Simplify Suite in a VDI Environment
“Before jumping onto the VDI bandwagon, ensure a smooth transition.
triCerat solves the problems you may face when transitioning to VDI.”
—Andrew Parlette, VP of Product Development
Adam D. Oliver, Sales Engineer
Gary L. Weber, Simplify Profiles Developer
Alicia H. Davis, Marketing Communication Manager
triCerat, Inc.
January 14, 2009
What is VDI?
VDI (Virtual Desktop Infrastructure) is poised to drastically change the way companies run their
desktops. In VDI, application workload is moved from a desktop at the user’s workspace to a
virtual desktop running on a central server. An endpoint is then used to remotely connect to this
virtual desktop via a connection protocol such as RDP or ICA. Endpoints can be a fat client, a
traditional desktop computer with a full version of Windows, or a thin client (a small piece of
equipment running an embedded version of Windows, Linux, or a proprietary OS). Unlike a
Terminal Server or Citrix Server environment, VDI provides a full desktop experience to users,
as opposed to just individual applications.
VDI environments have multiple advantages including increased security, reduced maintenance
costs, and high scalability. However, before diving into a complete VDI makeover there are
several things you need to think about.
Why VDI?
With today’s concerns about data security, management simplification, and cost reduction,
implementing a virtual desktop solution is very appealing. The use of thin clients as endpoints
can greatly increase system security because all application processing and data caching happens
on the virtual desktop, leaving no risk of compromising sensitive data if an endpoint is stolen.
The reduced hardware requirements of a thin client allow the devices to consume very little
power and keep the cost of the devices low. Instead of needing to refresh all physical user
desktops to increase performance, administrators can continue to use the same thin clients and
only upgrade the server hardware that is hosting the virtual desktops.
The maintenance and expansion of a VDI environment is much simpler in comparison to a
physical desktop environment. Corrupt virtual desktops can easily be destroyed and recreated by
copying another working virtual desktop. In environments with multiple servers hosting virtual
desktops, users can connect to any working server and not be affected by a down server.
Expanding the capacity of a VDI environment can be done simply by purchasing another server
or by upgrading hardware in a current server.
Even with all the benefits VDI provides, the existing problems of user profile customization,
machine settings management, and application lockdown will continue to plague organizations.
On top of that, VDI can add complications to your printing. triCerat has a complete suite of
products to attack and resolve these issues, allowing you to take full advantage of all a VDI
environment has to offer.
The User Profile Customization Problem
Microsoft’s profile solutions can be a double-edged sword. Users need customization options in
order to execute their jobs with efficiency, yet too much freedom can lead to corruption problems
and lax work production. Contrary to some opinions, desktop virtualization will not solve the
problems user profiles currently have on physical desktops. There are a few different profile
choices native to a Windows Server environment that attempt to handle your particular situation.

1) Local Profiles – Cannot follow user from machine to machine
2) Roaming Profiles – Uncontrolled growth
3) Mandatory Profiles – No customization

1) Local Profile: Stores any user customizations on the desktop running the session.
During logon, there is no need to copy the profile from a network location, resulting
in fast user logon. However, the profile is local to this desktop and will not follow
the user if they change desktops. Also be aware that any time a user logs on to a
desktop for the first time, they will have no settings. Each desktop now contains a
different profile making it impossible to manage user customizations. In VDI, users
connect to any available virtual desktop and will constantly need to reapply any
customizations.
2) Roaming Profile: Stores all customized settings to a shared network location. This
allows any desktop to copy the user’s profile during logon so their settings are
available on every desktop. At logoff the profile is copied back to the network
location, maintaining the most current copy of user settings on the network. There is
no way to control what profile information is saved. This causes the profile to grow
very large, increasing both logon and logoff times. At best, administrators can use
group policy to manage a text list of folders in the profile to be omitted from the
profile. Profile corruption during logoff can also bring work to a halt as Windows
may be unable to replace the registry file at logoff, causing the network copy to
become corrupt or deleted and consequently losing all settings.
3) Mandatory Profile: Like a roaming profile, a mandatory profile stores all settings on
the network. The key difference is that a mandatory profile never copies back to the
network location at logoff and therefore never changes. Since a mandatory profile
does not change, there is no growth in size, resulting in fast logons. This greatly
improves user productivity and eliminates the profile corruption possible in roaming
profiles. However, any customization a user makes is lost since the profile cannot
be altered, which may impede a user’s ability to work optimally.
In choosing a profile format, using local profiles forces administrators to assign a user to a
specific virtual desktop, negating the benefit VDI brings in easily deleting and creating virtual
desktops when needed. This leaves administrators picking between a roaming profile with
uncontrollable profile growth or a mandatory profile with complete lack of customization. While
this choice may maintain the status quo for the user experience, addressing the profile issue will
improve user productivity and reduce maintenance of the environment. The ideal solution is a
mixture between the roaming and mandatory profile without the disadvantages of either.
triCerat’s Simplify Profiles offers a robust and efficient hybrid solution, allowing an
administrator to have complete control over what sections of a profile are saved. The user's
profile is kept to a minimum size, logons are optimized, and tools are provided to manage the
profile data. triCerat includes the Profile Migration Utility to easily migrate existing profile
settings into the database. Profile corruption becomes a thing of the past, greatly reducing
administrative overhead.

Full customization
Minimal logon and off times
Central management point using Simplify Console
Robust storage of user customizations

Users are configured with a small mandatory profile which contains only a few basic user
settings. When a user logs on, the mandatory profile is copied down from the network, any
Active Directory group policies are applied, and then Simplify Profiles steps in. Using the
Simplify Console, administrators can add different types of objects that are applied during logon
and logoff. There are three object types in Simplify Profiles.
1) File Operation Objects: Consist of copy, move, rename, and delete. Operations can be
performed on files or folders and support wildcards and environment variables, such as
%USERNAME%. These objects can be used to copy Application Data folders to a
central server store instead of redirecting the entire Application Data folder. Any
application delays due to applications hitting a redirected Application Data folder can be
eliminated.
2) Registry Operation Objects: Can create keys and values in the registry. A key can also be
marked Save/Restore. At logoff this key, and all sub-keys if selected, will be saved to the
database. This data will be restored at logon. Only the data specified by the
administrator is saved, reducing overhead and keeping logon times to a minimum.
triCerat’s triReg utility can be used to browse all registry information saved in the
database. Using triReg, any application data can be deleted or modified by the
administrator.
3) Policy Objects: Drive mappings, drive restrictions, explorer restrictions, and folder
redirections are all policy objects. Drive mapping entries are added directly to the
registry, eliminating any excess logon time due to net use commands. Drive restrictions
can both hide and prevent access to any drive letter. Explorer restrictions can prevent
changes to the desktop environment like drive mapping and accessing security settings on
folders and files. Simplify Profiles goes beyond what is available in group policy by
allowing redirection of eight profile folders.
This hybrid solution brings administrators what the Microsoft solutions lack. It’s no longer a
matter of all or nothing. Administrators can have a robust solution that eliminates profile issues
in the current environment and optimizes the logon process. triCerat’s Profile Analysis Tool
(PAT) can be used to break down folder size within a profile, identifying folders that have
grown excessively large. PAT can locate local, roaming, mandatory, terminal server, and cached
profiles. Download the free Profile Analysis Tool from triCerat today at http://www.tricerat.com
in the downloads section.
Virtual Desktop Settings
Virtual desktops are typically accessed through connection protocols such as the Remote Desktop
Protocol (RDP) and PortICA (Citrix’s ICA port for VDI). While these protocols have been greatly
improved over the years, they can still suffer when many visual effects are used. If little
network bandwidth is available, items such as menu fades, screen savers with heavy graphics, and
the fading of the desktop during logoffs can greatly affect a user’s desktop experience. Other
settings such as adjusting automatic updates and turning off the Desktop Clean Up Wizard tool
can also improve the user’s desktop experience.

Messy group policy configurations
Connection protocols can be bogged down by heavy visuals

Microsoft provides the ability to change many settings through group policy. Combining
policies from different levels can lead to an organizational unit nesting nightmare. Blocking
inherited policies or making assignments at an individual user level is not possible. If a setting is
not in group policy then it cannot be set and assigned, which leaves altering registry information
via scripts as the only option.
Simplify Profiles can be used to specify any desktop setting in the registry. Registry objects
can then be assigned to entire domains, organizational units, users, groups, computers, and
more. Furthermore, administrators can deny any assignment that is inherited from a higher level.
Since any setting that is in the registry can be provided, administrators are not limited to
what is available solely in group policy. From one central point, an administrator has complete
control over the user registry.

Easily modify any registry setting
Can be assigned at any AD level

The Printing Problem
VDI environments can create a print driver headache for an administrator. When client endpoints
have locally attached printers, drivers for each model will need to exist on the virtual
desktop. The more virtual desktops in use, the more time consuming it is to maintain the
environment. Universal print drivers like the one provided by Citrix are only a fallback measure
that can frequently fail to detect a printer. If the printers in use are directly connected to
the network, administrators have to add each one into a user profile. This lack of a central
administration point makes printer additions and changes unnecessarily tedious.

Driver management headache
No central management
Unreliable universal print driver

triCerat can eliminate the need to worry about driver management on virtual desktops. The
ScrewDrivers technology is our universal print driver that eliminates the need for any other
printer drivers on the virtual desktop. The ScrewDrivers Server for XP & Vista is loaded on the
virtual desktop image and the ScrewDrivers Client is installed on the endpoint. Upon logon,
printer capabilities are passed to the virtual desktop and a copy of the local printer is
created for the user. ScrewDrivers is compatible with both 32-bit and 64-bit versions of
Windows.

100% Guaranteed universal print driver
Central management for network printers
64-bit compatibility

For network printer environments, the Simplify Printing Bundle can bring the ScrewDrivers
technology to print servers. A small agent is installed on a print server and a management
console is used to easily assign printers to Active Directory domains, organizational units, groups,
users, and more. Both the Simplify Printing Bundle and ScrewDrivers offer users a custom file
format to pass data to the endpoint or print server. This TMF format compresses the print job
far more than the standard EMF format.
Locking Down the Desktop
Blocking administrative rights from end users is a good way to start locking down a desktop.
With the Software Restriction architecture of group policy, restrictions are downloaded to a
machine and then applied the next time a machine is started. Being a group policy, they are
assigned at the Organizational Unit (OU) or domain level. Mixing group policies or nesting OUs
to create the desired effect can be very complicated and time consuming. In addition, user
desktops are not fully customizable and require administrators to manage shortcuts inside a
user’s profile to control the desktop experience.

Restart required to take effect
Complicated group policy inheritance

triCerat offers two products to lock down and customize the desktop. Simplify Lockdown, like
Software Restrictions, allows an administrator to specify either a banned or trusted list of
applications. Applications can be identified by the filename or the filename and path. In
addition it can include a hash on the executable or arguments used with the executable. When
using a hash, each application object can contain multiple hashes, allowing one object to cover
different versions of the executable. In addition, a separate list of trusted applications can
be created on a per object basis for complete control over child processes. Using the Simplify
Console, these objects can be assigned to Active Directory users, groups, OUs, computers, or be
based on where the user is connecting. This gives the administrator far more flexibility and
ease in assigning objects.

Complete control over all processes
Easily assigned to most AD objects
Can define valid child processes
Provides complete customization of user’s desktop

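An added illustration (not triCerat's code or configuration format) of the matching rules described above: filename, optional path, several hashes on one object, and a per-object trusted list for child processes. The AppObject fields, find_match, and all sample paths and byte strings are assumptions constructed for the example; it also shows that a filename-only rule matches any file given that name, which is the reason to add a path and hash.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional, Sequence, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class AppObject:
    """Hypothetical application object; field names are assumptions."""
    filename: str
    directory: Optional[str] = None      # None = match the name in any folder
    hashes: frozenset = frozenset()      # empty = no hash check
    children: Optional[Tuple["AppObject", ...]] = None  # None = use global list

    def matches(self, exe_path: str, exe_bytes: bytes) -> bool:
        p = PureWindowsPath(exe_path)
        if p.name.lower() != self.filename.lower():
            return False
        if self.directory and str(p.parent).lower() != self.directory.lower():
            return False
        # Several hashes on one object cover several versions of one program.
        return not self.hashes or sha256_hex(exe_bytes) in self.hashes

def find_match(trusted: Sequence[AppObject], exe_path: str, exe_bytes: bytes,
               parent: Optional[AppObject] = None) -> Optional[AppObject]:
    """Return the trusted object that permits this launch, or None to block."""
    # A parent with its own child list overrides the global trusted list.
    rules = parent.children if parent and parent.children is not None else trusted
    return next((r for r in rules if r.matches(exe_path, exe_bytes)), None)

# Constructed sample data: byte strings stand in for executable contents.
V1, V2, OTHER = b"editor build 1", b"editor build 2", b"unrelated program"
BY_NAME = AppObject("editor.exe")
BY_HASH = AppObject("editor.exe", r"C:\Apps\Editor",
                    frozenset({sha256_hex(V1), sha256_hex(V2)}),
                    children=(AppObject("spellcheck.exe"),))
SHELL = AppObject("cmd.exe")

if __name__ == "__main__":
    launches = [([BY_NAME], r"C:\Temp\editor.exe", OTHER, None),
                ([BY_HASH], r"C:\Apps\Editor\editor.exe", V2, None),
                ([BY_HASH], r"C:\Apps\Editor\editor.exe", OTHER, None),
                ([BY_HASH, SHELL], r"C:\Windows\System32\cmd.exe", b"", BY_HASH)]
    for rules, path, data, parent in launches:
        verdict = "allow" if find_match(rules, path, data, parent) else "block"
        print(f"{verdict:5} {path}")
```
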
Simplify Desktop includes an Explorer shell replacement called triShell that gives an
administrator full control over what is on a user’s desktop, start menu, and quick launch. This is
done by using application objects in the Simplify Console and not by managing program
shortcuts buried in a user’s profile. It is possible to give users a desktop with only the icons for
the applications they need and eliminate all unnecessary shortcuts. These objects can be
refreshed by a user mid-session, allowing an administrator to make instant changes. Ultimately,
using the triShell with a banned or trusted list in Simplify Lockdown provides a more secure and
customized user experience.
Why triCerat?
Administrators need a way to attack existing issues in order to make their VDI transition
seamless. Using the tools available in Windows can complicate management and create a partial
solution. triCerat’s suite of products can resolve these problems, thereby reducing
administrative overhead and maintenance costs. Simplify Profiles can give users customization,
drastically reduce logon times, and give an administrator full control of virtual desktop settings.
Simplify Printing can eliminate the driver management headache of endpoint attached printers
and easily configure user network printers. Simplify Desktop and Simplify Lockdown can give
complete control over the look of a user desktop and allow only authorized software to run.
Whether you have a complete VDI environment or a physical environment in transition to VDI,
the Simplify Suite will benefit your system. Visit http://www.tricerat.com today to download a
fully featured 30-day trial of the Simplify Suite.