or
physical) application packages that need to be available to end-users as well as multiple historical versions of the Windows profile per user and per application. As soon as an end-user requests an application that is not available yet, the application is installed or streamed and
started or activated. The user profile for that application is injected during application startup
and stored after an application is stopped.
Version 16.03
6 juni 2016
Page 37
Every client managed by Scense needs the Scense client components. These can be installed
on virtual or physical desktops, on Terminal Servers, on laptops or employee-owned devices
that are not part of the Active Directory. Administrators can use the Scense update manager to
install and update Scense clients in an unattended and reliable way.
Scense Client and Scense Executive - The Scense Client and Scense Executive work together to
execute the Scense instruction on the desktop and give feedback to the user. If the client software is unable to retrieve instructions from the Scense database (because the Scense Engine is
not responding) a local database is used, the Local Cache.
Licensing
The Scense Workspace Management Solution is licensed per named user or per device
Version 16.03
6 juni 2016
Page 38
7.4
APPSENSE
Introduction
Founded in 1999, AppSense is the global leader in “Secure User Environment Management.”
This comprehensive, highly scalable set of solutions enable IT teams to deliver an enhanced
user experience with improved endpoint security across physical, virtual, and cloud based
desktops. With over 3,600 customers worldwide, AppSense has now been deployed to over
9,000,000 endpoints. AppSense revenues exceed $100M and it employs around 400 employees across the globe. AppSense was recently acquired by LANDESK, who plan to allow
AppSense products to continue to innovate independently and help them gain market share in
user environment management. AppSense operates a channel-based model and works with
both global and regional system integrators and partners to deliver its solutions. AppSense offers a number of services including pre and post sales consultancy packages and operates a
24/7 support desk.
AppSense technologies are commonly sold as the DesktopNow Plus suite. DesktopNow Plus
allows organizations to abstract the management and user elements away from the underlying
platform, OS and application delivery mechanism. This is done to deliver a consistent yet secure productive workspace regardless of how the environment is being delivered. This layer of
abstraction allows AppSense to create something known as “USER DNA.” The user’s DNA consists of both user personal settings and data in addition to policies and configurations placed
on the user by IT. By managing and applying the USER DNA on demand, organizations can improve the user experience provide contextual security to windows endpoints without effecting
productivity, and reduce costs associated with Windows migrations and.
The DesktopNow Plus Suite is made up of the following components which whilst are commonly sold together, can be purchased independently to help organizations solve a particular
use case.
 Environment Manager
 Application Manager
 Performance Manager
 DataNow
 Insight
AppSense believes that user data is a key element of “User DNA”. However, this “UEM whitepaper” document will only discuss and compare the AppSense DesktopNow suite (Application
Manager, Environment Manager and Performance Manager). In other words, Insight and
DataNow technologies which make up the DesktopNow Plus suite are excluded from this report. For more information on DesktopNow Plus, Insight or DataNow, please visit our website
at www.appsense.com, and also look out for the PQR “Enterprise File Sync and Share comparison whitepaper” document that discusses DataNow in more detail.
Version 16.03
6 juni 2016
Page 39
Whilst AppSense agents and configurations can be deployed via any 3rd party tool (such as
SCCM), AppSense also provides the AppSense Management Center at no addition cost to its
customers. This is a highly scalable, 3-tier deployment and management platform that allows
both deployment and auditing of DesktopNow.
Many organizations already have multiple ways in which they deliver desktops and applications to users (Desktop, Datacenter, Cloud). This “hybrid Windows world” means that it is becoming more difficult to manage users across these multiple delivery platforms. The user requires an environment tailored and personalized to their needs to be productive. They want
flexibility in what they can do and or change, but also expect their preferences to roam with
them and carry forward onto new platforms. IT needs to lower the cost of managing the multiple environments, deliver a fast and predictable user experience, and monitor and secure the
environment on behalf of the business.
Delivering a secure yet productive Windows environment has historically been challenging. AppSense solves this challenge by…




Version 16.03
Improving user experience
o Extremely fast logon times
o Complete removal of profile related support calls and profile bloat
o Consistent user experience across multiple platforms
o Consistent user experience during Windows migration
o Ability to carry both user data and personal preferences from one environment to another.
Securing the endpoint
o Application control and whitelisting without the administrative overhead of
creating lists of known or unknown executables
o Protection against user-introduced and unknown executables
o The ability to implement least privilege management and remove the need to
provide users with local admin rights
o Containerize user sessions by limiting both users and applications to only communication on certain addresses or ports.
Reduction in Capital expenditure
o Audit and control application execution based on user, device and connecting
device to reduce application license costs
o Manage CPU and memory to increase user density which decreases hardware
and associated management costs.
Reduction in Operational Costs
o Reduction in 3rd line profile related support calls
o Consolidate management of policies and management across multiple estates.
o Reduction in both OS image management and application packaging
o Reduction in the cost associated with remediation and break-fix
o Reduced time and cost associated with any Windows migration and /or transformation project
6 juni 2016
Page 40
Functionality
AppSense can take any Windows image no matter where it resides and upon machine startup
and/or user logon, dynamically configure, personalize, secure and optimize the environment
specific to the user and their context. This removes the need for logon scripts, Group Policies,
Roaming profiles, whitelisting, admin rights, server isolation, multiple images, multiple application packages, offline files, and folder redirection.
Profile Management – the key to desktop personalization
AppSense replaces traditional user profile management with an on-demand personalization
approach delivering a more secure and user friendly workspace. AppSense utilizes a 3-tier architecture for synchronizing user application profiles to an endpoint. User application profiles
are stored in a SQL database and synchronized down to end points via an IIS server over
HTTPS. Whilst a SMB share can be used, AppSense recommends this 3-tier approach as it provides a number of unique benefits. “Multiple Application Delivery Support” and “cross OS
support” means that AppSense does not care how the application is delivered and on what
desktop. User profile information can roam freely from locally installed applications on Windows 7 to a virtualized application on Windows 10 as an example. Roaming of this profile can
be done in session without the need for the user to logoff and logon. AppSense supports both
desktop and server operating systems, varying CPU architectures, and multiple desktop and
application delivery technologies such as XenApp, XenDesktop, VMware Horizon View, RDSH,
App-V, ThinApp, AppVolumes, Unidesk, SCCM and many others. Because profile data is being
stored in SQL, snapshotting, rollback, last known good, and delta sync is possible out of the
box. This allows both user self-service and web based support tools to easily manage user
profile information and remediate where needed. The use of IIS and SQL also provides support
options for mirroring, failover, scalability and DR.
A contextual Rules Engine at the heart of all AppSense technologies means that the User DNA
can be applied on user/user group, but extend to more contextual rules such as IP address,
NetBIOS name, device type, date/time, etc. More recent versions of AppSense have also introduced new rules enabling file checks, registry checks, NetScaler policies, and both Citrix and
Version 16.03
6 juni 2016
Page 41
VMware conditions. In addition to the rules engine, AppSense also utilizes a number of “triggers”. These triggers allow AppSense to check rules and process actions at other times in addition to logon and logoff. “Session connect”, “network connect”, “desktop unlock” and “process
start” are just some of these triggers allowing more granular control over when profile management and configuration takes place. Unlike traditional roaming profiles which are loaded
during logon and logoff, AppSense enables a just-in-time load of application settings instead of
a just-in-case. Unlike a traditional logon script which executes in sequence, AppSense achieves
ultra-fast logons thanks to its multithreaded and optimized agent which can cache and process
configurations in parallel. AppSense also includes “pre”, “during” and “post” logon triggers, allowing admins to control when Windows desktop configuration takes place to further reduce
logon times. DPI settings, for example can be set “pre desktop” but other items can be placed
under the “post logon” trigger to allow tasks to run after the and not impact logon times. Another example could utilize the “unlock trigger” to allow printer mappings to be amended
based on location when the user unlocks their desktop.
Endpoint Security – Application control and User Rights Management (Least Privilege)
Regardless of whether you are deploying a VDI image to developers or a physical laptop to a
standard user, local administrative rights continue to cause organizations a challenge when it
comes to providing a secure and productive environment. Windows endpoint security is a major focus for many organizations and removing local admin rights from the user based can have
significant benefits when it comes to protecting Windows endpoints. The challenge is that too
many Windows admin tasks (like changing the Date/Time) and applications still require local
admin privileges. AppSense user rights management can elevate tasks and applications asneeded, allowing organizations to implement a least privilege management practice. In addition, application control and whitelisting is recommended to secure, control and audit which
applications are being installed and run by users. AppSense utilizes a unique approach called
Trusted Ownership™ Checking which removes the administrative overhead of whitelisting.
Users can run executables which have been delivered by the business and 3rd party application
deployment tools, but are protected against unknown and user-introduced executables. Application control also allows authorized applications to be controlled based on context, allowing
AppSense to audit and control per device licensed applications and those applications which
need to be controlled for compliance reasons. (See Gartner report on how AppSense helps
“Ensure Applications Are Properly Licensed on VDI”, Nathan Hill & Stewart Buchanan, March
7th, 2016.) Additional features known as “Self Authorization” and “emergency change control”
also allows users to self-install and self-authorize unknown applications when they are offline
or away from the office.
Lockdown The majority of applications at customer sites are non-Microsoft and do not come
with Administrative Templates (ADM and ADMX) files. It is therefore not possible to block
functionality based on rules. AppSense Environment Manager’s Lockdown technology enables
administrators to strip out unwanted application and Operating System functionality depending on the user’s context, to reduce the complexity of the end user experience or for security
purposes. For example, it is possible to hide or prevent access to specific application interface
Version 16.03
6 juni 2016
Page 42
components such as buttons, menus and toolbar items, disable keyboard strokes such as Print
Screen, Copy or Paste and prevent certain text from being entered into edit controls such as
Web browser address bars.
Performance Management Simultaneously reducing capital expenditure associated with user
density and hardware in virtualized environment and improving user experience, AppSense
has patented technology which manages and controls both CPU and Memory. By managing
runaway CPU thread, scheduling CPU processes, optimizing DLL rebasing and trimming
memory, AppSense can prevent CPU lock ups, reduce memory hungry applications and ensure
a consistent quality of service yet increase user density.
Solutions:







Windows Migrations
Endpoint security
Profile Management
Privileged Management
File and Data Sync
Performance Management
User based analytics.
Licensing Options
AppSense User Virtualization software is typically licensed on a named user basis. A license is
required for each managed user regardless of how many devices they use. Concurrent licensing is also available on request.
Version 16.03
6 juni 2016
Page 43
7.5
CITRIX
Introduction
Citrix’s User Environment Management solution is premised on the following technologies.
Some are Citrix delivered capabilties and others are leveraging the inherent capabilties of
Group Policy with Group Policy Preferences.





Profile Management: Citrix UPM (User Profile Manager); UPM Cross-Platform Settings;
Micrsoft’s UE-V (may be leveraged with UPM instead of Cross-Platform Settings feature)
Data: ShareFile is the recommended method to manage user data such as documents
across all devices and OS platforms.
User Environment Settings: Microsoft GPP (a component GPO) is a very powerful
method for managing all user environment settings (like printers, home drives,
shortcuts etc). It is inherent within AD at no additional cost and includes item level
targeting (and other methods) to highly customize and focus user environment settings.
Apps Control/Licensing: XenApp with features like App Limits; Microsoft AppLocker
adds an additional layer of app control and is also built into AD.
Monitor, Audit, Report
o UPM Log Parser, Troubleshooter and a PowerSehll based UPM best practice
validation tool
o Citrix Director logon and profile related statistics
Profile Management (Citrix UPM)
Citrix Profile management is intended as a user profile solution for XenApp, XenDesktop, and
physical desktops. Profile management ensures that the user’s Windows’s profile is roamed
effectively and reliably across all the user’s sessions and connections.
Profile management is enabled through a profile optimization service that provides an easy,
reliable way for managing these settings in Windows environments to ensure a consistent experience by maintaining a profile that follows the user. It auto-consolidates and optimizes user
profiles to minimize management and storage requirements and requires minimal administration, support and infrastructure, while providing users with improved logon and logout.
The most common challenges that impact the user experience and that administrators have to
address when managing user profiles are:


Version 16.03
Last writer wins – When users work on more than one physical or virtual device, their
individual personal settings may be overwritten in a seemingly random manner when
they log off.
Profile bloat and logon speed – Profile bloat creates unwieldy growth in user profiles
and resulting storage and management issues. Typically during logon Windows copies
the user’s roaming profile over the network down to the local machine. Logon time is
6 juni 2016
Page 44
prolonged by the time it takes to transfer the whole profile over the network. The
larger the profiles are and the more files they contain the slower the logons will be
Benefits
Citrix Profile Management provides fast logons, the most control over profile settings and addresses the last-write wins issues all from a central management point (GPOs).
Citrix Profile Management provides more flexibility as of what needs to be included or excluded from a user profile. With Profile Management one can configure which registry keys in
the HKCU hive needs to be ignored or included during logoff. Also files and directories can be
configured so that they are exclude from a user profile.
Profile Management addresses the last-write-wins issue. No longer is the complete user profile
copied at logoff. Environments where users work within multiple sessions, i.e. one remote session and a local session, are always faced with the default Windows profile handling procedure
where the user profile from the last session overrides all the other session user profiles.
Profile Management also provides a streaming functionality. With profile streaming, users’
profiles are synchronized on the local computer only when they are needed. Registry entries
are cached immediately, but files and folders are only cached when accessed by users or applications.
Features






Version 16.03
Profile streaming. Profile streaming completely negates the impact of the user’s profile size and its impact to logon and logoff. When profile streaming is leveraged, the
profile load time for a profile whether it’s 100 MB or even 500 MB may remain in the
6-7 seconds load range. The profile data is then only copied down on demand when
it’s actually needed or requested by a user action or application acitivity.
Active write back. With Active Write Back, setitngs are written back to the user store
as they occur instead of ewaiting for a logoff event to synchronize all the setitngs back.
This both improves the reliability of capturing changed settings during a session but
also prevents loss should a logoff event never occur.
Profile migration allows you to migrate profiles to and from physical computers and
virtual ones. Depending on the configuration settings, Profile management can copy
existing roaming profiles and local Windows profiles to the user store. Existing mandatory profiles can be used as the basis for Citrix user profiles when saved as a template.
Wildcard support. Allows the use of wildcard characters in file names for synchronization, inclusion, and exclusion lists.
Logging. All entries in log files are identified with the user name, domain, and session
id (where identifiable).
Consistent user settings. Solves the "last-write-wins" problem that occurs when the
last open session overwrites all of the profile data from previously closed sessions.
6 juni 2016
Page 45



Easy integration. Profile management can be integrated easily into existing deployments. No new infrastructure or changes to logon and logoff scripts are required.
Active Directory-managed licensing. You can manage user entitlement using an Active
Directory user group.
Improved monitoring and reporting. Additional Performance Monitor counters and Citrix Director/EdgeSight integrations allow you to measure several new aspects of logon
and logoff, providing improved benchmarking.
Licensing
Citrix Profile Manager is a feature of XenApp and XenDesktop (All Editions). Citrix licenses users are extended rights for UPM usage to the user's physical devices e.g. you have 1,000 XenApp Enterprise users - these users may install UPM on their Windows device(s) to also manage their profiles on those respective devices. There is no separate licensing options for UPM,
only as a feature of XenApp and XenDesktop.
Architecture
You install the Profile Management agent on each computer whose profiles you want to manage. The installation is straight forward and available for x86 and x64 operating systems. All
currently available operating systems are supported.
The Profile Management runs as a service and can be configured using ini-files and/or centrally
with the use of Microsoft Group Policy Object’s (GPO). ADM and ADMX templates are provided.
Citrix Profile Management intercepts the default Windows user profile handling process. As
soon as a Windows profile process starts, the Profile Management service kicks in and takes
care of the necessary actions based on the GPO settings and INI settings.
Version 16.03
6 juni 2016
Page 46
As with a Windows roaming profile a central location is needed to store the profile. This central location is called the User Store. Every user should have access to the user store, a network folder where profiles are stored centrally. Alternatively, profiles can be stored in users'
home drive if preferred
Figure 8: Citrix Profile Management overview
Version 16.03
6 juni 2016
Page 47
7.6
FSLOGIX:
Introducing: FSLogix™ Office 365 Container for Citrix (Q2 2016)
Best of Citrix Synergy 2015 Winner, Application and Desktop Virtualization, FSLogix addresses
problems that have prevented wide scale adoption of the enterprise virtual workspace, simplifying administration and providing the best user experience for maximum productivity. FSLogix
Apps dynamically provides per user application visibility, and allows applications to run at native speed with no need for sequencing and repackaging. FSLogix Profile Containers provide
the industry's fastest logon time and allow applications like MS Outlook and Windows Search
to run at speeds on par with local installations (finally!). Profile Containers enable large file access and true Cached Exchange Mode for Office 365 and other hosted email products, eliminate the logon storm impact of folder redirection, and significantly reduces load on network
and server resources.
New in Q2: Starting in Q2, 2016, a subset of Profile Containers will be sold as a separate dropin module, FSLogix™ Office 365 Container for Citrix, allowing administrators to take full advantage of our Office 365 support without having remove their existing profile solution. This
new offering is the industry’s first drop-in solution that enables true Cached Exchange Mode
for all virtual workspaces using Office 365, and real time search for virtual desktops. FSLogix™
Office 365 Container for Citrix installs in minutes, and allows enterprises to virtualize and persist OST files for users with XenApp, Terminal Services, and non-persistent or ‘pooled’ virtual
desktop infrastructure. In addition to addressing email and search performance, critical settings for Office 365 such as OneDrive cache, Skype for Business global address list (GAL), and
Windows search database will now persist between sessions.
Version 16.03
6 juni 2016
Page 48
Image Masking Drives Revolutionary Innovation
FSLogix Apps is a solution designed to enable IT Administrators to manage the emerging enterprise workspace, reducing the amount of hardware, time and labor required to support physical, virtual, and cloud desktops. FSLogix has developed a technique called Image Masking to
create a single Unified Base Image that hides everything a logged in user should not see. This
approach provides predictable and real-time access to applications and other workspace components like fonts, browser plugins, application and add-ons, easily addressing complex management problems like regional or departmental uniqueness of plugins – all from a single image. Image Masking uses advanced file system filtering which extends from the base image out
to VHDs and other critical infrastructure areas.
Image masking functions identically and transparently across a wide range of Windows-based
platforms, simplifying the path from traditional to virtual environments, with a single, unified
approach to image management, profile access, and application delivery. Installed as a software agent, FSLogix Apps seamlessly integrates with Windows centric desktop virtualization
solutions from Microsoft, Citrix, VMware, and other industry leaders.
Solution
FSLogix Apps targets the following three solution areas:
1. Gold Image Consolidation: With Unified Base Images, enterprises can combine all applications, plus browser and app plugins, onto a single gold image, or greatly reduce
their current number of images. Based on the image masking technique, users see only
the applications, plugins and other components that they are licensed and authorized
to see, simplifying application delivery across physical and virtualized Windows infrastructures. Every application, extension, font, etc., installed in the Unified Base Image
is available in real time only to users authorized to access them. Unlike traditional application virtualization, Image Masking allows real-time application execution with natively installed applications, and no repackaging or sequencing.
2. User Profile Containerization: Profile Containers are local or remote volumes which
eliminate the need for folder redirection or Roaming Profile optimization, allowing users to have a consistent, familiar, workspace experience with no limitations on the size
of the profile or the size of any individual files. This approach solves the problem of
large files (like OST’s and PST’s) in VDI and RDSH. Users and businesses increase
productivity by having access to their unique work environment on any device, native
application speeds and unbeatable logon times. Unlike other products, FSLogix provides this solution without the overhead of remote servers and additional configuration databases.
Version 16.03
6 juni 2016
Page 49
FSLogix Profile Container




Provides sub 15-second logons across all environments and locations for most enterprises
Enables true Cached Exchange Mode, allowing Office 365 and internally managed
email on virtual desktops to perform like locally installed
Eliminates logon storms and recovers critical server and network infrastructure
Consolidates profile contents to a single point of management for data retention
Slow logon and application launch times are one of the top complaints in virtual desktops.
Profile Containers are a new architectural approach to address this problem. Instead of placing all of the user’s files on a network share like in the redirected files approach, FSLogix encapsulates the entire profile –including the registry– in an in-guest container. This advanced
filtering approach removes the maximum amount of resource utilization from processing user
profile data and eliminates the need for legacy profile products and folder redirection. User
profile performance is indistinguishable to local, yet administrators receive the benefits of centralized profiles, including easy off loading for data retention and compliance, with little or no
ongoing administration.
FSLogix Office 365 Container for Citrix (New in Q2, 2016)
This component provides just the award winning Office 365 support from Profile Containers, in
a simple, drop-in solution that works alongside your existing profile management system.
True Cached Exchange Mode – with patent-pending OST containerization, Outlook on XenApp
and XenDesktop can now function and perform as if locally installed on a high performance
workstation. Users don’t need to compromise email and calendar performance to adopt strategic initiatives like virtual desktops.
Version 16.03
6 juni 2016
Page 50
Real-Time Search – enables inbox and personal folder search to work as designed on XenDesktop, with maximum performance, and no workarounds requiring end-user training or unique
behavior between physical and virtual environments.
Plug and Play management – features a micro-application footprint with drop-in installation,
GPO templates, simple rules based configuration, and the use of existing CIFS/SMB servers, improving the ROI of existing enterprise infrastructure.
Infrastructure compatibility – works on all major virtual desktop and hosted email solutions,
complimenting profile management products traditionally used in virtual workspace environments.
Affordable pricing – with an expected retail list price of $10 per user, there’s no barrier to
making email on virtual desktops enterprise class.
FSLogix Apps, Application and Profile Containers, and FSLogix™ Office 365 Container for Citrix
provide multi-platform support for all major Windows™ based virtual desktops, hosted email
providers, and profile management products, turning virtual desktops into the enterprise class
virtual workspace.
3. Just-in-Time Application Delivery: FSLogix supports an unlimited number of Application Containers for situations where combining all applications into a single image is
not practical, for licensing or technical reasons. Application Containers may be either
local or remote volume libraries. Combining Application Containers with Unified Base
Image technology provides the flexibility to IT to use the optimal design approach for
their unique requirements.
When using Apps it is not necessary to sequence or package applications. All applications are
installed natively using the application’s .msi install. From there, FSLogix Apps takes advantage
of Active Directory to control the visibility of when any application is visible to individual users
or groups.
Installed as a software agent, Apps has key advantages over traditional application virtualization solutions:






Version 16.03
Native application performance. Since applications run natively, performance is
not impacted.
Supports all Windows applications. Platforms can be traditional or virtual desktops.
No need to sequence or package applications. Since applications run natively,
there is no need to sequence or package. Consequently, all applications, including
applications with device drivers, are supported (e.g. iTunes, Adobe Acrobat, Citrix
and View clients).
Compatible with existing application virtualization solutions. Complements existing
solutions especially for applications that cannot be virtualized.
Citrix XenApp/RDSH silo consolidation. A single image can contain all virtualized
and remote applications for all users, eliminating the need for silos.
Multiple application versions in the same image. Application versions reside in the
image and are assigned to individual users.
6 juni 2016
Page 51




Time-to-deploy significantly reduced. Since no packaging is required, FSLogix Apps
can be installed onto existing servers and systems for quick deployment.
Simplified image management. A single image can contain all versions of all applications for all users.
Easy license management. Applications can be revealed or removed in accordance
with license requirements.
Compatible with application management systems. Can be used with solutions
from a variety of vendors, including Altiris Client Management Suite or Microsoft
System Center.
Licensing
FSLogix is engineering the enterprise class virtual workspace. Request a fully functional trial
version for your enterprise at www.fslogix.com
Version 16.03
6 juni 2016
Page 52
7.7
LIQUIDWARE LABS
Introduction
Liquidware Labs ProfileUnity provides sophisticated User Environment Management with advanced features that lead the industry. The company separately innovated FlexApp, a unique
and robust application layering technology with a very high application compatibility rate – to
date higher than other similar offerings on the market. While the two products can be licensed separately, Liquidware Labs is the only independent vendor to provide this unique
combination of solutions from a single management console if desired.
ProfileUnity has been on the market since 2005, therefore the product’s User Environment
Management features are mature and comprehensive. Liquidware Labs acquired the solution
and development team in 2009 and added significant development resources – focusing on
new features, ease-of-use and innovation in the area of Application Rights Management and
Application Delivery though User Environment Management.
Today, ProfileUnity provides great value to organizations who are looking to replace roaming
profiles and folder redirection or basic profile management tools. Not only does ProfileUnity
address these needs with precision, the solution go beyond much of the competition, offering
many advanced features that are not found in competing products. In some cases features
that are built in to ProfileUnity are sold separately by competitors as additional add-on components. Below are the four core areas covered by ProfileUnity’s User Environment Management
features:
Version 16.03

Advanced Profile Management - ProfileUnity supports multiple versions of Microsoft
Operating Systems therefore customers can leverage ProfileUnity to on-board physical
desktop users to any new Windows desktop including virtual and server hosted desktops. Subsequent to moving to ProfileUnity the first time, profiles never have to be
“migrated” as a ProfileUnity-managed profile can be made compatible across OS versions. Data outside of the profile in locations such as the HKLM area of the system registry and files anywhere within the system, can be made portable with ProfileUnity. Exclusive ProfileUnity Profile Disk technology can be leveraged for superior performance
with large profiles and files including .PST and OST files.

Advanced Policy Management – ProfileUnity can be leveraged to go beyond the limits
of Microsoft Group Policies. ProfileUnity is much faster than similar Microsoft Group
Policy actions mainly because the solution’s Active Directory (AD) lookups are far more
efficient. ProfileUnity policies are also well documented which is useful when there is a
change of desktop administrators or audit. Any profile or policy attribute can be assigned on a “Context-Aware” basis, including Microsoft AD attributes or on virtually
any type of criteria including virtual client name/client address, or location. It is very
important to note that ProfileUnity runs “as Admin” privileges and can therefore be
used to secure (or lockdown) desktops or change machine level policy settings. Some
6 juni 2016
Page 53
UEM solutions do not “run as Admin” and so, are very limited in their policy management.

Application Rights Management – While some UEM vendors charge separately for Application Rights Management, ProfileUnity includes these features as standard. Application Rights Management features enable administrators to manage application privileges or restrict applications (whitelist or blacklist) from running by using one or more
context-aware settings. These features enable you to keep your desktops and network
secure by limiting and elevating user rights per application and process. This allows
you to keep your users as Standard Users and only elevate them to local Administrator
when needed to perform a specific task/application.

Advanced User Data Management – ProfileUnity includes robust folder redirection
options that will not only redirect key folders for best practices, like My Document and
the Desktop, but can also migrate user authored data in the background. This feature
is particularly helpful when on-boarding users from legacy physical desktops to new
physical or virtual desktops.
Architecture
Straight-forward, yet Highly Scalable Architecture
ProfileUnity was designed by Desktop Administrators for Desktop Administrators. Since the beginning, the Liquidware Labs development team has always made it a priority to keep the
product architecture straight-forward, easy to scale to tens of thousands, and highly available.
There are no SQL clusters or other servers needed in the architecture therefore there are no
hidden costs and no challenges when you scale to hundreds or thousands of users. For this
reason, ProfileUnity is also very easy and quick to install and configure. A proof of concept is
possible in under one hour.
ProfileUnity’s architecture leverages existing network and Windows® infrastructure. The main
agent is very lightweight (apx. 6mb) it can be cached down at logon to users’ desktops through
an included Microsoft® Group Policy template. It can also be easily included in the base image
of your desktops. Regardless, the agent files, configuration and related services are hosted on
a network file share that is already highly available, scaled, and features read-only access for
users. Because of these requirements, the best location for this file share is the Netlogon share
on your domain controllers. The Netlogon location is not a hard requirement, an alternative
file share path can be used.
Version 16.03
6 juni 2016
Page 54
User Profiles are stored in the user’s standard replicated network file share location such as
their “home drive.” Even if FlexApp application layering features are leveraged, virtual disks
are also hosted on replicated storage paths. With this straightforward architecture, even if the
ProfileUnity Management Console goes offline, ProfileUnity will continue to run on users’
desktops. If VMDK layers are chosen the architecture remains straightforward but the ProfileUnity Management console will be replicated to standard Windows Servers to ensure high-availability.
Application Layering
Liquidware Labs FlexApp Application Layering is an advanced technology, tightly integrated
within the ProfileUnity User Environment Management platform. It is a fully integrated solution that leverages profile settings and policies but can also be implemented as a stand-alone
solution. FlexApp enables Administrators to assign department-level applications to groups of
users, and to, optionally, empower selected users to install their own applications. FlexApp
complements application virtualization solutions that use isolation, such as Microsoft App-V
and VMware ThinApp. FlexApp application layering is also compatible with many desktop virtualization platforms, including Citrix XenApp/XenDesktop and VMware Horizon View. These
environments can be kept ultra-secure, by leveraging ProfileUnity's Application Rights Management features, which eliminates the need to make users full "Local Admins" in order to run
or install applications. FlexApp technology supports Application Strategy design, Application
Delivery approaches and Application Lifecycle Management.
Delivering applications as layers requires a robust management and often times User Environment Management is very closely related. Because Liquidware Labs has integrating Application
Layering with User Environment Management, the two solutions solves many needs in the
area of Application Delivery including:
Version 16.03
6 juni 2016
Page 55





Robust User Profile Availability – ProfileUnity makes a complete user profile available
including the persona settings of virtualized and layered applications.
Delivery of layered applications by user environment settings, including assignment
per Active Directory Group, user, or one of over 300 combinations of context aware
settings included with ProfileUnity.
Application Restrictions – often applications may need to be layered to a shared environment such as an RDSH server. Application Rights Management in ProfileUnity allows for applications to be restricted by a context-aware setting and/or Active Directory criteria.
Privilege Elevation – often applications may require local Administrator rights. ProfileUnity includes secure privilege elevation of select applications per user, group, or
other context-aware setting.
Registry modifications – often applications may need registry settings to be changed
to function as desired. For example, run once dialog boxes may need to be repressed.
ProfileUnity can merge, exclude, or replace registry keys to enhance the seamlessness
of application delivery.
Exclusive Features and Benefits of ProfileUnity Compared to other UEM solutions
There are many reasons to choose ProfileUnity for your User Environment Management
needs. Many Fortune 500 as well as industry-leading organizations have chosen the solution
for one or more of the following compelling reasons:









Fast user logins
Robust and complete User Environment Management
Straight-forward and highly –scalable architecture with no hidden costs
Ease-of-use – short learning curve with no need to hire dedicated staff
Proof-of-concept can be completed in under an hour
INCLUDED Application Rights Management features
License cost that is often half the price of competitors
FlexApp Application Layering that leads the industry (optional licensing)
Highly-available and highly resilient design
Liquidware Labs Essentials Suite
Liquidware Labs provides comprehensive User Environment Management, Application Layering and User Experience Monitoring in one convenient and extremely affordable suite known
as Essentials, which includes ProfileUnity with FlexApp, Stratusphere UX, and Flex-IO.
Thousands of customers have discovered that the following solutions are necessary to launch,
scale and optimize next-generation desktops:
User Environment Management with ProfileUnity
 One user profile across VDI, RDSH, DAAS & physical devices
 Up to 10X faster logons vs. roaming profiles or basic profile tools
Version 16.03
6 juni 2016
Page 56



Application and User Right Management features
Location/context-aware policy and profile capabilities
Automated migration to Windows 7/8.x and Server 2008/2012r2
Application Layering with FlexApp
 Reduce the number of master desktop images to manage
 Deliver applications on demand
 Gain persistent user experience with non-persistent infrastructure
 Provision application volumes as VHD or VMDK
 Gain full compatibility with Citrix Provisioning Services and Machine Creation Services
Visibility with Stratusphere UX - User-Experience Monitoring
 Diagnose true root cause and identify resource constraints
 Optimize resource utilization and performance
 Grow and scale virtual desktop environments with confidence
IOPS Acceleration – Flex-IO
 Boost resources for an apx. 25,000 additional IOPS per virtual host
 Reduce latency by as much as 75%
 Compatible with persistent and non-persistent VDI environments
 A Flex-IO server license is provided upon request per Liquidware Labs customer
Licensing and Contact Information
ProfileUnity with FlexApp is available for $59 per named user. The Liquidware Labs Essentials
Suite is available for $79 per named user. Concurrent licensing is available for Education and
Healthcare customers. Other pricing configurations are available. Pricing subject to change at
any time and may be regional.
Liquidware Labs products are Citrix Ready, VMware-certified, and are available through a
global network of partners. Visit www.LiquidwareLabs.com to learn more or download trial
software. Contact [email protected] for more information.
Version 16.03
6 juni 2016
Page 57
7.8
NORSKALE
Introduction
Norskale believes that user experience, simplicity, and cost savings are the most important factors when choosing a workspace management platform. Norskale is an easy-to-use, 100% software solution that cuts the cost of desktops and applications, and delivers the best possible
workspace performance—best application response times, accelerated logons, and a truly dynamic desktop—for any IT environment.
The Norskale solution and its benefits have been proven in large and small environments alike,
including in an 80K seat environment that reached peak performance and simplicity of management after less than a week in production. 56% of users say that application reactivity and instant login are the main benefit of a new desktop. Norskale ensure a constant high level of performance on any Windows device throughout the life of the device.
Norskale delivers the functionality users need in only a few days, and offers a variety of licensing
options for optimal flexibility and value. Norskale provides the best and most consistent user
and end-user experience, while ensuring the lowest installation and management costs for all
physical and virtual desktops and applications.
Benefits











Version 16.03
10-second logon and response times for all physical and virtual desktops and applications.
Consistently fast application reactivity through constant CPU and RAM optimization.
Optimized CPU and RAM utilization reduces each end-user’s footprint, and on the
whole, a minimum of 20-25% more users can be accommodated per server.
Intuitive central console for all user environment management. Because management
is simple, administrators are fully trained in a single day, no matter their level of technical expertise.
Scripts/GPO/GPPrefs can be eliminated in a few clicks.
Brings full context awareness to all elements of the workspace, and provides all endusers with the custom resources and access they need.
Optimizes and simplifies management of Citrix User Profile Management (UPM) and Microsoft Roaming Profiles (USV).
Proprietary self-services and self-healing for end-user workspaces reduce support calls
by up to $200 per user annually.
Fully installed and configured in just a few days, even in the most complex environments.
Granular and completely delegated admin console.
Fast, easy, and complete reversibility; no uninstall impact or vendor lock-in.
6 juni 2016
Page 58
Functionality
User Profile Management By replacing logon scripts and desktop lockdown Group Policy
Objects (GPO), Norskale simplifies the job of the IT team by removing complexity from any
new or existing implementation. The settings are intuitively designed for easy learning and
are accessible through the central console.
Norskale optimizes and centrally manages both Microsoft Roaming Profiles and Citrix User Profile Management (UPM) profiles. Both technologies are the de facto standard on SBC and “fat”
environments. Norskale ensures profile integrity, while making sure that sizes and speed are
always best in class, and in the process, greatly reduces the cost of high-end storage typically
associated with profiles.
User Personalization Scripts, GPO, and GPPrefs are messy and often result in slow desktop logon times. Norskale quickly eliminates these factors that cause complexity, and automates
workspace management through a simple, intuitive console. Because Norskale is easy to manage and maintain with limited training required, there is no need to rely on a limited number
of experts. The flexible Actions engine allows users to easily define every action needed to replace even the most complex login script, while ensuring top-notch performance.
Application Access Control Norskale keeps the IT environment agile, and quickly identifies
each end-user device type, and dynamically adjusts the workspace for optimal efficiency and
security. In addition, by using dynamically configured software restriction policies through
Whitelist and blacklist, Norskale protects the system as a whole.
Norskale Transformer (patent-pending) further reduces project rollout times and deployment
costs, by instantly converting a connected Windows terminal into virtual machine clients. This
add-on module transforms the PC into a customizable and user-friendly kiosk interface, where
end-users launch their virtual or hosted desktops and applications, and locally installed applications seamlessly, while the underlying Windows operating system remains fully locked down
and secure.
Resource Management By using innovative algorithms that change the way applications
consume system resources, patent-pending Norskale technology extends the life of hardware, and delivers desktops and applications that are significantly faster and more costeffective.
Norskale optimizes the way applications consume RAM, CPU, and Input/Output (I/O), reducing hardware requirements—including during application migration—by up to 70%.
Virtual server sizing is based on average usage—not peak usage, delivering a better ROI
and extending hardware life for a lower TCO. The non-intrusive Norskale technology monitors and analyzes user behavior in real time, optimizing the resource allocation process
and the way applications run, to ensure that all users have the required amount of resources. In addition, Memory Management functionality analyzes and optimizes idle applications and processes, dynamically forcing them to release any extra memory they are
not using.
Version 16.03
6 juni 2016
Page 59
Norskale optimizes RAM, CPU, and Input/Output (I/O) in any pure or hybrid desktop environment, including physical and virtual desktops, and published desktops and applications. The
results are fast application response times, and up to 70% more users per server.
Application Delivery Norskale supports local and virtual applications, including Citrix XenApp,
and Microsoft RDS and App-V. All application and resource types are delivered and controlled
according to end-user context. Further, the Manage Applications feature allows end-users to
access their context-available resources and self-create shortcuts in desired locations.
Monitor, Audit and Report Through the Modeling Wizard and the Resultant Actions Viewer,
administrators are able to view assigned actions applied to specific users, and data is provided
to understand them; for example, the reason certain actions were discarded during an assignment process.
Norskale also includes useful issue-tracking functionality with helpdesk features that save time
and reduce support calls. For example, if an administrator needs to report an issue, he can instantly send screenshots and a detailed automated email report that includes data about the
current environment to his Support Team.
Architecture
The Norskale architecture is highly scalable and resilient, allowing administrators to centrally manage large environments (80K+ users) without added complexity or high infrastructure costs. This non-intrusive and compatible technology ensures a smooth deployment in new and existing IT environments. It can be deployed within a few hours and managed on a daily basis, without the need for extensive training.
Norskale is committed to streamlining product development on an ongoing basis to maintain
minimum infrastructure requirements. All major client and server operating systems are supported, including native 64-bit support on all platforms (no emulation).
A Low Footprint Agent is deployed in each user workspace to minimize network usage without
impacting performance. The server itself is extremely compact and can withstand a very large
user base within a single VM. Norskale natively supports mirroring and clustering on the SQL
Server side, and the Broker and Workspace Agents are equipped with full offline capabilities.
Licensing
Norskale is licensed on a per-named-user basis. This license is perpetual. The maintenance
contract includes support, and major and minor release access. Site licenses, rentals, and other
licensing options are also available, so that each customer can benefit from a licensing model
that meets their workspace and budget requirements.
Version 16.03
6 juni 2016
Page 60
7.9
POLICYPAK SOFTWARE
Introduction
PolicyPak delivers, enforces, locks down and remediates application, browser and operating
system settings. For brevity, we will describe only the following three components:
 PolicyPak Application Settings Manager
 PolicyPak Browser Router and
 PolicyPak Admin Templates Manager
There are two editions of PolicyPak:

PolicyPak On-Premise Edition: for domain joined machines which are managed by
Group Policy, SCCM or any on-premise management system.
 PolicyPak Cloud Edition: for domain joined or non-domain joined machines.
PolicyPak Cloud edition has the special ability to deliver all real Microsoft Group Policy settings
using the Internet (Video demo.) You can see where PolicyPak On-Premise and/or PolicyPak
Cloud might be used in your company in the Figure below.
Figure 9: PolicyPak has two suites which can be used separately or together
All directives are created and edited in the familiar Group Policy environment. Computers
and/or Users can be managed.
Version 16.03
6 juni 2016
Page 61
Figure 2: PolicyPak directives are created, edited and (optionally) exported using the Group Policy editor
interface
All items can then be delivered using Group Policy, or optionally exported and delivered using
SCCM (or any other on-premise delivery tool), or uploaded and delivered to PolicyPak Cloud.
Quite simply: IT administrators don’t need to add any additional infrastructure or learn anything new. If they use Group Policy, SCCM or another on-premise delivery tool, then IT admins
already know how to use PolicyPak and have everything they need in order to implement immediately.
PolicyPak’s settings are simply delivered and enforced when a user roams to a new machine,
uses a Terminal Server or Citrix machine or starts up a VDI machine. PolicyPak also works with
virtualized applications (Microsoft App-V 4.6 or 5.0, VMware ThinApp 4 or 5, Symantec Workspace Virtualization, and others).
All PolicyPak components and settings are “Context Aware” with the same “Item Level Targeting” editor that the Group Policy Preferences uses. This enables administrators to specify conditions as to when PolicyPak directives should apply to users or computers. The UI is exactly
like Group Policy Preferences and requires no training for existing Group Policy administrators.
(Video link to PolicyPak and Item Level Targeting).
Note additionally that these Item-Level Targeting filters are active and available when PolicyPak directives are deployed via Group Policy, or when using your own systems management
utility like SCCM, or when using PolicyPak cloud.
For details on the other components in the suite, check out the PolicyPak Website, PolicyPak.com.
PolicyPak Application Settings Manager
PolicyPak can deliver and enforce settings for just about any application that stores their settings in the Registry, INI files, XML files, JS files, or any other formats (that Microsoft’s built-in
Group Policy, Group Policy Preferences and ADM/ADMX templates simply cannot manage.)
Version 16.03
6 juni 2016
Page 62
PolicyPak has pre-configured Paks to configure common applications like Firefox, Flash Player,
Java JRE, Internet Explorer, Google Chrome, Acrobat Reader, Acrobat Pro, Skype for Business
Client, AutoCad, Shockwave and over four hundred more.
PolicyPak has special enhanced coverage for Firefox, Java, and Internet Explorer to manage
nearly all aspects of these applications including deploying certificates, managing bookmarks,
and preventing add-ons.
Figure 3: PolicyPak Application Manager, some pre-defined Paks, and user interface
PolicyPak Application Settings Manager also comes with the PolicyPak Design Studio which enables admins to quickly create their own Paks and manage their own in-house applications.
(Video demo.)
PolicyPak’s AppLock™ feature can gray out or hide many applications’ user interface settings as
well as perform lockout on applications’ entire tabs. This prevents users from working around
its recommended application settings within the UI.
PolicyPak’s ACL Lockdown™ feature takes ownership of the Registry and/or file-system pieces
from the user and application. In this way, settings are strictly guaranteed and cannot be
worked around.
PolicyPak keeps IT settings enforced even when the user is completely offline and disconnected from the network. See how PolicyPak Application Settings Manager can manage Internet Explorer, Firefox, Chrome, Java, and 400+ more applications (website with video demos.)
PolicyPak Browser Router
PolicyPak Browser Router manages your modern multiple-browser environment.
Version 16.03
6 juni 2016
Page 63
Now you can automatically ensure that users launch the right browser for the right website.
The result is that websites load in for the most compatible and secure browser as dictated by
the IT team.
Guide specific websites or website patterns to open in Internet Explorer, Firefox, Google
Chrome or Edge (forthcoming) as well as Custom browsers for use with App-V or ThinApp for
specific websites or patterns. Users never have to think; you’ve done all the thinking for them.
Figure 4: PolicyPak Browser Router will open the right browser for the right website
Creating a rule is point-and-click easy within the Group Policy editor to make a “route” between a website (or pattern) and the browser you want to open. Your rules are created and
contained within the GPO. Additionally for Internet Explorer, you can dynamically set Compatibility and Enterprise modes like what is seen here.
Version 16.03
6 juni 2016
Page 64
Figure 5: PolicyPak Browser Router User Interface within Group Policy
PolicyPak Admin Templates Manager
PolicyPak Admin Templates Manager enables you to consolidate Group Policy settings from
many GPOs into only a few GPOs.
So instead of having many, many GPOs, you can consolidate your GPOs and target which policy
settings will occur under what specific conditions (Video Demo).
Version 16.03
6 juni 2016
Page 65
Figure 6: PolicyPak Admin Templates Manager enables Collections of real ADMX and ADM Group Policy settings
As a bonus, once policies are in a collection, Group Policy settings can be exported as XML files
and be optionally:


delivered using SCCM or other on-premise management tool (Video Demo) or
delivered using PolicyPak Cloud (Video Demo).
Licensing
There are multiple components in the PolicyPak suites, and all components are included to
customers in good standing.
PolicyPak On-Premise is licensed per active (non-disabled) computer account in Active Directory plus any concurrent connections to Terminal Services or XenApp. PolicyPak on-premise
can be licensed per OU, multiple OUs (parent-child, or unrelated OUs), or for an entire domain.
PolicyPak Cloud is licensed in 100-license blocks. Licenses are consumed from a “pool” of licensed. Any desktop or laptop can consume a license.
More about licensing PolicyPak can be found here.
Version 16.03
6 juni 2016
Page 66
7.10
RES
Introduction
RES was founded in 1999 by Bob Janssen while he was looking for a way to
simplify the management of several users on a Microsoft Terminal Server.
Today, RES is a leader in digital workspace technology, empowering IT to
make digital workspaces secure, automated and people-centric for easy
adoption and use.
RES ONE Workspace allows IT to centrally manage and secure apps and services for the workforce across the most complex environments, including physical, virtual and cloud based solutions. RES ONE Workspace offers today’s digital workforce a better, more personal technology
experience, while giving IT the control to increase security and reduce costs. Configuration and
management are centralized, so IT can build workspaces that roam across devices, operating
systems, delivery platforms and more. RES ONE Workspace can be combined with RES ONE
Automation and RES ONE Service Store in the RES ONE Suite to fully empower the workforce
through self-service and automated delivery and return of the right apps and services to each
person’s secure digital workspace.
Architecture
Figure 10: RES ONE Workspace Architecture
The RES ONE Workspace architecture is simple and capable of managing many network topologies, scalable and easy to install and maintain. None of the components require dedicated
hardware.
Version 16.03
6 juni 2016
Page 67
RES ONE Workspace Console:
The RES ONE Workspace Console is the administration center of your workspace environment(s) and installed on a Windows-based platform. The management console is used to create the list of all possible desktop items that need to be composed and secured in a user workspace. The management console is intuitive by offering a workspace designer which helps you
setup the environment. Workspace simulation lets you find out which configuration items are
used to build a specific user workspace and offers a way to simulate the behavior of changes.
In the management console, you can create role-based access to the console, and itis the main
interface for the IT professional.
RES ONE Workspace Datastore:
The Datastore is the central database for your RES ONE Workspace environment. All computers in a RES ONE Workspace environment connect to this database. It runs on a central database server that you have installed prior to installing the RES ONE Workspace Console. The
datastore can exist on any of the following database types: MS SQL (including Express and Azure), Oracle, DB2 and MySQL.
RES ONE Workspace Relay Server (optional):
The Relay Server component makes it possible to create a flexible architecture that consolidates and centralizes all RES ONE Workspace configuration data into one central database,
while ensuring that dispersed Agents across multiple sites obtain configuration data efficiently
and in a timely manner. Relay Servers are an optional infrastructure component and are used
by many organizations in order to improve scalability, reduce network traffic and reduce the
overall Datastore load. Relay Servers Cache information from the Datastore and pass it on to
Agents or to other Relay Servers. Agents can be configured to contact the Datastore directly,
or to use Relay Servers. The relay server can be installed on Windows, but RES also have a
Linux version available on request.
RES ONE Workspace Agent:
An agent can be installed on Windows, Mac (OS X) or Linux. This can be a terminal Server, a
workstation, laptop or a VDI desktop. Each Agent is available in the Management Console. All
data is available in the local data cache, regardless of the availability of the Datastore. Each
Agent presents the end user with a uniform workspace managed by the Workspace Composer.
The RES ONE Workspace Composer builds the users workspace, regardless of the technology
stack used. This includes all applications, registry, menu items, files, and settings to which the
user is granted access.
Linux and Mac OS X agents support the managed applications Security feature, providing the
capability to allow or block executables in user sessions based on Authorized Files with MD5,
SHA-1 and SHA-256 file hashes and must be connected to a RES ONE Workspace Relay Server.
Version 16.03
6 juni 2016
Page 68
Functionality
User Profile Management: Save and apply profile data per application (instead of loading the
whole Windows profile during logon). Setup can be done by using built-in templates or can be
discovered by running an application in learning mode. You can offer users to restore their
own profile settings (per application) via self-service.
Context Awareness: RES builds a workspace based on the current and actual user state such
as location, time, device and identity of the user. Context can be based on AD group membership, location awareness by determining the strongest wireless access point and device type.
Context awareness can be used to deliver the right services to the right user at the right time
and location.
Security: Restricting access to applications, data, network, websites and removable storage
based on context. Enabling user rights management by elevating privileges on applications instead of elevating the user to local administrator. Rendering all local drives read-only by a
simple check-box instead of cumbersome policies and NTFS configurations. File access based
on hash (MD5, SHA-1 and SHA-256) is a recent addition to RES ONE Workspace. For organizations that have strict security and compliance initiatives, a RES ONE Workspace installation can
be configured for FIPS compliance for superior security and encryption across components and
the way they communicate with each other.
Desktop and Application Management: Enables object oriented management of what IT offers the end user. This includes items such as printers, applications, data sources, e-mail templates, folder redirection and synchronization. Giving the user access only to the items he/she
needs to be productive from a standard desktop.
Integration: Simplifies management, access and configuration of application virtualization
technologies, publishing technologies and application deployment technologies from a single
console.
Compliance: Supporting software license and asset management by enabling application license metering and enforcement in hybrid desktop environments. Providing detailed audit information and insight on configuration changes and enforcing change management through
granular role based access control.
Reporting & Analysis: Providing first line support with analysis that helps them perform advanced real-time troubleshooting to resolve issues quicker as well as providing detailed insight
in workspace usage including applications, sessions and websites. RES Viewpoint is used as a
companion to RES ONE Workspace, and provides customers a wealth of information about the
as-is environment prior to deployment of RES ONE Workspace or any other change to the
desktop. Because it is based on Microsoft Azure, there are no infrastructure requirements at
all.
Session Performance: Ensure a stable and resource efficient end user experience by enabling
performance optimization mechanisms.
Version 16.03
6 juni 2016
Page 69
Desktop Transformation: Transform any existing desktop infrastructure into managed user
workspaces with an intuitive wizard. Desktop transformation allows IT professionals to use current user state data to design the user workspace and implement step-by-step only applying
the necessary configuration.
Simple and Efficient Management: Simplify management of the desired user state by providing video tutorials, setup wizards and instant reporting of configuration. Building-blocks enable
easy and quick move of any configuration between environments such as development, test &
verification and production. Workspace Simulation allow the IT administrator to test impact of
infrastructure changes before actual implementation.
Delegation of Control: Role-based access to specific configuration parts in the console.
Reverse Seamless Technology: Deliver local application and data experiences to remote,
hosted virtual desktops.
Benefits
RES ONE Workspace offers enterprises a variety of benefits around increased productivity, reduced costs and improved security and compliance.
Increased Productivity: The ability to mask routine technology changes and upgrades and limit
workforce disruption is a major advantage of RES ONE Workspace. Migrations become zero
impact, and day-in and day-out, users have an optimized workspace that dynamically adapts
based on context. RES enables a mobile workforce.
Lower Cost of IT Operations: By centralizing management of users across all virtual and physical delivery platforms, IT no only saves time, but also maximizes the investment made in virtual desktop technology. RES has also been proven to reduce service desk tickets related the
user experience by delivering an optimal workspace. Additionally, enterprises are able to better control license use by having full visibility into the usage of apps and services in the workspace, eliminating costly finds for over-usage.
Greater Security and Compliance: The need to protect and organization and mitigate risks has
never been higher. RES allows IT teams to define and enforce granular context aware access
policies to ensure that access is safe and compliant. Application and web security features protect the organization from cybersecurity threats and other risks at the user level, giving enterprises an added layer of security.
In addition to these benefits, RES ONE Workspace provides the foundation
that organizations need to provide the most comprehensive digital workspace experience to employees. RES customers can leverage other solutions in the RES ONE Suite to power their workspace with automation,
predictable service delivery and return and self-service capabilities. Combined, IT has the tools needed to design, build, deliver and control every
Version 16.03
6 juni 2016
Page 70
aspect of the worker’s business journey with intuitive self-service and security that adapt at
each step along the way.
Licensing
RES ONE Workspace can be purchased using either the concurrent or named user licensing
model.
RES ONE Workspace consists of three modules and customers can purchase any combination
of the modules to match their needs:
•
•
•
Dynamic Configuration - delivers a context aware user workspace independent from
the infrastructure;
Delegation and Compliance – Diagnostic, troubleshooting and the integration with
other technologies;
Adaptive Security – delivers a context aware security layer that is created around the
workspace.
References
Website:
Youtube channel:
Admin guide:
Version 16.03
http://www.res.com
https://www.youtube.com/user/RESSoftware/videos
https://support.ressoftware.com/WorkspaceAdminGuide2015/
6 juni 2016
Page 71
7.11
TRICERAT
Introduction
TriCerat has been helping organizations ranging from 20 users to multi-national corporations
address the complexities of virtual environments since 1997. Although the company started
with ScrewDrivers, a product for solving the printing headache in server based computing environments; the portfolio has grown to address all of the most common challenges in managing
physical and virtual desktop estates.
The Simplify Suite consists of a set of solutions that enable an administrator to easily manage
all main aspects of the user desktop environment from one pane of glass, while overcoming
the typical complexities found in IT environments today. These solutions include enterprise
profile management, application access restriction, desktop customisation, server stability and
a true print management solution.
The triCerat approach remains true to its ScrewDrivers beginnings, namely to create a fully
scalable solution that gives the right level of functionality to solve the fundamental issues without adding to the management complexity elsewhere. The result is that not only do common
problem areas get addressed, but triCerat's approach promises that even the most junior of
administrators can quickly get to grips with the console, ensuring customers can quickly adapt
their IT environment to meet the changing needs of their users.
As well as the enterprise tools that form the Simplify Suite, triCerat offers a set of point solutions that offer a quick-fix to issues like slow logons from roaming profiles and the challenge of
scanning in a server based computing environment.
Functionality
TriCerat’s Simplify Suite includes the following solutions:
PROFILE MANAGEMENT
TriCerat’s hybrid profile solution solves all common profile issues like slow logon times, profile
corruption and bloat, while overcoming v1/v2 and 32-/64-bit profile issues encountered when
migrating to a new OS or server platform. Registry keys are migrated into the Simplify database and can be assigned rules (Save/Restore, Set, and Delete) in order to restrict profile bloat
and ensure a fully personalized user profile. A corrupted registry setting can be replaced with
the last known good version that was saved on the database. Folder redirection, drive mapping, drive restrictions, and Windows Explorer restrictions can be quickly and easily configured
in the console.
PRINT MANAGEMENT
TriCerat’s driverless printing solutions addresses slow printing, network bandwidth spikes, and
spooler crashes. The proprietary TMF print format achieves an average of 90% compression
rates and the print job streaming minimizes stress on the network. This solution is superior to
Version 16.03
6 juni 2016
Page 72
universal print drivers because it is compatible with 100% of printers, recognizes advanced
printer functionality, and eliminates the need to install printer drivers on the server. The Active
Directory integration enables proximity printing and through a print server fully supports printing to any device (including thin clients, PDAs etc.).
DESKTOP SECURITY & CUSTOMIZATION
The administrator is given the tools to quickly and easily create a lock down on all aspects of
the user environment including the desktop, start menu, and taskbar functionality. This includes the triShell OS shell replacement that offers a similar experience across access devices
and is more secure and less memory intensive than the explorer.exe shell.
APPLICATION CONTROL
TriCerat uses trusted and banned lists to together with secure application signatures to control
what applications can be accessed by the user and ensure licensing compliance. Application
access is also location aware, allowing an application to launch depending on whether the user
is in the office or not.
SYSTEM PERFORMANCE
TriCerat’s system performance component ensures system stability and maximizes the number
of quality user sessions on the server by controlling CPU and memory resources. This is particularly suited for controlling legacy and rogue applications that hoard CPU and affect all users
on the server. Rules are set to first lower the priority and then clamp down CPU on the application and user level until normal levels return.
Benefits
TriCerat’s approach to user environment management is not only to cut the costs of managing
an enterprise IT environment, but to do so at a level of complexity that even a junior administrator on the helpdesk could manage. TriCerat will allow all aspects of the user environment to
be controlled and altered based on the changing needs of users from the straightforward,
powerful Simplify Console. TriCerat offers a superior method to environment management in
the following ways:
•
•
Version 16.03
Centralized management for controlling whole user environments. One Active Directory querying management console is shared between all solutions that comprise the
Simplify Suite. This works with any combination of virtual or physical desktop environments, giving administrators an accurate picture of what the user sees on their desktop.
Group Policy and script-free management. The Simplify Suite reduces the reliance on
policies and scripts for both setting up and managing the user environment. This reduces the time needed for new environment configurations and allows administrators
to quickly apply changes required by the user without the risk of undermining baseline
policy.
6 juni 2016
Page 73
•
•
•
•
Full personalization for the user and full control for the administrator. User acceptance
of a new environment is ensured by allowing users to personalize their work environment while administers retain full control. This includes assigning rules to what parts
of the registry are to be save/restored, set, or deleted.
Solves main migration headaches when changing OS, server bit platform, access devices, and virtualization technology. Migrations throw up unexpected hurdles that affect profiles, printing and the user desktop experience. TriCerat addresses all of these
issues in advance and includes migration tools for bringing existing user settings into a
new environment.
Reduces helpdesk costs by speeding resolution times. TriCerat overcomes most of the
common problems associated with managing the user environment in real-time, reflecting changes immediately on the desktop without requiring the user to restart their
machine. Doing so allows administrators to assist employees in getting back to work
quickly.
Increased security of the user desktop minimizes threats. Full control of the user desktop allows administrators to close all potential security holes that could cause problems for the user. Should users need further flexibility, changes are simply made in the
console.
Architecture
Simplify Suite modules need to be installed on every machine (workstation, Terminal Server,
virtual desktop) that requires Simplify Suite functionality. The installation of all Simplify Suite
modules comes under 100MB and can be fully automated. The Simplify database is built on a
Microsoft SQL database, which is built on Microsoft standards and thus supports SQL clustering and maintenance plans for backup and replication.
Figure 11: TriCerat Simplify Suite architecture
Version 16.03
6 juni 2016
Page 74
Licensing & Pricing
TriCerat products are sold on a per user or per server basis. Product modules that make up the
Simplify Suite (including Simplify Profiles, Simplify Printing, Simplify Lockdown, and Simplify
Stability) can be sold alone or as part of the Simplify Suite. During the time this document was
going to press, triCerat was exploring a SPLA model for managed services partners
7.12
UNIDESK
Note from the author: Unidesk is an increasingly popular desktop provisioning, application delivery, and
management platform in the Server Hosted Desktop (VDI) space. Unidesk’s layering technology is often
used in place of VMware Linked Clones, View Composer, View Persona, and VMware ThinApp by
VMware View customers and in place of Citrix Provisioning Server, Citrix Machine Creation Services, Citrix XenApp, Microsoft App-V, Citrix Personal vDisk, and Citrix Profile Management by Citrix XenDesktop
customers. Unidesk isn’t a User Environment Management solution as such, we believe it is wise to add
Unidesk to this whitepaper and inform you about the functionality and potential.
Introduction
Unidesk is a provisioning and application delivery solution for virtual desktops hosted on
VMware vSphere. Customers use the Unidesk layering platform in combination with VMware
View, Citrix XenDesktop, and other brokers when:



They have a large number of applications that cannot be easily virtualized;
They want to keep the number of gold images to 1 to simplify Windows OS patching
and updates;
They have users who require persistent desktops to keep user-installed applications
and other customizations.
They want to reduce the amount of storage needed for VDI up to 85%.
Benefits
Cost Savings



Version 16.03
Reduce storage requirements: Unidesk shares single layers of the OS and applications
across many virtual desktops and thin provisions user space to reduce SAN and NAS
capacity requirements up to 85% for both persistent and non-persistent desktops.
Reduce OpEx: Customers report that with Unidesk, they can layer almost any
application in less than 30 minutes, compared to the days it may require to virtualize
the same applications. Also, most Unidesk customers have only 1 gold image for all
desktops, compared to the 1 gold image for every 50-100 desktops required by nonUnidesk VDI implementations. The savings in Windows patching and application
delivery time alone enables Unidesk to pay for itself in less then 6 months.
Reduce desktop support costs. Unidesk enables Level 1 service desk personnel to
repair damaged virtual desktops simply by rolling the desktop’s User layer back to a
previous snapshot. Bad registry keys and DLLs, malware, viruses, and other problems
6 juni 2016
Page 75
can be fixed with a simple reboot, without having to reimage the desktop or lose all
user customizations.
IT Benefits



Minimize complexity. Unidesk's interface, "layer cake" approach to creating desktops
and full feature set means fewer point tools to learn.
Simplify application packaging and delivery. Traditional application virtualization requires time and business knowledge to deal with the compatibility issues caused by
process isolation, and there are many applications that cannot be virtualized. Unidesk
can package any application in a fraction of the time. Just install the app the way you
would on a physical PC, and it can be immediately assigned to any number of desktops.
Reduce patching time and costs. With only 1 gold image layer as the basis for all desktops, Unidesk can deliver a virtually unlimited number of Windows hot fixes and updates to all desktops in 1 day, without the patch failure rates typical of agent-based PC
management approaches.
End User Benefits



Full, rich desktop. Unidesk provides a consistently personal desktop experience that
ensures virtual desktop acceptance and enhances job satisfaction by making sure user
data, profile settings, and user-installed applications survive logouts, reboots, patches,
and upgrades.
Quickly receive new applications, updates, and patches from IT. Unidesk accelerates
delivery of new revenue-generating applications and patches needed for security and
compliance without time-consuming install procedures, scripting, or risk of patch failure.
Repair "broken" desktops instantly. End users don’t have to deal with lengthy desktop
downtime, or worry that personal settings and data will survive an attempted repair.
Unidesk can roll back user-installed applications or surgically repair specific applications, leaving all user data intact.
Functionality
Simpler, More Powerful Application Delivery
Unidesk can package and deliver applications in a fraction of the time required to virtualize the
same applications. Unidesk can also deliver antivirus, printer/scanner drivers, Office plug-ins,
and the many other applications that traditional application virtualization cannot. With
Unidesk layers, IT administrators can package or patch apps once, then assign them to any or
Version 16.03
6 juni 2016
Page 76
all desktops. If a mistake is made, they can simply roll the layer back to a previous version to
undo the problem.
Single Image OS Management
With all applications layered separately, all desktops can be created from a single, pristine Microsoft Windows gold OS layer. Administrators can patch the gold once, and all desktops get
updated. End users won't lose user customizations like they will with cloning solutions. Also,
the patch failures common with agent-based PC configuration tools are no longer an issue because of how Unidesk composites the new OS layer into every desktop using file system and
Registry virtualization.
100% Persistent Personalization
Profile management only captures user customizations that can be stored in a profile.
Unidesk’s storage-efficient persistent desktops capture everything - including profile settings,
data, and user-installed applications – and eliminate the need for profile management in most
cases.
85% Less Storage
By sharing the same OS and application layers across many desktops and thin provisioning user
layers, Unidesk cuts the VDI storage footprint up to 85% for both persistent and non-persistent
desktops.
Broker Integration Unidesk brokering connectors for VMware View and Citrix XenDesktop enable Unidesk desktops to be provisioned directly into View and XenDesktop pools and catalogs.Web-Based Management Interface Unidesk’s elegant management interface makes it
easy for administrators to provision, update, manage, and report on their entire VDI estate.
The web-based management console enables administrators to dynamically assemble desktops from a pick list of independently packaged and versioned Microsoft Windows OS and application layers.
Version 16.03
6 juni 2016
Page 77
Figure 12: Unidesk web-based management
Architecture
Unidesk is implemented as a system of “scale-out” virtual appliances that run on existing
VMware infrastructure.
The Unidesk Management Appliance hosts the Web-based management application that is
used by administrators to provision, patch, assign and report on virtual desktops. Only one
Management Appliance is typically needed for a VDI environment. The Management Appliance also manages Unidesk policy and configuration, including information about Unidesk layers, desktops and users. The
Management Appliance can be
deployed on any host in the virtual infrastructure as long as it
can communicate over TCP/IP
with Unidesk CachePoint appliances and VMware vCenter
Server.
The first Unidesk CachePoint appliance deployed takes on the
special role of Master CachePoint,
storing all Operating System (OS)
and Application layers. In production VDI environments, a dediFigure 13: Unidesk architecture
cated Master CachePoint appliance should be deployed on a
Version 16.03
6 juni 2016
Page 78
separate host server to maximize virtual desktop performance. The Master CachePoint automatically replicates OS and Application layers to other secondary CachePoints, where the layers are cached as VMDKs. Layers are replicated only if they are needed by at least one of the
desktops associated with a CachePoint.
Each secondary CachePoint caches the OS, Application and Personalization layers for the desktops it hosts. The desktops are created with a small boot image in a VMDK file. At boot, this
disk supplies enough of the desktop operating system to load any drivers or early start services
required prior to the Unidesk filesystem drivers loading. Once the Unidesk drivers are loaded,
the desktop establishes connectivity to the correct OS, Application and Personalization layers,
stored as VMDKs in a directory structure under the CachePoint. All desktops assigned to a
CachePoint share the same OS and Application layers for dramatic storage savings. The Personalization layer for each desktop is then combined on top of the IT-controlled OS and App
layers. The virtual infrastructure and connection broker see Unidesk desktops as standard virtual machines.
Licensing
Unidesk is based on a perpetual licensing model, with annual Complete Care service (support
and maintenance) mandatory for all purchases. The licensing unit is a Managed Desktop, defined as the number of virtual desktops created, updated, and managed by Unidesk. This may
include persistent desktops (assigned to specific users, retain state, and used only by those users), non-persistent (don’t retain state, shared by many users e.g. labs), and non-concurrent
(may or may not retain state, shared by multiple users, but not at same time, e.g. shift workers). Customers may purchase 3 years of Complete Care Service upfront in return for a discounted price. Unidesk also plans to add term/subscription licensing options for service providers and site/enterprise licensing options for large opportunities.
Version 16.03
6 juni 2016
Page 79
7.13
VMWARE USER ENVIRONMENT MANAGER
Introduction
VMware User Environment Manager™ offers personalization and dynamic policy configuration
across any virtual, physical and cloud-based Windows desktop environment. User Environment
Manager simplifies end-user profile management by providing organizations with a single,
light-weight and scalable solution that leverages existing infrastructure. It accelerates time-todesktop and time-to-application by replacing bloated roaming profiles and unmaintainable,
complex logon scripts. It maps environmental settings (such as networks and printers), and dynamically applies end-user security policies and personalizations. Utilizing the Horizon Cloud
Manager, this focused, powerful and scalable solution is engineered to deliver workplace
productivity while driving down the cost of day-to-day desktop support and operations.
VMware User Environment Manager is the successor of Immidio Flex Profiles – the most successful Windows profile management solution, with more than 2 million users worldwide. Immidio developed VMware User Environment Manager in close collaboration with its large installed base.
VMware User Environment Manager offers a desktop that adjusts to the actual situation of the
end user, providing access to the IT resources that are required, based on a user’s role, device
and location.
VMware User Environment Manager consists of five functional areas: Application Configuration Management, User Environment settings, Personalization, Application Migration and Dynamic Configuration.
VMware differentiates its UEM solution from those from other vendors by focusing on the
core requirements needed to deliver a positive user experience, in a light-weight, simple to administer package. VMware User Environment Manager positively impacts end-user experience
and productivity, while leveraging existing IT infrastructure, resulting in a very attractive ROI.
Benefits
IT benefits: “Centralized and simplified user environment management”

Engineered to be simple yet powerful, scalable and fast; User Environment Manager
demonstrates value almost immediately
 Accelerates upgrades, migrations, and on-boarding with easy to maintain policies and
tools.
 Replaces unmaintainable, complex GPO and Logon Scripts with dynamic policy
 Reduces helpdesk incidents by replacing bloated, corruptible Roaming Profiles with a
more efficient and scalable solution
End-User benefits: “Consistent and personalized experience across devices and locations”

Version 16.03
Maintain personalized settings across multiple devices, even non-persistent VDI sessions
6 juni 2016
Page 80
 Experience auto-mapping printers and networks as you roam between locations
 Enjoy speedy logon times and faster time-to- application, with minimal downtime
Business benefits: “Enterprise-grade user management with low up-front investment”



Scale out services with a single solution that supports virtual, physical, and cloudhosted environments
Drive down user management costs without adding additional infrastructure
Respond to changing business dynamics with the ability to quickly add/remove profile
and personalization services
Architecture
In order to control costs, VMware User Environment Manager leverages a company’s existing
Windows infrastructure. Unlike other solutions, it does not require additional components,
such as a databases or web servers. VMware User Environment Manager also uses commonly
used mechanisms for deployment (MSI) and configuration (Active Directory Group Policy) of
the client agent. This strategy makes it possible to scale up alongside the scaling of the Windows infrastructure and also, to support off-line usage of managed Windows devices.
Figure 14: Architecture
Version 16.03
6 juni 2016
Page 81
If a customer has deployed the optional Horizon Cloud Manager, then daily maintenance tasks
can performed using this unified single console.
Functionality
Application Configuration Management
Application Configuration Management enables you to configure the initial settings of an application without having to rely on the defaults of the application. "Predefined Settings" can be
used as one-time defaults or can be set each time the application starts (guaranteeing that application settings are always in the exact same state). A hybrid approach is also possible: define
which application settings can be personalized and which should always remain at their initial
values, allowing partial personalization.
Using Application Profiler, you can capture predefined settings for an application by simple
running the application on a reference system (monitored by Application Profiler) and then
configuring as desired.
VMware User Environment Manager also provides the capability to manage certain User Environment settings when an application is launched, like mapping drives and printers, applying
custom files, folders and registry settings, and running custom tasks.
Additionally, central policy controlled black and whitelists govern which applications a user has
access to at any given time.
Application Configuration benefits:
•
•
•
•
•
•
Decouple user settings from native and virtual applications
Maintain a single application package while deploying it in multiple configurations
Ensure compliance with company standards
Prevent users from misconfiguring error-prone applications
Only consume network resources (e.g. printers or network drives) when necessary
Manage all application configuration elements on the application level
User Environment settings
VMware User Environment Manager enables you to centrally manage a variety of User Environment settings which users need to perform their daily tasks.
The following User Environment settings are supported:
•
•
•
•
•
•
•
Version 16.03
Drive and printer mappings
Environment variables
Application shortcuts and file type associations
Custom files, folders and registry settings
Logon and logoff tasks
Display language
Hide drives
6 juni 2016
Page 82
•
•
Triggered tasks
Policy settings
User Environment settings benefits:
•
•
•
•
Reduce complex scripting and prevent configuration errors
Reduce use of dispersed Group Policy preferences
Manage application shortcuts and file type associations for applications virtualized
with Microsoft App-V (MDOP), Novell ZAV and VMware ThinApp
Centrally managed from a single management console
Personalization
VMware User Environment Manager Personalization decouples and segments user-specific
desktop and application settings from the Windows operating system, making them available
across multiple devices, Windows versions and application instances. Decoupled personalization is independent from the traditional Windows user profiles and allows for easy introduction and management of virtualization technologies and application delivery mechanisms. Personalization integrates seamlessly with natively installed and virtualized applications, providing
users with a consistent user experience across any Windows platform – physical, virtual or remote. Additionally, it enables painless upgrades, like migrating from Windows XP to Windows
7 or Windows 10, or migrating from App-V 4 to App-V 5.
Additionally, VMware User Environment Manager makes it easier for admins to make a users’
personal data available on multiple devices.
Personalization benefits:





Much shorter logon and logoff times
Reset user settings per application rather than deleting the complete user profile
Unique cleanup mechanism for existing roaming and local user profiles
Manage personalization of applications virtualized with Microsoft App-V (MDOP)
A single "user profile" per user across multiple Windows platforms
Application Migration
VMware User Environment Manager can "roam" personal application settings of users from
one operating system to another (e.g. from Windows XP to Windows 7), as long as the application is storing its configuration in the same location of the user profile (i.e. uses the same registry and AppData locations).
In any application version upgrade (e.g. Office 2007 to Office 2016), either as part of an operating system migration or as part of the application’s lifecycle management, VMware personalization can manage the personal application settings.
Application Migration benefits:
•
•
Version 16.03
Migrate application settings to increase end-user productivity
Increase user acceptance for application or operating system upgrades
6 juni 2016
Page 83
•
Avoid helpdesk overload during migrations.
Smart Policy
Condition Sets allow you to combine conditions based on user, location and device characteristics, enabling dynamic adaptation of content and appearance of the end-user desktop. For example, you can provide access to a network printer based on the user’s current location or create an application shortcut on the desktop based on the user’s identity. Conditions can be
evaluated again when users unlock their workstation or reconnect to a remote session.
Smart Policy is deeply integrated in to Horizon 7 with conditional support for poolnames, tags,
endpoint location and View name and IP information. Using these conditions, you can dynamically control the system clipboard, client drive, USB access, printing capabilities and bandwidth
profile.
Condition sets are managed centrally from the Management Console and can be applied to all
configurable items within VMware User Environment Manager.
Dynamic Configuration benefits:
•
•
•
•
•
•
•
•
Reduce complex scripting and prevent configuration errors
Reduce use of dispersed Group Policy preferences
Centrally managed from a single management console
Manage globally instead of per configured item
Globally enforce compliance to company standards
Increase end-user productivity by providing the relevant desktop
Reduce helpdesk calls by anticipating on dynamic desktop usage scenarios
Run built-in or custom tasks at logon and logoff, application launch and exit, lock and
unlock workstation, and disconnect and reconnect to a remote session
Licensing and pricing
VMware User Environment Manager is available stand-alone or as part of Workspace ONE,
Horizon 7, Horizon Air, and VMware AppVolumes.
Version 16.03
6 juni 2016
Page 84
7.14
VMWARE VIEW PERSONA MANAGEMENT
Introduction
Early 2010 VMware acquired certain assets from RTO Software, a provider of user profile management for Windows desktops and application/performance monitoring tools for desktop virtualization, to enable effective persona management for VMware View.
With VMware View 5, VMware introduced View Persona Management. View Persona Management preserves user profiles and dynamically synchronizes them with a remote profile repository. View Persona Management does not require the configuration of Windows roaming profiles, and you can bypass Windows Active Directory in the management of View user profiles.
If you already use roaming profiles, Persona Management enhances their functionality.
Persona Management downloads only the files that Windows requires at login, such as user
registry files. When the user or application opens other files from the desktop profile folder,
these files are copied from the stored user persona to the View desktop. This algorithm provides performance beyond that achieved with Windows roaming profiles. In addition, View
copies recent user profile changes to the desktop profile up to the remote repository every
few minutes.
Benefits
View Persona Management minimizes the amount of time necessary for login and logout by:




Downloading at login time only the files that Windows requires for login, such as user
registry files.
Downloading other user profile data only as needed, when the user or application
opens a profile folder on the View desktop. The profile folders appear to contain upto-date files, but the data is not downloaded until it is accessed.
Periodically uploading to the remote repository any changes made to the user profile.
The default time between automatic periodic uploads is ten minutes, and this time can
be configured.
Uploading at logout only the user profile changes since the last periodic upload. Because of the frequent automatic upload of changed user data during the user session,
this final upload does not take a long time.
By minimizing the amount of data uploaded or downloaded at any one time, Persona Management provides a performance improvement over Windows roaming profiles. A roaming profile
system managed by Windows copies the entire user profile to the local desktop at login and
copies all user profile changes up to the remote repository at logout.
View Persona Management is an alternative to Windows roaming profiles and allows you to
manage user profiles without relying on Active Directory for configuration. Instead, you configure and manage user profiles entirely within the View environment. Any changes you make to
test View Persona Management have an effect only on View desktops and do not have a global
Version 16.03
6 juni 2016
Page 85
effect on other desktops, such as physical desktops. You can easily reconfigure View to refine
your implementation.
VMware View Persona Management is an integral part of the VMware View solution, which
also includes other features such as application provisioning. While other profile management
vendors rely on best practices and “good user behavior” to ensure that data and settings are
included in the Windows profile, the VMware approach is to manage a user’s “personality”.
The user personality encompasses the unique user experience including user data, user settings, and application access, which is more than a Windows profile covers. By integrating personality management with other components, such as View Manager and View Composer,
VMware View delivers a complete solution to solve our customer’s problems holistically.
Licensing;
Persona Management is free as part of VMware Horizon View 7.x
Version 16.03
6 juni 2016
Page 86
8.
UEM FEATURES COMPARISON
8.1
INTRODUCTION
It’s important to understand that comparing features is the last step in the decision tree. Vision, Strategy and Technology are the first steps to take. Each User Environment Management
product has its own functionality and feature-set.
It’s key to have an overview of the vendors, solutions and their functionality. Some vendors offer complete and comprehensive sets of functionality while others are focused to deliver a
smaller solution set with specific functionality. Both scenarios are valid, it all depends what
kind of functionality you’re looking for. Keep the strategic questions mentioned in chapter 3.8
in mind!
Below you will find an overview of the various vendors, their solutions and the functionality
they are offering on a very high level. As mentioned in chapter 5 it’s key to understand that different vendors have different focus, approach and solutions to fill in the UEM space. The different focus areas used in the diagram are:







Version 16.03
User Profile Management; Manage Windows User profiles; local, roaming, hybrid,
mandatory;
User Personalization, or Application and Desktop Management; Application icons, settings and configuration preferences;
Application Access Control, with User Rights Management or Security Management;
enforce access to applications, persona and context aware.
Resource Management; Application performance optimization and management;
License Management; insights, reporting and enforcing the use of licenses;
Application Delivery: User centric Application Installation with Dynamic Privileges,
User Installed Applications, Streamed and Virtualized applications;
Monitoring, Auditing and Reporting facilities on various levels with focus on the user
environment.
6 juni 2016
Page 87
Scense
AppSense
DesktopNow
Citrix
Liquidware Labs
ProfileUnity + suite
Microsoft
GPO, GPPrefs, USV, UE-v
Norskale
VUEM
PolicyPak
PolicyPak Suite
RES
ONE Workspace
Tricerat
Simplify Suite
VMware
Persona Management
VMware
User environment Management
Application Delivery
License Management
Resource Management
User Rights Management
In this version of the whitepaper I added more bullets to some of the vendors, I included bullets to vendors that offer functionality in a suite instead of the core product. All of these vendors offer the functionality that help you manage your UEM environment.
Version 16.03
6 juni 2016
Page 88
Monitor, Audit and Report
Product
Application Access Control
Vendor
Appixoft
User Personalisation
User Profile Mgmt
There are a lot of vendors in the User Environment Management space. The diagram below
gives an overview of the focus of the various User Environment Management (UEM) software
vendors. This diagram has nothing to do with the (possible) discussion which vendor provides
the most and the best functionality and features. A complete overview of the features and
functionality is available in this chapter.
Product Version
We did our best to be truthful and accurate in investigating and writing-down the different
features. When you see improvements please let us know. This detailed feature compare matrix is developed with the following products and versions:
Product
AppiXoft Scense
AppSense Environment Manager
AppSense Performance Manager
AppSense Application Manager
Citrix User Profile Manager
Citrix XenApp / XenDesktop
FSLogix
Liquidware Labs ProfileUnity
Liquidware Labs Flex-io
Liquidware Labs Stratusphere
Microsoft Windows Server and Client
Microsoft User Experience Virtualization
Norskale VUEM
PolicyPak Suite
RES ONE Workspace
RES ONE Automation
Tricerat Simplify Suite
Unidesk
VMware User Environment Management
VMware Persona Management
VMware vROps
VMware App volumes
8.2
Version
10
10.0
10.0
10.0
3.1
7.8
2.1
6.5
1.5
5.8.1
2012R2 and 10
2.0
4.0
Build 901
2015 SR2
2015
5.5
2.5
9.0
7
6.2
2.11
ROADMAP AND FUTURE ADDITIONS
This document is just the beginning and will be developed and developed in the near future.
We plan to add more feature details of the currently named vendor solutions and want to add
new solutions where applicable. If you have any comments, corrections, or suggestions for improvements of this document, we want to hear from you! Please send e-mail to Rob Beekmans
Version 16.03
6 juni 2016
Page 89
8.3
FEATURE COMPARE MATRIX
Goal:
Requirements:
Result:
Method of Execution:
UEM solutions and features
Detailed description of features
Hands-on-experience, vendor involvement
Whitepaper
Hands-on experience, read articles, communicate with vendors and discuss with colleagues
Legend:
√ = Applicable;
X = Not applicable;
--- Not needed
~= It depends;
# =under investigation by PQR
A green √ or red X has nothing to do with advantage or disadvantage of a solution. It just presents the availability of the functionality. Note: It’s out of scope for this whitepaper to explain
the ‘It depends’ remarks’.
# are under investigation and will be changed to other symbols as soon as we get confirmation
on the functionality or support. A next version of the whitepaper will reflect the changes.
Version 16.03
6 juni 2016
Page 90
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
GENERIC FEATURES AND FUNCTIONALITY
AppiXoft Scense
8.4
Management Server / UEM solution
Server instance officially supports 1K concurrent connections
√
√
---
√
√
---
√
√
---
---
Server instance officially supports 2.000 concurrent connections
√
√
---
√
√
---
√
√
---
---
√
√
---
√
√
---
√
√
---
---
√
√
---
#
√
---
√
√
---
---
√
√
---
#
√
---
√
√
---
---
Database instance officially support 20.000 concurrent connections
√
√
---
#
√
---
---
√
---
---
Total supported managed clients per ‘farm≤ 10.000 CCU
√
√
√
√
√
√
√
√
√
#
Total supported managed clients per ‘farm’ 10K – 25K CCU
√
√
√
√
√
#
√
√
√
#
Total supported managed clients per ‘farm’ ≥ 25.000 CCU
√
√
√
√
√
#
√
√
√
#
Integration with 3rd party systems management solutions
X
√
X
√
√
√
X
√
X
X
Version 16.03
may 2016
Page 91
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
Centralized management console
√
√
X
√
√
√
√
√
√
X
Web-based management interface
X
√
X
X
X
X
√
X
X
X
Single centralized management console for support and admin
√
X
X
√
√
√
√
√
~
X
Windows GUI for Management (includes MMC)
√
√
~
√
√
√
√
X
~
X
Delegation of control
√
√
X
X
√
√
√
√
X
X
Delegation of control, granular delegated administration roles
√
√
X
√
√
√
X
√
√
X
Console supports multiple concurrent administrators
√
√
~
√
√
√
√
√
√
---
Multi user operations - quick tasks
Admin access console with different credentials other than current account details
#
√
√
√
#
---
#
---
#
√
#
---
#
√
#
√
#
~
#
---
Console supports Single-Sign-On
√
√
---
---
√
---
√
√
√
---
Console supports SQL Authentication
√
√
---
---
#
---
---
√
---
---
Configuration check in/out process for multiple administrators
X
√
---
---
√
---
X
X
X
---
Version 16.03
may 2016
Page 92
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
Single management console supports 5000+ managed clients
√
√
√
√
√
√
√
√
√
√
client endpoint search capabilities across management console
√
√
---
---
#
X
√
√
X
---
Support for (wildcard) searching across management console
√
√
---
X
√
---
√
√
X
---
Client – Server traffic is secure by design
√
√
√
√
√
√
√
√
√
√
Management traffic is secure by design
√
√
√
√
√
√
√
√
√
√
Management traffic can be Network Load Balanced
√
√
---
---
√
#
---
√
~
---
Auditing and security logging of admin actions
√
√
X
√
√
√
√
√
X
√
Event and error reporting
√
√
√
√
√
√
√
√
√
√
Security hardening guidelines public available
X
X
X
X
X
X
X
X
X
X
Support low bandwidth/high latency WAN connections
√
√
√
√
√
√
√
√
√
PowerShell SDK
X
√
X
X
X
X
X
X
X
Scripting (not including PowerShell) support and command-line interface
√
√
X
√
X
X
√
√
√
Version 16.03
may 2016
X
Page 93
VMware
Persona Management
RES ONE Workspace
√
√
√
√
X
√
√
API Interface (public) and documented
X
√
X
~
X
X
√
X
X
X
Support for Branch/Relay-servers for scalability/minimizing site-2-site traffic
√
√
---
---
√
---
---
√
~
---
Client end point merging of multiple separate configurations
#
√
X
#
√
√
√
X
√
X
Configuration layering within the console
#
√
X
~
#
√
√
√
#
X
Configuration Change Tracking
√
√
X
X
√
X
X
√
X
X
Product Patching via MSPs
X
√
X
√
√
X
---
X
√
X
Microsoft System Center Integration
X
√
X
X
X
√
X
√
~
X
Schedule Agent Installation for immediate install
Schedule Agent Installation at next computer start up prior to logon
Schedule Agent Installation for any given time
Enable user to postpone agent installation (within predefined timeframe)
Agent Installation Notification available in multiple languages
Synchronized Agents & Configuration Deployment and Installation
Force Agent to Poll Now to pull latest Configuration
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
X
-------
------------√
X
X
X
X
X
√
√
--------X
--√
------------X
X
X
X
X
√
√
√
---------------
------------X
Version 16.03
may 2016
VMware UEM
√
PolicyPak Suire
√
Norskale VUEM
X
Microsoft
Microsoft Group Policy-based management for agent/client settings
Citix UPM
Functionality
AppiXoft Scense
AppSense DesktopNow
Page 94
Force agent to restart internal controller (not the service) – for e.g. debugging
Force agent to clear some cache to reinforce some settings
Force agent to do an administrative refresh
Variable Poll Periods
Failover support via multiple Management Servers
Workspace Model to enable/disable UEM features
Update of UEM Configuration: User Self-Initiated refresh
Update of UEM configuration (no need to logoff/logon)
Update of UEM configuration at User Logon
Update of UEM of configuration at computer Startup
Management Server / UEM solution: Built-in PowerShell Cmdlets for scripted configuration
Licenses
No external license server required
First year support and maintenance included in license
24 x 7 support included in base license
24 x 7 support, additional pricing
Built into Operating System
Version 16.03
may 2016
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
#
#
#
√
√
√
X
√
√
#
#
√
~
#
√
√
√
X
√
√
√
√
--#
#
------X
X
√
#
---
X
X
X
√
--√
X
√
√
√
√
√
√
√
√
√
√
X
√
√
#
X
#
----√
--------√
#
#
------√
--X
X
√
√
√
X
#
√
X
√
√
√
√
√
√
#
#
√
√
√
----√
√
√
√
#
#
X
X
X
X
----X
X
√
#
X
√
√
X
X
X
√
X
√
--X
#
#
#
X
X
√
√
#
#
√
√
√
√
--X
√
√
X
X
X
√
√
X
√
X
√
√
X
√
X
√
√
X
√
X
√
#
√
X
X
Page 95
Physical endpoint use license included with VDI/RDS license
Concurrent user/desktop licenses
Per device licenses
Per named user licenses
Per server licenses
Enterprise/site license program
Academic/Education license program
Government license program
Service Provider license program
Free for personal usage (FFPU)
Support and Community
Public and active community
Official training classes available
Official certification program, VUE or Prometric
UEM technology is proven; the solution is being used for 1+ year in enterprise production
environments. 10K+ endpoint, various deployment scenarios.
10+ of public available enterprise (10K CCU) references in EU using UEM solution
10+ of public available enterprise (10K CCU) references in US using UEM solution
Version 16.03
may 2016
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
--√
√
√
X
√
√
√
√
√
--√
X
√
√
√
√
√
√
X
√
√
√
√
X
X
√
√
X
X
#
√
X
√
X
√
√
√
#
X
--√
√
√
X
√
√
√
√
√
--√
√
X
--√
√
√
√
X
--√
X
√
X
√
√
√
√
√
--√
X
√
X
√
√
√
√
√
#
√
√
√
X
√
√
√
√
X
X
----------------X
√
√
X
√
√
√
√
√
√
X
X
√
√
X
X
√
√
√
X
√
√
√
X
√
√
√
X
√
√
√
√
√
√
√
X
√
√
X
X
√
X
X
√
√
√
√
√
√
√
#
X
X
X
X
√
√
√
X
X
X
Page 96
10+ of public available enterprise (50K CCU) references in EU using UEM solution
10+ of public available enterprise (50K CCU) references in US using UEM solution
Enterprise Reference Architecture, public available
Professional Services Organization – Business hours multi-lingual support
Professional Services Organization - 24h multi-lingual support (possible additional contract)
Technical Account Manager (TAM) available
Management Platform
Management through Active Directory
Management through file share
Datastore transfer Protocol - SMB
Datastore transfer Protocol - HTTP(s)
Datastore transfer Protocol – SMB
Datastore transfer Protocol - TCP / configurable and supported
Datastore transfer Protocol - Database specific (protocol differs per DB type)
Datastore transfer Protocol – Windows Communication Foundation
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
X
X
X
√
X
X
X
√
√
√
X
X
√
√
√
X
X
#
√
√
X
#
√
√
√
X
X
X
X
X
X
X
X
√
√
X
X
√
√
√
X
X
X
√
√
X
X
X
√
√
√
√
√
√
√
X
√
√
√
√
X
X
√
√
X
X
√
√
~
X
√
√
√
√
√
X
√
X
√
X
√
X
X
X
√
X
√
X
X
X
-----
√
X
X
X
X
√
X
√
√
√
√
X
---------
√
√
√
X
√
X
--X
X
X
√
√
√
√
√
X
√
√
√
--√
-------
√
√
√
X
√
X
X
X
Datastore / database OS support
Version 16.03
may 2016
Page 97
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
Management through database engine
Microsoft SQL Server 2005 Express Edition
Microsoft SQL Server 2008 SP1 Express Edition
Microsoft SQL Server 2008 R2 Express Edition
Microsoft SQL Server 2005
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008/SP2
Microsoft SQL Server 2012
Microsoft SQL server 2014
Microsoft SQL Azure
Microsoft SQL Server 2008 R2, built-in support for native SQL Mirroring
Oracle Enterprise
MySQL Enterprise Server
IBM DB2
PostgreSQL
√
√
√
√
√
√
√
√
√
X
√
√
X
X
X
√
X
√
√
X
X
X
√
√
X
√
X
X
X
X
X
-----------------------------
-------------------------------
√
X
√
√
X
√
√
√
√
√
√
X
X
X
X
-------------------------------
√
-----------------------------
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
-------------------------------
-------------------------------
Management Server OS support
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2003 R2-64-bit
√
√
X
X
-----
√
√
√
√
√
√
X
X
-----
X
X
-----
Version 16.03
may 2016
Page 98
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
Microsoft Windows Server 2008
Microsoft Windows Server 2008 64-bit
Microsoft Windows Server 2008 R2 64-bit
Microsoft Windows Server 2012 64-bit
Microsoft Windows Server 2012R2 64-bit
Microsoft Windows Server 2016 (tech preview)
Virtual (Linux) appliance
√
√
√
√
√
X
X
X
√
√
√
√
X
X
------#
#
X
---
√
√
√
√
√
X
X
√
√
√
√
√
√
X
√
√
√
#
#
X
X
√
√
√
√
√
X
√
------#
√
X
---
√
√
√
√
√
√
---
---------------
Supported Directory Services
OpenLDAP support
Novell eDirectory official support
Novell Domain Services for Windows official support
Microsoft Directory Services support; ADS 2003+
Microsoft Read Only Domain Controllers (RODC)
X
X
X
√
√
X
X
X
√
√
X
X
X
√
√
X
X
X
√
√
X
X
X
√
√
X
X
X
√
#
X
X
X
√
√
X
√
√
√
√
X
X
X
√
√
X
X
X
√
#
Supported Protocols for all UEM related components
TCP/IP v4
TCP/IP v6
√
~
√
√
√
√
√
√
√
√
√
√
√
√
√
~
√
√
√
#
Version 16.03
may 2016
Page 99
UEM Software Architecture
Software and Agents available as 32bits component
Software and Agents available as 64bits component, native 64 bits components
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
√
√
√
√
√
√
√
√
√
√
√
√
√
X
√
√
√
√
√
√
√
√
X
√
√
√
√
√
√
√
√
√
X
√
√
X
√
X
X
X
X
√
√
X
√
X
√
√
X
√
√
√
√
√
√
√
√
√
X
√
√
X
√
√
√
√
√
√
√
√
√
X
√
√
X
√
√
√
√
√
√
√
√
√
X
√
√
X
√
√
√
√
√
√
√
√
√
X
√
√
X
√
√
√
√
√
√
√
√
√
X
√
√
X
√
X
√
X
√
√
√
√
√
~
√
√
X
√
√
√
√
√
√
√
√
√
X
√
√
X
√
X
X
X
X
√
√
X
X
X
Client Operating System support
Microsoft Windows 10 (x86/x64)
Microsoft Windows 8.0 / 8.1 (x86/x64)
Microsoft Windows 8 RT
Microsoft Windows 7 Professional
Microsoft Windows Vista Professional
Microsoft Windows XP Professional
Microsoft Windows Server 2008
Windows XPe
Windows Embedded Standard 7+
Mac OS X
Version 16.03
may 2016
Page 100
Microsoft
Norskale VUEM
PolicyPak Suire
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
~
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Client/User Session Environment
Agent technology, Helper
Agent technology, AppInitDLL
Agent technology, Service
Agent technology, Service (hooks WinLogon)
Agent technology, Service (parent process)
Agent technology, Kernel mode filter driver
Agent technology, Executable
X
X
√
X
X
√
√
√
X
√
√
√
√
X
X
X
√
X
X
√
X
X
X
√
X
√
X
X
X
X
√
X
√
X
√
X
√
√
X
√
X
X
X
X
X
√
√
√
√
√
X
√
X
√
√
X
X
X
√
X
X
X
√
X
X
√
X
X
#
X
Version 16.03
may 2016
VMware
Persona Management
Citix UPM
X
X
X
X
X
X
X
X
X
X
VMware UEM
AppSense DesktopNow
Unix flavours
Linux flavours
EPOC / Symbian
Wyse Thin OS (WTOS)
Apple iPhone/iPod IOS v6.x
Apple iPad IOS v6.x
Google Android v2.x
RIM BlackBerry
Windows Phone 7/8
Windows Phone 10
RES ONE Workspace
Functionality
AppiXoft Scense
Page 101
VMware
Persona Management
VMware UEM
RES ONE Workspace
PolicyPak Suire
Norskale VUEM
Microsoft
Citix UPM
Functionality
AppSense DesktopNow
AppiXoft Scense
Option to run agent-free (no installation on Client system)
Command-line parameters
Uses file system driver
No kernel-mode component required
Component with elevated user rights
User self-service component
X
√
√
√
√
√
X
√
√
√
√
√
X
X
√
√
√
X
X
√
X
√
X
X
X
√
X
√
~
√
X
√
--√
X
X
√
X
X
√
√
~
X
√
√
X
√
√
√
√
X
X
--√
X
X
#
#
X
X
Application Delivery integration
Citrix XenApp: Ability to Publish Citrix applications
Microsoft RDSH: RemoteApp (native or MSI)
Microsoft Application Virtualization, App-V (native or MSI)
Symantec Workspace Virtualization (native or MSI)
VMware ThinApp (native or MSI)
Citrix XenApp Streaming
Microsoft MSI
Windows Store apps
#
√
√
√
√
X
√
#
X
X
√
X
X
X
#
√
X
X
X
X
X
X
X
#
X
√
√
#
X
X
√
#
√
√
#
X
√
X
√
#
X
√
√
√
√
√
√
#
√
√
X
X
√
X
√
#
√
√
√
√
√
√
√
#
X
√
√
√
√
√
√
X
X
X
X
X
X
X
X
X
User Experience
Reverse seamless functionality: Windows- and Web application integration
X
X
~
X
√
X
X
√
X
X
Version 16.03
may 2016
Page 102
Version 16.03
VMware Persona
Management
VMware UEM
RES ONE Workspace Mgr
Liquidware Labs
ProfileUnity
PolicyPak Suite
Microsoft
Citix User Profile Manager
AppSense DesktopNow
USER PROFILE MANAGEMENT
AppiXoft Scense
8.5
Functionality
Methodology
Profile segmentation / partitioning / separation / decoupling
Profile redirection/ streaming / virtualization
Granularity and decoupling apps
Templates and / or wizards available to capture user settings
√
√
√
#
√
√
~
√
X
√
√
X
--√
√
X
----√
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
Migration
Replaces Windows Roaming Profiles
Migrate from local or roaming profiles
Migrate from competing products
Migrate v1 to v2 profiles (automatically)
Migrate from v2 to v5 profiles (automatically)
Migrate from vx to v6 profiles (automatically
Migrate individual apps across versions
Migrate for managed (UEM) profile back to Windows native profile
√
√
√
√
√
#
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
#
√
√
√
X
X
X
X
X
X
---
------X
X
X
√
---
√
√
√
√
√
√
√
√
√
√
√
√
#
#
√
√
√
√
√
√
√
√
√
√
√
√
√
~
~
#
X
√
may 2016
Page 103
Version 16.03
VMware Persona
Management
VMware UEM
Liquidware Labs
ProfileUnity
PolicyPak Suite
Microsoft
AppSense DesktopNow
AppiXoft Scense
Functionality
Base Profile support
Local Profiles
Roaming Profiles
Mandatory Profiles
Streamed Profiles
Works independent of Roaming Profiles
√
√
√
X
√
√
√
√
--√
√
X
√
√
√
X
X
X
√
√
--------√
√
√
√
--√
√
√
√
X
√
√
√
√
√
√
√
√
#
#
√
User Profile Data Store
Windows File share
Management through database engine
Datastore transfer Protocol - SMB
Datastore transfer Protocol - HTTP(s)
Datastore transfer Protocol - CIFS
Datastore transfer Protocol - TCP / configurable supported
Datastore transfer Protocol - Database specific
Datastore transfer Protocol - DCOM
Built-in replication/synchronization
Data compression before transfer
Synchronization of data is based on delta’s
Data streaming during profile transfer
√
√
X
X
X
√
X
X
√
√
√
X
√
√
√
√
√
√
X
X
√
√
√
---
√
--√
X
√
X
X
X
√
X
√
√
√
--√
X
X
X
X
X
√
√
--#
X
--√
X
X
X
X
X
--√
#
---
√
--√
--√
------√
√
√
---
√
√
√
X
√
X
√
X
√
√
√
X
√
--√
--√
------√
√
√
√
√
--√
X
√
X
X
X
√
X
X
X
may 2016
Page 104
Version 16.03
VMware Persona
Management
VMware UEM
Liquidware Labs
ProfileUnity
PolicyPak Suite
Microsoft
AppSense DesktopNow
AppiXoft Scense
Functionality
Parallel processing of logon actions
Support for Client Side Extensions
√
X
√
√
-----
√
√
√
#
√
---
√
X
√
√
X
#
Profile Management
Personalization loaded on demand (at app launch) for locally installed applications
Personalization loaded on demand (at app launch) for virtualized applications
Personalization templates
1st Line support - Personalization Support Web Console
Automatically capture application personalization
Automatically translate OS version properties
Built-in user profile snapshots
Automatic user personalization removal
User self-service and profile management
Cross-application delivery mechanism support (v-apps etc)
Cross-architecture support (32-bit & 64-bit)
Cross-operating system support for desktop settings
Discovery mode
Builtin Reporting
Isolation/Virtualization/Redirection of application settings
Last write wins - Per Application
√
√
X
X
√
√
√
#
√
√
√
√
√
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
~
~
√
X
X
X
X
#
X
X
X
X
X
X
X
X
√
√
X
X
√
X
X
#
X
√
√
√
√
X
#
√
√
√
#
#
X
X
X
#
#
√
√
√
X
X
√
X
√
√
√
X
√
√
√
#
~
√
√
√
X
√
√
√
√
√
√
X
√
√
√
#
√
√
√
√
√
√
√
√
√
√
√
#
√
√
√
#
√
√
√
√
√
X
X
√
X
X
X
X
X
X
X
#
X
X
#
#
X
X
X
#
may 2016
Page 105
VMware Persona
Management
VMware UEM
Liquidware Labs
ProfileUnity
PolicyPak Suite
Microsoft
AppSense DesktopNow
AppiXoft Scense
Functionality
Last write wins - Per Session
Migrate from local or roaming profiles
Offline (Cached) Mode
Pre-cache personalisation on new machines
Support for Terminal Server /desktop silos
Supports user certificates
Return to local or roaming profiles
√
√
√
X
√
√
√
√
√
√
√
√
√
√
√
√
√
X
√
√
√
√
√
√
√
√
√
X
√
X
√
√
√
-----
√
√
√
√
√
√
√
√
√
√
X
√
√
√
√
√
√
√
√
√
√
#
√
X
X
#
#
√
Application Virtualization support
Microsoft Application Virtualization, App-V
Symantec Workspace Virtualization
VMware ThinApp
Novell ZENWorks / Turbo.net
√
√
√
X
√
√
√
X
X
X
X
X
√
X
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
X
√
√
X
X
√
X
√
√
#
√
√
√
#
#
#
-------
-------
√
√
√
√
√
X
√
#
#
X
X
X
Application Layering support
VMware Appvolumes
Citrix AppDisk
Unidesk
Version 16.03
may 2016
Page 106
Version 16.03
may 2016
√
√
√
√
√
√
X
X
X
√
√
√
X
√
√
√
√
√
-------
√
√
√
VMware Persona
Management
VMware UEM
Liquidware Labs
ProfileUnity
PolicyPak Suite
Microsoft
AppSense DesktopNow
Functionality
Cross Platform Personalization support
Cross-application delivery mechanism support (native, virtual, hosted apps etc.)
Cross-architecture support (32-bit & 64-bit)
Cross-operating system support for desktop settings
AppiXoft Scense
X
X
X
Page 107
Version 16.03
VMware UEM
VMware PM
√
X
√
√
√
√
√
√
√
√
X
√
X
√
√
X
√
√
√
√
√
√
X
√
√
√
√
√
~
√
√
√
√
√
√
X
X
X
#
X
X
X
X
X
X
Native Action triggers
User Logon
User Logoff
Group Policy Refresh
Delayed Event
Application Start
√
√
X
√
√
√
√
X
√
√
√
√
X
X
X
√
√
√
√
√
√
√
√
X
X
√
X
√
X
X
√
X
√
X
√
√
√
X
√
√
√
√
√
X
√
√
√
X
√
X
may 2016
PolicyPak Suite
√
√
√
X
√
√
√
~
X
Norskale VUEM
√
X
√
√
X
√
√
√
X
Microsoft
X
X
#
#
#
√
#
X
X
LiquidwareLabs
ProfileUnity
√
√
√
√
√
√
√
√
√
Citrix UPM
√
√
√
√
√
√
√
√
X
AppSense
DesktopNow
Functionality
Policy configuration component
Extendable with 3rd party tools
Processing of configuration during Windows Logon
Parallel processing of logon actions
Multithreading of logon actions
Policy component supports granular configuration
Can execute custom code (scripts, external EXE)
Lockdown and removal of OS and 3rd party application UI/content
Healing of processes, registry keys, services and files
RES One Workspace
USER PERSONALIZATION, APPLICATION AND DESKTOP MANAGEMENT
AppiXoft Scense
8.6
Page 108
Version 16.03
VMware UEM
VMware PM
X
√
X
X
X
X
X
X
X
X
X
√
X
X
√
√
√
√
√
X
X
X
√
√
X
X
X
X
X
√
√
X
X
√
√
√
√
√
√
X
X
X
X
√
√
X
X
X
X
X
X
X
X
X
X
X
X
X
X
√
Native policy actions
Copy files and/or folders
√
√
X
√
√
√
X
√
√
X
may 2016
PolicyPak Suite
X
√
√
√
X
X
√
X
X
√
#
√
X
X
√
Norskale VUEM
X
√
X
X
X
X
X
X
X
X
X
√
√
X
√
Microsoft
√
√
√
√
√
√
√
√
√
X
X
√
√
√
√
LiquidwareLabs
ProfileUnity
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Citrix UPM
√
√
√
√
√
√
√
√
√
X
√
√
√
√
√
AppSense
DesktopNow
√
X
X
X
X
X
X
X
X
X
X
√
√
X
√
AppiXoft Scense
Functionality
Application Stop
Network Connect
Network Disconnect
Session Reconnect
Session Disconnect
Session Lock
Session Unlock
Process Start
Process Stop
Application Install
On Error
Computer Startup
Computer Shutdown
Process Start – From UNC Path
Manual / Scripted / On Schedule
RES One Workspace
Page 109
Version 16.03
may 2016
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
√
√
√
√
√
~
~
X
√
√
√
√
√
X
PolicyPak Suite
Norskale VUEM
Microsoft
LiquidwareLabs
ProfileUnity
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
X
√
X
X
X
√
√
√
X
X
X
X
X
X
√
VMware PM
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
VMware UEM
√
√
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
RES One Workspace
√
X
X
X
√
√
√
X
√
X
X
√
√
√
X
X
√
X
Citrix UPM
Functionality
Desktop background / wallpaper
Devices
E-mail profiles
Outlook setup
File-type associations
File and Folder actions
Folder Redirection
INI files
Internet Settings
Internet Explorer settings
Local users and groups
Network Drives
Shortcuts
ODBC data sources
Power options
Printers
Regional options
AppSense
DesktopNow
AppiXoft Scense
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
~
~
√
√
√
√
√
√
√
X
√
√
√
X
√
√
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Page 110
Version 16.03
may 2016
√
√
√
√
√
√
√
√
√
√
√
√
√
√
#
√
√
X
PolicyPak Suite
Norskale VUEM
√
X
√
√
X
√
X
√
X
X
X
X
X
X
#
√
X
#
√
X
√
√
X
X
--X
X
√
√
√
√
√
X
√
X
X
VMware PM
√
X
√
√
√
√
√
√
√
√
√
√
√
√
#
√
√
#
Microsoft
LiquidwareLabs
ProfileUnity
Citrix UPM
X
X
X
X
X
X
X
X
X
X
X
X
X
X
#
X
X
#
VMware UEM
√
X
√
√
√
√
√
√
X
√
√
√
√
X
√
√
√
√
RES One Workspace
√
√
X
X
X
X
X
√
X
X
X
X
X
X
#
√
√
#
AppSense
DesktopNow
Functionality
Registry keys and values
Scheduled tasks
Screen saver
Start Menu options
VPN and dial-up connections
Windows Explorer folder option
ADM / ADMX templates
Message Boxes
Configure Microsoft Fax client
Microsoft Office File locations
Microsoft Office preferences
Microsoft Outlook preferences
Outlook Express
Remote Desktop Connection client settings
Pinned items
Windows options
Windows services
Tekst file Create
AppiXoft Scense
√
√
√
√
√
√
√
√
X
√
√
√
√
X
√
√
X
#
√
X
√
√
X
√
√
√
X
√
√
√
√
√
#
√
X
#
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Page 111
Version 16.03
VMware UEM
VMware PM
√
X
X
X
X
X
X
X
X
X
X
X
#
√
X
√
√
√
√
√
X
√
√
√
√
√
X
X
√
√
#
#
√
#
√
√
√
X
X
X
X
X
X
X
X
X
X
X
X
X
X
#
Built-in rules / native conditions
Active Directory Site
Client Computer Domain
Client Computer Group
√
√
√
√
√
√
X
X
X
√
√
√
√
√
√
√
#
#
√
√
~
√
√
√
√
√
X
X
X
X
may 2016
PolicyPak Suite
√
√
√
X
X
X
X
X
X
√
X
X
#
Norskale VUEM
X
X
√
X
√
√
X
X
X
X
X
X
#
Microsoft
√
X
√
√
√
√
X
X
X
√
√
X
#
LiquidwareLabs
ProfileUnity
X
X
X
X
X
X
X
X
X
X
X
X
#
Citrix UPM
√
√
√
√
√
√
√
√
√
√
√
√
X
AppSense
DesktopNow
√
X
√
√
X
X
√
√
~
√
X
X
X
AppiXoft Scense
Functionality
Text File Update
Text File Search
File & Folder Copy
Ability to write your own Custom Policy Actions
Folder mirroring
Folder Synchronization
Custom VBScript queries for Actions
Custom JScript queries for Actions
Custom PowerShell queries for Actions
Only Copy ‘New’ or ‘Changed’ items, files or folders
Ability to Mirror Folder to mirror source if files are removed
Synchronize Folder, unlike Mirror this is a two way process
Windows 10 tiles
RES One Workspace
Page 112
Version 16.03
may 2016
√
X
√
√
#
√
X
#
√
√
√
√
√
√
√
√
√
√
PolicyPak Suite
Norskale VUEM
#
#
√
√
X
X
X
√
#
√
X
√
X
√
√
√
√
√
√
√
√
√
√
X
#
√
√
√
√
√
√
√
√
√
√
√
VMware PM
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
Microsoft
LiquidwareLabs
ProfileUnity
Citrix UPM
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
VMware UEM
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
RES One Workspace
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
√
AppSense
DesktopNow
Functionality
Client Computer Organisational Unit
Client Connection Protocol
Client IP Address / Address Range
Client NetBIOS Name
Client Screen Colour Depth
Client Screen Resolution
Computer Chassic Type (device detection)
Computer Domain
Computer Group
Computer IP Address / Range
Computer MAC Address / Range
Computer Name (DNS / NetBIOS)
Computer Organizational Unit
Operating System Service Pack
Operating System version
Operating System bit level (x86/x64)
Published Application Name
User Group
AppiXoft Scense
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
√
√
√
√
√
X
X
#
√
X
√
X
√
√
√
√
√
X
√
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Page 113
Version 16.03
may 2016
√
√
√
√
√
X
X
√
√
√
√
√
√
√
X
X
√
√
PolicyPak Suite
Norskale VUEM
√
√
√
√
√
√
X
√
√
√
X
X
√
X
X
X
√
X
√
√
√
√
√
X
X
X
√
√
√
√
√
√
X
X
√
√
VMware PM
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
Microsoft
LiquidwareLabs
ProfileUnity
Citrix UPM
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
VMware UEM
√
√
√
√
√
X
X
~
X
√
√
X
√
X
X
X
√
X
RES One Workspace
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
√
√
AppSense
DesktopNow
Functionality
User Is Administrator
User Name
User Organizational Unit
User Primary Domain Group
User Domain
Initial Program
Working Directory
Session Name
WMI Query
File / Folder match (exists, version)
Battery is present
CPU speed
CPU Architecture (x86/x64)
Number of CPU’s
Wireless Connected network (SSID)
Wireless Nearest access point (BSSID)
Date/time match
Disk space
AppiXoft Scense
√
√
√
√
√
X
X
√
√
√
√
√
√
√
√
√
X
X
X
√
√
X
√
X
X
X
X
√
√
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Page 114
Version 16.03
may 2016
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
PolicyPak Suite
Norskale VUEM
√
√
√
X
X
X
X
√
√
X
√
√
X
X
√
X
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
X
VMware PM
√
√
√
X
√
X
√
√
√
X
√
√
X
√
√
X
X
X
Microsoft
LiquidwareLabs
ProfileUnity
Citrix UPM
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
VMware UEM
√
X
√
X
X
X
√
√
√
X
√
√
√
X
√
√
√
√
RES One Workspace
√
√
√
√
X
X
√
√
√
√
√
√
X
√
√
√
√
√
AppSense
DesktopNow
Functionality
Language (user / system)
Custom LDAP query
MSI query
Network connection type (VPN, Dailup etc.)
PCMCIA slot is present
Portable computer (Laptop)
Terminal Server
Domain Controller
RAM size
Registry match
Time range
GP Processing Mode
Connection type (LAN/dialup)
VMware View client name
User interaction - Yes/No response
Custom VBScript queries
Custom Jscript queries
AppiXoft Scense
√
√
X
X
√
X
√
√
√
√
√
√
X
√
√
√
X
X
√
X
X
X
X
X
√
√
X
X
√
X
X
X
√
X
~
~
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Page 115
Version 16.03
may 2016
√
X
X
X
X
X
√
X
√
X
√
√
X
X
X
X
X
PolicyPak Suite
Norskale VUEM
√
√
X
X
X
X
X
X
√
X
√
#
X
#
#
#
#
√
X
#
#
#
#
√
#
√
X
√
#
X
#
#
#
#
VMware PM
√
√
√
√
√
X
√
√
√
√
√
√
X
X
X
X
X
Microsoft
LiquidwareLabs
ProfileUnity
Citrix UPM
X
X
X
X
X
X
X
X
X
X
X
#
X
#
#
#
#
VMware UEM
√
√
√
√
√
√
√
X
√
X
X
√
X
√
√
√
√
RES One Workspace
√
√
√
√
~
~
√
√
√
X
√
#
X
#
#
#
#
AppSense
DesktopNow
Functionality
Counter Condition – Run Once >>Run many
Ability to write your own Custom Policy Conditions
Custom VBScript queries for Conditions
Custom Jscript queries for Conditions
Custom PowerShell queries for Conditions
Custom PowerShell queries
If .. else condition
Remote Host/URL
Session Type
USB storage device, serial and vendor/product
Any AD User Property (User settings from the user account)
Is VDI (detect Citrix or VMware software)
WiFi AccessPoint connectivity (BSSID)
Citrix PVS vDisk present and vDisk mode
Citrix Netscaler session policies and hostname
VMware Horizon view Broker
VMware Horizon View tunneled connection
AppiXoft Scense
√
X
X
X
X
X
X
√
√
√
√
#
√
#
#
#
#
~
√
√
√
√
~
√
X
X
X
X
√
X
X
X
√
√
X
X
X
X
X
X
X
X
X
X
X
#
X
#
#
#
#
Page 116
Version 16.03
may 2016
√
√
√
√
X
X
X
X
X
√
X
X
X
X
√
X
X
X
X
X
√
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
√
√
VMware UEM
√
√
√
√
X
X
X
X
X
√
X
√
X
X
√
X
X
√
RES One Workspace
√
√
√
√
X
X
√
√
√
√
√
√
√
√
√
√
√
√
Norskale VUEM
Liquidware Labs
ProfileUnity
Functionality
Logging (product specific)
Application access based on Active Directory User identity
Application access based on Active Directory Group membership
Application access based on Active Directory OU membership
Application access based on Novell User identity
Application access based on Novell Directory Group membership
Application access based on UEM Administrative Roles (RBAC)
Alerting (action send mail)
Alerting (SNMP)
Event triggering (run scripts or custom action)
Number of Application Instance limits
Application Termination
Terminate Application based on change to client name or IP address
Application Clean Closure
Display warning / Dialog box
Blocked file archiving (move rule-blocked file to archive)
Application level Network Access Control
Permit access to authorized IP addresses
AppSense
DesktopNow
APPLICATION ACCESS CONTROL, SECURITY MANAGEMENT
Appixoft Scense
8.7
√
√
√
√
X
X
X
X
X
√
X
X
X
X
√
X
X
X
Page 117
Version 16.03
may 2016
√
X
X
X
X
X
X
X
X
X
√
√
√
√
√
X
√
√
X
X
X
X
X
X
X
X
√
X
X
√
X
X
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
X
X
X
√
√
X
√
√
X
X
X
X
X
X
X
X
X
X
X
X
X
√
√
√
√
√
X
√
√
√
√
√
#
X
X
X
X
X
X
X
X
X
X
X
X
VMware UEM
Liquidware Labs
ProfileUnity
√
√
√
√
√
Norskale VUEM
AppSense
DesktopNow
Permit access to authorized TCP/UDP ports
Deny access to prohibited ports
End Point Analysis Scan
Application Usage scan
User Rights / Privilege discovery mode / reporting
Auditing and reporting of self-elevation
Elevate/Reduce user right for Applications
Elevation/Reduce user rights to Control Panel Applets
Elevate user rights on the internet for ActiveX / Web Installations
Elevate user rights for Application Installations
Self-Elevation of user rights on demand with white & blacklist options
If application is Elevated, option to not elevate Child Processes spawned from the raised Application
X
X
X
X
X
Appixoft Scense
Functionality
Deny access to prohibited IP addresses
Permit access to authorized UNC paths
Deny access to prohibited UNC paths
Permit access to authorized host server names
Deny access to prohibited host server names
RES One Workspace
Page 118
Version 16.03
may 2016
X
X
#
X
√
√
√
X
√
X
X
X
X
X
X
√
√
√
√
√
√
√
√
X
X
X
X
√
X
X
X
X
X
X
X
X
X
X
X
√
X
X
X
X
X
X
√
X
X
√
X
X
#
#
√
√
√
√
√
√
√
√
√
√
√
√
X
√
#
#
√
√
X
X
X
X
X
X
√
√
X
√
X
√
√
√
√
√
X
X
X
X
X
X
VMware UEM
Liquidware Labs
ProfileUnity
√
Norskale VUEM
AppSense
DesktopNow
Security/blocking approach
Whitelisting
Blacklisting
(Certificate based) vendor trusting
User specific rights
Trusted Ownership / Owner of file
SHA#1 Digital Signature of file
SHA-256 Digital Signature of file
MD5 Digital Signature of file
X
Appixoft Scense
Functionality
If application is Elevated, option to not elevate Secure Dialog Boxes within the raised Application
Does not create and depend on a Local Adminstrator account on the machine for Elevation of
User Rights
Redirect a requested URL to a specified safe URL
Redirect an already open URL when context/condition changes
Redirect URL based on full URL address
Redirect URL based on Sub-Directory of address
Redirect URL based on use of Wild Cards
Time Based Application Access
RES One Workspace
Page 119
Version 16.03
#
#
X
X
X
X
X
X
Contextual nodes/levels (block based on …)
Active Directory Site
Any Active Directory User property
User
Group
Organizational Unit (OU)
Device (detail; IP, computer name etc. ?)
Computer Chassis type
CPU speed
CPU architecture (x86/x64)
CPU Number of processors
Memory (minimum installed)
Screen resolution
Screen color depth
CD/DVD (present/not present)
Client IP Address/Address range (local device)
Client name (local device)
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
√
√
√
√
X
X
X
X
X
√
√
X
√
√
√
√
√
√
√
√
√
X
√
X
X
√
√
X
√
√
X
X
X
√
X
X
X
X
X
X
X
X
X
X
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
#
√
√
√
√
X
X
X
X
X
X
X
X
√
√
may 2016
VMware UEM
√
√
Norskale VUEM
Liquidware Labs
ProfileUnity
#
#
Appixoft Scense
Functionality
ADLER32
Metadata / file properties
AppSense
DesktopNow
RES One Workspace
Page 120
Version 16.03
may 2016
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
VMware UEM
√
√
√
√
X
√
√
√
√
X
X
X
√
√
√
√
X
X
X
X
RES One Workspace
√
√
√
√
X
√
√
√
√
X
X
X
√
√
√
√
√
√
√
√
Norskale VUEM
Liquidware Labs
ProfileUnity
√
√
√
√
X
√
√
√
√
X
X
X
√
√
√
√
X
√
√
√
AppSense
DesktopNow
Functionality
File
File version
Folder
USB Storage Device (Serial number/ Vendor & Product ID)
Operating System bit level (x86/x64)
Operating System Version
Registry Setting & Value
Remote Host (Ping/Port/HTTP/HTTPS)
Listener Name
Wireless Connected network (SSID)
Wireless Nearest access point (BSSID)
Session Type (Local Desktop/Remote Desktop/Remote Application)
Process
Access Time
Connection Type (e.g. RDP, ICA etc..)
Port Number
Output of VBScript
Output of PowerShell script
Output of jScript
Appixoft Scense
√
√
√
√
√
√
√
√
X
X
X
X
X
X
X
√
X
√
√
√
Page 121
Version 16.03
√
√
√
√
√
√
X
X
X
X
X
X
X
X
X
X
√
√
X
X
X
X
X
√
Block/filter types/details (what to block)
Filename
Filename Extension
Folder
Drive
Removable Drive
Signature
Network Connection
URL Filtering
Software Installation
Sessions
Registry keys
Scripts
X
X
X
X
X
X
X
X
X
X
X
X
√
√
√
√
√
√
√
√
√
X
√
√
√
√
√
√
X
√
X
X
√
X
√
X
√
X
X
X
X
X
X
X
X
X
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
X
X
X
X
X
X
X
may 2016
VMware UEM
√
√
√
√
√
√
Norskale VUEM
Liquidware Labs
ProfileUnity
X
X
X
X
√
√
Appixoft Scense
Functionality
Application / File vendor
Application / File product name
Application / File company name
Application / File description
Application / File product version (minimum and maximum)
Product version (maximum and minimum
AppSense
DesktopNow
RES One Workspace
Page 122
X
X
X
X
√
X
X
√
√
√
X
√
X
X
X
X
Other
Ability to prevent malicious changes to alter file integrity
Limit # of user-application sessions
X
X
√
√
X
X
X
X
√
√
X
X
may 2016
VMware UEM
Liquidware Labs
ProfileUnity
√
√
√
√
Norskale VUEM
AppSense
DesktopNow
X
X
X
X
Appixoft Scense
Security levels
Security disabled (Unrestricted)
Learning mode (Audit only)
Self-Authorize
Security enabled (Restricted)
Functionality
Version 16.03
RES One Workspace
Page 123
RESOURCE MANAGEMENT
Version 16.03
RES ONE Workspace
√
√
√
√
√
√
X
X
X
X
X
X
√
X
X
√
√
√
√
√
√
√
√
√
Throttling options
Share based CPU throttling
Share based Memory throttling
Share based Disk throttling
Limit based CPU throttling
Limit based Memory throttling per user
Limit based Memory throttling per application/process
Limit based Memory throttling per session
CPU reservations
√
√
√
√
√
√
√
√
X
X
X
X
X
X
X
X
#
#
#
#
#
#
#
#
X
X
X
X
√
X
√
X
may 2016
Liquidware Labs
Profile Unity
Functionality
Logging (product specific)
Alerting (action send mail)
Event triggering (run scripts or custom action)
Reporting / trending
Fast Session Logoff (background logoff processing)
Timed statistics collection
Norskale VUEM
AppSense Desktop Now
8.8
Page 124
Version 16.03
RES ONE Workspace
√
√
√
X
X
X
#
#
#
X
√
√
Optimization conditions
Window state (minimized, foreground background etc.)
Session state (idle, disconnected, locked etc.)
Detailed reporting on resource usage
√
√
√
X
X
X
#
#
#
√
X
X
Other
Memory optimization
CPU/thread optimization
IOPS optimization
√
√
X
X
X
√
#
#
X
√
√
X
may 2016
Liquidware Labs
Profile Unity
Functionality
CPU affinity
Set CPU conditions/thresholds
Set application specific CPU conditions/thresholds
Norskale VUEM
Page 125
8.9
LICENSE MANAGEMENT
Version 16.03
may 2016
RES ONE Workspace
Functionality
Assign license costs per app
License types
Companywide license
Server license
Per seat license
Per named user license
Per concurrent user license
Per device license
Recognized by Gartner
AppSense DesktopNow
AppiXoft Scense
There is a lot to write about License Management in the context of User Environment Management. In forthcoming versions of the \paper
more features will be analyzed and described.
X
X
√
X
X
√
√
√
√
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
Page 126
8.10
MONITORING, AUDITING AND REPORTING
There is a lot to write about Monitoring, Auditing and Reporting in the context of User Environment Management. In forthcoming versions of
the whitepaper more features will be analyzed and described.
Version 16.03
may 2016
Liquidware Labs Suite
Norskale VUEM
RES ONE Workspace
VMware vROps
X
X
X
#
√
#
X
Functionality
Monitoring
Session processes
Session CPU usage
Session Memory usage
Average disk queue length
User logon/logoff process
User Logon time (average/per user)
User Experience
AppiXoft Scense
A number of vendors listed in this document are also offering monitoring solutions. I’ve included the products of those vendors also, not all
features of the monitoring products are highlighted of course. This document is about User Environment Management and only the features I
find relevant are here. If you are looking for a monitoring product you contact the vendor of that product for more information or if you are
located in the Netherlands contact us.
√
√
√
#
√
#
X
√
√
√
√
√
√
#
√
√
√
√
√
√
√
√
√
X
#
√
#
X
√
√
√
√
√
√
X
Page 127
Version 16.03
Norskale VUEM
RES ONE Workspace
VMware vROps
X
X
#
√
X
#
Auditing
End-point audit information available (allow/deny access)
Audit change log (generic)
Audit change log (detailed per object)
Review user logon and logoff process with history
X
X
X
X
√
√
√
√
√
√
√
√
X
√
√
√
X
√
√
√
#
#
#
#
Reporting
End-point software inventory
End-point software usage inventory
Resultant set of user specific applied UEM settings (logging)
Resultant set of user specific applied UEM settings (planning)
Export configuration / settings for documentation purposes
Report application usage
Report sessions usage
Report application/license use per user
Report application/license use per OU
Report application/license use per device
X
X
X
X
X
√
X
√
X
X
√
√
√
√
√
√
√
√
X
√
√
√
√
√
√
√
√
√
√
√
√
X
√
√
X
√
√
√
X
X
√
√
√
√
√
√
√
√
√
√
#
#
#
#
#
√
#
#
#
#
AppiXoft Scense
Functionality
Content switching
may 2016
Page 128
Version 16.03
Norskale VUEM
RES ONE Workspace
VMware vROps
√
X
√
X
#
#
X
√
#
#
√
X
√
√
#
#
√
√
#
#
√
√
√
√
#
#
√
√
#
#
X
X
X
√
√
√
X
X
#
#
√
√
√
√
#
#
√
√
√
√
#
#
#
#
#
#
#
#
#
#
User Analysis by IT support
Location and Devices (contextual user information)
Account Properties (UEM/Active Directory/IT Store Services)
Application Access
File Types associations
E-mail Settings
Data Sources
Environment Variables
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
√
X
√
X
X
X
√
√
√
X
√
√
√
√
√
√
√
√
√
X
X
X
X
X
X
X
may 2016
AppiXoft Scense
Functionality
Report application/license use during a specific time frame
Report application/license use by session state.
Report users per application
Report application CPU usage per user/computer/OU/Top10
Report application RAM usage per user/computer/OU/Top10
Report application I/O usages per user/computer/OU/Top10
Report website usage
Report license usage
Export Application security log for use with external products
Export Removalbe disk security log for use with external products
Page 129
Version 16.03
may 2016
Norskale VUEM
RES ONE Workspace
VMware vROps
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
Functionality
Commands (VBscript/PowerShell)
Drive and Port Mappings
Drive Substitutes
Folder Redirection
Folder Synchronization
User Home Directory
User Profile
Microsoft Configuration Manager tasks
Printers
User Registry/Policy
User Settings (view actual configuration)
User Settings (export configuration including registry and file/folders)
User Settings restore
Application Security log
User Installed Applications log
Website security log
Removable Disks log
File and Folder log
Network Connections log
AppiXoft Scense
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
√
√
X
√
√
X
X
X
X
X
X
X
X
#
#
#
#
#
#
√
√
√
√
X
√
√
X
√
√
√
X
√
X
X
X
X
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
X
X
X
X
X
X
X
X
X
X
X
X
X
#
#
#
#
#
#
Page 130
Version 16.03
Norskale VUEM
RES ONE Workspace
VMware vROps
X
X
X
X
X
X
X
X
#
#
#
#
X
X
X
X
√
√
√
√
#
#
#
#
UEM Self-Service in a controlled User Environment
Restore profile data
Application start-up
Application desktop short-cuts
Application pin to task bar
Desktop background picture
Screensaver
Swap mouse buttons
Usage statistics
Set default printer based on location (including local printers)
View context information
Language
Configuration refresh
X
X
X
X
X
X
X
X
X
X
X
X
√
X
X
X
X
X
X
X
X
X
X
X
#
#
#
#
#
#
#
#
#
#
#
#
X
√
√
√
√
X
X
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
√
#
X
X
X
X
X
X
X
X
X
X
X
may 2016
AppiXoft Scense
Functionality
User Sessions
UEM Event Log
Performance events
Microsoft Remote Assistance Integration
Page 131
9.
CONCLUSION
UEM is a key part in our environment these days, more then ever it is a component that you
can’t do without. With so many players on the market it’s hard to find the one that you need.
In this whitepaper we tried to help you understand what UEM stands for, what you already got
when you are a Microsoft customer, where to think about when looking for UEM and what the
differences are between the products.
Which User Environment Management solution is THE best?!; Good Question! As said before,
we don’t judge we compare. Which solution is the best? The best solution is the one that fits
your use case, your environment, your users and your app strategy. Together with your IT partner you now have the ability to go deeper in your UEM selection process, the pieces are on the
table and they just need to know your requirements.
Key areas for your User Environment Management strategy are:









Version 16.03
Are you investigating a tactical (point)-or strategic solution? What do you want to solve?
What’s your desktop delivery and migration strategy for Windows 7?
How do you take care of profile changes during a migration (v1 and v2)? What is your roleback strategy when all the user and application settings are migrated to Windows 7?
Is work shifting a key driver for the Optimized Desktop? How are the roaming/flexible and
mobile users within the organization facilitated?
How do you achieve consistent and uniform user environment across Desktop, Laptop,
VDI, Terminal Services in managed and un-managed scenarios?!
How do you design, control and maintain logon scripts and user profiles? Are you facing
long logon times to your environment and applications? Would your end-users benefit
from a Profile clean-up? Are you facing profile corruption?
How do you handle all the application and user preferences such as printers, file-types,
drive mappings, access to applications, data, and network resources and application settings? How many people really understand the complex and often legacy internal scripts?
How agile are these scripts and settings?
Is Application Virtualization in scope, how do you handle application preferences in a
mixed OS and Application, and Desktop Delivery infrastructure?
Do you need context awareness? Based on user/role, device, location and various settings
access to application resources is controlled and enforced when needed.
What is your Application and Desktop Delivery solution in BYOC scenarios? How do you
deliver applications to these (un-managed) devices? What is the role of UEM?
Does the end-user need the ability to install and update applications? Is User Installed Applications functionality needed? Does the user have the correct privileges to install, or update software?
may 2016
Page 132







Version 16.03
How do you control, administer, audit and report which user has access to which application from specific devices or locations? How do you control application usage, user rights
management?
What solutions do you use to make sure you’re compliant? Can you measure, track and
enforce licensing? How do you currently license per device applications such as Microsoft
Project and Microsoft Visio?
Are billing, license-management, reporting and/or charge-back of the delivered applications needed?
Do you want to offer a Self-Support tool to your users to reduce the amount of Helpdesk
calls?
Does the User Environment Management solution need to be proven and mature? What is
your definition of proven?
Is “Layering the cake” / separation of Operating System - Application - and User Preferences part of the overall desktop strategy?
Bottom Line: Does IT have focus on your end-user?!
may 2016
Page 133
10.
CHANGE LOG
Date June 2011 v1.0 - Initial Release
Date June 2011 v1.0.3 – Minor layout fixes + minor RES fixes in tables.
Date June 2011 v1.0.4 – Minor layout fixes
Date November 2011 v1.1 – Community and vendor feedback

























Version 16.03
Re-read and reviewed the complete document
Removed some typographical errors
Added information in chapter 1 to highlight objectives, suggestions and
improvements
Introduced the term business-consumer besides of end-user
Added chapter 3.3, ‘Layering the cake and Application Delivery’
Added information in chapter 3.4, ‘User Centric Computing’
Updated chapter 3.7, ‘Why UEM’
Updated chapter 3.8, ‘UEM Functionality’; different naming to stretch the
functionality and Desktop Transformation
Updated Chapter 3.9, ‘UEM Strategy’ and added new strategic questions.
Updated chapter 3.11, ‘What’s a name’ and added table ‘Overall terms and
definitions’
Updated chapter 3.12, ‘FAQ’
Updated chapter 4.2, ‘User Personalization’ header and small items in text
Updated chapter 4.3, ‘Application Access Control’ header and small topics in text
Updated chapter 4.5, ‘Licensing’ - small topics in text
Updated chapter 4.6, ’Monitoring, Auditing and Reporting’ small topics in text
Updated chapter 4.7, ‘Application Delivery’ in context of UEM;
Updated chapter 5.1 and 5.2 to highlight the goal and focus of the vendor solution
matric
Updated chapter 5.2, ‘vendor solutions matrix’
Updated chapter 5.3.2, AppSense functionality - License Control
Updated chapter 5.5, ‘Immidio’, introduction, functionality and pricing
Updated chapter 5.9, ‘RES Software’
Updated chapter 5.9.6, ‘RES Dynamic Desktop Studio’
Updated chapter 6.1, ‘Introduction’ and ‘vendor solutions matrix’
Updated chapter 6.2, ‘Product version’
New features added:
may 2016
Page 134
o





Version 16.03
Management Server / UEM solution, Database instance officially support
20K concurrent connections
Features updated, Generic Features and Functionality
o Management Server / UEM solution. Server instance officially supports
X.XXX concurrent connections
o Licenses, Education license program
o Support and Community; 10+ of public available enterprise (50K CCU)
references in EU using UEM solution
o Support and Community; Professional Services Organization
o Client (endpoint) Operating System support; Windows 8
Features updated, User Profile Management
o Action triggers, Process Start – From UNC Path
o Native policy actions, Text File Update
o Native policy actions, Text File Search
o Native policy actions, File & Folder Copy
o Built-in rules / native conditions, Counter Condition – Run Once >>Run
many
Features updated, Application Access Control
o Display warning / Dialog box
o Auditing and reporting of self-elevation
o Elevate/Reduce user right for Applications
o Elevation/Reduce user rights to Control Panel Applets
o Elevate user rights on the internet for ActiveX / Web Installations
o Elevate user rights for Application Installations
o Self-Elevation of user rights on demand with white & blacklist options
Features updated, License Management
o Per device license (recognized and approved by ISV /Microsoft)
Features changes: AppSense
o Concurrent user/desktop licenses
o Per device licenses
o Enterprise/site license program
o Academic/Education license program
o Service Provider license program
o Integration with 3rd party systems management solutions
o Scripting (none PowerShell) support and command-line interface
o Datastore transfer Protocol - TCP / configurable and supported
o Client/User Session EnvironmentAgent technology, Service (hooks
WinLogon)
o Lockdown and removal of OS and 3rd party application UI/content
o Built-in rules / native conditions, Operating System Service Pack
may 2016
Page 135

Version 16.03
o Built-in rules / native conditions, Operating System version
o Built-in rules / native conditions, User Domain
o Built-in rules / native conditions, File / Folder match (exists, version)
o Built-in rules / native conditions, Date/time match
o Built-in rules / native conditions, Environment variables
o Built-in rules / native conditions, Terminal Server
o Built-in rules / native conditions, Registry match
o Built-in rules / native conditions, Time range
o Built-in rules / native conditions, User interaction - Yes/No response
o Block/filter types/details (what to block), URL Filtering
o Block/filter types/details (what to block), Software Installation
o Block/filter types/details (what to block), Sessions
o Block/filter types/details (what to block), Registry keys
o Block/filter types/details (what to block), Scripts
o Throttling options, Share based Memory throttling
o Throttling options, Limit based Memory throttling per user
o Monitoring, Session processes
o Monitoring, Session CPU usage
o Monitoring, Session Memory usage
o Reporting, Resultant set of user specific applied UEM settings (planning)
o Reporting, Report sessions usage
o Reporting, Report application/license use per user
o Reporting, Report application/license use per OU
o Reporting, Report application/license use per device
o Reporting, Report application/license use during a specific time frame
o Reporting, Report application/license use by session state
o Reporting, Report users per application
o Reporting, Reporting application CPU usage per user/computer/OU
o Reporting, Report website usage
o Client/User Session Environment
o Agent technology, Service
o Agent technology, Service (parent process)
o Agent technology, Kernel mode filter driver
o Command-line parameters
o UPM, Migrate from competing products
o UPM, Migrate individual apps across versions
o Built-in rules / native conditions, Domain Controller
o Block/filter types/details (what to block), Scripts
RES Software Features updated
o Management Platform, Datastore transfer Protocol – SMB
may 2016
Page 136



o Management Platform, Datastore transfer Protocol – CIFS
o Agent technology, Service
o Agent technology, Kernel mode filter driver
o User Profile Datastore, Datastore transfer Protocol - SMB
o User Profile Datastore, Datastore transfer Protocol - CIFS
o User Profile Datastore, Built-in replication/synchronization
o User Profile Datastore, Parallel processing of logon actions
Immidio FlexProfiles Fetures update
o Personalisation loaded on demand (at app launch)
Added information in chapter 7, ‘conclusion’
Added chapter 8, ‘change log’
Date November 2011 v1.11

Added VMware Persona Management vendor information in Chapter 5.14
Date January 2012 v1.2
Review and editing of this document has also been performed by Jeremy Moskowitz, Group
Policy MVP.
















Version 16.03
Grammar and spelling check of complete document
Updated chapter 3.9, UEM Strategy
Updated chapter 3.12, FAQ
Updated chapter 4.1.1, ‘User Profiles 101’
Updated chapter 4.1.4, ‘Where does Group Policy and GPPrefs fit in with UEM’
Updated chapter 5.2, ‘Vendor matrix‘ with Policy Pak Software and updated Triceat
and Scense
Updated chapter 5.7, ‘Microsoft’
Added chapter 5.8, ‘PolicyPak Software’
Updated chapter 5.10.3 and 5.10.6, ‘RES Software’
Updated 5.12, ‘Tricerat’
Updated chapter 6.1, ‘Introduction’ and ‘vendor solutions matrix’ with Policy Pak Software and Tricerat Simply Suite
Updated chapter 6.2, ‘Product versions’
Updated chapter 6.5, ‘Generic Features and Functionality with Policy Pak Software
Updated chapter 6.6, ‘User Profile Management’with Policy Pak Software
Updated chapter 6.7, ‘User Personalization’ with Policy Pak Software
Updated chapter 6.5, New features
o API Interface (public) and documented
o 24 x 7 support, additional pricing
o 24 x 7 support included in base license
may 2016
Page 137
o
o
o


Version 16.03
Microsoft SQL Server 2008R2, built-in support for native SQL Mirroring
Software and Agents available as 32bits component
Software and Agents available as 64bits component, native 64 bits components
o Native policy actions, Ability to write your own Custom Policy Actions
o Native policy actions, Custom VBScript queries for Actions
o Native policy actions, Custom PowerShell queries for Actions
o Native policy actions, Only Copy ‘New’ or ‘Changed’ items, files or folders
o Native policy actions, Ability to Mirror Folder to mirror source if files are removed
o Native policy actions, Syncronize Folder, unlike Mirror this is a two way process
o Built-in rules / native conditions, Ability to write your own Custom Policy Conditions
o Built-in rules / native conditions, Custom VBScript queries for Conditions
o Built-in rules / native conditions, Custom Jscript queries for Conditions
o Built-in rules / native conditions, Custom PowerShell queries for Conditions
o Built-in rules / native conditions, Custom PowerShell queries
o Built-in rules / native conditions, If .. else condition
o Built-in rules / native conditions, Remote Host/URL
o Built-in rules / native conditions, Session Type
o Built-in rules / native conditions, USB storage device, serial and vendor/product
o Built-in rules / native conditions, Any AD User Property
o If application is Elevated, option to not elevate Child Processes spawned from
the raised Application
o If application is Elevated, option to not elevate Secure Dialog Boxes within the
raised Application
o Does not create and depend on a Local Adminstrator account on the machine
for Elevation of User Rights
o Redirect a requested URL to a specified safe URL
o Redirect an already open URL when context/condition changes
o Redirect URL based on full URL address
o Redirect URL based on Sub-Directory of address
o Redirect URL based on use of Wild Cards
o Time Based Application Access
o Contextual nodes/levels (block based on …) Connection Type (e.g. RDP, ICA
etc..)
may 2016
Page 138










o Contextual nodes/levels (block based on …) Port Number
o
Features updated 6.5, Generic Features and Functionality: RES Software
o Database instance officially support 20.000 concurrent connections
o Integration with 3rd party PC-lifeCycle management solutions
o Scripting (not including PowerShell) support and command-line interface
o Professional Services Organization - 24h multi-lingual support
Features updated 6.5, Generic Features and Functionality: Appsense
o Web-based management interface
o Delegation of control, granular delegated administration roles
o 24 x 7 support included in base license
Features updated 6.6, User Profile Management: RES Software
o Last write wins - Per Application
Features updated 6.6, User Profile Management: Tricerat
o Datastore transfer Protocol – SMB
o Datastore transfer Protocol - DCOM
o Offline (Cached) Mode
Features updated 6.6, User Profile Management: AppSense
o Application Virtualization support, VMware ThinApp
Features updated 6.7, User Personalization, Application and Desktop Management,
RES Software
o Parallel processing of logon actions
o Native Action triggers, Process Start
o Native policy actions, File & Folder Copy
Tricerat
o Can define an application as a global object
o Built-in rules / native conditions, Published Application Name
Appsense
o Extendable with 3rd party tools
o Built-in rules / native conditions, Vmware View client name
Tricerat added to chapter6.8 ,Application Access Control, Security Management
Tricerat added to chapter6.10, License Management
Date October 2013 v2.0
Review and editing of this document has also been performed by Jeremy Moskowitz, Group
Policy MVP.

Version 16.03
Added whole chapter (5.8) on UE-V
may 2016
Page 139






Version 16.03
Updated chapter 5.2, ‘Vendor matrix‘
Updated chapter 5.5 and 6.4 (Generic Features and Functionality) for ‘Immidio’
Updated chapter 5.7 on Group Policy, Group Policy Preferences and AGPM
o Added AGPM update for clairty
o Expanded upon Group Policy Preferences’s Item Level Targeting
Updated chapter 5.10 on PolicyPak Application Manager
Updated chapter 6.1, ‘vendor solutions matrix’
Features updated 6.4, Generic Features and Functionality: Immidio Flex+
o Microsoft Management Console Interface
o Support low bandwidth/high latency WAN connections
o Scripting (not including PowerShell) support and command-line interface
o Microsoft Group Policy-based management for agent/client settings
o API Interface (public) and documented
o First year support and maintenance included in license
o 24 x 7 support, additional pricing
o Service Provider license program
o Official training classes available
o UEM technology is proven; the solution is being used for 1+ year in enterprise
production environments. 10K+ endpoint, various deployment scenarios.
o 10+ of public available enterprise (10K CCU) references in EU using UEM solution
o Professional Services Organization – Business hours (CET) multi-lingual support
o Technical Account Manager (TAM) available
o Datastore transfer Protocol - TCP / configurable and supported
o Datastore transfer Protocol - Database specific
o Datastore transfer Protocol – DCOM
o Management through database engine
o TCP/IP v6
o Software and Agents available as 32bits component
o Software and Agents available as 64bits component, native 64 bits components
o Microsoft Windows 8 (x86)
o Component with elevated user rights
o Citrix XenApp
o Microsoft RDSH – RemoteApp (native or MSI)
o Microsoft Application Virtualization, App-V (native or MSI)
o Symantec Workspace Virtualization (native or MSI)
o VMware ThinApp (native or MSI)
o Citrix XenApp Streaming
o Microsoft MSI
may 2016
Page 140






Features updated 6.5, User Profile Management: Immidio Flex+
o Profile redirection/ streaming / virtualization
o Migrate individual apps across versions
o Streamed Profiles
o Management through database engine
o Automatically capture application personalization
o Last write wins - Per Session
o Pre-cache personalisation on new machines
o Symantec Workspace Virtualization
o Novell ZENWorks / Spoon.Net
Features updated 6.6, User Personalization, Application and Desktop Management:
added Immidio Flex+
Vendor Solution Description added/updated : 5.8 VUEM -> Norskale V-UEM
Product added/updated 5.2 : VUEM -> Norskale V-UEM
Removed Tricerat from detailed feature matrix
Added tons of new features and updated the text overall
Date February 2013 v2.1



Updated LiquidWare Labs Solution description and mapped the features with latest
ProfileUnity version
Updated Microsoft UE-V 2.0
Updated PolicyPak Application Manager
January – April 2016 – version 16.01
Too many changes in the document after two year, so only highlights of changes will be listed
here for the moment, for the next version a more detailed change log will be available.
Naming





Scense renamed to Appixoft
Immidio renamed to VMware UEM
VMware PM added to tables
RES Software workspace renamed to RES ONE workspace
Microsoft has been combined in one column for readability.
General

Moved all vendors in alphabetic order
Generic features and functionality
Version 16.03
may 2016
Page 141



VMware PM added o the table
Renamed Quest to DELL Wyse
Features of products have been added or changed.

User Personalization, application and Desktop management

Application Access Control, security management




VMware UEM added in the matrix
Liquidware labs added in the matrix
Norksale added in the matrix
Resource Management



Norskale added to the matrix
Liquidware labs added to the matrix
License Management

Features of products have been added or changed
Monitoring, auditing and reporting

12th of April 2016



Changed Richard kuipers to Kuiper
Changed Geoffrey to Geoffrey
Changed Sense to Scense in four occasions.
Generic Features and Functionality

Changed Windows 201264 and Windows 2012R2 64 at Profile unity to Green
May 2016 – 16.03

Removed DELL vWorkspace from the document
Generic features and functionality
Version 16.03
may 2016
Page 142






Renamed Windows 2016 to windows 2016 tech preview
Changed support for Windows 2016 tech preview to green for RES
Change 20000 connections to green for RES
Support for Windows 10 tiles for RES turned to green
VUEM: force agent to poll NOW for update to green
Multi user operations
New lines:









Appsense: Is VDI (detect Citrix or VMware software)
Appsense: WiFi AccessPoint connectivity (BSSID)
Appsense: Citrix PVS vDisk present and vDisk mode
Appsense: Citrix Netscaler session policies and hostname
Appsense: VMware Horizon view Broker
Appsense: VMware Horizon View tunneled connection
VUEM: Force agent to restart internal controller (not the service) – for e.g. debugging
VUEM: Force agent to clear some cache to reinforce some settings
VUEM: Force agent to do an administrative refresh
User profile management



Changed support for Appvolumes and Appdisk to green for RES (SR2)
Migrate from v2 to v5 profiles (automatically)
Appsense: Automaticall remove personalization data
New line:

Appsense : Migrate from vx to v6 profiles (automatically
Application control and security

Change SHA1, SHA256 and MD5 to green for RES
Integration


Windows Store apps
Windows 10 tiles
Policy



Pinned items
Outlook setup
Text file create
Monitoring, auditing and reporting
Version 16.03
may 2016
Page 143






VUEM: session processes, cpu and memory usage
VUEM: report application cpu usage
Added line: report user logon time.
VUEM: user logon time to green, the rest to #
VUEM: Average disk queue length
VUEM: User logon time, average and per user
Chapter 7

Added new text for FSLogix
Chapter 8



Version 16.03
Added VMware vRops to monitoring as it is offered in the Horizon Suite
Added Liquidware Lbas Stratusphere UX as it is offered in the suite.
Version of AppSense to 10
may 2016
Page 144
PQR B.V.
Rijnzathe 7
3454 PV De Meern
The Netherlands
Tel: +31 (0)30 6629729
@pqrNL
www.PQR.com
[email protected]
Version 16.03
may 2016
Page 145
as
as

Smackdown - v2.1

Transcription

Similar documents

I`m helping to end MS by participating in the 2016 Jayman BUILT MS

! Sun Casino Montecarlo !

The Board of Directors of Qatar Fuel (WOQOD) is pleased to invite

5 `S` Training Program at ABV-IIITM, Gwalior on 21.07.2016

4 star ALOE HOTEL, PAPHOS

Mission College

loyola institute for ministry on-campus open house thursday, may 12

KMEA Standards Handout

2016 MW Alliance Raffle - Manitowish Waters Alliance LTD

HERE - Perfect Shots Photography